[pve-access-control.git] / PVE / API2 / ACL.pm

package PVE::API2::ACL;

use strict;
use warnings;
use PVE::Cluster qw (cfs_read_file cfs_write_file);
use PVE::Tools qw(split_list);
use PVE::AccessControl;
use PVE::Exception qw(raise_param_exc);
use PVE::JSONSchema qw(get_standard_option register_standard_option);

use PVE::SafeSyslog;

use PVE::RESTHandler;

use base qw(PVE::RESTHandler);

register_standard_option('acl-propagate', {
    description => "Allow to propagate (inherit) permissions.",
    type => 'boolean',
    optional => 1,
    default => 1,
});
register_standard_option('acl-path', {
    description => "Access control path",
    type => 'string',
});

__PACKAGE__->register_method ({
    name => 'read_acl',
    path => '',
    method => 'GET',
    description => "Get Access Control List (ACLs).",
    permissions => {
	description => "The returned list is restricted to objects where you have rights to modify permissions.",
	user => 'all',
    },
    parameters => {
	additionalProperties => 0,
	properties => {},
    },
    returns => {
	type => 'array',
	items => {
	    type => "object",
	    additionalProperties => 0,
	    properties => {
		propagate => get_standard_option('acl-propagate'),
		path => get_standard_option('acl-path'),
		type => { type => 'string', enum => ['user', 'group', 'token'] },
		ugid => { type => 'string' },
		roleid => { type => 'string' },
	    },
	},
    },
    code => sub {
	my ($param) = @_;

	my $rpcenv = PVE::RPCEnvironment::get();
	my $authuser = $rpcenv->get_user();
	my $res = [];

	my $usercfg = $rpcenv->{user_cfg};
	if (!$usercfg || !$usercfg->{acl}) {
	    return $res;
	}

	my $audit = $rpcenv->check($authuser, '/access', ['Sys.Audit'], 1);

	my $acl = $usercfg->{acl};
	foreach my $path (keys %$acl) {
	    foreach my $type (qw(user group token)) {
		my $d = $acl->{$path}->{"${type}s"};
		next if !$d;
		next if !($audit || $rpcenv->check_perm_modify($authuser, $path, 1));
		foreach my $id (keys %$d) {
		    foreach my $role (keys %{$d->{$id}}) {
			my $propagate = $d->{$id}->{$role};
			push @$res, {
			    path => $path,
			    type => $type,
			    ugid => $id,
			    roleid => $role,
			    propagate => $propagate,
			};
		    }
		}
	    }
	}

	return $res;
    }});

__PACKAGE__->register_method ({
    name => 'update_acl',
    protected => 1,
    path => '',
    method => 'PUT',
    permissions => {
	check => ['perm-modify', '{path}'],
    },
    description => "Update Access Control List (add or remove permissions).",
    parameters => {
	additionalProperties => 0,
	properties => {
	    propagate => get_standard_option('acl-propagate'),
	    path => get_standard_option('acl-path'),
	    users => {
		description => "List of users.",
		type => 'string',  format => 'pve-userid-list',
		optional => 1,
	    },
	    groups => {
		description => "List of groups.",
		type => 'string', format => 'pve-groupid-list',
		optional => 1,
	    },
	    tokens => {
		description => "List of API tokens.",
		type => 'string', format => 'pve-tokenid-list',
		optional => 1,
	    },
	    roles => {
		description => "List of roles.",
		type => 'string', format => 'pve-roleid-list',
	    },
	    delete => {
		description => "Remove permissions (instead of adding it).",
		type => 'boolean',
		optional => 1,
	    },
	},
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	if (!($param->{users} || $param->{groups} || $param->{tokens})) {
	    raise_param_exc({ map { $_ => "either 'users', 'groups' or 'tokens' is required." } qw(users groups tokens) });
	}

	my $path = PVE::AccessControl::normalize_path($param->{path});
	raise_param_exc({ path => "invalid ACL path '$param->{path}'" }) if !$path;

	PVE::AccessControl::lock_user_config(
	    sub {

		my $cfg = cfs_read_file("user.cfg");

		my $propagate = 1;

		if (defined($param->{propagate})) {
		    $propagate = $param->{propagate} ? 1 : 0;
		}

		foreach my $role (split_list($param->{roles})) {
		    die "role '$role' does not exist\n"
			if !$cfg->{roles}->{$role};

		    foreach my $group (split_list($param->{groups})) {

			die "group '$group' does not exist\n"
			    if !$cfg->{groups}->{$group};

			if ($param->{delete}) {
			    delete($cfg->{acl}->{$path}->{groups}->{$group}->{$role});
			} else {
			    $cfg->{acl}->{$path}->{groups}->{$group}->{$role} = $propagate;
			}
		    }

		    foreach my $userid (split_list($param->{users})) {
			my $username = PVE::AccessControl::verify_username($userid);

