X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=src%2FPVE%2FAccessControl.pm;h=c5be63bc8b49867f642dcdfe5b87837dbe2be9eb;hb=9f345020774728a26f53a37e1716492bbf8b8357;hp=86286781ed72fe5039f612e5709af92d2a644cea;hpb=8a724f7b3a709a5cc8a723840e0104bfad6daf83;p=pve-access-control.git diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm index 8628678..c5be63b 100644 --- a/src/PVE/AccessControl.pm +++ b/src/PVE/AccessControl.pm @@ -7,11 +7,14 @@ use Crypt::OpenSSL::Random; use Crypt::OpenSSL::RSA; use Net::SSLeay; use Net::IP; +use MIME::Base32; use MIME::Base64; use Digest::SHA; use IO::File; use File::stat; use JSON; +use Scalar::Util 'weaken'; +use URI::Escape; use PVE::OTP; use PVE::Ticket; @@ -19,11 +22,14 @@ use PVE::Tools qw(run_command lock_file file_get_contents split_list safe_print) use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file); use PVE::JSONSchema qw(register_standard_option get_standard_option); +use PVE::RS::TFA; + use PVE::Auth::Plugin; use PVE::Auth::AD; use PVE::Auth::LDAP; use PVE::Auth::PVE; use PVE::Auth::PAM; +use PVE::Auth::OpenId; # load and initialize all plugins @@ -31,6 +37,7 @@ PVE::Auth::AD->register(); PVE::Auth::LDAP->register(); PVE::Auth::PVE->register(); PVE::Auth::PAM->register(); +PVE::Auth::OpenId->register(); PVE::Auth::Plugin->init(); # $authdir must be writable by root only! @@ -64,13 +71,37 @@ sub pve_verify_realm { PVE::Auth::Plugin::pve_verify_realm(@_); } +# Locking both config files together is only ever allowed in one order: +# 1) tfa config +# 2) user config +# If we permit the other way round, too, we might end up deadlocking! +my $user_config_locked; sub lock_user_config { my ($code, $errmsg) = @_; + my $locked = 1; + $user_config_locked = \$locked; + weaken $user_config_locked; # make this scope guard signal safe... + cfs_lock_file("user.cfg", undef, $code); + $user_config_locked = undef; + if (my $err = $@) { + $errmsg ? die "$errmsg: $err" : die $err; + } +} + +sub lock_tfa_config { + my ($code, $errmsg) = @_; + + die "tfa config lock cannot be acquired while holding user config lock\n" + if ($user_config_locked && $$user_config_locked); + + my $res = cfs_lock_file("priv/tfa.cfg", undef, $code); if (my $err = $@) { $errmsg ? die "$errmsg: $err" : die $err; } + + return $res; } my $cache_read_key = sub { @@ -334,16 +365,23 @@ my $get_ticket_age_range = sub { return ($min, $max); }; -sub assemble_ticket { - my ($data) = @_; +sub assemble_ticket : prototype($;$) { + my ($data, $aad) = @_; my $rsa_priv = get_privkey(); - return PVE::Ticket::assemble_rsa_ticket($rsa_priv, 'PVE', $data); + return PVE::Ticket::assemble_rsa_ticket($rsa_priv, 'PVE', $data, $aad); } -sub verify_ticket { - my ($ticket, $noerr) = @_; +# Returns the username, "age" and tfa info. +# +# Note that for the new-style outh, tfa info is never set, as it only uses the `/ticket` api call +# via the new 'tfa-challenge' parameter, so this part can go with PVE-8. +# +# New-style auth still uses this function, but sets `$tfa_ticket` to true when validating the tfa +# ticket. +sub verify_ticket : prototype($;$$) { + my ($ticket, $noerr, $tfa_ticket_aad) = @_; my $now = time(); @@ -357,7 +395,7 @@ sub verify_ticket { return undef if !defined($min); return PVE::Ticket::verify_rsa_ticket( - $rsa_pub, 'PVE', $ticket, undef, $min, $max, 1); + $rsa_pub, 'PVE', $ticket, $tfa_ticket_aad, $min, $max, 1); }; my ($data, $age) = $check->(); @@ -378,7 +416,21 @@ sub verify_ticket { return $auth_failure->(); } + if ($tfa_ticket_aad) { + # We're validating a ticket-call's 'tfa-challenge' parameter, so just return its data. + if ($data =~ /^!tfa!