public inbox for pmg-devel@lists.proxmox.com
* [pmg-devel] [PATCH pmg-api 0/3] rename realms.cfg to realms.conf
@ 2025-02-26 17:37 Stoiko Ivanov
From: Stoiko Ivanov @ 2025-02-26 17:37 UTC (permalink / raw)
  To: pmg-devel

this series is based on Markus' v8 for OIDC:
https://lore.proxmox.com/pmg-devel/20250226140740.55612-1-m.frank@proxmox.com/T/#t

it addresses the naming of realms.cfg vs. realms.conf
additionally I moved the part of the schema definitions to Auth::Plugin,
in order to not have a cyclical include.

the third patch adds realms conf to the cluster sync.
(backup already contains everything in /etc/pmg anyways - so no special
consideration needed).

tested by installing this on 2 nodes in the cluster, and logging in
via keycloak on the non-master node.

Stoiko Ivanov (3):
  auth: plugin: move schema definitions from Utils to Auth::Plugin
  access control: rename realms.cfg to realms.conf
  cluster: add realms.conf to config-sync

 src/PMG/API2/AuthRealm.pm | 16 ++++++++--------
 src/PMG/API2/OIDC.pm      |  5 +++--
 src/PMG/AccessControl.pm  |  4 ++--
 src/PMG/Auth/Plugin.pm    | 30 ++++++++++++++++++++++++------
 src/PMG/Cluster.pm        |  1 +
 src/PMG/Utils.pm          | 21 ++-------------------
 6 files changed, 40 insertions(+), 37 deletions(-)

-- 
2.39.5



_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel



* [pmg-devel] [PATCH pmg-api 1/3] auth: plugin: move schema definitions from Utils to Auth::Plugin
From: Stoiko Ivanov @ 2025-02-26 17:37 UTC (permalink / raw)
  To: pmg-devel

it's the class that actually needs them, and where we want
to keep the definitions.

move happens in order to not have a cyclical include
(PMG::Auth::Plugin including PMG::Utils for the schema definitions,
and PMG::Utils including PMG::Auth::Plugin to get the realms from its
config file).

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 src/PMG/Auth/Plugin.pm | 19 ++++++++++++++++++-
 src/PMG/Utils.pm       | 21 ++-------------------
 2 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/src/PMG/Auth/Plugin.pm b/src/PMG/Auth/Plugin.pm
index beb8fc4..f6792ac 100755
--- a/src/PMG/Auth/Plugin.pm
+++ b/src/PMG/Auth/Plugin.pm
@@ -6,7 +6,6 @@ use warnings;
 use Digest::SHA;
 use Encode;
 
-use PMG::Utils;
 use PVE::INotify;
 use PVE::JSONSchema qw(get_standard_option);
 use PVE::SectionConfig;
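Review bot: with `use PMG::Utils;` dropped here, any helper from PMG::Utils that Plugin.pm still references elsewhere (the hunk only shows the import block) would now resolve only if some other module happens to load PMG::Utils first; a `perl -c` of Plugin.pm in isolation would confirm nothing else in the file depends on it. Unrelated to the change but visible in the file header: `index beb8fc4..f6792ac 100755` shows the module is executable, whereas a Perl module that is only `use`d is normally 100644.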
@@ -56,6 +55,24 @@ sub lock_realm_config {
     }
 }
 
+sub is_valid_realm {
+    my ($realm) = @_;
+    return 0 if !$realm;
+    return 1 if $realm eq 'pam' || $realm eq 'quarantine'; # built-in ones
+
+    my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin::realm_conf_id());
+    return exists($cfg->{ids}->{$realm}) ? 1 : 0;
+}
+
+PVE::JSONSchema::register_format('pmg-realm', \&is_valid_realm);
+
+PVE::JSONSchema::register_standard_option('realm', {
+    description => "Authentication domain ID",
+    type => 'string',
+    format => 'pmg-realm',
+    maxLength => 32,
+});
+
 my $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/;
 
 sub pmg_verify_realm {
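Review bot: `is_valid_realm` at `my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin::realm_conf_id());` calls a sub that does not exist at this point in the series; patch 2/3 still shows `-sub realm_cfg_id {` / `+sub realm_conf_id {`, so this commit on its own dies with an undefined subroutine the first time a `pmg-realm` value is validated, which breaks bisecting. Either keep `realm_cfg_id()` here and let 2/3 rename both sites, or fold the rename into this patch. A second, pre-existing point that the move carries over: validators registered via `PVE::JSONSchema::register_format` report an invalid value by dying, so the `return 0` paths of `is_valid_realm` most likely do not reject an unknown realm on their own; a follow-up replacing the boolean return with `die "unknown realm '$realm'\n"` would make the format actually enforce membership.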
diff --git a/src/PMG/Utils.pm b/src/PMG/Utils.pm
index d440876..33f80ae 100644
--- a/src/PMG/Utils.pm
+++ b/src/PMG/Utils.pm
@@ -34,6 +34,7 @@ use Time::Local;
 use Xdgmime;
 
 use PMG::AtomicFile;
+use PMG::Auth::Plugin;
 use PMG::MIMEUtils;
 use PMG::MailQueue;
 use PMG::SMTPPrinter;
@@ -52,30 +53,12 @@ try_decode_utf8
 my $user_regex = qr![^\s:/]+!;
 
 sub valid_pmg_realm_regex {
-    my $cfg = PVE::INotify::read_file('realms.cfg');
+    my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin::realm_conf_id());
     my $ids = $cfg->{ids};
     my $realms = ['pam', 'quarantine', sort keys $cfg->{ids}->%* ];
     return join('|', @$realms);
 }
 
-sub is_valid_realm {
-    my ($realm) = @_;
-    return 0 if !$realm;
-    return 1 if $realm eq 'pam' || $realm eq 'quarantine'; # built-in ones
-
-    my $cfg = PVE::INotify::read_file('realms.cfg');
-    return exists($cfg->{ids}->{$realm}) ? 1 : 0;
-}
-
-PVE::JSONSchema::register_format('pmg-realm', \&is_valid_realm);
-
-PVE::JSONSchema::register_standard_option('realm', {
-    description => "Authentication domain ID",
-    type => 'string',
-    format => 'pmg-realm',
-    maxLength => 32,
-});
-
 PVE::JSONSchema::register_standard_option('pmg-starttime', {
     description => "Only consider entries newer than 'starttime' (unix epoch). Default is 'now - 1day'.",
     type => 'integer',
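Review bot: same bisect problem as in Plugin.pm: `valid_pmg_realm_regex` now calls `PMG::Auth::Plugin::realm_conf_id()`, which only patch 2/3 introduces. Two minor points visible in the context lines: `my $ids = $cfg->{ids};` is assigned but the next line reads `$cfg->{ids}->%*` directly, so `$ids` is dead; and the realm IDs are joined into a regex alternation without `quotemeta`, which is only safe as long as `$realm_regex` (`[A-Za-z][A-Za-z0-9\.\-_]+` in the Plugin.pm hunk) keeps excluding metacharacters other than `.`. `join('|', map { quotemeta } @$realms)` would make the regex independent of the ID format.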
-- 
2.39.5




* [pmg-devel] [PATCH pmg-api 2/3] access control: rename realms.cfg to realms.conf
From: Stoiko Ivanov @ 2025-02-26 17:37 UTC (permalink / raw)
  To: pmg-devel

by defining the name once in PMG::Auth::Plugin, and using the sub
there to retrieve it where needed.

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 src/PMG/API2/AuthRealm.pm | 16 ++++++++--------
 src/PMG/API2/OIDC.pm      |  5 +++--
 src/PMG/AccessControl.pm  |  4 ++--
 src/PMG/Auth/Plugin.pm    | 11 ++++++-----
 4 files changed, 19 insertions(+), 17 deletions(-)

diff --git a/src/PMG/API2/AuthRealm.pm b/src/PMG/API2/AuthRealm.pm
index 57c5fea..e9fee38 100644
--- a/src/PMG/API2/AuthRealm.pm
+++ b/src/PMG/API2/AuthRealm.pm
@@ -51,7 +51,7 @@ __PACKAGE__->register_method ({
 
 	my $res = [];
 
-	my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin->realm_cfg_id());
+	my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin->realm_conf_id());
 	my $ids = $cfg->{ids};
 
 	for my $realm (keys %$ids) {
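Review bot: style point that applies to all hunks of this file: the ID is fetched as a class-method call `PMG::Auth::Plugin->realm_conf_id()`, while OIDC.pm, Utils.pm and the new `is_valid_realm` use the plain function call `PMG::Auth::Plugin::realm_conf_id()`. `realm_conf_id` ignores its arguments, so both spellings work, but settling on one (the function form, since nothing is dispatched on the class) would make a later grep for users of the config ID less error-prone.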
@@ -82,7 +82,7 @@ __PACKAGE__->register_method ({
 
 	PMG::Auth::Plugin::lock_realm_config(
 	    sub {
-		my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin->realm_cfg_id());
+		my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin->realm_conf_id());
 		my $ids = $cfg->{ids};
 
 		my $realm = extract_param($param, 'realm');
@@ -117,7 +117,7 @@ __PACKAGE__->register_method ({
 		}
 		$plugin->on_add_hook($realm, $config, password => $password);
 
-		PVE::INotify::write_file(PMG::Auth::Plugin->realm_cfg_id(), $cfg);
+		PVE::INotify::write_file(PMG::Auth::Plugin->realm_conf_id(), $cfg);
 	    },
 	    "add auth server failed",
 	);
@@ -141,7 +141,7 @@ __PACKAGE__->register_method ({
 
 	PMG::Auth::Plugin::lock_realm_config(
 	    sub {
-		my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin->realm_cfg_id());
+		my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin->realm_conf_id());
 		my $ids = $cfg->{ids};
 
 		my $digest = extract_param($param, 'digest');
@@ -184,7 +184,7 @@ __PACKAGE__->register_method ({
 		    $plugin->on_update_hook($realm, $config);
 		}
 
-		PVE::INotify::write_file(PMG::Auth::Plugin->realm_cfg_id(), $cfg);
+		PVE::INotify::write_file(PMG::Auth::Plugin->realm_conf_id(), $cfg);
 	    },
 	    "update auth server failed"
 	);
@@ -208,7 +208,7 @@ __PACKAGE__->register_method ({
     code => sub {
 	my ($param) = @_;
 
-	my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin->realm_cfg_id());
+	my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin->realm_conf_id());
 
 	my $realm = $param->{realm};
 
@@ -242,7 +242,7 @@ __PACKAGE__->register_method ({
 
 	PMG::Auth::Plugin::lock_realm_config(
 	    sub {
-		my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin->realm_cfg_id());
+		my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin->realm_conf_id());
 		my $ids = $cfg->{ids};
 		my $realm = $param->{realm};
 
@@ -254,7 +254,7 @@ __PACKAGE__->register_method ({
 
 		delete $ids->{$realm};
 
-		PVE::INotify::write_file(PMG::Auth::Plugin->realm_cfg_id(), $cfg);
+		PVE::INotify::write_file(PMG::Auth::Plugin->realm_conf_id(), $cfg);
 	    },
 	    "delete auth server failed",
 	);
diff --git a/src/PMG/API2/OIDC.pm b/src/PMG/API2/OIDC.pm
index da9c774..92ff88d 100644
--- a/src/PMG/API2/OIDC.pm
+++ b/src/PMG/API2/OIDC.pm
@@ -10,10 +10,11 @@ use PVE::Exception qw(raise raise_perm_exc raise_param_exc);
 use PVE::SafeSyslog;
 use PVE::INotify;
 use PVE::JSONSchema qw(get_standard_option);
+use PVE::RESTHandler;
 
 use PMG::AccessControl;
+use PMG::Auth::Plugin;
 use PMG::RESTEnvironment;
-use PVE::RESTHandler;
 
 use base qw(PVE::RESTHandler);
 
@@ -22,7 +23,7 @@ my $oidc_state_path = "/var/lib/pmg";
 my $lookup_oidc_auth = sub {
     my ($realm, $redirect_url) = @_;
 
-    my $cfg = PVE::INotify::read_file('realms.cfg');
+    my $cfg = PVE::INotify::read_file(PMG::Auth::Plugin::realm_conf_id());
     my $ids = $cfg->{ids};
 
     die "authentication domain '$realm' does not exist\n" if !$ids->{$realm};
diff --git a/src/PMG/AccessControl.pm b/src/PMG/AccessControl.pm
index 57d80f8..0cf8067 100644
--- a/src/PMG/AccessControl.pm
+++ b/src/PMG/AccessControl.pm
@@ -66,7 +66,7 @@ sub authenticate_user : prototype($$$) {
 	}
 	die "ldap login failed\n";
     } elsif ($realm =~ m!(${realm_regex})!) {
-	my $realm_cfg = PVE::INotify::read_file(PMG::Auth::Plugin->realm_cfg_id());
+	my $realm_cfg = PVE::INotify::read_file(PMG::Auth::Plugin->realm_conf_id());
 	my $cfg = $realm_cfg->{ids}->{$realm};
 	my $plugin = PMG::Auth::Plugin->lookup($cfg->{type});
 	$plugin->authenticate_user($cfg, $realm, $ruid, $password);
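Review bot: not changed by this hunk, but worth a guard while the line is touched: after `my $cfg = $realm_cfg->{ids}->{$realm};` there is no check that the realm is actually configured, so a name that matches `$realm_regex` but is absent from realms.conf reaches `PMG::Auth::Plugin->lookup($cfg->{type})` with an undefined type and fails with a lookup error instead of a clear message. OIDC.pm in this same patch does `die "authentication domain '$realm' does not exist\n" if !$ids->{$realm};`; the same check here (and in the `set_user_password` hunk below) would keep the failure mode consistent and the syslog line meaningful.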
@@ -111,7 +111,7 @@ sub set_user_password {
     } elsif ($realm eq 'pmg') {
 	PMG::UserConfig->set_user_password($username, $password);
     } elsif ($realm =~ m!(${realm_regex})!) {
-	my $realm_cfg = PVE::INotify::read_file(PMG::Auth::Plugin->realm_cfg_id());
+	my $realm_cfg = PVE::INotify::read_file(PMG::Auth::Plugin->realm_conf_id());
 	my $cfg = $realm_cfg->{ids}->{$realm};
 	my $plugin = PMG::Auth::Plugin->lookup($cfg->{type});
 	$plugin->store_password($cfg, $realm, $username, $password);
diff --git a/src/PMG/Auth/Plugin.pm b/src/PMG/Auth/Plugin.pm
index f6792ac..1a9f68a 100755
--- a/src/PMG/Auth/Plugin.pm
+++ b/src/PMG/Auth/Plugin.pm
@@ -13,11 +13,12 @@ use PVE::Tools;
 
 use base qw(PVE::SectionConfig);
 
-my $realm_cfg_id = "realms.cfg";
+my $realm_conf_id = "realms.conf";
+my $realm_conf_filename = "/etc/pmg/$realm_conf_id";
 my $lockfile = "/var/lock/pmg-realms.lck";
 
-sub realm_cfg_id {
-    return $realm_cfg_id;
+sub realm_conf_id {
+    return $realm_conf_id;
 }
 
 sub read_realms_conf {
@@ -38,8 +39,8 @@ sub write_realms_conf {
 }
 
 PVE::INotify::register_file(
-    $realm_cfg_id,
-    "/etc/pmg/realms.cfg",
+    $realm_conf_id,
+    $realm_conf_filename,
     \&read_realms_conf,
     \&write_realms_conf,
     undef,
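Review bot: the on-disk path changes from `/etc/pmg/realms.cfg` to `/etc/pmg/realms.conf` without migrating an existing file, so a node that already had realms in `realms.cfg` would come up with an empty realm list after the upgrade. That is fine only if `realms.cfg` never shipped in a released package (the cover letter places this on top of the not yet applied OIDC v8 series); otherwise a one-time rename in the postinst or a fallback read of the old name would be needed. A `git grep realms.cfg` over pmg-api, pmg-gui and pmg-docs after applying would confirm no literal reference is left.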
-- 
2.39.5




* [pmg-devel] [PATCH pmg-api 3/3] cluster: add realms.conf to config-sync
From: Stoiko Ivanov @ 2025-02-26 17:37 UTC (permalink / raw)
  To: pmg-devel

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 src/PMG/Cluster.pm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/PMG/Cluster.pm b/src/PMG/Cluster.pm
index 17ba44d..1b22774 100644
--- a/src/PMG/Cluster.pm
+++ b/src/PMG/Cluster.pm
@@ -461,6 +461,7 @@ sub sync_config_from_master {
 	'pmg-csrf.key',
 	'ldap.conf',
 	'user.conf',
+	'realms.conf',
 	'tfa.json',
 	'domains',
 	'mynetworks',
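Review bot: the entry is added as the literal string `'realms.conf'` right after patch 2/3 made `PMG::Auth::Plugin::realm_conf_id()` the single place that defines the name; the neighbouring entries (`'ldap.conf'`, `'user.conf'`) are literals too, so this follows the file's convention, but a future rename of the ID would now silently drop the file from the sync. Either reference the sub here or add a comment next to `$realm_conf_id` in Plugin.pm that the sync list in Cluster.pm must follow it. Since the file travels over the same path as `pmg-csrf.key` and `ldap.conf`, which are already in the list, syncing it adds no new exposure, provided the copy keeps the restrictive ownership and mode of the master's file.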
-- 
2.39.5




* [pmg-devel] applied-series: [PATCH pmg-api 0/3] rename realms.cfg to realms.conf
From: Thomas Lamprecht @ 2025-02-26 20:17 UTC (permalink / raw)
  To: Stoiko Ivanov, pmg-devel

On 26.02.25 at 18:37, Stoiko Ivanov wrote:
> this series is based on Markus' v8 for OIDC:
> https://lore.proxmox.com/pmg-devel/20250226140740.55612-1-m.frank@proxmox.com/T/#t
> 
> it addresses the naming of realms.cfg vs. realms.conf
> additionally I moved the part of the schema definitions to Auth::Plugin,
> in order to not have a cyclical include.
> 
> the third patch adds realms conf to the cluster sync.
> (backup already contains everything in /etc/pmg anyways - so no special
> consideration needed).
> 
> tested by installing this on 2 nodes in the cluster, and logging in
> via keycloak on the non-master node.
> 
> Stoiko Ivanov (3):
>   auth: plugin: move schema definitions from Utils to Auth::Plugin
>   access control: rename realms.cfg to realms.conf
>   cluster: add realms.conf to config-sync
> 
>  src/PMG/API2/AuthRealm.pm | 16 ++++++++--------
>  src/PMG/API2/OIDC.pm      |  5 +++--
>  src/PMG/AccessControl.pm  |  4 ++--
>  src/PMG/Auth/Plugin.pm    | 30 ++++++++++++++++++++++++------
>  src/PMG/Cluster.pm        |  1 +
>  src/PMG/Utils.pm          | 21 ++-------------------
>  6 files changed, 40 insertions(+), 37 deletions(-)
> 


applied, thanks!


