Re: [pve-devel] [PATCH access-control v1 1/1] fix #4546: api: Return user expiration date on access/ticket API call

Fri, 06 Oct 2023 06:16:38 -0700 

Comments inline.

On 9/22/23 16:36, Philipp Hufnagl wrote:

Adds an additional, optional parameter to the access/tickets api call
which tells when the currently used user account will expire. If it will
not expire, the parameter will not be added.

Signed-off-by: Philipp Hufnagl <p.hufn...@proxmox.com>
---
  src/PVE/API2/AccessControl.pm | 8 ++++++++
  src/PVE/AccessControl.pm      | 8 ++++++++
  2 files changed, 16 insertions(+)

diff --git a/src/PVE/API2/AccessControl.pm b/src/PVE/API2/AccessControl.pm
index 74b3910..e562a97 100644
--- a/src/PVE/API2/AccessControl.pm
+++ b/src/PVE/API2/AccessControl.pm
@@ -267,6 +267,11 @@ __PACKAGE__->register_method ({
            ticket => { type => 'string', optional => 1},
            CSRFPreventionToken => { type => 'string', optional => 1 },
            clustername => { type => 'string', optional => 1 },
+           user_expires => {


I'd prefer a different property name. `user_expires` kinda suggests it
to be a boolean variable (e.g. whether the user expires at *some point*)
How about `account-expiry-date`? Also note that prefer to use hyphens
(-) instead of underscores (_) for new properties.


+               type => 'number',
+                description => "When the user account expires.",

I'd maybe elaborate a bit: "Account expiration date as a UNIX timestamp"
or something like that.


+               optional => 1 ,
+           },
            # cap => computed api permissions, unless there's a u2f challenge
        }
      },
@@ -304,6 +309,9 @@ __PACKAGE__->register_method ({
            die PVE::Exception->new("authentication failure\n", code => 401);
        }
+ my $exp = PVE::AccessControl::lookup_user_expiration($username); 
+       $res->{user_expieres} = $exp if defined($exp);


Typo in `user_expieres`
Nit: maybe call it $expires/$expiry instead of $exp. Not much longer
but easier to follow.


+
        $res->{cap} = $rpcenv->compute_api_permission($username)
            if !defined($res->{NeedTFA});
diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm 
index cc0f00b..471cc92 100644
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -1234,6 +1234,14 @@ sub lookup_username {
      return $username;
  }
+sub lookup_user_expiration { 
+    my ($username) = @_;
+    my $usercfg = cfs_read_file('user.cfg');
+    my $exp = $usercfg->{users}->{$username}->{expire};
+    return undef if $exp == 0;
+    return $exp;
+}


Nit: Same as above


--
- Lukas


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Reply via email to