rest server: return UserInformation from ApiAuth::check_auth

This need impl UserInformation for Arc<CachedUserInfo> which is implemented
with proxmox 0.13.2

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
This commit is contained in:
Dietmar Maurer 2021-09-21 07:58:48 +02:00 committed by Thomas Lamprecht
parent 7fa9a37c7c
commit 98b7d58b94
4 changed files with 39 additions and 12 deletions

View File

@ -3,6 +3,7 @@ use std::os::unix::io::RawFd;
use anyhow::{bail, format_err, Error};
use proxmox::tools::fd::Fd;
use proxmox::api::UserInformation;
mod compression;
pub use compression::*;
@ -41,7 +42,7 @@ pub trait ApiAuth {
&self,
headers: &http::HeaderMap,
method: &hyper::Method,
) -> Result<String, AuthError>;
) -> Result<(String, Box<dyn UserInformation + Sync + Send>), AuthError>;
}
static mut SHUTDOWN_REQUESTED: bool = false;

View File

@ -4,10 +4,22 @@ use std::io::prelude::*;
use anyhow::{bail, format_err, Error};
use proxmox::api::UserInformation;
use proxmox_rest_server::{ApiAuth, AuthError};
const TICKET_FILE: &str = "/ticket";
struct SimpleUserInformation {}
impl UserInformation for SimpleUserInformation {
fn is_superuser(&self, userid: &str) -> bool {
userid == "root@pam"
}
fn is_group_member(&self, _userid: &str, _group: &str) -> bool { false }
fn lookup_privs(&self, _userid: &str, _path: &[&str]) -> u64 { 0 }
}
pub struct StaticAuth {
ticket: String,
}
@ -17,10 +29,10 @@ impl ApiAuth for StaticAuth {
&self,
headers: &http::HeaderMap,
_method: &hyper::Method,
) -> Result<String, AuthError> {
) -> Result<(String, Box<dyn UserInformation + Send + Sync>), AuthError> {
match headers.get(hyper::header::AUTHORIZATION) {
Some(header) if header.to_str().unwrap_or("") == &self.ticket => {
Ok(String::from("root@pam"))
Ok((String::from("root@pam"), Box::new(SimpleUserInformation {})))
}
_ => {
return Err(AuthError::Generic(format_err!(

View File

@ -3,6 +3,8 @@ use anyhow::format_err;
use std::sync::Arc;
use proxmox::api::UserInformation;
use pbs_tools::ticket::{self, Ticket};
use pbs_config::{token_shadow, CachedUserInfo};
use pbs_api_types::{Authid, Userid};
@ -56,11 +58,12 @@ impl UserApiAuth {
}
impl ApiAuth for UserApiAuth {
fn check_auth(
&self,
headers: &http::HeaderMap,
method: &hyper::Method,
) -> Result<String, AuthError> {
) -> Result<(String, Box<dyn UserInformation + Sync + Send>), AuthError> {
let user_info = CachedUserInfo::new()?;
@ -93,7 +96,7 @@ impl ApiAuth for UserApiAuth {
}
}
Ok(auth_id.to_string())
Ok((auth_id.to_string(), Box::new(user_info)))
}
Some(AuthData::ApiToken(api_token)) => {
let mut parts = api_token.splitn(2, ':');
@ -115,7 +118,7 @@ impl ApiAuth for UserApiAuth {
token_shadow::verify_secret(&tokenid, &tokensecret)?;
Ok(tokenid.to_string())
Ok((tokenid.to_string(), Box::new(user_info)))
}
None => Err(AuthError::NoData),
}

View File

@ -26,7 +26,7 @@ use proxmox::api::schema::{
};
use proxmox::api::{
check_api_permission, ApiHandler, ApiMethod, HttpError, Permission, RpcEnvironment,
RpcEnvironmentType,
RpcEnvironmentType, UserInformation,
};
use proxmox::http_err;
use proxmox::tools::fs::CreateOptions;
@ -40,12 +40,18 @@ use proxmox_rest_server::{
};
use proxmox_rest_server::formatter::*;
use pbs_config::CachedUserInfo;
extern "C" {
fn tzset();
}
struct EmptyUserInformation {}
impl UserInformation for EmptyUserInformation {
fn is_superuser(&self, _userid: &str) -> bool { false }
fn is_group_member(&self, _userid: &str, _group: &str) -> bool { false }
fn lookup_privs(&self, _userid: &str, _path: &[&str]) -> u64 { 0 }
}
pub struct RestServer {
pub api_config: Arc<ApiConfig>,
}
@ -652,9 +658,14 @@ async fn handle_request(
}
}
let mut user_info: Box<dyn UserInformation + Send + Sync> = Box::new(EmptyUserInformation {});
if auth_required {
match auth.check_auth(&parts.headers, &method) {
Ok(authid) => rpcenv.set_auth_id(Some(authid)),
Ok((authid, info)) => {
rpcenv.set_auth_id(Some(authid));
user_info = info;
}
Err(auth_err) => {
let err = match auth_err {
AuthError::Generic(err) => err,
@ -683,7 +694,7 @@ async fn handle_request(
}
Some(api_method) => {
let auth_id = rpcenv.get_auth_id();
let user_info = CachedUserInfo::new()?;
let user_info = user_info;
if !check_api_permission(
api_method.access.permission,
@ -727,7 +738,7 @@ async fn handle_request(
if comp_len == 0 {
let language = extract_lang_header(&parts.headers);
match auth.check_auth(&parts.headers, &method) {
Ok(auth_id) => {
Ok((auth_id, _user_info)) => {
return Ok(api.get_index(Some(auth_id), language, parts));
}
Err(AuthError::Generic(_)) => {