]>
git.proxmox.com Git - pve-access-control.git/blob - PVE/Auth/Plugin.pm
1 package PVE
::Auth
::Plugin
;
8 use PVE
::SectionConfig
;
9 use PVE
::JSONSchema
qw(get_standard_option);
10 use PVE
::Cluster
qw(cfs_register_file cfs_read_file cfs_lock_file);
14 use base
qw(PVE::SectionConfig);
16 my $domainconfigfile = "domains.cfg";
18 cfs_register_file
($domainconfigfile,
19 sub { __PACKAGE__-
>parse_config(@_); },
20 sub { __PACKAGE__-
>write_config(@_); });
22 sub lock_domain_config
{
23 my ($code, $errmsg) = @_;
25 cfs_lock_file
($domainconfigfile, undef, $code);
28 $errmsg ?
die "$errmsg: $err" : die $err;
32 my $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/;
34 PVE
::JSONSchema
::register_format
('pve-realm', \
&pve_verify_realm
);
35 sub pve_verify_realm
{
36 my ($realm, $noerr) = @_;
38 if ($realm !~ m/^${realm_regex}$/) {
39 return undef if $noerr;
40 die "value does not look like a valid realm\n";
45 PVE
::JSONSchema
::register_standard_option
('realm', {
46 description
=> "Authentication domain ID",
47 type
=> 'string', format
=> 'pve-realm',
51 PVE
::JSONSchema
::register_format
('pve-userid', \
&verify_username
);
53 my ($username, $noerr) = @_;
55 $username = '' if !$username;
56 my $len = length($username);
58 die "user name '$username' is too short\n" if !$noerr;
62 die "user name '$username' is too long ($len > 64)\n" if !$noerr;
66 # we only allow a limited set of characters
67 # colon is not allowed, because we store usernames in
68 # colon separated lists)!
69 # slash is not allowed because it is used as pve API delimiter
70 # also see "man useradd"
71 if ($username =~ m!^([^\s:/]+)\@(${realm_regex})$!) {
72 return wantarray ?
($username, $1, $2) : $username;
75 die "value '$username' does not look like a valid user name\n" if !$noerr;
80 PVE
::JSONSchema
::register_standard_option
('userid', {
81 description
=> "User ID",
82 type
=> 'string', format
=> 'pve-userid',
89 my $time = substr(Digest
::SHA
::sha1_base64
(time), 0, 8);
90 return crypt(encode
("utf8", $pw), "\$5\$$time\$");
95 type
=> { description
=> "Realm type." },
96 realm
=> get_standard_option
('realm'),
104 sub parse_section_header
{
105 my ($class, $line) = @_;
107 if ($line =~ m/^(\S+):\s*(\S+)\s*$/) {
108 my ($type, $realm) = (lc($1), $2);
109 my $errmsg = undef; # set if you want to skip whole section
110 eval { pve_verify_realm
($realm); };
112 my $config = {}; # to return additional attributes
113 return ($type, $realm, $errmsg, $config);
119 my ($class, $filename, $raw) = @_;
121 my $cfg = $class->SUPER::parse_config
($filename, $raw);
124 foreach my $realm (keys %{$cfg->{ids
}}) {
125 my $data = $cfg->{ids
}->{$realm};
126 # make sure there is only one default marker
127 if ($data->{default}) {
129 delete $data->{default};
135 if ($data->{comment
}) {
136 $data->{comment
} = PVE
::Tools
::decode_text
($data->{comment
});
141 # add default domains
143 $cfg->{ids
}->{pve
} = {
145 comment
=> "Proxmox VE authentication server",
148 $cfg->{ids
}->{pam
} = {
150 plugin
=> 'PVE::Auth::PAM',
151 comment
=> "Linux PAM standard authentication",
158 my ($class, $filename, $cfg) = @_;
160 delete $cfg->{ids
}->{pve
};
161 delete $cfg->{ids
}->{pam
};
163 foreach my $realm (keys %{$cfg->{ids
}}) {
164 my $data = $cfg->{ids
}->{$realm};
165 if ($data->{comment
}) {
166 $data->{comment
} = PVE
::Tools
::encode_text
($data->{comment
});
170 $class->SUPER::write_config
($filename, $cfg);
173 sub authenticate_user
{
174 my ($class, $config, $realm, $username, $password) = @_;
180 my ($class, $config, $realm, $username, $password) = @_;
182 my $type = $class->type();
184 die "can't set password on auth type '$type'\n";
188 my ($class, $config, $realm, $username) = @_;
190 # do nothing by default