[pve-access-control.git] / PVE / API2 / Domains.pm

package PVE::API2::Domains;

use strict;
use warnings;
use PVE::Tools qw(extract_param);
use PVE::Cluster qw (cfs_read_file cfs_write_file);
use PVE::AccessControl;
use PVE::JSONSchema qw(get_standard_option);

use PVE::SafeSyslog;
use PVE::RESTHandler;
use PVE::Auth::Plugin;

my $domainconfigfile = "domains.cfg";

use base qw(PVE::RESTHandler);

__PACKAGE__->register_method ({
    name => 'index', 
    path => '', 
    method => 'GET',
    description => "Authentication domain index.",
    permissions => { 
	description => "Anyone can access that, because we need that list for the login box (before the user is authenticated).",
	user => 'world', 
    },
    parameters => {
	additionalProperties => 0,
	properties => {},
    },
    returns => {
	type => 'array',
	items => {
	    type => "object",
	    properties => {
		realm => { type => 'string' },
		comment => { type => 'string', optional => 1 },
	    },
	},
	links => [ { rel => 'child', href => "{realm}" } ],
    },
    code => sub {
	my ($param) = @_;
    
	my $res = [];

	my $cfg = cfs_read_file($domainconfigfile);
	my $ids = $cfg->{ids};

	foreach my $realm (keys %$ids) {
	    my $d = $ids->{$realm};
	    my $entry = { realm => $realm, type => $d->{type} };
	    $entry->{comment} = $d->{comment} if $d->{comment};
	    $entry->{default} = 1 if $d->{default};
	    push @$res, $entry;
	}

	return $res;
    }});

__PACKAGE__->register_method ({
    name => 'create', 
    protected => 1,
    path => '', 
    method => 'POST',
    permissions => { 
	check => ['perm', '/access/realm', ['Realm.Allocate']],
    },
    description => "Add an authentication server.",
    parameters => PVE::Auth::Plugin->createSchema(),
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::Auth::Plugin::lock_domain_config(
	    sub {
			
		my $cfg = cfs_read_file($domainconfigfile);
		my $ids = $cfg->{ids};

		my $realm = extract_param($param, 'realm');
		my $type = $param->{type};
	
		die "domain '$realm' already exists\n" 
		    if $ids->{$realm};

		die "unable to use reserved name '$realm'\n"
		    if ($realm eq 'pam' || $realm eq 'pve');

		die "unable to create builtin type '$type'\n"
		    if ($type eq 'pam' || $type eq 'pve');

		my $plugin = PVE::Auth::Plugin->lookup($type);
		my $config = $plugin->check_config($realm, $param, 1, 1);

		if ($config->{default}) {
		    foreach my $r (keys %$ids) {
			delete $ids->{$r}->{default};
		    }
		}

		$ids->{$realm} = $config;

		cfs_write_file($domainconfigfile, $cfg);
	    }, "add auth server failed");

	return undef;
    }});

__PACKAGE__->register_method ({
    name => 'update', 
    path => '{realm}', 
    method => 'PUT',
    permissions => { 
	check => ['perm', '/access/realm', ['Realm.Allocate']],
    },
    description => "Update authentication server settings.",
    protected => 1,
    parameters => PVE::Auth::Plugin->updateSchema(),
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::Auth::Plugin::lock_domain_config(
	    sub {
			
		my $cfg = cfs_read_file($domainconfigfile);
		my $ids = $cfg->{ids};

		my $digest = extract_param($param, 'digest');
		PVE::SectionConfig::assert_if_modified($cfg, $digest);

		my $realm = extract_param($param, 'realm');

		die "unable to modify bultin domain '$realm'\n"
		    if ($realm eq 'pam' || $realm eq 'pve');

		die "domain '$realm' does not exist\n" 
		    if !$ids->{$realm};

		my $delete_str = extract_param($param, 'delete');
		die "no options specified\n" if !$delete_str && !scalar(keys %$param);

