1 package PVE
::API2
::Domains
;
5 use PVE
::Tools
qw(extract_param);
6 use PVE
::Cluster qw
(cfs_read_file cfs_write_file
);
7 use PVE
::AccessControl
;
8 use PVE
::JSONSchema
qw(get_standard_option);
12 use PVE
::Auth
::Plugin
;
14 my $domainconfigfile = "domains.cfg";
16 use base
qw(PVE::RESTHandler);
18 __PACKAGE__-
>register_method ({
22 description
=> "Authentication domain index.",
24 description
=> "Anyone can access that, because we need that list for the login box (before the user is authenticated).",
28 additionalProperties
=> 0,
36 realm
=> { type
=> 'string' },
38 description
=> "Two-factor authentication provider.",
43 comment
=> { type
=> 'string', optional
=> 1 },
44 comment
=> { type
=> 'string', optional
=> 1 },
47 links
=> [ { rel
=> 'child', href
=> "{realm}" } ],
54 my $cfg = cfs_read_file
($domainconfigfile);
55 my $ids = $cfg->{ids
};
57 foreach my $realm (keys %$ids) {
58 my $d = $ids->{$realm};
59 my $entry = { realm
=> $realm, type
=> $d->{type
} };
60 $entry->{comment
} = $d->{comment
} if $d->{comment
};
61 $entry->{default} = 1 if $d->{default};
62 if ($d->{tfa
} && (my $tfa_cfg = PVE
::Auth
::Plugin
::parse_tfa_config
($d->{tfa
}))) {
63 $entry->{tfa
} = $tfa_cfg->{type
};
71 __PACKAGE__-
>register_method ({
77 check
=> ['perm', '/access/realm', ['Realm.Allocate']],
79 description
=> "Add an authentication server.",
80 parameters
=> PVE
::Auth
::Plugin-
>createSchema(),
81 returns
=> { type
=> 'null' },
85 PVE
::Auth
::Plugin
::lock_domain_config
(
88 my $cfg = cfs_read_file
($domainconfigfile);
89 my $ids = $cfg->{ids
};
91 my $realm = extract_param
($param, 'realm');
92 my $type = $param->{type
};
94 die "domain '$realm' already exists\n"
97 die "unable to use reserved name '$realm'\n"
98 if ($realm eq 'pam' || $realm eq 'pve');
100 die "unable to create builtin type '$type'\n"
101 if ($type eq 'pam' || $type eq 'pve');
103 my $plugin = PVE
::Auth
::Plugin-
>lookup($type);
104 my $config = $plugin->check_config($realm, $param, 1, 1);
106 if ($config->{default}) {
107 foreach my $r (keys %$ids) {
108 delete $ids->{$r}->{default};
112 $ids->{$realm} = $config;
114 cfs_write_file
($domainconfigfile, $cfg);
115 }, "add auth server failed");
120 __PACKAGE__-
>register_method ({
125 check
=> ['perm', '/access/realm', ['Realm.Allocate']],
127 description
=> "Update authentication server settings.",
129 parameters
=> PVE
::Auth
::Plugin-
>updateSchema(),
130 returns
=> { type
=> 'null' },
134 PVE
::Auth
::Plugin
::lock_domain_config
(
137 my $cfg = cfs_read_file
($domainconfigfile);
138 my $ids = $cfg->{ids
};
140 my $digest = extract_param
($param, 'digest');
141 PVE
::SectionConfig
::assert_if_modified
($cfg, $digest);
143 my $realm = extract_param
($param, 'realm');
145 die "unable to modify bultin domain '$realm'\n"
146 if ($realm eq 'pam' || $realm eq 'pve');
148 die "domain '$realm' does not exist\n"
151 my $delete_str = extract_param
($param, 'delete');
152 die "no options specified\n" if !$delete_str && !scalar(keys %$param);
154 foreach my $opt (PVE
::Tools
::split_list
($delete_str)) {
155 delete $ids->{$realm}->{$opt};
158 my $plugin = PVE
::Auth
::Plugin-
>lookup($ids->{$realm}->{type
});
159 my $config = $plugin->check_config($realm, $param, 0, 1);
161 if ($config->{default}) {
162 foreach my $r (keys %$ids) {
163 delete $ids->{$r}->{default};
167 foreach my $p (keys %$config) {
168 $ids->{$realm}->{$p} = $config->{$p};
171 cfs_write_file
($domainconfigfile, $cfg);
172 }, "update auth server failed");
177 # fixme: return format!
178 __PACKAGE__-
>register_method ({
182 description
=> "Get auth server configuration.",
184 check
=> ['perm', '/access/realm', ['Realm.Allocate', 'Sys.Audit'], any
=> 1],
187 additionalProperties
=> 0,
189 realm
=> get_standard_option
('realm'),
196 my $cfg = cfs_read_file
($domainconfigfile);
198 my $realm = $param->{realm
};
200 my $data = $cfg->{ids
}->{$realm};
201 die "domain '$realm' does not exist\n" if !$data;
203 $data->{digest
} = $cfg->{digest
};
209 __PACKAGE__-
>register_method ({
214 check
=> ['perm', '/access/realm', ['Realm.Allocate']],
216 description
=> "Delete an authentication server.",
219 additionalProperties
=> 0,
221 realm
=> get_standard_option
('realm'),
224 returns
=> { type
=> 'null' },
228 PVE
::Auth
::Plugin
::lock_domain_config
(
231 my $cfg = cfs_read_file
($domainconfigfile);
232 my $ids = $cfg->{ids
};
234 my $realm = $param->{realm
};
236 die "domain '$realm' does not exist\n" if !$ids->{$realm};
238 delete $ids->{$realm};
240 cfs_write_file
($domainconfigfile, $cfg);
241 }, "delete auth server failed");