[proxmox-backup.git] / src / api2 / access / tfa.rs

//! Two Factor Authentication

use anyhow::{bail, format_err, Error};
use serde::{Deserialize, Serialize};

use proxmox::api::{api, Permission, Router, RpcEnvironment};
use proxmox::tools::tfa::totp::Totp;
use proxmox::{http_bail, http_err};

use crate::api2::types::{Authid, Userid, PASSWORD_SCHEMA};
use crate::config::acl::{PRIV_PERMISSIONS_MODIFY, PRIV_SYS_AUDIT};
use crate::config::cached_user_info::CachedUserInfo;
use crate::config::tfa::{TfaInfo, TfaUserData};

/// Perform first-factor (password) authentication only. Ignore password for the root user.
/// Otherwise check the current user's password.
///
/// This means that user admins need to type in their own password while editing a user, and
/// regular users, which can only change their own TFA settings (checked at the API level), can
/// change their own settings using their own password.
fn tfa_update_auth(
    rpcenv: &mut dyn RpcEnvironment,
    userid: &Userid,
    password: Option<String>,
    must_exist: bool,
) -> Result<(), Error> {
    let authid: Authid = rpcenv.get_auth_id().unwrap().parse()?;

    if authid.user() != Userid::root_userid() {
        let password = password.ok_or_else(|| http_err!(UNAUTHORIZED, "missing password"))?;
        let _: () = crate::auth::authenticate_user(authid.user(), &password)
            .map_err(|err| http_err!(UNAUTHORIZED, "{}", err))?;
    }

    // After authentication, verify that the to-be-modified user actually exists:
    if must_exist && authid.user() != userid {
        let (config, _digest) = crate::config::user::config()?;

        if config
            .lookup::<crate::config::user::User>("user", userid.as_str())
            .is_err()
        {
            http_bail!(UNAUTHORIZED, "user '{}' does not exists.", userid);
        }
    }

    Ok(())
}

#[api]
/// A TFA entry type.
#[derive(Deserialize, Serialize)]
#[serde(rename_all = "lowercase")]
enum TfaType {
    /// A TOTP entry type.
    Totp,
    /// A U2F token entry.
    U2f,
    /// A Webauthn token entry.
    Webauthn,
    /// Recovery tokens.
    Recovery,
}

#[api(
    properties: {
        type: { type: TfaType },
        info: { type: TfaInfo },
    },
)]
/// A TFA entry for a user.
#[derive(Deserialize, Serialize)]
#[serde(deny_unknown_fields)]
struct TypedTfaInfo {
    #[serde(rename = "type")]
    pub ty: TfaType,

    #[serde(flatten)]
    pub info: TfaInfo,
}

fn to_data(data: TfaUserData) -> Vec<TypedTfaInfo> {
    let mut out = Vec::with_capacity(
        data.totp.len()
            + data.u2f.len()
            + data.webauthn.len()
            + if data.recovery().is_some() { 1 } else { 0 },
    );
    if let Some(recovery) = data.recovery() {
        out.push(TypedTfaInfo {
            ty: TfaType::Recovery,
            info: TfaInfo::recovery(recovery.created),
        })
    }
    for entry in data.totp {
        out.push(TypedTfaInfo {
            ty: TfaType::Totp,
            info: entry.info,
        });
    }
    for entry in data.webauthn {
        out.push(TypedTfaInfo {
            ty: TfaType::Webauthn,
            info: entry.info,
        });
    }
    for entry in data.u2f {
        out.push(TypedTfaInfo {
            ty: TfaType::U2f,
            info: entry.info,
        });
    }
    out
}

/// Iterate through tuples of `(type, index, id)`.
fn tfa_id_iter(data: &TfaUserData) -> impl Iterator<Item = (TfaType, usize, &str)> {
    data.totp
        .iter()
        .enumerate()
        .map(|(i, entry)| (TfaType::Totp, i, entry.info.id.as_str()))
        .chain(
            data.webauthn
                .iter()
                .enumerate()
                .map(|(i, entry)| (TfaType::Webauthn, i, entry.info.id.as_str())),
        )
        .chain(
            data.u2f
                .iter()
                .enumerate()
                .map(|(i, entry)| (TfaType::U2f, i, entry.info.id.as_str())),
        )
        .chain(
            data.recovery
                .iter()
                .map(|_| (TfaType::Recovery, 0, "recovery")),
        )
}

#[api(
    protected: true,
    input: {
        properties: { userid: { type: Userid } },
    },
    access: {
        permission: &Permission::Or(&[
            &Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
            &Permission::UserParam("userid"),
        ]),
    },
)]
/// Add a TOTP secret to the user.
fn list_user_tfa(userid: Userid) -> Result<Vec<TypedTfaInfo>, Error> {
    let _lock = crate::config::tfa::read_lock()?;

    Ok(match crate::config::tfa::read()?.users.remove(&userid) {
        Some(data) => to_data(data),
        None => Vec::new(),
    })
}

#[api(
    protected: true,
    input: {
        properties: {
            userid: { type: Userid },
            id: { description: "the tfa entry id" }
        },
    },
    access: {
        permission: &Permission::Or(&[
            &Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
            &Permission::UserParam("userid"),
        ]),
    },
)]
/// Get a single TFA entry.
fn get_tfa_entry(userid: Userid, id: String) -> Result<TypedTfaInfo, Error> {
    let _lock = crate::config::tfa::read_lock()?;

    if let Some(user_data) = crate::config::tfa::read()?.users.remove(&userid) {
        match {
            // scope to prevent the temporary iter from borrowing across the whole match
            let entry = tfa_id_iter(&user_data).find(|(_ty, _index, entry_id)| id == *entry_id);
            entry.map(|(ty, index, _)| (ty, index))
        } {
            Some((TfaType::Recovery, _)) => {
                if let Some(recovery) = user_data.recovery() {
                    return Ok(TypedTfaInfo {
                        ty: TfaType::Recovery,
                        info: TfaInfo::recovery(recovery.created),
                    });
                }
            }
            Some((TfaType::Totp, index)) => {
                return Ok(TypedTfaInfo {
                    ty: TfaType::Totp,
                    // `into_iter().nth()` to *move* out of it
                    info: user_data.totp.into_iter().nth(index).unwrap().info,
                });
            }
            Some((TfaType::Webauthn, index)) => {
                return Ok(TypedTfaInfo {
                    ty: TfaType::Webauthn,
                    info: user_data.webauthn.into_iter().nth(index).unwrap().info,
                });
            }
            Some((TfaType::U2f, index)) => {
                return Ok(TypedTfaInfo {
                    ty: TfaType::U2f,
                    info: user_data.u2f.into_iter().nth(index).unwrap().info,
                });
            }
            None => (),
        }
    }

    http_bail!(NOT_FOUND, "no such tfa entry: {}/{}", userid, id);
}

#[api(
    protected: true,
    input: {
        properties: {
            userid: { type: Userid },
            id: {
                description: "the tfa entry id",
            },
            password: {
                schema: PASSWORD_SCHEMA,
                optional: true,
            },
        },
    },
    access: {
        permission: &Permission::Or(&[
            &Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
            &Permission::UserParam("userid"),
        ]),
    },
)]
/// Delete a single TFA entry.
fn delete_tfa(
    userid: Userid,
    id: String,
    password: Option<String>,
    rpcenv: &mut dyn RpcEnvironment,
) -> Result<(), Error> {
    tfa_update_auth(rpcenv, &userid, password, false)?;

    let _lock = crate::config::tfa::write_lock()?;

    let mut data = crate::config::tfa::read()?;

    let user_data = data
        .users
        .get_mut(&userid)
        .ok_or_else(|| http_err!(NOT_FOUND, "no such entry: {}/{}", userid, id))?;

    match {
        // scope to prevent the temporary iter from borrowing across the whole match
        let entry = tfa_id_iter(&user_data).find(|(_, _, entry_id)| id == *entry_id);
        entry.map(|(ty, index, _)| (ty, index))
    } {
        Some((TfaType::Recovery, _)) => user_data.recovery = None,
        Some((TfaType::Totp, index)) => drop(user_data.totp.remove(index)),
        Some((TfaType::Webauthn, index)) => drop(user_data.webauthn.remove(index)),
        Some((TfaType::U2f, index)) => drop(user_data.u2f.remove(index)),
        None => http_bail!(NOT_FOUND, "no such tfa entry: {}/{}", userid, id),
    }

    if user_data.is_empty() {
        data.users.remove(&userid);
    }

    crate::config::tfa::write(&data)?;

    Ok(())
}

#[api(
    properties: {
        "userid": { type: Userid },
        "entries": {
            type: Array,
            items: { type: TypedTfaInfo },
        },
    },
)]
#[derive(Deserialize, Serialize)]
#[serde(deny_unknown_fields)]
/// Over the API we only provide the descriptions for TFA data.
struct TfaUser {
    /// The user this entry belongs to.
    userid: Userid,

    /// TFA entries.
    entries: Vec<TypedTfaInfo>,
}

#[api(
    protected: true,
    input: {
        properties: {},
    },
    access: {
        permission: &Permission::Anybody,
        description: "Returns all or just the logged-in user, depending on privileges.",
    },
    returns: {
        description: "The list tuples of user and TFA entries.",
        type: Array,
        items: { type: TfaUser }
    },
)]
/// List user TFA configuration.
fn list_tfa(rpcenv: &mut dyn RpcEnvironment) -> Result<Vec<TfaUser>, Error> {
    let authid: Authid = rpcenv.get_auth_id().unwrap().parse()?;
    let user_info = CachedUserInfo::new()?;

    let top_level_privs = user_info.lookup_privs(&authid, &["access", "users"]);
    let top_level_allowed = (top_level_privs & PRIV_SYS_AUDIT) != 0;

    let _lock = crate::config::tfa::read_lock()?;
    let tfa_data = crate::config::tfa::read()?.users;

    let mut out = Vec::<TfaUser>::new();
    if top_level_allowed {
        for (user, data) in tfa_data {
            out.push(TfaUser {
                userid: user,
                entries: to_data(data),
            });
        }
    } else if let Some(data) = { tfa_data }.remove(authid.user()) {
        out.push(TfaUser {
            userid: authid.into(),
            entries: to_data(data),
        });
    }

