[pve-devel] [RFC 10/23] API token: add API helpers

Thomas Lamprecht t.lamprecht at proxmox.com
Thu Oct 17 17:42:33 CEST 2019


On 10/17/19 3:14 PM, Fabian Grünbichler wrote:
> the _exist/_enabled are modelled after the corresponding user methods.
> the 'tokenid' option goes into PVE::AccessControl, since we need it in
> multiple API modules.
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> ---
>  PVE/AccessControl.pm | 32 ++++++++++++++++++++++++++++++++
>  1 file changed, 32 insertions(+)
> 
> diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
> index a43aab2..432ccc0 100644
> --- a/PVE/AccessControl.pm
> +++ b/PVE/AccessControl.pm
> @@ -211,6 +211,12 @@ sub rotate_authkey {
>      die $@ if $@;
>  }
>  
> +PVE::JSONSchema::register_standard_option('tokenid', {
> +    description => "API token identifier.",
> +    type => "string",
> +    format => "pve-tokenid",
> +});
> +
>  our $token_subid_regex = $PVE::Auth::Plugin::realm_regex;
>  
>  # username at realm username realm tokenid
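
Review bot: the description "API token identifier." on the new 'tokenid' standard option does not say whether the value is the full token id or only the per-user part, while the helpers added further down take $username and $tokenid as separate arguments. Suggest spelling out the expected form in the description, and confirming that the 'pve-tokenid' format it refers to is registered elsewhere in the series, since this patch does not add it.
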
> @@ -531,6 +537,32 @@ sub check_user_enabled {
>      return undef;
>  }
>  
> +sub check_token_exist {
> +    my ($usercfg, $username, $tokenid, $noerr) = @_;
> +
> +    my $user = check_user_exist($usercfg, $username, $noerr);
> +    return undef if !$user;
> +
> +    return $user->{tokens}->{$tokenid} if $user->{tokens}->{$tokenid};
> +
> +    die "no such token ('$tokenid') for user ('$username')\n" if !$noerr;

nit: omit parentheses, 1. not common use, at least not doing two "quoting";
2. in the error below there are single-quotes

> +
> +    return undef;
> +}
> +
> +sub check_token_enabled {
> +    my ($usercfg, $username, $tokenid, $noerr) = @_;
> +
> +    my $data = check_token_exist($usercfg, $username, $tokenid, $noerr);
> +    return undef if !$data;
> +
> +    return 1 if $data->{enable};
> +
> +    die "token '$tokenid' for user '$username' is disabled\n" if !$noerr;

here

> +
> +    return undef;
> +}
> +
>  sub verify_one_time_pw {
>      my ($type, $username, $keys, $tfa_cfg, $otp) = @_;
>  
> 
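
Review bot: check_token_enabled only looks at the token's own enable flag; the user lookup goes through check_token_exist, which calls check_user_exist rather than check_user_enabled, so a token that belongs to a disabled user still passes this check. Either call check_user_enabled from check_token_enabled or document that callers have to check the user separately. In check_token_exist, reading $user->{tokens}->{$tokenid} also autovivifies an empty 'tokens' hash on users that have none, which modifies $usercfg as a side effect of a lookup; testing $user->{tokens} first avoids that.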





