]> git.proxmox.com Git - pve-access-control.git/blame - src/PVE/API2/User.pm
projects / pve-access-control.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
bump version to 8.0.0~1
[pve-access-control.git] / src / PVE / API2 / User.pm
CommitLineData
2c3a6c0a
DM		 1package PVE::API2::User;
2
3use strict;
4use warnings;
525a931b 5
4e4c8d40 6use PVE::Exception qw(raise raise_perm_exc raise_param_exc);
2c3a6c0a 7use PVE::Cluster qw (cfs_read_file cfs_write_file);
4e4c8d40 8use PVE::Tools qw(split_list extract_param);
3a5ae7a0 9use PVE::JSONSchema qw(get_standard_option register_standard_option);
2c3a6c0a
DM		 10use PVE::SafeSyslog;
11
525a931b 12use PVE::AccessControl;
d658d04a 13use PVE::Auth::Plugin;
525a931b
TL		 14use PVE::TokenConfig;
15
2c3a6c0a
DM		 16use PVE::RESTHandler;
17
18use base qw(PVE::RESTHandler);
19
3a5ae7a0
SI		 20register_standard_option('user-enable', {
21 description => "Enable the account (default). You can set this to '0' to disable the account",
22 type => 'boolean',
23 optional => 1,
24 default => 1,
25});
26register_standard_option('user-expire', {
27 description => "Account expiration date (seconds since epoch). '0' means no expiration date.",
28 type => 'integer',
29 minimum => 0,
30 optional => 1,
31});
32register_standard_option('user-firstname', { type => 'string', optional => 1 });
33register_standard_option('user-lastname', { type => 'string', optional => 1 });
34register_standard_option('user-email', { type => 'string', optional => 1, format => 'email-opt' });
35register_standard_option('user-comment', { type => 'string', optional => 1 });
36register_standard_option('user-keys', {
37 description => "Keys for two factor auth (yubico).",
38 type => 'string',
39 optional => 1,
40});
41register_standard_option('group-list', {
42 type => 'string', format => 'pve-groupid-list',
43 optional => 1,
44 completion => \&PVE::AccessControl::complete_group,
45});
4e4c8d40
FG		 46register_standard_option('token-subid', {
47 type => 'string',
48 pattern => $PVE::AccessControl::token_subid_regex,
49 description => 'User-specific token identifier.',
50});
51register_standard_option('token-expire', {
52 description => "API token expiration date (seconds since epoch). '0' means no expiration date.",
53 type => 'integer',
54 minimum => 0,
55 optional => 1,
b974bdc0 56 default => 'same as user',
4e4c8d40
FG		 57});
58register_standard_option('token-privsep', {
59 description => "Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.",
60 type => 'boolean',
61 optional => 1,
62 default => 1,
63});
64register_standard_option('token-comment', { type => 'string', optional => 1 });
65register_standard_option('token-info', {
66 type => 'object',
67 properties => {
68 expire => get_standard_option('token-expire'),
69 privsep => get_standard_option('token-privsep'),
70 comment => get_standard_option('token-comment'),
71 }
72});
73
74my $token_info_extend = sub {
75 my ($props) = @_;
76
77 my $obj = get_standard_option('token-info');
78 my $base_props = $obj->{properties};
79 $obj->{properties} = {};
80
81 foreach my $prop (keys %$base_props) {
82 $obj->{properties}->{$prop} = $base_props->{$prop};
83 }
84
85 foreach my $add_prop (keys %$props) {
86 $obj->{properties}->{$add_prop} = $props->{$add_prop};
87 }
88
89 return $obj;
90};
3a5ae7a0 91
2c3a6c0a
DM		 92my $extract_user_data = sub {
93 my ($data, $full) = @_;
94
95 my $res = {};
96
96f8ebd6 97 foreach my $prop (qw(enable expire firstname lastname email comment keys)) {
2c3a6c0a
DM		 98 $res->{$prop} = $data->{$prop} if defined($data->{$prop});
99 }
100
101 return $res if !$full;
102
103 $res->{groups} = $data->{groups} ? [ keys %{$data->{groups}} ] : [];
4e4c8d40 104 $res->{tokens} = $data->{tokens};
2c3a6c0a
DM		 105
106 return $res;
107};
108
109__PACKAGE__->register_method ({
0a6e09fd
PA		 110 name => 'index',
111 path => '',
2c3a6c0a
DM		 112 method => 'GET',
113 description => "User index.",
0a6e09fd 114 permissions => {
82b63965 115 description => "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.",
96919234
DM		 116 user => 'all',
117 },
3c4cebc9 118 protected => 1, # to access priv/tfa.cfg
2c3a6c0a
DM		 119 parameters => {
120 additionalProperties => 0,
cb6f2f93
DM		 121 properties => {
122 enabled => {
123 type => 'boolean',
124 description => "Optional filter for enable property.",
125 optional => 1,
3a4ed527
FG		 126 },
127 full => {
128 type => 'boolean',
129 description => "Include group and token information.",
130 optional => 1,
131 default => 0,
cb6f2f93
DM		 132 }
133 },
2c3a6c0a
DM		 134 },
135 returns => {
136 type => 'array',
137 items => {
138 type => "object",
139 properties => {
3a5ae7a0
SI		 140 userid => get_standard_option('userid-completed'),
141 enable => get_standard_option('user-enable'),
142 expire => get_standard_option('user-expire'),
143 firstname => get_standard_option('user-firstname'),
144 lastname => get_standard_option('user-lastname'),
145 email => get_standard_option('user-email'),
146 comment => get_standard_option('user-comment'),
147 keys => get_standard_option('user-keys'),
3a4ed527
FG		 148 groups => get_standard_option('group-list'),
149 tokens => {
150 type => 'array',
151 optional => 1,
152 items => $token_info_extend->({
153 tokenid => get_standard_option('token-subid'),
154 }),
8bb59c26 155 },
3f6023f5
TL		 156 'realm-type' => {
157 type => 'string', format => 'pve-realm',
8bb59c26 158 description => 'The type of the users realm',
3f6023f5 159 optional => 1, # it should always be there, but we use conditional code below, so..
8bb59c26 160 },
3c4cebc9
WB		 161 'totp-locked' => {
162 type => 'boolean',
163 optional => 1,
164 description => 'True if the user is currently locked out of TOTP factors.',
165 },
166 'tfa-locked-until' => {
167 type => 'integer',
168 optional => 1,
169 description =>
170 'Contains a timestamp until when a user is locked out of 2nd factors.',
171 },
2c3a6c0a
DM		 172 },
173 },
174 links => [ { rel => 'child', href => "{userid}" } ],
175 },
176 code => sub {
177 my ($param) = @_;
0a6e09fd 178
930dcfc8 179 my $rpcenv = PVE::RPCEnvironment::get();
37d45deb 180 my $usercfg = $rpcenv->{user_cfg};
930dcfc8
DM		 181 my $authuser = $rpcenv->get_user();
182
8bb59c26
DC		 183 my $domainscfg = cfs_read_file('domains.cfg');
184 my $domainids = $domainscfg->{ids};
185
2c3a6c0a
DM		 186 my $res = [];
187
82b63965
DM		 188 my $privs = [ 'User.Modify', 'Sys.Audit' ];
189 my $canUserMod = $rpcenv->check_any($authuser, "/access/groups", $privs, 1);
b9180ed2 190 my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
0a6e09fd 191 my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
37d45deb 192
3c4cebc9
WB		 193 my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
194
525a931b 195 foreach my $user (sort keys %{$usercfg->{users}}) {
37d45deb
DM		 196 if (!($canUserMod || $user eq $authuser)) {
197 next if !$allowed_users->{$user};
198 }
930dcfc8 199