			die "user '$username' does not exist\n"
			    if !$cfg->{users}->{$username};

			if ($param->{delete}) {
			    delete($cfg->{acl}->{$path}->{users}->{$username}->{$role});
			} else {
			    $cfg->{acl}->{$path}->{users}->{$username}->{$role} = $propagate;
			}
		    }

		    foreach my $tokenid (split_list($param->{tokens})) {
			my ($username, $token) = PVE::AccessControl::split_tokenid($tokenid);
			PVE::AccessControl::check_token_exist($cfg, $username, $token);

			if ($param->{delete}) {
			    delete $cfg->{acl}->{$path}->{tokens}->{$tokenid}->{$role};
			} else {
			    $cfg->{acl}->{$path}->{tokens}->{$tokenid}->{$role} = $propagate;
			}
		    }
		}

		cfs_write_file("user.cfg", $cfg);
	    }, "ACL update failed");

	return undef;
    }});

1;
Commit	Line	Data
2c3a6c0a DM	1	package PVE::API2::ACL;
	2
	3	use strict;
	4	use warnings;
	5	use PVE::Cluster qw (cfs_read_file cfs_write_file);
	6	use PVE::Tools qw(split_list);
	7	use PVE::AccessControl;
	8	use PVE::Exception qw(raise_param_exc);
3a5ae7a0	9	use PVE::JSONSchema qw(get_standard_option register_standard_option);
2c3a6c0a DM	10
	11	use PVE::SafeSyslog;
	12
2c3a6c0a DM	13	use PVE::RESTHandler;
	14
	15	use base qw(PVE::RESTHandler);
	16
3a5ae7a0 SI	17	register_standard_option('acl-propagate', {
	18	description => "Allow to propagate (inherit) permissions.",
	19	type => 'boolean',
	20	optional => 1,
	21	default => 1,
	22	});
	23	register_standard_option('acl-path', {
	24	description => "Access control path",
	25	type => 'string',
	26	});
	27
2c3a6c0a	28	__PACKAGE__->register_method ({
0a6e09fd PA	29	name => 'read_acl',
0a6e09fd PA	30	path => '',
2c3a6c0a DM	31	method => 'GET',
2c3a6c0a DM	32	description => "Get Access Control List (ACLs).",
0a6e09fd	33	permissions => {
fc21a5c2	34	description => "The returned list is restricted to objects where you have rights to modify permissions.",
e3a3a0d7	35	user => 'all',
96919234	36	},
2c3a6c0a DM	37	parameters => {
	38	additionalProperties => 0,
	39	properties => {},
	40	},
	41	returns => {
	42	type => 'array',
	43	items => {
	44	type => "object",
	45	additionalProperties => 0,
	46	properties => {
3a5ae7a0 SI	47	propagate => get_standard_option('acl-propagate'),
3a5ae7a0 SI	48	path => get_standard_option('acl-path'),
6b5736d5	49	type => { type => 'string', enum => ['user', 'group', 'token'] },
af5d7da7 DM	50	ugid => { type => 'string' },
af5d7da7 DM	51	roleid => { type => 'string' },
2c3a6c0a DM	52	},
	53	},
	54	},
	55	code => sub {
	56	my ($param) = @_;
0a6e09fd	57
e3a3a0d7 DM	58	my $rpcenv = PVE::RPCEnvironment::get();
e3a3a0d7 DM	59	my $authuser = $rpcenv->get_user();
2c3a6c0a DM	60	my $res = [];
2c3a6c0a DM	61
e3a3a0d7	62	my $usercfg = $rpcenv->{user_cfg};
2c3a6c0a	63	if (!$usercfg \|\| !$usercfg->{acl}) {
4384e19e	64	return $res;
2c3a6c0a DM	65	}
2c3a6c0a DM	66
e3a3a0d7 DM	67	my $audit = $rpcenv->check($authuser, '/access', ['Sys.Audit'], 1);
e3a3a0d7 DM	68
2c3a6c0a DM	69	my $acl = $usercfg->{acl};
2c3a6c0a DM	70	foreach my $path (keys %$acl) {
6b5736d5 FG	71	foreach my $type (qw(user group token)) {
6b5736d5 FG	72	my $d = $acl->{$path}->{"${type}s"};
2c3a6c0a	73	next if !$d;
e3a3a0d7	74	next if !($audit \|\| $rpcenv->check_perm_modify($authuser, $path, 1));
2c3a6c0a DM	75	foreach my $id (keys %$d) {
	76	foreach my $role (keys %{$d->{$id}}) {
	77	my $propagate = $d->{$id}->{$role};
	78	push @$res, {
	79	path => $path,
6b5736d5	80	type => $type,
2c3a6c0a DM	81	ugid => $id,
	82	roleid => $role,
	83	propagate => $propagate,
	84	};
	85	}
	86	}
	87	}
	88	}
	89
	90	return $res;
	91	}});
	92
	93	__PACKAGE__->register_method ({
