]>
git.proxmox.com Git - pve-access-control.git/log
Wolfgang Bumiller [Mon, 6 Dec 2021 13:33:44 +0000 (14:33 +0100)]
tfa list: account for admin permissions
instead of restricting listing tfa entries of others to
root@pam, perform the same checks the user-list does and
which also reflect the permissions of the api calls actually
operating on those users, so, `User.Modify` on the user (but
also `Sys.Audit`, since it's only a read-operation, just
like the user index API call)
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Mon, 6 Dec 2021 13:12:33 +0000 (14:12 +0100)]
tfa: when modifying others, verify the current user's password
this was wrong as it asked for the password of the
to-be-edited user instead, which makes no sense
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Mon, 6 Dec 2021 08:38:01 +0000 (09:38 +0100)]
fix #3768: warn on bad u2f or webauthn settings
but don't bail out of the entire auth process, otherwise
not even totp or recovery keys will work anymore in this
case
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Mon, 6 Dec 2021 08:38:00 +0000 (09:38 +0100)]
fix a 'use of undefined...' warning
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Thomas Lamprecht [Thu, 25 Nov 2021 06:57:45 +0000 (07:57 +0100)]
bump version to 7.1-5
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 25 Nov 2021 06:57:10 +0000 (07:57 +0100)]
openid: fix username-claim fallback
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Wolfgang Bumiller [Mon, 22 Nov 2021 13:04:57 +0000 (14:04 +0100)]
bump version to 7.1-4
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Mon, 22 Nov 2021 12:52:57 +0000 (13:52 +0100)]
fill origin into webauthn config if not provided
in order to allow subdomains to work, the wa config should
only specify 'id' and 'rp', the 'origin' gets filled in by
the node
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Thomas Lamprecht [Fri, 19 Nov 2021 07:12:02 +0000 (08:12 +0100)]
bump version to 7.1-3
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Fri, 19 Nov 2021 08:34:25 +0000 (09:34 +0100)]
d/control: bump versioned dependency to libpve-rs-perl
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 18 Nov 2021 16:01:04 +0000 (17:01 +0100)]
openid: support configuring ACR values
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 18 Nov 2021 16:00:42 +0000 (17:00 +0100)]
openid: support configuring scopes
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 18 Nov 2021 13:53:44 +0000 (14:53 +0100)]
openid: support configuring the prompt
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 18 Nov 2021 13:52:52 +0000 (14:52 +0100)]
openid: fix whitespace/indentation
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 18 Nov 2021 13:24:24 +0000 (14:24 +0100)]
openid: allow arbitrary username-claims
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Wed, 17 Nov 2021 12:45:08 +0000 (13:45 +0100)]
bump version to 7.1-2
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Wed, 17 Nov 2021 12:47:59 +0000 (13:47 +0100)]
d/control: bump versioned dependency to libpve-rs-perl
to ensure we get the incompatible type set for such TFA entries
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Wolfgang Bumiller [Wed, 17 Nov 2021 11:34:40 +0000 (12:34 +0100)]
catch incompatible tfa entries with a nice error
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Thomas Lamprecht [Mon, 15 Nov 2021 14:33:29 +0000 (15:33 +0100)]
bump version to 7.1-1
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Wolfgang Bumiller [Fri, 12 Nov 2021 09:37:45 +0000 (10:37 +0100)]
tfa: fix http 404 in get_tfa_entry
this produced warnings in the journal and returned code 500
instead
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Thomas Lamprecht [Thu, 11 Nov 2021 17:20:02 +0000 (18:20 +0100)]
bump version to 7.0-7
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 11 Nov 2021 17:19:23 +0000 (18:19 +0100)]
d/control: break pve-manager (<< 7.0-15)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Fabian Grünbichler [Thu, 11 Nov 2021 14:07:12 +0000 (15:07 +0100)]
ticket: normalize path for verification
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Thu, 11 Nov 2021 14:07:11 +0000 (15:07 +0100)]
tickets: add tunnel ticket
just like VNC ticket, but different prefix to prevent confusion.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Thomas Lamprecht [Thu, 11 Nov 2021 11:29:58 +0000 (12:29 +0100)]
tfa: upgrade check: early return if no cluster members
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 11 Nov 2021 11:06:42 +0000 (12:06 +0100)]
tfa: upgrade check: more info in error message(s)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 11 Nov 2021 11:05:52 +0000 (12:05 +0100)]
tfa: upgrade check: be less strict about version format
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Wolfgang Bumiller [Wed, 10 Nov 2021 14:11:45 +0000 (15:11 +0100)]
implement version checks for tfa
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Wed, 10 Nov 2021 12:49:03 +0000 (13:49 +0100)]
merge old user.cfg keys to tfa config when adding entries
this happens when the first new tfa entry is added and the
'keys' entry is replaced by "x"
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Wolfgang Bumiller [Wed, 10 Nov 2021 12:49:02 +0000 (13:49 +0100)]
d/control: add liburi-perl dependency
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Wed, 10 Nov 2021 12:49:01 +0000 (13:49 +0100)]
check enforced realm tfa type in new auth
this way we could also add webauthn as a required tfa type
to the realm configs later on
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Wed, 10 Nov 2021 12:49:00 +0000 (13:49 +0100)]
assert tfa/user config lock order
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Tue, 9 Nov 2021 11:27:05 +0000 (12:27 +0100)]
set/remove 'x' for tfa keys in user.cfg in new api
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Tue, 9 Nov 2021 11:27:04 +0000 (12:27 +0100)]
pveum: update tfa delete command
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Tue, 9 Nov 2021 11:27:03 +0000 (12:27 +0100)]
update tfa cleanup when deleting users
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Tue, 9 Nov 2021 11:27:02 +0000 (12:27 +0100)]
support registering yubico otp keys
In PBS we don't support this, so the current TFA API in rust
does not support this either (although the config does know
about its *existence*).
