]> git.proxmox.com Git - pve-access-control.git/blame - PVE/API2/User.pm
projects / pve-access-control.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
token create: return also full token id for convenience
[pve-access-control.git] / PVE / API2 / User.pm
CommitLineData
2c3a6c0a
DM		 1package PVE::API2::User;
2
3use strict;
4use warnings;
4e4c8d40 5use PVE::Exception qw(raise raise_perm_exc raise_param_exc);
2c3a6c0a 6use PVE::Cluster qw (cfs_read_file cfs_write_file);
4e4c8d40 7use PVE::Tools qw(split_list extract_param);
2c3a6c0a 8use PVE::AccessControl;
3a5ae7a0 9use PVE::JSONSchema qw(get_standard_option register_standard_option);
4e4c8d40 10use PVE::TokenConfig;
2c3a6c0a
DM		 11
12use PVE::SafeSyslog;
13
2c3a6c0a
DM		 14use PVE::RESTHandler;
15
16use base qw(PVE::RESTHandler);
17
3a5ae7a0
SI		 18register_standard_option('user-enable', {
19 description => "Enable the account (default). You can set this to '0' to disable the account",
20 type => 'boolean',
21 optional => 1,
22 default => 1,
23});
24register_standard_option('user-expire', {
25 description => "Account expiration date (seconds since epoch). '0' means no expiration date.",
26 type => 'integer',
27 minimum => 0,
28 optional => 1,
29});
30register_standard_option('user-firstname', { type => 'string', optional => 1 });
31register_standard_option('user-lastname', { type => 'string', optional => 1 });
32register_standard_option('user-email', { type => 'string', optional => 1, format => 'email-opt' });
33register_standard_option('user-comment', { type => 'string', optional => 1 });
34register_standard_option('user-keys', {
35 description => "Keys for two factor auth (yubico).",
36 type => 'string',
37 optional => 1,
38});
39register_standard_option('group-list', {
40 type => 'string', format => 'pve-groupid-list',
41 optional => 1,
42 completion => \&PVE::AccessControl::complete_group,
43});
4e4c8d40
FG		 44register_standard_option('token-subid', {
45 type => 'string',
46 pattern => $PVE::AccessControl::token_subid_regex,
47 description => 'User-specific token identifier.',
48});
49register_standard_option('token-expire', {
50 description => "API token expiration date (seconds since epoch). '0' means no expiration date.",
51 type => 'integer',
52 minimum => 0,
53 optional => 1,
b974bdc0 54 default => 'same as user',
4e4c8d40
FG		 55});
56register_standard_option('token-privsep', {
57 description => "Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.",
58 type => 'boolean',
59 optional => 1,
60 default => 1,
61});
62register_standard_option('token-comment', { type => 'string', optional => 1 });
63register_standard_option('token-info', {
64 type => 'object',
65 properties => {
66 expire => get_standard_option('token-expire'),
67 privsep => get_standard_option('token-privsep'),
68 comment => get_standard_option('token-comment'),
69 }
70});
71
72my $token_info_extend = sub {
73 my ($props) = @_;
74
75 my $obj = get_standard_option('token-info');
76 my $base_props = $obj->{properties};
77 $obj->{properties} = {};
78
79 foreach my $prop (keys %$base_props) {
80 $obj->{properties}->{$prop} = $base_props->{$prop};
81 }
82
83 foreach my $add_prop (keys %$props) {
84 $obj->{properties}->{$add_prop} = $props->{$add_prop};
85 }
86
87 return $obj;
88};
3a5ae7a0 89
2c3a6c0a
DM		 90my $extract_user_data = sub {
91 my ($data, $full) = @_;
92
93 my $res = {};
94
96f8ebd6 95 foreach my $prop (qw(enable expire firstname lastname email comment keys)) {
2c3a6c0a
DM		 96 $res->{$prop} = $data->{$prop} if defined($data->{$prop});
97 }
98
99 return $res if !$full;
100
101 $res->{groups} = $data->{groups} ? [ keys %{$data->{groups}} ] : [];
4e4c8d40 102 $res->{tokens} = $data->{tokens};
2c3a6c0a
DM		 103
104 return $res;
105};
106
107__PACKAGE__->register_method ({
0a6e09fd
PA		 108 name => 'index',
109 path => '',
2c3a6c0a
DM		 110 method => 'GET',
111 description => "User index.",
0a6e09fd 112 permissions => {
82b63965 113 description => "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.",
96919234
DM		 114 user => 'all',
115 },
2c3a6c0a
DM		 116 parameters => {
117 additionalProperties => 0,
cb6f2f93
DM		 118 properties => {
119 enabled => {
120 type => 'boolean',
121 description => "Optional filter for enable property.",
122 optional => 1,
3a4ed527
FG		 123 },
124 full => {
125 type => 'boolean',
126 description => "Include group and token information.",
127 optional => 1,
128 default => 0,
cb6f2f93
DM		 129 }
130 },
2c3a6c0a
DM		 131 },
132 returns => {
133 type => 'array',
134 items => {
135 type => "object",
136 properties => {
3a5ae7a0
SI		 137 userid => get_standard_option('userid-completed'),
138 enable => get_standard_option('user-enable'),
139 expire => get_standard_option('user-expire'),
140 firstname => get_standard_option('user-firstname'),
141 lastname => get_standard_option('user-lastname'),
142 email => get_standard_option('user-email'),
143 comment => get_standard_option('user-comment'),
144 keys => get_standard_option('user-keys'),
3a4ed527
FG		 145 groups => get_standard_option('group-list'),
146 tokens => {
147 type => 'array',
148 optional => 1,
149 items => $token_info_extend->({
150 tokenid => get_standard_option('token-subid'),
151 }),
152 }
2c3a6c0a
DM		 153 },
154 },
155 links => [ { rel => 'child', href => "{userid}" } ],
156 },
157 code => sub {
158 my ($param) = @_;
0a6e09fd 159
930dcfc8 160 my $rpcenv = PVE::RPCEnvironment::get();
37d45deb 161 my $usercfg = $rpcenv->{user_cfg};
930dcfc8
DM		 162 my $authuser = $rpcenv->get_user();
163
2c3a6c0a
DM		 164 my $res = [];
165
82b63965
DM		 166 my $privs = [ 'User.Modify', 'Sys.Audit' ];
167 my $canUserMod = $rpcenv->check_any($authuser, "/access/groups", $privs, 1);
b9180ed2 168 my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
0a6e09fd 169 my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
37d45deb 170
2c3a6c0a 171 foreach my $user (keys %{$usercfg->{users}}) {
37d45deb
DM		 172 if (!($canUserMod || $user eq $authuser)) {
173 next if !$allowed_users->{$user};
174 }
930dcfc8 175
3a4ed527 176 my $entry = &$extract_user_data($usercfg->{users}->{$user}, $param->{full});
cb6f2f93
DM		 177
178 if (defined($param->{enabled})) {
179 next if $entry->{enable} && !$param->{enabled};
180 next if !$entry->{enable} && $param->{enabled};
181 }
182
3a4ed527
FG		 183 $entry->{groups} = join(',', @{$entry->{groups}}) if $entry->{groups};
184 $entry->{tokens} = [ map { { tokenid => $_, %{$entry->{tokens}->{$_}} } } sort keys %{$entry->{tokens}} ]
185 if defined($entry->{tokens});
186
2c3a6c0a
DM		 187 $entry->{userid} = $user;
188 push @$res, $entry;
189 }
190
191 return $res;
192 }});
193
194__PACKAGE__->register_method ({
0a6e09fd 195 name => 'create_user',
2c3a6c0a 196 protected => 1,
0a6e09fd 197 path => '',
2c3a6c0a 198 method => 'POST',
0a6e09fd 199 permissions => {
82b63965
DM		 200 description => "You need 'Realm.AllocateUser' on '/access/realm/<realm>' on the realm of user <userid>, and 'User.Modify' permissions to '/access/groups/<group>' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.",
201 check => [ 'and',
202 [ 'userid-param', 'Realm.AllocateUser'],
203 [ 'userid-group', ['User.Modify'], groups_param => 1],
204 ],
96919234 205 },
2c3a6c0a
DM		 206 description => "Create new user.",
207 parameters => {
0a6e09fd 208 additionalProperties => 0,
2c3a6c0a 209 properties => {
3a5ae7a0
SI		 210 userid => get_standard_option('userid-completed'),
211 enable => get_standard_option('user-enable'),
212 expire => get_standard_option('user-expire'),
213 firstname => get_standard_option('user-firstname'),
214 lastname => get_standard_option('user-lastname'),
215 email => get_standard_option('user-email'),
216 comment => get_standard_option('user-comment'),
217 keys => get_standard_option('user-keys'),
37d45deb
DM		 218 password => {
219 description => "Initial password.",
0a6e09fd
PA		 220 type => 'string',
221 optional => 1,
222 minLength => 5,
223 maxLength => 64
37d45deb 224 },
3a5ae7a0 225 groups => get_standard_option('group-list'),
2c3a6c0a
DM		 226 },
227 },
228 returns => { type => 'null' },
229 code => sub {
230 my ($param) = @_;
231
232 PVE::AccessControl::lock_user_config(
233 sub {
0a6e09fd 234
2c3a6c0a 235 my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
0a6e09fd 236
2c3a6c0a
DM		 237 my $usercfg = cfs_read_file("user.cfg");
238
0a6e09fd 239 die "user '$username' already exists\n"
2c3a6c0a 240 if $usercfg->{users}->{$username};
0a6e09fd 241
2c3a6c0a 242 PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password})
fdb30a4c 243 if defined($param->{password});
2c3a6c0a
DM		 244
245 my $enable = defined($param->{enable}) ? $param->{enable} : 1;
246 $usercfg->{users}->{$username} = { enable => $enable };
247 $usercfg->{users}->{$username}->{expire} = $param->{expire} if $param->{expire};
248
249 if ($param->{groups}) {
250 foreach my $group (split_list($param->{groups})) {
251 if ($usercfg->{groups}->{$group}) {
252 PVE::AccessControl::add_user_group($username, $usercfg, $group);
253 } else {
254 die "no such group '$group'\n";
255 }
256 }
257 }
258
259 $usercfg->{users}->{$username}->{firstname} = $param->{firstname} if $param->{firstname};
260 $usercfg->{users}->{$username}->{lastname} = $param->{lastname} if $param->{lastname};
261 $usercfg->{users}->{$username}->{email} = $param->{email} if $param->{email};
262 $usercfg->{users}->{$username}->{comment} = $param->{comment} if $param->{comment};
96f8ebd6 263 $usercfg->{users}->{$username}->{keys} = $param->{keys} if $param->{keys};
2c3a6c0a
DM		 264
265 cfs_write_file("user.cfg", $usercfg);
266 }, "create user failed");
267
268 return undef;
269 }});
270
271__PACKAGE__->register_method ({
0a6e09fd
PA		 272 name => 'read_user',
273 path => '{userid}',
2c3a6c0a
DM		 274 method => 'GET',
275 description => "Get user configuration.",
0a6e09fd 276 permissions => {
82b63965 277 check => ['userid-group', ['User.Modify', 'Sys.Audit']],
96919234 278 },
2c3a6c0a 279 parameters => {
0a6e09fd 280 additionalProperties => 0,
2c3a6c0a 281 properties => {
3a5ae7a0 282 userid => get_standard_option('userid-completed'),
2c3a6c0a
DM		 283 },
284 },
285 returns => {
0a6e09fd 286 additionalProperties => 0,
2c3a6c0a 287 properties => {
3a5ae7a0
SI		 288 enable => get_standard_option('user-enable'),
289 expire => get_standard_option('user-expire'),
290 firstname => get_standard_option('user-firstname'),
291 lastname => get_standard_option('user-lastname'),
292 email => get_standard_option('user-email'),
293 comment => get_standard_option('user-comment'),
294 keys => get_standard_option('user-keys'),
4e4c8d40
FG		 295 groups => {
296 type => 'array',
72c4589c 297 optional => 1,
4e4c8d40
FG		 298 items => {
299 type => 'string',
300 format => 'pve-groupid',
301 },
302 },
303 tokens => {
72c4589c 304 optional => 1,
4e4c8d40
FG		 305 type => 'object',
306 },
3a5ae7a0
SI		 307 },
308 type => "object"
2c3a6c0a
DM		 309 },
310 code => sub {
311 my ($param) = @_;
312
0a6e09fd 313 my ($username, undef, $domain) =
2c3a6c0a
DM		 314 PVE::AccessControl::verify_username($param->{userid});
315
316 my $usercfg = cfs_read_file("user.cfg");
2c3a6c0a 317
37d45deb 318 my $data = PVE::AccessControl::check_user_exist($usercfg, $username);
0a6e09fd 319
2c3a6c0a
DM		 320 return &$extract_user_data($data, 1);
321 }});
322
323__PACKAGE__->register_method ({
0a6e09fd 324 name => 'update_user',
2c3a6c0a 325 protected => 1,
0a6e09fd 326 path => '{userid}',
2c3a6c0a 327 method => 'PUT',
0a6e09fd 328 permissions => {
96919234
DM		 329 check => ['userid-group', ['User.Modify'], groups_param => 1 ],
330 },
2c3a6c0a
DM		 331 description => "Update user configuration.",
332 parameters => {
0a6e09fd 333 additionalProperties => 0,
2c3a6c0a 334 properties => {
3a5ae7a0
SI		 335 userid => get_standard_option('userid-completed'),
336 enable => get_standard_option('user-enable'),
337 expire => get_standard_option('user-expire'),
338 firstname => get_standard_option('user-firstname'),
339 lastname => get_standard_option('user-lastname'),
340 email => get_standard_option('user-email'),
341 comment => get_standard_option('user-comment'),
342 keys => get_standard_option('user-keys'),
343 groups => get_standard_option('group-list'),
0a6e09fd
PA		 344 append => {
345 type => 'boolean',
2c3a6c0a
DM		 346 optional => 1,
347 requires => 'groups',
348 },
2c3a6c0a
DM		 349 },
350 },
351 returns => { type => 'null' },
352 code => sub {
353 my ($param) = @_;
37d45deb 354
0a6e09fd 355 my ($username, $ruid, $realm) =
37d45deb 356 PVE::AccessControl::verify_username($param->{userid});
0a6e09fd 357
2c3a6c0a
DM		 358 PVE::AccessControl::lock_user_config(
359 sub {
0a6e09fd 360
2c3a6c0a
DM		 361 my $usercfg = cfs_read_file("user.cfg");
362
37d45deb 363 PVE::AccessControl::check_user_exist($usercfg, $username);
2c3a6c0a
DM		 364
365 $usercfg->{users}->{$username}->{enable} = $param->{enable} if defined($param->{enable});
366
367 $usercfg->{users}->{$username}->{expire} = $param->{expire} if defined($param->{expire});
368
0a6e09fd 369 PVE::AccessControl::delete_user_group($username, $usercfg)
e6521738 370 if (!$param->{append} && defined($param->{groups}));
2c3a6c0a
DM		 371
372 if ($param->{groups}) {
373 foreach my $group (split_list($param->{groups})) {
374 if ($usercfg->{groups}->{$group}) {
375 PVE::AccessControl::add_user_group($username, $usercfg, $group);
376 } else {
377 die "no such group '$group'\n";
378 }
379 }
380 }
381
382 $usercfg->{users}->{$username}->{firstname} = $param->{firstname} if defined($param->{firstname});
383 $usercfg->{users}->{$username}->{lastname} = $param->{lastname} if defined($param->{lastname});
384 $usercfg->{users}->{$username}->{email} = $param->{email} if defined($param->{email});
385 $usercfg->{users}->{$username}->{comment} = $param->{comment} if defined($param->{comment});
96f8ebd6 386 $usercfg->{users}->{$username}->{keys} = $param->{keys} if defined($param->{keys});
2c3a6c0a
DM		 387
388 cfs_write_file("user.cfg", $usercfg);
389 }, "update user failed");
0a6e09fd 390
2c3a6c0a
DM		 391 return undef;
392 }});
393
394__PACKAGE__->register_method ({
0a6e09fd 395 name => 'delete_user',
2c3a6c0a 396 protected => 1,
0a6e09fd 397 path => '{userid}',
2c3a6c0a
DM		 398 method => 'DELETE',
399 description => "Delete user.",
0a6e09fd 400 permissions => {
82b63965
DM		 401 check => [ 'and',
402 [ 'userid-param', 'Realm.AllocateUser'],
