[pve-access-control.git] / src / PVE / CLI / pveum.pm

package PVE::CLI::pveum;

use strict;
use warnings;

use PVE::AccessControl;
use PVE::RPCEnvironment;
use PVE::API2::User;
use PVE::API2::Group;
use PVE::API2::Role;
use PVE::API2::ACL;
use PVE::API2::AccessControl;
use PVE::API2::Domains;
use PVE::API2::TFA;
use PVE::CLIFormatter;
use PVE::CLIHandler;
use PVE::JSONSchema qw(get_standard_option);
use PVE::PTY;
use PVE::RESTHandler;
use PVE::Tools qw(extract_param);

use base qw(PVE::CLIHandler);

sub setup_environment {
    PVE::RPCEnvironment->setup_default_cli_env();
}

sub param_mapping {
    my ($name) = @_;

    my $mapping = {
	'change_password' => [
	    PVE::CLIHandler::get_standard_mapping('pve-password'),
	],
	'create_ticket' => [
	    PVE::CLIHandler::get_standard_mapping('pve-password', {
		func => sub {
		    # do not accept values given on cmdline
		    return PVE::PTY::read_password('Enter password: ');
		},
	    }),
	]
    };

    return $mapping->{$name};
}

my $print_api_result = sub {
    my ($data, $schema, $options) = @_;
    PVE::CLIFormatter::print_api_result($data, $schema, undef, $options);
};

my $print_perm_result = sub {
    my ($data, $schema, $options) = @_;

    if (!defined($options->{'output-format'}) || $options->{'output-format'} eq 'text') {
	my $table_schema = {
	    type => 'array',
	    items => {
		type => 'object',
		properties => {
		    'path' => { type => 'string', title => 'ACL path' },
		    'permissions' => { type => 'string', title => 'Permissions' },
		},
	    },
	};
	my $table_data = [];
	foreach my $path (sort keys %$data) {
	    my $value = '';
	    my $curr = $data->{$path};
	    foreach my $perm (sort keys %$curr) {
		$value .= "\n" if $value;
		$value .= $perm;
		$value .= " (*)" if $curr->{$perm};
	    }
	    push @$table_data, { path => $path, permissions => $value };
	}
	PVE::CLIFormatter::print_api_result($table_data, $table_schema, undef, $options);
	print "Permissions marked with '(*)' have the 'propagate' flag set.\n";
    } else {
	PVE::CLIFormatter::print_api_result($data, $schema, undef, $options);
    }
};

__PACKAGE__->register_method({
    name => 'token_permissions',
    path => 'token_permissions',
    method => 'GET',
    description => 'Retrieve effective permissions of given token.',
    parameters => {
	additionalProperties => 0,
	properties => {
	    userid => get_standard_option('userid'),
	    tokenid => get_standard_option('token-subid'),
	    path => get_standard_option('acl-path', {
		description => "Only dump this specific path, not the whole tree.",
		optional => 1,
	    }),
	},
    },
    returns => {
	type => 'object',
	description => 'Hash of structure "path" => "privilege" => "propagate boolean".',
    },
    code => sub {
	my ($param) = @_;

	my $token_subid = extract_param($param, "tokenid");
	$param->{userid} = PVE::AccessControl::join_tokenid($param->{userid}, $token_subid);

	return PVE::API2::AccessControl->permissions($param);
    }});

our $cmddef = {
    user => {
	add    => [ 'PVE::API2::User', 'create_user', ['userid'] ],
	modify => [ 'PVE::API2::User', 'update_user', ['userid'] ],
	delete => [ 'PVE::API2::User', 'delete_user', ['userid'] ],
	list   => [ 'PVE::API2::User', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
	permissions => [ 'PVE::API2::AccessControl', 'permissions', ['userid'], {}, $print_perm_result, $PVE::RESTHandler::standard_output_options],
	tfa => {
	    delete => [ 'PVE::API2::TFA', 'change_tfa', ['userid'], { action => 'delete', key => undef, config => undef, response => undef, }, ],
	},
	token => {
	    add    => [ 'PVE::API2::User', 'generate_token', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options ],
	    modify    => [ 'PVE::API2::User', 'update_token_info', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options ],
	    remove    => [ 'PVE::API2::User', 'remove_token', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options ],
	    list   => [ 'PVE::API2::User', 'token_index', ['userid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
	    permissions => [ __PACKAGE__, 'token_permissions', ['userid', 'tokenid'], {}, $print_perm_result, $PVE::RESTHandler::standard_output_options],
	}
    },
    group => {
	add    => [ 'PVE::API2::Group', 'create_group', ['groupid'] ],
	modify => [ 'PVE::API2::Group', 'update_group', ['groupid'] ],
	delete => [ 'PVE::API2::Group', 'delete_group', ['groupid'] ],
	list   => [ 'PVE::API2::Group', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
    },
    role => {
	add    => [ 'PVE::API2::Role', 'create_role', ['roleid'] ],
	modify => [ 'PVE::API2::Role', 'update_role', ['roleid'] ],
	delete => [ 'PVE::API2::Role', 'delete_role', ['roleid'] ],
	list   => [ 'PVE::API2::Role', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
    },
    acl => {
	modify => [ 'PVE::API2::ACL', 'update_acl', ['path'], { delete => 0 }],
	delete => [ 'PVE::API2::ACL', 'update_acl', ['path'], { delete => 1 }],
	list   => [ 'PVE::API2::ACL', 'read_acl', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
    },
    realm => {
	add    => [ 'PVE::API2::Domains', 'create', ['realm'] ],
	modify => [ 'PVE::API2::Domains', 'update', ['realm'] ],
	delete => [ 'PVE::API2::Domains', 'delete', ['realm'] ],
	list   => [ 'PVE::API2::Domains', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
	sync   => [ 'PVE::API2::Domains', 'sync', ['realm'], ],
    },

    ticket => [ 'PVE::API2::AccessControl', 'create_ticket', ['username'], undef,
		sub {
		    my ($res) = @_;
		    print "$res->{ticket}\n";
		}],

    passwd => [ 'PVE::API2::AccessControl', 'change_password', ['userid'] ],

    useradd => { alias => 'user add' },
    usermod => { alias => 'user modify' },
    userdel => { alias => 'user delete' },

    groupadd => { alias => 'group add' },
    groupmod => { alias => 'group modify' },
    groupdel => { alias => 'group delete' },

    roleadd => { alias => 'role add' },
    rolemod => { alias => 'role modify' },
    roledel => { alias => 'role delete' },

    aclmod => { alias => 'acl modify' },
    acldel => { alias => 'acl delete' },
};

# FIXME: HACK! The pool API is in pve-manager as it needs access to storage guest and RRD stats,
# so we only add the pool commands if the API module is available (required for boots-trapping)
my $have_pool_api;
eval {
    require PVE::API2::Pool;
    PVE::API2::Pool->import();
    $have_pool_api = 1;
};

if ($have_pool_api) {
    $cmddef->{pool} = {
	add => [ 'PVE::API2::Pool', 'create_pool', ['poolid'] ],
	modify => [ 'PVE::API2::Pool', 'update_pool', ['poolid'] ],
	delete => [ 'PVE::API2::Pool', 'delete_pool', ['poolid'] ],
	list   => [ 'PVE::API2::Pool', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
    };
}

1;
Commit	Line	Data
09281ad7 DM	1	package PVE::CLI::pveum;
	2
	3	use strict;
	4	use warnings;
042eaa3d	5
66d1b615	6	use PVE::AccessControl;
09281ad7 DM	7	use PVE::RPCEnvironment;
	8	use PVE::API2::User;
	9	use PVE::API2::Group;
	10	use PVE::API2::Role;
	11	use PVE::API2::ACL;
	12	use PVE::API2::AccessControl;
f28a69a0	13	use PVE::API2::Domains;
dc547a13	14	use PVE::API2::TFA;
369851ac	15	use PVE::CLIFormatter;
09281ad7	16	use PVE::CLIHandler;
66d1b615	17	use PVE::JSONSchema qw(get_standard_option);
b34d76e7	18	use PVE::PTY;
369851ac	19	use PVE::RESTHandler;
66d1b615	20	use PVE::Tools qw(extract_param);
09281ad7 DM	21
	22	use base qw(PVE::CLIHandler);
	23
e623414a DM	24	sub setup_environment {
	25	PVE::RPCEnvironment->setup_default_cli_env();
	26	}
	27
b34d76e7 DC	28	sub param_mapping {
b34d76e7 DC	29	my ($name) = @_;
98007830	30
b34d76e7 DC	31	my $mapping = {
	32	'change_password' => [
	33	PVE::CLIHandler::get_standard_mapping('pve-password'),
	34	],
	35	'create_ticket' => [
	36	PVE::CLIHandler::get_standard_mapping('pve-password', {
	37	func => sub {
	38	# do not accept values given on cmdline
	39	return PVE::PTY::read_password('Enter password: ');
	40	},
	41	}),
	42	]
	43	};
	44
	45	return $mapping->{$name};
98007830 DM	46	}
98007830 DM	47
369851ac FG	48	my $print_api_result = sub {
	49	my ($data, $schema, $options) = @_;
	50	PVE::CLIFormatter::print_api_result($data, $schema, undef, $options);
	51	};
	52
66d1b615 FG	53	my $print_perm_result = sub {
	54	my ($data, $schema, $options) = @_;
	55
	56	if (!defined($options->{'output-format'}) \|\| $options->{'output-format'} eq 'text') {
	57	my $table_schema = {
	58	type => 'array',
	59	items => {
	60	type => 'object',
	61	properties => {
	62	'path' => { type => 'string', title => 'ACL path' },
	63	'permissions' => { type => 'string', title => 'Permissions' },
	64	},
	65	},
	66	};
	67	my $table_data = [];
	68	foreach my $path (sort keys %$data) {
	69	my $value = '';
	70	my $curr = $data->{$path};
	71	foreach my $perm (sort keys %$curr) {
	72	$value .= "\n" if $value;
	73	$value .= $perm;
	74	$value .= " (*)" if $curr->{$perm};
	75	}
	76	push @$table_data, { path => $path, permissions => $value };
	77	}
	78	PVE::CLIFormatter::print_api_result($table_data, $table_schema, undef, $options);
	79	print "Permissions marked with '(*)' have the 'propagate' flag set.\n";
	80	} else {
	81	PVE::CLIFormatter::print_api_result($data, $schema, undef, $options);
	82	}
	83	};
	84
	85	__PACKAGE__->register_method({
	86	name => 'token_permissions',
	87	path => 'token_permissions',
	88	method => 'GET',
	89	description => 'Retrieve effective permissions of given token.',
	90	parameters => {
	91	additionalProperties => 0,
	92	properties => {
	93	userid => get_standard_option('userid'),
	94	tokenid => get_standard_option('token-subid'),
	95	path => get_standard_option('acl-path', {
	96	description => "Only dump this specific path, not the whole tree.",
	97	optional => 1,
	98	}),
	99	},
	100	},
	101	returns => {
	102	type => 'object',
	103	description => 'Hash of structure "path" => "privilege" => "propagate boolean".',
	104	},
	105	code => sub {
	106	my ($param) = @_;
	107
	108	my $token_subid = extract_param($param, "tokenid");
	109	$param->{userid} = PVE::AccessControl::join_tokenid($param->{userid}, $token_subid);
	110
	111	return PVE::API2::AccessControl->permissions($param);
	112	}});
	113
09281ad7	114	our $cmddef = {
1e41cdc9 PA	115	user => {
	116	add => [ 'PVE::API2::User', 'create_user', ['userid'] ],
	117	modify => [ 'PVE::API2::User', 'update_user', ['userid'] ],
	118	delete => [ 'PVE::API2::User', 'delete_user', ['userid'] ],
369851ac	119	list => [ 'PVE::API2::User', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
66d1b615	120	permissions => [ 'PVE::API2::AccessControl', 'permissions', ['userid'], {}, $print_perm_result, $PVE::RESTHandler::standard_output_options],
618d112b	121	tfa => {
dc547a13	122	delete => [ 'PVE::API2::TFA', 'change_tfa', ['userid'], { action => 'delete', key => undef, config => undef, response => undef, }, ],
618d112b	123	},
084c149a FG	124	token => {
084c149a FG	125	add => [ 'PVE::API2::User', 'generate_token', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options ],
ccaecac1	126	modify => [ 'PVE::API2::User', 'update_token_info', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options ],
084c149a FG	127	remove => [ 'PVE::API2::User', 'remove_token', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options ],
084c149a FG	128	list => [ 'PVE::API2::User', 'token_index', ['userid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
66d1b615	129	permissions => [ __PACKAGE__, 'token_permissions', ['userid', 'tokenid'], {}, $print_perm_result, $PVE::RESTHandler::standard_output_options],
084c149a	130	}
1e41cdc9 PA	131	},
	132	group => {
	133	add => [ 'PVE::API2::Group', 'create_group', ['groupid'] ],
	134	modify => [ 'PVE::API2::Group', 'update_group', ['groupid'] ],
	135	delete => [ 'PVE::API2::Group', 'delete_group', ['groupid'] ],
369851ac	136	list => [ 'PVE::API2::Group', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
1e41cdc9 PA	137	},
	138	role => {
	139	add => [ 'PVE::API2::Role', 'create_role', ['roleid'] ],
	140	modify => [ 'PVE::API2::Role', 'update_role', ['roleid'] ],
	141	delete => [ 'PVE::API2::Role', 'delete_role', ['roleid'] ],
369851ac	142	list => [ 'PVE::API2::Role', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
1e41cdc9 PA	143	},
	144	acl => {
	145	modify => [ 'PVE::API2::ACL', 'update_acl', ['path'], { delete => 0 }],
	146	delete => [ 'PVE::API2::ACL', 'update_acl', ['path'], { delete => 1 }],
369851ac	147	list => [ 'PVE::API2::ACL', 'read_acl', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
1e41cdc9	148	},
f28a69a0 DC	149	realm => {
	150	add => [ 'PVE::API2::Domains', 'create', ['realm'] ],
	151	modify => [ 'PVE::API2::Domains', 'update', ['realm'] ],
	152	delete => [ 'PVE::API2::Domains', 'delete', ['realm'] ],
	153	list => [ 'PVE::API2::Domains', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
673d2bf2	154	sync => [ 'PVE::API2::Domains', 'sync', ['realm'], ],
f28a69a0 DC	155	},
f28a69a0 DC	156
09281ad7 DM	157	ticket => [ 'PVE::API2::AccessControl', 'create_ticket', ['username'], undef,
	158	sub {
	159	my ($res) = @_;
	160	print "$res->{ticket}\n";
	161	}],
	162
765305e2	163	passwd => [ 'PVE::API2::AccessControl', 'change_password', ['userid'] ],
09281ad7	164
1e41cdc9 PA	165	useradd => { alias => 'user add' },
	166	usermod => { alias => 'user modify' },
	167	userdel => { alias => 'user delete' },
09281ad7	168
1e41cdc9 PA	169	groupadd => { alias => 'group add' },
	170	groupmod => { alias => 'group modify' },
	171	groupdel => { alias => 'group delete' },
09281ad7	172
1e41cdc9 PA	173	roleadd => { alias => 'role add' },
	174	rolemod => { alias => 'role modify' },
	175	roledel => { alias => 'role delete' },
09281ad7	176
1e41cdc9 PA	177	aclmod => { alias => 'acl modify' },
1e41cdc9 PA	178	acldel => { alias => 'acl delete' },
09281ad7 DM	179	};
09281ad7 DM	180
3470fad8 TL	181	# FIXME: HACK! The pool API is in pve-manager as it needs access to storage guest and RRD stats,
	182	# so we only add the pool commands if the API module is available (required for boots-trapping)
	183	my $have_pool_api;
	184	eval {
	185	require PVE::API2::Pool;
	186	PVE::API2::Pool->import();
	187	$have_pool_api = 1;
	188	};
	189
	190	if ($have_pool_api) {
	191	$cmddef->{pool} = {
	192	add => [ 'PVE::API2::Pool', 'create_pool', ['poolid'] ],
	193	modify => [ 'PVE::API2::Pool', 'update_pool', ['poolid'] ],
	194	delete => [ 'PVE::API2::Pool', 'delete_pool', ['poolid'] ],
	195	list => [ 'PVE::API2::Pool', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
	196	};
	197	}
	198
09281ad7	199	1;