1package PVE::API2::Group;
2
3use strict;
4use warnings;
5use PVE::Cluster qw (cfs_read_file cfs_write_file);
6use PVE::AccessControl;
2c3a6c0a 7use PVE::SafeSyslog;
8use PVE::RESTHandler;
9
10use base qw(PVE::RESTHandler);
11
# GET on the collection: list the groups the caller may see.
#
# The declared permission is only "user => 'all'", so the per-group filter
# inside the handler is the sole authorization gate for this endpoint.
__PACKAGE__->register_method ({
    name => 'index',
    path => '',
    method => 'GET',
    description => "Group index.",
    permissions => {
        description => "The returned list is restricted to groups where you have 'User.Allocate' or 'Sys.Audit' permissions on '/access', or 'User.Allocate' on /access/groups/<group>.",
        user => 'all',
    },
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    returns => {
        type => 'array',
        items => {
            type => "object",
            properties => {
                groupid => { type => 'string' },
            },
        },
        links => [ { rel => 'child', href => "{groupid}" } ],
    },
    code => sub {
        my ($param) = @_;

        my $rpcenv = PVE::RPCEnvironment::get();
        my $usercfg = cfs_read_file("user.cfg");
        my $authuser = $rpcenv->get_user();

        my $privs = [ 'User.Allocate', 'Sys.Audit' ];

        # Either privilege on '/access' exposes every group. The trailing 1
        # is presumably a "do not raise, return a boolean" flag - TODO confirm
        # against PVE::RPCEnvironment.
        my $see_all = $rpcenv->check_any($authuser, "/access", $privs, 1);

        # NOTE(review): both privileges are passed here, while the permission
        # description above names only 'User.Allocate' at group level -
        # confirm which of the two is intended.
        my $visible = $rpcenv->filter_groups($authuser, $privs, 1);

        my @entries;
        for my $groupid (keys %{ $usercfg->{groups} }) {
            # Fail closed: a group is listed only on an explicit allow.
            next unless $see_all || $visible->{$groupid};

            my $cfg = $usercfg->{groups}{$groupid};
            my %entry = (groupid => $groupid);
            $entry{comment} = $cfg->{comment} if defined $cfg->{comment};

            push @entries, \%entry;
        }

        return \@entries;
    }});
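# POST on the collection: create a new, empty group.
#
# Requires 'Sys.Modify' on '/access'. 'protected => 1' presumably makes the
# framework run the handler in the privileged daemon - TODO confirm against
# PVE::RESTHandler.
#
# Parameters:
#   groupid - validated by the 'pve-groupid' schema format before the handler
#             runs; the handler itself does no further checking.
#   comment - optional free-form string. NOTE(review): the schema puts no
#             format or length limit on it, so whatever serializes user.cfg
#             has to escape it - confirm in the config writer.
#
# Returns nothing (schema type 'null'); dies if the group already exists.
__PACKAGE__->register_method ({
    name => 'create_group',
    protected => 1,
    path => '',
    method => 'POST',
    permissions => {
        check => ['perm', '/access', ['Sys.Modify']],
    },
    description => "Create new group.",
    parameters => {
        additionalProperties => 0,
        properties => {
            groupid => { type => 'string', format => 'pve-groupid' },
            comment => { type => 'string', optional => 1 },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        # The config is read inside the locked callback, so the existence
        # check and the write below act on the same snapshot.
        PVE::AccessControl::lock_user_config(
            sub {
                my $usercfg = cfs_read_file("user.cfg");

                my $group = $param->{groupid};

                die "group '$group' already exists\n"
                    if $usercfg->{groups}->{$group};

                $usercfg->{groups}->{$group} = { users => {} };

                # Test for a non-empty string rather than truthiness: the
                # previous "if $param->{comment}" silently dropped the valid
                # comment "0". An empty comment is still skipped, as before.
                my $comment = $param->{comment};
                $usercfg->{groups}->{$group}->{comment} = $comment
                    if defined($comment) && length($comment);

                cfs_write_file("user.cfg", $usercfg);
            }, "create group failed");

        return undef;
    }});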
# PUT on a single group: change the stored comment of an existing group.
#
# Requires 'Sys.Modify' on '/access'. A request without 'comment' leaves the
# stored value untouched; the handler offers no way to remove the key, only
# to overwrite it (an empty string included).
__PACKAGE__->register_method ({
    name => 'update_group',
    protected => 1,
    path => '{groupid}',
    method => 'PUT',
    permissions => {
        check => ['perm', '/access', ['Sys.Modify']],
    },
    description => "Update group data.",
    parameters => {
        additionalProperties => 0,
        properties => {
            groupid => { type => 'string', format => 'pve-groupid' },
            comment => { type => 'string', optional => 1 },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        # Read-modify-write happens entirely inside the locked callback.
        my $apply_update = sub {
            my $usercfg = cfs_read_file("user.cfg");
            my $group = $param->{groupid};

            my $data = $usercfg->{groups}{$group}
                or die "group '$group' does not exist\n";

            if (defined($param->{comment})) {
                $data->{comment} = $param->{comment};
            }

            cfs_write_file("user.cfg", $usercfg);
        };

        PVE::AccessControl::lock_user_config($apply_update, "update group failed");

        return undef;
    }});
# GET on a single group: return its comment and member list.
#
# Requires 'Sys.Audit' on '/access'. NOTE(review): the 'index' method in this
# file also lists groups for callers who pass its per-group filter, so such a
# caller can see a group in the index yet be refused here. That fails closed,
# but confirm the asymmetry is intended.
__PACKAGE__->register_method ({
    name => 'read_group',
    path => '{groupid}',
    method => 'GET',
    permissions => {
        check => ['perm', '/access', ['Sys.Audit']],
    },
    description => "Get group configuration.",
    parameters => {
        additionalProperties => 0,
        properties => {
            groupid => { type => 'string', format => 'pve-groupid' },
        },
    },
    returns => {
        type => "object",
        additionalProperties => 0,
        properties => {
            comment => { type => 'string', optional => 1 },
            members => {
                type => 'array',
                items => {
                    type => "string",
                },
            },
        },
    },
    code => sub {
        my ($param) = @_;

        my $group = $param->{groupid};
        my $usercfg = cfs_read_file("user.cfg");

        my $data = $usercfg->{groups}{$group}
            or die "group '$group' does not exist\n";

        # Members are the keys of the group's 'users' hash; a group without
        # that hash reports an empty list.
        my @members = $data->{users} ? keys %{ $data->{users} } : ();

        my %res = (members => \@members);
        $res{comment} = $data->{comment} if defined $data->{comment};

        return \%res;
    }});
# DELETE on a single group: remove the group and its ACL references.
#
# Requires 'Sys.Modify' on '/access'. Dies if the group does not exist.
__PACKAGE__->register_method ({
    name => 'delete_group',
    protected => 1,
    path => '{groupid}',
    method => 'DELETE',
    permissions => {
        check => ['perm', '/access', ['Sys.Modify']],
    },
    description => "Delete group.",
    parameters => {
        additionalProperties => 0,
        properties => {
            groupid => { type => 'string', format => 'pve-groupid' },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        # Lookup, removal and write-back all run inside the locked callback.
        my $remove_group = sub {
            my $usercfg = cfs_read_file("user.cfg");
            my $group = $param->{groupid};

            die "group '$group' does not exist\n"
                unless $usercfg->{groups}{$group};

            delete $usercfg->{groups}{$group};

            # Judging by its name, this drops the ACL entries that reference
            # the group (helper body not visible here). If stale entries were
            # left behind, a group later re-created under the same id would
            # pick up the old grants.
            PVE::AccessControl::delete_group_acl($group, $usercfg);

            cfs_write_file("user.cfg", $usercfg);
        };

        PVE::AccessControl::lock_user_config($remove_group, "delete group failed");

        return undef;
    }});
2271;