The helper is modeled after the corresponding user method (check_user_exist). The 'tokenid' standard option goes into PVE::AccessControl, since it is needed in multiple API modules.
Signed-off-by: Fabian Grünbichler <f.gruenbich...@proxmox.com>
---
Notes:
v2->v3:
- use this to avoid autovivification in parser
v1->v2:
- remove enabled helper (since flag was removed)
- drop brackets in error message

 PVE/AccessControl.pm | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index b293291..7fc514a 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -211,6 +211,12 @@ sub rotate_authkey {
 die $@ if $@;
 }
 
+PVE::JSONSchema::register_standard_option('tokenid', {
+ description => "API token identifier.",
+ type => "string",
+ format => "pve-tokenid",
+});
+
 our $token_subid_regex = $PVE::Auth::Plugin::realm_regex;
 
 # username@realm username realm tokenid
@@ -533,6 +539,20 @@ sub check_user_enabled {
 return undef;
 }
 
+sub check_token_exist {
+ my ($usercfg, $username, $tokenid, $noerr) = @_;
+
+ my $user = check_user_exist($usercfg, $username, $noerr);
+ return undef if !$user;
+
+ return $user->{tokens}->{$tokenid}
+ if defined($user->{tokens}) && $user->{tokens}->{$tokenid};
+
+ die "no such token '$tokenid' for user '$username'\n" if !$noerr;
+
+ return undef;
+}
+
 sub verify_one_time_pw {
 my ($type, $username, $keys, $tfa_cfg, $otp) = @_;
 
@@ -1042,7 +1062,7 @@ sub parse_user_config {
 warn "user config - ignore invalid acl member '$ug'\n";
 }
 } elsif (my ($user, $token) = split_tokenid($ug, 1)) {
- if ($cfg->{users}->{$user}->{tokens}->{$token}) { # token exists
+ if (check_token_exist($cfg, $user, $token, 1)) {
 $cfg->{acl}->{$path}->{tokens}->{$ug}->{$role} = $propagate;
 } else {
 warn "user config - ignore invalid acl token '$ug'\n";
-- 
2.20.1

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
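Review bot: `check_token_exist` has no header comment stating its contract, and because it mirrors `check_user_exist` a reader has to open that sub to learn what the three outcomes are; add above the `sub` line: `# returns the token's config hash for $tokenid of $username; if the user or the token does not exist, dies unless $noerr is set, in which case undef is returned`. The branch `return $user->{tokens}->{$tokenid} if defined($user->{tokens}) && $user->{tokens}->{$tokenid};` decides existence by truthiness of the entry, so a token whose config were ever stored as a false scalar would be reported as missing — presumably entries are always hashrefs, in which case this is fine, but the comment should say that the hashref is what gets returned. The `defined($user->{tokens}) &&` guard is what keeps the lookup from autovivifying an empty `tokens` hash on users that have none (the v2->v3 note above says this is the point of the helper); a one-line `# guard avoids autovivifying $user->{tokens}` comment would keep that intent from being "simplified" away later.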
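Review bot: Calling `check_token_exist($cfg, $user, $token, 1)` discards the reason an entry is rejected, so an ACL line naming a token on a user that does not (yet) exist in the parsed config and one naming an unknown token on a known user both produce the same `ignore invalid acl token '$ug'` warning, which makes a mis-ordered or hand-edited user.cfg harder to diagnose. Since the helper already produces distinct messages without `$noerr`, the error could be captured instead, e.g. `my $token_cfg = eval { check_token_exist($cfg, $user, $token) };` followed by `warn "user config - ignore invalid acl token '$ug' - $@" if !$token_cfg;` — presumably the `check_user_exist` message also ends in a newline, so `$@` can be appended as-is. Dropping an unresolvable ACL entry rather than granting it is the right fail-closed default and is preserved by this branch. `parse_user_config` begins and ends outside the hunk.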