]>
Commit | Line | Data |
---|---|---|
2c3a6c0a DM |
1 | package PVE::API2::Role; |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | use PVE::Cluster qw (cfs_read_file cfs_write_file); | |
6 | use PVE::AccessControl; | |
7 | ||
8 | use PVE::SafeSyslog; | |
9 | ||
2c3a6c0a DM |
10 | use PVE::RESTHandler; |
11 | ||
12 | use base qw(PVE::RESTHandler); | |
13 | ||
14 | __PACKAGE__->register_method ({ | |
0a6e09fd PA |
15 | name => 'index', |
16 | path => '', | |
2c3a6c0a DM |
17 | method => 'GET', |
18 | description => "Role index.", | |
0a6e09fd | 19 | permissions => { |
82b63965 | 20 | user => 'all', |
96919234 | 21 | }, |
2c3a6c0a DM |
22 | parameters => { |
23 | additionalProperties => 0, | |
24 | properties => {}, | |
25 | }, | |
26 | returns => { | |
27 | type => 'array', | |
28 | items => { | |
29 | type => "object", | |
30 | properties => { | |
31 | roleid => { type => 'string' }, | |
32 | }, | |
33 | }, | |
34 | links => [ { rel => 'child', href => "{roleid}" } ], | |
35 | }, | |
36 | code => sub { | |
37 | my ($param) = @_; | |
0a6e09fd | 38 | |
2c3a6c0a DM |
39 | my $res = []; |
40 | ||
41 | my $usercfg = cfs_read_file("user.cfg"); | |
0a6e09fd | 42 | |
2c3a6c0a DM |
43 | foreach my $role (keys %{$usercfg->{roles}}) { |
44 | my $privs = join(',', sort keys %{$usercfg->{roles}->{$role}}); | |
186a4e15 WB |
45 | push @$res, { |
46 | roleid => $role, | |
47 | privs => $privs, | |
48 | special => PVE::AccessControl::role_is_special($role), | |
49 | }; | |
2c3a6c0a DM |
50 | } |
51 | ||
52 | return $res; | |
0a6e09fd | 53 | }}); |
2c3a6c0a DM |
54 | |
55 | __PACKAGE__->register_method ({ | |
0a6e09fd | 56 | name => 'create_role', |
2c3a6c0a | 57 | protected => 1, |
0a6e09fd | 58 | path => '', |
2c3a6c0a | 59 | method => 'POST', |
0a6e09fd | 60 | permissions => { |
96919234 DM |
61 | check => ['perm', '/access', ['Sys.Modify']], |
62 | }, | |
2c3a6c0a DM |
63 | description => "Create new role.", |
64 | parameters => { | |
0a6e09fd | 65 | additionalProperties => 0, |
2c3a6c0a DM |
66 | properties => { |
67 | roleid => { type => 'string', format => 'pve-roleid' }, | |
68 | privs => { type => 'string' , format => 'pve-priv-list', optional => 1 }, | |
69 | }, | |
70 | }, | |
71 | returns => { type => 'null' }, | |
72 | code => sub { | |
73 | my ($param) = @_; | |
74 | ||
75 | PVE::AccessControl::lock_user_config( | |
76 | sub { | |
0a6e09fd | 77 | |
2c3a6c0a DM |
78 | my $usercfg = cfs_read_file("user.cfg"); |
79 | ||
80 | my $role = $param->{roleid}; | |
81 | ||
0a6e09fd | 82 | die "role '$role' already exists\n" |
2c3a6c0a DM |
83 | if $usercfg->{roles}->{$role}; |
84 | ||
85 | $usercfg->{roles}->{$role} = {}; | |
86 | ||
87 | PVE::AccessControl::add_role_privs($role, $usercfg, $param->{privs}); | |
88 | ||
89 | cfs_write_file("user.cfg", $usercfg); | |
90 | }, "create role failed"); | |
91 | ||
92 | return undef; | |
0a6e09fd | 93 | }}); |
2c3a6c0a DM |
94 | |
95 | __PACKAGE__->register_method ({ | |
0a6e09fd | 96 | name => 'update_role', |
2c3a6c0a | 97 | protected => 1, |
0a6e09fd | 98 | path => '{roleid}', |
2c3a6c0a | 99 | method => 'PUT', |
0a6e09fd | 100 | permissions => { |
96919234 DM |
101 | check => ['perm', '/access', ['Sys.Modify']], |
102 | }, | |
2c3a6c0a DM |
103 | description => "Create new role.", |
104 | parameters => { | |
0a6e09fd | 105 | additionalProperties => 0, |
2c3a6c0a DM |
106 | properties => { |
107 | roleid => { type => 'string', format => 'pve-roleid' }, | |
108 | privs => { type => 'string' , format => 'pve-priv-list' }, | |
0a6e09fd PA |
109 | append => { |
110 | type => 'boolean', | |
2c3a6c0a DM |
111 | optional => 1, |
112 | requires => 'privs', | |
113 | }, | |
114 | }, | |
115 | }, | |
116 | returns => { type => 'null' }, | |
117 | code => sub { | |
118 | my ($param) = @_; | |
119 | ||
120 | PVE::AccessControl::lock_user_config( | |
121 | sub { | |
0a6e09fd | 122 | |
2c3a6c0a DM |
123 | my $role = $param->{roleid}; |
124 | ||
125 | my $usercfg = cfs_read_file("user.cfg"); | |
0a6e09fd PA |
126 | |
127 | die "role '$role' does not exist\n" | |
2c3a6c0a DM |
128 | if !$usercfg->{roles}->{$role}; |
129 | ||
130 | $usercfg->{roles}->{$role} = {} if !$param->{append}; | |
131 | ||
132 | PVE::AccessControl::add_role_privs($role, $usercfg, $param->{privs}); | |
133 | ||
134 | cfs_write_file("user.cfg", $usercfg); | |
135 | }, "update role failed"); | |
136 | ||
137 | return undef; | |
0a6e09fd | 138 | }}); |
2c3a6c0a DM |
139 | |
140 | # fixme: return format! | |
141 | __PACKAGE__->register_method ({ | |
0a6e09fd PA |
142 | name => 'read_role', |
143 | path => '{roleid}', | |
2c3a6c0a | 144 | method => 'GET', |
0a6e09fd | 145 | permissions => { |
82b63965 | 146 | user => 'all', |
96919234 | 147 | }, |
2c3a6c0a DM |
148 | description => "Get role configuration.", |
149 | parameters => { | |
0a6e09fd | 150 | additionalProperties => 0, |
2c3a6c0a DM |
151 | properties => { |
152 | roleid => { type => 'string' , format => 'pve-roleid' }, | |
153 | }, | |
154 | }, | |
155 | returns => {}, | |
156 | code => sub { | |
157 | my ($param) = @_; | |
158 | ||
159 | my $usercfg = cfs_read_file("user.cfg"); | |
160 | ||
161 | my $role = $param->{roleid}; | |
162 | ||
163 | my $data = $usercfg->{roles}->{$role}; | |
164 | ||
165 | die "role '$role' does not exist\n" if !$data; | |
166 | ||
167 | return $data; | |
0a6e09fd | 168 | }}); |
2c3a6c0a DM |
169 | |
170 | __PACKAGE__->register_method ({ | |
0a6e09fd | 171 | name => 'delete_role', |
2c3a6c0a | 172 | protected => 1, |
0a6e09fd | 173 | path => '{roleid}', |
2c3a6c0a | 174 | method => 'DELETE', |
0a6e09fd | 175 | permissions => { |
96919234 DM |
176 | check => ['perm', '/access', ['Sys.Modify']], |
177 | }, | |
2c3a6c0a DM |
178 | description => "Delete role.", |
179 | parameters => { | |
0a6e09fd | 180 | additionalProperties => 0, |
2c3a6c0a DM |
181 | properties => { |
182 | roleid => { type => 'string', format => 'pve-roleid' }, | |
183 | } | |
184 | }, | |
185 | returns => { type => 'null' }, | |
186 | code => sub { | |
187 | my ($param) = @_; | |
188 | ||
e41cc73c | 189 | my $role = $param->{roleid}; |
2c3a6c0a | 190 | |
e41cc73c WB |
191 | die "auto-generated role '$role' cannot be deleted\n" |
192 | if PVE::AccessControl::role_is_special($role); | |
2c3a6c0a | 193 | |
e41cc73c WB |
194 | PVE::AccessControl::lock_user_config( |
195 | sub { | |
2c3a6c0a DM |
196 | my $usercfg = cfs_read_file("user.cfg"); |
197 | ||
198 | die "role '$role' does not exist\n" | |
199 | if !$usercfg->{roles}->{$role}; | |
0a6e09fd | 200 | |
2c3a6c0a DM |
201 | delete ($usercfg->{roles}->{$role}); |
202 | ||
203 | # fixme: delete role from acl? | |
204 | ||
205 | cfs_write_file("user.cfg", $usercfg); | |
206 | }, "delete role failed"); | |
0a6e09fd | 207 | |
2c3a6c0a | 208 | return undef; |
0a6e09fd | 209 | }}); |
2c3a6c0a DM |
210 | |
211 | 1; |