]>
Commit | Line | Data |
---|---|---|
2c3a6c0a DM |
1 | package PVE::API2::User; |
2 | ||
3 | use strict; | |
4 | use warnings; | |
525a931b | 5 | |
4e4c8d40 | 6 | use PVE::Exception qw(raise raise_perm_exc raise_param_exc); |
2c3a6c0a | 7 | use PVE::Cluster qw (cfs_read_file cfs_write_file); |
4e4c8d40 | 8 | use PVE::Tools qw(split_list extract_param); |
3a5ae7a0 | 9 | use PVE::JSONSchema qw(get_standard_option register_standard_option); |
2c3a6c0a DM |
10 | use PVE::SafeSyslog; |
11 | ||
525a931b | 12 | use PVE::AccessControl; |
d658d04a | 13 | use PVE::Auth::Plugin; |
525a931b TL |
14 | use PVE::TokenConfig; |
15 | ||
2c3a6c0a DM |
16 | use PVE::RESTHandler; |
17 | ||
18 | use base qw(PVE::RESTHandler); | |
19 | ||
3a5ae7a0 SI |
20 | register_standard_option('user-enable', { |
21 | description => "Enable the account (default). You can set this to '0' to disable the account", | |
22 | type => 'boolean', | |
23 | optional => 1, | |
24 | default => 1, | |
25 | }); | |
26 | register_standard_option('user-expire', { | |
27 | description => "Account expiration date (seconds since epoch). '0' means no expiration date.", | |
28 | type => 'integer', | |
29 | minimum => 0, | |
30 | optional => 1, | |
31 | }); | |
32 | register_standard_option('user-firstname', { type => 'string', optional => 1 }); | |
33 | register_standard_option('user-lastname', { type => 'string', optional => 1 }); | |
34 | register_standard_option('user-email', { type => 'string', optional => 1, format => 'email-opt' }); | |
35 | register_standard_option('user-comment', { type => 'string', optional => 1 }); | |
36 | register_standard_option('user-keys', { | |
37 | description => "Keys for two factor auth (yubico).", | |
38 | type => 'string', | |
39 | optional => 1, | |
40 | }); | |
41 | register_standard_option('group-list', { | |
42 | type => 'string', format => 'pve-groupid-list', | |
43 | optional => 1, | |
44 | completion => \&PVE::AccessControl::complete_group, | |
45 | }); | |
4e4c8d40 FG |
46 | register_standard_option('token-subid', { |
47 | type => 'string', | |
48 | pattern => $PVE::AccessControl::token_subid_regex, | |
49 | description => 'User-specific token identifier.', | |
50 | }); | |
51 | register_standard_option('token-expire', { | |
52 | description => "API token expiration date (seconds since epoch). '0' means no expiration date.", | |
53 | type => 'integer', | |
54 | minimum => 0, | |
55 | optional => 1, | |
b974bdc0 | 56 | default => 'same as user', |
4e4c8d40 FG |
57 | }); |
58 | register_standard_option('token-privsep', { | |
59 | description => "Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.", | |
60 | type => 'boolean', | |
61 | optional => 1, | |
62 | default => 1, | |
63 | }); | |
64 | register_standard_option('token-comment', { type => 'string', optional => 1 }); | |
65 | register_standard_option('token-info', { | |
66 | type => 'object', | |
67 | properties => { | |
68 | expire => get_standard_option('token-expire'), | |
69 | privsep => get_standard_option('token-privsep'), | |
70 | comment => get_standard_option('token-comment'), | |
71 | } | |
72 | }); | |
73 | ||
74 | my $token_info_extend = sub { | |
75 | my ($props) = @_; | |
76 | ||
77 | my $obj = get_standard_option('token-info'); | |
78 | my $base_props = $obj->{properties}; | |
79 | $obj->{properties} = {}; | |
80 | ||
81 | foreach my $prop (keys %$base_props) { | |
82 | $obj->{properties}->{$prop} = $base_props->{$prop}; | |
83 | } | |
84 | ||
85 | foreach my $add_prop (keys %$props) { | |
86 | $obj->{properties}->{$add_prop} = $props->{$add_prop}; | |
87 | } | |
88 | ||
89 | return $obj; | |
90 | }; | |
3a5ae7a0 | 91 | |
2c3a6c0a DM |
92 | my $extract_user_data = sub { |
93 | my ($data, $full) = @_; | |
94 | ||
95 | my $res = {}; | |
96 | ||
96f8ebd6 | 97 | foreach my $prop (qw(enable expire firstname lastname email comment keys)) { |
2c3a6c0a DM |
98 | $res->{$prop} = $data->{$prop} if defined($data->{$prop}); |
99 | } | |
100 | ||
101 | return $res if !$full; | |
102 | ||
103 | $res->{groups} = $data->{groups} ? [ keys %{$data->{groups}} ] : []; | |
4e4c8d40 | 104 | $res->{tokens} = $data->{tokens}; |
2c3a6c0a DM |
105 | |
106 | return $res; | |
107 | }; | |
108 | ||
109 | __PACKAGE__->register_method ({ | |
