[pve-access-control.git] / PVE / Auth / Plugin.pm

package PVE::Auth::Plugin;

use strict;
use warnings;

use Digest::SHA;
use Encode;

use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_lock_file);
use PVE::JSONSchema qw(get_standard_option);
use PVE::SectionConfig;
use PVE::Tools;

use base qw(PVE::SectionConfig);

my $domainconfigfile = "domains.cfg";

cfs_register_file($domainconfigfile,
		  sub { __PACKAGE__->parse_config(@_); },
		  sub { __PACKAGE__->write_config(@_); });

sub lock_domain_config {
    my ($code, $errmsg) = @_;

    cfs_lock_file($domainconfigfile, undef, $code);
    my $err = $@;
    if ($err) {
	$errmsg ? die "$errmsg: $err" : die $err;
    }
}

our $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/;
our $user_regex = qr![^\s:/]+!;

PVE::JSONSchema::register_format('pve-realm', \&pve_verify_realm);
sub pve_verify_realm {
    my ($realm, $noerr) = @_;

    if ($realm !~ m/^${realm_regex}$/) {
	return undef if $noerr;
	die "value does not look like a valid realm\n";
    }
    return $realm;
}

PVE::JSONSchema::register_standard_option('realm', {
    description => "Authentication domain ID",
    type => 'string', format => 'pve-realm',
    maxLength => 32,
});

my $realm_sync_options_desc = {
    scope => {
	description => "Select what to sync.",
	type => 'string',
	enum => [qw(users groups both)],
	optional => '1',
    },
    full => {
	description => "If set, uses the LDAP Directory as source of truth,"
	    ." deleting users or groups not returned from the sync. Otherwise"
	    ." only syncs information which is not already present, and does not"
	    ." deletes or modifies anything else.",
	type => 'boolean',
	optional => '1',
    },
    'enable-new' => {
	description => "Enable newly synced users immediately.",
	type => 'boolean',
	default => '1',
	optional => '1',
    },
    purge => {
	description => "Remove ACLs for users or groups which were removed from"
	    ." the config during a sync.",
	type => 'boolean',
	optional => '1',
    },
};
PVE::JSONSchema::register_standard_option('realm-sync-options', $realm_sync_options_desc);
PVE::JSONSchema::register_format('realm-sync-options', $realm_sync_options_desc);

PVE::JSONSchema::register_format('pve-userid', \&verify_username);
sub verify_username {
    my ($username, $noerr) = @_;

    $username = '' if !$username;
    my $len = length($username);
    if ($len < 3) {
	die "user name '$username' is too short\n" if !$noerr;
	return undef;
    }
    if ($len > 64) {
	die "user name '$username' is too long ($len > 64)\n" if !$noerr;
	return undef;
    }

    # we only allow a limited set of characters
    # colon is not allowed, because we store usernames in
    # colon separated lists)!
    # slash is not allowed because it is used as pve API delimiter
    # also see "man useradd"
    if ($username =~ m!^(${user_regex})\@(${realm_regex})$!) {
	return wantarray ? ($username, $1, $2) : $username;
    }

    die "value '$username' does not look like a valid user name\n" if !$noerr;

    return undef;
}

PVE::JSONSchema::register_standard_option('userid', {
    description => "User ID",
    type => 'string', format => 'pve-userid',
    maxLength => 64,
});

my $tfa_format = {
    type => {
        description => "The type of 2nd factor authentication.",
        format_description => 'TFATYPE',
        type => 'string',
        enum => [qw(yubico oath)],
    },
    id => {
        description => "Yubico API ID.",
        format_description => 'ID',
        type => 'string',
        optional => 1,
    },
    key => {
        description => "Yubico API Key.",
        format_description => 'KEY',
        type => 'string',
        optional => 1,
    },
    url => {
        description => "Yubico API URL.",
        format_description => 'URL',
        type => 'string',
        optional => 1,
    },
    digits => {
        description => "TOTP digits.",
        format_description => 'COUNT',
        type => 'integer',
        minimum => 6, maximum => 8,
        default => 6,
        optional => 1,
    },
    step => {
        description => "TOTP time period.",
        format_description => 'SECONDS',
        type => 'integer',
        minimum => 10,
        default => 30,
        optional => 1,
    },
};

PVE::JSONSchema::register_format('pve-tfa-config', $tfa_format);

PVE::JSONSchema::register_standard_option('tfa', {
    description => "Use Two-factor authentication.",
    type => 'string', format => 'pve-tfa-config',
    optional => 1,
    maxLength => 128,
});

sub parse_tfa_config {
    my ($data) = @_;

    return PVE::JSONSchema::parse_property_string($tfa_format, $data);
}

my $defaultData = {
    propertyList => {
	type => { description => "Realm type." },
	realm => get_standard_option('realm'),
    },
};

sub private {
    return $defaultData;
}

sub parse_section_header {
    my ($class, $line) = @_;

    if ($line =~ m/^(\S+):\s*(\S+)\s*$/) {
	my ($type, $realm) = (lc($1), $2);
	my $errmsg = undef; # set if you want to skip whole section
	eval { pve_verify_realm($realm); };
	$errmsg = $@ if $@;
	my $config = {}; # to return additional attributes
	return ($type, $realm, $errmsg, $config);
    }
    return undef;
}

sub parse_config {
    my ($class, $filename, $raw) = @_;

    my $cfg = $class->SUPER::parse_config($filename, $raw);

    my $default;
    foreach my $realm (keys %{$cfg->{ids}}) {
	my $data = $cfg->{ids}->{$realm};
	# make sure there is only one default marker
	if ($data->{default}) {
	    if ($default) {
		delete $data->{default};
	    } else {
		$default = $realm;
	    }
	}

	if ($data->{comment}) {
	    $data->{comment} = PVE::Tools::decode_text($data->{comment});
	}

    }

    # add default domains

    $cfg->{ids}->{pve}->{type} = 'pve'; # force type
    $cfg->{ids}->{pve}->{comment} = "Proxmox VE authentication server"
	if !$cfg->{ids}->{pve}->{comment};

    $cfg->{ids}->{pam}->{type} = 'pam'; # force type
    $cfg->{ids}->{pam}->{plugin} =  'PVE::Auth::PAM';
    $cfg->{ids}->{pam}->{comment} = "Linux PAM standard authentication"
	if !$cfg->{ids}->{pam}->{comment};

    return $cfg;
};

sub write_config {
    my ($class, $filename, $cfg) = @_;

    foreach my $realm (keys %{$cfg->{ids}}) {
	my $data = $cfg->{ids}->{$realm};
	if ($data->{comment}) {
	    $data->{comment} = PVE::Tools::encode_text($data->{comment});
	}
    }

    $class->SUPER::write_config($filename, $cfg);
}

sub authenticate_user {
    my ($class, $config, $realm, $username, $password) = @_;

    die "overwrite me";
}

sub store_password {
    my ($class, $config, $realm, $username, $password) = @_;

    my $type = $class->type();

    die "can't set password on auth type '$type'\n";
}

sub delete_user {
    my ($class, $config, $realm, $username) = @_;

