PVE/API2/Domains.pm

   1 package PVE::API2::Domains;
   2
   3 use strict;
   4 use warnings;
   5 use PVE::Tools qw(extract_param);
   6 use PVE::Cluster qw (cfs_read_file cfs_write_file);
   7 use PVE::AccessControl;
   8 use PVE::JSONSchema qw(get_standard_option);
   9
  10 use PVE::SafeSyslog;
  11 use PVE::RESTHandler;
  12 use PVE::Auth::Plugin;
  13
  14 my $domainconfigfile = "domains.cfg";
  15
  16 use base qw(PVE::RESTHandler);
  17
  18 __PACKAGE__->register_method ({
  19     name => 'index',
  20     path => '',
  21     method => 'GET',
  22     description => "Authentication domain index.",
  23     permissions => {
  24         description => "Anyone can access that, because we need that list for the login box (before the user is authenticated).",
  25         user => 'world',
  26     },
  27     parameters => {
  28         additionalProperties => 0,
  29         properties => {},
  30     },
  31     returns => {
  32         type => 'array',
  33         items => {
  34             type => "object",
  35             properties => {
  36                 realm => { type => 'string' },
  37                 tfa => {
  38                     description => "Two-factor authentication provider.",
  39                     type => 'string',
  40                     enum => [ 'yubico' ],
  41                     optional => 1,
  42                 },
  43                 comment => { type => 'string', optional => 1 },
  44                 comment => { type => 'string', optional => 1 },
  45             },
  46         },
  47         links => [ { rel => 'child', href => "{realm}" } ],
  48     },
  49     code => sub {
  50         my ($param) = @_;
  51
  52         my $res = [];
  53
  54         my $cfg = cfs_read_file($domainconfigfile);
  55         my $ids = $cfg->{ids};
  56
  57         foreach my $realm (keys %$ids) {
  58             my $d = $ids->{$realm};
  59             my $entry = { realm => $realm, type => $d->{type} };
  60             $entry->{comment} = $d->{comment} if $d->{comment};
  61             $entry->{default} = 1 if $d->{default};
  62             if ($d->{tfa} && (my $tfa_cfg = PVE::Auth::Plugin::parse_tfa_config($d->{tfa}))) {
  63                 $entry->{tfa} = $tfa_cfg->{type};
  64             }
  65             push @$res, $entry;
  66         }
  67
  68         return $res;
  69     }});
  70
  71 __PACKAGE__->register_method ({
  72     name => 'create',
  73     protected => 1,
  74     path => '',
  75     method => 'POST',
  76     permissions => {
  77         check => ['perm', '/access/realm', ['Realm.Allocate']],
  78     },
  79     description => "Add an authentication server.",
  80     parameters => PVE::Auth::Plugin->createSchema(),
  81     returns => { type => 'null' },
  82     code => sub {
  83         my ($param) = @_;
  84
  85         PVE::Auth::Plugin::lock_domain_config(
  86             sub {
  87
  88                 my $cfg = cfs_read_file($domainconfigfile);
  89                 my $ids = $cfg->{ids};
  90
  91                 my $realm = extract_param($param, 'realm');
  92                 my $type = $param->{type};
  93
  94                 die "domain '$realm' already exists\n"
  95                     if $ids->{$realm};
  96
  97                 die "unable to use reserved name '$realm'\n"
  98                     if ($realm eq 'pam' || $realm eq 'pve');
  99
 100                 die "unable to create builtin type '$type'\n"
 101                     if ($type eq 'pam' || $type eq 'pve');
 102
 103                 my $plugin = PVE::Auth::Plugin->lookup($type);
 104                 my $config = $plugin->check_config($realm, $param, 1, 1);
 105
 106                 if ($config->{default}) {
 107                     foreach my $r (keys %$ids) {
 108                         delete $ids->{$r}->{default};
 109                     }
 110                 }
 111
 112                 $ids->{$realm} = $config;
 113
 114                 cfs_write_file($domainconfigfile, $cfg);
 115             }, "add auth server failed");
 116
 117         return undef;
 118     }});
 119
 120 __PACKAGE__->register_method ({
 121     name => 'update',
