Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
use base qw(PVE::RESTHandler);
__PACKAGE__->register_method ({
use base qw(PVE::RESTHandler);
__PACKAGE__->register_method ({
- name => 'read_acl',
- path => '',
+ name => 'read_acl',
+ path => '',
method => 'GET',
description => "Get Access Control List (ACLs).",
method => 'GET',
description => "Get Access Control List (ACLs).",
description => "The returned list is restricted to objects where you have rights to modify permissions.",
user => 'all',
},
description => "The returned list is restricted to objects where you have rights to modify permissions.",
user => 'all',
},
},
code => sub {
my ($param) = @_;
},
code => sub {
my ($param) = @_;
my $rpcenv = PVE::RPCEnvironment::get();
my $authuser = $rpcenv->get_user();
my $res = [];
my $rpcenv = PVE::RPCEnvironment::get();
my $authuser = $rpcenv->get_user();
my $res = [];
}});
__PACKAGE__->register_method ({
}});
__PACKAGE__->register_method ({
check => ['perm-modify', '{path}'],
},
description => "Update Access Control List (add or remove permissions).",
parameters => {
check => ['perm-modify', '{path}'],
},
description => "Update Access Control List (add or remove permissions).",
parameters => {
- additionalProperties => 0,
+ additionalProperties => 0,
properties => {
path => {
description => "Access control path",
type => 'string',
},
properties => {
path => {
description => "Access control path",
type => 'string',
},
description => "List of users.",
description => "List of users.",
- type => 'string', format => 'pve-userid-list',
+ type => 'string', format => 'pve-userid-list',
description => "List of groups.",
type => 'string', format => 'pve-groupid-list',
description => "List of groups.",
type => 'string', format => 'pve-groupid-list',
description => "List of roles.",
type => 'string', format => 'pve-roleid-list',
},
description => "List of roles.",
type => 'string', format => 'pve-roleid-list',
},
description => "Allow to propagate (inherit) permissions.",
description => "Allow to propagate (inherit) permissions.",
optional => 1,
default => 1,
},
delete => {
description => "Remove permissions (instead of adding it).",
optional => 1,
default => 1,
},
delete => {
description => "Remove permissions (instead of adding it).",
my ($param) = @_;
if (!($param->{users} || $param->{groups})) {
my ($param) = @_;
if (!($param->{users} || $param->{groups})) {
- raise_param_exc({
- users => "either 'users' or 'groups' is required.",
+ raise_param_exc({
+ users => "either 'users' or 'groups' is required.",
groups => "either 'users' or 'groups' is required." });
}
groups => "either 'users' or 'groups' is required." });
}
PVE::AccessControl::lock_user_config(
sub {
PVE::AccessControl::lock_user_config(
sub {
my $cfg = cfs_read_file("user.cfg");
my $propagate = 1;
my $cfg = cfs_read_file("user.cfg");
my $propagate = 1;
if (defined($param->{propagate})) {
$propagate = $param->{propagate} ? 1 : 0;
}
foreach my $role (split_list($param->{roles})) {
if (defined($param->{propagate})) {
$propagate = $param->{propagate} ? 1 : 0;
}
foreach my $role (split_list($param->{roles})) {
- die "role '$role' does not exist\n"
+ die "role '$role' does not exist\n"
if !$cfg->{roles}->{$role};
foreach my $group (split_list($param->{groups})) {
if !$cfg->{roles}->{$role};
foreach my $group (split_list($param->{groups})) {
delete($cfg->{acl}->{$path}->{users}->{$username}->{$role});
} else {
