]>
Commit | Line | Data |
---|---|---|
5bb4e06a DM |
1 | package PVE::Auth::PVE; |
2 | ||
3 | use strict; | |
7c410d63 DM |
4 | use warnings; |
5 | ||
5bb4e06a DM |
6 | use PVE::Auth::Plugin; |
7 | use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file); | |
8 | ||
9 | use base qw(PVE::Auth::Plugin); | |
10 | ||
11 | my $shadowconfigfile = "priv/shadow.cfg"; | |
12 | ||
13 | cfs_register_file($shadowconfigfile, | |
14 | \&parse_shadow_passwd, | |
15 | \&write_shadow_config); | |
16 | ||
17 | sub parse_shadow_passwd { | |
18 | my ($filename, $raw) = @_; | |
19 | ||
20 | my $shadow = {}; | |
21 | ||
22 | while ($raw && $raw =~ s/^(.*?)(\n|$)//) { | |
23 | my $line = $1; | |
24 | ||
25 | next if $line =~ m/^\s*$/; # skip empty lines | |
26 | ||
27 | if ($line !~ m/^\S+:\S+:$/) { | |
28 | warn "pve shadow password: ignore invalid line $.\n"; | |
29 | next; | |
30 | } | |
31 | ||
32 | my ($userid, $crypt_pass) = split (/:/, $line); | |
33 | $shadow->{users}->{$userid}->{shadow} = $crypt_pass; | |
34 | } | |
35 | ||
36 | return $shadow; | |
37 | } | |
38 | ||
39 | sub write_shadow_config { | |
40 | my ($filename, $cfg) = @_; | |
41 | ||
42 | my $data = ''; | |
43 | foreach my $userid (keys %{$cfg->{users}}) { | |
44 | my $crypt_pass = $cfg->{users}->{$userid}->{shadow}; | |
45 | $data .= "$userid:$crypt_pass:\n"; | |
46 | } | |
47 | ||
48 | return $data | |
49 | } | |
50 | ||
51 | sub lock_shadow_config { | |
52 | my ($code, $errmsg) = @_; | |
53 | ||
54 | cfs_lock_file($shadowconfigfile, undef, $code); | |
55 | my $err = $@; | |
56 | if ($err) { | |
57 | $errmsg ? die "$errmsg: $err" : die $err; | |
58 | } | |
59 | } | |
60 | ||
61 | sub type { | |
62 | return 'pve'; | |
63 | } | |
64 | ||
65 | sub defaults { | |
66 | return { | |
67 | default => { optional => 1 }, | |
68 | comment => { optional => 1 }, | |
69 | }; | |
70 | } | |
71 | ||
72 | sub authenticate_user { | |
73 | my ($class, $config, $realm, $username, $password) = @_; | |
74 | ||
75 | die "no password\n" if !$password; | |
76 | ||
77 | my $shadow_cfg = cfs_read_file($shadowconfigfile); | |
78 | ||
79 | if ($shadow_cfg->{users}->{$username}) { | |
80 | my $encpw = crypt($password, $shadow_cfg->{users}->{$username}->{shadow}); | |
81 | die "invalid credentials\n" if ($encpw ne $shadow_cfg->{users}->{$username}->{shadow}); | |
82 | } else { | |
83 | die "no password set\n"; | |
84 | } | |
85 | ||
86 | return 1; | |
87 | } | |
88 | ||
89 | sub store_password { | |
90 | my ($class, $config, $realm, $username, $password) = @_; | |
91 | ||
92 | lock_shadow_config(sub { | |
93 | my $shadow_cfg = cfs_read_file($shadowconfigfile); | |
94 | my $epw = PVE::Auth::Plugin::encrypt_pw($password); | |
95 | $shadow_cfg->{users}->{$username}->{shadow} = $epw; | |
96 | cfs_write_file($shadowconfigfile, $shadow_cfg); | |
97 | }); | |
98 | } | |
99 | ||
100 | sub delete_user { | |
101 | my ($class, $config, $realm, $username) = @_; | |
102 | ||
103 | lock_shadow_config(sub { | |
104 | my $shadow_cfg = cfs_read_file($shadowconfigfile); | |
105 | ||
106 | delete $shadow_cfg->{users}->{$username}; | |
107 | ||
108 | cfs_write_file($shadowconfigfile, $shadow_cfg); | |
109 | }); | |
110 | } | |
111 | ||
112 | 1; |