From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: Markus Frank <m.frank@proxmox.com>, pmg-devel@lists.proxmox.com
Subject: Re: [pmg-devel] [PATCH pmg-api v5 6/10] api: add/update/remove realms like in PVE
Date: Fri, 21 Feb 2025 13:41:23 +0100 (CET) [thread overview]
Message-ID: <2043234582.10132.1740141683339@webmail.proxmox.com> (raw)
In-Reply-To: <20250218161905.17224-7-m.frank@proxmox.com>
> Markus Frank <m.frank@proxmox.com> hat am 18.02.2025 17:19 CET geschrieben:
>
>
> The name Realm.pm was chosen because a Domain.pm already exists.
but the API path is still domains, and the naming inside the code/descriptions/.. is also rather inconsistent. should we settle on one or the other?
>
> Signed-off-by: Markus Frank <m.frank@proxmox.com>
> ---
> src/Makefile | 1 +
> src/PMG/API2/AccessControl.pm | 10 +-
> src/PMG/API2/Realm.pm | 274 ++++++++++++++++++++++++++++++++++
> 3 files changed, 284 insertions(+), 1 deletion(-)
> create mode 100644 src/PMG/API2/Realm.pm
>
> diff --git a/src/Makefile b/src/Makefile
> index 3cae7c7..e939bbd 100644
> --- a/src/Makefile
> +++ b/src/Makefile
> @@ -151,6 +151,7 @@ LIBSOURCES = \
> PMG/API2/Postfix.pm \
> PMG/API2/Quarantine.pm \
> PMG/API2/AccessControl.pm \
> + PMG/API2/Realm.pm \
> PMG/API2/TFA.pm \
> PMG/API2/TFAConfig.pm \
> PMG/API2/ObjectGroupHelpers.pm \
> diff --git a/src/PMG/API2/AccessControl.pm b/src/PMG/API2/AccessControl.pm
> index e26ae70..f4cbc81 100644
> --- a/src/PMG/API2/AccessControl.pm
> +++ b/src/PMG/API2/AccessControl.pm
> @@ -12,6 +12,7 @@ use PVE::JSONSchema qw(get_standard_option);
> use PMG::Utils;
> use PMG::UserConfig;
> use PMG::AccessControl;
> +use PMG::API2::Realm;
> use PMG::API2::Users;
> use PMG::API2::TFA;
> use PMG::TFAConfig;
> @@ -30,6 +31,11 @@ __PACKAGE__->register_method ({
> path => 'tfa',
> });
>
> +__PACKAGE__->register_method ({
> + subclass => "PMG::API2::Realm",
> + path => 'domains',
realm vs domains
> +});
> +
> __PACKAGE__->register_method ({
> name => 'index',
> path => '',
> @@ -57,6 +63,7 @@ __PACKAGE__->register_method ({
>
> my $res = [
> { subdir => 'ticket' },
> + { subdir => 'domains' },
> { subdir => 'password' },
> { subdir => 'users' },
> ];
> @@ -248,7 +255,8 @@ __PACKAGE__->register_method ({
>
> my $username = $param->{username};
>
> - if ($username !~ m/\@(pam|pmg|quarantine)$/) {
> + my $realm_regex = PMG::Utils::valid_pmg_realm_regex();
> + if ($username !~ m/\@(${realm_regex})$/) {
> my $realm = $param->{realm} // 'quarantine';
> $username .= "\@$realm";
> }
> diff --git a/src/PMG/API2/Realm.pm b/src/PMG/API2/Realm.pm
> new file mode 100644
> index 0000000..da2072a
> --- /dev/null
> +++ b/src/PMG/API2/Realm.pm
> @@ -0,0 +1,274 @@
> +package PMG::API2::Realm;
> +
> +use strict;
> +use warnings;
> +
> +use PVE::Exception qw(raise_param_exc);
> +use PVE::INotify;
> +use PVE::JSONSchema qw(get_standard_option);
> +use PVE::RESTHandler;
> +use PVE::SafeSyslog;
> +use PVE::Tools qw(extract_param);
> +
> +use PMG::AccessControl;
> +use PMG::Auth::Plugin;
> +use PVE::Schema::Auth;
> +
> +my $domainconfigfile = "realms.cfg";
> +
> +use base qw(PVE::RESTHandler);
> +
> +__PACKAGE__->register_method ({
> + name => 'index',
> + path => '',
> + method => 'GET',
> + description => "Authentication domain index.",
and here it is still an authentication domain ;)
> + permissions => {
> + description => "Anyone can access that, because we need that list for the login box (before the user is authenticated).",
> + user => 'world',
> + },
> + parameters => {
> + additionalProperties => 0,
> + properties => {},
> + },
> + returns => {
> + type => 'array',
> + items => {
> + type => "object",
> + properties => {
> + realm => { type => 'string' },
even though it returns realms
> + type => { type => 'string' },
> + tfa => {
> + description => "Two-factor authentication provider.",
> + type => 'string',
> + enum => [ 'yubico', 'oath' ],
> + optional => 1,
> + },
> + comment => {
> + description => "A comment. The GUI use this text when you select a domain (Realm) on the login window.",
> + type => 'string',
> + optional => 1,
> + },
> + },
> + },
> + links => [ { rel => 'child', href => "{realm}" } ],
> + },
> + code => sub {
> + my ($param) = @_;
> +
> + my $res = [];
> +
> + my $cfg = PVE::INotify::read_file($domainconfigfile);
> + my $ids = $cfg->{ids};
> +
> + for my $realm (keys %$ids) {
> + my $d = $ids->{$realm};
> + my $entry = { realm => $realm, type => $d->{type} };
> + $entry->{comment} = $d->{comment} if $d->{comment};
> + $entry->{default} = 1 if $d->{default};
> + if ($d->{tfa} && (my $tfa_cfg = PVE::Schema::Auth::parse_tfa_config($d->{tfa}))) {
> + $entry->{tfa} = $tfa_cfg->{type};
> + }
> + push @$res, $entry;
> + }
> +
> + return $res;
> + }});
> +
> +__PACKAGE__->register_method ({
> + name => 'create',
> + protected => 1,
> + path => '',
> + method => 'POST',
> + permissions => { check => [ 'admin' ] },
> + description => "Add an authentication server.",
> + parameters => PMG::Auth::Plugin->createSchema(0),
> + returns => { type => 'null' },
> + code => sub {
> + my ($param) = @_;
> +
> + # always extract, add it with hook
> + my $password = extract_param($param, 'password');
> +
> + PMG::Auth::Plugin::lock_domain_config(
> + sub {
> + my $cfg = PVE::INotify::read_file($domainconfigfile);
> + my $ids = $cfg->{ids};
> +
> + my $realm = extract_param($param, 'realm');
> + PMG::Auth::Plugin::pmg_verify_realm($realm);
> + my $type = $param->{type};
> + my $check_connection = extract_param($param, 'check-connection');
> +
> + die "domain '$realm' already exists\n"
> + if $ids->{$realm};
> +
> + die "unable to use reserved name '$realm'\n"
> + if ($realm eq 'pam' || $realm eq 'pmg');
> +
> + die "unable to create builtin type '$type'\n"
> + if ($type eq 'pam' || $type eq 'pmg');
> +
> + my $plugin = PMG::Auth::Plugin->lookup($type);
> + my $config = $plugin->check_config($realm, $param, 1, 1);
> +
> + if ($config->{default}) {
> + for my $r (keys %$ids) {
> + delete $ids->{$r}->{default};
> + }
> + }
> +
> + $ids->{$realm} = $config;
> +
> + my $opts = $plugin->options();
> + if (defined($password) && !defined($opts->{password})) {
> + $password = undef;
> + warn "ignoring password parameter";
> + }
> + $plugin->on_add_hook($realm, $config, password => $password);
> +
> + PVE::INotify::write_file($domainconfigfile, $cfg);
> + },
> + "add auth server failed",
> + );
> + return undef;
> + }});
> +
> +__PACKAGE__->register_method ({
> + name => 'update',
> + path => '{realm}',
> + method => 'PUT',
> + permissions => { check => [ 'admin' ] },
> + description => "Update authentication server settings.",
> + protected => 1,
> + parameters => PMG::Auth::Plugin->updateSchema(0),
> + returns => { type => 'null' },
> + code => sub {
> + my ($param) = @_;
> +
> + # always extract, update in hook
> + my $password = extract_param($param, 'password');
> +
> + PMG::Auth::Plugin::lock_domain_config(
> + sub {
> + my $cfg = PVE::INotify::read_file($domainconfigfile);
> + my $ids = $cfg->{ids};
> +
> + my $digest = extract_param($param, 'digest');
> + PVE::SectionConfig::assert_if_modified($cfg, $digest);
> +
> + my $realm = extract_param($param, 'realm');
> + my $type = $ids->{$realm}->{type};
> + my $check_connection = extract_param($param, 'check-connection');
> +
> + die "domain '$realm' does not exist\n"
> + if !$ids->{$realm};
> +
> + my $delete_str = extract_param($param, 'delete');
> + die "no options specified\n"
> + if !$delete_str && !scalar(keys %$param) && !defined($password);
> +
> + my $delete_pw = 0;
> + for my $opt (PVE::Tools::split_list($delete_str)) {
> + delete $ids->{$realm}->{$opt};
> + $delete_pw = 1 if $opt eq 'password';
> + }
> +
> + my $plugin = PMG::Auth::Plugin->lookup($type);
> + my $config = $plugin->check_config($realm, $param, 0, 1);
> +
> + if ($config->{default}) {
> + for my $r (keys %$ids) {
> + delete $ids->{$r}->{default};
> + }
> + }
> +
> + for my $p (keys %$config) {
> + $ids->{$realm}->{$p} = $config->{$p};
> + }
> +
> + my $opts = $plugin->options();
> + if ($delete_pw || defined($password)) {
> + $plugin->on_update_hook($realm, $config, password => $password);
> + } else {
> + $plugin->on_update_hook($realm, $config);
> + }
> +
> + PVE::INotify::write_file($domainconfigfile, $cfg);
> + },
> + "update auth server failed"
> + );
> + return undef;
> + }});
> +
> +# fixme: return format!
> +__PACKAGE__->register_method ({
> + name => 'read',
> + path => '{realm}',
> + method => 'GET',
> + description => "Get auth server configuration.",
> + permissions => { check => [ 'admin', 'qmanager', 'audit' ] },
> + parameters => {
> + additionalProperties => 0,
> + properties => {
> + realm => get_standard_option('realm'),
> + },
> + },
> + returns => {},
> + code => sub {
> + my ($param) = @_;
> +
> + my $cfg = PVE::INotify::read_file($domainconfigfile);
> +
> + my $realm = $param->{realm};
> +
> + my $data = $cfg->{ids}->{$realm};
> + die "domain '$realm' does not exist\n" if !$data;
> +
> + my $type = $data->{type};
> +
> + $data->{digest} = $cfg->{digest};
> +
> + return $data;
> + }});
> +
> +
> +__PACKAGE__->register_method ({
> + name => 'delete',
> + path => '{realm}',
> + method => 'DELETE',
> + permissions => { check => [ 'admin' ] },
> + description => "Delete an authentication server.",
> + protected => 1,
> + parameters => {
> + additionalProperties => 0,
> + properties => {
> + realm => get_standard_option('realm'),
> + }
> + },
> + returns => { type => 'null' },
> + code => sub {
> + my ($param) = @_;
> +
> + PMG::Auth::Plugin::lock_domain_config(
> + sub {
> + my $cfg = PVE::INotify::read_file($domainconfigfile);
> + my $ids = $cfg->{ids};
> + my $realm = $param->{realm};
> +
> + die "authentication domain '$realm' does not exist\n" if !$ids->{$realm};
> +
> + my $plugin = PMG::Auth::Plugin->lookup($ids->{$realm}->{type});
> +
> + $plugin->on_delete_hook($realm, $ids->{$realm});
> +
> + delete $ids->{$realm};
> +
> + PVE::INotify::write_file($domainconfigfile, $cfg);
> + },
> + "delete auth server failed",
> + );
> + return undef;
> + }});
> +
> +1;
> --
> 2.39.5
>
>
>
> _______________________________________________
> pmg-devel mailing list
> pmg-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
next prev parent reply other threads:[~2025-02-21 12:41 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-02-18 16:18 [pmg-devel] [PATCH pve-common/perl-rs/pmg-api/widget-toolkit/pmg-gui v5 0/10] fix #3892: OpenID Connect Markus Frank
2025-02-18 16:18 ` [pmg-devel] [PATCH pve-common v5 1/10] add Schema package with auth module that contains realm sync options Markus Frank
2025-02-19 18:18 ` Stoiko Ivanov
2025-02-21 12:22 ` Fabian Grünbichler
2025-02-18 16:18 ` [pmg-devel] [PATCH proxmox-perl-rs v5 2/10] move openid code from pve-rs to common Markus Frank
2025-02-21 12:25 ` Fabian Grünbichler
2025-02-18 16:18 ` [pmg-devel] [PATCH proxmox-perl-rs v5 3/10] remove empty PMG::RS::OpenId package to avoid confusion Markus Frank
2025-02-18 16:18 ` [pmg-devel] [PATCH pmg-api v5 4/10] config: add plugin system for realms Markus Frank
2025-02-21 12:35 ` Fabian Grünbichler
2025-02-18 16:19 ` [pmg-devel] [PATCH pmg-api v5 5/10] config: add oidc type realm Markus Frank
2025-02-21 12:38 ` Fabian Grünbichler
2025-02-18 16:19 ` [pmg-devel] [PATCH pmg-api v5 6/10] api: add/update/remove realms like in PVE Markus Frank
2025-02-21 12:41 ` Fabian Grünbichler [this message]
2025-02-21 13:44 ` Markus Frank
2025-02-21 13:52 ` Fabian Grünbichler
2025-02-21 14:38 ` Stoiko Ivanov
2025-02-21 16:45 ` Thomas Lamprecht
2025-02-18 16:19 ` [pmg-devel] [PATCH pmg-api v5 7/10] api: oidc login similar to PVE Markus Frank
2025-02-19 18:31 ` Stoiko Ivanov
2025-02-21 12:44 ` Fabian Grünbichler
2025-02-18 16:19 ` [pmg-devel] [PATCH widget-toolkit v5 8/10] fix: window: AuthEditBase: rename variable 'realm' to 'type' Markus Frank
2025-02-21 12:45 ` Fabian Grünbichler
2025-02-18 16:19 ` [pmg-devel] [PATCH pmg-gui v5 09/10] login: add option to login with OIDC realm Markus Frank
2025-02-18 16:19 ` [pmg-devel] [PATCH pmg-gui v5 10/10] add panel for realms to User Management Markus Frank
2025-02-21 9:22 ` Christoph Heiss
2025-02-21 12:45 ` Fabian Grünbichler
2025-02-19 18:39 ` [pmg-devel] [PATCH pve-common/perl-rs/pmg-api/widget-toolkit/pmg-gui v5 0/10] fix #3892: OpenID Connect Stoiko Ivanov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2043234582.10132.1740141683339@webmail.proxmox.com \
--to=f.gruenbichler@proxmox.com \
--cc=m.frank@proxmox.com \
--cc=pmg-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.