PVE/Auth/Plugin.pm

   1 package PVE::Auth::Plugin;
   2
   3 use strict;
   4 use warnings;
   5 use Encode;
   6 use Digest::SHA;
   7 use PVE::Tools;
   8 use PVE::SectionConfig;
   9 use PVE::JSONSchema qw(get_standard_option);
  10 use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_lock_file);
  11
  12 use Data::Dumper;
  13
  14 use base qw(PVE::SectionConfig);
  15
  16 my $domainconfigfile = "domains.cfg";
  17
  18 cfs_register_file($domainconfigfile,
  19                   sub { __PACKAGE__->parse_config(@_); },
  20                   sub { __PACKAGE__->write_config(@_); });
  21
  22 sub lock_domain_config {
  23     my ($code, $errmsg) = @_;
  24
  25     cfs_lock_file($domainconfigfile, undef, $code);
  26     my $err = $@;
  27     if ($err) {
  28         $errmsg ? die "$errmsg: $err" : die $err;
  29     }
  30 }
  31
  32 my $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/;
  33
  34 PVE::JSONSchema::register_format('pve-realm', \&pve_verify_realm);
  35 sub pve_verify_realm {
  36     my ($realm, $noerr) = @_;
  37
  38     if ($realm !~ m/^${realm_regex}$/) {
  39         return undef if $noerr;
  40         die "value does not look like a valid realm\n";
  41     }
  42     return $realm;
  43 }
  44
  45 PVE::JSONSchema::register_standard_option('realm', {
  46     description => "Authentication domain ID",
  47     type => 'string', format => 'pve-realm',
  48     maxLength => 32,
  49 });
  50
  51 PVE::JSONSchema::register_format('pve-userid', \&verify_username);
  52 sub verify_username {
  53     my ($username, $noerr) = @_;
  54
  55     $username = '' if !$username;
  56     my $len = length($username);
  57     if ($len < 3) {
  58         die "user name '$username' is too short\n" if !$noerr;
  59         return undef;
  60     }
  61     if ($len > 64) {
  62         die "user name '$username' is too long ($len > 64)\n" if !$noerr;
  63         return undef;
  64     }
  65
  66     # we only allow a limited set of characters
  67     # colon is not allowed, because we store usernames in
  68     # colon separated lists)!
  69     # slash is not allowed because it is used as pve API delimiter
  70     # also see "man useradd"
  71     if ($username =~ m!^([^\s:/]+)\@(${realm_regex})$!) {
  72         return wantarray ? ($username, $1, $2) : $username;
  73     }
  74
  75     die "value '$username' does not look like a valid user name\n" if !$noerr;
  76
  77     return undef;
  78 }
  79
  80 PVE::JSONSchema::register_standard_option('userid', {
  81     description => "User ID",
  82     type => 'string', format => 'pve-userid',
  83     maxLength => 64,
  84 });
  85
  86 PVE::JSONSchema::register_format('pve-tfa-config', \&verify_tfa_config);
  87 sub verify_tfa_config {
  88     my ($value, $noerr) = @_;
  89
  90     return $value if parse_tfa_config($value);
  91
  92     return undef if $noerr;
  93
  94     die "unable to parse tfa option\n";
  95 }
  96
  97 PVE::JSONSchema::register_standard_option('tfa', {
  98     description => "Use Two-factor authentication.",
  99     type => 'string', format => 'pve-tfa-config',
 100     optional => 1,
 101     maxLength => 128,
 102 });
 103
 104 sub parse_tfa_config {
 105     my ($data) = @_;
 106
 107     my $res = {};
 108
 109     foreach my $kvp (split(/,/, $data)) {
 110
 111         if ($kvp =~ m/^type=(yubico|oath)$/) {
 112             $res->{type} = $1;
 113         } elsif ($kvp =~ m/^id=(\S+)$/) {
 114             $res->{id} = $1;
 115         } elsif ($kvp =~ m/^key=(\S+)$/) {
 116             $res->{key} = $1;
