1 package PVE::API2::Role;
2
3 use strict;
4 use warnings;
5 use PVE::Cluster qw (cfs_read_file cfs_write_file);
6 use PVE::AccessControl;
7
8 use PVE::SafeSyslog;
9
10 use Data::Dumper; # fixme: remove
11
12 use PVE::RESTHandler;
13
14 use base qw(PVE::RESTHandler);
15
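# GET /  -- list every role defined in user.cfg.
#
# Each entry carries the role name and a comma separated, sorted list of
# the privileges attached to it.  Roles are emitted in sorted order so
# repeated calls produce the same listing (a plain hash walk gives an
# arbitrary order, which makes diffs and audits of the output noisy).
__PACKAGE__->register_method ({
    name => 'index',
    path => '',
    method => 'GET',
    description => "Role index.",
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    returns => {
        type => 'array',
        items => {
            type => "object",
            properties => {
                roleid => { type => 'string' },
                # 'privs' was always part of the response but never declared
                # in the return schema; declare it so the API docs match.
                privs => { type => 'string' },
            },
        },
        links => [ { rel => 'child', href => "{roleid}" } ],
    },
    code => sub {
        my ($param) = @_;

        my $usercfg = cfs_read_file("user.cfg");
        # no roles configured at all is not an error, just an empty list
        my $roles = $usercfg->{roles} || {};

        my $res = [];
        foreach my $role (sort keys %$roles) {
            # privilege names are the keys of the per-role hash
            my $privs = join(',', sort keys %{$roles->{$role}});
            push @$res, { roleid => $role, privs => $privs };
        }

        return $res;
    }});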
49
# POST /  -- create a new, initially empty role and attach the optional
# privilege list to it.  The whole read-modify-write cycle on user.cfg
# runs under the user config lock so concurrent API calls cannot lose
# each other's changes; the lock helper reports failures with the
# "create role failed" prefix.
__PACKAGE__->register_method ({
    name => 'create_role',
    protected => 1,
    path => '',
    method => 'POST',
    description => "Create new role.",
    parameters => {
        additionalProperties => 0,
        properties => {
            roleid => { type => 'string', format => 'pve-roleid' },
            privs => { type => 'string' , format => 'pve-priv-list', optional => 1 },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        my $roleid = $param->{roleid};
        my $privs = $param->{privs};

        my $create = sub {
            my $usercfg = cfs_read_file("user.cfg");

            # never silently replace the privilege set of an existing role
            if ($usercfg->{roles}->{$roleid}) {
                die "role '$roleid' already exists\n";
            }

            $usercfg->{roles}->{$roleid} = {};
            # $privs is undef when the caller passed no privilege list;
            # NOTE(review): add_role_privs is assumed to accept that - confirm
            PVE::AccessControl::add_role_privs($roleid, $usercfg, $privs);

            cfs_write_file("user.cfg", $usercfg);
        };

        PVE::AccessControl::lock_user_config($create, "create role failed");

        # declared return type is 'null'; undef is what the handler emits for it
        return undef;
    }});
86
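# PUT /{roleid}  -- replace (or, with append=1, extend) the privilege set
# of an existing role.  Runs under the user config lock like create_role.
#
# Note the asymmetry with create_role: here 'privs' is mandatory, and
# without 'append' the previous privilege set is discarded before the new
# one is applied.
__PACKAGE__->register_method ({
    name => 'update_role',
    protected => 1,
    path => '{roleid}',
    method => 'PUT',
    # the previous text ("Create new role.") was copied from create_role and
    # showed up wrongly in the generated API documentation
    description => "Update an existing role.",
    parameters => {
        additionalProperties => 0,
        properties => {
            roleid => { type => 'string', format => 'pve-roleid' },
            privs => { type => 'string' , format => 'pve-priv-list' },
            append => {
                type => 'boolean',
                optional => 1,
                requires => 'privs',
            },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        PVE::AccessControl::lock_user_config(
            sub {
                my $role = $param->{roleid};

                my $usercfg = cfs_read_file("user.cfg");

                # updating must not create roles; that is what POST is for
                die "role '$role' does not exist\n"
                    if !$usercfg->{roles}->{$role};

                # full replacement unless the caller asked to append
                $usercfg->{roles}->{$role} = {} if !$param->{append};

                PVE::AccessControl::add_role_privs($role, $usercfg, $param->{privs});

                cfs_write_file("user.cfg", $usercfg);
            }, "update role failed");

        # declared return type is 'null'; undef is what the handler emits for it
        return undef;
    }});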
128
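# GET /{roleid}  -- return the configuration of a single role.
#
# The value stored per role in user.cfg is a hash keyed by privilege
# name (the index method walks it with 'keys'), so the response is an
# object; that much can be declared in the return schema.  The exact
# per-key value format is not pinned down here (fixme: return format!).
__PACKAGE__->register_method ({
    name => 'read_role',
    path => '{roleid}',
    method => 'GET',
    description => "Get role configuration.",
    parameters => {
        additionalProperties => 0,
        properties => {
            roleid => { type => 'string' , format => 'pve-roleid' },
        },
    },
    # was an empty schema; the returned data is always a hash reference
    returns => { type => 'object' },
    code => sub {
        my ($param) = @_;

        my $usercfg = cfs_read_file("user.cfg");

        my $role = $param->{roleid};

        my $data = $usercfg->{roles}->{$role};

        # an unknown role is an error, not an empty result
        die "role '$role' does not exist\n" if !$data;

        return $data;
    }});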
155
156
# DELETE /{roleid}  -- remove a role from user.cfg.
#
# Only the role definition is removed.  ACL entries that still name the
# role are not touched here (fixme: delete role from acl?).
# NOTE(review): if such entries persist, a later create_role with the
# same name would make them effective again with the new privilege set -
# confirm how ACL entries referencing an unknown role are treated.
__PACKAGE__->register_method ({
    name => 'delete_role',
    protected => 1,
    path => '{roleid}',
    method => 'DELETE',
    description => "Delete role.",
    parameters => {
        additionalProperties => 0,
        properties => {
            roleid => { type => 'string', format => 'pve-roleid' },
        }
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        my $roleid = $param->{roleid};

        my $remove = sub {
            my $usercfg = cfs_read_file("user.cfg");

            # deleting a role that is not there is reported, not ignored
            if (!$usercfg->{roles}->{$roleid}) {
                die "role '$roleid' does not exist\n";
            }

            delete $usercfg->{roles}->{$roleid};

            # fixme: delete role from acl?

            cfs_write_file("user.cfg", $usercfg);
        };

        PVE::AccessControl::lock_user_config($remove, "delete role failed");

        # declared return type is 'null'; undef is what the handler emits for it
        return undef;
    }});
192
1; # a module file must end with a true value