tyler/proxmox-backup
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

cleanup User configuration: use Updater

Browse Source
This commit is contained in:
Dietmar Maurer 2021-09-09 13:14:28 +02:00
parent 8cc3760e74
commit b65dfff574
9 changed files with 90 additions and 149 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
pbs-api-types/src/lib.rs
View File

@ -61,10 +61,7 @@ pub use userid::{PROXMOX_GROUP_ID_SCHEMA, PROXMOX_TOKEN_ID_SCHEMA, PROXMOX_TOKEN
#[macro_use] #[macro_use]
mod user; mod user;
pub use user::{ApiToken, User, UserWithTokens}; pub use user::*;
pub use user::{
EMAIL_SCHEMA, ENABLE_USER_SCHEMA, EXPIRE_USER_SCHEMA, FIRST_NAME_SCHEMA, LAST_NAME_SCHEMA,
};
pub mod upid; pub mod upid;
pub use upid::UPID; pub use upid::UPID;

7
pbs-api-types/src/user.rs
View File

@ -1,7 +1,9 @@
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
use proxmox::api::api; use proxmox::api::api;
use proxmox::api::schema::{BooleanSchema, IntegerSchema, Schema, StringSchema}; use proxmox::api::schema::{
BooleanSchema, IntegerSchema, Schema, StringSchema, Updater,
};
use super::{SINGLE_LINE_COMMENT_FORMAT, SINGLE_LINE_COMMENT_SCHEMA}; use super::{SINGLE_LINE_COMMENT_FORMAT, SINGLE_LINE_COMMENT_SCHEMA};
use super::userid::{Authid, Userid, PROXMOX_TOKEN_ID_SCHEMA}; use super::userid::{Authid, Userid, PROXMOX_TOKEN_ID_SCHEMA};
@ -171,9 +173,10 @@ impl ApiToken {
}, },
} }
)] )]
#[derive(Serialize,Deserialize)] #[derive(Serialize,Deserialize,Updater)]
/// User properties. /// User properties.
pub struct User { pub struct User {
#[updater(skip)]
pub userid: Userid, pub userid: Userid,
#[serde(skip_serializing_if="Option::is_none")] #[serde(skip_serializing_if="Option::is_none")]
pub comment: Option<String>, pub comment: Option<String>,

5
src/api2/access/openid.rs
View File

@ -12,18 +12,17 @@ use proxmox::{identity, sortable};
use proxmox_openid::{OpenIdAuthenticator, OpenIdConfig}; use proxmox_openid::{OpenIdAuthenticator, OpenIdConfig};
use pbs_api_types::{Userid, User, REALM_ID_SCHEMA};
use pbs_buildcfg::PROXMOX_BACKUP_RUN_DIR_M; use pbs_buildcfg::PROXMOX_BACKUP_RUN_DIR_M;
use pbs_tools::auth::private_auth_key; use pbs_tools::auth::private_auth_key;
use pbs_tools::ticket::Ticket; use pbs_tools::ticket::Ticket;
use pbs_config::domains::{OpenIdUserAttribute, OpenIdRealmConfig}; use pbs_config::domains::{OpenIdUserAttribute, OpenIdRealmConfig};
use crate::server::ticket::ApiTicket; use crate::server::ticket::ApiTicket;
use crate::config::cached_user_info::CachedUserInfo; use crate::config::cached_user_info::CachedUserInfo;
use pbs_config::open_backup_lockfile; use pbs_config::open_backup_lockfile;
use crate::api2::types::*;
use crate::auth_helpers::*; use crate::auth_helpers::*;
fn openid_authenticator(realm_config: &OpenIdRealmConfig, redirect_url: &str) -> Result<OpenIdAuthenticator, Error> { fn openid_authenticator(realm_config: &OpenIdRealmConfig, redirect_url: &str) -> Result<OpenIdAuthenticator, Error> {
@ -119,7 +118,7 @@ pub fn openid_login(
if config.autocreate.unwrap_or(false) { if config.autocreate.unwrap_or(false) {
use crate::config::user; use crate::config::user;
let _lock = open_backup_lockfile(user::USER_CFG_LOCKFILE, None, true)?; let _lock = open_backup_lockfile(user::USER_CFG_LOCKFILE, None, true)?;
let user = user::User { let user = User {
userid: user_id.clone(), userid: user_id.clone(),
comment: None, comment: None,
enable: None, enable: None,

