[proxmox-backup.git] / src / auth.rs

//! Proxmox Backup Server Authentication
//!
//! This library contains helper to authenticate users.

use std::net::IpAddr;
use std::path::PathBuf;
use std::pin::Pin;

use anyhow::{bail, Error};
use futures::Future;
use once_cell::sync::{Lazy, OnceCell};
use proxmox_router::http_bail;
use serde_json::json;

use proxmox_auth_api::api::{Authenticator, LockedTfaConfig};
use proxmox_auth_api::ticket::{Empty, Ticket};
use proxmox_auth_api::types::Authid;
use proxmox_auth_api::Keyring;
use proxmox_ldap::{Config, Connection, ConnectionMode};
use proxmox_tfa::api::{OpenUserChallengeData, TfaConfig};

use pbs_api_types::{LdapMode, LdapRealmConfig, OpenIdRealmConfig, RealmRef, Userid, UsernameRef};
use pbs_buildcfg::configdir;

use crate::auth_helpers;

pub const TERM_PREFIX: &str = "PBSTERM";

struct PbsAuthenticator;

const SHADOW_CONFIG_FILENAME: &str = configdir!("/shadow.json");

impl Authenticator for PbsAuthenticator {
    fn authenticate_user<'a>(
        &self,
        username: &'a UsernameRef,
        password: &'a str,
        _client_ip: Option<&'a IpAddr>,
    ) -> Pin<Box<dyn Future<Output = Result<(), Error>> + Send + 'a>> {
        Box::pin(async move {
            let data = proxmox_sys::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;
            match data[username.as_str()].as_str() {
                None => bail!("no password set"),
                Some(enc_password) => proxmox_sys::crypt::verify_crypt_pw(password, enc_password)?,
            }
            Ok(())
        })
    }

    fn store_password(
        &self,
        username: &UsernameRef,
        password: &str,
        _client_ip: Option<&IpAddr>,
    ) -> Result<(), Error> {
        let enc_password = proxmox_sys::crypt::encrypt_pw(password)?;
        let mut data = proxmox_sys::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;
        data[username.as_str()] = enc_password.into();

        let mode = nix::sys::stat::Mode::from_bits_truncate(0o0600);
        let options = proxmox_sys::fs::CreateOptions::new()
            .perm(mode)
            .owner(nix::unistd::ROOT)
            .group(nix::unistd::Gid::from_raw(0));

        let data = serde_json::to_vec_pretty(&data)?;
        proxmox_sys::fs::replace_file(SHADOW_CONFIG_FILENAME, &data, options, true)?;

        Ok(())
    }

    fn remove_password(&self, username: &UsernameRef) -> Result<(), Error> {
        let mut data = proxmox_sys::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;
        if let Some(map) = data.as_object_mut() {
            map.remove(username.as_str());
        }

        let mode = nix::sys::stat::Mode::from_bits_truncate(0o0600);
        let options = proxmox_sys::fs::CreateOptions::new()
            .perm(mode)
            .owner(nix::unistd::ROOT)
            .group(nix::unistd::Gid::from_raw(0));

        let data = serde_json::to_vec_pretty(&data)?;
        proxmox_sys::fs::replace_file(SHADOW_CONFIG_FILENAME, &data, options, true)?;

        Ok(())
    }
}

struct OpenIdAuthenticator();
/// When a user is manually added, the lookup_authenticator is called to verify that
/// the realm exists. Thus, it is necessary to have an (empty) implementation for
/// OpendID as well.
impl Authenticator for OpenIdAuthenticator {
    fn authenticate_user<'a>(
        &'a self,
        _username: &'a UsernameRef,
        _password: &'a str,
        _client_ip: Option<&'a IpAddr>,
    ) -> Pin<Box<dyn Future<Output = Result<(), Error>> + Send + 'a>> {
        Box::pin(async move {
            http_bail!(
                NOT_IMPLEMENTED,
                "password authentication is not implemented for OpenID realms"
            );
        })
    }

    fn store_password(
        &self,
        _username: &UsernameRef,
        _password: &str,
        _client_ip: Option<&IpAddr>,
    ) -> Result<(), Error> {
        http_bail!(
            NOT_IMPLEMENTED,
            "storing passwords is not implemented for OpenID realms"
        );
    }

    fn remove_password(&self, _username: &UsernameRef) -> Result<(), Error> {
        http_bail!(
            NOT_IMPLEMENTED,
            "storing passwords is not implemented for OpenID realms"
        );
    }
}

