From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: <d.csapak@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits))
(No client certificate requested)
by lists.proxmox.com (Postfix) with ESMTPS id EA4858A798
for <pve-devel@lists.proxmox.com>; Thu, 20 Oct 2022 15:14:14 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
by firstgate.proxmox.com (Proxmox) with ESMTP id CC498181D5
for <pve-devel@lists.proxmox.com>; Thu, 20 Oct 2022 15:14:14 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
[94.136.29.106])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits))
(No client certificate requested)
by firstgate.proxmox.com (Proxmox) with ESMTPS
for <pve-devel@lists.proxmox.com>; Thu, 20 Oct 2022 15:14:13 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 42BBF44AC6
for <pve-devel@lists.proxmox.com>; Thu, 20 Oct 2022 15:14:13 +0200 (CEST)
From: Dominik Csapak <d.csapak@proxmox.com>
To: pve-devel@lists.proxmox.com
Date: Thu, 20 Oct 2022 15:14:11 +0200
Message-Id: <20221020131412.3493343-3-d.csapak@proxmox.com>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20221020131412.3493343-1-d.csapak@proxmox.com>
References: <20221020131412.3493343-1-d.csapak@proxmox.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-SPAM-LEVEL: Spam detection results: 0
AWL 0.068 Adjusted score from AWL reputation of From: address
BAYES_00 -1.9 Bayes spam probability is 0 to 1%
KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
SPF_PASS -0.001 SPF: sender matches SPF record
Subject: [pve-devel] [PATCH access-control 2/3] authenticate_2nd_new: rename
$otp to $tfa_response
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>,
<mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>,
<mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Thu, 20 Oct 2022 13:14:15 -0000
since that is what it really is, not only a otp
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
src/PVE/AccessControl.pm | 26 +++++++++++++-------------
1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index c45188c..d83dee2 100644
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -787,7 +787,7 @@ sub authenticate_2nd_old : prototype($$$) {
}
sub authenticate_2nd_new_do : prototype($$$$) {
- my ($username, $realm, $otp, $tfa_challenge) = @_;
+ my ($username, $realm, $tfa_response, $tfa_challenge) = @_;
my ($tfa_cfg, $realm_tfa) = user_get_tfa($username, $realm, 1);
if (!defined($tfa_cfg)) {
@@ -809,20 +809,20 @@ sub authenticate_2nd_new_do : prototype($$$$) {
return to_json($challenge);
}
- if ($otp =~ /^yubico:(.*)$/) {
- $otp = $1;
+ if ($tfa_response =~ /^yubico:(.*)$/) {
+ $tfa_response = $1;
# Defer to after unlocking the TFA config:
return sub {
authenticate_yubico_new(
- $tfa_cfg, $username, $realm_tfa, $tfa_challenge, $otp,
+ $tfa_cfg, $username, $realm_tfa, $tfa_challenge, $tfa_response,
);
};
}
}
my $response_type;
- if (defined($otp)) {
- if ($otp !~ /^([^:]+):/) {
+ if (defined($tfa_response)) {
+ if ($tfa_response !~ /^([^:]+):/) {
die "bad otp response\n";
}
$response_type = $1;
@@ -837,13 +837,13 @@ sub authenticate_2nd_new_do : prototype($$$$) {
my $must_save = 0;
if (defined($tfa_challenge)) {
$tfa_challenge = verify_ticket($tfa_challenge, 0, $username);
- $must_save = $tfa_cfg->authentication_verify($username, $tfa_challenge, $otp);
+ $must_save = $tfa_cfg->authentication_verify($username, $tfa_challenge, $tfa_response);
$tfa_challenge = undef;
} else {
$tfa_challenge = $tfa_cfg->authentication_challenge($username);
- if (defined($otp)) {
+ if (defined($tfa_response)) {
if (defined($tfa_challenge)) {
- $must_save = $tfa_cfg->authentication_verify($username, $tfa_challenge, $otp);
+ $must_save = $tfa_cfg->authentication_verify($username, $tfa_challenge, $tfa_response);
} else {
die "no such challenge\n";
}
@@ -859,16 +859,16 @@ sub authenticate_2nd_new_do : prototype($$$$) {
# Returns a tfa challenge or undef.
sub authenticate_2nd_new : prototype($$$$) {
- my ($username, $realm, $otp, $tfa_challenge) = @_;
+ my ($username, $realm, $tfa_response, $tfa_challenge) = @_;
my $result;
- if (defined($otp) && $otp =~ m/^recovery:$/) {
+ if (defined($tfa_response) && $tfa_response =~ m/^recovery:$/) {
$result = lock_tfa_config(sub {
- authenticate_2nd_new_do($username, $realm, $otp, $tfa_challenge);
+ authenticate_2nd_new_do($username, $realm, $tfa_response, $tfa_challenge);
});
} else {
- $result = authenticate_2nd_new_do($username, $realm, $otp, $tfa_challenge);
+ $result = authenticate_2nd_new_do($username, $realm, $tfa_response, $tfa_challenge);
}
# Yubico auth returns the authentication sub:
--
2.30.2