From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pmg-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
	by lore.proxmox.com (Postfix) with ESMTPS id E2BAF1FF176
	for <inbox@lore.proxmox.com>; Fri, 21 Feb 2025 13:41:57 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 867DEE0A;
	Fri, 21 Feb 2025 13:41:57 +0100 (CET)
Date: Fri, 21 Feb 2025 13:41:23 +0100 (CET)
From: =?UTF-8?Q?Fabian_Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
To: Markus Frank <m.frank@proxmox.com>, pmg-devel@lists.proxmox.com
Message-ID: <2043234582.10132.1740141683339@webmail.proxmox.com>
In-Reply-To: <20250218161905.17224-7-m.frank@proxmox.com>
References: <20250218161905.17224-1-m.frank@proxmox.com>
 <20250218161905.17224-7-m.frank@proxmox.com>
MIME-Version: 1.0
X-Priority: 3
Importance: Normal
X-Mailer: Open-Xchange Mailer v7.10.6-Rev73
X-Originating-Client: open-xchange-appsuite
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.045 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
Subject: Re: [pmg-devel] [PATCH pmg-api v5 6/10] api: add/update/remove
 realms like in PVE
X-BeenThere: pmg-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Mail Gateway development discussion
 <pmg-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pmg-devel>, 
 <mailto:pmg-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pmg-devel/>
List-Post: <mailto:pmg-devel@lists.proxmox.com>
List-Help: <mailto:pmg-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel>, 
 <mailto:pmg-devel-request@lists.proxmox.com?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pmg-devel-bounces@lists.proxmox.com
Sender: "pmg-devel" <pmg-devel-bounces@lists.proxmox.com>


> Markus Frank <m.frank@proxmox.com> hat am 18.02.2025 17:19 CET geschrieben:
> 
>  
> The name Realm.pm was chosen because a Domain.pm already exists.

but the API path is still domains, and the naming inside the code/descriptions/.. is also rather inconsistent. should we settle on one or the other?

> 
> Signed-off-by: Markus Frank <m.frank@proxmox.com>
> ---
>  src/Makefile                  |   1 +
>  src/PMG/API2/AccessControl.pm |  10 +-
>  src/PMG/API2/Realm.pm         | 274 ++++++++++++++++++++++++++++++++++
>  3 files changed, 284 insertions(+), 1 deletion(-)
>  create mode 100644 src/PMG/API2/Realm.pm
> 
> diff --git a/src/Makefile b/src/Makefile
> index 3cae7c7..e939bbd 100644
> --- a/src/Makefile
> +++ b/src/Makefile
> @@ -151,6 +151,7 @@ LIBSOURCES =				\
>  	PMG/API2/Postfix.pm		\
>  	PMG/API2/Quarantine.pm		\
>  	PMG/API2/AccessControl.pm	\
> +	PMG/API2/Realm.pm		\
>  	PMG/API2/TFA.pm			\
>  	PMG/API2/TFAConfig.pm		\
>  	PMG/API2/ObjectGroupHelpers.pm	\
> diff --git a/src/PMG/API2/AccessControl.pm b/src/PMG/API2/AccessControl.pm
> index e26ae70..f4cbc81 100644
> --- a/src/PMG/API2/AccessControl.pm
> +++ b/src/PMG/API2/AccessControl.pm
> @@ -12,6 +12,7 @@ use PVE::JSONSchema qw(get_standard_option);
>  use PMG::Utils;
>  use PMG::UserConfig;
>  use PMG::AccessControl;
> +use PMG::API2::Realm;
>  use PMG::API2::Users;
>  use PMG::API2::TFA;
>  use PMG::TFAConfig;
> @@ -30,6 +31,11 @@ __PACKAGE__->register_method ({
>      path => 'tfa',
>  });
>  
> +__PACKAGE__->register_method ({
> +    subclass => "PMG::API2::Realm",
> +    path => 'domains',

