fix perl syntax
package PVE::API2::Domains;

# REST API handlers for the authentication-domain (realm) configuration
# kept in the cluster file "domains.cfg": index, create, read, update and
# delete of realms.  Every handler goes through cfs_read_file /
# cfs_write_file on that one file.

use strict;
use warnings;
use PVE::Cluster qw (cfs_read_file cfs_write_file);
use PVE::AccessControl;
use PVE::JSONSchema qw(get_standard_option);

use PVE::SafeSyslog;

use Data::Dumper; # fixme: remove -- nothing in this file calls Dumper

use PVE::RESTHandler;

# Name of the cluster config file holding the realm definitions; it is a
# file-level lexical shared by all handlers registered below.
my $domainconfigfile = "domains.cfg";

use base qw(PVE::RESTHandler);
__PACKAGE__->register_method ({
    name => 'index',
    path => '',
    method => 'GET',
    description => "Authentication domain index.",
    # Readable without authentication -- presumably because the login
    # dialog needs the realm list before anyone is logged in.  Only
    # realm/type/comment/default are copied into the response below, so
    # server addresses, ports and LDAP settings stored in domains.cfg do
    # not reach an unauthenticated caller.
    permissions => { user => 'world' },
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    returns => {
        type => 'array',
        items => {
            type => "object",
            properties => {
                realm => { type => 'string' },
                comment => { type => 'string', optional => 1 },
            },
        },
        links => [ { rel => 'child', href => "{realm}" } ],
    },
    code => sub {
        my ($param) = @_;

        my $cfg = cfs_read_file($domainconfigfile);

        # One summary entry per configured realm; 'comment' and 'default'
        # are only emitted when set in the config.
        my @entries = map {
            my $data = $cfg->{$_};
            my $entry = { realm => $_, type => $data->{type} };
            $entry->{comment} = $data->{comment} if $data->{comment};
            $entry->{default} = 1 if $data->{default};
            $entry;
        } keys %$cfg;

        return \@entries;
    }});
57
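__PACKAGE__->register_method ({
    name => 'create',
    protected => 1,
    path => '',
    method => 'POST',
    description => "Add an authentication server.",
    parameters => {
        additionalProperties => 0,
        properties => {
            realm => get_standard_option('realm'),
            type => {
                description => "Server type.",
                type => 'string',
                enum => [ 'ad', 'ldap' ],
            },
            server1 => {
                description => "Server IP address (or DNS name)",
                type => 'string',
            },
            server2 => {
                description => "Fallback Server IP address (or DNS name)",
                type => 'string',
                optional => 1,
            },
            secure => {
                description => "Use secure LDAPS protocol.",
                type => 'boolean',
                optional => 1,
            },
            default => {
                description => "Use this as default realm",
                type => 'boolean',
                optional => 1,
            },
            comment => {
                type => 'string',
                optional => 1,
            },
            port => {
                # user-visible help text; the stray trailing quote is gone
                description => "Server port. Use '0' if you want to use default settings",
                type => 'integer',
                minimum => 0,
                maximum => 65535,
                optional => 1,
            },
            domain => {
                description => "AD domain name",
                type => 'string',
                optional => 1,
            },
            base_dn => {
                description => "LDAP base domain name",
                type => 'string',
                optional => 1,
            },
            user_attr => {
                description => "LDAP user attribute name",
                type => 'string',
                optional => 1,
            },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        # Read-modify-write of domains.cfg under the domain config lock, so
        # a concurrent create/update/delete cannot lose this change.
        PVE::AccessControl::lock_domain_config(
            sub {
                my $cfg = cfs_read_file($domainconfigfile);

                my $realm = $param->{realm};

                die "domain '$realm' already exists\n"
                    if $cfg->{$realm};

                # 'pam' and 'pve' are the built-in realms; they cannot be
                # (re)defined through domains.cfg.
                die "unable to use reserved name '$realm'\n"
                    if ($realm eq 'pam' || $realm eq 'pve');

                # Store the boolean in canonical 1/0 form.
                if (defined($param->{secure})) {
                    $cfg->{$realm}->{secure} = $param->{secure} ? 1 : 0;
                }

                # At most one realm carries the default flag: clear it on
                # every realm first, the copy loop below re-sets it here.
                if ($param->{default}) {
                    foreach my $r (keys %$cfg) {
                        delete $cfg->{$r}->{default};
                    }
                }

                # Copy every truthy parameter into the new entry.  'realm'
                # is the hash key, not a property.  Note that a true
                # 'secure' is re-assigned here with the raw request value.
                foreach my $p (keys %$param) {
                    next if $p eq 'realm';
                    $cfg->{$realm}->{$p} = $param->{$p} if $param->{$p};
                }

                # port 0 ==> use default
                # server2 == '' ===> delete server2
                for my $p (qw(port server2)) {
                    if (defined($param->{$p}) && !$param->{$p}) {
                        delete $cfg->{$realm}->{$p};
                    }
                }

                cfs_write_file($domainconfigfile, $cfg);
            }, "add auth server failed");

        return undef;
    }});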
165
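__PACKAGE__->register_method ({
    name => 'update',
    path => '{realm}',
    method => 'PUT',
    description => "Update authentication server settings.",
    protected => 1,
    parameters => {
        additionalProperties => 0,
        properties => {
            realm => get_standard_option('realm'),
            server1 => {
                description => "Server IP address (or DNS name)",
                type => 'string',
                optional => 1,
            },
            server2 => {
                description => "Fallback Server IP address (or DNS name)",
                type => 'string',
                optional => 1,
            },
            secure => {
                description => "Use secure LDAPS protocol.",
                type => 'boolean',
                optional => 1,
            },
            default => {
                description => "Use this as default realm",
                type => 'boolean',
                optional => 1,
            },
            comment => {
                type => 'string',
                optional => 1,
            },
            port => {
                # user-visible help text; the stray trailing quote is gone
                description => "Server port. Use '0' if you want to use default settings",
                type => 'integer',
                minimum => 0,
                maximum => 65535,
                optional => 1,
            },
            domain => {
                description => "AD domain name",
                type => 'string',
                optional => 1,
            },
            base_dn => {
                description => "LDAP base domain name",
                type => 'string',
                optional => 1,
            },
            user_attr => {
                description => "LDAP user attribute name",
                type => 'string',
                optional => 1,
            },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        # Read-modify-write of domains.cfg under the domain config lock, so
        # a concurrent create/update/delete cannot lose this change.
        PVE::AccessControl::lock_domain_config(
            sub {
                my $cfg = cfs_read_file($domainconfigfile);

                # The caller's hash is left untouched; 'realm' is simply
                # skipped in the copy loop below.
                my $realm = $param->{realm};

                # 'pam' and 'pve' are the built-in realms and are not
                # managed through domains.cfg.
                die "unable to modify builtin domain '$realm'\n"
                    if ($realm eq 'pam' || $realm eq 'pve');

                die "domain '$realm' does not exist\n"
                    if !$cfg->{$realm};

                # Store the boolean in canonical 1/0 form.
                if (defined($param->{secure})) {
                    $cfg->{$realm}->{secure} = $param->{secure} ? 1 : 0;
                }

                # At most one realm carries the default flag: clear it on
                # every realm first, the copy loop below re-sets it here.
                if ($param->{default}) {
                    foreach my $r (keys %$cfg) {
                        delete $cfg->{$r}->{default};
                    }
                }

                # A truthy value replaces the stored one; a falsy value
                # (0, '' or a false boolean) removes the key entirely, which
                # is how port 0 / empty server2 / secure=0 / default=0 are
                # expressed in the file.
                foreach my $p (keys %$param) {
                    next if $p eq 'realm';
                    if ($param->{$p}) {
                        $cfg->{$realm}->{$p} = $param->{$p};
                    } else {
                        delete $cfg->{$realm}->{$p};
                    }
                }

                cfs_write_file($domainconfigfile, $cfg);
            }, "update auth server failed");

        return undef;
    }});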
265
# fixme: return format!
__PACKAGE__->register_method ({
    name => 'read',
    path => '{realm}',
    method => 'GET',
    description => "Get auth server configuration.",
    parameters => {
        additionalProperties => 0,
        properties => {
            realm => get_standard_option('realm'),
        },
    },
    # No result schema yet (see the fixme above); the stored entry is
    # passed through unchanged.
    returns => {},
    code => sub {
        my ($param) = @_;

        my $realm = $param->{realm};
        my $cfg = cfs_read_file($domainconfigfile);

        # Returns the complete stored entry -- every key create/update
        # wrote (server1/server2, port, base_dn, user_attr, ...), not the
        # trimmed view 'index' produces.  Unlike 'index' no 'permissions'
        # stanza is declared, so access is whatever PVE::RESTHandler's
        # default is -- NOTE(review): confirm that default is not 'world'.
        my $entry = $cfg->{$realm}
            or die "domain '$realm' does not exist\n";

        return $entry;
    }});
291
292
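__PACKAGE__->register_method ({
    name => 'delete',
    path => '{realm}',
    method => 'DELETE',
    description => "Delete an authentication server.",
    protected => 1,
    parameters => {
        additionalProperties => 0,
        properties => {
            realm => get_standard_option('realm'),
        }
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        # 'create' and 'update' serialize their read-modify-write of
        # domains.cfg on lock_domain_config; take the same lock here so a
        # delete cannot interleave with them (lock_user_config is a
        # different lock and would not order against those writers).
        PVE::AccessControl::lock_domain_config(
            sub {
                my $cfg = cfs_read_file($domainconfigfile);

                my $realm = $param->{realm};

                # Same rule as 'update': the built-in realms are not
                # managed through domains.cfg.
                die "unable to delete builtin domain '$realm'\n"
                    if ($realm eq 'pam' || $realm eq 'pve');

                die "domain '$realm' does not exist\n" if !$cfg->{$realm};

                delete $cfg->{$realm};

                cfs_write_file($domainconfigfile, $cfg);
            }, "delete auth server failed");

        return undef;
    }});

1;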