Dominik Csapak
5efff6c196
fix vnc ticket verification without authkey lifetime
...
since $authkey_lifetime is currently set to 0, we have to check this,
else we always fail to verify the VNC ticket
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2019-03-18 10:40:51 +01:00
Thomas Lamprecht
03593f3d01
fixup call to cfs_lock_authkey
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-03-14 11:18:43 +01:00
Fabian Grünbichler
21800a71a7
fix #2079: add periodic auth key rotation
...
and modify checks to accept still valid tickets generated using the
previous auth key.
the slightly complicated caching mechanism is needed for reading the key and
its modification timestamp in one go while only reading and parsing it again if
it has changed.
the +- 300 seconds fuzzing is kept for slightly out-of-sync clusters, since the
time encoded in the tickets is the result of time() on whichever node the
ticket API call got forwarded to.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2019-03-14 10:34:41 +01:00
Dominik Csapak
0fea3f1677
fix #1998: correct return properties for read_role
...
we have each privilege as property of the return object,
so we generate it from $valid_privs
this has the advantage that all privileges are well documented
with that api call
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2018-11-23 14:21:03 +01:00
Stoiko Ivanov
ab7b19b58c
PVE::AccessControl: register userid with completion
...
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
2018-06-27 16:40:55 +02:00
Stoiko Ivanov
b7ba86d426
fix PVE::AccessControl::role_is_special
...
PVE::AccessControl::role_is_special now returns 0 instead of '' for false
(Schema validation did complain about '')
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
2018-06-27 16:40:55 +02:00
Philip Abernethy
16e50b59f9
properly register pve-poolid format
...
was erroneously registered as verify_groupname, overriding the previous
registration
2017-10-19 11:58:36 +02:00
Matthias Urban
aad513f6d1
VM.Snapshot.Rollback privilege added
...
VM.Snapshot.Rollback privilege added
Signed-off-by: Matthias Urban <matthias.urban@pure-systems.com>
2017-09-22 09:08:28 +02:00
Philip Abernethy
0a6e09fd47
Whitespace fixes
...
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2017-09-22 08:38:50 +02:00
Philip Abernethy
5654af83fa
Remove unused Dumper uses
...
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2017-09-22 08:38:48 +02:00
Philip Abernethy
894e6f0c4b
fix #1501: pveum: die when deleting special role
...
Die with a helpful error message instead of silently ignoring the user
when trying to delete a special role.
Also add a property to the API answer for possible later use by the
WebUI.
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2017-09-22 08:38:21 +02:00
Dietmar Maurer
972859d115
use new PVE::OTP class from pve-common
2017-03-30 17:44:54 +02:00
Dietmar Maurer
a1f8aaae84
use new PVE::Ticket class
2017-01-19 13:40:25 +01:00
Wolfgang Bumiller
03e2a71e3d
don't import 'RFC' from MIME::Base32
...
call encode_rfc3548 explicitly instead as newer versions of
the base32 package will drop this import scheme (stretch)
2016-07-26 15:02:49 +02:00
Dominik Csapak
5426494b10
fix #1062: use correct length for base32 keys
...
we wrongly assumed the keys to be 32 chars long,
instead of 16
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2016-07-20 15:21:48 +02:00
Wolfgang Bumiller
9d52f6f2ae
drop oathtool dependency
...
Generate hotp/totp in perl directly, also support keys in
hex notation (this is how e.g. the
yubikey-personalization-gui displays them, but without the
whitespaces).
2016-07-01 10:21:53 +02:00
Wolfgang Bumiller
b10d0e266b
drop libdigest-hmac-perl dependency
...
Its functionality is provided by perl core's Digest::SHA
module now.
2016-07-01 10:21:53 +02:00
Fabian Grünbichler
1075c589ee
fix typos and grammar
2016-03-14 11:38:50 +01:00
Fabian Grünbichler
ba6c2e6699
fix #916: allow HTTPS to access custom yubico url
...
remove the limit to HTTP only, since it would only apply for
custom yubico validation server urls anyway.
2016-03-14 11:38:39 +01:00
Fabian Grünbichler
449037034e
Catch error instead of segfaulting
...
when trying to parse a certificate subject, Net::SSLeay
will segfault in libcrypto when given 0 as input. Catch
this and die with a meaningful error message instead.
2016-03-09 14:40:19 +01:00
Dietmar Maurer
3e5bfdf60f
pveum: implement bash completion hooks
2015-10-01 17:22:09 +02:00
Alen Grizonic
6084476178
remove_storage_access: cleanup of access permissions for removed storage
...
