PVE/API2/Domains.pm

   1 package PVE::API2::Domains;
   2
   3 use strict;
   4 use warnings;
   5 use PVE::Tools qw(extract_param);
   6 use PVE::Cluster qw (cfs_read_file cfs_write_file);
   7 use PVE::AccessControl;
   8 use PVE::JSONSchema qw(get_standard_option);
   9
  10 use PVE::SafeSyslog;
  11 use PVE::RESTHandler;
  12 use PVE::Auth::Plugin;
  13
  14 my $domainconfigfile = "domains.cfg";
  15
  16 use base qw(PVE::RESTHandler);
  17
  18 __PACKAGE__->register_method ({
  19     name => 'index',
  20     path => '',
  21     method => 'GET',
  22     description => "Authentication domain index.",
  23     permissions => {
  24         description => "Anyone can access that, because we need that list for the login box (before the user is authenticated).",
  25         user => 'world',
  26     },
  27     parameters => {
  28         additionalProperties => 0,
  29         properties => {},
  30     },
  31     returns => {
  32         type => 'array',
  33         items => {
  34             type => "object",
  35             properties => {
  36                 realm => { type => 'string' },
  37                 type => { type => 'string' },
  38                 tfa => {
  39                     description => "Two-factor authentication provider.",
  40                     type => 'string',
  41                     enum => [ 'yubico', 'oath' ],
  42                     optional => 1,
  43                 },
  44                 comment => {
  45                     description => "A comment. The GUI use this text when you select a domain (Realm) on the login window.",
  46                     type => 'string',
  47                     optional => 1,
  48                 },
  49             },
  50         },
  51         links => [ { rel => 'child', href => "{realm}" } ],
  52     },
  53     code => sub {
  54         my ($param) = @_;
  55
  56         my $res = [];
  57
  58         my $cfg = cfs_read_file($domainconfigfile);
  59         my $ids = $cfg->{ids};
  60
  61         foreach my $realm (keys %$ids) {
  62             my $d = $ids->{$realm};
  63             my $entry = { realm => $realm, type => $d->{type} };
  64             $entry->{comment} = $d->{comment} if $d->{comment};
  65             $entry->{default} = 1 if $d->{default};
  66             if ($d->{tfa} && (my $tfa_cfg = PVE::Auth::Plugin::parse_tfa_config($d->{tfa}))) {
  67                 $entry->{tfa} = $tfa_cfg->{type};
  68             }
  69             push @$res, $entry;
  70         }
  71
  72         return $res;
  73     }});
  74
  75 __PACKAGE__->register_method ({
  76     name => 'create',
  77     protected => 1,
  78     path => '',
  79     method => 'POST',
  80     permissions => {
  81         check => ['perm', '/access/realm', ['Realm.Allocate']],
  82     },
  83     description => "Add an authentication server.",
  84     parameters => PVE::Auth::Plugin->createSchema(),
  85     returns => { type => 'null' },
  86     code => sub {
  87         my ($param) = @_;
  88
  89         PVE::Auth::Plugin::lock_domain_config(
  90             sub {
  91
  92                 my $cfg = cfs_read_file($domainconfigfile);
  93                 my $ids = $cfg->{ids};
  94
  95                 my $realm = extract_param($param, 'realm');
  96                 my $type = $param->{type};
  97
  98                 die "domain '$realm' already exists\n"
  99                     if $ids->{$realm};
 100
 101                 die "unable to use reserved name '$realm'\n"
 102                     if ($realm eq 'pam' || $realm eq 'pve');
 103
 104                 die "unable to create builtin type '$type'\n"
 105                     if ($type eq 'pam' || $type eq 'pve');
 106
 107                 my $plugin = PVE::Auth::Plugin->lookup($type);
 108                 my $config = $plugin->check_config($realm, $param, 1, 1);
 109
 110                 if ($config->{default}) {
 111                     foreach my $r (keys %$ids) {
 112                         delete $ids->{$r}->{default};
 113                     }
 114                 }
 115
 116                 $ids->{$realm} = $config;
 117
 118                 cfs_write_file($domainconfigfile, $cfg);
 119             }, "add auth server failed");
 120
 121         return undef;
 122     }});
 123
 124 __PACKAGE__->register_method ({
 125     name => 'update',
 126     path => '{realm}',
 127     method => 'PUT',
 128     permissions => {
 129         check => ['perm', '/access/realm', ['Realm.Allocate']],
 130     },
 131     description => "Update authentication server settings.",
 132     protected => 1,
 133     parameters => PVE::Auth::Plugin->updateSchema(),
 134     returns => { type => 'null' },
 135     code => sub {
 136         my ($param) = @_;
 137
 138         PVE::Auth::Plugin::lock_domain_config(
 139             sub {
 140
 141                 my $cfg = cfs_read_file($domainconfigfile);
 142                 my $ids = $cfg->{ids};
 143
 144                 my $digest = extract_param($param, 'digest');
 145                 PVE::SectionConfig::assert_if_modified($cfg, $digest);
 146
 147                 my $realm = extract_param($param, 'realm');
 148
 149                 die "domain '$realm' does not exist\n"
 150                     if !$ids->{$realm};
 151
 152                 my $delete_str = extract_param($param, 'delete');
 153                 die "no options specified\n" if !$delete_str && !scalar(keys %$param);
 154
 155                 foreach my $opt (PVE::Tools::split_list($delete_str)) {
 156                     delete $ids->{$realm}->{$opt};
 157                 }
 158
 159                 my $plugin = PVE::Auth::Plugin->lookup($ids->{$realm}->{type});
 160                 my $config = $plugin->check_config($realm, $param, 0, 1);
 161
 162                 if ($config->{default}) {
 163                     foreach my $r (keys %$ids) {
 164                         delete $ids->{$r}->{default};
 165                     }
 166                 }
 167
 168                 foreach my $p (keys %$config) {
 169                     $ids->{$realm}->{$p} = $config->{$p};
 170                 }
 171
 172                 cfs_write_file($domainconfigfile, $cfg);
 173             }, "update auth server failed");
 174
 175         return undef;
 176     }});
 177
 178 # fixme: return format!
 179 __PACKAGE__->register_method ({
 180     name => 'read',
 181     path => '{realm}',
 182     method => 'GET',
 183     description => "Get auth server configuration.",
 184     permissions => {
 185         check => ['perm', '/access/realm', ['Realm.Allocate', 'Sys.Audit'], any => 1],
 186     },
 187     parameters => {
 188         additionalProperties => 0,
 189         properties => {
 190             realm =>  get_standard_option('realm'),
 191         },
 192     },
 193     returns => {},
 194     code => sub {
 195         my ($param) = @_;
 196
 197         my $cfg = cfs_read_file($domainconfigfile);
 198
 199         my $realm = $param->{realm};
 200
 201         my $data = $cfg->{ids}->{$realm};
 202         die "domain '$realm' does not exist\n" if !$data;
 203
 204         $data->{digest} = $cfg->{digest};
 205
 206         return $data;
 207     }});
 208
 209
 210 __PACKAGE__->register_method ({
 211     name => 'delete',
 212     path => '{realm}',
 213     method => 'DELETE',
 214     permissions => {
 215         check => ['perm', '/access/realm', ['Realm.Allocate']],
 216     },
 217     description => "Delete an authentication server.",
 218     protected => 1,
 219     parameters => {
 220         additionalProperties => 0,
 221         properties => {
 222             realm =>  get_standard_option('realm'),
 223         }
 224     },
 225     returns => { type => 'null' },
 226     code => sub {
 227         my ($param) = @_;
 228
 229         PVE::Auth::Plugin::lock_domain_config(
 230             sub {
 231
 232                 my $cfg = cfs_read_file($domainconfigfile);
 233                 my $ids = $cfg->{ids};
 234
 235                 my $realm = $param->{realm};
 236
 237                 die "domain '$realm' does not exist\n" if !$ids->{$realm};
 238
 239                 delete $ids->{$realm};
 240
 241                 cfs_write_file($domainconfigfile, $cfg);
 242             }, "delete auth server failed");
 243
 244         return undef;
 245     }});
 246
 247 1;