[pmg-api.git] / PMG / UserConfig.pm

package PMG::UserConfig;

use strict;
use warnings;
use Data::Dumper;
use Clone 'clone';

use PVE::Tools;
use PVE::INotify;
use PVE::JSONSchema qw(get_standard_option);
use PVE::Exception qw(raise);

use PMG::Utils;

my $inotify_file_id = 'pmg-user.conf';
my $config_filename = '/etc/pmg/user.conf';

sub new {
    my ($type) = @_;

    my $class = ref($type) || $type;

    my $cfg = PVE::INotify::read_file($inotify_file_id);

    return bless $cfg, $class;
}

sub write {
    my ($self) = @_;

    PVE::INotify::write_file($inotify_file_id, $self);
}

my $lockfile = "/var/lock/pmguser.lck";

sub lock_config {
    my ($code, $errmsg) = @_;

    my $p = PVE::Tools::lock_file($lockfile, undef, $code);
    if (my $err = $@) {
	$errmsg ? die "$errmsg: $err" : die $err;
    }
}

my $schema = {
    additionalProperties => 0,
    properties => {
	userid => get_standard_option('userid'),
	username => get_standard_option('username', { optional => 1 }),
	realm => {
	    description => "Authentication realm.",
	    type => 'string',
	    enum => ['pam', 'pmg'],
	    default => 'pmg',
	    optional => 1,
	},
	email => {
	    description => "Users E-Mail address.",
	    type => 'string', format => 'email',
	    optional => 1,
	},
	expire => {
	    description => "Account expiration date (seconds since epoch). '0' means no expiration date.",
	    type => 'integer',
	    minimum => 0,
	    default => 0,
	    optional => 1,
	},
	enable => {
	    description => "Flag to enable or disable the account.",
	    type => 'boolean',
	    default => 0,
	    optional => 1,
	},
	crypt_pass => {
	    description => "Encrypted password (see `man crypt`)",
	    type => 'string',
	    pattern => '\$\d\$[a-zA-Z0-9\.\/]+\$[a-zA-Z0-9\.\/]+',
	    optional => 1,
	},
	role => {
	    description => "User role. Role 'root' is reseved for the Unix Superuser.",
	    type => 'string',
	    enum => ['root', 'admin', 'qmanager', 'audit'],
	},
	firstname => {
	    description => "First name.",
	    type => 'string',
	    maxLength => 64,
	    optional => 1,
	},
	lastname => {
	    description => "Last name.",
	    type => 'string',
	    maxLength => 64,
	    optional => 1,
	},
	keys => {
	    description => "Keys for two factor auth (yubico).",
	    type => 'string',
	    maxLength => 128,
	    optional => 1,
	},
	comment => {
	    description => "Comment.",
	    type => 'string',
	    optional => 1,
	},
    },
};

our $create_schema = clone($schema);
delete $create_schema->{properties}->{username};
delete $create_schema->{properties}->{realm};
$create_schema->{properties}->{password} = {
    description => "Password",
    type => 'string',
    maxLength => 32,
    minLength => 5,
    optional => 1,
};

our $update_schema = clone($create_schema);
$update_schema->{properties}->{role}->{optional} = 1;
$update_schema->{properties}->{delete} = {
    type => 'string', format => 'pve-configid-list',
    description => "A list of settings you want to delete.",
    maxLength => 4096,
    optional => 1,
};

my $verity_entry = sub {
    my ($entry) = @_;

    my $errors = {};
    PVE::JSONSchema::check_prop($entry, $schema, '', $errors);
    if (scalar(%$errors)) {
	raise "verify entry failed\n", errors => $errors;
    }
};

my $fixup_root_properties = sub {
    my ($cfg) = @_;

    $cfg->{'root@pam'}->{userid} = 'root@pam';
    $cfg->{'root@pam'}->{username} = 'root';
    $cfg->{'root@pam'}->{realm} = 'pam';
    $cfg->{'root@pam'}->{enable} = 1;
    $cfg->{'root@pam'}->{expire} = 0;
    $cfg->{'root@pam'}->{comment} = 'Unix Superuser';
    $cfg->{'root@pam'}->{role} = 'root';
    delete $cfg->{'root@pam'}->{crypt_pass};
};

sub read_user_conf {
    my ($filename, $fh) = @_;

    my $cfg = {};

    if ($fh) {

	my $comment = '';

	while (defined(my $line = <$fh>)) {
	    next if $line =~ m/^\s*$/;
	    if ($line =~ m/^#(.*)$/) {
		$comment = $1;
		next;
	    }

	    if ($line =~ m/^
               (?<userid>(?:[^\s:]+)) :
               (?<enable>[01]?) :
               (?<expire>\d*) :
               (?<crypt_pass>(?:[^\s:]*)) :
               (?<role>[a-z]+) :
               (?<email>(?:[^\s:]*)) :
               (?<firstname>(?:[^:]*)) :
               (?<lastname>(?:[^:]*)) :
               (?<keys>(?:[^:]*)) :
               $/x
	    ) {
		my $d = {
		    username => $+{userid},
		    userid => $+{userid} . '@pmg',
		    realm => 'pmg',
		    enable => $+{enable} || 0,
		    expire => $+{expire} || 0,
		    role => $+{role},
		};
		$d->{comment} = $comment if $comment;
		$comment = '';
		foreach my $k (qw(crypt_pass email firstname lastname keys)) {
		    $d->{$k} = $+{$k} if $+{$k};
		}
		eval {
		    $verity_entry->($d);
		    $cfg->{$d->{userid}} = $d;
		    die "role 'root' is reserved\n"
			if $d->{role} eq 'root' && $d->{userid} ne 'root@pmg';
		};
		if (my $err = $@) {
		    warn "$filename: $err";
		}
	    } else {
		warn "$filename: ignore invalid line $.\n";
		$comment = '';
	    }
	}
    }

    # hack: we list root@pam here (root@pmg is an alias for root@pam)
    $cfg->{'root@pam'} = $cfg->{'root@pmg'} // {};
    delete $cfg->{'root@pmg'};
    $cfg->{'root@pam'} //= {};

    $fixup_root_properties->($cfg);

    return $cfg;
}

sub write_user_conf {
    my ($filename, $fh, $cfg) = @_;

    my $raw = '';

    $fixup_root_properties->($cfg);

    foreach my $userid (keys %$cfg) {
	my $d = $cfg->{$userid};

	$d->{userid} = $userid;

	die "invalid userid '$userid'\n" if $userid eq 'root@pmg';

	eval {
	    $verity_entry->($d);
	    $cfg->{$d->{userid}} = $d;

	    if ($d->{userid} ne 'root@pam') {
		die "role 'root' is reserved\n" if $d->{role} eq 'root';
		die "unable to add users for realm '$d->{realm}'\n"
		    if $d->{realm} && $d->{realm} ne 'pmg';
	    }
	};
	if (my $err = $@) {
	    die $err;
	}

	my $line;

	if ($userid eq 'root@pam') {
	    $line = 'root:';
	    $d->{crypt_pass} = '',
	    $d->{expire} = '0',
	    $d->{role} = 'root';
	} else {
	    next if $userid !~ m/^(?<username>.+)\@pmg$/;
	    $line = "$+{username}:";
	}

	for my $k (qw(enable expire crypt_pass role email firstname lastname keys)) {
	    $line .= ($d->{$k} // '') . ':';
	}
	if (my $comment = $d->{comment}) {
	    my $firstline = (split /\n/, $comment)[0]; # only allow one line
	    $raw .= "#$firstline\n";
	}
	$raw .= $line . "\n";
    }

    my $gid = getgrnam('www-data');
    chown(0, $gid, $fh);
    chmod(0640, $fh);

    PVE::Tools::safe_print($filename, $fh, $raw);
}

PVE::INotify::register_file($inotify_file_id, $config_filename,
			    \&read_user_conf,
			    \&write_user_conf,
			    undef,
			    always_call_parser => 1);

sub lookup_user_data {
    my ($self, $username, $noerr) = @_;

    return $self->{$username} if $self->{$username};

    die "no such user ('$username')\n" if !$noerr;

    return undef;
}

sub authenticate_user {
    my ($self, $username, $password) = @_;

    die "no password\n" if !$password;

    my $data = $self->lookup_user_data($username);

    my $ctime = time();
    my $expire = $data->{expire};

    die "account expired\n" if $expire && ($expire < $ctime);

    if ($data->{crypt_pass}) {
	my $encpw = crypt($password, $data->{crypt_pass});
        die "invalid credentials\n" if ($encpw ne $data->{crypt_pass});
    } else {
	die "no password set\n";
    }

    return 1;
}

sub set_user_password {
    my ($class, $username, $password) = @_;

    lock_config(sub {
	my $cfg = $class->new();
	my $data = $cfg->lookup_user_data($username); # user exists
	my $epw = PVE::Tools::encrypt_pw($password);
	$data->{crypt_pass} = $epw;
	$cfg->write();
    });
}

