]>
Commit | Line | Data |
---|---|---|
1 | package PVE::API2::User; | |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | ||
6 | use PVE::Exception qw(raise raise_perm_exc raise_param_exc); | |
7 | use PVE::Cluster qw (cfs_read_file cfs_write_file); | |
8 | use PVE::Tools qw(split_list extract_param); | |
9 | use PVE::JSONSchema qw(get_standard_option register_standard_option); | |
10 | use PVE::SafeSyslog; | |
11 | ||
12 | use PVE::AccessControl; | |
13 | use PVE::Auth::Plugin; | |
14 | use PVE::TokenConfig; | |
15 | ||
16 | use PVE::RESTHandler; | |
17 | ||
18 | use base qw(PVE::RESTHandler); | |
19 | ||
20 | register_standard_option('user-enable', { | |
21 | description => "Enable the account (default). You can set this to '0' to disable the account", | |
22 | type => 'boolean', | |
23 | optional => 1, | |
24 | default => 1, | |
25 | }); | |
26 | register_standard_option('user-expire', { | |
27 | description => "Account expiration date (seconds since epoch). '0' means no expiration date.", | |
28 | type => 'integer', | |
29 | minimum => 0, | |
30 | optional => 1, | |
31 | }); | |
32 | register_standard_option('user-firstname', { type => 'string', optional => 1, maxLength => 1024, }); | |
33 | register_standard_option('user-lastname', { type => 'string', optional => 1, maxLength => 1024, }); | |
34 | register_standard_option('user-email', { | |
35 | type => 'string', | |
36 | optional => 1, | |
37 | format => 'email-opt', | |
38 | maxLength => 254, # 256 including punctuation and separator is the max path as per RFC 5321 | |
39 | }); | |
40 | register_standard_option('user-comment', { | |
41 | type => 'string', | |
42 | optional => 1, | |
43 | maxLength => 2048, | |
44 | }); | |
45 | register_standard_option('user-keys', { | |
46 | description => "Keys for two factor auth (yubico).", | |
47 | type => 'string', | |
48 | pattern => '[0-9a-zA-Z!=]{0,4096}', | |
49 | optional => 1, | |
50 | }); | |
51 | register_standard_option('group-list', { | |
52 | type => 'string', format => 'pve-groupid-list', | |
53 | optional => 1, | |
54 | completion => \&PVE::AccessControl::complete_group, | |
55 | }); | |
56 | register_standard_option('token-subid', { | |
57 | type => 'string', | |
58 | pattern => $PVE::AccessControl::token_subid_regex, | |
59 | description => 'User-specific token identifier.', | |
60 | }); | |
61 | register_standard_option('token-expire', { | |
62 | description => "API token expiration date (seconds since epoch). '0' means no expiration date.", | |
63 | type => 'integer', | |
64 | minimum => 0, | |
65 | optional => 1, | |
66 | default => 'same as user', | |
67 | }); | |
68 | register_standard_option('token-privsep', { | |
69 | description => "Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.", | |
70 | type => 'boolean', | |
71 | optional => 1, | |
72 | default => 1, | |
73 | }); | |
74 | register_standard_option('token-comment', { type => 'string', optional => 1 }); | |
75 | register_standard_option('token-info', { | |
76 | type => 'object', | |
77 | properties => { | |
78 | expire => get_standard_option('token-expire'), | |
79 | privsep => get_standard_option('token-privsep'), | |
80 | comment => get_standard_option('token-comment'), | |
81 | } | |
82 | }); | |
83 | ||
84 | my $token_info_extend = sub { | |
85 | my ($props) = @_; | |
86 | ||
87 | my $obj = get_standard_option('token-info'); | |
88 | my $base_props = $obj->{properties}; | |
89 | $obj->{properties} = {}; | |
90 | ||
91 | foreach my $prop (keys %$base_props) { | |
92 | $obj->{properties}->{$prop} = $base_props->{$prop}; | |
93 | } | |
94 | ||
95 | foreach my $add_prop (keys %$props) { | |
96 | $obj->{properties}->{$add_prop} = $props->{$add_prop}; | |
97 | } | |
98 | ||
99 | return $obj; | |
100 | }; | |
101 | ||
102 | my $extract_user_data = sub { | |
103 | my ($data, $full) = @_; | |
104 | ||
105 | my $res = {}; | |
106 | ||
107 | foreach my $prop (qw(enable expire firstname lastname email comment keys)) { | |
