[pdm-devel] [PATCH proxmox-backup 3/4] api: node shell: allow access for tokens
Fabian Grünbichler
f.gruenbichler at proxmox.com
Tue Nov 11 09:29:19 CET 2025
needed for PDM, but backwards compatible for existing user-based usage.
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
Notes:
new in v1, requires bumped termproxy
src/api2/node/mod.rs | 28 ++++++++--------------------
src/auth.rs | 5 ++---
src/tools/ticket.rs | 6 +++---
3 files changed, 13 insertions(+), 26 deletions(-)
diff --git a/src/api2/node/mod.rs b/src/api2/node/mod.rs
index 72df9ea72..a5ec903a7 100644
--- a/src/api2/node/mod.rs
+++ b/src/api2/node/mod.rs
@@ -98,7 +98,7 @@ pub const SHELL_CMD_SCHEMA: Schema = StringSchema::new("The command to run.")
)]
/// Call termproxy and return shell ticket
async fn termproxy(cmd: Option<String>, rpcenv: &mut dyn RpcEnvironment) -> Result<Value, Error> {
- let root_user = Userid::root_userid();
+ let root_auth_id = Authid::root_auth_id();
// intentionally user only for now
let auth_id: Authid = rpcenv
@@ -106,12 +106,6 @@ async fn termproxy(cmd: Option<String>, rpcenv: &mut dyn RpcEnvironment) -> Resu
.ok_or_else(|| format_err!("no authid available"))?
.parse()?;
- if auth_id.is_token() {
- bail!("API tokens cannot access this API endpoint");
- }
-
- let userid = auth_id.user();
-
let path = "/system";
// use port 0 and let the kernel decide which port is free
@@ -120,21 +114,21 @@ async fn termproxy(cmd: Option<String>, rpcenv: &mut dyn RpcEnvironment) -> Resu
let ticket = Ticket::new(crate::auth::TERM_PREFIX, &Empty)?.sign(
private_auth_keyring(),
- Some(&tools::ticket::term_aad(userid, path, port)),
+ Some(&tools::ticket::term_aad(&auth_id, path, port)),
)?;
let mut command = Vec::new();
match cmd.as_deref() {
Some("login") | None => {
command.push("login");
- if userid == root_user {
+ if auth_id == *root_auth_id {
command.push("-f");
command.push("root");
}
}
Some("upgrade") => {
- if userid != root_user {
- bail!("only {root_user} can upgrade");
+ if auth_id != *root_auth_id {
+ bail!("only {root_auth_id} can upgrade");
}
// TODO: add nicer/safer wrapper like in PVE instead
command.push("sh");
@@ -144,7 +138,6 @@ async fn termproxy(cmd: Option<String>, rpcenv: &mut dyn RpcEnvironment) -> Resu
_ => bail!("invalid command"),
};
- let username = userid.name().to_owned();
let upid = WorkerTask::spawn(
"termproxy",
None,
@@ -166,6 +159,7 @@ async fn termproxy(cmd: Option<String>, rpcenv: &mut dyn RpcEnvironment) -> Resu
"--authport",
"82",
"--port-as-fd",
+ "--vncticket-endpoint",
"--",
]);
arguments.extend_from_slice(&command);
@@ -234,9 +228,8 @@ async fn termproxy(cmd: Option<String>, rpcenv: &mut dyn RpcEnvironment) -> Resu
},
)?;
- // FIXME: We're returning the user NAME only?
Ok(json!({
- "user": username,
+ "user": auth_id,
"ticket": ticket,
"port": port,
"upid": upid,
@@ -278,11 +271,6 @@ fn upgrade_to_websocket(
.ok_or_else(|| format_err!("no authid available"))?
.parse()?;
- if auth_id.is_token() {
- bail!("API tokens cannot access this API endpoint");
- }
-
- let userid = auth_id.user();
let ticket = pbs_tools::json::required_string_param(¶m, "vncticket")?;
let port: u16 = pbs_tools::json::required_integer_param(¶m, "port")? as u16;
@@ -290,7 +278,7 @@ fn upgrade_to_websocket(
Ticket::<Empty>::parse(ticket)?.verify(
public_auth_keyring(),
crate::auth::TERM_PREFIX,
- Some(&tools::ticket::term_aad(userid, "/system", port)),
+ Some(&tools::ticket::term_aad(&auth_id, "/system", port)),
)?;
let (ws, response) = WebSocket::new(parts.headers.clone())?;
diff --git a/src/auth.rs b/src/auth.rs
index ac24c8cac..a930d8cd9 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -449,7 +449,7 @@ impl proxmox_auth_api::api::AuthContext for PbsAuthContext {
/// Check path based tickets. (Used for terminal tickets).
fn check_path_ticket(
&self,
- userid: &Userid,
+ auth_id: &Authid,
password: &str,
path: String,
privs: String,
@@ -463,11 +463,10 @@ impl proxmox_auth_api::api::AuthContext for PbsAuthContext {
ticket.verify(
self.keyring,
TERM_PREFIX,
- Some(&crate::tools::ticket::term_aad(userid, &path, port)),
+ Some(&crate::tools::ticket::term_aad(auth_id, &path, port)),
)
}) {
let user_info = pbs_config::CachedUserInfo::new()?;
- let auth_id = Authid::from(userid.clone());
for (name, privilege) in pbs_api_types::PRIVILEGES {
if *name == privs {
let mut path_vec = Vec::new();
diff --git a/src/tools/ticket.rs b/src/tools/ticket.rs
index 8dd3c968a..f086d2d82 100644
--- a/src/tools/ticket.rs
+++ b/src/tools/ticket.rs
@@ -1,5 +1,5 @@
-use pbs_api_types::Userid;
+use pbs_api_types::Authid;
-pub fn term_aad(userid: &Userid, path: &str, port: u16) -> String {
- format!("{userid}{path}{port}")
+pub fn term_aad(auth_id: &Authid, path: &str, port: u16) -> String {
+ format!("{auth_id}{path}{port}")
}
--
2.47.3
More information about the pdm-devel
mailing list