[pve-access-control.git] / PVE / API2 / Domains.pm

package PVE::API2::Domains;

use strict;
use warnings;
use PVE::Tools qw(extract_param);
use PVE::Cluster qw (cfs_read_file cfs_write_file);
use PVE::AccessControl;
use PVE::JSONSchema qw(get_standard_option);

use PVE::SafeSyslog;
use PVE::RESTHandler;
use PVE::Auth::Plugin;

my $domainconfigfile = "domains.cfg";

use base qw(PVE::RESTHandler);

__PACKAGE__->register_method ({
    name => 'index', 
    path => '', 
    method => 'GET',
    description => "Authentication domain index.",
    permissions => { 
	description => "Anyone can access that, because we need that list for the login box (before the user is authenticated).",
	user => 'world', 
    },
    parameters => {
	additionalProperties => 0,
	properties => {},
    },
    returns => {
	type => 'array',
	items => {
	    type => "object",
	    properties => {
		realm => { type => 'string' },
		tfa => {
		    description => "Two-factor authentication provider.",
		    type => 'string',
		    enum => [ 'yubico', 'oath' ],
		    optional => 1,
		},
		comment => { type => 'string', optional => 1 },
		comment => { type => 'string', optional => 1 },
	    },
	},
	links => [ { rel => 'child', href => "{realm}" } ],
    },
    code => sub {
	my ($param) = @_;
    
	my $res = [];

	my $cfg = cfs_read_file($domainconfigfile);
	my $ids = $cfg->{ids};

	foreach my $realm (keys %$ids) {
	    my $d = $ids->{$realm};
	    my $entry = { realm => $realm, type => $d->{type} };
	    $entry->{comment} = $d->{comment} if $d->{comment};
	    $entry->{default} = 1 if $d->{default};
	    if ($d->{tfa} && (my $tfa_cfg = PVE::Auth::Plugin::parse_tfa_config($d->{tfa}))) {
		$entry->{tfa} = $tfa_cfg->{type};
	    }
	    push @$res, $entry;
	}

	return $res;
    }});

__PACKAGE__->register_method ({
    name => 'create', 
    protected => 1,
    path => '', 
    method => 'POST',
    permissions => { 
	check => ['perm', '/access/realm', ['Realm.Allocate']],
    },
    description => "Add an authentication server.",
    parameters => PVE::Auth::Plugin->createSchema(),
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::Auth::Plugin::lock_domain_config(
	    sub {
			
		my $cfg = cfs_read_file($domainconfigfile);
		my $ids = $cfg->{ids};

		my $realm = extract_param($param, 'realm');
		my $type = $param->{type};
	
		die "domain '$realm' already exists\n" 
		    if $ids->{$realm};

		die "unable to use reserved name '$realm'\n"
		    if ($realm eq 'pam' || $realm eq 'pve');

		die "unable to create builtin type '$type'\n"
		    if ($type eq 'pam' || $type eq 'pve');

		my $plugin = PVE::Auth::Plugin->lookup($type);
		my $config = $plugin->check_config($realm, $param, 1, 1);

		if ($config->{default}) {
		    foreach my $r (keys %$ids) {
			delete $ids->{$r}->{default};
		    }
		}

		$ids->{$realm} = $config;

		cfs_write_file($domainconfigfile, $cfg);
	    }, "add auth server failed");

	return undef;
    }});

__PACKAGE__->register_method ({
    name => 'update', 
    path => '{realm}', 
    method => 'PUT',
    permissions => { 
	check => ['perm', '/access/realm', ['Realm.Allocate']],
    },
    description => "Update authentication server settings.",
    protected => 1,
    parameters => PVE::Auth::Plugin->updateSchema(),
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::Auth::Plugin::lock_domain_config(
	    sub {
			
		my $cfg = cfs_read_file($domainconfigfile);
		my $ids = $cfg->{ids};

		my $digest = extract_param($param, 'digest');
		PVE::SectionConfig::assert_if_modified($cfg, $digest);

		my $realm = extract_param($param, 'realm');

		die "domain '$realm' does not exist\n" 
		    if !$ids->{$realm};

		my $delete_str = extract_param($param, 'delete');
		die "no options specified\n" if !$delete_str && !scalar(keys %$param);

		foreach my $opt (PVE::Tools::split_list($delete_str)) {
		    delete $ids->{$realm}->{$opt};
		}
	
		my $plugin = PVE::Auth::Plugin->lookup($ids->{$realm}->{type});
		my $config = $plugin->check_config($realm, $param, 0, 1);

		if ($config->{default}) {
		    foreach my $r (keys %$ids) {
			delete $ids->{$r}->{default};
		    }
		}

		foreach my $p (keys %$config) {
		    $ids->{$realm}->{$p} = $config->{$p};
		}

		cfs_write_file($domainconfigfile, $cfg);
	    }, "update auth server failed");

	return undef;
    }});

# fixme: return format!
__PACKAGE__->register_method ({
    name => 'read', 
    path => '{realm}', 
    method => 'GET',
    description => "Get auth server configuration.",
    permissions => { 
	check => ['perm', '/access/realm', ['Realm.Allocate', 'Sys.Audit'], any => 1],
    },
    parameters => {
   	additionalProperties => 0,
	properties => {
	    realm =>  get_standard_option('realm'),
	},
    },
    returns => {},
    code => sub {
	my ($param) = @_;

	my $cfg = cfs_read_file($domainconfigfile);

	my $realm = $param->{realm};
	
	my $data = $cfg->{ids}->{$realm};
	die "domain '$realm' does not exist\n" if !$data;

	$data->{digest} = $cfg->{digest};

	return $data;
    }});


__PACKAGE__->register_method ({
    name => 'delete', 
    path => '{realm}', 
    method => 'DELETE',
    permissions => { 
	check => ['perm', '/access/realm', ['Realm.Allocate']],
    },
    description => "Delete an authentication server.",
    protected => 1,
    parameters => {
   	additionalProperties => 0,
	properties => {
	    realm =>  get_standard_option('realm'),
	}
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::Auth::Plugin::lock_domain_config(
	    sub {

		my $cfg = cfs_read_file($domainconfigfile);
		my $ids = $cfg->{ids};

		my $realm = $param->{realm};
	
		die "domain '$realm' does not exist\n" if !$ids->{$realm};

		delete $ids->{$realm};

		cfs_write_file($domainconfigfile, $cfg);
	    }, "delete auth server failed");
	
	return undef;
    }});

1;
Commit	Line	Data
2c3a6c0a DM	1	package PVE::API2::Domains;
	2
	3	use strict;
	4	use warnings;
5bb4e06a	5	use PVE::Tools qw(extract_param);
2c3a6c0a DM	6	use PVE::Cluster qw (cfs_read_file cfs_write_file);
	7	use PVE::AccessControl;
	8	use PVE::JSONSchema qw(get_standard_option);
	9
	10	use PVE::SafeSyslog;
2c3a6c0a	11	use PVE::RESTHandler;
5bb4e06a	12	use PVE::Auth::Plugin;
2c3a6c0a DM	13
	14	my $domainconfigfile = "domains.cfg";
	15
	16	use base qw(PVE::RESTHandler);
	17
	18	__PACKAGE__->register_method ({
	19	name => 'index',
	20	path => '',
	21	method => 'GET',
	22	description => "Authentication domain index.",
82b63965 DM	23	permissions => {
	24	description => "Anyone can access that, because we need that list for the login box (before the user is authenticated).",
	25	user => 'world',
	26	},
2c3a6c0a DM	27	parameters => {
	28	additionalProperties => 0,
	29	properties => {},
	30	},
	31	returns => {
	32	type => 'array',
	33	items => {
	34	type => "object",
	35	properties => {
	36	realm => { type => 'string' },
96f8ebd6 DM	37	tfa => {
	38	description => "Two-factor authentication provider.",
	39	type => 'string',
1abc2c0a	40	enum => [ 'yubico', 'oath' ],
96f8ebd6 DM	41	optional => 1,
	42	},
	43	comment => { type => 'string', optional => 1 },
2c3a6c0a DM	44	comment => { type => 'string', optional => 1 },
	45	},
	46	},
	47	links => [ { rel => 'child', href => "{realm}" } ],
	48	},
	49	code => sub {
	50	my ($param) = @_;
	51
	52	my $res = [];
	53
	54	my $cfg = cfs_read_file($domainconfigfile);
5bb4e06a DM	55	my $ids = $cfg->{ids};
	56
	57	foreach my $realm (keys %$ids) {
	58	my $d = $ids->{$realm};
2c3a6c0a DM	59	my $entry = { realm => $realm, type => $d->{type} };
	60	$entry->{comment} = $d->{comment} if $d->{comment};
	61	$entry->{default} = 1 if $d->{default};
96f8ebd6 DM	62	if ($d->{tfa} && (my $tfa_cfg = PVE::Auth::Plugin::parse_tfa_config($d->{tfa}))) {
	63	$entry->{tfa} = $tfa_cfg->{type};
	64	}
2c3a6c0a DM	65	push @$res, $entry;
	66	}
	67
	68	return $res;
	69	}});
	70
	71	__PACKAGE__->register_method ({
	72	name => 'create',
	73	protected => 1,
	74	path => '',
	75	method => 'POST',
96919234	76	permissions => {
82b63965	77	check => ['perm', '/access/realm', ['Realm.Allocate']],
96919234	78	},
2c3a6c0a	79	description => "Add an authentication server.",
5bb4e06a	80	parameters => PVE::Auth::Plugin->createSchema(),
2c3a6c0a DM	81	returns => { type => 'null' },
	82	code => sub {
	83	my ($param) = @_;
	84
5bb4e06a	85	PVE::Auth::Plugin::lock_domain_config(
2c3a6c0a DM	86	sub {
	87
	88	my $cfg = cfs_read_file($domainconfigfile);
5bb4e06a	89	my $ids = $cfg->{ids};
2c3a6c0a	90
5bb4e06a DM	91	my $realm = extract_param($param, 'realm');
5bb4e06a DM	92	my $type = $param->{type};
2c3a6c0a DM	93
2c3a6c0a DM	94	die "domain '$realm' already exists\n"
5bb4e06a	95	if $ids->{$realm};
2c3a6c0a DM	96
	97	die "unable to use reserved name '$realm'\n"
	98	if ($realm eq 'pam' \|\| $realm eq 'pve');
	99
5bb4e06a DM	100	die "unable to create builtin type '$type'\n"
5bb4e06a DM	101	if ($type eq 'pam' \|\| $type eq 'pve');
af4a8a85	102
5bb4e06a DM	103	my $plugin = PVE::Auth::Plugin->lookup($type);
5bb4e06a DM	104	my $config = $plugin->check_config($realm, $param, 1, 1);
2c3a6c0a	105
5bb4e06a DM	106	if ($config->{default}) {
	107	foreach my $r (keys %$ids) {
	108	delete $ids->{$r}->{default};
0c156363	109	}
af4a8a85 DM	110	}
af4a8a85 DM	111
5bb4e06a DM	112	$ids->{$realm} = $config;
5bb4e06a DM	113
2c3a6c0a DM	114	cfs_write_file($domainconfigfile, $cfg);
	115	}, "add auth server failed");
	116
	117	return undef;
	118	}});
	119
	120	__PACKAGE__->register_method ({
	121	name => 'update',