4
src/api2/access/tfa.rs
View File

@ -7,7 +7,7 @@ use proxmox::api::{api, Permission, Router, RpcEnvironment};
use proxmox::tools::tfa::totp::Totp; use proxmox::tools::tfa::totp::Totp;
use proxmox::{http_bail, http_err}; use proxmox::{http_bail, http_err};
use pbs_api_types::{Authid, Userid, PASSWORD_SCHEMA, PRIV_PERMISSIONS_MODIFY, PRIV_SYS_AUDIT}; use pbs_api_types::{Authid, Userid, User, PASSWORD_SCHEMA, PRIV_PERMISSIONS_MODIFY, PRIV_SYS_AUDIT};
use crate::config::cached_user_info::CachedUserInfo; use crate::config::cached_user_info::CachedUserInfo;
use crate::config::tfa::{TfaInfo, TfaUserData}; use crate::config::tfa::{TfaInfo, TfaUserData};
@ -37,7 +37,7 @@ fn tfa_update_auth(
let (config, _digest) = crate::config::user::config()?; let (config, _digest) = crate::config::user::config()?;
if config if config
.lookup::<crate::config::user::User>("user", userid.as_str()) .lookup::<User>("user", userid.as_str())
.is_err() .is_err()
{ {
http_bail!(UNAUTHORIZED, "user '{}' does not exists.", userid); http_bail!(UNAUTHORIZED, "user '{}' does not exists.", userid);

