proxmox-mirrors/pve-access-control
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-access-control synced 2025-07-25 23:40:01 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Whitespace fixes

Browse Source 
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
This commit is contained in:
Philip Abernethy 2017-09-21 11:09:16 +02:00 committed by Wolfgang Bumiller
parent 5654af83fa
commit 0a6e09fd47
5 changed files with 115 additions and 119 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
PVE/API2/ACL.pm
View File

@ -14,11 +14,11 @@ use PVE::RESTHandler;
use base qw(PVE::RESTHandler); use base qw(PVE::RESTHandler);
__PACKAGE__->register_method ({ __PACKAGE__->register_method ({
name => 'read_acl', name => 'read_acl',
path => '', path => '',
method => 'GET', method => 'GET',
description => "Get Access Control List (ACLs).", description => "Get Access Control List (ACLs).",
permissions => { permissions => {
description => "The returned list is restricted to objects where you have rights to modify permissions.", description => "The returned list is restricted to objects where you have rights to modify permissions.",
user => 'all', user => 'all',
}, },
@ -42,7 +42,7 @@ __PACKAGE__->register_method ({
}, },
code => sub { code => sub {
my ($param) = @_; my ($param) = @_;
my $rpcenv = PVE::RPCEnvironment::get(); my $rpcenv = PVE::RPCEnvironment::get();
my $authuser = $rpcenv->get_user(); my $authuser = $rpcenv->get_user();
my $res = []; my $res = [];
@ -79,44 +79,44 @@ __PACKAGE__->register_method ({
}}); }});
__PACKAGE__->register_method ({ __PACKAGE__->register_method ({
name => 'update_acl', name => 'update_acl',
protected => 1, protected => 1,
path => '', path => '',
method => 'PUT', method => 'PUT',
permissions => { permissions => {
check => ['perm-modify', '{path}'], check => ['perm-modify', '{path}'],
}, },
description => "Update Access Control List (add or remove permissions).", description => "Update Access Control List (add or remove permissions).",
parameters => { parameters => {
additionalProperties => 0, additionalProperties => 0,
properties => { properties => {
path => { path => {
description => "Access control path", description => "Access control path",
type => 'string', type => 'string',
}, },
users => { users => {
description => "List of users.", description => "List of users.",
type => 'string', format => 'pve-userid-list', type => 'string', format => 'pve-userid-list',
optional => 1, optional => 1,
}, },
groups => { groups => {
description => "List of groups.", description => "List of groups.",
type => 'string', format => 'pve-groupid-list', type => 'string', format => 'pve-groupid-list',
optional => 1, optional => 1,
}, },
roles => { roles => {
description => "List of roles.", description => "List of roles.",
type => 'string', format => 'pve-roleid-list', type => 'string', format => 'pve-roleid-list',
}, },
propagate => { propagate => {
description => "Allow to propagate (inherit) permissions.", description => "Allow to propagate (inherit) permissions.",
type => 'boolean', type => 'boolean',
optional => 1, optional => 1,
default => 1, default => 1,
}, },
delete => { delete => {
description => "Remove permissions (instead of adding it).", description => "Remove permissions (instead of adding it).",
type => 'boolean', type => 'boolean',
optional => 1, optional => 1,
}, },
}, },
@ -126,8 +126,8 @@ __PACKAGE__->register_method ({
my ($param) = @_; my ($param) = @_;
if (!($param->{users} || $param->{groups})) { if (!($param->{users} || $param->{groups})) {
raise_param_exc({ raise_param_exc({
users => "either 'users' or 'groups' is required.", users => "either 'users' or 'groups' is required.",
groups => "either 'users' or 'groups' is required." }); groups => "either 'users' or 'groups' is required." });
} }
@ -136,17 +136,17 @@ __PACKAGE__->register_method ({
PVE::AccessControl::lock_user_config( PVE::AccessControl::lock_user_config(
sub { sub {
my $cfg = cfs_read_file("user.cfg"); my $cfg = cfs_read_file("user.cfg");
my $propagate = 1; my $propagate = 1;
if (defined($param->{propagate})) { if (defined($param->{propagate})) {
$propagate = $param->{propagate} ? 1 : 0; $propagate = $param->{propagate} ? 1 : 0;
} }
foreach my $role (split_list($param->{roles})) { foreach my $role (split_list($param->{roles})) {
die "role '$role' does not exist\n" die "role '$role' does not exist\n"
if !$cfg->{roles}->{$role}; if !$cfg->{roles}->{$role};
