tyler/proxmox-backup
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

server/rest: add ApiAuth trait to make user auth generic

Browse Source 
This allows switching the base user identification/authentication method
in the rest server. Will initially be used for single file restore VMs,
where authentication is based on a ticket file, not the PBS user
backend (PAM/local).

To avoid putting generic types into the RestServer type for this, we
merge the two calls "extract_auth_data" and "check_auth" into a single
one, which can use whatever type it wants internally.

Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
This commit is contained in:
Stefan Reiter 2021-03-31 12:21:51 +02:00 committed by Thomas Lamprecht
parent 9fe3358ce6
commit 26858dba84
5 changed files with 160 additions and 100 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/bin/proxmox-backup-api.rs
View File

@ -6,8 +6,11 @@ use proxmox::api::RpcEnvironmentType;
//use proxmox_backup::tools; //use proxmox_backup::tools;
//use proxmox_backup::api_schema::config::*; //use proxmox_backup::api_schema::config::*;
use proxmox_backup::server::rest::*; use proxmox_backup::server::{
use proxmox_backup::server; self,
auth::default_api_auth,
rest::*,
};
use proxmox_backup::tools::daemon; use proxmox_backup::tools::daemon;
use proxmox_backup::auth_helpers::*; use proxmox_backup::auth_helpers::*;
use proxmox_backup::config; use proxmox_backup::config;
@ -53,7 +56,11 @@ async fn run() -> Result<(), Error> {
let _ = csrf_secret(); // load with lazy_static let _ = csrf_secret(); // load with lazy_static
let mut config = server::ApiConfig::new( let mut config = server::ApiConfig::new(
buildcfg::JS_DIR, &proxmox_backup::api2::ROUTER, RpcEnvironmentType::PRIVILEGED)?; buildcfg::JS_DIR,
&proxmox_backup::api2::ROUTER,
RpcEnvironmentType::PRIVILEGED,
default_api_auth(),
)?;
let mut commando_sock = server::CommandoSocket::new(server::our_ctrl_sock()); let mut commando_sock = server::CommandoSocket::new(server::our_ctrl_sock());

7
src/bin/proxmox-backup-proxy.rs
View File

@ -14,6 +14,7 @@ use proxmox::api::RpcEnvironmentType;
use proxmox_backup::{ use proxmox_backup::{
backup::DataStore, backup::DataStore,
server::{ server::{
auth::default_api_auth,
WorkerTask, WorkerTask,
ApiConfig, ApiConfig,
rest::*, rest::*,
@ -84,7 +85,11 @@ async fn run() -> Result<(), Error> {
let _ = csrf_secret(); // load with lazy_static let _ = csrf_secret(); // load with lazy_static
let mut config = ApiConfig::new( let mut config = ApiConfig::new(
buildcfg::JS_DIR, &proxmox_backup::api2::ROUTER, RpcEnvironmentType::PUBLIC)?; buildcfg::JS_DIR,
&proxmox_backup::api2::ROUTER,
RpcEnvironmentType::PUBLIC,
default_api_auth(),
)?;
// Enable experimental tape UI if tape.cfg exists // Enable experimental tape UI if tape.cfg exists
if Path::new("/etc/proxmox-backup/tape.cfg").exists() { if Path::new("/etc/proxmox-backup/tape.cfg").exists() {