1;
Commit	Line	Data
62ebb4bc DM	1	package PMG::UserConfig;
62ebb4bc DM	2
62ebb4bc DM	3	use strict;
62ebb4bc DM	4	use warnings;
fff8e89c DM	5	use Data::Dumper;
fff8e89c DM	6	use Clone 'clone';
62ebb4bc DM	7
	8	use PVE::Tools;
	9	use PVE::INotify;
c861cb3a DM	10	use PVE::JSONSchema qw(get_standard_option);
c861cb3a DM	11	use PVE::Exception qw(raise);
62ebb4bc DM	12
	13	use PMG::Utils;
	14
	15	my $inotify_file_id = 'pmg-user.conf';
	16	my $config_filename = '/etc/pmg/user.conf';
	17
	18	sub new {
	19	my ($type) = @_;
	20
	21	my $class = ref($type) \|\| $type;
	22
	23	my $cfg = PVE::INotify::read_file($inotify_file_id);
	24
	25	return bless $cfg, $class;
	26	}
	27
	28	sub write {
	29	my ($self) = @_;
	30
	31	PVE::INotify::write_file($inotify_file_id, $self);
	32	}
	33
	34	my $lockfile = "/var/lock/pmguser.lck";
	35
	36	sub lock_config {
	37	my ($code, $errmsg) = @_;
	38
	39	my $p = PVE::Tools::lock_file($lockfile, undef, $code);
	40	if (my $err = $@) {
	41	$errmsg ? die "$errmsg: $err" : die $err;
	42	}
	43	}
	44
8333a87c	45	my $schema = {
c861cb3a DM	46	additionalProperties => 0,
c861cb3a DM	47	properties => {
4d813470	48	userid => get_standard_option('userid'),
0c7e2ca4	49	username => get_standard_option('username', { optional => 1 }),
1beed876 DM	50	realm => {
	51	description => "Authentication realm.",
	52	type => 'string',
	53	enum => ['pam', 'pmg'],
	54	default => 'pmg',
	55	optional => 1,
	56	},
c861cb3a DM	57	email => {
c861cb3a DM	58	description => "Users E-Mail address.",
fff8e89c	59	type => 'string', format => 'email',
c861cb3a DM	60	optional => 1,
	61	},
	62	expire => {
fff8e89c	63	description => "Account expiration date (seconds since epoch). '0' means no expiration date.",
c861cb3a DM	64	type => 'integer',
c861cb3a DM	65	minimum => 0,
fff8e89c DM	66	default => 0,
fff8e89c DM	67	optional => 1,
c861cb3a DM	68	},
	69	enable => {
	70	description => "Flag to enable or disable the account.",
	71	type => 'boolean',
fff8e89c DM	72	default => 0,
fff8e89c DM	73	optional => 1,
c861cb3a DM	74	},
	75	crypt_pass => {
	76	description => "Encrypted password (see `man crypt`)",
	77	type => 'string',
	78	pattern => '\$\d\$[a-zA-Z0-9\.\/]+\$[a-zA-Z0-9\.\/]+',
	79	optional => 1,
	80	},
	81	role => {
6006ffde	82	description => "User role. Role 'root' is reseved for the Unix Superuser.",
c861cb3a	83	type => 'string',
6006ffde	84	enum => ['root', 'admin', 'qmanager', 'audit'],
c861cb3a	85	},
aec44b24	86	firstname => {
c861cb3a DM	87	description => "First name.",
	88	type => 'string',
	89	maxLength => 64,
	90	optional => 1,
	91	},
aec44b24	92	lastname => {
c861cb3a DM	93	description => "Last name.",
	94	type => 'string',
	95	maxLength => 64,
	96	optional => 1,
	97	},
	98	keys => {
fff8e89c	99	description => "Keys for two factor auth (yubico).",
c861cb3a DM	100	type => 'string',
	101	maxLength => 128,
	102	optional => 1,
	103	},
fff8e89c DM	104	comment => {
	105	description => "Comment.",
	106	type => 'string',
	107	optional => 1,
	108	},
c861cb3a DM	109	},
	110	};
	111
8333a87c DM	112	our $create_schema = clone($schema);
