1 package PVE::API2::Group;
2
3 use strict;
4 use warnings;
5 use PVE::Cluster qw (cfs_read_file cfs_write_file);
6 use PVE::AccessControl;
7 use PVE::SafeSyslog;
8 use PVE::RESTHandler;
9 use PVE::JSONSchema qw(get_standard_option register_standard_option);
10
11 use base qw(PVE::RESTHandler);
12
# Shared schema fragments for the group endpoints in this file.  The group
# id is validated against the 'pve-groupid' format by the schema layer before
# any handler code below runs; shell completion is delegated to
# PVE::AccessControl::complete_group.
my $group_id_schema = {
    type       => 'string',
    format     => 'pve-groupid',
    completion => \&PVE::AccessControl::complete_group,
};
register_standard_option('group-id', $group_id_schema);

# Free-form comment; optional everywhere it is referenced.
my $group_comment_schema = { type => 'string', optional => 1 };
register_standard_option('group-comment', $group_comment_schema);
20
__PACKAGE__->register_method ({
    name => 'index',
    path => '',
    method => 'GET',
    description => "Group index.",
    permissions => {
        description => "The returned list is restricted to groups where you have 'User.Modify', 'Sys.Audit' or 'Group.Allocate' permissions on /access/groups/<group>.",
        user => 'all',
    },
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    returns => {
        type => 'array',
        items => {
            type => "object",
            properties => {
                groupid => get_standard_option('group-id'),
                comment => get_standard_option('group-comment'),
            },
        },
        links => [ { rel => 'child', href => "{groupid}" } ],
    },
    code => sub {
        my ($param) = @_;

        # Any authenticated user may call this ('user => all' above); the
        # filtering happens per group in the loop, so the listing only shows
        # groups the caller holds one of $required_privs on.
        my $rpcenv = PVE::RPCEnvironment::get();
        my $authuser = $rpcenv->get_user();
        my $usercfg = cfs_read_file("user.cfg");

        my $required_privs = [ 'User.Modify', 'Sys.Audit', 'Group.Allocate' ];

        my @visible;
        for my $groupid (keys %{ $usercfg->{groups} }) {
            # Per-group path, unlike the global /access/groups path the
            # mutating endpoints check.  The trailing 1 is passed through to
            # check_any and the result is only used as a boolean here
            # (presumably a "no error" flag -- return false instead of
            # dying; confirm against PVE::RPCEnvironment).
            my $allowed = $rpcenv->check_any(
                $authuser, "/access/groups/$groupid", $required_privs, 1);
            next if !$allowed;

            my $entry = { groupid => $groupid };
            my $comment = $usercfg->{groups}->{$groupid}->{comment};
            $entry->{comment} = $comment if defined($comment);
            push @visible, $entry;
        }

        return \@visible;
    }});
66
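__PACKAGE__->register_method ({
    name => 'create_group',
    protected => 1,
    path => '',
    method => 'POST',
    permissions => {
        check => ['perm', '/access/groups', ['Group.Allocate']],
    },
    description => "Create new group.",
    parameters => {
        additionalProperties => 0,
        properties => {
            groupid => get_standard_option('group-id'),
            comment => get_standard_option('group-comment'),
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        # By the time this runs the REST layer has checked 'Group.Allocate'
        # on the global /access/groups path and validated groupid against
        # the 'pve-groupid' format, so $group is a well-formed id.
        my $group = $param->{groupid};

        # Read-modify-write of user.cfg inside lock_user_config (presumably
        # serializes concurrent writers, so two creates of the same id cannot
        # both pass the existence check -- confirm in PVE::AccessControl).
        PVE::AccessControl::lock_user_config(
            sub {
                my $usercfg = cfs_read_file("user.cfg");

                # Refuse to clobber an existing group and its member list.
                die "group '$group' already exists\n"
                    if $usercfg->{groups}->{$group};

                my $entry = { users => {} };

                # Use defined() rather than truthiness so a comment of "0"
                # is stored; this matches the check used by update_group.
                $entry->{comment} = $param->{comment}
                    if defined($param->{comment});

                $usercfg->{groups}->{$group} = $entry;

                cfs_write_file("user.cfg", $usercfg);
            }, "create group failed");

        return undef;
    }});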
107
__PACKAGE__->register_method ({
    name => 'update_group',
    protected => 1,
    path => '{groupid}',
    method => 'PUT',
    permissions => {
        check => ['perm', '/access/groups', ['Group.Allocate']],
    },
    description => "Update group data.",
    parameters => {
        additionalProperties => 0,
        properties => {
            groupid => get_standard_option('group-id'),
            comment => get_standard_option('group-comment'),
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        my $groupid = $param->{groupid};
        my $new_comment = $param->{comment};

        # The permission check is done by the REST layer on the global
        # /access/groups path (not the per-group path that index uses), so
        # any holder of 'Group.Allocate' may update any group.
        my $apply = sub {
            my $usercfg = cfs_read_file("user.cfg");

            my $entry = $usercfg->{groups}->{$groupid}
                or die "group '$groupid' does not exist\n";

            # Only the comment is editable here.  An absent comment
            # parameter leaves the stored one untouched.
            $entry->{comment} = $new_comment if defined($new_comment);

            cfs_write_file("user.cfg", $usercfg);
        };

        # Mutation runs under the user-config lock like the other writers.
        PVE::AccessControl::lock_user_config($apply, "update group failed");

        return undef;
    }});
147
__PACKAGE__->register_method ({
    name => 'read_group',
    path => '{groupid}',
    method => 'GET',
    permissions => {
        check => ['perm', '/access/groups', ['Sys.Audit', 'Group.Allocate'], any => 1],
    },
    description => "Get group configuration.",
    parameters => {
        additionalProperties => 0,
        properties => {
            groupid => get_standard_option('group-id'),
        },
    },
    returns => {
        type => "object",
        additionalProperties => 0,
        properties => {
            comment => get_standard_option('group-comment'),
            members => {
                type => 'array',
                items => get_standard_option('userid-completed')
            },
        },
    },
    code => sub {
        my ($param) = @_;

        my $groupid = $param->{groupid};

        # Read-only access: no user-config lock is taken.  Either
        # 'Sys.Audit' or 'Group.Allocate' on /access/groups suffices
        # (any => 1 above).
        my $usercfg = cfs_read_file("user.cfg");
        my $entry = $usercfg->{groups}->{$groupid}
            or die "group '$groupid' does not exist\n";

        # Member user ids are the keys of the group's 'users' hash; a
        # missing hash yields an empty member list rather than an error.
        my @members;
        @members = keys %{ $entry->{users} } if $entry->{users};

        my $res = { members => \@members };
        $res->{comment} = $entry->{comment} if defined($entry->{comment});

        return $res;
    }});
192
193
__PACKAGE__->register_method ({
    name => 'delete_group',
    protected => 1,
    path => '{groupid}',
    method => 'DELETE',
    permissions => {
        check => ['perm', '/access/groups', ['Group.Allocate']],
    },
    description => "Delete group.",
    parameters => {
        additionalProperties => 0,
        properties => {
            groupid => get_standard_option('group-id'),
        }
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        my $groupid = $param->{groupid};

        # Read-modify-write of user.cfg under the user-config lock, like
        # create_group and update_group.
        PVE::AccessControl::lock_user_config(
            sub {
                my $usercfg = cfs_read_file("user.cfg");

                die "group '$groupid' does not exist\n"
                    unless $usercfg->{groups}->{$groupid};

                delete $usercfg->{groups}->{$groupid};

                # Drop the ACL entries that reference this group as well, so
                # they do not linger in user.cfg after the group is gone
                # (presumably they would otherwise apply to a later group
                # created under the same name -- confirm in delete_group_acl).
                PVE::AccessControl::delete_group_acl($groupid, $usercfg);

                cfs_write_file("user.cfg", $usercfg);
            }, "delete group failed");

        return undef;
    }});
232
233 1;