From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pmg-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9])
	by lore.proxmox.com (Postfix) with ESMTPS id 565781FF16E
	for <inbox@lore.proxmox.com>; Mon, 17 Feb 2025 12:47:39 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 5768E1E283;
	Mon, 17 Feb 2025 12:47:37 +0100 (CET)
Date: Mon, 17 Feb 2025 12:47:00 +0100
From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: Markus Frank <m.frank@proxmox.com>
Message-ID: <20250217124700.239a0178@rosa.proxmox.com>
In-Reply-To: <20250114093010.4560-1-m.frank@proxmox.com>
References: <20250114093010.4560-1-m.frank@proxmox.com>
X-Mailer: Claws Mail 4.1.1 (GTK 3.24.38; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Subject: Re: [pmg-devel] [PATCH
 pve-common/perl-rs/pmg-api/widget-toolkit/pmg-gui v4 0/10] fix #3892:
 OpenID Connect
X-BeenThere: pmg-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Mail Gateway development discussion
 <pmg-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pmg-devel>, 
 <mailto:pmg-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pmg-devel/>
List-Post: <mailto:pmg-devel@lists.proxmox.com>
List-Help: <mailto:pmg-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel>, 
 <mailto:pmg-devel-request@lists.proxmox.com?subject=subscribe>
Cc: pmg-devel@lists.proxmox.com
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pmg-devel-bounces@lists.proxmox.com
Sender: "pmg-devel" <pmg-devel-bounces@lists.proxmox.com>

Looked a bit more through the code - looks ok; as it is adapted from
the equivalent modules in PVE, it should also work fine.

Currently the naming of OpenID (as we used it in PVE and PBS) vs.
OIDC/OpenID Connect (which would be more correct) in this series is quite
mixed.

I guess based on the feedback from Christoph:
https://lore.proxmox.com/pmg-devel/ohu4ixitjhxht7tpjskog5mgzqzsygpqahsfcfsnlzz4iqijqm@7cdgsj47cwwu/T/#mbdc24acf0a6120884b48f573c123b4b061f5a7a8
and Thomas:
https://lore.proxmox.com/pmg-devel/20240402112721.14405-1-m.frank@proxmox.com/T/#m4cd74983f35eeac791d43bf118ef4073f7f416d4
respectively.

As you're moving part of the common things around anyways this would be
the occasion to rename things to OIDC and pull those changes in PVE
(at least where it shares the proxmox-rs part).



On Tue, 14 Jan 2025 10:30:00 +0100
Markus Frank <m.frank@proxmox.com> wrote:

> Patch-series to enable OpenID Connect Login for PMG
> 
> apply/compile order:
> 
> pve-common: 
>  1 add Schema package with auth module that contains realm sync options
> 
> proxmox-perl-rs:
>  2 move openid code from pve-rs to common
>  3 remove empty PMG::RS::OpenId package to avoid confusion 
> 
> pmg-api:
>  4 config: add plugin system for realms
>  5 config: add openid type realm
>  6 api: add/update/remove realms like in PVE
>  7 api: openid login similar to PVE
> 
> proxmox-widget-toolkit:
>  8 fix: window: AuthEditBase: rename variable 'realm' to 'type'
> 
> pmg-gui:
>  9 login: add option to login with OpenID realm
> 10 add panel for realms to User Management
> 
> 
> 
> v4:
> * split "config: add plugin system for realms & add openid type realms"
>  patch into two patches
> * use the name 'OpenId' for filenames, but use 'OIDC' as realm type name
> * added autocreate-role option to set the role for automatically created
>  users in a realm, but currently not exposed in GUI (needs a lot of
>  changes in pmg-gui and proxmox-widget-toolkit)
> 
> 
> pve-common:
> 
> Markus Frank (1):
>   add Schema package with auth module that contains realm sync options
> 
>  src/Makefile           |  2 ++
>  src/PVE/Schema/Auth.pm | 82 ++++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 84 insertions(+)
>  create mode 100644 src/PVE/Schema/Auth.pm
> 
> 
> proxmox-perl-rs:
> 
> Markus Frank (2):
>   move openid code from pve-rs to common
>   remove empty PMG::RS::OpenId package to avoid confusion
> 
>  common/pkg/Makefile      |  1 +
>  common/src/mod.rs        |  1 +
>  common/src/openid/mod.rs | 63 ++++++++++++++++++++++++++++++++++++++++
>  pmg-rs/Cargo.toml        |  1 +
>  pmg-rs/Makefile          |  1 -
>  pmg-rs/debian/control    |  1 +
>  pve-rs/src/openid/mod.rs | 32 +++++---------------
>  7 files changed, 75 insertions(+), 25 deletions(-)
>  create mode 100644 common/src/openid/mod.rs
> 
> 
> pmg-api:
> 
> Markus Frank (4):
>   config: add plugin system for realms
>   config: add openid type realm
>   api: add/update/remove realms like in PVE
>   api: openid login similar to PVE
> 
>  src/Makefile                  |   6 +
>  src/PMG/API2/AccessControl.pm |  17 ++-
>  src/PMG/API2/Authdomains.pm   | 274 ++++++++++++++++++++++++++++++++++
>  src/PMG/API2/OpenId.pm        | 243 ++++++++++++++++++++++++++++++
>  src/PMG/AccessControl.pm      |  33 ++++
>  src/PMG/Auth/OpenId.pm        |  95 ++++++++++++
>  src/PMG/Auth/PAM.pm           |  22 +++
>  src/PMG/Auth/PMG.pm           |  39 +++++
>  src/PMG/Auth/Plugin.pm        | 199 ++++++++++++++++++++++++
>  src/PMG/HTTPServer.pm         |   2 +
>  src/PMG/RESTEnvironment.pm    |  14 ++
>  src/PMG/UserConfig.pm         |  25 ++--
>  src/PMG/Utils.pm              |  29 +++-
>  13 files changed, 981 insertions(+), 17 deletions(-)
>  create mode 100644 src/PMG/API2/Authdomains.pm
>  create mode 100644 src/PMG/API2/OpenId.pm
>  create mode 100755 src/PMG/Auth/OpenId.pm
>  create mode 100755 src/PMG/Auth/PAM.pm
>  create mode 100755 src/PMG/Auth/PMG.pm
>  create mode 100755 src/PMG/Auth/Plugin.pm
> 
> 
> widget-toolkit:
> 
> Markus Frank (1):
>   fix: window: AuthEditBase: rename variable 'realm' to 'type'
> 
>  src/window/AuthEditBase.js | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> 
> pmg-gui:
> 
> Markus Frank (2):
>   login: add OpenID realms
>   add panel for realms to User Management
> 
>  js/LoginView.js      | 208 ++++++++++++++++++++++++++++++++-----------
>  js/UserManagement.js |   6 ++
>  js/Utils.js          |  23 +++++
>  3 files changed, 186 insertions(+), 51 deletions(-)
> 


