# know that it's OK to drop any TFA entry in that case.
delete $usercfg->{users}->{$userid};
- PVE::AccessControl::user_set_tfa($userid, $realm, undef, undef, $usercfg, $domain_cfg);
-
- PVE::AccessControl::delete_user_group($userid, $usercfg);
- PVE::AccessControl::delete_user_acl($userid, $usercfg);
- cfs_write_file("user.cfg", $usercfg);
+ my $partial_deletion = '';
+ eval {
+ PVE::AccessControl::user_set_tfa($userid, $realm, undef, undef, $usercfg, $domain_cfg);
+ $partial_deletion = ' - but deleted related TFA';
+
+ PVE::AccessControl::delete_user_group($userid, $usercfg);
+ $partial_deletion .= ', Groups';
+ PVE::AccessControl::delete_user_acl($userid, $usercfg);
+ $partial_deletion .= ', ACLs';
+
+ cfs_write_file("user.cfg", $usercfg);
+ };
+ die "$@$partial_deletion\n" if $@;
}, "delete user failed");
return undef;
additionalProperties => 0,
properties => {
userid => get_standard_option('userid-completed'),
+ multiple => {
+ type => 'boolean',
+ description => 'Request all entries as an array.',
+ optional => 1,
+ default => 0,
+ },
},
},
returns => {
user => {
type => 'string',
enum => [qw(oath u2f)],
- description => "The type of TFA the user has set, if any.",
+ description =>
+ "The type of TFA the user has set, if any."
+ . " Only set if 'multiple' was not passed.",
optional => 1,
},
+ types => {
+ type => 'array',
+ description =>
+ "Array of the user configured TFA types, if any."
+ . " Only available if 'multiple' was not passed.",
+ optional => 1,
+ items => {
+ type => 'string',
+ enum => [qw(totp u2f yubico webauthn recovedry)],
+ description => 'A TFA type.',
+ },
+ },
},
type => "object"
},
my $realm_cfg = $domain_cfg->{ids}->{$realm};
die "auth domain '$realm' does not exist\n" if !$realm_cfg;
+ my $res = {};
my $realm_tfa = {};
$realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_cfg->{tfa}) if $realm_cfg->{tfa};
+ $res->{realm} = $realm_tfa->{type} if $realm_tfa->{type};
my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
- my $tfa = $tfa_cfg->{users}->{$username};
-
- my $res = {};
- $res->{realm} = $realm_tfa->{type} if $realm_tfa->{type};
- $res->{user} = $tfa->{type} if $tfa->{type};
+ if ($param->{multiple}) {
+ my $tfa = $tfa_cfg->get_user($username);
+ my $user = [];
+ foreach my $type (keys %$tfa) {
+ next if !scalar($tfa->{$type}->@*);
+ push @$user, $type;
+ }
+ $res->{user} = $user;
+ } else {
+ my $tfa = $tfa_cfg->{users}->{$username};
+ $res->{user} = $tfa->{type} if $tfa->{type};
+ }
return $res;
}});