The PBS storage plugin used PVE code to detect if an API token was entered in the username field. This lead to bad requests for some valid PBS tokens which are not valid PVE tokens. Examples are "root@pam!1234" and "root@pam!_-".
Relax the token pattern to allow token names and realms that start with numbers or underscores. Also allow single character token names, which are allowed on the backend even though they can't be created through the PBS Web UI. Signed-off-by: Robert Obkircher <[email protected]> --- src/PVE/Storage/PBSPlugin.pm | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/src/PVE/Storage/PBSPlugin.pm b/src/PVE/Storage/PBSPlugin.pm index 5842004..b8dfa09 100644 --- a/src/PVE/Storage/PBSPlugin.pm +++ b/src/PVE/Storage/PBSPlugin.pm @@ -14,6 +14,7 @@ use POSIX qw(mktime strftime ENOENT); use POSIX::strptime; use PVE::APIClient::LWP; +use PVE::Auth::Plugin; use PVE::JSONSchema qw(get_standard_option); use PVE::Network; use PVE::PBSClient; @@ -701,6 +702,21 @@ my sub snapshot_files_encrypted { return $any && $all; } +# SAFE_ID_REGEX_STR: &str = r"(?:[A-Za-z0-9_][A-Za-z0-9._\-]*)"; +my $safe_id_regex = qr/(?:[A-Za-z0-9_][A-Za-z0-9\._\-]*)/; + +# TOKEN_NAME_REGEX_STR: = SAFE_ID_REGEX_STR +my $token_name_regex = $safe_id_regex; + +# USER_NAME_REGEX_STR: &str = r"(?:[^\s:/[:cntrl:]]+)"; +my $user_name_regex = qr/(?:[^\s:\/\p{PosixCntrl}]+)/; + +# USER_ID_REGEX_STR: &str = concatcp!(USER_NAME_REGEX_STR, r"@", SAFE_ID_REGEX_STR); +my $user_id_regex = qr/${user_name_regex}\@${safe_id_regex}/; + +# APITOKEN_ID_REGEX_STR: &str = concatcp!(USER_ID_REGEX_STR, r"!", TOKEN_NAME_REGEX_STR); +my $apitoken_id_regex = qr/${user_id_regex}\!${token_name_regex}/; + # TODO: use a client with native rust/proxmox-backup bindings to profit from # API schema checks and types my sub pbs_api_connect { @@ -710,8 +726,8 @@ my sub pbs_api_connect { my $user = $scfg->{username} // 'root@pam'; - if (my $tokenid = PVE::AccessControl::pve_verify_tokenid($user, 1)) { - $params->{apitoken} = "PBSAPIToken=${tokenid}:${password}"; + if ($user =~ qr/^${apitoken_id_regex}$/) { + $params->{apitoken} = "PBSAPIToken=${user}:${password}"; } else { $params->{password} = $password; $params->{username} = $user; -- 2.47.3 _______________________________________________ pve-devel mailing list [email protected] https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
