1 package PVE
::API2
::Domains
;
5 use PVE
::Tools
qw(extract_param);
6 use PVE
::Cluster qw
(cfs_read_file cfs_write_file
);
7 use PVE
::AccessControl
;
8 use PVE
::JSONSchema
qw(get_standard_option);
12 use PVE
::Auth
::Plugin
;
14 my $domainconfigfile = "domains.cfg";
16 use base
qw(PVE::RESTHandler);
18 __PACKAGE__-
>register_method ({
22 description
=> "Authentication domain index.",
24 description
=> "Anyone can access that, because we need that list for the login box (before the user is authenticated).",
28 additionalProperties
=> 0,
36 realm
=> { type
=> 'string' },
38 description
=> "Two-factor authentication provider.",
40 enum
=> [ 'yubico', 'oath' ],
44 description
=> "A comment. The GUI use this text when you select a domain (Realm) on the login window.",
50 links
=> [ { rel
=> 'child', href
=> "{realm}" } ],
57 my $cfg = cfs_read_file
($domainconfigfile);
58 my $ids = $cfg->{ids
};
60 foreach my $realm (keys %$ids) {
61 my $d = $ids->{$realm};
62 my $entry = { realm
=> $realm, type
=> $d->{type
} };
63 $entry->{comment
} = $d->{comment
} if $d->{comment
};
64 $entry->{default} = 1 if $d->{default};
65 if ($d->{tfa
} && (my $tfa_cfg = PVE
::Auth
::Plugin
::parse_tfa_config
($d->{tfa
}))) {
66 $entry->{tfa
} = $tfa_cfg->{type
};
74 __PACKAGE__-
>register_method ({
80 check
=> ['perm', '/access/realm', ['Realm.Allocate']],
82 description
=> "Add an authentication server.",
83 parameters
=> PVE
::Auth
::Plugin-
>createSchema(),
84 returns
=> { type
=> 'null' },
88 PVE
::Auth
::Plugin
::lock_domain_config
(
91 my $cfg = cfs_read_file
($domainconfigfile);
92 my $ids = $cfg->{ids
};
94 my $realm = extract_param
($param, 'realm');
95 my $type = $param->{type
};
97 die "domain '$realm' already exists\n"
100 die "unable to use reserved name '$realm'\n"
101 if ($realm eq 'pam' || $realm eq 'pve');
103 die "unable to create builtin type '$type'\n"
104 if ($type eq 'pam' || $type eq 'pve');
106 my $plugin = PVE
::Auth
::Plugin-
>lookup($type);
107 my $config = $plugin->check_config($realm, $param, 1, 1);
109 if ($config->{default}) {
110 foreach my $r (keys %$ids) {
111 delete $ids->{$r}->{default};
115 $ids->{$realm} = $config;
117 cfs_write_file
($domainconfigfile, $cfg);
118 }, "add auth server failed");
123 __PACKAGE__-
>register_method ({
128 check
=> ['perm', '/access/realm', ['Realm.Allocate']],
130 description
=> "Update authentication server settings.",
132 parameters
=> PVE
::Auth
::Plugin-
>updateSchema(),
133 returns
=> { type
=> 'null' },
137 PVE
::Auth
::Plugin
::lock_domain_config
(
140 my $cfg = cfs_read_file
($domainconfigfile);
141 my $ids = $cfg->{ids
};
143 my $digest = extract_param
($param, 'digest');
144 PVE
::SectionConfig
::assert_if_modified
($cfg, $digest);
146 my $realm = extract_param
($param, 'realm');
148 die "domain '$realm' does not exist\n"
151 my $delete_str = extract_param
($param, 'delete');
152 die "no options specified\n" if !$delete_str && !scalar(keys %$param);
154 foreach my $opt (PVE
::Tools
::split_list
($delete_str)) {
155 delete $ids->{$realm}->{$opt};
158 my $plugin = PVE
::Auth
::Plugin-
>lookup($ids->{$realm}->{type
});
159 my $config = $plugin->check_config($realm, $param, 0, 1);
161 if ($config->{default}) {
162 foreach my $r (keys %$ids) {
163 delete $ids->{$r}->{default};
167 foreach my $p (keys %$config) {
168 $ids->{$realm}->{$p} = $config->{$p};
171 cfs_write_file
($domainconfigfile, $cfg);
172 }, "update auth server failed");
177 # fixme: return format!
178 __PACKAGE__-
>register_method ({
182 description
=> "Get auth server configuration.",
184 check
=> ['perm', '/access/realm', ['Realm.Allocate', 'Sys.Audit'], any
=> 1],
187 additionalProperties
=> 0,
189 realm
=> get_standard_option
('realm'),
196 my $cfg = cfs_read_file
($domainconfigfile);
198 my $realm = $param->{realm
};
200 my $data = $cfg->{ids
}->{$realm};
201 die "domain '$realm' does not exist\n" if !$data;
203 $data->{digest
} = $cfg->{digest
};
209 __PACKAGE__-
>register_method ({
214 check
=> ['perm', '/access/realm', ['Realm.Allocate']],
216 description
=> "Delete an authentication server.",
219 additionalProperties
=> 0,
221 realm
=> get_standard_option
('realm'),
224 returns
=> { type
=> 'null' },
228 PVE
::Auth
::Plugin
::lock_domain_config
(
231 my $cfg = cfs_read_file
($domainconfigfile);
232 my $ids = $cfg->{ids
};
234 my $realm = $param->{realm
};
236 die "domain '$realm' does not exist\n" if !$ids->{$realm};
238 delete $ids->{$realm};
240 cfs_write_file
($domainconfigfile, $cfg);
241 }, "delete auth server failed");