[pve-devel] [PATCH access-control 4/4] domain sync: add 'no-write' parameter

Dominik Csapak d.csapak at proxmox.com
Mon Apr 6 13:31:54 CEST 2020


this can be used to test the resulting config before actually changing
anything

Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
 PVE/API2/Domains.pm | 50 +++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 46 insertions(+), 4 deletions(-)

diff --git a/PVE/API2/Domains.pm b/PVE/API2/Domains.pm
index b42d4f6..1a5700e 100644
--- a/PVE/API2/Domains.pm
+++ b/PVE/API2/Domains.pm
@@ -341,6 +341,33 @@ my $update_groups = sub {
     }
 };
 
+my $print_users_and_groups = sub {
+    my ($config, $realm, $scope) = @_;
+
+    my $tmp_config = {
+	users => {},
+	groups => {},
+    };
+
+    if ($scope eq 'users' || $scope eq 'both') {
+	foreach my $userid (sort keys %{$config->{users}}) {
+	    next if $userid !~ m/\@$realm$/;
+	    $tmp_config->{users}->{$userid} = $config->{users}->{$userid};
+	}
+    }
+    if ($scope eq 'groups' || $scope eq 'both') {
+	foreach my $groupid (sort keys %{$config->{groups}}) {
+	    next if $groupid !~ m/-$realm$/;
+	    $tmp_config->{groups}->{$groupid} = $config->{groups}->{$groupid};
+	}
+    }
+
+    my $res = PVE::AccessControl::write_user_config("", $tmp_config);
+    $res =~ s/\n{2,}$/\n/m; # remove trailing empty lines
+    $res =~ s/^\n+//m; # remove preceding empty lines
+    print $res;
+};
+
 my $parse_sync_opts = sub {
     my ($param, $realmconfig) = @_;
 
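Review bot: The realm filters in `$print_users_and_groups` interpolate `$realm` into the patterns unescaped (`m/\@$realm$/` and `m/-$realm$/`), so any regex metacharacter in a realm name, a `.` for instance, matches more than the literal name and the dry-run preview can list entries that belong to a different realm. Quoting the value and anchoring at the real end of the string avoids that: `next if $userid !~ m/\@\Q$realm\E\z/;` and `next if $groupid !~ m/-\Q$realm\E\z/;`. Separately, the `/m` flag on the two trimming substitutions lets `^` and `$` match at interior line breaks, so they can remove a blank line in the middle of the output instead of only at the ends; `\A` and `\z` without `/m` would do what the comments say.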
@@ -386,7 +413,13 @@ __PACKAGE__->register_method ({
 	additionalProperties => 0,
 	properties => get_standard_option('realm-sync-options', {
 	    realm => get_standard_option('realm'),
-	})
+	    'no-write' => {
+		description => "If set, does not write anything.",
+		type => 'boolean',
+		optional => 1,
+		default => 0,
+	    },
+	}),
     },
     returns => {
 	description => 'Worker Task-UPID',
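Review bot: The `no-write` description states only what is skipped, not what the caller gets instead, and that matters here because the dry run still performs the sync against the directory and prints the resulting config lines into the task log. I would spell that out in the schema, e.g. `description => "If set, nothing is written; the resulting user/group config lines are printed to the task log instead.",`. The permission block for this method is outside the hunk, so whether the existing check is also the right one for the preview output cannot be judged from here.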
@@ -398,6 +431,8 @@ __PACKAGE__->register_method ({
 	my $rpcenv = PVE::RPCEnvironment::get();
 	my $authuser = $rpcenv->get_user();
 
+	my $write = !(extract_param($param, 'no-write'));
+
 	my $realm = $param->{realm};
 	my $cfg = cfs_read_file($domainconfigfile);
 	my $realmconfig = $cfg->{ids}->{$realm};
@@ -437,12 +472,19 @@ __PACKAGE__->register_method ({
 		    $update_groups->($usercfg, $realm, $synced_groups, $opts);
 		}
 
-		cfs_write_file("user.cfg", $usercfg);
-		print "successfully updated $whatstring configuration\n";
+		cfs_write_file("user.cfg", $usercfg) if $write;
+		print "successfully updated $whatstring configuration\n" if $write;
+		if (!$write) {
+		    print "\nresulting user/group config lines:\n";
+		    print "-----------\n";
+		    $print_users_and_groups->($usercfg, $realm, $scope);
+		    print "-----------\n";
+		}
 	    }, "syncing $whatstring failed");
 	};
 
-	return $rpcenv->fork_worker('auth-realm-sync', $realm, $authuser, $worker);
+	my $workerid = $write ? 'auth-realm-sync' : 'auth-realm-sync-test';
+	return $rpcenv->fork_worker($workerid, $realm, $authuser, $worker);
     }});
 
 1;
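Review bot: In the `if (!$write)` branch the worker prints every user and group line of the realm, exactly as `write_user_config` serializes them, into the task log, which moves the contents of user.cfg into a place that is probably readable by a wider audience than the file itself. If the serialized user lines carry anything sensitive (I believe they include the per-user `keys` field — please confirm), the preview should blank those fields before printing, or at least carry a comment such as `# dry-run: full user.cfg lines for this realm end up in the task log`. As a smaller style point, the two `... if $write;` statements followed by `if (!$write) { ... }` read more clearly as a single `if ($write) { ... } else { ... }`. The enclosing worker sub and the locked section start outside this hunk.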
-- 
2.20.1




