PMG/UserConfig.pm

   1 package PMG::UserConfig;
   2
   3
   4 use strict;
   5 use warnings;
   6 use Data::Dumper;
   7 use Clone 'clone';
   8
   9 use PVE::Tools;
  10 use PVE::INotify;
  11 use PVE::JSONSchema qw(get_standard_option);
  12 use PVE::Exception qw(raise);
  13
  14 use PMG::Utils;
  15
  16 my $inotify_file_id = 'pmg-user.conf';
  17 my $config_filename = '/etc/pmg/user.conf';
  18
  19 sub new {
  20     my ($type) = @_;
  21
  22     my $class = ref($type) || $type;
  23
  24     my $cfg = PVE::INotify::read_file($inotify_file_id);
  25
  26     return bless $cfg, $class;
  27 }
  28
  29 sub write {
  30     my ($self) = @_;
  31
  32     PVE::INotify::write_file($inotify_file_id, $self);
  33 }
  34
  35 my $lockfile = "/var/lock/pmguser.lck";
  36
  37 sub lock_config {
  38     my ($code, $errmsg) = @_;
  39
  40     my $p = PVE::Tools::lock_file($lockfile, undef, $code);
  41     if (my $err = $@) {
  42         $errmsg ? die "$errmsg: $err" : die $err;
  43     }
  44 }
  45
  46 our $schema = {
  47     additionalProperties => 0,
  48     properties => {
  49         userid => get_standard_option('username'),
  50         email => {
  51             description => "Users E-Mail address.",
  52             type => 'string', format => 'email',
  53             optional => 1,
  54         },
  55         expire => {
  56             description => "Account expiration date (seconds since epoch). '0' means no expiration date.",
  57             type => 'integer',
  58             minimum => 0,
  59             default => 0,
  60             optional => 1,
  61         },
  62         enable => {
  63             description => "Flag to enable or disable the account.",
  64             type => 'boolean',
  65             default => 0,
  66             optional => 1,
  67         },
  68         crypt_pass => {
  69             description => "Encrypted password (see `man crypt`)",
  70             type => 'string',
  71             pattern => '\$\d\$[a-zA-Z0-9\.\/]+\$[a-zA-Z0-9\.\/]+',
  72             optional => 1,
  73         },
  74         role => {
  75             description => "User role.",
  76             type => 'string',
  77             enum => ['root', 'admin', 'qmanager', 'quser', 'audit'],
  78         },
  79         first => {
  80             description => "First name.",
  81             type => 'string',
  82             maxLength => 64,
  83             optional => 1,
  84         },
  85         'last' => {
  86             description => "Last name.",
  87             type => 'string',
  88             maxLength => 64,
  89             optional => 1,
  90         },
  91         keys => {
  92             description => "Keys for two factor auth (yubico).",
  93             type => 'string',
  94             maxLength => 128,
  95             optional => 1,
  96         },
  97         comment => {
  98             description => "Comment.",
  99             type => 'string',
 100             optional => 1,
 101         },
 102     },
 103 };
 104
 105 our $update_schema = clone($schema);
 106 $update_schema->{properties}->{role}->{optional} = 1;
 107 $update_schema->{properties}->{delete} = {
 108     type => 'string', format => 'pve-configid-list',
 109     description => "A list of settings you want to delete.",
 110     maxLength => 4096,
 111     optional => 1,
 112 };
 113
 114 my $verity_entry = sub {
 115     my ($entry) = @_;
 116
 117     my $errors = {};
 118     PVE::JSONSchema::check_prop($entry, $schema, '', $errors);
 119     if (scalar(%$errors)) {
 120         raise "verify entry failed\n", errors => $errors;
 121     }
 122 };
 123
 124 sub read_user_conf {
 125     my ($filename, $fh) = @_;
 126
 127     my $cfg = {};
 128
 129     if ($fh) {
 130
 131         my $comment = '';
 132
 133         while (defined(my $line = <$fh>)) {
 134             next if $line =~ m/^\s*$/;
 135             if ($line =~ m/^#(.*)$/) {
 136                 $comment = $1;
 137                 next;
 138             }
 139
 140             if ($line =~ m/^
