[pve-access-control.git] / PVE / API2 / Domains.pm

package PVE::API2::Domains;

use strict;
use warnings;
use PVE::Exception qw(raise_param_exc);
use PVE::Tools qw(extract_param);
use PVE::Cluster qw (cfs_read_file cfs_write_file);
use PVE::AccessControl;
use PVE::JSONSchema qw(get_standard_option);

use PVE::SafeSyslog;
use PVE::RESTHandler;
use PVE::Auth::Plugin;

my $domainconfigfile = "domains.cfg";

use base qw(PVE::RESTHandler);

__PACKAGE__->register_method ({
    name => 'index',
    path => '',
    method => 'GET',
    description => "Authentication domain index.",
    permissions => {
	description => "Anyone can access that, because we need that list for the login box (before the user is authenticated).",
	user => 'world',
    },
    parameters => {
	additionalProperties => 0,
	properties => {},
    },
    returns => {
	type => 'array',
	items => {
	    type => "object",
	    properties => {
		realm => { type => 'string' },
		type => { type => 'string' },
		tfa => {
		    description => "Two-factor authentication provider.",
		    type => 'string',
		    enum => [ 'yubico', 'oath' ],
		    optional => 1,
		},
		comment => {
		    description => "A comment. The GUI use this text when you select a domain (Realm) on the login window.",
		    type => 'string',
		    optional => 1,
		},
	    },
	},
	links => [ { rel => 'child', href => "{realm}" } ],
    },
    code => sub {
	my ($param) = @_;

	my $res = [];

	my $cfg = cfs_read_file($domainconfigfile);
	my $ids = $cfg->{ids};

	foreach my $realm (keys %$ids) {
	    my $d = $ids->{$realm};
	    my $entry = { realm => $realm, type => $d->{type} };
	    $entry->{comment} = $d->{comment} if $d->{comment};
	    $entry->{default} = 1 if $d->{default};
	    if ($d->{tfa} && (my $tfa_cfg = PVE::Auth::Plugin::parse_tfa_config($d->{tfa}))) {
		$entry->{tfa} = $tfa_cfg->{type};
	    }
	    push @$res, $entry;
	}

	return $res;
    }});

__PACKAGE__->register_method ({
    name => 'create',
    protected => 1,
    path => '',
    method => 'POST',
    permissions => {
	check => ['perm', '/access/realm', ['Realm.Allocate']],
    },
    description => "Add an authentication server.",
    parameters => PVE::Auth::Plugin->createSchema(),
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::Auth::Plugin::lock_domain_config(
	    sub {

		my $cfg = cfs_read_file($domainconfigfile);
		my $ids = $cfg->{ids};

		my $realm = extract_param($param, 'realm');
		my $type = $param->{type};

		die "domain '$realm' already exists\n"
		    if $ids->{$realm};

		die "unable to use reserved name '$realm'\n"
		    if ($realm eq 'pam' || $realm eq 'pve');

		die "unable to create builtin type '$type'\n"
		    if ($type eq 'pam' || $type eq 'pve');

		my $plugin = PVE::Auth::Plugin->lookup($type);
		my $config = $plugin->check_config($realm, $param, 1, 1);

		if ($config->{default}) {
		    foreach my $r (keys %$ids) {
			delete $ids->{$r}->{default};
		    }
		}

		$ids->{$realm} = $config;

		cfs_write_file($domainconfigfile, $cfg);
	    }, "add auth server failed");

	return undef;
    }});

__PACKAGE__->register_method ({
    name => 'update',
    path => '{realm}',
    method => 'PUT',
    permissions => {
	check => ['perm', '/access/realm', ['Realm.Allocate']],
    },
    description => "Update authentication server settings.",
    protected => 1,
    parameters => PVE::Auth::Plugin->updateSchema(),
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::Auth::Plugin::lock_domain_config(
	    sub {

		my $cfg = cfs_read_file($domainconfigfile);
		my $ids = $cfg->{ids};

		my $digest = extract_param($param, 'digest');
		PVE::SectionConfig::assert_if_modified($cfg, $digest);

		my $realm = extract_param($param, 'realm');

		die "domain '$realm' does not exist\n"
		    if !$ids->{$realm};