foreach my $group (split_list($param->{groups})) { foreach my $group (split_list($param->{groups})) {
@ -171,7 +171,7 @@ __PACKAGE__->register_method ({
delete($cfg->{acl}->{$path}->{users}->{$username}->{$role}); delete($cfg->{acl}->{$path}->{users}->{$username}->{$role});
} else { } else {
$cfg->{acl}->{$path}->{users}->{$username}->{$role} = $propagate; $cfg->{acl}->{$path}->{users}->{$username}->{$role} = $propagate;
} }
} }
} }

71
PVE/API2/Role.pm
View File

@ -12,11 +12,11 @@ use PVE::RESTHandler;
use base qw(PVE::RESTHandler); use base qw(PVE::RESTHandler);
__PACKAGE__->register_method ({ __PACKAGE__->register_method ({
name => 'index', name => 'index',
path => '', path => '',
method => 'GET', method => 'GET',
description => "Role index.", description => "Role index.",
permissions => { permissions => {
user => 'all', user => 'all',
}, },
parameters => { parameters => {
@ -35,11 +35,11 @@ __PACKAGE__->register_method ({
}, },
code => sub { code => sub {
my ($param) = @_; my ($param) = @_;
my $res = []; my $res = [];
my $usercfg = cfs_read_file("user.cfg"); my $usercfg = cfs_read_file("user.cfg");
foreach my $role (keys %{$usercfg->{roles}}) { foreach my $role (keys %{$usercfg->{roles}}) {
my $privs = join(',', sort keys %{$usercfg->{roles}->{$role}}); my $privs = join(',', sort keys %{$usercfg->{roles}->{$role}});
push @$res, { roleid => $role, privs => $privs, push @$res, { roleid => $role, privs => $privs,
@ -47,19 +47,19 @@ __PACKAGE__->register_method ({
} }
return $res; return $res;
}}); }});
__PACKAGE__->register_method ({ __PACKAGE__->register_method ({
name => 'create_role', name => 'create_role',
protected => 1, protected => 1,
path => '', path => '',
method => 'POST', method => 'POST',
permissions => { permissions => {
check => ['perm', '/access', ['Sys.Modify']], check => ['perm', '/access', ['Sys.Modify']],
}, },
description => "Create new role.", description => "Create new role.",
parameters => { parameters => {
additionalProperties => 0, additionalProperties => 0,
properties => { properties => {
roleid => { type => 'string', format => 'pve-roleid' }, roleid => { type => 'string', format => 'pve-roleid' },
privs => { type => 'string' , format => 'pve-priv-list', optional => 1 }, privs => { type => 'string' , format => 'pve-priv-list', optional => 1 },
@ -71,12 +71,12 @@ __PACKAGE__->register_method ({
PVE::AccessControl::lock_user_config( PVE::AccessControl::lock_user_config(
sub { sub {
my $usercfg = cfs_read_file("user.cfg"); my $usercfg = cfs_read_file("user.cfg");
my $role = $param->{roleid}; my $role = $param->{roleid};
die "role '$role' already exists\n" die "role '$role' already exists\n"
if $usercfg->{roles}->{$role}; if $usercfg->{roles}->{$role};
$usercfg->{roles}->{$role} = {}; $usercfg->{roles}->{$role} = {};
@ -87,24 +87,24 @@ __PACKAGE__->register_method ({
}, "create role failed"); }, "create role failed");
return undef; return undef;
}}); }});
__PACKAGE__->register_method ({ __PACKAGE__->register_method ({
name => 'update_role', name => 'update_role',
protected => 1, protected => 1,
path => '{roleid}', path => '{roleid}',
method => 'PUT', method => 'PUT',
permissions => { permissions => {
check => ['perm', '/access', ['Sys.Modify']], check => ['perm', '/access', ['Sys.Modify']],
}, },
description => "Create new role.", description => "Create new role.",
parameters => { parameters => {
additionalProperties => 0, additionalProperties => 0,
properties => { properties => {
roleid => { type => 'string', format => 'pve-roleid' }, roleid => { type => 'string', format => 'pve-roleid' },
privs => { type => 'string' , format => 'pve-priv-list' }, privs => { type => 'string' , format => 'pve-priv-list' },
append => { append => {
type => 'boolean', type => 'boolean',
optional => 1, optional => 1,
requires => 'privs', requires => 'privs',
}, },
@ -116,12 +116,12 @@ __PACKAGE__->register_method ({
PVE::AccessControl::lock_user_config( PVE::AccessControl::lock_user_config(
sub { sub {
my $role = $param->{roleid}; my $role = $param->{roleid};
my $usercfg = cfs_read_file("user.cfg"); my $usercfg = cfs_read_file("user.cfg");
die "role '$role' does not exist\n" die "role '$role' does not exist\n"
if !$usercfg->{roles}->{$role}; if !$usercfg->{roles}->{$role};
$usercfg->{roles}->{$role} = {} if !$param->{append}; $usercfg->{roles}->{$role} = {} if !$param->{append};
@ -132,19 +132,19 @@ __PACKAGE__->register_method ({
}, "update role failed"); }, "update role failed");
return undef; return undef;
}}); }});
