[pve-devel] [PATCH access-control 9/9] Domains: add sync API call

Dominik Csapak d.csapak at proxmox.com
Fri Mar 6 11:05:45 CET 2020 

this api call syncs the users and groups from LDAP/AD to the
user.cfg, by default only users, but can be configured

it also implements a 'prune' mode where we first delete all
users/groups from the config and sync them again

also add this command to pveum

Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
 PVE/API2/Domains.pm | 122 ++++++++++++++++++++++++++++++++++++++++++++
 PVE/CLI/pveum.pm    |   1 +
 2 files changed, 123 insertions(+)

diff --git a/PVE/API2/Domains.pm b/PVE/API2/Domains.pm
index 7f98e71..fea97dd 100644
--- a/PVE/API2/Domains.pm
+++ b/PVE/API2/Domains.pm
@@ -2,6 +2,7 @@ package PVE::API2::Domains;
 
 use strict;
 use warnings;
+use PVE::Exception qw(raise_param_exc);
 use PVE::Tools qw(extract_param);
 use PVE::Cluster qw (cfs_read_file cfs_write_file);
 use PVE::AccessControl;
@@ -244,4 +245,125 @@ __PACKAGE__->register_method ({
 	return undef;
     }});
 
+__PACKAGE__->register_method ({
+    name => 'sync',
+    path => '{realm}/sync',
+    method => 'POST',
+    permissions => {
+	description => "You need 'Realm.AllocateUser' on '/access/realm/<realm>' on the realm  and 'User.Modify' permissions to '/access/groups/'.",
+	check => [ 'and',
+		   [ 'userid-param', 'Realm.AllocateUser'],
+		   [ 'userid-group', ['User.Modify']],
+	    ],
+    },
+    description => "Syncs users and/or groups from LDAP to user.cfg. ".
+		   "NOTE: Synced groups will have the name 'name-\$realm', so ".
+		   "make sure those groups do not exist to prevent overwriting.",
+    protected => 1,
+    parameters => {
+	additionalProperties => 0,
+	properties => {
+	    realm =>  get_standard_option('realm'),
+	    scope => {
+		description => "Select what to sync.",
+		type => 'string',
+		enum => [qw(users groups both)],
+		optional => 1,
+		default => 'users',
+	    },
+	    prune => {
+		description => "Remove users/groups from realm which do not exist in LDAP.",
+		type => 'boolean',
+		optional => 1,
+		default => 0,
+	    },
+	}
+    },
+    returns => { type => 'null' },
+    code => sub {
+	my ($param) = @_;
+
+	my $rpcenv = PVE::RPCEnvironment::get();
+	my $authuser = $rpcenv->get_user();
+
+
+	my $realm = $param->{realm};
+	my $cfg = cfs_read_file($domainconfigfile);
+	my $ids = $cfg->{ids};
+
+	raise_param_exc({ 'realm' => 'Realm does not exist.' }) if !defined($ids->{$realm});
+	my $type = $ids->{$realm}->{type};
+
+	if ($type ne 'ldap' && $type ne 'ad') {
+	    die "Only LDAP/AD realms can be synced.\n";
+	}
+
+	my $scope = $param->{scope} // 'users';
+	my $sync_users = $scope eq 'users' || $scope eq 'both';
+	my $sync_groups = $scope eq 'groups' || $scope eq 'both';
+
+	my $plugin = PVE::Auth::Plugin->lookup($ids->{$realm}->{type});
+
+	my $realmdata = $ids->{$realm};
+	my $users = {};
+	my $groups = {};
+
+	if ($sync_groups) {
+	    my $dnmap = {};
+	    ($users, $dnmap) = $plugin->get_users($realmdata, $realm);
+	    $groups = $plugin->get_groups($realmdata, $realm, $dnmap);
+	} else {
+	    $users = $plugin->get_users($realmdata, $realm);
+	}
+
+	PVE::AccessControl::lock_user_config(
+	    sub {
+	    my $usercfg = cfs_read_file("user.cfg");
+
+	    if ($sync_users) {
+		my $oldusers = $usercfg->{users};
+
+		if ($param->{prune}) {
+		    foreach my $userid (keys %$oldusers) {
+			next if $userid !~ m/\@$realm$/;
+			next if $users->{$userid};
+			delete $oldusers->{$userid};
+		    }
+		}
+
+		foreach my $userid (keys %$users) {
+		    my $user = $users->{$userid};
+		    if (!defined($oldusers->{$userid})) {
+			$oldusers->{$userid} = $user;
+		    } else {
+			# TODO only 'new' attributes as option?
+			my $olduser = $oldusers->{$userid};
+			foreach my $attr (keys %$user) {
+			    $olduser->{$attr} = $user->{$attr};
+			}
+		    }
+		}
+	    }
+
+	    if ($sync_groups) {
+		my $oldgroups = $usercfg->{groups};
+
+		if ($param->{prune}) {
+		    foreach my $groupid (keys %$oldgroups) {
+			next if $groupid !~ m/\-$realm$/;
+			next if $groups->{$groupid};
+			delete $oldgroups->{$groupid};
+		    }
+		}
+
+		foreach my $groupid (keys %$groups) {
+		    $oldgroups->{$groupid} = $groups->{$groupid};
+		}
+	    }
+	    cfs_write_file("user.cfg", $usercfg);
+	}, "syncing users failed");
+
+	return undef;
+    }});
+
 1;
diff --git a/PVE/CLI/pveum.pm b/PVE/CLI/pveum.pm
index d3721b6..cffd4da 100755
--- a/PVE/CLI/pveum.pm
+++ b/PVE/CLI/pveum.pm
@@ -148,6 +148,7 @@ our $cmddef = {
 	modify => [ 'PVE::API2::Domains', 'update', ['realm'] ],
 	delete => [ 'PVE::API2::Domains', 'delete', ['realm'] ],
 	list   => [ 'PVE::API2::Domains', 'index', [], {}, $print_api_result, $PVE::RESTHandler::standard_output_options],
+	sync   => [ 'PVE::API2::Domains', 'sync', ['realm'], ],
     },
 
     ticket => [ 'PVE::API2::AccessControl', 'create_ticket', ['username'], undef,
-- 
2.20.1

More information about the pve-devel mailing list