//! Provides authentication primitives for the HTTP server
-use anyhow::{bail, format_err, Error};
+use anyhow::{format_err, Error};
-use crate::tools::ticket::Ticket;
+use std::sync::Arc;
+
+use crate::api2::types::{Authid, Userid};
use crate::auth_helpers::*;
-use crate::tools;
use crate::config::cached_user_info::CachedUserInfo;
-use crate::api2::types::{Authid, Userid};
+use crate::tools;
+use crate::tools::ticket::Ticket;
use hyper::header;
use percent_encoding::percent_decode_str;
-pub struct UserAuthData {
+pub enum AuthError {
+ Generic(Error),
+ NoData,
+}
+
+impl From<Error> for AuthError {
+ fn from(err: Error) -> Self {
+ AuthError::Generic(err)
+ }
+}
+
+pub trait ApiAuth {
+ fn check_auth(
+ &self,
+ headers: &http::HeaderMap,
+ method: &hyper::Method,
+ user_info: &CachedUserInfo,
+ ) -> Result<Authid, AuthError>;
+}
+
+struct UserAuthData {
ticket: String,
csrf_token: Option<String>,
}
-pub enum AuthData {
+enum AuthData {
User(UserAuthData),
ApiToken(String),
}
-pub fn extract_auth_data(headers: &http::HeaderMap) -> Option<AuthData> {
- if let Some(raw_cookie) = headers.get(header::COOKIE) {
- if let Ok(cookie) = raw_cookie.to_str() {
- if let Some(ticket) = tools::extract_cookie(cookie, "PBSAuthCookie") {
- let csrf_token = match headers.get("CSRFPreventionToken").map(|v| v.to_str()) {
- Some(Ok(v)) => Some(v.to_owned()),
- _ => None,
- };
- return Some(AuthData::User(UserAuthData {
- ticket,
- csrf_token,
- }));
+pub struct UserApiAuth {}
+pub fn default_api_auth() -> Arc<UserApiAuth> {
+ Arc::new(UserApiAuth {})
+}
+
+impl UserApiAuth {
+ fn extract_auth_data(headers: &http::HeaderMap) -> Option<AuthData> {
+ if let Some(raw_cookie) = headers.get(header::COOKIE) {
+ if let Ok(cookie) = raw_cookie.to_str() {
+ if let Some(ticket) = tools::extract_cookie(cookie, "PBSAuthCookie") {
+ let csrf_token = match headers.get("CSRFPreventionToken").map(|v| v.to_str()) {
+ Some(Ok(v)) => Some(v.to_owned()),
+ _ => None,
+ };
+ return Some(AuthData::User(UserAuthData { ticket, csrf_token }));
+ }
}
}
- }
- match headers.get(header::AUTHORIZATION).map(|v| v.to_str()) {
- Some(Ok(v)) => {
- if v.starts_with("PBSAPIToken ") || v.starts_with("PBSAPIToken=") {
- Some(AuthData::ApiToken(v["PBSAPIToken ".len()..].to_owned()))
- } else {
- None
+ match headers.get(header::AUTHORIZATION).map(|v| v.to_str()) {
+ Some(Ok(v)) => {
+ if v.starts_with("PBSAPIToken ") || v.starts_with("PBSAPIToken=") {
+ Some(AuthData::ApiToken(v["PBSAPIToken ".len()..].to_owned()))
+ } else {
+ None
+ }
}
- },
- _ => None,
+ _ => None,
+ }
}
}
-pub fn check_auth(
- method: &hyper::Method,
- auth_data: &AuthData,
- user_info: &CachedUserInfo,
-) -> Result<Authid, Error> {
- match auth_data {
- AuthData::User(user_auth_data) => {
- let ticket = user_auth_data.ticket.clone();
- let ticket_lifetime = tools::ticket::TICKET_LIFETIME;
-
- let userid: Userid = Ticket::<super::ticket::ApiTicket>::parse(&ticket)?
- .verify_with_time_frame(public_auth_key(), "PBS", None, -300..ticket_lifetime)?
- .require_full()?;
-
- let auth_id = Authid::from(userid.clone());
- if !user_info.is_active_auth_id(&auth_id) {
- bail!("user account disabled or expired.");
- }
+impl ApiAuth for UserApiAuth {
+ fn check_auth(
+ &self,
+ headers: &http::HeaderMap,
+ method: &hyper::Method,
+ user_info: &CachedUserInfo,
+ ) -> Result<Authid, AuthError> {
+ let auth_data = Self::extract_auth_data(headers);
+ match auth_data {
+ Some(AuthData::User(user_auth_data)) => {
+ let ticket = user_auth_data.ticket.clone();
+ let ticket_lifetime = tools::ticket::TICKET_LIFETIME;
- if method != hyper::Method::GET {
- if let Some(csrf_token) = &user_auth_data.csrf_token {
- verify_csrf_prevention_token(csrf_secret(), &userid, &csrf_token, -300, ticket_lifetime)?;
- } else {
- bail!("missing CSRF prevention token");
+ let userid: Userid = Ticket::<super::ticket::ApiTicket>::parse(&ticket)?