#[allow(clippy::upper_case_acronyms)]
pub struct LdapAuthenticator {
    config: LdapRealmConfig,
}

impl Authenticator for LdapAuthenticator {
    /// Authenticate user in LDAP realm
    fn authenticate_user<'a>(
        &'a self,
        username: &'a UsernameRef,
        password: &'a str,
        _client_ip: Option<&'a IpAddr>,
    ) -> Pin<Box<dyn Future<Output = Result<(), Error>> + Send + 'a>> {
        Box::pin(async move {
            let ldap_config = Self::api_type_to_config(&self.config)?;
            let ldap = Connection::new(ldap_config);
            ldap.authenticate_user(username.as_str(), password).await?;
            Ok(())
        })
    }

    fn store_password(
        &self,
        _username: &UsernameRef,
        _password: &str,
        _client_ip: Option<&IpAddr>,
    ) -> Result<(), Error> {
        http_bail!(
            NOT_IMPLEMENTED,
            "storing passwords is not implemented for LDAP realms"
        );
    }

    fn remove_password(&self, _username: &UsernameRef) -> Result<(), Error> {
        http_bail!(
            NOT_IMPLEMENTED,
            "removing passwords is not implemented for LDAP realms"
        );
    }
}

impl LdapAuthenticator {
    pub fn api_type_to_config(config: &LdapRealmConfig) -> Result<Config, Error> {
        Self::api_type_to_config_with_password(
            config,
            auth_helpers::get_ldap_bind_password(&config.realm)?,
        )
    }

    pub fn api_type_to_config_with_password(
        config: &LdapRealmConfig,
        password: Option<String>,
    ) -> Result<Config, Error> {
        let mut servers = vec![config.server1.clone()];
        if let Some(server) = &config.server2 {
            servers.push(server.clone());
        }

        let (ca_store, trusted_cert) = lookup_ca_store_or_cert_path(config.capath.as_deref());

        Ok(Config {
            servers,
            port: config.port,
            user_attr: config.user_attr.clone(),
            base_dn: config.base_dn.clone(),
            bind_dn: config.bind_dn.clone(),
            bind_password: password,
            tls_mode: ldap_to_conn_mode(config.mode.unwrap_or_default()),
            verify_certificate: config.verify.unwrap_or_default(),
            additional_trusted_certificates: trusted_cert,
            certificate_store_path: ca_store,
        })
    }
}

fn ldap_to_conn_mode(mode: LdapMode) -> ConnectionMode {
    match mode {
        LdapMode::Ldap => ConnectionMode::Ldap,
        LdapMode::StartTls => ConnectionMode::StartTls,
        LdapMode::Ldaps => ConnectionMode::Ldaps,
    }
}

fn lookup_ca_store_or_cert_path(capath: Option<&str>) -> (Option<PathBuf>, Option<Vec<PathBuf>>) {
    if let Some(capath) = capath {
        let path = PathBuf::from(capath);
        if path.is_dir() {
            (Some(path), None)
        } else {
            (None, Some(vec![path]))
        }
    } else {
        (None, None)
    }
}

