[pve-access-control.git] / src / PVE / Auth / Plugin.pm

package PVE::Auth::Plugin;

use strict;
use warnings;

use Digest::SHA;
use Encode;

use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_lock_file);
use PVE::JSONSchema qw(get_standard_option);
use PVE::SectionConfig;
use PVE::Tools;

use base qw(PVE::SectionConfig);

my $domainconfigfile = "domains.cfg";

cfs_register_file($domainconfigfile,
		  sub { __PACKAGE__->parse_config(@_); },
		  sub { __PACKAGE__->write_config(@_); });

sub lock_domain_config {
    my ($code, $errmsg) = @_;

    cfs_lock_file($domainconfigfile, undef, $code);
    my $err = $@;
    if ($err) {
	$errmsg ? die "$errmsg: $err" : die $err;
    }
}

our $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/;
our $user_regex = qr![^\s:/]+!;

PVE::JSONSchema::register_format('pve-realm', \&pve_verify_realm);
sub pve_verify_realm {
    my ($realm, $noerr) = @_;

    if ($realm !~ m/^${realm_regex}$/) {
	return undef if $noerr;
	die "value does not look like a valid realm\n";
    }
    return $realm;
}

PVE::JSONSchema::register_standard_option('realm', {
    description => "Authentication domain ID",
    type => 'string', format => 'pve-realm',
    maxLength => 32,
});

my $remove_options = "(?:acl|properties|entry)";

my $realm_sync_options_desc = {
    scope => {
	description => "Select what to sync.",
	type => 'string',
	enum => [qw(users groups both)],
	optional => '1',
    },
    'remove-vanished' => {
	description => "A semicolon-seperated list of things to remove when they or the user"
	    ." vanishes during a sync. The following values are possible: 'entry' removes the"
	    ." user/group when not returned from the sync. 'properties' removes the set"
	    ." properties on existing user/group that do not appear in the source (even custom ones)."
	    ." 'acl' removes acls when the user/group is not returned from the sync."
	    ." Instead of a list it also can be 'none' (the default).",
	type => 'string',
	default => 'none',
	typetext => "([acl];[properties];[entry])|none",
	pattern => "(?:(?:$remove_options\;)*$remove_options)|none",
	optional => '1',
    },
    # TODO check/rewrite in pve7to8, and remove with 8.0
    full => {
	description => "DEPRECATED: use 'remove-vanished' instead. If set, uses the LDAP Directory as source of truth,"
	    ." deleting users or groups not returned from the sync and removing"
	    ." all locally modified properties of synced users. If not set,"
	    ." only syncs information which is present in the synced data, and does not"
	    ." delete or modify anything else.",
	type => 'boolean',
	optional => '1',
    },
    'enable-new' => {
	description => "Enable newly synced users immediately.",
	type => 'boolean',
	default => '1',
	optional => '1',
    },
    purge => {
	description => "DEPRECATED: use 'remove-vanished' instead. Remove ACLs for users or"
	    ." groups which were removed from the config during a sync.",
	type => 'boolean',
	optional => '1',
    },
};
PVE::JSONSchema::register_standard_option('realm-sync-options', $realm_sync_options_desc);
PVE::JSONSchema::register_format('realm-sync-options', $realm_sync_options_desc);

PVE::JSONSchema::register_format('pve-userid', \&verify_username);
sub verify_username {
    my ($username, $noerr) = @_;

    $username = '' if !$username;
    my $len = length($username);
    if ($len < 3) {
	die "user name '$username' is too short\n" if !$noerr;
	return undef;
    }
    if ($len > 64) {
	die "user name '$username' is too long ($len > 64)\n" if !$noerr;
	return undef;
    }

    # we only allow a limited set of characters
    # colon is not allowed, because we store usernames in
    # colon separated lists)!
    # slash is not allowed because it is used as pve API delimiter
    # also see "man useradd"
    if ($username =~ m!^(${user_regex})\@(${realm_regex})$!) {
	return wantarray ? ($username, $1, $2) : $username;
    }

    die "value '$username' does not look like a valid user name\n" if !$noerr;

    return undef;
}

PVE::JSONSchema::register_standard_option('userid', {
    description => "User ID",
    type => 'string', format => 'pve-userid',
    maxLength => 64,
});

my $tfa_format = {
    type => {
        description => "The type of 2nd factor authentication.",
        format_description => 'TFATYPE',
        type => 'string',
        enum => [qw(yubico oath)],
    },
    id => {
        description => "Yubico API ID.",
        format_description => 'ID',
        type => 'string',
        optional => 1,
    },
    key => {
        description => "Yubico API Key.",
        format_description => 'KEY',
        type => 'string',
        optional => 1,
    },
    url => {
        description => "Yubico API URL.",
        format_description => 'URL',
        type => 'string',
        optional => 1,
    },
    digits => {
        description => "TOTP digits.",
        format_description => 'COUNT',
        type => 'integer',
        minimum => 6, maximum => 8,
        default => 6,
        optional => 1,
    },
    step => {
        description => "TOTP time period.",
        format_description => 'SECONDS',
        type => 'integer',
        minimum => 10,
        default => 30,
        optional => 1,
    },
};

PVE::JSONSchema::register_format('pve-tfa-config', $tfa_format);

PVE::JSONSchema::register_standard_option('tfa', {
    description => "Use Two-factor authentication.",
    type => 'string', format => 'pve-tfa-config',
    optional => 1,
    maxLength => 128,
});

sub parse_tfa_config {
    my ($data) = @_;

    return PVE::JSONSchema::parse_property_string($tfa_format, $data);
}

my $defaultData = {
    propertyList => {
	type => { description => "Realm type." },
	realm => get_standard_option('realm'),
    },
};

sub private {
    return $defaultData;
}

sub parse_section_header {
    my ($class, $line) = @_;

    if ($line =~ m/^(\S+):\s*(\S+)\s*$/) {
	my ($type, $realm) = (lc($1), $2);
	my $errmsg = undef; # set if you want to skip whole section
	eval { pve_verify_realm($realm); };
	$errmsg = $@ if $@;
	my $config = {}; # to return additional attributes
	return ($type, $realm, $errmsg, $config);
    }
    return undef;
}

sub parse_config {
    my ($class, $filename, $raw) = @_;

    my $cfg = $class->SUPER::parse_config($filename, $raw);

    my $default;
    foreach my $realm (keys %{$cfg->{ids}}) {
	my $data = $cfg->{ids}->{$realm};
	# make sure there is only one default marker
	if ($data->{default}) {
	    if ($default) {
		delete $data->{default};
	    } else {
		$default = $realm;
	    }
	}

	if ($data->{comment}) {
	    $data->{comment} = PVE::Tools::decode_text($data->{comment});
	}

    }

    # add default domains

    $cfg->{ids}->{pve}->{type} = 'pve'; # force type
    $cfg->{ids}->{pve}->{comment} = "Proxmox VE authentication server"
	if !$cfg->{ids}->{pve}->{comment};

    $cfg->{ids}->{pam}->{type} = 'pam'; # force type
    $cfg->{ids}->{pam}->{plugin} =  'PVE::Auth::PAM';
    $cfg->{ids}->{pam}->{comment} = "Linux PAM standard authentication"
	if !$cfg->{ids}->{pam}->{comment};

    return $cfg;
};

sub write_config {
    my ($class, $filename, $cfg) = @_;

    foreach my $realm (keys %{$cfg->{ids}}) {
	my $data = $cfg->{ids}->{$realm};
	if ($data->{comment}) {
	    $data->{comment} = PVE::Tools::encode_text($data->{comment});
	}
    }

    $class->SUPER::write_config($filename, $cfg);
}

sub authenticate_user {
    my ($class, $config, $realm, $username, $password) = @_;

    die "overwrite me";
}

sub store_password {
    my ($class, $config, $realm, $username, $password) = @_;

    my $type = $class->type();

    die "can't set password on auth type '$type'\n";
}

sub delete_user {
    my ($class, $config, $realm, $username) = @_;

    # do nothing by default
}

# called during addition of realm (before the new domain config got written)
# `password` is moved to %param to avoid writing it out to the config
# die to abort addition if there are (grave) problems
# NOTE: runs in a domain config *locked* context
sub on_add_hook {
    my ($class, $realm, $config, %param) = @_;
    # do nothing by default
}

# called during domain configuration update (before the updated domain config got
# written). `password` is moved to %param to avoid writing it out to the config
# die to abort the update if there are (grave) problems
# NOTE: runs in a domain config *locked* context
sub on_update_hook {
    my ($class, $realm, $config, %param) = @_;
    # do nothing by default
}

# called during deletion of realms (before the new domain config got written)
# and if the activate check on addition fails, to cleanup all storage traces
# which on_add_hook may have created.
# die to abort deletion if there are (very grave) problems
# NOTE: runs in a storage config *locked* context
sub on_delete_hook {
    my ($class, $realm, $config) = @_;
    # do nothing by default
}

1;
Commit	Line	Data
5bb4e06a DM	1	package PVE::Auth::Plugin;
	2
	3	use strict;
	4	use warnings;
b49abe2d	5
5bb4e06a	6	use Digest::SHA;
b49abe2d TL	7	use Encode;
b49abe2d TL	8
5bb4e06a	9	use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_lock_file);
b49abe2d TL	10	use PVE::JSONSchema qw(get_standard_option);
	11	use PVE::SectionConfig;
	12	use PVE::Tools;
5bb4e06a	13
5bb4e06a DM	14	use base qw(PVE::SectionConfig);
	15
	16	my $domainconfigfile = "domains.cfg";
	17
0a6e09fd	18	cfs_register_file($domainconfigfile,
5bb4e06a DM	19	sub { __PACKAGE__->parse_config(@_); },
	20	sub { __PACKAGE__->write_config(@_); });
	21
	22	sub lock_domain_config {
	23	my ($code, $errmsg) = @_;
	24
	25	cfs_lock_file($domainconfigfile, undef, $code);
	26	my $err = $@;
	27	if ($err) {
	28	$errmsg ? die "$errmsg: $err" : die $err;
	29	}
	30	}
	31
8e23f971 FG	32	our $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/;
8e23f971 FG	33	our $user_regex = qr![^\s:/]+!;
5bb4e06a DM	34
	35	PVE::JSONSchema::register_format('pve-realm', \&pve_verify_realm);
	36	sub pve_verify_realm {
	37	my ($realm, $noerr) = @_;
0a6e09fd	38
5bb4e06a DM	39	if ($realm !~ m/^${realm_regex}$/) {
5bb4e06a DM	40	return undef if $noerr;
0a6e09fd	41	die "value does not look like a valid realm\n";
5bb4e06a DM	42	}
	43	return $realm;
	44	}
	45
	46	PVE::JSONSchema::register_standard_option('realm', {
	47	description => "Authentication domain ID",
	48	type => 'string', format => 'pve-realm',
	49	maxLength => 32,
	50	});
	51
98df2ebc DC	52	my $remove_options = "(?:acl\|properties\|entry)";
98df2ebc DC	53
d29d2d4a TL	54	my $realm_sync_options_desc = {
	55	scope => {
	56	description => "Select what to sync.",
	57	type => 'string',
	58	enum => [qw(users groups both)],
	59	optional => '1',
	60	},
98df2ebc DC	61	'remove-vanished' => {
	62	description => "A semicolon-seperated list of things to remove when they or the user"
	63	." vanishes during a sync. The following values are possible: 'entry' removes the"
	64	." user/group when not returned from the sync. 'properties' removes the set"
	65	." properties on existing user/group that do not appear in the source (even custom ones)."
982db929 DC	66	." 'acl' removes acls when the user/group is not returned from the sync."
982db929 DC	67	." Instead of a list it also can be 'none' (the default).",
98df2ebc	68	type => 'string',
982db929 DC	69	default => 'none',
	70	typetext => "([acl];[properties];[entry])\|none",
	71	pattern => "(?:(?:$remove_options\;)*$remove_options)\|none",
98df2ebc DC	72	optional => '1',
	73	},
	74	# TODO check/rewrite in pve7to8, and remove with 8.0
d29d2d4a	75	full => {
98df2ebc DC	76	description => "DEPRECATED: use 'remove-vanished' instead. If set, uses the LDAP Directory as source of truth,"
	77	." deleting users or groups not returned from the sync and removing"
	78	." all locally modified properties of synced users. If not set,"
