PVE/Auth/Plugin.pm

   1 package PVE::Auth::Plugin;
   2
   3 use strict;
   4 use warnings;
   5 use Encode;
   6 use Digest::SHA;
   7 use PVE::Tools;
   8 use PVE::SectionConfig;
   9 use PVE::JSONSchema qw(get_standard_option);
  10 use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_lock_file);
  11
  12 use base qw(PVE::SectionConfig);
  13
  14 my $domainconfigfile = "domains.cfg";
  15
  16 cfs_register_file($domainconfigfile,
  17                   sub { __PACKAGE__->parse_config(@_); },
  18                   sub { __PACKAGE__->write_config(@_); });
  19
  20 sub lock_domain_config {
  21     my ($code, $errmsg) = @_;
  22
  23     cfs_lock_file($domainconfigfile, undef, $code);
  24     my $err = $@;
  25     if ($err) {
  26         $errmsg ? die "$errmsg: $err" : die $err;
  27     }
  28 }
  29
  30 my $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/;
  31
  32 PVE::JSONSchema::register_format('pve-realm', \&pve_verify_realm);
  33 sub pve_verify_realm {
  34     my ($realm, $noerr) = @_;
  35
  36     if ($realm !~ m/^${realm_regex}$/) {
  37         return undef if $noerr;
  38         die "value does not look like a valid realm\n";
  39     }
  40     return $realm;
  41 }
  42
  43 PVE::JSONSchema::register_standard_option('realm', {
  44     description => "Authentication domain ID",
  45     type => 'string', format => 'pve-realm',
  46     maxLength => 32,
  47 });
  48
  49 PVE::JSONSchema::register_format('pve-userid', \&verify_username);
  50 sub verify_username {
  51     my ($username, $noerr) = @_;
  52
  53     $username = '' if !$username;
  54     my $len = length($username);
  55     if ($len < 3) {
  56         die "user name '$username' is too short\n" if !$noerr;
  57         return undef;
  58     }
  59     if ($len > 64) {
  60         die "user name '$username' is too long ($len > 64)\n" if !$noerr;
  61         return undef;
  62     }
  63
  64     # we only allow a limited set of characters
  65     # colon is not allowed, because we store usernames in
  66     # colon separated lists)!
  67     # slash is not allowed because it is used as pve API delimiter
  68     # also see "man useradd"
  69     if ($username =~ m!^([^\s:/]+)\@(${realm_regex})$!) {
  70         return wantarray ? ($username, $1, $2) : $username;
  71     }
  72
  73     die "value '$username' does not look like a valid user name\n" if !$noerr;
  74
  75     return undef;
  76 }
  77
  78 PVE::JSONSchema::register_standard_option('userid', {
  79     description => "User ID",
  80     type => 'string', format => 'pve-userid',
  81     maxLength => 64,
  82 });
  83
  84 my $tfa_format = {
  85     type => {
  86         description => "The type of 2nd factor authentication.",
  87         format_description => 'TFATYPE',
  88         type => 'string',
  89         enum => [qw(yubico oath)],
  90     },
  91     id => {
  92         description => "Yubico API ID.",
  93         format_description => 'ID',
  94         type => 'string',
  95         optional => 1,
  96     },
  97     key => {
  98         description => "Yubico API Key.",
  99         format_description => 'KEY',
 100         type => 'string',
 101         optional => 1,
 102     },
 103     url => {
 104         description => "Yubico API URL.",
 105         format_description => 'URL',
 106         type => 'string',
 107         optional => 1,
 108     },
 109     digits => {
 110         description => "TOTP digits.",
 111         format_description => 'COUNT',
 112         type => 'integer',
 113         minimum => 6, maximum => 8,
 114         default => 6,
 115         optional => 1,
 116     },
 117     step => {
 118         description => "TOTP time period.",
 119         format_description => 'SECONDS',
 120         type => 'integer',
 121         minimum => 10,
 122         default => 30,
 123         optional => 1,
 124     },
 125 };
 126
 127 PVE::JSONSchema::register_format('pve-tfa-config', $tfa_format);
 128
 129 PVE::JSONSchema::register_standard_option('tfa', {
 130     description => "Use Two-factor authentication.",
 131     type => 'string', format => 'pve-tfa-config',
 132     optional => 1,
 133     maxLength => 128,
 134 });
 135
 136 sub parse_tfa_config {
 137     my ($data) = @_;
 138
 139     return PVE::JSONSchema::parse_property_string($tfa_format, $data);
 140 }
 141
 142 my $defaultData = {
 143     propertyList => {
 144         type => { description => "Realm type." },
 145         realm => get_standard_option('realm'),
 146     },
 147 };
 148
 149 sub private {
 150     return $defaultData;
 151 }
 152
 153 sub parse_section_header {
 154     my ($class, $line) = @_;
 155
 156     if ($line =~ m/^(\S+):\s*(\S+)\s*$/) {
 157         my ($type, $realm) = (lc($1), $2);
 158         my $errmsg = undef; # set if you want to skip whole section
 159         eval { pve_verify_realm($realm); };
 160         $errmsg = $@ if $@;
 161         my $config = {}; # to return additional attributes
 162         return ($type, $realm, $errmsg, $config);
 163     }
 164     return undef;
 165 }
 166
 167 sub parse_config {
 168     my ($class, $filename, $raw) = @_;
 169
 170     my $cfg = $class->SUPER::parse_config($filename, $raw);
 171
 172     my $default;
 173     foreach my $realm (keys %{$cfg->{ids}}) {
 174         my $data = $cfg->{ids}->{$realm};
 175         # make sure there is only one default marker
 176         if ($data->{default}) {
 177             if ($default) {
 178                 delete $data->{default};
 179             } else {
 180                 $default = $realm;
 181             }
 182         }
 183
 184         if ($data->{comment}) {
 185             $data->{comment} = PVE::Tools::decode_text($data->{comment});
 186         }
 187
 188     }
 189
 190     # add default domains
 191
 192     $cfg->{ids}->{pve}->{type} = 'pve'; # force type
 193     $cfg->{ids}->{pve}->{comment} = "Proxmox VE authentication server"
 194         if !$cfg->{ids}->{pve}->{comment};
 195
 196     $cfg->{ids}->{pam}->{type} = 'pam'; # force type
 197     $cfg->{ids}->{pam}->{plugin} =  'PVE::Auth::PAM';
 198     $cfg->{ids}->{pam}->{comment} = "Linux PAM standard authentication"
 199         if !$cfg->{ids}->{pam}->{comment};
 200
 201     return $cfg;
 202 };
 203
 204 sub write_config {
 205     my ($class, $filename, $cfg) = @_;
 206
 207     foreach my $realm (keys %{$cfg->{ids}}) {
 208         my $data = $cfg->{ids}->{$realm};
 209         if ($data->{comment}) {
 210             $data->{comment} = PVE::Tools::encode_text($data->{comment});
 211         }
 212     }
 213
 214     $class->SUPER::write_config($filename, $cfg);
 215 }
 216
 217 sub authenticate_user {
 218     my ($class, $config, $realm, $username, $password) = @_;
 219
 220     die "overwrite me";
 221 }
 222
 223 sub store_password {
 224     my ($class, $config, $realm, $username, $password) = @_;
 225
 226     my $type = $class->type();
 227
 228     die "can't set password on auth type '$type'\n";
 229 }
 230
 231 sub delete_user {
 232     my ($class, $config, $realm, $username) = @_;
 233
 234     # do nothing by default
 235 }
 236
 237 1;