X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=src%2FPVE%2FAccessControl.pm;h=eea6e141aa71a8c883f2819564a988a008da6505;hb=d0cce79f8b52d3feead2e92b94971a67e04ba977;hp=c3d3d160a393abafefceea0da7e8c03785079167;hpb=dc547a1339a437e7893294ce3630a7b8f0d5db4e;p=pve-access-control.git diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm index c3d3d16..eea6e14 100644 --- a/src/PVE/AccessControl.pm +++ b/src/PVE/AccessControl.pm @@ -7,11 +7,14 @@ use Crypt::OpenSSL::Random; use Crypt::OpenSSL::RSA; use Net::SSLeay; use Net::IP; +use MIME::Base32; use MIME::Base64; use Digest::SHA; use IO::File; use File::stat; use JSON; +use Scalar::Util 'weaken'; +use URI::Escape; use PVE::OTP; use PVE::Ticket; @@ -68,15 +71,39 @@ sub pve_verify_realm { PVE::Auth::Plugin::pve_verify_realm(@_); } +# Locking both config files together is only ever allowed in one order: +# 1) tfa config +# 2) user config +# If we permit the other way round, too, we might end up deadlocking! +my $user_config_locked; sub lock_user_config { my ($code, $errmsg) = @_; + my $locked = 1; + $user_config_locked = \$locked; + weaken $user_config_locked; # make this scope guard signal safe... + cfs_lock_file("user.cfg", undef, $code); + $user_config_locked = undef; if (my $err = $@) { $errmsg ? die "$errmsg: $err" : die $err; } } +sub lock_tfa_config { + my ($code, $errmsg) = @_; + + die "tfa config lock cannot be acquired while holding user config lock\n" + if ($user_config_locked && $$user_config_locked); + + my $res = cfs_lock_file("priv/tfa.cfg", undef, $code); + if (my $err = $@) { + $errmsg ? die "$errmsg: $err" : die $err; + } + + return $res; +} + my $cache_read_key = sub { my ($type) = @_; @@ -464,12 +491,8 @@ sub verify_token { return wantarray ? ($tokenid) : $tokenid; } - -# VNC tickets -# - they do not contain the username in plain text -# - they are restricted to a specific resource path (example: '/vms/100') -sub assemble_vnc_ticket { - my ($username, $path) = @_; +my $assemble_short_lived_ticket = sub { + my ($prefix, $username, $path) = @_; my $rsa_priv = get_privkey(); @@ -478,11 +501,13 @@ sub assemble_vnc_ticket { my $secret_data = "$username:$path"; return PVE::Ticket::assemble_rsa_ticket( - $rsa_priv, 'PVEVNC', undef, $secret_data); -} + $rsa_priv, $prefix, undef, $secret_data); +}; -sub verify_vnc_ticket { - my ($ticket, $username, $path, $noerr) = @_; +my $verify_short_lived_ticket = sub { + my ($ticket, $prefix, $username, $path, $noerr) = @_; + + $path = normalize_path($path); my $secret_data = "$username:$path"; @@ -492,12 +517,42 @@ sub verify_vnc_ticket { return undef; } else { # raise error via undef ticket - PVE::Ticket::verify_rsa_ticket($rsa_pub, 'PVEVNC'); + PVE::Ticket::verify_rsa_ticket($rsa_pub, $prefix); } } return PVE::Ticket::verify_rsa_ticket( - $rsa_pub, 'PVEVNC', $ticket, $secret_data, -20, 40, $noerr); + $rsa_pub, $prefix, $ticket, $secret_data, -20, 40, $noerr); +}; + +# VNC tickets +# - they do not contain the username in plain text +# - they are restricted to a specific resource path (example: '/vms/100') +sub assemble_vnc_ticket { + my ($username, $path) = @_; + + return $assemble_short_lived_ticket->('PVEVNC', $username, $path); +} + +sub verify_vnc_ticket { + my ($ticket, $username, $path, $noerr) = @_; + + return $verify_short_lived_ticket->($ticket, 'PVEVNC', $username, $path, $noerr); +} + +# Tunnel tickets +# - they do not contain the username in plain text +# - they are restricted to a specific resource path (example: '/vms/100', '/socket/run/qemu-server/123.storage') +sub assemble_tunnel_ticket { + my ($username, $path) = @_; + + return $assemble_short_lived_ticket->('PVETUNNEL', $username, $path); +} + +sub verify_tunnel_ticket { + my ($ticket, $username, $path, $noerr) = @_; + + return $verify_short_lived_ticket->($ticket, 'PVETUNNEL', $username, $path, $noerr); } sub assemble_spice_ticket { @@ -598,15 +653,15 @@ sub check_user_enabled { my $data = check_user_exist($usercfg, $username, $noerr); return undef if !$data; - return 1 if $data->{enable}; - - die "user '$username' is disabled\n" if !$noerr; - my $ctime = time(); my $expire = $usercfg->{users}->{$username}->{expire}; die "account expired\n" if $expire && ($expire < $ctime); + return 1 if $data->{enable}; + + die "user '$username' is disabled\n" if !$noerr; + return undef; } @@ -686,7 +741,9 @@ sub authenticate_2nd_old : prototype($$$) { my ($type, $tfa_data) = user_get_tfa($username, $realm, 0); if ($type) { - if ($type eq 'u2f') { + if ($type eq 'incompatible') { + die "old login api disabled, user has incompatible TFA entries\n"; + } elsif ($type eq 'u2f') { # Note that if the user did not manage to complete the initial u2f registration # challenge we have a hash containing a 'challenge' entry in the user's tfa.cfg entry: $tfa_data = undef if exists $tfa_data->{challenge}; @@ -724,29 +781,41 @@ sub authenticate_2nd_new : prototype($$$$) { } my $realm_type = $realm_tfa && $realm_tfa->{type}; - if (defined($realm_type) && $realm_type eq 'yubico') { - # Yubico auth will not be supported in rust for now... - if (!defined($tfa_challenge)) { - my $challenge = { yubico => JSON::true }; - # Even with yubico auth we do allow recovery keys to be used: - if (my $recovery = $tfa_cfg->recovery_state($username)) { - $challenge->{recovery} = $recovery; + # verify realm type unless using recovery keys: + if (defined($realm_type)) { + $realm_type = 'totp' if $realm_type eq 'oath'; # we used to call it that + if ($realm_type eq 'yubico') { + # Yubico auth will not be supported in rust for now... + if (!defined($tfa_challenge)) { + my $challenge = { yubico => JSON::true }; + # Even with yubico auth we do allow recovery keys to be used: + if (my $recovery = $tfa_cfg->recovery_state($username)) { + $challenge->{recovery} = $recovery; + } + return to_json($challenge); } - return to_json($challenge); - } - if ($otp =~ /^yubico:(.*)$/) { - $otp = $1; - # Defer to after unlocking the TFA config: - return sub { - authenticate_yubico_new($tfa_cfg, $username, $realm_tfa, $tfa_challenge, $otp); - }; + if ($otp =~ /^yubico:(.*)$/) { + $otp = $1; + # Defer to after unlocking the TFA config: + return sub { + authenticate_yubico_new( + $tfa_cfg, $username, $realm_tfa, $tfa_challenge, $otp, + ); + }; + } } - # Beside the realm configured auth we only allow recovery keys: - if ($otp !~ /^recovery:/) { - die "realm requires yubico authentication\n"; + my $response_type; + if (defined($otp)) { + if ($otp !