From 80770ef49e4134c47a7462a666bf38d7baa76daa Mon Sep 17 00:00:00 2001 From: Robert Obkircher Date: Thu, 20 Nov 2025 14:09:10 +0100 Subject: [PATCH] fix #6900: correctly detect PBS API tokens in storage plugin The PBS storage plugin used PVE code to detect if an API token was entered in the username field. This lead to bad requests for some valid PBS tokens which are not valid PVE tokens. Examples are "root@pam!1234" and "root@pam!_-". Relax the token pattern to allow token names and realms that start with numbers or underscores. Also allow single character token names, which are allowed on the backend even though they can't be created through the PBS Web UI. Signed-off-by: Robert Obkircher Link: https://lore.proxmox.com/20251120131149.147981-1-r.obkircher@proxmox.com --- src/PVE/Storage/PBSPlugin.pm | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/src/PVE/Storage/PBSPlugin.pm b/src/PVE/Storage/PBSPlugin.pm index 5842004..1e0e038 100644 --- a/src/PVE/Storage/PBSPlugin.pm +++ b/src/PVE/Storage/PBSPlugin.pm @@ -701,6 +701,20 @@ my sub snapshot_files_encrypted { return $any && $all; } +# We cannot use the PVE API token regexes as we're stricter in PVE, +# so some tokens that would be valid for PBS would get rejected. +# Adapt over the PBS ones from proxmox-auth-api/src/types.rs: + +my $safe_id_regex = qr/(?:[A-Za-z0-9_][A-Za-z0-9\._\-]*)/; + +my $token_name_regex = $safe_id_regex; + +my $user_name_regex = qr/(?:[^\s:\/\p{PosixCntrl}]+)/; + +my $user_id_regex = qr/${user_name_regex}\@${safe_id_regex}/; + +my $apitoken_id_regex = qr/${user_id_regex}\!${token_name_regex}/; + # TODO: use a client with native rust/proxmox-backup bindings to profit from # API schema checks and types my sub pbs_api_connect { @@ -710,8 +724,8 @@ my sub pbs_api_connect { my $user = $scfg->{username} // 'root@pam'; - if (my $tokenid = PVE::AccessControl::pve_verify_tokenid($user, 1)) { - $params->{apitoken} = "PBSAPIToken=${tokenid}:${password}"; + if ($user =~ qr/^${apitoken_id_regex}$/) { + $params->{apitoken} = "PBSAPIToken=${user}:${password}"; } else { $params->{password} = $password; $params->{username} = $user;