]>
git.proxmox.com Git - pve-access-control.git/log
Dominik Csapak [Fri, 13 Mar 2020 12:18:46 +0000 (13:18 +0100)]
Auth/AD: make PVE::Auth::AD a subclass of PVE::Auth::LDAP
this makes it much easier to reuse the sync code from LDAP in AD.
The 'authenticate_user' sub is still the same, but we now
can still use the get_users and get_groups functionality of LDAP
in the case of AD, the user_attr is optional in the config
(would have been a breaking change) but we set it
to default to 'sAMAccountName'
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dominik Csapak [Fri, 13 Mar 2020 12:18:45 +0000 (13:18 +0100)]
Auth/LDAP: add get_{users, groups} subs for syncing
this adds the subs which actually query the LDAP for users/groups
and returns the value in format which makes it easy to insert
in our parsed user.cfg
when we find a user/groupname which cannot be in our config,
we warn the verification error
for groups, we append "-$realm" to the groupname, to lower the chance of
accidental overwriting of existing groups (this will be documented
in the api call since it technically does not prevent overwriting, just
makes it more unlikely)
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dominik Csapak [Fri, 13 Mar 2020 12:18:44 +0000 (13:18 +0100)]
Auth/LDAP: add necessary options for syncing
for syncing users/groups from ldap, we need some more options
so that the users can adapt it to their LDAP setup, which are very
different accross systems.
sensible defaults are documented
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Sat, 7 Mar 2020 18:53:05 +0000 (19:53 +0100)]
d/control: bump versioned dependency to pve-common
to ensure we've the new LDAP module available
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Dominik Csapak [Fri, 6 Mar 2020 10:05:41 +0000 (11:05 +0100)]
Auth/LDAP: refactor out 'connect_and_bind'
we will use this not only for authentication but also for
getting users/groups from LDAP
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dominik Csapak [Fri, 6 Mar 2020 10:05:40 +0000 (11:05 +0100)]
API2/Domains.pm: document 'type' return value
this way it gets printed with 'pveum realm list'
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dominik Csapak [Fri, 6 Mar 2020 10:05:39 +0000 (11:05 +0100)]
API2/Domains.pm: fix whitespace errors
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dominik Csapak [Fri, 6 Mar 2020 10:05:38 +0000 (11:05 +0100)]
add realm commands to pveum
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dominik Csapak [Fri, 6 Mar 2020 10:05:37 +0000 (11:05 +0100)]
use PVE::LDAP module instead of useing Net::LDAP directly
for things like connecting/binding/etc.
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Dominik Csapak [Fri, 31 Jan 2020 10:54:33 +0000 (11:54 +0100)]
fix #2575: die when trying to edit built-in roles
instead of silently ignoring the change
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Thomas Lamprecht [Wed, 29 Jan 2020 09:17:31 +0000 (10:17 +0100)]
bump version to 6.0-6
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Wed, 29 Jan 2020 09:14:27 +0000 (10:14 +0100)]
d/control: bump versioned dependency on pve-common
for new allowtoken property in schema
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Wed, 29 Jan 2020 09:14:15 +0000 (10:14 +0100)]
d/control: change homepage link to https
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:18 +0000 (13:54 +0100)]
user.cfg: skip inexisting roles when parsing ACLs
we do the same for missing users, groups and tokens, and just like
groups, roles with an empty privilege set are explicitly allowed so
pre-generating placeholders is possible.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:17 +0000 (13:54 +0100)]
pveum: add permissions sub-commands
for user and token commands, and some pretty-printing for regular text
output, since the returned nested hash/dict is not very readable.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Thomas Lamprecht [Wed, 29 Jan 2020 19:21:10 +0000 (20:21 +0100)]
pveum token: rename 'update' subcommand to 'modify' for consistency
While the 1:1 mapping from API call names is not bad it was now the
