]> git.proxmox.com Git - pve-access-control.git/blame - PVE/API2/Group.pm
change from dpkg-deb to dpkg-buildpackage
1package PVE::API2::Group;
2
3use strict;
4use warnings;
5use PVE::Cluster qw (cfs_read_file cfs_write_file);
6use PVE::AccessControl;
2c3a6c0a 7use PVE::SafeSyslog;
8use PVE::RESTHandler;
9
10use base qw(PVE::RESTHandler);
11
# GET on the group collection: list the groups the calling user may see.
#
# The declared permission is user => 'all', so any authenticated user can
# call this method. The per-group privilege check inside the handler is
# therefore the only filter deciding which groups appear in the result.
#
# NOTE(review): PVE::RPCEnvironment::get() is called below, but the use
# lines at the top of this file do not load PVE::RPCEnvironment; presumably
# it is loaded by another module before this handler runs -- confirm.
__PACKAGE__->register_method ({
    name => 'index',
    path => '',
    method => 'GET',
    description => "Group index.",
    permissions => {
        description => "The returned list is restricted to groups where you have 'User.Modify', 'Sys.Audit' or 'Group.Allocate' permissions on /access/groups/<group>.",
        user => 'all',
    },
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    returns => {
        type => 'array',
        items => {
            type => "object",
            properties => {
                groupid => { type => 'string' },
            },
        },
        links => [ { rel => 'child', href => "{groupid}" } ],
    },
    code => sub {
        my ($param) = @_;

        my $rpcenv = PVE::RPCEnvironment::get();
        my $cfg = cfs_read_file("user.cfg");
        my $caller = $rpcenv->get_user();

        # Holding any one of these on the group's ACL path makes it visible.
        my $accepted_privs = [ 'User.Modify', 'Sys.Audit', 'Group.Allocate'];

        my @visible;
        for my $groupid (keys %{$cfg->{groups}}) {
            my $acl_path = "/access/groups/$groupid";

            # The trailing 1 is presumably the "no error" flag, so a failed
            # check returns false instead of raising -- confirm against
            # PVE::RPCEnvironment.
            if ($rpcenv->check_any($caller, $acl_path, $accepted_privs, 1)) {
                my $record = $cfg->{groups}->{$groupid};

                # 'comment' is returned when set, although the declared
                # return schema above lists only 'groupid'.
                my $entry = { groupid => $groupid };
                if (defined($record->{comment})) {
                    $entry->{comment} = $record->{comment};
                }

                push @visible, $entry;
            }
        }

        return \@visible;
    }});
56
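# POST on the group collection: create a new, empty group.
#
# Requires 'Group.Allocate' on /access/groups. The groupid parameter is
# declared with format 'pve-groupid'; validation against that format is
# presumably done by the REST framework before the handler runs -- confirm.
#
# NOTE(review): PVE::SafeSyslog is imported by this file, but nothing is
# logged here when a group is created; consider an audit log entry for this
# access-control change.
__PACKAGE__->register_method ({
    name => 'create_group',
    protected => 1,
    path => '',
    method => 'POST',
    permissions => {
        check => ['perm', '/access/groups', ['Group.Allocate']],
    },
    description => "Create new group.",
    parameters => {
        additionalProperties => 0,
        properties => {
            groupid => { type => 'string', format => 'pve-groupid' },
            comment => { type => 'string', optional => 1 },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        # Read, existence check and write all happen inside the callback
        # handed to lock_user_config, so they operate on one snapshot of
        # user.cfg while that helper holds its lock.
        PVE::AccessControl::lock_user_config(
            sub {

                my $usercfg = cfs_read_file("user.cfg");

                my $group = $param->{groupid};

                die "group '$group' already exists\n"
                    if $usercfg->{groups}->{$group};

                $usercfg->{groups}->{$group} = { users => {} };

                # Test for a defined, non-empty string rather than plain
                # truthiness: a comment of "0" is a valid string and was
                # silently dropped by the previous `if $param->{comment}`.
                # Empty comments are still not stored, as before.
                my $comment = $param->{comment};
                $usercfg->{groups}->{$group}->{comment} = $comment
                    if defined($comment) && length($comment);

                cfs_write_file("user.cfg", $usercfg);
            }, "create group failed");

        return undef;
    }});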
97
# PUT on a single group: change the group's comment.
#
# NOTE(review): the permission is checked against the collection path
# /access/groups, not /access/groups/{groupid}, while the index method
# filters on the per-group path. Whether a privilege granted only on one
# group's path satisfies this check depends on how 'perm' resolves ACL
# paths -- confirm that the difference is intended.
#
# NOTE(review): PVE::SafeSyslog is imported by this file, but nothing is
# logged here when a group is modified.
__PACKAGE__->register_method ({
    name => 'update_group',
    protected => 1,
    path => '{groupid}',
    method => 'PUT',
    permissions => {
        check => ['perm', '/access/groups', ['Group.Allocate']],
    },
    description => "Update group data.",
    parameters => {
        additionalProperties => 0,
        properties => {
            groupid => {
                type => 'string', format => 'pve-groupid',
                completion => \&PVE::AccessControl::complete_group,
            },
            comment => { type => 'string', optional => 1 },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        # Runs under lock_user_config: the lookup and the write use the
        # same snapshot of user.cfg.
        my $apply_change = sub {
            my $cfg = cfs_read_file("user.cfg");

            my $groupid = $param->{groupid};
            my $record = $cfg->{groups}->{$groupid};

            if (!$record) {
                die "group '$groupid' does not exist\n";
            }

            # An omitted comment leaves the stored one untouched; an empty
            # string is defined and therefore overwrites it.
            if (defined($param->{comment})) {
                $record->{comment} = $param->{comment};
            }

            # The config is written back even when nothing was changed.
            cfs_write_file("user.cfg", $cfg);
        };

        PVE::AccessControl::lock_user_config($apply_change, "update group failed");

        return undef;
    }});
140
# GET on a single group: return its comment and the list of member ids.
#
# Access needs either 'Sys.Audit' or 'Group.Allocate' (any => 1) on
# /access/groups.
#
# NOTE(review): the index method also accepts 'User.Modify' and checks the
# per-group path /access/groups/<group>, so a group can be listed there
# without being readable here -- confirm that this is intended.
__PACKAGE__->register_method ({
    name => 'read_group',
    path => '{groupid}',
    method => 'GET',
    permissions => {
        check => ['perm', '/access/groups', ['Sys.Audit', 'Group.Allocate'], any => 1],
    },
    description => "Get group configuration.",
    parameters => {
        additionalProperties => 0,
        properties => {
            groupid => { type => 'string', format => 'pve-groupid' },
        },
    },
    returns => {
        type => "object",
        additionalProperties => 0,
        properties => {
            comment => { type => 'string', optional => 1 },
            members => {
                type => 'array',
                items => {
                    type => "string",
                },
            },
        },
    },
    code => sub {
        my ($param) = @_;

        my $groupid = $param->{groupid};

        # Read-only access: no lock is taken around the config read.
        my $cfg = cfs_read_file("user.cfg");
        my $record = $cfg->{groups}->{$groupid};

        die "group '$groupid' does not exist\n" unless $record;

        # Member ids are the keys of the group's 'users' hash; hash key
        # order is unspecified, so the list comes back in no fixed order.
        my @member_ids;
        if ($record->{users}) {
            @member_ids = keys %{$record->{users}};
        }

        my $reply = { members => \@member_ids };

        if (defined($record->{comment})) {
            $reply->{comment} = $record->{comment};
        }

        return $reply;
    }});
187
188
# DELETE on a single group: remove the group and its ACL entries.
#
# Requires 'Group.Allocate' on /access/groups (the collection path, not the
# per-group path).
#
# NOTE(review): PVE::SafeSyslog is imported by this file, but nothing is
# logged here when a group and its ACL entries are removed; consider an
# audit log entry for this access-control change.
__PACKAGE__->register_method ({
    name => 'delete_group',
    protected => 1,
    path => '{groupid}',
    method => 'DELETE',
    permissions => {
        check => ['perm', '/access/groups', ['Group.Allocate']],
    },
    description => "Delete group.",
    parameters => {
        additionalProperties => 0,
        properties => {
            groupid => {
                type => 'string' , format => 'pve-groupid',
                completion => \&PVE::AccessControl::complete_group,
            },
        }
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        # Runs under lock_user_config: the lookup, both removals and the
        # write use the same snapshot of user.cfg.
        my $remove_group = sub {
            my $cfg = cfs_read_file("user.cfg");

            my $groupid = $param->{groupid};

            die "group '$groupid' does not exist\n"
                unless $cfg->{groups}->{$groupid};

            delete $cfg->{groups}->{$groupid};

            # ACL cleanup happens before the single write below, so the
            # group entry and whatever delete_group_acl removes are
            # persisted together. Presumably this keeps stale ACL entries
            # from applying to a later group with the same id -- confirm.
            PVE::AccessControl::delete_group_acl($groupid, $cfg);

            cfs_write_file("user.cfg", $cfg);
        };

        PVE::AccessControl::lock_user_config($remove_group, "delete group failed");

        return undef;
    }});
230
2311;