]>
Commit | Line | Data |
---|---|---|
1 | package PVE::Auth::PVE; | |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | ||
6 | use PVE::Auth::Plugin; | |
7 | use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file); | |
8 | ||
9 | use base qw(PVE::Auth::Plugin); | |
10 | ||
11 | my $shadowconfigfile = "priv/shadow.cfg"; | |
12 | ||
13 | cfs_register_file($shadowconfigfile, | |
14 | \&parse_shadow_passwd, | |
15 | \&write_shadow_config); | |
16 | ||
17 | sub parse_shadow_passwd { | |
18 | my ($filename, $raw) = @_; | |
19 | ||
20 | my $shadow = {}; | |
21 | ||
22 | while ($raw =~ /^\s*(.+?)\s*$/gm) { | |
23 | my $line = $1; | |
24 | ||
25 | if ($line !~ m/^\S+:\S+:$/) { | |
26 | warn "pve shadow password: ignore invalid line $.\n"; | |
27 | next; | |
28 | } | |
29 | ||
30 | my ($userid, $crypt_pass) = split (/:/, $line); | |
31 | $shadow->{users}->{$userid}->{shadow} = $crypt_pass; | |
32 | } | |
33 | ||
34 | return $shadow; | |
35 | } | |
36 | ||
37 | sub write_shadow_config { | |
38 | my ($filename, $cfg) = @_; | |
39 | ||
40 | my $data = ''; | |
41 | foreach my $userid (keys %{$cfg->{users}}) { | |
42 | my $crypt_pass = $cfg->{users}->{$userid}->{shadow}; | |
43 | $data .= "$userid:$crypt_pass:\n"; | |
44 | } | |
45 | ||
46 | return $data | |
47 | } | |
48 | ||
49 | sub lock_shadow_config { | |
50 | my ($code, $errmsg) = @_; | |
51 | ||
52 | cfs_lock_file($shadowconfigfile, undef, $code); | |
53 | my $err = $@; | |
54 | if ($err) { | |
55 | $errmsg ? die "$errmsg: $err" : die $err; | |
56 | } | |
57 | } | |
58 | ||
59 | sub type { | |
60 | return 'pve'; | |
61 | } | |
62 | ||
63 | sub options { | |
64 | return { | |
65 | default => { optional => 1 }, | |
66 | comment => { optional => 1 }, | |
67 | tfa => { optional => 1 }, | |
68 | }; | |
69 | } | |
70 | ||
71 | sub authenticate_user { | |
72 | my ($class, $config, $realm, $username, $password) = @_; | |
73 | ||
74 | die "no password\n" if !$password; | |
75 | ||
76 | my $shadow_cfg = cfs_read_file($shadowconfigfile); | |
77 | ||
78 | if ($shadow_cfg->{users}->{$username}) { | |
79 | my $encpw = crypt($password, $shadow_cfg->{users}->{$username}->{shadow}); | |
80 | die "invalid credentials\n" if ($encpw ne $shadow_cfg->{users}->{$username}->{shadow}); | |
81 | } else { | |
82 | die "no password set\n"; | |
83 | } | |
84 | ||
85 | return 1; | |
86 | } | |
87 | ||
88 | sub store_password { | |
89 | my ($class, $config, $realm, $username, $password) = @_; | |
90 | ||
91 | lock_shadow_config(sub { | |
92 | my $shadow_cfg = cfs_read_file($shadowconfigfile); | |
93 | my $epw = PVE::Auth::Plugin::encrypt_pw($password); | |
94 | $shadow_cfg->{users}->{$username}->{shadow} = $epw; | |
95 | cfs_write_file($shadowconfigfile, $shadow_cfg); | |
96 | }); | |
97 | } | |
98 | ||
99 | sub delete_user { | |
100 | my ($class, $config, $realm, $username) = @_; | |
101 | ||
102 | lock_shadow_config(sub { | |
103 | my $shadow_cfg = cfs_read_file($shadowconfigfile); | |
104 | ||
105 | delete $shadow_cfg->{users}->{$username}; | |
106 | ||
107 | cfs_write_file($shadowconfigfile, $shadow_cfg); | |
108 | }); | |
109 | } | |
110 | ||
111 | 1; |