1 //! For now this only has the TFA subdir, which is in this file.
2 //! If we add more, it should be moved into a sub module.
3
4 use anyhow::Error;
5
6 use proxmox_router::{Router, RpcEnvironment, Permission, SubdirMap};
7 use proxmox_schema::api;
8 use proxmox_router::list_subdirs_api_method;
9
10 use pbs_api_types::PROXMOX_CONFIG_DIGEST_SCHEMA;
11
12 use crate::config::tfa::{self, WebauthnConfig, WebauthnConfigUpdater};
13
/// Router for the `webauthn` subdirectory: GET is wired to the read handler and PUT to the
/// update handler (the `API_METHOD_*` constants are presumably generated by the `#[api]`
/// attribute on those handlers).
const WEBAUTHN_ROUTER: Router = Router::new()
    .get(&API_METHOD_GET_WEBAUTHN_CONFIG)
    .put(&API_METHOD_UPDATE_WEBAUTHN_CONFIG);

/// Child routes of this subtree; currently only `webauthn`.
// NOTE(review): keep entries sorted by name if more are added - confirm the lookup
// requirement against the router crate.
const SUBDIRS: SubdirMap = &[("webauthn", &WEBAUTHN_ROUTER)];

/// Entry point of this API subtree: GET lists the subdirectories, and [`SUBDIRS`] is registered
/// as the set of child routes.
pub const ROUTER: Router = Router::new()
    .get(&list_subdirs_api_method!(SUBDIRS))
    .subdirs(SUBDIRS);
23
// GET handler for the `webauthn` subdirectory.
//
// Returns the stored WebAuthn settings, or `None` when `tfa::webauthn_config()` reports that
// nothing is configured. When settings exist, their digest is published as hex through
// `rpcenv["digest"]`; the update handler accepts such a digest to detect concurrent changes.
//
// NOTE(review): access is `Permission::Anybody`, so this is readable by every caller that
// passes that check (presumably any authenticated user - confirm). The response must stay
// limited to values that are safe to disclose that widely.
#[api(
    protected: true,
    input: {
        properties: {},
    },
    returns: {
        type: WebauthnConfig,
        optional: true,
    },
    access: {
        permission: &Permission::Anybody,
    },
)]
/// Get the TFA configuration.
pub fn get_webauthn_config(
    mut rpcenv: &mut dyn RpcEnvironment,
) -> Result<Option<WebauthnConfig>, Error> {
    if let Some((settings, raw_digest)) = tfa::webauthn_config()? {
        // Expose the digest only when there is a configuration it belongs to.
        let hex_digest = proxmox::tools::digest_to_hex(&raw_digest);
        rpcenv["digest"] = hex_digest.into();
        return Ok(Some(settings));
    }

    Ok(None)
}
48
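// PUT handler for the `webauthn` subdirectory.
//
// Merges the supplied fields into the stored WebAuthn settings, or creates the settings when
// none are stored yet. In the create case all of `rp`, `origin` and `id` are required.
//
// `digest`, when given, is compared against the digest of the stored settings so that an update
// based on stale data is rejected. It is only checked when settings already exist.
//
// Errors: lock acquisition, reading or writing the TFA config, a malformed or mismatching
// digest, or a missing field on first-time configuration.
//
// NOTE(review): no `access` block is given, so the router's default permission applies -
// confirm that this default is restrictive enough for a setting that controls which relying
// party and origin WebAuthn credentials are bound to.
// NOTE(review): changing `id`/`origin` after users registered credentials presumably makes
// those registrations unusable - confirm whether callers need to be warned.
#[api(
    protected: true,
    input: {
        properties: {
            webauthn: {
                flatten: true,
                type: WebauthnConfigUpdater,
            },
            digest: {
                optional: true,
                schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
            },
        },
    },
)]
/// Update the TFA configuration.
pub fn update_webauthn_config(
    webauthn: WebauthnConfigUpdater,
    digest: Option<String>,
) -> Result<(), Error> {
    // The `?` matters: without it a failed lock acquisition would merely be stored in `_lock`
    // and the read-modify-write below would run without holding the lock.
    let _lock = tfa::write_lock()?;

    let mut tfa = tfa::read()?;

    if let Some(wa) = &mut tfa.webauthn {
        if let Some(ref digest) = digest {
            let digest = proxmox::tools::hex_to_digest(digest)?;
            crate::tools::detect_modified_configuration_file(
                &digest,
                &crate::config::tfa::webauthn_config_digest(&wa)?,
            )?;
        }
        // Partial update: only the fields present in the request are replaced.
        if let Some(ref rp) = webauthn.rp {
            wa.rp = rp.clone();
        }
        if let Some(ref origin) = webauthn.origin {
            wa.origin = origin.clone();
        }
        if let Some(ref id) = webauthn.id {
            wa.id = id.clone();
        }
    } else {
        // First-time configuration: every field is mandatory. Report a missing one as a
        // regular API error instead of panicking inside the request handler.
        let rp = webauthn
            .rp
            .ok_or_else(|| anyhow::format_err!("missing property: 'rp'"))?;
        let origin = webauthn
            .origin
            .ok_or_else(|| anyhow::format_err!("missing property: 'origin'"))?;
        let id = webauthn
            .id
            .ok_or_else(|| anyhow::format_err!("missing property: 'id'"))?;
        tfa.webauthn = Some(WebauthnConfig { rp, origin, id });
    }

    tfa::write(&tfa)?;

    Ok(())
}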