pve-access-control

mirror of https://git.proxmox.com/git/pve-access-control synced 2025-08-17 06:19:21 +00:00

Author	SHA1	Message	Date
Wolfgang Bumiller	d12f247edc	fill origin into webauthn config if not provided in order to allow subdomains to work, the wa config should only specify 'id' and 'rp', the 'origin' gets filled in by the node Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>	2021-11-22 13:55:21 +01:00
Thomas Lamprecht	44a55ff792	bump version to 7.1-3 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>	2021-11-19 14:35:44 +01:00
Thomas Lamprecht	8a47ffa50b	d/control: bump versioned dependency to libpve-rs-perl Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>	2021-11-19 14:35:44 +01:00
Thomas Lamprecht	bc9d11591e	openid: support configuring ACR values Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>	2021-11-19 06:59:34 +01:00
Thomas Lamprecht	48e51c3383	openid: support configuring scopes Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>	2021-11-18 17:00:42 +01:00
Thomas Lamprecht	348c703875	openid: support configuring the prompt Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>	2021-11-18 16:30:41 +01:00
Thomas Lamprecht	83f0ad5d8d	openid: fix whitespace/indentation Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>	2021-11-18 14:52:52 +01:00
Thomas Lamprecht	271bbc10e9	openid: allow arbitrary username-claims Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>	2021-11-18 14:31:08 +01:00
Thomas Lamprecht	6f643e7953	bump version to 7.1-2 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>	2021-11-17 13:48:24 +01:00
Thomas Lamprecht	dbbd91c27f	d/control: bump versioned dependency to libpve-rs-perl to ensure we get the incompatible type set for such TFA entries Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>	2021-11-17 13:48:24 +01:00
Wolfgang Bumiller	93c1d74a62	catch incompatible tfa entries with a nice error Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>	2021-11-17 12:52:56 +01:00
Thomas Lamprecht	92bca71e86	bump version to 7.1-1 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>	2021-11-15 15:33:29 +01:00
Wolfgang Bumiller	b3dae5dd48	tfa: fix http 404 in get_tfa_entry this produced warnings in the journal and returned code 500 instead Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>	2021-11-12 11:01:48 +01:00
Thomas Lamprecht	1c9b650186	bump version to 7.0-7 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>	2021-11-11 18:20:02 +01:00
Thomas Lamprecht	4a26e5f1c1	d/control: break pve-manager (<< 7.0-15) Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>	2021-11-11 18:19:52 +01:00
Fabian Grünbichler	06b4a3b381	ticket: normalize path for verification Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>	2021-11-11 16:19:08 +01:00
Fabian Grünbichler	3760a33cc8	tickets: add tunnel ticket just like VNC ticket, but different prefix to prevent confusion. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>	2021-11-11 16:19:08 +01:00
Thomas Lamprecht	6c6a9ce00f	tfa: upgrade check: early return if no cluster members Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>	2021-11-11 12:30:02 +01:00
Thomas Lamprecht	b649f3b40e	tfa: upgrade check: more info in error message(s) Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>	2021-11-11 12:27:58 +01:00
Thomas Lamprecht	9f34502077	tfa: upgrade check: be less strict about version format Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>	2021-11-11 12:05:57 +01:00
Wolfgang Bumiller	72f4c73feb	implement version checks for tfa Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>	2021-11-11 11:56:34 +01:00
Wolfgang Bumiller	0fe62fa87f	merge old user.cfg keys to tfa config when adding entries this happens when the first new tfa entry is added and the 'keys' entry is replaced by "x" Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>	2021-11-10 14:09:49 +01:00
Wolfgang Bumiller	fb1a49f313	d/control: add liburi-perl dependency Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>	2021-11-10 13:52:40 +01:00
Wolfgang Bumiller	a0374ad0ee	check enforced realm tfa type in new auth this way we could also add webauthn as a required tfa type to the realm configs later on Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>	2021-11-10 13:52:40 +01:00
Wolfgang Bumiller	2ee46655a5	assert tfa/user config lock order Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>	2021-11-10 13:52:40 +01:00
Wolfgang Bumiller	c55555ab74	set/remove 'x' for tfa keys in user.cfg in new api Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>	2021-11-10 11:13:21 +01:00
Wolfgang Bumiller	9d06f6038e	pveum: update tfa delete command Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>	2021-11-10 11:13:21 +01:00
Wolfgang Bumiller	d168ab34d6	update tfa cleanup when deleting users Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>	2021-11-10 11:13:21 +01:00
