2020-12-30 11:21:14 +00:00
|
|
|
use anyhow::{bail, format_err, Error};
|
2020-10-07 12:38:12 +00:00
|
|
|
use serde::{Serialize, Deserialize};
|
2020-10-07 11:12:37 +00:00
|
|
|
use serde_json::{json, Value};
|
2020-10-07 12:38:12 +00:00
|
|
|
use std::collections::HashMap;
|
2020-04-06 10:09:27 +00:00
|
|
|
|
2020-04-17 08:08:45 +00:00
|
|
|
use proxmox::api::{api, ApiMethod, Router, RpcEnvironment, Permission};
|
2020-10-07 11:12:37 +00:00
|
|
|
use proxmox::api::router::SubdirMap;
|
2020-04-06 10:09:27 +00:00
|
|
|
use proxmox::api::schema::{Schema, StringSchema};
|
2020-08-04 09:33:02 +00:00
|
|
|
use proxmox::tools::fs::open_file_locked;
|
2020-04-06 10:09:27 +00:00
|
|
|
|
|
|
|
use crate::api2::types::*;
|
|
|
|
use crate::config::user;
|
2020-10-07 11:12:37 +00:00
|
|
|
use crate::config::token_shadow;
|
2020-04-17 09:04:36 +00:00
|
|
|
use crate::config::acl::{PRIV_SYS_AUDIT, PRIV_PERMISSIONS_MODIFY};
|
2020-09-18 13:01:06 +00:00
|
|
|
use crate::config::cached_user_info::CachedUserInfo;
|
2020-04-06 10:09:27 +00:00
|
|
|
|
|
|
|
pub const PBS_PASSWORD_SCHEMA: Schema = StringSchema::new("User Password.")
|
|
|
|
.format(&PASSWORD_FORMAT)
|
|
|
|
.min_length(5)
|
|
|
|
.max_length(64)
|
|
|
|
.schema();
|
|
|
|
|
2020-10-07 12:38:12 +00:00
|
|
|
#[api(
|
|
|
|
properties: {
|
|
|
|
userid: {
|
|
|
|
type: Userid,
|
|
|
|
},
|
|
|
|
comment: {
|
|
|
|
optional: true,
|
|
|
|
schema: SINGLE_LINE_COMMENT_SCHEMA,
|
|
|
|
},
|
|
|
|
enable: {
|
|
|
|
optional: true,
|
|
|
|
schema: user::ENABLE_USER_SCHEMA,
|
|
|
|
},
|
|
|
|
expire: {
|
|
|
|
optional: true,
|
|
|
|
schema: user::EXPIRE_USER_SCHEMA,
|
|
|
|
},
|
|
|
|
firstname: {
|
|
|
|
optional: true,
|
|
|
|
schema: user::FIRST_NAME_SCHEMA,
|
|
|
|
},
|
|
|
|
lastname: {
|
|
|
|
schema: user::LAST_NAME_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
email: {
|
|
|
|
schema: user::EMAIL_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
tokens: {
|
|
|
|
type: Array,
|
|
|
|
optional: true,
|
|
|
|
description: "List of user's API tokens.",
|
|
|
|
items: {
|
|
|
|
type: user::ApiToken
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
)]
|
|
|
|
#[derive(Serialize,Deserialize)]
|
|
|
|
/// User properties with added list of ApiTokens
|
|
|
|
pub struct UserWithTokens {
|
|
|
|
pub userid: Userid,
|
|
|
|
#[serde(skip_serializing_if="Option::is_none")]
|
|
|
|
pub comment: Option<String>,
|
|
|
|
#[serde(skip_serializing_if="Option::is_none")]
|
|
|
|
pub enable: Option<bool>,
|
|
|
|
#[serde(skip_serializing_if="Option::is_none")]
|
|
|
|
pub expire: Option<i64>,
|
|
|
|
#[serde(skip_serializing_if="Option::is_none")]
|
|
|
|
pub firstname: Option<String>,
|
|
|
|
#[serde(skip_serializing_if="Option::is_none")]
|
|
|
|
pub lastname: Option<String>,
|
|
|
|
#[serde(skip_serializing_if="Option::is_none")]
|
|
|
|
pub email: Option<String>,
|
2020-11-06 13:55:34 +00:00
|
|
|
#[serde(skip_serializing_if="Vec::is_empty", default)]
|
2020-10-29 14:17:53 +00:00
|
|
|
pub tokens: Vec<user::ApiToken>,
|
2020-10-07 12:38:12 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
impl UserWithTokens {
|
|
|
|
fn new(user: user::User) -> Self {
|
|
|
|
Self {
|
|
|
|
userid: user.userid,
|
|
|
|
comment: user.comment,
|
|
|
|
enable: user.enable,
|
|
|
|
expire: user.expire,
|
|
|
|
firstname: user.firstname,
|
|
|
|
lastname: user.lastname,
|
|
|
|
email: user.email,
|
2020-10-29 14:17:53 +00:00
|
|
|
tokens: Vec::new(),
|
