* [pve-devel] [PATCH pve-access-control] fix #6528: tfa: update user config on removal of TFA
@ 2025-07-29 8:30 Shan Shaji
2025-07-29 9:45 ` Fabian Grünbichler
0 siblings, 1 reply; 5+ messages in thread
From: Shan Shaji @ 2025-07-29 8:30 UTC (permalink / raw)
To: pve-devel
When removing TFA from a user via the command line, the change was not
reflected in the GUI or in the output of `pveum user list`. Both
continued to show that TFA was enabled for the user. Fixed the issue
by updating the user configuration file.
Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
---
Tested Cases:
- Case 1:
- Added one TFA for a user.
- Delete with CLI `pveum user tfa delete <user>`
- Verified if the UI and CLI outputs are updated.
- Case 2:
- Add two TFA for a user.
- Delete with CLI `pveum user tfa delete <user>`
- Verified if the UI and CLI outputs are updated.
- Case 3:
- Add two TFA for a user.
- Delete with CLI `pveum user tfa delete <user> --id <id>`
- Verified if the UI and CLI outputs are updated.
src/PVE/CLI/pveum.pm | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/PVE/CLI/pveum.pm b/src/PVE/CLI/pveum.pm
index 0645a6d..87e68df 100755
--- a/src/PVE/CLI/pveum.pm
+++ b/src/PVE/CLI/pveum.pm
@@ -141,16 +141,28 @@ __PACKAGE__->register_method({
my $userid = extract_param($param, "userid");
my $tfa_id = extract_param($param, "id");
+ my $update_user_config;
PVE::AccessControl::lock_tfa_config(sub {
my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
if (defined($tfa_id)) {
- $tfa_cfg->api_delete_tfa($userid, $tfa_id);
+ my $has_entries_left = $tfa_cfg->api_delete_tfa($userid, $tfa_id);
+ $update_user_config = !$has_entries_left;
} else {
- $tfa_cfg->remove_user($userid);
+ my $needs_user_saving = $tfa_cfg->remove_user($userid);
+ $update_user_config = $needs_user_saving;
}
cfs_write_file('priv/tfa.cfg', $tfa_cfg);
});
+
+ if ($update_user_config) {
+ PVE::AccessControl::lock_user_config(sub {
+ my $user_cfg = cfs_read_file('user.cfg');
+ my $user = $user_cfg->{users}->{$userid};
+ $user->{keys} = undef;
+ cfs_write_file('user.cfg', $user_cfg);
+ });
+ }
return;
},
});
--
2.39.5
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [pve-devel] [PATCH pve-access-control] fix #6528: tfa: update user config on removal of TFA
2025-07-29 8:30 [pve-devel] [PATCH pve-access-control] fix #6528: tfa: update user config on removal of TFA Shan Shaji
@ 2025-07-29 9:45 ` Fabian Grünbichler
2025-07-29 10:26 ` Shan Shaji
0 siblings, 1 reply; 5+ messages in thread
From: Fabian Grünbichler @ 2025-07-29 9:45 UTC (permalink / raw)
To: Proxmox VE development discussion
On July 29, 2025 10:30 am, Shan Shaji wrote:
> When removing TFA from a user via the command line, the change was not
> reflected in the GUI or in the output of `pveum user list`. Both
> continued to show that TFA was enabled for the user. Fixed the issue
> by updating the user configuration file.
>
> Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
> ---
>
> Tested Cases:
> - Case 1:
> - Added one TFA for a user.
> - Delete with CLI `pveum user tfa delete <user>`
> - Verified if the UI and CLI outputs are updated.
> - Case 2:
> - Add two TFA for a user.
> - Delete with CLI `pveum user tfa delete <user>`
> - Verified if the UI and CLI outputs are updated.
> - Case 3:
> - Add two TFA for a user.
> - Delete with CLI `pveum user tfa delete <user> --id <id>`
> - Verified if the UI and CLI outputs are updated.
>
> src/PVE/CLI/pveum.pm | 16 ++++++++++++++--
> 1 file changed, 14 insertions(+), 2 deletions(-)
>
> diff --git a/src/PVE/CLI/pveum.pm b/src/PVE/CLI/pveum.pm
> index 0645a6d..87e68df 100755
> --- a/src/PVE/CLI/pveum.pm
> +++ b/src/PVE/CLI/pveum.pm
> @@ -141,16 +141,28 @@ __PACKAGE__->register_method({
>
> my $userid = extract_param($param, "userid");
> my $tfa_id = extract_param($param, "id");
> + my $update_user_config;
>
> PVE::AccessControl::lock_tfa_config(sub {
> my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
> if (defined($tfa_id)) {
> - $tfa_cfg->api_delete_tfa($userid, $tfa_id);
> + my $has_entries_left = $tfa_cfg->api_delete_tfa($userid, $tfa_id);
> + $update_user_config = !$has_entries_left;
this one is nice split like that, but
> } else {
> - $tfa_cfg->remove_user($userid);
> + my $needs_user_saving = $tfa_cfg->remove_user($userid);
> + $update_user_config = $needs_user_saving;
these two lines could be combined IMHO, or we could even unconditionally
set $update_user_config here - if we (are asked to) remove all TFA
entries for a particular user, we want to clear the 'x' entry even if no
TFA entries existed in the first place (e.g., because the configs ran
out of sync).
> }
> cfs_write_file('priv/tfa.cfg', $tfa_cfg);
> });
> +
> + if ($update_user_config) {
> + PVE::AccessControl::lock_user_config(sub {
> + my $user_cfg = cfs_read_file('user.cfg');
> + my $user = $user_cfg->{users}->{$userid};
> + $user->{keys} = undef;
> + cfs_write_file('user.cfg', $user_cfg);
> + });
> + }
the locking here is incomplete - in the meantime, another invocation
could have added a TFA entry again, and potentially the 'x' marker is
dropped afterwards making user.cfg wrong/out of sync..
PVE::API2::TFA::delete_tfa() has the same issue, but in
PVE::API2::TFA::add_tfa_entry we have a nested call:
lock_tfa_config() {
set_user_tfa_enabled() {
lock_user_config() {
add 'x' entry to user.cfg
}
}
add tfa entry to tfa.cfg
}
if that lock order is used everywhere else as well, the two deletion
paths (API and CLI) should also be done like that, to avoid races. there
might be more code paths missing proper nested locking, I haven't done a
complete analysis.
> return;
> },
> });
> --
> 2.39.5
>
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
>
>
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [pve-devel] [PATCH pve-access-control] fix #6528: tfa: update user config on removal of TFA
2025-07-29 9:45 ` Fabian Grünbichler
@ 2025-07-29 10:26 ` Shan Shaji
2025-07-29 10:40 ` Fabian Grünbichler
0 siblings, 1 reply; 5+ messages in thread
From: Shan Shaji @ 2025-07-29 10:26 UTC (permalink / raw)
To: Proxmox VE development discussion
Thank you so much for the review and i will update it accordingly.
Had some doubts which i added as inline comments.
On Tue Jul 29, 2025 at 11:45 AM CEST, Fabian Grünbichler wrote:
> On July 29, 2025 10:30 am, Shan Shaji wrote:
> > When removing TFA from a user via the command line, the change was not
> > reflected in the GUI or in the output of `pveum user list`. Both
> > continued to show that TFA was enabled for the user. Fixed the issue
> > by updating the user configuration file.
> >
> > Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
> > ---
> >
> > Tested Cases:
> > - Case 1:
> > - Added one TFA for a user.
> > - Delete with CLI `pveum user tfa delete <user>`
> > - Verified if the UI and CLI outputs are updated.
> > - Case 2:
> > - Add two TFA for a user.
> > - Delete with CLI `pveum user tfa delete <user>`
> > - Verified if the UI and CLI outputs are updated.
> > - Case 3:
> > - Add two TFA for a user.
> > - Delete with CLI `pveum user tfa delete <user> --id <id>`
> > - Verified if the UI and CLI outputs are updated.
> >
> > src/PVE/CLI/pveum.pm | 16 ++++++++++++++--
> > 1 file changed, 14 insertions(+), 2 deletions(-)
> >
> > diff --git a/src/PVE/CLI/pveum.pm b/src/PVE/CLI/pveum.pm
> > index 0645a6d..87e68df 100755
> > --- a/src/PVE/CLI/pveum.pm
> > +++ b/src/PVE/CLI/pveum.pm
> > @@ -141,16 +141,28 @@ __PACKAGE__->register_method({
> >
> > my $userid = extract_param($param, "userid");
> > my $tfa_id = extract_param($param, "id");
> > + my $update_user_config;
> >
> > PVE::AccessControl::lock_tfa_config(sub {
> > my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
> > if (defined($tfa_id)) {
> > - $tfa_cfg->api_delete_tfa($userid, $tfa_id);
> > + my $has_entries_left = $tfa_cfg->api_delete_tfa($userid, $tfa_id);
> > + $update_user_config = !$has_entries_left;
>
> this one is nice split like that, but
>
> > } else {
> > - $tfa_cfg->remove_user($userid);
> > + my $needs_user_saving = $tfa_cfg->remove_user($userid);
> > + $update_user_config = $needs_user_saving;
>
> these two lines could be combined IMHO, or we could even unconditionally
> set $update_user_config here - if we (are asked to) remove all TFA
> entries for a particular user, we want to clear the 'x' entry even if no
> TFA entries existed in the first place (e.g., because the configs ran
> out of sync).
So it's okay if i set `$update_user_config = 1;`
> > }
> > cfs_write_file('priv/tfa.cfg', $tfa_cfg);
> > });
> > +
> > + if ($update_user_config) {
> > + PVE::AccessControl::lock_user_config(sub {
> > + my $user_cfg = cfs_read_file('user.cfg');
> > + my $user = $user_cfg->{users}->{$userid};
> > + $user->{keys} = undef;
> > + cfs_write_file('user.cfg', $user_cfg);
> > + });
> > + }
>
> the locking here is incomplete - in the meantime, another invocation
> could have added a TFA entry again, and potentially the 'x' marker is
> dropped afterwards making user.cfg wrong/out of sync..
>
> PVE::API2::TFA::delete_tfa() has the same issue, but in
> PVE::API2::TFA::add_tfa_entry we have a nested call:
So the order will the lock TFA -> lock user cfg -> update user cfg ->
update tfa cfg.
> lock_tfa_config() {
> set_user_tfa_enabled() {
> lock_user_config() {
> add 'x' entry to user.cfg
> }
> }
> add tfa entry to tfa.cfg
> }
>
> if that lock order is used everywhere else as well, the two deletion
> paths (API and CLI) should also be done like that, to avoid races. there
> might be more code paths missing proper nested locking, I haven't done a
> complete analysis.
>
> > return;
> > },
> > });
> > --
> > 2.39.5
> >
> >
> >
> > _______________________________________________
> > pve-devel mailing list
> > pve-devel@lists.proxmox.com
> > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> >
> >
> >
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [pve-devel] [PATCH pve-access-control] fix #6528: tfa: update user config on removal of TFA
2025-07-29 10:26 ` Shan Shaji
@ 2025-07-29 10:40 ` Fabian Grünbichler
2025-07-29 11:06 ` Shan Shaji
0 siblings, 1 reply; 5+ messages in thread
From: Fabian Grünbichler @ 2025-07-29 10:40 UTC (permalink / raw)
To: Proxmox VE development discussion
On July 29, 2025 12:26 pm, Shan Shaji wrote:
> Thank you so much for the review and i will update it accordingly.
> Had some doubts which i added as inline comments.
>
> On Tue Jul 29, 2025 at 11:45 AM CEST, Fabian Grünbichler wrote:
>> On July 29, 2025 10:30 am, Shan Shaji wrote:
>> > +
>> > + if ($update_user_config) {
>> > + PVE::AccessControl::lock_user_config(sub {
>> > + my $user_cfg = cfs_read_file('user.cfg');
>> > + my $user = $user_cfg->{users}->{$userid};
>> > + $user->{keys} = undef;
>> > + cfs_write_file('user.cfg', $user_cfg);
>> > + });
>> > + }
>>
>> the locking here is incomplete - in the meantime, another invocation
>> could have added a TFA entry again, and potentially the 'x' marker is
>> dropped afterwards making user.cfg wrong/out of sync..
>>
>> PVE::API2::TFA::delete_tfa() has the same issue, but in
>> PVE::API2::TFA::add_tfa_entry we have a nested call:
> So the order will the lock TFA -> lock user cfg -> update user cfg ->
> update tfa cfg.
yes, unless you find another code path that does the inverse (lock user
first, then lock TFA while the lock is held) - in that case we need to
settle on one of the two variants ;)
>> lock_tfa_config() {
>> set_user_tfa_enabled() {
>> lock_user_config() {
>> add 'x' entry to user.cfg
>> }
>> }
>> add tfa entry to tfa.cfg
>> }
>>
>> if that lock order is used everywhere else as well, the two deletion
>> paths (API and CLI) should also be done like that, to avoid races. there
>> might be more code paths missing proper nested locking, I haven't done a
>> complete analysis.
>>
>> > return;
>> > },
>> > });
>> > --
>> > 2.39.5
>> >
>> >
>> >
>> > _______________________________________________
>> > pve-devel mailing list
>> > pve-devel@lists.proxmox.com
>> > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>> >
>> >
>> >
>>
>>
>> _______________________________________________
>> pve-devel mailing list
>> pve-devel@lists.proxmox.com
>> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [pve-devel] [PATCH pve-access-control] fix #6528: tfa: update user config on removal of TFA
2025-07-29 10:40 ` Fabian Grünbichler
@ 2025-07-29 11:06 ` Shan Shaji
0 siblings, 0 replies; 5+ messages in thread
From: Shan Shaji @ 2025-07-29 11:06 UTC (permalink / raw)
To: Proxmox VE development discussion
superseeded by v2: https://lore.proxmox.com/pve-devel/20250729110229.118959-1-s.shaji@proxmox.com/T/#u
On Tue Jul 29, 2025 at 12:40 PM CEST, Fabian Grünbichler wrote:
> > So the order will the lock TFA -> lock user cfg -> update user cfg ->
> > update tfa cfg.
>
> yes, unless you find another code path that does the inverse (lock user
> first, then lock TFA while the lock is held) - in that case we need to
> settle on one of the two variants ;)
I think it's not possible to do the other way around as when i checked
the implementaion of `lock_tfa_config` in PVE::AccessControl if the
user config is locked it's not possible to acquire a tfa lock. Also
there is a comment that mentions about locking of the files are only
allowed together in one order.
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2025-07-29 11:05 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-07-29 8:30 [pve-devel] [PATCH pve-access-control] fix #6528: tfa: update user config on removal of TFA Shan Shaji
2025-07-29 9:45 ` Fabian Grünbichler
2025-07-29 10:26 ` Shan Shaji
2025-07-29 10:40 ` Fabian Grünbichler
2025-07-29 11:06 ` Shan Shaji
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox