From: Dietmar Maurer <dietmar@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATH proxmox-backup v1 12/12] implement openid user-attr configuration
Date: Tue, 22 Jun 2021 10:56:20 +0200 [thread overview]
Message-ID: <20210622085620.1551677-13-dietmar@proxmox.com> (raw)
In-Reply-To: <20210622085620.1551677-1-dietmar@proxmox.com>
---
src/api2/access.rs | 25 +++++++++++++++++++------
src/config/domains.rs | 22 ++++++++++++++++++++++
2 files changed, 41 insertions(+), 6 deletions(-)
diff --git a/src/api2/access.rs b/src/api2/access.rs
index 115779f3..6872b0db 100644
--- a/src/api2/access.rs
+++ b/src/api2/access.rs
@@ -19,7 +19,7 @@ use crate::api2::types::*;
use crate::auth_helpers::*;
use crate::server::ticket::ApiTicket;
use crate::tools::ticket::{self, Empty, Ticket};
-use crate::config::domains::{OPENID_STATE_DIR, OpenIdRealmConfig};)
+use crate::config::domains::{OPENID_STATE_DIR, OpenIdUserAttribute, OpenIdRealmConfig};
use crate::config::acl as acl_config;
use crate::config::acl::{PRIVILEGES, PRIV_PERMISSIONS_MODIFY, PRIV_SYS_AUDIT};
@@ -294,15 +294,28 @@ pub fn openid_login(
let (domains, _digest) = crate::config::domains::config()?;
let config: OpenIdRealmConfig = domains.lookup("openid", &realm)?;
-
+
let open_id = config.authenticator(&redirect_url)?;
let info = open_id.verify_authorization_code(&code, &private_auth_state)?;
// eprintln!("VERIFIED {} {:?} {:?}", info.subject().as_str(), info.name(), info.email());
- // fixme: allow to use other attributes
- let unique_name = info.subject().as_str();
+ let unique_name = match config.user_attr {
+ None | Some(OpenIdUserAttribute::Subject) => info.subject().as_str(),
+ Some(OpenIdUserAttribute::Username) => {
+ match info.preferred_username() {
+ Some(name) => name.as_str(),
+ None => bail!("missing claim 'preferred_name'"),
+ }
+ }
+ Some(OpenIdUserAttribute::Email) => {
+ match info.email() {
+ Some(name) => name.as_str(),
+ None => bail!("missing claim 'email'"),
+ }
+ }
+ };
let user_id = Userid::try_from(format!("{}@{}", unique_name, realm))?;
@@ -338,7 +351,7 @@ pub fn openid_login(
crate::server::rest::auth_logger()?
.log(format!("successful auth for user '{}'", user_id));
-
+
Ok(json!({
"username": user_id,
"ticket": ticket,
@@ -446,7 +459,7 @@ pub fn list_permissions(
let auth_id = match auth_id {
Some(auth_id) if auth_id == current_auth_id => current_auth_id,
Some(auth_id) => {
- if user_privs & PRIV_SYS_AUDIT != 0
+ if user_privs & PRIV_SYS_AUDIT != 0
|| (auth_id.is_token()
&& !current_auth_id.is_token()
&& auth_id.user() == current_auth_id.user())
diff --git a/src/config/domains.rs b/src/config/domains.rs
index 7db1f0be..a975fed1 100644
--- a/src/config/domains.rs
+++ b/src/config/domains.rs
@@ -29,6 +29,22 @@ lazy_static! {
pub static ref CONFIG: SectionConfig = init();
}
+#[api()]
+#[derive(Eq, PartialEq, Debug, Serialize, Deserialize)]
+#[serde(rename_all = "lowercase")]
+/// Use the value of this attribute/claim as unique user name. It is
+/// up to the identity provider to guarantee the uniqueness. The
+/// OpenID specification only guarantees that Subject ('sub') is unique. Also
+/// make sure that the user is not allowed to change that attribute by
+/// himself!
+pub enum OpenIdUserAttribute {
+ /// Subject (OpenId 'sub' claim)
+ Subject,
+ /// Username (OpenId 'preferred_username' claim)
+ Username,
+ /// Email (OpenId 'email' claim)
+ Email,
+}
#[api(
properties: {
@@ -58,6 +74,10 @@ lazy_static! {
type: bool,
default: false,
},
+ "user-attr": {
+ type: OpenIdUserAttribute,
+ optional: true,
+ },
},
)]
#[derive(Serialize,Deserialize)]
@@ -73,6 +93,8 @@ pub struct OpenIdRealmConfig {
pub comment: Option<String>,
#[serde(skip_serializing_if="Option::is_none")]
pub autocreate: Option<bool>,
+ #[serde(skip_serializing_if="Option::is_none")]
+ pub user_attr: Option<OpenIdUserAttribute>,
}
impl OpenIdRealmConfig {
--
2.30.2
prev parent reply other threads:[~2021-06-22 8:56 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-22 8:56 [pbs-devel] [PATH proxmox-backup v1 00/12] OpenID connect realms Dietmar Maurer
2021-06-22 8:56 ` [pbs-devel] [PATH proxmox-backup v1 01/12] depend on openid-connect-rs Dietmar Maurer
2021-06-22 8:56 ` [pbs-devel] [PATH proxmox-backup v1 02/12] config: new domains.cfg to configure openid realm Dietmar Maurer
2021-06-22 8:56 ` [pbs-devel] [PATH proxmox-backup v1 03/12] check_acl_path: add /access/domains Dietmar Maurer
2021-06-22 8:56 ` [pbs-devel] [PATH proxmox-backup v1 04/12] add API to manage openid realms Dietmar Maurer
2021-06-22 8:56 ` [pbs-devel] [PATH proxmox-backup v1 05/12] cli: add CLI " Dietmar Maurer
2021-06-22 8:56 ` [pbs-devel] [PATH proxmox-backup v1 06/12] api: add openid redirect API Dietmar Maurer
2021-06-22 8:56 ` [pbs-devel] [PATH proxmox-backup v1 07/12] implement new helper is_active_user_id() Dietmar Maurer
2021-06-22 8:56 ` [pbs-devel] [PATH proxmox-backup v1 08/12] api: add openid-login endpoint Dietmar Maurer
2021-06-22 8:56 ` [pbs-devel] [PATH proxmox-backup v1 09/12] ui: implement OpenId login Dietmar Maurer
2021-06-22 8:56 ` [pbs-devel] [PATH proxmox-backup v1 10/12] cleanup user/token is_active() check Dietmar Maurer
2021-06-22 8:56 ` [pbs-devel] [PATH proxmox-backup v1 11/12] add openid autocreate account feature Dietmar Maurer
2021-06-22 8:56 ` Dietmar Maurer [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210622085620.1551677-13-dietmar@proxmox.com \
--to=dietmar@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox