This means /access/users is now a 'protected' call, so that it can get
access to 'priv/tfa.cfg'.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
description => "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.",
user => 'all',
},
description => "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.",
user => 'all',
},
+ protected => 1, # to access priv/tfa.cfg
parameters => {
additionalProperties => 0,
properties => {
parameters => {
additionalProperties => 0,
properties => {
description => 'The type of the users realm',
optional => 1, # it should always be there, but we use conditional code below, so..
},
description => 'The type of the users realm',
optional => 1, # it should always be there, but we use conditional code below, so..
},
+ 'totp-locked' => {
+ type => 'boolean',
+ optional => 1,
+ description => 'True if the user is currently locked out of TOTP factors.',
+ },
+ 'tfa-locked-until' => {
+ type => 'integer',
+ optional => 1,
+ description =>
+ 'Contains a timestamp until when a user is locked out of 2nd factors.',
+ },
},
},
links => [ { rel => 'child', href => "{userid}" } ],
},
},
links => [ { rel => 'child', href => "{userid}" } ],
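Review bot: The inline comment on `protected => 1` says which file is read but not why the endpoint needs it, and the two new optional properties do not say when they are absent or what unit `tfa-locked-until` carries. The lookup hunk below copies both keys only when `$tfa_cfg->tfa_lock_status($user)` returns a value, so the comment could read `protected => 1, # read the root-only priv/tfa.cfg to fill the TFA lock-status fields below` (only the lock status is returned, never the file's secrets). If the timestamp is the epoch-seconds value used elsewhere in the API, say so, e.g. `description => 'UNIX timestamp until when a user is locked out of 2nd factors.'`, and note on both properties that they are only present while a lock is in effect, assuming `tfa_lock_status` returns nothing for unlocked users.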
my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
+ my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
+
foreach my $user (sort keys %{$usercfg->{users}}) {
if (!($canUserMod || $user eq $authuser)) {
next if !$allowed_users->{$user};
foreach my $user (sort keys %{$usercfg->{users}}) {
if (!($canUserMod || $user eq $authuser)) {
next if !$allowed_users->{$user};
$entry->{userid} = $user;
$entry->{userid} = $user;
+ if (defined($tfa_cfg)) {
+ if (my $data = $tfa_cfg->tfa_lock_status($user)) {
+ $entry->{$_} = $data->{$_} for qw(totp-locked tfa-locked-until);
+ }
+ }
+