403 [ 'userid-group', ['User.Modify']],
404 ],
12683df7 405 },
2c3a6c0a 406 parameters => {
0a6e09fd 407 additionalProperties => 0,
2c3a6c0a 408 properties => {
3a5ae7a0 409 userid => get_standard_option('userid-completed'),
2c3a6c0a
DM		 410 }
411 },
412 returns => { type => 'null' },
413 code => sub {
414 my ($param) = @_;
0a6e09fd 415
37d45deb
DM		 416 my $rpcenv = PVE::RPCEnvironment::get();
417 my $authuser = $rpcenv->get_user();
418
0a6e09fd 419 my ($userid, $ruid, $realm) =
37d45deb 420 PVE::AccessControl::verify_username($param->{userid});
2c3a6c0a
DM		 421
422 PVE::AccessControl::lock_user_config(
423 sub {
424
2c3a6c0a
DM		 425 my $usercfg = cfs_read_file("user.cfg");
426
5bb4e06a
DM		 427 my $domain_cfg = cfs_read_file('domains.cfg');
428 if (my $cfg = $domain_cfg->{ids}->{$realm}) {
429 my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
430 $plugin->delete_user($cfg, $realm, $ruid);
431 }
2c3a6c0a 432
9536c4dc
WB		 433 # Remove TFA data before removing the user entry as the user entry tells us whether
434 # we need ot update priv/tfa.cfg.
435 PVE::AccessControl::user_set_tfa($userid, $realm, undef, undef, $usercfg, $domain_cfg);
436
5bb4e06a 437 delete $usercfg->{users}->{$userid};
37d45deb
DM		 438
439 PVE::AccessControl::delete_user_group($userid, $usercfg);
440 PVE::AccessControl::delete_user_acl($userid, $usercfg);
2c3a6c0a
DM		 441 cfs_write_file("user.cfg", $usercfg);
442 }, "delete user failed");
0a6e09fd 443
2c3a6c0a
DM		 444 return undef;
445 }});
446
e51988b4
DC		 447__PACKAGE__->register_method ({
448 name => 'read_user_tfa_type',
449 path => '{userid}/tfa',
450 method => 'GET',
451 protected => 1,
452 description => "Get user TFA types (Personal and Realm).",
453 permissions => {
454 check => [ 'or',
455 ['userid-param', 'self'],
456 ['userid-group', ['User.Modify', 'Sys.Audit']],
457 ],
458 },
459 parameters => {
460 additionalProperties => 0,
461 properties => {
462 userid => get_standard_option('userid-completed'),
463 },
464 },
465 returns => {
466 additionalProperties => 0,
467 properties => {
468 realm => {
469 type => 'string',
470 enum => [qw(oath yubico)],
471 description => "The type of TFA the users realm has set, if any.",
472 optional => 1,
473 },
474 user => {
475 type => 'string',
476 enum => [qw(oath u2f)],
477 description => "The type of TFA the user has set, if any.",
478 optional => 1,
479 },
480 },
481 type => "object"
482 },
483 code => sub {
484 my ($param) = @_;
485
486 my ($username, undef, $realm) = PVE::AccessControl::verify_username($param->{userid});
487
488
489 my $domain_cfg = cfs_read_file('domains.cfg');
490 my $realm_cfg = $domain_cfg->{ids}->{$realm};
491 die "auth domain '$realm' does not exist\n" if !$realm_cfg;
492
493 my $realm_tfa = {};
494 $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_cfg->{tfa})
495 if $realm_cfg->{tfa};
496
497 my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
498 my $tfa = $tfa_cfg->{users}->{$username};
499
500 my $res = {};
501 $res->{realm} = $realm_tfa->{type} if $realm_tfa->{type};
502 $res->{user} = $tfa->{type} if $tfa->{type};
503 return $res;
504 }});
505
4e4c8d40
FG		 506__PACKAGE__->register_method ({
507 name => 'token_index',
508 path => '{userid}/token',
509 method => 'GET',
510 description => "Get user API tokens.",
511 permissions => {
512 check => ['or',
513 ['userid-param', 'self'],
514 ['perm', '/access/users/{userid}', ['User.Modify']],
515 ],
516 },
517 parameters => {
518 additionalProperties => 0,
519 properties => {
520 userid => get_standard_option('userid-completed'),
521 },
522 },
523 returns => {
524 type => "array",
525 items => $token_info_extend->({
526 tokenid => get_standard_option('token-subid'),
527 }),
528 links => [ { rel => 'child', href => "{tokenid}" } ],
529 },
530 code => sub {
531 my ($param) = @_;
532
533 my $userid = PVE::AccessControl::verify_username($param->{userid});
534 my $usercfg = cfs_read_file("user.cfg");
535
536 my $user = PVE::AccessControl::check_user_exist($usercfg, $userid);
537
538 my $tokens = $user->{tokens} // {};
539 return [ map { $tokens->{$_}->{tokenid} = $_; $tokens->{$_} } keys %$tokens];
540 }});
541
542__PACKAGE__->register_method ({
543 name => 'read_token',
544 path => '{userid}/token/{tokenid}',
545 method => 'GET',
546 description => "Get specific API token information.",
547 permissions => {
548 check => ['or',
549 ['userid-param', 'self'],
550 ['perm', '/access/users/{userid}', ['User.Modify']],
551 ],
552 },
553 parameters => {
554 additionalProperties => 0,
555 properties => {
556 userid => get_standard_option('userid-completed'),
557 tokenid => get_standard_option('token-subid'),
558 },
559 },
560 returns => get_standard_option('token-info'),
561 code => sub {
562 my ($param) = @_;
563
564 my $userid = PVE::AccessControl::verify_username($param->{userid});
565 my $tokenid = $param->{tokenid};
566
567 my $usercfg = cfs_read_file("user.cfg");
568
569 return PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
570 }});
571
572__PACKAGE__->register_method ({
573 name => 'generate_token',
574 path => '{userid}/token/{tokenid}',
575 method => 'POST',
576 description => "Generate a new API token for a specific user. NOTE: returns API token value, which needs to be stored as it cannot be retrieved afterwards!",
577 protected => 1,
578 permissions => {
579 check => ['or',
580 ['userid-param', 'self'],
581 ['perm', '/access/users/{userid}', ['User.Modify']],
582 ],
583 },
584 parameters => {
585 additionalProperties => 0,
586 properties => {
587 userid => get_standard_option('userid-completed'),
588 tokenid => get_standard_option('token-subid'),
589 expire => get_standard_option('token-expire'),
590 privsep => get_standard_option('token-privsep'),
591 comment => get_standard_option('token-comment'),
592 },
593 },
594 returns => {
595 additionalProperties => 0,
596 type => "object",
597 properties => {
598 info => get_standard_option('token-info'),
599 value => {
600 type => 'string',
601 description => 'API token value used for authentication.',
602 },
77bfb48e
TL		 603 'full-tokenid' => {
604 type => 'string',
605 format_description => '<userid>!<tokenid>',
606 description => 'The full token id.',
607 },
4e4c8d40
FG		 608 },
609 },
610 code => sub {
611 my ($param) = @_;
612
613 my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
614 my $tokenid = extract_param($param, 'tokenid');
615
616 my $usercfg = cfs_read_file("user.cfg");
617
618 my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid, 1);
77bfb48e 619 my ($full_tokenid, $value);
4e4c8d40
FG		 620
621 PVE::AccessControl::check_user_exist($usercfg, $userid);
622 raise_param_exc({ 'tokenid' => 'Token already exists.' }) if defined($token);
623
624 my $generate_and_add_token = sub {
625 $usercfg = cfs_read_file("user.cfg");
626 PVE::AccessControl::check_user_exist($usercfg, $userid);
627 die "Token already exists.\n" if defined(PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid, 1));
628
77bfb48e 629 $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
4e4c8d40
FG		 630 $value = PVE::TokenConfig::generate_token($full_tokenid);
631
632 $token = {};
633 $token->{privsep} = defined($param->{privsep}) ? $param->{privsep} : 1;
634 $token->{expire} = $param->{expire} if defined($param->{expire});
635 $token->{comment} = $param->{comment} if $param->{comment};
636
637 $usercfg->{users}->{$userid}->{tokens}->{$tokenid} = $token;
638 cfs_write_file("user.cfg", $usercfg);
639 };
640
641 PVE::AccessControl::lock_user_config($generate_and_add_token, 'generating token failed');
642
77bfb48e
TL		 643 return {
644 info => $token,
645 value => $value,
646 'full-tokenid' => $full_tokenid,
647 };
4e4c8d40
FG		 648 }});
649
650
651__PACKAGE__->register_method ({
652 name => 'update_token_info',
653 path => '{userid}/token/{tokenid}',
654 method => 'PUT',
655 description => "Update API token for a specific user.",
656 protected => 1,
657 permissions => {
658 check => ['or',
659 ['userid-param', 'self'],
660 ['perm', '/access/users/{userid}', ['User.Modify']],
661 ],
662 },
663 parameters => {
664 additionalProperties => 0,
665 properties => {
666 userid => get_standard_option('userid-completed'),
667 tokenid => get_standard_option('token-subid'),
668 expire => get_standard_option('token-expire'),
669 privsep => get_standard_option('token-privsep'),
670 comment => get_standard_option('token-comment'),
671 },
672 },
673 returns => get_standard_option('token-info', { description => "Updated token information." }),
674 code => sub {
675 my ($param) = @_;
676
677 my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
678 my $tokenid = extract_param($param, 'tokenid');
679
680 my $usercfg = cfs_read_file("user.cfg");
681 my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
682
683 my $update_token = sub {
684 $usercfg = cfs_read_file("user.cfg");
685 $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
686
687 my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
688
689 $token->{privsep} = $param->{privsep} if defined($param->{privsep});
690 $token->{expire} = $param->{expire} if defined($param->{expire});
691 $token->{comment} = $param->{comment} if $param->{comment};
692
693 $usercfg->{users}->{$userid}->{tokens}->{$tokenid} = $token;
694 cfs_write_file("user.cfg", $usercfg);
695 };
696
697 PVE::AccessControl::lock_user_config($update_token, 'updating token info failed');
698
699 return $token;
700 }});
701
702
703__PACKAGE__->register_method ({
704 name => 'remove_token',
705 path => '{userid}/token/{tokenid}',
706 method => 'DELETE',
707 description => "Remove API token for a specific user.",
708 protected => 1,
709 permissions => {
710 check => ['or',
711 ['userid-param', 'self'],
712 ['perm', '/access/users/{userid}', ['User.Modify']],
713 ],
714 },
715 parameters => {
716 additionalProperties => 0,
717 properties => {
718 userid => get_standard_option('userid-completed'),
719 tokenid => get_standard_option('token-subid'),
720 },
721 },
722 returns => { type => 'null' },
723 code => sub {
724 my ($param) = @_;
725
726 my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
727 my $tokenid = extract_param($param, 'tokenid');
728
729 my $usercfg = cfs_read_file("user.cfg");
730 my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
731
732 my $update_token = sub {
733 $usercfg = cfs_read_file("user.cfg");
734
735 PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
736
737 my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
738 PVE::TokenConfig::delete_token($full_tokenid);
739 delete $usercfg->{users}->{$userid}->{tokens}->{$tokenid};
740
741 cfs_write_file("user.cfg", $usercfg);
742 };
743
744 PVE::AccessControl::lock_user_config($update_token, 'deleting token failed');
745
746 return;
747 }});
2c3a6c0a 7481;
Access control framework