tfa: remove tfa user when a user is deleted

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2020-12-11 14:34:47 +01:00 · 2020-12-11 14:34:47 +01:00 · f22dfb5ece
commit f22dfb5ece
parent 4bda51688b
2 changed files with 26 additions and 0 deletions
--- a/src/api2/access/user.rs
+++ b/src/api2/access/user.rs
@ -437,6 +437,7 @@ pub fn update_user(
 /// Remove a user from the configuration file.
 pub fn delete_user(userid: Userid, digest: Option<String>) -> Result<(), Error> {

+    let _tfa_lock = crate::config::tfa::write_lock()?;
    let _lock = open_file_locked(user::USER_CFG_LOCKFILE, std::time::Duration::new(10, 0), true)?;

    let (mut config, expected_digest) = user::config()?;
@ -453,6 +454,19 @@ pub fn delete_user(userid: Userid, digest: Option<String>) -> Result<(), Error>

    user::save_config(&config)?;

+    match crate::config::tfa::read().and_then(|mut cfg| {
+        let _: bool = cfg.remove_user(&userid);
+        crate::config::tfa::write(&cfg)
+    }) {
+        Ok(()) => (),
+        Err(err) => {
+            eprintln!(
+                "error updating TFA config after deleting user {:?}: {}",
+                userid, err
+            );
+        }
+    }
+
    Ok(())
 }

--- a/src/config/tfa.rs
+++ b/src/config/tfa.rs
@ -247,6 +247,18 @@ impl TfaConfig {
            None => bail!("no 2nd factor available for user '{}'", userid),
        }
    }
+
+    /// Remove non-existent users.
+    pub fn cleanup_users(&mut self, config: &proxmox::api::section_config::SectionConfigData) {
+        use crate::config::user::User;
+        self.users
+            .retain(|user, _| config.lookup::<User>("user", user.as_str()).is_ok());
+    }
+
+    /// Remove a user. Returns `true` if the user actually existed.
+    pub fn remove_user(&mut self, user: &Userid) -> bool {
+        self.users.remove(user).is_some()
+    }
 }

 #[api]