		foreach my $opt (PVE::Tools::split_list($delete_str)) {
		    delete $ids->{$realm}->{$opt};
		}
	
		my $plugin = PVE::Auth::Plugin->lookup($ids->{$realm}->{type});
		my $config = $plugin->check_config($realm, $param, 0, 1);

		if ($config->{default}) {
		    foreach my $r (keys %$ids) {
			delete $ids->{$r}->{default};
		    }
		}

		foreach my $p (keys %$config) {
		    $ids->{$realm}->{$p} = $config->{$p};
		}

		cfs_write_file($domainconfigfile, $cfg);
	    }, "update auth server failed");

	return undef;
    }});

# fixme: return format!
__PACKAGE__->register_method ({
    name => 'read', 
    path => '{realm}', 
    method => 'GET',
    description => "Get auth server configuration.",
    permissions => { 
	check => ['perm', '/access/realm', ['Realm.Allocate', 'Sys.Audit'], any => 1],
    },
    parameters => {
   	additionalProperties => 0,
	properties => {
	    realm =>  get_standard_option('realm'),
	},
    },
    returns => {},
    code => sub {
	my ($param) = @_;

	my $cfg = cfs_read_file($domainconfigfile);

	my $realm = $param->{realm};
	
	my $data = $cfg->{ids}->{$realm};
	die "domain '$realm' does not exist\n" if !$data;

	$data->{digest} = $cfg->{digest};

	return $data;
    }});


__PACKAGE__->register_method ({
    name => 'delete', 
    path => '{realm}', 
    method => 'DELETE',
    permissions => { 
	check => ['perm', '/access/realm', ['Realm.Allocate']],
    },
    description => "Delete an authentication server.",
    protected => 1,
    parameters => {
   	additionalProperties => 0,
	properties => {
	    realm =>  get_standard_option('realm'),
	}
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::Auth::Plugin::lock_domain_config(
	    sub {

		my $cfg = cfs_read_file($domainconfigfile);
		my $ids = $cfg->{ids};

		my $realm = $param->{realm};
	
		die "domain '$realm' does not exist\n" if !$ids->{$realm};

		delete $ids->{$realm};

		cfs_write_file($domainconfigfile, $cfg);
	    }, "delete auth server failed");
	
	return undef;
    }});

1;
Commit	Line	Data
2c3a6c0a DM	1	package PVE::API2::Domains;
	2
	3	use strict;
	4	use warnings;
5bb4e06a	5	use PVE::Tools qw(extract_param);
2c3a6c0a DM	6	use PVE::Cluster qw (cfs_read_file cfs_write_file);
	7	use PVE::AccessControl;
	8	use PVE::JSONSchema qw(get_standard_option);
	9
	10	use PVE::SafeSyslog;
2c3a6c0a	11	use PVE::RESTHandler;
5bb4e06a	12	use PVE::Auth::Plugin;
2c3a6c0a DM	13
	14	my $domainconfigfile = "domains.cfg";
	15
	16	use base qw(PVE::RESTHandler);
	17
	18	__PACKAGE__->register_method ({
	19	name => 'index',
	20	path => '',
	21	method => 'GET',
	22	description => "Authentication domain index.",
82b63965 DM	23	permissions => {
	24	description => "Anyone can access that, because we need that list for the login box (before the user is authenticated).",
	25	user => 'world',
	26	},
2c3a6c0a DM	27	parameters => {
	28	additionalProperties => 0,
	29	properties => {},
	30	},
	31	returns => {
	32	type => 'array',
	33	items => {
	34	type => "object",
	35	properties => {
	36	realm => { type => 'string' },
	37	comment => { type => 'string', optional => 1 },
	38	},
	39	},
	40	links => [ { rel => 'child', href => "{realm}" } ],
	41	},
	42	code => sub {
	43	my ($param) = @_;
	44
	45	my $res = [];
	46
	47	my $cfg = cfs_read_file($domainconfigfile);
5bb4e06a DM	48	my $ids = $cfg->{ids};
	49
	50	foreach my $realm (keys %$ids) {
	51	my $d = $ids->{$realm};
2c3a6c0a DM	52	my $entry = { realm => $realm, type => $d->{type} };
	53	$entry->{comment} = $d->{comment} if $d->{comment};
	54	$entry->{default} = 1 if $d->{default};
	55	push @$res, $entry;
	56	}
	57
	58	return $res;
	59	}});
	60
	61	__PACKAGE__->register_method ({
	62	name => 'create',
	63	protected => 1,
	64	path => '',
	65	method => 'POST',
96919234	66	permissions => {
82b63965	67	check => ['perm', '/access/realm', ['Realm.Allocate']],
96919234	68	},
2c3a6c0a	69	description => "Add an authentication server.",
5bb4e06a	70	parameters => PVE::Auth::Plugin->createSchema(),
2c3a6c0a DM	71	returns => { type => 'null' },
	72	code => sub {
	73	my ($param) = @_;
	74
5bb4e06a	75	PVE::Auth::Plugin::lock_domain_config(
2c3a6c0a DM	76	sub {
	77
	78	my $cfg = cfs_read_file($domainconfigfile);
5bb4e06a	79	my $ids = $cfg->{ids};
2c3a6c0a	80
5bb4e06a DM	81	my $realm = extract_param($param, 'realm');
5bb4e06a DM	82	my $type = $param->{type};
2c3a6c0a DM	83
2c3a6c0a DM	84	die "domain '$realm' already exists\n"
5bb4e06a	85	if $ids->{$realm};
2c3a6c0a DM	86
	87	die "unable to use reserved name '$realm'\n"
	88	if ($realm eq 'pam' \|\| $realm eq 'pve');
	89
5bb4e06a DM	90	die "unable to create builtin type '$type'\n"
5bb4e06a DM	91	if ($type eq 'pam' \|\| $type eq 'pve');
af4a8a85	92
5bb4e06a DM	93	my $plugin = PVE::Auth::Plugin->lookup($type);
5bb4e06a DM	94	my $config = $plugin->check_config($realm, $param, 1, 1);
2c3a6c0a	95
5bb4e06a DM	96	if ($config->{default}) {
	97	foreach my $r (keys %$ids) {
	98	delete $ids->{$r}->{default};
0c156363	99	}
af4a8a85 DM	100	}
af4a8a85 DM	101
5bb4e06a DM	102	$ids->{$realm} = $config;
5bb4e06a DM	103
2c3a6c0a DM	104	cfs_write_file($domainconfigfile, $cfg);
	105	}, "add auth server failed");
	106
	107	return undef;
	108	}});
	109
	110	__PACKAGE__->register_method ({
	111	name => 'update',
	112	path => '{realm}',
	113	method => 'PUT',
96919234	114	permissions => {
82b63965	115	check => ['perm', '/access/realm', ['Realm.Allocate']],
96919234	116	},
2c3a6c0a DM	117	description => "Update authentication server settings.",
2c3a6c0a DM	118	protected => 1,
5bb4e06a	119	parameters => PVE::Auth::Plugin->updateSchema(),
2c3a6c0a DM	120	returns => { type => 'null' },
	121	code => sub {
	122	my ($param) = @_;
	123
5bb4e06a	124	PVE::Auth::Plugin::lock_domain_config(
2c3a6c0a DM	125	sub {
	126
	127	my $cfg = cfs_read_file($domainconfigfile);
5bb4e06a	128	my $ids = $cfg->{ids};
2c3a6c0a	129
5bb4e06a DM	130	my $digest = extract_param($param, 'digest');
	131	PVE::SectionConfig::assert_if_modified($cfg, $digest);
	132
	133	my $realm = extract_param($param, 'realm');
2c3a6c0a DM	134
	135	die "unable to modify bultin domain '$realm'\n"
	136	if ($realm eq 'pam' \|\| $realm eq 'pve');
	137
	138	die "domain '$realm' does not exist\n"
5bb4e06a DM	139	if !$ids->{$realm};
	140
	141	my $delete_str = extract_param($param, 'delete');
	142	die "no options specified\n" if !$delete_str && !scalar(keys %$param);
2c3a6c0a	143
5bb4e06a DM	144	foreach my $opt (PVE::Tools::split_list($delete_str)) {
5bb4e06a DM	145	delete $ids->{$realm}->{$opt};
2c3a6c0a	146	}
5bb4e06a DM	147
	148	my $plugin = PVE::Auth::Plugin->lookup($ids->{$realm}->{type});
	149	my $config = $plugin->check_config($realm, $param, 0, 1);
2c3a6c0a	150
5bb4e06a DM	151	if ($config->{default}) {
	152	foreach my $r (keys %$ids) {
	153	delete $ids->{$r}->{default};
2c3a6c0a DM	154	}
	155	}
	156
5bb4e06a DM	157	foreach my $p (keys %$config) {
5bb4e06a DM	158	$ids->{$realm}->{$p} = $config->{$p};
af4a8a85 DM	159	}
af4a8a85 DM	160
2c3a6c0a DM	161	cfs_write_file($domainconfigfile, $cfg);
	162	}, "update auth server failed");
	163
	164	return undef;
	165	}});
	166
	167	# fixme: return format!
	168	__PACKAGE__->register_method ({
	169	name => 'read',
	170	path => '{realm}',
	171	method => 'GET',
	172	description => "Get auth server configuration.",
96919234	173	permissions => {
82b63965	174	check => ['perm', '/access/realm', ['Realm.Allocate', 'Sys.Audit'], any => 1],
96919234	175	},
2c3a6c0a DM	176	parameters => {
	177	additionalProperties => 0,
	178	properties => {
	179	realm => get_standard_option('realm'),
	180	},
	181	},
	182	returns => {},
	183	code => sub {
	184	my ($param) = @_;
	185
	186	my $cfg = cfs_read_file($domainconfigfile);
	187
	188	my $realm = $param->{realm};
	189
5bb4e06a	190	my $data = $cfg->{ids}->{$realm};
2c3a6c0a DM	191	die "domain '$realm' does not exist\n" if !$data;
2c3a6c0a DM	192
5bb4e06a DM	193	$data->{digest} = $cfg->{digest};
5bb4e06a DM	194
2c3a6c0a DM	195	return $data;
	196	}});
	197
	198
	199	__PACKAGE__->register_method ({
	200	name => 'delete',
	201	path => '{realm}',
	202	method => 'DELETE',
96919234	203	permissions => {
82b63965	204	check => ['perm', '/access/realm', ['Realm.Allocate']],
96919234	205	},
2c3a6c0a DM	206	description => "Delete an authentication server.",
	207	protected => 1,
	208	parameters => {
	209	additionalProperties => 0,
	210	properties => {
	211	realm => get_standard_option('realm'),
	212	}
	213	},
	214	returns => { type => 'null' },
	215	code => sub {
	216	my ($param) = @_;
	217
5bb4e06a	218	PVE::Auth::Plugin::lock_domain_config(
2c3a6c0a DM	219	sub {
	220
	221	my $cfg = cfs_read_file($domainconfigfile);
5bb4e06a	222	my $ids = $cfg->{ids};
2c3a6c0a DM	223
	224	my $realm = $param->{realm};
	225
5bb4e06a	226	die "domain '$realm' does not exist\n" if !$ids->{$realm};
2c3a6c0a	227
5bb4e06a	228	delete $ids->{$realm};
2c3a6c0a DM	229
	230	cfs_write_file($domainconfigfile, $cfg);
	231	}, "delete auth server failed");
	232
	233	return undef;
	234	}});
	235
	236	1;