]>
git.proxmox.com Git - pve-access-control.git/log
Thomas Lamprecht [Thu, 21 Sep 2017 06:44:17 +0000 (08:44 +0200)]
api: fix typo in 'GET ticket' description
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 14 Sep 2017 13:17:09 +0000 (15:17 +0200)]
API/ticket: rework coarse grained permission computation
We accessed methods from PVE::Storage here but did not define a
"use PVE::Storage". This thus only worked if modules if the
PVE::Storage module got pulled in by something else, by luck.
Simply including said use statement is not an option because
pve-storage is already dependent from pve-access-control, and we want
to avoid cyclic dependencies, especially on the perl module level.
The reason the offending module was used in the first place here
stems from the way how this coarse grained permissions are
calculated.
We check all permission object paths for privileges for an user.
So we got all vmids and all storage ids and computed paths from them.
This works, but is overkill and led to this "illegal" module use.
Instead I opt to not generating all possible paths, but just check
the ones configured plus a small required static set of top level
paths - this allows to generalize handling of the special root@pam
and "normal" users.
It has to be noted that this method is in general just intended for a
coarse capability check to allow hiding a few UI elements which are
not generated by backend calls (which are already permission aware).
The real checks get done by each backend call, automatically for
simple ones and semi-automatically for complex ones.
Wolfgang Bumiller [Tue, 8 Aug 2017 09:57:34 +0000 (11:57 +0200)]
bump version to 5.0-6
Dominik Csapak [Tue, 8 Aug 2017 09:10:15 +0000 (11:10 +0200)]
fix trailing whitespace
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dominik Csapak [Tue, 8 Aug 2017 09:10:14 +0000 (11:10 +0200)]
fix #1470: ad: server and client certificate support
as with ldap we now accept
the verify, capath, cert and certkey parameters for active directory
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Wolfgang Bumiller [Tue, 8 Aug 2017 09:10:13 +0000 (11:10 +0200)]
ldap: server and client certificate support
This adds 4 more options to the ldap authentication method:
verify: boolean
If enabled, the server certificate must be valid
capath: path to a file or directory
The CA to use to verify the server certificate. Used only
if 'verify' is true.
cert: path to a certificate
Used as client certificate when connecting to a server,
provided 'secure' is true. Requires 'certkey' to be set.
certkey: path to the certificate's key
Required only used when 'cert' is used.
Dietmar Maurer [Thu, 22 Jun 2017 07:13:00 +0000 (09:13 +0200)]
bump version to 5.0-5
In order to test new package built with dpkg-buildpackage.
Fabian Grünbichler [Mon, 12 Jun 2017 08:08:46 +0000 (10:08 +0200)]
build: remove fakeroot from dpkg-buildpackage
Fabian Grünbichler [Mon, 12 Jun 2017 08:07:25 +0000 (10:07 +0200)]
build: add substitution variable
Fabian Grünbichler [Mon, 12 Jun 2017 08:05:09 +0000 (10:05 +0200)]
build: reformat b-d and depends
Fabian Grünbichler [Mon, 12 Jun 2017 08:02:22 +0000 (10:02 +0200)]
build: make control static
Thomas Lamprecht [Fri, 9 Jun 2017 15:44:29 +0000 (17:44 +0200)]
change from dpkg-deb to dpkg-buildpackage
add debian directory and move the respective files there and add
missing (rules, compat).
Add a Source section to the control.in file.
Move the verify_api check to the new "test" target, which gets
executed before the dh_auto_install target.
Cleanup the "clean" target.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Dietmar Maurer [Tue, 2 May 2017 09:58:54 +0000 (11:58 +0200)]
bump version to 5.0-4
Dietmar Maurer [Tue, 2 May 2017 08:39:22 +0000 (10:39 +0200)]
PVE/CLI/pveum.pm: call setup_default_cli_env()
Dietmar Maurer [Tue, 2 May 2017 08:37:20 +0000 (10:37 +0200)]
PVE/Auth/PVE.pm: encode uft8 password before calling crypt
Dietmar Maurer [Fri, 31 Mar 2017 15:05:52 +0000 (17:05 +0200)]
check_api2_permissions: avoid warning about uninitialized value
Dietmar Maurer [Thu, 30 Mar 2017 15:54:38 +0000 (17:54 +0200)]
use new PVE::Tools::encrypt_pw, bump version to 5.0-3
Dietmar Maurer [Thu, 30 Mar 2017 15:44:54 +0000 (17:44 +0200)]
use new PVE::OTP class from pve-common
Dietmar Maurer [Thu, 30 Mar 2017 06:54:30 +0000 (08:54 +0200)]
bump version to 5.0-2
Dietmar Maurer [Thu, 30 Mar 2017 06:53:12 +0000 (08:53 +0200)]
encrypt_pw: avoid '+' for crypt salt
And make salt less predictable.