 117         } elsif ($kvp =~ m/^url=(\S+)$/) {
 118             $res->{url} = $1;
 119         } elsif ($kvp =~ m/^digits=([6|7|8])$/) {
 120             $res->{digits} = $1;
 121         } elsif ($kvp =~ m/^step=([1-9]\d+)$/) {
 122             $res->{step} = $1;
 123         } else {
 124             return undef;
 125         }
 126     }
 127
 128     return undef if !$res->{type};
 129
 130     return $res;
 131 }
 132
 133 my $salt_starter = time();
 134
 135 sub encrypt_pw {
 136     my ($pw) = @_;
 137
 138     $salt_starter++;
 139     my $salt = substr(Digest::SHA::sha1_base64(time() + $salt_starter + $$), 0, 8);
 140
 141     # crypt does not want '+' in salt (see 'man crypt')
 142     $salt =~ s/\+/X/g;
 143
 144     return crypt(encode("utf8", $pw), "\$5\$$salt\$");
 145 }
 146
 147 my $defaultData = {
 148     propertyList => {
 149         type => { description => "Realm type." },
 150         realm => get_standard_option('realm'),
 151     },
 152 };
 153
 154 sub private {
 155     return $defaultData;
 156 }
 157
 158 sub parse_section_header {
 159     my ($class, $line) = @_;
 160
 161     if ($line =~ m/^(\S+):\s*(\S+)\s*$/) {
 162         my ($type, $realm) = (lc($1), $2);
 163         my $errmsg = undef; # set if you want to skip whole section
 164         eval { pve_verify_realm($realm); };
 165         $errmsg = $@ if $@;
 166         my $config = {}; # to return additional attributes
 167         return ($type, $realm, $errmsg, $config);
 168     }
 169     return undef;
 170 }
 171
 172 sub parse_config {
 173     my ($class, $filename, $raw) = @_;
 174
 175     my $cfg = $class->SUPER::parse_config($filename, $raw);
 176
 177     my $default;
 178     foreach my $realm (keys %{$cfg->{ids}}) {
 179         my $data = $cfg->{ids}->{$realm};
 180         # make sure there is only one default marker
 181         if ($data->{default}) {
 182             if ($default) {
 183                 delete $data->{default};
 184             } else {
 185                 $default = $realm;
 186             }
 187         }
 188
 189         if ($data->{comment}) {
 190             $data->{comment} = PVE::Tools::decode_text($data->{comment});
 191         }
 192
 193     }
 194
 195     # add default domains
 196
 197     $cfg->{ids}->{pve}->{type} = 'pve'; # force type
 198     $cfg->{ids}->{pve}->{comment} = "Proxmox VE authentication server"
 199         if !$cfg->{ids}->{pve}->{comment};
 200
 201     $cfg->{ids}->{pam}->{type} = 'pam'; # force type
 202     $cfg->{ids}->{pam}->{plugin} =  'PVE::Auth::PAM';
 203     $cfg->{ids}->{pam}->{comment} = "Linux PAM standard authentication"
 204         if !$cfg->{ids}->{pam}->{comment};
 205
 206     return $cfg;
 207 };
 208
 209 sub write_config {
 210     my ($class, $filename, $cfg) = @_;
 211
 212     foreach my $realm (keys %{$cfg->{ids}}) {
 213         my $data = $cfg->{ids}->{$realm};
 214         if ($data->{comment}) {
 215             $data->{comment} = PVE::Tools::encode_text($data->{comment});
 216         }
 217     }
 218
 219     $class->SUPER::write_config($filename, $cfg);
 220 }
 221
 222 sub authenticate_user {
 223     my ($class, $config, $realm, $username, $password) = @_;
 224
 225     die "overwrite me";
 226 }
 227
 228 sub store_password {
 229     my ($class, $config, $realm, $username, $password) = @_;
 230
 231     my $type = $class->type();
 232
 233     die "can't set password on auth type '$type'\n";
 234 }
 235
 236 sub delete_user {
 237     my ($class, $config, $realm, $username) = @_;
 238
 239     # do nothing by default
 240 }
 241
 242 1;