tyler
/
proxmox-backup
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

REST server: avoid hard coding world readable API endpoints 

while we probably do not add much more to them, it still looks ugly.

If this was made so that adding a World readable API call is "hard"
and not done by accident, it rather should be done as a test on build
time. But, IMO, the API permission schema definitions are easy to
review, and not often changed/added - so any wrong World readable API
call will normally still caught.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
This commit is contained in:
Thomas Lamprecht 2020-10-02 13:17:12 +02:00 committed by Dietmar Maurer
parent 0c6b83d656
commit 0ac612476a
1 changed files with 11 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
src/server/rest.rs
View File

@ -22,6 +22,7 @@ use proxmox::api::{
ApiHandler, ApiHandler,
ApiMethod, ApiMethod,
HttpError, HttpError,
Permission,
RpcEnvironment, RpcEnvironment,
RpcEnvironmentType, RpcEnvironmentType,
check_api_permission, check_api_permission,
@ -546,13 +547,16 @@ pub async fn handle_request(api: Arc<ApiConfig>, req: Request<Body>) -> Result<R
}; };
let mut uri_param = HashMap::new(); let mut uri_param = HashMap::new();
let api_method = api.find_method(&components[2..], method.clone(), &mut uri_param);
if comp_len == 4 && components[2] == "access" && ( let mut auth_required = true;
(components[3] == "ticket" && method == hyper::Method::POST) || if let Some(api_method) = api_method {
(components[3] == "domains" && method == hyper::Method::GET) if let Permission::World = *api_method.access.permission {
) { auth_required = false; // no auth for endpoints with World permission
// explicitly allow those calls without auth }
} else { }
if auth_required {
let (ticket, token, _) = extract_auth_data(&parts.headers); let (ticket, token, _) = extract_auth_data(&parts.headers);
match check_auth(&method, &ticket, &token, &user_info) { match check_auth(&method, &ticket, &token, &user_info) {
Ok(userid) => rpcenv.set_user(Some(userid.to_string())), Ok(userid) => rpcenv.set_user(Some(userid.to_string())),
@ -565,7 +569,7 @@ pub async fn handle_request(api: Arc<ApiConfig>, req: Request<Body>) -> Result<R
} }
} }
match api.find_method(&components[2..], method, &mut uri_param) { match api_method {
None => { None => {
let err = http_err!(NOT_FOUND, "Path '{}' not found.", path); let err = http_err!(NOT_FOUND, "Path '{}' not found.", path);
return Ok((formatter.format_error)(err)); return Ok((formatter.format_error)(err));