]> git.proxmox.com Git - pmg-api.git/blob - PMG/UserConfig.pm
projects / pmg-api.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
PMG/API2/MyNetworks.pm: fix links attribute
[pmg-api.git] / PMG / UserConfig.pm
1 package PMG::UserConfig;
2
3 use strict;
4 use warnings;
5 use Data::Dumper;
6 use Clone 'clone';
7
8 use PVE::Tools;
9 use PVE::INotify;
10 use PVE::JSONSchema qw(get_standard_option);
11 use PVE::Exception qw(raise);
12
13 use PMG::Utils;
14
15 my $inotify_file_id = 'pmg-user.conf';
16 my $config_filename = '/etc/pmg/user.conf';
17
18 sub new {
19 my ($type) = @_;
20
21 my $class = ref($type) || $type;
22
23 my $cfg = PVE::INotify::read_file($inotify_file_id);
24
25 return bless $cfg, $class;
26 }
27
28 sub write {
29 my ($self) = @_;
30
31 PVE::INotify::write_file($inotify_file_id, $self);
32 }
33
34 my $lockfile = "/var/lock/pmguser.lck";
35
36 sub lock_config {
37 my ($code, $errmsg) = @_;
38
39 my $p = PVE::Tools::lock_file($lockfile, undef, $code);
40 if (my $err = $@) {
41 $errmsg ? die "$errmsg: $err" : die $err;
42 }
43 }
44
45 my $schema = {
46 additionalProperties => 0,
47 properties => {
48 userid => get_standard_option('userid'),
49 username => get_standard_option('username', { optional => 1 }),
50 realm => {
51 description => "Authentication realm.",
52 type => 'string',
53 enum => ['pam', 'pmg'],
54 default => 'pmg',
55 optional => 1,
56 },
57 email => {
58 description => "Users E-Mail address.",
59 type => 'string', format => 'email',
60 optional => 1,
61 },
62 expire => {
63 description => "Account expiration date (seconds since epoch). '0' means no expiration date.",
64 type => 'integer',
65 minimum => 0,
66 default => 0,
67 optional => 1,
68 },
69 enable => {
70 description => "Flag to enable or disable the account.",
71 type => 'boolean',
72 default => 0,
73 optional => 1,
74 },
75 crypt_pass => {
76 description => "Encrypted password (see `man crypt`)",
77 type => 'string',
78 pattern => '\$\d\$[a-zA-Z0-9\.\/]+\$[a-zA-Z0-9\.\/]+',
79 optional => 1,
80 },
81 role => {
82 description => "User role. Role 'root' is reseved for the Unix Superuser.",
83 type => 'string',
84 enum => ['root', 'admin', 'qmanager', 'audit'],
85 },
86 firstname => {
87 description => "First name.",
88 type => 'string',
89 maxLength => 64,
90 optional => 1,
91 },
92 lastname => {
93 description => "Last name.",
94 type => 'string',
95 maxLength => 64,
96 optional => 1,
97 },
98 keys => {
99 description => "Keys for two factor auth (yubico).",
100 type => 'string',
101 maxLength => 128,
102 optional => 1,
103 },
104 comment => {
105 description => "Comment.",
106 type => 'string',
107 optional => 1,
108 },
109 },
110 };
111
112 our $create_schema = clone($schema);
113 delete $create_schema->{properties}->{username};
114 delete $create_schema->{properties}->{realm};
115 $create_schema->{properties}->{password} = {
116 description => "Password",
117 type => 'string',
118 maxLength => 32,
119 minLength => 5,
120 optional => 1,
121 };
122
123 our $update_schema = clone($create_schema);
124 $update_schema->{properties}->{role}->{optional} = 1;
125 $update_schema->{properties}->{delete} = {
126 type => 'string', format => 'pve-configid-list',
127 description => "A list of settings you want to delete.",
128 maxLength => 4096,
129 optional => 1,
130 };
131
132 my $verity_entry = sub {
133 my ($entry) = @_;
134
135 my $errors = {};
136 PVE::JSONSchema::check_prop($entry, $schema, '', $errors);
137 if (scalar(%$errors)) {
138 raise "verify entry failed\n", errors => $errors;
139 }
140 };
141
142 my $fixup_root_properties = sub {
143 my ($cfg) = @_;
144
145 $cfg->{'root@pam'}->{userid} = 'root@pam';
146 $cfg->{'root@pam'}->{username} = 'root';
147 $cfg->{'root@pam'}->{realm} = 'pam';
148 $cfg->{'root@pam'}->{enable} = 1;
149 $cfg->{'root@pam'}->{expire} = 0;
150 $cfg->{'root@pam'}->{comment} = 'Unix Superuser';
151 $cfg->{'root@pam'}->{role} = 'root';
152 delete $cfg->{'root@pam'}->{crypt_pass};
153 };
154
155 sub read_user_conf {
156 my ($filename, $fh) = @_;
157
158 my $cfg = {};
159
160 if ($fh) {
161
162 my $comment = '';
163
164 while (defined(my $line = <$fh>)) {
165 next if $line =~ m/^\s*$/;
166 if ($line =~ m/^#(.*)$/) {
167 $comment = $1;
168 next;
169 }
170
171 if ($line =~ m/^
172 (?<userid>(?:[^\s:]+)) :
173 (?<enable>[01]?) :
174 (?<expire>\d*) :
175 (?<crypt_pass>(?:[^\s:]*)) :
176 (?<role>[a-z]+) :
177 (?<email>(?:[^\s:]*)) :
178 (?<firstname>(?:[^:]*)) :
179 (?<lastname>(?:[^:]*)) :
180 (?<keys>(?:[^:]*)) :
181 $/x
182 ) {
183 my $d = {
184 username => $+{userid},
185 userid => $+{userid} . '@pmg',
186 realm => 'pmg',
187 enable => $+{enable} || 0,
188 expire => $+{expire} || 0,
189 role => $+{role},
190 };
191 $d->{comment} = $comment if $comment;
192 $comment = '';
193 foreach my $k (qw(crypt_pass email firstname lastname keys)) {
194 $d->{$k} = $+{$k} if $+{$k};
195 }
196 eval {
197 $verity_entry->($d);
198 $cfg->{$d->{userid}} = $d;
199 die "role 'root' is reserved\n"
200 if $d->{role} eq 'root' && $d->{userid} ne 'root@pmg';
201 };
202 if (my $err = $@) {
203 warn "$filename: $err";
204 }
205 } else {
206 warn "$filename: ignore invalid line $.\n";
207 $comment = '';
208 }
209 }
210 }
211
212 # hack: we list root@pam here (root@pmg is an alias for root@pam)
213 $cfg->{'root@pam'} = $cfg->{'root@pmg'} // {};
214 delete $cfg->{'root@pmg'};
215 $cfg->{'root@pam'} //= {};
216
217 $fixup_root_properties->($cfg);
218
219 return $cfg;
220 }
221
222 sub write_user_conf {
223 my ($filename, $fh, $cfg) = @_;
224
225 my $raw = '';
226
227 $fixup_root_properties->($cfg);
228
229 foreach my $userid (keys %$cfg) {
230 my $d = $cfg->{$userid};
231
232 $d->{userid} = $userid;
233
234 die "invalid userid '$userid'\n" if $userid eq 'root@pmg';
235
236 eval {
237 $verity_entry->($d);
238 $cfg->{$d->{userid}} = $d;
239
240 if ($d->{userid} ne 'root@pam') {
241 die "role 'root' is reserved\n" if $d->{role} eq 'root';
242 die "unable to add users for realm '$d->{realm}'\n"
243 if $d->{realm} && $d->{realm} ne 'pmg';
244 }
245 };
246 if (my $err = $@) {
247 die $err;
248 }
249
250 my $line;
251
252 if ($userid eq 'root@pam') {
253 $line = 'root:';
254 $d->{crypt_pass} = '',
255 $d->{expire} = '0',
256 $d->{role} = 'root';
257 } else {
258 next if $userid !~ m/^(?<username>.+)\@pmg$/;
259 $line = "$+{username}:";
260 }
261
262 for my $k (qw(enable expire crypt_pass role email firstname lastname keys)) {
263 $line .= ($d->{$k} // '') . ':';
264 }
265 if (my $comment = $d->{comment}) {
266 my $firstline = (split /\n/, $comment)[0]; # only allow one line
267 $raw .= "#$firstline\n";
268 }
269 $raw .= $line . "\n";
270 }
271
272 my $gid = getgrnam('www-data');
273 chown(0, $gid, $fh);
274 chmod(0640, $fh);
275
276 PVE::Tools::safe_print($filename, $fh, $raw);
277 }
278
279 PVE::INotify::register_file($inotify_file_id, $config_filename,
280 \&read_user_conf,
281 \&write_user_conf,
282 undef,
283 always_call_parser => 1);
284
285 sub lookup_user_data {
286 my ($self, $username, $noerr) = @_;
287
288 return $self->{$username} if $self->{$username};
289
290 die "no such user ('$username')\n" if !$noerr;
291
292 return undef;
293 }
294
295 sub authenticate_user {
296 my ($self, $username, $password) = @_;
297
298 die "no password\n" if !$password;
299
300 my $data = $self->lookup_user_data($username);
301
302 my $ctime = time();
303 my $expire = $data->{expire};
304
305 die "account expired\n" if $expire && ($expire < $ctime);
306
307 if ($data->{crypt_pass}) {
308 my $encpw = crypt($password, $data->{crypt_pass});
309 die "invalid credentials\n" if ($encpw ne $data->{crypt_pass});
310 } else {
311 die "no password set\n";
312 }
313
314 return 1;
315 }
316
317 sub set_user_password {
318 my ($class, $username, $password) = @_;
319
320 lock_config(sub {
321 my $cfg = $class->new();
322 my $data = $cfg->lookup_user_data($username); # user exists
323 my $epw = PVE::Tools::encrypt_pw($password);
324 $data->{crypt_pass} = $epw;
325 $cfg->write();
326 });
327 }
328
329 1;
PMG API