0a6e09fd PA |
110 | name => 'index', |
111 | path => '', | |
2c3a6c0a DM |
112 | method => 'GET', |
113 | description => "User index.", | |
0a6e09fd | 114 | permissions => { |
82b63965 | 115 | description => "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.", |
96919234 DM |
116 | user => 'all', |
117 | }, | |
3c4cebc9 | 118 | protected => 1, # to access priv/tfa.cfg |
2c3a6c0a DM |
119 | parameters => { |
120 | additionalProperties => 0, | |
cb6f2f93 DM |
121 | properties => { |
122 | enabled => { | |
123 | type => 'boolean', | |
124 | description => "Optional filter for enable property.", | |
125 | optional => 1, | |
3a4ed527 FG |
126 | }, |
127 | full => { | |
128 | type => 'boolean', | |
129 | description => "Include group and token information.", | |
130 | optional => 1, | |
131 | default => 0, | |
cb6f2f93 DM |
132 | } |
133 | }, | |
2c3a6c0a DM |
134 | }, |
135 | returns => { | |
136 | type => 'array', | |
137 | items => { | |
138 | type => "object", | |
139 | properties => { | |
3a5ae7a0 SI |
140 | userid => get_standard_option('userid-completed'), |
141 | enable => get_standard_option('user-enable'), | |
142 | expire => get_standard_option('user-expire'), | |
143 | firstname => get_standard_option('user-firstname'), | |
144 | lastname => get_standard_option('user-lastname'), | |
145 | email => get_standard_option('user-email'), | |
146 | comment => get_standard_option('user-comment'), | |
147 | keys => get_standard_option('user-keys'), | |
3a4ed527 FG |
148 | groups => get_standard_option('group-list'), |
149 | tokens => { | |
150 | type => 'array', | |
151 | optional => 1, | |
152 | items => $token_info_extend->({ | |
153 | tokenid => get_standard_option('token-subid'), | |
154 | }), | |
8bb59c26 | 155 | }, |
3f6023f5 TL |
156 | 'realm-type' => { |
157 | type => 'string', format => 'pve-realm', | |
8bb59c26 | 158 | description => 'The type of the users realm', |
3f6023f5 | 159 | optional => 1, # it should always be there, but we use conditional code below, so.. |
8bb59c26 | 160 | }, |
3c4cebc9 WB |
161 | 'totp-locked' => { |
162 | type => 'boolean', | |
163 | optional => 1, | |
164 | description => 'True if the user is currently locked out of TOTP factors.', | |
165 | }, | |
166 | 'tfa-locked-until' => { | |
167 | type => 'integer', | |
168 | optional => 1, | |
169 | description => | |
170 | 'Contains a timestamp until when a user is locked out of 2nd factors.', | |
171 | }, | |
2c3a6c0a DM |
172 | }, |
173 | }, | |
174 | links => [ { rel => 'child', href => "{userid}" } ], | |
175 | }, | |
176 | code => sub { | |
177 | my ($param) = @_; | |
0a6e09fd | 178 | |
930dcfc8 | 179 | my $rpcenv = PVE::RPCEnvironment::get(); |
37d45deb | 180 | my $usercfg = $rpcenv->{user_cfg}; |
930dcfc8 DM |
181 | my $authuser = $rpcenv->get_user(); |
182 | ||
8bb59c26 DC |
183 | my $domainscfg = cfs_read_file('domains.cfg'); |
184 | my $domainids = $domainscfg->{ids}; | |
185 | ||
2c3a6c0a DM |
186 | my $res = []; |
187 | ||
82b63965 DM |
188 | my $privs = [ 'User.Modify', 'Sys.Audit' ]; |
189 | my $canUserMod = $rpcenv->check_any($authuser, "/access/groups", $privs, 1); | |
b9180ed2 | 190 | my $groups = $rpcenv->filter_groups($authuser, $privs, 1); |
0a6e09fd | 191 | my $allowed_users = $rpcenv->group_member_join([keys %$groups]); |
37d45deb | 192 | |
3c4cebc9 WB |
193 | my $tfa_cfg = cfs_read_file('priv/tfa.cfg'); |
194 | ||
525a931b | 195 | foreach my $user (sort keys %{$usercfg->{users}}) { |
37d45deb DM |
196 | if (!($canUserMod || $user eq $authuser)) { |
197 | next if !$allowed_users->{$user}; | |
198 | } | |
930dcfc8 | 199 | |
525a931b | 200 | my $entry = $extract_user_data->($usercfg->{users}->{$user}, $param->{full}); |
cb6f2f93 DM |
201 | |
202 | if (defined($param->{enabled})) { | |
203 | next if $entry->{enable} && !$param->{enabled}; | |
204 | next if !$entry->{enable} && $param->{enabled}; | |
205 | } | |
206 | ||
3a4ed527 | 207 | $entry->{groups} = join(',', @{$entry->{groups}}) if $entry->{groups}; |
525a931b TL |
208 | |
209 | if (defined(my $tokens = $entry->{tokens})) { | |
210 | $entry->{tokens} = [ | |
211 | map { { tokenid => $_, %{$tokens->{$_}} } } sort keys %$tokens | |
212 | ]; | |
213 | } | |
3a4ed527 | 214 | |
d658d04a TL |
