]> git.proxmox.com Git - pve-access-control.git/blob - PVE/Auth/Plugin.pm
projects / pve-access-control.git / blob
? search:


d5d2c06971357b57bd15937f4a641608efbfe958
[pve-access-control.git] / PVE / Auth / Plugin.pm
1 package PVE::Auth::Plugin;
2
3 use strict;
4 use warnings;
5 use Encode;
6 use Digest::SHA;
7 use PVE::Tools;
8 use PVE::SectionConfig;
9 use PVE::JSONSchema qw(get_standard_option);
10 use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_lock_file);
11
12 use base qw(PVE::SectionConfig);
13
14 my $domainconfigfile = "domains.cfg";
15
16 cfs_register_file($domainconfigfile,
17 sub { __PACKAGE__->parse_config(@_); },
18 sub { __PACKAGE__->write_config(@_); });
19
20 sub lock_domain_config {
21 my ($code, $errmsg) = @_;
22
23 cfs_lock_file($domainconfigfile, undef, $code);
24 my $err = $@;
25 if ($err) {
26 $errmsg ? die "$errmsg: $err" : die $err;
27 }
28 }
29
30 my $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/;
31
32 PVE::JSONSchema::register_format('pve-realm', \&pve_verify_realm);
33 sub pve_verify_realm {
34 my ($realm, $noerr) = @_;
35
36 if ($realm !~ m/^${realm_regex}$/) {
37 return undef if $noerr;
38 die "value does not look like a valid realm\n";
39 }
40 return $realm;
41 }
42
43 PVE::JSONSchema::register_standard_option('realm', {
44 description => "Authentication domain ID",
45 type => 'string', format => 'pve-realm',
46 maxLength => 32,
47 });
48
49 PVE::JSONSchema::register_format('pve-userid', \&verify_username);
50 sub verify_username {
51 my ($username, $noerr) = @_;
52
53 $username = '' if !$username;
54 my $len = length($username);
55 if ($len < 3) {
56 die "user name '$username' is too short\n" if !$noerr;
57 return undef;
58 }
59 if ($len > 64) {
60 die "user name '$username' is too long ($len > 64)\n" if !$noerr;
61 return undef;
62 }
63
64 # we only allow a limited set of characters
65 # colon is not allowed, because we store usernames in
66 # colon separated lists)!
67 # slash is not allowed because it is used as pve API delimiter
68 # also see "man useradd"
69 if ($username =~ m!^([^\s:/]+)\@(${realm_regex})$!) {
70 return wantarray ? ($username, $1, $2) : $username;
71 }
72
73 die "value '$username' does not look like a valid user name\n" if !$noerr;
74
75 return undef;
76 }
77
78 PVE::JSONSchema::register_standard_option('userid', {
79 description => "User ID",
80 type => 'string', format => 'pve-userid',
81 maxLength => 64,
82 });
83
84 PVE::JSONSchema::register_format('pve-tfa-config', \&verify_tfa_config);
85 sub verify_tfa_config {
86 my ($value, $noerr) = @_;
87
88 return $value if parse_tfa_config($value);
89
90 return undef if $noerr;
91
92 die "unable to parse tfa option\n";
93 }
94
95 PVE::JSONSchema::register_standard_option('tfa', {
96 description => "Use Two-factor authentication.",
97 type => 'string', format => 'pve-tfa-config',
98 optional => 1,
99 maxLength => 128,
100 });
101
102 sub parse_tfa_config {
103 my ($data) = @_;
104
105 my $res = {};
106
107 foreach my $kvp (split(/,/, $data)) {
108
109 if ($kvp =~ m/^type=(yubico|oath)$/) {
110 $res->{type} = $1;
111 } elsif ($kvp =~ m/^id=(\S+)$/) {
112 $res->{id} = $1;
113 } elsif ($kvp =~ m/^key=(\S+)$/) {
114 $res->{key} = $1;
115 } elsif ($kvp =~ m/^url=(\S+)$/) {
116 $res->{url} = $1;
117 } elsif ($kvp =~ m/^digits=([6|7|8])$/) {
118 $res->{digits} = $1;
119 } elsif ($kvp =~ m/^step=([1-9]\d+)$/) {
120 $res->{step} = $1;
121 } else {
122 return undef;
123 }
124 }
125
126 return undef if !$res->{type};
127
128 return $res;
129 }
130
131 my $defaultData = {
132 propertyList => {
133 type => { description => "Realm type." },
134 realm => get_standard_option('realm'),
135 },
136 };
137
138 sub private {
139 return $defaultData;
140 }
141
142 sub parse_section_header {
143 my ($class, $line) = @_;
144
145 if ($line =~ m/^(\S+):\s*(\S+)\s*$/) {
146 my ($type, $realm) = (lc($1), $2);
147 my $errmsg = undef; # set if you want to skip whole section
148 eval { pve_verify_realm($realm); };
149 $errmsg = $@ if $@;
150 my $config = {}; # to return additional attributes
151 return ($type, $realm, $errmsg, $config);
152 }
153 return undef;
154 }
155
156 sub parse_config {
157 my ($class, $filename, $raw) = @_;
158
159 my $cfg = $class->SUPER::parse_config($filename, $raw);
160
161 my $default;
162 foreach my $realm (keys %{$cfg->{ids}}) {
163 my $data = $cfg->{ids}->{$realm};
164 # make sure there is only one default marker
165 if ($data->{default}) {
166 if ($default) {
167 delete $data->{default};
168 } else {
169 $default = $realm;
170 }
171 }
172
173 if ($data->{comment}) {
174 $data->{comment} = PVE::Tools::decode_text($data->{comment});
175 }
176
177 }
178
179 # add default domains
180
181 $cfg->{ids}->{pve}->{type} = 'pve'; # force type
182 $cfg->{ids}->{pve}->{comment} = "Proxmox VE authentication server"
183 if !$cfg->{ids}->{pve}->{comment};
184
185 $cfg->{ids}->{pam}->{type} = 'pam'; # force type
186 $cfg->{ids}->{pam}->{plugin} = 'PVE::Auth::PAM';
187 $cfg->{ids}->{pam}->{comment} = "Linux PAM standard authentication"
188 if !$cfg->{ids}->{pam}->{comment};
189
190 return $cfg;
191 };
192
193 sub write_config {
194 my ($class, $filename, $cfg) = @_;
195
196 foreach my $realm (keys %{$cfg->{ids}}) {
197 my $data = $cfg->{ids}->{$realm};
198 if ($data->{comment}) {
199 $data->{comment} = PVE::Tools::encode_text($data->{comment});
200 }
201 }
202
203 $class->SUPER::write_config($filename, $cfg);
204 }
205
206 sub authenticate_user {
207 my ($class, $config, $realm, $username, $password) = @_;
208
209 die "overwrite me";
210 }
211
212 sub store_password {
213 my ($class, $config, $realm, $username, $password) = @_;
214
215 my $type = $class->type();
216
217 die "can't set password on auth type '$type'\n";
218 }
219
220 sub delete_user {
221 my ($class, $config, $realm, $username) = @_;
222
223 # do nothing by default
224 }
225
226 1;
Access control framework