]>
Commit | Line | Data |
---|---|---|
2c3a6c0a DM |
1 | package PVE::API2::Domains; |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | use PVE::Cluster qw (cfs_read_file cfs_write_file); | |
6 | use PVE::AccessControl; | |
7 | use PVE::JSONSchema qw(get_standard_option); | |
8 | ||
9 | use PVE::SafeSyslog; | |
10 | ||
11 | use Data::Dumper; # fixme: remove | |
12 | ||
13 | use PVE::RESTHandler; | |
14 | ||
15 | my $domainconfigfile = "domains.cfg"; | |
16 | ||
17 | use base qw(PVE::RESTHandler); | |
18 | ||
19 | __PACKAGE__->register_method ({ | |
20 | name => 'index', | |
21 | path => '', | |
22 | method => 'GET', | |
23 | description => "Authentication domain index.", | |
24 | permissions => { user => 'world' }, | |
25 | parameters => { | |
26 | additionalProperties => 0, | |
27 | properties => {}, | |
28 | }, | |
29 | returns => { | |
30 | type => 'array', | |
31 | items => { | |
32 | type => "object", | |
33 | properties => { | |
34 | realm => { type => 'string' }, | |
35 | comment => { type => 'string', optional => 1 }, | |
36 | }, | |
37 | }, | |
38 | links => [ { rel => 'child', href => "{realm}" } ], | |
39 | }, | |
40 | code => sub { | |
41 | my ($param) = @_; | |
42 | ||
43 | my $res = []; | |
44 | ||
45 | my $cfg = cfs_read_file($domainconfigfile); | |
46 | ||
47 | foreach my $realm (keys %$cfg) { | |
48 | my $d = $cfg->{$realm}; | |
49 | my $entry = { realm => $realm, type => $d->{type} }; | |
50 | $entry->{comment} = $d->{comment} if $d->{comment}; | |
51 | $entry->{default} = 1 if $d->{default}; | |
52 | push @$res, $entry; | |
53 | } | |
54 | ||
55 | return $res; | |
56 | }}); | |
57 | ||
58 | __PACKAGE__->register_method ({ | |
59 | name => 'create', | |
60 | protected => 1, | |
61 | path => '', | |
62 | method => 'POST', | |
63 | description => "Add an authentication server.", | |
64 | parameters => { | |
65 | additionalProperties => 0, | |
66 | properties => { | |
67 | realm => get_standard_option('realm'), | |
68 | type => { | |
69 | description => "Server type.", | |
70 | type => 'string', | |
71 | enum => [ 'ad', 'ldap' ], | |
72 | }, | |
73 | server1 => { | |
74 | description => "Server IP address (or DNS name)", | |
75 | type => 'string', | |
76 | }, | |
77 | server2 => { | |
78 | description => "Fallback Server IP address (or DNS name)", | |
79 | type => 'string', | |
80 | optional => 1, | |
81 | }, | |
82 | secure => { | |
83 | description => "Use secure LDAPS protocol.", | |
84 | type => 'boolean', | |
85 | optional => 1, | |
86 | }, | |
87 | default => { | |
88 | description => "Use this as default realm", | |
89 | type => 'boolean', | |
90 | optional => 1, | |
91 | }, | |
92 | comment => { | |
93 | type => 'string', | |
94 | optional => 1, | |
95 | }, | |
96 | port => { | |
97 | description => "Server port", | |
98 | type => 'integer', | |
99 | minimum => 1, | |
100 | maximum => 65535, | |
101 | optional => 1, | |
102 | }, | |
103 | base_dn => { | |
104 | description => "LDAP base domain name", | |
105 | type => 'string', | |
106 | optional => 1, | |
107 | }, | |
108 | user_attr => { | |
109 | description => "LDAP user attribute name", | |
110 | type => 'string', | |
111 | optional => 1, | |
112 | }, | |
113 | }, | |
114 | }, | |
115 | returns => { type => 'null' }, | |
116 | code => sub { | |
117 | my ($param) = @_; | |
118 | ||
119 | PVE::AccessControl::lock_domain_config( | |
120 | sub { | |
121 | ||
122 | my $cfg = cfs_read_file($domainconfigfile); | |
123 | ||
124 | my $realm = $param->{realm}; | |
125 | ||
126 | die "domain '$realm' already exists\n" | |
127 | if $cfg->{$realm}; | |
128 | ||
129 | die "unable to use reserved name '$realm'\n" | |
130 | if ($realm eq 'pam' || $realm eq 'pve'); | |
131 | ||
132 | if (defined($param->{secure})) { | |
133 | $cfg->{$realm}->{secure} = $param->{secure} ? 1 : 0; | |
134 | } | |
135 | ||
136 | if ($param->{default}) { | |
137 | foreach my $r (keys %$cfg) { | |
138 | delete $cfg->{$r}->{default}; | |
139 | } | |
140 | } | |
141 | ||
142 | foreach my $p (keys %$param) { | |
143 | next if $p eq 'realm'; | |
144 | $cfg->{$realm}->{$p} = $param->{$p}; | |
145 | } | |
146 | ||
147 | cfs_write_file($domainconfigfile, $cfg); | |
148 | }, "add auth server failed"); | |
149 | ||
150 | return undef; | |
151 | }}); | |
152 | ||
153 | __PACKAGE__->register_method ({ | |
154 | name => 'update', | |
155 | path => '{realm}', | |
156 | method => 'PUT', | |
157 | description => "Update authentication server settings.", | |
158 | protected => 1, | |
159 | parameters => { | |
160 | additionalProperties => 0, | |
161 | properties => { | |
162 | realm => get_standard_option('realm'), | |
163 | server1 => { | |
164 | description => "Server IP address (or DNS name)", | |
165 | type => 'string', | |
166 | optional => 1, | |
167 | }, | |
168 | server2 => { | |
169 | description => "Fallback Server IP address (or DNS name)", | |
170 | type => 'string', | |
171 | optional => 1, | |
172 | }, | |
173 | secure => { | |
174 | description => "Use secure LDAPS protocol.", | |
175 | type => 'boolean', | |
176 | optional => 1, | |
177 | }, | |
178 | default => { | |
179 | description => "Use this as default realm", | |
180 | type => 'boolean', | |
181 | optional => 1, | |
182 | }, | |
183 | comment => { | |
184 | type => 'string', | |
185 | optional => 1, | |
186 | }, | |
187 | port => { | |
188 | description => "Server port", | |
189 | type => 'integer', | |
190 | minimum => 1, | |
191 | maximum => 65535, | |
192 | optional => 1, | |
193 | }, | |
194 | base_dn => { | |
195 | description => "LDAP base domain name", | |
196 | type => 'string', | |
197 | optional => 1, | |
198 | }, | |
199 | user_attr => { | |
200 | description => "LDAP user attribute name", | |
201 | type => 'string', | |
202 | optional => 1, | |
203 | }, | |
204 | }, | |
205 | }, | |
206 | returns => { type => 'null' }, | |
207 | code => sub { | |
208 | my ($param) = @_; | |
209 | ||
210 | PVE::AccessControl::lock_domain_config( | |
211 | sub { | |
212 | ||
213 | my $cfg = cfs_read_file($domainconfigfile); | |
214 | ||
215 | my $realm = $param->{realm}; | |
216 | delete $param->{realm}; | |
217 | ||
218 | die "unable to modify bultin domain '$realm'\n" | |
219 | if ($realm eq 'pam' || $realm eq 'pve'); | |
220 | ||
221 | die "domain '$realm' does not exist\n" | |
222 | if !$cfg->{$realm}; | |
223 | ||
224 | if (defined($param->{secure})) { | |
225 | $cfg->{$realm}->{secure} = $param->{secure} ? 1 : 0; | |
226 | } | |
227 | ||
228 | if ($param->{default}) { | |
229 | foreach my $r (keys %$cfg) { | |
230 | delete $cfg->{$r}->{default}; | |
231 | } | |
232 | } | |
233 | ||
234 | foreach my $p (keys %$param) { | |
235 | $cfg->{$realm}->{$p} = $param->{$p}; | |
236 | } | |
237 | ||
238 | cfs_write_file($domainconfigfile, $cfg); | |
239 | }, "update auth server failed"); | |
240 | ||
241 | return undef; | |
242 | }}); | |
243 | ||
244 | # fixme: return format! | |
245 | __PACKAGE__->register_method ({ | |
246 | name => 'read', | |
247 | path => '{realm}', | |
248 | method => 'GET', | |
249 | description => "Get auth server configuration.", | |
250 | parameters => { | |
251 | additionalProperties => 0, | |
252 | properties => { | |
253 | realm => get_standard_option('realm'), | |
254 | }, | |
255 | }, | |
256 | returns => {}, | |
257 | code => sub { | |
258 | my ($param) = @_; | |
259 | ||
260 | my $cfg = cfs_read_file($domainconfigfile); | |
261 | ||
262 | my $realm = $param->{realm}; | |
263 | ||
264 | my $data = $cfg->{$realm}; | |
265 | die "domain '$realm' does not exist\n" if !$data; | |
266 | ||
267 | return $data; | |
268 | }}); | |
269 | ||
270 | ||
271 | __PACKAGE__->register_method ({ | |
272 | name => 'delete', | |
273 | path => '{realm}', | |
274 | method => 'DELETE', | |
275 | description => "Delete an authentication server.", | |
276 | protected => 1, | |
277 | parameters => { | |
278 | additionalProperties => 0, | |
279 | properties => { | |
280 | realm => get_standard_option('realm'), | |
281 | } | |
282 | }, | |
283 | returns => { type => 'null' }, | |
284 | code => sub { | |
285 | my ($param) = @_; | |
286 | ||
287 | PVE::AccessControl::lock_user_config( | |
288 | sub { | |
289 | ||
290 | my $cfg = cfs_read_file($domainconfigfile); | |
291 | ||
292 | my $realm = $param->{realm}; | |
293 | ||
294 | die "domain '$realm' does not exist\n" if !$cfg->{$realm}; | |
295 | ||
296 | delete $cfg->{$realm}; | |
297 | ||
298 | cfs_write_file($domainconfigfile, $cfg); | |
299 | }, "delete auth server failed"); | |
300 | ||
301 | return undef; | |
302 | }}); | |
303 | ||
304 | 1; |