	122	path => '{realm}',
	123	method => 'PUT',
96919234	124	permissions => {
82b63965	125	check => ['perm', '/access/realm', ['Realm.Allocate']],
96919234	126	},
2c3a6c0a DM	127	description => "Update authentication server settings.",
2c3a6c0a DM	128	protected => 1,
5bb4e06a	129	parameters => PVE::Auth::Plugin->updateSchema(),
2c3a6c0a DM	130	returns => { type => 'null' },
	131	code => sub {
	132	my ($param) = @_;
	133
5bb4e06a	134	PVE::Auth::Plugin::lock_domain_config(
2c3a6c0a DM	135	sub {
	136
	137	my $cfg = cfs_read_file($domainconfigfile);
5bb4e06a	138	my $ids = $cfg->{ids};
2c3a6c0a	139
5bb4e06a DM	140	my $digest = extract_param($param, 'digest');
	141	PVE::SectionConfig::assert_if_modified($cfg, $digest);
	142
	143	my $realm = extract_param($param, 'realm');
2c3a6c0a	144
2c3a6c0a	145	die "domain '$realm' does not exist\n"
5bb4e06a DM	146	if !$ids->{$realm};
	147
	148	my $delete_str = extract_param($param, 'delete');
	149	die "no options specified\n" if !$delete_str && !scalar(keys %$param);
2c3a6c0a	150
5bb4e06a DM	151	foreach my $opt (PVE::Tools::split_list($delete_str)) {
5bb4e06a DM	152	delete $ids->{$realm}->{$opt};
2c3a6c0a	153	}
5bb4e06a DM	154
	155	my $plugin = PVE::Auth::Plugin->lookup($ids->{$realm}->{type});
	156	my $config = $plugin->check_config($realm, $param, 0, 1);
2c3a6c0a	157
5bb4e06a DM	158	if ($config->{default}) {
	159	foreach my $r (keys %$ids) {
	160	delete $ids->{$r}->{default};
2c3a6c0a DM	161	}
	162	}
	163
5bb4e06a DM	164	foreach my $p (keys %$config) {
5bb4e06a DM	165	$ids->{$realm}->{$p} = $config->{$p};
af4a8a85 DM	166	}
af4a8a85 DM	167
2c3a6c0a DM	168	cfs_write_file($domainconfigfile, $cfg);
	169	}, "update auth server failed");
	170
	171	return undef;
	172	}});
	173
	174	# fixme: return format!
	175	__PACKAGE__->register_method ({
	176	name => 'read',
	177	path => '{realm}',
	178	method => 'GET',
	179	description => "Get auth server configuration.",
96919234	180	permissions => {
82b63965	181	check => ['perm', '/access/realm', ['Realm.Allocate', 'Sys.Audit'], any => 1],
96919234	182	},
2c3a6c0a DM	183	parameters => {
	184	additionalProperties => 0,
	185	properties => {
	186	realm => get_standard_option('realm'),
	187	},
	188	},
	189	returns => {},
	190	code => sub {
	191	my ($param) = @_;
	192
	193	my $cfg = cfs_read_file($domainconfigfile);
	194
	195	my $realm = $param->{realm};
	196
5bb4e06a	197	my $data = $cfg->{ids}->{$realm};
2c3a6c0a DM	198	die "domain '$realm' does not exist\n" if !$data;
2c3a6c0a DM	199
5bb4e06a DM	200	$data->{digest} = $cfg->{digest};
5bb4e06a DM	201
2c3a6c0a DM	202	return $data;
	203	}});
	204
	205
	206	__PACKAGE__->register_method ({
	207	name => 'delete',
	208	path => '{realm}',
	209	method => 'DELETE',
96919234	210	permissions => {
82b63965	211	check => ['perm', '/access/realm', ['Realm.Allocate']],
96919234	212	},
2c3a6c0a DM	213	description => "Delete an authentication server.",
	214	protected => 1,
	215	parameters => {
	216	additionalProperties => 0,
	217	properties => {
	218	realm => get_standard_option('realm'),
	219	}
	220	},
	221	returns => { type => 'null' },
	222	code => sub {
	223	my ($param) = @_;
	224
5bb4e06a	225	PVE::Auth::Plugin::lock_domain_config(
2c3a6c0a DM	226	sub {
	227
	228	my $cfg = cfs_read_file($domainconfigfile);
5bb4e06a	229	my $ids = $cfg->{ids};
2c3a6c0a DM	230
	231	my $realm = $param->{realm};
	232
5bb4e06a	233	die "domain '$realm' does not exist\n" if !$ids->{$realm};
2c3a6c0a	234
5bb4e06a	235	delete $ids->{$realm};
2c3a6c0a DM	236
	237	cfs_write_file($domainconfigfile, $cfg);
	238	}, "delete auth server failed");
	239
	240	return undef;
	241	}});
	242
	243	1;