]> git.proxmox.com Git - pve-access-control.git/blob - PVE/API2/Domains.pm
projects / pve-access-control.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
api: realm sync: cleanup code and refactor
[pve-access-control.git] / PVE / API2 / Domains.pm
1 package PVE::API2::Domains;
2
3 use strict;
4 use warnings;
5 use PVE::Exception qw(raise_param_exc);
6 use PVE::Tools qw(extract_param);
7 use PVE::Cluster qw (cfs_read_file cfs_write_file);
8 use PVE::AccessControl;
9 use PVE::JSONSchema qw(get_standard_option);
10
11 use PVE::SafeSyslog;
12 use PVE::RESTHandler;
13 use PVE::Auth::Plugin;
14
15 my $domainconfigfile = "domains.cfg";
16
17 use base qw(PVE::RESTHandler);
18
19 __PACKAGE__->register_method ({
20 name => 'index',
21 path => '',
22 method => 'GET',
23 description => "Authentication domain index.",
24 permissions => {
25 description => "Anyone can access that, because we need that list for the login box (before the user is authenticated).",
26 user => 'world',
27 },
28 parameters => {
29 additionalProperties => 0,
30 properties => {},
31 },
32 returns => {
33 type => 'array',
34 items => {
35 type => "object",
36 properties => {
37 realm => { type => 'string' },
38 type => { type => 'string' },
39 tfa => {
40 description => "Two-factor authentication provider.",
41 type => 'string',
42 enum => [ 'yubico', 'oath' ],
43 optional => 1,
44 },
45 comment => {
46 description => "A comment. The GUI use this text when you select a domain (Realm) on the login window.",
47 type => 'string',
48 optional => 1,
49 },
50 },
51 },
52 links => [ { rel => 'child', href => "{realm}" } ],
53 },
54 code => sub {
55 my ($param) = @_;
56
57 my $res = [];
58
59 my $cfg = cfs_read_file($domainconfigfile);
60 my $ids = $cfg->{ids};
61
62 foreach my $realm (keys %$ids) {
63 my $d = $ids->{$realm};
64 my $entry = { realm => $realm, type => $d->{type} };
65 $entry->{comment} = $d->{comment} if $d->{comment};
66 $entry->{default} = 1 if $d->{default};
67 if ($d->{tfa} && (my $tfa_cfg = PVE::Auth::Plugin::parse_tfa_config($d->{tfa}))) {
68 $entry->{tfa} = $tfa_cfg->{type};
69 }
70 push @$res, $entry;
71 }
72
73 return $res;
74 }});
75
76 __PACKAGE__->register_method ({
77 name => 'create',
78 protected => 1,
79 path => '',
80 method => 'POST',
81 permissions => {
82 check => ['perm', '/access/realm', ['Realm.Allocate']],
83 },
84 description => "Add an authentication server.",
85 parameters => PVE::Auth::Plugin->createSchema(),
86 returns => { type => 'null' },
87 code => sub {
88 my ($param) = @_;
89
90 PVE::Auth::Plugin::lock_domain_config(
91 sub {
92
93 my $cfg = cfs_read_file($domainconfigfile);
94 my $ids = $cfg->{ids};
95
96 my $realm = extract_param($param, 'realm');
97 my $type = $param->{type};
98
99 die "domain '$realm' already exists\n"
100 if $ids->{$realm};
101
102 die "unable to use reserved name '$realm'\n"
103 if ($realm eq 'pam' || $realm eq 'pve');
104
105 die "unable to create builtin type '$type'\n"
106 if ($type eq 'pam' || $type eq 'pve');
107
108 my $plugin = PVE::Auth::Plugin->lookup($type);
109 my $config = $plugin->check_config($realm, $param, 1, 1);
110
111 if ($config->{default}) {
112 foreach my $r (keys %$ids) {
113 delete $ids->{$r}->{default};
114 }
115 }
116
117 $ids->{$realm} = $config;
118
119 cfs_write_file($domainconfigfile, $cfg);
120 }, "add auth server failed");
121
122 return undef;
123 }});
124
125 __PACKAGE__->register_method ({
126 name => 'update',
127 path => '{realm}',
128 method => 'PUT',
129 permissions => {
130 check => ['perm', '/access/realm', ['Realm.Allocate']],
131 },
132 description => "Update authentication server settings.",
133 protected => 1,
134 parameters => PVE::Auth::Plugin->updateSchema(),
135 returns => { type => 'null' },
136 code => sub {
137 my ($param) = @_;
138
139 PVE::Auth::Plugin::lock_domain_config(
140 sub {
141
142 my $cfg = cfs_read_file($domainconfigfile);
143 my $ids = $cfg->{ids};
144
145 my $digest = extract_param($param, 'digest');
146 PVE::SectionConfig::assert_if_modified($cfg, $digest);
147
148 my $realm = extract_param($param, 'realm');
149
150 die "domain '$realm' does not exist\n"
151 if !$ids->{$realm};
152
153 my $delete_str = extract_param($param, 'delete');
154 die "no options specified\n" if !$delete_str && !scalar(keys %$param);
155
156 foreach my $opt (PVE::Tools::split_list($delete_str)) {
157 delete $ids->{$realm}->{$opt};
158 }
159
160 my $plugin = PVE::Auth::Plugin->lookup($ids->{$realm}->{type});
161 my $config = $plugin->check_config($realm, $param, 0, 1);
162
163 if ($config->{default}) {
164 foreach my $r (keys %$ids) {
165 delete $ids->{$r}->{default};
166 }
167 }
168
169 foreach my $p (keys %$config) {
170 $ids->{$realm}->{$p} = $config->{$p};
171 }
172
173 cfs_write_file($domainconfigfile, $cfg);
174 }, "update auth server failed");
175
176 return undef;
177 }});
178
179 # fixme: return format!
