use failure::*;
-use lazy_static::lazy_static;
-use std::sync::Arc;
+use ::serde::{Deserialize, Serialize};
-use crate::api_schema::*;
-use proxmox::tools::common_regex;
+use proxmox::api::{api, schema::*};
+use proxmox::const_regex;
+use proxmox::{IPRE, IPV4RE, IPV6RE, IPV4OCTET, IPV6H16, IPV6LS32};
-lazy_static!{
+// File names: may not contain slashes, may not start with "."
+pub const FILENAME_FORMAT: ApiStringFormat = ApiStringFormat::VerifyFn(|name| {
+ if name.starts_with('.') {
+ bail!("file names may not start with '.'");
+ }
+ if name.contains('/') {
+ bail!("file names may not contain slashes");
+ }
+ Ok(())
+});
- // File names: may not contain slashes, may not start with "."
- pub static ref FILENAME_FORMAT: Arc<ApiStringFormat> = Arc::new(ApiStringFormat::VerifyFn(|name| {
- if name.starts_with('.') {
- bail!("file names may not start with '.'");
+macro_rules! DNS_LABEL { () => (r"(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]*[a-zA-Z0-9])?)") }
+macro_rules! DNS_NAME { () => (concat!(r"(?:", DNS_LABEL!() , r"\.)*", DNS_LABEL!())) }
+
+// we only allow a limited set of characters
+// colon is not allowed, because we store usernames in
+// colon separated lists)!
+// slash is not allowed because it is used as pve API delimiter
+// also see "man useradd"
+macro_rules! USER_NAME_REGEX_STR { () => (r"(?:[^\s:/[:cntrl:]]+)") }
+
+macro_rules! PROXMOX_SAFE_ID_REGEX_STR { () => (r"(?:[A-Za-z0-9_][A-Za-z0-9._\-]*)") }
+
+const_regex!{
+ pub IP_FORMAT_REGEX = IPRE!();
+ pub SHA256_HEX_REGEX = r"^[a-f0-9]{64}$"; // fixme: define in common_regex ?
+ pub SYSTEMD_DATETIME_REGEX = r"^\d{4}-\d{2}-\d{2}( \d{2}:\d{2}(:\d{2})?)?$"; // fixme: define in common_regex ?
+
+ pub PASSWORD_REGEX = r"^[[:^cntrl:]]*$"; // everything but control characters
+
+ /// Regex for safe identifiers.
+ ///
+ /// This
+ /// [article](https://dwheeler.com/essays/fixing-unix-linux-filenames.html)
+ /// contains further information why it is reasonable to restict
+ /// names this way. This is not only useful for filenames, but for
+ /// any identifier command line tools work with.
+ pub PROXMOX_SAFE_ID_REGEX = concat!(r"^", PROXMOX_SAFE_ID_REGEX_STR!(), r"$");
+
+ pub SINGLE_LINE_COMMENT_REGEX = r"^[[:^cntrl:]]*$";
+
+ pub HOSTNAME_REGEX = r"^(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]*[a-zA-Z0-9])?)$";
+
+ pub DNS_NAME_REGEX = concat!(r"^", DNS_NAME!(), r"$");
+
+ pub DNS_NAME_OR_IP_REGEX = concat!(r"^", DNS_NAME!(), "|", IPRE!(), r"$");
+
+ pub PROXMOX_USER_ID_REGEX = concat!(r"^", USER_NAME_REGEX_STR!(), r"@", PROXMOX_SAFE_ID_REGEX_STR!(), r"$");
+
+ pub CERT_FINGERPRINT_SHA256_REGEX = r"^(?:[0-9a-fA-F][0-9a-fA-F])(?::[0-9a-fA-F][0-9a-fA-F]){31}$";
+
+ pub ACL_PATH_REGEX = concat!(r"^(?:\/|", r"(?:\/", PROXMOX_SAFE_ID_REGEX_STR!(), ")+", r")$");
+}
+
+pub const SYSTEMD_DATETIME_FORMAT: ApiStringFormat =
+ ApiStringFormat::Pattern(&SYSTEMD_DATETIME_REGEX);
+
+pub const IP_FORMAT: ApiStringFormat =
+ ApiStringFormat::Pattern(&IP_FORMAT_REGEX);
+
+pub const PVE_CONFIG_DIGEST_FORMAT: ApiStringFormat =
+ ApiStringFormat::Pattern(&SHA256_HEX_REGEX);
+
+pub const CERT_FINGERPRINT_SHA256_FORMAT: ApiStringFormat =
+ ApiStringFormat::Pattern(&CERT_FINGERPRINT_SHA256_REGEX);
+
+pub const PROXMOX_SAFE_ID_FORMAT: ApiStringFormat =
+ ApiStringFormat::Pattern(&PROXMOX_SAFE_ID_REGEX);
+
+pub const SINGLE_LINE_COMMENT_FORMAT: ApiStringFormat =
+ ApiStringFormat::Pattern(&SINGLE_LINE_COMMENT_REGEX);
+
+pub const HOSTNAME_FORMAT: ApiStringFormat =
+ ApiStringFormat::Pattern(&HOSTNAME_REGEX);
+
+pub const DNS_NAME_FORMAT: ApiStringFormat =
+ ApiStringFormat::Pattern(&DNS_NAME_REGEX);
+
+pub const DNS_NAME_OR_IP_FORMAT: ApiStringFormat =
+ ApiStringFormat::Pattern(&DNS_NAME_OR_IP_REGEX);
+
+pub const PROXMOX_USER_ID_FORMAT: ApiStringFormat =
+ ApiStringFormat::Pattern(&PROXMOX_USER_ID_REGEX);
+
+pub const PASSWORD_FORMAT: ApiStringFormat =
+ ApiStringFormat::Pattern(&PASSWORD_REGEX);
+
+pub const ACL_PATH_FORMAT: ApiStringFormat =
+ ApiStringFormat::Pattern(&ACL_PATH_REGEX);
+
+
+pub const PASSWORD_SCHEMA: Schema = StringSchema::new("Password.")
+ .format(&PASSWORD_FORMAT)
+ .min_length(1)
+ .max_length(1024)
+ .schema();
+
+pub const PBS_PASSWORD_SCHEMA: Schema = StringSchema::new("User Password.")
+ .format(&PASSWORD_FORMAT)
+ .min_length(5)
+ .max_length(64)
+ .schema();
+
+pub const CERT_FINGERPRINT_SHA256_SCHEMA: Schema = StringSchema::new(
+ "X509 certificate fingerprint (sha256)."
+)
+ .format(&CERT_FINGERPRINT_SHA256_FORMAT)
+ .schema();
+
+pub const PROXMOX_CONFIG_DIGEST_SCHEMA: Schema = StringSchema::new(r#"\
+Prevent changes if current configuration file has different SHA256 digest.
+This can be used to prevent concurrent modifications.
+"#
+)
+ .format(&PVE_CONFIG_DIGEST_FORMAT)
+ .schema();
+
+
+pub const CHUNK_DIGEST_FORMAT: ApiStringFormat =
+ ApiStringFormat::Pattern(&SHA256_HEX_REGEX);
+
+pub const CHUNK_DIGEST_SCHEMA: Schema = StringSchema::new("Chunk digest (SHA256).")
+ .format(&CHUNK_DIGEST_FORMAT)
+ .schema();
+
+pub const NODE_SCHEMA: Schema = StringSchema::new("Node name (or 'localhost')")
+ .format(&ApiStringFormat::VerifyFn(|node| {
+ if node == "localhost" || node == proxmox::tools::nodename() {
+ Ok(())
+ } else {
+ bail!("no such node '{}'", node);
+ }
+ }))
+ .schema();
+
+pub const SEARCH_DOMAIN_SCHEMA: Schema =
+ StringSchema::new("Search domain for host-name lookup.").schema();
+
+pub const FIRST_DNS_SERVER_SCHEMA: Schema =
+ StringSchema::new("First name server IP address.")
