use PVE::JSONSchema qw(get_standard_option);
use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_lock_file);
-use Data::Dumper;
-
use base qw(PVE::SectionConfig);
my $domainconfigfile = "domains.cfg";
-cfs_register_file($domainconfigfile,
+cfs_register_file($domainconfigfile,
sub { __PACKAGE__->parse_config(@_); },
sub { __PACKAGE__->write_config(@_); });
PVE::JSONSchema::register_format('pve-realm', \&pve_verify_realm);
sub pve_verify_realm {
my ($realm, $noerr) = @_;
-
+
if ($realm !~ m/^${realm_regex}$/) {
return undef if $noerr;
- die "value does not look like a valid realm\n";
+ die "value does not look like a valid realm\n";
}
return $realm;
}
}
# we only allow a limited set of characters
- # colon is not allowed, because we store usernames in
+ # colon is not allowed, because we store usernames in
# colon separated lists)!
# slash is not allowed because it is used as pve API delimiter
- # also see "man useradd"
+ # also see "man useradd"
if ($username =~ m!^([^\s:/]+)\@(${realm_regex})$!) {
return wantarray ? ($username, $1, $2) : $username;
}
maxLength => 64,
});
-sub encrypt_pw {
- my ($pw) = @_;
+my $tfa_format = {
+ type => {
+ description => "The type of 2nd factor authentication.",
+ format_description => 'TFATYPE',
+ type => 'string',
+ enum => [qw(yubico oath)],
+ },
+ id => {
+ description => "Yubico API ID.",
+ format_description => 'ID',
+ type => 'string',
+ optional => 1,
+ },
+ key => {
+ description => "Yubico API Key.",
+ format_description => 'KEY',
+ type => 'string',
+ optional => 1,
+ },
+ url => {
+ description => "Yubico API URL.",
+ format_description => 'URL',
+ type => 'string',
+ optional => 1,
+ },
+ digits => {
+ description => "TOTP digits.",
+ format_description => 'COUNT',
+ type => 'integer',
+ minimum => 6, maximum => 8,
+ default => 6,
+ optional => 1,
+ },
+ step => {
+ description => "TOTP time period.",
+ format_description => 'SECONDS',
+ type => 'integer',
+ minimum => 10,
+ default => 30,
+ optional => 1,
+ },
+};
+
+PVE::JSONSchema::register_format('pve-tfa-config', $tfa_format);
+
+PVE::JSONSchema::register_standard_option('tfa', {
+ description => "Use Two-factor authentication.",
+ type => 'string', format => 'pve-tfa-config',
+ optional => 1,
+ maxLength => 128,
+});
- my $time = substr(Digest::SHA::sha1_base64 (time), 0, 8);
- return crypt(encode("utf8", $pw), "\$5\$$time\$");
+sub parse_tfa_config {
+ my ($data) = @_;
+
+ return PVE::JSONSchema::parse_property_string($tfa_format, $data);
}
my $defaultData = {
# add default domains
- $cfg->{ids}->{pve} = {
- type => 'pve',
- comment => "Proxmox VE authentication server",
- };
+ $cfg->{ids}->{pve}->{type} = 'pve'; # force type
+ $cfg->{ids}->{pve}->{comment} = "Proxmox VE authentication server"
+ if !$cfg->{ids}->{pve}->{comment};
- $cfg->{ids}->{pam} = {
- type => 'pam',
- plugin => 'PVE::Auth::PAM',
- comment => "Linux PAM standard authentication",
- };
+ $cfg->{ids}->{pam}->{type} = 'pam'; # force type
+ $cfg->{ids}->{pam}->{plugin} = 'PVE::Auth::PAM';
+ $cfg->{ids}->{pam}->{comment} = "Linux PAM standard authentication"
+ if !$cfg->{ids}->{pam}->{comment};
return $cfg;
};
sub write_config {
my ($class, $filename, $cfg) = @_;
- delete $cfg->{ids}->{pve};
- delete $cfg->{ids}->{pam};
-
foreach my $realm (keys %{$cfg->{ids}}) {
my $data = $cfg->{ids}->{$realm};
if ($data->{comment}) {
$data->{comment} = PVE::Tools::encode_text($data->{comment});
}
}
-
+
$class->SUPER::write_config($filename, $cfg);
}
projects / pve-access-control.git / blobdiff