[pve-access-control.git] / src / PVE / Auth / Plugin.pm

package PVE::Auth::Plugin;

use strict;
use warnings;

use Digest::SHA;
use Encode;

use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_lock_file);
use PVE::JSONSchema qw(get_standard_option);
use PVE::SectionConfig;
use PVE::Tools;

use base qw(PVE::SectionConfig);

my $domainconfigfile = "domains.cfg";

cfs_register_file($domainconfigfile,
		  sub { __PACKAGE__->parse_config(@_); },
		  sub { __PACKAGE__->write_config(@_); });

sub lock_domain_config {
    my ($code, $errmsg) = @_;

    cfs_lock_file($domainconfigfile, undef, $code);
    my $err = $@;
    if ($err) {
	$errmsg ? die "$errmsg: $err" : die $err;
    }
}

our $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/;
our $user_regex = qr![^\s:/]+!;

PVE::JSONSchema::register_format('pve-realm', \&pve_verify_realm);
sub pve_verify_realm {
    my ($realm, $noerr) = @_;

    if ($realm !~ m/^${realm_regex}$/) {
	return undef if $noerr;
	die "value does not look like a valid realm\n";
    }
    return $realm;
}

PVE::JSONSchema::register_standard_option('realm', {
    description => "Authentication domain ID",
    type => 'string', format => 'pve-realm',
    maxLength => 32,
});

my $remove_options = "(?:acl|properties|entry)";

my $realm_sync_options_desc = {
    scope => {
	description => "Select what to sync.",
	type => 'string',
	enum => [qw(users groups both)],
	optional => '1',
    },
    'remove-vanished' => {
	description => "A semicolon-seperated list of things to remove when they or the user"
	    ." vanishes during a sync. The following values are possible: 'entry' removes the"
	    ." user/group when not returned from the sync. 'properties' removes the set"
	    ." properties on existing user/group that do not appear in the source (even custom ones)."
	    ." 'acl' removes acls when the user/group is not returned from the sync.",
	type => 'string',
	typetext => "[acl];[properties];[entry]",
	pattern => "(?:$remove_options\;)*$remove_options",
	optional => '1',
    },
    # TODO check/rewrite in pve7to8, and remove with 8.0
    full => {
	description => "DEPRECATED: use 'remove-vanished' instead. If set, uses the LDAP Directory as source of truth,"
	    ." deleting users or groups not returned from the sync and removing"
	    ." all locally modified properties of synced users. If not set,"
	    ." only syncs information which is present in the synced data, and does not"
	    ." delete or modify anything else.",
	type => 'boolean',
	optional => '1',
    },
    'enable-new' => {
	description => "Enable newly synced users immediately.",
	type => 'boolean',
	default => '1',
	optional => '1',
    },
    purge => {
	description => "DEPRECATED: use 'remove-vanished' instead. Remove ACLs for users or"
	    ." groups which were removed from the config during a sync.",
	type => 'boolean',
	optional => '1',
    },
};
PVE::JSONSchema::register_standard_option('realm-sync-options', $realm_sync_options_desc);
PVE::JSONSchema::register_format('realm-sync-options', $realm_sync_options_desc);

PVE::JSONSchema::register_format('pve-userid', \&verify_username);
sub verify_username {
    my ($username, $noerr) = @_;

    $username = '' if !$username;
    my $len = length($username);
    if ($len < 3) {
	die "user name '$username' is too short\n" if !$noerr;
	return undef;
    }
    if ($len > 64) {
	die "user name '$username' is too long ($len > 64)\n" if !$noerr;
	return undef;
    }

    # we only allow a limited set of characters
    # colon is not allowed, because we store usernames in
    # colon separated lists)!
    # slash is not allowed because it is used as pve API delimiter
    # also see "man useradd"
    if ($username =~ m!^(${user_regex})\@(${realm_regex})$!) {
	return wantarray ? ($username, $1, $2) : $username;
    }

    die "value '$username' does not look like a valid user name\n" if !$noerr;

    return undef;
}

PVE::JSONSchema::register_standard_option('userid', {
    description => "User ID",
    type => 'string', format => 'pve-userid',
    maxLength => 64,
});

my $tfa_format = {
    type => {
        description => "The type of 2nd factor authentication.",
        format_description => 'TFATYPE',
        type => 'string',
        enum => [qw(yubico oath)],
    },
    id => {
        description => "Yubico API ID.",
        format_description => 'ID',
        type => 'string',
        optional => 1,
    },
    key => {
        description => "Yubico API Key.",
        format_description => 'KEY',
        type => 'string',
        optional => 1,
    },
    url => {
        description => "Yubico API URL.",
        format_description => 'URL',
        type => 'string',
        optional => 1,
    },
    digits => {
        description => "TOTP digits.",
        format_description => 'COUNT',
        type => 'integer',
        minimum => 6, maximum => 8,
        default => 6,
        optional => 1,
    },
    step => {
        description => "TOTP time period.",
        format_description => 'SECONDS',
        type => 'integer',
        minimum => 10,
        default => 30,
        optional => 1,
    },
};

PVE::JSONSchema::register_format('pve-tfa-config', $tfa_format);

PVE::JSONSchema::register_standard_option('tfa', {
    description => "Use Two-factor authentication.",
    type => 'string', format => 'pve-tfa-config',
    optional => 1,
    maxLength => 128,
});

sub parse_tfa_config {
    my ($data) = @_;

    return PVE::JSONSchema::parse_property_string($tfa_format, $data);
}

my $defaultData = {
    propertyList => {
	type => { description => "Realm type." },
	realm => get_standard_option('realm'),
    },
};

sub private {
    return $defaultData;
}

sub parse_section_header {
    my ($class, $line) = @_;

    if ($line =~ m/^(\S+):\s*(\S+)\s*$/) {
	my ($type, $realm) = (lc($1), $2);
	my $errmsg = undef; # set if you want to skip whole section
	eval { pve_verify_realm($realm); };
	$errmsg = $@ if $@;
	my $config = {}; # to return additional attributes
	return ($type, $realm, $errmsg, $config);
    }
    return undef;
}

sub parse_config {
    my ($class, $filename, $raw) = @_;

    my $cfg = $class->SUPER::parse_config($filename, $raw);

    my $default;
    foreach my $realm (keys %{$cfg->{ids}}) {
	my $data = $cfg->{ids}->{$realm};
	# make sure there is only one default marker
	if ($data->{default}) {
	    if ($default) {
		delete $data->{default};
	    } else {
		$default = $realm;
	    }
	}

	if ($data->{comment}) {
	    $data->{comment} = PVE::Tools::decode_text($data->{comment});
	}

    }

    # add default domains

    $cfg->{ids}->{pve}->{type} = 'pve'; # force type
    $cfg->{ids}->{pve}->{comment} = "Proxmox VE authentication server"
	if !$cfg->{ids}->{pve}->{comment};

    $cfg->{ids}->{pam}->{type} = 'pam'; # force type
    $cfg->{ids}->{pam}->{plugin} =  'PVE::Auth::PAM';
    $cfg->{ids}->{pam}->{comment} = "Linux PAM standard authentication"
	if !$cfg->{ids}->{pam}->{comment};

    return $cfg;
};

sub write_config {
    my ($class, $filename, $cfg) = @_;

    foreach my $realm (keys %{$cfg->{ids}}) {
	my $data = $cfg->{ids}->{$realm};
	if ($data->{comment}) {
	    $data->{comment} = PVE::Tools::encode_text($data->{comment});
	}
    }

    $class->SUPER::write_config($filename, $cfg);
}

sub authenticate_user {
    my ($class, $config, $realm, $username, $password) = @_;

    die "overwrite me";
}

sub store_password {
    my ($class, $config, $realm, $username, $password) = @_;

    my $type = $class->type();

    die "can't set password on auth type '$type'\n";
}

sub delete_user {
    my ($class, $config, $realm, $username) = @_;

    # do nothing by default
}

# called during addition of realm (before the new domain config got written)
# `password` is moved to %param to avoid writing it out to the config
# die to abort addition if there are (grave) problems
# NOTE: runs in a domain config *locked* context
sub on_add_hook {
    my ($class, $realm, $config, %param) = @_;
    # do nothing by default
}

# called during domain configuration update (before the updated domain config got
# written). `password` is moved to %param to avoid writing it out to the config
# die to abort the update if there are (grave) problems
# NOTE: runs in a domain config *locked* context
sub on_update_hook {
    my ($class, $realm, $config, %param) = @_;
    # do nothing by default
}

# called during deletion of realms (before the new domain config got written)
# and if the activate check on addition fails, to cleanup all storage traces
# which on_add_hook may have created.
# die to abort deletion if there are (very grave) problems
# NOTE: runs in a storage config *locked* context
sub on_delete_hook {
    my ($class, $realm, $config) = @_;
    # do nothing by default
}

1;
Commit	Line	Data
5bb4e06a DM	1	package PVE::Auth::Plugin;
	2
	3	use strict;
	4	use warnings;
b49abe2d	5
5bb4e06a	6	use Digest::SHA;
b49abe2d TL	7	use Encode;
b49abe2d TL	8
5bb4e06a	9	use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_lock_file);
b49abe2d TL	10	use PVE::JSONSchema qw(get_standard_option);
	11	use PVE::SectionConfig;
	12	use PVE::Tools;
5bb4e06a	13
5bb4e06a DM	14	use base qw(PVE::SectionConfig);
	15
	16	my $domainconfigfile = "domains.cfg";
	17
0a6e09fd	18	cfs_register_file($domainconfigfile,
5bb4e06a DM	19	sub { __PACKAGE__->parse_config(@_); },
	20	sub { __PACKAGE__->write_config(@_); });
	21
	22	sub lock_domain_config {
	23	my ($code, $errmsg) = @_;
	24
	25	cfs_lock_file($domainconfigfile, undef, $code);
	26	my $err = $@;
	27	if ($err) {
	28	$errmsg ? die "$errmsg: $err" : die $err;
	29	}
	30	}
	31
8e23f971 FG	32	our $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/;
8e23f971 FG	33	our $user_regex = qr![^\s:/]+!;
5bb4e06a DM	34
	35	PVE::JSONSchema::register_format('pve-realm', \&pve_verify_realm);
	36	sub pve_verify_realm {
	37	my ($realm, $noerr) = @_;
0a6e09fd	38
5bb4e06a DM	39	if ($realm !~ m/^${realm_regex}$/) {
5bb4e06a DM	40	return undef if $noerr;
0a6e09fd	41	die "value does not look like a valid realm\n";
5bb4e06a DM	42	}
	43	return $realm;
	44	}
	45
	46	PVE::JSONSchema::register_standard_option('realm', {
	47	description => "Authentication domain ID",
	48	type => 'string', format => 'pve-realm',
	49	maxLength => 32,
	50	});
	51
98df2ebc DC	52	my $remove_options = "(?:acl\|properties\|entry)";
98df2ebc DC	53
d29d2d4a TL	54	my $realm_sync_options_desc = {
	55	scope => {
	56	description => "Select what to sync.",
	57	type => 'string',
	58	enum => [qw(users groups both)],
	59	optional => '1',
	60	},
98df2ebc DC	61	'remove-vanished' => {
	62	description => "A semicolon-seperated list of things to remove when they or the user"
	63	." vanishes during a sync. The following values are possible: 'entry' removes the"
	64	." user/group when not returned from the sync. 'properties' removes the set"
	65	." properties on existing user/group that do not appear in the source (even custom ones)."
	66	." 'acl' removes acls when the user/group is not returned from the sync.",
	67	type => 'string',
	68	typetext => "[acl];[properties];[entry]",
	69	pattern => "(?:$remove_options\;)*$remove_options",
	70	optional => '1',
	71	},
	72	# TODO check/rewrite in pve7to8, and remove with 8.0
d29d2d4a	73	full => {
98df2ebc DC	74	description => "DEPRECATED: use 'remove-vanished' instead. If set, uses the LDAP Directory as source of truth,"
	75	." deleting users or groups not returned from the sync and removing"
	76	." all locally modified properties of synced users. If not set,"
	77	." only syncs information which is present in the synced data, and does not"
	78	." delete or modify anything else.",
d29d2d4a TL	79	type => 'boolean',
	80	optional => '1',
	81	},
	82	'enable-new' => {
	83	description => "Enable newly synced users immediately.",
	84	type => 'boolean',
	85	default => '1',
	86	optional => '1',
	87	},
	88	purge => {
98df2ebc DC	89	description => "DEPRECATED: use 'remove-vanished' instead. Remove ACLs for users or"
98df2ebc DC	90	." groups which were removed from the config during a sync.",
d29d2d4a TL	91	type => 'boolean',
	92	optional => '1',
	93	},
	94	};
	95	PVE::JSONSchema::register_standard_option('realm-sync-options', $realm_sync_options_desc);
	96	PVE::JSONSchema::register_format('realm-sync-options', $realm_sync_options_desc);
	97
5bb4e06a DM	98	PVE::JSONSchema::register_format('pve-userid', \&verify_username);
	99	sub verify_username {
	100	my ($username, $noerr) = @_;
	101
	102	$username = '' if !$username;
	103	my $len = length($username);
	104	if ($len < 3) {
	105	die "user name '$username' is too short\n" if !$noerr;
	106	return undef;
	107	}
	108	if ($len > 64) {
	109	die "user name '$username' is too long ($len > 64)\n" if !$noerr;
	110	return undef;
	111	}
	112
	113	# we only allow a limited set of characters
0a6e09fd	114	# colon is not allowed, because we store usernames in
5bb4e06a DM	115	# colon separated lists)!
5bb4e06a DM	116	# slash is not allowed because it is used as pve API delimiter
0a6e09fd	117	# also see "man useradd"
8e23f971	118	if ($username =~ m!^(${user_regex})\@(${realm_regex})$!) {
5bb4e06a DM	119	return wantarray ? ($username, $1, $2) : $username;
	120	}
	121
	122	die "value '$username' does not look like a valid user name\n" if !$noerr;
	123
	124	return undef;
	125	}
	126
	127	PVE::JSONSchema::register_standard_option('userid', {
af5d7da7	128	description => "User ID",
5bb4e06a DM	129	type => 'string', format => 'pve-userid',
	130	maxLength => 64,
	131	});
	132
9401be39 WB	133	my $tfa_format = {
	134	type => {
	135	description => "The type of 2nd factor authentication.",
	136	format_description => 'TFATYPE',
	137	type => 'string',
	138	enum => [qw(yubico oath)],
	139	},
	140	id => {
	141	description => "Yubico API ID.",
	142	format_description => 'ID',
	143	type => 'string',
	144	optional => 1,
	145	},
	146	key => {
	147	description => "Yubico API Key.",
	148	format_description => 'KEY',
	149	type => 'string',
	150	optional => 1,
	151	},
	152	url => {
	153	description => "Yubico API URL.",
	154	format_description => 'URL',
	155	type => 'string',
	156	optional => 1,
	157	},
	158	digits => {
	159	description => "TOTP digits.",
	160	format_description => 'COUNT',
	161	type => 'integer',
	162	minimum => 6, maximum => 8,
	163	default => 6,
	164	optional => 1,
	165	},
	166	step => {
	167	description => "TOTP time period.",
	168	format_description => 'SECONDS',
	169	type => 'integer',
	170	minimum => 10,
	171	default => 30,
	172	optional => 1,
	173	},
	174	};
	175
	176	PVE::JSONSchema::register_format('pve-tfa-config', $tfa_format);
96f8ebd6 DM	177
	178	PVE::JSONSchema::register_standard_option('tfa', {
	179	description => "Use Two-factor authentication.",
	180	type => 'string', format => 'pve-tfa-config',
	181	optional => 1,
	182	maxLength => 128,
	183	});
	184
	185	sub parse_tfa_config {
	186	my ($data) = @_;
	187
9401be39	188	return PVE::JSONSchema::parse_property_string($tfa_format, $data);
96f8ebd6 DM	189	}
96f8ebd6 DM	190
5bb4e06a DM	191	my $defaultData = {
	192	propertyList => {
	193	type => { description => "Realm type." },
	194	realm => get_standard_option('realm'),
	195	},
	196	};
	197
	198	sub private {
