fix #916: allow HTTPS to access custom yubico url

[pve-access-control.git] / PVE / AccessControl.pm

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index d3f1cf6661b1fcc5221e2630a521d8b7cb8f9639..550fa87c24d23cb606c7760ac867fcf761801c8c 100644 (file)
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -287,8 +287,15 @@ sub read_x509_subject_spice {
 
     # read x509 subject
     my $bio = Net::SSLeay::BIO_new_file($filename, 'r');
+    die "Could not open $filename using OpenSSL\n"
+       if !$bio;
+
     my $x509 = Net::SSLeay::PEM_read_bio_X509($bio);
     Net::SSLeay::BIO_free($bio);
+
+    die "Could not parse X509 certificate in $filename\n"
+       if !$x509;
+
     my $nameobj = Net::SSLeay::X509_get_subject_name($x509);
     my $subject = Net::SSLeay::X509_NAME_oneline($nameobj);
     Net::SSLeay::X509_free($x509);
@@ -1093,23 +1100,47 @@ sub remove_vm_access {
     my ($vmid) = @_;
     my $delVMaccessFn = sub {
         my $usercfg = cfs_read_file("user.cfg");
+       my $modified;
 
-        if (my $acl = $usercfg->{acl}->{'/vms/'.$vmid}) {
-            delete $usercfg->{acl}->{'/vms/'.$vmid};
-            cfs_write_file("user.cfg", $usercfg);
+        if (my $acl = $usercfg->{acl}->{"/vms/$vmid"}) {
+            delete $usercfg->{acl}->{"/vms/$vmid"};
+           $modified = 1;
         }
         if (my $pool = $usercfg->{vms}->{$vmid}) {
             if (my $data = $usercfg->{pools}->{$pool}) {
                 delete $data->{vms}->{$vmid};
                 delete $usercfg->{vms}->{$vmid};
-                cfs_write_file("user.cfg", $usercfg);
+               $modified = 1;
             }
         }
+       cfs_write_file("user.cfg", $usercfg) if $modified;
     };
 
     lock_user_config($delVMaccessFn, "access permissions cleanup for VM $vmid failed");
 }
 
+sub remove_storage_access {
+    my ($storeid) = @_;
+
+    my $deleteStorageAccessFn = sub {
+        my $usercfg = cfs_read_file("user.cfg");
+       my $modified;
+
+        if (my $storage = $usercfg->{acl}->{"/storage/$storeid"}) {
+            delete $usercfg->{acl}->{"/storage/$storeid"};
+            $modified = 1;
+        }
+       foreach my $pool (keys %{$usercfg->{pools}}) {
+           delete $usercfg->{pools}->{$pool}->{storage}->{$storeid};
+           $modified = 1;
+       }
+        cfs_write_file("user.cfg", $usercfg) if $modified;
+    };
+
+    lock_user_config($deleteStorageAccessFn,
+                    "access permissions cleanup for storage $storeid failed");
+}
+
 sub add_vm_to_pool {
     my ($vmid, $pool) = @_;
 
@@ -1168,8 +1199,6 @@ sub yubico_verify_otp {
 
     die "yubico: wrong OTP lenght\n" if (length($otp) < 32) || (length($otp) > 48);
 
-    # we always use http, because https cert verification always make problem, and
-    # some proxies does not work with https.
 
     $url = 'http://api2.yubico.com/wsapi/2.0/verify' if !defined($url);
 
@@ -1186,10 +1215,10 @@ sub yubico_verify_otp {
 
     my $req = HTTP::Request->new('GET' => "$url?$paramstr");
 
-    my $ua = LWP::UserAgent->new(protocols_allowed => ['http'], timeout => 30);
+    my $ua = LWP::UserAgent->new(protocols_allowed => ['http', 'https'], timeout => 30);
 
     if ($proxy) {
-       $ua->proxy(['http'], $proxy);
+       $ua->proxy(['http', 'https'], $proxy);
     } else {
        $ua->env_proxy;
     }
@@ -1270,4 +1299,27 @@ sub oath_verify_otp {
     die "oath auth failed\n" if !$found;
 }
 
+# bash completion helpers
+
+sub complete_username {
+
+    my $user_cfg = cfs_read_file('user.cfg');
+
+    return [ keys %{$user_cfg->{users}} ];
+}
+
+sub complete_group {
+
+    my $user_cfg = cfs_read_file('user.cfg');
+
+    return [ keys %{$user_cfg->{groups}} ];
+}
+
+sub complete_realm {
+
+    my $domain_cfg = cfs_read_file('domains.cfg');
+
+    return [ keys %{$domain_cfg->{ids}} ];
+}
+
 1;