Fabian Grünbichler [Mon, 6 Mar 2017 12:42:40 +0000 (13:42 +0100)]
bump release to 5.0
Fabian Grünbichler [Mon, 13 Mar 2017 10:25:23 +0000 (11:25 +0100)]
buildsys: update make upload target for stretch
Wolfgang Bumiller [Mon, 6 Feb 2017 10:47:37 +0000 (11:47 +0100)]
buildsys: use fakeroot for dpkg-deb
Wolfgang Bumiller [Mon, 6 Feb 2017 10:47:18 +0000 (11:47 +0100)]
buildsys: use gzip -n to disable timestamps
Wolfgang Bumiller [Mon, 6 Feb 2017 10:46:12 +0000 (11:46 +0100)]
buildsys: make job safety
Dietmar Maurer [Thu, 19 Jan 2017 12:42:26 +0000 (13:42 +0100)]
bump version to 4.0-23
Dietmar Maurer [Thu, 19 Jan 2017 12:41:12 +0000 (13:41 +0100)]
remove old test.pl code (does not work anyways).
Dietmar Maurer [Thu, 19 Jan 2017 12:40:25 +0000 (13:40 +0100)]
use new PVE::Ticket class
Dietmar Maurer [Thu, 19 Jan 2017 08:12:34 +0000 (09:12 +0100)]
bump version to 4.0-22
Dietmar Maurer [Wed, 18 Jan 2017 16:35:50 +0000 (17:35 +0100)]
RPCEnvironment: removed check_volume_access() to avoid cyclic dependency
moved to PVE::Storage
Dietmar Maurer [Wed, 18 Jan 2017 12:25:51 +0000 (13:25 +0100)]
PVE::PCEnvironment: use new PVE::RESTEnvironment as base class
Dietmar Maurer [Thu, 12 Jan 2017 12:56:28 +0000 (13:56 +0100)]
bump versuion to 4.0-21
Dietmar Maurer [Thu, 12 Jan 2017 12:53:18 +0000 (13:53 +0100)]
setup_default_cli_env: expect $class as first parameter
Dietmar Maurer [Wed, 11 Jan 2017 11:41:16 +0000 (12:41 +0100)]
bump version to 4.0-20
Dietmar Maurer [Wed, 11 Jan 2017 11:12:11 +0000 (12:12 +0100)]
PVE/RPCEnvironment.pm: new function setup_default_cli_env
Convenience function for command line tools.
Dietmar Maurer [Wed, 11 Jan 2017 11:11:01 +0000 (12:11 +0100)]
PVE/API2/Domains.pm: fix property description
Dietmar Maurer [Fri, 5 Aug 2016 11:10:17 +0000 (13:10 +0200)]
use new repoman for upload target
Dietmar Maurer [Fri, 5 Aug 2016 11:09:27 +0000 (13:09 +0200)]
bump version to 4.0-19
Wolfgang Bumiller [Mon, 25 Jul 2016 13:56:03 +0000 (15:56 +0200)]
Close #833: ldap: non-anonymous bind support
The password will be read from /etc/pve/priv/ldap/$realm.pw
Wolfgang Bumiller [Mon, 25 Jul 2016 06:33:29 +0000 (08:33 +0200)]
don't import 'RFC' from MIME::Base32
call encode_rfc3548 explicitly instead as newer versions of
the base32 package will drop this import scheme (stretch)
Wolfgang Bumiller [Thu, 21 Jul 2016 06:44:25 +0000 (08:44 +0200)]
bump version to 4.0-18
Dominik Csapak [Wed, 20 Jul 2016 11:31:33 +0000 (13:31 +0200)]
fix #1062: use correct length for base32 keys
we wrongly assumed the keys to be 32 chars long,
instead of 16
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Wolfgang Bumiller [Mon, 11 Jul 2016 10:04:39 +0000 (12:04 +0200)]
bump version to 4.0-17
Wolfgang Bumiller [Fri, 1 Jul 2016 08:15:28 +0000 (10:15 +0200)]
drop oathtool dependency
Generate hotp/totp in perl directly, also support keys in
hex notation (this is how eg. the
yubikey-personalization-gui displays them, but without the
whitespaces).
Wolfgang Bumiller [Fri, 1 Jul 2016 08:15:27 +0000 (10:15 +0200)]
drop libdigest-hmac-perl dependency
Its functionality is provided by perl core's Digest::SHA
module now.
