]> git.proxmox.com Git - pve-access-control.git/blame - src/PVE/API2/User.pm
projects / pve-access-control.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
bump version to 8.1.4
[pve-access-control.git] / src / PVE / API2 / User.pm
CommitLineData
2c3a6c0a
DM		 1package PVE::API2::User;
2
3use strict;
4use warnings;
525a931b 5
4e4c8d40 6use PVE::Exception qw(raise raise_perm_exc raise_param_exc);
2c3a6c0a 7use PVE::Cluster qw (cfs_read_file cfs_write_file);
4e4c8d40 8use PVE::Tools qw(split_list extract_param);
3a5ae7a0 9use PVE::JSONSchema qw(get_standard_option register_standard_option);
2c3a6c0a
DM		 10use PVE::SafeSyslog;
11
525a931b 12use PVE::AccessControl;
d658d04a 13use PVE::Auth::Plugin;
525a931b
TL		 14use PVE::TokenConfig;
15
2c3a6c0a
DM		 16use PVE::RESTHandler;
17
18use base qw(PVE::RESTHandler);
19
3a5ae7a0
SI		 20register_standard_option('user-enable', {
21 description => "Enable the account (default). You can set this to '0' to disable the account",
22 type => 'boolean',
23 optional => 1,
24 default => 1,
25});
26register_standard_option('user-expire', {
27 description => "Account expiration date (seconds since epoch). '0' means no expiration date.",
28 type => 'integer',
29 minimum => 0,
30 optional => 1,
31});
04712fc4
FE		 32register_standard_option('user-firstname', { type => 'string', optional => 1, maxLength => 1024, });
33register_standard_option('user-lastname', { type => 'string', optional => 1, maxLength => 1024, });
34register_standard_option('user-email', {
35 type => 'string',
36 optional => 1,
37 format => 'email-opt',
744ec314 38 maxLength => 254, # 256 including punctuation and separator is the max path as per RFC 5321
04712fc4
FE		 39});
40register_standard_option('user-comment', {
41 type => 'string',
42 optional => 1,
744ec314 43 maxLength => 2048,
04712fc4 44});
3a5ae7a0
SI		 45register_standard_option('user-keys', {
46 description => "Keys for two factor auth (yubico).",
47 type => 'string',
2dabf3c3 48 pattern => '[0-9a-zA-Z!=]{0,4096}',
3a5ae7a0
SI		 49 optional => 1,
50});
51register_standard_option('group-list', {
52 type => 'string', format => 'pve-groupid-list',
53 optional => 1,
54 completion => \&PVE::AccessControl::complete_group,
55});
4e4c8d40
FG		 56register_standard_option('token-subid', {
57 type => 'string',
58 pattern => $PVE::AccessControl::token_subid_regex,
59 description => 'User-specific token identifier.',
60});
61register_standard_option('token-expire', {
62 description => "API token expiration date (seconds since epoch). '0' means no expiration date.",
63 type => 'integer',
64 minimum => 0,
65 optional => 1,
b974bdc0 66 default => 'same as user',
4e4c8d40
FG		 67});
68register_standard_option('token-privsep', {
69 description => "Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.",
70 type => 'boolean',
71 optional => 1,
72 default => 1,
73});
74register_standard_option('token-comment', { type => 'string', optional => 1 });
75register_standard_option('token-info', {
76 type => 'object',
77 properties => {
78 expire => get_standard_option('token-expire'),
79 privsep => get_standard_option('token-privsep'),
80 comment => get_standard_option('token-comment'),
81 }
82});
83
84my $token_info_extend = sub {
85 my ($props) = @_;
86
87 my $obj = get_standard_option('token-info');
88 my $base_props = $obj->{properties};
89 $obj->{properties} = {};
90
91 foreach my $prop (keys %$base_props) {
92 $obj->{properties}->{$prop} = $base_props->{$prop};
93 }
94
95 foreach my $add_prop (keys %$props) {
96 $obj->{properties}->{$add_prop} = $props->{$add_prop};