(.*)$/) { + return $1; + } + die "bad ticket\n"; + } + my ($username, $tfa_info); + if ($data =~ /^!tfa!(.*)$/) { + # PBS style half-authenticated ticket, contains a json string form of a `TfaChallenge` + # object. + # This type of ticket does not contain the user name. + return { type => 'new', data => $1 }; + } if ($data =~ m{^u2f!([^!]+)!([0-9a-zA-Z/.=_\-+]+)$}) { # Ticket for u2f-users: ($username, my $challenge) = ($1, $2); @@ -599,6 +651,7 @@ sub check_token_exist { return undef; } +# deprecated sub verify_one_time_pw { my ($type, $username, $keys, $tfa_cfg, $otp) = @_; @@ -619,8 +672,8 @@ sub verify_one_time_pw { # password should be utf8 encoded # Note: some plugins delay/sleep if auth fails -sub authenticate_user { - my ($username, $password, $otp) = @_; +sub authenticate_user : prototype($$$$;$) { + my ($username, $password, $otp, $new_format, $tfa_challenge) = @_; die "no username specified\n" if !$username; @@ -637,9 +690,28 @@ sub authenticate_user { my $cfg = $domain_cfg->{ids}->{$realm}; die "auth domain '$realm' does not exist\n" if !$cfg; my $plugin = PVE::Auth::Plugin->lookup($cfg->{type}); + + if ($tfa_challenge) { + # This is the 2nd factor, use the password for the OTP response. + my $tfa_challenge = authenticate_2nd_new($username, $realm, $password, $tfa_challenge); + return wantarray ? ($username, $tfa_challenge) : $username; + } + $plugin->authenticate_user($cfg, $realm, $ruid, $password); - my ($type, $tfa_data) = user_get_tfa($username, $realm); + if ($new_format) { + # This is the first factor with an optional immediate 2nd factor for TOTP: + my $tfa_challenge = authenticate_2nd_new($username, $realm, $otp, $tfa_challenge); + return wantarray ? ($username, $tfa_challenge) : $username; + } else { + return authenticate_2nd_old($username, $realm, $otp); + } +} + +sub authenticate_2nd_old : prototype($$$) { + my ($username, $realm, $otp) = @_; + + my ($type, $tfa_data) = user_get_tfa($username, $realm, 0); if ($type) { if ($type eq 'u2f') { # Note that if the user did not manage to complete the initial u2f registration @@ -667,6 +739,141 @@ sub authenticate_user { return wantarray ? ($username, $tfa_data) : $username; } +# Returns a tfa challenge or undef. +sub authenticate_2nd_new : prototype($$$$) { + my ($username, $realm, $otp, $tfa_challenge) = @_; + + my $result = lock_tfa_config(sub { + my ($tfa_cfg, $realm_tfa) = user_get_tfa($username, $realm, 1); + + if (!defined($tfa_cfg)) { + return undef; + } + + my $realm_type = $realm_tfa && $realm_tfa->{type}; + $realm_type = 'totp' if $realm_type eq 'oath'; # we used to call it that + # verify realm type unless using recovery keys: + if (defined($realm_type)) { + if ($realm_type eq 'yubico') { + # Yubico auth will not be supported in rust for now... + if (!defined($tfa_challenge)) { + my $challenge = { yubico => JSON::true }; + # Even with yubico auth we do allow recovery keys to be used: + if (my $recovery = $tfa_cfg->recovery_state($username)) { + $challenge->{recovery} = $recovery; + } + return to_json($challenge); + } + + if ($otp =~ /^yubico:(.*)$/) { + $otp = $1; + # Defer to after unlocking the TFA config: + return sub { + authenticate_yubico_new( + $tfa_cfg, $username, $realm_tfa, $tfa_challenge, $otp, + ); + }; + } + } + + my $response_type; + if (defined($otp)) { + if ($otp !