]> git.proxmox.com Git - pve-access-control.git/commitdiff
projects / pve-access-control.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 6a2138e)
api: realm sync: move out group and user update to separate methods
authorThomas Lamprecht <t.lamprecht@proxmox.com>
Sat, 21 Mar 2020 14:56:51 +0000 (15:56 +0100)
committerThomas Lamprecht <t.lamprecht@proxmox.com>
Sat, 21 Mar 2020 15:21:57 +0000 (16:21 +0100)
keep the api call way smaller and clearer

On moving out some minor adaptions where made, e.g., we do not print
"remove user X" if we know that we'd add it again, but just print a
single "update user X" for that. Same for groups.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
PVE/API2/Domains.pm patch | blob | blame | history

diff --git a/PVE/API2/Domains.pm b/PVE/API2/Domains.pm
index 64d4c806ef49f196d6f4fac690de6c8c6359cd02..fa6ab782449880080e13644d1107b8fcffda3860 100644 (file)
--- a/PVE/API2/Domains.pm
+++ b/PVE/API2/Domains.pm
@@ -245,6 +245,101 @@ __PACKAGE__->register_method ({
        return undef;
     }});
 
        return undef;
     }});
 
+my $update_users = sub {
+    my ($usercfg, $realm, $synced_users, $opts) = @_;
+
+    print "syncing users\n";
+    $usercfg->{users} = {} if !defined($usercfg->{users});
+    my $users = $usercfg->{users};
+
+    my $oldusers = {};
+    if ($opts->{'full'}) {
+       print "full sync, deleting outdated existing users first\n";
+       foreach my $userid (sort keys %$users) {
+           next if $userid !~ m/\@$realm$/;
+
+           $oldusers->{$userid} = delete $users->{$userid};
+           if ($opts->{'purge'} && !$synced_users->{$userid}) {
+               PVE::AccessControl::delete_user_acl($userid, $usercfg);
+               print "purged user '$userid' and all its ACL entries\n";
+           } elsif (!defined($synced_users->{$userid})) {
+               print "remove user '$userid'\n";
+           }
+       }
+    }
+
+    foreach my $userid (sort keys %$synced_users) {
+       my $synced_user = $synced_users->{$userid} // {};
+       if (!defined($users->{$userid})) {
+           my $user = $users->{$userid} = $synced_user;
+
+           my $olduser = $oldusers->{$userid} // {};
+           if (defined(my $enabled = $olduser->{enable})) {
+               $user->{enable} = $enabled;
+           } elsif ($opts->{enable}) {
+               $user->{enable} = 1;
+           }
+
+           if (defined($olduser->{tokens})) {
+               $user->{tokens} = $olduser->{tokens};
+           }
+           if (defined($oldusers->{$userid})) {
+               print "updated user '$userid'\n";
+           } else {
+               print "added user '$userid'\n";
+           }
+       } else {
+           my $olduser = $users->{$userid};
+           foreach my $attr (keys %$synced_user) {
+               $olduser->{$attr} = $synced_user->{$attr};
+           }
+           print "updated user '$userid'\n";
+       }
+    }
+};
+
+my $update_groups = sub {
+    my ($usercfg, $realm, $synced_groups, $opts) = @_;
+
+    print "syncing groups\n";
+    $usercfg->{groups} = {} if !defined($usercfg->{groups});
+    my $groups = $usercfg->{groups};
+    my $oldgroups = {};
+
+    if ($opts->{full}) {
+       print "full sync, deleting outdated existing groups first\n";
+       foreach my $groupid (sort keys %$groups) {
+           next if $groupid !~ m/\-$realm$/;
+
+           my $oldgroups->{$groupid} = delete $groups->{$groupid};
+           if ($opts->{purge} && !$synced_groups->{$groupid}) {
+               print "purged group '$groupid' and all its ACL entries\n";
+               PVE::AccessControl::delete_group_acl($groupid, $usercfg)
+           } elsif (!defined($synced_groups->{$groupid})) {
+               print "removed group '$groupid'\n";
+           }
+       }
+    }
+
+    foreach my $groupid (sort keys %$synced_groups) {
+       my $synced_group = $synced_groups->{$groupid};
+       if (!defined($groups->{$groupid})) {
+           $groups->{$groupid} = $synced_group;
+           if (defined($oldgroups->{$groupid})) {
+               print "updated group '$groupid'\n";
+           } else {
+               print "added group '$groupid'\n";
+           }
+       } else {
+           my $group = $groups->{$groupid};
+           foreach my $attr (keys %$synced_group) {
+               $group->{$attr} = $synced_group->{$attr};
+           }
+           print "updated group '$groupid'\n";
+       }
+    }
+};
+
 __PACKAGE__->register_method ({
     name => 'sync',
     path => '{realm}/sync',
 __PACKAGE__->register_method ({
     name => 'sync',
     path => '{realm}/sync',
@@ -326,81 +421,12 @@ __PACKAGE__->register_method ({
                my $usercfg = cfs_read_file("user.cfg");
                print "got data from server, updating $whatstring\n";
 
