[pmg-api.git] / src / PMG / RuleDB / LDAP.pm

package PMG::RuleDB::LDAP;

use strict;
use warnings;
use DBI;
use Encode qw(encode);

use PVE::Exception qw(raise_param_exc);

use PMG::Utils;
use PMG::RuleDB::Object;
use PMG::LDAPCache;
use PMG::LDAPSet;

use base qw(PMG::RuleDB::Object);

sub otype {
    return 1005;
}

sub oclass {
    return 'who';
}

sub otype_text {
    return 'LDAP Group';
}

sub new {
    my ($type, $ldapgroup, $profile, $ogroup) = @_;

    my $class = ref($type) || $type;

    my $self = $class->SUPER::new($class->otype(), $ogroup);

    $self->{ldapgroup} = $ldapgroup // '';
    $self->{profile} = $profile // '';

    return $self;
}

sub load_attr {
    my ($type, $ruledb, $id, $ogroup, $value) = @_;

    my $class = ref($type) || $type;

    defined($value) || die "undefined value: ERROR";

    my $decoded = PMG::Utils::try_decode_utf8($value);

    my $obj;
    if ($decoded =~ m/^([^:]*):(.*)$/) {
	$obj = $class->new($2, $1, $ogroup);
	$obj->{digest} = Digest::SHA::sha1_hex($id, encode('UTF-8', $2), encode('UTF-8', $1), $ogroup);
    } else {
	$obj = $class->new($decoded, '', $ogroup);
	$obj->{digest} = Digest::SHA::sha1_hex($id, $value, '#', $ogroup);
    }

    $obj->{id} = $id;

    return $obj;
}

sub save {
    my ($self, $ruledb) = @_;

    defined($self->{ogroup}) || die "undefined ogroup: ERROR";
    defined($self->{ldapgroup}) || die "undefined ldap group: ERROR";
    defined($self->{profile}) || die "undefined ldap profile: ERROR";

    my $grp = $self->{ldapgroup};
    my $profile = $self->{profile};

    my $confdata = encode('UTF-8', "$profile:$grp");

    if (defined ($self->{id})) {
	# update

	$ruledb->{dbh}->do(
	    "UPDATE Object SET Value = ? WHERE ID = ?",
	    undef, $confdata, $self->{id});

    } else {
	# insert

	# check if it exists first
	if (my $id = PMG::Utils::get_existing_object_id(
	    $ruledb->{dbh},
	    $self->{ogroup},
	    $self->otype(),
	    $confdata
	)) {
	    return $id;
	}

	my $sth = $ruledb->{dbh}->prepare(
	    "INSERT INTO Object (Objectgroup_ID, ObjectType, Value) " .
	    "VALUES (?, ?, ?);");

	$sth->execute($self->{ogroup}, $self->otype, $confdata);

	$self->{id} = PMG::Utils::lastid($ruledb->{dbh}, 'object_id_seq');
    }

    return $self->{id};
}

sub test_ldap {
    my ($ldap, $addr, $group, $profile) = @_;

    if ($group eq '') {
	return $ldap->mail_exists($addr, $profile);
    } elsif ($group eq '-') {
	return !$ldap->mail_exists($addr, $profile);
    } elsif ($profile) {
	return $ldap->user_in_group ($addr, $group, $profile);
    } else {
	# fail if we have a real $group without $profile
	return 0;
    }
}

sub who_match {
    my ($self, $addr, $ip, $ldap) = @_;

    return 0 if !$ldap;

    return test_ldap($ldap, $addr, $self->{ldapgroup}, $self->{profile});
}

sub short_desc {
    my ($self) = @_;

    my $desc;

    my $profile = $self->{profile};
    my $group = $self->{ldapgroup};

    if ($group eq '') {
	$desc = "Existing LDAP address";
	if ($profile) {
	    $desc .= ", profile '$profile'";
	} else {
	    $desc .= ", any profile";
	}
    } elsif ($group eq '-') {
	$desc = "Unknown LDAP address";
	if ($profile) {
	    $desc .= ", profile '$profile'";
	} else {
	    $desc .= ", any profile";
	}
    } elsif ($profile) {
	$desc = "LDAP group '$group', profile '$profile'";
    } else {
	$desc = "LDAP group without profile - fail always";
    }