193
src/server/auth.rs
View File

@ -1,101 +1,140 @@
//! Provides authentication primitives for the HTTP server //! Provides authentication primitives for the HTTP server
use anyhow::{bail, format_err, Error}; use anyhow::{format_err, Error};
use std::sync::Arc;
use crate::tools::ticket::Ticket;
use crate::auth_helpers::*;
use crate::tools;
use crate::config::cached_user_info::CachedUserInfo;
use crate::api2::types::{Authid, Userid}; use crate::api2::types::{Authid, Userid};
use crate::auth_helpers::*;
use crate::config::cached_user_info::CachedUserInfo;
use crate::tools;
use crate::tools::ticket::Ticket;
use hyper::header; use hyper::header;
use percent_encoding::percent_decode_str; use percent_encoding::percent_decode_str;
pub struct UserAuthData { pub enum AuthError {
Generic(Error),
NoData,
}
impl From<Error> for AuthError {
fn from(err: Error) -> Self {
AuthError::Generic(err)
}
}
pub trait ApiAuth {
fn check_auth(
&self,
headers: &http::HeaderMap,
method: &hyper::Method,
user_info: &CachedUserInfo,
) -> Result<Authid, AuthError>;
}
struct UserAuthData {
ticket: String, ticket: String,
csrf_token: Option<String>, csrf_token: Option<String>,
} }
pub enum AuthData { enum AuthData {
User(UserAuthData), User(UserAuthData),
ApiToken(String), ApiToken(String),
} }
pub fn extract_auth_data(headers: &http::HeaderMap) -> Option<AuthData> { pub struct UserApiAuth {}
if let Some(raw_cookie) = headers.get(header::COOKIE) { pub fn default_api_auth() -> Arc<UserApiAuth> {
if let Ok(cookie) = raw_cookie.to_str() { Arc::new(UserApiAuth {})
if let Some(ticket) = tools::extract_cookie(cookie, "PBSAuthCookie") {
let csrf_token = match headers.get("CSRFPreventionToken").map(|v| v.to_str()) {
Some(Ok(v)) => Some(v.to_owned()),
_ => None,
};
return Some(AuthData::User(UserAuthData {
ticket,
csrf_token,
}));
}
}
}
match headers.get(header::AUTHORIZATION).map(|v| v.to_str()) {
Some(Ok(v)) => {
if v.starts_with("PBSAPIToken ") || v.starts_with("PBSAPIToken=") {
Some(AuthData::ApiToken(v["PBSAPIToken ".len()..].to_owned()))
} else {
None
}
},
_ => None,
}
} }
pub fn check_auth( impl UserApiAuth {
method: &hyper::Method, fn extract_auth_data(headers: &http::HeaderMap) -> Option<AuthData> {
auth_data: &AuthData, if let Some(raw_cookie) = headers.get(header::COOKIE) {
user_info: &CachedUserInfo, if let Ok(cookie) = raw_cookie.to_str() {
) -> Result<Authid, Error> { if let Some(ticket) = tools::extract_cookie(cookie, "PBSAuthCookie") {
match auth_data { let csrf_token = match headers.get("CSRFPreventionToken").map(|v| v.to_str()) {
AuthData::User(user_auth_data) => { Some(Ok(v)) => Some(v.to_owned()),
let ticket = user_auth_data.ticket.clone(); _ => None,
let ticket_lifetime = tools::ticket::TICKET_LIFETIME; };
return Some(AuthData::User(UserAuthData { ticket, csrf_token }));
let userid: Userid = Ticket::<super::ticket::ApiTicket>::parse(&ticket)?
.verify_with_time_frame(public_auth_key(), "PBS", None, -300..ticket_lifetime)?
.require_full()?;
let auth_id = Authid::from(userid.clone());
if !user_info.is_active_auth_id(&auth_id) {
bail!("user account disabled or expired.");
}
if method != hyper::Method::GET {
if let Some(csrf_token) = &user_auth_data.csrf_token {
verify_csrf_prevention_token(csrf_secret(), &userid, &csrf_token, -300, ticket_lifetime)?;
} else {
bail!("missing CSRF prevention token");
} }
} }
}
Ok(auth_id) match headers.get(header::AUTHORIZATION).map(|v| v.to_str()) {
}, Some(Ok(v)) => {
AuthData::ApiToken(api_token) => { if v.starts_with("PBSAPIToken ") || v.starts_with("PBSAPIToken=") {
let mut parts = api_token.splitn(2, ':'); Some(AuthData::ApiToken(v["PBSAPIToken ".len()..].to_owned()))
let tokenid = parts.next() } else {
.ok_or_else(|| format_err!("failed to split API token header"))?; None
let tokenid: Authid = tokenid.parse()?; }
if !user_info.is_active_auth_id(&tokenid) {
bail!("user account or token disabled or expired.");
} }
_ => None,
let tokensecret = parts.next() }
.ok_or_else(|| format_err!("failed to split API token header"))?; }
let tokensecret = percent_decode_str(tokensecret) }
.decode_utf8()
.map_err(|_| format_err!("failed to decode API token header"))?; impl ApiAuth for UserApiAuth {
fn check_auth(
crate::config::token_shadow::verify_secret(&tokenid, &tokensecret)?; &self,
headers: &http::HeaderMap,
Ok(tokenid) method: &hyper::Method,
user_info: &CachedUserInfo,
) -> Result<Authid, AuthError> {
let auth_data = Self::extract_auth_data(headers);
match auth_data {
Some(AuthData::User(user_auth_data)) => {
let ticket = user_auth_data.ticket.clone();
let ticket_lifetime = tools::ticket::TICKET_LIFETIME;
let userid: Userid = Ticket::<super::ticket::ApiTicket>::parse(&ticket)?
.verify_with_time_frame(public_auth_key(), "PBS", None, -300..ticket_lifetime)?
.require_full()?;
let auth_id = Authid::from(userid.clone());
if !user_info.is_active_auth_id(&auth_id) {
return Err(format_err!("user account disabled or expired.").into());
}
if method != hyper::Method::GET {
if let Some(csrf_token) = &user_auth_data.csrf_token {
verify_csrf_prevention_token(
csrf_secret(),
&userid,
&csrf_token,
-300,
ticket_lifetime,
)?;
} else {
return Err(format_err!("missing CSRF prevention token").into());
}
}
Ok(auth_id)
}
Some(AuthData::ApiToken(api_token)) => {
let mut parts = api_token.splitn(2, ':');
let tokenid = parts
.next()
.ok_or_else(|| format_err!("failed to split API token header"))?;
let tokenid: Authid = tokenid.parse()?;
if !user_info.is_active_auth_id(&tokenid) {
return Err(format_err!("user account or token disabled or expired.").into());
}
let tokensecret = parts
.next()
.ok_or_else(|| format_err!("failed to split API token header"))?;
let tokensecret = percent_decode_str(tokensecret)
.decode_utf8()
.map_err(|_| format_err!("failed to decode API token header"))?;
crate::config::token_shadow::verify_secret(&tokenid, &tokensecret)?;
Ok(tokenid)
}
None => Err(AuthError::NoData),
} }
} }
} }

