X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=src%2FPVE%2FAPI2%2FTFA.pm;h=bee4dee7deba40b2dd825debe3189e42acfd3f94;hb=2974aa334536d57b6baf5032bec58ce2e06ae31c;hp=657a74ce1355e8b2251a7b42943f37085ee46e0b;hpb=b3dae5dd48ec44faf5c877bf42cc93a6b2e0402c;p=pve-access-control.git
diff --git a/src/PVE/API2/TFA.pm b/src/PVE/API2/TFA.pm
index 657a74c..bee4dee 100644
--- a/src/PVE/API2/TFA.pm
+++ b/src/PVE/API2/TFA.pm
@@ -7,9 +7,10 @@ use HTTP::Status qw(:constants);
 use PVE::AccessControl;
 use PVE::Cluster qw(cfs_read_file cfs_write_file);
-use PVE::JSONSchema qw(get_standard_option);
 use PVE::Exception qw(raise raise_perm_exc raise_param_exc);
+use PVE::JSONSchema qw(get_standard_option);
 use PVE::RPCEnvironment;
+use PVE::SafeSyslog;
 
 use PVE::API2::AccessControl; # for old login api get_u2f_instance method
 
@@ -101,7 +102,7 @@ my $TFA_UPDATE_INFO_SCHEMA = {
 my sub root_permission_check : prototype($$$$) {
     my ($rpcenv, $authuser, $userid, $password) = @_;
 
-    ($userid, my $ruid, my $realm) = PVE::AccessControl::verify_username($userid);
+    ($userid, undef, my $realm) = PVE::AccessControl::verify_username($userid);
     $rpcenv->check_user_exist($userid);
 
     raise_perm_exc() if $userid eq 'root@pam' && $authuser ne 'root@pam';
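Review bot: `use PVE::SafeSyslog;` is added in the first hunk, but none of the hunks in this diff call `syslog` or any other name it exports, so from the visible changes the import looks unused. If nothing else in the file relies on it, drop the line; if a later part of the file does use it, a trailing comment naming that use, in the style of the existing `# for old login api get_u2f_instance method`, would keep the next reader from asking the same question.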
@@ -111,11 +112,14 @@ my sub root_permission_check : prototype($$$$) {
         raise_param_exc({ 'password' => 'password is required to modify TFA data' })
             if !defined($password);
 
+        ($authuser, my $auth_username, my $auth_realm) =
+            PVE::AccessControl::verify_username($authuser);
+
         my $domain_cfg = cfs_read_file('domains.cfg');
-        my $cfg = $domain_cfg->{ids}->{$realm};
-        die "auth domain '$realm' does not exist\n" if !$cfg;
+        my $cfg = $domain_cfg->{ids}->{$auth_realm};
+        die "auth domain '$auth_realm' does not exist\n" if !$cfg;
         my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
-        $plugin->authenticate_user($cfg, $realm, $ruid, $password);
+        $plugin->authenticate_user($cfg, $auth_realm, $auth_username, $password);
     }
 
     return wantarray ? ($userid, $realm) : $userid;
@@ -185,6 +189,9 @@ __PACKAGE__->register_method({
         if (!defined($tfa_type)) {
             raise('no u2f data available');
         }
+        if ($tfa_type eq 'incompatible') {
+            raise('tfa entries incompatible with old login api');
+        }
 
         eval {
             if ($tfa_type eq 'u2f') {
@@ -368,10 +375,24 @@ __PACKAGE__->register_method ({
         my $rpcenv = PVE::RPCEnvironment::get();
         my $authuser = $rpcenv->get_user();
 
-        my $top_level_allowed = ($authuser eq 'root@pam');
 
         my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
-        return $tfa_cfg->api_list_tfa($authuser, $top_level_allowed);
+        my $entries = $tfa_cfg->api_list_tfa($authuser, 1);
+
+        my $privs = [ 'User.Modify', 'Sys.Audit' ];
+        if ($rpcenv->check_any($authuser, "/access/groups", $privs, 1)) {
+            # can modify all
+            return $entries;
+        }
+
+        my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
+        my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
+        return [
+            grep {
+                my $userid = $_->{userid};
+                $userid eq $authuser || $allowed_users->{$userid}
+            } $entries->@*
+        ];
     }});
 
 __PACKAGE__->register_method ({
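Review bot: The re-verification of `$authuser` in this hunk is the actual security fix — the password the caller supplies is the caller's own, so it must be checked against the caller's realm and plugin, whereas the removed lines authenticated it against the target user's `$realm` — yet nothing in the code says so, and overwriting the `$authuser` parameter in the middle of the sub reads like an accident. Add a comment above the added assignment: `# The password belongs to the caller, not to $userid: authenticate it against the caller's own realm and plugin.` A second short comment that `$authuser` is deliberately replaced by its canonical form from verify_username would make the reassignment obviously intentional. The header of root_permission_check is in the preceding hunk, outside this one.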
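Review bot: The comment `# can modify all` on the `check_any` branch in the last hunk is misleading, because `$privs` also holds `Sys.Audit`, which is an audit privilege, so what the branch establishes is that the caller may see every user's entries, not modify them; `# User.Modify or Sys.Audit on /access/groups: caller may list all entries` says what the check actually does. The same wording applies to the `filter_groups` step, which yields the groups the caller holds either privilege on, and a one-line comment on the `grep` stating that a caller always sees their own entries plus those of members of such groups would document the intended visibility rule, assuming `group_member_join` returns a hash keyed by userid as the `$allowed_users->{$userid}` lookup suggests. As a matter of style, the hunk mixes the classic `keys %$groups` with postfix `$entries->@*`; pick one dereference form within the method.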