    return $desc;
}

sub properties {
    my ($class) = @_;

    return {
	mode => {
	    description => "Operational mode. You can either match 'any' user, match when no such user exists with 'none', or match when the user is member of a specific group.",
	    type => 'string',
	    enum => ['any', 'none', 'group'],
	},
	profile => {
	    description => "Profile ID.",
	    type => 'string', format => 'pve-configid',
	    optional => 1,
	},
	group => {
	    description => "LDAP Group DN",
	    type => 'string',
	    maxLength => 1024,
	    minLength => 1,
	    optional => 1,
	},
    };
}

sub get {
    my ($self) = @_;

    my $group = $self->{ldapgroup};
    my $profile = $self->{profile},

    my $data = {};

    if ($group eq '') {
	$data->{mode} = 'any';
    } elsif ($group eq '-') {
	$data->{mode} = 'none';
    } else {
	$data->{mode} = 'group';
	$data->{group} = $group;
    }

    $data->{profile} = $profile if $profile ne '';

    return $data;
 }

sub update {
    my ($self, $param) = @_;

    my $mode = $param->{mode};

    if (defined(my $profile = $param->{profile})) {
	my $cfg = PVE::INotify::read_file("pmg-ldap.conf");
	my $config = $cfg->{ids}->{$profile};
	die "LDAP profile '$profile' does not exist\n" if !$config;

	if (defined(my $group = $param->{group})) {
	    my $ldapcache = PMG::LDAPCache->new(
		id => $profile, syncmode => 1, %$config);

	    die "LDAP group '$group' does not exist\n"
		if !$ldapcache->group_exists($group);
	}
    }

    if ($mode eq 'any') {
	raise_param_exc({ group => "parameter not allwed with mode '$mode'"})
	    if defined($param->{group});
	$self->{ldapgroup} = '';
	$self->{profile} = $param->{profile} // '';
    } elsif ($mode eq 'none') {
	raise_param_exc({ group => "parameter not allwed with mode '$mode'"})
	    if defined($param->{group});
	$self->{ldapgroup} = '-';
	$self->{profile} = $param->{profile} // '';
    } elsif ($mode eq 'group') {
	raise_param_exc({ group => "parameter is required with mode '$mode'"})
	    if !defined($param->{group});
	$self->{ldapgroup} = $param->{group};
	raise_param_exc({ profile => "parameter is required with mode '$mode'"})
	    if !defined($param->{profile});
	$self->{profile} = $param->{profile};
    } else {
	die "internal error"; # just to me sure
    }
}

1;

__END__

=head1 PMG::RuleDB::LDAP

A WHO object to check LDAP groups

=head2 Attributes

=head3 ldapgroup

An LDAP group (ignore case).

=head3 profile

The LDAP profile name

=head2 Examples

    $obj = PMG::RuleDB::LDAP>new ('groupname', 'profile_name');
Commit	Line	Data
10621236 DM	1	package PMG::RuleDB::LDAP;
	2
	3	use strict;
	4	use warnings;
	5	use DBI;
ff1a61ff	6	use Encode qw(encode);
10621236	7
2aeda4ac DM	8	use PVE::Exception qw(raise_param_exc);
2aeda4ac DM	9
10621236 DM	10	use PMG::Utils;
	11	use PMG::RuleDB::Object;
	12	use PMG::LDAPCache;
	13	use PMG::LDAPSet;
	14
	15	use base qw(PMG::RuleDB::Object);
	16
	17	sub otype {
	18	return 1005;
	19	}
	20
	21	sub oclass {
	22	return 'who';
	23	}
	24
	25	sub otype_text {
	26	return 'LDAP Group';
	27	}
	28
10621236 DM	29	sub new {
	30	my ($type, $ldapgroup, $profile, $ogroup) = @_;
	31
	32	my $class = ref($type) \|\| $type;
	33
	34	my $self = $class->SUPER::new($class->otype(), $ogroup);
	35
	36	$self->{ldapgroup} = $ldapgroup // '';
	37	$self->{profile} = $profile // '';
	38
	39	return $self;
	40	}
	41
	42	sub load_attr {
	43	my ($type, $ruledb, $id, $ogroup, $value) = @_;
	44
	45	my $class = ref($type) \|\| $type;
	46
	47	defined($value) \|\| die "undefined value: ERROR";
	48
ff1a61ff DC	49	my $decoded = PMG::Utils::try_decode_utf8($value);
ff1a61ff DC	50
10621236	51	my $obj;
ff1a61ff	52	if ($decoded =~ m/^([^:]):(.)$/) {
10621236	53	$obj = $class->new($2, $1, $ogroup);
ff1a61ff	54	$obj->{digest} = Digest::SHA::sha1_hex($id, encode('UTF-8', $2), encode('UTF-8', $1), $ogroup);
10621236	55	} else {
ff1a61ff	56	$obj = $class->new($decoded, '', $ogroup);
2aeda4ac	57	$obj->{digest} = Digest::SHA::sha1_hex($id, $value, '#', $ogroup);
10621236 DM	58	}
	59
	60	$obj->{id} = $id;
	61
	62	return $obj;
	63	}
	64
	65	sub save {
	66	my ($self, $ruledb) = @_;
	67
	68	defined($self->{ogroup}) \|\| die "undefined ogroup: ERROR";
	69	defined($self->{ldapgroup}) \|\| die "undefined ldap group: ERROR";
	70	defined($self->{profile}) \|\| die "undefined ldap profile: ERROR";
	71
	72	my $grp = $self->{ldapgroup};
	73	my $profile = $self->{profile};
	74
ff1a61ff	75	my $confdata = encode('UTF-8', "$profile:$grp");
10621236 DM	76
	77	if (defined ($self->{id})) {
	78	# update
	79
	80	$ruledb->{dbh}->do(
	81	"UPDATE Object SET Value = ? WHERE ID = ?",
	82	undef, $confdata, $self->{id});
	83
	84	} else {
	85	# insert
	86
736b986f DC	87	# check if it exists first
	88	if (my $id = PMG::Utils::get_existing_object_id(
	89	$ruledb->{dbh},
	90	$self->{ogroup},
	91	$self->otype(),
	92	$confdata
	93	)) {
	94	return $id;
	95	}
	96
10621236 DM	97	my $sth = $ruledb->{dbh}->prepare(
	98	"INSERT INTO Object (Objectgroup_ID, ObjectType, Value) " .
	99	"VALUES (?, ?, ?);");
	100
	101	$sth->execute($self->{ogroup}, $self->otype, $confdata);
	102
	103	$self->{id} = PMG::Utils::lastid($ruledb->{dbh}, 'object_id_seq');
	104	}
	105
	106	return $self->{id};
	107	}
	108
	109	sub test_ldap {
	110	my ($ldap, $addr, $group, $profile) = @_;
	111
	112	if ($group eq '') {
	113	return $ldap->mail_exists($addr, $profile);
	114	} elsif ($group eq '-') {
	115	return !$ldap->mail_exists($addr, $profile);
2aeda4ac	116	} elsif ($profile) {
10621236	117	return $ldap->user_in_group ($addr, $group, $profile);
2aeda4ac DM	118	} else {
	119	# fail if we have a real $group without $profile
	120	return 0;
10621236 DM	121	}
	122	}
	123
	124	sub who_match {
	125	my ($self, $addr, $ip, $ldap) = @_;
	126
	127	return 0 if !$ldap;
	128
	129	return test_ldap($ldap, $addr, $self->{ldapgroup}, $self->{profile});
	130	}
	131
2aeda4ac DM	132	sub short_desc {
	133	my ($self) = @_;
	134
	135	my $desc;
	136
	137	my $profile = $self->{profile};
	138	my $group = $self->{ldapgroup};
	139