0a6e09fd	94	name => 'update_acl',
2c3a6c0a	95	protected => 1,
0a6e09fd	96	path => '',
2c3a6c0a	97	method => 'PUT',
0a6e09fd	98	permissions => {
e3a3a0d7	99	check => ['perm-modify', '{path}'],
96919234	100	},
2c3a6c0a DM	101	description => "Update Access Control List (add or remove permissions).",
2c3a6c0a DM	102	parameters => {
0a6e09fd	103	additionalProperties => 0,
2c3a6c0a	104	properties => {
3a5ae7a0 SI	105	propagate => get_standard_option('acl-propagate'),
3a5ae7a0 SI	106	path => get_standard_option('acl-path'),
0a6e09fd	107	users => {
2c3a6c0a	108	description => "List of users.",
0a6e09fd	109	type => 'string', format => 'pve-userid-list',
2c3a6c0a DM	110	optional => 1,
2c3a6c0a DM	111	},
0a6e09fd	112	groups => {
2c3a6c0a DM	113	description => "List of groups.",
2c3a6c0a DM	114	type => 'string', format => 'pve-groupid-list',
0a6e09fd	115	optional => 1,
2c3a6c0a	116	},
6b5736d5 FG	117	tokens => {
	118	description => "List of API tokens.",
	119	type => 'string', format => 'pve-tokenid-list',
	120	optional => 1,
	121	},
0a6e09fd	122	roles => {
2c3a6c0a DM	123	description => "List of roles.",
	124	type => 'string', format => 'pve-roleid-list',
	125	},
2c3a6c0a DM	126	delete => {
2c3a6c0a DM	127	description => "Remove permissions (instead of adding it).",
0a6e09fd	128	type => 'boolean',
2c3a6c0a DM	129	optional => 1,
	130	},
	131	},
	132	},
	133	returns => { type => 'null' },
	134	code => sub {
	135	my ($param) = @_;
	136
6b5736d5 FG	137	if (!($param->{users} \|\| $param->{groups} \|\| $param->{tokens})) {
6b5736d5 FG	138	raise_param_exc({ map { $_ => "either 'users', 'groups' or 'tokens' is required." } qw(users groups tokens) });
2c3a6c0a DM	139	}
	140
	141	my $path = PVE::AccessControl::normalize_path($param->{path});
	142	raise_param_exc({ path => "invalid ACL path '$param->{path}'" }) if !$path;
	143
	144	PVE::AccessControl::lock_user_config(
	145	sub {
0a6e09fd	146
2c3a6c0a DM	147	my $cfg = cfs_read_file("user.cfg");
2c3a6c0a DM	148
e2993b66	149	my $propagate = 1;
0a6e09fd	150
e2993b66 DM	151	if (defined($param->{propagate})) {
	152	$propagate = $param->{propagate} ? 1 : 0;
	153	}
2c3a6c0a DM	154
2c3a6c0a DM	155	foreach my $role (split_list($param->{roles})) {
0a6e09fd	156	die "role '$role' does not exist\n"
2c3a6c0a DM	157	if !$cfg->{roles}->{$role};
	158
	159	foreach my $group (split_list($param->{groups})) {
	160
	161	die "group '$group' does not exist\n"
	162	if !$cfg->{groups}->{$group};
	163
	164	if ($param->{delete}) {
	165	delete($cfg->{acl}->{$path}->{groups}->{$group}->{$role});
	166	} else {
	167	$cfg->{acl}->{$path}->{groups}->{$group}->{$role} = $propagate;
	168	}
	169	}
	170
	171	foreach my $userid (split_list($param->{users})) {
	172	my $username = PVE::AccessControl::verify_username($userid);
	173
	174	die "user '$username' does not exist\n"
	175	if !$cfg->{users}->{$username};
	176
	177	if ($param->{delete}) {
	178	delete($cfg->{acl}->{$path}->{users}->{$username}->{$role});
	179	} else {
	180	$cfg->{acl}->{$path}->{users}->{$username}->{$role} = $propagate;
0a6e09fd	181	}
2c3a6c0a	182	}
6b5736d5 FG	183
	184	foreach my $tokenid (split_list($param->{tokens})) {
	185	my ($username, $token) = PVE::AccessControl::split_tokenid($tokenid);
	186	PVE::AccessControl::check_token_exist($cfg, $username, $token);
	187
	188	if ($param->{delete}) {
	189	delete $cfg->{acl}->{$path}->{tokens}->{$tokenid}->{$role};
	190	} else {
	191	$cfg->{acl}->{$path}->{tokens}->{$tokenid}->{$role} = $propagate;
	192	}
	193	}
2c3a6c0a DM	194	}
	195
	196	cfs_write_file("user.cfg", $cfg);
	197	}, "ACL update failed");
	198
	199	return undef;
	200	}});
	201
	202	1;