From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pmg-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9])
	by lore.proxmox.com (Postfix) with ESMTPS id 4E8451FF15E
	for <inbox@lore.proxmox.com>; Tue, 25 Feb 2025 14:37:51 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 210481D847;
	Tue, 25 Feb 2025 14:37:47 +0100 (CET)
From: Markus Frank <m.frank@proxmox.com>
To: pmg-devel@lists.proxmox.com
Date: Tue, 25 Feb 2025 14:36:07 +0100
Message-Id: <20250225133619.42012-1-m.frank@proxmox.com>
X-Mailer: git-send-email 2.39.5
MIME-Version: 1.0
X-SPAM-LEVEL: Spam detection results:  0
 AWL -0.015 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
 information. [users.pm, pmg.pm, restenvironment.pm, userconfig.pm,
 accesscontrol.pm, plugin.pm, auth.pm, pam.pm, utils.pm, httpserver.pm,
 authrealm.pm, mod.rs, oidc.pm]
Subject: [pmg-devel] [PATCH
 pve-common/perl-rs/pmg-api/widget-toolkit/pmg-gui v6 0/12] fix #3892:
 OpenID Connect
X-BeenThere: pmg-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Mail Gateway development discussion
 <pmg-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pmg-devel>, 
 <mailto:pmg-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pmg-devel/>
List-Post: <mailto:pmg-devel@lists.proxmox.com>
List-Help: <mailto:pmg-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel>, 
 <mailto:pmg-devel-request@lists.proxmox.com?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pmg-devel-bounces@lists.proxmox.com
Sender: "pmg-devel" <pmg-devel-bounces@lists.proxmox.com>

Patch-series to enable OpenID Connect Login for PMG

apply/compile order:

pve-common:
 1 add Schema package with auth module that contains realm sync options

proxmox-perl-rs:
 2 move openid code from pve-rs to common
 3 remove empty PMG::RS::OpenId package to avoid confusion 

pmg-api:
 4 config: add plugin system for authentication realms
 5 config: add oidc type authentication realm
 6 api: add/update/remove authentication realms like in PVE
 7 api: oidc login similar to PVE

proxmox-widget-toolkit:
 8 fix: window: AuthEditBase: rename variable 'realm' to 'type'
 9 fix: panel: AuthView: change API path in pmx-domains model
10 form: RealmComboBox: add option to change the API path

pmg-gui:
11 login: add option to login with OIDC realm
12 add realms panel to user management




I still need to add the option to create users for other realms than PMG
in the API and WebUI. The autocreate option of the OIDC realm can be
used instead for now. Also the autocreate-role option needs to be
exposed to the WebUI. I will send these things as follow-up patches or
in the next iteration if this series cannot be applied yet.




v6:
* renamed Realm to AuthRealm and renamed every domain variable to realm
* changed realm API-path from access/domains to access/auth-realm
* more v6-changes described in the individual patches

v5:
* renamed openid/OpenId variables, filenames and modules to oidc/OIDC
 wherever possible
* renamed Authdomains to Realm

v4:
* split "config: add plugin system for realms & add openid type realms"
 patch into two patches
* use the name 'OpenId' for filenames, but use 'OIDC' as realm type name
* added autocreate-role option to set the role for automatically created
 users in a realm, but currently not exposed in GUI (needs a lot of
 changes in pmg-gui and proxmox-widget-toolkit)


pve-common:

Markus Frank (1):
  add Schema package with auth module that contains realm sync options

 src/Makefile           |  2 ++
 src/PVE/Schema/Auth.pm | 46 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)
 create mode 100644 src/PVE/Schema/Auth.pm


proxmox-perl-rs:

Markus Frank (2):
  move openid code from pve-rs to common
  remove empty PMG::RS::OpenId package to avoid confusion

 common/pkg/Makefile      |  1 +
 common/src/mod.rs        |  1 +
 common/src/oidc/mod.rs   | 63 ++++++++++++++++++++++++++++++++++++++++
 pmg-rs/Cargo.toml        |  1 +
 pmg-rs/Makefile          |  1 -
 pmg-rs/debian/control    |  1 +
 pve-rs/src/openid/mod.rs | 32 +++++---------------
 7 files changed, 75 insertions(+), 25 deletions(-)
 create mode 100644 common/src/oidc/mod.rs


pmg-api:

Markus Frank (4):
  config: add plugin system for authentication realms
  config: add oidc type authentication realm
  api: add/update/remove authentication realms like in PVE
  api: oidc login similar to PVE

 src/Makefile                  |   6 +
 src/PMG/API2/AccessControl.pm |  17 ++-
 src/PMG/API2/AuthRealm.pm     | 274 ++++++++++++++++++++++++++++++++++
 src/PMG/API2/OIDC.pm          | 243 ++++++++++++++++++++++++++++++
 src/PMG/API2/Users.pm         |   1 +
 src/PMG/AccessControl.pm      |  40 +++++
 src/PMG/Auth/OIDC.pm          | 101 +++++++++++++
 src/PMG/Auth/PAM.pm           |  22 +++
 src/PMG/Auth/PMG.pm           |  39 +++++
 src/PMG/Auth/Plugin.pm        | 203 +++++++++++++++++++++++++
 src/PMG/HTTPServer.pm         |   4 +-
 src/PMG/RESTEnvironment.pm    |  14 ++
 src/PMG/UserConfig.pm         |  24 ++-
 src/PMG/Utils.pm              |  29 +++-
 14 files changed, 1001 insertions(+), 16 deletions(-)
 create mode 100644 src/PMG/API2/AuthRealm.pm
 create mode 100644 src/PMG/API2/OIDC.pm
 create mode 100755 src/PMG/Auth/OIDC.pm
 create mode 100755 src/PMG/Auth/PAM.pm
 create mode 100755 src/PMG/Auth/PMG.pm
 create mode 100755 src/PMG/Auth/Plugin.pm


widget-toolkit:

Markus Frank (3):
  fix: window: AuthEditBase: rename variable 'realm' to 'type'
  fix: panel: AuthView: change API path in pmx-domains model
  form: RealmComboBox: add option to change the API path

 src/form/RealmComboBox.js  |  2 ++
 src/panel/AuthView.js      | 20 ++++++++++++--------
 src/window/AuthEditBase.js |  4 ++--
 3 files changed, 16 insertions(+), 10 deletions(-)


pmg-gui:

Markus Frank (2):
  login: add option to login with OIDC realm
  add realms panel to user management

 js/LoginView.js      | 209 ++++++++++++++++++++++++++++++++-----------
 js/UserManagement.js |   7 ++
 js/Utils.js          |  16 ++++
 3 files changed, 181 insertions(+), 51 deletions(-)

-- 
2.39.5



_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel