[pve-devel] [PATCH v3 access-control 08/20] API: add API token API endpoints

Fabian Grünbichler f.gruenbichler at proxmox.com
Tue Jan 21 13:54:06 CET 2020


and integration for user API endpoints.

Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---

Notes:
    v1->v2:
    - adapted API schema somewhat
    - actually allow privileged users to view/modify/delete tokens of other users
    - remove enable flag from token schema
    - make API calls protected if they lock user.cfg
    - use PVE::TokenConfig

 PVE/API2/User.pm | 294 ++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 291 insertions(+), 3 deletions(-)

diff --git a/PVE/API2/User.pm b/PVE/API2/User.pm
index fb5b22a..fb985dd 100644
--- a/PVE/API2/User.pm
+++ b/PVE/API2/User.pm
@@ -2,11 +2,12 @@ package PVE::API2::User;
 
 use strict;
 use warnings;
-use PVE::Exception qw(raise raise_perm_exc);
+use PVE::Exception qw(raise raise_perm_exc raise_param_exc);
 use PVE::Cluster qw (cfs_read_file cfs_write_file);
-use PVE::Tools qw(split_list);
+use PVE::Tools qw(split_list extract_param);
 use PVE::AccessControl;
 use PVE::JSONSchema qw(get_standard_option register_standard_option);
+use PVE::TokenConfig;
 
 use PVE::SafeSyslog;
 
@@ -40,6 +41,50 @@ register_standard_option('group-list', {
     optional => 1,
     completion => \&PVE::AccessControl::complete_group,
 });
+register_standard_option('token-subid', {
+    type => 'string',
+    pattern => $PVE::AccessControl::token_subid_regex,
+    description => 'User-specific token identifier.',
+});
+register_standard_option('token-expire', {
+    description => "API token expiration date (seconds since epoch). '0' means no expiration date.",
+    type => 'integer',
+    minimum => 0,
+    optional => 1,
+});
+register_standard_option('token-privsep', {
+    description => "Restrict API token privileges with separate ACLs (default), or give full privileges of corresponding user.",
+    type => 'boolean',
+    optional => 1,
+    default => 1,
+});
+register_standard_option('token-comment', { type => 'string', optional => 1 });
+register_standard_option('token-info', {
+    type => 'object',
+    properties => {
+	expire => get_standard_option('token-expire'),
+	privsep => get_standard_option('token-privsep'),
+	comment => get_standard_option('token-comment'),
+    }
+});
+
+my $token_info_extend = sub {
+    my ($props) = @_;
+
+    my $obj = get_standard_option('token-info');
+    my $base_props = $obj->{properties};
+    $obj->{properties} = {};
+
+    foreach my $prop (keys %$base_props) {
+	$obj->{properties}->{$prop} = $base_props->{$prop};
+    }
+
+    foreach my $add_prop (keys %$props) {
+	$obj->{properties}->{$add_prop} = $props->{$add_prop};
+    }
+
+    return $obj;
+};
 
 my $extract_user_data = sub {
     my ($data, $full) = @_;
@@ -53,6 +98,7 @@ my $extract_user_data = sub {
     return $res if !$full;
 
     $res->{groups} = $data->{groups} ? [ keys %{$data->{groups}} ] : [];
+    $res->{tokens} = $data->{tokens};
 
     return $res;
 };
@@ -228,7 +274,16 @@ __PACKAGE__->register_method ({
 	    email => get_standard_option('user-email'),
 	    comment => get_standard_option('user-comment'),
 	    keys => get_standard_option('user-keys'),
-	    groups => { type => 'array' },
+	    groups => {
+		type => 'array',
+		items => {
+		    type => 'string',
+		    format => 'pve-groupid',
+		},
+	    },
+	    tokens => {
+		type => 'object',
+	    },
 	},
 	type => "object"
     },
@@ -428,4 +483,237 @@ __PACKAGE__->register_method ({
 	return $res;
     }});
 
