pve-access-control.git
2 days agopartially fix #2825: authkey: rotate if it was generated in the future master
Thomas Lamprecht [Fri, 3 Jul 2020 09:06:55 +0000 (11:06 +0200)]
partially fix #2825: authkey: rotate if it was generated in the future

Can happen if the RTC is in the future during installation and first
boot, when during key generation the clock is in the future and then,
after the key was already generated, jumps back in time.

Allow a fuzz of $auth_graceperiod, which is currently 5 minutes, as
that fuzz allows some minor, not really problematic, time sync
disparity in clusters.

If an old authkey exists, meaning we rotated at least once, check it's
time too. Only rotate if it'd not be valid for any tickets in the
cluster anymore, i.e., if it difference between the current key is >
$ticket_lifetime (2 hours)..

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
3 days agoauthkey: use variable instead of hard coded grace period value
Thomas Lamprecht [Fri, 3 Jul 2020 13:18:11 +0000 (15:18 +0200)]
authkey: use variable instead of hard coded grace period value

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
6 days agobump version to 6.1-2
Thomas Lamprecht [Tue, 30 Jun 2020 11:06:59 +0000 (13:06 +0200)]
bump version to 6.1-2

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
10 days agointroduce VM.Config.Cloudinit permission
Mira Limbeck [Thu, 25 Jun 2020 14:48:46 +0000 (16:48 +0200)]
introduce VM.Config.Cloudinit permission

It is added to PVEVMUser by default.

Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
3 weeks agoapi2: AccessControl: add sdn permissions.modify
Alexandre Derumier [Fri, 12 Jun 2020 09:53:22 +0000 (11:53 +0200)]
api2: AccessControl: add sdn permissions.modify

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
3 weeks agocomput coarse UI permissions: also check SDN ones
Thomas Lamprecht [Tue, 9 Jun 2020 09:43:51 +0000 (11:43 +0200)]
comput coarse UI permissions: also check SDN ones

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
8 weeks agobump version to 6.1-1
Thomas Lamprecht [Fri, 8 May 2020 15:47:50 +0000 (17:47 +0200)]
bump version to 6.1-1

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
8 weeks agoLDAP: skip anonymous bind when clientcert/key is given
Dominik Csapak [Fri, 8 May 2020 11:16:58 +0000 (13:16 +0200)]
LDAP: skip anonymous bind when clientcert/key is given

It seems that servers associate the client-cert/key with an account, so
doing an explicit anonymous bind then 'logs out' the already verified
user, limiting the search results in some cases

before refactoring to PVE::LDAP, we did not do '$ldap->bind' at all when
there was no bind_dn, but it is not really clear if Net::LDAP does this
automatically when searching (other libraries do this), so leave the
anonymous bind (for compatibility with PMG) but skip it when a client
certificate and key is given.

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
8 weeks agoldap_delete_credentials: don't complain if already deleted
Thomas Lamprecht [Fri, 8 May 2020 07:38:34 +0000 (09:38 +0200)]
ldap_delete_credentials: don't complain if already deleted

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2 months agowhitespace cleanup
Tim Marx [Wed, 6 May 2020 12:00:53 +0000 (14:00 +0200)]
whitespace cleanup

Signed-off-by: Tim Marx <t.marx@proxmox.com>
2 months agopveum: add 'tfa delete' subcommand for deleting user-TFA
Thomas Lamprecht [Sun, 3 May 2020 14:40:03 +0000 (16:40 +0200)]
pveum: add 'tfa delete' subcommand for deleting user-TFA

Allows a user to straight forward delete TFS over CLI, easier as
telling them to edit some config files, and the API is already there.

Short circuit most params of that API call to undef, as they do not
make sense to expose.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2 months agobump version to 6.0-7
Thomas Lamprecht [Sat, 25 Apr 2020 17:35:20 +0000 (19:35 +0200)]
bump version to 6.0-7

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2 months agodomains: dry-run: adapt log messages and improve variable name
Thomas Lamprecht [Sat, 25 Apr 2020 16:55:35 +0000 (18:55 +0200)]
domains: dry-run: adapt log messages and improve variable name

keep variable names aligned with the params the relate to, "write"
was quite ambiguous too (write what?)

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2 months agoparse_sync_opts: code cleanup
Thomas Lamprecht [Sat, 25 Apr 2020 16:54:45 +0000 (18:54 +0200)]
parse_sync_opts: code cleanup

avoid confusion between fmt default and cfg default

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2 months agodomain sync: add 'dry-run' parameter
Dominik Csapak [Thu, 23 Apr 2020 06:47:19 +0000 (08:47 +0200)]
domain sync: add 'dry-run' parameter

this can be used to test the resulting config before actually changing
anything

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2 months agoauth ldap/ad: introduce connection 'mode'
Dominik Csapak [Thu, 23 Apr 2020 06:47:18 +0000 (08:47 +0200)]
auth ldap/ad: introduce connection 'mode'

instead of having only a 'secure' flag which switches between
ldap/ldaps we now have a mode which also contains 'ldap+starttls'

our connection code in PVE::LDAP can handle this already (used in pmg)
so that is no problem

if we want to really remove the 'secure' flag, e.g. in 7.0
we'd either have to rewrite the config or have it as an error
in a pve6to7 script

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2 months agodomain sync: make options actually required
Dominik Csapak [Thu, 23 Apr 2020 06:47:17 +0000 (08:47 +0200)]
domain sync: make options actually required

we want the api options to be optional, but only as long as there are
default values set in the realm config

since they are all marked as optional (else they would be required in
the api) this check did not work as intended

instead, set the result to the value of:
* the parameter
* the set default in the config
* the api default
in this order

if it is undef after this, raise a parameter exception

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2 months agoauth ldap/ad: make password a parameter for the api
Dominik Csapak [Wed, 8 Apr 2020 07:00:53 +0000 (09:00 +0200)]
auth ldap/ad: make password a parameter for the api

Allows us to add it in the gui, until now the admin needed to create
the file themself.

Mirrored after credential handling from CIFS and PBS in their
pve-storage plugins

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
[Thomas: don't differ from storage one unnecessarily, keep comments
 and behavior]
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2 months agoapi/domain: add on add/update/delete hooks
Thomas Lamprecht [Sat, 18 Apr 2020 16:47:37 +0000 (18:47 +0200)]
api/domain: add on add/update/delete hooks

Almost 1:1 taken from pve-storage ones

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2 months agotoken create: return also full token id for convenience
Thomas Lamprecht [Wed, 15 Apr 2020 18:41:38 +0000 (20:41 +0200)]
token create: return also full token id for convenience

makes creating a client for this slightly nicer, as it doesn't needs
to be as state full.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2 months agobuildsys: fix getting the build commit
Thomas Lamprecht [Wed, 15 Apr 2020 18:04:54 +0000 (20:04 +0200)]
buildsys: fix getting the build commit

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2 months agotoken: avoid undef warning if no tokens are configured
Thomas Lamprecht [Wed, 15 Apr 2020 15:13:59 +0000 (17:13 +0200)]
token: avoid undef warning if no tokens are configured

Initially the config may not even exist, and so the first token
create would give one then a ugly warning like:
> Use of uninitialized value $raw in split at ..

Handle that case, empty config (where we get '') was fine already, so
explicitly check for definedness, not truthiness.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
3 months agoauth ad: add sync-defaults-options
Dominik Csapak [Mon, 6 Apr 2020 11:31:52 +0000 (13:31 +0200)]
auth ad: add sync-defaults-options

this was missing for AD realms

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
3 months agod/control: bump versioned to libpve-common-perl
Thomas Lamprecht [Sat, 21 Mar 2020 15:51:06 +0000 (16:51 +0100)]
d/control: bump versioned to libpve-common-perl

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
3 months agosplit and sort some module use
Thomas Lamprecht [Sat, 21 Mar 2020 15:04:44 +0000 (16:04 +0100)]
split and sort some module use

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
3 months agorealm: add default-sync-options to config
Thomas Lamprecht [Sat, 21 Mar 2020 15:01:56 +0000 (16:01 +0100)]
realm: add default-sync-options to config

This allows us to have a convenient way to set the desired default
sync options, and thus not forcing users to pass always all options
when they want to trigger a sync.

