]> git.proxmox.com Git - pve-access-control.git/blob - src/PVE/CLI/pveum.pm
projects / pve-access-control.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
buildsys: split packaging and source build-systems
[pve-access-control.git] / src / PVE / CLI / pveum.pm
1 package PVE::CLI::pveum;
2
3 use strict;
4 use warnings;
5
6 use PVE::AccessControl;
7 use PVE::RPCEnvironment;
8 use PVE::API2::User;
9 use PVE::API2::Group;
10 use PVE::API2::Role;
11 use PVE::API2::ACL;
12 use PVE::API2::AccessControl;
13 use PVE::API2::Pool;
14 use PVE::API2::Domains;
15 use PVE::CLIFormatter;
16 use PVE::CLIHandler;
17 use PVE::JSONSchema qw(get_standard_option);
18 use PVE::PTY;
19 use PVE::RESTHandler;
20 use PVE::Tools qw(extract_param);
21
22 use base qw(PVE::CLIHandler);
23
24 sub setup_environment {
25 PVE::RPCEnvironment->setup_default_cli_env();
26 }
27
28 sub param_mapping {
29 my ($name) = @_;
30
31 my $mapping = {
32 'change_password' => [
33 PVE::CLIHandler::get_standard_mapping('pve-password'),
34 ],
35 'create_ticket' => [
36 PVE::CLIHandler::get_standard_mapping('pve-password', {
37 func => sub {
38 # do not accept values given on cmdline
39 return PVE::PTY::read_password('Enter password: ');
40 },
41 }),
42 ]
43 };
44
45 return $mapping->{$name};
46 }
47
48 my $print_api_result = sub {
49 my ($data, $schema, $options) = @_;
50 PVE::CLIFormatter::print_api_result($data, $schema, undef, $options);
51 };
52
53 my $print_perm_result = sub {
54 my ($data, $schema, $options) = @_;
55
56 if (!defined($options->{'output-format'}) || $options->{'output-format'} eq 'text') {
57 my $table_schema = {
58 type => 'array',
59 items => {
60 type => 'object',
61 properties => {
62 'path' => { type => 'string', title => 'ACL path' },
63 'permissions' => { type => 'string', title => 'Permissions' },
64 },
65 },
66 };
67 my $table_data = [];
68 foreach my $path (sort keys %$data) {
69 my $value = '';
70 my $curr = $data->{$path};
71 foreach my $perm (sort keys %$curr) {
72 $value .= "\n" if $value;
73 $value .= $perm;
74 $value .= " (*)" if $curr->{$perm};
75 }
76 push @$table_data, { path => $path, permissions => $value };
77 }
78 PVE::CLIFormatter::print_api_result($table_data, $table_schema, undef, $options);
79 print "Permissions marked with '(*)' have the 'propagate' flag set.\n";
80 } else {
81 PVE::CLIFormatter::print_api_result($data, $schema, undef, $options);
82 }
83 };
84
85 __PACKAGE__->register_method({
86 name => 'token_permissions',
87 path => 'token_permissions',
88 method => 'GET',
89 description => 'Retrieve effective permissions of given token.',
90 parameters => {
91 additionalProperties => 0,
92 properties => {
93 userid => get_standard_option('userid'),
94 tokenid => get_standard_option('token-subid'),
95 path => get_standard_option('acl-path', {
96 description => "Only dump this specific path, not the whole tree.",
97 optional => 1,
98 }),
99 },
100 },
101 returns => {
102 type => 'object',
103 description => 'Hash of structure "path" => "privilege" => "propagate boolean".',
104 },
105 code => sub {
106 my ($param) = @_;
107
108 my $token_subid = extract_param($param, "tokenid");
109 $param->{userid} = PVE::AccessControl::join_tokenid($param->{userid}, $token_subid);
110
111 return PVE::API2::AccessControl->permissions($param);
112 }});
113
114 our $cmddef = {
115 user => {
116 add => [ 'PVE::API2::User', 'create_user', ['userid'] ],
117 modify => [ 'PVE::API2::User', 'update_user', ['userid'] ],
118 delete => [ 'PVE::API2::User', 'delete_user', ['userid'] ],
119 list => [ 'PVE::API2::User', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
120 permissions => [ 'PVE::API2::AccessControl', 'permissions', ['userid'], {}, $print_perm_result, $PVE::RESTHandler::standard_output_options],
121 tfa => {
122 delete => [ 'PVE::API2::AccessControl', 'change_tfa', ['userid'], { action => 'delete', key => undef, config => undef, response => undef, }, ],
123 },
124 token => {
125 add => [ 'PVE::API2::User', 'generate_token', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options ],
126 modify => [ 'PVE::API2::User', 'update_token_info', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options ],
127 remove => [ 'PVE::API2::User', 'remove_token', ['userid', 'tokenid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options ],
128 list => [ 'PVE::API2::User', 'token_index', ['userid'], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
129 permissions => [ __PACKAGE__, 'token_permissions', ['userid', 'tokenid'], {}, $print_perm_result, $PVE::RESTHandler::standard_output_options],
130 }
131 },
132 group => {
133 add => [ 'PVE::API2::Group', 'create_group', ['groupid'] ],
134 modify => [ 'PVE::API2::Group', 'update_group', ['groupid'] ],
135 delete => [ 'PVE::API2::Group', 'delete_group', ['groupid'] ],
136 list => [ 'PVE::API2::Group', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
137 },
138 role => {
139 add => [ 'PVE::API2::Role', 'create_role', ['roleid'] ],
140 modify => [ 'PVE::API2::Role', 'update_role', ['roleid'] ],
141 delete => [ 'PVE::API2::Role', 'delete_role', ['roleid'] ],
142 list => [ 'PVE::API2::Role', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
143 },
144 acl => {
145 modify => [ 'PVE::API2::ACL', 'update_acl', ['path'], { delete => 0 }],
146 delete => [ 'PVE::API2::ACL', 'update_acl', ['path'], { delete => 1 }],
147 list => [ 'PVE::API2::ACL', 'read_acl', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
148 },
149 pool => {
150 add => [ 'PVE::API2::Pool', 'create_pool', ['poolid'] ],
151 modify => [ 'PVE::API2::Pool', 'update_pool', ['poolid'] ],
152 delete => [ 'PVE::API2::Pool', 'delete_pool', ['poolid'] ],
153 list => [ 'PVE::API2::Pool', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
154 },
155 realm => {
156 add => [ 'PVE::API2::Domains', 'create', ['realm'] ],
157 modify => [ 'PVE::API2::Domains', 'update', ['realm'] ],
158 delete => [ 'PVE::API2::Domains', 'delete', ['realm'] ],
159 list => [ 'PVE::API2::Domains', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
160 sync => [ 'PVE::API2::Domains', 'sync', ['realm'], ],
161 },
162
163 ticket => [ 'PVE::API2::AccessControl', 'create_ticket', ['username'], undef,
164 sub {
165 my ($res) = @_;
166 print "$res->{ticket}\n";
167 }],
168
169 passwd => [ 'PVE::API2::AccessControl', 'change_password', ['userid'] ],
170
171 useradd => { alias => 'user add' },
172 usermod => { alias => 'user modify' },
173 userdel => { alias => 'user delete' },
174
175 groupadd => { alias => 'group add' },
176 groupmod => { alias => 'group modify' },
177 groupdel => { alias => 'group delete' },
178
179 roleadd => { alias => 'role add' },
180 rolemod => { alias => 'role modify' },
181 roledel => { alias => 'role delete' },
182
183 aclmod => { alias => 'acl modify' },
184 acldel => { alias => 'acl delete' },
185 };
186
187 1;
Access control framework