[proxmox-backup.git] / src / api2 / access / tfa.rs

use anyhow::{bail, format_err, Error};
use serde::{Deserialize, Serialize};

use proxmox::api::{api, Permission, Router, RpcEnvironment};
use proxmox::tools::tfa::totp::Totp;
use proxmox::{http_bail, http_err};

use crate::api2::types::{Authid, Userid, PASSWORD_SCHEMA};
use crate::config::acl::{PRIV_PERMISSIONS_MODIFY, PRIV_SYS_AUDIT};
use crate::config::cached_user_info::CachedUserInfo;
use crate::config::tfa::{TfaInfo, TfaUserData};

/// Perform first-factor (password) authentication only. Ignore password for the root user.
/// Otherwise check the current user's password.
///
/// This means that user admins need to type in their own password while editing a user, and
/// regular users, which can only change their own TFA settings (checked at the API level), can
/// change their own settings using their own password.
fn tfa_update_auth(
    rpcenv: &mut dyn RpcEnvironment,
    userid: &Userid,
    password: Option<String>,
    must_exist: bool,
) -> Result<(), Error> {
    let authid: Authid = rpcenv.get_auth_id().unwrap().parse()?;

    if authid.user() != Userid::root_userid() {
        let password = password.ok_or_else(|| http_err!(UNAUTHORIZED, "missing password"))?;
        let _: () = crate::auth::authenticate_user(authid.user(), &password)
            .map_err(|err| http_err!(UNAUTHORIZED, "{}", err))?;
    }

    // After authentication, verify that the to-be-modified user actually exists:
    if must_exist && authid.user() != userid {
        let (config, _digest) = crate::config::user::config()?;

        if config
            .lookup::<crate::config::user::User>("user", userid.as_str())
            .is_err()
        {
            http_bail!(UNAUTHORIZED, "user '{}' does not exists.", userid);
        }
    }

    Ok(())
}

#[api]
/// A TFA entry type.
#[derive(Deserialize, Serialize)]
#[serde(rename_all = "lowercase")]
enum TfaType {
    /// A TOTP entry type.
    Totp,
    /// A U2F token entry.
    U2f,
    /// A Webauthn token entry.
    Webauthn,
    /// Recovery tokens.
    Recovery,
}

#[api(
    properties: {
        type: { type: TfaType },
        info: { type: TfaInfo },
    },
)]
/// A TFA entry for a user.
#[derive(Deserialize, Serialize)]
#[serde(deny_unknown_fields)]
struct TypedTfaInfo {
    #[serde(rename = "type")]
    pub ty: TfaType,

    #[serde(flatten)]
    pub info: TfaInfo,
}

fn to_data(data: TfaUserData) -> Vec<TypedTfaInfo> {
    let mut out = Vec::with_capacity(
        data.totp.len()
            + data.u2f.len()
            + data.webauthn.len()
            + if data.recovery().is_some() { 1 } else { 0 },
    );
    if let Some(recovery) = data.recovery() {
        out.push(TypedTfaInfo {
            ty: TfaType::Recovery,
            info: TfaInfo::recovery(recovery.created),
        })
    }
    for entry in data.totp {
        out.push(TypedTfaInfo {
            ty: TfaType::Totp,
            info: entry.info,
        });
    }
    for entry in data.webauthn {
        out.push(TypedTfaInfo {
            ty: TfaType::Webauthn,
            info: entry.info,
        });
    }
    for entry in data.u2f {
        out.push(TypedTfaInfo {
            ty: TfaType::U2f,
            info: entry.info,
        });
    }
    out
}

/// Iterate through tuples of `(type, index, id)`.
fn tfa_id_iter(data: &TfaUserData) -> impl Iterator<Item = (TfaType, usize, &str)> {
    data.totp
        .iter()
        .enumerate()
        .map(|(i, entry)| (TfaType::Totp, i, entry.info.id.as_str()))
        .chain(
            data.webauthn
                .iter()
                .enumerate()
                .map(|(i, entry)| (TfaType::Webauthn, i, entry.info.id.as_str())),
        )
        .chain(
            data.u2f
                .iter()
                .enumerate()
                .map(|(i, entry)| (TfaType::U2f, i, entry.info.id.as_str())),
        )
        .chain(
            data.recovery
                .iter()
                .map(|_| (TfaType::Recovery, 0, "recovery")),
        )
}

#[api(
    protected: true,
    input: {
        properties: { userid: { type: Userid } },
    },
    access: {
        permission: &Permission::Or(&[
            &Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
            &Permission::UserParam("userid"),
        ]),
    },
)]
/// Add a TOTP secret to the user.
fn list_user_tfa(userid: Userid) -> Result<Vec<TypedTfaInfo>, Error> {
    let _lock = crate::config::tfa::read_lock()?;

