2020-04-17 12:11:25 +00:00
|
|
|
use anyhow::{bail, Error};
|
2020-10-07 11:12:37 +00:00
|
|
|
use serde_json::{json, Value};
|
2020-04-06 10:09:27 +00:00
|
|
|
|
2020-04-17 08:08:45 +00:00
|
|
|
use proxmox::api::{api, ApiMethod, Router, RpcEnvironment, Permission};
|
2020-10-07 11:12:37 +00:00
|
|
|
use proxmox::api::router::SubdirMap;
|
2020-04-06 10:09:27 +00:00
|
|
|
use proxmox::api::schema::{Schema, StringSchema};
|
2020-08-04 09:33:02 +00:00
|
|
|
use proxmox::tools::fs::open_file_locked;
|
2020-04-06 10:09:27 +00:00
|
|
|
|
|
|
|
use crate::api2::types::*;
|
|
|
|
use crate::config::user;
|
2020-10-07 11:12:37 +00:00
|
|
|
use crate::config::token_shadow;
|
2020-04-17 09:04:36 +00:00
|
|
|
use crate::config::acl::{PRIV_SYS_AUDIT, PRIV_PERMISSIONS_MODIFY};
|
2020-09-18 13:01:06 +00:00
|
|
|
use crate::config::cached_user_info::CachedUserInfo;
|
2020-04-06 10:09:27 +00:00
|
|
|
|
|
|
|
pub const PBS_PASSWORD_SCHEMA: Schema = StringSchema::new("User Password.")
|
|
|
|
.format(&PASSWORD_FORMAT)
|
|
|
|
.min_length(5)
|
|
|
|
.max_length(64)
|
|
|
|
.schema();
|
|
|
|
|
|
|
|
#[api(
|
|
|
|
input: {
|
|
|
|
properties: {},
|
|
|
|
},
|
|
|
|
returns: {
|
|
|
|
description: "List users (with config digest).",
|
|
|
|
type: Array,
|
2020-05-20 09:27:58 +00:00
|
|
|
items: { type: user::User },
|
2020-04-06 10:09:27 +00:00
|
|
|
},
|
2020-04-17 08:08:45 +00:00
|
|
|
access: {
|
2020-09-18 13:01:06 +00:00
|
|
|
permission: &Permission::Anybody,
|
|
|
|
description: "Returns all or just the logged-in user, depending on privileges.",
|
2020-04-17 08:08:45 +00:00
|
|
|
},
|
2020-04-06 10:09:27 +00:00
|
|
|
)]
|
2020-09-18 13:01:06 +00:00
|
|
|
/// List users
|
2020-04-06 10:09:27 +00:00
|
|
|
pub fn list_users(
|
|
|
|
_param: Value,
|
|
|
|
_info: &ApiMethod,
|
2020-05-18 12:18:36 +00:00
|
|
|
mut rpcenv: &mut dyn RpcEnvironment,
|
|
|
|
) -> Result<Vec<user::User>, Error> {
|
2020-04-06 10:09:27 +00:00
|
|
|
|
|
|
|
let (config, digest) = user::config()?;
|
|
|
|
|
2020-10-23 11:33:21 +00:00
|
|
|
// intentionally user only for now
|
|
|
|
let userid: Userid = rpcenv.get_auth_id().unwrap().parse()?;
|
|
|
|
let auth_id = Authid::from(userid.clone());
|
|
|
|
|
2020-09-18 13:01:06 +00:00
|
|
|
let user_info = CachedUserInfo::new()?;
|
|
|
|
|
2020-10-23 11:33:21 +00:00
|
|
|
let top_level_privs = user_info.lookup_privs(&auth_id, &["access", "users"]);
|
2020-09-18 13:01:06 +00:00
|
|
|
let top_level_allowed = (top_level_privs & PRIV_SYS_AUDIT) != 0;
|
|
|
|
|
|
|
|
let filter_by_privs = |user: &user::User| {
|
|
|
|
top_level_allowed || user.userid == userid
|
|
|
|
};
|
|
|
|
|
|
|
|
let list:Vec<user::User> = config.convert_to_typed_array("user")?;
|
2020-05-18 12:18:36 +00:00
|
|
|
|
|
|
|
rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();
|
2020-04-06 10:09:27 +00:00
|
|
|
|
2020-09-18 13:01:06 +00:00
|
|
|
Ok(list.into_iter().filter(filter_by_privs).collect())
|
2020-04-06 10:09:27 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
#[api(
|
|
|
|
protected: true,
|
|
|
|
input: {
|
|
|
|
properties: {
|
|
|
|
userid: {
|
2020-08-06 13:46:01 +00:00
|
|
|
type: Userid,
|
2020-04-06 10:09:27 +00:00
|
|
|
},
|
|
|
|
comment: {
|
|
|
|
schema: SINGLE_LINE_COMMENT_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
password: {
|
|
|
|
schema: PBS_PASSWORD_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
enable: {
|
|
|
|
schema: user::ENABLE_USER_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
expire: {
|
|
|
|
schema: user::EXPIRE_USER_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
firstname: {
|
|
|
|
schema: user::FIRST_NAME_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
lastname: {
|
|
|
|
schema: user::LAST_NAME_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
email: {
|
|
|
|
schema: user::EMAIL_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
2020-04-17 08:08:45 +00:00
|
|
|
access: {
|
2020-04-30 07:30:00 +00:00
|
|
|
permission: &Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
|
2020-04-17 08:08:45 +00:00
|
|
|
},
|
2020-04-06 10:09:27 +00:00
|
|
|
)]
|
|
|
|
/// Create new user.
|
2020-05-19 07:49:39 +00:00
|
|
|
pub fn create_user(password: Option<String>, param: Value) -> Result<(), Error> {
|
2020-04-06 10:09:27 +00:00
|
|
|
|
2020-09-28 08:50:44 +00:00
|
|
|
let _lock = open_file_locked(user::USER_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?;
|
2020-04-06 10:09:27 +00:00
|
|
|
|
2020-05-19 07:49:39 +00:00
|
|
|
let user: user::User = serde_json::from_value(param)?;
|
2020-04-06 10:09:27 +00:00
|
|
|
|
|
|
|
let (mut config, _digest) = user::config()?;
|
|
|
|
|
2020-08-06 13:46:01 +00:00
|
|
|
if let Some(_) = config.sections.get(user.userid.as_str()) {
|
2020-05-19 07:49:39 +00:00
|
|
|
bail!("user '{}' already exists.", user.userid);
|
2020-04-06 10:09:27 +00:00
|
|
|
}
|
|
|
|
|
2020-08-06 13:46:01 +00:00
|
|
|
let authenticator = crate::auth::lookup_authenticator(&user.userid.realm())?;
|
2020-04-06 10:09:27 +00:00
|
|
|
|
2020-08-06 13:46:01 +00:00
|
|
|
config.set_data(user.userid.as_str(), "user", &user)?;
|
2020-04-06 10:09:27 +00:00
|
|
|
|
|
|
|
user::save_config(&config)?;
|
|
|
|
|
2020-04-08 09:57:14 +00:00
|
|
|
if let Some(password) = password {
|
2020-08-06 13:46:01 +00:00
|
|
|
authenticator.store_password(user.userid.name(), &password)?;
|
2020-04-08 09:57:14 +00:00
|
|
|
}
|
|
|
|
|
2020-04-06 10:09:27 +00:00
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
|
|
|
|
#[api(
|
|
|
|
input: {
|
|
|
|
properties: {
|
|
|
|
userid: {
|
2020-08-06 13:46:01 +00:00
|
|
|
type: Userid,
|
2020-04-06 10:09:27 +00:00
|
|
|
},
|
2020-04-09 08:19:38 +00:00
|
|
|
},
|
2020-04-06 10:09:27 +00:00
|
|
|
},
|
|
|
|
returns: {
|
|
|
|
description: "The user configuration (with config digest).",
|
|
|
|
type: user::User,
|
|
|
|
},
|
2020-04-17 08:08:45 +00:00
|
|
|
access: {
|
2020-09-18 13:01:06 +00:00
|
|
|
permission: &Permission::Or(&[
|
|
|
|
&Permission::Privilege(&["access", "users"], PRIV_SYS_AUDIT, false),
|
|
|
|
&Permission::UserParam("userid"),
|
|
|
|
]),
|
2020-04-17 08:08:45 +00:00
|
|
|
},
|
2020-04-06 10:09:27 +00:00
|
|
|
)]
|
|
|
|
/// Read user configuration data.
|
2020-08-06 13:46:01 +00:00
|
|
|
pub fn read_user(userid: Userid, mut rpcenv: &mut dyn RpcEnvironment) -> Result<user::User, Error> {
|
2020-04-06 10:09:27 +00:00
|
|
|
let (config, digest) = user::config()?;
|
2020-08-06 13:46:01 +00:00
|
|
|
let user = config.lookup("user", userid.as_str())?;
|
2020-05-18 12:18:36 +00:00
|
|
|
rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();
|
|
|
|
Ok(user)
|
2020-04-06 10:09:27 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
#[api(
|
|
|
|
protected: true,
|
|
|
|
input: {
|
|
|
|
properties: {
|
|
|
|
userid: {
|
2020-08-06 13:46:01 +00:00
|
|
|
type: Userid,
|
2020-04-06 10:09:27 +00:00
|
|
|
},
|
|
|
|
comment: {
|
|
|
|
optional: true,
|
|
|
|
schema: SINGLE_LINE_COMMENT_SCHEMA,
|
|
|
|
},
|
|
|
|
password: {
|
|
|
|
schema: PBS_PASSWORD_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
enable: {
|
|
|
|
schema: user::ENABLE_USER_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
expire: {
|
|
|
|
schema: user::EXPIRE_USER_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
firstname: {
|
|
|
|
schema: user::FIRST_NAME_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
lastname: {
|
|
|
|
schema: user::LAST_NAME_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
email: {
|
|
|
|
schema: user::EMAIL_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
digest: {
|
|
|
|
optional: true,
|
|
|
|
schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
2020-04-17 08:08:45 +00:00
|
|
|
access: {
|
2020-09-18 13:01:06 +00:00
|
|
|
permission: &Permission::Or(&[
|
|
|
|
&Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
|
|
|
|
&Permission::UserParam("userid"),
|
|
|
|
]),
|
2020-04-17 08:08:45 +00:00
|
|
|
},
|
2020-04-06 10:09:27 +00:00
|
|
|
)]
|
|
|
|
/// Update user configuration.
|
|
|
|
pub fn update_user(
|
2020-08-06 13:46:01 +00:00
|
|
|
userid: Userid,
|
2020-04-06 10:09:27 +00:00
|
|
|
comment: Option<String>,
|
|
|
|
enable: Option<bool>,
|
|
|
|
expire: Option<i64>,
|
|
|
|
password: Option<String>,
|
|
|
|
firstname: Option<String>,
|
|
|
|
lastname: Option<String>,
|
|
|
|
email: Option<String>,
|
|
|
|
digest: Option<String>,
|
|
|
|
) -> Result<(), Error> {
|
|
|
|
|
2020-09-28 08:50:44 +00:00
|
|
|
let _lock = open_file_locked(user::USER_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?;
|
2020-04-06 10:09:27 +00:00
|
|
|
|
|
|
|
let (mut config, expected_digest) = user::config()?;
|
|
|
|
|
|
|
|
if let Some(ref digest) = digest {
|
|
|
|
let digest = proxmox::tools::hex_to_digest(digest)?;
|
|
|
|
crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
|
|
|
|
}
|
|
|
|
|
2020-08-06 13:46:01 +00:00
|
|
|
let mut data: user::User = config.lookup("user", userid.as_str())?;
|
2020-04-06 10:09:27 +00:00
|
|
|
|
|
|
|
if let Some(comment) = comment {
|
|
|
|
let comment = comment.trim().to_string();
|
|
|
|
if comment.is_empty() {
|
|
|
|
data.comment = None;
|
|
|
|
} else {
|
|
|
|
data.comment = Some(comment);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if let Some(enable) = enable {
|
|
|
|
data.enable = if enable { None } else { Some(false) };
|
|
|
|
}
|
|
|
|
|
|
|
|
if let Some(expire) = expire {
|
|
|
|
data.expire = if expire > 0 { Some(expire) } else { None };
|
|
|
|
}
|
|
|
|
|
|
|
|
if let Some(password) = password {
|
2020-08-06 13:46:01 +00:00
|
|
|
let authenticator = crate::auth::lookup_authenticator(userid.realm())?;
|
|
|
|
authenticator.store_password(userid.name(), &password)?;
|
2020-04-06 10:09:27 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if let Some(firstname) = firstname {
|
|
|
|
data.firstname = if firstname.is_empty() { None } else { Some(firstname) };
|
|
|
|
}
|
|
|
|
|
|
|
|
if let Some(lastname) = lastname {
|
|
|
|
data.lastname = if lastname.is_empty() { None } else { Some(lastname) };
|
|
|
|
}
|
|
|
|
if let Some(email) = email {
|
|
|
|
data.email = if email.is_empty() { None } else { Some(email) };
|
|
|
|
}
|
|
|
|
|
2020-08-06 13:46:01 +00:00
|
|
|
config.set_data(userid.as_str(), "user", &data)?;
|
2020-04-06 10:09:27 +00:00
|
|
|
|
|
|
|
user::save_config(&config)?;
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
|
|
|
|
#[api(
|
|
|
|
protected: true,
|
|
|
|
input: {
|
|
|
|
properties: {
|
|
|
|
userid: {
|
2020-08-06 13:46:01 +00:00
|
|
|
type: Userid,
|
2020-04-06 10:09:27 +00:00
|
|
|
},
|
|
|
|
digest: {
|
|
|
|
optional: true,
|
|
|
|
schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
2020-04-17 08:08:45 +00:00
|
|
|
access: {
|
2020-09-18 13:01:06 +00:00
|
|
|
permission: &Permission::Or(&[
|
|
|
|
&Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
|
|
|
|
&Permission::UserParam("userid"),
|
|
|
|
]),
|
2020-04-17 08:08:45 +00:00
|
|
|
},
|
2020-04-06 10:09:27 +00:00
|
|
|
)]
|
|
|
|
/// Remove a user from the configuration file.
|
2020-08-06 13:46:01 +00:00
|
|
|
pub fn delete_user(userid: Userid, digest: Option<String>) -> Result<(), Error> {
|
2020-04-06 10:09:27 +00:00
|
|
|
|
2020-09-28 08:50:44 +00:00
|
|
|
let _lock = open_file_locked(user::USER_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?;
|
2020-04-06 10:09:27 +00:00
|
|
|
|
|
|
|
let (mut config, expected_digest) = user::config()?;
|
|
|
|
|
|
|
|
if let Some(ref digest) = digest {
|
|
|
|
let digest = proxmox::tools::hex_to_digest(digest)?;
|
|
|
|
crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
|
|
|
|
}
|
|
|
|
|
2020-08-06 13:46:01 +00:00
|
|
|
match config.sections.get(userid.as_str()) {
|
|
|
|
Some(_) => { config.sections.remove(userid.as_str()); },
|
2020-04-06 10:09:27 +00:00
|
|
|
None => bail!("user '{}' does not exist.", userid),
|
|
|
|
}
|
|
|
|
|
|
|
|
user::save_config(&config)?;
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
|
2020-10-07 11:12:37 +00:00
|
|
|
#[api(
|
|
|
|
input: {
|
|
|
|
properties: {
|
|
|
|
userid: {
|
|
|
|
type: Userid,
|
|
|
|
},
|
|
|
|
tokenname: {
|
|
|
|
type: Tokenname,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
returns: {
|
|
|
|
description: "Get API token metadata (with config digest).",
|
|
|
|
type: user::ApiToken,
|
|
|
|
},
|
|
|
|
access: {
|
|
|
|
permission: &Permission::Or(&[
|
|
|
|
&Permission::Privilege(&["access", "users"], PRIV_SYS_AUDIT, false),
