From: Wolfgang Bumiller
To: pmg-devel@lists.proxmox.com
Date: Fri, 26 Nov 2021 14:55:05 +0100
Message-Id: <20211126135524.117846-2-w.bumiller@proxmox.com>
In-Reply-To: <20211126135524.117846-1-w.bumiller@proxmox.com>
References: <20211126135524.117846-1-w.bumiller@proxmox.com>
Subject: [pmg-devel] [PATCH api 1/6] add tfa.json and its lock methods

Signed-off-by: Wolfgang Bumiller --- src/PMG/Cluster.pm | 1 + src/PMG/UserConfig.pm | 32 +++++++++++++++++++++++++++++++- 2 files changed, 32 insertions(+), 1 deletion(-) diff --git a/src/PMG/Cluster.pm b/src/PMG/Cluster.pm index d82a392..31384b2 100644 --- a/src/PMG/Cluster.pm +++ b/src/PMG/Cluster.pm @@ -459,6 +459,7 @@ sub sync_config_from_master { 'pmg-csrf.key', 'ldap.conf', 'user.conf', + 'tfa.json', 'domains', 'mynetworks', 'transport', diff --git a/src/PMG/UserConfig.pm b/src/PMG/UserConfig.pm index 42a7d20..b9a83a7 100644 --- a/src/PMG/UserConfig.pm +++ b/src/PMG/UserConfig.pm @@ -2,8 +2,9 @@ package PMG::UserConfig; use strict; use warnings; -use Data::Dumper; + use Clone 'clone'; +use Scalar::Util 'weaken'; use PVE::Tools; use PVE::INotify; @@ -15,6 +16,9 @@ use PMG::Utils; my $inotify_file_id = 'pmg-user.conf'; my $config_filename = '/etc/pmg/user.conf'; +my $tfa_inotify_file_id = 'pmg-tfa.json'; +my $tfa_config_filename = '/etc/pmg/tfa.json'; + sub new { my ($type) = @_; 
@@ -32,14 +36,40 @@ sub write { } my $lockfile = "/var/lock/pmguser.lck"; +my $tfa_lockfile = "/var/lock/pmgtfa.lck"; +# Locking both config files together is only ever allowed in one order: +# 1) tfa config +# 2) user config +# If we permit the other way round, too, we might end up deadlocking! +my $user_config_locked; sub lock_config { my ($code, $errmsg) = @_; + my $locked = 1; + $user_config_locked = \$locked; + weaken $user_config_locked; # make this scope guard signal safe... + my $p = PVE::Tools::lock_file($lockfile, undef, $code); + $user_config_locked = undef; + if (my $err = $@) { + $errmsg ? die "$errmsg: $err" : die $err; + } +} + +# This lives here in order to enforce lock order. +sub lock_tfa_config { + my ($code, $errmsg) = @_; + + die "tfa config lock cannot be acquired while holding user config lock\n" + if ($user_config_locked && $$user_config_locked); + + my $res = PVE::Tools::lock_file($tfa_lockfile, undef, $code); if (my $err = $@) { $errmsg ? die "$errmsg: $err" : die $err; } + + return $res; } my $schema = { -- 2.30.2
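Review bot: in the Cluster.pm hunk, adding 'tfa.json' to the sync_config_from_master list distributes the TFA configuration to every cluster node the same way user.conf already is, so it should be created and copied with the same restrictive ownership and mode as user.conf (not visible in this hunk), and whatever reads /etc/pmg/tfa.json should cope with the file being absent on a node that has not synced since the upgrade, rather than failing the whole user lookup.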
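Review bot: in the `@@ -15,6 +16,9 @@` hunk, `$tfa_inotify_file_id` and `$tfa_config_filename` are declared but nothing in this patch uses them (only `$tfa_lockfile` is used further down); if later patches in the series consume them, a one-line comment saying so saves a reader from taking them for leftovers, and the inotify id should be registered in the same patch that introduces the reader so the two cannot drift apart.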
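Review bot: in the lock hunk, `my $p = PVE::Tools::lock_file($lockfile, undef, $code);` in lock_config captures the result but never returns it, whereas lock_tfa_config ends with `return $res;`; either add `return $p;` after the `$@` check or drop the variable so both wrappers behave alike. The order guard is also a single package-level flag: a nested lock_config call overwrites `$user_config_locked` and sets it to undef when it returns, so a lock_tfa_config issued afterwards while the outer user lock is still held passes the `die "tfa config lock cannot be acquired ..."` check; if reentrant calls are possible, keep a depth counter or restore the previous value instead. A comment noting that the check only catches wrong ordering within one process would also help, since that is the deadlock case the weaken trick is there to guard.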