		my $delete_str = extract_param($param, 'delete');
		die "no options specified\n" if !$delete_str && !scalar(keys %$param);

		foreach my $opt (PVE::Tools::split_list($delete_str)) {
		    delete $ids->{$realm}->{$opt};
		}

		my $plugin = PVE::Auth::Plugin->lookup($ids->{$realm}->{type});
		my $config = $plugin->check_config($realm, $param, 0, 1);

		if ($config->{default}) {
		    foreach my $r (keys %$ids) {
			delete $ids->{$r}->{default};
		    }
		}

		foreach my $p (keys %$config) {
		    $ids->{$realm}->{$p} = $config->{$p};
		}

		cfs_write_file($domainconfigfile, $cfg);
	    }, "update auth server failed");

	return undef;
    }});

# fixme: return format!
__PACKAGE__->register_method ({
    name => 'read',
    path => '{realm}',
    method => 'GET',
    description => "Get auth server configuration.",
    permissions => {
	check => ['perm', '/access/realm', ['Realm.Allocate', 'Sys.Audit'], any => 1],
    },
    parameters => {
   	additionalProperties => 0,
	properties => {
	    realm =>  get_standard_option('realm'),
	},
    },
    returns => {},
    code => sub {
	my ($param) = @_;

	my $cfg = cfs_read_file($domainconfigfile);

	my $realm = $param->{realm};

	my $data = $cfg->{ids}->{$realm};
	die "domain '$realm' does not exist\n" if !$data;

	$data->{digest} = $cfg->{digest};

	return $data;
    }});


__PACKAGE__->register_method ({
    name => 'delete',
    path => '{realm}',
    method => 'DELETE',
    permissions => {
	check => ['perm', '/access/realm', ['Realm.Allocate']],
    },
    description => "Delete an authentication server.",
    protected => 1,
    parameters => {
   	additionalProperties => 0,
	properties => {
	    realm =>  get_standard_option('realm'),
	}
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::Auth::Plugin::lock_domain_config(
	    sub {

		my $cfg = cfs_read_file($domainconfigfile);
		my $ids = $cfg->{ids};

		my $realm = $param->{realm};

		die "domain '$realm' does not exist\n" if !$ids->{$realm};

		delete $ids->{$realm};

		cfs_write_file($domainconfigfile, $cfg);
	    }, "delete auth server failed");

	return undef;
    }});

my $update_users = sub {
    my ($usercfg, $realm, $synced_users, $opts) = @_;

    print "syncing users\n";
    $usercfg->{users} = {} if !defined($usercfg->{users});
    my $users = $usercfg->{users};

    my $oldusers = {};
    if ($opts->{'full'}) {
	print "full sync, deleting outdated existing users first\n";
	foreach my $userid (sort keys %$users) {
	    next if $userid !~ m/\@$realm$/;

	    $oldusers->{$userid} = delete $users->{$userid};
	    if ($opts->{'purge'} && !$synced_users->{$userid}) {
		PVE::AccessControl::delete_user_acl($userid, $usercfg);
		print "purged user '$userid' and all its ACL entries\n";
	    } elsif (!defined($synced_users->{$userid})) {
		print "remove user '$userid'\n";
	    }
	}
    }

    foreach my $userid (sort keys %$synced_users) {
	my $synced_user = $synced_users->{$userid} // {};
	if (!defined($users->{$userid})) {
	    my $user = $users->{$userid} = $synced_user;

	    my $olduser = $oldusers->{$userid} // {};
	    if (defined(my $enabled = $olduser->{enable})) {
		$user->{enable} = $enabled;
	    } elsif ($opts->{'enable-new'}) {
		$user->{enable} = 1;
	    }

	    if (defined($olduser->{tokens})) {
		$user->{tokens} = $olduser->{tokens};
	    }
	    if (defined($oldusers->{$userid})) {
		print "updated user '$userid'\n";
	    } else {
		print "added user '$userid'\n";
	    }
	} else {
	    my $olduser = $users->{$userid};
	    foreach my $attr (keys %$synced_user) {
		$olduser->{$attr} = $synced_user->{$attr};
	    }
	    print "updated user '$userid'\n";
	}
    }
};

my $update_groups = sub {
    my ($usercfg, $realm, $synced_groups, $opts) = @_;

    print "syncing groups\n";
    $usercfg->{groups} = {} if !defined($usercfg->{groups});
    my $groups = $usercfg->{groups};
    my $oldgroups = {};

    if ($opts->{full}) {
	print "full sync, deleting outdated existing groups first\n";
	foreach my $groupid (sort keys %$groups) {
	    next if $groupid !~ m/\-$realm$/;

	    my $oldgroups->{$groupid} = delete $groups->{$groupid};
	    if ($opts->{purge} && !$synced_groups->{$groupid}) {
		print "purged group '$groupid' and all its ACL entries\n";
		PVE::AccessControl::delete_group_acl($groupid, $usercfg)
	    } elsif (!defined($synced_groups->{$groupid})) {
		print "removed group '$groupid'\n";
	    }
	}
    }

    foreach my $groupid (sort keys %$synced_groups) {
	my $synced_group = $synced_groups->{$groupid};
	if (!defined($groups->{$groupid})) {
	    $groups->{$groupid} = $synced_group;
	    if (defined($oldgroups->{$groupid})) {
		print "updated group '$groupid'\n";
	    } else {
		print "added group '$groupid'\n";
	    }
	} else {
	    my $group = $groups->{$groupid};
	    foreach my $attr (keys %$synced_group) {
		$group->{$attr} = $synced_group->{$attr};
	    }
	    print "updated group '$groupid'\n";
	}
    }
};

my $parse_sync_opts = sub {
    my ($param, $realmconfig) = @_;

    my $sync_opts_fmt = PVE::JSONSchema::get_format('realm-sync-options');

    my $res = {};
    if (defined(my $cfg_opts = $realmconfig->{'sync-defaults-options'})) {
	$res = PVE::JSONSchema::parse_property_string($sync_opts_fmt, $cfg_opts);
    }

    for my $opt (sort keys %$sync_opts_fmt) {
	my $fmt = $sync_opts_fmt->{$opt};

	if (exists $param->{$opt}) {
	    $res->{$opt} = $param->{$opt};
	} elsif (!exists $res->{$opt}) {
	    raise_param_exc({
		"$opt" => 'Not passed as parameter and not defined in realm default sync options.'
	    }) if !$fmt->{optional};
	    $res->{$opt} = $fmt->{default} if exists $fmt->{default};
	}
    }
    return $res;
};

__PACKAGE__->register_method ({
    name => 'sync',
    path => '{realm}/sync',
    method => 'POST',
    permissions => {
	description => "'Realm.AllocateUser' on '/access/realm/<realm>' and "
	    ." 'User.Modify' permissions to '/access/groups/'.",
	check => [ 'and',
	    [ 'userid-param', 'Realm.AllocateUser' ],
	    [ 'userid-group', ['User.Modify'] ],
	],
    },
    description => "Syncs users and/or groups from the configured LDAP to user.cfg."
	." NOTE: Synced groups will have the name 'name-\$realm', so make sure"
	." those groups do not exist to prevent overwriting.",
    protected => 1,
    parameters => {
	additionalProperties => 0,
	properties => get_standard_option('realm-sync-options', {
	    realm => get_standard_option('realm'),
	})
    },
    returns => {
	description => 'Worker Task-UPID',
	type => 'string'
    },
    code => sub {
	my ($param) = @_;

	my $rpcenv = PVE::RPCEnvironment::get();
	my $authuser = $rpcenv->get_user();

	my $realm = $param->{realm};
	my $cfg = cfs_read_file($domainconfigfile);
	my $realmconfig = $cfg->{ids}->{$realm};

	raise_param_exc({ 'realm' => 'Realm does not exist.' }) if !defined($realmconfig);
	my $type = $realmconfig->{type};

	if ($type ne 'ldap' && $type ne 'ad') {
	    die "Cannot sync realm type '$type'! Only LDAP/AD realms can be synced.\n";
	}

	my $opts = $parse_sync_opts->($param, $realmconfig); # can throw up

	my $scope = $opts->{scope};
	my $whatstring = $scope eq 'both' ? "users and groups" : $scope;

	my $plugin = PVE::Auth::Plugin->lookup($type);

	my $worker = sub {
	    print "starting sync for realm $realm\n";

	    my ($synced_users, $dnmap) = $plugin->get_users($realmconfig, $realm);
	    my $synced_groups = {};
	    if ($scope eq 'groups' || $scope eq 'both') {
		$synced_groups = $plugin->get_groups($realmconfig, $realm, $dnmap);
	    }

