2021-01-22 14:53:51 +00:00
|
|
|
//! Two Factor Authentication
|
|
|
|
|
2021-11-16 14:03:26 +00:00
|
|
|
use anyhow::Error;
|
2020-11-16 13:37:22 +00:00
|
|
|
|
2021-11-16 14:03:26 +00:00
|
|
|
use proxmox_router::{http_bail, http_err, Permission, Router, RpcEnvironment};
|
2021-10-08 09:19:37 +00:00
|
|
|
use proxmox_schema::api;
|
2021-11-16 14:03:26 +00:00
|
|
|
use proxmox_tfa::api::methods;
|
2021-09-09 08:32:44 +00:00
|
|
|
|
2021-11-16 14:03:26 +00:00
|
|
|
use pbs_api_types::{
|
|
|
|
Authid, User, Userid, PASSWORD_SCHEMA, PRIV_PERMISSIONS_MODIFY, PRIV_SYS_AUDIT,
|
|
|
|
};
|
2021-09-10 04:53:53 +00:00
|
|
|
use pbs_config::CachedUserInfo;
|
2021-11-16 14:03:26 +00:00
|
|
|
|
|
|
|
use crate::config::tfa::UserAccess;
|
2020-11-16 13:37:22 +00:00
|
|
|
|
|
|
|
/// Perform first-factor (password) authentication only. Ignore password for the root user.
|
|
|
|
/// Otherwise check the current user's password.
|
|
|
|
///
|
|
|
|
/// This means that user admins need to type in their own password while editing a user, and
|
|
|
|
/// regular users, which can only change their own TFA settings (checked at the API level), can
|
|
|
|
/// change their own settings using their own password.
|
|
|
|
fn tfa_update_auth(
|
|
|
|
rpcenv: &mut dyn RpcEnvironment,
|
|
|
|
userid: &Userid,
|
|
|
|
password: Option<String>,
|
2020-12-18 13:09:47 +00:00
|
|
|
must_exist: bool,
|
2020-11-16 13:37:22 +00:00
|
|
|
) -> Result<(), Error> {
|
|
|
|
let authid: Authid = rpcenv.get_auth_id().unwrap().parse()?;
|
|
|
|
|
|
|
|
if authid.user() != Userid::root_userid() {
|
2021-01-08 09:30:11 +00:00
|
|
|
let password = password.ok_or_else(|| http_err!(UNAUTHORIZED, "missing password"))?;
|
|
|
|
let _: () = crate::auth::authenticate_user(authid.user(), &password)
|
|
|
|
.map_err(|err| http_err!(UNAUTHORIZED, "{}", err))?;
|
2020-11-16 13:37:22 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// After authentication, verify that the to-be-modified user actually exists:
|
2020-12-18 13:09:47 +00:00
|
|
|
if must_exist && authid.user() != userid {
|
2021-09-10 04:53:53 +00:00
|
|
|
let (config, _digest) = pbs_config::user::config()?;
|
2020-11-16 13:37:22 +00:00
|
|
|
|
2021-11-16 14:03:26 +00:00
|
|
|
if config.lookup::<User>("user", userid.as_str()).is_err() {
|
2021-01-08 09:30:11 +00:00
|
|
|
http_bail!(UNAUTHORIZED, "user '{}' does not exists.", userid);
|
2020-11-16 13:37:22 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
|
|
|
|
#[api(
|
|
|
|
protected: true,
|
|
|
|
input: {
|
|
|
|
properties: { userid: { type: Userid } },
|
|
|
|
},
|
|
|
|
access: {
|
|
|
|
permission: &Permission::Or(&[
|
|
|
|
&Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
|
|
|
|
&Permission::UserParam("userid"),
|
|
|
|
]),
|
|
|
|
},
|
|
|
|
)]
|
|
|
|
/// Add a TOTP secret to the user.
|
2021-11-16 14:03:26 +00:00
|
|
|
fn list_user_tfa(userid: Userid) -> Result<Vec<methods::TypedTfaInfo>, Error> {
|
2020-11-16 13:37:22 +00:00
|
|
|
let _lock = crate::config::tfa::read_lock()?;
|
|
|
|
|
2021-11-16 14:03:26 +00:00
|
|
|
methods::list_user_tfa(&crate::config::tfa::read()?, userid.as_str())
|
2020-11-16 13:37:22 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
#[api(
|
|
|
|
protected: true,
|
|
|
|
input: {
|
|
|
|
properties: {
|
|
|
|
userid: { type: Userid },
|
|
|
|
id: { description: "the tfa entry id" }
|
|
|
|
},
|
|
|
|
},
|
|
|
|
access: {
|
|
|
|
permission: &Permission::Or(&[
|
|
|
|
&Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
|
|
|
|
&Permission::UserParam("userid"),
|
|
|
|
]),
|
|
|
|
},
|
|
|
|
)]
|
|
|
|
/// Get a single TFA entry.
|
2021-11-16 14:03:26 +00:00
|
|
|
fn get_tfa_entry(userid: Userid, id: String) -> Result<methods::TypedTfaInfo, Error> {
|
2020-11-16 13:37:22 +00:00
|
|
|
let _lock = crate::config::tfa::read_lock()?;
|
|
|
|
|
2021-11-16 14:03:26 +00:00
|
|
|
match methods::get_tfa_entry(&crate::config::tfa::read()?, userid.as_str(), &id) {
|
|
|
|
Some(entry) => Ok(entry),
|
|
|
|
None => http_bail!(NOT_FOUND, "no such tfa entry: {}/{}", userid, id),
|
2020-11-16 13:37:22 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
#[api(
|
|
|
|
protected: true,
|
|
|
|
input: {
|
|
|
|
properties: {
|
|
|
|
userid: { type: Userid },
|
|
|
|
id: {
|
|
|
|
description: "the tfa entry id",
|
|
|
|
},
|
|
|
|
password: {
|
|
|
|
schema: PASSWORD_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
access: {
|
|
|
|
permission: &Permission::Or(&[
|
|
|
|
&Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
|
|
|
|
&Permission::UserParam("userid"),
|
|
|
|
]),
|
|
|
|
},
|
|
|
|
)]
|
2021-02-22 11:10:34 +00:00
|
|
|
/// Delete a single TFA entry.
|
2020-12-18 12:59:35 +00:00
|
|
|
fn delete_tfa(
|
2020-11-16 13:37:22 +00:00
|
|
|
userid: Userid,
|
|
|
|
id: String,
|
|
|
|
password: Option<String>,
|
|
|
|
rpcenv: &mut dyn RpcEnvironment,
|
|
|
|
) -> Result<(), Error> {
|
2020-12-18 13:09:47 +00:00
|
|
|
tfa_update_auth(rpcenv, &userid, password, false)?;
|
2020-11-16 13:37:22 +00:00
|
|
|
|
|
|
|
let _lock = crate::config::tfa::write_lock()?;
|
|
|
|
|
|
|
|
let mut data = crate::config::tfa::read()?;
|
|
|
|
|
2021-11-16 14:03:26 +00:00
|
|
|
match methods::delete_tfa(&mut data, userid.as_str(), &id) {
|
|
|
|
Ok(_) => (),
|
|
|
|
Err(methods::EntryNotFound) => {
|
|
|
|
http_bail!(NOT_FOUND, "no such tfa entry: {}/{}", userid, id)
|
|
|
|
}
|
2020-11-16 13:37:22 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
crate::config::tfa::write(&data)?;
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
|
|
|
|
#[api(
|
|
|
|
protected: true,
|
|
|
|
input: {
|
|
|
|
properties: {},
|
|
|
|
},
|
|
|
|
access: {
|
|
|
|
permission: &Permission::Anybody,
|
|
|
|
description: "Returns all or just the logged-in user, depending on privileges.",
|
|
|
|
},
|
2020-12-18 12:59:35 +00:00
|
|
|
returns: {
|
|
|
|
description: "The list tuples of user and TFA entries.",
|
|
|
|
type: Array,
|
2021-11-16 14:03:26 +00:00
|
|
|
items: { type: methods::TfaUser }
|
2020-12-18 12:59:35 +00:00
|
|
|
},
|
2020-11-16 13:37:22 +00:00
|
|
|
)]
|
|
|
|
/// List user TFA configuration.
