rest server: return UserInformation from ApiAuth::check_auth
This needs an `impl UserInformation for Arc<CachedUserInfo>`, which is implemented as of proxmox 0.13.2. Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
parent
7fa9a37c7c
commit
98b7d58b94
@ -3,6 +3,7 @@ use std::os::unix::io::RawFd;
|
|||||||
use anyhow::{bail, format_err, Error};
|
use anyhow::{bail, format_err, Error};
|
||||||
|
|
||||||
use proxmox::tools::fd::Fd;
|
use proxmox::tools::fd::Fd;
|
||||||
|
use proxmox::api::UserInformation;
|
||||||
|
|
||||||
mod compression;
|
mod compression;
|
||||||
pub use compression::*;
|
pub use compression::*;
|
||||||
@ -41,7 +42,7 @@ pub trait ApiAuth {
|
|||||||
&self,
|
&self,
|
||||||
headers: &http::HeaderMap,
|
headers: &http::HeaderMap,
|
||||||
method: &hyper::Method,
|
method: &hyper::Method,
|
||||||
) -> Result<String, AuthError>;
|
) -> Result<(String, Box<dyn UserInformation + Sync + Send>), AuthError>;
|
||||||
}
|
}
|
||||||
|
|
||||||
static mut SHUTDOWN_REQUESTED: bool = false;
|
static mut SHUTDOWN_REQUESTED: bool = false;
|
||||||
|
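Review bot: The new `check_auth` signature in the second hunk returns a `UserInformation` next to the auth id but has no doc comment stating what the server does with it, and that contract is security-relevant: the rest server appears to hand the returned object to the later permission check for the same request, so an implementer must return the same view of users and ACLs the credential was validated against, not a fresh or partial one. A `///` doc on the trait method would pin this down, e.g. `/// Authenticate the request from its headers; returns the resolved auth id together with the UserInformation the server consults when authorizing this same request, so implementations should return the snapshot used during authentication.` The trait declaration and any trait-level docs start above the hunk and are not visible here. The `Sync + Send` ordering used here also differs from the `Send + Sync` spelled out in the implementations elsewhere in this commit; both compile identically, but one spelling would read more consistently.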
@ -4,10 +4,22 @@ use std::io::prelude::*;
|
|||||||
|
|
||||||
use anyhow::{bail, format_err, Error};
|
use anyhow::{bail, format_err, Error};
|
||||||
|
|
||||||
|
use proxmox::api::UserInformation;
|
||||||
|
|
||||||
use proxmox_rest_server::{ApiAuth, AuthError};
|
use proxmox_rest_server::{ApiAuth, AuthError};
|
||||||
|
|
||||||
const TICKET_FILE: &str = "/ticket";
|
const TICKET_FILE: &str = "/ticket";
|
||||||
|
|
||||||
|
struct SimpleUserInformation {}
|
||||||
|
|
||||||
|
impl UserInformation for SimpleUserInformation {
|
||||||
|
fn is_superuser(&self, userid: &str) -> bool {
|
||||||
|
userid == "root@pam"
|
||||||
|
}
|
||||||
|
fn is_group_member(&self, _userid: &str, _group: &str) -> bool { false }
|
||||||
|
fn lookup_privs(&self, _userid: &str, _path: &[&str]) -> u64 { 0 }
|
||||||
|
}
|
||||||
|
|
||||||
pub struct StaticAuth {
|
pub struct StaticAuth {
|
||||||
ticket: String,
|
ticket: String,
|
||||||
}
|
}
|
||||||
@ -17,10 +29,10 @@ impl ApiAuth for StaticAuth {
|
|||||||
&self,
|
&self,
|
||||||
headers: &http::HeaderMap,
|
headers: &http::HeaderMap,
|
||||||
_method: &hyper::Method,
|
_method: &hyper::Method,
|
||||||
) -> Result<String, AuthError> {
|
) -> Result<(String, Box<dyn UserInformation + Send + Sync>), AuthError> {
|
||||||
match headers.get(hyper::header::AUTHORIZATION) {
|
match headers.get(hyper::header::AUTHORIZATION) {
|
||||||
Some(header) if header.to_str().unwrap_or("") == &self.ticket => {
|
Some(header) if header.to_str().unwrap_or("") == &self.ticket => {
|
||||||
Ok(String::from("root@pam"))
|
Ok((String::from("root@pam"), Box::new(SimpleUserInformation {})))
|
||||||
}
|
}
|
||||||
_ => {
|
_ => {
|
||||||
return Err(AuthError::Generic(format_err!(
|
return Err(AuthError::Generic(format_err!(
|
||||||
|
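Review bot: `SimpleUserInformation::is_superuser` hard-codes `"root@pam"` a second time, duplicating the literal that `check_auth` returns as the auth id in the second hunk; if one copy is ever edited, the authenticated identity and the superuser decision silently diverge. Hoist it into a file-level `const ROOT_USERID: &str = "root@pam";` and use it in both `userid == ROOT_USERID` and `Ok((String::from(ROOT_USERID), Box::new(SimpleUserInformation {})))`. A one-line `///` on the struct saying that it grants superuser to exactly that identity and nothing else (no group membership, no path privileges) would also help, since a reader may assume it mirrors the real `CachedUserInfo` policy. Pre-existing and not part of this change, the ticket match on the context line compares the `Authorization` header with `==`, which is not constant-time; whether that matters depends on where `StaticAuth` runs, which is not visible from the hunk.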
@ -3,6 +3,8 @@ use anyhow::format_err;
|
|||||||
|
|
||||||
use std::sync::Arc;
|
use std::sync::Arc;
|
||||||
|
|
||||||
|
use proxmox::api::UserInformation;
|
||||||
|
|
||||||
use pbs_tools::ticket::{self, Ticket};
|
use pbs_tools::ticket::{self, Ticket};
|
||||||
use pbs_config::{token_shadow, CachedUserInfo};
|
use pbs_config::{token_shadow, CachedUserInfo};
|
||||||
use pbs_api_types::{Authid, Userid};
|
use pbs_api_types::{Authid, Userid};
|
||||||
@ -56,11 +58,12 @@ impl UserApiAuth {
|
|||||||
}
|
}
|
||||||
|
|
||||||
impl ApiAuth for UserApiAuth {
|
impl ApiAuth for UserApiAuth {
|
||||||
|
|
||||||
fn check_auth(
|
fn check_auth(
|
||||||
&self,
|
&self,
|
||||||
headers: &http::HeaderMap,
|
headers: &http::HeaderMap,
|
||||||
method: &hyper::Method,
|
method: &hyper::Method,
|
||||||
) -> Result<String, AuthError> {
|
) -> Result<(String, Box<dyn UserInformation + Sync + Send>), AuthError> {
|
||||||
|
|
||||||
let user_info = CachedUserInfo::new()?;
|
let user_info = CachedUserInfo::new()?;
|
||||||
|
|
||||||
@ -93,7 +96,7 @@ impl ApiAuth for UserApiAuth {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
Ok(auth_id.to_string())
|
Ok((auth_id.to_string(), Box::new(user_info)))
|
||||||
}
|
}
|
||||||
Some(AuthData::ApiToken(api_token)) => {
|
Some(AuthData::ApiToken(api_token)) => {
|
||||||
let mut parts = api_token.splitn(2, ':');
|
let mut parts = api_token.splitn(2, ':');
|
||||||
@ -115,7 +118,7 @@ impl ApiAuth for UserApiAuth {
|
|||||||
|
|
||||||
token_shadow::verify_secret(&tokenid, &tokensecret)?;
|
token_shadow::verify_secret(&tokenid, &tokensecret)?;
|
||||||
|
|
||||||
Ok(tokenid.to_string())
|
Ok((tokenid.to_string(), Box::new(user_info)))
|
||||||
}
|
}
|
||||||
None => Err(AuthError::NoData),
|
None => Err(AuthError::NoData),
|
||||||
}
|
}
|
||||||
|
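Review bot: Both new `Ok((..., Box::new(user_info)))` returns hand back the single `CachedUserInfo` created by `CachedUserInfo::new()?` at the top of `check_auth`, which is the right choice — the authorization step then works from the same cached user/ACL state this authentication saw — but nothing in the code says the sameness is intentional rather than incidental. A `//` comment on the `let user_info = CachedUserInfo::new()?;` line would protect it, e.g. `// one CachedUserInfo per request: returned so the later permission check decides against the same user/ACL state this authentication used`. The commit message says `UserInformation` is implemented for `Arc<CachedUserInfo>`, so `Box::new(user_info)` wraps an `Arc` in a `Box`; harmless, though returning `Arc<dyn UserInformation>` from the trait would avoid the double indirection if it is ever revisited. The body of `check_auth` between the hunks, including how `user_info` is used there, is outside this view.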
@ -26,7 +26,7 @@ use proxmox::api::schema::{
|
|||||||
};
|
};
|
||||||
use proxmox::api::{
|
use proxmox::api::{
|
||||||
check_api_permission, ApiHandler, ApiMethod, HttpError, Permission, RpcEnvironment,
|
check_api_permission, ApiHandler, ApiMethod, HttpError, Permission, RpcEnvironment,
|
||||||
RpcEnvironmentType,
|
RpcEnvironmentType, UserInformation,
|
||||||
};
|
};
|
||||||
use proxmox::http_err;
|
use proxmox::http_err;
|
||||||
use proxmox::tools::fs::CreateOptions;
|
use proxmox::tools::fs::CreateOptions;
|
||||||
@ -40,12 +40,18 @@ use proxmox_rest_server::{
|
|||||||
};
|
};
|
||||||
use proxmox_rest_server::formatter::*;
|
use proxmox_rest_server::formatter::*;
|
||||||
|
|
||||||
use pbs_config::CachedUserInfo;
|
|
||||||
|
|
||||||
extern "C" {
|
extern "C" {
|
||||||
fn tzset();
|
fn tzset();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
struct EmptyUserInformation {}
|
||||||
|
|
||||||
|
impl UserInformation for EmptyUserInformation {
|
||||||
|
fn is_superuser(&self, _userid: &str) -> bool { false }
|
||||||
|
fn is_group_member(&self, _userid: &str, _group: &str) -> bool { false }
|
||||||
|
fn lookup_privs(&self, _userid: &str, _path: &[&str]) -> u64 { 0 }
|
||||||
|
}
|
||||||
|
|
||||||
pub struct RestServer {
|
pub struct RestServer {
|
||||||
pub api_config: Arc<ApiConfig>,
|
pub api_config: Arc<ApiConfig>,
|
||||||
}
|
}
|
||||||
@ -652,9 +658,14 @@ async fn handle_request(
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
let mut user_info: Box<dyn UserInformation + Send + Sync> = Box::new(EmptyUserInformation {});
|
||||||
|
|
||||||
if auth_required {
|
if auth_required {
|
||||||
match auth.check_auth(&parts.headers, &method) {
|
match auth.check_auth(&parts.headers, &method) {
|
||||||
Ok(authid) => rpcenv.set_auth_id(Some(authid)),
|
Ok((authid, info)) => {
|
||||||
|
rpcenv.set_auth_id(Some(authid));
|
||||||
|
user_info = info;
|
||||||
|
}
|
||||||
Err(auth_err) => {
|
Err(auth_err) => {
|
||||||
let err = match auth_err {
|
let err = match auth_err {
|
||||||
AuthError::Generic(err) => err,
|
AuthError::Generic(err) => err,
|
||||||
@ -683,7 +694,7 @@ async fn handle_request(
|
|||||||
}
|
}
|
||||||
Some(api_method) => {
|
Some(api_method) => {
|
||||||
let auth_id = rpcenv.get_auth_id();
|
let auth_id = rpcenv.get_auth_id();
|
||||||
let user_info = CachedUserInfo::new()?;
|
let user_info = user_info;
|
||||||
|
|
||||||
if !check_api_permission(
|
if !check_api_permission(
|
||||||
api_method.access.permission,
|
api_method.access.permission,
|
||||||
@ -727,7 +738,7 @@ async fn handle_request(
|
|||||||
if comp_len == 0 {
|
if comp_len == 0 {
|
||||||
let language = extract_lang_header(&parts.headers);
|
let language = extract_lang_header(&parts.headers);
|
||||||
match auth.check_auth(&parts.headers, &method) {
|
match auth.check_auth(&parts.headers, &method) {
|
||||||
Ok(auth_id) => {
|
Ok((auth_id, _user_info)) => {
|
||||||
return Ok(api.get_index(Some(auth_id), language, parts));
|
return Ok(api.get_index(Some(auth_id), language, parts));
|
||||||
}
|
}
|
||||||
Err(AuthError::Generic(_)) => {
|
Err(AuthError::Generic(_)) => {
|
||||||
|
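Review bot: `EmptyUserInformation`, added above `RestServer`, is the fail-closed default for requests where `auth_required` is false — every method returns `false`/`0`, so a permission check against it presumably only passes for permissions that need no privileges — yet it carries no doc comment saying so, and a deny-all stub is exactly what a later contributor might "complete" with real lookups. Suggest `/// Deny-all UserInformation for requests that skipped authentication: no superuser, no groups, no privileges, so permission checks fail closed.` on the struct. In the `Some(api_method)` hunk, `let user_info = user_info;` is a leftover of the replaced `CachedUserInfo::new()?` line and can be deleted, since the outer `user_info` binding is already in scope; the `check_api_permission` call that consumes it continues outside the hunk. `struct EmptyUserInformation {}` could also be the unit struct `struct EmptyUserInformation;` with `Box::new(EmptyUserInformation)`, matching common Rust style.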