[pbs-devel] [PATCH proxmox{, -backup} v5 00/11] fix #5379: introduce default auth realm option

[pbs-devel] [PATCH proxmox{, -backup} v5 00/11] fix #5379: introduce default auth realm option

[Christoph Heiss]

Fixes #5379 [0].

First, it adds an updatable `default` field to all existing editable
realms. Then it converts the PAM and PBS built-in realms to proper
realms, instead of being hard-coded in-between somewhere. 
In turns this enables editing of these realms, allowing setting whether
these realms should be the default for login or not.

For patch #3 onwards, proxmox-backup needs patches #1 & #2 applied to
pbs-api-types and a bump thereof.

The proxmox-widget-toolkit parts have already been applied [1] and
proxmox-backup also pulls in the required version (introduced with pwt
4.3.1, proxmox-backup pulls in >= 4.3.3).

W.r.t. the inconsistency as discovered/discussed in [2], the (current)
behaviour is not changed in this series. Since both PVE and PBS use the
same realm login dialog from proxmox-widget-toolkit, I'd rather fix it
separately -- to avoid blocking this series on a completely separate
issue, which might still need some discussing.

[0] https://bugzilla.proxmox.com/show_bug.cgi?id=5379
[1] https://lore.proxmox.com/pbs-devel/d56c6e30-61d7-452b-afaa-5215d8538b4e@proxmox.com/#t
[2] https://lists.proxmox.com/pipermail/pbs-devel/2024-August/010429.html

History
=======

v4: https://lore.proxmox.com/pbs-devel/20240823110737.831304-1-c.heiss@proxmox.com/
v3: https://lists.proxmox.com/pipermail/pbs-devel/2024-August/010605.html
v2: https://lists.proxmox.com/pipermail/pbs-devel/2024-August/010521.html
v1: https://lists.proxmox.com/pipermail/pbs-devel/2024-July/010250.html

Changes v4 -> v5:
  * rebased on latest master, dropped already-applied pwt patches

Changes v3 -> v4:
  * added proper PAM/PBS realm documentation
  * reworked SimpleRealmInputPanel properties (thanks Gabriel & Hannes!)

Changes v2 -> v3:
  * rebased on latest master
  * fixed unsetting the `default` property by making it deletable
  * unset previous default realm when creating a new realm with 
    `default` set

Changes v1 -> v2:
  * rebased on latest master
  * trivial fixes as suggested by Lukas
  * add documentation to unset_default_realm()

Diffstat
========

proxmox:

Christoph Heiss (2):
  fix #5379: api-types: add `default` field for all realm types
  api-types: introduce proper types for PAM and PBS realms

 pbs-api-types/src/ad.rs     |   7 +++
 pbs-api-types/src/ldap.rs   |   7 +++
 pbs-api-types/src/lib.rs    | 120 +++++++++++++++++++++++++++++++++++-
 pbs-api-types/src/openid.rs |   7 +++
 4 files changed, 140 insertions(+), 1 deletion(-)

proxmox-backup:

Christoph Heiss (9):
  fix #5379: api2: access: add `default` property for all realm types
  fix #5379: api2: access: set default realm accordingly on individual
    update
  config: use new dedicated PAM and PBS realm types
  api2: access: add update support for built-in PAM realm
  api2: access: add update support for built-in PBS realm
  www: AccessControl: make `useTypeInUrl` property per-realm
  www: AccessControl: enable default realm checkbox for all realms
  www: utils: make built-in PBS realm editable using new AuthSimplePanel
  docs: user-management: document `pam` and `pbs` authentication realm

 docs/user-management.rst         |  30 ++++++-
 pbs-config/src/domains.rs        |  36 ++++++++-
 src/api2/access/domain.rs        |  13 ----
 src/api2/config/access/ad.rs     |  16 ++++
 src/api2/config/access/ldap.rs   |  16 ++++
 src/api2/config/access/mod.rs    |   4 +
 src/api2/config/access/openid.rs |  16 ++++
 src/api2/config/access/pam.rs    | 130 +++++++++++++++++++++++++++++++
 src/api2/config/access/pbs.rs    | 130 +++++++++++++++++++++++++++++++
 src/bin/proxmox-backup-api.rs    |   1 +
 src/config/mod.rs                |  25 ++++++
 www/OnlineHelpInfo.js            |   8 ++
 www/Utils.js                     |   5 +-
 www/panel/AccessControl.js       |   2 +-
 14 files changed, 413 insertions(+), 19 deletions(-)
 create mode 100644 src/api2/config/access/pam.rs
 create mode 100644 src/api2/config/access/pbs.rs

-- 
2.45.1



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel

[pbs-devel] [PATCH proxmox v5 1/2] fix #5379: api-types: add `default` field for all realm types

[Christoph Heiss]

The field indicates whether the realm should be the default realm to
select in the login dialog.

Per definition, the field should only ever be set to `true` on exactly
one realm - up to the consumer/storage to ensure that.

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v4 -> v5:
  * rebased to `proxmox` repo
  * added "default" api type definition for `BasicRealmInfo`

 pbs-api-types/src/ad.rs     | 7 +++++++
 pbs-api-types/src/ldap.rs   | 7 +++++++
 pbs-api-types/src/lib.rs    | 7 +++++++
 pbs-api-types/src/openid.rs | 7 +++++++
 4 files changed, 28 insertions(+)

diff --git a/pbs-api-types/src/ad.rs b/pbs-api-types/src/ad.rs
index 910571a0..5c236325 100644
--- a/pbs-api-types/src/ad.rs
+++ b/pbs-api-types/src/ad.rs
@@ -16,6 +16,10 @@ use super::{
             optional: true,
             schema: SINGLE_LINE_COMMENT_SCHEMA,
         },
+        "default": {
+            optional: true,
+            default: false,
+        },
         "verify": {
             optional: true,
             default: false,
@@ -64,6 +68,9 @@ pub struct AdRealmConfig {
     /// Comment
     #[serde(skip_serializing_if = "Option::is_none")]
     pub comment: Option<String>,
+    /// True if it should be the default realm to login in
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub default: Option<bool>,
     /// Connection security
     #[serde(skip_serializing_if = "Option::is_none")]
     pub mode: Option<LdapMode>,
diff --git a/pbs-api-types/src/ldap.rs b/pbs-api-types/src/ldap.rs
index a3e0407b..79735d93 100644
--- a/pbs-api-types/src/ldap.rs
+++ b/pbs-api-types/src/ldap.rs
@@ -29,6 +29,10 @@ pub enum LdapMode {
             optional: true,
             schema: SINGLE_LINE_COMMENT_SCHEMA,
         },
+        "default": {
+            optional: true,
+            default: false,
+        },
         "verify": {
             optional: true,
             default: false,
@@ -75,6 +79,9 @@ pub struct LdapRealmConfig {
     /// Comment
     #[serde(skip_serializing_if = "Option::is_none")]
     pub comment: Option<String>,
+    /// True if it should be the default realm to login in
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub default: Option<bool>,
     /// Connection security
     #[serde(skip_serializing_if = "Option::is_none")]
     pub mode: Option<LdapMode>,
diff --git a/pbs-api-types/src/lib.rs b/pbs-api-types/src/lib.rs
index acc2fca3..e3896000 100644
--- a/pbs-api-types/src/lib.rs
+++ b/pbs-api-types/src/lib.rs
@@ -356,18 +356,25 @@ serde_plain::derive_fromstr_from_deserialize!(RealmType);
             optional: true,
             schema: SINGLE_LINE_COMMENT_SCHEMA,
         },
+        "default": {
+            optional: true,
+            default: false,
+        },
     },
 )]
 #[derive(Deserialize, Serialize, Clone, PartialEq)]
 #[serde(rename_all = "kebab-case")]
 /// Basic Information about a realm
 pub struct BasicRealmInfo {
+    /// Realm name
     pub realm: String,
+    // Realm type
     #[serde(rename = "type")]
     pub ty: RealmType,
     /// True if it is the default realm
     #[serde(skip_serializing_if = "Option::is_none")]
     pub default: Option<bool>,
+    /// Optional comment for this realm
     #[serde(skip_serializing_if = "Option::is_none")]
     pub comment: Option<String>,
 }
diff --git a/pbs-api-types/src/openid.rs b/pbs-api-types/src/openid.rs
index 2c95c5c6..e8ec19d9 100644
--- a/pbs-api-types/src/openid.rs
+++ b/pbs-api-types/src/openid.rs
@@ -80,6 +80,10 @@ pub const OPENID_USERNAME_CLAIM_SCHEMA: Schema = StringSchema::new(
             optional: true,
             schema: SINGLE_LINE_COMMENT_SCHEMA,
         },
+        "default": {
+            optional: true,
+            default: false,
+        },
         autocreate: {
             optional: true,
             default: false,
@@ -111,6 +115,9 @@ pub struct OpenIdRealmConfig {
     pub client_key: Option<String>,
     #[serde(skip_serializing_if = "Option::is_none")]
     pub comment: Option<String>,
+    /// True if it should be the default realm to login in
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub default: Option<bool>,
     /// Automatically create users if they do not exist.
     #[serde(skip_serializing_if = "Option::is_none")]
     pub autocreate: Option<bool>,
-- 
2.48.1