525a931b 200 my $entry = $extract_user_data->($usercfg->{users}->{$user}, $param->{full});
cb6f2f93
DM		 201
202 if (defined($param->{enabled})) {
203 next if $entry->{enable} && !$param->{enabled};
204 next if !$entry->{enable} && $param->{enabled};
205 }
206
3a4ed527 207 $entry->{groups} = join(',', @{$entry->{groups}}) if $entry->{groups};
525a931b
TL		 208
209 if (defined(my $tokens = $entry->{tokens})) {
210 $entry->{tokens} = [
211 map { { tokenid => $_, %{$tokens->{$_}} } } sort keys %$tokens
212 ];
213 }
3a4ed527 214
d658d04a
TL		 215 if ($user =~ /($PVE::Auth::Plugin::realm_regex)$/) {
216 my $realm = $1;
217 $entry->{'realm-type'} = $domainids->{$realm}->{type} if exists $domainids->{$realm};
8bb59c26
DC		 218 }
219
2c3a6c0a 220 $entry->{userid} = $user;
525a931b 221
3c4cebc9
WB		 222 if (defined($tfa_cfg)) {
223 if (my $data = $tfa_cfg->tfa_lock_status($user)) {
224 $entry->{$_} = $data->{$_} for qw(totp-locked tfa-locked-until);
225 }
226 }
227
2c3a6c0a
DM		 228 push @$res, $entry;
229 }
230
231 return $res;
232 }});
233
234__PACKAGE__->register_method ({
0a6e09fd 235 name => 'create_user',
2c3a6c0a 236 protected => 1,
0a6e09fd 237 path => '',
2c3a6c0a 238 method => 'POST',
0a6e09fd 239 permissions => {
82b63965 240 description => "You need 'Realm.AllocateUser' on '/access/realm/<realm>' on the realm of user <userid>, and 'User.Modify' permissions to '/access/groups/<group>' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.",
3e5b237f
TL		 241 check => [
242 'and',
243 [ 'userid-param', 'Realm.AllocateUser'],
aee071ad 244 [ 'userid-group', ['User.Modify'], groups_param => 'create'],
3e5b237f 245 ],
96919234 246 },
2c3a6c0a
DM		 247 description => "Create new user.",
248 parameters => {
0a6e09fd 249 additionalProperties => 0,
2c3a6c0a 250 properties => {
3a5ae7a0
SI		 251 userid => get_standard_option('userid-completed'),
252 enable => get_standard_option('user-enable'),
253 expire => get_standard_option('user-expire'),
254 firstname => get_standard_option('user-firstname'),
255 lastname => get_standard_option('user-lastname'),
256 email => get_standard_option('user-email'),
257 comment => get_standard_option('user-comment'),
258 keys => get_standard_option('user-keys'),
37d45deb
DM		 259 password => {
260 description => "Initial password.",
0a6e09fd
PA		 261 type => 'string',
262 optional => 1,
263 minLength => 5,
264 maxLength => 64
37d45deb 265 },
3a5ae7a0 266 groups => get_standard_option('group-list'),
2c3a6c0a
DM		 267 },
268 },
269 returns => { type => 'null' },
270 code => sub {
271 my ($param) = @_;
272
2dd1e1d4
TL		 273 PVE::AccessControl::lock_user_config(sub {
274 my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
0a6e09fd 275
2dd1e1d4 276 my $usercfg = cfs_read_file("user.cfg");
0a6e09fd 277
f335d265
TL		 278 # ensure "user exists" check works for case insensitive realms
279 $username = PVE::AccessControl::lookup_username($username, 1);
280 die "user '$username' already exists\n" if $usercfg->{users}->{$username};
2c3a6c0a 281
2dd1e1d4
TL		 282 PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password})
283 if defined($param->{password});
0a6e09fd 284
2dd1e1d4
TL		 285 my $enable = defined($param->{enable}) ? $param->{enable} : 1;
286 $usercfg->{users}->{$username} = { enable => $enable };
287 $usercfg->{users}->{$username}->{expire} = $param->{expire} if $param->{expire};
2c3a6c0a 288
2dd1e1d4
TL		 289 if ($param->{groups}) {
290 foreach my $group (split_list($param->{groups})) {
291 if ($usercfg->{groups}->{$group}) {
292 PVE::AccessControl::add_user_group($username, $usercfg, $group);
293 } else {
294 die "no such group '$group'\n";
2c3a6c0a
DM		 295 }
296 }
2dd1e1d4 297 }
2c3a6c0a 298
2dd1e1d4
TL		 299 $usercfg->{users}->{$username}->{firstname} = $param->{firstname} if $param->{firstname};
300 $usercfg->{users}->{$username}->{lastname} = $param->{lastname} if $param->{lastname};
301 $usercfg->{users}->{$username}->{email} = $param->{email} if $param->{email};
302 $usercfg->{users}->{$username}->{comment} = $param->{comment} if $param->{comment};
303 $usercfg->{users}->{$username}->{keys} = $param->{keys} if $param->{keys};
2c3a6c0a 304
2dd1e1d4
TL		 305 cfs_write_file("user.cfg", $usercfg);
306 }, "create user failed");
2c3a6c0a
DM		 307
308 return undef;
309 }});
310
311__PACKAGE__->register_method ({
0a6e09fd
PA		 312 name => 'read_user',
313 path => '{userid}',
2c3a6c0a
DM		 314 method => 'GET',
315 description => "Get user configuration.",
0a6e09fd 316 permissions => {
82b63965 317 check => ['userid-group', ['User.Modify', 'Sys.Audit']],
96919234 318 },
2c3a6c0a 319 parameters => {
0a6e09fd 320 additionalProperties => 0,
2c3a6c0a 321 properties => {
3a5ae7a0 322 userid => get_standard_option('userid-completed'),
2c3a6c0a
DM		 323 },
324 },
325 returns => {
0a6e09fd 326 additionalProperties => 0,
2c3a6c0a 327 properties => {
3a5ae7a0
SI		 328 enable => get_standard_option('user-enable'),
329 expire => get_standard_option('user-expire'),
330 firstname => get_standard_option('user-firstname'),
331 lastname => get_standard_option('user-lastname'),
332 email => get_standard_option('user-email'),
333 comment => get_standard_option('user-comment'),
334 keys => get_standard_option('user-keys'),
4e4c8d40
FG		 335 groups => {
336 type => 'array',
72c4589c 337 optional => 1,
4e4c8d40
FG		 338 items => {
339 type => 'string',
340 format => 'pve-groupid',
341 },
342 },
343 tokens => {
72c4589c 344 optional => 1,
4e4c8d40 345 type => 'object',
031e388f 346 additionalProperties => get_standard_option('token-info'),
4e4c8d40 347 },
3a5ae7a0
SI		 348 },
349 type => "object"
2c3a6c0a
DM		 350 },
351 code => sub {
352 my ($param) = @_;
353
3e5b237f 354 my ($username, undef, $domain) = PVE::AccessControl::verify_username($param->{userid});
2c3a6c0a
DM		 355
356 my $usercfg = cfs_read_file("user.cfg");
2c3a6c0a 357
37d45deb 358 my $data = PVE::AccessControl::check_user_exist($usercfg, $username);
0a6e09fd 359
2c3a6c0a
DM		 360 return &$extract_user_data($data, 1);
361 }});
362
363__PACKAGE__->register_method ({
0a6e09fd 364 name => 'update_user',
2c3a6c0a 365 protected => 1,
0a6e09fd 366 path => '{userid}',
2c3a6c0a 367 method => 'PUT',
0a6e09fd 368 permissions => {
aee071ad 369 check => ['userid-group', ['User.Modify'], groups_param => 'update' ],
96919234 370 },
2c3a6c0a
DM		 371 description => "Update user configuration.",
372 parameters => {
0a6e09fd 373 additionalProperties => 0,
2c3a6c0a 374 properties => {
3a5ae7a0
SI		 375 userid => get_standard_option('userid-completed'),
376 enable => get_standard_option('user-enable'),
377 expire => get_standard_option('user-expire'),
378 firstname => get_standard_option('user-firstname'),
379 lastname => get_standard_option('user-lastname'),
380 email => get_standard_option('user-email'),
381 comment => get_standard_option('user-comment'),
382 keys => get_standard_option('user-keys'),
383 groups => get_standard_option('group-list'),
0a6e09fd
PA		 384 append => {
385 type => 'boolean',
2c3a6c0a
DM		 386 optional => 1,
387 requires => 'groups',
388 },
2c3a6c0a
DM		 389 },
390 },
391 returns => { type => 'null' },
392 code => sub {
393 my ($param) = @_;
37d45deb 394
3e5b237f 395 my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
0a6e09fd 396
3e5b237f
TL		 397 PVE::AccessControl::lock_user_config(sub {
398 my $usercfg = cfs_read_file("user.cfg");
2c3a6c0a 399
3e5b237f 400 PVE::AccessControl::check_user_exist($usercfg, $username);
2c3a6c0a 401
3e5b237f
TL		 402 $usercfg->{users}->{$username}->{enable} = $param->{enable} if defined($param->{enable});
403 $usercfg->{users}->{$username}->{expire} = $param->{expire} if defined($param->{expire});
2c3a6c0a 404
3e5b237f
TL		 405 PVE::AccessControl::delete_user_group($username, $usercfg)
406 if (!$param->{append} && defined($param->{groups}));
2c3a6c0a 407
3e5b237f
TL		 408 if ($param->{groups}) {
409 foreach my $group (split_list($param->{groups})) {
410 if ($usercfg->{groups}->{$group}) {
411 PVE::AccessControl::add_user_group($username, $usercfg, $group);
412 } else {
413 die "no such group '$group'\n";
2c3a6c0a
DM		 414 }
415 }
3e5b237f 416 }
2c3a6c0a 417
3e5b237f
TL		 418 $usercfg->{users}->{$username}->{firstname} = $param->{firstname} if defined($param->{firstname});
419 $usercfg->{users}->{$username}->{lastname} = $param->{lastname} if defined($param->{lastname});
420 $usercfg->{users}->{$username}->{email} = $param->{email} if defined($param->{email});
421 $usercfg->{users}->{$username}->{comment} = $param->{comment} if defined($param->{comment});
422 $usercfg->{users}->{$username}->{keys} = $param->{keys} if defined($param->{keys});
2c3a6c0a 423
3e5b237f
TL		 424 cfs_write_file("user.cfg", $usercfg);
425 }, "update user failed");
0a6e09fd 426
2c3a6c0a
DM		 427 return undef;
428 }});
429
430__PACKAGE__->register_method ({
0a6e09fd 431 name => 'delete_user',
2c3a6c0a 432 protected => 1,
0a6e09fd 433 path => '{userid}',
2c3a6c0a
DM		 434 method => 'DELETE',
435 description => "Delete user.",
0a6e09fd 436 permissions => {
82b63965 437 check => [ 'and',
3e5b237f
TL		 438 [ 'userid-param', 'Realm.AllocateUser'],
439 [ 'userid-group', ['User.Modify']],
440 ],
12683df7 441 },
2c3a6c0a 442 parameters => {
0a6e09fd 443 additionalProperties => 0,
2c3a6c0a 444 properties => {
3a5ae7a0 445 userid => get_standard_option('userid-completed'),
2c3a6c0a
DM		 446 }
447 },
448 returns => { type => 'null' },
449 code => sub {
450 my ($param) = @_;
0a6e09fd 451
37d45deb
DM		 452 my $rpcenv = PVE::RPCEnvironment::get();
453 my $authuser = $rpcenv->get_user();
454
3e5b237f 455 my ($userid, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
2c3a6c0a 456
3e5b237f
TL		 457 PVE::AccessControl::lock_user_config(sub {
458 my $usercfg = cfs_read_file("user.cfg");
2c3a6c0a 459
ba6cc98f
TL		 460 # NOTE: disable the user first (transaction like), so if (e.g.) we fail in the middle of
461 # TFA deletion the user will be still disabled and not just without TFA protection.
462 $usercfg->{users}->{$userid}->{enable} = 0;
463 cfs_write_file("user.cfg", $usercfg);
464
3e5b237f
TL		 465 my $domain_cfg = cfs_read_file('domains.cfg');
466 if (my $cfg = $domain_cfg->{ids}->{$realm}) {
467 my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
468 $plugin->delete_user($cfg, $realm, $ruid);
469 }
2c3a6c0a 470
8ecf1a49
TL		 471 # Remove user from cache before removing the TFA entry so realms with TFA-enforcement
472 # know that it's OK to drop any TFA entry in that case.
