[pve-access-control.git] / PVE / API2 / Group.pm

package PVE::API2::Group;

use strict;
use warnings;
use PVE::Cluster qw (cfs_read_file cfs_write_file);
use PVE::AccessControl;
use PVE::SafeSyslog;
use PVE::RESTHandler;
use PVE::JSONSchema qw(get_standard_option register_standard_option);

use base qw(PVE::RESTHandler);

register_standard_option('group-id', {
    type => 'string',
    format => 'pve-groupid',
    title => 'Group ID' ,
    completion => \&PVE::AccessControl::complete_group,
});

register_standard_option('group-comment', { type => 'string', optional => 1 });

__PACKAGE__->register_method ({
    name => 'index', 
    path => '', 
    method => 'GET',
    description => "Group index.",
    permissions => { 
	description => "The returned list is restricted to groups where you have 'User.Modify', 'Sys.Audit'  or 'Group.Allocate' permissions on /access/groups/<group>.",
	user => 'all',
    },
    parameters => {
	additionalProperties => 0,
	properties => {},
    },
    returns => {
	type => 'array',
	items => {
	    type => "object",
	    properties => {
		groupid => get_standard_option('group-id'),
		comment => get_standard_option('group-comment'),
	    },
	},
	links => [ { rel => 'child', href => "{groupid}" } ],
    },
    code => sub {
	my ($param) = @_;
    
	my $res = [];

	my $rpcenv = PVE::RPCEnvironment::get();
	my $usercfg = cfs_read_file("user.cfg");
	my $authuser = $rpcenv->get_user();

	my $privs = [ 'User.Modify', 'Sys.Audit', 'Group.Allocate'];

	foreach my $group (keys %{$usercfg->{groups}}) {
	    next if !$rpcenv->check_any($authuser, "/access/groups/$group", $privs, 1);
	    my $data = $usercfg->{groups}->{$group};
	    my $entry = { groupid => $group };
	    $entry->{comment} = $data->{comment} if defined($data->{comment});
	    push @$res, $entry;
	}

	return $res;
    }});

__PACKAGE__->register_method ({
    name => 'create_group', 
    protected => 1,
    path => '', 
    method => 'POST',
    permissions => { 
	check => ['perm', '/access/groups', ['Group.Allocate']],
    },
    description => "Create new group.",
    parameters => {
   	additionalProperties => 0,
	properties => {
	    groupid => get_standard_option('group-id'),
	    comment => get_standard_option('group-comment'),
	},
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::AccessControl::lock_user_config(
	    sub {
			
		my $usercfg = cfs_read_file("user.cfg");

		my $group = $param->{groupid};
	
		die "group '$group' already exists\n" 
		    if $usercfg->{groups}->{$group};

		$usercfg->{groups}->{$group} = { users => {} };

		$usercfg->{groups}->{$group}->{comment} = $param->{comment} if $param->{comment};

		
		cfs_write_file("user.cfg", $usercfg);
	    }, "create group failed");

	return undef;
    }});

__PACKAGE__->register_method ({
    name => 'update_group', 
    protected => 1,
    path => '{groupid}', 
    method => 'PUT',
    permissions => { 
	check => ['perm', '/access/groups', ['Group.Allocate']],
    },
    description => "Update group data.",
    parameters => {
   	additionalProperties => 0,
	properties => {
	    groupid => get_standard_option('group-id'),
	    comment => get_standard_option('group-comment'),
	},
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::AccessControl::lock_user_config(
	    sub {
			
		my $usercfg = cfs_read_file("user.cfg");

		my $group = $param->{groupid};
	
		my $data = $usercfg->{groups}->{$group};

		die "group '$group' does not exist\n" 
		    if !$data;

		$data->{comment} = $param->{comment} if defined($param->{comment});
		
		cfs_write_file("user.cfg", $usercfg);
	    }, "update group failed");

	return undef;
    }});

__PACKAGE__->register_method ({
    name => 'read_group', 
    path => '{groupid}', 
    method => 'GET',
    permissions => { 
	check => ['perm', '/access/groups', ['Sys.Audit', 'Group.Allocate'], any => 1],
   },
    description => "Get group configuration.",
    parameters => {
   	additionalProperties => 0,
	properties => {
	    groupid => get_standard_option('group-id'),
	},
    },
    returns => {
	type => "object",
	additionalProperties => 0,
	properties => {
	    comment => get_standard_option('group-comment'),
	    members => {
		type => 'array',
		items => get_standard_option('userid-completed')
	    },
	},
    },
    code => sub {
	my ($param) = @_;

	my $group = $param->{groupid};

	my $usercfg = cfs_read_file("user.cfg");
 
	my $data = $usercfg->{groups}->{$group};

	die "group '$group' does not exist\n" if !$data;

	my $members = $data->{users} ? [ keys %{$data->{users}} ] : [];

	my $res = { members => $members };

