[pbs-devel] [PATCH pve-access-control] openid: support scopes, prompt, ACRs and arbitrary username-claim values

public inbox for pbs-devel@lists.proxmox.com
 help / color / mirror / Atom feed

From: Dietmar Maurer <dietmar@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH pve-access-control] openid: support scopes, prompt, ACRs and arbitrary username-claim values
Date: Fri,  6 Aug 2021 13:57:39 +0200	[thread overview]
Message-ID: <20210806115744.1959420-4-dietmar@proxmox.com> (raw)
In-Reply-To: <20210806115744.1959420-1-dietmar@proxmox.com>

Depend on libpve-rs-perl (>= 0.3.0)
---
 debian/control         |  4 ++--
 src/PVE/API2/OpenId.pm | 30 ++++++++++++++++++---------
 src/PVE/Auth/OpenId.pm | 47 +++++++++++++++++++++++++++++++++++++++---
 3 files changed, 66 insertions(+), 15 deletions(-)

diff --git a/debian/control b/debian/control
index 3ef748b..3323d9b 100644
--- a/debian/control
+++ b/debian/control
@@ -10,7 +10,7 @@ Build-Depends: debhelper (>= 12~),
                lintian,
                perl,
                libpve-cluster-perl,
-	       libpve-rs-perl,
+	       libpve-rs-perl (>= 0.3.0),
                pve-cluster (>= 6.1-4),
                pve-doc-generator (>= 5.3-3),
 Standards-Version: 4.5.1
@@ -28,7 +28,7 @@ Depends: libauthen-pam-perl,
          libnet-ssleay-perl,
          libpve-common-perl (>= 6.0-18),
          libpve-cluster-perl,
-	 libpve-rs-perl,
+	 libpve-rs-perl (>= 0.3.0),
          libpve-u2f-server-perl (>= 1.0-2),
          libuuid-perl,
          pve-cluster (>= 6.1-4),
diff --git a/src/PVE/API2/OpenId.pm b/src/PVE/API2/OpenId.pm
index 22423ba..0357b65 100644
--- a/src/PVE/API2/OpenId.pm
+++ b/src/PVE/API2/OpenId.pm
@@ -35,8 +35,21 @@ my $lookup_openid_auth = sub {
 	issuer_url => $config->{'issuer-url'},
 	client_id => $config->{'client-id'},
 	client_key => $config->{'client-key'},
+	prompt => $config->{'prompt'},
     };
 
+    if (defined(my $value = $config->{'scopes'})) {
+	my $scopes = [PVE::Tools::split_list($value)];
+	$openid_config->{'scopes'} = $scopes;
+    } else {
+	$openid_config->{'scopes'} = ['email', 'profile'];
+    }
+
+    if (defined(my $value = $config->{'acr-values'})) {
+	my $list = [PVE::Tools::split_list($value)];
+	$openid_config->{'acr_values'} = $list;
+    }
+
     my $openid = PVE::RS::OpenId->discover($openid_config, $redirect_url);
     return ($config, $openid);
 };
@@ -163,18 +176,15 @@ __PACKAGE__->register_method ({
 
 	    my $unique_name = $subject; # default
 	    if (defined(my $user_attr = $config->{'username-claim'})) {
-		if ($user_attr eq 'subject') {
+
+		if (defined(my $value = $info->{$user_attr})) {
+		    $unique_name = $value;
+		} elsif ($user_attr == 'subject') {
 		    $unique_name = $subject;
-		} elsif ($user_attr eq 'username') {
-		    my $username = $info->{'preferred_username'};
-		    die "missing claim 'preferred_username'\n" if !defined($username);
-		    $unique_name =  $username;
-		} elsif ($user_attr eq 'email') {
-		    my $email = $info->{'email'};
-		    die "missing claim 'email'\n" if !defined($email);
-		    $unique_name = $email;
+		} elsif ($user_attr == 'username' && defined(my $name = $info->{'preferred_username'})) {
+		    $unique_name = $name;
 		} else {
-		    die "got unexpected value for 'username-claim': '${user_attr}'\n";
+		    die "mising claim '${user_attr}'\n";
 		}
 	    }
 
diff --git a/src/PVE/Auth/OpenId.pm b/src/PVE/Auth/OpenId.pm
index 515d2f4..0c82aeb 100755
--- a/src/PVE/Auth/OpenId.pm
+++ b/src/PVE/Auth/OpenId.pm
@@ -6,9 +6,30 @@ use warnings;
 use PVE::Tools;
 use PVE::Auth::Plugin;
 use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file);
+use PVE::JSONSchema qw(get_standard_option register_standard_option);
 
 use base qw(PVE::Auth::Plugin);
 
