1 package PVE
::API2
::User
;
5 use PVE
::Exception
qw(raise raise_perm_exc);
6 use PVE
::Cluster qw
(cfs_read_file cfs_write_file
);
7 use PVE
::Tools
qw(split_list);
8 use PVE
::AccessControl
;
9 use PVE
::JSONSchema
qw(get_standard_option register_standard_option);
15 use base
qw(PVE::RESTHandler);
17 register_standard_option
('user-enable', {
18 description
=> "Enable the account (default). You can set this to '0' to disable the account",
23 register_standard_option
('user-expire', {
24 description
=> "Account expiration date (seconds since epoch). '0' means no expiration date.",
29 register_standard_option
('user-firstname', { type
=> 'string', optional
=> 1 });
30 register_standard_option
('user-lastname', { type
=> 'string', optional
=> 1 });
31 register_standard_option
('user-email', { type
=> 'string', optional
=> 1, format
=> 'email-opt' });
32 register_standard_option
('user-comment', { type
=> 'string', optional
=> 1 });
33 register_standard_option
('user-keys', {
34 description
=> "Keys for two factor auth (yubico).",
38 register_standard_option
('group-list', {
39 type
=> 'string', format
=> 'pve-groupid-list',
41 completion
=> \
&PVE
::AccessControl
::complete_group
,
44 my $extract_user_data = sub {
45 my ($data, $full) = @_;
49 foreach my $prop (qw(enable expire firstname lastname email comment keys)) {
50 $res->{$prop} = $data->{$prop} if defined($data->{$prop});
53 return $res if !$full;
55 $res->{groups
} = $data->{groups
} ?
[ keys %{$data->{groups
}} ] : [];
60 __PACKAGE__-
>register_method ({
64 description
=> "User index.",
66 description
=> "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.",
70 additionalProperties
=> 0,
74 description
=> "Optional filter for enable property.",
84 userid
=> get_standard_option
('userid-completed'),
85 enable
=> get_standard_option
('user-enable'),
86 expire
=> get_standard_option
('user-expire'),
87 firstname
=> get_standard_option
('user-firstname'),
88 lastname
=> get_standard_option
('user-lastname'),
89 email
=> get_standard_option
('user-email'),
90 comment
=> get_standard_option
('user-comment'),
91 keys => get_standard_option
('user-keys'),
94 links
=> [ { rel
=> 'child', href
=> "{userid}" } ],
99 my $rpcenv = PVE
::RPCEnvironment
::get
();
100 my $usercfg = $rpcenv->{user_cfg
};
101 my $authuser = $rpcenv->get_user();
105 my $privs = [ 'User.Modify', 'Sys.Audit' ];
106 my $canUserMod = $rpcenv->check_any($authuser, "/access/groups", $privs, 1);
107 my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
108 my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
110 foreach my $user (keys %{$usercfg->{users
}}) {
112 if (!($canUserMod || $user eq $authuser)) {
113 next if !$allowed_users->{$user};
116 my $entry = &$extract_user_data($usercfg->{users
}->{$user});
118 if (defined($param->{enabled
})) {
119 next if $entry->{enable
} && !$param->{enabled
};
120 next if !$entry->{enable
} && $param->{enabled
};
123 $entry->{userid
} = $user;
130 __PACKAGE__-
>register_method ({
131 name
=> 'create_user',
136 description
=> "You need 'Realm.AllocateUser' on '/access/realm/<realm>' on the realm of user <userid>, and 'User.Modify' permissions to '/access/groups/<group>' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.",
138 [ 'userid-param', 'Realm.AllocateUser'],
139 [ 'userid-group', ['User.Modify'], groups_param
=> 1],
142 description
=> "Create new user.",
144 additionalProperties
=> 0,
146 userid
=> get_standard_option
('userid-completed'),
147 enable
=> get_standard_option
('user-enable'),
148 expire
=> get_standard_option
('user-expire'),
149 firstname
=> get_standard_option
('user-firstname'),
150 lastname
=> get_standard_option
('user-lastname'),
151 email
=> get_standard_option
('user-email'),
152 comment
=> get_standard_option
('user-comment'),
153 keys => get_standard_option
('user-keys'),
155 description
=> "Initial password.",
161 groups
=> get_standard_option
('group-list'),
164 returns
=> { type
=> 'null' },
168 PVE
::AccessControl
::lock_user_config
(
171 my ($username, $ruid, $realm) = PVE
::AccessControl
::verify_username
($param->{userid
});
173 my $usercfg = cfs_read_file
("user.cfg");
175 die "user '$username' already exists\n"
176 if $usercfg->{users
}->{$username};
178 PVE
::AccessControl
::domain_set_password
($realm, $ruid, $param->{password
})
179 if defined($param->{password
});
181 my $enable = defined($param->{enable
}) ?
