From: "Shan Shaji" <s.shaji@proxmox.com>
To: "Proxmox VE development discussion" <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-access-control] fix #6528: tfa: update user config on removal of TFA
Date: Tue, 29 Jul 2025 12:26:52 +0200 [thread overview]
Message-ID: <DBOGTW5GCZZE.3V2FS3RAXC4FR@noor> (raw)
In-Reply-To: <1753781854.l4zxsjc0e1.astroid@yuna.none>
Thank you so much for the review and i will update it accordingly.
Had some doubts which i added as inline comments.
On Tue Jul 29, 2025 at 11:45 AM CEST, Fabian Grünbichler wrote:
> On July 29, 2025 10:30 am, Shan Shaji wrote:
> > When removing TFA from a user via the command line, the change was not
> > reflected in the GUI or in the output of `pveum user list`. Both
> > continued to show that TFA was enabled for the user. Fixed the issue
> > by updating the user configuration file.
> >
> > Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
> > ---
> >
> > Tested Cases:
> > - Case 1:
> > - Added one TFA for a user.
> > - Delete with CLI `pveum user tfa delete <user>`
> > - Verified if the UI and CLI outputs are updated.
> > - Case 2:
> > - Add two TFA for a user.
> > - Delete with CLI `pveum user tfa delete <user>`
> > - Verified if the UI and CLI outputs are updated.
> > - Case 3:
> > - Add two TFA for a user.
> > - Delete with CLI `pveum user tfa delete <user> --id <id>`
> > - Verified if the UI and CLI outputs are updated.
> >
> > src/PVE/CLI/pveum.pm | 16 ++++++++++++++--
> > 1 file changed, 14 insertions(+), 2 deletions(-)
> >
> > diff --git a/src/PVE/CLI/pveum.pm b/src/PVE/CLI/pveum.pm
> > index 0645a6d..87e68df 100755
> > --- a/src/PVE/CLI/pveum.pm
> > +++ b/src/PVE/CLI/pveum.pm
> > @@ -141,16 +141,28 @@ __PACKAGE__->register_method({
> >
> > my $userid = extract_param($param, "userid");
> > my $tfa_id = extract_param($param, "id");
> > + my $update_user_config;
> >
> > PVE::AccessControl::lock_tfa_config(sub {
> > my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
> > if (defined($tfa_id)) {
> > - $tfa_cfg->api_delete_tfa($userid, $tfa_id);
> > + my $has_entries_left = $tfa_cfg->api_delete_tfa($userid, $tfa_id);
> > + $update_user_config = !$has_entries_left;
>
> this one is nice split like that, but
>
> > } else {
> > - $tfa_cfg->remove_user($userid);
> > + my $needs_user_saving = $tfa_cfg->remove_user($userid);
> > + $update_user_config = $needs_user_saving;
>
> these two lines could be combined IMHO, or we could even unconditionally
> set $update_user_config here - if we (are asked to) remove all TFA
> entries for a particular user, we want to clear the 'x' entry even if no
> TFA entries existed in the first place (e.g., because the configs ran
> out of sync).
So it's okay if i set `$update_user_config = 1;`
> > }
> > cfs_write_file('priv/tfa.cfg', $tfa_cfg);
> > });
> > +
> > + if ($update_user_config) {
> > + PVE::AccessControl::lock_user_config(sub {
> > + my $user_cfg = cfs_read_file('user.cfg');
> > + my $user = $user_cfg->{users}->{$userid};
> > + $user->{keys} = undef;
> > + cfs_write_file('user.cfg', $user_cfg);
> > + });
> > + }
>
> the locking here is incomplete - in the meantime, another invocation
> could have added a TFA entry again, and potentially the 'x' marker is
> dropped afterwards making user.cfg wrong/out of sync..
>
> PVE::API2::TFA::delete_tfa() has the same issue, but in
> PVE::API2::TFA::add_tfa_entry we have a nested call:
So the order will the lock TFA -> lock user cfg -> update user cfg ->
update tfa cfg.
> lock_tfa_config() {
> set_user_tfa_enabled() {
> lock_user_config() {
> add 'x' entry to user.cfg
> }
> }
> add tfa entry to tfa.cfg
> }
>
> if that lock order is used everywhere else as well, the two deletion
> paths (API and CLI) should also be done like that, to avoid races. there
> might be more code paths missing proper nested locking, I haven't done a
> complete analysis.
>
> > return;
> > },
> > });
> > --
> > 2.39.5
> >
> >
> >
> > _______________________________________________
> > pve-devel mailing list
> > pve-devel@lists.proxmox.com
> > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> >
> >
> >
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next prev parent reply other threads:[~2025-07-29 10:26 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-29 8:30 Shan Shaji
2025-07-29 9:45 ` Fabian Grünbichler
2025-07-29 10:26 ` Shan Shaji [this message]
2025-07-29 10:40 ` Fabian Grünbichler
2025-07-29 11:06 ` Shan Shaji
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DBOGTW5GCZZE.3V2FS3RAXC4FR@noor \
--to=s.shaji@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox