[pve-access-control.git] / PVE / Auth / Plugin.pm

package PVE::Auth::Plugin;

use strict;
use warnings;
use Encode;
use Digest::SHA;
use PVE::Tools;
use PVE::SectionConfig;
use PVE::JSONSchema qw(get_standard_option);
use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_lock_file);

use base qw(PVE::SectionConfig);

my $domainconfigfile = "domains.cfg";

cfs_register_file($domainconfigfile,
		  sub { __PACKAGE__->parse_config(@_); },
		  sub { __PACKAGE__->write_config(@_); });

sub lock_domain_config {
    my ($code, $errmsg) = @_;

    cfs_lock_file($domainconfigfile, undef, $code);
    my $err = $@;
    if ($err) {
	$errmsg ? die "$errmsg: $err" : die $err;
    }
}

our $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/;
our $user_regex = qr![^\s:/]+!;

PVE::JSONSchema::register_format('pve-realm', \&pve_verify_realm);
sub pve_verify_realm {
    my ($realm, $noerr) = @_;

    if ($realm !~ m/^${realm_regex}$/) {
	return undef if $noerr;
	die "value does not look like a valid realm\n";
    }
    return $realm;
}

PVE::JSONSchema::register_standard_option('realm', {
    description => "Authentication domain ID",
    type => 'string', format => 'pve-realm',
    maxLength => 32,
});

my $realm_sync_options_desc = {
    scope => {
	description => "Select what to sync.",
	type => 'string',
	enum => [qw(users groups both)],
	optional => '1',
    },
    full => {
	description => "If set, uses the LDAP Directory as source of truth,"
	    ." deleting users or groups not returned from the sync. Otherwise"
	    ." only syncs information which is not already present, and does not"
	    ." deletes or modifies anything else.",
	type => 'boolean',
	optional => '1',
    },
    'enable-new' => {
	description => "Enable newly synced users immediately.",
	type => 'boolean',
	default => '1',
	optional => '1',
    },
    purge => {
	description => "Remove ACLs for users or groups which were removed from"
	    ." the config during a sync.",
	type => 'boolean',
	optional => '1',
    },
};
PVE::JSONSchema::register_standard_option('realm-sync-options', $realm_sync_options_desc);
PVE::JSONSchema::register_format('realm-sync-options', $realm_sync_options_desc);

PVE::JSONSchema::register_format('pve-userid', \&verify_username);
sub verify_username {
    my ($username, $noerr) = @_;

    $username = '' if !$username;
    my $len = length($username);
    if ($len < 3) {
	die "user name '$username' is too short\n" if !$noerr;
	return undef;
    }
    if ($len > 64) {
	die "user name '$username' is too long ($len > 64)\n" if !$noerr;
	return undef;
    }

    # we only allow a limited set of characters
    # colon is not allowed, because we store usernames in
    # colon separated lists)!
    # slash is not allowed because it is used as pve API delimiter
    # also see "man useradd"
    if ($username =~ m!^(${user_regex})\@(${realm_regex})$!) {
	return wantarray ? ($username, $1, $2) : $username;
    }

    die "value '$username' does not look like a valid user name\n" if !$noerr;

    return undef;
}

PVE::JSONSchema::register_standard_option('userid', {
    description => "User ID",
    type => 'string', format => 'pve-userid',
    maxLength => 64,
});

my $tfa_format = {
    type => {
        description => "The type of 2nd factor authentication.",
        format_description => 'TFATYPE',
        type => 'string',
        enum => [qw(yubico oath)],
    },
    id => {
        description => "Yubico API ID.",
        format_description => 'ID',
        type => 'string',
        optional => 1,
    },
    key => {
        description => "Yubico API Key.",
        format_description => 'KEY',
        type => 'string',
        optional => 1,
    },
    url => {
        description => "Yubico API URL.",
        format_description => 'URL',
        type => 'string',
        optional => 1,
    },
    digits => {
        description => "TOTP digits.",
        format_description => 'COUNT',
        type => 'integer',
        minimum => 6, maximum => 8,
        default => 6,
        optional => 1,
    },
    step => {
        description => "TOTP time period.",
        format_description => 'SECONDS',
        type => 'integer',
        minimum => 10,
        default => 30,
        optional => 1,
    },
};

