API token: add (shadow) TokenConfig

with the format:

<full token ID> <token value/UUID>

it is just used for token value generation/deletion via the User API,
token value verification will happen over pmxcfs/ipcc.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

diff --git a/PVE/Makefile b/PVE/Makefile
index 410d9d8575981ca8953e1ad1746ce59d3ee32bc2..c839d8f3f225dff14da76f324284dbba3bc0e073 100644 (file)
--- a/PVE/Makefile
+++ b/PVE/Makefile
@@ -5,5 +5,6 @@ install:
        make -C Auth install
        install -D -m 0644 AccessControl.pm ${DESTDIR}${PERLDIR}/PVE/AccessControl.pm
        install -D -m 0644 RPCEnvironment.pm ${DESTDIR}${PERLDIR}/PVE/RPCEnvironment.pm
+       install -D -m 0644 TokenConfig.pm ${DESTDIR}${PERLDIR}/PVE/TokenConfig.pm
        make -C API2 install
        make -C CLI install

diff --git a/PVE/TokenConfig.pm b/PVE/TokenConfig.pm
new file mode 100644 (file)
index 0000000..94d87e5
--- /dev/null
+++ b/PVE/TokenConfig.pm
@@ -0,0 +1,79 @@
+package PVE::TokenConfig;
+
+use strict;
+use warnings;
+
+use UUID;
+
+use PVE::AccessControl;
+use PVE::Cluster;
+
+my $parse_token_cfg = sub {
+    my ($filename, $raw) = @_;
+
+    my $parsed = {};
+    my @lines = split(/\n/, $raw);
+
+    foreach my $line (@lines) {
+       next if $line =~ m/^\s*$/;
+
+       if ($line =~ m/^(\S+) (\S+)$/) {
+           if (PVE::AccessControl::pve_verify_tokenid($1, 1)) {
+               $parsed->{$1} = $2;
+               next;
+           }
+       }
+
+       warn "skipping invalid token.cfg entry\n";
+    }
+
+    return $parsed;
+};
+
+my $write_token_cfg = sub {
+    my ($filename, $data) = @_;
+
+    my $raw = '';
+    foreach my $tokenid (sort keys %$data) {
+       $raw .= "$tokenid $data->{$tokenid}\n";
+    }
+
+    return $raw;
+};
+
+PVE::Cluster::cfs_register_file('priv/token.cfg', $parse_token_cfg, $write_token_cfg);
+
+sub generate_token {
+    my ($tokenid) = @_;
+
+    PVE::AccessControl::pve_verify_tokenid($tokenid);
+
+    my $token_value = PVE::Cluster::cfs_lock_file('priv/token.cfg', 10, sub {
+       my $uuid = UUID::uuid();
+       my $token_cfg = PVE::Cluster::cfs_read_file('priv/token.cfg');
+
+       $token_cfg->{$tokenid} = $uuid;
+
+       PVE::Cluster::cfs_write_file('priv/token.cfg', $token_cfg);
+
+       return $uuid;
+    });
+
+    die "$@\n" if defined($@);
+
+    return $token_value;
+}
+
+sub delete_token {
+    my ($tokenid) = @_;
+
+    PVE::Cluster::cfs_lock_file('priv/token.cfg', 10, sub {
+       my $token_cfg = PVE::Cluster::cfs_read_file('priv/token.cfg');
+
+       delete $token_cfg->{$tokenid};
+
+       PVE::Cluster::cfs_write_file('priv/token.cfg', $token_cfg);
+    });
+
+    die "$@\n" if defined($@);
+}

diff --git a/debian/control b/debian/control
index 4247b1f232913277d2078992f996bd8b51b5aff0..3d43a391aec39e71e8a6f1b01bd083ce12edeba1 100644 (file)
--- a/debian/control
+++ b/debian/control
@@ -27,6 +27,7 @@ Depends: libauthen-pam-perl,
          libpve-common-perl (>= 6.0-6),
          libpve-cluster-perl,
          libpve-u2f-server-perl (>= 1.0-2),
+         libuuid-perl,
          perl (>= 5.6.0-16),
          pve-cluster (>= 5.0-35),
          ${misc:Depends},