[pmg-devel] [PATCH api 1/6] add tfa.json and its lock methods
Wolfgang Bumiller
w.bumiller at proxmox.com
Fri Nov 26 14:55:05 CET 2021
Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
---
src/PMG/Cluster.pm | 1 +
src/PMG/UserConfig.pm | 32 +++++++++++++++++++++++++++++++-
2 files changed, 32 insertions(+), 1 deletion(-)
diff --git a/src/PMG/Cluster.pm b/src/PMG/Cluster.pm
index d82a392..31384b2 100644
--- a/src/PMG/Cluster.pm
+++ b/src/PMG/Cluster.pm
@@ -459,6 +459,7 @@ sub sync_config_from_master {
'pmg-csrf.key',
'ldap.conf',
'user.conf',
+ 'tfa.json',
'domains',
'mynetworks',
'transport',
diff --git a/src/PMG/UserConfig.pm b/src/PMG/UserConfig.pm
index 42a7d20..b9a83a7 100644
--- a/src/PMG/UserConfig.pm
+++ b/src/PMG/UserConfig.pm
@@ -2,8 +2,9 @@ package PMG::UserConfig;
use strict;
use warnings;
-use Data::Dumper;
+
use Clone 'clone';
+use Scalar::Util 'weaken';
use PVE::Tools;
use PVE::INotify;
@@ -15,6 +16,9 @@ use PMG::Utils;
my $inotify_file_id = 'pmg-user.conf';
my $config_filename = '/etc/pmg/user.conf';
+my $tfa_inotify_file_id = 'pmg-tfa.json';
+my $tfa_config_filename = '/etc/pmg/tfa.json';
+
sub new {
my ($type) = @_;
@@ -32,14 +36,40 @@ sub write {
}
my $lockfile = "/var/lock/pmguser.lck";
+my $tfa_lockfile = "/var/lock/pmgtfa.lck";
+# Locking both config files together is only ever allowed in one order:
+# 1) tfa config
+# 2) user config
+# If we permit the other way round, too, we might end up deadlocking!
+my $user_config_locked;
sub lock_config {
my ($code, $errmsg) = @_;
+ my $locked = 1;
+ $user_config_locked = \$locked;
+ weaken $user_config_locked; # make this scope guard signal safe...
+
my $p = PVE::Tools::lock_file($lockfile, undef, $code);
+ $user_config_locked = undef;
+ if (my $err = $@) {
+ $errmsg ? die "$errmsg: $err" : die $err;
+ }
+}
+
+# This lives here in order to enforce lock order.
+sub lock_tfa_config {
+ my ($code, $errmsg) = @_;
+
+ die "tfa config lock cannot be acquired while holding user config lock\n"
+ if ($user_config_locked && $$user_config_locked);
+
+ my $res = PVE::Tools::lock_file($tfa_lockfile, undef, $code);
if (my $err = $@) {
$errmsg ? die "$errmsg: $err" : die $err;
}
+
+ return $res;
}
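Review bot: The lock-order guard in `lock_config` is lost when the function is entered re-entrantly: a nested `lock_config` call overwrites `$user_config_locked` with a reference to its own `$locked` and then resets it to `undef` on the way out, so a later `lock_tfa_config` inside the outer `$code` no longer sees the user lock as held and the deadlock check silently passes (this matters only if `PVE::Tools::lock_file` allows re-locking the same file from the same process, which it appears to, but please confirm). Setting the weak reference only when no live lock is already recorded, and dropping the explicit `$user_config_locked = undef;`, keeps the outermost `$locked` as the single source of truth; the weak reference clears itself on both normal return and `die`, which is what the `weaken` comment relies on anyway. I would also spell that reliance out in the comment, e.g. `# weak ref: clears itself when the outermost $locked goes out of scope, even on die`, since "signal safe" does not say why the weakening is needed. Minor: `my $p = ...` in `lock_config` is assigned but never returned, while the new `lock_tfa_config` returns its `$res`; returning `$p` would make the two wrappers consistent.
```perl
sub lock_config {
    my ($code, $errmsg) = @_;
    my $locked = 1;
    # Only the outermost lock_config records itself; a nested call must not
    # replace (and later clear) the outer reference.
    if (!($user_config_locked && $$user_config_locked)) {
        $user_config_locked = \$locked;
        weaken $user_config_locked;
    }

    my $p = PVE::Tools::lock_file($lockfile, undef, $code);
    # … unchanged: $@ check and die with $errmsg …
    return $p;
}
```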
my $schema = {
--
2.30.2