[pmg-api.git] / PMG / UserConfig.pm

package PMG::UserConfig;

use strict;
use warnings;
use Data::Dumper;
use Clone 'clone';

use PVE::Tools;
use PVE::INotify;
use PVE::JSONSchema qw(get_standard_option);
use PVE::Exception qw(raise);

use PMG::Utils;

my $inotify_file_id = 'pmg-user.conf';
my $config_filename = '/etc/pmg/user.conf';

sub new {
    my ($type) = @_;

    my $class = ref($type) || $type;

    my $cfg = PVE::INotify::read_file($inotify_file_id);

    return bless $cfg, $class;
}

sub write {
    my ($self) = @_;

    PVE::INotify::write_file($inotify_file_id, $self);
}

my $lockfile = "/var/lock/pmguser.lck";

sub lock_config {
    my ($code, $errmsg) = @_;

    my $p = PVE::Tools::lock_file($lockfile, undef, $code);
    if (my $err = $@) {
	$errmsg ? die "$errmsg: $err" : die $err;
    }
}

my $schema = {
    additionalProperties => 0,
    properties => {
	userid => get_standard_option('userid'),
	username => get_standard_option('username', { optional => 1 }),
	realm => {
	    description => "Authentication realm.",
	    type => 'string',
	    enum => ['pam', 'pmg'],
	    default => 'pmg',
	    optional => 1,
	},
	email => {
	    description => "Users E-Mail address.",
	    type => 'string', format => 'email',
	    optional => 1,
	},
	expire => {
	    description => "Account expiration date (seconds since epoch). '0' means no expiration date.",
	    type => 'integer',
	    minimum => 0,
	    default => 0,
	    optional => 1,
	},
	enable => {
	    description => "Flag to enable or disable the account.",
	    type => 'boolean',
	    default => 0,
	    optional => 1,
	},
	crypt_pass => {
	    description => "Encrypted password (see `man crypt`)",
	    type => 'string',
	    pattern => '\$\d\$[a-zA-Z0-9\.\/]+\$[a-zA-Z0-9\.\/]+',
	    optional => 1,
	},
	role => {
	    description => "User role. Role 'root' is reseved for the Unix Superuser.",
	    type => 'string',
	    enum => ['root', 'admin', 'helpdesk', 'qmanager', 'audit'],
	},
	firstname => {
	    description => "First name.",
	    type => 'string',
	    maxLength => 64,
	    optional => 1,
	},
	lastname => {
	    description => "Last name.",
	    type => 'string',
	    maxLength => 64,
	    optional => 1,
	},
	keys => {
	    description => "Keys for two factor auth (yubico).",
	    type => 'string',
	    maxLength => 128,
	    optional => 1,
	},
	comment => {
	    description => "Comment.",
	    type => 'string',
	    optional => 1,
	},
    },
};

our $create_schema = clone($schema);
delete $create_schema->{properties}->{username};
delete $create_schema->{properties}->{realm};
$create_schema->{properties}->{password} = {
    description => "Password",
    type => 'string',
    maxLength => 32,
    minLength => 5,
    optional => 1,
};

our $update_schema = clone($create_schema);
$update_schema->{properties}->{role}->{optional} = 1;
$update_schema->{properties}->{delete} = {
    type => 'string', format => 'pve-configid-list',
    description => "A list of settings you want to delete.",
    maxLength => 4096,
    optional => 1,
};

my $verify_entry = sub {
    my ($entry) = @_;

    my $errors = {};
    my $userid = $entry->{userid};
    if (defined(my $username = $entry->{username})) {
	if ($userid !~ /^\Q$username\E\@/) {
	    $errors->{'username'} = 'invalid username for userid';
	}
    } else {
	# make sure the username's length is checked
	$entry->{username} = ($userid =~ s/\@.*$//r);
    }
    PVE::JSONSchema::check_prop($entry, $schema, '', $errors);
    if (scalar(%$errors)) {
	raise "verify entry failed\n", errors => $errors;
    }
};

my $fixup_root_properties = sub {
    my ($cfg) = @_;

    $cfg->{'root@pam'}->{userid} = 'root@pam';
    $cfg->{'root@pam'}->{username} = 'root';
    $cfg->{'root@pam'}->{realm} = 'pam';
    $cfg->{'root@pam'}->{enable} = 1;
    $cfg->{'root@pam'}->{expire} = 0;
    $cfg->{'root@pam'}->{comment} = 'Unix Superuser';
    $cfg->{'root@pam'}->{role} = 'root';
    delete $cfg->{'root@pam'}->{crypt_pass};
};

sub read_user_conf {
    my ($filename, $fh) = @_;

    my $cfg = {};

    if ($fh) {

	my $comment = '';

	while (defined(my $line = <$fh>)) {
	    next if $line =~ m/^\s*$/;
	    if ($line =~ m/^#(.*)$/) {
		$comment = $1;
		next;
	    }

	    if ($line =~ m/^
               (?<userid>(?:[^\s:]+)) :
               (?<enable>[01]?) :
               (?<expire>\d*) :
               (?<crypt_pass>(?:[^\s:]*)) :
               (?<role>[a-z]+) :
               (?<email>(?:[^\s:]*)) :
               (?<firstname>(?:[^:]*)) :
               (?<lastname>(?:[^:]*)) :
               (?<keys>(?:[^:]*)) :
               $/x
	    ) {
		my $d = {
		    username => $+{userid},
		    userid => $+{userid} . '@pmg',
		    realm => 'pmg',
		    enable => $+{enable} || 0,
		    expire => $+{expire} || 0,
		    role => $+{role},
		};
		$d->{comment} = $comment if $comment;
		$comment = '';
		foreach my $k (qw(crypt_pass email firstname lastname keys)) {
		    $d->{$k} = $+{$k} if $+{$k};
		}
		eval {
		    $verify_entry->($d);
		    $cfg->{$d->{userid}} = $d;
		    die "role 'root' is reserved\n"
			if $d->{role} eq 'root' && $d->{userid} ne 'root@pmg';
		};
		if (my $err = $@) {
		    warn "$filename: $err";
		}
	    } else {
		warn "$filename: ignore invalid line $.\n";
		$comment = '';
	    }
	}
    }

    # hack: we list root@pam here (root@pmg is an alias for root@pam)
    $cfg->{'root@pam'} = $cfg->{'root@pmg'} // {};
    delete $cfg->{'root@pmg'};
    $cfg->{'root@pam'} //= {};

    $fixup_root_properties->($cfg);

    return $cfg;
}

sub write_user_conf {
    my ($filename, $fh, $cfg) = @_;

    my $raw = '';

    $fixup_root_properties->($cfg);

    foreach my $userid (keys %$cfg) {
	my $d = $cfg->{$userid};

	$d->{userid} = $userid;

	die "invalid userid '$userid'\n" if $userid eq 'root@pmg';
	$verify_entry->($d);
	$cfg->{$d->{userid}} = $d;

	if ($d->{userid} ne 'root@pam') {
	    die "role 'root' is reserved\n" if $d->{role} eq 'root';
	    die "unable to add users for realm '$d->{realm}'\n"
		if $d->{realm} && $d->{realm} ne 'pmg';
	}

	my $line;

	if ($userid eq 'root@pam') {
	    $line = 'root:';
	    $d->{crypt_pass} = '',
	    $d->{expire} = '0',
	    $d->{role} = 'root';
	} else {
	    next if $userid !~ m/^(?<username>.+)\@pmg$/;
	    $line = "$+{username}:";
	}

	for my $k (qw(enable expire crypt_pass role email firstname lastname keys)) {
	    $line .= ($d->{$k} // '') . ':';
	}
	if (my $comment = $d->{comment}) {
	    my $firstline = (split /\n/, $comment)[0]; # only allow one line
	    $raw .= "#$firstline\n";
	}
	$raw .= $line . "\n";
    }

    my $gid = getgrnam('www-data');
    chown(0, $gid, $fh);
    chmod(0640, $fh);

    PVE::Tools::safe_print($filename, $fh, $raw);
}

PVE::INotify::register_file($inotify_file_id, $config_filename,
			    \&read_user_conf,
			    \&write_user_conf,
			    undef,
			    always_call_parser => 1);

sub lookup_user_data {
    my ($self, $username, $noerr) = @_;

    return $self->{$username} if $self->{$username};

    die "no such user ('$username')\n" if !$noerr;

    return undef;
}

sub authenticate_user {
    my ($self, $username, $password) = @_;

    die "no password\n" if !$password;

    my $data = $self->lookup_user_data($username);

    my $ctime = time();
    my $expire = $data->{expire};

    die "account expired\n" if $expire && ($expire < $ctime);

    if ($data->{crypt_pass}) {
	my $encpw = crypt($password, $data->{crypt_pass});
        die "invalid credentials\n" if ($encpw ne $data->{crypt_pass});
    } else {
	die "no password set\n";
    }

    return 1;
}

sub set_user_password {
    my ($class, $username, $password) = @_;

    lock_config(sub {
	my $cfg = $class->new();
	my $data = $cfg->lookup_user_data($username); # user exists
	my $epw = PVE::Tools::encrypt_pw($password);
	$data->{crypt_pass} = $epw;
	$cfg->write();
    });
}

1;
Commit	Line	Data
62ebb4bc DM	1	package PMG::UserConfig;
62ebb4bc DM	2
62ebb4bc DM	3	use strict;
62ebb4bc DM	4	use warnings;
fff8e89c DM	5	use Data::Dumper;
fff8e89c DM	6	use Clone 'clone';
62ebb4bc DM	7
	8	use PVE::Tools;
	9	use PVE::INotify;
c861cb3a DM	10	use PVE::JSONSchema qw(get_standard_option);
c861cb3a DM	11	use PVE::Exception qw(raise);
62ebb4bc DM	12
	13	use PMG::Utils;
	14
	15	my $inotify_file_id = 'pmg-user.conf';
	16	my $config_filename = '/etc/pmg/user.conf';
	17
	18	sub new {
	19	my ($type) = @_;
	20
	21	my $class = ref($type) \|\| $type;
	22
	23	my $cfg = PVE::INotify::read_file($inotify_file_id);
	24
	25	return bless $cfg, $class;
	26	}
	27
	28	sub write {
	29	my ($self) = @_;
	30
	31	PVE::INotify::write_file($inotify_file_id, $self);
	32	}
	33
	34	my $lockfile = "/var/lock/pmguser.lck";
	35
	36	sub lock_config {
	37	my ($code, $errmsg) = @_;
	38
	39	my $p = PVE::Tools::lock_file($lockfile, undef, $code);
	40	if (my $err = $@) {
	41	$errmsg ? die "$errmsg: $err" : die $err;
	42	}
	43	}
	44
8333a87c	45	my $schema = {
c861cb3a DM	46	additionalProperties => 0,
c861cb3a DM	47	properties => {
4d813470	48	userid => get_standard_option('userid'),
0c7e2ca4	49	username => get_standard_option('username', { optional => 1 }),
1beed876 DM	50	realm => {
	51	description => "Authentication realm.",
	52	type => 'string',
	53	enum => ['pam', 'pmg'],
	54	default => 'pmg',
	55	optional => 1,
	56	},
c861cb3a DM	57	email => {
c861cb3a DM	58	description => "Users E-Mail address.",
fff8e89c	59	type => 'string', format => 'email',
c861cb3a DM	60	optional => 1,
	61	},
	62	expire => {
fff8e89c	63	description => "Account expiration date (seconds since epoch). '0' means no expiration date.",
c861cb3a DM	64	type => 'integer',
c861cb3a DM	65	minimum => 0,
fff8e89c DM	66	default => 0,
fff8e89c DM	67	optional => 1,
c861cb3a DM	68	},
	69	enable => {
	70	description => "Flag to enable or disable the account.",
	71	type => 'boolean',
fff8e89c DM	72	default => 0,
fff8e89c DM	73	optional => 1,
c861cb3a DM	74	},
	75	crypt_pass => {
	76	description => "Encrypted password (see `man crypt`)",
	77	type => 'string',
	78	pattern => '\$\d\$[a-zA-Z0-9\.\/]+\$[a-zA-Z0-9\.\/]+',
	79	optional => 1,
	80	},
	81	role => {
6006ffde	82	description => "User role. Role 'root' is reseved for the Unix Superuser.",
c861cb3a	83	type => 'string',
3058a948	84	enum => ['root', 'admin', 'helpdesk', 'qmanager', 'audit'],
c861cb3a	85	},
aec44b24	86	firstname => {
c861cb3a DM	87	description => "First name.",
	88	type => 'string',
	89	maxLength => 64,
	90	optional => 1,
	91	},
aec44b24	92	lastname => {
c861cb3a DM	93	description => "Last name.",
	94	type => 'string',
	95	maxLength => 64,
	96	optional => 1,
	97	},
	98	keys => {
fff8e89c	99	description => "Keys for two factor auth (yubico).",
c861cb3a DM	100	type => 'string',
	101	maxLength => 128,
	102	optional => 1,
	103	},
fff8e89c DM	104	comment => {
	105	description => "Comment.",
	106	type => 'string',
	107	optional => 1,
	108	},
c861cb3a DM	109	},
	110	};
	111
8333a87c DM	112	our $create_schema = clone($schema);
	113	delete $create_schema->{properties}->{username};
	114	delete $create_schema->{properties}->{realm};
ca46618a DM	115	$create_schema->{properties}->{password} = {
	116	description => "Password",
	117	type => 'string',
	118	maxLength => 32,
	119	minLength => 5,
	120	optional => 1,
	121	};
8333a87c	122
ca46618a	123	our $update_schema = clone($create_schema);
fff8e89c	124	$update_schema->{properties}->{role}->{optional} = 1;
0ecf02bc DM	125	$update_schema->{properties}->{delete} = {
	126	type => 'string', format => 'pve-configid-list',
	127	description => "A list of settings you want to delete.",
	128	maxLength => 4096,
	129	optional => 1,
	130	};
fff8e89c	131
7e37a733	132	my $verify_entry = sub {
c861cb3a DM	133	my ($entry) = @_;
	134
	135	my $errors = {};
5ede0249 WB	136	my $userid = $entry->{userid};
	137	if (defined(my $username = $entry->{username})) {
	138	if ($userid !~ /^\Q$username\E\@/) {
	139	$errors->{'username'} = 'invalid username for userid';
	140	}
	141	} else {
	142	# make sure the username's length is checked
	143	$entry->{username} = ($userid =~ s/\@.*$//r);
	144	}
c861cb3a DM	145	PVE::JSONSchema::check_prop($entry, $schema, '', $errors);
	146	if (scalar(%$errors)) {
	147	raise "verify entry failed\n", errors => $errors;
	148	}
	149	};
	150
1461db83 DM	151	my $fixup_root_properties = sub {
	152	my ($cfg) = @_;
	153
	154	$cfg->{'root@pam'}->{userid} = 'root@pam';
0c7e2ca4	155	$cfg->{'root@pam'}->{username} = 'root';
1beed876	156	$cfg->{'root@pam'}->{realm} = 'pam';
1461db83 DM	157	$cfg->{'root@pam'}->{enable} = 1;
	158	$cfg->{'root@pam'}->{expire} = 0;
	159	$cfg->{'root@pam'}->{comment} = 'Unix Superuser';
	160	$cfg->{'root@pam'}->{role} = 'root';
	161	delete $cfg->{'root@pam'}->{crypt_pass};
	162	};
	163
62ebb4bc DM	164	sub read_user_conf {
	165	my ($filename, $fh) = @_;
	166
	167	my $cfg = {};
	168
	169	if ($fh) {
	170
	171	my $comment = '';
	172
	173	while (defined(my $line = <$fh>)) {
	174	next if $line =~ m/^\s*$/;
	175	if ($line =~ m/^#(.*)$/) {
	176	$comment = $1;
	177	next;
	178	}
c861cb3a DM	179
	180	if ($line =~ m/^
	181	(?<userid>(?:[^\s:]+)) :
fff8e89c DM	182	(?<enable>[01]?) :
	183	(?<expire>\d*) :
	184	(?<crypt_pass>(?:[^\s:]*)) :
c861cb3a DM	185	(?<role>[a-z]+) :
c861cb3a DM	186	(?<email>(?:[^\s:]*)) :
aec44b24 DM	187	(?<firstname>(?:[^:]*)) :
aec44b24 DM	188	(?<lastname>(?:[^:]*)) :
c861cb3a DM	189	(?<keys>(?:[^:]*)) :
	190	$/x
	191	) {
62ebb4bc	192	my $d = {
0c7e2ca4	193	username => $+{userid},
4d813470	194	userid => $+{userid} . '@pmg',
1beed876	195	realm => 'pmg',
fff8e89c DM	196	enable => $+{enable} \|\| 0,
fff8e89c DM	197	expire => $+{expire} \|\| 0,
c861cb3a	198	role => $+{role},
62ebb4bc DM	199	};
	200	$d->{comment} = $comment if $comment;
	201	$comment = '';
aec44b24	202	foreach my $k (qw(crypt_pass email firstname lastname keys)) {
c861cb3a DM	203	$d->{$k} = $+{$k} if $+{$k};
	204	}
	205	eval {
7e37a733	206	$verify_entry->($d);
c861cb3a	207	$cfg->{$d->{userid}} = $d;
6006ffde DM	208	die "role 'root' is reserved\n"
6006ffde DM	209	if $d->{role} eq 'root' && $d->{userid} ne 'root@pmg';
c861cb3a DM	210	};
	211	if (my $err = $@) {
	212	warn "$filename: $err";
	213	}
62ebb4bc DM	214	} else {
	215	warn "$filename: ignore invalid line $.\n";
	216	$comment = '';
	217	}
	218	}
	219	}
	220
82613302 DM	221	# hack: we list root@pam here (root@pmg is an alias for root@pam)
	222	$cfg->{'root@pam'} = $cfg->{'root@pmg'} // {};
	223	delete $cfg->{'root@pmg'};
	224	$cfg->{'root@pam'} //= {};
1461db83 DM	225
1461db83 DM	226	$fixup_root_properties->($cfg);
62ebb4bc DM	227
	228	return $cfg;
	229	}
	230
	231	sub write_user_conf {
	232	my ($filename, $fh, $cfg) = @_;
	233
	234	my $raw = '';
	235
1461db83	236	$fixup_root_properties->($cfg);
fff8e89c DM	237
	238	foreach my $userid (keys %$cfg) {
	239	my $d = $cfg->{$userid};
82613302	240
fff8e89c	241	$d->{userid} = $userid;
4d813470	242
cf009a08	243	die "invalid userid '$userid'\n" if $userid eq 'root@pmg';
7e37a733	244	$verify_entry->($d);
830a5033	245	$cfg->{$d->{userid}} = $d;
7e818421	246
830a5033 WB	247	if ($d->{userid} ne 'root@pam') {
	248	die "role 'root' is reserved\n" if $d->{role} eq 'root';
	249	die "unable to add users for realm '$d->{realm}'\n"
	250	if $d->{realm} && $d->{realm} ne 'pmg';
fff8e89c	251	}
4d813470	252
82613302 DM	253	my $line;
	254
	255	if ($userid eq 'root@pam') {
	256	$line = 'root:';
	257	$d->{crypt_pass} = '',
05e34f94	258	$d->{expire} = '0',
82613302 DM	259	$d->{role} = 'root';
	260	} else {
	261	next if $userid !~ m/^(?<username>.+)\@pmg$/;
	262	$line = "$+{username}:";
	263	}
4d813470	264
aec44b24	265	for my $k (qw(enable expire crypt_pass role email firstname lastname keys)) {
fff8e89c DM	266	$line .= ($d->{$k} // '') . ':';
fff8e89c DM	267	}
0ecf02bc DM	268	if (my $comment = $d->{comment}) {
	269	my $firstline = (split /\n/, $comment)[0]; # only allow one line
	270	$raw .= "#$firstline\n";
	271	}
fff8e89c DM	272	$raw .= $line . "\n";
fff8e89c DM	273	}
62ebb4bc	274
5232f267 DM	275	my $gid = getgrnam('www-data');
	276	chown(0, $gid, $fh);
	277	chmod(0640, $fh);
dc5f6d6e	278
62ebb4bc DM	279	PVE::Tools::safe_print($filename, $fh, $raw);
	280	}
	281
	282	PVE::INotify::register_file($inotify_file_id, $config_filename,
	283	\&read_user_conf,
	284	\&write_user_conf,
	285	undef,
	286	always_call_parser => 1);
	287
	288	sub lookup_user_data {
	289	my ($self, $username, $noerr) = @_;
	290
	291	return $self->{$username} if $self->{$username};
	292
	293	die "no such user ('$username')\n" if !$noerr;
	294
	295	return undef;
	296	}
	297
	298	sub authenticate_user {
	299	my ($self, $username, $password) = @_;
	300
	301	die "no password\n" if !$password;
	302
	303	my $data = $self->lookup_user_data($username);
	304
c861cb3a DM	305	my $ctime = time();
	306	my $expire = $data->{expire};
	307
	308	die "account expired\n" if $expire && ($expire < $ctime);
	309
62ebb4bc DM	310	if ($data->{crypt_pass}) {
	311	my $encpw = crypt($password, $data->{crypt_pass});
	312	die "invalid credentials\n" if ($encpw ne $data->{crypt_pass});
	313	} else {
	314	die "no password set\n";
	315	}
	316
	317	return 1;
	318	}
	319
be06bc52	320	sub set_user_password {
62ebb4bc DM	321	my ($class, $username, $password) = @_;
	322
	323	lock_config(sub {
	324	my $cfg = $class->new();
	325	my $data = $cfg->lookup_user_data($username); # user exists
1a8170cf	326	my $epw = PVE::Tools::encrypt_pw($password);
62ebb4bc DM	327	$data->{crypt_pass} = $epw;
	328	$cfg->write();
	329	});
	330	}
	331
	332	1;