X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FAccessControl.pm;h=331823e3b5130aa77b01d4187fad8e920070d441;hp=6c04b47d550346d5fb938fb0da5cd697a194994b;hb=2e376c5849d8717b5d8b8f4a779ea03490625c58;hpb=845cf3a36358efeea602d66ad0ddee253cce0a97

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index 6c04b47..331823e 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -150,7 +150,7 @@ sub assemble_ticket {
 sub verify_ticket {
     my ($ticket, $noerr) = @_;
 
-    if ($ticket && $ticket =~ m/^(\S+)::([^:\s]+)$/) {
+    if ($ticket && $ticket =~ m/^(PVE:\S+)::([^:\s]+)$/) {
 	my $plain = $1;
 	my $sig = $2;
 
@@ -175,6 +175,56 @@ sub verify_ticket {
     return undef;
 }
 
+# VNC tickets
+# - they do not contain the username in plain text
+# - they are restricted to a specific resource path (example: '/vms/100')
+sub assemble_vnc_ticket {
+    my ($username, $path) = @_;
+
+    my $rsa_priv = get_privkey();
+
+    my $timestamp = sprintf("%08X", time());
+
+    my $plain = "PVEVNC:$timestamp";
+
+    $path = normalize_path($path);
+
+    my $full = "$plain:$username:$path";
+
+    my $ticket = $plain . "::" . encode_base64($rsa_priv->sign($full), '');
+
+    return $ticket;
+}
+
+sub verify_vnc_ticket {
+    my ($ticket, $username, $path, $noerr) = @_;
+
+    if ($ticket && $ticket =~ m/^(PVEVNC:\S+)::([^:\s]+)$/) {
+	my $plain = $1;
+	my $sig = $2;
+	my $full = "$plain:$username:$path";
+
+	my $rsa_pub = get_pubkey();
+	# Note: sign only match if $username and  $path is correct
+	if ($rsa_pub->verify($full, decode_base64($sig))) {
+	    if ($plain =~ m/^PVEVNC:([A-Z0-9]{8})$/) {
+		my $ttime = hex($1);
+
+		my $age = time() - $ttime;
+
+		if (($age > -20) && ($age < 40)) {
+		    return 1;
+		}
+	    }
+	}
+    }
+
+    die "permission denied - invalid vnc ticket\n" if !$noerr;
+
+    return undef;
+}
+
+
 sub authenticate_user_shadow {
     my ($userid, $password) = @_;
 
@@ -323,18 +373,32 @@ sub authenticate_user_domain {
     }
 }
 
-sub user_enabled {
-    my ($usercfg, $username) = @_;
+sub check_user_exist {
+    my ($usercfg, $username, $noerr) = @_;
 
-    $username = verify_username($username, 1);
+    $username = verify_username($username, $noerr);
     return undef if !$username;
  
-    return 1 if $usercfg && $usercfg->{users}->{$username} &&
-	$usercfg->{users}->{$username}->{enable};
+    return $usercfg->{users}->{$username} if $usercfg && $usercfg->{users}->{$username};
+
+    die "no such user ('$username')\n" if !$noerr;
+ 
+    return undef;
+}
+
+sub check_user_enabled {
+    my ($usercfg, $username, $noerr) = @_;
+
+    my $data = check_user_exist($usercfg, $username, $noerr);
+    return undef if !$data;
+
+    return 1 if $data->{enable};
 
     return 1 if $username eq 'root@pam'; # root is always enabled
 
-    return 0;
+    die "user '$username' is disabled\n" if !$noerr;
+ 
+    return undef;
 }
 
 # password should be utf8 encoded
@@ -349,9 +413,10 @@ sub authenticate_user {
 
     my $usercfg = cfs_read_file('user.cfg');
 
-    if (!user_enabled($usercfg, $username)) {
+    eval { check_user_enabled($usercfg, $username); };
+    if (my $err = $@) {
 	sleep(2);
-	die "no such user ('$username')\n";
+	die $err;
     }
 
     my $ctime = time();
@@ -475,7 +540,6 @@ my $privgroups = {
 	    'VM.Modify', 
 	    'VM.Allocate', 
 	    'VM.Migrate',
-	    'Permissions.Modify',
 	],
 	user => [
 	    'VM.Console', 
@@ -488,9 +552,10 @@ my $privgroups = {
     Sys => {
 	root => [
 	    'Sys.PowerMgmt',	 
-	    'Sys.Modify', # edit/change node settings	 
+	    'Sys.Modify', # edit/change node settings
 	],
 	admin => [
+	    'Permissions.Modify',
 	    'Sys.Console',    
 	    'Sys.Syslog',
 	],
@@ -500,11 +565,10 @@ my $privgroups = {
 	],
     },
     Datastore => {
-	root => [
+	root => [],
+	admin => [
 	    'Datastore.Allocate',
-	    'Permissions.Modify',
 	],
-	admin => [],
 	user => [
 	    'Datastore.AllocateSpace',
 	],
@@ -512,6 +576,15 @@ my $privgroups = {
 	    'Datastore.Audit',
 	],
     },
+    User => {
+	root => [],
+	admin => [
+	    'User.Modify',
+	    'User.Allocate',
+	],
+	user => [],
+	audit => [],
+    },
 };
 
 my $valid_privs = {};
@@ -586,12 +659,14 @@ sub add_role_privs {
 sub normalize_path {
     my $path = shift;
 