191
src/api2/access/user.rs
View File

@ -7,25 +7,18 @@ use std::collections::HashMap;
use proxmox::api::{api, ApiMethod, Router, RpcEnvironment, Permission}; use proxmox::api::{api, ApiMethod, Router, RpcEnvironment, Permission};
use proxmox::api::router::SubdirMap; use proxmox::api::router::SubdirMap;
use proxmox::api::schema::{Schema, StringSchema};
use pbs_api_types::{ use pbs_api_types::{
PASSWORD_FORMAT, PROXMOX_CONFIG_DIGEST_SCHEMA, SINGLE_LINE_COMMENT_SCHEMA, Authid, PROXMOX_CONFIG_DIGEST_SCHEMA, SINGLE_LINE_COMMENT_SCHEMA, Authid,
Tokenname, UserWithTokens, Userid, PRIV_SYS_AUDIT, PRIV_PERMISSIONS_MODIFY, Tokenname, UserWithTokens, Userid, User, UserUpdater, ApiToken,
ENABLE_USER_SCHEMA, EXPIRE_USER_SCHEMA, PBS_PASSWORD_SCHEMA,
PRIV_SYS_AUDIT, PRIV_PERMISSIONS_MODIFY,
}; };
use pbs_config::token_shadow; use pbs_config::token_shadow;
use pbs_config::open_backup_lockfile;
use crate::config::user;
use crate::config::cached_user_info::CachedUserInfo; use crate::config::cached_user_info::CachedUserInfo;
pub const PBS_PASSWORD_SCHEMA: Schema = StringSchema::new("User Password.") fn new_user_with_tokens(user: User) -> UserWithTokens {
.format(&PASSWORD_FORMAT)
.min_length(5)
.max_length(64)
.schema();
fn new_user_with_tokens(user: user::User) -> UserWithTokens {
UserWithTokens { UserWithTokens {
userid: user.userid, userid: user.userid,
comment: user.comment, comment: user.comment,
@ -66,7 +59,7 @@ pub fn list_users(
mut rpcenv: &mut dyn RpcEnvironment, mut rpcenv: &mut dyn RpcEnvironment,
) -> Result<Vec<UserWithTokens>, Error> { ) -> Result<Vec<UserWithTokens>, Error> {
let (config, digest) = user::config()?; let (config, digest) = crate::config::user::config()?;
let auth_id: Authid = rpcenv let auth_id: Authid = rpcenv
.get_auth_id() .get_auth_id()
@ -80,23 +73,23 @@ pub fn list_users(
let top_level_privs = user_info.lookup_privs(&auth_id, &["access", "users"]); let top_level_privs = user_info.lookup_privs(&auth_id, &["access", "users"]);
let top_level_allowed = (top_level_privs & PRIV_SYS_AUDIT) != 0; let top_level_allowed = (top_level_privs & PRIV_SYS_AUDIT) != 0;
let filter_by_privs = |user: &user::User| { let filter_by_privs = |user: &User| {
top_level_allowed || user.userid == *userid top_level_allowed || user.userid == *userid
}; };
let list:Vec<user::User> = config.convert_to_typed_array("user")?; let list:Vec<User> = config.convert_to_typed_array("user")?;
rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into(); rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();
let iter = list.into_iter().filter(filter_by_privs); let iter = list.into_iter().filter(filter_by_privs);
let list = if include_tokens { let list = if include_tokens {
let tokens: Vec<user::ApiToken> = config.convert_to_typed_array("token")?; let tokens: Vec<ApiToken> = config.convert_to_typed_array("token")?;
let mut user_to_tokens = tokens let mut user_to_tokens = tokens
.into_iter() .into_iter()
.fold( .fold(
HashMap::new(), HashMap::new(),
|mut map: HashMap<Userid, Vec<user::ApiToken>>, token: user::ApiToken| { |mut map: HashMap<Userid, Vec<ApiToken>>, token: ApiToken| {
if token.tokenid.is_token() { if token.tokenid.is_token() {
map map
.entry(token.tokenid.user().clone()) .entry(token.tokenid.user().clone())
@ -106,7 +99,7 @@ pub fn list_users(
map map
}); });
iter iter
.map(|user: user::User| { .map(|user: User| {
let mut user = new_user_with_tokens(user); let mut user = new_user_with_tokens(user);
user.tokens = user_to_tokens.remove(&user.userid).unwrap_or_default(); user.tokens = user_to_tokens.remove(&user.userid).unwrap_or_default();
user user
@ -124,37 +117,14 @@ pub fn list_users(
protected: true, protected: true,
input: { input: {
properties: { properties: {
userid: { config: {
type: Userid, type: User,
}, flatten: true,
comment: {
schema: SINGLE_LINE_COMMENT_SCHEMA,
optional: true,
}, },
password: { password: {
schema: PBS_PASSWORD_SCHEMA, schema: PBS_PASSWORD_SCHEMA,
optional: true, optional: true,
}, },
enable: {
schema: user::ENABLE_USER_SCHEMA,
optional: true,
},
expire: {
schema: user::EXPIRE_USER_SCHEMA,
optional: true,
},
firstname: {
schema: user::FIRST_NAME_SCHEMA,
optional: true,
},
lastname: {
schema: user::LAST_NAME_SCHEMA,
optional: true,
},
email: {
schema: user::EMAIL_SCHEMA,
optional: true,
},
}, },
}, },
access: { access: {
@ -164,28 +134,26 @@ pub fn list_users(
/// Create new user. /// Create new user.
pub fn create_user( pub fn create_user(
password: Option<String>, password: Option<String>,
param: Value, config: User,
rpcenv: &mut dyn RpcEnvironment rpcenv: &mut dyn RpcEnvironment
) -> Result<(), Error> { ) -> Result<(), Error> {