unique "PUT" (modify) command having a different name here. Avoid
that for consistency.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:16 +0000 (13:54 +0100)]
pveum: add 'pveum user token add/update/remove/list'
mapping 1-to-1 to the respective API paths
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:14 +0000 (13:54 +0100)]
tests: unify config file naming
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:13 +0000 (13:54 +0100)]
test: add token-related tests
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:12 +0000 (13:54 +0100)]
API: add 'permissions' API endpoint
and related helper, to dump permissions + propagate info for
- a specific, given path
- generic top-level + user.cfg-referenced paths, including pools
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:11 +0000 (13:54 +0100)]
roles()/permissions(): also return propagate flag
this information is already available, but not exposed. we need it for
dumping an effective permission tree of a given user/token.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:10 +0000 (13:54 +0100)]
api: disallow some paths for API tokens
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:09 +0000 (13:54 +0100)]
API token: implement permission checks
non-privsep tokens will always return the roles/permissions of their
associated users. privsep tokens will return unfiltered roles, but
filtered permissions.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:08 +0000 (13:54 +0100)]
API: include API tokens in ACL API endpoints
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Thomas Lamprecht [Wed, 29 Jan 2020 20:21:15 +0000 (21:21 +0100)]
api/users: mark tokens and groups as optional in return schema
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:07 +0000 (13:54 +0100)]
API: add group and token info to user index
otherwise we need 1+N API calls to retrieve the full user+token picture
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Thomas Lamprecht [Wed, 29 Jan 2020 09:02:52 +0000 (10:02 +0100)]
api: document default of token expiration date
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:06 +0000 (13:54 +0100)]
API: add API token API endpoints
and integration for user API endpoints.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Thomas Lamprecht [Tue, 28 Jan 2020 20:10:43 +0000 (21:10 +0100)]
d/control: bump versioned dependencies on pve-cluster
to ensure we've got the verify_token method available and the
token.cfg observed.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:05 +0000 (13:54 +0100)]
API token: add verification method
which checks that the user and token exist and are not expired, and then
generates the string to be matched with the pmxcfs-stored token shadow
config file.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:04 +0000 (13:54 +0100)]
API token: add (shadow) TokenConfig
with the format:
<full token ID> <token value/UUID>
it is just used for token value generation/deletion via the User API,
token value verification will happen over pmxcfs/ipcc.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:03 +0000 (13:54 +0100)]
API token: add check_token_exist API helper
the helper is modeled after the corresponding user method.
the 'tokenid' option goes into PVE::AccessControl, since we need it in
multiple API modules.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:02 +0000 (13:54 +0100)]
API token: add REs, helpers, parsing + writing
token definitions/references in user.cfg always use the full form of the
token id, consisting of:
USER@REALM!TOKENID
token definitions are represented by their own lines prefixed with
'token', which need to come after the corresponding user definition, but
before any ACLs referencing them.
parsed representation in a user config hash is inside a new 'tokens'
element of the corresponding user object, using the unique-per-user
token id as key.
only token metadata is stored inside user.cfg / accessible via the
parsed user config hash. the actual token values will be stored
root-readable only in a separate (shadow) file.
'comment' and 'expire' have the same semantics as for users.
