]> git.proxmox.com Git - pve-access-control.git/blame - src/PVE/API2/User.pm
projects / pve-access-control.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
api2: token: use userid-group as API perm check
[pve-access-control.git] / src / PVE / API2 / User.pm
CommitLineData
2c3a6c0a
DM		 1package PVE::API2::User;
2
3use strict;
4use warnings;
525a931b 5
4e4c8d40 6use PVE::Exception qw(raise raise_perm_exc raise_param_exc);
2c3a6c0a 7use PVE::Cluster qw (cfs_read_file cfs_write_file);
4e4c8d40 8use PVE::Tools qw(split_list extract_param);
3a5ae7a0 9use PVE::JSONSchema qw(get_standard_option register_standard_option);
2c3a6c0a
DM		 10use PVE::SafeSyslog;
11
525a931b 12use PVE::AccessControl;
d658d04a 13use PVE::Auth::Plugin;
525a931b
TL		 14use PVE::TokenConfig;
15
2c3a6c0a
DM		 16use PVE::RESTHandler;
17
18use base qw(PVE::RESTHandler);
19
3a5ae7a0
SI		 20register_standard_option('user-enable', {
21 description => "Enable the account (default). You can set this to '0' to disable the account",
22 type => 'boolean',
23 optional => 1,
24 default => 1,
25});
26register_standard_option('user-expire', {
27 description => "Account expiration date (seconds since epoch). '0' means no expiration date.",
28 type => 'integer',
29 minimum => 0,
30 optional => 1,
31});
32register_standard_option('user-firstname', { type => 'string', optional => 1 });
33register_standard_option('user-lastname', { type => 'string', optional => 1 });
34register_standard_option('user-email', { type => 'string', optional => 1, format => 'email-opt' });
35register_standard_option('user-comment', { type => 'string', optional => 1 });
36register_standard_option('user-keys', {
37 description => "Keys for two factor auth (yubico).",
38 type => 'string',
39 optional => 1,
40});
41register_standard_option('group-list', {
42 type => 'string', format => 'pve-groupid-list',
43 optional => 1,
44 completion => \&PVE::AccessControl::complete_group,
45});
4e4c8d40
FG		 46register_standard_option('token-subid', {
47 type => 'string',
48 pattern => $PVE::AccessControl::token_subid_regex,
49 description => 'User-specific token identifier.',
50});
51register_standard_option('token-expire', {
52 description => "API token expiration date (seconds since epoch). '0' means no expiration date.",
53 type => 'integer',
54 minimum => 0,
55 optional => 1,
b974bdc0 56 default => 'same as user',
4e4c8d40
FG		 57});
58register_standard_option('token-privsep', {
59 description => "Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.",
60 type => 'boolean',
61 optional => 1,
62 default => 1,
63});
64register_standard_option('token-comment', { type => 'string', optional => 1 });
65register_standard_option('token-info', {
66 type => 'object',
67 properties => {
68 expire => get_standard_option('token-expire'),
69 privsep => get_standard_option('token-privsep'),
70 comment => get_standard_option('token-comment'),
71 }
72});
73
74my $token_info_extend = sub {
75 my ($props) = @_;
76
77 my $obj = get_standard_option('token-info');
78 my $base_props = $obj->{properties};
79 $obj->{properties} = {};
80
81 foreach my $prop (keys %$base_props) {
82 $obj->{properties}->{$prop} = $base_props->{$prop};
83 }
84
85 foreach my $add_prop (keys %$props) {
86 $obj->{properties}->{$add_prop} = $props->{$add_prop};
87 }
88
89 return $obj;
90};
3a5ae7a0 91
2c3a6c0a
DM		 92my $extract_user_data = sub {
93 my ($data, $full) = @_;
94
95 my $res = {};
96
96f8ebd6 97 foreach my $prop (qw(enable expire firstname lastname email comment keys)) {
2c3a6c0a
DM		 98 $res->{$prop} = $data->{$prop} if defined($data->{$prop});
99 }
100
101 return $res if !$full;
102
103 $res->{groups} = $data->{groups} ? [ keys %{$data->{groups}} ] : [];
4e4c8d40 104 $res->{tokens} = $data->{tokens};
2c3a6c0a
DM		 105
106 return $res;
107};
108
109__PACKAGE__->register_method ({
0a6e09fd
PA		 110 name => 'index',
111 path => '',
2c3a6c0a
DM		 112 method => 'GET',
113 description => "User index.",
0a6e09fd 114 permissions => {
82b63965 115 description => "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.",
96919234
DM		 116 user => 'all',
117 },
2c3a6c0a
DM		 118 parameters => {
119 additionalProperties => 0,
cb6f2f93
DM		 120 properties => {
121 enabled => {
122 type => 'boolean',
123 description => "Optional filter for enable property.",
124 optional => 1,
3a4ed527
FG		 125 },
126 full => {
127 type => 'boolean',
128 description => "Include group and token information.",
129 optional => 1,
130 default => 0,
cb6f2f93
DM		 131 }
132 },
2c3a6c0a
DM		 133 },
134 returns => {
135 type => 'array',
136 items => {
137 type => "object",
138 properties => {
3a5ae7a0
SI		 139 userid => get_standard_option('userid-completed'),
140 enable => get_standard_option('user-enable'),
141 expire => get_standard_option('user-expire'),
142 firstname => get_standard_option('user-firstname'),
143 lastname => get_standard_option('user-lastname'),
144 email => get_standard_option('user-email'),
145 comment => get_standard_option('user-comment'),
146 keys => get_standard_option('user-keys'),
3a4ed527
FG		 147 groups => get_standard_option('group-list'),
148 tokens => {
149 type => 'array',
150 optional => 1,
151 items => $token_info_extend->({
152 tokenid => get_standard_option('token-subid'),
153 }),
8bb59c26 154 },
3f6023f5
TL		 155 'realm-type' => {
156 type => 'string', format => 'pve-realm',
8bb59c26 157 description => 'The type of the users realm',
3f6023f5 158 optional => 1, # it should always be there, but we use conditional code below, so..
8bb59c26 159 },
2c3a6c0a
DM		 160 },
161 },
162 links => [ { rel => 'child', href => "{userid}" } ],
163 },
164 code => sub {
165 my ($param) = @_;
0a6e09fd 166
930dcfc8 167 my $rpcenv = PVE::RPCEnvironment::get();
37d45deb 168 my $usercfg = $rpcenv->{user_cfg};
930dcfc8
DM		 169 my $authuser = $rpcenv->get_user();
170
8bb59c26
DC		 171 my $domainscfg = cfs_read_file('domains.cfg');
172 my $domainids = $domainscfg->{ids};
173
2c3a6c0a
DM		 174 my $res = [];
175
82b63965
DM		 176 my $privs = [ 'User.Modify', 'Sys.Audit' ];
177 my $canUserMod = $rpcenv->check_any($authuser, "/access/groups", $privs, 1);
b9180ed2 178 my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
0a6e09fd 179 my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
37d45deb 180
525a931b 181 foreach my $user (sort keys %{$usercfg->{users}}) {
37d45deb
DM		 182 if (!($canUserMod || $user eq $authuser)) {
183 next if !$allowed_users->{$user};
184 }
930dcfc8 185
525a931b 186 my $entry = $extract_user_data->($usercfg->{users}->{$user}, $param->{full});
cb6f2f93
DM		 187
188 if (defined($param->{enabled})) {
189 next if $entry->{enable} && !$param->{enabled};
190 next if !$entry->{enable} && $param->{enabled};
191 }
192
3a4ed527 193 $entry->{groups} = join(',', @{$entry->{groups}}) if $entry->{groups};
525a931b
TL		 194
195 if (defined(my $tokens = $entry->{tokens})) {
196 $entry->{tokens} = [
197 map { { tokenid => $_, %{$tokens->{$_}} } } sort keys %$tokens
198 ];
199 }
3a4ed527 200
d658d04a
TL		 201 if ($user =~ /($PVE::Auth::Plugin::realm_regex)$/) {
202 my $realm = $1;
203 $entry->{'realm-type'} = $domainids->{$realm}->{type} if exists $domainids->{$realm};
8bb59c26
DC		 204 }
205
2c3a6c0a 206 $entry->{userid} = $user;
525a931b 207
2c3a6c0a
DM		 208 push @$res, $entry;
209 }
210
211 return $res;
212 }});
213
214__PACKAGE__->register_method ({
0a6e09fd 215 name => 'create_user',
2c3a6c0a 216 protected => 1,
0a6e09fd 217 path => '',
2c3a6c0a 218 method => 'POST',
0a6e09fd 219 permissions => {
82b63965 220 description => "You need 'Realm.AllocateUser' on '/access/realm/<realm>' on the realm of user <userid>, and 'User.Modify' permissions to '/access/groups/<group>' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.",
3e5b237f
TL		 221 check => [
222 'and',
223 [ 'userid-param', 'Realm.AllocateUser'],
aee071ad 224 [ 'userid-group', ['User.Modify'], groups_param => 'create'],
3e5b237f 225 ],
96919234 226 },
2c3a6c0a
DM		 227 description => "Create new user.",
228 parameters => {
0a6e09fd 229 additionalProperties => 0,
2c3a6c0a 230 properties => {
3a5ae7a0
SI		 231 userid => get_standard_option('userid-completed'),
232 enable => get_standard_option('user-enable'),
233 expire => get_standard_option('user-expire'),
234 firstname => get_standard_option('user-firstname'),
235 lastname => get_standard_option('user-lastname'),
236 email => get_standard_option('user-email'),
237 comment => get_standard_option('user-comment'),
238 keys => get_standard_option('user-keys'),
37d45deb
DM		 239 password => {
240 description => "Initial password.",
0a6e09fd
PA		 241 type => 'string',
242 optional => 1,
243 minLength => 5,
244 maxLength => 64
37d45deb 245 },
3a5ae7a0 246 groups => get_standard_option('group-list'),
2c3a6c0a
DM		 247 },
248 },
249 returns => { type => 'null' },
250 code => sub {
251 my ($param) = @_;
252
2dd1e1d4
TL		 253 PVE::AccessControl::lock_user_config(sub {
254 my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
0a6e09fd 255
2dd1e1d4 256 my $usercfg = cfs_read_file("user.cfg");
0a6e09fd 257
f335d265
TL		 258 # ensure "user exists" check works for case insensitive realms
259 $username = PVE::AccessControl::lookup_username($username, 1);
260 die "user '$username' already exists\n" if $usercfg->{users}->{$username};
2c3a6c0a 261
2dd1e1d4
TL		 262 PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password})
263 if defined($param->{password});
0a6e09fd 264
2dd1e1d4
TL		 265 my $enable = defined($param->{enable}) ? $param->{enable} : 1;
266 $usercfg->{users}->{$username} = { enable => $enable };
267 $usercfg->{users}->{$username}->{expire} = $param->{expire} if $param->{expire};
2c3a6c0a 268
2dd1e1d4
TL		 269 if ($param->{groups}) {
270 foreach my $group (split_list($param->{groups})) {
271 if ($usercfg->{groups}->{$group}) {
272 PVE::AccessControl::add_user_group($username, $usercfg, $group);
273 } else {
274 die "no such group '$group'\n";
2c3a6c0a
DM		 275 }
276 }
2dd1e1d4 277 }
2c3a6c0a 278
2dd1e1d4
TL		 279 $usercfg->{users}->{$username}->{firstname} = $param->{firstname} if $param->{firstname};
280 $usercfg->{users}->{$username}->{lastname} = $param->{lastname} if $param->{lastname};
281 $usercfg->{users}->{$username}->{email} = $param->{email} if $param->{email};
282 $usercfg->{users}->{$username}->{comment} = $param->{comment} if $param->{comment};
283 $usercfg->{users}->{$username}->{keys} = $param->{keys} if $param->{keys};
2c3a6c0a 284
2dd1e1d4
TL		 285 cfs_write_file("user.cfg", $usercfg);
286 }, "create user failed");
2c3a6c0a
DM		 287
288 return undef;
289 }});
290
291__PACKAGE__->register_method ({
0a6e09fd
PA		 292 name => 'read_user',
293 path => '{userid}',
2c3a6c0a
DM		 294 method => 'GET',
295 description => "Get user configuration.",
0a6e09fd 296 permissions => {
82b63965 297 check => ['userid-group', ['User.Modify', 'Sys.Audit']],
96919234 298 },
2c3a6c0a 299 parameters => {
0a6e09fd 300 additionalProperties => 0,
2c3a6c0a 301 properties => {
3a5ae7a0 302 userid => get_standard_option('userid-completed'),
2c3a6c0a
DM		 303 },
304 },
305 returns => {
0a6e09fd 306 additionalProperties => 0,
2c3a6c0a 307 properties => {
3a5ae7a0
SI		 308 enable => get_standard_option('user-enable'),
309 expire => get_standard_option('user-expire'),
310 firstname => get_standard_option('user-firstname'),
311 lastname => get_standard_option('user-lastname'),
312 email => get_standard_option('user-email'),
313 comment => get_standard_option('user-comment'),
314 keys => get_standard_option('user-keys'),
4e4c8d40
FG		 315 groups => {
316 type => 'array',
72c4589c 317 optional => 1,
4e4c8d40
FG		 318 items => {
319 type => 'string',
320 format => 'pve-groupid',
321 },
322 },
323 tokens => {
72c4589c 324 optional => 1,
4e4c8d40 325 type => 'object',
031e388f 326 additionalProperties => get_standard_option('token-info'),
4e4c8d40 327 },
3a5ae7a0
SI		 328 },
329 type => "object"
2c3a6c0a
DM		 330 },
331 code => sub {
332 my ($param) = @_;
333
3e5b237f 334 my ($username, undef, $domain) = PVE::AccessControl::verify_username($param->{userid});
2c3a6c0a
DM		 335
336 my $usercfg = cfs_read_file("user.cfg");
2c3a6c0a 337
37d45deb 338 my $data = PVE::AccessControl::check_user_exist($usercfg, $username);
0a6e09fd 339
2c3a6c0a
DM		 340 return &$extract_user_data($data, 1);
341 }});
342
343__PACKAGE__->register_method ({
0a6e09fd 344 name => 'update_user',
2c3a6c0a 345 protected => 1,
0a6e09fd 346 path => '{userid}',
2c3a6c0a 347 method => 'PUT',
0a6e09fd 348 permissions => {
aee071ad 349 check => ['userid-group', ['User.Modify'], groups_param => 'update' ],
96919234 350 },
2c3a6c0a
DM		 351 description => "Update user configuration.",
352 parameters => {
0a6e09fd 353 additionalProperties => 0,
2c3a6c0a 354 properties => {
3a5ae7a0
SI		 355 userid => get_standard_option('userid-completed'),
356 enable => get_standard_option('user-enable'),
357 expire => get_standard_option('user-expire'),
358 firstname => get_standard_option('user-firstname'),
359 lastname => get_standard_option('user-lastname'),
360 email => get_standard_option('user-email'),
361 comment => get_standard_option('user-comment'),
362 keys => get_standard_option('user-keys'),
363 groups => get_standard_option('group-list'),
0a6e09fd
PA		 364 append => {
365 type => 'boolean',
2c3a6c0a
DM		 366 optional => 1,
367 requires => 'groups',
368 },
2c3a6c0a
DM		 369 },
370 },
371 returns => { type => 'null' },
