[pmg-devel] [PATCH widget-toolkit/pmg-api v1 0/2] add roleSelector for OIDC

public inbox for pmg-devel@lists.proxmox.com
 help / color / mirror / Atom feed

* [pmg-devel] [PATCH widget-toolkit/pmg-api v1 0/2] add roleSelector for OIDC
@ 2025-02-27  7:55 Markus Frank
  2025-02-27  7:55 ` [pmg-devel] [PATCH widget-toolkit v1 1/2] window: add optional autocreate-role selector to openid realm edit Markus Frank
  2025-02-27  7:55 ` [pmg-devel] [PATCH pmg-gui v1 2/2] realm: enable role selector for realm edit windows Markus Frank
  0 siblings, 2 replies; 4+ messages in thread
From: Markus Frank @ 2025-02-27  7:55 UTC (permalink / raw)
  To: pmg-devel

Add a role selector to allow setting the autocreate-role in the WebUI.

widget-toolkit:

Markus Frank (1):
  window: add optional autocreate-role selector to openid realm edit

 src/panel/AuthView.js        |  4 ++++
 src/window/AuthEditBase.js   |  6 ++++++
 src/window/AuthEditOpenId.js | 35 +++++++++++++++++++++++------------
 3 files changed, 33 insertions(+), 12 deletions(-)

pmg-gui

Markus Frank (1):
  realm: enable role selector for realm edit windows

 js/UserManagement.js | 2 ++
 1 file changed, 2 insertions(+)

-- 
2.39.5



_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel


^ permalink raw reply	[flat|nested] 4+ messages in thread

* [pmg-devel] [PATCH widget-toolkit v1 1/2] window: add optional autocreate-role selector to openid realm edit
  2025-02-27  7:55 [pmg-devel] [PATCH widget-toolkit/pmg-api v1 0/2] add roleSelector for OIDC Markus Frank
@ 2025-02-27  7:55 ` Markus Frank
  2025-02-27  8:46   ` Thomas Lamprecht
  2025-02-27  7:55 ` [pmg-devel] [PATCH pmg-gui v1 2/2] realm: enable role selector for realm edit windows Markus Frank
  1 sibling, 1 reply; 4+ messages in thread
From: Markus Frank @ 2025-02-27  7:55 UTC (permalink / raw)
  To: pmg-devel

The enableRoleSelector option enables the role selector, and
roleSelector can be overridden with a specific role selector such as
pmgRoleSelector (displayfield is used as a placeholder for the role
selector).

Signed-off-by: Markus Frank <m.frank@proxmox.com>
---
 src/panel/AuthView.js        |  4 ++++
 src/window/AuthEditBase.js   |  6 ++++++
 src/window/AuthEditOpenId.js | 35 +++++++++++++++++++++++------------
 3 files changed, 33 insertions(+), 12 deletions(-)

diff --git a/src/panel/AuthView.js b/src/panel/AuthView.js
index 7bebf0d..2f777fc 100644
--- a/src/panel/AuthView.js
+++ b/src/panel/AuthView.js
@@ -14,6 +14,8 @@ Ext.define('Proxmox.panel.AuthView', {
 
     baseUrl: '/access/domains',
     storeBaseUrl: '/access/domains',
+    enableRoleSelector: false,
+    roleSelector: 'displayfield',
 
     columns: [
 	{
@@ -54,6 +56,8 @@ Ext.define('Proxmox.panel.AuthView', {
 
 	Ext.create('Proxmox.window.AuthEditBase', {
 	    baseUrl: me.baseUrl,
+	    enableRoleSelector: me.enableRoleSelector,
+	    roleSelector: me.roleSelector,
 	    useTypeInUrl,
 	    onlineHelp,
 	    authType,
diff --git a/src/window/AuthEditBase.js b/src/window/AuthEditBase.js
index e044235..861d082 100644
--- a/src/window/AuthEditBase.js
+++ b/src/window/AuthEditBase.js
@@ -12,6 +12,8 @@ Ext.define('Proxmox.window.AuthEditBase', {
 
     baseurl: '/access/domains',
     useTypeInUrl: false,
+    enableRoleSelector: false,
+    roleSelector: 'displayfield',
 
     initComponent: function() {
 	var me = this;
@@ -53,6 +55,8 @@ Ext.define('Proxmox.window.AuthEditBase', {
 			title: gettext('General'),
 			realm: me.realm,
 			xtype: authConfig.ipanel,
+			enableRoleSelector: me.enableRoleSelector,
+			roleSelector: me.roleSelector,
 			isCreate: me.isCreate,
 			useTypeInUrl: me.useTypeInUrl,
 			type: me.authType,
@@ -71,6 +75,8 @@ Ext.define('Proxmox.window.AuthEditBase', {
 	    items = [{
 		realm: me.realm,
 		xtype: authConfig.ipanel,
+		enableRoleSelector: me.enableRoleSelector,
+		roleSelector: me.roleSelector,
 		isCreate: me.isCreate,
 		useTypeInUrl: me.useTypeInUrl,
 		type: me.authType,
diff --git a/src/window/AuthEditOpenId.js b/src/window/AuthEditOpenId.js
index ed0a6dc..3610c71 100644
--- a/src/window/AuthEditOpenId.js
+++ b/src/window/AuthEditOpenId.js
@@ -66,18 +66,6 @@ Ext.define('Proxmox.panel.OpenIDInputPanel', {
 	    },
 	    name: 'client-key',
 	},
-    ],
-
-    column2: [
-	{
-	    xtype: 'proxmoxcheckbox',
-	    fieldLabel: gettext('Autocreate Users'),
-	    name: 'autocreate',
-	    value: 0,
-	    cbind: {
-		deleteEmpty: '{!isCreate}',
-	    },
-	},
 	{
 	    xtype: 'pmxDisplayEditField',
 	    name: 'username-claim',
@@ -98,6 +86,29 @@ Ext.define('Proxmox.panel.OpenIDInputPanel', {
 		editable: '{isCreate}',
 	    },
 	},
+    ],
+
+    column2: [
+	{
+	    xtype: 'proxmoxcheckbox',
+	    fieldLabel: gettext('Autocreate Users'),
+	    name: 'autocreate',
+	    value: 0,
+	    cbind: {
+		deleteEmpty: '{!isCreate}',
+	    },
+	},
+	{
+	    name: 'autocreate-role',
+	    allowBlank: true,
+	    deleteEmpty: false,
+	    fieldLabel: gettext('Autocreate Role'),
+	    cbind: {
+		xtype: '{roleSelector}',
+		disabled: '{!enableRoleSelector}',
+		hidden: '{!enableRoleSelector}',
+	    },
+	},
 	{
 	    xtype: 'proxmoxtextfield',
 	    name: 'scopes',
-- 
2.39.5



_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [pmg-devel] [PATCH widget-toolkit v1 1/2] window: add optional autocreate-role selector to openid realm edit
  2025-02-27  7:55 ` [pmg-devel] [PATCH widget-toolkit v1 1/2] window: add optional autocreate-role selector to openid realm edit Markus Frank
@ 2025-02-27  8:46   ` Thomas Lamprecht
  0 siblings, 0 replies; 4+ messages in thread
From: Thomas Lamprecht @ 2025-02-27  8:46 UTC (permalink / raw)
  To: Markus Frank, pmg-devel

