From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: Markus Frank <m.frank@proxmox.com>
Cc: pmg-devel@lists.proxmox.com
Subject: Re: [pmg-devel] [PATCH pmg-api v4 6/10] api: add/update/remove realms like in PVE
Date: Mon, 17 Feb 2025 12:56:40 +0100 [thread overview]
Message-ID: <20250217125640.21db40f0@rosa.proxmox.com> (raw)
In-Reply-To: <20250114093010.4560-7-m.frank@proxmox.com>
On Tue, 14 Jan 2025 10:30:06 +0100
Markus Frank <m.frank@proxmox.com> wrote:
> The name Authdomains.pm was chosen because a Domain.pm already exists.
why not call it Realm.pm? - would fit the authentication realm part, and
might lead to less confusion with the other use of 'domain' throughout PMG
(as in relay-domain etc.)
>
> Signed-off-by: Markus Frank <m.frank@proxmox.com>
> ---
> src/Makefile | 1 +
> src/PMG/API2/AccessControl.pm | 10 +-
> src/PMG/API2/Authdomains.pm | 274 ++++++++++++++++++++++++++++++++++
> 3 files changed, 284 insertions(+), 1 deletion(-)
> create mode 100644 src/PMG/API2/Authdomains.pm
>
> diff --git a/src/Makefile b/src/Makefile
> index 3ed0ea1..1dfe469 100644
> --- a/src/Makefile
> +++ b/src/Makefile
> @@ -151,6 +151,7 @@ LIBSOURCES = \
> PMG/API2/Postfix.pm \
> PMG/API2/Quarantine.pm \
> PMG/API2/AccessControl.pm \
> + PMG/API2/Authdomains.pm \
> PMG/API2/TFA.pm \
> PMG/API2/TFAConfig.pm \
> PMG/API2/ObjectGroupHelpers.pm \
> diff --git a/src/PMG/API2/AccessControl.pm b/src/PMG/API2/AccessControl.pm
> index e26ae70..dad679c 100644
> --- a/src/PMG/API2/AccessControl.pm
> +++ b/src/PMG/API2/AccessControl.pm
> @@ -12,6 +12,7 @@ use PVE::JSONSchema qw(get_standard_option);
> use PMG::Utils;
> use PMG::UserConfig;
> use PMG::AccessControl;
> +use PMG::API2::Authdomains;
> use PMG::API2::Users;
> use PMG::API2::TFA;
> use PMG::TFAConfig;
> @@ -30,6 +31,11 @@ __PACKAGE__->register_method ({
> path => 'tfa',
> });
>
> +__PACKAGE__->register_method ({
> + subclass => "PMG::API2::Authdomains",
> + path => 'domains',
... should then also be renamed to 'realms'
> +});
> +
> __PACKAGE__->register_method ({
> name => 'index',
> path => '',
> @@ -57,6 +63,7 @@ __PACKAGE__->register_method ({
>
> my $res = [
> { subdir => 'ticket' },
> + { subdir => 'domains' },
... here as well
> { subdir => 'password' },
> { subdir => 'users' },
> ];
> @@ -248,7 +255,8 @@ __PACKAGE__->register_method ({
>
> my $username = $param->{username};
>
> - if ($username !~ m/\@(pam|pmg|quarantine)$/) {
> + my $realm_regex = PMG::Utils::valid_pmg_realm_regex();
> + if ($username !~ m/\@(${realm_regex})$/) {
> my $realm = $param->{realm} // 'quarantine';
> $username .= "\@$realm";
> }
> diff --git a/src/PMG/API2/Authdomains.pm b/src/PMG/API2/Authdomains.pm
> new file mode 100644
> index 0000000..a93ca13
> --- /dev/null
> +++ b/src/PMG/API2/Authdomains.pm
> @@ -0,0 +1,274 @@
> +package PMG::API2::Authdomains;
.. the file and module name as well
> +
> +use strict;
> +use warnings;
> +
> +use PVE::Exception qw(raise_param_exc);
> +use PVE::INotify;
> +use PVE::JSONSchema qw(get_standard_option);
> +use PVE::RESTHandler;
> +use PVE::SafeSyslog;
> +use PVE::Tools qw(extract_param);
> +
> +use PMG::AccessControl;
> +use PMG::Auth::Plugin;
> +use PVE::Schema::Auth;
> +
> +my $domainconfigfile = "realms.cfg";
> +
> +use base qw(PVE::RESTHandler);
> +
> +__PACKAGE__->register_method ({
> + name => 'index',
> + path => '',
> + method => 'GET',
> + description => "Authentication domain index.",
> + permissions => {
> + description => "Anyone can access that, because we need that list for the login box (before the user is authenticated).",
> + user => 'world',
> + },
> + parameters => {
> + additionalProperties => 0,
> + properties => {},
> + },
> + returns => {
> + type => 'array',
> + items => {
> + type => "object",
> + properties => {
> + realm => { type => 'string' },
> + type => { type => 'string' },
> + tfa => {
> + description => "Two-factor authentication provider.",
> + type => 'string',
> + enum => [ 'yubico', 'oath' ],
> + optional => 1,
> + },
> + comment => {
> + description => "A comment. The GUI use this text when you select a domain (Realm) on the login window.",
> + type => 'string',
> + optional => 1,
> + },
> + },
> + },
> + links => [ { rel => 'child', href => "{realm}" } ],
> + },
> + code => sub {
> + my ($param) = @_;
> +
> + my $res = [];
> +
> + my $cfg = PVE::INotify::read_file($domainconfigfile);
> + my $ids = $cfg->{ids};
> +
> + for my $realm (keys %$ids) {
> + my $d = $ids->{$realm};
> + my $entry = { realm => $realm, type => $d->{type} };
> + $entry->{comment} = $d->{comment} if $d->{comment};
> + $entry->{default} = 1 if $d->{default};
> + if ($d->{tfa} && (my $tfa_cfg = PVE::Schema::Auth::parse_tfa_config($d->{tfa}))) {
> + $entry->{tfa} = $tfa_cfg->{type};
> + }
> + push @$res, $entry;
> + }
> +
> + return $res;
> + }});
> +
> +__PACKAGE__->register_method ({
> + name => 'create',
> + protected => 1,
> + path => '',
> + method => 'POST',
> + permissions => { check => [ 'admin' ] },
> + description => "Add an authentication server.",
> + parameters => PMG::Auth::Plugin->createSchema(0),
> + returns => { type => 'null' },
> + code => sub {
> + my ($param) = @_;
> +
> + # always extract, add it with hook
> + my $password = extract_param($param, 'password');
> +
> + PMG::Auth::Plugin::lock_domain_config(
> + sub {
> + my $cfg = PVE::INotify::read_file($domainconfigfile);
> + my $ids = $cfg->{ids};
> +
> + my $realm = extract_param($param, 'realm');
> + PMG::Auth::Plugin::pmg_verify_realm($realm);
> + my $type = $param->{type};
> + my $check_connection = extract_param($param, 'check-connection');
> +
> + die "domain '$realm' already exists\n"
> + if $ids->{$realm};
> +
> + die "unable to use reserved name '$realm'\n"
> + if ($realm eq 'pam' || $realm eq 'pmg');
> +
> + die "unable to create builtin type '$type'\n"
> + if ($type eq 'pam' || $type eq 'pmg');
> +
> + my $plugin = PMG::Auth::Plugin->lookup($type);
> + my $config = $plugin->check_config($realm, $param, 1, 1);
> +
> + if ($config->{default}) {
> + for my $r (keys %$ids) {
> + delete $ids->{$r}->{default};
> + }
> + }
> +
> + $ids->{$realm} = $config;
> +
> + my $opts = $plugin->options();
> + if (defined($password) && !defined($opts->{password})) {
> + $password = undef;
> + warn "ignoring password parameter";
> + }
> + $plugin->on_add_hook($realm, $config, password => $password);
> +
> + PVE::INotify::write_file($domainconfigfile, $cfg);
> + },
> + "add auth server failed",
> + );
> + return undef;
> + }});
> +
> +__PACKAGE__->register_method ({
> + name => 'update',
> + path => '{realm}',
> + method => 'PUT',
> + permissions => { check => [ 'admin' ] },
> + description => "Update authentication server settings.",
> + protected => 1,
> + parameters => PMG::Auth::Plugin->updateSchema(0),
> + returns => { type => 'null' },
> + code => sub {
> + my ($param) = @_;
> +
> + # always extract, update in hook
> + my $password = extract_param($param, 'password');
> +
> + PMG::Auth::Plugin::lock_domain_config(
> + sub {
> + my $cfg = PVE::INotify::read_file($domainconfigfile);
> + my $ids = $cfg->{ids};
> +
> + my $digest = extract_param($param, 'digest');
> + PVE::SectionConfig::assert_if_modified($cfg, $digest);
> +
> + my $realm = extract_param($param, 'realm');
> + my $type = $ids->{$realm}->{type};
> + my $check_connection = extract_param($param, 'check-connection');
> +
> + die "domain '$realm' does not exist\n"
> + if !$ids->{$realm};
> +
> + my $delete_str = extract_param($param, 'delete');
> + die "no options specified\n"
> + if !$delete_str && !scalar(keys %$param) && !defined($password);
> +
> + my $delete_pw = 0;
> + for my $opt (PVE::Tools::split_list($delete_str)) {
> + delete $ids->{$realm}->{$opt};
> + $delete_pw = 1 if $opt eq 'password';
> + }
> +
> + my $plugin = PMG::Auth::Plugin->lookup($type);
> + my $config = $plugin->check_config($realm, $param, 0, 1);
> +
> + if ($config->{default}) {
> + for my $r (keys %$ids) {
> + delete $ids->{$r}->{default};
> + }
> + }
> +
> + for my $p (keys %$config) {
> + $ids->{$realm}->{$p} = $config->{$p};
> + }
> +
> + my $opts = $plugin->options();
> + if ($delete_pw || defined($password)) {
> + $plugin->on_update_hook($realm, $config, password => $password);
> + } else {
> + $plugin->on_update_hook($realm, $config);
> + }
> +
> + PVE::INotify::write_file($domainconfigfile, $cfg);
> + },
> + "update auth server failed"
> + );
> + return undef;
> + }});
> +
> +# fixme: return format!
