diff --git a/plugins/module_utils/proxmox_datacenter_acl.py b/plugins/module_utils/proxmox_datacenter_acl.py new file mode 100644 index 0000000..5e5ae31 --- /dev/null +++ b/plugins/module_utils/proxmox_datacenter_acl.py @@ -0,0 +1,77 @@ +import dataclasses +from dataclasses import dataclass, field +from typing import List, Tuple + +from ansible_collections.finallycoffee.proxmox.plugins.module_utils.common import _proxmox_request, ProxmoxAuthInfo + + +@dataclass(frozen=True) +class ProxmoxACL: + path: str + role: str + propagate: bool = True + user: str = None + group: str = None + token: str = None + + +def get_acls(auth_info: ProxmoxAuthInfo) -> List['ProxmoxACL']: + acl_answer = _proxmox_request('get', '/access/acl', auth_info).json() + return list(map( + lambda r: ProxmoxACL(r['path'], r['roleid'], r['propagate'], + (r['ugid'] if (r['type'] == 'user') else None), + (r['ugid'] if (r['type'] == 'group') else None), + (r['ugid'] if (r['type'] == 'token') else None)), + acl_answer['data'] + )) + + +def set_acl(auth_info: ProxmoxAuthInfo, acl: ProxmoxACL, dry_run: bool, state: str = 'present') -> Tuple[dict, dict]: + existing_acls = get_acls(auth_info) + # find existing acl matching the specified one + try: + existing_acl = [x for x in existing_acls if x == acl][0] + except: + existing_acl = None + + if state == 'present': + acl_spec = _acl_to_dict(acl) | { + 'propagate': acl.propagate + } + if not dry_run: + acl_res = _proxmox_request('put', f"/access/acl", auth_info, data=acl_spec) + acl_res.raise_for_status() + if acl_res.ok and acl_res.json()['success'] == 1: + new_acl = acl + else: + new_acl = acl + elif state == 'exact': + # Also match on propagate and remove ACLs which match in all fields except propagation + pass + else: + # ACL to be removed + if not dry_run: + acl_spec = _acl_to_dict(acl) | { + 'delete': 1 + } + acl_res = _proxmox_request('put', '/access/acl', auth_info, data=acl_spec) + acl_res.raise_for_status() + if acl_res.ok: + new_acl = None + else: + new_acl = None + return dataclasses.asdict(existing_acl) if existing_acl else None, dataclasses.asdict(new_acl) if new_acl else None + + +def _acl_to_dict(acl: ProxmoxACL) -> dict: + acl_spec = { + 'path': acl.path, + 'roles': acl.role, + } + if acl.user: + acl_spec['users'] = acl.user + if acl.group: + acl_spec['groups'] = acl.group + if acl.token: + acl_spec['tokens'] = acl.token + return acl_spec diff --git a/plugins/modules/acl.py b/plugins/modules/acl.py new file mode 100644 index 0000000..5e4c810 --- /dev/null +++ b/plugins/modules/acl.py @@ -0,0 +1,185 @@ +#!/usr/bin/python +# coding: utf-8 + +# (c) 2022, Johanna Dorothea Reichmann + +__metaclass__ = type + +import traceback + +from ansible.module_utils.basic import AnsibleModule + +from ansible_collections.finallycoffee.proxmox.plugins.module_utils.common import * +from ansible_collections.finallycoffee.proxmox.plugins.module_utils.proxmox_datacenter_acl import * + + +LIB_IMP_ERR = None +try: + from ansible_collections.finallycoffee.proxmox.plugins.module_utils.proxmox_datacenter_acl import set_acl + from ansible_collections.finallycoffee.proxmox.plugins.module_utils.proxmox_datacenter_acl import ProxmoxACL + HAS_LIB = True +except: + HAS_LIB = False + LIB_IMP_ERR = traceback.format_exc() + + +DOCUMENTATION = r''' +--- +module: acl +author: +- Johanna Dorothea Reichmann (transcaffeine@finally.coffee) +requirements: + - python >= 3.9 +short_description: Configures an access control list in a proxmox node +description: + - "Configue access control lists in a proxmox instance" +options: + proxmox_instance: + description: Location of the proxmox API with scheme, domain name/ip and port, e.g. https://localhost:8006 + type: str + required: true + proxmox_api_token_id: + description: The token ID containing username, realm and token name (format: user@realm!name) + type: str + required: true + proxmox_api_secret: + description: The secret + type: str + required: true + proxmox_api_verify_cert: + description: If the certificate presented for `proxmox_instance_url` should be verified + type: bool + required: false + default: true + path: + description: Path to which access should be granted. Must be a valid proxmox access control path + type: str + required: true + role: + description: The role which the user/group/token should be added to when they match the ACL + type: str + required: true + group: + description: The group to match on the ACL. Must be a valid proxmox group id + type: str + required: false + user: + description: The user to match on the ACL. Must be a valid proxmox user id + type: str + required: false + token: + description: The token to match on the ACL. Must be a valid proxmox token id + type: str + required: false + propagate: + description: Wether to allow inheriting permissions or not. + type: bool + default: true + required: false + state: + description: >- + If the access control list should be present, absent or exact. When state is exact, + the value of `propagate` is also considered, and if an existing access control rule is found + which only differs in the value of `propagate`, the old rule is removed by the module, + essentially replacing it. + type: str + choices: [present, exact, absent] + default: present + required: false +''' + +EXAMPLES = r''' +- name: Configure an admin group from LDAP as proxmox global admins + finallycoffee.proxmox.acl: + proxmox_instance: https://my.proxmox-node.local:8006 + promox_api_token_id: root@pam!token + proxmox_api_secret: supersecuretokencontent + path: / + roles: Administrator + groups: proxmox-admins-openldap + propagate: true + state: present +- name: Configure an LDAP user to use their own VM + finallycoffee.proxmox.acl: + proxmox_instance: https://my.proxmox-node.local:8006 + promox_api_token_id: root@pam!token + proxmox_api_secret: supersecuretokencontent + path: /vms/1000 + roles: PVEVMUser + groups: myusername-openldap + state: present +''' + +RETURN = r''' +acl: + description: The updated/created access control list + returned: always + type: complex + +''' + + +def main(): + _ = dict + module = AnsibleModule( + argument_spec=_( + proxmox_instance=_(required=True, type='str'), + proxmox_api_token_id=_(required=True, type='str'), + proxmox_api_secret=_(type='str', required=True, no_log=True), + proxmox_api_verify_cert=_(type='bool', required=False, default=True), + path=_(required=True, type='str'), + role=_(required=True, type='str'), + group=_(required=False, type='str'), + user=_(required=False, type='str'), + token=_(required=False, type='str'), + propagate=_(required=False, default=True, type='bool'), + state=_(type='str', required=False, default='present', choices=['present', 'exact', 'absent']) + ), + supports_check_mode=True + ) + + result = _( + changed=False, + diff={}, + message='' + ) + + realms = [] + try: + acl_spec = ProxmoxACL( + module.params['path'], + module.params['role'], + module.params['propagate'], + module.params.get('user', None), + module.params.get('group', None), + module.params.get('token', None), + ) + acl_change = set_acl(ProxmoxAuthInfo( + module.params['proxmox_instance'], + module.params['proxmox_api_token_id'], + module.params['proxmox_api_secret'], + module.params['proxmox_api_verify_cert'], + ), + acl_spec, + module.check_mode, + module.params['state']) + except IOError as owie: + result['msg'] = owie + module.exit_json(**result) + + diff_excluded_keys = [] + result['acl'] = acl_change[1] + result['diff'] = { + 'before_header': f"{acl_change[0].get('role', module.params['role'])}@{acl_change[0].get('path', module.params['path'])}" if acl_change[0] else acl_change[0], + 'after_header': f"{acl_change[1].get('role', module.params['role'])}@{acl_change[1].get('path', module.params['path'])}" if acl_change[1] else acl_change[1], + 'before': {k: v for k, v in acl_change[0].items() if k not in diff_excluded_keys} if acl_change[0] else acl_change[0], + 'after': {k: v for k, v in acl_change[1].items() if k not in diff_excluded_keys} if acl_change[1] else acl_change[1], + } + # TODO: Needs special handling for state=exact + result['changed'] = acl_change[0] != acl_change[1] + + module.exit_json(**result) + + +if __name__ == '__main__': + main()