tyler/proxmox-backup
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

move user configuration to pbs_config workspace

Browse Source 
Also moved memcom.rs and cached_user_info.rs
This commit is contained in:
Dietmar Maurer
2021-09-10 06:53:53 +02:00
parent b65dfff574
commit ba3d7e19fb
42 changed files with 87 additions and 86 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/api2/access/acl.rs
View File

@ -12,7 +12,7 @@ use pbs_api_types::{
use pbs_config::acl::AclTreeNode;
use crate::config::cached_user_info::CachedUserInfo;
use pbs_config::CachedUserInfo;
fn extract_acl_node_data(
node: &AclTreeNode,
@ -221,7 +221,7 @@ pub fn update_acl(
bail!("parameter 'group' - groups are currently not supported.");
} else if let Some(ref auth_id) = auth_id {
if !delete { // Note: we allow to delete non-existent users
let user_cfg = crate::config::user::cached_config()?;
let user_cfg = pbs_config::user::cached_config()?;
if user_cfg.sections.get(&auth_id.to_string()).is_none() {
bail!(format!("no such {}.",
if auth_id.is_token() { "API token" } else { "user" }));

2
src/api2/access/mod.rs
View File

@ -22,7 +22,7 @@ use pbs_config::acl::AclTreeNode;
use crate::auth_helpers::*;
use crate::server::ticket::ApiTicket;
use crate::config::cached_user_info::CachedUserInfo;
use pbs_config::CachedUserInfo;
use crate::config::tfa::TfaChallenge;
pub mod acl;

4
src/api2/access/openid.rs
View File

@ -19,7 +19,7 @@ use pbs_tools::ticket::Ticket;
use pbs_config::domains::{OpenIdUserAttribute, OpenIdRealmConfig};
use crate::server::ticket::ApiTicket;
use crate::config::cached_user_info::CachedUserInfo;
use pbs_config::CachedUserInfo;
use pbs_config::open_backup_lockfile;
@ -116,7 +116,7 @@ pub fn openid_login(
if !user_info.is_active_user_id(&user_id) {
if config.autocreate.unwrap_or(false) {
use crate::config::user;
use pbs_config::user;
let _lock = open_backup_lockfile(user::USER_CFG_LOCKFILE, None, true)?;
let user = User {
userid: user_id.clone(),

4
src/api2/access/tfa.rs
View File

@ -9,7 +9,7 @@ use proxmox::{http_bail, http_err};
use pbs_api_types::{Authid, Userid, User, PASSWORD_SCHEMA, PRIV_PERMISSIONS_MODIFY, PRIV_SYS_AUDIT};
use crate::config::cached_user_info::CachedUserInfo;
use pbs_config::CachedUserInfo;
use crate::config::tfa::{TfaInfo, TfaUserData};
/// Perform first-factor (password) authentication only. Ignore password for the root user.
@ -34,7 +34,7 @@ fn tfa_update_auth(
// After authentication, verify that the to-be-modified user actually exists:
if must_exist && authid.user() != userid {
let (config, _digest) = crate::config::user::config()?;
let (config, _digest) = pbs_config::user::config()?;
if config
.lookup::<User>("user", userid.as_str())