We still die when an option is neither specified in the domains
(realm) config nor as API/CLI parameter.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
3 months agoapi: realm sync: move out group and user update to separate methods
Thomas Lamprecht [Sat, 21 Mar 2020 14:56:51 +0000 (15:56 +0100)]
api: realm sync: move out group and user update to separate methods

keep the api call way smaller and clearer

On moving out some minor adaptions where made, e.g., we do not print
"remove user X" if we know that we'd add it again, but just print a
single "update user X" for that. Same for groups.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
3 months agoapi: realm sync: use auth-realm-sync as worker id
Thomas Lamprecht [Sat, 21 Mar 2020 15:07:49 +0000 (16:07 +0100)]
api: realm sync: use auth-realm-sync as worker id

we may potentially also sync something else over this in the future,
for example PAM users from a specific group, so use a more general
name.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
3 months agoapi: realm sync: cleanup code and refactor
Thomas Lamprecht [Sat, 21 Mar 2020 14:55:30 +0000 (15:55 +0100)]
api: realm sync: cleanup code and refactor

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
3 months agodo not modify ACLs/Groups for missing users
Dominik Csapak [Fri, 13 Mar 2020 12:18:48 +0000 (13:18 +0100)]
do not modify ACLs/Groups for missing users

instead of dropping ACLs and group membership for missing users,
simply warn and leave it in the config

for users that get removed via the api this happens explicitely

this is to prevent that a 'faulty' ldapsync removes users temporarily
and with it all acls that the admin created

we still have a 'purge' flag for the sync where ACLs get removed
explicitly for users removed from ldap

also adapt the tests

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
3 months agoapi: domains: add user/group sync API enpoint
Dominik Csapak [Fri, 13 Mar 2020 12:18:47 +0000 (13:18 +0100)]
api: domains: add user/group sync API enpoint

this api call syncs the users and groups from LDAP/AD to the
user.cfg

it also implements a 'full' mode where we first delete all
users/groups from the config and sync them again

the parameter 'enable' controls if newly synced users are 'enabled'
(if no sync parameter handles that)
the parameter 'purge' controls if ACLs get removed for users/groups
that do not exists anymore after

also add this command to pveum

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
3 months agoAuth/AD: make PVE::Auth::AD a subclass of PVE::Auth::LDAP
Dominik Csapak [Fri, 13 Mar 2020 12:18:46 +0000 (13:18 +0100)]
Auth/AD: make PVE::Auth::AD a subclass of PVE::Auth::LDAP

this makes it much easier to reuse the sync code from LDAP in AD.
The 'authenticate_user' sub is still the same, but we now
can still use the get_users and get_groups functionality of LDAP

in the case of AD, the user_attr is optional in the config
(would have been a breaking change) but we set it
to default to 'sAMAccountName'

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
3 months agoAuth/LDAP: add get_{users, groups} subs for syncing
Dominik Csapak [Fri, 13 Mar 2020 12:18:45 +0000 (13:18 +0100)]
Auth/LDAP: add get_{users, groups} subs for syncing

this adds the subs which actually query the LDAP for users/groups
and returns the value in format which makes it easy to insert
in our parsed user.cfg

when we find a user/groupname which cannot be in our config,
we warn the verification error

for groups, we append "-$realm" to the groupname, to lower the chance of
accidental overwriting of existing groups (this will be documented
in the api call since it technically does not prevent overwriting, just
makes it more unlikely)

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
3 months agoAuth/LDAP: add necessary options for syncing
Dominik Csapak [Fri, 13 Mar 2020 12:18:44 +0000 (13:18 +0100)]
Auth/LDAP: add necessary options for syncing

for syncing users/groups from ldap, we need some more options
so that the users can adapt it to their LDAP setup, which are very
different accross systems.

sensible defaults are documented

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
3 months agod/control: bump versioned dependency to pve-common
Thomas Lamprecht [Sat, 7 Mar 2020 18:53:05 +0000 (19:53 +0100)]
d/control: bump versioned dependency to pve-common

to ensure we've the new LDAP module available

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
3 months agoAuth/LDAP: refactor out 'connect_and_bind'
Dominik Csapak [Fri, 6 Mar 2020 10:05:41 +0000 (11:05 +0100)]
Auth/LDAP: refactor out 'connect_and_bind'

we will use this not only for authentication but also for
getting users/groups from LDAP

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
3 months agoAPI2/Domains.pm: document 'type' return value
Dominik Csapak [Fri, 6 Mar 2020 10:05:40 +0000 (11:05 +0100)]
API2/Domains.pm: document 'type' return value

this way it gets printed with 'pveum realm list'

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
3 months agoAPI2/Domains.pm: fix whitespace errors
Dominik Csapak [Fri, 6 Mar 2020 10:05:39 +0000 (11:05 +0100)]
API2/Domains.pm: fix whitespace errors

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
3 months agoadd realm commands to pveum
Dominik Csapak [Fri, 6 Mar 2020 10:05:38 +0000 (11:05 +0100)]
add realm commands to pveum

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
3 months agouse PVE::LDAP module instead of useing Net::LDAP directly
Dominik Csapak [Fri, 6 Mar 2020 10:05:37 +0000 (11:05 +0100)]
use PVE::LDAP module instead of useing Net::LDAP directly

for things like connecting/binding/etc.

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
5 months agofix #2575: die when trying to edit built-in roles
Dominik Csapak [Fri, 31 Jan 2020 10:54:33 +0000 (11:54 +0100)]
fix #2575: die when trying to edit built-in roles

instead of silently ignoring the change

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
5 months agobump version to 6.0-6
Thomas Lamprecht [Wed, 29 Jan 2020 09:17:31 +0000 (10:17 +0100)]
bump version to 6.0-6

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
5 months agod/control: bump versioned dependency on pve-common
Thomas Lamprecht [Wed, 29 Jan 2020 09:14:27 +0000 (10:14 +0100)]
d/control: bump versioned dependency on pve-common

for new allowtoken property in schema

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
5 months agod/control: change homepage link to https
Thomas Lamprecht [Wed, 29 Jan 2020 09:14:15 +0000 (10:14 +0100)]
d/control: change homepage link to https

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
5 months agouser.cfg: skip inexisting roles when parsing ACLs
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:18 +0000 (13:54 +0100)]
user.cfg: skip inexisting roles when parsing ACLs

we do the same for missing users, groups and tokens, and just like
groups, roles with an empty privilege set are explicitly allowed so
pre-generating placeholders is possible.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
5 months agopveum: add permissions sub-commands
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:17 +0000 (13:54 +0100)]
pveum: add permissions sub-commands

for user and token commands, and some pretty-printing for regular text
output, since the returned nested hash/dict is not very readable.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
5 months agopveum token: rename 'update' subcommand to 'modify' for consistency
Thomas Lamprecht [Wed, 29 Jan 2020 19:21:10 +0000 (20:21 +0100)]
pveum token: rename 'update' subcommand to 'modify' for consistency

While the 1:1 mapping from API call names is not bad it was now the
unique "PUT" (modify) command having a different name here. Avoid
that for consistency.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
5 months agopveum: add 'pveum user token add/update/remove/list'
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:16 +0000 (13:54 +0100)]
pveum: add 'pveum user token add/update/remove/list'

mapping 1-to-1 to the respective API paths

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
5 months agotests: unify config file naming
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:14 +0000 (13:54 +0100)]
tests: unify config file naming

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
5 months agotest: add token-related tests
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:13 +0000 (13:54 +0100)]
test: add token-related tests

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
5 months agoAPI: add 'permissions' API endpoint
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:12 +0000 (13:54 +0100)]
API: add 'permissions' API endpoint

and related helper, to dump permissions + propagate info for
- a specific, given path
- generic top-level + user.cfg-referenced paths, including pools

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
5 months agoroles()/permissions(): also return propagate flag
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:11 +0000 (13:54 +0100)]
roles()/permissions(): also return propagate flag

this information is already available, but not exposed. we need it for
dumping an effective permission tree of a given user/token.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
5 months agoapi: disallow some paths for API tokens
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:10 +0000 (13:54 +0100)]
api: disallow some paths for API tokens

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
5 months agoAPI token: implement permission checks
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:09 +0000 (13:54 +0100)]
API token: implement permission checks

non-privsep tokens will always return the roles/permissions of their
associated users. privsep tokens will return unfiltered roles, but
filtered permissions.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
5 months agoAPI: include API tokens in ACL API endpoints
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:08 +0000 (13:54 +0100)]
API: include API tokens in ACL API endpoints

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
5 months agoapi/users: mark tokens and groups as optional in return schema
Thomas Lamprecht [Wed, 29 Jan 2020 20:21:15 +0000 (21:21 +0100)]
api/users: mark tokens and groups as optional in return schema

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
5 months agoAPI: add group and token info to user index
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:07 +0000 (13:54 +0100)]
API: add group and token info to user index

otherwise we need 1+N API calls to retrieve the full user+token picture

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
5 months agoapi: document default of token expiration date
Thomas Lamprecht [Wed, 29 Jan 2020 09:02:52 +0000 (10:02 +0100)]
api: document default of token expiration date

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
5 months agoAPI: add API token API endpoints
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:06 +0000 (13:54 +0100)]
API: add API token API endpoints

and integration for user API endpoints.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
5 months agod/control: bump versioned dependencies on pve-cluster
Thomas Lamprecht [Tue, 28 Jan 2020 20:10:43 +0000 (21:10 +0100)]
d/control: bump versioned dependencies on pve-cluster

to ensure we've got the verify_token method available and the
token.cfg observed.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
5 months agoAPI token: add verification method
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:05 +0000 (13:54 +0100)]
API token: add verification method

which checks that the user and token exist and are not expired, and then
generates the string to be matched with the pmxcfs-stored token shadow
config file.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
5 months agoAPI token: add (shadow) TokenConfig
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:04 +0000 (13:54 +0100)]
API token: add (shadow) TokenConfig

with the format:

<full token ID> <token value/UUID>

it is just used for token value generation/deletion via the User API,
token value verification will happen over pmxcfs/ipcc.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
5 months agoAPI token: add check_token_exist API helper
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:03 +0000 (13:54 +0100)]
API token: add check_token_exist API helper

the helper is modeled after the corresponding user method.

the 'tokenid' option goes into PVE::AccessControl, since we need it in
multiple API modules.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
5 months agoAPI token: add REs, helpers, parsing + writing
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:02 +0000 (13:54 +0100)]
API token: add REs, helpers, parsing + writing

token definitions/references in user.cfg always use the full form of the
token id, consisting of:

USER@REALM!TOKENID

token definitions are represented by their own lines prefixed with
'token', which need to come after the corresponding user definition, but
before any ACLs referencing them.

parsed representation in a user config hash is inside a new 'tokens'
element of the corresponding user object, using the unique-per-user
token id as key.

only token metadata is stored inside user.cfg / accessible via the
parsed user config hash. the actual token values will be stored
root-readable only in a separate (shadow) file.

'comment' and 'expire' have the same semantics as for users.

'privsep' determines whether an API token gets the full privileges of
the corresponding user, or just the intersection of privileges of the
corresponding user and those of the API token itself.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
5 months agoAPI: add group members to group index
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:15 +0000 (13:54 +0100)]
API: add group members to group index

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
5 months agotest: add parser/writer tests
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:01 +0000 (13:54 +0100)]
test: add parser/writer tests

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
5 months agofix typo
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:00 +0000 (13:54 +0100)]
fix typo

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
5 months agotest: run at build time
Fabian Grünbichler [Tue, 21 Jan 2020 12:53:59 +0000 (13:53 +0100)]
test: run at build time

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
5 months agorefactor acl transformation code
Fabian Grünbichler [Thu, 21 Nov 2019 14:43:25 +0000 (15:43 +0100)]
refactor acl transformation code

pull it into helper sub, since we need this one more time for token ACL
members.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
5 months agoauth: pull username REs into variables
Fabian Grünbichler [Thu, 21 Nov 2019 14:43:24 +0000 (15:43 +0100)]
auth: pull username REs into variables

for reusage in API token ID format/verification

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
5 months agorpcenv: drop unused roles()
Fabian Grünbichler [Thu, 21 Nov 2019 14:43:23 +0000 (15:43 +0100)]
rpcenv: drop unused roles()

it was useful for test-cases to verify the behaviour when pools where
introduced, but it is not used anywhere else in the code base and those
tests can also just check on permission-level.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
6 months agogrammar fix: s/does not exists/does not exist/g
Thomas Lamprecht [Fri, 13 Dec 2019 11:01:22 +0000 (12:01 +0100)]
grammar fix: s/does not exists/does not exist/g

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
7 months agobump version to 6.0-5
Thomas Lamprecht [Tue, 26 Nov 2019 16:56:42 +0000 (17:56 +0100)]
bump version to 6.0-5

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
7 months agoadd SDN.Allocate && SDN.Audit privileges
Alexandre Derumier [Tue, 26 Nov 2019 09:01:09 +0000 (10:01 +0100)]
add SDN.Allocate && SDN.Audit privileges

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
7 months agoaccess-control: remove check_permissions/permission
Fabian Grünbichler [Thu, 21 Nov 2019 14:43:22 +0000 (15:43 +0100)]
access-control: remove check_permissions/permission

they have been handled by PVE::RPCEnvironment for quite some time
already, and the versions there are the complete ones that should be
actually used.

manager switched over their last use not long ago, in 6.0-9, so
record a Breaks to that version.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
7 months agopveum: add list commands
Fabian Grünbichler [Thu, 21 Nov 2019 14:43:21 +0000 (15:43 +0100)]
pveum: add list commands

we already have the API paths, and they make sense to get an overview
over user.cfg contents.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
7 months agouser.cfg: sort group and pool members, role privs
Fabian Grünbichler [Thu, 21 Nov 2019 14:43:20 +0000 (15:43 +0100)]
user.cfg: sort group and pool members, role privs

makes no functional difference, but keeps the output/written config more
stable.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
7 months agouser.cfg: ensure propagate flag is 1/0 when parsing
Fabian Grünbichler [Thu, 21 Nov 2019 14:43:19 +0000 (15:43 +0100)]
user.cfg: ensure propagate flag is 1/0 when parsing

otherwise this might end up as (arbitrary) string somewhere..

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
7 months agobump version to 6.0-4
Fabian Grünbichler [Mon, 11 Nov 2019 10:28:11 +0000 (11:28 +0100)]
bump version to 6.0-4

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
7 months agod/control: (build-)depend on libpve-cluster-perl
Fabian Grünbichler [Mon, 11 Nov 2019 10:28:10 +0000 (11:28 +0100)]
d/control: (build-)depend on libpve-cluster-perl

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
7 months agouse already parsed u2f property string
Fabian Grünbichler [Mon, 11 Nov 2019 10:28:09 +0000 (11:28 +0100)]
use already parsed u2f property string

since libpve-cluster-perl 6.0-8 this happens automatically when parsing
the datacenter.cfg, just like the other property strings stored there.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
7 months agouse PVE::DataCenterConfig
Fabian Grünbichler [Mon, 11 Nov 2019 10:28:08 +0000 (11:28 +0100)]
use PVE::DataCenterConfig

since we read datacenter.cfg, and parse the u2f property string using a
format defined in PVE::DataCenterConfig.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
7 months agoAPI: fix calls to raise_param_exc
Fabian Grünbichler [Thu, 14 Nov 2019 10:00:59 +0000 (11:00 +0100)]
API: fix calls to raise_param_exc

the parameter needs to be a hash reference, not a hash.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
7 months agod/control: correctly set Architecture field
Fabian Grünbichler [Wed, 6 Nov 2019 12:36:31 +0000 (13:36 +0100)]
d/control: correctly set Architecture field

this packge only contains perl modules and scripts, shell completions
and documentation - no architecture-specific stuff whatsoever.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
7 months agoticket: use clinfo to get cluster name
Fabian Grünbichler [Wed, 6 Nov 2019 12:36:28 +0000 (13:36 +0100)]
ticket: use clinfo to get cluster name

instead of parsing corosync.conf, and avoid coupling the access-control
API with PVE::Corosync. if corosync.conf and pmxcfs don't agree on how
the cluster is called, there is a bigger issue anyway..

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
7 months agopveum: don't unconditionally create auth key
Fabian Grünbichler [Wed, 6 Nov 2019 12:36:27 +0000 (13:36 +0100)]
pveum: don't unconditionally create auth key

anything that uses it should already generate it anyway.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
7 months agopveum: cleanup outdated use statements
Fabian Grünbichler [Wed, 6 Nov 2019 12:36:26 +0000 (13:36 +0100)]
pveum: cleanup outdated use statements

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
7 months agod/control: remove outdated dependencies
Fabian Grünbichler [Wed, 6 Nov 2019 12:36:25 +0000 (13:36 +0100)]
d/control: remove outdated dependencies

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
7 months agobuild: leave man page compression to dh_docs
Fabian Grünbichler [Wed, 6 Nov 2019 12:36:24 +0000 (13:36 +0100)]
build: leave man page compression to dh_docs

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
7 months agobuild: use dh_missing
Fabian Grünbichler [Wed, 6 Nov 2019 12:36:23 +0000 (13:36 +0100)]
build: use dh_missing

to fail the build if files are installed, but not shipped in any
package.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
7 months agobuild: bump compat to 10
Fabian Grünbichler [Wed, 6 Nov 2019 12:36:22 +0000 (13:36 +0100)]
build: bump compat to 10

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
7 months agoldaps: support TLS 1.3 as SSL version
Thomas Lamprecht [Wed, 6 Nov 2019 19:23:21 +0000 (20:23 +0100)]
ldaps: support TLS 1.3 as SSL version

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
7 months agoldap auth: add sslversion option
Alexandre Derumier [Mon, 4 Nov 2019 09:18:05 +0000 (10:18 +0100)]
ldap auth: add sslversion option

default to tls1.2

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
8 months agobump version to 6.0-3
Thomas Lamprecht [Tue, 29 Oct 2019 07:55:09 +0000 (08:55 +0100)]
bump version to 6.0-3

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
8 months agod/control: bump versioned dependency on pve-common
Thomas Lamprecht [Tue, 29 Oct 2019 07:25:29 +0000 (08:25 +0100)]
d/control: bump versioned dependency on pve-common

to ensure the new 'pve-tfa-secret' format is available

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
8 months agoapi: tfa: use the new 'pve-tfa-secret' format
Wolfgang Bumiller [Mon, 28 Oct 2019 11:20:39 +0000 (12:20 +0100)]
api: tfa: use the new 'pve-tfa-secret' format

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
8 months agouser.cfg: sort ACL members
Fabian Grünbichler [Thu, 17 Oct 2019 13:13:58 +0000 (15:13 +0200)]
user.cfg: sort ACL members

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
8 months agouser.cfg: sort entries alphabetically in each section
Fabian Grünbichler [Thu, 17 Oct 2019 13:13:57 +0000 (15:13 +0200)]
user.cfg: sort entries alphabetically in each section

it's not required for dependencies (since those are only ever between
sections, and not within), but makes for easier diffing.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
8 months agoadd missing 'use PVE::Auth::Plugin'
Fabian Grünbichler [Thu, 17 Oct 2019 13:13:56 +0000 (15:13 +0200)]
add missing 'use PVE::Auth::Plugin'

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
9 months agoparse_user_cfg: correctly parse group names in ACLs
Fabian Grünbichler [Thu, 3 Oct 2019 08:33:28 +0000 (10:33 +0200)]
parse_user_cfg: correctly parse group names in ACLs

usernames are allowed to start with '@', so adding a user '@test@pve'
and adding it to an ACL should work, instead of ignoring that part of
the ACL entry.

So use verify_groupname to additionally enforce that the group name we
extracted does not include an additional @, as then it cannot be a
group.

note: there is no potential for user and group to be confused, since a
username must end with '@REALM', and a group reference in an ACL can
only contain one '@' (as first character).

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>