1 package PVE
::API2
::User
;
6 use PVE
::Exception
qw(raise raise_perm_exc raise_param_exc);
7 use PVE
::Cluster qw
(cfs_read_file cfs_write_file
);
8 use PVE
::Tools
qw(split_list extract_param);
9 use PVE
::JSONSchema
qw(get_standard_option register_standard_option);
12 use PVE
::AccessControl
;
13 use PVE
::Auth
::Plugin
;
18 use base
qw(PVE::RESTHandler);
20 register_standard_option
('user-enable', {
21 description
=> "Enable the account (default). You can set this to '0' to disable the account",
26 register_standard_option
('user-expire', {
27 description
=> "Account expiration date (seconds since epoch). '0' means no expiration date.",
32 register_standard_option
('user-firstname', { type
=> 'string', optional
=> 1 });
33 register_standard_option
('user-lastname', { type
=> 'string', optional
=> 1 });
34 register_standard_option
('user-email', { type
=> 'string', optional
=> 1, format
=> 'email-opt' });
35 register_standard_option
('user-comment', { type
=> 'string', optional
=> 1 });
36 register_standard_option
('user-keys', {
37 description
=> "Keys for two factor auth (yubico).",
39 pattern
=> '[0-9a-zA-Z!=]{0,4096}',
42 register_standard_option
('group-list', {
43 type
=> 'string', format
=> 'pve-groupid-list',
45 completion
=> \
&PVE
::AccessControl
::complete_group
,
47 register_standard_option
('token-subid', {
49 pattern
=> $PVE::AccessControl
::token_subid_regex
,
50 description
=> 'User-specific token identifier.',
52 register_standard_option
('token-expire', {
53 description
=> "API token expiration date (seconds since epoch). '0' means no expiration date.",
57 default => 'same as user',
59 register_standard_option
('token-privsep', {
60 description
=> "Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.",
65 register_standard_option
('token-comment', { type
=> 'string', optional
=> 1 });
66 register_standard_option
('token-info', {
69 expire
=> get_standard_option
('token-expire'),
70 privsep
=> get_standard_option
('token-privsep'),
71 comment
=> get_standard_option
('token-comment'),
75 my $token_info_extend = sub {
78 my $obj = get_standard_option
('token-info');
79 my $base_props = $obj->{properties
};
80 $obj->{properties
} = {};
82 foreach my $prop (keys %$base_props) {
83 $obj->{properties
}->{$prop} = $base_props->{$prop};
86 foreach my $add_prop (keys %$props) {
87 $obj->{properties
}->{$add_prop} = $props->{$add_prop};
93 my $extract_user_data = sub {
94 my ($data, $full) = @_;
98 foreach my $prop (qw(enable expire firstname lastname email comment keys)) {
99 $res->{$prop} = $data->{$prop} if defined($data->{$prop});
102 return $res if !$full;
104 $res->{groups
} = $data->{groups
} ?
[ sort keys %{$data->{groups
}} ] : [];
105 $res->{tokens
} = $data->{tokens
};
110 __PACKAGE__-
>register_method ({
114 description
=> "User index.",
116 description
=> "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.",
119 protected
=> 1, # to access priv/tfa.cfg
121 additionalProperties
=> 0,
125 description
=> "Optional filter for enable property.",
130 description
=> "Include group and token information.",
141 userid
=> get_standard_option
('userid-completed'),
142 enable
=> get_standard_option
('user-enable'),
143 expire
=> get_standard_option
('user-expire'),
144 firstname
=> get_standard_option
('user-firstname'),
145 lastname
=> get_standard_option
('user-lastname'),
146 email
=> get_standard_option
('user-email'),
147 comment
=> get_standard_option
('user-comment'),
148 keys => get_standard_option
('user-keys'),
149 groups
=> get_standard_option
('group-list'),
153 items
=> $token_info_extend->({
154 tokenid
=> get_standard_option
('token-subid'),
158 type
=> 'string', format
=> 'pve-realm',
159 description
=> 'The type of the users realm',
160 optional
=> 1, # it should always be there, but we use conditional code below, so..
