From 0a6e09fd4733d877b02d1d2aee26bf90e243b2a0 Mon Sep 17 00:00:00 2001 From: Philip Abernethy Date: Thu, 21 Sep 2017 11:09:16 +0200 Subject: [PATCH] Whitespace fixes Reviewed-by: Thomas Lamprecht --- PVE/API2/ACL.pm | 44 +++++++++---------- PVE/API2/Role.pm | 71 +++++++++++++++--------------- PVE/API2/User.pm | 102 +++++++++++++++++++++---------------------- PVE/AccessControl.pm | 3 -- PVE/Auth/Plugin.pm | 14 +++--- 5 files changed, 115 insertions(+), 119 deletions(-) diff --git a/PVE/API2/ACL.pm b/PVE/API2/ACL.pm index fb4fbce..d37771b 100644 --- a/PVE/API2/ACL.pm +++ b/PVE/API2/ACL.pm @@ -14,11 +14,11 @@ use PVE::RESTHandler; use base qw(PVE::RESTHandler); __PACKAGE__->register_method ({ - name => 'read_acl', - path => '', + name => 'read_acl', + path => '', method => 'GET', description => "Get Access Control List (ACLs).", - permissions => { + permissions => { description => "The returned list is restricted to objects where you have rights to modify permissions.", user => 'all', }, @@ -42,7 +42,7 @@ __PACKAGE__->register_method ({ }, code => sub { my ($param) = @_; - + my $rpcenv = PVE::RPCEnvironment::get(); my $authuser = $rpcenv->get_user(); my $res = []; @@ -79,44 +79,44 @@ __PACKAGE__->register_method ({ }}); __PACKAGE__->register_method ({ - name => 'update_acl', + name => 'update_acl', protected => 1, - path => '', + path => '', method => 'PUT', - permissions => { + permissions => { check => ['perm-modify', '{path}'], }, description => "Update Access Control List (add or remove permissions).", parameters => { - additionalProperties => 0, + additionalProperties => 0, properties => { path => { description => "Access control path", type => 'string', }, - users => { + users => { description => "List of users.", - type => 'string', format => 'pve-userid-list', + type => 'string', format => 'pve-userid-list', optional => 1, }, - groups => { + groups => { description => "List of groups.", type => 'string', format => 'pve-groupid-list', - optional => 1, + optional => 1, }, - roles => { + roles => { description => "List of roles.", type => 'string', format => 'pve-roleid-list', }, - propagate => { + propagate => { description => "Allow to propagate (inherit) permissions.", - type => 'boolean', + type => 'boolean', optional => 1, default => 1, }, delete => { description => "Remove permissions (instead of adding it).", - type => 'boolean', + type => 'boolean', optional => 1, }, }, @@ -126,8 +126,8 @@ __PACKAGE__->register_method ({ my ($param) = @_; if (!($param->{users} || $param->{groups})) { - raise_param_exc({ - users => "either 'users' or 'groups' is required.", + raise_param_exc({ + users => "either 'users' or 'groups' is required.", groups => "either 'users' or 'groups' is required." }); } @@ -136,17 +136,17 @@ __PACKAGE__->register_method ({ PVE::AccessControl::lock_user_config( sub { - + my $cfg = cfs_read_file("user.cfg"); my $propagate = 1; - + if (defined($param->{propagate})) { $propagate = $param->{propagate} ? 1 : 0; } foreach my $role (split_list($param->{roles})) { - die "role '$role' does not exist\n" + die "role '$role' does not exist\n" if !$cfg->{roles}->{$role}; foreach my $group (split_list($param->{groups})) { @@ -171,7 +171,7 @@ __PACKAGE__->register_method ({ delete($cfg->{acl}->{$path}->{users}->{$username}->{$role}); } else { $cfg->{acl}->{$path}->{users}->{$username}->{$role} = $propagate; - } + } } } diff --git a/PVE/API2/Role.pm b/PVE/API2/Role.pm index 895da82..452fc6d 100644 --- a/PVE/API2/Role.pm +++ b/PVE/API2/Role.pm @@ -12,11 +12,11 @@ use PVE::RESTHandler; use base qw(PVE::RESTHandler); __PACKAGE__->register_method ({ - name => 'index', - path => '', + name => 'index', + path => '', method => 'GET', description => "Role index.", - permissions => { + permissions => { user => 'all', }, parameters => { @@ -35,11 +35,11 @@ __PACKAGE__->register_method ({ }, code => sub { my ($param) = @_; - + my $res = []; my $usercfg = cfs_read_file("user.cfg"); - + foreach my $role (keys %{$usercfg->{roles}}) { my $privs = join(',', sort keys %{$usercfg->{roles}->{$role}}); push @$res, { roleid => $role, privs => $privs, @@ -47,19 +47,19 @@ __PACKAGE__->register_method ({ } return $res; - }}); +}}); __PACKAGE__->register_method ({ - name => 'create_role', + name => 'create_role', protected => 1, - path => '', + path => '', method => 'POST', - permissions => { + permissions => { check => ['perm', '/access', ['Sys.Modify']], }, description => "Create new role.", parameters => { - additionalProperties => 0, + additionalProperties => 0, properties => { roleid => { type => 'string', format => 'pve-roleid' }, privs => { type => 'string' , format => 'pve-priv-list', optional => 1 }, @@ -71,12 +71,12 @@ __PACKAGE__->register_method ({ PVE::AccessControl::lock_user_config( sub { - + my $usercfg = cfs_read_file("user.cfg"); my $role = $param->{roleid}; - die "role '$role' already exists\n" + die "role '$role' already exists\n" if $usercfg->{roles}->{$role}; $usercfg->{roles}->{$role} = {}; @@ -87,24 +87,24 @@ __PACKAGE__->register_method ({ }, "create role failed"); return undef; - }}); +}}); __PACKAGE__->register_method ({ - name => 'update_role', + name => 'update_role', protected => 1, - path => '{roleid}', + path => '{roleid}', method => 'PUT', - permissions => { + permissions => { check => ['perm', '/access', ['Sys.Modify']], }, description => "Create new role.", parameters => { - additionalProperties => 0, + additionalProperties => 0, properties => { roleid => { type => 'string', format => 'pve-roleid' }, privs => { type => 'string' , format => 'pve-priv-list' }, - append => { - type => 'boolean', + append => { + type => 'boolean', optional => 1, requires => 'privs', }, @@ -116,12 +116,12 @@ __PACKAGE__->register_method ({ PVE::AccessControl::lock_user_config( sub { - + my $role = $param->{roleid}; my $usercfg = cfs_read_file("user.cfg"); - - die "role '$role' does not exist\n" + + die "role '$role' does not exist\n" if !$usercfg->{roles}->{$role}; $usercfg->{roles}->{$role} = {} if !$param->{append}; @@ -132,19 +132,19 @@ __PACKAGE__->register_method ({ }, "update role failed"); return undef; - }}); +}}); # fixme: return format! __PACKAGE__->register_method ({ - name => 'read_role', - path => '{roleid}', + name => 'read_role', + path => '{roleid}', method => 'GET', - permissions => { + permissions => { user => 'all', }, description => "Get role configuration.", parameters => { - additionalProperties => 0, + additionalProperties => 0, properties => { roleid => { type => 'string' , format => 'pve-roleid' }, }, @@ -162,20 +162,19 @@ __PACKAGE__->register_method ({ die "role '$role' does not exist\n" if !$data; return $data; - }}); - +}}); __PACKAGE__->register_method ({ - name => 'delete_role', + name => 'delete_role', protected => 1, - path => '{roleid}', + path => '{roleid}', method => 'DELETE', - permissions => { + permissions => { check => ['perm', '/access', ['Sys.Modify']], }, description => "Delete role.", parameters => { - additionalProperties => 0, + additionalProperties => 0, properties => { roleid => { type => 'string', format => 'pve-roleid' }, } @@ -193,7 +192,7 @@ __PACKAGE__->register_method ({ die "role '$role' does not exist\n" if !$usercfg->{roles}->{$role}; - + die "auto-generated role '$role' can not be deleted\n" if PVE::AccessControl::role_is_special($role); @@ -203,8 +202,8 @@ __PACKAGE__->register_method ({ cfs_write_file("user.cfg", $usercfg); }, "delete role failed"); - + return undef; - }}); +}}); 1; diff --git a/PVE/API2/User.pm b/PVE/API2/User.pm index 602e3f0..1dc0293 100644 --- a/PVE/API2/User.pm +++ b/PVE/API2/User.pm @@ -31,11 +31,11 @@ my $extract_user_data = sub { }; __PACKAGE__->register_method ({ - name => 'index', - path => '', + name => 'index', + path => '', method => 'GET', description => "User index.", - permissions => { + permissions => { description => "The returned list is restricted to users where you have 'User.Modify' or 'Sys.Audit' permissions on '/access/groups' or on a group the user belongs too. But it always includes the current (authenticated) user.", user => 'all', }, @@ -61,7 +61,7 @@ __PACKAGE__->register_method ({ }, code => sub { my ($param) = @_; - + my $rpcenv = PVE::RPCEnvironment::get(); my $usercfg = $rpcenv->{user_cfg}; my $authuser = $rpcenv->get_user(); @@ -71,7 +71,7 @@ __PACKAGE__->register_method ({ my $privs = [ 'User.Modify', 'Sys.Audit' ]; my $canUserMod = $rpcenv->check_any($authuser, "/access/groups", $privs, 1); my $groups = $rpcenv->filter_groups($authuser, $privs, 