13
src/server/config.rs
View File

@ -13,6 +13,7 @@ use proxmox::api::{ApiMethod, Router, RpcEnvironmentType};
use proxmox::tools::fs::{create_path, CreateOptions}; use proxmox::tools::fs::{create_path, CreateOptions};
use crate::tools::{FileLogger, FileLogOptions}; use crate::tools::{FileLogger, FileLogOptions};
use super::auth::ApiAuth;
pub struct ApiConfig { pub struct ApiConfig {
basedir: PathBuf, basedir: PathBuf,
@ -23,11 +24,16 @@ pub struct ApiConfig {
template_files: RwLock<HashMap<String, (SystemTime, PathBuf)>>, template_files: RwLock<HashMap<String, (SystemTime, PathBuf)>>,
request_log: Option<Arc<Mutex<FileLogger>>>, request_log: Option<Arc<Mutex<FileLogger>>>,
pub enable_tape_ui: bool, pub enable_tape_ui: bool,
pub api_auth: Arc<dyn ApiAuth + Send + Sync>,
} }
impl ApiConfig { impl ApiConfig {
pub fn new<B: Into<PathBuf>>(
pub fn new<B: Into<PathBuf>>(basedir: B, router: &'static Router, env_type: RpcEnvironmentType) -> Result<Self, Error> { basedir: B,
router: &'static Router,
env_type: RpcEnvironmentType,
api_auth: Arc<dyn ApiAuth + Send + Sync>,
) -> Result<Self, Error> {
Ok(Self { Ok(Self {
basedir: basedir.into(), basedir: basedir.into(),
router, router,
@ -37,7 +43,8 @@ impl ApiConfig {
template_files: RwLock::new(HashMap::new()), template_files: RwLock::new(HashMap::new()),
request_log: None, request_log: None,
enable_tape_ui: false, enable_tape_ui: false,
}) api_auth,
})
} }
pub fn find_method( pub fn find_method(

