drop pbs_tools::auth

[proxmox-backup.git] / src / api2 / access / mod.rs

diff --git a/src/api2/access/mod.rs b/src/api2/access/mod.rs
index 58ac8ca414ef9276f218b78d06876d79d2dbbe9e..7e11edaa7d36e4263d7d3e7245037ecd258b2a6e 100644 (file)
--- a/src/api2/access/mod.rs
+++ b/src/api2/access/mod.rs
@@ -12,28 +12,24 @@ use proxmox::{http_err, list_subdirs_api_method};
 use proxmox::{identity, sortable};
 
 use pbs_api_types::{
-    Userid, Authid, PASSWORD_SCHEMA, ACL_PATH_SCHEMA, 
+    Userid, Authid, PASSWORD_SCHEMA, ACL_PATH_SCHEMA,
     PRIVILEGES, PRIV_PERMISSIONS_MODIFY, PRIV_SYS_AUDIT,
 };
-use pbs_tools::auth::private_auth_key;
 use pbs_tools::ticket::{self, Empty, Ticket};
 use pbs_config::acl::AclTreeNode;
+use pbs_config::CachedUserInfo;
 
 use crate::auth_helpers::*;
-use crate::server::ticket::ApiTicket;
-
-use pbs_config::CachedUserInfo;
 use crate::config::tfa::TfaChallenge;
+use crate::server::ticket::ApiTicket;
 
 pub mod acl;
 pub mod domain;
+pub mod openid;
 pub mod role;
 pub mod tfa;
 pub mod user;
 
-#[cfg(openid)]
-pub mod openid;
-
 #[allow(clippy::large_enum_variant)]
 enum AuthResult {
     /// Successful authentication which does not require a new ticket.
@@ -196,6 +192,12 @@ pub fn create_ticket(
     tfa_challenge: Option<String>,
     rpcenv: &mut dyn RpcEnvironment,
 ) -> Result<Value, Error> {
+
+    use proxmox_rest_server::RestEnvironment;
+
+    let env: &RestEnvironment = rpcenv.as_any().downcast_ref::<RestEnvironment>()
+        .ok_or_else(|| format_err!("detected worng RpcEnvironment type"))?;
+
     match authenticate_user(&username, &password, path, privs, port, tfa_challenge) {
         Ok(AuthResult::Success) => Ok(json!({ "username": username })),
         Ok(AuthResult::CreateTicket) => {
@@ -203,8 +205,7 @@ pub fn create_ticket(
             let ticket = Ticket::new("PBS", &api_ticket)?.sign(private_auth_key(), None)?;
             let token = assemble_csrf_prevention_token(csrf_secret(), &username);
 
-            crate::server::rest::auth_logger()?
-                .log(format!("successful auth for user '{}'", username));
+            env.log_auth(username.as_str());
 
             Ok(json!({
                 "username": username,
@@ -223,20 +224,7 @@ pub fn create_ticket(
             }))
         }
         Err(err) => {
-            let client_ip = match rpcenv.get_client_ip().map(|addr| addr.ip()) {
-                Some(ip) => format!("{}", ip),
-                None => "unknown".into(),
-            };
-
-            let msg = format!(
-                "authentication failure; rhost={} user={} msg={}",
-                client_ip,
-                username,
-                err.to_string()
-            );
-            crate::server::rest::auth_logger()?.log(&msg);
-            log::error!("{}", msg);
-
+            env.log_failed_auth(Some(username.to_string()), &err.to_string());
             Err(http_err!(UNAUTHORIZED, "permission check failed."))
         }
     }
@@ -421,12 +409,6 @@ pub fn list_permissions(
     Ok(map)
 }
 
-#[cfg(openid)]
-const OPENID_ROUTER: &Router = &openid::ROUTER;
-
-#[cfg(not(openid))]
-const OPENID_ROUTER: &Router = &Router::new();
-
 #[sortable]
 const SUBDIRS: SubdirMap = &sorted!([
     ("acl", &acl::ROUTER),
@@ -436,7 +418,7 @@ const SUBDIRS: SubdirMap = &sorted!([
         &Router::new().get(&API_METHOD_LIST_PERMISSIONS)
     ),
     ("ticket", &Router::new().post(&API_METHOD_CREATE_TICKET)),
-    ("openid", &OPENID_ROUTER),
+    ("openid", &openid::ROUTER),
     ("domains", &domain::ROUTER),
     ("roles", &role::ROUTER),
     ("users", &user::ROUTER),