]> git.proxmox.com Git - proxmox-backup.git/blobdiff - src/auth_helpers.rs
projects / proxmox-backup.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
use new fsync parameter to replace_file and atomic_open_or_create
[proxmox-backup.git] / src / auth_helpers.rs
diff --git a/src/auth_helpers.rs b/src/auth_helpers.rs
index 6e2d04f820f58539e907cba195c314cc17d999e3..f15c0eab5cc947758abfdcd0a78ea897eac2c2d4 100644 (file)
--- a/src/auth_helpers.rs
+++ b/src/auth_helpers.rs
@@ -1,25 +1,25 @@
-use failure::*;
-use lazy_static::lazy_static;
+use std::path::PathBuf;
 
-use openssl::rsa::{Rsa};
-use openssl::pkey::{PKey, Public, Private};
+use anyhow::{bail, format_err, Error};
+use lazy_static::lazy_static;
+use openssl::pkey::{PKey, Private, Public};
+use openssl::rsa::Rsa;
 use openssl::sha;
 
-use std::path::PathBuf;
+use proxmox::tools::fs::{file_get_contents, replace_file, CreateOptions};
+use proxmox_lang::try_block;
 
-use proxmox::tools::{
-    try_block,
-    fs::{file_get_contents, replace_file, CreateOptions},
-};
+use pbs_buildcfg::configdir;
+use pbs_api_types::Userid;
 
 fn compute_csrf_secret_digest(
     timestamp: i64,
     secret: &[u8],
-    username: &str,
+    userid: &Userid,
 ) -> String {
 
     let mut hasher = sha::Sha256::new();
-    let data = format!("{:08X}:{}:", timestamp, username);
+    let data = format!("{:08X}:{}:", timestamp, userid);
     hasher.update(data.as_bytes());
     hasher.update(secret);
 
@@ -28,20 +28,19 @@ fn compute_csrf_secret_digest(
 
 pub fn assemble_csrf_prevention_token(
     secret: &[u8],
-    username: &str,
+    userid: &Userid,
 ) -> String {
 
-    let epoch = std::time::SystemTime::now().duration_since(
-        std::time::SystemTime::UNIX_EPOCH).unwrap().as_secs() as i64;
+    let epoch = proxmox_time::epoch_i64();
 
-    let digest = compute_csrf_secret_digest(epoch, secret, username);
+    let digest = compute_csrf_secret_digest(epoch, secret, userid);
 
     format!("{:08X}:{}", epoch, digest)
 }
 
 pub fn verify_csrf_prevention_token(
     secret: &[u8],
-    username: &str,
+    userid: &Userid,
     token: &str,
     min_age: i64,
     max_age: i64,
@@ -63,14 +62,13 @@ pub fn verify_csrf_prevention_token(
         let ttime = i64::from_str_radix(timestamp, 16).
             map_err(|err| format_err!("timestamp format error - {}", err))?;
 
-        let digest = compute_csrf_secret_digest(ttime, secret, username);
+        let digest = compute_csrf_secret_digest(ttime, secret, userid);
 
         if digest != sig {
             bail!("invalid signature.");
         }
 
-        let now = std::time::SystemTime::now().duration_since(
-            std::time::SystemTime::UNIX_EPOCH)?.as_secs() as i64;
+        let now = proxmox_time::epoch_i64();
 
         let age = now - ttime;
         if age < min_age {
@@ -97,7 +95,7 @@ pub fn generate_csrf_key() -> Result<(), Error> {
 
     use nix::sys::stat::Mode;
 
-    let (_, backup_gid) = crate::tools::getpwnam_ugid("backup")?;
+    let backup_user = pbs_config::backup_user()?;
 
     replace_file(
         &path,
@@ -105,7 +103,8 @@ pub fn generate_csrf_key() -> Result<(), Error> {
         CreateOptions::new()
             .perm(Mode::from_bits_truncate(0o0640))
             .owner(nix::unistd::ROOT)
-            .group(nix::unistd::Gid::from_raw(backup_gid)),
+            .group(backup_user.gid),
+        true,
     )?;
 
     Ok(())
@@ -127,11 +126,15 @@ pub fn generate_auth_key() -> Result<(), Error> {
     use nix::sys::stat::Mode;
 
     replace_file(
-        &priv_path, &priv_pem, CreateOptions::new().perm(Mode::from_bits_truncate(0o0600)))?;
+        &priv_path,
+        &priv_pem,
+        CreateOptions::new().perm(Mode::from_bits_truncate(0o0600)),
+        true,
+    )?;
 
     let public_pem = rsa.public_key_to_pem()?;
 
-    let (_, backup_gid) = crate::tools::getpwnam_ugid("backup")?;
+    let backup_user = pbs_config::backup_user()?;
 
     replace_file(
         &public_path,
@@ -139,7 +142,8 @@ pub fn generate_auth_key() -> Result<(), Error> {
         CreateOptions::new()
             .perm(Mode::from_bits_truncate(0o0640))
             .owner(nix::unistd::ROOT)
-            .group(nix::unistd::Gid::from_raw(backup_gid)),
+            .group(backup_user.gid),
+        true,
     )?;
 
     Ok(())
@@ -155,37 +159,35 @@ pub fn csrf_secret() -> &'static [u8] {
     &SECRET
 }
 
-fn load_private_auth_key() -> Result<PKey<Private>, Error> {
+fn load_public_auth_key() -> Result<PKey<Public>, Error> {
 
-    let pem = file_get_contents(configdir!("/authkey.key"))?;
-    let rsa = Rsa::private_key_from_pem(&pem)?;
+    let pem = file_get_contents(configdir!("/authkey.pub"))?;
+    let rsa = Rsa::public_key_from_pem(&pem)?;
     let key = PKey::from_rsa(rsa)?;
 
     Ok(key)
 }
 
-pub fn private_auth_key() -> &'static PKey<Private> {
+pub fn public_auth_key() -> &'static PKey<Public> {
 
     lazy_static! {
-        static ref KEY: PKey<Private> = load_private_auth_key().unwrap();
+        static ref KEY: PKey<Public> = load_public_auth_key().unwrap();
     }
 
     &KEY
 }
 
-fn load_public_auth_key() -> Result<PKey<Public>, Error> {
-
-    let pem = file_get_contents(configdir!("/authkey.pub"))?;
-    let rsa = Rsa::public_key_from_pem(&pem)?;
+fn load_private_auth_key() -> Result<PKey<Private>, Error> {
+    let pem = file_get_contents(configdir!("/authkey.key"))?;
+    let rsa = Rsa::private_key_from_pem(&pem)?;
     let key = PKey::from_rsa(rsa)?;
 
     Ok(key)
 }
 
-pub fn public_auth_key() -> &'static PKey<Public> {
-
+pub fn private_auth_key() -> &'static PKey<Private> {
     lazy_static! {
-        static ref KEY: PKey<Public> = load_public_auth_key().unwrap();
+        static ref KEY: PKey<Private> = load_private_auth_key().unwrap();
     }
 
     &KEY
Proxmox Backup Server and Client