From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: <pmg-devel-bounces@lists.proxmox.com> Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id DE15A1FF15C for <inbox@lore.proxmox.com>; Wed, 19 Mar 2025 14:31:17 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 5E755AC61; Wed, 19 Mar 2025 14:31:07 +0100 (CET) From: Markus Frank <m.frank@proxmox.com> To: pmg-devel@lists.proxmox.com Date: Wed, 19 Mar 2025 14:29:59 +0100 Message-Id: <20250319132959.5149-4-m.frank@proxmox.com> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20250319132959.5149-1-m.frank@proxmox.com> References: <20250319132959.5149-1-m.frank@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.008 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pmg-devel] [PATCH pmg-gui v4 3/3] add OIDC configuration panel for PMG X-BeenThere: pmg-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Mail Gateway development discussion <pmg-devel.lists.proxmox.com> List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pmg-devel>, <mailto:pmg-devel-request@lists.proxmox.com?subject=unsubscribe> List-Archive: <http://lists.proxmox.com/pipermail/pmg-devel/> List-Post: <mailto:pmg-devel@lists.proxmox.com> List-Help: <mailto:pmg-devel-request@lists.proxmox.com?subject=help> List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel>, <mailto:pmg-devel-request@lists.proxmox.com?subject=subscribe> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pmg-devel-bounces@lists.proxmox.com Sender: "pmg-devel" <pmg-devel-bounces@lists.proxmox.com> AuthEditOIDC.js is based on AuthEditOpenId from widget-toolkit and adds additional configuration options for autocreate-role-assignment. 
Use sub/preferred_username for username-claim instead of the old names (subject/username/email) because subject and username do not exist in the current OpenID Connect specifications and the email option is incompatible with the username scheme.
Signed-off-by: Markus Frank <m.frank@proxmox.com>
---
no changes in v4
 js/AuthEditOIDC.js | 244 +++++++++++++++++++++++++++++++++++++++++++++
 js/Makefile | 1 +
 js/Utils.js | 1 +
 3 files changed, 246 insertions(+)
 create mode 100644 js/AuthEditOIDC.js
diff --git a/js/AuthEditOIDC.js b/js/AuthEditOIDC.js
new file mode 100644
index 0000000..ad6683f
--- /dev/null
+++ b/js/AuthEditOIDC.js
@@ -0,0 +1,244 @@
+Ext.define('PMG.OIDCInputPanel', {
+ extend: 'Proxmox.panel.InputPanel',
+ xtype: 'pmgAuthOIDCPanel',
+ mixins: ['Proxmox.Mixin.CBind'],
+
+ type: 'oidc',
+
+ viewModel: {
+ data: {
+ roleSource: '__default__',
+ autocreate: 0,
+ },
+ formulas: {
+ hideFixedRoleAssignment: function(get) {
+ return get('roleSource') !== 'fixed' || !get('autocreate');
+ },
+ hideClaimRoleAssignment: function(get) {
+ return get('roleSource') !== 'from-claim' || !get('autocreate');
+ },
+ },
+ },
+
+ onGetValues: function(values) {
+ let me = this;
+
+ if (me.isCreate && !me.useTypeInUrl) {
+ values.type = me.type;
+ }
+
+ let autocreateRoleAssignment = {};
+ if (values.source) {
+ autocreateRoleAssignment.source = values.source;
+ }
+ if (values.source === 'fixed') {
+ autocreateRoleAssignment['fixed-role'] = values['fixed-role'];
+ } else if (values.source === 'from-claim') {
+ autocreateRoleAssignment['role-claim'] = values['role-claim'];
+ }
+ values['autocreate-role-assignment'] = Proxmox.Utils.printPropertyString(autocreateRoleAssignment);
+ Proxmox.Utils.delete_if_default(values, 'autocreate-role-assignment', '', me.isCreate);
+
+ delete values.source;
+ delete values['fixed-role'];
+ delete values['role-claim'];
+
+ return values;
+ },
+
+ setValues: function(values) {
+ let autocreateRoleAssignment =
+ Proxmox.Utils.parsePropertyString(values['autocreate-role-assignment']);
+
+ values.source = autocreateRoleAssignment.source ?? '__default__';
+
+ if (autocreateRoleAssignment.source === 'fixed') {
+ values['fixed-role'] = autocreateRoleAssignment['fixed-role'];
+ }
+ if (autocreateRoleAssignment.source === 'from-claim') {
+ values['role-claim'] = autocreateRoleAssignment['role-claim'];
+ }
+
+ this.callParent(arguments);
+ },
+
+
+ columnT: [
+ {
+ xtype: 'textfield',
+ name: 'issuer-url',
+ fieldLabel: gettext('Issuer URL'),
+ allowBlank: false,
+ },
+ ],
+
+ column1: [
+ {
+ xtype: 'pmxDisplayEditField',
+ name: 'realm',
+ cbind: {
+ value: '{realm}',
+ editable: '{isCreate}',
+ },
+ fieldLabel: gettext('Realm'),
+ allowBlank: false,
+ },
+ {
+ xtype: 'proxmoxcheckbox',
+ fieldLabel: gettext('Default realm'),
+ name: 'default',
+ value: 0,
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ autoEl: {
+ tag: 'div',
+ 'data-qtip': gettext('Set realm as default for login'),
+ },
+ },
+ {
+ xtype: 'proxmoxtextfield',
+ fieldLabel: gettext('Client ID'),
+ name: 'client-id',
+ allowBlank: false,
+ },
+ {
+ xtype: 'proxmoxtextfield',
+ fieldLabel: gettext('Client Key'),
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ name: 'client-key',
+ },
+ ],
+
+ column2: [
+ {
+ xtype: 'pmxDisplayEditField',
+ name: 'username-claim',
+ fieldLabel: gettext('Username Claim'),
+ editConfig: {
+ xtype: 'proxmoxKVComboBox',
+ editable: true,
+ comboItems: [
+ ['__default__', Proxmox.Utils.defaultText],
+ ['sub', gettext('sub (subject)')],
+ ['preferred_username', gettext('preferred_username')],
+ ],
+ },
+ cbind: {
+ value: get => get('isCreate') ? '__default__' : Proxmox.Utils.defaultText,
+ deleteEmpty: '{!isCreate}',
+ editable: '{isCreate}',
+ },
+ },
+ {
+ xtype: 'proxmoxtextfield',
+ name: 'scopes',
+ fieldLabel: gettext('Scopes'),
+ emptyText: `${Proxmox.Utils.defaultText} (email profile)`,
+ submitEmpty: false,
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ },
+ {
+ xtype: 'proxmoxKVComboBox',
+ name: 'prompt',
+ fieldLabel: gettext('Prompt'),
+ editable: true,
+ emptyText: gettext('Auth-Provider Default'),
+ comboItems: [
+ ['__default__', gettext('Auth-Provider Default')],
+ ['none', 'none'],
+ ['login', 'login'],
+ ['consent', 'consent'],
+ ['select_account', 'select_account'],
+ ],
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ },
+ ],
+
+ columnB: [
+ {
+ xtype: 'proxmoxtextfield',
+ name: 'comment',
+ fieldLabel: gettext('Comment'),
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ },
+ {
+ xtype: 'displayfield',
+ value: gettext('Autocreate Options'),
+ },
+ {
+ xtype: 'proxmoxcheckbox',
+ fieldLabel: gettext('Autocreate Users'),
+ name: 'autocreate',
+ bind: {
+ value: '{autocreate}',
+ },
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ },
+ {
+ xtype: 'proxmoxKVComboBox',
+ name: 'source',
+ fieldLabel: gettext('Source for Role Assignment'),
+ allowBlank: false,
+ deleteEmpty: false,
+ comboItems: [
+ [
+ '__default__',
+ Proxmox.Utils.defaultText
+ + ' (' + gettext('All auto-created users get audit role') + ')',
+ ],
+ ['fixed', gettext('Fixed role for all auto-created users')],
+ ['from-claim', gettext('Get role from OIDC claim')],
+ ],
+ bind: {
+ value: '{roleSource}',
+ disabled: '{!autocreate}',
+ hidden: '{!autocreate}',
+ },
+ },
+ {
+ xtype: 'pmgRoleSelector',
+ name: 'fixed-role',
+ allowBlank: false,
+ deleteEmpty: false,
+ fieldLabel: gettext('Fixed Role'),
+ bind: {
+ disabled: '{hideFixedRoleAssignment}',
+ hidden: '{hideFixedRoleAssignment}',
+ },
+ },
+ {
+ xtype: 'proxmoxtextfield',
+ name: 'role-claim',
+ allowBlank: false,
+ deleteEmpty: false,
+ fieldLabel: gettext('Role Claim'),
+ bind: {
+ disabled: '{hideClaimRoleAssignment}',
+ hidden: '{hideClaimRoleAssignment}',
+ },
+ },
+ ],
+
+ advancedColumnB: [
+ {
+ xtype: 'proxmoxtextfield',
+ name: 'acr-values',
+ fieldLabel: gettext('ACR Values'),
+ submitEmpty: false,
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ },
+ ],
+});
diff --git a/js/Makefile b/js/Makefile
index d1fab9b..c984bf3 100644
--- a/js/Makefile
+++ b/js/Makefile
@@ -78,6 +78,7 @@ JSSRC= \
 LDAPConfig.js \
 UserEdit.js \
 UserView.js \
+ AuthEditOIDC.js \
 TFAView.js \
 FetchmailEdit.js \
 FetchmailView.js \
diff --git a/js/Utils.js b/js/Utils.js
index aa17d83..d563483 100644
--- a/js/Utils.js
+++ b/js/Utils.js
@@ -871,6 +871,7 @@ Ext.define('PMG.Utils', {
 // use oidc instead of openid
 Proxmox.Schema.authDomains.oidc = Proxmox.Schema.authDomains.openid;
 Proxmox.Schema.authDomains.oidc.useTypeInUrl = false;
+ Proxmox.Schema.authDomains.oidc.ipanel = 'pmgAuthOIDCPanel';
 delete Proxmox.Schema.authDomains.openid;
 
 // Disable LDAP/AD as a realm until LDAP/AD login is implemented
-- 
2.39.5
_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
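Review bot: The `client-key` field in column1 is a plain `proxmoxtextfield`, so the OIDC client secret is echoed on screen in clear text whenever the realm dialog is open; adding `inputType: 'password'` to that field config keeps it masked without changing what is submitted (this matches AuthEditOpenId in widget-toolkit, so if parity is intended a short comment saying so would help). The `role-claim` text field gives the admin no hint about what is expected, unlike the 'Default realm' checkbox which carries a tooltip; something like `autoEl: { tag: 'div', 'data-qtip': gettext('Name of the OIDC claim whose value is used as the role of auto-created users') }` would document that the claim value supplied by the identity provider decides the assigned role. In setValues, `parsePropertyString` is called with `values['autocreate-role-assignment']` even when the realm has no such option; this relies on the helper tolerating undefined, which appears to be the case but deserves a one-line comment. Minor style: there are two consecutive blank lines between `setValues` and `columnT`, where the rest of the file uses one.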