use strict;
use warnings;
+use PVE::Exception qw(raise raise_perm_exc);
use PVE::Cluster qw (cfs_read_file cfs_write_file);
use PVE::Tools qw(split_list);
use PVE::AccessControl;
-use PVE::JSONSchema qw(get_standard_option);
+use PVE::JSONSchema qw(get_standard_option register_standard_option);
use PVE::SafeSyslog;
-use Data::Dumper; # fixme: remove
-
use PVE::RESTHandler;
use base qw(PVE::RESTHandler);
+register_standard_option('user-enable', {
+ description => "Enable the account (default). You can set this to '0' to disable the account",
+ type => 'boolean',
+ optional => 1,
+ default => 1,
+});
+register_standard_option('user-expire', {
+ description => "Account expiration date (seconds since epoch). '0' means no expiration date.",
+ type => 'integer',
+ minimum => 0,
+ optional => 1,
+});
+register_standard_option('user-firstname', { type => 'string', optional => 1 });
+register_standard_option('user-lastname', { type => 'string', optional => 1 });
+register_standard_option('user-email', { type => 'string', optional => 1, format => 'email-opt' });
+register_standard_option('user-comment', { type => 'string', optional => 1 });
+register_standard_option('user-keys', {
+ description => "Keys for two factor auth (yubico).",
+ type => 'string',
+ optional => 1,
+});
+register_standard_option('group-list', {
+ type => 'string', format => 'pve-groupid-list',
+ optional => 1,
+ completion => \&PVE::AccessControl::complete_group,
+});
+
my $extract_user_data = sub {
my ($data, $full) = @_;
my $res = {};
- foreach my $prop (qw(enable expire firstname lastname email comment)) {
+ foreach my $prop (qw(enable expire firstname lastname email comment keys)) {
$res->{$prop} = $data->{$prop} if defined($data->{$prop});
}
};
__PACKAGE__->register_method ({
- name => 'index',
- path => '',
+ name => 'index',
+ path => '',
method => 'GET',
description => "User index.",
- permissions => { user => 'all' },
+ permissions => {
+ description => "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.",
+ user => 'all',
+ },
parameters => {
additionalProperties => 0,
properties => {
items => {
type => "object",
properties => {
- userid => { type => 'string' },
+ userid => get_standard_option('userid-completed'),
+ enable => get_standard_option('user-enable'),
+ expire => get_standard_option('user-expire'),
+ firstname => get_standard_option('user-firstname'),
+ lastname => get_standard_option('user-lastname'),
+ email => get_standard_option('user-email'),
+ comment => get_standard_option('user-comment'),
+ keys => get_standard_option('user-keys'),
},
},
links => [ { rel => 'child', href => "{userid}" } ],
},
code => sub {
my ($param) = @_;
-
+
my $rpcenv = PVE::RPCEnvironment::get();
+ my $usercfg = $rpcenv->{user_cfg};
my $authuser = $rpcenv->get_user();
my $res = [];
- my $usercfg = cfs_read_file("user.cfg");
-
+ my $privs = [ 'User.Modify', 'Sys.Audit' ];
+ my $canUserMod = $rpcenv->check_any($authuser, "/access/groups", $privs, 1);
+ my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
+ my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
+
foreach my $user (keys %{$usercfg->{users}}) {
- # root sees all entries, a user only sees its own entry
- next if $authuser ne 'root@pam' && $user ne $authuser;
+
+ if (!($canUserMod || $user eq $authuser)) {
+ next if !$allowed_users->{$user};
+ }
my $entry = &$extract_user_data($usercfg->{users}->{$user});
}});
__PACKAGE__->register_method ({
- name => 'create_user',
+ name => 'create_user',
protected => 1,
- path => '',
+ path => '',
method => 'POST',
+ permissions => {
+ description => "You need 'Realm.AllocateUser' on '/access/realm/<realm>' on the realm of user <userid>, and 'User.Modify' permissions to '/access/groups/<group>' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.",
+ check => [ 'and',
+ [ 'userid-param', 'Realm.AllocateUser'],
+ [ 'userid-group', ['User.Modify'], groups_param => 1],
+ ],
+ },
description => "Create new user.",
parameters => {
- additionalProperties => 0,
+ additionalProperties => 0,
properties => {
- userid => get_standard_option('userid'),
- password => { type => 'string', optional => 1, minLength => 5, maxLength => 64 },
- groups => { type => 'string', optional => 1, format => 'pve-groupid-list'},
- firstname => { type => 'string', optional => 1 },
- lastname => { type => 'string', optional => 1 },
- email => { type => 'string', optional => 1, format => 'email-opt' },
- comment => { type => 'string', optional => 1 },
- expire => {
- description => "Account expiration date (seconds since epoch). '0' means no expiration date.",
- type => 'integer',
- minimum => 0,
+ userid => get_standard_option('userid-completed'),
+ enable => get_standard_option('user-enable'),
+ expire => get_standard_option('user-expire'),
+ firstname => get_standard_option('user-firstname'),
+ lastname => get_standard_option('user-lastname'),
+ email => get_standard_option('user-email'),
+ comment => get_standard_option('user-comment'),
+ keys => get_standard_option('user-keys'),
+ password => {
+ description => "Initial password.",
+ type => 'string',
optional => 1,
+ minLength => 5,
+ maxLength => 64
},
- enable => {
- description => "Enable the account (default). You can set this to '0' to disable the accout",
- type => 'boolean',
- optional => 1,
- default => 1,
- },
+ groups => get_standard_option('group-list'),
},
},
returns => { type => 'null' },
PVE::AccessControl::lock_user_config(
sub {
-
+
my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
-
+
my $usercfg = cfs_read_file("user.cfg");
- die "user '$username' already exists\n"
+ die "user '$username' already exists\n"
if $usercfg->{users}->{$username};
-
+
PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password})
if defined($param->{password});
$usercfg->{users}->{$username}->{lastname} = $param->{lastname} if $param->{lastname};
$usercfg->{users}->{$username}->{email} = $param->{email} if $param->{email};
$usercfg->{users}->{$username}->{comment} = $param->{comment} if $param->{comment};
+ $usercfg->{users}->{$username}->{keys} = $param->{keys} if $param->{keys};
cfs_write_file("user.cfg", $usercfg);
}, "create user failed");
}});
__PACKAGE__->register_method ({
- name => 'read_user',
- path => '{userid}',
+ name => 'read_user',
+ path => '{userid}',
method => 'GET',
description => "Get user configuration.",
+ permissions => {
+ check => ['userid-group', ['User.Modify', 'Sys.Audit']],
+ },
parameters => {
- additionalProperties => 0,
+ additionalProperties => 0,
properties => {
- userid => get_standard_option('userid'),
+ userid => get_standard_option('userid-completed'),
},
},
returns => {
- additionalProperties => 0,
+ additionalProperties => 0,
properties => {
- enable => { type => 'boolean' },
- expire => { type => 'integer', optional => 1 },
- firstname => { type => 'string', optional => 1 },
- lastname => { type => 'string', optional => 1 },
- email => { type => 'string', optional => 1 },
- comment => { type => 'string', optional => 1 },
+ enable => get_standard_option('user-enable'),
+ expire => get_standard_option('user-expire'),
+ firstname => get_standard_option('user-firstname'),
+ lastname => get_standard_option('user-lastname'),
+ email => get_standard_option('user-email'),
+ comment => get_standard_option('user-comment'),
+ keys => get_standard_option('user-keys'),
groups => { type => 'array' },
- }
+ },
+ type => "object"
},
code => sub {
my ($param) = @_;
- my ($username, undef, $domain) =
+ my ($username, undef, $domain) =
PVE::AccessControl::verify_username($param->{userid});
my $usercfg = cfs_read_file("user.cfg");
-
- my $data = $usercfg->{users}->{$username};
- die "user '$username' does not exist\n" if !$data;
+ my $data = PVE::AccessControl::check_user_exist($usercfg, $username);
return &$extract_user_data($data, 1);
}});
__PACKAGE__->register_method ({
- name => 'update_user',
+ name => 'update_user',
protected => 1,
- path => '{userid}',
+ path => '{userid}',
method => 'PUT',
+ permissions => {
+ check => ['userid-group', ['User.Modify'], groups_param => 1 ],
+ },
description => "Update user configuration.",
parameters => {
- additionalProperties => 0,
+ additionalProperties => 0,
properties => {
- userid => get_standard_option('userid'),
- password => { type => 'string', optional => 1, minLength => 5, maxLength => 64 },
- groups => { type => 'string', optional => 1, format => 'pve-groupid-list' },
- append => {
- type => 'boolean',
- optional => 1,
- requires => 'groups',
- },
- enable => {
- description => "Enable/disable the account.",
+ userid => get_standard_option('userid-completed'),
+ enable => get_standard_option('user-enable'),
+ expire => get_standard_option('user-expire'),
+ firstname => get_standard_option('user-firstname'),
+ lastname => get_standard_option('user-lastname'),
+ email => get_standard_option('user-email'),
+ comment => get_standard_option('user-comment'),
+ keys => get_standard_option('user-keys'),
+ groups => get_standard_option('group-list'),
+ append => {
type => 'boolean',
optional => 1,
- },
- firstname => { type => 'string', optional => 1 },
- lastname => { type => 'string', optional => 1 },
- email => { type => 'string', optional => 1, format => 'email-opt' },
- comment => { type => 'string', optional => 1 },
- expire => {
- description => "Account expiration date (seconds since epoch). '0' means no expiration date.",
- type => 'integer',
- minimum => 0,
- optional => 1
+ requires => 'groups',
},
},
},
returns => { type => 'null' },
code => sub {