    Ok(match crate::config::tfa::read()?.users.remove(&userid) {
        Some(data) => to_data(data),
        None => Vec::new(),
    })
}

#[api(
    protected: true,
    input: {
        properties: {
            userid: { type: Userid },
            id: { description: "the tfa entry id" }
        },
    },
    access: {
        permission: &Permission::Or(&[
            &Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
            &Permission::UserParam("userid"),
        ]),
    },
)]
/// Get a single TFA entry.
fn get_tfa_entry(userid: Userid, id: String) -> Result<TypedTfaInfo, Error> {
    let _lock = crate::config::tfa::read_lock()?;

    if let Some(user_data) = crate::config::tfa::read()?.users.remove(&userid) {
        match {
            // scope to prevent the temprary iter from borrowing across the whole match
            let entry = tfa_id_iter(&user_data).find(|(_ty, _index, entry_id)| id == *entry_id);
            entry.map(|(ty, index, _)| (ty, index))
        } {
            Some((TfaType::Recovery, _)) => {
                if let Some(recovery) = user_data.recovery() {
                    return Ok(TypedTfaInfo {
                        ty: TfaType::Recovery,
                        info: TfaInfo::recovery(recovery.created),
                    });
                }
            }
            Some((TfaType::Totp, index)) => {
                return Ok(TypedTfaInfo {
                    ty: TfaType::Totp,
                    // `into_iter().nth()` to *move* out of it
                    info: user_data.totp.into_iter().nth(index).unwrap().info,
                });
            }
            Some((TfaType::Webauthn, index)) => {
                return Ok(TypedTfaInfo {
                    ty: TfaType::Webauthn,
                    info: user_data.webauthn.into_iter().nth(index).unwrap().info,
                });
            }
            Some((TfaType::U2f, index)) => {
                return Ok(TypedTfaInfo {
                    ty: TfaType::U2f,
                    info: user_data.u2f.into_iter().nth(index).unwrap().info,
                });
            }
            None => (),
        }
    }

    http_bail!(NOT_FOUND, "no such tfa entry: {}/{}", userid, id);
}

#[api(
    protected: true,
    input: {
        properties: {
            userid: { type: Userid },
            id: {
                description: "the tfa entry id",
            },
            password: {
                schema: PASSWORD_SCHEMA,
                optional: true,
            },
        },
    },
    access: {
        permission: &Permission::Or(&[
            &Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
            &Permission::UserParam("userid"),
        ]),
    },
)]
/// Get a single TFA entry.
fn delete_tfa(
    userid: Userid,
    id: String,
    password: Option<String>,
    rpcenv: &mut dyn RpcEnvironment,
) -> Result<(), Error> {
    tfa_update_auth(rpcenv, &userid, password, false)?;

    let _lock = crate::config::tfa::write_lock()?;

    let mut data = crate::config::tfa::read()?;

    let user_data = data
        .users
        .get_mut(&userid)
        .ok_or_else(|| http_err!(NOT_FOUND, "no such entry: {}/{}", userid, id))?;

    match {
        // scope to prevent the temprary iter from borrowing across the whole match
        let entry = tfa_id_iter(&user_data).find(|(_, _, entry_id)| id == *entry_id);
        entry.map(|(ty, index, _)| (ty, index))
    } {
        Some((TfaType::Recovery, _)) => user_data.recovery = None,
        Some((TfaType::Totp, index)) => drop(user_data.totp.remove(index)),
        Some((TfaType::Webauthn, index)) => drop(user_data.webauthn.remove(index)),
        Some((TfaType::U2f, index)) => drop(user_data.u2f.remove(index)),
        None => http_bail!(NOT_FOUND, "no such tfa entry: {}/{}", userid, id),
    }

    if user_data.is_empty() {
        data.users.remove(&userid);
    }

    crate::config::tfa::write(&data)?;

    Ok(())
}

#[api(
    properties: {
        "userid": { type: Userid },
        "entries": {
            type: Array,
            items: { type: TypedTfaInfo },
        },
    },
)]
#[derive(Deserialize, Serialize)]
#[serde(deny_unknown_fields)]
/// Over the API we only provide the descriptions for TFA data.
struct TfaUser {
    /// The user this entry belongs to.
    userid: Userid,