PVE::JSONSchema::register_format('pve-tfa-config', $tfa_format);

PVE::JSONSchema::register_standard_option('tfa', {
    description => "Use Two-factor authentication.",
    type => 'string', format => 'pve-tfa-config',
    optional => 1,
    maxLength => 128,
});

sub parse_tfa_config {
    my ($data) = @_;

    return PVE::JSONSchema::parse_property_string($tfa_format, $data);
}

my $defaultData = {
    propertyList => {
	type => { description => "Realm type." },
	realm => get_standard_option('realm'),
    },
};

sub private {
    return $defaultData;
}

sub parse_section_header {
    my ($class, $line) = @_;

    if ($line =~ m/^(\S+):\s*(\S+)\s*$/) {
	my ($type, $realm) = (lc($1), $2);
	my $errmsg = undef; # set if you want to skip whole section
	eval { pve_verify_realm($realm); };
	$errmsg = $@ if $@;
	my $config = {}; # to return additional attributes
	return ($type, $realm, $errmsg, $config);
    }
    return undef;
}

sub parse_config {
    my ($class, $filename, $raw) = @_;

    my $cfg = $class->SUPER::parse_config($filename, $raw);

    my $default;
    foreach my $realm (keys %{$cfg->{ids}}) {
	my $data = $cfg->{ids}->{$realm};
	# make sure there is only one default marker
	if ($data->{default}) {
	    if ($default) {
		delete $data->{default};
	    } else {
		$default = $realm;
	    }
	}

	if ($data->{comment}) {
	    $data->{comment} = PVE::Tools::decode_text($data->{comment});
	}

    }

    # add default domains

    $cfg->{ids}->{pve}->{type} = 'pve'; # force type
    $cfg->{ids}->{pve}->{comment} = "Proxmox VE authentication server"
	if !$cfg->{ids}->{pve}->{comment};

    $cfg->{ids}->{pam}->{type} = 'pam'; # force type
    $cfg->{ids}->{pam}->{plugin} =  'PVE::Auth::PAM';
    $cfg->{ids}->{pam}->{comment} = "Linux PAM standard authentication"
	if !$cfg->{ids}->{pam}->{comment};

    return $cfg;
};

sub write_config {
    my ($class, $filename, $cfg) = @_;

    foreach my $realm (keys %{$cfg->{ids}}) {
	my $data = $cfg->{ids}->{$realm};
	if ($data->{comment}) {
	    $data->{comment} = PVE::Tools::encode_text($data->{comment});
	}
    }

    $class->SUPER::write_config($filename, $cfg);
}

sub authenticate_user {
    my ($class, $config, $realm, $username, $password) = @_;

    die "overwrite me";
}

sub store_password {
    my ($class, $config, $realm, $username, $password) = @_;

    my $type = $class->type();

    die "can't set password on auth type '$type'\n";
}

sub delete_user {
    my ($class, $config, $realm, $username) = @_;

    # do nothing by default
}

1;
Commit	Line	Data
5bb4e06a DM	1	package PVE::Auth::Plugin;
	2
	3	use strict;
	4	use warnings;
	5	use Encode;
	6	use Digest::SHA;
	7	use PVE::Tools;
	8	use PVE::SectionConfig;
	9	use PVE::JSONSchema qw(get_standard_option);
	10	use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_lock_file);
	11
5bb4e06a DM	12	use base qw(PVE::SectionConfig);
	13
	14	my $domainconfigfile = "domains.cfg";
	15
0a6e09fd	16	cfs_register_file($domainconfigfile,
5bb4e06a DM	17	sub { __PACKAGE__->parse_config(@_); },
	18	sub { __PACKAGE__->write_config(@_); });
	19
	20	sub lock_domain_config {
	21	my ($code, $errmsg) = @_;
	22
	23	cfs_lock_file($domainconfigfile, undef, $code);
	24	my $err = $@;
	25	if ($err) {
	26	$errmsg ? die "$errmsg: $err" : die $err;
	27	}
	28	}
	29
8e23f971 FG	30	our $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/;
8e23f971 FG	31	our $user_regex = qr![^\s:/]+!;
5bb4e06a DM	32
	33	PVE::JSONSchema::register_format('pve-realm', \&pve_verify_realm);
	34	sub pve_verify_realm {
	35	my ($realm, $noerr) = @_;
0a6e09fd	36
5bb4e06a DM	37	if ($realm !~ m/^${realm_regex}$/) {
5bb4e06a DM	38	return undef if $noerr;
0a6e09fd	39	die "value does not look like a valid realm\n";
5bb4e06a DM	40	}
	41	return $realm;
	42	}
	43
	44	PVE::JSONSchema::register_standard_option('realm', {
	45	description => "Authentication domain ID",
	46	type => 'string', format => 'pve-realm',
	47	maxLength => 32,
	48	});
	49
d29d2d4a TL	50	my $realm_sync_options_desc = {
	51	scope => {
	52	description => "Select what to sync.",
	53	type => 'string',
	54	enum => [qw(users groups both)],
	55	optional => '1',
	56	},
	57	full => {
	58	description => "If set, uses the LDAP Directory as source of truth,"
	59	." deleting users or groups not returned from the sync. Otherwise"
	60	." only syncs information which is not already present, and does not"
	61	." deletes or modifies anything else.",
	62	type => 'boolean',
	63	optional => '1',
	64	},
	65	'enable-new' => {
	66	description => "Enable newly synced users immediately.",
	67	type => 'boolean',
	68	default => '1',
	69	optional => '1',
	70	},
	71	purge => {
	72	description => "Remove ACLs for users or groups which were removed from"
	73	." the config during a sync.",
	74	type => 'boolean',
	75	optional => '1',
	76	},
	77	};
	78	PVE::JSONSchema::register_standard_option('realm-sync-options', $realm_sync_options_desc);
	79	PVE::JSONSchema::register_format('realm-sync-options', $realm_sync_options_desc);
	80
5bb4e06a DM	81	PVE::JSONSchema::register_format('pve-userid', \&verify_username);
	82	sub verify_username {
	83	my ($username, $noerr) = @_;
	84
	85	$username = '' if !$username;
	86	my $len = length($username);
	87	if ($len < 3) {
	88	die "user name '$username' is too short\n" if !$noerr;
	89	return undef;
	90	}
	91	if ($len > 64) {
	92	die "user name '$username' is too long ($len > 64)\n" if !$noerr;
	93	return undef;
	94	}
	95
	96	# we only allow a limited set of characters
0a6e09fd	97	# colon is not allowed, because we store usernames in
5bb4e06a DM	98	# colon separated lists)!
5bb4e06a DM	99	# slash is not allowed because it is used as pve API delimiter
0a6e09fd	100	# also see "man useradd"
8e23f971	101	if ($username =~ m!^(${user_regex})\@(${realm_regex})$!) {
5bb4e06a DM	102	return wantarray ? ($username, $1, $2) : $username;
	103	}
	104
	105	die "value '$username' does not look like a valid user name\n" if !$noerr;
	106
	107	return undef;
	108	}
	109
	110	PVE::JSONSchema::register_standard_option('userid', {
af5d7da7	111	description => "User ID",
5bb4e06a DM	112	type => 'string', format => 'pve-userid',
	113	maxLength => 64,
	114	});
	115
9401be39 WB	116	my $tfa_format = {
	117	type => {
	118	description => "The type of 2nd factor authentication.",
	119	format_description => 'TFATYPE',
	120	type => 'string',
	121	enum => [qw(yubico oath)],
	122	},
	123	id => {
	124	description => "Yubico API ID.",
	125	format_description => 'ID',
	126	type => 'string',
	127	optional => 1,
	128	},
	129	key => {
	130	description => "Yubico API Key.",
	131	format_description => 'KEY',
	132	type => 'string',
	133	optional => 1,
	134	},
	135	url => {
	136	description => "Yubico API URL.",
	137	format_description => 'URL',
	138	type => 'string',
	139	optional => 1,
	140	},
	141	digits => {
	142	description => "TOTP digits.",
	143	format_description => 'COUNT',
	144	type => 'integer',
	145	minimum => 6, maximum => 8,
	146	default => 6,
	147	optional => 1,
	148	},
	149	step => {
	150	description => "TOTP time period.",
	151	format_description => 'SECONDS',
	152	type => 'integer',
	153	minimum => 10,
	154	default => 30,
	155	optional => 1,
	156	},
	157	};
	158
	159	PVE::JSONSchema::register_format('pve-tfa-config', $tfa_format);
96f8ebd6 DM	160
	161	PVE::JSONSchema::register_standard_option('tfa', {
	162	description => "Use Two-factor authentication.",
	163	type => 'string', format => 'pve-tfa-config',
	164	optional => 1,
	165	maxLength => 128,
	166	});
	167
	168	sub parse_tfa_config {
	169	my ($data) = @_;
	170
9401be39	171	return PVE::JSONSchema::parse_property_string($tfa_format, $data);
96f8ebd6 DM	172	}
96f8ebd6 DM	173
5bb4e06a DM	174	my $defaultData = {
	175	propertyList => {
	176	type => { description => "Realm type." },
	177	realm => get_standard_option('realm'),
	178	},
	179	};
	180
	181	sub private {
	182	return $defaultData;
	183	}
	184
	185	sub parse_section_header {
	186	my ($class, $line) = @_;
	187
	188	if ($line =~ m/^(\S+):\s(\S+)\s$/) {
	189	my ($type, $realm) = (lc($1), $2);
	190	my $errmsg = undef; # set if you want to skip whole section
	191	eval { pve_verify_realm($realm); };
	192	$errmsg = $@ if $@;
	193	my $config = {}; # to return additional attributes
	194	return ($type, $realm, $errmsg, $config);
	195	}
	196	return undef;
	197	}
	198
	199	sub parse_config {
	200	my ($class, $filename, $raw) = @_;
	201
	202	my $cfg = $class->SUPER::parse_config($filename, $raw);
	203
	204	my $default;
	205	foreach my $realm (keys %{$cfg->{ids}}) {
	206	my $data = $cfg->{ids}->{$realm};
	207	# make sure there is only one default marker
	208	if ($data->{default}) {
	209	if ($default) {
	210	delete $data->{default};
	211	} else {
	212	$default = $realm;
	213	}
	214	}
	215
	216	if ($data->{comment}) {
	217	$data->{comment} = PVE::Tools::decode_text($data->{comment});
	218	}
	219
	220	}
	221
	222	# add default domains
	223
96f8ebd6 DM	224	$cfg->{ids}->{pve}->{type} = 'pve'; # force type
	225	$cfg->{ids}->{pve}->{comment} = "Proxmox VE authentication server"
	226	if !$cfg->{ids}->{pve}->{comment};
5bb4e06a	227
96f8ebd6 DM	228	$cfg->{ids}->{pam}->{type} = 'pam'; # force type
	229	$cfg->{ids}->{pam}->{plugin} = 'PVE::Auth::PAM';
	230	$cfg->{ids}->{pam}->{comment} = "Linux PAM standard authentication"
	231	if !$cfg->{ids}->{pam}->{comment};
5bb4e06a DM	232
	233	return $cfg;
	234	};
	235
	236	sub write_config {
	237	my ($class, $filename, $cfg) = @_;
	238
5bb4e06a DM	239	foreach my $realm (keys %{$cfg->{ids}}) {
	240	my $data = $cfg->{ids}->{$realm};
	241	if ($data->{comment}) {
	242	$data->{comment} = PVE::Tools::encode_text($data->{comment});
	243	}
	244	}
0a6e09fd	245
5bb4e06a DM	246	$class->SUPER::write_config($filename, $cfg);
	247	}
	248
	249	sub authenticate_user {
	250	my ($class, $config, $realm, $username, $password) = @_;
	251
	252	die "overwrite me";
	253	}
	254
	255	sub store_password {
	256	my ($class, $config, $realm, $username, $password) = @_;
	257
	258	my $type = $class->type();
	259
	260	die "can't set password on auth type '$type'\n";
	261	}
	262
	263	sub delete_user {
	264	my ($class, $config, $realm, $username) = @_;
	265
	266	# do nothing by default
	267	}
	268
	269	1;