From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: <pmg-devel-bounces@lists.proxmox.com> Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id E1F4F1FF165 for <inbox@lore.proxmox.com>; Wed, 26 Feb 2025 11:20:32 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 1EF94FD7A; Wed, 26 Feb 2025 11:20:32 +0100 (CET) Message-ID: <177eb00e-b474-4526-86bd-a586fc945862@proxmox.com> Date: Wed, 26 Feb 2025 11:20:28 +0100 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird To: pmg-devel@lists.proxmox.com References: <20250225133619.42012-1-m.frank@proxmox.com> <20250225133619.42012-6-m.frank@proxmox.com> Content-Language: en-US From: Mira Limbeck <m.limbeck@proxmox.com> In-Reply-To: <20250225133619.42012-6-m.frank@proxmox.com> X-SPAM-LEVEL: Spam detection results: 0 AWL 0.321 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [accesscontrol.pm, oidc.pm, pam.pm, plugin.pm, pmg.pm] Subject: Re: [pmg-devel] [PATCH pmg-api v6 5/12] config: add oidc type authentication realm X-BeenThere: pmg-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Mail Gateway development discussion <pmg-devel.lists.proxmox.com> List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pmg-devel>, <mailto:pmg-devel-request@lists.proxmox.com?subject=unsubscribe> List-Archive: <http://lists.proxmox.com/pipermail/pmg-devel/> List-Post: <mailto:pmg-devel@lists.proxmox.com> List-Help: <mailto:pmg-devel-request@lists.proxmox.com?subject=help> List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel>, <mailto:pmg-devel-request@lists.proxmox.com?subject=subscribe> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pmg-devel-bounces@lists.proxmox.com Sender: "pmg-devel" <pmg-devel-bounces@lists.proxmox.com> On 2/25/25 14:36, Markus Frank wrote: > PMG::Auth::OIDC is based on pve-access-control's PVE::Auth::OpenId and > adds an autocreate-role option. If the autocreate option is enabled, the > user is automatically created with the Audit role. With autocreate-role > this role can be changed. > > Signed-off-by: Markus Frank <m.frank@proxmox.com> > --- > v6: added regex patterns to restrict the string types > > src/Makefile | 1 + > src/PMG/AccessControl.pm | 2 + > src/PMG/Auth/OIDC.pm | 101 +++++++++++++++++++++++++++++++++++++++ > 3 files changed, 104 insertions(+) > create mode 100755 src/PMG/Auth/OIDC.pm > > diff --git a/src/Makefile b/src/Makefile > index 659a666..3cae7c7 100644 > --- a/src/Makefile > +++ b/src/Makefile > @@ -169,6 +169,7 @@ LIBSOURCES = \ > PMG/Auth/Plugin.pm \ > PMG/Auth/PAM.pm \ > PMG/Auth/PMG.pm \ > + PMG/Auth/OIDC.pm \ > > SOURCES = ${LIBSOURCES} ${CLI_BINARIES} ${TEMPLATES_FILES} ${CONF_MANS} ${CLI_MANS} ${SERVICE_MANS} ${SERVICE_UNITS} ${TIMER_UNITS} pmg-sources.list pmg-initramfs.conf > > diff --git a/src/PMG/AccessControl.pm b/src/PMG/AccessControl.pm > index 78105c0..57d80f8 100644 > --- a/src/PMG/AccessControl.pm > +++ b/src/PMG/AccessControl.pm > @@ -15,9 +15,11 @@ use PMG::LDAPSet; > use PMG::TFAConfig; > > use PMG::Auth::Plugin; > +use PMG::Auth::OIDC; > use PMG::Auth::PAM; > use PMG::Auth::PMG; > > +PMG::Auth::OIDC->register(); > PMG::Auth::PAM->register(); > PMG::Auth::PMG->register(); > PMG::Auth::Plugin->init(); > diff --git a/src/PMG/Auth/OIDC.pm b/src/PMG/Auth/OIDC.pm > new file mode 100755 > index 0000000..600e124 > --- /dev/null > +++ b/src/PMG/Auth/OIDC.pm > @@ -0,0 +1,101 @@ > +package PMG::Auth::OIDC; > + > +use strict; > +use warnings; > + > +use PVE::Tools; > +use PMG::Auth::Plugin; > + > +use base qw(PMG::Auth::Plugin); > + > +sub type { > + return 'oidc'; > +} > + > +sub properties { > + return { > + 'issuer-url' => { > + description => "OpenID Connect Issuer Url", > + type => 'string', > + maxLength => 256, > + pattern => qr/^(https?):\/\/([a-zA-Z0-9.-]+)(:[0-9]{1,5})?(\/[^\s]*)?$/, > + }, > + 'client-id' => { > + description => "OpenID Connect Client ID", > + type => 'string', > + maxLength => 256, > + pattern => qr/^[a-zA-Z0-9._:-]+$/, > + }, > + 'client-key' => { > + description => "OpenID Connect Client Key", > + type => 'string', > + optional => 1, > + maxLength => 256, > + pattern => qr/^[a-zA-Z0-9._:-]+$/, > + }, > + autocreate => { > + description => "Automatically create users if they do not exist.", > + optional => 1, > + type => 'boolean', > + default => 0, > + }, > + 'autocreate-role' => { > + description => "Automatically create users with a specific role.", > + type => 'string', > + enum => ['admin', 'qmanager', 'audit', 'helpdesk'], > + optional => 1, > + }, In code (patch 7/12) we default to `audit`, maybe `default => 'audit'` should be added here? > + 'username-claim' => { > + description => "OpenID Connect claim used to generate the unique username.", > + type => 'string', > + optional => 1, > + pattern => qr/^[a-zA-Z0-9._:-]+$/, > + }, same as above, maybe we should add `default => 'sub'` here. In the code (patch 7/12) we default to `sub`, same as in PVE. > + prompt => { > + description => "Specifies whether the Authorization Server prompts the End-User for" > + ." reauthentication and consent.", > + type => 'string', > + pattern => '(?:none|login|consent|select_account|\S+)', # \S+ is the extension variant > + optional => 1, > + }, > + scopes => { > + description => "Specifies the scopes (user details) that should be authorized and" > + ." returned, for example 'email' or 'profile'.", > + type => 'string', # format => 'some-safe-id-list', # FIXME: TODO > + default => "email profile", > + pattern => qr/^[a-zA-Z0-9._:-]+$/, > + optional => 1, > + }, > + 'acr-values' => { > + description => "Specifies the Authentication Context Class Reference values that the" > + ."Authorization Server is being requested to use for the Auth Request.", > + type => 'string', # format => 'some-safe-id-list', # FIXME: TODO > + pattern => qr/^[a-zA-Z0-9._:-]+$/, > + optional => 1, > + }, > + }; > +} > + > +sub options { > + return { > + 'issuer-url' => {}, > + 'client-id' => {}, > + 'client-key' => { optional => 1 }, > + autocreate => { optional => 1 }, > + 'autocreate-role' => { optional => 1 }, > + 'username-claim' => { optional => 1, fixed => 1 }, > + prompt => { optional => 1 }, > + scopes => { optional => 1 }, > + 'acr-values' => { optional => 1 }, > + default => { optional => 1 }, > + comment => { optional => 1 }, > + }; > +} > + > +sub authenticate_user { > + my ($class, $config, $realm, $username, $password) = @_; > + > + die "OpenID Connect realm does not allow password verification.\n"; > +} > + > +1; _______________________________________________ pmg-devel mailing list pmg-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel