+sub add_vm_to_pool {
+ my ($vmid, $pool) = @_;
+
+ my $addVMtoPoolFn = sub {
+ my $usercfg = cfs_read_file("user.cfg");
+ if (my $data = $usercfg->{pools}->{$pool}) {
+ $data->{vms}->{$vmid} = 1;
+ $usercfg->{vms}->{$vmid} = $pool;
+ cfs_write_file("user.cfg", $usercfg);
+ }
+ };
+
+ lock_user_config($addVMtoPoolFn, "can't add VM $vmid to pool '$pool'");
+}
+
+sub remove_vm_from_pool {
+ my ($vmid) = @_;
+
+ my $delVMfromPoolFn = sub {
+ my $usercfg = cfs_read_file("user.cfg");
+ if (my $pool = $usercfg->{vms}->{$vmid}) {
+ if (my $data = $usercfg->{pools}->{$pool}) {
+ delete $data->{vms}->{$vmid};
+ delete $usercfg->{vms}->{$vmid};
+ cfs_write_file("user.cfg", $usercfg);
+ }
+ }
+ };
+
+ lock_user_config($delVMfromPoolFn, "pool cleanup for VM $vmid failed");
+}
+
+# experimental code for yubico OTP verification
+
+sub yubico_compute_param_sig {
+ my ($param, $api_key) = @_;
+
+ my $paramstr = '';
+ foreach my $key (sort keys %$param) {
+ $paramstr .= '&' if $paramstr;
+ $paramstr .= "$key=$param->{$key}";
+ }
+
+ my $sig = uri_escape(encode_base64(Digest::HMAC_SHA1::hmac_sha1($paramstr, decode_base64($api_key || '')), ''));
+
+ return ($paramstr, $sig);
+}
+
+sub yubico_verify_otp {
+ my ($otp, $keys, $url, $api_id, $api_key, $proxy) = @_;
+
+ die "yubico: missing password\n" if !defined($otp);
+ die "yubico: missing API ID\n" if !defined($api_id);
+ die "yubico: missing API KEY\n" if !defined($api_key);
+ die "yubico: no associated yubico keys\n" if $keys =~ m/^\s+$/;
+
+ die "yubico: wrong OTP lenght\n" if (length($otp) < 32) || (length($otp) > 48);
+
+ # we always use http, because https cert verification always make problem, and
+ # some proxies does not work with https.
+
+ $url = 'http://api2.yubico.com/wsapi/2.0/verify' if !defined($url);
+
+ my $params = {
+ nonce => Digest::HMAC_SHA1::hmac_sha1_hex(time(), rand()),
+ id => $api_id,
+ otp => uri_escape($otp),
+ timestamp => 1,
+ };
+
+ my ($paramstr, $sig) = yubico_compute_param_sig($params, $api_key);
+
+ $paramstr .= "&h=$sig" if $api_key;
+
+ my $req = HTTP::Request->new('GET' => "$url?$paramstr");
+
+ my $ua = LWP::UserAgent->new(protocols_allowed => ['http'], timeout => 30);
+
+ if ($proxy) {
+ $ua->proxy(['http'], $proxy);
+ } else {
+ $ua->env_proxy;
+ }
+
+ my $response = $ua->request($req);
+ my $code = $response->code;
+
+ if ($code != 200) {
+ my $msg = $response->message || 'unknown';
+ die "Invalid response from server: $code $msg\n";
+ }
+
+ my $raw = $response->decoded_content;
+
+ my $result = {};
+ foreach my $kvpair (split(/\n/, $raw)) {
+ chomp $kvpair;
+ if($kvpair =~ /^\S+=/) {
+ my ($k, $v) = split(/=/, $kvpair, 2);
+ $v =~ s/\s//g;
+ $result->{$k} = $v;
+ }
+ }
+
+ my $rsig = $result->{h};
+ delete $result->{h};
+
+ if ($api_key) {
+ my ($datastr, $vsig) = yubico_compute_param_sig($result, $api_key);
+ $vsig = uri_unescape($vsig);
+ die "yubico: result signature verification failed\n" if $rsig ne $vsig;
+ }
+
+ die "yubico auth failed: $result->{status}\n" if $result->{status} ne 'OK';
+
+ my $publicid = $result->{publicid} = substr(lc($result->{otp}), 0, 12);
+
+ my $found;
+ foreach my $k (PVE::Tools::split_list($keys)) {
+ if ($k eq $publicid) {
+ $found = 1;
+ last;
+ }
+ }
+
+ die "yubico auth failed: key does not belong to user\n" if !$found;
+
+ return $result;
+}
+
+sub oath_verify_otp {
+ my ($otp, $keys, $step, $digits) = @_;
+
+ die "oath: missing password\n" if !defined($otp);
+ die "oath: no associated oath keys\n" if $keys =~ m/^\s+$/;
+
+ $step = 30 if !$step;
+ $digits = 6 if !$digits;
+
+ my $found;
+
+ my $parser = sub {
+ my $line = shift;
+
+ if ($line =~ m/^\d{6}$/) {
+ $found = 1 if $otp eq $line;
+ }
+ };
+
+ foreach my $k (PVE::Tools::split_list($keys)) {
+ # Note: we generate 3 values to allow small time drift
+ my $now = localtime(time() - $step);
+ my $cmd = ['oathtool', '--totp', '--digits', $digits, '-N', $now, '-s', $step, '-w', '2', '-b', $k];
+ eval { run_command($cmd, outfunc => $parser, errfunc => sub {}); };
+ last if $found;
+ }
+
+ die "oath auth failed\n" if !$found;
+}
+