97 }
98
99 return $obj;
100};
3a5ae7a0 101
2c3a6c0a
DM		 102my $extract_user_data = sub {
103 my ($data, $full) = @_;
104
105 my $res = {};
106
96f8ebd6 107 foreach my $prop (qw(enable expire firstname lastname email comment keys)) {
2c3a6c0a
DM		 108 $res->{$prop} = $data->{$prop} if defined($data->{$prop});
109 }
110
111 return $res if !$full;
112
32978035 113 $res->{groups} = $data->{groups} ? [ sort keys %{$data->{groups}} ] : [];
4e4c8d40 114 $res->{tokens} = $data->{tokens};
2c3a6c0a
DM		 115
116 return $res;
117};
118
119__PACKAGE__->register_method ({
0a6e09fd
PA		 120 name => 'index',
121 path => '',
2c3a6c0a
DM		 122 method => 'GET',
123 description => "User index.",
0a6e09fd 124 permissions => {
82b63965 125 description => "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.",
96919234
DM		 126 user => 'all',
127 },
3c4cebc9 128 protected => 1, # to access priv/tfa.cfg
2c3a6c0a
DM		 129 parameters => {
130 additionalProperties => 0,
cb6f2f93
DM		 131 properties => {
132 enabled => {
133 type => 'boolean',
134 description => "Optional filter for enable property.",
135 optional => 1,
3a4ed527
FG		 136 },
137 full => {
138 type => 'boolean',
139 description => "Include group and token information.",
140 optional => 1,
141 default => 0,
cb6f2f93
DM		 142 }
143 },
2c3a6c0a
DM		 144 },
145 returns => {
146 type => 'array',
147 items => {
148 type => "object",
149 properties => {
3a5ae7a0
SI		 150 userid => get_standard_option('userid-completed'),
151 enable => get_standard_option('user-enable'),
152 expire => get_standard_option('user-expire'),
153 firstname => get_standard_option('user-firstname'),
154 lastname => get_standard_option('user-lastname'),
155 email => get_standard_option('user-email'),
156 comment => get_standard_option('user-comment'),
157 keys => get_standard_option('user-keys'),
3a4ed527
FG		 158 groups => get_standard_option('group-list'),
159 tokens => {
160 type => 'array',
161 optional => 1,
162 items => $token_info_extend->({
163 tokenid => get_standard_option('token-subid'),
164 }),
8bb59c26 165 },
3f6023f5
TL		 166 'realm-type' => {
167 type => 'string', format => 'pve-realm',
8bb59c26 168 description => 'The type of the users realm',
3f6023f5 169 optional => 1, # it should always be there, but we use conditional code below, so..
8bb59c26 170 },
3c4cebc9
WB		 171 'totp-locked' => {
172 type => 'boolean',
173 optional => 1,
174 description => 'True if the user is currently locked out of TOTP factors.',
175 },
176 'tfa-locked-until' => {
177 type => 'integer',
178 optional => 1,
179 description =>
180 'Contains a timestamp until when a user is locked out of 2nd factors.',
181 },
2c3a6c0a
DM		 182 },
183 },
184 links => [ { rel => 'child', href => "{userid}" } ],
185 },
186 code => sub {
187 my ($param) = @_;
0a6e09fd 188
930dcfc8 189 my $rpcenv = PVE::RPCEnvironment::get();
37d45deb 190 my $usercfg = $rpcenv->{user_cfg};
930dcfc8
DM		 191 my $authuser = $rpcenv->get_user();
192
8bb59c26
DC		 193 my $domainscfg = cfs_read_file('domains.cfg');
194 my $domainids = $domainscfg->{ids};
195
2c3a6c0a
DM		 196 my $res = [];
197
82b63965
DM		 198 my $privs = [ 'User.Modify', 'Sys.Audit' ];
199 my $canUserMod = $rpcenv->check_any($authuser, "/access/groups", $privs, 1);
b9180ed2 200 my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
0a6e09fd 201 my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
37d45deb 202
3c4cebc9
WB		 203 my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
204
525a931b 205 foreach my $user (sort keys %{$usercfg->{users}}) {
