]> git.proxmox.com Git - pve-access-control.git/blob - src/PVE/API2/Role.pm
projects / pve-access-control.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
api: roles: whitespace and indendation clean-ups
[pve-access-control.git] / src / PVE / API2 / Role.pm
1 package PVE::API2::Role;
2
3 use strict;
4 use warnings;
5 use PVE::Cluster qw (cfs_read_file cfs_write_file);
6 use PVE::AccessControl;
7 use PVE::JSONSchema qw(get_standard_option register_standard_option);
8
9 use PVE::SafeSyslog;
10
11 use PVE::RESTHandler;
12
13 use base qw(PVE::RESTHandler);
14
15 register_standard_option('role-id', {
16 type => 'string',
17 format => 'pve-roleid',
18 });
19 register_standard_option('role-privs', {
20 type => 'string' ,
21 format => 'pve-priv-list',
22 optional => 1,
23 });
24
25 __PACKAGE__->register_method ({
26 name => 'index',
27 path => '',
28 method => 'GET',
29 description => "Role index.",
30 permissions => {
31 user => 'all',
32 },
33 parameters => {
34 additionalProperties => 0,
35 properties => {},
36 },
37 returns => {
38 type => 'array',
39 items => {
40 type => "object",
41 properties => {
42 roleid => get_standard_option('role-id'),
43 privs => get_standard_option('role-privs'),
44 special => { type => 'boolean', optional => 1, default => 0 },
45 },
46 },
47 links => [ { rel => 'child', href => "{roleid}" } ],
48 },
49 code => sub {
50 my ($param) = @_;
51
52 my $res = [];
53
54 my $usercfg = cfs_read_file("user.cfg");
55
56 foreach my $role (keys %{$usercfg->{roles}}) {
57 my $privs = join(',', sort keys %{$usercfg->{roles}->{$role}});
58 push @$res, {
59 roleid => $role,
60 privs => $privs,
61 special => PVE::AccessControl::role_is_special($role),
62 };
63 }
64
65 return $res;
66 }});
67
68 __PACKAGE__->register_method ({
69 name => 'create_role',
70 protected => 1,
71 path => '',
72 method => 'POST',
73 permissions => {
74 check => ['perm', '/access', ['Sys.Modify']],
75 },
76 description => "Create new role.",
77 parameters => {
78 additionalProperties => 0,
79 properties => {
80 roleid => get_standard_option('role-id'),
81 privs => get_standard_option('role-privs'),
82 },
83 },
84 returns => { type => 'null' },
85 code => sub {
86 my ($param) = @_;
87
88 PVE::AccessControl::lock_user_config(sub {
89 my $usercfg = cfs_read_file("user.cfg");
90
91 my $role = $param->{roleid};
92
93 die "role '$role' already exists\n" if $usercfg->{roles}->{$role};
94
95 $usercfg->{roles}->{$role} = {};
96
97 PVE::AccessControl::add_role_privs($role, $usercfg, $param->{privs});
98
99 cfs_write_file("user.cfg", $usercfg);
100 }, "create role failed");
101
102 return undef;
103 }});
104
105 __PACKAGE__->register_method ({
106 name => 'update_role',
107 protected => 1,
108 path => '{roleid}',
109 method => 'PUT',
110 permissions => {
111 check => ['perm', '/access', ['Sys.Modify']],
112 },
113 description => "Update an existing role.",
114 parameters => {
115 additionalProperties => 0,
116 properties => {
117 roleid => get_standard_option('role-id'),
118 privs => get_standard_option('role-privs'),
119 append => { type => 'boolean', optional => 1, requires => 'privs' },
120 },
121 },
122 returns => { type => 'null' },
123 code => sub {
124 my ($param) = @_;
125
126 my $role = $param->{roleid};
127
128 die "auto-generated role '$role' cannot be modified\n"
129 if PVE::AccessControl::role_is_special($role);
130
131 PVE::AccessControl::lock_user_config(sub {
132 my $usercfg = cfs_read_file("user.cfg");
133
134 die "role '$role' does not exist\n" if !$usercfg->{roles}->{$role};
135
136 $usercfg->{roles}->{$role} = {} if !$param->{append};
137
138 PVE::AccessControl::add_role_privs($role, $usercfg, $param->{privs});
139
140 cfs_write_file("user.cfg", $usercfg);
141 }, "update role failed");
142
143 return undef;
144 }});
145
146 __PACKAGE__->register_method ({
147 name => 'read_role',
148 path => '{roleid}',
149 method => 'GET',
150 permissions => {
151 user => 'all',
152 },
153 description => "Get role configuration.",
154 parameters => {
155 additionalProperties => 0,
156 properties => {
157 roleid => get_standard_option('role-id'),
158 },
159 },
160 returns => {
161 type => "object",
162 additionalProperties => 0,
163 properties => PVE::AccessControl::create_priv_properties(),
164 },
165 code => sub {
166 my ($param) = @_;
167
168 my $usercfg = cfs_read_file("user.cfg");
169
170 my $role = $param->{roleid};
171
172 my $data = $usercfg->{roles}->{$role};
173
174 die "role '$role' does not exist\n" if !$data;
175
176 return $data;
177 }
178 });
179
180 __PACKAGE__->register_method ({
181 name => 'delete_role',
182 protected => 1,
183 path => '{roleid}',
184 method => 'DELETE',
185 permissions => {
186 check => ['perm', '/access', ['Sys.Modify']],
187 },
188 description => "Delete role.",
189 parameters => {
190 additionalProperties => 0,
191 properties => {
192 roleid => get_standard_option('role-id'),
193 },
194 },
195 returns => { type => 'null' },
196 code => sub {
197 my ($param) = @_;
198
199 my $role = $param->{roleid};
200
201 die "auto-generated role '$role' cannot be deleted\n"
202 if PVE::AccessControl::role_is_special($role);
203
204 PVE::AccessControl::lock_user_config(sub {
205 my $usercfg = cfs_read_file("user.cfg");
206
207 die "role '$role' does not exist\n" if !$usercfg->{roles}->{$role};
208
209 delete ($usercfg->{roles}->{$role});
210
211 # fixme: delete role from acl?
212
213 cfs_write_file("user.cfg", $usercfg);
214 }, "delete role failed");
215
216 return undef;
217 }
218 });
219
220 1;
Access control framework