[pbs-devel] [PATCH proxmox-backup 4/6] api: access: domains: add get/create/update/delete domain call

Dominik Csapak d.csapak at proxmox.com
Fri Jul 9 13:43:59 CEST 2021


modeled like our other section config api calls
two drawbacks of doing it this way:
* we have to copy some api properties again for the update call,
  since not all of them are updateable (username-claim)
* we only handle openid for now, which we would have to change
  when we add ldap/ad

Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
 src/api2/access/domain.rs | 280 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 277 insertions(+), 3 deletions(-)

diff --git a/src/api2/access/domain.rs b/src/api2/access/domain.rs
index c850603a..6b1a4743 100644
--- a/src/api2/access/domain.rs
+++ b/src/api2/access/domain.rs
@@ -1,6 +1,6 @@
 //! List Authentication domains/realms
 
-use anyhow::{Error};
+use anyhow::{bail, Error};
 
 use serde::{Deserialize, Serialize};
 use serde_json::{json, Value};
@@ -8,7 +8,11 @@ use serde_json::{json, Value};
 use proxmox::api::{api, Permission, Router, RpcEnvironment};
 
 use crate::api2::types::*;
-use crate::config::domains::{OpenIdRealmConfig, OpenIdUserAttribute};
+use crate::config::{
+    self,
+    acl::{PRIV_REALM_ALLOCATE, PRIV_SYS_AUDIT},
+    domains::{OpenIdRealmConfig, OpenIdUserAttribute},
+};
 
 #[api]
 #[derive(Deserialize, Serialize, PartialEq, Eq)]
@@ -158,5 +162,275 @@ fn list_domains(mut rpcenv: &mut dyn RpcEnvironment) -> Result<Vec<BasicRealmInf
     Ok(list)
 }
 
+#[api(
+    input: {
+        properties: {
+            realm: {
+                schema: REALM_ID_SCHEMA,
+            },
+        },
+    },
+    returns: {
+        type: RealmInfo,
+    },
+    access: {
+        permission: &Permission::Privilege(&["access", "domains"], PRIV_SYS_AUDIT | PRIV_REALM_ALLOCATE, true),
+    },
+)]
+/// Get information about a realm
+fn get_domain(realm: String, mut rpcenv: &mut dyn RpcEnvironment) -> Result<RealmInfo, Error> {
+    let entry = match realm.as_str() {
+        "pam" => json!({
+            "realm": "pam",
+            "type": "pam",
+            "comment": "Linux PAM standard authentication",
+            "default": Some(true),
+        }),
+        "pbs" => json!({
+            "realm": "pbs",
+            "type": "pbs",
+            "comment": "Proxmox Backup authentication server",
+        }),
+        _ => {
+            let (config, digest) = config::domains::config()?;
+            rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();
+            if let Some((section_type, v)) = config.sections.get(&realm) {
+                let mut entry = v.clone();
+                entry["type"] = Value::from(section_type.clone());
+                entry
+            } else {
+                bail!("domain '{}' does not exist", realm);
+            }
+        }
+    };
+
+    Ok(serde_json::from_value(entry)?)
+}
+
+#[api(
+    protected: true,
+    input: {
+        properties: {
+            info: {
+                type: RealmInfo,
+                flatten: true,
+            },
+        },
+    },
+    access: {
+        permission: &Permission::Privilege(&["access", "domains"], PRIV_REALM_ALLOCATE, false),
+    },
+)]
+/// Create a realm
+fn create_domain(param: Value) -> Result<(), Error> {
+    let basic_info: BasicRealmInfo = serde_json::from_value(param.clone())?;
+
+    // for now we only have to care about openid
+    if basic_info.ty != RealmType::OpenId {
+        bail!(
+            "Cannot create realm of type '{}'",
+            serde_json::to_string(&basic_info.ty)?
+        );
+    }
+
+    let new_realm: OpenIdRealmConfig = serde_json::from_value(param)?;
+    let _lock = config::domains::lock_config()?;
+
+    let (mut config, _digest) = config::domains::config()?;
+
+    let existing: Vec<OpenIdRealmConfig> = config.convert_to_typed_array("openid")?;
+
+    for realm in existing {
+        if realm.realm == new_realm.realm {
+            bail!("Entry '{}' already exists", realm.realm);
+        }
+    }
+
+    config.set_data(&new_realm.realm, "openid", &new_realm)?;
+
+    config::domains::save_config(&config)?;
+
+    Ok(())
+}
+
+#[api]
+#[derive(Serialize, Deserialize)]
+#[serde(rename_all = "kebab-case")]
+#[allow(non_camel_case_types)]
+pub enum DeletableProperty {
+    /// Delete the comment property.
+    comment,
+    /// Delete the client-key property.
+    client_key,
+    /// Delete the autocreate property.
+    autocreate,
+}
+
+#[api(
+    protected: true,
+    input: {
+        properties: {
+            realm: {
+                schema: REALM_ID_SCHEMA,
+            },
+            comment: {
+                optional: true,
+                schema: SINGLE_LINE_COMMENT_SCHEMA,
+            },
+            "issuer-url": {
+                description: "OpenID Issuer Url",
+                type: String,
+                optional: true,
+            },
+            "client-id": {
+                description: "OpenID Client ID",
+                type: String,
+                optional: true,
+            },
+            "client-key": {
+                description: "OpenID Client Key",
+                type: String,
+                optional: true,
+            },
+            autocreate: {
+                description: "Automatically create users if they do not exist.",
+                optional: true,
+                type: bool,
+            },
+            delete: {
+                description: "List of properties to delete.",
+                type: Array,
+                optional: true,
+                items: {
+                    type: DeletableProperty,
+                }
+            },
+            digest: {
+                optional: true,
+                schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
+            },
+        },
+    },
+    access: {
+        permission: &Permission::Privilege(&["access", "domains"], PRIV_REALM_ALLOCATE, false),
+    },
+)]
+/// Update a realm
+fn update_domain(
+    realm: String,
+    comment: Option<String>,
+    issuer_url: Option<String>,
+    client_id: Option<String>,
+    client_key: Option<String>,
+    autocreate: Option<bool>,
+    delete: Option<Vec<DeletableProperty>>,
+    digest: Option<String>,
+    _rpcenv: &mut dyn RpcEnvironment,
+) -> Result<(), Error> {
+    let _lock = config::domains::lock_config()?;
+
+    let (mut config, expected_digest) = config::domains::config()?;
+
+    if let Some(ref digest) = digest {
+        let digest = proxmox::tools::hex_to_digest(digest)?;
+        crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
+    }
+
+    // only have to worry about openid for now
+    let mut data: OpenIdRealmConfig = config.lookup("openid", realm.as_str())?;
+
+    if let Some(delete) = delete {
+        for delete_prop in delete {
+            match delete_prop {
+                DeletableProperty::comment => data.comment = None,
+                DeletableProperty::client_key => data.client_key = None,
+                DeletableProperty::autocreate => data.autocreate = None,
+            }
+        }
+    }
+
+    if let Some(comment) = comment {
+        let comment = comment.trim().to_string();
+        if comment.is_empty() {
+            data.comment = None;
+        } else {
+            data.comment = Some(comment);
+        }
+    }
+
+    if let Some(issuer_url) = issuer_url {
+        data.issuer_url = issuer_url
+    };
+    if let Some(client_id) = client_id {
+        data.client_id = client_id
+    };
+    if let Some(client_key) = client_key {
+        data.client_key = if client_key.is_empty() {
+            None
+        } else {
+            Some(client_key)
+        };
+    };
+    if let Some(autocreate) = autocreate {
+        data.autocreate = Some(autocreate)
+    };
+
+    config.set_data(&realm, "openid", &data)?;
+
+    config::domains::save_config(&config)?;
+
+    Ok(())
+}
+
+#[api(
+    protected: true,
+    input: {
+        properties: {
+            realm: {
+                schema: REALM_ID_SCHEMA,
+            },
+            digest: {
+                optional: true,
+                schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
+            },
+        },
+    },
+    access: {
+        permission: &Permission::Privilege(&["access", "domains"], PRIV_REALM_ALLOCATE, false),
+    },
+)]
+/// Delete a realm
+fn delete_domain(realm: String, digest: Option<String>) -> Result<(), Error> {
+    if realm == "pam" || realm == "pbs" {
+        bail!("cannot remove realm '{}'", realm);
+    }
+    let _lock = config::domains::lock_config()?;
+
+    let (mut config, expected_digest) = config::domains::config()?;
+
+    if let Some(ref digest) = digest {
+        let digest = proxmox::tools::hex_to_digest(digest)?;
+        crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
+    }
+
+    match config.sections.get(&realm) {
+        Some(_) => {
+            config.sections.remove(&realm);
+        }
+        None => bail!("realm '{}' does not exist.", realm),
+    }
+
+    config::domains::save_config(&config)?;
+
+    Ok(())
+}
+
 pub const ROUTER: Router = Router::new()
-    .get(&API_METHOD_LIST_DOMAINS);
+    .get(&API_METHOD_LIST_DOMAINS)
+    .post(&API_METHOD_CREATE_DOMAIN)
+    .match_all("realm", &DOMAIN_ROUTER);
+
+const DOMAIN_ROUTER: Router = Router::new()
+    .get(&API_METHOD_GET_DOMAIN)
+    .put(&API_METHOD_UPDATE_DOMAIN)
+    .delete(&API_METHOD_DELETE_DOMAIN);
-- 
2.30.2






More information about the pbs-devel mailing list