PVE/API2/Role.pm

   1 package PVE::API2::Role;
   2
   3 use strict;
   4 use warnings;
   5 use PVE::Cluster qw (cfs_read_file cfs_write_file);
   6 use PVE::AccessControl;
   7
   8 use PVE::SafeSyslog;
   9
  10 use Data::Dumper; # fixme: remove
  11
  12 use PVE::RESTHandler;
  13
  14 use base qw(PVE::RESTHandler);
  15
  16 __PACKAGE__->register_method ({
  17     name => 'index',
  18     path => '',
  19     method => 'GET',
  20     description => "Role index.",
  21     parameters => {
  22         additionalProperties => 0,
  23         properties => {},
  24     },
  25     returns => {
  26         type => 'array',
  27         items => {
  28             type => "object",
  29             properties => {
  30                 roleid => { type => 'string' },
  31             },
  32         },
  33         links => [ { rel => 'child', href => "{roleid}" } ],
  34     },
  35     code => sub {
  36         my ($param) = @_;
  37
  38         my $res = [];
  39
  40         my $usercfg = cfs_read_file("user.cfg");
  41
  42         foreach my $role (keys %{$usercfg->{roles}}) {
  43             my $privs = join(',', sort keys %{$usercfg->{roles}->{$role}});
  44             push @$res, { roleid => $role, privs => $privs };
  45         }
  46
  47         return $res;
  48     }});
  49
  50 __PACKAGE__->register_method ({
  51     name => 'create_role',
  52     protected => 1,
  53     path => '',
  54     method => 'POST',
  55     description => "Create new role.",
  56     parameters => {
  57         additionalProperties => 0,
  58         properties => {
  59             roleid => { type => 'string', format => 'pve-roleid' },
  60             privs => { type => 'string' , format => 'pve-priv-list', optional => 1 },
  61         },
  62     },
  63     returns => { type => 'null' },
  64     code => sub {
  65         my ($param) = @_;
  66
  67         PVE::AccessControl::lock_user_config(
  68             sub {
  69
  70                 my $usercfg = cfs_read_file("user.cfg");
  71
  72                 my $role = $param->{roleid};
  73
  74                 die "role '$role' already exists\n"
  75                     if $usercfg->{roles}->{$role};
  76
  77                 $usercfg->{roles}->{$role} = {};
  78
  79                 PVE::AccessControl::add_role_privs($role, $usercfg, $param->{privs});
  80
  81                 cfs_write_file("user.cfg", $usercfg);
  82             }, "create role failed");
  83
  84         return undef;
  85     }});
  86
  87 __PACKAGE__->register_method ({
  88     name => 'update_role',
  89     protected => 1,
  90     path => '{roleid}',
  91     method => 'PUT',
  92     description => "Create new role.",
  93     parameters => {
  94         additionalProperties => 0,
  95         properties => {
  96             roleid => { type => 'string', format => 'pve-roleid' },
  97             privs => { type => 'string' , format => 'pve-priv-list' },
  98             append => {
  99                 type => 'boolean',
 100                 optional => 1,
 101                 requires => 'privs',
 102             },
 103         },
 104     },
 105     returns => { type => 'null' },
 106     code => sub {
 107         my ($param) = @_;
 108
 109         PVE::AccessControl::lock_user_config(
 110             sub {
 111
 112                 my $role = $param->{roleid};
 113
 114                 my $usercfg = cfs_read_file("user.cfg");
 115
 116                 die "role '$role' does not exist\n"
 117                     if !$usercfg->{roles}->{$role};
 118
 119                 $usercfg->{roles}->{$role} = {} if !$param->{append};
 120
 121                 PVE::AccessControl::add_role_privs($role, $usercfg, $param->{privs});
 122
 123                 cfs_write_file("user.cfg", $usercfg);
 124             }, "update role failed");
 125
 126         return undef;
 127     }});
 128
 129 # fixme: return format!
 130 __PACKAGE__->register_method ({
 131     name => 'read_role',
 132     path => '{roleid}',
 133     method => 'GET',
 134     description => "Get role configuration.",
 135     parameters => {
 136         additionalProperties => 0,
 137         properties => {
 138             roleid => { type => 'string' , format => 'pve-roleid' },
 139         },
 140     },
 141     returns => {},
 142     code => sub {
 143         my ($param) = @_;
 144
 145         my $usercfg = cfs_read_file("user.cfg");
 146
 147         my $role = $param->{roleid};
 148
 149         my $data = $usercfg->{roles}->{$role};
 150
 151         die "role '$role' does not exist\n" if !$data;
 152
 153         return $data;
 154     }});
 155
 156
 157 __PACKAGE__->register_method ({
 158     name => 'delete_role',
 159     protected => 1,
 160     path => '{roleid}',
 161     method => 'DELETE',
 162     description => "Delete role.",
 163     parameters => {
 164         additionalProperties => 0,
 165         properties => {
 166             roleid => { type => 'string', format => 'pve-roleid' },
 167         }
 168     },
 169     returns => { type => 'null' },
 170     code => sub {
 171         my ($param) = @_;
 172
 173         PVE::AccessControl::lock_user_config(
 174             sub {
 175
 176                 my $role = $param->{roleid};
 177
 178                 my $usercfg = cfs_read_file("user.cfg");
 179
 180                 die "role '$role' does not exist\n"
 181                     if !$usercfg->{roles}->{$role};
 182
 183                 delete ($usercfg->{roles}->{$role});
 184
 185                 # fixme: delete role from acl?
 186
 187                 cfs_write_file("user.cfg", $usercfg);
 188             }, "delete role failed");
 189
 190         return undef;
 191     }});
 192
 193 1;