1 use failure::*;
2
3 use crate::tools;
4 use crate::api::schema::*;
5 use crate::api::router::*;
6 use crate::tools::ticket::*;
7 use crate::auth_helpers::*;
8
9 use hyper::StatusCode;
10
11 use serde_json::{json, Value};
12
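/// Verify `password` for `username`.
///
/// Only the built-in `root@pam` user is accepted; it is checked against the
/// host's PAM stack via the `proxmox-backup-auth` PAM service, with the bare
/// user name `root` (the `@pam` realm suffix is not passed to PAM). Every
/// other user name is rejected without consulting PAM.
///
/// # Errors
///
/// Returns an error when the PAM authenticator cannot be set up, when PAM
/// rejects the credentials, or when `username` is not `root@pam`. The error
/// text is meant for the server log only; `create_ticket` replaces it with a
/// generic message before answering the client.
fn authenticate_user(username: &str, password: &str) -> Result<(), Error> {
    if username == "root@pam" {
        // Propagate a failed PAM setup as an error instead of panicking the
        // API worker (the original unwrapped here).
        let mut auth = pam::Authenticator::with_password("proxmox-backup-auth")?;
        auth.get_handler().set_credentials("root", password);
        auth.authenticate()?;
        return Ok(());
    }

    bail!("invalid credentials");
}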
24
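/// API handler for `POST /access/ticket`: authenticate a user and hand out an
/// auth ticket plus a CSRF prevention token.
///
/// Reads the required `username` and `password` parameters from `param`,
/// checks them with [`authenticate_user`], and on success returns a JSON
/// object with `username`, `ticket` (built by `assemble_rsa_ticket` from the
/// private auth key and the `"PBS"` argument) and `CSRFPreventionToken`.
///
/// # Errors
///
/// Fails if a required parameter is missing, if ticket assembly fails, or —
/// as `UNAUTHORIZED` with a generic message — if authentication fails. The
/// detailed authentication error is written to the log only.
fn create_ticket(
    param: Value,
    _info: &ApiMethod,
    _rpcenv: &mut RpcEnvironment,
) -> Result<Value, Error> {
    let username = tools::required_string_param(&param, "username")?;
    let password = tools::required_string_param(&param, "password")?;

    match authenticate_user(username, password) {
        Ok(()) => {
            let ticket = assemble_rsa_ticket(private_auth_key(), "PBS", Some(username), None)?;
            let token = assemble_csrf_prevention_token(csrf_secret(), username);

            log::info!("successful auth for user '{}'", username);

            Ok(json!({
                "username": username,
                "ticket": ticket,
                "CSRFPreventionToken": token,
            }))
        }
        Err(err) => {
            // TODO: the RPC environment does not yet provide the client
            // address here (see the Perl-era note); keep the placeholder so
            // the log record shape stays stable for consumers.
            let client_ip = "unknown"; // $rpcenv->get_client_ip() || '';
            // `username` is client-supplied and logged verbatim; the failure
            // reason stays server-side, the client only gets the generic
            // UNAUTHORIZED below.
            log::error!(
                "authentication failure; rhost={} user={} msg={}",
                client_ip,
                username,
                err
            );
            Err(http_err!(UNAUTHORIZED, "permission check failed.".into()))
        }
    }
}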
56
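/// Build the router for the `access` API subtree.
///
/// `GET` on the root returns the directory index (the single `ticket`
/// subdir); `POST ticket` is served by [`create_ticket`] with `username`
/// (at most 64 characters) and `password` as required parameters and is
/// marked `protected(true)`.
pub fn router() -> Router {
    Router::new()
        .get(ApiMethod::new(
            |_, _, _| Ok(json!([{ "subdir": "ticket" }])),
            ObjectSchema::new("Directory index."),
        ))
        .subdir(
            "ticket",
            Router::new().post(
                ApiMethod::new(
                    create_ticket,
                    ObjectSchema::new("Create or verify authentication ticket.")
                        .required("username", StringSchema::new("User name.").max_length(64))
                        // NOTE(review): `password` has no length bound, and
                        // its description says a ticket may be passed here
                        // while `authenticate_user` only handles passwords —
                        // confirm whether ticket verification belongs here.
                        .required(
                            "password",
                            StringSchema::new(
                                "The secret password. This can also be a valid ticket.",
                            ),
                        ),
                )
                .returns(
                    ObjectSchema::new("Returns authentication ticket with additional infos.")
                        .required("username", StringSchema::new("User name."))
                        .required("ticket", StringSchema::new("Auth ticket."))
                        .required(
                            "CSRFPreventionToken",
                            StringSchema::new("Cross Site Request Forgery Prevention Token."),
                        ),
                )
                // presumably routes the call to the privileged daemon — confirm
                .protected(true),
            ),
        )
}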