1 | package PVE::Auth::PVE; | |
2 | ||
3 | use strict; | |
4 | use PVE::Auth::Plugin; | |
5 | use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file); | |
6 | ||
7 | use base qw(PVE::Auth::Plugin); | |
8 | ||
# Path of the shadow password file inside the cluster filesystem. It holds
# one "USERID:CRYPTHASH:" line per user (see parse_shadow_passwd).
my $shadowconfigfile = "priv/shadow.cfg";

# Teach the cluster config layer how to parse and serialise that file, so
# cfs_read_file / cfs_write_file on it go through this module's callbacks.
cfs_register_file(
    $shadowconfigfile,
    \&parse_shadow_passwd,
    \&write_shadow_config,
);
14 | ||
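# Parse the raw contents of priv/shadow.cfg into a config hashref of the
# form { users => { $userid => { shadow => $crypt_hash } } }.
#
# A valid line is "USERID:CRYPTHASH:" -- two non-empty, whitespace-free
# fields followed by a trailing colon. Blank lines are skipped; any other
# line is reported with its 1-based line number and ignored, so one damaged
# entry does not discard the whole file.
#
# Arguments: $filename (unused; cfs_register_file callback convention),
#            $raw (the file contents as one string; may be undef or empty).
# Returns: the config hashref; an empty hashref when nothing was parsed.
sub parse_shadow_passwd {
    my ($filename, $raw) = @_;

    my $shadow = {};

    # an unset or empty file is an empty config, never an error
    return $shadow if !$raw;

    # $. only reflects the last filehandle read, which is unrelated to this
    # string, so the line number for diagnostics is counted here
    my $lineno = 0;
    foreach my $line (split(/\n/, $raw)) {
        $lineno++;

        next if $line =~ m/^\s*$/; # skip empty lines

        if ($line !~ m/^\S+:\S+:$/) {
            warn "pve shadow password: ignore invalid line $lineno\n";
            next;
        }

        my ($userid, $crypt_pass) = split(/:/, $line);
        $shadow->{users}->{$userid}->{shadow} = $crypt_pass;
    }

    return $shadow;
}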
36 | ||
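# Serialise a shadow config hashref (the structure parse_shadow_passwd
# produces) back to the priv/shadow.cfg text format: one
# "USERID:CRYPTHASH:" line per user.
#
# Users are emitted in sorted order so identical input always yields
# identical file contents; the parser does not depend on line order.
#
# Arguments: $filename (unused), $cfg (config hashref; 'users' may be absent).
# Returns: the file contents as a string, '' when there are no users.
sub write_shadow_config {
    my ($filename, $cfg) = @_;

    my $users = $cfg->{users} || {};

    my $data = '';
    foreach my $userid (sort keys %$users) {
        my $crypt_pass = $users->{$userid}->{shadow};
        $data .= "$userid:$crypt_pass:\n";
    }

    return $data;
}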
48 | ||
# Run $code while holding the cluster lock on priv/shadow.cfg.
#
# cfs_lock_file is expected to report a failure (of the locking or of $code)
# through $@ instead of dying itself -- presumably the PVE::Cluster
# convention; confirm against its implementation. Such an error is
# re-thrown here, prefixed with $errmsg when one was supplied.
sub lock_shadow_config {
    my ($code, $errmsg) = @_;

    cfs_lock_file($shadowconfigfile, undef, $code);

    my $err = $@;
    die($errmsg ? "$errmsg: $err" : $err) if $err;
}
58 | ||
# Realm type identifier under which this plugin is registered.
sub type {
    my $realm_type = 'pve';
    return $realm_type;
}
62 | ||
# Schema defaults for this realm's config section: both properties are
# optional.
sub defaults {
    my %schema = (
        default => { optional => 1 },
        comment => { optional => 1 },
    );
    return \%schema;
}
69 | ||
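# Verify $password against the crypt(3) hash stored for $username in
# priv/shadow.cfg.
#
# Arguments: $class, $config and $realm are unused here (plugin interface);
#            $username is the key into the shadow config; $password is the
#            cleartext supplied by the client.
# Returns: 1 on success.
# Dies with "no password\n" when no password was supplied, with
#      "no password set\n" when the user has no usable shadow entry, and with
#      "invalid credentials\n" when the hash does not match.
sub authenticate_user {
    my ($class, $config, $realm, $username, $password) = @_;

    die "no password\n" if !$password;

    my $shadow_cfg = cfs_read_file($shadowconfigfile);

    my $entry = $shadow_cfg->{users}->{$username};
    my $stored = $entry ? $entry->{shadow} : undef;

    # a user record without a hash is treated like a missing one instead of
    # being handed to crypt() as an undef or empty salt
    die "no password set\n" if !defined($stored) || $stored eq '';

    # crypt() yields undef when the stored hash format is unsupported on this
    # system; that must fail closed rather than be compared as ''
    my $encpw = crypt($password, $stored);
    die "invalid credentials\n" if !defined($encpw) || $encpw ne $stored;

    # NOTE(review): the distinct "no password set" / "invalid credentials"
    # messages reveal whether $username has a local password; kept as-is
    # because callers may match on them.

    return 1;
}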
86 | ||
# Set (or replace) the crypt hash for $username in priv/shadow.cfg.
#
# The read-modify-write runs under lock_shadow_config so that concurrent
# updates cannot overwrite each other. Errors from the lock or the update
# propagate from lock_shadow_config.
sub store_password {
    my ($class, $config, $realm, $username, $password) = @_;

    my $update = sub {
        my $shadow_cfg = cfs_read_file($shadowconfigfile);
        my $epw = PVE::Auth::Plugin::encrypt_pw($password);
        $shadow_cfg->{users}->{$username}->{shadow} = $epw;
        cfs_write_file($shadowconfigfile, $shadow_cfg);
    };

    lock_shadow_config($update);
}
97 | ||
# Remove $username's entry from priv/shadow.cfg under the config lock.
# Deleting a user that has no entry simply rewrites the file unchanged.
sub delete_user {
    my ($class, $config, $realm, $username) = @_;

    my $remove = sub {
        my $shadow_cfg = cfs_read_file($shadowconfigfile);
        delete $shadow_cfg->{users}->{$username};
        cfs_write_file($shadowconfigfile, $shadow_cfg);
    };

    lock_shadow_config($remove);
}
109 | ||
1; # a module must end with a true value