From: Wolfgang Bumiller <w.bumiller@proxmox.com>
To: pve-devel@lists.proxmox.com
Date: Tue,  9 Nov 2021 12:26:49 +0100
Message-Id: <20211109112721.130935-1-w.bumiller@proxmox.com>
X-Mailer: git-send-email 2.30.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: [pve-devel] [PATCH multiple 0/9] PBS-like TFA support in PVE

This is a bigger TFA upgrade for PVE.

This also contains the code for a new rust repository which will merge
pve-rs and pmg-rs into 1 git repository.
(git clone currently only available internally as my
`proxmox-perl-rs.git` repository)

Most of the heavy lifting is now performed by the rust library.
Note that the idea is that PVE and PBS can share this code directly, but
for now the to-be-shared part is directly included here and will become
its own crate after the initial PVE integration, as PBS will require a
few changes (since the code originally hardcoded pbs types/paths/files...)

On the perl side this contains:

pve-common:
  * A small change to the ticket code to url-escape colons in
    the ticket data.
    We also do this in pbs and since we only had usernames or base64
    encoded tfa data in there this should be fine, and we want to store
    JSON data directly there to be compatible with PBS.
pve-cluster:
  * Webauthn configuration in datacenter.cfg.
    While PBS keeps this in the tfa json file, we already have the U2F
    config in datacenter.cfg in PVE, so putting it into datacenter.cfg
    seemed more consistent.
proxmox-widget-toolkit:
  * This series basically copies PBS' TFA code
pve-manager:
  * Update the login code to use the new workflow.
  * Add the new TFA panel.
  * Change the user TFA button to simply navigate to the new TFA panel
    instead of popping up the old window.
pve-access-control:
  * Switch to the rust parser for the tfa config.
  * Update the login code to be more in line with PBS.
  * Add the TFA API we have in PBS via the rust module.

  @Thomas: This still contains a fixme about verifying the
  pve-access-control versions within the cluster...
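The pve-common ticket change above (url-escaping colons so JSON can live in the ticket data field) as an added example; this is not code from the series or from pve-common, and it assumes a simplified `PREFIX:data:HEXTIME` layout as a stand-in for the real PVE ticket format and escapes only `:` and `%`:

```rust
// Added example, not part of the patch series: colon-separated ticket data
// must be URL-escaped before JSON (full of colons) can be embedded in it.
// Assumption: "PREFIX:data:HEXTIME" is a simplified stand-in for PVE's format.
/// Percent-encode the two characters that would confuse the ticket parser.
fn url_escape(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '%' => out.push_str("%25"),
            ':' => out.push_str("%3A"),
            _ => out.push(c),
        }
    }
    out
}

/// Generic %XX decoder; None on a truncated or invalid escape.
fn url_unescape(s: &str) -> Option<String> {
    let bytes = s.as_bytes();
    let (mut out, mut i) = (Vec::with_capacity(bytes.len()), 0);
    while i < bytes.len() {
        if bytes[i] == b'%' {
            out.push(u8::from_str_radix(s.get(i + 1..i + 3)?, 16).ok()?);
            i += 3;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    String::from_utf8(out).ok()
}

/// Build a ticket; `escape` toggles the fix so both behaviours can be compared.
pub fn make_ticket(prefix: &str, data: &str, time: u64, escape: bool) -> String {
    let field = if escape { url_escape(data) } else { data.to_string() };
    format!("{}:{}:{:08X}", prefix, field, time)
}

/// Split a ticket into (prefix, data, time); None when the field count is off.
pub fn parse_ticket(ticket: &str) -> Option<(String, String, u64)> {
    let parts: Vec<&str> = ticket.split(':').collect();
    if parts.len() != 3 { return None; }
    let time = u64::from_str_radix(parts[2], 16).ok()?;
    Some((parts[0].to_string(), url_unescape(parts[1])?, time))
}

fn main() {
    let json = r#"{"user":"root@pam","tfa":"totp"}"#; // constructed sample
    println!("{:?}", parse_ticket(&make_ticket("PVE", json, 0x6189_1234, true)));
    println!("{:?}", parse_ticket(&make_ticket("PVE", json, 0x6189_1234, false)));
}
```

The unescaped variant splits into five fields and is rejected, while a plain `user@realm` value contains no colons and produces the same ticket either way, which is why the change is compatible with existing tickets.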