37d45deb
DM		 206 if (!($canUserMod || $user eq $authuser)) {
207 next if !$allowed_users->{$user};
208 }
930dcfc8 209
525a931b 210 my $entry = $extract_user_data->($usercfg->{users}->{$user}, $param->{full});
cb6f2f93
DM		 211
212 if (defined($param->{enabled})) {
213 next if $entry->{enable} && !$param->{enabled};
214 next if !$entry->{enable} && $param->{enabled};
215 }
216
3a4ed527 217 $entry->{groups} = join(',', @{$entry->{groups}}) if $entry->{groups};
525a931b
TL		 218
219 if (defined(my $tokens = $entry->{tokens})) {
220 $entry->{tokens} = [
221 map { { tokenid => $_, %{$tokens->{$_}} } } sort keys %$tokens
222 ];
223 }
3a4ed527 224
d658d04a
TL		 225 if ($user =~ /($PVE::Auth::Plugin::realm_regex)$/) {
226 my $realm = $1;
227 $entry->{'realm-type'} = $domainids->{$realm}->{type} if exists $domainids->{$realm};
8bb59c26
DC		 228 }
229
2c3a6c0a 230 $entry->{userid} = $user;
525a931b 231
3c4cebc9
WB		 232 if (defined($tfa_cfg)) {
233 if (my $data = $tfa_cfg->tfa_lock_status($user)) {
53a2b715
WB		 234 for (qw(totp-locked tfa-locked-until)) {
235 $entry->{$_} = $data->{$_} if exists($data->{$_});
236 }
3c4cebc9
WB		 237 }
238 }
239
2c3a6c0a
DM		 240 push @$res, $entry;
241 }
242
243 return $res;
244 }});
245
246__PACKAGE__->register_method ({
0a6e09fd 247 name => 'create_user',
2c3a6c0a 248 protected => 1,
0a6e09fd 249 path => '',
2c3a6c0a 250 method => 'POST',
0a6e09fd 251 permissions => {
82b63965 252 description => "You need 'Realm.AllocateUser' on '/access/realm/<realm>' on the realm of user <userid>, and 'User.Modify' permissions to '/access/groups/<group>' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.",
3e5b237f
TL		 253 check => [
254 'and',
255 [ 'userid-param', 'Realm.AllocateUser'],
aee071ad 256 [ 'userid-group', ['User.Modify'], groups_param => 'create'],
3e5b237f 257 ],
96919234 258 },
2c3a6c0a
DM		 259 description => "Create new user.",
260 parameters => {
0a6e09fd 261 additionalProperties => 0,
2c3a6c0a 262 properties => {
3a5ae7a0
SI		 263 userid => get_standard_option('userid-completed'),
264 enable => get_standard_option('user-enable'),
265 expire => get_standard_option('user-expire'),
266 firstname => get_standard_option('user-firstname'),
267 lastname => get_standard_option('user-lastname'),
268 email => get_standard_option('user-email'),
269 comment => get_standard_option('user-comment'),
270 keys => get_standard_option('user-keys'),
37d45deb
DM		 271 password => {
272 description => "Initial password.",
0a6e09fd
PA		 273 type => 'string',
274 optional => 1,
275 minLength => 5,
276 maxLength => 64
37d45deb 277 },
3a5ae7a0 278 groups => get_standard_option('group-list'),
2c3a6c0a
DM		 279 },
280 },
281 returns => { type => 'null' },
282 code => sub {
283 my ($param) = @_;
284
2dd1e1d4
TL		 285 PVE::AccessControl::lock_user_config(sub {
286 my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
0a6e09fd 287
2dd1e1d4 288 my $usercfg = cfs_read_file("user.cfg");
0a6e09fd 289
f335d265
TL		 290 # ensure "user exists" check works for case insensitive realms
291 $username = PVE::AccessControl::lookup_username($username, 1);
292 die "user '$username' already exists\n" if $usercfg->{users}->{$username};
2c3a6c0a 293
2dd1e1d4
TL		 294 PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password})
295 if defined($param->{password});
0a6e09fd 296
2dd1e1d4
TL		 297 my $enable = defined($param->{enable}) ? $param->{enable} : 1;
298 $usercfg->{users}->{$username} = { enable => $enable };
299 $usercfg->{users}->{$username}->{expire} = $param->{expire} if $param->{expire};
2c3a6c0a 300
2dd1e1d4
TL		 301 if ($param->{groups}) {
302 foreach my $group (split_list($param->{groups})) {
303 if ($usercfg->{groups}->{$group}) {
304 PVE::AccessControl::add_user_group($username, $usercfg, $group);
305 } else {
306 die "no such group '$group'\n";
2c3a6c0a
DM		 307 }
308 }
2dd1e1d4 309 }
2c3a6c0a 310
2dd1e1d4
TL		 311 $usercfg->{users}->{$username}->{firstname} = $param->{firstname} if $param->{firstname};
312 $usercfg->{users}->{$username}->{lastname} = $param->{lastname} if $param->{lastname};
313 $usercfg->{users}->{$username}->{email} = $param->{email} if $param->{email};
314 $usercfg->{users}->{$username}->{comment} = $param->{comment} if $param->{comment};
315 $usercfg->{users}->{$username}->{keys} = $param->{keys} if $param->{keys};
2c3a6c0a 316
2dd1e1d4
TL		 317 cfs_write_file("user.cfg", $usercfg);
318 }, "create user failed");
2c3a6c0a
DM		 319
320 return undef;
321 }});
322
323__PACKAGE__->register_method ({
0a6e09fd
PA		 324 name => 'read_user',
325 path => '{userid}',
2c3a6c0a
DM		 326 method => 'GET',
327 description => "Get user configuration.",
0a6e09fd 328 permissions => {
82b63965 329 check => ['userid-group', ['User.Modify', 'Sys.Audit']],
96919234 330 },
2c3a6c0a 331 parameters => {
0a6e09fd 332 additionalProperties => 0,
2c3a6c0a 333 properties => {
3a5ae7a0 334 userid => get_standard_option('userid-completed'),
2c3a6c0a
DM		 335 },
336 },
337 returns => {
0a6e09fd 338 additionalProperties => 0,
2c3a6c0a 339 properties => {
3a5ae7a0
SI		 340 enable => get_standard_option('user-enable'),
341 expire => get_standard_option('user-expire'),
342 firstname => get_standard_option('user-firstname'),
343 lastname => get_standard_option('user-lastname'),
344 email => get_standard_option('user-email'),
345 comment => get_standard_option('user-comment'),
346 keys => get_standard_option('user-keys'),
4e4c8d40
FG		 347 groups => {
348 type => 'array',
72c4589c 349 optional => 1,
4e4c8d40
FG		 350 items => {
351 type => 'string',
352 format => 'pve-groupid',
353 },
354 },
355 tokens => {
72c4589c 356 optional => 1,
4e4c8d40 357 type => 'object',
031e388f 358 additionalProperties => get_standard_option('token-info'),
4e4c8d40 359 },
3a5ae7a0
SI		 360 },
361 type => "object"
2c3a6c0a
DM		 362 },
363 code => sub {
364 my ($param) = @_;
365
3e5b237f 366 my ($username, undef, $domain) = PVE::AccessControl::verify_username($param->{userid});
2c3a6c0a
DM		 367
368 my $usercfg = cfs_read_file("user.cfg");
2c3a6c0a 369
37d45deb 370 my $data = PVE::AccessControl::check_user_exist($usercfg, $username);
0a6e09fd 371
2c3a6c0a
DM		 372 return &$extract_user_data($data, 1);
373 }});
374
375__PACKAGE__->register_method ({
0a6e09fd 376 name => 'update_user',
2c3a6c0a 377 protected => 1,
0a6e09fd 378 path => '{userid}',
2c3a6c0a 379 method => 'PUT',
0a6e09fd 380 permissions => {
aee071ad 381 check => ['userid-group', ['User.Modify'], groups_param => 'update' ],
96919234 382 },
2c3a6c0a
DM		 383 description => "Update user configuration.",
384 parameters => {
0a6e09fd 385 additionalProperties => 0,
2c3a6c0a 386 properties => {
3a5ae7a0
SI		 387 userid => get_standard_option('userid-completed'),
388 enable => get_standard_option('user-enable'),
389 expire => get_standard_option('user-expire'),
390 firstname => get_standard_option('user-firstname'),
391 lastname => get_standard_option('user-lastname'),
392 email => get_standard_option('user-email'),
393 comment => get_standard_option('user-comment'),
394 keys => get_standard_option('user-keys'),
