proxmox-backup/src/api2/access.rs

97 lines
3.2 KiB
Rust
Raw Normal View History

2019-01-30 14:14:20 +00:00
use failure::*;
use crate::tools;
2019-02-17 09:16:33 +00:00
use crate::api_schema::*;
2019-02-17 08:59:20 +00:00
use crate::api_schema::router::*;
2019-01-30 14:14:20 +00:00
use crate::tools::ticket::*;
use crate::auth_helpers::*;
use hyper::StatusCode;
2019-01-30 14:14:20 +00:00
use serde_json::{json, Value};
fn authenticate_user(username: &str, password: &str) -> Result<(), Error> {
let ticket_lifetime = tools::ticket::TICKET_LIFETIME;
if password.starts_with("PBS:") {
if let Ok((_age, Some(ticket_username))) = tools::ticket::verify_rsa_ticket(public_auth_key(), "PBS", password, None, -300, ticket_lifetime) {
if ticket_username == username {
return Ok(());
} else {
bail!("ticket login failed - wrong username");
}
}
}
if username == "root@pam" {
let mut auth = pam::Authenticator::with_password("proxmox-backup-auth").unwrap();
auth.get_handler().set_credentials("root", password);
auth.authenticate()?;
2019-01-30 14:14:20 +00:00
return Ok(());
}
bail!("inavlid credentials");
}
fn create_ticket(
param: Value,
_info: &ApiMethod,
_rpcenv: &mut dyn RpcEnvironment,
2019-01-30 14:14:20 +00:00
) -> Result<Value, Error> {
let username = tools::required_string_param(&param, "username")?;
let password = tools::required_string_param(&param, "password")?;
match authenticate_user(username, password) {
Ok(_) => {
2019-01-31 11:22:00 +00:00
let ticket = assemble_rsa_ticket( private_auth_key(), "PBS", Some(username), None)?;
2019-01-30 14:14:20 +00:00
let token = assemble_csrf_prevention_token(csrf_secret(), username);
log::info!("successful auth for user '{}'", username);
2019-10-26 09:36:01 +00:00
Ok(json!({
2019-01-30 14:14:20 +00:00
"username": username,
"ticket": ticket,
"CSRFPreventionToken": token,
2019-10-26 09:36:01 +00:00
}))
2019-01-30 14:14:20 +00:00
}
Err(err) => {
let client_ip = "unknown"; // $rpcenv->get_client_ip() || '';
log::error!("authentication failure; rhost={} user={} msg={}", client_ip, username, err.to_string());
2019-10-26 09:36:01 +00:00
Err(http_err!(UNAUTHORIZED, "permission check failed.".into()))
2019-01-30 14:14:20 +00:00
}
}
}
pub fn router() -> Router {
2019-10-26 09:36:01 +00:00
Router::new()
2019-01-30 14:14:20 +00:00
.subdir(
"ticket",
Router::new()
.post(
ApiMethod::new(
create_ticket,
ObjectSchema::new("Create or verify authentication ticket.")
.required(
"username",
StringSchema::new("User name.")
.max_length(64)
)
.required(
"password",
StringSchema::new("The secret password. This can also be a valid ticket.")
)
).returns(
ObjectSchema::new("Returns authentication ticket with additional infos.")
.required("username", StringSchema::new("User name."))
.required("ticket", StringSchema::new("Auth ticket."))
.required("CSRFPreventionToken", StringSchema::new("Cross Site Request Forgery Prevention Token."))
).protected(true)
)
)
2019-10-26 09:36:01 +00:00
.list_subdirs()
2019-01-30 14:14:20 +00:00
}