	79	." only syncs information which is present in the synced data, and does not"
	80	." delete or modify anything else.",
d29d2d4a TL	81	type => 'boolean',
	82	optional => '1',
	83	},
	84	'enable-new' => {
	85	description => "Enable newly synced users immediately.",
	86	type => 'boolean',
	87	default => '1',
	88	optional => '1',
	89	},
	90	purge => {
98df2ebc DC	91	description => "DEPRECATED: use 'remove-vanished' instead. Remove ACLs for users or"
98df2ebc DC	92	." groups which were removed from the config during a sync.",
d29d2d4a TL	93	type => 'boolean',
	94	optional => '1',
	95	},
	96	};
	97	PVE::JSONSchema::register_standard_option('realm-sync-options', $realm_sync_options_desc);
	98	PVE::JSONSchema::register_format('realm-sync-options', $realm_sync_options_desc);
	99
5bb4e06a DM	100	PVE::JSONSchema::register_format('pve-userid', \&verify_username);
	101	sub verify_username {
	102	my ($username, $noerr) = @_;
	103
	104	$username = '' if !$username;
	105	my $len = length($username);
	106	if ($len < 3) {
	107	die "user name '$username' is too short\n" if !$noerr;
	108	return undef;
	109	}
	110	if ($len > 64) {
	111	die "user name '$username' is too long ($len > 64)\n" if !$noerr;
	112	return undef;
	113	}
	114
	115	# we only allow a limited set of characters
0a6e09fd	116	# colon is not allowed, because we store usernames in
5bb4e06a DM	117	# colon separated lists)!
5bb4e06a DM	118	# slash is not allowed because it is used as pve API delimiter
0a6e09fd	119	# also see "man useradd"
8e23f971	120	if ($username =~ m!^(${user_regex})\@(${realm_regex})$!) {
5bb4e06a DM	121	return wantarray ? ($username, $1, $2) : $username;
	122	}
	123
	124	die "value '$username' does not look like a valid user name\n" if !$noerr;
	125
	126	return undef;
	127	}
	128
	129	PVE::JSONSchema::register_standard_option('userid', {
af5d7da7	130	description => "User ID",
5bb4e06a DM	131	type => 'string', format => 'pve-userid',
	132	maxLength => 64,
	133	});
	134
9401be39 WB	135	my $tfa_format = {
	136	type => {
	137	description => "The type of 2nd factor authentication.",
	138	format_description => 'TFATYPE',
	139	type => 'string',
	140	enum => [qw(yubico oath)],
	141	},
	142	id => {
	143	description => "Yubico API ID.",
	144	format_description => 'ID',
	145	type => 'string',
	146	optional => 1,
	147	},
	148	key => {
	149	description => "Yubico API Key.",
	150	format_description => 'KEY',
	151	type => 'string',
	152	optional => 1,
	153	},
	154	url => {
	155	description => "Yubico API URL.",
	156	format_description => 'URL',
	157	type => 'string',
	158	optional => 1,
	159	},
	160	digits => {
	161	description => "TOTP digits.",
	162	format_description => 'COUNT',
	163	type => 'integer',
	164	minimum => 6, maximum => 8,
	165	default => 6,
	166	optional => 1,
	167	},
	168	step => {
	169	description => "TOTP time period.",
	170	format_description => 'SECONDS',
	171	type => 'integer',
	172	minimum => 10,
	173	default => 30,
	174	optional => 1,
	175	},
	176	};
	177
	178	PVE::JSONSchema::register_format('pve-tfa-config', $tfa_format);
96f8ebd6 DM	179
	180	PVE::JSONSchema::register_standard_option('tfa', {
	181	description => "Use Two-factor authentication.",
	182	type => 'string', format => 'pve-tfa-config',
	183	optional => 1,
	184	maxLength => 128,
	185	});
	186
	187	sub parse_tfa_config {
	188	my ($data) = @_;
	189
9401be39	190	return PVE::JSONSchema::parse_property_string($tfa_format, $data);
96f8ebd6 DM	191	}
96f8ebd6 DM	192
5bb4e06a DM	193	my $defaultData = {
	194	propertyList => {
	195	type => { description => "Realm type." },
	196	realm => get_standard_option('realm'),