$param->{enable
} : 1;
182 $usercfg->{users
}->{$username} = { enable
=> $enable };
183 $usercfg->{users
}->{$username}->{expire
} = $param->{expire
} if $param->{expire
};
185 if ($param->{groups
}) {
186 foreach my $group (split_list
($param->{groups
})) {
187 if ($usercfg->{groups
}->{$group}) {
188 PVE
::AccessControl
::add_user_group
($username, $usercfg, $group);
190 die "no such group '$group'\n";
195 $usercfg->{users
}->{$username}->{firstname
} = $param->{firstname
} if $param->{firstname
};
196 $usercfg->{users
}->{$username}->{lastname
} = $param->{lastname
} if $param->{lastname
};
197 $usercfg->{users
}->{$username}->{email
} = $param->{email
} if $param->{email
};
198 $usercfg->{users
}->{$username}->{comment
} = $param->{comment
} if $param->{comment
};
199 $usercfg->{users
}->{$username}->{keys} = $param->{keys} if $param->{keys};
201 cfs_write_file
("user.cfg", $usercfg);
202 }, "create user failed");
207 __PACKAGE__-
>register_method ({
211 description
=> "Get user configuration.",
213 check
=> ['userid-group', ['User.Modify', 'Sys.Audit']],
216 additionalProperties
=> 0,
218 userid
=> get_standard_option
('userid-completed'),
222 additionalProperties
=> 0,
224 enable
=> get_standard_option
('user-enable'),
225 expire
=> get_standard_option
('user-expire'),
226 firstname
=> get_standard_option
('user-firstname'),
227 lastname
=> get_standard_option
('user-lastname'),
228 email
=> get_standard_option
('user-email'),
229 comment
=> get_standard_option
('user-comment'),
230 keys => get_standard_option
('user-keys'),
231 groups
=> { type
=> 'array' },
238 my ($username, undef, $domain) =
239 PVE
::AccessControl
::verify_username
($param->{userid
});
241 my $usercfg = cfs_read_file
("user.cfg");
243 my $data = PVE
::AccessControl
::check_user_exist
($usercfg, $username);
245 return &$extract_user_data($data, 1);
248 __PACKAGE__-
>register_method ({
249 name
=> 'update_user',
254 check
=> ['userid-group', ['User.Modify'], groups_param
=> 1 ],
256 description
=> "Update user configuration.",
258 additionalProperties
=> 0,
260 userid
=> get_standard_option
('userid-completed'),
261 enable
=> get_standard_option
('user-enable'),
262 expire
=> get_standard_option
('user-expire'),
263 firstname
=> get_standard_option
('user-firstname'),
264 lastname
=> get_standard_option
('user-lastname'),
265 email
=> get_standard_option
('user-email'),
266 comment
=> get_standard_option
('user-comment'),
267 keys => get_standard_option
('user-keys'),
268 groups
=> get_standard_option
('group-list'),
272 requires
=> 'groups',
276 returns
=> { type
=> 'null' },
280 my ($username, $ruid, $realm) =
281 PVE
::AccessControl
::verify_username
($param->{userid
});
283 PVE
::AccessControl
::lock_user_config
(
286 my $usercfg = cfs_read_file
("user.cfg");
288 PVE
::AccessControl
::check_user_exist
($usercfg, $username);
290 $usercfg->{users
}->{$username}->{enable
} = $param->{enable
} if defined($param->{enable
});
292 $usercfg->{users
}->{$username}->{expire
} = $param->{expire
} if defined($param->{expire
});
294 PVE
::AccessControl
::delete_user_group
($username, $usercfg)
295 if (!$param->{append
} && defined($param->{groups
}));
297 if ($param->{groups
}) {
298 foreach my $group (split_list
($param->{groups
})) {
299 if ($usercfg->{groups
}->{$group}) {
300 PVE
::AccessControl
::add_user_group
($username, $usercfg, $group);
302 die "no such group '$group'\n";
307 $usercfg->{users
}->{$username}->{firstname
} = $param->{firstname
} if defined($param->{firstname
});
308 $usercfg->{users
}->{$username}->{lastname
} = $param->{lastname
} if defined($param->{lastname
});
309 $usercfg->{users
}->{$username}->{email
} = $param->{email
} if defined($param->{email
});
310 $usercfg->{users
}->{$username}->{comment
} = $param->{comment
} if defined($param->{comment
});
311 $usercfg->{users
}->{$username}->{keys} = $param->{keys} if defined($param->{keys});
313 cfs_write_file
("user.cfg", $usercfg);
314 }, "update user failed");
319 __PACKAGE__-
>register_method ({
320 name
=> 'delete_user',
324 description
=> "Delete user.",
327 [ 'userid-param', 'Realm.AllocateUser'],
328 [ 'userid-group', ['User.Modify']],
332 additionalProperties
=> 0,
334 userid
=> get_standard_option
('userid-completed'),
337 returns
=> { type
=> 'null' },
341 my $rpcenv = PVE
::RPCEnvironment
::get
();
342 my $authuser = $rpcenv->get_user();
344 my ($userid, $ruid, $realm) =
345 PVE
::AccessControl
::verify_username
($param->{userid
});
347 PVE
::AccessControl
::lock_user_config
(
350 my $usercfg = cfs_read_file
("user.cfg");
352 my $domain_cfg = cfs_read_file
('domains.cfg');
353 if (my $cfg = $domain_cfg->{ids
}->{$realm}) {
354 my $plugin = PVE
::Auth
::Plugin-
>lookup($cfg->{type
});
355 $plugin->delete_user($cfg, $realm, $ruid);
358 # Remove TFA data before removing the user entry as the user entry tells us whether
359 # we need ot update priv/tfa.cfg.
360 PVE
::AccessControl
::user_set_tfa
($userid, $realm, undef, undef, $usercfg, $domain_cfg);
362 delete $usercfg->{users
}->{$userid};
364 PVE
::AccessControl
::delete_user_group
($userid, $usercfg);
365 PVE
::AccessControl
::delete_user_acl
($userid, $usercfg);
366 cfs_write_file
("user.cfg", $usercfg);
367 }, "delete user failed");