add experimental code for yubico OTP verification
[pve-access-control.git] / PVE / Auth / PVE.pm
CommitLineData
5bb4e06a
DM
1package PVE::Auth::PVE;
2
3use strict;
7c410d63
DM
4use warnings;
5
5bb4e06a
DM
6use PVE::Auth::Plugin;
7use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file);
8
9use base qw(PVE::Auth::Plugin);
10
11my $shadowconfigfile = "priv/shadow.cfg";
12
13cfs_register_file($shadowconfigfile,
14 \&parse_shadow_passwd,
15 \&write_shadow_config);
16
17sub parse_shadow_passwd {
18 my ($filename, $raw) = @_;
19
20 my $shadow = {};
21
22 while ($raw && $raw =~ s/^(.*?)(\n|$)//) {
23 my $line = $1;
24
25 next if $line =~ m/^\s*$/; # skip empty lines
26
27 if ($line !~ m/^\S+:\S+:$/) {
28 warn "pve shadow password: ignore invalid line $.\n";
29 next;
30 }
31
32 my ($userid, $crypt_pass) = split (/:/, $line);
33 $shadow->{users}->{$userid}->{shadow} = $crypt_pass;
34 }
35
36 return $shadow;
37}
38
39sub write_shadow_config {
40 my ($filename, $cfg) = @_;
41
42 my $data = '';
43 foreach my $userid (keys %{$cfg->{users}}) {
44 my $crypt_pass = $cfg->{users}->{$userid}->{shadow};
45 $data .= "$userid:$crypt_pass:\n";
46 }
47
48 return $data
49}
50
51sub lock_shadow_config {
52 my ($code, $errmsg) = @_;
53
54 cfs_lock_file($shadowconfigfile, undef, $code);
55 my $err = $@;
56 if ($err) {
57 $errmsg ? die "$errmsg: $err" : die $err;
58 }
59}
60
61sub type {
62 return 'pve';
63}
64
65sub defaults {
66 return {
67 default => { optional => 1 },
68 comment => { optional => 1 },
69 };
70}
71
72sub authenticate_user {
73 my ($class, $config, $realm, $username, $password) = @_;
74
75 die "no password\n" if !$password;
76
77 my $shadow_cfg = cfs_read_file($shadowconfigfile);
78
79 if ($shadow_cfg->{users}->{$username}) {
80 my $encpw = crypt($password, $shadow_cfg->{users}->{$username}->{shadow});
81 die "invalid credentials\n" if ($encpw ne $shadow_cfg->{users}->{$username}->{shadow});
82 } else {
83 die "no password set\n";
84 }
85
86 return 1;
87}
88
89sub store_password {
90 my ($class, $config, $realm, $username, $password) = @_;
91
92 lock_shadow_config(sub {
93 my $shadow_cfg = cfs_read_file($shadowconfigfile);
94 my $epw = PVE::Auth::Plugin::encrypt_pw($password);
95 $shadow_cfg->{users}->{$username}->{shadow} = $epw;
96 cfs_write_file($shadowconfigfile, $shadow_cfg);
97 });
98}
99
100sub delete_user {
101 my ($class, $config, $realm, $username) = @_;
102
103 lock_shadow_config(sub {
104 my $shadow_cfg = cfs_read_file($shadowconfigfile);
105
106 delete $shadow_cfg->{users}->{$username};
107
108 cfs_write_file($shadowconfigfile, $shadow_cfg);
109 });
110}
111
1121;