PMG/AccessControl.pm

   1 package PMG::AccessControl;
   2
   3 use strict;
   4 use warnings;
   5 use Authen::PAM;
   6 use PVE::Tools;
   7
   8 use PVE::JSONSchema qw(get_standard_option);
   9
  10 use PMG::UserConfig;
  11
  12 sub normalize_path {
  13     my $path = shift;
  14
  15     $path =~ s|/+|/|g;
  16
  17     $path =~ s|/$||;
  18
  19     $path = '/' if !$path;
  20
  21     $path = "/$path" if $path !~ m|^/|;
  22
  23     return undef if $path !~ m|^[[:alnum:]\.\-\_\/]+$|;
  24
  25     return $path;
  26 }
  27
  28 # password should be utf8 encoded
  29 # Note: some plugins delay/sleep if auth fails
  30 sub authenticate_user {
  31     my ($username, $password, $otp) = @_;
  32
  33     die "no username specified\n" if !$username;
  34
  35     my ($ruid, $realm);
  36
  37     ($username, $ruid, $realm) = PMG::Utils::verify_username($username);
  38
  39     if ($realm eq 'pam') {
  40         die "invalid pam user (only root allowed)\n" if $ruid ne 'root';
  41         authenticate_pam_user($ruid, $password);
  42         return $username;
  43     }
  44
  45     if ($realm eq 'pmg') {
  46         my $usercfg = PMG::UserConfig->new();
  47         $usercfg->authenticate_user($username, $password);
  48         return $username;
  49      }
  50
  51     die "no such realm '$realm'\n";
  52 }
  53
  54 sub set_user_password {
  55     my ($username, $password) = @_;
  56
  57     my ($ruid, $realm);
  58
  59     ($username, $ruid, $realm) = PMG::Utils::verify_username($username);
  60
  61     if ($realm eq 'pam') {
  62         die "invalid pam user (only root allowed)\n" if $ruid ne 'root';
  63
  64         my $cmd = ['usermod'];
  65
  66         my $epw = PMG::Utils::encrypt_pw($password);
  67
  68         push @$cmd, '-p', $epw, $ruid;
  69
  70         run_command($cmd, errmsg => "change password for '$ruid' failed");
  71
  72     } elsif ($realm eq 'pmg') {
  73         PMG::UserConfig->set_user_password($username, $password);
  74     } else {
  75         die "no such realm '$realm'\n";
  76     }
  77 }
  78
  79 # test if user exists and is enabled
  80 sub check_user_enabled {
  81     my ($username, $noerr) = @_;
  82
  83     my ($ruid, $realm);
  84
  85     ($username, $ruid, $realm) = PMG::Utils::verify_username($username, 1);
  86
  87     if ($realm && $ruid) {
  88         if ($realm eq 'pam') {
  89             return 1 if $ruid eq 'root';
  90         } elsif ($realm eq 'pmg') {
  91             my $usercfg = PMG::UserConfig->new();
  92             my $data = $usercfg->lookup_user_data($username, $noerr);
  93             return 1 if $data && $data->{enable};
  94         }
  95     }
  96
  97     die "user '$username' is disabled\n" if !$noerr;
  98
  99     return undef;
 100 }
 101
 102 sub authenticate_pam_user {
 103     my ($username, $password) = @_;
 104
 105     # user need to be able to read /etc/passwd /etc/shadow
 106
 107     my $pamh = Authen::PAM->new('common-auth', $username, sub {
 108         my @res;
 109         while(@_) {
 110             my $msg_type = shift;
 111             my $msg = shift;
 112             push @res, (0, $password);
 113         }
 114         push @res, 0;
 115         return @res;
 116     });
 117
 118     if (!ref($pamh)) {
 119         my $err = $pamh->pam_strerror($pamh);
 120         die "Error during PAM init: $err";
 121     }
 122
 123     my $res;
 124
 125     if (($res = $pamh->pam_authenticate(0)) != PAM_SUCCESS) {
 126         my $err = $pamh->pam_strerror($res);
 127         die "auth failed: $err";
 128     }
 129
 130     if (($res = $pamh->pam_acct_mgmt(0)) != PAM_SUCCESS) {
 131         my $err = $pamh->pam_strerror($res);
 132         die "auth failed: $err";
 133     }
 134
 135     $pamh = 0; # call destructor
 136
 137     return 1;
 138 }
 139
 140 1;