From 3a540a697f24ff981919bade6e9de0e7105fd534 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?=
Date: Tue, 21 Jan 2020 13:54:04 +0100
Subject: [PATCH] API token: add (shadow) TokenConfig
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

with the format: it is just used for token value generation/deletion via the User API, token value verification will happen over pmxcfs/ipcc.

Signed-off-by: Fabian Grünbichler
---
 PVE/Makefile | 1 +
 PVE/TokenConfig.pm | 79 ++++++++++++++++++++++++++++++++++++++++++++++
 debian/control | 1 +
 3 files changed, 81 insertions(+)
 create mode 100644 PVE/TokenConfig.pm

diff --git a/PVE/Makefile b/PVE/Makefile
index 410d9d8..c839d8f 100644
--- a/PVE/Makefile
+++ b/PVE/Makefile
@@ -5,5 +5,6 @@ install:
 make -C Auth install
 install -D -m 0644 AccessControl.pm ${DESTDIR}${PERLDIR}/PVE/AccessControl.pm
 install -D -m 0644 RPCEnvironment.pm ${DESTDIR}${PERLDIR}/PVE/RPCEnvironment.pm
+ install -D -m 0644 TokenConfig.pm ${DESTDIR}${PERLDIR}/PVE/TokenConfig.pm
 make -C API2 install
 make -C CLI install
diff --git a/PVE/TokenConfig.pm b/PVE/TokenConfig.pm
new file mode 100644
index 0000000..94d87e5
--- /dev/null
+++ b/PVE/TokenConfig.pm
@@ -0,0 +1,79 @@
+package PVE::TokenConfig;
+
+use strict;
+use warnings;
+
+use UUID;
+
+use PVE::AccessControl;
+use PVE::Cluster;
+
+my $parse_token_cfg = sub {
+ my ($filename, $raw) = @_;
+
+ my $parsed = {};
+ my @lines = split(/\n/, $raw);
+
+ foreach my $line (@lines) {
+ next if $line =~ m/^\s*$/;
+
+ if ($line =~ m/^(\S+) (\S+)$/) {
+ if (PVE::AccessControl::pve_verify_tokenid($1, 1)) {
+ $parsed->{$1} = $2;
+ next;
+ }
+ }
+
+ warn "skipping invalid token.cfg entry\n";
+ }
+
+ return $parsed;
+};
+
+my $write_token_cfg = sub {
+ my ($filename, $data) = @_;
+
+ my $raw = '';
+ foreach my $tokenid (sort keys %$data) {
+ $raw .= "$tokenid $data->{$tokenid}\n";
+ }
+
+ return $raw;
+};
+
+PVE::Cluster::cfs_register_file('priv/token.cfg', $parse_token_cfg, $write_token_cfg);
+
+sub generate_token {
+ my ($tokenid) = @_;
+
+ PVE::AccessControl::pve_verify_tokenid($tokenid);
+
+ my $token_value = PVE::Cluster::cfs_lock_file('priv/token.cfg', 10, sub {
+ my $uuid = UUID::uuid();
+ my $token_cfg = PVE::Cluster::cfs_read_file('priv/token.cfg');
+
+ $token_cfg->{$tokenid} = $uuid;
+
+ PVE::Cluster::cfs_write_file('priv/token.cfg', $token_cfg);
+
+ return $uuid;
+ });
+
+ die "$@\n" if defined($@);
+
+ return $token_value;
+}
+
+sub delete_token {
+ my ($tokenid) = @_;
+
+ PVE::Cluster::cfs_lock_file('priv/token.cfg', 10, sub {
+ my $token_cfg = PVE::Cluster::cfs_read_file('priv/token.cfg');
+
+ delete $token_cfg->{$tokenid};
+
+ PVE::Cluster::cfs_write_file('priv/token.cfg', $token_cfg);
+ });
+
+ die "$@\n" if defined($@);
+}
diff --git a/debian/control b/debian/control
index 4247b1f..3d43a39 100644
--- a/debian/control
+++ b/debian/control
@@ -27,6 +27,7 @@ Depends: libauthen-pam-perl,
 libpve-common-perl (>= 6.0-6),
 libpve-cluster-perl,
 libpve-u2f-server-perl (>= 1.0-2),
+ libuuid-perl,
 perl (>= 5.6.0-16),
 pve-cluster (>= 5.0-35),
 ${misc:Depends},
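Review bot: In `generate_token` and `delete_token` of PVE/TokenConfig.pm, the check `die "$@\n" if defined($@);` is only correct if `PVE::Cluster::cfs_lock_file` resets `$@` to undef on success, which this patch does not show; a plain `eval` leaves `$@` as the empty string, which is still defined. If that contract does not hold, `generate_token` would die after the new value has already been written to `priv/token.cfg`, leaving a stored secret that the caller never received. Testing truth instead, `die "$@\n" if $@;`, removes the dependency on that detail. Separately, the token secret is taken directly from `UUID::uuid()`; a short comment above that call stating that the value is a bearer secret and that the generator is expected to produce random-based UUIDs (not time/MAC-based ones) would make the assumption explicit for later maintainers.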