[pve-devel] [RFC 12/23] API: add API token API endpoints

Tue Oct 22 13:44:09 CEST 2019

Do we really want a enable/disable property?
Wouldn't it be enough to delete the token?

> Fabian Grünbichler <f.gruenbichler at proxmox.com> hat am 17. Oktober 2019 15:14 geschrieben:
> 
>  
> and integration for user API endpoints.
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> ---
> 
> Notes:
>     pveum integration will come in a future version, but
>     
>     pveum token add/modify/delete <user> <token> [OPTIONS]
>     
>     or
>     
>     pveum user token add/modify/delete <user> <token> [OPTIONS]
>     
>     seem like likely candidates.
> 
>  PVE/API2/User.pm | 287 ++++++++++++++++++++++++++++++++++++++++++++++-
>  1 file changed, 284 insertions(+), 3 deletions(-)
> 
> diff --git a/PVE/API2/User.pm b/PVE/API2/User.pm
> index fb5b22a..1646418 100644
> --- a/PVE/API2/User.pm
> +++ b/PVE/API2/User.pm
> @@ -2,9 +2,9 @@ package PVE::API2::User;
>  
>  use strict;
>  use warnings;
> -use PVE::Exception qw(raise raise_perm_exc);
> +use PVE::Exception qw(raise raise_perm_exc raise_param_exc);
>  use PVE::Cluster qw (cfs_read_file cfs_write_file);
> -use PVE::Tools qw(split_list);
> +use PVE::Tools qw(split_list extract_param);
>  use PVE::AccessControl;
>  use PVE::JSONSchema qw(get_standard_option register_standard_option);
>  
> @@ -40,6 +40,39 @@ register_standard_option('group-list', {
>      optional => 1,
>      completion => \&PVE::AccessControl::complete_group,
>  });
> +register_standard_option('token-subid', {
> +    type => 'string',
> +    pattern => $PVE::AccessControl::token_subid_regex,
> +    description => 'User-specific token identifier.',
> +});
> +register_standard_option('token-enable', {
> +    description => "Enable the API token (default). You can set this to '0' to disable this specific token.",
> +    type => 'boolean',
> +    optional => 1,
> +    default => 1,
> +});
> +register_standard_option('token-expire', {
> +    description => "API token expiration date (seconds since epoch). '0' means no expiration date.",
> +    type => 'integer',
> +    minimum => 0,
> +    optional => 1,
> +});
> +register_standard_option('token-privsep', {
> +    description => "Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.",
> +    type => 'boolean',
> +    optional => 1,
> +    default => 1,
> +});
> +register_standard_option('token-comment', { type => 'string', optional => 1 });
> +register_standard_option('token-info', {
> +    type => 'object',
> +    properties => {
> +	enable => get_standard_option('token-enable'),
> +	expire => get_standard_option('token-expire'),
> +	privsep => get_standard_option('token-privsep'),
> +	comment => get_standard_option('token-comment'),
> +    }
> +});
>  
>  my $extract_user_data = sub {
>      my ($data, $full) = @_;
> @@ -53,6 +86,7 @@ my $extract_user_data = sub {
>      return $res if !$full;
>  
>      $res->{groups} = $data->{groups} ? [ keys %{$data->{groups}} ] : [];
> +    $res->{tokens} = $data->{tokens} ? [ keys %{$data->{tokens}} ] : [];
>  
>      return $res;
>  };
> @@ -228,7 +262,17 @@ __PACKAGE__->register_method ({
>  	    email => get_standard_option('user-email'),
>  	    comment => get_standard_option('user-comment'),
>  	    keys => get_standard_option('user-keys'),
> -	    groups => { type => 'array' },
> +	    groups => {
> +		type => 'array',
> +		items => {
> +		    type => 'string',
> +		    format => 'pve-groupid',
> +		},
> +	    },
> +	    tokens => {
> +		type => 'array',
> +		items => get_standard_option('token-subid'),
> +	    },
>  	},
>  	type => "object"
>      },
> @@ -428,4 +472,241 @@ __PACKAGE__->register_method ({
>  	return $res;
>      }});
>  
> +my $token_info_extend = sub {
> +    my ($props) = @_;
> +
> +    my $obj = get_standard_option('token-info');
> +    my $base_props = $obj->{properties};
> +    $obj->{properties} = {};
> +
> +    foreach my $prop (keys %$base_props) {
> +	$obj->{properties}->{$prop} = $base_props->{$prop};
> +    }
> +
> +    foreach my $add_prop (keys %$props) {
> +	$obj->{properties}->{$add_prop} = $props->{$add_prop};
> +    }
> +
> +    return $obj;
> +};
> +
> +__PACKAGE__->register_method ({
> +    name => 'token_index',
> +    path => '{userid}/token',
> +    method => 'GET',
> +    description => "Get user API tokens.",
> +    permissions => {
> +	check => ['userid-param', 'self'],
> +    },
> +    parameters => {
> +	additionalProperties => 0,
> +	properties => {
> +	    userid => get_standard_option('userid-completed'),
> +	},
> +    },
> +    returns => {
> +	type => "array",
> +	items => $token_info_extend->({
> +		    tokenid => get_standard_option('token-subid'),
> +	}),
> +	links => [ { rel => 'child', href => "{tokenid}" } ],
> +    },
> +    code => sub {
> +	my ($param) = @_;
> +
> +	my $userid = PVE::AccessControl::verify_username($param->{userid});
> +	my $usercfg = cfs_read_file("user.cfg");
> +
> +	my $user = PVE::AccessControl::check_user_exist($usercfg, $userid);
> +
> +	my $tokens = $user->{tokens} // {};
> +	return [ map { $tokens->{$_}->{tokenid} = $_; $tokens->{$_} } keys %$tokens];
> +    }});
> +
> +__PACKAGE__->register_method ({
> +    name => 'read_token',
> +    path => '{userid}/token/{tokenid}',
> +    method => 'GET',
> +    description => "Get specific API token information.",
> +    permissions => {
> +	check => ['userid-param', 'self'],
> +    },
> +    parameters => {
> +	additionalProperties => 0,
> +	properties => {
> +	    userid => get_standard_option('userid-completed'),
> +	    tokenid => get_standard_option('token-subid'),
> +	},
> +    },
> +    returns => get_standard_option('token-info'),
> +    code => sub {
> +	my ($param) = @_;
> +
> +	my $userid = PVE::AccessControl::verify_username($param->{userid});
> +	my $tokenid = $param->{tokenid};
> +
> +	my $usercfg = cfs_read_file("user.cfg");
> +
> +	return PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
> +    }});
> +
> +__PACKAGE__->register_method ({
> +    name => 'generate_token',
> +    path => '{userid}/token/{tokenid}',
> +    method => 'POST',
> +    description => "Generate a new API token for a specific user. NOTE: returns API token value, which needs to be stored as it cannot be retrieved afterwards!",
> +    permissions => {
> +	check => ['userid-param', 'self'],
> +    },
> +    parameters => {
> +	additionalProperties => 0,
> +	properties => {
> +	    userid => get_standard_option('userid-completed'),
> +	    tokenid => get_standard_option('token-subid'),
> +	    enable => get_standard_option('token-enable'),
> +	    expire => get_standard_option('token-expire'),
> +	    privsep => get_standard_option('token-privsep'),
> +	    comment => get_standard_option('token-comment'),
> +	},
> +    },
> +    returns => {
> +	additionalProperties => 0,
> +	type => "object",
> +	properties => {
> +	    info => get_standard_option('token-info'),
> +	    value => {
> +		type => 'string',
> +		description => 'API token value used for authentication.',
> +	    },
> +	},
> +    },
> +    code => sub {
> +	my ($param) = @_;
> +
> +	my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
> +	my $tokenid = extract_param($param, 'tokenid');
> +
> +	my $usercfg = cfs_read_file("user.cfg");
> +
> +	my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid, 1);
> +	my $value;
> +
> +	PVE::AccessControl::check_user_exist($usercfg, $userid);
> +	raise_param_exc({ 'tokenid' => 'Token already exists.' }) if defined($token);
> +
> +	my $generate_and_add_token = sub {
> +	    $usercfg = cfs_read_file("user.cfg");
> +	    PVE::AccessControl::check_user_exist($usercfg, $userid);
> +	    die "Token already exists.\n" if defined(PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid, 1));
> +
> +	    my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
