[pbs-devel] [PATCH proxmox-backup 0/6] add realm api/ui

[pbs-devel] [PATCH proxmox-backup 0/6] add realm api/ui

[Dominik Csapak]

adds realm management to the pbs api and ui

ui patches need the widget-toolkit patches (+bump) from [0]
api changes could be independently applied

0: https://lists.proxmox.com/pipermail/pve-devel/2021-July/049320.html

Dominik Csapak (6):
  api: access: domains: add BasicRealmInfo struct and use it
  config: acl: add PRIV_REALM_ALLOCATE
  api: access: domains: add ExtraRealmInfo and RealmInfo structs
  api: access: domains: add get/create/update/delete domain call
  ui: add Authentication tab to Access Control
  ui: add /access/domains to PermissionPathsStore

 src/api2/access/domain.rs          | 438 ++++++++++++++++++++++++++---
 src/config/acl.rs                  |   3 +
 www/Utils.js                       |   9 +
 www/form/PermissionPathSelector.js |   1 +
 www/panel/AccessControl.js         |   8 +-
 5 files changed, 424 insertions(+), 35 deletions(-)

-- 
2.30.2

[pbs-devel] [PATCH proxmox-backup 1/6] api: access: domains: add BasicRealmInfo struct and use it

[Dominik Csapak]

to have better type safety and as preparation for adding more types

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
 src/api2/access/domain.rs | 101 +++++++++++++++++++++++++-------------
 1 file changed, 66 insertions(+), 35 deletions(-)

diff --git a/src/api2/access/domain.rs b/src/api2/access/domain.rs
index 69809acc..126cd8ff 100644
--- a/src/api2/access/domain.rs
+++ b/src/api2/access/domain.rs
@@ -2,33 +2,61 @@
 
 use anyhow::{Error};
 
+use serde::{Deserialize, Serialize};
 use serde_json::{json, Value};
 
-use proxmox::api::{api, Permission};
-use proxmox::api::router::Router;
+use proxmox::api::{api, Permission, Router, RpcEnvironment};
 
 use crate::api2::types::*;
 
+#[api]
+#[derive(Deserialize, Serialize, PartialEq, Eq)]
+#[serde(rename_all = "lowercase")]
+/// type of the realm
+pub enum RealmType {
+    /// The PAM realm
+    Pam,
+    /// The PBS realm
+    Pbs,
+    /// An OpenID Connect realm
+    OpenId,
+}
+
+#[api(
+    properties: {
+        realm: {
+            schema: REALM_ID_SCHEMA,
+        },
+        "type": {
+            type: RealmType,
+        },
+        comment: {
+            optional: true,
+            schema: SINGLE_LINE_COMMENT_SCHEMA,
+        },
+    },
+)]
+#[derive(Deserialize, Serialize)]
+#[serde(rename_all = "kebab-case")]
+/// Basic Information about a realm
+pub struct BasicRealmInfo {
+    pub realm: String,
+    #[serde(rename = "type")]
+    pub ty: RealmType,
+    /// True if it is the default realm
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub default: Option<bool>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub comment: Option<String>,
+}
+
+
 #[api(
     returns: {
-        description: "List of realms.",
+        description: "List of realms with basic info.",
         type: Array,
         items: {
-            type: Object,
-            description: "User configuration (without password).",
-            properties: {
-                realm: {
-                    schema: REALM_ID_SCHEMA,
-                },
-                comment: {
-                    schema: SINGLE_LINE_COMMENT_SCHEMA,
-                    optional: true,
-                },
-                default: {
-                    description: "Default realm.",
-                    type: bool,
-                }
-            },
+            type: BasicRealmInfo,
         }
     },
     access: {
@@ -37,29 +65,32 @@ use crate::api2::types::*;
     }
 )]
 /// Authentication domain/realm index.
-fn list_domains() -> Result<Value, Error> {
-
+fn list_domains(mut rpcenv: &mut dyn RpcEnvironment) -> Result<Vec<BasicRealmInfo>, Error> {
     let mut list = Vec::new();
 
-    list.push(json!({ "realm": "pam", "comment": "Linux PAM standard authentication", "default": true }));
-    list.push(json!({ "realm": "pbs", "comment": "Proxmox Backup authentication server" }));
-
-    let (config, _digest) = crate::config::domains::config()?;
+    list.push(serde_json::from_value(json!({
+        "realm": "pam",
+        "type": "pam",
+        "comment": "Linux PAM standard authentication",
+        "default": Some(true),
+    }))?);
+    list.push(serde_json::from_value(json!({
+        "realm": "pbs",
+        "type": "pbs",
+        "comment": "Proxmox Backup authentication server",
+    }))?);
 
