[pve-access-control.git] / src / PVE / API2 / TFA.pm

package PVE::API2::TFA;

use strict;
use warnings;

use HTTP::Status qw(:constants);

use PVE::AccessControl;
use PVE::Cluster qw(cfs_read_file cfs_write_file);
use PVE::JSONSchema qw(get_standard_option);
use PVE::Exception qw(raise raise_perm_exc raise_param_exc);
use PVE::RPCEnvironment;

use PVE::API2::AccessControl; # for old login api get_u2f_instance method

use PVE::RESTHandler;

use base qw(PVE::RESTHandler);

my $OPTIONAL_PASSWORD_SCHEMA = {
    description => "The current password.",
    type => 'string',
    optional => 1, # Only required if not root@pam
    minLength => 5,
    maxLength => 64
};

my $TFA_TYPE_SCHEMA = {
    type => 'string',
    description => 'TFA Entry Type.',
    enum => [qw(totp u2f webauthn recovery yubico)],
};

my %TFA_INFO_PROPERTIES = (
    id => {
	type => 'string',
	description => 'The id used to reference this entry.',
    },
    description => {
	type => 'string',
	description => 'User chosen description for this entry.',
    },
    created => {
	type => 'integer',
	description => 'Creation time of this entry as unix epoch.',
    },
    enable => {
	type => 'boolean',
	description => 'Whether this TFA entry is currently enabled.',
	optional => 1,
	default => 1,
    },
);

my $TYPED_TFA_ENTRY_SCHEMA = {
    type => 'object',
    description => 'TFA Entry.',
    properties => {
	type => $TFA_TYPE_SCHEMA,
	%TFA_INFO_PROPERTIES,
    },
};

my $TFA_ID_SCHEMA = {
    type => 'string',
    description => 'A TFA entry id.',
};

my $TFA_UPDATE_INFO_SCHEMA = {
    type => 'object',
    properties => {
	id => {
	    type => 'string',
	    description => 'The id of a newly added TFA entry.',
	},
	challenge => {
	    type => 'string',
	    optional => 1,
	    description =>
		'When adding u2f entries, this contains a challenge the user must respond to in order'
		.' to finish the registration.'
	},
	recovery => {
	    type => 'array',
	    optional => 1,
	    description =>
		'When adding recovery codes, this contains the list of codes to be displayed to'
		.' the user',
	    items => {
		type => 'string',
		description => 'A recovery entry.'
	    },
	},
    },
};

# Only root may modify root, regular users need to specify their password.
#
# Returns the userid returned from `verify_username`.
# Or ($userid, $realm) in list context.
my sub root_permission_check : prototype($$$$) {
    my ($rpcenv, $authuser, $userid, $password) = @_;

    ($userid, my $ruid, my $realm) = PVE::AccessControl::verify_username($userid);
    $rpcenv->check_user_exist($userid);

    raise_perm_exc() if $userid eq 'root@pam' && $authuser ne 'root@pam';

    # Regular users need to confirm their password to change TFA settings.
    if ($authuser ne 'root@pam') {
	raise_param_exc({ 'password' => 'password is required to modify TFA data' })
	    if !defined($password);

	my $domain_cfg = cfs_read_file('domains.cfg');
	my $cfg = $domain_cfg->{ids}->{$realm};
	die "auth domain '$realm' does not exist\n" if !$cfg;
	my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
	$plugin->authenticate_user($cfg, $realm, $ruid, $password);
    }

    return wantarray ? ($userid, $realm) : $userid;
}

# Set TFA to enabled if $tfa_cfg is passed, or to disabled if $tfa_cfg is undef,
# When enabling we also merge the old user.cfg keys into the $tfa_cfg.
my sub set_user_tfa_enabled : prototype($$$) {
    my ($userid, $realm, $tfa_cfg) = @_;

    PVE::AccessControl::lock_user_config(sub {
	my $user_cfg = cfs_read_file('user.cfg');
	my $user = $user_cfg->{users}->{$userid};
	my $keys = $user->{keys};
	# When enabling, we convert old-old keys,
	# When disabling, we shouldn't actually have old keys anymore, so if they are there,
	# they'll be removed.
	if ($tfa_cfg && $keys && $keys !~ /^x(?:!.*)?$/) {
	    my $domain_cfg = cfs_read_file('domains.cfg');
	    my $realm_cfg = $domain_cfg->{ids}->{$realm};
	    die "auth domain '$realm' does not exist\n" if !$realm_cfg;

	    my $realm_tfa = $realm_cfg->{tfa};
	    $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_tfa) if $realm_tfa;

	    PVE::AccessControl::add_old_keys_to_realm_tfa($userid, $tfa_cfg, $realm_tfa, $keys);
	}
	$user->{keys} = $tfa_cfg ? 'x' : undef;
	cfs_write_file("user.cfg", $user_cfg);
    }, "enabling TFA for the user failed");
}

### OLD API

__PACKAGE__->register_method({
    name => 'verify_tfa',
    path => '',
    method => 'POST',
    permissions => { user => 'all' },
    protected => 1, # else we can't access shadow files
    allowtoken => 0, # we don't want tokens to access TFA information
    description => 'Finish a u2f challenge.',
    parameters => {
	additionalProperties => 0,
	properties => {
	    response => {
		type => 'string',
		description => 'The response to the current authentication challenge.',
	    },
	}
    },
    returns => {
	type => 'object',
	properties => {
	    ticket => { type => 'string' },
	    # cap
	}
    },
    code => sub {
	my ($param) = @_;

	my $rpcenv = PVE::RPCEnvironment::get();
	my $authuser = $rpcenv->get_user();
	my ($username, undef, $realm) = PVE::AccessControl::verify_username($authuser);

	my ($tfa_type, $tfa_data) = PVE::AccessControl::user_get_tfa($username, $realm, 0);
	if (!defined($tfa_type)) {
	    raise('no u2f data available');
	}

	eval {
	    if ($tfa_type eq 'u2f') {
		my $challenge = $rpcenv->get_u2f_challenge()
		   or raise('no active challenge');

		my $keyHandle = $tfa_data->{keyHandle};
		my $publicKey = $tfa_data->{publicKey};
		raise("incomplete u2f setup")
		    if !defined($keyHandle) || !defined($publicKey);

		my $u2f = PVE::API2::AccessControl::get_u2f_instance($rpcenv, $publicKey, $keyHandle);
		$u2f->set_challenge($challenge);

		my ($counter, $present) = $u2f->auth_verify($param->{response});
		# Do we want to do anything with these?
	    } else {
		# sanity check before handing off to the verification code:
		my $keys = $tfa_data->{keys} or die "missing tfa keys\n";
		my $config = $tfa_data->{config} or die "bad tfa entry\n";
		PVE::AccessControl::verify_one_time_pw($tfa_type, $authuser, $keys, $config, $param->{response});
	    }
	};
	if (my $err = $@) {
	    my $clientip = $rpcenv->get_client_ip() || '';
	    syslog('err', "authentication verification failure; rhost=$clientip user=$authuser msg=$err");
	    die PVE::Exception->new("authentication failure\n", code => 401);
	}

	return {
	    ticket => PVE::AccessControl::assemble_ticket($authuser),
	    cap => $rpcenv->compute_api_permission($authuser),
	}
    }});

### END OLD API

__PACKAGE__->register_method ({
    name => 'list_user_tfa',
    path => '{userid}',
    method => 'GET',
    permissions => {
	check => [ 'or',
	    ['userid-param', 'self'],
	    ['userid-group', ['User.Modify', 'Sys.Audit']],
	],
    },
    protected => 1, # else we can't access shadow files
    allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
    description => 'List TFA configurations of users.',
    parameters => {
	additionalProperties => 0,
	properties => {
	    userid => get_standard_option('userid', {
		completion => \&PVE::AccessControl::complete_username,
	    }),
	}
    },
    returns => {
	description => "A list of the user's TFA entries.",
	type => 'array',
	items => $TYPED_TFA_ENTRY_SCHEMA,
    },
    code => sub {
	my ($param) = @_;
	my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
	return $tfa_cfg->api_list_user_tfa($param->{userid});
    }});

__PACKAGE__->register_method ({
    name => 'get_tfa_entry',
    path => '{userid}/{id}',
    method => 'GET',
    permissions => {
	check => [ 'or',
	    ['userid-param', 'self'],
	    ['userid-group', ['User.Modify', 'Sys.Audit']],
	],
    },
    protected => 1, # else we can't access shadow files
    allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
    description => 'Fetch a requested TFA entry if present.',
    parameters => {
	additionalProperties => 0,
	properties => {
	    userid => get_standard_option('userid', {
		completion => \&PVE::AccessControl::complete_username,
	    }),
	    id => $TFA_ID_SCHEMA,
	}
    },
    returns => $TYPED_TFA_ENTRY_SCHEMA,
    code => sub {
	my ($param) = @_;
	my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
	my $id = $param->{id};
	my $entry = $tfa_cfg->api_get_tfa_entry($param->{userid}, $id);
	raise("No such tfa entry '$id'", code => HTTP::Status::HTTP_NOT_FOUND) if !$entry;
	return $entry;
    }});

__PACKAGE__->register_method ({
    name => 'delete_tfa',
    path => '{userid}/{id}',
    method => 'DELETE',
    permissions => {
	check => [ 'or',
	    ['userid-param', 'self'],
	    ['userid-group', ['User.Modify']],
	],
    },
    protected => 1, # else we can't access shadow files
    allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
    description => 'Delete a TFA entry by ID.',
    parameters => {
	additionalProperties => 0,
	properties => {
	    userid => get_standard_option('userid', {
		completion => \&PVE::AccessControl::complete_username,
	    }),
	    id => $TFA_ID_SCHEMA,
	    password => $OPTIONAL_PASSWORD_SCHEMA,
	}
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::AccessControl::assert_new_tfa_config_available();
	
	my $rpcenv = PVE::RPCEnvironment::get();
	my $authuser = $rpcenv->get_user();
	my $userid =
	    root_permission_check($rpcenv, $authuser, $param->{userid}, $param->{password});

	my $has_entries_left = PVE::AccessControl::lock_tfa_config(sub {
	    my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
	    my $has_entries_left = $tfa_cfg->api_delete_tfa($userid, $param->{id});
	    cfs_write_file('priv/tfa.cfg', $tfa_cfg);
	    return $has_entries_left;
	});
	if (!$has_entries_left) {
	    set_user_tfa_enabled($userid, undef, undef);
	}
    }});

__PACKAGE__->register_method ({
    name => 'list_tfa',
    path => '',
    method => 'GET',
    permissions => {
	description => "Returns all or just the logged-in user, depending on privileges.",
	user => 'all',
    },
    protected => 1, # else we can't access shadow files
    allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
    description => 'List TFA configurations of users.',
    parameters => {
	additionalProperties => 0,
	properties => {}
    },
    returns => {
	description => "The list tuples of user and TFA entries.",
	type => 'array',
	items => {
	    type => 'object',
	    properties => {
		userid => {
		    type => 'string',
		    description => 'User this entry belongs to.',
		},
		entries => {
		    type => 'array',
		    items => $TYPED_TFA_ENTRY_SCHEMA,
		},
	    },
	},
    },
    code => sub {
	my ($param) = @_;

	my $rpcenv = PVE::RPCEnvironment::get();
	my $authuser = $rpcenv->get_user();
	my $top_level_allowed = ($authuser eq 'root@pam');

	my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
	return $tfa_cfg->api_list_tfa($authuser, $top_level_allowed);
    }});

__PACKAGE__->register_method ({
    name => 'add_tfa_entry',
    path => '{userid}',
    method => 'POST',
    permissions => {
	check => [ 'or',
	    ['userid-param', 'self'],
	    ['userid-group', ['User.Modify']],
	],
    },
    protected => 1, # else we can't access shadow files
    allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
    description => 'Add a TFA entry for a user.',
    parameters => {
	additionalProperties => 0,
	properties => {
	    userid => get_standard_option('userid', {
		completion => \&PVE::AccessControl::complete_username,
	    }),
            type => $TFA_TYPE_SCHEMA,
	    description => {
		type => 'string',
		description => 'A description to distinguish multiple entries from one another',
		maxLength => 255,
		optional => 1,
	    },
	    totp => {
		type => 'string',
		description => "A totp URI.",
		optional => 1,
	    },
	    value => {
		type => 'string',
		description =>
		    'The current value for the provided totp URI, or a Webauthn/U2F'
		    .' challenge response',
		optional => 1,
	    },
	    challenge => {
		type => 'string',
		description => 'When responding to a u2f challenge: the original challenge string',
		optional => 1,
	    },
	    password => $OPTIONAL_PASSWORD_SCHEMA,
	},
    },
    returns => $TFA_UPDATE_INFO_SCHEMA,
    code => sub {
	my ($param) = @_;

	PVE::AccessControl::assert_new_tfa_config_available();

	my $rpcenv = PVE::RPCEnvironment::get();
	my $authuser = $rpcenv->get_user();
	my ($userid, $realm) =
	    root_permission_check($rpcenv, $authuser, $param->{userid}, $param->{password});

	my $type = delete $param->{type};
	my $value = delete $param->{value};
	if ($type eq 'yubico') {
	    $value = validate_yubico_otp($userid, $realm, $value);
	}

	return PVE::AccessControl::lock_tfa_config(sub {
	    my $tfa_cfg = cfs_read_file('priv/tfa.cfg');

	    set_user_tfa_enabled($userid, $realm, $tfa_cfg);

	    PVE::AccessControl::configure_u2f_and_wa($tfa_cfg);

	    my $response = $tfa_cfg->api_add_tfa_entry(
		$userid,
		$param->{description},
		$param->{totp},
		$value,
		$param->{challenge},
		$type,
	    );

	    cfs_write_file('priv/tfa.cfg', $tfa_cfg);

	    return $response;
	});
    }});

sub validate_yubico_otp : prototype($$) {
    my ($userid, $realm, $value) = @_;

    my $domain_cfg = cfs_read_file('domains.cfg');
    my $realm_cfg = $domain_cfg->{ids}->{$realm};
    die "auth domain '$realm' does not exist\n" if !$realm_cfg;

    my $realm_tfa = $realm_cfg->{tfa};
    die "no yubico otp configuration available for realm $realm\n"
	if !$realm_tfa;

    $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_tfa);
    die "realm is not setup for Yubico OTP\n"
	if !$realm_tfa || $realm_tfa->{type} ne 'yubico';

    my $public_key = substr($value, 0, 12);

    PVE::AccessControl::authenticate_yubico_do($value, $public_key, $realm_tfa);

    return $public_key;
}

__PACKAGE__->register_method ({
    name => 'update_tfa_entry',
    path => '{userid}/{id}',
    method => 'PUT',
    permissions => {
	check => [ 'or',
	    ['userid-param', 'self'],
	    ['userid-group', ['User.Modify']],
	],
    },
    protected => 1, # else we can't access shadow files
    allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
    description => 'Add a TFA entry for a user.',
    parameters => {
	additionalProperties => 0,
	properties => {
	    userid => get_standard_option('userid', {
		completion => \&PVE::AccessControl::complete_username,
	    }),
	    id => $TFA_ID_SCHEMA,
	    description => {
		type => 'string',
		description => 'A description to distinguish multiple entries from one another',
		maxLength => 255,
		optional => 1,
	    },
	    enable => {
		type => 'boolean',
		description => 'Whether the entry should be enabled for login.',
		optional => 1,
	    },
	    password => $OPTIONAL_PASSWORD_SCHEMA,
	},
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::AccessControl::assert_new_tfa_config_available();

	my $rpcenv = PVE::RPCEnvironment::get();
	my $authuser = $rpcenv->get_user();
	my $userid =
	    root_permission_check($rpcenv, $authuser, $param->{userid}, $param->{password});

	PVE::AccessControl::lock_tfa_config(sub {
	    my $tfa_cfg = cfs_read_file('priv/tfa.cfg');

	    $tfa_cfg->api_update_tfa_entry(
		$userid,
		$param->{id},
		$param->{description},
		$param->{enable},
	    );

	    cfs_write_file('priv/tfa.cfg', $tfa_cfg);
	});
    }});

1;
Commit	Line	Data
dc547a13 WB	1	package PVE::API2::TFA;
	2
	3	use strict;
	4	use warnings;
	5
b3dae5dd WB	6	use HTTP::Status qw(:constants);
b3dae5dd WB	7
dc547a13	8	use PVE::AccessControl;
07692c72	9	use PVE::Cluster qw(cfs_read_file cfs_write_file);
dc547a13 WB	10	use PVE::JSONSchema qw(get_standard_option);
	11	use PVE::Exception qw(raise raise_perm_exc raise_param_exc);
	12	use PVE::RPCEnvironment;
	13
	14	use PVE::API2::AccessControl; # for old login api get_u2f_instance method
	15
	16	use PVE::RESTHandler;
	17
	18	use base qw(PVE::RESTHandler);
	19
07692c72 WB	20	my $OPTIONAL_PASSWORD_SCHEMA = {
	21	description => "The current password.",
	22	type => 'string',
	23	optional => 1, # Only required if not root@pam
	24	minLength => 5,
	25	maxLength => 64
	26	};
	27
	28	my $TFA_TYPE_SCHEMA = {
	29	type => 'string',
	30	description => 'TFA Entry Type.',
	31	enum => [qw(totp u2f webauthn recovery yubico)],
	32	};
	33
	34	my %TFA_INFO_PROPERTIES = (
	35	id => {
	36	type => 'string',
	37	description => 'The id used to reference this entry.',
	38	},
	39	description => {
	40	type => 'string',
	41	description => 'User chosen description for this entry.',
	42	},
	43	created => {
	44	type => 'integer',
	45	description => 'Creation time of this entry as unix epoch.',
	46	},
	47	enable => {
	48	type => 'boolean',
	49	description => 'Whether this TFA entry is currently enabled.',
	50	optional => 1,
	51	default => 1,
	52	},
	53	);
	54
	55	my $TYPED_TFA_ENTRY_SCHEMA = {
	56	type => 'object',
	57	description => 'TFA Entry.',
	58	properties => {
	59	type => $TFA_TYPE_SCHEMA,
	60	%TFA_INFO_PROPERTIES,
	61	},
	62	};
	63
	64	my $TFA_ID_SCHEMA = {
	65	type => 'string',
	66	description => 'A TFA entry id.',
	67	};
	68
	69	my $TFA_UPDATE_INFO_SCHEMA = {
	70	type => 'object',
	71	properties => {
	72	id => {
	73	type => 'string',
	74	description => 'The id of a newly added TFA entry.',
	75	},
	76	challenge => {
	77	type => 'string',
	78	optional => 1,
	79	description =>
	80	'When adding u2f entries, this contains a challenge the user must respond to in order'
	81	.' to finish the registration.'
	82	},
	83	recovery => {
84	type => 'array',
85	optional => 1,
86	description =>
87	'When adding recovery codes, this contains the list of codes to be displayed to'
88	.' the user',
89	items => {
90	type => 'string',
91	description => 'A recovery entry.'
92	},
93	},
94	},
95	};
96
97	# Only root may modify root, regular users need to specify their password.
98	#
99	# Returns the userid returned from `verify_username`.
100	# Or ($userid, $realm) in list context.
101	my sub root_permission_check : prototype($$$$) {
102	my ($rpcenv, $authuser, $userid, $password) = @_;
103
104	($userid, my $ruid, my $realm) = PVE::AccessControl::verify_username($userid);
105	$rpcenv->check_user_exist($userid);
106
107	raise_perm_exc() if $userid eq 'root@pam' && $authuser ne 'root@pam';
108
109	# Regular users need to confirm their password to change TFA settings.
110	if ($authuser ne 'root@pam') {
111	raise_param_exc({ 'password' => 'password is required to modify TFA data' })
112	if !defined($password);
113
114	my $domain_cfg = cfs_read_file('domains.cfg');
115	my $cfg = $domain_cfg->{ids}->{$realm};
116	die "auth domain '$realm' does not exist\n" if !$cfg;
117	my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
118	$plugin->authenticate_user($cfg, $realm, $ruid, $password);
119	}
120
121	return wantarray ? ($userid, $realm) : $userid;
122	}
123
0fe62fa8 WB	124	# Set TFA to enabled if $tfa_cfg is passed, or to disabled if $tfa_cfg is undef,
	125	# When enabling we also merge the old user.cfg keys into the $tfa_cfg.
	126	my sub set_user_tfa_enabled : prototype($$$) {
	127	my ($userid, $realm, $tfa_cfg) = @_;
c55555ab WB	128
	129	PVE::AccessControl::lock_user_config(sub {
	130	my $user_cfg = cfs_read_file('user.cfg');
	131	my $user = $user_cfg->{users}->{$userid};
	132	my $keys = $user->{keys};
0fe62fa8 WB	133	# When enabling, we convert old-old keys,
	134	# When disabling, we shouldn't actually have old keys anymore, so if they are there,
	135	# they'll be removed.
	136	if ($tfa_cfg && $keys && $keys !~ /^x(?:!.*)?$/) {
	137	my $domain_cfg = cfs_read_file('domains.cfg');
	138	my $realm_cfg = $domain_cfg->{ids}->{$realm};
	139	die "auth domain '$realm' does not exist\n" if !$realm_cfg;
	140
	141	my $realm_tfa = $realm_cfg->{tfa};
	142	$realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_tfa) if $realm_tfa;
	143
	144	PVE::AccessControl::add_old_keys_to_realm_tfa($userid, $tfa_cfg, $realm_tfa, $keys);
c55555ab	145	}
0fe62fa8	146	$user->{keys} = $tfa_cfg ? 'x' : undef;
c55555ab WB	147	cfs_write_file("user.cfg", $user_cfg);
	148	}, "enabling TFA for the user failed");
	149	}
	150
dc547a13 WB	151	### OLD API
	152
	153	__PACKAGE__->register_method({
	154	name => 'verify_tfa',
	155	path => '',
	156	method => 'POST',
	157	permissions => { user => 'all' },
	158	protected => 1, # else we can't access shadow files
	159	allowtoken => 0, # we don't want tokens to access TFA information
	160	description => 'Finish a u2f challenge.',
	161	parameters => {
	162	additionalProperties => 0,
	163	properties => {
	164	response => {
	165	type => 'string',
	166	description => 'The response to the current authentication challenge.',
	167	},
	168	}
	169	},
	170	returns => {
	171	type => 'object',
	172	properties => {
	173	ticket => { type => 'string' },
	174	# cap
	175	}
	176	},
	177	code => sub {
	178	my ($param) = @_;
	179
	180	my $rpcenv = PVE::RPCEnvironment::get();
	181	my $authuser = $rpcenv->get_user();
	182	my ($username, undef, $realm) = PVE::AccessControl::verify_username($authuser);
	183
	184	my ($tfa_type, $tfa_data) = PVE::AccessControl::user_get_tfa($username, $realm, 0);
	185	if (!defined($tfa_type)) {
	186	raise('no u2f data available');
	187	}
	188
	189	eval {
	190	if ($tfa_type eq 'u2f') {
	191	my $challenge = $rpcenv->get_u2f_challenge()
	192	or raise('no active challenge');
	193
	194	my $keyHandle = $tfa_data->{keyHandle};
	195	my $publicKey = $tfa_data->{publicKey};
	196	raise("incomplete u2f setup")
	197	if !defined($keyHandle) \|\| !defined($publicKey);
	198
	199	my $u2f = PVE::API2::AccessControl::get_u2f_instance($rpcenv, $publicKey, $keyHandle);
	200	$u2f->set_challenge($challenge);
	201
	202	my ($counter, $present) = $u2f->auth_verify($param->{response});
	203	# Do we want to do anything with these?
	204	} else {
	205	# sanity check before handing off to the verification code:
	206	my $keys = $tfa_data->{keys} or die "missing tfa keys\n";
	207	my $config = $tfa_data->{config} or die "bad tfa entry\n";
	208	PVE::AccessControl::verify_one_time_pw($tfa_type, $authuser, $keys, $config, $param->{response});
	209	}
	210	};
	211	if (my $err = $@) {
	212	my $clientip = $rpcenv->get_client_ip() \|\| '';
	213	syslog('err', "authentication verification failure; rhost=$clientip user=$authuser msg=$err");
	214	die PVE::Exception->new("authentication failure\n", code => 401);
215	}
216
217	return {
218	ticket => PVE::AccessControl::assemble_ticket($authuser),
219	cap => $rpcenv->compute_api_permission($authuser),
220	}
221	}});
222
223	### END OLD API
224
dc547a13 WB	225	__PACKAGE__->register_method ({
	226	name => 'list_user_tfa',
	227	path => '{userid}',
	228	method => 'GET',
	229	permissions => {
	230	check => [ 'or',
	231	['userid-param', 'self'],
	232	['userid-group', ['User.Modify', 'Sys.Audit']],
	233	],
	234	},
	235	protected => 1, # else we can't access shadow files
	236	allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
	237	description => 'List TFA configurations of users.',
	238	parameters => {
	239	additionalProperties => 0,
	240	properties => {
	241	userid => get_standard_option('userid', {
	242	completion => \&PVE::AccessControl::complete_username,
	243	}),
	244	}
	245	},
	246	returns => {
	247	description => "A list of the user's TFA entries.",
	248	type => 'array',
	249	items => $TYPED_TFA_ENTRY_SCHEMA,
	250	},
	251	code => sub {
	252	my ($param) = @_;
	253	my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
	254	return $tfa_cfg->api_list_user_tfa($param->{userid});
	255	}});
	256
	257	__PACKAGE__->register_method ({
	258	name => 'get_tfa_entry',
	259	path => '{userid}/{id}',
	260	method => 'GET',
	261	permissions => {
	262	check => [ 'or',
	263	['userid-param', 'self'],
	264	['userid-group', ['User.Modify', 'Sys.Audit']],
	265	],
	266	},
	267	protected => 1, # else we can't access shadow files
	268	allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
07692c72	269	description => 'Fetch a requested TFA entry if present.',
dc547a13 WB	270	parameters => {
	271	additionalProperties => 0,
	272	properties => {
	273	userid => get_standard_option('userid', {
	274	completion => \&PVE::AccessControl::complete_username,
	275	}),
	276	id => $TFA_ID_SCHEMA,
	277	}
	278	},
	279	returns => $TYPED_TFA_ENTRY_SCHEMA,
	280	code => sub {
	281	my ($param) = @_;
	282	my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
07692c72 WB	283	my $id = $param->{id};
07692c72 WB	284	my $entry = $tfa_cfg->api_get_tfa_entry($param->{userid}, $id);
b3dae5dd	285	raise("No such tfa entry '$id'", code => HTTP::Status::HTTP_NOT_FOUND) if !$entry;
07692c72 WB	286	return $entry;
	287	}});
	288
	289	__PACKAGE__->register_method ({
	290	name => 'delete_tfa',
	291	path => '{userid}/{id}',
	292	method => 'DELETE',
	293	permissions => {
	294	check => [ 'or',
	295	['userid-param', 'self'],
	296	['userid-group', ['User.Modify']],
	297	],
	298	},
	299	protected => 1, # else we can't access shadow files
	300	allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
	301	description => 'Delete a TFA entry by ID.',
	302	parameters => {
	303	additionalProperties => 0,
	304	properties => {
	305	userid => get_standard_option('userid', {
	306	completion => \&PVE::AccessControl::complete_username,
	307	}),
	308	id => $TFA_ID_SCHEMA,
	309	password => $OPTIONAL_PASSWORD_SCHEMA,
	310	}
	311	},
	312	returns => { type => 'null' },
	313	code => sub {
	314	my ($param) = @_;
	315
	316	PVE::AccessControl::assert_new_tfa_config_available();
	317
	318	my $rpcenv = PVE::RPCEnvironment::get();
	319	my $authuser = $rpcenv->get_user();
	320	my $userid =
	321	root_permission_check($rpcenv, $authuser, $param->{userid}, $param->{password});
	322
c55555ab	323	my $has_entries_left = PVE::AccessControl::lock_tfa_config(sub {
07692c72	324	my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
c55555ab	325	my $has_entries_left = $tfa_cfg->api_delete_tfa($userid, $param->{id});
07692c72	326	cfs_write_file('priv/tfa.cfg', $tfa_cfg);
c55555ab	327	return $has_entries_left;
07692c72	328	});
c55555ab	329	if (!$has_entries_left) {
0fe62fa8	330	set_user_tfa_enabled($userid, undef, undef);
c55555ab	331	}
dc547a13 WB	332	}});
	333
	334	__PACKAGE__->register_method ({
	335	name => 'list_tfa',
	336	path => '',
	337	method => 'GET',
	338	permissions => {
	339	description => "Returns all or just the logged-in user, depending on privileges.",
	340	user => 'all',
	341	},
	342	protected => 1, # else we can't access shadow files
	343	allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
	344	description => 'List TFA configurations of users.',
	345	parameters => {
	346	additionalProperties => 0,
	347	properties => {}
	348	},
	349	returns => {
	350	description => "The list tuples of user and TFA entries.",
	351	type => 'array',
	352	items => {
	353	type => 'object',
	354	properties => {
	355	userid => {
	356	type => 'string',
	357	description => 'User this entry belongs to.',
	358	},
	359	entries => {
	360	type => 'array',
	361	items => $TYPED_TFA_ENTRY_SCHEMA,
	362	},
	363	},
	364	},
	365	},
	366	code => sub {
	367	my ($param) = @_;
	368
	369	my $rpcenv = PVE::RPCEnvironment::get();
	370	my $authuser = $rpcenv->get_user();
dc547a13 WB	371	my $top_level_allowed = ($authuser eq 'root@pam');
	372
	373	my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
	374	return $tfa_cfg->api_list_tfa($authuser, $top_level_allowed);
	375	}});
	376
07692c72 WB	377	__PACKAGE__->register_method ({
	378	name => 'add_tfa_entry',
	379	path => '{userid}',
	380	method => 'POST',
	381	permissions => {
	382	check => [ 'or',
	383	['userid-param', 'self'],
	384	['userid-group', ['User.Modify']],
	385	],
	386	},
	387	protected => 1, # else we can't access shadow files
	388	allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
	389	description => 'Add a TFA entry for a user.',
	390	parameters => {
	391	additionalProperties => 0,
	392	properties => {
	393	userid => get_standard_option('userid', {
	394	completion => \&PVE::AccessControl::complete_username,
	395	}),
	396	type => $TFA_TYPE_SCHEMA,
	397	description => {
	398	type => 'string',
	399	description => 'A description to distinguish multiple entries from one another',
	400	maxLength => 255,
	401	optional => 1,
	402	},
	403	totp => {
	404	type => 'string',
	405	description => "A totp URI.",
	406	optional => 1,
	407	},
	408	value => {
	409	type => 'string',
	410	description =>
	411	'The current value for the provided totp URI, or a Webauthn/U2F'
	412	.' challenge response',
	413	optional => 1,
	414	},
	415	challenge => {
	416	type => 'string',
	417	description => 'When responding to a u2f challenge: the original challenge string',
	418	optional => 1,
	419	},
	420	password => $OPTIONAL_PASSWORD_SCHEMA,
	421	},
	422	},
	423	returns => $TFA_UPDATE_INFO_SCHEMA,
	424	code => sub {
	425	my ($param) = @_;
	426
	427	PVE::AccessControl::assert_new_tfa_config_available();
	428
	429	my $rpcenv = PVE::RPCEnvironment::get();
	430	my $authuser = $rpcenv->get_user();
8c1e3ab3	431	my ($userid, $realm) =
07692c72 WB	432	root_permission_check($rpcenv, $authuser, $param->{userid}, $param->{password});
07692c72 WB	433
8c1e3ab3 WB	434	my $type = delete $param->{type};
	435	my $value = delete $param->{value};
	436	if ($type eq 'yubico') {
	437	$value = validate_yubico_otp($userid, $realm, $value);
	438	}
	439
07692c72 WB	440	return PVE::AccessControl::lock_tfa_config(sub {
07692c72 WB	441	my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
0fe62fa8 WB	442
	443	set_user_tfa_enabled($userid, $realm, $tfa_cfg);
	444
07692c72 WB	445	PVE::AccessControl::configure_u2f_and_wa($tfa_cfg);
	446
	447	my $response = $tfa_cfg->api_add_tfa_entry(
	448	$userid,
	449	$param->{description},
	450	$param->{totp},
8c1e3ab3	451	$value,
07692c72	452	$param->{challenge},
8c1e3ab3	453	$type,
07692c72 WB	454	);
	455
	456	cfs_write_file('priv/tfa.cfg', $tfa_cfg);
	457
	458	return $response;
	459	});
	460	}});
	461
8c1e3ab3 WB	462	sub validate_yubico_otp : prototype($$) {
	463	my ($userid, $realm, $value) = @_;
	464
	465	my $domain_cfg = cfs_read_file('domains.cfg');
	466	my $realm_cfg = $domain_cfg->{ids}->{$realm};
	467	die "auth domain '$realm' does not exist\n" if !$realm_cfg;
	468
	469	my $realm_tfa = $realm_cfg->{tfa};
	470	die "no yubico otp configuration available for realm $realm\n"
	471	if !$realm_tfa;
	472
	473	$realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_tfa);
	474	die "realm is not setup for Yubico OTP\n"
	475	if !$realm_tfa \|\| $realm_tfa->{type} ne 'yubico';
	476
	477	my $public_key = substr($value, 0, 12);
	478
	479	PVE::AccessControl::authenticate_yubico_do($value, $public_key, $realm_tfa);
	480
	481	return $public_key;
	482	}
	483
07692c72 WB	484	__PACKAGE__->register_method ({
	485	name => 'update_tfa_entry',
	486	path => '{userid}/{id}',
	487	method => 'PUT',
	488	permissions => {
	489	check => [ 'or',
	490	['userid-param', 'self'],
	491	['userid-group', ['User.Modify']],
	492	],
	493	},
	494	protected => 1, # else we can't access shadow files
	495	allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
	496	description => 'Add a TFA entry for a user.',
	497	parameters => {
	498	additionalProperties => 0,
	499	properties => {
	500	userid => get_standard_option('userid', {
	501	completion => \&PVE::AccessControl::complete_username,
	502	}),
	503	id => $TFA_ID_SCHEMA,
	504	description => {
	505	type => 'string',
	506	description => 'A description to distinguish multiple entries from one another',
	507	maxLength => 255,
	508	optional => 1,
	509	},
	510	enable => {
	511	type => 'boolean',
	512	description => 'Whether the entry should be enabled for login.',
	513	optional => 1,
	514	},
	515	password => $OPTIONAL_PASSWORD_SCHEMA,
	516	},
	517	},
	518	returns => { type => 'null' },
	519	code => sub {
	520	my ($param) = @_;
	521
	522	PVE::AccessControl::assert_new_tfa_config_available();
	523
	524	my $rpcenv = PVE::RPCEnvironment::get();
	525	my $authuser = $rpcenv->get_user();
	526	my $userid =
	527	root_permission_check($rpcenv, $authuser, $param->{userid}, $param->{password});
	528
	529	PVE::AccessControl::lock_tfa_config(sub {
	530	my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
	531
	532	$tfa_cfg->api_update_tfa_entry(
	533	$userid,
	534	$param->{id},
	535	$param->{description},
	536	$param->{enable},
	537	);
	538
	539	cfs_write_file('priv/tfa.cfg', $tfa_cfg);
	540	});
	541	}});
	542
dc547a13	543	1;