]> git.proxmox.com Git - pve-access-control.git/blob - PVE/API2/Domains.pm
projects / pve-access-control.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
realm: add default-sync-options to config
[pve-access-control.git] / PVE / API2 / Domains.pm
1 package PVE::API2::Domains;
2
3 use strict;
4 use warnings;
5 use PVE::Exception qw(raise_param_exc);
6 use PVE::Tools qw(extract_param);
7 use PVE::Cluster qw (cfs_read_file cfs_write_file);
8 use PVE::AccessControl;
9 use PVE::JSONSchema qw(get_standard_option);
10
11 use PVE::SafeSyslog;
12 use PVE::RESTHandler;
13 use PVE::Auth::Plugin;
14
15 my $domainconfigfile = "domains.cfg";
16
17 use base qw(PVE::RESTHandler);
18
19 __PACKAGE__->register_method ({
20 name => 'index',
21 path => '',
22 method => 'GET',
23 description => "Authentication domain index.",
24 permissions => {
25 description => "Anyone can access that, because we need that list for the login box (before the user is authenticated).",
26 user => 'world',
27 },
28 parameters => {
29 additionalProperties => 0,
30 properties => {},
31 },
32 returns => {
33 type => 'array',
34 items => {
35 type => "object",
36 properties => {
37 realm => { type => 'string' },
38 type => { type => 'string' },
39 tfa => {
40 description => "Two-factor authentication provider.",
41 type => 'string',
42 enum => [ 'yubico', 'oath' ],
43 optional => 1,
44 },
45 comment => {
46 description => "A comment. The GUI use this text when you select a domain (Realm) on the login window.",
47 type => 'string',
48 optional => 1,
49 },
50 },
51 },
52 links => [ { rel => 'child', href => "{realm}" } ],
53 },
54 code => sub {
55 my ($param) = @_;
56
57 my $res = [];
58
59 my $cfg = cfs_read_file($domainconfigfile);
60 my $ids = $cfg->{ids};
61
62 foreach my $realm (keys %$ids) {
63 my $d = $ids->{$realm};
64 my $entry = { realm => $realm, type => $d->{type} };
65 $entry->{comment} = $d->{comment} if $d->{comment};
66 $entry->{default} = 1 if $d->{default};
67 if ($d->{tfa} && (my $tfa_cfg = PVE::Auth::Plugin::parse_tfa_config($d->{tfa}))) {
68 $entry->{tfa} = $tfa_cfg->{type};
69 }
70 push @$res, $entry;
71 }
72
73 return $res;
74 }});
75
76 __PACKAGE__->register_method ({
77 name => 'create',
78 protected => 1,
79 path => '',
80 method => 'POST',
81 permissions => {
82 check => ['perm', '/access/realm', ['Realm.Allocate']],
83 },
84 description => "Add an authentication server.",
85 parameters => PVE::Auth::Plugin->createSchema(),
86 returns => { type => 'null' },
87 code => sub {
88 my ($param) = @_;
89
90 PVE::Auth::Plugin::lock_domain_config(
91 sub {
92
93 my $cfg = cfs_read_file($domainconfigfile);
94 my $ids = $cfg->{ids};
95
96 my $realm = extract_param($param, 'realm');
97 my $type = $param->{type};
98
99 die "domain '$realm' already exists\n"
100 if $ids->{$realm};
101
102 die "unable to use reserved name '$realm'\n"
103 if ($realm eq 'pam' || $realm eq 'pve');
104
105 die "unable to create builtin type '$type'\n"
106 if ($type eq 'pam' || $type eq 'pve');
107
108 my $plugin = PVE::Auth::Plugin->lookup($type);
109 my $config = $plugin->check_config($realm, $param, 1, 1);
110
111 if ($config->{default}) {
112 foreach my $r (keys %$ids) {
113 delete $ids->{$r}->{default};
114 }
115 }
116
117 $ids->{$realm} = $config;
118
119 cfs_write_file($domainconfigfile, $cfg);
120 }, "add auth server failed");
121
122 return undef;
123 }});
124
125 __PACKAGE__->register_method ({
126 name => 'update',
127 path => '{realm}',
128 method => 'PUT',
129 permissions => {
130 check => ['perm', '/access/realm', ['Realm.Allocate']],
131 },
132 description => "Update authentication server settings.",
133 protected => 1,
134 parameters => PVE::Auth::Plugin->updateSchema(),
135 returns => { type => 'null' },
136 code => sub {
137 my ($param) = @_;
138
139 PVE::Auth::Plugin::lock_domain_config(
140 sub {
141
142 my $cfg = cfs_read_file($domainconfigfile);
143 my $ids = $cfg->{ids};
144
145 my $digest = extract_param($param, 'digest');
146 PVE::SectionConfig::assert_if_modified($cfg, $digest);
147
148 my $realm = extract_param($param, 'realm');
149
150 die "domain '$realm' does not exist\n"
151 if !$ids->{$realm};
152
153 my $delete_str = extract_param($param, 'delete');
154 die "no options specified\n" if !$delete_str && !scalar(keys %$param);
155
156 foreach my $opt (PVE::Tools::split_list($delete_str)) {
157 delete $ids->{$realm}->{$opt};
158 }
159
160 my $plugin = PVE::Auth::Plugin->lookup($ids->{$realm}->{type});
161 my $config = $plugin->check_config($realm, $param, 0, 1);
162
163 if ($config->{default}) {
164 foreach my $r (keys %$ids) {
165 delete $ids->{$r}->{default};
166 }
167 }
168
169 foreach my $p (keys %$config) {
170 $ids->{$realm}->{$p} = $config->{$p};
171 }
172
173 cfs_write_file($domainconfigfile, $cfg);
174 }, "update auth server failed");
175
176 return undef;
177 }});
178
179 # fixme: return format!