$cfg->{acl}->{$path}->{users}->{$username}->{$role} = $propagate;
delete($cfg->{acl}->{$path}->{users}->{$username}->{$role});
} else {
$cfg->{acl}->{$path}->{users}->{$username}->{$role} = $propagate;
use base qw(PVE::RESTHandler);
__PACKAGE__->register_method ({
use base qw(PVE::RESTHandler);
__PACKAGE__->register_method ({
- name => 'index',
- path => '',
+ name => 'index',
+ path => '',
method => 'GET',
description => "Role index.",
method => 'GET',
description => "Role index.",
user => 'all',
},
parameters => {
user => 'all',
},
parameters => {
},
code => sub {
my ($param) = @_;
},
code => sub {
my ($param) = @_;
my $res = [];
my $usercfg = cfs_read_file("user.cfg");
my $res = [];
my $usercfg = cfs_read_file("user.cfg");
foreach my $role (keys %{$usercfg->{roles}}) {
my $privs = join(',', sort keys %{$usercfg->{roles}->{$role}});
push @$res, { roleid => $role, privs => $privs,
foreach my $role (keys %{$usercfg->{roles}}) {
my $privs = join(',', sort keys %{$usercfg->{roles}->{$role}});
push @$res, { roleid => $role, privs => $privs,
__PACKAGE__->register_method ({
__PACKAGE__->register_method ({
check => ['perm', '/access', ['Sys.Modify']],
},
description => "Create new role.",
parameters => {
check => ['perm', '/access', ['Sys.Modify']],
},
description => "Create new role.",
parameters => {
- additionalProperties => 0,
+ additionalProperties => 0,
properties => {
roleid => { type => 'string', format => 'pve-roleid' },
privs => { type => 'string' , format => 'pve-priv-list', optional => 1 },
properties => {
roleid => { type => 'string', format => 'pve-roleid' },
privs => { type => 'string' , format => 'pve-priv-list', optional => 1 },
PVE::AccessControl::lock_user_config(
sub {
PVE::AccessControl::lock_user_config(
sub {
my $usercfg = cfs_read_file("user.cfg");
my $role = $param->{roleid};
my $usercfg = cfs_read_file("user.cfg");
my $role = $param->{roleid};
- die "role '$role' already exists\n"
+ die "role '$role' already exists\n"
if $usercfg->{roles}->{$role};
$usercfg->{roles}->{$role} = {};
if $usercfg->{roles}->{$role};
$usercfg->{roles}->{$role} = {};
}, "create role failed");
return undef;
}, "create role failed");
return undef;
__PACKAGE__->register_method ({
__PACKAGE__->register_method ({
check => ['perm', '/access', ['Sys.Modify']],
},
description => "Create new role.",
parameters => {
check => ['perm', '/access', ['Sys.Modify']],
},
description => "Create new role.",
parameters => {
- additionalProperties => 0,
+ additionalProperties => 0,
properties => {
roleid => { type => 'string', format => 'pve-roleid' },
privs => { type => 'string' , format => 'pve-priv-list' },
properties => {
roleid => { type => 'string', format => 'pve-roleid' },
privs => { type => 'string' , format => 'pve-priv-list' },
- append => {
- type => 'boolean',
+ append => {
+ type => 'boolean',
optional => 1,
requires => 'privs',
},
optional => 1,
requires => 'privs',
},
PVE::AccessControl::lock_user_config(
sub {
PVE::AccessControl::lock_user_config(
sub {
my $role = $param->{roleid};
my $usercfg = cfs_read_file("user.cfg");
my $role = $param->{roleid};
my $usercfg = cfs_read_file("user.cfg");
-
- die "role '$role' does not exist\n"
+
+ die "role '$role' does not exist\n"
if !$usercfg->{roles}->{$role};
$usercfg->{roles}->{$role} = {} if !$param->{append};
if !$usercfg->{roles}->{$role};
$usercfg->{roles}->{$role} = {} if !$param->{append};
}, "update role failed");
return undef;
}, "update role failed");
return undef;
# fixme: return format!
__PACKAGE__->register_method ({
# fixme: return format!
__PACKAGE__->register_method ({
- name => 'read_role',
- path => '{roleid}',
+ name => 'read_role',
+ path => '{roleid}',
user => 'all',
},
description => "Get role configuration.",
parameters => {
user => 'all',
},
description => "Get role configuration.",
parameters => {
- additionalProperties => 0,
+ additionalProperties => 0,
properties => {
roleid => { type => 'string' , format => 'pve-roleid' },
},
properties => {
roleid => { type => 'string' , format => 'pve-roleid' },
},
die "role '$role' does not exist\n" if !$data;
return $data;
die "role '$role' does not exist\n" if !$data;
return $data;
__PACKAGE__->register_method ({
__PACKAGE__->register_method ({
check => ['perm', '/access', ['Sys.Modify']],
},
description => "Delete role.",
parameters => {
check => ['perm', '/access', ['Sys.Modify']],
},
description => "Delete role.",
parameters => {
- additionalProperties => 0,
+ additionalProperties => 0,
properties => {
roleid => { type => 'string', format => 'pve-roleid' },
}
properties => {
roleid => { type => 'string', format => 'pve-roleid' },
}
die "role '$role' does not exist\n"
if !$usercfg->{roles}->{$role};
die "role '$role' does not exist\n"
if !$usercfg->{roles}->{$role};
die "auto-generated role '$role' can not be deleted\n"
if PVE::AccessControl::role_is_special($role);
die "auto-generated role '$role' can not be deleted\n"
if PVE::AccessControl::role_is_special($role);
cfs_write_file("user.cfg", $usercfg);
}, "delete role failed");
cfs_write_file("user.cfg", $usercfg);
}, "delete role failed");
};
__PACKAGE__->register_method ({
};
__PACKAGE__->register_method ({
- name => 'index',
- path => '',
+ name => 'index',
+ path => '',
method => 'GET',
description => "User index.",
method => 'GET',
description => "User index.",
description => "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.",
user => 'all',
},
description => "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.",
user => 'all',
},
},
code => sub {
my ($param) = @_;
},
code => sub {
my ($param) = @_;
my $rpcenv = PVE::RPCEnvironment::get();
my $usercfg = $rpcenv->{user_cfg};
my $authuser = $rpcenv->get_user();
my $rpcenv = PVE::RPCEnvironment::get();
my $usercfg = $rpcenv->{user_cfg};
my $authuser = $rpcenv->get_user();
my $privs = [ 'User.Modify', 'Sys.Audit' ];
my $canUserMod = $rpcenv->check_any($authuser, "/access/groups", $privs, 1);
my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
my $privs = [ 'User.Modify', 'Sys.Audit' ];
my $canUserMod = $rpcenv->check_any($authuser, "/access/groups", $privs, 1);
my $groups = $rpcenv->filter_groups($authuser, $privs, 1);
- my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
+ my $allowed_users = $rpcenv->group_member_join([keys %$groups]);
foreach my $user (keys %{$usercfg->{users}}) {
foreach my $user (keys %{$usercfg->{users}}) {
}});
__PACKAGE__->register_method ({
}});
__PACKAGE__->register_method ({
description => "You need 'Realm.AllocateUser' on '/access/realm/<realm>' on the realm of user <userid>, and 'User.Modify' permissions to '/access/groups/<group>' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.",
check => [ 'and',
[ 'userid-param', 'Realm.AllocateUser'],
description => "You need 'Realm.AllocateUser' on '/access/realm/<realm>' on the realm of user <userid>, and 'User.Modify' permissions to '/access/groups/<group>' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.",
check => [ 'and',
[ 'userid-param', 'Realm.AllocateUser'],
},
description => "Create new user.",
parameters => {
},
description => "Create new user.",
parameters => {
- additionalProperties => 0,
+ additionalProperties => 0,
properties => {
userid => get_standard_option('userid'),
password => {
description => "Initial password.",
properties => {
userid => get_standard_option('userid'),
password => {
description => "Initial password.",
- type => 'string',
- optional => 1,
- minLength => 5,
- maxLength => 64
+ type => 'string',
+ optional => 1,
+ minLength => 5,
+ maxLength => 64
},
groups => {
type => 'string', format => 'pve-groupid-list',
},
groups => {
type => 'string', format => 'pve-groupid-list',
comment => { type => 'string', optional => 1 },
keys => {
description => "Keys for two factor auth (yubico).",
comment => { type => 'string', optional => 1 },
keys => {
description => "Keys for two factor auth (yubico).",
description => "Account expiration date (seconds since epoch). '0' means no expiration date.",
description => "Account expiration date (seconds since epoch). '0' means no expiration date.",
minimum => 0,
optional => 1,
},
minimum => 0,
optional => 1,
},
PVE::AccessControl::lock_user_config(
sub {
PVE::AccessControl::lock_user_config(
sub {
my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
my $usercfg = cfs_read_file("user.cfg");
my $usercfg = cfs_read_file("user.cfg");
- die "user '$username' already exists\n"
+ die "user '$username' already exists\n"
if $usercfg->{users}->{$username};
if $usercfg->{users}->{$username};
PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password})
if defined($param->{password});
PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password})
if defined($param->{password});
}});
__PACKAGE__->register_method ({
}});
__PACKAGE__->register_method ({
- name => 'read_user',
- path => '{userid}',
+ name => 'read_user',
+ path => '{userid}',
method => 'GET',
description => "Get user configuration.",
method => 'GET',
description => "Get user configuration.",
check => ['userid-group', ['User.Modify', 'Sys.Audit']],
},
parameters => {
check => ['userid-group', ['User.Modify', 'Sys.Audit']],
},
parameters => {
- additionalProperties => 0,
+ additionalProperties => 0,
properties => {
userid => get_standard_option('userid'),
},
},
returns => {
properties => {
userid => get_standard_option('userid'),
},
},
returns => {
- additionalProperties => 0,
+ additionalProperties => 0,
properties => {
enable => { type => 'boolean' },
expire => { type => 'integer', optional => 1 },
firstname => { type => 'string', optional => 1 },
lastname => { type => 'string', optional => 1 },
email => { type => 'string', optional => 1 },
properties => {
enable => { type => 'boolean' },
expire => { type => 'integer', optional => 1 },
firstname => { type => 'string', optional => 1 },
lastname => { type => 'string', optional => 1 },
email => { type => 'string', optional => 1 },
- comment => { type => 'string', optional => 1 },
- keys => { type => 'string', optional => 1 },
+ comment => { type => 'string', optional => 1 },
+ keys => { type => 'string', optional => 1 },
groups => { type => 'array' },
}
},
code => sub {
my ($param) = @_;
groups => { type => 'array' },
}
},
code => sub {
my ($param) = @_;
- my ($username, undef, $domain) =
+ my ($username, undef, $domain) =
PVE::AccessControl::verify_username($param->{userid});
my $usercfg = cfs_read_file("user.cfg");
my $data = PVE::AccessControl::check_user_exist($usercfg, $username);
PVE::AccessControl::verify_username($param->{userid});
my $usercfg = cfs_read_file("user.cfg");
my $data = PVE::AccessControl::check_user_exist($usercfg, $username);
return &$extract_user_data($data, 1);
}});
__PACKAGE__->register_method ({
return &$extract_user_data($data, 1);
}});
__PACKAGE__->register_method ({
check => ['userid-group', ['User.Modify'], groups_param => 1 ],
},
description => "Update user configuration.",
parameters => {
check => ['userid-group', ['User.Modify'], groups_param => 1 ],
},
description => "Update user configuration.",
parameters => {
- additionalProperties => 0,
+ additionalProperties => 0,
properties => {
userid => get_standard_option('userid', {
completion => \&PVE::AccessControl::complete_username,
properties => {
userid => get_standard_option('userid', {
completion => \&PVE::AccessControl::complete_username,
optional => 1,
completion => \&PVE::AccessControl::complete_group,
},
optional => 1,
completion => \&PVE::AccessControl::complete_group,
},
- append => {
- type => 'boolean',
+ append => {
+ type => 'boolean',
optional => 1,
requires => 'groups',
},
optional => 1,
requires => 'groups',
},
comment => { type => 'string', optional => 1 },
keys => {
description => "Keys for two factor auth (yubico).",
comment => { type => 'string', optional => 1 },
keys => {
description => "Keys for two factor auth (yubico).",
description => "Account expiration date (seconds since epoch). '0' means no expiration date.",
description => "Account expiration date (seconds since epoch). '0' means no expiration date.",
code => sub {
my ($param) = @_;
code => sub {
my ($param) = @_;
- my ($username, $ruid, $realm) =
+ my ($username, $ruid, $realm) =
PVE::AccessControl::verify_username($param->{userid});
PVE::AccessControl::verify_username($param->{userid});
PVE::AccessControl::lock_user_config(
sub {
PVE::AccessControl::lock_user_config(
sub {
my $usercfg = cfs_read_file("user.cfg");
PVE::AccessControl::check_user_exist($usercfg, $username);
my $usercfg = cfs_read_file("user.cfg");
PVE::AccessControl::check_user_exist($usercfg, $username);
$usercfg->{users}->{$username}->{expire} = $param->{expire} if defined($param->{expire});
$usercfg->{users}->{$username}->{expire} = $param->{expire} if defined($param->{expire});
- PVE::AccessControl::delete_user_group($username, $usercfg)
+ PVE::AccessControl::delete_user_group($username, $usercfg)
if (!$param->{append} && defined($param->{groups}));
if ($param->{groups}) {
if (!$param->{append} && defined($param->{groups}));
if ($param->{groups}) {
cfs_write_file("user.cfg", $usercfg);
}, "update user failed");
cfs_write_file("user.cfg", $usercfg);
}, "update user failed");
return undef;
}});
__PACKAGE__->register_method ({
return undef;
}});
__PACKAGE__->register_method ({
method => 'DELETE',
description => "Delete user.",
method => 'DELETE',
description => "Delete user.",
check => [ 'and',
[ 'userid-param', 'Realm.AllocateUser'],
[ 'userid-group', ['User.Modify']],
],
},
parameters => {
check => [ 'and',
[ 'userid-param', 'Realm.AllocateUser'],
[ 'userid-group', ['User.Modify']],
],
},
parameters => {
- additionalProperties => 0,
+ additionalProperties => 0,
properties => {
userid => get_standard_option('userid', {
completion => \&PVE::AccessControl::complete_username,
properties => {
userid => get_standard_option('userid', {
completion => \&PVE::AccessControl::complete_username,
returns => { type => 'null' },
code => sub {
my ($param) = @_;
returns => { type => 'null' },
code => sub {
my ($param) = @_;
my $rpcenv = PVE::RPCEnvironment::get();
my $authuser = $rpcenv->get_user();
my $rpcenv = PVE::RPCEnvironment::get();
my $authuser = $rpcenv->get_user();
- my ($userid, $ruid, $realm) =
+ my ($userid, $ruid, $realm) =
PVE::AccessControl::verify_username($param->{userid});
PVE::AccessControl::lock_user_config(
PVE::AccessControl::verify_username($param->{userid});
PVE::AccessControl::lock_user_config(
cfs_write_file("user.cfg", $usercfg);
}, "delete user failed");
cfs_write_file("user.cfg", $usercfg);
}, "delete user failed");
\&parse_user_config,
\&write_user_config);
\&parse_user_config,
\&write_user_config);
sub verify_username {
PVE::Auth::Plugin::verify_username(@_);
}
sub verify_username {
PVE::Auth::Plugin::verify_username(@_);
}
$secret, $username, $vmid, $node);
}
$secret, $username, $vmid, $node);
}
sub verify_spice_connect_url {
my ($connect_str) = @_;
sub verify_spice_connect_url {
my ($connect_str) = @_;
PVE::JSONSchema::register_format('pve-groupid', \&verify_groupname);
sub verify_groupname {
my ($groupname, $noerr) = @_;
PVE::JSONSchema::register_format('pve-groupid', \&verify_groupname);
sub verify_groupname {
my ($groupname, $noerr) = @_;
my $domainconfigfile = "domains.cfg";
my $domainconfigfile = "domains.cfg";
-cfs_register_file($domainconfigfile,
+cfs_register_file($domainconfigfile,
sub { __PACKAGE__->parse_config(@_); },
sub { __PACKAGE__->write_config(@_); });
sub { __PACKAGE__->parse_config(@_); },
sub { __PACKAGE__->write_config(@_); });
PVE::JSONSchema::register_format('pve-realm', \&pve_verify_realm);
sub pve_verify_realm {
my ($realm, $noerr) = @_;
PVE::JSONSchema::register_format('pve-realm', \&pve_verify_realm);
sub pve_verify_realm {
my ($realm, $noerr) = @_;
if ($realm !~ m/^${realm_regex}$/) {
return undef if $noerr;
if ($realm !~ m/^${realm_regex}$/) {
return undef if $noerr;
- die "value does not look like a valid realm\n";
+ die "value does not look like a valid realm\n";
}
# we only allow a limited set of characters
}
# we only allow a limited set of characters
- # colon is not allowed, because we store usernames in
+ # colon is not allowed, because we store usernames in
# colon separated lists)!
# slash is not allowed because it is used as pve API delimiter
# colon separated lists)!
# slash is not allowed because it is used as pve API delimiter
- # also see "man useradd"
+ # also see "man useradd"
if ($username =~ m!^([^\s:/]+)\@(${realm_regex})$!) {
return wantarray ? ($username, $1, $2) : $username;
}
if ($username =~ m!^([^\s:/]+)\@(${realm_regex})$!) {
return wantarray ? ($username, $1, $2) : $username;
}
$res->{step} = $1;
} else {
return undef;
$res->{step} = $1;
} else {
return undef;
}
return undef if !$res->{type};
}
return undef if !$res->{type};
$data->{comment} = PVE::Tools::encode_text($data->{comment});
}
}
$data->{comment} = PVE::Tools::encode_text($data->{comment});
}
}
$class->SUPER::write_config($filename, $cfg);
}
$class->SUPER::write_config($filename, $cfg);
}
projects / pve-access-control.git / commitdiff