[pve-access-control.git] / PVE / API2 / User.pm

package PVE::API2::User;

use strict;
use warnings;
use PVE::Exception qw(raise raise_perm_exc);
use PVE::Cluster qw (cfs_read_file cfs_write_file);
use PVE::Tools qw(split_list);
use PVE::AccessControl;
use PVE::JSONSchema qw(get_standard_option register_standard_option);

use PVE::SafeSyslog;

use PVE::RESTHandler;

use base qw(PVE::RESTHandler);

register_standard_option('user-enable', {
    description => "Enable the account (default). You can set this to '0' to disable the account",
    type => 'boolean',
    optional => 1,
    default => 1,
});
register_standard_option('user-expire', {
    description => "Account expiration date (seconds since epoch). '0' means no expiration date.",
    type => 'integer',
    minimum => 0,
    optional => 1,
});
register_standard_option('user-firstname', { type => 'string', optional => 1 });
register_standard_option('user-lastname', { type => 'string', optional => 1 });
register_standard_option('user-email', { type => 'string', optional => 1, format => 'email-opt' });
register_standard_option('user-comment', { type => 'string', optional => 1 });
register_standard_option('user-keys', {
    description => "Keys for two factor auth (yubico).",
    type => 'string',
    optional => 1,
});
register_standard_option('group-list', {
    type => 'string', format => 'pve-groupid-list',
    optional => 1,
    completion => \&PVE::AccessControl::complete_group,
});

my $extract_user_data = sub {
    my ($data, $full) = @_;

    my $res = {};

    foreach my $prop (qw(enable expire firstname lastname email comment keys)) {
	$res->{$prop} = $data->{$prop} if defined($data->{$prop});
    }

    return $res if !$full;

    $res->{groups} = $data->{groups} ? [ keys %{$data->{groups}} ] : [];

    return $res;
};

__PACKAGE__->register_method ({
    name => 'index',
    path => '',
    method => 'GET',
    description => "User index.",
    permissions => {
	description => "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.",
	user => 'all',
    },
    parameters => {
	additionalProperties => 0,
	properties => {
	    enabled => {
		type => 'boolean',
		description => "Optional filter for enable property.",
		optional => 1,
	    }
	},
    },
    returns => {
	type => 'array',
	items => {
	    type => "object",
	    properties => {
	        userid => get_standard_option('userid-completed'),
	        enable => get_standard_option('user-enable'),
	        expire => get_standard_option('user-expire'),
	        firstname => get_standard_option('user-firstname'),
	        lastname => get_standard_option('user-lastname'),
	        email => get_standard_option('user-email'),
	        comment => get_standard_option('user-comment'),
	        keys => get_standard_option('user-keys'),
	    },
	},
	links => [ { rel => 'child', href => "{userid}" } ],
    },
    code => sub {
	my ($param) = @_;

	my $rpcenv = PVE::RPCEnvironment::get();
	my $usercfg = $rpcenv->{user_cfg};
	my $authuser = $rpcenv->get_user();

	my $res = [];

	my $privs = [ 'User.Modify', 'Sys.Audit' ];
	my $canUserMod = $rpcenv->check_any($authuser, "/access/groups", $privs, 1);
	my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
	my $allowed_users = $rpcenv->group_member_join([keys %$groups]);

	foreach my $user (keys %{$usercfg->{users}}) {

	    if (!($canUserMod || $user eq $authuser)) {
		next if !$allowed_users->{$user};
	    }

	    my $entry = &$extract_user_data($usercfg->{users}->{$user});

	    if (defined($param->{enabled})) {
		next if $entry->{enable} && !$param->{enabled};
		next if !$entry->{enable} && $param->{enabled};
	    }

	    $entry->{userid} = $user;
	    push @$res, $entry;
	}

	return $res;
    }});

__PACKAGE__->register_method ({
    name => 'create_user',
    protected => 1,
    path => '',
    method => 'POST',
    permissions => {
	description => "You need 'Realm.AllocateUser' on '/access/realm/<realm>' on the realm of user <userid>, and 'User.Modify' permissions to '/access/groups/<group>' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.",
	check => [ 'and',
		   [ 'userid-param', 'Realm.AllocateUser'],
		   [ 'userid-group', ['User.Modify'], groups_param => 1],
	    ],
    },
    description => "Create new user.",
    parameters => {
	additionalProperties => 0,
	properties => {
	    userid => get_standard_option('userid-completed'),
	    enable => get_standard_option('user-enable'),
	    expire => get_standard_option('user-expire'),
	    firstname => get_standard_option('user-firstname'),
	    lastname => get_standard_option('user-lastname'),
	    email => get_standard_option('user-email'),
	    comment => get_standard_option('user-comment'),
	    keys => get_standard_option('user-keys'),
	    password => {
		description => "Initial password.",
		type => 'string',
		optional => 1,
		minLength => 5,
		maxLength => 64
	    },
	    groups => get_standard_option('group-list'),
	},
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::AccessControl::lock_user_config(
	    sub {

		my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});

		my $usercfg = cfs_read_file("user.cfg");

		die "user '$username' already exists\n"
		    if $usercfg->{users}->{$username};

		PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password})
		    if defined($param->{password});

		my $enable = defined($param->{enable}) ? $param->{enable} : 1;
		$usercfg->{users}->{$username} = { enable => $enable };
		$usercfg->{users}->{$username}->{expire} = $param->{expire} if $param->{expire};

		if ($param->{groups}) {
		    foreach my $group (split_list($param->{groups})) {
			if ($usercfg->{groups}->{$group}) {
			    PVE::AccessControl::add_user_group($username, $usercfg, $group);
			} else {
			    die "no such group '$group'\n";
			}
		    }
		}

		$usercfg->{users}->{$username}->{firstname} = $param->{firstname} if $param->{firstname};
		$usercfg->{users}->{$username}->{lastname} = $param->{lastname} if $param->{lastname};
		$usercfg->{users}->{$username}->{email} = $param->{email} if $param->{email};
		$usercfg->{users}->{$username}->{comment} = $param->{comment} if $param->{comment};
		$usercfg->{users}->{$username}->{keys} = $param->{keys} if $param->{keys};

		cfs_write_file("user.cfg", $usercfg);
	    }, "create user failed");

	return undef;
    }});

__PACKAGE__->register_method ({
    name => 'read_user',
    path => '{userid}',
    method => 'GET',
    description => "Get user configuration.",
    permissions => {
	check => ['userid-group', ['User.Modify', 'Sys.Audit']],
    },
    parameters => {
	additionalProperties => 0,
	properties => {
	    userid => get_standard_option('userid-completed'),
	},
    },
    returns => {
	additionalProperties => 0,
	properties => {
	    enable => get_standard_option('user-enable'),
	    expire => get_standard_option('user-expire'),
	    firstname => get_standard_option('user-firstname'),
	    lastname => get_standard_option('user-lastname'),
	    email => get_standard_option('user-email'),
	    comment => get_standard_option('user-comment'),
	    keys => get_standard_option('user-keys'),
	    groups => { type => 'array' },
	},
	type => "object"
    },
    code => sub {
	my ($param) = @_;

	my ($username, undef, $domain) =
	    PVE::AccessControl::verify_username($param->{userid});

	my $usercfg = cfs_read_file("user.cfg");

	my $data = PVE::AccessControl::check_user_exist($usercfg, $username);

	return &$extract_user_data($data, 1);
    }});

__PACKAGE__->register_method ({
    name => 'update_user',
    protected => 1,
    path => '{userid}',
    method => 'PUT',
    permissions => {
	check => ['userid-group', ['User.Modify'], groups_param => 1 ],
    },
    description => "Update user configuration.",
    parameters => {
	additionalProperties => 0,
	properties => {
	    userid => get_standard_option('userid-completed'),
	    enable => get_standard_option('user-enable'),
	    expire => get_standard_option('user-expire'),
	    firstname => get_standard_option('user-firstname'),
	    lastname => get_standard_option('user-lastname'),
	    email => get_standard_option('user-email'),
	    comment => get_standard_option('user-comment'),
	    keys => get_standard_option('user-keys'),
	    groups => get_standard_option('group-list'),
	    append => {
		type => 'boolean',
		optional => 1,
		requires => 'groups',
	    },
	},
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	my ($username, $ruid, $realm) =
	    PVE::AccessControl::verify_username($param->{userid});

