* [pmg-devel] [PATCH pmg-api/pmg-gui/pmg-docs v5 0/5] add default realm option and OIDC configuration panel
From: Markus Frank @ 2025-03-26 15:24 UTC
To: pmg-devel
v5:
* added 2 doc patches (4/5 and 5/5)
* added onlineHelp link to OIDC documentation in AuthEditOIDC.js
v4:
* removed the default value of the realm field in the LoginView so that
the default realm is automatically selected.
pmg-api:
Markus Frank (1):
Auth Plugin: stop forcing the default realm to be the pmg realm
src/PMG/Auth/Plugin.pm | 2 --
1 file changed, 2 deletions(-)
pmg-gui:
Markus Frank (2):
realms: enable default realm support
add OIDC configuration panel for PMG
js/AuthEditOIDC.js | 245 +++++++++++++++++++++++++++++++++++++++++++
js/LoginView.js | 1 -
js/Makefile | 1 +
js/UserManagement.js | 1 +
js/Utils.js | 17 +--
5 files changed, 258 insertions(+), 7 deletions(-)
create mode 100644 js/AuthEditOIDC.js
pmg-docs:
Markus Frank (2):
OIDC: rename subject to sub and username to preferred_username
OIDC: add 'Autocreate Users with Assigned Role' description
pmgconfig.adoc | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
--
2.39.5
_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
* [pmg-devel] [PATCH pmg-api v5 1/5] Auth Plugin: stop forcing the default realm to be the pmg realm
From: Markus Frank @ 2025-03-26 15:24 UTC
To: pmg-devel
This allows a different realm to be set as the default.
Signed-off-by: Markus Frank <m.frank@proxmox.com>
---
nothing changed in v5
src/PMG/Auth/Plugin.pm | 2 --
1 file changed, 2 deletions(-)
diff --git a/src/PMG/Auth/Plugin.pm b/src/PMG/Auth/Plugin.pm
index 9268a49..5969911 100755
--- a/src/PMG/Auth/Plugin.pm
+++ b/src/PMG/Auth/Plugin.pm
@@ -144,8 +144,6 @@ sub parse_config {
$cfg->{ids}->{pmg}->{type} = 'pmg'; # force type
$cfg->{ids}->{pmg}->{comment} = "Proxmox Mail Gateway authentication server"
if !$cfg->{ids}->{pmg}->{comment};
- $cfg->{ids}->{pmg}->{default} = 1
- if !$cfg->{ids}->{pmg}->{default};
$cfg->{ids}->{pam}->{type} = 'pam'; # force type
$cfg->{ids}->{pam}->{comment} = "Linux PAM standard authentication"
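Review bot: with the forced `default = 1` on the pmg realm removed, parse_config no longer guarantees that any realm carries the `default` flag, and nothing in this hunk substitutes another fallback. Check that consumers of the flag (the realm selector of the login view in particular) cope with a config in which no realm is marked default, for instance by falling back to the first realm returned, and that marking one realm as default clears the flag on the others, since two realms flagged default would be ambiguous. The commit message should also state what the effective default is for existing installations after this change, as it is no longer the pmg realm.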
--
2.39.5
* [pmg-devel] [PATCH pmg-gui v5 2/5] realms: enable default realm support
From: Markus Frank @ 2025-03-26 15:24 UTC
To: pmg-devel
Allow PAM and PMG realms to be edited and set as default. To make the
login view reflect the default realm setting, the value of the realm
field is removed.
Signed-off-by: Markus Frank <m.frank@proxmox.com>
---
nothing changed in v5
js/LoginView.js | 1 -
js/UserManagement.js | 1 +
js/Utils.js | 16 ++++++++++------
3 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/js/LoginView.js b/js/LoginView.js
index 67940ed..cb7e43f 100644
--- a/js/LoginView.js
+++ b/js/LoginView.js
@@ -374,7 +374,6 @@ Ext.define('PMG.LoginView', {
reference: 'realmfield',
name: 'realm',
baseUrl: '/access/auth-realm',
- value: 'pam',
},
{
xtype: 'proxmoxLanguageSelector',
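Review bot: dropping `value: 'pam'` leaves the realm combobox without a preset, so the login form now relies entirely on the `default` flag served by `/access/auth-realm`. On an installation where no realm is flagged default (possible once 1/5 stops forcing it onto the pmg realm) the field would start empty; confirm the realm selector falls back to a sane entry rather than letting a login be submitted with an empty `realm`. Note also that the previous GUI preset was `pam` while the API forced `pmg` as the default, so existing users may see a different preselected realm after this change, which is worth a line in the commit message.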
diff --git a/js/UserManagement.js b/js/UserManagement.js
index f6ada1b..79d1e3f 100644
--- a/js/UserManagement.js
+++ b/js/UserManagement.js
@@ -40,6 +40,7 @@ Ext.define('PMG.UserManagement', {
itemId: 'realms',
baseUrl: '/access/auth-realm',
storeBaseUrl: '/access/auth-realm',
+ showDefaultRealm: true,
iconCls: 'fa fa-address-book-o',
},
],
diff --git a/js/Utils.js b/js/Utils.js
index d4a55a8..aa17d83 100644
--- a/js/Utils.js
+++ b/js/Utils.js
@@ -877,12 +877,16 @@ Ext.define('PMG.Utils', {
Proxmox.Schema.authDomains.ldap.add = false;
Proxmox.Schema.authDomains.ad.add = false;
- Proxmox.Schema.authDomains.pam.edit = false;
- Proxmox.Schema.authDomains.pmg = {
- add: false,
- edit: false,
- sync: false,
- };
+ Proxmox.Schema.overrideAuthDomains({
+ pmg: {
+ name: 'Proxmox Mail Gateway authentication server',
+ ipanel: 'pmxAuthSimplePanel',
+ add: false,
+ edit: true,
+ pwchange: true,
+ sync: false,
+ },
+ });
// do whatever you want here
Proxmox.Utils.override_task_descriptions({
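Review bot: `Proxmox.Schema.overrideAuthDomains` is a widget-toolkit helper that is not part of this series, so this hunk introduces a minimum version requirement on proxmox-widget-toolkit that should be reflected in the pmg-gui package dependency (debian/control). Dropping `Proxmox.Schema.authDomains.pam.edit = false` is what makes the PAM realm editable, as the commit message says; `pwchange: true` on the pmg entry presumably also enables the password change action for that realm, which deserves a mention in the commit message since "edited and set as default" does not imply it.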
--
2.39.5
* [pmg-devel] [PATCH pmg-gui v5 3/5] add OIDC configuration panel for PMG
From: Markus Frank @ 2025-03-26 15:24 UTC
To: pmg-devel
AuthEditOIDC.js is based on AuthEditOpenId from widget-toolkit and
adds additional configuration options for autocreate-role-assignment.
Use sub/preferred_username for username-claim instead of the old names
(subject/username/email) because subject and username do not exist in
the current OpenID Connect specifications and the email option is
incompatible with the username scheme.
Signed-off-by: Markus Frank <m.frank@proxmox.com>
---
v5:
* added onlineHelp link to OIDC documentation in AuthEditOIDC.js
js/AuthEditOIDC.js | 245 +++++++++++++++++++++++++++++++++++++++++++++
js/Makefile | 1 +
js/Utils.js | 1 +
3 files changed, 247 insertions(+)
create mode 100644 js/AuthEditOIDC.js
diff --git a/js/AuthEditOIDC.js b/js/AuthEditOIDC.js
new file mode 100644
index 0000000..5344668
--- /dev/null
+++ b/js/AuthEditOIDC.js
@@ -0,0 +1,245 @@
+Ext.define('PMG.OIDCInputPanel', {
+ extend: 'Proxmox.panel.InputPanel',
+ xtype: 'pmgAuthOIDCPanel',
+ mixins: ['Proxmox.Mixin.CBind'],
+ onlineHelp: 'user_oidc',
+
+ type: 'oidc',
+
+ viewModel: {
+ data: {
+ roleSource: '__default__',
+ autocreate: 0,
+ },
+ formulas: {
+ hideFixedRoleAssignment: function(get) {
+ return get('roleSource') !== 'fixed' || !get('autocreate');
+ },
+ hideClaimRoleAssignment: function(get) {
+ return get('roleSource') !== 'from-claim' || !get('autocreate');
+ },
+ },
+ },
+
+ onGetValues: function(values) {
+ let me = this;
+
+ if (me.isCreate && !me.useTypeInUrl) {
+ values.type = me.type;
+ }
+
+ let autocreateRoleAssignment = {};
+ if (values.source) {
+ autocreateRoleAssignment.source = values.source;
+ }
+ if (values.source === 'fixed') {
+ autocreateRoleAssignment['fixed-role'] = values['fixed-role'];
+ } else if (values.source === 'from-claim') {
+ autocreateRoleAssignment['role-claim'] = values['role-claim'];
+ }
+ values['autocreate-role-assignment'] = Proxmox.Utils.printPropertyString(autocreateRoleAssignment);
+ Proxmox.Utils.delete_if_default(values, 'autocreate-role-assignment', '', me.isCreate);
+
+ delete values.source;
+ delete values['fixed-role'];
+ delete values['role-claim'];
+
+ return values;
+ },
+
+ setValues: function(values) {
+ let autocreateRoleAssignment =
+ Proxmox.Utils.parsePropertyString(values['autocreate-role-assignment']);
+
+ values.source = autocreateRoleAssignment.source ?? '__default__';
+
+ if (autocreateRoleAssignment.source === 'fixed') {
+ values['fixed-role'] = autocreateRoleAssignment['fixed-role'];
+ }
+ if (autocreateRoleAssignment.source === 'from-claim') {
+ values['role-claim'] = autocreateRoleAssignment['role-claim'];
+ }
+
+ this.callParent(arguments);
+ },
+
+
+ columnT: [
+ {
+ xtype: 'textfield',
+ name: 'issuer-url',
+ fieldLabel: gettext('Issuer URL'),
+ allowBlank: false,
+ },
+ ],
+
+ column1: [
+ {
+ xtype: 'pmxDisplayEditField',
+ name: 'realm',
+ cbind: {
+ value: '{realm}',
+ editable: '{isCreate}',
+ },
+ fieldLabel: gettext('Realm'),
+ allowBlank: false,
+ },
+ {
+ xtype: 'proxmoxcheckbox',
+ fieldLabel: gettext('Default realm'),
+ name: 'default',
+ value: 0,
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ autoEl: {
+ tag: 'div',
+ 'data-qtip': gettext('Set realm as default for login'),
+ },
+ },
+ {
+ xtype: 'proxmoxtextfield',
+ fieldLabel: gettext('Client ID'),
+ name: 'client-id',
+ allowBlank: false,
+ },
+ {
+ xtype: 'proxmoxtextfield',
+ fieldLabel: gettext('Client Key'),
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ name: 'client-key',
+ },
+ ],
+
+ column2: [
+ {
+ xtype: 'pmxDisplayEditField',
+ name: 'username-claim',
+ fieldLabel: gettext('Username Claim'),
+ editConfig: {
+ xtype: 'proxmoxKVComboBox',
+ editable: true,
+ comboItems: [
+ ['__default__', Proxmox.Utils.defaultText],
+ ['sub', gettext('sub (subject)')],
+ ['preferred_username', gettext('preferred_username')],
+ ],
+ },
+ cbind: {
+ value: get => get('isCreate') ? '__default__' : Proxmox.Utils.defaultText,
+ deleteEmpty: '{!isCreate}',
+ editable: '{isCreate}',
+ },
+ },
+ {
+ xtype: 'proxmoxtextfield',
+ name: 'scopes',
+ fieldLabel: gettext('Scopes'),
+ emptyText: `${Proxmox.Utils.defaultText} (email profile)`,
+ submitEmpty: false,
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ },
+ {
+ xtype: 'proxmoxKVComboBox',
+ name: 'prompt',
+ fieldLabel: gettext('Prompt'),
+ editable: true,
+ emptyText: gettext('Auth-Provider Default'),
+ comboItems: [
+ ['__default__', gettext('Auth-Provider Default')],
+ ['none', 'none'],
+ ['login', 'login'],
+ ['consent', 'consent'],
+ ['select_account', 'select_account'],
+ ],
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ },
+ ],
+
+ columnB: [
+ {
+ xtype: 'proxmoxtextfield',
+ name: 'comment',
+ fieldLabel: gettext('Comment'),
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ },
+ {
+ xtype: 'displayfield',
+ value: gettext('Autocreate Options'),
+ },
+ {
+ xtype: 'proxmoxcheckbox',
+ fieldLabel: gettext('Autocreate Users'),
+ name: 'autocreate',
+ bind: {
+ value: '{autocreate}',
+ },
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ },
+ {
+ xtype: 'proxmoxKVComboBox',
+ name: 'source',
+ fieldLabel: gettext('Source for Role Assignment'),
+ allowBlank: false,
+ deleteEmpty: false,
+ comboItems: [
+ [
+ '__default__',
+ Proxmox.Utils.defaultText
+ + ' (' + gettext('All auto-created users get audit role') + ')',
+ ],
+ ['fixed', gettext('Fixed role for all auto-created users')],
+ ['from-claim', gettext('Get role from OIDC claim')],
+ ],
+ bind: {
+ value: '{roleSource}',
+ disabled: '{!autocreate}',
+ hidden: '{!autocreate}',
+ },
+ },
+ {
+ xtype: 'pmgRoleSelector',
+ name: 'fixed-role',
+ allowBlank: false,
+ deleteEmpty: false,
+ fieldLabel: gettext('Fixed Role'),
+ bind: {
+ disabled: '{hideFixedRoleAssignment}',
+ hidden: '{hideFixedRoleAssignment}',
+ },
+ },
+ {
+ xtype: 'proxmoxtextfield',
+ name: 'role-claim',
+ allowBlank: false,
+ deleteEmpty: false,
+ fieldLabel: gettext('Role Claim'),
+ bind: {
+ disabled: '{hideClaimRoleAssignment}',
+ hidden: '{hideClaimRoleAssignment}',
+ },
+ },
+ ],
+
+ advancedColumnB: [
+ {
+ xtype: 'proxmoxtextfield',
+ name: 'acr-values',
+ fieldLabel: gettext('ACR Values'),
+ submitEmpty: false,
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ },
+ ],
+});
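Review bot: in `onGetValues`, unticking `Autocreate Users` on an existing realm silently drops its stored role assignment: `source`, `fixed-role` and `role-claim` are bound disabled while `autocreate` is false, so they are not submitted, `autocreateRoleAssignment` stays `{}`, `printPropertyString` yields `''`, and `delete_if_default(values, 'autocreate-role-assignment', '', me.isCreate)` then puts the key into `values.delete`. If that is intended, state it in the commit message; otherwise keep the previously stored value when `autocreate` is unset. Two smaller points: `client-key` is a plain `proxmoxtextfield`, so the client secret is shown in clear text in the dialog (consider `inputType: 'password'`), and `onlineHelp: 'user_oidc'` needs a matching anchor in pmg-docs, which the two docs patches in this series do not add, so verify it already exists.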
diff --git a/js/Makefile b/js/Makefile
index d1fab9b..c984bf3 100644
--- a/js/Makefile
+++ b/js/Makefile
@@ -78,6 +78,7 @@ JSSRC= \
LDAPConfig.js \
UserEdit.js \
UserView.js \
+ AuthEditOIDC.js \
TFAView.js \
FetchmailEdit.js \
FetchmailView.js \
diff --git a/js/Utils.js b/js/Utils.js
index aa17d83..d563483 100644
--- a/js/Utils.js
+++ b/js/Utils.js
@@ -871,6 +871,7 @@ Ext.define('PMG.Utils', {
// use oidc instead of openid
Proxmox.Schema.authDomains.oidc = Proxmox.Schema.authDomains.openid;
Proxmox.Schema.authDomains.oidc.useTypeInUrl = false;
+ Proxmox.Schema.authDomains.oidc.ipanel = 'pmgAuthOIDCPanel';
delete Proxmox.Schema.authDomains.openid;
// Disable LDAP/AD as a realm until LDAP/AD login is implemented
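Review bot: style: 2/5 switches this function to `Proxmox.Schema.overrideAuthDomains({...})`, but this hunk assigns `ipanel` directly on the aliased `oidc` object. Consider setting `ipanel: 'pmgAuthOIDCPanel'` (and `useTypeInUrl: false`) through the same override call so that all PMG realm-type adjustments live in one place. The direct assignment only works because `oidc` and `openid` reference the same object until the `delete` on the next line runs, which is easy to get wrong on a later edit.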
--
2.39.5
* [pmg-devel] [PATCH pmg-docs v5 4/5] OIDC: rename subject to sub and username to preferred_username
From: Markus Frank @ 2025-03-26 15:24 UTC
To: pmg-devel
The claims subject and username do not exist in the current OpenID
Connect specifications.
Signed-off-by: Markus Frank <m.frank@proxmox.com>
---
new to v5
pmgconfig.adoc | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/pmgconfig.adoc b/pmgconfig.adoc
index 7308c88..59a8f52 100644
--- a/pmgconfig.adoc
+++ b/pmgconfig.adoc
@@ -1215,24 +1215,24 @@ an entry in the {pmg} user configuration. You can either add them manually, or
use the `autocreate` option to automatically add new users.
* `Username Claim` (`username-claim`): OpenID claim used to generate the unique
-username (`subject` or `username`).
+username (`sub` or `preferred_username`).
Username mapping
^^^^^^^^^^^^^^^^
The OpenID Connect specification defines a single unique attribute
-('claim' in OpenID terms) named `subject`. By default, we use the
+('claim' in OpenID terms) named `sub` (Subject). By default, we use the
value of this attribute to generate {pmg} usernames, by simple adding
`@` and the realm name: `${subject}@${realm}`.
-Unfortunately, most OpenID servers use random strings for `subject`, like
+Unfortunately, most OpenID servers use random strings for `sub` (Subject), like
`DGH76OKH34BNG3245SB`, so a typical username would look like
`DGH76OKH34BNG3245SB@yourrealm`. While unique, it is difficult for
humans to remember such random strings, making it quite impossible to
associate real users with this.
The `username-claim` setting allows you to use other attributes for
-the username mapping. Setting it to `username` is preferred if the
+the username mapping. Setting it to `preferred_username` is preferred if the
OpenID Connect server provides that attribute and guarantees its
uniqueness.
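Review bot: the unchanged context line with `${subject}@${realm}` still uses the old claim name; with the claim renamed to `sub` in the surrounding sentences it should read `${sub}@${realm}`, otherwise the example contradicts the text directly above it. While here, "by simple adding" should be "by simply adding". On substance, the OpenID Connect Core specification states that a relying party must not rely on `preferred_username` being unique, so "provides that attribute and guarantees its uniqueness" deserves stronger wording: the identity provider has to be configured to enforce uniqueness, because a non-unique mapping lets two identities at the provider collapse into one PMG user.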
--
2.39.5
* [pmg-devel] [PATCH pmg-docs v5 5/5] OIDC: add 'Autocreate Users with Assigned Role' description
From: Markus Frank @ 2025-03-26 15:24 UTC
To: pmg-devel
Signed-off-by: Markus Frank <m.frank@proxmox.com>
---
new to v5
pmgconfig.adoc | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/pmgconfig.adoc b/pmgconfig.adoc
index 59a8f52..b39961a 100644
--- a/pmgconfig.adoc
+++ b/pmgconfig.adoc
@@ -1214,6 +1214,13 @@ exist. While authentication is done at the OpenID server, all users still need
an entry in the {pmg} user configuration. You can either add them manually, or
use the `autocreate` option to automatically add new users.
+* `Autocreate Users with Assigned Role` (`autocreate-role-assignment`): By
+default, all autocreated users will be assigned the Audit role. You can either
+assign a fixed xref:pmgconfig_localuser[role] to all autocreated users (for
+example, `source=fixed,fixed-role=helpdesk`), or set a custom claim that is used
+to assign users to different roles (for example,
+`source=from-claim,role-claim=custom_role_claim`).
+
* `Username Claim` (`username-claim`): OpenID claim used to generate the unique
username (`sub` or `preferred_username`).
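Review bot: the `from-claim` description does not say what values the claim must carry or what happens on a mismatch: state that the claim value has to be the name of an existing PMG role (`helpdesk` in the fixed example) and document whether a missing or unknown value falls back to the Audit role or fails the autocreation. Since this path lets the identity provider decide the PMG role, including a privileged one if the claim says so, add a sentence that the claim must be issued under the provider's control only and must not be editable by the user it describes. Also, `Autocreate Users with Assigned Role` reads like a GUI label, while the panel in 3/5 labels the field `Source for Role Assignment`; one of the two should be aligned with the other.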
--
2.39.5