1 package PVE
::API2
::Domains
;
5 use PVE
::Tools
qw(extract_param);
6 use PVE
::Cluster qw
(cfs_read_file cfs_write_file
);
7 use PVE
::AccessControl
;
8 use PVE
::JSONSchema
qw(get_standard_option);
12 use PVE
::Auth
::Plugin
;
14 my $domainconfigfile = "domains.cfg";
16 use base
qw(PVE::RESTHandler);
18 __PACKAGE__-
>register_method ({
22 description
=> "Authentication domain index.",
24 description
=> "Anyone can access that, because we need that list for the login box (before the user is authenticated).",
28 additionalProperties
=> 0,
36 realm
=> { type
=> 'string' },
38 description
=> "Two-factor authentication provider.",
40 enum
=> [ 'yubico', 'oath' ],
43 comment
=> { type
=> 'string', optional
=> 1 },
44 comment
=> { type
=> 'string', optional
=> 1 },
47 links
=> [ { rel
=> 'child', href
=> "{realm}" } ],
54 my $cfg = cfs_read_file
($domainconfigfile);
55 my $ids = $cfg->{ids
};
57 foreach my $realm (keys %$ids) {
58 my $d = $ids->{$realm};
59 my $entry = { realm
=> $realm, type
=> $d->{type
} };
60 $entry->{comment
} = $d->{comment
} if $d->{comment
};
61 $entry->{default} = 1 if $d->{default};
62 if ($d->{tfa
} && (my $tfa_cfg = PVE
::Auth
::Plugin
::parse_tfa_config
($d->{tfa
}))) {
63 $entry->{tfa
} = $tfa_cfg->{type
};
71 __PACKAGE__-
>register_method ({
77 check
=> ['perm', '/access/realm', ['Realm.Allocate']],
79 description
=> "Add an authentication server.",
80 parameters
=> PVE
::Auth
::Plugin-
>createSchema(),
81 returns
=> { type
=> 'null' },
85 PVE
::Auth
::Plugin
::lock_domain_config
(
88 my $cfg = cfs_read_file
($domainconfigfile);
89 my $ids = $cfg->{ids
};
91 my $realm = extract_param
($param, 'realm');
92 my $type = $param->{type
};
94 die "domain '$realm' already exists\n"
97 die "unable to use reserved name '$realm'\n"
98 if ($realm eq 'pam' || $realm eq 'pve');
100 die "unable to create builtin type '$type'\n"
101 if ($type eq 'pam' || $type eq 'pve');
103 my $plugin = PVE
::Auth
::Plugin-
>lookup($type);
104 my $config = $plugin->check_config($realm, $param, 1, 1);
106 if ($config->{default}) {
107 foreach my $r (keys %$ids) {
108 delete $ids->{$r}->{default};
112 $ids->{$realm} = $config;
114 cfs_write_file
($domainconfigfile, $cfg);
115 }, "add auth server failed");
120 __PACKAGE__-
>register_method ({
125 check
=> ['perm', '/access/realm', ['Realm.Allocate']],
127 description
=> "Update authentication server settings.",
129 parameters
=> PVE
::Auth
::Plugin-
>updateSchema(),
130 returns
=> { type
=> 'null' },
134 PVE
::Auth
::Plugin
::lock_domain_config
(
137 my $cfg = cfs_read_file
($domainconfigfile);
138 my $ids = $cfg->{ids
};
140 my $digest = extract_param
($param, 'digest');
141 PVE
::SectionConfig
::assert_if_modified
($cfg, $digest);
143 my $realm = extract_param
($param, 'realm');
145 die "domain '$realm' does not exist\n"
148 my $delete_str = extract_param
($param, 'delete');
149 die "no options specified\n" if !$delete_str && !scalar(keys %$param);
151 foreach my $opt (PVE
::Tools
::split_list
($delete_str)) {
152 delete $ids->{$realm}->{$opt};
155 my $plugin = PVE
::Auth
::Plugin-
>lookup($ids->{$realm}->{type
});
156 my $config = $plugin->check_config($realm, $param, 0, 1);
158 if ($config->{default}) {
159 foreach my $r (keys %$ids) {
160 delete $ids->{$r}->{default};
164 foreach my $p (keys %$config) {
165 $ids->{$realm}->{$p} = $config->{$p};
168 cfs_write_file
($domainconfigfile, $cfg);
169 }, "update auth server failed");
174 # fixme: return format!
175 __PACKAGE__-
>register_method ({
179 description
=> "Get auth server configuration.",
181 check
=> ['perm', '/access/realm', ['Realm.Allocate', 'Sys.Audit'], any
=> 1],
184 additionalProperties
=> 0,
186 realm
=> get_standard_option
('realm'),
193 my $cfg = cfs_read_file
($domainconfigfile);
195 my $realm = $param->{realm
};
197 my $data = $cfg->{ids
}->{$realm};
198 die "domain '$realm' does not exist\n" if !$data;
200 $data->{digest
} = $cfg->{digest
};
206 __PACKAGE__-
>register_method ({
211 check
=> ['perm', '/access/realm', ['Realm.Allocate']],
213 description
=> "Delete an authentication server.",
216 additionalProperties
=> 0,
218 realm
=> get_standard_option
('realm'),
221 returns
=> { type
=> 'null' },
225 PVE
::Auth
::Plugin
::lock_domain_config
(
228 my $cfg = cfs_read_file
($domainconfigfile);
229 my $ids = $cfg->{ids
};
231 my $realm = $param->{realm
};
233 die "domain '$realm' does not exist\n" if !$ids->{$realm};
235 delete $ids->{$realm};
237 cfs_write_file
($domainconfigfile, $cfg);
238 }, "delete auth server failed");