return if $authkey_lifetime == 0;
PVE::Cluster::cfs_lock_authkey(undef, sub {
- # re-check with lock to avoid double rotation in clusters
+ # stat() calls might be answered from the kernel page cache for up to
+ # 1s, so this special dance is needed to avoid a double rotation in
+ # clusters *despite* the cfs_lock context..
+
+ # drop in-process cache hash
+ $pve_auth_key_cache = {};
+ # force open/close of file to invalidate page cache entry
+ get_pubkey();
+ # now re-check with lock held and page cache invalidated so that stat()
+ # does the right thing, and any key updates by other nodes are visible.
return if check_authkey();
my $old = get_pubkey();
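Review bot: The bare `get_pubkey();` call under "force open/close of file" is used only for its side effect, and it invalidates the page cache only while get_pubkey() really re-opens the key file whenever `$pve_auth_key_cache` is empty; nothing in the hunk pins that behaviour. A later change that adds another cache layer or a stat()-based shortcut inside get_pubkey() would silently bring the double rotation back. I would record the dependency on get_pubkey() itself, for example `# NOTE: the key rotation path relies on this re-opening the file when the cache hash is empty`. If get_pubkey() can die at this point (for instance when the key file is missing, which is not visible here), the exception now fires before `check_authkey()` runs, so it is worth confirming that this is intended. The enclosing function starts and ends outside the hunk.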
$path = normalize_path($path);
+ die "invalid ticket path\n" if !defined($path);
+
my $secret_data = "$username:$path";
return PVE::Ticket::assemble_rsa_ticket(
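Review bot: The new `die "invalid ticket path\n" if !defined($path);` guard carries no comment saying why an undefined path must be fatal, and the reason is security-relevant: without it `"$username:$path"` collapses to `"$username:"`, so the ticket is bound to the user alone and not to a resource. I would add `# an undefined path would bind the ticket to "$username:" only, i.e. to no specific resource` above the guard here and above the identical guard in the verification hunk that follows. In that verification hunk the die is raised before `get_pubkey()` is consulted; if the verifier offers callers a non-throwing mode (not visible in the hunk), this check bypasses it and those callers would see an exception instead of a failed verification. Both functions start and end outside their hunks.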
$path = normalize_path($path);
+ die "invalid ticket path\n" if !defined($path);
+
my $secret_data = "$username:$path";
my ($rsa_pub, $rsa_mtime) = get_pubkey();
my $subject = Net::SSLeay::X509_NAME_oneline($nameobj);
Net::SSLeay::X509_free($x509);
- # remote-viewer wants comma as seperator (not '/')
+ # remote-viewer wants comma as separator (not '/')
$subject =~ s!^/!!;
$subject =~ s!/(\w+=)!,$1!g;
warn "u2f unavailable, configuration error: $@\n" if $@;
}
if (my $wa = $dc->{webauthn}) {
- eval {
- $tfa_cfg->set_webauthn_config({
- origin => $wa->{origin} // $get_origin->(),
- rp => $wa->{rp},
- id => $wa->{id},
- });
- };
+ $wa->{origin} //= $get_origin->();
+ eval { $tfa_cfg->set_webauthn_config({%$wa}) };
warn "webauthn unavailable, configuration error: $@\n" if $@;
}
}
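Review bot: `$wa->{origin} //= $get_origin->();` now runs outside the `eval`, so a failure in `$get_origin->()` is no longer downgraded to the "webauthn unavailable" warning and instead propagates to the caller. The same line also writes the computed origin back into `$dc->{webauthn}`; if `$dc` is a shared or cached config object (not visible here), that derived value leaks into later readers. Both can be avoided with `eval { $tfa_cfg->set_webauthn_config({ %$wa, origin => $wa->{origin} // $get_origin->() }) };`. Note also that `{%$wa}` forwards every key of the webauthn section rather than the previous `origin`/`rp`/`id` set, so it is worth confirming that set_webauthn_config rejects or ignores unknown keys.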
sub normalize_path {
my $path = shift;
+ return undef if !$path;
+
$path =~ s|/+|/|g;
$path =~ s|/$||;
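Review bot: `return undef if !$path;` changes the contract of normalize_path for every caller, not only the ticket and ACL call sites touched in this diff: any other caller that interpolates or compares the result now receives undef where it used to receive a string. The test is also wider than "undefined", since `!$path` is true for `''` and `'0'` as well, while the new call-site guards check `!defined($path)`. I would document that on the function, for example `# returns undef for undef, '' and '0'; callers must check the result with defined()`, and audit the remaining callers for the undef case. The function body continues outside the hunk.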
return 'Administrator' if $user eq 'root@pam'; # root can do anything
+ if (!defined($path)) {
+ # this shouldn't happen!
+ warn "internal error: ACL check called for undefined ACL path!\n";
+ return {};
+ }
+
if (pve_verify_tokenid($user, 1)) {
my $tokenid = $user;
my ($username, $token) = split_tokenid($tokenid);