Commit Graph

188 Commits

Author SHA1 Message Date
Dietmar Maurer
a1f8aaae84 use new PVE::Ticket class 2017-01-19 13:40:25 +01:00
Dietmar Maurer
e83e0ed584 RPCEnvironment: removed check_volume_access() to avoid cyclic dependency
moved to PVE::Storage
2017-01-18 17:35:50 +01:00
Dietmar Maurer
c104e4abe6 PVE::PCEnvironment: use new PVE::RESTEnvironment as base class 2017-01-18 13:25:51 +01:00
Dietmar Maurer
86c4f1e6d1 setup_default_cli_env: expect $class as first parameter 2017-01-12 13:53:18 +01:00
Dietmar Maurer
5ae5900d26 PVE/RPCEnvironment.pm: new function setup_default_cli_env
Convenience function for command line tools.
2017-01-12 10:01:17 +01:00
Dietmar Maurer
52b2eff3c5 PVE/API2/Domains.pm: fix property description 2017-01-11 12:11:01 +01:00
Wolfgang Bumiller
b5040b42f1 Close #833: ldap: non-anonymous bind support
The password will be read from /etc/pve/priv/ldap/$realm.pw
2016-08-05 10:59:14 +02:00
Wolfgang Bumiller
03e2a71e3d don't import 'RFC' from MIME::Base32
call encode_rfc3548 explicitly instead as newer versions of
the base32 package will drop this import scheme (stretch)
2016-07-26 15:02:49 +02:00
Dominik Csapak
5426494b10 fix #1062: use correct length for base32 keys
we wrongly assumed the keys to be 32 chars long,
instead of 16

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2016-07-20 15:21:48 +02:00
Wolfgang Bumiller
9d52f6f2ae drop oathtool dependency
Generate hotp/totp in perl directly, also support keys in
hex notation (this is how eg. the
yubikey-personalization-gui displays them, but without the
whitespaces).
2016-07-01 10:21:53 +02:00
Wolfgang Bumiller
b10d0e266b drop libdigest-hmac-perl dependency
Its functionality is provided by perl core's Digest::SHA
module now.
2016-07-01 10:21:53 +02:00
Dietmar Maurer
175d238cc9 remove unused inline docs 2016-04-08 07:08:23 +02:00
Fabian Grünbichler
8978ab373c Fix uninitialized warning
when shadow.cfg does not exist, parsing should return an
empty hash instead of displaying a warning
2016-04-01 07:10:23 +02:00
Fabian Grünbichler
7b6dfe82df Add is_worker to RPCEnvironment
after forking the actual worker process, the child/worker
sets a flag that can be checked later on by methods called
in the worker.

used in the ZFS storage plugins in pve-storage to decide on
a short or long default timeout for ZFS operations.
2016-03-15 16:47:11 +01:00
Fabian Grünbichler
1075c589ee fix typos and grammar 2016-03-14 11:38:50 +01:00
Fabian Grünbichler
ba6c2e6699 fix #916: allow HTTPS to access custom yubico url
remove the limit to HTTP only, since it would only apply for
custom yubico validation server urls anyway.
2016-03-14 11:38:39 +01:00
Fabian Grünbichler
449037034e Catch error instead of segfaulting
when trying to parse a certificate subject, Net::SSLeay
will segfault in libcrypto when given 0 as input. Catch
this and die with a meaningful error message instead.
2016-03-09 14:40:19 +01:00
Wolfgang Bumiller
66c6293830 Fix #861: use safer sprintf formatting 2016-01-08 12:52:15 +01:00
Wolfgang Bumiller
8b600c4d27 Auth::LDAP, Auth::AD: ipv6 support
Also had to change server1/server2 schema from a pattern to
the 'address' format.
2015-12-03 12:08:56 +01:00
Dietmar Maurer
085f3e07e1 improve manual page 2015-10-02 10:59:40 +02:00
Dietmar Maurer
98007830ee make read_password a CLIHandler class method
And use new run_cli_handler() method.
2015-10-02 10:45:58 +02:00
Dietmar Maurer
3e5bfdf60f pveum: implement bash completion hooks 2015-10-01 17:22:09 +02:00
Dietmar Maurer
09281ad744 convert pveum into a PVE::CLI class 2015-10-01 16:49:37 +02:00
Alen Grizonic
6084476178 remove_storage_access: cleanup of access permissions for removed storage
Signed-off-by: Alen Grizonic <a.grizonic@proxmox.com>
2015-08-19 15:25:15 +02:00
Dietmar Maurer
57a704731b cleanup: avoid writing user.cfg twice 2015-08-14 07:55:36 +02:00
Dietmar Maurer
66931b1141 white space cleanup 2015-08-14 07:49:18 +02:00
Alen Grizonic
3b4a3f94e1 access permissions cleanup fix
for removed vms and pools

Signed-off-by: Alen Grizonic <a.grizonic@proxmox.com>
2015-08-14 07:47:32 +02:00
Wolfgang Bumiller
d6eb662119 fix access of possibly undefined variable 2015-08-07 11:58:47 +02:00
Wolfgang Bumiller
62af314a96 improve parse_user_config, parse_shadow_config
same as in pve-common: replace substituting line parsing
with /gm modified match regexps.
2015-07-22 08:10:49 +02:00
Wolfgang Bumiller
2516752605 remote_viewer_config: brackets around ipv6 http address 2015-05-27 11:14:29 +02:00
Wolfgang Link
7279f31c3b Fix: disable root
root can now be disabled in GUI.

Signed-off-by: Wolfgang Link <w.link@proxmox.com>
2015-01-30 06:19:26 +01:00
Dietmar Maurer
419880e683 remove debugging code 2014-07-23 07:02:37 +02:00
Dietmar Maurer
86cd805b63 add step/digits option to oath configuration 2014-07-23 06:59:01 +02:00
Dietmar Maurer
30be0de97a allow to write builtin auth domains
So that we can set tfa, comment, default with the GUI.
2014-07-18 11:30:19 +02:00
Dietmar Maurer
1abc2c0aee add oath two factor auth, bump version to 3.0-14 2014-07-17 14:04:13 +02:00
Dietmar Maurer
077f078cd6 enable yubico OTP (by removing debugging code) 2014-07-15 14:18:17 +02:00
Dietmar Maurer
96f8ebd625 add basic support for two factor auth 2014-06-23 11:42:44 +02:00
Dietmar Maurer
ab652a8018 add experimental code for yubico OTP verification 2014-06-20 12:58:17 +02:00
Dietmar Maurer
11a9043610 use correct connection string for AD auth (use encryption and port info). 2014-05-22 07:12:25 +02:00
Dietmar Maurer
39e4e36348 add dummy API for login page 2014-04-30 14:45:57 +02:00
Dietmar Maurer
63691fc66a cleanup previous patch 2014-01-22 07:25:09 +01:00
Lindsay Mathieson
dc7573bf85 Sets common hot keys for spice client
* "Ctl-Alt-Insert" for secure-attention (Ctrl-Alt-del)
 * "Shift-F11" for Full Screen toggle
 * "Ctrl-Alt-R" for cursor release

Signed-off-by: Lindsay Mathieson <lindsay.mathieson@gmail.com>
2014-01-22 07:22:57 +01:00
Dietmar Maurer
cee5583b3d implement helper to generate SPICE remote-viewer configuration
Moved read_x509_subject_spice() from PVE::QemuServer.
Depend on libnet-ssleay-perl.
2013-12-10 10:43:46 +01:00
Dietmar Maurer
e4f8fc2e7e allow dots in access paths
Because storage IDs may contain dots.
2013-11-26 07:52:05 +01:00
Dietmar Maurer
fe2defd9d5 return correct 401 status code for unauthorized calls
New HTTP::Server will delay the call by 3 seconds.
2013-11-18 11:25:32 +01:00
Dietmar Maurer
6126ab75a0 prevent user enumeration attacks 2013-11-18 09:05:04 +01:00
Dietmar Maurer
cb442f35e7 spice: use lowercase hostname in ticket signature 2013-10-28 08:10:48 +01:00
Dietmar Maurer
7c410d6301 use warnings instead of global -w flag 2013-10-01 13:04:53 +02:00
Dietmar Maurer
5f494227b8 remove path related code from check_volume_access() 2013-10-01 12:09:51 +02:00
Alexandre Derumier
854f1dceb6 check_volume_access : use parse_volname instead path
to avoid extra calls for some storageplugins (zfs,nexenta).

