-use failure::*;
-use lazy_static::lazy_static;
+use std::path::PathBuf;
-use openssl::rsa::{Rsa};
-use openssl::pkey::{PKey, Public, Private};
+use anyhow::{bail, format_err, Error};
+use lazy_static::lazy_static;
+use openssl::pkey::{PKey, Private, Public};
+use openssl::rsa::Rsa;
use openssl::sha;
-use std::path::PathBuf;
+use proxmox_sys::fs::{file_get_contents, replace_file, CreateOptions};
+use proxmox_lang::try_block;
-use proxmox::tools::{
- try_block,
- fs::{file_get_contents, file_set_contents, file_set_contents_full},
-};
+use pbs_buildcfg::configdir;
+use pbs_api_types::Userid;
fn compute_csrf_secret_digest(
timestamp: i64,
secret: &[u8],
- username: &str,
+ userid: &Userid,
) -> String {
let mut hasher = sha::Sha256::new();
- let data = format!("{:08X}:{}:", timestamp, username);
+ let data = format!("{:08X}:{}:", timestamp, userid);
hasher.update(data.as_bytes());
hasher.update(secret);
pub fn assemble_csrf_prevention_token(
secret: &[u8],
- username: &str,
+ userid: &Userid,
) -> String {
- let epoch = std::time::SystemTime::now().duration_since(
- std::time::SystemTime::UNIX_EPOCH).unwrap().as_secs() as i64;
+ let epoch = proxmox_time::epoch_i64();
- let digest = compute_csrf_secret_digest(epoch, secret, username);
+ let digest = compute_csrf_secret_digest(epoch, secret, userid);
format!("{:08X}:{}", epoch, digest)
}
pub fn verify_csrf_prevention_token(
secret: &[u8],
- username: &str,
+ userid: &Userid,
token: &str,
min_age: i64,
max_age: i64,
let ttime = i64::from_str_radix(timestamp, 16).
map_err(|err| format_err!("timestamp format error - {}", err))?;
- let digest = compute_csrf_secret_digest(ttime, secret, username);
+ let digest = compute_csrf_secret_digest(ttime, secret, userid);
if digest != sig {
bail!("invalid signature.");
}
- let now = std::time::SystemTime::now().duration_since(
- std::time::SystemTime::UNIX_EPOCH)?.as_secs() as i64;
+ let now = proxmox_time::epoch_i64();
let age = now - ttime;
if age < min_age {
use nix::sys::stat::Mode;
- let (_, backup_gid) = crate::tools::getpwnam_ugid("backup")?;
- let uid = Some(nix::unistd::ROOT);
- let gid = Some(nix::unistd::Gid::from_raw(backup_gid));
+ let backup_user = pbs_config::backup_user()?;
- file_set_contents_full(
- &path, &pem, Some(Mode::from_bits_truncate(0o0640)), uid, gid)?;
+ replace_file(
+ &path,
+ &pem,
+ CreateOptions::new()
+ .perm(Mode::from_bits_truncate(0o0640))
+ .owner(nix::unistd::ROOT)
+ .group(backup_user.gid),
+ true,
+ )?;
Ok(())
}
use nix::sys::stat::Mode;
- file_set_contents(
- &priv_path, &priv_pem, Some(Mode::from_bits_truncate(0o0600)))?;
-
+ replace_file(
+ &priv_path,
+ &priv_pem,
+ CreateOptions::new().perm(Mode::from_bits_truncate(0o0600)),
+ true,
+ )?;
let public_pem = rsa.public_key_to_pem()?;
- file_set_contents(&public_path, &public_pem, None)?;
+ let backup_user = pbs_config::backup_user()?;
+
+ replace_file(
+ &public_path,
+ &public_pem,
+ CreateOptions::new()
+ .perm(Mode::from_bits_truncate(0o0640))
+ .owner(nix::unistd::ROOT)
+ .group(backup_user.gid),
+ true,
+ )?;
Ok(())
}
&SECRET
}
-fn load_private_auth_key() -> Result<PKey<Private>, Error> {
+fn load_public_auth_key() -> Result<PKey<Public>, Error> {
- let pem = file_get_contents(configdir!("/authkey.key"))?;
- let rsa = Rsa::private_key_from_pem(&pem)?;
+ let pem = file_get_contents(configdir!("/authkey.pub"))?;
+ let rsa = Rsa::public_key_from_pem(&pem)?;
let key = PKey::from_rsa(rsa)?;
Ok(key)
}
-pub fn private_auth_key() -> &'static PKey<Private> {
+pub fn public_auth_key() -> &'static PKey<Public> {
lazy_static! {
- static ref KEY: PKey<Private> = load_private_auth_key().unwrap();
+ static ref KEY: PKey<Public> = load_public_auth_key().unwrap();
}
&KEY
}
-fn load_public_auth_key() -> Result<PKey<Public>, Error> {
-
- let pem = file_get_contents(configdir!("/authkey.pub"))?;
- let rsa = Rsa::public_key_from_pem(&pem)?;
+fn load_private_auth_key() -> Result<PKey<Private>, Error> {
+ let pem = file_get_contents(configdir!("/authkey.key"))?;
+ let rsa = Rsa::private_key_from_pem(&pem)?;
let key = PKey::from_rsa(rsa)?;
Ok(key)
}
-pub fn public_auth_key() -> &'static PKey<Public> {
-
+pub fn private_auth_key() -> &'static PKey<Private> {
lazy_static! {
- static ref KEY: PKey<Public> = load_public_auth_key().unwrap();
+ static ref KEY: PKey<Private> = load_private_auth_key().unwrap();
}
&KEY