3e5b237f 473 delete $usercfg->{users}->{$userid};
37d45deb 474
e780b46a
TL		 475 my $partial_deletion = '';
476 eval {
d168ab34 477 PVE::AccessControl::user_remove_tfa($userid);
e780b46a
TL		 478 $partial_deletion = ' - but deleted related TFA';
479
480 PVE::AccessControl::delete_user_group($userid, $usercfg);
481 $partial_deletion .= ', Groups';
482 PVE::AccessControl::delete_user_acl($userid, $usercfg);
483 $partial_deletion .= ', ACLs';
484
485 cfs_write_file("user.cfg", $usercfg);
486 };
487 die "$@$partial_deletion\n" if $@;
3e5b237f 488 }, "delete user failed");
0a6e09fd 489
2c3a6c0a
DM		 490 return undef;
491 }});
492
e51988b4
DC		 493__PACKAGE__->register_method ({
494 name => 'read_user_tfa_type',
495 path => '{userid}/tfa',
496 method => 'GET',
497 protected => 1,
498 description => "Get user TFA types (Personal and Realm).",
499 permissions => {
500 check => [ 'or',
501 ['userid-param', 'self'],
502 ['userid-group', ['User.Modify', 'Sys.Audit']],
503 ],
504 },
505 parameters => {
506 additionalProperties => 0,
507 properties => {
508 userid => get_standard_option('userid-completed'),
f7f2e28e
WB		 509 multiple => {
510 type => 'boolean',
511 description => 'Request all entries as an array.',
512 optional => 1,
513 default => 0,
514 },
e51988b4
DC		 515 },
516 },
517 returns => {
518 additionalProperties => 0,
519 properties => {
520 realm => {
521 type => 'string',
522 enum => [qw(oath yubico)],
523 description => "The type of TFA the users realm has set, if any.",
524 optional => 1,
525 },
526 user => {
527 type => 'string',
528 enum => [qw(oath u2f)],
f7f2e28e
WB		 529 description =>
530 "The type of TFA the user has set, if any."
531 . " Only set if 'multiple' was not passed.",
e51988b4
DC		 532 optional => 1,
533 },
f7f2e28e
WB		 534 types => {
535 type => 'array',
536 description =>
537 "Array of the user configured TFA types, if any."
538 . " Only available if 'multiple' was not passed.",
539 optional => 1,
540 items => {
541 type => 'string',
542 enum => [qw(totp u2f yubico webauthn recovedry)],
543 description => 'A TFA type.',
544 },
545 },
e51988b4
DC		 546 },
547 type => "object"
548 },
549 code => sub {
550 my ($param) = @_;
551
552 my ($username, undef, $realm) = PVE::AccessControl::verify_username($param->{userid});
553
e51988b4
DC		 554 my $domain_cfg = cfs_read_file('domains.cfg');
555 my $realm_cfg = $domain_cfg->{ids}->{$realm};
556 die "auth domain '$realm' does not exist\n" if !$realm_cfg;
557
f7f2e28e 558 my $res = {};
e51988b4 559 my $realm_tfa = {};
3e5b237f 560 $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_cfg->{tfa}) if $realm_cfg->{tfa};
f7f2e28e 561 $res->{realm} = $realm_tfa->{type} if $realm_tfa->{type};
e51988b4
DC		 562
563 my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
f7f2e28e
WB		 564 if ($param->{multiple}) {
565 my $tfa = $tfa_cfg->get_user($username);
566 my $user = [];
567 foreach my $type (keys %$tfa) {
568 next if !scalar($tfa->{$type}->@*);
569 push @$user, $type;
570 }
571 $res->{user} = $user;
572 } else {
573 my $tfa = $tfa_cfg->{users}->{$username};
574 $res->{user} = $tfa->{type} if $tfa->{type};
575 }
e51988b4
DC		 576 return $res;
577 }});
578
330b8dbb
WB		 579__PACKAGE__->register_method ({
580 name => 'unlock_tfa',
581 path => '{userid}/unlock-tfa',
582 method => 'PUT',
583 protected => 1,
584 description => "Unlock a user's TFA authentication.",
585 permissions => {
586 check => [ 'userid-group', ['User.Modify']],
587 },
588 parameters => {
589 additionalProperties => 0,
590 properties => {
591 userid => get_standard_option('userid-completed'),
592 },
593 },
594 returns => { type => 'boolean' },
595 code => sub {
596 my ($param) = @_;
597
598 my $userid = extract_param($param, "userid");
599
600 my $user_was_locked = PVE::AccessControl::lock_tfa_config(sub {
601 my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
602 my $was_locked = $tfa_cfg->api_unlock_tfa($userid);
603 cfs_write_file('priv/tfa.cfg', $tfa_cfg)
