]> git.proxmox.com Git - pve-access-control.git/blame - src/PVE/API2/User.pm
projects / pve-access-control.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
api: users: s/realmtype/realm-type/ in response
[pve-access-control.git] / src / PVE / API2 / User.pm
CommitLineData
2c3a6c0a
DM		 1package PVE::API2::User;
2
3use strict;
4use warnings;
4e4c8d40 5use PVE::Exception qw(raise raise_perm_exc raise_param_exc);
2c3a6c0a 6use PVE::Cluster qw (cfs_read_file cfs_write_file);
4e4c8d40 7use PVE::Tools qw(split_list extract_param);
2c3a6c0a 8use PVE::AccessControl;
3a5ae7a0 9use PVE::JSONSchema qw(get_standard_option register_standard_option);
4e4c8d40 10use PVE::TokenConfig;
2c3a6c0a
DM		 11
12use PVE::SafeSyslog;
13
2c3a6c0a
DM		 14use PVE::RESTHandler;
15
16use base qw(PVE::RESTHandler);
17
3a5ae7a0
SI		 18register_standard_option('user-enable', {
19 description => "Enable the account (default). You can set this to '0' to disable the account",
20 type => 'boolean',
21 optional => 1,
22 default => 1,
23});
24register_standard_option('user-expire', {
25 description => "Account expiration date (seconds since epoch). '0' means no expiration date.",
26 type => 'integer',
27 minimum => 0,
28 optional => 1,
29});
30register_standard_option('user-firstname', { type => 'string', optional => 1 });
31register_standard_option('user-lastname', { type => 'string', optional => 1 });
32register_standard_option('user-email', { type => 'string', optional => 1, format => 'email-opt' });
33register_standard_option('user-comment', { type => 'string', optional => 1 });
34register_standard_option('user-keys', {
35 description => "Keys for two factor auth (yubico).",
36 type => 'string',
37 optional => 1,
38});
39register_standard_option('group-list', {
40 type => 'string', format => 'pve-groupid-list',
41 optional => 1,
42 completion => \&PVE::AccessControl::complete_group,
43});
4e4c8d40
FG		 44register_standard_option('token-subid', {
45 type => 'string',
46 pattern => $PVE::AccessControl::token_subid_regex,
47 description => 'User-specific token identifier.',
48});
49register_standard_option('token-expire', {
50 description => "API token expiration date (seconds since epoch). '0' means no expiration date.",
51 type => 'integer',
52 minimum => 0,
53 optional => 1,
b974bdc0 54 default => 'same as user',
4e4c8d40
FG		 55});
56register_standard_option('token-privsep', {
57 description => "Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.",
58 type => 'boolean',
59 optional => 1,
60 default => 1,
61});
62register_standard_option('token-comment', { type => 'string', optional => 1 });
63register_standard_option('token-info', {
64 type => 'object',
65 properties => {
66 expire => get_standard_option('token-expire'),
67 privsep => get_standard_option('token-privsep'),
68 comment => get_standard_option('token-comment'),
69 }
70});
71
72my $token_info_extend = sub {
73 my ($props) = @_;
74
75 my $obj = get_standard_option('token-info');
76 my $base_props = $obj->{properties};
77 $obj->{properties} = {};
78
79 foreach my $prop (keys %$base_props) {
80 $obj->{properties}->{$prop} = $base_props->{$prop};
81 }
82
83 foreach my $add_prop (keys %$props) {
84 $obj->{properties}->{$add_prop} = $props->{$add_prop};
85 }
86
87 return $obj;
88};
3a5ae7a0 89
2c3a6c0a
DM		 90my $extract_user_data = sub {
91 my ($data, $full) = @_;
92
93 my $res = {};
94
96f8ebd6 95 foreach my $prop (qw(enable expire firstname lastname email comment keys)) {
2c3a6c0a
DM		 96 $res->{$prop} = $data->{$prop} if defined($data->{$prop});
97 }
98
99 return $res if !$full;
100
101 $res->{groups} = $data->{groups} ? [ keys %{$data->{groups}} ] : [];
4e4c8d40 102 $res->{tokens} = $data->{tokens};
2c3a6c0a