+ .format(&IP_FORMAT)
+ .schema();
+
+pub const SECOND_DNS_SERVER_SCHEMA: Schema =
+ StringSchema::new("Second name server IP address.")
+ .format(&IP_FORMAT)
+ .schema();
+
+pub const THIRD_DNS_SERVER_SCHEMA: Schema =
+ StringSchema::new("Third name server IP address.")
+ .format(&IP_FORMAT)
+ .schema();
+
+pub const BACKUP_ARCHIVE_NAME_SCHEMA: Schema =
+ StringSchema::new("Backup archive name.")
+ .format(&PROXMOX_SAFE_ID_FORMAT)
+ .schema();
+
+pub const BACKUP_TYPE_SCHEMA: Schema =
+ StringSchema::new("Backup type.")
+ .format(&ApiStringFormat::Enum(&["vm", "ct", "host"]))
+ .schema();
+
+pub const BACKUP_ID_SCHEMA: Schema =
+ StringSchema::new("Backup ID.")
+ .format(&PROXMOX_SAFE_ID_FORMAT)
+ .schema();
+
+pub const BACKUP_TIME_SCHEMA: Schema =
+ IntegerSchema::new("Backup time (Unix epoch.)")
+ .minimum(1_547_797_308)
+ .schema();
+
+pub const UPID_SCHEMA: Schema = StringSchema::new("Unique Process/Task ID.")
+ .max_length(256)
+ .schema();
+
+pub const DATASTORE_SCHEMA: Schema = StringSchema::new("Datastore name.")
+ .format(&PROXMOX_SAFE_ID_FORMAT)
+ .min_length(3)
+ .max_length(32)
+ .schema();
+
+pub const REMOTE_ID_SCHEMA: Schema = StringSchema::new("Remote ID.")
+ .format(&PROXMOX_SAFE_ID_FORMAT)
+ .min_length(3)
+ .max_length(32)
+ .schema();
+
+pub const SINGLE_LINE_COMMENT_SCHEMA: Schema = StringSchema::new("Comment (single line).")
+ .format(&SINGLE_LINE_COMMENT_FORMAT)
+ .schema();
+
+pub const HOSTNAME_SCHEMA: Schema = StringSchema::new("Hostname (as defined in RFC1123).")
+ .format(&HOSTNAME_FORMAT)
+ .schema();
+
+pub const DNS_NAME_OR_IP_SCHEMA: Schema = StringSchema::new("DNS name or IP address.")
+ .format(&DNS_NAME_OR_IP_FORMAT)
+ .schema();
+
+pub const PROXMOX_AUTH_REALM_SCHEMA: Schema = StringSchema::new("Authentication domain ID")
+ .format(&PROXMOX_SAFE_ID_FORMAT)
+ .min_length(3)
+ .max_length(32)
+ .schema();
+
+pub const PROXMOX_USER_ID_SCHEMA: Schema = StringSchema::new("User ID")
+ .format(&PROXMOX_USER_ID_FORMAT)
+ .min_length(3)
+ .max_length(64)
+ .schema();
+
+
+// Complex type definitions
+
+#[api(
+ properties: {
+ "backup-type": {
+ schema: BACKUP_TYPE_SCHEMA,
+ },
+ "backup-id": {
+ schema: BACKUP_ID_SCHEMA,
+ },
+ "last-backup": {
+ schema: BACKUP_TIME_SCHEMA,
+ },
+ "backup-count": {
+ type: Integer,
+ },
+ files: {
+ items: {
+ schema: BACKUP_ARCHIVE_NAME_SCHEMA
+ },
+ },
+ },
+)]
+#[derive(Serialize, Deserialize)]
+#[serde(rename_all="kebab-case")]
+/// Basic information about a backup group.
