1 | package PMG::RESTEnvironment; |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | ||
9968426f | 6 | use PVE::INotify; |
9d82c6bc | 7 | use PVE::RESTEnvironment; |
3689f2cd | 8 | use PVE::Exception qw(raise_perm_exc); |
9d82c6bc | 9 | |
9968426f | 10 | use PMG::Cluster; |
9d82c6bc | 11 | use PMG::ClusterConfig; |
27ca2dae | 12 | use PMG::AccessControl; |
13 | |
use base qw(PVE::RESTEnvironment); # base class supplies the methods not defined here (init, init_request, get_user, get, ...)
15 | ||
# This node's name, resolved once at module load; compared against the
# cluster master in check_node_is_master().
my $nodename = PVE::INotify::nodename();
17 | ||
# Initialize the environment - must be called once at program startup.
# Delegates to PVE::RESTEnvironment::init() and then adds the PMG-specific
# slots. The cluster info and user config start out empty and the ticket
# undefined; init_request() fills/resets them for every request.
sub init {
    my ($class, $type, %params) = @_;

    # allow calling on an instance as well as on the class name
    my $pkg = ref($class) || $class;

    my $self = $pkg->SUPER::init($type, %params);

    @{$self}{qw(cinfo usercfg ticket)} = ({}, {}, undef);

    return $self;
}
32 | ||
# init_request - must be called before each RPC request.
# Runs the base-class per-request setup, then clears the request-scoped
# authentication state (ticket, role, format) so nothing carries over from a
# previous request, and (re)reads the cluster and user configuration.
sub init_request {
    my ($self, %params) = @_;

    $self->SUPER::init_request(%params);

    # request-scoped state: always start from "unauthenticated"
    $self->{$_} = undef for qw(ticket role format);

    # configuration is read per request via PVE::INotify; how it caches is
    # not visible here
    $self->{cinfo} = PVE::INotify::read_file("cluster.conf");
    $self->{usercfg} = PVE::INotify::read_file("pmg-user.conf");
}
45 | ||
# Set up the environment for command line use: run the base-class CLI setup
# for $username, then give the shared environment instance (obtained via
# get()) the 'root' role, so role-checked API methods are usable from the CLI.
sub setup_default_cli_env {
    my ($class, $username) = @_;

    $class->SUPER::setup_default_cli_env($username);

    $class->get()->set_role('root');
}
54 | ||
# Remember the requested output format for the current request.
# (The parameter was named $ticket in the original; it is the format value.)
sub set_format {
    my $self = shift;
    my ($format) = @_;

    $self->{format} = $format;
    return $self->{format};
}
60 | ||
# Output format for the current request; 'json' when none was set.
# Uses defined-or, so a format of '0' or '' is returned as-is.
sub get_format {
    my $self = shift;

    my $format = $self->{format};
    return defined($format) ? $format : 'json';
}
66 | ||
# Store the authentication ticket of the current request (reset to undef by
# init_request() at the start of the next one).
sub set_ticket {
    my $self = shift;
    my ($ticket) = @_;

    $self->{ticket} = $ticket;
    return $self->{ticket};
}
72 | ||
# Authentication ticket of the current request, or undef if none was set.
sub get_ticket {
    my $self = shift;

    my $ticket = $self->{ticket};
    return $ticket;
}
78 | ||
# Set the role used by check_api2_permissions() for the current request.
# (The parameter was named $user in the original; it is a role name such as
# 'root', 'helpdesk', 'audit' or 'qmanager'.)
sub set_role {
    my $self = shift;
    my ($role) = @_;

    $self->{role} = $role;
    return $self->{role};
}
84 | ||
# Role of the current request, or undef if set_role() was not called.
sub get_role {
    my $self = shift;

    my $role = $self->{role};
    return $role;
}
90 | ||
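# Check that this node is the cluster master.
#
# Returns 1 when the master reported by PMG::Cluster::get_master_node() for
# the current cluster config is this node or 'localhost' (presumably the
# value used when no cluster is configured - verify in PMG::Cluster).
# Otherwise dies with a message, or returns undef when $noerr is true.
#
# Fix: the original declared `my ($self, $noerr);` without assigning @_, so
# $self and $noerr were always undef - the cluster config from init_request()
# was never consulted and $noerr could never suppress the die.
sub check_node_is_master {
    my ($self, $noerr) = @_;

    my $master = PMG::Cluster::get_master_node($self->{cinfo});

    return 1 if $master eq 'localhost' || $master eq $nodename;

    return undef if $noerr;

    die "this node ('$nodename') is not the master node\n";
}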
102 | ||
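# Authorization check for an API2 method call.
#
# $perm is the method's permission spec as seen here:
#   { user => 'world' }   - callable without authentication
#   { user => 'all' }     - callable by any authenticated user
#   { check => [roles] }  - callable when the request's role is listed
#   undef                 - root@pam only
# $uri_param is accepted for interface compatibility but is not consulted.
#
# Returns 1 when access is granted. In every other case a permission
# exception is raised via raise_perm_exc(), i.e. the function never returns
# a false value, so a caller that ignores the result cannot fail open.
sub check_api2_permissions {
    my ($self, $perm, $uri_param) = @_;

    # noerr: an unauthenticated request yields undef instead of dying here
    my $username = $self->get_user(1);

    # 'world' endpoints need no authentication at all
    return 1 if !$username && $perm->{user} && $perm->{user} eq 'world';

    raise_perm_exc("user == null") if !$username;

    # root@pam bypasses all further checks
    return 1 if $username eq 'root@pam';

    # no permission spec at all means root-only
    raise_perm_exc('user != root@pam') if !$perm;

    # 'all': any authenticated user
    return 1 if $perm->{user} && $perm->{user} eq 'all';

    # NOTE(review): an authenticated non-root user reaching a 'world'
    # endpoint is only granted access below if a 'check' role matches;
    # otherwise this falls through to the final raise (fails closed) -
    # confirm that is intended.

    # The role is set per request by set_role(); a request without one is
    # treated as '' so the comparisons below fail closed without emitting
    # "uninitialized value" warnings (the original compared undef directly).
    my $role = $self->{role} // '';

    if (my $allowed_roles = $perm->{check}) {
        # helpdesk is a combination of the qmanager and audit roles
        if ($role eq 'helpdesk') {
            return 1 if grep { $_ eq 'audit' || $_ eq 'qmanager' } @$allowed_roles;
        }
        return 1 if grep { $_ eq $role } @$allowed_roles;
    }

    # default deny
    raise_perm_exc();
}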
131 | ||
1; # module must end with a true value