[pbs-devel] [PATCH v3 proxmox-backup 07/18] auth: add LDAP realm authenticator

Lukas Wagner l.wagner at proxmox.com
Thu Feb 9 14:31:17 CET 2023


This commits also makes user authentication async, so that e.g. a not
responding LDAP server cannot block other logins.

Signed-off-by: Lukas Wagner <l.wagner at proxmox.com>
---
 Cargo.toml             |   2 +
 src/api2/access/mod.rs |   8 +--
 src/api2/access/tfa.rs |  15 ++--
 src/auth.rs            | 157 +++++++++++++++++++++++++++++++++++------
 4 files changed, 151 insertions(+), 31 deletions(-)

diff --git a/Cargo.toml b/Cargo.toml
index 2bf9ae48..f087cc47 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -62,6 +62,7 @@ proxmox-fuse = "0.1.3"
 proxmox-http = { version = "0.7", features = [ "client", "http-helpers", "websocket" ] } # see below
 proxmox-io = "1.0.1" # tools and client use "tokio" feature
 proxmox-lang = "1.1"
+proxmox-ldap = "0.1"
 proxmox-metrics = "0.2"
 proxmox-rest-server = "0.2.1"
 # some use "cli", some use "cli" and "server", pbs-config uses nothing
@@ -205,6 +206,7 @@ proxmox-compression.workspace = true
 proxmox-http = { workspace = true, features = [ "client-trait", "proxmox-async" ] } # pbs-client doesn't use these
 proxmox-io.workspace = true
 proxmox-lang.workspace = true
+proxmox-ldap.workspace = true
 proxmox-metrics.workspace = true
 proxmox-rest-server.workspace = true
 proxmox-router = { workspace = true, features = [ "cli", "server"] }
diff --git a/src/api2/access/mod.rs b/src/api2/access/mod.rs
index 9274b782..d3e21763 100644
--- a/src/api2/access/mod.rs
+++ b/src/api2/access/mod.rs
@@ -43,7 +43,7 @@ enum AuthResult {
     Partial(Box<TfaChallenge>),
 }
 
-fn authenticate_user(
+async fn authenticate_user(
     userid: &Userid,
     password: &str,
     path: Option<String>,
@@ -107,7 +107,7 @@ fn authenticate_user(
 
     #[allow(clippy::let_unit_value)]
     {
-        let _: () = crate::auth::authenticate_user(userid, password)?;
+        let _: () = crate::auth::authenticate_user(userid, password).await?;
     }
 
     Ok(match crate::config::tfa::login_challenge(userid)? {
@@ -190,7 +190,7 @@ fn authenticate_2nd(
 /// Create or verify authentication ticket.
 ///
 /// Returns: An authentication ticket with additional infos.
-pub fn create_ticket(
+pub async fn create_ticket(
     username: Userid,
     password: String,
     path: Option<String>,
@@ -206,7 +206,7 @@ pub fn create_ticket(
         .downcast_ref::<RestEnvironment>()
         .ok_or_else(|| format_err!("detected wrong RpcEnvironment type"))?;
 
-    match authenticate_user(&username, &password, path, privs, port, tfa_challenge) {
+    match authenticate_user(&username, &password, path, privs, port, tfa_challenge).await {
         Ok(AuthResult::Success) => Ok(json!({ "username": username })),
         Ok(AuthResult::CreateTicket) => {
             let api_ticket = ApiTicket::Full(username.clone());
diff --git a/src/api2/access/tfa.rs b/src/api2/access/tfa.rs
index 7e6d028a..599aee60 100644
--- a/src/api2/access/tfa.rs
+++ b/src/api2/access/tfa.rs
@@ -19,7 +19,7 @@ use crate::config::tfa::UserAccess;
 /// This means that user admins need to type in their own password while editing a user, and
 /// regular users, which can only change their own TFA settings (checked at the API level), can
 /// change their own settings using their own password.
-fn tfa_update_auth(
+async fn tfa_update_auth(
     rpcenv: &mut dyn RpcEnvironment,
     userid: &Userid,
     password: Option<String>,
@@ -32,6 +32,7 @@ fn tfa_update_auth(
         #[allow(clippy::let_unit_value)]
         {
             let _: () = crate::auth::authenticate_user(authid.user(), &password)
+                .await
                 .map_err(|err| http_err!(UNAUTHORIZED, "{}", err))?;
         }
     }
@@ -114,13 +115,13 @@ fn get_tfa_entry(userid: Userid, id: String) -> Result<methods::TypedTfaInfo, Er
     },
 )]
 /// Delete a single TFA entry.
-fn delete_tfa(
+async fn delete_tfa(
     userid: Userid,
     id: String,
     password: Option<String>,
     rpcenv: &mut dyn RpcEnvironment,
 ) -> Result<(), Error> {
-    tfa_update_auth(rpcenv, &userid, password, false)?;
+    tfa_update_auth(rpcenv, &userid, password, false).await?;
 
     let _lock = crate::config::tfa::write_lock()?;
 
@@ -207,7 +208,7 @@ fn list_tfa(rpcenv: &mut dyn RpcEnvironment) -> Result<Vec<methods::TfaUser>, Er
 )]
 /// Add a TFA entry to the user.
 #[allow(clippy::too_many_arguments)]
-fn add_tfa_entry(
+async fn add_tfa_entry(
     userid: Userid,
     description: Option<String>,
     totp: Option<String>,
@@ -217,7 +218,7 @@ fn add_tfa_entry(
     r#type: methods::TfaType,
     rpcenv: &mut dyn RpcEnvironment,
 ) -> Result<methods::TfaUpdateInfo, Error> {
-    tfa_update_auth(rpcenv, &userid, password, true)?;
+    tfa_update_auth(rpcenv, &userid, password, true).await?;
 
     let _lock = crate::config::tfa::write_lock()?;
 
@@ -269,7 +270,7 @@ fn add_tfa_entry(
     },
 )]
 /// Update user's TFA entry description.
-fn update_tfa_entry(
+async fn update_tfa_entry(
     userid: Userid,
     id: String,
     description: Option<String>,
@@ -277,7 +278,7 @@ fn update_tfa_entry(
     password: Option<String>,
     rpcenv: &mut dyn RpcEnvironment,
 ) -> Result<(), Error> {
-    tfa_update_auth(rpcenv, &userid, password, true)?;
+    tfa_update_auth(rpcenv, &userid, password, true).await?;
 
     let _lock = crate::config::tfa::write_lock()?;
 
diff --git a/src/auth.rs b/src/auth.rs
index f1d5c0a1..30feb936 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -3,16 +3,27 @@
 //! This library contains helper to authenticate users.
 
 use std::io::Write;
+use std::path::PathBuf;
+use std::pin::Pin;
 use std::process::{Command, Stdio};
 
 use anyhow::{bail, format_err, Error};
+use futures::Future;
+use proxmox_router::http_bail;
 use serde_json::json;
 
-use pbs_api_types::{RealmRef, Userid, UsernameRef};
+use pbs_api_types::{LdapMode, LdapRealmConfig, RealmRef, Userid, UsernameRef};
 use pbs_buildcfg::configdir;
 
+use crate::auth_helpers;
+use proxmox_ldap::{Config, Connection, ConnectionMode};
+
 pub trait ProxmoxAuthenticator {
-    fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error>;
+    fn authenticate_user<'a>(
+        &'a self,
+        username: &'a UsernameRef,
+        password: &'a str,
+    ) -> Pin<Box<dyn Future<Output = Result<(), Error>> + Send + 'a>>;
     fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error>;
     fn remove_password(&self, username: &UsernameRef) -> Result<(), Error>;
 }
@@ -21,12 +32,18 @@ pub trait ProxmoxAuthenticator {
 struct PAM();
 
 impl ProxmoxAuthenticator for PAM {
-    fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error> {
-        let mut auth = pam::Authenticator::with_password("proxmox-backup-auth").unwrap();
-        auth.get_handler()
-            .set_credentials(username.as_str(), password);
-        auth.authenticate()?;
-        Ok(())
+    fn authenticate_user<'a>(
+        &self,
+        username: &'a UsernameRef,
+        password: &'a str,
+    ) -> Pin<Box<dyn Future<Output = Result<(), Error>> + Send + 'a>> {
+        Box::pin(async move {
+            let mut auth = pam::Authenticator::with_password("proxmox-backup-auth").unwrap();
+            auth.get_handler()
+                .set_credentials(username.as_str(), password);
+            auth.authenticate()?;
+            Ok(())
+        })
     }
 
     fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error> {
@@ -67,7 +84,10 @@ impl ProxmoxAuthenticator for PAM {
 
     // do not remove password for pam users
     fn remove_password(&self, _username: &UsernameRef) -> Result<(), Error> {
-        Ok(())
+        http_bail!(
+            NOT_IMPLEMENTED,
+            "removing passwords is not implemented for PAM realms"
+        );
     }
 }
 
@@ -77,13 +97,19 @@ struct PBS();
 const SHADOW_CONFIG_FILENAME: &str = configdir!("/shadow.json");
 
 impl ProxmoxAuthenticator for PBS {
-    fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error> {
-        let data = proxmox_sys::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;
-        match data[username.as_str()].as_str() {
-            None => bail!("no password set"),
-            Some(enc_password) => proxmox_sys::crypt::verify_crypt_pw(password, enc_password)?,
-        }
-        Ok(())
+    fn authenticate_user<'a>(
+        &self,
+        username: &'a UsernameRef,
+        password: &'a str,
+    ) -> Pin<Box<dyn Future<Output = Result<(), Error>> + Send + 'a>> {
+        Box::pin(async move {
+            let data = proxmox_sys::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;
+            match data[username.as_str()].as_str() {
+                None => bail!("no password set"),
+                Some(enc_password) => proxmox_sys::crypt::verify_crypt_pw(password, enc_password)?,
+            }
+            Ok(())
+        })
     }
 
     fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error> {
@@ -122,16 +148,107 @@ impl ProxmoxAuthenticator for PBS {
     }
 }
 
+#[allow(clippy::upper_case_acronyms)]
+pub struct LdapAuthenticator {
+    config: LdapRealmConfig,
+}
+
+impl ProxmoxAuthenticator for LdapAuthenticator {
+    /// Authenticate user in LDAP realm
+    fn authenticate_user<'a>(
+        &'a self,
+        username: &'a UsernameRef,
+        password: &'a str,
+    ) -> Pin<Box<dyn Future<Output = Result<(), Error>> + Send + 'a>> {
+        Box::pin(async move {
+            let ldap_config = Self::api_type_to_config(&self.config)?;
+            let ldap = Connection::new(ldap_config);
+            ldap.authenticate_user(username.as_str(), password).await?;
+            Ok(())
+        })
+    }
+
+    fn store_password(&self, _username: &UsernameRef, _password: &str) -> Result<(), Error> {
+        http_bail!(
+            NOT_IMPLEMENTED,
+            "storing passwords is not implemented for LDAP realms"
+        );
+    }
+
+    fn remove_password(&self, _username: &UsernameRef) -> Result<(), Error> {
+        http_bail!(
+            NOT_IMPLEMENTED,
+            "removing passwords is not implemented for LDAP realms"
+        );
+    }
+}
+
+impl LdapAuthenticator {
+    pub fn api_type_to_config(config: &LdapRealmConfig) -> Result<Config, Error> {
+        let mut servers = vec![config.server1.clone()];
+        if let Some(server) = &config.server2 {
+            servers.push(server.clone());
+        }
+
+        let tls_mode = match config.mode.unwrap_or_default() {
+            LdapMode::Ldap => ConnectionMode::Ldap,
+            LdapMode::StartTls => ConnectionMode::StartTls,
+            LdapMode::Ldaps => ConnectionMode::Ldaps,
+        };
+
+        let (ca_store, trusted_cert) = if let Some(capath) = config.capath.as_deref() {
+            let path = PathBuf::from(capath);
+            if path.is_dir() {
+                (Some(path), None)
+            } else {
+                (None, Some(vec![path]))
+            }
+        } else {
+            (None, None)
+        };
+
+        Ok(Config {
+            servers,
+            port: config.port,
+            user_attr: config.user_attr.clone(),
+            base_dn: config.base_dn.clone(),
+            bind_dn: config.bind_dn.clone(),
+            bind_password: auth_helpers::get_ldap_bind_password(&config.realm)?,
+            tls_mode,
+            verify_certificate: config.verify.unwrap_or_default(),
+            additional_trusted_certificates: trusted_cert,
+            certificate_store_path: ca_store,
+        })
+    }
+}
+
 /// Lookup the autenticator for the specified realm
-pub fn lookup_authenticator(realm: &RealmRef) -> Result<Box<dyn ProxmoxAuthenticator>, Error> {
+pub fn lookup_authenticator(
+    realm: &RealmRef,
+) -> Result<Box<dyn ProxmoxAuthenticator + Send + Sync + 'static>, Error> {
     match realm.as_str() {
         "pam" => Ok(Box::new(PAM())),
         "pbs" => Ok(Box::new(PBS())),
-        _ => bail!("unknown realm '{}'", realm.as_str()),
+        realm => {
+            let (domains, _digest) = pbs_config::domains::config()?;
+            if let Ok(config) = domains.lookup::<LdapRealmConfig>("ldap", realm) {
+                Ok(Box::new(LdapAuthenticator { config }))
+            } else {
+                bail!("unknown realm '{}'", realm);
+            }
+        }
     }
 }
 
 /// Authenticate users
-pub fn authenticate_user(userid: &Userid, password: &str) -> Result<(), Error> {
-    lookup_authenticator(userid.realm())?.authenticate_user(userid.name(), password)
+pub fn authenticate_user<'a>(
+    userid: &'a Userid,
+    password: &'a str,
+) -> Pin<Box<dyn Future<Output = Result<(), Error>> + Send + 'a>> {
+    Box::pin(async move {
+        lookup_authenticator(userid.realm())?
+            .authenticate_user(userid.name(), password)
+            .await?;
+        Ok(())
+    })
 }
-- 
2.30.2






More information about the pbs-devel mailing list