395 groups => get_standard_option('group-list'),
0a6e09fd
PA		 396 append => {
397 type => 'boolean',
2c3a6c0a
DM		 398 optional => 1,
399 requires => 'groups',
400 },
2c3a6c0a
DM		 401 },
402 },
403 returns => { type => 'null' },
404 code => sub {
405 my ($param) = @_;
37d45deb 406
3e5b237f 407 my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
0a6e09fd 408
3e5b237f
TL		 409 PVE::AccessControl::lock_user_config(sub {
410 my $usercfg = cfs_read_file("user.cfg");
2c3a6c0a 411
3e5b237f 412 PVE::AccessControl::check_user_exist($usercfg, $username);
2c3a6c0a 413
3e5b237f
TL		 414 $usercfg->{users}->{$username}->{enable} = $param->{enable} if defined($param->{enable});
415 $usercfg->{users}->{$username}->{expire} = $param->{expire} if defined($param->{expire});
2c3a6c0a 416
3e5b237f
TL		 417 PVE::AccessControl::delete_user_group($username, $usercfg)
418 if (!$param->{append} && defined($param->{groups}));
2c3a6c0a 419
3e5b237f
TL		 420 if ($param->{groups}) {
421 foreach my $group (split_list($param->{groups})) {
422 if ($usercfg->{groups}->{$group}) {
423 PVE::AccessControl::add_user_group($username, $usercfg, $group);
424 } else {
425 die "no such group '$group'\n";
2c3a6c0a
DM		 426 }
427 }
3e5b237f 428 }
2c3a6c0a 429
3e5b237f
TL		 430 $usercfg->{users}->{$username}->{firstname} = $param->{firstname} if defined($param->{firstname});
431 $usercfg->{users}->{$username}->{lastname} = $param->{lastname} if defined($param->{lastname});
432 $usercfg->{users}->{$username}->{email} = $param->{email} if defined($param->{email});
433 $usercfg->{users}->{$username}->{comment} = $param->{comment} if defined($param->{comment});
434 $usercfg->{users}->{$username}->{keys} = $param->{keys} if defined($param->{keys});
2c3a6c0a 435
3e5b237f
TL		 436 cfs_write_file("user.cfg", $usercfg);
437 }, "update user failed");
0a6e09fd 438
2c3a6c0a
DM		 439 return undef;
440 }});
441
442__PACKAGE__->register_method ({
0a6e09fd 443 name => 'delete_user',
2c3a6c0a 444 protected => 1,
0a6e09fd 445 path => '{userid}',
2c3a6c0a
DM		 446 method => 'DELETE',
447 description => "Delete user.",
0a6e09fd 448 permissions => {
82b63965 449 check => [ 'and',
3e5b237f
TL		 450 [ 'userid-param', 'Realm.AllocateUser'],
451 [ 'userid-group', ['User.Modify']],
452 ],
12683df7 453 },
2c3a6c0a 454 parameters => {
0a6e09fd 455 additionalProperties => 0,
2c3a6c0a 456 properties => {
3a5ae7a0 457 userid => get_standard_option('userid-completed'),
2c3a6c0a
DM		 458 }
459 },
460 returns => { type => 'null' },
461 code => sub {
462 my ($param) = @_;
0a6e09fd 463
37d45deb
DM		 464 my $rpcenv = PVE::RPCEnvironment::get();
465 my $authuser = $rpcenv->get_user();
466
3e5b237f 467 my ($userid, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
2c3a6c0a 468
3e5b237f
TL		 469 PVE::AccessControl::lock_user_config(sub {
470 my $usercfg = cfs_read_file("user.cfg");
2c3a6c0a 471
ba6cc98f
TL		 472 # NOTE: disable the user first (transaction like), so if (e.g.) we fail in the middle of
473 # TFA deletion the user will be still disabled and not just without TFA protection.
474 $usercfg->{users}->{$userid}->{enable} = 0;
475 cfs_write_file("user.cfg", $usercfg);
476
3e5b237f
TL		 477 my $domain_cfg = cfs_read_file('domains.cfg');
478 if (my $cfg = $domain_cfg->{ids}->{$realm}) {
479 my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
480 $plugin->delete_user($cfg, $realm, $ruid);
481 }
2c3a6c0a 482
8ecf1a49
TL		 483 # Remove user from cache before removing the TFA entry so realms with TFA-enforcement
484 # know that it's OK to drop any TFA entry in that case.
