[pve-devel] applied: [PATCH v4 apiclient] fix #2227: enable totp codes to be passed in cli

Thomas Lamprecht t.lamprecht at proxmox.com
Wed Sep 4 16:13:07 CEST 2019


On 16.08.19 13:51, Oguz Bektas wrote:
> this patch enables passing TOTP codes during cluster join if TFA has
> been enabled for root at pam (or for any other user, but having it enabled on
> root causes problems during cluster join).
> 
> u2f support is not yet implemented.
> 
> Co-developed-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
> Co-developed-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
> Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
> ---
> 
> v3->v4:
> per thomas' suggestion:
> * change error messages
> * use a variable for the ticket regex for improved readability

applied, thanks!

> 
>  PVE/APIClient/LWP.pm | 31 +++++++++++++++++++++++++------
>  1 file changed, 25 insertions(+), 6 deletions(-)
> 
> diff --git a/PVE/APIClient/LWP.pm b/PVE/APIClient/LWP.pm
> index c0e30ff..97fd64f 100755
> --- a/PVE/APIClient/LWP.pm
> +++ b/PVE/APIClient/LWP.pm
> @@ -92,6 +92,23 @@ sub update_ticket {
>      $agent->default_header('Cookie', $cookie);
>  }
>  
> +sub two_factor_auth_login {
> +    my ($self, $type, $challenge) = @_;
> +
> +    if ($type eq 'PVE:tfa') {
> +	raise("TFA-enabled login currently works only with a TTY.") if !-t STDIN;
> +	print "\nEnter OTP code for user $self->{username}: ";
> +	my $tfa_response = <STDIN>;
> +	chomp $tfa_response;
> +	return $self->post('/api2/json/access/tfa', {response => $tfa_response});
> +    } elsif ($type eq 'PVE:u2f') {
> +	# TODO: implement u2f-enabled join
> +	raise("U2F-enabled login is currently not implemented.");
> +    } else {
> +	raise("Authentication type '$type' not recognized, aborting!");
> +    }
> +}
> +
>  sub login {
>      my ($self) = @_;
>  
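Review bot: The OTP read at `my $tfa_response = <STDIN>;` is never checked for EOF, so a closed or empty stdin yields undef, a chomp warning, and a POST to /api2/json/access/tfa carrying an empty response; guard it with `raise("No OTP code entered.") if !defined($tfa_response);` before the chomp, and `raise("No OTP code entered.") if !length($tfa_response);` after it. The `$challenge` parameter is accepted but not used in the `PVE:tfa` branch, which is expected for TOTP but deserves a one-line comment such as `# $challenge is not needed for TOTP; the U2F branch will consume it` so the TODO below has its input documented. The `-t STDIN` check only guards the prompt, so a non-TTY caller still gets a clear error, which is good; stating that contract in a short header comment on `two_factor_auth_login` would help the next reader.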
> @@ -129,15 +146,17 @@ sub login {
>      my $res = from_json($response->decoded_content, {utf8 => 1, allow_nonref => 1});
>  
>      my $data = $extract_data->($res);
> -
> -    # TODO: make it possible to use tfa
> -    if ($data->{ticket} =~ m/^PVE:tfa!/) {
> -	raise("Two Factor Auth is not yet implemented! Try disabling TFA for the user '$username'.\n");
> -    }
> -
>      $self->update_ticket($data->{ticket});
>      $self->update_csrftoken($data->{CSRFPreventionToken});
>  
> +    # handle two-factor login
> +    my $tfa_ticket_re = qr/^([^\s!]+)![^!]*(!([0-9a-zA-Z\/.=_\-+]+))?$/;
> +    if ($data->{ticket} =~ m/$tfa_ticket_re/) {
> +	my ($type, $challenge) = ($1, $2);
> +	$data = $self->two_factor_auth_login($type, $challenge);
> +	$self->update_ticket($data->{ticket});
> +    }
> +
>      return $data;
>  }
>  
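Review bot: `my ($type, $challenge) = ($1, $2);` takes the wrong capture for the challenge: in `$tfa_ticket_re` group 2 is the whole optional `!...` suffix including its leading `!`, while group 3 is the bare challenge value, so `$challenge` would carry a stray `!` as soon as a branch starts using it; change it to `my ($type, $challenge) = ($1, $3);` or switch the regex to named captures. The anchors `^` and `$` should be `\A` and `\z` so the match cannot succeed on a ticket with a trailing newline. Note that `update_ticket` has already been called with the TFA half-ticket before `two_factor_auth_login` runs, so if that call raises the client presumably keeps the half-ticket as its cookie; a short comment stating that this ordering is intentional (the TFA endpoint needs that cookie) would make the flow clearer. The enclosing `login` sub starts outside the hunk.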
> 




