X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FAPI2%2FUser.pm;h=89c83430165e1ce84b2dbe051b48cae0c8c06d63;hp=602e3f030ba4bc990adf7717e659f1007cf1b7f5;hb=bcf4eb3d4960aa2b3d1e63c482fc35b83bab2c0a;hpb=5654af83fa4f8ffc4e44176eea6229716eae2036 diff --git a/PVE/API2/User.pm b/PVE/API2/User.pm index 602e3f0..89c8343 100644 --- a/PVE/API2/User.pm +++ b/PVE/API2/User.pm @@ -6,7 +6,7 @@ use PVE::Exception qw(raise raise_perm_exc); use PVE::Cluster qw (cfs_read_file cfs_write_file); use PVE::Tools qw(split_list); use PVE::AccessControl; -use PVE::JSONSchema qw(get_standard_option); +use PVE::JSONSchema qw(get_standard_option register_standard_option); use PVE::SafeSyslog; @@ -14,6 +14,34 @@ use PVE::RESTHandler; use base qw(PVE::RESTHandler); +register_standard_option('user-enable', { + title => "Enable", + description => "Enable the account (default). You can set this to '0' to disable the account", + type => 'boolean', + optional => 1, + default => 1, +}); +register_standard_option('user-expire', { + description => "Account expiration date (seconds since epoch). '0' means no expiration date.", + type => 'integer', + minimum => 0, + optional => 1, +}); +register_standard_option('user-firstname', { type => 'string', optional => 1 }); +register_standard_option('user-lastname', { type => 'string', optional => 1 }); +register_standard_option('user-email', { type => 'string', optional => 1, format => 'email-opt' }); +register_standard_option('user-comment', { type => 'string', optional => 1 }); +register_standard_option('user-keys', { + description => "Keys for two factor auth (yubico).", + type => 'string', + optional => 1, +}); +register_standard_option('group-list', { + type => 'string', format => 'pve-groupid-list', + optional => 1, + completion => \&PVE::AccessControl::complete_group, +}); + my $extract_user_data = sub { my ($data, $full) = @_; @@ -31,11 +59,11 @@ my $extract_user_data = sub { }; __PACKAGE__->register_method ({ - name => 'index', - path => '', + name => 'index', + path => '', method => 'GET', description => "User index.", - permissions => { + permissions => { description => "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.", user => 'all', }, @@ -54,14 +82,21 @@ __PACKAGE__->register_method ({ items => { type => "object", properties => { - userid => { type => 'string' }, + userid => get_standard_option('userid-completed'), + enable => get_standard_option('user-enable'), + expire => get_standard_option('user-expire'), + firstname => get_standard_option('user-firstname'), + lastname => get_standard_option('user-lastname'), + email => get_standard_option('user-email'), + comment => get_standard_option('user-comment'), + keys => get_standard_option('user-keys'), }, }, links => [ { rel => 'child', href => "{userid}" } ], }, code => sub { my ($param) = @_; - + my $rpcenv = PVE::RPCEnvironment::get(); my $usercfg = $rpcenv->{user_cfg}; my $authuser = $rpcenv->get_user(); @@ -71,7 +106,7 @@ __PACKAGE__->register_method ({ my $privs = [ 'User.Modify', 'Sys.Audit' ]; my $canUserMod = $rpcenv->check_any($authuser, "/access/groups", $privs, 1); my $groups = $rpcenv->filter_groups($authuser, $privs, 1); - my $allowed_users = $rpcenv->group_member_join([keys %$groups]); + my $allowed_users = $rpcenv->group_member_join([keys %$groups]); foreach my $user (keys %{$usercfg->{users}}) { @@ -94,11 +129,11 @@ __PACKAGE__->register_method ({ }}); __PACKAGE__->register_method ({ - name => 'create_user', + name => 'create_user', protected => 1, - path => '', + path => '', method => 'POST', - permissions => { + permissions => { description => "You need 'Realm.AllocateUser' on '/access/realm/' on the realm of user , and 'User.Modify' permissions to '/access/groups/' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.", check => [ 'and', [ 'userid-param', 'Realm.AllocateUser'], @@ -107,42 +142,24 @@ __PACKAGE__->register_method ({ }, description => "Create new user.", parameters => { - additionalProperties => 0, + additionalProperties => 0, properties => { - userid => get_standard_option('userid'), + userid => get_standard_option('userid-completed'), + enable => get_standard_option('user-enable'), + expire => get_standard_option('user-expire'), + firstname => get_standard_option('user-firstname'), + lastname => get_standard_option('user-lastname'), + email => get_standard_option('user-email'), + comment => get_standard_option('user-comment'), + keys => get_standard_option('user-keys'), password => { description => "Initial password.", - type => 'string', - optional => 1, - minLength => 5, - maxLength => 64 - }, - groups => { - type => 'string', format => 'pve-groupid-list', - optional => 1, - completion => \&PVE::AccessControl::complete_group, - }, - firstname => { type => 'string', optional => 1 }, - lastname => { type => 'string', optional => 1 }, - email => { type => 'string', optional => 1, format => 'email-opt' }, - comment => { type => 'string', optional => 1 }, - keys => { - description => "Keys for two factor auth (yubico).", - type => 'string', - optional => 1, - }, - expire => { - description => "Account expiration date (seconds since epoch). '0' means no expiration date.", - type => 'integer', - minimum => 0, - optional => 1, - }, - enable => { - description => "Enable the account (default). You can set this to '0' to disable the accout", - type => 'boolean', + type => 'string', optional => 1, - default => 1, + minLength => 5, + maxLength => 64 }, + groups => get_standard_option('group-list'), }, }, returns => { type => 'null' }, @@ -151,14 +168,14 @@ __PACKAGE__->register_method ({ PVE::AccessControl::lock_user_config( sub { - + my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid}); - + my $usercfg = cfs_read_file("user.cfg"); - die "user '$username' already exists\n" + die "user '$username' already exists\n" if $usercfg->{users}->{$username}; - + PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password}) if defined($param->{password}); @@ -189,89 +206,71 @@ __PACKAGE__->register_method ({ }}); __PACKAGE__->register_method ({ - name => 'read_user', - path => '{userid}', + name => 'read_user', + path => '{userid}', method => 'GET', description => "Get user configuration.", - permissions => { + permissions => { check => ['userid-group', ['User.Modify', 'Sys.Audit']], }, parameters => { - additionalProperties => 0, + additionalProperties => 0, properties => { - userid => get_standard_option('userid'), + userid => get_standard_option('userid-completed'), }, }, returns => { - additionalProperties => 0, + additionalProperties => 0, properties => { - enable => { type => 'boolean' }, - expire => { type => 'integer', optional => 1 }, - firstname => { type => 'string', optional => 1 }, - lastname => { type => 'string', optional => 1 }, - email => { type => 'string', optional => 1 }, - comment => { type => 'string', optional => 1 }, - keys => { type => 'string', optional => 1 }, + enable => get_standard_option('user-enable'), + expire => get_standard_option('user-expire'), + firstname => get_standard_option('user-firstname'), + lastname => get_standard_option('user-lastname'), + email => get_standard_option('user-email'), + comment => get_standard_option('user-comment'), + keys => get_standard_option('user-keys'), groups => { type => 'array' }, - } + }, + type => "object" }, code => sub { my ($param) = @_; - my ($username, undef, $domain) = + my ($username, undef, $domain) = PVE::AccessControl::verify_username($param->{userid}); my $usercfg = cfs_read_file("user.cfg"); my $data = PVE::AccessControl::check_user_exist($usercfg, $username); - + return &$extract_user_data($data, 1); }}); __PACKAGE__->register_method ({ - name => 'update_user', + name => 'update_user', protected => 1, - path => '{userid}', + path => '{userid}', method => 'PUT', - permissions => { + permissions => { check => ['userid-group', ['User.Modify'], groups_param => 1 ], }, description => "Update user configuration.", parameters => { - additionalProperties => 0, + additionalProperties => 0, properties => { - userid => get_standard_option('userid', { - completion => \&PVE::AccessControl::complete_username, - }), - groups => { - type => 'string', format => 'pve-groupid-list', - optional => 1, - completion => \&PVE::AccessControl::complete_group, - }, - append => { - type => 'boolean', - optional => 1, - requires => 'groups', - }, - enable => { - description => "Enable/disable the account.", + userid => get_standard_option('userid-completed'), + enable => get_standard_option('user-enable'), + expire => get_standard_option('user-expire'), + firstname => get_standard_option('user-firstname'), + lastname => get_standard_option('user-lastname'), + email => get_standard_option('user-email'), + comment => get_standard_option('user-comment'), + keys => get_standard_option('user-keys'), + groups => get_standard_option('group-list'), + append => { type => 'boolean', optional => 1, - }, - firstname => { type => 'string', optional => 1 }, - lastname => { type => 'string', optional => 1 }, - email => { type => 'string', optional => 1, format => 'email-opt' }, - comment => { type => 'string', optional => 1 }, - keys => { - description => "Keys for two factor auth (yubico).", - type => 'string', - optional => 1, - }, - expire => { - description => "Account expiration date (seconds since epoch). '0' means no expiration date.", - type => 'integer', - minimum => 0, - optional => 1 + requires => 'groups', }, }, }, @@ -279,12 +278,12 @@ __PACKAGE__->register_method ({ code => sub { my ($param) = @_; - my ($username, $ruid, $realm) = + my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid}); - + PVE::AccessControl::lock_user_config( sub { - + my $usercfg = cfs_read_file("user.cfg"); PVE::AccessControl::check_user_exist($usercfg, $username); @@ -293,7 +292,7 @@ __PACKAGE__->register_method ({ $usercfg->{users}->{$username}->{expire} = $param->{expire} if defined($param->{expire}); - PVE::AccessControl::delete_user_group($username, $usercfg) + PVE::AccessControl::delete_user_group($username, $usercfg) if (!$param->{append} && defined($param->{groups})); if ($param->{groups}) { @@ -314,38 +313,36 @@ __PACKAGE__->register_method ({ cfs_write_file("user.cfg", $usercfg); }, "update user failed"); - + return undef; }}); __PACKAGE__->register_method ({ - name => 'delete_user', + name => 'delete_user', protected => 1, - path => '{userid}', + path => '{userid}', method => 'DELETE', description => "Delete user.", - permissions => { + permissions => { check => [ 'and', [ 'userid-param', 'Realm.AllocateUser'], [ 'userid-group', ['User.Modify']], ], }, parameters => { - additionalProperties => 0, + additionalProperties => 0, properties => { - userid => get_standard_option('userid', { - completion => \&PVE::AccessControl::complete_username, - }), + userid => get_standard_option('userid-completed'), } }, returns => { type => 'null' }, code => sub { my ($param) = @_; - + my $rpcenv = PVE::RPCEnvironment::get(); my $authuser = $rpcenv->get_user(); - my ($userid, $ruid, $realm) = + my ($userid, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid}); PVE::AccessControl::lock_user_config( @@ -366,7 +363,7 @@ __PACKAGE__->register_method ({ cfs_write_file("user.cfg", $usercfg); }, "delete user failed"); - + return undef; }});