From: Markus Frank <m.frank@proxmox.com>
To: pmg-devel@lists.proxmox.com
Subject: [pmg-devel] [PATCH pmg-api v6 6/12] api: add/update/remove authentication realms like in PVE
Date: Tue, 25 Feb 2025 14:36:13 +0100	[thread overview]
Message-ID: <20250225133619.42012-7-m.frank@proxmox.com> (raw)
In-Reply-To: <20250225133619.42012-1-m.frank@proxmox.com>

PMG::API2::AuthRealm is based on pve-access-control's PVE::API2::Domains.
The name AuthRealm.pm was chosen because a Domain.pm already exists.

Signed-off-by: Markus Frank <m.frank@proxmox.com>
---
v6: 
* renamed api-path domains to auth-realm
* renamed Realm to AuthRealm
* used PMG::Auth::Plugin->realm_cfg_id() instead of $domainconfigfile

 src/Makefile                  |   1 +
 src/PMG/API2/AccessControl.pm |  10 +-
 src/PMG/API2/AuthRealm.pm     | 274 ++++++++++++++++++++++++++++++++++
 src/PMG/HTTPServer.pm         |   2 +-
 4 files changed, 285 insertions(+), 2 deletions(-)
 create mode 100644 src/PMG/API2/AuthRealm.pm

diff --git a/src/Makefile b/src/Makefile
index 3cae7c7..3d3c932 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -151,6 +151,7 @@ LIBSOURCES =				\
 	PMG/API2/Postfix.pm		\
 	PMG/API2/Quarantine.pm		\
 	PMG/API2/AccessControl.pm	\
+	PMG/API2/AuthRealm.pm		\
 	PMG/API2/TFA.pm			\
 	PMG/API2/TFAConfig.pm		\
 	PMG/API2/ObjectGroupHelpers.pm	\
diff --git a/src/PMG/API2/AccessControl.pm b/src/PMG/API2/AccessControl.pm
index e26ae70..95b28ee 100644
--- a/src/PMG/API2/AccessControl.pm
+++ b/src/PMG/API2/AccessControl.pm
@@ -12,6 +12,7 @@ use PVE::JSONSchema qw(get_standard_option);
 use PMG::Utils;
 use PMG::UserConfig;
 use PMG::AccessControl;
+use PMG::API2::AuthRealm;
 use PMG::API2::Users;
 use PMG::API2::TFA;
 use PMG::TFAConfig;
@@ -30,6 +31,11 @@ __PACKAGE__->register_method ({
     path => 'tfa',
 });
 
+__PACKAGE__->register_method ({
+    subclass => "PMG::API2::AuthRealm",
+    path => 'auth-realm',
+});
+
 __PACKAGE__->register_method ({
     name => 'index',
     path => '',
@@ -57,6 +63,7 @@ __PACKAGE__->register_method ({
 
 	my $res = [
 	    { subdir => 'ticket' },
+	    { subdir => 'auth-realm' },
 	    { subdir => 'password' },
 	    { subdir => 'users' },
 	];
@@ -248,7 +255,8 @@ __PACKAGE__->register_method ({
 
 	my $username = $param->{username};
 
-	if ($username !~ m/\@(pam|pmg|quarantine)$/) {
+	my $realm_regex = PMG::Utils::valid_pmg_realm_regex();
+	if ($username !~ m/\@(${realm_regex})$/) {
 	    my $realm = $param->{realm} // 'quarantine';
 	    $username .= "\@$realm";
 	}
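Review bot: The fragment returned by `PMG::Utils::valid_pmg_realm_regex()` is interpolated into the pattern unescaped, and the match is still anchored with `$`, which also matches before a trailing newline. The helper is not part of this patch, so this needs confirming: if it joins configured realm ids without `quotemeta`, a `.` in a realm id matches any character and a username ending in a near-miss of a realm name skips the `quarantine` default. Anchoring with `\z`, as in `if ($username !~ m/\@(${realm_regex})\z/) {`, and having the helper return an escaped alternation keeps the check exact. The enclosing method body starts and ends outside this hunk.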
diff --git a/src/PMG/API2/AuthRealm.pm b/src/PMG/API2/AuthRealm.pm
new file mode 100644
index 0000000..013e5fd
--- /dev/null
+++ b/src/PMG/API2/AuthRealm.pm
@@ -0,0 +1,274 @@
+package PMG::API2::AuthRealm;
+
+use strict;
+use warnings;
+
+use PVE::Exception qw(raise_param_exc);
+use PVE::INotify;
+use PVE::JSONSchema qw(get_standard_option);
+use PVE::RESTHandler;
+use PVE::SafeSyslog;
+use PVE::Tools qw(extract_param);
+
+use PMG::AccessControl;
+use PMG::Auth::Plugin;
+use PVE::Schema::Auth;
+
+use base qw(PVE::RESTHandler);
+
+__PACKAGE__->register_method ({
+    name => 'index',
+    path => '',
+    method => 'GET',
+    description => "Authentication realm index.",
+    permissions => {
+	description => "Anyone can access that, because we need that list for the login box (before"
+	    ." the user is authenticated).",
+	user => 'world',
+    },
+    parameters => {
+	additionalProperties => 0,
+	properties => {},
+    },
+    returns => {
+	type => 'array',
+	items => {
+	    type => "object",
+	    properties => {
+		realm => { type => 'string' },
+		type => { type => 'string' },
+		tfa => {
+		    description => "Two-factor authentication provider.",
+		    type => 'string',
+		    enum => [ 'yubico', 'oath' ],
+		    optional => 1,
+		},
+		comment => {
+		    description => "A comment. The GUI use this text when you select a"
+			." authentication realm on the login window.",
+		    type => 'string',
+		    optional => 1,
+		},
+	    },
+	},
+	links => [ { rel => 'child', href => "{realm}" } ],
+    },
+    code => sub {
+	my ($param) = @_;
+
+	my $res = [];
+
+	my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin->realm_cfg_id());
+	my $ids = $cfg->{ids};
+
+	for my $realm (keys %$ids) {
+	    my $d = $ids->{$realm};
+	    my $entry = { realm => $realm, type => $d->{type} };
+	    $entry->{comment} = $d->{comment} if $d->{comment};
+	    $entry->{default} = 1 if $d->{default};
+	    if ($d->{tfa} && (my $tfa_cfg = PVE::Schema::Auth::parse_tfa_config($d->{tfa}))) {
+		$entry->{tfa} = $tfa_cfg->{type};
+	    }
+	    push @$res, $entry;
+	}
+
+	return $res;
+    }});
+
+__PACKAGE__->register_method ({
+    name => 'create',
+    protected => 1,
+    path => '',
+    method => 'POST',
+    permissions => { check => [ 'admin' ] },
+    description => "Add an authentication server.",
+    parameters => PMG::Auth::Plugin->createSchema(0),
+    returns => { type => 'null' },
+    code => sub {
+	my ($param) = @_;
+
+	# always extract, add it with hook
+	my $password = extract_param($param, 'password');
+
+	PMG::Auth::Plugin::lock_realm_config(
+	    sub {
+		my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin->realm_cfg_id());
+		my $ids = $cfg->{ids};
+
+		my $realm = extract_param($param, 'realm');
+		PMG::Auth::Plugin::pmg_verify_realm($realm);
+		my $type = $param->{type};
+		my $check_connection = extract_param($param, 'check-connection');
+
+		die "authentication realm '$realm' already exists\n"
+		    if $ids->{$realm};
+
+		die "unable to use reserved name '$realm'\n"
+		    if ($realm eq 'pam' || $realm eq 'pmg');
+
+		die "unable to create builtin type '$type'\n"
+		    if ($type eq 'pam' || $type eq 'pmg');
+
+		my $plugin = PMG::Auth::Plugin->lookup($type);
+		my $config = $plugin->check_config($realm, $param, 1, 1);
+
+		if ($config->{default}) {
+		    for my $r (keys %$ids) {
+			delete $ids->{$r}->{default};
+		    }
+		}
+
+		$ids->{$realm} = $config;
+
+		my $opts = $plugin->options();
+		if (defined($password) && !defined($opts->{password})) {
+		    $password = undef;
+		    warn "ignoring password parameter";
+		}
+		$plugin->on_add_hook($realm, $config, password => $password);
+
+		PVE::INotify::write_file(PMG::Auth::Plugin->realm_cfg_id(), $cfg);
+	    },
+	    "add auth server failed",
+	);
+	return undef;
+    }});
+
+__PACKAGE__->register_method ({
+    name => 'update',
+    path => '{realm}',
+    method => 'PUT',
+    permissions => { check => [ 'admin' ] },
+    description => "Update authentication server settings.",
+    protected => 1,
+    parameters => PMG::Auth::Plugin->updateSchema(0),
+    returns => { type => 'null' },
+    code => sub {
+	my ($param) = @_;
+
+	# always extract, update in hook
+	my $password = extract_param($param, 'password');
+
+	PMG::Auth::Plugin::lock_realm_config(
+	    sub {
+		my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin->realm_cfg_id());
+		my $ids = $cfg->{ids};
+
+		my $digest = extract_param($param, 'digest');
+		PVE::SectionConfig::assert_if_modified($cfg, $digest);
+
+		my $realm = extract_param($param, 'realm');
+		my $type = $ids->{$realm}->{type};
+		my $check_connection = extract_param($param, 'check-connection');
+
+		die "authentication realm '$realm' does not exist\n"
+		    if !$ids->{$realm};
+
+		my $delete_str = extract_param($param, 'delete');
+		die "no options specified\n"
+		    if !$delete_str && !scalar(keys %$param) && !defined($password);
+
+		my $delete_pw = 0;
+		for my $opt (PVE::Tools::split_list($delete_str)) {
+		    delete $ids->{$realm}->{$opt};
+		    $delete_pw = 1 if $opt eq 'password';
+		}
+
+		my $plugin = PMG::Auth::Plugin->lookup($type);
+		my $config = $plugin->check_config($realm, $param, 0, 1);
+
+		if ($config->{default}) {
+		    for my $r (keys %$ids) {
+			delete $ids->{$r}->{default};
+		    }
+		}
+
+		for my $p (keys %$config) {
+		    $ids->{$realm}->{$p} = $config->{$p};
+		}
+
+		my $opts = $plugin->options();
+		if ($delete_pw || defined($password)) {
+		    $plugin->on_update_hook($realm, $config, password => $password);
+		} else {
+		    $plugin->on_update_hook($realm, $config);
+		}
+
+		PVE::INotify::write_file(PMG::Auth::Plugin->realm_cfg_id(), $cfg);
+	    },
+	    "update auth server failed"
+	);
+	return undef;
+    }});
+
+# fixme: return format!
+__PACKAGE__->register_method ({
+    name => 'read',
+    path => '{realm}',
+    method => 'GET',
+    description => "Get auth server configuration.",
+    permissions => { check => [ 'admin', 'qmanager', 'audit' ] },
+    parameters => {
+	additionalProperties => 0,
+	properties => {
+	    realm =>  get_standard_option('realm'),
+	},
+    },
+    returns => {},
+    code => sub {
+	my ($param) = @_;
+
+	my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin->realm_cfg_id());
+
+	my $realm = $param->{realm};
+
+	my $data = $cfg->{ids}->{$realm};
+	die "authentication realm '$realm' does not exist\n" if !$data;
+
+	my $type = $data->{type};
+
+	$data->{digest} = $cfg->{digest};
+
+	return $data;
+    }});
+
+
+__PACKAGE__->register_method ({
+    name => 'delete',
+    path => '{realm}',
+    method => 'DELETE',
+    permissions => { check => [ 'admin' ] },
+    description => "Delete an authentication server.",
+    protected => 1,
+    parameters => {
+	additionalProperties => 0,
+	properties => {
+	    realm =>  get_standard_option('realm'),
+	}
+    },
+    returns => { type => 'null' },
+    code => sub {
+	my ($param) = @_;
+
+	PMG::Auth::Plugin::lock_realm_config(
+	    sub {
+		my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin->realm_cfg_id());
+		my $ids = $cfg->{ids};
+		my $realm = $param->{realm};
+
+		die "authentication realm '$realm' does not exist\n" if !$ids->{$realm};
+
+		my $plugin = PMG::Auth::Plugin->lookup($ids->{$realm}->{type});
+
+		$plugin->on_delete_hook($realm, $ids->{$realm});
+
+		delete $ids->{$realm};
+
+		PVE::INotify::write_file(PMG::Auth::Plugin->realm_cfg_id(), $cfg);
+	    },
+	    "delete auth server failed",
+	);
+	return undef;
+    }});
+
+1;
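Review bot: In the `update` handler, `my $type = $ids->{$realm}->{type};` runs before the existence check and autovivifies `$ids->{$realm}` as an empty hash, so `die "authentication realm '$realm' does not exist\n" if !$ids->{$realm};` can never fire for an unknown realm, and the request can reach `PMG::Auth::Plugin->lookup($type)` with an undefined type. Do the check first and read the type afterwards: `die "authentication realm '$realm' does not exist\n" if !$ids->{$realm};` followed by `my $type = $ids->{$realm}->{type};`. In the same handler the `delete` list is applied with `delete $ids->{$realm}->{$opt}` without comparing each name against `$plugin->options()`, so a fixed key such as `type` can be dropped from the stored section unless the schema from `updateSchema()` (not visible here) already restricts it. Separately, `read` returns the whole stored section to the `qmanager` and `audit` roles; if any plugin keeps a secret in the section (the plugin schemas are outside this patch), that field should be filtered out before returning, or the check narrowed to `admin`.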
diff --git a/src/PMG/HTTPServer.pm b/src/PMG/HTTPServer.pm
index 49724fe..5e0ce3d 100644
--- a/src/PMG/HTTPServer.pm
+++ b/src/PMG/HTTPServer.pm
@@ -57,7 +57,7 @@ sub auth_handler {
     my $require_auth = 1;
 
     # explicitly allow some calls without auth
-    if (($rel_uri eq '/access/domains' && $method eq 'GET') ||
+    if (($rel_uri eq '/access/auth-realm' && $method eq 'GET') ||
 	($rel_uri eq '/quarantine/sendlink' && ($method eq 'GET' || $method eq 'POST')) ||
 	($rel_uri eq '/access/ticket' && ($method eq 'GET' || $method eq 'POST'))) {
 	$require_auth = 0;
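Review bot: The exemption makes everything the `auth-realm` index returns readable before authentication, and that dependency is not documented at this spot. Per the AuthRealm.pm part of this patch the index emits each realm's id, type, comment, default flag and TFA provider type, so a comment such as `# realm index feeds the login dialog; it must only ever return non-secret fields` above the condition would warn whoever extends the index later. The `default` key is also missing from the index's `returns` schema, which is worth adding so the pre-auth output is fully described. `auth_handler` begins before and continues after the hunk.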
-- 
2.39.5


