[pve-access-control.git] / PVE / API2 / AccessControl.pm

package PVE::API2::AccessControl;

use strict;
use warnings;

use PVE::SafeSyslog;
use PVE::RPCEnvironment;
use PVE::Cluster;
use PVE::RESTHandler;
use PVE::AccessControl;
use PVE::JSONSchema qw(get_standard_option);
use PVE::API2::Domains;
use PVE::API2::User;
use PVE::API2::Group;
use PVE::API2::Role;
use PVE::API2::ACL;

use base qw(PVE::RESTHandler);

__PACKAGE__->register_method ({
    subclass => "PVE::API2::User",  
    path => 'users',
});

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Group",  
    path => 'groups',
});

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Role",  
    path => 'roles',
});

__PACKAGE__->register_method ({
    subclass => "PVE::API2::ACL",  
    path => 'acl',
});

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Domains",  
    path => 'domains',
});

__PACKAGE__->register_method ({
    name => 'index', 
    path => '', 
    method => 'GET',
    description => "Directory index.",
    parameters => {
    	additionalProperties => 0,
	properties => {},
    },
    returns => {
	type => 'array',
	items => {
	    type => "object",
	    properties => {
		subdir => { type => 'string' },
	    },
	},
	links => [ { rel => 'child', href => "{subdir}" } ],
    },
    code => sub {
	my ($param) = @_;
    
	my $res = [];

	my $ma = __PACKAGE__->method_attributes();

	foreach my $info (@$ma) {
	    next if !$info->{subclass};

	    my $subpath = $info->{match_re}->[0];

	    push @$res, { subdir => $subpath };
	}

	push @$res, { subdir => 'ticket' };

	return $res;
    }});

__PACKAGE__->register_method ({
    name => 'create_ticket', 
    path => 'ticket', 
    method => 'POST',
    permissions => { user => 'world' },
    protected => 1, # else we can't access shadow files
    description => "Create authentication ticket.",
    parameters => {
	additionalProperties => 0,
	properties => {
	    username => {
		description => "User name",
		type => 'string',
		maxLength => 64,
	    },
	    realm =>  get_standard_option('realm', {
		description => "You can optionally pass the realm using this parameter. Normally the realm is simply added to the username <username>\@<relam>.",
		optional => 1}),
	    password => { 
		description => "The secret password. This can also be a valid ticket.",
		type => 'string',
	    },
	    path => {
		description => "Only create ticket if user have access 'privs' on 'path'",
		type => 'string',
		requires => 'privs',
		optional => 1,
		maxLength => 64,
	    },
	    privs => { 
		description => "Only create ticket if user have access 'privs' on 'path'",
		type => 'string' , format => 'pve-priv-list',
		requires => 'path',
		optional => 1,
		maxLength => 64,
	    },
	}
    },
    returns => {
	type => "object",
	properties => {
	    ticket => { type => 'string' },
	    username => { type => 'string' },
	    CSRFPreventionToken => { type => 'string' },
	}
    },
    code => sub {
	my ($param) = @_;
    
	my $username = $param->{username};
	$username .= "\@$param->{realm}" if $param->{realm};

	my $rpcenv = PVE::RPCEnvironment::get();
	my $clientip = $rpcenv->get_client_ip() || '';

	my $ticket;
	my $token;
	eval {

	    if ($param->{path} && $param->{privs}) {
		my $privs = [ PVE::Tools::split_list($param->{privs}) ];
		my $path = PVE::AccessControl::normalize_path($param->{path});
		if (!($path && scalar(@$privs) && $rpcenv->check($username, $path, $privs))) {
		    die "no permission ($param->{path}, $param->{privs})\n";
		}
	    }

	    my $tmp;
	    if (($tmp = PVE::AccessControl::verify_ticket($param->{password}, 1)) &&
		($tmp eq $username)) {
		# got valid ticket
	    } else {
		$username = PVE::AccessControl::authenticate_user($username, $param->{password});
	    }
	    $ticket = PVE::AccessControl::assemble_ticket($username);
	    $token = PVE::AccessControl::assemble_csrf_prevention_token($username);
	};
	if (my $err = $@) {
	    syslog('err', "authentication failure; rhost=$clientip user=$username msg=$err");
	    die $err;
	}

	PVE::Cluster::log_msg('info', 'root@pam', "successful auth for user '$username'");

	return {
	    ticket => $ticket,
	    username => $username,
	    CSRFPreventionToken => $token,
	};
    }});