	197	},
	198	};
	199
	200	sub private {
	201	return $defaultData;
	202	}
	203
	204	sub parse_section_header {
	205	my ($class, $line) = @_;
	206
	207	if ($line =~ m/^(\S+):\s(\S+)\s$/) {
	208	my ($type, $realm) = (lc($1), $2);
	209	my $errmsg = undef; # set if you want to skip whole section
	210	eval { pve_verify_realm($realm); };
	211	$errmsg = $@ if $@;
	212	my $config = {}; # to return additional attributes
	213	return ($type, $realm, $errmsg, $config);
	214	}
	215	return undef;
	216	}
	217
	218	sub parse_config {
	219	my ($class, $filename, $raw) = @_;
	220
	221	my $cfg = $class->SUPER::parse_config($filename, $raw);
	222
	223	my $default;
	224	foreach my $realm (keys %{$cfg->{ids}}) {
	225	my $data = $cfg->{ids}->{$realm};
	226	# make sure there is only one default marker
	227	if ($data->{default}) {
	228	if ($default) {
	229	delete $data->{default};
	230	} else {
	231	$default = $realm;
	232	}
	233	}
	234
	235	if ($data->{comment}) {
	236	$data->{comment} = PVE::Tools::decode_text($data->{comment});
	237	}
	238
	239	}
	240
	241	# add default domains
	242
96f8ebd6 DM	243	$cfg->{ids}->{pve}->{type} = 'pve'; # force type
	244	$cfg->{ids}->{pve}->{comment} = "Proxmox VE authentication server"
	245	if !$cfg->{ids}->{pve}->{comment};
5bb4e06a	246
96f8ebd6 DM	247	$cfg->{ids}->{pam}->{type} = 'pam'; # force type
	248	$cfg->{ids}->{pam}->{plugin} = 'PVE::Auth::PAM';
	249	$cfg->{ids}->{pam}->{comment} = "Linux PAM standard authentication"
	250	if !$cfg->{ids}->{pam}->{comment};
5bb4e06a DM	251
	252	return $cfg;
	253	};
	254
	255	sub write_config {
	256	my ($class, $filename, $cfg) = @_;
	257
5bb4e06a DM	258	foreach my $realm (keys %{$cfg->{ids}}) {
	259	my $data = $cfg->{ids}->{$realm};
	260	if ($data->{comment}) {
	261	$data->{comment} = PVE::Tools::encode_text($data->{comment});
	262	}
	263	}
0a6e09fd	264
5bb4e06a DM	265	$class->SUPER::write_config($filename, $cfg);
	266	}
	267
	268	sub authenticate_user {
	269	my ($class, $config, $realm, $username, $password) = @_;
	270
	271	die "overwrite me";
	272	}
	273
	274	sub store_password {
	275	my ($class, $config, $realm, $username, $password) = @_;
	276
	277	my $type = $class->type();
	278
	279	die "can't set password on auth type '$type'\n";
	280	}
	281
	282	sub delete_user {
	283	my ($class, $config, $realm, $username) = @_;
	284
	285	# do nothing by default
	286	}
	287
89338e4d TL	288	# called during addition of realm (before the new domain config got written)
89338e4d TL	289	# `password` is moved to %param to avoid writing it out to the config
7d23b7ca	290	# die to abort addition if there are (grave) problems
89338e4d TL	291	# NOTE: runs in a domain config locked context
	292	sub on_add_hook {
	293	my ($class, $realm, $config, %param) = @_;
	294	# do nothing by default
	295	}
	296
	297	# called during domain configuration update (before the updated domain config got
	298	# written). `password` is moved to %param to avoid writing it out to the config
	299	# die to abort the update if there are (grave) problems
	300	# NOTE: runs in a domain config locked context
	301	sub on_update_hook {
	302	my ($class, $realm, $config, %param) = @_;
	303	# do nothing by default
	304	}
	305
	306	# called during deletion of realms (before the new domain config got written)
	307	# and if the activate check on addition fails, to cleanup all storage traces
	308	# which on_add_hook may have created.
	309	# die to abort deletion if there are (very grave) problems
	310	# NOTE: runs in a storage config locked context
	311	sub on_delete_hook {
	312	my ($class, $realm, $config) = @_;
	313	# do nothing by default
	314	}
	315
5bb4e06a	316	1;