+pub struct GroupListItem {
+ pub backup_type: String, // enum
+ pub backup_id: String,
+ pub last_backup: i64,
+ /// Number of contained snapshots
+ pub backup_count: u64,
+ /// List of contained archive files.
+ pub files: Vec<String>,
+}
+
+#[api(
+ properties: {
+ "backup-type": {
+ schema: BACKUP_TYPE_SCHEMA,
+ },
+ "backup-id": {
+ schema: BACKUP_ID_SCHEMA,
+ },
+ "backup-time": {
+ schema: BACKUP_TIME_SCHEMA,
+ },
+ files: {
+ items: {
+ schema: BACKUP_ARCHIVE_NAME_SCHEMA
+ },
+ },
+ },
+)]
+#[derive(Serialize, Deserialize)]
+#[serde(rename_all="kebab-case")]
+/// Basic information about backup snapshot.
+pub struct SnapshotListItem {
+ pub backup_type: String, // enum
+ pub backup_id: String,
+ pub backup_time: i64,
+ /// List of contained archive files.
+ pub files: Vec<String>,
+ /// Overall snapshot size (sum of all archive sizes).
+ #[serde(skip_serializing_if="Option::is_none")]
+ pub size: Option<u64>,
+}
+
+#[api(
+ properties: {
+ "filename": {
+ schema: BACKUP_ARCHIVE_NAME_SCHEMA,
+ },
+ },
+)]
+#[derive(Serialize, Deserialize)]
+#[serde(rename_all="kebab-case")]
+/// Basic information about archive files inside a backup snapshot.
+pub struct BackupContent {
+ pub filename: String,
+ /// Archive size (from backup manifest).
+ #[serde(skip_serializing_if="Option::is_none")]
+ pub size: Option<u64>,
+}
+
+#[api(
+ properties: {
+ "upid": {
+ optional: true,
+ schema: UPID_SCHEMA,
+ },
+ },
+)]
+#[derive(Clone, Serialize, Deserialize)]
+#[serde(rename_all="kebab-case")]
+/// Garbage collection status.
+pub struct GarbageCollectionStatus {
+ pub upid: Option<String>,
+ /// Number of processed index files.
+ pub index_file_count: usize,
+ /// Sum of bytes referred by index files.
+ pub index_data_bytes: u64,
+ /// Bytes used on disk.
+ pub disk_bytes: u64,
+ /// Chunks used on disk.
+ pub disk_chunks: usize,
+ /// Sum of removed bytes.
+ pub removed_bytes: u64,
+ /// Number of removed chunks.
+ pub removed_chunks: usize,
+ /// Sum of pending bytes (pending removal - kept for safety).
+ pub pending_bytes: u64,
+ /// Number of pending chunks (pending removal - kept for safety).
+ pub pending_chunks: usize,
+}
+
+impl Default for GarbageCollectionStatus {
+ fn default() -> Self {
+ GarbageCollectionStatus {
+ upid: None,
+ index_file_count: 0,
+ index_data_bytes: 0,
+ disk_bytes: 0,
+ disk_chunks: 0,
+ removed_bytes: 0,
+ removed_chunks: 0,
+ pending_bytes: 0,
+ pending_chunks: 0,
+ }
+ }
+}
+
+
+#[api()]
+#[derive(Serialize, Deserialize)]
+/// Storage space usage information.
+pub struct StorageStatus {
+ /// Total space (bytes).
+ pub total: u64,
+ /// Used space (bytes).
+ pub used: u64,
+ /// Available space (bytes).
+ pub avail: u64,
+}
+
+#[api(
+ properties: {
+ "upid": { schema: UPID_SCHEMA },
+ },
+)]
+#[derive(Serialize, Deserialize)]
+/// Task properties.
+pub struct TaskListItem {
+ pub upid: String,
+ /// The node name where the task is running on.