> +	    $value = PVE::AccessControl::generate_token($full_tokenid);
> +
> +	    $token = {};
> +	    $token->{enable} = defined($param->{enable}) ? $param->{enable} : 1;
> +	    $token->{privsep} = defined($param->{privsep}) ? $param->{privsep} : 1;
> +	    $token->{expire} = $param->{expire} if defined($param->{expire});
> +	    $token->{comment} = $param->{comment} if $param->{comment};
> +
> +	    $usercfg->{users}->{$userid}->{tokens}->{$tokenid} = $token;
> +	    cfs_write_file("user.cfg", $usercfg);
> +	};
> +
> +	PVE::AccessControl::lock_user_config($generate_and_add_token, 'generating token failed');
> +
> +	return { info => $token, value => $value };
> +    }});
> +
> +
> +__PACKAGE__->register_method ({
> +    name => 'update_token_info',
> +    path => '{userid}/token/{tokenid}',
> +    method => 'PUT',
> +    description => "Update API token for a specific user.",
> +    permissions => {
> +	check => ['userid-param', 'self'],
> +    },
> +    parameters => {
> +	additionalProperties => 0,
> +	properties => {
> +	    userid => get_standard_option('userid-completed'),
> +	    tokenid => get_standard_option('token-subid'),
> +	    enable => get_standard_option('token-enable'),
> +	    expire => get_standard_option('token-expire'),
> +	    privsep => get_standard_option('token-privsep'),
> +	    comment => get_standard_option('token-comment'),
> +	},
> +    },
> +    returns => get_standard_option('token-info', { description => "Updated token information." }),
> +    code => sub {
> +	my ($param) = @_;
> +
> +	my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
> +	my $tokenid = extract_param($param, 'tokenid');
> +
> +	my $usercfg = cfs_read_file("user.cfg");
> +	my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
> +
> +	my $update_token = sub {
> +	    $usercfg = cfs_read_file("user.cfg");
> +	    $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
> +
> +	    my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
> +
> +	    $token->{enable} = $param->{enable} if defined($param->{enable});
> +	    $token->{privsep} = $param->{privsep} if defined($param->{privsep});
> +	    $token->{expire} = $param->{expire} if defined($param->{expire});
> +	    $token->{comment} = $param->{comment} if $param->{comment};
> +
> +	    $usercfg->{users}->{$userid}->{tokens}->{$tokenid} = $token;
> +	    cfs_write_file("user.cfg", $usercfg);
> +	};
> +
> +	PVE::AccessControl::lock_user_config($update_token, 'updating token info failed');
> +
> +	return $token;
> +    }});
> +
> +
> +__PACKAGE__->register_method ({
> +    name => 'remove_token',
> +    path => '{userid}/token/{tokenid}',
> +    method => 'DELETE',
> +    description => "Remove API token for a specific user.",
> +    permissions => {
> +	check => ['userid-param', 'self'],
> +    },
> +    parameters => {
> +	additionalProperties => 0,
> +	properties => {
> +	    userid => get_standard_option('userid-completed'),
> +	    tokenid => get_standard_option('token-subid'),
> +	},
> +    },
> +    returns => { type => 'null' },
> +    code => sub {
> +	my ($param) = @_;
> +
> +	my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
> +	my $tokenid = extract_param($param, 'tokenid');
> +
> +	my $usercfg = cfs_read_file("user.cfg");
> +	my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
> +
> +	my $update_token = sub {
> +	    $usercfg = cfs_read_file("user.cfg");
> +
> +	    PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
> +
> +	    my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
> +	    PVE::AccessControl::delete_token($full_tokenid);
> +	    delete $usercfg->{users}->{$userid}->{tokens}->{$tokenid};
> +
> +	    cfs_write_file("user.cfg", $usercfg);
> +	};
> +
> +	PVE::AccessControl::lock_user_config($update_token, 'deleting token failed');
> +
> +	return;
> +    }});
>  1;
> -- 
> 2.20.1
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel