[pve-access-control.git] / PVE / API2 / Role.pm

package PVE::API2::Role;

use strict;
use warnings;
use PVE::Cluster qw (cfs_read_file cfs_write_file);
use PVE::AccessControl;

use PVE::SafeSyslog;

use PVE::RESTHandler;

use base qw(PVE::RESTHandler);

__PACKAGE__->register_method ({
    name => 'index',
    path => '',
    method => 'GET',
    description => "Role index.",
    permissions => {
	user => 'all',
    },
    parameters => {
	additionalProperties => 0,
	properties => {},
    },
    returns => {
	type => 'array',
	items => {
	    type => "object",
	    properties => {
		roleid => { type => 'string' },
	    },
	},
	links => [ { rel => 'child', href => "{roleid}" } ],
    },
    code => sub {
	my ($param) = @_;

	my $res = [];

	my $usercfg = cfs_read_file("user.cfg");

	foreach my $role (keys %{$usercfg->{roles}}) {
	    my $privs = join(',', sort keys %{$usercfg->{roles}->{$role}});
	    push @$res, { roleid => $role, privs => $privs,
		special => PVE::AccessControl::role_is_special($role) };
	}

	return $res;
}});

__PACKAGE__->register_method ({
    name => 'create_role',
    protected => 1,
    path => '',
    method => 'POST',
    permissions => {
	check => ['perm', '/access', ['Sys.Modify']],
    },
    description => "Create new role.",
    parameters => {
	additionalProperties => 0,
	properties => {
	    roleid => { type => 'string', format => 'pve-roleid' },
	    privs => { type => 'string' , format => 'pve-priv-list', optional => 1 },
	},
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::AccessControl::lock_user_config(
	    sub {

		my $usercfg = cfs_read_file("user.cfg");

		my $role = $param->{roleid};

		die "role '$role' already exists\n"
		    if $usercfg->{roles}->{$role};

		$usercfg->{roles}->{$role} = {};

		PVE::AccessControl::add_role_privs($role, $usercfg, $param->{privs});

		cfs_write_file("user.cfg", $usercfg);
	    }, "create role failed");

	return undef;
}});

__PACKAGE__->register_method ({
    name => 'update_role',
    protected => 1,
    path => '{roleid}',
    method => 'PUT',
    permissions => {
	check => ['perm', '/access', ['Sys.Modify']],
    },
    description => "Create new role.",
    parameters => {
	additionalProperties => 0,
	properties => {
	    roleid => { type => 'string', format => 'pve-roleid' },
	    privs => { type => 'string' , format => 'pve-priv-list' },
	    append => {
		type => 'boolean',
		optional => 1,
		requires => 'privs',
	    },
	},
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::AccessControl::lock_user_config(
	    sub {

		my $role = $param->{roleid};

		my $usercfg = cfs_read_file("user.cfg");

		die "role '$role' does not exist\n"
		    if !$usercfg->{roles}->{$role};

		$usercfg->{roles}->{$role} = {} if !$param->{append};

		PVE::AccessControl::add_role_privs($role, $usercfg, $param->{privs});

		cfs_write_file("user.cfg", $usercfg);
	    }, "update role failed");

	return undef;
}});

# fixme: return format!
__PACKAGE__->register_method ({
    name => 'read_role',
    path => '{roleid}',
    method => 'GET',
    permissions => {
	user => 'all',
    },
    description => "Get role configuration.",
    parameters => {
	additionalProperties => 0,
	properties => {
	    roleid => { type => 'string' , format => 'pve-roleid' },
	},
    },
    returns => {},
    code => sub {
	my ($param) = @_;

	my $usercfg = cfs_read_file("user.cfg");

	my $role = $param->{roleid};

	my $data = $usercfg->{roles}->{$role};

	die "role '$role' does not exist\n" if !$data;

	return $data;
}});

__PACKAGE__->register_method ({
    name => 'delete_role',
    protected => 1,
    path => '{roleid}',
    method => 'DELETE',
    permissions => {
	check => ['perm', '/access', ['Sys.Modify']],
    },
    description => "Delete role.",
    parameters => {
	additionalProperties => 0,
	properties => {
	    roleid => { type => 'string', format => 'pve-roleid' },
	}
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::AccessControl::lock_user_config(
	    sub {

		my $role = $param->{roleid};

		my $usercfg = cfs_read_file("user.cfg");

		die "role '$role' does not exist\n"
		    if !$usercfg->{roles}->{$role};

		die "auto-generated role '$role' can not be deleted\n"
		    if PVE::AccessControl::role_is_special($role);

		delete ($usercfg->{roles}->{$role});

		# fixme: delete role from acl?

		cfs_write_file("user.cfg", $usercfg);
	    }, "delete role failed");

	return undef;
}});

1;
Commit	Line	Data
2c3a6c0a DM	1	package PVE::API2::Role;
	2
	3	use strict;
	4	use warnings;
	5	use PVE::Cluster qw (cfs_read_file cfs_write_file);
	6	use PVE::AccessControl;
	7
	8	use PVE::SafeSyslog;
	9
2c3a6c0a DM	10	use PVE::RESTHandler;
	11
	12	use base qw(PVE::RESTHandler);
	13
	14	__PACKAGE__->register_method ({
0a6e09fd PA	15	name => 'index',
0a6e09fd PA	16	path => '',
2c3a6c0a DM	17	method => 'GET',
2c3a6c0a DM	18	description => "Role index.",
0a6e09fd	19	permissions => {
82b63965	20	user => 'all',
96919234	21	},
2c3a6c0a DM	22	parameters => {
	23	additionalProperties => 0,
	24	properties => {},
	25	},
	26	returns => {
	27	type => 'array',
	28	items => {
	29	type => "object",
	30	properties => {
	31	roleid => { type => 'string' },
	32	},
	33	},
	34	links => [ { rel => 'child', href => "{roleid}" } ],
	35	},
	36	code => sub {
	37	my ($param) = @_;
0a6e09fd	38
2c3a6c0a DM	39	my $res = [];
	40
	41	my $usercfg = cfs_read_file("user.cfg");
0a6e09fd	42
2c3a6c0a DM	43	foreach my $role (keys %{$usercfg->{roles}}) {
2c3a6c0a DM	44	my $privs = join(',', sort keys %{$usercfg->{roles}->{$role}});
894e6f0c PA	45	push @$res, { roleid => $role, privs => $privs,
894e6f0c PA	46	special => PVE::AccessControl::role_is_special($role) };
2c3a6c0a DM	47	}
	48
	49	return $res;
0a6e09fd	50	}});
2c3a6c0a DM	51
2c3a6c0a DM	52	__PACKAGE__->register_method ({
0a6e09fd	53	name => 'create_role',
2c3a6c0a	54	protected => 1,
0a6e09fd	55	path => '',
2c3a6c0a	56	method => 'POST',
0a6e09fd	57	permissions => {
96919234 DM	58	check => ['perm', '/access', ['Sys.Modify']],
96919234 DM	59	},
2c3a6c0a DM	60	description => "Create new role.",
2c3a6c0a DM	61	parameters => {
0a6e09fd	62	additionalProperties => 0,
2c3a6c0a DM	63	properties => {
	64	roleid => { type => 'string', format => 'pve-roleid' },
	65	privs => { type => 'string' , format => 'pve-priv-list', optional => 1 },
	66	},
	67	},
	68	returns => { type => 'null' },
	69	code => sub {
	70	my ($param) = @_;
	71
	72	PVE::AccessControl::lock_user_config(
	73	sub {
0a6e09fd	74
2c3a6c0a DM	75	my $usercfg = cfs_read_file("user.cfg");
	76
	77	my $role = $param->{roleid};
	78
0a6e09fd	79	die "role '$role' already exists\n"
2c3a6c0a DM	80	if $usercfg->{roles}->{$role};
	81
	82	$usercfg->{roles}->{$role} = {};
	83
	84	PVE::AccessControl::add_role_privs($role, $usercfg, $param->{privs});
	85
	86	cfs_write_file("user.cfg", $usercfg);
	87	}, "create role failed");
	88
	89	return undef;
0a6e09fd	90	}});
2c3a6c0a DM	91
2c3a6c0a DM	92	__PACKAGE__->register_method ({
0a6e09fd	93	name => 'update_role',
2c3a6c0a	94	protected => 1,
0a6e09fd	95	path => '{roleid}',
2c3a6c0a	96	method => 'PUT',
0a6e09fd	97	permissions => {
96919234 DM	98	check => ['perm', '/access', ['Sys.Modify']],
96919234 DM	99	},
2c3a6c0a DM	100	description => "Create new role.",
2c3a6c0a DM	101	parameters => {
0a6e09fd	102	additionalProperties => 0,
2c3a6c0a DM	103	properties => {
	104	roleid => { type => 'string', format => 'pve-roleid' },
	105	privs => { type => 'string' , format => 'pve-priv-list' },
0a6e09fd PA	106	append => {
0a6e09fd PA	107	type => 'boolean',
2c3a6c0a DM	108	optional => 1,
	109	requires => 'privs',
	110	},
	111	},
	112	},
	113	returns => { type => 'null' },
	114	code => sub {
	115	my ($param) = @_;
	116
	117	PVE::AccessControl::lock_user_config(
	118	sub {
0a6e09fd	119
2c3a6c0a DM	120	my $role = $param->{roleid};
	121
	122	my $usercfg = cfs_read_file("user.cfg");
0a6e09fd PA	123
0a6e09fd PA	124	die "role '$role' does not exist\n"
2c3a6c0a DM	125	if !$usercfg->{roles}->{$role};
	126
	127	$usercfg->{roles}->{$role} = {} if !$param->{append};
	128
	129	PVE::AccessControl::add_role_privs($role, $usercfg, $param->{privs});
	130
	131	cfs_write_file("user.cfg", $usercfg);
	132	}, "update role failed");
	133
	134	return undef;
0a6e09fd	135	}});
2c3a6c0a DM	136
	137	# fixme: return format!
	138	__PACKAGE__->register_method ({
0a6e09fd PA	139	name => 'read_role',
0a6e09fd PA	140	path => '{roleid}',
2c3a6c0a	141	method => 'GET',
0a6e09fd	142	permissions => {
82b63965	143	user => 'all',
96919234	144	},
2c3a6c0a DM	145	description => "Get role configuration.",
2c3a6c0a DM	146	parameters => {
0a6e09fd	147	additionalProperties => 0,
2c3a6c0a DM	148	properties => {
	149	roleid => { type => 'string' , format => 'pve-roleid' },
	150	},
	151	},
	152	returns => {},
	153	code => sub {
	154	my ($param) = @_;
	155
	156	my $usercfg = cfs_read_file("user.cfg");
	157
	158	my $role = $param->{roleid};
	159
	160	my $data = $usercfg->{roles}->{$role};
	161
	162	die "role '$role' does not exist\n" if !$data;
	163
	164	return $data;
0a6e09fd	165	}});
2c3a6c0a DM	166
2c3a6c0a DM	167	__PACKAGE__->register_method ({
0a6e09fd	168	name => 'delete_role',
2c3a6c0a	169	protected => 1,
0a6e09fd	170	path => '{roleid}',
2c3a6c0a	171	method => 'DELETE',
0a6e09fd	172	permissions => {
96919234 DM	173	check => ['perm', '/access', ['Sys.Modify']],
96919234 DM	174	},
2c3a6c0a DM	175	description => "Delete role.",
2c3a6c0a DM	176	parameters => {
0a6e09fd	177	additionalProperties => 0,
2c3a6c0a DM	178	properties => {
	179	roleid => { type => 'string', format => 'pve-roleid' },
	180	}
	181	},
	182	returns => { type => 'null' },
	183	code => sub {
	184	my ($param) = @_;
	185
	186	PVE::AccessControl::lock_user_config(
	187	sub {
	188
	189	my $role = $param->{roleid};
	190
	191	my $usercfg = cfs_read_file("user.cfg");
	192
	193	die "role '$role' does not exist\n"
	194	if !$usercfg->{roles}->{$role};
0a6e09fd	195
894e6f0c PA	196	die "auto-generated role '$role' can not be deleted\n"
	197	if PVE::AccessControl::role_is_special($role);
	198
2c3a6c0a DM	199	delete ($usercfg->{roles}->{$role});
	200
	201	# fixme: delete role from acl?
	202
	203	cfs_write_file("user.cfg", $usercfg);
	204	}, "delete role failed");
0a6e09fd	205
2c3a6c0a	206	return undef;
0a6e09fd	207	}});
2c3a6c0a DM	208
2c3a6c0a DM	209	1;