    Ok(out)
}

#[api(
    properties: {
        recovery: {
            description: "A list of recovery codes as integers.",
            type: Array,
            items: {
                type: Integer,
                description: "A one-time usable recovery code entry.",
            },
        },
    },
)]
/// The result returned when adding TFA entries to a user.
#[derive(Default, Serialize)]
struct TfaUpdateInfo {
    /// The id if a newly added TFA entry.
    id: Option<String>,

    /// When adding u2f entries, this contains a challenge the user must respond to in order to
    /// finish the registration.
    #[serde(skip_serializing_if = "Option::is_none")]
    challenge: Option<String>,

    /// When adding recovery codes, this contains the list of codes to be displayed to the user
    /// this one time.
    #[serde(skip_serializing_if = "Vec::is_empty", default)]
    recovery: Vec<String>,
}

impl TfaUpdateInfo {
    fn id(id: String) -> Self {
        Self {
            id: Some(id),
            ..Default::default()
        }
    }
}

#[api(
    protected: true,
    input: {
        properties: {
            userid: { type: Userid },
            description: {
                description: "A description to distinguish multiple entries from one another",
                type: String,
                max_length: 255,
                optional: true,
            },
            "type": { type: TfaType },
            totp: {
                description: "A totp URI.",
                optional: true,
            },
            value: {
                description:
            "The current value for the provided totp URI, or a Webauthn/U2F challenge response",
                optional: true,
            },
            challenge: {
                description: "When responding to a u2f challenge: the original challenge string",
                optional: true,
            },
            password: {
                schema: PASSWORD_SCHEMA,
                optional: true,
            },
        },
    },
    returns: { type: TfaUpdateInfo },
    access: {
        permission: &Permission::Or(&[
            &Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
            &Permission::UserParam("userid"),
        ]),
    },
)]
/// Add a TFA entry to the user.
#[allow(clippy::too_many_arguments)]
fn add_tfa_entry(
    userid: Userid,
    description: Option<String>,
    totp: Option<String>,
    value: Option<String>,
    challenge: Option<String>,
    password: Option<String>,
    r#type: TfaType,
    rpcenv: &mut dyn RpcEnvironment,
) -> Result<TfaUpdateInfo, Error> {
    tfa_update_auth(rpcenv, &userid, password, true)?;

    let need_description =
        move || description.ok_or_else(|| format_err!("'description' is required for new entries"));

    match r#type {
        TfaType::Totp => match (totp, value) {
            (Some(totp), Some(value)) => {
                if challenge.is_some() {
                    bail!("'challenge' parameter is invalid for 'totp' entries");
                }
                let description = need_description()?;

                let totp: Totp = totp.parse()?;
                if totp
                    .verify(&value, std::time::SystemTime::now(), -1..=1)?
                    .is_none()
                {
                    bail!("failed to verify TOTP challenge");
                }
                crate::config::tfa::add_totp(&userid, description, totp).map(TfaUpdateInfo::id)
            }
            _ => bail!("'totp' type requires both 'totp' and 'value' parameters"),
        },
        TfaType::Webauthn => {
            if totp.is_some() {
                bail!("'totp' parameter is invalid for 'totp' entries");
            }

            match challenge {
                None => crate::config::tfa::add_webauthn_registration(&userid, need_description()?)
                    .map(|c| TfaUpdateInfo {
                        challenge: Some(c),
                        ..Default::default()
                    }),
                Some(challenge) => {
                    let value = value.ok_or_else(|| {
                        format_err!(
                            "missing 'value' parameter (webauthn challenge response missing)"
                        )
                    })?;
                    crate::config::tfa::finish_webauthn_registration(&userid, &challenge, &value)
                        .map(TfaUpdateInfo::id)
                }
            }
        }
        TfaType::U2f => {
            if totp.is_some() {
                bail!("'totp' parameter is invalid for 'totp' entries");
            }

            match challenge {
                None => crate::config::tfa::add_u2f_registration(&userid, need_description()?).map(
                    |c| TfaUpdateInfo {
                        challenge: Some(c),
                        ..Default::default()
                    },
                ),
                Some(challenge) => {
                    let value = value.ok_or_else(|| {
                        format_err!("missing 'value' parameter (u2f challenge response missing)")
                    })?;
                    crate::config::tfa::finish_u2f_registration(&userid, &challenge, &value)
                        .map(TfaUpdateInfo::id)
                }
            }
        }
        TfaType::Recovery => {
            if totp.or(value).or(challenge).is_some() {
                bail!("generating recovery tokens does not allow additional parameters");
            }

            let recovery = crate::config::tfa::add_recovery(&userid)?;

            Ok(TfaUpdateInfo {
                id: Some("recovery".to_string()),
                recovery,
                ..Default::default()
            })
        }
    }
}

#[api(
    protected: true,
    input: {
        properties: {
            userid: { type: Userid },
            id: {
                description: "the tfa entry id",
            },
            description: {
                description: "A description to distinguish multiple entries from one another",
                type: String,
                max_length: 255,
                optional: true,
            },
            enable: {
                description: "Whether this entry should currently be enabled or disabled",
                optional: true,
            },
            password: {
                schema: PASSWORD_SCHEMA,
                optional: true,
            },
        },
    },
    access: {
        permission: &Permission::Or(&[
            &Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
            &Permission::UserParam("userid"),
        ]),
    },
)]
/// Update user's TFA entry description.
fn update_tfa_entry(
    userid: Userid,
    id: String,
    description: Option<String>,
    enable: Option<bool>,
    password: Option<String>,
    rpcenv: &mut dyn RpcEnvironment,
) -> Result<(), Error> {
    tfa_update_auth(rpcenv, &userid, password, true)?;

    let _lock = crate::config::tfa::write_lock()?;

    let mut data = crate::config::tfa::read()?;

    let mut entry = data
        .users
        .get_mut(&userid)
        .and_then(|user| user.find_entry_mut(&id))
        .ok_or_else(|| http_err!(NOT_FOUND, "no such entry: {}/{}", userid, id))?;

    if let Some(description) = description {
        entry.description = description;
    }

    if let Some(enable) = enable {
        entry.enable = enable;
    }

    crate::config::tfa::write(&data)?;
    Ok(())
}

pub const ROUTER: Router = Router::new()
    .get(&API_METHOD_LIST_TFA)
    .match_all("userid", &USER_ROUTER);

const USER_ROUTER: Router = Router::new()
    .get(&API_METHOD_LIST_USER_TFA)
    .post(&API_METHOD_ADD_TFA_ENTRY)
    .match_all("id", &ITEM_ROUTER);

