[pve-access-control.git] / src / PVE / CLI / pveum.pm

package PVE::CLI::pveum;

use strict;
use warnings;

use PVE::AccessControl;
use PVE::RPCEnvironment;
use PVE::API2::User;
use PVE::API2::Group;
use PVE::API2::Role;
use PVE::API2::ACL;
use PVE::API2::AccessControl;
use PVE::API2::Domains;
use PVE::CLIFormatter;
use PVE::CLIHandler;
use PVE::JSONSchema qw(get_standard_option);
use PVE::PTY;
use PVE::RESTHandler;
use PVE::Tools qw(extract_param);

use base qw(PVE::CLIHandler);

sub setup_environment {
    PVE::RPCEnvironment->setup_default_cli_env();
}

sub param_mapping {
    my ($name) = @_;

    my $mapping = {
	'change_password' => [
	    PVE::CLIHandler::get_standard_mapping('pve-password'),
	],
	'create_ticket' => [
	    PVE::CLIHandler::get_standard_mapping('pve-password', {
		func => sub {
		    # do not accept values given on cmdline
		    return PVE::PTY::read_password('Enter password: ');
		},
	    }),
	]
    };

    return $mapping->{$name};
}

my $print_api_result = sub {
    my ($data, $schema, $options) = @_;
    PVE::CLIFormatter::print_api_result($data, $schema, undef, $options);
};

my $print_perm_result = sub {
    my ($data, $schema, $options) = @_;

    if (!defined($options->{'output-format'}) || $options->{'output-format'} eq 'text') {
	my $table_schema = {
	    type => 'array',
	    items => {
		type => 'object',
		properties => {
		    'path' => { type => 'string', title => 'ACL path' },
		    'permissions' => { type => 'string', title => 'Permissions' },
		},
	    },
	};
	my $table_data = [];
	foreach my $path (sort keys %$data) {
	    my $value = '';
	    my $curr = $data->{$path};
	    foreach my $perm (sort keys %$curr) {
		$value .= "\n" if $value;
		$value .= $perm;
		$value .= " (*)" if $curr->{$perm};
	    }
	    push @$table_data, { path => $path, permissions => $value };
	}
	PVE::CLIFormatter::print_api_result($table_data, $table_schema, undef, $options);
	print "Permissions marked with '(*)' have the 'propagate' flag set.\n";
    } else {
	PVE::CLIFormatter::print_api_result($data, $schema, undef, $options);
    }
};

__PACKAGE__->register_method({
    name => 'token_permissions',
    path => 'token_permissions',
    method => 'GET',
    description => 'Retrieve effective permissions of given token.',
    parameters => {
	additionalProperties => 0,
	properties => {
	    userid => get_standard_option('userid'),
	    tokenid => get_standard_option('token-subid'),
	    path => get_standard_option('acl-path', {
		description => "Only dump this specific path, not the whole tree.",
		optional => 1,
	    }),
	},
    },
    returns => {
	type => 'object',
	description => 'Hash of structure "path" => "privilege" => "propagate boolean".',
    },
    code => sub {
	my ($param) = @_;

	my $token_subid = extract_param($param, "tokenid");
	$param->{userid} = PVE::AccessControl::join_tokenid($param->{userid}, $token_subid);

	return PVE::API2::AccessControl->permissions($param);
    }});

our $cmddef = {
    user => {
	add    => [ 'PVE::API2::User', 'create_user', ['userid'] ],
	modify => [ 'PVE::API2::User', 'update_user', ['userid'] ],
	delete => [ 'PVE::API2::User', 'delete_user', ['userid'] ],
	list   => [ 'PVE::API2::User', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
	permissions => [ 'PVE::API2::AccessControl', 'permissions', ['userid'], {}, $print_perm_result, $PVE::RESTHandler::standard_output_options],
	tfa => {
	    delete => [ 'PVE::API2::AccessControl', 'change_tfa', ['userid'], { action => 'delete', key => undef, config => undef, response => undef, }, ],
	},
	token => {
	    add    => [ 'PVE::API2::User', 'generate_token', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options ],
	    modify    => [ 'PVE::API2::User', 'update_token_info', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options ],
	    remove    => [ 'PVE::API2::User', 'remove_token', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options ],
	    list   => [ 'PVE::API2::User', 'token_index', ['userid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
	    permissions => [ __PACKAGE__, 'token_permissions', ['userid', 'tokenid'], {}, $print_perm_result, $PVE::RESTHandler::standard_output_options],
	}
    },
    group => {
	add    => [ 'PVE::API2::Group', 'create_group', ['groupid'] ],
	modify => [ 'PVE::API2::Group', 'update_group', ['groupid'] ],
	delete => [ 'PVE::API2::Group', 'delete_group', ['groupid'] ],
	list   => [ 'PVE::API2::Group', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
    },
    role => {
	add    => [ 'PVE::API2::Role', 'create_role', ['roleid'] ],
	modify => [ 'PVE::API2::Role', 'update_role', ['roleid'] ],
	delete => [ 'PVE::API2::Role', 'delete_role', ['roleid'] ],
	list   => [ 'PVE::API2::Role', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
    },
    acl => {
	modify => [ 'PVE::API2::ACL', 'update_acl', ['path'], { delete => 0 }],
	delete => [ 'PVE::API2::ACL', 'update_acl', ['path'], { delete => 1 }],
	list   => [ 'PVE::API2::ACL', 'read_acl', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
    },
    realm => {
	add    => [ 'PVE::API2::Domains', 'create', ['realm'] ],
	modify => [ 'PVE::API2::Domains', 'update', ['realm'] ],
	delete => [ 'PVE::API2::Domains', 'delete', ['realm'] ],
	list   => [ 'PVE::API2::Domains', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
	sync   => [ 'PVE::API2::Domains', 'sync', ['realm'], ],
    },

    ticket => [ 'PVE::API2::AccessControl', 'create_ticket', ['username'], undef,
		sub {
		    my ($res) = @_;
		    print "$res->{ticket}\n";
		}],

    passwd => [ 'PVE::API2::AccessControl', 'change_password', ['userid'] ],

    useradd => { alias => 'user add' },
    usermod => { alias => 'user modify' },
    userdel => { alias => 'user delete' },

    groupadd => { alias => 'group add' },
    groupmod => { alias => 'group modify' },
    groupdel => { alias => 'group delete' },

    roleadd => { alias => 'role add' },
    rolemod => { alias => 'role modify' },
    roledel => { alias => 'role delete' },

    aclmod => { alias => 'acl modify' },
    acldel => { alias => 'acl delete' },
};

# FIXME: HACK! The pool API is in pve-manager as it needs access to storage guest and RRD stats,
# so we only add the pool commands if the API module is available (required for boots-trapping)
my $have_pool_api;
eval {
    require PVE::API2::Pool;
    PVE::API2::Pool->import();
    $have_pool_api = 1;
};

if ($have_pool_api) {
    $cmddef->{pool} = {
	add => [ 'PVE::API2::Pool', 'create_pool', ['poolid'] ],
	modify => [ 'PVE::API2::Pool', 'update_pool', ['poolid'] ],
	delete => [ 'PVE::API2::Pool', 'delete_pool', ['poolid'] ],
	list   => [ 'PVE::API2::Pool', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
    };
}

1;
Commit	Line	Data
09281ad7 DM	1	package PVE::CLI::pveum;
	2
	3	use strict;
	4	use warnings;
042eaa3d	5
66d1b615	6	use PVE::AccessControl;
09281ad7 DM	7	use PVE::RPCEnvironment;
	8	use PVE::API2::User;
	9	use PVE::API2::Group;
	10	use PVE::API2::Role;
	11	use PVE::API2::ACL;
	12	use PVE::API2::AccessControl;
f28a69a0	13	use PVE::API2::Domains;
369851ac	14	use PVE::CLIFormatter;
09281ad7	15	use PVE::CLIHandler;
66d1b615	16	use PVE::JSONSchema qw(get_standard_option);
b34d76e7	17	use PVE::PTY;
369851ac	18	use PVE::RESTHandler;
66d1b615	19	use PVE::Tools qw(extract_param);
09281ad7 DM	20
	21	use base qw(PVE::CLIHandler);
	22
e623414a DM	23	sub setup_environment {
	24	PVE::RPCEnvironment->setup_default_cli_env();
	25	}
	26
b34d76e7 DC	27	sub param_mapping {
b34d76e7 DC	28	my ($name) = @_;
98007830	29
b34d76e7 DC	30	my $mapping = {
	31	'change_password' => [
	32	PVE::CLIHandler::get_standard_mapping('pve-password'),
	33	],
	34	'create_ticket' => [
	35	PVE::CLIHandler::get_standard_mapping('pve-password', {
	36	func => sub {
	37	# do not accept values given on cmdline
	38	return PVE::PTY::read_password('Enter password: ');
	39	},
	40	}),
	41	]
	42	};
	43
	44	return $mapping->{$name};
98007830 DM	45	}
98007830 DM	46
369851ac FG	47	my $print_api_result = sub {
	48	my ($data, $schema, $options) = @_;
	49	PVE::CLIFormatter::print_api_result($data, $schema, undef, $options);
	50	};
	51
66d1b615 FG	52	my $print_perm_result = sub {
	53	my ($data, $schema, $options) = @_;
	54
	55	if (!defined($options->{'output-format'}) \|\| $options->{'output-format'} eq 'text') {
	56	my $table_schema = {
	57	type => 'array',
	58	items => {
	59	type => 'object',
	60	properties => {
	61	'path' => { type => 'string', title => 'ACL path' },
	62	'permissions' => { type => 'string', title => 'Permissions' },
	63	},
	64	},
	65	};
	66	my $table_data = [];
	67	foreach my $path (sort keys %$data) {
	68	my $value = '';
	69	my $curr = $data->{$path};
	70	foreach my $perm (sort keys %$curr) {
	71	$value .= "\n" if $value;
	72	$value .= $perm;
	73	$value .= " (*)" if $curr->{$perm};
	74	}
	75	push @$table_data, { path => $path, permissions => $value };
	76	}
	77	PVE::CLIFormatter::print_api_result($table_data, $table_schema, undef, $options);
	78	print "Permissions marked with '(*)' have the 'propagate' flag set.\n";
	79	} else {
	80	PVE::CLIFormatter::print_api_result($data, $schema, undef, $options);
	81	}
	82	};
	83
	84	__PACKAGE__->register_method({
	85	name => 'token_permissions',
	86	path => 'token_permissions',
	87	method => 'GET',
	88	description => 'Retrieve effective permissions of given token.',
	89	parameters => {
	90	additionalProperties => 0,
	91	properties => {
	92	userid => get_standard_option('userid'),
	93	tokenid => get_standard_option('token-subid'),
	94	path => get_standard_option('acl-path', {
	95	description => "Only dump this specific path, not the whole tree.",
	96	optional => 1,
	97	}),
	98	},
	99	},
	100	returns => {
	101	type => 'object',
	102	description => 'Hash of structure "path" => "privilege" => "propagate boolean".',
	103	},
	104	code => sub {
	105	my ($param) = @_;
	106
	107	my $token_subid = extract_param($param, "tokenid");
	108	$param->{userid} = PVE::AccessControl::join_tokenid($param->{userid}, $token_subid);
	109
	110	return PVE::API2::AccessControl->permissions($param);
	111	}});
	112
09281ad7	113	our $cmddef = {
1e41cdc9 PA	114	user => {
	115	add => [ 'PVE::API2::User', 'create_user', ['userid'] ],
	116	modify => [ 'PVE::API2::User', 'update_user', ['userid'] ],
	117	delete => [ 'PVE::API2::User', 'delete_user', ['userid'] ],
369851ac	118	list => [ 'PVE::API2::User', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
66d1b615	119	permissions => [ 'PVE::API2::AccessControl', 'permissions', ['userid'], {}, $print_perm_result, $PVE::RESTHandler::standard_output_options],
618d112b TL	120	tfa => {
	121	delete => [ 'PVE::API2::AccessControl', 'change_tfa', ['userid'], { action => 'delete', key => undef, config => undef, response => undef, }, ],
	122	},
084c149a FG	123	token => {
084c149a FG	124	add => [ 'PVE::API2::User', 'generate_token', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options ],
ccaecac1	125	modify => [ 'PVE::API2::User', 'update_token_info', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options ],
084c149a FG	126	remove => [ 'PVE::API2::User', 'remove_token', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options ],
084c149a FG	127	list => [ 'PVE::API2::User', 'token_index', ['userid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
66d1b615	128	permissions => [ __PACKAGE__, 'token_permissions', ['userid', 'tokenid'], {}, $print_perm_result, $PVE::RESTHandler::standard_output_options],
084c149a	129	}
1e41cdc9 PA	130	},
	131	group => {
	132	add => [ 'PVE::API2::Group', 'create_group', ['groupid'] ],
	133	modify => [ 'PVE::API2::Group', 'update_group', ['groupid'] ],
	134	delete => [ 'PVE::API2::Group', 'delete_group', ['groupid'] ],
369851ac	135	list => [ 'PVE::API2::Group', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
1e41cdc9 PA	136	},
	137	role => {
	138	add => [ 'PVE::API2::Role', 'create_role', ['roleid'] ],
	139	modify => [ 'PVE::API2::Role', 'update_role', ['roleid'] ],
	140	delete => [ 'PVE::API2::Role', 'delete_role', ['roleid'] ],
369851ac	141	list => [ 'PVE::API2::Role', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
1e41cdc9 PA	142	},
	143	acl => {
	144	modify => [ 'PVE::API2::ACL', 'update_acl', ['path'], { delete => 0 }],
	145	delete => [ 'PVE::API2::ACL', 'update_acl', ['path'], { delete => 1 }],
369851ac	146	list => [ 'PVE::API2::ACL', 'read_acl', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
1e41cdc9	147	},
f28a69a0 DC	148	realm => {
	149	add => [ 'PVE::API2::Domains', 'create', ['realm'] ],
	150	modify => [ 'PVE::API2::Domains', 'update', ['realm'] ],
	151	delete => [ 'PVE::API2::Domains', 'delete', ['realm'] ],
	152	list => [ 'PVE::API2::Domains', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
673d2bf2	153	sync => [ 'PVE::API2::Domains', 'sync', ['realm'], ],
f28a69a0 DC	154	},
f28a69a0 DC	155
09281ad7 DM	156	ticket => [ 'PVE::API2::AccessControl', 'create_ticket', ['username'], undef,
	157	sub {
	158	my ($res) = @_;
	159	print "$res->{ticket}\n";
	160	}],
	161
765305e2	162	passwd => [ 'PVE::API2::AccessControl', 'change_password', ['userid'] ],
09281ad7	163
1e41cdc9 PA	164	useradd => { alias => 'user add' },
	165	usermod => { alias => 'user modify' },
	166	userdel => { alias => 'user delete' },
09281ad7	167
1e41cdc9 PA	168	groupadd => { alias => 'group add' },
	169	groupmod => { alias => 'group modify' },
	170	groupdel => { alias => 'group delete' },
09281ad7	171
1e41cdc9 PA	172	roleadd => { alias => 'role add' },
	173	rolemod => { alias => 'role modify' },
	174	roledel => { alias => 'role delete' },
09281ad7	175
1e41cdc9 PA	176	aclmod => { alias => 'acl modify' },
1e41cdc9 PA	177	acldel => { alias => 'acl delete' },
09281ad7 DM	178	};
09281ad7 DM	179
3470fad8 TL	180	# FIXME: HACK! The pool API is in pve-manager as it needs access to storage guest and RRD stats,
	181	# so we only add the pool commands if the API module is available (required for boots-trapping)
	182	my $have_pool_api;
	183	eval {
	184	require PVE::API2::Pool;
	185	PVE::API2::Pool->import();
	186	$have_pool_api = 1;
	187	};
	188
	189	if ($have_pool_api) {
	190	$cmddef->{pool} = {
	191	add => [ 'PVE::API2::Pool', 'create_pool', ['poolid'] ],
	192	modify => [ 'PVE::API2::Pool', 'update_pool', ['poolid'] ],
	193	delete => [ 'PVE::API2::Pool', 'delete_pool', ['poolid'] ],
	194	list => [ 'PVE::API2::Pool', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
	195	};
	196	}
	197
09281ad7	198	1;