[pve-devel] r4989 - pve-access-control/trunk

svn-commits at proxmox.com svn-commits at proxmox.com
Thu Aug 12 16:17:46 CEST 2010


Author: dietmar
Date: 2010-08-12 14:17:46 +0000 (Thu, 12 Aug 2010)
New Revision: 4989

Added:
   pve-access-control/trunk/Role.pm
Modified:
   pve-access-control/trunk/AccessControl.pm
   pve-access-control/trunk/ChangeLog
   pve-access-control/trunk/Group.pm
   pve-access-control/trunk/Makefile
   pve-access-control/trunk/User.pm
   pve-access-control/trunk/pveum
Log:
	(delete_role): moved to Role.pm
	(modify_role): moved to Role.pm



Modified: pve-access-control/trunk/AccessControl.pm
===================================================================
--- pve-access-control/trunk/AccessControl.pm	2010-08-12 13:07:15 UTC (rev 4988)
+++ pve-access-control/trunk/AccessControl.pm	2010-08-12 14:17:46 UTC (rev 4989)
@@ -537,62 +537,22 @@
     port => '\d*',
 };
 
-sub modify_role {
-    my ($role, $opts) = @_;
+sub add_role_privs {
+    my ($role, $usercfg, $privs) = @_;
 
-    lock_user_config(sub {
-	
-	my $usercfg = read_file($userconfigpath);
+    return if !$privs;
 
-	verify_rolename($role);
+    die "role '$role' does not exist\n" if !$usercfg->{roles}->{$role};
 
-	if ($opts->{create}) {
-	    die "can't add role '$role' - role already exists\n" if $usercfg->{roles}->{$role};	
-	    $usercfg->{roles}->{$role} = {};
-	}
-
-	die "role '$role' does not exist\n" if !$usercfg->{roles}->{$role};
-
-	$usercfg->{roles}->{$role} = {} if !$opts->{append};
-	if ($opts->{privs}) {
-	    foreach my $priv (split_list($opts->{privs})) {
-		if ($usercfg->{roles}->{$role} && defined ($valid_privs->{$priv})) {
-		    $usercfg->{roles}->{$role}->{$priv} = 1;
-		} else {
-		    warn "modify role - ignore invalid priviledge '$priv'\n";
-		} 
-	    }	
-	}
-
-	write_file($userconfigpath, $usercfg);
-    });
-
-    my $err = $@;
-
-    die "modify role failed: $err" if $err;
+    foreach my $priv (split_list($privs)) {
+	if (defined ($valid_privs->{$priv})) {
+	    $usercfg->{roles}->{$role}->{$priv} = 1;
+	} else {
+	    die "invalid priviledge '$priv'\n";
+	} 
+    }	
 }
 
-sub delete_role {
-    
-    my ($role) = @_;
-
-    lock_user_config(sub {
-
-	my $usercfg = read_file($userconfigpath);
-
-	verify_rolename($role);
-
-	delete ($usercfg->{roles}->{$role})
-	    if $usercfg->{roles}->{$role};
-
-	write_file($userconfigpath, $usercfg);
-    });
-
-    my $err = $@;
-
-    die "delete role '$role' failed: $err" if $err;
-}
-
 sub split_list {
     my $listtxt = shift || '';
 
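Review bot: The new `add_role_privs` relies on its caller to already hold the user-config lock and to have run `verify_rolename($role)`, but nothing in the helper says so, and the `die` message in the invalid-privilege branch misspells the word as `priviledge`, which users of the API and CLI will see. Add a header comment such as `# Caller must hold lock_user_config() and must have validated $role; dies on an unknown privilege and never touches the config file itself.` and change the message to `die "invalid privilege '$priv'\n";`. Replacing the former warn-and-skip with a die is the right call, since an unknown privilege now aborts the whole write instead of being dropped silently; note however that `$usercfg->{roles}->{$role}` is already mutated when the die fires, so a caller must not write the config on the error path. The hunk ends inside `split_list`, whose body continues outside it.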

Modified: pve-access-control/trunk/ChangeLog
===================================================================
--- pve-access-control/trunk/ChangeLog	2010-08-12 13:07:15 UTC (rev 4988)
+++ pve-access-control/trunk/ChangeLog	2010-08-12 14:17:46 UTC (rev 4989)
@@ -2,6 +2,8 @@
 
 	* AccessControl.pm (add_group): moved to Group.pm
 	(delete_group): moved to Group.pm
+	(delete_role): moved to Role.pm
+	(modify_role): moved to Role.pm
 
 	* User.pm: strict error checking - use 'die' instead of 'warn'
 

Modified: pve-access-control/trunk/Group.pm
===================================================================
--- pve-access-control/trunk/Group.pm	2010-08-12 13:07:15 UTC (rev 4988)
+++ pve-access-control/trunk/Group.pm	2010-08-12 14:17:46 UTC (rev 4989)
@@ -103,11 +103,16 @@
     code => sub {
 	my ($conn, $resp, $param) = @_;
 
+	my $group = $param->{groupid};
+
+	PVE::AccessControl::verify_groupname($group);
+
 	my $usercfg = read_file("usercfg");
  
-	my $data = $usercfg->{groups}->{$param->{groupid}};
-	die "no such group\n" if !$data;
+	my $data = $usercfg->{groups}->{$group};
 
+	die "group '$group' does not exist\n" if !$data;
+
 	return $data;
     }});
 

Modified: pve-access-control/trunk/Makefile
===================================================================
--- pve-access-control/trunk/Makefile	2010-08-12 13:07:15 UTC (rev 4988)
+++ pve-access-control/trunk/Makefile	2010-08-12 14:17:46 UTC (rev 4989)
@@ -17,6 +17,7 @@
 DEB=${PACKAGE}_${VERSION}-${PKGREL}_${ARCH}.deb
 
 API2_SOURCES= 		\
+	Role.pm		\
 	Group.pm	\
 	User.pm
 

Added: pve-access-control/trunk/Role.pm
===================================================================
--- pve-access-control/trunk/Role.pm	                        (rev 0)
+++ pve-access-control/trunk/Role.pm	2010-08-12 14:17:46 UTC (rev 4989)
@@ -0,0 +1,213 @@
+package PVE::API2::Role;
+
+use strict;
+use warnings;
+use PVE::INotify qw (read_file write_file);
+use PVE::AccessControl;
+
+use PVE::SafeSyslog;
+
+use Data::Dumper; # fixme: remove
+
+use PVE::RESTHandler;
+
+use base qw(PVE::RESTHandler);
+
+# fixme: index should return more/all attributes?
+__PACKAGE__->register_method ({
+    name => 'index', 
+    path => '', 
+    method => 'GET',
+    description => "Role index.",
+    parameters => {
+	additionalProperties => 0,
+	properties => {},
+    },
+    returns => {
+	type => 'array',
+	items => {
+	    type => "object",
+	    properties => {
+		id => { type => 'string' },
+	    },
+	},
+	links => [ { rel => 'child', href => "{id}" } ],
+    },
+    code => sub {
+	my ($conn, $resp, $param) = @_;
+    
+	my $res = [];
+
+	my $usercfg = read_file("usercfg");
+ 
+	foreach my $role (keys %{$usercfg->{roles}}) {
+	    push @$res, { id => $role };
+	}
+
+	return $res;
+    }});
+
+__PACKAGE__->register_method ({
+    name => 'create_role', 
+    protected => 1,
+    path => '{roleid}', 
+    method => 'POST',
+    description => "Create new role.",
+    parameters => {
+   	additionalProperties => 0,
+	properties => {
+	    roleid => { type => 'string' },
+	    privs => { type => 'string', optional => 1 },
+	},
+    },
+    returns => { type => 'null' },
+    code => sub {
+	my ($conn, $resp, $param) = @_;
+
+	PVE::AccessControl::lock_user_config(
+	    sub {
+			
+		my $usercfg = read_file("usercfg");
+
+		my $role = $param->{roleid};
+
+		PVE::AccessControl::verify_rolename($role);
+	
+		die "role '$role' already exists\n" 
+		    if $usercfg->{roles}->{$role};
+
+		$usercfg->{roles}->{$role} = {};
+
+		PVE::AccessControl::add_role_privs($role, $usercfg, $param->{privs});
+
+		write_file("usercfg", $usercfg);
+	    });
+
+	my $err = $@;
+
+	die "create role failed: $err" if $err;
+
+	return undef;
+    }});
+
+__PACKAGE__->register_method ({
+    name => 'update_role', 
+    protected => 1,
+    path => '{roleid}', 
+    method => 'PUT',
+    description => "Create new role.",
+    parameters => {
+   	additionalProperties => 0,
+	properties => {
+	    roleid => { type => 'string' },
+	    privs => { type => 'string' },
+	    append => { 
+		type => 'boolean', 
+		optional => 1,
+		requires => 'privs',
+	    },
+	},
+    },
+    returns => { type => 'null' },
+    code => sub {
+	my ($conn, $resp, $param) = @_;
+
+	PVE::AccessControl::lock_user_config(
+	    sub {
+			
+		my $role = $param->{roleid};
+
+		PVE::AccessControl::verify_rolename($role);
+
+		my $usercfg = read_file("usercfg");
+	
+		die "role '$role' does not exist\n" 
+		    if !$usercfg->{roles}->{$role};
+
+		$usercfg->{roles}->{$role} = {} if !$param->{append};
+
+		PVE::AccessControl::add_role_privs($role, $usercfg, $param->{privs});
+
+		write_file("usercfg", $usercfg);
+	    });
+
+	my $err = $@;
+
+	die "update role failed: $err" if $err;
+
+	return undef;
+    }});
+
+# fixme: return format!
+__PACKAGE__->register_method ({
+    name => 'read_role', 
+    path => '{roleid}', 
+    method => 'GET',
+    description => "Get role configuration.",
+    parameters => {
+   	additionalProperties => 0,
+	properties => {
+	    roleid => { type => 'string' },
+	},
+    },
+    returns => {},
+    code => sub {
+	my ($conn, $resp, $param) = @_;
+
+	my $usercfg = read_file("usercfg");
+
+	my $role = $param->{roleid};
+
+	PVE::AccessControl::verify_rolename($role);
+ 
+	my $data = $usercfg->{roles}->{$role};
+
+	die "role '$role' does not exist\n" if !$data;
+
+	return $data;
+    }});
+
+
+__PACKAGE__->register_method ({
+    name => 'delete_role', 
+    protected => 1,
+    path => '{roleid}', 
+    method => 'DELETE',
+    description => "Delete role.",
+    parameters => {
+   	additionalProperties => 0,
+	properties => {
+	    roleid => { type => 'string' },
+	}
+    },
+    returns => { type => 'null' },
+    code => sub {
+	my ($conn, $resp, $param) = @_;
+
+	PVE::AccessControl::lock_user_config(
+	    sub {
+
+		my $role = $param->{roleid};
+
+		PVE::AccessControl::verify_rolename($role);
+ 
+		my $usercfg = read_file("usercfg");
+
+		die "role '$role' does not exist\n"
+		    if !$usercfg->{roles}->{$role};
+	
+		delete ($usercfg->{roles}->{$role});
+
+		# fixme: delete role from acl?
+
+		write_file("usercfg", $usercfg);
+	    });
+
+	my $err = $@;
+
+	die "delete role failed: $err" if $err;
+	
+	return undef;
+    }});
+
+1;
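Review bot: `delete_role` removes the entry from `$usercfg->{roles}` but, as its own `# fixme: delete role from acl?` admits, leaves any ACL entries that name the role in place; if the ACL store maps paths to role names (not visible in this hunk), a later `create_role` with the same id would silently reattach those grants to a new privilege set. Either refuse the delete while references exist, e.g. `die "role '$role' is still referenced by an ACL entry\n";`, or strip the references under the same lock before `write_file`. Two smaller points: `update_role`'s description is copy-pasted as `"Create new role."` and should read `"Update an existing role."`, and `use Data::Dumper; # fixme: remove` is a debug import that should not ship in the API module. The `my $err = $@;` pattern after each `lock_user_config` call assumes that helper traps the inner die in an eval and leaves `$@` set; that contract lives outside this hunk and is worth confirming.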

Modified: pve-access-control/trunk/User.pm
===================================================================
--- pve-access-control/trunk/User.pm	2010-08-12 13:07:15 UTC (rev 4988)
+++ pve-access-control/trunk/User.pm	2010-08-12 14:17:46 UTC (rev 4989)
@@ -145,11 +145,15 @@
     code => sub {
 	my ($conn, $resp, $param) = @_;
 
+	my ($username, undef, $domain) = 
+	    PVE::AccessControl::verify_username($param->{userid});
+
 	my $usercfg = read_file("usercfg");
  
-	my $data = $usercfg->{users}->{$param->{userid}};
-	die "no such user\n" if !$data;
+	my $data = $usercfg->{users}->{$username};
 
+	die "user '$username' does not exist\n" if !$data;
+
 	return $data;
     }});
 
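Review bot: `$domain` from `verify_username` is captured but never used in the handler, so the destructuring can be `my ($username) = PVE::AccessControl::verify_username($param->{userid});` unless the unused slot is meant to document the return shape. Looking up by the returned `$username` instead of the raw `$param->{userid}` is a good change, since the config key is then the verified form. The handler still returns the stored user hash as-is; if that record carries anything sensitive beyond display attributes (not visible in this hunk), the read endpoint should project a whitelist of fields rather than return the raw record. The enclosing `register_method` call starts outside the hunk.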

Modified: pve-access-control/trunk/pveum
===================================================================
--- pve-access-control/trunk/pveum	2010-08-12 13:07:15 UTC (rev 4988)
+++ pve-access-control/trunk/pveum	2010-08-12 14:17:46 UTC (rev 4989)
@@ -113,46 +113,26 @@
 
 } elsif ($cmd eq 'roleadd') {
 
-    my $opts = {};
-
-    if (!GetOptions ($opts, 'privs=s')) {
-        exit (-1);
-    }
-
     my $role = shift;
 
-    die "no role specified\n" if !$role;
+    PVE::API2::Role->cli_handler('create_role', \@ARGV, { roleid => $role });
 
-    $opts->{create} = 1;
- 
-    PVE::AccessControl::modify_role($role, $opts);
-
     exit(0);
 
 } elsif ($cmd eq 'rolemod') {
 
-    my $opts = {};
-
-    if (!GetOptions ($opts, 'append', 'privs=s')) {
-        exit (-1);
-    }
-
     my $role = shift;
 
-    die "no role specified\n" if !$role;
+    PVE::API2::Role->cli_handler('update_role', \@ARGV, { roleid => $role });
 
-    PVE::AccessControl::modify_role($role, $opts);
-
     exit(0);
 
 } elsif ($cmd eq 'roledel') {
 
     my $role = shift;
 
-    die "no role specified\n" if !$role;
+    PVE::API2::Role->cli_handler('delete_role', \@ARGV, { roleid => $role });
 
-    PVE::AccessControl::delete_role($role);
-
     exit(0);
 
 } elsif ($cmd eq 'aclmod') {
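Review bot: The `roleadd`, `rolemod` and `roledel` branches drop the former `die "no role specified\n" if !$role;` guard, so with no positional argument `roleid => undef` is handed to `cli_handler` and, unless the schema validator rejects the missing required parameter before the handler body runs (not visible here), `verify_rolename(undef)` is reached with a less helpful error than before. Restore the guard in each branch, `die "no role specified\n" if !$role;`, ahead of the `cli_handler` call. The remaining `@ARGV` (`--privs`, `--append`) now flows into the schema-driven handler in place of the per-command `GetOptions` lists; confirm it still rejects unknown options, as the registered methods declare `additionalProperties => 0`. The enclosing `if`/`elsif` chain starts and ends outside the hunk.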