604 if $was_locked;
605 return $was_locked;
606 });
607
608 return $user_was_locked;
609 }});
610
4e4c8d40
FG		 611__PACKAGE__->register_method ({
612 name => 'token_index',
613 path => '{userid}/token',
614 method => 'GET',
615 description => "Get user API tokens.",
616 permissions => {
3e5b237f
TL		 617 check => [
618 'or',
619 ['userid-param', 'self'],
59164ff1 620 ['userid-group', ['User.Modify']],
4e4c8d40
FG		 621 ],
622 },
623 parameters => {
624 additionalProperties => 0,
625 properties => {
626 userid => get_standard_option('userid-completed'),
627 },
628 },
629 returns => {
630 type => "array",
631 items => $token_info_extend->({
632 tokenid => get_standard_option('token-subid'),
633 }),
634 links => [ { rel => 'child', href => "{tokenid}" } ],
635 },
636 code => sub {
637 my ($param) = @_;
638
639 my $userid = PVE::AccessControl::verify_username($param->{userid});
640 my $usercfg = cfs_read_file("user.cfg");
641
642 my $user = PVE::AccessControl::check_user_exist($usercfg, $userid);
643
644 my $tokens = $user->{tokens} // {};
645 return [ map { $tokens->{$_}->{tokenid} = $_; $tokens->{$_} } keys %$tokens];
646 }});
647
648__PACKAGE__->register_method ({
649 name => 'read_token',
650 path => '{userid}/token/{tokenid}',
651 method => 'GET',
652 description => "Get specific API token information.",
653 permissions => {
3e5b237f
TL		 654 check => [
655 'or',
656 ['userid-param', 'self'],
59164ff1 657 ['userid-group', ['User.Modify']],
4e4c8d40
FG		 658 ],
659 },
660 parameters => {
661 additionalProperties => 0,
662 properties => {
663 userid => get_standard_option('userid-completed'),
664 tokenid => get_standard_option('token-subid'),
665 },
666 },
667 returns => get_standard_option('token-info'),
668 code => sub {
669 my ($param) = @_;
670
671 my $userid = PVE::AccessControl::verify_username($param->{userid});
672 my $tokenid = $param->{tokenid};
673
674 my $usercfg = cfs_read_file("user.cfg");
675
676 return PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
677 }});
678
679__PACKAGE__->register_method ({
680 name => 'generate_token',
681 path => '{userid}/token/{tokenid}',
682 method => 'POST',
683 description => "Generate a new API token for a specific user. NOTE: returns API token value, which needs to be stored as it cannot be retrieved afterwards!",
684 protected => 1,
685 permissions => {
3e5b237f
TL		 686 check => [
687 'or',
688 ['userid-param', 'self'],
59164ff1 689 ['userid-group', ['User.Modify']],
4e4c8d40
FG		 690 ],
691 },
692 parameters => {
693 additionalProperties => 0,
694 properties => {
695 userid => get_standard_option('userid-completed'),
696 tokenid => get_standard_option('token-subid'),
697 expire => get_standard_option('token-expire'),
698 privsep => get_standard_option('token-privsep'),
699 comment => get_standard_option('token-comment'),
700 },
701 },
702 returns => {
703 additionalProperties => 0,
704 type => "object",
705 properties => {
706 info => get_standard_option('token-info'),
707 value => {
708 type => 'string',
709 description => 'API token value used for authentication.',
710 },
77bfb48e
TL		 711 'full-tokenid' => {
712 type => 'string',
713 format_description => '<userid>!<tokenid>',
714 description => 'The full token id.',
715 },
4e4c8d40
FG		 716 },
717 },
718 code => sub {
719 my ($param) = @_;
720
721 my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
722 my $tokenid = extract_param($param, 'tokenid');
723
724 my $usercfg = cfs_read_file("user.cfg");
725
726 my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid, 1);
77bfb48e 727 my ($full_tokenid, $value);
4e4c8d40
FG		 728
729 PVE::AccessControl::check_user_exist($usercfg, $userid);
730 raise_param_exc({ 'tokenid' => 'Token already exists.' }) if defined($token);
731
732 my $generate_and_add_token = sub {
733 $usercfg = cfs_read_file("user.cfg");
734 PVE::AccessControl::check_user_exist($usercfg, $userid);
