[proxmox-backup.git] / src / api2 / access.rs

use failure::*;

use serde_json::{json, Value};

use proxmox::{sortable, identity};

use crate::tools;
use crate::api_schema::*;
use crate::api_schema::router::*;
use crate::tools::ticket::*;
use crate::auth_helpers::*;


fn authenticate_user(username: &str, password: &str) -> Result<(), Error> {

    let ticket_lifetime = tools::ticket::TICKET_LIFETIME;

    if password.starts_with("PBS:") {
        if let Ok((_age, Some(ticket_username))) = tools::ticket::verify_rsa_ticket(public_auth_key(), "PBS", password, None, -300, ticket_lifetime) {
            if ticket_username == username {
                return Ok(());
            } else {
                bail!("ticket login failed - wrong username");
            }
        }
    }

    if username == "root@pam" {
        let mut auth = pam::Authenticator::with_password("proxmox-backup-auth").unwrap();
        auth.get_handler().set_credentials("root", password);
        auth.authenticate()?;
        return Ok(());
    }

    bail!("inavlid credentials");
}

fn create_ticket(
    param: Value,
    _info: &ApiMethod,
    _rpcenv: &mut dyn RpcEnvironment,
) -> Result<Value, Error> {

    let username = tools::required_string_param(&param, "username")?;
    let password = tools::required_string_param(&param, "password")?;

    match authenticate_user(username, password) {
        Ok(_) => {

            let ticket = assemble_rsa_ticket( private_auth_key(), "PBS", Some(username), None)?;

            let token = assemble_csrf_prevention_token(csrf_secret(), username);

            log::info!("successful auth for user '{}'", username);

            Ok(json!({
                "username": username,
                "ticket": ticket,
                "CSRFPreventionToken": token,
            }))
        }
        Err(err) => {
	    let client_ip = "unknown"; // $rpcenv->get_client_ip() || '';
            log::error!("authentication failure; rhost={} user={} msg={}", client_ip, username, err.to_string());
            Err(http_err!(UNAUTHORIZED, "permission check failed.".into()))
        }
    }
}

#[sortable]
const SUBDIRS: SubdirMap = &[
    (
        "ticket", &Router::new()
            .post(
                &ApiMethod::new(
                    &ApiHandler::Sync(&create_ticket),
                    &ObjectSchema::new(
                        "Create or verify authentication ticket.",
                        &sorted!([
                            (
                                "username",
                                false,
                                &StringSchema::new("User name.")
                                    .max_length(64)
                                    .schema()
                            ),
                            (
                                "password",
                                false,
                                &StringSchema::new("The secret password. This can also be a valid ticket.")
                                    .schema()
                            ),
                        ]),
                    )
                ).returns(
                    &ObjectSchema::new(
                        "Returns authentication ticket with additional infos.",
                        &sorted!([
                            (
                                "username",
                                false,
                                &StringSchema::new("User name.").schema()
                            ),
                            (
                                "ticket",
                                false,
                                &StringSchema::new("Auth ticket.").schema()
                            ),
                            (
                                "CSRFPreventionToken",
                                false,
                                &StringSchema::new("Cross Site Request Forgery Prevention Token.")
                                    .schema()
                            ),
                        ]),
                    ).schema()
                ).protected(true)
            )
    )
];

