Commit Graph

562 Commits

Author SHA1 Message Date
Thomas Lamprecht
1c9b650186 bump version to 7.0-7
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-11-11 18:20:02 +01:00
Thomas Lamprecht
4a26e5f1c1 d/control: break pve-manager (<< 7.0-15)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-11-11 18:19:52 +01:00
Fabian Grünbichler
06b4a3b381 ticket: normalize path for verification
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2021-11-11 16:19:08 +01:00
Fabian Grünbichler
3760a33cc8 tickets: add tunnel ticket
just like VNC ticket, but different prefix to prevent confusion.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2021-11-11 16:19:08 +01:00
Thomas Lamprecht
6c6a9ce00f tfa: upgrade check: early return if no cluster members
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-11-11 12:30:02 +01:00
Thomas Lamprecht
b649f3b40e tfa: upgrade check: more info in error message(s)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-11-11 12:27:58 +01:00
Thomas Lamprecht
9f34502077 tfa: upgrade check: be less strict about version format
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-11-11 12:05:57 +01:00
Wolfgang Bumiller
72f4c73feb implement version checks for tfa
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-11 11:56:34 +01:00
Wolfgang Bumiller
0fe62fa87f merge old user.cfg keys to tfa config when adding entries
this happens when the first new tfa entry is added and the
'keys' entry is replaced by "x"

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-11-10 14:09:49 +01:00
Wolfgang Bumiller
fb1a49f313 d/control: add liburi-perl dependency
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 13:52:40 +01:00
Wolfgang Bumiller
a0374ad0ee check enforced realm tfa type in new auth
this way we could also add webauthn as a required tfa type
to the realm configs later on

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 13:52:40 +01:00
Wolfgang Bumiller
2ee46655a5 assert tfa/user config lock order
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 13:52:40 +01:00
Wolfgang Bumiller
c55555ab74 set/remove 'x' for tfa keys in user.cfg in new api
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 11:13:21 +01:00
Wolfgang Bumiller
9d06f6038e pveum: update tfa delete command
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 11:13:21 +01:00
Wolfgang Bumiller
d168ab34d6 update tfa cleanup when deleting users
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 11:13:21 +01:00
Wolfgang Bumiller
8c1e3ab3e9 support registering yubico otp keys
In PBS we don't support this, so the current TFA API in rust
does not support this either (although the config does know
about its *existence*).

For now, yubico authentication will be done in perl. Adding
it to rust the rust TFA crate would not make much sense
anyway as we'd likely not want to use the same http client
crate in pve and pbs anyway (since pve is all blocking code
and pbs is async...)

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 11:13:21 +01:00
Wolfgang Bumiller
07692c72ff add pbs-style TFA API implementation
implements the same api paths as in pbs by forwarding the
api methods to the rust implementation after performing the
product-specific checks

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 11:13:21 +01:00
Wolfgang Bumiller
dc547a1339 move TFA api path into its own module
and remove old modification api

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 11:13:21 +01:00
Wolfgang Bumiller
6adcb18c01 handle yubico authentication in new path
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 11:13:21 +01:00
Wolfgang Bumiller
afb10353d1 use PBS-like auth api call flow
The main difference here is that we have no separate api
path for verification. Instead, the ticket api call gets an
optional 'tfa-challenge' parameter.

This is opt-in: old pve-manager UI with new
pve-access-control will still work as expected, but users
won't be able to *update* their TFA settings.

Since the new tfa config parser will build a compatible
in-perl tfa config object as well, the old authentication
code is left unchanged for compatibility and will be removed
with pve-8, where the `new-format` parameter in the ticket
call will change its default to `1`.

The `change_tfa` call will simply die in this commit. It is
removed later when adding the pbs-style TFA API calls.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 11:13:21 +01:00
Wolfgang Bumiller
f7f2e28e6d update read_user_tfa_type call
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 11:13:21 +01:00
Wolfgang Bumiller
57098eb8fb use rust parser for TFA config
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 11:13:21 +01:00
Thomas Lamprecht
afda4f1a83 openid: proxy: only set env var if DC-config property exists
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-11-03 11:30:05 +01:00
Fabian Grünbichler
bb0cfca4b0 fix #3513: pass configured proxy to OpenID
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2021-11-03 11:27:40 +01:00
Thomas Lamprecht
cd46b379b3 bump version to 7.0-6
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-10-21 12:28:58 +02:00
Dominik Csapak
4aa4f0b3d7 fix user deletion when realm does not enforce TFA
here the existance of the user is only interesting if we want to set
data, not if we delete it.

