From 35c3ca0fc8fa9f6e2db675359809b89c3a46139f Mon Sep 17 00:00:00 2001 From: =?utf8?q?Fabian=20Gr=C3=BCnbichler?= Date: Tue, 21 Jan 2020 13:54:05 +0100 Subject: [PATCH] API token: add verification method MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit which checks that the user and token exist and are not expired, and then generates the string to be matched with the pmxcfs-stored token shadow config file. Signed-off-by: Fabian Grünbichler --- PVE/AccessControl.pm | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm index 7fc514a..b5e1e09 100644 --- a/PVE/AccessControl.pm +++ b/PVE/AccessControl.pm @@ -399,6 +399,39 @@ sub verify_ticket { return wantarray ? ($username, $age, $tfa_info) : $username; } +sub verify_token { + my ($api_token) = @_; + + die "no API token specified\n" if !$api_token; + + my ($tokenid, $value); + if ($api_token =~ /^(.*)=(.*)$/) { + $tokenid = $1; + $value = $2; + } else { + die "no tokenid specified\n"; + } + + my ($username, $token) = split_tokenid($tokenid); + + my $usercfg = cfs_read_file('user.cfg'); + check_user_enabled($usercfg, $username); + check_token_exist($usercfg, $username, $token); + + my $ctime = time(); + + my $user = $usercfg->{users}->{$username}; + die "account expired\n" if $user->{expire} && ($user->{expire} < $ctime); + + my $token_info = $user->{tokens}->{$token}; + die "token expired\n" if $token_info->{expire} && ($token_info->{expire} < $ctime); + + die "invalid token value!\n" if !PVE::Cluster::verify_token($tokenid, $value); + + return wantarray ? ($tokenid) : $tokenid; +} + + # VNC tickets # - they do not contain the username in plain text # - they are restricted to a specific resource path (example: '/vms/100') -- 2.39.2