[pve-devel] [PATCH v3 access-control 06/20] API token: add (shadow) TokenConfig
Fabian Grünbichler
f.gruenbichler at proxmox.com
Tue Jan 21 13:54:04 CET 2020
with the format:
<full token ID> <token value/UUID>
It is only used for token value generation and deletion via the User API;
token value verification itself will happen over pmxcfs/ipcc.
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
Notes:
new in v2
requires versioned build- and runtime-dependency on pve-cluster with
priv/token.cfg observed
PVE/Makefile | 1 +
PVE/TokenConfig.pm | 79 ++++++++++++++++++++++++++++++++++++++++++++++
debian/control | 1 +
3 files changed, 81 insertions(+)
create mode 100644 PVE/TokenConfig.pm
diff --git a/PVE/Makefile b/PVE/Makefile
index 410d9d8..c839d8f 100644
--- a/PVE/Makefile
+++ b/PVE/Makefile
@@ -5,5 +5,6 @@ install:
make -C Auth install
install -D -m 0644 AccessControl.pm ${DESTDIR}${PERLDIR}/PVE/AccessControl.pm
install -D -m 0644 RPCEnvironment.pm ${DESTDIR}${PERLDIR}/PVE/RPCEnvironment.pm
+ install -D -m 0644 TokenConfig.pm ${DESTDIR}${PERLDIR}/PVE/TokenConfig.pm
make -C API2 install
make -C CLI install
diff --git a/PVE/TokenConfig.pm b/PVE/TokenConfig.pm
new file mode 100644
index 0000000..94d87e5
--- /dev/null
+++ b/PVE/TokenConfig.pm
@@ -0,0 +1,79 @@
+package PVE::TokenConfig;
+
+use strict;
+use warnings;
+
+use UUID;
+
+use PVE::AccessControl;
+use PVE::Cluster;
+
+my $parse_token_cfg = sub {
+ my ($filename, $raw) = @_;
+
+ my $parsed = {};
+ my @lines = split(/\n/, $raw);
+
+ foreach my $line (@lines) {
+ next if $line =~ m/^\s*$/;
+
+ if ($line =~ m/^(\S+) (\S+)$/) {
+ if (PVE::AccessControl::pve_verify_tokenid($1, 1)) {
+ $parsed->{$1} = $2;
+ next;
+ }
+ }
+
+ warn "skipping invalid token.cfg entry\n";
+ }
+
+ return $parsed;
+};
+
+my $write_token_cfg = sub {
+ my ($filename, $data) = @_;
+
+ my $raw = '';
+ foreach my $tokenid (sort keys %$data) {
+ $raw .= "$tokenid $data->{$tokenid}\n";
+ }
+
+ return $raw;
+};
+
+PVE::Cluster::cfs_register_file('priv/token.cfg', $parse_token_cfg, $write_token_cfg);
+
+sub generate_token {
+ my ($tokenid) = @_;
+
+ PVE::AccessControl::pve_verify_tokenid($tokenid);
+
+ my $token_value = PVE::Cluster::cfs_lock_file('priv/token.cfg', 10, sub {
+ my $uuid = UUID::uuid();
+ my $token_cfg = PVE::Cluster::cfs_read_file('priv/token.cfg');
+
+ $token_cfg->{$tokenid} = $uuid;
+
+ PVE::Cluster::cfs_write_file('priv/token.cfg', $token_cfg);
+
+ return $uuid;
+ });
+
+ die "$@\n" if defined($@);
+
+ return $token_value;
+}
+
+sub delete_token {
+ my ($tokenid) = @_;
+
+ PVE::Cluster::cfs_lock_file('priv/token.cfg', 10, sub {
+ my $token_cfg = PVE::Cluster::cfs_read_file('priv/token.cfg');
+
+ delete $token_cfg->{$tokenid};
+
+ PVE::Cluster::cfs_write_file('priv/token.cfg', $token_cfg);
+ });
+
+ die "$@\n" if defined($@);
+}
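Review bot: The token secret in generate_token comes from `UUID::uuid()`, and nothing in the hunk pins which UUID variant that yields; as far as I recall libuuid's uuid_generate() prefers a random (v4) UUID but falls back to a time/MAC-based (v1) one when no high-quality random source is available, which would make the credential guessable. Since this value is the entire authentication secret, generate it from an explicitly random source, e.g. `UUID::generate_random(my $bin); UUID::unparse($bin, my $uuid);` if the installed libuuid-perl provides it (otherwise 16 bytes from /dev/urandom), and add a comment stating why a time-based UUID is unacceptable here. Separately, delete_token takes the lock without first calling `PVE::AccessControl::pve_verify_tokenid($tokenid);` as generate_token does; an invalid id is harmless today because the parser drops such keys, but the check keeps the two entry points consistent. In the parser, `$1`/`$2` are read after the call to pve_verify_tokenid; Perl restores the caller's captures when the callee returns, but copying them to lexicals first (`my ($id, $value) = ($1, $2);`) avoids relying on that and reads clearer. The `die "$@\n" if defined($@)` idiom also depends on cfs_lock_file resetting `$@` to undef on success, which is not visible in this patch and should be confirmed against pve-cluster.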
diff --git a/debian/control b/debian/control
index 4247b1f..3d43a39 100644
--- a/debian/control
+++ b/debian/control
@@ -27,6 +27,7 @@ Depends: libauthen-pam-perl,
libpve-common-perl (>= 6.0-6),
libpve-cluster-perl,
libpve-u2f-server-perl (>= 1.0-2),
+ libuuid-perl,
perl (>= 5.6.0-16),
pve-cluster (>= 5.0-35),
${misc:Depends},
--
2.20.1