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel

[pbs-devel] [PATCH proxmox v5 2/2] api-types: introduce proper types for PAM and PBS realms

[Christoph Heiss]

Introducs two new, simple API types representing the built-in PAM
and PBS authentication realms.

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v4 -> v5:
  * rebased to `proxmox` repo
  * added `type` field to realms to accommodate proxmox-widget-toolkit
    change in commit ee9d92e37 ("fix: window: AuthEditBase: rename 
    variable 'realm' to 'type'")

Changes v3 -> v4:
  * no changes

Changes v2 -> v3:
  * no changes

Changes v1 -> v2:
  * reorder new module imports
  * implement `Default` for new realms

 pbs-api-types/src/lib.rs | 113 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 112 insertions(+), 1 deletion(-)

diff --git a/pbs-api-types/src/lib.rs b/pbs-api-types/src/lib.rs
index e3896000..b594de03 100644
--- a/pbs-api-types/src/lib.rs
+++ b/pbs-api-types/src/lib.rs
@@ -6,7 +6,8 @@ use serde::{Deserialize, Serialize};
 pub mod percent_encoding;
 
 use proxmox_schema::{
-    api, const_regex, ApiStringFormat, ApiType, ArraySchema, ReturnType, Schema, StringSchema,
+    api, const_regex, ApiStringFormat, ApiType, ArraySchema, EnumEntry, ReturnType, Schema,
+    StringSchema, Updater,
 };
 use proxmox_time::parse_daily_duration;
 
@@ -224,6 +225,20 @@ pub const REALM_ID_SCHEMA: Schema = StringSchema::new("Realm name.")
     .max_length(32)
     .schema();
 
+const PAM_REALM_ID_SCHEMA: Schema = StringSchema::new("Realm name.")
+    .format(&ApiStringFormat::Enum(&[EnumEntry::new(
+        "pam",
+        "Default PAM realm.",
+    )]))
+    .schema();
+
+const PBS_REALM_ID_SCHEMA: Schema = StringSchema::new("Realm name.")
+    .format(&ApiStringFormat::Enum(&[EnumEntry::new(
+        "pbs",
+        "Default PBS realm.",
+    )]))
+    .schema();
+
 pub const SUBSCRIPTION_KEY_SCHEMA: Schema =
     StringSchema::new("Proxmox Backup Server subscription key.")
         .format(&SUBSCRIPTION_KEY_FORMAT)
@@ -378,3 +393,99 @@ pub struct BasicRealmInfo {
     #[serde(skip_serializing_if = "Option::is_none")]
     pub comment: Option<String>,
 }
+
+#[api(
+    properties: {
+        realm: {
+            schema: REALM_ID_SCHEMA,
+        },
+        "type": {
+            type: RealmType,
+        },
+        comment: {
+            optional: true,
+            schema: SINGLE_LINE_COMMENT_SCHEMA,
+        },
+        "default": {
+            optional: true,
+            default: false,
+        },
+    }
+)]
+#[derive(Serialize, Deserialize, Updater, Clone)]
+#[serde(rename_all = "kebab-case")]
+/// Built-in PAM realm configuration properties.
+pub struct PamRealmConfig {
+    /// Realm name. Always "pam".
+    #[updater(skip)]
+    pub realm: String,
+    /// Realm type. Always [`RealmType::Pam`].
+    #[updater(skip)]
+    #[serde(rename = "type")]
+    pub ty: RealmType,
+    /// Comment for this realm
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub comment: Option<String>,
+    /// True if it should be the default realm to login in
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub default: Option<bool>,
+}
+
+impl Default for PamRealmConfig {
+    fn default() -> Self {
+        Self {
+            realm: "pam".to_owned(),
+            ty: RealmType::Pam,
+            comment: Some("Linux PAM standard authentication".to_owned()),
+            default: None,
+        }
+    }
+}
+
+#[api(
+    properties: {
+        realm: {
+            schema: REALM_ID_SCHEMA,
+        },
+        "type": {
+            type: RealmType,
+        },
+        comment: {
+            optional: true,
+            schema: SINGLE_LINE_COMMENT_SCHEMA,
+        },
+        "default": {
+            optional: true,
+            default: false,
+        },
+    }
+)]
+#[derive(Serialize, Deserialize, Updater, Clone)]
+#[serde(rename_all = "kebab-case")]
+/// Built-in Proxmox Backup Server realm configuration properties.
+pub struct PbsRealmConfig {
+    /// Realm name. Always "pbs".
+    #[updater(skip)]
+    pub realm: String,
+    /// Realm type. Always [`RealmType::Pbs`].
+    #[updater(skip)]
+    #[serde(rename = "type")]
+    pub ty: RealmType,
+    /// Comment for this realm
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub comment: Option<String>,
+    /// True if it should be the default realm to login in
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub default: Option<bool>,
+}
+
+impl Default for PbsRealmConfig {
+    fn default() -> Self {
+        Self {
+            realm: "pbs".to_owned(),
+            ty: RealmType::Pbs,
+            comment: Some("Proxmox Backup authentication server".to_owned()),
+            default: None,
+        }
+    }
+}
-- 
2.48.1



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel

[pbs-devel] [PATCH proxmox-backup v5 03/11] fix #5379: api2: access: add `default` property for all realm types

[Christoph Heiss]

Now that all the realms support this field, add the required API
plumbing for it.

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Depends on patches #1 & #2 and a bump of proxmox thereof.

Changes v4 -> v5:
  * split out pbs-api-types changes to own patch

Changes v3 -> v4:
  * no changes

Changes v2 -> v3:
  * make `default` property deletable

Changes v1 -> v2:
  * no changes

 src/api2/config/access/ad.rs     | 5 +++++
 src/api2/config/access/ldap.rs   | 5 +++++
 src/api2/config/access/openid.rs | 5 +++++
 3 files changed, 15 insertions(+)

diff --git a/src/api2/config/access/ad.rs b/src/api2/config/access/ad.rs
index c202291a..4106e0f4 100644
--- a/src/api2/config/access/ad.rs
+++ b/src/api2/config/access/ad.rs
@@ -136,6 +136,8 @@ pub enum DeletableProperty {
     Port,
     /// Comment
     Comment,
+    /// Is default realm
+    Default,
     /// Verify server certificate
     Verify,
     /// Mode (ldap, ldap+starttls or ldaps),
@@ -217,6 +219,9 @@ pub async fn update_ad_realm(
                 DeletableProperty::Comment => {
                     config.comment = None;
                 }
+                DeletableProperty::Default => {
+                    config.default = None;
+                }
                 DeletableProperty::Port => {
                     config.port = None;
                 }
diff --git a/src/api2/config/access/ldap.rs b/src/api2/config/access/ldap.rs
index e60dc9c1..7dcf7990 100644
--- a/src/api2/config/access/ldap.rs
+++ b/src/api2/config/access/ldap.rs
@@ -171,6 +171,8 @@ pub enum DeletableProperty {
     Port,
     /// Comment
     Comment,
+    /// Is default realm
+    Default,
     /// Verify server certificate
     Verify,
     /// Mode (ldap, ldap+starttls or ldaps),
@@ -252,6 +254,9 @@ pub fn update_ldap_realm(
                 DeletableProperty::Comment => {
                     config.comment = None;
                 }
+                DeletableProperty::Default => {
+                    config.default = None;
+                }
                 DeletableProperty::Port => {
                     config.port = None;
                 }
diff --git a/src/api2/config/access/openid.rs b/src/api2/config/access/openid.rs
index 4901880e..2fbcd1b1 100644
--- a/src/api2/config/access/openid.rs
+++ b/src/api2/config/access/openid.rs
@@ -149,6 +149,8 @@ pub enum DeletableProperty {
     ClientKey,
     /// Delete the comment property.
     Comment,
+    /// Delete the default property.
+    Default,
     /// Delete the autocreate property
     Autocreate,
     /// Delete the scopes property
@@ -217,6 +219,9 @@ pub fn update_openid_realm(
                 DeletableProperty::Comment => {
                     config.comment = None;
                 }
+                DeletableProperty::Default => {
+                    config.default = None;
+                }
                 DeletableProperty::Autocreate => {
                     config.autocreate = None;
                 }
-- 
2.48.1



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel

[pbs-devel] [PATCH proxmox-backup v5 04/11] fix #5379: api2: access: set default realm accordingly on individual update

[Christoph Heiss]

Whenever the `default` field is set to `true` for any realm, the
`default` field must be unset first from all realms to ensure that only
ever exactly one realm is the default.

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v4 -> v5:
  * no changes

Changes v3 -> v4:
  * no changes

Changes v2 -> v3:
  * removed early return again, which did not work as intended
  * drop unnecessary crate namespace qualification
  * also unset current default realm when creating new realm with
    `default` set
    
Changes v1 -> v2:
  * documented unset_default_realm()
  * added early return to unset_default_realm()

 pbs-config/src/domains.rs        | 15 +++++++++++++++
 src/api2/config/access/ad.rs     | 11 +++++++++++
 src/api2/config/access/ldap.rs   | 11 +++++++++++
 src/api2/config/access/openid.rs | 11 +++++++++++
 4 files changed, 48 insertions(+)

diff --git a/pbs-config/src/domains.rs b/pbs-config/src/domains.rs
index 32bd967a..d94d54a8 100644
--- a/pbs-config/src/domains.rs
+++ b/pbs-config/src/domains.rs
@@ -61,6 +61,21 @@ pub fn save_config(config: &SectionConfigData) -> Result<(), Error> {
     replace_backup_config(DOMAINS_CFG_FILENAME, raw.as_bytes())
 }
 
+/// Unsets the default login realm for users by deleting the `default` property
+/// from the respective realm.
+///
+/// This only updates the configuration as given in `config`, making it
+/// permanent is left to the caller.
+pub fn unset_default_realm(config: &mut SectionConfigData) -> Result<(), Error> {
+    for (_, data) in &mut config.sections.values_mut() {
+        if let Some(obj) = data.as_object_mut() {
+            obj.remove("default");
+        }
+    }
+
+    Ok(())
+}
+
 /// Check if a realm with the given name exists
 pub fn exists(domains: &SectionConfigData, realm: &str) -> bool {
     realm == "pbs" || realm == "pam" || domains.sections.contains_key(realm)
diff --git a/src/api2/config/access/ad.rs b/src/api2/config/access/ad.rs
index 4106e0f4..2afb16b8 100644
--- a/src/api2/config/access/ad.rs
+++ b/src/api2/config/access/ad.rs
@@ -91,6 +91,10 @@ pub async fn create_ad_realm(
         auth_helpers::store_ldap_bind_password(&config.realm, &password, &domain_config_lock)?;
     }
 
+    if let Some(true) = config.default {
+        domains::unset_default_realm(&mut domains)?;
+    }
+
     domains.set_data(&config.realm, "ad", &config)?;
 
     domains::save_config(&domains)?;
@@ -278,6 +282,13 @@ pub async fn update_ad_realm(
         }
     }
 
+    if let Some(true) = update.default {
+        domains::unset_default_realm(&mut domains)?;
+        config.default = Some(true);
+    } else {
+        config.default = None;
+    }
+
     if let Some(mode) = update.mode {
         config.mode = Some(mode);
     }
diff --git a/src/api2/config/access/ldap.rs b/src/api2/config/access/ldap.rs
index 7dcf7990..6a93ece2 100644
--- a/src/api2/config/access/ldap.rs
+++ b/src/api2/config/access/ldap.rs
@@ -81,6 +81,10 @@ pub fn create_ldap_realm(config: LdapRealmConfig, password: Option<String>) -> R
         auth_helpers::store_ldap_bind_password(&config.realm, &password, &domain_config_lock)?;
     }
 
+    if let Some(true) = config.default {
+        domains::unset_default_realm(&mut domains)?;
+    }
+
     domains.set_data(&config.realm, "ldap", &config)?;
 
     domains::save_config(&domains)?;
@@ -317,6 +321,13 @@ pub fn update_ldap_realm(
         }
     }
 
+    if let Some(true) = update.default {
+        domains::unset_default_realm(&mut domains)?;
+        config.default = Some(true);
+    } else {
+        config.default = None;
+    }
+
     if let Some(mode) = update.mode {
         config.mode = Some(mode);
     }
diff --git a/src/api2/config/access/openid.rs b/src/api2/config/access/openid.rs
index 2fbcd1b1..5b767fcc 100644
--- a/src/api2/config/access/openid.rs
+++ b/src/api2/config/access/openid.rs
@@ -65,6 +65,10 @@ pub fn create_openid_realm(config: OpenIdRealmConfig) -> Result<(), Error> {
         param_bail!("realm", "realm '{}' already exists.", config.realm);
     }
 
+    if let Some(true) = config.default {
+        domains::unset_default_realm(&mut domains)?;
+    }
+
     domains.set_data(&config.realm, "openid", &config)?;
 
     domains::save_config(&domains)?;
@@ -247,6 +251,13 @@ pub fn update_openid_realm(
         }
     }
 
+    if let Some(true) = update.default {
+        domains::unset_default_realm(&mut domains)?;
+        config.default = Some(true);
+    } else {
+        config.default = None;
+    }
+
     if let Some(issuer_url) = update.issuer_url {
         config.issuer_url = issuer_url;
     }
-- 
2.48.1



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel

[pbs-devel] [PATCH proxmox-backup v5 05/11] config: use new dedicated PAM and PBS realm types

[Christoph Heiss]

Currently, the built-in PAM and PBS authentication realms are (hackily)
hardcoded. Replace that with the new, proper API types for these two
realms, thus treating them like any other authentication realm.