46
src/api2/access/user.rs
View File

@ -16,7 +16,7 @@ use pbs_api_types::{
};
use pbs_config::token_shadow;
use crate::config::cached_user_info::CachedUserInfo;
use pbs_config::CachedUserInfo;
fn new_user_with_tokens(user: User) -> UserWithTokens {
UserWithTokens {
@ -59,7 +59,7 @@ pub fn list_users(
mut rpcenv: &mut dyn RpcEnvironment,
) -> Result<Vec<UserWithTokens>, Error> {
let (config, digest) = crate::config::user::config()?;
let (config, digest) = pbs_config::user::config()?;
let auth_id: Authid = rpcenv
.get_auth_id()
@ -138,9 +138,9 @@ pub fn create_user(
rpcenv: &mut dyn RpcEnvironment
) -> Result<(), Error> {
let _lock = crate::config::user::lock_config()?;
let _lock = pbs_config::user::lock_config()?;
let (mut section_config, _digest) = crate::config::user::config()?;
let (mut section_config, _digest) = pbs_config::user::config()?;
if section_config.sections.get(config.userid.as_str()).is_some() {
bail!("user '{}' already exists.", config.userid);
@ -153,7 +153,7 @@ pub fn create_user(
// Fails if realm does not exist!
let authenticator = crate::auth::lookup_authenticator(realm)?;
crate::config::user::save_config(&section_config)?;
pbs_config::user::save_config(&section_config)?;
if let Some(password) = password {
let user_info = CachedUserInfo::new()?;
@ -185,7 +185,7 @@ pub fn create_user(
)]
/// Read user configuration data.
pub fn read_user(userid: Userid, mut rpcenv: &mut dyn RpcEnvironment) -> Result<User, Error> {
let (config, digest) = crate::config::user::config()?;
let (config, digest) = pbs_config::user::config()?;
let user = config.lookup("user", userid.as_str())?;
rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();
Ok(user)
@ -253,9 +253,9 @@ pub fn update_user(
rpcenv: &mut dyn RpcEnvironment,
) -> Result<(), Error> {
let _lock = crate::config::user::lock_config()?;
let _lock = pbs_config::user::lock_config()?;
let (mut config, expected_digest) = crate::config::user::config()?;
let (mut config, expected_digest) = pbs_config::user::config()?;
if let Some(ref digest) = digest {
let digest = proxmox::tools::hex_to_digest(digest)?;
@ -317,7 +317,7 @@ pub fn update_user(
config.set_data(userid.as_str(), "user", &data)?;
crate::config::user::save_config(&config)?;
pbs_config::user::save_config(&config)?;
Ok(())
}
@ -345,10 +345,10 @@ pub fn update_user(
/// Remove a user from the configuration file.
pub fn delete_user(userid: Userid, digest: Option<String>) -> Result<(), Error> {
let _lock = crate::config::user::lock_config()?;
let _lock = pbs_config::user::lock_config()?;
let _tfa_lock = crate::config::tfa::write_lock()?;
let (mut config, expected_digest) = crate::config::user::config()?;
let (mut config, expected_digest) = pbs_config::user::config()?;
if let Some(ref digest) = digest {
let digest = proxmox::tools::hex_to_digest(digest)?;
@ -360,7 +360,7 @@ pub fn delete_user(userid: Userid, digest: Option<String>) -> Result<(), Error>
None => bail!("user '{}' does not exist.", userid),
}
crate::config::user::save_config(&config)?;
pbs_config::user::save_config(&config)?;
let authenticator = crate::auth::lookup_authenticator(userid.realm())?;
match authenticator.remove_password(userid.name()) {
@ -416,7 +416,7 @@ pub fn read_token(
mut rpcenv: &mut dyn RpcEnvironment,
) -> Result<ApiToken, Error> {
let (config, digest) = crate::config::user::config()?;
let (config, digest) = pbs_config::user::config()?;
let tokenid = Authid::from((userid, Some(tokenname)));
@ -482,9 +482,9 @@ pub fn generate_token(
digest: Option<String>,
) -> Result<Value, Error> {
let _lock = crate::config::user::lock_config()?;
let _lock = pbs_config::user::lock_config()?;
let (mut config, expected_digest) = crate::config::user::config()?;
let (mut config, expected_digest) = pbs_config::user::config()?;
if let Some(ref digest) = digest {
let digest = proxmox::tools::hex_to_digest(digest)?;
@ -510,7 +510,7 @@ pub fn generate_token(
config.set_data(&tokenid_string, "token", &token)?;
crate::config::user::save_config(&config)?;
pbs_config::user::save_config(&config)?;
Ok(json!({
"tokenid": tokenid_string,
@ -563,9 +563,9 @@ pub fn update_token(
digest: Option<String>,
) -> Result<(), Error> {
let _lock = crate::config::user::lock_config()?;
let _lock = pbs_config::user::lock_config()?;
let (mut config, expected_digest) = crate::config::user::config()?;
let (mut config, expected_digest) = pbs_config::user::config()?;
if let Some(ref digest) = digest {
let digest = proxmox::tools::hex_to_digest(digest)?;
@ -596,7 +596,7 @@ pub fn update_token(
config.set_data(&tokenid_string, "token", &data)?;
crate::config::user::save_config(&config)?;
pbs_config::user::save_config(&config)?;
Ok(())
}
@ -631,9 +631,9 @@ pub fn delete_token(
digest: Option<String>,
) -> Result<(), Error> {
let _lock = crate::config::user::lock_config()?;
let _lock = pbs_config::user::lock_config()?;
let (mut config, expected_digest) = crate::config::user::config()?;
let (mut config, expected_digest) = pbs_config::user::config()?;
if let Some(ref digest) = digest {
let digest = proxmox::tools::hex_to_digest(digest)?;
@ -650,7 +650,7 @@ pub fn delete_token(
token_shadow::delete_secret(&tokenid)?;
crate::config::user::save_config(&config)?;
pbs_config::user::save_config(&config)?;
Ok(())
}
@ -682,7 +682,7 @@ pub fn list_tokens(
mut rpcenv: &mut dyn RpcEnvironment,
) -> Result<Vec<ApiToken>, Error> {
let (config, digest) = crate::config::user::config()?;
let (config, digest) = pbs_config::user::config()?;
let list:Vec<ApiToken> = config.convert_to_typed_array("token")?;

2
src/api2/admin/datastore.rs
View File

@ -58,7 +58,7 @@ use crate::backup::{
DataStore, LocalChunkReader,
};
use crate::config::datastore;
use crate::config::cached_user_info::CachedUserInfo;
use pbs_config::CachedUserInfo;
use crate::server::{jobstate::Job, WorkerTask};

4
src/api2/admin/sync.rs
View File

@ -9,6 +9,7 @@ use proxmox::{list_subdirs_api_method, sortable};
use pbs_api_types::{DATASTORE_SCHEMA, JOB_ID_SCHEMA, Authid, SyncJobConfig, SyncJobStatus};
use pbs_config::sync;
use pbs_config::CachedUserInfo;
use crate::{
api2::{
@ -18,9 +19,6 @@ use crate::{
check_sync_job_read_access,
},
},
config::{
cached_user_info::CachedUserInfo,
},
server::{
jobstate::{
Job,

2
src/api2/admin/verify.rs
View File

@ -12,6 +12,7 @@ use pbs_api_types::{
PRIV_DATASTORE_AUDIT, PRIV_DATASTORE_VERIFY,
};
use pbs_config::verify;
use pbs_config::CachedUserInfo;
use crate::{
api2::types::{
@ -25,7 +26,6 @@ use crate::{
compute_schedule_status,
},
},
config::cached_user_info::CachedUserInfo,
};
#[api(

2
src/api2/backup/mod.rs
View File

@ -26,7 +26,7 @@ use pbs_datastore::manifest::{archive_type, ArchiveType};
use crate::server::{WorkerTask, H2Service};
use crate::backup::DataStore;
use crate::config::cached_user_info::CachedUserInfo;
use pbs_config::CachedUserInfo;
mod environment;
use environment::*;

2
src/api2/config/changer.rs
View File

@ -15,9 +15,9 @@ use pbs_api_types::{
PROXMOX_CONFIG_DIGEST_SCHEMA, CHANGER_NAME_SCHEMA, SLOT_ARRAY_SCHEMA,
PRIV_TAPE_AUDIT, PRIV_TAPE_MODIFY,
};
use pbs_config::CachedUserInfo;
use crate::{
config::cached_user_info::CachedUserInfo,
tape::{
linux_tape_changer_list,
check_drive_path,

2
src/api2/config/datastore.rs
View File

@ -24,7 +24,7 @@ use crate::api2::admin::{
sync::list_sync_jobs,
verify::list_verification_jobs,
};
use crate::config::cached_user_info::CachedUserInfo;
use pbs_config::CachedUserInfo;
use crate::config::datastore::{self, DataStoreConfig, DataStoreConfigUpdater};
use crate::server::{jobstate, WorkerTask};

2
src/api2/config/drive.rs
View File

@ -8,9 +8,9 @@ use pbs_api_types::{
Authid, LtoTapeDrive, LtoTapeDriveUpdater, ScsiTapeChanger,
PROXMOX_CONFIG_DIGEST_SCHEMA, DRIVE_NAME_SCHEMA, PRIV_TAPE_AUDIT, PRIV_TAPE_MODIFY,
};
use pbs_config::CachedUserInfo;
use crate::{
config::cached_user_info::CachedUserInfo,
tape::{
lto_tape_device_list,
check_drive_path,

2
src/api2/config/media_pool.rs
View File

@ -15,7 +15,7 @@ use pbs_api_types::{
PRIV_TAPE_AUDIT, PRIV_TAPE_MODIFY,
};
use crate::config::cached_user_info::CachedUserInfo;
use pbs_config::CachedUserInfo;
#[api(
protected: true,

2
src/api2/config/remote.rs
View File

@ -13,7 +13,7 @@ use pbs_api_types::{
};
use pbs_config::sync;
use crate::config::cached_user_info::CachedUserInfo;
use pbs_config::CachedUserInfo;
#[api(
input: {

4
src/api2/config/sync.rs
View File

@ -11,7 +11,7 @@ use pbs_api_types::{
};
use pbs_config::sync;
use crate::config::cached_user_info::CachedUserInfo;
use pbs_config::CachedUserInfo;
pub fn check_sync_job_read_access(
user_info: &CachedUserInfo,
@ -356,7 +356,7 @@ pub const ROUTER: Router = Router::new()
#[test]
fn sync_job_access_test() -> Result<(), Error> {
let (user_cfg, _) = crate::config::user::test_cfg_from_str(r###"
let (user_cfg, _) = pbs_config::user::test_cfg_from_str(r###"
user: noperm@pbs
user: read@pbs

2
src/api2/config/tape_backup_job.rs
View File

@ -10,7 +10,7 @@ use pbs_api_types::{
PRIV_TAPE_AUDIT, PRIV_TAPE_MODIFY,
};
use crate::config::cached_user_info::CachedUserInfo;
use pbs_config::CachedUserInfo;
#[api(
input: {

2
src/api2/config/verify.rs
View File

@ -10,7 +10,7 @@ use pbs_api_types::{
};
use pbs_config::verify;
use crate::config::cached_user_info::CachedUserInfo;
use pbs_config::CachedUserInfo;
#[api(
input: {

2
src/api2/node/subscription.rs
View File

@ -10,7 +10,7 @@ use pbs_api_types::{
use crate::tools;
use crate::tools::subscription::{self, SubscriptionStatus, SubscriptionInfo};
use crate::config::cached_user_info::CachedUserInfo;
use pbs_config::CachedUserInfo;
#[api(
input: {

2
src/api2/node/tasks.rs
View File

@ -18,7 +18,7 @@ use pbs_api_types::{
use crate::api2::types::TaskStateType;
use crate::api2::pull::check_pull_privs;
use crate::server::{self, UPID, UPIDExt, TaskState, TaskListInfoIterator};
use crate::config::cached_user_info::CachedUserInfo;
use pbs_config::CachedUserInfo;
// matches respective job execution privileges
fn check_job_privs(auth_id: &Authid, user_info: &CachedUserInfo, upid: &UPID) -> Result<(), Error> {

2
src/api2/pull.rs
View File

@ -16,7 +16,7 @@ use pbs_api_types::{
use crate::server::{WorkerTask, jobstate::Job, pull::pull_store};
use crate::backup::DataStore;
use crate::config::cached_user_info::CachedUserInfo;
use pbs_config::CachedUserInfo;
pub fn check_pull_privs(
auth_id: &Authid,

2
src/api2/reader/mod.rs
View File

@ -37,6 +37,7 @@ use pbs_datastore::PROXMOX_BACKUP_READER_PROTOCOL_ID_V1;
use pbs_datastore::backup_info::BackupDir;
use pbs_datastore::index::IndexFile;
use pbs_datastore::manifest::{archive_type, ArchiveType};
use pbs_config::CachedUserInfo;
use crate::{
api2::helpers,
@ -45,7 +46,6 @@ use crate::{
WorkerTask,
H2Service,
},
config::cached_user_info::CachedUserInfo,
};
mod environment;

2
src/api2/status.rs
View File

@ -22,7 +22,7 @@ use pbs_api_types::{
use crate::backup::DataStore;
use crate::config::datastore;
use crate::tools::statistics::{linear_regression};
use crate::config::cached_user_info::CachedUserInfo;
use pbs_config::CachedUserInfo;
#[api(
returns: {

2
src/api2/tape/backup.rs
View File

@ -23,9 +23,9 @@ use pbs_api_types::{
use pbs_datastore::{task_log, task_warn, StoreProgress};
use pbs_datastore::backup_info::{BackupDir, BackupInfo};
use pbs_datastore::task::TaskState;
use pbs_config::CachedUserInfo;
use crate::{
config::cached_user_info::CachedUserInfo,
server::{
lookup_user_email,
TapeBackupJobSummary,

2
src/api2/tape/changer.rs
View File

@ -11,9 +11,9 @@ use pbs_api_types::{
Authid, ChangerListEntry, LtoTapeDrive, MtxEntryKind, MtxStatusEntry, ScsiTapeChanger,
CHANGER_NAME_SCHEMA, PRIV_TAPE_AUDIT, PRIV_TAPE_READ,
};
use pbs_config::CachedUserInfo;
use crate::{
config::cached_user_info::CachedUserInfo,
tape::{
TAPE_STATUS_DIR,
Inventory,

2
src/api2/tape/drive.rs
View File

@ -30,9 +30,9 @@ use pbs_api_types::{
use pbs_datastore::task_log;
use pbs_api_types::{PRIV_TAPE_AUDIT, PRIV_TAPE_READ, PRIV_TAPE_WRITE};
use pbs_config::CachedUserInfo;
use crate::{
config::cached_user_info::CachedUserInfo,
api2::tape::restore::{
fast_catalog_restore,
restore_media,

2
src/api2/tape/media.rs
View File

@ -16,9 +16,9 @@ use pbs_api_types::{
MediaStatus, MediaContentEntry, MediaContentListFilter,
PRIV_TAPE_AUDIT,
};
use pbs_config::CachedUserInfo;
use crate::{
config::cached_user_info::CachedUserInfo,
tape::{
TAPE_STATUS_DIR,
Inventory,

2
src/api2/tape/restore.rs
View File

@ -41,10 +41,10 @@ use pbs_datastore::fixed_index::FixedIndexReader;
use pbs_datastore::index::IndexFile;
use pbs_datastore::manifest::{archive_type, ArchiveType, BackupManifest, MANIFEST_BLOB_NAME};
use pbs_datastore::task::TaskState;
use pbs_config::CachedUserInfo;
use crate::{
tools::ParallelHandler,
config::cached_user_info::CachedUserInfo,
backup::DataStore,
server::{
lookup_user_email,

