provide separate helpers for pub/priv auth keyring access

This used to be the case before the switch to the auth api crate and is required for some helpers where we don't want to have to setup the complete auth context. Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2025-01-06 13:18:00 +03:00 · 2023-03-29 14:37:20 +02:00 · 2023-03-29 14:37:20 +02:00 · 569324cb95
commit 569324cb95
parent 6477df8f89
4 changed files with 23 additions and 17 deletions
--- a/src/api2/access/openid.rs
+++ b/src/api2/access/openid.rs
@ -21,7 +21,7 @@ use pbs_buildcfg::PROXMOX_BACKUP_RUN_DIR_M;
 use pbs_config::open_backup_lockfile;
 use pbs_config::CachedUserInfo;

-use crate::auth::auth_keyring;
+use crate::auth::private_auth_keyring;
 use crate::auth_helpers::*;

 fn openid_authenticator(
@ -200,7 +200,7 @@ pub fn openid_login(
        }

        let api_ticket = ApiTicket::Full(user_id.clone());
-        let ticket = Ticket::new("PBS", &api_ticket)?.sign(auth_keyring(), None)?;
+        let ticket = Ticket::new("PBS", &api_ticket)?.sign(private_auth_keyring(), None)?;
        let token = assemble_csrf_prevention_token(csrf_secret(), &user_id);

        env.log_auth(user_id.as_str());
--- a/src/api2/node/mod.rs
+++ b/src/api2/node/mod.rs
@ -26,7 +26,7 @@ use proxmox_sys::fd::fd_change_cloexec;

 use pbs_api_types::{NODE_SCHEMA, PRIV_SYS_CONSOLE};

-use crate::auth::auth_keyring;
+use crate::auth::{private_auth_keyring, public_auth_keyring};
 use crate::tools;

 pub mod apt;
@ -119,7 +119,7 @@ async fn termproxy(cmd: Option<String>, rpcenv: &mut dyn RpcEnvironment) -> Resu
    let port = listener.local_addr()?.port();

    let ticket = Ticket::new(crate::auth::TERM_PREFIX, &Empty)?.sign(
-        auth_keyring(),
+        private_auth_keyring(),
        Some(&tools::ticket::term_aad(userid, path, port)),
    )?;

@ -290,7 +290,7 @@ fn upgrade_to_websocket(

        // will be checked again by termproxy
        Ticket::<Empty>::parse(ticket)?.verify(
-            auth_keyring(),
+            public_auth_keyring(),
            crate::auth::TERM_PREFIX,
            Some(&tools::ticket::term_aad(userid, "/system", port)),
        )?;
--- a/src/auth.rs
+++ b/src/auth.rs
@ -7,7 +7,7 @@ use std::pin::Pin;

 use anyhow::{bail, Error};
 use futures::Future;
-use once_cell::sync::OnceCell;
+use once_cell::sync::{Lazy, OnceCell};
 use proxmox_router::http_bail;
 use serde_json::json;

@ -221,13 +221,17 @@ pub(crate) fn authenticate_user<'a>(
    })
 }

+static PRIVATE_KEYRING: Lazy<Keyring> =
+    Lazy::new(|| Keyring::with_private_key(crate::auth_helpers::private_auth_key().clone().into()));
+static PUBLIC_KEYRING: Lazy<Keyring> =
+    Lazy::new(|| Keyring::with_public_key(crate::auth_helpers::public_auth_key().clone().into()));
 static AUTH_CONTEXT: OnceCell<PbsAuthContext> = OnceCell::new();

 pub fn setup_auth_context(use_private_key: bool) {
    let keyring = if use_private_key {
-        Keyring::with_private_key(crate::auth_helpers::private_auth_key().clone().into())
+        &*PRIVATE_KEYRING
    } else {
-        Keyring::with_public_key(crate::auth_helpers::public_auth_key().clone().into())
+        &*PUBLIC_KEYRING
    };

    AUTH_CONTEXT
@ -241,15 +245,16 @@ pub fn setup_auth_context(use_private_key: bool) {
    proxmox_auth_api::set_auth_context(AUTH_CONTEXT.get().unwrap());
 }

-pub(crate) fn auth_keyring() -> &'static Keyring {
-    &AUTH_CONTEXT
-        .get()
-        .expect("setup_auth_context not called")
-        .keyring
+pub(crate) fn private_auth_keyring() -> &'static Keyring {
+    &*PRIVATE_KEYRING
+}
+
+pub(crate) fn public_auth_keyring() -> &'static Keyring {
+    &*PUBLIC_KEYRING
 }

 struct PbsAuthContext {
-    keyring: Keyring,
+    keyring: &'static Keyring,
    csrf_secret: Vec<u8>,
 }

@ -260,7 +265,7 @@ impl proxmox_auth_api::api::AuthContext for PbsAuthContext {

    /// Get the current authentication keyring.
    fn keyring(&self) -> &Keyring {
-        &self.keyring
+        self.keyring
    }

    /// The auth prefix without the separating colon. Eg. `"PBS"`.
--- a/src/client_helpers.rs
+++ b/src/client_helpers.rs
@ -5,14 +5,15 @@ use pbs_client::{HttpClient, HttpClientOptions};

 use proxmox_auth_api::ticket::Ticket;

-use crate::auth::auth_keyring;
+use crate::auth::private_auth_keyring;

 /// Connect to localhost:8007 as root@pam
 ///
 /// This automatically creates a ticket if run as 'root' user.
 pub fn connect_to_localhost() -> Result<pbs_client::HttpClient, Error> {
    let options = if nix::unistd::Uid::current().is_root() {
-        let ticket = Ticket::new("PBS", Userid::root_userid())?.sign(auth_keyring(), None)?;
+        let ticket =
+            Ticket::new("PBS", Userid::root_userid())?.sign(private_auth_keyring(), None)?;
        let fingerprint = crate::cert_info()?.fingerprint()?;
        HttpClientOptions::new_non_interactive(ticket, Some(fingerprint))
    } else {