1 package PVE
::API2
::User
;
6 use PVE
::Exception
qw(raise raise_perm_exc raise_param_exc);
7 use PVE
::Cluster qw
(cfs_read_file cfs_write_file
);
8 use PVE
::Tools
qw(split_list extract_param);
9 use PVE
::JSONSchema
qw(get_standard_option register_standard_option);
12 use PVE
::AccessControl
;
17 use base
qw(PVE::RESTHandler);
19 register_standard_option
('user-enable', {
20 description
=> "Enable the account (default). You can set this to '0' to disable the account",
25 register_standard_option
('user-expire', {
26 description
=> "Account expiration date (seconds since epoch). '0' means no expiration date.",
31 register_standard_option
('user-firstname', { type
=> 'string', optional
=> 1 });
32 register_standard_option
('user-lastname', { type
=> 'string', optional
=> 1 });
33 register_standard_option
('user-email', { type
=> 'string', optional
=> 1, format
=> 'email-opt' });
34 register_standard_option
('user-comment', { type
=> 'string', optional
=> 1 });
35 register_standard_option
('user-keys', {
36 description
=> "Keys for two factor auth (yubico).",
40 register_standard_option
('group-list', {
41 type
=> 'string', format
=> 'pve-groupid-list',
43 completion
=> \
&PVE
::AccessControl
::complete_group
,
45 register_standard_option
('token-subid', {
47 pattern
=> $PVE::AccessControl
::token_subid_regex
,
48 description
=> 'User-specific token identifier.',
50 register_standard_option
('token-expire', {
51 description
=> "API token expiration date (seconds since epoch). '0' means no expiration date.",
55 default => 'same as user',
57 register_standard_option
('token-privsep', {
58 description
=> "Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.",
63 register_standard_option
('token-comment', { type
=> 'string', optional
=> 1 });
64 register_standard_option
('token-info', {
67 expire
=> get_standard_option
('token-expire'),
68 privsep
=> get_standard_option
('token-privsep'),
69 comment
=> get_standard_option
('token-comment'),
73 my $token_info_extend = sub {
76 my $obj = get_standard_option
('token-info');
77 my $base_props = $obj->{properties
};
78 $obj->{properties
} = {};
80 foreach my $prop (keys %$base_props) {
81 $obj->{properties
}->{$prop} = $base_props->{$prop};
84 foreach my $add_prop (keys %$props) {
85 $obj->{properties
}->{$add_prop} = $props->{$add_prop};
91 my $extract_user_data = sub {
92 my ($data, $full) = @_;
96 foreach my $prop (qw(enable expire firstname lastname email comment keys)) {
97 $res->{$prop} = $data->{$prop} if defined($data->{$prop});
100 return $res if !$full;
102 $res->{groups
} = $data->{groups
} ?
[ keys %{$data->{groups
}} ] : [];
103 $res->{tokens
} = $data->{tokens
};
108 __PACKAGE__-
>register_method ({
112 description
=> "User index.",
114 description
=> "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.",
118 additionalProperties
=> 0,
122 description
=> "Optional filter for enable property.",
127 description
=> "Include group and token information.",
138 userid
=> get_standard_option
('userid-completed'),
139 enable
=> get_standard_option
('user-enable'),
140 expire
=> get_standard_option
('user-expire'),
141 firstname
=> get_standard_option
('user-firstname'),
142 lastname
=> get_standard_option
('user-lastname'),
143 email
=> get_standard_option
('user-email'),
144 comment
=> get_standard_option
('user-comment'),
145 keys => get_standard_option
('user-keys'),
146 groups
=> get_standard_option
('group-list'),
150 items
=> $token_info_extend->({
151 tokenid
=> get_standard_option
('token-subid'),
155 type
=> 'string', format
=> 'pve-realm',
156 description
=> 'The type of the users realm',
157 optional
=> 1, # it should always be there, but we use conditional code below, so..