|
|
|
|
&Permission::UserParam("userid"),
|
|
|
|
]),
|
|
|
|
},
|
|
|
|
)]
|
|
|
|
/// Read user's API token metadata
|
|
|
|
pub fn read_token(
|
|
|
|
userid: Userid,
|
|
|
|
tokenname: Tokenname,
|
|
|
|
_info: &ApiMethod,
|
|
|
|
mut rpcenv: &mut dyn RpcEnvironment,
|
|
|
|
) -> Result<user::ApiToken, Error> {
|
|
|
|
|
|
|
|
let (config, digest) = user::config()?;
|
|
|
|
|
|
|
|
let tokenid = Authid::from((userid, Some(tokenname)));
|
|
|
|
|
|
|
|
rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();
|
|
|
|
config.lookup("token", &tokenid.to_string())
|
|
|
|
}
|
|
|
|
|
|
|
|
#[api(
|
|
|
|
protected: true,
|
|
|
|
input: {
|
|
|
|
properties: {
|
|
|
|
userid: {
|
|
|
|
type: Userid,
|
|
|
|
},
|
|
|
|
tokenname: {
|
|
|
|
type: Tokenname,
|
|
|
|
},
|
|
|
|
comment: {
|
|
|
|
optional: true,
|
|
|
|
schema: SINGLE_LINE_COMMENT_SCHEMA,
|
|
|
|
},
|
|
|
|
enable: {
|
|
|
|
schema: user::ENABLE_USER_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
expire: {
|
|
|
|
schema: user::EXPIRE_USER_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
digest: {
|
|
|
|
optional: true,
|
|
|
|
schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
access: {
|
|
|
|
permission: &Permission::Or(&[
|
|
|
|
&Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
|
|
|
|
&Permission::UserParam("userid"),
|
|
|
|
]),
|
|
|
|
},
|
|
|
|
returns: {
|
|
|
|
description: "API token identifier + generated secret.",
|
|
|
|
properties: {
|
|
|
|
value: {
|
|
|
|
type: String,
|
|
|
|
description: "The API token secret",
|
|
|
|
},
|
|
|
|
tokenid: {
|
|
|
|
type: String,
|
|
|
|
description: "The API token identifier",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
)]
|
|
|
|
/// Generate a new API token with given metadata
|
|
|
|
pub fn generate_token(
|
|
|
|
userid: Userid,
|
|
|
|
tokenname: Tokenname,
|
|
|
|
comment: Option<String>,
|
|
|
|
enable: Option<bool>,
|
|
|
|
expire: Option<i64>,
|
|
|
|
digest: Option<String>,
|
|
|
|
) -> Result<Value, Error> {
|
|
|
|
|
|
|
|
let _lock = open_file_locked(user::USER_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?;
|
|
|
|
|
|
|
|
let (mut config, expected_digest) = user::config()?;
|
|
|
|
|
|
|
|
if let Some(ref digest) = digest {
|
|
|
|
let digest = proxmox::tools::hex_to_digest(digest)?;
|
|
|
|
crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
|
|
|
|
}
|
|
|
|
|
|
|
|
let tokenid = Authid::from((userid.clone(), Some(tokenname.clone())));
|
|
|
|
let tokenid_string = tokenid.to_string();
|
|
|
|
|
|
|
|
if let Some(_) = config.sections.get(&tokenid_string) {
|
|
|
|
bail!("token '{}' for user '{}' already exists.", tokenname.as_str(), userid);
|
|
|
|
}
|
|
|
|
|
|
|
|
let secret = format!("{:x}", proxmox::tools::uuid::Uuid::generate());
|
|
|
|
token_shadow::set_secret(&tokenid, &secret)?;
|
|
|
|
|
|
|
|
let token = user::ApiToken {
|
|
|
|
tokenid: tokenid.clone(),
|
|
|
|
comment,
|
|
|
|
enable,
|
|
|
|
expire,
|
|
|
|
};
|
|
|
|
|
|
|
|
config.set_data(&tokenid_string, "token", &token)?;
|
|
|
|
|
|
|
|
user::save_config(&config)?;
|
|
|
|
|
|
|
|
Ok(json!({
|
|
|
|
"tokenid": tokenid_string,
|
|
|
|
"value": secret
|
|
|
|
}))
|
|
|
|
}
|
|
|
|
|
|
|
|
#[api(
|
|
|
|
protected: true,
|
|
|
|
input: {
|
|
|
|
properties: {
|
|
|
|
userid: {
|
|
|
|
type: Userid,
|
|
|
|
},
|
|
|
|
tokenname: {
|
|
|
|
type: Tokenname,
|
|
|
|
},
|
|
|
|
comment: {
|
|
|
|
optional: true,
|
|
|
|
schema: SINGLE_LINE_COMMENT_SCHEMA,
|
|
|
|
},
|
|
|
|
enable: {
|
|
|
|
schema: user::ENABLE_USER_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
expire: {
|
|
|
|
schema: user::EXPIRE_USER_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
digest: {
|
|
|
|
optional: true,
|
|
|
|
schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
access: {
|
|
|
|
permission: &Permission::Or(&[
|
|
|
|
&Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
|
|
|
|
&Permission::UserParam("userid"),
|
|
|
|
]),
|
|
|
|
},
|
|
|
|
)]
|
|
|
|
/// Update user's API token metadata
|
|
|
|
pub fn update_token(
|
|
|
|
userid: Userid,
|
|
|
|
tokenname: Tokenname,
|
|
|
|
comment: Option<String>,
|
|
|
|
enable: Option<bool>,
|
|
|
|
expire: Option<i64>,
|
|
|
|
digest: Option<String>,
|
|
|
|
) -> Result<(), Error> {
|
|
|
|
|
|
|
|
let _lock = open_file_locked(user::USER_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?;
|
|
|
|
|
|
|
|
let (mut config, expected_digest) = user::config()?;
|
|
|
|
|
|
|
|
if let Some(ref digest) = digest {
|
|
|
|
let digest = proxmox::tools::hex_to_digest(digest)?;
|
|
|
|
crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
|
|
|
|
}
|
|
|
|
|
|
|
|
let tokenid = Authid::from((userid, Some(tokenname)));
|
|
|
|
let tokenid_string = tokenid.to_string();
|
|
|
|
|
|
|
|
let mut data: user::ApiToken = config.lookup("token", &tokenid_string)?;
|
|
|
|
|
|
|
|
if let Some(comment) = comment {
|
|
|
|
let comment = comment.trim().to_string();
|
|
|
|
if comment.is_empty() {
|
|
|
|
data.comment = None;
|
|
|
|
} else {
|
|
|
|
data.comment = Some(comment);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if let Some(enable) = enable {
|
|
|
|
data.enable = if enable { None } else { Some(false) };
|
|
|
|
}
|
|
|
|
|
|
|
|
if let Some(expire) = expire {
|
|
|
|
data.expire = if expire > 0 { Some(expire) } else { None };
|
|
|
|
}
|
|
|
|
|
|
|
|
config.set_data(&tokenid_string, "token", &data)?;
|
|
|
|
|
|
|
|
user::save_config(&config)?;
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
|
|
|
|
#[api(
|
|
|
|
protected: true,
|
|
|
|
input: {
|
|
|
|
properties: {
|
|
|
|
userid: {
|
|
|
|
type: Userid,
|
|
|
|
},
|
|
|
|
tokenname: {
|
|
|
|
type: Tokenname,
|
|
|
|
},
|
|
|
|
digest: {
|
|
|
|
optional: true,
|
|
|
|
schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
access: {
|
|
|
|
permission: &Permission::Or(&[
|
|
|
|
&Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
|
|
|
|
&Permission::UserParam("userid"),
|
|
|
|
]),
|
|
|
|
},
|
|
|
|
)]
|
|
|
|
/// Delete a user's API token
|
|
|
|
pub fn delete_token(
|
|
|
|
userid: Userid,
|
|
|
|
tokenname: Tokenname,
|
|
|
|
digest: Option<String>,
|
|
|
|
) -> Result<(), Error> {
|
|
|
|
|
|
|
|
let _lock = open_file_locked(user::USER_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?;
|
|
|
|
|
|
|
|
let (mut config, expected_digest) = user::config()?;
|
|
|
|
|
|
|
|
if let Some(ref digest) = digest {
|
|
|
|
let digest = proxmox::tools::hex_to_digest(digest)?;
|
|
|
|
crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
|
|
|
|
}
|
|
|
|
|
|
|
|
let tokenid = Authid::from((userid.clone(), Some(tokenname.clone())));
|
|
|
|
let tokenid_string = tokenid.to_string();
|
|
|
|
|
|
|
|
match config.sections.get(&tokenid_string) {
|
|
|
|
Some(_) => { config.sections.remove(&tokenid_string); },
|
|
|
|
None => bail!("token '{}' of user '{}' does not exist.", tokenname.as_str(), userid),
|
|
|
|
}
|
|
|
|
|
|
|
|
token_shadow::delete_secret(&tokenid)?;
|
|
|
|
|
|
|
|
user::save_config(&config)?;
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
|
|
|
|
#[api(
|
|
|
|
input: {
|
|
|
|
properties: {
|
|
|
|
userid: {
|
|
|
|
type: Userid,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
returns: {
|
|
|
|
description: "List user's API tokens (with config digest).",
|
|
|
|
type: Array,
|
|
|
|
items: { type: user::ApiToken },
|
|
|
|
},
|
|
|
|
access: {
|
|
|
|
permission: &Permission::Or(&[
|
|
|
|
&Permission::Privilege(&["access", "users"], PRIV_SYS_AUDIT, false),
|
|
|
|
&Permission::UserParam("userid"),
|
|
|
|
]),
|
|
|
|
},
|
|
|
|
)]
|
|
|
|
/// List user's API tokens
|
|
|
|
pub fn list_tokens(
|
|
|
|
userid: Userid,
|
|
|
|
_info: &ApiMethod,
|
|
|
|
mut rpcenv: &mut dyn RpcEnvironment,
|
|
|
|
) -> Result<Vec<user::ApiToken>, Error> {
|
|
|
|
|
|
|
|
let (config, digest) = user::config()?;
|
|
|
|
|
|
|
|
let list:Vec<user::ApiToken> = config.convert_to_typed_array("token")?;
|
|
|
|
|
|
|
|
rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();
|
|
|
|
|
|
|
|
let filter_by_owner = |token: &user::ApiToken| {
|
|
|
|
if token.tokenid.is_token() {
|
|
|
|
token.tokenid.user() == &userid
|
|
|
|
} else {
|
|
|
|
false
|
|
|
|
}
|
|
|
|
};
|
|
|
|
|
|
|
|
Ok(list.into_iter().filter(filter_by_owner).collect())
|
|
|
|
}
|
|
|
|
|
|
|
|
const TOKEN_ITEM_ROUTER: Router = Router::new()
|
|
|
|
.get(&API_METHOD_READ_TOKEN)
|
|
|
|
.put(&API_METHOD_UPDATE_TOKEN)
|
|
|
|
.post(&API_METHOD_GENERATE_TOKEN)
|
|
|
|
.delete(&API_METHOD_DELETE_TOKEN);
|
|
|
|
|
|
|
|
const TOKEN_ROUTER: Router = Router::new()
|
|
|
|
.get(&API_METHOD_LIST_TOKENS)
|
|
|
|
.match_all("tokenname", &TOKEN_ITEM_ROUTER);
|
|
|
|
|
|
|
|
const USER_SUBDIRS: SubdirMap = &[
|
|
|
|
("token", &TOKEN_ROUTER),
|
|
|
|
];
|
|
|
|
|
|
|
|
const USER_ROUTER: Router = Router::new()
|
2020-04-06 10:09:27 +00:00
|
|
|
.get(&API_METHOD_READ_USER)
|
|
|
|
.put(&API_METHOD_UPDATE_USER)
|
2020-10-07 11:12:37 +00:00
|
|
|
.delete(&API_METHOD_DELETE_USER)
|
|
|
|
.subdirs(USER_SUBDIRS);
|
2020-04-06 10:09:27 +00:00
|
|
|
|
|
|
|
pub const ROUTER: Router = Router::new()
|
|
|
|
.get(&API_METHOD_LIST_USERS)
|
|
|
|
.post(&API_METHOD_CREATE_USER)
|
2020-10-07 11:12:37 +00:00
|
|
|
.match_all("userid", &USER_ROUTER);
|