[pve-devel] [RFC 10/23] API token: add API helpers
Fabian Grünbichler
f.gruenbichler at proxmox.com
Thu Oct 17 15:14:04 CEST 2019
the _exist/_enabled are modelled after the corresponding user methods.
the 'tokenid' option goes into PVE::AccessControl, since we need it in
multiple API modules.
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
PVE/AccessControl.pm | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index a43aab2..432ccc0 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -211,6 +211,12 @@ sub rotate_authkey {
die $@ if $@;
}
+PVE::JSONSchema::register_standard_option('tokenid', {
+ description => "API token identifier.",
+ type => "string",
+ format => "pve-tokenid",
+});
+
our $token_subid_regex = $PVE::Auth::Plugin::realm_regex;
# username at realm username realm tokenid
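Review bot: The `description` of the new `tokenid` standard option does not say which form of identifier it accepts, while the context line right below introduces a separate `$token_subid_regex`, so a reader cannot tell whether API callers pass the full identifier or only the sub-id. Since this value feeds the token lookups added later in this patch, the description should spell out the expected shape. A short comment such as `# format 'pve-tokenid' is registered in <module>` would also help; the module name is a placeholder, because the registration is not visible in this hunk.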
@@ -531,6 +537,32 @@ sub check_user_enabled {
return undef;
}
+sub check_token_exist {
+ my ($usercfg, $username, $tokenid, $noerr) = @_;
+
+ my $user = check_user_exist($usercfg, $username, $noerr);
+ return undef if !$user;
+
+ return $user->{tokens}->{$tokenid} if $user->{tokens}->{$tokenid};
+
+ die "no such token ('$tokenid') for user ('$username')\n" if !$noerr;
+
+ return undef;
+}
+
+sub check_token_enabled {
+ my ($usercfg, $username, $tokenid, $noerr) = @_;
+
+ my $data = check_token_exist($usercfg, $username, $tokenid, $noerr);
+ return undef if !$data;
+
+ return 1 if $data->{enable};
+
+ die "token '$tokenid' for user '$username' is disabled\n" if !$noerr;
+
+ return undef;
+}
+
sub verify_one_time_pw {
my ($type, $username, $keys, $tfa_cfg, $otp) = @_;
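Review bot: `check_token_enabled` consults only the token's own `enable` flag, so a token belonging to a disabled user still returns 1. It reaches the user through `check_token_exist`, which calls `check_user_exist` rather than `check_user_enabled`. Unless every caller is guaranteed to check the owning user separately, the helper should fail closed by adding `return undef if !check_user_enabled($usercfg, $username, $noerr);` before the `check_token_exist` call. That line assumes `check_user_enabled` takes the same arguments as `check_user_exist`, since its signature lies outside the hunk. Both subs would also benefit from a one-line comment stating the return value (the token entry versus 1) and that `$noerr` turns the `die` into an undef return. If the distinct "no such token" and "is disabled" messages can reach an unauthenticated client, they should be logged server-side and replaced with a generic authentication failure.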
--
2.20.1