* [pmg-devel] [PATCH pmg-api 0/3] rename realms.cfg to realms.conf
From: Stoiko Ivanov @ 2025-02-26 17:37 UTC (permalink / raw)
To: pmg-devel
this series is based on Markus' v8 for OIDC:
https://lore.proxmox.com/pmg-devel/20250226140740.55612-1-m.frank@proxmox.com/T/#t

it addresses the naming of realms.cfg vs. realms.conf
additionally I moved the part of the schema definitions to Auth::Plugin,
in order to not have a cyclical include.

the third patch adds realms conf to the cluster sync.
(backup already contains everything in /etc/pmg anyways - so no special
consideration needed).

tested by installing this on 2 nodes in the cluster, and logging in
via keycloak on the non-master node
Stoiko Ivanov (3):
auth: plugin: move schema definitions from Utils to Auth::Plugin
access control: rename realms.cfg to realms.conf
cluster: add realms.conf to config-sync
src/PMG/API2/AuthRealm.pm | 16 ++++++++--------
src/PMG/API2/OIDC.pm | 5 +++--
src/PMG/AccessControl.pm | 4 ++--
src/PMG/Auth/Plugin.pm | 30 ++++++++++++++++++++++++------
src/PMG/Cluster.pm | 1 +
src/PMG/Utils.pm | 21 ++-------------------
6 files changed, 40 insertions(+), 37 deletions(-)
--
2.39.5
_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
* [pmg-devel] [PATCH pmg-api 1/3] auth: plugin: move schema definitions from Utils to Auth::Plugin
From: Stoiko Ivanov @ 2025-02-26 17:37 UTC (permalink / raw)
To: pmg-devel
it's the class that actually needs them, and where we want
to keep the definitions.
move happens in order to not have a cyclical include
(PMG::Auth::Plugin including PMG::Utils for the schema definitions,
and PMG::Utils including PMG::Auth::Plugin to get the realms from its
config file).
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
src/PMG/Auth/Plugin.pm | 19 ++++++++++++++++++-
src/PMG/Utils.pm | 21 ++-------------------
2 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/src/PMG/Auth/Plugin.pm b/src/PMG/Auth/Plugin.pm
index beb8fc4..f6792ac 100755
--- a/src/PMG/Auth/Plugin.pm
+++ b/src/PMG/Auth/Plugin.pm
@@ -6,7 +6,6 @@ use warnings;
use Digest::SHA;
use Encode;
-use PMG::Utils;
use PVE::INotify;
use PVE::JSONSchema qw(get_standard_option);
use PVE::SectionConfig;
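Review bot: dropping `use PMG::Utils;` is what breaks the cycle, but the hunk gives no evidence that Plugin.pm has no remaining `PMG::Utils::...` calls; Perl resolves fully qualified calls at run time, so a leftover would only fail when that code path is hit. Please grep the file (and the Auth plugin subclasses that inherit from it) for `PMG::Utils::` before merging.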
@@ -56,6 +55,24 @@ sub lock_realm_config {
}
}
+sub is_valid_realm {
+ my ($realm) = @_;
+ return 0 if !$realm;
+ return 1 if $realm eq 'pam' || $realm eq 'quarantine'; # built-in ones
+
+ my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin::realm_conf_id());
+ return exists($cfg->{ids}->{$realm}) ? 1 : 0;
+}
+
+PVE::JSONSchema::register_format('pmg-realm', \&is_valid_realm);
+
+PVE::JSONSchema::register_standard_option('realm', {
+ description => "Authentication domain ID",
+ type => 'string',
+ format => 'pmg-realm',
+ maxLength => 32,
+});
+
my $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/;
sub pmg_verify_realm {
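Review bot: `is_valid_realm` calls `PMG::Auth::Plugin::realm_conf_id()`, but at this point in the series Plugin.pm still only defines `realm_cfg_id` (the rename to `realm_conf_id` only lands in patch 2/3), so the tree does not work after this commit on its own: any schema validation of a `realm` parameter would die with an undefined-subroutine error. Either call `realm_cfg_id()` here and let the next patch rename it together with the other call sites, or reorder the series so the rename comes first; as posted, a bisect landing on this commit cannot exercise the realm validation.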
diff --git a/src/PMG/Utils.pm b/src/PMG/Utils.pm
index d440876..33f80ae 100644
--- a/src/PMG/Utils.pm
+++ b/src/PMG/Utils.pm
@@ -34,6 +34,7 @@ use Time::Local;
use Xdgmime;
use PMG::AtomicFile;
+use PMG::Auth::Plugin;
use PMG::MIMEUtils;
use PMG::MailQueue;
use PMG::SMTPPrinter;
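Review bot: after this `use PMG::Auth::Plugin;` the dependency is one-way (Utils loads Auth::Plugin, no longer the reverse), which matches the commit message. The remaining risk is a transitive reintroduction: if any module loaded by Auth::Plugin, or one of its plugin subclasses, still pulls in PMG::Utils, Perl tolerates the cycle silently and the half-compiled package's subs are simply undefined at the point of use. Running `perl -c` on each of the two modules in isolation would confirm the cycle is really gone.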
@@ -52,30 +53,12 @@ try_decode_utf8
my $user_regex = qr![^\s:/]+!;
sub valid_pmg_realm_regex {
- my $cfg = PVE::INotify::read_file('realms.cfg');
+ my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin::realm_conf_id());
my $ids = $cfg->{ids};
my $realms = ['pam', 'quarantine', sort keys $cfg->{ids}->%* ];
return join('|', @$realms);
}
-sub is_valid_realm {
- my ($realm) = @_;
- return 0 if !$realm;
- return 1 if $realm eq 'pam' || $realm eq 'quarantine'; # built-in ones
-
- my $cfg = PVE::INotify::read_file('realms.cfg');
- return exists($cfg->{ids}->{$realm}) ? 1 : 0;
-}
-
-PVE::JSONSchema::register_format('pmg-realm', \&is_valid_realm);
-
-PVE::JSONSchema::register_standard_option('realm', {
- description => "Authentication domain ID",
- type => 'string',
- format => 'pmg-realm',
- maxLength => 32,
-});
-
PVE::JSONSchema::register_standard_option('pmg-starttime', {
description => "Only consider entries newer than 'starttime' (unix epoch). Default is 'now - 1day'.",
type => 'integer',
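Review bot: `valid_pmg_realm_regex` now also depends on `realm_conf_id()`, which only exists after patch 2/3 (see the Plugin.pm hunk there), so the same ordering concern applies to this hunk. Two pre-existing nits in the touched function, since it is being edited anyway: `my $ids = $cfg->{ids};` is assigned and never used because the next line dereferences `$cfg->{ids}` again, and the realm IDs are joined into the alternation with `join('|', ...)` without `quotemeta`. `$realm_regex` in Plugin.pm (`[A-Za-z][A-Za-z0-9\.\-_]+`) permits `.` in an ID, which then matches any character in the resulting pattern, so a realm named `a.b` would also match `axb` wherever this regex is used. Escaping the IDs (`map { quotemeta } ...`) makes the match exact.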
--
2.39.5
* [pmg-devel] [PATCH pmg-api 2/3] access control: rename realms.cfg to realms.conf
From: Stoiko Ivanov @ 2025-02-26 17:37 UTC (permalink / raw)
To: pmg-devel
by defining the name once in PMG::Auth::Plugin, and using the sub
there to retrieve it where needed.
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
src/PMG/API2/AuthRealm.pm | 16 ++++++++--------
src/PMG/API2/OIDC.pm | 5 +++--
src/PMG/AccessControl.pm | 4 ++--
src/PMG/Auth/Plugin.pm | 11 ++++++-----
4 files changed, 19 insertions(+), 17 deletions(-)
diff --git a/src/PMG/API2/AuthRealm.pm b/src/PMG/API2/AuthRealm.pm
index 57c5fea..e9fee38 100644
--- a/src/PMG/API2/AuthRealm.pm
+++ b/src/PMG/API2/AuthRealm.pm
@@ -51,7 +51,7 @@ __PACKAGE__->register_method ({
my $res = [];
- my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin->realm_cfg_id());
+ my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin->realm_conf_id());
my $ids = $cfg->{ids};
for my $realm (keys %$ids) {
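Review bot: `PMG::Auth::Plugin->realm_conf_id()` is called as a class method here (and throughout AuthRealm.pm and AccessControl.pm), while Utils.pm and OIDC.pm in this series call it as a plain function, `PMG::Auth::Plugin::realm_conf_id()`. Both work only because the sub ignores its arguments (`sub realm_conf_id { return $realm_conf_id; }`); since this patch touches every call site, it is a good moment to settle on one form, and the function form avoids passing the class name as a meaningless first argument.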
@@ -82,7 +82,7 @@ __PACKAGE__->register_method ({
PMG::Auth::Plugin::lock_realm_config(
sub {
- my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin->realm_cfg_id());
+ my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin->realm_conf_id());
my $ids = $cfg->{ids};
my $realm = extract_param($param, 'realm');
@@ -117,7 +117,7 @@ __PACKAGE__->register_method ({
}
$plugin->on_add_hook($realm, $config, password => $password);
- PVE::INotify::write_file(PMG::Auth::Plugin->realm_cfg_id(), $cfg);
+ PVE::INotify::write_file(PMG::Auth::Plugin->realm_conf_id(), $cfg);
},
"add auth server failed",
);
@@ -141,7 +141,7 @@ __PACKAGE__->register_method ({
PMG::Auth::Plugin::lock_realm_config(
sub {
- my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin->realm_cfg_id());
+ my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin->realm_conf_id());
my $ids = $cfg->{ids};
my $digest = extract_param($param, 'digest');
@@ -184,7 +184,7 @@ __PACKAGE__->register_method ({
$plugin->on_update_hook($realm, $config);
}
- PVE::INotify::write_file(PMG::Auth::Plugin->realm_cfg_id(), $cfg);
+ PVE::INotify::write_file(PMG::Auth::Plugin->realm_conf_id(), $cfg);
},
"update auth server failed"
);
@@ -208,7 +208,7 @@ __PACKAGE__->register_method ({
code => sub {
my ($param) = @_;
- my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin->realm_cfg_id());
+ my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin->realm_conf_id());
my $realm = $param->{realm};
@@ -242,7 +242,7 @@ __PACKAGE__->register_method ({
PMG::Auth::Plugin::lock_realm_config(
sub {
- my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin->realm_cfg_id());
+ my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin->realm_conf_id());
my $ids = $cfg->{ids};
my $realm = $param->{realm};
@@ -254,7 +254,7 @@ __PACKAGE__->register_method ({
delete $ids->{$realm};
- PVE::INotify::write_file(PMG::Auth::Plugin->realm_cfg_id(), $cfg);
+ PVE::INotify::write_file(PMG::Auth::Plugin->realm_conf_id(), $cfg);
},
"delete auth server failed",
);
diff --git a/src/PMG/API2/OIDC.pm b/src/PMG/API2/OIDC.pm
index da9c774..92ff88d 100644
--- a/src/PMG/API2/OIDC.pm
+++ b/src/PMG/API2/OIDC.pm
@@ -10,10 +10,11 @@ use PVE::Exception qw(raise raise_perm_exc raise_param_exc);
use PVE::SafeSyslog;
use PVE::INotify;
use PVE::JSONSchema qw(get_standard_option);
+use PVE::RESTHandler;
use PMG::AccessControl;
+use PMG::Auth::Plugin;
use PMG::RESTEnvironment;
-use PVE::RESTHandler;
use base qw(PVE::RESTHandler);
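Review bot: moving `use PVE::RESTHandler;` up the list is unrelated to the rename and makes the hunk look larger than it is; harmless, but a mechanical rename commit is easier to verify when the only addition is the `use PMG::Auth::Plugin;` line. Note also that `use base qw(PVE::RESTHandler);` right below loads that module anyway, so the explicit `use` is redundant wherever it sits.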
@@ -22,7 +23,7 @@ my $oidc_state_path = "/var/lib/pmg";
my $lookup_oidc_auth = sub {
my ($realm, $redirect_url) = @_;
- my $cfg = PVE::INotify::read_file('realms.cfg');
+ my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin::realm_conf_id());
my $ids = $cfg->{ids};
die "authentication domain '$realm' does not exist\n" if !$ids->{$realm};
diff --git a/src/PMG/AccessControl.pm b/src/PMG/AccessControl.pm
index 57d80f8..0cf8067 100644
--- a/src/PMG/AccessControl.pm
+++ b/src/PMG/AccessControl.pm
@@ -66,7 +66,7 @@ sub authenticate_user : prototype($$$) {
}
die "ldap login failed\n";
} elsif ($realm =~ m!(${realm_regex})!) {
- my $realm_cfg = PVE::INotify::read_file(PMG::Auth::Plugin->realm_cfg_id());
+ my $realm_cfg = PVE::INotify::read_file(PMG::Auth::Plugin->realm_conf_id());
my $cfg = $realm_cfg->{ids}->{$realm};
my $plugin = PMG::Auth::Plugin->lookup($cfg->{type});
$plugin->authenticate_user($cfg, $realm, $ruid, $password);
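Review bot: the `$realm =~ m!(${realm_regex})!` branch reads the config and then dereferences `$realm_cfg->{ids}->{$realm}` without checking that the realm exists; for a syntactically valid but unconfigured realm `$cfg` is undef, `PMG::Auth::Plugin->lookup($cfg->{type})` receives undef, and the caller sees whatever `lookup` dies with instead of the explicit "authentication domain '$realm' does not exist" that OIDC.pm raises in the same situation. The `set_user_password` hunk below has the same shape. Not introduced by the rename, but since both call sites are being touched, a `die "authentication domain '$realm' does not exist\n" if !$cfg;` before the lookup would make the failure mode explicit.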
@@ -111,7 +111,7 @@ sub set_user_password {
} elsif ($realm eq 'pmg') {
PMG::UserConfig->set_user_password($username, $password);
} elsif ($realm =~ m!(${realm_regex})!) {
- my $realm_cfg = PVE::INotify::read_file(PMG::Auth::Plugin->realm_cfg_id());
+ my $realm_cfg = PVE::INotify::read_file(PMG::Auth::Plugin->realm_conf_id());
my $cfg = $realm_cfg->{ids}->{$realm};
my $plugin = PMG::Auth::Plugin->lookup($cfg->{type});
$plugin->store_password($cfg, $realm, $username, $password);
diff --git a/src/PMG/Auth/Plugin.pm b/src/PMG/Auth/Plugin.pm
index f6792ac..1a9f68a 100755
--- a/src/PMG/Auth/Plugin.pm
+++ b/src/PMG/Auth/Plugin.pm
@@ -13,11 +13,12 @@ use PVE::Tools;
use base qw(PVE::SectionConfig);
-my $realm_cfg_id = "realms.cfg";
+my $realm_conf_id = "realms.conf";
+my $realm_conf_filename = "/etc/pmg/$realm_conf_id";
my $lockfile = "/var/lock/pmg-realms.lck";
-sub realm_cfg_id {
- return $realm_cfg_id;
+sub realm_conf_id {
+ return $realm_conf_id;
}
sub read_realms_conf {
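Review bot: the rename changes the on-disk path from /etc/pmg/realms.cfg to /etc/pmg/realms.conf with no migration or fallback read, and the commit message does not say whether a `realms.cfg` can already exist on deployed installations. If the OIDC series this builds on has not shipped, that is fine and a sentence stating it would make the intent clear; if it has, existing realm definitions would silently stop being read. Deriving `$realm_conf_filename` from `$realm_conf_id` is a good change, as the two names can no longer drift apart.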
@@ -38,8 +39,8 @@ sub write_realms_conf {
}
PVE::INotify::register_file(
- $realm_cfg_id,
- "/etc/pmg/realms.cfg",
+ $realm_conf_id,
+ $realm_conf_filename,
\&read_realms_conf,
\&write_realms_conf,
undef,
--
2.39.5
* [pmg-devel] [PATCH pmg-api 3/3] cluster: add realms.conf to config-sync
From: Stoiko Ivanov @ 2025-02-26 17:37 UTC (permalink / raw)
To: pmg-devel
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
src/PMG/Cluster.pm | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/PMG/Cluster.pm b/src/PMG/Cluster.pm
index 17ba44d..1b22774 100644
--- a/src/PMG/Cluster.pm
+++ b/src/PMG/Cluster.pm
@@ -461,6 +461,7 @@ sub sync_config_from_master {
'pmg-csrf.key',
'ldap.conf',
'user.conf',
+ 'realms.conf',
'tfa.json',
'domains',
'mynetworks',
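Review bot: the commit message body is empty apart from the Signed-off-by; the cover letter gives the reason (realm definitions must reach non-master nodes so a login via an OIDC/keycloak realm works there), and that reasoning belongs in the commit itself. Also, the file name is repeated as the literal `'realms.conf'` here even though patch 2/3 introduced `PMG::Auth::Plugin::realm_conf_id()` precisely to define it once; the neighbouring entries (`'ldap.conf'`, `'user.conf'`) are literals too, so this matches the list's style, but a future rename now has to remember this spot as well.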
--
2.39.5
* [pmg-devel] applied-series: [PATCH pmg-api 0/3] rename realms.cfg to realms.conf
From: Thomas Lamprecht @ 2025-02-26 20:17 UTC (permalink / raw)
To: Stoiko Ivanov, pmg-devel
On 26.02.25 at 18:37, Stoiko Ivanov wrote:
> this series is based on Markus' v8 for OIDC:
> https://lore.proxmox.com/pmg-devel/20250226140740.55612-1-m.frank@proxmox.com/T/#t
>
> it addresses the naming of realms.cfg vs. realms.conf
> additionally I moved the part of the schema definitions to Auth::Plugin,
> in order to not have a cyclical include.
>
> the third patch adds realms conf to the cluster sync.
> (backup already contains everything in /etc/pmg anyways - so no special
> consideration needed).
>
> tested by installing this on 2 nodes in the cluster, and logging in
> via keycloak on the non-master node
>
> Stoiko Ivanov (3):
> auth: plugin: move schema definitions from Utils to Auth::Plugin
> access control: rename realms.cfg to realms.conf
> cluster: add realms.conf to config-sync
>
> src/PMG/API2/AuthRealm.pm | 16 ++++++++--------
> src/PMG/API2/OIDC.pm | 5 +++--
> src/PMG/AccessControl.pm | 4 ++--
> src/PMG/Auth/Plugin.pm | 30 ++++++++++++++++++++++++------
> src/PMG/Cluster.pm | 1 +
> src/PMG/Utils.pm | 21 ++-------------------
> 6 files changed, 40 insertions(+), 37 deletions(-)
>
applied, thanks!