From 571e9d062e9a81cdf24176a566d8a8eccee32276 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Fabian=20Gr=C3=BCnbichler?=
Date: Tue, 21 Jan 2020 13:54:03 +0100
Subject: [PATCH] API token: add check_token_exist API helper
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

the helper is modeled after the corresponding user method. the 'tokenid' option goes into PVE::AccessControl, since we need it in multiple API modules.
Signed-off-by: Fabian Grünbichler
---
 PVE/AccessControl.pm | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index b293291..7fc514a 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -211,6 +211,12 @@ sub rotate_authkey {
     die $@ if $@;
 }
 
+PVE::JSONSchema::register_standard_option('tokenid', {
+    description => "API token identifier.",
+    type => "string",
+    format => "pve-tokenid",
+});
+
 our $token_subid_regex = $PVE::Auth::Plugin::realm_regex;
 
 # username@realm username realm tokenid
@@ -533,6 +539,20 @@ sub check_user_enabled {
     return undef;
 }
 
+sub check_token_exist {
+    my ($usercfg, $username, $tokenid, $noerr) = @_;
+
+    my $user = check_user_exist($usercfg, $username, $noerr);
+    return undef if !$user;
+
+    return $user->{tokens}->{$tokenid}
+        if defined($user->{tokens}) && $user->{tokens}->{$tokenid};
+
+    die "no such token '$tokenid' for user '$username'\n" if !$noerr;
+
+    return undef;
+}
+
 sub verify_one_time_pw {
     my ($type, $username, $keys, $tfa_cfg, $otp) = @_;
 
@@ -1042,7 +1062,7 @@ sub parse_user_config {
                    warn "user config - ignore invalid acl member '$ug'\n";
                }
            } elsif (my ($user, $token) = split_tokenid($ug, 1)) {
-               if ($cfg->{users}->{$user}->{tokens}->{$token}) { # token exists
+               if (check_token_exist($cfg, $user, $token, 1)) {
                    $cfg->{acl}->{$path}->{tokens}->{$ug}->{$role} = $propagate;
                } else {
                    warn "user config - ignore invalid acl token '$ug'\n";
-- 
2.39.2
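Review bot: check_token_exist in the second hunk answers only whether the key is present under the user's tokens hash; it does not look at any other property of the token, so a caller that treats a true return as "this token may be used" would be mistaken, and the sub should carry a header comment making that explicit, e.g. `# Return the token config hash if $tokenid is defined for $username; undef otherwise (die instead unless $noerr). Existence only - token validity is not checked here.` The `defined($user->{tokens}) &&` guard in front of the lookup also deserves a why-comment, since a bare `$user->{tokens}->{$tokenid}` test would autovivify an empty tokens hash into $usercfg for users that have none: `# defined() guard avoids autovivifying $user->{tokens} on lookup`. The `return undef;` lines mirror check_user_enabled directly above, which is presumably why the file-wide style is kept over the usual bare `return;`.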