chore: WIP

plugins/module_utils/proxmox_datacenter_acl.py

@@ -0,0 +1,77 @@
+import dataclasses
+from dataclasses import dataclass, field
+from typing import List, Tuple
+
+from ansible_collections.finallycoffee.proxmox.plugins.module_utils.common import _proxmox_request, ProxmoxAuthInfo
+
+
+@dataclass(frozen=True)
+class ProxmoxACL:
+    path: str
+    role: str
+    propagate: bool = True
+    user: str = None
+    group: str = None
+    token: str = None
+
+
+def get_acls(auth_info: ProxmoxAuthInfo) -> List['ProxmoxACL']:
+    acl_answer = _proxmox_request('get', '/access/acl', auth_info).json()
+    return list(map(
+        lambda r: ProxmoxACL(r['path'], r['roleid'], r['propagate'],
+                             (r['ugid'] if (r['type'] == 'user') else None),
+                             (r['ugid'] if (r['type'] == 'group') else None),
+                             (r['ugid'] if (r['type'] == 'token') else None)),
+        acl_answer['data']
+    ))
+
+
+def set_acl(auth_info: ProxmoxAuthInfo, acl: ProxmoxACL, dry_run: bool, state: str = 'present') -> Tuple[dict, dict]:
+    existing_acls = get_acls(auth_info)
+    # find existing acl matching the specified one
+    try:
+        existing_acl = [x for x in existing_acls if x == acl][0]
+    except:
+        existing_acl = None
+
+    if state == 'present':
+        acl_spec = _acl_to_dict(acl) | {
+            'propagate': acl.propagate
+        }
+        if not dry_run:
+            acl_res = _proxmox_request('put', f"/access/acl", auth_info, data=acl_spec)
+            acl_res.raise_for_status()
+            if acl_res.ok and acl_res.json()['success'] == 1:
+                new_acl = acl
+        else:
+            new_acl = acl
+    elif state == 'exact':
+        # Also match on propagate and remove ACLs which match in all fields except propagation
+        pass
+    else:
+        # ACL to be removed
+        if not dry_run:
+            acl_spec = _acl_to_dict(acl) | {
+                'delete': 1
+            }
+            acl_res = _proxmox_request('put', '/access/acl', auth_info, data=acl_spec)
+            acl_res.raise_for_status()
+            if acl_res.ok:
+                new_acl = None
+        else:
+            new_acl = None
+    return dataclasses.asdict(existing_acl) if existing_acl else None, dataclasses.asdict(new_acl) if new_acl else None
+
+
+def _acl_to_dict(acl: ProxmoxACL) -> dict:
+    acl_spec = {
+        'path': acl.path,
+        'roles': acl.role,
+    }
+    if acl.user:
+        acl_spec['users'] = acl.user
+    if acl.group:
+        acl_spec['groups'] = acl.group
+    if acl.token:
+        acl_spec['tokens'] = acl.token
+    return acl_spec

plugins/module_utils/proxmox_datacenter_group.py

@@ -0,0 +1,19 @@
+from dataclasses import dataclass, field
+from typing import List, Tuple
+
+from ansible_collections.finallycoffee.proxmox.plugins.module_utils.common import _proxmox_request, ProxmoxAuthInfo
+
+
+@dataclass(frozen=True)
+class ProxmoxGroup:
+    name: str
+    members: List = field(default_factory=lambda: [])
+    comment: str = None
+
+
+def get_groups(auth_info: ProxmoxAuthInfo) -> List['ProxmoxGroups']:
+    group_answer = _proxmox_request('get', '/access/groups', auth_info).json()
+    return list(map(
+        lambda r: ProxmoxGroup(r['groupid'], r['users'].split(','), r.get('comment', '')),
+        group_answer['data']
+    ))

plugins/module_utils/proxmox_datacenter_role.py

@@ -0,0 +1,63 @@
+from dataclasses import dataclass, field
+from typing import List, Tuple
+
+from ansible_collections.finallycoffee.proxmox.plugins.module_utils.common import _proxmox_request, ProxmoxAuthInfo
+
+
+@dataclass(frozen=True)
+class ProxmoxRole:
+    name: str
+    privileges: List = field(default_factory=lambda: [])
+    built_in: bool = False
+
+
+def get_roles(auth_info: ProxmoxAuthInfo) -> List['ProxmoxRoles']:
+    role_answer = _proxmox_request('get', '/access/roles', auth_info).json()
+    return list(map(
+        lambda r: ProxmoxRole(r['roleid'], r['privs'].split(','), bool(r.get('special', False)) is True),
+        role_answer['data']
+    ))
+
+
+def set_role_data(auth_info: ProxmoxAuthInfo, role: str, privileges: list[str], dry_run: bool, state: str = 'present') -> Tuple[dict, dict]:
+    existing_role = _proxmox_request('get', f"/access/roles/{role}", auth_info)
+    existing_role_data = existing_role.json()['data']
+    new_role_data = ''
+    if state == 'present' or state == 'exact':
+        if existing_role.ok:
+            # When state is present, we only append all listed privs to existing roles,
+            # otherwise we set the role's permission list directly
+            changeset = {
+                'privs': ','.join(privileges),
+                'append': False if (state == 'exact') else True
+            }
+            if not dry_run:
+                role_res = _proxmox_request('put', f"/access/roles/{role}", auth_info, data=changeset)
+                role_res.raise_for_status()
+        else:
+            # For new roles, state being exact or present is the same thing
+            if not dry_run:
+                role_res = _proxmox_request('post', '/access/roles', auth_info, data=({
+                    'roleId': role,
+                    'privs': ','.join(privileges)
+                }))
+                role_res.raise_for_status()
+        if not dry_run:
+            if role_res.ok:
+                new_role_data = _proxmox_request('get', f"/access/roles/{role}", auth_info).json()['data']
+        else:
+            new_role_data = {'role': role, 'privs': privileges}
+    else:
+        if existing_role.ok:
+            existing_role_data = existing_role.json()['data']
+            if not dry_run:
+                role_res = _proxmox_request('delete', f"/access/role/{role}", auth_info)
+                role_res.raise_for_status()
+                if role_res.ok:
+                    new_role_data = None
+            else:
+                new_role_data = None
+        else:
+            new_role_data = None
+    return existing_role_data, new_role_data
+