tyler
/
proxmox-backup
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

drop pbs_tools::auth 

`pbs_client::connect_to_localhost` now requires the key as
optional parameter

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
This commit is contained in:
Wolfgang Bumiller 2021-09-29 11:05:26 +02:00
parent 8cf445ecc4
commit 01a080215d
15 changed files with 57 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
pbs-client/src/lib.rs
View File

@ -4,11 +4,11 @@
//! server using https. //! server using https.
use anyhow::Error; use anyhow::Error;
use openssl::pkey::{PKey, Private};
use pbs_api_types::{Authid, Userid}; use pbs_api_types::{Authid, Userid};
use pbs_tools::ticket::Ticket; use pbs_tools::ticket::Ticket;
use pbs_tools::cert::CertInfo; use pbs_tools::cert::CertInfo;
use pbs_tools::auth::private_auth_key;
pub mod catalog_shell; pub mod catalog_shell;
pub mod dynamic_index; pub mod dynamic_index;
@ -53,22 +53,15 @@ pub const PROXMOX_BACKUP_TCP_KEEPALIVE_TIME: u32 = 120;
/// Connect to localhost:8007 as root@pam /// Connect to localhost:8007 as root@pam
/// ///
/// This automatically creates a ticket if run as 'root' user. /// This automatically creates a ticket if run as 'root' user.
pub fn connect_to_localhost() -> Result<HttpClient, Error> { pub fn connect_to_localhost(auth_key: Option<&PKey<Private>>) -> Result<HttpClient, Error> {
let options = if let Some(auth_key) = auth_key {
let uid = nix::unistd::Uid::current();
let client = if uid.is_root() {
let ticket = Ticket::new("PBS", Userid::root_userid())? let ticket = Ticket::new("PBS", Userid::root_userid())?
.sign(private_auth_key(), None)?; .sign(auth_key, None)?;
let fingerprint = CertInfo::new()?.fingerprint()?; let fingerprint = CertInfo::new()?.fingerprint()?;
let options = HttpClientOptions::new_non_interactive(ticket, Some(fingerprint)); HttpClientOptions::new_non_interactive(ticket, Some(fingerprint))
HttpClient::new("localhost", 8007, Authid::root_auth_id(), options)?
} else { } else {
let options = HttpClientOptions::new_interactive(None, None); HttpClientOptions::new_interactive(None, None)
HttpClient::new("localhost", 8007, Authid::root_auth_id(), options)?
}; };
Ok(client) HttpClient::new("localhost", 8007, Authid::root_auth_id(), options)
} }

26
pbs-tools/src/auth.rs
View File

@ -1,26 +0,0 @@
//! Helpers for authentication used by both client and server.
use anyhow::Error;
use lazy_static::lazy_static;
use openssl::pkey::{PKey, Private};
use openssl::rsa::Rsa;
use proxmox::tools::fs::file_get_contents;
use pbs_buildcfg::configdir;
fn load_private_auth_key() -> Result<PKey<Private>, Error> {
let pem = file_get_contents(configdir!("/authkey.key"))?;
let rsa = Rsa::private_key_from_pem(&pem)?;
let key = PKey::from_rsa(rsa)?;
Ok(key)
}
pub fn private_auth_key() -> &'static PKey<Private> {
lazy_static! {
static ref KEY: PKey<Private> = load_private_auth_key().unwrap();
}
&KEY
}

1
pbs-tools/src/lib.rs
View File

@ -1,5 +1,4 @@
pub mod acl; pub mod acl;
pub mod auth;
pub mod blocking; pub mod blocking;
pub mod borrow; pub mod borrow;
pub mod broadcast_future; pub mod broadcast_future;

6
src/api2/access/mod.rs
View File

@ -15,15 +15,13 @@ use pbs_api_types::{
Userid, Authid, PASSWORD_SCHEMA, ACL_PATH_SCHEMA, Userid, Authid, PASSWORD_SCHEMA, ACL_PATH_SCHEMA,
PRIVILEGES, PRIV_PERMISSIONS_MODIFY, PRIV_SYS_AUDIT, PRIVILEGES, PRIV_PERMISSIONS_MODIFY, PRIV_SYS_AUDIT,
}; };
use pbs_tools::auth::private_auth_key;
use pbs_tools::ticket::{self, Empty, Ticket}; use pbs_tools::ticket::{self, Empty, Ticket};
use pbs_config::acl::AclTreeNode; use pbs_config::acl::AclTreeNode;
use pbs_config::CachedUserInfo;
use crate::auth_helpers::*; use crate::auth_helpers::*;
use crate::server::ticket::ApiTicket;
use pbs_config::CachedUserInfo;
use crate::config::tfa::TfaChallenge; use crate::config::tfa::TfaChallenge;
use crate::server::ticket::ApiTicket;
pub mod acl; pub mod acl;
pub mod domain; pub mod domain;

