use strict;
use warnings;
-use Encode;
+
use Digest::SHA;
-use PVE::Tools;
-use PVE::SectionConfig;
-use PVE::JSONSchema qw(get_standard_option);
+use Encode;
+
use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_lock_file);
+use PVE::JSONSchema qw(get_standard_option);
+use PVE::SectionConfig;
+use PVE::Tools;
use base qw(PVE::SectionConfig);
my $domainconfigfile = "domains.cfg";
-cfs_register_file($domainconfigfile,
+cfs_register_file($domainconfigfile,
sub { __PACKAGE__->parse_config(@_); },
sub { __PACKAGE__->write_config(@_); });
}
}
-my $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/;
+our $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/;
+our $user_regex = qr![^\s:/]+!;
PVE::JSONSchema::register_format('pve-realm', \&pve_verify_realm);
sub pve_verify_realm {
my ($realm, $noerr) = @_;
-
+
if ($realm !~ m/^${realm_regex}$/) {
return undef if $noerr;
- die "value does not look like a valid realm\n";
+ die "value does not look like a valid realm\n";
}
return $realm;
}
maxLength => 32,
});
+my $realm_sync_options_desc = {
+ scope => {
+ description => "Select what to sync.",
+ type => 'string',
+ enum => [qw(users groups both)],
+ optional => '1',
+ },
+ full => {
+ description => "If set, uses the LDAP Directory as source of truth,"
+ ." deleting users or groups not returned from the sync. Otherwise"
+ ." only syncs information which is not already present, and does not"
+ ." deletes or modifies anything else.",
+ type => 'boolean',
+ optional => '1',
+ },
+ 'enable-new' => {
+ description => "Enable newly synced users immediately.",
+ type => 'boolean',
+ default => '1',
+ optional => '1',
+ },
+ purge => {
+ description => "Remove ACLs for users or groups which were removed from"
+ ." the config during a sync.",
+ type => 'boolean',
+ optional => '1',
+ },
+};
+PVE::JSONSchema::register_standard_option('realm-sync-options', $realm_sync_options_desc);
+PVE::JSONSchema::register_format('realm-sync-options', $realm_sync_options_desc);
+
PVE::JSONSchema::register_format('pve-userid', \&verify_username);
sub verify_username {
my ($username, $noerr) = @_;
}
# we only allow a limited set of characters
- # colon is not allowed, because we store usernames in
+ # colon is not allowed, because we store usernames in
# colon separated lists)!
# slash is not allowed because it is used as pve API delimiter
- # also see "man useradd"
- if ($username =~ m!^([^\s:/]+)\@(${realm_regex})$!) {
+ # also see "man useradd"
+ if ($username =~ m!^(${user_regex})\@(${realm_regex})$!) {
return wantarray ? ($username, $1, $2) : $username;
}
maxLength => 64,
});
-PVE::JSONSchema::register_format('pve-tfa-config', \&verify_tfa_config);
-sub verify_tfa_config {
- my ($value, $noerr) = @_;
-
- return $value if parse_tfa_config($value);
-
- return undef if $noerr;
+my $tfa_format = {
+ type => {
+ description => "The type of 2nd factor authentication.",
+ format_description => 'TFATYPE',
+ type => 'string',
+ enum => [qw(yubico oath)],
+ },
+ id => {
+ description => "Yubico API ID.",
+ format_description => 'ID',
+ type => 'string',
+ optional => 1,
+ },
+ key => {
+ description => "Yubico API Key.",
+ format_description => 'KEY',
+ type => 'string',
+ optional => 1,
+ },
+ url => {
+ description => "Yubico API URL.",
+ format_description => 'URL',
+ type => 'string',
+ optional => 1,
+ },
+ digits => {
+ description => "TOTP digits.",
+ format_description => 'COUNT',
+ type => 'integer',
+ minimum => 6, maximum => 8,
+ default => 6,
+ optional => 1,
+ },
+ step => {
+ description => "TOTP time period.",
+ format_description => 'SECONDS',
+ type => 'integer',
+ minimum => 10,
+ default => 30,
+ optional => 1,
+ },
+};
- die "unable to parse tfa option\n";
-}
+PVE::JSONSchema::register_format('pve-tfa-config', $tfa_format);
PVE::JSONSchema::register_standard_option('tfa', {
description => "Use Two-factor authentication.",
sub parse_tfa_config {
my ($data) = @_;
- my $res = {};
-
- foreach my $kvp (split(/,/, $data)) {
-
- if ($kvp =~ m/^type=(yubico|oath)$/) {
- $res->{type} = $1;
- } elsif ($kvp =~ m/^id=(\S+)$/) {
- $res->{id} = $1;
- } elsif ($kvp =~ m/^key=(\S+)$/) {
- $res->{key} = $1;
- } elsif ($kvp =~ m/^url=(\S+)$/) {
- $res->{url} = $1;
- } elsif ($kvp =~ m/^digits=([6|7|8])$/) {
- $res->{digits} = $1;
- } elsif ($kvp =~ m/^step=([1-9]\d+)$/) {
- $res->{step} = $1;
- } else {
- return undef;
- }
- }
-
- return undef if !$res->{type};
-
- return $res;
+ return PVE::JSONSchema::parse_property_string($tfa_format, $data);
}
my $defaultData = {
$data->{comment} = PVE::Tools::encode_text($data->{comment});
}
}
-
+
$class->SUPER::write_config($filename, $cfg);
}
# do nothing by default
}
+# called during addition of realm (before the new domain config got written)
+# `password` is moved to %param to avoid writing it out to the config
+# die to abort additon if there are (grave) problems
+# NOTE: runs in a domain config *locked* context
+sub on_add_hook {
+ my ($class, $realm, $config, %param) = @_;
+ # do nothing by default
+}
+
+# called during domain configuration update (before the updated domain config got
+# written). `password` is moved to %param to avoid writing it out to the config
+# die to abort the update if there are (grave) problems
+# NOTE: runs in a domain config *locked* context
+sub on_update_hook {
+ my ($class, $realm, $config, %param) = @_;
+ # do nothing by default
+}
+
+# called during deletion of realms (before the new domain config got written)
+# and if the activate check on addition fails, to cleanup all storage traces
+# which on_add_hook may have created.
+# die to abort deletion if there are (very grave) problems
+# NOTE: runs in a storage config *locked* context
+sub on_delete_hook {
+ my ($class, $realm, $config) = @_;
+ # do nothing by default
+}
+
1;
projects / pve-access-control.git / blobdiff