merge old user.cfg keys to tfa config when adding entries

this happens when the first new tfa entry is added and the
'keys' entry is replaced by "x"

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

src/PVE/API2/TFA.pm

@@ -119,18 +119,29 @@ my sub root_permission_check : prototype($$$$) {
     return wantarray ? ($userid, $realm) : $userid;
 }
 
-my sub set_user_tfa_enabled : prototype($$) {
-    my ($userid, $enabled) = @_;
+# Set TFA to enabled if $tfa_cfg is passed, or to disabled if $tfa_cfg is undef,
+# When enabling we also merge the old user.cfg keys into the $tfa_cfg.
+my sub set_user_tfa_enabled : prototype($$$) {
+    my ($userid, $realm, $tfa_cfg) = @_;
 
     PVE::AccessControl::lock_user_config(sub {
 	my $user_cfg = cfs_read_file('user.cfg');
 	my $user = $user_cfg->{users}->{$userid};
 	my $keys = $user->{keys};
-	if ($keys && $keys !~ /^x(?:!.*)?$/) {
-	    die "user contains tfa keys directly in user.cfg,"
-		." please remove them and add them via the TFA panel instead\n";
+	# When enabling, we convert old-old keys,
+	# When disabling, we shouldn't actually have old keys anymore, so if they are there,
+	# they'll be removed.
+	if ($tfa_cfg && $keys && $keys !~ /^x(?:!.*)?$/) {
+	    my $domain_cfg = cfs_read_file('domains.cfg');
+	    my $realm_cfg = $domain_cfg->{ids}->{$realm};
+	    die "auth domain '$realm' does not exist\n" if !$realm_cfg;
+
+	    my $realm_tfa = $realm_cfg->{tfa};
+	    $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_tfa) if $realm_tfa;
+
+	    PVE::AccessControl::add_old_keys_to_realm_tfa($userid, $tfa_cfg, $realm_tfa, $keys);
 	}
-	$user->{keys} = $enabled ? 'x' : undef;
+	$user->{keys} = $tfa_cfg ? 'x' : undef;
 	cfs_write_file("user.cfg", $user_cfg);
     }, "enabling TFA for the user failed");
 }
@@ -314,7 +325,7 @@ __PACKAGE__->register_method ({
 	    return $has_entries_left;
 	});
 	if (!$has_entries_left) {
-	    set_user_tfa_enabled($userid, 0);
+	    set_user_tfa_enabled($userid, undef, undef);
 	}
     }});
 
@@ -424,10 +435,11 @@ __PACKAGE__->register_method ({
 	    $value = validate_yubico_otp($userid, $realm, $value);
 	}
 
-	set_user_tfa_enabled($userid, 1);
-
 	return PVE::AccessControl::lock_tfa_config(sub {
 	    my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
+
+	    set_user_tfa_enabled($userid, $realm, $tfa_cfg);
+
 	    PVE::AccessControl::configure_u2f_and_wa($tfa_cfg);
 
 	    my $response = $tfa_cfg->api_add_tfa_entry(

src/PVE/AccessControl.pm

@@ -7,12 +7,14 @@ use Crypt::OpenSSL::Random;
 use Crypt::OpenSSL::RSA;
 use Net::SSLeay;
 use Net::IP;
+use MIME::Base32;
 use MIME::Base64;
 use Digest::SHA;
 use IO::File;
 use File::stat;
 use JSON;
 use Scalar::Util 'weaken';
+use URI::Escape;
 
 use PVE::OTP;
 use PVE::Ticket;
@@ -1776,6 +1778,78 @@ sub user_remove_tfa : prototype($) {
     cfs_write_file('priv/tfa.cfg', $tfa_cfg);
 }
 
+my sub add_old_yubico_keys : prototype($$$) {
+    my ($userid, $tfa_cfg, $keys) = @_;
+
+    my $count = 0;
+    foreach my $key (split_list($keys)) {
+	my $description = "<old userconfig key $count>";
+	++$count;
+	$tfa_cfg->add_yubico_entry($userid, $description, $key);
+    }
+}
+
+my sub normalize_totp_secret : prototype($) {
+    my ($key) = @_;
+
+    my $binkey;
+    # See PVE::OTP::oath_verify_otp:
+    if ($key =~ /^v2-0x([0-9a-fA-F]+)$/) {
+	# v2, hex
+	$binkey = pack('H*', $1);
+    } elsif ($key =~ /^v2-([A-Z2-7=]+)$/) {
+	# v2, base32
+	$binkey = MIME::Base32::decode_rfc3548($1);
+    } elsif ($key =~ /^[A-Z2-7=]{16}$/) {
+	$binkey = MIME::Base32::decode_rfc3548($key);
+    } elsif ($key =~ /^[A-Fa-f0-9]{40}$/) {
+	$binkey = pack('H*', $key);
+    } else {
+	return undef;
+    }
+
+    return MIME::Base32::encode_rfc3548($binkey);
+}
+
+my sub add_old_totp_keys : prototype($$$$) {
+    my ($userid, $tfa_cfg, $realm_tfa, $keys) = @_;
+
+    my $issuer = 'Proxmox%20VE';
+    my $account = uri_escape("Old key for $userid");
+    my $digits = $realm_tfa->{digits} || 6;
+    my $step = $realm_tfa->{step} || 30;
+    my $uri = "otpauth://totp/$issuer:$account?digits=$digits&period=$step&algorithm=SHA1&secret=";
+
+    my $count = 0;
+    foreach my $key (split_list($keys)) {
+	$key = normalize_totp_secret($key);
+	# and just skip invalid keys:
+	next if !defined($key);
+
+	my $description = "<old userconfig key $count>";
+	++$count;
+	eval { $tfa_cfg->add_totp_entry($userid, $description, $uri . $key) };
+	warn $@ if $@;
+    }
+}
+
+sub add_old_keys_to_realm_tfa : prototype($$$$) {
+    my ($userid, $tfa_cfg, $realm_tfa, $keys) = @_;
+
+    # if there's no realm tfa configured, we don't know what the keys mean, so we just ignore
+    # them...
+    return if !$realm_tfa;
+
+    my $type = $realm_tfa->{type};
+    if ($type eq 'oath') {
+	add_old_totp_keys($userid, $tfa_cfg, $realm_tfa, $keys);
+    } elsif ($type eq 'yubico') {
+	add_old_yubico_keys($userid, $tfa_cfg, $keys);
+    } else {
+	# invalid keys, we'll just drop them now...
+    }
+}
+
 sub user_get_tfa : prototype($$$) {
     my ($username, $realm, $new_format) = @_;
 
@@ -1798,6 +1872,14 @@ sub user_get_tfa : prototype($$$) {
 	die "missing required 2nd keys\n";
     }
 
+    if ($new_format) {
+	my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
+	if (defined($keys) && $keys !~ /^x(?:!.*)$/) {
+	    add_old_keys_to_realm_tfa($username, $tfa_cfg, $realm_tfa, $keys);
+	}
+	return ($tfa_cfg, $realm_tfa);
+    }
+
     # new style config starts with an 'x' and optionally contains a !<type> suffix
     if ($keys !~ /^x(?:!.*)?$/) {
 	# old style config, find the type via the realm
@@ -1808,9 +1890,6 @@ sub user_get_tfa : prototype($$$) {
 	});
     } else {
 	my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
-	if ($new_format) {
-	    return ($tfa_cfg, $realm_tfa);
-	} else {
 	my $tfa = $tfa_cfg->{users}->{$username};
 	return if !$tfa; # should not happen (user.cfg wasn't cleaned up?)
 
@@ -1823,7 +1902,6 @@ sub user_get_tfa : prototype($$$) {
 	return ($tfa->{type}, $tfa->{data});
     }
 }
-}
 
 # bash completion helpers