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2013-10-01 11:40:57 +02:00
Dietmar Maurer
3f62bdbea6 produce shorter spiceproxy tickets
By using a simple Digest with private secret /etc/pve/pve-www.key. This is
less secure than pub key auth, but good enough for the proxy.
2013-07-19 12:35:23 +02:00
Dietmar Maurer
bf3e6d3105 new ticket code for spice 2013-06-26 13:07:00 +02:00
Dietmar Maurer
83d1f13ec0 assemble_spice_ticket: do not use base32 encoding 2013-06-25 12:03:48 +02:00
Alexandre Derumier
23b35225d3 assemble_spice_ticket
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2013-06-25 11:48:05 +02:00
Dietmar Maurer
018ae3a90e moved add_vm_to_pool/remove_vm_from_pool from qemu-server
Because we can also use this for openvz containers
2013-05-14 11:55:26 +02:00
Dietmar Maurer
7b395f990d rename VM.Copy to VM.Clone 2013-05-02 11:44:52 +02:00
Dietmar Maurer
ff4b223563 add VM.Copy privilege
And a new role called PVETemplateUser
2013-04-29 11:40:32 +02:00
Dietmar Maurer
b78ce7c252 remove CGI.pm related code
New pveproxy does not need that.
2013-04-15 12:34:41 +02:00
Dietmar Maurer
e5ae548727 fix access permissions for backup files
bump version to 1.0-26
2013-02-28 10:01:04 +01:00
Dietmar Maurer
e3e6510c3a add VM.Snapshot permission 2012-09-10 09:24:37 +02:00
Dietmar Maurer
1e15ebe7b5 untaint path 2012-06-06 13:06:51 +02:00
Dietmar Maurer
437be042c2 correctly compute GUI capabilities (consider pools) 2012-05-30 08:47:43 +02:00
Dietmar Maurer
5bb4e06a64 new plugin architecture for Auth modules 2012-05-22 10:43:30 +02:00
Dietmar Maurer
3030a17643 do not allow user names including slash 2012-04-24 10:10:35 +02:00
Dietmar Maurer
3036e8b1be add ability to fork cli workers in background 2012-04-24 10:10:12 +02:00
Dietmar Maurer
dd2cfee072 return set of privileges on login - can be used to adopt GUI 2012-04-17 10:26:48 +02:00
Dietmar Maurer
533219a122 fix bug #151: correctly parse username inside ticket 2012-04-11 10:21:15 +02:00
Dietmar Maurer
1cf154b72f allow users to change their own password 2012-04-11 09:40:42 +02:00
Dietmar Maurer
2de144076b better error message for useradd 2012-03-01 12:40:52 +01:00
Dietmar Maurer
e2993b66c3 set propagate flag by default 2012-03-01 12:38:46 +01:00
Dietmar Maurer
cc7bdf3377 Add VM.Config.CDROM privilege to PVEVMUser rule 2012-02-22 11:45:55 +01:00
Dietmar Maurer
a69bbe2e7e fix bug in userid-param permission check 2012-02-22 10:53:08 +01:00
Dietmar Maurer
d9483d9406 allow more characters in ldap base_dn attribute 2012-02-22 06:17:27 +01:00
Dietmar Maurer
8461960715 allow more characters with realm IDs 2012-02-20 08:54:40 +01:00
Dietmar Maurer
09d270580b use full name for verify_user 2012-02-15 07:06:58 +01:00
Dietmar Maurer
9b2172261e fix acl group name parser 2012-02-14 11:57:41 +01:00
Dietmar Maurer
3eac4e3570 fix bug in check_volume_access (fixes vzrestore) 2012-02-13 09:58:37 +01:00
Dietmar Maurer
4384e19e9b fix return value for empty ACL list 2012-02-10 11:25:23 +01:00
Dietmar Maurer
59321f2682 do not allow to change system user passwords 2012-02-09 11:26:37 +01:00
Dietmar Maurer
17ecec711f fix syntax 2012-02-09 11:15:59 +01:00
Dietmar Maurer
fef1bc1717 moved check_volume_access from qemu-server 2012-02-06 12:35:39 +01:00
Dietmar Maurer
4fb3cc5841 remove buggy check_storage_perm
Storage permissions are automatically inherited from pool, so this method is more or less useless.
2012-02-06 12:04:21 +01:00
Dietmar Maurer
68d5a86d1a new privilege VM.Backup 2012-02-06 10:44:42 +01:00
Dietmar Maurer
373cb38394 new privilege Datastore.AllocateTemplate 2012-02-06 10:05:18 +01:00
Dietmar Maurer
c0fead8c98 add more privileges, improve docs 2012-02-01 13:26:21 +01:00
Dietmar Maurer
a23cec1f94 new helper functions 2012-02-01 11:14:29 +01:00
Dietmar Maurer
c4a776a657 new test option 'require_param' - code cleanup 2012-02-01 08:12:21 +01:00
Dietmar Maurer
7a7a517a52 add special test for pool 2012-01-31 08:23:33 +01:00
Dietmar Maurer
dee1c8829a add Pool.Allocate privilege 2012-01-31 07:37:38 +01:00
Dietmar Maurer
f3957883eb moved Pool.pm to pve-manager package 2012-01-27 08:44:22 +01:00
Dietmar Maurer
82b63965eb cleanup permission checks
Added new Real.AllocateUser privilege
2012-01-27 08:34:12 +01:00
Dietmar Maurer
8de1fb5ae3 code cleanup 2012-01-26 14:02:25 +01:00
Dietmar Maurer
9a53427a8e fix return format 2012-01-26 13:47:07 +01:00
Dietmar Maurer
cab28ea50b code cleanup 2012-01-26 13:35:33 +01:00
Dietmar Maurer
399932c682 return array instead of hash 2012-01-26 13:02:07 +01:00
Dietmar Maurer
39c85db819 add pool API 2012-01-26 12:42:01 +01:00
Dietmar Maurer
7b6f1fd306 remove debug message 2012-01-26 09:54:56 +01:00
Dietmar Maurer
2e376c5849 only add Permissions.Modify to SysAdmin role 2012-01-26 09:39:02 +01:00
Dietmar Maurer
fc21a5c220 add description 2012-01-26 08:31:27 +01:00
Dietmar Maurer
19f60b5e3c use User.Allocate instead of User.Add/User.Delete 2012-01-26 08:26:31 +01:00