161 links
=> [ { rel
=> 'child', href
=> "{userid}" } ],
166 my $rpcenv = PVE
::RPCEnvironment
::get
();
167 my $usercfg = $rpcenv->{user_cfg
};
168 my $authuser = $rpcenv->get_user();
170 my $domainscfg = cfs_read_file
('domains.cfg');
171 my $domainids = $domainscfg->{ids
};
175 my $privs = [ 'User.Modify', 'Sys.Audit' ];
176 my $canUserMod = $rpcenv->check_any($authuser, "/access/groups", $privs, 1);
177 my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
178 my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
180 foreach my $user (sort keys %{$usercfg->{users
}}) {
181 if (!($canUserMod || $user eq $authuser)) {
182 next if !$allowed_users->{$user};
185 my $entry = $extract_user_data->($usercfg->{users
}->{$user}, $param->{full
});
187 if (defined($param->{enabled
})) {
188 next if $entry->{enable
} && !$param->{enabled
};
189 next if !$entry->{enable
} && $param->{enabled
};
192 $entry->{groups
} = join(',', @{$entry->{groups
}}) if $entry->{groups
};
194 if (defined(my $tokens = $entry->{tokens
})) {
196 map { { tokenid
=> $_, %{$tokens->{$_}} } } sort keys %$tokens
200 my (undef, undef, $realm) = PVE
::AccessControl
::verify_username
($user, 1);
201 if (defined($realm) && exists($domainids->{$realm})) {
202 $entry->{'realm-type'} = $domainids->{$realm}->{type
};
205 $entry->{userid
} = $user;
213 __PACKAGE__-
>register_method ({
214 name
=> 'create_user',
219 description
=> "You need 'Realm.AllocateUser' on '/access/realm/<realm>' on the realm of user <userid>, and 'User.Modify' permissions to '/access/groups/<group>' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.",
221 [ 'userid-param', 'Realm.AllocateUser'],
222 [ 'userid-group', ['User.Modify'], groups_param
=> 1],
225 description
=> "Create new user.",
227 additionalProperties
=> 0,
229 userid
=> get_standard_option
('userid-completed'),
230 enable
=> get_standard_option
('user-enable'),
231 expire
=> get_standard_option
('user-expire'),
232 firstname
=> get_standard_option
('user-firstname'),
233 lastname
=> get_standard_option
('user-lastname'),
234 email
=> get_standard_option
('user-email'),
235 comment
=> get_standard_option
('user-comment'),
236 keys => get_standard_option
('user-keys'),
238 description
=> "Initial password.",
244 groups
=> get_standard_option
('group-list'),
247 returns
=> { type
=> 'null' },
251 PVE
::AccessControl
::lock_user_config
(sub {
252 my ($username, $ruid, $realm) = PVE
::AccessControl
::verify_username
($param->{userid
});
254 my $usercfg = cfs_read_file
("user.cfg");
256 # ensure "user exists" check works for case insensitive realms
257 $username = PVE
::AccessControl
::lookup_username
($username, 1);
258 die "user '$username' already exists\n" if $usercfg->{users
}->{$username};
260 PVE
::AccessControl
::domain_set_password
($realm, $ruid, $param->{password
})
261 if defined($param->{password
});
263 my $enable = defined($param->{enable
}) ?
$param->{enable
} : 1;
264 $usercfg->{users
}->{$username} = { enable
=> $enable };
265 $usercfg->{users
}->{$username}->{expire
} = $param->{expire
} if $param->{expire
};
267 if ($param->{groups
}) {
268 foreach my $group (split_list
($param->{groups
})) {
269 if ($usercfg->{groups
}->{$group}) {
270 PVE
::AccessControl
::add_user_group
($username, $usercfg, $group);
272 die "no such group '$group'\n";
277 $usercfg->{users
}->{$username}->{firstname
} = $param->{firstname
} if $param->{firstname
};
278 $usercfg->{users
}->{$username}->{lastname
} = $param->{lastname
} if $param->{lastname
};
279 $usercfg->{users
}->{$username}->{email
} = $param->{email
} if $param->{email
};
280 $usercfg->{users
}->{$username}->{comment
} = $param->{comment
} if $param->{comment
};
281 $usercfg->{users
}->{$username}->{keys} = $param->{keys} if $param->{keys};
283 cfs_write_file
("user.cfg", $usercfg);
284 }, "create user failed");
289 __PACKAGE__-
>register_method ({
293 description
=> "Get user configuration.",
295 check
=> ['userid-group', ['User.Modify', 'Sys.Audit']],
298 additionalProperties
=> 0,
300 userid
=> get_standard_option
('userid-completed'),
304 additionalProperties
=> 0,
306 enable
=> get_standard_option
('user-enable'),
307 expire
=> get_standard_option
('user-expire'),
308 firstname
=> get_standard_option
('user-firstname'),
309 lastname
=> get_standard_option
('user-lastname'),
310 email
=> get_standard_option
('user-email'),
311 comment
=> get_standard_option
('user-comment'),
312 keys => get_standard_option
('user-keys'),
318 format
=> 'pve-groupid',
331 my ($username, undef, $domain) =
332 PVE
::AccessControl
::verify_username
($param->{userid
});
334 my $usercfg = cfs_read_file
("user.cfg");
336 my $data = PVE
::AccessControl
::check_user_exist
($usercfg, $username);
338 return &$extract_user_data($data, 1);
341 __PACKAGE__-
>register_method ({
342 name
=> 'update_user',
347 check
=> ['userid-group', ['User.Modify'], groups_param
=> 1 ],
349 description
=> "Update user configuration.",
351 additionalProperties
=> 0,
353 userid
=> get_standard_option
('userid-completed'),
354 enable
=> get_standard_option
('user-enable'),
355 expire
=> get_standard_option
('user-expire'),
356 firstname
=> get_standard_option
('user-firstname'),
357 lastname
=> get_standard_option
('user-lastname'),
358 email
=> get_standard_option
('user-email'),
359 comment
=> get_standard_option
('user-comment'),
360 keys => get_standard_option
('user-keys'),
361 groups
=> get_standard_option
('group-list'),
365 requires
=> 'groups',
369 returns
=> { type
=> 'null' },
373 my ($username, $ruid, $realm) =
374 PVE
::AccessControl
::verify_username
($param->{userid
});
376 PVE
::AccessControl
::lock_user_config
(
379 my $usercfg = cfs_read_file
("user.cfg");
381 PVE
::AccessControl
::check_user_exist
($usercfg, $username);
383 $usercfg->{users
}->{$username}->{enable
} = $param->{enable
} if defined($param->{enable
});
385 $usercfg->{users
}->{$username}->{expire
} = $param->{expire
} if defined($param->{expire
});
387 PVE
::AccessControl
::delete_user_group
($username, $usercfg)
388 if (!$param->{append
} && defined($param->{groups
}));
390 if ($param->{groups
}) {
391 foreach my $group (split_list
($param->{groups
})) {
392 if ($usercfg->{groups
}->{$group}) {
393 PVE
::AccessControl
::add_user_group
($username, $usercfg, $group);
395 die "no such group '$group'\n";
400 $usercfg->{users
}->{$username}->{firstname
} = $param->{firstname
} if defined($param->{firstname
});
401 $usercfg->{users
}->{$username}->{lastname
} = $param->{lastname
} if defined($param->{lastname
});
402 $usercfg->{users
}->{$username}->{email
} = $param->{email
} if defined($param->{email
});
403 $usercfg->{users
}->{$username}->{comment
} = $param->{comment
} if defined($param->{comment
});
404 $usercfg->{users
}->{$username}->{keys} = $param->{keys} if defined($param->{keys});
406 cfs_write_file
("user.cfg", $usercfg);
407 }, "update user failed");
412 __PACKAGE__-
>register_method ({
413 name
=> 'delete_user',
417 description
=> "Delete user.",
420 [ 'userid-param', 'Realm.AllocateUser'],
421 [ 'userid-group', ['User.Modify']],
425 additionalProperties
=> 0,
427 userid
=> get_standard_option
('userid-completed'),
430 returns
=> { type
=> 'null' },
434 my $rpcenv = PVE
::RPCEnvironment
::get
();
435 my $authuser = $rpcenv->get_user();
437 my ($userid, $ruid, $realm) =
438 PVE
::AccessControl
::verify_username
($param->{userid
});
440 PVE
::AccessControl
::lock_user_config
(
443 my $usercfg = cfs_read_file
("user.cfg");
445 my $domain_cfg = cfs_read_file
('domains.cfg');
446 if (my $cfg = $domain_cfg->{ids
}->{$realm}) {
447 my $plugin = PVE
::Auth
::Plugin-
>lookup($cfg->{type
});
448 $plugin->delete_user($cfg, $realm, $ruid);
451 # Remove TFA data before removing the user entry as the user entry tells us whether
452 # we need ot update priv/tfa.cfg.
453 PVE
::AccessControl
::user_set_tfa
($userid, $realm, undef, undef, $usercfg, $domain_cfg);
455 delete $usercfg->{users
}->{$userid};
457 PVE
::AccessControl
::delete_user_group
($userid, $usercfg);
458 PVE
::AccessControl
::delete_user_acl
($userid, $usercfg);
459 cfs_write_file
("user.cfg", $usercfg);
460 }, "delete user failed");
465 __PACKAGE__-
>register_method ({
466 name
=> 'read_user_tfa_type',
467 path
=> '{userid}/tfa',
470 description
=> "Get user TFA types (Personal and Realm).",
473 ['userid-param', 'self'],
474 ['userid-group', ['User.Modify', 'Sys.Audit']],
478 additionalProperties
=> 0,
480 userid
=> get_standard_option
('userid-completed'),
484 additionalProperties
=> 0,
488 enum
=> [qw(oath yubico)],
489 description
=> "The type of TFA the users realm has set, if any.",
494 enum
=> [qw(oath u2f)],
495 description
=> "The type of TFA the user has set, if any.",
504 my ($username, undef, $realm) = PVE
::AccessControl
::verify_username
($param->{userid
});
507 my $domain_cfg = cfs_read_file
('domains.cfg');
508 my $realm_cfg = $domain_cfg->{ids
}->{$realm};
509 die "auth domain '$realm' does not exist\n" if !$realm_cfg;
512 $realm_tfa = PVE
::Auth
::Plugin
::parse_tfa_config
($realm_cfg->{tfa
})
513 if $realm_cfg->{tfa
};
515 my $tfa_cfg = cfs_read_file
('priv/tfa.cfg');
516 my $tfa = $tfa_cfg->{users
}->{$username};
519 $res->{realm
} = $realm_tfa->{type
} if $realm_tfa->{type
};
520 $res->{user
} = $tfa->{type
} if $tfa->{type
};
524 __PACKAGE__-
>register_method ({
525 name
=> 'token_index',
526 path
=> '{userid}/token',
528 description
=> "Get user API tokens.",
531 ['userid-param', 'self'],
532 ['perm', '/access/users/{userid}', ['User.Modify']],
536 additionalProperties
=> 0,
538 userid
=> get_standard_option
('userid-completed'),
543 items
=> $token_info_extend->({
544 tokenid
=> get_standard_option
('token-subid'),
546 links
=> [ { rel
=> 'child', href
=> "{tokenid}" } ],
551 my $userid = PVE
::AccessControl
::verify_username
($param->{userid
});
552 my $usercfg = cfs_read_file
("user.cfg");
554 my $user = PVE
::AccessControl
::check_user_exist
($usercfg, $userid);
556 my $tokens = $user->{tokens
} // {};
557 return [ map { $tokens->{$_}->{tokenid
} = $_; $tokens->{$_} } keys %$tokens];
560 __PACKAGE__-
>register_method ({
561 name
=> 'read_token',
562 path
=> '{userid}/token/{tokenid}',
564 description
=> "Get specific API token information.",
567 ['userid-param', 'self'],
568 ['perm', '/access/users/{userid}', ['User.Modify']],
572 additionalProperties
=> 0,
574 userid
=> get_standard_option
('userid-completed'),
575 tokenid
=> get_standard_option
('token-subid'),
578 returns
=> get_standard_option
('token-info'),
582 my $userid = PVE
::AccessControl
::verify_username
($param->{userid
});
583 my $tokenid = $param->{tokenid
};
585 my $usercfg = cfs_read_file
("user.cfg");
587 return PVE
::AccessControl
::check_token_exist
($usercfg, $userid, $tokenid);
590 __PACKAGE__-
>register_method ({
591 name
=> 'generate_token',
592 path
=> '{userid}/token/{tokenid}',
594 description
=> "Generate a new API token for a specific user. NOTE: returns API token value, which needs to be stored as it cannot be retrieved afterwards!",
598 ['userid-param', 'self'],
599 ['perm', '/access/users/{userid}', ['User.Modify']],
603 additionalProperties
=> 0,
605 userid
=> get_standard_option
('userid-completed'),
606 tokenid
=> get_standard_option
('token-subid'),
607 expire
=> get_standard_option
('token-expire'),
608 privsep
=> get_standard_option
('token-privsep'),
609 comment
=> get_standard_option
('token-comment'),
613 additionalProperties
=> 0,
616 info
=> get_standard_option
('token-info'),
619 description
=> 'API token value used for authentication.',
623 format_description
=> '<userid>!<tokenid>',
624 description
=> 'The full token id.',
631 my $userid = PVE
::AccessControl
::verify_username
(extract_param
($param, 'userid'));
632 my $tokenid = extract_param
($param, 'tokenid');
634 my $usercfg = cfs_read_file
("user.cfg");
636 my $token = PVE
::AccessControl
::check_token_exist
($usercfg, $userid, $tokenid, 1);
637 my ($full_tokenid, $value);
639 PVE
::AccessControl
::check_user_exist
($usercfg, $userid);
640 raise_param_exc
({ 'tokenid' => 'Token already exists.' }) if defined($token);
642 my $generate_and_add_token = sub {
643 $usercfg = cfs_read_file
("user.cfg");
644 PVE
::AccessControl
::check_user_exist
($usercfg, $userid);
645 die "Token already exists.\n" if defined(PVE
::AccessControl
::check_token_exist
($usercfg, $userid, $tokenid, 1));
647 $full_tokenid = PVE
::AccessControl
::join_tokenid
($userid, $tokenid);
648 $value = PVE
::TokenConfig
::generate_token
($full_tokenid);
651 $token->{privsep
} = defined($param->{privsep
}) ?
$param->{privsep
} : 1;
652 $token->{expire
} = $param->{expire
} if defined($param->{expire
});
653 $token->{comment
} = $param->{comment
} if $param->{comment
};
655 $usercfg->{users
}->{$userid}->{tokens
}->{$tokenid} = $token;
656 cfs_write_file
("user.cfg", $usercfg);
659 PVE
::AccessControl
::lock_user_config
($generate_and_add_token, 'generating token failed');
664 'full-tokenid' => $full_tokenid,
669 __PACKAGE__-
>register_method ({
670 name
=> 'update_token_info',
671 path
=> '{userid}/token/{tokenid}',
673 description
=> "Update API token for a specific user.",
677 ['userid-param', 'self'],
678 ['perm', '/access/users/{userid}', ['User.Modify']],
682 additionalProperties
=> 0,
684 userid
=> get_standard_option
('userid-completed'),
685 tokenid
=> get_standard_option
('token-subid'),
686 expire
=> get_standard_option
('token-expire'),
687 privsep
=> get_standard_option
('token-privsep'),
688 comment
=> get_standard_option
('token-comment'),
691 returns
=> get_standard_option
('token-info', { description
=> "Updated token information." }),
695 my $userid = PVE
::AccessControl
::verify_username
(extract_param
($param, 'userid'));
696 my $tokenid = extract_param
($param, 'tokenid');
698 my $usercfg = cfs_read_file
("user.cfg");
699 my $token = PVE
::AccessControl
::check_token_exist
($usercfg, $userid, $tokenid);
701 my $update_token = sub {
702 $usercfg = cfs_read_file
("user.cfg");
703 $token = PVE
::AccessControl
::check_token_exist
($usercfg, $userid, $tokenid);
705 my $full_tokenid = PVE
::AccessControl
::join_tokenid
($userid, $tokenid);
707 $token->{privsep
} = $param->{privsep
} if defined($param->{privsep
});
708 $token->{expire
} = $param->{expire
} if defined($param->{expire
});
709 $token->{comment
} = $param->{comment
} if $param->{comment
};
711 $usercfg->{users
}->{$userid}->{tokens
}->{$tokenid} = $token;
712 cfs_write_file
("user.cfg", $usercfg);
715 PVE
::AccessControl
::lock_user_config
($update_token, 'updating token info failed');
721 __PACKAGE__-
>register_method ({
722 name
=> 'remove_token',
723 path
=> '{userid}/token/{tokenid}',
725 description
=> "Remove API token for a specific user.",
729 ['userid-param', 'self'],
730 ['perm', '/access/users/{userid}', ['User.Modify']],
734 additionalProperties
=> 0,
736 userid
=> get_standard_option
('userid-completed'),
737 tokenid
=> get_standard_option
('token-subid'),
740 returns
=> { type
=> 'null' },
744 my $userid = PVE
::AccessControl
::verify_username
(extract_param
($param, 'userid'));
745 my $tokenid = extract_param
($param, 'tokenid');
747 my $usercfg = cfs_read_file
("user.cfg");
748 my $token = PVE
::AccessControl
::check_token_exist
($usercfg, $userid, $tokenid);
750 my $update_token = sub {
751 $usercfg = cfs_read_file
("user.cfg");
753 PVE
::AccessControl
::check_token_exist
($usercfg, $userid, $tokenid);
755 my $full_tokenid = PVE
::AccessControl
::join_tokenid
($userid, $tokenid);
756 PVE
::TokenConfig
::delete_token
($full_tokenid);
757 delete $usercfg->{users
}->{$userid}->{tokens
}->{$tokenid};
759 cfs_write_file
("user.cfg", $usercfg);
762 PVE
::AccessControl
::lock_user_config
($update_token, 'deleting token failed');