use strict;
use warnings;
+
use PVE::Exception qw(raise_param_exc);
use PVE::Tools qw(extract_param);
use PVE::Cluster qw (cfs_read_file cfs_write_file);
return undef;
}});
+my $update_users = sub {
+ my ($usercfg, $realm, $synced_users, $opts) = @_;
+
+ print "syncing users\n";
+ $usercfg->{users} = {} if !defined($usercfg->{users});
+ my $users = $usercfg->{users};
+
+ my $oldusers = {};
+ if ($opts->{'full'}) {
+ print "full sync, deleting outdated existing users first\n";
+ foreach my $userid (sort keys %$users) {
+ next if $userid !~ m/\@$realm$/;
+
+ $oldusers->{$userid} = delete $users->{$userid};
+ if ($opts->{'purge'} && !$synced_users->{$userid}) {
+ PVE::AccessControl::delete_user_acl($userid, $usercfg);
+ print "purged user '$userid' and all its ACL entries\n";
+ } elsif (!defined($synced_users->{$userid})) {
+ print "remove user '$userid'\n";
+ }
+ }
+ }
+
+ foreach my $userid (sort keys %$synced_users) {
+ my $synced_user = $synced_users->{$userid} // {};
+ if (!defined($users->{$userid})) {
+ my $user = $users->{$userid} = $synced_user;
+
+ my $olduser = $oldusers->{$userid} // {};
+ if (defined(my $enabled = $olduser->{enable})) {
+ $user->{enable} = $enabled;
+ } elsif ($opts->{'enable-new'}) {
+ $user->{enable} = 1;
+ }
+
+ if (defined($olduser->{tokens})) {
+ $user->{tokens} = $olduser->{tokens};
+ }
+ if (defined($oldusers->{$userid})) {
+ print "updated user '$userid'\n";
+ } else {
+ print "added user '$userid'\n";
+ }
+ } else {
+ my $olduser = $users->{$userid};
+ foreach my $attr (keys %$synced_user) {
+ $olduser->{$attr} = $synced_user->{$attr};
+ }
+ print "updated user '$userid'\n";
+ }
+ }
+};
+
+my $update_groups = sub {
+ my ($usercfg, $realm, $synced_groups, $opts) = @_;
+
+ print "syncing groups\n";
+ $usercfg->{groups} = {} if !defined($usercfg->{groups});
+ my $groups = $usercfg->{groups};
+ my $oldgroups = {};
+
+ if ($opts->{full}) {
+ print "full sync, deleting outdated existing groups first\n";
+ foreach my $groupid (sort keys %$groups) {
+ next if $groupid !~ m/\-$realm$/;
+
+ my $oldgroups->{$groupid} = delete $groups->{$groupid};
+ if ($opts->{purge} && !$synced_groups->{$groupid}) {
+ print "purged group '$groupid' and all its ACL entries\n";
+ PVE::AccessControl::delete_group_acl($groupid, $usercfg)
+ } elsif (!defined($synced_groups->{$groupid})) {
+ print "removed group '$groupid'\n";
+ }
+ }
+ }
+
+ foreach my $groupid (sort keys %$synced_groups) {
+ my $synced_group = $synced_groups->{$groupid};
+ if (!defined($groups->{$groupid})) {
+ $groups->{$groupid} = $synced_group;
+ if (defined($oldgroups->{$groupid})) {
+ print "updated group '$groupid'\n";
+ } else {
+ print "added group '$groupid'\n";
+ }
+ } else {
+ my $group = $groups->{$groupid};
+ foreach my $attr (keys %$synced_group) {
+ $group->{$attr} = $synced_group->{$attr};
+ }
+ print "updated group '$groupid'\n";
+ }
+ }
+};
+
+my $parse_sync_opts = sub {
+ my ($param, $realmconfig) = @_;
+
+ my $sync_opts_fmt = PVE::JSONSchema::get_format('realm-sync-options');
+
+ my $res = {};
+ if (defined(my $cfg_opts = $realmconfig->{'sync-defaults-options'})) {
+ $res = PVE::JSONSchema::parse_property_string($sync_opts_fmt, $cfg_opts);
+ }
+
+ for my $opt (sort keys %$sync_opts_fmt) {
+ my $fmt = $sync_opts_fmt->{$opt};
+
+ if (exists $param->{$opt}) {
+ $res->{$opt} = $param->{$opt};
+ } elsif (!exists $res->{$opt}) {
+ raise_param_exc({
+ "$opt" => 'Not passed as parameter and not defined in realm default sync options.'
+ }) if !$fmt->{optional};
+ $res->{$opt} = $fmt->{default} if exists $fmt->{default};
+ }
+ }
+ return $res;
+};
+
__PACKAGE__->register_method ({
name => 'sync',
path => '{realm}/sync',
method => 'POST',
permissions => {
- description => "You need 'Realm.AllocateUser' on '/access/realm/<realm>' on the realm and 'User.Modify' permissions to '/access/groups/'.",
+ description => "'Realm.AllocateUser' on '/access/realm/<realm>' and "
+ ." 'User.Modify' permissions to '/access/groups/'.",
check => [ 'and',
- [ 'userid-param', 'Realm.AllocateUser'],
- [ 'userid-group', ['User.Modify']],
- ],
+ [ 'userid-param', 'Realm.AllocateUser' ],
+ [ 'userid-group', ['User.Modify'] ],
+ ],
},
- description => "Syncs users and/or groups from LDAP to user.cfg. ".
- "NOTE: Synced groups will have the name 'name-\$realm', so ".
- "make sure those groups do not exist to prevent overwriting.",
+ description => "Syncs users and/or groups from the configured LDAP to user.cfg."
+ ." NOTE: Synced groups will have the name 'name-\$realm', so make sure"
+ ." those groups do not exist to prevent overwriting.",
protected => 1,
parameters => {
additionalProperties => 0,
- properties => {
- realm => get_standard_option('realm'),
- scope => {
- description => "Select what to sync.",
- type => 'string',
- enum => [qw(users groups both)],
- },
- full => {
- description => "If set, uses the LDAP Directory as source of truth, ".
- "deleting all information not contained there. ".
- "Otherwise only syncs information set explicitly.",
- type => 'boolean',
- },
- enable => {
- description => "Enable newly synced users.",
- type => 'boolean',
- },
- purge => {
- description => "Remove ACLs for users/groups that were removed from the config.",
- type => 'boolean',
- },
- }
+ properties => get_standard_option('realm-sync-options', {
+ realm => get_standard_option('realm'),
+ })
+ },
+ returns => {
+ description => 'Worker Task-UPID',
+ type => 'string'
},
- returns => { type => 'string' },
code => sub {
my ($param) = @_;
my $rpcenv = PVE::RPCEnvironment::get();
my $authuser = $rpcenv->get_user();
-
my $realm = $param->{realm};
my $cfg = cfs_read_file($domainconfigfile);
- my $ids = $cfg->{ids};
+ my $realmconfig = $cfg->{ids}->{$realm};
- raise_param_exc({ 'realm' => 'Realm does not exist.' }) if !defined($ids->{$realm});
- my $type = $ids->{$realm}->{type};
+ raise_param_exc({ 'realm' => 'Realm does not exist.' }) if !defined($realmconfig);
+ my $type = $realmconfig->{type};
if ($type ne 'ldap' && $type ne 'ad') {
- die "Only LDAP/AD realms can be synced.\n";
- }
-
- my $scope = $param->{scope};
- my $sync_users;
- my $sync_groups;
-
- my $errorstring = "syncing ";
- if ($scope eq 'users') {
- $errorstring .= "users ";
- $sync_users = 1;
- } elsif ($scope eq 'groups') {
- $errorstring .= "groups ";
- $sync_groups = 1;
- } elsif ($scope eq 'both') {
- $errorstring .= "users and groups ";
- $sync_users = $sync_groups = 1;
+ die "Cannot sync realm type '$type'! Only LDAP/AD realms can be synced.\n";
}
- $errorstring .= "failed.";
- my $plugin = PVE::Auth::Plugin->lookup($ids->{$realm}->{type});
+ my $opts = $parse_sync_opts->($param, $realmconfig); # can throw up
- my $realmdata = $ids->{$realm};
- my $users = {};
- my $groups = {};
+ my $scope = $opts->{scope};
+ my $whatstring = $scope eq 'both' ? "users and groups" : $scope;
+ my $plugin = PVE::Auth::Plugin->lookup($type);
my $worker = sub {