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2021-10-21 12:27:42 +02:00
Thomas Lamprecht
52da88a86c bump version to 7.0-5
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-10-04 12:47:15 +02:00
Thomas Lamprecht
e780b46aab api: delete user: better communicate partial deletion
this is really an edge case and should not happen often in practice,
the time window is small and deletions are not _that_ common, but
still.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-09-27 15:48:21 +02:00
Thomas Lamprecht
ba6cc98fcb api: delete user: disable first to avoid surprise on error
Write out a config with the user disabled so that it cannot be used
even if deletion fails, why ever that is

Suggested-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-09-27 15:47:22 +02:00
Thomas Lamprecht
8ecf1a490d fix #2302: allow deletion of users when realm enforces TFA
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-09-27 15:32:05 +02:00
Thomas Lamprecht
3e5b237feb api: user: indentation & whitspace cleanups
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-09-23 14:16:50 +02:00
Alexandre Derumier
4100ba8d65 check_path: add /sdn/vnets/* path
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2021-08-23 18:19:15 +02:00
Thomas Lamprecht
543d646c44 bump version to 7.0-4
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-07-02 13:45:51 +02:00
Thomas Lamprecht
d658d04acb api: users: use public regex directly to parse out realm
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-07-02 13:42:16 +02:00
Thomas Lamprecht
525a931b98 api: users: code-style cleanup and sort when iterating users
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-07-02 13:41:29 +02:00
Thomas Lamprecht
3f6023f55c api: users: s/realmtype/realm-type/ in response
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-07-02 13:38:46 +02:00
Dominik Csapak
8bb59c2612 api: user: add realmtype to user list
this makes it much easier to determine if a user can e.g.
change a password or tfa, based on realm

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2021-07-02 13:14:51 +02:00
Dietmar Maurer
fbf4594aaf implement OpenID autocreate user feature
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-07-01 13:35:58 +02:00
Dietmar Maurer
ac344d7df3 api: implement openid API
This moves compute_api_permission() into RPCEnvironment.pm.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-07-01 13:31:45 +02:00
Dietmar Maurer
f0c9ef167b depend on libpve-rs-perl 2021-07-01 13:13:59 +02:00
Dietmar Maurer
52d1c1b966 add OpenId configuration 2021-07-01 13:13:59 +02:00
Dietmar Maurer
8a724f7b3a check_user_enabled: also check if user is expired 2021-07-01 13:13:59 +02:00
Thomas Lamprecht
7a4c4fd870 bump version to 7.0-3
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-06-21 10:31:23 +02:00
Thomas Lamprecht
a981f7c1c6 buildsys: clean more
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-06-17 14:43:44 +02:00
Thomas Lamprecht
d7e8d24ef5 access control: style: register configs in single line each
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-06-17 14:41:02 +02:00
Alexandre Derumier
0a06acb128 check_path : add sdn zone path
This was missing in commit20c60513b2a6b2d7c7aae0dcc0391889b9cb7ecf,
so user can't assign permisson on a zone currently

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-06-17 13:15:36 +02:00
Dominik Csapak
8737ff3718 add missing paths in check_path
* /access/realm/<realm>
* /access/groups/<group>

were overlooked when fixing #1500

see: https://forum.proxmox.com/threads/are-group-acls-broken-in-v6-4.91000/

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2021-06-16 16:19:33 +02:00
Thomas Lamprecht
5e868938f1 rpc env: sort use statements
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-06-15 14:38:41 +02:00
Thomas Lamprecht
f368e8c75c buildsys: change upload dist to bullseye
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-06-08 09:47:21 +02:00
Fabian Grünbichler
0902a936f3 bump version to 7.0-2
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2021-06-01 11:29:49 +02:00