]>
Commit | Line | Data |
---|---|---|
2c3a6c0a DM |
1 | package PVE::API2::User; |
2 | ||
3 | use strict; | |
4 | use warnings; | |
37d45deb | 5 | use PVE::Exception qw(raise raise_perm_exc); |
2c3a6c0a DM |
6 | use PVE::Cluster qw (cfs_read_file cfs_write_file); |
7 | use PVE::Tools qw(split_list); | |
8 | use PVE::AccessControl; | |
9 | use PVE::JSONSchema qw(get_standard_option); | |
10 | ||
11 | use PVE::SafeSyslog; | |
12 | ||
13 | use Data::Dumper; # fixme: remove | |
14 | ||
15 | use PVE::RESTHandler; | |
16 | ||
17 | use base qw(PVE::RESTHandler); | |
18 | ||
19 | my $extract_user_data = sub { | |
20 | my ($data, $full) = @_; | |
21 | ||
22 | my $res = {}; | |
23 | ||
24 | foreach my $prop (qw(enable expire firstname lastname email comment)) { | |
25 | $res->{$prop} = $data->{$prop} if defined($data->{$prop}); | |
26 | } | |
27 | ||
28 | return $res if !$full; | |
29 | ||
30 | $res->{groups} = $data->{groups} ? [ keys %{$data->{groups}} ] : []; | |
31 | ||
32 | return $res; | |
33 | }; | |
34 | ||
35 | __PACKAGE__->register_method ({ | |
36 | name => 'index', | |
37 | path => '', | |
38 | method => 'GET', | |
39 | description => "User index.", | |
96919234 | 40 | permissions => { |
82b63965 | 41 | description => "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.", |
96919234 DM |
42 | user => 'all', |
43 | }, | |
2c3a6c0a DM |
44 | parameters => { |
45 | additionalProperties => 0, | |
cb6f2f93 DM |
46 | properties => { |
47 | enabled => { | |
48 | type => 'boolean', | |
49 | description => "Optional filter for enable property.", | |
50 | optional => 1, | |
51 | } | |
52 | }, | |
2c3a6c0a DM |
53 | }, |
54 | returns => { | |
55 | type => 'array', | |
56 | items => { | |
57 | type => "object", | |
58 | properties => { | |
59 | userid => { type => 'string' }, | |
60 | }, | |
61 | }, | |
62 | links => [ { rel => 'child', href => "{userid}" } ], | |
63 | }, | |
64 | code => sub { | |
65 | my ($param) = @_; | |
66 | ||
930dcfc8 | 67 | my $rpcenv = PVE::RPCEnvironment::get(); |
37d45deb | 68 | my $usercfg = $rpcenv->{user_cfg}; |
930dcfc8 DM |
69 | my $authuser = $rpcenv->get_user(); |
70 | ||
2c3a6c0a DM |
71 | my $res = []; |
72 | ||
82b63965 DM |
73 | my $privs = [ 'User.Modify', 'Sys.Audit' ]; |
74 | my $canUserMod = $rpcenv->check_any($authuser, "/access/groups", $privs, 1); | |
b9180ed2 | 75 | my $groups = $rpcenv->filter_groups($authuser, $privs, 1); |
37d45deb DM |
76 | my $allowed_users = $rpcenv->group_member_join([keys %$groups]); |
77 | ||
2c3a6c0a | 78 | foreach my $user (keys %{$usercfg->{users}}) { |
37d45deb DM |
79 | |
80 | if (!($canUserMod || $user eq $authuser)) { | |
81 | next if !$allowed_users->{$user}; | |
82 | } | |
930dcfc8 | 83 | |
2c3a6c0a | 84 | my $entry = &$extract_user_data($usercfg->{users}->{$user}); |
cb6f2f93 DM |
85 | |
86 | if (defined($param->{enabled})) { | |
87 | next if $entry->{enable} && !$param->{enabled}; | |
88 | next if !$entry->{enable} && $param->{enabled}; | |
89 | } | |
90 | ||
2c3a6c0a DM |
91 | $entry->{userid} = $user; |
92 | push @$res, $entry; | |
93 | } | |
94 | ||
95 | return $res; | |
96 | }}); | |
97 | ||
98 | __PACKAGE__->register_method ({ | |