'privsep' determines whether an API token gets the full privileges of
the corresponding user, or just the intersection of privileges of the
corresponding user and those of the API token itself.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:15 +0000 (13:54 +0100)]
API: add group members to group index
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:01 +0000 (13:54 +0100)]
test: add parser/writer tests
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Tue, 21 Jan 2020 12:54:00 +0000 (13:54 +0100)]
fix typo
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Tue, 21 Jan 2020 12:53:59 +0000 (13:53 +0100)]
test: run at build time
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Thu, 21 Nov 2019 14:43:25 +0000 (15:43 +0100)]
refactor acl transformation code
pull it into helper sub, since we need this one more time for token ACL
members.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Thu, 21 Nov 2019 14:43:24 +0000 (15:43 +0100)]
auth: pull username REs into variables
for reusage in API token ID format/verification
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Thu, 21 Nov 2019 14:43:23 +0000 (15:43 +0100)]
rpcenv: drop unused roles()
it was useful for test-cases to verify the behaviour when pools where
introduced, but it is not used anywhere else in the code base and those
tests can also just check on permission-level.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Thomas Lamprecht [Fri, 13 Dec 2019 11:01:22 +0000 (12:01 +0100)]
grammar fix: s/does not exists/does not exist/g
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 26 Nov 2019 16:56:42 +0000 (17:56 +0100)]
bump version to 6.0-5
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Alexandre Derumier [Tue, 26 Nov 2019 09:01:09 +0000 (10:01 +0100)]
add SDN.Allocate && SDN.Audit privileges
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Fabian Grünbichler [Thu, 21 Nov 2019 14:43:22 +0000 (15:43 +0100)]
access-control: remove check_permissions/permission
they have been handled by PVE::RPCEnvironment for quite some time
already, and the versions there are the complete ones that should be
actually used.
manager switched over their last use not long ago, in 6.0-9, so
record a Breaks to that version.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Thu, 21 Nov 2019 14:43:21 +0000 (15:43 +0100)]
pveum: add list commands
we already have the API paths, and they make sense to get an overview
over user.cfg contents.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Thu, 21 Nov 2019 14:43:20 +0000 (15:43 +0100)]
user.cfg: sort group and pool members, role privs
makes no functional difference, but keeps the output/written config more
stable.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Thu, 21 Nov 2019 14:43:19 +0000 (15:43 +0100)]
user.cfg: ensure propagate flag is 1/0 when parsing
otherwise this might end up as (arbitrary) string somewhere..
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Mon, 11 Nov 2019 10:28:11 +0000 (11:28 +0100)]
bump version to 6.0-4
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Fabian Grünbichler [Mon, 11 Nov 2019 10:28:10 +0000 (11:28 +0100)]
d/control: (build-)depend on libpve-cluster-perl
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Mon, 11 Nov 2019 10:28:09 +0000 (11:28 +0100)]
use already parsed u2f property string
since libpve-cluster-perl 6.0-8 this happens automatically when parsing
the datacenter.cfg, just like the other property strings stored there.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Mon, 11 Nov 2019 10:28:08 +0000 (11:28 +0100)]
use PVE::DataCenterConfig
since we read datacenter.cfg, and parse the u2f property string using a
format defined in PVE::DataCenterConfig.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Thu, 14 Nov 2019 10:00:59 +0000 (11:00 +0100)]
API: fix calls to raise_param_exc
the parameter needs to be a hash reference, not a hash.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Wed, 6 Nov 2019 12:36:31 +0000 (13:36 +0100)]
d/control: correctly set Architecture field
this packge only contains perl modules and scripts, shell completions
and documentation - no architecture-specific stuff whatsoever.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Wed, 6 Nov 2019 12:36:28 +0000 (13:36 +0100)]
ticket: use clinfo to get cluster name
instead of parsing corosync.conf, and avoid coupling the access-control
API with PVE::Corosync. if corosync.conf and pmxcfs don't agree on how
the cluster is called, there is a bigger issue anyway..
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Wed, 6 Nov 2019 12:36:27 +0000 (13:36 +0100)]
pveum: don't unconditionally create auth key
anything that uses it should already generate it anyway.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Wed, 6 Nov 2019 12:36:26 +0000 (13:36 +0100)]
pveum: cleanup outdated use statements
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Wed, 6 Nov 2019 12:36:25 +0000 (13:36 +0100)]
d/control: remove outdated dependencies
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Wed, 6 Nov 2019 12:36:24 +0000 (13:36 +0100)]
build: leave man page compression to dh_docs
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Wed, 6 Nov 2019 12:36:23 +0000 (13:36 +0100)]
build: use dh_missing
to fail the build if files are installed, but not shipped in any
package.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Wed, 6 Nov 2019 12:36:22 +0000 (13:36 +0100)]
build: bump compat to 10
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Thomas Lamprecht [Wed, 6 Nov 2019 19:23:21 +0000 (20:23 +0100)]
ldaps: support TLS 1.3 as SSL version
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Alexandre Derumier [Mon, 4 Nov 2019 09:18:05 +0000 (10:18 +0100)]
ldap auth: add sslversion option
default to tls1.2
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
Thomas Lamprecht [Tue, 29 Oct 2019 07:55:09 +0000 (08:55 +0100)]
bump version to 6.0-3
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 29 Oct 2019 07:25:29 +0000 (08:25 +0100)]
d/control: bump versioned dependency on pve-common
to ensure the new 'pve-tfa-secret' format is available
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Wolfgang Bumiller [Mon, 28 Oct 2019 11:20:39 +0000 (12:20 +0100)]
api: tfa: use the new 'pve-tfa-secret' format
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Fabian Grünbichler [Thu, 17 Oct 2019 13:13:58 +0000 (15:13 +0200)]
user.cfg: sort ACL members
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Thu, 17 Oct 2019 13:13:57 +0000 (15:13 +0200)]
user.cfg: sort entries alphabetically in each section
it's not required for dependencies (since those are only ever between
sections, and not within), but makes for easier diffing.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Thu, 17 Oct 2019 13:13:56 +0000 (15:13 +0200)]
add missing 'use PVE::Auth::Plugin'
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Thu, 3 Oct 2019 08:33:28 +0000 (10:33 +0200)]
parse_user_cfg: correctly parse group names in ACLs
usernames are allowed to start with '@', so adding a user '@test@pve'
and adding it to an ACL should work, instead of ignoring that part of
the ACL entry.
So use verify_groupname to additionally enforce that the group name we
extracted does not include an additional @, as then it cannot be a
group.
note: there is no potential for user and group to be confused, since a
username must end with '@REALM', and a group reference in an ACL can
only contain one '@' (as first character).
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Thomas Lamprecht [Wed, 26 Jun 2019 18:25:06 +0000 (20:25 +0200)]
bump version to 6.0-2
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Wed, 26 Jun 2019 17:34:13 +0000 (19:34 +0200)]
improve CSRF compat with older PVE
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Mon, 24 Jun 2019 16:17:21 +0000 (18:17 +0200)]
bump version to 6.0-1
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Oguz Bektas [Wed, 19 Jun 2019 07:39:33 +0000 (09:39 +0200)]
use hmac_sha256 instead of sha1 for csrf token
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
Fabian Grünbichler [Wed, 19 Jun 2019 09:46:19 +0000 (11:46 +0200)]
ticket: add comments about auth key mtime
we cannot fully close this window, and don't need to anyway since we
apply +-300s when calculating ticket age ranges, but documenting where
mtime is used and what we expect seems like a good idea for future
readers.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Wed, 19 Jun 2019 09:46:18 +0000 (11:46 +0200)]
ticket: reorder calls when rotating
to shrink the window between the two file_set_contents calls. we don't
need the mtimes to line up exactly since we have 300s of uncertainty
anyway, but generating an RSA key could take a while ;)
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler [Wed, 19 Jun 2019 09:46:17 +0000 (11:46 +0200)]
ticket: properly verify exactly 5min old tickets
to fix an issue where valid tickets could be rejected 5 minutes after a
key rotation, where the minimum age is exactly 0 seconds.
thanks Dominik for triaging!
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Thomas Lamprecht [Tue, 21 May 2019 16:52:09 +0000 (18:52 +0200)]
buildsys: switch upload dist over to buster
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 21 May 2019 16:51:40 +0000 (18:51 +0200)]
bump version to 6.0-0+1
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 21 May 2019 19:29:59 +0000 (21:29 +0200)]
fix #2079: activate authkey rotation every 24 hours
This activates the authkey rotation added in commits
1800a71a79c7cf49108e22781d2f34be87b1efd through
f7282aee6b2ae36b7cfc2331e33e49a818b914fd
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 21 May 2019 16:50:10 +0000 (18:50 +0200)]
buildsys: use dpkg-dev makefile helpers for pkg info
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Wed, 15 May 2019 14:22:30 +0000 (16:22 +0200)]
bump version to 5.1-10
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Dominik Csapak [Fri, 3 May 2019 07:45:51 +0000 (09:45 +0200)]
add /access/user/{id}/tfa api call to get tfa types
this api call will be used to display the right kind of tfa for the gui
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Thomas Lamprecht [Tue, 30 Apr 2019 14:02:41 +0000 (14:02 +0000)]
bump version to 5.1-9
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Wolfgang Bumiller [Thu, 18 Apr 2019 08:24:48 +0000 (10:24 +0200)]
tfa: realm required TFA should lock out users without TFA
This changed with the previous TFA changes.
In the long term, the plan is to let the user get into the
half-logged-in state and open the TFA configuration window
on the UI to allow them to finish their TFA setup, but for
now we restore the previous behavior.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Mon, 15 Apr 2019 07:08:24 +0000 (09:08 +0200)]
typo fixup
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Thu, 11 Apr 2019 09:31:58 +0000 (11:31 +0200)]
store the tfa type in user.cfg
This allows some improvements to the user experience on the
web ui.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Thomas Lamprecht [Tue, 9 Apr 2019 10:48:53 +0000 (12:48 +0200)]
bump version to 5.1-8
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 9 Apr 2019 10:46:22 +0000 (12:46 +0200)]
d/control: bump version dependency to libpve-u2f-server-perl
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Tue, 9 Apr 2019 10:44:23 +0000 (12:44 +0200)]
u2f: new perl bindings encode public key for us
as it was binary data, which can contain everything, including '\0',
and this was cut off, making it impossible to login after
registration, as a borked publicKey got saved in tfa.cfg
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Mon, 8 Apr 2019 14:56:41 +0000 (16:56 +0200)]
bump version to 5.1-7
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Wolfgang Bumiller [Mon, 8 Apr 2019 11:58:27 +0000 (13:58 +0200)]
verify_ticket: allow general non-challenge tfa to be run as two step call
This allows for doing OTP TFA in two steps, first login with normal
credentials and get the half-logged-in ticket, then send the OTP
verification for full login, same as with u2f was already possible.
This allows for a nicer UI, as OTP fields can be shown on demand, and
do not need to be visible by default.
The old way of sending the OTP code immediately with the initial
credentials request still works for backward compatibility and as
some API user may prefer it.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Wed, 3 Apr 2019 11:41:20 +0000 (13:41 +0200)]
bump version to 5.1-6
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Wed, 3 Apr 2019 11:37:57 +0000 (13:37 +0200)]
d/control: bump version dependency for pve-cluster
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht [Wed, 3 Apr 2019 11:34:23 +0000 (13:34 +0200)]
followup: s/CUSTOM_TFA_TYPES/USER_CONTROLLED_TFA_TYPES/
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Wolfgang Bumiller [Tue, 2 Apr 2019 10:21:57 +0000 (12:21 +0200)]
allow users to change their totp settings
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Tue, 2 Apr 2019 10:21:56 +0000 (12:21 +0200)]
use a property string for tfa config
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Tue, 2 Apr 2019 10:21:55 +0000 (12:21 +0200)]
u2f authentication
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Tue, 2 Apr 2019 10:21:54 +0000 (12:21 +0200)]
delete TFA entries when deleting a user
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Tue, 2 Apr 2019 10:21:53 +0000 (12:21 +0200)]
u2f api endpoints
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller [Tue, 2 Apr 2019 10:21:52 +0000 (12:21 +0200)]
depend on libpve-u2f-server-perl
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>