From: Wolfgang Bumiller <w.bumiller@proxmox.com>
To: pmg-devel@lists.proxmox.com
Subject: [pmg-devel] [PATCH api 4/6] add tfa config api
Date: Fri, 26 Nov 2021 14:55:08 +0100 [thread overview]
Message-ID: <20211126135524.117846-5-w.bumiller@proxmox.com> (raw)
In-Reply-To: <20211126135524.117846-1-w.bumiller@proxmox.com>
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
src/Makefile | 1 +
src/PMG/API2/Config.pm | 6 ++
src/PMG/API2/TFAConfig.pm | 142 ++++++++++++++++++++++++++++++++++++++
3 files changed, 149 insertions(+)
create mode 100644 src/PMG/API2/TFAConfig.pm
diff --git a/src/Makefile b/src/Makefile
index c2bf2c9..f08be0f 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -149,6 +149,7 @@ LIBSOURCES = \
PMG/API2/Quarantine.pm \
PMG/API2/AccessControl.pm \
PMG/API2/TFA.pm \
+ PMG/API2/TFAConfig.pm \
PMG/API2/ObjectGroupHelpers.pm \
PMG/API2/Rules.pm \
PMG/API2/RuleDB.pm \
diff --git a/src/PMG/API2/Config.pm b/src/PMG/API2/Config.pm
index c5697e1..19ae8f1 100644
--- a/src/PMG/API2/Config.pm
+++ b/src/PMG/API2/Config.pm
@@ -27,6 +27,7 @@ use PMG::API2::DKIMSign;
use PMG::API2::SACustom;
use PMG::API2::PBS::Remote;
use PMG::API2::ACME;
+use PMG::API2::TFAConfig;
use base qw(PVE::RESTHandler);
@@ -105,6 +106,11 @@ __PACKAGE__->register_method ({
path => 'acme',
});
+__PACKAGE__->register_method ({
+ subclass => "PMG::API2::TFAConfig",
+ path => 'tfa',
+});
+
__PACKAGE__->register_method ({
name => 'index',
path => '',
diff --git a/src/PMG/API2/TFAConfig.pm b/src/PMG/API2/TFAConfig.pm
new file mode 100644
index 0000000..dbe8969
--- /dev/null
+++ b/src/PMG/API2/TFAConfig.pm
@@ -0,0 +1,142 @@
+package PMG::API2::TFAConfig;
+
+use strict;
+use warnings;
+
+use PVE::Exception qw(raise raise_perm_exc raise_param_exc);
+use PVE::JSONSchema qw(get_standard_option);
+use PVE::RESTHandler;
+use PVE::Tools qw(extract_param);
+
+use PMG::AccessControl;
+use PMG::RESTEnvironment;
+use PMG::TFAConfig;
+use PMG::UserConfig;
+use PMG::Utils;
+
+use base qw(PVE::RESTHandler);
+
+my $wa_config_schema = {
+ type => 'object',
+ properties => {
+ rp => {
+ type => 'string',
+ description =>
+ "Relying party name. Any text identifier.\n"
+ ."Changing this *may* break existing credentials.",
+ },
+ origin => {
+ type => 'string',
+ optional => 1,
+ description =>
+ 'Site origin. Must be a `https://` URL (or `http://localhost`).'
+ .' Should contain the address users type in their browsers to access the web'
+ ." interface.\n"
+ .'Changing this *may* break existing credentials.',
+ },
+ id => {
+ type => 'string',
+ description =>
+ "Relying part ID. Must be the domain name without protocol, port or location.\n"
+ .'Changing this *will* break existing credentials.',
+ },
+ },
+};
+
+my %return_properties = $wa_config_schema->{properties}->%*;
+$return_properties{$_}->{optional} = 1 for keys %return_properties;
+
+my $wa_config_return_schema = {
+ type => 'object',
+ properties => \%return_properties,
+};
+
+__PACKAGE__->register_method({
+ name => 'get_webauthn_config',
+ path => 'webauthn',
+ method => 'GET',
+ protected => 1,
+ permissions => { user => 'all' },
+ description => "Read the webauthn configuration.",
+ parameters => {
+ additionalProperties => 0,
+ properties => {},
+ },
+ returns => {
+ optional => 1,
+ $wa_config_schema->%*,
+ },
+ code => sub {
+ my ($param) = @_;
+
+ my $cfg = PMG::TFAConfig->new();
+ return $cfg->get_webauthn_config();
+ }});
+
+__PACKAGE__->register_method({
+ name => 'update_webauthn_config',
+ path => 'webauthn',
+ method => 'PUT',
+ protected => 1,
+ proxyto => 'master',
+ permissions => { check => [ 'admin' ] },
+ description => "Read the webauthn configuration.",
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ $wa_config_schema->{properties}->%*,
+ delete => {
+ type => 'string', enum => [keys $wa_config_schema->{properties}->%*],
+ description => "A list of settings you want to delete.",
+ optional => 1,
+ },
+ digest => {
+ type => 'string',
+ description => 'Prevent changes if current configuration file has different SHA1 digest.'
+ .' This can be used to prevent concurrent modifications.',
+ maxLength => 40,
+ optional => 1,
+ },
+ },
+ },
+ returns => { type => 'null' },
+ code => sub {
+ my ($param) = @_;
+
+ my $digest = extract_param($param, 'digest');
+ my $delete = extract_param($param, 'delete');
+
+ PMG::TFAConfig::lock_config(sub {
+ my $cfg = PMG::TFAConfig->new();
+
+ my ($config_digest, $wa) = $cfg->get_webauthn_config();
+ if (defined($digest)) {
+ PVE::Tools::assert_if_modified($digest, $config_digest);
+ }
+
+ foreach my $opt (PVE::Tools::split_list($delete)) {
+ delete $wa->{$opt};
+ }
+ foreach my $opt (keys %$param) {
+ my $value = $param->{$opt};
+ if (length($value)) {
+ $wa->{$opt} = $value;
+ } else {
+ delete $wa->{$opt};
+ }
+ }
+
+ # to remove completely, pass `undef`:
+ if (!%$wa) {
+ $wa = undef;
+ }
+
+ $cfg->set_webauthn_config($wa);
+
+ $cfg->write();
+ });
+
+ return;
+ }});
+
+1;
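Review bot: The copy at `my %return_properties = $wa_config_schema->{properties}->%*;` is shallow, so the `$return_properties{$_}->{optional} = 1` loop writes into the same inner hashes that `$wa_config_schema` holds. As a side effect `rp` and `id` become optional in both the GET `returns` and the PUT `parameters`, and `$wa_config_return_schema` is never referenced in this file. If relaxing the update parameters is intended, a comment should say so; otherwise build per-key copies, e.g. `map { $_ => { $wa_config_schema->{properties}->{$_}->%*, optional => 1 } } keys $wa_config_schema->{properties}->%*`, and point the GET `returns` at `$wa_config_return_schema`. In `update_webauthn_config`, `delete` is declared as a string with an `enum` of single property names while the handler runs `PVE::Tools::split_list($delete)`, so a multi-name list would presumably be rejected by schema validation before the handler runs; the PUT `description` is also a copy of the GET one and should read `description => "Update the webauthn configuration.",`. Because `origin` and `id` decide what WebAuthn credentials are bound to, a comment naming where the `https://` requirement on `origin` is enforced would help, since the schema here only declares `type => 'string'`.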
--
2.30.2
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-26 13:55 [pmg-devel] [PATCH multiple 0/7] PMG TFA support Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH api 1/6] add tfa.json and its lock methods Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH api 2/6] add PMG::TFAConfig module Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH api 3/6] add TFA API Wolfgang Bumiller
2021-11-26 17:29 ` Stoiko Ivanov
2021-11-26 13:55 ` Wolfgang Bumiller [this message]
2021-11-26 13:55 ` [pmg-devel] [PATCH api 5/6] implement tfa authentication Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH api 6/6] provide qrcode.min.js from libjs-qrcodejs Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH gui] add TFA components Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH perl-rs 1/7] pve: bump perlmod to 0.9 Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH perl-rs 2/7] pve: update to proxmox-tfa 2.0 Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH perl-rs 3/7] pve: bump d/control Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH perl-rs 4/7] import pmg-rs Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH perl-rs 5/7] pmg: bump perlmod to 0.9 Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH perl-rs 6/7] pmg: add tfa module Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH perl-rs 7/7] pmg: bump d/control Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH proxmox 1/6] tfa: fix typo in docs Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH proxmox 2/6] tfa: add WebauthnConfig::digest method Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH proxmox 3/6] tfa: let OriginUrl deref to its inner Url, add FromStr impl Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH proxmox 4/6] tfa: make configured webauthn origin optional Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH proxmox 5/6] tfa: clippy fixes Wolfgang Bumiller
2021-11-26 13:55 ` [pmg-devel] [PATCH proxmox 6/6] bump proxmox-tfa to 2.0.0-1 Wolfgang Bumiller
2021-11-26 17:34 ` [pmg-devel] [PATCH multiple 0/7] PMG TFA support Stoiko Ivanov
2021-11-28 21:17 ` [pmg-devel] applied-series: " Thomas Lamprecht