From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 5F23D90570 for ; Tue, 2 Apr 2024 13:27:35 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id A5A264B1D for ; Tue, 2 Apr 2024 13:27:34 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Tue, 2 Apr 2024 13:27:32 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 7475544A10 for ; Tue, 2 Apr 2024 13:27:32 +0200 (CEST) From: Markus Frank To: pmg-devel@lists.proxmox.com Date: Tue, 2 Apr 2024 13:27:18 +0200 Message-Id: <20240402112721.14405-4-m.frank@proxmox.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240402112721.14405-1-m.frank@proxmox.com> References: <20240402112721.14405-1-m.frank@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.034 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pmg-devel] [PATCH pmg-api 3/6] api: add/update/remove realms like in PVE X-BeenThere: pmg-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Mail Gateway development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Apr 2024 11:27:35 -0000 The name Authdomains.pm was chosen because a Domain.pm already exists. Signed-off-by: Markus Frank --- src/Makefile | 1 + src/PMG/API2/AccessControl.pm | 11 +- src/PMG/API2/Authdomains.pm | 272 ++++++++++++++++++++++++++++++++++ 3 files changed, 283 insertions(+), 1 deletion(-) create mode 100644 src/PMG/API2/Authdomains.pm diff --git a/src/Makefile b/src/Makefile index 407cc4a..92662b5 100644 --- a/src/Makefile +++ b/src/Makefile @@ -149,6 +149,7 @@ LIBSOURCES = \ PMG/API2/Postfix.pm \ PMG/API2/Quarantine.pm \ PMG/API2/AccessControl.pm \ + PMG/API2/Authdomains.pm \ PMG/API2/TFA.pm \ PMG/API2/TFAConfig.pm \ PMG/API2/ObjectGroupHelpers.pm \ diff --git a/src/PMG/API2/AccessControl.pm b/src/PMG/API2/AccessControl.pm index e26ae70..c720f59 100644 --- a/src/PMG/API2/AccessControl.pm +++ b/src/PMG/API2/AccessControl.pm @@ -12,6 +12,7 @@ use PVE::JSONSchema qw(get_standard_option); use PMG::Utils; use PMG::UserConfig; use PMG::AccessControl; +use PMG::API2::Authdomains; use PMG::API2::Users; use PMG::API2::TFA; use PMG::TFAConfig; @@ -30,6 +31,11 @@ __PACKAGE__->register_method ({ path => 'tfa', }); +__PACKAGE__->register_method ({ + subclass => "PMG::API2::Authdomains", + path => 'domains', +}); + __PACKAGE__->register_method ({ name => 'index', path => '', @@ -57,6 +63,7 @@ __PACKAGE__->register_method ({ my $res = [ { subdir => 'ticket' }, + { subdir => 'domains' }, { subdir => 'password' }, { subdir => 'users' }, ]; @@ -248,7 +255,9 @@ __PACKAGE__->register_method ({ my $username = $param->{username}; - if ($username !~ m/\@(pam|pmg|quarantine)$/) { + my $valid_pmg_realms = PMG::Utils::valid_pmg_realms(); + my $realm_list = join('|', @$valid_pmg_realms); + if ($username !~ m/\@(${realm_list})$/) { my $realm = $param->{realm} // 'quarantine'; $username .= "\@$realm"; } diff --git a/src/PMG/API2/Authdomains.pm b/src/PMG/API2/Authdomains.pm new file mode 100644 index 0000000..a283fcb --- /dev/null +++ b/src/PMG/API2/Authdomains.pm @@ -0,0 +1,272 @@ +package PMG::API2::Authdomains; + +use strict; +use warnings; + +use PVE::Exception qw(raise_param_exc); +use PVE::INotify; +use PVE::JSONSchema qw(get_standard_option); +use PVE::RESTHandler; +use PVE::SafeSyslog; +use PVE::Tools qw(extract_param); + +use PMG::AccessControl; +use PMG::Auth::Plugin; + +my $domainconfigfile = "realms.cfg"; + +use base qw(PVE::RESTHandler); + +__PACKAGE__->register_method ({ + name => 'index', + path => '', + method => 'GET', + description => "Authentication domain index.", + permissions => { + description => "Anyone can access that, because we need that list for the login box (before the user is authenticated).", + user => 'world', + }, + parameters => { + additionalProperties => 0, + properties => {}, + }, + returns => { + type => 'array', + items => { + type => "object", + properties => { + realm => { type => 'string' }, + type => { type => 'string' }, + tfa => { + description => "Two-factor authentication provider.", + type => 'string', + enum => [ 'yubico', 'oath' ], + optional => 1, + }, + comment => { + description => "A comment. The GUI use this text when you select a domain (Realm) on the login window.", + type => 'string', + optional => 1, + }, + }, + }, + links => [ { rel => 'child', href => "{realm}" } ], + }, + code => sub { + my ($param) = @_; + + my $res = []; + + my $cfg = PVE::INotify::read_file($domainconfigfile); + my $ids = $cfg->{ids}; + + for my $realm (keys %$ids) { + my $d = $ids->{$realm}; + my $entry = { realm => $realm, type => $d->{type} }; + $entry->{comment} = $d->{comment} if $d->{comment}; + $entry->{default} = 1 if $d->{default}; + if ($d->{tfa} && (my $tfa_cfg = PMG::Auth::Plugin::parse_tfa_config($d->{tfa}))) { + $entry->{tfa} = $tfa_cfg->{type}; + } + push @$res, $entry; + } + + return $res; + }}); + +__PACKAGE__->register_method ({ + name => 