]>
# REST API handler package for user management (page header names the
# file as src/PMG/API2/Users.pm).  The identifiers below are split across
# lines by the rendering; the intended statement is `package PMG::API2::Users;`.
1 package PMG
::API2
::Users
;
8 use PVE
::Tools
qw(extract_param);
9 use PVE
::JSONSchema
qw(get_standard_option);
12 use PVE
::Exception
qw(raise_perm_exc);
14 use PMG
::RESTEnvironment
;
18 use base
qw(PVE::RESTHandler);
# Build an API-safe copy of a user-config entry: every key is copied
# through except 'crypt_pass', so the stored password hash is not exposed
# by the list/read handlers that call this helper.
# NOTE(review): the rendered page shows only three lines of this sub; the
# argument unpacking, the %$res setup and the return are not visible here.
20 my $extract_userdata = sub {
24 foreach my $k (keys %$entry) {
# Copy everything except the password hash.
25 $res->{$k} = $entry->{$k} if $k ne 'crypt_pass';
# "List users." endpoint.  Callable by the 'admin', 'qmanager' and 'audit'
# roles; in the handler body a 'qmanager' caller is additionally limited to
# its own account.  Only the lines the rendered page kept are shown here
# (name/path/method keys, the returns container and the closing of the
# handler are missing).
31 __PACKAGE__-
>register_method ({
35 description
=> "List users.",
# Role gate applied by the REST framework before the handler runs.
38 permissions
=> { check
=> [ 'admin', 'qmanager', 'audit' ] },
40 additionalProperties
=> 0,
# The entries below look like the per-user properties of the returns
# schema; the enclosing 'returns' key is not visible on this page.
48 userid
=> { type
=> 'string'},
49 enable
=> { type
=> 'boolean'},
50 role => { type
=> 'string'},
51 comment
=> { type
=> 'string', optional
=> 1},
# TOTP lockout state merged in from the TFA config (see loop below).
55 description
=> 'True if the user is currently locked out of TOTP factors.',
57 'tfa-locked-until' => {
61 'Contains a timestamp until when a user is locked out of 2nd factors.',
65 links
=> [ { rel
=> 'child', href
=> "{userid}" } ],
70 my $cfg = PMG
::UserConfig-
>new();
# Guarded with defined() further down, which suggests new() may return
# undef when no TFA config exists -- confirm against PMG::TFAConfig.
71 my $tfa_cfg = PMG
::TFAConfig-
>new();
73 my $rpcenv = PMG
::RESTEnvironment-
>get();
74 my $authuser = $rpcenv->get_user();
75 my $role = $rpcenv->get_role();
79 foreach my $userid (sort keys %$cfg) {
# A 'qmanager' may only see its own entry; other permitted roles see all.
80 next if $role eq 'qmanager' && $authuser ne $userid;
# Strips 'crypt_pass' before the entry is returned to the client.
81 my $entry = $extract_userdata->($cfg->{$userid});
82 if (defined($tfa_cfg)) {
83 if (my $data = $tfa_cfg->tfa_lock_status($userid)) {
# Only these two lock-status keys are surfaced, nothing else from $data.
84 for (qw(totp-locked tfa-locked-until)) {
85 $entry->{$_} = $data->{$_} if exists($data->{$_});
# "Create new user" endpoint.  Input is validated against
# $PMG::UserConfig::create_schema; the password is stored only as a hash.
# NOTE(review): the 'permissions' entry for this method is not visible on
# the rendered page -- confirm it is restricted like the sibling methods.
95 __PACKAGE__-
>register_method ({
101 description
=> "Create new user",
102 parameters
=> $PMG::UserConfig
::create_schema
,
103 returns
=> { type
=> 'null' },
109 my $cfg = PMG
::UserConfig-
>new();
# Refuse to overwrite an existing account.
111 die "User '$param->{userid}' already exists\n"
112 if $cfg->{$param->{userid
}};
# Copy request parameters into the new entry; the clear-text password is
# replaced by its hash.  (The setup of $entry and the branch for the other
# keys are not shown on this page.)
115 foreach my $k (keys %$param) {
116 my $v = $param->{$k};
117 if ($k eq 'password') {
118 $entry->{crypt_pass
} = PVE
::Tools
::encrypt_pw
($v);
# Defaults when the caller omits them: account disabled, no expiry, and
# the 'audit' role (presumably the least-privileged one -- confirm).
124 $entry->{enable
} //= 0;
125 $entry->{expire
} //= 0;
126 $entry->{role} //= 'audit';
128 $cfg->{$param->{userid
}} = $entry;
# The check-and-insert above runs inside $code under the config lock, so
# two concurrent creates cannot both pass the duplicate check.
133 PMG
::UserConfig
::lock_config
($code, "create user failed");
# "Read User data." endpoint for a single userid.  Same role gate as the
# list endpoint; a 'qmanager' may only read its own account.
138 __PACKAGE__-
>register_method ({
142 description
=> "Read User data.",
143 permissions
=> { check
=> [ 'admin', 'qmanager', 'audit' ] },
147 additionalProperties
=> 0,
149 userid
=> get_standard_option
('userid'),
159 my $cfg = PMG
::UserConfig-
>new();
161 my $rpcenv = PMG
::RESTEnvironment-
>get();
162 my $authuser = $rpcenv->get_user();
163 my $role = $rpcenv->get_role();
# Per-object access check on top of the role gate.  The statement this
# modifier guards is not visible on the page; raise_perm_exc is imported
# above, so it is presumably that -- confirm.
166 if $role eq 'qmanager' && $authuser ne $param->{userid
};
168 my $data = $cfg->lookup_user_data($param->{userid
});
# Password hash is dropped before the entry is returned.
170 my $res = $extract_userdata->($data);
# "Update user data." endpoint.  Input is validated against
# $PMG::UserConfig::update_schema.  'userid' selects the entry and 'delete'
# is a list of keys to unset; the remaining parameters overwrite fields.
# NOTE(review): the 'permissions' entry is not visible on the rendered page.
175 __PACKAGE__-
>register_method ({
179 description
=> "Update user data.",
182 parameters
=> $PMG::UserConfig
::update_schema
,
183 returns
=> { type
=> 'null' },
189 my $cfg = PMG
::UserConfig-
>new();
# Both are removed from $param so the loops below only see real fields.
191 my $userid = extract_param
($param, 'userid');
193 my $entry = $cfg->lookup_user_data($userid);
195 my $delete_str = extract_param
($param, 'delete');
# Reject a request that neither deletes nor sets anything.
196 die "no options specified\n"
197 if !$delete_str && !scalar(keys %$param);
# Body of the delete loop is not shown on this page.
199 foreach my $k (PVE
::Tools
::split_list
($delete_str)) {
# A new password is hashed before it is stored; the branch for the other
# keys is not shown here.
203 foreach my $k (keys %$param) {
204 my $v = $param->{$k};
205 if ($k eq 'password') {
206 $entry->{crypt_pass
} = PVE
::Tools
::encrypt_pw
($v);
# Lookup and modification run inside $code under the config lock.
215 PMG
::UserConfig
::lock_config
($code, "update user failed");
# "Delete a user." endpoint.
# NOTE(review): the 'permissions' entry is not visible on the rendered page.
220 __PACKAGE__-
>register_method ({
224 description
=> "Delete a user.",
228 additionalProperties
=> 0,
230 userid
=> get_standard_option
('userid'),
233 returns
=> { type
=> 'null' },
239 my $cfg = PMG
::UserConfig-
>new();
# Called for its error behaviour only: the result is discarded, so the
# lookup is presumably expected to die for an unknown user -- confirm.
241 $cfg->lookup_user_data($param->{userid
}); # user exists?
243 delete $cfg->{$param->{userid
}};
# Existence check and removal run inside $code under the config lock.
248 PMG
::UserConfig
::lock_config
($code, "delete user failed");
# Admin-only endpoint that clears a user's second-factor lockout.
# Returns true when the user was actually locked, false otherwise.
253 __PACKAGE__-
>register_method ({
254 name
=> 'unlock_tfa',
255 path
=> '{userid}/unlock-tfa',
258 description
=> "Unlock a user's TFA authentication.",
# Unlocking another account's TFA is an admin operation; no other role.
259 permissions
=> { check
=> [ 'admin' ] },
261 additionalProperties
=> 0,
263 userid
=> get_standard_option
('userid'),
266 returns
=> { type
=> 'boolean' },
270 my $userid = extract_param
($param, "userid");
# Read-modify-write of the TFA config under its lock; lock_config's
# return value is the closure's result.
272 my $user_was_locked = PMG
::TFAConfig
::lock_config
(sub {
273 my $tfa_cfg = PMG
::TFAConfig-
>new();
274 my $was_locked = $tfa_cfg->api_unlock_tfa($userid);
# Only rewrite the config when something changed.
275 $tfa_cfg->write() if $was_locked;
279 return $user_was_locked;