	    PVE::AccessControl::lock_user_config(sub {
		my $usercfg = cfs_read_file("user.cfg");
		print "got data from server, updating $whatstring\n";

		if ($scope eq 'users' || $scope eq 'both') {
		    $update_users->($usercfg, $realm, $synced_users, $opts);
		}

		if ($scope eq 'groups' || $scope eq 'both') {
		    $update_groups->($usercfg, $realm, $synced_groups, $opts);
		}

		cfs_write_file("user.cfg", $usercfg);
		print "successfully updated $whatstring configuration\n";
	    }, "syncing $whatstring failed");
	};

	return $rpcenv->fork_worker('auth-realm-sync', $realm, $authuser, $worker);
    }});

1;
Commit	Line	Data
2c3a6c0a DM	1	package PVE::API2::Domains;
	2
	3	use strict;
	4	use warnings;
673d2bf2	5	use PVE::Exception qw(raise_param_exc);
5bb4e06a	6	use PVE::Tools qw(extract_param);
2c3a6c0a DM	7	use PVE::Cluster qw (cfs_read_file cfs_write_file);
	8	use PVE::AccessControl;
	9	use PVE::JSONSchema qw(get_standard_option);
	10
	11	use PVE::SafeSyslog;
2c3a6c0a	12	use PVE::RESTHandler;
5bb4e06a	13	use PVE::Auth::Plugin;
2c3a6c0a DM	14
	15	my $domainconfigfile = "domains.cfg";
	16
	17	use base qw(PVE::RESTHandler);
	18
	19	__PACKAGE__->register_method ({
32449f35 DC	20	name => 'index',
32449f35 DC	21	path => '',
2c3a6c0a DM	22	method => 'GET',
2c3a6c0a DM	23	description => "Authentication domain index.",
32449f35	24	permissions => {
82b63965	25	description => "Anyone can access that, because we need that list for the login box (before the user is authenticated).",
32449f35	26	user => 'world',
82b63965	27	},
2c3a6c0a DM	28	parameters => {
	29	additionalProperties => 0,
	30	properties => {},
	31	},
	32	returns => {
	33	type => 'array',
	34	items => {
	35	type => "object",
	36	properties => {
	37	realm => { type => 'string' },
f3c87f9b	38	type => { type => 'string' },
96f8ebd6 DM	39	tfa => {
	40	description => "Two-factor authentication provider.",
	41	type => 'string',
1abc2c0a	42	enum => [ 'yubico', 'oath' ],
96f8ebd6 DM	43	optional => 1,
96f8ebd6 DM	44	},
52b2eff3 DM	45	comment => {
	46	description => "A comment. The GUI use this text when you select a domain (Realm) on the login window.",
	47	type => 'string',
	48	optional => 1,
	49	},
2c3a6c0a DM	50	},
	51	},
	52	links => [ { rel => 'child', href => "{realm}" } ],
	53	},
	54	code => sub {
	55	my ($param) = @_;
32449f35	56
2c3a6c0a DM	57	my $res = [];
	58
	59	my $cfg = cfs_read_file($domainconfigfile);
5bb4e06a DM	60	my $ids = $cfg->{ids};
	61
	62	foreach my $realm (keys %$ids) {
	63	my $d = $ids->{$realm};
2c3a6c0a DM	64	my $entry = { realm => $realm, type => $d->{type} };
	65	$entry->{comment} = $d->{comment} if $d->{comment};
	66	$entry->{default} = 1 if $d->{default};
96f8ebd6 DM	67	if ($d->{tfa} && (my $tfa_cfg = PVE::Auth::Plugin::parse_tfa_config($d->{tfa}))) {
	68	$entry->{tfa} = $tfa_cfg->{type};
	69	}
2c3a6c0a DM	70	push @$res, $entry;
	71	}
	72
	73	return $res;
	74	}});
	75
	76	__PACKAGE__->register_method ({
32449f35	77	name => 'create',
2c3a6c0a	78	protected => 1,
32449f35	79	path => '',
2c3a6c0a	80	method => 'POST',
32449f35	81	permissions => {
82b63965	82	check => ['perm', '/access/realm', ['Realm.Allocate']],
96919234	83	},
2c3a6c0a	84	description => "Add an authentication server.",
5bb4e06a	85	parameters => PVE::Auth::Plugin->createSchema(),
2c3a6c0a DM	86	returns => { type => 'null' },
	87	code => sub {
	88	my ($param) = @_;
	89
5bb4e06a	90	PVE::Auth::Plugin::lock_domain_config(
2c3a6c0a	91	sub {
32449f35	92
2c3a6c0a	93	my $cfg = cfs_read_file($domainconfigfile);
5bb4e06a	94	my $ids = $cfg->{ids};
2c3a6c0a	95
5bb4e06a DM	96	my $realm = extract_param($param, 'realm');
5bb4e06a DM	97	my $type = $param->{type};
32449f35 DC	98
32449f35 DC	99	die "domain '$realm' already exists\n"
5bb4e06a	100	if $ids->{$realm};
2c3a6c0a DM	101
	102	die "unable to use reserved name '$realm'\n"
	103	if ($realm eq 'pam' \|\| $realm eq 'pve');
	104
5bb4e06a DM	105	die "unable to create builtin type '$type'\n"
5bb4e06a DM	106	if ($type eq 'pam' \|\| $type eq 'pve');
af4a8a85	107
5bb4e06a DM	108	my $plugin = PVE::Auth::Plugin->lookup($type);
5bb4e06a DM	109	my $config = $plugin->check_config($realm, $param, 1, 1);
2c3a6c0a	110
5bb4e06a DM	111	if ($config->{default}) {
	112	foreach my $r (keys %$ids) {
	113	delete $ids->{$r}->{default};
0c156363	114	}
af4a8a85 DM	115	}
af4a8a85 DM	116
5bb4e06a DM	117	$ids->{$realm} = $config;
5bb4e06a DM	118
2c3a6c0a DM	119	cfs_write_file($domainconfigfile, $cfg);
	120	}, "add auth server failed");
	121
	122	return undef;
	123	}});
	124
	125	__PACKAGE__->register_method ({
32449f35 DC	126	name => 'update',
32449f35 DC	127	path => '{realm}',
2c3a6c0a	128	method => 'PUT',
32449f35	129	permissions => {
82b63965	130	check => ['perm', '/access/realm', ['Realm.Allocate']],
96919234	131	},
2c3a6c0a DM	132	description => "Update authentication server settings.",
2c3a6c0a DM	133	protected => 1,
5bb4e06a	134	parameters => PVE::Auth::Plugin->updateSchema(),
2c3a6c0a DM	135	returns => { type => 'null' },
	136	code => sub {
	137	my ($param) = @_;
	138
5bb4e06a	139	PVE::Auth::Plugin::lock_domain_config(
2c3a6c0a	140	sub {
32449f35	141
2c3a6c0a	142	my $cfg = cfs_read_file($domainconfigfile);
5bb4e06a	143	my $ids = $cfg->{ids};
2c3a6c0a	144
5bb4e06a DM	145	my $digest = extract_param($param, 'digest');
	146	PVE::SectionConfig::assert_if_modified($cfg, $digest);
	147
	148	my $realm = extract_param($param, 'realm');
2c3a6c0a	149
32449f35	150	die "domain '$realm' does not exist\n"
5bb4e06a DM	151	if !$ids->{$realm};
	152
	153	my $delete_str = extract_param($param, 'delete');
	154	die "no options specified\n" if !$delete_str && !scalar(keys %$param);
2c3a6c0a	155
5bb4e06a DM	156	foreach my $opt (PVE::Tools::split_list($delete_str)) {
5bb4e06a DM	157	delete $ids->{$realm}->{$opt};
2c3a6c0a	158	}
32449f35	159
5bb4e06a DM	160	my $plugin = PVE::Auth::Plugin->lookup($ids->{$realm}->{type});
5bb4e06a DM	161	my $config = $plugin->check_config($realm, $param, 0, 1);
2c3a6c0a	162
5bb4e06a DM	163	if ($config->{default}) {
	164	foreach my $r (keys %$ids) {
	165	delete $ids->{$r}->{default};
2c3a6c0a DM	166	}
	167	}
	168
5bb4e06a DM	169	foreach my $p (keys %$config) {