372 code => sub {
373 my ($param) = @_;
37d45deb 374
3e5b237f 375 my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
0a6e09fd 376
3e5b237f
TL		 377 PVE::AccessControl::lock_user_config(sub {
378 my $usercfg = cfs_read_file("user.cfg");
2c3a6c0a 379
3e5b237f 380 PVE::AccessControl::check_user_exist($usercfg, $username);
2c3a6c0a 381
3e5b237f
TL		 382 $usercfg->{users}->{$username}->{enable} = $param->{enable} if defined($param->{enable});
383 $usercfg->{users}->{$username}->{expire} = $param->{expire} if defined($param->{expire});
2c3a6c0a 384
3e5b237f
TL		 385 PVE::AccessControl::delete_user_group($username, $usercfg)
386 if (!$param->{append} && defined($param->{groups}));
2c3a6c0a 387
3e5b237f
TL		 388 if ($param->{groups}) {
389 foreach my $group (split_list($param->{groups})) {
390 if ($usercfg->{groups}->{$group}) {
391 PVE::AccessControl::add_user_group($username, $usercfg, $group);
392 } else {
393 die "no such group '$group'\n";
2c3a6c0a
DM		 394 }
395 }
3e5b237f 396 }
2c3a6c0a 397
3e5b237f
TL		 398 $usercfg->{users}->{$username}->{firstname} = $param->{firstname} if defined($param->{firstname});
399 $usercfg->{users}->{$username}->{lastname} = $param->{lastname} if defined($param->{lastname});
400 $usercfg->{users}->{$username}->{email} = $param->{email} if defined($param->{email});
401 $usercfg->{users}->{$username}->{comment} = $param->{comment} if defined($param->{comment});
402 $usercfg->{users}->{$username}->{keys} = $param->{keys} if defined($param->{keys});
2c3a6c0a 403
3e5b237f
TL		 404 cfs_write_file("user.cfg", $usercfg);
405 }, "update user failed");
0a6e09fd 406
2c3a6c0a
DM		 407 return undef;
408 }});
409
410__PACKAGE__->register_method ({
0a6e09fd 411 name => 'delete_user',
2c3a6c0a 412 protected => 1,
0a6e09fd 413 path => '{userid}',
2c3a6c0a
DM		 414 method => 'DELETE',
415 description => "Delete user.",
0a6e09fd 416 permissions => {
82b63965 417 check => [ 'and',
3e5b237f
TL		 418 [ 'userid-param', 'Realm.AllocateUser'],
419 [ 'userid-group', ['User.Modify']],
420 ],
12683df7 421 },
2c3a6c0a 422 parameters => {
0a6e09fd 423 additionalProperties => 0,
2c3a6c0a 424 properties => {
3a5ae7a0 425 userid => get_standard_option('userid-completed'),
2c3a6c0a
DM		 426 }
427 },
428 returns => { type => 'null' },
429 code => sub {
430 my ($param) = @_;
0a6e09fd 431
37d45deb
DM		 432 my $rpcenv = PVE::RPCEnvironment::get();
433 my $authuser = $rpcenv->get_user();
434
3e5b237f 435 my ($userid, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
2c3a6c0a 436
3e5b237f
TL		 437 PVE::AccessControl::lock_user_config(sub {
438 my $usercfg = cfs_read_file("user.cfg");
2c3a6c0a 439
ba6cc98f
TL		 440 # NOTE: disable the user first (transaction like), so if (e.g.) we fail in the middle of
441 # TFA deletion the user will be still disabled and not just without TFA protection.
442 $usercfg->{users}->{$userid}->{enable} = 0;
443 cfs_write_file("user.cfg", $usercfg);
444
3e5b237f
TL		 445 my $domain_cfg = cfs_read_file('domains.cfg');
446 if (my $cfg = $domain_cfg->{ids}->{$realm}) {
447 my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
448 $plugin->delete_user($cfg, $realm, $ruid);
449 }
2c3a6c0a 450
8ecf1a49
TL		 451 # Remove user from cache before removing the TFA entry so realms with TFA-enforcement
452 # know that it's OK to drop any TFA entry in that case.
3e5b237f 453 delete $usercfg->{users}->{$userid};
37d45deb 454
e780b46a
TL		 455 my $partial_deletion = '';
456 eval {
d168ab34 457 PVE::AccessControl::user_remove_tfa($userid);
e780b46a
TL		 458 $partial_deletion = ' - but deleted related TFA';
459
460 PVE::AccessControl::delete_user_group($userid, $usercfg);
461 $partial_deletion .= ', Groups';
462 PVE::AccessControl::delete_user_acl($userid, $usercfg);
463 $partial_deletion .= ', ACLs';
464
465 cfs_write_file("user.cfg", $usercfg);
466 };
467 die "$@$partial_deletion\n" if $@;
3e5b237f 468 }, "delete user failed");
0a6e09fd 469
2c3a6c0a
DM		 470 return undef;
471 }});
472
e51988b4
DC		 473__PACKAGE__->register_method ({
474 name => 'read_user_tfa_type',
475 path => '{userid}/tfa',
476 method => 'GET',
477 protected => 1,
478 description => "Get user TFA types (Personal and Realm).",
479 permissions => {
480 check => [ 'or',
481 ['userid-param', 'self'],
482 ['userid-group', ['User.Modify', 'Sys.Audit']],
483 ],
484 },
485 parameters => {
486 additionalProperties => 0,
487 properties => {
488 userid => get_standard_option('userid-completed'),
f7f2e28e
WB		 489 multiple => {
490 type => 'boolean',
491 description => 'Request all entries as an array.',
492 optional => 1,
493 default => 0,
494 },
e51988b4
DC		 495 },
496 },
497 returns => {
498 additionalProperties => 0,
499 properties => {
500 realm => {
501 type => 'string',
502 enum => [qw(oath yubico)],
503 description => "The type of TFA the users realm has set, if any.",
504 optional => 1,
505 },
506 user => {
507 type => 'string',
508 enum => [qw(oath u2f)],
f7f2e28e
WB		 509 description =>
510 "The type of TFA the user has set, if any."
511 . " Only set if 'multiple' was not passed.",
e51988b4
DC		 512 optional => 1,
513 },
f7f2e28e
WB		 514 types => {
515 type => 'array',
516 description =>
517 "Array of the user configured TFA types, if any."
518 . " Only available if 'multiple' was not passed.",
519 optional => 1,
520 items => {
521 type => 'string',
522 enum => [qw(totp u2f yubico webauthn recovedry)],
523 description => 'A TFA type.',
524 },
525 },
e51988b4
DC		 526 },
527 type => "object"
528 },
529 code => sub {
530 my ($param) = @_;
531
532 my ($username, undef, $realm) = PVE::AccessControl::verify_username($param->{userid});
533
e51988b4
DC		 534 my $domain_cfg = cfs_read_file('domains.cfg');
535 my $realm_cfg = $domain_cfg->{ids}->{$realm};
536 die "auth domain '$realm' does not exist\n" if !$realm_cfg;
537
f7f2e28e 538 my $res = {};
e51988b4 539 my $realm_tfa = {};
3e5b237f 540 $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_cfg->{tfa}) if $realm_cfg->{tfa};
f7f2e28e 541 $res->{realm} = $realm_tfa->{type} if $realm_tfa->{type};
e51988b4
DC		 542
543 my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
f7f2e28e
WB		 544 if ($param->{multiple}) {
545 my $tfa = $tfa_cfg->get_user($username);
546 my $user = [];
547 foreach my $type (keys %$tfa) {
548 next if !scalar($tfa->{$type}->@*);
549 push @$user, $type;
550 }
551 $res->{user} = $user;
552 } else {
553 my $tfa = $tfa_cfg->{users}->{$username};
554 $res->{user} = $tfa->{type} if $tfa->{type};
555 }
e51988b4
DC		 556 return $res;
557 }});
558
4e4c8d40
FG		 559__PACKAGE__->register_method ({
560 name => 'token_index',
561 path => '{userid}/token',
562 method => 'GET',
563 description => "Get user API tokens.",
564 permissions => {
3e5b237f
TL		 565 check => [
566 'or',
567 ['userid-param', 'self'],
59164ff1 568 ['userid-group', ['User.Modify']],
4e4c8d40
FG		 569 ],
570 },
571 parameters => {
572 additionalProperties => 0,
573 properties => {
574 userid => get_standard_option('userid-completed'),
575 },
576 },
577 returns => {
578 type => "array",
579 items => $token_info_extend->({
580 tokenid => get_standard_option('token-subid'),
581 }),
582 links => [ { rel => 'child', href => "{tokenid}" } ],
583 },
584 code => sub {
585 my ($param) = @_;
586
587 my $userid = PVE::AccessControl::verify_username($param->{userid});
588 my $usercfg = cfs_read_file("user.cfg");
589
590 my $user = PVE::AccessControl::check_user_exist($usercfg, $userid);
591
592 my $tokens = $user->{tokens} // {};
593 return [ map { $tokens->{$_}->{tokenid} = $_; $tokens->{$_} } keys %$tokens];
594 }});
595
596__PACKAGE__->register_method ({
597 name => 'read_token',
598 path => '{userid}/token/{tokenid}',
599 method => 'GET',
600 description => "Get specific API token information.",
601 permissions => {
3e5b237f
TL		 602 check => [
603 'or',
604 ['userid-param', 'self'],
59164ff1 605 ['userid-group', ['User.Modify']],
4e4c8d40
FG		 606 ],
607 },
608 parameters => {
609 additionalProperties => 0,
610 properties => {
611 userid => get_standard_option('userid-completed'),
612 tokenid => get_standard_option('token-subid'),
613 },
614 },
615 returns => get_standard_option('token-info'),
616 code => sub {
617 my ($param) = @_;
618
619 my $userid = PVE::AccessControl::verify_username($param->{userid});
620 my $tokenid = $param->{tokenid};
621
622 my $usercfg = cfs_read_file("user.cfg");
623
624 return PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
625 }});
626
627__PACKAGE__->register_method ({
628 name => 'generate_token',
629 path => '{userid}/token/{tokenid}',
630 method => 'POST',
631 description => "Generate a new API token for a specific user. NOTE: returns API token value, which needs to be stored as it cannot be retrieved afterwards!",
632 protected => 1,
633 permissions => {
3e5b237f
TL		 634 check => [
635 'or',
636 ['userid-param', 'self'],
59164ff1 637 ['userid-group', ['User.Modify']],
4e4c8d40
FG		 638 ],
639 },
640 parameters => {
641 additionalProperties => 0,
642 properties => {
643 userid => get_standard_option('userid-completed'),
644 tokenid => get_standard_option('token-subid'),
645 expire => get_standard_option('token-expire'),
646 privsep => get_standard_option('token-privsep'),
647 comment => get_standard_option('token-comment'),
648 },
649 },
650 returns => {
651 additionalProperties => 0,
652 type => "object",
653 properties => {
654 info => get_standard_option('token-info'),
655 value => {
656 type => 'string',
657 description => 'API token value used for authentication.',
658 },
77bfb48e
TL		 659 'full-tokenid' => {
660 type => 'string',
661 format_description => '<userid>!<tokenid>',
662 description => 'The full token id.',
663 },
4e4c8d40
FG		 664 },
665 },
666 code => sub {
667 my ($param) = @_;
668
669 my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
670 my $tokenid = extract_param($param, 'tokenid');
671
672 my $usercfg = cfs_read_file("user.cfg");
673
674 my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid, 1);
77bfb48e 675 my ($full_tokenid, $value);
4e4c8d40
FG		 676
677 PVE::AccessControl::check_user_exist($usercfg, $userid);
678 raise_param_exc({ 'tokenid' => 'Token already exists.' }) if defined($token);
679
680 my $generate_and_add_token = sub {
681 $usercfg = cfs_read_file("user.cfg");
682 PVE::AccessControl::check_user_exist($usercfg, $userid);
683 die "Token already exists.\n" if defined(PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid, 1));
684
77bfb48e 685 $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
4e4c8d40
FG		 686 $value = PVE::TokenConfig::generate_token($full_tokenid);
687
688 $token = {};
689 $token->{privsep} = defined($param->{privsep}) ? $param->{privsep} : 1;
690 $token->{expire} = $param->{expire} if defined($param->{expire});
691 $token->{comment} = $param->{comment} if $param->{comment};
692
693 $usercfg->{users}->{$userid}->{tokens}->{$tokenid} = $token;
694 cfs_write_file("user.cfg", $usercfg);
695 };
696
697 PVE::AccessControl::lock_user_config($generate_and_add_token, 'generating token failed');
698
77bfb48e
TL		 699 return {
700 info => $token,
701 value => $value,
702 'full-tokenid' => $full_tokenid,
703 };
4e4c8d40
FG		 704 }});
705
706
707__PACKAGE__->register_method ({
708 name => 'update_token_info',
709 path => '{userid}/token/{tokenid}',
710 method => 'PUT',
711 description => "Update API token for a specific user.",
712 protected => 1,
713 permissions => {
3e5b237f
TL		 714 check => [
715 'or',
716 ['userid-param', 'self'],
59164ff1 717 ['userid-group', ['User.Modify']],
4e4c8d40
FG		 718 ],
719 },
720 parameters => {
721 additionalProperties => 0,
722 properties => {
723 userid => get_standard_option('userid-completed'),
724 tokenid => get_standard_option('token-subid'),
725 expire => get_standard_option('token-expire'),
726 privsep => get_standard_option('token-privsep'),
727 comment => get_standard_option('token-comment'),
728 },
729 },
730 returns => get_standard_option('token-info', { description => "Updated token information." }),
731 code => sub {
732 my ($param) = @_;
733
734 my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
735 my $tokenid = extract_param($param, 'tokenid');
736
737 my $usercfg = cfs_read_file("user.cfg");
738 my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
739
3e5b237f 740 PVE::AccessControl::lock_user_config(sub {
4e4c8d40
FG		 741 $usercfg = cfs_read_file("user.cfg");
742 $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
743
744 my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
745
746 $token->{privsep} = $param->{privsep} if defined($param->{privsep});
747 $token->{expire} = $param->{expire} if defined($param->{expire});
748 $token->{comment} = $param->{comment} if $param->{comment};
749
750 $usercfg->{users}->{$userid}->{tokens}->{$tokenid} = $token;
751 cfs_write_file("user.cfg", $usercfg);
3e5b237f 752 }, 'updating token info failed');
4e4c8d40
FG		 753
754 return $token;
755 }});
756
757
758__PACKAGE__->register_method ({
759 name => 'remove_token',
760 path => '{userid}/token/{tokenid}',
761 method => 'DELETE',
762 description => "Remove API token for a specific user.",
763 protected => 1,
764 permissions => {
3e5b237f
TL		 765 check => [
766 'or',
767 ['userid-param', 'self'],
59164ff1 768 ['userid-group', ['User.Modify']],
4e4c8d40
FG		 769 ],
770 },
771 parameters => {
772 additionalProperties => 0,
773 properties => {
774 userid => get_standard_option('userid-completed'),
775 tokenid => get_standard_option('token-subid'),
776 },
777 },
778 returns => { type => 'null' },
779 code => sub {
780 my ($param) = @_;
781
782 my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
783 my $tokenid = extract_param($param, 'tokenid');
784
785 my $usercfg = cfs_read_file("user.cfg");
786 my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
787
3e5b237f 788 PVE::AccessControl::lock_user_config(sub {
4e4c8d40
FG		 789 $usercfg = cfs_read_file("user.cfg");
790
791 PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
792
793 my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
794 PVE::TokenConfig::delete_token($full_tokenid);
795 delete $usercfg->{users}->{$userid}->{tokens}->{$tokenid};
796
797 cfs_write_file("user.cfg", $usercfg);
3e5b237f 798 }, 'deleting token failed');
4e4c8d40
FG		 799
800 return;
801 }});
2c3a6c0a 8021;
Access control framework