99 | name => 'create_user', | |
100 | protected => 1, | |
101 | path => '', | |
102 | method => 'POST', | |
96919234 | 103 | permissions => { |
82b63965 DM |
104 | description => "You need 'Realm.AllocateUser' on '/access/realm/<realm>' on the realm of user <userid>, and 'User.Modify' permissions to '/access/groups/<group>' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.", |
105 | check => [ 'and', | |
106 | [ 'userid-param', 'Realm.AllocateUser'], | |
107 | [ 'userid-group', ['User.Modify'], groups_param => 1], | |
108 | ], | |
96919234 | 109 | }, |
2c3a6c0a DM |
110 | description => "Create new user.", |
111 | parameters => { | |
112 | additionalProperties => 0, | |
113 | properties => { | |
114 | userid => get_standard_option('userid'), | |
37d45deb DM |
115 | password => { |
116 | description => "Initial password.", | |
117 | type => 'string', | |
118 | optional => 1, | |
119 | minLength => 5, | |
120 | maxLength => 64 | |
121 | }, | |
2c3a6c0a DM |
122 | groups => { type => 'string', optional => 1, format => 'pve-groupid-list'}, |
123 | firstname => { type => 'string', optional => 1 }, | |
124 | lastname => { type => 'string', optional => 1 }, | |
125 | email => { type => 'string', optional => 1, format => 'email-opt' }, | |
126 | comment => { type => 'string', optional => 1 }, | |
127 | expire => { | |
128 | description => "Account expiration date (seconds since epoch). '0' means no expiration date.", | |
129 | type => 'integer', | |
130 | minimum => 0, | |
131 | optional => 1, | |
132 | }, | |
133 | enable => { | |
134 | description => "Enable the account (default). You can set this to '0' to disable the accout", | |
135 | type => 'boolean', | |
136 | optional => 1, | |
137 | default => 1, | |
138 | }, | |
139 | }, | |
140 | }, | |
141 | returns => { type => 'null' }, | |
142 | code => sub { | |
143 | my ($param) = @_; | |
144 | ||
145 | PVE::AccessControl::lock_user_config( | |
146 | sub { | |
147 | ||
148 | my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid}); | |
149 | ||
150 | my $usercfg = cfs_read_file("user.cfg"); | |
151 | ||
152 | die "user '$username' already exists\n" | |
153 | if $usercfg->{users}->{$username}; | |
154 | ||
155 | PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password}) | |
fdb30a4c | 156 | if defined($param->{password}); |
2c3a6c0a DM |
157 | |
158 | my $enable = defined($param->{enable}) ? $param->{enable} : 1; | |
159 | $usercfg->{users}->{$username} = { enable => $enable }; | |
160 | $usercfg->{users}->{$username}->{expire} = $param->{expire} if $param->{expire}; | |
161 | ||
162 | if ($param->{groups}) { | |
163 | foreach my $group (split_list($param->{groups})) { | |
164 | if ($usercfg->{groups}->{$group}) { | |
165 | PVE::AccessControl::add_user_group($username, $usercfg, $group); | |
166 | } else { | |
167 | die "no such group '$group'\n"; | |
168 | } | |
169 | } | |
170 | } | |
171 | ||
172 | $usercfg->{users}->{$username}->{firstname} = $param->{firstname} if $param->{firstname}; | |
173 | $usercfg->{users}->{$username}->{lastname} = $param->{lastname} if $param->{lastname}; | |
174 | $usercfg->{users}->{$username}->{email} = $param->{email} if $param->{email}; | |
