[proxmox-backup.git] / pbs-config / src / user.rs

use std::collections::HashMap;
use std::sync::{Arc, RwLock};

use anyhow::{bail, Error};
use lazy_static::lazy_static;

use proxmox_schema::*;
use proxmox_section_config::{SectionConfig, SectionConfigData, SectionConfigPlugin};

use pbs_api_types::{
    Authid, Userid, ApiToken, User,
};

use crate::memcom::Memcom;

use crate::{open_backup_lockfile, replace_backup_config, BackupLockGuard};

lazy_static! {
    pub static ref CONFIG: SectionConfig = init();
}

fn init() -> SectionConfig {
    let mut config = SectionConfig::new(&Authid::API_SCHEMA);

    let user_schema = match User::API_SCHEMA {
        Schema::Object(ref user_schema) => user_schema,
        _ => unreachable!(),
    };
    let user_plugin = SectionConfigPlugin::new("user".to_string(), Some("userid".to_string()), user_schema);
    config.register_plugin(user_plugin);

    let token_schema = match ApiToken::API_SCHEMA {
        Schema::Object(ref token_schema) => token_schema,
        _ => unreachable!(),
    };
    let token_plugin = SectionConfigPlugin::new("token".to_string(), Some("tokenid".to_string()), token_schema);
    config.register_plugin(token_plugin);

    config
}

pub const USER_CFG_FILENAME: &str = "/etc/proxmox-backup/user.cfg";
pub const USER_CFG_LOCKFILE: &str = "/etc/proxmox-backup/.user.lck";

/// Get exclusive lock
pub fn lock_config() -> Result<BackupLockGuard, Error> {
    open_backup_lockfile(USER_CFG_LOCKFILE, None, true)
}

pub fn config() -> Result<(SectionConfigData, [u8;32]), Error> {

    let content = proxmox::tools::fs::file_read_optional_string(USER_CFG_FILENAME)?
        .unwrap_or_else(|| "".to_string());

    let digest = openssl::sha::sha256(content.as_bytes());
    let mut data = CONFIG.parse(USER_CFG_FILENAME, &content)?;

    if data.sections.get("root@pam").is_none() {
        let user: User = User {
            userid: Userid::root_userid().clone(),
            comment: Some("Superuser".to_string()),
            enable: None,
            expire: None,
            firstname: None,
            lastname: None,
            email: None,
        };
        data.set_data("root@pam", "user", &user).unwrap();
    }

    Ok((data, digest))
}

pub fn cached_config() -> Result<Arc<SectionConfigData>, Error> {

    struct ConfigCache {
        data: Option<Arc<SectionConfigData>>,
        last_mtime: i64,
        last_mtime_nsec: i64,
    }

    lazy_static! {
        static ref CACHED_CONFIG: RwLock<ConfigCache> = RwLock::new(
            ConfigCache { data: None, last_mtime: 0, last_mtime_nsec: 0 });
    }

    let stat = match nix::sys::stat::stat(USER_CFG_FILENAME) {
        Ok(stat) => Some(stat),
        Err(nix::Error::Sys(nix::errno::Errno::ENOENT)) => None,
        Err(err) => bail!("unable to stat '{}' - {}", USER_CFG_FILENAME, err),
    };

    { // limit scope
        let cache = CACHED_CONFIG.read().unwrap();
        if let Some(ref config) = cache.data {
            if let Some(stat) = stat {
                if stat.st_mtime == cache.last_mtime && stat.st_mtime_nsec == cache.last_mtime_nsec {
                    return Ok(config.clone());
                }
            } else if cache.last_mtime == 0 && cache.last_mtime_nsec == 0 {
                return Ok(config.clone());
            }
        }
    }

    let (config, _digest) = config()?;
    let config = Arc::new(config);

    let mut cache = CACHED_CONFIG.write().unwrap();
    if let Some(stat) = stat {
        cache.last_mtime = stat.st_mtime;
        cache.last_mtime_nsec = stat.st_mtime_nsec;
    }
    cache.data = Some(config.clone());

    Ok(config)
}

pub fn save_config(config: &SectionConfigData) -> Result<(), Error> {
    let raw = CONFIG.write(USER_CFG_FILENAME, &config)?;
    replace_backup_config(USER_CFG_FILENAME, raw.as_bytes())?;

    // increase user cache generation
    // We use this in CachedUserInfo
    let memcom = Memcom::new()?;
    memcom.increase_user_cache_generation();

    Ok(())
}

/// Only exposed for testing
#[doc(hidden)]
pub fn test_cfg_from_str(raw: &str) -> Result<(SectionConfigData, [u8;32]), Error> {
    let cfg = init();
    let parsed = cfg.parse("test_user_cfg", raw)?;

    Ok((parsed, [0;32]))
}

// shell completion helper
pub fn complete_userid(_arg: &str, _param: &HashMap<String, String>) -> Vec<String> {
    match config() {
        Ok((data, _digest)) => {
            data.sections.iter()
                .filter_map(|(id, (section_type, _))| {
                    if section_type == "user" {
                        Some(id.to_string())
                    } else {
                        None
                    }
                }).collect()
        },
        Err(_) => return vec![],
    }
}