	113	delete $create_schema->{properties}->{username};
	114	delete $create_schema->{properties}->{realm};
ca46618a DM	115	$create_schema->{properties}->{password} = {
	116	description => "Password",
	117	type => 'string',
	118	maxLength => 32,
	119	minLength => 5,
	120	optional => 1,
	121	};
8333a87c	122
ca46618a	123	our $update_schema = clone($create_schema);
fff8e89c	124	$update_schema->{properties}->{role}->{optional} = 1;
0ecf02bc DM	125	$update_schema->{properties}->{delete} = {
	126	type => 'string', format => 'pve-configid-list',
	127	description => "A list of settings you want to delete.",
	128	maxLength => 4096,
	129	optional => 1,
	130	};
fff8e89c	131
c861cb3a DM	132	my $verity_entry = sub {
	133	my ($entry) = @_;
	134
	135	my $errors = {};
	136	PVE::JSONSchema::check_prop($entry, $schema, '', $errors);
	137	if (scalar(%$errors)) {
	138	raise "verify entry failed\n", errors => $errors;
	139	}
	140	};
	141
1461db83 DM	142	my $fixup_root_properties = sub {
	143	my ($cfg) = @_;
	144
	145	$cfg->{'root@pam'}->{userid} = 'root@pam';
0c7e2ca4	146	$cfg->{'root@pam'}->{username} = 'root';
1beed876	147	$cfg->{'root@pam'}->{realm} = 'pam';
1461db83 DM	148	$cfg->{'root@pam'}->{enable} = 1;
	149	$cfg->{'root@pam'}->{expire} = 0;
	150	$cfg->{'root@pam'}->{comment} = 'Unix Superuser';
	151	$cfg->{'root@pam'}->{role} = 'root';
	152	delete $cfg->{'root@pam'}->{crypt_pass};
	153	};
	154
62ebb4bc DM	155	sub read_user_conf {
	156	my ($filename, $fh) = @_;
	157
	158	my $cfg = {};
	159
	160	if ($fh) {
	161
	162	my $comment = '';
	163
	164	while (defined(my $line = <$fh>)) {
	165	next if $line =~ m/^\s*$/;
	166	if ($line =~ m/^#(.*)$/) {
	167	$comment = $1;
	168	next;
	169	}
c861cb3a DM	170
	171	if ($line =~ m/^
	172	(?<userid>(?:[^\s:]+)) :
fff8e89c DM	173	(?<enable>[01]?) :
	174	(?<expire>\d*) :
	175	(?<crypt_pass>(?:[^\s:]*)) :
c861cb3a DM	176	(?<role>[a-z]+) :
c861cb3a DM	177	(?<email>(?:[^\s:]*)) :
aec44b24 DM	178	(?<firstname>(?:[^:]*)) :
aec44b24 DM	179	(?<lastname>(?:[^:]*)) :
c861cb3a DM	180	(?<keys>(?:[^:]*)) :
	181	$/x
	182	) {
62ebb4bc	183	my $d = {
0c7e2ca4	184	username => $+{userid},
4d813470	185	userid => $+{userid} . '@pmg',
1beed876	186	realm => 'pmg',
fff8e89c DM	187	enable => $+{enable} \|\| 0,
fff8e89c DM	188	expire => $+{expire} \|\| 0,
c861cb3a	189	role => $+{role},
62ebb4bc DM	190	};
	191	$d->{comment} = $comment if $comment;
	192	$comment = '';
aec44b24	193	foreach my $k (qw(crypt_pass email firstname lastname keys)) {
c861cb3a DM	194	$d->{$k} = $+{$k} if $+{$k};
	195	}
	196	eval {
	197	$verity_entry->($d);
	198	$cfg->{$d->{userid}} = $d;
6006ffde DM	199	die "role 'root' is reserved\n"
6006ffde DM	200	if $d->{role} eq 'root' && $d->{userid} ne 'root@pmg';
c861cb3a DM	201	};
	202	if (my $err = $@) {
	203	warn "$filename: $err";
	204	}
62ebb4bc DM	205	} else {
	206	warn "$filename: ignore invalid line $.\n";
	207	$comment = '';
	208	}
	209	}
	210	}
	211
82613302 DM	212	# hack: we list root@pam here (root@pmg is an alias for root@pam)
	213	$cfg->{'root@pam'} = $cfg->{'root@pmg'} // {};
	214	delete $cfg->{'root@pmg'};
	215	$cfg->{'root@pam'} //= {};
1461db83 DM	216
1461db83 DM	217	$fixup_root_properties->($cfg);
62ebb4bc DM	218
	219	return $cfg;
	220	}
	221
	222	sub write_user_conf {
	223	my ($filename, $fh, $cfg) = @_;
	224
	225	my $raw = '';
	226
1461db83	227	$fixup_root_properties->($cfg);
fff8e89c DM	228
	229	foreach my $userid (keys %$cfg) {
	230	my $d = $cfg->{$userid};
82613302	231
fff8e89c	232	$d->{userid} = $userid;
4d813470	233
cf009a08	234	die "invalid userid '$userid'\n" if $userid eq 'root@pmg';
7e818421	235
fff8e89c DM	236	eval {
	237	$verity_entry->($d);
	238	$cfg->{$d->{userid}} = $d;
6006ffde	239
1beed876 DM	240	if ($d->{userid} ne 'root@pam') {
	241	die "role 'root' is reserved\n" if $d->{role} eq 'root';
	242	die "unable to add users for realm '$d->{realm}'\n"
b5dc7933	243	if $d->{realm} && $d->{realm} ne 'pmg';
1beed876	244	}
fff8e89c DM	245	};
	246	if (my $err = $@) {
	247	die $err;
	248	}
4d813470	249
82613302 DM	250	my $line;
	251
	252	if ($userid eq 'root@pam') {
	253	$line = 'root:';
	254	$d->{crypt_pass} = '',
05e34f94	255	$d->{expire} = '0',
82613302 DM	256	$d->{role} = 'root';
	257	} else {
	258	next if $userid !~ m/^(?<username>.+)\@pmg$/;
	259	$line = "$+{username}:";
	260	}
4d813470	261
aec44b24	262	for my $k (qw(enable expire crypt_pass role email firstname lastname keys)) {
fff8e89c DM	263	$line .= ($d->{$k} // '') . ':';
fff8e89c DM	264	}
0ecf02bc DM	265	if (my $comment = $d->{comment}) {
	266	my $firstline = (split /\n/, $comment)[0]; # only allow one line
	267	$raw .= "#$firstline\n";
	268	}
fff8e89c DM	269	$raw .= $line . "\n";
fff8e89c DM	270	}
62ebb4bc	271
5232f267 DM	272	my $gid = getgrnam('www-data');
	273	chown(0, $gid, $fh);
	274	chmod(0640, $fh);
dc5f6d6e	275
62ebb4bc DM	276	PVE::Tools::safe_print($filename, $fh, $raw);
	277	}
	278
	279	PVE::INotify::register_file($inotify_file_id, $config_filename,
	280	\&read_user_conf,
	281	\&write_user_conf,
	282	undef,
	283	always_call_parser => 1);
	284
	285	sub lookup_user_data {
	286	my ($self, $username, $noerr) = @_;
	287
	288	return $self->{$username} if $self->{$username};
	289
	290	die "no such user ('$username')\n" if !$noerr;
	291
	292	return undef;
	293	}
	294
	295	sub authenticate_user {
	296	my ($self, $username, $password) = @_;
	297
	298	die "no password\n" if !$password;
	299
	300	my $data = $self->lookup_user_data($username);
	301
c861cb3a DM	302	my $ctime = time();
	303	my $expire = $data->{expire};
	304
	305	die "account expired\n" if $expire && ($expire < $ctime);
	306
62ebb4bc DM	307	if ($data->{crypt_pass}) {
	308	my $encpw = crypt($password, $data->{crypt_pass});
	309	die "invalid credentials\n" if ($encpw ne $data->{crypt_pass});
	310	} else {
	311	die "no password set\n";
	312	}
	313
	314	return 1;
	315	}
	316
be06bc52	317	sub set_user_password {
62ebb4bc DM	318	my ($class, $username, $password) = @_;
	319
	320	lock_config(sub {
	321	my $cfg = $class->new();
	322	my $data = $cfg->lookup_user_data($username); # user exists
1a8170cf	323	my $epw = PVE::Tools::encrypt_pw($password);
62ebb4bc DM	324	$data->{crypt_pass} = $epw;
	325	$cfg->write();
	326	});
	327	}
	328
	329	1;