DM		 103
104 return $res;
105};
106
107__PACKAGE__->register_method ({
0a6e09fd
PA		 108 name => 'index',
109 path => '',
2c3a6c0a
DM		 110 method => 'GET',
111 description => "User index.",
0a6e09fd 112 permissions => {
82b63965 113 description => "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.",
96919234
DM		 114 user => 'all',
115 },
2c3a6c0a
DM		 116 parameters => {
117 additionalProperties => 0,
cb6f2f93
DM		 118 properties => {
119 enabled => {
120 type => 'boolean',
121 description => "Optional filter for enable property.",
122 optional => 1,
3a4ed527
FG		 123 },
124 full => {
125 type => 'boolean',
126 description => "Include group and token information.",
127 optional => 1,
128 default => 0,
cb6f2f93
DM		 129 }
130 },
2c3a6c0a
DM		 131 },
132 returns => {
133 type => 'array',
134 items => {
135 type => "object",
136 properties => {
3a5ae7a0
SI		 137 userid => get_standard_option('userid-completed'),
138 enable => get_standard_option('user-enable'),
139 expire => get_standard_option('user-expire'),
140 firstname => get_standard_option('user-firstname'),
141 lastname => get_standard_option('user-lastname'),
142 email => get_standard_option('user-email'),
143 comment => get_standard_option('user-comment'),
144 keys => get_standard_option('user-keys'),
3a4ed527
FG		 145 groups => get_standard_option('group-list'),
146 tokens => {
147 type => 'array',
148 optional => 1,
149 items => $token_info_extend->({
150 tokenid => get_standard_option('token-subid'),
151 }),
8bb59c26 152 },
3f6023f5
TL		 153 'realm-type' => {
154 type => 'string', format => 'pve-realm',
8bb59c26 155 description => 'The type of the users realm',
3f6023f5 156 optional => 1, # it should always be there, but we use conditional code below, so..
8bb59c26 157 },
2c3a6c0a
DM		 158 },
159 },
160 links => [ { rel => 'child', href => "{userid}" } ],
161 },
162 code => sub {
163 my ($param) = @_;
0a6e09fd 164
930dcfc8 165 my $rpcenv = PVE::RPCEnvironment::get();
37d45deb 166 my $usercfg = $rpcenv->{user_cfg};
930dcfc8
DM		 167 my $authuser = $rpcenv->get_user();
168
8bb59c26
DC		 169 my $domainscfg = cfs_read_file('domains.cfg');
170 my $domainids = $domainscfg->{ids};
171
2c3a6c0a
DM		 172 my $res = [];
173
82b63965
DM		 174 my $privs = [ 'User.Modify', 'Sys.Audit' ];
175 my $canUserMod = $rpcenv->check_any($authuser, "/access/groups", $privs, 1);
b9180ed2 176 my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
0a6e09fd 177 my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
37d45deb 178
2c3a6c0a 179 foreach my $user (keys %{$usercfg->{users}}) {
37d45deb
DM		 180 if (!($canUserMod || $user eq $authuser)) {
181 next if !$allowed_users->{$user};
182 }
930dcfc8 183
3a4ed527 184 my $entry = &$extract_user_data($usercfg->{users}->{$user}, $param->{full});
cb6f2f93
DM		 185
186 if (defined($param->{enabled})) {
187 next if $entry->{enable} && !$param->{enabled};
188 next if !$entry->{enable} && $param->{enabled};
189 }
190
3a4ed527
FG		 191 $entry->{groups} = join(',', @{$entry->{groups}}) if $entry->{groups};
192 $entry->{tokens} = [ map { { tokenid => $_, %{$entry->{tokens}->{$_}} } } sort keys %{$entry->{tokens}} ]
193 if defined($entry->{tokens});
194
8bb59c26 195 my (undef, undef, $realm) = PVE::AccessControl::verify_username($user, 1);
3f6023f5
TL		 196 if (defined($realm) && exists($domainids->{$realm})) {
197 $entry->{'realm-type'} = $domainids->{$realm}->{type};
8bb59c26
DC		 198 }
199
2c3a6c0a
DM		 200 $entry->{userid} = $user;
201 push @$res, $entry;
202 }
203
204 return $res;
205 }});
206
207__PACKAGE__->register_method ({
0a6e09fd 208 name => 'create_user',
2c3a6c0a 209 protected => 1,
0a6e09fd 210 path => '',
2c3a6c0a 211 method => 'POST',
0a6e09fd 212 permissions => {
82b63965
DM		 213 description => "You need 'Realm.AllocateUser' on '/access/realm/<realm>' on the realm of user <userid>, and 'User.Modify' permissions to '/access/groups/<group>' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.",
214 check => [ 'and',
215 [ 'userid-param', 'Realm.AllocateUser'],
216 [ 'userid-group', ['User.Modify'], groups_param => 1],
217 ],
96919234 218 },
2c3a6c0a
DM		 219 description => "Create new user.",
220 parameters => {
0a6e09fd 221 additionalProperties => 0,
2c3a6c0a 222 properties => {
3a5ae7a0
SI		 223 userid => get_standard_option('userid-completed'),
224 enable => get_standard_option('user-enable'),
225 expire => get_standard_option('user-expire'),
226 firstname => get_standard_option('user-firstname'),
227 lastname => get_standard_option('user-lastname'),
228 email => get_standard_option('user-email'),
229 comment => get_standard_option('user-comment'),
230 keys => get_standard_option('user-keys'),
37d45deb
DM		 231 password => {
232 description => "Initial password.",
0a6e09fd
PA		 233 type => 'string',
234 optional => 1,
235 minLength => 5,
236 maxLength => 64
37d45deb 237 },
3a5ae7a0 238 groups => get_standard_option('group-list'),
2c3a6c0a
DM		 239 },
240 },
241 returns => { type => 'null' },
242 code => sub {
243 my ($param) = @_;
244
2dd1e1d4
TL		 245 PVE::AccessControl::lock_user_config(sub {
246 my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
0a6e09fd 247
2dd1e1d4 248 my $usercfg = cfs_read_file("user.cfg");
0a6e09fd 249
f335d265
TL		 250 # ensure "user exists" check works for case insensitive realms
251 $username = PVE::AccessControl::lookup_username($username, 1);
252 die "user '$username' already exists\n" if $usercfg->{users}->{$username};
2c3a6c0a 253
2dd1e1d4
TL		 254 PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password})
255 if defined($param->{password});
0a6e09fd 256
2dd1e1d4
TL		 257 my $enable = defined($param->{enable}) ? $param->{enable} : 1;
258 $usercfg->{users}->{$username} = { enable => $enable };
259 $usercfg->{users}->{$username}->{expire} = $param->{expire} if $param->{expire};
2c3a6c0a 260
2dd1e1d4
TL		 261 if ($param->{groups}) {
262 foreach my $group (split_list($param->{groups})) {
263 if ($usercfg->{groups}->{$group}) {
264 PVE::AccessControl::add_user_group($username, $usercfg, $group);
265 } else {
266 die "no such group '$group'\n";
2c3a6c0a
DM		 267 }
268 }
2dd1e1d4 269 }
2c3a6c0a 270
2dd1e1d4
TL		 271 $usercfg->{users}->{$username}->{firstname} = $param->{firstname} if $param->{firstname};
272 $usercfg->{users}->{$username}->{lastname} = $param->{lastname} if $param->{lastname};
273 $usercfg->{users}->{$username}->{email} = $param->{email} if $param->{email};
274 $usercfg->{users}->{$username}->{comment} = $param->{comment} if $param->{comment};
275 $usercfg->{users}->{$username}->{keys} = $param->{keys} if $param->{keys};
2c3a6c0a 276
2dd1e1d4
TL		 277 cfs_write_file("user.cfg", $usercfg);
278 }, "create user failed");
2c3a6c0a
DM		 279
280 return undef;
281 }});
282
283__PACKAGE__->register_method ({
0a6e09fd
PA		 284 name => 'read_user',
285 path => '{userid}',
2c3a6c0a
DM		 286 method => 'GET',
287 description => "Get user configuration.",
0a6e09fd 288 permissions => {
82b63965 289 check => ['userid-group', ['User.Modify', 'Sys.Audit']],
96919234 290 },
2c3a6c0a 291 parameters => {
0a6e09fd 292 additionalProperties => 0,
2c3a6c0a 293 properties => {
3a5ae7a0 294 userid => get_standard_option('userid-completed'),
2c3a6c0a
DM		 295 },
296 },
297 returns => {
0a6e09fd 298 additionalProperties => 0,
2c3a6c0a 299 properties => {
3a5ae7a0
SI		 300 enable => get_standard_option('user-enable'),
301 expire => get_standard_option('user-expire'),