Signed-off-by: Alen Grizonic <a.grizonic@proxmox.com>
2015-08-19 15:25:15 +02:00
Dietmar Maurer
57a704731b
cleanup: avoid writing user.cfg twice
2015-08-14 07:55:36 +02:00
Dietmar Maurer
66931b1141
white space cleanup
2015-08-14 07:49:18 +02:00
Alen Grizonic
3b4a3f94e1
access permissions cleanup fix
...
for removed vms and pools
Signed-off-by: Alen Grizonic <a.grizonic@proxmox.com>
2015-08-14 07:47:32 +02:00
Wolfgang Bumiller
d6eb662119
fix access of possibly undefined variable
2015-08-07 11:58:47 +02:00
Wolfgang Bumiller
62af314a96
improve parse_user_config, parse_shadow_config
...
same as in pve-common: replace substituting line parsing
with /gm modified match regexps.
2015-07-22 08:10:49 +02:00
Wolfgang Bumiller
2516752605
remote_viewer_config: brackets around ipv6 http address
2015-05-27 11:14:29 +02:00
Wolfgang Link
7279f31c3b
Fix: disable root
...
root can now be disabled in GUI.
Signed-off-by: Wolfgang Link <w.link@proxmox.com>
2015-01-30 06:19:26 +01:00
Dietmar Maurer
419880e683
remove debugging code
2014-07-23 07:02:37 +02:00
Dietmar Maurer
86cd805b63
add step/digits option to oath configuration
2014-07-23 06:59:01 +02:00
Dietmar Maurer
1abc2c0aee
add oath two factor auth, bump version to 3.0-14
2014-07-17 14:04:13 +02:00
Dietmar Maurer
077f078cd6
enable yubico OTP (by removing debugging code)
2014-07-15 14:18:17 +02:00
Dietmar Maurer
96f8ebd625
add basic support for two factor auth
2014-06-23 11:42:44 +02:00
Dietmar Maurer
ab652a8018
add experimental code for yubico OTP verification
2014-06-20 12:58:17 +02:00
Dietmar Maurer
63691fc66a
cleanup previous patch
2014-01-22 07:25:09 +01:00
Lindsay Mathieson
dc7573bf85
Sets common hot keys for spice client
...
* "Ctl-Alt-Insert" for secure-attention (Ctrl-Alt-del)
* "Shift-F11" for Full Screen toggle
* "Ctrl-Alt-R" for cursor release
Signed-off-by: Lindsay Mathieson <lindsay.mathieson@gmail.com>
2014-01-22 07:22:57 +01:00
Dietmar Maurer
cee5583b3d
implement helper to generate SPICE remote-viewer configuration
...
Moved read_x509_subject_spice() from PVE::QemuServer.
Depend on libnet-ssleay-perl.
2013-12-10 10:43:46 +01:00
Dietmar Maurer
e4f8fc2e7e
allow dots in access paths
...
Because storage IDs may contain dots.
2013-11-26 07:52:05 +01:00
Dietmar Maurer
6126ab75a0
prevent user enumeration attacks
2013-11-18 09:05:04 +01:00
Dietmar Maurer
cb442f35e7
spice: use lowercase hostname in ticket signature
2013-10-28 08:10:48 +01:00
Dietmar Maurer
7c410d6301
use warnings instead of global -w flag
2013-10-01 13:04:53 +02:00
Dietmar Maurer
3f62bdbea6
produce shorter spiceproxy tickets
...
By using a simple Digest with private secret /etc/pve/pve-www.key. This is
less secure than pub key auth, but good enough for the proxy.
2013-07-19 12:35:23 +02:00
Dietmar Maurer
bf3e6d3105
new ticket code for spice
2013-06-26 13:07:00 +02:00
Dietmar Maurer
83d1f13ec0
assemble_spice_ticket: do not use base32 encoding
2013-06-25 12:03:48 +02:00
Alexandre Derumier
23b35225d3
assemble_spice_ticket
...
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2013-06-25 11:48:05 +02:00
Dietmar Maurer
018ae3a90e
moved add_vm_to_pool/remove_vm_from_pool from qemu-server
...
Because we can also use this for openvz containers
2013-05-14 11:55:26 +02:00
Dietmar Maurer
7b395f990d
rename VM.Copy to VM.Clone
2013-05-02 11:44:52 +02:00
Dietmar Maurer
ff4b223563
add VM.Copy privilege
...
And a new role called PVETemplateUser
2013-04-29 11:40:32 +02:00
Dietmar Maurer
e3e6510c3a
add VM.Snapshot permission
2012-09-10 09:24:37 +02:00