34
src/server/rest.rs
View File

@ -30,10 +30,10 @@ use proxmox::api::{
}; };
use proxmox::http_err; use proxmox::http_err;
use super::auth::AuthError;
use super::environment::RestEnvironment; use super::environment::RestEnvironment;
use super::formatter::*; use super::formatter::*;
use super::ApiConfig; use super::ApiConfig;
use super::auth::{check_auth, extract_auth_data};
use crate::api2::types::{Authid, Userid}; use crate::api2::types::{Authid, Userid};
use crate::auth_helpers::*; use crate::auth_helpers::*;
@ -678,6 +678,7 @@ async fn handle_request(
rpcenv.set_client_ip(Some(*peer)); rpcenv.set_client_ip(Some(*peer));
let user_info = CachedUserInfo::new()?; let user_info = CachedUserInfo::new()?;
let auth = &api.api_auth;
let delay_unauth_time = std::time::Instant::now() + std::time::Duration::from_millis(3000); let delay_unauth_time = std::time::Instant::now() + std::time::Duration::from_millis(3000);
let access_forbidden_time = std::time::Instant::now() + std::time::Duration::from_millis(500); let access_forbidden_time = std::time::Instant::now() + std::time::Duration::from_millis(500);
@ -703,13 +704,15 @@ async fn handle_request(
} }
if auth_required { if auth_required {
let auth_result = match extract_auth_data(&parts.headers) { match auth.check_auth(&parts.headers, &method, &user_info) {
Some(auth_data) => check_auth(&method, &auth_data, &user_info),
None => Err(format_err!("no authentication credentials provided.")),
};
match auth_result {
Ok(authid) => rpcenv.set_auth_id(Some(authid.to_string())), Ok(authid) => rpcenv.set_auth_id(Some(authid.to_string())),
Err(err) => { Err(auth_err) => {
let err = match auth_err {
AuthError::Generic(err) => err,
AuthError::NoData => {
format_err!("no authentication credentials provided.")
}
};
let peer = peer.ip(); let peer = peer.ip();
auth_logger()?.log(format!( auth_logger()?.log(format!(
"authentication failure; rhost={} msg={}", "authentication failure; rhost={} msg={}",
@ -772,9 +775,9 @@ async fn handle_request(
if comp_len == 0 { if comp_len == 0 {
let language = extract_lang_header(&parts.headers); let language = extract_lang_header(&parts.headers);
if let Some(auth_data) = extract_auth_data(&parts.headers) { match auth.check_auth(&parts.headers, &method, &user_info) {
match check_auth(&method, &auth_data, &user_info) { Ok(auth_id) => {
Ok(auth_id) if !auth_id.is_token() => { if !auth_id.is_token() {
let userid = auth_id.user(); let userid = auth_id.user();
let new_csrf_token = assemble_csrf_prevention_token(csrf_secret(), userid); let new_csrf_token = assemble_csrf_prevention_token(csrf_secret(), userid);
return Ok(get_index( return Ok(get_index(
@ -785,14 +788,13 @@ async fn handle_request(
parts, parts,
)); ));
} }
_ => {
tokio::time::sleep_until(Instant::from_std(delay_unauth_time)).await;
return Ok(get_index(None, None, language, &api, parts));
}
} }
} else { Err(AuthError::Generic(_)) => {
return Ok(get_index(None, None, language, &api, parts)); tokio::time::sleep_until(Instant::from_std(delay_unauth_time)).await;
}
Err(AuthError::NoData) => {}
} }
return Ok(get_index(None, None, language, &api, parts));
} else { } else {
let filename = api.find_alias(&components); let filename = api.find_alias(&components);
let compression = extract_compression_method(&parts.headers); let compression = extract_compression_method(&parts.headers);