]> git.proxmox.com Git - pve-access-control.git/blob - src/PVE/API2/User.pm
projects / pve-access-control.git / blob
? search:


06cc6804fd9a9f13b5af7d08856fc6958526e02b
[pve-access-control.git] / src / PVE / API2 / User.pm
1 package PVE::API2::User;
2
3 use strict;
4 use warnings;
5
6 use PVE::Exception qw(raise raise_perm_exc raise_param_exc);
7 use PVE::Cluster qw (cfs_read_file cfs_write_file);
8 use PVE::Tools qw(split_list extract_param);
9 use PVE::JSONSchema qw(get_standard_option register_standard_option);
10 use PVE::SafeSyslog;
11
12 use PVE::AccessControl;
13 use PVE::Auth::Plugin;
14 use PVE::TokenConfig;
15
16 use PVE::RESTHandler;
17
18 use base qw(PVE::RESTHandler);
19
20 register_standard_option('user-enable', {
21 description => "Enable the account (default). You can set this to '0' to disable the account",
22 type => 'boolean',
23 optional => 1,
24 default => 1,
25 });
26 register_standard_option('user-expire', {
27 description => "Account expiration date (seconds since epoch). '0' means no expiration date.",
28 type => 'integer',
29 minimum => 0,
30 optional => 1,
31 });
32 register_standard_option('user-firstname', { type => 'string', optional => 1 });
33 register_standard_option('user-lastname', { type => 'string', optional => 1 });
34 register_standard_option('user-email', { type => 'string', optional => 1, format => 'email-opt' });
35 register_standard_option('user-comment', { type => 'string', optional => 1 });
36 register_standard_option('user-keys', {
37 description => "Keys for two factor auth (yubico).",
38 type => 'string',
39 optional => 1,
40 });
41 register_standard_option('group-list', {
42 type => 'string', format => 'pve-groupid-list',
43 optional => 1,
44 completion => \&PVE::AccessControl::complete_group,
45 });
46 register_standard_option('token-subid', {
47 type => 'string',
48 pattern => $PVE::AccessControl::token_subid_regex,
49 description => 'User-specific token identifier.',
50 });
51 register_standard_option('token-expire', {
52 description => "API token expiration date (seconds since epoch). '0' means no expiration date.",
53 type => 'integer',
54 minimum => 0,
55 optional => 1,
56 default => 'same as user',
57 });
58 register_standard_option('token-privsep', {
59 description => "Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.",
60 type => 'boolean',
61 optional => 1,
62 default => 1,
63 });
64 register_standard_option('token-comment', { type => 'string', optional => 1 });
65 register_standard_option('token-info', {
66 type => 'object',
67 properties => {
68 expire => get_standard_option('token-expire'),
69 privsep => get_standard_option('token-privsep'),
70 comment => get_standard_option('token-comment'),
71 }
72 });
73
74 my $token_info_extend = sub {
75 my ($props) = @_;
76
77 my $obj = get_standard_option('token-info');
78 my $base_props = $obj->{properties};
79 $obj->{properties} = {};
80
81 foreach my $prop (keys %$base_props) {
82 $obj->{properties}->{$prop} = $base_props->{$prop};
83 }
84
85 foreach my $add_prop (keys %$props) {
86 $obj->{properties}->{$add_prop} = $props->{$add_prop};
87 }
88
89 return $obj;
90 };
91
92 my $extract_user_data = sub {
93 my ($data, $full) = @_;
94
95 my $res = {};
96
97 foreach my $prop (qw(enable expire firstname lastname email comment keys)) {
98 $res->{$prop} = $data->{$prop} if defined($data->{$prop});
99 }
100
101 return $res if !$full;
102
103 $res->{groups} = $data->{groups} ? [ keys %{$data->{groups}} ] : [];
104 $res->{tokens} = $data->{tokens};
105
106 return $res;
107 };
108
109 __PACKAGE__->register_method ({
110 name => 'index',
111 path => '',
112 method => 'GET',
113 description => "User index.",
114 permissions => {
115 description => "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.",
116 user => 'all',
117 },
118 parameters => {
119 additionalProperties => 0,
120 properties => {
121 enabled => {
122 type => 'boolean',
123 description => "Optional filter for enable property.",
124 optional => 1,
125 },
126 full => {
127 type => 'boolean',
128 description => "Include group and token information.",
129 optional => 1,
130 default => 0,
131 }
132 },
133 },
134 returns => {
135 type => 'array',
136 items => {
137 type => "object",
138 properties => {
139 userid => get_standard_option('userid-completed'),
140 enable => get_standard_option('user-enable'),
141 expire => get_standard_option('user-expire'),
142 firstname => get_standard_option('user-firstname'),
143 lastname => get_standard_option('user-lastname'),
144 email => get_standard_option('user-email'),
145 comment => get_standard_option('user-comment'),
146 keys => get_standard_option('user-keys'),
147 groups => get_standard_option('group-list'),
148 tokens => {
149 type => 'array',
150 optional => 1,
151 items => $token_info_extend->({
152 tokenid => get_standard_option('token-subid'),
153 }),
154 },
155 'realm-type' => {
156 type => 'string', format => 'pve-realm',
157 description => 'The type of the users realm',
158 optional => 1, # it should always be there, but we use conditional code below, so..
159 },
160 },
161 },
162 links => [ { rel => 'child', href => "{userid}" } ],
163 },
164 code => sub {
165 my ($param) = @_;
166
167 my $rpcenv = PVE::RPCEnvironment::get();
168 my $usercfg = $rpcenv->{user_cfg};
169 my $authuser = $rpcenv->get_user();
170
171 my $domainscfg = cfs_read_file('domains.cfg');
172 my $domainids = $domainscfg->{ids};
173
174 my $res = [];
175
176 my $privs = [ 'User.Modify', 'Sys.Audit' ];
177 my $canUserMod = $rpcenv->check_any($authuser, "/access/groups", $privs, 1);
178 my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
179 my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
180
181 foreach my $user (sort keys %{$usercfg->{users}}) {
182 if (!($canUserMod || $user eq $authuser)) {
183 next if !$allowed_users->{$user};
184 }
185
186 my $entry = $extract_user_data->($usercfg->{users}->{$user}, $param->{full});
187
188 if (defined($param->{enabled})) {
189 next if $entry->{enable} && !$param->{enabled};
190 next if !$entry->{enable} && $param->{enabled};
191 }
192
193 $entry->{groups} = join(',', @{$entry->{groups}}) if $entry->{groups};
194
195 if (defined(my $tokens = $entry->{tokens})) {
196 $entry->{tokens} = [
197 map { { tokenid => $_, %{$tokens->{$_}} } } sort keys %$tokens
198 ];
199 }
200
201 if ($user =~ /($PVE::Auth::Plugin::realm_regex)$/) {
202 my $realm = $1;
203 $entry->{'realm-type'} = $domainids->{$realm}->{type} if exists $domainids->{$realm};
204 }
205
206 $entry->{userid} = $user;
207
208 push @$res, $entry;
209 }
210
211 return $res;
212 }});
213
214 __PACKAGE__->register_method ({
215 name => 'create_user',
216 protected => 1,
217 path => '',
218 method => 'POST',
219 permissions => {
220 description => "You need 'Realm.AllocateUser' on '/access/realm/<realm>' on the realm of user <userid>, and 'User.Modify' permissions to '/access/groups/<group>' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.",
221 check => [
222 'and',
223 [ 'userid-param', 'Realm.AllocateUser'],
224 [ 'userid-group', ['User.Modify'], groups_param => 1],
225 ],
226 },
227 description => "Create new user.",
228 parameters => {
229 additionalProperties => 0,
230 properties => {
231 userid => get_standard_option('userid-completed'),
232 enable => get_standard_option('user-enable'),
233 expire => get_standard_option('user-expire'),
234 firstname => get_standard_option('user-firstname'),
235 lastname => get_standard_option('user-lastname'),
236 email => get_standard_option('user-email'),
237 comment => get_standard_option('user-comment'),
238 keys => get_standard_option('user-keys'),
239 password => {
240 description => "Initial password.",
241 type => 'string',
242 optional => 1,
243 minLength => 5,
244 maxLength => 64
245 },
246 groups => get_standard_option('group-list'),
247 },
248 },
249 returns => { type => 'null' },
250 code => sub {
251 my ($param) = @_;
252
253 PVE::AccessControl::lock_user_config(sub {
254 my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
255
256 my $usercfg = cfs_read_file("user.cfg");
257
258 # ensure "user exists" check works for case insensitive realms
259 $username = PVE::AccessControl::lookup_username($username, 1);
260 die "user '$username' already exists\n" if $usercfg->{users}->{$username};
261
262 PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password})
263 if defined($param->{password});
264
265 my $enable = defined($param->{enable}) ? $param->{enable} : 1;
266 $usercfg->{users}->{$username} = { enable => $enable };
267 $usercfg->{users}->{$username}->{expire} = $param->{expire} if $param->{expire};
268
269 if ($param->{groups}) {
270 foreach my $group (split_list($param->{groups})) {
271 if ($usercfg->{groups}->{$group}) {
272 PVE::AccessControl::add_user_group($username, $usercfg, $group);
273 } else {
274 die "no such group '$group'\n";
275 }
276 }
277 }
278
279 $usercfg->{users}->{$username}->{firstname} = $param->{firstname} if $param->{firstname};
280 $usercfg->{users}->{$username}->{lastname} = $param->{lastname} if $param->{lastname};
281 $usercfg->{users}->{$username}->{email} = $param->{email} if $param->{email};
282 $usercfg->{users}->{$username}->{comment} = $param->{comment} if $param->{comment};
283 $usercfg->{users}->{$username}->{keys} = $param->{keys} if $param->{keys};
284
285 cfs_write_file("user.cfg", $usercfg);
286 }, "create user failed");
287
288 return undef;
289 }});
290
291 __PACKAGE__->register_method ({
292 name => 'read_user',
293 path => '{userid}',
294 method => 'GET',
295 description => "Get user configuration.",
296 permissions => {
297 check => ['userid-group', ['User.Modify', 'Sys.Audit']],
298 },
299 parameters => {
300 additionalProperties => 0,
301 properties => {
302 userid => get_standard_option('userid-completed'),
303 },
304 },
305 returns => {
306 additionalProperties => 0,
307 properties => {
308 enable => get_standard_option('user-enable'),
309 expire => get_standard_option('user-expire'),
310 firstname => get_standard_option('user-firstname'),
311 lastname => get_standard_option('user-lastname'),
312 email => get_standard_option('user-email'),
313 comment => get_standard_option('user-comment'),
314 keys => get_standard_option('user-keys'),
315 groups => {
316 type => 'array',
317 optional => 1,
318 items => {
319 type => 'string',
320 format => 'pve-groupid',
321 },
322 },
323 tokens => {
324 optional => 1,
325 type => 'object',
326 },
327 },
328 type => "object"
329 },
330 code => sub {
331 my ($param) = @_;
332
333 my ($username, undef, $domain) = PVE::AccessControl::verify_username($param->{userid});
334
335 my $usercfg = cfs_read_file("user.cfg");
336
337 my $data = PVE::AccessControl::check_user_exist($usercfg, $username);
338
339 return &$extract_user_data($data, 1);
340 }});
341
342 __PACKAGE__->register_method ({
343 name => 'update_user',
344 protected => 1,
345 path => '{userid}',
346 method => 'PUT',
347 permissions => {
348 check => ['userid-group', ['User.Modify'], groups_param => 1 ],
349 },
350 description => "Update user configuration.",
351 parameters => {
352 additionalProperties => 0,
353 properties => {
354 userid => get_standard_option('userid-completed'),
355 enable => get_standard_option('user-enable'),
356 expire => get_standard_option('user-expire'),
357 firstname => get_standard_option('user-firstname'),
358 lastname => get_standard_option('user-lastname'),
359 email => get_standard_option('user-email'),
360 comment => get_standard_option('user-comment'),
361 keys => get_standard_option('user-keys'),
362 groups => get_standard_option('group-list'),
363 append => {
364 type => 'boolean',
365 optional => 1,
366 requires => 'groups',
367 },
368 },
369 },
370 returns => { type => 'null' },
371 code => sub {
372 my ($param) = @_;
373
374 my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
375
376 PVE::AccessControl::lock_user_config(sub {
377 my $usercfg = cfs_read_file("user.cfg");
378
379 PVE::AccessControl::check_user_exist($usercfg, $username);
380
381 $usercfg->{users}->{$username}->{enable} = $param->{enable} if defined($param->{enable});
382 $usercfg->{users}->{$username}->{expire} = $param->{expire} if defined($param->{expire});
383
384 PVE::AccessControl::delete_user_group($username, $usercfg)
385 if (!$param->{append} && defined($param->{groups}));
386
387 if ($param->{groups}) {
388 foreach my $group (split_list($param->{groups})) {
389 if ($usercfg->{groups}->{$group}) {
390 PVE::AccessControl::add_user_group($username, $usercfg, $group);
391 } else {
392 die "no such group '$group'\n";
393 }
394 }
395 }
396
397 $usercfg->{users}->{$username}->{firstname} = $param->{firstname} if defined($param->{firstname});
398 $usercfg->{users}->{$username}->{lastname} = $param->{lastname} if defined($param->{lastname});
399 $usercfg->{users}->{$username}->{email} = $param->{email} if defined($param->{email});
400 $usercfg->{users}->{$username}->{comment} = $param->{comment} if defined($param->{comment});
401 $usercfg->{users}->{$username}->{keys} = $param->{keys} if defined($param->{keys});
402
403 cfs_write_file("user.cfg", $usercfg);
404 }, "update user failed");
405
406 return undef;
407 }});
408
409 __PACKAGE__->register_method ({
410 name => 'delete_user',
411 protected => 1,
412 path => '{userid}',
413 method => 'DELETE',
414 description => "Delete user.",
415 permissions => {
416 check => [ 'and',
417 [ 'userid-param', 'Realm.AllocateUser'],
418 [ 'userid-group', ['User.Modify']],
419 ],
420 },
421 parameters => {
422 additionalProperties => 0,
423 properties => {
424 userid => get_standard_option('userid-completed'),
425 }
426 },
427 returns => { type => 'null' },
428 code => sub {
429 my ($param) = @_;
430
431 my $rpcenv = PVE::RPCEnvironment::get();
432 my $authuser = $rpcenv->get_user();
433
434 my ($userid, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
435
436 PVE::AccessControl::lock_user_config(sub {
437 my $usercfg = cfs_read_file("user.cfg");
438
439 # NOTE: disable the user first (transaction like), so if (e.g.) we fail in the middle of
440 # TFA deletion the user will be still disabled and not just without TFA protection.
441 $usercfg->{users}->{$userid}->{enable} = 0;
442 cfs_write_file("user.cfg", $usercfg);
443
444 my $domain_cfg = cfs_read_file('domains.cfg');
445 if (my $cfg = $domain_cfg->{ids}->{$realm}) {
446 my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
447 $plugin->delete_user($cfg, $realm, $ruid);
448 }
449
450 # Remove user from cache before removing the TFA entry so realms with TFA-enforcement
451 # know that it's OK to drop any TFA entry in that case.
452 delete $usercfg->{users}->{$userid};
453
454 PVE::AccessControl::user_set_tfa($userid, $realm, undef, undef, $usercfg, $domain_cfg);
455
456 PVE::AccessControl::delete_user_group($userid, $usercfg);
457 PVE::AccessControl::delete_user_acl($userid, $usercfg);
458 cfs_write_file("user.cfg", $usercfg);
459 }, "delete user failed");
460
461 return undef;
462 }});
463
464 __PACKAGE__->register_method ({
465 name => 'read_user_tfa_type',
466 path => '{userid}/tfa',
467 method => 'GET',
468 protected => 1,
469 description => "Get user TFA types (Personal and Realm).",
470 permissions => {
471 check => [ 'or',
472 ['userid-param', 'self'],
473 ['userid-group', ['User.Modify', 'Sys.Audit']],
474 ],
475 },
476 parameters => {
477 additionalProperties => 0,
478 properties => {
479 userid => get_standard_option('userid-completed'),
480 },
481 },
482 returns => {
483 additionalProperties => 0,
484 properties => {
485 realm => {
486 type => 'string',
487 enum => [qw(oath yubico)],
488 description => "The type of TFA the users realm has set, if any.",
489 optional => 1,
490 },
491 user => {
492 type => 'string',
493 enum => [qw(oath u2f)],
494 description => "The type of TFA the user has set, if any.",
495 optional => 1,
496 },
497 },
498 type => "object"
499 },
500 code => sub {
501 my ($param) = @_;
502
503 my ($username, undef, $realm) = PVE::AccessControl::verify_username($param->{userid});
504
505 my $domain_cfg = cfs_read_file('domains.cfg');
506 my $realm_cfg = $domain_cfg->{ids}->{$realm};
507 die "auth domain '$realm' does not exist\n" if !$realm_cfg;
508
509 my $realm_tfa = {};
510 $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_cfg->{tfa}) if $realm_cfg->{tfa};
511
512 my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
513 my $tfa = $tfa_cfg->{users}->{$username};
514
515 my $res = {};