/// Lookup the authenticator for the specified realm
pub(crate) fn lookup_authenticator(
    realm: &RealmRef,
) -> Result<Box<dyn Authenticator + Send + Sync>, Error> {
    match realm.as_str() {
        "pam" => Ok(Box::new(proxmox_auth_api::Pam::new("proxmox-backup-auth"))),
        "pbs" => Ok(Box::new(PbsAuthenticator)),
        realm => {
            let (domains, _digest) = pbs_config::domains::config()?;
            if let Ok(config) = domains.lookup::<LdapRealmConfig>("ldap", realm) {
                Ok(Box::new(LdapAuthenticator { config }))
            } else if domains.lookup::<OpenIdRealmConfig>("openid", realm).is_ok() {
                Ok(Box::new(OpenIdAuthenticator()))
            } else {
                bail!("unknown realm '{}'", realm);
            }
        }
    }
}

/// Authenticate users
pub(crate) fn authenticate_user<'a>(
    userid: &'a Userid,
    password: &'a str,
    client_ip: Option<&'a IpAddr>,
) -> Pin<Box<dyn Future<Output = Result<(), Error>> + Send + 'a>> {
    Box::pin(async move {
        lookup_authenticator(userid.realm())?
            .authenticate_user(userid.name(), password, client_ip)
            .await?;
        Ok(())
    })
}

static PRIVATE_KEYRING: Lazy<Keyring> =
    Lazy::new(|| Keyring::with_private_key(crate::auth_helpers::private_auth_key().clone().into()));
static PUBLIC_KEYRING: Lazy<Keyring> =
    Lazy::new(|| Keyring::with_public_key(crate::auth_helpers::public_auth_key().clone().into()));
static AUTH_CONTEXT: OnceCell<PbsAuthContext> = OnceCell::new();

pub fn setup_auth_context(use_private_key: bool) {
    let keyring = if use_private_key {
        &*PRIVATE_KEYRING
    } else {
        &*PUBLIC_KEYRING
    };

    AUTH_CONTEXT
        .set(PbsAuthContext {
            keyring,
            csrf_secret: crate::auth_helpers::csrf_secret().to_vec(),
        })
        .map_err(drop)
        .expect("auth context setup twice");

    proxmox_auth_api::set_auth_context(AUTH_CONTEXT.get().unwrap());
}

pub(crate) fn private_auth_keyring() -> &'static Keyring {
    &PRIVATE_KEYRING
}

pub(crate) fn public_auth_keyring() -> &'static Keyring {
    &PUBLIC_KEYRING
}

struct PbsAuthContext {
    keyring: &'static Keyring,
    csrf_secret: Vec<u8>,
}

impl proxmox_auth_api::api::AuthContext for PbsAuthContext {
    fn lookup_realm(&self, realm: &RealmRef) -> Option<Box<dyn Authenticator + Send + Sync>> {
        lookup_authenticator(realm).ok()
    }

    /// Get the current authentication keyring.
    fn keyring(&self) -> &Keyring {
        self.keyring
    }

    /// The auth prefix without the separating colon. Eg. `"PBS"`.
    fn auth_prefix(&self) -> &'static str {
        "PBS"
    }

    /// API token prefix (without the `'='`).
    fn auth_token_prefix(&self) -> &'static str {
        "PBSAPIToken"
    }

    /// Auth cookie name.
    fn auth_cookie_name(&self) -> &'static str {
        "PBSAuthCookie"
    }

    /// Check if a userid is enabled and return a [`UserInformation`] handle.
    fn auth_id_is_active(&self, auth_id: &Authid) -> Result<bool, Error> {
        Ok(pbs_config::CachedUserInfo::new()?.is_active_auth_id(auth_id))
    }

    /// Access the TFA config with an exclusive lock.
    fn tfa_config_write_lock(&self) -> Result<Box<dyn LockedTfaConfig>, Error> {
        Ok(Box::new(PbsLockedTfaConfig {
            _lock: crate::config::tfa::read_lock()?,
            config: crate::config::tfa::read()?,
        }))
    }

    /// CSRF prevention token secret data.
    fn csrf_secret(&self) -> &[u8] {
        &self.csrf_secret
    }

    /// Verify a token secret.
    fn verify_token_secret(&self, token_id: &Authid, token_secret: &str) -> Result<(), Error> {
        pbs_config::token_shadow::verify_secret(token_id, token_secret)
    }

