use strict;
use warnings;
+
use PVE::Exception qw(raise raise_perm_exc raise_param_exc);
use PVE::Cluster qw (cfs_read_file cfs_write_file);
use PVE::Tools qw(split_list extract_param);
-use PVE::AccessControl;
use PVE::JSONSchema qw(get_standard_option register_standard_option);
-use PVE::TokenConfig;
-
use PVE::SafeSyslog;
+use PVE::AccessControl;
+use PVE::Auth::Plugin;
+use PVE::TokenConfig;
+
use PVE::RESTHandler;
use base qw(PVE::RESTHandler);
description => "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.",
user => 'all',
},
+ protected => 1, # to access priv/tfa.cfg
parameters => {
additionalProperties => 0,
properties => {
tokenid => get_standard_option('token-subid'),
}),
},
- realmtype => {
- type => 'string',
+ 'realm-type' => {
+ type => 'string', format => 'pve-realm',
description => 'The type of the users realm',
+ optional => 1, # it should always be there, but we use conditional code below, so..
+ },
+ 'totp-locked' => {
+ type => 'boolean',
+ optional => 1,
+ description => 'True if the user is currently locked out of TOTP factors.',
+ },
+ 'tfa-locked-until' => {
+ type => 'integer',
+ optional => 1,
+ description =>
+ 'Contains a timestamp until when a user is locked out of 2nd factors.',
},
},
},
my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
- foreach my $user (keys %{$usercfg->{users}}) {
+ my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
+
+ foreach my $user (sort keys %{$usercfg->{users}}) {
if (!($canUserMod || $user eq $authuser)) {
next if !$allowed_users->{$user};
}
- my $entry = &$extract_user_data($usercfg->{users}->{$user}, $param->{full});
+ my $entry = $extract_user_data->($usercfg->{users}->{$user}, $param->{full});
if (defined($param->{enabled})) {
next if $entry->{enable} && !$param->{enabled};
}
$entry->{groups} = join(',', @{$entry->{groups}}) if $entry->{groups};
- $entry->{tokens} = [ map { { tokenid => $_, %{$entry->{tokens}->{$_}} } } sort keys %{$entry->{tokens}} ]
- if defined($entry->{tokens});
- my (undef, undef, $realm) = PVE::AccessControl::verify_username($user, 1);
+ if (defined(my $tokens = $entry->{tokens})) {
+ $entry->{tokens} = [
+ map { { tokenid => $_, %{$tokens->{$_}} } } sort keys %$tokens
+ ];
+ }
- if (defined($realm) && $domainids->{$realm}) {
- $entry->{realmtype} = $domainids->{$realm}->{type};
+ if ($user =~ /($PVE::Auth::Plugin::realm_regex)$/) {
+ my $realm = $1;
+ $entry->{'realm-type'} = $domainids->{$realm}->{type} if exists $domainids->{$realm};
}
$entry->{userid} = $user;
+
+ if (defined($tfa_cfg)) {
+ if (my $data = $tfa_cfg->tfa_lock_status($user)) {
+ for (qw(totp-locked tfa-locked-until)) {
+ $entry->{$_} = $data->{$_} if exists($data->{$_});
+ }
+ }
+ }
+
push @$res, $entry;
}
method => 'POST',
permissions => {
description => "You need 'Realm.AllocateUser' on '/access/realm/<realm>' on the realm of user <userid>, and 'User.Modify' permissions to '/access/groups/<group>' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.",
- check => [ 'and',
- [ 'userid-param', 'Realm.AllocateUser'],
- [ 'userid-group', ['User.Modify'], groups_param => 1],
- ],
+ check => [
+ 'and',
+ [ 'userid-param', 'Realm.AllocateUser'],
+ [ 'userid-group', ['User.Modify'], groups_param => 'create'],
+ ],
},
description => "Create new user.",
parameters => {
tokens => {
optional => 1,
type => 'object',
+ additionalProperties => get_standard_option('token-info'),
},
},
type => "object"
code => sub {
my ($param) = @_;
- my ($username, undef, $domain) =
- PVE::AccessControl::verify_username($param->{userid});
+ my ($username, undef, $domain) = PVE::AccessControl::verify_username($param->{userid});
my $usercfg = cfs_read_file("user.cfg");
path => '{userid}',
method => 'PUT',
permissions => {