    # do nothing by default
}

1;
Commit	Line	Data
5bb4e06a DM	1	package PVE::Auth::Plugin;
	2
	3	use strict;
	4	use warnings;
b49abe2d	5
5bb4e06a	6	use Digest::SHA;
b49abe2d TL	7	use Encode;
b49abe2d TL	8
5bb4e06a	9	use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_lock_file);
b49abe2d TL	10	use PVE::JSONSchema qw(get_standard_option);
	11	use PVE::SectionConfig;
	12	use PVE::Tools;
5bb4e06a	13
5bb4e06a DM	14	use base qw(PVE::SectionConfig);
	15
	16	my $domainconfigfile = "domains.cfg";
	17
0a6e09fd	18	cfs_register_file($domainconfigfile,
5bb4e06a DM	19	sub { __PACKAGE__->parse_config(@_); },
	20	sub { __PACKAGE__->write_config(@_); });
	21
	22	sub lock_domain_config {
	23	my ($code, $errmsg) = @_;
	24
	25	cfs_lock_file($domainconfigfile, undef, $code);
	26	my $err = $@;
	27	if ($err) {
	28	$errmsg ? die "$errmsg: $err" : die $err;
	29	}
	30	}
	31
8e23f971 FG	32	our $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/;
8e23f971 FG	33	our $user_regex = qr![^\s:/]+!;
5bb4e06a DM	34
	35	PVE::JSONSchema::register_format('pve-realm', \&pve_verify_realm);
	36	sub pve_verify_realm {
	37	my ($realm, $noerr) = @_;
0a6e09fd	38
5bb4e06a DM	39	if ($realm !~ m/^${realm_regex}$/) {
5bb4e06a DM	40	return undef if $noerr;
0a6e09fd	41	die "value does not look like a valid realm\n";
5bb4e06a DM	42	}
	43	return $realm;
	44	}
	45
	46	PVE::JSONSchema::register_standard_option('realm', {
	47	description => "Authentication domain ID",
	48	type => 'string', format => 'pve-realm',
	49	maxLength => 32,
	50	});
	51
d29d2d4a TL	52	my $realm_sync_options_desc = {
	53	scope => {
	54	description => "Select what to sync.",
	55	type => 'string',
	56	enum => [qw(users groups both)],
	57	optional => '1',
	58	},
	59	full => {
	60	description => "If set, uses the LDAP Directory as source of truth,"
	61	." deleting users or groups not returned from the sync. Otherwise"
	62	." only syncs information which is not already present, and does not"
	63	." deletes or modifies anything else.",
	64	type => 'boolean',
	65	optional => '1',
	66	},
	67	'enable-new' => {
	68	description => "Enable newly synced users immediately.",
	69	type => 'boolean',
	70	default => '1',
	71	optional => '1',
	72	},
	73	purge => {
	74	description => "Remove ACLs for users or groups which were removed from"
	75	." the config during a sync.",
	76	type => 'boolean',
	77	optional => '1',
	78	},
	79	};
	80	PVE::JSONSchema::register_standard_option('realm-sync-options', $realm_sync_options_desc);
	81	PVE::JSONSchema::register_format('realm-sync-options', $realm_sync_options_desc);
	82
5bb4e06a DM	83	PVE::JSONSchema::register_format('pve-userid', \&verify_username);
	84	sub verify_username {
	85	my ($username, $noerr) = @_;
	86
	87	$username = '' if !$username;
	88	my $len = length($username);
	89	if ($len < 3) {
	90	die "user name '$username' is too short\n" if !$noerr;
	91	return undef;
	92	}
	93	if ($len > 64) {
	94	die "user name '$username' is too long ($len > 64)\n" if !$noerr;
	95	return undef;
	96	}
	97
	98	# we only allow a limited set of characters
0a6e09fd	99	# colon is not allowed, because we store usernames in
5bb4e06a DM	100	# colon separated lists)!
5bb4e06a DM	101	# slash is not allowed because it is used as pve API delimiter
0a6e09fd	102	# also see "man useradd"
8e23f971	103	if ($username =~ m!^(${user_regex})\@(${realm_regex})$!) {
5bb4e06a DM	104	return wantarray ? ($username, $1, $2) : $username;
	105	}
	106
	107	die "value '$username' does not look like a valid user name\n" if !$noerr;
	108
	109	return undef;
	110	}
	111
	112	PVE::JSONSchema::register_standard_option('userid', {
af5d7da7	113	description => "User ID",
5bb4e06a DM	114	type => 'string', format => 'pve-userid',
	115	maxLength => 64,
	116	});
	117
9401be39 WB	118	my $tfa_format = {
	119	type => {
	120	description => "The type of 2nd factor authentication.",
	121	format_description => 'TFATYPE',