302 firstname => get_standard_option('user-firstname'),
303 lastname => get_standard_option('user-lastname'),
304 email => get_standard_option('user-email'),
305 comment => get_standard_option('user-comment'),
306 keys => get_standard_option('user-keys'),
4e4c8d40
FG		 307 groups => {
308 type => 'array',
72c4589c 309 optional => 1,
4e4c8d40
FG		 310 items => {
311 type => 'string',
312 format => 'pve-groupid',
313 },
314 },
315 tokens => {
72c4589c 316 optional => 1,
4e4c8d40
FG		 317 type => 'object',
318 },
3a5ae7a0
SI		 319 },
320 type => "object"
2c3a6c0a
DM		 321 },
322 code => sub {
323 my ($param) = @_;
324
0a6e09fd 325 my ($username, undef, $domain) =
2c3a6c0a
DM		 326 PVE::AccessControl::verify_username($param->{userid});
327
328 my $usercfg = cfs_read_file("user.cfg");
2c3a6c0a 329
37d45deb 330 my $data = PVE::AccessControl::check_user_exist($usercfg, $username);
0a6e09fd 331
2c3a6c0a
DM		 332 return &$extract_user_data($data, 1);
333 }});
334
335__PACKAGE__->register_method ({
0a6e09fd 336 name => 'update_user',
2c3a6c0a 337 protected => 1,
0a6e09fd 338 path => '{userid}',
2c3a6c0a 339 method => 'PUT',
0a6e09fd 340 permissions => {
96919234
DM		 341 check => ['userid-group', ['User.Modify'], groups_param => 1 ],
342 },
2c3a6c0a
DM		 343 description => "Update user configuration.",
344 parameters => {
0a6e09fd 345 additionalProperties => 0,
2c3a6c0a 346 properties => {
3a5ae7a0
SI		 347 userid => get_standard_option('userid-completed'),
348 enable => get_standard_option('user-enable'),
349 expire => get_standard_option('user-expire'),
350 firstname => get_standard_option('user-firstname'),
351 lastname => get_standard_option('user-lastname'),
352 email => get_standard_option('user-email'),
353 comment => get_standard_option('user-comment'),
354 keys => get_standard_option('user-keys'),
355 groups => get_standard_option('group-list'),
0a6e09fd
PA		 356 append => {
357 type => 'boolean',
2c3a6c0a
DM		 358 optional => 1,
359 requires => 'groups',
360 },
2c3a6c0a
DM		 361 },
362 },
363 returns => { type => 'null' },
364 code => sub {
365 my ($param) = @_;
37d45deb 366
0a6e09fd 367 my ($username, $ruid, $realm) =
37d45deb 368 PVE::AccessControl::verify_username($param->{userid});
0a6e09fd 369
2c3a6c0a
DM		 370 PVE::AccessControl::lock_user_config(
371 sub {
0a6e09fd 372
2c3a6c0a
DM		 373 my $usercfg = cfs_read_file("user.cfg");
374
37d45deb 375 PVE::AccessControl::check_user_exist($usercfg, $username);
2c3a6c0a
DM		 376
377 $usercfg->{users}->{$username}->{enable} = $param->{enable} if defined($param->{enable});
378
379 $usercfg->{users}->{$username}->{expire} = $param->{expire} if defined($param->{expire});
380
0a6e09fd 381 PVE::AccessControl::delete_user_group($username, $usercfg)
e6521738 382 if (!$param->{append} && defined($param->{groups}));
2c3a6c0a
DM		 383
384 if ($param->{groups}) {
385 foreach my $group (split_list($param->{groups})) {
386 if ($usercfg->{groups}->{$group}) {
387 PVE::AccessControl::add_user_group($username, $usercfg, $group);
388 } else {
389 die "no such group '$group'\n";
390 }
391 }
392 }
393
394 $usercfg->{users}->{$username}->{firstname} = $param->{firstname} if defined($param->{firstname});
395 $usercfg->{users}->{$username}->{lastname} = $param->{lastname} if defined($param->{lastname});
396 $usercfg->{users}->{$username}->{email} = $param->{email} if defined($param->{email});
397 $usercfg->{users}->{$username}->{comment} = $param->{comment} if defined($param->{comment});
96f8ebd6 398 $usercfg->{users}->{$username}->{keys} = $param->{keys} if defined($param->{keys});
2c3a6c0a
DM		 399
400 cfs_write_file("user.cfg", $usercfg);
401 }, "update user failed");
0a6e09fd 402
2c3a6c0a