|
2021-11-16 14:03:26 +00:00
|
|
|
fn list_tfa(rpcenv: &mut dyn RpcEnvironment) -> Result<Vec<methods::TfaUser>, Error> {
|
2020-11-16 13:37:22 +00:00
|
|
|
let authid: Authid = rpcenv.get_auth_id().unwrap().parse()?;
|
|
|
|
let user_info = CachedUserInfo::new()?;
|
|
|
|
|
|
|
|
let top_level_privs = user_info.lookup_privs(&authid, &["access", "users"]);
|
|
|
|
let top_level_allowed = (top_level_privs & PRIV_SYS_AUDIT) != 0;
|
|
|
|
|
|
|
|
let _lock = crate::config::tfa::read_lock()?;
|
2021-11-16 14:03:26 +00:00
|
|
|
let tfa_data = crate::config::tfa::read()?;
|
|
|
|
methods::list_tfa(&tfa_data, authid.user().as_str(), top_level_allowed)
|
2020-11-16 13:37:22 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
#[api(
|
|
|
|
protected: true,
|
|
|
|
input: {
|
|
|
|
properties: {
|
|
|
|
userid: { type: Userid },
|
|
|
|
description: {
|
|
|
|
description: "A description to distinguish multiple entries from one another",
|
|
|
|
type: String,
|
|
|
|
max_length: 255,
|
|
|
|
optional: true,
|
|
|
|
},
|
2021-11-16 14:03:26 +00:00
|
|
|
"type": { type: methods::TfaType },
|
2020-11-16 13:37:22 +00:00
|
|
|
totp: {
|
|
|
|
description: "A totp URI.",
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
value: {
|
|
|
|
description:
|
|
|
|
"The current value for the provided totp URI, or a Webauthn/U2F challenge response",
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
challenge: {
|
|
|
|
description: "When responding to a u2f challenge: the original challenge string",
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
password: {
|
|
|
|
schema: PASSWORD_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
2021-11-16 14:03:26 +00:00
|
|
|
returns: { type: methods::TfaUpdateInfo },
|
2020-11-16 13:37:22 +00:00
|
|
|
access: {
|
|
|
|
permission: &Permission::Or(&[
|
|
|
|
&Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
|
|
|
|
&Permission::UserParam("userid"),
|
|
|
|
]),
|
|
|
|
},
|
|
|
|
)]
|
|
|
|
/// Add a TFA entry to the user.
|
2021-01-25 13:42:59 +00:00
|
|
|
#[allow(clippy::too_many_arguments)]
|
2020-11-16 13:37:22 +00:00
|
|
|
fn add_tfa_entry(
|
|
|
|
userid: Userid,
|
|
|
|
description: Option<String>,
|
|
|
|
totp: Option<String>,
|
|
|
|
value: Option<String>,
|
|
|
|
challenge: Option<String>,
|
|
|
|
password: Option<String>,
|
2021-11-16 14:03:26 +00:00
|
|
|
r#type: methods::TfaType,
|
2020-11-16 13:37:22 +00:00
|
|
|
rpcenv: &mut dyn RpcEnvironment,
|
2021-11-16 14:03:26 +00:00
|
|
|
) -> Result<methods::TfaUpdateInfo, Error> {
|
2020-12-18 13:09:47 +00:00
|
|
|
tfa_update_auth(rpcenv, &userid, password, true)?;
|
2020-11-16 13:37:22 +00:00
|
|
|
|
2021-11-16 14:03:26 +00:00
|
|
|
let _lock = crate::config::tfa::write_lock()?;
|
2020-11-16 13:37:22 +00:00
|
|
|
|
2021-11-16 14:03:26 +00:00
|
|
|
let mut data = crate::config::tfa::read()?;
|
|
|
|
let out = methods::add_tfa_entry(
|
|
|
|
&mut data,
|
|
|
|
UserAccess,
|
|
|
|
userid.as_str(),
|
|
|
|
description,
|
|
|
|
totp,
|
|
|
|
value,
|
|
|
|
challenge,
|
|
|
|
r#type,
|
|
|
|
)?;
|
|
|
|
crate::config::tfa::write(&data)?;
|
|
|
|
Ok(out)
|
2020-11-16 13:37:22 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
#[api(
|
|
|
|
protected: true,
|
|
|
|
input: {
|
|
|
|
properties: {
|
|
|
|
userid: { type: Userid },
|
|
|
|
id: {
|
|
|
|
description: "the tfa entry id",
|
|
|
|
},
|
|
|
|
description: {
|
|
|
|
description: "A description to distinguish multiple entries from one another",
|
|
|
|
type: String,
|
|
|
|
max_length: 255,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
enable: {
|
|
|
|
description: "Whether this entry should currently be enabled or disabled",
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
password: {
|
|
|
|
schema: PASSWORD_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
access: {
|
|
|
|
permission: &Permission::Or(&[
|
|
|
|
&Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
|
|
|
|
&Permission::UserParam("userid"),
|
|
|
|
]),
|
|
|
|
},
|
|
|
|
)]
|
|
|
|
/// Update user's TFA entry description.
|
2020-12-18 12:59:35 +00:00
|
|
|
fn update_tfa_entry(
|
2020-11-16 13:37:22 +00:00
|
|
|
userid: Userid,
|
|
|
|
id: String,
|
|
|
|
description: Option<String>,
|
|
|
|
enable: Option<bool>,
|
|
|
|
password: Option<String>,
|
|
|
|
rpcenv: &mut dyn RpcEnvironment,
|
|
|
|
) -> Result<(), Error> {
|
2020-12-18 13:09:47 +00:00
|
|
|
tfa_update_auth(rpcenv, &userid, password, true)?;
|
2020-11-16 13:37:22 +00:00
|
|
|
|
|
|
|
let _lock = crate::config::tfa::write_lock()?;
|
|
|
|
|
|
|
|
let mut data = crate::config::tfa::read()?;
|
2021-11-16 14:03:26 +00:00
|
|
|
match methods::update_tfa_entry(&mut data, userid.as_str(), &id, description, enable) {
|
|
|
|
Ok(()) => (),
|
|
|
|
Err(methods::EntryNotFound) => http_bail!(NOT_FOUND, "no such entry: {}/{}", userid, id),
|
2020-11-16 13:37:22 +00:00
|
|
|
}
|
|
|
|
crate::config::tfa::write(&data)?;
|
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
|
|
|
|
pub const ROUTER: Router = Router::new()
|
|
|
|
.get(&API_METHOD_LIST_TFA)
|
|
|
|
.match_all("userid", &USER_ROUTER);
|
|
|
|
|
|
|
|
const USER_ROUTER: Router = Router::new()
|
|
|
|
.get(&API_METHOD_LIST_USER_TFA)
|
|
|
|
.post(&API_METHOD_ADD_TFA_ENTRY)
|
|
|
|
.match_all("id", &ITEM_ROUTER);
|
|
|
|
|
|
|
|
const ITEM_ROUTER: Router = Router::new()
|
2020-12-14 13:27:26 +00:00
|
|
|
.get(&API_METHOD_GET_TFA_ENTRY)
|
2020-11-16 13:37:22 +00:00
|
|
|
.put(&API_METHOD_UPDATE_TFA_ENTRY)
|
|
|
|
.delete(&API_METHOD_DELETE_TFA);
|