pve-access-control.git
3 months agobump version to 7.1-8
Thomas Lamprecht [Thu, 28 Apr 2022 15:02:54 +0000 (17:02 +0200)]
bump version to 7.1-8

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
3 months agoadd realm-sync regression test for new 'remove-vanished'
Dominik Csapak [Mon, 28 Mar 2022 12:38:05 +0000 (14:38 +0200)]
add realm-sync regression test for new 'remove-vanished'

by having a test case that does not delete properties, but acls and
entries

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
3 months agoconvert regression tests to new 'remove-vanished' parameter
Dominik Csapak [Mon, 28 Mar 2022 12:38:04 +0000 (14:38 +0200)]
convert regression tests to new 'remove-vanished' parameter

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
3 months agofix #3668: realm-sync: replace 'full' & 'purge' with 'remove-vanished'
Dominik Csapak [Mon, 28 Mar 2022 12:38:03 +0000 (14:38 +0200)]
fix #3668: realm-sync: replace 'full' & 'purge' with 'remove-vanished'

Both, 'full' & 'purge', configure what is removed when an entry
(or property) is not returned anymore from the sync result. For users
it may be thus easier to understand setting a single property without
wondering about the interaction of the two specific ones.

The new 'remove-vanished' is a list of things to remove, namely:
 * 'acl'
 * 'entry'
 * 'properties'.

The old 'full' gets mapped to 'entry;properties' and an old 'purge'
to the 'acl'

Keep the old properties for backwards-compatibility but transform to
the new list on edit. Add a deprecation notice to the description
with a TODO reminder to remove with 8.0

Note, this commit changes two things slightly:
* 'purge' (now remove-vanished -> acl) does now remove ACLs for
  vanished entries even when we keep those entries. Previously those
  were only deleted when we also removed the entries (this can be
  seen by the changed regression test)
* since 'remove-vanished' is empty by default, only the scope must be
  given explicitly on sync or the sync-default. Previously 'full' and
  'purge' must have been configured explicitly (no big deal, since
  the default is to not remove anything)

Bug #3668 is fixed when not selecting 'properties' for the sync, so
that existing (custom) properties are not deleted on update

Suggested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
[ T: some commit message typos/wording ]
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
3 months agoadd regression tests for realm-sync
Dominik Csapak [Mon, 28 Mar 2022 12:38:02 +0000 (14:38 +0200)]
add regression tests for realm-sync

to fully test the 'end-to-end' sync api call, we have to mock quite
some methods for cluster/rpcenvironment/ldap

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
4 months agorpc env: indentation fixes
Thomas Lamprecht [Wed, 23 Mar 2022 11:24:57 +0000 (12:24 +0100)]
rpc env: indentation fixes

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
4 months agobump version to 7.1-7
Thomas Lamprecht [Mon, 21 Mar 2022 15:15:29 +0000 (16:15 +0100)]
bump version to 7.1-7

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
4 months agoapi: get user: declare token schema
Wolfgang Bumiller [Mon, 21 Mar 2022 14:29:12 +0000 (15:29 +0100)]
api: get user: declare token schema

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
4 months agouserid-group check: distinguish create and update
Fabian Grünbichler [Thu, 17 Mar 2022 08:57:21 +0000 (09:57 +0100)]
userid-group check: distinguish create and update

and check both existing groups and the groups parameter in the update
case. the following user.cfg settings can be used for testing:

user:test@pve:1:0:t::::x:
user:other@pve:1:0:t::::x:
group:test:test@pve::
group:test3:::
role:RealmUserAllocator:Realm.AllocateUser:
role:UserModifier:User.Modify:
acl:0:/access/groups/test:test@pve:UserModifier:
acl:0:/access/groups/test3:@test:UserModifier:
acl:0:/access/realm/pve:test@pve:RealmUserAllocator:

unchanged: the user 'test@pve' can allocate new '@pve' users, but
only if the created user will belong to at least one of 'test'
(direct ACL for that user) or 'test3' (indirect ACL via 'test' group)
groups.