pub const ROUTER: Router = Router::new()
    .get(&list_subdirs_api_method!(SUBDIRS))
    .subdirs(SUBDIRS);
Commit	Line	Data
34f956bc DM	1	use failure::*;
34f956bc DM	2
552c2259 DM	3	use serde_json::{json, Value};
	4
	5	use proxmox::{sortable, identity};
	6
34f956bc	7	use crate::tools;
ef2f2efb	8	use crate::api_schema::*;
dc9a007b	9	use crate::api_schema::router::*;
34f956bc DM	10	use crate::tools::ticket::*;
	11	use crate::auth_helpers::*;
	12
34f956bc DM	13
	14	fn authenticate_user(username: &str, password: &str) -> Result<(), Error> {
	15
f8f94534 DM	16	let ticket_lifetime = tools::ticket::TICKET_LIFETIME;
	17
	18	if password.starts_with("PBS:") {
	19	if let Ok((_age, Some(ticket_username))) = tools::ticket::verify_rsa_ticket(public_auth_key(), "PBS", password, None, -300, ticket_lifetime) {
	20	if ticket_username == username {
	21	return Ok(());
	22	} else {
	23	bail!("ticket login failed - wrong username");
	24	}
	25	}
	26	}
	27
c82bc1a1	28	if username == "root@pam" {
1d77b6cf WB	29	let mut auth = pam::Authenticator::with_password("proxmox-backup-auth").unwrap();
1d77b6cf WB	30	auth.get_handler().set_credentials("root", password);
c82bc1a1	31	auth.authenticate()?;
34f956bc DM	32	return Ok(());
	33	}
	34
	35	bail!("inavlid credentials");
	36	}
	37
	38	fn create_ticket(
	39	param: Value,
	40	_info: &ApiMethod,
dd5495d6	41	_rpcenv: &mut dyn RpcEnvironment,
34f956bc DM	42	) -> Result<Value, Error> {
	43
	44	let username = tools::required_string_param(&param, "username")?;
	45	let password = tools::required_string_param(&param, "password")?;
	46
	47	match authenticate_user(username, password) {
	48	Ok(_) => {
	49
b9903d63	50	let ticket = assemble_rsa_ticket( private_auth_key(), "PBS", Some(username), None)?;
34f956bc DM	51
	52	let token = assemble_csrf_prevention_token(csrf_secret(), username);
	53
	54	log::info!("successful auth for user '{}'", username);
	55
62ee2eb4	56	Ok(json!({
34f956bc DM	57	"username": username,
	58	"ticket": ticket,
	59	"CSRFPreventionToken": token,
62ee2eb4	60	}))
34f956bc DM	61	}
	62	Err(err) => {
	63	let client_ip = "unknown"; // $rpcenv->get_client_ip() \|\| '';
	64	log::error!("authentication failure; rhost={} user={} msg={}", client_ip, username, err.to_string());
62ee2eb4	65	Err(http_err!(UNAUTHORIZED, "permission check failed.".into()))
34f956bc DM	66	}
	67	}
	68	}
	69
552c2259	70	#[sortable]
255f378a DM	71	const SUBDIRS: SubdirMap = &[
	72	(
	73	"ticket", &Router::new()
	74	.post(
	75	&ApiMethod::new(
	76	&ApiHandler::Sync(&create_ticket),
	77	&ObjectSchema::new(
	78	"Create or verify authentication ticket.",
552c2259	79	&sorted!([
255f378a	80	(
34f956bc	81	"username",
255f378a DM	82	false,
255f378a DM	83	&StringSchema::new("User name.")
34f956bc	84	.max_length(64)
255f378a DM	85	.schema()
	86	),
	87	(
34f956bc	88	"password",
255f378a DM	89	false,
	90	&StringSchema::new("The secret password. This can also be a valid ticket.")
	91	.schema()
	92	),
552c2259	93	]),
255f378a DM	94	)
	95	).returns(
	96	&ObjectSchema::new(
	97	"Returns authentication ticket with additional infos.",
552c2259	98	&sorted!([
255f378a DM	99	(
	100	"username",
	101	false,
	102	&StringSchema::new("User name.").schema()
	103	),
	104	(
	105	"ticket",
	106	false,
	107	&StringSchema::new("Auth ticket.").schema()
	108	),
	109	(
	110	"CSRFPreventionToken",
	111	false,
	112	&StringSchema::new("Cross Site Request Forgery Prevention Token.")
	113	.schema()
	114	),
552c2259	115	]),
255f378a DM	116	).schema()
	117	).protected(true)
	118	)
	119	)
	120	];
	121
	122	pub const ROUTER: Router = Router::new()
	123	.get(&list_subdirs_api_method!(SUBDIRS))
	124	.subdirs(SUBDIRS);