API: add API token API endpoints
1 package PVE::API2::User;
2
3 use strict;
4 use warnings;
5 use PVE::Exception qw(raise raise_perm_exc raise_param_exc);
6 use PVE::Cluster qw (cfs_read_file cfs_write_file);
7 use PVE::Tools qw(split_list extract_param);
8 use PVE::AccessControl;
9 use PVE::JSONSchema qw(get_standard_option register_standard_option);
10 use PVE::TokenConfig;
11
12 use PVE::SafeSyslog;
13
14 use PVE::RESTHandler;
15
16 use base qw(PVE::RESTHandler);
17
# Standard option schemas shared by the user and API-token endpoints below.
# Every registration happens at module load time.

register_standard_option('user-enable', {
    type => 'boolean',
    optional => 1,
    default => 1,
    description => "Enable the account (default). You can set this to '0' to disable the account",
});

register_standard_option('user-expire', {
    type => 'integer',
    minimum => 0,
    optional => 1,
    description => "Account expiration date (seconds since epoch). '0' means no expiration date.",
});

# Optional free-form strings with no further constraints; each registration
# gets its own schema hash. 'token-comment' has to exist before 'token-info'
# is assembled further down.
for my $plain_string_opt (qw(user-firstname user-lastname user-comment token-comment)) {
    register_standard_option($plain_string_opt, { type => 'string', optional => 1 });
}

register_standard_option('user-email', {
    type => 'string',
    format => 'email-opt',
    optional => 1,
});

register_standard_option('user-keys', {
    type => 'string',
    optional => 1,
    description => "Keys for two factor auth (yubico).",
});

register_standard_option('group-list', {
    type => 'string',
    format => 'pve-groupid-list',
    optional => 1,
    completion => \&PVE::AccessControl::complete_group,
});

# The sub-id is the per-user part of a token identifier; its syntax is fixed
# by the regex exported from PVE::AccessControl.
register_standard_option('token-subid', {
    type => 'string',
    pattern => $PVE::AccessControl::token_subid_regex,
    description => 'User-specific token identifier.',
});

register_standard_option('token-expire', {
    type => 'integer',
    minimum => 0,
    optional => 1,
    description => "API token expiration date (seconds since epoch). '0' means no expiration date.",
});

# privsep defaults to 1 (token restricted by its own ACLs). Per the
# description, 0 hands the token the full privileges of the owning user.
register_standard_option('token-privsep', {
    type => 'boolean',
    optional => 1,
    default => 1,
    description => "Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.",
});

# Composite schema describing the stored metadata of one token. The secret
# token value is not one of its properties.
register_standard_option('token-info', {
    type => 'object',
    properties => {
        expire => get_standard_option('token-expire'),
        privsep => get_standard_option('token-privsep'),
        comment => get_standard_option('token-comment'),
    },
});
70
# Return the 'token-info' schema with its property set widened by $props.
#
# $props is a hash ref of property name => schema; an entry whose name matches
# a standard property replaces it. The merged properties live in a new hash, so
# the hash originally referenced by the schema is not written to.
my $token_info_extend = sub {
    my ($props) = @_;

    my $schema = get_standard_option('token-info');

    # Start from a copy of the standard properties ...
    my %merged = %{ $schema->{properties} };

    # ... and let the caller's entries win on a name clash.
    $merged{$_} = $props->{$_} for keys %$props;

    $schema->{properties} = \%merged;

    return $schema;
};
88
# Reduce a user entry to the fields that the API returns.
#
# $data - hash ref holding one user's configuration entry
# $full - when true, additionally return 'groups' (array ref of the keys of
#         $data->{groups}, empty if there are none) and 'tokens' (passed
#         through by reference, not copied)
#
# Only fields named in the list below are copied, and only when defined, so
# any other key of $data never reaches the caller.
my $extract_user_data = sub {
    my ($data, $full) = @_;

    my @fields = qw(enable expire firstname lastname email comment keys);
    my %picked = map { $_ => $data->{$_} } grep { defined($data->{$_}) } @fields;

    if ($full) {
        $picked{groups} = $data->{groups} ? [ keys %{ $data->{groups} } ] : [];
        $picked{tokens} = $data->{tokens};
    }

    return \%picked;
};
105
# GET '' - list users.
#
# Any authenticated user may call this ('user => all'); the handler itself
# narrows the result to the entries the caller is allowed to see.
__PACKAGE__->register_method ({
    name => 'index',
    path => '',
    method => 'GET',
    description => "User index.",
    permissions => {
        description => "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.",
        user => 'all',
    },
    parameters => {
        additionalProperties => 0,
        properties => {
            enabled => {
                type => 'boolean',
                description => "Optional filter for enable property.",
                optional => 1,
            },
        },
    },
    returns => {
        type => 'array',
        items => {
            type => "object",
            properties => {
                userid => get_standard_option('userid-completed'),
                enable => get_standard_option('user-enable'),
                expire => get_standard_option('user-expire'),
                firstname => get_standard_option('user-firstname'),
                lastname => get_standard_option('user-lastname'),
                email => get_standard_option('user-email'),
                comment => get_standard_option('user-comment'),
                keys => get_standard_option('user-keys'),
            },
        },
        links => [ { rel => 'child', href => "{userid}" } ],
    },
    code => sub {
        my ($param) = @_;

        my $rpcenv = PVE::RPCEnvironment::get();
        my $usercfg = $rpcenv->{user_cfg};
        my $authuser = $rpcenv->get_user();

        # Either privilege is enough; it may be held on '/access/groups' as a
        # whole or only on individual groups.
        my $privs = [ 'User.Modify', 'Sys.Audit' ];
        my $sees_all = $rpcenv->check_any($authuser, "/access/groups", $privs, 1);
        my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
        my $visible = $rpcenv->group_member_join([ keys %$groups ]);

        my @list;
        for my $user (keys %{ $usercfg->{users} }) {
            # Visible when the caller holds the privilege on all groups, is
            # this user, or shares a permitted group with this user.
            next unless $sees_all || $user eq $authuser || $visible->{$user};

            # NOTE(review): the brief extract includes the 'keys' (two-factor)
            # field for every visible user - confirm it never carries secret
            # material for callers that hold only 'Sys.Audit'.
            my $entry = $extract_user_data->($usercfg->{users}->{$user});

            # With the filter set, skip entries whose enable state differs.
            if (defined($param->{enabled})) {
                next if ($entry->{enable} xor $param->{enabled});
            }

            $entry->{userid} = $user;
            push @list, $entry;
        }

        return \@list;
    }});
175
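# POST '' - create a user.
#
# Needs 'Realm.AllocateUser' on the target realm and 'User.Modify' on the
# groups involved (see the permission description).
__PACKAGE__->register_method ({
    name => 'create_user',
    protected => 1,
    path => '',
    method => 'POST',
    permissions => {
        description => "You need 'Realm.AllocateUser' on '/access/realm/<realm>' on the realm of user <userid>, and 'User.Modify' permissions to '/access/groups/<group>' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.",
        check => [ 'and',
            [ 'userid-param', 'Realm.AllocateUser'],
            [ 'userid-group', ['User.Modify'], groups_param => 1],
        ],
    },
    description => "Create new user.",
    parameters => {
        additionalProperties => 0,
        properties => {
            userid => get_standard_option('userid-completed'),
            enable => get_standard_option('user-enable'),
            expire => get_standard_option('user-expire'),
            firstname => get_standard_option('user-firstname'),
            lastname => get_standard_option('user-lastname'),
            email => get_standard_option('user-email'),
            comment => get_standard_option('user-comment'),
            keys => get_standard_option('user-keys'),
            password => {
                description => "Initial password.",
                type => 'string',
                optional => 1,
                # NOTE(review): a 5-character minimum is short by current
                # guidance; raising it changes what the API accepts, so it is
                # left for a deliberate policy decision.
                minLength => 5,
                maxLength => 64
            },
            groups => get_standard_option('group-list'),
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        # The existence check, the realm password and the user.cfg write all
        # run under the user config lock.
        PVE::AccessControl::lock_user_config(sub {
            my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});

            my $usercfg = cfs_read_file("user.cfg");

            die "user '$username' already exists\n"
                if $usercfg->{users}->{$username};

            $usercfg->{users}->{$username} = { enable => $param->{enable} // 1 };
            # expire 0 means "never", which equals leaving the field unset
            $usercfg->{users}->{$username}->{expire} = $param->{expire} if $param->{expire};

            if ($param->{groups}) {
                for my $group (split_list($param->{groups})) {
                    die "no such group '$group'\n" if !$usercfg->{groups}->{$group};
                    PVE::AccessControl::add_user_group($username, $usercfg, $group);
                }
            }

            for my $field (qw(firstname lastname email comment keys)) {
                $usercfg->{users}->{$username}->{$field} = $param->{$field} if $param->{$field};
            }

            # Set the password only after every check above has passed. It used
            # to be set before the group validation, so a request rejected for
            # an unknown group had already changed the realm's credential
            # store (presumably leaving a password behind for a user that was
            # never created - confirm against domain_set_password).
            PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password})
                if defined($param->{password});

            cfs_write_file("user.cfg", $usercfg);
        }, "create user failed");

        return undef;
    }});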
252
# GET '{userid}' - return one user's configuration.
#
# Open to callers holding 'User.Modify' or 'Sys.Audit' via the 'userid-group'
# check. The reply includes the user's groups and the stored 'tokens' hash.
__PACKAGE__->register_method ({
    name => 'read_user',
    path => '{userid}',
    method => 'GET',
    description => "Get user configuration.",
    permissions => {
        check => ['userid-group', ['User.Modify', 'Sys.Audit']],
    },
    parameters => {
        additionalProperties => 0,
        properties => {
            userid => get_standard_option('userid-completed'),
        },
    },
    returns => {
        type => "object",
        additionalProperties => 0,
        properties => {
            enable => get_standard_option('user-enable'),
            expire => get_standard_option('user-expire'),
            firstname => get_standard_option('user-firstname'),
            lastname => get_standard_option('user-lastname'),
            email => get_standard_option('user-email'),
            comment => get_standard_option('user-comment'),
            keys => get_standard_option('user-keys'),
            groups => {
                type => 'array',
                items => {
                    type => 'string',
                    format => 'pve-groupid',
                },
            },
            tokens => {
                type => 'object',
            },
        },
    },
    code => sub {
        my ($param) = @_;

        # Only the verified user name is needed; the remaining values returned
        # in list context are dropped.
        my ($username) = PVE::AccessControl::verify_username($param->{userid});

        my $usercfg = cfs_read_file("user.cfg");
        my $entry = PVE::AccessControl::check_user_exist($usercfg, $username);

        # Second argument selects the full extract (adds groups and tokens).
        return $extract_user_data->($entry, 1);
    }});
302
# PUT '{userid}' - change an existing user's configuration.
#
# Needs 'User.Modify' via the 'userid-group' check, which also covers the
# groups passed in the request (groups_param).
__PACKAGE__->register_method ({
    name => 'update_user',
    protected => 1,
    path => '{userid}',
    method => 'PUT',
    permissions => {
        check => ['userid-group', ['User.Modify'], groups_param => 1 ],
    },
    description => "Update user configuration.",
    parameters => {
        additionalProperties => 0,
        properties => {
            userid => get_standard_option('userid-completed'),
            enable => get_standard_option('user-enable'),
            expire => get_standard_option('user-expire'),
            firstname => get_standard_option('user-firstname'),
            lastname => get_standard_option('user-lastname'),
            email => get_standard_option('user-email'),
            comment => get_standard_option('user-comment'),
            keys => get_standard_option('user-keys'),
            groups => get_standard_option('group-list'),
            append => {
                type => 'boolean',
                optional => 1,
                requires => 'groups',
            },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        my ($username, $ruid, $realm) =
            PVE::AccessControl::verify_username($param->{userid});

        PVE::AccessControl::lock_user_config(sub {
            my $usercfg = cfs_read_file("user.cfg");

            PVE::AccessControl::check_user_exist($usercfg, $username);

            # defined() rather than truth: an explicit 0 (disable the account,
            # or "no expiration") has to be stored as well.
            for my $field (qw(enable expire)) {
                $usercfg->{users}->{$username}->{$field} = $param->{$field}
                    if defined($param->{$field});
            }

            # Without 'append', a supplied group list replaces the current
            # memberships - an empty list therefore removes all of them.
            if (defined($param->{groups}) && !$param->{append}) {
                PVE::AccessControl::delete_user_group($username, $usercfg);
            }

            if ($param->{groups}) {
                for my $group (split_list($param->{groups})) {
                    die "no such group '$group'\n" if !$usercfg->{groups}->{$group};
                    PVE::AccessControl::add_user_group($username, $usercfg, $group);
                }
            }

            # An empty string is a defined value, so it overwrites the field.
            for my $field (qw(firstname lastname email comment keys)) {
                $usercfg->{users}->{$username}->{$field} = $param->{$field}
                    if defined($param->{$field});
            }

            cfs_write_file("user.cfg", $usercfg);
        }, "update user failed");

        return undef;
    }});
373
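# DELETE '{userid}' - remove a user together with the data tied to it.
#
# Needs both 'Realm.AllocateUser' on the user's realm and 'User.Modify' via
# the 'userid-group' check.
__PACKAGE__->register_method ({
    name => 'delete_user',
    protected => 1,
    path => '{userid}',
    method => 'DELETE',
    description => "Delete user.",
    permissions => {
        check => [ 'and',
            [ 'userid-param', 'Realm.AllocateUser'],
            [ 'userid-group', ['User.Modify']],
        ],
    },
    parameters => {
        additionalProperties => 0,
        properties => {
            userid => get_standard_option('userid-completed'),
        }
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        my ($userid, $ruid, $realm) =
            PVE::AccessControl::verify_username($param->{userid});

        PVE::AccessControl::lock_user_config(sub {
            my $usercfg = cfs_read_file("user.cfg");

            # Let the realm's auth plugin drop what it keeps for this user.
            my $domain_cfg = cfs_read_file('domains.cfg');
            if (my $cfg = $domain_cfg->{ids}->{$realm}) {
                my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
                $plugin->delete_user($cfg, $realm, $ruid);
            }

            # Drop the secrets of the user's API tokens as well. Token secrets
            # are handled by PVE::TokenConfig (as in 'remove_token') and none
            # of the other calls in this handler is seen to remove them, so
            # they would otherwise outlive the user entry.
            my $user = $usercfg->{users}->{$userid};
            my $tokens = ($user && $user->{tokens}) || {};
            for my $tokenid (keys %$tokens) {
                my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
                PVE::TokenConfig::delete_token($full_tokenid);
            }

            # Remove TFA data before removing the user entry as the user entry tells us whether
            # we need to update priv/tfa.cfg.
            PVE::AccessControl::user_set_tfa($userid, $realm, undef, undef, $usercfg, $domain_cfg);

            delete $usercfg->{users}->{$userid};

            PVE::AccessControl::delete_user_group($userid, $usercfg);
            PVE::AccessControl::delete_user_acl($userid, $usercfg);
            cfs_write_file("user.cfg", $usercfg);
        }, "delete user failed");

        return undef;
    }});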
426
# GET '{userid}/tfa' - report which TFA types apply to a user.
#
# Allowed for the user itself or for holders of 'User.Modify'/'Sys.Audit'.
# Only the type names are returned; the handler reads priv/tfa.cfg but copies
# nothing else out of it.
__PACKAGE__->register_method ({
    name => 'read_user_tfa_type',
    path => '{userid}/tfa',
    method => 'GET',
    protected => 1,
    description => "Get user TFA types (Personal and Realm).",
    permissions => {
        check => [ 'or',
            ['userid-param', 'self'],
            ['userid-group', ['User.Modify', 'Sys.Audit']],
        ],
    },
    parameters => {
        additionalProperties => 0,
        properties => {
            userid => get_standard_option('userid-completed'),
        },
    },
    returns => {
        type => "object",
        additionalProperties => 0,
        properties => {
            realm => {
                type => 'string',
                enum => [qw(oath yubico)],
                description => "The type of TFA the users realm has set, if any.",
                optional => 1,
            },
            user => {
                type => 'string',
                enum => [qw(oath u2f)],
                description => "The type of TFA the user has set, if any.",
                optional => 1,
            },
        },
    },
    code => sub {
        my ($param) = @_;

        my ($username, undef, $realm) = PVE::AccessControl::verify_username($param->{userid});

        my $domain_cfg = cfs_read_file('domains.cfg');
        my $realm_cfg = $domain_cfg->{ids}->{$realm};
        die "auth domain '$realm' does not exist\n" if !$realm_cfg;

        # Realm-wide TFA settings, parsed only when the realm defines any.
        my $realm_tfa = $realm_cfg->{tfa}
            ? PVE::Auth::Plugin::parse_tfa_config($realm_cfg->{tfa})
            : {};

        # Per-user TFA entry, if one exists.
        my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
        my $user_tfa = $tfa_cfg->{users}->{$username};

        # Each key is present only when a type is actually configured.
        my %types;
        $types{realm} = $realm_tfa->{type} if $realm_tfa->{type};
        $types{user} = $user_tfa->{type} if $user_tfa->{type};

        return \%types;
    }});
485
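# GET '{userid}/token' - list the API tokens of a user.
#
# Allowed for the user itself or with 'User.Modify' on '/access/users/{userid}'.
# Returns token metadata only; secret token values are not part of user.cfg
# entries as written by this module.
__PACKAGE__->register_method ({
    name => 'token_index',
    path => '{userid}/token',
    method => 'GET',
    description => "Get user API tokens.",
    permissions => {
        check => ['or',
            ['userid-param', 'self'],
            ['perm', '/access/users/{userid}', ['User.Modify']],
        ],
    },
    parameters => {
        additionalProperties => 0,
        properties => {
            userid => get_standard_option('userid-completed'),
        },
    },
    returns => {
        type => "array",
        items => $token_info_extend->({
            tokenid => get_standard_option('token-subid'),
        }),
        links => [ { rel => 'child', href => "{tokenid}" } ],
    },
    code => sub {
        my ($param) = @_;

        my $userid = PVE::AccessControl::verify_username($param->{userid});
        my $usercfg = cfs_read_file("user.cfg");

        my $user = PVE::AccessControl::check_user_exist($usercfg, $userid);

        my $tokens = $user->{tokens} // {};

        # Return shallow copies with 'tokenid' added. The previous code wrote
        # 'tokenid' into the token hashes of the parsed config itself, which
        # alters the structure handed out by cfs_read_file (whether that
        # structure is shared with other readers is not visible here).
        return [ map { +{ %{ $tokens->{$_} }, tokenid => $_ } } keys %$tokens ];
    }});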
521
# GET '{userid}/token/{tokenid}' - return the stored metadata of one token.
#
# Allowed for the user itself or with 'User.Modify' on '/access/users/{userid}'.
__PACKAGE__->register_method ({
    name => 'read_token',
    path => '{userid}/token/{tokenid}',
    method => 'GET',
    description => "Get specific API token information.",
    permissions => {
        check => ['or',
            ['userid-param', 'self'],
            ['perm', '/access/users/{userid}', ['User.Modify']],
        ],
    },
    parameters => {
        additionalProperties => 0,
        properties => {
            userid => get_standard_option('userid-completed'),
            tokenid => get_standard_option('token-subid'),
        },
    },
    returns => get_standard_option('token-info'),
    code => sub {
        my ($param) = @_;

        my $userid = PVE::AccessControl::verify_username($param->{userid});
        my $usercfg = cfs_read_file("user.cfg");

        # Called without the extra flag that 'generate_token' passes, so the
        # lookup itself is what answers the request.
        return PVE::AccessControl::check_token_exist($usercfg, $userid, $param->{tokenid});
    }});
551
# POST '{userid}/token/{tokenid}' - create an API token.
#
# Allowed for the user itself or with 'User.Modify' on '/access/users/{userid}'.
# The reply carries the secret token value; per the description it cannot be
# retrieved again, so callers must store it and should keep it out of logs.
__PACKAGE__->register_method ({
    name => 'generate_token',
    path => '{userid}/token/{tokenid}',
    method => 'POST',
    description => "Generate a new API token for a specific user. NOTE: returns API token value, which needs to be stored as it cannot be retrieved afterwards!",
    protected => 1,
    permissions => {
        check => ['or',
            ['userid-param', 'self'],
            ['perm', '/access/users/{userid}', ['User.Modify']],
        ],
    },
    parameters => {
        additionalProperties => 0,
        properties => {
            userid => get_standard_option('userid-completed'),
            tokenid => get_standard_option('token-subid'),
            expire => get_standard_option('token-expire'),
            privsep => get_standard_option('token-privsep'),
            comment => get_standard_option('token-comment'),
        },
    },
    returns => {
        type => "object",
        additionalProperties => 0,
        properties => {
            info => get_standard_option('token-info'),
            value => {
                type => 'string',
                description => 'API token value used for authentication.',
            },
        },
    },
    code => sub {
        my ($param) = @_;

        my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
        my $tokenid = extract_param($param, 'tokenid');

        my $usercfg = cfs_read_file("user.cfg");

        # Unlocked pre-check to reject obvious conflicts early. The trailing 1
        # makes a missing token come back undefined instead of an error.
        my $existing = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid, 1);
        PVE::AccessControl::check_user_exist($usercfg, $userid);
        raise_param_exc({ 'tokenid' => 'Token already exists.' }) if defined($existing);

        my ($info, $secret);

        PVE::AccessControl::lock_user_config(sub {
            # Re-read and re-check under the lock: the config may have changed
            # since the pre-check above.
            $usercfg = cfs_read_file("user.cfg");
            PVE::AccessControl::check_user_exist($usercfg, $userid);
            die "Token already exists.\n"
                if defined(PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid, 1));

            my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
            $secret = PVE::TokenConfig::generate_token($full_tokenid);

            # Privilege separation stays on unless the caller turns it off.
            $info = { privsep => $param->{privsep} // 1 };
            $info->{expire} = $param->{expire} if defined($param->{expire});
            $info->{comment} = $param->{comment} if $param->{comment};

            $usercfg->{users}->{$userid}->{tokens}->{$tokenid} = $info;
            cfs_write_file("user.cfg", $usercfg);
        }, 'generating token failed');

        return { info => $info, value => $secret };
    }});
620
621
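# PUT '{userid}/token/{tokenid}' - change the metadata of an existing token.
#
# Allowed for the user itself or with 'User.Modify' on '/access/users/{userid}'.
# Only expire, privsep and comment can change; the token value is untouched.
__PACKAGE__->register_method ({
    name => 'update_token_info',
    path => '{userid}/token/{tokenid}',
    method => 'PUT',
    description => "Update API token for a specific user.",
    protected => 1,
    permissions => {
        check => ['or',
            ['userid-param', 'self'],
            ['perm', '/access/users/{userid}', ['User.Modify']],
        ],
    },
    parameters => {
        additionalProperties => 0,
        properties => {
            userid => get_standard_option('userid-completed'),
            tokenid => get_standard_option('token-subid'),
            expire => get_standard_option('token-expire'),
            privsep => get_standard_option('token-privsep'),
            comment => get_standard_option('token-comment'),
        },
    },
    returns => get_standard_option('token-info', { description => "Updated token information." }),
    code => sub {
        my ($param) = @_;

        my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
        my $tokenid = extract_param($param, 'tokenid');

        # Unlocked pre-check so a request for a missing token fails before
        # the lock is taken.
        my $usercfg = cfs_read_file("user.cfg");
        my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);

        my $update_token = sub {
            # Re-read under the lock; the config may have changed meanwhile.
            $usercfg = cfs_read_file("user.cfg");
            $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);

            # defined() for all three fields: privsep/expire may legitimately
            # be 0, and an empty comment now clears the stored one, matching
            # how 'update_user' treats its comment. Before, a comment could be
            # replaced but never emptied.
            # Setting privsep to 0 gives the token the owner's full privileges
            # (see the 'token-privsep' description).
            for my $field (qw(privsep expire comment)) {
                $token->{$field} = $param->{$field} if defined($param->{$field});
            }

            $usercfg->{users}->{$userid}->{tokens}->{$tokenid} = $token;
            cfs_write_file("user.cfg", $usercfg);
        };

        PVE::AccessControl::lock_user_config($update_token, 'updating token info failed');

        return $token;
    }});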
672
673
# DELETE '{userid}/token/{tokenid}' - remove a token and its secret.
#
# Allowed for the user itself or with 'User.Modify' on '/access/users/{userid}'.
__PACKAGE__->register_method ({
    name => 'remove_token',
    path => '{userid}/token/{tokenid}',
    method => 'DELETE',
    description => "Remove API token for a specific user.",
    protected => 1,
    permissions => {
        check => ['or',
            ['userid-param', 'self'],
            ['perm', '/access/users/{userid}', ['User.Modify']],
        ],
    },
    parameters => {
        additionalProperties => 0,
        properties => {
            userid => get_standard_option('userid-completed'),
            tokenid => get_standard_option('token-subid'),
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
        my $tokenid = extract_param($param, 'tokenid');

        # Unlocked pre-check; the result itself is not needed afterwards.
        my $usercfg = cfs_read_file("user.cfg");
        PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);

        PVE::AccessControl::lock_user_config(sub {
            # Check again on a fresh read now that the lock is held.
            $usercfg = cfs_read_file("user.cfg");
            PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);

            # Drop the secret first, then the metadata entry in user.cfg.
            my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
            PVE::TokenConfig::delete_token($full_tokenid);
            delete $usercfg->{users}->{$userid}->{tokens}->{$tokenid};

            cfs_write_file("user.cfg", $usercfg);
        }, 'deleting token failed');

        return;
    }});
719 1;