move/rename root_permission_check to RPCEnvironment

[pve-access-control.git] / src / PVE / RPCEnvironment.pm

diff --git a/src/PVE/RPCEnvironment.pm b/src/PVE/RPCEnvironment.pm
index 646a9b93d18c2c8a4451905319cc3130590e08bd..db33cbb26ecd1c33adf2a978c2a9488e00ec0d21 100644 (file)
--- a/src/PVE/RPCEnvironment.pm
+++ b/src/PVE/RPCEnvironment.pm
@@ -5,7 +5,7 @@ use warnings;
 
 use PVE::AccessControl;
 use PVE::Cluster;
-use PVE::Exception qw(raise raise_perm_exc);
+use PVE::Exception qw(raise raise_param_exc raise_perm_exc);
 use PVE::INotify;
 use PVE::ProcFSTools;
 use PVE::RESTEnvironment;
@@ -637,4 +637,34 @@ sub is_worker {
     return PVE::RESTEnvironment->is_worker();
 }
 
+# Only root may modify root, regular users need to specify their password.
+#
+# Returns the userid returned from `verify_username`.
+# Or ($userid, $realm) in list context.
+sub reauth_user_for_user_modification : prototype($$$$) {
+    my ($rpcenv, $authuser, $userid, $password) = @_;
+
+    ($userid, undef, my $realm) = PVE::AccessControl::verify_username($userid);
+    $rpcenv->check_user_exist($userid);
+
+    raise_perm_exc() if $userid eq 'root@pam' && $authuser ne 'root@pam';
+
+    # Regular users need to confirm their password to change TFA settings.
+    if ($authuser ne 'root@pam') {
+       raise_param_exc({ 'password' => 'password is required to modify TFA data' })
+           if !defined($password);
+
+       ($authuser, my $auth_username, my $auth_realm) =
+           PVE::AccessControl::verify_username($authuser);
+
+       my $domain_cfg = PVE::Cluster::cfs_read_file('domains.cfg');
+       my $cfg = $domain_cfg->{ids}->{$auth_realm};
+       die "auth domain '$auth_realm' does not exist\n" if !$cfg;
+       my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
+       $plugin->authenticate_user($cfg, $auth_realm, $auth_username, $password);
+    }
+
+    return wantarray ? ($userid, $realm) : $userid;
+}
+
 1;