	PVE::AccessControl::lock_user_config(
	    sub {

		my $usercfg = cfs_read_file("user.cfg");

		PVE::AccessControl::check_user_exist($usercfg, $username);

		$usercfg->{users}->{$username}->{enable} = $param->{enable} if defined($param->{enable});

		$usercfg->{users}->{$username}->{expire} = $param->{expire} if defined($param->{expire});

		PVE::AccessControl::delete_user_group($username, $usercfg)
		    if (!$param->{append} && defined($param->{groups}));

		if ($param->{groups}) {
		    foreach my $group (split_list($param->{groups})) {
			if ($usercfg->{groups}->{$group}) {
			    PVE::AccessControl::add_user_group($username, $usercfg, $group);
			} else {
			    die "no such group '$group'\n";
			}
		    }
		}

		$usercfg->{users}->{$username}->{firstname} = $param->{firstname} if defined($param->{firstname});
		$usercfg->{users}->{$username}->{lastname} = $param->{lastname} if defined($param->{lastname});
		$usercfg->{users}->{$username}->{email} = $param->{email} if defined($param->{email});
		$usercfg->{users}->{$username}->{comment} = $param->{comment} if defined($param->{comment});
		$usercfg->{users}->{$username}->{keys} = $param->{keys} if defined($param->{keys});

		cfs_write_file("user.cfg", $usercfg);
	    }, "update user failed");

	return undef;
    }});

__PACKAGE__->register_method ({
    name => 'delete_user',
    protected => 1,
    path => '{userid}',
    method => 'DELETE',
    description => "Delete user.",
    permissions => {
	check => [ 'and',
		   [ 'userid-param', 'Realm.AllocateUser'],
		   [ 'userid-group', ['User.Modify']],
	    ],
    },
    parameters => {
	additionalProperties => 0,
	properties => {
	    userid => get_standard_option('userid-completed'),
	}
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	my $rpcenv = PVE::RPCEnvironment::get();
	my $authuser = $rpcenv->get_user();

	my ($userid, $ruid, $realm) =
	    PVE::AccessControl::verify_username($param->{userid});

	PVE::AccessControl::lock_user_config(
	    sub {

		my $usercfg = cfs_read_file("user.cfg");

		my $domain_cfg = cfs_read_file('domains.cfg');
		if (my $cfg = $domain_cfg->{ids}->{$realm}) {
		    my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
		    $plugin->delete_user($cfg, $realm, $ruid);
		}

		# Remove TFA data before removing the user entry as the user entry tells us whether
		# we need ot update priv/tfa.cfg.
		PVE::AccessControl::user_set_tfa($userid, $realm, undef, undef, $usercfg, $domain_cfg);

		delete $usercfg->{users}->{$userid};

		PVE::AccessControl::delete_user_group($userid, $usercfg);
		PVE::AccessControl::delete_user_acl($userid, $usercfg);
		cfs_write_file("user.cfg", $usercfg);
	    }, "delete user failed");

	return undef;
    }});

1;
Commit	Line	Data
2c3a6c0a DM	1	package PVE::API2::User;
	2
	3	use strict;
	4	use warnings;
37d45deb	5	use PVE::Exception qw(raise raise_perm_exc);
2c3a6c0a DM	6	use PVE::Cluster qw (cfs_read_file cfs_write_file);
	7	use PVE::Tools qw(split_list);
	8	use PVE::AccessControl;
3a5ae7a0	9	use PVE::JSONSchema qw(get_standard_option register_standard_option);
2c3a6c0a DM	10
	11	use PVE::SafeSyslog;
	12
2c3a6c0a DM	13	use PVE::RESTHandler;
	14
	15	use base qw(PVE::RESTHandler);
	16
3a5ae7a0 SI	17	register_standard_option('user-enable', {
	18	description => "Enable the account (default). You can set this to '0' to disable the account",
	19	type => 'boolean',
	20	optional => 1,
	21	default => 1,
	22	});
	23	register_standard_option('user-expire', {
	24	description => "Account expiration date (seconds since epoch). '0' means no expiration date.",
	25	type => 'integer',
	26	minimum => 0,
	27	optional => 1,
	28	});
	29	register_standard_option('user-firstname', { type => 'string', optional => 1 });
	30	register_standard_option('user-lastname', { type => 'string', optional => 1 });
	31	register_standard_option('user-email', { type => 'string', optional => 1, format => 'email-opt' });
	32	register_standard_option('user-comment', { type => 'string', optional => 1 });
	33	register_standard_option('user-keys', {
	34	description => "Keys for two factor auth (yubico).",
	35	type => 'string',
	36	optional => 1,
	37	});
	38	register_standard_option('group-list', {
	39	type => 'string', format => 'pve-groupid-list',
	40	optional => 1,
	41	completion => \&PVE::AccessControl::complete_group,
	42	});
	43
2c3a6c0a DM	44	my $extract_user_data = sub {
	45	my ($data, $full) = @_;
	46
	47	my $res = {};
	48
96f8ebd6	49	foreach my $prop (qw(enable expire firstname lastname email comment keys)) {
2c3a6c0a DM	50	$res->{$prop} = $data->{$prop} if defined($data->{$prop});
	51	}
	52
	53	return $res if !$full;
	54
	55	$res->{groups} = $data->{groups} ? [ keys %{$data->{groups}} ] : [];
	56
	57	return $res;
	58	};
	59
	60	__PACKAGE__->register_method ({
0a6e09fd PA	61	name => 'index',
0a6e09fd PA	62	path => '',
2c3a6c0a DM	63	method => 'GET',
2c3a6c0a DM	64	description => "User index.",
0a6e09fd	65	permissions => {
82b63965	66	description => "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.",
96919234 DM	67	user => 'all',
96919234 DM	68	},
2c3a6c0a DM	69	parameters => {
2c3a6c0a DM	70	additionalProperties => 0,
cb6f2f93 DM	71	properties => {
	72	enabled => {
	73	type => 'boolean',
	74	description => "Optional filter for enable property.",
	75	optional => 1,
	76	}
	77	},
2c3a6c0a DM	78	},
	79	returns => {
	80	type => 'array',
	81	items => {
	82	type => "object",
	83	properties => {
3a5ae7a0 SI	84	userid => get_standard_option('userid-completed'),
	85	enable => get_standard_option('user-enable'),
	86	expire => get_standard_option('user-expire'),
	87	firstname => get_standard_option('user-firstname'),
	88	lastname => get_standard_option('user-lastname'),
	89	email => get_standard_option('user-email'),
	90	comment => get_standard_option('user-comment'),
	91	keys => get_standard_option('user-keys'),
2c3a6c0a DM	92	},
	93	},
	94	links => [ { rel => 'child', href => "{userid}" } ],
	95	},
	96	code => sub {
	97	my ($param) = @_;
0a6e09fd	98
930dcfc8	99	my $rpcenv = PVE::RPCEnvironment::get();
37d45deb	100	my $usercfg = $rpcenv->{user_cfg};
