]> git.proxmox.com Git - pve-access-control.git/blob - src/PVE/API2/ACL.pm
projects / pve-access-control.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
drop support for old login API
[pve-access-control.git] / src / PVE / API2 / ACL.pm
1 package PVE::API2::ACL;
2
3 use strict;
4 use warnings;
5 use PVE::Cluster qw (cfs_read_file cfs_write_file);
6 use PVE::Tools qw(split_list);
7 use PVE::AccessControl;
8 use PVE::Exception qw(raise_param_exc);
9 use PVE::JSONSchema qw(get_standard_option register_standard_option);
10
11 use PVE::SafeSyslog;
12
13 use PVE::RESTHandler;
14
15 use base qw(PVE::RESTHandler);
16
17 register_standard_option('acl-propagate', {
18 description => "Allow to propagate (inherit) permissions.",
19 type => 'boolean',
20 optional => 1,
21 default => 1,
22 });
23 register_standard_option('acl-path', {
24 description => "Access control path",
25 type => 'string',
26 });
27
28 __PACKAGE__->register_method ({
29 name => 'read_acl',
30 path => '',
31 method => 'GET',
32 description => "Get Access Control List (ACLs).",
33 permissions => {
34 description => "The returned list is restricted to objects where you have rights to modify permissions.",
35 user => 'all',
36 },
37 parameters => {
38 additionalProperties => 0,
39 properties => {},
40 },
41 returns => {
42 type => 'array',
43 items => {
44 type => "object",
45 additionalProperties => 0,
46 properties => {
47 propagate => get_standard_option('acl-propagate'),
48 path => get_standard_option('acl-path'),
49 type => { type => 'string', enum => ['user', 'group', 'token'] },
50 ugid => { type => 'string' },
51 roleid => { type => 'string' },
52 },
53 },
54 },
55 code => sub {
56 my ($param) = @_;
57
58 my $rpcenv = PVE::RPCEnvironment::get();
59 my $authuser = $rpcenv->get_user();
60 my $res = [];
61
62 my $usercfg = $rpcenv->{user_cfg};
63 if (!$usercfg || !$usercfg->{acl_root}) {
64 return $res;
65 }
66
67 my $audit = $rpcenv->check($authuser, '/access', ['Sys.Audit'], 1);
68
69 my $root = $usercfg->{acl_root};
70 PVE::AccessControl::iterate_acl_tree("/", $root, sub {
71 my ($path, $node) = @_;
72 foreach my $type (qw(user group token)) {
73 my $d = $node->{"${type}s"};
74 next if !$d;
75 next if !($audit || $rpcenv->check_perm_modify($authuser, $path, 1));
76 foreach my $id (keys %$d) {
77 foreach my $role (keys %{$d->{$id}}) {
78 my $propagate = $d->{$id}->{$role};
79 push @$res, {
80 path => $path,
81 type => $type,
82 ugid => $id,
83 roleid => $role,
84 propagate => $propagate,
85 };
86 }
87 }
88 }
89 });
90
91 return $res;
92 }});
93
94 __PACKAGE__->register_method ({
95 name => 'update_acl',
96 protected => 1,
97 path => '',
98 method => 'PUT',
99 permissions => {
100 check => ['perm-modify', '{path}'],
101 },
102 description => "Update Access Control List (add or remove permissions).",
103 parameters => {
104 additionalProperties => 0,
105 properties => {
106 propagate => get_standard_option('acl-propagate'),
107 path => get_standard_option('acl-path'),
108 users => {
109 description => "List of users.",
110 type => 'string', format => 'pve-userid-list',
111 optional => 1,
112 },
113 groups => {
114 description => "List of groups.",
115 type => 'string', format => 'pve-groupid-list',
116 optional => 1,
117 },
118 tokens => {
119 description => "List of API tokens.",
120 type => 'string', format => 'pve-tokenid-list',
121 optional => 1,
122 },
123 roles => {
124 description => "List of roles.",
125 type => 'string', format => 'pve-roleid-list',
126 },
127 delete => {
128 description => "Remove permissions (instead of adding it).",
129 type => 'boolean',
130 optional => 1,
131 },
132 },
133 },
134 returns => { type => 'null' },
135 code => sub {
136 my ($param) = @_;
137
138 if (!($param->{users} || $param->{groups} || $param->{tokens})) {
139 raise_param_exc({ map { $_ => "either 'users', 'groups' or 'tokens' is required." } qw(users groups tokens) });
140 }
141
142 my $path = PVE::AccessControl::normalize_path($param->{path});
143 raise_param_exc({ path => "invalid ACL path '$param->{path}'" }) if !$path;
144
145 if (!$param->{delete} && !PVE::AccessControl::check_path($path)) {
146 raise_param_exc({ path => "invalid ACL path '$param->{path}'" });
147 }
148
149 PVE::AccessControl::lock_user_config(
150 sub {
151
152 my $cfg = cfs_read_file("user.cfg");
153
154 my $propagate = 1;
155
156 if (defined($param->{propagate})) {
157 $propagate = $param->{propagate} ? 1 : 0;
158 }
159
160 my $node = PVE::AccessControl::find_acl_tree_node($cfg->{acl_root}, $path);
161
162 foreach my $role (split_list($param->{roles})) {
163 die "role '$role' does not exist\n"
164 if !$cfg->{roles}->{$role};
165
166 foreach my $group (split_list($param->{groups})) {
167
168 die "group '$group' does not exist\n"
169 if !$cfg->{groups}->{$group};
170
171 if ($param->{delete}) {
172 delete($node->{groups}->{$group}->{$role});
173 } else {
174 $node->{groups}->{$group}->{$role} = $propagate;
175 }
176 }
177
178 foreach my $userid (split_list($param->{users})) {
179 my $username = PVE::AccessControl::verify_username($userid);
180
181 die "user '$username' does not exist\n"
182 if !$cfg->{users}->{$username};
183
184 if ($param->{delete}) {
185 delete ($node->{users}->{$username}->{$role});
186 } else {
187 $node->{users}->{$username}->{$role} = $propagate;
188 }
189 }
190
191 foreach my $tokenid (split_list($param->{tokens})) {
192 my ($username, $token) = PVE::AccessControl::split_tokenid($tokenid);
193 PVE::AccessControl::check_token_exist($cfg, $username, $token);
194
195 if ($param->{delete}) {
196 delete $node->{tokens}->{$tokenid}->{$role};
197 } else {
198 $node->{tokens}->{$tokenid}->{$role} = $propagate;
199 }
200 }
201 }
202
203 cfs_write_file("user.cfg", $cfg);
204 }, "ACL update failed");
205
206 return undef;
207 }});
208
209 1;
Access control framework