[pve-access-control.git] / PVE / Auth / PVE.pm

package PVE::Auth::PVE;

use strict;
use PVE::Auth::Plugin;
use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file);

use base qw(PVE::Auth::Plugin);

my $shadowconfigfile = "priv/shadow.cfg";

cfs_register_file($shadowconfigfile, 
		  \&parse_shadow_passwd, 
		  \&write_shadow_config);

sub parse_shadow_passwd {
    my ($filename, $raw) = @_;

    my $shadow = {};

    while ($raw && $raw =~ s/^(.*?)(\n|$)//) {
	my $line = $1;

	next if $line =~ m/^\s*$/; # skip empty lines

	if ($line !~ m/^\S+:\S+:$/) {
	    warn "pve shadow password: ignore invalid line $.\n";
	    next;
	}

	my ($userid, $crypt_pass) = split (/:/, $line);
	$shadow->{users}->{$userid}->{shadow} = $crypt_pass;
    }

    return $shadow;
}

sub write_shadow_config {
    my ($filename, $cfg) = @_;

    my $data = '';
    foreach my $userid (keys %{$cfg->{users}}) {
	my $crypt_pass = $cfg->{users}->{$userid}->{shadow};
	$data .= "$userid:$crypt_pass:\n";
    }

    return $data
}

sub lock_shadow_config {
    my ($code, $errmsg) = @_;

    cfs_lock_file($shadowconfigfile, undef, $code);
    my $err = $@;
    if ($err) {
	$errmsg ? die "$errmsg: $err" : die $err;
    }
}

sub type {
    return 'pve';
}

sub defaults {
    return {
	default => { optional => 1 },
	comment => { optional => 1 },
    };
}

sub authenticate_user {
    my ($class, $config, $realm, $username, $password) = @_;

    die "no password\n" if !$password;

    my $shadow_cfg = cfs_read_file($shadowconfigfile);
    
    if ($shadow_cfg->{users}->{$username}) {
	my $encpw = crypt($password, $shadow_cfg->{users}->{$username}->{shadow});
        die "invalid credentials\n" if ($encpw ne $shadow_cfg->{users}->{$username}->{shadow});
    } else {
	die "no password set\n";
    }

    return 1;
}

sub store_password {
    my ($class, $config, $realm, $username, $password) = @_;

    lock_shadow_config(sub {
	my $shadow_cfg = cfs_read_file($shadowconfigfile);
	my $epw = PVE::Auth::Plugin::encrypt_pw($password);
	$shadow_cfg->{users}->{$username}->{shadow} = $epw;
	cfs_write_file($shadowconfigfile, $shadow_cfg);
    });
}

sub delete_user {
    my ($class, $config, $realm, $username) = @_;
 
    lock_shadow_config(sub {
	my $shadow_cfg = cfs_read_file($shadowconfigfile);

	delete $shadow_cfg->{users}->{$username};

	cfs_write_file($shadowconfigfile, $shadow_cfg);
   });
}

1;
Commit	Line	Data
5bb4e06a DM	1	package PVE::Auth::PVE;
	2
	3	use strict;
	4	use PVE::Auth::Plugin;
	5	use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file);
	6
	7	use base qw(PVE::Auth::Plugin);
	8
	9	my $shadowconfigfile = "priv/shadow.cfg";
	10
	11	cfs_register_file($shadowconfigfile,
	12	\&parse_shadow_passwd,
	13	\&write_shadow_config);
	14
	15	sub parse_shadow_passwd {
	16	my ($filename, $raw) = @_;
	17
	18	my $shadow = {};
	19
	20	while ($raw && $raw =~ s/^(.*?)(\n\|$)//) {
	21	my $line = $1;
	22
	23	next if $line =~ m/^\s*$/; # skip empty lines
	24
	25	if ($line !~ m/^\S+:\S+:$/) {
	26	warn "pve shadow password: ignore invalid line $.\n";
	27	next;
	28	}
	29
	30	my ($userid, $crypt_pass) = split (/:/, $line);
	31	$shadow->{users}->{$userid}->{shadow} = $crypt_pass;
	32	}
	33
	34	return $shadow;
	35	}
	36
	37	sub write_shadow_config {
	38	my ($filename, $cfg) = @_;
	39
	40	my $data = '';
	41	foreach my $userid (keys %{$cfg->{users}}) {
	42	my $crypt_pass = $cfg->{users}->{$userid}->{shadow};
	43	$data .= "$userid:$crypt_pass:\n";
	44	}
	45
	46	return $data
	47	}
	48
	49	sub lock_shadow_config {
	50	my ($code, $errmsg) = @_;
	51
	52	cfs_lock_file($shadowconfigfile, undef, $code);
	53	my $err = $@;
	54	if ($err) {
	55	$errmsg ? die "$errmsg: $err" : die $err;
	56	}
	57	}
	58
	59	sub type {
	60	return 'pve';
	61	}
	62
	63	sub defaults {
	64	return {
65	default => { optional => 1 },
66	comment => { optional => 1 },
67	};
68	}
69
70	sub authenticate_user {
71	my ($class, $config, $realm, $username, $password) = @_;
72
73	die "no password\n" if !$password;
74
75	my $shadow_cfg = cfs_read_file($shadowconfigfile);
76
77	if ($shadow_cfg->{users}->{$username}) {
78	my $encpw = crypt($password, $shadow_cfg->{users}->{$username}->{shadow});
79	die "invalid credentials\n" if ($encpw ne $shadow_cfg->{users}->{$username}->{shadow});
80	} else {
81	die "no password set\n";
82	}
83
84	return 1;
85	}
86
87	sub store_password {
88	my ($class, $config, $realm, $username, $password) = @_;
89
90	lock_shadow_config(sub {
91	my $shadow_cfg = cfs_read_file($shadowconfigfile);
92	my $epw = PVE::Auth::Plugin::encrypt_pw($password);
93	$shadow_cfg->{users}->{$username}->{shadow} = $epw;
94	cfs_write_file($shadowconfigfile, $shadow_cfg);
95	});
96	}
97
98	sub delete_user {
99	my ($class, $config, $realm, $username) = @_;
100
101	lock_shadow_config(sub {
102	my $shadow_cfg = cfs_read_file($shadowconfigfile);
103
104	delete $shadow_cfg->{users}->{$username};
105
106	cfs_write_file($shadowconfigfile, $shadow_cfg);
107	});
108	}
109
110	1;