> +__PACKAGE__->register_method ({
> + name => 'read',
> + path => '{realm}',
> + method => 'GET',
> + description => "Get auth server configuration.",
> + permissions => { check => [ 'admin', 'qmanager', 'audit' ] },
> + parameters => {
> + additionalProperties => 0,
> + properties => {
> + realm => get_standard_option('realm'),
> + },
> + },
> + returns => {},
> + code => sub {
> + my ($param) = @_;
> +
> + my $cfg = PVE::INotify::read_file($domainconfigfile);
> +
> + my $realm = $param->{realm};
> +
> + my $data = $cfg->{ids}->{$realm};
> + die "domain '$realm' does not exist\n" if !$data;
> +
> + my $type = $data->{type};
> +
> + $data->{digest} = $cfg->{digest};
> +
> + return $data;
> + }});
> +
> +
> +__PACKAGE__->register_method ({
> + name => 'delete',
> + path => '{realm}',
> + method => 'DELETE',
> + permissions => { check => [ 'admin' ] },
> + description => "Delete an authentication server.",
> + protected => 1,
> + parameters => {
> + additionalProperties => 0,
> + properties => {
> + realm => get_standard_option('realm'),
> + }
> + },
> + returns => { type => 'null' },
> + code => sub {
> + my ($param) = @_;
> +
> + PMG::Auth::Plugin::lock_domain_config(
> + sub {
> + my $cfg = PVE::INotify::read_file($domainconfigfile);
> + my $ids = $cfg->{ids};
> + my $realm = $param->{realm};
> +
> + die "authentication domain '$realm' does not exist\n" if !$ids->{$realm};
> +
> + my $plugin = PMG::Auth::Plugin->lookup($ids->{$realm}->{type});
> +
> + $plugin->on_delete_hook($realm, $ids->{$realm});
> +
> + delete $ids->{$realm};
> +
> + PVE::INotify::write_file($domainconfigfile, $cfg);
> + },
> + "delete auth server failed",
> + );
> + return undef;
> + }});
> +
> +1;
_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
next prev parent reply other threads:[~2025-02-17 11:56 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-14 9:30 [pmg-devel] [PATCH pve-common/perl-rs/pmg-api/widget-toolkit/pmg-gui v4 0/10] fix #3892: OpenID Connect Markus Frank
2025-01-14 9:30 ` [pmg-devel] [PATCH pve-common v4 1/10] add Schema package with auth module that contains realm sync options Markus Frank
2025-01-14 9:30 ` [pmg-devel] [PATCH proxmox-perl-rs v4 2/10] move openid code from pve-rs to common Markus Frank
2025-02-17 11:50 ` Stoiko Ivanov
2025-01-14 9:30 ` [pmg-devel] [PATCH proxmox-perl-rs v4 3/10] remove empty PMG::RS::OpenId package to avoid confusion Markus Frank
2025-01-14 9:30 ` [pmg-devel] [PATCH pmg-api v4 4/10] config: add plugin system for realms Markus Frank
2025-01-14 9:30 ` [pmg-devel] [PATCH pmg-api v4 5/10] config: add openid type realm Markus Frank
2025-01-14 9:30 ` [pmg-devel] [PATCH pmg-api v4 6/10] api: add/update/remove realms like in PVE Markus Frank
2025-02-17 11:56 ` Stoiko Ivanov [this message]
2025-01-14 9:30 ` [pmg-devel] [PATCH pmg-api v4 7/10] api: openid login similar to PVE Markus Frank
2025-02-17 12:02 ` Stoiko Ivanov
2025-01-14 9:30 ` [pmg-devel] [PATCH widget-toolkit v4 8/10] fix: window: AuthEditBase: rename variable 'realm' to 'type' Markus Frank
2025-01-14 9:30 ` [pmg-devel] [PATCH pmg-gui v4 09/10] login: add OpenID realms Markus Frank
2025-01-14 9:30 ` [pmg-devel] [PATCH pmg-gui v4 10/10] add panel for realms to User Management Markus Frank
2025-02-14 17:49 ` [pmg-devel] [PATCH pve-common/perl-rs/pmg-api/widget-toolkit/pmg-gui v4 0/10] fix #3892: OpenID Connect Stoiko Ivanov
2025-02-17 11:47 ` Stoiko Ivanov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250217125640.21db40f0@rosa.proxmox.com \
--to=s.ivanov@proxmox.com \
--cc=m.frank@proxmox.com \
--cc=pmg-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.