access-control: make token shadow implementation re-usable

this commit factors out the token shadow implementation from
`proxmox-backup` so it can be used in other products.

Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
This commit is contained in:
Shannon Sterz 2024-06-19 11:54:14 +02:00 committed by Wolfgang Bumiller
parent 47eeecf711
commit ed6a17cec9
4 changed files with 94 additions and 0 deletions

View File

@ -17,9 +17,11 @@ anyhow.workspace = true
nix.workspace = true nix.workspace = true
openssl.workspace = true openssl.workspace = true
serde.workspace = true serde.workspace = true
serde_json.workspace = true
# proxmox-notify.workspace = true # proxmox-notify.workspace = true
proxmox-auth-api = { workspace = true, features = [ "api-types" ] } proxmox-auth-api = { workspace = true, features = [ "api-types" ] }
proxmox-schema.workspace = true proxmox-schema.workspace = true
proxmox-product-config.workspace = true proxmox-product-config.workspace = true
proxmox-sys = { workspace = true, features = [ "crypt" ] }
proxmox-time.workspace = true proxmox-time.workspace = true

View File

@ -72,3 +72,10 @@ pub(crate) fn acl_config_lock() -> PathBuf {
conf_dir().join(".acl.lck") conf_dir().join(".acl.lck")
} }
pub(crate) fn token_shadow() -> PathBuf {
conf_dir().join("token.shadow")
}
pub(crate) fn token_shadow_lock() -> PathBuf {
conf_dir().join("token.shadow.lock")
}

View File

@ -1,3 +1,4 @@
pub mod acl; pub mod acl;
pub mod init; pub mod init;
pub mod token_shadow;
pub mod types; pub mod types;

View File

@ -0,0 +1,84 @@
use std::collections::HashMap;
use anyhow::{bail, format_err, Error};
use proxmox_product_config::{open_api_lockfile, replace_config, ApiLockGuard};
use serde::{Deserialize, Serialize};
use serde_json::{from_value, Value};
use proxmox_auth_api::types::Authid;
use crate::init::{token_shadow, token_shadow_lock};
#[derive(Serialize, Deserialize)]
#[serde(rename_all = "kebab-case")]
/// ApiToken id / secret pair
pub struct ApiTokenSecret {
pub tokenid: Authid,
pub secret: String,
}
// Get exclusive lock
fn lock_config() -> Result<ApiLockGuard, Error> {
open_api_lockfile(token_shadow_lock(), None, true)
}
fn read_file() -> Result<HashMap<Authid, String>, Error> {
let json = proxmox_sys::fs::file_get_json(token_shadow(), Some(Value::Null))?;
if json == Value::Null {
Ok(HashMap::new())
} else {
// swallow serde error which might contain sensitive data
from_value(json)
.map_err(|_err| format_err!("unable to parse '{}'", token_shadow().display()))
}
}
fn write_file(data: HashMap<Authid, String>) -> Result<(), Error> {
let json = serde_json::to_vec(&data)?;
replace_config(token_shadow(), &json)
}
/// Verifies that an entry for given tokenid / API token secret exists
pub fn verify_secret(tokenid: &Authid, secret: &str) -> Result<(), Error> {
if !tokenid.is_token() {
bail!("not an API token ID");
}
let data = read_file()?;
match data.get(tokenid) {
Some(hashed_secret) => proxmox_sys::crypt::verify_crypt_pw(secret, hashed_secret),
None => bail!("invalid API token"),
}
}
/// Adds a new entry for the given tokenid / API token secret. The secret is stored as salted hash.
pub fn set_secret(tokenid: &Authid, secret: &str) -> Result<(), Error> {
if !tokenid.is_token() {
bail!("not an API token ID");
}
let _guard = lock_config()?;
let mut data = read_file()?;
let hashed_secret = proxmox_sys::crypt::encrypt_pw(secret)?;
data.insert(tokenid.clone(), hashed_secret);
write_file(data)?;
Ok(())
}
/// Deletes the entry for the given tokenid.
pub fn delete_secret(tokenid: &Authid) -> Result<(), Error> {
if !tokenid.is_token() {
bail!("not an API token ID");
}
let _guard = lock_config()?;
let mut data = read_file()?;
data.remove(tokenid);
write_file(data)?;
Ok(())
}