use proxmox::{identity, sortable};
use pbs_api_types::{
- Userid, Authid, PASSWORD_SCHEMA, ACL_PATH_SCHEMA,
+ Userid, Authid, PASSWORD_SCHEMA, ACL_PATH_SCHEMA,
PRIVILEGES, PRIV_PERMISSIONS_MODIFY, PRIV_SYS_AUDIT,
};
-use pbs_tools::auth::private_auth_key;
use pbs_tools::ticket::{self, Empty, Ticket};
use pbs_config::acl::AclTreeNode;
+use pbs_config::CachedUserInfo;
use crate::auth_helpers::*;
-use crate::server::ticket::ApiTicket;
-
-use pbs_config::CachedUserInfo;
use crate::config::tfa::TfaChallenge;
+use crate::server::ticket::ApiTicket;
pub mod acl;
pub mod domain;
+pub mod openid;
pub mod role;
pub mod tfa;
pub mod user;
-#[cfg(openid)]
-pub mod openid;
-
#[allow(clippy::large_enum_variant)]
enum AuthResult {
/// Successful authentication which does not require a new ticket.
tfa_challenge: Option<String>,
rpcenv: &mut dyn RpcEnvironment,
) -> Result<Value, Error> {
+
+ use proxmox_rest_server::RestEnvironment;
+
+ let env: &RestEnvironment = rpcenv.as_any().downcast_ref::<RestEnvironment>()
+ .ok_or_else(|| format_err!("detected worng RpcEnvironment type"))?;
+
match authenticate_user(&username, &password, path, privs, port, tfa_challenge) {
Ok(AuthResult::Success) => Ok(json!({ "username": username })),
Ok(AuthResult::CreateTicket) => {
let ticket = Ticket::new("PBS", &api_ticket)?.sign(private_auth_key(), None)?;
let token = assemble_csrf_prevention_token(csrf_secret(), &username);
- crate::server::rest::auth_logger()?
- .log(format!("successful auth for user '{}'", username));
+ env.log_auth(username.as_str());
Ok(json!({
"username": username,
}))
}
Err(err) => {
- let client_ip = match rpcenv.get_client_ip().map(|addr| addr.ip()) {
- Some(ip) => format!("{}", ip),
- None => "unknown".into(),
- };
-
- let msg = format!(
- "authentication failure; rhost={} user={} msg={}",
- client_ip,
- username,
- err.to_string()
- );
- crate::server::rest::auth_logger()?.log(&msg);
- log::error!("{}", msg);
-
+ env.log_failed_auth(Some(username.to_string()), &err.to_string());
Err(http_err!(UNAUTHORIZED, "permission check failed."))
}
}
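Review bot: The error text on L36 has a typo, `worng`; this string is what a caller sees when the environment downcast fails (a server-side wiring problem rather than a user error), so it should read `format_err!("detected wrong RpcEnvironment type")`. Because that check runs before `authenticate_user`, a failed downcast produces an internal error without any auth-log entry, which is acceptable but deserves a short comment such as `// a RestEnvironment is required so auth results can be logged with the client address`. The removed failure path wrote `authentication failure; rhost=… user=… msg=…` to both the auth log and `log::error!`; `env.log_failed_auth` on L65 presumably preserves the rhost field and the syslog copy, but that is not visible in this hunk and fail2ban-style consumers matching on the old format depend on it, so please confirm the helper keeps that layout. The enclosing `create_ticket` function begins before this hunk.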
Ok(map)
}
-#[cfg(openid)]
-const OPENID_ROUTER: &Router = &openid::ROUTER;
-
-#[cfg(not(openid))]
-const OPENID_ROUTER: &Router = &Router::new();
-
#[sortable]
const SUBDIRS: SubdirMap = &sorted!([
("acl", &acl::ROUTER),
&Router::new().get(&API_METHOD_LIST_PERMISSIONS)
),
("ticket", &Router::new().post(&API_METHOD_CREATE_TICKET)),
- ("openid", &OPENID_ROUTER),
+ ("openid", &openid::ROUTER),
("domains", &domain::ROUTER),
("roles", &role::ROUTER),
("users", &user::ROUTER),
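Review bot: Dropping the `#[cfg(openid)]` gate mounts `openid::ROUTER` unconditionally at `("openid", &openid::ROUTER)` on L84, so the OpenID login endpoints are part of every build and can no longer be compiled out. That is fine as long as the handlers in `openid::ROUTER` refuse requests when no OpenID realm is configured; that module is not visible here, so please confirm they fail closed rather than relying on the former build-time exclusion. A brief comment above the entry, e.g. `// openid is always compiled in; its handlers reject logins for realms that are not configured`, would record the new assumption for the next reader.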