3e5b237f 485 delete $usercfg->{users}->{$userid};
37d45deb 486
e780b46a
TL		 487 my $partial_deletion = '';
488 eval {
d168ab34 489 PVE::AccessControl::user_remove_tfa($userid);
e780b46a
TL		 490 $partial_deletion = ' - but deleted related TFA';
491
492 PVE::AccessControl::delete_user_group($userid, $usercfg);
493 $partial_deletion .= ', Groups';
494 PVE::AccessControl::delete_user_acl($userid, $usercfg);
495 $partial_deletion .= ', ACLs';
496
497 cfs_write_file("user.cfg", $usercfg);
498 };
499 die "$@$partial_deletion\n" if $@;
3e5b237f 500 }, "delete user failed");
0a6e09fd 501
2c3a6c0a
DM		 502 return undef;
503 }});
504
e51988b4
DC		 505__PACKAGE__->register_method ({
506 name => 'read_user_tfa_type',
507 path => '{userid}/tfa',
508 method => 'GET',
509 protected => 1,
510 description => "Get user TFA types (Personal and Realm).",
511 permissions => {
512 check => [ 'or',
513 ['userid-param', 'self'],
514 ['userid-group', ['User.Modify', 'Sys.Audit']],
515 ],
516 },
517 parameters => {
518 additionalProperties => 0,
519 properties => {
520 userid => get_standard_option('userid-completed'),
f7f2e28e
WB		 521 multiple => {
522 type => 'boolean',
523 description => 'Request all entries as an array.',
524 optional => 1,
525 default => 0,
526 },
e51988b4
DC		 527 },
528 },
529 returns => {
530 additionalProperties => 0,
531 properties => {
532 realm => {
533 type => 'string',
534 enum => [qw(oath yubico)],
535 description => "The type of TFA the users realm has set, if any.",
536 optional => 1,
537 },
538 user => {
539 type => 'string',
540 enum => [qw(oath u2f)],
f7f2e28e
WB		 541 description =>
542 "The type of TFA the user has set, if any."
543 . " Only set if 'multiple' was not passed.",
e51988b4
DC		 544 optional => 1,
545 },
f7f2e28e
WB		 546 types => {
547 type => 'array',
548 description =>
549 "Array of the user configured TFA types, if any."
550 . " Only available if 'multiple' was not passed.",
551 optional => 1,
552 items => {
553 type => 'string',
554 enum => [qw(totp u2f yubico webauthn recovedry)],
555 description => 'A TFA type.',
556 },
557 },
e51988b4
DC		 558 },
559 type => "object"
560 },
561 code => sub {
562 my ($param) = @_;
563
564 my ($username, undef, $realm) = PVE::AccessControl::verify_username($param->{userid});
565
e51988b4
DC		 566 my $domain_cfg = cfs_read_file('domains.cfg');
567 my $realm_cfg = $domain_cfg->{ids}->{$realm};
568 die "auth domain '$realm' does not exist\n" if !$realm_cfg;
569
f7f2e28e 570 my $res = {};
e51988b4 571 my $realm_tfa = {};
3e5b237f 572 $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_cfg->{tfa}) if $realm_cfg->{tfa};
f7f2e28e 573 $res->{realm} = $realm_tfa->{type} if $realm_tfa->{type};
e51988b4
DC		 574
575 my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
f7f2e28e
WB		 576 if ($param->{multiple}) {
577 my $tfa = $tfa_cfg->get_user($username);
578 my $user = [];
579 foreach my $type (keys %$tfa) {
580 next if !scalar($tfa->{$type}->@*);
581 push @$user, $type;
582 }
583 $res->{user} = $user;
584 } else {
585 my $tfa = $tfa_cfg->{users}->{$username};
586 $res->{user} = $tfa->{type} if $tfa->{type};
587 }
e51988b4
DC		 588 return $res;
589 }});
590
330b8dbb
WB		 591__PACKAGE__->register_method ({
592 name => 'unlock_tfa',
593 path => '{userid}/unlock-tfa',
594 method => 'PUT',
595 protected => 1,
596 description => "Unlock a user's TFA authentication.",
597 permissions => {
598 check => [ 'userid-group', ['User.Modify']],
599 },
600 parameters => {
601 additionalProperties => 0,
602 properties => {
603 userid => get_standard_option('userid-completed'),
604 },
605 },
606 returns => { type => 'boolean' },
607 code => sub {
608 my ($param) = @_;
609
610 my $userid = extract_param($param, "userid");
611
612 my $user_was_locked = PVE::AccessControl::lock_tfa_config(sub {
613 my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
614 my $was_locked = $tfa_cfg->api_unlock_tfa($userid);
615 cfs_write_file('priv/tfa.cfg', $tfa_cfg)
616 if $was_locked;
617 return $was_locked;
618 });
619
620 return $user_was_locked;
621 }});
622
4e4c8d40
FG		 623__PACKAGE__->register_method ({
624 name => 'token_index',
625 path => '{userid}/token',
626 method => 'GET',
627 description => "Get user API tokens.",
628 permissions => {
3e5b237f
TL		 629 check => [
630 'or',
631 ['userid-param', 'self'],
59164ff1 632 ['userid-group', ['User.Modify']],
4e4c8d40
FG		 633 ],
634 },
635 parameters => {
636 additionalProperties => 0,
637 properties => {
638 userid => get_standard_option('userid-completed'),
639 },
640 },
641 returns => {
642 type => "array",
643 items => $token_info_extend->({
644 tokenid => get_standard_option('token-subid'),
645 }),
646 links => [ { rel => 'child', href => "{tokenid}" } ],
647 },
648 code => sub {
649 my ($param) = @_;
650
651 my $userid = PVE::AccessControl::verify_username($param->{userid});
652 my $usercfg = cfs_read_file("user.cfg");
653
654 my $user = PVE::AccessControl::check_user_exist($usercfg, $userid);
655
656 my $tokens = $user->{tokens} // {};
657 return [ map { $tokens->{$_}->{tokenid} = $_; $tokens->{$_} } keys %$tokens];
658 }});
659
660__PACKAGE__->register_method ({
661 name => 'read_token',
662 path => '{userid}/token/{tokenid}',
663 method => 'GET',
664 description => "Get specific API token information.",
665 permissions => {
3e5b237f
TL		 666 check => [
667 'or',
668 ['userid-param', 'self'],
59164ff1 669 ['userid-group', ['User.Modify']],
4e4c8d40
FG		 670 ],
671 },
672 parameters => {
673 additionalProperties => 0,
674 properties => {
675 userid => get_standard_option('userid-completed'),
676 tokenid => get_standard_option('token-subid'),
677 },
678 },
679 returns => get_standard_option('token-info'),
680 code => sub {
681 my ($param) = @_;
682
683 my $userid = PVE::AccessControl::verify_username($param->{userid});
684 my $tokenid = $param->{tokenid};
685
686 my $usercfg = cfs_read_file("user.cfg");
687
688 return PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
689 }});
690
691__PACKAGE__->register_method ({
692 name => 'generate_token',
693 path => '{userid}/token/{tokenid}',
694 method => 'POST',
695 description => "Generate a new API token for a specific user. NOTE: returns API token value, which needs to be stored as it cannot be retrieved afterwards!",
696 protected => 1,
697 permissions => {
3e5b237f
TL		 698 check => [
699 'or',
700 ['userid-param', 'self'],
59164ff1 701 ['userid-group', ['User.Modify']],
4e4c8d40
FG		 702 ],
703 },
704 parameters => {
705 additionalProperties => 0,
706 properties => {
707 userid => get_standard_option('userid-completed'),
708 tokenid => get_standard_option('token-subid'),
709 expire => get_standard_option('token-expire'),
710 privsep => get_standard_option('token-privsep'),
711 comment => get_standard_option('token-comment'),
712 },
713 },
714 returns => {
715 additionalProperties => 0,
716 type => "object",
717 properties => {
718 info => get_standard_option('token-info'),
719 value => {
720 type => 'string',
721 description => 'API token value used for authentication.',
722 },
77bfb48e
TL		 723 'full-tokenid' => {
724 type => 'string',
725 format_description => '<userid>!<tokenid>',
726 description => 'The full token id.',
727 },
4e4c8d40
FG		 728 },
729 },
730 code => sub {
731 my ($param) = @_;
732
733 my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
734 my $tokenid = extract_param($param, 'tokenid');
735
736 my $usercfg = cfs_read_file("user.cfg");
737
738 my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid, 1);
77bfb48e 739 my ($full_tokenid, $value);
4e4c8d40
FG		 740
741 PVE::AccessControl::check_user_exist($usercfg, $userid);
742 raise_param_exc({ 'tokenid' => 'Token already exists.' }) if defined($token);
743
744 my $generate_and_add_token = sub {
745 $usercfg = cfs_read_file("user.cfg");
746 PVE::AccessControl::check_user_exist($usercfg, $userid);
