From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id AFD397D716 for ; Tue, 9 Nov 2021 12:27:53 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id A5FD2AF8B for ; Tue, 9 Nov 2021 12:27:25 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 4EEA1AF54 for ; Tue, 9 Nov 2021 12:27:24 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 285D842CF2 for ; Tue, 9 Nov 2021 12:27:24 +0100 (CET) From: Wolfgang Bumiller To: pve-devel@lists.proxmox.com Date: Tue, 9 Nov 2021 12:26:56 +0100 Message-Id: <20211109112721.130935-8-w.bumiller@proxmox.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20211109112721.130935-1-w.bumiller@proxmox.com> References: <20211109112721.130935-1-w.bumiller@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.504 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment PROLO_LEO2 0.1 Meta Catches all Leo drug variations so far SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [accesscontrol.pm] Subject: [pve-devel] [PATCH access-control 01/10] use rust parser for TFA config X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Nov 2021 11:27:53 -0000 Signed-off-by: Wolfgang Bumiller --- src/PVE/AccessControl.pm | 50 +++++++++------------------------------- 1 file changed, 11 insertions(+), 39 deletions(-) diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm index 347c2a8..2fa2695 100644 --- a/src/PVE/AccessControl.pm +++ b/src/PVE/AccessControl.pm @@ -19,6 +19,8 @@ use PVE::Tools qw(run_command lock_file file_get_contents split_list safe_print) use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file); use PVE::JSONSchema qw(register_standard_option get_standard_option); +use PVE::RS::TFA; + use PVE::Auth::Plugin; use PVE::Auth::AD; use PVE::Auth::LDAP; @@ -1353,33 +1355,21 @@ sub write_user_config { return $data; } -# The TFA configuration in priv/tfa.cfg format contains one line per user of -# the form: -# USER:TYPE:DATA -# DATA is a base64 encoded json string and its format depends on the type. +# Creates a `PVE::RS::TFA` instance from the raw config data. +# Its contained hash will also support the legacy functionality. sub parse_priv_tfa_config { my ($filename, $raw) = @_; - my $users = {}; - my $cfg = { users => $users }; - $raw = '' if !defined($raw); - while ($raw =~ /^\s*(.+?)\s*$/gm) { - my $line = $1; - my ($user, $type, $data) = split(/:/, $line, 3); + my $cfg = PVE::RS::TFA->new($raw); + # Purge invalid users: + foreach my $user ($cfg->users()->@*) { my (undef, undef, $realm) = PVE::Auth::Plugin::verify_username($user, 1); if (!$realm) { warn "user tfa config - ignore user '$user' - invalid user name\n"; - next; + $cfg->remove_user($user); } - - $data = decode_json(decode_base64($data)); - - $users->{$user} = { - type => $type, - data => $data, - }; } return $cfg; @@ -1388,27 +1378,9 @@ sub parse_priv_tfa_config { sub write_priv_tfa_config { my ($filename, $cfg) = @_; - my $output = ''; - - my $users = $cfg->{users}; - foreach my $user (sort keys %$users) { - my $info = $users->{$user}; - next if !%$info; # skip empty entries - - $info = {%$info}; # copy to verify contents: - - my $type = delete $info->{type}; - my $data = delete $info->{data}; - - if (my @keys = keys %$info) { - die "invalid keys in TFA config for user $user: " . join(', ', @keys) . "\n"; - } - - $data = encode_base64(encode_json($data), ''); - $output .= "${user}:${type}:${data}\n"; - } - - return $output; + # FIXME: Only allow this if the complete cluster has been upgraded to understand the json + # config format. + return $cfg->write(); } sub roles { -- 2.30.2