* [pdm-devel] [PATCH datacenter-manager/yew-comp 0/4] fix adding users manually for openid/ldap/ad realms
@ 2026-01-12 12:24 Shannon Sterz
  2026-01-12 12:24 ` [pdm-devel] [PATCH yew-comp 1/1] user panel: add a parameter to set the current product's realm Shannon Sterz
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Shannon Sterz @ 2026-01-12 12:24 UTC
  To: pdm-devel

currently, when adding a new user manually through the ui, a password
needs to be entered for all realms but the pam realm. however, only for
the pdm/product realm itself do we store a password. so don't require
these fields for any other realm.

also adds a dummy authenticator implementation for openid realms. this
is necessary, because looking up whether an authenticator is present is
used for validating that a realm exists when adding a user. so add a
dummy authenticator for openid realms.

proxmox-yew-comp:

Shannon Sterz (1):
  user panel: add a parameter to set the current product's realm

 src/user_panel.rs | 33 ++++++++++++++++++++++++++-------
 1 file changed, 26 insertions(+), 7 deletions(-)


proxmox-datacenter-manager:

Shannon Sterz (3):
  fix #7182: server: auth: add dummy openid authenticator
  ui: run cargo fmt
  ui: set product realm so that the add user dialogs are rendered
    properly

 server/src/auth/mod.rs                     | 61 ++++++++++++++++++----
 ui/src/configuration/mod.rs                |  2 +-
 ui/src/configuration/subscription_panel.rs |  6 +--
 ui/src/remotes/firewall/tree.rs            |  6 +--
 4 files changed, 53 insertions(+), 22 deletions(-)


Summary over all repositories:
  5 files changed, 79 insertions(+), 29 deletions(-)

--
Generated by git-murpp 0.8.1


_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel



* [pdm-devel] [PATCH yew-comp 1/1] user panel: add a parameter to set the current product's realm
  2026-01-12 12:24 [pdm-devel] [PATCH datacenter-manager/yew-comp 0/4] fix adding users manually for openid/ldap/ad realms Shannon Sterz
@ 2026-01-12 12:24 ` Shannon Sterz
  2026-01-12 12:24 ` [pdm-devel] [PATCH datacenter-manager 1/3] fix #7182: server: auth: add dummy openid authenticator Shannon Sterz
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Shannon Sterz @ 2026-01-12 12:24 UTC
  To: pdm-devel

so that password and confirm password fields can be omitted
appropriately when adding users and the "change password" button is
disabled appropriately.

Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
 src/user_panel.rs | 33 ++++++++++++++++++++++++++-------
 1 file changed, 26 insertions(+), 7 deletions(-)

diff --git a/src/user_panel.rs b/src/user_panel.rs
index c6d0b56..547fdfe 100644
--- a/src/user_panel.rs
+++ b/src/user_panel.rs
@@ -4,7 +4,9 @@ use std::rc::Rc;
 
 use anyhow::Error;
 use proxmox_client::ApiResponseData;
+use pwt_macros::builder;
 use serde_json::Value;
+use yew::html::IntoPropValue;
 
 use proxmox_access_control::types::UserWithTokens;
 use proxmox_auth_api::types::Username;
@@ -89,7 +91,13 @@ async fn update_user(form_ctx: FormContext) -> Result<(), Error> {
 }
 
 #[derive(PartialEq, Properties)]
-pub struct UserPanel {}
+#[builder]
+pub struct UserPanel {
+    /// The realm of the current product. For example: "pdm"
+    #[builder(IntoPropValue, into_prop_value)]
+    #[prop_or_default]
+    product_realm: Option<AttrValue>,
+}
 
 impl Default for UserPanel {
     fn default() -> Self {
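Review bot: the doc comment on product_realm gives an example value but does not say what leaving it unset means. The field is #[prop_or_default] and UserPanel::new() takes no argument, so None is what every existing caller gets. Please document how the panel behaves in that case (which realms get password fields, when "change password" is enabled), or make the realm a required argument of new() so the choice is explicit.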
@@ -99,7 +107,7 @@ impl Default for UserPanel {
 
 impl UserPanel {
     pub fn new() -> Self {
-        Self {}
+        yew::props!(Self {})
     }
 }
 
@@ -119,6 +127,7 @@ pub struct ProxmoxUserPanel {
     state: LoadableComponentState<ViewState>,
     store: Store<UserWithTokens>,
     selection: Selection,
+    product_realm: Option<AttrValue>,
 }
 
 pwt::impl_deref_mut_property!(ProxmoxUserPanel, state, LoadableComponentState<ViewState>);
@@ -154,6 +163,7 @@ impl LoadableComponent for ProxmoxUserPanel {
             state: LoadableComponentState::new(),
             store,
             selection,
+            product_realm: ctx.props().product_realm.clone(),
         }
     }
 
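Review bot: product_realm is cloned out of ctx.props() once, when the component state is built, so the component holds a second copy that does not follow later prop changes. If the panel can be re-rendered with a different product_realm, either update the field where changed props are handled, or drop the field and read ctx.props().product_realm at the two use sites.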
@@ -180,7 +190,11 @@ impl LoadableComponent for ProxmoxUserPanel {
         let no_selection = self.selection.is_empty();
         let disable_change_password = self
             .get_selected_user()
-            .map(|user| user.user.userid.realm().as_str() == "pam")
+            .and_then(|user| {
+                self.product_realm
+                    .as_ref()
+                    .map(|p| p != user.user.userid.realm().as_str())
+            })
             .unwrap_or(no_selection);
 
         let toolbar = Toolbar::new()
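Review bot: with product_realm unset, the and_then closure yields None and the expression falls through to unwrap_or(no_selection), which is false whenever a user is selected. The "change password" button is then enabled for every realm, including pam, which the removed line disabled. Since None is the prop default, consider treating it as "disable" for a selected user, or keep the pam comparison as the fallback when no product realm is configured.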
@@ -279,8 +293,9 @@ impl ProxmoxUserPanel {
     }
 
     fn create_add_dialog(&self, ctx: &LoadableComponentContext<Self>) -> Html {
+        let product_realm = self.product_realm.clone();
         EditWindow::new(tr!("Add") + ": " + &tr!("User"))
-            .renderer(add_user_input_panel)
+            .renderer(move |form_ctx| add_user_input_panel(form_ctx, &product_realm))
             .on_submit(create_user)
             .on_done(ctx.link().change_view_callback(|_| None))
             .on_change(check_confirm_password)
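Review bot: .on_change(check_confirm_password) and .on_submit(create_user) stay attached to the dialog even when the renderer no longer emits the password fields. Please confirm both cope with a form that lacks them: the change handler should not flag a mismatch on absent values, and create_user should not send an empty password for users of realms other than the product realm.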
@@ -484,8 +499,12 @@ fn password_change_input_panel(_form_ctx: &FormContext) -> Html {
         .into()
 }
 
-fn add_user_input_panel(form_ctx: &FormContext) -> Html {
-    let is_pam = form_ctx.read().get_field_text("realm") == "pam";
+fn add_user_input_panel(form_ctx: &FormContext, product_realm: &Option<AttrValue>) -> Html {
+    let realm = form_ctx.read().get_field_text("realm");
+    let is_product_realm = product_realm
+        .as_deref()
+        .map(|p| p == realm)
+        .unwrap_or_default();
 
     let mut panel = InputPanel::new()
         .padding(4)
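Review bot: style point on the new signature and on is_product_realm. Taking &Option<AttrValue> ties the helper to how the caller stores the value; Option<&str>, obtained with as_deref() at the call site, is the more usual shape. The map(...).unwrap_or_default() chain hides that "unset" means false; is_some_and(|p| p == realm) states it directly. The change-password check earlier in this patch does the same comparison with as_ref().map(...), so a small shared helper would keep the two in step.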
@@ -506,7 +525,7 @@ fn add_user_input_panel(form_ctx: &FormContext) -> Html {
                 .submit(false),
         );
 
-    if !is_pam {
+    if is_product_realm {
         panel = panel
             .with_field(
                 tr!("Password"),
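Review bot: the condition flips from "every realm except pam" to "only the product realm", and with product_realm unset it is never true. A consumer of UserPanel that is not updated to call product_realm(...) silently loses the password fields for its own realm; patch 3/3 covers PDM only. Either land the matching change in the other users of this component together with the yew-comp bump, or fall back to the old non-pam behaviour when the prop is None. Hiding the fields is presentation only, so the API should keep rejecting a password for realms that do not store one.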
-- 
2.47.3




* [pdm-devel] [PATCH datacenter-manager 1/3] fix #7182: server: auth: add dummy openid authenticator
  2026-01-12 12:24 [pdm-devel] [PATCH datacenter-manager/yew-comp 0/4] fix adding users manually for openid/ldap/ad realms Shannon Sterz
  2026-01-12 12:24 ` [pdm-devel] [PATCH yew-comp 1/1] user panel: add a parameter to set the current product's realm Shannon Sterz
@ 2026-01-12 12:24 ` Shannon Sterz
  2026-01-12 12:24 ` [pdm-devel] [PATCH datacenter-manager 2/3] ui: run cargo fmt Shannon Sterz
  2026-01-12 12:24 ` [pdm-devel] [PATCH datacenter-manager 3/3] ui: set product realm so that the add user dialogs are rendered properly Shannon Sterz
  3 siblings, 0 replies; 5+ messages in thread
From: Shannon Sterz @ 2026-01-12 12:24 UTC
  To: pdm-devel

when manually adding users from an openid realm, the api checks
whether the realm exists. so at least a dummy implementation is needed
here.

Fixes: https://bugzilla.proxmox.com/show_bug.cgi?id=7182
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
 server/src/auth/mod.rs | 61 ++++++++++++++++++++++++++++++++++--------
 1 file changed, 50 insertions(+), 11 deletions(-)

diff --git a/server/src/auth/mod.rs b/server/src/auth/mod.rs
index 82425e8..312ed72 100644
--- a/server/src/auth/mod.rs
+++ b/server/src/auth/mod.rs
@@ -16,10 +16,10 @@ use proxmox_auth_api::types::Authid;
 use proxmox_auth_api::{HMACKey, Keyring};
 use proxmox_ldap::types::{AdRealmConfig, LdapRealmConfig};
 use proxmox_rest_server::AuthError;
-use proxmox_router::UserInformation;
+use proxmox_router::{http_bail, UserInformation};
 use proxmox_tfa::api::{OpenUserChallengeData, TfaConfig};
 
-use pdm_api_types::{RealmRef, Userid};
+use pdm_api_types::{OpenIdRealmConfig, RealmRef, Userid, UsernameRef};
 
 pub mod certs;
 pub mod csrf;
@@ -189,17 +189,17 @@ pub(crate) fn lookup_authenticator(
             lock_filename: pdm_buildcfg::configdir!("/access/shadow.json.lock"),
         })),
         realm => {
-            if let Ok((domains, _digest)) = pdm_config::domains::config() {
-                if let Ok(config) = domains.lookup::<LdapRealmConfig>("ldap", realm) {
-                    return Ok(Box::new(LdapAuthenticator::new(config)));
-                }
+            let (domains, _digest) = pdm_config::domains::config()?;
 
-                if let Ok(config) = domains.lookup::<AdRealmConfig>("ad", realm) {
-                    return Ok(Box::new(AdAuthenticator::new(config)));
-                }
+            if let Ok(config) = domains.lookup::<LdapRealmConfig>("ldap", realm) {
+                Ok(Box::new(LdapAuthenticator::new(config)))
+            } else if let Ok(config) = domains.lookup::<AdRealmConfig>("ad", realm) {
+                Ok(Box::new(AdAuthenticator::new(config)))
+            } else if domains.lookup::<OpenIdRealmConfig>("openid", realm).is_ok() {
+                Ok(Box::new(OpenIdAuthenticator()))
+            } else {
+                bail!("unknwon realm {realm}");
             }
-
-            bail!("unknwon realm {realm}");
         }
     }
 }
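Review bot: the `?` on pdm_config::domains::config() is a behaviour change the commit message does not mention. Before, a failure to load the domains config was swallowed by the outer if let Ok(...) and ended in the "unknown realm" bail; now the config error propagates to every caller of lookup_authenticator for any realm that reaches this arm. That is probably the better behaviour, but callers that treat any error here as "realm does not exist" will surface a different message, so it deserves a line in the commit message. The individual lookup() calls still discard their errors through if let Ok and is_ok(), so a malformed section continues to read as an unknown realm. The moved bail! also keeps the "unknwon" typo, which could be fixed while the line is touched.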
@@ -234,3 +234,42 @@ impl LockedTfaConfig for PdmLockedTfaConfig {
         tfa::write(&self.config)
     }
 }
+
+struct OpenIdAuthenticator();
+/// When a user is manually added, the lookup_authenticator is called to verify that
+/// the realm exists. Thus, it is necessary to have an (empty) implementation for
+/// OpendID as well.
+impl Authenticator for OpenIdAuthenticator {
+    fn authenticate_user<'a>(
+        &'a self,
+        _username: &'a UsernameRef,
+        _password: &'a str,
+        _client_ip: Option<&'a IpAddr>,
+    ) -> Pin<Box<dyn Future<Output = Result<(), Error>> + Send + 'a>> {
+        Box::pin(async move {
+            http_bail!(
+                NOT_IMPLEMENTED,
+                "password authentication is not implemented for OpenID realms"
+            );
+        })
+    }
+
+    fn store_password(
+        &self,
+        _username: &UsernameRef,
+        _password: &str,
+        _client_ip: Option<&IpAddr>,
+    ) -> Result<(), Error> {
+        http_bail!(
+            NOT_IMPLEMENTED,
+            "storing passwords is not implemented for OpenID realms"
+        );
+    }
+
+    fn remove_password(&self, _username: &UsernameRef) -> Result<(), Error> {
+        http_bail!(
+            NOT_IMPLEMENTED,
+            "storing passwords is not implemented for OpenID realms"
+        );
+    }
+}
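Review bot: remove_password returns the same text as store_password ("storing passwords is not implemented for OpenID realms"); the message should talk about removing. Please also check the user deletion path: if it calls remove_password on the realm's authenticator, deleting an OpenID user would now fail with NOT_IMPLEMENTED, and returning Ok(()) would be the more fitting answer since nothing is stored. authenticate_user failing unconditionally is the right choice now that lookup_authenticator resolves OpenID realms, because a password login against such a realm then cannot succeed. Smaller points: the /// comment sits on the impl block rather than on struct OpenIdAuthenticator, it says "OpendID", and a unit struct (struct OpenIdAuthenticator;) would do instead of the empty tuple struct.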
-- 
2.47.3




* [pdm-devel] [PATCH datacenter-manager 2/3] ui: run cargo fmt
  2026-01-12 12:24 [pdm-devel] [PATCH datacenter-manager/yew-comp 0/4] fix adding users manually for openid/ldap/ad realms Shannon Sterz
  2026-01-12 12:24 ` [pdm-devel] [PATCH yew-comp 1/1] user panel: add a parameter to set the current product's realm Shannon Sterz
  2026-01-12 12:24 ` [pdm-devel] [PATCH datacenter-manager 1/3] fix #7182: server: auth: add dummy openid authenticator Shannon Sterz
@ 2026-01-12 12:24 ` Shannon Sterz
  2026-01-12 12:24 ` [pdm-devel] [PATCH datacenter-manager 3/3] ui: set product realm so that the add user dialogs are rendered properly Shannon Sterz
  3 siblings, 0 replies; 5+ messages in thread
From: Shannon Sterz @ 2026-01-12 12:24 UTC
  To: pdm-devel

Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
 ui/src/configuration/subscription_panel.rs | 6 +-----
 ui/src/remotes/firewall/tree.rs            | 6 +-----
 2 files changed, 2 insertions(+), 10 deletions(-)

diff --git a/ui/src/configuration/subscription_panel.rs b/ui/src/configuration/subscription_panel.rs
index 4cbb60e..9e51d47 100644
--- a/ui/src/configuration/subscription_panel.rs
+++ b/ui/src/configuration/subscription_panel.rs
@@ -41,11 +41,7 @@ pub struct ProxmoxSubscriptionPanel {
     checking: bool,
 }
 
-pwt::impl_deref_mut_property!(
-    ProxmoxSubscriptionPanel,
-    state,
-    LoadableComponentState<()>
-);
+pwt::impl_deref_mut_property!(ProxmoxSubscriptionPanel, state, LoadableComponentState<()>);
 
 impl LoadableComponent for ProxmoxSubscriptionPanel {
     type Message = Msg;
diff --git a/ui/src/remotes/firewall/tree.rs b/ui/src/remotes/firewall/tree.rs
index 594df97..41a53f8 100644
--- a/ui/src/remotes/firewall/tree.rs
+++ b/ui/src/remotes/firewall/tree.rs
@@ -163,11 +163,7 @@ pub struct FirewallTreeComponent {
     tree_collapsed: bool,
 }
 
-pwt::impl_deref_mut_property!(
-    FirewallTreeComponent,
-    state,
-    LoadableComponentState<()>
-);
+pwt::impl_deref_mut_property!(FirewallTreeComponent, state, LoadableComponentState<()>);
 
 impl FirewallTreeComponent {
     fn reset_tree_for_loading(&mut self) {
-- 
2.47.3




* [pdm-devel] [PATCH datacenter-manager 3/3] ui: set product realm so that the add user dialogs are rendered properly
  2026-01-12 12:24 [pdm-devel] [PATCH datacenter-manager/yew-comp 0/4] fix adding users manually for openid/ldap/ad realms Shannon Sterz
                   ` (2 preceding siblings ...)
  2026-01-12 12:24 ` [pdm-devel] [PATCH datacenter-manager 2/3] ui: run cargo fmt Shannon Sterz
@ 2026-01-12 12:24 ` Shannon Sterz
  3 siblings, 0 replies; 5+ messages in thread
From: Shannon Sterz @ 2026-01-12 12:24 UTC
  To: pdm-devel

without setting this the add user dialog won't display the fields for
the password and confirming the password anymore

Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
 ui/src/configuration/mod.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ui/src/configuration/mod.rs b/ui/src/configuration/mod.rs
index 18fc396..6ffb64b 100644
--- a/ui/src/configuration/mod.rs
+++ b/ui/src/configuration/mod.rs
@@ -68,7 +68,7 @@ pub fn access_control() -> Html {
                 Container::new()
                     .class("pwt-content-spacer")
                     .class(pwt::css::FlexFit)
-                    .with_child(UserPanel::new())
+                    .with_child(UserPanel::new().product_realm(AttrValue::from("pdm")))
                     // forces a reload when the tab becomes visible again
                     .key(format!(
                         "user-management-{}",
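Review bot: "pdm" is hard-coded here as a string literal, while the server side decides which realm actually stores passwords. If a constant for the product realm name is available to the UI crate, use it so the two cannot drift apart. The setter is declared with IntoPropValue in the yew-comp patch, so passing "pdm" directly should work without the AttrValue::from wrapper.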
-- 
2.47.3


