api: improve error messages for restricted endpoints

The old variant attempted to parse a token ID as a user ID and returned the
cryptic parsing error to the client, which is rather confusing.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler 2020-12-30 12:21:13 +01:00 committed by Dietmar Maurer
parent 81764111fe
commit 13f5863561
2 changed files with 27 additions and 9 deletions


@ -206,14 +206,18 @@ fn change_password(
password: String, password: String,
rpcenv: &mut dyn RpcEnvironment, rpcenv: &mut dyn RpcEnvironment,
) -> Result<Value, Error> { ) -> Result<Value, Error> {
let current_auth: Authid = rpcenv
let current_user: Userid = rpcenv
.get_auth_id() .get_auth_id()
.ok_or_else(|| format_err!("unknown user"))? .ok_or_else(|| format_err!("no authid available"))?
.parse()?; .parse()?;
let current_auth = Authid::from(current_user.clone());
let mut allowed = userid == current_user; if current_auth.is_token() {
bail!("API tokens cannot access this API endpoint");
}
let current_user = current_auth.user();
let mut allowed = userid == *current_user;
if current_user == "root@pam" { allowed = true; } if current_user == "root@pam" { allowed = true; }
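Review bot: The parse-then-reject-token sequence added here in change_password is repeated verbatim in termproxy and upgrade_to_websocket in the other file, so the "user only" policy now lives in three places and the next restricted endpoint will copy it a fourth time; a small helper that resolves the caller to a Userid and bails on tokens keeps the check and its error text in one spot. The helper below assumes get_auth_id only needs `&self` (the hunk only shows callers holding `&mut dyn RpcEnvironment`) and that `Authid::user()` returns a reference, which the `*current_user` deref on the comparison line suggests. It would also be worth a one-line comment above the token check stating why it exists — a token presumably must not be able to change its owning user's password, since that would turn a scoped token into full control of the account — so a future reader does not relax it. change_password's signature starts above the hunk and its body continues below it.
```rust
/// Resolve the calling user from the request environment, rejecting API tokens.
///
/// Restricted endpoints call this instead of parsing the auth id themselves so
/// the user-only policy and its error message are defined once.
fn require_user(rpcenv: &dyn RpcEnvironment) -> Result<Userid, Error> {
    let auth_id: Authid = rpcenv
        .get_auth_id()
        .ok_or_else(|| format_err!("no authid available"))?
        .parse()?;
    if auth_id.is_token() {
        bail!("API tokens cannot access this API endpoint");
    }
    Ok(auth_id.user().clone())
}

// … unchanged: change_password signature …
    let current_user = require_user(rpcenv)?;
    let mut allowed = userid == current_user;
// … unchanged: root@pam override and the rest of the body …
```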


@ -92,11 +92,16 @@ async fn termproxy(
rpcenv: &mut dyn RpcEnvironment, rpcenv: &mut dyn RpcEnvironment,
) -> Result<Value, Error> { ) -> Result<Value, Error> {
// intentionally user only for now // intentionally user only for now
let userid: Userid = rpcenv let auth_id: Authid = rpcenv
.get_auth_id() .get_auth_id()
.ok_or_else(|| format_err!("unknown user"))? .ok_or_else(|| format_err!("no authid available"))?
.parse()?; .parse()?;
let auth_id = Authid::from(userid.clone());
if auth_id.is_token() {
bail!("API tokens cannot access this API endpoint");
}
let userid = auth_id.user();
if userid.realm() != "pam" { if userid.realm() != "pam" {
bail!("only pam users can use the console"); bail!("only pam users can use the console");
@ -267,7 +272,16 @@ fn upgrade_to_websocket(
) -> ApiResponseFuture { ) -> ApiResponseFuture {
async move { async move {
// intentionally user only for now // intentionally user only for now
let userid: Userid = rpcenv.get_auth_id().unwrap().parse()?; let auth_id: Authid = rpcenv
.get_auth_id()
.ok_or_else(|| format_err!("no authid available"))?
.parse()?;
if auth_id.is_token() {
bail!("API tokens cannot access this API endpoint");
}
let userid = auth_id.user();
let ticket = tools::required_string_param(&param, "vncticket")?; let ticket = tools::required_string_param(&param, "vncticket")?;
let port: u16 = tools::required_integer_param(&param, "port")? as u16; let port: u16 = tools::required_integer_param(&param, "port")? as u16;
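Review bot: The `// intentionally user only for now` comment in both termproxy and upgrade_to_websocket now sits above code that actually enforces the restriction, but it does not say so, and a reader may still think the comment describes an unenforced intention; rewording it to `// intentionally user only for now: API tokens are rejected explicitly below` ties the comment to the new `is_token()` check. It is good that the token rejection happens before the vncticket and port parameters are read, so a token is refused before any ticket handling starts. Both function bodies continue past the end of their hunks.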