1 use failure::*;
2 use serde_json::Value;
3 use ::serde::{Deserialize, Serialize};
4
5 use proxmox::api::{api, ApiMethod, Router, RpcEnvironment};
6 use proxmox::api::schema::{Schema, StringSchema, BooleanSchema, ApiStringFormat};
7
8 use crate::api2::types::*;
9 use crate::config::acl;
10
/// Schema for the `propagate` flag of an ACL entry; defaults to `true`.
pub const ACL_PROPAGATE_SCHEMA: Schema = BooleanSchema::new(
    "Allow to propagate (inherit) permissions.")
    .default(true)
    .schema();

/// Schema for an access control path: 1 to 128 characters, validated
/// against `ACL_PATH_FORMAT` (defined outside this file, presumably in
/// `crate::api2::types`).
pub const ACL_PATH_SCHEMA: Schema = StringSchema::new(
    "Access control path.")
    .format(&ACL_PATH_FORMAT)
    .min_length(1)
    .max_length(128)
    .schema();

/// Schema for the `ugid_type` property: exactly `"user"` or `"group"`.
pub const ACL_UGID_TYPE_SCHEMA: Schema = StringSchema::new(
    "Type of 'ugid' property.")
    .format(&ApiStringFormat::Enum(&["user", "group"]))
    .schema();

/// Schema for a role name; only the roles listed in the enum format are
/// accepted (`Admin`, `User`, `Audit`, `NoAccess`).
pub const ACL_ROLE_SCHEMA: Schema = StringSchema::new(
    "Role.")
    .format(&ApiStringFormat::Enum(&["Admin", "User", "Audit", "NoAccess"]))
    .schema();

#[api(
    properties: {
        propagate: {
            schema: ACL_PROPAGATE_SCHEMA,
        },
        path: {
            schema: ACL_PATH_SCHEMA,
        },
        ugid_type: {
            schema: ACL_UGID_TYPE_SCHEMA,
        },
        ugid: {
            type: String,
            description: "User or Group ID.",
        },
        roleid: {
            schema: ACL_ROLE_SCHEMA,
        }
    }
)]
#[derive(Serialize, Deserialize)]
/// ACL list entry.
pub struct AclListItem {
    // Access control path the role is assigned at; the tree root is
    // reported as "/" (see extract_acl_node_data).
    path: String,
    // User or group ID the role is assigned to.
    ugid: String,
    // Whether `ugid` names a user or a group: "user" or "group".
    ugid_type: String,
    // Whether the role is inherited by paths below `path`.
    propagate: bool,
    // Role assigned to `ugid` at `path`; one item per (ugid, role) pair.
    roleid: String,
}

/// Flatten one node of the ACL tree, and everything below it, into `list`.
///
/// Every role assigned to a user or group at this node becomes one
/// [`AclListItem`] whose `path` is the node's access path; the tree root
/// (empty `path`) is reported as `"/"`. Users are emitted before groups,
/// then each child is visited with `"{path}/{component}"` as its path.
fn extract_acl_node_data(
    node: &acl::AclTreeNode,
    path: &str,
    list: &mut Vec<AclListItem>,
) {
    // The reported path is identical for every entry of this node, so
    // build it once and clone it per item.
    let item_path = if path.is_empty() { "/".to_string() } else { path.to_owned() };

    {
        // Shared push logic for the user and group tables; the closure's
        // mutable borrow of `list` ends with this scope.
        let mut push_item = |ugid_type: &str, ugid: String, roleid: String, propagate: bool| {
            list.push(AclListItem {
                path: item_path.clone(),
                ugid,
                ugid_type: ugid_type.to_string(),
                propagate,
                roleid,
            });
        };

        for (user, roles) in node.users.iter() {
            for (role, propagate) in roles.iter() {
                push_item("user", user.to_string(), role.to_string(), *propagate);
            }
        }
        for (group, roles) in node.groups.iter() {
            for (role, propagate) in roles.iter() {
                push_item("group", group.to_string(), role.to_string(), *propagate);
            }
        }
    }

    // Descend after this node's own entries so parents precede children.
    for (comp, child) in node.children.iter() {
        extract_acl_node_data(child, &format!("{}/{}", path, comp), list);
    }
}

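#[api(
    returns: {
        description: "ACL entry list.",
        type: Array,
        items: {
            type: AclListItem,
        }
    }
)]
/// Read Access Control List (ACLs).
///
/// Loads the ACL configuration and flattens the whole tree into a list of
/// [`AclListItem`] entries, starting at the root path `"/"`.
///
/// # Errors
///
/// Propagates any error returned by [`acl::config`].
pub fn read_acl(
    _rpcenv: &mut dyn RpcEnvironment,
) -> Result<Vec<AclListItem>, Error> {

    //let auth_user = rpcenv.get_user().unwrap();

    // NOTE(review): the complete ACL tree is returned regardless of the
    // caller; any restriction on who may read it must come from the API
    // permission setup outside this function -- confirm.
    // The configuration digest is only needed for read-modify-write
    // operations, so it is deliberately discarded here (underscore-prefixed
    // to keep the build warning-free).
    let (tree, _digest) = acl::config()?;

    let mut list: Vec<AclListItem> = Vec::new();
    extract_acl_node_data(&tree.root, "", &mut list);

    Ok(list)
}
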
/// Router for the ACL endpoint: `GET` is served by [`read_acl`] via
/// `API_METHOD_READ_ACL` (presumably generated by the `#[api]` attribute
/// on `read_acl`).
pub const ROUTER: Router = Router::new()
    .get(&API_METHOD_READ_ACL);