930dcfc8 DM	101	my $authuser = $rpcenv->get_user();
930dcfc8 DM	102
2c3a6c0a DM	103	my $res = [];
2c3a6c0a DM	104
82b63965 DM	105	my $privs = [ 'User.Modify', 'Sys.Audit' ];
82b63965 DM	106	my $canUserMod = $rpcenv->check_any($authuser, "/access/groups", $privs, 1);
b9180ed2	107	my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
0a6e09fd	108	my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
37d45deb	109
2c3a6c0a	110	foreach my $user (keys %{$usercfg->{users}}) {
37d45deb DM	111
	112	if (!($canUserMod \|\| $user eq $authuser)) {
	113	next if !$allowed_users->{$user};
	114	}
930dcfc8	115
2c3a6c0a	116	my $entry = &$extract_user_data($usercfg->{users}->{$user});
cb6f2f93 DM	117
	118	if (defined($param->{enabled})) {
	119	next if $entry->{enable} && !$param->{enabled};
	120	next if !$entry->{enable} && $param->{enabled};
	121	}
	122
2c3a6c0a DM	123	$entry->{userid} = $user;
	124	push @$res, $entry;
	125	}
	126
	127	return $res;
	128	}});
	129
	130	__PACKAGE__->register_method ({
0a6e09fd	131	name => 'create_user',
2c3a6c0a	132	protected => 1,
0a6e09fd	133	path => '',
2c3a6c0a	134	method => 'POST',
0a6e09fd	135	permissions => {
82b63965 DM	136	description => "You need 'Realm.AllocateUser' on '/access/realm/<realm>' on the realm of user <userid>, and 'User.Modify' permissions to '/access/groups/<group>' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.",
	137	check => [ 'and',
	138	[ 'userid-param', 'Realm.AllocateUser'],
	139	[ 'userid-group', ['User.Modify'], groups_param => 1],
	140	],
96919234	141	},
2c3a6c0a DM	142	description => "Create new user.",
2c3a6c0a DM	143	parameters => {
0a6e09fd	144	additionalProperties => 0,
2c3a6c0a	145	properties => {
3a5ae7a0 SI	146	userid => get_standard_option('userid-completed'),
	147	enable => get_standard_option('user-enable'),
	148	expire => get_standard_option('user-expire'),
	149	firstname => get_standard_option('user-firstname'),
	150	lastname => get_standard_option('user-lastname'),
	151	email => get_standard_option('user-email'),
	152	comment => get_standard_option('user-comment'),
	153	keys => get_standard_option('user-keys'),
37d45deb DM	154	password => {
37d45deb DM	155	description => "Initial password.",
0a6e09fd PA	156	type => 'string',
	157	optional => 1,
	158	minLength => 5,
	159	maxLength => 64
37d45deb	160	},
3a5ae7a0	161	groups => get_standard_option('group-list'),
2c3a6c0a DM	162	},
	163	},
	164	returns => { type => 'null' },
	165	code => sub {
	166	my ($param) = @_;
	167
	168	PVE::AccessControl::lock_user_config(
	169	sub {
0a6e09fd	170
2c3a6c0a	171	my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
0a6e09fd	172
2c3a6c0a DM	173	my $usercfg = cfs_read_file("user.cfg");
2c3a6c0a DM	174
0a6e09fd	175	die "user '$username' already exists\n"
2c3a6c0a	176	if $usercfg->{users}->{$username};
0a6e09fd	177
2c3a6c0a	178	PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password})
fdb30a4c	179	if defined($param->{password});
2c3a6c0a DM	180
	181	my $enable = defined($param->{enable}) ? $param->{enable} : 1;
	182	$usercfg->{users}->{$username} = { enable => $enable };
	183	$usercfg->{users}->{$username}->{expire} = $param->{expire} if $param->{expire};
	184
	185	if ($param->{groups}) {
	186	foreach my $group (split_list($param->{groups})) {
	187	if ($usercfg->{groups}->{$group}) {
	188	PVE::AccessControl::add_user_group($username, $usercfg, $group);
	189	} else {
	190	die "no such group '$group'\n";