2
src/bin/docgen.rs
View File

@ -53,7 +53,7 @@ fn main() -> Result<(), Error> {
"datastore.cfg" => dump_section_config(&config::datastore::CONFIG),
"tape.cfg" => dump_section_config(&pbs_config::drive::CONFIG),
"tape-job.cfg" => dump_section_config(&pbs_config::tape_job::CONFIG),
"user.cfg" => dump_section_config(&config::user::CONFIG),
"user.cfg" => dump_section_config(&pbs_config::user::CONFIG),
"remote.cfg" => dump_section_config(&pbs_config::remote::CONFIG),
"sync.cfg" => dump_section_config(&pbs_config::sync::CONFIG),
"verification.cfg" => dump_section_config(&pbs_config::verify::CONFIG),

2
src/bin/proxmox_backup_manager/acl.rs
View File

@ -60,7 +60,7 @@ pub fn acl_commands() -> CommandLineInterface {
"update",
CliCommand::new(&api2::access::acl::API_METHOD_UPDATE_ACL)
.arg_param(&["path", "role"])
.completion_cb("auth-id", config::user::complete_authid)
.completion_cb("auth-id", pbs_config::user::complete_authid)
.completion_cb("path", config::datastore::complete_acl_path)
);

14
src/bin/proxmox_backup_manager/user.rs
View File

@ -181,38 +181,38 @@ pub fn user_commands() -> CommandLineInterface {
"update",
CliCommand::new(&api2::access::user::API_METHOD_UPDATE_USER)
.arg_param(&["userid"])
.completion_cb("userid", config::user::complete_userid)
.completion_cb("userid", pbs_config::user::complete_userid)
)
.insert(
"remove",
CliCommand::new(&api2::access::user::API_METHOD_DELETE_USER)
.arg_param(&["userid"])
.completion_cb("userid", config::user::complete_userid)
.completion_cb("userid", pbs_config::user::complete_userid)
)
.insert(
"list-tokens",
CliCommand::new(&&API_METHOD_LIST_TOKENS)
.arg_param(&["userid"])
.completion_cb("userid", config::user::complete_userid)
.completion_cb("userid", pbs_config::user::complete_userid)
)
.insert(
"generate-token",
CliCommand::new(&api2::access::user::API_METHOD_GENERATE_TOKEN)
.arg_param(&["userid", "tokenname"])
.completion_cb("userid", config::user::complete_userid)
.completion_cb("userid", pbs_config::user::complete_userid)
)
.insert(
"delete-token",
CliCommand::new(&api2::access::user::API_METHOD_DELETE_TOKEN)
.arg_param(&["userid", "tokenname"])
.completion_cb("userid", config::user::complete_userid)
.completion_cb("tokenname", config::user::complete_token_name)
.completion_cb("userid", pbs_config::user::complete_userid)
.completion_cb("tokenname", pbs_config::user::complete_token_name)
)
.insert(
"permissions",
CliCommand::new(&&API_METHOD_LIST_PERMISSIONS)
.arg_param(&["auth-id"])
.completion_cb("auth-id", config::user::complete_authid)
.completion_cb("auth-id", pbs_config::user::complete_authid)
.completion_cb("path", config::datastore::complete_acl_path)
);

2
src/bin/proxmox_restore_daemon/auth.rs
View File

@ -6,7 +6,7 @@ use anyhow::{bail, format_err, Error};
use pbs_api_types::Authid;
use proxmox_backup::config::cached_user_info::CachedUserInfo;
use pbs_config::CachedUserInfo;
use proxmox_backup::server::auth::{ApiAuth, AuthError};
const TICKET_FILE: &str = "/ticket";