                my $usercfg = cfs_read_file("user.cfg");
                print "got data from server, updating $whatstring\n";
 
-               if ($sync_users) {
-                   print "syncing users\n";
-                   my $oldusers = $usercfg->{users};
-
-                   my $oldtokens = {};
-                   my $oldenabled = {};
-
-                   if ($param->{full}) {
-                       print "full sync, deleting existing users first\n";
-                       foreach my $userid (keys %$oldusers) {
-                           next if $userid !~ m/\@$realm$/;
-                           # we save the old tokens 
-                           $oldtokens->{$userid} = $oldusers->{$userid}->{tokens};
-                           $oldenabled->{$userid} = $oldusers->{$userid}->{enable} // 0;
-                           delete $oldusers->{$userid};
-                           PVE::AccessControl::delete_user_acl($userid, $usercfg)
-                               if $param->{purge} && !$users->{$userid};
-                           print "removed user '$userid'\n";
-                       }
-                   }
-
-                   foreach my $userid (keys %$users) {
-                       my $user = $users->{$userid};
-                       if (!defined($oldusers->{$userid})) {
-                           $oldusers->{$userid} = $user;
-
-                           if (defined($oldenabled->{$userid})) {
-                               $oldusers->{$userid}->{enable} = $oldenabled->{$userid};
-                           } elsif ($param->{enable}) {
-                               $oldusers->{$userid}->{enable} = 1;
-                           }
-
-                           if (defined($oldtokens->{$userid})) {
-                               $oldusers->{$userid}->{tokens} = $oldtokens->{$userid};
-                           }
-
-                           print "added user '$userid'\n";
-                       } else {
-                           my $olduser = $oldusers->{$userid};
-                           foreach my $attr (keys %$user) {
-                               $olduser->{$attr} = $user->{$attr};
-                           }
-                           print "updated user '$userid'\n";
-                       }
-                   }
+               if ($scope eq 'users' || $scope eq 'both') {
+                   $update_users->($usercfg, $realm, $synced_users, $param);
                }
 
                }
 
-               if ($sync_groups) {
-                   print "syncing groups\n";
-                   my $oldgroups = $usercfg->{groups};
-
-                   if ($param->{full}) {
-                       print "full sync, deleting existing groups first\n";
-                       foreach my $groupid (keys %$oldgroups) {
-                           next if $groupid !~ m/\-$realm$/;
-                           delete $oldgroups->{$groupid};
-                           PVE::AccessControl::delete_group_acl($groupid, $usercfg)
-                               if $param->{purge} && !$groups->{$groupid};
-                           print "removed group '$groupid'\n";
-                       }
-                   }
-
-                   foreach my $groupid (keys %$groups) {
-                       my $group = $groups->{$groupid};
-                       if (!defined($oldgroups->{$groupid})) {
-                           $oldgroups->{$groupid} = $group;
-                           print "added group '$groupid'\n";
-                       } else {
-                           my $oldgroup = $oldgroups->{$groupid};
-                           foreach my $attr (keys %$group) {
-                               $oldgroup->{$attr} = $group->{$attr};
-                           }
-                           print "updated group '$groupid'\n";
-                       }
-                   }
+               if ($scope eq 'groups' || $scope eq 'both') {
+                   $update_groups->($usercfg, $realm, $synced_groups, $param);
                }
 
                cfs_write_file("user.cfg", $usercfg);
                }
 
                cfs_write_file("user.cfg", $usercfg);
Access control framework