drop pbs_tools::auth
`pbs_client::connect_to_localhost` now requires the key as optional parameter Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
This commit is contained in:
Wolfgang Bumiller
parent
8cf445ecc4
commit
01a080215d
|
|
@ -4,11 +4,11 @@
|
|||
//! server using https.
|
||||
|
||||
use anyhow::Error;
|
||||
use openssl::pkey::{PKey, Private};
|
||||
|
||||
use pbs_api_types::{Authid, Userid};
|
||||
use pbs_tools::ticket::Ticket;
|
||||
use pbs_tools::cert::CertInfo;
|
||||
use pbs_tools::auth::private_auth_key;
|
||||
|
||||
pub mod catalog_shell;
|
||||
pub mod dynamic_index;
|
||||
|
|
@ -53,22 +53,15 @@ pub const PROXMOX_BACKUP_TCP_KEEPALIVE_TIME: u32 = 120;
|
|||
/// Connect to localhost:8007 as root@pam
|
||||
///
|
||||
/// This automatically creates a ticket if run as 'root' user.
|
||||
pub fn connect_to_localhost() -> Result<HttpClient, Error> {
|
||||
|
||||
let uid = nix::unistd::Uid::current();
|
||||
|
||||
let client = if uid.is_root() {
|
||||
pub fn connect_to_localhost(auth_key: Option<&PKey<Private>>) -> Result<HttpClient, Error> {
|
||||
let options = if let Some(auth_key) = auth_key {
|
||||
let ticket = Ticket::new("PBS", Userid::root_userid())?
|
||||
.sign(private_auth_key(), None)?;
|
||||
.sign(auth_key, None)?;
|
||||
let fingerprint = CertInfo::new()?.fingerprint()?;
|
||||
let options = HttpClientOptions::new_non_interactive(ticket, Some(fingerprint));
|
||||
|
||||
HttpClient::new("localhost", 8007, Authid::root_auth_id(), options)?
|
||||
HttpClientOptions::new_non_interactive(ticket, Some(fingerprint))
|
||||
} else {
|
||||
let options = HttpClientOptions::new_interactive(None, None);
|
||||
|
||||
HttpClient::new("localhost", 8007, Authid::root_auth_id(), options)?
|
||||
HttpClientOptions::new_interactive(None, None)
|
||||
};
|
||||
|
||||
Ok(client)
|
||||
HttpClient::new("localhost", 8007, Authid::root_auth_id(), options)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,26 +0,0 @@
|
|||
//! Helpers for authentication used by both client and server.
|
||||
|
||||
use anyhow::Error;
|
||||
use lazy_static::lazy_static;
|
||||
use openssl::pkey::{PKey, Private};
|
||||
use openssl::rsa::Rsa;
|
||||
|
||||
use proxmox::tools::fs::file_get_contents;
|
||||
|
||||
use pbs_buildcfg::configdir;
|
||||
|
||||
fn load_private_auth_key() -> Result<PKey<Private>, Error> {
|
||||
let pem = file_get_contents(configdir!("/authkey.key"))?;
|
||||
let rsa = Rsa::private_key_from_pem(&pem)?;
|
||||
let key = PKey::from_rsa(rsa)?;
|
||||
|
||||
Ok(key)
|
||||
}
|
||||
|
||||
pub fn private_auth_key() -> &'static PKey<Private> {
|
||||
lazy_static! {
|
||||
static ref KEY: PKey<Private> = load_private_auth_key().unwrap();
|
||||
}
|
||||
|
||||
&KEY
|
||||
}
|
||||
|
|
@ -1,5 +1,4 @@
|
|||
pub mod acl;
|
||||
pub mod auth;
|
||||
pub mod blocking;
|
||||
pub mod borrow;
|
||||
pub mod broadcast_future;
|
||||
|
|
|
|||
|
|
@ -15,15 +15,13 @@ use pbs_api_types::{
|
|||
Userid, Authid, PASSWORD_SCHEMA, ACL_PATH_SCHEMA,
|
||||
PRIVILEGES, PRIV_PERMISSIONS_MODIFY, PRIV_SYS_AUDIT,
|
||||
};
|
||||
use pbs_tools::auth::private_auth_key;
|
||||
use pbs_tools::ticket::{self, Empty, Ticket};