- check => ['userid-group', ['User.Modify'], groups_param => 1 ],
+ check => ['userid-group', ['User.Modify'], groups_param => 'update' ],
},
description => "Update user configuration.",
parameters => {
code => sub {
my ($param) = @_;
- my ($username, $ruid, $realm) =
- PVE::AccessControl::verify_username($param->{userid});
-
- PVE::AccessControl::lock_user_config(
- sub {
+ my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
- my $usercfg = cfs_read_file("user.cfg");
-
- PVE::AccessControl::check_user_exist($usercfg, $username);
+ PVE::AccessControl::lock_user_config(sub {
+ my $usercfg = cfs_read_file("user.cfg");
- $usercfg->{users}->{$username}->{enable} = $param->{enable} if defined($param->{enable});
+ PVE::AccessControl::check_user_exist($usercfg, $username);
- $usercfg->{users}->{$username}->{expire} = $param->{expire} if defined($param->{expire});
+ $usercfg->{users}->{$username}->{enable} = $param->{enable} if defined($param->{enable});
+ $usercfg->{users}->{$username}->{expire} = $param->{expire} if defined($param->{expire});
- PVE::AccessControl::delete_user_group($username, $usercfg)
- if (!$param->{append} && defined($param->{groups}));
+ PVE::AccessControl::delete_user_group($username, $usercfg)
+ if (!$param->{append} && defined($param->{groups}));
- if ($param->{groups}) {
- foreach my $group (split_list($param->{groups})) {
- if ($usercfg->{groups}->{$group}) {
- PVE::AccessControl::add_user_group($username, $usercfg, $group);
- } else {
- die "no such group '$group'\n";
- }
+ if ($param->{groups}) {
+ foreach my $group (split_list($param->{groups})) {
+ if ($usercfg->{groups}->{$group}) {
+ PVE::AccessControl::add_user_group($username, $usercfg, $group);
+ } else {
+ die "no such group '$group'\n";
}
}
+ }
- $usercfg->{users}->{$username}->{firstname} = $param->{firstname} if defined($param->{firstname});
- $usercfg->{users}->{$username}->{lastname} = $param->{lastname} if defined($param->{lastname});
- $usercfg->{users}->{$username}->{email} = $param->{email} if defined($param->{email});
- $usercfg->{users}->{$username}->{comment} = $param->{comment} if defined($param->{comment});
- $usercfg->{users}->{$username}->{keys} = $param->{keys} if defined($param->{keys});
+ $usercfg->{users}->{$username}->{firstname} = $param->{firstname} if defined($param->{firstname});
+ $usercfg->{users}->{$username}->{lastname} = $param->{lastname} if defined($param->{lastname});
+ $usercfg->{users}->{$username}->{email} = $param->{email} if defined($param->{email});
+ $usercfg->{users}->{$username}->{comment} = $param->{comment} if defined($param->{comment});
+ $usercfg->{users}->{$username}->{keys} = $param->{keys} if defined($param->{keys});
- cfs_write_file("user.cfg", $usercfg);
- }, "update user failed");
+ cfs_write_file("user.cfg", $usercfg);
+ }, "update user failed");
return undef;
}});
description => "Delete user.",
permissions => {
check => [ 'and',
- [ 'userid-param', 'Realm.AllocateUser'],
- [ 'userid-group', ['User.Modify']],
- ],
+ [ 'userid-param', 'Realm.AllocateUser'],
+ [ 'userid-group', ['User.Modify']],
+ ],
},
parameters => {
additionalProperties => 0,
my $rpcenv = PVE::RPCEnvironment::get();
my $authuser = $rpcenv->get_user();
- my ($userid, $ruid, $realm) =
- PVE::AccessControl::verify_username($param->{userid});
+ my ($userid, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
- PVE::AccessControl::lock_user_config(
- sub {
+ PVE::AccessControl::lock_user_config(sub {
+ my $usercfg = cfs_read_file("user.cfg");
- my $usercfg = cfs_read_file("user.cfg");
+ # NOTE: disable the user first (transaction like), so if (e.g.) we fail in the middle of
+ # TFA deletion the user will be still disabled and not just without TFA protection.
+ $usercfg->{users}->{$userid}->{enable} = 0;
+ cfs_write_file("user.cfg", $usercfg);
- my $domain_cfg = cfs_read_file('domains.cfg');
- if (my $cfg = $domain_cfg->{ids}->{$realm}) {
- my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
- $plugin->delete_user($cfg, $realm, $ruid);
- }
+ my $domain_cfg = cfs_read_file('domains.cfg');
+ if (my $cfg = $domain_cfg->{ids}->{$realm}) {
+ my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
+ $plugin->delete_user($cfg, $realm, $ruid);
+ }
- # Remove TFA data before removing the user entry as the user entry tells us whether
- # we need ot update priv/tfa.cfg.
- PVE::AccessControl::user_set_tfa($userid, $realm, undef, undef, $usercfg, $domain_cfg);
+ # Remove user from cache before removing the TFA entry so realms with TFA-enforcement
+ # know that it's OK to drop any TFA entry in that case.
+ delete $usercfg->{users}->{$userid};
- delete $usercfg->{users}->{$userid};
+ my $partial_deletion = '';
+ eval {
+ PVE::AccessControl::user_remove_tfa($userid);
+ $partial_deletion = ' - but deleted related TFA';
PVE::AccessControl::delete_user_group($userid, $usercfg);
+ $partial_deletion .= ', Groups';
PVE::AccessControl::delete_user_acl($userid, $usercfg);
+ $partial_deletion .= ', ACLs';
+
cfs_write_file("user.cfg", $usercfg);
- }, "delete user failed");
+ };
+ die "$@$partial_deletion\n" if $@;
+ }, "delete user failed");
return undef;
}});
additionalProperties => 0,
properties => {
userid => get_standard_option('userid-completed'),
+ multiple => {
+ type => 'boolean',
+ description => 'Request all entries as an array.',
+ optional => 1,
+ default => 0,
+ },
},
},
returns => {
user => {
type => 'string',
enum => [qw(oath u2f)],
- description => "The type of TFA the user has set, if any.",
+ description =>
+ "The type of TFA the user has set, if any."
+ . " Only set if 'multiple' was not passed.",
optional => 1,
},
+ types => {
+ type => 'array',
+ description =>
+ "Array of the user configured TFA types, if any."
+ . " Only available if 'multiple' was not passed.",
+ optional => 1,
+ items => {
+ type => 'string',
+ enum => [qw(totp u2f yubico webauthn recovedry)],
+ description => 'A TFA type.',
+ },
+ },
},
type => "object"
},
my ($username, undef, $realm) = PVE::AccessControl::verify_username($param->{userid});
-
my $domain_cfg = cfs_read_file('domains.cfg');
my $realm_cfg = $domain_cfg->{ids}->{$realm};
die "auth domain '$realm' does not exist\n" if !$realm_cfg;
+ my $res = {};
my $realm_tfa = {};
- $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_cfg->{tfa})
- if $realm_cfg->{tfa};
+ $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_cfg->{tfa}) if $realm_cfg->{tfa};
+ $res->{realm} = $realm_tfa->{type} if $realm_tfa->{type};
my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
- my $tfa = $tfa_cfg->{users}->{$username};
-
- my $res = {};
- $res->{realm} = $realm_tfa->{type} if $realm_tfa->{type};
- $res->{user} = $tfa->{type} if $tfa->{type};
+ if ($param->{multiple}) {
+ my $tfa = $tfa_cfg->get_user($username);
+ my $user = [];
+ foreach my $type (keys %$tfa) {
+ next if !scalar($tfa->{$type}->@*);
+ push @$user, $type;
+ }
+ $res->{user} = $user;
+ } else {
+ my $tfa = $tfa_cfg->{users}->{$username};
+ $res->{user} = $tfa->{type} if $tfa->{type};
+ }
return $res;
}});
+__PACKAGE__->register_method ({
+ name => 'unlock_tfa',
+ path => '{userid}/unlock-tfa',
+ method => 'PUT',
+ protected => 1,
+ description => "Unlock a user's TFA authentication.",
+ permissions => {
+ check => [ 'userid-group', ['User.Modify']],
+ },
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ userid => get_standard_option('userid-completed'),
+ },
+ },
+ returns => { type => 'boolean' },
+ code => sub {
+ my ($param) = @_;
+
+ my $userid = extract_param($param, "userid");
+
+ my $user_was_locked = PVE::AccessControl::lock_tfa_config(sub {
+ my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
+ my $was_locked = $tfa_cfg->api_unlock_tfa($userid);
+ cfs_write_file('priv/tfa.cfg', $tfa_cfg)
+ if $was_locked;
+ return $was_locked;
+ });
+
+ return $user_was_locked;
+ }});
+
__PACKAGE__->register_method ({
name => 'token_index',
path => '{userid}/token',
method => 'GET',
description => "Get user API tokens.",
permissions => {
- check => ['or',
- ['userid-param', 'self'],
- ['perm', '/access/users/{userid}', ['User.Modify']],
+ check => [
+ 'or',
+ ['userid-param', 'self'],
+ ['userid-group', ['User.Modify']],
],
},
parameters => {
method => 'GET',
description => "Get specific API token information.",
permissions => {
- check => ['or',
- ['userid-param', 'self'],
- ['perm', '/access/users/{userid}', ['User.Modify']],
+ check => [
+ 'or',
+ ['userid-param', 'self'],
+ ['userid-group', ['User.Modify']],
],
},
parameters => {
description => "Generate a new API token for a specific user. NOTE: returns API token value, which needs to be stored as it cannot be retrieved afterwards!",
protected => 1,
permissions => {
- check => ['or',
- ['userid-param', 'self'],
- ['perm', '/access/users/{userid}', ['User.Modify']],
+ check => [
+ 'or',
+ ['userid-param', 'self'],
+ ['userid-group', ['User.Modify']],
],
},
parameters => {
description => "Update API token for a specific user.",
protected => 1,
permissions => {
- check => ['or',
- ['userid-param', 'self'],
- ['perm', '/access/users/{userid}', ['User.Modify']],
+ check => [
+ 'or',
+ ['userid-param', 'self'],
+ ['userid-group', ['User.Modify']],
],
},
parameters => {
my $usercfg = cfs_read_file("user.cfg");
my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
- my $update_token = sub {
+ PVE::AccessControl::lock_user_config(sub {
$usercfg = cfs_read_file("user.cfg");
$token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
$usercfg->{users}->{$userid}->{tokens}->{$tokenid} = $token;
cfs_write_file("user.cfg", $usercfg);
- };
-
- PVE::AccessControl::lock_user_config($update_token, 'updating token info failed');
+ }, 'updating token info failed');
return $token;
}});
description => "Remove API token for a specific user.",
protected => 1,
permissions => {
- check => ['or',
- ['userid-param', 'self'],
- ['perm', '/access/users/{userid}', ['User.Modify']],
+ check => [
+ 'or',
+ ['userid-param', 'self'],
+ ['userid-group', ['User.Modify']],
],
},
parameters => {
my $usercfg = cfs_read_file("user.cfg");
my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
- my $update_token = sub {
+ PVE::AccessControl::lock_user_config(sub {
$usercfg = cfs_read_file("user.cfg");
PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
delete $usercfg->{users}->{$userid}->{tokens}->{$tokenid};
cfs_write_file("user.cfg", $usercfg);
- };
-
- PVE::AccessControl::lock_user_config($update_token, 'deleting token failed');
+ }, 'deleting token failed');
return;
}});