[pve-access-control.git] / PVE / Auth / Plugin.pm

package PVE::Auth::Plugin;

use strict;
use warnings;
use Encode;
use Digest::SHA;
use PVE::Tools;
use PVE::SectionConfig;
use PVE::JSONSchema qw(get_standard_option);
use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_lock_file);

use base qw(PVE::SectionConfig);

my $domainconfigfile = "domains.cfg";

cfs_register_file($domainconfigfile,
		  sub { __PACKAGE__->parse_config(@_); },
		  sub { __PACKAGE__->write_config(@_); });

sub lock_domain_config {
    my ($code, $errmsg) = @_;

    cfs_lock_file($domainconfigfile, undef, $code);
    my $err = $@;
    if ($err) {
	$errmsg ? die "$errmsg: $err" : die $err;
    }
}

our $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/;
our $user_regex = qr![^\s:/]+!;

PVE::JSONSchema::register_format('pve-realm', \&pve_verify_realm);
sub pve_verify_realm {
    my ($realm, $noerr) = @_;

    if ($realm !~ m/^${realm_regex}$/) {
	return undef if $noerr;
	die "value does not look like a valid realm\n";
    }
    return $realm;
}

PVE::JSONSchema::register_standard_option('realm', {
    description => "Authentication domain ID",
    type => 'string', format => 'pve-realm',
    maxLength => 32,
});

PVE::JSONSchema::register_format('pve-userid', \&verify_username);
sub verify_username {
    my ($username, $noerr) = @_;

    $username = '' if !$username;
    my $len = length($username);
    if ($len < 3) {
	die "user name '$username' is too short\n" if !$noerr;
	return undef;
    }
    if ($len > 64) {
	die "user name '$username' is too long ($len > 64)\n" if !$noerr;
	return undef;
    }

    # we only allow a limited set of characters
    # colon is not allowed, because we store usernames in
    # colon separated lists)!
    # slash is not allowed because it is used as pve API delimiter
    # also see "man useradd"
    if ($username =~ m!^(${user_regex})\@(${realm_regex})$!) {
	return wantarray ? ($username, $1, $2) : $username;
    }

    die "value '$username' does not look like a valid user name\n" if !$noerr;

    return undef;
}

PVE::JSONSchema::register_standard_option('userid', {
    description => "User ID",
    type => 'string', format => 'pve-userid',
    maxLength => 64,
});

my $tfa_format = {
    type => {
        description => "The type of 2nd factor authentication.",
        format_description => 'TFATYPE',
        type => 'string',
        enum => [qw(yubico oath)],
    },
    id => {
        description => "Yubico API ID.",
        format_description => 'ID',
        type => 'string',
        optional => 1,
    },
    key => {
        description => "Yubico API Key.",
        format_description => 'KEY',
        type => 'string',
        optional => 1,
    },
    url => {
        description => "Yubico API URL.",
        format_description => 'URL',
        type => 'string',
        optional => 1,
    },
    digits => {
        description => "TOTP digits.",
        format_description => 'COUNT',
        type => 'integer',
        minimum => 6, maximum => 8,
        default => 6,
        optional => 1,
    },
    step => {
        description => "TOTP time period.",
        format_description => 'SECONDS',
        type => 'integer',
        minimum => 10,
        default => 30,
        optional => 1,
    },
};

PVE::JSONSchema::register_format('pve-tfa-config', $tfa_format);

PVE::JSONSchema::register_standard_option('tfa', {
    description => "Use Two-factor authentication.",
    type => 'string', format => 'pve-tfa-config',
    optional => 1,
    maxLength => 128,
});

sub parse_tfa_config {
    my ($data) = @_;

    return PVE::JSONSchema::parse_property_string($tfa_format, $data);
}

my $defaultData = {
    propertyList => {
	type => { description => "Realm type." },
	realm => get_standard_option('realm'),
    },
};

sub private {
    return $defaultData;
}

sub parse_section_header {
    my ($class, $line) = @_;

    if ($line =~ m/^(\S+):\s*(\S+)\s*$/) {
	my ($type, $realm) = (lc($1), $2);
	my $errmsg = undef; # set if you want to skip whole section
	eval { pve_verify_realm($realm); };
	$errmsg = $@ if $@;
	my $config = {}; # to return additional attributes
	return ($type, $realm, $errmsg, $config);
    }
    return undef;
}

sub parse_config {
    my ($class, $filename, $raw) = @_;

    my $cfg = $class->SUPER::parse_config($filename, $raw);

    my $default;
    foreach my $realm (keys %{$cfg->{ids}}) {
	my $data = $cfg->{ids}->{$realm};
	# make sure there is only one default marker
	if ($data->{default}) {
	    if ($default) {
		delete $data->{default};
	    } else {
		$default = $realm;
	    }
	}

	if ($data->{comment}) {
	    $data->{comment} = PVE::Tools::decode_text($data->{comment});
	}

    }

    # add default domains

    $cfg->{ids}->{pve}->{type} = 'pve'; # force type
    $cfg->{ids}->{pve}->{comment} = "Proxmox VE authentication server"
	if !$cfg->{ids}->{pve}->{comment};

    $cfg->{ids}->{pam}->{type} = 'pam'; # force type
    $cfg->{ids}->{pam}->{plugin} =  'PVE::Auth::PAM';
    $cfg->{ids}->{pam}->{comment} = "Linux PAM standard authentication"
	if !$cfg->{ids}->{pam}->{comment};

    return $cfg;
};

sub write_config {
    my ($class, $filename, $cfg) = @_;

    foreach my $realm (keys %{$cfg->{ids}}) {
	my $data = $cfg->{ids}->{$realm};
	if ($data->{comment}) {
	    $data->{comment} = PVE::Tools::encode_text($data->{comment});
	}
    }

    $class->SUPER::write_config($filename, $cfg);
}

sub authenticate_user {
    my ($class, $config, $realm, $username, $password) = @_;

    die "overwrite me";
}

sub store_password {
    my ($class, $config, $realm, $username, $password) = @_;

    my $type = $class->type();

    die "can't set password on auth type '$type'\n";
}

sub delete_user {
    my ($class, $config, $realm, $username) = @_;