    /// TFA entries.
    entries: Vec<TypedTfaInfo>,
}

#[api(
    protected: true,
    input: {
        properties: {},
    },
    access: {
        permission: &Permission::Anybody,
        description: "Returns all or just the logged-in user, depending on privileges.",
    },
    returns: {
        description: "The list tuples of user and TFA entries.",
        type: Array,
        items: { type: TfaUser }
    },
)]
/// List user TFA configuration.
fn list_tfa(rpcenv: &mut dyn RpcEnvironment) -> Result<Vec<TfaUser>, Error> {
    let authid: Authid = rpcenv.get_auth_id().unwrap().parse()?;
    let user_info = CachedUserInfo::new()?;

    let top_level_privs = user_info.lookup_privs(&authid, &["access", "users"]);
    let top_level_allowed = (top_level_privs & PRIV_SYS_AUDIT) != 0;

    let _lock = crate::config::tfa::read_lock()?;
    let tfa_data = crate::config::tfa::read()?.users;

    let mut out = Vec::<TfaUser>::new();
    if top_level_allowed {
        for (user, data) in tfa_data {
            out.push(TfaUser {
                userid: user,
                entries: to_data(data),
            });
        }
    } else {
        if let Some(data) = { tfa_data }.remove(authid.user()) {
            out.push(TfaUser {
                userid: authid.into(),
                entries: to_data(data),
            });
        }
    }

    Ok(out)
}

#[api(
    properties: {
        recovery: {
            description: "A list of recovery codes as integers.",
            type: Array,
            items: {
                type: Integer,
                description: "A one-time usable recovery code entry.",
            },
        },
    },
)]
/// The result returned when adding TFA entries to a user.
#[derive(Default, Serialize)]
struct TfaUpdateInfo {
    /// The id if a newly added TFA entry.
    id: Option<String>,

    /// When adding u2f entries, this contains a challenge the user must respond to in order to
    /// finish the registration.
    #[serde(skip_serializing_if = "Option::is_none")]
    challenge: Option<String>,

    /// When adding recovery codes, this contains the list of codes to be displayed to the user
    /// this one time.
    #[serde(skip_serializing_if = "Vec::is_empty", default)]
    recovery: Vec<String>,
}

impl TfaUpdateInfo {
    fn id(id: String) -> Self {
        Self {
            id: Some(id),
            ..Default::default()
        }
    }
}

#[api(
    protected: true,
    input: {
        properties: {
            userid: { type: Userid },
            description: {
                description: "A description to distinguish multiple entries from one another",
                type: String,
                max_length: 255,
                optional: true,
            },
            "type": { type: TfaType },
            totp: {
                description: "A totp URI.",
                optional: true,
            },
            value: {
                description:
            "The current value for the provided totp URI, or a Webauthn/U2F challenge response",
                optional: true,
            },
            challenge: {
                description: "When responding to a u2f challenge: the original challenge string",
                optional: true,
            },
            password: {
                schema: PASSWORD_SCHEMA,
                optional: true,
            },
        },
    },
    returns: { type: TfaUpdateInfo },
    access: {
        permission: &Permission::Or(&[
            &Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
            &Permission::UserParam("userid"),
        ]),
    },
)]
/// Add a TFA entry to the user.
fn add_tfa_entry(
    userid: Userid,
    description: Option<String>,
    totp: Option<String>,
    value: Option<String>,
    challenge: Option<String>,
    password: Option<String>,
    r#type: TfaType,
    rpcenv: &mut dyn RpcEnvironment,
) -> Result<TfaUpdateInfo, Error> {
    tfa_update_auth(rpcenv, &userid, password, true)?;

    let need_description =
        move || description.ok_or_else(|| format_err!("'description' is required for new entries"));

    match r#type {
        TfaType::Totp => match (totp, value) {
            (Some(totp), Some(value)) => {
                if challenge.is_some() {
                    bail!("'challenge' parameter is invalid for 'totp' entries");
                }
                let description = need_description()?;

                let totp: Totp = totp.parse()?;
                if totp
                    .verify(&value, std::time::SystemTime::now(), -1..=1)?
                    .is_none()
                {
                    bail!("failed to verify TOTP challenge");
                }
                crate::config::tfa::add_totp(&userid, description, totp).map(TfaUpdateInfo::id)
            }
            _ => bail!("'totp' type requires both 'totp' and 'value' parameters"),
        },
        TfaType::Webauthn => {
            if totp.is_some() {
                bail!("'totp' parameter is invalid for 'totp' entries");
            }

            match challenge {
                None => crate::config::tfa::add_webauthn_registration(&userid, need_description()?)
                    .map(|c| TfaUpdateInfo {
                        challenge: Some(c),
                        ..Default::default()
                    }),
                Some(challenge) => {
                    let value = value.ok_or_else(|| {
                        format_err!(
                            "missing 'value' parameter (webauthn challenge response missing)"
                        )
                    })?;
                    crate::config::tfa::finish_webauthn_registration(&userid, &challenge, &value)
                        .map(TfaUpdateInfo::id)
                }
            }
        }
        TfaType::U2f => {
            if totp.is_some() {
                bail!("'totp' parameter is invalid for 'totp' entries");
            }

            match challenge {
                None => crate::config::tfa::add_u2f_registration(&userid, need_description()?).map(
                    |c| TfaUpdateInfo {
                        challenge: Some(c),
                        ..Default::default()
                    },
                ),
                Some(challenge) => {
                    let value = value.ok_or_else(|| {
                        format_err!("missing 'value' parameter (u2f challenge response missing)")
                    })?;
                    crate::config::tfa::finish_u2f_registration(&userid, &challenge, &value)
                        .map(TfaUpdateInfo::id)
                }
            }
        }
        TfaType::Recovery => {
            if totp.or(value).or(challenge).is_some() {
                bail!("generating recovery tokens does not allow additional parameters");
            }

            let recovery = crate::config::tfa::add_recovery(&userid)?;

