From: Wolfgang Bumiller
To: pmg-devel@lists.proxmox.com
Date: Fri, 26 Nov 2021 14:55:04 +0100
Message-Id: <20211126135524.117846-1-w.bumiller@proxmox.com>
Subject: [pmg-devel] [PATCH multiple 0/7] PMG TFA support

This touches multiple repos as it required some more ground-work on the rust side:

1) proxmox-tfa

Aside from fixups and maintenance, patch 4 is the important one: the `origin` in the webauthn configuration is now *optional*.
Note that the origin is generally required for webauthn, however, we also have clusters where the origin shouldn't be pinned cluster-wide.
This does not really affect PVE as there we store the webauthn configuration separately and apply it only when it is used, but in PBS it's kept directly in tfa.json, and PMG for now does this too, although we *could* move it to pmg.conf or some other synced file if we wanted? That would in theory remove the need for this, but I think this is actually a more appropriate API anyway, since the two other parts of the config stay the same across a cluster, and the origin can simply be provided as an overriding parameter to the methods which actually make use of it.

2) proxmox-perl-rs

pmg-rs is now moved into here, also, this contains fixups for the proxmox-tfa-crate-using pve-side.
Since the newly introduced parameters are at the end and optional, and perlmod 0.9 supports trailing Option<> parameters as actual *optional* parameters, this may in theory even be API compatible with PVE, so hopefully no `Breaks` on old pve-access-control is required, but we'll see.

3) pmg-api

Same login & TFA api updates as in PVE. The config API path is different, but that's not shared code anyway ;-)
API2/TFA.pm is very similar to PVE, I think I got the method schemas right, but I'm not used to the permissions system in PMG so please double-check this.
The actual changes to the login code path are much shorter than in PVE since we did not actually have TFA support in there yet.

4) pmg-gui

For now this only adds TFA login and the `TfaView` from WTK. The config (which in this case only means webauthn settings) part isn't there yet.
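The design point in item 1 (rp and id stay cluster-wide, the origin becomes optional and can be overridden per call) and the trailing-`Option<>` parameter shape from item 2, shown as an added stand-alone Rust example. This is not code from the proxmox-tfa crate or from this patch series; the struct, the error type, the `effective_origin` / `check_client_origin` methods and the sample hostnames are assumptions made for illustration, and the origin check is simplified (a real WebAuthn verifier also checks the challenge, RP ID hash and signature).

```rust
use std::fmt;

/// Cluster-wide WebAuthn settings as kept in a synced file such as tfa.json.
/// `rp` and `id` are the same on every node; `origin` is optional so that
/// clusters which must not pin one origin can leave it out and pass it per call.
/// (Illustrative type, not the crate's own.)
#[derive(Debug, Clone, PartialEq)]
pub struct WebauthnConfig {
    pub rp: String,
    pub id: String,
    pub origin: Option<String>,
}

#[derive(Debug, PartialEq)]
pub enum WebauthnError {
    /// Neither the config nor the caller supplied an origin; WebAuthn cannot run without one.
    MissingOrigin,
    /// The origin the client reported differs from the one this node expects.
    OriginMismatch { expected: String, got: String },
}

impl fmt::Display for WebauthnError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            WebauthnError::MissingOrigin => {
                write!(f, "webauthn origin is required but not configured")
            }
            WebauthnError::OriginMismatch { expected, got } => {
                write!(f, "webauthn origin mismatch: expected {}, got {}", expected, got)
            }
        }
    }
}

impl WebauthnConfig {
    /// Pick the origin for one WebAuthn operation. The trailing `Option<&str>`
    /// mirrors an optional trailing parameter: a caller that passes `None` gets
    /// the cluster-wide value, a node with its own hostname overrides it, and
    /// if neither exists the operation must fail rather than proceed without an origin.
    pub fn effective_origin(&self, origin: Option<&str>) -> Result<String, WebauthnError> {
        origin
            .map(str::to_owned)
            .or_else(|| self.origin.clone())
            .ok_or(WebauthnError::MissingOrigin)
    }

    /// Compare the origin a client reported (from clientDataJSON in a real flow)
    /// with the one resolved for this call. Simplified: only the origin is checked here.
    pub fn check_client_origin(
        &self,
        origin: Option<&str>,
        client_origin: &str,
    ) -> Result<(), WebauthnError> {
        let expected = self.effective_origin(origin)?;
        if expected == client_origin {
            Ok(())
        } else {
            Err(WebauthnError::OriginMismatch {
                expected,
                got: client_origin.to_owned(),
            })
        }
    }
}

/// Constructed sample: a cluster that pins one origin in its synced config.
pub fn pinned_config() -> WebauthnConfig {
    WebauthnConfig {
        rp: "Example Mail Gateway".into(),
        id: "example.test".into(),
        origin: Some("https://pmg.example.test:8006".into()),
    }
}

/// Constructed sample: a cluster that leaves the origin unset and supplies it per node.
pub fn unpinned_config() -> WebauthnConfig {
    WebauthnConfig {
        origin: None,
        ..pinned_config()
    }
}

fn main() {
    let pinned = pinned_config();
    let unpinned = unpinned_config();
    let node2 = "https://node2.example.test:8006";
    println!("pinned, no override:   {:?}", pinned.effective_origin(None));
    println!("pinned, override:      {:?}", pinned.effective_origin(Some(node2)));
    println!("unpinned, no override: {:?}", unpinned.effective_origin(None));
    println!("unpinned, override:    {:?}", unpinned.effective_origin(Some(node2)));
    match unpinned.check_client_origin(Some(node2), "https://node1.example.test:8006") {
        Err(e) => println!("rejected: {}", e),
        Ok(()) => println!("accepted"),
    }
}
```

The point to notice is the third case: with the origin unset cluster-wide and no per-call override, the call returns `MissingOrigin` instead of silently accepting any origin, which is what keeps "optional in the config" from turning into "optional for the protocol".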