use strict;
use warnings;
-use Data::Dumper;
+
use Clone 'clone';
+use Scalar::Util 'weaken';
use PVE::Tools;
use PVE::INotify;
my $inotify_file_id = 'pmg-user.conf';
my $config_filename = '/etc/pmg/user.conf';
+my $tfa_inotify_file_id = 'pmg-tfa.json';
+my $tfa_config_filename = '/etc/pmg/tfa.json';
+
sub new {
my ($type) = @_;
}
my $lockfile = "/var/lock/pmguser.lck";
+my $tfa_lockfile = "/var/lock/pmgtfa.lck";
+# Locking both config files together is only ever allowed in one order:
+# 1) tfa config
+# 2) user config
+# If we permit the other way round, too, we might end up deadlocking!
+my $user_config_locked;
sub lock_config {
my ($code, $errmsg) = @_;
+ my $locked = 1;
+ $user_config_locked = \$locked;
+ weaken $user_config_locked; # make this scope guard signal safe...
+
my $p = PVE::Tools::lock_file($lockfile, undef, $code);
+ $user_config_locked = undef;
+ if (my $err = $@) {
+ $errmsg ? die "$errmsg: $err" : die $err;
+ }
+}
+
+# This lives here in order to enforce lock order.
+sub lock_tfa_config {
+ my ($code, $errmsg) = @_;
+
+ die "tfa config lock cannot be acquired while holding user config lock\n"
+ if ($user_config_locked && $$user_config_locked);
+
+ my $res = PVE::Tools::lock_file($tfa_lockfile, undef, $code);
if (my $err = $@) {
$errmsg ? die "$errmsg: $err" : die $err;
}
+
+ return $res;
}
my $schema = {