180 __PACKAGE__->register_method ({
181 name => 'read',
182 path => '{realm}',
183 method => 'GET',
184 description => "Get auth server configuration.",
185 permissions => {
186 check => ['perm', '/access/realm', ['Realm.Allocate', 'Sys.Audit'], any => 1],
187 },
188 parameters => {
189 additionalProperties => 0,
190 properties => {
191 realm => get_standard_option('realm'),
192 },
193 },
194 returns => {},
195 code => sub {
196 my ($param) = @_;
197
198 my $cfg = cfs_read_file($domainconfigfile);
199
200 my $realm = $param->{realm};
201
202 my $data = $cfg->{ids}->{$realm};
203 die "domain '$realm' does not exist\n" if !$data;
204
205 $data->{digest} = $cfg->{digest};
206
207 return $data;
208 }});
209
210
211 __PACKAGE__->register_method ({
212 name => 'delete',
213 path => '{realm}',
214 method => 'DELETE',
215 permissions => {
216 check => ['perm', '/access/realm', ['Realm.Allocate']],
217 },
218 description => "Delete an authentication server.",
219 protected => 1,
220 parameters => {
221 additionalProperties => 0,
222 properties => {
223 realm => get_standard_option('realm'),
224 }
225 },
226 returns => { type => 'null' },
227 code => sub {
228 my ($param) = @_;
229
230 PVE::Auth::Plugin::lock_domain_config(
231 sub {
232
233 my $cfg = cfs_read_file($domainconfigfile);
234 my $ids = $cfg->{ids};
235
236 my $realm = $param->{realm};
237
238 die "domain '$realm' does not exist\n" if !$ids->{$realm};
239
240 delete $ids->{$realm};
241
242 cfs_write_file($domainconfigfile, $cfg);
243 }, "delete auth server failed");
244
245 return undef;
246 }});
247
248 my $update_users = sub {
249 my ($usercfg, $realm, $synced_users, $opts) = @_;
250
251 print "syncing users\n";
252 $usercfg->{users} = {} if !defined($usercfg->{users});
253 my $users = $usercfg->{users};
254
255 my $oldusers = {};
256 if ($opts->{'full'}) {
257 print "full sync, deleting outdated existing users first\n";
258 foreach my $userid (sort keys %$users) {
259 next if $userid !~ m/\@$realm$/;
260
261 $oldusers->{$userid} = delete $users->{$userid};
262 if ($opts->{'purge'} && !$synced_users->{$userid}) {
263 PVE::AccessControl::delete_user_acl($userid, $usercfg);
264 print "purged user '$userid' and all its ACL entries\n";
265 } elsif (!defined($synced_users->{$userid})) {
266 print "remove user '$userid'\n";
267 }
268 }
269 }
270
271 foreach my $userid (sort keys %$synced_users) {
272 my $synced_user = $synced_users->{$userid} // {};
273 if (!defined($users->{$userid})) {
274 my $user = $users->{$userid} = $synced_user;
275
276 my $olduser = $oldusers->{$userid} // {};
277 if (defined(my $enabled = $olduser->{enable})) {
278 $user->{enable} = $enabled;
279 } elsif ($opts->{'enable-new'}) {
280 $user->{enable} = 1;
281 }
282
283 if (defined($olduser->{tokens})) {
284 $user->{tokens} = $olduser->{tokens};
285 }
286 if (defined($oldusers->{$userid})) {
287 print "updated user '$userid'\n";
288 } else {
289 print "added user '$userid'\n";
290 }
291 } else {
292 my $olduser = $users->{$userid};
293 foreach my $attr (keys %$synced_user) {
294 $olduser->{$attr} = $synced_user->{$attr};
295 }
296 print "updated user '$userid'\n";
297 }
298 }
299 };
300
301 my $update_groups = sub {
302 my ($usercfg, $realm, $synced_groups, $opts) = @_;
303
304 print "syncing groups\n";
305 $usercfg->{groups} = {} if !defined($usercfg->{groups});
306 my $groups = $usercfg->{groups};
307 my $oldgroups = {};
308
309 if ($opts->{full}) {
310 print "full sync, deleting outdated existing groups first\n";
311 foreach my $groupid (sort keys %$groups) {
312 next if $groupid !~ m/\-$realm$/;
313
314 my $oldgroups->{$groupid} = delete $groups->{$groupid};
315 if ($opts->{purge} && !$synced_groups->{$groupid}) {
316 print "purged group '$groupid' and all its ACL entries\n";
317 PVE::AccessControl::delete_group_acl($groupid, $usercfg)
318 } elsif (!defined($synced_groups->{$groupid})) {
319 print "removed group '$groupid'\n";
320 }