~ /^([^:]+):/) { + die "bad otp response\n"; + } + $response_type = $1; + } + + die "realm requires $realm_type authentication\n" + if $response_type && $response_type ne 'recovery' && $response_type ne $realm_type; + } + + configure_u2f_and_wa($tfa_cfg); + + my $must_save = 0; + if (defined($tfa_challenge)) { + $tfa_challenge = verify_ticket($tfa_challenge, 0, $username); + $must_save = $tfa_cfg->authentication_verify($username, $tfa_challenge, $otp); + $tfa_challenge = undef; + } else { + $tfa_challenge = $tfa_cfg->authentication_challenge($username); + if (defined($otp)) { + if (defined($tfa_challenge)) { + $must_save = $tfa_cfg->authentication_verify($username, $tfa_challenge, $otp); + } else { + die "no such challenge\n"; + } + } + } + + if ($must_save) { + cfs_write_file('priv/tfa.cfg', $tfa_cfg); + } + + return $tfa_challenge; + }); + + # Yubico auth returns the authentication sub: + if (ref($result) eq 'CODE') { + $result = $result->(); + } + + return $result; +} + +sub authenticate_yubico_new : prototype($$$) { + my ($tfa_cfg, $username, $realm, $tfa_challenge, $otp) = @_; + + $tfa_challenge = verify_ticket($tfa_challenge, 0, $username); + $tfa_challenge = from_json($tfa_challenge); + + if (!$tfa_challenge->{yubico}) { + die "no such challenge\n"; + } + + my $keys = $tfa_cfg->get_yubico_keys($username); + die "no keys configured\n" if !defined($keys) || !length($keys); + + authenticate_yubico_do($otp, $keys, $realm); + + # return `undef` to clear the tfa challenge. + return undef; +} + +sub authenticate_yubico_do : prototype($$$) { + my ($value, $keys, $realm) = @_; + + # fixme: proxy support? + my $proxy = undef; + + PVE::OTP::yubico_verify_otp($value, $keys, $realm->{url}, $realm->{id}, $realm->{key}, $proxy); +} + +sub configure_u2f_and_wa : prototype($) { + my ($tfa_cfg) = @_; + + my $dc = cfs_read_file('datacenter.cfg'); + if (my $u2f = $dc->{u2f}) { + my $origin = $u2f->{origin}; + if (!defined($origin)) { + my $rpcenv = PVE::RPCEnvironment::get(); + $origin = $rpcenv->get_request_host(1); + if ($origin) { + $origin = "https://$origin"; + } else { + die "failed to figure out u2f origin\n"; + } + } + $tfa_cfg->set_u2f_config({ + origin => $origin, + appid => $u2f->{appid}, + }); + } + if (my $wa = $dc->{webauthn}) { + $tfa_cfg->set_webauthn_config($wa); + } +} + sub domain_set_password { my ($realm, $username, $password) = @_; @@ -942,6 +1149,7 @@ sub check_path { |/pool/[[:alnum:]\.\-\_]+ |/sdn |/sdn/zones/[[:alnum:]\.\-\_]+ + |/sdn/vnets/[[:alnum:]\.\-\_]+ |/storage |/storage/[[:alnum:]\.\-\_]+ |/vms @@ -1350,33 +1558,21 @@ sub write_user_config { return $data; } -# The TFA configuration in priv/tfa.cfg format contains one line per user of -# the form: -# USER:TYPE:DATA -# DATA is a base64 encoded json string and its format depends on the type. +# Creates a `PVE::RS::TFA` instance from the raw config data. +# Its contained hash will also support the legacy functionality. sub parse_priv_tfa_config { my ($filename, $raw) = @_; - my $users = {}; - my $cfg = { users => $users }; - $raw = '' if !defined($raw); - while ($raw =~ /^\s*(.+?)\s*$/gm) { - my $line = $1; - my ($user, $type, $data) = split(/:/, $line, 3); + my $cfg = PVE::RS::TFA->new($raw); + # Purge invalid users: + foreach my $user ($cfg->users()->@*) { my (undef, undef, $realm) = PVE::Auth::Plugin::verify_username($user, 1); if (!