1 package PVE::API2::Role;
2
3 use strict;
4 use warnings;
5
6 use PVE::AccessControl ();
7 use PVE::Cluster qw(cfs_read_file cfs_write_file);
8 use PVE::JSONSchema qw(get_standard_option register_standard_option);
9
10 use base qw(PVE::RESTHandler);
11
# Option definitions shared by every role endpoint in this module: the role
# name and the privilege list are registered once and then pulled into each
# method's parameter/return schema via get_standard_option().
my %role_option_spec = (
    'role-id' => {
        type => 'string',
        format => 'pve-roleid',
    },
    'role-privs' => {
        type => 'string',
        format => 'pve-priv-list',
        optional => 1,
    },
);

# Iterate an explicit list rather than keys(): keeps registration order fixed.
register_standard_option($_, $role_option_spec{$_}) for ('role-id', 'role-privs');
21
# GET /access/roles
#
# Lists every role defined in user.cfg together with its privilege set.
# Readable by any authenticated user ('user => all'); nothing is written,
# so no config lock is taken.
__PACKAGE__->register_method({
    name => 'index',
    path => '',
    method => 'GET',
    description => "Role index.",
    permissions => {
        user => 'all',
    },
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    returns => {
        type => 'array',
        items => {
            type => "object",
            properties => {
                roleid => get_standard_option('role-id'),
                privs => get_standard_option('role-privs'),
                # 'special' marks built-in roles that update/delete refuse to touch
                special => { type => 'boolean', optional => 1, default => 0 },
            },
        },
        links => [ { rel => 'child', href => "{roleid}" } ],
    },
    code => sub {
        my ($param) = @_;

        my $usercfg = cfs_read_file("user.cfg");

        # One result entry per configured role. The privilege names are the
        # keys of the role's hash; they are sorted so the comma-separated
        # string is stable regardless of hash ordering.
        my @entries = map {
            my $roleid = $_;
            +{
                roleid => $roleid,
                privs => join(',', sort keys %{ $usercfg->{roles}{$roleid} }),
                special => PVE::AccessControl::role_is_special($roleid),
            }
        } keys %{ $usercfg->{roles} };

        return \@entries;
    },
});
64
# POST /access/roles
#
# Creates a new, user-defined role. Requires Sys.Modify on /access and runs
# as a protected (privileged) call because it rewrites user.cfg.
__PACKAGE__->register_method({
    name => 'create_role',
    protected => 1,
    path => '',
    method => 'POST',
    permissions => {
        check => ['perm', '/access', ['Sys.Modify']],
    },
    description => "Create new role.",
    parameters => {
        additionalProperties => 0,
        properties => {
            roleid => get_standard_option('role-id'),
            # optional: a role may be created with an empty privilege set
            privs => get_standard_option('role-privs'),
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;
        my $roleid = $param->{roleid};

        # Read-modify-write of user.cfg happens inside lock_user_config so
        # that a concurrent writer cannot clobber this change. The second
        # argument presumably prefixes the error if the block dies — see
        # PVE::AccessControl for the exact semantics.
        PVE::AccessControl::lock_user_config(sub {
            my $usercfg = cfs_read_file("user.cfg");

            # existence is re-checked under the lock, not before it
            die "role '$roleid' already exists\n" if $usercfg->{roles}{$roleid};

            # start from an empty privilege set, then apply what was requested
            $usercfg->{roles}{$roleid} = {};
            PVE::AccessControl::add_role_privs($roleid, $usercfg, $param->{privs});

            cfs_write_file("user.cfg", $usercfg);
        }, "create role failed");

        return undef;
    },
});
101
# PUT /access/roles/{roleid}
#
# Replaces (or, with 'append', extends) the privilege set of an existing
# user-defined role. Built-in ("special") roles are rejected up front.
__PACKAGE__->register_method({
    name => 'update_role',
    protected => 1,
    path => '{roleid}',
    method => 'PUT',
    permissions => {
        check => ['perm', '/access', ['Sys.Modify']],
    },
    description => "Update an existing role.",
    parameters => {
        additionalProperties => 0,
        properties => {
            roleid => get_standard_option('role-id'),
            privs => get_standard_option('role-privs'),
            # 'append' only makes sense together with 'privs'; the schema
            # enforces that via 'requires'
            append => { type => 'boolean', optional => 1, requires => 'privs' },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;
        my $roleid = $param->{roleid};

        # Special roles are checked before taking the lock; the check does
        # not depend on user.cfg contents.
        die "auto-generated role '$roleid' cannot be modified\n"
            if PVE::AccessControl::role_is_special($roleid);

        PVE::AccessControl::lock_user_config(sub {
            my $usercfg = cfs_read_file("user.cfg");

            die "role '$roleid' does not exist\n" unless $usercfg->{roles}{$roleid};

            # Without 'append' the current privilege set is discarded first,
            # so a request that omits 'privs' ends up with an empty role
            # (assuming add_role_privs tolerates an undef list — not visible
            # here, confirm in PVE::AccessControl).
            $usercfg->{roles}{$roleid} = {} unless $param->{append};
            PVE::AccessControl::add_role_privs($roleid, $usercfg, $param->{privs});

            cfs_write_file("user.cfg", $usercfg);
        }, "update role failed");

        return undef;
    },
});
142
# GET /access/roles/{roleid}
#
# Returns the privilege hash of a single role. Readable by any
# authenticated user; no lock is needed for a read.
__PACKAGE__->register_method({
    name => 'read_role',
    path => '{roleid}',
    method => 'GET',
    permissions => {
        user => 'all',
    },
    description => "Get role configuration.",
    parameters => {
        additionalProperties => 0,
        properties => {
            roleid => get_standard_option('role-id'),
        },
    },
    returns => {
        type => "object",
        additionalProperties => 0,
        # one boolean-ish property per known privilege name
        properties => PVE::AccessControl::create_priv_properties(),
    },
    code => sub {
        my ($param) = @_;

        my $usercfg = cfs_read_file("user.cfg");
        my $roleid = $param->{roleid};

        # An existing role always has a hash ref here (possibly empty), which
        # is true as a reference, so the truth test only catches missing roles.
        my $privs = $usercfg->{roles}{$roleid}
            or die "role '$roleid' does not exist\n";

        return $privs;
    },
});
176
# DELETE /access/roles/{roleid}
#
# Removes a user-defined role definition from user.cfg. Built-in ("special")
# roles cannot be deleted.
__PACKAGE__->register_method({
    name => 'delete_role',
    protected => 1,
    path => '{roleid}',
    method => 'DELETE',
    permissions => {
        check => ['perm', '/access', ['Sys.Modify']],
    },
    description => "Delete role.",
    parameters => {
        additionalProperties => 0,
        properties => {
            roleid => get_standard_option('role-id'),
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;
        my $roleid = $param->{roleid};

        die "auto-generated role '$roleid' cannot be deleted\n"
            if PVE::AccessControl::role_is_special($roleid);

        PVE::AccessControl::lock_user_config(sub {
            my $usercfg = cfs_read_file("user.cfg");

            die "role '$roleid' does not exist\n" unless $usercfg->{roles}{$roleid};

            delete $usercfg->{roles}{$roleid};

            # fixme: delete role from acl?
            # NOTE(review): only the role definition is removed; ACL entries that
            # still name this role are left in place. If a role with the same
            # name is created later, those stale entries would bind to the new
            # role's privileges — verify how ACL evaluation treats references to
            # roles that no longer exist before relying on delete as a revoke.

            cfs_write_file("user.cfg", $usercfg);
        }, "delete role failed");

        return undef;
    },
});
216
217 1;