215 | if ($user =~ /($PVE::Auth::Plugin::realm_regex)$/) { |
216 | my $realm = $1; | |
217 | $entry->{'realm-type'} = $domainids->{$realm}->{type} if exists $domainids->{$realm}; | |
8bb59c26 DC |
218 | } |
219 | ||
2c3a6c0a | 220 | $entry->{userid} = $user; |
525a931b | 221 | |
3c4cebc9 WB |
222 | if (defined($tfa_cfg)) { |
223 | if (my $data = $tfa_cfg->tfa_lock_status($user)) { | |
53a2b715 WB |
224 | for (qw(totp-locked tfa-locked-until)) { |
225 | $entry->{$_} = $data->{$_} if exists($data->{$_}); | |
226 | } | |
3c4cebc9 WB |
227 | } |
228 | } | |
229 | ||
2c3a6c0a DM |
230 | push @$res, $entry; |
231 | } | |
232 | ||
233 | return $res; | |
234 | }}); | |
235 | ||
236 | __PACKAGE__->register_method ({ | |
0a6e09fd | 237 | name => 'create_user', |
2c3a6c0a | 238 | protected => 1, |
0a6e09fd | 239 | path => '', |
2c3a6c0a | 240 | method => 'POST', |
0a6e09fd | 241 | permissions => { |
82b63965 | 242 | description => "You need 'Realm.AllocateUser' on '/access/realm/<realm>' on the realm of user <userid>, and 'User.Modify' permissions to '/access/groups/<group>' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.", |
3e5b237f TL |
243 | check => [ |
244 | 'and', | |
245 | [ 'userid-param', 'Realm.AllocateUser'], | |
aee071ad | 246 | [ 'userid-group', ['User.Modify'], groups_param => 'create'], |
3e5b237f | 247 | ], |
96919234 | 248 | }, |
2c3a6c0a DM |
249 | description => "Create new user.", |
250 | parameters => { | |
0a6e09fd | 251 | additionalProperties => 0, |
2c3a6c0a | 252 | properties => { |
3a5ae7a0 SI |
253 | userid => get_standard_option('userid-completed'), |
254 | enable => get_standard_option('user-enable'), | |
255 | expire => get_standard_option('user-expire'), | |
256 | firstname => get_standard_option('user-firstname'), | |
257 | lastname => get_standard_option('user-lastname'), | |
258 | email => get_standard_option('user-email'), | |
259 | comment => get_standard_option('user-comment'), | |
260 | keys => get_standard_option('user-keys'), | |
37d45deb DM |
261 | password => { |
262 | description => "Initial password.", | |
0a6e09fd PA |
263 | type => 'string', |
264 | optional => 1, | |
265 | minLength => 5, | |
266 | maxLength => 64 | |
37d45deb | 267 | }, |
3a5ae7a0 | 268 | groups => get_standard_option('group-list'), |
2c3a6c0a DM |
269 | }, |
270 | }, | |
271 | returns => { type => 'null' }, | |
272 | code => sub { | |
273 | my ($param) = @_; | |
274 | ||
2dd1e1d4 TL |
275 | PVE::AccessControl::lock_user_config(sub { |
276 | my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid}); | |
0a6e09fd | 277 | |
2dd1e1d4 | 278 | my $usercfg = cfs_read_file("user.cfg"); |
0a6e09fd | 279 | |
f335d265 TL |
280 | # ensure "user exists" check works for case insensitive realms |
281 | $username = PVE::AccessControl::lookup_username($username, 1); | |
282 | die "user '$username' already exists\n" if $usercfg->{users}->{$username}; | |
2c3a6c0a | 283 | |
2dd1e1d4 TL |
284 | PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password}) |
285 | if defined($param->{password}); | |
0a6e09fd | 286 | |
2dd1e1d4 TL |
287 | my $enable = defined($param->{enable}) ? $param->{enable} : 1; |
288 | $usercfg->{users}->{$username} = { enable => $enable }; | |
289 | $usercfg->{users}->{$username}->{expire} = $param->{expire} if $param->{expire}; | |
2c3a6c0a | 290 | |
2dd1e1d4 TL |
291 | if ($param->{groups}) { |
292 | foreach my $group (split_list($param->{groups})) { | |
293 | if ($usercfg->{groups}->{$group}) { | |
294 | PVE::AccessControl::add_user_group($username, $usercfg, $group); | |
295 | } else { | |
296 | die "no such group '$group'\n"; | |
2c3a6c0a DM |
297 | } |
298 | } | |
2dd1e1d4 | 299 | } |
2c3a6c0a | 300 | |
2dd1e1d4 TL |
301 | $usercfg->{users}->{$username}->{firstname} = $param->{firstname} if $param->{firstname}; |
302 | $usercfg->{users}->{$username}->{lastname} = $param->{lastname} if $param->{lastname}; | |
303 | $usercfg->{users}->{$username}->{email} = $param->{email} if $param->{email}; | |
304 | $usercfg->{users}->{$username}->{comment} = $param->{comment} if $param->{comment}; | |
305 | $usercfg->{users}->{$username}->{keys} = $param->{keys} if $param->{keys}; | |
2c3a6c0a | 306 | |
2dd1e1d4 TL |
307 | cfs_write_file("user.cfg", $usercfg); |
308 | }, "create user failed"); | |
2c3a6c0a DM |
309 | |
310 | return undef; | |
311 | }}); | |
312 | ||
313 | __PACKAGE__->register_method ({ | |
0a6e09fd PA |
314 | name => 'read_user', |
315 | path => '{userid}', | |
2c3a6c0a DM |
316 | method => 'GET', |
317 | description => "Get user configuration.", | |
0a6e09fd | 318 | permissions => { |
82b63965 | 319 | check => ['userid-group', ['User.Modify', 'Sys.Audit']], |
96919234 | 320 | }, |
2c3a6c0a | 321 | parameters => { |
0a6e09fd | 322 | additionalProperties => 0, |
2c3a6c0a | 323 | properties => { |
3a5ae7a0 | 324 | userid => get_standard_option('userid-completed'), |
2c3a6c0a DM |
325 | }, |
326 | }, | |
327 | returns => { | |
0a6e09fd | 328 | additionalProperties => 0, |
2c3a6c0a | 329 | properties => { |
3a5ae7a0 SI |
330 | enable => get_standard_option('user-enable'), |
331 | expire => get_standard_option('user-expire'), | |
332 | firstname => get_standard_option('user-firstname'), | |
333 | lastname => get_standard_option('user-lastname'), | |
334 | email => get_standard_option('user-email'), | |
335 | comment => get_standard_option('user-comment'), | |
336 | keys => get_standard_option('user-keys'), | |
4e4c8d40 FG |
337 | groups => { |
338 | type => 'array', | |
72c4589c | 339 | optional => 1, |
4e4c8d40 FG |
340 | items => { |
341 | type => 'string', | |
342 | format => 'pve-groupid', | |
343 | }, | |
344 | }, | |
345 | tokens => { | |
72c4589c | 346 | optional => 1, |
4e4c8d40 | 347 | type => 'object', |
031e388f | 348 | additionalProperties => get_standard_option('token-info'), |
4e4c8d40 | 349 | }, |
3a5ae7a0 SI |
350 | }, |
351 | type => "object" | |
2c3a6c0a DM |
352 | }, |
353 | code => sub { | |
354 | my ($param) = @_; | |
355 | ||
3e5b237f | 356 | my ($username, undef, $domain) = PVE::AccessControl::verify_username($param->{userid}); |
2c3a6c0a DM |
357 | |
358 | my $usercfg = cfs_read_file("user.cfg"); | |
2c3a6c0a | 359 | |
37d45deb | 360 | my $data = PVE::AccessControl::check_user_exist($usercfg, $username); |
0a6e09fd | 361 | |
2c3a6c0a DM |
362 | return &$extract_user_data($data, 1); |
363 | }}); | |
364 | ||
365 | __PACKAGE__->register_method ({ | |
0a6e09fd | 366 | name => 'update_user', |
2c3a6c0a | 367 | protected => 1, |
0a6e09fd | 368 | path => '{userid}', |
2c3a6c0a | 369 | method => 'PUT', |
0a6e09fd | 370 | permissions => { |
aee071ad | 371 | check => ['userid-group', ['User.Modify'], groups_param => 'update' ], |
96919234 | 372 | }, |
2c3a6c0a DM |
373 | description => "Update user configuration.", |
374 | parameters => { | |
0a6e09fd | 375 | additionalProperties => 0, |
2c3a6c0a | 376 | properties => { |
3a5ae7a0 SI |
377 | userid => get_standard_option('userid-completed'), |
378 | enable => get_standard_option('user-enable'), | |
379 | expire => get_standard_option('user-expire'), | |
380 | firstname => get_standard_option('user-firstname'), | |
381 | lastname => get_standard_option('user-lastname'), | |
382 | email => get_standard_option('user-email'), | |
383 | comment => get_standard_option('user-comment'), | |
384 | keys => get_standard_option('user-keys'), | |
385 | groups => get_standard_option('group-list'), | |
0a6e09fd PA |
386 | append => { |
387 | type => 'boolean', | |
2c3a6c0a DM |
388 | optional => 1, |
389 | requires => 'groups', | |
390 | }, | |
2c3a6c0a DM |
391 | }, |
392 | }, | |
393 | returns => { type => 'null' }, | |
394 | code => sub { | |
395 | my ($param) = @_; | |
37d45deb | 396 | |
3e5b237f | 397 | my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid}); |
0a6e09fd | 398 | |
3e5b237f TL |
399 | PVE::AccessControl::lock_user_config(sub { |
400 | my $usercfg = cfs_read_file("user.cfg"); | |
2c3a6c0a | 401 | |
3e5b237f | 402 | PVE::AccessControl::check_user_exist($usercfg, $username); |
2c3a6c0a | 403 | |
3e5b237f TL |
404 | $usercfg->{users}->{$username}->{enable} = $param->{enable} if defined($param->{enable}); |
405 | $usercfg->{users}->{$username}->{expire} = $param->{expire} if defined($param->{expire}); | |
2c3a6c0a | 406 | |
3e5b237f TL |
407 | PVE::AccessControl::delete_user_group($username, $usercfg) |
408 | if (!$param->{append} && defined($param->{groups})); | |
2c3a6c0a | 409 | |
3e5b237f TL |
410 | if ($param->{groups}) { |
411 | foreach my $group (split_list($param->{groups})) { | |
412 | if ($usercfg->{groups}->{$group}) { | |
413 | PVE::AccessControl::add_user_group($username, $usercfg, $group); | |
414 | } else { | |
415 | die "no such group '$group'\n"; | |
2c3a6c0a DM |
416 | } |
417 | } | |
3e5b237f | 418 | } |
2c3a6c0a | 419 | |
3e5b237f TL |
420 | $usercfg->{users}->{$username}->{firstname} = $param->{firstname} if defined($param->{firstname}); |
421 | $usercfg->{users}->{$username}->{lastname} = $param->{lastname} if defined($param->{lastname}); | |
422 | $usercfg->{users}->{$username}->{email} = $param->{email} if defined($param->{email}); | |
423 | $usercfg->{users}->{$username}->{comment} = $param->{comment} if defined($param->{comment}); | |
424 | $usercfg->{users}->{$username}->{keys} = $param->{keys} if defined($param->{keys}); | |
2c3a6c0a | 425 | |
3e5b237f TL |
426 | cfs_write_file("user.cfg", $usercfg); |
427 | }, "update user failed"); | |
0a6e09fd | 428 | |
2c3a6c0a DM |
429 | return undef; |
430 | }}); | |
431 | ||
432 | __PACKAGE__->register_method ({ | |
0a6e09fd | 433 | name => 'delete_user', |
2c3a6c0a | 434 | protected => 1, |
0a6e09fd | 435 | path => '{userid}', |
2c3a6c0a DM |
436 | method => 'DELETE', |
437 | description => "Delete user.", | |
0a6e09fd | 438 | permissions => { |
82b63965 | 439 | check => [ 'and', |
3e5b237f TL |
440 | [ 'userid-param', 'Realm.AllocateUser'], |
441 | [ 'userid-group', ['User.Modify']], | |
442 | ], | |
12683df7 | 443 | }, |
2c3a6c0a | 444 | parameters => { |
0a6e09fd | 445 | additionalProperties => 0, |
2c3a6c0a | 446 | properties => { |
3a5ae7a0 | 447 | userid => get_standard_option('userid-completed'), |
2c3a6c0a DM |
448 | } |
449 | }, | |
450 | returns => { type => 'null' }, | |
451 | code => sub { | |
452 | my ($param) = @_; | |
0a6e09fd | 453 | |
37d45deb DM |
454 | my $rpcenv = PVE::RPCEnvironment::get(); |
455 | my $authuser = $rpcenv->get_user(); | |
456 | ||
3e5b237f | 457 | my ($userid, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid}); |
2c3a6c0a | 458 | |
3e5b237f TL |
459 | PVE::AccessControl::lock_user_config(sub { |
460 | my $usercfg = cfs_read_file("user.cfg"); | |
2c3a6c0a | 461 | |
ba6cc98f TL |
462 | # NOTE: disable the user first (transaction like), so if (e.g.) we fail in the middle of |
463 | # TFA deletion the user will be still disabled and not just without TFA protection. | |
464 | $usercfg->{users}->{$userid}->{enable} = 0; | |
465 | cfs_write_file("user.cfg", $usercfg); | |
466 | ||
3e5b237f TL |
467 | my $domain_cfg = cfs_read_file('domains.cfg'); |
468 | if (my $cfg = $domain_cfg->{ids}->{$realm}) { | |
469 | my $plugin = PVE::Auth::Plugin->lookup($cfg->{type}); | |
470 | $plugin->delete_user($cfg, $realm, $ruid); | |
471 | } | |
2c3a6c0a | 472 | |
8ecf1a49 TL |
473 | # Remove user from cache before removing the TFA entry so realms with TFA-enforcement |
474 | # know that it's OK to drop any TFA entry in that case. | |
3e5b237f | 475 | delete $usercfg->{users}->{$userid}; |
37d45deb | 476 | |
e780b46a TL |
477 | my $partial_deletion = ''; |
478 | eval { | |
d168ab34 | 479 | PVE::AccessControl::user_remove_tfa($userid); |
e780b46a TL |
480 | $partial_deletion = ' - but deleted related TFA'; |
481 | ||
482 | PVE::AccessControl::delete_user_group($userid, $usercfg); | |
483 | $partial_deletion .= ', Groups'; | |
484 | PVE::AccessControl::delete_user_acl($userid, $usercfg); | |
485 | $partial_deletion .= ', ACLs'; | |
486 | ||
487 | cfs_write_file("user.cfg", $usercfg); | |
488 | }; | |
489 | die "$@$partial_deletion\n" if $@; | |
3e5b237f | 490 | }, "delete user failed"); |
0a6e09fd | 491 | |
2c3a6c0a DM |
492 | return undef; |
493 | }}); | |
494 | ||
e51988b4 DC |
495 | __PACKAGE__->register_method ({ |
496 | name => 'read_user_tfa_type', | |
497 | path => '{userid}/tfa', | |
498 | method => 'GET', | |
499 | protected => 1, | |
500 | description => "Get user TFA types (Personal and Realm).", | |
501 | permissions => { | |
502 | check => [ 'or', | |
503 | ['userid-param', 'self'], | |
504 | ['userid-group', ['User.Modify', 'Sys.Audit']], | |
505 | ], | |
506 | }, | |
507 | parameters => { | |
508 | additionalProperties => 0, | |
509 | properties => { | |
510 | userid => get_standard_option('userid-completed'), | |
f7f2e28e WB |
511 | multiple => { |
512 | type => 'boolean', | |
513 | description => 'Request all entries as an array.', | |
514 | optional => 1, | |
515 | default => 0, | |
516 | }, | |
e51988b4 DC |
517 | }, |
518 | }, | |
519 | returns => { | |
520 | additionalProperties => 0, | |
521 | properties => { | |
522 | realm => { | |
523 | type => 'string', | |
524 | enum => [qw(oath yubico)], | |
525 | description => "The type of TFA the users realm has set, if any.", | |
526 | optional => 1, | |
527 | }, | |
528 | user => { | |
529 | type => 'string', | |
530 | enum => [qw(oath u2f)], | |
f7f2e28e WB |
531 | description => |
532 | "The type of TFA the user has set, if any." | |
533 | . " Only set if 'multiple' was not passed.", | |
e51988b4 DC |
534 | optional => 1, |
535 | }, | |
f7f2e28e WB |
536 | types => { |
537 | type => 'array', | |
538 | description => | |
539 | "Array of the user configured TFA types, if any." | |
540 | . " Only available if 'multiple' was not passed.", | |
541 | optional => 1, | |
542 | items => { | |
543 | type => 'string', | |
544 | enum => [qw(totp u2f yubico webauthn recovedry)], | |
545 | description => 'A TFA type.', | |
546 | }, | |
547 | }, | |
e51988b4 DC |
548 | }, |
549 | type => "object" | |
550 | }, | |
551 | code => sub { | |
552 | my ($param) = @_; | |
553 | ||
554 | my ($username, undef, $realm) = PVE::AccessControl::verify_username($param->{userid}); | |
555 | ||
e51988b4 DC |
556 | my $domain_cfg = cfs_read_file('domains.cfg'); |
557 | my $realm_cfg = $domain_cfg->{ids}->{$realm}; | |
558 | die "auth domain '$realm' does not exist\n" if !$realm_cfg; | |
559 | ||
f7f2e28e | 560 | my $res = {}; |
e51988b4 | 561 | my $realm_tfa = {}; |
3e5b237f | 562 | $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_cfg->{tfa}) if $realm_cfg->{tfa}; |
f7f2e28e | 563 | $res->{realm} = $realm_tfa->{type} if $realm_tfa->{type}; |
e51988b4 DC |
564 | |
565 | my $tfa_cfg = cfs_read_file('priv/tfa.cfg'); | |
f7f2e28e WB |
566 | if ($param->{multiple}) { |
567 | my $tfa = $tfa_cfg->get_user($username); | |
568 | my $user = []; | |
569 | foreach my $type (keys %$tfa) { | |
570 | next if !scalar($tfa->{$type}->@*); | |
571 | push @$user, $type; | |
572 | } | |
573 | $res->{user} = $user; | |
574 | } else { | |
575 | my $tfa = $tfa_cfg->{users}->{$username}; | |
576 | $res->{user} = $tfa->{type} if $tfa->{type}; | |
577 | } | |
e51988b4 DC |
578 | return $res; |
579 | }}); | |
580 | ||
330b8dbb WB |
581 | __PACKAGE__->register_method ({ |
582 | name => 'unlock_tfa', | |
583 | path => '{userid}/unlock-tfa', | |
584 | method => 'PUT', | |
585 | protected => 1, | |
586 | description => "Unlock a user's TFA authentication.", | |
587 | permissions => { | |
588 | check => [ 'userid-group', ['User.Modify']], | |
589 | }, | |
590 | parameters => { | |
591 | additionalProperties => 0, | |
592 | properties => { | |
593 | userid => get_standard_option('userid-completed'), | |
594 | }, | |
595 | }, | |
596 | returns => { type => 'boolean' }, | |
597 | code => sub { | |
598 | my ($param) = @_; | |
599 | ||
600 | my $userid = extract_param($param, "userid"); | |
601 | ||
602 | my $user_was_locked = PVE::AccessControl::lock_tfa_config(sub { | |
603 | my $tfa_cfg = cfs_read_file('priv/tfa.cfg'); | |
604 | my $was_locked = $tfa_cfg->api_unlock_tfa($userid); | |
605 | cfs_write_file('priv/tfa.cfg', $tfa_cfg) | |
606 | if $was_locked; | |
607 | return $was_locked; | |
608 | }); | |
609 | ||
610 | return $user_was_locked; | |
611 | }}); | |
612 | ||
4e4c8d40 FG |
613 | __PACKAGE__->register_method ({ |
614 | name => 'token_index', | |
615 | path => '{userid}/token', | |
616 | method => 'GET', | |
617 | description => "Get user API tokens.", | |
618 | permissions => { | |
3e5b237f TL |
619 | check => [ |
620 | 'or', | |
621 | ['userid-param', 'self'], | |
59164ff1 | 622 | ['userid-group', ['User.Modify']], |
4e4c8d40 FG |
623 | ], |
624 | }, | |
625 | parameters => { | |
626 | additionalProperties => 0, | |
627 | properties => { | |
628 | userid => get_standard_option('userid-completed'), | |
629 | }, | |
630 | }, | |
631 | returns => { | |
632 | type => "array", | |
633 | items => $token_info_extend->({ | |
634 | tokenid => get_standard_option('token-subid'), | |
