[pve-access-control.git] / PVE / API2 / Group.pm

package PVE::API2::Group;

use strict;
use warnings;
use PVE::Cluster qw (cfs_read_file cfs_write_file);
use PVE::AccessControl;

use PVE::SafeSyslog;

use Data::Dumper; # fixme: remove

use PVE::RESTHandler;

use base qw(PVE::RESTHandler);

my $extract_group_data = sub {
    my ($data, $full) = @_;

    my $res = {};

    $res->{comment} = $data->{comment} if defined($data->{comment});

    return $res if !$full;

    $res->{users} = $data->{users} ? [ keys %{$data->{users}} ] : [];

    return $res;
};

# fixme: index should return more/all attributes?
__PACKAGE__->register_method ({
    name => 'index', 
    path => '', 
    method => 'GET',
    description => "Group index.",
    permissions => { 
	description => "The returned list is restricted to groups where you have 'User.Add' or 'Sys.Audit' permissions on '/access', or 'User.Add' on /access/groups/<group>.",
	user => 'all',
    },
    parameters => {
	additionalProperties => 0,
	properties => {},
    },
    returns => {
	type => 'array',
	items => {
	    type => "object",
	    properties => {
		groupid => { type => 'string' },
	    },
	},
	links => [ { rel => 'child', href => "{groupid}" } ],
    },
    code => sub {
	my ($param) = @_;
    
	my $res = [];

	my $rpcenv = PVE::RPCEnvironment::get();
	my $usercfg = cfs_read_file("user.cfg");
	my $authuser = $rpcenv->get_user();

	my $privs = [ 'User.Add', 'Sys.Audit' ];
	my $allow = $rpcenv->check_any($authuser, "/access", $privs, 1);
	syslog("info", "TEST $allow");
	my $allowed_groups = $rpcenv->filter_groups($authuser, $privs, 1);
 
	foreach my $group (keys %{$usercfg->{groups}}) {
	    next if !($allow || $allowed_groups->{$group});
	    my $entry = &$extract_group_data($usercfg->{groups}->{$group});
	    $entry->{groupid} = $group;
	    push @$res, $entry;
	}

	return $res;
    }});

__PACKAGE__->register_method ({
    name => 'create_group', 
    protected => 1,
    path => '', 
    method => 'POST',
    permissions => { 
	check => ['perm', '/access', ['Sys.Modify']],
    },
    description => "Create new group.",
    parameters => {
   	additionalProperties => 0,
	properties => {
	    groupid => { type => 'string', format => 'pve-groupid' },
	    comment => { type => 'string', optional => 1 },
	},
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::AccessControl::lock_user_config(
	    sub {
			
		my $usercfg = cfs_read_file("user.cfg");

		my $group = $param->{groupid};
	
		die "group '$group' already exists\n" 
		    if $usercfg->{groups}->{$group};

		$usercfg->{groups}->{$group} = { users => {} };

		$usercfg->{groups}->{$group}->{comment} = $param->{comment} if $param->{comment};

		
		cfs_write_file("user.cfg", $usercfg);
	    }, "create group failed");

	return undef;
    }});

__PACKAGE__->register_method ({
    name => 'update_group', 
    protected => 1,
    path => '{groupid}', 
    method => 'PUT',
    permissions => { 
	check => ['perm', '/access', ['Sys.Modify']],
    },
    description => "Update group data.",
    parameters => {
   	additionalProperties => 0,
	properties => {
	    # fixme: set/delete members
	    groupid => { type => 'string', format => 'pve-groupid' },
	    comment => { type => 'string', optional => 1 },
	},
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::AccessControl::lock_user_config(
	    sub {
			
		my $usercfg = cfs_read_file("user.cfg");

		my $group = $param->{groupid};
	
		my $data = $usercfg->{groups}->{$group};

		die "group '$group' does not exist\n" 
		    if !$data;

		$data->{comment} = $param->{comment} if $param->{comment};
		
		cfs_write_file("user.cfg", $usercfg);
	    }, "create group failed");

	return undef;
    }});

# fixme: return format!
__PACKAGE__->register_method ({
    name => 'read_group', 
    path => '{groupid}', 
    method => 'GET',
    permissions => { 
	check => ['perm', '/access', ['Sys.Audit']],
    },
    description => "Get group configuration.",
    parameters => {
   	additionalProperties => 0,
	properties => {
	    groupid => { type => 'string', format => 'pve-groupid' },
	},
    },
    returns => {},
    code => sub {
	my ($param) = @_;

	my $group = $param->{groupid};

	my $usercfg = cfs_read_file("user.cfg");
 
	my $data = $usercfg->{groups}->{$group};

	die "group '$group' does not exist\n" if !$data;

	return &$extract_group_data($data, 1);
    }});


__PACKAGE__->register_method ({
    name => 'delete_group', 
    protected => 1,
    path => '{groupid}', 
    method => 'DELETE',
    permissions => { 
	check => ['perm', '/access', ['Sys.Modify']],
    },
    description => "Delete group.",
    parameters => {
   	additionalProperties => 0,
	properties => {
	    groupid => { type => 'string' , format => 'pve-groupid' },
	}
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::AccessControl::lock_user_config(
	    sub {

		my $usercfg = cfs_read_file("user.cfg");

		my $group = $param->{groupid};

		die "group '$group' does not exist\n" 
		    if !$usercfg->{groups}->{$group};
	
		delete ($usercfg->{groups}->{$group});

		PVE::AccessControl::delete_group_acl($group, $usercfg);

		cfs_write_file("user.cfg", $usercfg);
	    }, "delete group failed");
	
	return undef;
    }});

1;
Commit	Line	Data
2c3a6c0a DM	1	package PVE::API2::Group;
	2
	3	use strict;
	4	use warnings;
	5	use PVE::Cluster qw (cfs_read_file cfs_write_file);
	6	use PVE::AccessControl;
	7
	8	use PVE::SafeSyslog;
	9
	10	use Data::Dumper; # fixme: remove
	11
	12	use PVE::RESTHandler;
	13
	14	use base qw(PVE::RESTHandler);
	15
	16	my $extract_group_data = sub {
	17	my ($data, $full) = @_;
	18
	19	my $res = {};
	20
	21	$res->{comment} = $data->{comment} if defined($data->{comment});
	22
	23	return $res if !$full;
	24
	25	$res->{users} = $data->{users} ? [ keys %{$data->{users}} ] : [];
	26
	27	return $res;
	28	};
	29
	30	# fixme: index should return more/all attributes?
	31	__PACKAGE__->register_method ({
	32	name => 'index',
	33	path => '',
	34	method => 'GET',
	35	description => "Group index.",
96919234 DM	36	permissions => {
	37	description => "The returned list is restricted to groups where you have 'User.Add' or 'Sys.Audit' permissions on '/access', or 'User.Add' on /access/groups/<group>.",
	38	user => 'all',
	39	},
2c3a6c0a DM	40	parameters => {
	41	additionalProperties => 0,
	42	properties => {},
	43	},
	44	returns => {
	45	type => 'array',
	46	items => {
	47	type => "object",
	48	properties => {
	49	groupid => { type => 'string' },
	50	},
	51	},
	52	links => [ { rel => 'child', href => "{groupid}" } ],
	53	},
	54	code => sub {
	55	my ($param) = @_;
	56
	57	my $res = [];
	58
96919234	59	my $rpcenv = PVE::RPCEnvironment::get();
2c3a6c0a	60	my $usercfg = cfs_read_file("user.cfg");
96919234 DM	61	my $authuser = $rpcenv->get_user();
	62
	63	my $privs = [ 'User.Add', 'Sys.Audit' ];
	64	my $allow = $rpcenv->check_any($authuser, "/access", $privs, 1);
4bc17477	65	syslog("info", "TEST $allow");
96919234	66	my $allowed_groups = $rpcenv->filter_groups($authuser, $privs, 1);
2c3a6c0a DM	67
2c3a6c0a DM	68	foreach my $group (keys %{$usercfg->{groups}}) {
96919234	69	next if !($allow \|\| $allowed_groups->{$group});
2c3a6c0a DM	70	my $entry = &$extract_group_data($usercfg->{groups}->{$group});
	71	$entry->{groupid} = $group;
	72	push @$res, $entry;
	73	}
	74
	75	return $res;
	76	}});
	77
	78	__PACKAGE__->register_method ({
	79	name => 'create_group',
	80	protected => 1,
	81	path => '',
	82	method => 'POST',
96919234 DM	83	permissions => {
	84	check => ['perm', '/access', ['Sys.Modify']],
	85	},
2c3a6c0a DM	86	description => "Create new group.",
	87	parameters => {
	88	additionalProperties => 0,
	89	properties => {
	90	groupid => { type => 'string', format => 'pve-groupid' },
	91	comment => { type => 'string', optional => 1 },
	92	},
	93	},
	94	returns => { type => 'null' },
	95	code => sub {
	96	my ($param) = @_;
	97
	98	PVE::AccessControl::lock_user_config(
	99	sub {
	100
	101	my $usercfg = cfs_read_file("user.cfg");
	102
	103	my $group = $param->{groupid};
	104
	105	die "group '$group' already exists\n"
	106	if $usercfg->{groups}->{$group};
	107
	108	$usercfg->{groups}->{$group} = { users => {} };
	109
	110	$usercfg->{groups}->{$group}->{comment} = $param->{comment} if $param->{comment};
	111
	112
	113	cfs_write_file("user.cfg", $usercfg);
	114	}, "create group failed");
	115
	116	return undef;
	117	}});
	118
	119	__PACKAGE__->register_method ({
	120	name => 'update_group',
	121	protected => 1,
	122	path => '{groupid}',
	123	method => 'PUT',
96919234 DM	124	permissions => {
	125	check => ['perm', '/access', ['Sys.Modify']],
	126	},
2c3a6c0a DM	127	description => "Update group data.",
	128	parameters => {
	129	additionalProperties => 0,
	130	properties => {
	131	# fixme: set/delete members
	132	groupid => { type => 'string', format => 'pve-groupid' },
	133	comment => { type => 'string', optional => 1 },
	134	},
	135	},
	136	returns => { type => 'null' },
	137	code => sub {
	138	my ($param) = @_;
	139
	140	PVE::AccessControl::lock_user_config(
	141	sub {
	142
	143	my $usercfg = cfs_read_file("user.cfg");
	144
	145	my $group = $param->{groupid};
	146
	147	my $data = $usercfg->{groups}->{$group};
	148
	149	die "group '$group' does not exist\n"
	150	if !$data;
	151
	152	$data->{comment} = $param->{comment} if $param->{comment};
	153
	154	cfs_write_file("user.cfg", $usercfg);
	155	}, "create group failed");
	156
	157	return undef;
	158	}});
	159
	160	# fixme: return format!
	161	__PACKAGE__->register_method ({
	162	name => 'read_group',
	163	path => '{groupid}',
	164	method => 'GET',
96919234 DM	165	permissions => {
	166	check => ['perm', '/access', ['Sys.Audit']],
	167	},
2c3a6c0a DM	168	description => "Get group configuration.",
	169	parameters => {
	170	additionalProperties => 0,
	171	properties => {
	172	groupid => { type => 'string', format => 'pve-groupid' },
	173	},
	174	},
	175	returns => {},
	176	code => sub {
	177	my ($param) = @_;
	178
	179	my $group = $param->{groupid};
	180
	181	my $usercfg = cfs_read_file("user.cfg");
	182
	183	my $data = $usercfg->{groups}->{$group};
	184
	185	die "group '$group' does not exist\n" if !$data;
	186
	187	return &$extract_group_data($data, 1);
	188	}});
	189
	190
	191	__PACKAGE__->register_method ({
	192	name => 'delete_group',
	193	protected => 1,
	194	path => '{groupid}',
	195	method => 'DELETE',
96919234 DM	196	permissions => {
	197	check => ['perm', '/access', ['Sys.Modify']],
	198	},
2c3a6c0a DM	199	description => "Delete group.",
	200	parameters => {
	201	additionalProperties => 0,
	202	properties => {
	203	groupid => { type => 'string' , format => 'pve-groupid' },
	204	}
	205	},
	206	returns => { type => 'null' },
	207	code => sub {
	208	my ($param) = @_;
	209
	210	PVE::AccessControl::lock_user_config(
	211	sub {
	212
	213	my $usercfg = cfs_read_file("user.cfg");
	214
	215	my $group = $param->{groupid};
	216
	217	die "group '$group' does not exist\n"
	218	if !$usercfg->{groups}->{$group};
	219
	220	delete ($usercfg->{groups}->{$group});
	221
	222	PVE::AccessControl::delete_group_acl($group, $usercfg);
	223
	224	cfs_write_file("user.cfg", $usercfg);
	225	}, "delete group failed");
	226
	227	return undef;
	228	}});
	229
	230	1;