 122     path => '{realm}',
 123     method => 'PUT',
 124     permissions => {
 125         check => ['perm', '/access/realm', ['Realm.Allocate']],
 126     },
 127     description => "Update authentication server settings.",
 128     protected => 1,
 129     parameters => PVE::Auth::Plugin->updateSchema(),
 130     returns => { type => 'null' },
 131     code => sub {
 132         my ($param) = @_;
 133
 134         PVE::Auth::Plugin::lock_domain_config(
 135             sub {
 136
 137                 my $cfg = cfs_read_file($domainconfigfile);
 138                 my $ids = $cfg->{ids};
 139
 140                 my $digest = extract_param($param, 'digest');
 141                 PVE::SectionConfig::assert_if_modified($cfg, $digest);
 142
 143                 my $realm = extract_param($param, 'realm');
 144
 145                 die "unable to modify bultin domain '$realm'\n"
 146                     if ($realm eq 'pam' || $realm eq 'pve');
 147
 148                 die "domain '$realm' does not exist\n"
 149                     if !$ids->{$realm};
 150
 151                 my $delete_str = extract_param($param, 'delete');
 152                 die "no options specified\n" if !$delete_str && !scalar(keys %$param);
 153
 154                 foreach my $opt (PVE::Tools::split_list($delete_str)) {
 155                     delete $ids->{$realm}->{$opt};
 156                 }
 157
 158                 my $plugin = PVE::Auth::Plugin->lookup($ids->{$realm}->{type});
 159                 my $config = $plugin->check_config($realm, $param, 0, 1);
 160
 161                 if ($config->{default}) {
 162                     foreach my $r (keys %$ids) {
 163                         delete $ids->{$r}->{default};
 164                     }
 165                 }
 166
 167                 foreach my $p (keys %$config) {
 168                     $ids->{$realm}->{$p} = $config->{$p};
 169                 }
 170
 171                 cfs_write_file($domainconfigfile, $cfg);
 172             }, "update auth server failed");
 173
 174         return undef;
 175     }});
 176
 177 # fixme: return format!
 178 __PACKAGE__->register_method ({
 179     name => 'read',
 180     path => '{realm}',
 181     method => 'GET',
 182     description => "Get auth server configuration.",
 183     permissions => {
 184         check => ['perm', '/access/realm', ['Realm.Allocate', 'Sys.Audit'], any => 1],
 185     },
 186     parameters => {
 187         additionalProperties => 0,
 188         properties => {
 189             realm =>  get_standard_option('realm'),
 190         },
 191     },
 192     returns => {},
 193     code => sub {
 194         my ($param) = @_;
 195
 196         my $cfg = cfs_read_file($domainconfigfile);
 197
 198         my $realm = $param->{realm};
 199
 200         my $data = $cfg->{ids}->{$realm};
 201         die "domain '$realm' does not exist\n" if !$data;
 202
 203         $data->{digest} = $cfg->{digest};
 204
 205         return $data;
 206     }});
 207
 208
 209 __PACKAGE__->register_method ({
 210     name => 'delete',
 211     path => '{realm}',
 212     method => 'DELETE',
 213     permissions => {
 214         check => ['perm', '/access/realm', ['Realm.Allocate']],
 215     },
 216     description => "Delete an authentication server.",
 217     protected => 1,
 218     parameters => {
 219         additionalProperties => 0,
 220         properties => {
 221             realm =>  get_standard_option('realm'),
 222         }
 223     },
 224     returns => { type => 'null' },
 225     code => sub {
 226         my ($param) = @_;
 227
 228         PVE::Auth::Plugin::lock_domain_config(
 229             sub {
 230
 231                 my $cfg = cfs_read_file($domainconfigfile);
 232                 my $ids = $cfg->{ids};
 233
 234                 my $realm = $param->{realm};
 235
 236                 die "domain '$realm' does not exist\n" if !$ids->{$realm};
 237
 238                 delete $ids->{$realm};
 239
 240                 cfs_write_file($domainconfigfile, $cfg);
 241             }, "delete auth server failed");
 242
 243         return undef;
 244     }});
 245
 246 1;