let _lock = open_backup_lockfile(user::USER_CFG_LOCKFILE, None, true)?; let _lock = crate::config::user::lock_config()?;
let user: user::User = serde_json::from_value(param)?; let (mut section_config, _digest) = crate::config::user::config()?;
let (mut config, _digest) = user::config()?; if section_config.sections.get(config.userid.as_str()).is_some() {
bail!("user '{}' already exists.", config.userid);
if config.sections.get(user.userid.as_str()).is_some() {
bail!("user '{}' already exists.", user.userid);
} }
config.set_data(user.userid.as_str(), "user", &user)?; section_config.set_data(config.userid.as_str(), "user", &config)?;
let realm = user.userid.realm(); let realm = config.userid.realm();
// Fails if realm does not exist! // Fails if realm does not exist!
let authenticator = crate::auth::lookup_authenticator(realm)?; let authenticator = crate::auth::lookup_authenticator(realm)?;
user::save_config(&config)?; crate::config::user::save_config(&section_config)?;
if let Some(password) = password { if let Some(password) = password {
let user_info = CachedUserInfo::new()?; let user_info = CachedUserInfo::new()?;
@ -193,7 +161,7 @@ pub fn create_user(
if realm == "pam" && !user_info.is_superuser(&current_auth_id) { if realm == "pam" && !user_info.is_superuser(&current_auth_id) {
bail!("only superuser can edit pam credentials!"); bail!("only superuser can edit pam credentials!");
} }
authenticator.store_password(user.userid.name(), &password)?; authenticator.store_password(config.userid.name(), &password)?;
} }
Ok(()) Ok(())
@ -207,7 +175,7 @@ pub fn create_user(
}, },
}, },
}, },
returns: { type: user::User }, returns: { type: User },
access: { access: {
permission: &Permission::Or(&[ permission: &Permission::Or(&[
&Permission::Privilege(&["access", "users"], PRIV_SYS_AUDIT, false), &Permission::Privilege(&["access", "users"], PRIV_SYS_AUDIT, false),
@ -216,8 +184,8 @@ pub fn create_user(
}, },
)] )]
/// Read user configuration data. /// Read user configuration data.
pub fn read_user(userid: Userid, mut rpcenv: &mut dyn RpcEnvironment) -> Result<user::User, Error> { pub fn read_user(userid: Userid, mut rpcenv: &mut dyn RpcEnvironment) -> Result<User, Error> {
let (config, digest) = user::config()?; let (config, digest) = crate::config::user::config()?;
let user = config.lookup("user", userid.as_str())?; let user = config.lookup("user", userid.as_str())?;
rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into(); rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();
Ok(user) Ok(user)
@ -245,34 +213,14 @@ pub enum DeletableProperty {
userid: { userid: {
type: Userid, type: Userid,
}, },
comment: { update: {
optional: true, type: UserUpdater,
schema: SINGLE_LINE_COMMENT_SCHEMA, flatten: true,
}, },
password: { password: {
schema: PBS_PASSWORD_SCHEMA, schema: PBS_PASSWORD_SCHEMA,
optional: true, optional: true,
}, },
enable: {
schema: user::ENABLE_USER_SCHEMA,
optional: true,
},
expire: {
schema: user::EXPIRE_USER_SCHEMA,
optional: true,
},
firstname: {
schema: user::FIRST_NAME_SCHEMA,
optional: true,
},
lastname: {
schema: user::LAST_NAME_SCHEMA,
optional: true,
},
email: {
schema: user::EMAIL_SCHEMA,
optional: true,
},
delete: { delete: {
description: "List of properties to delete.", description: "List of properties to delete.",
type: Array, type: Array,
@ -298,28 +246,23 @@ pub enum DeletableProperty {
#[allow(clippy::too_many_arguments)] #[allow(clippy::too_many_arguments)]
pub fn update_user( pub fn update_user(
userid: Userid, userid: Userid,
comment: Option<String>, update: UserUpdater,
enable: Option<bool>,
expire: Option<i64>,
password: Option<String>, password: Option<String>,
firstname: Option<String>,
lastname: Option<String>,
email: Option<String>,
delete: Option<Vec<DeletableProperty>>, delete: Option<Vec<DeletableProperty>>,
digest: Option<String>, digest: Option<String>,
rpcenv: &mut dyn RpcEnvironment, rpcenv: &mut dyn RpcEnvironment,
) -> Result<(), Error> { ) -> Result<(), Error> {
let _lock = open_backup_lockfile(user::USER_CFG_LOCKFILE, None, true)?; let _lock = crate::config::user::lock_config()?;
let (mut config, expected_digest) = user::config()?; let (mut config, expected_digest) = crate::config::user::config()?;
if let Some(ref digest) = digest { if let Some(ref digest) = digest {
let digest = proxmox::tools::hex_to_digest(digest)?; let digest = proxmox::tools::hex_to_digest(digest)?;
crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?; crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
} }
let mut data: user::User = config.lookup("user", userid.as_str())?; let mut data: User = config.lookup("user", userid.as_str())?;
if let Some(delete) = delete { if let Some(delete) = delete {
for delete_prop in delete { for delete_prop in delete {
@ -332,7 +275,7 @@ pub fn update_user(
} }
} }
if let Some(comment) = comment { if let Some(comment) = update.comment {
let comment = comment.trim().to_string(); let comment = comment.trim().to_string();
if comment.is_empty() { if comment.is_empty() {
data.comment = None; data.comment = None;
@ -341,11 +284,11 @@ pub fn update_user(
} }
} }
if let Some(enable) = enable { if let Some(enable) = update.enable {
data.enable = if enable { None } else { Some(false) }; data.enable = if enable { None } else { Some(false) };
} }
if let Some(expire) = expire { if let Some(expire) = update.expire {
data.expire = if expire > 0 { Some(expire) } else { None }; data.expire = if expire > 0 { Some(expire) } else { None };
} }
@ -361,20 +304,20 @@ pub fn update_user(
authenticator.store_password(userid.name(), &password)?; authenticator.store_password(userid.name(), &password)?;
} }
if let Some(firstname) = firstname { if let Some(firstname) = update.firstname {
data.firstname = if firstname.is_empty() { None } else { Some(firstname) }; data.firstname = if firstname.is_empty() { None } else { Some(firstname) };
} }
if let Some(lastname) = lastname { if let Some(lastname) = update.lastname {
data.lastname = if lastname.is_empty() { None } else { Some(lastname) }; data.lastname = if lastname.is_empty() { None } else { Some(lastname) };
} }
if let Some(email) = email { if let Some(email) = update.email {
data.email = if email.is_empty() { None } else { Some(email) }; data.email = if email.is_empty() { None } else { Some(email) };
} }
config.set_data(userid.as_str(), "user", &data)?; config.set_data(userid.as_str(), "user", &data)?;
user::save_config(&config)?; crate::config::user::save_config(&config)?;
Ok(()) Ok(())
} }
@ -402,10 +345,10 @@ pub fn update_user(
/// Remove a user from the configuration file. /// Remove a user from the configuration file.
pub fn delete_user(userid: Userid, digest: Option<String>) -> Result<(), Error> { pub fn delete_user(userid: Userid, digest: Option<String>) -> Result<(), Error> {
let _lock = crate::config::user::lock_config()?;
let _tfa_lock = crate::config::tfa::write_lock()?; let _tfa_lock = crate::config::tfa::write_lock()?;
let _lock = open_backup_lockfile(user::USER_CFG_LOCKFILE, None, true)?;
let (mut config, expected_digest) = crate::config::user::config()?;
let (mut config, expected_digest) = user::config()?;
if let Some(ref digest) = digest { if let Some(ref digest) = digest {
let digest = proxmox::tools::hex_to_digest(digest)?; let digest = proxmox::tools::hex_to_digest(digest)?;
@ -417,7 +360,7 @@ pub fn delete_user(userid: Userid, digest: Option<String>) -> Result<(), Error>
None => bail!("user '{}' does not exist.", userid), None => bail!("user '{}' does not exist.", userid),
} }
user::save_config(&config)?; crate::config::user::save_config(&config)?;
let authenticator = crate::auth::lookup_authenticator(userid.realm())?; let authenticator = crate::auth::lookup_authenticator(userid.realm())?;
match authenticator.remove_password(userid.name()) { match authenticator.remove_password(userid.name()) {
@ -457,7 +400,7 @@ pub fn delete_user(userid: Userid, digest: Option<String>) -> Result<(), Error>
}, },
}, },
}, },
returns: { type: user::ApiToken }, returns: { type: ApiToken },
access: { access: {
permission: &Permission::Or(&[ permission: &Permission::Or(&[
&Permission::Privilege(&["access", "users"], PRIV_SYS_AUDIT, false), &Permission::Privilege(&["access", "users"], PRIV_SYS_AUDIT, false),
@ -471,9 +414,9 @@ pub fn read_token(
tokenname: Tokenname, tokenname: Tokenname,
_info: &ApiMethod, _info: &ApiMethod,
mut rpcenv: &mut dyn RpcEnvironment, mut rpcenv: &mut dyn RpcEnvironment,
) -> Result<user::ApiToken, Error> { ) -> Result<ApiToken, Error> {
let (config, digest) = user::config()?; let (config, digest) = crate::config::user::config()?;
let tokenid = Authid::from((userid, Some(tokenname))); let tokenid = Authid::from((userid, Some(tokenname)));
@ -496,11 +439,11 @@ pub fn read_token(
schema: SINGLE_LINE_COMMENT_SCHEMA, schema: SINGLE_LINE_COMMENT_SCHEMA,
}, },
enable: { enable: {
schema: user::ENABLE_USER_SCHEMA, schema: ENABLE_USER_SCHEMA,
optional: true, optional: true,
}, },
expire: { expire: {
schema: user::EXPIRE_USER_SCHEMA, schema: EXPIRE_USER_SCHEMA,
optional: true, optional: true,
}, },
digest: { digest: {
@ -539,9 +482,9 @@ pub fn generate_token(
digest: Option<String>, digest: Option<String>,
) -> Result<Value, Error> { ) -> Result<Value, Error> {
let _lock = open_backup_lockfile(user::USER_CFG_LOCKFILE, None, true)?; let _lock = crate::config::user::lock_config()?;
let (mut config, expected_digest) = user::config()?; let (mut config, expected_digest) = crate::config::user::config()?;
if let Some(ref digest) = digest { if let Some(ref digest) = digest {
let digest = proxmox::tools::hex_to_digest(digest)?; let digest = proxmox::tools::hex_to_digest(digest)?;
@ -558,7 +501,7 @@ pub fn generate_token(
let secret = format!("{:x}", proxmox::tools::uuid::Uuid::generate()); let secret = format!("{:x}", proxmox::tools::uuid::Uuid::generate());
token_shadow::set_secret(&tokenid, &secret)?; token_shadow::set_secret(&tokenid, &secret)?;
let token = user::ApiToken { let token = ApiToken {
tokenid, tokenid,
comment, comment,
enable, enable,
@ -567,7 +510,7 @@ pub fn generate_token(
config.set_data(&tokenid_string, "token", &token)?; config.set_data(&tokenid_string, "token", &token)?;
user::save_config(&config)?; crate::config::user::save_config(&config)?;
Ok(json!({ Ok(json!({
"tokenid": tokenid_string, "tokenid": tokenid_string,
@ -590,11 +533,11 @@ pub fn generate_token(
schema: SINGLE_LINE_COMMENT_SCHEMA, schema: SINGLE_LINE_COMMENT_SCHEMA,
}, },
enable: { enable: {
schema: user::ENABLE_USER_SCHEMA, schema: ENABLE_USER_SCHEMA,
optional: true, optional: true,
}, },
expire: { expire: {
schema: user::EXPIRE_USER_SCHEMA, schema: EXPIRE_USER_SCHEMA,
optional: true, optional: true,
}, },
digest: { digest: {
@ -620,9 +563,9 @@ pub fn update_token(
digest: Option<String>, digest: Option<String>,
) -> Result<(), Error> { ) -> Result<(), Error> {
let _lock = open_backup_lockfile(user::USER_CFG_LOCKFILE, None, true)?; let _lock = crate::config::user::lock_config()?;
let (mut config, expected_digest) = user::config()?; let (mut config, expected_digest) = crate::config::user::config()?;
if let Some(ref digest) = digest { if let Some(ref digest) = digest {
let digest = proxmox::tools::hex_to_digest(digest)?; let digest = proxmox::tools::hex_to_digest(digest)?;
@ -632,7 +575,7 @@ pub fn update_token(
let tokenid = Authid::from((userid, Some(tokenname))); let tokenid = Authid::from((userid, Some(tokenname)));
let tokenid_string = tokenid.to_string(); let tokenid_string = tokenid.to_string();
let mut data: user::ApiToken = config.lookup("token", &tokenid_string)?; let mut data: ApiToken = config.lookup("token", &tokenid_string)?;
if let Some(comment) = comment { if let Some(comment) = comment {
let comment = comment.trim().to_string(); let comment = comment.trim().to_string();
@ -653,7 +596,7 @@ pub fn update_token(
config.set_data(&tokenid_string, "token", &data)?; config.set_data(&tokenid_string, "token", &data)?;
user::save_config(&config)?; crate::config::user::save_config(&config)?;
Ok(()) Ok(())
} }
@ -688,9 +631,9 @@ pub fn delete_token(
digest: Option<String>, digest: Option<String>,
) -> Result<(), Error> { ) -> Result<(), Error> {
let _lock = open_backup_lockfile(user::USER_CFG_LOCKFILE, None, true)?; let _lock = crate::config::user::lock_config()?;
let (mut config, expected_digest) = user::config()?; let (mut config, expected_digest) = crate::config::user::config()?;
if let Some(ref digest) = digest { if let Some(ref digest) = digest {
let digest = proxmox::tools::hex_to_digest(digest)?; let digest = proxmox::tools::hex_to_digest(digest)?;
@ -707,7 +650,7 @@ pub fn delete_token(
token_shadow::delete_secret(&tokenid)?; token_shadow::delete_secret(&tokenid)?;
user::save_config(&config)?; crate::config::user::save_config(&config)?;
Ok(()) Ok(())
} }
@ -723,7 +666,7 @@ pub fn delete_token(
returns: { returns: {
description: "List user's API tokens (with config digest).", description: "List user's API tokens (with config digest).",
type: Array, type: Array,
items: { type: user::ApiToken }, items: { type: ApiToken },
}, },
access: { access: {
permission: &Permission::Or(&[ permission: &Permission::Or(&[
@ -737,15 +680,15 @@ pub fn list_tokens(
userid: Userid, userid: Userid,
_info: &ApiMethod, _info: &ApiMethod,
mut rpcenv: &mut dyn RpcEnvironment, mut rpcenv: &mut dyn RpcEnvironment,
) -> Result<Vec<user::ApiToken>, Error> { ) -> Result<Vec<ApiToken>, Error> {
let (config, digest) = user::config()?; let (config, digest) = crate::config::user::config()?;
let list:Vec<user::ApiToken> = config.convert_to_typed_array("token")?; let list:Vec<ApiToken> = config.convert_to_typed_array("token")?;
rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into(); rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();
let filter_by_owner = |token: &user::ApiToken| { let filter_by_owner = |token: &ApiToken| {
if token.tokenid.is_token() { if token.tokenid.is_token() {
token.tokenid.user() == &userid token.tokenid.user() == &userid
} else { } else {

3
src/config/cached_user_info.rs
View File

@ -9,10 +9,9 @@ use lazy_static::lazy_static;
use proxmox::api::UserInformation; use proxmox::api::UserInformation;
use proxmox::tools::time::epoch_i64; use proxmox::tools::time::epoch_i64;
use pbs_api_types::{Authid, Userid, ROLE_ADMIN}; use pbs_api_types::{Authid, Userid, User, ApiToken, ROLE_ADMIN};
use pbs_config::acl::{AclTree, ROLE_NAMES}; use pbs_config::acl::{AclTree, ROLE_NAMES};
use super::user::{ApiToken, User};
use crate::tools::Memcom; use crate::tools::Memcom;
/// Cache User/Group/Token/Acl configuration data for fast permission tests /// Cache User/Group/Token/Acl configuration data for fast permission tests

4
src/config/tfa.rs
View File

@ -27,8 +27,7 @@ use proxmox::tools::AsHex;
use pbs_buildcfg::configdir; use pbs_buildcfg::configdir;
use pbs_config::{open_backup_lockfile, BackupLockGuard}; use pbs_config::{open_backup_lockfile, BackupLockGuard};
use pbs_api_types::{Userid, User};
use crate::api2::types::Userid;
/// Mapping of userid to TFA entry. /// Mapping of userid to TFA entry.
pub type TfaUsers = HashMap<Userid, TfaUserData>; pub type TfaUsers = HashMap<Userid, TfaUserData>;
@ -278,7 +277,6 @@ impl TfaConfig {
/// Remove non-existent users. /// Remove non-existent users.
pub fn cleanup_users(&mut self, config: &proxmox::api::section_config::SectionConfigData) { pub fn cleanup_users(&mut self, config: &proxmox::api::section_config::SectionConfigData) {
use crate::config::user::User;
self.users self.users
.retain(|user, _| config.lookup::<User>("user", user.as_str()).is_ok()); .retain(|user, _| config.lookup::<User>("user", user.as_str()).is_ok());
} }

14
src/config/user.rs
View File

@ -13,11 +13,10 @@ use proxmox::api::{
} }
}; };
use pbs_api_types::{Authid, Userid}; use pbs_api_types::{
pub use pbs_api_types::{ApiToken, User}; Authid, Userid, ApiToken, User,
pub use pbs_api_types::{
EMAIL_SCHEMA, ENABLE_USER_SCHEMA, EXPIRE_USER_SCHEMA, FIRST_NAME_SCHEMA, LAST_NAME_SCHEMA,
}; };
use pbs_config::{open_backup_lockfile, replace_backup_config, BackupLockGuard};
use crate::tools::Memcom; use crate::tools::Memcom;
@ -48,6 +47,11 @@ fn init() -> SectionConfig {
pub const USER_CFG_FILENAME: &str = "/etc/proxmox-backup/user.cfg"; pub const USER_CFG_FILENAME: &str = "/etc/proxmox-backup/user.cfg";
pub const USER_CFG_LOCKFILE: &str = "/etc/proxmox-backup/.user.lck"; pub const USER_CFG_LOCKFILE: &str = "/etc/proxmox-backup/.user.lck";
/// Get exclusive lock
pub fn lock_config() -> Result<BackupLockGuard, Error> {
open_backup_lockfile(USER_CFG_LOCKFILE, None, true)
}
pub fn config() -> Result<(SectionConfigData, [u8;32]), Error> { pub fn config() -> Result<(SectionConfigData, [u8;32]), Error> {
let content = proxmox::tools::fs::file_read_optional_string(USER_CFG_FILENAME)? let content = proxmox::tools::fs::file_read_optional_string(USER_CFG_FILENAME)?
@ -119,7 +123,7 @@ pub fn cached_config() -> Result<Arc<SectionConfigData>, Error> {
pub fn save_config(config: &SectionConfigData) -> Result<(), Error> { pub fn save_config(config: &SectionConfigData) -> Result<(), Error> {
let raw = CONFIG.write(USER_CFG_FILENAME, &config)?; let raw = CONFIG.write(USER_CFG_FILENAME, &config)?;
pbs_config::replace_backup_config(USER_CFG_FILENAME, raw.as_bytes())?; replace_backup_config(USER_CFG_FILENAME, raw.as_bytes())?;
// increase user cache generation // increase user cache generation
// We use this in CachedUserInfo // We use this in CachedUserInfo

6
src/server/email_notifications.rs
View File

@ -9,7 +9,7 @@ use proxmox::try_block;
use pbs_tools::format::HumanByte; use pbs_tools::format::HumanByte;
use pbs_api_types::{ use pbs_api_types::{
TapeBackupJobSetup, SyncJobConfig, VerificationJobConfig, User, TapeBackupJobSetup, SyncJobConfig, VerificationJobConfig,
APTUpdateInfo, GarbageCollectionStatus, APTUpdateInfo, GarbageCollectionStatus,
Userid, Notify, DatastoreNotify, Userid, Notify, DatastoreNotify,
}; };
@ -548,9 +548,7 @@ pub fn send_updates_available(
/// Lookup users email address /// Lookup users email address
pub fn lookup_user_email(userid: &Userid) -> Option<String> { pub fn lookup_user_email(userid: &Userid) -> Option<String> {
use crate::config::user::{self, User}; if let Ok(user_config) = crate::config::user::cached_config() {
if let Ok(user_config) = user::cached_config() {
if let Ok(user) = user_config.lookup::<User>("user", userid.as_str()) { if let Ok(user) = user_config.lookup::<User>("user", userid.as_str()) {
return user.email; return user.email;
} }