]> git.proxmox.com Git - pve-access-control.git/blame - src/PVE/API2/User.pm
projects / pve-access-control.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
api: users: use public regex directly to parse out realm
[pve-access-control.git] / src / PVE / API2 / User.pm
CommitLineData
2c3a6c0a
DM		 1package PVE::API2::User;
2
3use strict;
4use warnings;
525a931b 5
4e4c8d40 6use PVE::Exception qw(raise raise_perm_exc raise_param_exc);
2c3a6c0a 7use PVE::Cluster qw (cfs_read_file cfs_write_file);
4e4c8d40 8use PVE::Tools qw(split_list extract_param);
3a5ae7a0 9use PVE::JSONSchema qw(get_standard_option register_standard_option);
2c3a6c0a
DM		 10use PVE::SafeSyslog;
11
525a931b 12use PVE::AccessControl;
d658d04a 13use PVE::Auth::Plugin;
525a931b
TL		 14use PVE::TokenConfig;
15
2c3a6c0a
DM		 16use PVE::RESTHandler;
17
18use base qw(PVE::RESTHandler);
19
3a5ae7a0
SI		 20register_standard_option('user-enable', {
21 description => "Enable the account (default). You can set this to '0' to disable the account",
22 type => 'boolean',
23 optional => 1,
24 default => 1,
25});
26register_standard_option('user-expire', {
27 description => "Account expiration date (seconds since epoch). '0' means no expiration date.",
28 type => 'integer',
29 minimum => 0,
30 optional => 1,
31});
32register_standard_option('user-firstname', { type => 'string', optional => 1 });
33register_standard_option('user-lastname', { type => 'string', optional => 1 });
34register_standard_option('user-email', { type => 'string', optional => 1, format => 'email-opt' });
35register_standard_option('user-comment', { type => 'string', optional => 1 });
36register_standard_option('user-keys', {
37 description => "Keys for two factor auth (yubico).",
38 type => 'string',
39 optional => 1,
40});
41register_standard_option('group-list', {
42 type => 'string', format => 'pve-groupid-list',
43 optional => 1,
44 completion => \&PVE::AccessControl::complete_group,
45});
4e4c8d40
FG		 46register_standard_option('token-subid', {
47 type => 'string',
48 pattern => $PVE::AccessControl::token_subid_regex,
49 description => 'User-specific token identifier.',
50});
51register_standard_option('token-expire', {
52 description => "API token expiration date (seconds since epoch). '0' means no expiration date.",
53 type => 'integer',
54 minimum => 0,
55 optional => 1,
b974bdc0 56 default => 'same as user',
4e4c8d40
FG		 57});
58register_standard_option('token-privsep', {
59 description => "Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.",
60 type => 'boolean',
61 optional => 1,
62 default => 1,
63});
64register_standard_option('token-comment', { type => 'string', optional => 1 });
65register_standard_option('token-info', {
66 type => 'object',
67 properties => {
68 expire => get_standard_option('token-expire'),
69 privsep => get_standard_option('token-privsep'),
70 comment => get_standard_option('token-comment'),
71 }
72});
73
74my $token_info_extend = sub {
75 my ($props) = @_;
76
77 my $obj = get_standard_option('token-info');
78 my $base_props = $obj->{properties};
79 $obj->{properties} = {};
80
81 foreach my $prop (keys %$base_props) {
82 $obj->{properties}->{$prop} = $base_props->{$prop};
83 }
84
85 foreach my $add_prop (keys %$props) {
86 $obj->{properties}->{$add_prop} = $props->{$add_prop};
87 }
88
89 return $obj;
90};
3a5ae7a0 91
2c3a6c0a
DM		 92my $extract_user_data = sub {
93 my ($data, $full) = @_;
94
95 my $res = {};
96
96f8ebd6 97 foreach my $prop (qw(enable expire firstname lastname email comment keys)) {
2c3a6c0a
DM		 98 $res->{$prop} = $data->{$prop} if defined($data->{$prop});
99 }
100
101 return $res if !$full;
102
103 $res->{groups} = $data->{groups} ? [ keys %{$data->{groups}} ] : [];
4e4c8d40 104 $res->{tokens} = $data->{tokens};
2c3a6c0a
DM		 105
106 return $res;
107};
108
109__PACKAGE__->register_method ({
0a6e09fd
PA		 110 name => 'index',
111 path => '',
2c3a6c0a
DM		 112 method => 'GET',
113 description => "User index.",
0a6e09fd 114 permissions => {
82b63965 115 description => "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.",
96919234
DM		 116 user => 'all',
117 },
2c3a6c0a
DM		 118 parameters => {
119 additionalProperties => 0,
cb6f2f93
DM		 120 properties => {
121 enabled => {
122 type => 'boolean',
123 description => "Optional filter for enable property.",
124 optional => 1,
3a4ed527
FG		 125 },
126 full => {
127 type => 'boolean',
128 description => "Include group and token information.",
129 optional => 1,
130 default => 0,
cb6f2f93
DM		 131 }
132 },
2c3a6c0a
DM		 133 },
134 returns => {
135 type => 'array',
136 items => {
137 type => "object",
138 properties => {
3a5ae7a0
SI		 139 userid => get_standard_option('userid-completed'),
140 enable => get_standard_option('user-enable'),
141 expire => get_standard_option('user-expire'),
142 firstname => get_standard_option('user-firstname'),
143 lastname => get_standard_option('user-lastname'),
144 email => get_standard_option('user-email'),
145 comment => get_standard_option('user-comment'),
146 keys => get_standard_option('user-keys'),
3a4ed527
FG		 147 groups => get_standard_option('group-list'),
148 tokens => {
149 type => 'array',
150 optional => 1,
151 items => $token_info_extend->({
152 tokenid => get_standard_option('token-subid'),
153 }),
8bb59c26 154 },
3f6023f5
TL		 155 'realm-type' => {
156 type => 'string', format => 'pve-realm',
8bb59c26 157 description => 'The type of the users realm',
3f6023f5 158 optional => 1, # it should always be there, but we use conditional code below, so..
8bb59c26 159 },
2c3a6c0a
DM		 160 },
161 },
162 links => [ { rel => 'child', href => "{userid}" } ],
163 },
164 code => sub {
165 my ($param) = @_;
0a6e09fd 166
930dcfc8 167 my $rpcenv = PVE::RPCEnvironment::get();
37d45deb 168 my $usercfg = $rpcenv->{user_cfg};
930dcfc8
DM		 169 my $authuser = $rpcenv->get_user();
170
8bb59c26
DC		 171 my $domainscfg = cfs_read_file('domains.cfg');
172 my $domainids = $domainscfg->{ids};
173
2c3a6c0a
DM		 174 my $res = [];
175
82b63965
DM		 176 my $privs = [ 'User.Modify', 'Sys.Audit' ];
177 my $canUserMod = $rpcenv->check_any($authuser, "/access/groups", $privs, 1);
b9180ed2 178 my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
0a6e09fd 179 my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
37d45deb 180
525a931b 181 foreach my $user (sort keys %{$usercfg->{users}}) {
37d45deb
DM		 182 if (!($canUserMod || $user eq $authuser)) {
183 next if !$allowed_users->{$user};
184 }
930dcfc8 185
525a931b 186 my $entry = $extract_user_data->($usercfg->{users}->{$user}, $param->{full});
cb6f2f93
DM		 187
188 if (defined($param->{enabled})) {
189 next if $entry->{enable} && !$param->{enabled};
190 next if !$entry->{enable} && $param->{enabled};
191 }
192
3a4ed527 193 $entry->{groups} = join(',', @{$entry->{groups}}) if $entry->{groups};
525a931b
TL		 194
195 if (defined(my $tokens = $entry->{tokens})) {
196 $entry->{tokens} = [
197 map { { tokenid => $_, %{$tokens->{$_}} } } sort keys %$tokens
198 ];
199 }
3a4ed527 200
d658d04a
TL		 201 if ($user =~ /($PVE::Auth::Plugin::realm_regex)$/) {
202 my $realm = $1;
203 $entry->{'realm-type'} = $domainids->{$realm}->{type} if exists $domainids->{$realm};
8bb59c26
DC		 204 }
205
2c3a6c0a 206 $entry->{userid} = $user;
525a931b 207
2c3a6c0a
DM		 208 push @$res, $entry;
209 }
210
211 return $res;
212 }});
213
214__PACKAGE__->register_method ({
0a6e09fd 215 name => 'create_user',
2c3a6c0a 216 protected => 1,
