From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: <pmg-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9])
by lore.proxmox.com (Postfix) with ESMTPS id BFAE91FF16F
for <inbox@lore.proxmox.com>; Thu, 27 Feb 2025 09:47:09 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
by firstgate.proxmox.com (Proxmox) with ESMTP id 510C02C5CA;
Thu, 27 Feb 2025 09:47:08 +0100 (CET)
Message-ID: <d7b318b3-53c5-428a-858e-c595d736f7f8@proxmox.com>
Date: Thu, 27 Feb 2025 09:46:34 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird Beta
To: Markus Frank <m.frank@proxmox.com>, pmg-devel@lists.proxmox.com
References: <20250227075517.3364-1-m.frank@proxmox.com>
<20250227075517.3364-2-m.frank@proxmox.com>
Content-Language: en-GB, de-AT
From: Thomas Lamprecht <t.lamprecht@proxmox.com>
Autocrypt: addr=t.lamprecht@proxmox.com; keydata=
xsFNBFsLjcYBEACsaQP6uTtw/xHTUCKF4VD4/Wfg7gGn47+OfCKJQAD+Oyb3HSBkjclopC5J
uXsB1vVOfqVYE6PO8FlD2L5nxgT3SWkc6Ka634G/yGDU3ZC3C/7NcDVKhSBI5E0ww4Qj8s9w
OQRloemb5LOBkJNEUshkWRTHHOmk6QqFB/qBPW2COpAx6oyxVUvBCgm/1S0dAZ9gfkvpqFSD
90B5j3bL6i9FIv3YGUCgz6Ue3f7u+HsEAew6TMtlt90XV3vT4M2IOuECG/pXwTy7NtmHaBQ7
UJBcwSOpDEweNob50+9B4KbnVn1ydx+K6UnEcGDvUWBkREccvuExvupYYYQ5dIhRFf3fkS4+
wMlyAFh8PQUgauod+vqs45FJaSgTqIALSBsEHKEs6IoTXtnnpbhu3p6XBin4hunwoBFiyYt6
YHLAM1yLfCyX510DFzX/Ze2hLqatqzY5Wa7NIXqYYelz7tXiuCLHP84+sV6JtEkeSUCuOiUY
virj6nT/nJK8m0BzdR6FgGtNxp7RVXFRz/+mwijJVLpFsyG1i0Hmv2zTn3h2nyGK/I6yhFNt
dX69y5hbo6LAsRjLUvZeHXpTU4TrpN/WiCjJblbj5um5eEr4yhcwhVmG102puTtuCECsDucZ
jpKpUqzXlpLbzG/dp9dXFH3MivvfuaHrg3MtjXY1i+/Oxyp5iwARAQABzTNUaG9tYXMgTGFt
cHJlY2h0IChBdXRoLTQpIDx0LmxhbXByZWNodEBwcm94bW94LmNvbT7CwY4EEwEIADgWIQQO
R4qbEl/pah9K6VrTZCM6gDZWBgUCWwuNxgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAK
CRDTZCM6gDZWBm/jD/4+6JB2s67eaqoP6x9VGaXNGJPCscwzLuxDTCG90G9FYu29VcXtubH/
bPwsyBbNUQpqTm/s4XboU2qpS5ykCuTjqavrcP33tdkYfGcItj2xMipJ1i3TWvpikQVsX42R
G64wovLs/dvpTYphRZkg5DwhgTmy3mRkmofFCTa+//MOcNOORltemp984tWjpR3bUJETNWpF
sKGZHa3N4kCNxb7A+VMsJZ/1gN3jbQbQG7GkJtnHlWkw9rKCYqBtWrnrHa4UAvSa9M/XCIAB
FThFGqZI1ojdVlv5gd6b/nWxfOPrLlSxbUo5FZ1i/ycj7/24nznW1V4ykG9iUld4uYUY86bB
UGSjew1KYp9FmvKiwEoB+zxNnuEQfS7/Bj1X9nxizgweiHIyFsRqgogTvLh403QMSGNSoArk