-    for (realm, (section_type, v)) in config.sections.iter() {
-        let mut item = json!({
-            "type": section_type,
-            "realm": realm,
-        });
-
-        if v["comment"].as_str().is_some() {
-            item["comment"] = v["comment"].clone();
-        }
-        list.push(item);
+    let (config, digest) = config::domains::config()?;
 
+    for (_, (section_type, v)) in config.sections.iter() {
+        let mut entry = v.clone();
+        entry["type"] = Value::from(section_type.clone());
+        list.push(serde_json::from_value(entry)?);
     }
 
-    Ok(list.into())
+    rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();
+
+    Ok(list)
 }
 
 pub const ROUTER: Router = Router::new()
-- 
2.30.2

[pbs-devel] [PATCH proxmox-backup 2/6] config: acl: add PRIV_REALM_ALLOCATE

[Dominik Csapak]

will be used for realm creation/update/deletion

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
 src/config/acl.rs | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/config/acl.rs b/src/config/acl.rs
index e468586e..b4b3510f 100644
--- a/src/config/acl.rs
+++ b/src/config/acl.rs
@@ -72,6 +72,9 @@ constnamedbitmap! {
         PRIV_TAPE_WRITE("Tape.Write");
         /// Tape.Read allows reading tape backup configuration and media contents
         PRIV_TAPE_READ("Tape.Read");
+
+        /// Realm.Allocate allows viewing, creating, modifying and deleting realms
+        PRIV_REALM_ALLOCATE("Realm.Allocate");
     }
 }
 
-- 
2.30.2

[pbs-devel] [PATCH proxmox-backup 3/6] api: access: domains: add ExtraRealmInfo and RealmInfo structs

[Dominik Csapak]

these will be used as parameters/return types for the read/create/etc.
calls for realms

for now we copy the necessary attributes (only from openid) since
our api macros/tools are not good enought to generate the necessary
api definitions for section configs

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
 src/api2/access/domain.rs | 65 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)

diff --git a/src/api2/access/domain.rs b/src/api2/access/domain.rs
index 126cd8ff..c850603a 100644
--- a/src/api2/access/domain.rs
+++ b/src/api2/access/domain.rs
@@ -8,6 +8,7 @@ use serde_json::{json, Value};
 use proxmox::api::{api, Permission, Router, RpcEnvironment};
 
 use crate::api2::types::*;
+use crate::config::domains::{OpenIdRealmConfig, OpenIdUserAttribute};
 
 #[api]
 #[derive(Deserialize, Serialize, PartialEq, Eq)]
@@ -50,6 +51,70 @@ pub struct BasicRealmInfo {
     pub comment: Option<String>,
 }
 
+#[api(
+    properties: {
+        "issuer-url": {
+            description: "OpenID Issuer Url",
+            type: String,
+            optional: true,
+        },
+        "client-id": {
+            description: "OpenID Client ID",
+            type: String,
+            optional: true,
+        },
+        "client-key": {
+            description: "OpenID Client Key",
+            type: String,
+            optional: true,
+        },
+        autocreate: {
+            description: "Automatically create users if they do not exist.",
+            optional: true,
+            type: bool,
+            default: false,
+        },
+        "username-claim": {
+            type: OpenIdUserAttribute,
+            optional: true,
+        },
+    },
+)]
+#[derive(Deserialize, Serialize)]
+#[serde(rename_all = "kebab-case")]
+/// Extra Information about a realm
+pub struct ExtraRealmInfo {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub issuer_url: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub client_id: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub client_key: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub autocreate: Option<bool>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub username_claim: Option<OpenIdUserAttribute>,
+}
+
+#[api(
+    properties: {
+        "info": {
+            type: BasicRealmInfo,
+        },
+        "extra": {
+            type: ExtraRealmInfo,
+        },
+    },
+)]
+#[derive(Deserialize, Serialize)]
+#[serde(rename_all = "kebab-case")]
+/// Information about a realm
+pub struct RealmInfo {
+    #[serde(flatten)]
+    pub info: BasicRealmInfo,
+    #[serde(flatten)]
+    pub extra: ExtraRealmInfo,
+}
 
 #[api(
     returns: {
-- 
2.30.2

[pbs-devel] [PATCH proxmox-backup 4/6] api: access: domains: add get/create/update/delete domain call

