[pve-access-control.git] / PVE / API2 / Domains.pm

package PVE::API2::Domains;

use strict;
use warnings;
use PVE::Cluster qw (cfs_read_file cfs_write_file);
use PVE::AccessControl;
use PVE::JSONSchema qw(get_standard_option);

use PVE::SafeSyslog;

use Data::Dumper; # fixme: remove

use PVE::RESTHandler;

my $domainconfigfile = "domains.cfg";

use base qw(PVE::RESTHandler);

__PACKAGE__->register_method ({
    name => 'index', 
    path => '', 
    method => 'GET',
    description => "Authentication domain index.",
    permissions => { user => 'world' },
    parameters => {
	additionalProperties => 0,
	properties => {},
    },
    returns => {
	type => 'array',
	items => {
	    type => "object",
	    properties => {
		realm => { type => 'string' },
		comment => { type => 'string', optional => 1 },
	    },
	},
	links => [ { rel => 'child', href => "{realm}" } ],
    },
    code => sub {
	my ($param) = @_;
    
	my $res = [];

	my $cfg = cfs_read_file($domainconfigfile);
 
	foreach my $realm (keys %$cfg) {
	    my $d = $cfg->{$realm};
	    my $entry = { realm => $realm, type => $d->{type} };
	    $entry->{comment} = $d->{comment} if $d->{comment};
	    $entry->{default} = 1 if $d->{default};
	    push @$res, $entry;
	}

	return $res;
    }});

__PACKAGE__->register_method ({
    name => 'create', 
    protected => 1,
    path => '', 
    method => 'POST',
    description => "Add an authentication server.",
    parameters => {
   	additionalProperties => 0,
	properties => {
	    realm =>  get_standard_option('realm'),
	    type => {
		description => "Server type.",
		type => 'string', 
		enum => [ 'ad', 'ldap' ],
	    },
	    server1 => { 
		description => "Server IP address (or DNS name)",		
		type => 'string',
	    },
	    server2 => { 
		description => "Fallback Server IP address (or DNS name)",
		type => 'string',
		optional => 1,
	    },
	    secure => { 
		description => "Use secure LDAPS protocol.",
		type => 'boolean', 
		optional => 1,
	    },
	    default => { 
		description => "Use this as default realm",
		type => 'boolean', 
		optional => 1,
	    },
	    comment => { 
		type => 'string', 
		optional => 1,
	    },
	    port => {
		description => "Server port",
		type => 'integer',
		minimum => 1,
		maximum => 65535,
		optional => 1,
	    },
	    base_dn => {
		description => "LDAP base domain name",
		type => 'string',
		optional => 1,
	    },
	    user_attr => {
		description => "LDAP user attribute name",
		type => 'string',
		optional => 1,
	    },
	},
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::AccessControl::lock_domain_config(
	    sub {
			
		my $cfg = cfs_read_file($domainconfigfile);

		my $realm = $param->{realm};
	
		die "domain '$realm' already exists\n" 
		    if $cfg->{$realm};

		die "unable to use reserved name '$realm'\n"
		    if ($realm eq 'pam' || $realm eq 'pve');

		if (defined($param->{secure})) {
		    $cfg->{$realm}->{secure} = $param->{secure} ? 1 : 0;
		}
	
		if ($param->{default}) {
		    foreach my $r (keys %$cfg) {
			delete $cfg->{$r}->{default};
		    }
		}

		foreach my $p (keys %$param) {
		    next if $p eq 'realm';
		    $cfg->{$realm}->{$p} = $param->{$p};
		}

		cfs_write_file($domainconfigfile, $cfg);
	    }, "add auth server failed");

	return undef;
    }});

__PACKAGE__->register_method ({
    name => 'update', 
    path => '{realm}', 
    method => 'PUT',
    description => "Update authentication server settings.",
    protected => 1,
    parameters => {
   	additionalProperties => 0,
	properties => {
	    realm =>  get_standard_option('realm'),
	    server1 => { 
		description => "Server IP address (or DNS name)",		
		type => 'string',
		optional => 1,
	    },
	    server2 => { 
		description => "Fallback Server IP address (or DNS name)",
		type => 'string',
		optional => 1,
	    },
	    secure => { 
		description => "Use secure LDAPS protocol.",
		type => 'boolean', 
		optional => 1,
	    },
	    default => { 
		description => "Use this as default realm",
		type => 'boolean', 
		optional => 1,
	    },
	    comment => { 
		type => 'string', 
		optional => 1,
	    },
	    port => {
		description => "Server port",
		type => 'integer',
		minimum => 1,
		maximum => 65535,
		optional => 1,
	    },
	    base_dn => {
		description => "LDAP base domain name",
		type => 'string',
		optional => 1,
	    },
	    user_attr => {
		description => "LDAP user attribute name",
		type => 'string',
		optional => 1,
	    },
	},
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::AccessControl::lock_domain_config(
	    sub {
			
		my $cfg = cfs_read_file($domainconfigfile);

		my $realm = $param->{realm};
		delete $param->{realm};

		die "unable to modify bultin domain '$realm'\n"
		    if ($realm eq 'pam' || $realm eq 'pve');

		die "domain '$realm' does not exist\n" 
		    if !$cfg->{$realm};

		if (defined($param->{secure})) {
		    $cfg->{$realm}->{secure} = $param->{secure} ? 1 : 0;
		}

		if ($param->{default}) {
		    foreach my $r (keys %$cfg) {
			delete $cfg->{$r}->{default};
		    }
		}

		foreach my $p (keys %$param) {
		    $cfg->{$realm}->{$p} = $param->{$p};
		}

		cfs_write_file($domainconfigfile, $cfg);
	    }, "update auth server failed");

	return undef;
    }});

# fixme: return format!
__PACKAGE__->register_method ({
    name => 'read', 
    path => '{realm}', 
    method => 'GET',
    description => "Get auth server configuration.",
    parameters => {
   	additionalProperties => 0,
	properties => {
	    realm =>  get_standard_option('realm'),
	},
    },
    returns => {},
    code => sub {
	my ($param) = @_;

	my $cfg = cfs_read_file($domainconfigfile);

	my $realm = $param->{realm};
	
	my $data = $cfg->{$realm};
	die "domain '$realm' does not exist\n" if !$data;

	return $data;
    }});


__PACKAGE__->register_method ({
    name => 'delete', 
    path => '{realm}', 
    method => 'DELETE',
    description => "Delete an authentication server.",
    protected => 1,
    parameters => {
   	additionalProperties => 0,
	properties => {
	    realm =>  get_standard_option('realm'),
	}
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::AccessControl::lock_user_config(
	    sub {

		my $cfg = cfs_read_file($domainconfigfile);

		my $realm = $param->{realm};
	
		die "domain '$realm' does not exist\n" if !$cfg->{$realm};

		delete $cfg->{$realm};

		cfs_write_file($domainconfigfile, $cfg);
	    }, "delete auth server failed");
	
	return undef;
    }});

1;
Commit	Line	Data
2c3a6c0a DM	1	package PVE::API2::Domains;
	2
	3	use strict;
	4	use warnings;
	5	use PVE::Cluster qw (cfs_read_file cfs_write_file);
	6	use PVE::AccessControl;
	7	use PVE::JSONSchema qw(get_standard_option);
	8
	9	use PVE::SafeSyslog;
	10
	11	use Data::Dumper; # fixme: remove
	12
	13	use PVE::RESTHandler;
	14
	15	my $domainconfigfile = "domains.cfg";
	16
	17	use base qw(PVE::RESTHandler);
	18
	19	__PACKAGE__->register_method ({
	20	name => 'index',
	21	path => '',
	22	method => 'GET',
	23	description => "Authentication domain index.",
	24	permissions => { user => 'world' },
	25	parameters => {
	26	additionalProperties => 0,
	27	properties => {},
	28	},
	29	returns => {
	30	type => 'array',
	31	items => {
	32	type => "object",
	33	properties => {
	34	realm => { type => 'string' },
	35	comment => { type => 'string', optional => 1 },
	36	},
	37	},
	38	links => [ { rel => 'child', href => "{realm}" } ],
	39	},
	40	code => sub {
	41	my ($param) = @_;
	42
	43	my $res = [];
	44
	45	my $cfg = cfs_read_file($domainconfigfile);
	46
	47	foreach my $realm (keys %$cfg) {
	48	my $d = $cfg->{$realm};
	49	my $entry = { realm => $realm, type => $d->{type} };
	50	$entry->{comment} = $d->{comment} if $d->{comment};
	51	$entry->{default} = 1 if $d->{default};
	52	push @$res, $entry;
	53	}
	54
	55	return $res;
	56	}});
	57
	58	__PACKAGE__->register_method ({
	59	name => 'create',
	60	protected => 1,
	61	path => '',
	62	method => 'POST',
	63	description => "Add an authentication server.",
	64	parameters => {
65	additionalProperties => 0,
66	properties => {
67	realm => get_standard_option('realm'),
68	type => {
69	description => "Server type.",
70	type => 'string',
71	enum => [ 'ad', 'ldap' ],
72	},
73	server1 => {
74	description => "Server IP address (or DNS name)",
75	type => 'string',
76	},
77	server2 => {
78	description => "Fallback Server IP address (or DNS name)",
79	type => 'string',
80	optional => 1,
81	},
82	secure => {
83	description => "Use secure LDAPS protocol.",
84	type => 'boolean',
85	optional => 1,
86	},
87	default => {
88	description => "Use this as default realm",
89	type => 'boolean',
90	optional => 1,
91	},
92	comment => {
93	type => 'string',
94	optional => 1,
95	},
96	port => {
97	description => "Server port",
98	type => 'integer',
99	minimum => 1,
100	maximum => 65535,
101	optional => 1,
102	},
103	base_dn => {
104	description => "LDAP base domain name",
105	type => 'string',
106	optional => 1,
107	},
108	user_attr => {
109	description => "LDAP user attribute name",
110	type => 'string',
111	optional => 1,
112	},
113	},
114	},
115	returns => { type => 'null' },
116	code => sub {
117	my ($param) = @_;
118
119	PVE::AccessControl::lock_domain_config(
120	sub {
121
122	my $cfg = cfs_read_file($domainconfigfile);
123
124	my $realm = $param->{realm};
125
126	die "domain '$realm' already exists\n"
127	if $cfg->{$realm};
128
129	die "unable to use reserved name '$realm'\n"
130	if ($realm eq 'pam' \|\| $realm eq 'pve');
131
132	if (defined($param->{secure})) {
133	$cfg->{$realm}->{secure} = $param->{secure} ? 1 : 0;
134	}
135
136	if ($param->{default}) {
137	foreach my $r (keys %$cfg) {
138	delete $cfg->{$r}->{default};
139	}
140	}
141
142	foreach my $p (keys %$param) {
143	next if $p eq 'realm';
144	$cfg->{$realm}->{$p} = $param->{$p};
145	}
146
147	cfs_write_file($domainconfigfile, $cfg);
148	}, "add auth server failed");
149
150	return undef;
151	}});
152
153	__PACKAGE__->register_method ({
154	name => 'update',
155	path => '{realm}',
156	method => 'PUT',
157	description => "Update authentication server settings.",
158	protected => 1,
159	parameters => {
160	additionalProperties => 0,
161	properties => {
162	realm => get_standard_option('realm'),
163	server1 => {
164	description => "Server IP address (or DNS name)",
165	type => 'string',
166	optional => 1,
167	},
168	server2 => {
169	description => "Fallback Server IP address (or DNS name)",
170	type => 'string',
171	optional => 1,
172	},
173	secure => {
174	description => "Use secure LDAPS protocol.",
175	type => 'boolean',
176	optional => 1,
177	},
178	default => {
179	description => "Use this as default realm",
180	type => 'boolean',
181	optional => 1,
182	},
183	comment => {
184	type => 'string',
185	optional => 1,
186	},
187	port => {
188	description => "Server port",
189	type => 'integer',
190	minimum => 1,
191	maximum => 65535,
192	optional => 1,
193	},
194	base_dn => {
195	description => "LDAP base domain name",
196	type => 'string',
197	optional => 1,
198	},
199	user_attr => {
200	description => "LDAP user attribute name",
201	type => 'string',
202	optional => 1,
203	},
204	},
205	},
206	returns => { type => 'null' },
207	code => sub {
208	my ($param) = @_;
209
210	PVE::AccessControl::lock_domain_config(
211	sub {
212
213	my $cfg = cfs_read_file($domainconfigfile);
214
215	my $realm = $param->{realm};
216	delete $param->{realm};
217
218	die "unable to modify bultin domain '$realm'\n"
219	if ($realm eq 'pam' \|\| $realm eq 'pve');
220
221	die "domain '$realm' does not exist\n"
222	if !$cfg->{$realm};
223
224	if (defined($param->{secure})) {
225	$cfg->{$realm}->{secure} = $param->{secure} ? 1 : 0;
226	}
227
228	if ($param->{default}) {
229	foreach my $r (keys %$cfg) {
230	delete $cfg->{$r}->{default};
231	}
232	}
233
234	foreach my $p (keys %$param) {
235	$cfg->{$realm}->{$p} = $param->{$p};
236	}
237
238	cfs_write_file($domainconfigfile, $cfg);
239	}, "update auth server failed");
240
241	return undef;
242	}});
243
244	# fixme: return format!
245	__PACKAGE__->register_method ({
246	name => 'read',
247	path => '{realm}',
248	method => 'GET',
249	description => "Get auth server configuration.",
250	parameters => {
251	additionalProperties => 0,
252	properties => {
253	realm => get_standard_option('realm'),
254	},
255	},
256	returns => {},
257	code => sub {
258	my ($param) = @_;
259
260	my $cfg = cfs_read_file($domainconfigfile);
261
262	my $realm = $param->{realm};
263
264	my $data = $cfg->{$realm};
265	die "domain '$realm' does not exist\n" if !$data;
266
267	return $data;
268	}});
269
270
271	__PACKAGE__->register_method ({
272	name => 'delete',
273	path => '{realm}',
274	method => 'DELETE',
275	description => "Delete an authentication server.",
276	protected => 1,
277	parameters => {
278	additionalProperties => 0,
279	properties => {
280	realm => get_standard_option('realm'),
281	}
282	},
283	returns => { type => 'null' },
284	code => sub {
285	my ($param) = @_;
286
287	PVE::AccessControl::lock_user_config(
288	sub {
289
290	my $cfg = cfs_read_file($domainconfigfile);
291
292	my $realm = $param->{realm};
293
294	die "domain '$realm' does not exist\n" if !$cfg->{$realm};
295
296	delete $cfg->{$realm};
297
298	cfs_write_file($domainconfigfile, $cfg);
299	}, "delete auth server failed");
300
301	return undef;
302	}});
303
304	1;