1); - my $allowed_users = $rpcenv->group_member_join([keys %$groups]); + my $allowed_users = $rpcenv->group_member_join([keys %$groups]); foreach my $user (keys %{$usercfg->{users}}) { @@ -94,11 +94,11 @@ __PACKAGE__->register_method ({ }}); __PACKAGE__->register_method ({ - name => 'create_user', + name => 'create_user', protected => 1, - path => '', + path => '', method => 'POST', - permissions => { + permissions => { description => "You need 'Realm.AllocateUser' on '/access/realm/' on the realm of user , and 'User.Modify' permissions to '/access/groups/' for any group specified (or 'User.Modify' on '/access/groups' if you pass no groups.", check => [ 'and', [ 'userid-param', 'Realm.AllocateUser'], @@ -107,15 +107,15 @@ __PACKAGE__->register_method ({ }, description => "Create new user.", parameters => { - additionalProperties => 0, + additionalProperties => 0, properties => { userid => get_standard_option('userid'), password => { description => "Initial password.", - type => 'string', - optional => 1, - minLength => 5, - maxLength => 64 + type => 'string', + optional => 1, + minLength => 5, + maxLength => 64 }, groups => { type => 'string', format => 'pve-groupid-list', @@ -128,12 +128,12 @@ __PACKAGE__->register_method ({ comment => { type => 'string', optional => 1 }, keys => { description => "Keys for two factor auth (yubico).", - type => 'string', + type => 'string', optional => 1, }, - expire => { + expire => { description => "Account expiration date (seconds since epoch). '0' means no expiration date.", - type => 'integer', + type => 'integer', minimum => 0, optional => 1, }, @@ -151,14 +151,14 @@ __PACKAGE__->register_method ({ PVE::AccessControl::lock_user_config( sub { - + my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid}); - + my $usercfg = cfs_read_file("user.cfg"); - die "user '$username' already exists\n" + die "user '$username' already exists\n" if $usercfg->{users}->{$username}; - + PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password}) if defined($param->{password}); @@ -189,56 +189,56 @@ __PACKAGE__->register_method ({ }}); __PACKAGE__->register_method ({ - name => 'read_user', - path => '{userid}', + name => 'read_user', + path => '{userid}', method => 'GET', description => "Get user configuration.", - permissions => { + permissions => { check => ['userid-group', ['User.Modify', 'Sys.Audit']], }, parameters => { - additionalProperties => 0, + additionalProperties => 0, properties => { userid => get_standard_option('userid'), }, }, returns => { - additionalProperties => 0, + additionalProperties => 0, properties => { enable => { type => 'boolean' }, expire => { type => 'integer', optional => 1 }, firstname => { type => 'string', optional => 1 }, lastname => { type => 'string', optional => 1 }, email => { type => 'string', optional => 1 }, - comment => { type => 'string', optional => 1 }, - keys => { type => 'string', optional => 1 }, + comment => { type => 'string', optional => 1 }, + keys => { type => 'string', optional => 1 }, groups => { type => 'array' }, } }, code => sub { my ($param) = @_; - my ($username, undef, $domain) = + my ($username, undef, $domain) = PVE::AccessControl::verify_username($param->{userid}); my $usercfg = cfs_read_file("user.cfg"); my $data = PVE::AccessControl::check_user_exist($usercfg, $username); - + return &$extract_user_data($data, 1); }}); __PACKAGE__->register_method ({ - name => 'update_user', + name => 'update_user', protected => 1, - path => '{userid}', + path => '{userid}', method => 'PUT', - permissions => { + permissions => { check => ['userid-group', ['User.Modify'], groups_param => 1 ], }, description => "Update user configuration.", parameters => { - additionalProperties => 0, + additionalProperties => 0, properties => { userid => get_standard_option('userid', { completion => \&PVE::AccessControl::complete_username, @@ -248,8 +248,8 @@ __PACKAGE__->register_method ({ optional => 1, completion => \&PVE::AccessControl::complete_group, }, - append => { - type => 'boolean', + append => { + type => 'boolean', optional => 1, requires => 'groups', }, @@ -264,14 +264,14 @@ __PACKAGE__->register_method ({ comment => { type => 'string', optional => 1 }, keys => { description => "Keys for two