]> git.proxmox.com Git - pve-access-control.git/blob - PVE/API2/Domains.pm
projects / pve-access-control.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
added domain attribute for AD servers
[pve-access-control.git] / PVE / API2 / Domains.pm
1 package PVE::API2::Domains;
2
3 use strict;
4 use warnings;
5 use PVE::Cluster qw (cfs_read_file cfs_write_file);
6 use PVE::AccessControl;
7 use PVE::JSONSchema qw(get_standard_option);
8
9 use PVE::SafeSyslog;
10
11 use Data::Dumper; # fixme: remove
12
13 use PVE::RESTHandler;
14
15 my $domainconfigfile = "domains.cfg";
16
17 use base qw(PVE::RESTHandler);
18
19 __PACKAGE__->register_method ({
20 name => 'index',
21 path => '',
22 method => 'GET',
23 description => "Authentication domain index.",
24 permissions => { user => 'world' },
25 parameters => {
26 additionalProperties => 0,
27 properties => {},
28 },
29 returns => {
30 type => 'array',
31 items => {
32 type => "object",
33 properties => {
34 realm => { type => 'string' },
35 comment => { type => 'string', optional => 1 },
36 },
37 },
38 links => [ { rel => 'child', href => "{realm}" } ],
39 },
40 code => sub {
41 my ($param) = @_;
42
43 my $res = [];
44
45 my $cfg = cfs_read_file($domainconfigfile);
46
47 foreach my $realm (keys %$cfg) {
48 my $d = $cfg->{$realm};
49 my $entry = { realm => $realm, type => $d->{type} };
50 $entry->{comment} = $d->{comment} if $d->{comment};
51 $entry->{default} = 1 if $d->{default};
52 push @$res, $entry;
53 }
54
55 return $res;
56 }});
57
58 __PACKAGE__->register_method ({
59 name => 'create',
60 protected => 1,
61 path => '',
62 method => 'POST',
63 description => "Add an authentication server.",
64 parameters => {
65 additionalProperties => 0,
66 properties => {
67 realm => get_standard_option('realm'),
68 type => {
69 description => "Server type.",
70 type => 'string',
71 enum => [ 'ad', 'ldap' ],
72 },
73 server1 => {
74 description => "Server IP address (or DNS name)",
75 type => 'string',
76 },
77 server2 => {
78 description => "Fallback Server IP address (or DNS name)",
79 type => 'string',
80 optional => 1,
81 },
82 secure => {
83 description => "Use secure LDAPS protocol.",
84 type => 'boolean',
85 optional => 1,
86 },
87 default => {
88 description => "Use this as default realm",
89 type => 'boolean',
90 optional => 1,
91 },
92 comment => {
93 type => 'string',
94 optional => 1,
95 },
96 port => {
97 description => "Server port",
98 type => 'integer',
99 minimum => 1,
100 maximum => 65535,
101 optional => 1,
102 },
103 domain => {
104 description => "AD domain name",
105 type => 'string',
106 optional => 1,
107 },
108 base_dn => {
109 description => "LDAP base domain name",
110 type => 'string',
111 optional => 1,
112 },
113 user_attr => {
114 description => "LDAP user attribute name",
115 type => 'string',
116 optional => 1,
117 },
118 },
119 },
120 returns => { type => 'null' },
121 code => sub {
122 my ($param) = @_;
123
124 PVE::AccessControl::lock_domain_config(
125 sub {
126
127 my $cfg = cfs_read_file($domainconfigfile);
128
129 my $realm = $param->{realm};
130
131 die "domain '$realm' already exists\n"
132 if $cfg->{$realm};
133
134 die "unable to use reserved name '$realm'\n"
135 if ($realm eq 'pam' || $realm eq 'pve');
136
137 if (defined($param->{secure})) {
138 $cfg->{$realm}->{secure} = $param->{secure} ? 1 : 0;
139 }
140
141 if ($param->{default}) {
142 foreach my $r (keys %$cfg) {
143 delete $cfg->{$r}->{default};
144 }
145 }
146
147 foreach my $p (keys %$param) {
148 next if $p eq 'realm';
149 $cfg->{$realm}->{$p} = $param->{$p};
150 }
151
152 cfs_write_file($domainconfigfile, $cfg);
153 }, "add auth server failed");
154
155 return undef;
156 }});
157
158 __PACKAGE__->register_method ({
159 name => 'update',
160 path => '{realm}',
161 method => 'PUT',
162 description => "Update authentication server settings.",
163 protected => 1,
164 parameters => {
165 additionalProperties => 0,
166 properties => {
167 realm => get_standard_option('realm'),
168 server1 => {
169 description => "Server IP address (or DNS name)",
170 type => 'string',
171 optional => 1,
172 },
173 server2 => {
174 description => "Fallback Server IP address (or DNS name)",
175 type => 'string',
176 optional => 1,
177 },
178 secure => {
179 description => "Use secure LDAPS protocol.",
180 type => 'boolean',
181 optional => 1,
182 },
183 default => {
184 description => "Use this as default realm",
185 type => 'boolean',
186 optional => 1,
187 },
188 comment => {
189 type => 'string',
190 optional => 1,
191 },
192 port => {
193 description => "Server port",
194 type => 'integer',
195 minimum => 1,
196 maximum => 65535,
197 optional => 1,
198 },
199 domain => {
200 description => "AD domain name",
201 type => 'string',
202 optional => 1,
203 },
204 base_dn => {
205 description => "LDAP base domain name",
206 type => 'string',
207 optional => 1,
208 },
209 user_attr => {
210 description => "LDAP user attribute name",
211 type => 'string',
212 optional => 1,
213 },
214 },
215 },
216 returns => { type => 'null' },
217 code => sub {
218 my ($param) = @_;
219
220 PVE::AccessControl::lock_domain_config(
221 sub {
222
223 my $cfg = cfs_read_file($domainconfigfile);
224
225 my $realm = $param->{realm};
226 delete $param->{realm};
227
228 die "unable to modify bultin domain '$realm'\n"
229 if ($realm eq 'pam' || $realm eq 'pve');
230
231 die "domain '$realm' does not exist\n"
232 if !$cfg->{$realm};
233
234 if (defined($param->{secure})) {
235 $cfg->{$realm}->{secure} = $param->{secure} ? 1 : 0;
236 }
237
238 if ($param->{default}) {
239 foreach my $r (keys %$cfg) {
240 delete $cfg->{$r}->{default};
241 }
242 }
243
244 foreach my $p (keys %$param) {
245 $cfg->{$realm}->{$p} = $param->{$p};
246 }
247
248 cfs_write_file($domainconfigfile, $cfg);
249 }, "update auth server failed");
250
251 return undef;
252 }});
253
254 # fixme: return format!
255 __PACKAGE__->register_method ({
256 name => 'read',
257 path => '{realm}',
258 method => 'GET',
259 description => "Get auth server configuration.",
260 parameters => {
261 additionalProperties => 0,
262 properties => {
263 realm => get_standard_option('realm'),
264 },
265 },
266 returns => {},
267 code => sub {
268 my ($param) = @_;
269
270 my $cfg = cfs_read_file($domainconfigfile);
271
272 my $realm = $param->{realm};
273
274 my $data = $cfg->{$realm};
275 die "domain '$realm' does not exist\n" if !$data;
276
277 return $data;
278 }});
279
280
281 __PACKAGE__->register_method ({
282 name => 'delete',
283 path => '{realm}',
284 method => 'DELETE',
285 description => "Delete an authentication server.",
286 protected => 1,
287 parameters => {
288 additionalProperties => 0,
289 properties => {
290 realm => get_standard_option('realm'),
291 }
292 },
293 returns => { type => 'null' },
294 code => sub {
295 my ($param) = @_;
296
297 PVE::AccessControl::lock_user_config(
298 sub {
299
300 my $cfg = cfs_read_file($domainconfigfile);
301
302 my $realm = $param->{realm};
303
304 die "domain '$realm' does not exist\n" if !$cfg->{$realm};
305
306 delete $cfg->{$realm};
307
308 cfs_write_file($domainconfigfile, $cfg);
309 }, "delete auth server failed");
310
311 return undef;
312 }});
313
314 1;
Access control framework