[pve-devel] r5590 - in pve-access-control/trunk: . PVE PVE/API2

svn-commits at proxmox.com svn-commits at proxmox.com
Wed Feb 23 09:30:06 CET 2011


Author: dietmar
Date: 2011-02-23 09:30:06 +0100 (Wed, 23 Feb 2011)
New Revision: 5590

Modified:
   pve-access-control/trunk/ChangeLog
   pve-access-control/trunk/PVE/API2/AccessControl.pm
   pve-access-control/trunk/PVE/API2/Domains.pm
   pve-access-control/trunk/PVE/API2/Role.pm
   pve-access-control/trunk/PVE/API2/User.pm
   pve-access-control/trunk/PVE/AccessControl.pm
   pve-access-control/trunk/PVE/RPCEnvironment.pm
   pve-access-control/trunk/pveum
Log:
* PVE/API2/AccessControl.pm (create_ticket): moved code from REST.pm



Modified: pve-access-control/trunk/ChangeLog
===================================================================
--- pve-access-control/trunk/ChangeLog	2011-02-23 08:25:32 UTC (rev 5589)
+++ pve-access-control/trunk/ChangeLog	2011-02-23 08:30:06 UTC (rev 5590)
@@ -1,3 +1,7 @@
+2011-02-23  Proxmox Support Team  <support at proxmox.com>
+
+	* PVE/API2/AccessControl.pm (create_ticket): moved code from REST.pm
+
 2011-02-22  Proxmox Support Team  <support at proxmox.com>
 
 	* PVE/AccessControl.pm: make 'domains.cfg' readable by www-data,

Modified: pve-access-control/trunk/PVE/API2/AccessControl.pm
===================================================================
--- pve-access-control/trunk/PVE/API2/AccessControl.pm	2011-02-23 08:25:32 UTC (rev 5589)
+++ pve-access-control/trunk/PVE/API2/AccessControl.pm	2011-02-23 08:30:06 UTC (rev 5590)
@@ -4,9 +4,11 @@
 use warnings;
 
 use PVE::SafeSyslog;
-use Apache2::Const qw(:http);
-
+use PVE::RPCEnvironment;
+use PVE::Cluster;
 use PVE::RESTHandler;
+use PVE::AccessControl;
+use PVE::JSONSchema qw(get_standard_option);
 use PVE::API2::Domains;
 use PVE::API2::User;
 use PVE::API2::Group;
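Review bot: `PVE::Tools::split_list` is called in the new create_ticket body further down this file, but this import hunk adds no `use PVE::Tools;`; unless one of the added modules loads it transitively (likely, but not visible here), the first ticket request that passes `privs` would fail at runtime on the missing package. Adding `use PVE::Tools;` next to the other `use PVE::` lines makes the dependency explicit either way.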
@@ -74,7 +76,94 @@
 	    push @$res, { subdir => $subpath };
 	}
 
+	push @$res, { subdir => 'ticket' };
+
 	return $res;
     }});
 
+__PACKAGE__->register_method ({
+    name => 'create_ticket', 
+    path => 'ticket', 
+    method => 'POST',
+    permissions => { user => 'world' },
+    protected => 1, # else we can't access shadow files
+    description => "Create authentication ticket.",
+    parameters => {
+	additionalProperties => 0,
+	properties => {
+	    username => {
+		description => "User name",
+		type => 'string',
+		maxLength => 64,
+	    },
+	    realm =>  get_standard_option('realm', {
+		description => "You can optionally pass the realm using this parameter. Normally the realm is simply added to the username <username>\@<relam>.",
+		optional => 1}),
+	    password => { 
+		description => "The secret password. This can also be a valid ticket.",
+		type => 'string',
+	    },
+	    path => {
+		description => "Only create ticket if user have access 'privs' on 'path'",
+		type => 'string',
+		requires => 'privs',
+		optional => 1,
+		maxLength => 64,
+	    },
+	    privs => { 
+		description => "Only create ticket if user have access 'privs' on 'path'",
+		type => 'string' , format => 'pve-priv-list',
+		requires => 'path',
+		optional => 1,
+		maxLength => 64,
+	    },
+	}
+    },
+    returns => {
+	type => "object",
+	properties => {
+	    ticket => { type => 'string' },
+	}
+    },
+    code => sub {
+	my ($param) = @_;
+    
+	my $username = $param->{username};
+	$username .= "\@$param->{realm}" if $param->{realm};
+
+	my $rpcenv = PVE::RPCEnvironment::get();
+	my $clientip = $rpcenv->get_client_ip() || '';
+
+	my $ticket;
+	eval {
+
+	    if ($param->{path} && $param->{privs}) {
+		my $privs = [ PVE::Tools::split_list($param->{privs}) ];
+		my $path = PVE::AccessControl::normalize_path($param->{path});
+		if (!($path && scalar(@$privs) && $rpcenv->check($username, $path, $privs))) {
+		    die "no permission ($param->{path}, $param->{privs})\n";
+		}
+	    }
+
+	    my $tmp;
+	    if (($tmp = PVE::AccessControl::verify_ticket($param->{password}, 1)) &&
+		($tmp eq $username)) {
+		# got valid ticket
+	    } else {
+		$username = PVE::AccessControl::authenticate_user($username, $param->{password});
+	    }
+	    $ticket = PVE::AccessControl::assemble_ticket($username);
+	};
+	if (my $err = $@) {
+	    syslog('err', "authentication failure; rhost=$clientip user=$username msg=$err");
+	    die $err;
+	}
+
+	PVE::Cluster::log_msg('info', 'root at pam', "successful auth for user '$username'");
+
+	return {
+	    ticket => $ticket,
+	};
+    }});
+
 1;
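Review bot: The `path`/`privs` check (the `$rpcenv->check($username, $path, $privs)` branch) runs before the password or ticket has been verified, so an unauthenticated request receives the distinct `no permission (...)` error when the named user lacks the privilege and an authentication error otherwise, which lets a caller probe a user's ACL without credentials; move the `if ($param->{path} && $param->{privs})` block below the verify_ticket/authenticate_user branch so it only runs for a proven identity. The ticket-renewal branch (`$tmp eq $username`) also skips the `user_enabled` and `expire` checks that authenticate_user performs, so a disabled or expired account can keep re-issuing itself a fresh ticket from a still-valid one; apply the same checks there, e.g. `die "user disabled\n" if !PVE::AccessControl::user_enabled(PVE::Cluster::cfs_read_file('user.cfg'), $username);` (presumably verify_ticket's second argument suppresses the die on an invalid ticket — confirm). The empty `# got valid ticket` branch reads more clearly inverted: `my $tmp = PVE::AccessControl::verify_ticket($param->{password}, 1);` followed by `$username = PVE::AccessControl::authenticate_user($username, $param->{password}) unless $tmp && $tmp eq $username;`. Note also that `username` is a plain string parameter with no `format` constraint, so on the renewal path it reaches the syslog and log_msg lines without ever passing through verify_username; validating it up front would bound what gets logged.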

Modified: pve-access-control/trunk/PVE/API2/Domains.pm
===================================================================
--- pve-access-control/trunk/PVE/API2/Domains.pm	2011-02-23 08:25:32 UTC (rev 5589)
+++ pve-access-control/trunk/PVE/API2/Domains.pm	2011-02-23 08:30:06 UTC (rev 5590)
@@ -21,6 +21,7 @@
     path => '', 
     method => 'GET',
     description => "Authentication domain index.",
+    permissions => { user => 'world' },
     parameters => {
 	additionalProperties => 0,
 	properties => {},
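Review bot: With `permissions => { user => 'world' }` the domain index is reachable without a ticket, so whatever its `code` block returns (outside this hunk) is now public; the realm-list code this commit removes from RPCEnvironment.pm exposed only `id`, `comment` and `default`, and the index should be confirmed to return no more than that, since a realm entry in domains.cfg might carry server or credential settings. A one-line comment above the new line, e.g. `# world-readable: the login form needs the realm list before authentication`, would record why this endpoint is unauthenticated. The enclosing register_method call starts before this hunk.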

Modified: pve-access-control/trunk/PVE/API2/Role.pm
===================================================================
--- pve-access-control/trunk/PVE/API2/Role.pm	2011-02-23 08:25:32 UTC (rev 5589)
+++ pve-access-control/trunk/PVE/API2/Role.pm	2011-02-23 08:30:06 UTC (rev 5590)
@@ -57,7 +57,7 @@
    	additionalProperties => 0,
 	properties => {
 	    roleid => { type => 'string', format => 'pve-roleid' },
-	    privs => { type => 'string', optional => 1 },
+	    privs => { type => 'string' , format => 'pve-priv-list', optional => 1 },
 	},
     },
     returns => { type => 'null' },

Modified: pve-access-control/trunk/PVE/API2/User.pm
===================================================================
--- pve-access-control/trunk/PVE/API2/User.pm	2011-02-23 08:25:32 UTC (rev 5589)
+++ pve-access-control/trunk/PVE/API2/User.pm	2011-02-23 08:30:06 UTC (rev 5590)
@@ -69,28 +69,6 @@
     }});
 
 __PACKAGE__->register_method ({
-    name => 'create_ticket', 
-    path => '{userid}/ticket', 
-    method => 'POST',
-    description => "Create authentication ticket.",
-    parameters => {
-	additionalProperties => 0,
-	properties => {
-	    userid => get_standard_option('userid'),
-	    password => { type => 'string' },
-	}
-    },
-    returns => { type => 'string' },
-    code => sub {
-	my ($param) = @_;
-    
-	my $user = PVE::AccessControl::authenticate_user($param->{userid}, $param->{password});
-	my $ticket = PVE::AccessControl::assemble_ticket($user);
-
-	return $ticket;
-    }});
-
-__PACKAGE__->register_method ({
     name => 'create_user', 
     protected => 1,
     path => '{userid}', 

Modified: pve-access-control/trunk/PVE/AccessControl.pm
===================================================================
--- pve-access-control/trunk/PVE/AccessControl.pm	2011-02-23 08:25:32 UTC (rev 5589)
+++ pve-access-control/trunk/PVE/AccessControl.pm	2011-02-23 08:30:06 UTC (rev 5590)
@@ -308,34 +308,29 @@
 sub authenticate_user {
     my ($username, $password) = @_;
 
-    eval {
-
-	die "no username specified\n" if !$username;
+    die "no username specified\n" if !$username;
  
-	my ($userid, $realm);
+    my ($userid, $realm);
 
-	($username, $userid, $realm) = verify_username($username);
+    ($username, $userid, $realm) = verify_username($username);
 
-	my $usercfg = cfs_read_file('user.cfg');
+    my $usercfg = cfs_read_file('user.cfg');
 
-	if (!user_enabled($usercfg, $username)) {
-	    sleep(2);
-	    die "no such user ('$username')\n"
-	}
+    if (!user_enabled($usercfg, $username)) {
+	sleep(2);
+	die "no such user ('$username')\n"
+    }
 
-	my $ctime = time();
-	my $expire = $usercfg->{users}->{$username}->{expire};
+    my $ctime = time();
+    my $expire = $usercfg->{users}->{$username}->{expire};
 
-	if ($expire && ($expire < $ctime)) {
-	    sleep(2);
-	    die "account expired\n"
-	}
+    if ($expire && ($expire < $ctime)) {
+	sleep(2);
+	die "account expired\n"
+    }
 
-	authenticate_user_domain($realm, $userid, $password);
-    };
+    authenticate_user_domain($realm, $userid, $password);
 
-    die "auth failed: $@" if $@;
-
     return $username;
 }
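Review bot: Dropping the eval means the caller now sees the raw `no such user ('$username')`, `account expired` and domain-layer messages directly, and the `sleep(2)` delay is applied on the first two but (as far as this hunk shows) not on a wrong password from authenticate_user_domain, so both the message text and the response time distinguish an unknown or expired account from a bad password; consider dying with one generic message toward the client and logging the specific reason, with the same delay on every failure path. A short header comment would also help now that the `auth failed:` wrapper is gone, e.g. `# Verify $password for $username (user@realm form); returns the normalized username, dies on any failure.`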
 
@@ -620,13 +615,15 @@
     return undef;
 }
 PVE::JSONSchema::register_standard_option('userid', {
-    description => "User ID (email address format)",
+    description => "User ID",
     type => 'string', format => 'pve-userid',
+    maxLength => 64,
 });
 
 PVE::JSONSchema::register_standard_option('realm', {
     description => "Authentication domain ID",
     type => 'string', format => 'pve-configid',
+    maxLength => 32,
 });
 
 PVE::JSONSchema::register_format('pve-groupid', \&verify_groupname);

Modified: pve-access-control/trunk/PVE/RPCEnvironment.pm
===================================================================
--- pve-access-control/trunk/PVE/RPCEnvironment.pm	2011-02-23 08:25:32 UTC (rev 5589)
+++ pve-access-control/trunk/PVE/RPCEnvironment.pm	2011-02-23 08:30:06 UTC (rev 5590)
@@ -135,12 +135,6 @@
     return PVE::AccessControl::user_enabled($cfg, $user);
 }
 
-sub realm_list {
-    my ($self) = @_;
-    
-    return $self->{realms};
-}
-
 # initialize environment - must be called once at program startup
 sub init {
     my ($class, $type, %params) = @_;
@@ -223,25 +217,6 @@
 		my $cfg = PVE::Cluster::cfs_read_file('user.cfg');
 		$self->{user_cfg} = $cfg;
 	    }
-	    my $dcvers = PVE::Cluster::cfs_file_version('domains.cfg'); 
-	    if (!$self->{realms} || !defined($self->{domainsversion}) || 
-		!defined($dcvers) ||  ($dcvers ne $self->{domainsversion})) {
-		$self->{domainsversion} = $dcvers;
-		my $dcfg = PVE::Cluster::cfs_read_file('domains.cfg');
-		my $ra = [];
-		foreach my $realm (keys %$dcfg) {
-		    my $data = $dcfg->{$realm};
-		    my $entry = { 
-			id => $realm,
-			comment => $data->{comment} || $realm,
-		    };
-
-		    $entry->{default} = 1 if $data->{default};
-
-		    push @$ra, $entry;
-		}
-		$self->{realms} = $ra;
-	    }
 	}
     };
     if (my $err = $@) {
@@ -250,6 +225,18 @@
     }
 }
 
+sub set_client_ip {
+    my ($self, $ip) = @_;
+
+    $self->{client_ip} = $ip;
+}
+
+sub get_client_ip {
+    my ($self) = @_;
+
+    return $self->{client_ip};
+}
+
 sub set_language {
     my ($self, $lang) = @_;
 

Modified: pve-access-control/trunk/pveum
===================================================================
--- pve-access-control/trunk/pveum	2011-02-23 08:25:32 UTC (rev 5589)
+++ pve-access-control/trunk/pveum	2011-02-23 08:30:06 UTC (rev 5590)
@@ -14,6 +14,7 @@
 use PVE::API2::Group;
 use PVE::API2::Role;
 use PVE::API2::ACL;
+use PVE::API2::AccessControl;
 use PVE::JSONSchema qw(get_standard_option);
 use PVE::CLIHandler;
 
@@ -54,10 +55,10 @@
 };
 
 my $cmddef = {
-    ticket => [ 'PVE::API2::User', 'create_ticket', ['userid'], undef,
+    ticket => [ 'PVE::API2::AccessControl', 'create_ticket', ['username'], undef,
 		sub {
-		    my $ticket = shift;
-		    print "$ticket\n";
+		    my ($res) = @_;
+		    print "$res->{ticket}\n";
 		}],
     useradd => [ 'PVE::API2::User', 'create_user', ['userid'] ],
     usermod => [ 'PVE::API2::User', 'update_user', ['userid'] ],