    /// Check path based tickets. (Used for terminal tickets).
    fn check_path_ticket(
        &self,
        userid: &Userid,
        password: &str,
        path: String,
        privs: String,
        port: u16,
    ) -> Result<Option<bool>, Error> {
        if !password.starts_with("PBSTERM:") {
            return Ok(None);
        }

        if let Ok(Empty) = Ticket::parse(password).and_then(|ticket| {
            ticket.verify(
                self.keyring,
                TERM_PREFIX,
                Some(&crate::tools::ticket::term_aad(userid, &path, port)),
            )
        }) {
            let user_info = pbs_config::CachedUserInfo::new()?;
            let auth_id = Authid::from(userid.clone());
            for (name, privilege) in pbs_api_types::PRIVILEGES {
                if *name == privs {
                    let mut path_vec = Vec::new();
                    for part in path.split('/') {
                        if !part.is_empty() {
                            path_vec.push(part);
                        }
                    }
                    user_info.check_privs(&auth_id, &path_vec, *privilege, false)?;
                    return Ok(Some(true));
                }
            }
        }

        Ok(Some(false))
    }
}

struct PbsLockedTfaConfig {
    _lock: pbs_config::BackupLockGuard,
    config: TfaConfig,
}

static USER_ACCESS: crate::config::tfa::UserAccess = crate::config::tfa::UserAccess;

impl LockedTfaConfig for PbsLockedTfaConfig {
    fn config_mut(&mut self) -> (&dyn OpenUserChallengeData, &mut TfaConfig) {
        (&USER_ACCESS, &mut self.config)
    }