For now, yubico authentication will be done in perl. Adding
it to rust the rust TFA crate would not make much sense
anyway as we'd likely not want to use the same http client
crate in pve and pbs anyway (since pve is all blocking code
and pbs is async...)
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Tue, 9 Nov 2021 11:27:01 +0000 (12:27 +0100)]
add pbs-style TFA API implementation
implements the same api paths as in pbs by forwarding the
api methods to the rust implementation after performing the
product-specific checks
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Tue, 9 Nov 2021 11:27:00 +0000 (12:27 +0100)]
move TFA api path into its own module
and remove old modification api
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Tue, 9 Nov 2021 11:26:59 +0000 (12:26 +0100)]
handle yubico authentication in new path
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Tue, 9 Nov 2021 11:26:58 +0000 (12:26 +0100)]
use PBS-like auth api call flow
The main difference here is that we have no separate api
path for verification. Instead, the ticket api call gets an
optional 'tfa-challenge' parameter.
This is opt-in: old pve-manager UI with new
pve-access-control will still work as expected, but users
won't be able to *update* their TFA settings.
Since the new tfa config parser will build a compatible
in-perl tfa config object as well, the old authentication
code is left unchanged for compatibility and will be removed
with pve-8, where the `new-format` parameter in the ticket
call will change its default to `1`.
The `change_tfa` call will simply die in this commit. It is
removed later when adding the pbs-style TFA API calls.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Tue, 9 Nov 2021 11:26:57 +0000 (12:26 +0100)]
update read_user_tfa_type call
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Tue, 9 Nov 2021 11:26:56 +0000 (12:26 +0100)]
use rust parser for TFA config
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Thomas Lamprecht [Wed, 3 Nov 2021 10:30:05 +0000 (11:30 +0100)]
openid: proxy: only set env var if DC-config property exists
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Fabian Grünbichler [Tue, 13 Jul 2021 08:09:17 +0000 (10:09 +0200)]
fix #3513: pass configured proxy to OpenID
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Thomas Lamprecht [Thu, 21 Oct 2021 10:28:58 +0000 (12:28 +0200)]
bump version to 7.0-6
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Dominik Csapak [Tue, 19 Oct 2021 11:52:42 +0000 (13:52 +0200)]
fix user deletion when realm does not enforce TFA
here the existance of the user is only interesting if we want to set
data, not if we delete it.
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Thomas Lamprecht [Mon, 27 Sep 2021 13:50:50 +0000 (15:50 +0200)]
bump version to 7.0-5
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Mon, 27 Sep 2021 13:46:26 +0000 (15:46 +0200)]
api: delete user: better communicate partial deletion
this is really an edge case and should not happen often in practice,
the time window is small and deletions are not _that_ common, but
still.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Mon, 27 Sep 2021 13:32:38 +0000 (15:32 +0200)]
api: delete user: disable first to avoid surprise on error
Write out a config with the user disabled so that it cannot be used
even if deletion fails, why ever that is
Suggested-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Mon, 27 Sep 2021 13:31:31 +0000 (15:31 +0200)]
fix #2302: allow deletion of users when realm enforces TFA
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 23 Sep 2021 12:16:50 +0000 (14:16 +0200)]
api: user: indentation & whitspace cleanups
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Alexandre Derumier [Thu, 5 Aug 2021 15:00:44 +0000 (17:00 +0200)]
check_path: add /sdn/vnets/* path
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Thomas Lamprecht [Fri, 2 Jul 2021 11:45:51 +0000 (13:45 +0200)]
bump version to 7.0-4
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Fri, 2 Jul 2021 11:42:16 +0000 (13:42 +0200)]
api: users: use public regex directly to parse out realm
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Fri, 2 Jul 2021 11:41:29 +0000 (13:41 +0200)]
api: users: code-style cleanup and sort when iterating users
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Fri, 2 Jul 2021 11:38:46 +0000 (13:38 +0200)]
api: users: s/realmtype/realm-type/ in response
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Dominik Csapak [Thu, 1 Jul 2021 12:25:00 +0000 (14:25 +0200)]
api: user: add realmtype to user list
this makes it much easier to determine if a user can e.g.
change a password or tfa, based on realm
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dietmar Maurer [Wed, 30 Jun 2021 06:10:07 +0000 (08:10 +0200)]
implement OpenID autocreate user feature
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Dietmar Maurer [Wed, 30 Jun 2021 06:10:06 +0000 (08:10 +0200)]
api: implement openid API
This moves compute_api_permission() into RPCEnvironment.pm.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Dietmar Maurer [Wed, 30 Jun 2021 06:10:05 +0000 (08:10 +0200)]
depend on libpve-rs-perl
Dietmar Maurer [Wed, 30 Jun 2021 06:10:04 +0000 (08:10 +0200)]
add OpenId configuration
Dietmar Maurer [Wed, 30 Jun 2021 06:10:03 +0000 (08:10 +0200)]
check_user_enabled: also check if user is expired
Thomas Lamprecht [Mon, 21 Jun 2021 08:31:23 +0000 (10:31 +0200)]
bump version to 7.0-3
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 17 Jun 2021 12:43:44 +0000 (14:43 +0200)]
buildsys: clean more
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Thu, 17 Jun 2021 12:41:02 +0000 (14:41 +0200)]
access control: style: register configs in single line each
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Alexandre Derumier [Wed, 9 Jun 2021 04:37:30 +0000 (06:37 +0200)]
check_path : add sdn zone path
This was missing in commit20c60513b2a6b2d7c7aae0dcc0391889b9cb7ecf,
so user can't assign permisson on a zone currently
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Dominik Csapak [Wed, 16 Jun 2021 13:55:34 +0000 (15:55 +0200)]
add missing paths in check_path
* /access/realm/<realm>
* /access/groups/<group>
were overlooked when fixing #1500
see: https://forum.proxmox.com/threads/are-group-acls-broken-in-v6-4.91000/
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Thomas Lamprecht [Tue, 15 Jun 2021 12:38:41 +0000 (14:38 +0200)]
rpc env: sort use statements
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 8 Jun 2021 07:47:21 +0000 (09:47 +0200)]
buildsys: change upload dist to bullseye
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Fabian Grünbichler [Tue, 1 Jun 2021 09:29:49 +0000 (11:29 +0200)]
bump version to 7.0-2
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Lorenz Stechauner [Thu, 20 May 2021 10:03:39 +0000 (12:03 +0200)]
fix #3402: add Pool.Audit permission
add new user "PVEPoolUser" and add Pool.Audit to "PVEAuditor".
Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
Fabian Grünbichler [Tue, 18 May 2021 11:17:16 +0000 (13:17 +0200)]
d/control: add missing libuuid-perl b-d
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Thomas Lamprecht [Sun, 9 May 2021 16:18:39 +0000 (18:18 +0200)]
bump version to 7.0-1
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sun, 9 May 2021 17:46:53 +0000 (19:46 +0200)]
pveum: work around unavailable API2:Pools module
commit
42ade84744ab60ff8e452d3e562a36dd3da2b810 added the pool
subcommands, reusing the PVE::API2::Pool module. But that module has
to live in pve-manager and is not available here, most of the time
not a real issue (but always ugly), on bootstrapping this becomes a
blocker though...
So, for now add a hack and do not hard depend on the modules
availability...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sun, 9 May 2021 17:46:31 +0000 (19:46 +0200)]
d/control: update standards version
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sun, 9 May 2021 17:46:17 +0000 (19:46 +0200)]
d/control: drop perl dependency, added by ${perl:Depends}
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sun, 9 May 2021 17:37:47 +0000 (19:37 +0200)]
buildsys: split packaging and source build-systems
Much nicer to handle and work with than entangling all together in a
single spaghetti pile.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sun, 9 May 2021 16:16:38 +0000 (18:16 +0200)]
d/control: bump debhelper compat to >= 12
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sun, 9 May 2021 16:16:03 +0000 (18:16 +0200)]
d/rules: fix dh_missing override
note, with compat level >= 13 we can drop that override finally
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sat, 24 Apr 2021 17:48:25 +0000 (19:48 +0200)]
bump version to 6.4-1
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Dylan Whyte [Fri, 29 Jan 2021 07:54:39 +0000 (08:54 +0100)]
resource pools: add resource pool cli commands
Add commands for creating, modifying, listing, and deleting resource
pools.
Signed-off-by: Dylan Whyte <d.whyte@proxmox.com>
Lorenz Stechauner [Tue, 20 Apr 2021 12:11:55 +0000 (14:11 +0200)]
fix typo in oathkeygen: randon -> random
Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
Thomas Lamprecht [Mon, 19 Apr 2021 09:50:16 +0000 (11:50 +0200)]
acl: check path: further resdtrict VMID values
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Mon, 19 Apr 2021 09:48:49 +0000 (11:48 +0200)]
acl: check path: spell param out
we normally use shift only in closures, to keep them short, as a
module method this should rather use our standard style.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Lorenz Stechauner [Mon, 19 Apr 2021 07:16:28 +0000 (09:16 +0200)]
fix #1500: permission path syntax check for access control
Syntax for permission paths is now checked on API calls for
creation or update on permissions.
Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
Wolfgang Bumiller [Fri, 20 Nov 2020 10:05:34 +0000 (11:05 +0100)]
fix #1670: change PAM service name to project specific name
Instead of 'common-auth' use 'proxmox-ve-auth', this way
users can override PAM authentication settings via
`/etc/pam.d/proxmox-ve-auth`.
If the file does not exist, pam will use `/etc/pam.d/other`
which by default behaves like `common-auth`.
Note that this *can* be different from directly using
`common-auth` *if* a user has actually modified
`/etc/pam.d/other` for some reason.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Thomas Lamprecht [Tue, 29 Sep 2020 06:53:56 +0000 (08:53 +0200)]
bump version to 6.1-3
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 29 Sep 2020 05:09:51 +0000 (07:09 +0200)]
api/users: catch existing user also on case insensitive realm
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 29 Sep 2020 04:19:07 +0000 (06:19 +0200)]
api/users: indentation cleanup
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Wolfgang Link [Tue, 8 Sep 2020 12:09:45 +0000 (14:09 +0200)]
fix #2947 login name for the LDAP/AD realm can be case-insensitive
This is an optional for LDAP and AD realm.
The default behavior is case-sensitive.
Signed-off-by: Wolfgang Link <w.link@proxmox.com>
Thomas Lamprecht [Fri, 3 Jul 2020 09:06:55 +0000 (11:06 +0200)]
partially fix #2825: authkey: rotate if it was generated in the future
Can happen if the RTC is in the future during installation and first
boot, when during key generation the clock is in the future and then,
after the key was already generated, jumps back in time.
Allow a fuzz of $auth_graceperiod, which is currently 5 minutes, as
that fuzz allows some minor, not really problematic, time sync
disparity in clusters.
If an old authkey exists, meaning we rotated at least once, check it's
time too. Only rotate if it'd not be valid for any tickets in the
cluster anymore, i.e., if it difference between the current key is >
$ticket_lifetime (2 hours)..
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Fri, 3 Jul 2020 13:18:11 +0000 (15:18 +0200)]
authkey: use variable instead of hard coded grace period value
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 30 Jun 2020 11:06:59 +0000 (13:06 +0200)]
bump version to 6.1-2
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Mira Limbeck [Thu, 25 Jun 2020 14:48:46 +0000 (16:48 +0200)]
introduce VM.Config.Cloudinit permission
It is added to PVEVMUser by default.
Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
Alexandre Derumier [Fri, 12 Jun 2020 09:53:22 +0000 (11:53 +0200)]
api2: AccessControl: add sdn permissions.modify
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Thomas Lamprecht [Tue, 9 Jun 2020 09:43:51 +0000 (11:43 +0200)]
comput coarse UI permissions: also check SDN ones
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Fri, 8 May 2020 15:47:50 +0000 (17:47 +0200)]
bump version to 6.1-1
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Dominik Csapak [Fri, 8 May 2020 11:16:58 +0000 (13:16 +0200)]
LDAP: skip anonymous bind when clientcert/key is given
It seems that servers associate the client-cert/key with an account, so
doing an explicit anonymous bind then 'logs out' the already verified
user, limiting the search results in some cases
before refactoring to PVE::LDAP, we did not do '$ldap->bind' at all when
there was no bind_dn, but it is not really clear if Net::LDAP does this
automatically when searching (other libraries do this), so leave the
anonymous bind (for compatibility with PMG) but skip it when a client
certificate and key is given.
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Thomas Lamprecht [Fri, 8 May 2020 07:38:34 +0000 (09:38 +0200)]
ldap_delete_credentials: don't complain if already deleted
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Tim Marx [Wed, 6 May 2020 12:00:53 +0000 (14:00 +0200)]
whitespace cleanup
Signed-off-by: Tim Marx <t.marx@proxmox.com>