api: access: domains: add get/create/update/delete domain call

modeled like our other section config api calls
two drawbacks of doing it this way:
* we have to copy some api properties again for the update call,
  since not all of them are updateable (username-claim)
* we only handle openid for now, which we would have to change
  when we add ldap/ad

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
This commit is contained in:
Dominik Csapak 2021-07-09 13:43:59 +02:00 committed by Thomas Lamprecht
parent da7ec1d2af
commit 5117cf4f17

View File

@ -1,6 +1,6 @@
//! List Authentication domains/realms
use anyhow::{Error};
use anyhow::{bail, Error};
use serde::{Deserialize, Serialize};
use serde_json::{json, Value};
@ -8,7 +8,11 @@ use serde_json::{json, Value};
use proxmox::api::{api, Permission, Router, RpcEnvironment};
use crate::api2::types::*;
use crate::config::domains::{OpenIdRealmConfig, OpenIdUserAttribute};
use crate::config::{
self,
acl::{PRIV_REALM_ALLOCATE, PRIV_SYS_AUDIT},
domains::{OpenIdRealmConfig, OpenIdUserAttribute},
};
#[api]
#[derive(Deserialize, Serialize, PartialEq, Eq)]
@ -158,5 +162,275 @@ fn list_domains(mut rpcenv: &mut dyn RpcEnvironment) -> Result<Vec<BasicRealmInf
Ok(list)
}
#[api(
input: {
properties: {
realm: {
schema: REALM_ID_SCHEMA,
},
},
},
returns: {
type: RealmInfo,
},
access: {
permission: &Permission::Privilege(&["access", "domains"], PRIV_SYS_AUDIT | PRIV_REALM_ALLOCATE, true),
},
)]
/// Get information about a realm
fn get_domain(realm: String, mut rpcenv: &mut dyn RpcEnvironment) -> Result<RealmInfo, Error> {
let entry = match realm.as_str() {
"pam" => json!({
"realm": "pam",
"type": "pam",
"comment": "Linux PAM standard authentication",
"default": Some(true),
}),
"pbs" => json!({
"realm": "pbs",
"type": "pbs",
"comment": "Proxmox Backup authentication server",
}),
_ => {
let (config, digest) = config::domains::config()?;
rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();
if let Some((section_type, v)) = config.sections.get(&realm) {
let mut entry = v.clone();
entry["type"] = Value::from(section_type.clone());
entry
} else {
bail!("domain '{}' does not exist", realm);
}
}
};
Ok(serde_json::from_value(entry)?)
}
#[api(
protected: true,
input: {
properties: {
info: {
type: RealmInfo,
flatten: true,
},
},
},
access: {
permission: &Permission::Privilege(&["access", "domains"], PRIV_REALM_ALLOCATE, false),
},
)]
/// Create a realm
fn create_domain(param: Value) -> Result<(), Error> {
let basic_info: BasicRealmInfo = serde_json::from_value(param.clone())?;
// for now we only have to care about openid
if basic_info.ty != RealmType::OpenId {
bail!(
"Cannot create realm of type '{}'",
serde_json::to_string(&basic_info.ty)?
);
}
let new_realm: OpenIdRealmConfig = serde_json::from_value(param)?;
let _lock = config::domains::lock_config()?;
let (mut config, _digest) = config::domains::config()?;
let existing: Vec<OpenIdRealmConfig> = config.convert_to_typed_array("openid")?;
for realm in existing {
if realm.realm == new_realm.realm {
bail!("Entry '{}' already exists", realm.realm);
}
}
config.set_data(&new_realm.realm, "openid", &new_realm)?;
config::domains::save_config(&config)?;
Ok(())
}
#[api]
#[derive(Serialize, Deserialize)]
#[serde(rename_all = "kebab-case")]
#[allow(non_camel_case_types)]
pub enum DeletableProperty {
/// Delete the comment property.
comment,
/// Delete the client-key property.
client_key,
/// Delete the autocreate property.
autocreate,
}
#[api(
protected: true,
input: {
properties: {
realm: {
schema: REALM_ID_SCHEMA,
},
comment: {
optional: true,
schema: SINGLE_LINE_COMMENT_SCHEMA,
},
"issuer-url": {
description: "OpenID Issuer Url",
type: String,
optional: true,
},
"client-id": {
description: "OpenID Client ID",
type: String,
optional: true,
},
"client-key": {
description: "OpenID Client Key",
type: String,
optional: true,
},
autocreate: {
description: "Automatically create users if they do not exist.",
optional: true,
type: bool,
},
delete: {
description: "List of properties to delete.",
type: Array,
optional: true,
items: {
type: DeletableProperty,
}
},
digest: {
optional: true,
schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
},
},
},
access: {
permission: &Permission::Privilege(&["access", "domains"], PRIV_REALM_ALLOCATE, false),
},
)]
/// Update a realm
fn update_domain(
realm: String,
comment: Option<String>,
issuer_url: Option<String>,
client_id: Option<String>,
client_key: Option<String>,
autocreate: Option<bool>,
delete: Option<Vec<DeletableProperty>>,
digest: Option<String>,
_rpcenv: &mut dyn RpcEnvironment,
) -> Result<(), Error> {
let _lock = config::domains::lock_config()?;
let (mut config, expected_digest) = config::domains::config()?;
if let Some(ref digest) = digest {
let digest = proxmox::tools::hex_to_digest(digest)?;
crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
}
// only have to worry about openid for now
let mut data: OpenIdRealmConfig = config.lookup("openid", realm.as_str())?;
if let Some(delete) = delete {
for delete_prop in delete {
match delete_prop {
DeletableProperty::comment => data.comment = None,
DeletableProperty::client_key => data.client_key = None,
DeletableProperty::autocreate => data.autocreate = None,
}
}
}
if let Some(comment) = comment {
let comment = comment.trim().to_string();
if comment.is_empty() {
data.comment = None;
} else {
data.comment = Some(comment);
}
}
if let Some(issuer_url) = issuer_url {
data.issuer_url = issuer_url
};
if let Some(client_id) = client_id {
data.client_id = client_id
};
if let Some(client_key) = client_key {
data.client_key = if client_key.is_empty() {
None
} else {
Some(client_key)
};
};
if let Some(autocreate) = autocreate {
data.autocreate = Some(autocreate)
};
config.set_data(&realm, "openid", &data)?;
config::domains::save_config(&config)?;
Ok(())
}
#[api(
protected: true,
input: {
properties: {
realm: {
schema: REALM_ID_SCHEMA,
},
digest: {
optional: true,
schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
},
},
},
access: {
permission: &Permission::Privilege(&["access", "domains"], PRIV_REALM_ALLOCATE, false),
},
)]
/// Delete a realm
fn delete_domain(realm: String, digest: Option<String>) -> Result<(), Error> {
if realm == "pam" || realm == "pbs" {
bail!("cannot remove realm '{}'", realm);
}
let _lock = config::domains::lock_config()?;
let (mut config, expected_digest) = config::domains::config()?;
if let Some(ref digest) = digest {
let digest = proxmox::tools::hex_to_digest(digest)?;
crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
}
match config.sections.get(&realm) {
Some(_) => {
config.sections.remove(&realm);
}
None => bail!("realm '{}' does not exist.", realm),
}
config::domains::save_config(&config)?;
Ok(())
}
pub const ROUTER: Router = Router::new()
.get(&API_METHOD_LIST_DOMAINS);
.get(&API_METHOD_LIST_DOMAINS)
.post(&API_METHOD_CREATE_DOMAIN)
.match_all("realm", &DOMAIN_ROUTER);
const DOMAIN_ROUTER: Router = Router::new()
.get(&API_METHOD_GET_DOMAIN)
.put(&API_METHOD_UPDATE_DOMAIN)
.delete(&API_METHOD_DELETE_DOMAIN);