// shell completion helper
pub fn complete_authid(_arg: &str, _param: &HashMap<String, String>) -> Vec<String> {
    match config() {
        Ok((data, _digest)) => data.sections.iter().map(|(id, _)| id.to_string()).collect(),
        Err(_) => vec![],
    }
}

// shell completion helper
pub fn complete_token_name(_arg: &str, param: &HashMap<String, String>) -> Vec<String> {
    let data = match config() {
        Ok((data, _digest)) => data,
        Err(_) => return Vec::new(),
    };

    match param.get("userid") {
        Some(userid) => {
            let user = data.lookup::<User>("user", userid);
            let tokens = data.convert_to_typed_array("token");
            match (user, tokens) {
                (Ok(_), Ok(tokens)) => {
                    tokens
                        .into_iter()
                        .filter_map(|token: ApiToken| {
                            let tokenid = token.tokenid;
                            if tokenid.is_token() && tokenid.user() == userid {
                                Some(tokenid.tokenname().unwrap().as_str().to_string())
                            } else {
                                None
                            }
                        }).collect()
                },
                _ => vec![],
            }
        },
        None => vec![],
    }
}
Commit	Line	Data
68ccdf09 DM	1	use std::collections::HashMap;
	2	use std::sync::{Arc, RwLock};
	3
f7d4e4b5	4	use anyhow::{bail, Error};
579728c6	5	use lazy_static::lazy_static;
579728c6	6
6ef1b649 WB	7	use proxmox_schema::*;
6ef1b649 WB	8	use proxmox_section_config::{SectionConfig, SectionConfigData, SectionConfigPlugin};
579728c6	9
b65dfff5 DM	10	use pbs_api_types::{
b65dfff5 DM	11	Authid, Userid, ApiToken, User,
2b7f8dd5 WB	12	};
2b7f8dd5 WB	13
ba3d7e19 DM	14	use crate::memcom::Memcom;
	15
	16	use crate::{open_backup_lockfile, replace_backup_config, BackupLockGuard};
579728c6 DM	17
579728c6 DM	18	lazy_static! {
2322a980	19	pub static ref CONFIG: SectionConfig = init();
579728c6 DM	20	}
579728c6 DM	21
579728c6	22	fn init() -> SectionConfig {
e6dc35ac FG	23	let mut config = SectionConfig::new(&Authid::API_SCHEMA);
	24
	25	let user_schema = match User::API_SCHEMA {
	26	Schema::Object(ref user_schema) => user_schema,
579728c6 DM	27	_ => unreachable!(),
579728c6 DM	28	};
e6dc35ac FG	29	let user_plugin = SectionConfigPlugin::new("user".to_string(), Some("userid".to_string()), user_schema);
e6dc35ac FG	30	config.register_plugin(user_plugin);
579728c6	31
e6dc35ac FG	32	let token_schema = match ApiToken::API_SCHEMA {
	33	Schema::Object(ref token_schema) => token_schema,
	34	_ => unreachable!(),
	35	};
	36	let token_plugin = SectionConfigPlugin::new("token".to_string(), Some("tokenid".to_string()), token_schema);
	37	config.register_plugin(token_plugin);
579728c6 DM	38
	39	config
	40	}
	41
	42	pub const USER_CFG_FILENAME: &str = "/etc/proxmox-backup/user.cfg";
	43	pub const USER_CFG_LOCKFILE: &str = "/etc/proxmox-backup/.user.lck";
	44
b65dfff5 DM	45	/// Get exclusive lock
	46	pub fn lock_config() -> Result<BackupLockGuard, Error> {
	47	open_backup_lockfile(USER_CFG_LOCKFILE, None, true)
	48	}
	49
579728c6	50	pub fn config() -> Result<(SectionConfigData, [u8;32]), Error> {
3eeba687	51
e062ebbc FG	52	let content = proxmox::tools::fs::file_read_optional_string(USER_CFG_FILENAME)?
e062ebbc FG	53	.unwrap_or_else(\|\| "".to_string());
579728c6 DM	54
	55	let digest = openssl::sha::sha256(content.as_bytes());
	56	let mut data = CONFIG.parse(USER_CFG_FILENAME, &content)?;
	57
	58	if data.sections.get("root@pam").is_none() {
9c5c383b	59	let user: User = User {
e7cb4dc5	60	userid: Userid::root_userid().clone(),
9c5c383b DC	61	comment: Some("Superuser".to_string()),
	62	enable: None,
	63	expire: None,
	64	firstname: None,
	65	lastname: None,
	66	email: None,
	67	};
579728c6 DM	68	data.set_data("root@pam", "user", &user).unwrap();