747 die "Token already exists.\n" if defined(PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid, 1));
748
77bfb48e 749 $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
4e4c8d40
FG		 750 $value = PVE::TokenConfig::generate_token($full_tokenid);
751
752 $token = {};
753 $token->{privsep} = defined($param->{privsep}) ? $param->{privsep} : 1;
754 $token->{expire} = $param->{expire} if defined($param->{expire});
755 $token->{comment} = $param->{comment} if $param->{comment};
756
757 $usercfg->{users}->{$userid}->{tokens}->{$tokenid} = $token;
758 cfs_write_file("user.cfg", $usercfg);
759 };
760
761 PVE::AccessControl::lock_user_config($generate_and_add_token, 'generating token failed');
762
77bfb48e
TL		 763 return {
764 info => $token,
765 value => $value,
766 'full-tokenid' => $full_tokenid,
767 };
4e4c8d40
FG		 768 }});
769
770
771__PACKAGE__->register_method ({
772 name => 'update_token_info',
773 path => '{userid}/token/{tokenid}',
774 method => 'PUT',
775 description => "Update API token for a specific user.",
776 protected => 1,
777 permissions => {
3e5b237f
TL		 778 check => [
779 'or',
780 ['userid-param', 'self'],
59164ff1 781 ['userid-group', ['User.Modify']],
4e4c8d40
FG		 782 ],
783 },
784 parameters => {
785 additionalProperties => 0,
786 properties => {
787 userid => get_standard_option('userid-completed'),
788 tokenid => get_standard_option('token-subid'),
789 expire => get_standard_option('token-expire'),
790 privsep => get_standard_option('token-privsep'),
791 comment => get_standard_option('token-comment'),
792 },
793 },
794 returns => get_standard_option('token-info', { description => "Updated token information." }),
795 code => sub {
796 my ($param) = @_;
797
798 my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
799 my $tokenid = extract_param($param, 'tokenid');
800
801 my $usercfg = cfs_read_file("user.cfg");
802 my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
803
3e5b237f 804 PVE::AccessControl::lock_user_config(sub {
4e4c8d40
FG		 805 $usercfg = cfs_read_file("user.cfg");
806 $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
807
808 my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
809
810 $token->{privsep} = $param->{privsep} if defined($param->{privsep});
811 $token->{expire} = $param->{expire} if defined($param->{expire});
812 $token->{comment} = $param->{comment} if $param->{comment};
813
814 $usercfg->{users}->{$userid}->{tokens}->{$tokenid} = $token;
815 cfs_write_file("user.cfg", $usercfg);
3e5b237f 816 }, 'updating token info failed');
4e4c8d40
FG		 817
818 return $token;
819 }});
820
821
822__PACKAGE__->register_method ({
823 name => 'remove_token',
824 path => '{userid}/token/{tokenid}',
825 method => 'DELETE',
826 description => "Remove API token for a specific user.",
827 protected => 1,
828 permissions => {
3e5b237f
TL		 829 check => [
830 'or',
831 ['userid-param', 'self'],
59164ff1 832 ['userid-group', ['User.Modify']],
4e4c8d40
FG		 833 ],
834 },
835 parameters => {
836 additionalProperties => 0,
837 properties => {
838 userid => get_standard_option('userid-completed'),
839 tokenid => get_standard_option('token-subid'),
840 },
841 },
842 returns => { type => 'null' },
843 code => sub {
844 my ($param) = @_;
845
846 my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
847 my $tokenid = extract_param($param, 'tokenid');
848
849 my $usercfg = cfs_read_file("user.cfg");
850 my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
851
3e5b237f 852 PVE::AccessControl::lock_user_config(sub {
4e4c8d40
FG		 853 $usercfg = cfs_read_file("user.cfg");
854
855 PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
856
857 my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
858 PVE::TokenConfig::delete_token($full_tokenid);
859 delete $usercfg->{users}->{$userid}->{tokens}->{$tokenid};
860
861 cfs_write_file("user.cfg", $usercfg);
3e5b237f 862 }, 'deleting token failed');
4e4c8d40
FG		 863
864 return;
865 }});
2c3a6c0a 8661;
Access control framework