            Ok(TfaUpdateInfo {
                id: Some("recovery".to_string()),
                recovery,
                ..Default::default()
            })
        }
    }
}

#[api(
    protected: true,
    input: {
        properties: {
            userid: { type: Userid },
            id: {
                description: "the tfa entry id",
            },
            description: {
                description: "A description to distinguish multiple entries from one another",
                type: String,
                max_length: 255,
                optional: true,
            },
            enable: {
                description: "Whether this entry should currently be enabled or disabled",
                optional: true,
            },
            password: {
                schema: PASSWORD_SCHEMA,
                optional: true,
            },
        },
    },
    access: {
        permission: &Permission::Or(&[
            &Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
            &Permission::UserParam("userid"),
        ]),
    },
)]
/// Update user's TFA entry description.
fn update_tfa_entry(
    userid: Userid,
    id: String,
    description: Option<String>,
    enable: Option<bool>,
    password: Option<String>,
    rpcenv: &mut dyn RpcEnvironment,
) -> Result<(), Error> {
    tfa_update_auth(rpcenv, &userid, password, true)?;

    let _lock = crate::config::tfa::write_lock()?;

    let mut data = crate::config::tfa::read()?;

    let mut entry = data
        .users
        .get_mut(&userid)
        .and_then(|user| user.find_entry_mut(&id))
        .ok_or_else(|| http_err!(NOT_FOUND, "no such entry: {}/{}", userid, id))?;

    if let Some(description) = description {
        entry.description = description;
    }

    if let Some(enable) = enable {
        entry.enable = enable;
    }

    crate::config::tfa::write(&data)?;
    Ok(())
}

pub const ROUTER: Router = Router::new()
    .get(&API_METHOD_LIST_TFA)
    .match_all("userid", &USER_ROUTER);

const USER_ROUTER: Router = Router::new()
    .get(&API_METHOD_LIST_USER_TFA)
    .post(&API_METHOD_ADD_TFA_ENTRY)
    .match_all("id", &ITEM_ROUTER);

