PVE/Auth/Plugin.pm

   1 package PVE::Auth::Plugin;
   2
   3 use strict;
   4 use warnings;
   5 use Encode;
   6 use Digest::SHA;
   7 use PVE::Tools;
   8 use PVE::SectionConfig;
   9 use PVE::JSONSchema qw(get_standard_option);
  10 use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_lock_file);
  11
  12 use Data::Dumper;
  13
  14 use base qw(PVE::SectionConfig);
  15
  16 my $domainconfigfile = "domains.cfg";
  17
  18 cfs_register_file($domainconfigfile,
  19                   sub { __PACKAGE__->parse_config(@_); },
  20                   sub { __PACKAGE__->write_config(@_); });
  21
  22 sub lock_domain_config {
  23     my ($code, $errmsg) = @_;
  24
  25     cfs_lock_file($domainconfigfile, undef, $code);
  26     my $err = $@;
  27     if ($err) {
  28         $errmsg ? die "$errmsg: $err" : die $err;
  29     }
  30 }
  31
  32 my $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/;
  33
  34 PVE::JSONSchema::register_format('pve-realm', \&pve_verify_realm);
  35 sub pve_verify_realm {
  36     my ($realm, $noerr) = @_;
  37
  38     if ($realm !~ m/^${realm_regex}$/) {
  39         return undef if $noerr;
  40         die "value does not look like a valid realm\n";
  41     }
  42     return $realm;
  43 }
  44
  45 PVE::JSONSchema::register_standard_option('realm', {
  46     description => "Authentication domain ID",
  47     type => 'string', format => 'pve-realm',
  48     maxLength => 32,
  49 });
  50
  51 PVE::JSONSchema::register_format('pve-userid', \&verify_username);
  52 sub verify_username {
  53     my ($username, $noerr) = @_;
  54
  55     $username = '' if !$username;
  56     my $len = length($username);
  57     if ($len < 3) {
  58         die "user name '$username' is too short\n" if !$noerr;
  59         return undef;
  60     }
  61     if ($len > 64) {
  62         die "user name '$username' is too long ($len > 64)\n" if !$noerr;
  63         return undef;
  64     }
  65
  66     # we only allow a limited set of characters
  67     # colon is not allowed, because we store usernames in
  68     # colon separated lists)!
  69     # slash is not allowed because it is used as pve API delimiter
  70     # also see "man useradd"
  71     if ($username =~ m!^([^\s:/]+)\@(${realm_regex})$!) {
  72         return wantarray ? ($username, $1, $2) : $username;
  73     }
  74
  75     die "value '$username' does not look like a valid user name\n" if !$noerr;
  76
  77     return undef;
  78 }
  79
  80 PVE::JSONSchema::register_standard_option('userid', {
  81     description => "User ID",
  82     type => 'string', format => 'pve-userid',
  83     maxLength => 64,
  84 });
  85
  86 sub encrypt_pw {
  87     my ($pw) = @_;
  88
  89     my $time = substr(Digest::SHA::sha1_base64 (time), 0, 8);
  90     return crypt(encode("utf8", $pw), "\$5\$$time\$");
  91 }
  92
  93 my $defaultData = {
  94     propertyList => {
  95         type => { description => "Realm type." },
  96         realm => get_standard_option('realm'),
  97     },
  98 };
  99
 100 sub private {
 101     return $defaultData;
 102 }
 103
 104 sub parse_section_header {
 105     my ($class, $line) = @_;
 106
 107     if ($line =~ m/^(\S+):\s*(\S+)\s*$/) {
 108         my ($type, $realm) = (lc($1), $2);
 109         my $errmsg = undef; # set if you want to skip whole section
 110         eval { pve_verify_realm($realm); };
 111         $errmsg = $@ if $@;
 112         my $config = {}; # to return additional attributes
 113         return ($type, $realm, $errmsg, $config);
 114     }
 115     return undef;
 116 }
 117
 118 sub parse_config {
 119     my ($class, $filename, $raw) = @_;
 120
 121     my $cfg = $class->SUPER::parse_config($filename, $raw);
 122
 123     my $default;
 124     foreach my $realm (keys %{$cfg->{ids}}) {
 125         my $data = $cfg->{ids}->{$realm};
 126         # make sure there is only one default marker
 127         if ($data->{default}) {
 128             if ($default) {
 129                 delete $data->{default};
 130             } else {
 131                 $default = $realm;
 132             }
 133         }
 134
 135         if ($data->{comment}) {
 136             $data->{comment} = PVE::Tools::decode_text($data->{comment});
 137         }
 138
 139     }
 140
 141     # add default domains
 142
 143     $cfg->{ids}->{pve} = {
 144         type => 'pve',
 145         comment => "Proxmox VE authentication server",
 146     };
 147
 148     $cfg->{ids}->{pam} = {
 149         type => 'pam',
 150         plugin => 'PVE::Auth::PAM',
 151         comment => "Linux PAM standard authentication",
 152     };
 153
 154     return $cfg;
 155 };
 156
 157 sub write_config {
 158     my ($class, $filename, $cfg) = @_;
 159
 160     delete $cfg->{ids}->{pve};
 161     delete $cfg->{ids}->{pam};
 162
 163     foreach my $realm (keys %{$cfg->{ids}}) {
 164         my $data = $cfg->{ids}->{$realm};
 165         if ($data->{comment}) {
 166             $data->{comment} = PVE::Tools::encode_text($data->{comment});
 167         }
 168     }
 169
 170     $class->SUPER::write_config($filename, $cfg);
 171 }
 172
 173 sub authenticate_user {
 174     my ($class, $config, $realm, $username, $password) = @_;
 175
 176     die "overwrite me";
 177 }
 178
 179 sub store_password {
 180     my ($class, $config, $realm, $username, $password) = @_;
 181
 182     my $type = $class->type();
 183
 184     die "can't set password on auth type '$type'\n";
 185 }
 186
 187 sub delete_user {
 188     my ($class, $config, $realm, $username) = @_;
 189
 190     # do nothing by default
 191 }
 192
 193 1;