]>
Commit | Line | Data |
---|---|---|
2c3a6c0a DM |
1 | package PVE::API2::Domains; |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | use PVE::Cluster qw (cfs_read_file cfs_write_file); | |
6 | use PVE::AccessControl; | |
7 | use PVE::JSONSchema qw(get_standard_option); | |
8 | ||
9 | use PVE::SafeSyslog; | |
10 | ||
11 | use Data::Dumper; # fixme: remove | |
12 | ||
13 | use PVE::RESTHandler; | |
14 | ||
15 | my $domainconfigfile = "domains.cfg"; | |
16 | ||
17 | use base qw(PVE::RESTHandler); | |
18 | ||
19 | __PACKAGE__->register_method ({ | |
20 | name => 'index', | |
21 | path => '', | |
22 | method => 'GET', | |
23 | description => "Authentication domain index.", | |
24 | permissions => { user => 'world' }, | |
25 | parameters => { | |
26 | additionalProperties => 0, | |
27 | properties => {}, | |
28 | }, | |
29 | returns => { | |
30 | type => 'array', | |
31 | items => { | |
32 | type => "object", | |
33 | properties => { | |
34 | realm => { type => 'string' }, | |
35 | comment => { type => 'string', optional => 1 }, | |
36 | }, | |
37 | }, | |
38 | links => [ { rel => 'child', href => "{realm}" } ], | |
39 | }, | |
40 | code => sub { | |
41 | my ($param) = @_; | |
42 | ||
43 | my $res = []; | |
44 | ||
45 | my $cfg = cfs_read_file($domainconfigfile); | |
46 | ||
47 | foreach my $realm (keys %$cfg) { | |
48 | my $d = $cfg->{$realm}; | |
49 | my $entry = { realm => $realm, type => $d->{type} }; | |
50 | $entry->{comment} = $d->{comment} if $d->{comment}; | |
51 | $entry->{default} = 1 if $d->{default}; | |
52 | push @$res, $entry; | |
53 | } | |
54 | ||
55 | return $res; | |
56 | }}); | |
57 | ||
58 | __PACKAGE__->register_method ({ | |
59 | name => 'create', | |
60 | protected => 1, | |
61 | path => '', | |
62 | method => 'POST', | |
63 | description => "Add an authentication server.", | |
64 | parameters => { | |
65 | additionalProperties => 0, | |
66 | properties => { | |
67 | realm => get_standard_option('realm'), | |
68 | type => { | |
69 | description => "Server type.", | |
70 | type => 'string', | |
71 | enum => [ 'ad', 'ldap' ], | |
72 | }, | |
73 | server1 => { | |
74 | description => "Server IP address (or DNS name)", | |
75 | type => 'string', | |
76 | }, | |
77 | server2 => { | |
78 | description => "Fallback Server IP address (or DNS name)", | |
79 | type => 'string', | |
80 | optional => 1, | |
81 | }, | |
82 | secure => { | |
83 | description => "Use secure LDAPS protocol.", | |
84 | type => 'boolean', | |
85 | optional => 1, | |
86 | }, | |
87 | default => { | |
88 | description => "Use this as default realm", | |
89 | type => 'boolean', | |
90 | optional => 1, | |
91 | }, | |
92 | comment => { | |
93 | type => 'string', | |
94 | optional => 1, | |
95 | }, | |
96 | port => { | |
af4a8a85 | 97 | description => "Server port. Use '0' if you want to use default settings'", |
2c3a6c0a | 98 | type => 'integer', |
af4a8a85 | 99 | minimum => 0, |
2c3a6c0a DM |
100 | maximum => 65535, |
101 | optional => 1, | |
102 | }, | |
a0492cd6 DM |
103 | domain => { |
104 | description => "AD domain name", | |
105 | type => 'string', | |
106 | optional => 1, | |
107 | }, | |
2c3a6c0a DM |
108 | base_dn => { |
109 | description => "LDAP base domain name", | |
110 | type => 'string', | |
111 | optional => 1, | |
112 | }, | |
113 | user_attr => { | |
114 | description => "LDAP user attribute name", | |
115 | type => 'string', | |
116 | optional => 1, | |
117 | }, | |
118 | }, | |
119 | }, | |
120 | returns => { type => 'null' }, | |
121 | code => sub { | |
122 | my ($param) = @_; | |
123 | ||
124 | PVE::AccessControl::lock_domain_config( | |
125 | sub { | |
126 | ||
127 | my $cfg = cfs_read_file($domainconfigfile); | |
128 | ||
129 | my $realm = $param->{realm}; | |
130 | ||
131 | die "domain '$realm' already exists\n" | |
132 | if $cfg->{$realm}; | |
133 | ||
134 | die "unable to use reserved name '$realm'\n" | |
135 | if ($realm eq 'pam' || $realm eq 'pve'); | |
136 | ||
137 | if (defined($param->{secure})) { | |
138 | $cfg->{$realm}->{secure} = $param->{secure} ? 1 : 0; | |
139 | } | |
af4a8a85 | 140 | |
2c3a6c0a DM |
141 | if ($param->{default}) { |
142 | foreach my $r (keys %$cfg) { | |
143 | delete $cfg->{$r}->{default}; | |
144 | } | |
145 | } | |
146 | ||
147 | foreach my $p (keys %$param) { | |
148 | next if $p eq 'realm'; | |
0c156363 | 149 | $cfg->{$realm}->{$p} = $param->{$p} if $param->{$p}; |
2c3a6c0a DM |
150 | } |
151 | ||
af4a8a85 | 152 | # port 0 ==> use default |
0c156363 DM |
153 | # server2 == '' ===> delete server2 |
154 | for my $p (qw(port server2)) { | |
155 | if (defined($param->{$p}) && !$param->{$p}) { | |
156 | delete $cfg->{$realm}->{$p}; | |
157 | } | |
af4a8a85 DM |
158 | } |
159 | ||
2c3a6c0a DM |
160 | cfs_write_file($domainconfigfile, $cfg); |
161 | }, "add auth server failed"); | |
162 | ||
163 | return undef; | |
164 | }}); | |
165 | ||
166 | __PACKAGE__->register_method ({ | |
167 | name => 'update', | |
168 | path => '{realm}', | |
169 | method => 'PUT', | |
170 | description => "Update authentication server settings.", | |
171 | protected => 1, | |
172 | parameters => { | |
173 | additionalProperties => 0, | |
174 | properties => { | |
175 | realm => get_standard_option('realm'), | |
176 | server1 => { | |
177 | description => "Server IP address (or DNS name)", | |
178 | type => 'string', | |
179 | optional => 1, | |
180 | }, | |
181 | server2 => { | |
182 | description => "Fallback Server IP address (or DNS name)", | |
183 | type => 'string', | |
184 | optional => 1, | |
185 | }, | |
186 | secure => { | |
187 | description => "Use secure LDAPS protocol.", | |
188 | type => 'boolean', | |
189 | optional => 1, | |
190 | }, | |
191 | default => { | |
192 | description => "Use this as default realm", | |
193 | type => 'boolean', | |
194 | optional => 1, | |
195 | }, | |
196 | comment => { | |
197 | type => 'string', | |
198 | optional => 1, | |
199 | }, | |
200 | port => { | |
af4a8a85 | 201 | description => "Server port. Use '0' if you want to use default settings'", |
2c3a6c0a | 202 | type => 'integer', |
af4a8a85 | 203 | minimum => 0, |
2c3a6c0a DM |
204 | maximum => 65535, |
205 | optional => 1, | |
206 | }, | |
a0492cd6 DM |
207 | domain => { |
208 | description => "AD domain name", | |
209 | type => 'string', | |
210 | optional => 1, | |
211 | }, | |
2c3a6c0a DM |
212 | base_dn => { |
213 | description => "LDAP base domain name", | |
214 | type => 'string', | |
215 | optional => 1, | |
216 | }, | |
217 | user_attr => { | |
218 | description => "LDAP user attribute name", | |
219 | type => 'string', | |
220 | optional => 1, | |
221 | }, | |
222 | }, | |
223 | }, | |
224 | returns => { type => 'null' }, | |
225 | code => sub { | |
226 | my ($param) = @_; | |
227 | ||
228 | PVE::AccessControl::lock_domain_config( | |
229 | sub { | |
230 | ||
231 | my $cfg = cfs_read_file($domainconfigfile); | |
232 | ||
233 | my $realm = $param->{realm}; | |
234 | delete $param->{realm}; | |
235 | ||
236 | die "unable to modify bultin domain '$realm'\n" | |
237 | if ($realm eq 'pam' || $realm eq 'pve'); | |
238 | ||
239 | die "domain '$realm' does not exist\n" | |
240 | if !$cfg->{$realm}; | |
241 | ||
242 | if (defined($param->{secure})) { | |
243 | $cfg->{$realm}->{secure} = $param->{secure} ? 1 : 0; | |
244 | } | |
245 | ||
246 | if ($param->{default}) { | |
247 | foreach my $r (keys %$cfg) { | |
248 | delete $cfg->{$r}->{default}; | |
249 | } | |
250 | } | |
251 | ||
252 | foreach my $p (keys %$param) { | |
0c156363 DM |
253 | if ($param->{$p}) { |
254 | $cfg->{$realm}->{$p} = $param->{$p}; | |
255 | } else { | |
256 | delete $cfg->{$realm}->{$p}; | |
257 | } | |
af4a8a85 DM |
258 | } |
259 | ||
2c3a6c0a DM |
260 | cfs_write_file($domainconfigfile, $cfg); |
261 | }, "update auth server failed"); | |
262 | ||
263 | return undef; | |
264 | }}); | |
265 | ||
266 | # fixme: return format! | |
267 | __PACKAGE__->register_method ({ | |
268 | name => 'read', | |
269 | path => '{realm}', | |
270 | method => 'GET', | |
271 | description => "Get auth server configuration.", | |
272 | parameters => { | |
273 | additionalProperties => 0, | |
274 | properties => { | |
275 | realm => get_standard_option('realm'), | |
276 | }, | |
277 | }, | |
278 | returns => {}, | |
279 | code => sub { | |
280 | my ($param) = @_; | |
281 | ||
282 | my $cfg = cfs_read_file($domainconfigfile); | |
283 | ||
284 | my $realm = $param->{realm}; | |
285 | ||
286 | my $data = $cfg->{$realm}; | |
287 | die "domain '$realm' does not exist\n" if !$data; | |
288 | ||
289 | return $data; | |
290 | }}); | |
291 | ||
292 | ||
293 | __PACKAGE__->register_method ({ | |
294 | name => 'delete', | |
295 | path => '{realm}', | |
296 | method => 'DELETE', | |
297 | description => "Delete an authentication server.", | |
298 | protected => 1, | |
299 | parameters => { | |
300 | additionalProperties => 0, | |
301 | properties => { | |
302 | realm => get_standard_option('realm'), | |
303 | } | |
304 | }, | |
305 | returns => { type => 'null' }, | |
306 | code => sub { | |
307 | my ($param) = @_; | |
308 | ||
309 | PVE::AccessControl::lock_user_config( | |
310 | sub { | |
311 | ||
312 | my $cfg = cfs_read_file($domainconfigfile); | |
313 | ||
314 | my $realm = $param->{realm}; | |
315 | ||
316 | die "domain '$realm' does not exist\n" if !$cfg->{$realm}; | |
317 | ||
318 | delete $cfg->{$realm}; | |
319 | ||
320 | cfs_write_file($domainconfigfile, $cfg); | |
321 | }, "delete auth server failed"); | |
322 | ||
323 | return undef; | |
324 | }}); | |
325 | ||
326 | 1; |