# fixme: return format! # fixme: return format!
__PACKAGE__->register_method ({ __PACKAGE__->register_method ({
name => 'read_role', name => 'read_role',
path => '{roleid}', path => '{roleid}',
method => 'GET', method => 'GET',
permissions => { permissions => {
user => 'all', user => 'all',
}, },
description => "Get role configuration.", description => "Get role configuration.",
parameters => { parameters => {
additionalProperties => 0, additionalProperties => 0,
properties => { properties => {
roleid => { type => 'string' , format => 'pve-roleid' }, roleid => { type => 'string' , format => 'pve-roleid' },
}, },
@ -162,20 +162,19 @@ __PACKAGE__->register_method ({
die "role '$role' does not exist\n" if !$data; die "role '$role' does not exist\n" if !$data;
return $data; return $data;
}}); }});
__PACKAGE__->register_method ({ __PACKAGE__->register_method ({
name => 'delete_role', name => 'delete_role',
protected => 1, protected => 1,
path => '{roleid}', path => '{roleid}',
method => 'DELETE', method => 'DELETE',
permissions => { permissions => {
check => ['perm', '/access', ['Sys.Modify']], check => ['perm', '/access', ['Sys.Modify']],
}, },
description => "Delete role.", description => "Delete role.",
parameters => { parameters => {
additionalProperties => 0, additionalProperties => 0,
properties => { properties => {
roleid => { type => 'string', format => 'pve-roleid' }, roleid => { type => 'string', format => 'pve-roleid' },
} }
@ -193,7 +192,7 @@ __PACKAGE__->register_method ({
die "role '$role' does not exist\n" die "role '$role' does not exist\n"
if !$usercfg->{roles}->{$role}; if !$usercfg->{roles}->{$role};
die "auto-generated role '$role' can not be deleted\n" die "auto-generated role '$role' can not be deleted\n"
if PVE::AccessControl::role_is_special($role); if PVE::AccessControl::role_is_special($role);
@ -203,8 +202,8 @@ __PACKAGE__->register_method ({
cfs_write_file("user.cfg", $usercfg); cfs_write_file("user.cfg", $usercfg);
}, "delete role failed"); }, "delete role failed");
return undef; return undef;
}}); }});
1; 1;

102
PVE/API2/User.pm
View File

@ -31,11 +31,11 @@ my $extract_user_data = sub {
}; };
__PACKAGE__->register_method ({ __PACKAGE__->register_method ({
name => 'index', name => 'index',
path => '', path => '',
method => 'GET', method => 'GET',
description => "User index.", description => "User index.",
permissions => { permissions => {
description => "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.", description => "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.",
user => 'all', user => 'all',
}, },
@ -61,7 +61,7 @@ __PACKAGE__->register_method ({
}, },
code => sub { code => sub {
my ($param) = @_; my ($param) = @_;
my $rpcenv = PVE::RPCEnvironment::get(); my $rpcenv = PVE::RPCEnvironment::get();
my $usercfg = $rpcenv->{user_cfg}; my $usercfg = $rpcenv->{user_cfg};
my $authuser = $rpcenv->get_user(); my $authuser = $rpcenv->get_user();
@ -71,7 +71,7 @@ __PACKAGE__->register_method ({
my $privs = [ 'User.Modify', 'Sys.Audit' ]; my $privs = [ 'User.Modify', 'Sys.Audit' ];
my $canUserMod = $rpcenv->check_any($authuser, "/access/groups", $privs, 1); my $canUserMod = $rpcenv->check_any($authuser, "/access/groups", $privs, 1);
my $groups = $rpcenv->filter_groups($authuser, $privs, 1); my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
my $allowed_users = $rpcenv->group_member_join([keys %$groups]); my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
foreach my $user (keys %{$usercfg->{users}}) { foreach my $user (keys %{$usercfg->{users}}) {
@ -94,11 +94,11 @@ __PACKAGE__->register_method ({
}}); }});
__PACKAGE__->register_method ({ __PACKAGE__->register_method ({
name => 'create_user', name => 'create_user',
protected => 1, protected => 1,
path => '', path => '',
method => 'POST', method => 'POST',
permissions => { permissions => {
