X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FAccessControl.pm;h=310a3f1dedf76d68790207ea98337beac6f71c4a;hp=b06ca3b2dfe7bfa87db6998d27df58852dd87845;hb=12683df7c4ee7dd10257a35189998ebe2bde5597;hpb=7070c1aee526ad755c7afeb632e28f2f29e27d2b

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index b06ca3b..310a3f1 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -150,7 +150,7 @@ sub assemble_ticket {
 sub verify_ticket {
     my ($ticket, $noerr) = @_;
 
-    if ($ticket && $ticket =~ m/^(\S+)::([^:\s]+)$/) {
+    if ($ticket && $ticket =~ m/^(PVE:\S+)::([^:\s]+)$/) {
 	my $plain = $1;
 	my $sig = $2;
 
@@ -175,6 +175,56 @@ sub verify_ticket {
     return undef;
 }
 
+# VNC tickets
+# - they do not contain the username in plain text
+# - they are restricted to a specific resource path (example: '/vms/100')
+sub assemble_vnc_ticket {
+    my ($username, $path) = @_;
+
+    my $rsa_priv = get_privkey();
+
+    my $timestamp = sprintf("%08X", time());
+
+    my $plain = "PVEVNC:$timestamp";
+
+    $path = normalize_path($path);
+
+    my $full = "$plain:$username:$path";
+
+    my $ticket = $plain . "::" . encode_base64($rsa_priv->sign($full), '');
+
+    return $ticket;
+}
+
+sub verify_vnc_ticket {
+    my ($ticket, $username, $path, $noerr) = @_;
+
+    if ($ticket && $ticket =~ m/^(PVEVNC:\S+)::([^:\s]+)$/) {
+	my $plain = $1;
+	my $sig = $2;
+	my $full = "$plain:$username:$path";
+
+	my $rsa_pub = get_pubkey();
+	# Note: sign only match if $username and  $path is correct
+	if ($rsa_pub->verify($full, decode_base64($sig))) {
+	    if ($plain =~ m/^PVEVNC:([A-Z0-9]{8})$/) {
+		my $ttime = hex($1);
+
+		my $age = time() - $ttime;
+
+		if (($age > -20) && ($age < 40)) {
+		    return 1;
+		}
+	    }
+	}
+    }
+
+    die "permission denied - invalid vnc ticket\n" if !$noerr;
+
+    return undef;
+}
+
+
 sub authenticate_user_shadow {
     my ($userid, $password) = @_;
 
@@ -323,18 +373,30 @@ sub authenticate_user_domain {
     }
 }
 
-sub check_user_enabled {
+sub check_user_exist {
     my ($usercfg, $username, $noerr) = @_;
 
     $username = verify_username($username, $noerr);
     return undef if !$username;
  
-    return 1 if $usercfg && $usercfg->{users}->{$username} &&
-	$usercfg->{users}->{$username}->{enable};
+    return $usercfg->{users}->{$username} if $usercfg && $usercfg->{users}->{$username};
+
+    die "no such user ('$username')\n" if !$noerr;
+ 
+    return undef;
+}
+
+sub check_user_enabled {
+    my ($usercfg, $username, $noerr) = @_;
+
+    my $data = check_user_exist($usercfg, $username, $noerr);
+    return undef if !$data;
+
+    return 1 if $data->{enable};
 
     return 1 if $username eq 'root@pam'; # root is always enabled
 
-    die "no such user ('$username')\n" if !$noerr;
+    die "user '$username' is disabled\n" if !$noerr;
  
     return undef;
 }
@@ -491,7 +553,7 @@ my $privgroups = {
     Sys => {
 	root => [
 	    'Sys.PowerMgmt',	 
-	    'Sys.Modify', # edit/change node settings	 
+	    'Sys.Modify', # edit/change node settings
 	],
 	admin => [
 	    'Sys.Console',    
@@ -515,6 +577,18 @@ my $privgroups = {
 	    'Datastore.Audit',
 	],
     },
+    User => {
+	root => [
+
+	    ],
+	admin => [
+	    'User.Modify',
+	    'User.Add',
+	    'User.Delete',
+	    ],
+	user => [],
+	audit => [],
+    },
 };
 
 my $valid_privs = {};