[pbs-devel] [PATCH proxmox-backup 4/5] fix #3887: api2: add regenerate token endpoint
Fabian Grünbichler
f.gruenbichler at proxmox.com
Wed Dec 21 11:53:01 CET 2022
On December 21, 2022 10:56 am, Thomas Lamprecht wrote:
> On 20/12/2022 15:57, Hannes Laimer wrote:
>> Signed-off-by: Hannes Laimer <h.laimer at proxmox.com>
>> ---
>> src/api2/access/user.rs | 61 ++++++++++++++++++++++++++++++++++++++++-
>> 1 file changed, 60 insertions(+), 1 deletion(-)
>>
>> diff --git a/src/api2/access/user.rs b/src/api2/access/user.rs
>> index 40177c8d..c2b563f7 100644
>> --- a/src/api2/access/user.rs
>> +++ b/src/api2/access/user.rs
> [..]
>> + token_shadow::set_secret(&tokenid, &secret)?;
>> +
>> + Ok(json!({
>> + "tokenid": tokenid_string,
>> + "value": secret
>> + }))
>> +}
>> +
>> #[api(
>> protected: true,
>> input: {
>> @@ -754,11 +807,17 @@ pub fn list_tokens(
>> Ok(res)
>> }
>>
>> +const TOKEN_SUBDIRS: SubdirMap = &[(
>> + "regenerate",
>> + &Router::new().post(&API_METHOD_REGENERATE_TOKEN),
>> +)];
>> +
>> const TOKEN_ITEM_ROUTER: Router = Router::new()
>> .get(&API_METHOD_READ_TOKEN)
>> .put(&API_METHOD_UPDATE_TOKEN)
>> .post(&API_METHOD_GENERATE_TOKEN)
>> - .delete(&API_METHOD_DELETE_TOKEN);
>> + .delete(&API_METHOD_DELETE_TOKEN)
>> + .subdirs(TOKEN_SUBDIRS);
>
> hmm, but now I cannot get the available subdir's via GET due to that being
> already used for reading the token info. Besides the added imperfection, I'm
> actually not sure from top of my head about the implications in PBS, but in
> PVE this would cause some technical issues in pvesh/api-viewer - did you
> check how those (debug api and api-viewer) handle to a shared subdir + "normal"
> get on the same API endpoint?
yeah, this would break editing tokens (and external calls to that GET API endpoint).
>
>>
>> const TOKEN_ROUTER: Router = Router::new()
>> .get(&API_METHOD_LIST_TOKENS)
it could be folded either into the update_token call (currently no return type,
could return an optional new secret) or the generate_token call, guarded by a
new "regenerate" boolean parameter. for updating it could even be combined with
an actual metadata update, for generate it would probably make more sense to
enforce that any optional parameters match the current one to avoid accidents..
More information about the pbs-devel
mailing list