 141                (?<userid>(?:[^\s:]+)) :
 142                (?<enable>[01]?) :
 143                (?<expire>\d*) :
 144                (?<crypt_pass>(?:[^\s:]*)) :
 145                (?<role>[a-z]+) :
 146                (?<email>(?:[^\s:]*)) :
 147                (?<first>(?:[^:]*)) :
 148                (?<last>(?:[^:]*)) :
 149                (?<keys>(?:[^:]*)) :
 150                $/x
 151             ) {
 152                 my $d = {
 153                     userid => $+{userid},
 154                     enable => $+{enable} || 0,
 155                     expire => $+{expire} || 0,
 156                     role => $+{role},
 157                 };
 158                 $d->{comment} = $comment if $comment;
 159                 $comment = '';
 160                 foreach my $k (qw(crypt_pass email first last keys)) {
 161                     $d->{$k} = $+{$k} if $+{$k};
 162                 }
 163                 eval {
 164                     $verity_entry->($d);
 165                     $cfg->{$d->{userid}} = $d;
 166                 };
 167                 if (my $err = $@) {
 168                     warn "$filename: $err";
 169                 }
 170             } else {
 171                 warn "$filename: ignore invalid line $.\n";
 172                 $comment = '';
 173             }
 174         }
 175     }
 176
 177     $cfg->{root} //= {};
 178     $cfg->{root}->{userid} = 'root';
 179     $cfg->{root}->{enable} = 1;
 180     $cfg->{root}->{comment} = 'Unix Superuser';
 181     $cfg->{root}->{role} = 'root';
 182     delete $cfg->{root}->{crypt_pass};
 183
 184     return $cfg;
 185 }
 186
 187 sub write_user_conf {
 188     my ($filename, $fh, $cfg) = @_;
 189
 190     my $raw = '';
 191
 192     delete $cfg->{root}->{crypt_pass};
 193
 194     foreach my $userid (keys %$cfg) {
 195         my $d = $cfg->{$userid};
 196         $d->{userid} = $userid;
 197         eval {
 198             $verity_entry->($d);
 199             $cfg->{$d->{userid}} = $d;
 200         };
 201         if (my $err = $@) {
 202             die $err;
 203         }
 204         my $line = "$userid:";
 205         for my $k (qw(enable expire crypt_pass role email first last keys)) {
 206             $line .= ($d->{$k} // '') . ':';
 207         }
 208         if (my $comment = $d->{comment}) {
 209             my $firstline = (split /\n/, $comment)[0]; # only allow one line
 210             $raw .= "#$firstline\n";
 211         }
 212         $raw .= $line . "\n";
 213     }
 214
 215     PVE::Tools::safe_print($filename, $fh, $raw);
 216 }
 217
 218 PVE::INotify::register_file($inotify_file_id, $config_filename,
 219                             \&read_user_conf,
 220                             \&write_user_conf,
 221                             undef,
 222                             always_call_parser => 1);
 223
 224 sub lookup_user_data {
 225     my ($self, $username, $noerr) = @_;
 226
 227     return $self->{$username} if $self->{$username};
 228
 229     die "no such user ('$username')\n" if !$noerr;
 230
 231     return undef;
 232 }
 233
 234 sub authenticate_user {
 235     my ($self, $username, $password) = @_;
 236
 237     die "no password\n" if !$password;
 238
 239     my $data = $self->lookup_user_data($username);
 240
 241     my $ctime = time();
 242     my $expire = $data->{expire};
 243
 244     die "account expired\n" if $expire && ($expire < $ctime);
 245
 246     if ($data->{crypt_pass}) {
 247         my $encpw = crypt($password, $data->{crypt_pass});
 248         die "invalid credentials\n" if ($encpw ne $data->{crypt_pass});
 249     } else {
 250         die "no password set\n";
 251     }
 252
 253     return 1;
 254 }
 255
 256 sub set_password {
 257     my ($class, $username, $password) = @_;
 258
 259     lock_config(sub {
 260         my $cfg = $class->new();
 261         my $data = $cfg->lookup_user_data($username); # user exists
 262         my $epw = PMG::Utils::encrypt_pw($password);
 263         $data->{crypt_pass} = $epw;
 264         $cfg->write();
 265     });
 266 }
 267
 268 1;