[pbs-devel] [PATCH proxmox-backup 10/14] config: use new dedicated PAM and PBS realm types
Christoph Heiss
c.heiss at proxmox.com
Tue Jul 16 15:45:09 CEST 2024
Signed-off-by: Christoph Heiss <c.heiss at proxmox.com>
---
pbs-config/src/domains.rs | 21 +++++++++++++++++++--
src/api2/access/domain.rs | 13 -------------
src/bin/proxmox-backup-api.rs | 1 +
src/config/mod.rs | 34 ++++++++++++++++++++++++++++++++++
4 files changed, 54 insertions(+), 15 deletions(-)
diff --git a/pbs-config/src/domains.rs b/pbs-config/src/domains.rs
index d372e913..4565c36a 100644
--- a/pbs-config/src/domains.rs
+++ b/pbs-config/src/domains.rs
@@ -8,19 +8,36 @@ use proxmox_schema::{ApiType, ObjectSchema};
use proxmox_section_config::{SectionConfig, SectionConfigData, SectionConfigPlugin};
use crate::{open_backup_lockfile, replace_backup_config, BackupLockGuard};
-use pbs_api_types::{AdRealmConfig, LdapRealmConfig, OpenIdRealmConfig, REALM_ID_SCHEMA};
+use pbs_api_types::{
+ AdRealmConfig, LdapRealmConfig, OpenIdRealmConfig, PamRealmConfig, PbsRealmConfig,
+ REALM_ID_SCHEMA,
+};
lazy_static! {
pub static ref CONFIG: SectionConfig = init();
}
fn init() -> SectionConfig {
+ const PAM_SCHEMA: &ObjectSchema = PamRealmConfig::API_SCHEMA.unwrap_object_schema();
+ const PBS_SCHEMA: &ObjectSchema = PbsRealmConfig::API_SCHEMA.unwrap_object_schema();
const AD_SCHEMA: &ObjectSchema = AdRealmConfig::API_SCHEMA.unwrap_object_schema();
const LDAP_SCHEMA: &ObjectSchema = LdapRealmConfig::API_SCHEMA.unwrap_object_schema();
const OPENID_SCHEMA: &ObjectSchema = OpenIdRealmConfig::API_SCHEMA.unwrap_object_schema();
let mut config = SectionConfig::new(&REALM_ID_SCHEMA);
+ config.register_plugin(SectionConfigPlugin::new(
+ "pam".to_owned(),
+ Some("realm".to_owned()),
+ PAM_SCHEMA,
+ ));
+
+ config.register_plugin(SectionConfigPlugin::new(
+ "pbs".to_owned(),
+ Some("realm".to_owned()),
+ PBS_SCHEMA,
+ ));
+
let plugin = SectionConfigPlugin::new(
"openid".to_string(),
Some(String::from("realm")),
@@ -75,7 +92,7 @@ pub fn unset_default_realm(config: &mut SectionConfigData) -> Result<(), Error>
/// Check if a realm with the given name exists
pub fn exists(domains: &SectionConfigData, realm: &str) -> bool {
- realm == "pbs" || realm == "pam" || domains.sections.contains_key(realm)
+ domains.sections.contains_key(realm)
}
// shell completion helper
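Review bot: `exists` no longer treats `pam` and `pbs` as always present, so every caller now depends on domains.cfg actually containing those two sections. In this patch the sections are only written by `update_default_realms()`, called from `run()` in proxmox-backup-api. A caller that reads the config before that has happened, or after a section was removed by hand, will see the built-in realms as missing. The callers are outside this hunk; if any of them uses `exists` to validate the realm during login or user creation, a missing section would lock out PAM and PBS users, so that is worth checking. The doc comment should state the new contract, e.g. `/// Check if a realm with the given name is present in the config; the built-in "pam" and "pbs" realms are not implied.`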
diff --git a/src/api2/access/domain.rs b/src/api2/access/domain.rs
index 8f8eebda..cede714a 100644
--- a/src/api2/access/domain.rs
+++ b/src/api2/access/domain.rs
@@ -29,19 +29,6 @@ use crate::server::jobstate::Job;
/// Authentication domain/realm index.
fn list_domains(rpcenv: &mut dyn RpcEnvironment) -> Result<Vec<BasicRealmInfo>, Error> {
let mut list = Vec::new();
-
- list.push(serde_json::from_value(json!({
- "realm": "pam",
- "type": "pam",
- "comment": "Linux PAM standard authentication",
- "default": Some(true),
- }))?);
- list.push(serde_json::from_value(json!({
- "realm": "pbs",
- "type": "pbs",
- "comment": "Proxmox Backup authentication server",
- }))?);
-
let (config, digest) = pbs_config::domains::config()?;
for (_, (section_type, v)) in config.sections.iter() {
diff --git a/src/bin/proxmox-backup-api.rs b/src/bin/proxmox-backup-api.rs
index 95c14e41..4caea8a6 100644
--- a/src/bin/proxmox-backup-api.rs
+++ b/src/bin/proxmox-backup-api.rs
@@ -46,6 +46,7 @@ async fn run() -> Result<(), Error> {
config::create_configdir()?;
config::update_self_signed_cert(false)?;
+ config::update_default_realms()?;
proxmox_backup::server::create_run_dir()?;
proxmox_backup::server::create_state_dir()?;
diff --git a/src/config/mod.rs b/src/config/mod.rs
index 324fabca..3931eee9 100644
--- a/src/config/mod.rs
+++ b/src/config/mod.rs
@@ -12,6 +12,7 @@ use std::path::Path;
use proxmox_lang::try_block;
+use pbs_api_types::{PamRealmConfig, PbsRealmConfig};
use pbs_buildcfg::{self, configdir};
pub mod acme;
@@ -194,3 +195,36 @@ pub(crate) fn set_proxy_certificate(cert_pem: &[u8], key_pem: &[u8]) -> Result<(
Ok(())
}
+
+pub fn update_default_realms() -> Result<(), Error> {
+ let _lock = pbs_config::domains::lock_config()?;
+ let (mut domains, _) = pbs_config::domains::config()?;
+
+ if !pbs_config::domains::exists(&domains, "pam") {
+ domains.set_data(
+ "pam",
+ "pam",
+ PamRealmConfig {
+ realm: "pam".to_owned(),
+ comment: Some("Linux PAM standard authentication".to_owned()),
+ // Setting it as default here is safe, because if we perform this
+ // migration, the user had not had any chance to set a custom default anyway.
+ default: Some(true),
+ },
+ )?;
+ }
+
+ if !pbs_config::domains::exists(&domains, "pbs") {
+ domains.set_data(
+ "pbs",
+ "pbs",
+ PbsRealmConfig {
+ realm: "pbs".to_owned(),
+ comment: Some("Proxmox Backup authentication server".to_owned()),
+ default: None,
+ },
+ )?;
+ }
+
+ pbs_config::domains::save_config(&domains)
+}
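Review bot: The `default: Some(true)` on the new `pam` entry relies on the comment's assumption that no custom default can exist yet, but the guard is only `!exists(&domains, "pam")`. That guard is also true whenever the section is missing for another reason, such as a hand-edited domains.cfg. If another realm already carries `default` at that point, two realms may end up marked as default, so consider setting it only when no existing section has one. Separately, `save_config` runs on each call even when both realms were already present; a `let mut changed = false;` set in each branch and a final `if changed { pbs_config::domains::save_config(&domains)?; }` before `Ok(())` would avoid rewriting the file needlessly. As a new `pub fn` it also deserves a doc comment such as `/// Adds the built-in "pam" and "pbs" realms to domains.cfg if they are missing.`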
--
2.45.1