    fn save_config(&mut self) -> Result<(), Error> {
        crate::config::tfa::write(&self.config)
    }
}
Commit	Line	Data
7d817b03 DM	1	//! Proxmox Backup Server Authentication
	2	//!
	3	//! This library contains helper to authenticate users.
	4
177ee20b	5	use std::net::IpAddr;
19dfcfd8 LW	6	use std::path::PathBuf;
19dfcfd8 LW	7	use std::pin::Pin;
7d817b03	8
d97ff8ae	9	use anyhow::{bail, Error};
19dfcfd8	10	use futures::Future;
569324cb	11	use once_cell::sync::{Lazy, OnceCell};
19dfcfd8	12	use proxmox_router::http_bail;
7d817b03 DM	13	use serde_json::json;
7d817b03 DM	14
d97ff8ae WB	15	use proxmox_auth_api::api::{Authenticator, LockedTfaConfig};
	16	use proxmox_auth_api::ticket::{Empty, Ticket};
	17	use proxmox_auth_api::types::Authid;
	18	use proxmox_auth_api::Keyring;
	19	use proxmox_ldap::{Config, Connection, ConnectionMode};
	20	use proxmox_tfa::api::{OpenUserChallengeData, TfaConfig};
	21
7c418952	22	use pbs_api_types::{LdapMode, LdapRealmConfig, OpenIdRealmConfig, RealmRef, Userid, UsernameRef};
af06decd	23	use pbs_buildcfg::configdir;
e7cb4dc5	24
19dfcfd8	25	use crate::auth_helpers;
19dfcfd8	26
d97ff8ae	27	pub const TERM_PREFIX: &str = "PBSTERM";
7d817b03	28
d97ff8ae	29	struct PbsAuthenticator;
7d817b03	30
e7cb4dc5	31	const SHADOW_CONFIG_FILENAME: &str = configdir!("/shadow.json");
7d817b03	32
d97ff8ae	33	impl Authenticator for PbsAuthenticator {
19dfcfd8 LW	34	fn authenticate_user<'a>(
	35	&self,
	36	username: &'a UsernameRef,
	37	password: &'a str,
177ee20b	38	_client_ip: Option<&'a IpAddr>,
19dfcfd8 LW	39	) -> Pin<Box<dyn Future<Output = Result<(), Error>> + Send + 'a>> {
	40	Box::pin(async move {
	41	let data = proxmox_sys::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;
	42	match data[username.as_str()].as_str() {
	43	None => bail!("no password set"),
	44	Some(enc_password) => proxmox_sys::crypt::verify_crypt_pw(password, enc_password)?,
	45	}
	46	Ok(())
	47	})
7d817b03 DM	48	}
7d817b03 DM	49
177ee20b WB	50	fn store_password(
	51	&self,
	52	username: &UsernameRef,
	53	password: &str,
	54	_client_ip: Option<&IpAddr>,
	55	) -> Result<(), Error> {
d5790a9f	56	let enc_password = proxmox_sys::crypt::encrypt_pw(password)?;
25877d05	57	let mut data = proxmox_sys::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;
e7cb4dc5	58	data[username.as_str()] = enc_password.into();
7d817b03 DM	59
7d817b03 DM	60	let mode = nix::sys::stat::Mode::from_bits_truncate(0o0600);
9531d2c5	61	let options = proxmox_sys::fs::CreateOptions::new()
7d817b03 DM	62	.perm(mode)
	63	.owner(nix::unistd::ROOT)
	64	.group(nix::unistd::Gid::from_raw(0));
	65
	66	let data = serde_json::to_vec_pretty(&data)?;
25877d05	67	proxmox_sys::fs::replace_file(SHADOW_CONFIG_FILENAME, &data, options, true)?;
7d817b03 DM	68
	69	Ok(())
	70	}
a4e871f5 DC	71
a4e871f5 DC	72	fn remove_password(&self, username: &UsernameRef) -> Result<(), Error> {
25877d05	73	let mut data = proxmox_sys::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;
a4e871f5 DC	74	if let Some(map) = data.as_object_mut() {
	75	map.remove(username.as_str());
	76	}
	77
	78	let mode = nix::sys::stat::Mode::from_bits_truncate(0o0600);
9531d2c5	79	let options = proxmox_sys::fs::CreateOptions::new()
a4e871f5 DC	80	.perm(mode)
	81	.owner(nix::unistd::ROOT)
	82	.group(nix::unistd::Gid::from_raw(0));
	83
	84	let data = serde_json::to_vec_pretty(&data)?;
