From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id B1FC1820CE for ; Fri, 26 Nov 2021 18:35:21 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 9F5E21BC02 for ; Fri, 26 Nov 2021 18:34:51 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id F314A1BBF2 for ; Fri, 26 Nov 2021 18:34:49 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id BF341459D1 for ; Fri, 26 Nov 2021 18:34:49 +0100 (CET) Date: Fri, 26 Nov 2021 18:34:48 +0100 From: Stoiko Ivanov To: Wolfgang Bumiller Cc: pmg-devel@lists.proxmox.com Message-ID: <20211126183448.75d4e5ed@rosa.proxmox.com> In-Reply-To: <20211126135524.117846-1-w.bumiller@proxmox.com> References: <20211126135524.117846-1-w.bumiller@proxmox.com> X-Mailer: Claws Mail 3.17.8 (GTK+ 2.24.33; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.293 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [proxmox.com, tfa.pm] Subject: Re: [pmg-devel] [PATCH multiple 0/7] PMG TFA support X-BeenThere: pmg-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Mail Gateway development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 Nov 2021 17:35:21 -0000 Huge thanks for your work on this! * gave it a quick spin on a freshly setup PMG from ISO (by adding a user and setting up TOTP for it) - works as advertised * quickly glanced over the code (e.g. diffing API2/TFA.pm between PVE and PMG) - sent a mail with 2 minor notes to one of the patches * will do a more thorough review on Monday Thanks again! On Fri, 26 Nov 2021 14:55:04 +0100 Wolfgang Bumiller wrote: > This touches multiple repos as it required some more ground-work on the > rust side: > > 1) proxmox-tfa > Aside from fixups and maintenance, patch 4 is the important one: > The `origin` in the webauthn configuration is now *optional*. > > Note that the origin is generally required for webauthn, however, we > also have clusters where the origin shouldn't be pinned cluster-wide. > > This does not really affect PVE as there we store the webauthn > configuration separately and apply it only when it is used, but in > PBS it's kept directly in tfa.json, and PMG for now does this too, > although we *could* move it to pmg.conf or some other synced file if > we wanted? > That would in theory remove the need for this, but I think this is > actually a more appropriate API anyway, since the two other parts of > the config stay the same across a cluster, and the origin can simply > be provided as an overriding parameter to the methods which actually > make use of it. > > 2) proxmox-perl-rs > pmg-rs is now moved into here, also, this contains fixups for the > proxmox-tfa-crate-using pve-side. > Since the newly introduced parameters are at the end and optional, > and perlmod 0.9 supports trailing Option<> parameters as actual > *optional* parameters, this may in theory even be API compatible with > PVE, so hopefully no `Breaks` on old pve-access-control is required, > but we'll see. Option<> at the end translating to optional parameters in perl sounds very nice! (thinking about replacing the set_proxy method for my ACME-proxy series) > > 3) pmg-api > Same login & TFA api updates as in PVE. The config API path is > different, but that's not shared code anyway ;-) > API2/TFA.pm is very similar to PVE, I think I got the method schemas > wright, but I'm not used to the permissions system in PMG so please > double-check this. > The actual changes to the login code path is much shorter than in PVE > since we did not actually have TFA support in there yet. > > 4) pmg-gui > For now this only adds TFA login and the `TfaView` from WTK. The > config (which in this case only means webauthn settings) part isn't > there yet. > > > _______________________________________________ > pmg-devel mailing list > pmg-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel > >