]> git.proxmox.com Git - pve-access-control.git/blob - PVE/Auth/Plugin.pm
projects / pve-access-control.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
add basic support for two factor auth
[pve-access-control.git] / PVE / Auth / Plugin.pm
1 package PVE::Auth::Plugin;
2
3 use strict;
4 use warnings;
5 use Encode;
6 use Digest::SHA;
7 use PVE::Tools;
8 use PVE::SectionConfig;
9 use PVE::JSONSchema qw(get_standard_option);
10 use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_lock_file);
11
12 use Data::Dumper;
13
14 use base qw(PVE::SectionConfig);
15
16 my $domainconfigfile = "domains.cfg";
17
18 cfs_register_file($domainconfigfile,
19 sub { __PACKAGE__->parse_config(@_); },
20 sub { __PACKAGE__->write_config(@_); });
21
22 sub lock_domain_config {
23 my ($code, $errmsg) = @_;
24
25 cfs_lock_file($domainconfigfile, undef, $code);
26 my $err = $@;
27 if ($err) {
28 $errmsg ? die "$errmsg: $err" : die $err;
29 }
30 }
31
32 my $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/;
33
34 PVE::JSONSchema::register_format('pve-realm', \&pve_verify_realm);
35 sub pve_verify_realm {
36 my ($realm, $noerr) = @_;
37
38 if ($realm !~ m/^${realm_regex}$/) {
39 return undef if $noerr;
40 die "value does not look like a valid realm\n";
41 }
42 return $realm;
43 }
44
45 PVE::JSONSchema::register_standard_option('realm', {
46 description => "Authentication domain ID",
47 type => 'string', format => 'pve-realm',
48 maxLength => 32,
49 });
50
51 PVE::JSONSchema::register_format('pve-userid', \&verify_username);
52 sub verify_username {
53 my ($username, $noerr) = @_;
54
55 $username = '' if !$username;
56 my $len = length($username);
57 if ($len < 3) {
58 die "user name '$username' is too short\n" if !$noerr;
59 return undef;
60 }
61 if ($len > 64) {
62 die "user name '$username' is too long ($len > 64)\n" if !$noerr;
63 return undef;
64 }
65
66 # we only allow a limited set of characters
67 # colon is not allowed, because we store usernames in
68 # colon separated lists)!
69 # slash is not allowed because it is used as pve API delimiter
70 # also see "man useradd"
71 if ($username =~ m!^([^\s:/]+)\@(${realm_regex})$!) {
72 return wantarray ? ($username, $1, $2) : $username;
73 }
74
75 die "value '$username' does not look like a valid user name\n" if !$noerr;
76
77 return undef;
78 }
79
80 PVE::JSONSchema::register_standard_option('userid', {
81 description => "User ID",
82 type => 'string', format => 'pve-userid',
83 maxLength => 64,
84 });
85
86 PVE::JSONSchema::register_format('pve-tfa-config', \&verify_tfa_config);
87 sub verify_tfa_config {
88 my ($value, $noerr) = @_;
89
90 return $value if parse_tfa_config($value);
91
92 return undef if $noerr;
93
94 die "unable to parse tfa option\n";
95 }
96
97 PVE::JSONSchema::register_standard_option('tfa', {
98 description => "Use Two-factor authentication.",
99 type => 'string', format => 'pve-tfa-config',
100 optional => 1,
101 maxLength => 128,
102 });
103
104 sub parse_tfa_config {
105 my ($data) = @_;
106
107 my $res = {};
108
109 foreach my $kvp (split(/,/, $data)) {
110
111 if ($kvp =~ m/^type=(yubico)$/) {
112 $res->{type} = $1;
113 } elsif ($kvp =~ m/^id=(\S+)$/) {
114 $res->{id} = $1;
115 } elsif ($kvp =~ m/^key=(\S+)$/) {
116 $res->{key} = $1;
117 } elsif ($kvp =~ m/^url=(\S+)$/) {
118 $res->{url} = $1;
119 } else {
120 return undef;
121 }
122 }
123
124 return undef if !$res->{type};
125
126 return $res;
127 }
128
129 sub encrypt_pw {
130 my ($pw) = @_;
131
132 my $time = substr(Digest::SHA::sha1_base64 (time), 0, 8);
133 return crypt(encode("utf8", $pw), "\$5\$$time\$");
134 }
135
136 my $defaultData = {
137 propertyList => {
138 type => { description => "Realm type." },
139 realm => get_standard_option('realm'),
140 },
141 };
142
143 sub private {
144 return $defaultData;
145 }
146
147 sub parse_section_header {
148 my ($class, $line) = @_;
149
150 if ($line =~ m/^(\S+):\s*(\S+)\s*$/) {
151 my ($type, $realm) = (lc($1), $2);
152 my $errmsg = undef; # set if you want to skip whole section
153 eval { pve_verify_realm($realm); };
154 $errmsg = $@ if $@;
155 my $config = {}; # to return additional attributes
156 return ($type, $realm, $errmsg, $config);
157 }
158 return undef;
159 }
160
161 sub parse_config {
162 my ($class, $filename, $raw) = @_;
163
164 my $cfg = $class->SUPER::parse_config($filename, $raw);
165
166 my $default;
167 foreach my $realm (keys %{$cfg->{ids}}) {
168 my $data = $cfg->{ids}->{$realm};
169 # make sure there is only one default marker
170 if ($data->{default}) {
171 if ($default) {
172 delete $data->{default};
173 } else {
174 $default = $realm;
175 }
176 }
177
178 if ($data->{comment}) {
179 $data->{comment} = PVE::Tools::decode_text($data->{comment});
180 }
181
182 }
183
184 # add default domains
185
186 $cfg->{ids}->{pve}->{type} = 'pve'; # force type
187 $cfg->{ids}->{pve}->{comment} = "Proxmox VE authentication server"
188 if !$cfg->{ids}->{pve}->{comment};
189
190 $cfg->{ids}->{pam}->{type} = 'pam'; # force type
191 $cfg->{ids}->{pam}->{plugin} = 'PVE::Auth::PAM';
192 $cfg->{ids}->{pam}->{comment} = "Linux PAM standard authentication"
193 if !$cfg->{ids}->{pam}->{comment};
194
195 return $cfg;
196 };
197
198 sub write_config {
199 my ($class, $filename, $cfg) = @_;
200
201 delete $cfg->{ids}->{pve};
202 delete $cfg->{ids}->{pam};
203
204 foreach my $realm (keys %{$cfg->{ids}}) {
205 my $data = $cfg->{ids}->{$realm};
206 if ($data->{comment}) {
207 $data->{comment} = PVE::Tools::encode_text($data->{comment});
208 }
209 }
210
211 $class->SUPER::write_config($filename, $cfg);
212 }
213
214 sub authenticate_user {
215 my ($class, $config, $realm, $username, $password) = @_;
216
217 die "overwrite me";
218 }
219
220 sub store_password {
221 my ($class, $config, $realm, $username, $password) = @_;
222
223 my $type = $class->type();
224
225 die "can't set password on auth type '$type'\n";
226 }
227
228 sub delete_user {
229 my ($class, $config, $realm, $username) = @_;
230
231 # do nothing by default
232 }
233
234 1;
Access control framework