description => "You need 'Realm.AllocateUser' on '/access/realm/<realm>' on the realm of user <userid>, and 'User.Modify' permissions to '/access/groups/<group>' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.", description => "You need 'Realm.AllocateUser' on '/access/realm/<realm>' on the realm of user <userid>, and 'User.Modify' permissions to '/access/groups/<group>' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.",
check => [ 'and', check => [ 'and',
[ 'userid-param', 'Realm.AllocateUser'], [ 'userid-param', 'Realm.AllocateUser'],
@ -107,15 +107,15 @@ __PACKAGE__->register_method ({
}, },
description => "Create new user.", description => "Create new user.",
parameters => { parameters => {
additionalProperties => 0, additionalProperties => 0,
properties => { properties => {
userid => get_standard_option('userid'), userid => get_standard_option('userid'),
password => { password => {
description => "Initial password.", description => "Initial password.",
type => 'string', type => 'string',
optional => 1, optional => 1,
minLength => 5, minLength => 5,
maxLength => 64 maxLength => 64
}, },
groups => { groups => {
type => 'string', format => 'pve-groupid-list', type => 'string', format => 'pve-groupid-list',
@ -128,12 +128,12 @@ __PACKAGE__->register_method ({
comment => { type => 'string', optional => 1 }, comment => { type => 'string', optional => 1 },
keys => { keys => {
description => "Keys for two factor auth (yubico).", description => "Keys for two factor auth (yubico).",
type => 'string', type => 'string',
optional => 1, optional => 1,
}, },
expire => { expire => {
description => "Account expiration date (seconds since epoch). '0' means no expiration date.", description => "Account expiration date (seconds since epoch). '0' means no expiration date.",
type => 'integer', type => 'integer',
minimum => 0, minimum => 0,
optional => 1, optional => 1,
}, },
@ -151,14 +151,14 @@ __PACKAGE__->register_method ({
PVE::AccessControl::lock_user_config( PVE::AccessControl::lock_user_config(
sub { sub {
my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid}); my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
my $usercfg = cfs_read_file("user.cfg"); my $usercfg = cfs_read_file("user.cfg");
die "user '$username' already exists\n" die "user '$username' already exists\n"
if $usercfg->{users}->{$username}; if $usercfg->{users}->{$username};
PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password}) PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password})
if defined($param->{password}); if defined($param->{password});
@ -189,56 +189,56 @@ __PACKAGE__->register_method ({
}}); }});
__PACKAGE__->register_method ({ __PACKAGE__->register_method ({
name => 'read_user', name => 'read_user',
path => '{userid}', path => '{userid}',
method => 'GET', method => 'GET',
description => "Get user configuration.", description => "Get user configuration.",
permissions => { permissions => {
check => ['userid-group', ['User.Modify', 'Sys.Audit']], check => ['userid-group', ['User.Modify', 'Sys.Audit']],
}, },
parameters => { parameters => {
additionalProperties => 0, additionalProperties => 0,
properties => { properties => {
userid => get_standard_option('userid'), userid => get_standard_option('userid'),
}, },
}, },
returns => { returns => {
additionalProperties => 0, additionalProperties => 0,
properties => { properties => {
enable => { type => 'boolean' }, enable => { type => 'boolean' },
expire => { type => 'integer', optional => 1 }, expire => { type => 'integer', optional => 1 },
firstname => { type => 'string', optional => 1 }, firstname => { type => 'string', optional => 1 },
lastname => { type => 'string', optional => 1 }, lastname => { type => 'string', optional => 1 },
email => { type => 'string', optional => 1 }, email => { type => 'string', optional => 1 },
comment => { type => 'string', optional => 1 }, comment => { type => 'string', optional => 1 },
keys => { type => 'string', optional => 1 }, keys => { type => 'string', optional => 1 },
groups => { type => 'array' }, groups => { type => 'array' },
} }
}, },
code => sub { code => sub {
my ($param) = @_; my ($param) = @_;
my ($username, undef, $domain) = my ($username, undef, $domain) =
