1 package PVE
::API2
::User
;
6 use PVE
::Exception
qw(raise raise_perm_exc raise_param_exc);
7 use PVE
::Cluster qw
(cfs_read_file cfs_write_file
);
8 use PVE
::Tools
qw(split_list extract_param);
9 use PVE
::JSONSchema
qw(get_standard_option register_standard_option);
12 use PVE
::AccessControl
;
13 use PVE
::Auth
::Plugin
;
18 use base
qw(PVE::RESTHandler);
20 register_standard_option
('user-enable', {
21 description
=> "Enable the account (default). You can set this to '0' to disable the account",
26 register_standard_option
('user-expire', {
27 description
=> "Account expiration date (seconds since epoch). '0' means no expiration date.",
32 register_standard_option
('user-firstname', { type
=> 'string', optional
=> 1, maxLength
=> 1024, });
33 register_standard_option
('user-lastname', { type
=> 'string', optional
=> 1, maxLength
=> 1024, });
34 register_standard_option
('user-email', {
37 format
=> 'email-opt',
38 maxLength
=> 254, # 256 including punctuation and separator is the max path as per RFC 5321
40 register_standard_option
('user-comment', {
45 register_standard_option
('user-keys', {
46 description
=> "Keys for two factor auth (yubico).",
48 pattern
=> '[0-9a-zA-Z!=]{0,4096}',
51 register_standard_option
('group-list', {
52 type
=> 'string', format
=> 'pve-groupid-list',
54 completion
=> \
&PVE
::AccessControl
::complete_group
,
56 register_standard_option
('token-subid', {
58 pattern
=> $PVE::AccessControl
::token_subid_regex
,
59 description
=> 'User-specific token identifier.',
61 register_standard_option
('token-expire', {
62 description
=> "API token expiration date (seconds since epoch). '0' means no expiration date.",
66 default => 'same as user',
68 register_standard_option
('token-privsep', {
69 description
=> "Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.",
74 register_standard_option
('token-comment', { type
=> 'string', optional
=> 1 });
75 register_standard_option
('token-info', {
78 expire
=> get_standard_option
('token-expire'),
79 privsep
=> get_standard_option
('token-privsep'),
80 comment
=> get_standard_option
('token-comment'),
84 my $token_info_extend = sub {
87 my $obj = get_standard_option
('token-info');
88 my $base_props = $obj->{properties
};
89 $obj->{properties
} = {};
91 foreach my $prop (keys %$base_props) {
92 $obj->{properties
}->{$prop} = $base_props->{$prop};
95 foreach my $add_prop (keys %$props) {
96 $obj->{properties
}->{$add_prop} = $props->{$add_prop};
102 my $extract_user_data = sub {
103 my ($data, $full) = @_;
107 foreach my $prop (qw(enable expire firstname lastname email comment keys)) {
108 $res->{$prop} = $data->{$prop} if defined($data->{$prop});
111 return $res if !$full;
113 $res->{groups
} = $data->{groups
} ?
[ sort keys %{$data->{groups
}} ] : [];
114 $res->{tokens
} = $data->{tokens
};
119 __PACKAGE__-
>register_method ({
123 description
=> "User index.",
125 description
=> "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.",
128 protected
=> 1, # to access priv/tfa.cfg
130 additionalProperties
=> 0,
134 description
=> "Optional filter for enable property.",
139 description
=> "Include group and token information.",
150 userid
=> get_standard_option
('userid-completed'),
151 enable
=> get_standard_option
('user-enable'),
152 expire
=> get_standard_option
('user-expire'),
153 firstname
=> get_standard_option
('user-firstname'),
154 lastname
=> get_standard_option
('user-lastname'),
155 email
=> get_standard_option
('user-email'),
156 comment
=> get_standard_option
('user-comment'),
157 keys => get_standard_option
('user-keys'),
158 groups
=> get_standard_option
('group-list'),
162 items
=> $token_info_extend->({
163 tokenid
=> get_standard_option
('token-subid'),
167 type
=> 'string', format
=> 'pve-realm',
168 description
=> 'The type of the users realm',
169 optional
=> 1, # it should always be there, but we use conditional code below, so..