25877d05	85	proxmox_sys::fs::replace_file(SHADOW_CONFIG_FILENAME, &data, options, true)?;
a4e871f5 DC	86
	87	Ok(())
	88	}
7d817b03 DM	89	}
7d817b03 DM	90
7c418952 LW	91	struct OpenIdAuthenticator();
	92	/// When a user is manually added, the lookup_authenticator is called to verify that
	93	/// the realm exists. Thus, it is necessary to have an (empty) implementation for
	94	/// OpendID as well.
d97ff8ae	95	impl Authenticator for OpenIdAuthenticator {
7c418952 LW	96	fn authenticate_user<'a>(
	97	&'a self,
	98	_username: &'a UsernameRef,
	99	_password: &'a str,
177ee20b	100	_client_ip: Option<&'a IpAddr>,
7c418952 LW	101	) -> Pin<Box<dyn Future<Output = Result<(), Error>> + Send + 'a>> {
	102	Box::pin(async move {
	103	http_bail!(
	104	NOT_IMPLEMENTED,
	105	"password authentication is not implemented for OpenID realms"
	106	);
	107	})
	108	}
	109
177ee20b WB	110	fn store_password(
	111	&self,
	112	_username: &UsernameRef,
	113	_password: &str,
	114	_client_ip: Option<&IpAddr>,
	115	) -> Result<(), Error> {
7c418952 LW	116	http_bail!(
	117	NOT_IMPLEMENTED,
	118	"storing passwords is not implemented for OpenID realms"
	119	);
	120	}
	121
	122	fn remove_password(&self, _username: &UsernameRef) -> Result<(), Error> {
	123	http_bail!(
	124	NOT_IMPLEMENTED,
	125	"storing passwords is not implemented for OpenID realms"
	126	);
	127	}
	128	}
	129
19dfcfd8 LW	130	#[allow(clippy::upper_case_acronyms)]
	131	pub struct LdapAuthenticator {
	132	config: LdapRealmConfig,
	133	}
	134
d97ff8ae	135	impl Authenticator for LdapAuthenticator {
19dfcfd8 LW	136	/// Authenticate user in LDAP realm
	137	fn authenticate_user<'a>(
	138	&'a self,
	139	username: &'a UsernameRef,
	140	password: &'a str,
177ee20b	141	_client_ip: Option<&'a IpAddr>,
19dfcfd8 LW	142	) -> Pin<Box<dyn Future<Output = Result<(), Error>> + Send + 'a>> {
	143	Box::pin(async move {
	144	let ldap_config = Self::api_type_to_config(&self.config)?;
	145	let ldap = Connection::new(ldap_config);
	146	ldap.authenticate_user(username.as_str(), password).await?;
	147	Ok(())
	148	})
	149	}
	150
177ee20b WB	151	fn store_password(
	152	&self,
	153	_username: &UsernameRef,
	154	_password: &str,
	155	_client_ip: Option<&IpAddr>,
	156	) -> Result<(), Error> {
19dfcfd8 LW	157	http_bail!(
	158	NOT_IMPLEMENTED,
	159	"storing passwords is not implemented for LDAP realms"
	160	);
	161	}
	162
	163	fn remove_password(&self, _username: &UsernameRef) -> Result<(), Error> {
	164	http_bail!(
	165	NOT_IMPLEMENTED,
	166	"removing passwords is not implemented for LDAP realms"
	167	);
	168	}
	169	}
	170
	171	impl LdapAuthenticator {
	172	pub fn api_type_to_config(config: &LdapRealmConfig) -> Result<Config, Error> {
5210f3b5 SS	173	Self::api_type_to_config_with_password(
	174	config,
	175	auth_helpers::get_ldap_bind_password(&config.realm)?,
	176	)
	177	}
	178
	179	pub fn api_type_to_config_with_password(
	180	config: &LdapRealmConfig,
	181	password: Option<String>,
	182	) -> Result<Config, Error> {
19dfcfd8 LW	183	let mut servers = vec![config.server1.clone()];
	184	if let Some(server) = &config.server2 {
	185	servers.push(server.clone());
	186	}
	187
ab09f409	188	let (ca_store, trusted_cert) = lookup_ca_store_or_cert_path(config.capath.as_deref());
19dfcfd8 LW	189
	190	Ok(Config {
	191	servers,
	192	port: config.port,
	193	user_attr: config.user_attr.clone(),