$realm) { warn "user tfa config - ignore user '$user' - invalid user name\n"; - next; + $cfg->remove_user($user); } - - $data = decode_json(decode_base64($data)); - - $users->{$user} = { - type => $type, - data => $data, - }; } return $cfg; @@ -1385,27 +1581,9 @@ sub parse_priv_tfa_config { sub write_priv_tfa_config { my ($filename, $cfg) = @_; - my $output = ''; - - my $users = $cfg->{users}; - foreach my $user (sort keys %$users) { - my $info = $users->{$user}; - next if !%$info; # skip empty entries - - $info = {%$info}; # copy to verify contents: + assert_new_tfa_config_available(); - my $type = delete $info->{type}; - my $data = delete $info->{data}; - - if (my @keys = keys %$info) { - die "invalid keys in TFA config for user $user: " . join(', ', @keys) . "\n"; - } - - $data = encode_base64(encode_json($data), ''); - $output .= "${user}:${type}:${data}\n"; - } - - return $output; + return $cfg->write(); } sub roles { @@ -1586,75 +1764,118 @@ my $USER_CONTROLLED_TFA_TYPES = { oath => 1, }; -# Delete an entry by setting $data=undef in which case $type is ignored. -# Otherwise both must be valid. -sub user_set_tfa { - my ($userid, $realm, $type, $data, $cached_usercfg, $cached_domaincfg) = @_; - - if (defined($data) && !defined($type)) { - # This is an internal usage error and should not happen - die "cannot set tfa data without a type\n"; +sub assert_new_tfa_config_available() { + PVE::Cluster::cfs_update(); + my $version_info = PVE::Cluster::get_node_kv('version-info'); + die "cannot update tfa config, please make sure all cluster nodes are up to date\n" + if !$version_info; + my $members = PVE::Cluster::get_members(); + my $old = ''; + foreach my $node (keys $members->%*) { + my $info = $version_info->{$node}; + if (!$info) { + $old .= "cluster node '$node' is too old, did not broadcast its version info\n"; + next; + } + $info = from_json($info); + my $ver = $info->{version}; + if ($ver !~ /^(\d+\.\d+)-(\d+)/) { + $old .= "cluster node '$node' provided an invalid version string: '$ver'\n"; + next; + } + my ($maj, $rel) = ($1, $2); + if (!($maj > 7.0 || ($maj == 7.0 && $rel >= 15))) { + $old .= "cluster node '$node' is too old\n"; + next; + } } + die $old if length($old); +} - my $user_cfg = $cached_usercfg || cfs_read_file('user.cfg'); - my $user = $user_cfg->{users}->{$userid} - or die "user '$userid' not found\n"; +sub user_remove_tfa : prototype($) { + my ($userid) = @_; - my $domain_cfg = $cached_domaincfg || cfs_read_file('domains.cfg'); - my $realm_cfg = $domain_cfg->{ids}->{$realm}; - die "auth domain '$realm' does not exist\n" if !$realm_cfg; + assert_new_tfa_config_available(); - my $realm_tfa = $realm_cfg->{tfa}; - if (defined($realm_tfa)) { - $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_tfa); - # If the realm has a TFA setting, we're only allowed to use that. - if (defined($data)) { - my $required_type = $realm_tfa->{type}; - if ($required_type ne $type) { - die "realm '$realm' only allows TFA of type '$required_type\n"; - } + my $tfa_cfg = cfs_read_file('priv/tfa.cfg'); + $tfa_cfg->remove_user($userid); + cfs_write_file('priv/tfa.cfg', $tfa_cfg); +} - if (defined($data->{config})) { - # XXX: Is it enough if the type matches? Or should the configuration also match? - } +my sub add_old_yubico_keys : prototype($$$) { + my ($userid, $tfa_cfg, $keys) = @_; - # realm-configured tfa always uses a simple key list, so use the user.cfg - $user->{keys} = $data->{keys}; - } else { - die "realm '$realm' does not allow removing the 2nd factor\n"; - } + my $count = 0; + foreach my $key (split_list($keys)) { + my $description = ""; + ++$count; + $tfa_cfg->add_yubico_entry($userid, $description, $key); + } +} + +my sub normalize_totp_secret : prototype($) { + my ($key) = @_; + + my $binkey; + # See PVE::OTP::oath_verify_otp: + if ($key =~ /^v2-0x([0-9a-fA-F]+)$/) { + # v2, hex + $binkey = pack('H*', $1); + } elsif ($key =~ /^v2-([A-Z2-7=]+)$/) { + # v2, base32 + $binkey = MIME::Base32::decode_rfc3548($1); + } elsif ($key =~ /^[A-Z2-7=]{16}$/) { + $binkey = MIME::Base32::decode_rfc3548($key); + } elsif ($key =~ /^[A-Fa-f0-9]{40}$/) { + $binkey = pack('H*', $key); } else { - # Without a realm-enforced TFA setting the user can add a u2f or totp entry by themselves. - # The 'yubico' type requires yubico server settings, which have to be configured on the - # realm, so this is not supported here: - die "domain '$realm' does not support TFA type '$type'\n" - if defined($data) && !$USER_CONTROLLED_TFA_TYPES->{$type}; + return undef; } - # Custom TFA entries are stored in priv/tfa.cfg as they can be more complet: u2f uses a - # public key and a key handle, TOTP requires the usual totp settings... + return MIME::Base32::encode_rfc3548($binkey); +} - my $tfa_cfg = cfs_read_file('priv/tfa.cfg'); - my $tfa = ($tfa_cfg->{users}->{$userid} //= {}); +my sub add_old_totp_keys : prototype($$$$) { + my ($userid, $tfa_cfg, $realm_tfa, $keys) = @_; + + my $issuer = 'Proxmox%20VE'; + my $account = uri_escape("Old key for $userid"); + my $digits = $realm_tfa->{digits} || 6; + my $step = $realm_tfa->{step} || 30; + my $uri = "otpauth://totp/$issuer:$account?digits=$digits&period=$step&algorithm=SHA1&secret="; + + my $count = 0; + foreach my $key (split_list($keys)) { + $key = normalize_totp_secret($key); + # and just skip invalid keys: + next if !defined($key); + + my $description = ""; + ++$count; + eval { $tfa_cfg->add_totp_entry($userid, $description, $uri . $key) }; + warn $@ if $@; + } +} - if (defined($data)) { - $tfa->{type} = $type; - $tfa->{data} = $data; - cfs_write_file('priv/tfa.cfg', $tfa_cfg); +sub add_old_keys_to_realm_tfa : prototype($$$$) { + my ($userid, $tfa_cfg, $realm_tfa, $keys) = @_; - $user->{keys} = "x!$type"; - } else { - delete $tfa_cfg->{users}->{$userid}; - cfs_write_file('priv/tfa.cfg', $tfa_cfg); + # if there's no realm tfa configured, we don't know what the keys mean, so we just ignore + # them... + return if !$realm_tfa; - delete $user->{keys}; + my $type = $realm_tfa->{type}; + if ($type eq 'oath') { + add_old_totp_keys($userid, $tfa_cfg, $realm_tfa, $keys); + } elsif ($type eq 'yubico') { + add_old_yubico_keys($userid, $tfa_cfg, $keys); + } else { + # invalid keys, we'll just drop them now... } - - cfs_write_file('user.cfg', $user_cfg); } -sub user_get_tfa { - my ($username, $realm) = @_; +sub user_get_tfa : prototype($$$) { + my ($username, $realm, $new_format) = @_; my $user_cfg = cfs_read_file('user.cfg'); my $user = $user_cfg->{users}->{$username} @@ -1675,6 +1896,14 @@ sub user_get_tfa { die "missing required 2nd keys\n"; } + if ($new_format) { + my $tfa_cfg = cfs_read_file('priv/tfa.cfg'); + if (defined($keys) && $keys !~ /^x(?:!.*)$/) { + add_old_keys_to_realm_tfa($username, $tfa_cfg, $realm_tfa, $keys); + } + return ($tfa_cfg, $realm_tfa); + } + # new style config starts with an 'x' and optionally contains a ! suffix if ($keys !~ /^x(?:!.*)?$/) { # old style config, find the type via the realm