184
src/config/cached_user_info.rs
View File

@ -1,184 +0,0 @@
//! Cached user info for fast ACL permission checks
use std::sync::{RwLock, Arc};
use anyhow::{Error, bail};
use proxmox::api::section_config::SectionConfigData;
use lazy_static::lazy_static;
use proxmox::api::UserInformation;
use proxmox::tools::time::epoch_i64;
use pbs_api_types::{Authid, Userid, User, ApiToken, ROLE_ADMIN};
use pbs_config::acl::{AclTree, ROLE_NAMES};
use crate::tools::Memcom;
/// Cache User/Group/Token/Acl configuration data for fast permission tests
pub struct CachedUserInfo {
user_cfg: Arc<SectionConfigData>,
acl_tree: Arc<AclTree>,
}
struct ConfigCache {
data: Option<Arc<CachedUserInfo>>,
last_update: i64,
last_user_cache_generation: usize,
}
lazy_static! {
static ref CACHED_CONFIG: RwLock<ConfigCache> = RwLock::new(
ConfigCache { data: None, last_update: 0, last_user_cache_generation: 0 }
);
}
impl CachedUserInfo {
/// Returns a cached instance (up to 5 seconds old).
pub fn new() -> Result<Arc<Self>, Error> {
let now = epoch_i64();
let memcom = Memcom::new()?;
let user_cache_generation = memcom.user_cache_generation();
{ // limit scope
let cache = CACHED_CONFIG.read().unwrap();
if (user_cache_generation == cache.last_user_cache_generation) &&
((now - cache.last_update) < 5)
{
if let Some(ref config) = cache.data {
return Ok(config.clone());
}
}
}
let config = Arc::new(CachedUserInfo {
user_cfg: super::user::cached_config()?,
acl_tree: pbs_config::acl::cached_config()?,
});
let mut cache = CACHED_CONFIG.write().unwrap();
cache.last_update = now;
cache.last_user_cache_generation = user_cache_generation;
cache.data = Some(config.clone());
Ok(config)
}
#[cfg(test)]
pub(crate) fn test_new(user_cfg: SectionConfigData, acl_tree: AclTree) -> Self {
Self {
user_cfg: Arc::new(user_cfg),
acl_tree: Arc::new(acl_tree),
}
}
/// Test if a user_id is enabled and not expired
pub fn is_active_user_id(&self, userid: &Userid) -> bool {
if let Ok(info) = self.user_cfg.lookup::<User>("user", userid.as_str()) {
info.is_active()
} else {
false
}
}
/// Test if a authentication id is enabled and not expired
pub fn is_active_auth_id(&self, auth_id: &Authid) -> bool {
let userid = auth_id.user();
if !self.is_active_user_id(userid) {
return false;
}
if auth_id.is_token() {
if let Ok(info) = self.user_cfg.lookup::<ApiToken>("token", &auth_id.to_string()) {
return info.is_active();
} else {
return false;
}
}
true
}
pub fn check_privs(
&self,
auth_id: &Authid,
path: &[&str],
required_privs: u64,
partial: bool,
) -> Result<(), Error> {
let privs = self.lookup_privs(&auth_id, path);
let allowed = if partial {
(privs & required_privs) != 0
} else {
(privs & required_privs) == required_privs
};
if !allowed {
// printing the path doesn't leaks any information as long as we
// always check privilege before resource existence
bail!("no permissions on '/{}'", path.join("/"));
}
Ok(())
}
pub fn is_superuser(&self, auth_id: &Authid) -> bool {
!auth_id.is_token() && auth_id.user() == "root@pam"
}
pub fn is_group_member(&self, _userid: &Userid, _group: &str) -> bool {
false
}
pub fn lookup_privs(&self, auth_id: &Authid, path: &[&str]) -> u64 {
let (privs, _) = self.lookup_privs_details(auth_id, path);
privs
}
pub fn lookup_privs_details(&self, auth_id: &Authid, path: &[&str]) -> (u64, u64) {
if self.is_superuser(auth_id) {
return (ROLE_ADMIN, ROLE_ADMIN);
}
let roles = self.acl_tree.roles(auth_id, path);
let mut privs: u64 = 0;
let mut propagated_privs: u64 = 0;
for (role, propagate) in roles {
if let Some((role_privs, _)) = ROLE_NAMES.get(role.as_str()) {
if propagate {
propagated_privs |= role_privs;
}
privs |= role_privs;
}
}
if auth_id.is_token() {
// limit privs to that of owning user
let user_auth_id = Authid::from(auth_id.user().clone());
privs &= self.lookup_privs(&user_auth_id, path);
let (owner_privs, owner_propagated_privs) = self.lookup_privs_details(&user_auth_id, path);
privs &= owner_privs;
propagated_privs &= owner_propagated_privs;
}
(privs, propagated_privs)
}
}
impl UserInformation for CachedUserInfo {
fn is_superuser(&self, userid: &str) -> bool {
userid == "root@pam"
}
fn is_group_member(&self, _userid: &str, _group: &str) -> bool {
false
}
fn lookup_privs(&self, auth_id: &str, path: &[&str]) -> u64 {
match auth_id.parse::<Authid>() {
Ok(auth_id) => Self::lookup_privs(self, &auth_id, path),
Err(_) => 0,
}
}
}

2
src/config/mod.rs
View File

@ -15,11 +15,9 @@ use proxmox::try_block;
use pbs_buildcfg::{self, configdir};
pub mod acme;
pub mod cached_user_info;
pub mod datastore;
pub mod node;
pub mod tfa;
pub mod user;
/// Check configuration directory permissions
///

198
src/config/user.rs
View File

@ -1,198 +0,0 @@
use std::collections::HashMap;
use std::sync::{Arc, RwLock};
use anyhow::{bail, Error};
use lazy_static::lazy_static;
use proxmox::api::{
schema::*,
section_config::{
SectionConfig,
SectionConfigData,
SectionConfigPlugin,
}
};
use pbs_api_types::{
Authid, Userid, ApiToken, User,
};
use pbs_config::{open_backup_lockfile, replace_backup_config, BackupLockGuard};
use crate::tools::Memcom;
lazy_static! {
pub static ref CONFIG: SectionConfig = init();
}
fn init() -> SectionConfig {
let mut config = SectionConfig::new(&Authid::API_SCHEMA);
let user_schema = match User::API_SCHEMA {
Schema::Object(ref user_schema) => user_schema,
_ => unreachable!(),
};
let user_plugin = SectionConfigPlugin::new("user".to_string(), Some("userid".to_string()), user_schema);
config.register_plugin(user_plugin);
let token_schema = match ApiToken::API_SCHEMA {
Schema::Object(ref token_schema) => token_schema,
_ => unreachable!(),
};
let token_plugin = SectionConfigPlugin::new("token".to_string(), Some("tokenid".to_string()), token_schema);
config.register_plugin(token_plugin);
config
}
pub const USER_CFG_FILENAME: &str = "/etc/proxmox-backup/user.cfg";
pub const USER_CFG_LOCKFILE: &str = "/etc/proxmox-backup/.user.lck";
/// Get exclusive lock
pub fn lock_config() -> Result<BackupLockGuard, Error> {
open_backup_lockfile(USER_CFG_LOCKFILE, None, true)
}
pub fn config() -> Result<(SectionConfigData, [u8;32]), Error> {
let content = proxmox::tools::fs::file_read_optional_string(USER_CFG_FILENAME)?
.unwrap_or_else(|| "".to_string());
let digest = openssl::sha::sha256(content.as_bytes());
let mut data = CONFIG.parse(USER_CFG_FILENAME, &content)?;
if data.sections.get("root@pam").is_none() {
let user: User = User {
userid: Userid::root_userid().clone(),
comment: Some("Superuser".to_string()),
enable: None,
expire: None,
firstname: None,
lastname: None,
email: None,
};
data.set_data("root@pam", "user", &user).unwrap();
}
Ok((data, digest))
}
pub fn cached_config() -> Result<Arc<SectionConfigData>, Error> {
struct ConfigCache {
data: Option<Arc<SectionConfigData>>,
last_mtime: i64,
last_mtime_nsec: i64,
}
lazy_static! {
static ref CACHED_CONFIG: RwLock<ConfigCache> = RwLock::new(
ConfigCache { data: None, last_mtime: 0, last_mtime_nsec: 0 });
}
let stat = match nix::sys::stat::stat(USER_CFG_FILENAME) {
Ok(stat) => Some(stat),
Err(nix::Error::Sys(nix::errno::Errno::ENOENT)) => None,
Err(err) => bail!("unable to stat '{}' - {}", USER_CFG_FILENAME, err),
};
{ // limit scope
let cache = CACHED_CONFIG.read().unwrap();
if let Some(ref config) = cache.data {
if let Some(stat) = stat {
if stat.st_mtime == cache.last_mtime && stat.st_mtime_nsec == cache.last_mtime_nsec {
return Ok(config.clone());
}
} else if cache.last_mtime == 0 && cache.last_mtime_nsec == 0 {
return Ok(config.clone());
}
}
}
let (config, _digest) = config()?;
let config = Arc::new(config);
let mut cache = CACHED_CONFIG.write().unwrap();
if let Some(stat) = stat {
cache.last_mtime = stat.st_mtime;
cache.last_mtime_nsec = stat.st_mtime_nsec;
}
cache.data = Some(config.clone());
Ok(config)
}
pub fn save_config(config: &SectionConfigData) -> Result<(), Error> {
let raw = CONFIG.write(USER_CFG_FILENAME, &config)?;
replace_backup_config(USER_CFG_FILENAME, raw.as_bytes())?;
// increase user cache generation
// We use this in CachedUserInfo
let memcom = Memcom::new()?;
memcom.increase_user_cache_generation();
Ok(())
}
#[cfg(test)]
pub(crate) fn test_cfg_from_str(raw: &str) -> Result<(SectionConfigData, [u8;32]), Error> {
let cfg = init();
let parsed = cfg.parse("test_user_cfg", raw)?;
Ok((parsed, [0;32]))
}
// shell completion helper
pub fn complete_userid(_arg: &str, _param: &HashMap<String, String>) -> Vec<String> {
match config() {
Ok((data, _digest)) => {
data.sections.iter()
.filter_map(|(id, (section_type, _))| {
if section_type == "user" {
Some(id.to_string())
} else {
None
}
}).collect()
},
Err(_) => return vec![],
}
}
// shell completion helper
pub fn complete_authid(_arg: &str, _param: &HashMap<String, String>) -> Vec<String> {
match config() {
Ok((data, _digest)) => data.sections.iter().map(|(id, _)| id.to_string()).collect(),
Err(_) => vec![],
}
}
// shell completion helper
pub fn complete_token_name(_arg: &str, param: &HashMap<String, String>) -> Vec<String> {
let data = match config() {
Ok((data, _digest)) => data,
Err(_) => return Vec::new(),
};
match param.get("userid") {
Some(userid) => {
let user = data.lookup::<User>("user", userid);
let tokens = data.convert_to_typed_array("token");
match (user, tokens) {
(Ok(_), Ok(tokens)) => {
tokens
.into_iter()
.filter_map(|token: ApiToken| {
let tokenid = token.tokenid;
if tokenid.is_token() && tokenid.user() == userid {
Some(tokenid.tokenname().unwrap().as_str().to_string())
} else {
None
}
}).collect()
},
_ => vec![],
}
},
None => vec![],
}
}

