Re: [pve-devel] [PATCH common] add u2f challenge accessors to RESTEnvironment

2018-05-24 Thread Thomas Lamprecht
On 5/24/18 3:28 PM, Wolfgang Bumiller wrote:
> Signed-off-by: Wolfgang Bumiller 
> ---
>  src/PVE/RESTEnvironment.pm | 14 ++
>  1 file changed, 14 insertions(+)
> 
> diff --git a/src/PVE/RESTEnvironment.pm b/src/PVE/RESTEnvironment.pm
> index 32ffdd1..9c966dd 100644
> --- a/src/PVE/RESTEnvironment.pm
> +++ b/src/PVE/RESTEnvironment.pm
> @@ -217,6 +217,20 @@ sub get_user {
>  die "user name not set\n";
>  }
>  
> +sub set_u2f_challenge {
> +my ($self, $challenge) = @_;
> +
> +$self->{u2f_challenge} = $challenge;
> +}
> +
> +sub get_u2f_challenge {
> +my ($self, $noerr) = @_;
> +
> +return $self->{u2f_challenge} if defined($self->{u2f_challenge}) || 
> $noerr;
> +
> +die "user active challenge\n";

Is a "no" missing here at the start of the error message?
Else I'm confused ^^

> +}
> +
>  sub is_worker {
>  my ($class) = @_;
>  
> 


___
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


Re: [pve-devel] [RFC/Draft] U2F Authentication

2018-05-24 Thread Alexandre DERUMIER
Does it work with fido2/webauthn too?

https://www.w3.org/2018/04/pressrelease-webauthn-fido2.html.en

- Mail original -
De: "Wolfgang Bumiller" 
À: "pve-devel" 
Envoyé: Jeudi 24 Mai 2018 15:28:45
Objet: [pve-devel] [RFC/Draft] U2F Authentication




Re: [pve-devel] [PATCH V2 ifupdown2 0/2] ifupdown2 package

2018-05-24 Thread Alexandre DERUMIER
>>I'll prepare packages for internal testing soon, then we should be
>>able to give more feedback :-)

Thanks Wolfgang!



Re: [pve-devel] [PATCH V2 ifupdown2 0/2] ifupdown2 package

2018-05-24 Thread Wolfgang Bumiller
On Wed, May 23, 2018 at 12:03:26PM +0200, Alexandre DERUMIER wrote:
> any comment ?

I'll prepare packages for internal testing soon, then we should be
able to give more feedback :-)

> - Mail original - 
> De: "Alexandre Derumier"  
> À: "pve-devel"  
> Cc: "Alexandre Derumier"  
> Envoyé: Jeudi 17 Mai 2018 12:25:08 
> Objet: [PATCH V2 ifupdown2 0/2] ifupdown2 package 
> 
> Changelog v2: 
> - use submodule for ifupdown2 src 
> - split proxmox/extra patches 
> - add description in 0004-add-dummy-mtu-bridgevlanport-modules.patch 
> - add a note in this cover letter about systemd-networkd and ipv6 madness 
> 
> Hi, 
> 
> These last months I've been working on a vxlan implementation. (I'll send info in
> the coming weeks)
> 
> I have worked on classic ifupdown, but it's not super clean to implement
> when we have complex configurations.
> 
> ifupdown2 has been well maintained by cumulus since 2014, and supports all
> features from the latest kernels
> (vxlan (unicast, multicast, frr, arp suppression, vrf, vlan-aware bridge,
> vlan attributes on interfaces, ...)
> and is compatible with classic ifupdown syntax.
> 
> 
> This package is based on the cumulus branch
> https://github.com/CumulusNetworks/ifupdown2/tree/cl3u18
> as the master/debian branch is old and doesn't have all features
> (cumulus is planning to rebase it in the coming months)
> 
> For now, it could be great to simply propose ifupdown2 as an alternative to
> proxmox users,
> and maybe in 1 or 2 years, if it's working great, make it the default for
> proxmox6?
> 
> Some advantages vs classic ifupdown: 
> 
> -we can reload the configuration! (ifreload -a, or systemctl reload networking).
> ifupdown2 maintains dependency graphs between interfaces.
> 
> (Note that as we don't define tap/veth interfaces in /etc/network/interfaces,
> they are not bridged anymore if you do ifdown/ifup vmbr0,
> but it doesn't remove them on ifreload vmbr0)
> 
> -we can define ipv4/ipv6 in the same interface
> (no more need for iface inet6 static, iface inet static, or iface inet manual,
> but the old iface inet syntax is still supported)
> 
> auto eth0 
> iface eth0 
> address 192.168.0.1 
> address 2001:db8::1:1/64 
> address 2001:db8::2:2/64 
> 
> or multiple ip on loopback 
> 
> auto lo 
> iface lo inet loopback 
> address 10.3.3.3/32 
> address 10:3:3::3/128 
> -classic pre-up scripts still work (if users have custom config)
> 
> - for ovs I just needed to make a small workaround in the ovs ifupdown
> script (see my ovs patch),
> and a small config change (replace allow-ovs by auto).
> Currently, I don't do that in the ifupdown2 post-install script.
> 
> -templating support: example: creating vxlan interfaces from 
> vxlan30->vxlan100 
> 
> auto all 
> %for v in range(30,100): 
> 
> auto vxlan${v} 
> iface vxlan${v} 
> vxlan-id ${v} 
> vxlan-local-tunnelip 10.59.100.231 
> bridge-learning off 
> bridge-arp-nd-suppress on 
> bridge-unicast-flood off 
> bridge-multicast-flood off 
> bridge-access ${v} 
> %endfor 
> 
> some documentation here: 
> https://support.cumulusnetworks.com/hc/en-us/articles/202933638-Comparing-ifupdown2-Commands-with-ifupdown-Commands
>  
> 
> 
> About systemd-networkd: 
> - Currently it can't reload configuration 
> https://github.com/systemd/systemd/issues/6654 
> - unicast vxlan is not supported
> https://github.com/systemd/systemd/issues/5145 
> - I think we don't have to maintain a systemd package if we need to extend it 
> - new features seem to take years to come 
> - IPV6: systemd-networkd reimplements kernel features (ipv6 RA, ...) with tons
> of bugs (some not yet fixed)
> http://ipv6-net.blogspot.fr/2016/11/ipv6-systemd-another-look.html 
> http://ipv6-net.blogspot.fr/2016/04/systemd-oh-you-wanted-to-run-ipv6.html 
> https://github.com/systemd/systemd/issues/8906 
> 
> 
> Alexandre Derumier (2): 
> add debian dir 
> add ifupdown2 submodule 
> 
> .gitmodules | 3 + 
> debian/changelog | 174 + 
> debian/compat | 1 + 
> debian/control | 31  
> debian/copyright | 28  
> ...0001-start-networking-add-usr-bin-in-PATH.patch | 28  
> ...ns-scripts-fix-ENV-for-interfaces-options.patch | 29  
> ...3-netlink-IFLA_BRPORT_ARP_SUPPRESS-use-32.patch | 31  
> .../extra/0004-add-vxlan-physdev-support.patch | 159 +++ 
> debian/patches/pve/0001-config-tuning.patch | 52 ++ 
> .../pve/0002-manual-interfaces-set-link-up.patch | 58 +++ 
> ...e-tap-veth-fwpr-interfaces-from-bridge-on.patch | 27  
> ...0004-add-dummy-mtu-bridgevlanport-modules.patch | 74 + 
> debian/patches/series | 8 + 
> debian/rules | 21 +++ 
> ifupdown2 | 1 + 
> 16 files changed, 725 insertions(+) 
> create mode 100644 .gitmodules 
> create mode 100644 debian/changelog 
> create mode 100644 debian/compat 
> create mode 100644 debian/control 
> create mode 100644 debian/copyright 
> create mode 100644 
> 

[pve-devel] [PATCH manager 3/3] ui: support u2f authentication

2018-05-24 Thread Wolfgang Bumiller
Signed-off-by: Wolfgang Bumiller 
---
 www/index.html.tpl |   1 +
 www/manager6/Makefile  |   1 +
 www/manager6/Workspace.js  |   6 +-
 www/manager6/dc/U2FEdit.js | 145 +
 www/manager6/dc/UserView.js|  15 +++-
 www/manager6/window/LoginWindow.js | 121 ---
 6 files changed, 257 insertions(+), 32 deletions(-)
 create mode 100644 www/manager6/dc/U2FEdit.js

diff --git a/www/index.html.tpl b/www/index.html.tpl
index a972e3aa..eca75a6f 100644
--- a/www/index.html.tpl
+++ b/www/index.html.tpl
@@ -22,6 +22,7 @@
 [%- ELSE %]
 
 
+
 [% END %]
 

[pve-devel] [PATCH manager 1/3] store u2f challenges in the rpc environment

2018-05-24 Thread Wolfgang Bumiller
Signed-off-by: Wolfgang Bumiller 
---
 PVE/HTTPServer.pm | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm
index 9a02e799..a3174fbd 100755
--- a/PVE/HTTPServer.pm
+++ b/PVE/HTTPServer.pm
@@ -80,7 +80,13 @@ sub auth_handler {
 
die "No ticket\n" if !$ticket;
 
-   ($username, $age) = PVE::AccessControl::verify_ticket($ticket);
+   ($username, $age, my $challenge) = 
PVE::AccessControl::verify_ticket($ticket);
+
+   if (defined($challenge)) {
+   $rpcenv->set_u2f_challenge($challenge);
+   die "No ticket2\n"
+   if ($rel_uri ne '/access/u2f' || $method ne 'POST');
+   }
 
$rpcenv->set_user($username);
 
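Review bot: the die "No ticket2\n" raised when a challenge-bearing ticket is used outside POST /access/u2f is indistinguishable, in the access log and in client error handling, from a request with no ticket at all; a distinct message such as "u2f challenge pending\n" would make a half-authenticated session probing other endpoints visible in the logs. The ordering is right in that the die happens before $rpcenv->set_user($username), so no user is attached to a request that fails the gate.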
-- 
2.11.0




[pve-devel] [PATCH manager 2/3] add u2f-api.js

2018-05-24 Thread Wolfgang Bumiller
Signed-off-by: Wolfgang Bumiller 
---
 www/Makefile   |   3 +-
 www/u2f-api.js | 748 +
 2 files changed, 750 insertions(+), 1 deletion(-)
 create mode 100644 www/u2f-api.js

diff --git a/www/Makefile b/www/Makefile
index 30becf3a..eaee5ea5 100644
--- a/www/Makefile
+++ b/www/Makefile
@@ -10,4 +10,5 @@ all: ${SUBDIRS} index.html.tpl
 install:
set -e && for i in ${SUBDIRS}; do ${MAKE} -C $$i $@; done
install -m 0644 index.html.tpl ${WWWBASEDIR}
-
+   install -d ${WWWJSDIR}
+   install -m 0644 u2f-api.js ${WWWJSDIR}
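Review bot: ${WWWJSDIR} is not defined anywhere in the visible part of www/Makefile (only ${WWWBASEDIR} is used by the existing install line); please show where WWWJSDIR is set, or define it next to WWWBASEDIR, so that `install -d ${WWWJSDIR}` cannot expand to an empty path and create a directory relative to the build tree.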
diff --git a/www/u2f-api.js b/www/u2f-api.js
new file mode 100644
index ..9244d14e
--- /dev/null
+++ b/www/u2f-api.js
@@ -0,0 +1,748 @@
+//Copyright 2014-2015 Google Inc. All rights reserved.
+
+//Use of this source code is governed by a BSD-style
+//license that can be found in the LICENSE file or at
+//https://developers.google.com/open-source/licenses/bsd
+
+/**
+ * @fileoverview The U2F api.
+ */
+'use strict';
+
+
+/**
+ * Namespace for the U2F api.
+ * @type {Object}
+ */
+var u2f = u2f || {};
+
+/**
+ * FIDO U2F Javascript API Version
+ * @number
+ */
+var js_api_version;
+
+/**
+ * The U2F extension id
+ * @const {string}
+ */
+// The Chrome packaged app extension ID.
+// Uncomment this if you want to deploy a server instance that uses
+// the package Chrome app and does not require installing the U2F Chrome 
extension.
+ u2f.EXTENSION_ID = 'kmendfapggjehodndflmmgagdbamhnfd';
+// The U2F Chrome extension ID.
+// Uncomment this if you want to deploy a server instance that uses
+// the U2F Chrome extension to authenticate.
+// u2f.EXTENSION_ID = 'pfboblefjcgdjicmnffhdgionmgcdmne';
+
+
+/**
+ * Message types for messsages to/from the extension
+ * @const
+ * @enum {string}
+ */
+u2f.MessageTypes = {
+'U2F_REGISTER_REQUEST': 'u2f_register_request',
+'U2F_REGISTER_RESPONSE': 'u2f_register_response',
+'U2F_SIGN_REQUEST': 'u2f_sign_request',
+'U2F_SIGN_RESPONSE': 'u2f_sign_response',
+'U2F_GET_API_VERSION_REQUEST': 'u2f_get_api_version_request',
+'U2F_GET_API_VERSION_RESPONSE': 'u2f_get_api_version_response'
+};
+
+
+/**
+ * Response status codes
+ * @const
+ * @enum {number}
+ */
+u2f.ErrorCodes = {
+'OK': 0,
+'OTHER_ERROR': 1,
+'BAD_REQUEST': 2,
+'CONFIGURATION_UNSUPPORTED': 3,
+'DEVICE_INELIGIBLE': 4,
+'TIMEOUT': 5
+};
+
+
+/**
+ * A message for registration requests
+ * @typedef {{
+ *   type: u2f.MessageTypes,
+ *   appId: ?string,
+ *   timeoutSeconds: ?number,
+ *   requestId: ?number
+ * }}
+ */
+u2f.U2fRequest;
+
+
+/**
+ * A message for registration responses
+ * @typedef {{
+ *   type: u2f.MessageTypes,
+ *   responseData: (u2f.Error | u2f.RegisterResponse | u2f.SignResponse),
+ *   requestId: ?number
+ * }}
+ */
+u2f.U2fResponse;
+
+
+/**
+ * An error object for responses
+ * @typedef {{
+ *   errorCode: u2f.ErrorCodes,
+ *   errorMessage: ?string
+ * }}
+ */
+u2f.Error;
+
+/**
+ * Data object for a single sign request.
+ * @typedef {enum {BLUETOOTH_RADIO, BLUETOOTH_LOW_ENERGY, USB, NFC}}
+ */
+u2f.Transport;
+
+
+/**
+ * Data object for a single sign request.
+ * @typedef {Array}
+ */
+u2f.Transports;
+
+/**
+ * Data object for a single sign request.
+ * @typedef {{
+ *   version: string,
+ *   challenge: string,
+ *   keyHandle: string,
+ *   appId: string
+ * }}
+ */
+u2f.SignRequest;
+
+
+/**
+ * Data object for a sign response.
+ * @typedef {{
+ *   keyHandle: string,
+ *   signatureData: string,
+ *   clientData: string
+ * }}
+ */
+u2f.SignResponse;
+
+
+/**
+ * Data object for a registration request.
+ * @typedef {{
+ *   version: string,
+ *   challenge: string
+ * }}
+ */
+u2f.RegisterRequest;
+
+
+/**
+ * Data object for a registration response.
+ * @typedef {{
+ *   version: string,
+ *   keyHandle: string,
+ *   transports: Transports,
+ *   appId: string
+ * }}
+ */
+u2f.RegisterResponse;
+
+
+/**
+ * Data object for a registered key.
+ * @typedef {{
+ *   version: string,
+ *   keyHandle: string,
+ *   transports: ?Transports,
+ *   appId: ?string
+ * }}
+ */
+u2f.RegisteredKey;
+
+
+/**
+ * Data object for a get API register response.
+ * @typedef {{
+ *   js_api_version: number
+ * }}
+ */
+u2f.GetJsApiVersionResponse;
+
+
+//Low level MessagePort API support
+
+/**
+ * Sets up a MessagePort to the U2F extension using the
+ * available mechanisms.
+ * @param {function((MessagePort|u2f.WrappedChromeRuntimePort_))} callback
+ */
+u2f.getMessagePort = function(callback) {
+  if (typeof chrome != 'undefined' && chrome.runtime) {
+// The actual message here does not matter, but we need to get a reply
+// for the callback to run. Thus, send an empty signature request
+// in order to get a failure response.
+var msg = {
+type: u2f.MessageTypes.U2F_SIGN_REQUEST,
+signRequests: []
+};
+chrome.runtime.sendMessage(u2f.EXTENSION_ID, msg, function() {
+  if 
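Review bot: for a vendored third-party file the commit message should record the upstream source and the version or commit these 748 lines were taken from, and debian/copyright should carry the BSD notice from the top of the file; that is what allows a later upstream fix to u2f-api.js to be tracked and applied. Note also that the file ships with the packaged-app line `u2f.EXTENSION_ID = 'kmendfapggjehodndflmmgagdbamhnfd';` active and the extension ID commented out, as the comment above it describes; if that is the intended deployment, say so in the commit message.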

[pve-devel] [RFC/Draft] U2F Authentication

2018-05-24 Thread Wolfgang Bumiller
This is an attempt at adding U2F authentication. This is a little
different than our current 2FA variant, since it requires the user to be
able to interactively add/update/delete the U2F key, and also (mostly)
requires the login to happen in two phases which required some changes
to our ticket system: In addition to regular tickets there's now a
special u2f ticket syntax which, after the initial login and before the
verification happened, contains the challenge the client has to
recognize and deal with by sending it off to the u2f device.

Notes:
  * Currently this adds libu2f-server bindings to pve-access-control
(via xs), which therefore now depends on that library. We can add
this as a "suggested" or "recommended" package, and/or split the
bindings into a libpve-u2f-perl package or something...

  * Since we need to store the key somewhere, this is currently working
for the PVE realm for the testing phase. We can either leave it up
to the authentication plugin to store the data (eg. ldap could maybe
store it on the ldap server?) or just decide on sticking it all
somewhere in /etc/priv and keep it plugin independent. (That's
probably a simpler approach anyway)

  * UI and JS part probably need some polishing by people who're more
enthusiastic about javascript ;-)

To test:
  * Setup working certificates (needs to be green in your browser)
  * Configure the u2f appid and origin (we might be able to do that
automatically - especially now with the additional certificate
helpers from the let's encrypt part we should be able to figure out
a default domain/url that way...
datacenter.cfg example:

u2f: appid=https://awesomecluster.foo.bar:8006,origin=https://awesomecluster.foo.bar:8006

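The two-phase login the RFC describes and the endpoint gate the "store u2f challenges in the rpc environment" patch adds, modelled as an added Python example (it is not PVE's Perl code): tickets are HMAC-signed stand-ins for PVE's RSA-signed ones, the short challenge-ticket lifetime and the 'cap' contents are assumptions, and the device signature check that libu2f-server performs is not modelled, only the binding of the response to the challenge carried in the ticket.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed signing key: real PVE tickets are RSA-signed with the cluster's
# authkey; an HMAC stand-in keeps this model self-contained and offline.
_SIGNING_KEY = b"constructed-example-key-do-not-reuse"
TICKET_LIFETIME = 2 * 60 * 60  # validity window of a regular ticket (seconds)
CHALLENGE_LIFETIME = 60        # assumption: half-authenticated u2f tickets get a much shorter window
CLOCK_SKEW = 300               # tolerated future timestamp (seconds)


def _sign(payload: str) -> str:
    mac = hmac.new(_SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def assemble_ticket(ticket_data: str, now: int) -> str:
    """Sign ticket_data, which is either 'user@realm' or 'u2f!user@realm!challenge'."""
    payload = f"PVE:{ticket_data}:{now:08X}"
    return f"{payload}::{_sign(payload)}"


def verify_ticket(ticket: str, now: int):
    """Return (username, age, challenge); challenge is None for a regular ticket.
    Mirrors the three-value return the HTTPServer patch destructures."""
    payload, sep, sig = ticket.partition("::")
    if not sep or not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        raise ValueError("invalid ticket signature")
    prefix, rest = payload.split(":", 1)
    ticket_data, hextime = rest.rsplit(":", 1)
    if prefix != "PVE":
        raise ValueError("invalid ticket prefix")
    age = now - int(hextime, 16)
    if age < -CLOCK_SKEW:
        raise ValueError("ticket timestamp is in the future")
    if ticket_data.startswith("u2f!"):
        # u2f!<username>!<challenge>: the challenge is signed into the ticket,
        # so the second phase can only answer the challenge this login was issued.
        _, username, challenge = ticket_data.split("!", 2)
        if age > CHALLENGE_LIFETIME:
            raise ValueError("u2f challenge expired")
        return username, age, challenge
    if age > TICKET_LIFETIME:
        raise ValueError("ticket expired")
    return ticket_data, age, None


def create_ticket(username: str, has_u2f_key: bool, now: int) -> dict:
    """Phase 1 (after the password check): a user with a registered key gets a
    challenge ticket and no 'cap'; everyone else gets a regular ticket."""
    if has_u2f_key:
        challenge = base64.urlsafe_b64encode(secrets.token_bytes(32)).decode().rstrip("=")
        return {"ticket": assemble_ticket(f"u2f!{username}!{challenge}", now),
                "username": username, "U2FChallenge": challenge}
    return {"ticket": assemble_ticket(username, now), "username": username,
            "cap": {"access": ["User.Modify"]}}  # constructed capability stand-in


def auth_handler(ticket: str, rel_uri: str, method: str, now: int):
    """Gate from the HTTPServer patch: a ticket that still carries a challenge
    may only reach POST /access/u2f; every other request is rejected."""
    username, _age, challenge = verify_ticket(ticket, now)
    if challenge is not None and (rel_uri != "/access/u2f" or method != "POST"):
        raise PermissionError("u2f challenge pending")
    return username, challenge


def complete_u2f_login(ticket: str, response_challenge: str, now: int) -> dict:
    """Phase 2: the device response must answer the challenge bound into the
    ticket; the signature check itself is libu2f-server's job and is not modelled."""
    username, challenge = auth_handler(ticket, "/access/u2f", "POST", now)
    if challenge is None or not hmac.compare_digest(challenge.encode(), response_challenge.encode()):
        raise PermissionError("response does not match the pending challenge")
    return create_ticket(username, has_u2f_key=False, now=now)
```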


[pve-devel] [PATCH access-control 2/2] Implement u2f authentication

2018-05-24 Thread Wolfgang Bumiller
Signed-off-by: Wolfgang Bumiller 
---
 PVE/API2/AccessControl.pm | 215 --
 PVE/AccessControl.pm  |  65 --
 PVE/Auth/AD.pm|   4 +-
 PVE/Auth/LDAP.pm  |   3 +-
 PVE/Auth/PAM.pm   |   3 +-
 PVE/Auth/PVE.pm   |  69 ---
 PVE/Auth/Plugin.pm|  16 
 7 files changed, 346 insertions(+), 29 deletions(-)

diff --git a/PVE/API2/AccessControl.pm b/PVE/API2/AccessControl.pm
index e48f0cb..f236651 100644
--- a/PVE/API2/AccessControl.pm
+++ b/PVE/API2/AccessControl.pm
@@ -3,6 +3,8 @@ package PVE::API2::AccessControl;
 use strict;
 use warnings;
 
+use JSON;
+
 use PVE::Exception qw(raise raise_perm_exc);
 use PVE::SafeSyslog;
 use PVE::RPCEnvironment;
@@ -16,6 +18,12 @@ use PVE::API2::Group;
 use PVE::API2::Role;
 use PVE::API2::ACL;
 
+my $u2f_available = 0;
+eval {
+require PVE::U2F;
+$u2f_available = 1;
+};
+
 use base qw(PVE::RESTHandler);
 
 __PACKAGE__->register_method ({
@@ -113,21 +121,33 @@ my $verify_auth = sub {
 my $create_ticket = sub {
 my ($rpcenv, $username, $pw_or_ticket, $otp) = @_;
 
-my $ticketuser;
+my ($ticketuser, $u2fdata);
 if (($ticketuser = PVE::AccessControl::verify_ticket($pw_or_ticket, 1)) &&
($ticketuser eq 'root@pam' || $ticketuser eq $username)) {
# valid ticket. Note: root@pam can create tickets for other users
 } else {
-   $username = PVE::AccessControl::authenticate_user($username, 
$pw_or_ticket, $otp);
+   ($username, $u2fdata) = 
PVE::AccessControl::authenticate_user($username, $pw_or_ticket, $otp);
 }
 
-my $ticket = PVE::AccessControl::assemble_ticket($username);
+my %extra;
+my $ticket_data = $username;
+if (defined($u2fdata)) {
+   my $u2f = get_u2f_instance($u2fdata->@{qw(publicKey keyHandle)});
+   my $challenge = $u2f->auth_challenge()
+   or die "failed to get u2f challenge\n";
+   $challenge = decode_json($challenge);
+   $extra{U2FChallenge} = $challenge;
+   $ticket_data = "u2f!$username!$challenge->{challenge}";
+}
+
+my $ticket = PVE::AccessControl::assemble_ticket($ticket_data);
 my $csrftoken = 
PVE::AccessControl::assemble_csrf_prevention_token($username);
 
 return {
ticket => $ticket,
username => $username,
CSRFPreventionToken => $csrftoken,
+   %extra,
 };
 };
 
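Review bot: the challenge ticket is assembled with the unchanged PVE::AccessControl::assemble_ticket, so a half-authenticated "u2f!$username!$challenge" ticket inherits the full lifetime of a regular ticket; give challenge tickets a much shorter validity window (in verify_ticket or here), since nothing else bounds how long a password-only login may keep retrying the second factor. Also, get_u2f_instance() dies when u2f is not configured in datacenter.cfg, which locks out any user who still has u2fdata stored once the cluster-wide setting is removed; that case should produce a deliberate, clear failure rather than a generic die from the login path.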
@@ -246,6 +266,8 @@ __PACKAGE__->register_method ({
username => { type => 'string' },
ticket => { type => 'string', optional => 1},
CSRFPreventionToken => { type => 'string', optional => 1 },
+   challenge => { type => 'string', optional => 1 },
+   # cap => computed api permissions, unless there's a u2f challenge
}
 },
 code => sub {
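Review bot: the return schema documents an optional `challenge` string, but $create_ticket puts the decoded challenge object under the key U2FChallenge (and the caller below tests $res->{U2FChallenge}); rename either the schema property or the returned key so the documented API and the actual response agree, and describe the value as the decoded JSON object it is rather than a plain string.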
@@ -275,7 +297,8 @@ __PACKAGE__->register_method ({
die PVE::Exception->new("authentication failure\n", code => 401);
}
 
-   $res->{cap} = &$compute_api_permission($rpcenv, $username);
+   $res->{cap} = &$compute_api_permission($rpcenv, $username)
+   if !defined($res->{U2FChallenge});
 
PVE::Cluster::log_msg('info', 'root@pam', "successful auth for user 
'$username'");
 
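Review bot: PVE::Cluster::log_msg('info', 'root@pam', "successful auth for user '$username'") now fires after the password phase even when a U2F challenge is still outstanding, so the audit log cannot tell a completed login from one that never presented the second factor; log a separate "u2f challenge issued" message here and reserve "successful auth" for the point where the U2F response has been verified.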
@@ -287,7 +310,7 @@ __PACKAGE__->register_method ({
 path => 'password', 
 method => 'PUT',
 permissions => { 
-   description => "Each user is allowed to change his own password. A user 
can change the password of another user if he has 'Realm.AllocateUser' (on the 
realm of user ) and 'User.Modify' permission on /access/groups/ 
on a group where user  is member of.",
+   description => "Each user is allowed to change their own password. A 
user can change the password of another user if they have 'Realm.AllocateUser' 
(on the realm of user ) and 'User.Modify' permission on 
/access/groups/ on a group where user  is member of.",
check => [ 'or', 
   ['userid-param', 'self'],
   [ 'and',
@@ -344,4 +367,186 @@ __PACKAGE__->register_method ({
return undef;
 }});
 
+sub get_u2f_config() {
+die "u2f support not available\n" if !$u2f_available;
+
+my $dc = cfs_read_file('datacenter.cfg');
+my $u2f = $dc->{u2f};
+die "u2f not configured in datacenter.cfg\n" if !$u2f;
+$u2f = PVE::JSONSchema::parse_property_string($PVE::Cluster::u2f_format, 
$u2f);
+return $u2f;
+}
+
+sub get_u2f_instance {
+my ($publicKey, $keyHandle) = @_;
+
+my $u2fconfig = get_u2f_config();
+my $u2f = PVE::U2F->new();
+$u2f->set_appid($u2fconfig->{appid});
+$u2f->set_origin($u2fconfig->{origin});
+$u2f->set_publicKey($publicKey) if defined($publicKey);
+$u2f->set_keyHandle($keyHandle) if defined($keyHandle);
+return $u2f;
+}
+
+__PACKAGE__->register_method ({
+name => 'change_u2f',
+path => 'u2f',
+method => 'PUT',
+permissions => {
+   description => 'A user can change their own u2f token.',
+   
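Review bot: get_u2f_config() calls cfs_read_file as a bare function, but no `use PVE::Cluster qw(cfs_read_file)` import appears in this patch, and the format is reached through another package's `our` variable ($PVE::Cluster::u2f_format); make the import explicit and consider registering the format with PVE::JSONSchema so the two packages are not coupled through a package variable. The empty prototype on `sub get_u2f_config()` is also not the style of the surrounding subs (get_u2f_instance has none).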

[pve-devel] [PATCH common] add u2f challenge accessors to RESTEnvironment

2018-05-24 Thread Wolfgang Bumiller
Signed-off-by: Wolfgang Bumiller 
---
 src/PVE/RESTEnvironment.pm | 14 ++
 1 file changed, 14 insertions(+)

diff --git a/src/PVE/RESTEnvironment.pm b/src/PVE/RESTEnvironment.pm
index 32ffdd1..9c966dd 100644
--- a/src/PVE/RESTEnvironment.pm
+++ b/src/PVE/RESTEnvironment.pm
@@ -217,6 +217,20 @@ sub get_user {
 die "user name not set\n";
 }
 
+sub set_u2f_challenge {
+my ($self, $challenge) = @_;
+
+$self->{u2f_challenge} = $challenge;
+}
+
+sub get_u2f_challenge {
+my ($self, $noerr) = @_;
+
+return $self->{u2f_challenge} if defined($self->{u2f_challenge}) || $noerr;
+
+die "user active challenge\n";
+}
+
 sub is_worker {
 my ($class) = @_;
 
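Review bot: the error string "user active challenge\n" reads as if a word is missing; "no active u2f challenge\n" states what actually went wrong. Since set_u2f_challenge is the only way to change the stored value, the API should also make clear that the challenge is to be cleared (set_u2f_challenge(undef)) once it has been consumed, so a verified request cannot keep carrying the old challenge through the rest of its handling.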
-- 
2.11.0




[pve-devel] [PATCH cluster 1/1] add u2f configuration to datacenter.cfg

2018-05-24 Thread Wolfgang Bumiller
Signed-off-by: Wolfgang Bumiller 
---
 data/PVE/Cluster.pm | 19 +++
 1 file changed, 19 insertions(+)

diff --git a/data/PVE/Cluster.pm b/data/PVE/Cluster.pm
index 7569abc..149bbda 100644
--- a/data/PVE/Cluster.pm
+++ b/data/PVE/Cluster.pm
@@ -1346,6 +1346,19 @@ my $migration_format = {
 },
 };
 
+our $u2f_format = {
+appid => {
+   type => 'string',
+   description => "Top level domain of PVE hosts for which U2F 
authentication is available.",
+   format_description => 'APPID',
+},
+origin => {
+   type => 'string',
+   description => "U2F Origin.",
+   format_description => 'APPID',
+},
+};
+
 my $datacenter_schema = {
 type => "object",
 additionalProperties => 0,
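Review bot: `origin` copies `format_description => 'APPID'` from `appid`; it should be 'ORIGIN' (or a URL placeholder), since this string is what the property-string documentation shows users. The appid description "Top level domain of PVE hosts" also does not match the cover letter's example, where both values are full origins such as https://awesomecluster.foo.bar:8006; describe appid as the U2F AppID URL the keys are registered against, and note that changing it afterwards invalidates every registered key.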
@@ -1416,6 +1429,12 @@ my $datacenter_schema = {
description => 'Prefix for autogenerated MAC addresses.',
},
bwlimit => PVE::JSONSchema::get_standard_option('bwlimit'),
+   u2f => {
+   optional => 1,
+   type => 'string',
+   format => $u2f_format,
+   description => 'u2f',
+   },
 },
 };
 
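Review bot: `description => 'u2f'` tells the user nothing in pvesh or the API viewer; spell out that this enables U2F second-factor login and takes the appid/origin property string, in the style of the other datacenter.cfg option descriptions (e.g. the mac_prefix description just above).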
-- 
2.11.0




[pve-devel] [PATCH access-control 1/2] add PVE::U2F, libu2f-server bindings

2018-05-24 Thread Wolfgang Bumiller
Signed-off-by: Wolfgang Bumiller 
---
 .gitignore |   3 ++
 Makefile   |  25 -
 PVE/U2F.pm | 155 
 U2F.xs | 179 +
 4 files changed, 361 insertions(+), 1 deletion(-)
 create mode 100644 PVE/U2F.pm
 create mode 100644 U2F.xs

diff --git a/.gitignore b/.gitignore
index e1fc9d6..9ef3233 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,7 @@
 build
+ppport.h
+U2F.so
+U2F.xsc
 *.deb
 *.1.pod
 *.1.gz
diff --git a/Makefile b/Makefile
index bc1ca81..ba46235 100644
--- a/Makefile
+++ b/Makefile
@@ -20,6 +20,17 @@ GITVERSION:=$(shell cat .git/refs/heads/master)
 
 DEB=${PACKAGE}_${VERSION}-${PKGREL}_${ARCH}.deb
 
+PERL_ARCHLIB != perl -MConfig -e 'print $$Config{archlib};'
+PERL_INSTALLVENDORARCH != perl -MConfig -e 'print $$Config{installvendorarch};'
+PERL_APIVER != perl -MConfig -e 'print 
$$Config{debian_abi}//$$Config{version};'
+PERL_CC != perl -MConfig -e 'print $$Config{cc};'
+PERLSODIR=$(PERL_INSTALLVENDORARCH)/auto
+CFLAGS := -shared -fPIC -O2 -Werror -Wtype-limits -Wall -Wl,-z,relro \
+   -D_FORTIFY_SOURCE=2 -I$(PERL_ARCHLIB)/CORE -DXS_VERSION=\"1.0\"
+
+CFLAGS += `pkg-config --cflags u2f-server`
+LIBS += `pkg-config --libs u2f-server`
+
 # this requires package pve-doc-generator
 export NOVIEW=1
 include /usr/share/pve-doc-generator/pve-doc-generator.mk
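Review bot: PERL_APIVER is computed but not used anywhere in this hunk, and the `!=` shell-assignment operator requires GNU make 4.0 or newer; either drop the unused variable or use the `$(shell ...)` form the rest of the Makefile already relies on. CFLAGS is also assigned with `:=`, which silently discards any CFLAGS passed in from the environment (for instance from dpkg-buildflags), so the hardening flags for the XS module are only the ones hard-coded on this line.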
@@ -34,8 +45,18 @@ pveum.bash-completion: PVE/CLI/pveum.pm
perl -I. -T -e "use PVE::CLI::pveum; 
PVE::CLI::pveum->generate_bash_completions();" >$@.tmp
mv $@.tmp $@
 
+U2F.c: U2F.xs
+   xsubpp U2F.xs > U2F.xsc
+   mv U2F.xsc U2F.c
+
+ppport.h:
+   perl -MDevel::PPPort -e 'Devel::PPPort::WriteFile();'
+
+U2F.so: U2F.c ppport.h
+   $(PERL_CC) $(CFLAGS) -o U2F.so U2F.c $(LIBS)
+
 .PHONY: install
-install: pveum.1 oathkeygen pveum.bash-completion
+install: pveum.1 oathkeygen pveum.bash-completion U2F.so
install -d ${DESTDIR}${BINDIR}
install -d ${DESTDIR}${SBINDIR}
install -m 0755 pveum ${DESTDIR}${SBINDIR}
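Review bot: U2F.c is a generated file, but only ppport.h, U2F.so and U2F.xsc were added to .gitignore in this series, and nothing in the visible rules removes U2F.c, ppport.h or U2F.so on `make clean`; add U2F.c to .gitignore and extend the clean target so a rebuild after a libu2f-server or perl update does not pick up a stale generated file.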
@@ -45,6 +66,8 @@ install: pveum.1 oathkeygen pveum.bash-completion
install -d ${DESTDIR}/${DOCDIR}
install -m 0644 pveum.1 ${DESTDIR}/${MAN1DIR}
gzip -9 -n ${DESTDIR}/${MAN1DIR}/pveum.1
+   install -D -m 0644 PVE/U2F.pm ${DESTDIR}${PERLDIR}/PVE/U2F.pm
+   install -D -m 0644 -s U2F.so ${DESTDIR}${PERLSODIR}/PVE/U2F/U2F.so
install -m 0644 -D pveum.bash-completion ${DESTDIR}${BASHCOMPLDIR}/pveum
 
 .PHONY: test
diff --git a/PVE/U2F.pm b/PVE/U2F.pm
new file mode 100644
index 000..acc9348
--- /dev/null
+++ b/PVE/U2F.pm
@@ -0,0 +1,155 @@
+package PVE::U2F;
+
+use 5.024000;
+use strict;
+use warnings;
+
+require Exporter;
+
+our @ISA = qw(Exporter);
+
+# Items to export into callers namespace by default. Note: do not export
+# names by default without a very good reason. Use EXPORT_OK instead.
+# Do not simply export all your public functions/methods/constants.
+
+# This allows declaration  use PVE::U2F::XS ':all';
+# If you do not need this, moving things directly into @EXPORT or @EXPORT_OK
+# will save memory.
+our %EXPORT_TAGS = ( 'all' => [] );
+
+our @EXPORT_OK = ( @{ $EXPORT_TAGS{'all'} } );
+our @EXPORT = ();
+our $VERSION = '1.0';
+
+require XSLoader;
+XSLoader::load('PVE::U2F', $VERSION);
+
+ Context creation
+
+my $global_init = 0;
+sub new($) {
+my ($class) = @_;
+if (!$global_init) {
+   $global_init = 1;
+   do_global_init();
+}
+if (my $lib = new_impl()) {
+   return bless { ctx => $lib }, $class;
+}
+return undef;
+}
+
+sub DESTROY {
+   my ($self) = @_;
+   done_impl($self->{ctx});
+}
+
+ Error handling
+
+my @errcodes = (
+qw(memory json base64 crypto origin challenge signature format)
+);
+sub checkrc($) {
+my ($rc) = @_;
+return if $rc == 0;
+die "u2fs: $errcodes[-$rc-1] error\n" if $rc < 0 && $rc >= -8;
+die "u2fs: unknown error\n";
+}
+
+ Context initialization
+
+sub origin($) { return $_[0]->{origin}; }
+sub set_origin($$) {
+my ($self, $origin) = @_;
+checkrc(set_origin_impl($self->{ctx}, $origin));
+return $self->{origin} = $origin;
+}
+
+sub appid($) { return $_[0]->{appid}; }
+sub set_appid($$) {
+my ($self, $appid) = @_;
+checkrc(set_appid_impl($self->{ctx}, $appid));
+return $self->{appid} = $appid;
+}
+
+sub challenge($) { return $_[0]->{challenge}; }
+sub set_challenge($$) {
+my ($self, $challenge) = @_;
+checkrc(set_challenge_impl($self->{ctx}, $challenge));
+return $self->{challenge} = $challenge;
+}
+
+sub keyHandle($) { return $_[0]->{keyHandle}; }
+sub set_keyHandle($$) {
+my ($self, $keyHandle) = @_;
+checkrc(set_keyHandle_impl($self->{ctx}, $keyHandle));
+return $self->{keyHandle} = $keyHandle;
+}
+
+sub publicKey($) { return $_[0]->{publicKey}; }
+sub set_publicKey($$) {
+my ($self, $publicKey) = @_;
+checkrc(set_publicKey_impl($self->{ctx}, 
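Review bot: the three section banner lines (`Context creation`, `Error handling`, `Context initialization`) appear without a leading `#`, so as shown the file is not valid Perl and will not compile; if the comment marker was lost in transit, restore it. The h2xs template text above `%EXPORT_TAGS` (it even refers to `PVE::U2F::XS`, a name this module does not use) can be dropped since nothing is exported. In `checkrc`, the hard-coded `$rc >= -8` bound duplicates the length of `@errcodes` and will silently fall through to "unknown error" if the list grows; `$rc >= -scalar(@errcodes)` keeps the two in sync. The `($)`/`($$)` prototypes on `new`, `set_origin` and the other accessors are ignored for method calls and only mislead readers, so prefer plain `sub new {`.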

[pve-devel] applied: [PATCH kernel 4.15 1/4] update ZFS to 0.7.9-pve1

2018-05-24 Thread Thomas Lamprecht
On 5/22/18 1:31 PM, Thomas Lamprecht wrote:
> Signed-off-by: Thomas Lamprecht 
> ---
>  submodules/zfsonlinux | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/submodules/zfsonlinux b/submodules/zfsonlinux
> index 47ae0e2..cabb465 16
> --- a/submodules/zfsonlinux
> +++ b/submodules/zfsonlinux
> @@ -1 +1 @@
> -Subproject commit 47ae0e2662084a44bb22068f3fc1e5a618ccbe15
> +Subproject commit cabb465d41a695d4db17729628e6694a645c083e
> 
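Review bot: the commit carries only a subject and a Signed-off-by; a submodule bump should say in its body what the new zfsonlinux commit (`cabb465`) brings relative to the old one (`47ae0e2`), e.g. the upstream 0.7.9 changes or the pve-specific patches, so the kernel package history stays reviewable without checking out the submodule.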

applied series

___
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


[pve-devel] applied: [PATCH kernel 4.13 1/4] update ZFS to 0.7.9-pve1

2018-05-24 Thread Thomas Lamprecht
On 5/22/18 4:01 PM, Thomas Lamprecht wrote:
> Signed-off-by: Thomas Lamprecht 
> ---
>  submodules/zfsonlinux | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/submodules/zfsonlinux b/submodules/zfsonlinux
> index 47ae0e2..cabb465 16
> --- a/submodules/zfsonlinux
> +++ b/submodules/zfsonlinux
> @@ -1 +1 @@
> -Subproject commit 47ae0e2662084a44bb22068f3fc1e5a618ccbe15
> +Subproject commit cabb465d41a695d4db17729628e6694a645c083e
> 

applied series



Re: [pve-devel] [Patch guest-common] set last_sync_snapname after a job restored.

2018-05-24 Thread Thomas Lamprecht
On 5/22/18 3:30 PM, Wolfgang Link wrote:
> The replication needs the last_sync_snapname to clean up
> the last snapshot after the replication run is done.
> 
> If this is not correctly set the snapshot will exist until the next run.
> ---
>  PVE/Replication.pm | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/PVE/Replication.pm b/PVE/Replication.pm
> index 493b77d..0d05547 100644
> --- a/PVE/Replication.pm
> +++ b/PVE/Replication.pm
> @@ -63,6 +63,7 @@ sub find_common_replication_snapshot {

The foreach loop iterating the remote snapshots below is in this while loop:

foreach my $volid (@$volumes) {
[...]
}

so last_sync_snapname gets set to the remote snap of the last volid iterated,
couldn't that be a problem when multiple volumes get replicated?

>   foreach my $remote_snap (@desc_sorted_snap) {
>   if (defined($last_snapshots->{$volid}->{$remote_snap})) {
>   $base_snapshots->{$volid} = $remote_snap;
> + $last_sync_snapname = $remote_snap;
>   last;
>   }
>   }
> 
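Review bot: `$last_sync_snapname = $remote_snap` runs inside the per-volume loop (the outer `foreach my $volid (@$volumes)` shown above), so each volume overwrites the value and the function ends up reporting only the last volume's matching snapshot; if one job-wide name is intended, derive it once after the loop from the `$base_snapshots` entries common to all volumes, otherwise store it per volume alongside `$base_snapshots->{$volid}`.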

Then, the if above hits only if the $remote_snap is in $last_snapshots,
which, like $last_sync_snapname, is generated from $last_sync and $job,
so this seems redundant/weird?

After some off-list discussion with Wolfgang B. we determined that it
could make more sense to actually calculate $last_sync in
find_common_replication_snapshot, i.e. go through both snapshot lists and
take the newest timestamp they have in common - where all volumes were
replicated successfully. Then we always have a correct $last_sync and
the prepare method would take care of stale snapshots.



[pve-devel] applied: [PATCH qemu-server] fix #1779: vzdump: ensure guest-fsfreeze-thaw is called on error

2018-05-24 Thread Thomas Lamprecht
On 5/23/18 11:07 AM, Wolfgang Bumiller wrote:
> as QMPClient's queue_execute can throw an error
> 
> Signed-off-by: Wolfgang Bumiller 
> ---
>  PVE/VZDump/QemuServer.pm | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/PVE/VZDump/QemuServer.pm b/PVE/VZDump/QemuServer.pm
> index 42680f8..70abe99 100644
> --- a/PVE/VZDump/QemuServer.pm
> +++ b/PVE/VZDump/QemuServer.pm
> @@ -416,16 +416,18 @@ sub archive {
>   $self->logerr($err);
>   }
>   }
>  
> - $qmpclient->queue_execute();
> + eval { $qmpclient->queue_execute() };
> + my $qmperr = $@;
>  
>   if ($agent_running){
>   eval { PVE::QemuServer::vm_mon_cmd($vmid, "guest-fsfreeze-thaw"); };
>   if (my $err = $@) {
>   $self->logerr($err);
>   }
>   }
> + die $qmperr if $qmperr;
>   die $qmpclient->{errors}->{$vmid} if $qmpclient->{errors}->{$vmid};
>  
>   if ($cpid) {
>   POSIX::close($outfileno) == 0 ||
> 
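Review bot: saving `$@` into `$qmperr` before the nested `eval` around `guest-fsfreeze-thaw` is the right way to keep the first error from being clobbered, but the two `die` lines that follow mean a `queue_execute` exception hides any error recorded in `$qmpclient->{errors}->{$vmid}` for the same run; consider appending that per-VM error to `$qmperr` (or logging it via `$self->logerr`) before dying so the backup log shows both.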

applied, thanks