changed: if the user 'test@pve' updates an existing user, they need
to (A) have 'User.Modify' on at least one existing group of that
user, and (B) 'User.Modify' on all of the groups passed in via the
'groups' parameter. A is the general rule for 'allowed to modify
user' across the board, but was missing for this specific variant of
the check. B was the case before, but just checking this without also
checking A allows a user to pull off-limits users into groups that
they can modify, which then in turn allows them to modify those users
via A which is now passing.

for example, without this patch 'test@pve' would be able to add
'other@pve' to either 'test' or 'test3', and then in turn call any of
the API endpoints that require 'User.Modify' on a user's group
(change TFA, change password or delete user if realm is pve, ..).

all the other userid-group checks without group_param set remain
unchanged as well, since $check_existing_user is true in that case.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
6 months agobump version to 7.1-6
Fabian Grünbichler [Fri, 21 Jan 2022 13:20:58 +0000 (14:20 +0100)]
bump version to 7.1-6

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
6 months agorpcenv->permissions() ensure propagate is always defined
Fabian Grünbichler [Fri, 21 Jan 2022 10:57:30 +0000 (11:57 +0100)]
rpcenv->permissions() ensure propagate is always defined

this shouldn't happen anymore, but a safeguard in case the parser ever
has a bug does not hurt.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
6 months agorpcenv: skip undef propagation flag in more places
Fabian Grünbichler [Fri, 21 Jan 2022 10:52:08 +0000 (11:52 +0100)]
rpcenv: skip undef propagation flag in more places

these are just cosmetic fixes/safeguards against future bugs -
compute_api_permissions is used to set the 'cap' object to hide parts of
the GUI that are not usable without the corresponding privs in the
backend anyway, and get_effective_permissions is only used to return the
permission tree without a specific path query.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
6 months agotest: extend intersection tests
Fabian Grünbichler [Fri, 21 Jan 2022 10:23:25 +0000 (11:23 +0100)]
test: extend intersection tests

to check the previous commit's fix.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
6 months agorpcenv: improve user/token intersection
Fabian Grünbichler [Fri, 21 Jan 2022 10:23:36 +0000 (11:23 +0100)]
rpcenv: improve user/token intersection

this could return undef for the propagation flag instead of 1/0, leading
to confusing displays of permission trees. all the actual checks using
the returned hash check for definedness anyway, so the actual
privileges checked and the displayed ones were not identical.

fixes: 7e8bcaa754432f084e53d9daf13c653a8777d88b
"roles()/permissions(): also return propagate flag"

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
6 months agoget effective permissions: return /sdn path too
Thomas Lamprecht [Fri, 21 Jan 2022 13:19:55 +0000 (14:19 +0100)]
get effective permissions: return /sdn path too

only cosmetic for the user to see what their permission tree looks
like.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
7 months agofix realm sync permissions
Wolfgang Bumiller [Mon, 20 Dec 2021 10:31:15 +0000 (11:31 +0100)]
fix realm sync permissions

The userid-* permission check variants work on
$param->{userid} directly which does not exist for this
call. Also, they work on the realm of the user being
checked, rather than the realm provided as parameter.

The result was that as non-root user this always failed
with the message "userid '' too short"

Fix this by making the check explicitly work like in the
description.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
7 months agouse statement fixup
Wolfgang Bumiller [Tue, 14 Dec 2021 08:13:44 +0000 (09:13 +0100)]
use statement fixup

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
8 months agotfa list: account for admin permissions
Wolfgang Bumiller [Mon, 6 Dec 2021 13:33:44 +0000 (14:33 +0100)]
tfa list: account for admin permissions

instead of restricting listing tfa entries of others to
root@pam, perform the same checks the user-list does and
which also reflect the permissions of the api calls actually
operating on those users, so, `User.Modify` on the user (but
also `Sys.Audit`, since it's only a read-operation, just
like the user index API call)

