public inbox for pmg-devel@lists.proxmox.com
 help / color / mirror / Atom feed
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
To: pmg-devel@lists.proxmox.com
Subject: [pmg-devel] [PATCH api 4/6] add tfa config api
Date: Fri, 26 Nov 2021 14:55:08 +0100	[thread overview]
Message-ID: <20211126135524.117846-5-w.bumiller@proxmox.com> (raw)
In-Reply-To: <20211126135524.117846-1-w.bumiller@proxmox.com>

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
 src/Makefile              |   1 +
 src/PMG/API2/Config.pm    |   6 ++
 src/PMG/API2/TFAConfig.pm | 142 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 149 insertions(+)
 create mode 100644 src/PMG/API2/TFAConfig.pm

diff --git a/src/Makefile b/src/Makefile
index c2bf2c9..f08be0f 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -149,6 +149,7 @@ LIBSOURCES =				\
 	PMG/API2/Quarantine.pm		\
 	PMG/API2/AccessControl.pm	\
 	PMG/API2/TFA.pm			\
+	PMG/API2/TFAConfig.pm		\
 	PMG/API2/ObjectGroupHelpers.pm	\
 	PMG/API2/Rules.pm		\
 	PMG/API2/RuleDB.pm		\
diff --git a/src/PMG/API2/Config.pm b/src/PMG/API2/Config.pm
index c5697e1..19ae8f1 100644
--- a/src/PMG/API2/Config.pm
+++ b/src/PMG/API2/Config.pm
@@ -27,6 +27,7 @@ use PMG::API2::DKIMSign;
 use PMG::API2::SACustom;
 use PMG::API2::PBS::Remote;
 use PMG::API2::ACME;
+use PMG::API2::TFAConfig;
 
 use base qw(PVE::RESTHandler);
 
@@ -105,6 +106,11 @@ __PACKAGE__->register_method ({
     path => 'acme',
 });
 
+__PACKAGE__->register_method ({
+    subclass => "PMG::API2::TFAConfig",
+    path => 'tfa',
+});
+
 __PACKAGE__->register_method ({
     name => 'index', 
     path => '',
diff --git a/src/PMG/API2/TFAConfig.pm b/src/PMG/API2/TFAConfig.pm
new file mode 100644
index 0000000..dbe8969
--- /dev/null
+++ b/src/PMG/API2/TFAConfig.pm
@@ -0,0 +1,142 @@
+package PMG::API2::TFAConfig;
+
+use strict;
+use warnings;
+
+use PVE::Exception qw(raise raise_perm_exc raise_param_exc);
+use PVE::JSONSchema qw(get_standard_option);
+use PVE::RESTHandler;
+use PVE::Tools qw(extract_param);
+
+use PMG::AccessControl;
+use PMG::RESTEnvironment;
+use PMG::TFAConfig;
+use PMG::UserConfig;
+use PMG::Utils;
+
+use base qw(PVE::RESTHandler);
+
+my $wa_config_schema = {
+    type => 'object',
+    properties => {
+	rp => {
+	    type => 'string',
+	    description =>
+		"Relying party name. Any text identifier.\n"
+		."Changing this *may* break existing credentials.",
+	},
+	origin => {
+	    type => 'string',
+	    optional => 1,
+	    description =>
+		'Site origin. Must be a `https://` URL (or `http://localhost`).'
+		.' Should contain the address users type in their browsers to access the web'
+		." interface.\n"
+		.'Changing this *may* break existing credentials.',
+	},
+	id => {
+	    type => 'string',
+	    description =>
+		"Relying part ID. Must be the domain name without protocol, port or location.\n"
+		.'Changing this *will* break existing credentials.',
+	},
+    },
+};
+
+my %return_properties = $wa_config_schema->{properties}->%*;
+$return_properties{$_}->{optional} = 1 for keys %return_properties;
+
+my $wa_config_return_schema = {
+    type => 'object',
+    properties => \%return_properties,
+};
+
+__PACKAGE__->register_method({
+    name => 'get_webauthn_config',
+    path => 'webauthn',
+    method => 'GET',
+    protected => 1,
+    permissions => { user => 'all' },
+    description => "Read the webauthn configuration.",
+    parameters => {
+	additionalProperties => 0,
+	properties => {},
+    },
+    returns => {
+	optional => 1,
+	$wa_config_schema->%*,
+    },
+    code => sub {
+	my ($param) = @_;
+
+	my $cfg = PMG::TFAConfig->new();
+	return $cfg->get_webauthn_config();
+    }});
+
+__PACKAGE__->register_method({
+    name => 'update_webauthn_config',
+    path => 'webauthn',
+    method => 'PUT',
+    protected => 1,
+    proxyto => 'master',
+    permissions => { check => [ 'admin' ] },
+    description => "Read the webauthn configuration.",
+    parameters => {
+	additionalProperties => 0,
+	properties => {
+	    $wa_config_schema->{properties}->%*,
+	    delete => {
+		type => 'string', enum => [keys $wa_config_schema->{properties}->%*],
+		description => "A list of settings you want to delete.",
+		optional => 1,
+	    },
+	    digest => {
+		type => 'string',
+		description => 'Prevent changes if current configuration file has different SHA1 digest.'
+		    .' This can be used to prevent concurrent modifications.',
+		maxLength => 40,
+		optional => 1,
+	    },
+	},
+    },
+    returns => { type => 'null' },
+    code => sub {
+	my ($param) = @_;
+
+	my $digest = extract_param($param, 'digest');
+	my $delete = extract_param($param, 'delete');
+
+	PMG::TFAConfig::lock_config(sub {
+	    my $cfg = PMG::TFAConfig->new();
+
+	    my ($config_digest, $wa) = $cfg->get_webauthn_config();
+	    if (defined($digest)) {
+		PVE::Tools::assert_if_modified($digest, $config_digest);
+	    }
+
+	    foreach my $opt (PVE::Tools::split_list($delete)) {
+		delete $wa->{$opt};
+	    }
+	    foreach my $opt (keys %$param) {
+		my $value = $param->{$opt};
+		if (length($value)) {
+		    $wa->{$opt} = $value;
+		} else {
+		    delete $wa->{$opt};
+		}
+	    }
+
+	    # to remove completely, pass `undef`:
+	    if (!%$wa) {
+		$wa = undef;
+	    }
+
+	    $cfg->set_webauthn_config($wa);
+
+	    $cfg->write();
+	});
+
+	return;
+    }});
+
+1;
-- 
2.30.2





  parent reply	other threads:[~2021-11-26 13:55 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-11-26 13:55 [pmg-devel] [PATCH multiple 0/7] PMG TFA support Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH api 1/6] add tfa.json and its lock methods Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH api 2/6] add PMG::TFAConfig module Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH api 3/6] add TFA API Wolfgang Bumiller
2021-11-26 17:29   ` Stoiko Ivanov
2021-11-26 13:55 ` Wolfgang Bumiller [this message]
2021-11-26 13:55 ` [pmg-devel] [PATCH api 5/6] implement tfa authentication Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH api 6/6] provide qrcode.min.js from libjs-qrcodejs Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH gui] add TFA components Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH perl-rs 1/7] pve: bump perlmod to 0.9 Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH perl-rs 2/7] pve: update to proxmox-tfa 2.0 Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH perl-rs 3/7] pve: bump d/control Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH perl-rs 4/7] import pmg-rs Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH perl-rs 5/7] pmg: bump perlmod to 0.9 Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH perl-rs 6/7] pmg: add tfa module Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH perl-rs 7/7] pmg: bump d/control Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH proxmox 1/6] tfa: fix typo in docs Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH proxmox 2/6] tfa: add WebauthnConfig::digest method Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH proxmox 3/6] tfa: let OriginUrl deref to its inner Url, add FromStr impl Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH proxmox 4/6] tfa: make configured webauthn origin optional Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH proxmox 5/6] tfa: clippy fixes Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH proxmox 6/6] bump proxmox-tfa to 2.0.0-1 Wolfgang Bumiller
2021-11-26 17:34 ` [pmg-devel] [PATCH multiple 0/7] PMG TFA support Stoiko Ivanov
2021-11-28 21:17 ` [pmg-devel] applied-series: " Thomas Lamprecht

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20211126135524.117846-5-w.bumiller@proxmox.com \
    --to=w.bumiller@proxmox.com \
    --cc=pmg-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal