[pmg-api.git] / PMG / RuleDB / LDAP.pm

package PMG::RuleDB::LDAP;

use strict;
use warnings;
use DBI;

use PVE::Exception qw(raise_param_exc);

use PMG::Utils;
use PMG::RuleDB::Object;
use PMG::LDAPCache;
use PMG::LDAPSet;

use base qw(PMG::RuleDB::Object);

sub otype {
    return 1005;
}

sub oclass {
    return 'who';
}

sub otype_text {
    return 'LDAP Group';
}

sub new {
    my ($type, $ldapgroup, $profile, $ogroup) = @_;

    my $class = ref($type) || $type;

    my $self = $class->SUPER::new($class->otype(), $ogroup);

    $self->{ldapgroup} = $ldapgroup // '';
    $self->{profile} = $profile // '';

    return $self;
}

sub load_attr {
    my ($type, $ruledb, $id, $ogroup, $value) = @_;

    my $class = ref($type) || $type;

    defined($value) || die "undefined value: ERROR";

    my $obj;
    if ($value =~ m/^([^:]*):(.*)$/) {
	$obj = $class->new($2, $1, $ogroup);
	$obj->{digest} = Digest::SHA::sha1_hex($id, $2, $1, $ogroup);
    } else {
	$obj = $class->new($value, '', $ogroup);
	$obj->{digest} = Digest::SHA::sha1_hex($id, $value, '#', $ogroup);
    }

    $obj->{id} = $id;

    return $obj;
}

sub save {
    my ($self, $ruledb) = @_;

    defined($self->{ogroup}) || die "undefined ogroup: ERROR";
    defined($self->{ldapgroup}) || die "undefined ldap group: ERROR";
    defined($self->{profile}) || die "undefined ldap profile: ERROR";

    my $grp = $self->{ldapgroup};
    my $profile = $self->{profile};

    my $confdata = "$profile:$grp";

    if (defined ($self->{id})) {
	# update

	$ruledb->{dbh}->do(
	    "UPDATE Object SET Value = ? WHERE ID = ?",
	    undef, $confdata, $self->{id});

    } else {
	# insert

	my $sth = $ruledb->{dbh}->prepare(
	    "INSERT INTO Object (Objectgroup_ID, ObjectType, Value) " .
	    "VALUES (?, ?, ?);");

	$sth->execute($self->{ogroup}, $self->otype, $confdata);

	$self->{id} = PMG::Utils::lastid($ruledb->{dbh}, 'object_id_seq');
    }

    return $self->{id};
}

sub test_ldap {
    my ($ldap, $addr, $group, $profile) = @_;

    if ($group eq '') {
	return $ldap->mail_exists($addr, $profile);
    } elsif ($group eq '-') {
	return !$ldap->mail_exists($addr, $profile);
    } elsif ($profile) {
	return $ldap->user_in_group ($addr, $group, $profile);
    } else {
	# fail if we have a real $group without $profile
	return 0;
    }
}

sub who_match {
    my ($self, $addr, $ip, $ldap) = @_;

    return 0 if !$ldap;

    return test_ldap($ldap, $addr, $self->{ldapgroup}, $self->{profile});
}

sub short_desc {
    my ($self) = @_;

    my $desc;

    my $profile = $self->{profile};
    my $group = $self->{ldapgroup};

    if ($group eq '') {
	$desc = "Existing LDAP address";
	if ($profile) {
	    $desc .= ", profile '$profile'";
	} else {
	    $desc .= ", any profile";
	}
    } elsif ($group eq '-') {
	$desc = "Unknown LDAP address";
	if ($profile) {
	    $desc .= ", profile '$profile'";
	} else {
	    $desc .= ", any profile";
	}
    } elsif ($profile) {
	$desc = "LDAP group '$group', profile '$profile'";
    } else {
	$desc = "LDAP group without profile - fail always";
    }

    return $desc;
}

sub properties {
    my ($class) = @_;

    return {
	mode => {
	    description => "Operational mode. You can either match 'any' user, match when no such user exists with 'none', or match when the user is member of a specific group.",
	    type => 'string',
	    enum => ['any', 'none', 'group'],
	},
	profile => {
	    description => "Profile ID.",
	    type => 'string', format => 'pve-configid',
	    optional => 1,
	},
	group => {
	    description => "LDAP Group DN",
	    type => 'string',
	    maxLength => 1024,
	    minLength => 1,
	    optional => 1,
	},
    };
}

sub get {
    my ($self) = @_;

    my $group = $self->{ldapgroup};
    my $profile = $self->{profile},

    my $data = {};

    if ($group eq '') {
	$data->{mode} = 'any';
    } elsif ($group eq '-') {
	$data->{mode} = 'none';
    } else {
	$data->{mode} = 'group';
	$data->{group} = $group;
    }

    $data->{profile} = $profile if $profile ne '';

    return $data;
 }

sub update {
    my ($self, $param) = @_;

    my $mode = $param->{mode};

    if (defined(my $profile = $param->{profile})) {
	my $cfg = PVE::INotify::read_file("pmg-ldap.conf");
	my $config = $cfg->{ids}->{$profile};
	die "LDAP profile '$profile' does not exist\n" if !$config;

	if (defined(my $group = $param->{group})) {
	    my $ldapcache = PMG::LDAPCache->new(
		id => $profile, syncmode => 1, %$config);

	    die "LDAP group '$group' does not exist\n"
		if !$ldapcache->group_exists($group);
	}
    }

    if ($mode eq 'any') {
	raise_param_exc({ group => "parameter not allwed with mode '$mode'"})
	    if defined($param->{group});
	$self->{ldapgroup} = '';
	$self->{profile} = $param->{profile} // '';
    } elsif ($mode eq 'none') {
	raise_param_exc({ group => "parameter not allwed with mode '$mode'"})
	    if defined($param->{group});
	$self->{ldapgroup} = '-';
	$self->{profile} = $param->{profile} // '';
    } elsif ($mode eq 'group') {
	raise_param_exc({ group => "parameter is required with mode '$mode'"})
	    if !defined($param->{group});
	$self->{ldapgroup} = $param->{group};
	raise_param_exc({ profile => "parameter is required with mode '$mode'"})
	    if !defined($param->{profile});
	$self->{profile} = $param->{profile};
    } else {
	die "internal error"; # just to me sure
    }
}

1;

__END__

=head1 PMG::RuleDB::LDAP

A WHO object to check LDAP groups

=head2 Attribues

=head3 ldapgroup

An LDAP group (ignore case).

=head3 profile

The LDAP profile name

=head2 Examples

    $obj = PMG::RuleDB::LDAP>new ('groupname', 'profile_name');
Commit	Line	Data
10621236 DM	1	package PMG::RuleDB::LDAP;
	2
	3	use strict;
	4	use warnings;
	5	use DBI;
	6
2aeda4ac DM	7	use PVE::Exception qw(raise_param_exc);
2aeda4ac DM	8
10621236 DM	9	use PMG::Utils;
	10	use PMG::RuleDB::Object;
	11	use PMG::LDAPCache;
	12	use PMG::LDAPSet;
	13
	14	use base qw(PMG::RuleDB::Object);
	15
	16	sub otype {
	17	return 1005;
	18	}
	19
	20	sub oclass {
	21	return 'who';
	22	}
	23
	24	sub otype_text {
	25	return 'LDAP Group';
	26	}
	27
10621236 DM	28	sub new {
	29	my ($type, $ldapgroup, $profile, $ogroup) = @_;
	30
	31	my $class = ref($type) \|\| $type;
	32
	33	my $self = $class->SUPER::new($class->otype(), $ogroup);
	34
	35	$self->{ldapgroup} = $ldapgroup // '';
	36	$self->{profile} = $profile // '';
	37
	38	return $self;
	39	}
	40
	41	sub load_attr {
	42	my ($type, $ruledb, $id, $ogroup, $value) = @_;
	43
	44	my $class = ref($type) \|\| $type;
	45
	46	defined($value) \|\| die "undefined value: ERROR";
	47
	48	my $obj;
	49	if ($value =~ m/^([^:]):(.)$/) {
	50	$obj = $class->new($2, $1, $ogroup);
2aeda4ac	51	$obj->{digest} = Digest::SHA::sha1_hex($id, $2, $1, $ogroup);
10621236	52	} else {
2aeda4ac DM	53	$obj = $class->new($value, '', $ogroup);
2aeda4ac DM	54	$obj->{digest} = Digest::SHA::sha1_hex($id, $value, '#', $ogroup);
10621236 DM	55	}
	56
	57	$obj->{id} = $id;
	58
	59	return $obj;
	60	}
	61
	62	sub save {
	63	my ($self, $ruledb) = @_;
	64
	65	defined($self->{ogroup}) \|\| die "undefined ogroup: ERROR";
	66	defined($self->{ldapgroup}) \|\| die "undefined ldap group: ERROR";
	67	defined($self->{profile}) \|\| die "undefined ldap profile: ERROR";
	68
	69	my $grp = $self->{ldapgroup};
	70	my $profile = $self->{profile};
	71
	72	my $confdata = "$profile:$grp";
	73
	74	if (defined ($self->{id})) {
	75	# update
	76
	77	$ruledb->{dbh}->do(
	78	"UPDATE Object SET Value = ? WHERE ID = ?",
	79	undef, $confdata, $self->{id});
	80
	81	} else {
	82	# insert
	83
	84	my $sth = $ruledb->{dbh}->prepare(
	85	"INSERT INTO Object (Objectgroup_ID, ObjectType, Value) " .
	86	"VALUES (?, ?, ?);");
	87
	88	$sth->execute($self->{ogroup}, $self->otype, $confdata);
	89
	90	$self->{id} = PMG::Utils::lastid($ruledb->{dbh}, 'object_id_seq');
	91	}
	92
	93	return $self->{id};
	94	}
	95
	96	sub test_ldap {
	97	my ($ldap, $addr, $group, $profile) = @_;
	98
	99	if ($group eq '') {
	100	return $ldap->mail_exists($addr, $profile);
	101	} elsif ($group eq '-') {
	102	return !$ldap->mail_exists($addr, $profile);
2aeda4ac	103	} elsif ($profile) {
10621236	104	return $ldap->user_in_group ($addr, $group, $profile);
2aeda4ac DM	105	} else {
	106	# fail if we have a real $group without $profile
	107	return 0;
10621236 DM	108	}
	109	}
	110
	111	sub who_match {
	112	my ($self, $addr, $ip, $ldap) = @_;
	113
	114	return 0 if !$ldap;
	115
	116	return test_ldap($ldap, $addr, $self->{ldapgroup}, $self->{profile});
	117	}
	118
2aeda4ac DM	119	sub short_desc {
	120	my ($self) = @_;
	121
	122	my $desc;
	123
	124	my $profile = $self->{profile};
	125	my $group = $self->{ldapgroup};
	126
	127	if ($group eq '') {
	128	$desc = "Existing LDAP address";
687306ad DM	129	if ($profile) {
	130	$desc .= ", profile '$profile'";
	131	} else {
	132	$desc .= ", any profile";
	133	}
2aeda4ac DM	134	} elsif ($group eq '-') {
2aeda4ac DM	135	$desc = "Unknown LDAP address";
687306ad DM	136	if ($profile) {
	137	$desc .= ", profile '$profile'";
	138	} else {
	139	$desc .= ", any profile";
	140	}
2aeda4ac	141	} elsif ($profile) {
f76f331a	142	$desc = "LDAP group '$group', profile '$profile'";
2aeda4ac DM	143	} else {
	144	$desc = "LDAP group without profile - fail always";
	145	}
	146
	147	return $desc;
	148	}
	149
	150	sub properties {
	151	my ($class) = @_;
	152
	153	return {
	154	mode => {
	155	description => "Operational mode. You can either match 'any' user, match when no such user exists with 'none', or match when the user is member of a specific group.",
	156	type => 'string',
	157	enum => ['any', 'none', 'group'],
	158	},
	159	profile => {
	160	description => "Profile ID.",
	161	type => 'string', format => 'pve-configid',
	162	optional => 1,
	163	},
	164	group => {
	165	description => "LDAP Group DN",
	166	type => 'string',
	167	maxLength => 1024,
	168	minLength => 1,
	169	optional => 1,
	170	},
	171	};
	172	}
	173
	174	sub get {
	175	my ($self) = @_;
	176
	177	my $group = $self->{ldapgroup};
	178	my $profile = $self->{profile},
	179
	180	my $data = {};
	181
	182	if ($group eq '') {
	183	$data->{mode} = 'any';
	184	} elsif ($group eq '-') {
	185	$data->{mode} = 'none';
	186	} else {
	187	$data->{mode} = 'group';
	188	$data->{group} = $group;
	189	}
	190
	191	$data->{profile} = $profile if $profile ne '';
	192
	193	return $data;
	194	}
	195
	196	sub update {
	197	my ($self, $param) = @_;
	198
	199	my $mode = $param->{mode};
	200
d974ca19 DM	201	if (defined(my $profile = $param->{profile})) {
	202	my $cfg = PVE::INotify::read_file("pmg-ldap.conf");
	203	my $config = $cfg->{ids}->{$profile};
	204	die "LDAP profile '$profile' does not exist\n" if !$config;
	205
	206	if (defined(my $group = $param->{group})) {
	207	my $ldapcache = PMG::LDAPCache->new(
	208	id => $profile, syncmode => 1, %$config);
	209
	210	die "LDAP group '$group' does not exist\n"
	211	if !$ldapcache->group_exists($group);
	212	}
	213	}
	214
2aeda4ac	215	if ($mode eq 'any') {
5182cea0	216	raise_param_exc({ group => "parameter not allwed with mode '$mode'"})
2aeda4ac DM	217	if defined($param->{group});
	218	$self->{ldapgroup} = '';
	219	$self->{profile} = $param->{profile} // '';
	220	} elsif ($mode eq 'none') {
5182cea0	221	raise_param_exc({ group => "parameter not allwed with mode '$mode'"})
2aeda4ac DM	222	if defined($param->{group});
	223	$self->{ldapgroup} = '-';
	224	$self->{profile} = $param->{profile} // '';
	225	} elsif ($mode eq 'group') {
5182cea0	226	raise_param_exc({ group => "parameter is required with mode '$mode'"})
2aeda4ac DM	227	if !defined($param->{group});
2aeda4ac DM	228	$self->{ldapgroup} = $param->{group};
5182cea0	229	raise_param_exc({ profile => "parameter is required with mode '$mode'"})
2aeda4ac DM	230	if !defined($param->{profile});
	231	$self->{profile} = $param->{profile};
	232	} else {
	233	die "internal error"; # just to me sure
	234	}
	235	}
	236
10621236 DM	237	1;
	238
	239	__END__
	240
	241	=head1 PMG::RuleDB::LDAP
	242
	243	A WHO object to check LDAP groups
	244
	245	=head2 Attribues
	246
	247	=head3 ldapgroup
	248
	249	An LDAP group (ignore case).
	250
	251	=head3 profile
	252
	253	The LDAP profile name
	254
	255	=head2 Examples
	256
	257	$obj = PMG::RuleDB::LDAP>new ('groupname', 'profile_name');