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
8 months agotfa: when modifying others, verify the current user's password
Wolfgang Bumiller [Mon, 6 Dec 2021 13:12:33 +0000 (14:12 +0100)]
tfa: when modifying others, verify the current user's password

this was wrong as it asked for the password of the
to-be-edited user instead, which makes no sense

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
8 months agofix #3768: warn on bad u2f or webauthn settings
Wolfgang Bumiller [Mon, 6 Dec 2021 08:38:01 +0000 (09:38 +0100)]
fix #3768: warn on bad u2f or webauthn settings

but don't bail out of the entire auth process, otherwise
not even totp or recovery keys will work anymore in this
case

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
8 months agofix a 'use of undefined...' warning
Wolfgang Bumiller [Mon, 6 Dec 2021 08:38:00 +0000 (09:38 +0100)]
fix a 'use of undefined...' warning

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
8 months agobump version to 7.1-5
Thomas Lamprecht [Thu, 25 Nov 2021 06:57:45 +0000 (07:57 +0100)]
bump version to 7.1-5

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
8 months agoopenid: fix username-claim fallback
Thomas Lamprecht [Thu, 25 Nov 2021 06:57:10 +0000 (07:57 +0100)]
openid: fix username-claim fallback

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
8 months agobump version to 7.1-4
Wolfgang Bumiller [Mon, 22 Nov 2021 13:04:57 +0000 (14:04 +0100)]
bump version to 7.1-4

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
8 months agofill origin into webauthn config if not provided
Wolfgang Bumiller [Mon, 22 Nov 2021 12:52:57 +0000 (13:52 +0100)]
fill origin into webauthn config if not provided

in order to allow subdomains to work, the wa config should
only specify 'id' and 'rp', the 'origin' gets filled in by
the node

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
8 months agobump version to 7.1-3
Thomas Lamprecht [Fri, 19 Nov 2021 07:12:02 +0000 (08:12 +0100)]
bump version to 7.1-3

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
8 months agod/control: bump versioned dependency to libpve-rs-perl
Thomas Lamprecht [Fri, 19 Nov 2021 08:34:25 +0000 (09:34 +0100)]
d/control: bump versioned dependency to libpve-rs-perl

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
8 months agoopenid: support configuring ACR values
Thomas Lamprecht [Thu, 18 Nov 2021 16:01:04 +0000 (17:01 +0100)]
openid: support configuring ACR values

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
8 months agoopenid: support configuring scopes
Thomas Lamprecht [Thu, 18 Nov 2021 16:00:42 +0000 (17:00 +0100)]
openid: support configuring scopes

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
8 months agoopenid: support configuring the prompt
Thomas Lamprecht [Thu, 18 Nov 2021 13:53:44 +0000 (14:53 +0100)]
openid: support configuring the prompt

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
8 months agoopenid: fix whitespace/indentation
Thomas Lamprecht [Thu, 18 Nov 2021 13:52:52 +0000 (14:52 +0100)]
openid: fix whitespace/indentation

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
8 months agoopenid: allow arbitrary username-claims
Thomas Lamprecht [Thu, 18 Nov 2021 13:24:24 +0000 (14:24 +0100)]
openid: allow arbitrary username-claims

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
8 months agobump version to 7.1-2
Thomas Lamprecht [Wed, 17 Nov 2021 12:45:08 +0000 (13:45 +0100)]
bump version to 7.1-2

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
8 months agod/control: bump versioned dependency to libpve-rs-perl
Thomas Lamprecht [Wed, 17 Nov 2021 12:47:59 +0000 (13:47 +0100)]
d/control: bump versioned dependency to libpve-rs-perl

to ensure we get the incompatible type set for such TFA entries

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
8 months agocatch incompatible tfa entries with a nice error
Wolfgang Bumiller [Wed, 17 Nov 2021 11:34:40 +0000 (12:34 +0100)]
catch incompatible tfa entries with a nice error

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
8 months agobump version to 7.1-1
Thomas Lamprecht [Mon, 15 Nov 2021 14:33:29 +0000 (15:33 +0100)]
bump version to 7.1-1

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
8 months agotfa: fix http 404 in get_tfa_entry
Wolfgang Bumiller [Fri, 12 Nov 2021 09:37:45 +0000 (10:37 +0100)]
tfa: fix http 404 in get_tfa_entry

this produced warnings in the journal and returned code 500
instead

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
8 months agobump version to 7.0-7
Thomas Lamprecht [Thu, 11 Nov 2021 17:20:02 +0000 (18:20 +0100)]
bump version to 7.0-7

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
8 months agod/control: break pve-manager (<< 7.0-15)
Thomas Lamprecht [Thu, 11 Nov 2021 17:19:23 +0000 (18:19 +0100)]
d/control: break pve-manager (<< 7.0-15)

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
8 months agoticket: normalize path for verification
Fabian Grünbichler [Thu, 11 Nov 2021 14:07:12 +0000 (15:07 +0100)]
ticket: normalize path for verification

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
8 months agotickets: add tunnel ticket
Fabian Grünbichler [Thu, 11 Nov 2021 14:07:11 +0000 (15:07 +0100)]
tickets: add tunnel ticket

just like VNC ticket, but different prefix to prevent confusion.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
8 months agotfa: upgrade check: early return if no cluster members
Thomas Lamprecht [Thu, 11 Nov 2021 11:29:58 +0000 (12:29 +0100)]
tfa: upgrade check: early return if no cluster members

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
8 months agotfa: upgrade check: more info in error message(s)
Thomas Lamprecht [Thu, 11 Nov 2021 11:06:42 +0000 (12:06 +0100)]
tfa: upgrade check: more info in error message(s)

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
8 months agotfa: upgrade check: be less strict about version format
Thomas Lamprecht [Thu, 11 Nov 2021 11:05:52 +0000 (12:05 +0100)]
tfa: upgrade check: be less strict about version format

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
8 months agoimplement version checks for tfa
Wolfgang Bumiller [Wed, 10 Nov 2021 14:11:45 +0000 (15:11 +0100)]
implement version checks for tfa

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
8 months agomerge old user.cfg keys to tfa config when adding entries
Wolfgang Bumiller [Wed, 10 Nov 2021 12:49:03 +0000 (13:49 +0100)]
merge old user.cfg keys to tfa config when adding entries

this happens when the first new tfa entry is added and the
'keys' entry is replaced by "x"

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
8 months agod/control: add liburi-perl dependency
Wolfgang Bumiller [Wed, 10 Nov 2021 12:49:02 +0000 (13:49 +0100)]
d/control: add liburi-perl dependency

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
8 months agocheck enforced realm tfa type in new auth
Wolfgang Bumiller [Wed, 10 Nov 2021 12:49:01 +0000 (13:49 +0100)]
check enforced realm tfa type in new auth

this way we could also add webauthn as a required tfa type
to the realm configs later on

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
8 months agoassert tfa/user config lock order
Wolfgang Bumiller [Wed, 10 Nov 2021 12:49:00 +0000 (13:49 +0100)]
assert tfa/user config lock order

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
8 months agoset/remove 'x' for tfa keys in user.cfg in new api
Wolfgang Bumiller [Tue, 9 Nov 2021 11:27:05 +0000 (12:27 +0100)]
set/remove 'x' for tfa keys in user.cfg in new api

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
8 months agopveum: update tfa delete command
Wolfgang Bumiller [Tue, 9 Nov 2021 11:27:04 +0000 (12:27 +0100)]
pveum: update tfa delete command

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
8 months agoupdate tfa cleanup when deleting users
Wolfgang Bumiller [Tue, 9 Nov 2021 11:27:03 +0000 (12:27 +0100)]
update tfa cleanup when deleting users

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
8 months agosupport registering yubico otp keys
Wolfgang Bumiller [Tue, 9 Nov 2021 11:27:02 +0000 (12:27 +0100)]
support registering yubico otp keys

In PBS we don't support this, so the current TFA API in rust
does not support this either (although the config does know
about its *existence*).

For now, yubico authentication will be done in perl. Adding
it to rust the rust TFA crate would not make much sense
anyway as we'd likely not want to use the same http client
crate in pve and pbs anyway (since pve is all blocking code
and pbs is async...)

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
8 months agoadd pbs-style TFA API implementation
Wolfgang Bumiller [Tue, 9 Nov 2021 11:27:01 +0000 (12:27 +0100)]
add pbs-style TFA API implementation

implements the same api paths as in pbs by forwarding the
api methods to the rust implementation after performing the
product-specific checks

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
8 months agomove TFA api path into its own module
Wolfgang Bumiller [Tue, 9 Nov 2021 11:27:00 +0000 (12:27 +0100)]
move TFA api path into its own module

and remove old modification api

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
8 months agohandle yubico authentication in new path
Wolfgang Bumiller [Tue, 9 Nov 2021 11:26:59 +0000 (12:26 +0100)]
handle yubico authentication in new path

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
8 months agouse PBS-like auth api call flow
Wolfgang Bumiller [Tue, 9 Nov 2021 11:26:58 +0000 (12:26 +0100)]
use PBS-like auth api call flow

The main difference here is that we have no separate api
path for verification. Instead, the ticket api call gets an
optional 'tfa-challenge' parameter.

This is opt-in: old pve-manager UI with new
pve-access-control will still work as expected, but users
won't be able to *update* their TFA settings.

Since the new tfa config parser will build a compatible
in-perl tfa config object as well, the old authentication
code is left unchanged for compatibility and will be removed
with pve-8, where the `new-format` parameter in the ticket
call will change its default to `1`.

The `change_tfa` call will simply die in this commit. It is
removed later when adding the pbs-style TFA API calls.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
8 months agoupdate read_user_tfa_type call
Wolfgang Bumiller [Tue, 9 Nov 2021 11:26:57 +0000 (12:26 +0100)]
update read_user_tfa_type call

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
8 months agouse rust parser for TFA config
Wolfgang Bumiller [Tue, 9 Nov 2021 11:26:56 +0000 (12:26 +0100)]
use rust parser for TFA config

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
9 months agoopenid: proxy: only set env var if DC-config property exists
Thomas Lamprecht [Wed, 3 Nov 2021 10:30:05 +0000 (11:30 +0100)]
openid: proxy: only set env var if DC-config property exists

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
9 months agofix #3513: pass configured proxy to OpenID
Fabian Grünbichler [Tue, 13 Jul 2021 08:09:17 +0000 (10:09 +0200)]
fix #3513: pass configured proxy to OpenID

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
9 months agobump version to 7.0-6
Thomas Lamprecht [Thu, 21 Oct 2021 10:28:58 +0000 (12:28 +0200)]
bump version to 7.0-6

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
9 months agofix user deletion when realm does not enforce TFA
Dominik Csapak [Tue, 19 Oct 2021 11:52:42 +0000 (13:52 +0200)]
fix user deletion when realm does not enforce TFA

here the existance of the user is only interesting if we want to set
data, not if we delete it.

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
10 months agobump version to 7.0-5
Thomas Lamprecht [Mon, 27 Sep 2021 13:50:50 +0000 (15:50 +0200)]
bump version to 7.0-5

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
10 months agoapi: delete user: better communicate partial deletion
Thomas Lamprecht [Mon, 27 Sep 2021 13:46:26 +0000 (15:46 +0200)]
api: delete user: better communicate partial deletion

this is really an edge case and should not happen often in practice,
the time window is small and deletions are not _that_ common, but
still.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
10 months agoapi: delete user: disable first to avoid surprise on error
Thomas Lamprecht [Mon, 27 Sep 2021 13:32:38 +0000 (15:32 +0200)]
api: delete user: disable first to avoid surprise on error

Write out a config with the user disabled so that it cannot be used
even if deletion fails, why ever that is

Suggested-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
10 months agofix #2302: allow deletion of users when realm enforces TFA
Thomas Lamprecht [Mon, 27 Sep 2021 13:31:31 +0000 (15:31 +0200)]
fix #2302: allow deletion of users when realm enforces TFA

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
10 months agoapi: user: indentation & whitspace cleanups
Thomas Lamprecht [Thu, 23 Sep 2021 12:16:50 +0000 (14:16 +0200)]
api: user: indentation & whitspace cleanups

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
11 months agocheck_path: add /sdn/vnets/* path
Alexandre Derumier [Thu, 5 Aug 2021 15:00:44 +0000 (17:00 +0200)]
check_path: add /sdn/vnets/* path

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
13 months agobump version to 7.0-4
Thomas Lamprecht [Fri, 2 Jul 2021 11:45:51 +0000 (13:45 +0200)]
bump version to 7.0-4

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
13 months agoapi: users: use public regex directly to parse out realm
Thomas Lamprecht [Fri, 2 Jul 2021 11:42:16 +0000 (13:42 +0200)]
api: users: use public regex directly to parse out realm

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
13 months agoapi: users: code-style cleanup and sort when iterating users
Thomas Lamprecht [Fri, 2 Jul 2021 11:41:29 +0000 (13:41 +0200)]
api: users: code-style cleanup and sort when iterating users

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
13 months agoapi: users: s/realmtype/realm-type/ in response
Thomas Lamprecht [Fri, 2 Jul 2021 11:38:46 +0000 (13:38 +0200)]
api: users: s/realmtype/realm-type/ in response

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
13 months agoapi: user: add realmtype to user list
Dominik Csapak [Thu, 1 Jul 2021 12:25:00 +0000 (14:25 +0200)]
api: user: add realmtype to user list

this makes it much easier to determine if a user can e.g.
change a password or tfa, based on realm

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
13 months agoimplement OpenID autocreate user feature
Dietmar Maurer [Wed, 30 Jun 2021 06:10:07 +0000 (08:10 +0200)]
implement OpenID autocreate user feature

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
13 months agoapi: implement openid API
Dietmar Maurer [Wed, 30 Jun 2021 06:10:06 +0000 (08:10 +0200)]
api: implement openid API

This moves compute_api_permission() into RPCEnvironment.pm.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
13 months agodepend on libpve-rs-perl
Dietmar Maurer [Wed, 30 Jun 2021 06:10:05 +0000 (08:10 +0200)]
depend on libpve-rs-perl

13 months agoadd OpenId configuration
Dietmar Maurer [Wed, 30 Jun 2021 06:10:04 +0000 (08:10 +0200)]
add OpenId configuration

13 months agocheck_user_enabled: also check if user is expired
Dietmar Maurer [Wed, 30 Jun 2021 06:10:03 +0000 (08:10 +0200)]
check_user_enabled: also check if user is expired

13 months agobump version to 7.0-3
Thomas Lamprecht [Mon, 21 Jun 2021 08:31:23 +0000 (10:31 +0200)]
bump version to 7.0-3

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
13 months agobuildsys: clean more
Thomas Lamprecht [Thu, 17 Jun 2021 12:43:44 +0000 (14:43 +0200)]
buildsys: clean more

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
13 months agoaccess control: style: register configs in single line each
Thomas Lamprecht [Thu, 17 Jun 2021 12:41:02 +0000 (14:41 +0200)]
access control: style: register configs in single line each

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
13 months agocheck_path : add sdn zone path
Alexandre Derumier [Wed, 9 Jun 2021 04:37:30 +0000 (06:37 +0200)]
check_path : add sdn zone path

This was missing in commit20c60513b2a6b2d7c7aae0dcc0391889b9cb7ecf,
so user can't assign permisson on a zone currently

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
13 months agoadd missing paths in check_path
Dominik Csapak [Wed, 16 Jun 2021 13:55:34 +0000 (15:55 +0200)]
add missing paths in check_path

* /access/realm/<realm>
* /access/groups/<group>

were overlooked when fixing #1500

see: https://forum.proxmox.com/threads/are-group-acls-broken-in-v6-4.91000/

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
13 months agorpc env: sort use statements
Thomas Lamprecht [Tue, 15 Jun 2021 12:38:41 +0000 (14:38 +0200)]
rpc env: sort use statements

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
14 months agobuildsys: change upload dist to bullseye
Thomas Lamprecht [Tue, 8 Jun 2021 07:47:21 +0000 (09:47 +0200)]
buildsys: change upload dist to bullseye

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
14 months agobump version to 7.0-2
Fabian Grünbichler [Tue, 1 Jun 2021 09:29:49 +0000 (11:29 +0200)]
bump version to 7.0-2

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
14 months agofix #3402: add Pool.Audit permission
Lorenz Stechauner [Thu, 20 May 2021 10:03:39 +0000 (12:03 +0200)]
fix #3402: add Pool.Audit permission

add new user "PVEPoolUser" and add Pool.Audit to "PVEAuditor".

Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
14 months agod/control: add missing libuuid-perl b-d
Fabian Grünbichler [Tue, 18 May 2021 11:17:16 +0000 (13:17 +0200)]
d/control: add missing libuuid-perl b-d

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
14 months agobump version to 7.0-1
Thomas Lamprecht [Sun, 9 May 2021 16:18:39 +0000 (18:18 +0200)]
bump version to 7.0-1

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
14 months agopveum: work around unavailable API2:Pools module
Thomas Lamprecht [Sun, 9 May 2021 17:46:53 +0000 (19:46 +0200)]
pveum: work around unavailable API2:Pools module

commit 42ade84744ab60ff8e452d3e562a36dd3da2b810 added the pool
subcommands, reusing the PVE::API2::Pool module. But that module has
to live in pve-manager and is not available here, most of the time
not a real issue (but always ugly), on bootstrapping this becomes a
blocker though...

So, for now add a hack and do not hard depend on the modules
availability...

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
14 months agod/control: update standards version
Thomas Lamprecht [Sun, 9 May 2021 17:46:31 +0000 (19:46 +0200)]
d/control: update standards version

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
14 months agod/control: drop perl dependency, added by ${perl:Depends}
Thomas Lamprecht [Sun, 9 May 2021 17:46:17 +0000 (19:46 +0200)]
d/control: drop perl dependency, added by ${perl:Depends}

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
14 months agobuildsys: split packaging and source build-systems
Thomas Lamprecht [Sun, 9 May 2021 17:37:47 +0000 (19:37 +0200)]
buildsys: split packaging and source build-systems

Much nicer to handle and work with than entangling all together in a
single spaghetti pile.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
15 months agod/control: bump debhelper compat to >= 12
Thomas Lamprecht [Sun, 9 May 2021 16:16:38 +0000 (18:16 +0200)]
d/control: bump debhelper compat to >= 12

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
15 months agod/rules: fix dh_missing override
Thomas Lamprecht [Sun, 9 May 2021 16:16:03 +0000 (18:16 +0200)]
d/rules: fix dh_missing override

note, with compat level >= 13 we can drop that override finally

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
15 months agobump version to 6.4-1
Thomas Lamprecht [Sat, 24 Apr 2021 17:48:25 +0000 (19:48 +0200)]
bump version to 6.4-1

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
15 months agoresource pools: add resource pool cli commands
Dylan Whyte [Fri, 29 Jan 2021 07:54:39 +0000 (08:54 +0100)]
resource pools: add resource pool cli commands

Add commands for creating, modifying, listing, and deleting resource
pools.

Signed-off-by: Dylan Whyte <d.whyte@proxmox.com>
15 months agofix typo in oathkeygen: randon -> random
Lorenz Stechauner [Tue, 20 Apr 2021 12:11:55 +0000 (14:11 +0200)]
fix typo in oathkeygen: randon -> random

Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
15 months agoacl: check path: further resdtrict VMID values
Thomas Lamprecht [Mon, 19 Apr 2021 09:50:16 +0000 (11:50 +0200)]
acl: check path: further resdtrict VMID values

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>