Wolfgang Bumiller
9d06f6038e
pveum: update tfa delete command
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 11:13:21 +01:00
Wolfgang Bumiller
d168ab34d6
update tfa cleanup when deleting users
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 11:13:21 +01:00
Wolfgang Bumiller
8c1e3ab3e9
support registering yubico otp keys
...
In PBS we don't support this, so the current TFA API in rust
does not support this either (although the config does know
about its *existence*).
For now, yubico authentication will be done in perl. Adding
it to rust the rust TFA crate would not make much sense
anyway as we'd likely not want to use the same http client
crate in pve and pbs anyway (since pve is all blocking code
and pbs is async...)
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 11:13:21 +01:00
Wolfgang Bumiller
07692c72ff
add pbs-style TFA API implementation
...
implements the same api paths as in pbs by forwarding the
api methods to the rust implementation after performing the
product-specific checks
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 11:13:21 +01:00
Wolfgang Bumiller
dc547a1339
move TFA api path into its own module
...
and remove old modification api
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 11:13:21 +01:00
Wolfgang Bumiller
6adcb18c01
handle yubico authentication in new path
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 11:13:21 +01:00
Wolfgang Bumiller
afb10353d1
use PBS-like auth api call flow
...
The main difference here is that we have no separate api
path for verification. Instead, the ticket api call gets an
optional 'tfa-challenge' parameter.
This is opt-in: old pve-manager UI with new
pve-access-control will still work as expected, but users
won't be able to *update* their TFA settings.
Since the new tfa config parser will build a compatible
in-perl tfa config object as well, the old authentication
code is left unchanged for compatibility and will be removed
with pve-8, where the `new-format` parameter in the ticket
call will change its default to `1`.
The `change_tfa` call will simply die in this commit. It is
removed later when adding the pbs-style TFA API calls.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 11:13:21 +01:00
Wolfgang Bumiller
f7f2e28e6d
update read_user_tfa_type call
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 11:13:21 +01:00
Wolfgang Bumiller
57098eb8fb
use rust parser for TFA config
...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2021-11-10 11:13:21 +01:00
Thomas Lamprecht
afda4f1a83
openid: proxy: only set env var if DC-config property exists
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-11-03 11:30:05 +01:00
Fabian Grünbichler
bb0cfca4b0
fix #3513 : pass configured proxy to OpenID
...
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2021-11-03 11:27:40 +01:00
Thomas Lamprecht
cd46b379b3
bump version to 7.0-6
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-10-21 12:28:58 +02:00
Dominik Csapak
4aa4f0b3d7
fix user deletion when realm does not enforce TFA
...
here the existance of the user is only interesting if we want to set
data, not if we delete it.
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2021-10-21 12:27:42 +02:00
Thomas Lamprecht
52da88a86c
bump version to 7.0-5
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-10-04 12:47:15 +02:00
Thomas Lamprecht
e780b46aab
api: delete user: better communicate partial deletion
...
this is really an edge case and should not happen often in practice,
the time window is small and deletions are not _that_ common, but
still.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-09-27 15:48:21 +02:00
Thomas Lamprecht
ba6cc98fcb
api: delete user: disable first to avoid surprise on error
...
Write out a config with the user disabled so that it cannot be used
even if deletion fails, why ever that is
Suggested-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-09-27 15:47:22 +02:00
Thomas Lamprecht
8ecf1a490d
fix #2302 : allow deletion of users when realm enforces TFA
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-09-27 15:32:05 +02:00
Thomas Lamprecht
3e5b237feb
api: user: indentation & whitspace cleanups
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-09-23 14:16:50 +02:00
Alexandre Derumier
4100ba8d65
check_path: add /sdn/vnets/* path
...
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2021-08-23 18:19:15 +02:00
Thomas Lamprecht
543d646c44
bump version to 7.0-4
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-07-02 13:45:51 +02:00
Thomas Lamprecht
d658d04acb
api: users: use public regex directly to parse out realm
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-07-02 13:42:16 +02:00
Thomas Lamprecht
525a931b98
api: users: code-style cleanup and sort when iterating users
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-07-02 13:41:29 +02:00
Thomas Lamprecht
3f6023f55c
api: users: s/realmtype/realm-type/ in response
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-07-02 13:38:46 +02:00
Dominik Csapak
8bb59c2612
api: user: add realmtype to user list
...
this makes it much easier to determine if a user can e.g.
change a password or tfa, based on realm
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2021-07-02 13:14:51 +02:00
Dietmar Maurer
fbf4594aaf
implement OpenID autocreate user feature
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-07-01 13:35:58 +02:00
Dietmar Maurer
ac344d7df3
api: implement openid API
...
This moves compute_api_permission() into RPCEnvironment.pm.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-07-01 13:31:45 +02:00
Dietmar Maurer
f0c9ef167b
depend on libpve-rs-perl
2021-07-01 13:13:59 +02:00
Dietmar Maurer
52d1c1b966
add OpenId configuration
2021-07-01 13:13:59 +02:00
Dietmar Maurer
8a724f7b3a
check_user_enabled: also check if user is expired
2021-07-01 13:13:59 +02:00
Thomas Lamprecht
7a4c4fd870
bump version to 7.0-3
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-06-21 10:31:23 +02:00
Thomas Lamprecht
a981f7c1c6
buildsys: clean more
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-06-17 14:43:44 +02:00
Thomas Lamprecht
d7e8d24ef5
access control: style: register configs in single line each
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-06-17 14:41:02 +02:00
Alexandre Derumier
0a06acb128
check_path : add sdn zone path
...
This was missing in commit20c60513b2a6b2d7c7aae0dcc0391889b9cb7ecf,
so user can't assign permisson on a zone currently
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-06-17 13:15:36 +02:00
Dominik Csapak
8737ff3718
add missing paths in check_path
...
* /access/realm/<realm>
* /access/groups/<group>
were overlooked when fixing #1500
see: https://forum.proxmox.com/threads/are-group-acls-broken-in-v6-4.91000/
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2021-06-16 16:19:33 +02:00
Thomas Lamprecht
5e868938f1
rpc env: sort use statements
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-06-15 14:38:41 +02:00
Thomas Lamprecht
f368e8c75c
buildsys: change upload dist to bullseye
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-06-08 09:47:21 +02:00
Fabian Grünbichler
0902a936f3
bump version to 7.0-2
...
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2021-06-01 11:29:49 +02:00
Lorenz Stechauner
6d048ad6fc
fix #3402 : add Pool.Audit permission
...
add new user "PVEPoolUser" and add Pool.Audit to "PVEAuditor".
Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
2021-06-01 10:31:16 +02:00
Fabian Grünbichler
8ac53236df
d/control: add missing libuuid-perl b-d
...
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2021-05-19 11:54:26 +02:00
Thomas Lamprecht
67febb6933
bump version to 7.0-1
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-05-09 19:48:50 +02:00
Thomas Lamprecht
3470fad8c1
pveum: work around unavailable API2:Pools module
...
commit 42ade84744
2021-05-09 19:48:50 +02:00
Thomas Lamprecht
d4c9a54e35
d/control: update standards version
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-05-09 19:48:50 +02:00
Thomas Lamprecht
ce4b5d6066
d/control: drop perl dependency, added by ${perl:Depends}
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-05-09 19:48:50 +02:00
Thomas Lamprecht
197d1016fd
buildsys: split packaging and source build-systems
...
Much nicer to handle and work with than entangling all together in a
single spaghetti pile.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-05-09 19:48:50 +02:00
Thomas Lamprecht
08eb54c9dc
d/control: bump debhelper compat to >= 12
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-05-09 18:16:38 +02:00
Thomas Lamprecht
ebcefa86d4
d/rules: fix dh_missing override
...
note, with compat level >= 13 we can drop that override finally
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-05-09 18:16:04 +02:00
Thomas Lamprecht
2942ba4139
bump version to 6.4-1
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-04-24 19:48:25 +02:00
Dylan Whyte
42ade84744
resource pools: add resource pool cli commands
...
Add commands for creating, modifying, listing, and deleting resource
pools.
Signed-off-by: Dylan Whyte <d.whyte@proxmox.com>
2021-04-22 21:53:09 +02:00
Lorenz Stechauner
b89cd20528
fix typo in oathkeygen: randon -> random
...
Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
2021-04-20 18:13:51 +02:00
Thomas Lamprecht
ad1ef9fc1c
acl: check path: further resdtrict VMID values
...
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-04-19 11:50:16 +02:00
