update read_user_tfa_type call
index 06cc6804fd9a9f13b5af7d08856fc6958526e02b..3d4d4e08d02775a36b5bb66299065647e66ffb9a 100644 (file)
@@ -451,11 +451,19 @@ __PACKAGE__->register_method ({
            # know that it's OK to drop any TFA entry in that case.
            delete $usercfg->{users}->{$userid};
 
-           PVE::AccessControl::user_set_tfa($userid, $realm, undef, undef, $usercfg, $domain_cfg);
-
-           PVE::AccessControl::delete_user_group($userid, $usercfg);
-           PVE::AccessControl::delete_user_acl($userid, $usercfg);
-           cfs_write_file("user.cfg", $usercfg);
+           my $partial_deletion = '';
+           eval {
+               PVE::AccessControl::user_set_tfa($userid, $realm, undef, undef, $usercfg, $domain_cfg);
+               $partial_deletion = ' - but deleted related TFA';
+
+               PVE::AccessControl::delete_user_group($userid, $usercfg);
+               $partial_deletion .= ', Groups';
+               PVE::AccessControl::delete_user_acl($userid, $usercfg);
+               $partial_deletion .= ', ACLs';
+
+               cfs_write_file("user.cfg", $usercfg);
+           };
+           die "$@$partial_deletion\n" if $@;
        }, "delete user failed");
 
        return undef;
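Review bot: The suffix on the new `die "$@$partial_deletion\n" if $@;` will usually land on a line of its own, because the error text in `$@` from these helpers normally already ends with a newline, so the operator sees `... \n - but deleted related TFA\n`; trim it before appending, `if ($@) { chomp(my $err = $@); die "$err$partial_deletion\n"; }`. The message ordering also deserves a short comment above the eval: because `cfs_write_file("user.cfg", ...)` is the last step, a failure in `delete_user_group` or `delete_user_acl` after `user_set_tfa` has succeeded leaves the user record itself persisted while its TFA entry is already gone (assuming `user_set_tfa` writes `priv/tfa.cfg` on its own, which this hunk does not show), i.e. an account that now authenticates with a password alone until the deletion is retried. Suggested comment: `# TFA is removed first and persisted separately; if a later step dies the user still exists in user.cfg without its second factor, so the caller must retry the deletion.` The enclosing locked closure and the `register_method` call begin before this hunk.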
@@ -477,6 +485,12 @@ __PACKAGE__->register_method ({
        additionalProperties => 0,
        properties => {
            userid => get_standard_option('userid-completed'),
+           multiple => {
+               type => 'boolean',
+               description => 'Request all entries as an array.',
+               optional => 1,
+               default => 0,
+           },
        },
     },
     returns => {
@@ -491,9 +505,23 @@ __PACKAGE__->register_method ({
            user => {
                type => 'string',
                enum => [qw(oath u2f)],
-               description => "The type of TFA the user has set, if any.",
+               description =>
+                   "The type of TFA the user has set, if any."
+                   . " Only set if 'multiple' was not passed.",
                optional => 1,
            },
+           types => {
+               type => 'array',
+               description =>
+                   "Array of the user configured TFA types, if any."
+                   . " Only available if 'multiple' was not passed.",
+               optional => 1,
+               items => {
+                   type => 'string',
+                   enum => [qw(totp u2f yubico webauthn recovedry)],
+                   description => 'A TFA type.',
+               },
+           },
        },
        type => "object"
     },
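Review bot: The item enum of the new `types` property, `enum => [qw(totp u2f yubico webauthn recovedry)]`, misspells `recovery`, so a response listing a genuine recovery-key entry would fail validation against the published schema; change it to `enum => [qw(totp u2f yubico webauthn recovery)]`. The description of `types` also states the inverse of its purpose: since `user` is the property documented as set when `multiple` was not passed, `types` should read `. " Only available if 'multiple' was passed.",`. Note that the implementation hunk further down stores the array in `$res->{user}` rather than `$res->{types}`, so as committed the schema (single string, enum `oath u2f`) and the code disagree for `multiple` requests.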
@@ -506,15 +534,24 @@ __PACKAGE__->register_method ({
        my $realm_cfg = $domain_cfg->{ids}->{$realm};
        die "auth domain '$realm' does not exist\n" if !$realm_cfg;
 
+       my $res = {};
        my $realm_tfa = {};
        $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_cfg->{tfa}) if $realm_cfg->{tfa};
+       $res->{realm} = $realm_tfa->{type} if $realm_tfa->{type};
 
        my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
-       my $tfa = $tfa_cfg->{users}->{$username};
-
-       my $res = {};
-       $res->{realm} = $realm_tfa->{type} if $realm_tfa->{type};
-       $res->{user} = $tfa->{type} if $tfa->{type};
+       if ($param->{multiple}) {
+           my $tfa = $tfa_cfg->get_user($username);
+           my $user = [];
+           foreach my $type (keys %$tfa) {
+               next if !scalar($tfa->{$type}->@*);
+               push @$user, $type;
+           }
+           $res->{user} = $user;
+       } else {
+           my $tfa = $tfa_cfg->{users}->{$username};
+           $res->{user} = $tfa->{type} if $tfa->{type};
+       }
        return $res;
     }});
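Review bot: In the `multiple` branch the collected array is assigned to `$res->{user}`, which the return schema declares as a single string with enum `oath u2f`, while the `types` array property added for exactly this case is never populated; change `$res->{user} = $user;` to `$res->{types} = $user;`. Iterating `keys %$tfa` also yields a different order on every call, which is unhelpful for API consumers and tests; use `foreach my $type (sort keys %$tfa) {`. The two branches additionally read the TFA data through different accessors (`$tfa_cfg->get_user($username)` versus the raw `$tfa_cfg->{users}->{$username}`); if `cfs_read_file('priv/tfa.cfg')` now returns an object exposing `get_user`, the raw hash lookup in the else branch may be reading a stale or absent key — confirm against the tfa.cfg parser. The hunk header counts one more old-side line than is shown here, so a trailing context line of this function appears to be cut.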