175 | $usercfg->{users}->{$username}->{comment} = $param->{comment} if $param->{comment}; | |
176 | ||
177 | cfs_write_file("user.cfg", $usercfg); | |
178 | }, "create user failed"); | |
179 | ||
180 | return undef; | |
181 | }}); | |
182 | ||
183 | __PACKAGE__->register_method ({ | |
184 | name => 'read_user', | |
185 | path => '{userid}', | |
186 | method => 'GET', | |
187 | description => "Get user configuration.", | |
96919234 | 188 | permissions => { |
82b63965 | 189 | check => ['userid-group', ['User.Modify', 'Sys.Audit']], |
96919234 | 190 | }, |
2c3a6c0a DM |
191 | parameters => { |
192 | additionalProperties => 0, | |
193 | properties => { | |
194 | userid => get_standard_option('userid'), | |
195 | }, | |
196 | }, | |
197 | returns => { | |
198 | additionalProperties => 0, | |
199 | properties => { | |
200 | enable => { type => 'boolean' }, | |
201 | expire => { type => 'integer', optional => 1 }, | |
202 | firstname => { type => 'string', optional => 1 }, | |
203 | lastname => { type => 'string', optional => 1 }, | |
204 | email => { type => 'string', optional => 1 }, | |
205 | comment => { type => 'string', optional => 1 }, | |
206 | groups => { type => 'array' }, | |
207 | } | |
208 | }, | |
209 | code => sub { | |
210 | my ($param) = @_; | |
211 | ||
212 | my ($username, undef, $domain) = | |
213 | PVE::AccessControl::verify_username($param->{userid}); | |
214 | ||
215 | my $usercfg = cfs_read_file("user.cfg"); | |
2c3a6c0a | 216 | |
37d45deb DM |
217 | my $data = PVE::AccessControl::check_user_exist($usercfg, $username); |
218 | ||
2c3a6c0a DM |
219 | return &$extract_user_data($data, 1); |
220 | }}); | |
221 | ||
222 | __PACKAGE__->register_method ({ | |
223 | name => 'update_user', | |
224 | protected => 1, | |
225 | path => '{userid}', | |
226 | method => 'PUT', | |
96919234 DM |
227 | permissions => { |
228 | check => ['userid-group', ['User.Modify'], groups_param => 1 ], | |
229 | }, | |
2c3a6c0a DM |
230 | description => "Update user configuration.", |
231 | parameters => { | |
232 | additionalProperties => 0, | |
233 | properties => { | |
234 | userid => get_standard_option('userid'), | |
2c3a6c0a DM |
235 | groups => { type => 'string', optional => 1, format => 'pve-groupid-list' }, |
236 | append => { | |
237 | type => 'boolean', | |
238 | optional => 1, | |
239 | requires => 'groups', | |
240 | }, | |
241 | enable => { | |
242 | description => "Enable/disable the account.", | |
243 | type => 'boolean', | |
244 | optional => 1, | |
245 | }, | |
246 | firstname => { type => 'string', optional => 1 }, | |
247 | lastname => { type => 'string', optional => 1 }, | |
248 | email => { type => 'string', optional => 1, format => 'email-opt' }, | |
249 | comment => { type => 'string', optional => 1 }, | |
250 | expire => { | |
251 | description => "Account expiration date (seconds since epoch). '0' means no expiration date.", | |
252 | type => 'integer', | |
253 | minimum => 0, | |
254 | optional => 1 | |
255 | }, | |
256 | }, | |
257 | }, | |
258 | returns => { type => 'null' }, | |
259 | code => sub { | |
260 | my ($param) = @_; | |
37d45deb DM |
261 | |
262 | my ($username, $ruid, $realm) = | |
