warn "auth key pair missing, generating new one..\n" if !$quiet;
return 0;
} else {
- if (time() - $mtime >= $authkey_lifetime) {
+ my $now = time();
+ if ($now - $mtime >= $authkey_lifetime) {
warn "auth key pair too old, rotating..\n" if !$quiet;;
return 0;
+ } elsif ($mtime > $now + $auth_graceperiod) {
+ # a nodes RTC had a time set in the future during key generation -> ticket
+ # validity is clamped to 0+5 min grace period until now >= mtime again
+ my (undef, $old_mtime) = get_pubkey(1);
+ if ($old_mtime && $mtime >= $old_mtime && $mtime - $old_mtime < $ticket_lifetime) {
+ warn "auth key pair generated in the future (key $mtime > host $now),"
+ ." but old key still exists and in valid grace period so avoid automatic"
+ ." fixup. Cluster time not in sync?\n" if !$quiet;
+ return 1;
+ }
+ warn "auth key pair generated in the future (key $mtime > host $now), rotating..\n" if !$quiet;
+ return 0;
} else {
warn "auth key new enough, skipping rotation\n" if !$quiet;;
return 1;
}
}
+sub lookup_username {
+ my ($username, $noerr) = @_;
+
+ $username =~ m!^(${PVE::Auth::Plugin::user_regex})\@(${PVE::Auth::Plugin::realm_regex})$!;
+
+ my $realm = $2;
+ my $domain_cfg = cfs_read_file("domains.cfg");
+ my $casesensitive = $domain_cfg->{ids}->{$realm}->{'case-sensitive'} // 1;
+ my $usercfg = cfs_read_file('user.cfg');
+
+ if (!$casesensitive) {
+ my @matches = grep { lc $username eq lc $_ } (keys %{$usercfg->{users}});
+
+ die "ambiguous case insensitive match of username '$username', cannot safely grant access!\n"
+ if scalar @matches > 1 && !$noerr;
+
+ return $matches[0]
+ }
+
+ return $username;
+}
+
sub normalize_path {
my $path = shift;
return $path;
}
+sub check_path {
+ my ($path) = @_;
+ return $path =~ m!^(
+ /
+ |/access
+ |/access/groups
+ |/access/realm
+ |/nodes
+ |/nodes/[[:alnum:]\.\-\_]+
+ |/pool
+ |/pool/[[:alnum:]\.\-\_]+
+ |/sdn
+ |/storage
+ |/storage/[[:alnum:]\.\-\_]+
+ |/vms
+ |/vms/[1-9][0-9]{2,}
+ )$!xs;
+}
+
PVE::JSONSchema::register_format('pve-groupid', \&verify_groupname);
sub verify_groupname {
my ($groupname, $noerr) = @_;