+my $USER_CONTROLLED_TFA_TYPES = {
+ u2f => 1,
+ oath => 1,
+};
+
+# Delete an entry by setting $data=undef in which case $type is ignored.
+# Otherwise both must be valid.
+sub user_set_tfa {
+ my ($userid, $realm, $type, $data, $cached_usercfg, $cached_domaincfg) = @_;
+
+ if (defined($data) && !defined($type)) {
+ # This is an internal usage error and should not happen
+ die "cannot set tfa data without a type\n";
+ }
+
+ my $user_cfg = $cached_usercfg || cfs_read_file('user.cfg');
+ my $user = $user_cfg->{users}->{$userid}
+ or die "user '$userid' not found\n";
+
+ my $domain_cfg = $cached_domaincfg || cfs_read_file('domains.cfg');
+ my $realm_cfg = $domain_cfg->{ids}->{$realm};
+ die "auth domain '$realm' does not exist\n" if !$realm_cfg;
+
+ my $realm_tfa = $realm_cfg->{tfa};
+ if (defined($realm_tfa)) {
+ $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_tfa);
+ # If the realm has a TFA setting, we're only allowed to use that.
+ if (defined($data)) {
+ my $required_type = $realm_tfa->{type};
+ if ($required_type ne $type) {
+ die "realm '$realm' only allows TFA of type '$required_type\n";
+ }
+
+ if (defined($data->{config})) {
+ # XXX: Is it enough if the type matches? Or should the configuration also match?
+ }
+
+ # realm-configured tfa always uses a simple key list, so use the user.cfg
+ $user->{keys} = $data->{keys};
+ } else {
+ die "realm '$realm' does not allow removing the 2nd factor\n";
+ }
+ } else {
+ # Without a realm-enforced TFA setting the user can add a u2f or totp entry by themselves.
+ # The 'yubico' type requires yubico server settings, which have to be configured on the
+ # realm, so this is not supported here:
+ die "domain '$realm' does not support TFA type '$type'\n"
+ if defined($data) && !$USER_CONTROLLED_TFA_TYPES->{$type};
+ }
+
+ # Custom TFA entries are stored in priv/tfa.cfg as they can be more complet: u2f uses a
+ # public key and a key handle, TOTP requires the usual totp settings...
+
+ my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
+ my $tfa = ($tfa_cfg->{users}->{$userid} //= {});
+
+ if (defined($data)) {
+ $tfa->{type} = $type;
+ $tfa->{data} = $data;
+ cfs_write_file('priv/tfa.cfg', $tfa_cfg);
+
+ $user->{keys} = "x!$type";
+ } else {
+ delete $tfa_cfg->{users}->{$userid};
+ cfs_write_file('priv/tfa.cfg', $tfa_cfg);
+
+ delete $user->{keys};
+ }
+
+ cfs_write_file('user.cfg', $user_cfg);
+}
+
+sub user_get_tfa {
+ my ($username, $realm) = @_;
+
+ my $user_cfg = cfs_read_file('user.cfg');
+ my $user = $user_cfg->{users}->{$username}
+ or die "user '$username' not found\n";
+
+ my $keys = $user->{keys};
+
+ my $domain_cfg = cfs_read_file('domains.cfg');
+ my $realm_cfg = $domain_cfg->{ids}->{$realm};
+ die "auth domain '$realm' does not exist\n" if !$realm_cfg;
+
+ my $realm_tfa = $realm_cfg->{tfa};
+ $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_tfa)
+ if $realm_tfa;
+
+ if (!$keys) {
+ return if !$realm_tfa;
+ die "missing required 2nd keys\n";
+ }
+
+ # new style config starts with an 'x' and optionally contains a !<type> suffix
+ if ($keys !~ /^x(?:!.*)?$/) {
+ # old style config, find the type via the realm
+ return if !$realm_tfa;
+ return ($realm_tfa->{type}, {
+ keys => $keys,
+ config => $realm_tfa,
+ });
+ } else {
+ my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
+ my $tfa = $tfa_cfg->{users}->{$username};
+ return if !$tfa; # should not happen (user.cfg wasn't cleaned up?)
+
+ if ($realm_tfa) {
+ # if the realm has a tfa setting we need to verify the type:
+ die "auth domain '$realm' and user have mismatching TFA settings\n"
+ if $realm_tfa && $realm_tfa->{type} ne $tfa->{type};
+ }
+
+ return ($tfa->{type}, $tfa->{data});
+ }
+}
+