[pve-devel] [PATCH access-control 1/1] add /access/user/{id}/tfa api call to get tfa types

Thomas Lamprecht t.lamprecht at proxmox.com
Thu Apr 25 08:20:56 CEST 2019


Am 4/18/19 um 12:46 PM schrieb Dominik Csapak:
> this api call will be used to display the right kind of tfa for the gui
> 
> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
> ---
>  PVE/API2/User.pm | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 56 insertions(+)
> 
> diff --git a/PVE/API2/User.pm b/PVE/API2/User.pm
> index 4458fc1..afdbfee 100644
> --- a/PVE/API2/User.pm
> +++ b/PVE/API2/User.pm
> @@ -369,4 +369,60 @@ __PACKAGE__->register_method ({
>  	return undef;
>      }});
>  
> +__PACKAGE__->register_method ({
> +    name => 'read_user_tfa_type',
> +    path => '{userid}/tfa',
> +    method => 'GET',
> +    protected => 1,
> +    description => "Get user TFA types (Personal and Realm).",
> +    permissions => {
> +	check => [ 'or',
> +	    ['userid-param', 'self'],
> +	    ['userid-group', ['User.Modify', 'Sys.Audit']],
> +	],
> +    },
> +    parameters => {
> +	additionalProperties => 0,
> +	properties => {
> +	    userid => get_standard_option('userid-completed'),
> +	},
> +    },
> +    returns => {
> +	additionalProperties => 0,
> +	properties => {
> +	    realm => {
> +		type => 'string',
> +		description => "The type of TFA the users realm has set, if any.",

enum => [qw(oath u2f ...?)]

> +		optional => 1,
> +	    },
> +	    user => {
> +		type => 'string',
> +		description => "The type of TFA the user has set, if any.",

same here?



> +		optional => 1,
> +	    },
> +	},
> +	type => "object"
> +    },
> +    code => sub {
> +	my ($param) = @_;
> +
> +	my ($username, undef, $realm) = PVE::AccessControl::verify_username($param->{userid});
> +
> +
> +	my $domain_cfg = cfs_read_file('domains.cfg');
> +	my $realm_cfg = $domain_cfg->{ids}->{$realm};
> +	die "auth domain '$realm' does not exist\n" if !$realm_cfg;
> +
> +	my $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_cfg->{tfa})
> +	    if $realm_cfg->{tfa};

above is evil undefined behavior! never do post if on variable declarations,
this can get weird fast and hard to find if multiple connections through the
same worker handle this, see:
https://git.proxmox.com/?p=pve-container.git;a=commitdiff;h=9de0505c772f7c382c82d9bfb170b3e0664af9ed


> +
> +	my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
> +	my $tfa = $tfa_cfg->{users}->{$username};
> +
> +	my $res = {};
> +	$res->{realm} = $realm_tfa->{type} if $realm_tfa->{type};
> +	$res->{user} = $tfa->{type} if $tfa->{type};
> +	return $res;
> +    }});
> +
>  1;
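Review bot: The `cfs_read_file('priv/tfa.cfg')` line reads the file that holds the users' actual TFA secret material, and the only field this endpoint may ever expose from it is `$tfa->{type}`; nothing in the code states that invariant, so a later edit could return `$tfa` or `$realm_tfa` wholesale without anyone noticing. I would add a comment above `my $tfa_cfg = cfs_read_file('priv/tfa.cfg');`: `# priv/tfa.cfg contains the users' TFA secrets -- only ever copy the 'type' field into the response, never the whole entry`. It is also worth saying why `protected => 1` is set, presumably because priv/ is readable only by root: `# protected: reading priv/tfa.cfg needs root` (please confirm). The `additionalProperties => 0` in `returns` only backs this up if return values are actually schema-checked at runtime, which I cannot tell from this hunk.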
> 