~ /^([^:]+):/) { + die "bad otp response\n"; + } + $response_type = $1; } + + die "realm requires $realm_type authentication\n" + if $response_type && $response_type ne 'recovery' && $response_type ne $realm_type; } configure_u2f_and_wa($tfa_cfg); @@ -795,38 +864,54 @@ sub authenticate_yubico_new : prototype($$$) { my $keys = $tfa_cfg->get_yubico_keys($username); die "no keys configured\n" if !defined($keys) || !length($keys); - # Defer to after unlocking the TFA config: - - # fixme: proxy support? - my $proxy; - PVE::OTP::yubico_verify_otp($otp, $keys, $realm->{url}, $realm->{id}, $realm->{key}, $proxy); + authenticate_yubico_do($otp, $keys, $realm); # return `undef` to clear the tfa challenge. return undef; } +sub authenticate_yubico_do : prototype($$$) { + my ($value, $keys, $realm) = @_; + + # fixme: proxy support? + my $proxy = undef; + + PVE::OTP::yubico_verify_otp($value, $keys, $realm->{url}, $realm->{id}, $realm->{key}, $proxy); +} + sub configure_u2f_and_wa : prototype($) { my ($tfa_cfg) = @_; + my $rpc_origin; + my $get_origin = sub { + return $rpc_origin if defined($rpc_origin); + my $rpcenv = PVE::RPCEnvironment::get(); + if (my $origin = $rpcenv->get_request_host(1)) { + $rpc_origin = "https://$origin"; + return $rpc_origin; + } + die "failed to figure out origin\n"; + }; + my $dc = cfs_read_file('datacenter.cfg'); if (my $u2f = $dc->{u2f}) { - my $origin = $u2f->{origin}; - if (!defined($origin)) { - my $rpcenv = PVE::RPCEnvironment::get(); - $origin = $rpcenv->get_request_host(1); - if ($origin) { - $origin = "https://$origin"; - } else { - die "failed to figure out u2f origin\n"; - } - } - $tfa_cfg->set_u2f_config({ - origin => $origin, - appid => $u2f->{appid}, - }); + eval { + $tfa_cfg->set_u2f_config({ + origin => $u2f->{origin} // $get_origin->(), + appid => $u2f->{appid}, + }); + }; + warn "u2f unavailable, configuration error: $@\n" if $@; } if (my $wa = $dc->{webauthn}) { - $tfa_cfg->set_webauthn_config($wa); + eval { + $tfa_cfg->set_webauthn_config({ + origin => $wa->{origin} // $get_origin->(), + rp => $wa->{rp}, + id => $wa->{id}, + }); + }; + warn "webauthn unavailable, configuration error: $@\n" if $@; } } @@ -1537,8 +1622,8 @@ sub parse_priv_tfa_config { sub write_priv_tfa_config { my ($filename, $cfg) = @_; - # FIXME: Only allow this if the complete cluster has been upgraded to understand the json - # config format. + assert_new_tfa_config_available(); + return $cfg->write(); } @@ -1720,6 +1805,116 @@ my $USER_CONTROLLED_TFA_TYPES = { oath => 1, }; +sub assert_new_tfa_config_available() { + PVE::Cluster::cfs_update(); + my $version_info = PVE::Cluster::get_node_kv('version-info'); + die "cannot update tfa config, please make sure all cluster nodes are up to date\n" + if !$version_info; + my $members = PVE::Cluster::get_members() or return; # get_members returns undef on no cluster + my $old = ''; + foreach my $node (keys $members->%*) { + my $info = $version_info->{$node}; + if (!$info) { + $old .= " cluster node '$node' is too old, did not broadcast its version info\n"; + next; + } + $info = from_json($info); + my $ver = $info->{version}; + if ($ver !~ /^(\d+\.\d+)-(\d+)/) { + $old .= " cluster node '$node' provided an invalid version string: '$ver'\n"; + next; + } + my ($maj, $rel) = ($1, $2); + if (!($maj > 7.0 || ($maj == 7.0 && $rel >= 15))) { + $old .= " cluster node '$node' is too old ($ver < 7.0-15)\n"; + next; + } + } + die "cannot update tfa config, following nodes are not up to date:\n$old" if length($old); +} + +sub user_remove_tfa : prototype($) { + my ($userid) = @_; + + assert_new_tfa_config_available(); + + my $tfa_cfg = cfs_read_file('priv/tfa.cfg'); + $tfa_cfg->remove_user($userid); + cfs_write_file('priv/tfa.cfg', $tfa_cfg); +} + +my sub add_old_yubico_keys : prototype($$$) { + my ($userid, $tfa_cfg, $keys) = @_; + + my $count = 0; + foreach my $key (split_list($keys)) { + my $description = ""; + ++$count; + $tfa_cfg->add_yubico_entry($userid, $description, $key); + } +} + +my sub normalize_totp_secret : prototype($) { + my ($key) = @_; + + my $binkey; + # See PVE::OTP::oath_verify_otp: + if ($key =~ /^v2-0x([0-9a-fA-F]+)$/) { + # v2, hex + $binkey = pack('H*', $1); + } elsif ($key =~ /^v2-([A-Z2-7=]+)$/) { + # v2, base32 + $binkey = MIME::Base32::decode_rfc3548($1); + } elsif ($key =~ /^[A-Z2-7=]{16}$/) { + $binkey = MIME::Base32::decode_rfc3548($key); + } elsif ($key =~ /^[A-Fa-f0-9]{40}$/) { + $binkey = pack('H*', $key); + } else { + return undef; + } + + return MIME::Base32::encode_rfc3548($binkey); +} + +my sub add_old_totp_keys : prototype($$$$) { + my ($userid, $tfa_cfg, $realm_tfa, $keys) = @_; + + my $issuer = 'Proxmox%20VE'; + my $account = uri_escape("Old key for $userid"); + my $digits = $realm_tfa->{digits} || 6; + my $step = $realm_tfa->{step} || 30; + my $uri = "otpauth://totp/$issuer:$account?digits=$digits&period=$step&algorithm=SHA1&secret="; + + my $count = 0; + foreach my $key (split_list($keys)) { + $key = normalize_totp_secret($key); + # and just skip invalid keys: + next if !defined($key); + + my $description = ""; + ++$count; + eval { $tfa_cfg->add_totp_entry($userid, $description, $uri . $key) }; + warn $@ if $@; + } +} + +sub add_old_keys_to_realm_tfa : prototype($$$$) { + my ($userid, $tfa_cfg, $realm_tfa, $keys) = @_; + + # if there's no realm tfa configured, we don't know what the keys mean, so we just ignore + # them... + return if !$realm_tfa; + + my $type = $realm_tfa->{type}; + if ($type eq 'oath') { + add_old_totp_keys($userid, $tfa_cfg, $realm_tfa, $keys); + } elsif ($type eq 'yubico') { + add_old_yubico_keys($userid, $tfa_cfg, $keys); + } else { + # invalid keys, we'll just drop them now... + } +} + sub user_get_tfa : prototype($$$) { my ($username, $realm, $new_format) = @_; @@ -1742,6 +1937,14 @@ sub user_get_tfa : prototype($$$) { die "missing required 2nd keys\n"; } + if ($new_format) { + my $tfa_cfg = cfs_read_file('priv/tfa.cfg'); + if (defined($keys) && $keys !~ /^x(?:!.*)$/) { + add_old_keys_to_realm_tfa($username, $tfa_cfg, $realm_tfa, $keys); + } + return ($tfa_cfg, $realm_tfa); + } + # new style config starts with an 'x' and optionally contains a ! suffix if ($keys !~ /^x(?:!.*)?$/) { # old style config, find the type via the realm @@ -1752,20 +1955,16 @@ sub user_get_tfa : prototype($$$) { }); } else { my $tfa_cfg = cfs_read_file('priv/tfa.cfg'); - if ($new_format) { - return ($tfa_cfg, $realm_tfa); - } else { - my $tfa = $tfa_cfg->{users}->{$username}; - return if !$tfa; # should not happen (user.cfg wasn't cleaned up?) + my $tfa = $tfa_cfg->{users}->{$username}; + return if !$tfa; # should not happen (user.cfg wasn't cleaned up?) - if ($realm_tfa) { - # if the realm has a tfa setting we need to verify the type: - die "auth domain '$realm' and user have mismatching TFA settings\n" - if $realm_tfa && $realm_tfa->{type} ne $tfa->{type}; - } - - return ($tfa->{type}, $tfa->{data}); + if ($realm_tfa) { + # if the realm has a tfa setting we need to verify the type: + die "auth domain '$realm' and user have mismatching TFA settings\n" + if $realm_tfa && $realm_tfa->{type} ne $tfa->{type}; } + + return ($tfa->{type}, $tfa->{data}); } }