Thomas Lamprecht
1c9b650186
bump version to 7.0-7
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-11-11 18:20:02 +01:00
Thomas Lamprecht
4a26e5f1c1
d/control: break pve-manager (<< 7.0-15)
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-11-11 18:19:52 +01:00
Fabian Grünbichler
06b4a3b381
ticket: normalize path for verification
...
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2021-11-11 16:19:08 +01:00
Fabian Grünbichler
3760a33cc8
tickets: add tunnel ticket
...
just like VNC ticket, but different prefix to prevent confusion.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2021-11-11 16:19:08 +01:00
Thomas Lamprecht
6c6a9ce00f
tfa: upgrade check: early return if no cluster members
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-11-11 12:30:02 +01:00
Thomas Lamprecht
b649f3b40e
tfa: upgrade check: more info in error message(s)
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-11-11 12:27:58 +01:00
Thomas Lamprecht
9f34502077
tfa: upgrade check: be less strict about version format
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-11-11 12:05:57 +01:00
Wolfgang Bumiller
72f4c73feb
implement version checks for tfa
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-11 11:56:34 +01:00
Wolfgang Bumiller
0fe62fa87f
merge old user.cfg keys to tfa config when adding entries
...
this happens when the first new tfa entry is added and the
'keys' entry is replaced by "x"
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-11-10 14:09:49 +01:00
Wolfgang Bumiller
fb1a49f313
d/control: add liburi-perl dependency
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 13:52:40 +01:00
Wolfgang Bumiller
a0374ad0ee
check enforced realm tfa type in new auth
...
this way we could also add webauthn as a required tfa type
to the realm configs later on
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 13:52:40 +01:00
Wolfgang Bumiller
2ee46655a5
assert tfa/user config lock order
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 13:52:40 +01:00
Wolfgang Bumiller
c55555ab74
set/remove 'x' for tfa keys in user.cfg in new api
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 11:13:21 +01:00
Wolfgang Bumiller
9d06f6038e
pveum: update tfa delete command
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 11:13:21 +01:00
Wolfgang Bumiller
d168ab34d6
update tfa cleanup when deleting users
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 11:13:21 +01:00
Wolfgang Bumiller
8c1e3ab3e9
support registering yubico otp keys
...
In PBS we don't support this, so the current TFA API in rust
does not support this either (although the config does know
about its *existence*).
For now, yubico authentication will be done in perl. Adding
it to rust the rust TFA crate would not make much sense
anyway as we'd likely not want to use the same http client
crate in pve and pbs anyway (since pve is all blocking code
and pbs is async...)
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 11:13:21 +01:00
Wolfgang Bumiller
07692c72ff
add pbs-style TFA API implementation
...
implements the same api paths as in pbs by forwarding the
api methods to the rust implementation after performing the
product-specific checks
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 11:13:21 +01:00
Wolfgang Bumiller
dc547a1339
move TFA api path into its own module
...
and remove old modification api
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 11:13:21 +01:00
Wolfgang Bumiller
6adcb18c01
handle yubico authentication in new path
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 11:13:21 +01:00
Wolfgang Bumiller
afb10353d1
use PBS-like auth api call flow
...
The main difference here is that we have no separate api
path for verification. Instead, the ticket api call gets an
optional 'tfa-challenge' parameter.
This is opt-in: old pve-manager UI with new
pve-access-control will still work as expected, but users
won't be able to *update* their TFA settings.
Since the new tfa config parser will build a compatible
in-perl tfa config object as well, the old authentication
code is left unchanged for compatibility and will be removed
with pve-8, where the `new-format` parameter in the ticket
call will change its default to `1`.
The `change_tfa` call will simply die in this commit. It is
removed later when adding the pbs-style TFA API calls.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 11:13:21 +01:00
Wolfgang Bumiller
f7f2e28e6d
update read_user_tfa_type call
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 11:13:21 +01:00
Wolfgang Bumiller
57098eb8fb
use rust parser for TFA config
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 11:13:21 +01:00
Thomas Lamprecht
afda4f1a83
openid: proxy: only set env var if DC-config property exists
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-11-03 11:30:05 +01:00
Fabian Grünbichler
bb0cfca4b0
fix #3513 : pass configured proxy to OpenID
...
