public inbox for pmg-devel@lists.proxmox.com
 help / color / mirror / Atom feed
From: Markus Frank <m.frank@proxmox.com>
To: pmg-devel@lists.proxmox.com
Subject: [pmg-devel] [PATCH pmg-gui v2] add OIDC configuration panel for PMG
Date: Mon,  3 Mar 2025 09:49:58 +0100	[thread overview]
Message-ID: <20250303084958.2742-1-m.frank@proxmox.com> (raw)

AuthEditOIDC.js is based on AuthEditOpenId from widget-toolkit and
adds additional configuration options for autocreate-role-assignment.

It uses sub/preferred_username for username-claim instead of the old
names (subject/username/email). Removed email option entirely as it is
incompatible with the username scheme.

Signed-off-by: Markus Frank <m.frank@proxmox.com>
---
v2:
* renamed subject to sub
* renamed username to preferred_username
* removed email entirely

 js/AuthEditOIDC.js | 270 +++++++++++++++++++++++++++++++++++++++++++++
 js/Makefile        |   1 +
 js/Utils.js        |   1 +
 3 files changed, 272 insertions(+)
 create mode 100644 js/AuthEditOIDC.js

diff --git a/js/AuthEditOIDC.js b/js/AuthEditOIDC.js
new file mode 100644
index 0000000..cda9d68
--- /dev/null
+++ b/js/AuthEditOIDC.js
@@ -0,0 +1,270 @@
+Ext.define('PMG.OIDCInputPanel', {
+    extend: 'Proxmox.panel.InputPanel',
+    xtype: 'pmgAuthOIDCPanel',
+    mixins: ['Proxmox.Mixin.CBind'],
+
+    showDefaultRealm: false,
+
+    type: 'oidc',
+
+    viewModel: {
+	data: {
+	    roleSource: '__default__',
+	    autocreate: 0,
+	},
+	formulas: {
+	    hideRoleAssignment: function(get) {
+		let autocreate = get('autocreate');
+		if (!autocreate) {
+		    return 1;
+		}
+		return autocreate === 0;
+	    },
+	    hideFixedRoleAssignment: function(get) {
+		return get('roleSource') !== 'fixed' || get('hideRoleAssignment');
+	    },
+	    hideClaimRoleAssignment: function(get) {
+		return get('roleSource') !== 'from-claim' || get('hideRoleAssignment');
+	    },
+	},
+    },
+
+    onGetValues: function(values) {
+	let me = this;
+
+	if (me.isCreate && !me.useTypeInUrl) {
+	    values.type = me.type;
+	}
+
+	if (values.source) {
+	    let autocreateRoleAssignment = {};
+	    autocreateRoleAssignment.source = values.source;
+	    if (values.source === 'fixed') {
+		autocreateRoleAssignment['fixed-role'] = values['fixed-role'];
+	    } else if (values.source === 'from-claim') {
+		autocreateRoleAssignment['role-claim'] = values['role-claim'];
+	    }
+	    values['autocreate-role-assignment'] =
+		Proxmox.Utils.printPropertyString(autocreateRoleAssignment);
+	}
+
+	if ((!values.autocreate || !values.source) && !me.isCreate) {
+	    if (values.delete) {
+		if (Ext.isArray(values.delete)) {
+		    values.delete.push('autocreate-role-assignment');
+		} else {
+		    values.delete += ',autocreate-role-assignment';
+		}
+	    } else {
+		values.delete = 'autocreate-role-assignment';
+	    }
+	}
+	delete values.source;
+	delete values['fixed-role'];
+	delete values['role-claim'];
+
+	return values;
+    },
+
+    setValues: function(values) {
+	let autocreateRoleAssignment =
+	    Proxmox.Utils.parsePropertyString(values['autocreate-role-assignment']);
+
+	if (autocreateRoleAssignment.source) {
+	    values.source = autocreateRoleAssignment.source;
+	} else {
+	    values.source = '__default__';
+	}
+
+	if (autocreateRoleAssignment.source === 'fixed') {
+	    values['fixed-role'] = autocreateRoleAssignment['fixed-role'];
+	}
+	if (autocreateRoleAssignment.source === 'from-claim') {
+	    values['role-claim'] = autocreateRoleAssignment['role-claim'];
+	}
+
+	this.callParent(arguments);
+    },
+
+
+    columnT: [
+	{
+	    xtype: 'textfield',
+	    name: 'issuer-url',
+	    fieldLabel: gettext('Issuer URL'),
+	    allowBlank: false,
+	},
+    ],
+
+    column1: [
+	{
+	    xtype: 'pmxDisplayEditField',
+	    name: 'realm',
+	    cbind: {
+		value: '{realm}',
+		editable: '{isCreate}',
+	    },
+	    fieldLabel: gettext('Realm'),
+	    allowBlank: false,
+	},
+	{
+	    xtype: 'proxmoxcheckbox',
+	    fieldLabel: gettext('Default realm'),
+	    name: 'default',
+	    value: 0,
+	    cbind: {
+		deleteEmpty: '{!isCreate}',
+		hidden: '{!showDefaultRealm}',
+		disabled: '{!showDefaultRealm}',
+	    },
+	    autoEl: {
+		tag: 'div',
+		'data-qtip': gettext('Set realm as default for login'),
+	    },
+	},
+	{
+	    xtype: 'proxmoxtextfield',
+	    fieldLabel: gettext('Client ID'),
+	    name: 'client-id',
+	    allowBlank: false,
+	},
+	{
+	    xtype: 'proxmoxtextfield',
+	    fieldLabel: gettext('Client Key'),
+	    cbind: {
+		deleteEmpty: '{!isCreate}',
+	    },
+	    name: 'client-key',
+	},
+    ],
+
+    column2: [
+	{
+	    xtype: 'pmxDisplayEditField',
+	    name: 'username-claim',
+	    fieldLabel: gettext('Username Claim'),
+	    editConfig: {
+		xtype: 'proxmoxKVComboBox',
+		editable: true,
+		comboItems: [
+		    ['__default__', Proxmox.Utils.defaultText],
+		    ['sub', 'sub (subject)'],
+		    ['preferred_username', 'preferred_username'],
+		],
+	    },
+	    cbind: {
+		value: get => get('isCreate') ? '__default__' : Proxmox.Utils.defaultText,
+		deleteEmpty: '{!isCreate}',
+		editable: '{isCreate}',
+	    },
+	},
+	{
+	    xtype: 'proxmoxtextfield',
+	    name: 'scopes',
+	    fieldLabel: gettext('Scopes'),
+	    emptyText: `${Proxmox.Utils.defaultText} (email profile)`,
+	    submitEmpty: false,
+	    cbind: {
+		deleteEmpty: '{!isCreate}',
+	    },
+	},
+	{
+	    xtype: 'proxmoxKVComboBox',
+	    name: 'prompt',
+	    fieldLabel: gettext('Prompt'),
+	    editable: true,
+	    emptyText: gettext('Auth-Provider Default'),
+	    comboItems: [
+		['__default__', gettext('Auth-Provider Default')],
+		['none', 'none'],
+		['login', 'login'],
+		['consent', 'consent'],
+		['select_account', 'select_account'],
+	    ],
+	    cbind: {
+		deleteEmpty: '{!isCreate}',
+	    },
+	},
+    ],
+
+    columnB: [
+	{
+	    xtype: 'proxmoxtextfield',
+	    name: 'comment',
+	    fieldLabel: gettext('Comment'),
+	    cbind: {
+		deleteEmpty: '{!isCreate}',
+	    },
+	},
+	{
+	    xtype: 'displayfield',
+	    value: gettext('Autocreate Options'),
+	},
+	{
+	    xtype: 'proxmoxcheckbox',
+	    fieldLabel: gettext('Autocreate Users'),
+	    name: 'autocreate',
+	    bind: {
+		value: '{autocreate}',
+	    },
+	    cbind: {
+		deleteEmpty: '{!isCreate}',
+	    },
+	},
+	{
+	    xtype: 'proxmoxKVComboBox',
+	    name: 'source',
+	    fieldLabel: gettext('Source for Role Assignment'),
+	    allowBlank: false,
+	    deleteEmpty: false,
+	    comboItems: [
+		[
+		    '__default__',
+		    Proxmox.Utils.defaultText
+			+ ' (' + gettext('All auto-created users get audit role') + ')',
+		],
+		['fixed', 'Fixed role for all auto-created users'],
+		['from-claim', 'Get role from OIDC claim'],
+	    ],
+	    bind: {
+		value: '{roleSource}',
+		disabled: '{hideRoleAssignment}',
+		hidden: '{hideRoleAssignment}',
+	    },
+	},
+	{
+	    xtype: 'pmgRoleSelector',
+	    name: 'fixed-role',
+	    allowBlank: false,
+	    deleteEmpty: false,
+	    fieldLabel: gettext('Fixed Role'),
+	    bind: {
+		disabled: '{hideFixedRoleAssignment}',
+		hidden: '{hideFixedRoleAssignment}',
+	    },
+	},
+	{
+	    xtype: 'proxmoxtextfield',
+	    name: 'role-claim',
+	    allowBlank: false,
+	    deleteEmpty: false,
+	    fieldLabel: gettext('Role Claim'),
+	    bind: {
+		disabled: '{hideClaimRoleAssignment}',
+		hidden: '{hideClaimRoleAssignment}',
+	    },
+	},
+    ],
+
+    advancedColumnB: [
+	{
+	    xtype: 'proxmoxtextfield',
+	    name: 'acr-values',
+	    fieldLabel: gettext('ACR Values'),
+	    submitEmpty: false,
+	    cbind: {
+		deleteEmpty: '{!isCreate}',
+	    },
+	},
+    ],
+});
diff --git a/js/Makefile b/js/Makefile
index d1fab9b..c984bf3 100644
--- a/js/Makefile
+++ b/js/Makefile
@@ -78,6 +78,7 @@ JSSRC=							\
 	LDAPConfig.js					\
 	UserEdit.js					\
 	UserView.js					\
+	AuthEditOIDC.js					\
 	TFAView.js					\
 	FetchmailEdit.js				\
 	FetchmailView.js				\
diff --git a/js/Utils.js b/js/Utils.js
index d4a55a8..9dbc76f 100644
--- a/js/Utils.js
+++ b/js/Utils.js
@@ -871,6 +871,7 @@ Ext.define('PMG.Utils', {
 	// use oidc instead of openid
 	Proxmox.Schema.authDomains.oidc = Proxmox.Schema.authDomains.openid;
 	Proxmox.Schema.authDomains.oidc.useTypeInUrl = false;
+	Proxmox.Schema.authDomains.oidc.ipanel = 'pmgAuthOIDCPanel';
 	delete Proxmox.Schema.authDomains.openid;
 
 	// Disable LDAP/AD as a realm until LDAP/AD login is implemented
-- 
2.39.5



_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel


             reply	other threads:[~2025-03-03  8:50 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-03-03  8:49 Markus Frank [this message]
2025-03-03  8:58 ` Markus Frank
2025-03-10 14:37 ` Dominik Csapak
2025-03-11 10:22   ` Markus Frank

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250303084958.2742-1-m.frank@proxmox.com \
    --to=m.frank@proxmox.com \
    --cc=pmg-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal