1 package PVE
::API2
::Domains
;
5 use PVE
::Tools
qw(extract_param);
6 use PVE
::Cluster qw
(cfs_read_file cfs_write_file
);
7 use PVE
::AccessControl
;
8 use PVE
::JSONSchema
qw(get_standard_option);
12 use PVE
::Auth
::Plugin
;
14 my $domainconfigfile = "domains.cfg";
16 use base
qw(PVE::RESTHandler);
18 __PACKAGE__-
>register_method ({
22 description
=> "Authentication domain index.",
24 description
=> "Anyone can access that, because we need that list for the login box (before the user is authenticated).",
28 additionalProperties
=> 0,
36 realm
=> { type
=> 'string' },
37 type
=> { type
=> 'string' },
39 description
=> "Two-factor authentication provider.",
41 enum
=> [ 'yubico', 'oath' ],
45 description
=> "A comment. The GUI use this text when you select a domain (Realm) on the login window.",
51 links
=> [ { rel
=> 'child', href
=> "{realm}" } ],
58 my $cfg = cfs_read_file
($domainconfigfile);
59 my $ids = $cfg->{ids
};
61 foreach my $realm (keys %$ids) {
62 my $d = $ids->{$realm};
63 my $entry = { realm
=> $realm, type
=> $d->{type
} };
64 $entry->{comment
} = $d->{comment
} if $d->{comment
};
65 $entry->{default} = 1 if $d->{default};
66 if ($d->{tfa
} && (my $tfa_cfg = PVE
::Auth
::Plugin
::parse_tfa_config
($d->{tfa
}))) {
67 $entry->{tfa
} = $tfa_cfg->{type
};
75 __PACKAGE__-
>register_method ({
81 check
=> ['perm', '/access/realm', ['Realm.Allocate']],
83 description
=> "Add an authentication server.",
84 parameters
=> PVE
::Auth
::Plugin-
>createSchema(),
85 returns
=> { type
=> 'null' },
89 PVE
::Auth
::Plugin
::lock_domain_config
(
92 my $cfg = cfs_read_file
($domainconfigfile);
93 my $ids = $cfg->{ids
};
95 my $realm = extract_param
($param, 'realm');
96 my $type = $param->{type
};
98 die "domain '$realm' already exists\n"
101 die "unable to use reserved name '$realm'\n"
102 if ($realm eq 'pam' || $realm eq 'pve');
104 die "unable to create builtin type '$type'\n"
105 if ($type eq 'pam' || $type eq 'pve');
107 my $plugin = PVE
::Auth
::Plugin-
>lookup($type);
108 my $config = $plugin->check_config($realm, $param, 1, 1);
110 if ($config->{default}) {
111 foreach my $r (keys %$ids) {
112 delete $ids->{$r}->{default};
116 $ids->{$realm} = $config;
118 cfs_write_file
($domainconfigfile, $cfg);
119 }, "add auth server failed");
124 __PACKAGE__-
>register_method ({
129 check
=> ['perm', '/access/realm', ['Realm.Allocate']],
131 description
=> "Update authentication server settings.",
133 parameters
=> PVE
::Auth
::Plugin-
>updateSchema(),
134 returns
=> { type
=> 'null' },
138 PVE
::Auth
::Plugin
::lock_domain_config
(
141 my $cfg = cfs_read_file
($domainconfigfile);
142 my $ids = $cfg->{ids
};
144 my $digest = extract_param
($param, 'digest');
145 PVE
::SectionConfig
::assert_if_modified
($cfg, $digest);
147 my $realm = extract_param
($param, 'realm');
149 die "domain '$realm' does not exist\n"
152 my $delete_str = extract_param
($param, 'delete');
153 die "no options specified\n" if !$delete_str && !scalar(keys %$param);
155 foreach my $opt (PVE
::Tools
::split_list
($delete_str)) {
156 delete $ids->{$realm}->{$opt};
159 my $plugin = PVE
::Auth
::Plugin-
>lookup($ids->{$realm}->{type
});
160 my $config = $plugin->check_config($realm, $param, 0, 1);
162 if ($config->{default}) {
163 foreach my $r (keys %$ids) {
164 delete $ids->{$r}->{default};
168 foreach my $p (keys %$config) {
169 $ids->{$realm}->{$p} = $config->{$p};
172 cfs_write_file
($domainconfigfile, $cfg);
173 }, "update auth server failed");
178 # fixme: return format!
179 __PACKAGE__-
>register_method ({
183 description
=> "Get auth server configuration.",
185 check
=> ['perm', '/access/realm', ['Realm.Allocate', 'Sys.Audit'], any
=> 1],
188 additionalProperties
=> 0,
190 realm
=> get_standard_option
('realm'),
197 my $cfg = cfs_read_file
($domainconfigfile);
199 my $realm = $param->{realm
};
201 my $data = $cfg->{ids
}->{$realm};
202 die "domain '$realm' does not exist\n" if !$data;
204 $data->{digest
} = $cfg->{digest
};
210 __PACKAGE__-
>register_method ({
215 check
=> ['perm', '/access/realm', ['Realm.Allocate']],
217 description
=> "Delete an authentication server.",
220 additionalProperties
=> 0,
222 realm
=> get_standard_option
('realm'),
225 returns
=> { type
=> 'null' },
229 PVE
::Auth
::Plugin
::lock_domain_config
(
232 my $cfg = cfs_read_file
($domainconfigfile);
233 my $ids = $cfg->{ids
};
235 my $realm = $param->{realm
};
237 die "domain '$realm' does not exist\n" if !$ids->{$realm};
239 delete $ids->{$realm};
241 cfs_write_file
($domainconfigfile, $cfg);
242 }, "delete auth server failed");