[pve-access-control.git] / PVE / Auth / PVE.pm

package PVE::Auth::PVE;

use strict;
use warnings;
use Encode;

use PVE::Tools;
use PVE::Auth::Plugin;
use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file);

use base qw(PVE::Auth::Plugin);

my $shadowconfigfile = "priv/shadow.cfg";

cfs_register_file($shadowconfigfile, 
		  \&parse_shadow_passwd, 
		  \&write_shadow_config);

sub parse_shadow_passwd {
    my ($filename, $raw) = @_;

    my $shadow = {};

    return $shadow if !defined($raw);

    while ($raw =~ /^\s*(.+?)\s*$/gm) {
	my $line = $1;

	if ($line !~ m/^\S+:\S+:$/) {
	    warn "pve shadow password: ignore invalid line $.\n";
	    next;
	}

	my ($userid, $crypt_pass) = split (/:/, $line);
	$shadow->{users}->{$userid}->{shadow} = $crypt_pass;
    }

    return $shadow;
}

sub write_shadow_config {
    my ($filename, $cfg) = @_;

    my $data = '';
    foreach my $userid (keys %{$cfg->{users}}) {
	my $crypt_pass = $cfg->{users}->{$userid}->{shadow};
	$data .= "$userid:$crypt_pass:\n";
    }

    return $data
}

sub lock_shadow_config {
    my ($code, $errmsg) = @_;

    cfs_lock_file($shadowconfigfile, undef, $code);
    my $err = $@;
    if ($err) {
	$errmsg ? die "$errmsg: $err" : die $err;
    }
}

sub type {
    return 'pve';
}

sub options {
    return {
	default => { optional => 1 },
	comment => { optional => 1 },
	tfa => { optional => 1 },
    };
}

sub authenticate_user {
    my ($class, $config, $realm, $username, $password) = @_;

    die "no password\n" if !$password;

    my $shadow_cfg = cfs_read_file($shadowconfigfile);
    
    if ($shadow_cfg->{users}->{$username}) {
	my $encpw = crypt(Encode::encode('utf8', $password),
			  $shadow_cfg->{users}->{$username}->{shadow});
       die "invalid credentials\n" if ($encpw ne $shadow_cfg->{users}->{$username}->{shadow});
    } else {
	die "no password set\n";
    }

    return 1;
}

sub store_password {
    my ($class, $config, $realm, $username, $password) = @_;

    lock_shadow_config(sub {
	my $shadow_cfg = cfs_read_file($shadowconfigfile);
	my $epw = PVE::Tools::encrypt_pw($password);
	$shadow_cfg->{users}->{$username}->{shadow} = $epw;
	cfs_write_file($shadowconfigfile, $shadow_cfg);
    });
}

sub delete_user {
    my ($class, $config, $realm, $username) = @_;
 
    lock_shadow_config(sub {
	my $shadow_cfg = cfs_read_file($shadowconfigfile);

	delete $shadow_cfg->{users}->{$username};

	cfs_write_file($shadowconfigfile, $shadow_cfg);
   });
}

1;
Commit	Line	Data
5bb4e06a DM	1	package PVE::Auth::PVE;
	2
	3	use strict;
7c410d63	4	use warnings;
3641833b	5	use Encode;
7c410d63	6
63358f40	7	use PVE::Tools;
5bb4e06a DM	8	use PVE::Auth::Plugin;
	9	use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file);
	10
	11	use base qw(PVE::Auth::Plugin);
	12
	13	my $shadowconfigfile = "priv/shadow.cfg";
	14
	15	cfs_register_file($shadowconfigfile,
	16	\&parse_shadow_passwd,
	17	\&write_shadow_config);
	18
	19	sub parse_shadow_passwd {
	20	my ($filename, $raw) = @_;
	21
	22	my $shadow = {};
	23
8978ab37 FG	24	return $shadow if !defined($raw);
8978ab37 FG	25
62af314a	26	while ($raw =~ /^\s(.+?)\s$/gm) {
5bb4e06a DM	27	my $line = $1;
5bb4e06a DM	28
5bb4e06a DM	29	if ($line !~ m/^\S+:\S+:$/) {
	30	warn "pve shadow password: ignore invalid line $.\n";
	31	next;
	32	}
	33
	34	my ($userid, $crypt_pass) = split (/:/, $line);
	35	$shadow->{users}->{$userid}->{shadow} = $crypt_pass;
	36	}
	37
	38	return $shadow;
	39	}
	40
	41	sub write_shadow_config {
	42	my ($filename, $cfg) = @_;
	43
	44	my $data = '';
	45	foreach my $userid (keys %{$cfg->{users}}) {
	46	my $crypt_pass = $cfg->{users}->{$userid}->{shadow};
	47	$data .= "$userid:$crypt_pass:\n";
	48	}
	49
	50	return $data
	51	}
	52
	53	sub lock_shadow_config {
	54	my ($code, $errmsg) = @_;
	55
	56	cfs_lock_file($shadowconfigfile, undef, $code);
	57	my $err = $@;
	58	if ($err) {
	59	$errmsg ? die "$errmsg: $err" : die $err;
	60	}
	61	}
	62
	63	sub type {
	64	return 'pve';
	65	}
	66
96f8ebd6	67	sub options {
5bb4e06a DM	68	return {
	69	default => { optional => 1 },
	70	comment => { optional => 1 },
96f8ebd6	71	tfa => { optional => 1 },
5bb4e06a DM	72	};
	73	}
	74
	75	sub authenticate_user {
	76	my ($class, $config, $realm, $username, $password) = @_;
	77
	78	die "no password\n" if !$password;
	79
	80	my $shadow_cfg = cfs_read_file($shadowconfigfile);
	81
	82	if ($shadow_cfg->{users}->{$username}) {
3641833b DM	83	my $encpw = crypt(Encode::encode('utf8', $password),
	84	$shadow_cfg->{users}->{$username}->{shadow});
	85	die "invalid credentials\n" if ($encpw ne $shadow_cfg->{users}->{$username}->{shadow});
5bb4e06a DM	86	} else {
	87	die "no password set\n";
	88	}
	89
	90	return 1;
	91	}
	92
	93	sub store_password {
	94	my ($class, $config, $realm, $username, $password) = @_;
	95
	96	lock_shadow_config(sub {
	97	my $shadow_cfg = cfs_read_file($shadowconfigfile);
63358f40	98	my $epw = PVE::Tools::encrypt_pw($password);
5bb4e06a DM	99	$shadow_cfg->{users}->{$username}->{shadow} = $epw;
	100	cfs_write_file($shadowconfigfile, $shadow_cfg);
	101	});
	102	}
	103
	104	sub delete_user {
	105	my ($class, $config, $realm, $username) = @_;
	106
	107	lock_shadow_config(sub {
	108	my $shadow_cfg = cfs_read_file($shadowconfigfile);
	109
	110	delete $shadow_cfg->{users}->{$username};
	111
	112	cfs_write_file($shadowconfigfile, $shadow_cfg);
	113	});
	114	}
	115
	116	1;