]> git.proxmox.com Git - pve-access-control.git/blob - src/PVE/API2/AccessControl.pm
projects / pve-access-control.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
tfa: pass whole webauthn config to 'set_webauthn_config'
[pve-access-control.git] / src / PVE / API2 / AccessControl.pm
1 package PVE::API2::AccessControl;
2
3 use strict;
4 use warnings;
5
6 use JSON;
7 use MIME::Base64;
8
9 use PVE::Exception qw(raise raise_perm_exc raise_param_exc);
10 use PVE::SafeSyslog;
11 use PVE::RPCEnvironment;
12 use PVE::Cluster qw(cfs_read_file);
13 use PVE::DataCenterConfig;
14 use PVE::RESTHandler;
15 use PVE::AccessControl;
16 use PVE::JSONSchema qw(get_standard_option);
17 use PVE::API2::Domains;
18 use PVE::API2::User;
19 use PVE::API2::Group;
20 use PVE::API2::Role;
21 use PVE::API2::ACL;
22 use PVE::API2::OpenId;
23 use PVE::API2::TFA;
24 use PVE::Auth::Plugin;
25 use PVE::OTP;
26
27 my $u2f_available = 0;
28 eval {
29 require PVE::U2F;
30 $u2f_available = 1;
31 };
32
33 use base qw(PVE::RESTHandler);
34
35 __PACKAGE__->register_method ({
36 subclass => "PVE::API2::User",
37 path => 'users',
38 });
39
40 __PACKAGE__->register_method ({
41 subclass => "PVE::API2::Group",
42 path => 'groups',
43 });
44
45 __PACKAGE__->register_method ({
46 subclass => "PVE::API2::Role",
47 path => 'roles',
48 });
49
50 __PACKAGE__->register_method ({
51 subclass => "PVE::API2::ACL",
52 path => 'acl',
53 });
54
55 __PACKAGE__->register_method ({
56 subclass => "PVE::API2::Domains",
57 path => 'domains',
58 });
59
60 __PACKAGE__->register_method ({
61 subclass => "PVE::API2::OpenId",
62 path => 'openid',
63 });
64
65 __PACKAGE__->register_method ({
66 subclass => "PVE::API2::TFA",
67 path => 'tfa',
68 });
69
70 __PACKAGE__->register_method ({
71 name => 'index',
72 path => '',
73 method => 'GET',
74 description => "Directory index.",
75 permissions => {
76 user => 'all',
77 },
78 parameters => {
79 additionalProperties => 0,
80 properties => {},
81 },
82 returns => {
83 type => 'array',
84 items => {
85 type => "object",
86 properties => {
87 subdir => { type => 'string' },
88 },
89 },
90 links => [ { rel => 'child', href => "{subdir}" } ],
91 },
92 code => sub {
93 my ($param) = @_;
94
95 my $res = [];
96
97 my $ma = __PACKAGE__->method_attributes();
98
99 foreach my $info (@$ma) {
100 next if !$info->{subclass};
101
102 my $subpath = $info->{match_re}->[0];
103
104 push @$res, { subdir => $subpath };
105 }
106
107 push @$res, { subdir => 'ticket' };
108 push @$res, { subdir => 'password' };
109
110 return $res;
111 }});
112
113
114 my sub verify_auth : prototype($$$$$$$) {
115 my ($rpcenv, $username, $pw_or_ticket, $otp, $path, $privs, $new_format) = @_;
116
117 my $normpath = PVE::AccessControl::normalize_path($path);
118 die "invalid path - $path\n" if defined($path) && !defined($normpath);
119
120 my $ticketuser;
121 if (($ticketuser = PVE::AccessControl::verify_ticket($pw_or_ticket, 1)) &&
122 ($ticketuser eq $username)) {
123 # valid ticket
124 } elsif (PVE::AccessControl::verify_vnc_ticket($pw_or_ticket, $username, $normpath, 1)) {
125 # valid vnc ticket
126 } else {
127 $username = PVE::AccessControl::authenticate_user(
128 $username,
129 $pw_or_ticket,
130 $otp,
131 $new_format,
132 );
133 }
134
135 my $privlist = [ PVE::Tools::split_list($privs) ];
136 if (!($normpath && scalar(@$privlist) && $rpcenv->check($username, $normpath, $privlist))) {
137 die "no permission ($path, $privs)\n";
138 }
139
140 return { username => $username };
141 };
142
143 my sub create_ticket_do : prototype($$$$$$) {
144 my ($rpcenv, $username, $pw_or_ticket, $otp, $new_format, $tfa_challenge) = @_;
145
146 die "TFA response should be in 'password', not 'otp' when 'tfa-challenge' is set\n"
147 if defined($otp) && defined($tfa_challenge);
148
149 my ($ticketuser, undef, $tfa_info);
150 if (!defined($tfa_challenge)) {
151 # We only verify this ticket if we're not responding to a TFA challenge, as in that case
152 # it is a TFA-data ticket and will be verified by `authenticate_user`.
153
154 ($ticketuser, undef, $tfa_info) = PVE::AccessControl::verify_ticket($pw_or_ticket, 1);
155 }
156
157 if (defined($ticketuser) && ($ticketuser eq 'root@pam' || $ticketuser eq $username)) {
158 if (defined($tfa_info)) {
159 die "incomplete ticket\n";
160 }
161 # valid ticket. Note: root@pam can create tickets for other users
162 } else {
163 ($username, $tfa_info) = PVE::AccessControl::authenticate_user(
164 $username,
165 $pw_or_ticket,
166 $otp,
167 $new_format,
168 $tfa_challenge,
169 );
170 }
171
172 my %extra;
173 my $ticket_data = $username;
174 my $aad;
175 if ($new_format) {
176 if (defined($tfa_info)) {
177 $extra{NeedTFA} = 1;
178 $ticket_data = "!tfa!$tfa_info";
179 $aad = $username;
180 }
181 } elsif (defined($tfa_info)) {
182 $extra{NeedTFA} = 1;
183 if ($tfa_info->{type} eq 'u2f') {
184 my $u2finfo = $tfa_info->{data};
185 my $u2f = get_u2f_instance($rpcenv, $u2finfo->@{qw(publicKey keyHandle)});
186 my $challenge = $u2f->auth_challenge()
187 or die "failed to get u2f challenge\n";
188 $challenge = decode_json($challenge);
189 $extra{U2FChallenge} = $challenge;
190 $ticket_data = "u2f!$username!$challenge->{challenge}";
191 } else {
192 # General half-login / 'missing 2nd factor' ticket:
193 $ticket_data = "tfa!$username";
194 }
195 }
196
197 my $ticket = PVE::AccessControl::assemble_ticket($ticket_data, $aad);
198 my $csrftoken = PVE::AccessControl::assemble_csrf_prevention_token($username);
199
200 return {
201 ticket => $ticket,
202 username => $username,
203 CSRFPreventionToken => $csrftoken,
204 %extra,
205 };
206 };
207
208 __PACKAGE__->register_method ({
209 name => 'get_ticket',
210 path => 'ticket',
211 method => 'GET',
212 permissions => { user => 'world' },
213 description => "Dummy. Useful for formatters which want to provide a login page.",
214 parameters => {
215 additionalProperties => 0,
216 },
217 returns => { type => "null" },
218 code => sub { return undef; }});
219
220 __PACKAGE__->register_method ({
221 name => 'create_ticket',
222 path => 'ticket',
223 method => 'POST',
224 permissions => {
225 description => "You need to pass valid credientials.",
226 user => 'world'
227 },
228 protected => 1, # else we can't access shadow files
229 allowtoken => 0, # we don't want tokens to create tickets
230 description => "Create or verify authentication ticket.",
231 parameters => {
232 additionalProperties => 0,
233 properties => {
234 username => {
235 description => "User name",
236 type => 'string',
237 maxLength => 64,
238 completion => \&PVE::AccessControl::complete_username,
239 },
240 realm => get_standard_option('realm', {
241 description => "You can optionally pass the realm using this parameter. Normally the realm is simply added to the username <username>\@<relam>.",
242 optional => 1,
243 completion => \&PVE::AccessControl::complete_realm,
244 }),
245 password => {
246 description => "The secret password. This can also be a valid ticket.",
247 type => 'string',
248 },
249 otp => {
250 description => "One-time password for Two-factor authentication.",
251 type => 'string',
252 optional => 1,
253 },
254 path => {
255 description => "Verify ticket, and check if user have access 'privs' on 'path'",
256 type => 'string',
257 requires => 'privs',
258 optional => 1,
259 maxLength => 64,
260 },
261 privs => {
262 description => "Verify ticket, and check if user have access 'privs' on 'path'",
263 type => 'string' , format => 'pve-priv-list',
264 requires => 'path',
265 optional => 1,
266 maxLength => 64,
267 },
268 'new-format' => {
269 type => 'boolean',
270 description =>
271 'With webauthn the format of half-authenticated tickts changed.'