2020-10-07 12:38:12 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-04-06 10:09:27 +00:00
|
|
|
#[api(
|
|
|
|
input: {
|
2020-10-07 12:38:12 +00:00
|
|
|
properties: {
|
|
|
|
include_tokens: {
|
|
|
|
type: bool,
|
|
|
|
description: "Include user's API tokens in returned list.",
|
|
|
|
optional: true,
|
|
|
|
default: false,
|
|
|
|
},
|
|
|
|
},
|
2020-04-06 10:09:27 +00:00
|
|
|
},
|
|
|
|
returns: {
|
|
|
|
description: "List users (with config digest).",
|
|
|
|
type: Array,
|
2020-10-29 14:20:10 +00:00
|
|
|
items: { type: UserWithTokens },
|
2020-04-06 10:09:27 +00:00
|
|
|
},
|
2020-04-17 08:08:45 +00:00
|
|
|
access: {
|
2020-09-18 13:01:06 +00:00
|
|
|
permission: &Permission::Anybody,
|
2020-12-30 11:21:14 +00:00
|
|
|
description: "Returns all or just the logged-in user (/API token owner), depending on privileges.",
|
2020-04-17 08:08:45 +00:00
|
|
|
},
|
2020-04-06 10:09:27 +00:00
|
|
|
)]
|
2020-09-18 13:01:06 +00:00
|
|
|
/// List users
|
2020-04-06 10:09:27 +00:00
|
|
|
pub fn list_users(
|
2020-10-07 12:38:12 +00:00
|
|
|
include_tokens: bool,
|
2020-04-06 10:09:27 +00:00
|
|
|
_info: &ApiMethod,
|
2020-05-18 12:18:36 +00:00
|
|
|
mut rpcenv: &mut dyn RpcEnvironment,
|
2020-10-07 12:38:12 +00:00
|
|
|
) -> Result<Vec<UserWithTokens>, Error> {
|
2020-04-06 10:09:27 +00:00
|
|
|
|
|
|
|
let (config, digest) = user::config()?;
|
|
|
|
|
2020-12-30 11:21:14 +00:00
|
|
|
let auth_id: Authid = rpcenv
|
|
|
|
.get_auth_id()
|
|
|
|
.ok_or_else(|| format_err!("no authid available"))?
|
|
|
|
.parse()?;
|
|
|
|
|
|
|
|
let userid = auth_id.user();
|
2020-10-23 11:33:21 +00:00
|
|
|
|
2020-09-18 13:01:06 +00:00
|
|
|
let user_info = CachedUserInfo::new()?;
|
|
|
|
|
2020-10-23 11:33:21 +00:00
|
|
|
let top_level_privs = user_info.lookup_privs(&auth_id, &["access", "users"]);
|
2020-09-18 13:01:06 +00:00
|
|
|
let top_level_allowed = (top_level_privs & PRIV_SYS_AUDIT) != 0;
|
|
|
|
|
|
|
|
let filter_by_privs = |user: &user::User| {
|
2020-12-30 11:21:14 +00:00
|
|
|
top_level_allowed || user.userid == *userid
|
2020-09-18 13:01:06 +00:00
|
|
|
};
|
|
|
|
|
2020-10-07 12:38:12 +00:00
|
|
|
|
2020-09-18 13:01:06 +00:00
|
|
|
let list:Vec<user::User> = config.convert_to_typed_array("user")?;
|
2020-05-18 12:18:36 +00:00
|
|
|
|
|
|
|
rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();
|
2020-04-06 10:09:27 +00:00
|
|
|
|
2020-10-07 12:38:12 +00:00
|
|
|
let iter = list.into_iter().filter(filter_by_privs);
|
|
|
|
let list = if include_tokens {
|
2020-10-29 14:17:53 +00:00
|
|
|
let tokens: Vec<user::ApiToken> = config.convert_to_typed_array("token")?;
|
2020-10-07 12:38:12 +00:00
|
|
|
let mut user_to_tokens = tokens
|
|
|
|
.into_iter()
|
|
|
|
.fold(
|
|
|
|
HashMap::new(),
|
|
|
|
|mut map: HashMap<Userid, Vec<user::ApiToken>>, token: user::ApiToken| {
|
|
|
|
if token.tokenid.is_token() {
|
|
|
|
map
|
|
|
|
.entry(token.tokenid.user().clone())
|
|
|
|
.or_default()
|
|
|
|
.push(token);
|
|
|
|
}
|
|
|
|
map
|
|
|
|
});
|
|
|
|
iter
|
|
|
|
.map(|user: user::User| {
|
|
|
|
let mut user = UserWithTokens::new(user);
|
2020-10-29 14:17:53 +00:00
|
|
|
user.tokens = user_to_tokens.remove(&user.userid).unwrap_or_default();
|
2020-10-07 12:38:12 +00:00
|
|
|
user
|
|
|
|
})
|
|
|
|
.collect()
|
|
|
|
} else {
|
|
|
|
iter.map(|user: user::User| UserWithTokens::new(user))
|
|
|
|
.collect()
|
|
|
|
};
|
|
|
|
|
|
|
|
Ok(list)
|
2020-04-06 10:09:27 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
#[api(
|
|
|
|
protected: true,
|
|
|
|
input: {
|
|
|
|
properties: {
|
|
|
|
userid: {
|
2020-08-06 13:46:01 +00:00
|
|
|
type: Userid,
|
2020-04-06 10:09:27 +00:00
|
|
|
},
|
|
|
|
comment: {
|
|
|
|
schema: SINGLE_LINE_COMMENT_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
password: {
|
|
|
|
schema: PBS_PASSWORD_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
enable: {
|
|
|
|
schema: user::ENABLE_USER_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
expire: {
|
|
|
|
schema: user::EXPIRE_USER_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
firstname: {
|
|
|
|
schema: user::FIRST_NAME_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
lastname: {
|
|
|
|
schema: user::LAST_NAME_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
email: {
|
|
|
|
schema: user::EMAIL_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
2020-04-17 08:08:45 +00:00
|
|
|
access: {
|
2020-04-30 07:30:00 +00:00
|
|
|
permission: &Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
|
2020-04-17 08:08:45 +00:00
|
|
|
},
|
2020-04-06 10:09:27 +00:00
|
|
|
)]
|
|
|
|
/// Create new user.
|
2021-01-13 16:26:14 +00:00
|
|
|
pub fn create_user(
|
|
|
|
password: Option<String>,
|
|
|
|
param: Value,
|
|
|
|
rpcenv: &mut dyn RpcEnvironment
|
|
|
|
) -> Result<(), Error> {
|
2020-04-06 10:09:27 +00:00
|
|
|
|
2020-09-28 08:50:44 +00:00
|
|
|
let _lock = open_file_locked(user::USER_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?;
|
2020-04-06 10:09:27 +00:00
|
|
|
|
2020-05-19 07:49:39 +00:00
|
|
|
let user: user::User = serde_json::from_value(param)?;
|
2020-04-06 10:09:27 +00:00
|
|
|
|
|
|
|
let (mut config, _digest) = user::config()?;
|
|
|
|
|
2020-08-06 13:46:01 +00:00
|
|
|
if let Some(_) = config.sections.get(user.userid.as_str()) {
|
2020-05-19 07:49:39 +00:00
|
|
|
bail!("user '{}' already exists.", user.userid);
|
2020-04-06 10:09:27 +00:00
|
|
|
}
|
|
|
|
|
2020-08-06 13:46:01 +00:00
|
|
|
config.set_data(user.userid.as_str(), "user", &user)?;
|
2020-04-06 10:09:27 +00:00
|
|
|
|
2021-01-13 16:26:14 +00:00
|
|
|
let realm = user.userid.realm();
|
|
|
|
|
|
|
|
// Fails if realm does not exist!
|
|
|
|
let authenticator = crate::auth::lookup_authenticator(realm)?;
|
|
|
|
|
2020-04-06 10:09:27 +00:00
|
|
|
user::save_config(&config)?;
|
|
|
|
|
2020-04-08 09:57:14 +00:00
|
|
|
if let Some(password) = password {
|
2021-01-13 16:26:14 +00:00
|
|
|
let user_info = CachedUserInfo::new()?;
|
|
|
|
let current_auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
|
|
|
|
if realm == "pam" && !user_info.is_superuser(¤t_auth_id) {
|
|
|
|
bail!("only superuser can edit pam credentials!");
|
|
|
|
}
|
2020-08-06 13:46:01 +00:00
|
|
|
authenticator.store_password(user.userid.name(), &password)?;
|
2020-04-08 09:57:14 +00:00
|
|
|
}
|
|
|
|
|
2020-04-06 10:09:27 +00:00
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
|
|
|
|
#[api(
|
|
|
|
input: {
|
|
|
|
properties: {
|
|
|
|
userid: {
|
2020-08-06 13:46:01 +00:00
|
|
|
type: Userid,
|
2020-04-06 10:09:27 +00:00
|
|
|
},
|
2020-04-09 08:19:38 +00:00
|
|
|
},
|
2020-04-06 10:09:27 +00:00
|
|
|
},
|
2020-12-09 09:54:38 +00:00
|
|
|
returns: { type: user::User },
|
2020-04-17 08:08:45 +00:00
|
|
|
access: {
|
2020-09-18 13:01:06 +00:00
|
|
|
permission: &Permission::Or(&[
|
|
|
|
&Permission::Privilege(&["access", "users"], PRIV_SYS_AUDIT, false),
|
|
|
|
&Permission::UserParam("userid"),
|
|
|
|
]),
|
2020-04-17 08:08:45 +00:00
|
|
|
},
|
2020-04-06 10:09:27 +00:00
|
|
|
)]
|
|
|
|
/// Read user configuration data.
|
2020-08-06 13:46:01 +00:00
|
|
|
pub fn read_user(userid: Userid, mut rpcenv: &mut dyn RpcEnvironment) -> Result<user::User, Error> {
|
2020-04-06 10:09:27 +00:00
|
|
|
let (config, digest) = user::config()?;
|
2020-08-06 13:46:01 +00:00
|
|
|
let user = config.lookup("user", userid.as_str())?;
|
2020-05-18 12:18:36 +00:00
|
|
|
rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();
|
|
|
|
Ok(user)
|
2020-04-06 10:09:27 +00:00
|
|
|
}
|
|
|
|
|
2020-11-11 12:34:13 +00:00
|
|
|
#[api()]
|
|
|
|
#[derive(Serialize, Deserialize)]
|
|
|
|
#[serde(rename_all="kebab-case")]
|
|
|
|
#[allow(non_camel_case_types)]
|
|
|
|
pub enum DeletableProperty {
|
|
|
|
/// Delete the comment property.
|
|
|
|
comment,
|
|
|
|
/// Delete the firstname property.
|
|
|
|
firstname,
|
|
|
|
/// Delete the lastname property.
|
|
|
|
lastname,
|
|
|
|
/// Delete the email property.
|
|
|
|
email,
|
|
|
|
}
|
|
|
|
|
2020-04-06 10:09:27 +00:00
|
|
|
#[api(
|
|
|
|
protected: true,
|
|
|
|
input: {
|
|
|
|
properties: {
|
|
|
|
userid: {
|
2020-08-06 13:46:01 +00:00
|
|
|
type: Userid,
|
2020-04-06 10:09:27 +00:00
|
|
|
},
|
|
|
|
comment: {
|
|
|
|
optional: true,
|
|
|
|
schema: SINGLE_LINE_COMMENT_SCHEMA,
|
|
|
|
},
|
|
|
|
password: {
|
|
|
|
schema: PBS_PASSWORD_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
enable: {
|
|
|
|
schema: user::ENABLE_USER_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
expire: {
|
|
|
|
schema: user::EXPIRE_USER_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
firstname: {
|
|
|
|
schema: user::FIRST_NAME_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
lastname: {
|
|
|
|
schema: user::LAST_NAME_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
email: {
|
|
|
|
schema: user::EMAIL_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
2020-11-11 12:34:13 +00:00
|
|
|
delete: {
|
|
|
|
description: "List of properties to delete.",
|
|
|
|
type: Array,
|
|
|
|
optional: true,
|
|
|
|
items: {
|
|
|
|
type: DeletableProperty,
|
|
|
|
}
|
|
|
|
},
|
2020-04-06 10:09:27 +00:00
|
|
|
digest: {
|
|
|
|
optional: true,
|
|
|
|
schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
2020-04-17 08:08:45 +00:00
|
|
|
access: {
|
2020-09-18 13:01:06 +00:00
|
|
|
permission: &Permission::Or(&[
|
|
|
|
&Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
|
|
|
|
&Permission::UserParam("userid"),
|
|
|
|
]),
|
2020-04-17 08:08:45 +00:00
|
|
|
},
|
2020-04-06 10:09:27 +00:00
|
|
|
)]
|
|
|
|
/// Update user configuration.
|
|
|
|
pub fn update_user(
|
2020-08-06 13:46:01 +00:00
|
|
|
userid: Userid,
|
2020-04-06 10:09:27 +00:00
|
|
|
comment: Option<String>,
|
|
|
|
enable: Option<bool>,
|
|
|
|
expire: Option<i64>,
|
|
|
|
password: Option<String>,
|
|
|
|
firstname: Option<String>,
|
|
|
|
lastname: Option<String>,
|
|
|
|
email: Option<String>,
|
2020-11-11 12:34:13 +00:00
|
|
|
delete: Option<Vec<DeletableProperty>>,
|
2020-04-06 10:09:27 +00:00
|
|
|
digest: Option<String>,
|
2021-01-13 16:26:14 +00:00
|
|
|
rpcenv: &mut dyn RpcEnvironment,
|
2020-04-06 10:09:27 +00:00
|
|
|
) -> Result<(), Error> {
|
|
|
|
|
2020-09-28 08:50:44 +00:00
|
|
|
let _lock = open_file_locked(user::USER_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?;
|
2020-04-06 10:09:27 +00:00
|
|
|
|
|
|
|
let (mut config, expected_digest) = user::config()?;
|
|
|
|
|
|
|
|
if let Some(ref digest) = digest {
|
|
|
|
let digest = proxmox::tools::hex_to_digest(digest)?;
|
|
|
|
crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
|
|
|
|
}
|
|
|
|
|
2020-08-06 13:46:01 +00:00
|
|
|
let mut data: user::User = config.lookup("user", userid.as_str())?;
|
2020-04-06 10:09:27 +00:00
|
|
|
|
2020-11-11 12:34:13 +00:00
|
|
|
if let Some(delete) = delete {
|
|
|
|
for delete_prop in delete {
|
|
|
|
match delete_prop {
|
|
|
|
DeletableProperty::comment => data.comment = None,
|
|
|
|
DeletableProperty::firstname => data.firstname = None,
|
|
|
|
DeletableProperty::lastname => data.lastname = None,
|
|
|
|
DeletableProperty::email => data.email = None,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-04-06 10:09:27 +00:00
|
|
|
if let Some(comment) = comment {
|
|
|
|
let comment = comment.trim().to_string();
|
|
|
|
if comment.is_empty() {
|
|
|
|
data.comment = None;
|
|
|
|
} else {
|
|
|
|
data.comment = Some(comment);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if let Some(enable) = enable {
|
|
|
|
data.enable = if enable { None } else { Some(false) };
|
|
|
|
}
|
|
|
|
|
|
|
|
if let Some(expire) = expire {
|
|
|
|
data.expire = if expire > 0 { Some(expire) } else { None };
|
|
|
|
}
|
|
|
|
|
|
|
|
if let Some(password) = password {
|
2021-01-13 16:26:14 +00:00
|
|
|
let user_info = CachedUserInfo::new()?;
|
|
|
|
let current_auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
|
|
|
|
let self_service = current_auth_id.user() == &userid;
|
|
|
|
let target_realm = userid.realm();
|
|
|
|
if !self_service && target_realm == "pam" && !user_info.is_superuser(¤t_auth_id) {
|
|
|
|
bail!("only superuser can edit pam credentials!");
|
|
|
|
}
|
2020-08-06 13:46:01 +00:00
|
|
|
let authenticator = crate::auth::lookup_authenticator(userid.realm())?;
|
|
|
|
authenticator.store_password(userid.name(), &password)?;
|
2020-04-06 10:09:27 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if let Some(firstname) = firstname {
|
|
|
|
data.firstname = if firstname.is_empty() { None } else { Some(firstname) };
|
|
|
|
}
|
|
|
|
|
|
|
|
if let Some(lastname) = lastname {
|
|
|
|
data.lastname = if lastname.is_empty() { None } else { Some(lastname) };
|
|
|
|
}
|
|
|
|
if let Some(email) = email {
|
|
|
|
data.email = if email.is_empty() { None } else { Some(email) };
|
|
|
|
}
|
|
|
|
|
2020-08-06 13:46:01 +00:00
|
|
|
config.set_data(userid.as_str(), "user", &data)?;
|
2020-04-06 10:09:27 +00:00
|
|
|
|
|
|
|
user::save_config(&config)?;
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
|
|
|
|
#[api(
|
|
|
|
protected: true,
|
|
|
|
input: {
|
|
|
|
properties: {
|
|
|
|
userid: {
|
2020-08-06 13:46:01 +00:00
|
|
|
type: Userid,
|
2020-04-06 10:09:27 +00:00
|
|
|
},
|
|
|
|
digest: {
|
|
|
|
optional: true,
|
|
|
|
schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
2020-04-17 08:08:45 +00:00
|
|
|
access: {
|
2020-09-18 13:01:06 +00:00
|
|
|
permission: &Permission::Or(&[
|
|
|
|
&Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
|
|
|
|
&Permission::UserParam("userid"),
|
|
|
|
]),
|
2020-04-17 08:08:45 +00:00
|
|
|
},
|
2020-04-06 10:09:27 +00:00
|
|
|
)]
|
|
|
|
/// Remove a user from the configuration file.
|
2020-08-06 13:46:01 +00:00
|
|
|
pub fn delete_user(userid: Userid, digest: Option<String>) -> Result<(), Error> {
|
2020-04-06 10:09:27 +00:00
|
|
|
|
2020-12-11 13:34:47 +00:00
|
|
|
let _tfa_lock = crate::config::tfa::write_lock()?;
|
2020-09-28 08:50:44 +00:00
|
|
|
let _lock = open_file_locked(user::USER_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?;
|
2020-04-06 10:09:27 +00:00
|
|
|
|
|
|
|
let (mut config, expected_digest) = user::config()?;
|
|
|
|
|
|
|
|
if let Some(ref digest) = digest {
|
|
|
|
let digest = proxmox::tools::hex_to_digest(digest)?;
|
|
|
|
crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
|
|
|
|
}
|
|
|
|
|
2020-08-06 13:46:01 +00:00
|
|
|
match config.sections.get(userid.as_str()) {
|
|
|
|
Some(_) => { config.sections.remove(userid.as_str()); },
|
2020-04-06 10:09:27 +00:00
|
|
|
None => bail!("user '{}' does not exist.", userid),
|
|
|
|
}
|
|
|
|
|
|
|
|
user::save_config(&config)?;
|
|
|
|
|
2020-12-11 13:34:47 +00:00
|
|
|
match crate::config::tfa::read().and_then(|mut cfg| {
|
|
|
|
let _: bool = cfg.remove_user(&userid);
|
|
|
|
crate::config::tfa::write(&cfg)
|
|
|
|
}) {
|
|
|
|
Ok(()) => (),
|
|
|
|
Err(err) => {
|
|
|
|
eprintln!(
|
|
|
|
"error updating TFA config after deleting user {:?}: {}",
|
|
|
|
userid, err
|
|
|
|
);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-04-06 10:09:27 +00:00
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
|
2020-10-07 11:12:37 +00:00
|
|
|
#[api(
|
|
|
|
input: {
|
|
|
|
properties: {
|
|
|
|
userid: {
|
|
|
|
type: Userid,
|
|
|
|
},
|
|
|
|
tokenname: {
|
|
|
|
type: Tokenname,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
2020-12-09 09:54:38 +00:00
|
|
|
returns: { type: user::ApiToken },
|
2020-10-07 11:12:37 +00:00
|
|
|
access: {
|
|
|
|
permission: &Permission::Or(&[
|
|
|
|
&Permission::Privilege(&["access", "users"], PRIV_SYS_AUDIT, false),
|
|
|
|
&Permission::UserParam("userid"),
|
|
|
|
]),
|
|
|
|
},
|
|
|
|
)]
|
|
|
|
/// Read user's API token metadata
|
|
|
|
pub fn read_token(
|
|
|
|
userid: Userid,
|
|
|
|
tokenname: Tokenname,
|
|
|
|
_info: &ApiMethod,
|
|
|
|
mut rpcenv: &mut dyn RpcEnvironment,
|
|
|
|
) -> Result<user::ApiToken, Error> {
|
|
|
|
|
|
|
|
let (config, digest) = user::config()?;
|
|
|
|
|
|
|
|
let tokenid = Authid::from((userid, Some(tokenname)));
|
|
|
|
|
|
|
|
rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();
|
|
|
|
config.lookup("token", &tokenid.to_string())
|
|
|
|
}
|
|
|
|
|
|
|
|
#[api(
|
|
|
|
protected: true,
|
|
|
|
input: {
|
|
|
|
properties: {
|
|
|
|
userid: {
|
|
|
|
type: Userid,
|
|
|
|
},
|
|
|
|
tokenname: {
|
|
|
|
type: Tokenname,
|
|
|
|
},
|
|
|
|
comment: {
|
|
|
|
optional: true,
|
|
|
|
schema: SINGLE_LINE_COMMENT_SCHEMA,
|
|
|
|
},
|
|
|
|
enable: {
|
|
|
|
schema: user::ENABLE_USER_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
expire: {
|
|
|
|
schema: user::EXPIRE_USER_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
digest: {
|
|
|
|
optional: true,
|
|
|
|
schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
access: {
|
|
|
|
permission: &Permission::Or(&[
|
|
|
|
&Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
|
|
|
|
&Permission::UserParam("userid"),
|
|
|
|
]),
|
|
|
|
},
|
|
|
|
returns: {
|
|
|
|
description: "API token identifier + generated secret.",
|
|
|
|
properties: {
|
|
|
|
value: {
|
|
|
|
type: String,
|
|
|
|
description: "The API token secret",
|
|
|
|
},
|
|
|
|
tokenid: {
|
|
|
|
type: String,
|
|
|
|
description: "The API token identifier",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
)]
|
|
|
|
/// Generate a new API token with given metadata
|
|
|
|
pub fn generate_token(
|
|
|
|
userid: Userid,
|
|
|
|
tokenname: Tokenname,
|
|
|
|
comment: Option<String>,
|
|
|
|
enable: Option<bool>,
|
|
|
|
expire: Option<i64>,
|
|
|
|
digest: Option<String>,
|
|
|
|
) -> Result<Value, Error> {
|
|
|
|
|
|
|
|
let _lock = open_file_locked(user::USER_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?;
|
|
|
|
|
|
|
|
let (mut config, expected_digest) = user::config()?;
|
|
|
|
|
|
|
|
if let Some(ref digest) = digest {
|
|
|
|
let digest = proxmox::tools::hex_to_digest(digest)?;
|
|
|
|
crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
|
|
|
|
}
|
|
|
|
|
|
|
|
let tokenid = Authid::from((userid.clone(), Some(tokenname.clone())));
|
|
|
|
let tokenid_string = tokenid.to_string();
|
|
|
|
|
|
|
|
if let Some(_) = config.sections.get(&tokenid_string) {
|
|
|
|
bail!("token '{}' for user '{}' already exists.", tokenname.as_str(), userid);
|
|
|
|
}
|
|
|
|
|
|
|
|
let secret = format!("{:x}", proxmox::tools::uuid::Uuid::generate());
|
|
|
|
token_shadow::set_secret(&tokenid, &secret)?;
|
|
|
|
|
|
|
|
let token = user::ApiToken {
|
|
|
|
tokenid: tokenid.clone(),
|
|
|
|
comment,
|
|
|
|
enable,
|
|
|
|
expire,
|
|
|
|
};
|
|
|
|
|
|
|
|
config.set_data(&tokenid_string, "token", &token)?;
|
|
|
|
|
|
|
|
user::save_config(&config)?;
|
|
|
|
|
|
|
|
Ok(json!({
|
|
|
|
"tokenid": tokenid_string,
|
|
|
|
"value": secret
|
|
|
|
}))
|
|
|
|
}
|
|
|
|
|
|
|
|
#[api(
|
|
|
|
protected: true,
|
|
|
|
input: {
|
|
|
|
properties: {
|
|
|
|
userid: {
|
|
|
|
type: Userid,
|
|
|
|
},
|
|
|
|
tokenname: {
|
|
|
|
type: Tokenname,
|
|
|
|
},
|
|
|
|
comment: {
|
|
|
|
optional: true,
|
|
|
|
schema: SINGLE_LINE_COMMENT_SCHEMA,
|
|
|
|
},
|
|
|
|
enable: {
|
|
|
|
schema: user::ENABLE_USER_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
expire: {
|
|
|
|
schema: user::EXPIRE_USER_SCHEMA,
|
|
|
|
optional: true,
|
|
|
|
},
|
|
|
|
digest: {
|
|
|
|
optional: true,
|
|
|
|
schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
access: {
|
|
|
|
permission: &Permission::Or(&[
|
|
|
|
&Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
|
|
|
|
&Permission::UserParam("userid"),
|
|
|
|
]),
|
|
|
|
},
|
|
|
|
)]
|
|
|
|
/// Update user's API token metadata
|
|
|
|
pub fn update_token(
|
|
|
|
userid: Userid,
|
|
|
|
tokenname: Tokenname,
|
|
|
|
comment: Option<String>,
|
|
|
|
enable: Option<bool>,
|
|
|
|
expire: Option<i64>,
|
|
|
|
digest: Option<String>,
|
|
|
|
) -> Result<(), Error> {
|
|
|
|
|
|
|
|
let _lock = open_file_locked(user::USER_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?;
|
|
|
|
|
|
|
|
let (mut config, expected_digest) = user::config()?;
|
|
|
|
|
|
|
|
if let Some(ref digest) = digest {
|
|
|
|
let digest = proxmox::tools::hex_to_digest(digest)?;
|
|
|
|
crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
|
|
|
|
}
|
|
|
|
|
|
|
|
let tokenid = Authid::from((userid, Some(tokenname)));
|
|
|
|
let tokenid_string = tokenid.to_string();
|
|
|
|
|
|
|
|
let mut data: user::ApiToken = config.lookup("token", &tokenid_string)?;
|
|
|
|
|
|
|
|
if let Some(comment) = comment {
|
|
|
|
let comment = comment.trim().to_string();
|
|
|
|
if comment.is_empty() {
|
|
|
|
data.comment = None;
|
|
|
|
} else {
|
|
|
|
data.comment = Some(comment);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if let Some(enable) = enable {
|
|
|
|
data.enable = if enable { None } else { Some(false) };
|
|
|
|
}
|
|
|
|
|
|
|
|
if let Some(expire) = expire {
|
|
|
|
data.expire = if expire > 0 { Some(expire) } else { None };
|
|
|
|
}
|
|
|
|
|
|
|
|
config.set_data(&tokenid_string, "token", &data)?;
|
|
|
|
|
|
|
|
user::save_config(&config)?;
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
|
|
|
|
#[api(
|
|
|
|
protected: true,
|
|
|
|
input: {
|
|
|
|
properties: {
|
|
|
|
userid: {
|
|
|
|
type: Userid,
|
|
|
|
},
|
|
|
|
tokenname: {
|
|
|
|
type: Tokenname,
|
|
|
|
},
|
|
|
|
digest: {
|
|
|
|
optional: true,
|
|
|
|
schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
access: {
|
|
|
|
permission: &Permission::Or(&[
|
|
|
|
&Permission::Privilege(&["access", "users"], PRIV_PERMISSIONS_MODIFY, false),
|
|
|
|
&Permission::UserParam("userid"),
|
|
|
|
]),
|
|
|
|
},
|
|
|
|
)]
|
|
|
|
/// Delete a user's API token
|
|
|
|
pub fn delete_token(
|
|
|
|
userid: Userid,
|
|
|
|
tokenname: Tokenname,
|
|
|
|
digest: Option<String>,
|
|
|
|
) -> Result<(), Error> {
|
|
|
|
|
|
|
|
let _lock = open_file_locked(user::USER_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?;
|
|
|
|
|
|
|
|
let (mut config, expected_digest) = user::config()?;
|
|
|
|
|
|
|
|
if let Some(ref digest) = digest {
|
|
|
|
let digest = proxmox::tools::hex_to_digest(digest)?;
|
|
|
|
crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
|
|
|
|
}
|
|
|
|
|
|
|
|
let tokenid = Authid::from((userid.clone(), Some(tokenname.clone())));
|
|
|
|
let tokenid_string = tokenid.to_string();
|
|
|
|
|
|
|
|
match config.sections.get(&tokenid_string) {
|
|
|
|
Some(_) => { config.sections.remove(&tokenid_string); },
|
|
|
|
None => bail!("token '{}' of user '{}' does not exist.", tokenname.as_str(), userid),
|
|
|
|
}
|
|
|
|
|
|
|
|
token_shadow::delete_secret(&tokenid)?;
|
|
|
|
|
|
|
|
user::save_config(&config)?;
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
|
|
|
|
#[api(
|
|
|
|
input: {
|
|
|
|
properties: {
|
|
|
|
userid: {
|
|
|
|
type: Userid,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
returns: {
|
|
|
|
description: "List user's API tokens (with config digest).",
|
|
|
|
type: Array,
|
|
|
|
items: { type: user::ApiToken },
|
|
|
|
},
|
|
|
|
access: {
|
|
|
|
permission: &Permission::Or(&[
|
|
|
|
&Permission::Privilege(&["access", "users"], PRIV_SYS_AUDIT, false),
|
|
|
|
&Permission::UserParam("userid"),
|
|
|
|
]),
|
|
|
|
},
|
|
|
|
)]
|
|
|
|
/// List user's API tokens
|
|
|
|
pub fn list_tokens(
|
|
|
|
userid: Userid,
|
|
|
|
_info: &ApiMethod,
|
|
|
|
mut rpcenv: &mut dyn RpcEnvironment,
|
|
|
|
) -> Result<Vec<user::ApiToken>, Error> {
|
|
|
|
|
|
|
|
let (config, digest) = user::config()?;
|
|
|
|
|
|
|
|
let list:Vec<user::ApiToken> = config.convert_to_typed_array("token")?;
|
|
|
|
|
|
|
|
rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();
|
|
|
|
|
|
|
|
let filter_by_owner = |token: &user::ApiToken| {
|
|
|
|
if token.tokenid.is_token() {
|
|
|
|
token.tokenid.user() == &userid
|
|
|
|
} else {
|
|
|
|
false
|
|
|
|
}
|
|
|
|
};
|
|
|
|
|
|
|
|
Ok(list.into_iter().filter(filter_by_owner).collect())
|
|
|
|
}
|
|
|
|
|
|
|
|
const TOKEN_ITEM_ROUTER: Router = Router::new()
|
|
|
|
.get(&API_METHOD_READ_TOKEN)
|
|
|
|
.put(&API_METHOD_UPDATE_TOKEN)
|
|
|
|
.post(&API_METHOD_GENERATE_TOKEN)
|
|
|
|
.delete(&API_METHOD_DELETE_TOKEN);
|
|
|
|
|
|
|
|
const TOKEN_ROUTER: Router = Router::new()
|
|
|
|
.get(&API_METHOD_LIST_TOKENS)
|
|
|
|
.match_all("tokenname", &TOKEN_ITEM_ROUTER);
|
|
|
|
|
|
|
|
const USER_SUBDIRS: SubdirMap = &[
|
|
|
|
("token", &TOKEN_ROUTER),
|
|
|
|
];
|
|
|
|
|
|
|
|
const USER_ROUTER: Router = Router::new()
|
2020-04-06 10:09:27 +00:00
|
|
|
.get(&API_METHOD_READ_USER)
|
|
|
|
.put(&API_METHOD_UPDATE_USER)
|
2020-10-07 11:12:37 +00:00
|
|
|
.delete(&API_METHOD_DELETE_USER)
|
|
|
|
.subdirs(USER_SUBDIRS);
|
2020-04-06 10:09:27 +00:00
|
|
|
|
|
|
|
pub const ROUTER: Router = Router::new()
|
|
|
|
.get(&API_METHOD_LIST_USERS)
|
|
|
|
.post(&API_METHOD_CREATE_USER)
|
2020-10-07 11:12:37 +00:00
|
|
|
.match_all("userid", &USER_ROUTER);
|