bump proxmox-auth-api dep to 0.3

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller 2023-06-14 09:58:16 +02:00
parent dae0b67f1f
commit 177ee20bd9
6 changed files with 40 additions and 15 deletions


@ -55,7 +55,7 @@ path = "src/lib.rs"
[workspace.dependencies]
# proxmox workspace
proxmox-async = "0.4"
proxmox-auth-api = "0.2"
proxmox-auth-api = "0.3"
proxmox-borrow = "1"
proxmox-compression = "0.2"
proxmox-fuse = "0.1.3"

8
debian/control vendored

@ -52,10 +52,10 @@ Build-Depends: bash-completion,
librust-proxmox-acme-rs-0.4+default-dev,
librust-proxmox-apt-0.10+default-dev,
librust-proxmox-async-0.4+default-dev,
librust-proxmox-auth-api-0.2+api-dev,
librust-proxmox-auth-api-0.2+api-types-dev,
librust-proxmox-auth-api-0.2+default-dev,
librust-proxmox-auth-api-0.2+pam-authenticator-dev,
librust-proxmox-auth-api-0.3+api-dev,
librust-proxmox-auth-api-0.3+api-types-dev,
librust-proxmox-auth-api-0.3+default-dev,
librust-proxmox-auth-api-0.3+pam-authenticator-dev,
librust-proxmox-borrow-1+default-dev,
librust-proxmox-compression-0.2+default-dev (>= 0.2~),
librust-proxmox-fuse-0.1+default-dev (>= 0.1.3-~~),


@ -79,7 +79,8 @@ pub fn change_password(
}
let authenticator = crate::auth::lookup_authenticator(userid.realm())?;
authenticator.store_password(userid.name(), &password)?;
let client_ip = rpcenv.get_client_ip().map(|sa| sa.ip());
authenticator.store_password(userid.name(), &password, client_ip.as_ref())?;
Ok(Value::Null)
}
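Review bot: Nothing at this call site says what kind of address `rpcenv.get_client_ip()` yields, and the same `rpcenv.get_client_ip().map(|sa| sa.ip())` expression is repeated in `tfa_update_auth`, `create_user` and `update_user`. If an authenticator ever uses the value for audit logging or throttling, it matters whether it is the socket peer or something a forwarding proxy can set, and that is not visible from these hunks. A small shared helper would give one place to record it, with a doc comment along the lines of `/// Client address as reported by the RPC environment; informational only, None if unknown.` The body of `change_password` starts outside the hunk.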


@ -28,12 +28,14 @@ async fn tfa_update_auth(
let authid: Authid = rpcenv.get_auth_id().unwrap().parse()?;
if authid.user() != Userid::root_userid() {
let client_ip = rpcenv.get_client_ip().map(|sa| sa.ip());
let password = password.ok_or_else(|| http_err!(UNAUTHORIZED, "missing password"))?;
#[allow(clippy::let_unit_value)]
{
let _: () = crate::auth::authenticate_user(authid.user(), &password)
.await
.map_err(|err| http_err!(UNAUTHORIZED, "{}", err))?;
let _: () =
crate::auth::authenticate_user(authid.user(), &password, client_ip.as_ref())
.await
.map_err(|err| http_err!(UNAUTHORIZED, "{}", err))?;
}
}
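Review bot: The `map_err` on the `authenticate_user` call copies the authenticator's error text verbatim into the 401 response, so whatever the realm backend reports on failure is shown to the caller. Depending on the realm that may be more than a wrong-password message (presumably file or directory-server errors can surface here; this is not confirmed from the hunk). With `client_ip` now in scope, the failure could be logged server-side together with the address and the response kept generic, e.g. `.map_err(|_| http_err!(UNAUTHORIZED, "authentication failed"))?`. `tfa_update_auth` continues beyond the hunk.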


@ -156,7 +156,8 @@ pub fn create_user(
if realm == "pam" && !user_info.is_superuser(&current_auth_id) {
bail!("only superuser can edit pam credentials!");
}
authenticator.store_password(config.userid.name(), &password)?;
let client_ip = rpcenv.get_client_ip().map(|sa| sa.ip());
authenticator.store_password(config.userid.name(), &password, client_ip.as_ref())?;
}
Ok(())
@ -294,7 +295,8 @@ pub fn update_user(
bail!("only superuser can edit pam credentials!");
}
let authenticator = crate::auth::lookup_authenticator(userid.realm())?;
authenticator.store_password(userid.name(), &password)?;
let client_ip = rpcenv.get_client_ip().map(|sa| sa.ip());
authenticator.store_password(userid.name(), &password, client_ip.as_ref())?;
}
if let Some(firstname) = update.firstname {


@ -2,6 +2,7 @@
//!
//! This library contains helper to authenticate users.
use std::net::IpAddr;
use std::path::PathBuf;
use std::pin::Pin;
@ -34,6 +35,7 @@ impl Authenticator for PbsAuthenticator {
&self,
username: &'a UsernameRef,
password: &'a str,
_client_ip: Option<&'a IpAddr>,
) -> Pin<Box<dyn Future<Output = Result<(), Error>> + Send + 'a>> {
Box::pin(async move {
let data = proxmox_sys::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;
@ -45,7 +47,12 @@ impl Authenticator for PbsAuthenticator {
})
}
fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error> {
fn store_password(
&self,
username: &UsernameRef,
password: &str,
_client_ip: Option<&IpAddr>,
) -> Result<(), Error> {
let enc_password = proxmox_sys::crypt::encrypt_pw(password)?;
let mut data = proxmox_sys::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;
data[username.as_str()] = enc_password.into();
@ -90,6 +97,7 @@ impl Authenticator for OpenIdAuthenticator {
&'a self,
_username: &'a UsernameRef,
_password: &'a str,
_client_ip: Option<&'a IpAddr>,
) -> Pin<Box<dyn Future<Output = Result<(), Error>> + Send + 'a>> {
Box::pin(async move {
http_bail!(
@ -99,7 +107,12 @@ impl Authenticator for OpenIdAuthenticator {
})
}
fn store_password(&self, _username: &UsernameRef, _password: &str) -> Result<(), Error> {
fn store_password(
&self,
_username: &UsernameRef,
_password: &str,
_client_ip: Option<&IpAddr>,
) -> Result<(), Error> {
http_bail!(
NOT_IMPLEMENTED,
"storing passwords is not implemented for OpenID realms"
@ -125,6 +138,7 @@ impl Authenticator for LdapAuthenticator {
&'a self,
username: &'a UsernameRef,
password: &'a str,
_client_ip: Option<&'a IpAddr>,
) -> Pin<Box<dyn Future<Output = Result<(), Error>> + Send + 'a>> {
Box::pin(async move {
let ldap_config = Self::api_type_to_config(&self.config)?;
@ -134,7 +148,12 @@ impl Authenticator for LdapAuthenticator {
})
}
fn store_password(&self, _username: &UsernameRef, _password: &str) -> Result<(), Error> {
fn store_password(
&self,
_username: &UsernameRef,
_password: &str,
_client_ip: Option<&IpAddr>,
) -> Result<(), Error> {
http_bail!(
NOT_IMPLEMENTED,
"storing passwords is not implemented for LDAP realms"
@ -212,10 +231,11 @@ pub(crate) fn lookup_authenticator(
pub(crate) fn authenticate_user<'a>(
userid: &'a Userid,
password: &'a str,
client_ip: Option<&'a IpAddr>,
) -> Pin<Box<dyn Future<Output = Result<(), Error>> + Send + 'a>> {
Box::pin(async move {
lookup_authenticator(userid.realm())?
.authenticate_user(userid.name(), password)
.authenticate_user(userid.name(), password, client_ip)
.await?;
Ok(())
})
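Review bot: The new `_client_ip` parameter is accepted and ignored by all three implementations in this file (`PbsAuthenticator`, `OpenIdAuthenticator`, `LdapAuthenticator`), and nothing tells a reader whether that is intentional. A one-line comment on each impl, such as `// client_ip: required by the Authenticator trait, not used by this realm`, would make that explicit, and the crate-level `authenticate_user` wrapper deserves a doc line saying the address is optional and only forwarded. If failed logins for the PBS and LDAP realms are meant to be attributable to a source address, that has to happen at the caller, since these implementations drop the value; whether the callers do so is not visible here.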