introduce Username, Realm and Userid api types

and begin splitting up types.rs as it has grown quite large already Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2020-08-06 15:46:01 +02:00
parent 27d864210a
commit e7cb4dc50d
42 changed files with 877 additions and 417 deletions
--- a/src/server/rest.rs
+++ b/src/server/rest.rs
@ -27,6 +27,7 @@ use super::formatter::*;
 use super::ApiConfig;

 use crate::auth_helpers::*;
+use crate::api2::types::Userid;
 use crate::tools;
 use crate::config::cached_user_info::CachedUserInfo;

@ -311,10 +312,10 @@ pub async fn handle_api_request<Env: RpcEnvironment, S: 'static + BuildHasher +
    Ok(resp)
 }

-fn get_index(username: Option<String>, token: Option<String>, api: &Arc<ApiConfig>, parts: Parts) ->  Response<Body> {
+fn get_index(userid: Option<Userid>, token: Option<String>, api: &Arc<ApiConfig>, parts: Parts) ->  Response<Body> {

    let nodename = proxmox::tools::nodename();
-    let username = username.unwrap_or_else(|| String::from(""));
+    let userid = userid.as_ref().map(|u| u.as_str()).unwrap_or("");

    let token = token.unwrap_or_else(|| String::from(""));

@ -333,7 +334,7 @@ fn get_index(username: Option<String>, token: Option<String>, api: &Arc<ApiConfi

    let data = json!({
        "NodeName": nodename,
-        "UserName": username,
+        "UserName": userid,
        "CSRFPreventionToken": token,
        "debug": debug,
    });
@ -461,33 +462,33 @@ fn check_auth(
    ticket: &Option<String>,
    token: &Option<String>,
    user_info: &CachedUserInfo,
-) -> Result<String, Error> {
+) -> Result<Userid, Error> {

    let ticket_lifetime = tools::ticket::TICKET_LIFETIME;

-    let username = match ticket {
+    let userid = match ticket {
        Some(ticket) => match tools::ticket::verify_rsa_ticket(public_auth_key(), "PBS", &ticket, None, -300, ticket_lifetime) {
-            Ok((_age, Some(username))) => username.to_owned(),
+            Ok((_age, Some(userid))) => userid,
            Ok((_, None)) => bail!("ticket without username."),
            Err(err) => return Err(err),
        }
        None => bail!("missing ticket"),
    };

-    if !user_info.is_active_user(&username) {
+    if !user_info.is_active_user(&userid) {
        bail!("user account disabled or expired.");
    }

    if method != hyper::Method::GET {
        if let Some(token) = token {
            println!("CSRF prevention token: {:?}", token);
-            verify_csrf_prevention_token(csrf_secret(), &username, &token, -300, ticket_lifetime)?;
+            verify_csrf_prevention_token(csrf_secret(), &userid, &token, -300, ticket_lifetime)?;
        } else {
            bail!("missing CSRF prevention token");
        }
    }

-    Ok(username)
+    Ok(userid)
 }

 pub async fn handle_request(api: Arc<ApiConfig>, req: Request<Body>) -> Result<Response<Body>, Error> {
@ -532,7 +533,7 @@ pub async fn handle_request(api: Arc<ApiConfig>, req: Request<Body>) -> Result<R
            } else {
                let (ticket, token) = extract_auth_data(&parts.headers);
                match check_auth(&method, &ticket, &token, &user_info) {
-                    Ok(username) => rpcenv.set_user(Some(username)),
+                    Ok(userid) => rpcenv.set_user(Some(userid.to_string())),
                    Err(err) => {
                        // always delay unauthorized calls by 3 seconds (from start of request)
                        let err = http_err!(UNAUTHORIZED, "authentication failed - {}", err);
@ -580,9 +581,9 @@ pub async fn handle_request(api: Arc<ApiConfig>, req: Request<Body>) -> Result<R
            let (ticket, token) = extract_auth_data(&parts.headers);
            if ticket != None {
                match check_auth(&method, &ticket, &token, &user_info) {
-                    Ok(username) => {
-                        let new_token = assemble_csrf_prevention_token(csrf_secret(), &username);
-                        return Ok(get_index(Some(username), Some(new_token), &api, parts));
+                    Ok(userid) => {
+                        let new_token = assemble_csrf_prevention_token(csrf_secret(), &userid);
+                        return Ok(get_index(Some(userid), Some(new_token), &api, parts));
                    }
                    _ => {
                        tokio::time::delay_until(Instant::from_std(delay_unauth_time)).await;
--- a/src/server/upid.rs
+++ b/src/server/upid.rs
@ -1,19 +1,21 @@
-use anyhow::{bail, Error};
-use lazy_static::lazy_static;
-use regex::Regex;
-use chrono::Local;
-
 use std::sync::atomic::{AtomicUsize, Ordering};

+use anyhow::{bail, Error};
+use chrono::Local;
+use lazy_static::lazy_static;
+use regex::Regex;
+
 use proxmox::sys::linux::procfs;

