[pbs-devel] [PATCH proxmox-backup v2 07/15] api: access: add routes for managing AD realms
Fabian Grünbichler
f.gruenbichler at proxmox.com
Tue Nov 28 09:23:51 CET 2023
On August 16, 2023 4:47 pm, Christoph Heiss wrote:
> [..]
> diff --git a/src/api2/config/access/ad.rs b/src/api2/config/access/ad.rs
> new file mode 100644
> index 00000000..c202291a
> --- /dev/null
> +++ b/src/api2/config/access/ad.rs
> @@ -0,0 +1,348 @@
> +use anyhow::{bail, format_err, Error};
> +use hex::FromHex;
> +use serde::{Deserialize, Serialize};
> +use serde_json::Value;
>
> [..]
>
> +#[api(
> + input: {
> + properties: {},
> + },
> + returns: {
> + description: "List of configured AD realms.",
> + type: Array,
> + items: { type: AdRealmConfig },
> + },
> + access: {
> + permission: &Permission::Privilege(&["access", "domains"], PRIV_REALM_ALLOCATE, false),
this one here
> + },
> +)]
> +/// List configured AD realms
> +pub fn list_ad_realms(
> + _param: Value,
> + rpcenv: &mut dyn RpcEnvironment,
> +) -> Result<Vec<AdRealmConfig>, Error> {
> + let (config, digest) = domains::config()?;
> +
> + let list = config.convert_to_typed_array("ad")?;
> +
> + rpcenv["digest"] = hex::encode(digest).into();
> +
> + Ok(list)
> +}
> +
> [..]
> +
> +#[api(
> + input: {
> + properties: {
> + realm: {
> + schema: REALM_ID_SCHEMA,
> + },
> + },
> + },
> + returns: { type: AdRealmConfig },
> + access: {
> + permission: &Permission::Privilege(&["access", "domains"], PRIV_SYS_AUDIT, false),
and this one here don't really agree - copied over from LDAP ;)
also, maybe this one here should check on /access/domains/{realm}
(although that might be postponed to do it in sync with the other
endpoint(s), but it would be more in line with how we handle entity ACLs
in general).
> + },
> +)]
> +/// Read the AD realm configuration
> +pub fn read_ad_realm(
> + realm: String,
> + rpcenv: &mut dyn RpcEnvironment,
> +) -> Result<AdRealmConfig, Error> {
> + let (domains, digest) = domains::config()?;
> +
> + let config = domains.lookup("ad", &realm)?;
> +
> + rpcenv["digest"] = hex::encode(digest).into();
> +
> + Ok(config)
> +}
> +
> [..]
> +
> +#[api(
> + protected: true,
> + input: {
> + properties: {
> + realm: {
> + schema: REALM_ID_SCHEMA,
> + },
> + update: {
> + type: AdRealmConfigUpdater,
> + flatten: true,
> + },
> + password: {
> + description: "AD bind password",
> + optional: true,
> + },
> + delete: {
> + description: "List of properties to delete.",
> + type: Array,
> + optional: true,
> + items: {
> + type: DeletableProperty,
> + }
> + },
> + digest: {
> + optional: true,
> + schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
> + },
> + },
> + },
> + returns: { type: AdRealmConfig },
> + access: {
> + permission: &Permission::Privilege(&["access", "domains"], PRIV_REALM_ALLOCATE, false),
> + },
> +)]
this one here might check on /access/domains/{realm} as well - but the
same caveat as above applies, ideally we'd change that together with the
LDAP one at least.
> +/// Update an AD realm configuration
> +pub async fn update_ad_realm(
> + realm: String,
> + update: AdRealmConfigUpdater,
> + password: Option<String>,
> + delete: Option<Vec<DeletableProperty>>,
> + digest: Option<String>,
> + _rpcenv: &mut dyn RpcEnvironment,
> +) -> Result<(), Error> {
> + let domain_config_lock = domains::lock_config()?;
> +
> + let (mut domains, expected_digest) = domains::config()?;
> +
> + if let Some(ref digest) = digest {
> + let digest = <[u8; 32]>::from_hex(digest)?;
> + crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
> + }
> +
> + let mut config: AdRealmConfig = domains.lookup("ad", &realm)?;
> +
>
> [..]
>
> + domains::save_config(&domains)?;
> +
> + Ok(())
> +}
> +
> +async fn retrieve_default_naming_context(ldap_config: &LdapConfig) -> Result<String, Error> {
> + let conn = Connection::new(ldap_config.clone());
> + match conn.retrieve_root_dse_attr("defaultNamingContext").await {
> + Ok(base_dn) if !base_dn.is_empty() => Ok(base_dn[0].clone()),
> + Ok(_) => bail!("server did not provide `defaultNamingContext`"),
> + Err(err) => bail!("failed to determine base_dn: {err}"),
> + }
> +}
> +
> +const ITEM_ROUTER: Router = Router::new()
> + .get(&API_METHOD_READ_AD_REALM)
> + .put(&API_METHOD_UPDATE_AD_REALM)
> + .delete(&super::ldap::API_METHOD_DELETE_LDAP_REALM);
this seems a bit weird - as in - why doesn't that endpoint check that
it's actually being passed an LDAP realm?
> +
> +pub const ROUTER: Router = Router::new()
> + .get(&API_METHOD_LIST_AD_REALMS)
> + .post(&API_METHOD_CREATE_AD_REALM)
> + .match_all("realm", &ITEM_ROUTER);
More information about the pbs-devel
mailing list