635 | }), | |
636 | links => [ { rel => 'child', href => "{tokenid}" } ], | |
637 | }, | |
638 | code => sub { | |
639 | my ($param) = @_; | |
640 | ||
641 | my $userid = PVE::AccessControl::verify_username($param->{userid}); | |
642 | my $usercfg = cfs_read_file("user.cfg"); | |
643 | ||
644 | my $user = PVE::AccessControl::check_user_exist($usercfg, $userid); | |
645 | ||
646 | my $tokens = $user->{tokens} // {}; | |
647 | return [ map { $tokens->{$_}->{tokenid} = $_; $tokens->{$_} } keys %$tokens]; | |
648 | }}); | |
649 | ||
650 | __PACKAGE__->register_method ({ | |
651 | name => 'read_token', | |
652 | path => '{userid}/token/{tokenid}', | |
653 | method => 'GET', | |
654 | description => "Get specific API token information.", | |
655 | permissions => { | |
3e5b237f TL |
656 | check => [ |
657 | 'or', | |
658 | ['userid-param', 'self'], | |
59164ff1 | 659 | ['userid-group', ['User.Modify']], |
4e4c8d40 FG |
660 | ], |
661 | }, | |
662 | parameters => { | |
663 | additionalProperties => 0, | |
664 | properties => { | |
665 | userid => get_standard_option('userid-completed'), | |
666 | tokenid => get_standard_option('token-subid'), | |
667 | }, | |
668 | }, | |
669 | returns => get_standard_option('token-info'), | |
670 | code => sub { | |
671 | my ($param) = @_; | |
672 | ||
673 | my $userid = PVE::AccessControl::verify_username($param->{userid}); | |
674 | my $tokenid = $param->{tokenid}; | |
675 | ||
676 | my $usercfg = cfs_read_file("user.cfg"); | |
677 | ||
678 | return PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid); | |
679 | }}); | |
680 | ||
681 | __PACKAGE__->register_method ({ | |
682 | name => 'generate_token', | |
683 | path => '{userid}/token/{tokenid}', | |
684 | method => 'POST', | |
685 | description => "Generate a new API token for a specific user. NOTE: returns API token value, which needs to be stored as it cannot be retrieved afterwards!", | |
686 | protected => 1, | |
687 | permissions => { | |
3e5b237f TL |
688 | check => [ |
689 | 'or', | |
690 | ['userid-param', 'self'], | |
59164ff1 | 691 | ['userid-group', ['User.Modify']], |
4e4c8d40 FG |
692 | ], |
693 | }, | |
694 | parameters => { | |
695 | additionalProperties => 0, | |
696 | properties => { | |
697 | userid => get_standard_option('userid-completed'), | |
698 | tokenid => get_standard_option('token-subid'), | |
699 | expire => get_standard_option('token-expire'), | |
700 | privsep => get_standard_option('token-privsep'), | |
701 | comment => get_standard_option('token-comment'), | |
702 | }, | |
703 | }, | |
704 | returns => { | |
705 | additionalProperties => 0, | |
706 | type => "object", | |
707 | properties => { | |
708 | info => get_standard_option('token-info'), | |
709 | value => { | |
710 | type => 'string', | |
711 | description => 'API token value used for authentication.', | |
712 | }, | |
77bfb48e TL |
713 | 'full-tokenid' => { |
714 | type => 'string', | |
715 | format_description => '<userid>!<tokenid>', | |
716 | description => 'The full token id.', | |
717 | }, | |
4e4c8d40 FG |
718 | }, |
719 | }, | |
720 | code => sub { | |
721 | my ($param) = @_; | |
722 | ||
723 | my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid')); | |
724 | my $tokenid = extract_param($param, 'tokenid'); | |
725 | ||
726 | my $usercfg = cfs_read_file("user.cfg"); | |
727 | ||
728 | my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid, 1); | |
77bfb48e | 729 | my ($full_tokenid, $value); |
4e4c8d40 FG |
730 | |
731 | PVE::AccessControl::check_user_exist($usercfg, $userid); | |
732 | raise_param_exc({ 'tokenid' => 'Token already exists.' }) if defined($token); | |
733 | ||
734 | my $generate_and_add_token = sub { | |
735 | $usercfg = cfs_read_file("user.cfg"); | |
736 | PVE::AccessControl::check_user_exist($usercfg, $userid); | |
737 | die "Token already exists.\n" if defined(PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid, 1)); | |
738 | ||
77bfb48e | 739 | $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid); |
4e4c8d40 FG |
740 | $value = PVE::TokenConfig::generate_token($full_tokenid); |
741 | ||
742 | $token = {}; | |
743 | $token->{privsep} = defined($param->{privsep}) ? $param->{privsep} : 1; | |
744 | $token->{expire} = $param->{expire} if defined($param->{expire}); | |
