rest server: cleanup auth-log handling
index 32dfe9de31a0a03256fc3ee0ac81bebed0e05e6a..48a90d1b68461bc95b7ddc66b1f339d40ba4d6ce 100644 (file)
@@ -11,16 +11,18 @@ use proxmox::api::{api, Permission, RpcEnvironment};
 use proxmox::{http_err, list_subdirs_api_method};
 use proxmox::{identity, sortable};
 
+use pbs_api_types::{
+    Userid, Authid, PASSWORD_SCHEMA, ACL_PATH_SCHEMA,
+    PRIVILEGES, PRIV_PERMISSIONS_MODIFY, PRIV_SYS_AUDIT,
+};
 use pbs_tools::auth::private_auth_key;
 use pbs_tools::ticket::{self, Empty, Ticket};
+use pbs_config::acl::AclTreeNode;
 
-use crate::api2::types::*;
 use crate::auth_helpers::*;
 use crate::server::ticket::ApiTicket;
 
-use crate::config::acl as acl_config;
-use crate::config::acl::{PRIVILEGES, PRIV_PERMISSIONS_MODIFY, PRIV_SYS_AUDIT};
-use crate::config::cached_user_info::CachedUserInfo;
+use pbs_config::CachedUserInfo;
 use crate::config::tfa::TfaChallenge;
 
 pub mod acl;
@@ -194,6 +196,12 @@ pub fn create_ticket(
     tfa_challenge: Option<String>,
     rpcenv: &mut dyn RpcEnvironment,
 ) -> Result<Value, Error> {
+
+    use proxmox_rest_server::RestEnvironment;
+
+    let env: &RestEnvironment = rpcenv.as_any().downcast_ref::<RestEnvironment>()
+        .ok_or_else(|| format_err!("detected worng RpcEnvironment type"))?;
+
     match authenticate_user(&username, &password, path, privs, port, tfa_challenge) {
         Ok(AuthResult::Success) => Ok(json!({ "username": username })),
         Ok(AuthResult::CreateTicket) => {
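Review bot: The error text in the added downcast `.ok_or_else(|| format_err!("detected worng RpcEnvironment type"))?` misspells "wrong"; since this string is what surfaces when the handler is wired to an unexpected environment, it should read `format_err!("detected wrong RpcEnvironment type")`. Resolving `env` before `authenticate_user` is called is the right order, because a handler that cannot reach the auth log never gets as far as checking credentials, but it also means this particular failure is not itself recorded in the auth log and presumably only shows up in the API error response. create_ticket's signature and the start of its body are above this hunk.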
@@ -201,8 +209,7 @@ pub fn create_ticket(
             let ticket = Ticket::new("PBS", &api_ticket)?.sign(private_auth_key(), None)?;
             let token = assemble_csrf_prevention_token(csrf_secret(), &username);
 
-            crate::server::rest::auth_logger()?
-                .log(format!("successful auth for user '{}'", username));
+            env.log_auth(username.as_str());
 
             Ok(json!({
                 "username": username,
@@ -221,20 +228,7 @@ pub fn create_ticket(
             }))
         }
         Err(err) => {
-            let client_ip = match rpcenv.get_client_ip().map(|addr| addr.ip()) {
-                Some(ip) => format!("{}", ip),
-                None => "unknown".into(),
-            };
-
-            let msg = format!(
-                "authentication failure; rhost={} user={} msg={}",
-                client_ip,
-                username,
-                err.to_string()
-            );
-            crate::server::rest::auth_logger()?.log(&msg);
-            log::error!("{}", msg);
-
+            env.log_failed_auth(Some(username.to_string()), &err.to_string());
             Err(http_err!(UNAUTHORIZED, "permission check failed."))
         }
     }
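Review bot: The one-line replacement `env.log_failed_auth(Some(username.to_string()), &err.to_string());` drops two things the removed lines did explicitly: it no longer looks up the client address via `rpcenv.get_client_ip()` for the `rhost=` field, and it no longer mirrors the entry with `log::error!`. Presumably RestEnvironment::log_failed_auth derives the remote host from the environment and writes to both the auth log and the main log, but neither is visible in this diff; if it does not, failed logins disappear from the daemon log that operators and log-based alerting usually read. Once confirmed, a short comment above the call such as `// log_failed_auth records rhost/user/msg in the auth log and mirrors it to the main log` would pin that contract for the next reader. The function's closing brace lies outside this hunk.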
@@ -355,7 +349,7 @@ pub fn list_permissions(
 
     fn populate_acl_paths(
         mut paths: HashSet<String>,
-        node: acl_config::AclTreeNode,
+        node: AclTreeNode,
         path: &str,
     ) -> HashSet<String> {
         for (sub_path, child_node) in node.children {
@@ -375,7 +369,7 @@ pub fn list_permissions(
         None => {
             let mut paths = HashSet::new();
 
-            let (acl_tree, _) = acl_config::config()?;
+            let (acl_tree, _) = pbs_config::acl::config()?;
             paths = populate_acl_paths(paths, acl_tree.root, "");
 
             // default paths, returned even if no ACL exists
@@ -392,7 +386,7 @@ pub fn list_permissions(
     let map = paths.into_iter().fold(
         HashMap::new(),
         |mut map: HashMap<String, HashMap<String, bool>>, path: String| {
-            let split_path = acl_config::split_acl_path(path.as_str());
+            let split_path = pbs_config::acl::split_acl_path(path.as_str());
             let (privs, propagated_privs) = user_info.lookup_privs_details(&auth_id, &split_path);
 
             match privs {