PVE/CLI/pveum.pm

   1 package PVE::CLI::pveum;
   2
   3 use strict;
   4 use warnings;
   5
   6 use PVE::AccessControl;
   7 use PVE::RPCEnvironment;
   8 use PVE::API2::User;
   9 use PVE::API2::Group;
  10 use PVE::API2::Role;
  11 use PVE::API2::ACL;
  12 use PVE::API2::AccessControl;
  13 use PVE::API2::Domains;
  14 use PVE::CLIFormatter;
  15 use PVE::CLIHandler;
  16 use PVE::JSONSchema qw(get_standard_option);
  17 use PVE::PTY;
  18 use PVE::RESTHandler;
  19 use PVE::Tools qw(extract_param);
  20
  21 use base qw(PVE::CLIHandler);
  22
  23 sub setup_environment {
  24     PVE::RPCEnvironment->setup_default_cli_env();
  25 }
  26
  27 sub param_mapping {
  28     my ($name) = @_;
  29
  30     my $mapping = {
  31         'change_password' => [
  32             PVE::CLIHandler::get_standard_mapping('pve-password'),
  33         ],
  34         'create_ticket' => [
  35             PVE::CLIHandler::get_standard_mapping('pve-password', {
  36                 func => sub {
  37                     # do not accept values given on cmdline
  38                     return PVE::PTY::read_password('Enter password: ');
  39                 },
  40             }),
  41         ]
  42     };
  43
  44     return $mapping->{$name};
  45 }
  46
  47 my $print_api_result = sub {
  48     my ($data, $schema, $options) = @_;
  49     PVE::CLIFormatter::print_api_result($data, $schema, undef, $options);
  50 };
  51
  52 my $print_perm_result = sub {
  53     my ($data, $schema, $options) = @_;
  54
  55     if (!defined($options->{'output-format'}) || $options->{'output-format'} eq 'text') {
  56         my $table_schema = {
  57             type => 'array',
  58             items => {
  59                 type => 'object',
  60                 properties => {
  61                     'path' => { type => 'string', title => 'ACL path' },
  62                     'permissions' => { type => 'string', title => 'Permissions' },
  63                 },
  64             },
  65         };
  66         my $table_data = [];
  67         foreach my $path (sort keys %$data) {
  68             my $value = '';
  69             my $curr = $data->{$path};
  70             foreach my $perm (sort keys %$curr) {
  71                 $value .= "\n" if $value;
  72                 $value .= $perm;
  73                 $value .= " (*)" if $curr->{$perm};
  74             }
  75             push @$table_data, { path => $path, permissions => $value };
  76         }
  77         PVE::CLIFormatter::print_api_result($table_data, $table_schema, undef, $options);
  78         print "Permissions marked with '(*)' have the 'propagate' flag set.\n";
  79     } else {
  80         PVE::CLIFormatter::print_api_result($data, $schema, undef, $options);
  81     }
  82 };
  83
  84 __PACKAGE__->register_method({
  85     name => 'token_permissions',
  86     path => 'token_permissions',
  87     method => 'GET',
  88     description => 'Retrieve effective permissions of given token.',
  89     parameters => {
  90         additionalProperties => 0,
  91         properties => {
  92             userid => get_standard_option('userid'),
  93             tokenid => get_standard_option('token-subid'),
  94             path => get_standard_option('acl-path', {
  95                 description => "Only dump this specific path, not the whole tree.",
  96                 optional => 1,
  97             }),
  98         },
  99     },
 100     returns => {
 101         type => 'object',
 102         description => 'Hash of structure "path" => "privilege" => "propagate boolean".',
 103     },
 104     code => sub {
 105         my ($param) = @_;
 106
 107         my $token_subid = extract_param($param, "tokenid");
 108         $param->{userid} = PVE::AccessControl::join_tokenid($param->{userid}, $token_subid);
 109
 110         return PVE::API2::AccessControl->permissions($param);
 111     }});
 112
 113 our $cmddef = {
 114     user => {
 115         add    => [ 'PVE::API2::User', 'create_user', ['userid'] ],
 116         modify => [ 'PVE::API2::User', 'update_user', ['userid'] ],
 117         delete => [ 'PVE::API2::User', 'delete_user', ['userid'] ],
 118         list   => [ 'PVE::API2::User', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
 119         permissions => [ 'PVE::API2::AccessControl', 'permissions', ['userid'], {}, $print_perm_result, $PVE::RESTHandler::standard_output_options],
 120         tfa => {
 121             delete => [ 'PVE::API2::AccessControl', 'change_tfa', ['userid'], { action => 'delete', key => undef, config => undef, response => undef, }, ],
 122         },
 123         token => {
 124             add    => [ 'PVE::API2::User', 'generate_token', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options ],
 125             modify    => [ 'PVE::API2::User', 'update_token_info', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options ],
 126             remove    => [ 'PVE::API2::User', 'remove_token', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options ],
 127             list   => [ 'PVE::API2::User', 'token_index', ['userid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
 128             permissions => [ __PACKAGE__, 'token_permissions', ['userid', 'tokenid'], {}, $print_perm_result, $PVE::RESTHandler::standard_output_options],
 129         }
 130     },
 131     group => {
 132         add    => [ 'PVE::API2::Group', 'create_group', ['groupid'] ],
 133         modify => [ 'PVE::API2::Group', 'update_group', ['groupid'] ],
 134         delete => [ 'PVE::API2::Group', 'delete_group', ['groupid'] ],
 135         list   => [ 'PVE::API2::Group', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
 136     },
 137     role => {
 138         add    => [ 'PVE::API2::Role', 'create_role', ['roleid'] ],
 139         modify => [ 'PVE::API2::Role', 'update_role', ['roleid'] ],
 140         delete => [ 'PVE::API2::Role', 'delete_role', ['roleid'] ],
 141         list   => [ 'PVE::API2::Role', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
 142     },
 143     acl => {
 144         modify => [ 'PVE::API2::ACL', 'update_acl', ['path'], { delete => 0 }],
 145         delete => [ 'PVE::API2::ACL', 'update_acl', ['path'], { delete => 1 }],
 146         list   => [ 'PVE::API2::ACL', 'read_acl', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
 147     },
 148
 149     realm => {
 150         add    => [ 'PVE::API2::Domains', 'create', ['realm'] ],
 151         modify => [ 'PVE::API2::Domains', 'update', ['realm'] ],
 152         delete => [ 'PVE::API2::Domains', 'delete', ['realm'] ],
 153         list   => [ 'PVE::API2::Domains', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
 154         sync   => [ 'PVE::API2::Domains', 'sync', ['realm'], ],
 155     },
 156
 157     ticket => [ 'PVE::API2::AccessControl', 'create_ticket', ['username'], undef,
 158                 sub {
 159                     my ($res) = @_;
 160                     print "$res->{ticket}\n";
 161                 }],
 162
 163     passwd => [ 'PVE::API2::AccessControl', 'change_password', ['userid'] ],
 164
 165     useradd => { alias => 'user add' },
 166     usermod => { alias => 'user modify' },
 167     userdel => { alias => 'user delete' },
 168
 169     groupadd => { alias => 'group add' },
 170     groupmod => { alias => 'group modify' },
 171     groupdel => { alias => 'group delete' },
 172
 173     roleadd => { alias => 'role add' },
 174     rolemod => { alias => 'role modify' },
 175     roledel => { alias => 'role delete' },
 176
 177     aclmod => { alias => 'acl modify' },
 178     acldel => { alias => 'acl delete' },
 179 };
 180
 181 1;