use strict;
use warnings;
+
use PVE::Exception qw(raise_param_exc);
use PVE::Tools qw(extract_param);
use PVE::Cluster qw (cfs_read_file cfs_write_file);
code => sub {
my ($param) = @_;
+ # always extract, add it with hook
+ my $password = extract_param($param, 'password');
+
PVE::Auth::Plugin::lock_domain_config(
sub {
$ids->{$realm} = $config;
+ my $opts = $plugin->options();
+ if (defined($password) && !defined($opts->{password})) {
+ $password = undef;
+ warn "ignoring password parameter";
+ }
+ $plugin->on_add_hook($realm, $config, password => $password);
+
cfs_write_file($domainconfigfile, $cfg);
}, "add auth server failed");
code => sub {
my ($param) = @_;
+ # always extract, update in hook
+ my $password = extract_param($param, 'password');
+
PVE::Auth::Plugin::lock_domain_config(
sub {
my $delete_str = extract_param($param, 'delete');
die "no options specified\n" if !$delete_str && !scalar(keys %$param);
+ my $delete_pw = 0;
foreach my $opt (PVE::Tools::split_list($delete_str)) {
delete $ids->{$realm}->{$opt};
+ $delete_pw = 1 if $opt eq 'password';
}
my $plugin = PVE::Auth::Plugin->lookup($ids->{$realm}->{type});
$ids->{$realm}->{$p} = $config->{$p};
}
+ my $opts = $plugin->options();
+ if ($delete_pw || defined($password)) {
+ $plugin->on_update_hook($realm, $config, password => $password);
+ } else {
+ $plugin->on_update_hook($realm, $config);
+ }
+
cfs_write_file($domainconfigfile, $cfg);
}, "update auth server failed");
my $cfg = cfs_read_file($domainconfigfile);
my $ids = $cfg->{ids};
-
my $realm = $param->{realm};
- die "domain '$realm' does not exist\n" if !$ids->{$realm};
+ die "authentication domain '$realm' does not exist\n" if !$ids->{$realm};
+
+ my $plugin = PVE::Auth::Plugin->lookup($ids->{$realm}->{type});
+
+ $plugin->on_delete_hook($realm, $ids->{$realm});
delete $ids->{$realm};
my $olduser = $oldusers->{$userid} // {};
if (defined(my $enabled = $olduser->{enable})) {
$user->{enable} = $enabled;
- } elsif ($opts->{enable}) {
+ } elsif ($opts->{'enable-new'}) {
$user->{enable} = 1;
}
}
};
+my $parse_sync_opts = sub {
+ my ($param, $realmconfig) = @_;
+
+ my $sync_opts_fmt = PVE::JSONSchema::get_format('realm-sync-options');
+
+ my $cfg_defaults = {};
+ if (defined(my $cfg_opts = $realmconfig->{'sync-defaults-options'})) {
+ $cfg_defaults = PVE::JSONSchema::parse_property_string($sync_opts_fmt, $cfg_opts);
+ }
+
+ my $res = {};
+ for my $opt (sort keys %$sync_opts_fmt) {
+ my $fmt = $sync_opts_fmt->{$opt};
+
+ $res->{$opt} = $param->{$opt} // $cfg_defaults->{$opt} // $fmt->{default};
+
+ raise_param_exc({
+ "$opt" => 'Not passed as parameter and not defined in realm default sync options.'
+ }) if !defined($res->{$opt});
+ }
+ return $res;
+};
+
__PACKAGE__->register_method ({
name => 'sync',
path => '{realm}/sync',
protected => 1,
parameters => {
additionalProperties => 0,
- properties => {
- realm => get_standard_option('realm'),
- scope => {
- description => "Select what to sync.",
- type => 'string',
- enum => [qw(users groups both)],
- },
- full => {
- description => "If set, uses the LDAP Directory as source of truth, ".
- "deleting all information not contained there. ".
- "Otherwise only syncs information set explicitly.",
+ properties => get_standard_option('realm-sync-options', {
+ realm => get_standard_option('realm'),
+ 'dry-run' => {
+ description => "If set, does not write anything.",
type => 'boolean',
+ optional => 1,
+ default => 0,
},
- enable => {
- description => "Enable newly synced users.",
- type => 'boolean',
- },
- purge => {
- description => "Remove ACLs for users/groups that were removed from the config.",
- type => 'boolean',
- },
- }
+ }),
},
returns => {
description => 'Worker Task-UPID',
my $rpcenv = PVE::RPCEnvironment::get();
my $authuser = $rpcenv->get_user();
+ my $write = !(extract_param($param, 'dry-run'));
+ my $dryrunstring = $write ? '' : ' (dry run)';
+
my $realm = $param->{realm};
my $cfg = cfs_read_file($domainconfigfile);
my $realmconfig = $cfg->{ids}->{$realm};
die "Cannot sync realm type '$type'! Only LDAP/AD realms can be synced.\n";
}
+ my $opts = $parse_sync_opts->($param, $realmconfig); # can throw up
- my $scope = $param->{scope};
+ my $scope = $opts->{scope};
my $whatstring = $scope eq 'both' ? "users and groups" : $scope;
my $plugin = PVE::Auth::Plugin->lookup($type);
my $worker = sub {
- print "starting sync for realm $realm\n";
+ print "starting sync$dryrunstring for realm $realm\n";
my ($synced_users, $dnmap) = $plugin->get_users($realmconfig, $realm);
my $synced_groups = {};
print "got data from server, updating $whatstring\n";
if ($scope eq 'users' || $scope eq 'both') {
- $update_users->($usercfg, $realm, $synced_users, $param);
+ $update_users->($usercfg, $realm, $synced_users, $opts);
}
if ($scope eq 'groups' || $scope eq 'both') {
- $update_groups->($usercfg, $realm, $synced_groups, $param);
+ $update_groups->($usercfg, $realm, $synced_groups, $opts);
}
- cfs_write_file("user.cfg", $usercfg);
- print "successfully updated $whatstring configuration\n";
+ if ($write) {
+ cfs_write_file("user.cfg", $usercfg) if $write;
+ print "successfully updated $whatstring configuration\n" if $write;
+ } else {
+ print "NOTE: This is just a dry run. No actual data was written.\n";
+ }
}, "syncing $whatstring failed");
};
- return $rpcenv->fork_worker('auth-realm-sync', $realm, $authuser, $worker);
+ my $workerid = $write ? 'auth-realm-sync' : 'auth-realm-sync-test';
+ return $rpcenv->fork_worker($workerid, $realm, $authuser, $worker);
}});
1;
projects / pve-access-control.git / blobdiff