+ pub node: String,
+ /// The Unix PID
+ pub pid: i64,
+ /// The task start time (Epoch)
+ pub pstart: u64,
+ /// The task start time (Epoch)
+ pub starttime: i64,
+ /// Worker type (arbitrary ASCII string)
+ pub worker_type: String,
+ /// Worker ID (arbitrary ASCII string)
+ pub worker_id: Option<String>,
+ /// The user who started the task
+ pub user: String,
+ /// The task end time (Epoch)
+ #[serde(skip_serializing_if="Option::is_none")]
+ pub endtime: Option<i64>,
+ /// Task end status
+ #[serde(skip_serializing_if="Option::is_none")]
+ pub status: Option<String>,
+}
+
+// Regression tests
+
+#[test]
+fn test_cert_fingerprint_schema() -> Result<(), Error> {
+
+ let schema = CERT_FINGERPRINT_SHA256_SCHEMA;
+
+ let invalid_fingerprints = [
+ "86:88:7c:be:26:77:a5:62:67:d9:06:f5:e4::61:3e:20:dc:cd:43:92:07:7f:fb:65:54:6c:ff:d2:96:36:f8",
+ "88:7C:BE:26:77:a5:62:67:D9:06:f5:e4:14:61:3e:20:dc:cd:43:92:07:7f:fb:65:54:6c:ff:d2:96:36:f8",
+ "86:88:7c:be:26:77:a5:62:67:d9:06:f5:e4::14:61:3e:20:dc:cd:43:92:07:7f:fb:65:54:6c:ff:d2:96:36:f8:ff",
+ "XX:88:7c:be:26:77:a5:62:67:d9:06:f5:e4::14:61:3e:20:dc:cd:43:92:07:7f:fb:65:54:6c:ff:d2:96:36:f8",
+ "86:88:Y4:be:26:77:a5:62:67:d9:06:f5:e4:14:61:3e:20:dc:cd:43:92:07:7f:fb:65:54:6c:ff:d2:96:36:f8",
+ "86:88:0:be:26:77:a5:62:67:d9:06:f5:e4:14:61:3e:20:dc:cd:43:92:07:7f:fb:65:54:6c:ff:d2:96:36:f8",
+ ];
+
+ for fingerprint in invalid_fingerprints.iter() {
+ if let Ok(_) = parse_simple_value(fingerprint, &schema) {
+ bail!("test fingerprint '{}' failed - got Ok() while expection an error.", fingerprint);
+ }
+ }
+
+ let valid_fingerprints = [
+ "86:88:7c:be:26:77:a5:62:67:d9:06:f5:e4:14:61:3e:20:dc:cd:43:92:07:7f:fb:65:54:6c:ff:d2:96:36:f8",
+ "86:88:7C:BE:26:77:a5:62:67:D9:06:f5:e4:14:61:3e:20:dc:cd:43:92:07:7f:fb:65:54:6c:ff:d2:96:36:f8",
+ ];
+
+ for fingerprint in valid_fingerprints.iter() {
+ let v = match parse_simple_value(fingerprint, &schema) {
+ Ok(v) => v,
+ Err(err) => {
+ bail!("unable to parse fingerprint '{}' - {}", fingerprint, err);
+ }
+ };
+
+ if v != serde_json::json!(fingerprint) {
+ bail!("unable to parse fingerprint '{}' - got wrong value {:?}", fingerprint, v);
}
- if name.contains('/') {
- bail!("file names may not contain slashes");
+ }
+
+ Ok(())
+}
+
+#[test]
+fn test_proxmox_user_id_schema() -> Result<(), Error> {
+
+ let schema = PROXMOX_USER_ID_SCHEMA;
+
+ let invalid_user_ids = [
+ "x", // too short
+ "xx", // too short
+ "xxx", // no realm
+ "xxx@", // no realm
+ "xx x@test", // contains space
+ "xx\nx@test", // contains control character
+ "x:xx@test", // contains collon
+ "xx/x@test", // contains slash
+ "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx@test", // too long
+ ];
+
+ for name in invalid_user_ids.iter() {
+ if let Ok(_) = parse_simple_value(name, &schema) {
+ bail!("test userid '{}' failed - got Ok() while expection an error.", name);
+ }
+ }
+
+ let valid_user_ids = [
+ "xxx@y",
+ "name@y",
+ "xxx@test-it.com",
+ "xxx@_T_E_S_T-it.com",
+ "x_x-x.x@test-it.com",
+ ];
+
+ for name in valid_user_ids.iter() {
+ let v = match parse_simple_value(name, &schema) {
+ Ok(v) => v,
+ Err(err) => {
+ bail!("unable to parse userid '{}' - {}", name, err);
+ }
+ };
+
+ if v != serde_json::json!(name) {
+ bail!("unable to parse userid '{}' - got wrong value {:?}", name, v);
}
- Ok(())
- })).into();
-
- pub static ref IP_FORMAT: Arc<ApiStringFormat> = ApiStringFormat::Pattern(&common_regex::IP_REGEX).into();
-
- pub static ref PVE_CONFIG_DIGEST_FORMAT: Arc<ApiStringFormat> =
- ApiStringFormat::Pattern(&common_regex::SHA256_HEX_REGEX).into();
-
- pub static ref PVE_CONFIG_DIGEST_SCHEMA: Arc<Schema> =
- StringSchema::new("Prevent changes if current configuration file has different SHA256 digest. This can be used to prevent concurrent modifications.")
- .format(PVE_CONFIG_DIGEST_FORMAT.clone()).into();
-
- pub static ref CHUNK_DIGEST_FORMAT: Arc<ApiStringFormat> =
- ApiStringFormat::Pattern(&common_regex::SHA256_HEX_REGEX).into();
-
- pub static ref CHUNK_DIGEST_SCHEMA: Arc<Schema> =
- StringSchema::new("Chunk digest (SHA256).")
- .format(CHUNK_DIGEST_FORMAT.clone()).into();
-
- pub static ref NODE_SCHEMA: Arc<Schema> = Arc::new(
- StringSchema::new("Node name (or 'localhost')")
- .format(
- Arc::new(ApiStringFormat::VerifyFn(|node| {
- if node == "localhost" || node == proxmox::tools::nodename() {
- Ok(())
- } else {
- bail!("no such node '{}'", node);
- }
- }))
- )
- .into()
- );
-
- pub static ref SEARCH_DOMAIN_SCHEMA: Arc<Schema> =
- StringSchema::new("Search domain for host-name lookup.").into();
-
- pub static ref FIRST_DNS_SERVER_SCHEMA: Arc<Schema> =
- StringSchema::new("First name server IP address.")
- .format(IP_FORMAT.clone()).into();
-
- pub static ref SECOND_DNS_SERVER_SCHEMA: Arc<Schema> =
- StringSchema::new("Second name server IP address.")
- .format(IP_FORMAT.clone()).into();
-
- pub static ref THIRD_DNS_SERVER_SCHEMA: Arc<Schema> =
- StringSchema::new("Third name server IP address.")
- .format(IP_FORMAT.clone()).into();
-
- pub static ref BACKUP_ARCHIVE_NAME_SCHEMA: Arc<Schema> =
- StringSchema::new("Backup archive name.")
- .format(FILENAME_FORMAT.clone()).into();
-
- pub static ref BACKUP_TYPE_SCHEMA: Arc<Schema> =
- StringSchema::new("Backup type.")
- .format(Arc::new(ApiStringFormat::Enum(&["vm", "ct", "host"])))
- .into();
-
- pub static ref BACKUP_ID_SCHEMA: Arc<Schema> =
- StringSchema::new("Backup ID.")
- .format(FILENAME_FORMAT.clone())
- .into();
-
- pub static ref BACKUP_TIME_SCHEMA: Arc<Schema> =
- IntegerSchema::new("Backup time (Unix epoch.)")
- .minimum(1_547_797_308)
- .into();
+ }
+ Ok(())
}