[Dominik Csapak]

modeled like our other section config api calls
two drawbacks of doing it this way:
* we have to copy some api properties again for the update call,
  since not all of them are updateable (username-claim)
* we only handle openid for now, which we would have to change
  when we add ldap/ad

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
 src/api2/access/domain.rs | 280 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 277 insertions(+), 3 deletions(-)

diff --git a/src/api2/access/domain.rs b/src/api2/access/domain.rs
index c850603a..6b1a4743 100644
--- a/src/api2/access/domain.rs
+++ b/src/api2/access/domain.rs
@@ -1,6 +1,6 @@
 //! List Authentication domains/realms
 
-use anyhow::{Error};
+use anyhow::{bail, Error};
 
 use serde::{Deserialize, Serialize};
 use serde_json::{json, Value};
@@ -8,7 +8,11 @@ use serde_json::{json, Value};
 use proxmox::api::{api, Permission, Router, RpcEnvironment};
 
 use crate::api2::types::*;
-use crate::config::domains::{OpenIdRealmConfig, OpenIdUserAttribute};
+use crate::config::{
+    self,
+    acl::{PRIV_REALM_ALLOCATE, PRIV_SYS_AUDIT},
+    domains::{OpenIdRealmConfig, OpenIdUserAttribute},
+};
 
 #[api]
 #[derive(Deserialize, Serialize, PartialEq, Eq)]
@@ -158,5 +162,275 @@ fn list_domains(mut rpcenv: &mut dyn RpcEnvironment) -> Result<Vec<BasicRealmInf
     Ok(list)
 }
 
+#[api(
+    input: {
+        properties: {
+            realm: {
+                schema: REALM_ID_SCHEMA,
+            },
+        },
+    },
+    returns: {
+        type: RealmInfo,
+    },
+    access: {
+        permission: &Permission::Privilege(&["access", "domains"], PRIV_SYS_AUDIT | PRIV_REALM_ALLOCATE, true),
+    },
+)]
+/// Get information about a realm
+fn get_domain(realm: String, mut rpcenv: &mut dyn RpcEnvironment) -> Result<RealmInfo, Error> {
+    let entry = match realm.as_str() {
+        "pam" => json!({
+            "realm": "pam",
+            "type": "pam",
+            "comment": "Linux PAM standard authentication",
+            "default": Some(true),
+        }),
+        "pbs" => json!({
+            "realm": "pbs",
+            "type": "pbs",
+            "comment": "Proxmox Backup authentication server",
+        }),
+        _ => {
+            let (config, digest) = config::domains::config()?;
+            rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();
+            if let Some((section_type, v)) = config.sections.get(&realm) {
+                let mut entry = v.clone();
+                entry["type"] = Value::from(section_type.clone());
+                entry
+            } else {
+                bail!("domain '{}' does not exist", realm);
+            }
+        }
+    };
+
+    Ok(serde_json::from_value(entry)?)
+}
+
+#[api(
+    protected: true,
+    input: {
+        properties: {
+            info: {
+                type: RealmInfo,
+                flatten: true,
+            },
+        },
+    },
+    access: {
+        permission: &Permission::Privilege(&["access", "domains"], PRIV_REALM_ALLOCATE, false),
+    },
+)]
+/// Create a realm
+fn create_domain(param: Value) -> Result<(), Error> {
+    let basic_info: BasicRealmInfo = serde_json::from_value(param.clone())?;
+
+    // for now we only have to care about openid
+    if basic_info.ty != RealmType::OpenId {
+        bail!(
+            "Cannot create realm of type '{}'",
+            serde_json::to_string(&basic_info.ty)?
+        );
+    }
+
+    let new_realm: OpenIdRealmConfig = serde_json::from_value(param)?;
+    let _lock = config::domains::lock_config()?;
+
+    let (mut config, _digest) = config::domains::config()?;
+
+    let existing: Vec<OpenIdRealmConfig> = config.convert_to_typed_array("openid")?;
+
+    for realm in existing {
+        if realm.realm == new_realm.realm {
+            bail!("Entry '{}' already exists", realm.realm);
+        }
+    }
+
+    config.set_data(&new_realm.realm, "openid", &new_realm)?;
+
+    config::domains::save_config(&config)?;
+
+    Ok(())
+}
+
+#[api]
+#[derive(Serialize, Deserialize)]
+#[serde(rename_all = "kebab-case")]
+#[allow(non_camel_case_types)]
+pub enum DeletableProperty {
+    /// Delete the comment property.
+    comment,
+    /// Delete the client-key property.
+    client_key,
+    /// Delete the autocreate property.
+    autocreate,
+}
+
+#[api(
+    protected: true,
+    input: {
+        properties: {
+            realm: {
+                schema: REALM_ID_SCHEMA,
+            },
+            comment: {
+                optional: true,
+                schema: SINGLE_LINE_COMMENT_SCHEMA,
+            },
+            "issuer-url": {
+                description: "OpenID Issuer Url",
+                type: String,
+                optional: true,
+            },
+            "client-id": {
+                description: "OpenID Client ID",
+                type: String,
+                optional: true,
+            },
+            "client-key": {
+                description: "OpenID Client Key",
+                type: String,
+                optional: true,
+            },
+            autocreate: {
+                description: "Automatically create users if they do not exist.",
+                optional: true,
+                type: bool,
+            },
+            delete: {
+                description: "List of properties to delete.",
+                type: Array,
+                optional: true,
+                items: {
+                    type: DeletableProperty,
+                }
+            },
+            digest: {
+                optional: true,
+                schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
+            },
+        },
+    },
+    access: {
+        permission: &Permission::Privilege(&["access", "domains"], PRIV_REALM_ALLOCATE, false),
+    },
+)]
+/// Update a realm
+fn update_domain(
+    realm: String,
+    comment: Option<String>,
+    issuer_url: Option<String>,
+    client_id: Option<String>,
+    client_key: Option<String>,
+    autocreate: Option<bool>,
+    delete: Option<Vec<DeletableProperty>>,
+    digest: Option<String>,
+    _rpcenv: &mut dyn RpcEnvironment,
+) -> Result<(), Error> {
+    let _lock = config::domains::lock_config()?;
+
+    let (mut config, expected_digest) = config::domains::config()?;
+
+    if let Some(ref digest) = digest {
+        let digest = proxmox::tools::hex_to_digest(digest)?;
+        crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
+    }
+
+    // only have to worry about openid for now
+    let mut data: OpenIdRealmConfig = config.lookup("openid", realm.as_str())?;
+
+    if let Some(delete) = delete {
+        for delete_prop in delete {
+            match delete_prop {
+                DeletableProperty::comment => data.comment = None,
+                DeletableProperty::client_key => data.client_key = None,
+                DeletableProperty::autocreate => data.autocreate = None,
+            }
+        }
+    }
+
+    if let Some(comment) = comment {
+        let comment = comment.trim().to_string();
+        if comment.is_empty() {
+            data.comment = None;
+        } else {
+            data.comment = Some(comment);
+        }
+    }
+
+    if let Some(issuer_url) = issuer_url {
+        data.issuer_url = issuer_url
+    };
+    if let Some(client_id) = client_id {
+        data.client_id = client_id
+    };
+    if let Some(client_key) = client_key {
+        data.client_key = if client_key.is_empty() {
+            None
+        } else {
+            Some(client_key)
+        };
+    };
+    if let Some(autocreate) = autocreate {
+        data.autocreate = Some(autocreate)
+    };
+
+    config.set_data(&realm, "openid", &data)?;
+
+    config::domains::save_config(&config)?;
+
+    Ok(())
+}
+
+#[api(
+    protected: true,
+    input: {
+        properties: {
+            realm: {
+                schema: REALM_ID_SCHEMA,
+            },
+            digest: {
+                optional: true,
+                schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
+            },
+        },
+    },
+    access: {
+        permission: &Permission::Privilege(&["access", "domains"], PRIV_REALM_ALLOCATE, false),
+    },
+)]
+/// Delete a realm
+fn delete_domain(realm: String, digest: Option<String>) -> Result<(), Error> {
+    if realm == "pam" || realm == "pbs" {
+        bail!("cannot remove realm '{}'", realm);
+    }
+    let _lock = config::domains::lock_config()?;
+
+    let (mut config, expected_digest) = config::domains::config()?;
+
+    if let Some(ref digest) = digest {
+        let digest = proxmox::tools::hex_to_digest(digest)?;
+        crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
+    }
+
+    match config.sections.get(&realm) {
+        Some(_) => {
+            config.sections.remove(&realm);
+        }
+        None => bail!("realm '{}' does not exist.", realm),
+    }
+
+    config::domains::save_config(&config)?;
+
+    Ok(())
+}
+
 pub const ROUTER: Router = Router::new()
-    .get(&API_METHOD_LIST_DOMAINS);
+    .get(&API_METHOD_LIST_DOMAINS)
+    .post(&API_METHOD_CREATE_DOMAIN)
+    .match_all("realm", &DOMAIN_ROUTER);
+
+const DOMAIN_ROUTER: Router = Router::new()
+    .get(&API_METHOD_GET_DOMAIN)
+    .put(&API_METHOD_UPDATE_DOMAIN)
+    .delete(&API_METHOD_DELETE_DOMAIN);
-- 
2.30.2