-    $path =~ s|/+|/|;
+    $path =~ s|/+|/|g;
 
     $path =~ s|/$||;
 
     $path = '/' if !$path;
 
+    $path = "/$path" if $path !~ m|^/|;
+
     return undef if $path !~ m|^[[:alnum:]\-\_\/]+$|;
 
     return $path;
@@ -839,6 +914,44 @@ sub parse_user_config {
 	    } else {
 		warn "user config - ignore invalid path in acl '$pathtxt'\n";
 	    }
+	} elsif ($et eq 'pool') {
+	    my ($pathtxt, $comment, $vmlist, $storelist) = @data;
+
+	    if (my $path = normalize_path($pathtxt)) {
+		# make sure to add the pool (even if there are no members)
+		$cfg->{pools}->{$path} = { vms => {}, storage => {} } if !$cfg->{pools}->{$path};
+
+		$cfg->{pools}->{$path}->{comment} = PVE::Tools::decode_text($comment) if $comment;
+
+		foreach my $vmid (split_list($vmlist)) {
+		    if ($vmid !~ m/^\d+$/) {
+			warn "user config - ignore invalid vmid '$vmid' in pool '$path'\n";
+			next;
+		    }
+		    $vmid = int($vmid);
+
+		    if ($cfg->{vms}->{$vmid}) {
+			warn "user config - ignore duplicate vmid '$vmid' in pool '$path'\n";
+			next;
+		    }
+
+		    $cfg->{pools}->{$path}->{vms}->{$vmid} = 1;
+		    
+		    # record vmid ==> pool relation
+		    $cfg->{vms}->{$vmid} = $path;
+		}
+
+		foreach my $storeid (split_list($storelist)) {
+		    if ($storeid !~ m/^[a-z][a-z0-9\-\_\.]*[a-z0-9]$/i) {
+			warn "user config - ignore invalid storage '$storeid' in pool '$path'\n";
+			next;
+		    }
+		    $cfg->{pools}->{$path}->{storage}->{$storeid} = 1;
+		}
+
+	    } else {
+		warn "user config - ignore invalid path in pool'$pathtxt'\n";
+	    }
 	} else {
 	    warn "user config - ignore config line: $line\n";
 	}
@@ -1040,8 +1153,6 @@ sub write_user_config {
     my $data = '';
 
     foreach my $user (keys %{$cfg->{users}}) {
-	next if $user eq 'root@pam';
-
 	my $d = $cfg->{users}->{$user};
 	my $firstname = $d->{firstname} ? PVE::Tools::encode_text($d->{firstname}) : '';
 	my $lastname = $d->{lastname} ? PVE::Tools::encode_text($d->{lastname}) : '';
@@ -1063,6 +1174,16 @@ sub write_user_config {
 
     $data .= "\n";
 
+    foreach my $path (keys %{$cfg->{pools}}) {
+	my $d = $cfg->{pools}->{$path};
+	my $vmlist = join (',', keys %{$d->{vms}});
+	my $storelist = join (',', keys %{$d->{storage}});
+	my $comment = $d->{comment} ? PVE::Tools::encode_text($d->{comment}) : '';	
+	$data .= "pool:$path:$comment:$vmlist:$storelist:\n";
+    }
+
+    $data .= "\n";
+
     foreach my $role (keys %{$cfg->{roles}}) {
 	next if $special_roles->{$role};
 
@@ -1131,6 +1252,9 @@ sub write_user_config {
 sub roles {
     my ($cfg, $user, $path) = @_;
 
+    # NOTE: we do not consider pools here. 
+    # You need to use $rpcenv->roles() instead if you want that.
+
     return 'Administrator' if $user eq 'root@pam'; # root can do anything
 
     my $perm = {};
@@ -1179,18 +1303,14 @@ sub roles {
 	    $perm = $new; # overwrite previous settings
 	    next;
 	}
-
-	#die "what herea?";
     }
 
-    my $res = {};
-    if (!defined ($perm->{NoAccess})) {
-	$res = $perm; 
-    }
+    return ('NoAccess') if defined ($perm->{NoAccess});
+    #return () if defined ($perm->{NoAccess});
    
     #print "permission $user $path = " . Dumper ($perm);
 
-    my @ra = keys %$res;
+    my @ra = keys %$perm;
 
     #print "roles $user $path = " . join (',', @ra) . "\n";