PVE::AccessControl::verify_username($param->{userid}); PVE::AccessControl::verify_username($param->{userid});
my $usercfg = cfs_read_file("user.cfg"); my $usercfg = cfs_read_file("user.cfg");
my $data = PVE::AccessControl::check_user_exist($usercfg, $username); my $data = PVE::AccessControl::check_user_exist($usercfg, $username);
return &$extract_user_data($data, 1); return &$extract_user_data($data, 1);
}}); }});
__PACKAGE__->register_method ({ __PACKAGE__->register_method ({
name => 'update_user', name => 'update_user',
protected => 1, protected => 1,
path => '{userid}', path => '{userid}',
method => 'PUT', method => 'PUT',
permissions => { permissions => {
check => ['userid-group', ['User.Modify'], groups_param => 1 ], check => ['userid-group', ['User.Modify'], groups_param => 1 ],
}, },
description => "Update user configuration.", description => "Update user configuration.",
parameters => { parameters => {
additionalProperties => 0, additionalProperties => 0,
properties => { properties => {
userid => get_standard_option('userid', { userid => get_standard_option('userid', {
completion => \&PVE::AccessControl::complete_username, completion => \&PVE::AccessControl::complete_username,
@ -248,8 +248,8 @@ __PACKAGE__->register_method ({
optional => 1, optional => 1,
completion => \&PVE::AccessControl::complete_group, completion => \&PVE::AccessControl::complete_group,
}, },
append => { append => {
type => 'boolean', type => 'boolean',
optional => 1, optional => 1,
requires => 'groups', requires => 'groups',
}, },
@ -264,14 +264,14 @@ __PACKAGE__->register_method ({
comment => { type => 'string', optional => 1 }, comment => { type => 'string', optional => 1 },
keys => { keys => {
description => "Keys for two factor auth (yubico).", description => "Keys for two factor auth (yubico).",
type => 'string', type => 'string',
optional => 1, optional => 1,
}, },
expire => { expire => {
description => "Account expiration date (seconds since epoch). '0' means no expiration date.", description => "Account expiration date (seconds since epoch). '0' means no expiration date.",
type => 'integer', type => 'integer',
minimum => 0, minimum => 0,
optional => 1 optional => 1
}, },
}, },
}, },
@ -279,12 +279,12 @@ __PACKAGE__->register_method ({
code => sub { code => sub {
my ($param) = @_; my ($param) = @_;
my ($username, $ruid, $realm) = my ($username, $ruid, $realm) =
PVE::AccessControl::verify_username($param->{userid}); PVE::AccessControl::verify_username($param->{userid});
PVE::AccessControl::lock_user_config( PVE::AccessControl::lock_user_config(
sub { sub {
my $usercfg = cfs_read_file("user.cfg"); my $usercfg = cfs_read_file("user.cfg");
PVE::AccessControl::check_user_exist($usercfg, $username); PVE::AccessControl::check_user_exist($usercfg, $username);
@ -293,7 +293,7 @@ __PACKAGE__->register_method ({
$usercfg->{users}->{$username}->{expire} = $param->{expire} if defined($param->{expire}); $usercfg->{users}->{$username}->{expire} = $param->{expire} if defined($param->{expire});
PVE::AccessControl::delete_user_group($username, $usercfg) PVE::AccessControl::delete_user_group($username, $usercfg)
if (!$param->{append} && defined($param->{groups})); if (!$param->{append} && defined($param->{groups}));
if ($param->{groups}) { if ($param->{groups}) {
@ -314,24 +314,24 @@ __PACKAGE__->register_method ({
cfs_write_file("user.cfg", $usercfg); cfs_write_file("user.cfg", $usercfg);
}, "update user failed"); }, "update user failed");
return undef; return undef;
}}); }});
__PACKAGE__->register_method ({ __PACKAGE__->register_method ({
name => 'delete_user', name => 'delete_user',
protected => 1, protected => 1,
path => '{userid}', path => '{userid}',
method => 'DELETE', method => 'DELETE',
description => "Delete user.", description => "Delete user.",
permissions => { permissions => {
check => [ 'and', check => [ 'and',
[ 'userid-param', 'Realm.AllocateUser'], [ 'userid-param', 'Realm.AllocateUser'],
[ 'userid-group', ['User.Modify']], [ 'userid-group', ['User.Modify']],
], ],
}, },
parameters => { parameters => {
