[pve-access-control.git] / PVE / API2 / Domains.pm

package PVE::API2::Domains;

use strict;
use warnings;
use PVE::Exception qw(raise_param_exc);
use PVE::Tools qw(extract_param);
use PVE::Cluster qw (cfs_read_file cfs_write_file);
use PVE::AccessControl;
use PVE::JSONSchema qw(get_standard_option);

use PVE::SafeSyslog;
use PVE::RESTHandler;
use PVE::Auth::Plugin;

my $domainconfigfile = "domains.cfg";

use base qw(PVE::RESTHandler);

__PACKAGE__->register_method ({
    name => 'index',
    path => '',
    method => 'GET',
    description => "Authentication domain index.",
    permissions => {
	description => "Anyone can access that, because we need that list for the login box (before the user is authenticated).",
	user => 'world',
    },
    parameters => {
	additionalProperties => 0,
	properties => {},
    },
    returns => {
	type => 'array',
	items => {
	    type => "object",
	    properties => {
		realm => { type => 'string' },
		type => { type => 'string' },
		tfa => {
		    description => "Two-factor authentication provider.",
		    type => 'string',
		    enum => [ 'yubico', 'oath' ],
		    optional => 1,
		},
		comment => {
		    description => "A comment. The GUI use this text when you select a domain (Realm) on the login window.",
		    type => 'string',
		    optional => 1,
		},
	    },
	},
	links => [ { rel => 'child', href => "{realm}" } ],
    },
    code => sub {
	my ($param) = @_;

	my $res = [];

	my $cfg = cfs_read_file($domainconfigfile);
	my $ids = $cfg->{ids};

	foreach my $realm (keys %$ids) {
	    my $d = $ids->{$realm};
	    my $entry = { realm => $realm, type => $d->{type} };
	    $entry->{comment} = $d->{comment} if $d->{comment};
	    $entry->{default} = 1 if $d->{default};
	    if ($d->{tfa} && (my $tfa_cfg = PVE::Auth::Plugin::parse_tfa_config($d->{tfa}))) {
		$entry->{tfa} = $tfa_cfg->{type};
	    }
	    push @$res, $entry;
	}

	return $res;
    }});

__PACKAGE__->register_method ({
    name => 'create',
    protected => 1,
    path => '',
    method => 'POST',
    permissions => {
	check => ['perm', '/access/realm', ['Realm.Allocate']],
    },
    description => "Add an authentication server.",
    parameters => PVE::Auth::Plugin->createSchema(),
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::Auth::Plugin::lock_domain_config(
	    sub {

		my $cfg = cfs_read_file($domainconfigfile);
		my $ids = $cfg->{ids};

		my $realm = extract_param($param, 'realm');
		my $type = $param->{type};

		die "domain '$realm' already exists\n"
		    if $ids->{$realm};

		die "unable to use reserved name '$realm'\n"
		    if ($realm eq 'pam' || $realm eq 'pve');

		die "unable to create builtin type '$type'\n"
		    if ($type eq 'pam' || $type eq 'pve');

		my $plugin = PVE::Auth::Plugin->lookup($type);
		my $config = $plugin->check_config($realm, $param, 1, 1);

		if ($config->{default}) {
		    foreach my $r (keys %$ids) {
			delete $ids->{$r}->{default};
		    }
		}

		$ids->{$realm} = $config;

		cfs_write_file($domainconfigfile, $cfg);
	    }, "add auth server failed");

	return undef;
    }});

__PACKAGE__->register_method ({
    name => 'update',
    path => '{realm}',
    method => 'PUT',
    permissions => {
	check => ['perm', '/access/realm', ['Realm.Allocate']],
    },
    description => "Update authentication server settings.",
    protected => 1,
    parameters => PVE::Auth::Plugin->updateSchema(),
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::Auth::Plugin::lock_domain_config(
	    sub {

		my $cfg = cfs_read_file($domainconfigfile);
		my $ids = $cfg->{ids};

		my $digest = extract_param($param, 'digest');
		PVE::SectionConfig::assert_if_modified($cfg, $digest);

		my $realm = extract_param($param, 'realm');

		die "domain '$realm' does not exist\n"
		    if !$ids->{$realm};

		my $delete_str = extract_param($param, 'delete');
		die "no options specified\n" if !$delete_str && !scalar(keys %$param);

		foreach my $opt (PVE::Tools::split_list($delete_str)) {
		    delete $ids->{$realm}->{$opt};
		}

		my $plugin = PVE::Auth::Plugin->lookup($ids->{$realm}->{type});
		my $config = $plugin->check_config($realm, $param, 0, 1);

		if ($config->{default}) {
		    foreach my $r (keys %$ids) {
			delete $ids->{$r}->{default};
		    }
		}

		foreach my $p (keys %$config) {
		    $ids->{$realm}->{$p} = $config->{$p};
		}

		cfs_write_file($domainconfigfile, $cfg);
	    }, "update auth server failed");

	return undef;
    }});

# fixme: return format!
__PACKAGE__->register_method ({
    name => 'read',
    path => '{realm}',
    method => 'GET',
    description => "Get auth server configuration.",
    permissions => {
	check => ['perm', '/access/realm', ['Realm.Allocate', 'Sys.Audit'], any => 1],
    },
    parameters => {
   	additionalProperties => 0,
	properties => {
	    realm =>  get_standard_option('realm'),
	},
    },
    returns => {},
    code => sub {
	my ($param) = @_;

	my $cfg = cfs_read_file($domainconfigfile);

	my $realm = $param->{realm};

	my $data = $cfg->{ids}->{$realm};
	die "domain '$realm' does not exist\n" if !$data;

	$data->{digest} = $cfg->{digest};

	return $data;
    }});


__PACKAGE__->register_method ({
    name => 'delete',
    path => '{realm}',
    method => 'DELETE',
    permissions => {
	check => ['perm', '/access/realm', ['Realm.Allocate']],
    },
    description => "Delete an authentication server.",
    protected => 1,
    parameters => {
   	additionalProperties => 0,
	properties => {
	    realm =>  get_standard_option('realm'),
	}
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::Auth::Plugin::lock_domain_config(
	    sub {

		my $cfg = cfs_read_file($domainconfigfile);
		my $ids = $cfg->{ids};

		my $realm = $param->{realm};

		die "domain '$realm' does not exist\n" if !$ids->{$realm};

		delete $ids->{$realm};

		cfs_write_file($domainconfigfile, $cfg);
	    }, "delete auth server failed");

	return undef;
    }});

my $update_users = sub {
    my ($usercfg, $realm, $synced_users, $opts) = @_;

    print "syncing users\n";
    $usercfg->{users} = {} if !defined($usercfg->{users});
    my $users = $usercfg->{users};

    my $oldusers = {};
    if ($opts->{'full'}) {
	print "full sync, deleting outdated existing users first\n";
	foreach my $userid (sort keys %$users) {
	    next if $userid !~ m/\@$realm$/;

	    $oldusers->{$userid} = delete $users->{$userid};
	    if ($opts->{'purge'} && !$synced_users->{$userid}) {
		PVE::AccessControl::delete_user_acl($userid, $usercfg);
		print "purged user '$userid' and all its ACL entries\n";
	    } elsif (!defined($synced_users->{$userid})) {
		print "remove user '$userid'\n";
	    }
	}
    }

    foreach my $userid (sort keys %$synced_users) {
	my $synced_user = $synced_users->{$userid} // {};
	if (!defined($users->{$userid})) {
	    my $user = $users->{$userid} = $synced_user;

	    my $olduser = $oldusers->{$userid} // {};
	    if (defined(my $enabled = $olduser->{enable})) {
		$user->{enable} = $enabled;
	    } elsif ($opts->{enable}) {
		$user->{enable} = 1;
	    }

	    if (defined($olduser->{tokens})) {
		$user->{tokens} = $olduser->{tokens};
	    }
	    if (defined($oldusers->{$userid})) {
		print "updated user '$userid'\n";
	    } else {
		print "added user '$userid'\n";
	    }
	} else {
	    my $olduser = $users->{$userid};
	    foreach my $attr (keys %$synced_user) {
		$olduser->{$attr} = $synced_user->{$attr};
	    }
	    print "updated user '$userid'\n";
	}
    }
};

my $update_groups = sub {
    my ($usercfg, $realm, $synced_groups, $opts) = @_;

    print "syncing groups\n";
    $usercfg->{groups} = {} if !defined($usercfg->{groups});
    my $groups = $usercfg->{groups};
    my $oldgroups = {};

    if ($opts->{full}) {
	print "full sync, deleting outdated existing groups first\n";
	foreach my $groupid (sort keys %$groups) {
	    next if $groupid !~ m/\-$realm$/;

	    my $oldgroups->{$groupid} = delete $groups->{$groupid};
	    if ($opts->{purge} && !$synced_groups->{$groupid}) {
		print "purged group '$groupid' and all its ACL entries\n";
		PVE::AccessControl::delete_group_acl($groupid, $usercfg)
	    } elsif (!defined($synced_groups->{$groupid})) {
		print "removed group '$groupid'\n";
	    }
	}
    }

    foreach my $groupid (sort keys %$synced_groups) {
	my $synced_group = $synced_groups->{$groupid};
	if (!defined($groups->{$groupid})) {
	    $groups->{$groupid} = $synced_group;
	    if (defined($oldgroups->{$groupid})) {
		print "updated group '$groupid'\n";
	    } else {
		print "added group '$groupid'\n";
	    }
	} else {
	    my $group = $groups->{$groupid};
	    foreach my $attr (keys %$synced_group) {
		$group->{$attr} = $synced_group->{$attr};
	    }
	    print "updated group '$groupid'\n";
	}
    }
};

__PACKAGE__->register_method ({
    name => 'sync',
    path => '{realm}/sync',
    method => 'POST',
    permissions => {
	description => "'Realm.AllocateUser' on '/access/realm/<realm>' and "
	    ." 'User.Modify' permissions to '/access/groups/'.",
	check => [ 'and',
	    [ 'userid-param', 'Realm.AllocateUser' ],
	    [ 'userid-group', ['User.Modify'] ],
	],
    },
    description => "Syncs users and/or groups from the configured LDAP to user.cfg."
	." NOTE: Synced groups will have the name 'name-\$realm', so make sure"
	." those groups do not exist to prevent overwriting.",
    protected => 1,
    parameters => {
	additionalProperties => 0,
	properties => {
	    realm =>  get_standard_option('realm'),
	    scope => {
		description => "Select what to sync.",
		type => 'string',
		enum => [qw(users groups both)],
	    },
	    full => {
		description => "If set, uses the LDAP Directory as source of truth, ".
			       "deleting all information not contained there. ".
			       "Otherwise only syncs information set explicitly.",
		type => 'boolean',
	    },
	    enable => {
		description => "Enable newly synced users.",
		type => 'boolean',
	    },
	    purge => {
		description => "Remove ACLs for users/groups that were removed from the config.",
		type => 'boolean',
	    },
	}
    },
    returns => {
	description => 'Worker Task-UPID',
	type => 'string'
    },
    code => sub {
	my ($param) = @_;

	my $rpcenv = PVE::RPCEnvironment::get();
	my $authuser = $rpcenv->get_user();

	my $realm = $param->{realm};
	my $cfg = cfs_read_file($domainconfigfile);
	my $realmconfig = $cfg->{ids}->{$realm};

	raise_param_exc({ 'realm' => 'Realm does not exist.' }) if !defined($realmconfig);
	my $type = $realmconfig->{type};

	if ($type ne 'ldap' && $type ne 'ad') {
	    die "Cannot sync realm type '$type'! Only LDAP/AD realms can be synced.\n";
	}


	my $scope = $param->{scope};
	my $whatstring = $scope eq 'both' ? "users and groups" : $scope;

	my $plugin = PVE::Auth::Plugin->lookup($type);

	my $worker = sub {
	    print "starting sync for realm $realm\n";

	    my ($synced_users, $dnmap) = $plugin->get_users($realmconfig, $realm);
	    my $synced_groups = {};
	    if ($scope eq 'groups' || $scope eq 'both') {
		$synced_groups = $plugin->get_groups($realmconfig, $realm, $dnmap);
	    }

	    PVE::AccessControl::lock_user_config(sub {
		my $usercfg = cfs_read_file("user.cfg");
		print "got data from server, updating $whatstring\n";

		if ($scope eq 'users' || $scope eq 'both') {
		    $update_users->($usercfg, $realm, $synced_users, $param);
		}

		if ($scope eq 'groups' || $scope eq 'both') {
		    $update_groups->($usercfg, $realm, $synced_groups, $param);
		}

		cfs_write_file("user.cfg", $usercfg);
		print "successfully updated $whatstring configuration\n";
	    }, "syncing $whatstring failed");
	};

	return $rpcenv->fork_worker('auth-realm-sync', $realm, $authuser, $worker);
    }});

1;
Commit	Line	Data
2c3a6c0a DM	1	package PVE::API2::Domains;
	2
	3	use strict;
	4	use warnings;
673d2bf2	5	use PVE::Exception qw(raise_param_exc);
5bb4e06a	6	use PVE::Tools qw(extract_param);
2c3a6c0a DM	7	use PVE::Cluster qw (cfs_read_file cfs_write_file);
	8	use PVE::AccessControl;
	9	use PVE::JSONSchema qw(get_standard_option);
	10
	11	use PVE::SafeSyslog;
2c3a6c0a	12	use PVE::RESTHandler;
5bb4e06a	13	use PVE::Auth::Plugin;
2c3a6c0a DM	14
	15	my $domainconfigfile = "domains.cfg";
	16
	17	use base qw(PVE::RESTHandler);
	18
	19	__PACKAGE__->register_method ({
32449f35 DC	20	name => 'index',
32449f35 DC	21	path => '',
2c3a6c0a DM	22	method => 'GET',
2c3a6c0a DM	23	description => "Authentication domain index.",
32449f35	24	permissions => {
82b63965	25	description => "Anyone can access that, because we need that list for the login box (before the user is authenticated).",
32449f35	26	user => 'world',
82b63965	27	},
2c3a6c0a DM	28	parameters => {
	29	additionalProperties => 0,
	30	properties => {},
	31	},
	32	returns => {
	33	type => 'array',
	34	items => {
	35	type => "object",
	36	properties => {
	37	realm => { type => 'string' },
f3c87f9b	38	type => { type => 'string' },
96f8ebd6 DM	39	tfa => {
	40	description => "Two-factor authentication provider.",
	41	type => 'string',
1abc2c0a	42	enum => [ 'yubico', 'oath' ],
96f8ebd6 DM	43	optional => 1,
96f8ebd6 DM	44	},
52b2eff3 DM	45	comment => {
	46	description => "A comment. The GUI use this text when you select a domain (Realm) on the login window.",
	47	type => 'string',
	48	optional => 1,
	49	},
2c3a6c0a DM	50	},
	51	},
	52	links => [ { rel => 'child', href => "{realm}" } ],
	53	},
	54	code => sub {
	55	my ($param) = @_;
32449f35	56
2c3a6c0a DM	57	my $res = [];
	58
	59	my $cfg = cfs_read_file($domainconfigfile);
5bb4e06a DM	60	my $ids = $cfg->{ids};
	61
	62	foreach my $realm (keys %$ids) {
	63	my $d = $ids->{$realm};
2c3a6c0a DM	64	my $entry = { realm => $realm, type => $d->{type} };
	65	$entry->{comment} = $d->{comment} if $d->{comment};
	66	$entry->{default} = 1 if $d->{default};
96f8ebd6 DM	67	if ($d->{tfa} && (my $tfa_cfg = PVE::Auth::Plugin::parse_tfa_config($d->{tfa}))) {
	68	$entry->{tfa} = $tfa_cfg->{type};
	69	}
2c3a6c0a DM	70	push @$res, $entry;
	71	}
	72
	73	return $res;
	74	}});
	75
	76	__PACKAGE__->register_method ({
32449f35	77	name => 'create',
2c3a6c0a	78	protected => 1,
32449f35	79	path => '',
2c3a6c0a	80	method => 'POST',
32449f35	81	permissions => {
82b63965	82	check => ['perm', '/access/realm', ['Realm.Allocate']],
96919234	83	},
2c3a6c0a	84	description => "Add an authentication server.",
5bb4e06a	85	parameters => PVE::Auth::Plugin->createSchema(),
2c3a6c0a DM	86	returns => { type => 'null' },
	87	code => sub {
	88	my ($param) = @_;
	89
5bb4e06a	90	PVE::Auth::Plugin::lock_domain_config(
2c3a6c0a	91	sub {
32449f35	92
2c3a6c0a	93	my $cfg = cfs_read_file($domainconfigfile);
5bb4e06a	94	my $ids = $cfg->{ids};
2c3a6c0a	95
5bb4e06a DM	96	my $realm = extract_param($param, 'realm');
5bb4e06a DM	97	my $type = $param->{type};
32449f35 DC	98
32449f35 DC	99	die "domain '$realm' already exists\n"
5bb4e06a	100	if $ids->{$realm};
2c3a6c0a DM	101
	102	die "unable to use reserved name '$realm'\n"
	103	if ($realm eq 'pam' \|\| $realm eq 'pve');
	104
5bb4e06a DM	105	die "unable to create builtin type '$type'\n"
5bb4e06a DM	106	if ($type eq 'pam' \|\| $type eq 'pve');
af4a8a85	107
5bb4e06a DM	108	my $plugin = PVE::Auth::Plugin->lookup($type);
5bb4e06a DM	109	my $config = $plugin->check_config($realm, $param, 1, 1);
2c3a6c0a	110
5bb4e06a DM	111	if ($config->{default}) {
	112	foreach my $r (keys %$ids) {
	113	delete $ids->{$r}->{default};
0c156363	114	}
af4a8a85 DM	115	}
af4a8a85 DM	116
5bb4e06a DM	117	$ids->{$realm} = $config;
5bb4e06a DM	118
2c3a6c0a DM	119	cfs_write_file($domainconfigfile, $cfg);
	120	}, "add auth server failed");
	121
	122	return undef;
	123	}});
	124
	125	__PACKAGE__->register_method ({
32449f35 DC	126	name => 'update',
32449f35 DC	127	path => '{realm}',
2c3a6c0a	128	method => 'PUT',
32449f35	129	permissions => {
82b63965	130	check => ['perm', '/access/realm', ['Realm.Allocate']],
96919234	131	},
2c3a6c0a DM	132	description => "Update authentication server settings.",
2c3a6c0a DM	133	protected => 1,
5bb4e06a	134	parameters => PVE::Auth::Plugin->updateSchema(),
2c3a6c0a DM	135	returns => { type => 'null' },
	136	code => sub {
	137	my ($param) = @_;
	138
5bb4e06a	139	PVE::Auth::Plugin::lock_domain_config(
2c3a6c0a	140	sub {
32449f35	141
2c3a6c0a	142	my $cfg = cfs_read_file($domainconfigfile);
5bb4e06a	143	my $ids = $cfg->{ids};
2c3a6c0a	144
5bb4e06a DM	145	my $digest = extract_param($param, 'digest');
	146	PVE::SectionConfig::assert_if_modified($cfg, $digest);
	147
	148	my $realm = extract_param($param, 'realm');
2c3a6c0a	149
32449f35	150	die "domain '$realm' does not exist\n"
5bb4e06a DM	151	if !$ids->{$realm};
	152
	153	my $delete_str = extract_param($param, 'delete');
	154	die "no options specified\n" if !$delete_str && !scalar(keys %$param);
2c3a6c0a	155
5bb4e06a DM	156	foreach my $opt (PVE::Tools::split_list($delete_str)) {
5bb4e06a DM	157	delete $ids->{$realm}->{$opt};
2c3a6c0a	158	}
32449f35	159
5bb4e06a DM	160	my $plugin = PVE::Auth::Plugin->lookup($ids->{$realm}->{type});
5bb4e06a DM	161	my $config = $plugin->check_config($realm, $param, 0, 1);
2c3a6c0a	162
5bb4e06a DM	163	if ($config->{default}) {
	164	foreach my $r (keys %$ids) {
	165	delete $ids->{$r}->{default};
2c3a6c0a DM	166	}
	167	}
	168
5bb4e06a DM	169	foreach my $p (keys %$config) {
5bb4e06a DM	170	$ids->{$realm}->{$p} = $config->{$p};
af4a8a85 DM	171	}
af4a8a85 DM	172
2c3a6c0a DM	173	cfs_write_file($domainconfigfile, $cfg);
	174	}, "update auth server failed");
	175
	176	return undef;
	177	}});
	178
	179	# fixme: return format!
	180	__PACKAGE__->register_method ({
32449f35 DC	181	name => 'read',
32449f35 DC	182	path => '{realm}',
2c3a6c0a DM	183	method => 'GET',
2c3a6c0a DM	184	description => "Get auth server configuration.",
32449f35	185	permissions => {
82b63965	186	check => ['perm', '/access/realm', ['Realm.Allocate', 'Sys.Audit'], any => 1],
96919234	187	},
2c3a6c0a DM	188	parameters => {
	189	additionalProperties => 0,
	190	properties => {
	191	realm => get_standard_option('realm'),
	192	},
	193	},
	194	returns => {},
	195	code => sub {
	196	my ($param) = @_;
	197
	198	my $cfg = cfs_read_file($domainconfigfile);
	199
	200	my $realm = $param->{realm};
32449f35	201
5bb4e06a	202	my $data = $cfg->{ids}->{$realm};
2c3a6c0a DM	203	die "domain '$realm' does not exist\n" if !$data;
2c3a6c0a DM	204
5bb4e06a DM	205	$data->{digest} = $cfg->{digest};
5bb4e06a DM	206
2c3a6c0a DM	207	return $data;
	208	}});
	209
	210
	211	__PACKAGE__->register_method ({
32449f35 DC	212	name => 'delete',
32449f35 DC	213	path => '{realm}',
2c3a6c0a	214	method => 'DELETE',
32449f35	215	permissions => {
82b63965	216	check => ['perm', '/access/realm', ['Realm.Allocate']],
96919234	217	},
2c3a6c0a DM	218	description => "Delete an authentication server.",
	219	protected => 1,
	220	parameters => {
	221	additionalProperties => 0,
	222	properties => {
	223	realm => get_standard_option('realm'),
	224	}
	225	},
	226	returns => { type => 'null' },
	227	code => sub {
	228	my ($param) = @_;
	229
5bb4e06a	230	PVE::Auth::Plugin::lock_domain_config(
2c3a6c0a DM	231	sub {
	232
	233	my $cfg = cfs_read_file($domainconfigfile);
5bb4e06a	234	my $ids = $cfg->{ids};
2c3a6c0a DM	235
2c3a6c0a DM	236	my $realm = $param->{realm};
32449f35	237
5bb4e06a	238	die "domain '$realm' does not exist\n" if !$ids->{$realm};
2c3a6c0a	239
5bb4e06a	240	delete $ids->{$realm};
2c3a6c0a DM	241
	242	cfs_write_file($domainconfigfile, $cfg);
	243	}, "delete auth server failed");
32449f35	244
2c3a6c0a DM	245	return undef;
	246	}});
	247
415179b0 TL	248	my $update_users = sub {
	249	my ($usercfg, $realm, $synced_users, $opts) = @_;
	250
	251	print "syncing users\n";
	252	$usercfg->{users} = {} if !defined($usercfg->{users});
	253	my $users = $usercfg->{users};
	254
	255	my $oldusers = {};
	256	if ($opts->{'full'}) {
	257	print "full sync, deleting outdated existing users first\n";
	258	foreach my $userid (sort keys %$users) {
	259	next if $userid !~ m/\@$realm$/;
	260
	261	$oldusers->{$userid} = delete $users->{$userid};
	262	if ($opts->{'purge'} && !$synced_users->{$userid}) {
	263	PVE::AccessControl::delete_user_acl($userid, $usercfg);
	264	print "purged user '$userid' and all its ACL entries\n";
	265	} elsif (!defined($synced_users->{$userid})) {
	266	print "remove user '$userid'\n";
	267	}
	268	}
	269	}
	270
	271	foreach my $userid (sort keys %$synced_users) {
	272	my $synced_user = $synced_users->{$userid} // {};
	273	if (!defined($users->{$userid})) {
	274	my $user = $users->{$userid} = $synced_user;
	275
	276	my $olduser = $oldusers->{$userid} // {};
	277	if (defined(my $enabled = $olduser->{enable})) {
	278	$user->{enable} = $enabled;
	279	} elsif ($opts->{enable}) {
	280	$user->{enable} = 1;
	281	}
	282
	283	if (defined($olduser->{tokens})) {
	284	$user->{tokens} = $olduser->{tokens};
	285	}
	286	if (defined($oldusers->{$userid})) {
	287	print "updated user '$userid'\n";
	288	} else {
	289	print "added user '$userid'\n";
	290	}
	291	} else {
	292	my $olduser = $users->{$userid};
	293	foreach my $attr (keys %$synced_user) {
	294	$olduser->{$attr} = $synced_user->{$attr};
	295	}
	296	print "updated user '$userid'\n";
	297	}
	298	}
	299	};
	300
	301	my $update_groups = sub {
	302	my ($usercfg, $realm, $synced_groups, $opts) = @_;
	303
	304	print "syncing groups\n";
	305	$usercfg->{groups} = {} if !defined($usercfg->{groups});
	306	my $groups = $usercfg->{groups};
	307	my $oldgroups = {};
	308
	309	if ($opts->{full}) {
	310	print "full sync, deleting outdated existing groups first\n";
	311	foreach my $groupid (sort keys %$groups) {
312	next if $groupid !~ m/\-$realm$/;
313
314	my $oldgroups->{$groupid} = delete $groups->{$groupid};
315	if ($opts->{purge} && !$synced_groups->{$groupid}) {
316	print "purged group '$groupid' and all its ACL entries\n";
317	PVE::AccessControl::delete_group_acl($groupid, $usercfg)
318	} elsif (!defined($synced_groups->{$groupid})) {
319	print "removed group '$groupid'\n";
320	}
321	}
322	}
323
324	foreach my $groupid (sort keys %$synced_groups) {
325	my $synced_group = $synced_groups->{$groupid};
326	if (!defined($groups->{$groupid})) {
327	$groups->{$groupid} = $synced_group;
328	if (defined($oldgroups->{$groupid})) {
329	print "updated group '$groupid'\n";
330	} else {
331	print "added group '$groupid'\n";
332	}
333	} else {
334	my $group = $groups->{$groupid};
335	foreach my $attr (keys %$synced_group) {
336	$group->{$attr} = $synced_group->{$attr};
337	}
338	print "updated group '$groupid'\n";
339	}
340	}
341	};
342
673d2bf2 DC	343	__PACKAGE__->register_method ({
	344	name => 'sync',
	345	path => '{realm}/sync',
	346	method => 'POST',
	347	permissions => {
cf109814 TL	348	description => "'Realm.AllocateUser' on '/access/realm/<realm>' and "
cf109814 TL	349	." 'User.Modify' permissions to '/access/groups/'.",
673d2bf2	350	check => [ 'and',
cf109814 TL	351	[ 'userid-param', 'Realm.AllocateUser' ],
	352	[ 'userid-group', ['User.Modify'] ],
	353	],
673d2bf2	354	},
cf109814 TL	355	description => "Syncs users and/or groups from the configured LDAP to user.cfg."
	356	." NOTE: Synced groups will have the name 'name-\$realm', so make sure"
	357	." those groups do not exist to prevent overwriting.",
673d2bf2 DC	358	protected => 1,
	359	parameters => {
	360	additionalProperties => 0,
	361	properties => {
	362	realm => get_standard_option('realm'),
	363	scope => {
	364	description => "Select what to sync.",
	365	type => 'string',
	366	enum => [qw(users groups both)],
	367	},
	368	full => {
	369	description => "If set, uses the LDAP Directory as source of truth, ".
	370	"deleting all information not contained there. ".
	371	"Otherwise only syncs information set explicitly.",
	372	type => 'boolean',
	373	},
	374	enable => {
	375	description => "Enable newly synced users.",
	376	type => 'boolean',
	377	},
	378	purge => {
	379	description => "Remove ACLs for users/groups that were removed from the config.",
	380	type => 'boolean',
	381	},
	382	}
	383	},
cf109814 TL	384	returns => {
	385	description => 'Worker Task-UPID',
	386	type => 'string'
	387	},
673d2bf2 DC	388	code => sub {
	389	my ($param) = @_;
	390
	391	my $rpcenv = PVE::RPCEnvironment::get();
	392	my $authuser = $rpcenv->get_user();
	393
673d2bf2 DC	394	my $realm = $param->{realm};
673d2bf2 DC	395	my $cfg = cfs_read_file($domainconfigfile);
cf109814	396	my $realmconfig = $cfg->{ids}->{$realm};
673d2bf2	397
cf109814 TL	398	raise_param_exc({ 'realm' => 'Realm does not exist.' }) if !defined($realmconfig);
cf109814 TL	399	my $type = $realmconfig->{type};
673d2bf2 DC	400
673d2bf2 DC	401	if ($type ne 'ldap' && $type ne 'ad') {
cf109814	402	die "Cannot sync realm type '$type'! Only LDAP/AD realms can be synced.\n";
673d2bf2	403	}
673d2bf2	404
673d2bf2	405
cf109814 TL	406	my $scope = $param->{scope};
cf109814 TL	407	my $whatstring = $scope eq 'both' ? "users and groups" : $scope;
673d2bf2	408
cf109814	409	my $plugin = PVE::Auth::Plugin->lookup($type);
673d2bf2 DC	410
673d2bf2 DC	411	my $worker = sub {
cf109814 TL	412	print "starting sync for realm $realm\n";
	413
	414	my ($synced_users, $dnmap) = $plugin->get_users($realmconfig, $realm);
	415	my $synced_groups = {};
	416	if ($scope eq 'groups' \|\| $scope eq 'both') {
	417	$synced_groups = $plugin->get_groups($realmconfig, $realm, $dnmap);
673d2bf2 DC	418	}
673d2bf2 DC	419
cf109814	420	PVE::AccessControl::lock_user_config(sub {
673d2bf2	421	my $usercfg = cfs_read_file("user.cfg");
cf109814	422	print "got data from server, updating $whatstring\n";
673d2bf2	423
415179b0 TL	424	if ($scope eq 'users' \|\| $scope eq 'both') {
415179b0 TL	425	$update_users->($usercfg, $realm, $synced_users, $param);
673d2bf2 DC	426	}
673d2bf2 DC	427
415179b0 TL	428	if ($scope eq 'groups' \|\| $scope eq 'both') {
415179b0 TL	429	$update_groups->($usercfg, $realm, $synced_groups, $param);
673d2bf2	430	}
cf109814	431
673d2bf2	432	cfs_write_file("user.cfg", $usercfg);
cf109814 TL	433	print "successfully updated $whatstring configuration\n";
cf109814 TL	434	}, "syncing $whatstring failed");
673d2bf2 DC	435	};
673d2bf2 DC	436
6a2138e4	437	return $rpcenv->fork_worker('auth-realm-sync', $realm, $authuser, $worker);
673d2bf2 DC	438	}});
673d2bf2 DC	439
2c3a6c0a	440	1;