* [pbs-devel] [PATCH proxmox-backup/pwt v4 00/16] fix #5379: introduce default auth realm option
@ 2024-08-23 11:07 Christoph Heiss
  2024-08-23 11:07 ` [pbs-devel] [PATCH widget-toolkit v4 1/7] window: AuthEditBase: include more information in thrown errors Christoph Heiss
                   ` (17 more replies)
  0 siblings, 18 replies; 19+ messages in thread
From: Christoph Heiss @ 2024-08-23 11:07 UTC (permalink / raw)
  To: pbs-devel

Fixes #5379 [0].

First, it adds an updatable `default` field to all existing editable
realms. Then it converts the PAM and PBS built-in realms to proper
realms, instead of being hard-coded in-between somewhere.
In turn, this enables editing of these realms, allowing setting whether
these realms should be the default for login or not.

For proxmox-widget-toolkit, the first three patches could in principle
be applied on their own. The others depend on the API changes as
introduced in the proxmox-backup part.

W.r.t. the inconsistency as discovered/discussed in [1], the (current)
behaviour is not changed in this series. Since both PVE and PBS use the
same realm login dialog from proxmox-widget-toolkit, I'd rather fix it
separately -- to avoid blocking this series on a completely separate
issue, which might still need some discussing.

W.r.t. applying, proxmox-backup will need a bump of
proxmox-widget-toolkit afterwards.

[0] https://bugzilla.proxmox.com/show_bug.cgi?id=5379
[1] https://lists.proxmox.com/pipermail/pbs-devel/2024-August/010429.html

History
=======

v3: https://lists.proxmox.com/pipermail/pbs-devel/2024-August/010605.html
v2: https://lists.proxmox.com/pipermail/pbs-devel/2024-August/010521.html
v1: https://lists.proxmox.com/pipermail/pbs-devel/2024-July/010250.html

Changes v3 -> v4:
  * added proper PAM/PBS realm documentation
  * reworked SimpleRealmInputPanel properties (thanks Gabriel & Hannes!)

Changes v2 -> v3:
  * rebased on latest master
  * fixed unsetting the `default` property by making it deletable
  * unset previous default realm when creating a new realm with 
    `default` set

Changes v1 -> v2:
  * rebased on latest master
  * trivial fixes as suggested by Lukas
  * add documentation to unset_default_realm()

Diffstat
========

proxmox-widget-toolkit:

Christoph Heiss (7):
  window: AuthEditBase: include more information in thrown errors
  panel: AuthView: make `useTypeInUrl` property per-realm
  panel: AuthView: use help link from schema if set
  window: add panel for editing simple, built-in realms
  schema: make PAM realm editable using new AuthSimple panel
  fix #5379: panel: AuthView: add column displaying whether the realm is
    default
  fix #5379: window: AuthEdit{LDAP,OpenId}: add 'Default realm' checkbox

 src/Makefile                 |  1 +
 src/Schema.js                |  8 +++++++-
 src/panel/AuthView.js        | 16 ++++++++++++---
 src/window/AuthEditBase.js   |  8 ++++----
 src/window/AuthEditLDAP.js   | 14 ++++++++++++-
 src/window/AuthEditOpenId.js | 13 ++++++++++++
 src/window/AuthEditSimple.js | 40 ++++++++++++++++++++++++++++++++++++
 7 files changed, 91 insertions(+), 9 deletions(-)
 create mode 100644 src/window/AuthEditSimple.js

proxmox-backup:

Christoph Heiss (9):
  fix #5379: api-types: add `default` field to all realm types
  fix #5379: api2: access: set default realm accordingly on individual
    update
  api-types: introduce proper types for PAM and PBS realms
  config: use new dedicated PAM and PBS realm types
  api2: access: add update support for built-in PAM realm
  api2: access: add update support for built-in PBS realm
  www: AccessControl: make `useTypeInUrl` property per-realm
  www: utils: make built-in pbs realm editable using new AuthSimplePanel
  docs: user-management: document `pam` and `pbs` authentication realm

 docs/user-management.rst         |  30 ++++++-
 pbs-api-types/src/ad.rs          |   7 ++
 pbs-api-types/src/ldap.rs        |   7 ++
 pbs-api-types/src/lib.rs         |  97 ++++++++++++++++++++++-
 pbs-api-types/src/openid.rs      |   7 ++
 pbs-config/src/domains.rs        |  36 ++++++++-
 src/api2/access/domain.rs        |  13 ----
 src/api2/config/access/ad.rs     |  16 ++++
 src/api2/config/access/ldap.rs   |  16 ++++
 src/api2/config/access/mod.rs    |   4 +
 src/api2/config/access/openid.rs |  16 ++++
 src/api2/config/access/pam.rs    | 130 +++++++++++++++++++++++++++++++
 src/api2/config/access/pbs.rs    | 130 +++++++++++++++++++++++++++++++
 src/bin/proxmox-backup-api.rs    |   1 +
 src/config/mod.rs                |  25 ++++++
 www/OnlineHelpInfo.js            |   8 ++
 www/Utils.js                     |   5 +-
 www/panel/AccessControl.js       |   1 -
 18 files changed, 529 insertions(+), 20 deletions(-)
 create mode 100644 src/api2/config/access/pam.rs
 create mode 100644 src/api2/config/access/pbs.rs

-- 
2.45.1



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel



* [pbs-devel] [PATCH widget-toolkit v4 1/7] window: AuthEditBase: include more information in thrown errors
  2024-08-23 11:07 [pbs-devel] [PATCH proxmox-backup/pwt v4 00/16] fix #5379: introduce default auth realm option Christoph Heiss
@ 2024-08-23 11:07 ` Christoph Heiss
  2024-08-23 11:07 ` [pbs-devel] [PATCH widget-toolkit v4 2/7] panel: AuthView: make `useTypeInUrl` property per-realm Christoph Heiss
                   ` (16 subsequent siblings)
  17 siblings, 0 replies; 19+ messages in thread
From: Christoph Heiss @ 2024-08-23 11:07 UTC (permalink / raw)
  To: pbs-devel

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v3 -> v4:
  * no changes

Changes v2 -> v3:
  * no changes

Changes v1 -> v2:
  * no changes

 src/window/AuthEditBase.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/window/AuthEditBase.js b/src/window/AuthEditBase.js
index 0f272e6..be547f9 100644
--- a/src/window/AuthEditBase.js
+++ b/src/window/AuthEditBase.js
@@ -29,9 +29,9 @@ Ext.define('Proxmox.window.AuthEditBase', {
 
 	let authConfig = Proxmox.Schema.authDomains[me.authType];
 	if (!authConfig) {
-	    throw 'unknown auth type';
+	    throw `unknown auth type ${me.authType}`;
 	} else if (!authConfig.add && me.isCreate) {
-	    throw 'trying to add non addable realm';
+	    throw `trying to add non addable realm of type ${me.authType}`;
 	}
 
 	me.subject = authConfig.name;
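
Review bot: Both `throw` statements in this hunk still throw bare strings, so whoever catches them gets no stack trace and `instanceof Error` checks fail. Since the lines are being touched anyway, consider wrapping the new template literals in `new Error(...)`.
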
@@ -86,9 +86,9 @@ Ext.define('Proxmox.window.AuthEditBase', {
 		    var data = response.result.data || {};
 		    // just to be sure (should not happen)
 		    // only check this when the type is not in the api path
-		    if (!me.useTypeInUrl && data.type !== me.authType) {
+		    if (!me.useTypeInUrl && data.realm !== me.authType) {
 			me.close();
-			throw "got wrong auth type";
+			throw `got wrong auth type '${me.authType}' for realm '${data.realm}'`;
 		    }
 		    me.setValues(data);
 		},
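
Review bot: The condition on the `if (!me.useTypeInUrl && ...)` line now compares `data.realm` against `me.authType` instead of `data.type`, which is a behaviour change that the subject ("include more information in thrown errors") does not mention. Realm name and type coincide for the built-in `pam` realm, but not in general, so any realm loaded without the type in the URL whose name differs from its type would now close the window and throw. If that is intended, please explain it in the commit message or split it into its own patch. The new message also reads `got wrong auth type '${me.authType}'`, although `me.authType` is the expected type and not the value received; wording along the lines of "expected auth type X, got realm Y" would be less misleading.
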
-- 
2.45.2




* [pbs-devel] [PATCH widget-toolkit v4 2/7] panel: AuthView: make `useTypeInUrl` property per-realm
  2024-08-23 11:07 [pbs-devel] [PATCH proxmox-backup/pwt v4 00/16] fix #5379: introduce default auth realm option Christoph Heiss
  2024-08-23 11:07 ` [pbs-devel] [PATCH widget-toolkit v4 1/7] window: AuthEditBase: include more information in thrown errors Christoph Heiss
@ 2024-08-23 11:07 ` Christoph Heiss
  2024-08-23 11:07 ` [pbs-devel] [PATCH widget-toolkit v4 3/7] panel: AuthView: use help link from schema if set Christoph Heiss
                   ` (15 subsequent siblings)
  17 siblings, 0 replies; 19+ messages in thread
From: Christoph Heiss @ 2024-08-23 11:07 UTC (permalink / raw)
  To: pbs-devel

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v3 -> v4:
  * use destructuring syntax for extracting `useTypeInUrl`

Changes v2 -> v3:
  * no changes

Changes v1 -> v2:
  * no changes

 src/Schema.js         | 4 ++++
 src/panel/AuthView.js | 7 ++++---
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/Schema.js b/src/Schema.js
index 42541e0..6921986 100644
--- a/src/Schema.js
+++ b/src/Schema.js
@@ -8,6 +8,7 @@ Ext.define('Proxmox.Schema', { // a singleton
 	    edit: false,
 	    pwchange: true,
 	    sync: false,
+	    useTypeInUrl: false,
 	},
 	openid: {
 	    name: gettext('OpenID Connect Server'),
@@ -18,6 +19,7 @@ Ext.define('Proxmox.Schema', { // a singleton
 	    pwchange: false,
 	    sync: false,
 	    iconCls: 'pmx-itype-icon-openid-logo',
+	    useTypeInUrl: true,
 	},
 	ldap: {
 	    name: gettext('LDAP Server'),
@@ -28,6 +30,7 @@ Ext.define('Proxmox.Schema', { // a singleton
 	    tfa: true,
 	    pwchange: false,
 	    sync: true,
+	    useTypeInUrl: true,
 	},
 	ad: {
 	    name: gettext('Active Directory Server'),
@@ -38,6 +41,7 @@ Ext.define('Proxmox.Schema', { // a singleton
 	    tfa: true,
 	    pwchange: false,
 	    sync: true,
+	    useTypeInUrl: true,
 	},
     },
     // to add or change existing for product specific ones
diff --git a/src/panel/AuthView.js b/src/panel/AuthView.js
index 52b6cac..cdea14b 100644
--- a/src/panel/AuthView.js
+++ b/src/panel/AuthView.js
@@ -11,7 +11,6 @@ Ext.define('Proxmox.panel.AuthView', {
     },
 
     baseUrl: '/access/domains',
-    useTypeInUrl: false,
 
     columns: [
 	{
@@ -45,9 +44,11 @@ Ext.define('Proxmox.panel.AuthView', {
 
     openEditWindow: function(authType, realm) {
 	let me = this;
+	const { useTypeInUrl } = Proxmox.Schema.authDomains[authType];
+
 	Ext.create('Proxmox.window.AuthEditBase', {
 	    baseUrl: me.baseUrl,
-	    useTypeInUrl: me.useTypeInUrl,
+	    useTypeInUrl,
 	    authType,
 	    realm,
 	    listeners: {
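
Review bot: The added `const { useTypeInUrl } = Proxmox.Schema.authDomains[authType];` line throws a TypeError when `authType` has no schema entry, before `AuthEditBase` gets the chance to report its own "unknown auth type" error. Guard the lookup, for example with `Proxmox.Schema.authDomains[authType] ?? {}`, so that the clearer error from the edit window is the one that surfaces.
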
@@ -123,7 +124,7 @@ Ext.define('Proxmox.panel.AuthView', {
 		xtype: 'proxmoxStdRemoveButton',
 		getUrl: (rec) => {
 		    let url = me.baseUrl;
-		    if (me.useTypeInUrl) {
+		    if (Proxmox.Schema.authDomains[rec.data.type].useTypeInUrl) {
 			url += `/${rec.get('type')}`;
 		    }
 		    url += `/${rec.getId()}`;
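
Review bot: In `getUrl`, the new condition reads the type through `rec.data.type` while the very next line uses `rec.get('type')`; please pick one accessor. With the panel-level `useTypeInUrl: false` default removed earlier in this file, a schema entry that lacks the key (the `Schema.js` context mentions product-specific additions) now silently evaluates to `undefined` and drops the type from the removal URL. Either document `useTypeInUrl` as required for every `authDomains` entry or apply an explicit default here.
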
-- 
2.45.2




* [pbs-devel] [PATCH widget-toolkit v4 3/7] panel: AuthView: use help link from schema if set
  2024-08-23 11:07 [pbs-devel] [PATCH proxmox-backup/pwt v4 00/16] fix #5379: introduce default auth realm option Christoph Heiss
  2024-08-23 11:07 ` [pbs-devel] [PATCH widget-toolkit v4 1/7] window: AuthEditBase: include more information in thrown errors Christoph Heiss
  2024-08-23 11:07 ` [pbs-devel] [PATCH widget-toolkit v4 2/7] panel: AuthView: make `useTypeInUrl` property per-realm Christoph Heiss
@ 2024-08-23 11:07 ` Christoph Heiss
  2024-08-23 11:07 ` [pbs-devel] [PATCH widget-toolkit v4 4/7] window: add panel for editing simple, built-in realms Christoph Heiss
                   ` (14 subsequent siblings)
  17 siblings, 0 replies; 19+ messages in thread
From: Christoph Heiss @ 2024-08-23 11:07 UTC (permalink / raw)
  To: pbs-devel

This can be used to set the `onlineHelp` identifier in the schema as
opposed to in the panel directly. Needed e.g. to share a panel between
PAM and PBS realm.

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v3 -> v4:
  * new patch

 src/panel/AuthView.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/panel/AuthView.js b/src/panel/AuthView.js
index cdea14b..8ebd436 100644
--- a/src/panel/AuthView.js
+++ b/src/panel/AuthView.js
@@ -44,11 +44,12 @@ Ext.define('Proxmox.panel.AuthView', {
 
     openEditWindow: function(authType, realm) {
 	let me = this;
-	const { useTypeInUrl } = Proxmox.Schema.authDomains[authType];
+	const { useTypeInUrl, onlineHelp } = Proxmox.Schema.authDomains[authType];
 
 	Ext.create('Proxmox.window.AuthEditBase', {
 	    baseUrl: me.baseUrl,
 	    useTypeInUrl,
+	    onlineHelp,
 	    authType,
 	    realm,
 	    listeners: {
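
Review bot: The subject says the help link is used "if set", but `onlineHelp` is passed to `Ext.create` unconditionally, so for every type without an `onlineHelp` schema key the window receives `onlineHelp: undefined`. If the edit window or its input panel defines its own `onlineHelp`, please check that the explicit `undefined` does not mask it; adding the key to the config only when the schema provides it avoids the question.
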
-- 
2.45.2




* [pbs-devel] [PATCH widget-toolkit v4 4/7] window: add panel for editing simple, built-in realms
  2024-08-23 11:07 [pbs-devel] [PATCH proxmox-backup/pwt v4 00/16] fix #5379: introduce default auth realm option Christoph Heiss
                   ` (2 preceding siblings ...)
  2024-08-23 11:07 ` [pbs-devel] [PATCH widget-toolkit v4 3/7] panel: AuthView: use help link from schema if set Christoph Heiss
@ 2024-08-23 11:07 ` Christoph Heiss
  2024-08-23 11:07 ` [pbs-devel] [PATCH widget-toolkit v4 5/7] schema: make PAM realm editable using new AuthSimple panel Christoph Heiss
                   ` (13 subsequent siblings)
  17 siblings, 0 replies; 19+ messages in thread
From: Christoph Heiss @ 2024-08-23 11:07 UTC (permalink / raw)
  To: pbs-devel

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v3 -> v4:
  * drop useless `type` assignment in panel
  * drop useless `allowBlank` from name field
  * add `deleteEmpty` to `default` field
  * add `allowBlank` and `deleteEmpty` to comment field to allow
    removing the comment altogether

Changes v2 -> v3:
  * no changes

Changes v1 -> v2:
  * no changes

 src/Makefile                 |  1 +
 src/window/AuthEditSimple.js | 40 ++++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+)
 create mode 100644 src/window/AuthEditSimple.js

diff --git a/src/Makefile b/src/Makefile
index 0478251..20ba77b 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -97,6 +97,7 @@ JSSRC=					\
 	window/AuthEditOpenId.js	\
 	window/AuthEditLDAP.js		\
 	window/AuthEditAD.js		\
+	window/AuthEditSimple.js        \
 	window/TfaWindow.js		\
 	window/AddTfaRecovery.js	\
 	window/AddTotp.js		\
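
Review bot: The added `window/AuthEditSimple.js` line pads the continuation backslash with spaces, whereas the neighbouring `JSSRC` entries use tabs. Please align it with tabs to match the rest of the list.
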
diff --git a/src/window/AuthEditSimple.js b/src/window/AuthEditSimple.js
new file mode 100644
index 0000000..001ac91
--- /dev/null
+++ b/src/window/AuthEditSimple.js
@@ -0,0 +1,40 @@
+Ext.define('Proxmox.panel.SimpleRealmInputPanel', {
+    extend: 'Proxmox.panel.InputPanel',
+    xtype: 'pmxAuthSimplePanel',
+    mixins: ['Proxmox.Mixin.CBind'],
+
+    column1: [
+	{
+	    xtype: 'pmxDisplayEditField',
+	    name: 'realm',
+	    cbind: {
+		value: '{realm}',
+	    },
+	    fieldLabel: gettext('Realm'),
+	},
+	{
+	    xtype: 'proxmoxcheckbox',
+	    fieldLabel: gettext('Default realm'),
+	    name: 'default',
+	    value: 0,
+	    deleteEmpty: true,
+	    autoEl: {
+		tag: 'div',
+		'data-qtip': gettext('Set realm as default for login'),
+	    },
+	},
+    ],
+
+    column2: [],
+
+    columnB: [
+	{
+	    xtype: 'proxmoxtextfield',
+	    name: 'comment',
+	    fieldLabel: gettext('Comment'),
+	    allowBlank: true,
+	    deleteEmpty: true,
+	},
+    ],
+});
+
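
Review bot: The new file ends with an empty `+` line after the closing `});`, which leaves a trailing blank line at end of file; please drop it. The empty `column2: []` could also go unless the input panel requires it. A short comment at the top stating that this panel is meant for built-in realms that only expose `default` and `comment` would help as well, since the file name (`AuthEditSimple.js`), the class (`SimpleRealmInputPanel`) and the xtype (`pmxAuthSimplePanel`) all use different names.
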
-- 
2.45.2




* [pbs-devel] [PATCH widget-toolkit v4 5/7] schema: make PAM realm editable using new AuthSimple panel
  2024-08-23 11:07 [pbs-devel] [PATCH proxmox-backup/pwt v4 00/16] fix #5379: introduce default auth realm option Christoph Heiss
                   ` (3 preceding siblings ...)
  2024-08-23 11:07 ` [pbs-devel] [PATCH widget-toolkit v4 4/7] window: add panel for editing simple, built-in realms Christoph Heiss
@ 2024-08-23 11:07 ` Christoph Heiss
  2024-08-23 11:07 ` [pbs-devel] [PATCH widget-toolkit v4 6/7] fix #5379: panel: AuthView: add column displaying whether the realm is default Christoph Heiss
                   ` (12 subsequent siblings)
  17 siblings, 0 replies; 19+ messages in thread
From: Christoph Heiss @ 2024-08-23 11:07 UTC (permalink / raw)
  To: pbs-devel

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v3 -> v4:
  * add `onlineHelp` identifier

Changes v2 -> v3:
  * no changes

Changes v1 -> v2:
  * no changes

 src/Schema.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/Schema.js b/src/Schema.js
index 6921986..2b1c860 100644
--- a/src/Schema.js
+++ b/src/Schema.js
@@ -4,8 +4,10 @@ Ext.define('Proxmox.Schema', { // a singleton
     authDomains: {
 	pam: {
 	    name: 'Linux PAM',
+	    ipanel: 'pmxAuthSimplePanel',
+	    onlineHelp: 'user-realms-pam',
 	    add: false,
-	    edit: false,
+	    edit: true,
 	    pwchange: true,
 	    sync: false,
 	    useTypeInUrl: false,
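
Review bot: Flipping `edit: false` to `edit: true` for `pam` in the shared schema enables the edit action in every product that consumes this file, and the cover letter notes that PVE uses the same toolkit. Please confirm that each consumer either provides a PAM update endpoint and a `user-realms-pam` help anchor or overrides these keys, and record that in the commit message, which currently has no body.
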
-- 
2.45.2




* [pbs-devel] [PATCH widget-toolkit v4 6/7] fix #5379: panel: AuthView: add column displaying whether the realm is default
  2024-08-23 11:07 [pbs-devel] [PATCH proxmox-backup/pwt v4 00/16] fix #5379: introduce default auth realm option Christoph Heiss
                   ` (4 preceding siblings ...)
  2024-08-23 11:07 ` [pbs-devel] [PATCH widget-toolkit v4 5/7] schema: make PAM realm editable using new AuthSimple panel Christoph Heiss
@ 2024-08-23 11:07 ` Christoph Heiss
  2024-08-23 11:07 ` [pbs-devel] [PATCH widget-toolkit v4 7/7] fix #5379: window: AuthEdit{LDAP, OpenId}: add 'Default realm' checkbox Christoph Heiss
                   ` (11 subsequent siblings)
  17 siblings, 0 replies; 19+ messages in thread
From: Christoph Heiss @ 2024-08-23 11:07 UTC (permalink / raw)
  To: pbs-devel

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v3 -> v4:
  * no changes

Changes v2 -> v3:
  * no changes

Changes v1 -> v2:
  * checkmark is now centered in the column

 src/panel/AuthView.js | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/panel/AuthView.js b/src/panel/AuthView.js
index 8ebd436..c297544 100644
--- a/src/panel/AuthView.js
+++ b/src/panel/AuthView.js
@@ -25,6 +25,14 @@ Ext.define('Proxmox.panel.AuthView', {
 	    sortable: true,
 	    dataIndex: 'type',
 	},
+	{
+	    header: gettext('Default'),
+	    width: 80,
+	    sortable: true,
+	    dataIndex: 'default',
+	    renderer: isDefault => isDefault ? Proxmox.Utils.renderEnabledIcon(true) : '',
+	    align: 'center',
+	},
 	{
 	    header: gettext('Comment'),
 	    sortable: false,
-- 
2.45.2




* [pbs-devel] [PATCH widget-toolkit v4 7/7] fix #5379: window: AuthEdit{LDAP, OpenId}: add 'Default realm' checkbox
  2024-08-23 11:07 [pbs-devel] [PATCH proxmox-backup/pwt v4 00/16] fix #5379: introduce default auth realm option Christoph Heiss
                   ` (5 preceding siblings ...)
  2024-08-23 11:07 ` [pbs-devel] [PATCH widget-toolkit v4 6/7] fix #5379: panel: AuthView: add column displaying whether the realm is default Christoph Heiss
@ 2024-08-23 11:07 ` Christoph Heiss
  2024-08-23 11:07 ` [pbs-devel] [PATCH proxmox-backup v4 08/16] fix #5379: api-types: add `default` field to all realm types Christoph Heiss
                   ` (10 subsequent siblings)
  17 siblings, 0 replies; 19+ messages in thread
From: Christoph Heiss @ 2024-08-23 11:07 UTC (permalink / raw)
  To: pbs-devel

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v3 -> v4:
  * no changes

Changes v2 -> v3:
  * no changes

Changes v1 -> v2:
  * no changes

 src/window/AuthEditLDAP.js   | 14 +++++++++++++-
 src/window/AuthEditOpenId.js | 13 +++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/src/window/AuthEditLDAP.js b/src/window/AuthEditLDAP.js
index 388fc02..4cd1020 100644
--- a/src/window/AuthEditLDAP.js
+++ b/src/window/AuthEditLDAP.js
@@ -82,6 +82,19 @@ Ext.define('Proxmox.panel.LDAPInputPanel', {
 	    fieldLabel: gettext('Realm'),
 	    allowBlank: false,
 	},
+	{
+	    xtype: 'proxmoxcheckbox',
+	    fieldLabel: gettext('Default realm'),
+	    name: 'default',
+	    value: 0,
+	    cbind: {
+		deleteEmpty: '{!isCreate}',
+	    },
+	    autoEl: {
+		tag: 'div',
+		'data-qtip': gettext('Set realm as default for login'),
+	    },
+	},
 	{
 	    xtype: 'proxmoxtextfield',
 	    fieldLabel: gettext('Base Domain Name'),
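
Review bot: The checkbox is added to `LDAPInputPanel` here and to `OpenIDInputPanel` further down, but `window/AuthEditAD.js` is not touched, although the backend part of the series gives `AdRealmConfig` a `default` field too. If the AD panel inherits these fields from the LDAP panel, please say so in the commit message; otherwise AD realms cannot be marked as default from the GUI.
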
@@ -216,7 +229,6 @@ Ext.define('Proxmox.panel.LDAPInputPanel', {
 	    },
 	},
     ],
-
 });
 
 
diff --git a/src/window/AuthEditOpenId.js b/src/window/AuthEditOpenId.js
index 08ced99..a9ccb92 100644
--- a/src/window/AuthEditOpenId.js
+++ b/src/window/AuthEditOpenId.js
@@ -35,6 +35,19 @@ Ext.define('Proxmox.panel.OpenIDInputPanel', {
 	    fieldLabel: gettext('Realm'),
 	    allowBlank: false,
 	},
+	{
+	    xtype: 'proxmoxcheckbox',
+	    fieldLabel: gettext('Default realm'),
+	    name: 'default',
+	    value: 0,
+	    cbind: {
+		deleteEmpty: '{!isCreate}',
+	    },
+	    autoEl: {
+		tag: 'div',
+		'data-qtip': gettext('Set realm as default for login'),
+	    },
+	},
 	{
 	    xtype: 'proxmoxtextfield',
 	    fieldLabel: gettext('Client ID'),
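
Review bot: This checkbox block is a verbatim copy of the one added to `AuthEditLDAP.js` above, and `AuthEditSimple.js` carries a third variant with a plain `deleteEmpty: true`. Consider defining the field once and reusing it, so that label, tooltip and `deleteEmpty` handling cannot drift apart between the panels.
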
-- 
2.45.2




* [pbs-devel] [PATCH proxmox-backup v4 08/16] fix #5379: api-types: add `default` field to all realm types
  2024-08-23 11:07 [pbs-devel] [PATCH proxmox-backup/pwt v4 00/16] fix #5379: introduce default auth realm option Christoph Heiss
                   ` (6 preceding siblings ...)
  2024-08-23 11:07 ` [pbs-devel] [PATCH widget-toolkit v4 7/7] fix #5379: window: AuthEdit{LDAP, OpenId}: add 'Default realm' checkbox Christoph Heiss
@ 2024-08-23 11:07 ` Christoph Heiss
  2024-08-23 11:07 ` [pbs-devel] [PATCH proxmox-backup v4 09/16] fix #5379: api2: access: set default realm accordingly on individual update Christoph Heiss
                   ` (9 subsequent siblings)
  17 siblings, 0 replies; 19+ messages in thread
From: Christoph Heiss @ 2024-08-23 11:07 UTC (permalink / raw)
  To: pbs-devel

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v3 -> v4:
  * no changes

Changes v2 -> v3:
  * make `default` property deletable

Changes v1 -> v2:
  * no changes

 pbs-api-types/src/ad.rs          | 7 +++++++
 pbs-api-types/src/ldap.rs        | 7 +++++++
 pbs-api-types/src/openid.rs      | 7 +++++++
 src/api2/config/access/ad.rs     | 5 +++++
 src/api2/config/access/ldap.rs   | 5 +++++
 src/api2/config/access/openid.rs | 5 +++++
 6 files changed, 36 insertions(+)

diff --git a/pbs-api-types/src/ad.rs b/pbs-api-types/src/ad.rs
index 910571a0..5c236325 100644
--- a/pbs-api-types/src/ad.rs
+++ b/pbs-api-types/src/ad.rs
@@ -16,6 +16,10 @@ use super::{
             optional: true,
             schema: SINGLE_LINE_COMMENT_SCHEMA,
         },
+        "default": {
+            optional: true,
+            default: false,
+        },
         "verify": {
             optional: true,
             default: false,
@@ -64,6 +68,9 @@ pub struct AdRealmConfig {
     /// Comment
     #[serde(skip_serializing_if = "Option::is_none")]
     pub comment: Option<String>,
+    /// True if it should be the default realm to login in
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub default: Option<bool>,
     /// Connection security
     #[serde(skip_serializing_if = "Option::is_none")]
     pub mode: Option<LdapMode>,
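
Review bot: The doc comment `/// True if it should be the default realm to login in` on the new `default` field ends up as the API description and reads awkwardly; "to log in to" or "default realm for login", as the GUI tooltip puts it, would be clearer. The same wording is added in `ldap.rs` and `openid.rs`.
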
diff --git a/pbs-api-types/src/ldap.rs b/pbs-api-types/src/ldap.rs
index a3e0407b..79735d93 100644
--- a/pbs-api-types/src/ldap.rs
+++ b/pbs-api-types/src/ldap.rs
@@ -29,6 +29,10 @@ pub enum LdapMode {
             optional: true,
             schema: SINGLE_LINE_COMMENT_SCHEMA,
         },
+        "default": {
+            optional: true,
+            default: false,
+        },
         "verify": {
             optional: true,
             default: false,
@@ -75,6 +79,9 @@ pub struct LdapRealmConfig {
     /// Comment
     #[serde(skip_serializing_if = "Option::is_none")]
     pub comment: Option<String>,
+    /// True if it should be the default realm to login in
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub default: Option<bool>,
     /// Connection security
     #[serde(skip_serializing_if = "Option::is_none")]
     pub mode: Option<LdapMode>,
diff --git a/pbs-api-types/src/openid.rs b/pbs-api-types/src/openid.rs
index 2c95c5c6..e8ec19d9 100644
--- a/pbs-api-types/src/openid.rs
+++ b/pbs-api-types/src/openid.rs
@@ -80,6 +80,10 @@ pub const OPENID_USERNAME_CLAIM_SCHEMA: Schema = StringSchema::new(
             optional: true,
             schema: SINGLE_LINE_COMMENT_SCHEMA,
         },
+        "default": {
+            optional: true,
+            default: false,
+        },
         autocreate: {
             optional: true,
             default: false,
@@ -111,6 +115,9 @@ pub struct OpenIdRealmConfig {
     pub client_key: Option<String>,
     #[serde(skip_serializing_if = "Option::is_none")]
     pub comment: Option<String>,
+    /// True if it should be the default realm to login in
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub default: Option<bool>,
     /// Automatically create users if they do not exist.
     #[serde(skip_serializing_if = "Option::is_none")]
     pub autocreate: Option<bool>,
diff --git a/src/api2/config/access/ad.rs b/src/api2/config/access/ad.rs
index c202291a..4106e0f4 100644
--- a/src/api2/config/access/ad.rs
+++ b/src/api2/config/access/ad.rs
@@ -136,6 +136,8 @@ pub enum DeletableProperty {
     Port,
     /// Comment
     Comment,
+    /// Is default realm
+    Default,
     /// Verify server certificate
     Verify,
     /// Mode (ldap, ldap+starttls or ldaps),
@@ -217,6 +219,9 @@ pub async fn update_ad_realm(
                 DeletableProperty::Comment => {
                     config.comment = None;
                 }
+                DeletableProperty::Default => {
+                    config.default = None;
+                }
                 DeletableProperty::Port => {
                     config.port = None;
                 }
diff --git a/src/api2/config/access/ldap.rs b/src/api2/config/access/ldap.rs
index e60dc9c1..7dcf7990 100644
--- a/src/api2/config/access/ldap.rs
+++ b/src/api2/config/access/ldap.rs
@@ -171,6 +171,8 @@ pub enum DeletableProperty {
     Port,
     /// Comment
     Comment,
+    /// Is default realm
+    Default,
     /// Verify server certificate
     Verify,
     /// Mode (ldap, ldap+starttls or ldaps),
@@ -252,6 +254,9 @@ pub fn update_ldap_realm(
                 DeletableProperty::Comment => {
                     config.comment = None;
                 }
+                DeletableProperty::Default => {
+                    config.default = None;
+                }
                 DeletableProperty::Port => {
                     config.port = None;
                 }
diff --git a/src/api2/config/access/openid.rs b/src/api2/config/access/openid.rs
index 4901880e..2fbcd1b1 100644
--- a/src/api2/config/access/openid.rs
+++ b/src/api2/config/access/openid.rs
@@ -149,6 +149,8 @@ pub enum DeletableProperty {
     ClientKey,
     /// Delete the comment property.
     Comment,
+    /// Delete the default property.
+    Default,
     /// Delete the autocreate property
     Autocreate,
     /// Delete the scopes property
@@ -217,6 +219,9 @@ pub fn update_openid_realm(
                 DeletableProperty::Comment => {
                     config.comment = None;
                 }
+                DeletableProperty::Default => {
+                    config.default = None;
+                }
                 DeletableProperty::Autocreate => {
                     config.autocreate = None;
                 }
-- 
2.45.2




* [pbs-devel] [PATCH proxmox-backup v4 09/16] fix #5379: api2: access: set default realm accordingly on individual update
  2024-08-23 11:07 [pbs-devel] [PATCH proxmox-backup/pwt v4 00/16] fix #5379: introduce default auth realm option Christoph Heiss
                   ` (7 preceding siblings ...)
  2024-08-23 11:07 ` [pbs-devel] [PATCH proxmox-backup v4 08/16] fix #5379: api-types: add `default` field to all realm types Christoph Heiss
@ 2024-08-23 11:07 ` Christoph Heiss
  2024-08-23 11:07 ` [pbs-devel] [PATCH proxmox-backup v4 10/16] api-types: introduce proper types for PAM and PBS realms Christoph Heiss
                   ` (8 subsequent siblings)
  17 siblings, 0 replies; 19+ messages in thread
From: Christoph Heiss @ 2024-08-23 11:07 UTC (permalink / raw)
  To: pbs-devel

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v3 -> v4:
  * no changes

Changes v2 -> v3:
  * removed early return again, which did not work as intended
  * drop unnecessary crate namespace qualification
  * also unset current default realm when creating new realm with
    `default` set

Changes v1 -> v2:
  * documented unset_default_realm()
  * added early return to unset_default_realm()

 pbs-config/src/domains.rs        | 15 +++++++++++++++
 src/api2/config/access/ad.rs     | 11 +++++++++++
 src/api2/config/access/ldap.rs   | 11 +++++++++++
 src/api2/config/access/openid.rs | 11 +++++++++++
 4 files changed, 48 insertions(+)

diff --git a/pbs-config/src/domains.rs b/pbs-config/src/domains.rs
index 32bd967a..d94d54a8 100644
--- a/pbs-config/src/domains.rs
+++ b/pbs-config/src/domains.rs
@@ -61,6 +61,21 @@ pub fn save_config(config: &SectionConfigData) -> Result<(), Error> {
     replace_backup_config(DOMAINS_CFG_FILENAME, raw.as_bytes())
 }
 
+/// Unsets the default login realm for users by deleting the `default` property
+/// from the respective realm.
+///
+/// This only updates the configuration as given in `config`, making it
+/// permanent is left to the caller.
+pub fn unset_default_realm(config: &mut SectionConfigData) -> Result<(), Error> {
+    for (_, data) in &mut config.sections.values_mut() {
+        if let Some(obj) = data.as_object_mut() {
+            obj.remove("default");
+        }
+    }
+
+    Ok(())
+}
+
 /// Check if a realm with the given name exists
 pub fn exists(domains: &SectionConfigData, realm: &str) -> bool {
     realm == "pbs" || realm == "pam" || domains.sections.contains_key(realm)
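
Review bot: `unset_default_realm()` can never fail, yet it returns `Result<(), Error>` and forces a `?` on every caller; returning `()` would be simpler and more honest about the contract. The `&mut` in front of `config.sections.values_mut()` is redundant, and the doc comment says the property is deleted "from the respective realm" while the loop removes it from every section, so the comment should say that all realms are cleared.
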
diff --git a/src/api2/config/access/ad.rs b/src/api2/config/access/ad.rs
index 4106e0f4..2afb16b8 100644
--- a/src/api2/config/access/ad.rs
+++ b/src/api2/config/access/ad.rs
@@ -91,6 +91,10 @@ pub async fn create_ad_realm(
         auth_helpers::store_ldap_bind_password(&config.realm, &password, &domain_config_lock)?;
     }
 
+    if let Some(true) = config.default {
+        domains::unset_default_realm(&mut domains)?;
+    }
+
     domains.set_data(&config.realm, "ad", &config)?;
 
     domains::save_config(&domains)?;
@@ -278,6 +282,13 @@ pub async fn update_ad_realm(
         }
     }
 
+    if let Some(true) = update.default {
+        domains::unset_default_realm(&mut domains)?;
+        config.default = Some(true);
+    } else {
+        config.default = None;
+    }
+
     if let Some(mode) = update.mode {
         config.mode = Some(mode);
     }
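
Review bot: The `else` branch added to `update_ad_realm()` sets `config.default = None` whenever the request does not carry `default: true`, which includes the case where `default` is simply absent and `update.default` is `None`. An update that only changes, say, the comment of the current default realm therefore silently removes its default status, unlike the neighbouring `if let Some(mode) = update.mode` pattern, which leaves omitted fields untouched. Please handle the three cases separately: `Some(true)` unsets the other realms and sets the flag, `Some(false)` clears it, and `None` leaves the stored value alone; explicit removal is already covered by `DeletableProperty::Default`. The same block is added to `update_ldap_realm()` and `update_openid_realm()` in this patch.
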
diff --git a/src/api2/config/access/ldap.rs b/src/api2/config/access/ldap.rs
index 7dcf7990..6a93ece2 100644
--- a/src/api2/config/access/ldap.rs
+++ b/src/api2/config/access/ldap.rs
@@ -81,6 +81,10 @@ pub fn create_ldap_realm(config: LdapRealmConfig, password: Option<String>) -> R
         auth_helpers::store_ldap_bind_password(&config.realm, &password, &domain_config_lock)?;
     }
 
+    if let Some(true) = config.default {
+        domains::unset_default_realm(&mut domains)?;
+    }
+
     domains.set_data(&config.realm, "ldap", &config)?;
 
     domains::save_config(&domains)?;
@@ -317,6 +321,13 @@ pub fn update_ldap_realm(
         }
     }
 
+    if let Some(true) = update.default {
+        domains::unset_default_realm(&mut domains)?;
+        config.default = Some(true);
+    } else {
+        config.default = None;
+    }
+
     if let Some(mode) = update.mode {
         config.mode = Some(mode);
     }
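Review bot: this seven-line `default` block in `update_ldap_realm()` is the same text as the one added to `update_ad_realm()` and `update_openid_realm()` in this patch, and the four-line variant is repeated across the three create handlers. The rule that at most one realm has `default` set is enforced only by each handler remembering to call `domains::unset_default_realm()` first, so a small helper in `pbs_config::domains` that takes the requested value and applies it would keep that rule in one place and make it harder for a future realm type to miss it.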
diff --git a/src/api2/config/access/openid.rs b/src/api2/config/access/openid.rs
index 2fbcd1b1..5b767fcc 100644
--- a/src/api2/config/access/openid.rs
+++ b/src/api2/config/access/openid.rs
@@ -65,6 +65,10 @@ pub fn create_openid_realm(config: OpenIdRealmConfig) -> Result<(), Error> {
         param_bail!("realm", "realm '{}' already exists.", config.realm);
     }
 
+    if let Some(true) = config.default {
+        domains::unset_default_realm(&mut domains)?;
+    }
+
     domains.set_data(&config.realm, "openid", &config)?;
 
     domains::save_config(&domains)?;
@@ -247,6 +251,13 @@ pub fn update_openid_realm(
         }
     }
 
+    if let Some(true) = update.default {
+        domains::unset_default_realm(&mut domains)?;
+        config.default = Some(true);
+    } else {
+        config.default = None;
+    }
+
     if let Some(issuer_url) = update.issuer_url {
         config.issuer_url = issuer_url;
     }
-- 
2.45.2



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel


^ permalink raw reply	[flat|nested] 19+ messages in thread

* [pbs-devel] [PATCH proxmox-backup v4 10/16] api-types: introduce proper types for PAM and PBS realms
  2024-08-23 11:07 [pbs-devel] [PATCH proxmox-backup/pwt v4 00/16] fix #5379: introduce default auth realm option Christoph Heiss
                   ` (8 preceding siblings ...)
  2024-08-23 11:07 ` [pbs-devel] [PATCH proxmox-backup v4 09/16] fix #5379: api2: access: set default realm accordingly on individual update Christoph Heiss
@ 2024-08-23 11:07 ` Christoph Heiss
  2024-08-23 11:07 ` [pbs-devel] [PATCH proxmox-backup v4 11/16] config: use new dedicated PAM and PBS realm types Christoph Heiss
                   ` (7 subsequent siblings)
  17 siblings, 0 replies; 19+ messages in thread
From: Christoph Heiss @ 2024-08-23 11:07 UTC (permalink / raw)
  To: pbs-devel

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v3 -> v4:
  * no changes

Changes v2 -> v3:
  * no changes

Changes v1 -> v2:
  * reorder new module imports
  * implement `Default` for new realms

 pbs-api-types/src/lib.rs | 97 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 96 insertions(+), 1 deletion(-)

diff --git a/pbs-api-types/src/lib.rs b/pbs-api-types/src/lib.rs
index 635292a5..6706875c 100644
--- a/pbs-api-types/src/lib.rs
+++ b/pbs-api-types/src/lib.rs
@@ -6,7 +6,8 @@ use serde::{Deserialize, Serialize};
 pub mod percent_encoding;
 
 use proxmox_schema::{
-    api, const_regex, ApiStringFormat, ApiType, ArraySchema, ReturnType, Schema, StringSchema,
+    api, const_regex, ApiStringFormat, ApiType, ArraySchema, EnumEntry, ReturnType, Schema,
+    StringSchema, Updater,
 };
 use proxmox_time::parse_daily_duration;
 
@@ -218,6 +219,20 @@ pub const REALM_ID_SCHEMA: Schema = StringSchema::new("Realm name.")
     .max_length(32)
     .schema();
 
+const PAM_REALM_ID_SCHEMA: Schema = StringSchema::new("Realm name.")
+    .format(&ApiStringFormat::Enum(&[EnumEntry::new(
+        "pam",
+        "Default PAM realm.",
+    )]))
+    .schema();
+
+const PBS_REALM_ID_SCHEMA: Schema = StringSchema::new("Realm name.")
+    .format(&ApiStringFormat::Enum(&[EnumEntry::new(
+        "pbs",
+        "Default PBS realm.",
+    )]))
+    .schema();
+
 pub const SUBSCRIPTION_KEY_SCHEMA: Schema =
     StringSchema::new("Proxmox Backup Server subscription key.")
         .format(&SUBSCRIPTION_KEY_FORMAT)
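Review bot: the enum descriptions `"Default PAM realm."` and `"Default PBS realm."` use "default" to mean built-in, in the same series that introduces a `default` property meaning the preselected login realm. Wording such as "Built-in PAM realm." would avoid API documentation in which a realm described as default is not the one flagged `default`.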
@@ -364,3 +379,83 @@ pub struct BasicRealmInfo {
     #[serde(skip_serializing_if = "Option::is_none")]
     pub comment: Option<String>,
 }
+
+#[api(
+    properties: {
+        "realm": {
+            schema: PAM_REALM_ID_SCHEMA,
+        },
+        "comment": {
+            optional: true,
+            schema: SINGLE_LINE_COMMENT_SCHEMA,
+        },
+        "default": {
+            optional: true,
+            default: false,
+        },
+    }
+)]
+#[derive(Serialize, Deserialize, Updater, Clone)]
+#[serde(rename_all = "kebab-case")]
+/// Built-in PAM realm configuration properties.
+pub struct PamRealmConfig {
+    /// Realm name. Always "pam".
+    #[updater(skip)]
+    pub realm: String,
+    /// Comment for this realm
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub comment: Option<String>,
+    /// True if it should be the default realm to login in
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub default: Option<bool>,
+}
+
+impl Default for PamRealmConfig {
+    fn default() -> Self {
+        Self {
+            realm: "pam".to_owned(),
+            comment: Some("Linux PAM standard authentication".to_owned()),
+            default: None,
+        }
+    }
+}
+
+#[api(
+    properties: {
+        "realm": {
+            schema: PBS_REALM_ID_SCHEMA,
+        },
+        "comment": {
+            optional: true,
+            schema: SINGLE_LINE_COMMENT_SCHEMA,
+        },
+        "default": {
+            optional: true,
+            default: false,
+        },
+    }
+)]
+#[derive(Serialize, Deserialize, Updater, Clone)]
+#[serde(rename_all = "kebab-case")]
+/// Built-in Proxmox Backup Server realm configuration properties.
+pub struct PbsRealmConfig {
+    /// Realm name. Always "pbs".
+    #[updater(skip)]
+    pub realm: String,
+    /// Comment for this realm
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub comment: Option<String>,
+    /// True if it should be the default realm to login in
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub default: Option<bool>,
+}
+
+impl Default for PbsRealmConfig {
+    fn default() -> Self {
+        Self {
+            realm: "pbs".to_owned(),
+            comment: Some("Proxmox Backup authentication server".to_owned()),
+            default: None,
+        }
+    }
+}
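Review bot: the doc comment `True if it should be the default realm to login in` on the `default` field of both `PamRealmConfig` and `PbsRealmConfig` becomes the API description of the property and reads awkwardly; something like "True if this realm should be the default for login" is clearer. It would also help to document here that at most one realm is expected to carry the flag, since the type itself cannot express that.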
-- 
2.45.2





^ permalink raw reply	[flat|nested] 19+ messages in thread

* [pbs-devel] [PATCH proxmox-backup v4 11/16] config: use new dedicated PAM and PBS realm types
  2024-08-23 11:07 [pbs-devel] [PATCH proxmox-backup/pwt v4 00/16] fix #5379: introduce default auth realm option Christoph Heiss
                   ` (9 preceding siblings ...)
  2024-08-23 11:07 ` [pbs-devel] [PATCH proxmox-backup v4 10/16] api-types: introduce proper types for PAM and PBS realms Christoph Heiss
@ 2024-08-23 11:07 ` Christoph Heiss
  2024-08-23 11:07 ` [pbs-devel] [PATCH proxmox-backup v4 12/16] api2: access: add update support for built-in PAM realm Christoph Heiss
                   ` (6 subsequent siblings)
  17 siblings, 0 replies; 19+ messages in thread
From: Christoph Heiss @ 2024-08-23 11:07 UTC (permalink / raw)
  To: pbs-devel

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v3 -> v4:
  * no changes

Changes v2 -> v3:
  * no changes

Changes v1 -> v2:
  * use `Default` implementation instead of hardcoding default values

 pbs-config/src/domains.rs     | 21 +++++++++++++++++++--
 src/api2/access/domain.rs     | 13 -------------
 src/bin/proxmox-backup-api.rs |  1 +
 src/config/mod.rs             | 25 +++++++++++++++++++++++++
 4 files changed, 45 insertions(+), 15 deletions(-)

diff --git a/pbs-config/src/domains.rs b/pbs-config/src/domains.rs
index d94d54a8..4ed3ec83 100644
--- a/pbs-config/src/domains.rs
+++ b/pbs-config/src/domains.rs
@@ -8,17 +8,34 @@ use proxmox_schema::{ApiType, ObjectSchema};
 use proxmox_section_config::{SectionConfig, SectionConfigData, SectionConfigPlugin};
 
 use crate::{open_backup_lockfile, replace_backup_config, BackupLockGuard};
-use pbs_api_types::{AdRealmConfig, LdapRealmConfig, OpenIdRealmConfig, REALM_ID_SCHEMA};
+use pbs_api_types::{
+    AdRealmConfig, LdapRealmConfig, OpenIdRealmConfig, PamRealmConfig, PbsRealmConfig,
+    REALM_ID_SCHEMA,
+};
 
 pub static CONFIG: LazyLock<SectionConfig> = LazyLock::new(init);
 
 fn init() -> SectionConfig {
+    const PAM_SCHEMA: &ObjectSchema = PamRealmConfig::API_SCHEMA.unwrap_object_schema();
+    const PBS_SCHEMA: &ObjectSchema = PbsRealmConfig::API_SCHEMA.unwrap_object_schema();
     const AD_SCHEMA: &ObjectSchema = AdRealmConfig::API_SCHEMA.unwrap_object_schema();
     const LDAP_SCHEMA: &ObjectSchema = LdapRealmConfig::API_SCHEMA.unwrap_object_schema();
     const OPENID_SCHEMA: &ObjectSchema = OpenIdRealmConfig::API_SCHEMA.unwrap_object_schema();
 
     let mut config = SectionConfig::new(&REALM_ID_SCHEMA);
 
+    config.register_plugin(SectionConfigPlugin::new(
+        "pam".to_owned(),
+        Some("realm".to_owned()),
+        PAM_SCHEMA,
+    ));
+
+    config.register_plugin(SectionConfigPlugin::new(
+        "pbs".to_owned(),
+        Some("realm".to_owned()),
+        PBS_SCHEMA,
+    ));
+
     let plugin = SectionConfigPlugin::new(
         "openid".to_string(),
         Some(String::from("realm")),
@@ -78,7 +95,7 @@ pub fn unset_default_realm(config: &mut SectionConfigData) -> Result<(), Error>
 
 /// Check if a realm with the given name exists
 pub fn exists(domains: &SectionConfigData, realm: &str) -> bool {
-    realm == "pbs" || realm == "pam" || domains.sections.contains_key(realm)
+    domains.sections.contains_key(realm)
 }
 
 // shell completion helper
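Review bot: with the `realm == "pbs" || realm == "pam"` shortcut removed, `exists()` reports the built-in realms as missing whenever `domains.cfg` has no section for them, and the only place this patch creates those sections is `config::update_default_realms()`, called from `run()` in `src/bin/proxmox-backup-api.rs`. Any caller of `exists()` that can run against a config that has not been migrated yet, or one where the sections were removed by hand, now gets `false` for `pam` and `pbs`. Please either document that precondition on `exists()` or keep a fallback for the built-ins.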
diff --git a/src/api2/access/domain.rs b/src/api2/access/domain.rs
index 8f8eebda..cede714a 100644
--- a/src/api2/access/domain.rs
+++ b/src/api2/access/domain.rs
@@ -29,19 +29,6 @@ use crate::server::jobstate::Job;
 /// Authentication domain/realm index.
 fn list_domains(rpcenv: &mut dyn RpcEnvironment) -> Result<Vec<BasicRealmInfo>, Error> {
     let mut list = Vec::new();
-
-    list.push(serde_json::from_value(json!({
-        "realm": "pam",
-        "type": "pam",
-        "comment": "Linux PAM standard authentication",
-        "default": Some(true),
-    }))?);
-    list.push(serde_json::from_value(json!({
-        "realm": "pbs",
-        "type": "pbs",
-        "comment": "Proxmox Backup authentication server",
-    }))?);
-
     let (config, digest) = pbs_config::domains::config()?;
 
     for (_, (section_type, v)) in config.sections.iter() {
diff --git a/src/bin/proxmox-backup-api.rs b/src/bin/proxmox-backup-api.rs
index 7a72d49a..7f6ecbc9 100644
--- a/src/bin/proxmox-backup-api.rs
+++ b/src/bin/proxmox-backup-api.rs
@@ -46,6 +46,7 @@ async fn run() -> Result<(), Error> {
     config::create_configdir()?;
 
     config::update_self_signed_cert(false)?;
+    config::update_default_realms()?;
 
     proxmox_backup::server::create_run_dir()?;
     proxmox_backup::server::create_state_dir()?;
diff --git a/src/config/mod.rs b/src/config/mod.rs
index 324fabca..0deb1271 100644
--- a/src/config/mod.rs
+++ b/src/config/mod.rs
@@ -12,6 +12,7 @@ use std::path::Path;
 
 use proxmox_lang::try_block;
 
+use pbs_api_types::{PamRealmConfig, PbsRealmConfig};
 use pbs_buildcfg::{self, configdir};
 
 pub mod acme;
@@ -194,3 +195,27 @@ pub(crate) fn set_proxy_certificate(cert_pem: &[u8], key_pem: &[u8]) -> Result<(
 
     Ok(())
 }
+
+pub fn update_default_realms() -> Result<(), Error> {
+    let _lock = pbs_config::domains::lock_config()?;
+    let (mut domains, _) = pbs_config::domains::config()?;
+
+    if !pbs_config::domains::exists(&domains, "pam") {
+        domains.set_data(
+            "pam",
+            "pam",
+            PamRealmConfig {
+                // Setting it as default here is safe, because if we perform this
+                // migration, the user had not had any chance to set a custom default anyway.
+                default: Some(true),
+                ..Default::default()
+            },
+        )?;
+    }
+
+    if !pbs_config::domains::exists(&domains, "pbs") {
+        domains.set_data("pbs", "pbs", PbsRealmConfig::default())?;
+    }
+
+    pbs_config::domains::save_config(&domains)
+}
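Review bot: `update_default_realms()` ends with an unconditional `pbs_config::domains::save_config(&domains)`, so `domains.cfg` is rewritten on every start of the API daemon even when both `exists()` checks found the sections already present. Tracking whether either `set_data()` call ran and saving only then avoids needless writes to an authentication config file, and keeps a failing write from aborting startup (the call site uses `?`) when nothing had to change. The function is `pub` and has no doc comment; a line stating that it is a migration adding the built-in `pam` and `pbs` sections would help.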
-- 
2.45.2





^ permalink raw reply	[flat|nested] 19+ messages in thread

* [pbs-devel] [PATCH proxmox-backup v4 12/16] api2: access: add update support for built-in PAM realm
  2024-08-23 11:07 [pbs-devel] [PATCH proxmox-backup/pwt v4 00/16] fix #5379: introduce default auth realm option Christoph Heiss
                   ` (10 preceding siblings ...)
  2024-08-23 11:07 ` [pbs-devel] [PATCH proxmox-backup v4 11/16] config: use new dedicated PAM and PBS realm types Christoph Heiss
@ 2024-08-23 11:07 ` Christoph Heiss
  2024-08-23 11:07 ` [pbs-devel] [PATCH proxmox-backup v4 13/16] api2: access: add update support for built-in PBS realm Christoph Heiss
                   ` (5 subsequent siblings)
  17 siblings, 0 replies; 19+ messages in thread
From: Christoph Heiss @ 2024-08-23 11:07 UTC (permalink / raw)
  To: pbs-devel

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v3 -> v4:
  * no changes

Changes v2 -> v3:
  * no changes

Changes v1 -> v2:
  * no changes

 src/api2/config/access/mod.rs |   2 +
 src/api2/config/access/pam.rs | 130 ++++++++++++++++++++++++++++++++++
 2 files changed, 132 insertions(+)
 create mode 100644 src/api2/config/access/pam.rs

diff --git a/src/api2/config/access/mod.rs b/src/api2/config/access/mod.rs
index b551e662..36ecd005 100644
--- a/src/api2/config/access/mod.rs
+++ b/src/api2/config/access/mod.rs
@@ -5,10 +5,12 @@ use proxmox_sortable_macro::sortable;
 pub mod ad;
 pub mod ldap;
 pub mod openid;
+pub mod pam;
 pub mod tfa;
 
 #[sortable]
 const SUBDIRS: SubdirMap = &sorted!([
+    ("pam", &pam::ROUTER),
     ("ad", &ad::ROUTER),
     ("ldap", &ldap::ROUTER),
     ("openid", &openid::ROUTER),
diff --git a/src/api2/config/access/pam.rs b/src/api2/config/access/pam.rs
new file mode 100644
index 00000000..04ae616b
--- /dev/null
+++ b/src/api2/config/access/pam.rs
@@ -0,0 +1,130 @@
+use ::serde::{Deserialize, Serialize};
+use anyhow::Error;
+use hex::FromHex;
+
+use proxmox_router::{Permission, Router, RpcEnvironment};
+use proxmox_schema::api;
+
+use pbs_api_types::{
+    PamRealmConfig, PamRealmConfigUpdater, PRIV_REALM_ALLOCATE, PRIV_SYS_AUDIT,
+    PROXMOX_CONFIG_DIGEST_SCHEMA,
+};
+
+use pbs_config::domains;
+
+#[api(
+    returns: {
+        type: PamRealmConfig,
+    },
+    access: {
+        permission: &Permission::Privilege(&["access", "domains"], PRIV_SYS_AUDIT, false),
+    },
+)]
+/// Read the PAM realm configuration
+pub fn read_pam_realm(rpcenv: &mut dyn RpcEnvironment) -> Result<PamRealmConfig, Error> {
+    let (domains, digest) = domains::config()?;
+
+    let config = domains.lookup("pam", "pam")?;
+
+    rpcenv["digest"] = hex::encode(digest).into();
+
+    Ok(config)
+}
+
+#[api]
+#[derive(Serialize, Deserialize)]
+#[serde(rename_all = "kebab-case")]
+/// Deletable property name
+pub enum DeletableProperty {
+    /// Delete the comment property.
+    Comment,
+    /// Delete the default property.
+    Default,
+}
+
+#[api(
+    protected: true,
+    input: {
+        properties: {
+            update: {
+                type: PamRealmConfigUpdater,
+                flatten: true,
+            },
+            delete: {
+                description: "List of properties to delete.",
+                type: Array,
+                optional: true,
+                items: {
+                    type: DeletableProperty,
+                }
+            },
+            digest: {
+                optional: true,
+                schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
+            },
+        },
+    },
+    returns: {
+        type: PamRealmConfig,
+    },
+    access: {
+        permission: &Permission::Privilege(&["access", "domains"], PRIV_REALM_ALLOCATE, false),
+    },
+)]
+/// Update the PAM realm configuration
+pub fn update_pam_realm(
+    update: PamRealmConfigUpdater,
+    delete: Option<Vec<DeletableProperty>>,
+    digest: Option<String>,
+    _rpcenv: &mut dyn RpcEnvironment,
+) -> Result<(), Error> {
+    let _lock = domains::lock_config()?;
+
+    let (mut domains, expected_digest) = domains::config()?;
+
+    if let Some(ref digest) = digest {
+        let digest = <[u8; 32]>::from_hex(digest)?;
+        crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
+    }
+
+    let mut config: PamRealmConfig = domains.lookup("pam", "pam")?;
+
+    if let Some(delete) = delete {
+        for delete_prop in delete {
+            match delete_prop {
+                DeletableProperty::Comment => {
+                    config.comment = None;
+                }
+                DeletableProperty::Default => {
+                    config.default = None;
+                }
+            }
+        }
+    }
+
+    if let Some(comment) = update.comment {
+        let comment = comment.trim().to_string();
+        if comment.is_empty() {
+            config.comment = None;
+        } else {
+            config.comment = Some(comment);
+        }
+    }
+
+    if let Some(true) = update.default {
+        pbs_config::domains::unset_default_realm(&mut domains)?;
+        config.default = Some(true);
+    } else {
+        config.default = None;
+    }
+
+    domains.set_data("pam", "pam", &config)?;
+
+    domains::save_config(&domains)?;
+
+    Ok(())
+}
+
+pub const ROUTER: Router = Router::new()
+    .get(&API_METHOD_READ_PAM_REALM)
+    .put(&API_METHOD_UPDATE_PAM_REALM);
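Review bot: the `#[api]` block on `update_pam_realm()` declares `returns: { type: PamRealmConfig }`, but the function signature is `-> Result<(), Error>` and the body ends in `Ok(())`, so the documented return schema does not match what the endpoint sends back. Either drop the `returns` entry or return the updated `config`. Separately, the trailing `else { config.default = None; }` already clears the flag whenever `update.default` is not `Some(true)`, which makes the `DeletableProperty::Default` arm above it redundant.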
-- 
2.45.2





^ permalink raw reply	[flat|nested] 19+ messages in thread

* [pbs-devel] [PATCH proxmox-backup v4 13/16] api2: access: add update support for built-in PBS realm
  2024-08-23 11:07 [pbs-devel] [PATCH proxmox-backup/pwt v4 00/16] fix #5379: introduce default auth realm option Christoph Heiss
                   ` (11 preceding siblings ...)
  2024-08-23 11:07 ` [pbs-devel] [PATCH proxmox-backup v4 12/16] api2: access: add update support for built-in PAM realm Christoph Heiss
@ 2024-08-23 11:07 ` Christoph Heiss
  2024-08-23 11:07 ` [pbs-devel] [PATCH proxmox-backup v4 14/16] www: AccessControl: make `useTypeInUrl` property per-realm Christoph Heiss
                   ` (4 subsequent siblings)
  17 siblings, 0 replies; 19+ messages in thread
From: Christoph Heiss @ 2024-08-23 11:07 UTC (permalink / raw)
  To: pbs-devel

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v3 -> v4:
  * no changes

Changes v2 -> v3:
  * no changes

Changes v1 -> v2:
  * no changes

 src/api2/config/access/mod.rs |   2 +
 src/api2/config/access/pbs.rs | 130 ++++++++++++++++++++++++++++++++++
 2 files changed, 132 insertions(+)
 create mode 100644 src/api2/config/access/pbs.rs

diff --git a/src/api2/config/access/mod.rs b/src/api2/config/access/mod.rs
index 36ecd005..1e6070c7 100644
--- a/src/api2/config/access/mod.rs
+++ b/src/api2/config/access/mod.rs
@@ -6,11 +6,13 @@ pub mod ad;
 pub mod ldap;
 pub mod openid;
 pub mod pam;
+pub mod pbs;
 pub mod tfa;
 
 #[sortable]
 const SUBDIRS: SubdirMap = &sorted!([
     ("pam", &pam::ROUTER),
+    ("pbs", &pbs::ROUTER),
     ("ad", &ad::ROUTER),
     ("ldap", &ldap::ROUTER),
     ("openid", &openid::ROUTER),
diff --git a/src/api2/config/access/pbs.rs b/src/api2/config/access/pbs.rs
new file mode 100644
index 00000000..2873eabb
--- /dev/null
+++ b/src/api2/config/access/pbs.rs
@@ -0,0 +1,130 @@
+use ::serde::{Deserialize, Serialize};
+use anyhow::Error;
+use hex::FromHex;
+
+use proxmox_router::{Permission, Router, RpcEnvironment};
+use proxmox_schema::api;
+
+use pbs_api_types::{
+    PbsRealmConfig, PbsRealmConfigUpdater, PRIV_REALM_ALLOCATE, PRIV_SYS_AUDIT,
+    PROXMOX_CONFIG_DIGEST_SCHEMA,
+};
+
+use pbs_config::domains;
+
+#[api(
+    returns: {
+        type: PbsRealmConfig,
+    },
+    access: {
+        permission: &Permission::Privilege(&["access", "domains"], PRIV_SYS_AUDIT, false),
+    },
+)]
+/// Read the Proxmox Backup authentication server realm configuration
+pub fn read_pbs_realm(rpcenv: &mut dyn RpcEnvironment) -> Result<PbsRealmConfig, Error> {
+    let (domains, digest) = domains::config()?;
+
+    let config = domains.lookup("pbs", "pbs")?;
+
+    rpcenv["digest"] = hex::encode(digest).into();
+
+    Ok(config)
+}
+
+#[api]
+#[derive(Serialize, Deserialize)]
+#[serde(rename_all = "kebab-case")]
+/// Deletable property name
+pub enum DeletableProperty {
+    /// Delete the comment property.
+    Comment,
+    /// Delete the default property.
+    Default,
+}
+
+#[api(
+    protected: true,
+    input: {
+        properties: {
+            update: {
+                type: PbsRealmConfigUpdater,
+                flatten: true,
+            },
+            delete: {
+                description: "List of properties to delete.",
+                type: Array,
+                optional: true,
+                items: {
+                    type: DeletableProperty,
+                }
+            },
+            digest: {
+                optional: true,
+                schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
+            },
+        },
+    },
+    returns: {
+        type: PbsRealmConfig,
+    },
+    access: {
+        permission: &Permission::Privilege(&["access", "domains"], PRIV_REALM_ALLOCATE, false),
+    },
+)]
+/// Update the Proxmox Backup authentication server realm configuration
+pub fn update_pbs_realm(
+    update: PbsRealmConfigUpdater,
+    delete: Option<Vec<DeletableProperty>>,
+    digest: Option<String>,
+    _rpcenv: &mut dyn RpcEnvironment,
+) -> Result<(), Error> {
+    let _lock = domains::lock_config()?;
+
+    let (mut domains, expected_digest) = domains::config()?;
+
+    if let Some(ref digest) = digest {
+        let digest = <[u8; 32]>::from_hex(digest)?;
+        crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
+    }
+
+    let mut config: PbsRealmConfig = domains.lookup("pbs", "pbs")?;
+
+    if let Some(delete) = delete {
+        for delete_prop in delete {
+            match delete_prop {
+                DeletableProperty::Comment => {
+                    config.comment = None;
+                }
+                DeletableProperty::Default => {
+                    config.default = None;
+                }
+            }
+        }
+    }
+
+    if let Some(comment) = update.comment {
+        let comment = comment.trim().to_string();
+        if comment.is_empty() {
+            config.comment = None;
+        } else {
+            config.comment = Some(comment);
+        }
+    }
+
+    if let Some(true) = update.default {
+        pbs_config::domains::unset_default_realm(&mut domains)?;
+        config.default = Some(true);
+    } else {
+        config.default = None;
+    }
+
+    domains.set_data("pbs", "pbs", &config)?;
+
+    domains::save_config(&domains)?;
+
+    Ok(())
+}
+
+pub const ROUTER: Router = Router::new()
+    .get(&API_METHOD_READ_PBS_REALM)
+    .put(&API_METHOD_UPDATE_PBS_REALM);
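Review bot: `pbs.rs` is a line-for-line copy of `pam.rs` with only the type names, the doc strings and the `"pbs"` section id changed, including a second `DeletableProperty` enum with the same two variants. A shared generic read/update pair (or a small macro) parameterised over the config type and section id would keep fixes to this logic from having to land twice. Minor: `pbs_config::domains::unset_default_realm(&mut domains)` can use the `domains` module that is already imported at the top of the file, as the `lock_config()` and `save_config()` calls do.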
-- 
2.45.2





^ permalink raw reply	[flat|nested] 19+ messages in thread

* [pbs-devel] [PATCH proxmox-backup v4 14/16] www: AccessControl: make `useTypeInUrl` property per-realm
  2024-08-23 11:07 [pbs-devel] [PATCH proxmox-backup/pwt v4 00/16] fix #5379: introduce default auth realm option Christoph Heiss
                   ` (12 preceding siblings ...)
  2024-08-23 11:07 ` [pbs-devel] [PATCH proxmox-backup v4 13/16] api2: access: add update support for built-in PBS realm Christoph Heiss
@ 2024-08-23 11:07 ` Christoph Heiss
  2024-08-23 11:07 ` [pbs-devel] [PATCH proxmox-backup v4 15/16] www: utils: make built-in pbs realm editable using new AuthSimplePanel Christoph Heiss
                   ` (3 subsequent siblings)
  17 siblings, 0 replies; 19+ messages in thread
From: Christoph Heiss @ 2024-08-23 11:07 UTC (permalink / raw)
  To: pbs-devel

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v3 -> v4:
  * no changes

Changes v2 -> v3:
  * no changes

Changes v1 -> v2:
  * no changes

 www/Utils.js               | 1 +
 www/panel/AccessControl.js | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/Utils.js b/www/Utils.js
index 4853be36..f6688ca4 100644
--- a/www/Utils.js
+++ b/www/Utils.js
@@ -459,6 +459,7 @@ Ext.define('PBS.Utils', {
 		edit: false,
 		pwchange: true,
 		sync: false,
+		useTypeInUrl: false,
 	    },
 	});
 
diff --git a/www/panel/AccessControl.js b/www/panel/AccessControl.js
index d10d0891..4910510e 100644
--- a/www/panel/AccessControl.js
+++ b/www/panel/AccessControl.js
@@ -40,7 +40,6 @@ Ext.define('PBS.AccessControlPanel', {
 	{
 	    xtype: 'pmxAuthView',
 	    baseUrl: '/config/access',
-	    useTypeInUrl: true,
 	    title: gettext('Realms'),
 	    itemId: 'domains',
 	    iconCls: 'fa fa-address-book-o',
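Review bot: removing `useTypeInUrl: true` from the `pmxAuthView` config changes URL construction for every realm type, while the only replacement visible in this patch is `useTypeInUrl: false` on a single override in `www/Utils.js`. The commit message has no body; please state there where the per-realm value for the other realm types comes from (presumably the proxmox-widget-toolkit part of the series) and that this patch must not be applied without it.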
-- 
2.45.2





^ permalink raw reply	[flat|nested] 19+ messages in thread

* [pbs-devel] [PATCH proxmox-backup v4 15/16] www: utils: make built-in pbs realm editable using new AuthSimplePanel
  2024-08-23 11:07 [pbs-devel] [PATCH proxmox-backup/pwt v4 00/16] fix #5379: introduce default auth realm option Christoph Heiss
                   ` (13 preceding siblings ...)
  2024-08-23 11:07 ` [pbs-devel] [PATCH proxmox-backup v4 14/16] www: AccessControl: make `useTypeInUrl` property per-realm Christoph Heiss
@ 2024-08-23 11:07 ` Christoph Heiss
  2024-08-23 11:07 ` [pbs-devel] [PATCH proxmox-backup v4 16/16] docs: user-management: document `pam` and `pbs` authentication realm Christoph Heiss
                   ` (2 subsequent siblings)
  17 siblings, 0 replies; 19+ messages in thread
From: Christoph Heiss @ 2024-08-23 11:07 UTC (permalink / raw)
  To: pbs-devel

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v3 -> v4:
  * no changes

Changes v2 -> v3:
  * no changes

Changes v1 -> v2:
  * no changes

 www/Utils.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/www/Utils.js b/www/Utils.js
index f6688ca4..15724958 100644
--- a/www/Utils.js
+++ b/www/Utils.js
@@ -455,8 +455,9 @@ Ext.define('PBS.Utils', {
 	Proxmox.Schema.overrideAuthDomains({
 	    pbs: {
 		name: 'Proxmox Backup authentication server',
+		ipanel: 'pmxAuthSimplePanel',
 		add: false,
-		edit: false,
+		edit: true,
 		pwchange: true,
 		sync: false,
 		useTypeInUrl: false,
-- 
2.45.2





^ permalink raw reply	[flat|nested] 19+ messages in thread

* [pbs-devel] [PATCH proxmox-backup v4 16/16] docs: user-management: document `pam` and `pbs` authentication realm
  2024-08-23 11:07 [pbs-devel] [PATCH proxmox-backup/pwt v4 00/16] fix #5379: introduce default auth realm option Christoph Heiss
                   ` (14 preceding siblings ...)
  2024-08-23 11:07 ` [pbs-devel] [PATCH proxmox-backup v4 15/16] www: utils: make built-in pbs realm editable using new AuthSimplePanel Christoph Heiss
@ 2024-08-23 11:07 ` Christoph Heiss
  2024-11-11 23:01 ` [pbs-devel] partially-applied: [PATCH proxmox-backup/pwt v4 00/16] fix #5379: introduce default auth realm option Thomas Lamprecht
  2025-03-21 13:48 ` [pbs-devel] " Christoph Heiss
  17 siblings, 0 replies; 19+ messages in thread
From: Christoph Heiss @ 2024-08-23 11:07 UTC (permalink / raw)
  To: pbs-devel

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v3 -> v4:
  * new patch

 docs/user-management.rst | 30 ++++++++++++++++++++++++++++--
 www/OnlineHelpInfo.js    |  8 ++++++++
 www/Utils.js             |  1 +
 3 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/docs/user-management.rst b/docs/user-management.rst
index c670cbf6..17ef6f75 100644
--- a/docs/user-management.rst
+++ b/docs/user-management.rst
@@ -16,8 +16,8 @@ User Configuration
 choose the realm when you add a new user. Possible realms are:
 
 :pam: Linux PAM standard authentication. Use this if you want to
-      authenticate as a Linux system user (users need to exist on the
-      system).
+      authenticate as a Linux system user. The users needs to already exist on
+      the host system.
 
 :pbs: Proxmox Backup Server realm. This type stores hashed passwords in
       ``/etc/proxmox-backup/shadow.json``.
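Review bot: in the new `:pam:` text, `The users needs to already exist` has a subject-verb mismatch; "The user needs to already exist on the host system" or "Users need to already exist on the host system" reads correctly.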
@@ -599,6 +599,32 @@ list view in the web UI, or using the command line:
 Authentication Realms
 ---------------------
 
+.. _user_realms_pam:
+
+Linux PAM
+~~~~~~~~~
+
+Linux PAM is a framework for system-wide user authentication. These users are
+created on the host system with commands such as ``adduser``.
+
+If PAM users exist on the host system, corresponding entries can be added to
+Proxmox Backup Server, to allow these users to log in via their system username
+and password.
+
+.. _user_realms_pbs:
+
+Proxmox Backup authentication server
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This is a Unix-like password store, which stores hashed passwords in
+``/etc/proxmox-backup/shadow.json``. Passwords are hashed using the SHA-256
+hashing algorithm.
+
+This is the most convenient realm for small-scale (or even mid-scale)
+installations, where users do not need access to anything outside of Proxmox
+Backup Server. In this case, users are fully managed by Proxmox Backup Server
+and are able to change their own passwords via the GUI.
+
 .. _user_realms_ldap:
 
 LDAP
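Review bot: `Passwords are hashed using the SHA-256 hashing algorithm` reads as if a bare SHA-256 digest of the password is stored in `shadow.json`, which administrators would rightly consider weak for password storage. If the implementation uses a salted, iterated scheme built on SHA-256, the documentation should name that scheme precisely; if it does not, that deserves its own discussion before being documented as-is.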
diff --git a/www/OnlineHelpInfo.js b/www/OnlineHelpInfo.js
index 556e87e7..81613f62 100644
--- a/www/OnlineHelpInfo.js
+++ b/www/OnlineHelpInfo.js
@@ -431,6 +431,14 @@ const proxmoxOnlineHelpInfo = {
     "link": "/docs/user-management.html#user-tfa-lockout",
     "title": "Limits and Lockout of Two-Factor Authentication"
   },
+  "user-realms-pam": {
+    "link": "/docs/user-management.html#user-realms-pam",
+    "title": "Linux PAM"
+  },
+  "user-realms-pbs": {
+    "link": "/docs/user-management.html#user-realms-pbs",
+    "title": "Proxmox Backup authentication server"
+  },
   "user-realms-ldap": {
     "link": "/docs/user-management.html#user-realms-ldap",
     "title": "LDAP"
diff --git a/www/Utils.js b/www/Utils.js
index 15724958..15503fe1 100644
--- a/www/Utils.js
+++ b/www/Utils.js
@@ -456,6 +456,7 @@ Ext.define('PBS.Utils', {
 	    pbs: {
 		name: 'Proxmox Backup authentication server',
 		ipanel: 'pmxAuthSimplePanel',
+		onlineHelp: 'user-realms-pam',
 		add: false,
 		edit: true,
 		pwchange: true,
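Review bot: `onlineHelp: 'user-realms-pam'` is added inside the `pbs:` override, so the help button of the Proxmox Backup authentication server realm would open the Linux PAM section. The `www/OnlineHelpInfo.js` hunk in this patch adds a `user-realms-pbs` anchor, which is presumably what was meant here; the `pam` realm would then need its own `onlineHelp: 'user-realms-pam'` wherever its domain entry is defined.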
-- 
2.45.2





^ permalink raw reply	[flat|nested] 19+ messages in thread

* [pbs-devel] partially-applied: [PATCH proxmox-backup/pwt v4 00/16] fix #5379: introduce default auth realm option
  2024-08-23 11:07 [pbs-devel] [PATCH proxmox-backup/pwt v4 00/16] fix #5379: introduce default auth realm option Christoph Heiss
                   ` (15 preceding siblings ...)
  2024-08-23 11:07 ` [pbs-devel] [PATCH proxmox-backup v4 16/16] docs: user-management: document `pam` and `pbs` authentication realm Christoph Heiss
@ 2024-11-11 23:01 ` Thomas Lamprecht
  2025-03-21 13:48 ` [pbs-devel] " Christoph Heiss
  17 siblings, 0 replies; 19+ messages in thread
From: Thomas Lamprecht @ 2024-11-11 23:01 UTC (permalink / raw)
  To: Proxmox Backup Server development discussion, Christoph Heiss

On 23.08.24 at 13:07, Christoph Heiss wrote:
> Fixes #5379 [0].
> 
> First, it adds an updatable `default` field to all existing editable
> realms. Then it converts the PAM and PBS built-in realms to proper
> realms, instead of being hard-coded in-between somewhere.
> In turn this enables editing of these realms, allowing setting whether
> these realms should be the default for login or not.
> 
> For proxmox-widget-toolkit, the first three patches could in principle
> be applied on their own. The others depend on the API changes as
> introduced in the proxmox-backup part.
> 
> W.r.t. the inconsistency as discovered/discussed in [1], the (current)
> behaviour is not changed in this series. Since both PVE and PBS use the
> same realm login dialog from proxmox-widget-toolkit, I'd rather fix it
> separately -- to avoid blocking this series on a completely separate
> issue, which might still need some discussing.
> 
> W.r.t. applying, proxmox-backup will need a bump of
> proxmox-widget-toolkit afterwards.
> 
> [0] https://bugzilla.proxmox.com/show_bug.cgi?id=5379
> [1] https://lists.proxmox.com/pipermail/pbs-devel/2024-August/010429.html
> 
> History
> =======
> 
> v3: https://lists.proxmox.com/pipermail/pbs-devel/2024-August/010605.html
> v2: https://lists.proxmox.com/pipermail/pbs-devel/2024-August/010521.html
> v1: https://lists.proxmox.com/pipermail/pbs-devel/2024-July/010250.html
> 
> Changes v3 -> v4:
>   * added proper PAM/PBS realm documentation
>   * reworked SimpleRealmInputPanel properties (thanks Gabriel & Hannes!)
> 
> Changes v2 -> v3:
>   * rebased on latest master
>   * fixed unsetting the `default` property by making it deletable
>   * unset previous default realm when creating a new realm with 
>     `default` set
> 
> Changes v1 -> v2:
>   * rebased on latest master
>   * trivial fixes as suggested by Lukas
>   * add documentation to unset_default_realm()
> 
> Diffstat
> ========
> 
> proxmox-widget-toolkit:
> 
> Christoph Heiss (7):
>   window: AuthEditBase: include more information in thrown errors
>   panel: AuthView: make `useTypeInUrl` property per-realm
>   panel: AuthView: use help link from schema if set
>   window: add panel for editing simple, built-in realms
>   schema: make PAM realm editable using new AuthSimple panel
>   fix #5379: panel: AuthView: add column displaying whether the realm is
>     default
>   fix #5379: window: AuthEdit{LDAP,OpenId}: add 'Default realm' checkbox
> 
>  src/Makefile                 |  1 +
>  src/Schema.js                |  8 +++++++-
>  src/panel/AuthView.js        | 16 ++++++++++++---
>  src/window/AuthEditBase.js   |  8 ++++----
>  src/window/AuthEditLDAP.js   | 14 ++++++++++++-
>  src/window/AuthEditOpenId.js | 13 ++++++++++++
>  src/window/AuthEditSimple.js | 40 ++++++++++++++++++++++++++++++++++++
>  7 files changed, 91 insertions(+), 9 deletions(-)
>  create mode 100644 src/window/AuthEditSimple.js
> 

applied the widget-toolkit patches for now, thanks!

would be nice to get somebody else to test the rest once more



* Re: [pbs-devel] [PATCH proxmox-backup/pwt v4 00/16] fix #5379: introduce default auth realm option
  2024-08-23 11:07 [pbs-devel] [PATCH proxmox-backup/pwt v4 00/16] fix #5379: introduce default auth realm option Christoph Heiss
                   ` (16 preceding siblings ...)
  2024-11-11 23:01 ` [pbs-devel] partially-applied: [PATCH proxmox-backup/pwt v4 00/16] fix #5379: introduce default auth realm option Thomas Lamprecht
@ 2025-03-21 13:48 ` Christoph Heiss
  17 siblings, 0 replies; 19+ messages in thread
From: Christoph Heiss @ 2025-03-21 13:48 UTC (permalink / raw)
  To: Proxmox Backup Server development discussion

v5: https://lore.proxmox.com/pbs-devel/20250321134541.1106117-1-c.heiss@proxmox.com/

On Fri Aug 23, 2024 at 1:07 PM CEST, Christoph Heiss wrote:
> Fixes #5379 [0].
>
> First, it adds an updatable `default` field to all existing editable
> realms. Then it converts the PAM and PBS built-in realms to proper
> realms, instead of being hard-coded in-between somewhere.
> In turn this enables editing of these realms, allowing setting whether
> these realms should be the default for login or not.
>
> For proxmox-widget-toolkit, the first three patches could in principle
> be applied on their own. The others depend on the API changes as
> introduced in the proxmox-backup part.
>
> W.r.t. the inconsistency as discovered/discussed in [1], the (current)
> behaviour is not changed in this series. Since both PVE and PBS use the
> same realm login dialog from proxmox-widget-toolkit, I'd rather fix it
> separately -- to avoid blocking this series on a completely separate
> issue, which might still need some discussing.
>
> W.r.t. applying, proxmox-backup will need a bump of
> proxmox-widget-toolkit afterwards.
>
> [0] https://bugzilla.proxmox.com/show_bug.cgi?id=5379
> [1] https://lists.proxmox.com/pipermail/pbs-devel/2024-August/010429.html
>
> History
> =======
>
> v3: https://lists.proxmox.com/pipermail/pbs-devel/2024-August/010605.html
> v2: https://lists.proxmox.com/pipermail/pbs-devel/2024-August/010521.html
> v1: https://lists.proxmox.com/pipermail/pbs-devel/2024-July/010250.html
>
> Changes v3 -> v4:
>   * added proper PAM/PBS realm documentation
>   * reworked SimpleRealmInputPanel properties (thanks Gabriel & Hannes!)
>
> Changes v2 -> v3:
>   * rebased on latest master
>   * fixed unsetting the `default` property by making it deletable
>   * unset previous default realm when creating a new realm with
>     `default` set
>
> Changes v1 -> v2:
>   * rebased on latest master
>   * trivial fixes as suggested by Lukas
>   * add documentation to unset_default_realm()
>
> Diffstat
> ========
>
> proxmox-widget-toolkit:
>
> Christoph Heiss (7):
>   window: AuthEditBase: include more information in thrown errors
>   panel: AuthView: make `useTypeInUrl` property per-realm
>   panel: AuthView: use help link from schema if set
>   window: add panel for editing simple, built-in realms
>   schema: make PAM realm editable using new AuthSimple panel
>   fix #5379: panel: AuthView: add column displaying whether the realm is
>     default
>   fix #5379: window: AuthEdit{LDAP,OpenId}: add 'Default realm' checkbox
>
>  src/Makefile                 |  1 +
>  src/Schema.js                |  8 +++++++-
>  src/panel/AuthView.js        | 16 ++++++++++++---
>  src/window/AuthEditBase.js   |  8 ++++----
>  src/window/AuthEditLDAP.js   | 14 ++++++++++++-
>  src/window/AuthEditOpenId.js | 13 ++++++++++++
>  src/window/AuthEditSimple.js | 40 ++++++++++++++++++++++++++++++++++++
>  7 files changed, 91 insertions(+), 9 deletions(-)
>  create mode 100644 src/window/AuthEditSimple.js
>
> proxmox-backup:
>
> Christoph Heiss (9):
>   fix #5379: api-types: add `default` field to all realm types
>   fix #5379: api2: access: set default realm accordingly on individual
>     update
>   api-types: introduce proper types for PAM and PBS realms
>   config: use new dedicated PAM and PBS realm types
>   api2: access: add update support for built-in PAM realm
>   api2: access: add update support for built-in PBS realm
>   www: AccessControl: make `useTypeInUrl` property per-realm
>   www: utils: make built-in pbs realm editable using new AuthSimplePanel
>   docs: user-management: document `pam` and `pbs` authentication realm
>
>  docs/user-management.rst         |  30 ++++++-
>  pbs-api-types/src/ad.rs          |   7 ++
>  pbs-api-types/src/ldap.rs        |   7 ++
>  pbs-api-types/src/lib.rs         |  97 ++++++++++++++++++++++-
>  pbs-api-types/src/openid.rs      |   7 ++
>  pbs-config/src/domains.rs        |  36 ++++++++-
>  src/api2/access/domain.rs        |  13 ----
>  src/api2/config/access/ad.rs     |  16 ++++
>  src/api2/config/access/ldap.rs   |  16 ++++
>  src/api2/config/access/mod.rs    |   4 +
>  src/api2/config/access/openid.rs |  16 ++++
>  src/api2/config/access/pam.rs    | 130 +++++++++++++++++++++++++++++++
>  src/api2/config/access/pbs.rs    | 130 +++++++++++++++++++++++++++++++
>  src/bin/proxmox-backup-api.rs    |   1 +
>  src/config/mod.rs                |  25 ++++++
>  www/OnlineHelpInfo.js            |   8 ++
>  www/Utils.js                     |   5 +-
>  www/panel/AccessControl.js       |   1 -
>  18 files changed, 529 insertions(+), 20 deletions(-)
>  create mode 100644 src/api2/config/access/pam.rs
>  create mode 100644 src/api2/config/access/pbs.rs