Dietmar Maurer [Fri, 8 Apr 2016 05:08:23 +0000 (07:08 +0200)]
remove unused inline docs
Dietmar Maurer [Fri, 8 Apr 2016 05:06:27 +0000 (07:06 +0200)]
use pve-doc-generator, bump version to 4.0-16
Dietmar Maurer [Fri, 1 Apr 2016 05:11:24 +0000 (07:11 +0200)]
bump version to 4.0-15
Fabian Grünbichler [Wed, 30 Mar 2016 10:09:12 +0000 (12:09 +0200)]
Fix uninitialized warning
when shadow.cfg does not exist, parsing should return an
empty hash instead of displaying a warning
Dietmar Maurer [Tue, 15 Mar 2016 15:47:51 +0000 (16:47 +0100)]
bump version to 4.0-14
Fabian Grünbichler [Tue, 15 Mar 2016 12:58:44 +0000 (13:58 +0100)]
Add is_worker to RPCEnvironment
after forking the actual worker process, the child/worker
sets a flag that can be checked later on by methods called
in the worker.
used in the ZFS storage plugins in pve-storage to decide on
a short or long default timeout for ZFS operations.
Dietmar Maurer [Mon, 14 Mar 2016 10:39:43 +0000 (11:39 +0100)]
bump version to 4.0-13
Fabian Grünbichler [Mon, 14 Mar 2016 10:25:03 +0000 (11:25 +0100)]
fix typos and grammar
Fabian Grünbichler [Mon, 14 Mar 2016 10:25:02 +0000 (11:25 +0100)]
fix #916: allow HTTPS to access custom yubico url
remove the limit to HTTP only, since it would only apply for
custom yubico validation server urls anyway.
Dietmar Maurer [Wed, 9 Mar 2016 13:41:35 +0000 (14:41 +0100)]
bump version to 4.0-12
Fabian Grünbichler [Tue, 8 Mar 2016 15:17:55 +0000 (16:17 +0100)]
Catch error instead of segfaulting
when trying to parse a certificate subject, Net::SSLeay
will segfault in libcrypto when given 0 as input. Catch
this and die with a meaningful error message instead.
Dietmar Maurer [Fri, 8 Jan 2016 11:53:03 +0000 (12:53 +0100)]
bump version to 4.0-11
Wolfgang Bumiller [Fri, 8 Jan 2016 11:43:43 +0000 (12:43 +0100)]
Fix #861: use safer sprintf formatting
Dietmar Maurer [Thu, 3 Dec 2015 11:12:43 +0000 (12:12 +0100)]
set RELEASE=4.1
Dietmar Maurer [Thu, 3 Dec 2015 11:09:51 +0000 (12:09 +0100)]
bump version to 4.0-10
Wolfgang Bumiller [Wed, 2 Dec 2015 15:06:46 +0000 (16:06 +0100)]
Auth::LDAP, Auth::AD: ipv6 support
Also had to change server1/server2 schema from a pattern to
the 'address' format.
Dietmar Maurer [Fri, 2 Oct 2015 08:59:40 +0000 (10:59 +0200)]
improve manual page
Dietmar Maurer [Fri, 2 Oct 2015 08:45:58 +0000 (10:45 +0200)]
make read_password a CLIHandler class method
And use new run_cli_handler() method.
Dietmar Maurer [Thu, 1 Oct 2015 15:23:12 +0000 (17:23 +0200)]
bump version to 4.0-9
Dietmar Maurer [Thu, 1 Oct 2015 15:22:09 +0000 (17:22 +0200)]
pveum: implement bash completion hooks
Dietmar Maurer [Thu, 1 Oct 2015 14:53:01 +0000 (16:53 +0200)]
pveum: install bash completion config
Dietmar Maurer [Thu, 1 Oct 2015 14:44:43 +0000 (16:44 +0200)]
convert pveum into a PVE::CLI class
Dietmar Maurer [Wed, 19 Aug 2015 13:39:34 +0000 (15:39 +0200)]
bump version to 4.0-8
Alen Grizonic [Wed, 19 Aug 2015 08:32:19 +0000 (10:32 +0200)]
remove_storage_access: cleanup of access permissions for removed storage
Signed-off-by: Alen Grizonic <a.grizonic@proxmox.com>
Dietmar Maurer [Fri, 14 Aug 2015 05:57:29 +0000 (07:57 +0200)]
bump version to 4.0-7
Dietmar Maurer [Fri, 14 Aug 2015 05:55:36 +0000 (07:55 +0200)]
cleanup: avoid writing user.cfg twice
Dietmar Maurer [Fri, 14 Aug 2015 05:49:18 +0000 (07:49 +0200)]
white space cleanup
Alen Grizonic [Thu, 13 Aug 2015 11:41:33 +0000 (13:41 +0200)]
access permissions cleanup fix
for removed vms and pools
Signed-off-by: Alen Grizonic <a.grizonic@proxmox.com>
Wolfgang Bumiller [Fri, 7 Aug 2015 07:49:53 +0000 (09:49 +0200)]
fix access of possibly undefined variable
Dietmar Maurer [Mon, 27 Jul 2015 11:14:54 +0000 (13:14 +0200)]
bump version to 4.0-6
Wolfgang Bumiller [Wed, 15 Jul 2015 08:25:42 +0000 (10:25 +0200)]
improve parse_user_config, parse_shadow_config
same as in pve-common: replace substituting line parsing
with /gm modified match regexps.
Dietmar Maurer [Wed, 10 Jun 2015 08:40:28 +0000 (10:40 +0200)]
bump version to 4.0-5
Wolfgang Bumiller [Wed, 10 Jun 2015 07:20:00 +0000 (09:20 +0200)]
pveum: check for $cmd being defined
fixes an 'undefined value' error when no command is
specified.
Dietmar Maurer [Mon, 1 Jun 2015 10:25:48 +0000 (12:25 +0200)]
bump version to 4.0-4
Dietmar Maurer [Mon, 1 Jun 2015 08:03:48 +0000 (10:03 +0200)]
use activate-noawait triggers
Dietmar Maurer [Wed, 27 May 2015 09:16:01 +0000 (11:16 +0200)]
bump version to 4.0-3
Wolfgang Bumiller [Wed, 27 May 2015 07:30:55 +0000 (09:30 +0200)]
remote_viewer_config: brackets around ipv6 http address
Wolfgang Bumiller [Wed, 27 May 2015 07:30:54 +0000 (09:30 +0200)]
non-root buildfix
Dietmar Maurer [Tue, 5 May 2015 13:06:53 +0000 (15:06 +0200)]
bump version to 4.0-2
Dietmar Maurer [Tue, 5 May 2015 13:06:06 +0000 (15:06 +0200)]
trigger pve-api-updates event
Dietmar Maurer [Thu, 26 Feb 2015 10:31:54 +0000 (11:31 +0100)]
bump version for Debian Jessie
Dietmar Maurer [Fri, 30 Jan 2015 05:20:42 +0000 (06:20 +0100)]
bump version to 3.0-16
Wolfgang Link [Wed, 28 Jan 2015 09:36:49 +0000 (10:36 +0100)]
Fix: disable root
root can now be disabled in GUI.
Signed-off-by: Wolfgang Link <w.link@proxmox.com>
Dietmar Maurer [Wed, 23 Jul 2014 05:02:37 +0000 (07:02 +0200)]
remove debugging code
Dietmar Maurer [Wed, 23 Jul 2014 05:01:04 +0000 (07:01 +0200)]
bump version to 3.0-15
Dietmar Maurer [Wed, 23 Jul 2014 04:59:01 +0000 (06:59 +0200)]
add step/digits option to oath configuration
Dietmar Maurer [Fri, 18 Jul 2014 09:24:55 +0000 (11:24 +0200)]
allow to write builtin auth domains
So that we can set tfa, comment, default with the GUI.
Dietmar Maurer [Thu, 17 Jul 2014 11:59:53 +0000 (13:59 +0200)]
add oath two factor auth, bump version to 3.0-14
Dietmar Maurer [Tue, 15 Jul 2014 12:18:17 +0000 (14:18 +0200)]
enable yubico OTP (by removing debuging code)
Dietmar Maurer [Mon, 23 Jun 2014 09:42:44 +0000 (11:42 +0200)]
add basic support for two factor auth
Dietmar Maurer [Fri, 20 Jun 2014 10:58:17 +0000 (12:58 +0200)]
add experimental code for yubico OTP verification
Dietmar Maurer [Thu, 22 May 2014 05:16:36 +0000 (07:16 +0200)]
bump version to 3.0-13
Dietmar Maurer [Thu, 22 May 2014 05:12:25 +0000 (07:12 +0200)]
use correct connection string for AD auth (use encryption and port info).
Dietmar Maurer [Wed, 30 Apr 2014 12:48:27 +0000 (14:48 +0200)]
bump version to 3.0-12
Dietmar Maurer [Wed, 30 Apr 2014 12:45:57 +0000 (14:45 +0200)]
add dummy API for login page