0a6e09fd 217 path => '',
2c3a6c0a 218 method => 'POST',
0a6e09fd 219 permissions => {
82b63965
DM		 220 description => "You need 'Realm.AllocateUser' on '/access/realm/<realm>' on the realm of user <userid>, and 'User.Modify' permissions to '/access/groups/<group>' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.",
221 check => [ 'and',
222 [ 'userid-param', 'Realm.AllocateUser'],
223 [ 'userid-group', ['User.Modify'], groups_param => 1],
224 ],
96919234 225 },
2c3a6c0a
DM		 226 description => "Create new user.",
227 parameters => {
0a6e09fd 228 additionalProperties => 0,
2c3a6c0a 229 properties => {
3a5ae7a0
SI		 230 userid => get_standard_option('userid-completed'),
231 enable => get_standard_option('user-enable'),
232 expire => get_standard_option('user-expire'),
233 firstname => get_standard_option('user-firstname'),
234 lastname => get_standard_option('user-lastname'),
235 email => get_standard_option('user-email'),
236 comment => get_standard_option('user-comment'),
237 keys => get_standard_option('user-keys'),
37d45deb
DM		 238 password => {
239 description => "Initial password.",
0a6e09fd
PA		 240 type => 'string',
241 optional => 1,
242 minLength => 5,
243 maxLength => 64
37d45deb 244 },
3a5ae7a0 245 groups => get_standard_option('group-list'),
2c3a6c0a
DM		 246 },
247 },
248 returns => { type => 'null' },
249 code => sub {
250 my ($param) = @_;
251
2dd1e1d4
TL		 252 PVE::AccessControl::lock_user_config(sub {
253 my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
0a6e09fd 254
2dd1e1d4 255 my $usercfg = cfs_read_file("user.cfg");
0a6e09fd 256
f335d265
TL		 257 # ensure "user exists" check works for case insensitive realms
258 $username = PVE::AccessControl::lookup_username($username, 1);
259 die "user '$username' already exists\n" if $usercfg->{users}->{$username};
2c3a6c0a 260
2dd1e1d4
TL		 261 PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password})
262 if defined($param->{password});
0a6e09fd 263
2dd1e1d4
TL		 264 my $enable = defined($param->{enable}) ? $param->{enable} : 1;
265 $usercfg->{users}->{$username} = { enable => $enable };
266 $usercfg->{users}->{$username}->{expire} = $param->{expire} if $param->{expire};
2c3a6c0a 267
2dd1e1d4
TL		 268 if ($param->{groups}) {
269 foreach my $group (split_list($param->{groups})) {
270 if ($usercfg->{groups}->{$group}) {
271 PVE::AccessControl::add_user_group($username, $usercfg, $group);
272 } else {
273 die "no such group '$group'\n";
2c3a6c0a
DM		 274 }
275 }
2dd1e1d4 276 }
2c3a6c0a 277
2dd1e1d4
TL		 278 $usercfg->{users}->{$username}->{firstname} = $param->{firstname} if $param->{firstname};
279 $usercfg->{users}->{$username}->{lastname} = $param->{lastname} if $param->{lastname};
280 $usercfg->{users}->{$username}->{email} = $param->{email} if $param->{email};
281 $usercfg->{users}->{$username}->{comment} = $param->{comment} if $param->{comment};
282 $usercfg->{users}->{$username}->{keys} = $param->{keys} if $param->{keys};
2c3a6c0a 283
2dd1e1d4
TL		 284 cfs_write_file("user.cfg", $usercfg);
285 }, "create user failed");
2c3a6c0a
DM		 286
287 return undef;
288 }});
289
290__PACKAGE__->register_method ({
0a6e09fd
PA		 291 name => 'read_user',
292 path => '{userid}',
2c3a6c0a
DM		 293 method => 'GET',
294 description => "Get user configuration.",
0a6e09fd 295 permissions => {
82b63965 296 check => ['userid-group', ['User.Modify', 'Sys.Audit']],
96919234 297 },
2c3a6c0a 298 parameters => {
0a6e09fd 299 additionalProperties => 0,
2c3a6c0a 300 properties => {
3a5ae7a0 301 userid => get_standard_option('userid-completed'),
2c3a6c0a
DM		 302 },
303 },
304 returns => {
0a6e09fd 305 additionalProperties => 0,
2c3a6c0a 306 properties => {
3a5ae7a0
SI		 307 enable => get_standard_option('user-enable'),