4
src/api2/access/openid.rs
View File

@ -13,16 +13,14 @@ use proxmox_openid::{OpenIdAuthenticator, OpenIdConfig};
use pbs_api_types::{Userid, User, REALM_ID_SCHEMA}; use pbs_api_types::{Userid, User, REALM_ID_SCHEMA};
use pbs_buildcfg::PROXMOX_BACKUP_RUN_DIR_M; use pbs_buildcfg::PROXMOX_BACKUP_RUN_DIR_M;
use pbs_tools::auth::private_auth_key;
use pbs_tools::ticket::Ticket; use pbs_tools::ticket::Ticket;
use pbs_config::domains::{OpenIdUserAttribute, OpenIdRealmConfig}; use pbs_config::domains::{OpenIdUserAttribute, OpenIdRealmConfig};
use crate::server::ticket::ApiTicket;
use pbs_config::CachedUserInfo; use pbs_config::CachedUserInfo;
use pbs_config::open_backup_lockfile; use pbs_config::open_backup_lockfile;
use crate::auth_helpers::*; use crate::auth_helpers::*;
use crate::server::ticket::ApiTicket;
fn openid_authenticator(realm_config: &OpenIdRealmConfig, redirect_url: &str) -> Result<OpenIdAuthenticator, Error> { fn openid_authenticator(realm_config: &OpenIdRealmConfig, redirect_url: &str) -> Result<OpenIdAuthenticator, Error> {
let config = OpenIdConfig { let config = OpenIdConfig {

5
src/api2/node/mod.rs
View File

@ -20,12 +20,13 @@ use proxmox::list_subdirs_api_method;
use proxmox::{identity, sortable}; use proxmox::{identity, sortable};
use proxmox_http::websocket::WebSocket; use proxmox_http::websocket::WebSocket;
use proxmox_rest_server::WorkerTask;
use pbs_api_types::{Authid, NODE_SCHEMA, PRIV_SYS_CONSOLE}; use pbs_api_types::{Authid, NODE_SCHEMA, PRIV_SYS_CONSOLE};
use pbs_tools::auth::private_auth_key;
use pbs_tools::ticket::{self, Empty, Ticket}; use pbs_tools::ticket::{self, Empty, Ticket};
use proxmox_rest_server::WorkerTask;
use crate::tools; use crate::tools;
use crate::auth_helpers::private_auth_key;
pub mod apt; pub mod apt;
pub mod certificates; pub mod certificates;

18
src/auth_helpers.rs
View File

@ -2,7 +2,7 @@ use std::path::PathBuf;
use anyhow::{bail, format_err, Error}; use anyhow::{bail, format_err, Error};
use lazy_static::lazy_static; use lazy_static::lazy_static;
use openssl::pkey::{PKey, Public}; use openssl::pkey::{PKey, Private, Public};
use openssl::rsa::Rsa; use openssl::rsa::Rsa;
use openssl::sha; use openssl::sha;
@ -170,3 +170,19 @@ pub fn public_auth_key() -> &'static PKey<Public> {
&KEY &KEY
} }
fn load_private_auth_key() -> Result<PKey<Private>, Error> {
let pem = file_get_contents(configdir!("/authkey.key"))?;
let rsa = Rsa::private_key_from_pem(&pem)?;
let key = PKey::from_rsa(rsa)?;
Ok(key)
}
pub fn private_auth_key() -> &'static PKey<Private> {
lazy_static! {
static ref KEY: PKey<Private> = load_private_auth_key().unwrap();
}
&KEY
}

1
src/bin/proxmox-backup-api.rs
View File

@ -9,7 +9,6 @@ use proxmox::try_block;
use proxmox::api::RpcEnvironmentType; use proxmox::api::RpcEnvironmentType;
use proxmox::tools::fs::CreateOptions; use proxmox::tools::fs::CreateOptions;
use pbs_tools::auth::private_auth_key;
use proxmox_rest_server::{daemon, ApiConfig, RestServer}; use proxmox_rest_server::{daemon, ApiConfig, RestServer};
use proxmox_backup::server::auth::default_api_auth; use proxmox_backup::server::auth::default_api_auth;

