1 package PVE::API2::Group;
2
3 use strict;
4 use warnings;
5 use PVE::Cluster qw (cfs_read_file cfs_write_file);
6 use PVE::AccessControl;
7 use PVE::SafeSyslog;
8 use PVE::RESTHandler;
9
10 use base qw(PVE::RESTHandler);
11
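# GET on the collection path: list the groups the calling user may see.
#
# 'user => all' means no privilege is required to reach the handler; the
# per-group filter inside the handler is the only access control on the
# returned data.
__PACKAGE__->register_method({
    name => 'index',
    path => '',
    method => 'GET',
    description => "Group index.",
    permissions => {
        description => "The returned list is restricted to groups where you have 'User.Modify', 'Sys.Audit' or 'Group.Allocate' permissions on /access/groups/<group>.",
        user => 'all',
    },
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    returns => {
        type => 'array',
        items => {
            type => "object",
            properties => {
                groupid => { type => 'string' },
                # The handler also emits 'comment' when the group has one,
                # so the schema declares it instead of leaving the field
                # undocumented.
                comment => { type => 'string', optional => 1 },
            },
        },
        links => [ { rel => 'child', href => "{groupid}" } ],
    },
    code => sub {
        my ($param) = @_;

        my $res = [];

        my $rpcenv = PVE::RPCEnvironment::get();
        my $usercfg = cfs_read_file("user.cfg");
        my $authuser = $rpcenv->get_user();

        # Holding any one of these on a group's ACL path makes it visible.
        my $privs = [ 'User.Modify', 'Sys.Audit', 'Group.Allocate' ];

        foreach my $group (keys %{$usercfg->{groups}}) {
            # The trailing 1 is presumably the "no error" flag, so a denied
            # check yields false instead of dying - confirm against
            # PVE::RPCEnvironment::check_any.
            my $visible = $rpcenv->check_any(
                $authuser, "/access/groups/$group", $privs, 1);
            next if !$visible;

            my $data = $usercfg->{groups}->{$group};

            # Only groupid and comment are exposed here; the member list is
            # not part of the index entry.
            my $entry = { groupid => $group };
            $entry->{comment} = $data->{comment} if defined($data->{comment});

            push @$res, $entry;
        }

        return $res;
    },
});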
56
# POST on the collection path: add a new, empty group to user.cfg.
#
# Requires 'Group.Allocate' on /access/groups. The groupid is declared with
# the 'pve-groupid' format (defined outside this file), and no parameters
# other than groupid and comment are accepted.
__PACKAGE__->register_method({
    name => 'create_group',
    protected => 1,
    path => '',
    method => 'POST',
    permissions => {
        check => ['perm', '/access/groups', ['Group.Allocate']],
    },
    description => "Create new group.",
    parameters => {
        additionalProperties => 0,
        properties => {
            groupid => { type => 'string', format => 'pve-groupid' },
            comment => { type => 'string', optional => 1 },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        # The read, the existence check and the write all run inside the
        # callback handed to lock_user_config, so the "already exists" test
        # is made on the same copy of user.cfg that gets written back.
        my $create = sub {
            my $usercfg = cfs_read_file("user.cfg");

            my $group = $param->{groupid};

            if ($usercfg->{groups}->{$group}) {
                die "group '$group' already exists\n";
            }

            # A new group starts with no members.
            my $entry = { users => {} };

            # Truthiness test: an empty or "0" comment is not stored.
            $entry->{comment} = $param->{comment} if $param->{comment};

            $usercfg->{groups}->{$group} = $entry;

            cfs_write_file("user.cfg", $usercfg);
        };

        PVE::AccessControl::lock_user_config($create, "create group failed");

        return undef;
    },
});
97
# PUT on {groupid}: change the comment of an existing group.
#
# Requires 'Group.Allocate' on /access/groups.
# NOTE(review): the check is on the parent path, not on
# /access/groups/{groupid}, while the index handler filters per group -
# confirm that this difference in granularity is intended.
__PACKAGE__->register_method({
    name => 'update_group',
    protected => 1,
    path => '{groupid}',
    method => 'PUT',
    permissions => {
        check => ['perm', '/access/groups', ['Group.Allocate']],
    },
    description => "Update group data.",
    parameters => {
        additionalProperties => 0,
        properties => {
            groupid => {
                type => 'string', format => 'pve-groupid',
                completion => \&PVE::AccessControl::complete_group,
            },
            comment => { type => 'string', optional => 1 },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        # Read-modify-write of user.cfg happens inside the callback handed
        # to lock_user_config.
        my $update = sub {
            my $usercfg = cfs_read_file("user.cfg");

            my $group = $param->{groupid};

            my $data = $usercfg->{groups}->{$group};

            if (!$data) {
                die "group '$group' does not exist\n";
            }

            # defined(), not truthiness: an empty string replaces the
            # stored comment, an omitted parameter leaves it untouched.
            if (defined($param->{comment})) {
                $data->{comment} = $param->{comment};
            }

            cfs_write_file("user.cfg", $usercfg);
        };

        PVE::AccessControl::lock_user_config($update, "update group failed");

        return undef;
    },
});
140
# GET on {groupid}: return one group's comment and member list.
#
# Requires 'Sys.Audit' or 'Group.Allocate' (any => 1) on /access/groups.
# Unlike the index, this handler exposes the group's members.
# NOTE(review): the check is on the parent path rather than on
# /access/groups/{groupid}; a privilege held only on a single group's path
# makes that group visible in the index - confirm it is meant not to be
# sufficient here.
__PACKAGE__->register_method({
    name => 'read_group',
    path => '{groupid}',
    method => 'GET',
    permissions => {
        check => ['perm', '/access/groups', ['Sys.Audit', 'Group.Allocate'], any => 1],
    },
    description => "Get group configuration.",
    parameters => {
        additionalProperties => 0,
        properties => {
            groupid => { type => 'string', format => 'pve-groupid' },
        },
    },
    returns => {
        type => "object",
        additionalProperties => 0,
        properties => {
            comment => { type => 'string', optional => 1 },
            members => {
                type => 'array',
                items => {
                    type => "string",
                },
            },
        },
    },
    code => sub {
        my ($param) = @_;

        my $group = $param->{groupid};

        # Read-only access: no user-config lock is taken here.
        my $usercfg = cfs_read_file("user.cfg");

        my $data = $usercfg->{groups}->{$group};

        if (!$data) {
            die "group '$group' does not exist\n";
        }

        # Members are the keys of the group's 'users' hash; a group
        # without that hash reports an empty list.
        my @members;
        @members = keys %{$data->{users}} if $data->{users};

        my $res = { members => \@members };

        # 'comment' appears in the result only when one is stored.
        if (defined($data->{comment})) {
            $res->{comment} = $data->{comment};
        }

        return $res;
    },
});
187
188
# DELETE on {groupid}: remove a group and the ACL entries that refer to it.
#
# Requires 'Group.Allocate' on /access/groups.
# NOTE(review): as with update_group, the check is on the parent path and
# not on /access/groups/{groupid} - confirm that this is intended.
__PACKAGE__->register_method({
    name => 'delete_group',
    protected => 1,
    path => '{groupid}',
    method => 'DELETE',
    permissions => {
        check => ['perm', '/access/groups', ['Group.Allocate']],
    },
    description => "Delete group.",
    parameters => {
        additionalProperties => 0,
        properties => {
            groupid => {
                type => 'string', format => 'pve-groupid',
                completion => \&PVE::AccessControl::complete_group,
            },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        # Group removal and ACL cleanup are applied to the same in-memory
        # config and written back once, inside the callback handed to
        # lock_user_config.
        my $remove = sub {
            my $usercfg = cfs_read_file("user.cfg");

            my $group = $param->{groupid};

            if (!$usercfg->{groups}->{$group}) {
                die "group '$group' does not exist\n";
            }

            delete $usercfg->{groups}->{$group};

            # Presumably strips ACL entries that grant roles to the removed
            # group, so a later group with the same name does not inherit
            # them - verify against PVE::AccessControl::delete_group_acl.
            PVE::AccessControl::delete_group_acl($group, $usercfg);

            cfs_write_file("user.cfg", $usercfg);
        };

        PVE::AccessControl::lock_user_config($remove, "delete group failed");

        return undef;
    },
});
230
231 1;