|
||||
use pbs_config::acl::AclTreeNode;
|
||||
use pbs_config::CachedUserInfo;
|
||||
|
||||
use crate::auth_helpers::*;
|
||||
use crate::server::ticket::ApiTicket;
|
||||
|
||||
use pbs_config::CachedUserInfo;
|
||||
use crate::config::tfa::TfaChallenge;
|
||||
use crate::server::ticket::ApiTicket;
|
||||
|
||||
pub mod acl;
|
||||
pub mod domain;
|
||||
|
|
|
|||
|
|
@ -13,16 +13,14 @@ use proxmox_openid::{OpenIdAuthenticator, OpenIdConfig};
|
|||
|
||||
use pbs_api_types::{Userid, User, REALM_ID_SCHEMA};
|
||||
use pbs_buildcfg::PROXMOX_BACKUP_RUN_DIR_M;
|
||||
use pbs_tools::auth::private_auth_key;
|
||||
use pbs_tools::ticket::Ticket;
|
||||
use pbs_config::domains::{OpenIdUserAttribute, OpenIdRealmConfig};
|
||||
|
||||
use crate::server::ticket::ApiTicket;
|
||||
use pbs_config::CachedUserInfo;
|
||||
|
||||
use pbs_config::open_backup_lockfile;
|
||||
|
||||
use crate::auth_helpers::*;
|
||||
use crate::server::ticket::ApiTicket;
|
||||
|
||||
fn openid_authenticator(realm_config: &OpenIdRealmConfig, redirect_url: &str) -> Result<OpenIdAuthenticator, Error> {
|
||||
let config = OpenIdConfig {
|
||||
|
|
|
|||
|
|
@ -20,12 +20,13 @@ use proxmox::list_subdirs_api_method;
|
|||
use proxmox::{identity, sortable};
|
||||
use proxmox_http::websocket::WebSocket;
|
||||
|
||||
use proxmox_rest_server::WorkerTask;
|
||||
|
||||
use pbs_api_types::{Authid, NODE_SCHEMA, PRIV_SYS_CONSOLE};
|
||||
use pbs_tools::auth::private_auth_key;
|
||||
use pbs_tools::ticket::{self, Empty, Ticket};
|
||||
|
||||
use proxmox_rest_server::WorkerTask;
|
||||
use crate::tools;
|
||||
use crate::auth_helpers::private_auth_key;
|
||||
|
||||
pub mod apt;
|
||||
pub mod certificates;
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@ use std::path::PathBuf;
|
|||
|
||||
use anyhow::{bail, format_err, Error};
|
||||
use lazy_static::lazy_static;
|
||||
use openssl::pkey::{PKey, Public};
|
||||
use openssl::pkey::{PKey, Private, Public};
|
||||
use openssl::rsa::Rsa;
|
||||
use openssl::sha;
|
||||
|
||||
|
|
@ -170,3 +170,19 @@ pub fn public_auth_key() -> &'static PKey<Public> {
|
|||
|
||||
&KEY
|
||||
}
|
||||
|
||||
fn load_private_auth_key() -> Result<PKey<Private>, Error> {
|
||||
let pem = file_get_contents(configdir!("/authkey.key"))?;
|
||||
let rsa = Rsa::private_key_from_pem(&pem)?;
|
||||
let key = PKey::from_rsa(rsa)?;
|
||||
|
||||
Ok(key)
|
||||
}
|
||||
|
||||
pub fn private_auth_key() -> &'static PKey<Private> {
|
||||
lazy_static! {
|
||||
static ref KEY: PKey<Private> = load_private_auth_key().unwrap();
|
||||
}
|
||||
|
||||
&KEY
|
||||
}
|
||||
|
|
|
|||
|
|
@ -9,7 +9,6 @@ use proxmox::try_block;
|
|||
use proxmox::api::RpcEnvironmentType;
|
||||
use proxmox::tools::fs::CreateOptions;
|
||||
|
||||
use pbs_tools::auth::private_auth_key;
|
||||
use proxmox_rest_server::{daemon, ApiConfig, RestServer};
|
||||
|
||||
use proxmox_backup::server::auth::default_api_auth;
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ use serde_json::{json, Value};
|
|||
use proxmox::api::{api, cli::*, RpcEnvironment};
|
||||
use proxmox::tools::fs::CreateOptions;
|
||||
|
||||
use pbs_client::{connect_to_localhost, display_task_log, view_task_result};