const ITEM_ROUTER: Router = Router::new()
    .get(&API_METHOD_GET_TFA_ENTRY)
    .put(&API_METHOD_UPDATE_TFA_ENTRY)
    .delete(&API_METHOD_DELETE_TFA);
Commit	Line	Data
bf78f708 DM	1	//! Two Factor Authentication
bf78f708 DM	2
027ef213 WB	3	use anyhow::{bail, format_err, Error};
027ef213 WB	4	use serde::{Deserialize, Serialize};
027ef213 WB	5
	6	use proxmox::api::{api, Permission, Router, RpcEnvironment};
	7	use proxmox::tools::tfa::totp::Totp;
	8	use proxmox::{http_bail, http_err};
	9
	10	use crate::api2::types::{Authid, Userid, PASSWORD_SCHEMA};
	11	use crate::config::acl::{PRIV_PERMISSIONS_MODIFY, PRIV_SYS_AUDIT};
	12	use crate::config::cached_user_info::CachedUserInfo;
	13	use crate::config::tfa::{TfaInfo, TfaUserData};
	14
	15	/// Perform first-factor (password) authentication only. Ignore password for the root user.
	16	/// Otherwise check the current user's password.
	17	///
	18	/// This means that user admins need to type in their own password while editing a user, and
	19	/// regular users, which can only change their own TFA settings (checked at the API level), can
	20	/// change their own settings using their own password.
	21	fn tfa_update_auth(
	22	rpcenv: &mut dyn RpcEnvironment,
	23	userid: &Userid,
	24	password: Option<String>,
eab25e2f	25	must_exist: bool,
027ef213 WB	26	) -> Result<(), Error> {
	27	let authid: Authid = rpcenv.get_auth_id().unwrap().parse()?;
	28
	29	if authid.user() != Userid::root_userid() {
7ad33e80 WB	30	let password = password.ok_or_else(\|\| http_err!(UNAUTHORIZED, "missing password"))?;
	31	let _: () = crate::auth::authenticate_user(authid.user(), &password)
	32	.map_err(\|err\| http_err!(UNAUTHORIZED, "{}", err))?;
027ef213 WB	33	}
	34
	35	// After authentication, verify that the to-be-modified user actually exists:
eab25e2f	36	if must_exist && authid.user() != userid {
027ef213 WB	37	let (config, _digest) = crate::config::user::config()?;
027ef213 WB	38
4bda5168 WB	39	if config
	40	.lookup::<crate::config::user::User>("user", userid.as_str())
	41	.is_err()
	42	{
7ad33e80	43	http_bail!(UNAUTHORIZED, "user '{}' does not exists.", userid);
027ef213 WB	44	}
	45	}
	46
	47	Ok(())
	48	}
	49
	50	#[api]
	51	/// A TFA entry type.
	52	#[derive(Deserialize, Serialize)]
	53	#[serde(rename_all = "lowercase")]
759af9f0	54	enum TfaType {
027ef213 WB	55	/// A TOTP entry type.
	56	Totp,
	57	/// A U2F token entry.
	58	U2f,
	59	/// A Webauthn token entry.
	60	Webauthn,
	61	/// Recovery tokens.
	62	Recovery,
	63	}
	64
	65	#[api(
	66	properties: {
	67	type: { type: TfaType },
	68	info: { type: TfaInfo },
	69	},
	70	)]
	71	/// A TFA entry for a user.
	72	#[derive(Deserialize, Serialize)]
	73	#[serde(deny_unknown_fields)]
759af9f0	74	struct TypedTfaInfo {
027ef213 WB	75	#[serde(rename = "type")]
	76	pub ty: TfaType,
	77
	78	#[serde(flatten)]
	79	pub info: TfaInfo,
	80	}
	81
	82	fn to_data(data: TfaUserData) -> Vec<TypedTfaInfo> {
	83	let mut out = Vec::with_capacity(
	84	data.totp.len()
	85	+ data.u2f.len()
	86	+ data.webauthn.len()
ad5cee1d	87	+ if data.recovery().is_some() { 1 } else { 0 },
027ef213	88	);
ad5cee1d	89	if let Some(recovery) = data.recovery() {
027ef213 WB	90	out.push(TypedTfaInfo {
027ef213 WB	91	ty: TfaType::Recovery,
ad5cee1d	92	info: TfaInfo::recovery(recovery.created),
027ef213 WB	93	})
	94	}
	95	for entry in data.totp {
	96	out.push(TypedTfaInfo {
	97	ty: TfaType::Totp,
	98	info: entry.info,
	99	});
	100	}
	101	for entry in data.webauthn {
	102	out.push(TypedTfaInfo {
	103	ty: TfaType::Webauthn,
	104	info: entry.info,
	105	});
	106	}
	107	for entry in data.u2f {
	108	out.push(TypedTfaInfo {
	109	ty: TfaType::U2f,
	110	info: entry.info,
	111	});
	112	}
	113	out
	114	}
	115
f58e5132 WB	116	/// Iterate through tuples of `(type, index, id)`.
	117	fn tfa_id_iter(data: &TfaUserData) -> impl Iterator<Item = (TfaType, usize, &str)> {
	118	data.totp
	119	.iter()
	120	.enumerate()
	121	.map(\|(i, entry)\| (TfaType::Totp, i, entry.info.id.as_str()))
	122	.chain(
	123	data.webauthn
	124	.iter()
	125	.enumerate()
	126	.map(\|(i, entry)\| (TfaType::Webauthn, i, entry.info.id.as_str())),
	127	)
	128	.chain(
	129	data.u2f
	130	.iter()
	131	.enumerate()
	132	.map(\|(i, entry)\| (TfaType::U2f, i, entry.info.id.as_str())),
	133	)
	134	.chain(
	135	data.recovery
	136	.iter()
	137	.map(\|_\| (TfaType::Recovery, 0, "recovery")),
	138	)
	139	}
	140
027ef213 WB	141	#[api(
	142	protected: true,
	143	input: {
	144	properties: { userid: { type: Userid } },
	145	},
	146	access: {
	147	permission: &Permission::Or(&[
	148	&Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
	149	&Permission::UserParam("userid"),
	150	]),
	151	},
	152	)]
	153	/// Add a TOTP secret to the user.
759af9f0	154	fn list_user_tfa(userid: Userid) -> Result<Vec<TypedTfaInfo>, Error> {
027ef213 WB	155	let _lock = crate::config::tfa::read_lock()?;
	156
	157	Ok(match crate::config::tfa::read()?.users.remove(&userid) {
	158	Some(data) => to_data(data),
	159	None => Vec::new(),
	160	})
	161	}
	162
	163	#[api(
	164	protected: true,
	165	input: {
	166	properties: {
	167	userid: { type: Userid },
	168	id: { description: "the tfa entry id" }
	169	},
	170	},
	171	access: {
	172	permission: &Permission::Or(&[
	173	&Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
	174	&Permission::UserParam("userid"),
	175	]),
	176	},
	177	)]
	178	/// Get a single TFA entry.
759af9f0	179	fn get_tfa_entry(userid: Userid, id: String) -> Result<TypedTfaInfo, Error> {
027ef213 WB	180	let _lock = crate::config::tfa::read_lock()?;
	181
	182	if let Some(user_data) = crate::config::tfa::read()?.users.remove(&userid) {
f58e5132	183	match {
d1d74c43	184	// scope to prevent the temporary iter from borrowing across the whole match
f58e5132 WB	185	let entry = tfa_id_iter(&user_data).find(\|(_ty, _index, entry_id)\| id == *entry_id);
	186	entry.map(\|(ty, index, _)\| (ty, index))
	187	} {
	188	Some((TfaType::Recovery, _)) => {
ad5cee1d WB	189	if let Some(recovery) = user_data.recovery() {
	190	return Ok(TypedTfaInfo {
	191	ty: TfaType::Recovery,
	192	info: TfaInfo::recovery(recovery.created),
	193	});
	194	}
027ef213	195	}
f58e5132 WB	196	Some((TfaType::Totp, index)) => {
	197	return Ok(TypedTfaInfo {
	198	ty: TfaType::Totp,
	199	// `into_iter().nth()` to move out of it
	200	info: user_data.totp.into_iter().nth(index).unwrap().info,
	201	});
027ef213	202	}
f58e5132 WB	203	Some((TfaType::Webauthn, index)) => {
	204	return Ok(TypedTfaInfo {
	205	ty: TfaType::Webauthn,
	206	info: user_data.webauthn.into_iter().nth(index).unwrap().info,
	207	});
027ef213	208	}
f58e5132 WB	209	Some((TfaType::U2f, index)) => {
	210	return Ok(TypedTfaInfo {
	211	ty: TfaType::U2f,
	212	info: user_data.u2f.into_iter().nth(index).unwrap().info,
	213	});
027ef213	214	}
f58e5132	215	None => (),
027ef213 WB	216	}
	217	}
	218
	219	http_bail!(NOT_FOUND, "no such tfa entry: {}/{}", userid, id);
	220	}
	221
	222	#[api(
	223	protected: true,
	224	input: {
	225	properties: {
	226	userid: { type: Userid },
	227	id: {
	228	description: "the tfa entry id",
	229	},
	230	password: {
	231	schema: PASSWORD_SCHEMA,
	232	optional: true,
	233	},
	234	},
	235	},
	236	access: {
	237	permission: &Permission::Or(&[
	238	&Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
	239	&Permission::UserParam("userid"),
	240	]),
	241	},
	242	)]
043018cf	243	/// Delete a single TFA entry.
759af9f0	244	fn delete_tfa(
027ef213 WB	245	userid: Userid,
	246	id: String,
	247	password: Option<String>,
	248	rpcenv: &mut dyn RpcEnvironment,
	249	) -> Result<(), Error> {
eab25e2f	250	tfa_update_auth(rpcenv, &userid, password, false)?;
027ef213 WB	251
	252	let _lock = crate::config::tfa::write_lock()?;
	253
	254	let mut data = crate::config::tfa::read()?;
	255
	256	let user_data = data
	257	.users
	258	.get_mut(&userid)
	259	.ok_or_else(\|\| http_err!(NOT_FOUND, "no such entry: {}/{}", userid, id))?;
	260
f58e5132	261	match {
d1d74c43	262	// scope to prevent the temporary iter from borrowing across the whole match
f58e5132 WB	263	let entry = tfa_id_iter(&user_data).find(\|(_, _, entry_id)\| id == *entry_id);
	264	entry.map(\|(ty, index, _)\| (ty, index))
	265	} {
	266	Some((TfaType::Recovery, _)) => user_data.recovery = None,
	267	Some((TfaType::Totp, index)) => drop(user_data.totp.remove(index)),
	268	Some((TfaType::Webauthn, index)) => drop(user_data.webauthn.remove(index)),
	269	Some((TfaType::U2f, index)) => drop(user_data.u2f.remove(index)),
	270	None => http_bail!(NOT_FOUND, "no such tfa entry: {}/{}", userid, id),
027ef213 WB	271	}
	272
	273	if user_data.is_empty() {
	274	data.users.remove(&userid);
	275	}
	276
	277	crate::config::tfa::write(&data)?;
	278
	279	Ok(())
	280	}
	281
	282	#[api(
	283	properties: {
	284	"userid": { type: Userid },
	285	"entries": {