108 | $res->{$prop} = $data->{$prop} if defined($data->{$prop}); | |
109 | } | |
110 | ||
111 | return $res if !$full; | |
112 | ||
113 | $res->{groups} = $data->{groups} ? [ sort keys %{$data->{groups}} ] : []; | |
114 | $res->{tokens} = $data->{tokens}; | |
115 | ||
116 | return $res; | |
117 | }; | |
118 | ||
119 | __PACKAGE__->register_method ({ | |
120 | name => 'index', | |
121 | path => '', | |
122 | method => 'GET', | |
123 | description => "User index.", | |
124 | permissions => { | |
125 | description => "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.", | |
126 | user => 'all', | |
127 | }, | |
128 | protected => 1, # to access priv/tfa.cfg | |
129 | parameters => { | |
130 | additionalProperties => 0, | |
131 | properties => { | |
132 | enabled => { | |
133 | type => 'boolean', | |
134 | description => "Optional filter for enable property.", | |
135 | optional => 1, | |
136 | }, | |
137 | full => { | |
138 | type => 'boolean', | |
139 | description => "Include group and token information.", | |
140 | optional => 1, | |
141 | default => 0, | |
142 | } | |
143 | }, | |
144 | }, | |
145 | returns => { | |
146 | type => 'array', | |
147 | items => { | |
148 | type => "object", | |
149 | properties => { | |
150 | userid => get_standard_option('userid-completed'), | |
151 | enable => get_standard_option('user-enable'), | |
152 | expire => get_standard_option('user-expire'), | |
153 | firstname => get_standard_option('user-firstname'), | |
154 | lastname => get_standard_option('user-lastname'), | |
155 | email => get_standard_option('user-email'), | |
156 | comment => get_standard_option('user-comment'), | |
157 | keys => get_standard_option('user-keys'), | |
158 | groups => get_standard_option('group-list'), | |
159 | tokens => { | |
160 | type => 'array', | |
161 | optional => 1, | |
162 | items => $token_info_extend->({ | |
163 | tokenid => get_standard_option('token-subid'), | |
164 | }), | |
165 | }, | |
166 | 'realm-type' => { | |
167 | type => 'string', format => 'pve-realm', | |
168 | description => 'The type of the users realm', | |
169 | optional => 1, # it should always be there, but we use conditional code below, so.. | |
170 | }, | |
171 | 'totp-locked' => { | |
172 | type => 'boolean', | |
173 | optional => 1, | |
174 | description => 'True if the user is currently locked out of TOTP factors.', | |
175 | }, | |
176 | 'tfa-locked-until' => { | |
177 | type => 'integer', | |
178 | optional => 1, | |
179 | description => | |
180 | 'Contains a timestamp until when a user is locked out of 2nd factors.', | |
181 | }, | |
182 | }, | |
183 | }, | |
184 | links => [ { rel => 'child', href => "{userid}" } ], | |
185 | }, | |
186 | code => sub { | |
187 | my ($param) = @_; | |
188 | ||
189 | my $rpcenv = PVE::RPCEnvironment::get(); | |
190 | my $usercfg = $rpcenv->{user_cfg}; | |
191 | my $authuser = $rpcenv->get_user(); | |
192 | ||
193 | my $domainscfg = cfs_read_file('domains.cfg'); | |
194 | my $domainids = $domainscfg->{ids}; | |
195 | ||
196 | my $res = []; | |
197 | ||
198 | my $privs = [ 'User.Modify', 'Sys.Audit' ]; | |
199 | my $canUserMod = $rpcenv->check_any($authuser, "/access/groups", $privs, 1); | |
200 | my $groups = $rpcenv->filter_groups($authuser, $privs, 1); | |
201 | my $allowed_users = $rpcenv->group_member_join([keys %$groups]); | |
202 | ||
203 | my $tfa_cfg = cfs_read_file('priv/tfa.cfg'); | |
204 | ||
205 | foreach my $user (sort keys %{$usercfg->{users}}) { | |
206 | if (!($canUserMod || $user eq $authuser)) { | |
207 | next if !$allowed_users->{$user}; | |
208 | } | |
209 | ||
210 | my $entry = $extract_user_data->($usercfg->{users}->{$user}, $param->{full}); | |
211 | ||
212 | if (defined($param->{enabled})) { | |
213 | next if $entry->{enable} && !$param->{enabled}; | |
214 | next if !$entry->{enable} && $param->{enabled}; | |
215 | } | |
216 | ||
217 | $entry->{groups} = join(',', @{$entry->{groups}}) if $entry->{groups}; | |
218 | ||
219 | if (defined(my $tokens = $entry->{tokens})) { | |
220 | $entry->{tokens} = [ | |
221 | map { { tokenid => $_, %{$tokens->{$_}} } } sort keys %$tokens | |
222 | ]; | |
223 | } | |
224 | ||
225 | if ($user =~ /($PVE::Auth::Plugin::realm_regex)$/) { | |
226 | my $realm = $1; | |
227 | $entry->{'realm-type'} = $domainids->{$realm}->{type} if exists $domainids->{$realm}; | |
228 | } | |
229 | ||
230 | $entry->{userid} = $user; | |
231 | ||
232 | if (defined($tfa_cfg)) { | |
233 | if (my $data = $tfa_cfg->tfa_lock_status($user)) { | |
234 | for (qw(totp-locked tfa-locked-until)) { | |
235 | $entry->{$_} = $data->{$_} if exists($data->{$_}); | |
236 | } | |
237 | } | |
238 | } | |
239 | ||
240 | push @$res, $entry; | |
241 | } | |
242 | ||
243 | return $res; | |
244 | }}); | |
245 | ||
246 | __PACKAGE__->register_method ({ | |
247 | name => 'create_user', | |
248 | protected => 1, | |
249 | path => '', | |
250 | method => 'POST', | |
251 | permissions => { | |
252 | description => "You need 'Realm.AllocateUser' on '/access/realm/<realm>' on the realm of user <userid>, and 'User.Modify' permissions to '/access/groups/<group>' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.", | |
253 | check => [ | |
254 | 'and', | |
255 | [ 'userid-param', 'Realm.AllocateUser'], | |
256 | [ 'userid-group', ['User.Modify'], groups_param => 'create'], | |
257 | ], | |
258 | }, | |
259 | description => "Create new user.", | |
260 | parameters => { | |
261 | additionalProperties => 0, | |
262 | properties => { | |
263 | userid => get_standard_option('userid-completed'), | |
264 | enable => get_standard_option('user-enable'), | |
265 | expire => get_standard_option('user-expire'), | |
266 | firstname => get_standard_option('user-firstname'), | |
267 | lastname => get_standard_option('user-lastname'), | |
268 | email => get_standard_option('user-email'), | |
269 | comment => get_standard_option('user-comment'), | |
270 | keys => get_standard_option('user-keys'), | |
271 | password => { | |
272 | description => "Initial password.", | |
273 | type => 'string', | |
274 | optional => 1, | |
275 | minLength => 5, | |
276 | maxLength => 64 | |
277 | }, | |
278 | groups => get_standard_option('group-list'), | |
279 | }, | |
280 | }, | |
281 | returns => { type => 'null' }, | |
282 | code => sub { | |
283 | my ($param) = @_; | |
284 | ||
285 | PVE::AccessControl::lock_user_config(sub { | |
286 | my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid}); | |
287 | ||
288 | my $usercfg = cfs_read_file("user.cfg"); | |
289 | ||
290 | # ensure "user exists" check works for case insensitive realms | |
291 | $username = PVE::AccessControl::lookup_username($username, 1); | |
292 | die "user '$username' already exists\n" if $usercfg->{users}->{$username}; | |
293 | ||
294 | PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password}) | |
295 | if defined($param->{password}); | |
296 | ||
297 | my $enable = defined($param->{enable}) ? $param->{enable} : 1; | |
298 | $usercfg->{users}->{$username} = { enable => $enable }; | |
299 | $usercfg->{users}->{$username}->{expire} = $param->{expire} if $param->{expire}; | |
300 | ||
301 | if ($param->{groups}) { | |
302 | foreach my $group (split_list($param->{groups})) { | |
303 | if ($usercfg->{groups}->{$group}) { | |
304 | PVE::AccessControl::add_user_group($username, $usercfg, $group); | |
305 | } else { | |
306 | die "no such group '$group'\n"; | |
307 | } | |
308 | } | |
309 | } | |
310 | ||
311 | $usercfg->{users}->{$username}->{firstname} = $param->{firstname} if $param->{firstname}; | |
312 | $usercfg->{users}->{$username}->{lastname} = $param->{lastname} if $param->{lastname}; | |
313 | $usercfg->{users}->{$username}->{email} = $param->{email} if $param->{email}; | |
314 | $usercfg->{users}->{$username}->{comment} = $param->{comment} if $param->{comment}; | |
315 | $usercfg->{users}->{$username}->{keys} = $param->{keys} if $param->{keys}; | |
316 | ||
317 | cfs_write_file("user.cfg", $usercfg); | |
318 | }, "create user failed"); | |
319 | ||
320 | return undef; | |
321 | }}); | |
322 | ||
323 | __PACKAGE__->register_method ({ | |
324 | name => 'read_user', | |
325 | path => '{userid}', | |
326 | method => 'GET', | |
327 | description => "Get user configuration.", | |
328 | permissions => { | |
329 | check => ['userid-group', ['User.Modify', 'Sys.Audit']], | |
330 | }, | |
331 | parameters => { | |
332 | additionalProperties => 0, | |
333 | properties => { | |
334 | userid => get_standard_option('userid-completed'), | |
335 | }, | |
336 | }, | |
337 | returns => { | |
338 | additionalProperties => 0, | |
339 | properties => { | |
340 | enable => get_standard_option('user-enable'), | |
341 | expire => get_standard_option('user-expire'), | |
342 | firstname => get_standard_option('user-firstname'), | |
343 | lastname => get_standard_option('user-lastname'), | |
344 | email => get_standard_option('user-email'), | |
345 | comment => get_standard_option('user-comment'), | |
346 | keys => get_standard_option('user-keys'), | |
347 | groups => { | |
348 | type => 'array', | |
349 | optional => 1, | |
350 | items => { | |
351 | type => 'string', | |
352 | format => 'pve-groupid', | |
353 | }, | |
354 | }, | |
355 | tokens => { | |
356 | optional => 1, | |
357 | type => 'object', | |
358 | additionalProperties => get_standard_option('token-info'), | |
359 | }, | |
360 | }, | |
361 | type => "object" | |
362 | }, | |
363 | code => sub { | |
364 | my ($param) = @_; | |
365 | ||
366 | my ($username, undef, $domain) = PVE::AccessControl::verify_username($param->{userid}); | |
367 | ||
368 | my $usercfg = cfs_read_file("user.cfg"); | |
369 | ||
370 | my $data = PVE::AccessControl::check_user_exist($usercfg, $username); | |
371 | ||
372 | return &$extract_user_data($data, 1); | |
373 | }}); | |
374 | ||
375 | __PACKAGE__->register_method ({ | |
376 | name => 'update_user', | |
377 | protected => 1, | |
378 | path => '{userid}', | |
379 | method => 'PUT', | |
380 | permissions => { | |
381 | check => ['userid-group', ['User.Modify'], groups_param => 'update' ], | |
382 | }, | |
383 | description => "Update user configuration.", | |
384 | parameters => { | |
385 | additionalProperties => 0, | |
386 | properties => { | |
387 | userid => get_standard_option('userid-completed'), | |
388 | enable => get_standard_option('user-enable'), | |
389 | expire => get_standard_option('user-expire'), | |
390 | firstname => get_standard_option('user-firstname'), | |
391 | lastname => get_standard_option('user-lastname'), | |
392 | email => get_standard_option('user-email'), | |
393 | comment => get_standard_option('user-comment'), | |
394 | keys => get_standard_option('user-keys'), | |
395 | groups => get_standard_option('group-list'), | |
396 | append => { | |
397 | type => 'boolean', | |
398 | optional => 1, | |
399 | requires => 'groups', | |
400 | }, | |
401 | }, | |
402 | }, | |
403 | returns => { type => 'null' }, | |
404 | code => sub { | |
405 | my ($param) = @_; | |
406 | ||
407 | my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid}); | |
408 | ||
409 | PVE::AccessControl::lock_user_config(sub { | |
410 | my $usercfg = cfs_read_file("user.cfg"); | |
411 | ||
412 | PVE::AccessControl::check_user_exist($usercfg, $username); | |
413 | ||
414 | $usercfg->{users}->{$username}->{enable} = $param->{enable} if defined($param->{enable}); | |
415 | $usercfg->{users}->{$username}->{expire} = $param->{expire} if defined($param->{expire}); | |
416 | ||
417 | PVE::AccessControl::delete_user_group($username, $usercfg) | |
418 | if (!$param->{append} && defined($param->{groups})); | |
419 | ||
420 | if ($param->{groups}) { | |
421 | foreach my $group (split_list($param->{groups})) { | |
422 | if ($usercfg->{groups}->{$group}) { | |
423 | PVE::AccessControl::add_user_group($username, $usercfg, $group); | |
424 | } else { | |
425 | die "no such group '$group'\n"; | |
426 | } | |
427 | } | |
428 | } | |
429 | ||
430 | $usercfg->{users}->{$username}->{firstname} = $param->{firstname} if defined($param->{firstname}); | |
431 | $usercfg->{users}->{$username}->{lastname} = $param->{lastname} if defined($param->{lastname}); | |
432 | $usercfg->{users}->{$username}->{email} = $param->{email} if defined($param->{email}); | |
433 | $usercfg->{users}->{$username}->{comment} = $param->{comment} if defined($param->{comment}); | |
434 | $usercfg->{users}->{$username}->{keys} = $param->{keys} if defined($param->{keys}); | |
435 | ||
436 | cfs_write_file("user.cfg", $usercfg); | |
437 | }, "update user failed"); | |
438 | ||
439 | return undef; | |
440 | }}); | |
441 | ||
442 | __PACKAGE__->register_method ({ | |
443 | name => 'delete_user', | |
444 | protected => 1, | |
445 | path => '{userid}', | |
446 | method => 'DELETE', | |
447 | description => "Delete user.", | |
448 | permissions => { | |
449 | check => [ 'and', | |
450 | [ 'userid-param', 'Realm.AllocateUser'], | |
451 | [ 'userid-group', ['User.Modify']], | |
452 | ], | |
453 | }, | |
454 | parameters => { | |
455 | additionalProperties => 0, | |
456 | properties => { | |
457 | userid => get_standard_option('userid-completed'), | |
458 | } | |
459 | }, | |
460 | returns => { type => 'null' }, | |
461 | code => sub { | |
462 | my ($param) = @_; | |
463 | ||
464 | my $rpcenv = PVE::RPCEnvironment::get(); | |
465 | my $authuser = $rpcenv->get_user(); | |
466 | ||
467 | my ($userid, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid}); | |
468 | ||
469 | PVE::AccessControl::lock_user_config(sub { | |
470 | my $usercfg = cfs_read_file("user.cfg"); | |
471 | ||
472 | # NOTE: disable the user first (transaction like), so if (e.g.) we fail in the middle of | |
473 | # TFA deletion the user will be still disabled and not just without TFA protection. | |
474 | $usercfg->{users}->{$userid}->{enable} = 0; | |
475 | cfs_write_file("user.cfg", $usercfg); | |
476 | ||
477 | my $domain_cfg = cfs_read_file('domains.cfg'); | |
478 | if (my $cfg = $domain_cfg->{ids}->{$realm}) { | |
479 | my $plugin = PVE::Auth::Plugin->lookup($cfg->{type}); | |
480 | $plugin->delete_user($cfg, $realm, $ruid); | |
481 | } | |
482 | ||
483 | # Remove user from cache before removing the TFA entry so realms with TFA-enforcement | |
484 | # know that it's OK to drop any TFA entry in that case. | |
485 | delete $usercfg->{users}->{$userid}; | |
486 | ||
487 | my $partial_deletion = ''; | |
488 | eval { | |
489 | PVE::AccessControl::user_remove_tfa($userid); | |
490 | $partial_deletion = ' - but deleted related TFA'; | |
491 | ||
492 | PVE::AccessControl::delete_user_group($userid, $usercfg); | |
493 | $partial_deletion .= ', Groups'; | |
494 | PVE::AccessControl::delete_user_acl($userid, $usercfg); | |
495 | $partial_deletion .= ', ACLs'; | |
496 | ||
497 | cfs_write_file("user.cfg", $usercfg); | |
498 | }; | |
499 | die "$@$partial_deletion\n" if $@; | |
500 | }, "delete user failed"); | |
501 | ||
502 | return undef; | |
503 | }}); | |
504 | ||
505 | __PACKAGE__->register_method ({ | |
506 | name => 'read_user_tfa_type', | |
507 | path => '{userid}/tfa', | |
508 | method => 'GET', | |
509 | protected => 1, | |
510 | description => "Get user TFA types (Personal and Realm).", | |
511 | permissions => { | |
512 | check => [ 'or', | |
513 | ['userid-param', 'self'], | |
514 | ['userid-group', ['User.Modify', 'Sys.Audit']], | |
515 | ], | |
516 | }, | |
517 | parameters => { | |
518 | additionalProperties => 0, | |
519 | properties => { | |
520 | userid => get_standard_option('userid-completed'), | |
521 | multiple => { | |
522 | type => 'boolean', | |
523 | description => 'Request all entries as an array.', | |
524 | optional => 1, | |
525 | default => 0, | |
526 | }, | |
527 | }, | |
528 | }, | |
529 | returns => { | |
530 | additionalProperties => 0, | |
531 | properties => { | |
532 | realm => { | |
533 | type => 'string', | |
534 | enum => [qw(oath yubico)], | |
535 | description => "The type of TFA the users realm has set, if any.", | |
536 | optional => 1, | |
537 | }, | |
538 | user => { | |
539 | type => 'string', | |
540 | enum => [qw(oath u2f)], | |
541 | description => | |
542 | "The type of TFA the user has set, if any." | |
543 | . " Only set if 'multiple' was not passed.", | |
544 | optional => 1, | |
545 | }, | |
546 | types => { | |
547 | type => 'array', | |
548 | description => | |
549 | "Array of the user configured TFA types, if any." | |
550 | . " Only available if 'multiple' was not passed.", | |
551 | optional => 1, | |
552 | items => { | |
553 | type => 'string', | |
554 | enum => [qw(totp u2f yubico webauthn recovedry)], | |
555 | description => 'A TFA type.', | |
556 | }, | |
557 | }, | |
558 | }, | |
559 | type => "object" | |
560 | }, | |
561 | code => sub { | |
562 | my ($param) = @_; | |
563 | ||
564 | my ($username, undef, $realm) = PVE::AccessControl::verify_username($param->{userid}); | |
565 | ||
566 | my $domain_cfg = cfs_read_file('domains.cfg'); | |
567 | my $realm_cfg = $domain_cfg->{ids}->{$realm}; | |
568 | die "auth domain '$realm' does not exist\n" if !$realm_cfg; | |
569 | ||
570 | my $res = {}; | |
571 | my $realm_tfa = {}; | |
572 | $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_cfg->{tfa}) if $realm_cfg->{tfa}; | |
573 | $res->{realm} = $realm_tfa->{type} if $realm_tfa->{type}; | |
574 | ||
575 | my $tfa_cfg = cfs_read_file('priv/tfa.cfg'); | |
576 | if ($param->{multiple}) { | |
577 | my $tfa = $tfa_cfg->get_user($username); | |
578 | my $user = []; | |
579 | foreach my $type (keys %$tfa) { | |
580 | next if !scalar($tfa->{$type}->@*); | |
581 | push @$user, $type; | |
582 | } | |
583 | $res->{user} = $user; | |
584 | } else { | |
585 | my $tfa = $tfa_cfg->{users}->{$username}; | |
586 | $res->{user} = $tfa->{type} if $tfa->{type}; | |
587 | } | |
588 | return $res; | |
589 | }}); | |
590 | ||
591 | __PACKAGE__->register_method ({ | |
592 | name => 'unlock_tfa', | |
593 | path => '{userid}/unlock-tfa', | |
594 | method => 'PUT', | |
595 | protected => 1, | |
596 | description => "Unlock a user's TFA authentication.", | |
597 | permissions => { | |
598 | check => [ 'userid-group', ['User.Modify']], | |
599 | }, | |
600 | parameters => { | |
601 | additionalProperties => 0, | |
602 | properties => { | |
603 | userid => get_standard_option('userid-completed'), | |
604 | }, | |
605 | }, | |
606 | returns => { type => 'boolean' }, | |
607 | code => sub { | |
608 | my ($param) = @_; | |
609 | ||
610 | my $userid = extract_param($param, "userid"); | |
611 | ||
612 | my $user_was_locked = PVE::AccessControl::lock_tfa_config(sub { | |
613 | my $tfa_cfg = cfs_read_file('priv/tfa.cfg'); | |
614 | my $was_locked = $tfa_cfg->api_unlock_tfa($userid); | |
615 | cfs_write_file('priv/tfa.cfg', $tfa_cfg) | |
616 | if $was_locked; | |
617 | return $was_locked; | |
618 | }); | |
619 | ||
620 | return $user_was_locked; | |
621 | }}); | |
622 | ||
623 | __PACKAGE__->register_method ({ | |
624 | name => 'token_index', | |
625 | path => '{userid}/token', | |
626 | method => 'GET', | |
627 | description => "Get user API tokens.", | |
628 | permissions => { | |
629 | check => [ | |
630 | 'or', | |
631 | ['userid-param', 'self'], | |
632 | ['userid-group', ['User.Modify']], | |
633 | ], | |
634 | }, | |
635 | parameters => { | |
636 | additionalProperties => 0, | |
637 | properties => { | |
638 | userid => get_standard_option('userid-completed'), | |
639 | }, | |
640 | }, | |
641 | returns => { | |
642 | type => "array", | |
643 | items => $token_info_extend->({ | |
644 | tokenid => get_standard_option('token-subid'), | |
645 | }), | |
646 | links => [ { rel => 'child', href => "{tokenid}" } ], | |
647 | }, | |
648 | code => sub { | |
649 | my ($param) = @_; | |
650 | ||
651 | my $userid = PVE::AccessControl::verify_username($param->{userid}); | |
