+sub remove_vm_access {
+ my ($vmid) = @_;
+ my $delVMaccessFn = sub {
+ my $usercfg = cfs_read_file("user.cfg");
+ my $modified;
+
+ if (my $acl = $usercfg->{acl}->{"/vms/$vmid"}) {
+ delete $usercfg->{acl}->{"/vms/$vmid"};
+ $modified = 1;
+ }
+ if (my $pool = $usercfg->{vms}->{$vmid}) {
+ if (my $data = $usercfg->{pools}->{$pool}) {
+ delete $data->{vms}->{$vmid};
+ delete $usercfg->{vms}->{$vmid};
+ $modified = 1;
+ }
+ }
+ cfs_write_file("user.cfg", $usercfg) if $modified;
+ };
+
+ lock_user_config($delVMaccessFn, "access permissions cleanup for VM $vmid failed");
+}
+
+sub remove_storage_access {
+ my ($storeid) = @_;
+
+ my $deleteStorageAccessFn = sub {
+ my $usercfg = cfs_read_file("user.cfg");
+ my $modified;
+
+ if (my $storage = $usercfg->{acl}->{"/storage/$storeid"}) {
+ delete $usercfg->{acl}->{"/storage/$storeid"};
+ $modified = 1;
+ }
+ foreach my $pool (keys %{$usercfg->{pools}}) {
+ delete $usercfg->{pools}->{$pool}->{storage}->{$storeid};
+ $modified = 1;
+ }
+ cfs_write_file("user.cfg", $usercfg) if $modified;
+ };
+
+ lock_user_config($deleteStorageAccessFn,
+ "access permissions cleanup for storage $storeid failed");
+}
+
+sub add_vm_to_pool {
+ my ($vmid, $pool) = @_;
+
+ my $addVMtoPoolFn = sub {
+ my $usercfg = cfs_read_file("user.cfg");
+ if (my $data = $usercfg->{pools}->{$pool}) {
+ $data->{vms}->{$vmid} = 1;
+ $usercfg->{vms}->{$vmid} = $pool;
+ cfs_write_file("user.cfg", $usercfg);
+ }
+ };
+
+ lock_user_config($addVMtoPoolFn, "can't add VM $vmid to pool '$pool'");
+}
+
+sub remove_vm_from_pool {
+ my ($vmid) = @_;
+
+ my $delVMfromPoolFn = sub {
+ my $usercfg = cfs_read_file("user.cfg");
+ if (my $pool = $usercfg->{vms}->{$vmid}) {
+ if (my $data = $usercfg->{pools}->{$pool}) {
+ delete $data->{vms}->{$vmid};
+ delete $usercfg->{vms}->{$vmid};
+ cfs_write_file("user.cfg", $usercfg);
+ }
+ }
+ };
+
+ lock_user_config($delVMfromPoolFn, "pool cleanup for VM $vmid failed");
+}
+
+my $USER_CONTROLLED_TFA_TYPES = {
+ u2f => 1,
+ oath => 1,
+};
+
+# Delete an entry by setting $data=undef in which case $type is ignored.
+# Otherwise both must be valid.
+sub user_set_tfa {
+ my ($userid, $realm, $type, $data, $cached_usercfg, $cached_domaincfg) = @_;
+
+ if (defined($data) && !defined($type)) {
+ # This is an internal usage error and should not happen
+ die "cannot set tfa data without a type\n";
+ }