321 }
322 }
323
324 foreach my $groupid (sort keys %$synced_groups) {
325 my $synced_group = $synced_groups->{$groupid};
326 if (!defined($groups->{$groupid})) {
327 $groups->{$groupid} = $synced_group;
328 if (defined($oldgroups->{$groupid})) {
329 print "updated group '$groupid'\n";
330 } else {
331 print "added group '$groupid'\n";
332 }
333 } else {
334 my $group = $groups->{$groupid};
335 foreach my $attr (keys %$synced_group) {
336 $group->{$attr} = $synced_group->{$attr};
337 }
338 print "updated group '$groupid'\n";
339 }
340 }
341 };
342
343 my $parse_sync_opts = sub {
344 my ($param, $realmconfig) = @_;
345
346 my $sync_opts_fmt = PVE::JSONSchema::get_format('realm-sync-options');
347
348 my $res = {};
349 if (defined(my $cfg_opts = $realmconfig->{'sync-defaults-options'})) {
350 $res = PVE::JSONSchema::parse_property_string($sync_opts_fmt, $cfg_opts);
351 }
352
353 for my $opt (sort keys %$sync_opts_fmt) {
354 my $fmt = $sync_opts_fmt->{$opt};
355
356 if (exists $param->{$opt}) {
357 $res->{$opt} = $param->{$opt};
358 } elsif (!exists $res->{$opt}) {
359 raise_param_exc({
360 "$opt" => 'Not passed as parameter and not defined in realm default sync options.'
361 }) if !$fmt->{optional};
362 $res->{$opt} = $fmt->{default} if exists $fmt->{default};
363 }
364 }
365 return $res;
366 };
367
368 __PACKAGE__->register_method ({
369 name => 'sync',
370 path => '{realm}/sync',
371 method => 'POST',
372 permissions => {
373 description => "'Realm.AllocateUser' on '/access/realm/<realm>' and "
374 ." 'User.Modify' permissions to '/access/groups/'.",
375 check => [ 'and',
376 [ 'userid-param', 'Realm.AllocateUser' ],
377 [ 'userid-group', ['User.Modify'] ],
378 ],
379 },
380 description => "Syncs users and/or groups from the configured LDAP to user.cfg."
381 ." NOTE: Synced groups will have the name 'name-\$realm', so make sure"
382 ." those groups do not exist to prevent overwriting.",
383 protected => 1,
384 parameters => {
385 additionalProperties => 0,
386 properties => get_standard_option('realm-sync-options', {
387 realm => get_standard_option('realm'),
388 })
389 },
390 returns => {
391 description => 'Worker Task-UPID',
392 type => 'string'
393 },
394 code => sub {
395 my ($param) = @_;
396
397 my $rpcenv = PVE::RPCEnvironment::get();
398 my $authuser = $rpcenv->get_user();
399
400 my $realm = $param->{realm};
401 my $cfg = cfs_read_file($domainconfigfile);
402 my $realmconfig = $cfg->{ids}->{$realm};
403
404 raise_param_exc({ 'realm' => 'Realm does not exist.' }) if !defined($realmconfig);
405 my $type = $realmconfig->{type};
406
407 if ($type ne 'ldap' && $type ne 'ad') {
408 die "Cannot sync realm type '$type'! Only LDAP/AD realms can be synced.\n";
409 }
410
411 my $opts = $parse_sync_opts->($param, $realmconfig); # can throw up
412
413 my $scope = $opts->{scope};
414 my $whatstring = $scope eq 'both' ? "users and groups" : $scope;
415
416 my $plugin = PVE::Auth::Plugin->lookup($type);
417
418 my $worker = sub {
419 print "starting sync for realm $realm\n";
420
421 my ($synced_users, $dnmap) = $plugin->get_users($realmconfig, $realm);
422 my $synced_groups = {};
423 if ($scope eq 'groups' || $scope eq 'both') {
424 $synced_groups = $plugin->get_groups($realmconfig, $realm, $dnmap);
425 }
426
427 PVE::AccessControl::lock_user_config(sub {
428 my $usercfg = cfs_read_file("user.cfg");
429 print "got data from server, updating $whatstring\n";
430
431 if ($scope eq 'users' || $scope eq 'both') {
432 $update_users->($usercfg, $realm, $synced_users, $opts);
433 }
434
435 if ($scope eq 'groups' || $scope eq 'both') {
436 $update_groups->($usercfg, $realm, $synced_groups, $opts);
437 }
438
439 cfs_write_file("user.cfg", $usercfg);
440 print "successfully updated $whatstring configuration\n";
441 }, "syncing $whatstring failed");
442 };
443
444 return $rpcenv->fork_worker('auth-realm-sync', $realm, $authuser, $worker);
445 }});
446
447 1;
Access control framework