[pve-devel] [RFC 11/23] DO NOT APPLY: API token stubs for token value handling

Fabian Grünbichler f.gruenbichler at proxmox.com
Thu Oct 17 15:14:05 CEST 2019


two proposed implementation sites so far:
- pmxcfs (accessible via IPCC)
- stand-alone root daemon/setuid binary

two proposed token formats so far:
- plain UUID
- hash/crypt of UUID(+salt)

in both cases the UUID would be provided as token to the user, the
latter format would provide a bit of protection against brute-forcing in
case the shadow file leaks, but makes verification more expensive.

I'd like to focus on the big picture/API structure/API integration for
this initial RFC v1 (hence just the stubs), but feedback on these
variants is of course already welcome as well ;)

Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
 PVE/AccessControl.pm | 47 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index 432ccc0..b5dfe4b 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -397,6 +397,39 @@ sub verify_ticket {
     return wantarray ? ($username, $age, $tfa_info) : $username;
 }
 
+# API Tokens
+sub verify_token {
+    my ($api_token) = @_;
+
+    die "no API token specified\n" if !$api_token;
+
+    my ($tokenid, $value);
+    if ($api_token =~ /^($token_full_regex)=(.*)$/) {
+	$tokenid = $1;
+	$value = $2;
+    } else {
+	die "no tokenid specified\n";
+    }
+
+    my ($username, $token) = split_tokenid($tokenid);
+
+    my $usercfg = cfs_read_file('user.cfg');
+    check_user_enabled($usercfg, $username);
+    check_token_enabled($usercfg, $username, $token);
+
+    my $ctime = time();
+
+    my $user = $usercfg->{users}->{$username};
+    die "account expired\n" if $user->{expire} && ($user->{expire} < $ctime);
+
+    my $token_info = $user->{tokens}->{$token};
+    die "token expired\n" if $token_info->{expire} && ($token_info->{expire} < $ctime);
+
+    # FIXME: actually implement token verification here
+    return wantarray ? ($tokenid) : $tokenid;
+}
+
+
 # VNC tickets
 # - they do not contain the username in plain text
 # - they are restricted to a specific resource path (example: '/vms/100')
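Review bot: `verify_token` parses `$value` out of the token string but never compares it with anything, so the final `return` accepts any string after `=` for an enabled, unexpired token. Even for an RFC stub I would fail closed until the real check exists, e.g. replace the return with `die "token verification not implemented\n";`, so that an accidental apply cannot become an authentication bypass. When the check is implemented, the `(.*)` capture should stop accepting an empty value (`(.+)`), and the comparison against the stored UUID or hash should be constant-time. The `no tokenid specified` message in the else branch also fires for any malformed token, so `malformed API token` would describe it more accurately.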
@@ -1578,6 +1611,20 @@ sub user_get_tfa {
     }
 }
 
+# FIXME: actually implement token generation here
+sub generate_token {
+    my ($tokenid) = @_;
+
+    return "${tokenid}_VALUE";
+}
+
+# FIXME: actually implement token deletion here
+sub delete_token {
+    my ($tokenid) = @_;
+
+    return;
+}
+
 # bash completion helpers
 
 register_standard_option('userid-completed',
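Review bot: `generate_token` builds its return value from `$tokenid` alone, so the placeholder secret is fully predictable from a public identifier, and `delete_token` returns without removing anything. If these stubs can be reached through the API during review, I would have both die with a `not implemented` message. At minimum, add a comment above `generate_token` stating the contract: `# returns the secret value; must come from a CSPRNG, is shown to the caller once, and only its stored form is kept`. Whether callers treat the bare `return;` of `delete_token` as success is not visible in this hunk.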
-- 
2.20.1