	122	type => 'string',
	123	enum => [qw(yubico oath)],
	124	},
	125	id => {
	126	description => "Yubico API ID.",
	127	format_description => 'ID',
	128	type => 'string',
	129	optional => 1,
	130	},
	131	key => {
	132	description => "Yubico API Key.",
	133	format_description => 'KEY',
	134	type => 'string',
	135	optional => 1,
	136	},
	137	url => {
	138	description => "Yubico API URL.",
	139	format_description => 'URL',
	140	type => 'string',
	141	optional => 1,
	142	},
	143	digits => {
	144	description => "TOTP digits.",
	145	format_description => 'COUNT',
	146	type => 'integer',
	147	minimum => 6, maximum => 8,
	148	default => 6,
	149	optional => 1,
	150	},
	151	step => {
	152	description => "TOTP time period.",
	153	format_description => 'SECONDS',
	154	type => 'integer',
	155	minimum => 10,
	156	default => 30,
	157	optional => 1,
	158	},
	159	};
	160
	161	PVE::JSONSchema::register_format('pve-tfa-config', $tfa_format);
96f8ebd6 DM	162
	163	PVE::JSONSchema::register_standard_option('tfa', {
	164	description => "Use Two-factor authentication.",
	165	type => 'string', format => 'pve-tfa-config',
	166	optional => 1,
	167	maxLength => 128,
	168	});
	169
	170	sub parse_tfa_config {
	171	my ($data) = @_;
	172
9401be39	173	return PVE::JSONSchema::parse_property_string($tfa_format, $data);
96f8ebd6 DM	174	}
96f8ebd6 DM	175
5bb4e06a DM	176	my $defaultData = {
	177	propertyList => {
	178	type => { description => "Realm type." },
	179	realm => get_standard_option('realm'),
	180	},
	181	};
	182
	183	sub private {
	184	return $defaultData;
	185	}
	186
	187	sub parse_section_header {
	188	my ($class, $line) = @_;
	189
	190	if ($line =~ m/^(\S+):\s(\S+)\s$/) {
	191	my ($type, $realm) = (lc($1), $2);
	192	my $errmsg = undef; # set if you want to skip whole section
	193	eval { pve_verify_realm($realm); };
	194	$errmsg = $@ if $@;
	195	my $config = {}; # to return additional attributes
	196	return ($type, $realm, $errmsg, $config);
	197	}
	198	return undef;
	199	}
	200
	201	sub parse_config {
	202	my ($class, $filename, $raw) = @_;
	203
	204	my $cfg = $class->SUPER::parse_config($filename, $raw);
	205
	206	my $default;
	207	foreach my $realm (keys %{$cfg->{ids}}) {
	208	my $data = $cfg->{ids}->{$realm};
	209	# make sure there is only one default marker
	210	if ($data->{default}) {
	211	if ($default) {
	212	delete $data->{default};
	213	} else {
	214	$default = $realm;
	215	}
	216	}
	217
	218	if ($data->{comment}) {
	219	$data->{comment} = PVE::Tools::decode_text($data->{comment});
	220	}
	221
	222	}
	223
	224	# add default domains
	225
96f8ebd6 DM	226	$cfg->{ids}->{pve}->{type} = 'pve'; # force type
	227	$cfg->{ids}->{pve}->{comment} = "Proxmox VE authentication server"
	228	if !$cfg->{ids}->{pve}->{comment};
5bb4e06a	229
96f8ebd6 DM	230	$cfg->{ids}->{pam}->{type} = 'pam'; # force type
	231	$cfg->{ids}->{pam}->{plugin} = 'PVE::Auth::PAM';
	232	$cfg->{ids}->{pam}->{comment} = "Linux PAM standard authentication"
	233	if !$cfg->{ids}->{pam}->{comment};
5bb4e06a DM	234
	235	return $cfg;
	236	};
	237
	238	sub write_config {
	239	my ($class, $filename, $cfg) = @_;
	240
5bb4e06a DM	241	foreach my $realm (keys %{$cfg->{ids}}) {
	242	my $data = $cfg->{ids}->{$realm};
	243	if ($data->{comment}) {
	244	$data->{comment} = PVE::Tools::encode_text($data->{comment});
	245	}
	246	}
0a6e09fd	247
5bb4e06a DM	248	$class->SUPER::write_config($filename, $cfg);
	249	}
	250
	251	sub authenticate_user {
	252	my ($class, $config, $realm, $username, $password) = @_;
	253
	254	die "overwrite me";
	255	}
	256
	257	sub store_password {
	258	my ($class, $config, $realm, $username, $password) = @_;
	259
	260	my $type = $class->type();
	261
	262	die "can't set password on auth type '$type'\n";
	263	}
	264
	265	sub delete_user {
	266	my ($class, $config, $realm, $username) = @_;
	267
	268	# do nothing by default
	269	}
	270
	271	1;