+PVE::JSONSchema::register_format('openid-simple-name', \&verify_openid_simple_name);
+sub verify_openid_simple_name {
+    my ($name, $noerr) = @_;
+
+    if ($name !~ m/^[A-Za-z0-9\.\-_]+$/) {
+
+	die "OpenId name '$name' contains invalid characters\n" if !$noerr;
+
+	return undef;
+    }
+
+    return $name;
+}
+
+register_standard_option('openid-scope', {
+    description => 'OpenID scope',
+    type => 'string',
+    format => 'openid-simple-name',
+});
+
 sub type {
     return 'openid';
 }
@@ -30,8 +51,25 @@ sub properties {
 	    type => 'string',
 	    optional => 1,
 	    maxLength => 256,
-       },
-       autocreate => {
+	},
+	scopes => {
+	    description => 'List of OpenID scopes',
+	    type => 'string', format => 'openid-simple-name-list',
+	    optional => 1,
+	    default => 'email, profile',
+	},
+        "acr-values" => {
+	    description => 'List of OpenID ACRs.',
+	    type => 'string', format => 'openid-simple-name-list',
+	    optional => 1,
+        },
+	prompt => {
+            description => "OpenID Prompt settings.",
+	    type => 'string',
+	    format => 'openid-simple-name',
+	    optional => 1,
+        },
+	autocreate => {
 	   description => "Automatically create users if they do not exist.",
 	   optional => 1,
 	   type => 'boolean',
@@ -40,7 +78,7 @@ sub properties {
        "username-claim" => {
 	   description => "OpenID claim used to generate the unique username.",
 	   type => 'string',
-	   enum => ['subject', 'username', 'email'],
+	   format => 'openid-simple-name',
 	   optional => 1,
        },
    };
@@ -53,6 +91,9 @@ sub options {
 	 "client-key" => { optional => 1 },
 	 autocreate => { optional => 1 },
 	 "username-claim" => { optional => 1, fixed => 1 },
+	 scopes => { optional => 1 },
+	 prompt => { optional => 1 },
+	 "acr-values" => { optional => 1 },
 	 default => { optional => 1 },
 	 comment => { optional => 1 },
     };
-- 
2.30.2

next prev parent reply	other threads:[~2021-08-06 11:58 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-08-06 11:57 [pbs-devel] [PATCH proxmox-openid-rs v2 1/6] allow to configure used scopes Dietmar Maurer
2021-08-06 11:57 ` [pbs-devel] [PATCH pve-rs] depend on proxmox-openid 0.7.0, bump version to 0.3.0 Dietmar Maurer
2021-08-06 11:57 ` [pbs-devel] [PATCH proxmox-backup v2] openid: allow to configure scopes, prompt, ACRs and arbitrary username-claim values Dietmar Maurer
2021-08-06 11:57 ` Dietmar Maurer [this message]
2021-08-06 11:57 ` [pbs-devel] [PATCH proxmox-openid-rs v2 2/6] also return data from UserInfo endpoint Dietmar Maurer
2021-08-06 11:57 ` [pbs-devel] [PATCH proxmox-openid-rs v2 3/6] new helper verify_authorization_code_simple() Dietmar Maurer
2021-08-06 11:57 ` [pbs-devel] [PATCH proxmox-openid-rs v2 4/6] allow to configure prompt behaviour Dietmar Maurer
2021-08-06 11:57 ` [pbs-devel] [PATCH proxmox-openid-rs v2 5/6] allow to configure acr values Dietmar Maurer
2021-08-06 11:57 ` [pbs-devel] [PATCH proxmox-openid-rs v2 6/6] bump version to 0.7.0-1 Dietmar Maurer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210806115744.1959420-4-dietmar@proxmox.com \
    --to=dietmar@proxmox.com \
    --cc=pbs-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox

Service provided by Proxmox Server Solutions GmbH | Privacy | Legal