api: drop old verify_tfa api call
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
parent
6b190c646e
commit
cb64967379
@ -152,83 +152,6 @@ my sub set_user_tfa_enabled : prototype($$$) {
|
|||||||
}, "enabling TFA for the user failed");
|
}, "enabling TFA for the user failed");
|
||||||
}
|
}
|
||||||
|
|
||||||
### OLD API
|
|
||||||
|
|
||||||
__PACKAGE__->register_method({
|
|
||||||
name => 'verify_tfa',
|
|
||||||
path => '',
|
|
||||||
method => 'POST',
|
|
||||||
permissions => { user => 'all' },
|
|
||||||
protected => 1, # else we can't access shadow files
|
|
||||||
allowtoken => 0, # we don't want tokens to access TFA information
|
|
||||||
description => 'Finish a u2f challenge.',
|
|
||||||
parameters => {
|
|
||||||
additionalProperties => 0,
|
|
||||||
properties => {
|
|
||||||
response => {
|
|
||||||
type => 'string',
|
|
||||||
description => 'The response to the current authentication challenge.',
|
|
||||||
},
|
|
||||||
}
|
|
||||||
},
|
|
||||||
returns => {
|
|
||||||
type => 'object',
|
|
||||||
properties => {
|
|
||||||
ticket => { type => 'string' },
|
|
||||||
# cap
|
|
||||||
}
|
|
||||||
},
|
|
||||||
code => sub {
|
|
||||||
my ($param) = @_;
|
|
||||||
|
|
||||||
my $rpcenv = PVE::RPCEnvironment::get();
|
|
||||||
my $authuser = $rpcenv->get_user();
|
|
||||||
my ($username, undef, $realm) = PVE::AccessControl::verify_username($authuser);
|
|
||||||
|
|
||||||
my ($tfa_type, $tfa_data) = PVE::AccessControl::user_get_tfa($username, $realm, 0);
|
|
||||||
if (!defined($tfa_type)) {
|
|
||||||
raise('no u2f data available');
|
|
||||||
}
|
|
||||||
if ($tfa_type eq 'incompatible') {
|
|
||||||
raise('tfa entries incompatible with old login api');
|
|
||||||
}
|
|
||||||
|
|
||||||
eval {
|
|
||||||
if ($tfa_type eq 'u2f') {
|
|
||||||
my $challenge = $rpcenv->get_u2f_challenge()
|
|
||||||
or raise('no active challenge');
|
|
||||||
|
|
||||||
my $keyHandle = $tfa_data->{keyHandle};
|
|
||||||
my $publicKey = $tfa_data->{publicKey};
|
|
||||||
raise("incomplete u2f setup")
|
|
||||||
if !defined($keyHandle) || !defined($publicKey);
|
|
||||||
|
|
||||||
my $u2f = PVE::API2::AccessControl::get_u2f_instance($rpcenv, $publicKey, $keyHandle);
|
|
||||||
$u2f->set_challenge($challenge);
|
|
||||||
|
|
||||||
my ($counter, $present) = $u2f->auth_verify($param->{response});
|
|
||||||
# Do we want to do anything with these?
|
|
||||||
} else {
|
|
||||||
# sanity check before handing off to the verification code:
|
|
||||||
my $keys = $tfa_data->{keys} or die "missing tfa keys\n";
|
|
||||||
my $config = $tfa_data->{config} or die "bad tfa entry\n";
|
|
||||||
PVE::AccessControl::verify_one_time_pw($tfa_type, $authuser, $keys, $config, $param->{response});
|
|
||||||
}
|
|
||||||
};
|
|
||||||
if (my $err = $@) {
|
|
||||||
my $clientip = $rpcenv->get_client_ip() || '';
|
|
||||||
syslog('err', "authentication verification failure; rhost=$clientip user=$authuser msg=$err");
|
|
||||||
die PVE::Exception->new("authentication failure\n", code => 401);
|
|
||||||
}
|
|
||||||
|
|
||||||
return {
|
|
||||||
ticket => PVE::AccessControl::assemble_ticket($authuser),
|
|
||||||
cap => $rpcenv->compute_api_permission($authuser),
|
|
||||||
}
|
|
||||||
}});
|
|
||||||
|
|
||||||
### END OLD API
|
|
||||||
|
|
||||||
__PACKAGE__->register_method ({
|
__PACKAGE__->register_method ({
|
||||||
name => 'list_user_tfa',
|
name => 'list_user_tfa',
|
||||||
path => '{userid}',
|
path => '{userid}',
|
||||||
|