[pve-devel] [PATCH v2 access-control 10/23] API token: add (shadow) TokenConfig

Fabian Grünbichler f.gruenbichler at proxmox.com
Thu Nov 21 15:43:28 CET 2019


with the format:

<full token ID> <token value/UUID>

it is just used for token value generation/deletion via the User API,
token value verification will happen over pmxcfs/ipcc.

Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---

Notes:
    new in v2
    
    requires versioned build- and runtime-dependency on pve-cluster with
    priv/token.cfg observed

 PVE/Makefile       |  1 +
 PVE/TokenConfig.pm | 79 ++++++++++++++++++++++++++++++++++++++++++++++
 debian/control     |  1 +
 3 files changed, 81 insertions(+)
 create mode 100644 PVE/TokenConfig.pm

diff --git a/PVE/Makefile b/PVE/Makefile
index 410d9d8..c839d8f 100644
--- a/PVE/Makefile
+++ b/PVE/Makefile
@@ -5,5 +5,6 @@ install:
 	make -C Auth install
 	install -D -m 0644 AccessControl.pm ${DESTDIR}${PERLDIR}/PVE/AccessControl.pm
 	install -D -m 0644 RPCEnvironment.pm ${DESTDIR}${PERLDIR}/PVE/RPCEnvironment.pm
+	install -D -m 0644 TokenConfig.pm ${DESTDIR}${PERLDIR}/PVE/TokenConfig.pm
 	make -C API2 install
 	make -C CLI install
diff --git a/PVE/TokenConfig.pm b/PVE/TokenConfig.pm
new file mode 100644
index 0000000..94d87e5
--- /dev/null
+++ b/PVE/TokenConfig.pm
@@ -0,0 +1,79 @@
+package PVE::TokenConfig;
+
+use strict;
+use warnings;
+
+use UUID;
+
+use PVE::AccessControl;
+use PVE::Cluster;
+
+my $parse_token_cfg = sub {
+    my ($filename, $raw) = @_;
+
+    my $parsed = {};
+    my @lines = split(/\n/, $raw);
+
+    foreach my $line (@lines) {
+	next if $line =~ m/^\s*$/;
+
+	if ($line =~ m/^(\S+) (\S+)$/) {
+	    if (PVE::AccessControl::pve_verify_tokenid($1, 1)) {
+		$parsed->{$1} = $2;
+		next;
+	    }
+	}
+
+	warn "skipping invalid token.cfg entry\n";
+    }
+
+    return $parsed;
+};
+
+my $write_token_cfg = sub {
+    my ($filename, $data) = @_;
+
+    my $raw = '';
+    foreach my $tokenid (sort keys %$data) {
+	$raw .= "$tokenid $data->{$tokenid}\n";
+    }
+
+    return $raw;
+};
+
+PVE::Cluster::cfs_register_file('priv/token.cfg', $parse_token_cfg, $write_token_cfg);
+
+sub generate_token {
+    my ($tokenid) = @_;
+
+    PVE::AccessControl::pve_verify_tokenid($tokenid);
+
+    my $token_value = PVE::Cluster::cfs_lock_file('priv/token.cfg', 10, sub {
+	my $uuid = UUID::uuid();
+	my $token_cfg = PVE::Cluster::cfs_read_file('priv/token.cfg');
+
+	$token_cfg->{$tokenid} = $uuid;
+
+	PVE::Cluster::cfs_write_file('priv/token.cfg', $token_cfg);
+
+	return $uuid;
+    });
+
+    die "$@\n" if defined($@);
+
+    return $token_value;
+}
+
+sub delete_token {
+    my ($tokenid) = @_;
+
+    PVE::Cluster::cfs_lock_file('priv/token.cfg', 10, sub {
+	my $token_cfg = PVE::Cluster::cfs_read_file('priv/token.cfg');
+
+	delete $token_cfg->{$tokenid};
+
+	PVE::Cluster::cfs_write_file('priv/token.cfg', $token_cfg);
+    });
+
+    die "$@\n" if defined($@);
+}
diff --git a/debian/control b/debian/control
index 4247b1f..3d43a39 100644
--- a/debian/control
+++ b/debian/control
@@ -27,6 +27,7 @@ Depends: libauthen-pam-perl,
          libpve-common-perl (>= 6.0-6),
          libpve-cluster-perl,
          libpve-u2f-server-perl (>= 1.0-2),
+         libuuid-perl,
          perl (>= 5.6.0-16),
          pve-cluster (>= 5.0-35),
          ${misc:Depends},
-- 
2.20.1





More information about the pve-devel mailing list