factor auth (yubico).", - type => 'string', + type => 'string', optional => 1, }, - expire => { + expire => { description => "Account expiration date (seconds since epoch). '0' means no expiration date.", - type => 'integer', + type => 'integer', minimum => 0, - optional => 1 + optional => 1 }, }, }, @@ -279,12 +279,12 @@ __PACKAGE__->register_method ({ code => sub { my ($param) = @_; - my ($username, $ruid, $realm) = + my ($username, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid}); - + PVE::AccessControl::lock_user_config( sub { - + my $usercfg = cfs_read_file("user.cfg"); PVE::AccessControl::check_user_exist($usercfg, $username); @@ -293,7 +293,7 @@ __PACKAGE__->register_method ({ $usercfg->{users}->{$username}->{expire} = $param->{expire} if defined($param->{expire}); - PVE::AccessControl::delete_user_group($username, $usercfg) + PVE::AccessControl::delete_user_group($username, $usercfg) if (!$param->{append} && defined($param->{groups})); if ($param->{groups}) { @@ -314,24 +314,24 @@ __PACKAGE__->register_method ({ cfs_write_file("user.cfg", $usercfg); }, "update user failed"); - + return undef; }}); __PACKAGE__->register_method ({ - name => 'delete_user', + name => 'delete_user', protected => 1, - path => '{userid}', + path => '{userid}', method => 'DELETE', description => "Delete user.", - permissions => { + permissions => { check => [ 'and', [ 'userid-param', 'Realm.AllocateUser'], [ 'userid-group', ['User.Modify']], ], }, parameters => { - additionalProperties => 0, + additionalProperties => 0, properties => { userid => get_standard_option('userid', { completion => \&PVE::AccessControl::complete_username, @@ -341,11 +341,11 @@ __PACKAGE__->register_method ({ returns => { type => 'null' }, code => sub { my ($param) = @_; - + my $rpcenv = PVE::RPCEnvironment::get(); my $authuser = $rpcenv->get_user(); - my ($userid, $ruid, $realm) = + my ($userid, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid}); PVE::AccessControl::lock_user_config( @@ -366,7 +366,7 @@ __PACKAGE__->register_method ({ cfs_write_file("user.cfg", $usercfg); }, "delete user failed"); - + return undef; }}); diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm index b45abda..29c50ce 100644 --- a/PVE/AccessControl.pm +++ b/PVE/AccessControl.pm @@ -45,7 +45,6 @@ cfs_register_file('user.cfg', \&parse_user_config, \&write_user_config); - sub verify_username { PVE::Auth::Plugin::verify_username(@_); } @@ -172,7 +171,6 @@ sub assemble_spice_ticket { $secret, $username, $vmid, $node); } - sub verify_spice_connect_url { my ($connect_str) = @_; @@ -537,7 +535,6 @@ sub normalize_path { return $path; } - PVE::JSONSchema::register_format('pve-groupid', \&verify_groupname); sub verify_groupname { my ($groupname, $noerr) = @_; diff --git a/PVE/Auth/Plugin.pm b/PVE/Auth/Plugin.pm index 16ef046..d5d2c06 100755 --- a/PVE/Auth/Plugin.pm +++ b/PVE/Auth/Plugin.pm @@ -13,7 +13,7 @@ use base qw(PVE::SectionConfig); my $domainconfigfile = "domains.cfg"; -cfs_register_file($domainconfigfile, +cfs_register_file($domainconfigfile, sub { __PACKAGE__->parse_config(@_); }, sub { __PACKAGE__->write_config(@_); }); @@ -32,10 +32,10 @@ my $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/; PVE::JSONSchema::register_format('pve-realm', \&pve_verify_realm); sub pve_verify_realm { my ($realm, $noerr) = @_; - + if ($realm !~ m/^${realm_regex}$/) { return undef if $noerr; - die "value does not look like a valid realm\n"; + die "value does not look like a valid realm\n"; } return $realm; } @@ -62,10 +62,10 @@ sub verify_username { } # we only allow a limited set of characters - # colon is not allowed, because we store usernames in + # colon is not allowed, because we store usernames in # colon separated lists)! # slash is not allowed because it is used as pve API delimiter - # also see "man useradd" + # also see "man useradd" if ($username =~ m!^([^\s:/]+)\@(${realm_regex})$!) { return wantarray ? ($username, $1, $2) : $username; } @@ -120,7 +120,7 @@ sub parse_tfa_config { $res->{step} = $1; } else { return undef; - } + } } return undef if !$res->{type}; @@ -199,7 +199,7 @@ sub write_config { $data->{comment} = PVE::Tools::encode_text($data->{comment}); } } - + $class->SUPER::write_config($filename, $cfg); } -- 2.39.2