+use crate::api2::types::Userid;
+
 /// Unique Process/Task Identifier
 ///
 /// We use this to uniquely identify worker task. UPIDs have a short
 /// string repesentaion, which gives additional information about the
 /// type of the task. for example:
 /// ```text
-/// UPID:{node}:{pid}:{pstart}:{task_id}:{starttime}:{worker_type}:{worker_id}:{username}:
+/// UPID:{node}:{pid}:{pstart}:{task_id}:{starttime}:{worker_type}:{worker_id}:{userid}:
 /// UPID:elsa:00004F37:0039E469:00000000:5CA78B83:garbage_collection::root@pam:
 /// ```
 /// Please note that we use tokio, so a single thread can run multiple
@ -33,7 +35,7 @@ pub struct UPID {
    /// Worker ID (arbitrary ASCII string)
    pub worker_id: Option<String>,
    /// The user who started the task
-    pub username: String,
+    pub userid: Userid,
    /// The node name.
    pub node: String,
 }
@ -41,7 +43,11 @@ pub struct UPID {
 impl UPID {

    /// Create a new UPID
-    pub fn new(worker_type: &str, worker_id: Option<String>, username: &str) -> Result<Self, Error> {
+    pub fn new(
+        worker_type: &str,
+        worker_id: Option<String>,
+        userid: Userid,
+    ) -> Result<Self, Error> {

        let pid = unsafe { libc::getpid() };

@ -67,7 +73,7 @@ impl UPID {
            task_id,
            worker_type: worker_type.to_owned(),
            worker_id,
-            username: username.to_owned(),
+            userid,
            node: proxmox::tools::nodename().to_owned(),
        })
    }
@ -91,7 +97,7 @@ impl std::str::FromStr for UPID {
            static ref REGEX: Regex = Regex::new(concat!(
                r"^UPID:(?P<node>[a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?):(?P<pid>[0-9A-Fa-f]{8}):",
                r"(?P<pstart>[0-9A-Fa-f]{8,9}):(?P<task_id>[0-9A-Fa-f]{8,16}):(?P<starttime>[0-9A-Fa-f]{8}):",
-                r"(?P<wtype>[^:\s]+):(?P<wid>[^:\s]*):(?P<username>[^:\s]+):$"
+                r"(?P<wtype>[^:\s]+):(?P<wid>[^:\s]*):(?P<userid>[^:\s]+):$"
            )).unwrap();
        }

@ -104,7 +110,7 @@ impl std::str::FromStr for UPID {
                task_id: usize::from_str_radix(&cap["task_id"], 16).unwrap(),
                worker_type: cap["wtype"].to_string(),
                worker_id: if cap["wid"].is_empty() { None } else { Some(cap["wid"].to_string()) },
-                username: cap["username"].to_string(),
+                userid: cap["userid"].parse()?,
                node: cap["node"].to_string(),
            })
        } else {
@ -124,6 +130,6 @@ impl std::fmt::Display for UPID {
        // more that 8 characters for pstart

        write!(f, "UPID:{}:{:08X}:{:08X}:{:08X}:{:08X}:{}:{}:{}:",
-               self.node, self.pid, self.pstart, self.task_id, self.starttime, self.worker_type, wid, self.username)
+               self.node, self.pid, self.pstart, self.task_id, self.starttime, self.worker_type, wid, self.userid)
    }
 }
--- a/src/server/worker_task.rs
+++ b/src/server/worker_task.rs
@ -20,6 +20,7 @@ use proxmox::tools::fs::{create_path, open_file_locked, replace_file, CreateOpti
 use super::UPID;

 use crate::tools::FileLogger;
+use crate::api2::types::Userid;

 macro_rules! PROXMOX_BACKUP_VAR_RUN_DIR_M { () => ("/run/proxmox-backup") }
 macro_rules! PROXMOX_BACKUP_LOG_DIR_M { () => ("/var/log/proxmox-backup") }
@ -394,10 +395,10 @@ impl Drop for WorkerTask {

 impl WorkerTask {

-    pub fn new(worker_type: &str, worker_id: Option<String>, username: &str, to_stdout: bool) -> Result<Arc<Self>, Error> {
+    pub fn new(worker_type: &str, worker_id: Option<String>, userid: Userid, to_stdout: bool) -> Result<Arc<Self>, Error> {
        println!("register worker");

-        let upid = UPID::new(worker_type, worker_id, username)?;
+        let upid = UPID::new(worker_type, worker_id, userid)?;
        let task_id = upid.task_id;

        let mut path = std::path::PathBuf::from(PROXMOX_BACKUP_TASK_DIR);
@ -442,14 +443,14 @@ impl WorkerTask {
    pub fn spawn<F, T>(
        worker_type: &str,
        worker_id: Option<String>,
-        username: &str,
+        userid: Userid,
        to_stdout: bool,
        f: F,
    ) -> Result<String, Error>
        where F: Send + 'static + FnOnce(Arc<WorkerTask>) -> T,
              T: Send + 'static + Future<Output = Result<(), Error>>,
    {
-        let worker = WorkerTask::new(worker_type, worker_id, username, to_stdout)?;
+        let worker = WorkerTask::new(worker_type, worker_id, userid, to_stdout)?;
        let upid_str = worker.upid.to_string();
        let f = f(worker.clone());
        tokio::spawn(async move {
@ -464,7 +465,7 @@ impl WorkerTask {
    pub fn new_thread<F>(
        worker_type: &str,
        worker_id: Option<String>,
-        username: &str,
+        userid: Userid,
        to_stdout: bool,
        f: F,
    ) -> Result<String, Error>
@ -474,7 +475,7 @@ impl WorkerTask {

        let (p, c) = oneshot::channel::<()>();

-        let worker = WorkerTask::new(worker_type, worker_id, username, to_stdout)?;
+        let worker = WorkerTask::new(worker_type, worker_id, userid, to_stdout)?;
        let upid_str = worker.upid.to_string();

        let _child = std::thread::Builder::new().name(upid_str.clone()).spawn(move || {