src/PMG/TFAConfig.pm

   1 package PMG::TFAConfig;
   2
   3 use strict;
   4 use warnings;
   5
   6 use PVE::Tools;
   7 use PVE::INotify;
   8 use PVE::JSONSchema qw(get_standard_option);
   9 use PVE::Exception qw(raise);
  10
  11 use PMG::Utils;
  12 use PMG::UserConfig;
  13
  14 use base 'PMG::RS::TFA';
  15
  16 my $inotify_file_id = 'pmg-tfa.json';
  17 my $config_filename = '/etc/pmg/tfa.json';
  18
  19 sub new {
  20     my ($type) = @_;
  21
  22     my $class = ref($type) || $type;
  23
  24     my $cfg = PVE::INotify::read_file($inotify_file_id);
  25
  26     return bless $cfg, $class;
  27 }
  28
  29 sub write {
  30     my ($self) = @_;
  31
  32     PVE::INotify::write_file($inotify_file_id, $self);
  33 }
  34
  35 # This lives in `UserConfig` in order to enforce lock order.
  36 sub lock_config {
  37     return PMG::UserConfig::lock_tfa_config(@_);
  38 }
  39
  40 my sub read_tfa_conf : prototype($$) {
  41     my ($filename, $fh) = @_;
  42
  43     my $raw;
  44     if ($fh) {
  45         $raw = do { local $/ = undef; <$fh> };
  46     } else {
  47         $raw = '{}';
  48     }
  49
  50     my $cfg = PMG::RS::TFA->new($raw);
  51
  52     # Purge invalid users:
  53     my $usercfg = PMG::UserConfig->new();
  54     foreach my $user ($cfg->users()->@*) {
  55         if (!$usercfg->lookup_user_data($user, 1)) {
  56             $cfg->remove_user($user);
  57         }
  58     }
  59
  60     return $cfg;
  61 }
  62
  63 my sub write_tfa_conf : prototype($$$) {
  64     my ($filename, $fh, $cfg) = @_;
  65
  66     chmod(0600, $fh);
  67
  68     PVE::Tools::safe_print($filename, $fh, $cfg->SUPER::write());
  69 }
  70
  71 PVE::INotify::register_file(
  72     $inotify_file_id,
  73     $config_filename,
  74     \&read_tfa_conf,
  75     \&write_tfa_conf,
  76     undef,
  77     always_call_parser => 1,
  78     # the parser produces a rust TfaConfig object, Clone::clone would break this
  79     noclone => 1,
  80 );
  81
  82 1;