5
src/bin/proxmox-backup-manager.rs
View File

@ -7,7 +7,7 @@ use serde_json::{json, Value};
use proxmox::api::{api, cli::*, RpcEnvironment}; use proxmox::api::{api, cli::*, RpcEnvironment};
use proxmox::tools::fs::CreateOptions; use proxmox::tools::fs::CreateOptions;
use pbs_client::{connect_to_localhost, display_task_log, view_task_result}; use pbs_client::{display_task_log, view_task_result};
use pbs_tools::percent_encoding::percent_encode_component; use pbs_tools::percent_encoding::percent_encode_component;
use pbs_tools::json::required_string_param; use pbs_tools::json::required_string_param;
use pbs_api_types::{ use pbs_api_types::{
@ -17,8 +17,9 @@ use pbs_api_types::{
use proxmox_rest_server::wait_for_local_worker; use proxmox_rest_server::wait_for_local_worker;
use proxmox_backup::config;
use proxmox_backup::api2; use proxmox_backup::api2;
use proxmox_backup::client_helpers::connect_to_localhost;
use proxmox_backup::config;
mod proxmox_backup_manager; mod proxmox_backup_manager;
use proxmox_backup_manager::*; use proxmox_backup_manager::*;

3
src/bin/proxmox-tape.rs
View File

@ -14,7 +14,7 @@ use proxmox::{
}, },
}; };
use pbs_client::{connect_to_localhost, view_task_result}; use pbs_client::view_task_result;
use pbs_tools::format::{ use pbs_tools::format::{
HumanByte, HumanByte,
render_epoch, render_epoch,
@ -49,6 +49,7 @@ use proxmox_backup::{
proxmox_tape_magic_to_text, proxmox_tape_magic_to_text,
}, },
}, },
client_helpers::connect_to_localhost,
}; };
mod proxmox_tape; mod proxmox_tape;

4
src/bin/proxmox_backup_debug/api.rs
View File

@ -16,9 +16,11 @@ use proxmox::api::{
}; };
use pbs_api_types::{PROXMOX_UPID_REGEX, UPID}; use pbs_api_types::{PROXMOX_UPID_REGEX, UPID};
use pbs_client::{connect_to_localhost, view_task_result}; use pbs_client::view_task_result;
use proxmox_rest_server::normalize_uri_path; use proxmox_rest_server::normalize_uri_path;
use proxmox_backup::client_helpers::connect_to_localhost;
const PROG_NAME: &str = "proxmox-backup-debug api"; const PROG_NAME: &str = "proxmox-backup-debug api";
const URL_ASCIISET: percent_encoding::AsciiSet = percent_encoding::NON_ALPHANUMERIC.remove(b'/'); const URL_ASCIISET: percent_encoding::AsciiSet = percent_encoding::NON_ALPHANUMERIC.remove(b'/');

3
src/bin/proxmox_backup_manager/datastore.rs
View File

@ -3,10 +3,11 @@ use serde_json::Value;
use proxmox::api::{api, cli::*, RpcEnvironment, ApiHandler}; use proxmox::api::{api, cli::*, RpcEnvironment, ApiHandler};
use pbs_client::{connect_to_localhost, view_task_result}; use pbs_client::view_task_result;
use pbs_api_types::{DataStoreConfig, DATASTORE_SCHEMA}; use pbs_api_types::{DataStoreConfig, DATASTORE_SCHEMA};
use proxmox_backup::api2; use proxmox_backup::api2;
use proxmox_backup::client_helpers::connect_to_localhost;
#[api( #[api(
input: { input: {

3
src/bin/proxmox_tape/backup_job.rs
View File

@ -4,9 +4,10 @@ use serde_json::Value;
use proxmox::api::{api, cli::*, RpcEnvironment, ApiHandler}; use proxmox::api::{api, cli::*, RpcEnvironment, ApiHandler};
use pbs_api_types::JOB_ID_SCHEMA; use pbs_api_types::JOB_ID_SCHEMA;
use pbs_client::{connect_to_localhost, view_task_result}; use pbs_client::view_task_result;
use proxmox_backup::api2; use proxmox_backup::api2;
use proxmox_backup::client_helpers::connect_to_localhost;
#[api( #[api(
input: { input: {

13
src/client_helpers.rs Normal file
View File

@ -0,0 +1,13 @@
use anyhow::Error;
use crate::auth_helpers::private_auth_key;
/// As root we have access to the private key file and can use it directly. Otherwise the connect
/// call will interactively query the password.
pub fn connect_to_localhost() -> Result<pbs_client::HttpClient, Error> {
pbs_client::connect_to_localhost(if nix::unistd::Uid::current().is_root() {
Some(private_auth_key())
} else {
None
})
}

2
src/lib.rs
View File

@ -25,3 +25,5 @@ pub mod rrd;
pub mod tape; pub mod tape;
pub mod acme; pub mod acme;
pub mod client_helpers;