[pbs-devel] [PATCH proxmox-backup 4/6] api: access: domains: add get/create/update/delete domain call
Dominik Csapak
d.csapak at proxmox.com
Fri Jul 9 13:43:59 CEST 2021
modeled like our other section config api calls
two drawbacks of doing it this way:
* we have to copy some api properties again for the update call,
since not all of them are updateable (username-claim)
* we only handle openid for now, which we would have to change
when we add ldap/ad
Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
src/api2/access/domain.rs | 280 +++++++++++++++++++++++++++++++++++++-
1 file changed, 277 insertions(+), 3 deletions(-)
diff --git a/src/api2/access/domain.rs b/src/api2/access/domain.rs
index c850603a..6b1a4743 100644
--- a/src/api2/access/domain.rs
+++ b/src/api2/access/domain.rs
@@ -1,6 +1,6 @@
//! List Authentication domains/realms
-use anyhow::{Error};
+use anyhow::{bail, Error};
use serde::{Deserialize, Serialize};
use serde_json::{json, Value};
@@ -8,7 +8,11 @@ use serde_json::{json, Value};
use proxmox::api::{api, Permission, Router, RpcEnvironment};
use crate::api2::types::*;
-use crate::config::domains::{OpenIdRealmConfig, OpenIdUserAttribute};
+use crate::config::{
+ self,
+ acl::{PRIV_REALM_ALLOCATE, PRIV_SYS_AUDIT},
+ domains::{OpenIdRealmConfig, OpenIdUserAttribute},
+};
#[api]
#[derive(Deserialize, Serialize, PartialEq, Eq)]
@@ -158,5 +162,275 @@ fn list_domains(mut rpcenv: &mut dyn RpcEnvironment) -> Result<Vec<BasicRealmInf
Ok(list)
}
+#[api(
+ input: {
+ properties: {
+ realm: {
+ schema: REALM_ID_SCHEMA,
+ },
+ },
+ },
+ returns: {
+ type: RealmInfo,
+ },
+ access: {
+ permission: &Permission::Privilege(&["access", "domains"], PRIV_SYS_AUDIT | PRIV_REALM_ALLOCATE, true),
+ },
+)]
+/// Get information about a realm
+fn get_domain(realm: String, mut rpcenv: &mut dyn RpcEnvironment) -> Result<RealmInfo, Error> {
+ let entry = match realm.as_str() {
+ "pam" => json!({
+ "realm": "pam",
+ "type": "pam",
+ "comment": "Linux PAM standard authentication",
+ "default": Some(true),
+ }),
+ "pbs" => json!({
+ "realm": "pbs",
+ "type": "pbs",
+ "comment": "Proxmox Backup authentication server",
+ }),
+ _ => {
+ let (config, digest) = config::domains::config()?;
+ rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();
+ if let Some((section_type, v)) = config.sections.get(&realm) {
+ let mut entry = v.clone();
+ entry["type"] = Value::from(section_type.clone());
+ entry
+ } else {
+ bail!("domain '{}' does not exist", realm);
+ }
+ }
+ };
+
+ Ok(serde_json::from_value(entry)?)
+}
+
+#[api(
+ protected: true,
+ input: {
+ properties: {
+ info: {
+ type: RealmInfo,
+ flatten: true,
+ },
+ },
+ },
+ access: {
+ permission: &Permission::Privilege(&["access", "domains"], PRIV_REALM_ALLOCATE, false),
+ },
+)]
+/// Create a realm
+fn create_domain(param: Value) -> Result<(), Error> {
+ let basic_info: BasicRealmInfo = serde_json::from_value(param.clone())?;
+
+ // for now we only have to care about openid
+ if basic_info.ty != RealmType::OpenId {
+ bail!(
+ "Cannot create realm of type '{}'",
+ serde_json::to_string(&basic_info.ty)?
+ );
+ }
+
+ let new_realm: OpenIdRealmConfig = serde_json::from_value(param)?;
+ let _lock = config::domains::lock_config()?;
+
+ let (mut config, _digest) = config::domains::config()?;
+
+ let existing: Vec<OpenIdRealmConfig> = config.convert_to_typed_array("openid")?;
+
+ for realm in existing {
+ if realm.realm == new_realm.realm {
+ bail!("Entry '{}' already exists", realm.realm);
+ }
+ }
+
+ config.set_data(&new_realm.realm, "openid", &new_realm)?;
+
+ config::domains::save_config(&config)?;
+
+ Ok(())
+}
+
+#[api]
+#[derive(Serialize, Deserialize)]
+#[serde(rename_all = "kebab-case")]
+#[allow(non_camel_case_types)]
+pub enum DeletableProperty {
+ /// Delete the comment property.
+ comment,
+ /// Delete the client-key property.
+ client_key,
+ /// Delete the autocreate property.