[pbs-devel] [PATCH proxmox-backup 5/6] ui: add Authentication tab to Access Control

[Dominik Csapak]

so that user can add/edit/delete realms

changes the icon of tfa to 'id-badge' so that we can keep the same icon
for authentication as pve and not have duplicate icons

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
 www/Utils.js               | 9 +++++++++
 www/panel/AccessControl.js | 8 +++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/www/Utils.js b/www/Utils.js
index 6b378355..a4c533e0 100644
--- a/www/Utils.js
+++ b/www/Utils.js
@@ -406,6 +406,15 @@ Ext.define('PBS.Utils', {
 	    verify_snapshot: ['Snapshot', gettext('Verification')],
 	    zfscreate: [gettext('ZFS Storage'), gettext('Create')],
 	});
+
+	Proxmox.Utils.overrideAuthSchema({
+	    pbs: {
+		name: 'Proxmox Backup authentication server',
+		add: false,
+		edit: false,
+		pwchange: true,
+	    },
+	});
     },
 
     // Convert an ArrayBuffer to a base64url encoded string.
diff --git a/www/panel/AccessControl.js b/www/panel/AccessControl.js
index 94690cfe..bb3a6ba8 100644
--- a/www/panel/AccessControl.js
+++ b/www/panel/AccessControl.js
@@ -23,7 +23,7 @@ Ext.define('PBS.AccessControlPanel', {
 	    xtype: 'pbsTfaView',
 	    title: gettext('Two Factor Authentication'),
 	    itemId: 'tfa',
-	    iconCls: 'fa fa-key',
+	    iconCls: 'fa fa-id-badge',
 	},
 	{
 	    xtype: 'pbsTokenView',
@@ -37,6 +37,12 @@ Ext.define('PBS.AccessControlPanel', {
 	    itemId: 'permissions',
 	    iconCls: 'fa fa-unlock',
 	},
+	{
+	    xtype: 'pmxAuthView',
+	    title: gettext('Authentication'),
+	    itemId: 'domains',
+	    iconCls: 'fa fa-key',
+	},
     ],
 
 });
-- 
2.30.2

[pbs-devel] [PATCH proxmox-backup 6/6] ui: add /access/domains to PermissionPathsStore

[Dominik Csapak]

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
 www/form/PermissionPathSelector.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/www/form/PermissionPathSelector.js b/www/form/PermissionPathSelector.js
index cfd4e718..dd5c60b7 100644
--- a/www/form/PermissionPathSelector.js
+++ b/www/form/PermissionPathSelector.js
@@ -8,6 +8,7 @@ Ext.define('PBS.data.PermissionPathsStore', {
 	{ 'value': '/access' },
 	{ 'value': '/access/acl' },
 	{ 'value': '/access/users' },
+	{ 'value': '/access/domains' },
 	{ 'value': '/datastore' },
 	{ 'value': '/remote' },
 	{ 'value': '/system' },
-- 
2.30.2

[pbs-devel] applied-series: [PATCH proxmox-backup 0/6] add realm api/ui

[Thomas Lamprecht]

On 09.07.21 13:43, Dominik Csapak wrote:
> adds realm management to the pbs api and ui
> 
> ui patches need the widget-toolkit patches (+bump) from [0]
> api changes could be independently applied
> 
> 0: https://lists.proxmox.com/pipermail/pve-devel/2021-July/049320.html
> 
> Dominik Csapak (6):
>   api: access: domains: add BasicRealmInfo struct and use it
>   config: acl: add PRIV_REALM_ALLOCATE
>   api: access: domains: add ExtraRealmInfo and RealmInfo structs
>   api: access: domains: add get/create/update/delete domain call
>   ui: add Authentication tab to Access Control
>   ui: add /access/domains to PermissionPathsStore
> 
>  src/api2/access/domain.rs          | 438 ++++++++++++++++++++++++++---
>  src/config/acl.rs                  |   3 +
>  www/Utils.js                       |   9 +
>  www/form/PermissionPathSelector.js |   1 +
>  www/panel/AccessControl.js         |   8 +-
>  5 files changed, 424 insertions(+), 35 deletions(-)
> 



applied series, thanks!