Wolfgang Bumiller	8c1e3ab3e9	support registering yubico otp keys In PBS we don't support this, so the current TFA API in rust does not support this either (although the config does know about its existence). For now, yubico authentication will be done in perl. Adding it to rust the rust TFA crate would not make much sense anyway as we'd likely not want to use the same http client crate in pve and pbs anyway (since pve is all blocking code and pbs is async...) Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>	2021-11-10 11:13:21 +01:00
Wolfgang Bumiller	07692c72ff	add pbs-style TFA API implementation implements the same api paths as in pbs by forwarding the api methods to the rust implementation after performing the product-specific checks Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>	2021-11-10 11:13:21 +01:00
Wolfgang Bumiller	dc547a1339	move TFA api path into its own module and remove old modification api Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>	2021-11-10 11:13:21 +01:00
Wolfgang Bumiller	6adcb18c01	handle yubico authentication in new path Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>	2021-11-10 11:13:21 +01:00
Wolfgang Bumiller	afb10353d1	use PBS-like auth api call flow The main difference here is that we have no separate api path for verification. Instead, the ticket api call gets an optional 'tfa-challenge' parameter. This is opt-in: old pve-manager UI with new pve-access-control will still work as expected, but users won't be able to update their TFA settings. Since the new tfa config parser will build a compatible in-perl tfa config object as well, the old authentication code is left unchanged for compatibility and will be removed with pve-8, where the `new-format` parameter in the ticket call will change its default to `1`. The `change_tfa` call will simply die in this commit. It is removed later when adding the pbs-style TFA API calls. Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>	2021-11-10 11:13:21 +01:00
Wolfgang Bumiller	f7f2e28e6d	update read_user_tfa_type call Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>	2021-11-10 11:13:21 +01:00
Wolfgang Bumiller	57098eb8fb	use rust parser for TFA config Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>	2021-11-10 11:13:21 +01:00
Thomas Lamprecht	afda4f1a83	openid: proxy: only set env var if DC-config property exists Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>	2021-11-03 11:30:05 +01:00
Fabian Grünbichler	bb0cfca4b0	fix #3513 : pass configured proxy to OpenID Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>	2021-11-03 11:27:40 +01:00
Thomas Lamprecht	cd46b379b3	bump version to 7.0-6 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>	2021-10-21 12:28:58 +02:00
Dominik Csapak	4aa4f0b3d7	fix user deletion when realm does not enforce TFA here the existance of the user is only interesting if we want to set data, not if we delete it. Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>	2021-10-21 12:27:42 +02:00
Thomas Lamprecht	52da88a86c	bump version to 7.0-5 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>	2021-10-04 12:47:15 +02:00
Thomas Lamprecht	e780b46aab	api: delete user: better communicate partial deletion this is really an edge case and should not happen often in practice, the time window is small and deletions are not _that_ common, but still. Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>	2021-09-27 15:48:21 +02:00
Thomas Lamprecht	ba6cc98fcb	api: delete user: disable first to avoid surprise on error Write out a config with the user disabled so that it cannot be used even if deletion fails, why ever that is Suggested-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>	2021-09-27 15:47:22 +02:00
Thomas Lamprecht	8ecf1a490d	fix #2302 : allow deletion of users when realm enforces TFA Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>	2021-09-27 15:32:05 +02:00
Thomas Lamprecht	3e5b237feb	api: user: indentation & whitspace cleanups Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>	2021-09-23 14:16:50 +02:00
Alexandre Derumier	4100ba8d65	check_path: add /sdn/vnets/* path Signed-off-by: Alexandre Derumier <aderumier@odiso.com>	2021-08-23 18:19:15 +02:00
Thomas Lamprecht	543d646c44	bump version to 7.0-4 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>	2021-07-02 13:45:51 +02:00
Thomas Lamprecht	d658d04acb	api: users: use public regex directly to parse out realm Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>	2021-07-02 13:42:16 +02:00
Thomas Lamprecht	525a931b98	api: users: code-style cleanup and sort when iterating users Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>	2021-07-02 13:41:29 +02:00
Thomas Lamprecht	3f6023f55c	api: users: s/realmtype/realm-type/ in response Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>	2021-07-02 13:38:46 +02:00
Dominik Csapak	8bb59c2612	api: user: add realmtype to user list this makes it much easier to determine if a user can e.g. change a password or tfa, based on realm Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>	2021-07-02 13:14:51 +02:00

... 3 4 5 6 7 ...

675 Commits