]>
Commit | Line | Data |
---|---|---|
5bb4e06a DM |
1 | package PVE::Auth::Plugin; |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | use Encode; | |
6 | use Digest::SHA; | |
7 | use PVE::Tools; | |
8 | use PVE::SectionConfig; | |
9 | use PVE::JSONSchema qw(get_standard_option); | |
10 | use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_lock_file); | |
11 | ||
5bb4e06a DM |
12 | use base qw(PVE::SectionConfig); |
13 | ||
14 | my $domainconfigfile = "domains.cfg"; | |
15 | ||
0a6e09fd | 16 | cfs_register_file($domainconfigfile, |
5bb4e06a DM |
17 | sub { __PACKAGE__->parse_config(@_); }, |
18 | sub { __PACKAGE__->write_config(@_); }); | |
19 | ||
20 | sub lock_domain_config { | |
21 | my ($code, $errmsg) = @_; | |
22 | ||
23 | cfs_lock_file($domainconfigfile, undef, $code); | |
24 | my $err = $@; | |
25 | if ($err) { | |
26 | $errmsg ? die "$errmsg: $err" : die $err; | |
27 | } | |
28 | } | |
29 | ||
30 | my $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/; | |
31 | ||
32 | PVE::JSONSchema::register_format('pve-realm', \&pve_verify_realm); | |
33 | sub pve_verify_realm { | |
34 | my ($realm, $noerr) = @_; | |
0a6e09fd | 35 | |
5bb4e06a DM |
36 | if ($realm !~ m/^${realm_regex}$/) { |
37 | return undef if $noerr; | |
0a6e09fd | 38 | die "value does not look like a valid realm\n"; |
5bb4e06a DM |
39 | } |
40 | return $realm; | |
41 | } | |
42 | ||
43 | PVE::JSONSchema::register_standard_option('realm', { | |
44 | description => "Authentication domain ID", | |
45 | type => 'string', format => 'pve-realm', | |
46 | maxLength => 32, | |
47 | }); | |
48 | ||
49 | PVE::JSONSchema::register_format('pve-userid', \&verify_username); | |
50 | sub verify_username { | |
51 | my ($username, $noerr) = @_; | |
52 | ||
53 | $username = '' if !$username; | |
54 | my $len = length($username); | |
55 | if ($len < 3) { | |
56 | die "user name '$username' is too short\n" if !$noerr; | |
57 | return undef; | |
58 | } | |
59 | if ($len > 64) { | |
60 | die "user name '$username' is too long ($len > 64)\n" if !$noerr; | |
61 | return undef; | |
62 | } | |
63 | ||
64 | # we only allow a limited set of characters | |
0a6e09fd | 65 | # colon is not allowed, because we store usernames in |
5bb4e06a DM |
66 | # colon separated lists)! |
67 | # slash is not allowed because it is used as pve API delimiter | |
0a6e09fd | 68 | # also see "man useradd" |
5bb4e06a DM |
69 | if ($username =~ m!^([^\s:/]+)\@(${realm_regex})$!) { |
70 | return wantarray ? ($username, $1, $2) : $username; | |
71 | } | |
72 | ||
73 | die "value '$username' does not look like a valid user name\n" if !$noerr; | |
74 | ||
75 | return undef; | |
76 | } | |
77 | ||
78 | PVE::JSONSchema::register_standard_option('userid', { | |
79 | description => "User ID", | |
80 | type => 'string', format => 'pve-userid', | |
81 | maxLength => 64, | |
82 | }); | |
83 | ||
96f8ebd6 DM |
84 | PVE::JSONSchema::register_format('pve-tfa-config', \&verify_tfa_config); |
85 | sub verify_tfa_config { | |
86 | my ($value, $noerr) = @_; | |
87 | ||
88 | return $value if parse_tfa_config($value); | |
89 | ||
90 | return undef if $noerr; | |
91 | ||
92 | die "unable to parse tfa option\n"; | |
93 | } | |
94 | ||
95 | PVE::JSONSchema::register_standard_option('tfa', { | |
96 | description => "Use Two-factor authentication.", | |
97 | type => 'string', format => 'pve-tfa-config', | |
98 | optional => 1, | |
99 | maxLength => 128, | |
100 | }); | |
101 | ||
102 | sub parse_tfa_config { | |
103 | my ($data) = @_; | |
104 | ||
105 | my $res = {}; | |
106 | ||
107 | foreach my $kvp (split(/,/, $data)) { | |
108 | ||
1abc2c0a | 109 | if ($kvp =~ m/^type=(yubico|oath)$/) { |