+__PACKAGE__->register_method ({
+    name => 'token_index',
+    path => '{userid}/token',
+    method => 'GET',
+    description => "Get user API tokens.",
+    permissions => {
+	check => ['or',
+		    ['userid-param', 'self'],
+		    ['perm', '/access/users/{userid}', ['User.Modify']],
+	],
+    },
+    parameters => {
+	additionalProperties => 0,
+	properties => {
+	    userid => get_standard_option('userid-completed'),
+	},
+    },
+    returns => {
+	type => "array",
+	items => $token_info_extend->({
+		    tokenid => get_standard_option('token-subid'),
+	}),
+	links => [ { rel => 'child', href => "{tokenid}" } ],
+    },
+    code => sub {
+	my ($param) = @_;
+
+	my $userid = PVE::AccessControl::verify_username($param->{userid});
+	my $usercfg = cfs_read_file("user.cfg");
+
+	my $user = PVE::AccessControl::check_user_exist($usercfg, $userid);
+
+	my $tokens = $user->{tokens} // {};
+	return [ map { $tokens->{$_}->{tokenid} = $_; $tokens->{$_} } keys %$tokens];
+    }});
+
+__PACKAGE__->register_method ({
+    name => 'read_token',
+    path => '{userid}/token/{tokenid}',
+    method => 'GET',
+    description => "Get specific API token information.",
+    permissions => {
+	check => ['or',
+		    ['userid-param', 'self'],
+		    ['perm', '/access/users/{userid}', ['User.Modify']],
+	],
+    },
+    parameters => {
+	additionalProperties => 0,
+	properties => {
+	    userid => get_standard_option('userid-completed'),
+	    tokenid => get_standard_option('token-subid'),
+	},
+    },
+    returns => get_standard_option('token-info'),
+    code => sub {
+	my ($param) = @_;
+
+	my $userid = PVE::AccessControl::verify_username($param->{userid});
+	my $tokenid = $param->{tokenid};
+
+	my $usercfg = cfs_read_file("user.cfg");
+
+	return PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
+    }});
+
+__PACKAGE__->register_method ({
+    name => 'generate_token',
+    path => '{userid}/token/{tokenid}',
+    method => 'POST',
+    description => "Generate a new API token for a specific user. NOTE: returns API token value, which needs to be stored as it cannot be retrieved afterwards!",
+    protected => 1,
+    permissions => {
+	check => ['or',
+		    ['userid-param', 'self'],
+		    ['perm', '/access/users/{userid}', ['User.Modify']],
+	],
+    },
+    parameters => {
+	additionalProperties => 0,
+	properties => {
+	    userid => get_standard_option('userid-completed'),
+	    tokenid => get_standard_option('token-subid'),
+	    expire => get_standard_option('token-expire'),
+	    privsep => get_standard_option('token-privsep'),
+	    comment => get_standard_option('token-comment'),
+	},
+    },
+    returns => {
+	additionalProperties => 0,
+	type => "object",
+	properties => {
+	    info => get_standard_option('token-info'),
+	    value => {
+		type => 'string',
+		description => 'API token value used for authentication.',
+	    },
+	},
+    },
+    code => sub {
+	my ($param) = @_;
+
+	my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
+	my $tokenid = extract_param($param, 'tokenid');
+
+	my $usercfg = cfs_read_file("user.cfg");
+
+	my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid, 1);
+	my $value;
+
+	PVE::AccessControl::check_user_exist($usercfg, $userid);
+	raise_param_exc({ 'tokenid' => 'Token already exists.' }) if defined($token);
+
+	my $generate_and_add_token = sub {
+	    $usercfg = cfs_read_file("user.cfg");
+	    PVE::AccessControl::check_user_exist($usercfg, $userid);
+	    die "Token already exists.\n" if defined(PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid, 1));
+
+	    my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
+	    $value = PVE::TokenConfig::generate_token($full_tokenid);
+
+	    $token = {};
+	    $token->{privsep} = defined($param->{privsep}) ? $param->{privsep} : 1;
+	    $token->{expire} = $param->{expire} if defined($param->{expire});
+	    $token->{comment} = $param->{comment} if $param->{comment};
+
+	    $usercfg->{users}->{$userid}->{tokens}->{$tokenid} = $token;
+	    cfs_write_file("user.cfg", $usercfg);
+	};
+
+	PVE::AccessControl::lock_user_config($generate_and_add_token, 'generating token failed');
+
+	return { info => $token, value => $value };
+    }});
+
+
+__PACKAGE__->register_method ({
+    name => 'update_token_info',
+    path => '{userid}/token/{tokenid}',
+    method => 'PUT',
+    description => "Update API token for a specific user.",
+    protected => 1,
+    permissions => {
+	check => ['or',
+		    ['userid-param', 'self'],
+		    ['perm', '/access/users/{userid}', ['User.Modify']],
+	],
+    },
+    parameters => {
+	additionalProperties => 0,
+	properties => {
+	    userid => get_standard_option('userid-completed'),
+	    tokenid => get_standard_option('token-subid'),
+	    expire => get_standard_option('token-expire'),
+	    privsep => get_standard_option('token-privsep'),
+	    comment => get_standard_option('token-comment'),
+	},
+    },
+    returns => get_standard_option('token-info', { description => "Updated token information." }),
+    code => sub {
+	my ($param) = @_;
+
+	my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
+	my $tokenid = extract_param($param, 'tokenid');
+
+	my $usercfg = cfs_read_file("user.cfg");
+	my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
+
+	my $update_token = sub {
+	    $usercfg = cfs_read_file("user.cfg");
+	    $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
+
+	    my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
+
+	    $token->{privsep} = $param->{privsep} if defined($param->{privsep});
+	    $token->{expire} = $param->{expire} if defined($param->{expire});
+	    $token->{comment} = $param->{comment} if $param->{comment};
+
+	    $usercfg->{users}->{$userid}->{tokens}->{$tokenid} = $token;
+	    cfs_write_file("user.cfg", $usercfg);
+	};
+
+	PVE::AccessControl::lock_user_config($update_token, 'updating token info failed');
+
+	return $token;
+    }});
+
+
+__PACKAGE__->register_method ({
+    name => 'remove_token',
+    path => '{userid}/token/{tokenid}',
+    method => 'DELETE',
+    description => "Remove API token for a specific user.",
+    protected => 1,
+    permissions => {
+	check => ['or',
+		    ['userid-param', 'self'],
+		    ['perm', '/access/users/{userid}', ['User.Modify']],
+	],
+    },
+    parameters => {
+	additionalProperties => 0,
+	properties => {
+	    userid => get_standard_option('userid-completed'),
+	    tokenid => get_standard_option('token-subid'),
+	},
+    },
+    returns => { type => 'null' },
+    code => sub {
+	my ($param) = @_;
+
+	my $userid = PVE::AccessControl::verify_username(extract_param($param, 'userid'));
+	my $tokenid = extract_param($param, 'tokenid');
+
+	my $usercfg = cfs_read_file("user.cfg");
+	my $token = PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
+
+	my $update_token = sub {
+	    $usercfg = cfs_read_file("user.cfg");
+
+	    PVE::AccessControl::check_token_exist($usercfg, $userid, $tokenid);
+
+	    my $full_tokenid = PVE::AccessControl::join_tokenid($userid, $tokenid);
+	    PVE::TokenConfig::delete_token($full_tokenid);
+	    delete $usercfg->{users}->{$userid}->{tokens}->{$tokenid};
+
+	    cfs_write_file("user.cfg", $usercfg);
+	};
+
+	PVE::AccessControl::lock_user_config($update_token, 'deleting token failed');
+
+	return;
+    }});
 1;
-- 
2.20.1




More information about the pve-devel mailing list