]>
git.proxmox.com Git - pve-access-control.git/blob - PVE/Auth/Plugin.pm
1 package PVE
::Auth
::Plugin
;
8 use PVE
::SectionConfig
;
9 use PVE
::JSONSchema
qw(get_standard_option);
10 use PVE
::Cluster
qw(cfs_register_file cfs_read_file cfs_lock_file);
12 use base
qw(PVE::SectionConfig);
14 my $domainconfigfile = "domains.cfg";
16 cfs_register_file
($domainconfigfile,
17 sub { __PACKAGE__-
>parse_config(@_); },
18 sub { __PACKAGE__-
>write_config(@_); });
20 sub lock_domain_config
{
21 my ($code, $errmsg) = @_;
23 cfs_lock_file
($domainconfigfile, undef, $code);
26 $errmsg ?
die "$errmsg: $err" : die $err;
30 our $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/;
31 our $user_regex = qr![^\s:/]+!;
33 PVE
::JSONSchema
::register_format
('pve-realm', \
&pve_verify_realm
);
34 sub pve_verify_realm
{
35 my ($realm, $noerr) = @_;
37 if ($realm !~ m/^${realm_regex}$/) {
38 return undef if $noerr;
39 die "value does not look like a valid realm\n";
44 PVE
::JSONSchema
::register_standard_option
('realm', {
45 description
=> "Authentication domain ID",
46 type
=> 'string', format
=> 'pve-realm',
50 PVE
::JSONSchema
::register_format
('pve-userid', \
&verify_username
);
52 my ($username, $noerr) = @_;
54 $username = '' if !$username;
55 my $len = length($username);
57 die "user name '$username' is too short\n" if !$noerr;
61 die "user name '$username' is too long ($len > 64)\n" if !$noerr;
65 # we only allow a limited set of characters
66 # colon is not allowed, because we store usernames in
67 # colon separated lists)!
68 # slash is not allowed because it is used as pve API delimiter
69 # also see "man useradd"
70 if ($username =~ m!^(${user_regex})\@(${realm_regex})$!) {
71 return wantarray ?
($username, $1, $2) : $username;
74 die "value '$username' does not look like a valid user name\n" if !$noerr;
79 PVE
::JSONSchema
::register_standard_option
('userid', {
80 description
=> "User ID",
81 type
=> 'string', format
=> 'pve-userid',
87 description
=> "The type of 2nd factor authentication.",
88 format_description
=> 'TFATYPE',
90 enum
=> [qw(yubico oath)],
93 description
=> "Yubico API ID.",
94 format_description
=> 'ID',
99 description
=> "Yubico API Key.",
100 format_description
=> 'KEY',
105 description
=> "Yubico API URL.",
106 format_description
=> 'URL',
111 description
=> "TOTP digits.",
112 format_description
=> 'COUNT',
114 minimum
=> 6, maximum
=> 8,
119 description
=> "TOTP time period.",
120 format_description
=> 'SECONDS',
128 PVE
::JSONSchema
::register_format
('pve-tfa-config', $tfa_format);
130 PVE
::JSONSchema
::register_standard_option
('tfa', {
131 description
=> "Use Two-factor authentication.",
132 type
=> 'string', format
=> 'pve-tfa-config',
137 sub parse_tfa_config
{
140 return PVE
::JSONSchema
::parse_property_string
($tfa_format, $data);
145 type
=> { description
=> "Realm type." },
146 realm
=> get_standard_option
('realm'),
154 sub parse_section_header
{
155 my ($class, $line) = @_;
157 if ($line =~ m/^(\S+):\s*(\S+)\s*$/) {
158 my ($type, $realm) = (lc($1), $2);
159 my $errmsg = undef; # set if you want to skip whole section
160 eval { pve_verify_realm
($realm); };
162 my $config = {}; # to return additional attributes
163 return ($type, $realm, $errmsg, $config);
169 my ($class, $filename, $raw) = @_;
171 my $cfg = $class->SUPER::parse_config
($filename, $raw);
174 foreach my $realm (keys %{$cfg->{ids
}}) {
175 my $data = $cfg->{ids
}->{$realm};
176 # make sure there is only one default marker
177 if ($data->{default}) {
179 delete $data->{default};
185 if ($data->{comment
}) {
186 $data->{comment
} = PVE
::Tools
::decode_text
($data->{comment
});
191 # add default domains
193 $cfg->{ids
}->{pve
}->{type
} = 'pve'; # force type
194 $cfg->{ids
}->{pve
}->{comment
} = "Proxmox VE authentication server"
195 if !$cfg->{ids
}->{pve
}->{comment
};
197 $cfg->{ids
}->{pam
}->{type
} = 'pam'; # force type
198 $cfg->{ids
}->{pam
}->{plugin
} = 'PVE::Auth::PAM';
199 $cfg->{ids
}->{pam
}->{comment
} = "Linux PAM standard authentication"
200 if !$cfg->{ids
}->{pam
}->{comment
};
206 my ($class, $filename, $cfg) = @_;
208 foreach my $realm (keys %{$cfg->{ids
}}) {
209 my $data = $cfg->{ids
}->{$realm};
210 if ($data->{comment
}) {
211 $data->{comment
} = PVE
::Tools
::encode_text
($data->{comment
});
215 $class->SUPER::write_config
($filename, $cfg);
218 sub authenticate_user
{
219 my ($class, $config, $realm, $username, $password) = @_;
225 my ($class, $config, $realm, $username, $password) = @_;
227 my $type = $class->type();
229 die "can't set password on auth type '$type'\n";
233 my ($class, $config, $realm, $username) = @_;
235 # do nothing by default