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v4 -> v5:
  * no changes

Changes v3 -> v4:
  * no changes

Changes v2 -> v3:
  * no changes

Changes v1 -> v2:
  * use `Default` implementation instead of hardcoding default values

 pbs-config/src/domains.rs     | 21 +++++++++++++++++++--
 src/api2/access/domain.rs     | 13 -------------
 src/bin/proxmox-backup-api.rs |  1 +
 src/config/mod.rs             | 25 +++++++++++++++++++++++++
 4 files changed, 45 insertions(+), 15 deletions(-)

diff --git a/pbs-config/src/domains.rs b/pbs-config/src/domains.rs
index d94d54a8..4ed3ec83 100644
--- a/pbs-config/src/domains.rs
+++ b/pbs-config/src/domains.rs
@@ -8,17 +8,34 @@ use proxmox_schema::{ApiType, ObjectSchema};
 use proxmox_section_config::{SectionConfig, SectionConfigData, SectionConfigPlugin};
 
 use crate::{open_backup_lockfile, replace_backup_config, BackupLockGuard};
-use pbs_api_types::{AdRealmConfig, LdapRealmConfig, OpenIdRealmConfig, REALM_ID_SCHEMA};
+use pbs_api_types::{
+    AdRealmConfig, LdapRealmConfig, OpenIdRealmConfig, PamRealmConfig, PbsRealmConfig,
+    REALM_ID_SCHEMA,
+};
 
 pub static CONFIG: LazyLock<SectionConfig> = LazyLock::new(init);
 
 fn init() -> SectionConfig {
+    const PAM_SCHEMA: &ObjectSchema = PamRealmConfig::API_SCHEMA.unwrap_object_schema();
+    const PBS_SCHEMA: &ObjectSchema = PbsRealmConfig::API_SCHEMA.unwrap_object_schema();
     const AD_SCHEMA: &ObjectSchema = AdRealmConfig::API_SCHEMA.unwrap_object_schema();
     const LDAP_SCHEMA: &ObjectSchema = LdapRealmConfig::API_SCHEMA.unwrap_object_schema();
     const OPENID_SCHEMA: &ObjectSchema = OpenIdRealmConfig::API_SCHEMA.unwrap_object_schema();
 
     let mut config = SectionConfig::new(&REALM_ID_SCHEMA);
 
+    config.register_plugin(SectionConfigPlugin::new(
+        "pam".to_owned(),
+        Some("realm".to_owned()),
+        PAM_SCHEMA,
+    ));
+
+    config.register_plugin(SectionConfigPlugin::new(
+        "pbs".to_owned(),
+        Some("realm".to_owned()),
+        PBS_SCHEMA,
+    ));
+
     let plugin = SectionConfigPlugin::new(
         "openid".to_string(),
         Some(String::from("realm")),
@@ -78,7 +95,7 @@ pub fn unset_default_realm(config: &mut SectionConfigData) -> Result<(), Error>
 
 /// Check if a realm with the given name exists
 pub fn exists(domains: &SectionConfigData, realm: &str) -> bool {
-    realm == "pbs" || realm == "pam" || domains.sections.contains_key(realm)
+    domains.sections.contains_key(realm)
 }
 
 // shell completion helper
diff --git a/src/api2/access/domain.rs b/src/api2/access/domain.rs
index 8f8eebda..cede714a 100644
--- a/src/api2/access/domain.rs
+++ b/src/api2/access/domain.rs
@@ -29,19 +29,6 @@ use crate::server::jobstate::Job;
 /// Authentication domain/realm index.
 fn list_domains(rpcenv: &mut dyn RpcEnvironment) -> Result<Vec<BasicRealmInfo>, Error> {
     let mut list = Vec::new();
-
-    list.push(serde_json::from_value(json!({
-        "realm": "pam",
-        "type": "pam",
-        "comment": "Linux PAM standard authentication",
-        "default": Some(true),
-    }))?);
-    list.push(serde_json::from_value(json!({
-        "realm": "pbs",
-        "type": "pbs",
-        "comment": "Proxmox Backup authentication server",
-    }))?);
-
     let (config, digest) = pbs_config::domains::config()?;
 
     for (_, (section_type, v)) in config.sections.iter() {
diff --git a/src/bin/proxmox-backup-api.rs b/src/bin/proxmox-backup-api.rs
index 7b418755..b1abf99c 100644
--- a/src/bin/proxmox-backup-api.rs
+++ b/src/bin/proxmox-backup-api.rs
@@ -48,6 +48,7 @@ async fn run() -> Result<(), Error> {
     config::create_configdir()?;
 
     config::update_self_signed_cert(false)?;
+    config::update_default_realms()?;
 
     proxmox_backup::server::create_run_dir()?;
     proxmox_backup::server::create_state_dir()?;
diff --git a/src/config/mod.rs b/src/config/mod.rs
index 324fabca..0deb1271 100644
--- a/src/config/mod.rs
+++ b/src/config/mod.rs
@@ -12,6 +12,7 @@ use std::path::Path;
 
 use proxmox_lang::try_block;
 
+use pbs_api_types::{PamRealmConfig, PbsRealmConfig};
 use pbs_buildcfg::{self, configdir};
 
 pub mod acme;
@@ -194,3 +195,27 @@ pub(crate) fn set_proxy_certificate(cert_pem: &[u8], key_pem: &[u8]) -> Result<(
 
     Ok(())
 }
+
+pub fn update_default_realms() -> Result<(), Error> {
+    let _lock = pbs_config::domains::lock_config()?;
+    let (mut domains, _) = pbs_config::domains::config()?;
+
+    if !pbs_config::domains::exists(&domains, "pam") {
+        domains.set_data(
+            "pam",
+            "pam",
+            PamRealmConfig {
+                // Setting it as default here is safe, because if we perform this
+                // migration, the user had not had any chance to set a custom default anyway.
+                default: Some(true),
+                ..Default::default()
+            },
+        )?;
+    }
+
+    if !pbs_config::domains::exists(&domains, "pbs") {
+        domains.set_data("pbs", "pbs", PbsRealmConfig::default())?;
+    }
+
+    pbs_config::domains::save_config(&domains)
+}
-- 
2.48.1



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel

[pbs-devel] [PATCH proxmox-backup v5 06/11] api2: access: add update support for built-in PAM realm

[Christoph Heiss]

For the built-in PAM authentication realm, the comment and whether it
should be the default login realm can be updated. Add the required API
plumbing for it.

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v4 -> v5:
  * no changes

Changes v3 -> v4:
  * no changes

Changes v2 -> v3:
  * no changes

Changes v1 -> v2:
  * no changes

 src/api2/config/access/mod.rs |   2 +
 src/api2/config/access/pam.rs | 130 ++++++++++++++++++++++++++++++++++
 2 files changed, 132 insertions(+)
 create mode 100644 src/api2/config/access/pam.rs

diff --git a/src/api2/config/access/mod.rs b/src/api2/config/access/mod.rs
index b551e662..36ecd005 100644
--- a/src/api2/config/access/mod.rs
+++ b/src/api2/config/access/mod.rs
@@ -5,10 +5,12 @@ use proxmox_sortable_macro::sortable;
 pub mod ad;
 pub mod ldap;
 pub mod openid;
+pub mod pam;
 pub mod tfa;
 
 #[sortable]
 const SUBDIRS: SubdirMap = &sorted!([
+    ("pam", &pam::ROUTER),
     ("ad", &ad::ROUTER),
     ("ldap", &ldap::ROUTER),
     ("openid", &openid::ROUTER),
diff --git a/src/api2/config/access/pam.rs b/src/api2/config/access/pam.rs
new file mode 100644
index 00000000..04ae616b
--- /dev/null
+++ b/src/api2/config/access/pam.rs
@@ -0,0 +1,130 @@
+use ::serde::{Deserialize, Serialize};
+use anyhow::Error;
+use hex::FromHex;
+
+use proxmox_router::{Permission, Router, RpcEnvironment};
+use proxmox_schema::api;
+
+use pbs_api_types::{
+    PamRealmConfig, PamRealmConfigUpdater, PRIV_REALM_ALLOCATE, PRIV_SYS_AUDIT,
+    PROXMOX_CONFIG_DIGEST_SCHEMA,
+};
+
+use pbs_config::domains;
+
+#[api(
+    returns: {
+        type: PamRealmConfig,
+    },
+    access: {
+        permission: &Permission::Privilege(&["access", "domains"], PRIV_SYS_AUDIT, false),
+    },
+)]
+/// Read the PAM realm configuration
+pub fn read_pam_realm(rpcenv: &mut dyn RpcEnvironment) -> Result<PamRealmConfig, Error> {
+    let (domains, digest) = domains::config()?;
+
+    let config = domains.lookup("pam", "pam")?;
+
+    rpcenv["digest"] = hex::encode(digest).into();
+
+    Ok(config)
+}
+
+#[api]
+#[derive(Serialize, Deserialize)]
+#[serde(rename_all = "kebab-case")]
+/// Deletable property name
+pub enum DeletableProperty {
+    /// Delete the comment property.
+    Comment,
+    /// Delete the default property.
+    Default,
+}
+
+#[api(
+    protected: true,
+    input: {
+        properties: {
+            update: {
+                type: PamRealmConfigUpdater,
+                flatten: true,
+            },
+            delete: {
+                description: "List of properties to delete.",
+                type: Array,
+                optional: true,
+                items: {
+                    type: DeletableProperty,
+                }
+            },
+            digest: {
+                optional: true,
+                schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
+            },
+        },
+    },
+    returns: {
+        type: PamRealmConfig,
+    },
+    access: {
+        permission: &Permission::Privilege(&["access", "domains"], PRIV_REALM_ALLOCATE, false),
+    },
+)]
+/// Update the PAM realm configuration
+pub fn update_pam_realm(
+    update: PamRealmConfigUpdater,
+    delete: Option<Vec<DeletableProperty>>,
+    digest: Option<String>,
+    _rpcenv: &mut dyn RpcEnvironment,
+) -> Result<(), Error> {
+    let _lock = domains::lock_config()?;
+
+    let (mut domains, expected_digest) = domains::config()?;
+
+    if let Some(ref digest) = digest {
+        let digest = <[u8; 32]>::from_hex(digest)?;
+        crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
+    }
+
+    let mut config: PamRealmConfig = domains.lookup("pam", "pam")?;
+
+    if let Some(delete) = delete {
+        for delete_prop in delete {
+            match delete_prop {
+                DeletableProperty::Comment => {
+                    config.comment = None;
+                }
+                DeletableProperty::Default => {
+                    config.default = None;
+                }
+            }
+        }
+    }
+
+    if let Some(comment) = update.comment {
+        let comment = comment.trim().to_string();
+        if comment.is_empty() {
+            config.comment = None;
+        } else {
+            config.comment = Some(comment);
+        }
+    }
+
+    if let Some(true) = update.default {
+        pbs_config::domains::unset_default_realm(&mut domains)?;
+        config.default = Some(true);
+    } else {
+        config.default = None;
+    }
+
+    domains.set_data("pam", "pam", &config)?;
+
+    domains::save_config(&domains)?;
+
+    Ok(())
+}
+
+pub const ROUTER: Router = Router::new()
+    .get(&API_METHOD_READ_PAM_REALM)
+    .put(&API_METHOD_UPDATE_PAM_REALM);
-- 
2.48.1



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel

[pbs-devel] [PATCH proxmox-backup v5 07/11] api2: access: add update support for built-in PBS realm

[Christoph Heiss]

For the built-in PBS authentication realm, the comment and whether it
should be the default login realm can be updated. Add the required API
plumbing for it.

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v4 -> v5:
  * no changes

Changes v3 -> v4:
  * no changes

Changes v2 -> v3:
  * no changes

Changes v1 -> v2:
  * no changes

 src/api2/config/access/mod.rs |   2 +
 src/api2/config/access/pbs.rs | 130 ++++++++++++++++++++++++++++++++++
 2 files changed, 132 insertions(+)
 create mode 100644 src/api2/config/access/pbs.rs

diff --git a/src/api2/config/access/mod.rs b/src/api2/config/access/mod.rs
index 36ecd005..1e6070c7 100644
--- a/src/api2/config/access/mod.rs
+++ b/src/api2/config/access/mod.rs
@@ -6,11 +6,13 @@ pub mod ad;
 pub mod ldap;
 pub mod openid;
 pub mod pam;
+pub mod pbs;
 pub mod tfa;
 