745 | $token->{comment} = $param->{comment} if $param->{comment}; | |
746 | ||
747 | $usercfg->{users}->{$userid}->{tokens}->{$tokenid} = $token; | |
748 | cfs_write_file("user.cfg", $usercfg); | |
749 | }; | |
750 | ||
751 | PVE::AccessControl::lock_user_config($generate_and_add_token, 'generating token failed'); | |
752 | ||
77bfb48e TL |
753 | return { |
754 | info => $token, | |
755 | value => $value, | |
756 | 'full-tokenid' => $full_tokenid, | |
757 | }; | |
4e4c8d40 FG |
758 | }}); |
759 | ||
760 | ||
761 | __PACKAGE__->register_method ({ | |
762 | name => 'update_token_info', | |
763 | path => '{userid}/token/{tokenid}', | |
764 | method => 'PUT', | |
765 | description => "Update API token for a specific user.", | |
766 | protected => 1, | |
767 | permissions => { | |
3e5b237f TL |
768 | check => [ |
769 | 'or', | |
770 | ['userid-param', 'self'], | |
59164ff1 | 771 | ['userid-group', ['User.Modify']], |
4e4c8d40 FG |
772 | ], |
773 | }, | |
774 | parameters => { | |
775 | additionalProperties => 0, | |
776 | properties => { | |
777 | userid => get_standard_option('userid-completed'), | |
778 | tokenid => get_standard_option('token-subid'), | |
779 | expire => get_standard_option('token-expire'), | |
780 | privsep => get_standard_option('token-privsep'), | |
781 | comment => get_standard_option('token-comment'), | |
782 | }, | |
783 | }, | |
784 | returns => get_standard_option('token-info', { description => "Updated token information." }), | |
785 | code => sub { | |
786 | my ($param) = @_; | |
787 | ||
788 | my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid')); | |
789 | my $tokenid = extract_param($param, 'tokenid'); | |
790 | ||
791 | my $usercfg = cfs_read_file("user.cfg"); | |
792 | my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid); | |
793 | ||
3e5b237f | 794 | PVE::AccessControl::lock_user_config(sub { |
4e4c8d40 FG |
795 | $usercfg = cfs_read_file("user.cfg"); |
796 | $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid); | |
797 | ||
798 | my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid); | |
799 | ||
800 | $token->{privsep} = $param->{privsep} if defined($param->{privsep}); | |
801 | $token->{expire} = $param->{expire} if defined($param->{expire}); | |
802 | $token->{comment} = $param->{comment} if $param->{comment}; | |
803 | ||
804 | $usercfg->{users}->{$userid}->{tokens}->{$tokenid} = $token; | |
805 | cfs_write_file("user.cfg", $usercfg); | |
3e5b237f | 806 | }, 'updating token info failed'); |
4e4c8d40 FG |
807 | |
808 | return $token; | |
809 | }}); | |
810 | ||
811 | ||
812 | __PACKAGE__->register_method ({ | |
813 | name => 'remove_token', | |
814 | path => '{userid}/token/{tokenid}', | |
815 | method => 'DELETE', | |
816 | description => "Remove API token for a specific user.", | |
817 | protected => 1, | |
818 | permissions => { | |
3e5b237f TL |
819 | check => [ |
820 | 'or', | |
821 | ['userid-param', 'self'], | |
59164ff1 | 822 | ['userid-group', ['User.Modify']], |
4e4c8d40 FG |
823 | ], |
824 | }, | |
825 | parameters => { | |
826 | additionalProperties => 0, | |
827 | properties => { | |
828 | userid => get_standard_option('userid-completed'), | |
829 | tokenid => get_standard_option('token-subid'), | |
830 | }, | |
831 | }, | |
832 | returns => { type => 'null' }, | |
833 | code => sub { | |
834 | my ($param) = @_; | |
835 | ||
836 | my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid')); | |
837 | my $tokenid = extract_param($param, 'tokenid'); | |
838 | ||
839 | my $usercfg = cfs_read_file("user.cfg"); | |
840 | my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid); | |
841 | ||
3e5b237f | 842 | PVE::AccessControl::lock_user_config(sub { |
4e4c8d40 FG |
843 | $usercfg = cfs_read_file("user.cfg"); |
844 | ||
845 | PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid); | |
846 | ||
847 | my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid); | |
848 | PVE::TokenConfig::delete_token($full_tokenid); | |
849 | delete $usercfg->{users}->{$userid}->{tokens}->{$tokenid}; | |
850 | ||
851 | cfs_write_file("user.cfg", $usercfg); | |
3e5b237f | 852 | }, 'deleting token failed'); |
4e4c8d40 FG |
853 | |
854 | return; | |
855 | }}); | |
2c3a6c0a | 856 | 1; |