api: backup: update: check permissions of delete params too

[pve-manager.git] / PVE / API2 / ACMEPlugin.pm

package PVE::API2::ACMEPlugin;

use strict;
use warnings;

use MIME::Base64;
use Storable qw(dclone);

use PVE::ACME::Challenge;
use PVE::ACME::DNSChallenge;
use PVE::ACME::StandAlone;
use PVE::Cluster qw(cfs_read_file cfs_write_file cfs_register_file cfs_lock_file);
use PVE::JSONSchema qw(register_standard_option get_standard_option);
use PVE::Tools qw(extract_param);

use base qw(PVE::RESTHandler);

my $plugin_config_file = "priv/acme/plugins.cfg";

cfs_register_file($plugin_config_file,
   sub { PVE::ACME::Challenge->parse_config(@_); },
   sub { PVE::ACME::Challenge->write_config(@_); },
);

PVE::ACME::DNSChallenge->register();
PVE::ACME::StandAlone->register();
PVE::ACME::Challenge->init();

PVE::JSONSchema::register_standard_option('pve-acme-pluginid', {
    type => 'string',
    format => 'pve-configid',
    description => 'Unique identifier for ACME plugin instance.',
});

my $plugin_type_enum = PVE::ACME::Challenge->lookup_types();

my $modify_cfg_for_api = sub {
    my ($cfg, $pluginid) = @_;

    die "ACME plugin '$pluginid' not defined\n" if !defined($cfg->{ids}->{$pluginid});

    my $plugin_cfg = dclone($cfg->{ids}->{$pluginid});
    $plugin_cfg->{plugin} = $pluginid;
    $plugin_cfg->{digest} = $cfg->{digest};

    return $plugin_cfg;
};

__PACKAGE__->register_method ({
    name => 'index',
    path => '',
    method => 'GET',
    permissions => {
        check => ['perm', '/', [ 'Sys.Modify' ]],
    },
    description => "ACME plugin index.",
    protected => 1,
    parameters => {
        additionalProperties => 0,
        properties => {
            type => {
                description => "Only list ACME plugins of a specific type",
                type => 'string',
                enum => $plugin_type_enum,
                optional => 1,
            },
        },
    },
    returns => {
        type => 'array',
        items => {
            type => "object",
            properties => {
                plugin => get_standard_option('pve-acme-pluginid'),
            },
        },
        links => [ { rel => 'child', href => "{plugin}" } ],
    },
    code => sub {
        my ($param) = @_;

        my $cfg = load_config();

        my $res = [];
        foreach my $pluginid (keys %{$cfg->{ids}}) {
            my $plugin_cfg = $modify_cfg_for_api->($cfg, $pluginid);
            next if $param->{type} && $param->{type} ne $plugin_cfg->{type};
            push @$res, $plugin_cfg;
        }

        return $res;
    }
});

__PACKAGE__->register_method({
    name => 'get_plugin_config',
    path => '{id}',
    method => 'GET',
    description => "Get ACME plugin configuration.",
    permissions => {
        check => ['perm', '/', [ 'Sys.Modify' ]],
    },
    protected => 1,
    parameters => {
        additionalProperties => 0,
        properties => {
            id => get_standard_option('pve-acme-pluginid'),
        },
    },
    returns => {
        type => 'object',
    },
    code => sub {
        my ($param) = @_;

        my $cfg = load_config();
        return $modify_cfg_for_api->($cfg, $param->{id});
    }
});

__PACKAGE__->register_method({
    name => 'add_plugin',
    path => '',
    method => 'POST',
    description => "Add ACME plugin configuration.",
    permissions => {
        check => ['perm', '/', [ 'Sys.Modify' ]],
    },
    protected => 1,
    parameters => PVE::ACME::Challenge->createSchema(),
    returns => {
        type => "null"
    },
    code => sub {
        my ($param) = @_;

        my $id = extract_param($param, 'id');
        my $type = extract_param($param, 'type');

        cfs_lock_file($plugin_config_file, undef, sub {
            my $cfg = load_config();
            die "ACME plugin ID '$id' already exists\n" if defined($cfg->{ids}->{$id});

            my $plugin = PVE::ACME::Challenge->lookup($type);
            my $opts = $plugin->check_config($id, $param, 1, 1);

            $cfg->{ids}->{$id} = $opts;
            $cfg->{ids}->{$id}->{type} = $type;

            cfs_write_file($plugin_config_file, $cfg);
        });
        die "$@" if $@;

        return undef;
    }
});

__PACKAGE__->register_method({
    name => 'update_plugin',
    path => '{id}',
    method => 'PUT',
    description => "Update ACME plugin configuration.",
    permissions => {
        check => ['perm', '/', [ 'Sys.Modify' ]],
    },
    protected => 1,
    parameters => PVE::ACME::Challenge->updateSchema(),
    returns => {
        type => "null"
    },
    code => sub {
        my ($param) = @_;

        my $id = extract_param($param, 'id');
        my $delete = extract_param($param, 'delete');
        my $digest = extract_param($param, 'digest');

        cfs_lock_file($plugin_config_file, undef, sub {
            my $cfg = load_config();
            PVE::Tools::assert_if_modified($cfg->{digest}, $digest);
            my $plugin_cfg = $cfg->{ids}->{$id};
            die "ACME plugin ID '$id' does not exist\n" if !$plugin_cfg;

            my $type = $plugin_cfg->{type};
            my $plugin = PVE::ACME::Challenge->lookup($type);

            if (defined($delete)) {
                my $schema = $plugin->private();
                my $options = $schema->{options}->{$type};
                for my $k (PVE::Tools::split_list($delete)) {
                    my $d = $options->{$k} || die "no such option '$k'\n";
                    die "unable to delete required option '$k'\n" if !$d->{optional};

                    delete $cfg->{ids}->{$id}->{$k};
                }
            }

            my $opts = $plugin->check_config($id, $param, 0, 1);
            for my $k (sort keys %$opts) {
                $plugin_cfg->{$k} = $opts->{$k};
            }

            cfs_write_file($plugin_config_file, $cfg);
        });
        die "$@" if $@;

        return undef;
    }
});

__PACKAGE__->register_method({
    name => 'delete_plugin',
    path => '{id}',
    method => 'DELETE',
    description => "Delete ACME plugin configuration.",
    permissions => {
        check => ['perm', '/', [ 'Sys.Modify' ]],
    },
    protected => 1,
    parameters => {
        additionalProperties => 0,
        properties => {
            id => get_standard_option('pve-acme-pluginid'),
        },
    },
    returns => {
        type => "null"
    },
    code => sub {
        my ($param) = @_;

        my $id = extract_param($param, 'id');

        cfs_lock_file($plugin_config_file, undef, sub {
            my $cfg = load_config();

            delete $cfg->{ids}->{$id};

            cfs_write_file($plugin_config_file, $cfg);
        });
        die "$@" if $@;

        return undef;
    }
});

sub load_config {
    # auto-adds the standalone plugin if no config is there for backwards
    # compatibility, so ALWAYS call the cfs registered parser
    return cfs_read_file($plugin_config_file);
}

1;