1;
Commit	Line	Data
	1	package PVE::API2::AccessControl;
	2
	3	use strict;
	4	use warnings;
	5
	6	use PVE::SafeSyslog;
	7	use PVE::RPCEnvironment;
	8	use PVE::Cluster;
	9	use PVE::RESTHandler;
	10	use PVE::AccessControl;
	11	use PVE::JSONSchema qw(get_standard_option);
	12	use PVE::API2::Domains;
	13	use PVE::API2::User;
	14	use PVE::API2::Group;
	15	use PVE::API2::Role;
	16	use PVE::API2::ACL;
	17
	18	use base qw(PVE::RESTHandler);
	19
	20	__PACKAGE__->register_method ({
	21	subclass => "PVE::API2::User",
	22	path => 'users',
	23	});
	24
	25	__PACKAGE__->register_method ({
	26	subclass => "PVE::API2::Group",
	27	path => 'groups',
	28	});
	29
	30	__PACKAGE__->register_method ({
	31	subclass => "PVE::API2::Role",
	32	path => 'roles',
	33	});
	34
	35	__PACKAGE__->register_method ({
	36	subclass => "PVE::API2::ACL",
	37	path => 'acl',
	38	});
	39
	40	__PACKAGE__->register_method ({
	41	subclass => "PVE::API2::Domains",
	42	path => 'domains',
	43	});
	44
	45	__PACKAGE__->register_method ({
	46	name => 'index',
	47	path => '',
	48	method => 'GET',
	49	description => "Directory index.",
	50	parameters => {
	51	additionalProperties => 0,
	52	properties => {},
	53	},
	54	returns => {
	55	type => 'array',
	56	items => {
	57	type => "object",
	58	properties => {
	59	subdir => { type => 'string' },
	60	},
	61	},
	62	links => [ { rel => 'child', href => "{subdir}" } ],
	63	},
	64	code => sub {
	65	my ($param) = @_;
	66
	67	my $res = [];
	68
	69	my $ma = __PACKAGE__->method_attributes();
	70
	71	foreach my $info (@$ma) {
	72	next if !$info->{subclass};
	73
	74	my $subpath = $info->{match_re}->[0];
	75
	76	push @$res, { subdir => $subpath };
	77	}
	78
	79	push @$res, { subdir => 'ticket' };
	80
	81	return $res;
	82	}});
	83
	84	__PACKAGE__->register_method ({
	85	name => 'create_ticket',
	86	path => 'ticket',
	87	method => 'POST',
	88	permissions => { user => 'world' },
	89	protected => 1, # else we can't access shadow files
	90	description => "Create authentication ticket.",
	91	parameters => {
	92	additionalProperties => 0,
	93	properties => {
	94	username => {
	95	description => "User name",
	96	type => 'string',
	97	maxLength => 64,
	98	},
	99	realm => get_standard_option('realm', {
	100	description => "You can optionally pass the realm using this parameter. Normally the realm is simply added to the username <username>\@<relam>.",
	101	optional => 1}),
	102	password => {
	103	description => "The secret password. This can also be a valid ticket.",
	104	type => 'string',
	105	},
	106	path => {
	107	description => "Only create ticket if user have access 'privs' on 'path'",
	108	type => 'string',
	109	requires => 'privs',
	110	optional => 1,
	111	maxLength => 64,
	112	},
	113	privs => {
	114	description => "Only create ticket if user have access 'privs' on 'path'",
	115	type => 'string' , format => 'pve-priv-list',
	116	requires => 'path',
	117	optional => 1,
	118	maxLength => 64,
	119	},
	120	}
	121	},
	122	returns => {
	123	type => "object",
	124	properties => {
	125	ticket => { type => 'string' },
	126	username => { type => 'string' },
	127	CSRFPreventionToken => { type => 'string' },
	128	}
	129	},
	130	code => sub {
	131	my ($param) = @_;
	132
	133	my $username = $param->{username};
	134	$username .= "\@$param->{realm}" if $param->{realm};
	135
	136	my $rpcenv = PVE::RPCEnvironment::get();
	137	my $clientip = $rpcenv->get_client_ip() \|\| '';
	138
	139	my $ticket;
	140	my $token;
	141	eval {
	142
	143	if ($param->{path} && $param->{privs}) {
	144	my $privs = [ PVE::Tools::split_list($param->{privs}) ];
	145	my $path = PVE::AccessControl::normalize_path($param->{path});
	146	if (!($path && scalar(@$privs) && $rpcenv->check($username, $path, $privs))) {
	147	die "no permission ($param->{path}, $param->{privs})\n";
	148	}
	149	}
	150
	151	my $tmp;
	152	if (($tmp = PVE::AccessControl::verify_ticket($param->{password}, 1)) &&
	153	($tmp eq $username)) {
	154	# got valid ticket
	155	} else {
	156	$username = PVE::AccessControl::authenticate_user($username, $param->{password});
	157	}
	158	$ticket = PVE::AccessControl::assemble_ticket($username);
	159	$token = PVE::AccessControl::assemble_csrf_prevention_token($username);
	160	};
	161	if (my $err = $@) {
	162	syslog('err', "authentication failure; rhost=$clientip user=$username msg=$err");
	163	die $err;
	164	}
	165
	166	PVE::Cluster::log_msg('info', 'root@pam', "successful auth for user '$username'");
	167
	168	return {
	169	ticket => $ticket,
	170	username => $username,
	171	CSRFPreventionToken => $token,
	172	};
	173	}});
	174
	175	1;