	194	base_dn: config.base_dn.clone(),
	195	bind_dn: config.bind_dn.clone(),
5210f3b5	196	bind_password: password,
30c34f0b	197	tls_mode: ldap_to_conn_mode(config.mode.unwrap_or_default()),
19dfcfd8 LW	198	verify_certificate: config.verify.unwrap_or_default(),
	199	additional_trusted_certificates: trusted_cert,
	200	certificate_store_path: ca_store,
	201	})
	202	}
	203	}
	204
30c34f0b CH	205	fn ldap_to_conn_mode(mode: LdapMode) -> ConnectionMode {
	206	match mode {
	207	LdapMode::Ldap => ConnectionMode::Ldap,
	208	LdapMode::StartTls => ConnectionMode::StartTls,
	209	LdapMode::Ldaps => ConnectionMode::Ldaps,
	210	}
	211	}
	212
ab09f409 CH	213	fn lookup_ca_store_or_cert_path(capath: Option<&str>) -> (Option<PathBuf>, Option<Vec<PathBuf>>) {
	214	if let Some(capath) = capath {
	215	let path = PathBuf::from(capath);
	216	if path.is_dir() {
	217	(Some(path), None)
	218	} else {
	219	(None, Some(vec![path]))
	220	}
	221	} else {
	222	(None, None)
	223	}
	224	}
	225
6685122c	226	/// Lookup the authenticator for the specified realm
d97ff8ae	227	pub(crate) fn lookup_authenticator(
19dfcfd8	228	realm: &RealmRef,
d97ff8ae	229	) -> Result<Box<dyn Authenticator + Send + Sync>, Error> {
e7cb4dc5	230	match realm.as_str() {
d97ff8ae WB	231	"pam" => Ok(Box::new(proxmox_auth_api::Pam::new("proxmox-backup-auth"))),
d97ff8ae WB	232	"pbs" => Ok(Box::new(PbsAuthenticator)),
19dfcfd8 LW	233	realm => {
	234	let (domains, _digest) = pbs_config::domains::config()?;
	235	if let Ok(config) = domains.lookup::<LdapRealmConfig>("ldap", realm) {
	236	Ok(Box::new(LdapAuthenticator { config }))
7c418952 LW	237	} else if domains.lookup::<OpenIdRealmConfig>("openid", realm).is_ok() {
7c418952 LW	238	Ok(Box::new(OpenIdAuthenticator()))
19dfcfd8 LW	239	} else {
	240	bail!("unknown realm '{}'", realm);
	241	}
	242	}
7d817b03 DM	243	}
	244	}
	245
4b40148c	246	/// Authenticate users
d97ff8ae	247	pub(crate) fn authenticate_user<'a>(
19dfcfd8 LW	248	userid: &'a Userid,
19dfcfd8 LW	249	password: &'a str,
177ee20b	250	client_ip: Option<&'a IpAddr>,
19dfcfd8 LW	251	) -> Pin<Box<dyn Future<Output = Result<(), Error>> + Send + 'a>> {
	252	Box::pin(async move {
	253	lookup_authenticator(userid.realm())?
177ee20b	254	.authenticate_user(userid.name(), password, client_ip)
19dfcfd8 LW	255	.await?;
	256	Ok(())
	257	})
7d817b03	258	}
d97ff8ae	259
569324cb WB	260	static PRIVATE_KEYRING: Lazy<Keyring> =
	261	Lazy::new(\|\| Keyring::with_private_key(crate::auth_helpers::private_auth_key().clone().into()));
	262	static PUBLIC_KEYRING: Lazy<Keyring> =
	263	Lazy::new(\|\| Keyring::with_public_key(crate::auth_helpers::public_auth_key().clone().into()));
d97ff8ae WB	264	static AUTH_CONTEXT: OnceCell<PbsAuthContext> = OnceCell::new();
	265
	266	pub fn setup_auth_context(use_private_key: bool) {
	267	let keyring = if use_private_key {
569324cb	268	&*PRIVATE_KEYRING
d97ff8ae	269	} else {
569324cb	270	&*PUBLIC_KEYRING
d97ff8ae WB	271	};
	272
	273	AUTH_CONTEXT
	274	.set(PbsAuthContext {
	275	keyring,
	276	csrf_secret: crate::auth_helpers::csrf_secret().to_vec(),
	277	})
	278	.map_err(drop)
	279	.expect("auth context setup twice");
	280
	281	proxmox_auth_api::set_auth_context(AUTH_CONTEXT.get().unwrap());
	282	}
	283
569324cb	284	pub(crate) fn private_auth_keyring() -> &'static Keyring {
12c841b4	285	&PRIVATE_KEYRING
569324cb WB	286	}
	287
