From: "Shan Shaji" <s.shaji@proxmox.com>
To: "Proxmox VE development discussion" <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-access-control] fix #6528: tfa: update user config on removal of TFA
Date: Tue, 29 Jul 2025 12:26:52 +0200 [thread overview]
Message-ID: <DBOGTW5GCZZE.3V2FS3RAXC4FR@noor> (raw)
In-Reply-To: <1753781854.l4zxsjc0e1.astroid@yuna.none>
Thank you so much for the review and i will update it accordingly.
Had some doubts which i added as inline comments.
On Tue Jul 29, 2025 at 11:45 AM CEST, Fabian Grünbichler wrote:
> On July 29, 2025 10:30 am, Shan Shaji wrote:
> > When removing TFA from a user via the command line, the change was not
> > reflected in the GUI or in the output of `pveum user list`. Both
> > continued to show that TFA was enabled for the user. Fixed the issue
> > by updating the user configuration file.
> >
> > Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
> > ---
> >
> > Tested Cases:
> > - Case 1:
> > - Added one TFA for a user.
> > - Delete with CLI `pveum user tfa delete <user>`
> > - Verified if the UI and CLI outputs are updated.
> > - Case 2:
> > - Add two TFA for a user.
> > - Delete with CLI `pveum user tfa delete <user>`
> > - Verified if the UI and CLI outputs are updated.
> > - Case 3:
> > - Add two TFA for a user.
> > - Delete with CLI `pveum user tfa delete <user> --id <id>`
> > - Verified if the UI and CLI outputs are updated.
> >
> > src/PVE/CLI/pveum.pm | 16 ++++++++++++++--
> > 1 file changed, 14 insertions(+), 2 deletions(-)
> >
> > diff --git a/src/PVE/CLI/pveum.pm b/src/PVE/CLI/pveum.pm
> > index 0645a6d..87e68df 100755
> > --- a/src/PVE/CLI/pveum.pm
> > +++ b/src/PVE/CLI/pveum.pm
> > @@ -141,16 +141,28 @@ __PACKAGE__->register_method({
> >
> > my $userid = extract_param($param, "userid");
> > my $tfa_id = extract_param($param, "id");
> > + my $update_user_config;
> >
> > PVE::AccessControl::lock_tfa_config(sub {
> > my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
> > if (defined($tfa_id)) {
> > - $tfa_cfg->api_delete_tfa($userid, $tfa_id);
> > + my $has_entries_left = $tfa_cfg->api_delete_tfa($userid, $tfa_id);
> > + $update_user_config = !$has_entries_left;
>
> this one is nice split like that, but
>
> > } else {
> > - $tfa_cfg->remove_user($userid);
> > + my $needs_user_saving = $tfa_cfg->remove_user($userid);
> > + $update_user_config = $needs_user_saving;
>
> these two lines could be combined IMHO, or we could even unconditionally
> set $update_user_config here - if we (are asked to) remove all TFA
> entries for a particular user, we want to clear the 'x' entry even if no
> TFA entries existed in the first place (e.g., because the configs ran
> out of sync).
So it's okay if i set `$update_user_config = 1;`
> > }
> > cfs_write_file('priv/tfa.cfg', $tfa_cfg);
> > });
> > +
> > + if ($update_user_config) {
> > + PVE::AccessControl::lock_user_config(sub {
> > + my $user_cfg = cfs_read_file('user.cfg');
> > + my $user = $user_cfg->{users}->{$userid};
> > + $user->{keys} = undef;
> > + cfs_write_file('user.cfg', $user_cfg);
> > + });
> > + }
>
> the locking here is incomplete - in the meantime, another invocation
> could have added a TFA entry again, and potentially the 'x' marker is
> dropped afterwards making user.cfg wrong/out of sync..
>
> PVE::API2::TFA::delete_tfa() has the same issue, but in
> PVE::API2::TFA::add_tfa_entry we have a nested call:
So the order will the lock TFA -> lock user cfg -> update user cfg ->
update tfa cfg.
> lock_tfa_config() {
> set_user_tfa_enabled() {
> lock_user_config() {
> add 'x' entry to user.cfg
> }
> }
> add tfa entry to tfa.cfg
> }
>
> if that lock order is used everywhere else as well, the two deletion
> paths (API and CLI) should also be done like that, to avoid races. there
> might be more code paths missing proper nested locking, I haven't done a
> complete analysis.
>
> > return;
> > },
> > });
> > --
> > 2.39.5
> >
> >
> >
> > _______________________________________________
> > pve-devel mailing list
> > pve-devel@lists.proxmox.com
> > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> >
> >
> >
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next prev parent reply other threads:[~2025-07-29 10:26 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-29 8:30 Shan Shaji
2025-07-29 9:45 ` Fabian Grünbichler
2025-07-29 10:26 ` Shan Shaji [this message]
2025-07-29 10:40 ` Fabian Grünbichler
2025-07-29 11:06 ` Shan Shaji
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DBOGTW5GCZZE.3V2FS3RAXC4FR@noor \
--to=s.shaji@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.