realm vs domains

> +});
> +
>  __PACKAGE__->register_method ({
>      name => 'index',
>      path => '',
> @@ -57,6 +63,7 @@ __PACKAGE__->register_method ({
>  
>  	my $res = [
>  	    { subdir => 'ticket' },
> +	    { subdir => 'domains' },
>  	    { subdir => 'password' },
>  	    { subdir => 'users' },
>  	];
> @@ -248,7 +255,8 @@ __PACKAGE__->register_method ({
>  
>  	my $username = $param->{username};
>  
> -	if ($username !~ m/\@(pam|pmg|quarantine)$/) {
> +	my $realm_regex = PMG::Utils::valid_pmg_realm_regex();
> +	if ($username !~ m/\@(${realm_regex})$/) {
>  	    my $realm = $param->{realm} // 'quarantine';
>  	    $username .= "\@$realm";
>  	}
> diff --git a/src/PMG/API2/Realm.pm b/src/PMG/API2/Realm.pm
> new file mode 100644
> index 0000000..da2072a
> --- /dev/null
> +++ b/src/PMG/API2/Realm.pm
> @@ -0,0 +1,274 @@
> +package PMG::API2::Realm;
> +
> +use strict;
> +use warnings;
> +
> +use PVE::Exception qw(raise_param_exc);
> +use PVE::INotify;
> +use PVE::JSONSchema qw(get_standard_option);
> +use PVE::RESTHandler;
> +use PVE::SafeSyslog;
> +use PVE::Tools qw(extract_param);
> +
> +use PMG::AccessControl;
> +use PMG::Auth::Plugin;
> +use PVE::Schema::Auth;
> +
> +my $domainconfigfile = "realms.cfg";
> +
> +use base qw(PVE::RESTHandler);
> +
> +__PACKAGE__->register_method ({
> +    name => 'index',
> +    path => '',
> +    method => 'GET',
> +    description => "Authentication domain index.",

and here it is still an authentication domain ;)

> +    permissions => {
> +	description => "Anyone can access that, because we need that list for the login box (before the user is authenticated).",
> +	user => 'world',
> +    },
> +    parameters => {
> +	additionalProperties => 0,
> +	properties => {},
> +    },
> +    returns => {
> +	type => 'array',
> +	items => {
> +	    type => "object",
> +	    properties => {
> +		realm => { type => 'string' },

even though it returns realms

> +		type => { type => 'string' },
> +		tfa => {
> +		    description => "Two-factor authentication provider.",
> +		    type => 'string',
> +		    enum => [ 'yubico', 'oath' ],
> +		    optional => 1,
> +		},
> +		comment => {
> +		    description => "A comment. The GUI use this text when you select a domain (Realm) on the login window.",
> +		    type => 'string',
> +		    optional => 1,
> +		},
> +	    },
> +	},
> +	links => [ { rel => 'child', href => "{realm}" } ],
> +    },
> +    code => sub {
> +	my ($param) = @_;
> +
> +	my $res = [];
> +
> +	my $cfg = PVE::INotify::read_file($domainconfigfile);
> +	my $ids = $cfg->{ids};
> +
> +	for my $realm (keys %$ids) {
> +	    my $d = $ids->{$realm};
> +	    my $entry = { realm => $realm, type => $d->{type} };
> +	    $entry->{comment} = $d->{comment} if $d->{comment};
> +	    $entry->{default} = 1 if $d->{default};
> +	    if ($d->{tfa} && (my $tfa_cfg = PVE::Schema::Auth::parse_tfa_config($d->{tfa}))) {
> +		$entry->{tfa} = $tfa_cfg->{type};
> +	    }
> +	    push @$res, $entry;
> +	}
> +
> +	return $res;
> +    }});
> +
> +__PACKAGE__->register_method ({
> +    name => 'create',
> +    protected => 1,
> +    path => '',
> +    method => 'POST',
> +    permissions => { check => [ 'admin' ] },
> +    description => "Add an authentication server.",
> +    parameters => PMG::Auth::Plugin->createSchema(0),
> +    returns => { type => 'null' },
> +    code => sub {
> +	my ($param) = @_;
> +
> +	# always extract, add it with hook
> +	my $password = extract_param($param, 'password');
> +
> +	PMG::Auth::Plugin::lock_domain_config(
> +	    sub {
> +		my $cfg = PVE::INotify::read_file($domainconfigfile);
> +		my $ids = $cfg->{ids};
> +
> +		my $realm = extract_param($param, 'realm');
> +		PMG::Auth::Plugin::pmg_verify_realm($realm);
> +		my $type = $param->{type};
> +		my $check_connection = extract_param($param, 'check-connection');
> +
> +		die "domain '$realm' already exists\n"
> +		    if $ids->{$realm};
> +
> +		die "unable to use reserved name '$realm'\n"
> +		    if ($realm eq 'pam' || $realm eq 'pmg');
> +
> +		die "unable to create builtin type '$type'\n"
> +		    if ($type eq 'pam' || $type eq 'pmg');
> +
> +		my $plugin = PMG::Auth::Plugin->lookup($type);
> +		my $config = $plugin->check_config($realm, $param, 1, 1);
> +
> +		if ($config->{default}) {
> +		    for my $r (keys %$ids) {
> +			delete $ids->{$r}->{default};
> +		    }
> +		}
> +
> +		$ids->{$realm} = $config;
> +
> +		my $opts = $plugin->options();
> +		if (defined($password) && !defined($opts->{password})) {
> +		    $password = undef;
> +		    warn "ignoring password parameter";
> +		}
> +		$plugin->on_add_hook($realm, $config, password => $password);
> +
> +		PVE::INotify::write_file($domainconfigfile, $cfg);
> +	    },
> +	    "add auth server failed",
> +	);
> +	return undef;
> +    }});
> +
> +__PACKAGE__->register_method ({
> +    name => 'update',
> +    path => '{realm}',
> +    method => 'PUT',
> +    permissions => { check => [ 'admin' ] },
> +    description => "Update authentication server settings.",
> +    protected => 1,
> +    parameters => PMG::Auth::Plugin->updateSchema(0),
> +    returns => { type => 'null' },
> +    code => sub {
> +	my ($param) = @_;
> +
> +	# always extract, update in hook
> +	my $password = extract_param($param, 'password');
> +
> +	PMG::Auth::Plugin::lock_domain_config(
> +	    sub {
> +		my $cfg = PVE::INotify::read_file($domainconfigfile);
> +		my $ids = $cfg->{ids};
> +
> +		my $digest = extract_param($param, 'digest');
> +		PVE::SectionConfig::assert_if_modified($cfg, $digest);
> +
> +		my $realm = extract_param($param, 'realm');
> +		my $type = $ids->{$realm}->{type};
> +		my $check_connection = extract_param($param, 'check-connection');
> +
> +		die "domain '$realm' does not exist\n"
> +		    if !$ids->{$realm};
> +
> +		my $delete_str = extract_param($param, 'delete');
> +		die "no options specified\n"
> +		    if !$delete_str && !scalar(keys %$param) && !defined($password);
> +
> +		my $delete_pw = 0;
> +		for my $opt (PVE::Tools::split_list($delete_str)) {
> +		    delete $ids->{$realm}->{$opt};
> +		    $delete_pw = 1 if $opt eq 'password';
> +		}
> +
> +		my $plugin = PMG::Auth::Plugin->lookup($type);
> +		my $config = $plugin->check_config($realm, $param, 0, 1);
> +
> +		if ($config->{default}) {
> +		    for my $r (keys %$ids) {
> +			delete $ids->{$r}->{default};
> +		    }
> +		}
> +
> +		for my $p (keys %$config) {
> +		    $ids->{$realm}->{$p} = $config->{$p};
> +		}
> +
> +		my $opts = $plugin->options();
> +		if ($delete_pw || defined($password)) {
> +		    $plugin->on_update_hook($realm, $config, password => $password);
> +		} else {
> +		    $plugin->on_update_hook($realm, $config);
> +		}
> +
> +		PVE::INotify::write_file($domainconfigfile, $cfg);
> +	    },
> +	    "update auth server failed"
> +	);
> +	return undef;
> +    }});
> +
> +# fixme: return format!
> +__PACKAGE__->register_method ({
> +    name => 'read',
> +    path => '{realm}',
> +    method => 'GET',
> +    description => "Get auth server configuration.",
> +    permissions => { check => [ 'admin', 'qmanager', 'audit' ] },
> +    parameters => {
> +	additionalProperties => 0,
> +	properties => {
> +	    realm =>  get_standard_option('realm'),
> +	},
> +    },
> +    returns => {},
> +    code => sub {
> +	my ($param) = @_;
> +
> +	my $cfg = PVE::INotify::read_file($domainconfigfile);
> +
> +	my $realm = $param->{realm};
> +
> +	my $data = $cfg->{ids}->{$realm};
> +	die "domain '$realm' does not exist\n" if !$data;
> +
> +	my $type = $data->{type};
> +
> +	$data->{digest} = $cfg->{digest};
> +
> +	return $data;
> +    }});
> +
> +
> +__PACKAGE__->register_method ({
> +    name => 'delete',
> +    path => '{realm}',
> +    method => 'DELETE',
> +    permissions => { check => [ 'admin' ] },
> +    description => "Delete an authentication server.",
> +    protected => 1,
> +    parameters => {
> +	additionalProperties => 0,
> +	properties => {
> +	    realm =>  get_standard_option('realm'),
> +	}
> +    },
> +    returns => { type => 'null' },
> +    code => sub {
> +	my ($param) = @_;
> +
> +	PMG::Auth::Plugin::lock_domain_config(
> +	    sub {
> +		my $cfg = PVE::INotify::read_file($domainconfigfile);
> +		my $ids = $cfg->{ids};
> +		my $realm = $param->{realm};
> +
> +		die "authentication domain '$realm' does not exist\n" if !$ids->{$realm};
> +
> +		my $plugin = PMG::Auth::Plugin->lookup($ids->{$realm}->{type});
> +
> +		$plugin->on_delete_hook($realm, $ids->{$realm});
> +
> +		delete $ids->{$realm};
> +
> +		PVE::INotify::write_file($domainconfigfile, $cfg);
> +	    },
> +	    "delete auth server failed",
> +	);
> +	return undef;
> +    }});
> +
> +1;
> -- 
> 2.39.5
> 
> 
> 
> _______________________________________________
> pmg-devel mailing list
> pmg-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel


_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel