package PVE::API2::Role;

# REST handlers for role management: listing, creating, updating,
# reading and deleting roles kept in the cluster-wide "user.cfg".

use strict;
use warnings;

use PVE::Cluster qw(cfs_read_file cfs_write_file);
use PVE::AccessControl;
use PVE::SafeSyslog;
use PVE::RESTHandler;

use base qw(PVE::RESTHandler);
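# GET ''  -- list every role in user.cfg together with its privilege set.
#
# Fix: the 'returns' schema only declared 'roleid' although each entry
# also carries 'privs' and 'special'; the schema now matches what the
# handler actually emits (both marked optional so existing callers and
# return validation keep working).
__PACKAGE__->register_method ({
    name => 'index',
    path => '',
    method => 'GET',
    description => "Role index.",
    permissions => {
        # readable by every authenticated user
        user => 'all',
    },
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    returns => {
        type => 'array',
        items => {
            type => "object",
            properties => {
                roleid => { type => 'string' },
                # comma-separated, sorted privilege names
                privs => { type => 'string', optional => 1 },
                # NOTE(review): assumes role_is_special() yields a boolean-ish
                # value (see PVE::AccessControl) - confirm
                special => { type => 'boolean', optional => 1 },
            },
        },
        links => [ { rel => 'child', href => "{roleid}" } ],
    },
    code => sub {
        my ($param) = @_;

        my $usercfg = cfs_read_file("user.cfg");

        my $res = [];
        foreach my $role (keys %{$usercfg->{roles}}) {
            # sort the privilege names so the string is stable across calls
            my $privs = join(',', sort keys %{$usercfg->{roles}->{$role}});
            push @$res, {
                roleid => $role,
                privs => $privs,
                special => PVE::AccessControl::role_is_special($role),
            };
        }

        return $res;
    }});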
# POST ''  -- create a new role; fails if the role id is already taken.
# Requires Sys.Modify on /access; 'roleid' and 'privs' are validated by
# their schema formats before the handler runs.
__PACKAGE__->register_method ({
    name => 'create_role',
    protected => 1,
    path => '',
    method => 'POST',
    permissions => {
        check => ['perm', '/access', ['Sys.Modify']],
    },
    description => "Create new role.",
    parameters => {
        additionalProperties => 0,
        properties => {
            roleid => { type => 'string', format => 'pve-roleid' },
            privs => { type => 'string', format => 'pve-priv-list', optional => 1 },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        my $role = $param->{roleid};

        # The read-modify-write of user.cfg is wrapped in lock_user_config,
        # presumably so that concurrent edits serialize - the lock itself
        # lives in PVE::AccessControl.
        PVE::AccessControl::lock_user_config(sub {
            my $usercfg = cfs_read_file("user.cfg");

            die "role '$role' already exists\n"
                if $usercfg->{roles}->{$role};

            # start from an empty privilege set, then add whatever was given
            $usercfg->{roles}->{$role} = {};
            PVE::AccessControl::add_role_privs($role, $usercfg, $param->{privs});

            cfs_write_file("user.cfg", $usercfg);
        }, "create role failed");

        return undef;
    }});
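# PUT '{roleid}'  -- replace (or, with 'append', extend) the privileges of
# an existing role.  Requires Sys.Modify on /access.
#
# Fix: the description was copy-pasted from create_role and said
# "Create new role."; it now describes what the handler does.
__PACKAGE__->register_method ({
    name => 'update_role',
    protected => 1,
    path => '{roleid}',
    method => 'PUT',
    permissions => {
        check => ['perm', '/access', ['Sys.Modify']],
    },
    description => "Update an existing role.",
    parameters => {
        additionalProperties => 0,
        properties => {
            roleid => { type => 'string', format => 'pve-roleid' },
            privs => { type => 'string', format => 'pve-priv-list' },
            append => {
                type => 'boolean',
                optional => 1,
                requires => 'privs',
            },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        PVE::AccessControl::lock_user_config(
            sub {
                my $role = $param->{roleid};

                my $usercfg = cfs_read_file("user.cfg");

                die "role '$role' does not exist\n"
                    if !$usercfg->{roles}->{$role};

                # NOTE(review): unlike delete_role there is no
                # role_is_special() guard here, so the auto-generated roles
                # reach add_role_privs() - confirm that the user.cfg layer
                # refuses to persist changes to them.

                # without 'append' the old privilege set is discarded first
                $usercfg->{roles}->{$role} = {} if !$param->{append};

                PVE::AccessControl::add_role_privs($role, $usercfg, $param->{privs});

                cfs_write_file("user.cfg", $usercfg);
            }, "update role failed");

        return undef;
    }});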
# GET '{roleid}'  -- return the stored configuration of one role (the hash
# kept under $usercfg->{roles}->{$roleid}).  Readable by every user.
# FIXME: the return format is not declared in the schema ('returns => {}').
__PACKAGE__->register_method ({
    name => 'read_role',
    path => '{roleid}',
    method => 'GET',
    permissions => {
        user => 'all',
    },
    description => "Get role configuration.",
    parameters => {
        additionalProperties => 0,
        properties => {
            roleid => { type => 'string', format => 'pve-roleid' },
        },
    },
    returns => {},
    code => sub {
        my ($param) = @_;

        my $role = $param->{roleid};
        my $usercfg = cfs_read_file("user.cfg");

        # unknown role ids are reported, not silently returned as empty
        my $data = $usercfg->{roles}->{$role}
            or die "role '$role' does not exist\n";

        return $data;
    }});
# DELETE '{roleid}'  -- remove a user-defined role from user.cfg.
# Auto-generated roles are refused up front; requires Sys.Modify on /access.
__PACKAGE__->register_method ({
    name => 'delete_role',
    protected => 1,
    path => '{roleid}',
    method => 'DELETE',
    permissions => {
        check => ['perm', '/access', ['Sys.Modify']],
    },
    description => "Delete role.",
    parameters => {
        additionalProperties => 0,
        properties => {
            roleid => { type => 'string', format => 'pve-roleid' },
        }
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        my $role = $param->{roleid};

        # checked before taking the lock: built-in roles are never removable
        die "auto-generated role '$role' cannot be deleted\n"
            if PVE::AccessControl::role_is_special($role);

        PVE::AccessControl::lock_user_config(sub {
            my $usercfg = cfs_read_file("user.cfg");

            die "role '$role' does not exist\n"
                if !$usercfg->{roles}->{$role};

            delete $usercfg->{roles}->{$role};

            # fixme: delete role from acl?
            # NOTE(review): ACL entries that still name this role are left in
            # place; if a role with the same id is created again later, those
            # entries would presumably grant its new privileges - confirm how
            # the ACL side treats references to unknown roles.

            cfs_write_file("user.cfg", $usercfg);
        }, "delete role failed");

        return undef;
    }});

1;