[pve-devel] [RFC 11/23] DO NOT APPLY: API token stubs for token value handling
Fabian Grünbichler
f.gruenbichler at proxmox.com
Thu Oct 17 15:14:05 CEST 2019
two proposed implementation sites so far:
- pmxcfs (accessible via IPCC)
- stand-alone root daemon/setuid binary
two proposed token formats so far:
- plain UUID
- hash/crypt of UUID(+salt)
in both cases the UUID would be provided as token to the user, the
latter format would provide a bit of protection against brute-forcing in
case the shadow file leaks, but makes verification more expensive.
I'd like to focus on the big picture/API structure/API integration for
this initial RFC v1 (hence just the stubs), but feedback on these
variants is of course already welcome as well ;)
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
PVE/AccessControl.pm | 47 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 47 insertions(+)
diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index 432ccc0..b5dfe4b 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -397,6 +397,39 @@ sub verify_ticket {
return wantarray ? ($username, $age, $tfa_info) : $username;
}
+# API Tokens
+sub verify_token {
+ my ($api_token) = @_;
+
+ die "no API token specified\n" if !$api_token;
+
+ my ($tokenid, $value);
+ if ($api_token =~ /^($token_full_regex)=(.*)$/) {
+ $tokenid = $1;
+ $value = $2;
+ } else {
+ die "no tokenid specified\n";
+ }
+
+ my ($username, $token) = split_tokenid($tokenid);
+
+ my $usercfg = cfs_read_file('user.cfg');
+ check_user_enabled($usercfg, $username);
+ check_token_enabled($usercfg, $username, $token);
+
+ my $ctime = time();
+
+ my $user = $usercfg->{users}->{$username};
+ die "account expired\n" if $user->{expire} && ($user->{expire} < $ctime);
+
+ my $token_info = $user->{tokens}->{$token};
+ die "token expired\n" if $token_info->{expire} && ($token_info->{expire} < $ctime);
+
+ # FIXME: actually implement token verification here
+ return wantarray ? ($tokenid) : $tokenid;
+}
+
+
# VNC tickets
# - they do not contain the username in plain text
# - they are restricted to a specific resource path (example: '/vms/100')
@@ -1578,6 +1611,20 @@ sub user_get_tfa {
}
}
+# FIXME: actually implement token generation here
+sub generate_token {
+ my ($tokenid) = @_;
+
+ return "${tokenid}_VALUE";
+}
+
+# FIXME: actually implement token deletion here
+sub delete_token {
+ my ($tokenid) = @_;
+
+ return;
+}
+
# bash completion helpers
register_standard_option('userid-completed',
--
2.20.1
More information about the pve-devel
mailing list