[pve-devel] [PATCH access-control 07/10] support registering yubico otp keys

[Wolfgang Bumiller]

In PBS we don't support this, so the current TFA API in rust
does not support this either (although the config does know
about its *existence*).

For now, yubico authentication will be done in perl. Adding
it to rust the rust TFA crate would not make much sense
anyway as we'd likely not want to use the same http client
crate in pve and pbs anyway (since pve is all blocking code
and pbs is async...)

Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
---
 src/PVE/API2/TFA.pm      | 34 +++++++++++++++++++++++++++++++---
 src/PVE/AccessControl.pm | 15 ++++++++++-----
 2 files changed, 41 insertions(+), 8 deletions(-)

diff --git a/src/PVE/API2/TFA.pm b/src/PVE/API2/TFA.pm
index 1888699..2fbc7a8 100644
--- a/src/PVE/API2/TFA.pm
+++ b/src/PVE/API2/TFA.pm
@@ -395,9 +395,15 @@ __PACKAGE__->register_method ({
 
 	my $rpcenv = PVE::RPCEnvironment::get();
 	my $authuser = $rpcenv->get_user();
-	my $userid =
+	my ($userid, $realm) =
 	    root_permission_check($rpcenv, $authuser, $param->{userid}, $param->{password});
 
+	my $type = delete $param->{type};
+	my $value = delete $param->{value};
+	if ($type eq 'yubico') {
+	    $value = validate_yubico_otp($userid, $realm, $value);
+	}
+
 	return PVE::AccessControl::lock_tfa_config(sub {
 	    my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
 	    PVE::AccessControl::configure_u2f_and_wa($tfa_cfg);
@@ -406,9 +412,9 @@ __PACKAGE__->register_method ({
 		$userid,
 		$param->{description},
 		$param->{totp},
-		$param->{value},
+		$value,
 		$param->{challenge},
-		$param->{type},
+		$type,
 	    );
 
 	    cfs_write_file('priv/tfa.cfg', $tfa_cfg);
@@ -417,6 +423,28 @@ __PACKAGE__->register_method ({
 	});
     }});
 
+sub validate_yubico_otp : prototype($$) {
+    my ($userid, $realm, $value) = @_;
+
+    my $domain_cfg = cfs_read_file('domains.cfg');
+    my $realm_cfg = $domain_cfg->{ids}->{$realm};
+    die "auth domain '$realm' does not exist\n" if !$realm_cfg;
+
+    my $realm_tfa = $realm_cfg->{tfa};
+    die "no yubico otp configuration available for realm $realm\n"
+	if !$realm_tfa;
+
+    $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_tfa);
+    die "realm is not setup for Yubico OTP\n"
+	if !$realm_tfa || $realm_tfa->{type} ne 'yubico';
+
+    my $public_key = substr($value, 0, 12);
+
+    PVE::AccessControl::authenticate_yubico_do($value, $public_key, $realm_tfa);
+
+    return $public_key;
+}
+
 __PACKAGE__->register_method ({
     name => 'update_tfa_entry',
     path => '{userid}/{id}',
diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index fd80368..cd46507 100644
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -806,16 +806,21 @@ sub authenticate_yubico_new : prototype($$$) {
     my $keys = $tfa_cfg->get_yubico_keys($username);
     die "no keys configured\n" if !defined($keys) || !length($keys);
 
-    # Defer to after unlocking the TFA config:
-
-    # fixme: proxy support?
-    my $proxy;
-    PVE::OTP::yubico_verify_otp($otp, $keys, $realm->{url}, $realm->{id}, $realm->{key}, $proxy);
+    authenticate_yubico_do($otp, $keys, $realm);
 
     # return `undef` to clear the tfa challenge.
     return undef;
 }
 
+sub authenticate_yubico_do : prototype($$$) {
+    my ($value, $keys, $realm) = @_;
+
+    # fixme: proxy support?
+    my $proxy = undef;
+
+    PVE::OTP::yubico_verify_otp($value, $keys, $realm->{url}, $realm->{id}, $realm->{key}, $proxy);
+}
+
 sub configure_u2f_and_wa : prototype($) {
     my ($tfa_cfg) = @_;
 
-- 
2.30.2