[pve-devel] [PATCH v2 access-control 11/23] API token: add verification method
Fabian Grünbichler
f.gruenbichler at proxmox.com
Thu Nov 21 15:43:29 CET 2019
which checks that the user and token exist and are not expired, and then
generates the string to be matched with the pmxcfs-stored token shadow
config file.
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
Notes:
new in v2
requires versioned dependency on pve-cluster with PVE::Cluster::verify_token
PVE/AccessControl.pm | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index 573117f..05a20b4 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -399,6 +399,39 @@ sub verify_ticket {
return wantarray ? ($username, $age, $tfa_info) : $username;
}
+sub verify_token {
+ my ($api_token) = @_;
+
+ die "no API token specified\n" if !$api_token;
+
+ my ($tokenid, $value);
+ if ($api_token =~ /^($token_full_regex)=(.*)$/) {
+ $tokenid = $1;
+ $value = $2;
+ } else {
+ die "no tokenid specified\n";
+ }
+
+ my ($username, $token) = split_tokenid($tokenid);
+
+ my $usercfg = cfs_read_file('user.cfg');
+ check_user_enabled($usercfg, $username);
+ check_token_exist($usercfg, $username, $token);
+
+ my $ctime = time();
+
+ my $user = $usercfg->{users}->{$username};
+ die "account expired\n" if $user->{expire} && ($user->{expire} < $ctime);
+
+ my $token_info = $user->{tokens}->{$token};
+ die "token expired\n" if $token_info->{expire} && ($token_info->{expire} < $ctime);
+
+ die "invalid token value!\n" if !PVE::Cluster::verify_token($tokenid, $value);
+
+ return wantarray ? ($tokenid) : $tokenid;
+}
+
+
# VNC tickets
# - they do not contain the username in plain text
# - they are restricted to a specific resource path (example: '/vms/100')
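Review bot: the distinct error strings in the new verify_token() ("no tokenid specified", "account expired", "token expired", "invalid token value!") are raised before and after the value check, so a caller who supplies an arbitrary tokenid can tell from the message alone whether that tokenid exists, whether the account is disabled, and whether it has expired, all without knowing the secret; consider returning one uniform client-facing error (e.g. "invalid API token\n") from this function and logging the specific reason server-side, as verify_ticket's callers already treat ticket failures generically. Two smaller points in the same hunk: `return wantarray ? ($tokenid) : $tokenid;` returns the same value in both contexts and can be plain `return $tokenid;`, and the two consecutive empty `+` lines before `# VNC tickets` leave a double blank line.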
--
2.20.1