From: Dietmar Maurer <dietmar@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATH proxmox-backup v1 09/12] ui: implement OpenId login
Date: Tue, 22 Jun 2021 10:56:17 +0200 [thread overview]
Message-ID: <20210622085620.1551677-10-dietmar@proxmox.com> (raw)
In-Reply-To: <20210622085620.1551677-1-dietmar@proxmox.com>
---
src/api2/access.rs | 6 +--
www/Application.js | 8 +++-
www/LoginView.js | 100 ++++++++++++++++++++++++++++++++++++++++++++-
www/Utils.js | 8 ++++
4 files changed, 116 insertions(+), 6 deletions(-)
diff --git a/src/api2/access.rs b/src/api2/access.rs
index 5abb5cb4..e95db88b 100644
--- a/src/api2/access.rs
+++ b/src/api2/access.rs
@@ -18,7 +18,7 @@ use crate::api2::types::*;
use crate::auth_helpers::*;
use crate::server::ticket::ApiTicket;
use crate::tools::ticket::{self, Empty, Ticket};
-use crate::config::domains::OpenIdRealmConfig;
+use crate::config::domains::{OPENID_STATE_DIR, OpenIdRealmConfig};)
use crate::config::acl as acl_config;
use crate::config::acl::{PRIVILEGES, PRIV_PERMISSIONS_MODIFY, PRIV_SYS_AUDIT};
@@ -288,10 +288,8 @@ pub fn openid_login(
) -> Result<Value, Error> {
let user_info = CachedUserInfo::new()?;
- let backup_user = crate::backup::backup_user()?;
-
let (realm, private_auth_state) =
- OpenIdAuthenticator::verify_public_auth_state(&state, backup_user.uid)?;
+ OpenIdAuthenticator::verify_public_auth_state(OPENID_STATE_DIR, &state)?;
let (domains, _digest) = crate::config::domains::config()?;
let config: OpenIdRealmConfig = domains.lookup("openid", &realm)?;
diff --git a/www/Application.js b/www/Application.js
index c4df600e..20ae26bd 100644
--- a/www/Application.js
+++ b/www/Application.js
@@ -49,9 +49,15 @@ Ext.define('PBS.Application', {
var provider = new Ext.state.LocalStorageProvider({ prefix: 'ext-pbs-' });
Ext.state.Manager.setProvider(provider);
+ let openid_login = false;
+ let param = PBS.Utils.openid_login_param();
+ if (param !== undefined) {
+ openid_login = true;
+ }
+
// show login window if not loggedin
var loggedin = Proxmox.Utils.authOK();
- if (!loggedin) {
+ if (openid_login || !loggedin) {
me.changeView('loginview', true);
} else {
me.changeView('mainview', true);
diff --git a/www/LoginView.js b/www/LoginView.js
index 6dd09646..f2fc5370 100644
--- a/www/LoginView.js
+++ b/www/LoginView.js
@@ -2,6 +2,21 @@ Ext.define('PBS.LoginView', {
extend: 'Ext.container.Container',
xtype: 'loginview',
+ viewModel: {
+ data: {
+ openid: false,
+ },
+ formulas: {
+ button_text: function(get) {
+ if (get("openid") === true) {
+ return gettext("Login (OpenID redirect)");
+ } else {
+ return gettext("Login");
+ }
+ },
+ },
+ },
+
controller: {
xclass: 'Ext.app.ViewController',
@@ -15,8 +30,33 @@ Ext.define('PBS.LoginView', {
return;
}
+ let redirect_url = location.origin;
+
let params = loginForm.getValues();
+ if (this.getViewModel().data.openid === true) {
+ let realm = params.realm;
+ try {
+ let resp = await PBS.Async.api2({
+ url: '/api2/extjs/access/domains',
+ params: {
+ realm: realm,
+ "redirect-url": redirect_url,
+ },
+ method: 'POST',
+ });
+ window.location = resp.result.data;
+ } catch (error) {
+ Proxmox.Utils.authClear();
+ loginForm.unmask();
+ Ext.MessageBox.alert(
+ gettext('Error'),
+ gettext('OpenId redirect failed. Please try again<br>Error: ' + error),
+ );
+ }
+ return;
+ }
+
params.username = params.username + '@' + params.realm;
delete params.realm;
@@ -98,6 +138,14 @@ Ext.define('PBS.LoginView', {
window.location.reload();
},
},
+ 'field[name=realm]': {
+ change: function(f, value) {
+ let record = f.store.getById(value);
+ if (record === undefined) return;
+ let data = record.data;
+ this.getViewModel().set("openid", data.type === "openid");
+ },
+ },
'button[reference=loginButton]': {
click: 'submitForm',
},
@@ -116,6 +164,43 @@ Ext.define('PBS.LoginView', {
var pwField = this.lookupReference('passwordField');
pwField.focus();
}
+
+ let param = PBS.Utils.openid_login_param();
+ if (param !== undefined) {
+ Proxmox.Utils.authClear();
+
+ let loginForm = this.lookupReference('loginForm');
+ loginForm.mask(gettext('OpenID login - please wait...'), 'x-mask-loading');
+
+ let redirect_url = location.origin;
+
+ Proxmox.Utils.API2Request({
+ url: '/api2/extjs/access/openid-login',
+ params: {
+ state: param.state,
+ code: param.code,
+ "redirect-url": redirect_url,
+ },
+ method: 'POST',
+ failure: function(response) {
+ loginForm.unmask();
+ Ext.MessageBox.alert(
+ gettext('Error'),
+ gettext('Login failed. Please try again<br>Error: ' + response.htmlStatus),
+ function() {
+ window.location = redirect_url;
+ },
+ );
+ },
+ success: function(response, options) {
+ loginForm.unmask();
+ let data = response.result.data;
+ PBS.Utils.updateLoginData(data);
+ PBS.app.changeView('mainview');
+ history.replaceState(null, '', redirect_url + '#pbsDashboard');
+ },
+ });
+ }
},
},
},
@@ -191,6 +276,10 @@ Ext.define('PBS.LoginView', {
itemId: 'usernameField',
reference: 'usernameField',
stateId: 'login-username',
+ bind: {
+ visible: "{!openid}",
+ disabled: "{openid}",
+ },
},
{
xtype: 'textfield',
@@ -199,6 +288,10 @@ Ext.define('PBS.LoginView', {
name: 'password',
itemId: 'passwordField',
reference: 'passwordField',
+ bind: {
+ visible: "{!openid}",
+ disabled: "{openid}",
+ },
},
{
xtype: 'pmxRealmComboBox',
@@ -223,9 +316,14 @@ Ext.define('PBS.LoginView', {
labelWidth: 250,
labelAlign: 'right',
submitValue: false,
+ bind: {
+ visible: "{!openid}",
+ },
},
{
- text: gettext('Login'),
+ bind: {
+ text: "{button_text}",
+ },
reference: 'loginButton',
formBind: true,
},
diff --git a/www/Utils.js b/www/Utils.js
index 6b378355..677f2204 100644
--- a/www/Utils.js
+++ b/www/Utils.js
@@ -326,6 +326,14 @@ Ext.define('PBS.Utils', {
};
},
+ openid_login_param: function() {
+ let param = Ext.Object.fromQueryString(window.location.search);
+ if (param.state !== undefined && param.code !== undefined) {
+ return param;
+ }
+ return undefined;
+ },
+
calculate_dedup_factor: function(gcstatus) {
let dedup = 1.0;
if (gcstatus['disk-bytes'] > 0) {
--
2.30.2
next prev parent reply other threads:[~2021-06-22 8:57 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-22 8:56 [pbs-devel] [PATH proxmox-backup v1 00/12] OpenID connect realms Dietmar Maurer
2021-06-22 8:56 ` [pbs-devel] [PATH proxmox-backup v1 01/12] depend on openid-connect-rs Dietmar Maurer
2021-06-22 8:56 ` [pbs-devel] [PATH proxmox-backup v1 02/12] config: new domains.cfg to configure openid realm Dietmar Maurer
2021-06-22 8:56 ` [pbs-devel] [PATH proxmox-backup v1 03/12] check_acl_path: add /access/domains Dietmar Maurer
2021-06-22 8:56 ` [pbs-devel] [PATH proxmox-backup v1 04/12] add API to manage openid realms Dietmar Maurer
2021-06-22 8:56 ` [pbs-devel] [PATH proxmox-backup v1 05/12] cli: add CLI " Dietmar Maurer
2021-06-22 8:56 ` [pbs-devel] [PATH proxmox-backup v1 06/12] api: add openid redirect API Dietmar Maurer
2021-06-22 8:56 ` [pbs-devel] [PATH proxmox-backup v1 07/12] implement new helper is_active_user_id() Dietmar Maurer
2021-06-22 8:56 ` [pbs-devel] [PATH proxmox-backup v1 08/12] api: add openid-login endpoint Dietmar Maurer
2021-06-22 8:56 ` Dietmar Maurer [this message]
2021-06-22 8:56 ` [pbs-devel] [PATH proxmox-backup v1 10/12] cleanup user/token is_active() check Dietmar Maurer
2021-06-22 8:56 ` [pbs-devel] [PATH proxmox-backup v1 11/12] add openid autocreate account feature Dietmar Maurer
2021-06-22 8:56 ` [pbs-devel] [PATH proxmox-backup v1 12/12] implement openid user-attr configuration Dietmar Maurer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210622085620.1551677-10-dietmar@proxmox.com \
--to=dietmar@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.