X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FAPI2%2FAccessControl.pm;h=f01180d138863ee50c21c25bf5f32b9868efb00b;hp=58d93dd4fe9997462db7078b3aa5b7243e8df1d7;hb=96f8ebd62506bc7126d58400004101ef6a13ca71;hpb=82b63965ebbeb41d16a76051018992144eda0a6a diff --git a/PVE/API2/AccessControl.pm b/PVE/API2/AccessControl.pm index 58d93dd..f01180d 100644 --- a/PVE/API2/AccessControl.pm +++ b/PVE/API2/AccessControl.pm @@ -15,7 +15,6 @@ use PVE::API2::User; use PVE::API2::Group; use PVE::API2::Role; use PVE::API2::ACL; -use PVE::API2::Pool; use base qw(PVE::RESTHandler); @@ -44,11 +43,6 @@ __PACKAGE__->register_method ({ path => 'domains', }); -__PACKAGE__->register_method ({ - subclass => "PVE::API2::Pool", - path => 'pools', -}); - __PACKAGE__->register_method ({ name => 'index', path => '', @@ -94,7 +88,7 @@ __PACKAGE__->register_method ({ my $verify_auth = sub { - my ($rpcenv, $username, $pw_or_ticket, $path, $privs) = @_; + my ($rpcenv, $username, $pw_or_ticket, $otp, $path, $privs) = @_; my $normpath = PVE::AccessControl::normalize_path($path); @@ -105,7 +99,7 @@ my $verify_auth = sub { } elsif (PVE::AccessControl::verify_vnc_ticket($pw_or_ticket, $username, $normpath, 1)) { # valid vnc ticket } else { - $username = PVE::AccessControl::authenticate_user($username, $pw_or_ticket); + $username = PVE::AccessControl::authenticate_user($username, $pw_or_ticket, $otp); } my $privlist = [ PVE::Tools::split_list($privs) ]; @@ -117,14 +111,14 @@ my $verify_auth = sub { }; my $create_ticket = sub { - my ($rpcenv, $username, $pw_or_ticket) = @_; + my ($rpcenv, $username, $pw_or_ticket, $otp) = @_; my $ticketuser; if (($ticketuser = PVE::AccessControl::verify_ticket($pw_or_ticket, 1)) && ($ticketuser eq 'root@pam' || $ticketuser eq $username)) { # valid ticket. Note: root@pam can create tickets for other users } else { - $username = PVE::AccessControl::authenticate_user($username, $pw_or_ticket); + $username = PVE::AccessControl::authenticate_user($username, $pw_or_ticket, $otp); } my $ticket = PVE::AccessControl::assemble_ticket($username); @@ -137,6 +131,93 @@ my $create_ticket = sub { }; }; +my $compute_api_permission = sub { + my ($rpcenv, $authuser) = @_; + + my $usercfg = $rpcenv->{user_cfg}; + + my $nodelist = PVE::Cluster::get_nodelist(); + my $vmlist = PVE::Cluster::get_vmlist() || {}; + my $idlist = $vmlist->{ids} || {}; + + my $cfg = PVE::Storage::config(); + my @sids = PVE::Storage::storage_ids ($cfg); + + my $res = { + vms => {}, + storage => {}, + access => {}, + nodes => {}, + dc => {}, + }; + + my $extract_vm_caps = sub { + my ($path) = @_; + + my $perm = $rpcenv->permissions($authuser, $path); + foreach my $priv (keys %$perm) { + next if !($priv eq 'Permissions.Modify' || $priv =~ m/^VM\./); + $res->{vms}->{$priv} = 1; + } + }; + + foreach my $pool (keys %{$usercfg->{pools}}) { + &$extract_vm_caps("/pool/$pool"); + } + + foreach my $vmid (keys %$idlist, '__phantom__') { + &$extract_vm_caps("/vms/$vmid"); + } + + foreach my $storeid (@sids, '__phantom__') { + my $perm = $rpcenv->permissions($authuser, "/storage/$storeid"); + foreach my $priv (keys %$perm) { + next if !($priv eq 'Permissions.Modify' || $priv =~ m/^Datastore\./); + $res->{storage}->{$priv} = 1; + } + } + + foreach my $path (('/access/groups')) { + my $perm = $rpcenv->permissions($authuser, $path); + foreach my $priv (keys %$perm) { + next if $priv !~ m/^(User|Group)\./; + $res->{access}->{$priv} = 1; + } + } + + foreach my $group (keys %{$usercfg->{users}->{$authuser}->{groups}}, '__phantom__') { + my $perm = $rpcenv->permissions($authuser, "/access/groups/$group"); + if ($perm->{'User.Modify'}) { + $res->{access}->{'User.Modify'} = 1; + } + } + + foreach my $node (@$nodelist) { + my $perm = $rpcenv->permissions($authuser, "/nodes/$node"); + foreach my $priv (keys %$perm) { + next if $priv !~ m/^Sys\./; + $res->{nodes}->{$priv} = 1; + } + } + + my $perm = $rpcenv->permissions($authuser, "/"); + $res->{dc}->{'Sys.Audit'} = 1 if $perm->{'Sys.Audit'}; + + return $res; +}; + +__PACKAGE__->register_method ({ + name => 'get_ticket', + path => 'ticket', + method => 'GET', + permissions => { user => 'world' }, + description => "Dummy. Useful for formaters which want to priovde a login page.", + parameters => { + additionalProperties => 0, + }, + returns => { type => "null" }, + code => sub { return undef; }}); + __PACKAGE__->register_method ({ name => 'create_ticket', path => 'ticket', @@ -162,6 +243,11 @@ __PACKAGE__->register_method ({ description => "The secret password. This can also be a valid ticket.", type => 'string', }, + otp => { + description => "One-time password for Two-factor authentication.", + type => 'string', + optional => 1, + }, path => { description => "Verify ticket, and check if user have access 'privs' on 'path'", type => 'string', @@ -195,24 +281,26 @@ __PACKAGE__->register_method ({ my $rpcenv = PVE::RPCEnvironment::get(); my $res; - eval { # test if user exists and is enabled $rpcenv->check_user_enabled($username); if ($param->{path} && $param->{privs}) { - $res = &$verify_auth($rpcenv, $username, $param->{password}, + $res = &$verify_auth($rpcenv, $username, $param->{password}, $param->{otp}, $param->{path}, $param->{privs}); } else { - $res = &$create_ticket($rpcenv, $username, $param->{password}); + $res = &$create_ticket($rpcenv, $username, $param->{password}, $param->{otp}); } }; if (my $err = $@) { my $clientip = $rpcenv->get_client_ip() || ''; syslog('err', "authentication failure; rhost=$clientip user=$username msg=$err"); - die $err; + # do not return any info to prevent user enumeration attacks + die PVE::Exception->new("authentication failure\n", code => 401); } + $res->{cap} = &$compute_api_permission($rpcenv, $username); + PVE::Cluster::log_msg('info', 'root@pam', "successful auth for user '$username'"); return $res; @@ -266,6 +354,8 @@ __PACKAGE__->register_method ({ } else { # only root may change root password raise_perm_exc() if $userid eq 'root@pam'; + # do not allow to change system user passwords + raise_perm_exc() if $realm eq 'pam'; } }