 #[sortable]
 const SUBDIRS: SubdirMap = &sorted!([
     ("pam", &pam::ROUTER),
+    ("pbs", &pbs::ROUTER),
     ("ad", &ad::ROUTER),
     ("ldap", &ldap::ROUTER),
     ("openid", &openid::ROUTER),
diff --git a/src/api2/config/access/pbs.rs b/src/api2/config/access/pbs.rs
new file mode 100644
index 00000000..2873eabb
--- /dev/null
+++ b/src/api2/config/access/pbs.rs
@@ -0,0 +1,130 @@
+use ::serde::{Deserialize, Serialize};
+use anyhow::Error;
+use hex::FromHex;
+
+use proxmox_router::{Permission, Router, RpcEnvironment};
+use proxmox_schema::api;
+
+use pbs_api_types::{
+    PbsRealmConfig, PbsRealmConfigUpdater, PRIV_REALM_ALLOCATE, PRIV_SYS_AUDIT,
+    PROXMOX_CONFIG_DIGEST_SCHEMA,
+};
+
+use pbs_config::domains;
+
+#[api(
+    returns: {
+        type: PbsRealmConfig,
+    },
+    access: {
+        permission: &Permission::Privilege(&["access", "domains"], PRIV_SYS_AUDIT, false),
+    },
+)]
+/// Read the Proxmox Backup authentication server realm configuration
+pub fn read_pbs_realm(rpcenv: &mut dyn RpcEnvironment) -> Result<PbsRealmConfig, Error> {
+    let (domains, digest) = domains::config()?;
+
+    let config = domains.lookup("pbs", "pbs")?;
+
+    rpcenv["digest"] = hex::encode(digest).into();
+
+    Ok(config)
+}
+
+#[api]
+#[derive(Serialize, Deserialize)]
+#[serde(rename_all = "kebab-case")]
+/// Deletable property name
+pub enum DeletableProperty {
+    /// Delete the comment property.
+    Comment,
+    /// Delete the default property.
+    Default,
+}
+
+#[api(
+    protected: true,
+    input: {
+        properties: {
+            update: {
+                type: PbsRealmConfigUpdater,
+                flatten: true,
+            },
+            delete: {
+                description: "List of properties to delete.",
+                type: Array,
+                optional: true,
+                items: {
+                    type: DeletableProperty,
+                }
+            },
+            digest: {
+                optional: true,
+                schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
+            },
+        },
+    },
+    returns: {
+        type: PbsRealmConfig,
+    },
+    access: {
+        permission: &Permission::Privilege(&["access", "domains"], PRIV_REALM_ALLOCATE, false),
+    },
+)]
+/// Update the Proxmox Backup authentication server realm configuration
+pub fn update_pbs_realm(
+    update: PbsRealmConfigUpdater,
+    delete: Option<Vec<DeletableProperty>>,
+    digest: Option<String>,
+    _rpcenv: &mut dyn RpcEnvironment,
+) -> Result<(), Error> {
+    let _lock = domains::lock_config()?;
+
+    let (mut domains, expected_digest) = domains::config()?;
+
+    if let Some(ref digest) = digest {
+        let digest = <[u8; 32]>::from_hex(digest)?;
+        crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
+    }
+
+    let mut config: PbsRealmConfig = domains.lookup("pbs", "pbs")?;
+
+    if let Some(delete) = delete {
+        for delete_prop in delete {
+            match delete_prop {
+                DeletableProperty::Comment => {
+                    config.comment = None;
+                }
+                DeletableProperty::Default => {
+                    config.default = None;
+                }
+            }
+        }
+    }
+
+    if let Some(comment) = update.comment {
+        let comment = comment.trim().to_string();
+        if comment.is_empty() {
+            config.comment = None;
+        } else {
+            config.comment = Some(comment);
+        }
+    }
+
+    if let Some(true) = update.default {
+        pbs_config::domains::unset_default_realm(&mut domains)?;
+        config.default = Some(true);
+    } else {
+        config.default = None;
+    }
+
+    domains.set_data("pbs", "pbs", &config)?;
+
+    domains::save_config(&domains)?;
+
+    Ok(())
+}
+
+pub const ROUTER: Router = Router::new()
+    .get(&API_METHOD_READ_PBS_REALM)
+    .put(&API_METHOD_UPDATE_PBS_REALM);
-- 
2.48.1



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel

[pbs-devel] [PATCH proxmox-backup v5 08/11] www: AccessControl: make `useTypeInUrl` property per-realm

[Christoph Heiss]

The built-in PAM and PBS use slightly different API paths, without the
type in the URL, as that would be redundant anyway. Thus move the
setting to per-realm.

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v4 -> v5:
  * no changes

Changes v3 -> v4:
  * no changes

Changes v2 -> v3:
  * no changes

Changes v1 -> v2:
  * no changes

 www/Utils.js               | 1 +
 www/panel/AccessControl.js | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/Utils.js b/www/Utils.js
index 2746ef0b..2a7d9b63 100644
--- a/www/Utils.js
+++ b/www/Utils.js
@@ -461,6 +461,7 @@ Ext.define('PBS.Utils', {
 		edit: false,
 		pwchange: true,
 		sync: false,
+		useTypeInUrl: false,
 	    },
 	});
 
diff --git a/www/panel/AccessControl.js b/www/panel/AccessControl.js
index d10d0891..4910510e 100644
--- a/www/panel/AccessControl.js
+++ b/www/panel/AccessControl.js
@@ -40,7 +40,6 @@ Ext.define('PBS.AccessControlPanel', {
 	{
 	    xtype: 'pmxAuthView',
 	    baseUrl: '/config/access',
-	    useTypeInUrl: true,
 	    title: gettext('Realms'),
 	    itemId: 'domains',
 	    iconCls: 'fa fa-address-book-o',
-- 
2.48.1



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel

[pbs-devel] [PATCH proxmox-backup v5 09/11] www: AccessControl: enable default realm checkbox for all realms

[Christoph Heiss]

This uses the functionality previously introduced in
proxmox-widget-toolkit as part of this series, which is gated behind
this flag.

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v4 -> v5:
  * new patch

 www/panel/AccessControl.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/www/panel/AccessControl.js b/www/panel/AccessControl.js
index 4910510e..c499d4b5 100644
--- a/www/panel/AccessControl.js
+++ b/www/panel/AccessControl.js
@@ -43,6 +43,7 @@ Ext.define('PBS.AccessControlPanel', {
 	    title: gettext('Realms'),
 	    itemId: 'domains',
 	    iconCls: 'fa fa-address-book-o',
+	    showDefaultRealm: true,
 	},
     ],
 
-- 
2.48.1



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel

[pbs-devel] [PATCH proxmox-backup v5 10/11] www: utils: make built-in PBS realm editable using new AuthSimplePanel

[Christoph Heiss]

The comment & default property can be updated for the built-in PBS
realm, which the AuthSimplePanel from proxmox-widget-toolkit implements.

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v4 -> v5:
  * no changes

Changes v3 -> v4:
  * no changes

Changes v2 -> v3:
  * no changes

Changes v1 -> v2:
  * no changes

 www/Utils.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/www/Utils.js b/www/Utils.js
index 2a7d9b63..6e07db11 100644
--- a/www/Utils.js
+++ b/www/Utils.js
@@ -457,8 +457,9 @@ Ext.define('PBS.Utils', {
 	Proxmox.Schema.overrideAuthDomains({
 	    pbs: {
 		name: 'Proxmox Backup authentication server',
+		ipanel: 'pmxAuthSimplePanel',
 		add: false,
-		edit: false,
+		edit: true,
 		pwchange: true,
 		sync: false,
 		useTypeInUrl: false,
-- 
2.48.1



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel

[pbs-devel] [PATCH proxmox-backup v5 11/11] docs: user-management: document `pam` and `pbs` authentication realm

[Christoph Heiss]

Mostly taken from pve-docs and adapted as needed.

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v4 -> v5:
  * no changes

Changes v3 -> v4:
  * new patch

 docs/user-management.rst | 30 ++++++++++++++++++++++++++++--
 www/OnlineHelpInfo.js    |  8 ++++++++
 www/Utils.js             |  1 +
 3 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/docs/user-management.rst b/docs/user-management.rst
index c670cbf6..17ef6f75 100644
--- a/docs/user-management.rst
+++ b/docs/user-management.rst
@@ -16,8 +16,8 @@ User Configuration
 choose the realm when you add a new user. Possible realms are:
 
 :pam: Linux PAM standard authentication. Use this if you want to
-      authenticate as a Linux system user (users need to exist on the
-      system).
+      authenticate as a Linux system user. The users needs to already exist on
+      the host system.
 