+ autocreate,
+}
+
+#[api(
+ protected: true,
+ input: {
+ properties: {
+ realm: {
+ schema: REALM_ID_SCHEMA,
+ },
+ comment: {
+ optional: true,
+ schema: SINGLE_LINE_COMMENT_SCHEMA,
+ },
+ "issuer-url": {
+ description: "OpenID Issuer Url",
+ type: String,
+ optional: true,
+ },
+ "client-id": {
+ description: "OpenID Client ID",
+ type: String,
+ optional: true,
+ },
+ "client-key": {
+ description: "OpenID Client Key",
+ type: String,
+ optional: true,
+ },
+ autocreate: {
+ description: "Automatically create users if they do not exist.",
+ optional: true,
+ type: bool,
+ },
+ delete: {
+ description: "List of properties to delete.",
+ type: Array,
+ optional: true,
+ items: {
+ type: DeletableProperty,
+ }
+ },
+ digest: {
+ optional: true,
+ schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
+ },
+ },
+ },
+ access: {
+ permission: &Permission::Privilege(&["access", "domains"], PRIV_REALM_ALLOCATE, false),
+ },
+)]
+/// Update a realm
+fn update_domain(
+ realm: String,
+ comment: Option<String>,
+ issuer_url: Option<String>,
+ client_id: Option<String>,
+ client_key: Option<String>,
+ autocreate: Option<bool>,
+ delete: Option<Vec<DeletableProperty>>,
+ digest: Option<String>,
+ _rpcenv: &mut dyn RpcEnvironment,
+) -> Result<(), Error> {
+ let _lock = config::domains::lock_config()?;
+
+ let (mut config, expected_digest) = config::domains::config()?;
+
+ if let Some(ref digest) = digest {
+ let digest = proxmox::tools::hex_to_digest(digest)?;
+ crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
+ }
+
+ // only have to worry about openid for now
+ let mut data: OpenIdRealmConfig = config.lookup("openid", realm.as_str())?;
+
+ if let Some(delete) = delete {
+ for delete_prop in delete {
+ match delete_prop {
+ DeletableProperty::comment => data.comment = None,
+ DeletableProperty::client_key => data.client_key = None,
+ DeletableProperty::autocreate => data.autocreate = None,
+ }
+ }
+ }
+
+ if let Some(comment) = comment {
+ let comment = comment.trim().to_string();
+ if comment.is_empty() {
+ data.comment = None;
+ } else {
+ data.comment = Some(comment);
+ }
+ }
+
+ if let Some(issuer_url) = issuer_url {
+ data.issuer_url = issuer_url
+ };
+ if let Some(client_id) = client_id {
+ data.client_id = client_id
+ };
+ if let Some(client_key) = client_key {
+ data.client_key = if client_key.is_empty() {
+ None
+ } else {
+ Some(client_key)
+ };
+ };
+ if let Some(autocreate) = autocreate {
+ data.autocreate = Some(autocreate)
+ };
+
+ config.set_data(&realm, "openid", &data)?;
+
+ config::domains::save_config(&config)?;
+
+ Ok(())
+}
+
+#[api(
+ protected: true,
+ input: {
+ properties: {
+ realm: {
+ schema: REALM_ID_SCHEMA,
+ },
+ digest: {
+ optional: true,
+ schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
+ },
+ },
+ },
+ access: {
+ permission: &Permission::Privilege(&["access", "domains"], PRIV_REALM_ALLOCATE, false),
+ },
+)]
+/// Delete a realm
+fn delete_domain(realm: String, digest: Option<String>) -> Result<(), Error> {
+ if realm == "pam" || realm == "pbs" {
+ bail!("cannot remove realm '{}'", realm);
+ }
+ let _lock = config::domains::lock_config()?;
+
+ let (mut config, expected_digest) = config::domains::config()?;
+
+ if let Some(ref digest) = digest {
+ let digest = proxmox::tools::hex_to_digest(digest)?;
+ crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
+ }
+
+ match config.sections.get(&realm) {
+ Some(_) => {
+ config.sections.remove(&realm);
+ }
+ None => bail!("realm '{}' does not exist.", realm),
+ }
+
+ config::domains::save_config(&config)?;
+
+ Ok(())
+}
+
pub const ROUTER: Router = Router::new()
- .get(&API_METHOD_LIST_DOMAINS);
+ .get(&API_METHOD_LIST_DOMAINS)
+ .post(&API_METHOD_CREATE_DOMAIN)
+ .match_all("realm", &DOMAIN_ROUTER);
+
+const DOMAIN_ROUTER: Router = Router::new()
+ .get(&API_METHOD_GET_DOMAIN)
+ .put(&API_METHOD_UPDATE_DOMAIN)
+ .delete(&API_METHOD_DELETE_DOMAIN);
--
2.30.2
More information about the pbs-devel
mailing list