96f8ebd6 DM |
110 | $res->{type} = $1; |
111 | } elsif ($kvp =~ m/^id=(\S+)$/) { | |
112 | $res->{id} = $1; | |
113 | } elsif ($kvp =~ m/^key=(\S+)$/) { | |
114 | $res->{key} = $1; | |
115 | } elsif ($kvp =~ m/^url=(\S+)$/) { | |
116 | $res->{url} = $1; | |
86cd805b DM |
117 | } elsif ($kvp =~ m/^digits=([6|7|8])$/) { |
118 | $res->{digits} = $1; | |
119 | } elsif ($kvp =~ m/^step=([1-9]\d+)$/) { | |
120 | $res->{step} = $1; | |
96f8ebd6 DM |
121 | } else { |
122 | return undef; | |
0a6e09fd | 123 | } |
96f8ebd6 DM |
124 | } |
125 | ||
126 | return undef if !$res->{type}; | |
127 | ||
128 | return $res; | |
129 | } | |
130 | ||
5bb4e06a DM |
131 | my $defaultData = { |
132 | propertyList => { | |
133 | type => { description => "Realm type." }, | |
134 | realm => get_standard_option('realm'), | |
135 | }, | |
136 | }; | |
137 | ||
138 | sub private { | |
139 | return $defaultData; | |
140 | } | |
141 | ||
142 | sub parse_section_header { | |
143 | my ($class, $line) = @_; | |
144 | ||
145 | if ($line =~ m/^(\S+):\s*(\S+)\s*$/) { | |
146 | my ($type, $realm) = (lc($1), $2); | |
147 | my $errmsg = undef; # set if you want to skip whole section | |
148 | eval { pve_verify_realm($realm); }; | |
149 | $errmsg = $@ if $@; | |
150 | my $config = {}; # to return additional attributes | |
151 | return ($type, $realm, $errmsg, $config); | |
152 | } | |
153 | return undef; | |
154 | } | |
155 | ||
156 | sub parse_config { | |
157 | my ($class, $filename, $raw) = @_; | |
158 | ||
159 | my $cfg = $class->SUPER::parse_config($filename, $raw); | |
160 | ||
161 | my $default; | |
162 | foreach my $realm (keys %{$cfg->{ids}}) { | |
163 | my $data = $cfg->{ids}->{$realm}; | |
164 | # make sure there is only one default marker | |
165 | if ($data->{default}) { | |
166 | if ($default) { | |
167 | delete $data->{default}; | |
168 | } else { | |
169 | $default = $realm; | |
170 | } | |
171 | } | |
172 | ||
173 | if ($data->{comment}) { | |
174 | $data->{comment} = PVE::Tools::decode_text($data->{comment}); | |
175 | } | |
176 | ||
177 | } | |
178 | ||
179 | # add default domains | |
180 | ||
96f8ebd6 DM |
181 | $cfg->{ids}->{pve}->{type} = 'pve'; # force type |
182 | $cfg->{ids}->{pve}->{comment} = "Proxmox VE authentication server" | |
183 | if !$cfg->{ids}->{pve}->{comment}; | |
5bb4e06a | 184 | |
96f8ebd6 DM |
185 | $cfg->{ids}->{pam}->{type} = 'pam'; # force type |
186 | $cfg->{ids}->{pam}->{plugin} = 'PVE::Auth::PAM'; | |
187 | $cfg->{ids}->{pam}->{comment} = "Linux PAM standard authentication" | |
188 | if !$cfg->{ids}->{pam}->{comment}; | |
5bb4e06a DM |
189 | |
190 | return $cfg; | |
191 | }; | |
192 | ||
193 | sub write_config { | |
194 | my ($class, $filename, $cfg) = @_; | |
195 | ||
5bb4e06a DM |
196 | foreach my $realm (keys %{$cfg->{ids}}) { |
197 | my $data = $cfg->{ids}->{$realm}; | |
198 | if ($data->{comment}) { | |
199 | $data->{comment} = PVE::Tools::encode_text($data->{comment}); | |
200 | } | |
201 | } | |
0a6e09fd | 202 | |
5bb4e06a DM |
203 | $class->SUPER::write_config($filename, $cfg); |
204 | } | |
205 | ||
206 | sub authenticate_user { | |
207 | my ($class, $config, $realm, $username, $password) = @_; | |
208 | ||
209 | die "overwrite me"; | |
210 | } | |
211 | ||
212 | sub store_password { | |
213 | my ($class, $config, $realm, $username, $password) = @_; | |
214 | ||
215 | my $type = $class->type(); | |
216 | ||
217 | die "can't set password on auth type '$type'\n"; | |
218 | } | |
219 | ||
220 | sub delete_user { | |
221 | my ($class, $config, $realm, $username) = @_; | |
222 | ||
223 | # do nothing by default | |
224 | } | |
225 | ||
226 | 1; |