[pmg-devel] [PATCH pve-common v6 1/12] add Schema package with auth module that contains realm sync options
Thomas Lamprecht
t.lamprecht at proxmox.com
Tue Feb 25 18:24:40 CET 2025
Am 25.02.25 um 14:36 schrieb Markus Frank:
> This is because these standard options & formats are used by both PVE
> and PMG. Schema-definitions are based on:
> pve-access-control/src/PVE/Auth/Plugin.pm
For now I'd favor having this in PMG as registered pmg-tfa-config format,
or won't that work?
And tbh. I'm not sure if that's really required in the first place, as IIRC
this is the ancient per-realm format that existed before our modern TFA
implementation. Also, exposing TOTP digits/seconds does not make much sense
as there are some very popular clients that cannot cope with non-defaul values
here.
This can be refactored/cleaned-up when there is more time so that we can also
look deeper into pve-access-control to see what's sharable under a more generic
'pmx-' format name prefix.
>
> Signed-off-by: Markus Frank <m.frank at proxmox.com>
> ---
> v6: removed schema-definitions only used by PVE
>
> src/Makefile | 2 ++
> src/PVE/Schema/Auth.pm | 46 ++++++++++++++++++++++++++++++++++++++++++
> 2 files changed, 48 insertions(+)
> create mode 100644 src/PVE/Schema/Auth.pm
>
> diff --git a/src/Makefile b/src/Makefile
> index 2d8bdc4..833bbc1 100644
> --- a/src/Makefile
> +++ b/src/Makefile
> @@ -29,6 +29,7 @@ LIB_SOURCES = \
> RESTEnvironment.pm \
> RESTHandler.pm \
> SafeSyslog.pm \
> + Schema/Auth.pm \
> SectionConfig.pm \
> SysFSTools.pm \
> Syscall.pm \
> @@ -41,6 +42,7 @@ all:
> install: $(addprefix PVE/,${LIB_SOURCES})
> install -d -m 0755 ${DESTDIR}${PERLDIR}/PVE
> install -d -m 0755 ${DESTDIR}${PERLDIR}/PVE/Job
> + install -d -m 0755 ${DESTDIR}${PERLDIR}/PVE/Schema
> for i in ${LIB_SOURCES}; do install -D -m 0644 PVE/$$i ${DESTDIR}${PERLDIR}/PVE/$$i; done
>
>
> diff --git a/src/PVE/Schema/Auth.pm b/src/PVE/Schema/Auth.pm
> new file mode 100644
> index 0000000..031301e
> --- /dev/null
> +++ b/src/PVE/Schema/Auth.pm
> @@ -0,0 +1,46 @@
> +package PVE::Schema::Auth;
> +
> +use strict;
> +use warnings;
> +
> +use PVE::JSONSchema qw(parse_property_string);
> +
> +my $tfa_format = {
> + type => {
> + description => "The type of 2nd factor authentication.",
> + format_description => 'TFATYPE',
> + type => 'string',
> + enum => [qw(oath)],
> + },
> + digits => {
> + description => "TOTP digits.",
> + format_description => 'COUNT',
> + type => 'integer',
> + minimum => 6, maximum => 8,
> + default => 6,
> + optional => 1,
> + },
> + step => {
> + description => "TOTP time period.",
> + format_description => 'SECONDS',
> + type => 'integer',
> + minimum => 10,
> + default => 30,
> + optional => 1,
> + },
> +};
> +
> +PVE::JSONSchema::register_format('pve-tfa-config', $tfa_format);
> +
> +PVE::JSONSchema::register_standard_option('tfa', {
> + description => "Use Two-factor authentication.",
> + type => 'string', format => 'pve-tfa-config',
> + optional => 1,
> + maxLength => 128,
the maxLength looks a bit odd to me, makes not much sense if this property
has a format anyway? Actually the whole format is pretty borked and borderline
useless, but that's pre-existing...
> +});
> +
> +sub parse_tfa_config {
> + my ($data) = @_;
> +
> + return parse_property_string($tfa_format, $data);
> +}
More information about the pmg-devel
mailing list