'create', + protected => 1, + path => '', + method => 'POST', + permissions => { check => [ 'admin' ] }, + description => "Add an authentication server.", + parameters => PMG::Auth::Plugin->createSchema(0), + returns => { type => 'null' }, + code => sub { + my ($param) = @_; + + # always extract, add it with hook + my $password = extract_param($param, 'password'); + + PMG::Auth::Plugin::lock_domain_config( + sub { + my $cfg = PVE::INotify::read_file($domainconfigfile); + my $ids = $cfg->{ids}; + + my $realm = extract_param($param, 'realm'); + my $type = $param->{type}; + my $check_connection = extract_param($param, 'check-connection'); + + die "domain '$realm' already exists\n" + if $ids->{$realm}; + + die "unable to use reserved name '$realm'\n" + if ($realm eq 'pam' || $realm eq 'pve'); + + die "unable to create builtin type '$type'\n" + if ($type eq 'pam' || $type eq 'pve'); + + my $plugin = PMG::Auth::Plugin->lookup($type); + my $config = $plugin->check_config($realm, $param, 1, 1); + + if ($config->{default}) { + for my $r (keys %$ids) { + delete $ids->{$r}->{default}; + } + } + + $ids->{$realm} = $config; + + my $opts = $plugin->options(); + if (defined($password) && !defined($opts->{password})) { + $password = undef; + warn "ignoring password parameter"; + } + $plugin->on_add_hook($realm, $config, password => $password); + + PVE::INotify::write_file($domainconfigfile, $cfg); + }, + "add auth server failed", + ); + return undef; + }}); + +__PACKAGE__->register_method ({ + name => 'update', + path => '{realm}', + method => 'PUT', + permissions => { check => [ 'admin' ] }, + description => "Update authentication server settings.", + protected => 1, + parameters => PMG::Auth::Plugin->updateSchema(0), + returns => { type => 'null' }, + code => sub { + my ($param) = @_; + + # always extract, update in hook + my $password = extract_param($param, 'password'); + + PMG::Auth::Plugin::lock_domain_config( + sub { + my $cfg = PVE::INotify::read_file($domainconfigfile); + my $ids = $cfg->{ids}; + + my $digest = extract_param($param, 'digest'); + PVE::SectionConfig::assert_if_modified($cfg, $digest); + + my $realm = extract_param($param, 'realm'); + my $type = $ids->{$realm}->{type}; + my $check_connection = extract_param($param, 'check-connection'); + + die "domain '$realm' does not exist\n" + if !$ids->{$realm}; + + my $delete_str = extract_param($param, 'delete'); + die "no options specified\n" + if !$delete_str && !scalar(keys %$param) && !defined($password); + + my $delete_pw = 0; + for my $opt (PVE::Tools::split_list($delete_str)) { + delete $ids->{$realm}->{$opt}; + $delete_pw = 1 if $opt eq 'password'; + } + + my $plugin = PMG::Auth::Plugin->lookup($type); + my $config = $plugin->check_config($realm, $param, 0, 1); + + if ($config->{default}) { + for my $r (keys %$ids) { + delete $ids->{$r}->{default}; + } + } + + for my $p (keys %$config) { + $ids->{$realm}->{$p} = $config->{$p}; + } + + my $opts = $plugin->options(); + if ($delete_pw || defined($password)) { + $plugin->on_update_hook($realm, $config, password => $password); + } else { + $plugin->on_update_hook($realm, $config); + } + + PVE::INotify::write_file($domainconfigfile, $cfg); + }, + "update auth server failed" + ); + return undef; + }}); + +# fixme: return format! +__PACKAGE__->register_method ({ + name => 'read', + path => '{realm}', + method => 'GET', + description => "Get auth server configuration.", + permissions => { check => [ 'admin', 'qmanager', 'audit' ] }, + parameters => { + additionalProperties => 0, + properties => { + realm => get_standard_option('realm'), + }, + }, + returns => {}, + code => sub { + my ($param) = @_; + + my $cfg = PVE::INotify::read_file($domainconfigfile); + + my $realm = $param->{realm}; + + my $data = $cfg->{ids}->{$realm}; + die "domain '$realm' does not exist\n" if !$data; + + my $type = $data->{type}; + + $data->{digest} = $cfg->{digest}; + + return $data; + }}); + + +__PACKAGE__->register_method ({ + name => 'delete', + path => '{realm}', + method => 'DELETE', + permissions => { check => [ 'admin' ] }, + description => "Delete an authentication server.", + protected => 1, + parameters => { + additionalProperties => 0, + properties => { + realm => get_standard_option('realm'), + } + }, + returns => { type => 'null' }, + code => sub { + my ($param) = @_; + + PMG::Auth::Plugin::lock_domain_config( + sub { + my $cfg = PVE::INotify::read_file($domainconfigfile); + my $ids = $cfg->{ids}; + my $realm = $param->{realm}; + + die "authentication domain '$realm' does not exist\n" if !$ids->{$realm}; + + my $plugin = PMG::Auth::Plugin->lookup($ids->{$realm}->{type}); + + $plugin->on_delete_hook($realm, $ids->{$realm}); + + delete $ids->{$realm}; + + PVE::INotify::write_file($domainconfigfile, $cfg); + }, + "delete auth server failed", + ); + return undef; + }}); + +1; -- 2.39.2