516 $res->{realm} = $realm_tfa->{type} if $realm_tfa->{type};
517 $res->{user} = $tfa->{type} if $tfa->{type};
518 return $res;
519 }});
520
521 __PACKAGE__->register_method ({
522 name => 'token_index',
523 path => '{userid}/token',
524 method => 'GET',
525 description => "Get user API tokens.",
526 permissions => {
527 check => [
528 'or',
529 ['userid-param', 'self'],
530 ['perm', '/access/users/{userid}', ['User.Modify']],
531 ],
532 },
533 parameters => {
534 additionalProperties => 0,
535 properties => {
536 userid => get_standard_option('userid-completed'),
537 },
538 },
539 returns => {
540 type => "array",
541 items => $token_info_extend->({
542 tokenid => get_standard_option('token-subid'),
543 }),
544 links => [ { rel => 'child', href => "{tokenid}" } ],
545 },
546 code => sub {
547 my ($param) = @_;
548
549 my $userid = PVE::AccessControl::verify_username($param->{userid});
550 my $usercfg = cfs_read_file("user.cfg");
551
552 my $user = PVE::AccessControl::check_user_exist($usercfg, $userid);
553
554 my $tokens = $user->{tokens} // {};
555 return [ map { $tokens->{$_}->{tokenid} = $_; $tokens->{$_} } keys %$tokens];
556 }});
557
558 __PACKAGE__->register_method ({
559 name => 'read_token',
560 path => '{userid}/token/{tokenid}',
561 method => 'GET',
562 description => "Get specific API token information.",
563 permissions => {
564 check => [
565 'or',
566 ['userid-param', 'self'],
567 ['perm', '/access/users/{userid}', ['User.Modify']],
568 ],
569 },
570 parameters => {
571 additionalProperties => 0,
572 properties => {
573 userid => get_standard_option('userid-completed'),
574 tokenid => get_standard_option('token-subid'),
575 },
576 },
577 returns => get_standard_option('token-info'),
578 code => sub {
579 my ($param) = @_;
580
581 my $userid = PVE::AccessControl::verify_username($param->{userid});
582 my $tokenid = $param->{tokenid};
583
584 my $usercfg = cfs_read_file("user.cfg");
585
586 return PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
587 }});
588
589 __PACKAGE__->register_method ({
590 name => 'generate_token',
591 path => '{userid}/token/{tokenid}',
592 method => 'POST',
593 description => "Generate a new API token for a specific user. NOTE: returns API token value, which needs to be stored as it cannot be retrieved afterwards!",
594 protected => 1,
595 permissions => {
596 check => [
597 'or',
598 ['userid-param', 'self'],
599 ['perm', '/access/users/{userid}', ['User.Modify']],
600 ],
601 },
602 parameters => {
603 additionalProperties => 0,
604 properties => {
605 userid => get_standard_option('userid-completed'),
606 tokenid => get_standard_option('token-subid'),
607 expire => get_standard_option('token-expire'),
608 privsep => get_standard_option('token-privsep'),
609 comment => get_standard_option('token-comment'),
610 },
611 },
612 returns => {
613 additionalProperties => 0,
614 type => "object",
615 properties => {
616 info => get_standard_option('token-info'),
617 value => {
618 type => 'string',
619 description => 'API token value used for authentication.',
620 },
621 'full-tokenid' => {
622 type => 'string',
623 format_description => '<userid>!<tokenid>',
624 description => 'The full token id.',
625 },
626 },
627 },
628 code => sub {
629 my ($param) = @_;
630
631 my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
632 my $tokenid = extract_param($param, 'tokenid');
633
634 my $usercfg = cfs_read_file("user.cfg");
635
636 my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid, 1);
637 my ($full_tokenid, $value);
638
639 PVE::AccessControl::check_user_exist($usercfg, $userid);
640 raise_param_exc({ 'tokenid' => 'Token already exists.' }) if defined($token);
641
642 my $generate_and_add_token = sub {
643 $usercfg = cfs_read_file("user.cfg");
644 PVE::AccessControl::check_user_exist($usercfg, $userid);
645 die "Token already exists.\n" if defined(PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid, 1));
646
647 $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
648 $value = PVE::TokenConfig::generate_token($full_tokenid);
649
650 $token = {};
651 $token->{privsep} = defined($param->{privsep}) ? $param->{privsep} : 1;
652 $token->{expire} = $param->{expire} if defined($param->{expire});
653 $token->{comment} = $param->{comment} if $param->{comment};
654
655 $usercfg->{users}->{$userid}->{tokens}->{$tokenid} = $token;
656 cfs_write_file("user.cfg", $usercfg);
657 };
658
659 PVE::AccessControl::lock_user_config($generate_and_add_token, 'generating token failed');
660
661 return {
662 info => $token,
663 value => $value,
664 'full-tokenid' => $full_tokenid,
665 };
666 }});
667
668
669 __PACKAGE__->register_method ({
670 name => 'update_token_info',
671 path => '{userid}/token/{tokenid}',
672 method => 'PUT',
673 description => "Update API token for a specific user.",
674 protected => 1,
675 permissions => {
676 check => [
677 'or',
678 ['userid-param', 'self'],
679 ['perm', '/access/users/{userid}', ['User.Modify']],
680 ],
681 },
682 parameters => {
683 additionalProperties => 0,
684 properties => {
685 userid => get_standard_option('userid-completed'),
686 tokenid => get_standard_option('token-subid'),
687 expire => get_standard_option('token-expire'),
688 privsep => get_standard_option('token-privsep'),
689 comment => get_standard_option('token-comment'),
690 },
691 },
692 returns => get_standard_option('token-info', { description => "Updated token information." }),
693 code => sub {
694 my ($param) = @_;
695
696 my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
697 my $tokenid = extract_param($param, 'tokenid');
698
699 my $usercfg = cfs_read_file("user.cfg");
700 my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
701
702 PVE::AccessControl::lock_user_config(sub {
703 $usercfg = cfs_read_file("user.cfg");
704 $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
705
706 my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
707
708 $token->{privsep} = $param->{privsep} if defined($param->{privsep});
709 $token->{expire} = $param->{expire} if defined($param->{expire});
710 $token->{comment} = $param->{comment} if $param->{comment};
711
712 $usercfg->{users}->{$userid}->{tokens}->{$tokenid} = $token;
713 cfs_write_file("user.cfg", $usercfg);
714 }, 'updating token info failed');
715
716 return $token;
717 }});
718
719
720 __PACKAGE__->register_method ({
721 name => 'remove_token',
722 path => '{userid}/token/{tokenid}',
723 method => 'DELETE',
724 description => "Remove API token for a specific user.",
725 protected => 1,
726 permissions => {
727 check => [
728 'or',
729 ['userid-param', 'self'],
730 ['perm', '/access/users/{userid}', ['User.Modify']],
731 ],
732 },
733 parameters => {
734 additionalProperties => 0,
735 properties => {
736 userid => get_standard_option('userid-completed'),
737 tokenid => get_standard_option('token-subid'),
738 },
739 },
740 returns => { type => 'null' },
741 code => sub {
742 my ($param) = @_;
743
744 my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
745 my $tokenid = extract_param($param, 'tokenid');
746
747 my $usercfg = cfs_read_file("user.cfg");
748 my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
749
750 PVE::AccessControl::lock_user_config(sub {
751 $usercfg = cfs_read_file("user.cfg");
752
753 PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
754
755 my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
756 PVE::TokenConfig::delete_token($full_tokenid);
757 delete $usercfg->{users}->{$userid}->{tokens}->{$tokenid};
758
759 cfs_write_file("user.cfg", $usercfg);
760 }, 'deleting token failed');
761
762 return;
763 }});
764 1;
Access control framework