	288	pub(crate) fn public_auth_keyring() -> &'static Keyring {
12c841b4	289	&PUBLIC_KEYRING
d97ff8ae WB	290	}
	291
	292	struct PbsAuthContext {
569324cb	293	keyring: &'static Keyring,
d97ff8ae WB	294	csrf_secret: Vec<u8>,
	295	}
	296
	297	impl proxmox_auth_api::api::AuthContext for PbsAuthContext {
	298	fn lookup_realm(&self, realm: &RealmRef) -> Option<Box<dyn Authenticator + Send + Sync>> {
	299	lookup_authenticator(realm).ok()
	300	}
	301
	302	/// Get the current authentication keyring.
	303	fn keyring(&self) -> &Keyring {
569324cb	304	self.keyring
d97ff8ae WB	305	}
	306
	307	/// The auth prefix without the separating colon. Eg. `"PBS"`.
	308	fn auth_prefix(&self) -> &'static str {
	309	"PBS"
	310	}
	311
	312	/// API token prefix (without the `'='`).
	313	fn auth_token_prefix(&self) -> &'static str {
	314	"PBSAPIToken"
	315	}
	316
	317	/// Auth cookie name.
	318	fn auth_cookie_name(&self) -> &'static str {
	319	"PBSAuthCookie"
	320	}
	321
	322	/// Check if a userid is enabled and return a [`UserInformation`] handle.
	323	fn auth_id_is_active(&self, auth_id: &Authid) -> Result<bool, Error> {
	324	Ok(pbs_config::CachedUserInfo::new()?.is_active_auth_id(auth_id))
	325	}
	326
	327	/// Access the TFA config with an exclusive lock.
	328	fn tfa_config_write_lock(&self) -> Result<Box<dyn LockedTfaConfig>, Error> {
	329	Ok(Box::new(PbsLockedTfaConfig {
	330	_lock: crate::config::tfa::read_lock()?,
	331	config: crate::config::tfa::read()?,
	332	}))
	333	}
	334
	335	/// CSRF prevention token secret data.
	336	fn csrf_secret(&self) -> &[u8] {
	337	&self.csrf_secret
	338	}
	339
	340	/// Verify a token secret.
	341	fn verify_token_secret(&self, token_id: &Authid, token_secret: &str) -> Result<(), Error> {
	342	pbs_config::token_shadow::verify_secret(token_id, token_secret)
	343	}
	344
	345	/// Check path based tickets. (Used for terminal tickets).
	346	fn check_path_ticket(
	347	&self,
	348	userid: &Userid,
	349	password: &str,
	350	path: String,
	351	privs: String,
	352	port: u16,
	353	) -> Result<Option<bool>, Error> {
	354	if !password.starts_with("PBSTERM:") {
	355	return Ok(None);
	356	}
	357
	358	if let Ok(Empty) = Ticket::parse(password).and_then(\|ticket\| {
	359	ticket.verify(
cd0daa8b	360	self.keyring,
d97ff8ae WB	361	TERM_PREFIX,
	362	Some(&crate::tools::ticket::term_aad(userid, &path, port)),
	363	)
	364	}) {
	365	let user_info = pbs_config::CachedUserInfo::new()?;
	366	let auth_id = Authid::from(userid.clone());
	367	for (name, privilege) in pbs_api_types::PRIVILEGES {
	368	if *name == privs {
	369	let mut path_vec = Vec::new();
	370	for part in path.split('/') {
	371	if !part.is_empty() {
	372	path_vec.push(part);
	373	}
	374	}
	375	user_info.check_privs(&auth_id, &path_vec, *privilege, false)?;
	376	return Ok(Some(true));
	377	}
	378	}
	379	}
	380
	381	Ok(Some(false))
	382	}
	383	}
	384
	385	struct PbsLockedTfaConfig {
	386	_lock: pbs_config::BackupLockGuard,
	387	config: TfaConfig,
	388	}
	389
	390	static USER_ACCESS: crate::config::tfa::UserAccess = crate::config::tfa::UserAccess;
	391
	392	impl LockedTfaConfig for PbsLockedTfaConfig {
	393	fn config_mut(&mut self) -> (&dyn OpenUserChallengeData, &mut TfaConfig) {
	394	(&USER_ACCESS, &mut self.config)
	395	}
	396
	397	fn save_config(&mut self) -> Result<(), Error> {
	398	crate::config::tfa::write(&self.config)
	399	}
	400	}