support registering yubico otp keys

In PBS we don't support this, so the current TFA API in rust
does not support this either (although the config does know
about its *existence*).

For now, yubico authentication will be done in perl. Adding
it to rust the rust TFA crate would not make much sense
anyway as we'd likely not want to use the same http client
crate in pve and pbs anyway (since pve is all blocking code
and pbs is async...)

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

diff --git a/src/PVE/API2/TFA.pm b/src/PVE/API2/TFA.pm
index 1888699ed8b0c8cdeb27c19474187b0a535389e7..2fbc7a8483bf7c452f9d4121864fb401d9492b3a 100644 (file)
--- a/src/PVE/API2/TFA.pm
+++ b/src/PVE/API2/TFA.pm
@@ -395,9 +395,15 @@ __PACKAGE__->register_method ({
 
        my $rpcenv = PVE::RPCEnvironment::get();
        my $authuser = $rpcenv->get_user();
-       my $userid =
+       my ($userid, $realm) =
            root_permission_check($rpcenv, $authuser, $param->{userid}, $param->{password});
 
+       my $type = delete $param->{type};
+       my $value = delete $param->{value};
+       if ($type eq 'yubico') {
+           $value = validate_yubico_otp($userid, $realm, $value);
+       }
+
        return PVE::AccessControl::lock_tfa_config(sub {
            my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
            PVE::AccessControl::configure_u2f_and_wa($tfa_cfg);
@@ -406,9 +412,9 @@ __PACKAGE__->register_method ({
                $userid,
                $param->{description},
                $param->{totp},
-               $param->{value},
+               $value,
                $param->{challenge},
-               $param->{type},
+               $type,
            );
 
            cfs_write_file('priv/tfa.cfg', $tfa_cfg);
@@ -417,6 +423,28 @@ __PACKAGE__->register_method ({
        });
     }});
 
+sub validate_yubico_otp : prototype($$) {
+    my ($userid, $realm, $value) = @_;
+
+    my $domain_cfg = cfs_read_file('domains.cfg');
+    my $realm_cfg = $domain_cfg->{ids}->{$realm};
+    die "auth domain '$realm' does not exist\n" if !$realm_cfg;
+
+    my $realm_tfa = $realm_cfg->{tfa};
+    die "no yubico otp configuration available for realm $realm\n"
+       if !$realm_tfa;
+
+    $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_tfa);
+    die "realm is not setup for Yubico OTP\n"
+       if !$realm_tfa || $realm_tfa->{type} ne 'yubico';
+
+    my $public_key = substr($value, 0, 12);
+
+    PVE::AccessControl::authenticate_yubico_do($value, $public_key, $realm_tfa);
+
+    return $public_key;
+}
+
 __PACKAGE__->register_method ({
     name => 'update_tfa_entry',
     path => '{userid}/{id}',

diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index fd803684f06b9f458ff2e3eac969b537bf00f404..cd46507ba2fe0dbc9fbcb70b4855ff8ed5341376 100644 (file)
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -806,16 +806,21 @@ sub authenticate_yubico_new : prototype($$$) {
     my $keys = $tfa_cfg->get_yubico_keys($username);
     die "no keys configured\n" if !defined($keys) || !length($keys);
 
-    # Defer to after unlocking the TFA config:
-
-    # fixme: proxy support?
-    my $proxy;
-    PVE::OTP::yubico_verify_otp($otp, $keys, $realm->{url}, $realm->{id}, $realm->{key}, $proxy);
+    authenticate_yubico_do($otp, $keys, $realm);
 
     # return `undef` to clear the tfa challenge.
     return undef;
 }
 
+sub authenticate_yubico_do : prototype($$$) {
+    my ($value, $keys, $realm) = @_;
+
+    # fixme: proxy support?
+    my $proxy = undef;
+
+    PVE::OTP::yubico_verify_otp($value, $keys, $realm->{url}, $realm->{id}, $realm->{key}, $proxy);
+}
+
 sub configure_u2f_and_wa : prototype($) {
     my ($tfa_cfg) = @_;