]> git.proxmox.com Git - pve-access-control.git/blob - PVE/API2/Domains.pm
projects / pve-access-control.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
api: realm sync: move out group and user update to separate methods
[pve-access-control.git] / PVE / API2 / Domains.pm
1 package PVE::API2::Domains;
2
3 use strict;
4 use warnings;
5 use PVE::Exception qw(raise_param_exc);
6 use PVE::Tools qw(extract_param);
7 use PVE::Cluster qw (cfs_read_file cfs_write_file);
8 use PVE::AccessControl;
9 use PVE::JSONSchema qw(get_standard_option);
10
11 use PVE::SafeSyslog;
12 use PVE::RESTHandler;
13 use PVE::Auth::Plugin;
14
15 my $domainconfigfile = "domains.cfg";
16
17 use base qw(PVE::RESTHandler);
18
19 __PACKAGE__->register_method ({
20 name => 'index',
21 path => '',
22 method => 'GET',
23 description => "Authentication domain index.",
24 permissions => {
25 description => "Anyone can access that, because we need that list for the login box (before the user is authenticated).",
26 user => 'world',
27 },
28 parameters => {
29 additionalProperties => 0,
30 properties => {},
31 },
32 returns => {
33 type => 'array',
34 items => {
35 type => "object",
36 properties => {
37 realm => { type => 'string' },
38 type => { type => 'string' },
39 tfa => {
40 description => "Two-factor authentication provider.",
41 type => 'string',
42 enum => [ 'yubico', 'oath' ],
43 optional => 1,
44 },
45 comment => {
46 description => "A comment. The GUI use this text when you select a domain (Realm) on the login window.",
47 type => 'string',
48 optional => 1,
49 },
50 },
51 },
52 links => [ { rel => 'child', href => "{realm}" } ],
53 },
54 code => sub {
55 my ($param) = @_;
56
57 my $res = [];
58
59 my $cfg = cfs_read_file($domainconfigfile);
60 my $ids = $cfg->{ids};
61
62 foreach my $realm (keys %$ids) {
63 my $d = $ids->{$realm};
64 my $entry = { realm => $realm, type => $d->{type} };
65 $entry->{comment} = $d->{comment} if $d->{comment};
66 $entry->{default} = 1 if $d->{default};
67 if ($d->{tfa} && (my $tfa_cfg = PVE::Auth::Plugin::parse_tfa_config($d->{tfa}))) {
68 $entry->{tfa} = $tfa_cfg->{type};
69 }
70 push @$res, $entry;
71 }
72
73 return $res;
74 }});
75
76 __PACKAGE__->register_method ({
77 name => 'create',
78 protected => 1,
79 path => '',
80 method => 'POST',
81 permissions => {
82 check => ['perm', '/access/realm', ['Realm.Allocate']],
83 },
84 description => "Add an authentication server.",
85 parameters => PVE::Auth::Plugin->createSchema(),
86 returns => { type => 'null' },
87 code => sub {
88 my ($param) = @_;
89
90 PVE::Auth::Plugin::lock_domain_config(
91 sub {
92
93 my $cfg = cfs_read_file($domainconfigfile);
94 my $ids = $cfg->{ids};
95
96 my $realm = extract_param($param, 'realm');
97 my $type = $param->{type};
98
99 die "domain '$realm' already exists\n"
100 if $ids->{$realm};
101
102 die "unable to use reserved name '$realm'\n"
103 if ($realm eq 'pam' || $realm eq 'pve');
104
105 die "unable to create builtin type '$type'\n"
106 if ($type eq 'pam' || $type eq 'pve');
107
108 my $plugin = PVE::Auth::Plugin->lookup($type);
109 my $config = $plugin->check_config($realm, $param, 1, 1);
110
111 if ($config->{default}) {
112 foreach my $r (keys %$ids) {
113 delete $ids->{$r}->{default};
114 }
115 }
116
117 $ids->{$realm} = $config;
118
119 cfs_write_file($domainconfigfile, $cfg);
120 }, "add auth server failed");
121
122 return undef;
123 }});
124
125 __PACKAGE__->register_method ({
126 name => 'update',
127 path => '{realm}',
128 method => 'PUT',
129 permissions => {
130 check => ['perm', '/access/realm', ['Realm.Allocate']],
131 },
132 description => "Update authentication server settings.",
133 protected => 1,
134 parameters => PVE::Auth::Plugin->updateSchema(),
135 returns => { type => 'null' },
136 code => sub {
137 my ($param) = @_;
138
139 PVE::Auth::Plugin::lock_domain_config(
140 sub {
141
142 my $cfg = cfs_read_file($domainconfigfile);
143 my $ids = $cfg->{ids};
144
145 my $digest = extract_param($param, 'digest');
146 PVE::SectionConfig::assert_if_modified($cfg, $digest);
147
148 my $realm = extract_param($param, 'realm');
149
150 die "domain '$realm' does not exist\n"
151 if !$ids->{$realm};
152
153 my $delete_str = extract_param($param, 'delete');
154 die "no options specified\n" if !$delete_str && !scalar(keys %$param);
155
156 foreach my $opt (PVE::Tools::split_list($delete_str)) {
157 delete $ids->{$realm}->{$opt};
158 }
159
160 my $plugin = PVE::Auth::Plugin->lookup($ids->{$realm}->{type});
161 my $config = $plugin->check_config($realm, $param, 0, 1);
162
163 if ($config->{default}) {
164 foreach my $r (keys %$ids) {
165 delete $ids->{$r}->{default};
166 }
167 }
168
169 foreach my $p (keys %$config) {
170 $ids->{$realm}->{$p} = $config->{$p};
171 }
172
173 cfs_write_file($domainconfigfile, $cfg);
174 }, "update auth server failed");
175
176 return undef;
177 }});
178
179 # fixme: return format!
180 __PACKAGE__->register_method ({
181 name => 'read',
182 path => '{realm}',
183 method => 'GET',
184 description => "Get auth server configuration.",
185 permissions => {
186 check => ['perm', '/access/realm', ['Realm.Allocate', 'Sys.Audit'], any => 1],
187 },
188 parameters => {
189 additionalProperties => 0,
190 properties => {
191 realm => get_standard_option('realm'),
192 },
193 },
194 returns => {},
195 code => sub {
196 my ($param) = @_;
197
198 my $cfg = cfs_read_file($domainconfigfile);
199
200 my $realm = $param->{realm};
201
202 my $data = $cfg->{ids}->{$realm};
203 die "domain '$realm' does not exist\n" if !$data;
204
205 $data->{digest} = $cfg->{digest};
206
207 return $data;
208 }});
209
210
211 __PACKAGE__->register_method ({
212 name => 'delete',
213 path => '{realm}',
214 method => 'DELETE',
215 permissions => {
216 check => ['perm', '/access/realm', ['Realm.Allocate']],
217 },
218 description => "Delete an authentication server.",
219 protected => 1,
220 parameters => {
221 additionalProperties => 0,
222 properties => {
223 realm => get_standard_option('realm'),
224 }
225 },
226 returns => { type => 'null' },
227 code => sub {
228 my ($param) = @_;
229
230 PVE::Auth::Plugin::lock_domain_config(
231 sub {
232
233 my $cfg = cfs_read_file($domainconfigfile);
234 my $ids = $cfg->{ids};
235
236 my $realm = $param->{realm};
237
238 die "domain '$realm' does not exist\n" if !$ids->{$realm};
239
240 delete $ids->{$realm};
241
242 cfs_write_file($domainconfigfile, $cfg);
243 }, "delete auth server failed");
244
245 return undef;
246 }});
247
248 my $update_users = sub {
249 my ($usercfg, $realm, $synced_users, $opts) = @_;
250
251 print "syncing users\n";
252 $usercfg->{users} = {} if !defined($usercfg->{users});
253 my $users = $usercfg->{users};
254
255 my $oldusers = {};
256 if ($opts->{'full'}) {
257 print "full sync, deleting outdated existing users first\n";
258 foreach my $userid (sort keys %$users) {
259 next if $userid !~ m/\@$realm$/;
260
261 $oldusers->{$userid} = delete $users->{$userid};
262 if ($opts->{'purge'} && !$synced_users->{$userid}) {
263 PVE::AccessControl::delete_user_acl($userid, $usercfg);
264 print "purged user '$userid' and all its ACL entries\n";
265 } elsif (!defined($synced_users->{$userid})) {
266 print "remove user '$userid'\n";
267 }
268 }
269 }
270
271 foreach my $userid (sort keys %$synced_users) {
272 my $synced_user = $synced_users->{$userid} // {};
273 if (!defined($users->{$userid})) {
274 my $user = $users->{$userid} = $synced_user;
275
276 my $olduser = $oldusers->{$userid} // {};
277 if (defined(my $enabled = $olduser->{enable})) {
278 $user->{enable} = $enabled;
279 } elsif ($opts->{enable}) {
280 $user->{enable} = 1;
281 }
282
283 if (defined($olduser->{tokens})) {
284 $user->{tokens} = $olduser->{tokens};
285 }
286 if (defined($oldusers->{$userid})) {
287 print "updated user '$userid'\n";
288 } else {
289 print "added user '$userid'\n";
290 }
291 } else {
292 my $olduser = $users->{$userid};
293 foreach my $attr (keys %$synced_user) {
294 $olduser->{$attr} = $synced_user->{$attr};
295 }
296 print "updated user '$userid'\n";
297 }
298 }
299 };
300
301 my $update_groups = sub {
302 my ($usercfg, $realm, $synced_groups, $opts) = @_;
303
304 print "syncing groups\n";
305 $usercfg->{groups} = {} if !defined($usercfg->{groups});
306 my $groups = $usercfg->{groups};
307 my $oldgroups = {};
308
309 if ($opts->{full}) {
310 print "full sync, deleting outdated existing groups first\n";
311 foreach my $groupid (sort keys %$groups) {
312 next if $groupid !~ m/\-$realm$/;
313
314 my $oldgroups->{$groupid} = delete $groups->{$groupid};
315 if ($opts->{purge} && !$synced_groups->{$groupid}) {
316 print "purged group '$groupid' and all its ACL entries\n";
