[pve-devel] [PATCH access-control 4/4] domain sync: add 'no-write' parameter
Dominik Csapak
d.csapak at proxmox.com
Mon Apr 6 13:31:54 CEST 2020
this can be used to test the resulting config before actually changing
anything
Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
PVE/API2/Domains.pm | 50 +++++++++++++++++++++++++++++++++++++++++----
1 file changed, 46 insertions(+), 4 deletions(-)
diff --git a/PVE/API2/Domains.pm b/PVE/API2/Domains.pm
index b42d4f6..1a5700e 100644
--- a/PVE/API2/Domains.pm
+++ b/PVE/API2/Domains.pm
@@ -341,6 +341,33 @@ my $update_groups = sub {
}
};
+my $print_users_and_groups = sub {
+ my ($config, $realm, $scope) = @_;
+
+ my $tmp_config = {
+ users => {},
+ groups => {},
+ };
+
+ if ($scope eq 'users' || $scope eq 'both') {
+ foreach my $userid (sort keys %{$config->{users}}) {
+ next if $userid !~ m/\@$realm$/;
+ $tmp_config->{users}->{$userid} = $config->{users}->{$userid};
+ }
+ }
+ if ($scope eq 'groups' || $scope eq 'both') {
+ foreach my $groupid (sort keys %{$config->{groups}}) {
+ next if $groupid !~ m/-$realm$/;
+ $tmp_config->{groups}->{$groupid} = $config->{groups}->{$groupid};
+ }
+ }
+
+ my $res = PVE::AccessControl::write_user_config("", $tmp_config);
+ $res =~ s/\n{2,}$/\n/m; # remove trailing empty lines
+ $res =~ s/^\n+//m; # remove preceding empty lines
+ print $res;
+};
+
my $parse_sync_opts = sub {
my ($param, $realmconfig) = @_;
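Review bot: `$realm` is interpolated unquoted into both filter patterns in `$print_users_and_groups` (`m/\@$realm$/` and `m/-$realm$/`), so any regex metacharacter in a realm name is read as pattern syntax. If realm names may contain a `.`, for instance, the dry-run preview could list users or groups of a different, similarly named realm, which makes the preview misleading as a pre-change check. Quoting the name and anchoring at the true end of the string avoids that: `next if $userid !~ m/\@\Q$realm\E\z/;` and `next if $groupid !~ m/-\Q$realm\E\z/;`. Separately, the two cleanup substitutions carry `/m`, so `^` and `$` also match at interior line boundaries and `s/^\n+//m` can drop the first blank line inside the text instead of only leading ones; `\A` and `\z` without `/m` would match what the comments say.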
@@ -386,7 +413,13 @@ __PACKAGE__->register_method ({
additionalProperties => 0,
properties => get_standard_option('realm-sync-options', {
realm => get_standard_option('realm'),
- })
+ 'no-write' => {
+ description => "If set, does not write anything.",
+ type => 'boolean',
+ optional => 1,
+ default => 0,
+ },
+ }),
},
returns => {
description => 'Worker Task-UPID',
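Review bot: The description `"If set, does not write anything."` does not tell the API user what the call does instead. A later hunk of this patch prints the resulting user and group config lines from inside the worker, so the text could read `description => "If set, does not write anything; the resulting user and group entries are printed to the task output instead.",`. Since that output presumably ends up in the task log, it is worth stating there as well that the preview is visible to anyone who may read that task's log. The enclosing `register_method` call starts and ends outside this hunk.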
@@ -398,6 +431,8 @@ __PACKAGE__->register_method ({
my $rpcenv = PVE::RPCEnvironment::get();
my $authuser = $rpcenv->get_user();
+ my $write = !(extract_param($param, 'no-write'));
+
my $realm = $param->{realm};
my $cfg = cfs_read_file($domainconfigfile);
my $realmconfig = $cfg->{ids}->{$realm};
@@ -437,12 +472,19 @@ __PACKAGE__->register_method ({
$update_groups->($usercfg, $realm, $synced_groups, $opts);
}
- cfs_write_file("user.cfg", $usercfg);
- print "successfully updated $whatstring configuration\n";
+ cfs_write_file("user.cfg", $usercfg) if $write;
+ print "successfully updated $whatstring configuration\n" if $write;
+ if (!$write) {
+ print "\nresulting user/group config lines:\n";
+ print "-----------\n";
+ $print_users_and_groups->($usercfg, $realm, $scope);
+ print "-----------\n";
+ }
}, "syncing $whatstring failed");
};
- return $rpcenv->fork_worker('auth-realm-sync', $realm, $authuser, $worker);
+ my $workerid = $write ? 'auth-realm-sync' : 'auth-realm-sync-test';
+ return $rpcenv->fork_worker($workerid, $realm, $authuser, $worker);
}});
1;
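Review bot: The write path and the dry-run path are selected by three separate tests of the same flag (`... if $write;` twice, then `if (!$write) { ... }`), which makes it easy for a later edit to add a side effect that runs in both modes. A single `if ($write) { ... } else { ... }` with `cfs_write_file("user.cfg", $usercfg);` and the success message in the first branch and the preview in the second keeps everything that modifies state in one visibly guarded place. A short comment on the `else` branch such as `# dry run: nothing is written, only the resulting entries are printed` would also help. The worker closure and the enclosing `register_method` call begin outside this hunk, so whether anything earlier in the worker writes state in dry-run mode cannot be judged from here.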
--
2.20.1