308 expire => get_standard_option('user-expire'),
309 firstname => get_standard_option('user-firstname'),
310 lastname => get_standard_option('user-lastname'),
311 email => get_standard_option('user-email'),
312 comment => get_standard_option('user-comment'),
313 keys => get_standard_option('user-keys'),
4e4c8d40
FG		 314 groups => {
315 type => 'array',
72c4589c 316 optional => 1,
4e4c8d40
FG		 317 items => {
318 type => 'string',
319 format => 'pve-groupid',
320 },
321 },
322 tokens => {
72c4589c 323 optional => 1,
4e4c8d40
FG		 324 type => 'object',
325 },
3a5ae7a0
SI		 326 },
327 type => "object"
2c3a6c0a
DM		 328 },
329 code => sub {
330 my ($param) = @_;
331
0a6e09fd 332 my ($username, undef, $domain) =
2c3a6c0a
DM		 333 PVE::AccessControl::verify_username($param->{userid});
334
335 my $usercfg = cfs_read_file("user.cfg");
2c3a6c0a 336
37d45deb 337 my $data = PVE::AccessControl::check_user_exist($usercfg, $username);
0a6e09fd 338
2c3a6c0a
DM		 339 return &$extract_user_data($data, 1);
340 }});
341
342__PACKAGE__->register_method ({
0a6e09fd 343 name => 'update_user',
2c3a6c0a 344 protected => 1,
0a6e09fd 345 path => '{userid}',
2c3a6c0a 346 method => 'PUT',
0a6e09fd 347 permissions => {
96919234
DM		 348 check => ['userid-group', ['User.Modify'], groups_param => 1 ],
349 },
2c3a6c0a
DM		 350 description => "Update user configuration.",
351 parameters => {
0a6e09fd 352 additionalProperties => 0,
2c3a6c0a 353 properties => {
3a5ae7a0
SI		 354 userid => get_standard_option('userid-completed'),
355 enable => get_standard_option('user-enable'),
356 expire => get_standard_option('user-expire'),
357 firstname => get_standard_option('user-firstname'),
358 lastname => get_standard_option('user-lastname'),
359 email => get_standard_option('user-email'),
360 comment => get_standard_option('user-comment'),
361 keys => get_standard_option('user-keys'),
362 groups => get_standard_option('group-list'),
0a6e09fd
PA		 363 append => {
364 type => 'boolean',
2c3a6c0a
DM		 365 optional => 1,
366 requires => 'groups',
367 },
2c3a6c0a
DM		 368 },
369 },
370 returns => { type => 'null' },
371 code => sub {
372 my ($param) = @_;
37d45deb 373
0a6e09fd 374 my ($username, $ruid, $realm) =
37d45deb 375 PVE::AccessControl::verify_username($param->{userid});
0a6e09fd 376
2c3a6c0a
DM		 377 PVE::AccessControl::lock_user_config(
378 sub {
0a6e09fd 379
2c3a6c0a
DM		 380 my $usercfg = cfs_read_file("user.cfg");
381
37d45deb 382 PVE::AccessControl::check_user_exist($usercfg, $username);
2c3a6c0a
DM		 383
384 $usercfg->{users}->{$username}->{enable} = $param->{enable} if defined($param->{enable});
385
386 $usercfg->{users}->{$username}->{expire} = $param->{expire} if defined($param->{expire});
387
0a6e09fd 388 PVE::AccessControl::delete_user_group($username, $usercfg)
e6521738 389 if (!$param->{append} && defined($param->{groups}));
2c3a6c0a
DM		 390
391 if ($param->{groups}) {
392 foreach my $group (split_list($param->{groups})) {
393 if ($usercfg->{groups}->{$group}) {
394 PVE::AccessControl::add_user_group($username, $usercfg, $group);
395 } else {
396 die "no such group '$group'\n";
397 }
398 }
399 }
400
401 $usercfg->{users}->{$username}->{firstname} = $param->{firstname} if defined($param->{firstname});
402 $usercfg->{users}->{$username}->{lastname} = $param->{lastname} if defined($param->{lastname});
403 $usercfg->{users}->{$username}->{email} = $param->{email} if defined($param->{email});
404 $usercfg->{users}->{$username}->{comment} = $param->{comment} if defined($param->{comment});
96f8ebd6 405 $usercfg->{users}->{$username}->{keys} = $param->{keys} if defined($param->{keys});
2c3a6c0a
DM		 406
407 cfs_write_file("user.cfg", $usercfg);
408 }, "update user failed");
0a6e09fd 409
2c3a6c0a
DM		 410 return undef;
411 }});
412
413__PACKAGE__->register_method ({
0a6e09fd 414 name => 'delete_user',
2c3a6c0a 415 protected => 1,
0a6e09fd 416 path => '{userid}',
2c3a6c0a
DM		 417 method => 'DELETE',
418 description => "Delete user.",
0a6e09fd 419 permissions => {
82b63965
DM		 420 check => [ 'and',
421 [ 'userid-param', 'Realm.AllocateUser'],
422 [ 'userid-group', ['User.Modify']],
423 ],
12683df7 424 },
2c3a6c0a 425 parameters => {
0a6e09fd 426 additionalProperties => 0,
2c3a6c0a 427 properties => {
3a5ae7a0 428 userid => get_standard_option('userid-completed'),
2c3a6c0a
DM		 429 }
430 },
431 returns => { type => 'null' },
432 code => sub {
433 my ($param) = @_;
0a6e09fd 434
37d45deb
DM		 435 my $rpcenv = PVE::RPCEnvironment::get();
436 my $authuser = $rpcenv->get_user();
437
0a6e09fd 438 my ($userid, $ruid, $realm) =
37d45deb 439 PVE::AccessControl::verify_username($param->{userid});
2c3a6c0a
DM		 440
441 PVE::AccessControl::lock_user_config(
442 sub {
443
2c3a6c0a
DM		 444 my $usercfg = cfs_read_file("user.cfg");
445
5bb4e06a
DM		 446 my $domain_cfg = cfs_read_file('domains.cfg');
447 if (my $cfg = $domain_cfg->{ids}->{$realm}) {
448 my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
449 $plugin->delete_user($cfg, $realm, $ruid);
450 }
2c3a6c0a 451
9536c4dc
WB		 452 # Remove TFA data before removing the user entry as the user entry tells us whether
453 # we need ot update priv/tfa.cfg.
454 PVE::AccessControl::user_set_tfa($userid, $realm, undef, undef, $usercfg, $domain_cfg);
455
5bb4e06a 456 delete $usercfg->{users}->{$userid};
37d45deb
DM		 457
458 PVE::AccessControl::delete_user_group($userid, $usercfg);
459 PVE::AccessControl::delete_user_acl($userid, $usercfg);
2c3a6c0a
DM		 460 cfs_write_file("user.cfg", $usercfg);
461 }, "delete user failed");
0a6e09fd 462
2c3a6c0a
DM		 463 return undef;
464 }});
465
e51988b4
DC		 466__PACKAGE__->register_method ({
467 name => 'read_user_tfa_type',
468 path => '{userid}/tfa',
469 method => 'GET',
470 protected => 1,
471 description => "Get user TFA types (Personal and Realm).",
472 permissions => {
473 check => [ 'or',
474 ['userid-param', 'self'],
475 ['userid-group', ['User.Modify', 'Sys.Audit']],
476 ],
477 },
478 parameters => {
479 additionalProperties => 0,
480 properties => {
481 userid => get_standard_option('userid-completed'),
482 },
483 },
484 returns => {
485 additionalProperties => 0,
486 properties => {
487 realm => {
488 type => 'string',
489 enum => [qw(oath yubico)],
490 description => "The type of TFA the users realm has set, if any.",
491 optional => 1,
492 },
493 user => {
494 type => 'string',
495 enum => [qw(oath u2f)],
496 description => "The type of TFA the user has set, if any.",
497 optional => 1,
498 },
499 },
500 type => "object"
501 },
502 code => sub {
503 my ($param) = @_;
504
505 my ($username, undef, $realm) = PVE::AccessControl::verify_username($param->{userid});
506
507
508 my $domain_cfg = cfs_read_file('domains.cfg');
509 my $realm_cfg = $domain_cfg->{ids}->{$realm};
510 die "auth domain '$realm' does not exist\n" if !$realm_cfg;
511
512 my $realm_tfa = {};
513 $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_cfg->{tfa})
514 if $realm_cfg->{tfa};
515
516 my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
517 my $tfa = $tfa_cfg->{users}->{$username};
518
519 my $res = {};
520 $res->{realm} = $realm_tfa->{type} if $realm_tfa->{type};
521 $res->{user} = $tfa->{type} if $tfa->{type};
522 return $res;
523 }});
524
4e4c8d40
FG		 525__PACKAGE__->register_method ({
526 name => 'token_index',
527 path => '{userid}/token',
528 method => 'GET',
529 description => "Get user API tokens.",
530 permissions => {
531 check => ['or',
532 ['userid-param', 'self'],
533 ['perm', '/access/users/{userid}', ['User.Modify']],
534 ],
535 },
536 parameters => {
537 additionalProperties => 0,
538 properties => {
539 userid => get_standard_option('userid-completed'),
540 },
541 },
542 returns => {
543 type => "array",
544 items => $token_info_extend->({
545 tokenid => get_standard_option('token-subid'),
546 }),
547 links => [ { rel => 'child', href => "{tokenid}" } ],
548 },
549 code => sub {
550 my ($param) = @_;
551
552 my $userid = PVE::AccessControl::verify_username($param->{userid});
553 my $usercfg = cfs_read_file("user.cfg");
554
555 my $user = PVE::AccessControl::check_user_exist($usercfg, $userid);
556
557 my $tokens = $user->{tokens} // {};
558 return [ map { $tokens->{$_}->{tokenid} = $_; $tokens->{$_} } keys %$tokens];
559 }});
560
561__PACKAGE__->register_method ({
562 name => 'read_token',
563 path => '{userid}/token/{tokenid}',
564 method => 'GET',
565 description => "Get specific API token information.",
566 permissions => {
567 check => ['or',
568 ['userid-param', 'self'],
569 ['perm', '/access/users/{userid}', ['User.Modify']],
570 ],
571 },
572 parameters => {
573 additionalProperties => 0,
574 properties => {
575 userid => get_standard_option('userid-completed'),
576 tokenid => get_standard_option('token-subid'),
577 },
578 },
579 returns => get_standard_option('token-info'),
580 code => sub {
581 my ($param) = @_;
582
583 my $userid = PVE::AccessControl::verify_username($param->{userid});
584 my $tokenid = $param->{tokenid};
585
586 my $usercfg = cfs_read_file("user.cfg");
587
588 return PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
589 }});
590
591__PACKAGE__->register_method ({
592 name => 'generate_token',
593 path => '{userid}/token/{tokenid}',
594 method => 'POST',
595 description => "Generate a new API token for a specific user. NOTE: returns API token value, which needs to be stored as it cannot be retrieved afterwards!",
596 protected => 1,
597 permissions => {
598 check => ['or',
599 ['userid-param', 'self'],
600 ['perm', '/access/users/{userid}', ['User.Modify']],
601 ],
602 },
603 parameters => {
604 additionalProperties => 0,
605 properties => {
606 userid => get_standard_option('userid-completed'),
607 tokenid => get_standard_option('token-subid'),
608 expire => get_standard_option('token-expire'),
609 privsep => get_standard_option('token-privsep'),
610 comment => get_standard_option('token-comment'),
611 },
612 },
613 returns => {
614 additionalProperties => 0,
615 type => "object",
616 properties => {
617 info => get_standard_option('token-info'),
618 value => {
619 type => 'string',
620 description => 'API token value used for authentication.',
621 },
77bfb48e
TL		 622 'full-tokenid' => {
623 type => 'string',
624 format_description => '<userid>!<tokenid>',
625 description => 'The full token id.',
626 },
4e4c8d40
FG		 627 },
628 },
629 code => sub {
630 my ($param) = @_;
631
632 my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
633 my $tokenid = extract_param($param, 'tokenid');
634
635 my $usercfg = cfs_read_file("user.cfg");
636
637 my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid, 1);
77bfb48e 638 my ($full_tokenid, $value);
4e4c8d40
FG		 639
640 PVE::AccessControl::check_user_exist($usercfg, $userid);
641 raise_param_exc({ 'tokenid' => 'Token already exists.' }) if defined($token);
642
643 my $generate_and_add_token = sub {
644 $usercfg = cfs_read_file("user.cfg");
645 PVE::AccessControl::check_user_exist($usercfg, $userid);
646 die "Token already exists.\n" if defined(PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid, 1));
647
77bfb48e 648 $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
4e4c8d40
FG		 649 $value = PVE::TokenConfig::generate_token($full_tokenid);
650
651 $token = {};
652 $token->{privsep} = defined($param->{privsep}) ? $param->{privsep} : 1;
653 $token->{expire} = $param->{expire} if defined($param->{expire});
654 $token->{comment} = $param->{comment} if $param->{comment};
655
656 $usercfg->{users}->{$userid}->{tokens}->{$tokenid} = $token;
657 cfs_write_file("user.cfg", $usercfg);
658 };
659
660 PVE::AccessControl::lock_user_config($generate_and_add_token, 'generating token failed');
661
77bfb48e
TL		 662 return {
663 info => $token,
664 value => $value,
665 'full-tokenid' => $full_tokenid,
666 };
4e4c8d40
FG		 667 }});
668
669
670__PACKAGE__->register_method ({
671 name => 'update_token_info',
672 path => '{userid}/token/{tokenid}',
673 method => 'PUT',
674 description => "Update API token for a specific user.",
675 protected => 1,
676 permissions => {
677 check => ['or',
678 ['userid-param', 'self'],
679 ['perm', '/access/users/{userid}', ['User.Modify']],
680 ],
681 },
682 parameters => {
683 additionalProperties => 0,
684 properties => {
685 userid => get_standard_option('userid-completed'),
686 tokenid => get_standard_option('token-subid'),
687 expire => get_standard_option('token-expire'),
688 privsep => get_standard_option('token-privsep'),
689 comment => get_standard_option('token-comment'),
690 },
691 },
692 returns => get_standard_option('token-info', { description => "Updated token information." }),
693 code => sub {
694 my ($param) = @_;
695
696 my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
697 my $tokenid = extract_param($param, 'tokenid');
698
699 my $usercfg = cfs_read_file("user.cfg");
700 my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
701
702 my $update_token = sub {
703 $usercfg = cfs_read_file("user.cfg");
704 $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
705
706 my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
707
708 $token->{privsep} = $param->{privsep} if defined($param->{privsep});
709 $token->{expire} = $param->{expire} if defined($param->{expire});
710 $token->{comment} = $param->{comment} if $param->{comment};
711
712 $usercfg->{users}->{$userid}->{tokens}->{$tokenid} = $token;
713 cfs_write_file("user.cfg", $usercfg);
714 };
715
716 PVE::AccessControl::lock_user_config($update_token, 'updating token info failed');
717
718 return $token;
719 }});
720
721
722__PACKAGE__->register_method ({
723 name => 'remove_token',
724 path => '{userid}/token/{tokenid}',
725 method => 'DELETE',
726 description => "Remove API token for a specific user.",
727 protected => 1,
728 permissions => {
729 check => ['or',
730 ['userid-param', 'self'],
731 ['perm', '/access/users/{userid}', ['User.Modify']],
732 ],
733 },
734 parameters => {
735 additionalProperties => 0,
736 properties => {
737 userid => get_standard_option('userid-completed'),
738 tokenid => get_standard_option('token-subid'),
739 },
740 },
741 returns => { type => 'null' },
742 code => sub {
743 my ($param) = @_;
744
745 my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
746 my $tokenid = extract_param($param, 'tokenid');
747
748 my $usercfg = cfs_read_file("user.cfg");
749 my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
750
751 my $update_token = sub {
752 $usercfg = cfs_read_file("user.cfg");
753
754 PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
755
756 my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
757 PVE::TokenConfig::delete_token($full_tokenid);
758 delete $usercfg->{users}->{$userid}->{tokens}->{$tokenid};
759
760 cfs_write_file("user.cfg", $usercfg);
761 };
762
763 PVE::AccessControl::lock_user_config($update_token, 'deleting token failed');
764
765 return;
766 }});
2c3a6c0a 7671;
Access control framework