317 PVE::AccessControl::delete_group_acl($groupid, $usercfg)
318 } elsif (!defined($synced_groups->{$groupid})) {
319 print "removed group '$groupid'\n";
320 }
321 }
322 }
323
324 foreach my $groupid (sort keys %$synced_groups) {
325 my $synced_group = $synced_groups->{$groupid};
326 if (!defined($groups->{$groupid})) {
327 $groups->{$groupid} = $synced_group;
328 if (defined($oldgroups->{$groupid})) {
329 print "updated group '$groupid'\n";
330 } else {
331 print "added group '$groupid'\n";
332 }
333 } else {
334 my $group = $groups->{$groupid};
335 foreach my $attr (keys %$synced_group) {
336 $group->{$attr} = $synced_group->{$attr};
337 }
338 print "updated group '$groupid'\n";
339 }
340 }
341 };
342
343 __PACKAGE__->register_method ({
344 name => 'sync',
345 path => '{realm}/sync',
346 method => 'POST',
347 permissions => {
348 description => "'Realm.AllocateUser' on '/access/realm/<realm>' and "
349 ." 'User.Modify' permissions to '/access/groups/'.",
350 check => [ 'and',
351 [ 'userid-param', 'Realm.AllocateUser' ],
352 [ 'userid-group', ['User.Modify'] ],
353 ],
354 },
355 description => "Syncs users and/or groups from the configured LDAP to user.cfg."
356 ." NOTE: Synced groups will have the name 'name-\$realm', so make sure"
357 ." those groups do not exist to prevent overwriting.",
358 protected => 1,
359 parameters => {
360 additionalProperties => 0,
361 properties => {
362 realm => get_standard_option('realm'),
363 scope => {
364 description => "Select what to sync.",
365 type => 'string',
366 enum => [qw(users groups both)],
367 },
368 full => {
369 description => "If set, uses the LDAP Directory as source of truth, ".
370 "deleting all information not contained there. ".
371 "Otherwise only syncs information set explicitly.",
372 type => 'boolean',
373 },
374 enable => {
375 description => "Enable newly synced users.",
376 type => 'boolean',
377 },
378 purge => {
379 description => "Remove ACLs for users/groups that were removed from the config.",
380 type => 'boolean',
381 },
382 }
383 },
384 returns => {
385 description => 'Worker Task-UPID',
386 type => 'string'
387 },
388 code => sub {
389 my ($param) = @_;
390
391 my $rpcenv = PVE::RPCEnvironment::get();
392 my $authuser = $rpcenv->get_user();
393
394 my $realm = $param->{realm};
395 my $cfg = cfs_read_file($domainconfigfile);
396 my $realmconfig = $cfg->{ids}->{$realm};
397
398 raise_param_exc({ 'realm' => 'Realm does not exist.' }) if !defined($realmconfig);
399 my $type = $realmconfig->{type};
400
401 if ($type ne 'ldap' && $type ne 'ad') {
402 die "Cannot sync realm type '$type'! Only LDAP/AD realms can be synced.\n";
403 }
404
405
406 my $scope = $param->{scope};
407 my $whatstring = $scope eq 'both' ? "users and groups" : $scope;
408
409 my $plugin = PVE::Auth::Plugin->lookup($type);
410
411 my $worker = sub {
412 print "starting sync for realm $realm\n";
413
414 my ($synced_users, $dnmap) = $plugin->get_users($realmconfig, $realm);
415 my $synced_groups = {};
416 if ($scope eq 'groups' || $scope eq 'both') {
417 $synced_groups = $plugin->get_groups($realmconfig, $realm, $dnmap);
418 }
419
420 PVE::AccessControl::lock_user_config(sub {
421 my $usercfg = cfs_read_file("user.cfg");
422 print "got data from server, updating $whatstring\n";
423
424 if ($scope eq 'users' || $scope eq 'both') {
425 $update_users->($usercfg, $realm, $synced_users, $param);
426 }
427
428 if ($scope eq 'groups' || $scope eq 'both') {
429 $update_groups->($usercfg, $realm, $synced_groups, $param);
430 }
431
432 cfs_write_file("user.cfg", $usercfg);
433 print "successfully updated $whatstring configuration\n";
434 }, "syncing $whatstring failed");
435 };
436
437 return $rpcenv->fork_worker('auth-realm-sync', $realm, $authuser, $worker);
438 }});
439
440 1;
Access control framework