	69	}
	70
	71	Ok((data, digest))
	72	}
	73
109d7817	74	pub fn cached_config() -> Result<Arc<SectionConfigData>, Error> {
68ccdf09 DM	75
68ccdf09 DM	76	struct ConfigCache {
109d7817	77	data: Option<Arc<SectionConfigData>>,
68ccdf09 DM	78	last_mtime: i64,
	79	last_mtime_nsec: i64,
	80	}
	81
	82	lazy_static! {
	83	static ref CACHED_CONFIG: RwLock<ConfigCache> = RwLock::new(
	84	ConfigCache { data: None, last_mtime: 0, last_mtime_nsec: 0 });
	85	}
	86
b9f2f761 DM	87	let stat = match nix::sys::stat::stat(USER_CFG_FILENAME) {
	88	Ok(stat) => Some(stat),
	89	Err(nix::Error::Sys(nix::errno::Errno::ENOENT)) => None,
	90	Err(err) => bail!("unable to stat '{}' - {}", USER_CFG_FILENAME, err),
	91	};
68ccdf09	92
bd88dc41	93	{ // limit scope
68ccdf09	94	let cache = CACHED_CONFIG.read().unwrap();
bd88dc41 DM	95	if let Some(ref config) = cache.data {
	96	if let Some(stat) = stat {
	97	if stat.st_mtime == cache.last_mtime && stat.st_mtime_nsec == cache.last_mtime_nsec {
	98	return Ok(config.clone());
	99	}
	100	} else if cache.last_mtime == 0 && cache.last_mtime_nsec == 0 {
109d7817	101	return Ok(config.clone());
68ccdf09 DM	102	}
	103	}
	104	}
	105
109d7817	106	let (config, _digest) = config()?;
68ccdf09 DM	107	let config = Arc::new(config);
	108
	109	let mut cache = CACHED_CONFIG.write().unwrap();
b9f2f761 DM	110	if let Some(stat) = stat {
	111	cache.last_mtime = stat.st_mtime;
	112	cache.last_mtime_nsec = stat.st_mtime_nsec;
	113	}
109d7817	114	cache.data = Some(config.clone());
68ccdf09	115
109d7817	116	Ok(config)
68ccdf09 DM	117	}
68ccdf09 DM	118
579728c6 DM	119	pub fn save_config(config: &SectionConfigData) -> Result<(), Error> {
579728c6 DM	120	let raw = CONFIG.write(USER_CFG_FILENAME, &config)?;
b65dfff5	121	replace_backup_config(USER_CFG_FILENAME, raw.as_bytes())?;
579728c6	122
fda19dcc DM	123	// increase user cache generation
	124	// We use this in CachedUserInfo
	125	let memcom = Memcom::new()?;
	126	memcom.increase_user_cache_generation();
	127
579728c6 DM	128	Ok(())
	129	}
	130
ba3d7e19 DM	131	/// Only exposed for testing
	132	#[doc(hidden)]
	133	pub fn test_cfg_from_str(raw: &str) -> Result<(SectionConfigData, [u8;32]), Error> {
18077ac6 FG	134	let cfg = init();
	135	let parsed = cfg.parse("test_user_cfg", raw)?;
	136
	137	Ok((parsed, [0;32]))
	138	}
	139
579728c6	140	// shell completion helper
e6dc35ac	141	pub fn complete_userid(_arg: &str, _param: &HashMap<String, String>) -> Vec<String> {
579728c6	142	match config() {
e6dc35ac FG	143	Ok((data, _digest)) => {
	144	data.sections.iter()
	145	.filter_map(\|(id, (section_type, _))\| {
	146	if section_type == "user" {
	147	Some(id.to_string())
	148	} else {
	149	None
	150	}
	151	}).collect()
	152	},
579728c6 DM	153	Err(_) => return vec![],
	154	}
	155	}
e6dc35ac FG	156
	157	// shell completion helper
	158	pub fn complete_authid(_arg: &str, _param: &HashMap<String, String>) -> Vec<String> {
	159	match config() {
	160	Ok((data, _digest)) => data.sections.iter().map(\|(id, _)\| id.to_string()).collect(),
	161	Err(_) => vec![],
	162	}
	163	}
2156dec5 FG	164
	165	// shell completion helper
	166	pub fn complete_token_name(_arg: &str, param: &HashMap<String, String>) -> Vec<String> {
	167	let data = match config() {
	168	Ok((data, _digest)) => data,
	169	Err(_) => return Vec::new(),
	170	};
	171
	172	match param.get("userid") {
	173	Some(userid) => {
	174	let user = data.lookup::<User>("user", userid);
	175	let tokens = data.convert_to_typed_array("token");
	176	match (user, tokens) {
	177	(Ok(_), Ok(tokens)) => {
	178	tokens
	179	.into_iter()
	180	.filter_map(\|token: ApiToken\| {
	181	let tokenid = token.tokenid;
	182	if tokenid.is_token() && tokenid.user() == userid {
	183	Some(tokenid.tokenname().unwrap().as_str().to_string())
	184	} else {
	185	None
	186	}
	187	}).collect()
	188	},
	189	_ => vec![],
	190	}
	191	},
	192	None => vec![],
	193	}
	194	}