165 description
=> 'True if the user is currently locked out of TOTP factors.',
167 'tfa-locked-until' => {
171 'Contains a timestamp until when a user is locked out of 2nd factors.',
175 links
=> [ { rel
=> 'child', href
=> "{userid}" } ],
180 my $rpcenv = PVE
::RPCEnvironment
::get
();
181 my $usercfg = $rpcenv->{user_cfg
};
182 my $authuser = $rpcenv->get_user();
184 my $domainscfg = cfs_read_file
('domains.cfg');
185 my $domainids = $domainscfg->{ids
};
189 my $privs = [ 'User.Modify', 'Sys.Audit' ];
190 my $canUserMod = $rpcenv->check_any($authuser, "/access/groups", $privs, 1);
191 my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
192 my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
194 my $tfa_cfg = cfs_read_file
('priv/tfa.cfg');
196 foreach my $user (sort keys %{$usercfg->{users
}}) {
197 if (!($canUserMod || $user eq $authuser)) {
198 next if !$allowed_users->{$user};
201 my $entry = $extract_user_data->($usercfg->{users
}->{$user}, $param->{full
});
203 if (defined($param->{enabled
})) {
204 next if $entry->{enable
} && !$param->{enabled
};
205 next if !$entry->{enable
} && $param->{enabled
};
208 $entry->{groups
} = join(',', @{$entry->{groups
}}) if $entry->{groups
};
210 if (defined(my $tokens = $entry->{tokens
})) {
212 map { { tokenid
=> $_, %{$tokens->{$_}} } } sort keys %$tokens
216 if ($user =~ /($PVE::Auth::Plugin::realm_regex)$/) {
218 $entry->{'realm-type'} = $domainids->{$realm}->{type
} if exists $domainids->{$realm};
221 $entry->{userid
} = $user;
223 if (defined($tfa_cfg)) {
224 if (my $data = $tfa_cfg->tfa_lock_status($user)) {
225 for (qw(totp-locked tfa-locked-until)) {
226 $entry->{$_} = $data->{$_} if exists($data->{$_});
237 __PACKAGE__-
>register_method ({
238 name
=> 'create_user',
243 description
=> "You need 'Realm.AllocateUser' on '/access/realm/<realm>' on the realm of user <userid>, and 'User.Modify' permissions to '/access/groups/<group>' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.",
246 [ 'userid-param', 'Realm.AllocateUser'],
247 [ 'userid-group', ['User.Modify'], groups_param
=> 'create'],
250 description
=> "Create new user.",
252 additionalProperties
=> 0,
254 userid
=> get_standard_option
('userid-completed'),
255 enable
=> get_standard_option
('user-enable'),
256 expire
=> get_standard_option
('user-expire'),
257 firstname
=> get_standard_option
('user-firstname'),
258 lastname
=> get_standard_option
('user-lastname'),
259 email
=> get_standard_option
('user-email'),
260 comment
=> get_standard_option
('user-comment'),
261 keys => get_standard_option
('user-keys'),
263 description
=> "Initial password.",
269 groups
=> get_standard_option
('group-list'),
272 returns
=> { type
=> 'null' },
276 PVE
::AccessControl
::lock_user_config
(sub {
277 my ($username, $ruid, $realm) = PVE
::AccessControl
::verify_username
($param->{userid
});
279 my $usercfg = cfs_read_file
("user.cfg");
281 # ensure "user exists" check works for case insensitive realms
282 $username = PVE
::AccessControl
::lookup_username
($username, 1);
283 die "user '$username' already exists\n" if $usercfg->{users
}->{$username};
285 PVE
::AccessControl
::domain_set_password
($realm, $ruid, $param->{password
})
286 if defined($param->{password
});
288 my $enable = defined($param->{enable
}) ?
$param->{enable
} : 1;
289 $usercfg->{users
}->{$username} = { enable
=> $enable };
290 $usercfg->{users
}->{$username}->{expire
} = $param->{expire
} if $param->{expire
};
292 if ($param->{groups
}) {
293 foreach my $group (split_list
($param->{groups
})) {
294 if ($usercfg->{groups
}->{$group}) {
295 PVE
::AccessControl
::add_user_group
($username, $usercfg, $group);
297 die "no such group '$group'\n";
302 $usercfg->{users
}->{$username}->{firstname
} = $param->{firstname
} if $param->{firstname
};
303 $usercfg->{users
}->{$username}->{lastname
} = $param->{lastname
} if $param->{lastname
};
304 $usercfg->{users
}->{$username}->{email
} = $param->{email
} if $param->{email
};
305 $usercfg->{users
}->{$username}->{comment
} = $param->{comment
} if $param->{comment
};
306 $usercfg->{users
}->{$username}->{keys} = $param->{keys} if $param->{keys};
308 cfs_write_file
("user.cfg", $usercfg);
309 }, "create user failed");
314 __PACKAGE__-
>register_method ({
318 description
=> "Get user configuration.",
320 check
=> ['userid-group', ['User.Modify', 'Sys.Audit']],
323 additionalProperties
=> 0,
325 userid
=> get_standard_option
('userid-completed'),
329 additionalProperties
=> 0,
331 enable
=> get_standard_option
('user-enable'),
332 expire
=> get_standard_option
('user-expire'),
333 firstname
=> get_standard_option
('user-firstname'),
334 lastname
=> get_standard_option
('user-lastname'),
335 email
=> get_standard_option
('user-email'),
336 comment
=> get_standard_option
('user-comment'),
337 keys => get_standard_option
('user-keys'),
343 format
=> 'pve-groupid',
349 additionalProperties
=> get_standard_option
('token-info'),
357 my ($username, undef, $domain) = PVE
::AccessControl
::verify_username
($param->{userid
});
359 my $usercfg = cfs_read_file
("user.cfg");
361 my $data = PVE
::AccessControl
::check_user_exist
($usercfg, $username);
363 return &$extract_user_data($data, 1);
366 __PACKAGE__-
>register_method ({
367 name
=> 'update_user',
372 check
=> ['userid-group', ['User.Modify'], groups_param
=> 'update' ],
374 description
=> "Update user configuration.",
376 additionalProperties
=> 0,
378 userid
=> get_standard_option
('userid-completed'),
379 enable
=> get_standard_option
('user-enable'),
380 expire
=> get_standard_option
('user-expire'),
381 firstname
=> get_standard_option
('user-firstname'),
382 lastname
=> get_standard_option
('user-lastname'),
383 email
=> get_standard_option
('user-email'),
384 comment
=> get_standard_option
('user-comment'),
385 keys => get_standard_option
('user-keys'),
386 groups
=> get_standard_option
('group-list'),
390 requires
=> 'groups',
394 returns
=> { type
=> 'null' },
398 my ($username, $ruid, $realm) = PVE
::AccessControl
::verify_username
($param->{userid
});
400 PVE
::AccessControl
::lock_user_config
(sub {
401 my $usercfg = cfs_read_file
("user.cfg");
403 PVE
::AccessControl
::check_user_exist
($usercfg, $username);
405 $usercfg->{users
}->{$username}->{enable
} = $param->{enable
} if defined($param->{enable
});
406 $usercfg->{users
}->{$username}->{expire
} = $param->{expire
} if defined($param->{expire
});
408 PVE
::AccessControl
::delete_user_group
($username, $usercfg)
409 if (!$param->{append
} && defined($param->{groups
}));
411 if ($param->{groups
}) {
412 foreach my $group (split_list
($param->{groups
})) {
413 if ($usercfg->{groups
}->{$group}) {
414 PVE
::AccessControl
::add_user_group
($username, $usercfg, $group);
416 die "no such group '$group'\n";
421 $usercfg->{users
}->{$username}->{firstname
} = $param->{firstname
} if defined($param->{firstname
});
422 $usercfg->{users
}->{$username}->{lastname
} = $param->{lastname
} if defined($param->{lastname
});
423 $usercfg->{users
}->{$username}->{email
} = $param->{email
} if defined($param->{email
});
424 $usercfg->{users
}->{$username}->{comment
} = $param->{comment
} if defined($param->{comment
});
425 $usercfg->{users
}->{$username}->{keys} = $param->{keys} if defined($param->{keys});
427 cfs_write_file
("user.cfg", $usercfg);
428 }, "update user failed");
433 __PACKAGE__-
>register_method ({
434 name
=> 'delete_user',
438 description
=> "Delete user.",
441 [ 'userid-param', 'Realm.AllocateUser'],
442 [ 'userid-group', ['User.Modify']],
446 additionalProperties
=> 0,
448 userid
=> get_standard_option
('userid-completed'),
451 returns
=> { type
=> 'null' },
455 my $rpcenv = PVE
::RPCEnvironment
::get
();
456 my $authuser = $rpcenv->get_user();
458 my ($userid, $ruid, $realm) = PVE
::AccessControl
::verify_username
($param->{userid
});
460 PVE
::AccessControl
::lock_user_config
(sub {
461 my $usercfg = cfs_read_file
("user.cfg");
463 # NOTE: disable the user first (transaction like), so if (e.g.) we fail in the middle of
464 # TFA deletion the user will be still disabled and not just without TFA protection.
465 $usercfg->{users
}->{$userid}->{enable
} = 0;
466 cfs_write_file
("user.cfg", $usercfg);
468 my $domain_cfg = cfs_read_file
('domains.cfg');
469 if (my $cfg = $domain_cfg->{ids
}->{$realm}) {
470 my $plugin = PVE
::Auth
::Plugin-
>lookup($cfg->{type
});
471 $plugin->delete_user($cfg, $realm, $ruid);
474 # Remove user from cache before removing the TFA entry so realms with TFA-enforcement
475 # know that it's OK to drop any TFA entry in that case.
476 delete $usercfg->{users
}->{$userid};
478 my $partial_deletion = '';
480 PVE
::AccessControl
::user_remove_tfa
($userid);
481 $partial_deletion = ' - but deleted related TFA';
483 PVE
::AccessControl
::delete_user_group
($userid, $usercfg);
484 $partial_deletion .= ', Groups';
485 PVE
::AccessControl
::delete_user_acl
($userid, $usercfg);
486 $partial_deletion .= ', ACLs';
488 cfs_write_file
("user.cfg", $usercfg);
490 die "$@$partial_deletion\n" if $@;
491 }, "delete user failed");
496 __PACKAGE__-
>register_method ({
497 name
=> 'read_user_tfa_type',
498 path
=> '{userid}/tfa',
501 description
=> "Get user TFA types (Personal and Realm).",
504 ['userid-param', 'self'],
505 ['userid-group', ['User.Modify', 'Sys.Audit']],
509 additionalProperties
=> 0,
511 userid
=> get_standard_option
('userid-completed'),
514 description
=> 'Request all entries as an array.',
521 additionalProperties
=> 0,
525 enum
=> [qw(oath yubico)],
526 description
=> "The type of TFA the users realm has set, if any.",
531 enum
=> [qw(oath u2f)],
533 "The type of TFA the user has set, if any."
534 . " Only set if 'multiple' was not passed.",
540 "Array of the user configured TFA types, if any."
541 . " Only available if 'multiple' was not passed.",
545 enum
=> [qw(totp u2f yubico webauthn recovedry)],
546 description
=> 'A TFA type.',
555 my ($username, undef, $realm) = PVE
::AccessControl
::verify_username
($param->{userid
});
557 my $domain_cfg = cfs_read_file
('domains.cfg');
558 my $realm_cfg = $domain_cfg->{ids
}->{$realm};
559 die "auth domain '$realm' does not exist\n" if !$realm_cfg;
563 $realm_tfa = PVE
::Auth
::Plugin
::parse_tfa_config
($realm_cfg->{tfa
}) if $realm_cfg->{tfa
};
564 $res->{realm
} = $realm_tfa->{type
} if $realm_tfa->{type
};
566 my $tfa_cfg = cfs_read_file
('priv/tfa.cfg');
567 if ($param->{multiple
}) {
568 my $tfa = $tfa_cfg->get_user($username);
570 foreach my $type (keys %$tfa) {
571 next if !scalar($tfa->{$type}->@*);
574 $res->{user
} = $user;
576 my $tfa = $tfa_cfg->{users
}->{$username};
577 $res->{user
} = $tfa->{type
} if $tfa->{type
};
582 __PACKAGE__-
>register_method ({
583 name
=> 'unlock_tfa',
584 path
=> '{userid}/unlock-tfa',
587 description
=> "Unlock a user's TFA authentication.",
589 check
=> [ 'userid-group', ['User.Modify']],
592 additionalProperties
=> 0,
594 userid
=> get_standard_option
('userid-completed'),
597 returns
=> { type
=> 'boolean' },
601 my $userid = extract_param
($param, "userid");
603 my $user_was_locked = PVE
::AccessControl
::lock_tfa_config
(sub {
604 my $tfa_cfg = cfs_read_file
('priv/tfa.cfg');
605 my $was_locked = $tfa_cfg->api_unlock_tfa($userid);
606 cfs_write_file
('priv/tfa.cfg', $tfa_cfg)
611 return $user_was_locked;
614 __PACKAGE__-
>register_method ({
615 name
=> 'token_index',
616 path
=> '{userid}/token',
618 description
=> "Get user API tokens.",
622 ['userid-param', 'self'],
623 ['userid-group', ['User.Modify']],
627 additionalProperties
=> 0,
629 userid
=> get_standard_option
('userid-completed'),
634 items
=> $token_info_extend->({
635 tokenid
=> get_standard_option
('token-subid'),
637 links
=> [ { rel
=> 'child', href
=> "{tokenid}" } ],
642 my $userid = PVE
::AccessControl
::verify_username
($param->{userid
});
643 my $usercfg = cfs_read_file
("user.cfg");
645 my $user = PVE
::AccessControl
::check_user_exist
($usercfg, $userid);
647 my $tokens = $user->{tokens
} // {};
648 return [ map { $tokens->{$_}->{tokenid
} = $_; $tokens->{$_} } keys %$tokens];
651 __PACKAGE__-
>register_method ({
652 name
=> 'read_token',
653 path
=> '{userid}/token/{tokenid}',
655 description
=> "Get specific API token information.",
659 ['userid-param', 'self'],
660 ['userid-group', ['User.Modify']],
664 additionalProperties
=> 0,
666 userid
=> get_standard_option
('userid-completed'),
667 tokenid
=> get_standard_option
('token-subid'),
670 returns
=> get_standard_option
('token-info'),
674 my $userid = PVE
::AccessControl
::verify_username
($param->{userid
});
675 my $tokenid = $param->{tokenid
};
677 my $usercfg = cfs_read_file
("user.cfg");
679 return PVE
::AccessControl
::check_token_exist
($usercfg, $userid, $tokenid);
682 __PACKAGE__-
>register_method ({
683 name
=> 'generate_token',
684 path
=> '{userid}/token/{tokenid}',
686 description
=> "Generate a new API token for a specific user. NOTE: returns API token value, which needs to be stored as it cannot be retrieved afterwards!",
691 ['userid-param', 'self'],
692 ['userid-group', ['User.Modify']],
696 additionalProperties
=> 0,
698 userid
=> get_standard_option
('userid-completed'),
699 tokenid
=> get_standard_option
('token-subid'),
700 expire
=> get_standard_option
('token-expire'),
701 privsep
=> get_standard_option
('token-privsep'),
702 comment
=> get_standard_option
('token-comment'),
706 additionalProperties
=> 0,
709 info
=> get_standard_option
('token-info'),
712 description
=> 'API token value used for authentication.',
716 format_description
=> '<userid>!<tokenid>',
717 description
=> 'The full token id.',
724 my $userid = PVE
::AccessControl
::verify_username
(extract_param
($param, 'userid'));
725 my $tokenid = extract_param
($param, 'tokenid');
727 my $usercfg = cfs_read_file
("user.cfg");
729 my $token = PVE
::AccessControl
::check_token_exist
($usercfg, $userid, $tokenid, 1);
730 my ($full_tokenid, $value);
732 PVE
::AccessControl
::check_user_exist
($usercfg, $userid);
733 raise_param_exc
({ 'tokenid' => 'Token already exists.' }) if defined($token);
735 my $generate_and_add_token = sub {
736 $usercfg = cfs_read_file
("user.cfg");
737 PVE
::AccessControl
::check_user_exist
($usercfg, $userid);
738 die "Token already exists.\n" if defined(PVE
::AccessControl
::check_token_exist
($usercfg, $userid, $tokenid, 1));
740 $full_tokenid = PVE
::AccessControl
::join_tokenid
($userid, $tokenid);
741 $value = PVE
::TokenConfig
::generate_token
($full_tokenid);
744 $token->{privsep
} = defined($param->{privsep
}) ?
$param->{privsep
} : 1;
745 $token->{expire
} = $param->{expire
} if defined($param->{expire
});
746 $token->{comment
} = $param->{comment
} if $param->{comment
};
748 $usercfg->{users
}->{$userid}->{tokens
}->{$tokenid} = $token;
749 cfs_write_file
("user.cfg", $usercfg);
752 PVE
::AccessControl
::lock_user_config
($generate_and_add_token, 'generating token failed');
757 'full-tokenid' => $full_tokenid,
762 __PACKAGE__-
>register_method ({
763 name
=> 'update_token_info',
764 path
=> '{userid}/token/{tokenid}',
766 description
=> "Update API token for a specific user.",
771 ['userid-param', 'self'],
772 ['userid-group', ['User.Modify']],
776 additionalProperties
=> 0,
778 userid
=> get_standard_option
('userid-completed'),
779 tokenid
=> get_standard_option
('token-subid'),
780 expire
=> get_standard_option
('token-expire'),
781 privsep
=> get_standard_option
('token-privsep'),
782 comment
=> get_standard_option
('token-comment'),
785 returns
=> get_standard_option
('token-info', { description
=> "Updated token information." }),
789 my $userid = PVE
::AccessControl
::verify_username
(extract_param
($param, 'userid'));
790 my $tokenid = extract_param
($param, 'tokenid');
792 my $usercfg = cfs_read_file
("user.cfg");
793 my $token = PVE
::AccessControl
::check_token_exist
($usercfg, $userid, $tokenid);
795 PVE
::AccessControl
::lock_user_config
(sub {
796 $usercfg = cfs_read_file
("user.cfg");
797 $token = PVE
::AccessControl
::check_token_exist
($usercfg, $userid, $tokenid);
799 my $full_tokenid = PVE
::AccessControl
::join_tokenid
($userid, $tokenid);
801 $token->{privsep
} = $param->{privsep
} if defined($param->{privsep
});
802 $token->{expire
} = $param->{expire
} if defined($param->{expire
});
803 $token->{comment
} = $param->{comment
} if $param->{comment
};
805 $usercfg->{users
}->{$userid}->{tokens
}->{$tokenid} = $token;
806 cfs_write_file
("user.cfg", $usercfg);
807 }, 'updating token info failed');
813 __PACKAGE__-
>register_method ({
814 name
=> 'remove_token',
815 path
=> '{userid}/token/{tokenid}',
817 description
=> "Remove API token for a specific user.",
822 ['userid-param', 'self'],
823 ['userid-group', ['User.Modify']],
827 additionalProperties
=> 0,
829 userid
=> get_standard_option
('userid-completed'),
830 tokenid
=> get_standard_option
('token-subid'),
833 returns
=> { type
=> 'null' },
837 my $userid = PVE
::AccessControl
::verify_username
(extract_param
($param, 'userid'));
838 my $tokenid = extract_param
($param, 'tokenid');
840 my $usercfg = cfs_read_file
("user.cfg");
841 my $token = PVE
::AccessControl
::check_token_exist
($usercfg, $userid, $tokenid);
843 PVE
::AccessControl
::lock_user_config
(sub {
844 $usercfg = cfs_read_file
("user.cfg");
846 PVE
::AccessControl
::check_token_exist
($usercfg, $userid, $tokenid);
848 my $full_tokenid = PVE
::AccessControl
::join_tokenid
($userid, $tokenid);
849 PVE
::TokenConfig
::delete_token
($full_tokenid);
850 delete $usercfg->{users
}->{$userid}->{tokens
}->{$tokenid};
852 cfs_write_file
("user.cfg", $usercfg);
853 }, 'deleting token failed');