Proxmox/proxmox
5
0
Fork 1
Code Issues Pull Requests Releases Activity
2,513 Commits 3 Branches 0 Tags 16 MiB
Rust 99.7%
Makefile 0.2%
Shell 0.1%
4d6922e2c4
Go to file
Stefan Sterz 4d6922e2c4 auth-api: move to hmac signing for csrf tokens 
previously we used our own hmac-like implementation for csrf token
signing that simply appended the key to the message (csrf token).
however, this is possibly insecure as an attacker that finds a
collision in the hash function can easily forge a signature. after all,
two messages would then produce the same start conditions before
hashing the key. while this is probably a theoretic attack on our csrf
implementation, it does not hurt to move to the safer standard hmac
implementation that avoids such pitfalls.

this commit re-uses the hmac key wrapper used for the keyring. it also
keeps the old construction around so we can use it for a transition
period between old and new csrf token implementations.

this is a breaking change as it changes the signature of the
`csrf_secret` method of the `AuthContext` trait to return an hmac
key.

also exposes `assemble_csrf_prevention_toke` so we can re-use this
code here instead of duplicating it in e.g. proxmox-backup's
auth_helpers.

Signed-off-by: Stefan Sterz <s.sterz@proxmox.com>
2024-05-22 10:26:40 +02:00
.cargo cargo: switch to use packaged crates by default 2020-01-03 09:39:52 +01:00
proxmox-acme bump proxmox-acme to 0.5.2 2024-05-16 11:53:52 +02:00
proxmox-acme-api acme-api: add debian packaging 2024-05-17 12:13:02 +02:00
proxmox-api-macro bump proxmox-api-macro to 1.0.8-1 2024-02-02 13:56:01 +01:00
proxmox-apt fix #5249: apt: allow parsing Packages without Priority field 2024-04-19 08:47:34 +02:00
proxmox-async async: runtime: Modernise module and update docs 2023-08-23 09:51:52 +02:00
proxmox-auth-api auth-api: move to hmac signing for csrf tokens 2024-05-22 10:26:40 +02:00
proxmox-borrow update d/copyright files to debian copyright-format 1.0 2023-05-23 13:02:39 +02:00
proxmox-client bump proxmox-client to 0.3.1-1 2024-02-02 14:06:08 +01:00
proxmox-compression bump proxmox-compression to 0.2.1-1 2023-06-15 11:01:19 +02:00
proxmox-http bump proxmox-http to 0.9.1-1 2024-03-28 13:18:21 +01:00
proxmox-http-error more import cleanups 2023-07-28 11:47:39 +02:00
proxmox-human-byte bump proxmox-human-byte to 0.1.3-1 2024-02-02 13:56:01 +01:00
proxmox-io proxmox-io: fix sparse_copy not copying sparsely on irregular read operations 2023-08-09 12:48:04 +02:00
proxmox-lang update d/copyright files to debian copyright-format 1.0 2023-05-23 13:02:39 +02:00
proxmox-ldap ldap: bump version to 0.2.2-1 2024-04-24 21:13:45 +02:00
proxmox-login tree-wide: run cargo fmt 2024-03-25 17:04:17 +01:00
proxmox-metrics metrics: bump version to 0.3.1-1 2024-04-26 17:36:19 +02:00
proxmox-notify notify: fix TemplateType::Subject doc comment 2024-04-24 08:05:16 +02:00
proxmox-openid clippy fix: unnecessary use of to_string 2023-08-08 11:29:36 +02:00
proxmox-product-config product-config: add feature "impl" 2024-05-06 13:40:32 +02:00
proxmox-rest-server tree-wide: run cargo fmt 2024-03-25 17:04:17 +01:00
proxmox-router router: Use safe wrapper for libc::isatty 2024-02-16 16:56:02 +01:00
proxmox-rrd rrd: fixup examples with the renamed types 2024-02-21 12:28:10 +01:00
proxmox-schema bump proxmox-schema to 3.1.1-1 2024-05-16 09:35:50 +02:00
proxmox-section-config bump proxmox-section-config to 2.0.2-1 2024-05-17 11:04:10 +02:00
proxmox-serde clippy fix: the borrowed expression implements the required traits 2023-08-08 11:05:20 +02:00
proxmox-shared-memory bump proxmox-shared-memory to 0.3.0-1 2023-05-23 13:02:51 +02:00
proxmox-sortable-macro bump proxmox-sortable-macro to 0.1.3-1 2023-10-03 09:37:01 +02:00
proxmox-subscription bump proxmox-subscription to 0.4.3-1 2024-02-02 14:24:54 +01:00
proxmox-sys sys: bump version to 0.5.4-2 2024-04-26 17:24:23 +02:00
proxmox-system-management-api system-management-api: network: add create_interface and update_interface 2024-05-16 10:24:41 +02:00
proxmox-tfa bump proxmox-tfa to 4.1.2 2024-02-02 14:00:49 +01:00
proxmox-time add proxmox-rrd to workspace 2024-02-01 10:30:57 +01:00
proxmox-uuid update d/copyright files to debian copyright-format 1.0 2023-05-23 13:02:39 +02:00
.gitignore git: ignore top level *-deb make target files 2022-08-26 12:18:44 +02:00
build.sh build.sh: split overly long line 2023-06-03 16:48:10 +02:00
bump.sh add bump.sh 2022-12-07 10:36:27 +01:00
Cargo.toml acme-api: reusable ACME api implementation. 2024-05-16 12:35:14 +02:00
Makefile Makefile: enforce the use packaged cargo 2024-01-24 09:26:03 +01:00
README.rst update README 2023-08-01 15:48:19 +02:00
rustfmt.toml bump edition in rustfmt.toml 2022-10-13 15:00:28 +02:00

README.rst 

Local cargo config
==================

This repository ships with a ``.cargo/config`` that replaces the crates.io
registry with packaged crates located in ``/usr/share/cargo/registry``.

A similar config is also applied building with dh_cargo. Cargo.lock needs to be
deleted when switching between packaged crates and crates.io, since the
checksums are not compatible.

To reference new dependencies (or updated versions) that are not yet packaged,
the dependency needs to point directly to a path or git source.

Steps for Releases
==================

- Run ./bump.sh <CRATE> [patch|minor|major|<VERSION>]
-- Fill out changelog
-- Confirm bump commit
- Build packages with `make deb`.
-- Don't forget to commit updated d/control!

Adding Crates
=============

1) At the top level:
  - Generate the crate: ``cargo new --lib the-name``
  - Sort the crate into ``Cargo.toml``'s ``workspace.members``

2) In the new crate's ``Cargo.toml``:
  - In ``[package]`` set:
      authors.workspace = true
      license.workspace = true
      edition.workspace = true
      exclude.workspace = true
      repository.workspace = true
  - Add a meaningful ``description``
  - Copy ``debian/copyright`` and ``debian/debcargo.toml`` from another subcrate.

Adding a new Dependency
=======================

1) At the top level:
  - Add it to ``[workspace.dependencies]`` specifying the version and any
    features that should be enabled throughout the workspace

2) In each member's ``Cargo.toml``:
  - Add it to the desired dependencies section with ``workspace = true`` and no
    version specified.
  - If this member requires additional features, add only the extra features to
    the member dependency.

Updating a Dependency's Version
===============================

1) At the top level:
  - Bump the version in ``[workspace.dependencies]`` as desired.
  - Check for deprecations or breakage throughout the workspace.

Notes on Workspace Inheritance
==============================

Common metadata (like authors, license, ..) are inherited throughout the
workspace. If new fields are added that are identical for all crates, they
should be defined in the top-level ``Cargo.toml`` file's
``[workspace.package]`` section, and inherited in all members explicitly by
setting ``FIELD.workspace = true`` in the member's ``[package]`` section.

Dependency information is also inherited throughout the workspace, allowing a
single dependency specification in the top-level Cargo.toml file to be used by
all members.

Some restrictions apply:
- features can only be added in members, never removed (this includes
  ``default_features = false``!)
 - the base feature set at the workspace level should be the minimum (possibly
   empty!) set required by all members
- workspace dependency specifications cannot include ``optional``
 - if needed, the ``optional`` flag needs to be set at the member level when
   using a workspace dependency