    # do nothing by default
}

1;
Commit	Line	Data
5bb4e06a DM	1	package PVE::Auth::Plugin;
	2
	3	use strict;
	4	use warnings;
	5	use Encode;
	6	use Digest::SHA;
	7	use PVE::Tools;
	8	use PVE::SectionConfig;
	9	use PVE::JSONSchema qw(get_standard_option);
	10	use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_lock_file);
	11
5bb4e06a DM	12	use base qw(PVE::SectionConfig);
	13
	14	my $domainconfigfile = "domains.cfg";
	15
0a6e09fd	16	cfs_register_file($domainconfigfile,
5bb4e06a DM	17	sub { __PACKAGE__->parse_config(@_); },
	18	sub { __PACKAGE__->write_config(@_); });
	19
	20	sub lock_domain_config {
	21	my ($code, $errmsg) = @_;
	22
	23	cfs_lock_file($domainconfigfile, undef, $code);
	24	my $err = $@;
	25	if ($err) {
	26	$errmsg ? die "$errmsg: $err" : die $err;
	27	}
	28	}
	29
8e23f971 FG	30	our $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/;
8e23f971 FG	31	our $user_regex = qr![^\s:/]+!;
5bb4e06a DM	32
	33	PVE::JSONSchema::register_format('pve-realm', \&pve_verify_realm);
	34	sub pve_verify_realm {
	35	my ($realm, $noerr) = @_;
0a6e09fd	36
5bb4e06a DM	37	if ($realm !~ m/^${realm_regex}$/) {
5bb4e06a DM	38	return undef if $noerr;
0a6e09fd	39	die "value does not look like a valid realm\n";
5bb4e06a DM	40	}
	41	return $realm;
	42	}
	43
	44	PVE::JSONSchema::register_standard_option('realm', {
	45	description => "Authentication domain ID",
	46	type => 'string', format => 'pve-realm',
	47	maxLength => 32,
	48	});
	49
	50	PVE::JSONSchema::register_format('pve-userid', \&verify_username);
	51	sub verify_username {
	52	my ($username, $noerr) = @_;
	53
	54	$username = '' if !$username;
	55	my $len = length($username);
	56	if ($len < 3) {
	57	die "user name '$username' is too short\n" if !$noerr;
	58	return undef;
	59	}
	60	if ($len > 64) {
	61	die "user name '$username' is too long ($len > 64)\n" if !$noerr;
	62	return undef;
	63	}
	64
	65	# we only allow a limited set of characters
0a6e09fd	66	# colon is not allowed, because we store usernames in
5bb4e06a DM	67	# colon separated lists)!
5bb4e06a DM	68	# slash is not allowed because it is used as pve API delimiter
0a6e09fd	69	# also see "man useradd"
8e23f971	70	if ($username =~ m!^(${user_regex})\@(${realm_regex})$!) {
5bb4e06a DM	71	return wantarray ? ($username, $1, $2) : $username;
	72	}
	73
	74	die "value '$username' does not look like a valid user name\n" if !$noerr;
	75
	76	return undef;
	77	}
	78
	79	PVE::JSONSchema::register_standard_option('userid', {
af5d7da7	80	description => "User ID",
5bb4e06a DM	81	type => 'string', format => 'pve-userid',
	82	maxLength => 64,
	83	});
	84
9401be39 WB	85	my $tfa_format = {
	86	type => {
	87	description => "The type of 2nd factor authentication.",
	88	format_description => 'TFATYPE',
	89	type => 'string',
	90	enum => [qw(yubico oath)],
	91	},
	92	id => {
	93	description => "Yubico API ID.",
	94	format_description => 'ID',
	95	type => 'string',
	96	optional => 1,
	97	},
	98	key => {
	99	description => "Yubico API Key.",
	100	format_description => 'KEY',
	101	type => 'string',
	102	optional => 1,
	103	},
	104	url => {
	105	description => "Yubico API URL.",
	106	format_description => 'URL',
	107	type => 'string',
	108	optional => 1,
	109	},
	110	digits => {
	111	description => "TOTP digits.",
	112	format_description => 'COUNT',
	113	type => 'integer',
	114	minimum => 6, maximum => 8,
	115	default => 6,
	116	optional => 1,
	117	},
	118	step => {
	119	description => "TOTP time period.",
	120	format_description => 'SECONDS',
	121	type => 'integer',
	122	minimum => 10,
	123	default => 30,
	124	optional => 1,
	125	},
	126	};
	127
	128	PVE::JSONSchema::register_format('pve-tfa-config', $tfa_format);
96f8ebd6 DM	129
	130	PVE::JSONSchema::register_standard_option('tfa', {
	131	description => "Use Two-factor authentication.",
	132	type => 'string', format => 'pve-tfa-config',
	133	optional => 1,
	134	maxLength => 128,
	135	});
	136
	137	sub parse_tfa_config {
	138	my ($data) = @_;
	139
9401be39	140	return PVE::JSONSchema::parse_property_string($tfa_format, $data);
96f8ebd6 DM	141	}
96f8ebd6 DM	142
5bb4e06a DM	143	my $defaultData = {
	144	propertyList => {
	145	type => { description => "Realm type." },
	146	realm => get_standard_option('realm'),
	147	},
	148	};
	149
	150	sub private {
	151	return $defaultData;
	152	}
	153
	154	sub parse_section_header {
	155	my ($class, $line) = @_;
	156
	157	if ($line =~ m/^(\S+):\s(\S+)\s$/) {
	158	my ($type, $realm) = (lc($1), $2);
	159	my $errmsg = undef; # set if you want to skip whole section
	160	eval { pve_verify_realm($realm); };
	161	$errmsg = $@ if $@;
	162	my $config = {}; # to return additional attributes
	163	return ($type, $realm, $errmsg, $config);
	164	}
	165	return undef;
	166	}
	167
	168	sub parse_config {
	169	my ($class, $filename, $raw) = @_;
	170
	171	my $cfg = $class->SUPER::parse_config($filename, $raw);
	172
	173	my $default;
	174	foreach my $realm (keys %{$cfg->{ids}}) {
	175	my $data = $cfg->{ids}->{$realm};
	176	# make sure there is only one default marker
	177	if ($data->{default}) {
	178	if ($default) {
	179	delete $data->{default};
	180	} else {
	181	$default = $realm;
	182	}
	183	}
	184
	185	if ($data->{comment}) {
	186	$data->{comment} = PVE::Tools::decode_text($data->{comment});
	187	}
	188
	189	}
	190
	191	# add default domains
	192
96f8ebd6 DM	193	$cfg->{ids}->{pve}->{type} = 'pve'; # force type
	194	$cfg->{ids}->{pve}->{comment} = "Proxmox VE authentication server"
	195	if !$cfg->{ids}->{pve}->{comment};
5bb4e06a	196
96f8ebd6 DM	197	$cfg->{ids}->{pam}->{type} = 'pam'; # force type
	198	$cfg->{ids}->{pam}->{plugin} = 'PVE::Auth::PAM';
	199	$cfg->{ids}->{pam}->{comment} = "Linux PAM standard authentication"
	200	if !$cfg->{ids}->{pam}->{comment};
5bb4e06a DM	201
	202	return $cfg;
	203	};
	204
	205	sub write_config {
	206	my ($class, $filename, $cfg) = @_;
	207
5bb4e06a DM	208	foreach my $realm (keys %{$cfg->{ids}}) {
	209	my $data = $cfg->{ids}->{$realm};
	210	if ($data->{comment}) {
	211	$data->{comment} = PVE::Tools::encode_text($data->{comment});
	212	}
	213	}
0a6e09fd	214
5bb4e06a DM	215	$class->SUPER::write_config($filename, $cfg);
	216	}
	217
	218	sub authenticate_user {
	219	my ($class, $config, $realm, $username, $password) = @_;
	220
	221	die "overwrite me";
	222	}
	223
	224	sub store_password {
	225	my ($class, $config, $realm, $username, $password) = @_;
	226
	227	my $type = $class->type();
	228
	229	die "can't set password on auth type '$type'\n";
	230	}
	231
	232	sub delete_user {
	233	my ($class, $config, $realm, $username) = @_;
	234
	235	# do nothing by default
	236	}
	237
	238	1;