tfa: pass whole webauthn config to 'set_webauthn_config'

[pve-access-control.git] / src / PVE / AccessControl.pm

diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index d0dbabc71772ecc51d91cce34271ec7866253893..c32dcc303fabc2498ae0cdfc16c4759962213690 100644 (file)
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -203,7 +203,16 @@ sub rotate_authkey {
     return if $authkey_lifetime == 0;
 
     PVE::Cluster::cfs_lock_authkey(undef, sub {
-       # re-check with lock to avoid double rotation in clusters
+       # stat() calls might be answered from the kernel page cache for up to
+       # 1s, so this special dance is needed to avoid a double rotation in
+       # clusters *despite* the cfs_lock context..
+
+       # drop in-process cache hash
+       $pve_auth_key_cache = {};
+       # force open/close of file to invalidate page cache entry
+       get_pubkey();
+       # now re-check with lock held and page cache invalidated so that stat()
+       # does the right thing, and any key updates by other nodes are visible.
        return if check_authkey();
 
        my $old = get_pubkey();
@@ -498,6 +507,8 @@ my $assemble_short_lived_ticket = sub {
 
     $path = normalize_path($path);
 
+    die "invalid ticket path\n" if !defined($path);
+
     my $secret_data = "$username:$path";
 
     return PVE::Ticket::assemble_rsa_ticket(
@@ -509,6 +520,8 @@ my $verify_short_lived_ticket = sub {
 
     $path = normalize_path($path);
 
+    die "invalid ticket path\n" if !defined($path);
+
     my $secret_data = "$username:$path";
 
     my ($rsa_pub, $rsa_mtime) = get_pubkey();
@@ -590,7 +603,7 @@ sub read_x509_subject_spice {
     my $subject = Net::SSLeay::X509_NAME_oneline($nameobj);
     Net::SSLeay::X509_free($x509);
 
-    # remote-viewer wants comma as seperator (not '/')
+    # remote-viewer wants comma as separator (not '/')
     $subject =~ s!^/!!;
     $subject =~ s!/(\w+=)!,$1!g;
 
@@ -908,13 +921,8 @@ sub configure_u2f_and_wa : prototype($) {
        warn "u2f unavailable, configuration error: $@\n" if $@;
     }
     if (my $wa = $dc->{webauthn}) {
-       eval {
-           $tfa_cfg->set_webauthn_config({
-               origin => $wa->{origin} // $get_origin->(),
-               rp => $wa->{rp},
-               id => $wa->{id},
-           });
-       };
+       $wa->{origin} //= $get_origin->();
+       eval { $tfa_cfg->set_webauthn_config({%$wa}) };
        warn "webauthn unavailable, configuration error: $@\n" if $@;
     }
 }
@@ -1166,6 +1174,8 @@ sub lookup_username {
 sub normalize_path {
     my $path = shift;
 
+    return undef if !$path;
+
     $path =~ s|/+|/|g;
 
     $path =~ s|/$||;
@@ -1641,6 +1651,12 @@ sub roles {
 
     return 'Administrator' if $user eq 'root@pam'; # root can do anything
 
+    if (!defined($path)) {
+       # this shouldn't happen!
+       warn "internal error: ACL check called for undefined ACL path!\n";
+       return {};
+    }
+
     if (pve_verify_tokenid($user, 1)) {
        my $tokenid = $user;
        my ($username, $token) = split_tokenid($tokenid);