	140	if ($group eq '') {
	141	$desc = "Existing LDAP address";
687306ad DM	142	if ($profile) {
	143	$desc .= ", profile '$profile'";
	144	} else {
	145	$desc .= ", any profile";
	146	}
2aeda4ac DM	147	} elsif ($group eq '-') {
2aeda4ac DM	148	$desc = "Unknown LDAP address";
687306ad DM	149	if ($profile) {
	150	$desc .= ", profile '$profile'";
	151	} else {
	152	$desc .= ", any profile";
	153	}
2aeda4ac	154	} elsif ($profile) {
f76f331a	155	$desc = "LDAP group '$group', profile '$profile'";
2aeda4ac DM	156	} else {
	157	$desc = "LDAP group without profile - fail always";
	158	}
	159
	160	return $desc;
	161	}
	162
	163	sub properties {
	164	my ($class) = @_;
	165
	166	return {
	167	mode => {
	168	description => "Operational mode. You can either match 'any' user, match when no such user exists with 'none', or match when the user is member of a specific group.",
	169	type => 'string',
	170	enum => ['any', 'none', 'group'],
	171	},
	172	profile => {
	173	description => "Profile ID.",
	174	type => 'string', format => 'pve-configid',
	175	optional => 1,
	176	},
	177	group => {
	178	description => "LDAP Group DN",
	179	type => 'string',
	180	maxLength => 1024,
	181	minLength => 1,
	182	optional => 1,
	183	},
	184	};
	185	}
	186
	187	sub get {
	188	my ($self) = @_;
	189
	190	my $group = $self->{ldapgroup};
	191	my $profile = $self->{profile},
	192
	193	my $data = {};
	194
	195	if ($group eq '') {
	196	$data->{mode} = 'any';
	197	} elsif ($group eq '-') {
	198	$data->{mode} = 'none';
	199	} else {
	200	$data->{mode} = 'group';
	201	$data->{group} = $group;
	202	}
	203
	204	$data->{profile} = $profile if $profile ne '';
	205
	206	return $data;
	207	}
	208
	209	sub update {
	210	my ($self, $param) = @_;
	211
	212	my $mode = $param->{mode};
	213
d974ca19 DM	214	if (defined(my $profile = $param->{profile})) {
	215	my $cfg = PVE::INotify::read_file("pmg-ldap.conf");
	216	my $config = $cfg->{ids}->{$profile};
	217	die "LDAP profile '$profile' does not exist\n" if !$config;
	218
	219	if (defined(my $group = $param->{group})) {
	220	my $ldapcache = PMG::LDAPCache->new(
	221	id => $profile, syncmode => 1, %$config);
	222
	223	die "LDAP group '$group' does not exist\n"
	224	if !$ldapcache->group_exists($group);
	225	}
	226	}
	227
2aeda4ac	228	if ($mode eq 'any') {
5182cea0	229	raise_param_exc({ group => "parameter not allwed with mode '$mode'"})
2aeda4ac DM	230	if defined($param->{group});
	231	$self->{ldapgroup} = '';
	232	$self->{profile} = $param->{profile} // '';
	233	} elsif ($mode eq 'none') {
5182cea0	234	raise_param_exc({ group => "parameter not allwed with mode '$mode'"})
2aeda4ac DM	235	if defined($param->{group});
	236	$self->{ldapgroup} = '-';
	237	$self->{profile} = $param->{profile} // '';
	238	} elsif ($mode eq 'group') {
5182cea0	239	raise_param_exc({ group => "parameter is required with mode '$mode'"})
2aeda4ac DM	240	if !defined($param->{group});
2aeda4ac DM	241	$self->{ldapgroup} = $param->{group};
5182cea0	242	raise_param_exc({ profile => "parameter is required with mode '$mode'"})
2aeda4ac DM	243	if !defined($param->{profile});
	244	$self->{profile} = $param->{profile};
	245	} else {
	246	die "internal error"; # just to me sure
	247	}
	248	}
	249
10621236 DM	250	1;
	251
	252	__END__
	253
	254	=head1 PMG::RuleDB::LDAP
	255
	256	A WHO object to check LDAP groups
	257
1359baef	258	=head2 Attributes
10621236 DM	259
	260	=head3 ldapgroup
	261
	262	An LDAP group (ignore case).
	263
	264	=head3 profile
	265
	266	The LDAP profile name
	267
	268	=head2 Examples
	269
	270	$obj = PMG::RuleDB::LDAP>new ('groupname', 'profile_name');