proxmox-mirrors/pve-access-control
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-access-control synced 2025-10-04 15:53:07 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

api: include tfa lock status in user list

Browse Source 
this means /access/users is now a 'protected' call to get
access to 'priv/tfa.cfg'

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
This commit is contained in:
Wolfgang Bumiller 2023-06-02 11:28:34 +02:00
parent 32893f1308
commit 3c4cebc9b7
1 changed files with 20 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
src/PVE/API2/User.pm
View File

@ -115,6 +115,7 @@ __PACKAGE__->register_method ({
description => "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.", description => "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.",
user => 'all', user => 'all',
}, },
protected => 1, # to access priv/tfa.cfg
parameters => { parameters => {
additionalProperties => 0, additionalProperties => 0,
properties => { properties => {
@ -157,6 +158,17 @@ __PACKAGE__->register_method ({
description => 'The type of the users realm', description => 'The type of the users realm',
optional => 1, # it should always be there, but we use conditional code below, so.. optional => 1, # it should always be there, but we use conditional code below, so..
}, },
'totp-locked' => {
type => 'boolean',
optional => 1,
description => 'True if the user is currently locked out of TOTP factors.',
},
'tfa-locked-until' => {
type => 'integer',
optional => 1,
description =>
'Contains a timestamp until when a user is locked out of 2nd factors.',
},
}, },
}, },
links => [ { rel => 'child', href => "{userid}" } ], links => [ { rel => 'child', href => "{userid}" } ],
@ -178,6 +190,8 @@ __PACKAGE__->register_method ({
my $groups = $rpcenv->filter_groups($authuser, $privs, 1); my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
my $allowed_users = $rpcenv->group_member_join([keys %$groups]); my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
my $tfa_cfg = cfs_read_file('priv/tfa.cfg');
foreach my $user (sort keys %{$usercfg->{users}}) { foreach my $user (sort keys %{$usercfg->{users}}) {
if (!($canUserMod || $user eq $authuser)) { if (!($canUserMod || $user eq $authuser)) {
next if !$allowed_users->{$user}; next if !$allowed_users->{$user};
@ -205,6 +219,12 @@ __PACKAGE__->register_method ({
$entry->{userid} = $user; $entry->{userid} = $user;
if (defined($tfa_cfg)) {
if (my $data = $tfa_cfg->tfa_lock_status($user)) {
$entry->{$_} = $data->{$_} for qw(totp-locked tfa-locked-until);
}
}
push @$res, $entry; push @$res, $entry;
} }