	191	}
	192	}
	193	}
	194
	195	$usercfg->{users}->{$username}->{firstname} = $param->{firstname} if $param->{firstname};
	196	$usercfg->{users}->{$username}->{lastname} = $param->{lastname} if $param->{lastname};
	197	$usercfg->{users}->{$username}->{email} = $param->{email} if $param->{email};
	198	$usercfg->{users}->{$username}->{comment} = $param->{comment} if $param->{comment};
96f8ebd6	199	$usercfg->{users}->{$username}->{keys} = $param->{keys} if $param->{keys};
2c3a6c0a DM	200
	201	cfs_write_file("user.cfg", $usercfg);
	202	}, "create user failed");
	203
	204	return undef;
	205	}});
	206
	207	__PACKAGE__->register_method ({
0a6e09fd PA	208	name => 'read_user',
0a6e09fd PA	209	path => '{userid}',
2c3a6c0a DM	210	method => 'GET',
2c3a6c0a DM	211	description => "Get user configuration.",
0a6e09fd	212	permissions => {
82b63965	213	check => ['userid-group', ['User.Modify', 'Sys.Audit']],
96919234	214	},
2c3a6c0a	215	parameters => {
0a6e09fd	216	additionalProperties => 0,
2c3a6c0a	217	properties => {
3a5ae7a0	218	userid => get_standard_option('userid-completed'),
2c3a6c0a DM	219	},
	220	},
	221	returns => {
0a6e09fd	222	additionalProperties => 0,
2c3a6c0a	223	properties => {
3a5ae7a0 SI	224	enable => get_standard_option('user-enable'),
	225	expire => get_standard_option('user-expire'),
	226	firstname => get_standard_option('user-firstname'),
	227	lastname => get_standard_option('user-lastname'),
	228	email => get_standard_option('user-email'),
	229	comment => get_standard_option('user-comment'),
	230	keys => get_standard_option('user-keys'),
2c3a6c0a	231	groups => { type => 'array' },
3a5ae7a0 SI	232	},
3a5ae7a0 SI	233	type => "object"
2c3a6c0a DM	234	},
	235	code => sub {
	236	my ($param) = @_;
	237
0a6e09fd	238	my ($username, undef, $domain) =
2c3a6c0a DM	239	PVE::AccessControl::verify_username($param->{userid});
	240
	241	my $usercfg = cfs_read_file("user.cfg");
2c3a6c0a	242
37d45deb	243	my $data = PVE::AccessControl::check_user_exist($usercfg, $username);
0a6e09fd	244
2c3a6c0a DM	245	return &$extract_user_data($data, 1);
	246	}});
	247
	248	__PACKAGE__->register_method ({
0a6e09fd	249	name => 'update_user',
2c3a6c0a	250	protected => 1,
0a6e09fd	251	path => '{userid}',
2c3a6c0a	252	method => 'PUT',
0a6e09fd	253	permissions => {
96919234 DM	254	check => ['userid-group', ['User.Modify'], groups_param => 1 ],
96919234 DM	255	},
2c3a6c0a DM	256	description => "Update user configuration.",
2c3a6c0a DM	257	parameters => {
0a6e09fd	258	additionalProperties => 0,
2c3a6c0a	259	properties => {
3a5ae7a0 SI	260	userid => get_standard_option('userid-completed'),
	261	enable => get_standard_option('user-enable'),
	262	expire => get_standard_option('user-expire'),
	263	firstname => get_standard_option('user-firstname'),
	264	lastname => get_standard_option('user-lastname'),
	265	email => get_standard_option('user-email'),
	266	comment => get_standard_option('user-comment'),
	267	keys => get_standard_option('user-keys'),
	268	groups => get_standard_option('group-list'),
0a6e09fd PA	269	append => {
0a6e09fd PA	270	type => 'boolean',
2c3a6c0a DM	271	optional => 1,
	272	requires => 'groups',
	273	},
2c3a6c0a DM	274	},
	275	},
	276	returns => { type => 'null' },
	277	code => sub {
	278	my ($param) = @_;
37d45deb	279
0a6e09fd	280	my ($username, $ruid, $realm) =
37d45deb	281	PVE::AccessControl::verify_username($param->{userid});
0a6e09fd	282
2c3a6c0a DM	283	PVE::AccessControl::lock_user_config(
2c3a6c0a DM	284	sub {
0a6e09fd	285
2c3a6c0a DM	286	my $usercfg = cfs_read_file("user.cfg");
2c3a6c0a DM	287
37d45deb	288	PVE::AccessControl::check_user_exist($usercfg, $username);
2c3a6c0a DM	289
	290	$usercfg->{users}->{$username}->{enable} = $param->{enable} if defined($param->{enable});
	291
	292	$usercfg->{users}->{$username}->{expire} = $param->{expire} if defined($param->{expire});
	293
0a6e09fd	294	PVE::AccessControl::delete_user_group($username, $usercfg)
e6521738	295	if (!$param->{append} && defined($param->{groups}));
2c3a6c0a DM	296
	297	if ($param->{groups}) {
	298	foreach my $group (split_list($param->{groups})) {
	299	if ($usercfg->{groups}->{$group}) {
	300	PVE::AccessControl::add_user_group($username, $usercfg, $group);
	301	} else {
	302	die "no such group '$group'\n";
	303	}
	304	}
	305	}
	306
	307	$usercfg->{users}->{$username}->{firstname} = $param->{firstname} if defined($param->{firstname});
	308	$usercfg->{users}->{$username}->{lastname} = $param->{lastname} if defined($param->{lastname});
	309	$usercfg->{users}->{$username}->{email} = $param->{email} if defined($param->{email});
	310	$usercfg->{users}->{$username}->{comment} = $param->{comment} if defined($param->{comment});
96f8ebd6	311	$usercfg->{users}->{$username}->{keys} = $param->{keys} if defined($param->{keys});
2c3a6c0a DM	312
	313	cfs_write_file("user.cfg", $usercfg);
	314	}, "update user failed");
0a6e09fd	315
2c3a6c0a DM	316	return undef;
	317	}});
	318
	319	__PACKAGE__->register_method ({
0a6e09fd	320	name => 'delete_user',
2c3a6c0a	321	protected => 1,
0a6e09fd	322	path => '{userid}',
2c3a6c0a DM	323	method => 'DELETE',
2c3a6c0a DM	324	description => "Delete user.",
0a6e09fd	325	permissions => {
82b63965 DM	326	check => [ 'and',
	327	[ 'userid-param', 'Realm.AllocateUser'],
	328	[ 'userid-group', ['User.Modify']],
	329	],
12683df7	330	},
2c3a6c0a	331	parameters => {
0a6e09fd	332	additionalProperties => 0,
2c3a6c0a	333	properties => {
3a5ae7a0	334	userid => get_standard_option('userid-completed'),
2c3a6c0a DM	335	}
	336	},
	337	returns => { type => 'null' },
	338	code => sub {
	339	my ($param) = @_;
0a6e09fd	340
37d45deb DM	341	my $rpcenv = PVE::RPCEnvironment::get();
	342	my $authuser = $rpcenv->get_user();
	343
0a6e09fd	344	my ($userid, $ruid, $realm) =
37d45deb	345	PVE::AccessControl::verify_username($param->{userid});
2c3a6c0a DM	346
	347	PVE::AccessControl::lock_user_config(
	348	sub {
	349
2c3a6c0a DM	350	my $usercfg = cfs_read_file("user.cfg");
2c3a6c0a DM	351
5bb4e06a DM	352	my $domain_cfg = cfs_read_file('domains.cfg');
	353	if (my $cfg = $domain_cfg->{ids}->{$realm}) {
	354	my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
	355	$plugin->delete_user($cfg, $realm, $ruid);
	356	}
2c3a6c0a	357
9536c4dc WB	358	# Remove TFA data before removing the user entry as the user entry tells us whether
	359	# we need ot update priv/tfa.cfg.
	360	PVE::AccessControl::user_set_tfa($userid, $realm, undef, undef, $usercfg, $domain_cfg);
	361
5bb4e06a	362	delete $usercfg->{users}->{$userid};
37d45deb DM	363
	364	PVE::AccessControl::delete_user_group($userid, $usercfg);
	365	PVE::AccessControl::delete_user_acl($userid, $usercfg);
2c3a6c0a DM	366	cfs_write_file("user.cfg", $usercfg);
2c3a6c0a DM	367	}, "delete user failed");
0a6e09fd	368
2c3a6c0a DM	369	return undef;
	370	}});
	371
	372	1;