From: Dietmar Maurer
To: pve-devel@lists.proxmox.com
Date: Wed, 30 Jun 2021 08:10:03 +0200
Message-Id: <20210630061007.3345396-2-dietmar@proxmox.com>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20210630061007.3345396-1-dietmar@proxmox.com>
References: <20210630061007.3345396-1-dietmar@proxmox.com>
X-SPAM-LEVEL: Spam detection results: 0 AWL 0.579 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RDNS_NONE 0.793 Delivered to internal network by a host with no rDNS SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [accesscontrol.pm] Subject: [pve-devel] [PATCH pve-access-control v2 1/5] check_user_enabled: also check if user is expired X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 Jun 2021 06:10:10 -0000 --- src/PVE/AccessControl.pm | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm index 2569a35..8628678 100644 --- a/src/PVE/AccessControl.pm +++ b/src/PVE/AccessControl.pm @@ -428,12 +428,10 @@ sub verify_token { check_user_enabled($usercfg, $username); check_token_exist($usercfg, $username, $token); - my $ctime = time(); - my $user = $usercfg->{users}->{$username}; - die "account expired\n" if $user->{expire} && ($user->{expire} < $ctime); - my $token_info = $user->{tokens}->{$token}; + + my $ctime = time(); die "token expired\n" if $token_info->{expire} && ($token_info->{expire} < $ctime); die "invalid token value!\n" if !PVE::Cluster::verify_token($tokenid, $value); @@ -579,6 +577,11 @@ sub check_user_enabled { die "user '$username' is disabled\n" if !$noerr; + my $ctime = time(); + my $expire = $usercfg->{users}->{$username}->{expire}; + + die "account expired\n" if $expire && ($expire < $ctime); + return undef; } 
@@ -629,11 +632,6 @@ sub authenticate_user { check_user_enabled($usercfg, $username); - my $ctime = time(); - my $expire = $usercfg->{users}->{$username}->{expire}; - - die "account expired\n" if $expire && ($expire < $ctime); - my $domain_cfg = cfs_read_file('domains.cfg'); my $cfg = $domain_cfg->{ids}->{$realm}; -- 2.30.2
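
Review bot: In the check_user_enabled hunk, the new `die "account expired\n"` is placed after `die "user '$username' is disabled\n" if !$noerr;` and directly before `return undef;`, so it only runs on whatever path falls through to that final return. The hunk does not show where the function returns for an enabled user; if that return comes earlier, an enabled account with a past `expire` never reaches this test, and because the verify_token and authenticate_user hunks delete their own expiry checks, nothing would reject it any more. Please move the expiry test ahead of any success return. As written it also dies regardless of `$noerr`, unlike the disabled case on the line above; it should either honour `$noerr` or the difference should be stated.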
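
Review bot: In the authenticate_user hunk, deleting the inline `$expire` test leaves `check_user_enabled($usercfg, $username)` as the only account-expiry gate for password login, and the verify_token hunk does the same for API tokens. The patch touches only src/PVE/AccessControl.pm and has no description beyond the subject line. A regression test asserting that an enabled user with `expire` in the past is rejected by both callers would pin the intended behaviour down. A short comment on check_user_enabled should also say that it now enforces expiry, since the name only mentions the enabled flag.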