PVE/Auth/Plugin.pm

   1 package PVE::Auth::Plugin;
   2
   3 use strict;
   4 use warnings;
   5 use Encode;
   6 use Digest::SHA;
   7 use PVE::Tools;
   8 use PVE::SectionConfig;
   9 use PVE::JSONSchema qw(get_standard_option);
  10 use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_lock_file);
  11
  12 use base qw(PVE::SectionConfig);
  13
  14 my $domainconfigfile = "domains.cfg";
  15
  16 cfs_register_file($domainconfigfile,
  17                   sub { __PACKAGE__->parse_config(@_); },
  18                   sub { __PACKAGE__->write_config(@_); });
  19
  20 sub lock_domain_config {
  21     my ($code, $errmsg) = @_;
  22
  23     cfs_lock_file($domainconfigfile, undef, $code);
  24     my $err = $@;
  25     if ($err) {
  26         $errmsg ? die "$errmsg: $err" : die $err;
  27     }
  28 }
  29
  30 our $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/;
  31 our $user_regex = qr![^\s:/]+!;
  32
  33 PVE::JSONSchema::register_format('pve-realm', \&pve_verify_realm);
  34 sub pve_verify_realm {
  35     my ($realm, $noerr) = @_;
  36
  37     if ($realm !~ m/^${realm_regex}$/) {
  38         return undef if $noerr;
  39         die "value does not look like a valid realm\n";
  40     }
  41     return $realm;
  42 }
  43
  44 PVE::JSONSchema::register_standard_option('realm', {
  45     description => "Authentication domain ID",
  46     type => 'string', format => 'pve-realm',
  47     maxLength => 32,
  48 });
  49
  50 PVE::JSONSchema::register_format('pve-userid', \&verify_username);
  51 sub verify_username {
  52     my ($username, $noerr) = @_;
  53
  54     $username = '' if !$username;
  55     my $len = length($username);
  56     if ($len < 3) {
  57         die "user name '$username' is too short\n" if !$noerr;
  58         return undef;
  59     }
  60     if ($len > 64) {
  61         die "user name '$username' is too long ($len > 64)\n" if !$noerr;
  62         return undef;
  63     }
  64
  65     # we only allow a limited set of characters
  66     # colon is not allowed, because we store usernames in
  67     # colon separated lists)!
  68     # slash is not allowed because it is used as pve API delimiter
  69     # also see "man useradd"
  70     if ($username =~ m!^(${user_regex})\@(${realm_regex})$!) {
  71         return wantarray ? ($username, $1, $2) : $username;
  72     }
  73
  74     die "value '$username' does not look like a valid user name\n" if !$noerr;
  75
  76     return undef;
  77 }
  78
  79 PVE::JSONSchema::register_standard_option('userid', {
  80     description => "User ID",
  81     type => 'string', format => 'pve-userid',
  82     maxLength => 64,
  83 });
  84
  85 my $tfa_format = {
  86     type => {
  87         description => "The type of 2nd factor authentication.",
  88         format_description => 'TFATYPE',
  89         type => 'string',
  90         enum => [qw(yubico oath)],
  91     },
  92     id => {
  93         description => "Yubico API ID.",
  94         format_description => 'ID',
  95         type => 'string',
  96         optional => 1,
  97     },
  98     key => {
  99         description => "Yubico API Key.",
 100         format_description => 'KEY',
 101         type => 'string',
 102         optional => 1,
 103     },
 104     url => {
 105         description => "Yubico API URL.",
 106         format_description => 'URL',
 107         type => 'string',
 108         optional => 1,
 109     },
 110     digits => {
 111         description => "TOTP digits.",
 112         format_description => 'COUNT',
 113         type => 'integer',
 114         minimum => 6, maximum => 8,
 115         default => 6,
 116         optional => 1,
 117     },
 118     step => {
 119         description => "TOTP time period.",
 120         format_description => 'SECONDS',
 121         type => 'integer',
 122         minimum => 10,
 123         default => 30,
 124         optional => 1,
 125     },
 126 };
 127
 128 PVE::JSONSchema::register_format('pve-tfa-config', $tfa_format);
 129
 130 PVE::JSONSchema::register_standard_option('tfa', {
 131     description => "Use Two-factor authentication.",
 132     type => 'string', format => 'pve-tfa-config',
 133     optional => 1,
 134     maxLength => 128,
 135 });
 136
 137 sub parse_tfa_config {
 138     my ($data) = @_;
 139
 140     return PVE::JSONSchema::parse_property_string($tfa_format, $data);
 141 }
 142
 143 my $defaultData = {
 144     propertyList => {
 145         type => { description => "Realm type." },
 146         realm => get_standard_option('realm'),
 147     },
 148 };
 149
 150 sub private {
 151     return $defaultData;
 152 }
 153
 154 sub parse_section_header {
 155     my ($class, $line) = @_;
 156
 157     if ($line =~ m/^(\S+):\s*(\S+)\s*$/) {
 158         my ($type, $realm) = (lc($1), $2);
 159         my $errmsg = undef; # set if you want to skip whole section
 160         eval { pve_verify_realm($realm); };
 161         $errmsg = $@ if $@;
 162         my $config = {}; # to return additional attributes
 163         return ($type, $realm, $errmsg, $config);
 164     }
 165     return undef;
 166 }
 167
 168 sub parse_config {
 169     my ($class, $filename, $raw) = @_;
 170
 171     my $cfg = $class->SUPER::parse_config($filename, $raw);
 172
 173     my $default;
 174     foreach my $realm (keys %{$cfg->{ids}}) {
 175         my $data = $cfg->{ids}->{$realm};
 176         # make sure there is only one default marker
 177         if ($data->{default}) {
 178             if ($default) {
 179                 delete $data->{default};
 180             } else {
 181                 $default = $realm;
 182             }
 183         }
 184
 185         if ($data->{comment}) {
 186             $data->{comment} = PVE::Tools::decode_text($data->{comment});
 187         }
 188
 189     }
 190
 191     # add default domains
 192
 193     $cfg->{ids}->{pve}->{type} = 'pve'; # force type
 194     $cfg->{ids}->{pve}->{comment} = "Proxmox VE authentication server"
 195         if !$cfg->{ids}->{pve}->{comment};
 196
 197     $cfg->{ids}->{pam}->{type} = 'pam'; # force type
 198     $cfg->{ids}->{pam}->{plugin} =  'PVE::Auth::PAM';
 199     $cfg->{ids}->{pam}->{comment} = "Linux PAM standard authentication"
 200         if !$cfg->{ids}->{pam}->{comment};
 201
 202     return $cfg;
 203 };
 204
 205 sub write_config {
 206     my ($class, $filename, $cfg) = @_;
 207
 208     foreach my $realm (keys %{$cfg->{ids}}) {
 209         my $data = $cfg->{ids}->{$realm};
 210         if ($data->{comment}) {
 211             $data->{comment} = PVE::Tools::encode_text($data->{comment});
 212         }
 213     }
 214
 215     $class->SUPER::write_config($filename, $cfg);
 216 }
 217
 218 sub authenticate_user {
 219     my ($class, $config, $realm, $username, $password) = @_;
 220
 221     die "overwrite me";
 222 }
 223
 224 sub store_password {
 225     my ($class, $config, $realm, $username, $password) = @_;
 226
 227     my $type = $class->type();
 228
 229     die "can't set password on auth type '$type'\n";
 230 }
 231
 232 sub delete_user {
 233     my ($class, $config, $realm, $username) = @_;
 234
 235     # do nothing by default
 236 }
 237
 238 1;