Re: [pve-devel] [PATCH pve-access-control v2 1/5] check_user_enabled: also check if user is expired

From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-access-control v2 1/5] check_user_enabled: also check if user is expired
Date: Wed, 30 Jun 2021 09:28:15 +0200	[thread overview]
Message-ID: <1625037501.bqm0b1j9mz.astroid@nora.none> (raw)
In-Reply-To: <20210630061007.3345396-2-dietmar@proxmox.com>

the check is cheap, so it does not matter much that it happens in more 
places now (like for every request with a ticket in addition to the old 
every request with a token).

would have been nice to mention whether this is intentional though ;)

On June 30, 2021 8:10 am, Dietmar Maurer wrote:
> ---
>  src/PVE/AccessControl.pm | 16 +++++++---------
>  1 file changed, 7 insertions(+), 9 deletions(-)
> 
> diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
> index 2569a35..8628678 100644
> --- a/src/PVE/AccessControl.pm
> +++ b/src/PVE/AccessControl.pm
> @@ -428,12 +428,10 @@ sub verify_token {
>      check_user_enabled($usercfg, $username);
>      check_token_exist($usercfg, $username, $token);
>  
> -    my $ctime = time();
> -
>      my $user = $usercfg->{users}->{$username};
> -    die "account expired\n" if $user->{expire} && ($user->{expire} < $ctime);
> -
>      my $token_info = $user->{tokens}->{$token};
> +
> +    my $ctime = time();
>      die "token expired\n" if $token_info->{expire} && ($token_info->{expire} < $ctime);
>  
>      die "invalid token value!\n" if !PVE::Cluster::verify_token($tokenid, $value);
> @@ -579,6 +577,11 @@ sub check_user_enabled {
>  
>      die "user '$username' is disabled\n" if !$noerr;
>  
> +    my $ctime = time();
> +    my $expire = $usercfg->{users}->{$username}->{expire};
> +
> +    die "account expired\n" if $expire && ($expire < $ctime);
> +
>      return undef;
>  }
>  
> @@ -629,11 +632,6 @@ sub authenticate_user {
>  
>      check_user_enabled($usercfg, $username);
>  
> -    my $ctime = time();
> -    my $expire = $usercfg->{users}->{$username}->{expire};
> -
> -    die "account expired\n" if $expire && ($expire < $ctime);
> -
>      my $domain_cfg = cfs_read_file('domains.cfg');
>  
>      my $cfg = $domain_cfg->{ids}->{$realm};
> -- 
> 2.30.2
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 
> 
> 