[pve-devel] [PATCH v2 access-control 11/23] API token: add verification method

Fabian Grünbichler f.gruenbichler at proxmox.com
Thu Nov 21 15:43:29 CET 2019


which checks that the user and token exist and are not expired, and then
generates the string to be matched with the pmxcfs-stored token shadow
config file.

Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---

Notes:
    new in v2
    
    requires versioned dependency on pve-cluster with PVE::Cluster::verify_token

 PVE/AccessControl.pm | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index 573117f..05a20b4 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -399,6 +399,39 @@ sub verify_ticket {
     return wantarray ? ($username, $age, $tfa_info) : $username;
 }
 
+sub verify_token {
+    my ($api_token) = @_;
+
+    die "no API token specified\n" if !$api_token;
+
+    my ($tokenid, $value);
+    if ($api_token =~ /^($token_full_regex)=(.*)$/) {
+	$tokenid = $1;
+	$value = $2;
+    } else {
+	die "no tokenid specified\n";
+    }
+
+    my ($username, $token) = split_tokenid($tokenid);
+
+    my $usercfg = cfs_read_file('user.cfg');
+    check_user_enabled($usercfg, $username);
+    check_token_exist($usercfg, $username, $token);
+
+    my $ctime = time();
+
+    my $user = $usercfg->{users}->{$username};
+    die "account expired\n" if $user->{expire} && ($user->{expire} < $ctime);
+
+    my $token_info = $user->{tokens}->{$token};
+    die "token expired\n" if $token_info->{expire} && ($token_info->{expire} < $ctime);
+
+    die "invalid token value!\n" if !PVE::Cluster::verify_token($tokenid, $value);
+
+    return wantarray ? ($tokenid) : $tokenid;
+}
+
+
 # VNC tickets
 # - they do not contain the username in plain text
 # - they are restricted to a specific resource path (example: '/vms/100')
-- 
2.20.1





More information about the pve-devel mailing list