 :pbs: Proxmox Backup Server realm. This type stores hashed passwords in
       ``/etc/proxmox-backup/shadow.json``.
@@ -599,6 +599,32 @@ list view in the web UI, or using the command line:
 Authentication Realms
 ---------------------
 
+.. _user_realms_pam:
+
+Linux PAM
+~~~~~~~~~
+
+Linux PAM is a framework for system-wide user authentication. These users are
+created on the host system with commands such as ``adduser``.
+
+If PAM users exist on the host system, corresponding entries can be added to
+Proxmox Backup Server, to allow these users to log in via their system username
+and password.
+
+.. _user_realms_pbs:
+
+Proxmox Backup authentication server
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This is a Unix-like password store, which stores hashed passwords in
+``/etc/proxmox-backup/shadow.json``. Passwords are hashed using the SHA-256
+hashing algorithm.
+
+This is the most convenient realm for small-scale (or even mid-scale)
+installations, where users do not need access to anything outside of Proxmox
+Backup Server. In this case, users are fully managed by Proxmox Backup Server
+and are able to change their own passwords via the GUI.
+
 .. _user_realms_ldap:
 
 LDAP
diff --git a/www/OnlineHelpInfo.js b/www/OnlineHelpInfo.js
index ebb524e4..175c230f 100644
--- a/www/OnlineHelpInfo.js
+++ b/www/OnlineHelpInfo.js
@@ -479,6 +479,14 @@ const proxmoxOnlineHelpInfo = {
     "link": "/docs/user-management.html#user-tfa-lockout",
     "title": "Limits and Lockout of Two-Factor Authentication"
   },
+  "user-realms-pam": {
+    "link": "/docs/user-management.html#user-realms-pam",
+    "title": "Linux PAM"
+  },
+  "user-realms-pbs": {
+    "link": "/docs/user-management.html#user-realms-pbs",
+    "title": "Proxmox Backup authentication server"
+  },
   "user-realms-ldap": {
     "link": "/docs/user-management.html#user-realms-ldap",
     "title": "LDAP"
diff --git a/www/Utils.js b/www/Utils.js
index 6e07db11..1bb08380 100644
--- a/www/Utils.js
+++ b/www/Utils.js
@@ -458,6 +458,7 @@ Ext.define('PBS.Utils', {
 	    pbs: {
 		name: 'Proxmox Backup authentication server',
 		ipanel: 'pmxAuthSimplePanel',
+		onlineHelp: 'user-realms-pbs',
 		add: false,
 		edit: true,
 		pwchange: true,
-- 
2.48.1



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel

Re: [pbs-devel] [PATCH proxmox v5 1/2] fix #5379: api-types: add `default` field for all realm types

[Shannon Sterz]

On Fri Mar 21, 2025 at 2:45 PM CET, Christoph Heiss wrote:
> The field indicates whether the realm should be the default realm to
> select in the login dialog.
>
> Per definition, the field should only ever be set to `true` on exactly
> one realm - up to the consumer/storage to ensure that.
>
> Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
> ---
> Changes v4 -> v5:
>   * rebased to `proxmox` repo
>   * added "default" api type definition for `BasicRealmInfo`
>
>  pbs-api-types/src/ad.rs     | 7 +++++++
>  pbs-api-types/src/ldap.rs   | 7 +++++++
>  pbs-api-types/src/lib.rs    | 7 +++++++
>  pbs-api-types/src/openid.rs | 7 +++++++
>  4 files changed, 28 insertions(+)
>
> diff --git a/pbs-api-types/src/ad.rs b/pbs-api-types/src/ad.rs
> index 910571a0..5c236325 100644
> --- a/pbs-api-types/src/ad.rs
> +++ b/pbs-api-types/src/ad.rs
> @@ -16,6 +16,10 @@ use super::{
>              optional: true,
>              schema: SINGLE_LINE_COMMENT_SCHEMA,
>          },
> +        "default": {
> +            optional: true,
> +            default: false,
> +        },
>          "verify": {
>              optional: true,
>              default: false,
> @@ -64,6 +68,9 @@ pub struct AdRealmConfig {
>      /// Comment
>      #[serde(skip_serializing_if = "Option::is_none")]
>      pub comment: Option<String>,
> +    /// True if it should be the default realm to login in

tiniest of nit: "realm to login in" sounds wrong. I think you could just
remove everything after realm.

> +    #[serde(skip_serializing_if = "Option::is_none")]
> +    pub default: Option<bool>,
>      /// Connection security
>      #[serde(skip_serializing_if = "Option::is_none")]
>      pub mode: Option<LdapMode>,
> diff --git a/pbs-api-types/src/ldap.rs b/pbs-api-types/src/ldap.rs
> index a3e0407b..79735d93 100644
> --- a/pbs-api-types/src/ldap.rs
> +++ b/pbs-api-types/src/ldap.rs
> @@ -29,6 +29,10 @@ pub enum LdapMode {
>              optional: true,
>              schema: SINGLE_LINE_COMMENT_SCHEMA,
>          },
> +        "default": {
> +            optional: true,
> +            default: false,
> +        },
>          "verify": {
>              optional: true,
>              default: false,
> @@ -75,6 +79,9 @@ pub struct LdapRealmConfig {
>      /// Comment
>      #[serde(skip_serializing_if = "Option::is_none")]
>      pub comment: Option<String>,
> +    /// True if it should be the default realm to login in
> +    #[serde(skip_serializing_if = "Option::is_none")]
> +    pub default: Option<bool>,
>      /// Connection security
>      #[serde(skip_serializing_if = "Option::is_none")]
>      pub mode: Option<LdapMode>,
> diff --git a/pbs-api-types/src/lib.rs b/pbs-api-types/src/lib.rs
> index acc2fca3..e3896000 100644
> --- a/pbs-api-types/src/lib.rs
> +++ b/pbs-api-types/src/lib.rs
> @@ -356,18 +356,25 @@ serde_plain::derive_fromstr_from_deserialize!(RealmType);
>              optional: true,
>              schema: SINGLE_LINE_COMMENT_SCHEMA,
>          },
> +        "default": {
> +            optional: true,
> +            default: false,
> +        },
>      },
>  )]
>  #[derive(Deserialize, Serialize, Clone, PartialEq)]
>  #[serde(rename_all = "kebab-case")]
>  /// Basic Information about a realm
>  pub struct BasicRealmInfo {
> +    /// Realm name
>      pub realm: String,
> +    // Realm type

nit: this is not a doc-comment, just a regular one

>      #[serde(rename = "type")]
>      pub ty: RealmType,
>      /// True if it is the default realm
>      #[serde(skip_serializing_if = "Option::is_none")]
>      pub default: Option<bool>,
> +    /// Optional comment for this realm
>      #[serde(skip_serializing_if = "Option::is_none")]
>      pub comment: Option<String>,
>  }
> diff --git a/pbs-api-types/src/openid.rs b/pbs-api-types/src/openid.rs
> index 2c95c5c6..e8ec19d9 100644
> --- a/pbs-api-types/src/openid.rs
> +++ b/pbs-api-types/src/openid.rs
> @@ -80,6 +80,10 @@ pub const OPENID_USERNAME_CLAIM_SCHEMA: Schema = StringSchema::new(
>              optional: true,
>              schema: SINGLE_LINE_COMMENT_SCHEMA,
>          },
> +        "default": {
> +            optional: true,
> +            default: false,
> +        },
>          autocreate: {
>              optional: true,
>              default: false,
> @@ -111,6 +115,9 @@ pub struct OpenIdRealmConfig {
>      pub client_key: Option<String>,
>      #[serde(skip_serializing_if = "Option::is_none")]
>      pub comment: Option<String>,
> +    /// True if it should be the default realm to login in
> +    #[serde(skip_serializing_if = "Option::is_none")]
> +    pub default: Option<bool>,
>      /// Automatically create users if they do not exist.
>      #[serde(skip_serializing_if = "Option::is_none")]
>      pub autocreate: Option<bool>,



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel

Re: [pbs-devel] [PATCH proxmox v5 1/2] fix #5379: api-types: add `default` field for all realm types

[Christoph Heiss]

Both good catches, thanks!
I'll fix them up for the next revision.

On Fri Mar 21, 2025 at 5:04 PM CET, Shannon Sterz wrote:
> On Fri Mar 21, 2025 at 2:45 PM CET, Christoph Heiss wrote:
[..]
>> diff --git a/pbs-api-types/src/ad.rs b/pbs-api-types/src/ad.rs
>> index 910571a0..5c236325 100644
>> --- a/pbs-api-types/src/ad.rs
>> +++ b/pbs-api-types/src/ad.rs
>> @@ -64,6 +68,9 @@ pub struct AdRealmConfig {
>>      /// Comment
>>      #[serde(skip_serializing_if = "Option::is_none")]
>>      pub comment: Option<String>,
>> +    /// True if it should be the default realm to login in
>
> tiniest of nit: "realm to login in" sounds wrong. I think you could just
> remove everything after realm.

Yeah, sounds good, I'll change it to that!

>
>> +    #[serde(skip_serializing_if = "Option::is_none")]
>> +    pub default: Option<bool>,
>>      /// Connection security
>>      #[serde(skip_serializing_if = "Option::is_none")]
>>      pub mode: Option<LdapMode>,
[..]
>> diff --git a/pbs-api-types/src/lib.rs b/pbs-api-types/src/lib.rs
>> index acc2fca3..e3896000 100644
>> --- a/pbs-api-types/src/lib.rs
>> +++ b/pbs-api-types/src/lib.rs
[..]
>>  #[derive(Deserialize, Serialize, Clone, PartialEq)]
>>  #[serde(rename_all = "kebab-case")]
>>  /// Basic Information about a realm
>>  pub struct BasicRealmInfo {
>> +    /// Realm name
>>      pub realm: String,
>> +    // Realm type
>
> nit: this is not a doc-comment, just a regular one
>
>>      #[serde(rename = "type")]
>>      pub ty: RealmType,
>>      /// True if it is the default realm
>>      #[serde(skip_serializing_if = "Option::is_none")]
>>      pub default: Option<bool>,
>> +    /// Optional comment for this realm
>>      #[serde(skip_serializing_if = "Option::is_none")]
>>      pub comment: Option<String>,
>>  }


_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel

Re: [pbs-devel] [PATCH proxmox{, -backup} v5 00/11] fix #5379: introduce default auth realm option

[Lukas Wagner]

On  2025-03-21 14:45, Christoph Heiss wrote:
> Fixes #5379 [0].
> 
> First, it adds an updatable `default` field to all existing editable
> realms. Then it converts the PAM and PBS built-in realms to proper
> realms, instead of being hard-coded in-between somewhere. 
> In turns this enables editing of these realms, allowing setting whether
> these realms should be the default for login or not.
> 
> For patch #3 onwards, proxmox-backup needs patches #1 & #2 applied to
> pbs-api-types and a bump thereof.
> 
> The proxmox-widget-toolkit parts have already been applied [1] and
> proxmox-backup also pulls in the required version (introduced with pwt
> 4.3.1, proxmox-backup pulls in >= 4.3.3).
> 
> W.r.t. the inconsistency as discovered/discussed in [2], the (current)
> behaviour is not changed in this series. Since both PVE and PBS use the
> same realm login dialog from proxmox-widget-toolkit, I'd rather fix it
> separately -- to avoid blocking this series on a completely separate
> issue, which might still need some discussing.
> 
> [0] https://bugzilla.proxmox.com/show_bug.cgi?id=5379
> [1] https://lore.proxmox.com/pbs-devel/d56c6e30-61d7-452b-afaa-5215d8538b4e@proxmox.com/#t
> [2] https://lists.proxmox.com/pipermail/pbs-devel/2024-August/010429.html
> 

Gave this a quick test on the lastest master branches. Setting a default realm
works as expected. The statefulness of the login window even if a default
is configured [your 2] still feels odd to me, but as you have said, this is consistent with
PVE and can be changed in a separate series, if we decide that we want that.

Only skimmed over the code since I already did a review of v1;
looks good to me so far. The nits that Shannon raised can be fixed in v6 or in a followup.

Reviewed-by: Lukas Wagner <l.wagner@proxmox.com>
Tested-by: Lukas Wagner <l.wagner@proxmox.com>

-- 
- Lukas



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel

[pbs-devel] applied-series: [PATCH proxmox{, -backup} v5 00/11] fix #5379: introduce default auth realm option

[Thomas Lamprecht]

Am 21.03.25 um 14:45 schrieb Christoph Heiss:
> Diffstat
> ========
> 
> proxmox:
> 
> Christoph Heiss (2):
>   fix #5379: api-types: add `default` field for all realm types
>   api-types: introduce proper types for PAM and PBS realms
> 
>  pbs-api-types/src/ad.rs     |   7 +++
>  pbs-api-types/src/ldap.rs   |   7 +++
>  pbs-api-types/src/lib.rs    | 120 +++++++++++++++++++++++++++++++++++-
>  pbs-api-types/src/openid.rs |   7 +++
>  4 files changed, 140 insertions(+), 1 deletion(-)
> 
> proxmox-backup:
> 
> Christoph Heiss (9):
>   fix #5379: api2: access: add `default` property for all realm types
>   fix #5379: api2: access: set default realm accordingly on individual
>     update
>   config: use new dedicated PAM and PBS realm types
>   api2: access: add update support for built-in PAM realm
>   api2: access: add update support for built-in PBS realm
>   www: AccessControl: make `useTypeInUrl` property per-realm
>   www: AccessControl: enable default realm checkbox for all realms
>   www: utils: make built-in PBS realm editable using new AuthSimplePanel
>   docs: user-management: document `pam` and `pbs` authentication realm
> 
>  docs/user-management.rst         |  30 ++++++-
>  pbs-config/src/domains.rs        |  36 ++++++++-
>  src/api2/access/domain.rs        |  13 ----
>  src/api2/config/access/ad.rs     |  16 ++++
>  src/api2/config/access/ldap.rs   |  16 ++++
>  src/api2/config/access/mod.rs    |   4 +
>  src/api2/config/access/openid.rs |  16 ++++
>  src/api2/config/access/pam.rs    | 130 +++++++++++++++++++++++++++++++
>  src/api2/config/access/pbs.rs    | 130 +++++++++++++++++++++++++++++++
>  src/bin/proxmox-backup-api.rs    |   1 +
>  src/config/mod.rs                |  25 ++++++
>  www/OnlineHelpInfo.js            |   8 ++
>  www/Utils.js                     |   5 +-
>  www/panel/AccessControl.js       |   2 +-
>  14 files changed, 413 insertions(+), 19 deletions(-)
>  create mode 100644 src/api2/config/access/pam.rs
>  create mode 100644 src/api2/config/access/pbs.rs
> 


applied, with Shannon comment addressed albeit I used slightly different
wording, also so small style/consistency nits in the commit subjects
adapted, thanks!


_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel