From: Thomas Skinner <thomas@atskinner.net>
To: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
Cc: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH perl-rs v2 4/5] fix #4234: openid: adjust openid verification function for userinfo option
Date: Tue, 28 Jan 2025 21:35:57 -0600 [thread overview]
Message-ID: <CALn9RMcGHqyxxHwijBzvaSWBqJdCEO3jjDoLghGTS4E2cubigg@mail.gmail.com> (raw)
In-Reply-To: <1737709944.2rc2l2rfel.astroid@yuna.none>
On Fri, Jan 24, 2025 at 3:17 AM Fabian Grünbichler
<f.gruenbichler@proxmox.com> wrote:
>
> On December 16, 2024 5:14 am, Thomas Skinner wrote:
> > Signed-off-by: Thomas Skinner <thomas@atskinner.net>
> > ---
> > pve-rs/src/openid/mod.rs | 9 +++++++--
> > 1 file changed, 7 insertions(+), 2 deletions(-)
> >
> > diff --git a/pve-rs/src/openid/mod.rs b/pve-rs/src/openid/mod.rs
> > index 1fa7572..cd573ee 100644
> > --- a/pve-rs/src/openid/mod.rs
> > +++ b/pve-rs/src/openid/mod.rs
> > @@ -50,13 +50,18 @@ mod export {
> > }
> >
> > #[export(raw_return)]
> > - pub fn verify_authorization_code(
> > + pub fn verify_authorization_code_userinfo(
>
> we could either add a new wrapper like in proxmox-openid, keeping the
> old one around (until PVE 9.0)
>
> > #[try_from_ref] this: &OpenId,
> > code: &str,
> > private_auth_state: PrivateAuthState,
> > + disable_userinfo: bool,
>
> or make this an Option<bool> and not rename the fn so existing callers
> are not broken
Is this a backwards compatible fix? This would seem more preferable to
me and provide a reasonable default. If not, I can definitely keep the
old one around to provide backwards compat.
> > ) -> Result<Value, Error> {
> > let open_id = this.inner.lock().unwrap();
> > - let claims = open_id.verify_authorization_code_simple(code, &private_auth_state)?;
> > + let claims = open_id.verify_authorization_code_simple_userinfo(
>
> if we go the Option route, we could either select which proxmox-openid
> fn to call here, or unwrap the Option to false and just call the new
> one.
Unwrapping to false and calling the new one does make sense to me.
> the reason I'd prefer a backwards-compat implementation here is that
> without it, we need to have the following relations:
>
> pve-access-control: depends on new libpve-rs-perl
> libpve-rs-perl: breaks old pve-access-control
> libpve-rs-perl: dpends on new librust-proxmox-openid-dev
>
> whereas with a backwards-compat implementation in libpve-rs-perl we just
> need:
> pve-access-control depends on new libpve-rs-perl
> libpve-rs-perl: depends on new librust-proxmox-openid-dev
>
> which is much less entangled as all the version constraints go in the
> same direction.
Completely agree with not wanting to break backwards compat. If the
Option method is sufficient for this and we can just call the new
function with the unwrapped value, that works for me.
> > + code,
> > + &private_auth_state,
> > + disable_userinfo,
> > + )?;
> >
> > Ok(to_value(&claims)?)
> > }
> > --
> > 2.39.5
> >
> >
> > _______________________________________________
> > pve-devel mailing list
> > pve-devel@lists.proxmox.com
> > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> >
> >
> >
>
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next prev parent reply other threads:[~2025-01-29 3:36 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-16 4:14 [pve-devel] [PATCH access-control/docs/manager/perl-rs/proxmox-openid v2 0/5] Make OIDC userinfo endpoint optional Thomas Skinner
2024-12-16 4:14 ` [pve-devel] [PATCH access-control v2 1/5] fix #4234: add library functions for openid optional userinfo request Thomas Skinner
2025-01-24 9:17 ` Fabian Grünbichler
2024-12-16 4:14 ` [pve-devel] [PATCH docs v2 2/5] fix #4234: add docs " Thomas Skinner
2024-12-16 4:14 ` [pve-devel] [PATCH manager v2 3/5] fix #4234: add GUI option " Thomas Skinner
2024-12-16 4:14 ` [pve-devel] [PATCH perl-rs v2 4/5] fix #4234: openid: adjust openid verification function for userinfo option Thomas Skinner
2025-01-24 9:17 ` Fabian Grünbichler
2025-01-29 3:35 ` Thomas Skinner [this message]
2025-01-29 12:24 ` Fabian Grünbichler
2024-12-16 4:14 ` [pve-devel] [PATCH proxmox v2 5/5] fix #4234: openid: add library functions for optional userinfo endpoint Thomas Skinner
2025-01-24 9:17 ` Fabian Grünbichler
2025-01-29 3:30 ` Thomas Skinner
2025-01-24 9:18 ` [pve-devel] [PATCH access-control/docs/manager/perl-rs/proxmox-openid v2 0/5] Make OIDC userinfo endpoint optional Fabian Grünbichler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CALn9RMcGHqyxxHwijBzvaSWBqJdCEO3jjDoLghGTS4E2cubigg@mail.gmail.com \
--to=thomas@atskinner.net \
--cc=f.gruenbichler@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.