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2021-11-03 11:27:40 +01:00
Thomas Lamprecht
cd46b379b3
bump version to 7.0-6
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-10-21 12:28:58 +02:00
Dominik Csapak
4aa4f0b3d7
fix user deletion when realm does not enforce TFA
...
here the existance of the user is only interesting if we want to set
data, not if we delete it.
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2021-10-21 12:27:42 +02:00
Thomas Lamprecht
52da88a86c
bump version to 7.0-5
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-10-04 12:47:15 +02:00
Thomas Lamprecht
e780b46aab
api: delete user: better communicate partial deletion
...
this is really an edge case and should not happen often in practice,
the time window is small and deletions are not _that_ common, but
still.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-09-27 15:48:21 +02:00
Thomas Lamprecht
ba6cc98fcb
api: delete user: disable first to avoid surprise on error
...
Write out a config with the user disabled so that it cannot be used
even if deletion fails, why ever that is
Suggested-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-09-27 15:47:22 +02:00
Thomas Lamprecht
8ecf1a490d
fix #2302 : allow deletion of users when realm enforces TFA
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-09-27 15:32:05 +02:00
Thomas Lamprecht
3e5b237feb
api: user: indentation & whitspace cleanups
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-09-23 14:16:50 +02:00
Alexandre Derumier
4100ba8d65
check_path: add /sdn/vnets/* path
...
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2021-08-23 18:19:15 +02:00
Thomas Lamprecht
543d646c44
bump version to 7.0-4
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-07-02 13:45:51 +02:00
Thomas Lamprecht
d658d04acb
api: users: use public regex directly to parse out realm
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-07-02 13:42:16 +02:00
Thomas Lamprecht
525a931b98
api: users: code-style cleanup and sort when iterating users
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-07-02 13:41:29 +02:00
Thomas Lamprecht
3f6023f55c
api: users: s/realmtype/realm-type/ in response
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-07-02 13:38:46 +02:00
Dominik Csapak
8bb59c2612
api: user: add realmtype to user list
...
this makes it much easier to determine if a user can e.g.
change a password or tfa, based on realm
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2021-07-02 13:14:51 +02:00
Dietmar Maurer
fbf4594aaf
implement OpenID autocreate user feature
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-07-01 13:35:58 +02:00
Dietmar Maurer
ac344d7df3
api: implement openid API
...
This moves compute_api_permission() into RPCEnvironment.pm.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-07-01 13:31:45 +02:00
Dietmar Maurer
f0c9ef167b
depend on libpve-rs-perl
2021-07-01 13:13:59 +02:00
Dietmar Maurer
52d1c1b966
add OpenId configuration
2021-07-01 13:13:59 +02:00
Dietmar Maurer
8a724f7b3a
check_user_enabled: also check if user is expired
2021-07-01 13:13:59 +02:00
Thomas Lamprecht
7a4c4fd870
bump version to 7.0-3
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-06-21 10:31:23 +02:00
Thomas Lamprecht
a981f7c1c6
buildsys: clean more
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-06-17 14:43:44 +02:00
Thomas Lamprecht
d7e8d24ef5
access control: style: register configs in single line each
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-06-17 14:41:02 +02:00
Alexandre Derumier
0a06acb128
check_path : add sdn zone path
...
This was missing in commit20c60513b2a6b2d7c7aae0dcc0391889b9cb7ecf,
so user can't assign permisson on a zone currently
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-06-17 13:15:36 +02:00
Dominik Csapak
8737ff3718
add missing paths in check_path
...
* /access/realm/<realm>
* /access/groups/<group>
were overlooked when fixing #1500
see: https://forum.proxmox.com/threads/are-group-acls-broken-in-v6-4.91000/
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2021-06-16 16:19:33 +02:00
Thomas Lamprecht
5e868938f1
rpc env: sort use statements
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-06-15 14:38:41 +02:00
Thomas Lamprecht
f368e8c75c
buildsys: change upload dist to bullseye
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-06-08 09:47:21 +02:00
Fabian Grünbichler
0902a936f3
bump version to 7.0-2
...
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2021-06-01 11:29:49 +02:00