	286	type: Array,
	287	items: { type: TypedTfaInfo },
	288	},
	289	},
	290	)]
	291	#[derive(Deserialize, Serialize)]
	292	#[serde(deny_unknown_fields)]
	293	/// Over the API we only provide the descriptions for TFA data.
759af9f0	294	struct TfaUser {
027ef213 WB	295	/// The user this entry belongs to.
	296	userid: Userid,
	297
	298	/// TFA entries.
	299	entries: Vec<TypedTfaInfo>,
	300	}
	301
	302	#[api(
	303	protected: true,
	304	input: {
	305	properties: {},
	306	},
	307	access: {
	308	permission: &Permission::Anybody,
	309	description: "Returns all or just the logged-in user, depending on privileges.",
	310	},
759af9f0 WB	311	returns: {
	312	description: "The list tuples of user and TFA entries.",
	313	type: Array,
	314	items: { type: TfaUser }
	315	},
027ef213 WB	316	)]
027ef213 WB	317	/// List user TFA configuration.
759af9f0	318	fn list_tfa(rpcenv: &mut dyn RpcEnvironment) -> Result<Vec<TfaUser>, Error> {
027ef213 WB	319	let authid: Authid = rpcenv.get_auth_id().unwrap().parse()?;
	320	let user_info = CachedUserInfo::new()?;
	321
	322	let top_level_privs = user_info.lookup_privs(&authid, &["access", "users"]);
	323	let top_level_allowed = (top_level_privs & PRIV_SYS_AUDIT) != 0;
	324
	325	let _lock = crate::config::tfa::read_lock()?;
	326	let tfa_data = crate::config::tfa::read()?.users;
	327
	328	let mut out = Vec::<TfaUser>::new();
	329	if top_level_allowed {
	330	for (user, data) in tfa_data {
	331	out.push(TfaUser {
	332	userid: user,
	333	entries: to_data(data),
	334	});
	335	}
47ea98e0 FG	336	} else if let Some(data) = { tfa_data }.remove(authid.user()) {
	337	out.push(TfaUser {
	338	userid: authid.into(),
	339	entries: to_data(data),
	340	});
027ef213 WB	341	}
027ef213 WB	342
759af9f0	343	Ok(out)
027ef213 WB	344	}
	345
	346	#[api(
	347	properties: {
	348	recovery: {
	349	description: "A list of recovery codes as integers.",
	350	type: Array,
	351	items: {
	352	type: Integer,
	353	description: "A one-time usable recovery code entry.",
	354	},
	355	},
	356	},
	357	)]
	358	/// The result returned when adding TFA entries to a user.
	359	#[derive(Default, Serialize)]
	360	struct TfaUpdateInfo {
	361	/// The id if a newly added TFA entry.
	362	id: Option<String>,
	363
	364	/// When adding u2f entries, this contains a challenge the user must respond to in order to
	365	/// finish the registration.
	366	#[serde(skip_serializing_if = "Option::is_none")]
	367	challenge: Option<String>,
	368
	369	/// When adding recovery codes, this contains the list of codes to be displayed to the user
	370	/// this one time.
	371	#[serde(skip_serializing_if = "Vec::is_empty", default)]
	372	recovery: Vec<String>,
	373	}
	374
	375	impl TfaUpdateInfo {
	376	fn id(id: String) -> Self {
	377	Self {
	378	id: Some(id),
	379	..Default::default()
	380	}
	381	}
	382	}
	383
	384	#[api(
	385	protected: true,
	386	input: {
	387	properties: {
	388	userid: { type: Userid },
	389	description: {
	390	description: "A description to distinguish multiple entries from one another",
	391	type: String,
	392	max_length: 255,
	393	optional: true,
	394	},
	395	"type": { type: TfaType },
	396	totp: {
	397	description: "A totp URI.",
	398	optional: true,
	399	},
	400	value: {
	401	description:
	402	"The current value for the provided totp URI, or a Webauthn/U2F challenge response",
	403	optional: true,
	404	},
	405	challenge: {
	406	description: "When responding to a u2f challenge: the original challenge string",
	407	optional: true,
408	},
409	password: {
410	schema: PASSWORD_SCHEMA,
411	optional: true,
412	},
413	},
414	},
415	returns: { type: TfaUpdateInfo },
416	access: {
417	permission: &Permission::Or(&[
418	&Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
419	&Permission::UserParam("userid"),
420	]),
421	},
422	)]
423	/// Add a TFA entry to the user.
367c0ff7	424	#[allow(clippy::too_many_arguments)]
027ef213 WB	425	fn add_tfa_entry(
	426	userid: Userid,
	427	description: Option<String>,
	428	totp: Option<String>,
	429	value: Option<String>,
	430	challenge: Option<String>,
	431	password: Option<String>,
d8318467	432	r#type: TfaType,
027ef213 WB	433	rpcenv: &mut dyn RpcEnvironment,
027ef213 WB	434	) -> Result<TfaUpdateInfo, Error> {
eab25e2f	435	tfa_update_auth(rpcenv, &userid, password, true)?;
027ef213	436
027ef213 WB	437	let need_description =
	438	move \|\| description.ok_or_else(\|\| format_err!("'description' is required for new entries"));
	439
d8318467	440	match r#type {
027ef213 WB	441	TfaType::Totp => match (totp, value) {
	442	(Some(totp), Some(value)) => {
	443	if challenge.is_some() {
	444	bail!("'challenge' parameter is invalid for 'totp' entries");
	445	}
	446	let description = need_description()?;
	447
	448	let totp: Totp = totp.parse()?;
	449	if totp
	450	.verify(&value, std::time::SystemTime::now(), -1..=1)?
	451	.is_none()
	452	{
	453	bail!("failed to verify TOTP challenge");
	454	}
	455	crate::config::tfa::add_totp(&userid, description, totp).map(TfaUpdateInfo::id)
	456	}
	457	_ => bail!("'totp' type requires both 'totp' and 'value' parameters"),
	458	},
	459	TfaType::Webauthn => {
	460	if totp.is_some() {
	461	bail!("'totp' parameter is invalid for 'totp' entries");
	462	}
	463
	464	match challenge {
	465	None => crate::config::tfa::add_webauthn_registration(&userid, need_description()?)
	466	.map(\|c\| TfaUpdateInfo {
	467	challenge: Some(c),
	468	..Default::default()
	469	}),
	470	Some(challenge) => {
	471	let value = value.ok_or_else(\|\| {
	472	format_err!(
	473	"missing 'value' parameter (webauthn challenge response missing)"
	474	)
	475	})?;
	476	crate::config::tfa::finish_webauthn_registration(&userid, &challenge, &value)
	477	.map(TfaUpdateInfo::id)
	478	}
	479	}
	480	}
	481	TfaType::U2f => {
	482	if totp.is_some() {
	483	bail!("'totp' parameter is invalid for 'totp' entries");
	484	}
	485
	486	match challenge {
	487	None => crate::config::tfa::add_u2f_registration(&userid, need_description()?).map(
	488	\|c\| TfaUpdateInfo {
	489	challenge: Some(c),
	490	..Default::default()
	491	},
	492	),
	493	Some(challenge) => {
	494	let value = value.ok_or_else(\|\| {
	495	format_err!("missing 'value' parameter (u2f challenge response missing)")
	496	})?;
	497	crate::config::tfa::finish_u2f_registration(&userid, &challenge, &value)
	498	.map(TfaUpdateInfo::id)
	499	}
	500	}
	501	}
	502	TfaType::Recovery => {
	503	if totp.or(value).or(challenge).is_some() {
	504	bail!("generating recovery tokens does not allow additional parameters");
505	}
506
507	let recovery = crate::config::tfa::add_recovery(&userid)?;
508
509	Ok(TfaUpdateInfo {
510	id: Some("recovery".to_string()),
511	recovery,
512	..Default::default()
513	})
514	}
515	}
516	}
517
518	#[api(
519	protected: true,
520	input: {
521	properties: {
522	userid: { type: Userid },
523	id: {
524	description: "the tfa entry id",
525	},
526	description: {
527	description: "A description to distinguish multiple entries from one another",
528	type: String,
529	max_length: 255,
530	optional: true,
531	},
532	enable: {
533	description: "Whether this entry should currently be enabled or disabled",
534	optional: true,
535	},
536	password: {
537	schema: PASSWORD_SCHEMA,
538	optional: true,
539	},
540	},
541	},
542	access: {
543	permission: &Permission::Or(&[
544	&Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
545	&Permission::UserParam("userid"),
546	]),
547	},
548	)]
549	/// Update user's TFA entry description.
759af9f0	550	fn update_tfa_entry(
027ef213 WB	551	userid: Userid,
	552	id: String,
	553	description: Option<String>,
	554	enable: Option<bool>,
	555	password: Option<String>,
	556	rpcenv: &mut dyn RpcEnvironment,
	557	) -> Result<(), Error> {
eab25e2f	558	tfa_update_auth(rpcenv, &userid, password, true)?;
027ef213 WB	559
	560	let _lock = crate::config::tfa::write_lock()?;
	561
	562	let mut data = crate::config::tfa::read()?;
	563
	564	let mut entry = data
	565	.users
	566	.get_mut(&userid)
	567	.and_then(\|user\| user.find_entry_mut(&id))
	568	.ok_or_else(\|\| http_err!(NOT_FOUND, "no such entry: {}/{}", userid, id))?;
	569
	570	if let Some(description) = description {
	571	entry.description = description;
	572	}
	573
	574	if let Some(enable) = enable {
	575	entry.enable = enable;
	576	}
	577
	578	crate::config::tfa::write(&data)?;
	579	Ok(())
	580	}
	581
	582	pub const ROUTER: Router = Router::new()
	583	.get(&API_METHOD_LIST_TFA)
	584	.match_all("userid", &USER_ROUTER);
	585
	586	const USER_ROUTER: Router = Router::new()
	587	.get(&API_METHOD_LIST_USER_TFA)
	588	.post(&API_METHOD_ADD_TFA_ENTRY)
	589	.match_all("id", &ITEM_ROUTER);
	590
	591	const ITEM_ROUTER: Router = Router::new()
1fc9ac04	592	.get(&API_METHOD_GET_TFA_ENTRY)
027ef213 WB	593	.put(&API_METHOD_UPDATE_TFA_ENTRY)
027ef213 WB	594	.delete(&API_METHOD_DELETE_TFA);