]>
Commit | Line | Data |
---|---|---|
5bb4e06a DM |
1 | package PVE::Auth::Plugin; |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | use Encode; | |
6 | use Digest::SHA; | |
7 | use PVE::Tools; | |
8 | use PVE::SectionConfig; | |
9 | use PVE::JSONSchema qw(get_standard_option); | |
10 | use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_lock_file); | |
11 | ||
12 | use Data::Dumper; | |
13 | ||
14 | use base qw(PVE::SectionConfig); | |
15 | ||
16 | my $domainconfigfile = "domains.cfg"; | |
17 | ||
18 | cfs_register_file($domainconfigfile, | |
19 | sub { __PACKAGE__->parse_config(@_); }, | |
20 | sub { __PACKAGE__->write_config(@_); }); | |
21 | ||
22 | sub lock_domain_config { | |
23 | my ($code, $errmsg) = @_; | |
24 | ||
25 | cfs_lock_file($domainconfigfile, undef, $code); | |
26 | my $err = $@; | |
27 | if ($err) { | |
28 | $errmsg ? die "$errmsg: $err" : die $err; | |
29 | } | |
30 | } | |
31 | ||
32 | my $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/; | |
33 | ||
34 | PVE::JSONSchema::register_format('pve-realm', \&pve_verify_realm); | |
35 | sub pve_verify_realm { | |
36 | my ($realm, $noerr) = @_; | |
37 | ||
38 | if ($realm !~ m/^${realm_regex}$/) { | |
39 | return undef if $noerr; | |
40 | die "value does not look like a valid realm\n"; | |
41 | } | |
42 | return $realm; | |
43 | } | |
44 | ||
45 | PVE::JSONSchema::register_standard_option('realm', { | |
46 | description => "Authentication domain ID", | |
47 | type => 'string', format => 'pve-realm', | |
48 | maxLength => 32, | |
49 | }); | |
50 | ||
51 | PVE::JSONSchema::register_format('pve-userid', \&verify_username); | |
52 | sub verify_username { | |
53 | my ($username, $noerr) = @_; | |
54 | ||
55 | $username = '' if !$username; | |
56 | my $len = length($username); | |
57 | if ($len < 3) { | |
58 | die "user name '$username' is too short\n" if !$noerr; | |
59 | return undef; | |
60 | } | |
61 | if ($len > 64) { | |
62 | die "user name '$username' is too long ($len > 64)\n" if !$noerr; | |
63 | return undef; | |
64 | } | |
65 | ||
66 | # we only allow a limited set of characters | |
67 | # colon is not allowed, because we store usernames in | |
68 | # colon separated lists)! | |
69 | # slash is not allowed because it is used as pve API delimiter | |
70 | # also see "man useradd" | |
71 | if ($username =~ m!^([^\s:/]+)\@(${realm_regex})$!) { | |
72 | return wantarray ? ($username, $1, $2) : $username; | |
73 | } | |
74 | ||
75 | die "value '$username' does not look like a valid user name\n" if !$noerr; | |
76 | ||
77 | return undef; | |
78 | } | |
79 | ||
80 | PVE::JSONSchema::register_standard_option('userid', { | |
81 | description => "User ID", | |
82 | type => 'string', format => 'pve-userid', | |
83 | maxLength => 64, | |
84 | }); | |
85 | ||
86 | sub encrypt_pw { | |
87 | my ($pw) = @_; | |
88 | ||
89 | my $time = substr(Digest::SHA::sha1_base64 (time), 0, 8); | |
90 | return crypt(encode("utf8", $pw), "\$5\$$time\$"); | |
91 | } | |
92 | ||
93 | my $defaultData = { | |
94 | propertyList => { | |
95 | type => { description => "Realm type." }, | |
96 | realm => get_standard_option('realm'), | |
97 | }, | |
98 | }; | |
99 | ||
100 | sub private { | |
101 | return $defaultData; | |
102 | } | |
103 | ||
104 | sub parse_section_header { | |
105 | my ($class, $line) = @_; | |
106 | ||
107 | if ($line =~ m/^(\S+):\s*(\S+)\s*$/) { | |
108 | my ($type, $realm) = (lc($1), $2); | |
109 | my $errmsg = undef; # set if you want to skip whole section | |
110 | eval { pve_verify_realm($realm); }; | |
111 | $errmsg = $@ if $@; | |
112 | my $config = {}; # to return additional attributes | |
113 | return ($type, $realm, $errmsg, $config); | |
114 | } | |
115 | return undef; | |
116 | } | |
117 | ||
118 | sub parse_config { | |
119 | my ($class, $filename, $raw) = @_; | |
120 | ||
121 | my $cfg = $class->SUPER::parse_config($filename, $raw); | |
122 | ||
123 | my $default; | |
124 | foreach my $realm (keys %{$cfg->{ids}}) { | |
125 | my $data = $cfg->{ids}->{$realm}; | |
126 | # make sure there is only one default marker | |
127 | if ($data->{default}) { | |
128 | if ($default) { | |
129 | delete $data->{default}; | |
130 | } else { | |
131 | $default = $realm; | |
132 | } | |
133 | } | |
134 | ||
135 | if ($data->{comment}) { | |
136 | $data->{comment} = PVE::Tools::decode_text($data->{comment}); | |
137 | } | |
138 | ||
139 | } | |
140 | ||
141 | # add default domains | |
142 | ||
143 | $cfg->{ids}->{pve} = { | |
144 | type => 'pve', | |
145 | comment => "Proxmox VE authentication server", | |
146 | }; | |
147 | ||
148 | $cfg->{ids}->{pam} = { | |
149 | type => 'pam', | |
150 | plugin => 'PVE::Auth::PAM', | |
151 | comment => "Linux PAM standard authentication", | |
152 | }; | |
153 | ||
154 | return $cfg; | |
155 | }; | |
156 | ||
157 | sub write_config { | |
158 | my ($class, $filename, $cfg) = @_; | |
159 | ||
160 | delete $cfg->{ids}->{pve}; | |
161 | delete $cfg->{ids}->{pam}; | |
162 | ||
163 | foreach my $realm (keys %{$cfg->{ids}}) { | |
164 | my $data = $cfg->{ids}->{$realm}; | |
165 | if ($data->{comment}) { | |
166 | $data->{comment} = PVE::Tools::encode_text($data->{comment}); | |
167 | } | |
168 | } | |
169 | ||
170 | $class->SUPER::write_config($filename, $cfg); | |
171 | } | |
172 | ||
173 | sub authenticate_user { | |
174 | my ($class, $config, $realm, $username, $password) = @_; | |
175 | ||
176 | die "overwrite me"; | |
177 | } | |
178 | ||
179 | sub store_password { | |
180 | my ($class, $config, $realm, $username, $password) = @_; | |
181 | ||
182 | my $type = $class->type(); | |
183 | ||
184 | die "can't set password on auth type '$type'\n"; | |
185 | } | |
186 | ||
187 | sub delete_user { | |
188 | my ($class, $config, $realm, $username) = @_; | |
189 | ||
190 | # do nothing by default | |
191 | } | |
192 | ||
193 | 1; |