tqkorf1U+VhEncIn4H3KksJF0njZKfilrieOO7Vuot1xKr9QnYrZzJ7m7ZxJ/JfKGaRHXkE1
feMmrvZD1AtdUATZkoeQtTOpMu4r6IQRfSdwm/CkppZXfDe50DJxAMDWwfK2rr2bVkNg/yZI
tKLBS0YgRTIynkvv0h8d9dIjiicw3RMeYXyqOnSWVva2r+tl+JBaenr8YTQw0zARrhC0mttu
cIZGnVEvQuDwib57QLqMjQaC1gazKHvhA15H5MNxUhwm229UmdH3KM7BTQRbC43GARAAyTkR
D6KRJ9Xa2fVMh+6f186q0M3ni+5tsaVhUiykxjsPgkuWXWW9MbLpYXkzX6h/RIEKlo2BGA95
QwG5+Ya2Bo3g7FGJHAkXY6loq7DgMp5/TVQ8phsSv3WxPTJLCBq6vNBamp5hda4cfXFUymsy
HsJy4dtgkrPQ/bnsdFDCRUuhJHopnAzKHN8APXpKU6xV5e3GE4LwFsDhNHfH/m9+2yO/trcD
txSFpyftbK2gaMERHgA8SKkzRhiwRTt9w5idOfpJVkYRsgvuSGZ0pcD4kLCOIFrer5xXudk6
NgJc36XkFRMnwqrL/bB4k6Pi2u5leyqcXSLyBgeHsZJxg6Lcr2LZ35+8RQGPOw9C0ItmRjtY
ZpGKPlSxjxA1WHT2YlF9CEt3nx7c4C3thHHtqBra6BGPyW8rvtq4zRqZRLPmZ0kt/kiMPhTM
8wZAlObbATVrUMcZ/uNjRv2vU9O5aTAD9E5r1B0dlqKgxyoImUWB0JgpILADaT3VybDd3C8X
s6Jt8MytUP+1cEWt9VKo4vY4Jh5vwrJUDLJvzpN+TsYCZPNVj18+jf9uGRaoK6W++DdMAr5l
gQiwsNgf9372dbMI7pt2gnT5/YdG+ZHnIIlXC6OUonA1Ro/Itg90Q7iQySnKKkqqnWVc+qO9
GJbzcGykxD6EQtCSlurt3/5IXTA7t6sAEQEAAcLBdgQYAQgAIBYhBA5HipsSX+lqH0rpWtNk
IzqANlYGBQJbC43GAhsMAAoJENNkIzqANlYGD1sP/ikKgHgcspEKqDED9gQrTBvipH85si0j
/Jwu/tBtnYjLgKLh2cjv1JkgYYjb3DyZa1pLsIv6rGnPX9bH9IN03nqirC/Q1Y1lnbNTynPk
IflgvsJjoTNZjgu1wUdQlBgL/JhUp1sIYID11jZphgzfDgp/E6ve/8xE2HMAnf4zAfJaKgD0
F+fL1DlcdYUditAiYEuN40Ns/abKs8I1MYx7Yglu3RzJfBzV4t86DAR+OvuF9v188WrFwXCS
RSf4DmJ8tntyNej+DVGUnmKHupLQJO7uqCKB/1HLlMKc5G3GLoGqJliHjUHUAXNzinlpE2Vj
C78pxpwxRNg2ilE3AhPoAXrY5qED5PLE9sLnmQ9AzRcMMJUXjTNEDxEYbF55SdGBHHOAcZtA
kEQKub86e+GHA+Z8oXQSGeSGOkqHi7zfgW1UexddTvaRwE6AyZ6FxTApm8wq8NT2cryWPWTF
BDSGB3ujWHMM8ERRYJPcBSjTvt0GcEqnd+OSGgxTkGOdufn51oz82zfpVo1t+J/FNz6MRMcg
8nEC+uKvgzH1nujxJ5pRCBOquFZaGn/p71Yr0oVitkttLKblFsqwa+10Lt6HBxm+2+VLp4Ja
0WZNncZciz3V3cuArpan/ZhhyiWYV5FD0pOXPCJIx7WS9PTtxiv0AOS4ScWEUmBxyhFeOpYa DrEx
In-Reply-To: <20250227075517.3364-2-m.frank@proxmox.com>
X-SPAM-LEVEL: Spam detection results: 0
AWL -0.041 Adjusted score from AWL reputation of From: address
BAYES_00 -1.9 Bayes spam probability is 0 to 1%
DMARC_MISSING 0.1 Missing DMARC policy
KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
Validity was blocked. See
https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
information.
RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
Validity was blocked. See
https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
information.
RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
Validity was blocked. See
https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
information.
SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
SPF_PASS -0.001 SPF: sender matches SPF record
Subject: Re: [pmg-devel] [PATCH widget-toolkit v1 1/2] window: add optional
autocreate-role selector to openid realm edit
X-BeenThere: pmg-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Mail Gateway development discussion
<pmg-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pmg-devel>,
<mailto:pmg-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pmg-devel/>
List-Post: <mailto:pmg-devel@lists.proxmox.com>
List-Help: <mailto:pmg-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel>,
<mailto:pmg-devel-request@lists.proxmox.com?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pmg-devel-bounces@lists.proxmox.com
Sender: "pmg-devel" <pmg-devel-bounces@lists.proxmox.com>
Am 27.02.25 um 08:55 schrieb Markus Frank:
> The enableRoleSelector option enables the role selector, and
> roleSelector can be overridden with a specific role selector such as
> pmgRoleSelector (displayfield is used as a placeholder for the role
> selector).
>
> Signed-off-by: Markus Frank <m.frank@proxmox.com>
> ---
> src/panel/AuthView.js | 4 ++++
> src/window/AuthEditBase.js | 6 ++++++
> src/window/AuthEditOpenId.js | 35 +++++++++++++++++++++++------------
> 3 files changed, 33 insertions(+), 12 deletions(-)
>
> diff --git a/src/panel/AuthView.js b/src/panel/AuthView.js
> index 7bebf0d..2f777fc 100644
> --- a/src/panel/AuthView.js
> +++ b/src/panel/AuthView.js
> @@ -14,6 +14,8 @@ Ext.define('Proxmox.panel.AuthView', {
>
> baseUrl: '/access/domains',
> storeBaseUrl: '/access/domains',
> + enableRoleSelector: false,
> + roleSelector: 'displayfield',
meh, this "common" component really gets overly-specialized, would have been
probably much easier to maintain and flexible if we copied that over to PMG..
Anyhow, I'd favor changing the configuration for role-assignment, having just
a fixed one is IMO not really ideal, and as is the "autocreate-role" property
is confusing (no role gets autocreated) and not flexible enough.
I'd rather transform the backend into something like the diff below, maybe
skipping the from-claim for today as such a format then would be easy to
extend later anyway.
The UI component might be better off for now to get a generic extraColumn1/2
parameter to avoid having to add an over-specialized one for every product
specific feature (@Dominik, what do you think about that?).
----8<----
diff --git a/src/PMG/API2/OIDC.pm b/src/PMG/API2/OIDC.pm
index 92ff88d..f2cba60 100644
--- a/src/PMG/API2/OIDC.pm
+++ b/src/PMG/API2/OIDC.pm
@@ -204,7 +204,21 @@ __PACKAGE__->register_method ({
if (defined(my $family_name = $info->{'family_name'})) {
$entry->{lastname} = $family_name;
}
- $entry->{role} = $config->{'autocreate-role'} // 'audit';
+ $entry->{role} = 'audit'; # default
+ if (my $role_assignment_raw = $config->{'autocreate-role-assignment'}) {
+ my $role_assignment =
+ PVE::Plugin::Auth::OIDC::parse_autocreate_role_assignment($role_assignment_raw);
+
+ if ($role_assignment->{source} eq 'fixed') {
+ $entry->{role} = $role_assignment->{'fixed-role'};
+ } elsif ($role_assignment->{source} eq 'fixed') {
+ my $role_attr = $role_assignment->{'role-claim'};
+ $entry->{role} = $info->{$role_attr}
+ or die "required '$role_attr' role-claim attribute not found, cannot autocreate user\n";
+ } else {
+ die "unkown role assignment source '$role_assignment->{source}' - implement me";
+ }
+ }
$entry->{userid} = $username;
$entry->{username} = $unique_name;
$entry->{realm} = $realm;
diff --git a/src/PMG/Auth/OIDC.pm b/src/PMG/Auth/OIDC.pm
index 4129d47..26a1e3f 100755
--- a/src/PMG/Auth/OIDC.pm
+++ b/src/PMG/Auth/OIDC.pm
@@ -4,6 +4,8 @@ use strict;
use warnings;
use PVE::Tools;
+use PVE::JSONSchema qw(parse_property_string);
+
use PMG::Auth::Plugin;
use base qw(PMG::Auth::Plugin);
@@ -12,6 +14,44 @@ sub type {
return 'oidc';
}
+my $autocreate_role_assignment_format = {
+ source => {
+ type => 'string',
+ enum => ['fixed', 'from-claim'],
+ default => 'fixed',
+ description => "How the access role for a newly auto-created user should be selected.",
+ },
+ 'fixed-role' => {
+ type => 'string',
+ enum => ['admin', 'qmanager', 'audit', 'helpdesk'],
+ default => 'audit',
+ optional => 1,
+ description => "The fixed role that should be assigned to auto-created users.",
+ },
+ 'role-claim' => {
+ description => "OIDC claim used to assign the unique username.",
+ type => 'string',
+ default => 'role',
+ optional => 1,
+ pattern => qr/^[a-zA-Z0-9._:-]+$/,
+ },
+};
+
+
+sub parse_autocreate_role_assignment {
+ my ($raw) = @_;
+ return undef if !$raw or !length($raw);
+
+ my $role_assignment = parse_property_string($autocreate_role_assignment_format, $raw);
+ $role_assignment->{'fixed-role'} = 'audit'
+ if $role_assignment->{'source'} eq 'fixed' && !defined($role_assignment->{'fixed-role'});
+
+ $role_assignment->{'role-claim'} = 'role'
+ if $role_assignment->{'source'} eq 'from-clain' && !defined($role_assignment->{'role-claim'});
+
+ return $role_assignment;
+}
+
sub properties {
return {
'issuer-url' => {
@@ -39,11 +79,10 @@ sub properties {
type => 'boolean',
default => 0,
},
- 'autocreate-role' => {
- description => "Automatically create users with a specific role.",
- type => 'string',
- enum => ['admin', 'qmanager', 'audit', 'helpdesk'],
- default => 'audit',
+ 'autocreate-role-assignment' => {
+ description => "Defines which role should be assigned to auto-created users.",
+ type => 'string', format => $autocreate_role_assignment_format,
+ default => 'source=fixed,fixed-role=auditor',
optional => 1,
},
'username-claim' => {
@@ -84,7 +123,7 @@ sub options {
'client-id' => {},
'client-key' => { optional => 1 },
autocreate => { optional => 1 },
- 'autocreate-role' => { optional => 1 },
+ 'autocreate-role-assignment' => { optional => 1 },
'username-claim' => { optional => 1, fixed => 1 },
prompt => { optional => 1 },
scopes => { optional => 1 },
_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel