[pve-access-control.git] / src / PVE / API2 / TFA.pm

package PVE::API2::TFA;

use strict;
use warnings;

use HTTP::Status qw(:constants);

use PVE::AccessControl;
use PVE::Cluster qw(cfs_read_file cfs_write_file);
use PVE::JSONSchema qw(get_standard_option);
use PVE::Exception qw(raise raise_perm_exc raise_param_exc);
use PVE::RPCEnvironment;

use PVE::API2::AccessControl; # for old login api get_u2f_instance method

use PVE::RESTHandler;

use base qw(PVE::RESTHandler);

my $OPTIONAL_PASSWORD_SCHEMA = {
    description => "The current password.",
    type => 'string',
    optional => 1, # Only required if not root@pam
    minLength => 5,
    maxLength => 64
};

my $TFA_TYPE_SCHEMA = {
    type => 'string',
    description => 'TFA Entry Type.',
    enum => [qw(totp u2f webauthn recovery yubico)],
};

my %TFA_INFO_PROPERTIES = (
    id => {
	type => 'string',
	description => 'The id used to reference this entry.',
    },
    description => {
	type => 'string',
	description => 'User chosen description for this entry.',
    },
    created => {
	type => 'integer',
	description => 'Creation time of this entry as unix epoch.',
    },
    enable => {
	type => 'boolean',
	description => 'Whether this TFA entry is currently enabled.',
	optional => 1,
	default => 1,
    },
);

my $TYPED_TFA_ENTRY_SCHEMA = {
    type => 'object',
    description => 'TFA Entry.',
    properties => {
	type => $TFA_TYPE_SCHEMA,
	%TFA_INFO_PROPERTIES,
    },
};

my $TFA_ID_SCHEMA = {
    type => 'string',
    description => 'A TFA entry id.',
};

my $TFA_UPDATE_INFO_SCHEMA = {
    type => 'object',
    properties => {
	id => {
	    type => 'string',
	    description => 'The id of a newly added TFA entry.',
	},
	challenge => {
	    type => 'string',
	    optional => 1,
	    description =>
		'When adding u2f entries, this contains a challenge the user must respond to in order'
		.' to finish the registration.'
	},
	recovery => {
	    type => 'array',
	    optional => 1,
	    description =>
		'When adding recovery codes, this contains the list of codes to be displayed to'
		.' the user',
	    items => {
		type => 'string',
		description => 'A recovery entry.'
	    },
	},
    },
};

# Only root may modify root, regular users need to specify their password.
#
# Returns the userid returned from `verify_username`.
# Or ($userid, $realm) in list context.
my sub root_permission_check : prototype($$$$) {
    my ($rpcenv, $authuser, $userid, $password) = @_;

    ($userid, undef, my $realm) = PVE::AccessControl::verify_username($userid);
    $rpcenv->check_user_exist($userid);

    raise_perm_exc() if $userid eq 'root@pam' && $authuser ne 'root@pam';

    # Regular users need to confirm their password to change TFA settings.
    if ($authuser ne 'root@pam') {
	raise_param_exc({ 'password' => 'password is required to modify TFA data' })
	    if !defined($password);

	($authuser, my $auth_username, my $auth_realm) =
	    PVE::AccessControl::verify_username($authuser);

	my $domain_cfg = cfs_read_file('domains.cfg');
	my $cfg = $domain_cfg->{ids}->{$auth_realm};
	die "auth domain '$auth_realm' does not exist\n" if !$cfg;
	my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
	$plugin->authenticate_user($cfg, $auth_realm, $auth_username, $password);
    }

    return wantarray ? ($userid, $realm) : $userid;
}

# Set TFA to enabled if $tfa_cfg is passed, or to disabled if $tfa_cfg is undef,
# When enabling we also merge the old user.cfg keys into the $tfa_cfg.
my sub set_user_tfa_enabled : prototype($$$) {
    my ($userid, $realm, $tfa_cfg) = @_;

    PVE::AccessControl::lock_user_config(sub {
	my $user_cfg = cfs_read_file('user.cfg');
	my $user = $user_cfg->{users}->{$userid};
	my $keys = $user->{keys};
	# When enabling, we convert old-old keys,
	# When disabling, we shouldn't actually have old keys anymore, so if they are there,
	# they'll be removed.
	if ($tfa_cfg && $keys && $keys !~ /^x(?:!.*)?$/) {
	    my $domain_cfg = cfs_read_file('domains.cfg');
	    my $realm_cfg = $domain_cfg->{ids}->{$realm};
	    die "auth domain '$realm' does not exist\n" if !$realm_cfg;

	    my $realm_tfa = $realm_cfg->{tfa};
	    $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_tfa) if $realm_tfa;

	    PVE::AccessControl::add_old_keys_to_realm_tfa($userid, $tfa_cfg, $realm_tfa, $keys);
	}
	$user->{keys} = $tfa_cfg ? 'x' : undef;
	cfs_write_file("user.cfg", $user_cfg);
    }, "enabling TFA for the user failed");
}

### OLD API

__PACKAGE__->register_method({
    name => 'verify_tfa',
    path => '',
    method => 'POST',
    permissions => { user => 'all' },
    protected => 1, # else we can't access shadow files
    allowtoken => 0, # we don't want tokens to access TFA information
    description => 'Finish a u2f challenge.',
    parameters => {
	additionalProperties => 0,
	properties => {
	    response => {
		type => 'string',
		description => 'The response to the current authentication challenge.',
	    },
	}
    },
    returns => {
	type => 'object',
	properties => {
	    ticket => { type => 'string' },
	    # cap
	}
    },
    code => sub {
	my ($param) = @_;

	my $rpcenv = PVE::RPCEnvironment::get();
	my $authuser = $rpcenv->get_user();
	my ($username, undef, $realm) = PVE::AccessControl::verify_username($authuser);

	my ($tfa_type, $tfa_data) = PVE::AccessControl::user_get_tfa($username, $realm, 0);
	if (!defined($tfa_type)) {
	    raise('no u2f data available');
	}
	if ($tfa_type eq 'incompatible') {
	    raise('tfa entries incompatible with old login api');
	}

	eval {
	    if ($tfa_type eq 'u2f') {
		my $challenge = $rpcenv->get_u2f_challenge()
		   or raise('no active challenge');

		my $keyHandle = $tfa_data->{keyHandle};
		my $publicKey = $tfa_data->{publicKey};
		raise("incomplete u2f setup")
		    if !defined($keyHandle) || !defined($publicKey);

		my $u2f = PVE::API2::AccessControl::get_u2f_instance($rpcenv, $publicKey, $keyHandle);
		$u2f->set_challenge($challenge);

		my ($counter, $present) = $u2f->auth_verify($param->{response});
		# Do we want to do anything with these?
	    } else {
		# sanity check before handing off to the verification code:
		my $keys = $tfa_data->{keys} or die "missing tfa keys\n";
		my $config = $tfa_data->{config} or die "bad tfa entry\n";
		PVE::AccessControl::verify_one_time_pw($tfa_type, $authuser, $keys, $config, $param->{response});
	    }
	};
	if (my $err = $@) {
	    my $clientip = $rpcenv->get_client_ip() || '';
	    syslog('err', "authentication verification failure; rhost=$clientip user=$authuser msg=$err");
	    die PVE::Exception->new("authentication failure\n", code => 401);
	}

	return {
	    ticket => PVE::AccessControl::assemble_ticket($authuser),
	    cap => $rpcenv->compute_api_permission($authuser),
	}
    }});

### END OLD API

__PACKAGE__->register_method ({
    name => 'list_user_tfa',
    path => '{userid}',
    method => 'GET',
    permissions => {
	check => [ 'or',
	    ['userid-param', 'self'],
	    ['userid-group', ['User.Modify', 'Sys.Audit']],
	],
    },
    protected => 1, # else we can't access shadow files
    allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
    description => 'List TFA configurations of users.',
    parameters => {
	additionalProperties => 0,
	properties => {
	    userid => get_standard_option('userid', {
		completion => \&PVE::AccessControl::complete_username,
	    }),
	}
    },
    returns => {
	description => "A list of the user's TFA entries.",
	type => 'array',
	items => $TYPED_TFA_ENTRY_SCHEMA,
    },
    code => sub {
	my ($param) = @_;
	my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
	return $tfa_cfg->api_list_user_tfa($param->{userid});
    }});

__PACKAGE__->register_method ({
    name => 'get_tfa_entry',
    path => '{userid}/{id}',
    method => 'GET',
    permissions => {
	check => [ 'or',
	    ['userid-param', 'self'],
	    ['userid-group', ['User.Modify', 'Sys.Audit']],
	],
    },
    protected => 1, # else we can't access shadow files
    allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
    description => 'Fetch a requested TFA entry if present.',
    parameters => {
	additionalProperties => 0,
	properties => {
	    userid => get_standard_option('userid', {
		completion => \&PVE::AccessControl::complete_username,
	    }),
	    id => $TFA_ID_SCHEMA,
	}
    },
    returns => $TYPED_TFA_ENTRY_SCHEMA,
    code => sub {
	my ($param) = @_;
	my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
	my $id = $param->{id};
	my $entry = $tfa_cfg->api_get_tfa_entry($param->{userid}, $id);
	raise("No such tfa entry '$id'", code => HTTP::Status::HTTP_NOT_FOUND) if !$entry;
	return $entry;
    }});

__PACKAGE__->register_method ({
    name => 'delete_tfa',
    path => '{userid}/{id}',
    method => 'DELETE',
    permissions => {
	check => [ 'or',
	    ['userid-param', 'self'],
	    ['userid-group', ['User.Modify']],
	],
    },
    protected => 1, # else we can't access shadow files
    allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
    description => 'Delete a TFA entry by ID.',
    parameters => {
	additionalProperties => 0,
	properties => {
	    userid => get_standard_option('userid', {
		completion => \&PVE::AccessControl::complete_username,
	    }),
	    id => $TFA_ID_SCHEMA,
	    password => $OPTIONAL_PASSWORD_SCHEMA,
	}
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::AccessControl::assert_new_tfa_config_available();
	
	my $rpcenv = PVE::RPCEnvironment::get();
	my $authuser = $rpcenv->get_user();
	my $userid =
	    root_permission_check($rpcenv, $authuser, $param->{userid}, $param->{password});

	my $has_entries_left = PVE::AccessControl::lock_tfa_config(sub {
	    my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
	    my $has_entries_left = $tfa_cfg->api_delete_tfa($userid, $param->{id});
	    cfs_write_file('priv/tfa.cfg', $tfa_cfg);
	    return $has_entries_left;
	});
	if (!$has_entries_left) {
	    set_user_tfa_enabled($userid, undef, undef);
	}
    }});

__PACKAGE__->register_method ({
    name => 'list_tfa',
    path => '',
    method => 'GET',
    permissions => {
	description => "Returns all or just the logged-in user, depending on privileges.",
	user => 'all',
    },
    protected => 1, # else we can't access shadow files
    allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
    description => 'List TFA configurations of users.',
    parameters => {
	additionalProperties => 0,
	properties => {}
    },
    returns => {
	description => "The list tuples of user and TFA entries.",
	type => 'array',
	items => {
	    type => 'object',
	    properties => {
		userid => {
		    type => 'string',
		    description => 'User this entry belongs to.',
		},
		entries => {
		    type => 'array',
		    items => $TYPED_TFA_ENTRY_SCHEMA,
		},
	    },
	},
    },
    code => sub {
	my ($param) = @_;

	my $rpcenv = PVE::RPCEnvironment::get();
	my $authuser = $rpcenv->get_user();

	my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
	my $entries = $tfa_cfg->api_list_tfa($authuser, 1);

	my $privs = [ 'User.Modify', 'Sys.Audit' ];
	if ($rpcenv->check_any($authuser, "/access/groups", $privs, 1)) {
	    # can modify all
	    return $entries;
	}

	my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
	my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
	return [
	    grep {
		my $userid = $_->{userid};
		$userid eq $authuser || $allowed_users->{$userid}
	    } $entries->@*
	];
    }});

__PACKAGE__->register_method ({
    name => 'add_tfa_entry',
    path => '{userid}',
    method => 'POST',
    permissions => {
	check => [ 'or',
	    ['userid-param', 'self'],
	    ['userid-group', ['User.Modify']],
	],
    },
    protected => 1, # else we can't access shadow files
    allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
    description => 'Add a TFA entry for a user.',
    parameters => {
	additionalProperties => 0,
	properties => {
	    userid => get_standard_option('userid', {
		completion => \&PVE::AccessControl::complete_username,
	    }),
            type => $TFA_TYPE_SCHEMA,
	    description => {
		type => 'string',
		description => 'A description to distinguish multiple entries from one another',
		maxLength => 255,
		optional => 1,
	    },
	    totp => {
		type => 'string',
		description => "A totp URI.",
		optional => 1,
	    },
	    value => {
		type => 'string',
		description =>
		    'The current value for the provided totp URI, or a Webauthn/U2F'
		    .' challenge response',
		optional => 1,
	    },
	    challenge => {
		type => 'string',
		description => 'When responding to a u2f challenge: the original challenge string',
		optional => 1,
	    },
	    password => $OPTIONAL_PASSWORD_SCHEMA,
	},
    },
    returns => $TFA_UPDATE_INFO_SCHEMA,
    code => sub {
	my ($param) = @_;

	PVE::AccessControl::assert_new_tfa_config_available();

	my $rpcenv = PVE::RPCEnvironment::get();
	my $authuser = $rpcenv->get_user();
	my ($userid, $realm) =
	    root_permission_check($rpcenv, $authuser, $param->{userid}, $param->{password});

	my $type = delete $param->{type};
	my $value = delete $param->{value};
	if ($type eq 'yubico') {
	    $value = validate_yubico_otp($userid, $realm, $value);
	}

	return PVE::AccessControl::lock_tfa_config(sub {
	    my $tfa_cfg = cfs_read_file('priv/tfa.cfg');

	    set_user_tfa_enabled($userid, $realm, $tfa_cfg);

	    PVE::AccessControl::configure_u2f_and_wa($tfa_cfg);

	    my $response = $tfa_cfg->api_add_tfa_entry(
		$userid,
		$param->{description},
		$param->{totp},
		$value,
		$param->{challenge},
		$type,
	    );

	    cfs_write_file('priv/tfa.cfg', $tfa_cfg);

	    return $response;
	});
    }});

sub validate_yubico_otp : prototype($$) {
    my ($userid, $realm, $value) = @_;

    my $domain_cfg = cfs_read_file('domains.cfg');
    my $realm_cfg = $domain_cfg->{ids}->{$realm};
    die "auth domain '$realm' does not exist\n" if !$realm_cfg;

    my $realm_tfa = $realm_cfg->{tfa};
    die "no yubico otp configuration available for realm $realm\n"
	if !$realm_tfa;

    $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_tfa);
    die "realm is not setup for Yubico OTP\n"
	if !$realm_tfa || $realm_tfa->{type} ne 'yubico';

    my $public_key = substr($value, 0, 12);

    PVE::AccessControl::authenticate_yubico_do($value, $public_key, $realm_tfa);

    return $public_key;
}

__PACKAGE__->register_method ({
    name => 'update_tfa_entry',
    path => '{userid}/{id}',
    method => 'PUT',
    permissions => {
	check => [ 'or',
	    ['userid-param', 'self'],
	    ['userid-group', ['User.Modify']],
	],
    },
    protected => 1, # else we can't access shadow files
    allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
    description => 'Add a TFA entry for a user.',
    parameters => {
	additionalProperties => 0,
	properties => {
	    userid => get_standard_option('userid', {
		completion => \&PVE::AccessControl::complete_username,
	    }),
	    id => $TFA_ID_SCHEMA,
	    description => {
		type => 'string',
		description => 'A description to distinguish multiple entries from one another',
		maxLength => 255,
		optional => 1,
	    },
	    enable => {
		type => 'boolean',
		description => 'Whether the entry should be enabled for login.',
		optional => 1,
	    },
	    password => $OPTIONAL_PASSWORD_SCHEMA,
	},
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::AccessControl::assert_new_tfa_config_available();

	my $rpcenv = PVE::RPCEnvironment::get();
	my $authuser = $rpcenv->get_user();
	my $userid =
	    root_permission_check($rpcenv, $authuser, $param->{userid}, $param->{password});

	PVE::AccessControl::lock_tfa_config(sub {
	    my $tfa_cfg = cfs_read_file('priv/tfa.cfg');

	    $tfa_cfg->api_update_tfa_entry(
		$userid,
		$param->{id},
		$param->{description},
		$param->{enable},
	    );

	    cfs_write_file('priv/tfa.cfg', $tfa_cfg);
	});
    }});

1;
Commit	Line	Data
dc547a13 WB	1	package PVE::API2::TFA;
	2
	3	use strict;
	4	use warnings;
	5
b3dae5dd WB	6	use HTTP::Status qw(:constants);
b3dae5dd WB	7
dc547a13	8	use PVE::AccessControl;
07692c72	9	use PVE::Cluster qw(cfs_read_file cfs_write_file);
dc547a13 WB	10	use PVE::JSONSchema qw(get_standard_option);
	11	use PVE::Exception qw(raise raise_perm_exc raise_param_exc);
	12	use PVE::RPCEnvironment;
	13
	14	use PVE::API2::AccessControl; # for old login api get_u2f_instance method
	15
	16	use PVE::RESTHandler;
	17
	18	use base qw(PVE::RESTHandler);
	19
07692c72 WB	20	my $OPTIONAL_PASSWORD_SCHEMA = {
	21	description => "The current password.",
	22	type => 'string',
	23	optional => 1, # Only required if not root@pam
	24	minLength => 5,
	25	maxLength => 64
	26	};
	27
	28	my $TFA_TYPE_SCHEMA = {
	29	type => 'string',
	30	description => 'TFA Entry Type.',
	31	enum => [qw(totp u2f webauthn recovery yubico)],
	32	};
	33
	34	my %TFA_INFO_PROPERTIES = (
	35	id => {
	36	type => 'string',
	37	description => 'The id used to reference this entry.',
	38	},
	39	description => {
	40	type => 'string',
	41	description => 'User chosen description for this entry.',
	42	},
	43	created => {
	44	type => 'integer',
	45	description => 'Creation time of this entry as unix epoch.',
	46	},
	47	enable => {
	48	type => 'boolean',
	49	description => 'Whether this TFA entry is currently enabled.',
	50	optional => 1,
	51	default => 1,
	52	},
	53	);
	54
	55	my $TYPED_TFA_ENTRY_SCHEMA = {
	56	type => 'object',
	57	description => 'TFA Entry.',
	58	properties => {
	59	type => $TFA_TYPE_SCHEMA,
	60	%TFA_INFO_PROPERTIES,
	61	},
	62	};
	63
	64	my $TFA_ID_SCHEMA = {
	65	type => 'string',
	66	description => 'A TFA entry id.',
	67	};
	68
	69	my $TFA_UPDATE_INFO_SCHEMA = {
	70	type => 'object',
	71	properties => {
	72	id => {
	73	type => 'string',
	74	description => 'The id of a newly added TFA entry.',
	75	},
	76	challenge => {
	77	type => 'string',
	78	optional => 1,
	79	description =>
	80	'When adding u2f entries, this contains a challenge the user must respond to in order'
	81	.' to finish the registration.'
	82	},
	83	recovery => {
84	type => 'array',
85	optional => 1,
86	description =>
87	'When adding recovery codes, this contains the list of codes to be displayed to'
88	.' the user',
89	items => {
90	type => 'string',
91	description => 'A recovery entry.'
92	},
93	},
94	},
95	};
96
97	# Only root may modify root, regular users need to specify their password.
98	#
99	# Returns the userid returned from `verify_username`.
100	# Or ($userid, $realm) in list context.
101	my sub root_permission_check : prototype($$$$) {
102	my ($rpcenv, $authuser, $userid, $password) = @_;
103
dd9e95b1	104	($userid, undef, my $realm) = PVE::AccessControl::verify_username($userid);
07692c72 WB	105	$rpcenv->check_user_exist($userid);
	106
	107	raise_perm_exc() if $userid eq 'root@pam' && $authuser ne 'root@pam';
	108
	109	# Regular users need to confirm their password to change TFA settings.
	110	if ($authuser ne 'root@pam') {
	111	raise_param_exc({ 'password' => 'password is required to modify TFA data' })
	112	if !defined($password);
	113
dd9e95b1 WB	114	($authuser, my $auth_username, my $auth_realm) =
	115	PVE::AccessControl::verify_username($authuser);
	116
07692c72	117	my $domain_cfg = cfs_read_file('domains.cfg');
dd9e95b1 WB	118	my $cfg = $domain_cfg->{ids}->{$auth_realm};
dd9e95b1 WB	119	die "auth domain '$auth_realm' does not exist\n" if !$cfg;
07692c72	120	my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
dd9e95b1	121	$plugin->authenticate_user($cfg, $auth_realm, $auth_username, $password);
07692c72 WB	122	}
	123
	124	return wantarray ? ($userid, $realm) : $userid;
	125	}
	126
0fe62fa8 WB	127	# Set TFA to enabled if $tfa_cfg is passed, or to disabled if $tfa_cfg is undef,
	128	# When enabling we also merge the old user.cfg keys into the $tfa_cfg.
	129	my sub set_user_tfa_enabled : prototype($$$) {
	130	my ($userid, $realm, $tfa_cfg) = @_;
c55555ab WB	131
	132	PVE::AccessControl::lock_user_config(sub {
	133	my $user_cfg = cfs_read_file('user.cfg');
	134	my $user = $user_cfg->{users}->{$userid};
	135	my $keys = $user->{keys};
0fe62fa8 WB	136	# When enabling, we convert old-old keys,
	137	# When disabling, we shouldn't actually have old keys anymore, so if they are there,
	138	# they'll be removed.
	139	if ($tfa_cfg && $keys && $keys !~ /^x(?:!.*)?$/) {
	140	my $domain_cfg = cfs_read_file('domains.cfg');
	141	my $realm_cfg = $domain_cfg->{ids}->{$realm};
	142	die "auth domain '$realm' does not exist\n" if !$realm_cfg;
	143
	144	my $realm_tfa = $realm_cfg->{tfa};
	145	$realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_tfa) if $realm_tfa;
	146
	147	PVE::AccessControl::add_old_keys_to_realm_tfa($userid, $tfa_cfg, $realm_tfa, $keys);
c55555ab	148	}
0fe62fa8	149	$user->{keys} = $tfa_cfg ? 'x' : undef;
c55555ab WB	150	cfs_write_file("user.cfg", $user_cfg);
	151	}, "enabling TFA for the user failed");
	152	}
	153
dc547a13 WB	154	### OLD API
	155
	156	__PACKAGE__->register_method({
	157	name => 'verify_tfa',
	158	path => '',
	159	method => 'POST',
	160	permissions => { user => 'all' },
	161	protected => 1, # else we can't access shadow files
	162	allowtoken => 0, # we don't want tokens to access TFA information
	163	description => 'Finish a u2f challenge.',
	164	parameters => {
	165	additionalProperties => 0,
	166	properties => {
	167	response => {
	168	type => 'string',
	169	description => 'The response to the current authentication challenge.',
	170	},
	171	}
	172	},
	173	returns => {
	174	type => 'object',
	175	properties => {
	176	ticket => { type => 'string' },
	177	# cap
	178	}
	179	},
	180	code => sub {
	181	my ($param) = @_;
	182
	183	my $rpcenv = PVE::RPCEnvironment::get();
	184	my $authuser = $rpcenv->get_user();
	185	my ($username, undef, $realm) = PVE::AccessControl::verify_username($authuser);
	186
	187	my ($tfa_type, $tfa_data) = PVE::AccessControl::user_get_tfa($username, $realm, 0);
	188	if (!defined($tfa_type)) {
	189	raise('no u2f data available');
	190	}
93c1d74a WB	191	if ($tfa_type eq 'incompatible') {
	192	raise('tfa entries incompatible with old login api');
	193	}
dc547a13 WB	194
	195	eval {
	196	if ($tfa_type eq 'u2f') {
	197	my $challenge = $rpcenv->get_u2f_challenge()
	198	or raise('no active challenge');
	199
	200	my $keyHandle = $tfa_data->{keyHandle};
	201	my $publicKey = $tfa_data->{publicKey};
	202	raise("incomplete u2f setup")
	203	if !defined($keyHandle) \|\| !defined($publicKey);
	204
	205	my $u2f = PVE::API2::AccessControl::get_u2f_instance($rpcenv, $publicKey, $keyHandle);
	206	$u2f->set_challenge($challenge);
	207
	208	my ($counter, $present) = $u2f->auth_verify($param->{response});
	209	# Do we want to do anything with these?
	210	} else {
	211	# sanity check before handing off to the verification code:
	212	my $keys = $tfa_data->{keys} or die "missing tfa keys\n";
	213	my $config = $tfa_data->{config} or die "bad tfa entry\n";
	214	PVE::AccessControl::verify_one_time_pw($tfa_type, $authuser, $keys, $config, $param->{response});
	215	}
	216	};
	217	if (my $err = $@) {
	218	my $clientip = $rpcenv->get_client_ip() \|\| '';
	219	syslog('err', "authentication verification failure; rhost=$clientip user=$authuser msg=$err");
	220	die PVE::Exception->new("authentication failure\n", code => 401);
	221	}
	222
	223	return {
	224	ticket => PVE::AccessControl::assemble_ticket($authuser),
	225	cap => $rpcenv->compute_api_permission($authuser),
	226	}
	227	}});
	228
	229	### END OLD API
	230
dc547a13 WB	231	__PACKAGE__->register_method ({
	232	name => 'list_user_tfa',
	233	path => '{userid}',
	234	method => 'GET',
	235	permissions => {
	236	check => [ 'or',
	237	['userid-param', 'self'],
	238	['userid-group', ['User.Modify', 'Sys.Audit']],
	239	],
	240	},
	241	protected => 1, # else we can't access shadow files
	242	allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
	243	description => 'List TFA configurations of users.',
	244	parameters => {
	245	additionalProperties => 0,
	246	properties => {
	247	userid => get_standard_option('userid', {
	248	completion => \&PVE::AccessControl::complete_username,
	249	}),
	250	}
	251	},
	252	returns => {
	253	description => "A list of the user's TFA entries.",
	254	type => 'array',
	255	items => $TYPED_TFA_ENTRY_SCHEMA,
	256	},
	257	code => sub {
	258	my ($param) = @_;
	259	my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
	260	return $tfa_cfg->api_list_user_tfa($param->{userid});
	261	}});
	262
	263	__PACKAGE__->register_method ({
	264	name => 'get_tfa_entry',
	265	path => '{userid}/{id}',
	266	method => 'GET',
	267	permissions => {
	268	check => [ 'or',
	269	['userid-param', 'self'],
	270	['userid-group', ['User.Modify', 'Sys.Audit']],
	271	],
	272	},
	273	protected => 1, # else we can't access shadow files
	274	allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
07692c72	275	description => 'Fetch a requested TFA entry if present.',
dc547a13 WB	276	parameters => {
	277	additionalProperties => 0,
	278	properties => {
	279	userid => get_standard_option('userid', {
	280	completion => \&PVE::AccessControl::complete_username,
	281	}),
	282	id => $TFA_ID_SCHEMA,
	283	}
	284	},
	285	returns => $TYPED_TFA_ENTRY_SCHEMA,
	286	code => sub {
	287	my ($param) = @_;
	288	my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
07692c72 WB	289	my $id = $param->{id};
07692c72 WB	290	my $entry = $tfa_cfg->api_get_tfa_entry($param->{userid}, $id);
b3dae5dd	291	raise("No such tfa entry '$id'", code => HTTP::Status::HTTP_NOT_FOUND) if !$entry;
07692c72 WB	292	return $entry;
	293	}});
	294
	295	__PACKAGE__->register_method ({
	296	name => 'delete_tfa',
	297	path => '{userid}/{id}',
	298	method => 'DELETE',
	299	permissions => {
	300	check => [ 'or',
	301	['userid-param', 'self'],
	302	['userid-group', ['User.Modify']],
	303	],
	304	},
	305	protected => 1, # else we can't access shadow files
	306	allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
	307	description => 'Delete a TFA entry by ID.',
	308	parameters => {
	309	additionalProperties => 0,
	310	properties => {
	311	userid => get_standard_option('userid', {
	312	completion => \&PVE::AccessControl::complete_username,
	313	}),
	314	id => $TFA_ID_SCHEMA,
	315	password => $OPTIONAL_PASSWORD_SCHEMA,
	316	}
	317	},
	318	returns => { type => 'null' },
	319	code => sub {
	320	my ($param) = @_;
	321
	322	PVE::AccessControl::assert_new_tfa_config_available();
	323
	324	my $rpcenv = PVE::RPCEnvironment::get();
	325	my $authuser = $rpcenv->get_user();
	326	my $userid =
	327	root_permission_check($rpcenv, $authuser, $param->{userid}, $param->{password});
	328
c55555ab	329	my $has_entries_left = PVE::AccessControl::lock_tfa_config(sub {
07692c72	330	my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
c55555ab	331	my $has_entries_left = $tfa_cfg->api_delete_tfa($userid, $param->{id});
07692c72	332	cfs_write_file('priv/tfa.cfg', $tfa_cfg);
c55555ab	333	return $has_entries_left;
07692c72	334	});
c55555ab	335	if (!$has_entries_left) {
0fe62fa8	336	set_user_tfa_enabled($userid, undef, undef);
c55555ab	337	}
dc547a13 WB	338	}});
	339
	340	__PACKAGE__->register_method ({
	341	name => 'list_tfa',
	342	path => '',
	343	method => 'GET',
	344	permissions => {
	345	description => "Returns all or just the logged-in user, depending on privileges.",
	346	user => 'all',
	347	},
	348	protected => 1, # else we can't access shadow files
	349	allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
	350	description => 'List TFA configurations of users.',
	351	parameters => {
	352	additionalProperties => 0,
	353	properties => {}
	354	},
	355	returns => {
	356	description => "The list tuples of user and TFA entries.",
	357	type => 'array',
	358	items => {
	359	type => 'object',
	360	properties => {
	361	userid => {
	362	type => 'string',
	363	description => 'User this entry belongs to.',
	364	},
	365	entries => {
	366	type => 'array',
	367	items => $TYPED_TFA_ENTRY_SCHEMA,
	368	},
	369	},
	370	},
	371	},
	372	code => sub {
	373	my ($param) = @_;
	374
	375	my $rpcenv = PVE::RPCEnvironment::get();
	376	my $authuser = $rpcenv->get_user();
dc547a13 WB	377
dc547a13 WB	378	my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
dc7ef240 WB	379	my $entries = $tfa_cfg->api_list_tfa($authuser, 1);
	380
	381	my $privs = [ 'User.Modify', 'Sys.Audit' ];
	382	if ($rpcenv->check_any($authuser, "/access/groups", $privs, 1)) {
	383	# can modify all
	384	return $entries;
	385	}
	386
	387	my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
	388	my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
	389	return [
	390	grep {
	391	my $userid = $_->{userid};
	392	$userid eq $authuser \|\| $allowed_users->{$userid}
	393	} $entries->@*
	394	];
dc547a13 WB	395	}});
dc547a13 WB	396
07692c72 WB	397	__PACKAGE__->register_method ({
	398	name => 'add_tfa_entry',
	399	path => '{userid}',
	400	method => 'POST',
	401	permissions => {
	402	check => [ 'or',
	403	['userid-param', 'self'],
	404	['userid-group', ['User.Modify']],
	405	],
	406	},
	407	protected => 1, # else we can't access shadow files
	408	allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
	409	description => 'Add a TFA entry for a user.',
	410	parameters => {
	411	additionalProperties => 0,
	412	properties => {
	413	userid => get_standard_option('userid', {
	414	completion => \&PVE::AccessControl::complete_username,
	415	}),
	416	type => $TFA_TYPE_SCHEMA,
	417	description => {
	418	type => 'string',
	419	description => 'A description to distinguish multiple entries from one another',
	420	maxLength => 255,
	421	optional => 1,
	422	},
	423	totp => {
	424	type => 'string',
	425	description => "A totp URI.",
	426	optional => 1,
	427	},
	428	value => {
	429	type => 'string',
	430	description =>
	431	'The current value for the provided totp URI, or a Webauthn/U2F'
	432	.' challenge response',
	433	optional => 1,
	434	},
	435	challenge => {
	436	type => 'string',
	437	description => 'When responding to a u2f challenge: the original challenge string',
	438	optional => 1,
	439	},
	440	password => $OPTIONAL_PASSWORD_SCHEMA,
	441	},
	442	},
	443	returns => $TFA_UPDATE_INFO_SCHEMA,
	444	code => sub {
	445	my ($param) = @_;
	446
	447	PVE::AccessControl::assert_new_tfa_config_available();
	448
	449	my $rpcenv = PVE::RPCEnvironment::get();
	450	my $authuser = $rpcenv->get_user();
8c1e3ab3	451	my ($userid, $realm) =
07692c72 WB	452	root_permission_check($rpcenv, $authuser, $param->{userid}, $param->{password});
07692c72 WB	453
8c1e3ab3 WB	454	my $type = delete $param->{type};
	455	my $value = delete $param->{value};
	456	if ($type eq 'yubico') {
	457	$value = validate_yubico_otp($userid, $realm, $value);
	458	}
	459
07692c72 WB	460	return PVE::AccessControl::lock_tfa_config(sub {
07692c72 WB	461	my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
0fe62fa8 WB	462
	463	set_user_tfa_enabled($userid, $realm, $tfa_cfg);
	464
07692c72 WB	465	PVE::AccessControl::configure_u2f_and_wa($tfa_cfg);
	466
	467	my $response = $tfa_cfg->api_add_tfa_entry(
	468	$userid,
	469	$param->{description},
	470	$param->{totp},
8c1e3ab3	471	$value,
07692c72	472	$param->{challenge},
8c1e3ab3	473	$type,
07692c72 WB	474	);
	475
	476	cfs_write_file('priv/tfa.cfg', $tfa_cfg);
	477
	478	return $response;
	479	});
	480	}});
	481
8c1e3ab3 WB	482	sub validate_yubico_otp : prototype($$) {
	483	my ($userid, $realm, $value) = @_;
	484
	485	my $domain_cfg = cfs_read_file('domains.cfg');
	486	my $realm_cfg = $domain_cfg->{ids}->{$realm};
	487	die "auth domain '$realm' does not exist\n" if !$realm_cfg;
	488
	489	my $realm_tfa = $realm_cfg->{tfa};
	490	die "no yubico otp configuration available for realm $realm\n"
	491	if !$realm_tfa;
	492
	493	$realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_tfa);
	494	die "realm is not setup for Yubico OTP\n"
	495	if !$realm_tfa \|\| $realm_tfa->{type} ne 'yubico';
	496
	497	my $public_key = substr($value, 0, 12);
	498
	499	PVE::AccessControl::authenticate_yubico_do($value, $public_key, $realm_tfa);
	500
	501	return $public_key;
	502	}
	503
07692c72 WB	504	__PACKAGE__->register_method ({
	505	name => 'update_tfa_entry',
	506	path => '{userid}/{id}',
	507	method => 'PUT',
	508	permissions => {
	509	check => [ 'or',
	510	['userid-param', 'self'],
	511	['userid-group', ['User.Modify']],
	512	],
	513	},
	514	protected => 1, # else we can't access shadow files
	515	allowtoken => 0, # we don't want tokens to change the regular user's TFA settings
	516	description => 'Add a TFA entry for a user.',
	517	parameters => {
	518	additionalProperties => 0,
	519	properties => {
	520	userid => get_standard_option('userid', {
	521	completion => \&PVE::AccessControl::complete_username,
	522	}),
	523	id => $TFA_ID_SCHEMA,
	524	description => {
	525	type => 'string',
	526	description => 'A description to distinguish multiple entries from one another',
	527	maxLength => 255,
	528	optional => 1,
	529	},
	530	enable => {
	531	type => 'boolean',
	532	description => 'Whether the entry should be enabled for login.',
	533	optional => 1,
	534	},
	535	password => $OPTIONAL_PASSWORD_SCHEMA,
	536	},
	537	},
	538	returns => { type => 'null' },
	539	code => sub {
	540	my ($param) = @_;
	541
	542	PVE::AccessControl::assert_new_tfa_config_available();
	543
	544	my $rpcenv = PVE::RPCEnvironment::get();
	545	my $authuser = $rpcenv->get_user();
	546	my $userid =
	547	root_permission_check($rpcenv, $authuser, $param->{userid}, $param->{password});
	548
	549	PVE::AccessControl::lock_tfa_config(sub {
	550	my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
	551
	552	$tfa_cfg->api_update_tfa_entry(
	553	$userid,
	554	$param->{id},
	555	$param->{description},
	556	$param->{enable},
	557	);
	558
	559	cfs_write_file('priv/tfa.cfg', $tfa_cfg);
	560	});
	561	}});
	562
dc547a13	563	1;