api: drop old verify_tfa api call
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
This commit is contained in:
parent
6b190c646e
commit
cb64967379
@ -152,83 +152,6 @@ my sub set_user_tfa_enabled : prototype($$$) {
|
||||
}, "enabling TFA for the user failed");
|
||||
}
|
||||
|
||||
### OLD API
|
||||
|
||||
__PACKAGE__->register_method({
|
||||
name => 'verify_tfa',
|
||||
path => '',
|
||||
method => 'POST',
|
||||
permissions => { user => 'all' },
|
||||
protected => 1, # else we can't access shadow files
|
||||
allowtoken => 0, # we don't want tokens to access TFA information
|
||||
description => 'Finish a u2f challenge.',
|
||||
parameters => {
|
||||
additionalProperties => 0,
|
||||
properties => {
|
||||
response => {
|
||||
type => 'string',
|
||||
description => 'The response to the current authentication challenge.',
|
||||
},
|
||||
}
|
||||
},
|
||||
returns => {
|
||||
type => 'object',
|
||||
properties => {
|
||||
ticket => { type => 'string' },
|
||||
# cap
|
||||
}
|
||||
},
|
||||
code => sub {
|
||||
my ($param) = @_;
|
||||
|
||||
my $rpcenv = PVE::RPCEnvironment::get();
|
||||
my $authuser = $rpcenv->get_user();
|
||||
my ($username, undef, $realm) = PVE::AccessControl::verify_username($authuser);
|
||||
|
||||
my ($tfa_type, $tfa_data) = PVE::AccessControl::user_get_tfa($username, $realm, 0);
|
||||
if (!defined($tfa_type)) {
|
||||
raise('no u2f data available');
|
||||
}
|
||||
if ($tfa_type eq 'incompatible') {
|
||||
raise('tfa entries incompatible with old login api');
|
||||
}
|
||||
|
||||
eval {
|
||||
if ($tfa_type eq 'u2f') {
|
||||
my $challenge = $rpcenv->get_u2f_challenge()
|
||||
or raise('no active challenge');
|
||||
|
||||
my $keyHandle = $tfa_data->{keyHandle};
|
||||
my $publicKey = $tfa_data->{publicKey};
|
||||
raise("incomplete u2f setup")
|
||||
if !defined($keyHandle) || !defined($publicKey);
|
||||
|
||||
my $u2f = PVE::API2::AccessControl::get_u2f_instance($rpcenv, $publicKey, $keyHandle);
|
||||
$u2f->set_challenge($challenge);
|
||||
|
||||
my ($counter, $present) = $u2f->auth_verify($param->{response});
|
||||
# Do we want to do anything with these?
|
||||
} else {
|
||||
# sanity check before handing off to the verification code:
|
||||
my $keys = $tfa_data->{keys} or die "missing tfa keys\n";
|
||||
my $config = $tfa_data->{config} or die "bad tfa entry\n";
|
||||
PVE::AccessControl::verify_one_time_pw($tfa_type, $authuser, $keys, $config, $param->{response});
|
||||
}
|
||||
};
|
||||
if (my $err = $@) {
|
||||
my $clientip = $rpcenv->get_client_ip() || '';
|
||||
syslog('err', "authentication verification failure; rhost=$clientip user=$authuser msg=$err");
|
||||
die PVE::Exception->new("authentication failure\n", code => 401);
|
||||
}
|
||||
|
||||
return {
|
||||
ticket => PVE::AccessControl::assemble_ticket($authuser),
|
||||
cap => $rpcenv->compute_api_permission($authuser),
|
||||
}
|
||||
}});
|
||||
|
||||
### END OLD API
|
||||
|
||||
__PACKAGE__->register_method ({
|
||||
name => 'list_user_tfa',
|
||||
path => '{userid}',
|
||||
|