const ITEM_ROUTER: Router = Router::new()
    .get(&API_METHOD_GET_TFA_ENTRY)
    .put(&API_METHOD_UPDATE_TFA_ENTRY)
    .delete(&API_METHOD_DELETE_TFA);
Commit	Line	Data
027ef213 WB	1	use anyhow::{bail, format_err, Error};
027ef213 WB	2	use serde::{Deserialize, Serialize};
027ef213 WB	3
	4	use proxmox::api::{api, Permission, Router, RpcEnvironment};
	5	use proxmox::tools::tfa::totp::Totp;
	6	use proxmox::{http_bail, http_err};
	7
	8	use crate::api2::types::{Authid, Userid, PASSWORD_SCHEMA};
	9	use crate::config::acl::{PRIV_PERMISSIONS_MODIFY, PRIV_SYS_AUDIT};
	10	use crate::config::cached_user_info::CachedUserInfo;
	11	use crate::config::tfa::{TfaInfo, TfaUserData};
	12
	13	/// Perform first-factor (password) authentication only. Ignore password for the root user.
	14	/// Otherwise check the current user's password.
	15	///
	16	/// This means that user admins need to type in their own password while editing a user, and
	17	/// regular users, which can only change their own TFA settings (checked at the API level), can
	18	/// change their own settings using their own password.
	19	fn tfa_update_auth(
	20	rpcenv: &mut dyn RpcEnvironment,
	21	userid: &Userid,
	22	password: Option<String>,
eab25e2f	23	must_exist: bool,
027ef213 WB	24	) -> Result<(), Error> {
	25	let authid: Authid = rpcenv.get_auth_id().unwrap().parse()?;
	26
	27	if authid.user() != Userid::root_userid() {
7ad33e80 WB	28	let password = password.ok_or_else(\|\| http_err!(UNAUTHORIZED, "missing password"))?;
	29	let _: () = crate::auth::authenticate_user(authid.user(), &password)
	30	.map_err(\|err\| http_err!(UNAUTHORIZED, "{}", err))?;
027ef213 WB	31	}
	32
	33	// After authentication, verify that the to-be-modified user actually exists:
eab25e2f	34	if must_exist && authid.user() != userid {
027ef213 WB	35	let (config, _digest) = crate::config::user::config()?;
027ef213 WB	36
4bda5168 WB	37	if config
	38	.lookup::<crate::config::user::User>("user", userid.as_str())
	39	.is_err()
	40	{
7ad33e80	41	http_bail!(UNAUTHORIZED, "user '{}' does not exists.", userid);
027ef213 WB	42	}
	43	}
	44
	45	Ok(())
	46	}
	47
	48	#[api]
	49	/// A TFA entry type.
	50	#[derive(Deserialize, Serialize)]
	51	#[serde(rename_all = "lowercase")]
759af9f0	52	enum TfaType {
027ef213 WB	53	/// A TOTP entry type.
	54	Totp,
	55	/// A U2F token entry.
	56	U2f,
	57	/// A Webauthn token entry.
	58	Webauthn,
	59	/// Recovery tokens.
	60	Recovery,
	61	}
	62
	63	#[api(
	64	properties: {
	65	type: { type: TfaType },
	66	info: { type: TfaInfo },
	67	},
	68	)]
	69	/// A TFA entry for a user.
	70	#[derive(Deserialize, Serialize)]
	71	#[serde(deny_unknown_fields)]
759af9f0	72	struct TypedTfaInfo {
027ef213 WB	73	#[serde(rename = "type")]
	74	pub ty: TfaType,
	75
	76	#[serde(flatten)]
	77	pub info: TfaInfo,
	78	}
	79
	80	fn to_data(data: TfaUserData) -> Vec<TypedTfaInfo> {
	81	let mut out = Vec::with_capacity(
	82	data.totp.len()
	83	+ data.u2f.len()
	84	+ data.webauthn.len()
ad5cee1d	85	+ if data.recovery().is_some() { 1 } else { 0 },
027ef213	86	);
ad5cee1d	87	if let Some(recovery) = data.recovery() {
027ef213 WB	88	out.push(TypedTfaInfo {
027ef213 WB	89	ty: TfaType::Recovery,
ad5cee1d	90	info: TfaInfo::recovery(recovery.created),
027ef213 WB	91	})
	92	}
	93	for entry in data.totp {
	94	out.push(TypedTfaInfo {
	95	ty: TfaType::Totp,
	96	info: entry.info,
	97	});
	98	}
	99	for entry in data.webauthn {
	100	out.push(TypedTfaInfo {
	101	ty: TfaType::Webauthn,
	102	info: entry.info,
	103	});
	104	}
	105	for entry in data.u2f {
	106	out.push(TypedTfaInfo {
	107	ty: TfaType::U2f,
	108	info: entry.info,
	109	});
	110	}
	111	out
	112	}
	113
f58e5132 WB	114	/// Iterate through tuples of `(type, index, id)`.
	115	fn tfa_id_iter(data: &TfaUserData) -> impl Iterator<Item = (TfaType, usize, &str)> {
	116	data.totp
	117	.iter()
	118	.enumerate()
	119	.map(\|(i, entry)\| (TfaType::Totp, i, entry.info.id.as_str()))
	120	.chain(
	121	data.webauthn
	122	.iter()
	123	.enumerate()
	124	.map(\|(i, entry)\| (TfaType::Webauthn, i, entry.info.id.as_str())),
	125	)
	126	.chain(
	127	data.u2f
	128	.iter()
	129	.enumerate()
	130	.map(\|(i, entry)\| (TfaType::U2f, i, entry.info.id.as_str())),
	131	)
	132	.chain(
	133	data.recovery
	134	.iter()
	135	.map(\|_\| (TfaType::Recovery, 0, "recovery")),
	136	)
	137	}
	138
027ef213 WB	139	#[api(
	140	protected: true,
	141	input: {
	142	properties: { userid: { type: Userid } },
	143	},
	144	access: {
	145	permission: &Permission::Or(&[
	146	&Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
	147	&Permission::UserParam("userid"),
	148	]),
	149	},
	150	)]
	151	/// Add a TOTP secret to the user.
759af9f0	152	fn list_user_tfa(userid: Userid) -> Result<Vec<TypedTfaInfo>, Error> {
027ef213 WB	153	let _lock = crate::config::tfa::read_lock()?;
	154
	155	Ok(match crate::config::tfa::read()?.users.remove(&userid) {
	156	Some(data) => to_data(data),
	157	None => Vec::new(),
	158	})
	159	}
	160
	161	#[api(
	162	protected: true,
	163	input: {
	164	properties: {
	165	userid: { type: Userid },
	166	id: { description: "the tfa entry id" }
	167	},
	168	},
	169	access: {
	170	permission: &Permission::Or(&[
	171	&Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
	172	&Permission::UserParam("userid"),
	173	]),
	174	},
	175	)]
	176	/// Get a single TFA entry.
759af9f0	177	fn get_tfa_entry(userid: Userid, id: String) -> Result<TypedTfaInfo, Error> {
027ef213 WB	178	let _lock = crate::config::tfa::read_lock()?;
	179
	180	if let Some(user_data) = crate::config::tfa::read()?.users.remove(&userid) {
f58e5132 WB	181	match {
	182	// scope to prevent the temprary iter from borrowing across the whole match
	183	let entry = tfa_id_iter(&user_data).find(\|(_ty, _index, entry_id)\| id == *entry_id);
	184	entry.map(\|(ty, index, _)\| (ty, index))
	185	} {
	186	Some((TfaType::Recovery, _)) => {
ad5cee1d WB	187	if let Some(recovery) = user_data.recovery() {
	188	return Ok(TypedTfaInfo {
	189	ty: TfaType::Recovery,
	190	info: TfaInfo::recovery(recovery.created),
	191	});
	192	}
027ef213	193	}
f58e5132 WB	194	Some((TfaType::Totp, index)) => {
	195	return Ok(TypedTfaInfo {
	196	ty: TfaType::Totp,
	197	// `into_iter().nth()` to move out of it
	198	info: user_data.totp.into_iter().nth(index).unwrap().info,
	199	});
027ef213	200	}
f58e5132 WB	201	Some((TfaType::Webauthn, index)) => {
	202	return Ok(TypedTfaInfo {
	203	ty: TfaType::Webauthn,
	204	info: user_data.webauthn.into_iter().nth(index).unwrap().info,
	205	});
027ef213	206	}
f58e5132 WB	207	Some((TfaType::U2f, index)) => {
	208	return Ok(TypedTfaInfo {
	209	ty: TfaType::U2f,
	210	info: user_data.u2f.into_iter().nth(index).unwrap().info,
	211	});
027ef213	212	}
f58e5132	213	None => (),
027ef213 WB	214	}
	215	}
	216
	217	http_bail!(NOT_FOUND, "no such tfa entry: {}/{}", userid, id);
	218	}
	219
	220	#[api(
	221	protected: true,
	222	input: {
	223	properties: {
	224	userid: { type: Userid },
	225	id: {
	226	description: "the tfa entry id",
	227	},
	228	password: {
	229	schema: PASSWORD_SCHEMA,
	230	optional: true,
	231	},
	232	},
	233	},
	234	access: {
	235	permission: &Permission::Or(&[
	236	&Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
	237	&Permission::UserParam("userid"),
	238	]),
	239	},
	240	)]
	241	/// Get a single TFA entry.
759af9f0	242	fn delete_tfa(
027ef213 WB	243	userid: Userid,
	244	id: String,
	245	password: Option<String>,
	246	rpcenv: &mut dyn RpcEnvironment,
	247	) -> Result<(), Error> {
eab25e2f	248	tfa_update_auth(rpcenv, &userid, password, false)?;
027ef213 WB	249
	250	let _lock = crate::config::tfa::write_lock()?;
	251
	252	let mut data = crate::config::tfa::read()?;
	253
	254	let user_data = data
	255	.users
	256	.get_mut(&userid)
	257	.ok_or_else(\|\| http_err!(NOT_FOUND, "no such entry: {}/{}", userid, id))?;
	258
f58e5132 WB	259	match {
	260	// scope to prevent the temprary iter from borrowing across the whole match
	261	let entry = tfa_id_iter(&user_data).find(\|(_, _, entry_id)\| id == *entry_id);
	262	entry.map(\|(ty, index, _)\| (ty, index))
	263	} {
	264	Some((TfaType::Recovery, _)) => user_data.recovery = None,
	265	Some((TfaType::Totp, index)) => drop(user_data.totp.remove(index)),
	266	Some((TfaType::Webauthn, index)) => drop(user_data.webauthn.remove(index)),
	267	Some((TfaType::U2f, index)) => drop(user_data.u2f.remove(index)),
	268	None => http_bail!(NOT_FOUND, "no such tfa entry: {}/{}", userid, id),
027ef213 WB	269	}
	270
	271	if user_data.is_empty() {
	272	data.users.remove(&userid);
	273	}
	274
	275	crate::config::tfa::write(&data)?;
	276
	277	Ok(())
	278	}
	279
	280	#[api(
	281	properties: {
	282	"userid": { type: Userid },
	283	"entries": {
	284	type: Array,
	285	items: { type: TypedTfaInfo },
	286	},
	287	},
	288	)]
	289	#[derive(Deserialize, Serialize)]
	290	#[serde(deny_unknown_fields)]
	291	/// Over the API we only provide the descriptions for TFA data.
759af9f0	292	struct TfaUser {
027ef213 WB	293	/// The user this entry belongs to.
	294	userid: Userid,
	295
	296	/// TFA entries.
	297	entries: Vec<TypedTfaInfo>,
	298	}
	299
	300	#[api(
	301	protected: true,
	302	input: {
	303	properties: {},
	304	},
	305	access: {
	306	permission: &Permission::Anybody,
	307	description: "Returns all or just the logged-in user, depending on privileges.",
	308	},
759af9f0 WB	309	returns: {
	310	description: "The list tuples of user and TFA entries.",
	311	type: Array,
	312	items: { type: TfaUser }
	313	},
027ef213 WB	314	)]
027ef213 WB	315	/// List user TFA configuration.
759af9f0	316	fn list_tfa(rpcenv: &mut dyn RpcEnvironment) -> Result<Vec<TfaUser>, Error> {
027ef213 WB	317	let authid: Authid = rpcenv.get_auth_id().unwrap().parse()?;
	318	let user_info = CachedUserInfo::new()?;
	319
	320	let top_level_privs = user_info.lookup_privs(&authid, &["access", "users"]);
	321	let top_level_allowed = (top_level_privs & PRIV_SYS_AUDIT) != 0;
	322
	323	let _lock = crate::config::tfa::read_lock()?;
	324	let tfa_data = crate::config::tfa::read()?.users;
	325
	326	let mut out = Vec::<TfaUser>::new();
	327	if top_level_allowed {
	328	for (user, data) in tfa_data {
	329	out.push(TfaUser {
	330	userid: user,
	331	entries: to_data(data),
	332	});
	333	}
	334	} else {
	335	if let Some(data) = { tfa_data }.remove(authid.user()) {
	336	out.push(TfaUser {
	337	userid: authid.into(),
	338	entries: to_data(data),
	339	});
	340	}
	341	}
	342
759af9f0	343	Ok(out)
027ef213 WB	344	}
	345
	346	#[api(
	347	properties: {
	348	recovery: {
	349	description: "A list of recovery codes as integers.",
	350	type: Array,
	351	items: {
	352	type: Integer,
	353	description: "A one-time usable recovery code entry.",
	354	},
	355	},
	356	},
	357	)]
	358	/// The result returned when adding TFA entries to a user.
	359	#[derive(Default, Serialize)]
	360	struct TfaUpdateInfo {
	361	/// The id if a newly added TFA entry.
	362	id: Option<String>,
	363
	364	/// When adding u2f entries, this contains a challenge the user must respond to in order to
	365	/// finish the registration.
	366	#[serde(skip_serializing_if = "Option::is_none")]
	367	challenge: Option<String>,
	368
	369	/// When adding recovery codes, this contains the list of codes to be displayed to the user
	370	/// this one time.
	371	#[serde(skip_serializing_if = "Vec::is_empty", default)]
	372	recovery: Vec<String>,
	373	}
	374
	375	impl TfaUpdateInfo {
	376	fn id(id: String) -> Self {
	377	Self {
	378	id: Some(id),
	379	..Default::default()
	380	}
	381	}
	382	}
	383
	384	#[api(
	385	protected: true,
	386	input: {
	387	properties: {
	388	userid: { type: Userid },
	389	description: {
	390	description: "A description to distinguish multiple entries from one another",
	391	type: String,
	392	max_length: 255,
	393	optional: true,
	394	},
	395	"type": { type: TfaType },
	396	totp: {
	397	description: "A totp URI.",
	398	optional: true,
	399	},
	400	value: {
	401	description:
	402	"The current value for the provided totp URI, or a Webauthn/U2F challenge response",
	403	optional: true,
	404	},
	405	challenge: {
	406	description: "When responding to a u2f challenge: the original challenge string",
	407	optional: true,
408	},
409	password: {
410	schema: PASSWORD_SCHEMA,
411	optional: true,
412	},
413	},
414	},
415	returns: { type: TfaUpdateInfo },
416	access: {
417	permission: &Permission::Or(&[
418	&Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
419	&Permission::UserParam("userid"),
420	]),
421	},
422	)]
423	/// Add a TFA entry to the user.
424	fn add_tfa_entry(
425	userid: Userid,
426	description: Option<String>,
427	totp: Option<String>,
428	value: Option<String>,
429	challenge: Option<String>,
430	password: Option<String>,
d8318467	431	r#type: TfaType,
027ef213 WB	432	rpcenv: &mut dyn RpcEnvironment,
027ef213 WB	433	) -> Result<TfaUpdateInfo, Error> {
eab25e2f	434	tfa_update_auth(rpcenv, &userid, password, true)?;
027ef213	435
027ef213 WB	436	let need_description =
	437	move \|\| description.ok_or_else(\|\| format_err!("'description' is required for new entries"));
	438
