proxmox-mirrors/proxmox-perl-rs
1
0
Fork 0
mirror of https://git.proxmox.com/git/proxmox-perl-rs synced 2025-07-27 05:51:26 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

tfa: generate 'incomaptible' entries

Browse Source 
for users with incompatible tfa entries, generate an
'incompatible' entry so they cannot log in via the old api

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
This commit is contained in:
Wolfgang Bumiller 2021-11-17 12:33:03 +01:00
parent c6f231494a
commit 205c76068d
1 changed files with 9 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
pve-rs/src/tfa.rs
View File

@ -676,37 +676,6 @@ fn trim_ascii_whitespace(data: &[u8]) -> &[u8] {
trim_ascii_whitespace_start(trim_ascii_whitespace_end(data)) trim_ascii_whitespace_start(trim_ascii_whitespace_end(data))
} }
fn create_legacy_data(data: &TfaUserData) -> bool {
if !data.webauthn.is_empty() || data.recovery.is_some() || data.u2f.len() > 1 {
// incompatible
return false;
}
if data.u2f.is_empty() && data.totp.is_empty() && data.yubico.is_empty() {
// no tfa configured
return false;
}
if let Some(totp) = data.totp.get(0) {
let algorithm = totp.entry.algorithm();
let digits = totp.entry.digits();
let period = totp.entry.period();
if period.subsec_nanos() != 0 {
return false;
}
for totp in data.totp.iter().skip(1) {
if totp.entry.algorithm() != algorithm
|| totp.entry.digits() != digits
|| totp.entry.period() != period
{
return false;
}
}
}
return true;
}
fn b64u_np_encode<T: AsRef<[u8]>>(data: T) -> String { fn b64u_np_encode<T: AsRef<[u8]>>(data: T) -> String {
base64::encode_config(data.as_ref(), base64::URL_SAFE_NO_PAD) base64::encode_config(data.as_ref(), base64::URL_SAFE_NO_PAD)
} }
@ -721,10 +690,6 @@ fn generate_legacy_config(out: &mut perlmod::Hash, config: &TfaConfig) {
let users = Hash::new(); let users = Hash::new();
for (user, data) in &config.users { for (user, data) in &config.users {
if !create_legacy_data(data) {
continue;
}
if let Some(u2f) = data.u2f.get(0) { if let Some(u2f) = data.u2f.get(0) {
let data = Hash::new(); let data = Hash::new();
data.insert( data.insert(
@ -784,6 +749,15 @@ fn generate_legacy_config(out: &mut perlmod::Hash, config: &TfaConfig) {
users.insert(user, Value::new_ref(&entry)); users.insert(user, Value::new_ref(&entry));
continue; continue;
} }
if data.is_empty() {
continue;
}
// lock out the user:
let entry = Hash::new();
entry.insert("type", Value::new_string("incompatible"));
users.insert(user, Value::new_ref(&entry));
} }
out.insert("users", Value::new_ref(&users)); out.insert("users", Value::new_ref(&users));