735 die "Token already exists.\n" if defined(PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid, 1));
736
77bfb48e 737 $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
4e4c8d40
FG		 738 $value = PVE::TokenConfig::generate_token($full_tokenid);
739
740 $token = {};
741 $token->{privsep} = defined($param->{privsep}) ? $param->{privsep} : 1;
742 $token->{expire} = $param->{expire} if defined($param->{expire});
743 $token->{comment} = $param->{comment} if $param->{comment};
744
745 $usercfg->{users}->{$userid}->{tokens}->{$tokenid} = $token;
746 cfs_write_file("user.cfg", $usercfg);
747 };
748
749 PVE::AccessControl::lock_user_config($generate_and_add_token, 'generating token failed');
750
77bfb48e
TL		 751 return {
752 info => $token,
753 value => $value,
754 'full-tokenid' => $full_tokenid,
755 };
4e4c8d40
FG		 756 }});
757
758
759__PACKAGE__->register_method ({
760 name => 'update_token_info',
761 path => '{userid}/token/{tokenid}',
762 method => 'PUT',
763 description => "Update API token for a specific user.",
764 protected => 1,
765 permissions => {
3e5b237f
TL		 766 check => [
767 'or',
768 ['userid-param', 'self'],
59164ff1 769 ['userid-group', ['User.Modify']],
4e4c8d40
FG		 770 ],
771 },
772 parameters => {
773 additionalProperties => 0,
774 properties => {
775 userid => get_standard_option('userid-completed'),
776 tokenid => get_standard_option('token-subid'),
777 expire => get_standard_option('token-expire'),
778 privsep => get_standard_option('token-privsep'),
779 comment => get_standard_option('token-comment'),
780 },
781 },
782 returns => get_standard_option('token-info', { description => "Updated token information." }),
783 code => sub {
784 my ($param) = @_;
785
786 my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
787 my $tokenid = extract_param($param, 'tokenid');
788
789 my $usercfg = cfs_read_file("user.cfg");
790 my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
791
3e5b237f 792 PVE::AccessControl::lock_user_config(sub {
4e4c8d40
FG		 793 $usercfg = cfs_read_file("user.cfg");
794 $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
795
796 my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
797
798 $token->{privsep} = $param->{privsep} if defined($param->{privsep});
799 $token->{expire} = $param->{expire} if defined($param->{expire});
800 $token->{comment} = $param->{comment} if $param->{comment};
801
802 $usercfg->{users}->{$userid}->{tokens}->{$tokenid} = $token;
803 cfs_write_file("user.cfg", $usercfg);
3e5b237f 804 }, 'updating token info failed');
4e4c8d40
FG		 805
806 return $token;
807 }});
808
809
810__PACKAGE__->register_method ({
811 name => 'remove_token',
812 path => '{userid}/token/{tokenid}',
813 method => 'DELETE',
814 description => "Remove API token for a specific user.",
815 protected => 1,
816 permissions => {
3e5b237f
TL		 817 check => [
818 'or',
819 ['userid-param', 'self'],
59164ff1 820 ['userid-group', ['User.Modify']],
4e4c8d40
FG		 821 ],
822 },
823 parameters => {
824 additionalProperties => 0,
825 properties => {
826 userid => get_standard_option('userid-completed'),
827 tokenid => get_standard_option('token-subid'),
828 },
829 },
830 returns => { type => 'null' },
831 code => sub {
832 my ($param) = @_;
833
834 my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
835 my $tokenid = extract_param($param, 'tokenid');
836
837 my $usercfg = cfs_read_file("user.cfg");
838 my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
839
3e5b237f 840 PVE::AccessControl::lock_user_config(sub {
4e4c8d40
FG		 841 $usercfg = cfs_read_file("user.cfg");
842
843 PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
844
845 my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
846 PVE::TokenConfig::delete_token($full_tokenid);
847 delete $usercfg->{users}->{$userid}->{tokens}->{$tokenid};
848
849 cfs_write_file("user.cfg", $usercfg);
3e5b237f 850 }, 'deleting token failed');
4e4c8d40
FG		 851
852 return;
853 }});
2c3a6c0a 8541;
Access control framework