|
||||
use pbs_client::{display_task_log, view_task_result};
|
||||
use pbs_tools::percent_encoding::percent_encode_component;
|
||||
use pbs_tools::json::required_string_param;
|
||||
use pbs_api_types::{
|
||||
|
|
@ -17,8 +17,9 @@ use pbs_api_types::{
|
|||
|
||||
use proxmox_rest_server::wait_for_local_worker;
|
||||
|
||||
use proxmox_backup::config;
|
||||
use proxmox_backup::api2;
|
||||
use proxmox_backup::client_helpers::connect_to_localhost;
|
||||
use proxmox_backup::config;
|
||||
|
||||
mod proxmox_backup_manager;
|
||||
use proxmox_backup_manager::*;
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ use proxmox::{
|
|||
},
|
||||
};
|
||||
|
||||
use pbs_client::{connect_to_localhost, view_task_result};
|
||||
use pbs_client::view_task_result;
|
||||
use pbs_tools::format::{
|
||||
HumanByte,
|
||||
render_epoch,
|
||||
|
|
@ -49,6 +49,7 @@ use proxmox_backup::{
|
|||
proxmox_tape_magic_to_text,
|
||||
},
|
||||
},
|
||||
client_helpers::connect_to_localhost,
|
||||
};
|
||||
|
||||
mod proxmox_tape;
|
||||
|
|
|
|||
|
|
@ -16,9 +16,11 @@ use proxmox::api::{
|
|||
};
|
||||
|
||||
use pbs_api_types::{PROXMOX_UPID_REGEX, UPID};
|
||||
use pbs_client::{connect_to_localhost, view_task_result};
|
||||
use pbs_client::view_task_result;
|
||||
use proxmox_rest_server::normalize_uri_path;
|
||||
|
||||
use proxmox_backup::client_helpers::connect_to_localhost;
|
||||
|
||||
const PROG_NAME: &str = "proxmox-backup-debug api";
|
||||
const URL_ASCIISET: percent_encoding::AsciiSet = percent_encoding::NON_ALPHANUMERIC.remove(b'/');
|
||||
|
||||
|
|
|
|||
|
|
@ -3,10 +3,11 @@ use serde_json::Value;
|
|||
|
||||
use proxmox::api::{api, cli::*, RpcEnvironment, ApiHandler};
|
||||
|
||||
use pbs_client::{connect_to_localhost, view_task_result};
|
||||
use pbs_client::view_task_result;
|
||||
use pbs_api_types::{DataStoreConfig, DATASTORE_SCHEMA};
|
||||
|
||||
use proxmox_backup::api2;
|
||||
use proxmox_backup::client_helpers::connect_to_localhost;
|
||||
|
||||
#[api(
|
||||
input: {
|
||||
|
|
|
|||
|
|
@ -4,9 +4,10 @@ use serde_json::Value;
|
|||
use proxmox::api::{api, cli::*, RpcEnvironment, ApiHandler};
|
||||
|
||||
use pbs_api_types::JOB_ID_SCHEMA;
|
||||
use pbs_client::{connect_to_localhost, view_task_result};
|
||||
use pbs_client::view_task_result;
|
||||
|
||||
use proxmox_backup::api2;
|
||||
use proxmox_backup::client_helpers::connect_to_localhost;
|
||||
|
||||
#[api(
|
||||
input: {
|
||||
|
|
|
|||
|
|
@ -0,0 +1,13 @@
|
|||
use anyhow::Error;
|
||||
|
||||
use crate::auth_helpers::private_auth_key;
|
||||
|
||||
/// As root we have access to the private key file and can use it directly. Otherwise the connect
|
||||
/// call will interactively query the password.
|
||||
pub fn connect_to_localhost() -> Result<pbs_client::HttpClient, Error> {
|
||||
pbs_client::connect_to_localhost(if nix::unistd::Uid::current().is_root() {
|
||||
Some(private_auth_key())
|
||||
} else {
|
||||
None
|
||||
})
|
||||
}
|
||||
|
|
@ -25,3 +25,5 @@ pub mod rrd;
|
|||
pub mod tape;
|
||||
|
||||
pub mod acme;
|
||||
|
||||
pub mod client_helpers;
|
||||
|
|
|
|||
Loading…
Reference in New Issue