From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id EE6236C363 for ; Fri, 6 Aug 2021 13:58:19 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id CE89BD46C for ; Fri, 6 Aug 2021 13:57:49 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 58D04D428 for ; Fri, 6 Aug 2021 13:57:47 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 1BD7C42F7B; Fri, 6 Aug 2021 13:57:47 +0200 (CEST) From: Dietmar Maurer To: pbs-devel@lists.proxmox.com Date: Fri, 6 Aug 2021 13:57:39 +0200 Message-Id: <20210806115744.1959420-4-dietmar@proxmox.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210806115744.1959420-1-dietmar@proxmox.com> References: <20210806115744.1959420-1-dietmar@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.708 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [openid.pm] Subject: [pbs-devel] [PATCH pve-access-control] openid: support scopes, prompt, ACRs and arbitrary username-claim values X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 Aug 2021 11:58:20 -0000
Depend on libpve-rs-perl (>= 0.3.0)
---
 debian/control | 4 ++--
 src/PVE/API2/OpenId.pm | 30 ++++++++++++++++++---------
 src/PVE/Auth/OpenId.pm | 47 +++++++++++++++++++++++++++++++++++++++---
 3 files changed, 66 insertions(+), 15 deletions(-)
diff --git a/debian/control b/debian/control
index 3ef748b..3323d9b 100644
--- a/debian/control
+++ b/debian/control
@@ -10,7 +10,7 @@ Build-Depends: debhelper (>= 12~),
 lintian,
 perl,
 libpve-cluster-perl,
- libpve-rs-perl,
+ libpve-rs-perl (>= 0.3.0),
 pve-cluster (>= 6.1-4),
 pve-doc-generator (>= 5.3-3),
 Standards-Version: 4.5.1
@@ -28,7 +28,7 @@ Depends: libauthen-pam-perl,
 libnet-ssleay-perl,
 libpve-common-perl (>= 6.0-18),
 libpve-cluster-perl,
- libpve-rs-perl,
+ libpve-rs-perl (>= 0.3.0),
 libpve-u2f-server-perl (>= 1.0-2),
 libuuid-perl,
 pve-cluster (>= 6.1-4),
diff --git a/src/PVE/API2/OpenId.pm b/src/PVE/API2/OpenId.pm
index 22423ba..0357b65 100644
--- a/src/PVE/API2/OpenId.pm
+++ b/src/PVE/API2/OpenId.pm
@@ -35,8 +35,21 @@ my $lookup_openid_auth = sub {
 issuer_url => $config->{'issuer-url'},
 client_id => $config->{'client-id'},
 client_key => $config->{'client-key'},
+ prompt => $config->{'prompt'},
 };
 
+ if (defined(my $value = $config->{'scopes'})) {
+ my $scopes = [PVE::Tools::split_list($value)];
+ $openid_config->{'scopes'} = $scopes;
+ } else {
+ $openid_config->{'scopes'} = ['email', 'profile'];
+ }
+
+ if (defined(my $value = $config->{'acr-values'})) {
+ my $list = [PVE::Tools::split_list($value)];
+ $openid_config->{'acr_values'} = $list;
+ }
+
 my $openid = PVE::RS::OpenId->discover($openid_config, $redirect_url);
 return ($config, $openid);
 };
@@ -163,18 +176,15 @@ __PACKAGE__->register_method ({
 my $unique_name = $subject; # default
 
 if (defined(my $user_attr = $config->{'username-claim'})) {
- if ($user_attr eq 'subject') {
+
+ if (defined(my $value = $info->{$user_attr})) {
+ $unique_name = $value;
+ } elsif ($user_attr == 'subject') {
 $unique_name = $subject;
- } elsif ($user_attr eq 'username') {
- my $username = $info->{'preferred_username'};
- die "missing claim 'preferred_username'\n" if !defined($username);
- $unique_name = $username;
- } elsif ($user_attr eq 'email') {
- my $email = $info->{'email'};
- die "missing claim 'email'\n" if !defined($email);
- $unique_name = $email;
+ } elsif ($user_attr == 'username' && defined(my $name = $info->{'preferred_username'})) {
+ $unique_name = $name;
 } else {
- die "got unexpected value for 'username-claim': '${user_attr}'\n";
+ die "mising claim '${user_attr}'\n";
 }
 }
 
diff --git a/src/PVE/Auth/OpenId.pm b/src/PVE/Auth/OpenId.pm
index 515d2f4..0c82aeb 100755
--- a/src/PVE/Auth/OpenId.pm
+++ b/src/PVE/Auth/OpenId.pm
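Review bot: The second hunk compares the claim name numerically: `} elsif ($user_attr == 'subject') {` and the following `} elsif ($user_attr == 'username' && …)` use `==` on strings, so both operands numify to 0 and the `subject` branch matches any non-numeric claim name whose claim is absent from `$info`. The effect is that a missing claim (for instance `username-claim` set to `email` on a token that carries no `email` claim) silently resolves to the token subject instead of reaching the `die`, which the removed `eq` comparisons prevented, and the `username` branch becomes unreachable. Both comparisons should be `eq`: `} elsif ($user_attr eq 'subject') {` and `} elsif ($user_attr eq 'username' && defined(my $name = $info->{'preferred_username'})) {`; the new error message also has a typo, `die "missing claim '${user_attr}'\n";`. The enclosing method body starts and ends outside the hunk.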
@@ -6,9 +6,30 @@ use warnings;
 use PVE::Tools;
 use PVE::Auth::Plugin;
 use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file);
+use PVE::JSONSchema qw(get_standard_option register_standard_option);
 
 use base qw(PVE::Auth::Plugin);
 
+PVE::JSONSchema::register_format('openid-simple-name', \&verify_openid_simple_name);
+sub verify_openid_simple_name {
+ my ($name, $noerr) = @_;
+
+ if ($name !~ m/^[A-Za-z0-9\.\-_]+$/) {
+
+ die "OpenId name '$name' contains invalid characters\n" if !$noerr;
+
+ return undef;
+ }
+
+ return $name;
+}
+
+register_standard_option('openid-scope', {
+ description => 'OpenID scope',
+ type => 'string',
+ format => 'openid-simple-name',
+});
+
 sub type {
 return 'openid';
 }
@@ -30,8 +51,25 @@ sub properties {
 type => 'string',
 optional => 1,
 maxLength => 256,
- },
- autocreate => {
+ },
+ scopes => {
+ description => 'List of OpenID scopes',
+ type => 'string', format => 'openid-simple-name-list',
+ optional => 1,
+ default => 'email, profile',
+ },
+ "acr-values" => {
+ description => 'List of OpenID ACRs.',
+ type => 'string', format => 'openid-simple-name-list',
+ optional => 1,
+ },
+ prompt => {
+ description => "OpenID Prompt settings.",
+ type => 'string',
+ format => 'openid-simple-name',
+ optional => 1,
+ },
+ autocreate => {
 description => "Automatically create users if they do not exist.",
 optional => 1,
 type => 'boolean',
@@ -40,7 +78,7 @@ sub properties {
 "username-claim" => {
 description => "OpenID claim used to generate the unique username.",
 type => 'string',
- enum => ['subject', 'username', 'email'],
+ format => 'openid-simple-name',
 optional => 1,
 },
 };
@@ -53,6 +91,9 @@ sub options {
 "client-key" => { optional => 1 },
 autocreate => { optional => 1 },
 "username-claim" => { optional => 1, fixed => 1 },
+ scopes => { optional => 1 },
+ prompt => { optional => 1 },
+ "acr-values" => { optional => 1 },
 default => { optional => 1 },
 comment => { optional => 1 },
 };
-- 
2.30.2
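Review bot: In `verify_openid_simple_name` the pattern `m/^[A-Za-z0-9\.\-_]+$/` is anchored with `$`, which still matches before a trailing newline, so a value like `"email\n"` passes the format check even though the characters it allows are otherwise strict; anchoring with `\z` instead, `if ($name !~ m/^[A-Za-z0-9\.\-_]+\z/) {`, rejects it. Separately, `get_standard_option` is imported and `openid-scope` is registered as a standard option, but nothing in this patch references either (the `scopes` property in the later hunk defines its schema inline), so both look unused and could be dropped or the property could be built from them. A one-line comment above the `register_format` call noting that the list-valued properties rely on the derived `openid-simple-name-list` name (presumably resolved by `PVE::JSONSchema` from the `-list` suffix) would help readers find where that format comes from.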
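Review bot: `prompt` is validated with `openid-simple-name`, which admits exactly one token, while `scopes` and `acr-values` use the list variant; if several prompt values are meant to be passed together (OpenID Connect specifies `prompt` as a space-separated list of values), this property needs `format => 'openid-simple-name-list'` as well, otherwise the description should say that a single value is accepted rather than the vague "OpenID Prompt settings.". As a point of style, `type => 'string', format => 'openid-simple-name-list',` puts two keys on one line in both the `scopes` and `acr-values` entries while every neighbouring property, including the new `prompt` one, uses one key per line. The `properties` sub starts and ends outside the hunk.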
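Review bot: With the `enum` replaced by `format => 'openid-simple-name'`, the `username-claim` description no longer tells an administrator that `subject` and `username` are not looked up as claims but map to the token subject and to `preferred_username` (as the `PVE::API2::OpenId` hunk intends), while any other value names a claim that must be present in the token. Suggested description: `"OpenID claim used to generate the unique username. 'subject' and 'username' are handled specially; any other value names a claim that must be present."`. The `properties` sub starts and ends outside the hunk.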