d8318467	439	match r#type {
027ef213 WB	440	TfaType::Totp => match (totp, value) {
	441	(Some(totp), Some(value)) => {
	442	if challenge.is_some() {
	443	bail!("'challenge' parameter is invalid for 'totp' entries");
	444	}
	445	let description = need_description()?;
	446
	447	let totp: Totp = totp.parse()?;
	448	if totp
	449	.verify(&value, std::time::SystemTime::now(), -1..=1)?
	450	.is_none()
	451	{
	452	bail!("failed to verify TOTP challenge");
	453	}
	454	crate::config::tfa::add_totp(&userid, description, totp).map(TfaUpdateInfo::id)
	455	}
	456	_ => bail!("'totp' type requires both 'totp' and 'value' parameters"),
	457	},
	458	TfaType::Webauthn => {
	459	if totp.is_some() {
	460	bail!("'totp' parameter is invalid for 'totp' entries");
	461	}
	462
	463	match challenge {
	464	None => crate::config::tfa::add_webauthn_registration(&userid, need_description()?)
	465	.map(\|c\| TfaUpdateInfo {
	466	challenge: Some(c),
	467	..Default::default()
	468	}),
	469	Some(challenge) => {
	470	let value = value.ok_or_else(\|\| {
	471	format_err!(
	472	"missing 'value' parameter (webauthn challenge response missing)"
	473	)
	474	})?;
	475	crate::config::tfa::finish_webauthn_registration(&userid, &challenge, &value)
	476	.map(TfaUpdateInfo::id)
	477	}
	478	}
	479	}
	480	TfaType::U2f => {
	481	if totp.is_some() {
	482	bail!("'totp' parameter is invalid for 'totp' entries");
	483	}
	484
	485	match challenge {
	486	None => crate::config::tfa::add_u2f_registration(&userid, need_description()?).map(
	487	\|c\| TfaUpdateInfo {
	488	challenge: Some(c),
	489	..Default::default()
	490	},
	491	),
	492	Some(challenge) => {
	493	let value = value.ok_or_else(\|\| {
	494	format_err!("missing 'value' parameter (u2f challenge response missing)")
	495	})?;
	496	crate::config::tfa::finish_u2f_registration(&userid, &challenge, &value)
	497	.map(TfaUpdateInfo::id)
	498	}
	499	}
	500	}
	501	TfaType::Recovery => {
	502	if totp.or(value).or(challenge).is_some() {
	503	bail!("generating recovery tokens does not allow additional parameters");
504	}
505
506	let recovery = crate::config::tfa::add_recovery(&userid)?;
507
508	Ok(TfaUpdateInfo {
509	id: Some("recovery".to_string()),
510	recovery,
511	..Default::default()
512	})
513	}
514	}
515	}
516
517	#[api(
518	protected: true,
519	input: {
520	properties: {
521	userid: { type: Userid },
522	id: {
523	description: "the tfa entry id",
524	},
525	description: {
526	description: "A description to distinguish multiple entries from one another",
527	type: String,
528	max_length: 255,
529	optional: true,
530	},
531	enable: {
532	description: "Whether this entry should currently be enabled or disabled",
533	optional: true,
534	},
535	password: {
536	schema: PASSWORD_SCHEMA,
537	optional: true,
538	},
539	},
540	},
541	access: {
542	permission: &Permission::Or(&[
543	&Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
544	&Permission::UserParam("userid"),
545	]),
546	},
547	)]
548	/// Update user's TFA entry description.
759af9f0	549	fn update_tfa_entry(
027ef213 WB	550	userid: Userid,
	551	id: String,
	552	description: Option<String>,
	553	enable: Option<bool>,
	554	password: Option<String>,
	555	rpcenv: &mut dyn RpcEnvironment,
	556	) -> Result<(), Error> {
eab25e2f	557	tfa_update_auth(rpcenv, &userid, password, true)?;
027ef213 WB	558
	559	let _lock = crate::config::tfa::write_lock()?;
	560
	561	let mut data = crate::config::tfa::read()?;
	562
	563	let mut entry = data
	564	.users
	565	.get_mut(&userid)
	566	.and_then(\|user\| user.find_entry_mut(&id))
	567	.ok_or_else(\|\| http_err!(NOT_FOUND, "no such entry: {}/{}", userid, id))?;
	568
	569	if let Some(description) = description {
	570	entry.description = description;
	571	}
	572
	573	if let Some(enable) = enable {
	574	entry.enable = enable;
	575	}
	576
	577	crate::config::tfa::write(&data)?;
	578	Ok(())
	579	}
	580
	581	pub const ROUTER: Router = Router::new()
	582	.get(&API_METHOD_LIST_TFA)
	583	.match_all("userid", &USER_ROUTER);
	584
	585	const USER_ROUTER: Router = Router::new()
	586	.get(&API_METHOD_LIST_USER_TFA)
	587	.post(&API_METHOD_ADD_TFA_ENTRY)
	588	.match_all("id", &ITEM_ROUTER);
	589
	590	const ITEM_ROUTER: Router = Router::new()
1fc9ac04	591	.get(&API_METHOD_GET_TFA_ENTRY)
027ef213 WB	592	.put(&API_METHOD_UPDATE_TFA_ENTRY)
027ef213 WB	593	.delete(&API_METHOD_DELETE_TFA);