my ($param) = @_;
-
+
+ my ($username, $ruid, $realm) =
+ PVE::AccessControl::verify_username($param->{userid});
+
PVE::AccessControl::lock_user_config(
sub {
- my ($username, $ruid, $realm) =
- PVE::AccessControl::verify_username($param->{userid});
-
my $usercfg = cfs_read_file("user.cfg");
- die "user '$username' does not exist\n"
- if !$usercfg->{users}->{$username};
-
- PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password})
- if defined($param->{password});
+ PVE::AccessControl::check_user_exist($usercfg, $username);
$usercfg->{users}->{$username}->{enable} = $param->{enable} if defined($param->{enable});
$usercfg->{users}->{$username}->{expire} = $param->{expire} if defined($param->{expire});
- PVE::AccessControl::delete_user_group($username, $usercfg)
+ PVE::AccessControl::delete_user_group($username, $usercfg)
if (!$param->{append} && defined($param->{groups}));
if ($param->{groups}) {
$usercfg->{users}->{$username}->{lastname} = $param->{lastname} if defined($param->{lastname});
$usercfg->{users}->{$username}->{email} = $param->{email} if defined($param->{email});
$usercfg->{users}->{$username}->{comment} = $param->{comment} if defined($param->{comment});
+ $usercfg->{users}->{$username}->{keys} = $param->{keys} if defined($param->{keys});
cfs_write_file("user.cfg", $usercfg);
}, "update user failed");
-
+
return undef;
}});
__PACKAGE__->register_method ({
- name => 'delete_user',
+ name => 'delete_user',
protected => 1,
- path => '{userid}',
+ path => '{userid}',
method => 'DELETE',
description => "Delete user.",
+ permissions => {
+ check => [ 'and',
+ [ 'userid-param', 'Realm.AllocateUser'],
+ [ 'userid-group', ['User.Modify']],
+ ],
+ },
parameters => {
- additionalProperties => 0,
+ additionalProperties => 0,
properties => {
- userid => get_standard_option('userid'),
+ userid => get_standard_option('userid-completed'),
}
},
returns => { type => 'null' },
code => sub {
my ($param) = @_;
+ my $rpcenv = PVE::RPCEnvironment::get();
+ my $authuser = $rpcenv->get_user();
+
+ my ($userid, $ruid, $realm) =
+ PVE::AccessControl::verify_username($param->{userid});
+
PVE::AccessControl::lock_user_config(
sub {
- my ($username, $ruid, $realm) =
- PVE::AccessControl::verify_username($param->{userid});
-
my $usercfg = cfs_read_file("user.cfg");
- die "user '$username' does not exist\n"
- if !$usercfg->{users}->{$username};
+ my $domain_cfg = cfs_read_file('domains.cfg');
+ if (my $cfg = $domain_cfg->{ids}->{$realm}) {
+ my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
+ $plugin->delete_user($cfg, $realm, $ruid);
+ }
- delete ($usercfg->{users}->{$username});
+ # Remove TFA data before removing the user entry as the user entry tells us whether
+ # we need ot update priv/tfa.cfg.
+ PVE::AccessControl::user_set_tfa($userid, $realm, undef, undef, $usercfg, $domain_cfg);
- PVE::AccessControl::delete_shadow_password($ruid) if $realm eq 'pve';
- PVE::AccessControl::delete_user_group($username, $usercfg);
- PVE::AccessControl::delete_user_acl($username, $usercfg);
+ delete $usercfg->{users}->{$userid};
+ PVE::AccessControl::delete_user_group($userid, $usercfg);
+ PVE::AccessControl::delete_user_acl($userid, $usercfg);
cfs_write_file("user.cfg", $usercfg);
}, "delete user failed");
-
+
return undef;
}});
+__PACKAGE__->register_method ({
+ name => 'read_user_tfa_type',
+ path => '{userid}/tfa',
+ method => 'GET',
+ protected => 1,
+ description => "Get user TFA types (Personal and Realm).",
+ permissions => {
+ check => [ 'or',
+ ['userid-param', 'self'],
+ ['userid-group', ['User.Modify', 'Sys.Audit']],
+ ],
+ },
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ userid => get_standard_option('userid-completed'),
+ },
+ },
+ returns => {
+ additionalProperties => 0,
+ properties => {
+ realm => {
+ type => 'string',
+ enum => [qw(oath yubico)],
+ description => "The type of TFA the users realm has set, if any.",
+ optional => 1,
+ },
+ user => {
+ type => 'string',
+ enum => [qw(oath u2f)],
+ description => "The type of TFA the user has set, if any.",
+ optional => 1,
+ },
+ },
+ type => "object"
+ },
+ code => sub {
+ my ($param) = @_;
+
+ my ($username, undef, $realm) = PVE::AccessControl::verify_username($param->{userid});
+
+
+ my $domain_cfg = cfs_read_file('domains.cfg');
+ my $realm_cfg = $domain_cfg->{ids}->{$realm};
+ die "auth domain '$realm' does not exist\n" if !$realm_cfg;
+
+ my $realm_tfa = {};
+ $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_cfg->{tfa})
+ if $realm_cfg->{tfa};
+
+ my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
+ my $tfa = $tfa_cfg->{users}->{$username};
+
+ my $res = {};
+ $res->{realm} = $realm_tfa->{type} if $realm_tfa->{type};
+ $res->{user} = $tfa->{type} if $tfa->{type};
+ return $res;
+ }});
+
1;