add experimental code for yubico OTP verification

[pve-access-control.git] / PVE / AccessControl.pm

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index f03f6b5bba4e67fbb6f2a90d9210d62e344f37be..3e6ed3119d141ec335a2fdfd86aaf1ea31ece163 100644 (file)
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -5,8 +5,12 @@ use warnings;
 use Encode;
 use Crypt::OpenSSL::Random;
 use Crypt::OpenSSL::RSA;
+use Net::SSLeay;
 use MIME::Base64;
 use Digest::SHA;
+use Digest::HMAC_SHA1;
+use URI::Escape;
+use LWP::UserAgent;
 use PVE::Tools qw(run_command lock_file file_get_contents split_list safe_print);
 use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file);
 use PVE::JSONSchema;
@@ -277,6 +281,60 @@ sub verify_spice_connect_url {
     return undef;
 }
 
+sub read_x509_subject_spice {
+    my ($filename) = @_;
+
+    # read x509 subject
+    my $bio = Net::SSLeay::BIO_new_file($filename, 'r');
+    my $x509 = Net::SSLeay::PEM_read_bio_X509($bio);
+    Net::SSLeay::BIO_free($bio);
+    my $nameobj = Net::SSLeay::X509_get_subject_name($x509);
+    my $subject = Net::SSLeay::X509_NAME_oneline($nameobj);
+    Net::SSLeay::X509_free($x509);
+  
+    # remote-viewer wants comma as seperator (not '/')
+    $subject =~ s!^/!!;
+    $subject =~ s!/(\w+=)!,$1!g;
+
+    return $subject;
+}
+
+# helper to generate SPICE remote-viewer configuration
+sub remote_viewer_config {
+    my ($authuser, $vmid, $node, $proxy, $title, $port) = @_;
+
+    if (!$proxy) {
+       my $host = `hostname -f` || PVE::INotify::nodename();
+       chomp $host;
+       $proxy = $host;
+    }
+
+    my ($ticket, $proxyticket) = assemble_spice_ticket($authuser, $vmid, $node);
+
+    my $filename = "/etc/pve/local/pve-ssl.pem";
+    my $subject = read_x509_subject_spice($filename);
+
+    my $cacert = PVE::Tools::file_get_contents("/etc/pve/pve-root-ca.pem", 8192);
+    $cacert =~ s/\n/\\n/g;
+
+    my $config = {
+       'secure-attention' => "Ctrl+Alt+Ins",
+       'toggle-fullscreen' => "Shift+F11",
+       'release-cursor' => "Ctrl+Alt+R",
+       type => 'spice',
+       title => $title,
+       host => $proxyticket, # this break tls hostname verification, so we need to use 'host-subject'
+       proxy => "http://$proxy:3128",
+       'tls-port' => $port,
+       'host-subject' => $subject,
+       ca => $cacert,
+       password => $ticket,
+       'delete-this-file' => 1,
+    };
+
+    return ($ticket, $proxyticket, $config);
+}
+
 sub check_user_exist {
     my ($usercfg, $username, $noerr) = @_;
 
@@ -1043,4 +1101,87 @@ sub remove_vm_from_pool {
     lock_user_config($delVMfromPoolFn, "pool cleanup for VM $vmid failed");
 }
 
+# experimental code for yubico OTP verification
+
+sub yubico_compute_param_sig {
+    my ($param, $api_key) = @_;
+
+    my $paramstr = '';
+    foreach my $key (sort keys %$param) {
+       $paramstr .= '&' if $paramstr;
+       $paramstr .= "$key=$param->{$key}";
+    }
+
+    my $sig = uri_escape(encode_base64(Digest::HMAC_SHA1::hmac_sha1($paramstr, decode_base64($api_key || '')), ''));
+
+    return ($paramstr, $sig);
+}
+
+sub yubico_verify_otp {
+    my ($otp, $api_id, $api_key, $proxy) = @_;
+
+    die "yubicloud: wrong OTP lenght\n" if (length($otp) < 32) || (length($otp) > 48);
+
+    # we always use http, because https cert verification always make problem, and
+    # some proxies does not work with https.
+
+    my $url = 'http://api2.yubico.com/wsapi/2.0/verify';
+    
+    my $params = {
+       nonce =>  Digest::HMAC_SHA1::hmac_sha1_hex(time(), rand()),
+       id => $api_id,
+       otp => uri_escape($otp),
+       timestamp => 1,
+    };
+
+    my ($paramstr, $sig) = yubico_compute_param_sig($params, $api_key);
+
+    $paramstr .= "&h=$sig" if $api_key;
+
+    my $req = HTTP::Request->new('GET' => "$url?$paramstr");
+
+    my $ua = LWP::UserAgent->new(protocols_allowed => ['http'], timeout => 30);
+
+    if ($proxy) {
+       $ua->proxy(['http'], $proxy);
+    } else {
+       $ua->env_proxy;
+    }
+
+    my $response = $ua->request($req);
+    my $code = $response->code;
+
+    if ($code != 200) {
+       my $msg = $response->message || 'unknown';
+       die "Invalid response from server: $code $msg\n";
+    }
+
+    my $raw = $response->decoded_content;
+
+    my $result = {};
+    foreach my $kvpair (split(/\n/, $raw)) {
+       chomp $kvpair;
+       if($kvpair =~ /^\S+=/) {
+           my ($k, $v) = split(/=/, $kvpair, 2);
+           $v =~ s/\s//g;
+           $result->{$k} = $v;
+        }
+    }
+
+    my $rsig = $result->{h};
+    delete $result->{h};
+
+    if ($api_key) {
+       my ($datastr, $vsig) = yubico_compute_param_sig($result, $api_key);
+       $vsig = uri_unescape($vsig);
+       die "yubicloud: result signature verification failed\n" if $rsig ne $vsig;
+    }
+
+    die "yubicloud auth failed: $result->{status}\n" if $result->{status} ne 'OK';
+
+    $result->{publicid} = substr(lc($result->{otp}), 0, 12);
+
+    return $result;
+}
+
 1;