DM		 403 return undef;
404 }});
405
406__PACKAGE__->register_method ({
0a6e09fd 407 name => 'delete_user',
2c3a6c0a 408 protected => 1,
0a6e09fd 409 path => '{userid}',
2c3a6c0a
DM		 410 method => 'DELETE',
411 description => "Delete user.",
0a6e09fd 412 permissions => {
82b63965
DM		 413 check => [ 'and',
414 [ 'userid-param', 'Realm.AllocateUser'],
415 [ 'userid-group', ['User.Modify']],
416 ],
12683df7 417 },
2c3a6c0a 418 parameters => {
0a6e09fd 419 additionalProperties => 0,
2c3a6c0a 420 properties => {
3a5ae7a0 421 userid => get_standard_option('userid-completed'),
2c3a6c0a
DM		 422 }
423 },
424 returns => { type => 'null' },
425 code => sub {
426 my ($param) = @_;
0a6e09fd 427
37d45deb
DM		 428 my $rpcenv = PVE::RPCEnvironment::get();
429 my $authuser = $rpcenv->get_user();
430
0a6e09fd 431 my ($userid, $ruid, $realm) =
37d45deb 432 PVE::AccessControl::verify_username($param->{userid});
2c3a6c0a
DM		 433
434 PVE::AccessControl::lock_user_config(
435 sub {
436
2c3a6c0a
DM		 437 my $usercfg = cfs_read_file("user.cfg");
438
5bb4e06a
DM		 439 my $domain_cfg = cfs_read_file('domains.cfg');
440 if (my $cfg = $domain_cfg->{ids}->{$realm}) {
441 my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
442 $plugin->delete_user($cfg, $realm, $ruid);
443 }
2c3a6c0a 444
9536c4dc
WB		 445 # Remove TFA data before removing the user entry as the user entry tells us whether
446 # we need ot update priv/tfa.cfg.
447 PVE::AccessControl::user_set_tfa($userid, $realm, undef, undef, $usercfg, $domain_cfg);
448
5bb4e06a 449 delete $usercfg->{users}->{$userid};
37d45deb
DM		 450
451 PVE::AccessControl::delete_user_group($userid, $usercfg);
452 PVE::AccessControl::delete_user_acl($userid, $usercfg);
2c3a6c0a
DM		 453 cfs_write_file("user.cfg", $usercfg);
454 }, "delete user failed");
0a6e09fd 455
2c3a6c0a
DM		 456 return undef;
457 }});
458
e51988b4
DC		 459__PACKAGE__->register_method ({
460 name => 'read_user_tfa_type',
461 path => '{userid}/tfa',
462 method => 'GET',
463 protected => 1,
464 description => "Get user TFA types (Personal and Realm).",
465 permissions => {
466 check => [ 'or',
467 ['userid-param', 'self'],
468 ['userid-group', ['User.Modify', 'Sys.Audit']],
469 ],
470 },
471 parameters => {
472 additionalProperties => 0,
473 properties => {
474 userid => get_standard_option('userid-completed'),
475 },
476 },
477 returns => {
478 additionalProperties => 0,
479 properties => {
480 realm => {
481 type => 'string',
482 enum => [qw(oath yubico)],
483 description => "The type of TFA the users realm has set, if any.",
484 optional => 1,
485 },
486 user => {
487 type => 'string',
488 enum => [qw(oath u2f)],
489 description => "The type of TFA the user has set, if any.",
490 optional => 1,
491 },
492 },
493 type => "object"
494 },
495 code => sub {
496 my ($param) = @_;
497
498 my ($username, undef, $realm) = PVE::AccessControl::verify_username($param->{userid});
499
500
501 my $domain_cfg = cfs_read_file('domains.cfg');
502 my $realm_cfg = $domain_cfg->{ids}->{$realm};
503 die "auth domain '$realm' does not exist\n" if !$realm_cfg;
504
505 my $realm_tfa = {};
506 $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_cfg->{tfa})
507 if $realm_cfg->{tfa};
508
509 my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
510 my $tfa = $tfa_cfg->{users}->{$username};
511
512 my $res = {};
513 $res->{realm} = $realm_tfa->{type} if $realm_tfa->{type};
514 $res->{user} = $tfa->{type} if $tfa->{type};
515 return $res;
516 }});
517
4e4c8d40
FG		 518__PACKAGE__->register_method ({
519 name => 'token_index',
520 path => '{userid}/token',
521 method => 'GET',
522 description => "Get user API tokens.",
523 permissions => {
524 check => ['or',
525 ['userid-param', 'self'],
526 ['perm', '/access/users/{userid}', ['User.Modify']],
527 ],
528 },
529 parameters => {
530 additionalProperties => 0,
531 properties => {
532 userid => get_standard_option('userid-completed'),
533 },
534 },
535 returns => {
536 type => "array",
537 items => $token_info_extend->({
538 tokenid => get_standard_option('token-subid'),
539 }),
540 links => [ { rel => 'child', href => "{tokenid}" } ],
541 },
542 code => sub {
543 my ($param) = @_;
544
545 my $userid = PVE::AccessControl::verify_username($param->{userid});
546 my $usercfg = cfs_read_file("user.cfg");
547
548 my $user = PVE::AccessControl::check_user_exist($usercfg, $userid);
549
550 my $tokens = $user->{tokens} // {};
551 return [ map { $tokens->{$_}->{tokenid} = $_; $tokens->{$_} } keys %$tokens];
552 }});
553
554__PACKAGE__->register_method ({
555 name => 'read_token',
556 path => '{userid}/token/{tokenid}',
557 method => 'GET',
558 description => "Get specific API token information.",
559 permissions => {
560 check => ['or',
561 ['userid-param', 'self'],
562 ['perm', '/access/users/{userid}', ['User.Modify']],
563 ],
564 },
565 parameters => {
566 additionalProperties => 0,
567 properties => {
568 userid => get_standard_option('userid-completed'),
569 tokenid => get_standard_option('token-subid'),
570 },
571 },
572 returns => get_standard_option('token-info'),
573 code => sub {
574 my ($param) = @_;
575
576 my $userid = PVE::AccessControl::verify_username($param->{userid});
577 my $tokenid = $param->{tokenid};
578
579 my $usercfg = cfs_read_file("user.cfg");
580
581 return PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
582 }});
583
584__PACKAGE__->register_method ({
585 name => 'generate_token',
586 path => '{userid}/token/{tokenid}',
587 method => 'POST',
588 description => "Generate a new API token for a specific user. NOTE: returns API token value, which needs to be stored as it cannot be retrieved afterwards!",
589 protected => 1,
590 permissions => {
591 check => ['or',
592 ['userid-param', 'self'],
593 ['perm', '/access/users/{userid}', ['User.Modify']],
594 ],
595 },
596 parameters => {
597 additionalProperties => 0,
598 properties => {
599 userid => get_standard_option('userid-completed'),
600 tokenid => get_standard_option('token-subid'),
601 expire => get_standard_option('token-expire'),
602 privsep => get_standard_option('token-privsep'),
603 comment => get_standard_option('token-comment'),
604 },
605 },
606 returns => {
607 additionalProperties => 0,
608 type => "object",
609 properties => {
610 info => get_standard_option('token-info'),
611 value => {
612 type => 'string',
613 description => 'API token value used for authentication.',
614 },
77bfb48e
TL		 615 'full-tokenid' => {
616 type => 'string',
617 format_description => '<userid>!<tokenid>',
618 description => 'The full token id.',
619 },
4e4c8d40
FG		 620 },
621 },
622 code => sub {
623 my ($param) = @_;
624
625 my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
626 my $tokenid = extract_param($param, 'tokenid');
627
628 my $usercfg = cfs_read_file("user.cfg");
629
630 my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid, 1);
77bfb48e 631 my ($full_tokenid, $value);
4e4c8d40
FG		 632
633 PVE::AccessControl::check_user_exist($usercfg, $userid);
634 raise_param_exc({ 'tokenid' => 'Token already exists.' }) if defined($token);
635
636 my $generate_and_add_token = sub {
637 $usercfg = cfs_read_file("user.cfg");
638 PVE::AccessControl::check_user_exist($usercfg, $userid);
639 die "Token already exists.\n" if defined(PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid, 1));
640
77bfb48e 641 $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
4e4c8d40
FG		 642 $value = PVE::TokenConfig::generate_token($full_tokenid);
643
644 $token = {};
645 $token->{privsep} = defined($param->{privsep}) ? $param->{privsep} : 1;
646 $token->{expire} = $param->{expire} if defined($param->{expire});
647 $token->{comment} = $param->{comment} if $param->{comment};
648
649 $usercfg->{users}->{$userid}->{tokens}->{$tokenid} = $token;
650 cfs_write_file("user.cfg", $usercfg);
651 };
652
653 PVE::AccessControl::lock_user_config($generate_and_add_token, 'generating token failed');
654
77bfb48e
TL		 655 return {
656 info => $token,
657 value => $value,
658 'full-tokenid' => $full_tokenid,
659 };
4e4c8d40
FG		 660 }});
661
662
663__PACKAGE__->register_method ({
664 name => 'update_token_info',
665 path => '{userid}/token/{tokenid}',
666 method => 'PUT',
667 description => "Update API token for a specific user.",
668 protected => 1,
669 permissions => {
670 check => ['or',
671 ['userid-param', 'self'],
672 ['perm', '/access/users/{userid}', ['User.Modify']],
673 ],
674 },
675 parameters => {
676 additionalProperties => 0,
677 properties => {
678 userid => get_standard_option('userid-completed'),
679 tokenid => get_standard_option('token-subid'),
680 expire => get_standard_option('token-expire'),
681 privsep => get_standard_option('token-privsep'),
682 comment => get_standard_option('token-comment'),
683 },
684 },
685 returns => get_standard_option('token-info', { description => "Updated token information." }),
686 code => sub {
687 my ($param) = @_;
688
689 my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
690 my $tokenid = extract_param($param, 'tokenid');
691
692 my $usercfg = cfs_read_file("user.cfg");
693 my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
694
695 my $update_token = sub {
696 $usercfg = cfs_read_file("user.cfg");
697 $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
698
699 my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
700
701 $token->{privsep} = $param->{privsep} if defined($param->{privsep});
702 $token->{expire} = $param->{expire} if defined($param->{expire});
703 $token->{comment} = $param->{comment} if $param->{comment};
704
705 $usercfg->{users}->{$userid}->{tokens}->{$tokenid} = $token;
706 cfs_write_file("user.cfg", $usercfg);
707 };
708
709 PVE::AccessControl::lock_user_config($update_token, 'updating token info failed');
710
711 return $token;
712 }});
713
714
715__PACKAGE__->register_method ({
716 name => 'remove_token',
717 path => '{userid}/token/{tokenid}',
718 method => 'DELETE',
719 description => "Remove API token for a specific user.",
720 protected => 1,
721 permissions => {
722 check => ['or',
723 ['userid-param', 'self'],
724 ['perm', '/access/users/{userid}', ['User.Modify']],
725 ],
726 },
727 parameters => {
728 additionalProperties => 0,
729 properties => {
730 userid => get_standard_option('userid-completed'),
731 tokenid => get_standard_option('token-subid'),
732 },
733 },
734 returns => { type => 'null' },
735 code => sub {
736 my ($param) = @_;
737
738 my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
739 my $tokenid = extract_param($param, 'tokenid');
740
741 my $usercfg = cfs_read_file("user.cfg");
742 my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
743
744 my $update_token = sub {
745 $usercfg = cfs_read_file("user.cfg");
746
747 PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
748
749 my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
750 PVE::TokenConfig::delete_token($full_tokenid);
751 delete $usercfg->{users}->{$userid}->{tokens}->{$tokenid};
752
753 cfs_write_file("user.cfg", $usercfg);
754 };
755
756 PVE::AccessControl::lock_user_config($update_token, 'deleting token failed');
757
758 return;
759 }});
2c3a6c0a 7601;
Access control framework