additionalProperties => 0, additionalProperties => 0,
properties => { properties => {
userid => get_standard_option('userid', { userid => get_standard_option('userid', {
completion => \&PVE::AccessControl::complete_username, completion => \&PVE::AccessControl::complete_username,
@ -341,11 +341,11 @@ __PACKAGE__->register_method ({
returns => { type => 'null' }, returns => { type => 'null' },
code => sub { code => sub {
my ($param) = @_; my ($param) = @_;
my $rpcenv = PVE::RPCEnvironment::get(); my $rpcenv = PVE::RPCEnvironment::get();
my $authuser = $rpcenv->get_user(); my $authuser = $rpcenv->get_user();
my ($userid, $ruid, $realm) = my ($userid, $ruid, $realm) =
PVE::AccessControl::verify_username($param->{userid}); PVE::AccessControl::verify_username($param->{userid});
PVE::AccessControl::lock_user_config( PVE::AccessControl::lock_user_config(
@ -366,7 +366,7 @@ __PACKAGE__->register_method ({
cfs_write_file("user.cfg", $usercfg); cfs_write_file("user.cfg", $usercfg);
}, "delete user failed"); }, "delete user failed");
return undef; return undef;
}}); }});

3
PVE/AccessControl.pm
View File

@ -45,7 +45,6 @@ cfs_register_file('user.cfg',
\&parse_user_config, \&parse_user_config,
\&write_user_config); \&write_user_config);
sub verify_username { sub verify_username {
PVE::Auth::Plugin::verify_username(@_); PVE::Auth::Plugin::verify_username(@_);
} }
@ -172,7 +171,6 @@ sub assemble_spice_ticket {
$secret, $username, $vmid, $node); $secret, $username, $vmid, $node);
} }
sub verify_spice_connect_url { sub verify_spice_connect_url {
my ($connect_str) = @_; my ($connect_str) = @_;
@ -537,7 +535,6 @@ sub normalize_path {
return $path; return $path;
} }
PVE::JSONSchema::register_format('pve-groupid', \&verify_groupname); PVE::JSONSchema::register_format('pve-groupid', \&verify_groupname);
sub verify_groupname { sub verify_groupname {
my ($groupname, $noerr) = @_; my ($groupname, $noerr) = @_;

14
PVE/Auth/Plugin.pm
View File

@ -13,7 +13,7 @@ use base qw(PVE::SectionConfig);
my $domainconfigfile = "domains.cfg"; my $domainconfigfile = "domains.cfg";
cfs_register_file($domainconfigfile, cfs_register_file($domainconfigfile,
sub { __PACKAGE__->parse_config(@_); }, sub { __PACKAGE__->parse_config(@_); },
sub { __PACKAGE__->write_config(@_); }); sub { __PACKAGE__->write_config(@_); });
@ -32,10 +32,10 @@ my $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/;
PVE::JSONSchema::register_format('pve-realm', \&pve_verify_realm); PVE::JSONSchema::register_format('pve-realm', \&pve_verify_realm);
sub pve_verify_realm { sub pve_verify_realm {
my ($realm, $noerr) = @_; my ($realm, $noerr) = @_;
if ($realm !~ m/^${realm_regex}$/) { if ($realm !~ m/^${realm_regex}$/) {
return undef if $noerr; return undef if $noerr;
die "value does not look like a valid realm\n"; die "value does not look like a valid realm\n";
} }
return $realm; return $realm;
} }
@ -62,10 +62,10 @@ sub verify_username {
} }
# we only allow a limited set of characters # we only allow a limited set of characters
# colon is not allowed, because we store usernames in # colon is not allowed, because we store usernames in
# colon separated lists)! # colon separated lists)!
# slash is not allowed because it is used as pve API delimiter # slash is not allowed because it is used as pve API delimiter
# also see "man useradd" # also see "man useradd"
if ($username =~ m!^([^\s:/]+)\@(${realm_regex})$!) { if ($username =~ m!^([^\s:/]+)\@(${realm_regex})$!) {
return wantarray ? ($username, $1, $2) : $username; return wantarray ? ($username, $1, $2) : $username;
} }
@ -120,7 +120,7 @@ sub parse_tfa_config {
$res->{step} = $1; $res->{step} = $1;
} else { } else {
return undef; return undef;
} }
} }
return undef if !$res->{type}; return undef if !$res->{type};
@ -199,7 +199,7 @@ sub write_config {
$data->{comment} = PVE::Tools::encode_text($data->{comment}); $data->{comment} = PVE::Tools::encode_text($data->{comment});
} }
} }
$class->SUPER::write_config($filename, $cfg); $class->SUPER::write_config($filename, $cfg);
} }