[pdm-devel] [PATCH proxmox 3/3] auth-api: add vncticket verification endpoint and type
Fabian Grünbichler
f.gruenbichler at proxmox.com
Tue Nov 11 09:29:16 CET 2025
needed to allow token-based shells in PBS/PDM.
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
Notes:
new in v1, required for PBS
proxmox-auth-api/src/api/access.rs | 32 +++++++++++++++++++++++++++++-
proxmox-auth-api/src/api/mod.rs | 4 ++--
proxmox-auth-api/src/types.rs | 22 ++++++++++++++++++++
3 files changed, 55 insertions(+), 3 deletions(-)
diff --git a/proxmox-auth-api/src/api/access.rs b/proxmox-auth-api/src/api/access.rs
index 6921ea29..3ff1d0e8 100644
--- a/proxmox-auth-api/src/api/access.rs
+++ b/proxmox-auth-api/src/api/access.rs
@@ -16,7 +16,7 @@ use proxmox_tfa::api::TfaChallenge;
use super::ApiTicket;
use super::{auth_context, HMACKey};
use crate::ticket::Ticket;
-use crate::types::{Authid, CreateTicket, CreateTicketResponse, Userid};
+use crate::types::{Authid, CreateTicket, CreateTicketResponse, Userid, VerifyVNCTicket};
#[allow(clippy::large_enum_variant)]
enum AuthResult {
@@ -68,6 +68,36 @@ pub async fn create_ticket(
})
}
+#[api(
+ input: {
+ properties: {
+ verify_params: {
+ type: VerifyVNCTicket,
+ flatten: true,
+ }
+ },
+ },
+ protected: true,
+ access: {
+ permission: &Permission::World,
+ },
+)]
+/// Verify that a VNC ticket is valid for a given Authid, path and privilege(s).
+pub async fn verify_vnc_ticket(verify_params: VerifyVNCTicket) -> Result<(), Error> {
+ let auth_context = auth_context()?;
+ match auth_context.check_path_ticket(
+ &verify_params.authid,
+ &verify_params.vncticket,
+ verify_params.path,
+ verify_params.privs,
+ verify_params.port.unwrap_or_default(),
+ )? {
+ None => bail!("Checking VNC ticket failed"), // no path based tickets supported, just fall through.
+ Some(true) => return Ok(()),
+ Some(false) => bail!("No such privilege"),
+ }
+}
+
pub const API_METHOD_LOGOUT: ApiMethod = ApiMethod::new(
&ApiHandler::AsyncHttpBodyParameters(&logout_handler),
&ObjectSchema::new("", &[]),
diff --git a/proxmox-auth-api/src/api/mod.rs b/proxmox-auth-api/src/api/mod.rs
index 3c07ead3..98cf77e9 100644
--- a/proxmox-auth-api/src/api/mod.rs
+++ b/proxmox-auth-api/src/api/mod.rs
@@ -19,8 +19,8 @@ use crate::ticket::Ticket;
use access::verify_csrf_prevention_token;
pub use access::{
- assemble_csrf_prevention_token, create_ticket, API_METHOD_CREATE_TICKET,
- API_METHOD_CREATE_TICKET_HTTP_ONLY, API_METHOD_LOGOUT,
+ assemble_csrf_prevention_token, create_ticket, verify_vnc_ticket, API_METHOD_CREATE_TICKET,
+ API_METHOD_CREATE_TICKET_HTTP_ONLY, API_METHOD_LOGOUT, API_METHOD_VERIFY_VNC_TICKET,
};
pub use ticket::{ApiTicket, PartialTicket};
diff --git a/proxmox-auth-api/src/types.rs b/proxmox-auth-api/src/types.rs
index 9bde661c..86b79d70 100644
--- a/proxmox-auth-api/src/types.rs
+++ b/proxmox-auth-api/src/types.rs
@@ -706,6 +706,28 @@ pub struct CreateTicket {
pub tfa_challenge: Option<String>,
}
+#[api]
+/// The parameter object for verifying a VNC ticket.
+#[derive(Debug, Clone, Deserialize, Serialize)]
+pub struct VerifyVNCTicket {
+ /// Userid or Token
+ pub authid: Authid,
+
+ /// The VNC ticket
+ #[serde(default)]
+ pub vncticket: String,
+
+ /// Verify ticket, and check if user have access 'privs' on 'path'.
+ pub path: String,
+
+ /// Verify ticket, and check if user have access 'privs' on 'path'.
+ pub privs: String,
+
+ /// Port for verifying terminal tickets.
+ #[serde(default, skip_serializing_if = "Option::is_none")]
+ pub port: Option<u16>,
+}
+
#[api]
/// The API response for a ticket call.
#[derive(Debug, Deserialize, Serialize)]
--
2.47.3
More information about the pdm-devel
mailing list