5bb4e06a DM	170	$ids->{$realm}->{$p} = $config->{$p};
af4a8a85 DM	171	}
af4a8a85 DM	172
2c3a6c0a DM	173	cfs_write_file($domainconfigfile, $cfg);
	174	}, "update auth server failed");
	175
	176	return undef;
	177	}});
	178
	179	# fixme: return format!
	180	__PACKAGE__->register_method ({
32449f35 DC	181	name => 'read',
32449f35 DC	182	path => '{realm}',
2c3a6c0a DM	183	method => 'GET',
2c3a6c0a DM	184	description => "Get auth server configuration.",
32449f35	185	permissions => {
82b63965	186	check => ['perm', '/access/realm', ['Realm.Allocate', 'Sys.Audit'], any => 1],
96919234	187	},
2c3a6c0a DM	188	parameters => {
	189	additionalProperties => 0,
	190	properties => {
	191	realm => get_standard_option('realm'),
	192	},
	193	},
	194	returns => {},
	195	code => sub {
	196	my ($param) = @_;
	197
	198	my $cfg = cfs_read_file($domainconfigfile);
	199
	200	my $realm = $param->{realm};
32449f35	201
5bb4e06a	202	my $data = $cfg->{ids}->{$realm};
2c3a6c0a DM	203	die "domain '$realm' does not exist\n" if !$data;
2c3a6c0a DM	204
5bb4e06a DM	205	$data->{digest} = $cfg->{digest};
5bb4e06a DM	206
2c3a6c0a DM	207	return $data;
	208	}});
	209
	210
	211	__PACKAGE__->register_method ({
32449f35 DC	212	name => 'delete',
32449f35 DC	213	path => '{realm}',
2c3a6c0a	214	method => 'DELETE',
32449f35	215	permissions => {
82b63965	216	check => ['perm', '/access/realm', ['Realm.Allocate']],
96919234	217	},
2c3a6c0a DM	218	description => "Delete an authentication server.",
	219	protected => 1,
	220	parameters => {
	221	additionalProperties => 0,
	222	properties => {
	223	realm => get_standard_option('realm'),
	224	}
	225	},
	226	returns => { type => 'null' },
	227	code => sub {
	228	my ($param) = @_;
	229
5bb4e06a	230	PVE::Auth::Plugin::lock_domain_config(
2c3a6c0a DM	231	sub {
	232
	233	my $cfg = cfs_read_file($domainconfigfile);
5bb4e06a	234	my $ids = $cfg->{ids};
2c3a6c0a DM	235
2c3a6c0a DM	236	my $realm = $param->{realm};
32449f35	237
5bb4e06a	238	die "domain '$realm' does not exist\n" if !$ids->{$realm};
2c3a6c0a	239
5bb4e06a	240	delete $ids->{$realm};
2c3a6c0a DM	241
	242	cfs_write_file($domainconfigfile, $cfg);
	243	}, "delete auth server failed");
32449f35	244
2c3a6c0a DM	245	return undef;
	246	}});
	247
415179b0 TL	248	my $update_users = sub {
	249	my ($usercfg, $realm, $synced_users, $opts) = @_;
	250
	251	print "syncing users\n";
	252	$usercfg->{users} = {} if !defined($usercfg->{users});
	253	my $users = $usercfg->{users};
	254
	255	my $oldusers = {};
	256	if ($opts->{'full'}) {
	257	print "full sync, deleting outdated existing users first\n";
	258	foreach my $userid (sort keys %$users) {
	259	next if $userid !~ m/\@$realm$/;
	260
	261	$oldusers->{$userid} = delete $users->{$userid};
	262	if ($opts->{'purge'} && !$synced_users->{$userid}) {
	263	PVE::AccessControl::delete_user_acl($userid, $usercfg);
	264	print "purged user '$userid' and all its ACL entries\n";
	265	} elsif (!defined($synced_users->{$userid})) {
	266	print "remove user '$userid'\n";
	267	}
	268	}
	269	}
	270
	271	foreach my $userid (sort keys %$synced_users) {
	272	my $synced_user = $synced_users->{$userid} // {};
	273	if (!defined($users->{$userid})) {
	274	my $user = $users->{$userid} = $synced_user;
	275
	276	my $olduser = $oldusers->{$userid} // {};
	277	if (defined(my $enabled = $olduser->{enable})) {
	278	$user->{enable} = $enabled;
d29d2d4a	279	} elsif ($opts->{'enable-new'}) {
415179b0 TL	280	$user->{enable} = 1;
	281	}
	282
	283	if (defined($olduser->{tokens})) {
	284	$user->{tokens} = $olduser->{tokens};
	285	}
	286	if (defined($oldusers->{$userid})) {
	287	print "updated user '$userid'\n";
	288	} else {
	289	print "added user '$userid'\n";
	290	}
	291	} else {
	292	my $olduser = $users->{$userid};
	293	foreach my $attr (keys %$synced_user) {
	294	$olduser->{$attr} = $synced_user->{$attr};
	295	}
	296	print "updated user '$userid'\n";
	297	}
	298	}
	299	};
	300
	301	my $update_groups = sub {
	302	my ($usercfg, $realm, $synced_groups, $opts) = @_;
	303
	304	print "syncing groups\n";
	305	$usercfg->{groups} = {} if !defined($usercfg->{groups});
	306	my $groups = $usercfg->{groups};
	307	my $oldgroups = {};
	308
	309	if ($opts->{full}) {
	310	print "full sync, deleting outdated existing groups first\n";
	311	foreach my $groupid (sort keys %$groups) {
	312	next if $groupid !~ m/\-$realm$/;
	313
	314	my $oldgroups->{$groupid} = delete $groups->{$groupid};
	315	if ($opts->{purge} && !$synced_groups->{$groupid}) {
	316	print "purged group '$groupid' and all its ACL entries\n";
	317	PVE::AccessControl::delete_group_acl($groupid, $usercfg)
	318	} elsif (!defined($synced_groups->{$groupid})) {
	319	print "removed group '$groupid'\n";
	320	}
	321	}
	322	}
	323
	324	foreach my $groupid (sort keys %$synced_groups) {
	325	my $synced_group = $synced_groups->{$groupid};
	326	if (!defined($groups->{$groupid})) {
	327	$groups->{$groupid} = $synced_group;
	328	if (defined($oldgroups->{$groupid})) {
	329	print "updated group '$groupid'\n";
	330	} else {
	331	print "added group '$groupid'\n";
	332	}
	333	} else {
	334	my $group = $groups->{$groupid};
	335	foreach my $attr (keys %$synced_group) {
	336	$group->{$attr} = $synced_group->{$attr};
	337	}
	338	print "updated group '$groupid'\n";
	339	}
	340	}
	341	};
	342
d29d2d4a TL	343	my $parse_sync_opts = sub {
	344	my ($param, $realmconfig) = @_;
	345
	346	my $sync_opts_fmt = PVE::JSONSchema::get_format('realm-sync-options');
	347
	348	my $res = {};
	349	if (defined(my $cfg_opts = $realmconfig->{'sync-defaults-options'})) {
	350	$res = PVE::JSONSchema::parse_property_string($sync_opts_fmt, $cfg_opts);
	351	}
	352
	353	for my $opt (sort keys %$sync_opts_fmt) {
	354	my $fmt = $sync_opts_fmt->{$opt};
	355
	356	if (exists $param->{$opt}) {
	357	$res->{$opt} = $param->{$opt};
	358	} elsif (!exists $res->{$opt}) {
	359	raise_param_exc({
	360	"$opt" => 'Not passed as parameter and not defined in realm default sync options.'
	361	}) if !$fmt->{optional};
	362	$res->{$opt} = $fmt->{default} if exists $fmt->{default};
	363	}
	364	}
	365	return $res;
	366	};
	367
673d2bf2 DC	368	__PACKAGE__->register_method ({
	369	name => 'sync',
	370	path => '{realm}/sync',
	371	method => 'POST',
	372	permissions => {
cf109814 TL	373	description => "'Realm.AllocateUser' on '/access/realm/<realm>' and "
cf109814 TL	374	." 'User.Modify' permissions to '/access/groups/'.",
673d2bf2	375	check => [ 'and',
cf109814 TL	376	[ 'userid-param', 'Realm.AllocateUser' ],
	377	[ 'userid-group', ['User.Modify'] ],
	378	],
673d2bf2	379	},
cf109814 TL	380	description => "Syncs users and/or groups from the configured LDAP to user.cfg."
	381	." NOTE: Synced groups will have the name 'name-\$realm', so make sure"
	382	." those groups do not exist to prevent overwriting.",
673d2bf2 DC	383	protected => 1,
	384	parameters => {
	385	additionalProperties => 0,
d29d2d4a TL	386	properties => get_standard_option('realm-sync-options', {
	387	realm => get_standard_option('realm'),
	388	})
673d2bf2	389	},
cf109814 TL	390	returns => {
	391	description => 'Worker Task-UPID',
	392	type => 'string'
	393	},
673d2bf2 DC	394	code => sub {
	395	my ($param) = @_;
	396
	397	my $rpcenv = PVE::RPCEnvironment::get();
	398	my $authuser = $rpcenv->get_user();
	399
673d2bf2 DC	400	my $realm = $param->{realm};
673d2bf2 DC	401	my $cfg = cfs_read_file($domainconfigfile);
cf109814	402	my $realmconfig = $cfg->{ids}->{$realm};
673d2bf2	403
cf109814 TL	404	raise_param_exc({ 'realm' => 'Realm does not exist.' }) if !defined($realmconfig);
cf109814 TL	405	my $type = $realmconfig->{type};
673d2bf2 DC	406
673d2bf2 DC	407	if ($type ne 'ldap' && $type ne 'ad') {
cf109814	408	die "Cannot sync realm type '$type'! Only LDAP/AD realms can be synced.\n";
673d2bf2	409	}
673d2bf2	410
d29d2d4a	411	my $opts = $parse_sync_opts->($param, $realmconfig); # can throw up
673d2bf2	412
d29d2d4a	413	my $scope = $opts->{scope};
cf109814	414	my $whatstring = $scope eq 'both' ? "users and groups" : $scope;
673d2bf2	415
cf109814	416	my $plugin = PVE::Auth::Plugin->lookup($type);
673d2bf2 DC	417
673d2bf2 DC	418	my $worker = sub {
cf109814 TL	419	print "starting sync for realm $realm\n";
	420
	421	my ($synced_users, $dnmap) = $plugin->get_users($realmconfig, $realm);
	422	my $synced_groups = {};
	423	if ($scope eq 'groups' \|\| $scope eq 'both') {
	424	$synced_groups = $plugin->get_groups($realmconfig, $realm, $dnmap);
673d2bf2 DC	425	}
673d2bf2 DC	426
cf109814	427	PVE::AccessControl::lock_user_config(sub {
673d2bf2	428	my $usercfg = cfs_read_file("user.cfg");
cf109814	429	print "got data from server, updating $whatstring\n";
673d2bf2	430
415179b0	431	if ($scope eq 'users' \|\| $scope eq 'both') {
d29d2d4a	432	$update_users->($usercfg, $realm, $synced_users, $opts);
673d2bf2 DC	433	}
673d2bf2 DC	434
415179b0	435	if ($scope eq 'groups' \|\| $scope eq 'both') {
d29d2d4a	436	$update_groups->($usercfg, $realm, $synced_groups, $opts);
673d2bf2	437	}
cf109814	438
673d2bf2	439	cfs_write_file("user.cfg", $usercfg);
cf109814 TL	440	print "successfully updated $whatstring configuration\n";
cf109814 TL	441	}, "syncing $whatstring failed");
673d2bf2 DC	442	};
673d2bf2 DC	443
6a2138e4	444	return $rpcenv->fork_worker('auth-realm-sync', $realm, $authuser, $worker);
673d2bf2 DC	445	}});
673d2bf2 DC	446
2c3a6c0a	447	1;