From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id B32F37D719 for ; Tue, 9 Nov 2021 12:27:53 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 71B8EAFDF for ; Tue, 9 Nov 2021 12:27:27 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 7FC5AAF7C for ; Tue, 9 Nov 2021 12:27:25 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 535D042CF2 for ; Tue, 9 Nov 2021 12:27:25 +0100 (CET) From: Wolfgang Bumiller To: pve-devel@lists.proxmox.com Date: Tue, 9 Nov 2021 12:27:05 +0100 Message-Id: <20211109112721.130935-17-w.bumiller@proxmox.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20211109112721.130935-1-w.bumiller@proxmox.com> References: <20211109112721.130935-1-w.bumiller@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.543 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [tfa.pm] Subject: [pve-devel] [PATCH access-control 10/10] set/remove 'x' for tfa keys in user.cfg in new api X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Nov 2021 11:27:53 -0000 Signed-off-by: Wolfgang Bumiller --- src/PVE/API2/TFA.pm | 26 ++++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/src/PVE/API2/TFA.pm b/src/PVE/API2/TFA.pm index 2fbc7a8..53f57fc 100644 --- a/src/PVE/API2/TFA.pm +++ b/src/PVE/API2/TFA.pm @@ -119,6 +119,22 @@ my sub root_permission_check : prototype($$$$) { return wantarray ? ($userid, $realm) : $userid; } +my sub set_user_tfa_enabled : prototype($$) { + my ($userid, $enabled) = @_; + + PVE::AccessControl::lock_user_config(sub { + my $user_cfg = cfs_read_file('user.cfg'); + my $user = $user_cfg->{users}->{$userid}; + my $keys = $user->{keys}; + if ($keys && $keys !~ /^x(?:!.*)?$/) { + die "user contains tfa keys directly in user.cfg," + ." please remove them and add them via the TFA panel instead\n"; + } + $user->{keys} = $enabled ? 'x' : undef; + cfs_write_file("user.cfg", $user_cfg); + }, "enabling TFA for the user failed"); +} + ### OLD API __PACKAGE__->register_method({ @@ -291,11 +307,15 @@ __PACKAGE__->register_method ({ my $userid = root_permission_check($rpcenv, $authuser, $param->{userid}, $param->{password}); - return PVE::AccessControl::lock_tfa_config(sub { + my $has_entries_left = PVE::AccessControl::lock_tfa_config(sub { my $tfa_cfg = cfs_read_file('priv/tfa.cfg'); - $tfa_cfg->api_delete_tfa($userid, $param->{id}); + my $has_entries_left = $tfa_cfg->api_delete_tfa($userid, $param->{id}); cfs_write_file('priv/tfa.cfg', $tfa_cfg); + return $has_entries_left; }); + if (!$has_entries_left) { + set_user_tfa_enabled($userid, 0); + } }}); __PACKAGE__->register_method ({ @@ -404,6 +424,8 @@ __PACKAGE__->register_method ({ $value = validate_yubico_otp($userid, $realm, $value); } + set_user_tfa_enabled($userid, 1); + return PVE::AccessControl::lock_tfa_config(sub { my $tfa_cfg = cfs_read_file('priv/tfa.cfg'); PVE::AccessControl::configure_u2f_and_wa($tfa_cfg); -- 2.30.2