	$res->{comment} = $data->{comment} if defined($data->{comment});

	return $res;
    }});


__PACKAGE__->register_method ({
    name => 'delete_group', 
    protected => 1,
    path => '{groupid}', 
    method => 'DELETE',
    permissions => { 
	check => ['perm', '/access/groups', ['Group.Allocate']],
    },
    description => "Delete group.",
    parameters => {
   	additionalProperties => 0,
	properties => {
	    groupid => get_standard_option('group-id'),
	}
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::AccessControl::lock_user_config(
	    sub {

		my $usercfg = cfs_read_file("user.cfg");

		my $group = $param->{groupid};

		die "group '$group' does not exist\n" 
		    if !$usercfg->{groups}->{$group};
	
		delete ($usercfg->{groups}->{$group});

		PVE::AccessControl::delete_group_acl($group, $usercfg);

		cfs_write_file("user.cfg", $usercfg);
	    }, "delete group failed");
	
	return undef;
    }});

1;
Commit	Line	Data
2c3a6c0a DM	1	package PVE::API2::Group;
	2
	3	use strict;
	4	use warnings;
	5	use PVE::Cluster qw (cfs_read_file cfs_write_file);
	6	use PVE::AccessControl;
2c3a6c0a	7	use PVE::SafeSyslog;
2c3a6c0a	8	use PVE::RESTHandler;
3a5ae7a0	9	use PVE::JSONSchema qw(get_standard_option register_standard_option);
2c3a6c0a DM	10
	11	use base qw(PVE::RESTHandler);
	12
3a5ae7a0 SI	13	register_standard_option('group-id', {
	14	type => 'string',
	15	format => 'pve-groupid',
bcf4eb3d	16	title => 'Group ID' ,
3a5ae7a0 SI	17	completion => \&PVE::AccessControl::complete_group,
	18	});
	19
	20	register_standard_option('group-comment', { type => 'string', optional => 1 });
	21
2c3a6c0a DM	22	__PACKAGE__->register_method ({
	23	name => 'index',
	24	path => '',
	25	method => 'GET',
	26	description => "Group index.",
96919234	27	permissions => {
82b63965	28	description => "The returned list is restricted to groups where you have 'User.Modify', 'Sys.Audit' or 'Group.Allocate' permissions on /access/groups/<group>.",
96919234 DM	29	user => 'all',
96919234 DM	30	},
2c3a6c0a DM	31	parameters => {
	32	additionalProperties => 0,
	33	properties => {},
	34	},
	35	returns => {
	36	type => 'array',
	37	items => {
	38	type => "object",
	39	properties => {
3a5ae7a0 SI	40	groupid => get_standard_option('group-id'),
3a5ae7a0 SI	41	comment => get_standard_option('group-comment'),
2c3a6c0a DM	42	},
	43	},
	44	links => [ { rel => 'child', href => "{groupid}" } ],
	45	},
	46	code => sub {
	47	my ($param) = @_;
	48
	49	my $res = [];
	50
96919234	51	my $rpcenv = PVE::RPCEnvironment::get();
2c3a6c0a	52	my $usercfg = cfs_read_file("user.cfg");
96919234 DM	53	my $authuser = $rpcenv->get_user();
96919234 DM	54
82b63965 DM	55	my $privs = [ 'User.Modify', 'Sys.Audit', 'Group.Allocate'];
82b63965 DM	56
2c3a6c0a	57	foreach my $group (keys %{$usercfg->{groups}}) {
82b63965	58	next if !$rpcenv->check_any($authuser, "/access/groups/$group", $privs, 1);
8de1fb5a DM	59	my $data = $usercfg->{groups}->{$group};
	60	my $entry = { groupid => $group };
	61	$entry->{comment} = $data->{comment} if defined($data->{comment});
2c3a6c0a DM	62	push @$res, $entry;
	63	}
	64
	65	return $res;
	66	}});
	67
	68	__PACKAGE__->register_method ({
	69	name => 'create_group',
	70	protected => 1,
	71	path => '',
	72	method => 'POST',
96919234	73	permissions => {
82b63965	74	check => ['perm', '/access/groups', ['Group.Allocate']],
96919234	75	},
2c3a6c0a DM	76	description => "Create new group.",
	77	parameters => {
	78	additionalProperties => 0,
	79	properties => {
3a5ae7a0 SI	80	groupid => get_standard_option('group-id'),
3a5ae7a0 SI	81	comment => get_standard_option('group-comment'),
2c3a6c0a DM	82	},
	83	},
	84	returns => { type => 'null' },
	85	code => sub {
	86	my ($param) = @_;
	87
	88	PVE::AccessControl::lock_user_config(
	89	sub {
	90
	91	my $usercfg = cfs_read_file("user.cfg");
	92
	93	my $group = $param->{groupid};
	94
	95	die "group '$group' already exists\n"
	96	if $usercfg->{groups}->{$group};
	97
	98	$usercfg->{groups}->{$group} = { users => {} };
	99
	100	$usercfg->{groups}->{$group}->{comment} = $param->{comment} if $param->{comment};
	101
	102
	103	cfs_write_file("user.cfg", $usercfg);
	104	}, "create group failed");
	105
	106	return undef;
	107	}});
	108
	109	__PACKAGE__->register_method ({
	110	name => 'update_group',
	111	protected => 1,
	112	path => '{groupid}',
	113	method => 'PUT',
96919234	114	permissions => {
82b63965	115	check => ['perm', '/access/groups', ['Group.Allocate']],
96919234	116	},
2c3a6c0a DM	117	description => "Update group data.",
	118	parameters => {
	119	additionalProperties => 0,
	120	properties => {
3a5ae7a0 SI	121	groupid => get_standard_option('group-id'),
3a5ae7a0 SI	122	comment => get_standard_option('group-comment'),
2c3a6c0a DM	123	},
	124	},
	125	returns => { type => 'null' },
	126	code => sub {
	127	my ($param) = @_;
	128
	129	PVE::AccessControl::lock_user_config(
	130	sub {
	131
	132	my $usercfg = cfs_read_file("user.cfg");
	133
	134	my $group = $param->{groupid};
	135
	136	my $data = $usercfg->{groups}->{$group};
	137
	138	die "group '$group' does not exist\n"
	139	if !$data;
	140
39c85db8	141	$data->{comment} = $param->{comment} if defined($param->{comment});
2c3a6c0a DM	142
2c3a6c0a DM	143	cfs_write_file("user.cfg", $usercfg);
39c85db8	144	}, "update group failed");
2c3a6c0a DM	145
	146	return undef;
	147	}});
	148
2c3a6c0a DM	149	__PACKAGE__->register_method ({
	150	name => 'read_group',
	151	path => '{groupid}',
	152	method => 'GET',
96919234	153	permissions => {
82b63965 DM	154	check => ['perm', '/access/groups', ['Sys.Audit', 'Group.Allocate'], any => 1],
82b63965 DM	155	},
2c3a6c0a DM	156	description => "Get group configuration.",
	157	parameters => {
	158	additionalProperties => 0,
	159	properties => {
3a5ae7a0	160	groupid => get_standard_option('group-id'),
2c3a6c0a DM	161	},
2c3a6c0a DM	162	},
8de1fb5a DM	163	returns => {
	164	type => "object",
	165	additionalProperties => 0,
	166	properties => {
3a5ae7a0	167	comment => get_standard_option('group-comment'),
8de1fb5a DM	168	members => {
8de1fb5a DM	169	type => 'array',
3a5ae7a0	170	items => get_standard_option('userid-completed')
8de1fb5a DM	171	},
	172	},
	173	},
2c3a6c0a DM	174	code => sub {
	175	my ($param) = @_;
	176
	177	my $group = $param->{groupid};
	178
	179	my $usercfg = cfs_read_file("user.cfg");
	180
	181	my $data = $usercfg->{groups}->{$group};
	182
	183	die "group '$group' does not exist\n" if !$data;
	184
8de1fb5a DM	185	my $members = $data->{users} ? [ keys %{$data->{users}} ] : [];
	186
	187	my $res = { members => $members };
	188
	189	$res->{comment} = $data->{comment} if defined($data->{comment});
	190
	191	return $res;
2c3a6c0a DM	192	}});
	193
	194
	195	__PACKAGE__->register_method ({
	196	name => 'delete_group',
	197	protected => 1,
	198	path => '{groupid}',
	199	method => 'DELETE',
96919234	200	permissions => {
82b63965	201	check => ['perm', '/access/groups', ['Group.Allocate']],
96919234	202	},
2c3a6c0a DM	203	description => "Delete group.",
	204	parameters => {
	205	additionalProperties => 0,
	206	properties => {
3a5ae7a0	207	groupid => get_standard_option('group-id'),
2c3a6c0a DM	208	}
	209	},
	210	returns => { type => 'null' },
	211	code => sub {
	212	my ($param) = @_;
	213
	214	PVE::AccessControl::lock_user_config(
	215	sub {
	216
	217	my $usercfg = cfs_read_file("user.cfg");
	218
	219	my $group = $param->{groupid};
	220
	221	die "group '$group' does not exist\n"
	222	if !$usercfg->{groups}->{$group};
	223
	224	delete ($usercfg->{groups}->{$group});
	225
	226	PVE::AccessControl::delete_group_acl($group, $usercfg);
	227
	228	cfs_write_file("user.cfg", $usercfg);
	229	}, "delete group failed");
	230
	231	return undef;
	232	}});
	233
	234	1;