652 | my $usercfg = cfs_read_file("user.cfg"); | |
653 | ||
654 | my $user = PVE::AccessControl::check_user_exist($usercfg, $userid); | |
655 | ||
656 | my $tokens = $user->{tokens} // {}; | |
657 | return [ map { $tokens->{$_}->{tokenid} = $_; $tokens->{$_} } keys %$tokens]; | |
658 | }}); | |
659 | ||
660 | __PACKAGE__->register_method ({ | |
661 | name => 'read_token', | |
662 | path => '{userid}/token/{tokenid}', | |
663 | method => 'GET', | |
664 | description => "Get specific API token information.", | |
665 | permissions => { | |
666 | check => [ | |
667 | 'or', | |
668 | ['userid-param', 'self'], | |
669 | ['userid-group', ['User.Modify']], | |
670 | ], | |
671 | }, | |
672 | parameters => { | |
673 | additionalProperties => 0, | |
674 | properties => { | |
675 | userid => get_standard_option('userid-completed'), | |
676 | tokenid => get_standard_option('token-subid'), | |
677 | }, | |
678 | }, | |
679 | returns => get_standard_option('token-info'), | |
680 | code => sub { | |
681 | my ($param) = @_; | |
682 | ||
683 | my $userid = PVE::AccessControl::verify_username($param->{userid}); | |
684 | my $tokenid = $param->{tokenid}; | |
685 | ||
686 | my $usercfg = cfs_read_file("user.cfg"); | |
687 | ||
688 | return PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid); | |
689 | }}); | |
690 | ||
691 | __PACKAGE__->register_method ({ | |
692 | name => 'generate_token', | |
693 | path => '{userid}/token/{tokenid}', | |
694 | method => 'POST', | |
695 | description => "Generate a new API token for a specific user. NOTE: returns API token value, which needs to be stored as it cannot be retrieved afterwards!", | |
696 | protected => 1, | |
697 | permissions => { | |
698 | check => [ | |
699 | 'or', | |
700 | ['userid-param', 'self'], | |
701 | ['userid-group', ['User.Modify']], | |
702 | ], | |
703 | }, | |
704 | parameters => { | |
705 | additionalProperties => 0, | |
706 | properties => { | |
707 | userid => get_standard_option('userid-completed'), | |
708 | tokenid => get_standard_option('token-subid'), | |
709 | expire => get_standard_option('token-expire'), | |
710 | privsep => get_standard_option('token-privsep'), | |
711 | comment => get_standard_option('token-comment'), | |
712 | }, | |
713 | }, | |
714 | returns => { | |
715 | additionalProperties => 0, | |
716 | type => "object", | |
717 | properties => { | |
718 | info => get_standard_option('token-info'), | |
719 | value => { | |
720 | type => 'string', | |
721 | description => 'API token value used for authentication.', | |
722 | }, | |
723 | 'full-tokenid' => { | |
724 | type => 'string', | |
725 | format_description => '<userid>!<tokenid>', | |
726 | description => 'The full token id.', | |
727 | }, | |
728 | }, | |
729 | }, | |
730 | code => sub { | |
731 | my ($param) = @_; | |
732 | ||
733 | my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid')); | |
734 | my $tokenid = extract_param($param, 'tokenid'); | |
735 | ||
736 | my $usercfg = cfs_read_file("user.cfg"); | |
737 | ||
738 | my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid, 1); | |
739 | my ($full_tokenid, $value); | |
740 | ||
741 | PVE::AccessControl::check_user_exist($usercfg, $userid); | |
742 | raise_param_exc({ 'tokenid' => 'Token already exists.' }) if defined($token); | |
743 | ||
744 | my $generate_and_add_token = sub { | |
745 | $usercfg = cfs_read_file("user.cfg"); | |
746 | PVE::AccessControl::check_user_exist($usercfg, $userid); | |
747 | die "Token already exists.\n" if defined(PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid, 1)); | |
748 | ||
749 | $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid); | |
750 | $value = PVE::TokenConfig::generate_token($full_tokenid); | |
751 | ||
752 | $token = {}; | |
753 | $token->{privsep} = defined($param->{privsep}) ? $param->{privsep} : 1; | |
754 | $token->{expire} = $param->{expire} if defined($param->{expire}); | |
755 | $token->{comment} = $param->{comment} if $param->{comment}; | |
756 | ||
757 | $usercfg->{users}->{$userid}->{tokens}->{$tokenid} = $token; | |
758 | cfs_write_file("user.cfg", $usercfg); | |
759 | }; | |
760 | ||
761 | PVE::AccessControl::lock_user_config($generate_and_add_token, 'generating token failed'); | |
762 | ||
763 | return { | |
764 | info => $token, | |
765 | value => $value, | |
766 | 'full-tokenid' => $full_tokenid, | |
767 | }; | |
768 | }}); | |
769 | ||
770 | ||
771 | __PACKAGE__->register_method ({ | |
772 | name => 'update_token_info', | |
773 | path => '{userid}/token/{tokenid}', | |
774 | method => 'PUT', | |
775 | description => "Update API token for a specific user.", | |
776 | protected => 1, | |
777 | permissions => { | |
778 | check => [ | |
779 | 'or', | |
780 | ['userid-param', 'self'], | |
781 | ['userid-group', ['User.Modify']], | |
782 | ], | |
783 | }, | |
784 | parameters => { | |
785 | additionalProperties => 0, | |
786 | properties => { | |
787 | userid => get_standard_option('userid-completed'), | |
788 | tokenid => get_standard_option('token-subid'), | |
789 | expire => get_standard_option('token-expire'), | |
790 | privsep => get_standard_option('token-privsep'), | |
791 | comment => get_standard_option('token-comment'), | |
792 | }, | |
793 | }, | |
794 | returns => get_standard_option('token-info', { description => "Updated token information." }), | |
795 | code => sub { | |
796 | my ($param) = @_; | |
797 | ||
798 | my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid')); | |
799 | my $tokenid = extract_param($param, 'tokenid'); | |
800 | ||
801 | my $usercfg = cfs_read_file("user.cfg"); | |
802 | my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid); | |
803 | ||
804 | PVE::AccessControl::lock_user_config(sub { | |
805 | $usercfg = cfs_read_file("user.cfg"); | |
806 | $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid); | |
807 | ||
808 | my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid); | |
809 | ||
810 | $token->{privsep} = $param->{privsep} if defined($param->{privsep}); | |
811 | $token->{expire} = $param->{expire} if defined($param->{expire}); | |
812 | $token->{comment} = $param->{comment} if $param->{comment}; | |
813 | ||
814 | $usercfg->{users}->{$userid}->{tokens}->{$tokenid} = $token; | |
815 | cfs_write_file("user.cfg", $usercfg); | |
816 | }, 'updating token info failed'); | |
817 | ||
818 | return $token; | |
819 | }}); | |
820 | ||
821 | ||
822 | __PACKAGE__->register_method ({ | |
823 | name => 'remove_token', | |
824 | path => '{userid}/token/{tokenid}', | |
825 | method => 'DELETE', | |
826 | description => "Remove API token for a specific user.", | |
827 | protected => 1, | |
828 | permissions => { | |
829 | check => [ | |
830 | 'or', | |
831 | ['userid-param', 'self'], | |
832 | ['userid-group', ['User.Modify']], | |
833 | ], | |
834 | }, | |
835 | parameters => { | |
836 | additionalProperties => 0, | |
837 | properties => { | |
838 | userid => get_standard_option('userid-completed'), | |
839 | tokenid => get_standard_option('token-subid'), | |
840 | }, | |
841 | }, | |
842 | returns => { type => 'null' }, | |
843 | code => sub { | |
844 | my ($param) = @_; | |
845 | ||
846 | my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid')); | |
847 | my $tokenid = extract_param($param, 'tokenid'); | |
848 | ||
849 | my $usercfg = cfs_read_file("user.cfg"); | |
850 | my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid); | |
851 | ||
852 | PVE::AccessControl::lock_user_config(sub { | |
853 | $usercfg = cfs_read_file("user.cfg"); | |
854 | ||
855 | PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid); | |
856 | ||
857 | my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid); | |
858 | PVE::TokenConfig::delete_token($full_tokenid); | |
859 | delete $usercfg->{users}->{$userid}->{tokens}->{$tokenid}; | |
860 | ||
861 | cfs_write_file("user.cfg", $usercfg); | |
862 | }, 'deleting token failed'); | |
863 | ||
864 | return; | |
865 | }}); | |
866 | 1; |