174 description
=> 'True if the user is currently locked out of TOTP factors.',
176 'tfa-locked-until' => {
180 'Contains a timestamp until when a user is locked out of 2nd factors.',
184 links
=> [ { rel
=> 'child', href
=> "{userid}" } ],
189 my $rpcenv = PVE
::RPCEnvironment
::get
();
190 my $usercfg = $rpcenv->{user_cfg
};
191 my $authuser = $rpcenv->get_user();
193 my $domainscfg = cfs_read_file
('domains.cfg');
194 my $domainids = $domainscfg->{ids
};
198 my $privs = [ 'User.Modify', 'Sys.Audit' ];
199 my $canUserMod = $rpcenv->check_any($authuser, "/access/groups", $privs, 1);
200 my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
201 my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
203 my $tfa_cfg = cfs_read_file
('priv/tfa.cfg');
205 foreach my $user (sort keys %{$usercfg->{users
}}) {
206 if (!($canUserMod || $user eq $authuser)) {
207 next if !$allowed_users->{$user};
210 my $entry = $extract_user_data->($usercfg->{users
}->{$user}, $param->{full
});
212 if (defined($param->{enabled
})) {
213 next if $entry->{enable
} && !$param->{enabled
};
214 next if !$entry->{enable
} && $param->{enabled
};
217 $entry->{groups
} = join(',', @{$entry->{groups
}}) if $entry->{groups
};
219 if (defined(my $tokens = $entry->{tokens
})) {
221 map { { tokenid
=> $_, %{$tokens->{$_}} } } sort keys %$tokens
225 if ($user =~ /($PVE::Auth::Plugin::realm_regex)$/) {
227 $entry->{'realm-type'} = $domainids->{$realm}->{type
} if exists $domainids->{$realm};
230 $entry->{userid
} = $user;
232 if (defined($tfa_cfg)) {
233 if (my $data = $tfa_cfg->tfa_lock_status($user)) {
234 for (qw(totp-locked tfa-locked-until)) {
235 $entry->{$_} = $data->{$_} if exists($data->{$_});
246 __PACKAGE__-
>register_method ({
247 name
=> 'create_user',
252 description
=> "You need 'Realm.AllocateUser' on '/access/realm/<realm>' on the realm of user <userid>, and 'User.Modify' permissions to '/access/groups/<group>' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.",
255 [ 'userid-param', 'Realm.AllocateUser'],
256 [ 'userid-group', ['User.Modify'], groups_param
=> 'create'],
259 description
=> "Create new user.",
261 additionalProperties
=> 0,
263 userid
=> get_standard_option
('userid-completed'),
264 enable
=> get_standard_option
('user-enable'),
265 expire
=> get_standard_option
('user-expire'),
266 firstname
=> get_standard_option
('user-firstname'),
267 lastname
=> get_standard_option
('user-lastname'),
268 email
=> get_standard_option
('user-email'),
269 comment
=> get_standard_option
('user-comment'),
270 keys => get_standard_option
('user-keys'),
272 description
=> "Initial password.",
278 groups
=> get_standard_option
('group-list'),
281 returns
=> { type
=> 'null' },
285 PVE
::AccessControl
::lock_user_config
(sub {
286 my ($username, $ruid, $realm) = PVE
::AccessControl
::verify_username
($param->{userid
});
288 my $usercfg = cfs_read_file
("user.cfg");
290 # ensure "user exists" check works for case insensitive realms
291 $username = PVE
::AccessControl
::lookup_username
($username, 1);
292 die "user '$username' already exists\n" if $usercfg->{users
}->{$username};
294 PVE
::AccessControl
::domain_set_password
($realm, $ruid, $param->{password
})
295 if defined($param->{password
});
297 my $enable = defined($param->{enable
}) ?