2
src/server/auth.rs
View File

@ -8,7 +8,7 @@ use pbs_config::token_shadow;
use crate::api2::types::{Authid, Userid};
use crate::auth_helpers::*;
use crate::config::cached_user_info::CachedUserInfo;
use pbs_config::CachedUserInfo;
use crate::tools;
use hyper::header;

2
src/server/email_notifications.rs
View File

@ -548,7 +548,7 @@ pub fn send_updates_available(
/// Lookup users email address
pub fn lookup_user_email(userid: &Userid) -> Option<String> {
if let Ok(user_config) = crate::config::user::cached_config() {
if let Ok(user_config) = pbs_config::user::cached_config() {
if let Ok(user) = user_config.lookup::<User>("user", userid.as_str()) {
return user.email;
}

2
src/server/prune_job.rs
View File

@ -6,9 +6,9 @@ use pbs_datastore::{task_log, task_warn};
use pbs_datastore::backup_info::BackupInfo;
use pbs_datastore::prune::{compute_prune_info, PruneOptions};
use pbs_api_types::{Authid, PRIV_DATASTORE_MODIFY};
use pbs_config::CachedUserInfo;
use crate::{
config::cached_user_info::CachedUserInfo,
backup::DataStore,
server::jobstate::Job,
server::WorkerTask,

2
src/server/rest.rs
View File

@ -40,7 +40,7 @@ use super::ApiConfig;
use crate::api2::types::{Authid, Userid};
use crate::auth_helpers::*;
use crate::config::cached_user_info::CachedUserInfo;
use pbs_config::CachedUserInfo;
use crate::tools;
use crate::tools::compression::CompressionMethod;
use crate::tools::FileLogger;

81
src/tools/memcom.rs
View File

@ -1,81 +0,0 @@
//! Memory based communication channel between proxy & daemon for things such as cache
//! invalidation.
use std::os::unix::io::AsRawFd;
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::Arc;
use anyhow::Error;
use nix::fcntl::OFlag;
use nix::sys::mman::{MapFlags, ProtFlags};
use nix::sys::stat::Mode;
use once_cell::sync::OnceCell;
use proxmox::tools::fs::CreateOptions;
use proxmox::tools::mmap::Mmap;
/// In-memory communication channel.
pub struct Memcom {
mmap: Mmap<u8>,
}
#[repr(C)]
struct Head {
// User (user.cfg) cache generation/version.
user_cache_generation: AtomicUsize,
}
static INSTANCE: OnceCell<Arc<Memcom>> = OnceCell::new();
const MEMCOM_FILE_PATH: &str = pbs_buildcfg::rundir!("/proxmox-backup-memcom");
const EMPTY_PAGE: [u8; 4096] = [0u8; 4096];
impl Memcom {
/// Open the memory based communication channel singleton.
pub fn new() -> Result<Arc<Self>, Error> {
INSTANCE.get_or_try_init(Self::open).map(Arc::clone)
}
// Actual work of `new`:
fn open() -> Result<Arc<Self>, Error> {
let user = pbs_config::backup_user()?;
let options = CreateOptions::new()
.perm(Mode::from_bits_truncate(0o660))
.owner(user.uid)
.group(user.gid);
let file = proxmox::tools::fs::atomic_open_or_create_file(
MEMCOM_FILE_PATH,
OFlag::O_RDWR | OFlag::O_CLOEXEC,
&EMPTY_PAGE, options)?;
let mmap = unsafe {
Mmap::<u8>::map_fd(
file.as_raw_fd(),
0,
4096,
ProtFlags::PROT_READ | ProtFlags::PROT_WRITE,
MapFlags::MAP_SHARED | MapFlags::MAP_NORESERVE | MapFlags::MAP_POPULATE,
)?
};
Ok(Arc::new(Self { mmap }))
}
// Shortcut to get the mapped `Head` as a `Head`.
fn head(&self) -> &Head {
unsafe { &*(self.mmap.as_ptr() as *const u8 as *const Head) }
}
/// Returns the user cache generation number.
pub fn user_cache_generation(&self) -> usize {
self.head().user_cache_generation.load(Ordering::Acquire)
}
/// Increase the user cache generation number.
pub fn increase_user_cache_generation(&self) {
self.head()
.user_cache_generation
.fetch_add(1, Ordering::AcqRel);
}
}

3
src/tools/mod.rs
View File

@ -28,9 +28,6 @@ pub mod config;
pub mod daemon;
pub mod disks;
mod memcom;
pub use memcom::Memcom;
pub mod serde_filter;
pub mod statistics;
pub mod subscription;