	199	return $defaultData;
	200	}
	201
	202	sub parse_section_header {
	203	my ($class, $line) = @_;
	204
	205	if ($line =~ m/^(\S+):\s(\S+)\s$/) {
	206	my ($type, $realm) = (lc($1), $2);
	207	my $errmsg = undef; # set if you want to skip whole section
	208	eval { pve_verify_realm($realm); };
	209	$errmsg = $@ if $@;
	210	my $config = {}; # to return additional attributes
	211	return ($type, $realm, $errmsg, $config);
	212	}
	213	return undef;
	214	}
	215
	216	sub parse_config {
	217	my ($class, $filename, $raw) = @_;
	218
	219	my $cfg = $class->SUPER::parse_config($filename, $raw);
	220
	221	my $default;
	222	foreach my $realm (keys %{$cfg->{ids}}) {
	223	my $data = $cfg->{ids}->{$realm};
	224	# make sure there is only one default marker
	225	if ($data->{default}) {
	226	if ($default) {
	227	delete $data->{default};
	228	} else {
	229	$default = $realm;
	230	}
	231	}
	232
	233	if ($data->{comment}) {
	234	$data->{comment} = PVE::Tools::decode_text($data->{comment});
	235	}
	236
	237	}
	238
	239	# add default domains
	240
96f8ebd6 DM	241	$cfg->{ids}->{pve}->{type} = 'pve'; # force type
	242	$cfg->{ids}->{pve}->{comment} = "Proxmox VE authentication server"
	243	if !$cfg->{ids}->{pve}->{comment};
5bb4e06a	244
96f8ebd6 DM	245	$cfg->{ids}->{pam}->{type} = 'pam'; # force type
	246	$cfg->{ids}->{pam}->{plugin} = 'PVE::Auth::PAM';
	247	$cfg->{ids}->{pam}->{comment} = "Linux PAM standard authentication"
	248	if !$cfg->{ids}->{pam}->{comment};
5bb4e06a DM	249
	250	return $cfg;
	251	};
	252
	253	sub write_config {
	254	my ($class, $filename, $cfg) = @_;
	255
5bb4e06a DM	256	foreach my $realm (keys %{$cfg->{ids}}) {
	257	my $data = $cfg->{ids}->{$realm};
	258	if ($data->{comment}) {
	259	$data->{comment} = PVE::Tools::encode_text($data->{comment});
	260	}
	261	}
0a6e09fd	262
5bb4e06a DM	263	$class->SUPER::write_config($filename, $cfg);
	264	}
	265
	266	sub authenticate_user {
	267	my ($class, $config, $realm, $username, $password) = @_;
	268
	269	die "overwrite me";
	270	}
	271
	272	sub store_password {
	273	my ($class, $config, $realm, $username, $password) = @_;
	274
	275	my $type = $class->type();
	276
	277	die "can't set password on auth type '$type'\n";
	278	}
	279
	280	sub delete_user {
	281	my ($class, $config, $realm, $username) = @_;
	282
	283	# do nothing by default
	284	}
	285
89338e4d TL	286	# called during addition of realm (before the new domain config got written)
89338e4d TL	287	# `password` is moved to %param to avoid writing it out to the config
7d23b7ca	288	# die to abort addition if there are (grave) problems
89338e4d TL	289	# NOTE: runs in a domain config locked context
	290	sub on_add_hook {
	291	my ($class, $realm, $config, %param) = @_;
	292	# do nothing by default
	293	}
	294
	295	# called during domain configuration update (before the updated domain config got
	296	# written). `password` is moved to %param to avoid writing it out to the config
	297	# die to abort the update if there are (grave) problems
	298	# NOTE: runs in a domain config locked context
	299	sub on_update_hook {
	300	my ($class, $realm, $config, %param) = @_;
	301	# do nothing by default
	302	}
	303
	304	# called during deletion of realms (before the new domain config got written)
	305	# and if the activate check on addition fails, to cleanup all storage traces
	306	# which on_add_hook may have created.
	307	# die to abort deletion if there are (very grave) problems
	308	# NOTE: runs in a storage config locked context
	309	sub on_delete_hook {
	310	my ($class, $realm, $config) = @_;
	311	# do nothing by default
	312	}
	313
5bb4e06a	314	1;