272 .' New clients should pass 1 here and not worry about the old format.'
273 .' The old format is deprecated and will be retired with PVE-8.0',
274 optional => 1,
275 default => 0,
276 },
277 'tfa-challenge' => {
278 type => 'string',
279 description => "The signed TFA challenge string the user wants to respond to.",
280 optional => 1,
281 },
282 }
283 },
284 returns => {
285 type => "object",
286 properties => {
287 username => { type => 'string' },
288 ticket => { type => 'string', optional => 1},
289 CSRFPreventionToken => { type => 'string', optional => 1 },
290 clustername => { type => 'string', optional => 1 },
291 # cap => computed api permissions, unless there's a u2f challenge
292 }
293 },
294 code => sub {
295 my ($param) = @_;
296
297 my $username = $param->{username};
298 $username .= "\@$param->{realm}" if $param->{realm};
299
300 $username = PVE::AccessControl::lookup_username($username);
301 my $rpcenv = PVE::RPCEnvironment::get();
302
303 my $res;
304 eval {
305 # test if user exists and is enabled
306 $rpcenv->check_user_enabled($username);
307
308 if ($param->{path} && $param->{privs}) {
309 $res = verify_auth($rpcenv, $username, $param->{password}, $param->{otp},
310 $param->{path}, $param->{privs}, $param->{'new-format'});
311 } else {
312 $res = create_ticket_do(
313 $rpcenv,
314 $username,
315 $param->{password},
316 $param->{otp},
317 $param->{'new-format'},
318 $param->{'tfa-challenge'},
319 );
320 }
321 };
322 if (my $err = $@) {
323 my $clientip = $rpcenv->get_client_ip() || '';
324 syslog('err', "authentication failure; rhost=$clientip user=$username msg=$err");
325 # do not return any info to prevent user enumeration attacks
326 die PVE::Exception->new("authentication failure\n", code => 401);
327 }
328
329 $res->{cap} = $rpcenv->compute_api_permission($username)
330 if !defined($res->{NeedTFA});
331
332 my $clinfo = PVE::Cluster::get_clinfo();
333 if ($clinfo->{cluster}->{name} && $rpcenv->check($username, '/', ['Sys.Audit'], 1)) {
334 $res->{clustername} = $clinfo->{cluster}->{name};
335 }
336
337 PVE::Cluster::log_msg('info', 'root@pam', "successful auth for user '$username'");
338
339 return $res;
340 }});
341
342 __PACKAGE__->register_method ({
343 name => 'change_password',
344 path => 'password',
345 method => 'PUT',
346 permissions => {
347 description => "Each user is allowed to change his own password. A user can change the password of another user if he has 'Realm.AllocateUser' (on the realm of user <userid>) and 'User.Modify' permission on /access/groups/<group> on a group where user <userid> is member of.",
348 check => [ 'or',
349 ['userid-param', 'self'],
350 [ 'and',
351 [ 'userid-param', 'Realm.AllocateUser'],
352 [ 'userid-group', ['User.Modify']]
353 ]
354 ],
355 },
356 protected => 1, # else we can't access shadow files
357 allowtoken => 0, # we don't want tokens to change the regular user password
358 description => "Change user password.",
359 parameters => {
360 additionalProperties => 0,
361 properties => {
362 userid => get_standard_option('userid-completed'),
363 password => {
364 description => "The new password.",
365 type => 'string',
366 minLength => 5,
367 maxLength => 64,
368 },
369 }
370 },
371 returns => { type => "null" },
372 code => sub {
373 my ($param) = @_;
374
375 my $rpcenv = PVE::RPCEnvironment::get();
376 my $authuser = $rpcenv->get_user();
377
378 my ($userid, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
379
380 $rpcenv->check_user_exist($userid);
381
382 if ($authuser eq 'root@pam') {
383 # OK - root can change anything
384 } else {
385 if ($authuser eq $userid) {
386 $rpcenv->check_user_enabled($userid);
387 # OK - each user can change its own password
388 } else {
389 # only root may change root password
390 raise_perm_exc() if $userid eq 'root@pam';
391 # do not allow to change system user passwords
392 raise_perm_exc() if $realm eq 'pam';
393 }
394 }
395
396 PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password});
397
398 PVE::Cluster::log_msg('info', 'root@pam', "changed password for user '$userid'");
399
400 return undef;
401 }});
402
403 sub get_u2f_config() {
404 die "u2f support not available\n" if !$u2f_available;
405
406 my $dc = cfs_read_file('datacenter.cfg');
407 my $u2f = $dc->{u2f};
408 die "u2f not configured in datacenter.cfg\n" if !$u2f;
409 return $u2f;
410 }
411
412 sub get_u2f_instance {
413 my ($rpcenv, $publicKey, $keyHandle) = @_;
414
415 # We store the public key base64 encoded (as the api provides it in binary)
416 $publicKey = decode_base64($publicKey) if defined($publicKey);
417
418 my $u2fconfig = get_u2f_config();
419 my $u2f = PVE::U2F->new();
420
421 # via the 'Host' header (in case a node has multiple hosts available).