- print "starting sync for $realm\n";
- if ($sync_groups) {
- my $dnmap = {};
- ($users, $dnmap) = $plugin->get_users($realmdata, $realm);
- $groups = $plugin->get_groups($realmdata, $realm, $dnmap);
- } else {
- $users = $plugin->get_users($realmdata, $realm);
+ print "starting sync for realm $realm\n";
+
+ my ($synced_users, $dnmap) = $plugin->get_users($realmconfig, $realm);
+ my $synced_groups = {};
+ if ($scope eq 'groups' || $scope eq 'both') {
+ $synced_groups = $plugin->get_groups($realmconfig, $realm, $dnmap);
}
- PVE::AccessControl::lock_user_config(
- sub {
+ PVE::AccessControl::lock_user_config(sub {
my $usercfg = cfs_read_file("user.cfg");
- print "got data from server, modifying users/groups\n";
-
- if ($sync_users) {
- print "syncing users\n";
- my $oldusers = $usercfg->{users};
-
- my $oldtokens = {};
- my $oldenabled = {};
-
- if ($param->{full}) {
- print "full sync, deleting existing users first\n";
- foreach my $userid (keys %$oldusers) {
- next if $userid !~ m/\@$realm$/;
- # we save the old tokens
- $oldtokens->{$userid} = $oldusers->{$userid}->{tokens};
- $oldenabled->{$userid} = $oldusers->{$userid}->{enable} // 0;
- delete $oldusers->{$userid};
- PVE::AccessControl::delete_user_acl($userid, $usercfg)
- if $param->{purge} && !$users->{$userid};
- print "removed user '$userid'\n";
- }
- }
+ print "got data from server, updating $whatstring\n";
- foreach my $userid (keys %$users) {
- my $user = $users->{$userid};
- if (!defined($oldusers->{$userid})) {
- $oldusers->{$userid} = $user;
-
- if (defined($oldenabled->{$userid})) {
- $oldusers->{$userid}->{enable} = $oldenabled->{$userid};
- } elsif ($param->{enable}) {
- $oldusers->{$userid}->{enable} = 1;
- }
-
- if (defined($oldtokens->{$userid})) {
- $oldusers->{$userid}->{tokens} = $oldtokens->{$userid};
- }
-
- print "added user '$userid'\n";
- } else {
- my $olduser = $oldusers->{$userid};
- foreach my $attr (keys %$user) {
- $olduser->{$attr} = $user->{$attr};
- }
- print "updated user '$userid'\n";
- }
- }
+ if ($scope eq 'users' || $scope eq 'both') {
+ $update_users->($usercfg, $realm, $synced_users, $opts);
}
- if ($sync_groups) {
- print "syncing groups\n";
- my $oldgroups = $usercfg->{groups};
-
- if ($param->{full}) {
- print "full sync, deleting existing groups first\n";
- foreach my $groupid (keys %$oldgroups) {
- next if $groupid !~ m/\-$realm$/;
- delete $oldgroups->{$groupid};
- PVE::AccessControl::delete_group_acl($groupid, $usercfg)
- if $param->{purge} && !$groups->{$groupid};
- print "removed group '$groupid'\n";
- }
- }
-
- foreach my $groupid (keys %$groups) {
- my $group = $groups->{$groupid};
- if (!defined($oldgroups->{$groupid})) {
- $oldgroups->{$groupid} = $group;
- print "added group '$groupid'\n";
- } else {
- my $oldgroup = $oldgroups->{$groupid};
- foreach my $attr (keys %$group) {
- $oldgroup->{$attr} = $group->{$attr};
- }
- print "updated group '$groupid'\n";
- }
- }
+ if ($scope eq 'groups' || $scope eq 'both') {
+ $update_groups->($usercfg, $realm, $synced_groups, $opts);
}
+
cfs_write_file("user.cfg", $usercfg);
- print "updated user.cfg\n";
- }, $errorstring);
+ print "successfully updated $whatstring configuration\n";
+ }, "syncing $whatstring failed");
};
- return $rpcenv->fork_worker('ldapsync', $realm, $authuser, $worker);
+ return $rpcenv->fork_worker('auth-realm-sync', $realm, $authuser, $worker);
}});
1;
projects / pve-access-control.git / blobdiff