[pve-access-control.git] / PVE / API2 / Domains.pm

package PVE::API2::Domains;

use strict;
use warnings;
use PVE::Tools qw(extract_param);
use PVE::Cluster qw (cfs_read_file cfs_write_file);
use PVE::AccessControl;
use PVE::JSONSchema qw(get_standard_option);

use PVE::SafeSyslog;
use PVE::RESTHandler;
use PVE::Auth::Plugin;

my $domainconfigfile = "domains.cfg";

use base qw(PVE::RESTHandler);

__PACKAGE__->register_method ({
    name => 'index', 
    path => '', 
    method => 'GET',
    description => "Authentication domain index.",
    permissions => { 
	description => "Anyone can access that, because we need that list for the login box (before the user is authenticated).",
	user => 'world', 
    },
    parameters => {
	additionalProperties => 0,
	properties => {},
    },
    returns => {
	type => 'array',
	items => {
	    type => "object",
	    properties => {
		realm => { type => 'string' },
		tfa => {
		    description => "Two-factor authentication provider.",
		    type => 'string',
		    enum => [ 'yubico', 'oath' ],
		    optional => 1,
		},
		comment => {
		    description => "A comment. The GUI use this text when you select a domain (Realm) on the login window.",
		    type => 'string',
		    optional => 1,
		},
	    },
	},
	links => [ { rel => 'child', href => "{realm}" } ],
    },
    code => sub {
	my ($param) = @_;
    
	my $res = [];

	my $cfg = cfs_read_file($domainconfigfile);
	my $ids = $cfg->{ids};

	foreach my $realm (keys %$ids) {
	    my $d = $ids->{$realm};
	    my $entry = { realm => $realm, type => $d->{type} };
	    $entry->{comment} = $d->{comment} if $d->{comment};
	    $entry->{default} = 1 if $d->{default};
	    if ($d->{tfa} && (my $tfa_cfg = PVE::Auth::Plugin::parse_tfa_config($d->{tfa}))) {
		$entry->{tfa} = $tfa_cfg->{type};
	    }
	    push @$res, $entry;
	}

	return $res;
    }});

__PACKAGE__->register_method ({
    name => 'create', 
    protected => 1,
    path => '', 
    method => 'POST',
    permissions => { 
	check => ['perm', '/access/realm', ['Realm.Allocate']],
    },
    description => "Add an authentication server.",
    parameters => PVE::Auth::Plugin->createSchema(),
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::Auth::Plugin::lock_domain_config(
	    sub {
			
		my $cfg = cfs_read_file($domainconfigfile);
		my $ids = $cfg->{ids};

		my $realm = extract_param($param, 'realm');
		my $type = $param->{type};
	
		die "domain '$realm' already exists\n" 
		    if $ids->{$realm};

		die "unable to use reserved name '$realm'\n"
		    if ($realm eq 'pam' || $realm eq 'pve');

		die "unable to create builtin type '$type'\n"
		    if ($type eq 'pam' || $type eq 'pve');

		my $plugin = PVE::Auth::Plugin->lookup($type);
		my $config = $plugin->check_config($realm, $param, 1, 1);

		if ($config->{default}) {
		    foreach my $r (keys %$ids) {
			delete $ids->{$r}->{default};
		    }
		}

		$ids->{$realm} = $config;

		cfs_write_file($domainconfigfile, $cfg);
	    }, "add auth server failed");

	return undef;
    }});

__PACKAGE__->register_method ({
    name => 'update', 
    path => '{realm}', 
    method => 'PUT',
    permissions => { 
	check => ['perm', '/access/realm', ['Realm.Allocate']],
    },
    description => "Update authentication server settings.",
    protected => 1,
    parameters => PVE::Auth::Plugin->updateSchema(),
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::Auth::Plugin::lock_domain_config(
	    sub {
			
		my $cfg = cfs_read_file($domainconfigfile);
		my $ids = $cfg->{ids};

		my $digest = extract_param($param, 'digest');
		PVE::SectionConfig::assert_if_modified($cfg, $digest);

		my $realm = extract_param($param, 'realm');

		die "domain '$realm' does not exist\n" 
		    if !$ids->{$realm};

		my $delete_str = extract_param($param, 'delete');
		die "no options specified\n" if !$delete_str && !scalar(keys %$param);

		foreach my $opt (PVE::Tools::split_list($delete_str)) {
		    delete $ids->{$realm}->{$opt};
		}
	
		my $plugin = PVE::Auth::Plugin->lookup($ids->{$realm}->{type});
		my $config = $plugin->check_config($realm, $param, 0, 1);

		if ($config->{default}) {
		    foreach my $r (keys %$ids) {
			delete $ids->{$r}->{default};
		    }
		}

		foreach my $p (keys %$config) {
		    $ids->{$realm}->{$p} = $config->{$p};
		}

		cfs_write_file($domainconfigfile, $cfg);
	    }, "update auth server failed");

	return undef;
    }});

# fixme: return format!
__PACKAGE__->register_method ({
    name => 'read', 
    path => '{realm}', 
    method => 'GET',
    description => "Get auth server configuration.",
    permissions => { 
	check => ['perm', '/access/realm', ['Realm.Allocate', 'Sys.Audit'], any => 1],
    },
    parameters => {
   	additionalProperties => 0,
	properties => {
	    realm =>  get_standard_option('realm'),
	},
    },
    returns => {},
    code => sub {
	my ($param) = @_;

	my $cfg = cfs_read_file($domainconfigfile);

	my $realm = $param->{realm};
	
	my $data = $cfg->{ids}->{$realm};
	die "domain '$realm' does not exist\n" if !$data;

	$data->{digest} = $cfg->{digest};

	return $data;
    }});


__PACKAGE__->register_method ({
    name => 'delete', 
    path => '{realm}', 
    method => 'DELETE',
    permissions => { 
	check => ['perm', '/access/realm', ['Realm.Allocate']],
    },
    description => "Delete an authentication server.",
    protected => 1,
    parameters => {
   	additionalProperties => 0,
	properties => {
	    realm =>  get_standard_option('realm'),
	}
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::Auth::Plugin::lock_domain_config(
	    sub {

		my $cfg = cfs_read_file($domainconfigfile);
		my $ids = $cfg->{ids};

		my $realm = $param->{realm};
	
		die "domain '$realm' does not exist\n" if !$ids->{$realm};

		delete $ids->{$realm};

		cfs_write_file($domainconfigfile, $cfg);
	    }, "delete auth server failed");
	
	return undef;
    }});

1;
Commit	Line	Data
2c3a6c0a DM	1	package PVE::API2::Domains;
	2
	3	use strict;
	4	use warnings;
5bb4e06a	5	use PVE::Tools qw(extract_param);
2c3a6c0a DM	6	use PVE::Cluster qw (cfs_read_file cfs_write_file);
	7	use PVE::AccessControl;
	8	use PVE::JSONSchema qw(get_standard_option);
	9
	10	use PVE::SafeSyslog;
2c3a6c0a	11	use PVE::RESTHandler;
5bb4e06a	12	use PVE::Auth::Plugin;
2c3a6c0a DM	13
	14	my $domainconfigfile = "domains.cfg";
	15
	16	use base qw(PVE::RESTHandler);
	17
	18	__PACKAGE__->register_method ({
	19	name => 'index',
	20	path => '',
	21	method => 'GET',
	22	description => "Authentication domain index.",
82b63965 DM	23	permissions => {
	24	description => "Anyone can access that, because we need that list for the login box (before the user is authenticated).",
	25	user => 'world',
	26	},
2c3a6c0a DM	27	parameters => {
	28	additionalProperties => 0,
	29	properties => {},
	30	},
	31	returns => {
	32	type => 'array',
	33	items => {
	34	type => "object",
	35	properties => {
	36	realm => { type => 'string' },
96f8ebd6 DM	37	tfa => {
	38	description => "Two-factor authentication provider.",
	39	type => 'string',
1abc2c0a	40	enum => [ 'yubico', 'oath' ],
96f8ebd6 DM	41	optional => 1,
96f8ebd6 DM	42	},
52b2eff3 DM	43	comment => {
	44	description => "A comment. The GUI use this text when you select a domain (Realm) on the login window.",
	45	type => 'string',
	46	optional => 1,
	47	},
2c3a6c0a DM	48	},
	49	},
	50	links => [ { rel => 'child', href => "{realm}" } ],
	51	},
	52	code => sub {
	53	my ($param) = @_;
	54
	55	my $res = [];
	56
	57	my $cfg = cfs_read_file($domainconfigfile);
5bb4e06a DM	58	my $ids = $cfg->{ids};
	59
	60	foreach my $realm (keys %$ids) {
	61	my $d = $ids->{$realm};
2c3a6c0a DM	62	my $entry = { realm => $realm, type => $d->{type} };
	63	$entry->{comment} = $d->{comment} if $d->{comment};
	64	$entry->{default} = 1 if $d->{default};
96f8ebd6 DM	65	if ($d->{tfa} && (my $tfa_cfg = PVE::Auth::Plugin::parse_tfa_config($d->{tfa}))) {
	66	$entry->{tfa} = $tfa_cfg->{type};
	67	}
2c3a6c0a DM	68	push @$res, $entry;
	69	}
	70
	71	return $res;
	72	}});
	73
	74	__PACKAGE__->register_method ({
	75	name => 'create',
	76	protected => 1,
	77	path => '',
	78	method => 'POST',
96919234	79	permissions => {
82b63965	80	check => ['perm', '/access/realm', ['Realm.Allocate']],
96919234	81	},
2c3a6c0a	82	description => "Add an authentication server.",
5bb4e06a	83	parameters => PVE::Auth::Plugin->createSchema(),
2c3a6c0a DM	84	returns => { type => 'null' },
	85	code => sub {
	86	my ($param) = @_;
	87
5bb4e06a	88	PVE::Auth::Plugin::lock_domain_config(
2c3a6c0a DM	89	sub {
	90
	91	my $cfg = cfs_read_file($domainconfigfile);
5bb4e06a	92	my $ids = $cfg->{ids};
2c3a6c0a	93
5bb4e06a DM	94	my $realm = extract_param($param, 'realm');
5bb4e06a DM	95	my $type = $param->{type};
2c3a6c0a DM	96
2c3a6c0a DM	97	die "domain '$realm' already exists\n"
5bb4e06a	98	if $ids->{$realm};
2c3a6c0a DM	99
	100	die "unable to use reserved name '$realm'\n"
	101	if ($realm eq 'pam' \|\| $realm eq 'pve');
	102
5bb4e06a DM	103	die "unable to create builtin type '$type'\n"
5bb4e06a DM	104	if ($type eq 'pam' \|\| $type eq 'pve');
af4a8a85	105
5bb4e06a DM	106	my $plugin = PVE::Auth::Plugin->lookup($type);
5bb4e06a DM	107	my $config = $plugin->check_config($realm, $param, 1, 1);
2c3a6c0a	108
5bb4e06a DM	109	if ($config->{default}) {
	110	foreach my $r (keys %$ids) {
	111	delete $ids->{$r}->{default};
0c156363	112	}
af4a8a85 DM	113	}
af4a8a85 DM	114
5bb4e06a DM	115	$ids->{$realm} = $config;
5bb4e06a DM	116
2c3a6c0a DM	117	cfs_write_file($domainconfigfile, $cfg);
	118	}, "add auth server failed");
	119
	120	return undef;
	121	}});
	122
	123	__PACKAGE__->register_method ({
	124	name => 'update',
	125	path => '{realm}',
	126	method => 'PUT',
96919234	127	permissions => {
82b63965	128	check => ['perm', '/access/realm', ['Realm.Allocate']],
96919234	129	},
2c3a6c0a DM	130	description => "Update authentication server settings.",
2c3a6c0a DM	131	protected => 1,
5bb4e06a	132	parameters => PVE::Auth::Plugin->updateSchema(),
2c3a6c0a DM	133	returns => { type => 'null' },
	134	code => sub {
	135	my ($param) = @_;
	136
5bb4e06a	137	PVE::Auth::Plugin::lock_domain_config(
2c3a6c0a DM	138	sub {
	139
	140	my $cfg = cfs_read_file($domainconfigfile);
5bb4e06a	141	my $ids = $cfg->{ids};
2c3a6c0a	142
5bb4e06a DM	143	my $digest = extract_param($param, 'digest');
	144	PVE::SectionConfig::assert_if_modified($cfg, $digest);
	145
	146	my $realm = extract_param($param, 'realm');
2c3a6c0a	147
2c3a6c0a	148	die "domain '$realm' does not exist\n"
5bb4e06a DM	149	if !$ids->{$realm};
	150
	151	my $delete_str = extract_param($param, 'delete');
	152	die "no options specified\n" if !$delete_str && !scalar(keys %$param);
2c3a6c0a	153
5bb4e06a DM	154	foreach my $opt (PVE::Tools::split_list($delete_str)) {
5bb4e06a DM	155	delete $ids->{$realm}->{$opt};
2c3a6c0a	156	}
5bb4e06a DM	157
	158	my $plugin = PVE::Auth::Plugin->lookup($ids->{$realm}->{type});
	159	my $config = $plugin->check_config($realm, $param, 0, 1);
2c3a6c0a	160
5bb4e06a DM	161	if ($config->{default}) {
	162	foreach my $r (keys %$ids) {
	163	delete $ids->{$r}->{default};
2c3a6c0a DM	164	}
	165	}
	166
5bb4e06a DM	167	foreach my $p (keys %$config) {
5bb4e06a DM	168	$ids->{$realm}->{$p} = $config->{$p};
af4a8a85 DM	169	}
af4a8a85 DM	170
2c3a6c0a DM	171	cfs_write_file($domainconfigfile, $cfg);
	172	}, "update auth server failed");
	173
	174	return undef;
	175	}});
	176
	177	# fixme: return format!
	178	__PACKAGE__->register_method ({
	179	name => 'read',
	180	path => '{realm}',
	181	method => 'GET',
	182	description => "Get auth server configuration.",
96919234	183	permissions => {
82b63965	184	check => ['perm', '/access/realm', ['Realm.Allocate', 'Sys.Audit'], any => 1],
96919234	185	},
2c3a6c0a DM	186	parameters => {
	187	additionalProperties => 0,
	188	properties => {
	189	realm => get_standard_option('realm'),
	190	},
	191	},
	192	returns => {},
	193	code => sub {
	194	my ($param) = @_;
	195
	196	my $cfg = cfs_read_file($domainconfigfile);
	197
	198	my $realm = $param->{realm};
	199
5bb4e06a	200	my $data = $cfg->{ids}->{$realm};
2c3a6c0a DM	201	die "domain '$realm' does not exist\n" if !$data;
2c3a6c0a DM	202
5bb4e06a DM	203	$data->{digest} = $cfg->{digest};
5bb4e06a DM	204
2c3a6c0a DM	205	return $data;
	206	}});
	207
	208
	209	__PACKAGE__->register_method ({
	210	name => 'delete',
	211	path => '{realm}',
	212	method => 'DELETE',
96919234	213	permissions => {
82b63965	214	check => ['perm', '/access/realm', ['Realm.Allocate']],
96919234	215	},
2c3a6c0a DM	216	description => "Delete an authentication server.",
	217	protected => 1,
	218	parameters => {
	219	additionalProperties => 0,
	220	properties => {
	221	realm => get_standard_option('realm'),
	222	}
	223	},
	224	returns => { type => 'null' },
	225	code => sub {
	226	my ($param) = @_;
	227
5bb4e06a	228	PVE::Auth::Plugin::lock_domain_config(
2c3a6c0a DM	229	sub {
	230
	231	my $cfg = cfs_read_file($domainconfigfile);
5bb4e06a	232	my $ids = $cfg->{ids};
2c3a6c0a DM	233
	234	my $realm = $param->{realm};
	235
5bb4e06a	236	die "domain '$realm' does not exist\n" if !$ids->{$realm};
2c3a6c0a	237
5bb4e06a	238	delete $ids->{$realm};
2c3a6c0a DM	239
	240	cfs_write_file($domainconfigfile, $cfg);
	241	}, "delete auth server failed");
	242
	243	return undef;
	244	}});
	245
	246	1;