* [pbs-devel] [PATCH proxmox-backup/pwt v3 00/14] fix #5379: introduce default auth realm option
@ 2024-08-16 11:16 Christoph Heiss
2024-08-16 11:16 ` [pbs-devel] [PATCH widget-toolkit v3 01/14] window: AuthEditBase: include more information in thrown errors Christoph Heiss
` (15 more replies)
0 siblings, 16 replies; 23+ messages in thread
From: Christoph Heiss @ 2024-08-16 11:16 UTC (permalink / raw)
To: pbs-devel
Fixes #5379 [0].
First, it adds an updatable `default` field to all existing editable
realms. Then it converts the PAM and PBS built-in realms to proper
realms, instead of being hard-coded in-between somewhere.
In turn, this enables editing of these realms, allowing setting whether
these realms should be the default for login or not.
For proxmox-widget-toolkit, the first three patches could in principle
be applied on their own. The others depend on the API changes as
introduced in the proxmox-backup part.
W.r.t. the inconsistency as discovered/discussed in [1], the (current)
behaviour is not changed in this series. Since both PVE and PBS use the
same realm login dialog from proxmox-widget-toolkit, I'd rather fix it
separately -- to avoid blocking this series on a completely separate
issue, which might still need some discussing.
W.r.t. applying, proxmox-backup will need a bump of
proxmox-widget-toolkit afterwards.
[0] https://bugzilla.proxmox.com/show_bug.cgi?id=5379
[1] https://lists.proxmox.com/pipermail/pbs-devel/2024-August/010429.html
History
=======
v2: https://lists.proxmox.com/pipermail/pbs-devel/2024-August/010521.html
v1: https://lists.proxmox.com/pipermail/pbs-devel/2024-July/010250.html
Changes v2 -> v3:
* rebased on latest master
* fixed unsetting the `default` property by making it deletable
* unset previous default realm when creating a new realm with
`default` set
Changes v1 -> v2:
* rebased on latest master
* trivial fixes as suggested by Lukas
* add documentation to unset_default_realm()
Diffstat
========
proxmox-widget-toolkit:
Christoph Heiss (6):
window: AuthEditBase: include more information in thrown errors
panel: AuthView: make `useTypeInUrl` property per-realm
window: add panel for editing simple, built-in realms
schema: make PAM realm editable using new AuthSimple panel
fix #5379: panel: AuthView: add column displaying whether the realm is
default
fix #5379: window: AuthEdit{LDAP,OpenId}: add 'Default realm' checkbox
src/Makefile | 1 +
src/Schema.js | 7 +++++-
src/panel/AuthView.js | 13 +++++++++---
src/window/AuthEditBase.js | 8 +++----
src/window/AuthEditLDAP.js | 14 +++++++++++-
src/window/AuthEditOpenId.js | 13 ++++++++++++
src/window/AuthEditSimple.js | 41 ++++++++++++++++++++++++++++++++++++
7 files changed, 88 insertions(+), 9 deletions(-)
create mode 100644 src/window/AuthEditSimple.js
proxmox-backup:
Christoph Heiss (8):
fix #5379: api-types: add `default` field to all realm types
fix #5379: api2: access: set default realm accordingly on individual
update
api-types: introduce proper types for PAM and PBS realms
config: use new dedicated PAM and PBS realm types
api2: access: add update support for built-in PAM realm
api2: access: add update support for built-in PBS realm
www: AccessControl: make `useTypeInUrl` property per-realm
www: utils: make built-in pbs realm editable using new AuthSimplePanel
pbs-api-types/src/ad.rs | 7 ++
pbs-api-types/src/ldap.rs | 7 ++
pbs-api-types/src/lib.rs | 97 ++++++++++++++++++++++-
pbs-api-types/src/openid.rs | 7 ++
pbs-config/src/domains.rs | 36 ++++++++-
src/api2/access/domain.rs | 13 ----
src/api2/config/access/ad.rs | 16 ++++
src/api2/config/access/ldap.rs | 16 ++++
src/api2/config/access/mod.rs | 4 +
src/api2/config/access/openid.rs | 16 ++++
src/api2/config/access/pam.rs | 130 +++++++++++++++++++++++++++++++
src/api2/config/access/pbs.rs | 130 +++++++++++++++++++++++++++++++
src/bin/proxmox-backup-api.rs | 1 +
src/config/mod.rs | 25 ++++++
www/Utils.js | 4 +-
www/panel/AccessControl.js | 1 -
16 files changed, 492 insertions(+), 18 deletions(-)
create mode 100644 src/api2/config/access/pam.rs
create mode 100644 src/api2/config/access/pbs.rs
--
2.45.1
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
^ permalink raw reply [flat|nested] 23+ messages in thread
* [pbs-devel] [PATCH widget-toolkit v3 01/14] window: AuthEditBase: include more information in thrown errors
2024-08-16 11:16 [pbs-devel] [PATCH proxmox-backup/pwt v3 00/14] fix #5379: introduce default auth realm option Christoph Heiss
@ 2024-08-16 11:16 ` Christoph Heiss
2024-08-16 11:16 ` [pbs-devel] [PATCH widget-toolkit v3 02/14] panel: AuthView: make `useTypeInUrl` property per-realm Christoph Heiss
` (14 subsequent siblings)
15 siblings, 0 replies; 23+ messages in thread
From: Christoph Heiss @ 2024-08-16 11:16 UTC (permalink / raw)
To: pbs-devel
Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v2 -> v3:
* no changes
Changes v1 -> v2:
* no changes
src/window/AuthEditBase.js | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/window/AuthEditBase.js b/src/window/AuthEditBase.js
index 0f272e6..be547f9 100644
--- a/src/window/AuthEditBase.js
+++ b/src/window/AuthEditBase.js
@@ -29,9 +29,9 @@ Ext.define('Proxmox.window.AuthEditBase', {
let authConfig = Proxmox.Schema.authDomains[me.authType];
if (!authConfig) {
- throw 'unknown auth type';
+ throw `unknown auth type ${me.authType}`;
} else if (!authConfig.add && me.isCreate) {
- throw 'trying to add non addable realm';
+ throw `trying to add non addable realm of type ${me.authType}`;
}
me.subject = authConfig.name;
@@ -86,9 +86,9 @@ Ext.define('Proxmox.window.AuthEditBase', {
var data = response.result.data || {};
// just to be sure (should not happen)
// only check this when the type is not in the api path
- if (!me.useTypeInUrl && data.type !== me.authType) {
+ if (!me.useTypeInUrl && data.realm !== me.authType) {
me.close();
- throw "got wrong auth type";
+ throw `got wrong auth type '${me.authType}' for realm '${data.realm}'`;
}
me.setValues(data);
},
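Review bot: The guard in the second hunk now compares `data.realm` with `me.authType`, a realm name against a realm type, where it previously compared `data.type`. That only holds for realms whose name equals their type, and it is a behaviour change that the subject line ("include more information in thrown errors") does not cover. Either keep `data.type !== me.authType` and only extend the message, or move the condition change into its own commit with a rationale. The new message also prints the expected type (`me.authType`) rather than the value that actually came back, so it does not tell the reader what the API returned.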
--
2.45.2
* [pbs-devel] [PATCH widget-toolkit v3 02/14] panel: AuthView: make `useTypeInUrl` property per-realm
2024-08-16 11:16 [pbs-devel] [PATCH proxmox-backup/pwt v3 00/14] fix #5379: introduce default auth realm option Christoph Heiss
2024-08-16 11:16 ` [pbs-devel] [PATCH widget-toolkit v3 01/14] window: AuthEditBase: include more information in thrown errors Christoph Heiss
@ 2024-08-16 11:16 ` Christoph Heiss
2024-08-16 11:16 ` [pbs-devel] [PATCH widget-toolkit v3 03/14] window: add panel for editing simple, built-in realms Christoph Heiss
` (13 subsequent siblings)
15 siblings, 0 replies; 23+ messages in thread
From: Christoph Heiss @ 2024-08-16 11:16 UTC (permalink / raw)
To: pbs-devel
Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v2 -> v3:
* no changes
Changes v1 -> v2:
* no changes
src/Schema.js | 4 ++++
src/panel/AuthView.js | 5 ++---
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/Schema.js b/src/Schema.js
index 42541e0..6921986 100644
--- a/src/Schema.js
+++ b/src/Schema.js
@@ -8,6 +8,7 @@ Ext.define('Proxmox.Schema', { // a singleton
edit: false,
pwchange: true,
sync: false,
+ useTypeInUrl: false,
},
openid: {
name: gettext('OpenID Connect Server'),
@@ -18,6 +19,7 @@ Ext.define('Proxmox.Schema', { // a singleton
pwchange: false,
sync: false,
iconCls: 'pmx-itype-icon-openid-logo',
+ useTypeInUrl: true,
},
ldap: {
name: gettext('LDAP Server'),
@@ -28,6 +30,7 @@ Ext.define('Proxmox.Schema', { // a singleton
tfa: true,
pwchange: false,
sync: true,
+ useTypeInUrl: true,
},
ad: {
name: gettext('Active Directory Server'),
@@ -38,6 +41,7 @@ Ext.define('Proxmox.Schema', { // a singleton
tfa: true,
pwchange: false,
sync: true,
+ useTypeInUrl: true,
},
},
// to add or change existing for product specific ones
diff --git a/src/panel/AuthView.js b/src/panel/AuthView.js
index 52b6cac..944a812 100644
--- a/src/panel/AuthView.js
+++ b/src/panel/AuthView.js
@@ -11,7 +11,6 @@ Ext.define('Proxmox.panel.AuthView', {
},
baseUrl: '/access/domains',
- useTypeInUrl: false,
columns: [
{
@@ -47,7 +46,7 @@ Ext.define('Proxmox.panel.AuthView', {
let me = this;
Ext.create('Proxmox.window.AuthEditBase', {
baseUrl: me.baseUrl,
- useTypeInUrl: me.useTypeInUrl,
+ useTypeInUrl: Proxmox.Schema.authDomains[authType].useTypeInUrl,
authType,
realm,
listeners: {
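Review bot: `Proxmox.Schema.authDomains[authType].useTypeInUrl` is evaluated in the caller before `AuthEditBase` reaches its own `if (!authConfig)` check, so an `authType` that is missing from the schema now fails with a TypeError on `undefined` instead of the descriptive "unknown auth type" error. Guard the lookup here, or let `AuthEditBase` derive the flag from the `authConfig` it already fetches so the lookup lives in one place.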
@@ -123,7 +122,7 @@ Ext.define('Proxmox.panel.AuthView', {
xtype: 'proxmoxStdRemoveButton',
getUrl: (rec) => {
let url = me.baseUrl;
- if (me.useTypeInUrl) {
+ if (Proxmox.Schema.authDomains[rec.data.type].useTypeInUrl) {
url += `/${rec.get('type')}`;
}
url += `/${rec.getId()}`;
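Review bot: In `getUrl` the type is read as `rec.data.type` for the schema lookup and as `rec.get('type')` one line later; pick one accessor. The lookup is also unguarded, so a record whose type has no `authDomains` entry throws inside the remove button's URL builder. Since the panel-level `useTypeInUrl` is dropped in this patch, product code that still sets it on the panel is silently ignored, which is worth stating in the commit message.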
--
2.45.2
* [pbs-devel] [PATCH widget-toolkit v3 03/14] window: add panel for editing simple, built-in realms
2024-08-16 11:16 [pbs-devel] [PATCH proxmox-backup/pwt v3 00/14] fix #5379: introduce default auth realm option Christoph Heiss
2024-08-16 11:16 ` [pbs-devel] [PATCH widget-toolkit v3 01/14] window: AuthEditBase: include more information in thrown errors Christoph Heiss
2024-08-16 11:16 ` [pbs-devel] [PATCH widget-toolkit v3 02/14] panel: AuthView: make `useTypeInUrl` property per-realm Christoph Heiss
@ 2024-08-16 11:16 ` Christoph Heiss
2024-08-16 12:23 ` Gabriel Goller
2024-08-19 14:18 ` Hannes Laimer
2024-08-16 11:16 ` [pbs-devel] [PATCH widget-toolkit v3 04/14] schema: make PAM realm editable using new AuthSimple panel Christoph Heiss
` (12 subsequent siblings)
15 siblings, 2 replies; 23+ messages in thread
From: Christoph Heiss @ 2024-08-16 11:16 UTC (permalink / raw)
To: pbs-devel
Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v2 -> v3:
* no changes
Changes v1 -> v2:
* no changes
src/Makefile | 1 +
src/window/AuthEditSimple.js | 41 ++++++++++++++++++++++++++++++++++++
2 files changed, 42 insertions(+)
create mode 100644 src/window/AuthEditSimple.js
diff --git a/src/Makefile b/src/Makefile
index 0478251..20ba77b 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -97,6 +97,7 @@ JSSRC= \
window/AuthEditOpenId.js \
window/AuthEditLDAP.js \
window/AuthEditAD.js \
+ window/AuthEditSimple.js \
window/TfaWindow.js \
window/AddTfaRecovery.js \
window/AddTotp.js \
diff --git a/src/window/AuthEditSimple.js b/src/window/AuthEditSimple.js
new file mode 100644
index 0000000..22932c0
--- /dev/null
+++ b/src/window/AuthEditSimple.js
@@ -0,0 +1,41 @@
+Ext.define('Proxmox.panel.SimpleRealmInputPanel', {
+ extend: 'Proxmox.panel.InputPanel',
+ xtype: 'pmxAuthSimplePanel',
+ mixins: ['Proxmox.Mixin.CBind'],
+
+ type: 'simple',
+
+ column1: [
+ {
+ xtype: 'pmxDisplayEditField',
+ name: 'realm',
+ cbind: {
+ value: '{realm}',
+ },
+ fieldLabel: gettext('Realm'),
+ allowBlank: false,
+ },
+ {
+ xtype: 'proxmoxcheckbox',
+ fieldLabel: gettext('Default realm'),
+ name: 'default',
+ value: 0,
+ autoEl: {
+ tag: 'div',
+ 'data-qtip': gettext('Set realm as default for login'),
+ },
+ },
+ ],
+
+ column2: [
+ ],
+
+ columnB: [
+ {
+ xtype: 'proxmoxtextfield',
+ name: 'comment',
+ fieldLabel: gettext('Comment'),
+ },
+ ],
+});
+
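Review bot: The 'Default realm' checkbox in this new panel has no `cbind: { deleteEmpty: ... }`, while the otherwise identical checkbox added to the LDAP and OpenID panels later in this series sets `deleteEmpty: '{!isCreate}'`. This panel is only used for editing realms that cannot be added, so please confirm that unchecking the box actually clears `default` on the backend; the same question applies to the `comment` field. Minor: the empty `column2: []` and the trailing blank line at the end of the new file can be dropped.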
--
2.45.2
* [pbs-devel] [PATCH widget-toolkit v3 04/14] schema: make PAM realm editable using new AuthSimple panel
2024-08-16 11:16 [pbs-devel] [PATCH proxmox-backup/pwt v3 00/14] fix #5379: introduce default auth realm option Christoph Heiss
` (2 preceding siblings ...)
2024-08-16 11:16 ` [pbs-devel] [PATCH widget-toolkit v3 03/14] window: add panel for editing simple, built-in realms Christoph Heiss
@ 2024-08-16 11:16 ` Christoph Heiss
2024-08-16 11:16 ` [pbs-devel] [PATCH widget-toolkit v3 05/14] fix #5379: panel: AuthView: add column displaying whether the realm is default Christoph Heiss
` (11 subsequent siblings)
15 siblings, 0 replies; 23+ messages in thread
From: Christoph Heiss @ 2024-08-16 11:16 UTC (permalink / raw)
To: pbs-devel
Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v2 -> v3:
* no changes
Changes v1 -> v2:
* no changes
src/Schema.js | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/Schema.js b/src/Schema.js
index 6921986..3a84818 100644
--- a/src/Schema.js
+++ b/src/Schema.js
@@ -4,8 +4,9 @@ Ext.define('Proxmox.Schema', { // a singleton
authDomains: {
pam: {
name: 'Linux PAM',
+ ipanel: 'pmxAuthSimplePanel',
add: false,
- edit: false,
+ edit: true,
pwchange: true,
sync: false,
useTypeInUrl: false,
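Review bot: Flipping `edit: true` for `pam` in the shared schema relies on an update endpoint for the built-in realm, which this series only adds on the proxmox-backup side. The commit has no body; please state that dependency there (the cover letter notes that only the first three toolkit patches are standalone) and what other consumers of this schema should expect until their API supports it.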
--
2.45.2
* [pbs-devel] [PATCH widget-toolkit v3 05/14] fix #5379: panel: AuthView: add column displaying whether the realm is default
2024-08-16 11:16 [pbs-devel] [PATCH proxmox-backup/pwt v3 00/14] fix #5379: introduce default auth realm option Christoph Heiss
` (3 preceding siblings ...)
2024-08-16 11:16 ` [pbs-devel] [PATCH widget-toolkit v3 04/14] schema: make PAM realm editable using new AuthSimple panel Christoph Heiss
@ 2024-08-16 11:16 ` Christoph Heiss
2024-08-16 11:16 ` [pbs-devel] [PATCH widget-toolkit v3 06/14] fix #5379: window: AuthEdit{LDAP, OpenId}: add 'Default realm' checkbox Christoph Heiss
` (10 subsequent siblings)
15 siblings, 0 replies; 23+ messages in thread
From: Christoph Heiss @ 2024-08-16 11:16 UTC (permalink / raw)
To: pbs-devel
Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v2 -> v3:
* no changes
Changes v1 -> v2:
* checkmark is now centered in the column
src/panel/AuthView.js | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/panel/AuthView.js b/src/panel/AuthView.js
index 944a812..69e37fe 100644
--- a/src/panel/AuthView.js
+++ b/src/panel/AuthView.js
@@ -25,6 +25,14 @@ Ext.define('Proxmox.panel.AuthView', {
sortable: true,
dataIndex: 'type',
},
+ {
+ header: gettext('Default'),
+ width: 80,
+ sortable: true,
+ dataIndex: 'default',
+ renderer: isDefault => isDefault ? Proxmox.Utils.renderEnabledIcon(true) : '',
+ align: 'center',
+ },
{
header: gettext('Comment'),
sortable: false,
--
2.45.2
* [pbs-devel] [PATCH widget-toolkit v3 06/14] fix #5379: window: AuthEdit{LDAP, OpenId}: add 'Default realm' checkbox
2024-08-16 11:16 [pbs-devel] [PATCH proxmox-backup/pwt v3 00/14] fix #5379: introduce default auth realm option Christoph Heiss
` (4 preceding siblings ...)
2024-08-16 11:16 ` [pbs-devel] [PATCH widget-toolkit v3 05/14] fix #5379: panel: AuthView: add column displaying whether the realm is default Christoph Heiss
@ 2024-08-16 11:16 ` Christoph Heiss
2024-08-16 11:16 ` [pbs-devel] [PATCH proxmox-backup v3 07/14] fix #5379: api-types: add `default` field to all realm types Christoph Heiss
` (9 subsequent siblings)
15 siblings, 0 replies; 23+ messages in thread
From: Christoph Heiss @ 2024-08-16 11:16 UTC (permalink / raw)
To: pbs-devel
Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v2 -> v3:
* no changes
Changes v1 -> v2:
* no changes
src/window/AuthEditLDAP.js | 14 +++++++++++++-
src/window/AuthEditOpenId.js | 13 +++++++++++++
2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/src/window/AuthEditLDAP.js b/src/window/AuthEditLDAP.js
index 388fc02..4cd1020 100644
--- a/src/window/AuthEditLDAP.js
+++ b/src/window/AuthEditLDAP.js
@@ -82,6 +82,19 @@ Ext.define('Proxmox.panel.LDAPInputPanel', {
fieldLabel: gettext('Realm'),
allowBlank: false,
},
+ {
+ xtype: 'proxmoxcheckbox',
+ fieldLabel: gettext('Default realm'),
+ name: 'default',
+ value: 0,
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ autoEl: {
+ tag: 'div',
+ 'data-qtip': gettext('Set realm as default for login'),
+ },
+ },
{
xtype: 'proxmoxtextfield',
fieldLabel: gettext('Base Domain Name'),
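Review bot: The backend part of this series adds `default` to the AD realm type as well, but only `AuthEditLDAP.js` and `AuthEditOpenId.js` are touched here. If the AD panel does not pick this checkbox up from the LDAP panel, it needs the same field; please say which it is in the commit message.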
@@ -216,7 +229,6 @@ Ext.define('Proxmox.panel.LDAPInputPanel', {
},
},
],
-
});
diff --git a/src/window/AuthEditOpenId.js b/src/window/AuthEditOpenId.js
index 08ced99..a9ccb92 100644
--- a/src/window/AuthEditOpenId.js
+++ b/src/window/AuthEditOpenId.js
@@ -35,6 +35,19 @@ Ext.define('Proxmox.panel.OpenIDInputPanel', {
fieldLabel: gettext('Realm'),
allowBlank: false,
},
+ {
+ xtype: 'proxmoxcheckbox',
+ fieldLabel: gettext('Default realm'),
+ name: 'default',
+ value: 0,
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ autoEl: {
+ tag: 'div',
+ 'data-qtip': gettext('Set realm as default for login'),
+ },
+ },
{
xtype: 'proxmoxtextfield',
fieldLabel: gettext('Client ID'),
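Review bot: This checkbox definition is now repeated across the simple, LDAP and OpenID panels, differing only in the `cbind` block. A shared field config (or a small xtype) would keep the label, tooltip and `deleteEmpty` behaviour from drifting apart between realm types.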
--
2.45.2
* [pbs-devel] [PATCH proxmox-backup v3 07/14] fix #5379: api-types: add `default` field to all realm types
2024-08-16 11:16 [pbs-devel] [PATCH proxmox-backup/pwt v3 00/14] fix #5379: introduce default auth realm option Christoph Heiss
` (5 preceding siblings ...)
2024-08-16 11:16 ` [pbs-devel] [PATCH widget-toolkit v3 06/14] fix #5379: window: AuthEdit{LDAP, OpenId}: add 'Default realm' checkbox Christoph Heiss
@ 2024-08-16 11:16 ` Christoph Heiss
2024-08-16 11:16 ` [pbs-devel] [PATCH proxmox-backup v3 08/14] fix #5379: api2: access: set default realm accordingly on individual update Christoph Heiss
` (8 subsequent siblings)
15 siblings, 0 replies; 23+ messages in thread
From: Christoph Heiss @ 2024-08-16 11:16 UTC (permalink / raw)
To: pbs-devel
Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v2 -> v3:
* make `default` property deletable
Changes v1 -> v2:
* no changes
pbs-api-types/src/ad.rs | 7 +++++++
pbs-api-types/src/ldap.rs | 7 +++++++
pbs-api-types/src/openid.rs | 7 +++++++
src/api2/config/access/ad.rs | 5 +++++
src/api2/config/access/ldap.rs | 5 +++++
src/api2/config/access/openid.rs | 5 +++++
6 files changed, 36 insertions(+)
diff --git a/pbs-api-types/src/ad.rs b/pbs-api-types/src/ad.rs
index 910571a0..5c236325 100644
--- a/pbs-api-types/src/ad.rs
+++ b/pbs-api-types/src/ad.rs
@@ -16,6 +16,10 @@ use super::{
optional: true,
schema: SINGLE_LINE_COMMENT_SCHEMA,
},
+ "default": {
+ optional: true,
+ default: false,
+ },
"verify": {
optional: true,
default: false,
@@ -64,6 +68,9 @@ pub struct AdRealmConfig {
/// Comment
#[serde(skip_serializing_if = "Option::is_none")]
pub comment: Option<String>,
+ /// True if it should be the default realm to login in
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub default: Option<bool>,
/// Connection security
#[serde(skip_serializing_if = "Option::is_none")]
pub mode: Option<LdapMode>,
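Review bot: The doc comment `True if it should be the default realm to login in` becomes the API description of this field and is repeated in every realm type; "to log in to" reads correctly. It would also help to document here that `None` and `Some(false)` both mean "not default" and that uniqueness across realms is not enforced by the type itself.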
diff --git a/pbs-api-types/src/ldap.rs b/pbs-api-types/src/ldap.rs
index a3e0407b..79735d93 100644
--- a/pbs-api-types/src/ldap.rs
+++ b/pbs-api-types/src/ldap.rs
@@ -29,6 +29,10 @@ pub enum LdapMode {
optional: true,
schema: SINGLE_LINE_COMMENT_SCHEMA,
},
+ "default": {
+ optional: true,
+ default: false,
+ },
"verify": {
optional: true,
default: false,
@@ -75,6 +79,9 @@ pub struct LdapRealmConfig {
/// Comment
#[serde(skip_serializing_if = "Option::is_none")]
pub comment: Option<String>,
+ /// True if it should be the default realm to login in
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub default: Option<bool>,
/// Connection security
#[serde(skip_serializing_if = "Option::is_none")]
pub mode: Option<LdapMode>,
diff --git a/pbs-api-types/src/openid.rs b/pbs-api-types/src/openid.rs
index 2c95c5c6..e8ec19d9 100644
--- a/pbs-api-types/src/openid.rs
+++ b/pbs-api-types/src/openid.rs
@@ -80,6 +80,10 @@ pub const OPENID_USERNAME_CLAIM_SCHEMA: Schema = StringSchema::new(
optional: true,
schema: SINGLE_LINE_COMMENT_SCHEMA,
},
+ "default": {
+ optional: true,
+ default: false,
+ },
autocreate: {
optional: true,
default: false,
@@ -111,6 +115,9 @@ pub struct OpenIdRealmConfig {
pub client_key: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub comment: Option<String>,
+ /// True if it should be the default realm to login in
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub default: Option<bool>,
/// Automatically create users if they do not exist.
#[serde(skip_serializing_if = "Option::is_none")]
pub autocreate: Option<bool>,
diff --git a/src/api2/config/access/ad.rs b/src/api2/config/access/ad.rs
index c202291a..4106e0f4 100644
--- a/src/api2/config/access/ad.rs
+++ b/src/api2/config/access/ad.rs
@@ -136,6 +136,8 @@ pub enum DeletableProperty {
Port,
/// Comment
Comment,
+ /// Is default realm
+ Default,
/// Verify server certificate
Verify,
/// Mode (ldap, ldap+starttls or ldaps),
@@ -217,6 +219,9 @@ pub async fn update_ad_realm(
DeletableProperty::Comment => {
config.comment = None;
}
+ DeletableProperty::Default => {
+ config.default = None;
+ }
DeletableProperty::Port => {
config.port = None;
}
diff --git a/src/api2/config/access/ldap.rs b/src/api2/config/access/ldap.rs
index e60dc9c1..7dcf7990 100644
--- a/src/api2/config/access/ldap.rs
+++ b/src/api2/config/access/ldap.rs
@@ -171,6 +171,8 @@ pub enum DeletableProperty {
Port,
/// Comment
Comment,
+ /// Is default realm
+ Default,
/// Verify server certificate
Verify,
/// Mode (ldap, ldap+starttls or ldaps),
@@ -252,6 +254,9 @@ pub fn update_ldap_realm(
DeletableProperty::Comment => {
config.comment = None;
}
+ DeletableProperty::Default => {
+ config.default = None;
+ }
DeletableProperty::Port => {
config.port = None;
}
diff --git a/src/api2/config/access/openid.rs b/src/api2/config/access/openid.rs
index 4901880e..2fbcd1b1 100644
--- a/src/api2/config/access/openid.rs
+++ b/src/api2/config/access/openid.rs
@@ -149,6 +149,8 @@ pub enum DeletableProperty {
ClientKey,
/// Delete the comment property.
Comment,
+ /// Delete the default property.
+ Default,
/// Delete the autocreate property
Autocreate,
/// Delete the scopes property
@@ -217,6 +219,9 @@ pub fn update_openid_realm(
DeletableProperty::Comment => {
config.comment = None;
}
+ DeletableProperty::Default => {
+ config.default = None;
+ }
DeletableProperty::Autocreate => {
config.autocreate = None;
}
--
2.45.2
* [pbs-devel] [PATCH proxmox-backup v3 08/14] fix #5379: api2: access: set default realm accordingly on individual update
2024-08-16 11:16 [pbs-devel] [PATCH proxmox-backup/pwt v3 00/14] fix #5379: introduce default auth realm option Christoph Heiss
` (6 preceding siblings ...)
2024-08-16 11:16 ` [pbs-devel] [PATCH proxmox-backup v3 07/14] fix #5379: api-types: add `default` field to all realm types Christoph Heiss
@ 2024-08-16 11:16 ` Christoph Heiss
2024-08-16 11:16 ` [pbs-devel] [PATCH proxmox-backup v3 09/14] api-types: introduce proper types for PAM and PBS realms Christoph Heiss
` (7 subsequent siblings)
15 siblings, 0 replies; 23+ messages in thread
From: Christoph Heiss @ 2024-08-16 11:16 UTC (permalink / raw)
To: pbs-devel
Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v2 -> v3:
* removed early return again, which did not work as intended
* drop unnecessary crate namespace qualification
* also unset current default realm when creating new realm with
`default` set
Changes v1 -> v2:
* documented unset_default_realm()
* added early return to unset_default_realm()
pbs-config/src/domains.rs | 15 +++++++++++++++
src/api2/config/access/ad.rs | 11 +++++++++++
src/api2/config/access/ldap.rs | 11 +++++++++++
src/api2/config/access/openid.rs | 11 +++++++++++
4 files changed, 48 insertions(+)
diff --git a/pbs-config/src/domains.rs b/pbs-config/src/domains.rs
index 32bd967a..d94d54a8 100644
--- a/pbs-config/src/domains.rs
+++ b/pbs-config/src/domains.rs
@@ -61,6 +61,21 @@ pub fn save_config(config: &SectionConfigData) -> Result<(), Error> {
replace_backup_config(DOMAINS_CFG_FILENAME, raw.as_bytes())
}
+/// Unsets the default login realm for users by deleting the `default` property
+/// from the respective realm.
+///
+/// This only updates the configuration as given in `config`, making it
+/// permanent is left to the caller.
+pub fn unset_default_realm(config: &mut SectionConfigData) -> Result<(), Error> {
+ for (_, data) in &mut config.sections.values_mut() {
+ if let Some(obj) = data.as_object_mut() {
+ obj.remove("default");
+ }
+ }
+
+ Ok(())
+}
+
/// Check if a realm with the given name exists
pub fn exists(domains: &SectionConfigData, realm: &str) -> bool {
realm == "pbs" || realm == "pam" || domains.sections.contains_key(realm)
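Review bot: `unset_default_realm()` can no longer fail now that the early return is gone, so the `Result<(), Error>` return type only forces callers to write `?`; returning `()` would be more honest. The `&mut` in front of `config.sections.values_mut()` is redundant, and sections whose data is not an object are skipped silently. Also note that `exists()` just below still hard-codes `pbs` and `pam`, so the built-in realms may not be present in `sections` at this point in the series and would then not be covered by the loop.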
diff --git a/src/api2/config/access/ad.rs b/src/api2/config/access/ad.rs
index 4106e0f4..2afb16b8 100644
--- a/src/api2/config/access/ad.rs
+++ b/src/api2/config/access/ad.rs
@@ -91,6 +91,10 @@ pub async fn create_ad_realm(
auth_helpers::store_ldap_bind_password(&config.realm, &password, &domain_config_lock)?;
}
+ if let Some(true) = config.default {
+ domains::unset_default_realm(&mut domains)?;
+ }
+
domains.set_data(&config.realm, "ad", &config)?;
domains::save_config(&domains)?;
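Review bot: On create, a request with `default: false` is stored as an explicit `Some(false)`, while the update path in this patch normalises everything except `Some(true)` to `None`. Normalising here as well (keep only `Some(true)`) would keep the stored config consistent between the two paths.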
@@ -278,6 +282,13 @@ pub async fn update_ad_realm(
}
}
+ if let Some(true) = update.default {
+ domains::unset_default_realm(&mut domains)?;
+ config.default = Some(true);
+ } else {
+ config.default = None;
+ }
+
if let Some(mode) = update.mode {
config.mode = Some(mode);
}
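Review bot: The `else` branch runs for `update.default == None` as well as for `Some(false)`, so any update that does not send `default` (for example one that only changes the comment) clears the flag on the current default realm. Match on the three cases instead: `Some(true)` unsets the other realms and sets the flag, `Some(false)` clears it, and `None` leaves `config.default` untouched. Clearing is already available through `DeletableProperty::Default`.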
diff --git a/src/api2/config/access/ldap.rs b/src/api2/config/access/ldap.rs
index 7dcf7990..6a93ece2 100644
--- a/src/api2/config/access/ldap.rs
+++ b/src/api2/config/access/ldap.rs
@@ -81,6 +81,10 @@ pub fn create_ldap_realm(config: LdapRealmConfig, password: Option<String>) -> R
auth_helpers::store_ldap_bind_password(&config.realm, &password, &domain_config_lock)?;
}
+ if let Some(true) = config.default {
+ domains::unset_default_realm(&mut domains)?;
+ }
+
domains.set_data(&config.realm, "ldap", &config)?;
domains::save_config(&domains)?;
@@ -317,6 +321,13 @@ pub fn update_ldap_realm(
}
}
+ if let Some(true) = update.default {
+ domains::unset_default_realm(&mut domains)?;
+ config.default = Some(true);
+ } else {
+ config.default = None;
+ }
+
if let Some(mode) = update.mode {
config.mode = Some(mode);
}
diff --git a/src/api2/config/access/openid.rs b/src/api2/config/access/openid.rs
index 2fbcd1b1..5b767fcc 100644
--- a/src/api2/config/access/openid.rs
+++ b/src/api2/config/access/openid.rs
@@ -65,6 +65,10 @@ pub fn create_openid_realm(config: OpenIdRealmConfig) -> Result<(), Error> {
param_bail!("realm", "realm '{}' already exists.", config.realm);
}
+ if let Some(true) = config.default {
+ domains::unset_default_realm(&mut domains)?;
+ }
+
domains.set_data(&config.realm, "openid", &config)?;
domains::save_config(&domains)?;
@@ -247,6 +251,13 @@ pub fn update_openid_realm(
}
}
+ if let Some(true) = update.default {
+ domains::unset_default_realm(&mut domains)?;
+ config.default = Some(true);
+ } else {
+ config.default = None;
+ }
+
if let Some(issuer_url) = update.issuer_url {
config.issuer_url = issuer_url;
}
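Review bot: This is the third copy of the same `if let Some(true) = update.default { ... } else { ... }` block (ad.rs, ldap.rs, openid.rs), including the `else` branch that resets `config.default` when the field is simply absent from the request. A single helper in `domains` that takes the update value and the realm config would fix the partial-update case once and keep the three realm types in step.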
--
2.45.2
* [pbs-devel] [PATCH proxmox-backup v3 09/14] api-types: introduce proper types for PAM and PBS realms
2024-08-16 11:16 [pbs-devel] [PATCH proxmox-backup/pwt v3 00/14] fix #5379: introduce default auth realm option Christoph Heiss
` (7 preceding siblings ...)
2024-08-16 11:16 ` [pbs-devel] [PATCH proxmox-backup v3 08/14] fix #5379: api2: access: set default realm accordingly on individual update Christoph Heiss
@ 2024-08-16 11:16 ` Christoph Heiss
2024-08-16 11:16 ` [pbs-devel] [PATCH proxmox-backup v3 10/14] config: use new dedicated PAM and PBS realm types Christoph Heiss
` (6 subsequent siblings)
15 siblings, 0 replies; 23+ messages in thread
From: Christoph Heiss @ 2024-08-16 11:16 UTC (permalink / raw)
To: pbs-devel
Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v2 -> v3:
* no changes
Changes v1 -> v2:
* reorder new module imports
* implement `Default` for new realms
pbs-api-types/src/lib.rs | 97 +++++++++++++++++++++++++++++++++++++++-
1 file changed, 96 insertions(+), 1 deletion(-)
diff --git a/pbs-api-types/src/lib.rs b/pbs-api-types/src/lib.rs
index 635292a5..6706875c 100644
--- a/pbs-api-types/src/lib.rs
+++ b/pbs-api-types/src/lib.rs
@@ -6,7 +6,8 @@ use serde::{Deserialize, Serialize};
pub mod percent_encoding;
use proxmox_schema::{
- api, const_regex, ApiStringFormat, ApiType, ArraySchema, ReturnType, Schema, StringSchema,
+ api, const_regex, ApiStringFormat, ApiType, ArraySchema, EnumEntry, ReturnType, Schema,
+ StringSchema, Updater,
};
use proxmox_time::parse_daily_duration;
@@ -218,6 +219,20 @@ pub const REALM_ID_SCHEMA: Schema = StringSchema::new("Realm name.")
.max_length(32)
.schema();
+const PAM_REALM_ID_SCHEMA: Schema = StringSchema::new("Realm name.")
+ .format(&ApiStringFormat::Enum(&[EnumEntry::new(
+ "pam",
+ "Default PAM realm.",
+ )]))
+ .schema();
+
+const PBS_REALM_ID_SCHEMA: Schema = StringSchema::new("Realm name.")
+ .format(&ApiStringFormat::Enum(&[EnumEntry::new(
+ "pbs",
+ "Default PBS realm.",
+ )]))
+ .schema();
+
pub const SUBSCRIPTION_KEY_SCHEMA: Schema =
StringSchema::new("Proxmox Backup Server subscription key.")
.format(&SUBSCRIPTION_KEY_FORMAT)
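Review bot: The enum entry descriptions `Default PAM realm.` and `Default PBS realm.` are easy to misread in a series that introduces a `default` realm flag. `Built-in PAM realm.` and `Built-in PBS realm.` would match the struct doc comments added further down and avoid the overlap.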
@@ -364,3 +379,83 @@ pub struct BasicRealmInfo {
#[serde(skip_serializing_if = "Option::is_none")]
pub comment: Option<String>,
}
+
+#[api(
+ properties: {
+ "realm": {
+ schema: PAM_REALM_ID_SCHEMA,
+ },
+ "comment": {
+ optional: true,
+ schema: SINGLE_LINE_COMMENT_SCHEMA,
+ },
+ "default": {
+ optional: true,
+ default: false,
+ },
+ }
+)]
+#[derive(Serialize, Deserialize, Updater, Clone)]
+#[serde(rename_all = "kebab-case")]
+/// Built-in PAM realm configuration properties.
+pub struct PamRealmConfig {
+ /// Realm name. Always "pam".
+ #[updater(skip)]
+ pub realm: String,
+ /// Comment for this realm
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub comment: Option<String>,
+ /// True if it should be the default realm to login in
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub default: Option<bool>,
+}
+
+impl Default for PamRealmConfig {
+ fn default() -> Self {
+ Self {
+ realm: "pam".to_owned(),
+ comment: Some("Linux PAM standard authentication".to_owned()),
+ default: None,
+ }
+ }
+}
+
+#[api(
+ properties: {
+ "realm": {
+ schema: PBS_REALM_ID_SCHEMA,
+ },
+ "comment": {
+ optional: true,
+ schema: SINGLE_LINE_COMMENT_SCHEMA,
+ },
+ "default": {
+ optional: true,
+ default: false,
+ },
+ }
+)]
+#[derive(Serialize, Deserialize, Updater, Clone)]
+#[serde(rename_all = "kebab-case")]
+/// Built-in Proxmox Backup Server realm configuration properties.
+pub struct PbsRealmConfig {
+ /// Realm name. Always "pbs".
+ #[updater(skip)]
+ pub realm: String,
+ /// Comment for this realm
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub comment: Option<String>,
+ /// True if it should be the default realm to login in
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub default: Option<bool>,
+}
+
+impl Default for PbsRealmConfig {
+ fn default() -> Self {
+ Self {
+ realm: "pbs".to_owned(),
+ comment: Some("Proxmox Backup authentication server".to_owned()),
+ default: None,
+ }
+ }
+}
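Review bot: `PamRealmConfig` and `PbsRealmConfig` are identical apart from the realm schema and the default comment string, and `realm` is a plain `String` that only the API schema pins to `pam` or `pbs`. Consider constructing them solely through `Default` (or a dedicated constructor) so a mismatched name cannot be built from Rust code, and fix the doc comment wording `to login in` while at it.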
--
2.45.2
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
* [pbs-devel] [PATCH proxmox-backup v3 10/14] config: use new dedicated PAM and PBS realm types
2024-08-16 11:16 [pbs-devel] [PATCH proxmox-backup/pwt v3 00/14] fix #5379: introduce default auth realm option Christoph Heiss
` (8 preceding siblings ...)
2024-08-16 11:16 ` [pbs-devel] [PATCH proxmox-backup v3 09/14] api-types: introduce proper types for PAM and PBS realms Christoph Heiss
@ 2024-08-16 11:16 ` Christoph Heiss
2024-08-16 11:16 ` [pbs-devel] [PATCH proxmox-backup v3 11/14] api2: access: add update support for built-in PAM realm Christoph Heiss
` (5 subsequent siblings)
15 siblings, 0 replies; 23+ messages in thread
From: Christoph Heiss @ 2024-08-16 11:16 UTC (permalink / raw)
To: pbs-devel
Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v2 -> v3:
* no changes
Changes v1 -> v2:
* use `Default` implementation instead of hardcoding default values
pbs-config/src/domains.rs | 21 +++++++++++++++++++--
src/api2/access/domain.rs | 13 -------------
src/bin/proxmox-backup-api.rs | 1 +
src/config/mod.rs | 25 +++++++++++++++++++++++++
4 files changed, 45 insertions(+), 15 deletions(-)
diff --git a/pbs-config/src/domains.rs b/pbs-config/src/domains.rs
index d94d54a8..4ed3ec83 100644
--- a/pbs-config/src/domains.rs
+++ b/pbs-config/src/domains.rs
@@ -8,17 +8,34 @@ use proxmox_schema::{ApiType, ObjectSchema};
use proxmox_section_config::{SectionConfig, SectionConfigData, SectionConfigPlugin};
use crate::{open_backup_lockfile, replace_backup_config, BackupLockGuard};
-use pbs_api_types::{AdRealmConfig, LdapRealmConfig, OpenIdRealmConfig, REALM_ID_SCHEMA};
+use pbs_api_types::{
+ AdRealmConfig, LdapRealmConfig, OpenIdRealmConfig, PamRealmConfig, PbsRealmConfig,
+ REALM_ID_SCHEMA,
+};
pub static CONFIG: LazyLock<SectionConfig> = LazyLock::new(init);
fn init() -> SectionConfig {
+ const PAM_SCHEMA: &ObjectSchema = PamRealmConfig::API_SCHEMA.unwrap_object_schema();
+ const PBS_SCHEMA: &ObjectSchema = PbsRealmConfig::API_SCHEMA.unwrap_object_schema();
const AD_SCHEMA: &ObjectSchema = AdRealmConfig::API_SCHEMA.unwrap_object_schema();
const LDAP_SCHEMA: &ObjectSchema = LdapRealmConfig::API_SCHEMA.unwrap_object_schema();
const OPENID_SCHEMA: &ObjectSchema = OpenIdRealmConfig::API_SCHEMA.unwrap_object_schema();
let mut config = SectionConfig::new(&REALM_ID_SCHEMA);
+ config.register_plugin(SectionConfigPlugin::new(
+ "pam".to_owned(),
+ Some("realm".to_owned()),
+ PAM_SCHEMA,
+ ));
+
+ config.register_plugin(SectionConfigPlugin::new(
+ "pbs".to_owned(),
+ Some("realm".to_owned()),
+ PBS_SCHEMA,
+ ));
+
let plugin = SectionConfigPlugin::new(
"openid".to_string(),
Some(String::from("realm")),
@@ -78,7 +95,7 @@ pub fn unset_default_realm(config: &mut SectionConfigData) -> Result<(), Error>
/// Check if a realm with the given name exists
pub fn exists(domains: &SectionConfigData, realm: &str) -> bool {
- realm == "pbs" || realm == "pam" || domains.sections.contains_key(realm)
+ domains.sections.contains_key(realm)
}
// shell completion helper
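Review bot: `exists()` no longer treats "pam" and "pbs" as always present, so it now returns false for the built-in realms whenever their sections are missing from the config, for example before `update_default_realms()` has written them or after the sections were removed from the file by hand. Every caller that uses `exists()` to validate a realm name should be checked against that case, and the doc comment on `exists()` should say that built-in realms are only found once they are present in the section config.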
diff --git a/src/api2/access/domain.rs b/src/api2/access/domain.rs
index 8f8eebda..cede714a 100644
--- a/src/api2/access/domain.rs
+++ b/src/api2/access/domain.rs
@@ -29,19 +29,6 @@ use crate::server::jobstate::Job;
/// Authentication domain/realm index.
fn list_domains(rpcenv: &mut dyn RpcEnvironment) -> Result<Vec<BasicRealmInfo>, Error> {
let mut list = Vec::new();
-
- list.push(serde_json::from_value(json!({
- "realm": "pam",
- "type": "pam",
- "comment": "Linux PAM standard authentication",
- "default": Some(true),
- }))?);
- list.push(serde_json::from_value(json!({
- "realm": "pbs",
- "type": "pbs",
- "comment": "Proxmox Backup authentication server",
- }))?);
-
let (config, digest) = pbs_config::domains::config()?;
for (_, (section_type, v)) in config.sections.iter() {
diff --git a/src/bin/proxmox-backup-api.rs b/src/bin/proxmox-backup-api.rs
index 7a72d49a..7f6ecbc9 100644
--- a/src/bin/proxmox-backup-api.rs
+++ b/src/bin/proxmox-backup-api.rs
@@ -46,6 +46,7 @@ async fn run() -> Result<(), Error> {
config::create_configdir()?;
config::update_self_signed_cert(false)?;
+ config::update_default_realms()?;
proxmox_backup::server::create_run_dir()?;
proxmox_backup::server::create_state_dir()?;
diff --git a/src/config/mod.rs b/src/config/mod.rs
index 324fabca..0deb1271 100644
--- a/src/config/mod.rs
+++ b/src/config/mod.rs
@@ -12,6 +12,7 @@ use std::path::Path;
use proxmox_lang::try_block;
+use pbs_api_types::{PamRealmConfig, PbsRealmConfig};
use pbs_buildcfg::{self, configdir};
pub mod acme;
@@ -194,3 +195,27 @@ pub(crate) fn set_proxy_certificate(cert_pem: &[u8], key_pem: &[u8]) -> Result<(
Ok(())
}
+
+pub fn update_default_realms() -> Result<(), Error> {
+ let _lock = pbs_config::domains::lock_config()?;
+ let (mut domains, _) = pbs_config::domains::config()?;
+
+ if !pbs_config::domains::exists(&domains, "pam") {
+ domains.set_data(
+ "pam",
+ "pam",
+ PamRealmConfig {
+ // Setting it as default here is safe, because if we perform this
+ // migration, the user had not had any chance to set a custom default anyway.
+ default: Some(true),
+ ..Default::default()
+ },
+ )?;
+ }
+
+ if !pbs_config::domains::exists(&domains, "pbs") {
+ domains.set_data("pbs", "pbs", PbsRealmConfig::default())?;
+ }
+
+ pbs_config::domains::save_config(&domains)
+}
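Review bot: `save_config()` at the end of `update_default_realms()` runs unconditionally, and the function is called from `run()` in `proxmox-backup-api.rs`, so the realm config is rewritten on every start of the API daemon even when both sections already exist; track whether a section was added and only save in that case. The comment above `default: Some(true)` assumes no other realm has `default` set yet; if the `pam` section is missing for another reason (for example removed by hand) while a different realm is already the default, this adds a second default, so either call `unset_default_realm()` first or set the flag only when no realm has it. The new `pub fn` also has no doc comment.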
--
2.45.2
* [pbs-devel] [PATCH proxmox-backup v3 11/14] api2: access: add update support for built-in PAM realm
2024-08-16 11:16 [pbs-devel] [PATCH proxmox-backup/pwt v3 00/14] fix #5379: introduce default auth realm option Christoph Heiss
` (9 preceding siblings ...)
2024-08-16 11:16 ` [pbs-devel] [PATCH proxmox-backup v3 10/14] config: use new dedicated PAM and PBS realm types Christoph Heiss
@ 2024-08-16 11:16 ` Christoph Heiss
2024-08-16 11:16 ` [pbs-devel] [PATCH proxmox-backup v3 12/14] api2: access: add update support for built-in PBS realm Christoph Heiss
` (4 subsequent siblings)
15 siblings, 0 replies; 23+ messages in thread
From: Christoph Heiss @ 2024-08-16 11:16 UTC (permalink / raw)
To: pbs-devel
Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v2 -> v3:
* no changes
Changes v1 -> v2:
* no changes
src/api2/config/access/mod.rs | 2 +
src/api2/config/access/pam.rs | 130 ++++++++++++++++++++++++++++++++++
2 files changed, 132 insertions(+)
create mode 100644 src/api2/config/access/pam.rs
diff --git a/src/api2/config/access/mod.rs b/src/api2/config/access/mod.rs
index b551e662..36ecd005 100644
--- a/src/api2/config/access/mod.rs
+++ b/src/api2/config/access/mod.rs
@@ -5,10 +5,12 @@ use proxmox_sortable_macro::sortable;
pub mod ad;
pub mod ldap;
pub mod openid;
+pub mod pam;
pub mod tfa;
#[sortable]
const SUBDIRS: SubdirMap = &sorted!([
+ ("pam", &pam::ROUTER),
("ad", &ad::ROUTER),
("ldap", &ldap::ROUTER),
("openid", &openid::ROUTER),
diff --git a/src/api2/config/access/pam.rs b/src/api2/config/access/pam.rs
new file mode 100644
index 00000000..04ae616b
--- /dev/null
+++ b/src/api2/config/access/pam.rs
@@ -0,0 +1,130 @@
+use ::serde::{Deserialize, Serialize};
+use anyhow::Error;
+use hex::FromHex;
+
+use proxmox_router::{Permission, Router, RpcEnvironment};
+use proxmox_schema::api;
+
+use pbs_api_types::{
+ PamRealmConfig, PamRealmConfigUpdater, PRIV_REALM_ALLOCATE, PRIV_SYS_AUDIT,
+ PROXMOX_CONFIG_DIGEST_SCHEMA,
+};
+
+use pbs_config::domains;
+
+#[api(
+ returns: {
+ type: PamRealmConfig,
+ },
+ access: {
+ permission: &Permission::Privilege(&["access", "domains"], PRIV_SYS_AUDIT, false),
+ },
+)]
+/// Read the PAM realm configuration
+pub fn read_pam_realm(rpcenv: &mut dyn RpcEnvironment) -> Result<PamRealmConfig, Error> {
+ let (domains, digest) = domains::config()?;
+
+ let config = domains.lookup("pam", "pam")?;
+
+ rpcenv["digest"] = hex::encode(digest).into();
+
+ Ok(config)
+}
+
+#[api]
+#[derive(Serialize, Deserialize)]
+#[serde(rename_all = "kebab-case")]
+/// Deletable property name
+pub enum DeletableProperty {
+ /// Delete the comment property.
+ Comment,
+ /// Delete the default property.
+ Default,
+}
+
+#[api(
+ protected: true,
+ input: {
+ properties: {
+ update: {
+ type: PamRealmConfigUpdater,
+ flatten: true,
+ },
+ delete: {
+ description: "List of properties to delete.",
+ type: Array,
+ optional: true,
+ items: {
+ type: DeletableProperty,
+ }
+ },
+ digest: {
+ optional: true,
+ schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
+ },
+ },
+ },
+ returns: {
+ type: PamRealmConfig,
+ },
+ access: {
+ permission: &Permission::Privilege(&["access", "domains"], PRIV_REALM_ALLOCATE, false),
+ },
+)]
+/// Update the PAM realm configuration
+pub fn update_pam_realm(
+ update: PamRealmConfigUpdater,
+ delete: Option<Vec<DeletableProperty>>,
+ digest: Option<String>,
+ _rpcenv: &mut dyn RpcEnvironment,
+) -> Result<(), Error> {
+ let _lock = domains::lock_config()?;
+
+ let (mut domains, expected_digest) = domains::config()?;
+
+ if let Some(ref digest) = digest {
+ let digest = <[u8; 32]>::from_hex(digest)?;
+ crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
+ }
+
+ let mut config: PamRealmConfig = domains.lookup("pam", "pam")?;
+
+ if let Some(delete) = delete {
+ for delete_prop in delete {
+ match delete_prop {
+ DeletableProperty::Comment => {
+ config.comment = None;
+ }
+ DeletableProperty::Default => {
+ config.default = None;
+ }
+ }
+ }
+ }
+
+ if let Some(comment) = update.comment {
+ let comment = comment.trim().to_string();
+ if comment.is_empty() {
+ config.comment = None;
+ } else {
+ config.comment = Some(comment);
+ }
+ }
+
+ if let Some(true) = update.default {
+ pbs_config::domains::unset_default_realm(&mut domains)?;
+ config.default = Some(true);
+ } else {
+ config.default = None;
+ }
+
+ domains.set_data("pam", "pam", &config)?;
+
+ domains::save_config(&domains)?;
+
+ Ok(())
+}
+
+pub const ROUTER: Router = Router::new()
+ .get(&API_METHOD_READ_PAM_REALM)
+ .put(&API_METHOD_UPDATE_PAM_REALM);
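Review bot: the trailing `else { config.default = None; }` in `update_pam_realm()` clears the flag whenever `update.default` is not `Some(true)`, which includes the parameter being absent, so a request that only changes the comment also drops the default setting. Handling the three cases separately (`Some(true)` sets it after `unset_default_realm()`, `Some(false)` clears it, `None` leaves it unchanged) would fix that and give the `DeletableProperty::Default` arm a purpose, since it is currently redundant with the `else`. Separately, the `#[api]` block declares `returns: { type: PamRealmConfig }` while the function returns `Result<(), Error>`; one of the two should change.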
--
2.45.2
* [pbs-devel] [PATCH proxmox-backup v3 12/14] api2: access: add update support for built-in PBS realm
2024-08-16 11:16 [pbs-devel] [PATCH proxmox-backup/pwt v3 00/14] fix #5379: introduce default auth realm option Christoph Heiss
` (10 preceding siblings ...)
2024-08-16 11:16 ` [pbs-devel] [PATCH proxmox-backup v3 11/14] api2: access: add update support for built-in PAM realm Christoph Heiss
@ 2024-08-16 11:16 ` Christoph Heiss
2024-08-16 11:16 ` [pbs-devel] [PATCH proxmox-backup v3 13/14] www: AccessControl: make `useTypeInUrl` property per-realm Christoph Heiss
` (3 subsequent siblings)
15 siblings, 0 replies; 23+ messages in thread
From: Christoph Heiss @ 2024-08-16 11:16 UTC (permalink / raw)
To: pbs-devel
Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v2 -> v3:
* no changes
Changes v1 -> v2:
* no changes
src/api2/config/access/mod.rs | 2 +
src/api2/config/access/pbs.rs | 130 ++++++++++++++++++++++++++++++++++
2 files changed, 132 insertions(+)
create mode 100644 src/api2/config/access/pbs.rs
diff --git a/src/api2/config/access/mod.rs b/src/api2/config/access/mod.rs
index 36ecd005..1e6070c7 100644
--- a/src/api2/config/access/mod.rs
+++ b/src/api2/config/access/mod.rs
@@ -6,11 +6,13 @@ pub mod ad;
pub mod ldap;
pub mod openid;
pub mod pam;
+pub mod pbs;
pub mod tfa;
#[sortable]
const SUBDIRS: SubdirMap = &sorted!([
("pam", &pam::ROUTER),
+ ("pbs", &pbs::ROUTER),
("ad", &ad::ROUTER),
("ldap", &ldap::ROUTER),
("openid", &openid::ROUTER),
diff --git a/src/api2/config/access/pbs.rs b/src/api2/config/access/pbs.rs
new file mode 100644
index 00000000..2873eabb
--- /dev/null
+++ b/src/api2/config/access/pbs.rs
@@ -0,0 +1,130 @@
+use ::serde::{Deserialize, Serialize};
+use anyhow::Error;
+use hex::FromHex;
+
+use proxmox_router::{Permission, Router, RpcEnvironment};
+use proxmox_schema::api;
+
+use pbs_api_types::{
+ PbsRealmConfig, PbsRealmConfigUpdater, PRIV_REALM_ALLOCATE, PRIV_SYS_AUDIT,
+ PROXMOX_CONFIG_DIGEST_SCHEMA,
+};
+
+use pbs_config::domains;
+
+#[api(
+ returns: {
+ type: PbsRealmConfig,
+ },
+ access: {
+ permission: &Permission::Privilege(&["access", "domains"], PRIV_SYS_AUDIT, false),
+ },
+)]
+/// Read the Proxmox Backup authentication server realm configuration
+pub fn read_pbs_realm(rpcenv: &mut dyn RpcEnvironment) -> Result<PbsRealmConfig, Error> {
+ let (domains, digest) = domains::config()?;
+
+ let config = domains.lookup("pbs", "pbs")?;
+
+ rpcenv["digest"] = hex::encode(digest).into();
+
+ Ok(config)
+}
+
+#[api]
+#[derive(Serialize, Deserialize)]
+#[serde(rename_all = "kebab-case")]
+/// Deletable property name
+pub enum DeletableProperty {
+ /// Delete the comment property.
+ Comment,
+ /// Delete the default property.
+ Default,
+}
+
+#[api(
+ protected: true,
+ input: {
+ properties: {
+ update: {
+ type: PbsRealmConfigUpdater,
+ flatten: true,
+ },
+ delete: {
+ description: "List of properties to delete.",
+ type: Array,
+ optional: true,
+ items: {
+ type: DeletableProperty,
+ }
+ },
+ digest: {
+ optional: true,
+ schema: PROXMOX_CONFIG_DIGEST_SCHEMA,
+ },
+ },
+ },
+ returns: {
+ type: PbsRealmConfig,
+ },
+ access: {
+ permission: &Permission::Privilege(&["access", "domains"], PRIV_REALM_ALLOCATE, false),
+ },
+)]
+/// Update the Proxmox Backup authentication server realm configuration
+pub fn update_pbs_realm(
+ update: PbsRealmConfigUpdater,
+ delete: Option<Vec<DeletableProperty>>,
+ digest: Option<String>,
+ _rpcenv: &mut dyn RpcEnvironment,
+) -> Result<(), Error> {
+ let _lock = domains::lock_config()?;
+
+ let (mut domains, expected_digest) = domains::config()?;
+
+ if let Some(ref digest) = digest {
+ let digest = <[u8; 32]>::from_hex(digest)?;
+ crate::tools::detect_modified_configuration_file(&digest, &expected_digest)?;
+ }
+
+ let mut config: PbsRealmConfig = domains.lookup("pbs", "pbs")?;
+
+ if let Some(delete) = delete {
+ for delete_prop in delete {
+ match delete_prop {
+ DeletableProperty::Comment => {
+ config.comment = None;
+ }
+ DeletableProperty::Default => {
+ config.default = None;
+ }
+ }
+ }
+ }
+
+ if let Some(comment) = update.comment {
+ let comment = comment.trim().to_string();
+ if comment.is_empty() {
+ config.comment = None;
+ } else {
+ config.comment = Some(comment);
+ }
+ }
+
+ if let Some(true) = update.default {
+ pbs_config::domains::unset_default_realm(&mut domains)?;
+ config.default = Some(true);
+ } else {
+ config.default = None;
+ }
+
+ domains.set_data("pbs", "pbs", &config)?;
+
+ domains::save_config(&domains)?;
+
+ Ok(())
+}
+
+pub const ROUTER: Router = Router::new()
+ .get(&API_METHOD_READ_PBS_REALM)
+ .put(&API_METHOD_UPDATE_PBS_REALM);
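Review bot: `pbs.rs` is a near-identical copy of the `pam.rs` added in the previous patch with the type and section names swapped, including a second `DeletableProperty` enum; a shared helper parameterised over the realm config type and section id would keep the two handlers from drifting apart. The declared `returns: { type: PbsRealmConfig }` does not match the `Result<(), Error>` return type of `update_pbs_realm()`, and the final `else { config.default = None; }` clears the default flag on any update that omits `default`, such as a comment-only change.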
--
2.45.2
* [pbs-devel] [PATCH proxmox-backup v3 13/14] www: AccessControl: make `useTypeInUrl` property per-realm
2024-08-16 11:16 [pbs-devel] [PATCH proxmox-backup/pwt v3 00/14] fix #5379: introduce default auth realm option Christoph Heiss
` (11 preceding siblings ...)
2024-08-16 11:16 ` [pbs-devel] [PATCH proxmox-backup v3 12/14] api2: access: add update support for built-in PBS realm Christoph Heiss
@ 2024-08-16 11:16 ` Christoph Heiss
2024-08-16 11:16 ` [pbs-devel] [PATCH proxmox-backup v3 14/14] www: utils: make built-in pbs realm editable using new AuthSimplePanel Christoph Heiss
` (2 subsequent siblings)
15 siblings, 0 replies; 23+ messages in thread
From: Christoph Heiss @ 2024-08-16 11:16 UTC (permalink / raw)
To: pbs-devel
Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v2 -> v3:
* no changes
Changes v1 -> v2:
* no changes
www/Utils.js | 1 +
www/panel/AccessControl.js | 1 -
2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/www/Utils.js b/www/Utils.js
index 4853be36..f6688ca4 100644
--- a/www/Utils.js
+++ b/www/Utils.js
@@ -459,6 +459,7 @@ Ext.define('PBS.Utils', {
edit: false,
pwchange: true,
sync: false,
+ useTypeInUrl: false,
},
});
diff --git a/www/panel/AccessControl.js b/www/panel/AccessControl.js
index d10d0891..4910510e 100644
--- a/www/panel/AccessControl.js
+++ b/www/panel/AccessControl.js
@@ -40,7 +40,6 @@ Ext.define('PBS.AccessControlPanel', {
{
xtype: 'pmxAuthView',
baseUrl: '/config/access',
- useTypeInUrl: true,
title: gettext('Realms'),
itemId: 'domains',
iconCls: 'fa fa-address-book-o',
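Review bot: the commit message has no body, and these two hunks need one: `useTypeInUrl: true` is removed from the `pmxAuthView` item in `AccessControl.js`, while `useTypeInUrl: false` is added only to the `pbs` override in `Utils.js`, so the value for every other realm type has to come from somewhere not visible in this patch. Please state in the commit message where the per-realm value is defined and that this depends on the matching proxmox-widget-toolkit change (the cover letter mentions a required bump), so the patch is not applied against an older toolkit.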
--
2.45.2
* [pbs-devel] [PATCH proxmox-backup v3 14/14] www: utils: make built-in pbs realm editable using new AuthSimplePanel
2024-08-16 11:16 [pbs-devel] [PATCH proxmox-backup/pwt v3 00/14] fix #5379: introduce default auth realm option Christoph Heiss
` (12 preceding siblings ...)
2024-08-16 11:16 ` [pbs-devel] [PATCH proxmox-backup v3 13/14] www: AccessControl: make `useTypeInUrl` property per-realm Christoph Heiss
@ 2024-08-16 11:16 ` Christoph Heiss
2024-08-19 14:19 ` [pbs-devel] [PATCH proxmox-backup/pwt v3 00/14] fix #5379: introduce default auth realm option Hannes Laimer
2024-08-23 11:45 ` Christoph Heiss
15 siblings, 0 replies; 23+ messages in thread
From: Christoph Heiss @ 2024-08-16 11:16 UTC (permalink / raw)
To: pbs-devel
Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
Changes v2 -> v3:
* no changes
Changes v1 -> v2:
* no changes
www/Utils.js | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/www/Utils.js b/www/Utils.js
index f6688ca4..15724958 100644
--- a/www/Utils.js
+++ b/www/Utils.js
@@ -455,8 +455,9 @@ Ext.define('PBS.Utils', {
Proxmox.Schema.overrideAuthDomains({
pbs: {
name: 'Proxmox Backup authentication server',
+ ipanel: 'pmxAuthSimplePanel',
add: false,
- edit: false,
+ edit: true,
pwchange: true,
sync: false,
useTypeInUrl: false,
--
2.45.2
* Re: [pbs-devel] [PATCH widget-toolkit v3 03/14] window: add panel for editing simple, built-in realms
2024-08-16 11:16 ` [pbs-devel] [PATCH widget-toolkit v3 03/14] window: add panel for editing simple, built-in realms Christoph Heiss
@ 2024-08-16 12:23 ` Gabriel Goller
2024-08-16 12:50 ` Christoph Heiss
2024-08-19 14:18 ` Hannes Laimer
1 sibling, 1 reply; 23+ messages in thread
From: Gabriel Goller @ 2024-08-16 12:23 UTC (permalink / raw)
To: Proxmox Backup Server development discussion
On 16.08.2024 13:16, Christoph Heiss wrote:
>diff --git a/src/window/AuthEditSimple.js b/src/window/AuthEditSimple.js
>new file mode 100644
>index 0000000..22932c0
>--- /dev/null
>+++ b/src/window/AuthEditSimple.js
>@@ -0,0 +1,41 @@
>+Ext.define('Proxmox.panel.SimpleRealmInputPanel', {
>+ extend: 'Proxmox.panel.InputPanel',
>+ xtype: 'pmxAuthSimplePanel',
>+ mixins: ['Proxmox.Mixin.CBind'],
>+
>+ type: 'simple',
>+
>+ column1: [
>+ {
>+ xtype: 'pmxDisplayEditField',
>+ name: 'realm',
>+ cbind: {
>+ value: '{realm}',
>+ },
>+ fieldLabel: gettext('Realm'),
>+ allowBlank: false,
Hmm I think `allowBlank` is useless here, as it's not editable.
>+ },
>+ {
>+ xtype: 'proxmoxcheckbox',
>+ fieldLabel: gettext('Default realm'),
>+ name: 'default',
>+ value: 0,
>+ autoEl: {
>+ tag: 'div',
>+ 'data-qtip': gettext('Set realm as default for login'),
>+ },
>+ },
>+ ],
>+
>+ column2: [
>+ ],
>+
>+ columnB: [
>+ {
>+ xtype: 'proxmoxtextfield',
>+ name: 'comment',
>+ fieldLabel: gettext('Comment'),
But here `allowBlank: false` would be useful!
>+ },
>+ ],
>+});
>+
>--
>2.45.2
* Re: [pbs-devel] [PATCH widget-toolkit v3 03/14] window: add panel for editing simple, built-in realms
2024-08-16 12:23 ` Gabriel Goller
@ 2024-08-16 12:50 ` Christoph Heiss
0 siblings, 0 replies; 23+ messages in thread
From: Christoph Heiss @ 2024-08-16 12:50 UTC (permalink / raw)
To: Gabriel Goller; +Cc: Proxmox Backup Server development discussion
Thanks for the review!
On Fri, Aug 16, 2024 at 02:23:39PM GMT, Gabriel Goller wrote:
> On 16.08.2024 13:16, Christoph Heiss wrote:
> > diff --git a/src/window/AuthEditSimple.js b/src/window/AuthEditSimple.js
> > new file mode 100644
> > index 0000000..22932c0
> > --- /dev/null
> > +++ b/src/window/AuthEditSimple.js
> > @@ -0,0 +1,41 @@
> > +Ext.define('Proxmox.panel.SimpleRealmInputPanel', {
> > + extend: 'Proxmox.panel.InputPanel',
> > + xtype: 'pmxAuthSimplePanel',
> > + mixins: ['Proxmox.Mixin.CBind'],
> > +
> > + type: 'simple',
> > +
> > + column1: [
> > + {
> > + xtype: 'pmxDisplayEditField',
> > + name: 'realm',
> > + cbind: {
> > + value: '{realm}',
> > + },
> > + fieldLabel: gettext('Realm'),
> > + allowBlank: false,
>
> Hmm I think `allowBlank` is useless here, as it's not editable.
Good catch! I've taken the LDAP panel as a base, where this field *can* be
editable. I'll remove it with the next revision.
>
> > [..]
> > + columnB: [
> > + {
> > + xtype: 'proxmoxtextfield',
> > + name: 'comment',
> > + fieldLabel: gettext('Comment'),
>
> But here `allowBlank: false` would be useful!
Sure, makes sense in that case!
* Re: [pbs-devel] [PATCH widget-toolkit v3 03/14] window: add panel for editing simple, built-in realms
2024-08-16 11:16 ` [pbs-devel] [PATCH widget-toolkit v3 03/14] window: add panel for editing simple, built-in realms Christoph Heiss
2024-08-16 12:23 ` Gabriel Goller
@ 2024-08-19 14:18 ` Hannes Laimer
2024-08-22 15:19 ` Christoph Heiss
1 sibling, 1 reply; 23+ messages in thread
From: Hannes Laimer @ 2024-08-19 14:18 UTC (permalink / raw)
To: Proxmox Backup Server development discussion
On Fri Aug 16, 2024 at 1:16 PM CEST, Christoph Heiss wrote:
> Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
> ---
> Changes v2 -> v3:
> * no changes
>
> Changes v1 -> v2:
> * no changes
>
> src/Makefile | 1 +
> src/window/AuthEditSimple.js | 41 ++++++++++++++++++++++++++++++++++++
> 2 files changed, 42 insertions(+)
> create mode 100644 src/window/AuthEditSimple.js
>
> diff --git a/src/Makefile b/src/Makefile
> index 0478251..20ba77b 100644
> --- a/src/Makefile
> +++ b/src/Makefile
> @@ -97,6 +97,7 @@ JSSRC= \
> window/AuthEditOpenId.js \
> window/AuthEditLDAP.js \
> window/AuthEditAD.js \
> + window/AuthEditSimple.js \
> window/TfaWindow.js \
> window/AddTfaRecovery.js \
> window/AddTotp.js \
> diff --git a/src/window/AuthEditSimple.js b/src/window/AuthEditSimple.js
> new file mode 100644
> index 0000000..22932c0
> --- /dev/null
> +++ b/src/window/AuthEditSimple.js
> @@ -0,0 +1,41 @@
> +Ext.define('Proxmox.panel.SimpleRealmInputPanel', {
> + extend: 'Proxmox.panel.InputPanel',
> + xtype: 'pmxAuthSimplePanel',
> + mixins: ['Proxmox.Mixin.CBind'],
> +
> + type: 'simple',
> +
> + column1: [
> + {
> + xtype: 'pmxDisplayEditField',
> + name: 'realm',
> + cbind: {
> + value: '{realm}',
> + },
> + fieldLabel: gettext('Realm'),
> + allowBlank: false,
> + },
> + {
> + xtype: 'proxmoxcheckbox',
> + fieldLabel: gettext('Default realm'),
> + name: 'default',
> + value: 0,
nit:
this should include
```
cbind: {
deleteEmpty: '{!isCreate}'
},
```
IIRC we don't send false, so it works because we PUT, but still
> + autoEl: {
> + tag: 'div',
> + 'data-qtip': gettext('Set realm as default for login'),
> + },
> + },
> + ],
> +
> + column2: [
> + ],
> +
> + columnB: [
> + {
> + xtype: 'proxmoxtextfield',
> + name: 'comment',
> + fieldLabel: gettext('Comment'),
> + },
> + ],
> +});
> +
* Re: [pbs-devel] [PATCH proxmox-backup/pwt v3 00/14] fix #5379: introduce default auth realm option
2024-08-16 11:16 [pbs-devel] [PATCH proxmox-backup/pwt v3 00/14] fix #5379: introduce default auth realm option Christoph Heiss
` (13 preceding siblings ...)
2024-08-16 11:16 ` [pbs-devel] [PATCH proxmox-backup v3 14/14] www: utils: make built-in pbs realm editable using new AuthSimplePanel Christoph Heiss
@ 2024-08-19 14:19 ` Hannes Laimer
2024-08-23 11:45 ` Christoph Heiss
15 siblings, 0 replies; 23+ messages in thread
From: Hannes Laimer @ 2024-08-19 14:19 UTC (permalink / raw)
To: Proxmox Backup Server development discussion
Works as described and fixes [1], the code also LGTM.
Consider this
Tested-by: Hannes Laimer <h.laimer@proxmox.com>
Reviewed-by: Hannes Laimer <h.laimer@proxmox.com>
[1] https://bugzilla.proxmox.com/show_bug.cgi?id=5379
* Re: [pbs-devel] [PATCH widget-toolkit v3 03/14] window: add panel for editing simple, built-in realms
2024-08-19 14:18 ` Hannes Laimer
@ 2024-08-22 15:19 ` Christoph Heiss
2024-08-23 6:41 ` Hannes Laimer
0 siblings, 1 reply; 23+ messages in thread
From: Christoph Heiss @ 2024-08-22 15:19 UTC (permalink / raw)
To: Proxmox Backup Server development discussion
On Mon, Aug 19, 2024 at 04:18:54PM GMT, Hannes Laimer wrote:
> On Fri Aug 16, 2024 at 1:16 PM CEST, Christoph Heiss wrote:
> > Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
> > [..]
> > diff --git a/src/window/AuthEditSimple.js b/src/window/AuthEditSimple.js
> > new file mode 100644
> > index 0000000..22932c0
> > --- /dev/null
> > +++ b/src/window/AuthEditSimple.js
> > @@ -0,0 +1,41 @@
> > [..]
> > + {
> > + xtype: 'proxmoxcheckbox',
> > + fieldLabel: gettext('Default realm'),
> > + name: 'default',
> > + value: 0,
>
> nit:
> this should include
> ```
> cbind: {
> deleteEmpty: '{!isCreate}'
> },
> ```
> IIRC we don't send false, so it works because we PUT, but still
>
Since this panel is only used for built-in/pre-existing realms and no
new "simple" realms can be created, `isCreate` does not exist anyway.
* Re: [pbs-devel] [PATCH widget-toolkit v3 03/14] window: add panel for editing simple, built-in realms
2024-08-22 15:19 ` Christoph Heiss
@ 2024-08-23 6:41 ` Hannes Laimer
2024-08-23 10:23 ` Christoph Heiss
0 siblings, 1 reply; 23+ messages in thread
From: Hannes Laimer @ 2024-08-23 6:41 UTC (permalink / raw)
To: Proxmox Backup Server development discussion; +Cc: pbs-devel
On Thu Aug 22, 2024 at 5:19 PM CEST, Christoph Heiss wrote:
> On Mon, Aug 19, 2024 at 04:18:54PM GMT, Hannes Laimer wrote:
> > On Fri Aug 16, 2024 at 1:16 PM CEST, Christoph Heiss wrote:
> > > Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
> > > [..]
> > > diff --git a/src/window/AuthEditSimple.js b/src/window/AuthEditSimple.js
> > > new file mode 100644
> > > index 0000000..22932c0
> > > --- /dev/null
> > > +++ b/src/window/AuthEditSimple.js
> > > @@ -0,0 +1,41 @@
> > > [..]
> > > + {
> > > + xtype: 'proxmoxcheckbox',
> > > + fieldLabel: gettext('Default realm'),
> > > + name: 'default',
> > > + value: 0,
> >
> > nit:
> > this should include
> > ```
> > cbind: {
> > deleteEmpty: '{!isCreate}'
> > },
> > ```
> > IIRC we don't send false, so it works because we PUT, but still
> >
>
> Since this panel is only used for built-in/pre-existing realms and no
> new "simple" realms can be created, `isCreate` does not exist anyway.
>
ohh, right, but then just `deleteEmpty: true` without the cbind, no?
* Re: [pbs-devel] [PATCH widget-toolkit v3 03/14] window: add panel for editing simple, built-in realms
2024-08-23 6:41 ` Hannes Laimer
@ 2024-08-23 10:23 ` Christoph Heiss
0 siblings, 0 replies; 23+ messages in thread
From: Christoph Heiss @ 2024-08-23 10:23 UTC (permalink / raw)
To: Hannes Laimer; +Cc: Proxmox Backup Server development discussion
On Fri, Aug 23, 2024 at 08:41:06AM GMT, Hannes Laimer wrote:
> On Thu Aug 22, 2024 at 5:19 PM CEST, Christoph Heiss wrote:
> > On Mon, Aug 19, 2024 at 04:18:54PM GMT, Hannes Laimer wrote:
> > > On Fri Aug 16, 2024 at 1:16 PM CEST, Christoph Heiss wrote:
> > > > Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
> > > > [..]
> > > > diff --git a/src/window/AuthEditSimple.js b/src/window/AuthEditSimple.js
> > > > new file mode 100644
> > > > index 0000000..22932c0
> > > > --- /dev/null
> > > > +++ b/src/window/AuthEditSimple.js
> > > > @@ -0,0 +1,41 @@
> > > > [..]
> > > > + {
> > > > + xtype: 'proxmoxcheckbox',
> > > > + fieldLabel: gettext('Default realm'),
> > > > + name: 'default',
> > > > + value: 0,
> > >
> > > nit:
> > > this should include
> > > ```
> > > cbind: {
> > > deleteEmpty: '{!isCreate}'
> > > },
> > > ```
> > > IIRC we don't send false, so it works because we PUT, but still
> > >
> >
> > Since this panel is only used for built-in/pre-existing realms and no
> > new "simple" realms can be created, `isCreate` does not exist anyway.
> >
> ohh, right, but then just `deleteEmpty: true` without the cbind, no?
Sure, that makes sense. Just for completeness-sake - it works like
this too, since the API accepts an `Option<bool>` for the `default`
property - so if it's simply missing from the request, the outcome is
the same.
But setting `deleteEmpty` definitely makes the intent clearer to the
reader.
* Re: [pbs-devel] [PATCH proxmox-backup/pwt v3 00/14] fix #5379: introduce default auth realm option
2024-08-16 11:16 [pbs-devel] [PATCH proxmox-backup/pwt v3 00/14] fix #5379: introduce default auth realm option Christoph Heiss
` (14 preceding siblings ...)
2024-08-19 14:19 ` [pbs-devel] [PATCH proxmox-backup/pwt v3 00/14] fix #5379: introduce default auth realm option Hannes Laimer
@ 2024-08-23 11:45 ` Christoph Heiss
15 siblings, 0 replies; 23+ messages in thread
From: Christoph Heiss @ 2024-08-23 11:45 UTC (permalink / raw)
To: Proxmox Backup Server development discussion
v4 out: https://lists.proxmox.com/pipermail/pbs-devel/2024-August/010673.html