From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: <pmg-devel-bounces@lists.proxmox.com> Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id E2BAF1FF176 for <inbox@lore.proxmox.com>; Fri, 21 Feb 2025 13:41:57 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 867DEE0A; Fri, 21 Feb 2025 13:41:57 +0100 (CET) Date: Fri, 21 Feb 2025 13:41:23 +0100 (CET) From: =?UTF-8?Q?Fabian_Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com> To: Markus Frank <m.frank@proxmox.com>, pmg-devel@lists.proxmox.com Message-ID: <2043234582.10132.1740141683339@webmail.proxmox.com> In-Reply-To: <20250218161905.17224-7-m.frank@proxmox.com> References: <20250218161905.17224-1-m.frank@proxmox.com> <20250218161905.17224-7-m.frank@proxmox.com> MIME-Version: 1.0 X-Priority: 3 Importance: Normal X-Mailer: Open-Xchange Mailer v7.10.6-Rev73 X-Originating-Client: open-xchange-appsuite X-SPAM-LEVEL: Spam detection results: 0 AWL 0.045 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pmg-devel] [PATCH pmg-api v5 6/10] api: add/update/remove realms like in PVE X-BeenThere: pmg-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Mail Gateway development discussion <pmg-devel.lists.proxmox.com> List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pmg-devel>, <mailto:pmg-devel-request@lists.proxmox.com?subject=unsubscribe> List-Archive: <http://lists.proxmox.com/pipermail/pmg-devel/> List-Post: <mailto:pmg-devel@lists.proxmox.com> List-Help: <mailto:pmg-devel-request@lists.proxmox.com?subject=help> List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel>, <mailto:pmg-devel-request@lists.proxmox.com?subject=subscribe> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pmg-devel-bounces@lists.proxmox.com Sender: "pmg-devel" <pmg-devel-bounces@lists.proxmox.com> > Markus Frank <m.frank@proxmox.com> hat am 18.02.2025 17:19 CET geschrieben: > > > The name Realm.pm was chosen because a Domain.pm already exists. but the API path is still domains, and the naming inside the code/descriptions/.. is also rather inconsistent. should we settle on one or the other? > > Signed-off-by: Markus Frank <m.frank@proxmox.com> > --- > src/Makefile | 1 + > src/PMG/API2/AccessControl.pm | 10 +- > src/PMG/API2/Realm.pm | 274 ++++++++++++++++++++++++++++++++++ > 3 files changed, 284 insertions(+), 1 deletion(-) > create mode 100644 src/PMG/API2/Realm.pm > > diff --git a/src/Makefile b/src/Makefile > index 3cae7c7..e939bbd 100644 > --- a/src/Makefile > +++ b/src/Makefile > @@ -151,6 +151,7 @@ LIBSOURCES = \ > PMG/API2/Postfix.pm \ > PMG/API2/Quarantine.pm \ > PMG/API2/AccessControl.pm \ > + PMG/API2/Realm.pm \ > PMG/API2/TFA.pm \ > PMG/API2/TFAConfig.pm \ > PMG/API2/ObjectGroupHelpers.pm \ > diff --git a/src/PMG/API2/AccessControl.pm b/src/PMG/API2/AccessControl.pm > index e26ae70..f4cbc81 100644 > --- a/src/PMG/API2/AccessControl.pm > +++ b/src/PMG/API2/AccessControl.pm > @@ -12,6 +12,7 @@ use PVE::JSONSchema qw(get_standard_option); > use PMG::Utils; > use PMG::UserConfig; > use PMG::AccessControl; > +use PMG::API2::Realm; > use PMG::API2::Users; > use PMG::API2::TFA; > use PMG::TFAConfig; > @@ -30,6 +31,11 @@ __PACKAGE__->register_method ({ > path => 'tfa', > }); > > +__PACKAGE__->register_method ({ > + subclass => "PMG::API2::Realm", > + path => 'domains', realm vs domains > +}); > + > __PACKAGE__->register_method ({ > name => 'index', > path => '', > @@ -57,6 +63,7 @@ __PACKAGE__->register_method ({ > > my $res = [ > { subdir => 'ticket' }, > + { subdir => 'domains' }, > { subdir => 'password' }, > { subdir => 'users' }, > ]; > @@ -248,7 +255,8 @@ __PACKAGE__->register_method ({ > > my $username = $param->{username}; > > - if ($username !~ m/\@(pam|pmg|quarantine)$/) { > + my $realm_regex = PMG::Utils::valid_pmg_realm_regex(); > + if ($username !~ m/\@(${realm_regex})$/) { > my $realm = $param->{realm} // 'quarantine'; > $username .= "\@$realm"; > } > diff --git a/src/PMG/API2/Realm.pm b/src/PMG/API2/Realm.pm > new file mode 100644 > index 0000000..da2072a > --- /dev/null > +++ b/src/PMG/API2/Realm.pm > @@ -0,0 +1,274 @@ > +package PMG::API2::Realm; > + > +use strict; > +use warnings; > + > +use PVE::Exception qw(raise_param_exc); > +use PVE::INotify; > +use PVE::JSONSchema qw(get_standard_option); > +use PVE::RESTHandler; > +use PVE::SafeSyslog; > +use PVE::Tools qw(extract_param); > + > +use PMG::AccessControl; > +use PMG::Auth::Plugin; > +use PVE::Schema::Auth; > + > +my $domainconfigfile = "realms.cfg"; > + > +use base qw(PVE::RESTHandler); > + > +__PACKAGE__->register_method ({ > + name => 'index', > + path => '', > + method => 'GET', > + description => "Authentication domain index.", and here it is still an authentication domain ;) > + permissions => { > + description => "Anyone can access that, because we need that list for the login box (before the user is authenticated).", > + user => 'world', > + }, > + parameters => { > + additionalProperties => 0, > + properties => {}, > + }, > + returns => { > + type => 'array', > + items => { > + type => "object", > + properties => { > + realm => { type => 'string' }, even though it returns realms > + type => { type => 'string' }, > + tfa => { > + description => "Two-factor authentication provider.", > + type => 'string', > + enum => [ 'yubico', 'oath' ], > + optional => 1, > + }, > + comment => { > + description => "A comment. The GUI use this text when you select a domain (Realm) on the login window.", > + type => 'string', > + optional => 1, > + }, > + }, > + }, > + links => [ { rel => 'child', href => "{realm}" } ], > + }, > + code => sub { > + my ($param) = @_; > + > + my $res = []; > + > + my $cfg = PVE::INotify::read_file($domainconfigfile); > + my $ids = $cfg->{ids}; > + > + for my $realm (keys %$ids) { > + my $d = $ids->{$realm}; > + my $entry = { realm => $realm, type => $d->{type} }; > + $entry->{comment} = $d->{comment} if $d->{comment}; > + $entry->{default} = 1 if $d->{default}; > + if ($d->{tfa} && (my $tfa_cfg = PVE::Schema::Auth::parse_tfa_config($d->{tfa}))) { > + $entry->{tfa} = $tfa_cfg->{type}; > + } > + push @$res, $entry; > + } > + > + return $res; > + }}); > + > +__PACKAGE__->register_method ({ > + name => 'create', > + protected => 1, > + path => '', > + method => 'POST', > + permissions => { check => [ 'admin' ] }, > + description => "Add an authentication server.", > + parameters => PMG::Auth::Plugin->createSchema(0), > + returns => { type => 'null' }, > + code => sub { > + my ($param) = @_; > + > + # always extract, add it with hook > + my $password = extract_param($param, 'password'); > + > + PMG::Auth::Plugin::lock_domain_config( > + sub { > + my $cfg = PVE::INotify::read_file($domainconfigfile); > + my $ids = $cfg->{ids}; > + > + my $realm = extract_param($param, 'realm'); > + PMG::Auth::Plugin::pmg_verify_realm($realm); > + my $type = $param->{type}; > + my $check_connection = extract_param($param, 'check-connection'); > + > + die "domain '$realm' already exists\n" > + if $ids->{$realm}; > + > + die "unable to use reserved name '$realm'\n" > + if ($realm eq 'pam' || $realm eq 'pmg'); > + > + die "unable to create builtin type '$type'\n" > + if ($type eq 'pam' || $type eq 'pmg'); > + > + my $plugin = PMG::Auth::Plugin->lookup($type); > + my $config = $plugin->check_config($realm, $param, 1, 1); > + > + if ($config->{default}) { > + for my $r (keys %$ids) { > + delete $ids->{$r}->{default}; > + } > + } > + > + $ids->{$realm} = $config; > + > + my $opts = $plugin->options(); > + if (defined($password) && !defined($opts->{password})) { > + $password = undef; > + warn "ignoring password parameter"; > + } > + $plugin->on_add_hook($realm, $config, password => $password); > + > + PVE::INotify::write_file($domainconfigfile, $cfg); > + }, > + "add auth server failed", > + ); > + return undef; > + }}); > + > +__PACKAGE__->register_method ({ > + name => 'update', > + path => '{realm}', > + method => 'PUT', > + permissions => { check => [ 'admin' ] }, > + description => "Update authentication server settings.", > + protected => 1, > + parameters => PMG::Auth::Plugin->updateSchema(0), > + returns => { type => 'null' }, > + code => sub { > + my ($param) = @_; > + > + # always extract, update in hook > + my $password = extract_param($param, 'password'); > + > + PMG::Auth::Plugin::lock_domain_config( > + sub { > + my $cfg = PVE::INotify::read_file($domainconfigfile); > + my $ids = $cfg->{ids}; > + > + my $digest = extract_param($param, 'digest'); > + PVE::SectionConfig::assert_if_modified($cfg, $digest); > + > + my $realm = extract_param($param, 'realm'); > + my $type = $ids->{$realm}->{type}; > + my $check_connection = extract_param($param, 'check-connection'); > + > + die "domain '$realm' does not exist\n" > + if !$ids->{$realm}; > + > + my $delete_str = extract_param($param, 'delete'); > + die "no options specified\n" > + if !$delete_str && !scalar(keys %$param) && !defined($password); > + > + my $delete_pw = 0; > + for my $opt (PVE::Tools::split_list($delete_str)) { > + delete $ids->{$realm}->{$opt}; > + $delete_pw = 1 if $opt eq 'password'; > + } > + > + my $plugin = PMG::Auth::Plugin->lookup($type); > + my $config = $plugin->check_config($realm, $param, 0, 1); > + > + if ($config->{default}) { > + for my $r (keys %$ids) { > + delete $ids->{$r}->{default}; > + } > + } > + > + for my $p (keys %$config) { > + $ids->{$realm}->{$p} = $config->{$p}; > + } > + > + my $opts = $plugin->options(); > + if ($delete_pw || defined($password)) { > + $plugin->on_update_hook($realm, $config, password => $password); > + } else { > + $plugin->on_update_hook($realm, $config); > + } > + > + PVE::INotify::write_file($domainconfigfile, $cfg); > + }, > + "update auth server failed" > + ); > + return undef; > + }}); > + > +# fixme: return format! > +__PACKAGE__->register_method ({ > + name => 'read', > + path => '{realm}', > + method => 'GET', > + description => "Get auth server configuration.", > + permissions => { check => [ 'admin', 'qmanager', 'audit' ] }, > + parameters => { > + additionalProperties => 0, > + properties => { > + realm => get_standard_option('realm'), > + }, > + }, > + returns => {}, > + code => sub { > + my ($param) = @_; > + > + my $cfg = PVE::INotify::read_file($domainconfigfile); > + > + my $realm = $param->{realm}; > + > + my $data = $cfg->{ids}->{$realm}; > + die "domain '$realm' does not exist\n" if !$data; > + > + my $type = $data->{type}; > + > + $data->{digest} = $cfg->{digest}; > + > + return $data; > + }}); > + > + > +__PACKAGE__->register_method ({ > + name => 'delete', > + path => '{realm}', > + method => 'DELETE', > + permissions => { check => [ 'admin' ] }, > + description => "Delete an authentication server.", > + protected => 1, > + parameters => { > + additionalProperties => 0, > + properties => { > + realm => get_standard_option('realm'), > + } > + }, > + returns => { type => 'null' }, > + code => sub { > + my ($param) = @_; > + > + PMG::Auth::Plugin::lock_domain_config( > + sub { > + my $cfg = PVE::INotify::read_file($domainconfigfile); > + my $ids = $cfg->{ids}; > + my $realm = $param->{realm}; > + > + die "authentication domain '$realm' does not exist\n" if !$ids->{$realm}; > + > + my $plugin = PMG::Auth::Plugin->lookup($ids->{$realm}->{type}); > + > + $plugin->on_delete_hook($realm, $ids->{$realm}); > + > + delete $ids->{$realm}; > + > + PVE::INotify::write_file($domainconfigfile, $cfg); > + }, > + "delete auth server failed", > + ); > + return undef; > + }}); > + > +1; > -- > 2.39.5 > > > > _______________________________________________ > pmg-devel mailing list > pmg-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel _______________________________________________ pmg-devel mailing list pmg-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel