Wolfgang Bumiller
077a83f401
add proxmox-apt and proxmox-openid to workspace
...
and fixup d/copyright
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-05-24 09:24:27 +02:00
Wolfgang Bumiller
6253f263ce
Merge branch 'proxmox-openid-merge'
2023-05-24 09:22:09 +02:00
Wolfgang Bumiller
68ebe9ec8a
Merge branch 'proxmox-apt-merge'
2023-05-24 09:22:04 +02:00
Wolfgang Bumiller
0ff81719ad
move to proxmox-apt/
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-05-24 09:21:55 +02:00
Wolfgang Bumiller
88d1783a65
move to proxmox-openid/
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-05-24 09:20:44 +02:00
Wolfgang Bumiller
6c8191471e
bump proxmox-subscription to 0.4.0-1
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-05-23 13:02:51 +02:00
Wolfgang Bumiller
e5ff0dc40b
bump proxmox-auth-api to 0.2.0-1
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-05-23 13:02:51 +02:00
Wolfgang Bumiller
c531c314c6
bump proxmox-rest-server to 0.4.0-1
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-05-23 13:02:51 +02:00
Wolfgang Bumiller
ca56a67251
bump proxmox-metrics to 0.3.0-1
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-05-23 13:02:51 +02:00
Wolfgang Bumiller
af2d4c6c86
bump proxmox-http to 0.9.0-1
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-05-23 13:02:51 +02:00
Wolfgang Bumiller
644852296d
bump proxmox-shared-memory to 0.3.0-1
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-05-23 13:02:51 +02:00
Wolfgang Bumiller
4f2a7d971b
bump proxmox-compression to 0.2.0-1
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-05-23 13:02:51 +02:00
Wolfgang Bumiller
dd87a120bd
bump proxmox-sys to 0.5.0-1
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-05-23 13:02:51 +02:00
Wolfgang Bumiller
bd63af3c3b
make upload: bump dist to bookworm
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-05-23 13:02:51 +02:00
Wolfgang Bumiller
818ac8e708
update zstd 0.6 -> 0.12 for bookworm
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-05-23 13:02:51 +02:00
Wolfgang Bumiller
8f8d52f148
update d/copyright files to debian copyright-format 1.0
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-05-23 13:02:39 +02:00
Wolfgang Bumiller
392290ec6c
buildsys: improve clean target
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-05-23 10:50:33 +02:00
Wolfgang Bumiller
77e8db8649
buildsys: add dsc and %-dsc targets
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-05-23 10:50:27 +02:00
Wolfgang Bumiller
76ac1a3903
bump proxmox-tfa to 4.0.0-1, auth-api to 0.1.1-1
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-05-10 10:43:21 +02:00
Wolfgang Bumiller
4324aea004
auth-api: update to new tfa crate
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-05-10 10:43:21 +02:00
Wolfgang Bumiller
39017fa334
tfa: add functions to unlock totp and tfa
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-05-10 10:35:54 +02:00
Wolfgang Bumiller
a3448feb1a
tfa: log all tfa verify errors and treat as failure, count
...
Use a custom result type to return success/failure and the
need to save the user data to the caller, while having
logged the error messages rather than returning them.
We count general TFA failures and also TOTP specifically,
and lock the user out of their 2nd factors on too many
failures.
To this end, all errors are now treated as failures.
While technically we can have crypto errors the user might
not be able to cause, we can't always know, and not all
errors are guaranteed to be a host side configuration issue,
so instead, all errors (since they are rare) are now counted
as a regular TFA error.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-05-10 10:35:54 +02:00
Wolfgang Bumiller
50b793db8d
tfa: add data for rate limiting and blocking
...
TfaUserData uses `#[serde(deny_unknown_fields)]`, so we add
this now, but using it will require explicitly enabling it.
If the TOTP count is high, the user should be locked out of
TOTP entirely until they use a recovery key to reset the
count.
If a user's TFA try count is too high, they should get rate
limited.
In both cases they should receive some kind of notification.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-05-10 10:26:51 +02:00
Wolfgang Bumiller
8d968274f1
tfa: make 'anyhow' optional, enable with the 'api' feature
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-05-08 10:32:26 +02:00
Wolfgang Bumiller
3224f42ff5
tfa: fix warning with types feature w/o api feature
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-05-08 10:32:26 +02:00
Wolfgang Bumiller
5c39559cad
tfa: drop anyhow from totp module
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-05-08 10:32:26 +02:00
Wolfgang Bumiller
c45620b447
tfa: drop anyhow from u2f module
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-05-08 10:32:26 +02:00
Wolfgang Bumiller
0d942e81a3
tfa: add a 'types' feature to get TfaInfo and TfaType
...
without adding the entire API as well, so API clients can
actually use the types used by the api methods without
requiring the backend implementation being built in as
well...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-05-08 10:32:26 +02:00
Wolfgang Bumiller
b6840e95ad
tfa: make failing to generate a webauthn challenge non-fatal
...
If WA or U2F fail to produce a challenge, the user may still
log in with other factors and the challenge will be
considered to not be empty.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-05-08 10:32:26 +02:00
Wolfgang Bumiller
4b3d171b2d
tfa: don't return a challenge if all 2nd factors are disabled
...
Instead, this should allow the user to login without them.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-05-08 10:32:26 +02:00
Wolfgang Bumiller
ea1d023a61
tfa: don't automatically drop empty recovery
...
This should only ever be explicitly removed.
Similarly, include an empty array of recovery keys in the
tfa challenge, so that clients know about empty recoveries
rather than getting an empty challenge when there are no
other factors available.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-05-08 10:32:26 +02:00
Dietmar Maurer
b66ceaede0
proxmox-login: allow access to RecoveryState keys (make it pub)
...
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2023-05-08 10:26:54 +02:00
Dietmar Maurer
a41c8481e2
proxmox-login: pass body as &str to response()
...
Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
2023-05-08 08:23:10 +02:00
Dietmar Maurer
be169e25ae
add new proxmox-login to workspace members
2023-05-05 09:29:50 +02:00
Dietmar Maurer
26f586d5eb
new proxmox-login package
...
Author: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-05-04 09:09:08 +02:00
Wolfgang Bumiller
12674a37e0
api-macro: support non-idents in serde(rename)
...
For PVE we'll have enum variants like /dev/urandom...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-04-03 10:01:44 +02:00
Fabian Grünbichler
39453abb8f
http: sync: drop unused &self parameter
...
these are just internal helpers, changing their signature is fine.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2023-03-07 09:30:13 +01:00
Fabian Grünbichler
6a1be173a6
http: sync: derive default user-agent from crate version
...
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2023-03-07 09:30:13 +01:00
Fabian Grünbichler
5ba9d9b2c2
http: sync: remove redundant calls for setting User-Agent
...
the requests are all created via the agent that already contains the user
agent, so this internal helper isn't needed anymore.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2023-03-07 09:30:13 +01:00
Fabian Grünbichler
d69fee254a
http: sync: set user-agent via ureq agent
...
this allows us to slim down our code, and once
https://github.com/algesten/ureq/pull/597 is merged upstream (and/or we update
to a version containing the fix) it also means the custom user agent is used
for requests to the proxy host, if one is configured.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2023-03-07 09:30:13 +01:00
Thomas Lamprecht
5df815f660
proxmox-tfa: update generated d/control
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2023-03-02 16:54:59 +01:00
Wolfgang Bumiller
32e7d3ccdf
bump proxmox-auth-api to 0.1.0-1
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-03-02 16:44:35 +01:00
Wolfgang Bumiller
1bccff7e68
auth-api: make example require pam-authenticator
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-03-02 16:44:35 +01:00
Wolfgang Bumiller
82e212e33a
bump schema dependency to 1.3.7 for auth-api
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-03-02 16:44:35 +01:00
Wolfgang Bumiller
2f5b1f26cc
bump proxmox-schema to 1.3.7-1
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-03-02 16:44:35 +01:00
Wolfgang Bumiller
bca9c6dbaf
bump proxmox-tfa to 3.0.0-1
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-03-02 16:44:35 +01:00
Wolfgang Bumiller
5349ae208b
add proxmox-auth-api crate
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-03-02 16:44:35 +01:00
Wolfgang Bumiller
a8bd8fca15
schema: add basic api types feature
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-03-02 16:14:04 +01:00
Wolfgang Bumiller
f813e8d866
sort workspace members
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-03-02 16:14:04 +01:00
Wolfgang Bumiller
8a90efba68
bump proxmox-metrics to 0.2.2
...
to update proxmox-http dep to 0.8
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-03-02 16:14:04 +01:00