180 __PACKAGE__->register_method ({
181 name => 'read',
182 path => '{realm}',
183 method => 'GET',
184 description => "Get auth server configuration.",
185 permissions => {
186 check => ['perm', '/access/realm', ['Realm.Allocate', 'Sys.Audit'], any => 1],
187 },
188 parameters => {
189 additionalProperties => 0,
190 properties => {
191 realm => get_standard_option('realm'),
192 },
193 },
194 returns => {},
195 code => sub {
196 my ($param) = @_;
197
198 my $cfg = cfs_read_file($domainconfigfile);
199
200 my $realm = $param->{realm};
201
202 my $data = $cfg->{ids}->{$realm};
203 die "domain '$realm' does not exist\n" if !$data;
204
205 $data->{digest} = $cfg->{digest};
206
207 return $data;
208 }});
209
210
211 __PACKAGE__->register_method ({
212 name => 'delete',
213 path => '{realm}',
214 method => 'DELETE',
215 permissions => {
216 check => ['perm', '/access/realm', ['Realm.Allocate']],
217 },
218 description => "Delete an authentication server.",
219 protected => 1,
220 parameters => {
221 additionalProperties => 0,
222 properties => {
223 realm => get_standard_option('realm'),
224 }
225 },
226 returns => { type => 'null' },
227 code => sub {
228 my ($param) = @_;
229
230 PVE::Auth::Plugin::lock_domain_config(
231 sub {
232
233 my $cfg = cfs_read_file($domainconfigfile);
234 my $ids = $cfg->{ids};
235
236 my $realm = $param->{realm};
237
238 die "domain '$realm' does not exist\n" if !$ids->{$realm};
239
240 delete $ids->{$realm};
241
242 cfs_write_file($domainconfigfile, $cfg);
243 }, "delete auth server failed");
244
245 return undef;
246 }});
247
248 __PACKAGE__->register_method ({
249 name => 'sync',
250 path => '{realm}/sync',
251 method => 'POST',
252 permissions => {
253 description => "'Realm.AllocateUser' on '/access/realm/<realm>' and "
254 ." 'User.Modify' permissions to '/access/groups/'.",
255 check => [ 'and',
256 [ 'userid-param', 'Realm.AllocateUser' ],
257 [ 'userid-group', ['User.Modify'] ],
258 ],
259 },
260 description => "Syncs users and/or groups from the configured LDAP to user.cfg."
261 ." NOTE: Synced groups will have the name 'name-\$realm', so make sure"
262 ." those groups do not exist to prevent overwriting.",
263 protected => 1,
264 parameters => {
265 additionalProperties => 0,
266 properties => {
267 realm => get_standard_option('realm'),
268 scope => {
269 description => "Select what to sync.",
270 type => 'string',
271 enum => [qw(users groups both)],
272 },
273 full => {
274 description => "If set, uses the LDAP Directory as source of truth, ".
275 "deleting all information not contained there. ".
276 "Otherwise only syncs information set explicitly.",
277 type => 'boolean',
278 },
279 enable => {
280 description => "Enable newly synced users.",
281 type => 'boolean',
282 },
283 purge => {
284 description => "Remove ACLs for users/groups that were removed from the config.",
285 type => 'boolean',
286 },
287 }
288 },
289 returns => {
290 description => 'Worker Task-UPID',
291 type => 'string'
292 },
293 code => sub {
294 my ($param) = @_;
295
296 my $rpcenv = PVE::RPCEnvironment::get();
297 my $authuser = $rpcenv->get_user();
298
299 my $realm = $param->{realm};
300 my $cfg = cfs_read_file($domainconfigfile);
301 my $realmconfig = $cfg->{ids}->{$realm};
302
303 raise_param_exc({ 'realm' => 'Realm does not exist.' }) if !defined($realmconfig);
304 my $type = $realmconfig->{type};
305
306 if ($type ne 'ldap' && $type ne 'ad') {
307 die "Cannot sync realm type '$type'! Only LDAP/AD realms can be synced.\n";
308 }
309
310
311 my $scope = $param->{scope};
312 my $whatstring = $scope eq 'both' ? "users and groups" : $scope;
313
314 my $plugin = PVE::Auth::Plugin->lookup($type);
315
316 my $worker = sub {
317 print "starting sync for realm $realm\n";
318
319 my ($synced_users, $dnmap) = $plugin->get_users($realmconfig, $realm);
320 my $synced_groups = {};
321 if ($scope eq 'groups' || $scope eq 'both') {
322 $synced_groups = $plugin->get_groups($realmconfig, $realm, $dnmap);
323 }
324
325 PVE::AccessControl::lock_user_config(sub {
326 my $usercfg = cfs_read_file("user.cfg");
327 print "got data from server, updating $whatstring\n";
328
329 if ($sync_users) {
330 print "syncing users\n";
331 my $oldusers = $usercfg->{users};
332
333 my $oldtokens = {};
334 my $oldenabled = {};
335
336 if ($param->{full}) {
337 print "full sync, deleting existing users first\n";
338 foreach my $userid (keys %$oldusers) {
339 next if $userid !~ m/\@$realm$/;
340 # we save the old tokens
341 $oldtokens->{$userid} = $oldusers->{$userid}->{tokens};
342 $oldenabled->{$userid} = $oldusers->{$userid}->{enable} // 0;
343 delete $oldusers->{$userid};
344 PVE::AccessControl::delete_user_acl($userid, $usercfg)
345 if $param->{purge} && !$users->{$userid};
346 print "removed user '$userid'\n";
347 }
348 }
349
350 foreach my $userid (keys %$users) {
351 my $user = $users->{$userid};
352 if (!defined($oldusers->{$userid})) {
353 $oldusers->{$userid} = $user;
354
355 if (defined($oldenabled->{$userid})) {
356 $oldusers->{$userid}->{enable} = $oldenabled->{$userid};
357 } elsif ($param->{enable}) {
358 $oldusers->{$userid}->{enable} = 1;
359 }
360
361 if (defined($oldtokens->{$userid})) {
362 $oldusers->{$userid}->{tokens} = $oldtokens->{$userid};
363 }
364
365 print "added user '$userid'\n";
366 } else {
367 my $olduser = $oldusers->{$userid};
368 foreach my $attr (keys %$user) {
369 $olduser->{$attr} = $user->{$attr};
370 }
371 print "updated user '$userid'\n";
372 }
373 }
374 }
375
376 if ($sync_groups) {
377 print "syncing groups\n";
378 my $oldgroups = $usercfg->{groups};
379
380 if ($param->{full}) {
381 print "full sync, deleting existing groups first\n";
382 foreach my $groupid (keys %$oldgroups) {
383 next if $groupid !~ m/\-$realm$/;
384 delete $oldgroups->{$groupid};
385 PVE::AccessControl::delete_group_acl($groupid, $usercfg)
386 if $param->{purge} && !$groups->{$groupid};
387 print "removed group '$groupid'\n";
388 }
389 }
390
391 foreach my $groupid (keys %$groups) {
392 my $group = $groups->{$groupid};
393 if (!defined($oldgroups->{$groupid})) {
394 $oldgroups->{$groupid} = $group;
395 print "added group '$groupid'\n";
396 } else {
397 my $oldgroup = $oldgroups->{$groupid};
398 foreach my $attr (keys %$group) {
399 $oldgroup->{$attr} = $group->{$attr};
400 }
401 print "updated group '$groupid'\n";
402 }
403 }
404 }
405
406 cfs_write_file("user.cfg", $usercfg);
407 print "successfully updated $whatstring configuration\n";
408 }, "syncing $whatstring failed");
409 };
410
411 return $rpcenv->fork_worker('ldapsync', $realm, $authuser, $worker);
412 }});
413
414 1;
Access control framework