bump version to 7.2-5
[pve-access-control.git] / PVE / API2 / Domains.pm
1 package PVE::API2::Domains;
2
3 use strict;
4 use warnings;
5 use PVE::Tools qw(extract_param);
6 use PVE::Cluster qw (cfs_read_file cfs_write_file);
7 use PVE::AccessControl;
8 use PVE::JSONSchema qw(get_standard_option);
9
10 use PVE::SafeSyslog;
11 use PVE::RESTHandler;
12 use PVE::Auth::Plugin;
13
14 my $domainconfigfile = "domains.cfg";
15
16 use base qw(PVE::RESTHandler);
17
18 __PACKAGE__->register_method ({
19 name => 'index',
20 path => '',
21 method => 'GET',
22 description => "Authentication domain index.",
23 permissions => {
24 description => "Anyone can access that, because we need that list for the login box (before the user is authenticated).",
25 user => 'world',
26 },
27 parameters => {
28 additionalProperties => 0,
29 properties => {},
30 },
31 returns => {
32 type => 'array',
33 items => {
34 type => "object",
35 properties => {
36 realm => { type => 'string' },
37 tfa => {
38 description => "Two-factor authentication provider.",
39 type => 'string',
40 enum => [ 'yubico', 'oath' ],
41 optional => 1,
42 },
43 comment => {
44 description => "A comment. The GUI use this text when you select a domain (Realm) on the login window.",
45 type => 'string',
46 optional => 1,
47 },
48 },
49 },
50 links => [ { rel => 'child', href => "{realm}" } ],
51 },
52 code => sub {
53 my ($param) = @_;
54
55 my $res = [];
56
57 my $cfg = cfs_read_file($domainconfigfile);
58 my $ids = $cfg->{ids};
59
60 foreach my $realm (keys %$ids) {
61 my $d = $ids->{$realm};
62 my $entry = { realm => $realm, type => $d->{type} };
63 $entry->{comment} = $d->{comment} if $d->{comment};
64 $entry->{default} = 1 if $d->{default};
65 if ($d->{tfa} && (my $tfa_cfg = PVE::Auth::Plugin::parse_tfa_config($d->{tfa}))) {
66 $entry->{tfa} = $tfa_cfg->{type};
67 }
68 push @$res, $entry;
69 }
70
71 return $res;
72 }});
73
74 __PACKAGE__->register_method ({
75 name => 'create',
76 protected => 1,
77 path => '',
78 method => 'POST',
79 permissions => {
80 check => ['perm', '/access/realm', ['Realm.Allocate']],
81 },
82 description => "Add an authentication server.",
83 parameters => PVE::Auth::Plugin->createSchema(),
84 returns => { type => 'null' },
85 code => sub {
86 my ($param) = @_;
87
88 PVE::Auth::Plugin::lock_domain_config(
89 sub {
90
91 my $cfg = cfs_read_file($domainconfigfile);
92 my $ids = $cfg->{ids};
93
94 my $realm = extract_param($param, 'realm');
95 my $type = $param->{type};
96
97 die "domain '$realm' already exists\n"
98 if $ids->{$realm};
99
100 die "unable to use reserved name '$realm'\n"
101 if ($realm eq 'pam' || $realm eq 'pve');
102
103 die "unable to create builtin type '$type'\n"
104 if ($type eq 'pam' || $type eq 'pve');
105
106 my $plugin = PVE::Auth::Plugin->lookup($type);
107 my $config = $plugin->check_config($realm, $param, 1, 1);
108
109 if ($config->{default}) {
110 foreach my $r (keys %$ids) {
111 delete $ids->{$r}->{default};
112 }
113 }
114
115 $ids->{$realm} = $config;
116
117 cfs_write_file($domainconfigfile, $cfg);
118 }, "add auth server failed");
119
120 return undef;
121 }});
122
123 __PACKAGE__->register_method ({
124 name => 'update',
125 path => '{realm}',
126 method => 'PUT',
127 permissions => {
128 check => ['perm', '/access/realm', ['Realm.Allocate']],
129 },
130 description => "Update authentication server settings.",
131 protected => 1,
132 parameters => PVE::Auth::Plugin->updateSchema(),
133 returns => { type => 'null' },
134 code => sub {
135 my ($param) = @_;
136
137 PVE::Auth::Plugin::lock_domain_config(
138 sub {
139
140 my $cfg = cfs_read_file($domainconfigfile);
141 my $ids = $cfg->{ids};
142
143 my $digest = extract_param($param, 'digest');
144 PVE::SectionConfig::assert_if_modified($cfg, $digest);
145
146 my $realm = extract_param($param, 'realm');
147
148 die "domain '$realm' does not exist\n"
149 if !$ids->{$realm};
150
151 my $delete_str = extract_param($param, 'delete');
152 die "no options specified\n" if !$delete_str && !scalar(keys %$param);
153
154 foreach my $opt (PVE::Tools::split_list($delete_str)) {
155 delete $ids->{$realm}->{$opt};
156 }
157
158 my $plugin = PVE::Auth::Plugin->lookup($ids->{$realm}->{type});
159 my $config = $plugin->check_config($realm, $param, 0, 1);
160
161 if ($config->{default}) {
162 foreach my $r (keys %$ids) {
163 delete $ids->{$r}->{default};
164 }
165 }
166
167 foreach my $p (keys %$config) {
168 $ids->{$realm}->{$p} = $config->{$p};
169 }
170
171 cfs_write_file($domainconfigfile, $cfg);
172 }, "update auth server failed");
173
174 return undef;
175 }});
176
177 # fixme: return format!
178 __PACKAGE__->register_method ({
179 name => 'read',
180 path => '{realm}',
181 method => 'GET',
182 description => "Get auth server configuration.",
183 permissions => {
184 check => ['perm', '/access/realm', ['Realm.Allocate', 'Sys.Audit'], any => 1],
185 },
186 parameters => {
187 additionalProperties => 0,
188 properties => {
189 realm => get_standard_option('realm'),
190 },
191 },
192 returns => {},
193 code => sub {
194 my ($param) = @_;
195
196 my $cfg = cfs_read_file($domainconfigfile);
197
198 my $realm = $param->{realm};
199
200 my $data = $cfg->{ids}->{$realm};
201 die "domain '$realm' does not exist\n" if !$data;
202
203 $data->{digest} = $cfg->{digest};
204
205 return $data;
206 }});
207
208
209 __PACKAGE__->register_method ({
210 name => 'delete',
211 path => '{realm}',
212 method => 'DELETE',
213 permissions => {
214 check => ['perm', '/access/realm', ['Realm.Allocate']],
215 },
216 description => "Delete an authentication server.",
217 protected => 1,
218 parameters => {
219 additionalProperties => 0,
220 properties => {
221 realm => get_standard_option('realm'),
222 }
223 },
224 returns => { type => 'null' },
225 code => sub {
226 my ($param) = @_;
227
228 PVE::Auth::Plugin::lock_domain_config(
229 sub {
230
231 my $cfg = cfs_read_file($domainconfigfile);
232 my $ids = $cfg->{ids};
233
234 my $realm = $param->{realm};
235
236 die "domain '$realm' does not exist\n" if !$ids->{$realm};
237
238 delete $ids->{$realm};
239
240 cfs_write_file($domainconfigfile, $cfg);
241 }, "delete auth server failed");
242
243 return undef;
244 }});
245
246 1;