263 | PVE::AccessControl::verify_username($param->{userid}); | |
2c3a6c0a DM |
264 | |
265 | PVE::AccessControl::lock_user_config( | |
266 | sub { | |
2c3a6c0a DM |
267 | |
268 | my $usercfg = cfs_read_file("user.cfg"); | |
269 | ||
37d45deb | 270 | PVE::AccessControl::check_user_exist($usercfg, $username); |
2c3a6c0a DM |
271 | |
272 | $usercfg->{users}->{$username}->{enable} = $param->{enable} if defined($param->{enable}); | |
273 | ||
274 | $usercfg->{users}->{$username}->{expire} = $param->{expire} if defined($param->{expire}); | |
275 | ||
276 | PVE::AccessControl::delete_user_group($username, $usercfg) | |
e6521738 | 277 | if (!$param->{append} && defined($param->{groups})); |
2c3a6c0a DM |
278 | |
279 | if ($param->{groups}) { | |
280 | foreach my $group (split_list($param->{groups})) { | |
281 | if ($usercfg->{groups}->{$group}) { | |
282 | PVE::AccessControl::add_user_group($username, $usercfg, $group); | |
283 | } else { | |
284 | die "no such group '$group'\n"; | |
285 | } | |
286 | } | |
287 | } | |
288 | ||
289 | $usercfg->{users}->{$username}->{firstname} = $param->{firstname} if defined($param->{firstname}); | |
290 | $usercfg->{users}->{$username}->{lastname} = $param->{lastname} if defined($param->{lastname}); | |
291 | $usercfg->{users}->{$username}->{email} = $param->{email} if defined($param->{email}); | |
292 | $usercfg->{users}->{$username}->{comment} = $param->{comment} if defined($param->{comment}); | |
293 | ||
294 | cfs_write_file("user.cfg", $usercfg); | |
295 | }, "update user failed"); | |
296 | ||
297 | return undef; | |
298 | }}); | |
299 | ||
300 | __PACKAGE__->register_method ({ | |
301 | name => 'delete_user', | |
302 | protected => 1, | |
303 | path => '{userid}', | |
304 | method => 'DELETE', | |
305 | description => "Delete user.", | |
12683df7 | 306 | permissions => { |
82b63965 DM |
307 | check => [ 'and', |
308 | [ 'userid-param', 'Realm.AllocateUser'], | |
309 | [ 'userid-group', ['User.Modify']], | |
310 | ], | |
12683df7 | 311 | }, |
2c3a6c0a DM |
312 | parameters => { |
313 | additionalProperties => 0, | |
314 | properties => { | |
315 | userid => get_standard_option('userid'), | |
316 | } | |
317 | }, | |
318 | returns => { type => 'null' }, | |
319 | code => sub { | |
320 | my ($param) = @_; | |
37d45deb DM |
321 | |
322 | my $rpcenv = PVE::RPCEnvironment::get(); | |
323 | my $authuser = $rpcenv->get_user(); | |
324 | ||
325 | my ($userid, $ruid, $realm) = | |
326 | PVE::AccessControl::verify_username($param->{userid}); | |
2c3a6c0a DM |
327 | |
328 | PVE::AccessControl::lock_user_config( | |
329 | sub { | |
330 | ||
2c3a6c0a DM |
331 | my $usercfg = cfs_read_file("user.cfg"); |
332 | ||
37d45deb | 333 | delete ($usercfg->{users}->{$userid}); |
2c3a6c0a DM |
334 | |
335 | PVE::AccessControl::delete_shadow_password($ruid) if $realm eq 'pve'; | |
37d45deb DM |
336 | |
337 | PVE::AccessControl::delete_user_group($userid, $usercfg); | |
338 | PVE::AccessControl::delete_user_acl($userid, $usercfg); | |
2c3a6c0a DM |
339 | |
340 | cfs_write_file("user.cfg", $usercfg); | |
341 | }, "delete user failed"); | |
342 | ||
343 | return undef; | |
344 | }}); | |
345 | ||
346 | 1; |