$param->{enable
} : 1;
298 $usercfg->{users
}->{$username} = { enable
=> $enable };
299 $usercfg->{users
}->{$username}->{expire
} = $param->{expire
} if $param->{expire
};
301 if ($param->{groups
}) {
302 foreach my $group (split_list
($param->{groups
})) {
303 if ($usercfg->{groups
}->{$group}) {
304 PVE
::AccessControl
::add_user_group
($username, $usercfg, $group);
306 die "no such group '$group'\n";
311 $usercfg->{users
}->{$username}->{firstname
} = $param->{firstname
} if $param->{firstname
};
312 $usercfg->{users
}->{$username}->{lastname
} = $param->{lastname
} if $param->{lastname
};
313 $usercfg->{users
}->{$username}->{email
} = $param->{email
} if $param->{email
};
314 $usercfg->{users
}->{$username}->{comment
} = $param->{comment
} if $param->{comment
};
315 $usercfg->{users
}->{$username}->{keys} = $param->{keys} if $param->{keys};
317 cfs_write_file
("user.cfg", $usercfg);
318 }, "create user failed");
323 __PACKAGE__-
>register_method ({
327 description
=> "Get user configuration.",
329 check
=> ['userid-group', ['User.Modify', 'Sys.Audit']],
332 additionalProperties
=> 0,
334 userid
=> get_standard_option
('userid-completed'),
338 additionalProperties
=> 0,
340 enable
=> get_standard_option
('user-enable'),
341 expire
=> get_standard_option
('user-expire'),
342 firstname
=> get_standard_option
('user-firstname'),
343 lastname
=> get_standard_option
('user-lastname'),
344 email
=> get_standard_option
('user-email'),
345 comment
=> get_standard_option
('user-comment'),
346 keys => get_standard_option
('user-keys'),
352 format
=> 'pve-groupid',
358 additionalProperties
=> get_standard_option
('token-info'),
366 my ($username, undef, $domain) = PVE
::AccessControl
::verify_username
($param->{userid
});
368 my $usercfg = cfs_read_file
("user.cfg");
370 my $data = PVE
::AccessControl
::check_user_exist
($usercfg, $username);
372 return &$extract_user_data($data, 1);
375 __PACKAGE__-
>register_method ({
376 name
=> 'update_user',
381 check
=> ['userid-group', ['User.Modify'], groups_param
=> 'update' ],
383 description
=> "Update user configuration.",
385 additionalProperties
=> 0,
387 userid
=> get_standard_option
('userid-completed'),
388 enable
=> get_standard_option
('user-enable'),
389 expire
=> get_standard_option
('user-expire'),
390 firstname
=> get_standard_option
('user-firstname'),
391 lastname
=> get_standard_option
('user-lastname'),
392 email
=> get_standard_option
('user-email'),
393 comment
=> get_standard_option
('user-comment'),
394 keys => get_standard_option
('user-keys'),
395 groups
=> get_standard_option
('group-list'),
399 requires
=> 'groups',
403 returns
=> { type
=> 'null' },
407 my ($username, $ruid, $realm) = PVE
::AccessControl
::verify_username
($param->{userid
});
409 PVE
::AccessControl
::lock_user_config
(sub {
410 my $usercfg = cfs_read_file
("user.cfg");
412 PVE
::AccessControl
::check_user_exist
($usercfg, $username);
414 $usercfg->{users
}->{$username}->{enable
} = $param->{enable
} if defined($param->{enable
});
415 $usercfg->{users
}->{$username}->{expire
} = $param->{expire
} if defined($param->{expire
});
417 PVE
::AccessControl
::delete_user_group
($username, $usercfg)
418 if (!$param->{append
} && defined($param->{groups
}));
420 if ($param->{groups
}) {
421 foreach my $group (split_list
($param->{groups
})) {
422 if ($usercfg->{groups
}->{$group}) {
423 PVE
::AccessControl
::add_user_group
($username, $usercfg, $group);
425 die "no such group '$group'\n";
430 $usercfg->{users
}->{$username}->{firstname
} = $param->{firstname
} if defined($param->{firstname
});
431 $usercfg->{users
}->{$username}->{lastname
} = $param->{lastname
} if defined($param->{lastname
});
432 $usercfg->{users
}->{$username}->{email
} = $param->{email
} if defined($param->{email
});
433 $usercfg->{users
}->{$username}->{comment
} = $param->{comment
} if defined($param->{comment
});
434 $usercfg->{users
}->{$username}->{keys} = $param->{keys} if defined($param->{keys});
436 cfs_write_file
("user.cfg", $usercfg);
437 }, "update user failed");
442 __PACKAGE__-
>register_method ({
443 name
=> 'delete_user',
447 description
=> "Delete user.",
450 [ 'userid-param', 'Realm.AllocateUser'],
451 [ 'userid-group', ['User.Modify']],
455 additionalProperties
=> 0,
457 userid
=> get_standard_option
('userid-completed'),
460 returns
=> { type
=> 'null' },
464 my $rpcenv = PVE
::RPCEnvironment
::get
();
465 my $authuser = $rpcenv->get_user();
467 my ($userid, $ruid, $realm) = PVE
::AccessControl
::verify_username
($param->{userid
});
469 PVE
::AccessControl
::lock_user_config
(sub {
470 my $usercfg = cfs_read_file
("user.cfg");
472 # NOTE: disable the user first (transaction like), so if (e.g.) we fail in the middle of
473 # TFA deletion the user will be still disabled and not just without TFA protection.
474 $usercfg->{users
}->{$userid}->{enable
} = 0;
475 cfs_write_file
("user.cfg", $usercfg);
477 my $domain_cfg = cfs_read_file
('domains.cfg');
478 if (my $cfg = $domain_cfg->{ids
}->{$realm}) {
479 my $plugin = PVE
::Auth
::Plugin-
>lookup($cfg->{type
});
480 $plugin->delete_user($cfg, $realm, $ruid);
483 # Remove user from cache before removing the TFA entry so realms with TFA-enforcement
484 # know that it's OK to drop any TFA entry in that case.
485 delete $usercfg->{users
}->{$userid};
487 my $partial_deletion = '';
489 PVE
::AccessControl
::user_remove_tfa
($userid);
490 $partial_deletion = ' - but deleted related TFA';
492 PVE
::AccessControl
::delete_user_group
($userid, $usercfg);
493 $partial_deletion .= ', Groups';
494 PVE
::AccessControl
::delete_user_acl
($userid, $usercfg);
495 $partial_deletion .= ', ACLs';
497 cfs_write_file
("user.cfg", $usercfg);
499 die "$@$partial_deletion\n" if $@;
500 }, "delete user failed");
505 __PACKAGE__-
>register_method ({
506 name
=> 'read_user_tfa_type',
507 path
=> '{userid}/tfa',
510 description
=> "Get user TFA types (Personal and Realm).",
513 ['userid-param', 'self'],
514 ['userid-group', ['User.Modify', 'Sys.Audit']],
518 additionalProperties
=> 0,
520 userid
=> get_standard_option
('userid-completed'),
523 description
=> 'Request all entries as an array.',
530 additionalProperties
=> 0,
534 enum
=> [qw(oath yubico)],
535 description
=> "The type of TFA the users realm has set, if any.",
540 enum
=> [qw(oath u2f)],
542 "The type of TFA the user has set, if any."
543 . " Only set if 'multiple' was not passed.",
549 "Array of the user configured TFA types, if any."
550 . " Only available if 'multiple' was not passed.",
554 enum
=> [qw(totp u2f yubico webauthn recovedry)],
555 description
=> 'A TFA type.',
564 my ($username, undef, $realm) = PVE
::AccessControl
::verify_username
($param->{userid
});
566 my $domain_cfg = cfs_read_file
('domains.cfg');
567 my $realm_cfg = $domain_cfg->{ids
}->{$realm};
568 die "auth domain '$realm' does not exist\n" if !$realm_cfg;
572 $realm_tfa = PVE
::Auth
::Plugin
::parse_tfa_config
($realm_cfg->{tfa
}) if $realm_cfg->{tfa
};
573 $res->{realm
} = $realm_tfa->{type
} if $realm_tfa->{type
};
575 my $tfa_cfg = cfs_read_file
('priv/tfa.cfg');
576 if ($param->{multiple
}) {
577 my $tfa = $tfa_cfg->get_user($username);
579 foreach my $type (keys %$tfa) {
580 next if !scalar($tfa->{$type}->@*);
583 $res->{user
} = $user;
585 my $tfa = $tfa_cfg->{users
}->{$username};
586 $res->{user
} = $tfa->{type
} if $tfa->{type
};
591 __PACKAGE__-
>register_method ({
592 name
=> 'unlock_tfa',
593 path
=> '{userid}/unlock-tfa',
596 description
=> "Unlock a user's TFA authentication.",
598 check
=> [ 'userid-group', ['User.Modify']],
601 additionalProperties
=> 0,
603 userid
=> get_standard_option
('userid-completed'),
606 returns
=> { type
=> 'boolean' },
610 my $userid = extract_param
($param, "userid");
612 my $user_was_locked = PVE
::AccessControl
::lock_tfa_config
(sub {
613 my $tfa_cfg = cfs_read_file
('priv/tfa.cfg');
614 my $was_locked = $tfa_cfg->api_unlock_tfa($userid);
615 cfs_write_file
('priv/tfa.cfg', $tfa_cfg)
620 return $user_was_locked;
623 __PACKAGE__-
>register_method ({
624 name
=> 'token_index',
625 path
=> '{userid}/token',
627 description
=> "Get user API tokens.",
631 ['userid-param', 'self'],
632 ['userid-group', ['User.Modify']],
636 additionalProperties
=> 0,
638 userid
=> get_standard_option
('userid-completed'),
643 items
=> $token_info_extend->({
644 tokenid
=> get_standard_option
('token-subid'),
646 links
=> [ { rel
=> 'child', href
=> "{tokenid}" } ],
651 my $userid = PVE
::AccessControl
::verify_username
($param->{userid
});
652 my $usercfg = cfs_read_file
("user.cfg");
654 my $user = PVE
::AccessControl
::check_user_exist
($usercfg, $userid);
656 my $tokens = $user->{tokens
} // {};
657 return [ map { $tokens->{$_}->{tokenid
} = $_; $tokens->{$_} } keys %$tokens];
660 __PACKAGE__-
>register_method ({
661 name
=> 'read_token',
662 path
=> '{userid}/token/{tokenid}',
664 description
=> "Get specific API token information.",
668 ['userid-param', 'self'],
669 ['userid-group', ['User.Modify']],
673 additionalProperties
=> 0,
675 userid
=> get_standard_option
('userid-completed'),
676 tokenid
=> get_standard_option
('token-subid'),
679 returns
=> get_standard_option
('token-info'),
683 my $userid = PVE
::AccessControl
::verify_username
($param->{userid
});
684 my $tokenid = $param->{tokenid
};
686 my $usercfg = cfs_read_file
("user.cfg");
688 return PVE
::AccessControl
::check_token_exist
($usercfg, $userid, $tokenid);
691 __PACKAGE__-
>register_method ({
692 name
=> 'generate_token',
693 path
=> '{userid}/token/{tokenid}',
695 description
=> "Generate a new API token for a specific user. NOTE: returns API token value, which needs to be stored as it cannot be retrieved afterwards!",
700 ['userid-param', 'self'],
701 ['userid-group', ['User.Modify']],
705 additionalProperties
=> 0,
707 userid
=> get_standard_option
('userid-completed'),
708 tokenid
=> get_standard_option
('token-subid'),
709 expire
=> get_standard_option
('token-expire'),
710 privsep
=> get_standard_option
('token-privsep'),
711 comment
=> get_standard_option
('token-comment'),
715 additionalProperties
=> 0,
718 info
=> get_standard_option
('token-info'),
721 description
=> 'API token value used for authentication.',
725 format_description
=> '<userid>!<tokenid>',
726 description
=> 'The full token id.',
733 my $userid = PVE
::AccessControl
::verify_username
(extract_param
($param, 'userid'));
734 my $tokenid = extract_param
($param, 'tokenid');
736 my $usercfg = cfs_read_file
("user.cfg");
738 my $token = PVE
::AccessControl
::check_token_exist
($usercfg, $userid, $tokenid, 1);
739 my ($full_tokenid, $value);
741 PVE
::AccessControl
::check_user_exist
($usercfg, $userid);
742 raise_param_exc
({ 'tokenid' => 'Token already exists.' }) if defined($token);
744 my $generate_and_add_token = sub {
745 $usercfg = cfs_read_file
("user.cfg");
746 PVE
::AccessControl
::check_user_exist
($usercfg, $userid);
747 die "Token already exists.\n" if defined(PVE
::AccessControl
::check_token_exist
($usercfg, $userid, $tokenid, 1));
749 $full_tokenid = PVE
::AccessControl
::join_tokenid
($userid, $tokenid);
750 $value = PVE
::TokenConfig
::generate_token
($full_tokenid);
753 $token->{privsep
} = defined($param->{privsep
}) ?
$param->{privsep
} : 1;
754 $token->{expire
} = $param->{expire
} if defined($param->{expire
});
755 $token->{comment
} = $param->{comment
} if $param->{comment
};
757 $usercfg->{users
}->{$userid}->{tokens
}->{$tokenid} = $token;
758 cfs_write_file
("user.cfg", $usercfg);
761 PVE
::AccessControl
::lock_user_config
($generate_and_add_token, 'generating token failed');
766 'full-tokenid' => $full_tokenid,
771 __PACKAGE__-
>register_method ({
772 name
=> 'update_token_info',
773 path
=> '{userid}/token/{tokenid}',
775 description
=> "Update API token for a specific user.",
780 ['userid-param', 'self'],
781 ['userid-group', ['User.Modify']],
785 additionalProperties
=> 0,
787 userid
=> get_standard_option
('userid-completed'),
788 tokenid
=> get_standard_option
('token-subid'),
789 expire
=> get_standard_option
('token-expire'),
790 privsep
=> get_standard_option
('token-privsep'),
791 comment
=> get_standard_option
('token-comment'),
794 returns
=> get_standard_option
('token-info', { description
=> "Updated token information." }),
798 my $userid = PVE
::AccessControl
::verify_username
(extract_param
($param, 'userid'));
799 my $tokenid = extract_param
($param, 'tokenid');
801 my $usercfg = cfs_read_file
("user.cfg");
802 my $token = PVE
::AccessControl
::check_token_exist
($usercfg, $userid, $tokenid);
804 PVE
::AccessControl
::lock_user_config
(sub {
805 $usercfg = cfs_read_file
("user.cfg");
806 $token = PVE
::AccessControl
::check_token_exist
($usercfg, $userid, $tokenid);
808 my $full_tokenid = PVE
::AccessControl
::join_tokenid
($userid, $tokenid);
810 $token->{privsep
} = $param->{privsep
} if defined($param->{privsep
});
811 $token->{expire
} = $param->{expire
} if defined($param->{expire
});
812 $token->{comment
} = $param->{comment
} if $param->{comment
};
814 $usercfg->{users
}->{$userid}->{tokens
}->{$tokenid} = $token;
815 cfs_write_file
("user.cfg", $usercfg);
816 }, 'updating token info failed');
822 __PACKAGE__-
>register_method ({
823 name
=> 'remove_token',
824 path
=> '{userid}/token/{tokenid}',
826 description
=> "Remove API token for a specific user.",
831 ['userid-param', 'self'],
832 ['userid-group', ['User.Modify']],
836 additionalProperties
=> 0,
838 userid
=> get_standard_option
('userid-completed'),
839 tokenid
=> get_standard_option
('token-subid'),
842 returns
=> { type
=> 'null' },
846 my $userid = PVE
::AccessControl
::verify_username
(extract_param
($param, 'userid'));
847 my $tokenid = extract_param
($param, 'tokenid');
849 my $usercfg = cfs_read_file
("user.cfg");
850 my $token = PVE
::AccessControl
::check_token_exist
($usercfg, $userid, $tokenid);
852 PVE
::AccessControl
::lock_user_config
(sub {
853 $usercfg = cfs_read_file
("user.cfg");
855 PVE
::AccessControl
::check_token_exist
($usercfg, $userid, $tokenid);
857 my $full_tokenid = PVE
::AccessControl
::join_tokenid
($userid, $tokenid);
858 PVE
::TokenConfig
::delete_token
($full_tokenid);
859 delete $usercfg->{users
}->{$userid}->{tokens
}->{$tokenid};
861 cfs_write_file
("user.cfg", $usercfg);
862 }, 'deleting token failed');