+ .verify_with_time_frame(public_auth_key(), "PBS", None, -300..ticket_lifetime)?
+ .require_full()?;
+
+ let auth_id = Authid::from(userid.clone());
+ if !user_info.is_active_auth_id(&auth_id) {
+ return Err(format_err!("user account disabled or expired.").into());
}
- }
- Ok(auth_id)
- },
- AuthData::ApiToken(api_token) => {
- let mut parts = api_token.splitn(2, ':');
- let tokenid = parts.next()
- .ok_or_else(|| format_err!("failed to split API token header"))?;
- let tokenid: Authid = tokenid.parse()?;
+ if method != hyper::Method::GET {
+ if let Some(csrf_token) = &user_auth_data.csrf_token {
+ verify_csrf_prevention_token(
+ csrf_secret(),
+ &userid,
+ &csrf_token,
+ -300,
+ ticket_lifetime,
+ )?;
+ } else {
+ return Err(format_err!("missing CSRF prevention token").into());
+ }
+ }
- if !user_info.is_active_auth_id(&tokenid) {
- bail!("user account or token disabled or expired.");
+ Ok(auth_id)
}
+ Some(AuthData::ApiToken(api_token)) => {
+ let mut parts = api_token.splitn(2, ':');
+ let tokenid = parts
+ .next()
+ .ok_or_else(|| format_err!("failed to split API token header"))?;
+ let tokenid: Authid = tokenid.parse()?;
- let tokensecret = parts.next()
- .ok_or_else(|| format_err!("failed to split API token header"))?;
- let tokensecret = percent_decode_str(tokensecret)
- .decode_utf8()
- .map_err(|_| format_err!("failed to decode API token header"))?;
+ if !user_info.is_active_auth_id(&tokenid) {
+ return Err(format_err!("user account or token disabled or expired.").into());
+ }
+
+ let tokensecret = parts
+ .next()
+ .ok_or_else(|| format_err!("failed to split API token header"))?;
+ let tokensecret = percent_decode_str(tokensecret)
+ .decode_utf8()
+ .map_err(|_| format_err!("failed to decode API token header"))?;
- crate::config::token_shadow::verify_secret(&tokenid, &tokensecret)?;
+ crate::config::token_shadow::verify_secret(&tokenid, &tokensecret)?;
- Ok(tokenid)
+ Ok(tokenid)
+ }
+ None => Err(AuthError::NoData),
}
}
}
};
use proxmox::http_err;
+use super::auth::AuthError;
use super::environment::RestEnvironment;
use super::formatter::*;
use super::ApiConfig;
-use super::auth::{check_auth, extract_auth_data};
use crate::api2::types::{Authid, Userid};
use crate::auth_helpers::*;
rpcenv.set_client_ip(Some(*peer));
let user_info = CachedUserInfo::new()?;
+ let auth = &api.api_auth;
let delay_unauth_time = std::time::Instant::now() + std::time::Duration::from_millis(3000);
let access_forbidden_time = std::time::Instant::now() + std::time::Duration::from_millis(500);
}
if auth_required {
- let auth_result = match extract_auth_data(&parts.headers) {
- Some(auth_data) => check_auth(&method, &auth_data, &user_info),
- None => Err(format_err!("no authentication credentials provided.")),
- };
- match auth_result {
+ match auth.check_auth(&parts.headers, &method, &user_info) {
Ok(authid) => rpcenv.set_auth_id(Some(authid.to_string())),
- Err(err) => {
+ Err(auth_err) => {
+ let err = match auth_err {
+ AuthError::Generic(err) => err,
+ AuthError::NoData => {
+ format_err!("no authentication credentials provided.")
+ }
+ };
let peer = peer.ip();
auth_logger()?.log(format!(
"authentication failure; rhost={} msg={}",
if comp_len == 0 {
let language = extract_lang_header(&parts.headers);
- if let Some(auth_data) = extract_auth_data(&parts.headers) {
- match check_auth(&method, &auth_data, &user_info) {
- Ok(auth_id) if !auth_id.is_token() => {
+ match auth.check_auth(&parts.headers, &method, &user_info) {
+ Ok(auth_id) => {
+ if !auth_id.is_token() {
let userid = auth_id.user();
let new_csrf_token = assemble_csrf_prevention_token(csrf_secret(), userid);
return Ok(get_index(
parts,
));
}
- _ => {
- tokio::time::sleep_until(Instant::from_std(delay_unauth_time)).await;
- return Ok(get_index(None, None, language, &api, parts));
- }
}
- } else {
- return Ok(get_index(None, None, language, &api, parts));
+ Err(AuthError::Generic(_)) => {
+ tokio::time::sleep_until(Instant::from_std(delay_unauth_time)).await;
+ }
+ Err(AuthError::NoData) => {}
}
+ return Ok(get_index(None, None, language, &api, parts));
} else {
let filename = api.find_alias(&components);
let compression = extract_compression_method(&parts.headers);