422 my $origin = $u2fconfig->{origin};
423 if (!defined($origin)) {
424 $origin = $rpcenv->get_request_host(1);
425 if ($origin) {
426 $origin = "https://$origin";
427 } else {
428 die "failed to figure out u2f origin\n";
429 }
430 }
431
432 my $appid = $u2fconfig->{appid} // $origin;
433 $u2f->set_appid($appid);
434 $u2f->set_origin($origin);
435 $u2f->set_publicKey($publicKey) if defined($publicKey);
436 $u2f->set_keyHandle($keyHandle) if defined($keyHandle);
437 return $u2f;
438 }
439
440 sub verify_user_tfa_config {
441 my ($type, $tfa_cfg, $value) = @_;
442
443 if (!defined($type)) {
444 die "missing tfa 'type'\n";
445 }
446
447 if ($type ne 'oath') {
448 die "invalid type for custom tfa authentication\n";
449 }
450
451 my $secret = $tfa_cfg->{keys}
452 or die "missing TOTP secret\n";
453 $tfa_cfg = $tfa_cfg->{config};
454 # Copy the hash to verify that we have no unexpected keys without modifying the original hash.
455 $tfa_cfg = {%$tfa_cfg};
456
457 # We can only verify 1 secret but oath_verify_otp allows multiple:
458 if (scalar(PVE::Tools::split_list($secret)) != 1) {
459 die "only exactly one secret key allowed\n";
460 }
461
462 my $digits = delete($tfa_cfg->{digits}) // 6;
463 my $step = delete($tfa_cfg->{step}) // 30;
464 # Maybe also this?
465 # my $algorithm = delete($tfa_cfg->{algorithm}) // 'sha1';
466
467 if (length(my $more = join(', ', keys %$tfa_cfg))) {
468 die "unexpected tfa config keys: $more\n";
469 }
470
471 PVE::OTP::oath_verify_otp($value, $secret, $step, $digits);
472 }
473
474
475 __PACKAGE__->register_method({
476 name => 'permissions',
477 path => 'permissions',
478 method => 'GET',
479 description => 'Retrieve effective permissions of given user/token.',
480 permissions => {
481 description => "Each user/token is allowed to dump their own permissions. A user can dump the permissions of another user if they have 'Sys.Audit' permission on /access.",
482 user => 'all',
483 },
484 parameters => {
485 additionalProperties => 0,
486 properties => {
487 userid => {
488 type => 'string',
489 description => "User ID or full API token ID",
490 pattern => $PVE::AccessControl::userid_or_token_regex,
491 optional => 1,
492 },
493 path => get_standard_option('acl-path', {
494 description => "Only dump this specific path, not the whole tree.",
495 optional => 1,
496 }),
497 },
498 },
499 returns => {
500 type => 'object',
501 description => 'Map of "path" => (Map of "privilege" => "propagate boolean").',
502 },
503 code => sub {
504 my ($param) = @_;
505
506 my $rpcenv = PVE::RPCEnvironment::get();
507
508 my $userid = $param->{userid};
509 if (defined($userid)) {
510 $rpcenv->check($rpcenv->get_user(), '/access', ['Sys.Audit']);
511 } else {
512 $userid = $rpcenv->get_user();
513 }
514
515 my $res;
516
517 if (my $path = $param->{path}) {
518 my $perms = $rpcenv->permissions($userid, $path);
519 if ($perms) {
520 $res = { $path => $perms };
521 } else {
522 $res = {};
523 }
524 } else {
525 $res = $rpcenv->get_effective_permissions($userid);
526 }
527
528 return $res;
529 }});
530
531 1;
Access control framework