Commit | Line | Data |
---|---|---|
2c3a6c0a DM |
1 | package PVE::API2::Domains; |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | use PVE::Cluster qw (cfs_read_file cfs_write_file); | |
6 | use PVE::AccessControl; | |
7 | use PVE::JSONSchema qw(get_standard_option); | |
8 | ||
9 | use PVE::SafeSyslog; | |
2c3a6c0a DM |
10 | use PVE::RESTHandler; |
11 | ||
12 | my $domainconfigfile = "domains.cfg"; | |
13 | ||
14 | use base qw(PVE::RESTHandler); | |
15 | ||
16 | __PACKAGE__->register_method ({ | |
17 | name => 'index', | |
18 | path => '', | |
19 | method => 'GET', | |
20 | description => "Authentication domain index.", | |
82b63965 DM |
21 | permissions => { |
22 | description => "Anyone can access that, because we need that list for the login box (before the user is authenticated).", | |
23 | user => 'world', | |
24 | }, | |
2c3a6c0a DM |
25 | parameters => { |
26 | additionalProperties => 0, | |
27 | properties => {}, | |
28 | }, | |
29 | returns => { | |
30 | type => 'array', | |
31 | items => { | |
32 | type => "object", | |
33 | properties => { | |
34 | realm => { type => 'string' }, | |
35 | comment => { type => 'string', optional => 1 }, | |
36 | }, | |
37 | }, | |
38 | links => [ { rel => 'child', href => "{realm}" } ], | |
39 | }, | |
40 | code => sub { | |
41 | my ($param) = @_; | |
42 | ||
43 | my $res = []; | |
44 | ||
45 | my $cfg = cfs_read_file($domainconfigfile); | |
46 | ||
47 | foreach my $realm (keys %$cfg) { | |
48 | my $d = $cfg->{$realm}; | |
49 | my $entry = { realm => $realm, type => $d->{type} }; | |
50 | $entry->{comment} = $d->{comment} if $d->{comment}; | |
51 | $entry->{default} = 1 if $d->{default}; | |
52 | push @$res, $entry; | |
53 | } | |
54 | ||
55 | return $res; | |
56 | }}); | |
57 | ||
58 | __PACKAGE__->register_method ({ | |
59 | name => 'create', | |
60 | protected => 1, | |
61 | path => '', | |
62 | method => 'POST', | |
96919234 | 63 | permissions => { |
82b63965 | 64 | check => ['perm', '/access/realm', ['Realm.Allocate']], |
96919234 | 65 | }, |
2c3a6c0a DM |
66 | description => "Add an authentication server.", |
67 | parameters => { | |
68 | additionalProperties => 0, | |
69 | properties => { | |
70 | realm => get_standard_option('realm'), | |
71 | type => { | |
72 | description => "Server type.", | |
73 | type => 'string', | |
74 | enum => [ 'ad', 'ldap' ], | |
75 | }, | |
76 | server1 => { | |
77 | description => "Server IP address (or DNS name)", | |
78 | type => 'string', | |
79 | }, | |
80 | server2 => { | |
81 | description => "Fallback Server IP address (or DNS name)", | |
82 | type => 'string', | |
83 | optional => 1, | |
84 | }, | |
85 | secure => { | |
86 | description => "Use secure LDAPS protocol.", | |
87 | type => 'boolean', | |
88 | optional => 1, | |
89 | }, | |
90 | default => { | |
91 | description => "Use this as default realm", | |
92 | type => 'boolean', | |
93 | optional => 1, | |
94 | }, | |
95 | comment => { | |
96 | type => 'string', | |
97 | optional => 1, | |
98 | }, | |
99 | port => { | |
af4a8a85 | 100 | description => "Server port. Use '0' if you want to use default settings'", |
2c3a6c0a | 101 | type => 'integer', |
af4a8a85 | 102 | minimum => 0, |
2c3a6c0a DM |
103 | maximum => 65535, |
104 | optional => 1, | |
105 | }, | |
a0492cd6 DM |
106 | domain => { |
107 | description => "AD domain name", | |
108 | type => 'string', | |
109 | optional => 1, | |
110 | }, | |
2c3a6c0a DM |
111 | base_dn => { |
112 | description => "LDAP base domain name", | |
113 | type => 'string', | |
114 | optional => 1, | |
115 | }, | |
116 | user_attr => { | |
117 | description => "LDAP user attribute name", | |
118 | type => 'string', | |
119 | optional => 1, | |
120 | }, | |
121 | }, | |
122 | }, | |
123 | returns => { type => 'null' }, | |
124 | code => sub { | |
125 | my ($param) = @_; | |
126 | ||
127 | PVE::AccessControl::lock_domain_config( | |
128 | sub { | |
129 | ||
130 | my $cfg = cfs_read_file($domainconfigfile); | |
131 | ||
132 | my $realm = $param->{realm}; | |
133 | ||
134 | die "domain '$realm' already exists\n" | |
135 | if $cfg->{$realm}; | |
136 | ||
137 | die "unable to use reserved name '$realm'\n" | |
138 | if ($realm eq 'pam' || $realm eq 'pve'); | |
139 | ||
140 | if (defined($param->{secure})) { | |
141 | $cfg->{$realm}->{secure} = $param->{secure} ? 1 : 0; | |
142 | } | |
af4a8a85 | 143 | |
2c3a6c0a DM |
144 | if ($param->{default}) { |
145 | foreach my $r (keys %$cfg) { | |
146 | delete $cfg->{$r}->{default}; | |
147 | } | |
148 | } | |
149 | ||
150 | foreach my $p (keys %$param) { | |
151 | next if $p eq 'realm'; | |
0c156363 | 152 | $cfg->{$realm}->{$p} = $param->{$p} if $param->{$p}; |
2c3a6c0a DM |
153 | } |
154 | ||
af4a8a85 | 155 | # port 0 ==> use default |
0c156363 DM |
156 | # server2 == '' ===> delete server2 |
157 | for my $p (qw(port server2)) { | |
158 | if (defined($param->{$p}) && !$param->{$p}) { | |
159 | delete $cfg->{$realm}->{$p}; | |
160 | } | |
af4a8a85 DM |
161 | } |
162 | ||
2c3a6c0a DM |
163 | cfs_write_file($domainconfigfile, $cfg); |
164 | }, "add auth server failed"); | |
165 | ||
166 | return undef; | |
167 | }}); | |
168 | ||
169 | __PACKAGE__->register_method ({ | |
170 | name => 'update', | |
171 | path => '{realm}', | |
172 | method => 'PUT', | |
96919234 | 173 | permissions => { |
82b63965 | 174 | check => ['perm', '/access/realm', ['Realm.Allocate']], |
96919234 | 175 | }, |
2c3a6c0a DM |
176 | description => "Update authentication server settings.", |
177 | protected => 1, | |
178 | parameters => { | |
179 | additionalProperties => 0, | |
180 | properties => { | |
181 | realm => get_standard_option('realm'), | |
182 | server1 => { | |
183 | description => "Server IP address (or DNS name)", | |
184 | type => 'string', | |
185 | optional => 1, | |
186 | }, | |
187 | server2 => { | |
188 | description => "Fallback Server IP address (or DNS name)", | |
189 | type => 'string', | |
190 | optional => 1, | |
191 | }, | |
192 | secure => { | |
193 | description => "Use secure LDAPS protocol.", | |
194 | type => 'boolean', | |
195 | optional => 1, | |
196 | }, | |
197 | default => { | |
198 | description => "Use this as default realm", | |
199 | type => 'boolean', | |
200 | optional => 1, | |
201 | }, | |
202 | comment => { | |
203 | type => 'string', | |
204 | optional => 1, | |
205 | }, | |
206 | port => { | |
af4a8a85 | 207 | description => "Server port. Use '0' if you want to use default settings'", |
2c3a6c0a | 208 | type => 'integer', |
af4a8a85 | 209 | minimum => 0, |
2c3a6c0a DM |
210 | maximum => 65535, |
211 | optional => 1, | |
212 | }, | |
a0492cd6 DM |
213 | domain => { |
214 | description => "AD domain name", | |
215 | type => 'string', | |
216 | optional => 1, | |
217 | }, | |
2c3a6c0a DM |
218 | base_dn => { |
219 | description => "LDAP base domain name", | |
220 | type => 'string', | |
221 | optional => 1, | |
222 | }, | |
223 | user_attr => { | |
224 | description => "LDAP user attribute name", | |
225 | type => 'string', | |
226 | optional => 1, | |
227 | }, | |
228 | }, | |
229 | }, | |
230 | returns => { type => 'null' }, | |
231 | code => sub { | |
232 | my ($param) = @_; | |
233 | ||
234 | PVE::AccessControl::lock_domain_config( | |
235 | sub { | |
236 | ||
237 | my $cfg = cfs_read_file($domainconfigfile); | |
238 | ||
239 | my $realm = $param->{realm}; | |
240 | delete $param->{realm}; | |
241 | ||
242 | die "unable to modify bultin domain '$realm'\n" | |
243 | if ($realm eq 'pam' || $realm eq 'pve'); | |
244 | ||
245 | die "domain '$realm' does not exist\n" | |
246 | if !$cfg->{$realm}; | |
247 | ||
248 | if (defined($param->{secure})) { | |
249 | $cfg->{$realm}->{secure} = $param->{secure} ? 1 : 0; | |
250 | } | |
251 | ||
252 | if ($param->{default}) { | |
253 | foreach my $r (keys %$cfg) { | |
254 | delete $cfg->{$r}->{default}; | |
255 | } | |
256 | } | |
257 | ||
258 | foreach my $p (keys %$param) { | |
0c156363 DM |
259 | if ($param->{$p}) { |
260 | $cfg->{$realm}->{$p} = $param->{$p}; | |
261 | } else { | |
262 | delete $cfg->{$realm}->{$p}; | |
263 | } | |
af4a8a85 DM |
264 | } |
265 | ||
2c3a6c0a DM |
266 | cfs_write_file($domainconfigfile, $cfg); |
267 | }, "update auth server failed"); | |
268 | ||
269 | return undef; | |
270 | }}); | |
271 | ||
272 | # fixme: return format! | |
273 | __PACKAGE__->register_method ({ | |
274 | name => 'read', | |
275 | path => '{realm}', | |
276 | method => 'GET', | |
277 | description => "Get auth server configuration.", | |
96919234 | 278 | permissions => { |
82b63965 | 279 | check => ['perm', '/access/realm', ['Realm.Allocate', 'Sys.Audit'], any => 1], |
96919234 | 280 | }, |
2c3a6c0a DM |
281 | parameters => { |
282 | additionalProperties => 0, | |
283 | properties => { | |
284 | realm => get_standard_option('realm'), | |
285 | }, | |
286 | }, | |
287 | returns => {}, | |
288 | code => sub { | |
289 | my ($param) = @_; | |
290 | ||
291 | my $cfg = cfs_read_file($domainconfigfile); | |
292 | ||
293 | my $realm = $param->{realm}; | |
294 | ||
295 | my $data = $cfg->{$realm}; | |
296 | die "domain '$realm' does not exist\n" if !$data; | |
297 | ||
298 | return $data; | |
299 | }}); | |
300 | ||
301 | ||
302 | __PACKAGE__->register_method ({ | |
303 | name => 'delete', | |
304 | path => '{realm}', | |
305 | method => 'DELETE', | |
96919234 | 306 | permissions => { |
82b63965 | 307 | check => ['perm', '/access/realm', ['Realm.Allocate']], |
96919234 | 308 | }, |
2c3a6c0a DM |
309 | description => "Delete an authentication server.", |
310 | protected => 1, | |
311 | parameters => { | |
312 | additionalProperties => 0, | |
313 | properties => { | |
314 | realm => get_standard_option('realm'), | |
315 | } | |
316 | }, | |
317 | returns => { type => 'null' }, | |
318 | code => sub { | |
319 | my ($param) = @_; | |
320 | ||
321 | PVE::AccessControl::lock_user_config( | |
322 | sub { | |
323 | ||
324 | my $cfg = cfs_read_file($domainconfigfile); | |
325 | ||
326 | my $realm = $param->{realm}; | |
327 | ||
328 | die "domain '$realm' does not exist\n" if !$cfg->{$realm}; | |
329 | ||
330 | delete $cfg->{$realm}; | |
331 | ||
332 | cfs_write_file($domainconfigfile, $cfg); | |
333 | }, "delete auth server failed"); | |
334 | ||
335 | return undef; | |
336 | }}); | |
337 | ||
338 | 1; |