1 package PMG
::AccessControl
;
8 use PVE
::JSONSchema
qw(get_standard_option);
19 $path = '/' if !$path;
21 $path = "/$path" if $path !~ m
|^/|;
23 return undef if $path !~ m
|^[[:alnum
:]\
.\
-\_\
/]+$|;
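# Authenticate $username (user@realm form) with $password.
#
# $password should be utf8 encoded.
# $otp is accepted for interface compatibility but is not consulted by this
# function as written; nothing here verifies a second factor.
# Note: some plugins delay/sleep if auth fails
#
# Returns the normalized username on success. Dies on any failure: missing
# credentials, unknown realm, non-root PAM user, or rejected password.
sub authenticate_user {
    my ($username, $password, $otp) = @_;

    die "no username specified\n" if !$username;
    # Fail closed on a missing/empty password instead of handing undef to the
    # realm backends (PAM would otherwise be answered with an empty string).
    die "no password specified\n" if !defined($password) || !length($password);

    my ($ruid, $realm);
    ($username, $ruid, $realm) = PMG::Utils::verify_username($username);

    if ($realm eq 'pam') {
        # PAM logins are restricted to root; any other system account is
        # rejected before PAM is consulted at all.
        die "invalid pam user (only root allowed)\n" if $ruid ne 'root';
        authenticate_pam_user($ruid, $password);
        return $username;
    }

    if ($realm eq 'pmg') {
        # PMG-local users live in the user config; the backend dies on a
        # wrong password.
        my $usercfg = PMG::UserConfig->new();
        $usercfg->authenticate_user($username, $password);
        return $username;
    }

    die "no such realm '$realm'\n";
}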
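# Set a new password for $username (user@realm form).
#
# For the 'pam' realm only root may be changed; the hash is written via
# chpasswd. For the 'pmg' realm the user config backend stores it.
# Dies on a missing username/password, an unknown realm, a non-root PAM
# user, or when the underlying update fails.
sub set_user_password {
    my ($username, $password) = @_;

    die "no username specified\n" if !$username;
    # Never silently install an empty password.
    die "no password specified\n" if !defined($password) || !length($password);

    my ($ruid, $realm);
    ($username, $ruid, $realm) = PMG::Utils::verify_username($username);

    if ($realm eq 'pam') {
        die "invalid pam user (only root allowed)\n" if $ruid ne 'root';

        my $epw = PVE::Tools::encrypt_pw($password);

        # Hand the hash to chpasswd on stdin rather than as a 'usermod -p'
        # argument: argv is readable by every local process through
        # /proc/<pid>/cmdline, and a password hash should not be exposed
        # there, even briefly.
        run_command(
            ['chpasswd', '-e'],
            input => "$ruid:$epw\n",
            errmsg => "change password for '$ruid' failed",
        );
    } elsif ($realm eq 'pmg') {
        PMG::UserConfig->set_user_password($username, $password);
    } else {
        die "no such realm '$realm'\n";
    }
}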
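# Test if the user exists and is enabled.
#
# Returns the user's role: 'root' for root@pam, or the configured role for an
# enabled 'pmg' realm user. Any other case (unknown/invalid username, a PAM
# account other than root, a disabled or missing pmg user) dies with
# "user ... is disabled" unless $noerr is set, in which case undef is
# returned. $noerr is also passed through to the user config lookup.
sub check_user_enabled {
    my ($username, $noerr) = @_;

    # second argument: do not die on an invalid username, leave $realm/$ruid
    # unset instead so we fall through to the disabled/undef path below
    my ($ruid, $realm);
    ($username, $ruid, $realm) = PMG::Utils::verify_username($username, 1);

    if ($realm && $ruid) {
        if ($realm eq 'pam') {
            # root is the only PAM account this API accepts
            return 'root' if $ruid eq 'root';
        } elsif ($realm eq 'pmg') {
            my $usercfg = PMG::UserConfig->new();
            my $data = $usercfg->lookup_user_data($username, $noerr);
            # only an existing *and* enabled entry yields a role
            return $data->{role} if $data && $data->{enable};
        }
    }

    die "user '$username' is disabled\n" if !$noerr;

    return undef; # explicit undef: callers treat "no role" as not enabled
}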
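# Verify $password for the system account $username against the PAM
# 'common-auth' stack. Dies on any failure; the return value is not
# meaningful on success.
#
# The process needs to be able to read /etc/passwd and /etc/shadow for
# pam_unix to check the password, i.e. this is expected to run as root.
sub authenticate_pam_user {
    my ($username, $password) = @_;

    # PAM conversation callback: it receives (msg_type, msg) pairs and must
    # return a (retcode, response) pair per message followed by a final
    # retcode. The password is only handed out for hidden-input prompts;
    # informational, error and echo-on messages get an empty response so the
    # secret never ends up in an answer a module could log or display.
    my $conv = sub {
        my @res;
        while (@_) {
            my $msg_type = shift;
            my $msg = shift;
            my $answer = '';
            $answer = $password
                if $msg_type == Authen::PAM::PAM_PROMPT_ECHO_OFF();
            push @res, (PAM_SUCCESS(), $answer);
        }
        push @res, PAM_SUCCESS();
        return @res;
    };

    my $pamh = Authen::PAM->new('common-auth', $username, $conv);

    if (!ref($pamh)) {
        # On an init failure Authen::PAM->new returns a plain error code
        # rather than a handle object, so no method may be called on it;
        # report the numeric code instead.
        die "Error during PAM init: error code $pamh\n";
    }

    my $res;

    # Trailing "\n" on the messages keeps Perl from appending the source
    # file and line to what is ultimately shown to the client.
    if (($res = $pamh->pam_authenticate(0)) != PAM_SUCCESS) {
        my $err = $pamh->pam_strerror($res);
        die "auth failed: $err\n";
    }

    # account management is a separate PAM step (expired/locked accounts)
    if (($res = $pamh->pam_acct_mgmt(0)) != PAM_SUCCESS) {
        my $err = $pamh->pam_strerror($res);
        die "auth failed: $err\n";
    }

    $pamh = 0; # call destructor, which releases the PAM transaction
}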