Am 27.02.25 um 08:55 schrieb Markus Frank:
> The enableRoleSelector option enables the role selector, and
> roleSelector can be overridden with a specific role selector such as
> pmgRoleSelector (displayfield is used as a placeholder for the role
> selector).
> 
> Signed-off-by: Markus Frank <m.frank@proxmox.com>
> ---
>  src/panel/AuthView.js        |  4 ++++
>  src/window/AuthEditBase.js   |  6 ++++++
>  src/window/AuthEditOpenId.js | 35 +++++++++++++++++++++++------------
>  3 files changed, 33 insertions(+), 12 deletions(-)
> 
> diff --git a/src/panel/AuthView.js b/src/panel/AuthView.js
> index 7bebf0d..2f777fc 100644
> --- a/src/panel/AuthView.js
> +++ b/src/panel/AuthView.js
> @@ -14,6 +14,8 @@ Ext.define('Proxmox.panel.AuthView', {
>  
>      baseUrl: '/access/domains',
>      storeBaseUrl: '/access/domains',
> +    enableRoleSelector: false,
> +    roleSelector: 'displayfield',

meh, this "common" component really gets overly-specialized, would have been
probably much easier to maintain and flexible if we copied that over to PMG..

Anyhow, I'd favor changing the configuration for role-assignment, having just
a fixed one is IMO not really ideal, and as is the "autocreate-role" property
is confusing (no role gets autocreated) and not flexible enough.

I'd rather transform the backend into something like the diff below, maybe
skipping the from-claim for today as such a format then would be easy to
extend later anyway.

The UI component might be better off for now to get a generic extraColumn1/2
parameter to avoid having to add an over-specialized one for every product
specific feature (@Dominik, what do you think about that?).

----8<----
diff --git a/src/PMG/API2/OIDC.pm b/src/PMG/API2/OIDC.pm
index 92ff88d..f2cba60 100644
--- a/src/PMG/API2/OIDC.pm
+++ b/src/PMG/API2/OIDC.pm
@@ -204,7 +204,21 @@ __PACKAGE__->register_method ({
                    if (defined(my $family_name = $info->{'family_name'})) {
                        $entry->{lastname} = $family_name;
                    }
-                   $entry->{role} = $config->{'autocreate-role'} // 'audit';
+                   $entry->{role} = 'audit'; # default
+                   if (my $role_assignment_raw = $config->{'autocreate-role-assignment'}) {
+                       my $role_assignment =
+                           PVE::Plugin::Auth::OIDC::parse_autocreate_role_assignment($role_assignment_raw);
+
+                       if ($role_assignment->{source} eq 'fixed') {
+                           $entry->{role} = $role_assignment->{'fixed-role'};
+                       } elsif ($role_assignment->{source} eq 'fixed') {
+                           my $role_attr = $role_assignment->{'role-claim'};
+                           $entry->{role} = $info->{$role_attr}
+                               or die "required '$role_attr' role-claim attribute not found, cannot autocreate user\n";
+                       } else {
+                           die "unkown role assignment source '$role_assignment->{source}' - implement me";
+                       }
+                   }
                    $entry->{userid} = $username;
                    $entry->{username} = $unique_name;
                    $entry->{realm} = $realm;
diff --git a/src/PMG/Auth/OIDC.pm b/src/PMG/Auth/OIDC.pm
index 4129d47..26a1e3f 100755
--- a/src/PMG/Auth/OIDC.pm
+++ b/src/PMG/Auth/OIDC.pm
@@ -4,6 +4,8 @@ use strict;
 use warnings;
 
 use PVE::Tools;
+use PVE::JSONSchema qw(parse_property_string);
+
 use PMG::Auth::Plugin;
 
 use base qw(PMG::Auth::Plugin);
@@ -12,6 +14,44 @@ sub type {
     return 'oidc';
 }
 
+my $autocreate_role_assignment_format = {
+    source => {
+       type => 'string',
+       enum => ['fixed', 'from-claim'],
+       default => 'fixed',
+       description => "How the access role for a newly auto-created user should be selected.",
+    },
+    'fixed-role' => {
+       type => 'string',
+       enum => ['admin', 'qmanager', 'audit', 'helpdesk'],
+       default => 'audit',
+       optional => 1,
+       description => "The fixed role that should be assigned to auto-created users.",
+    },
+    'role-claim' => {
+       description => "OIDC claim used to assign the unique username.",
+       type => 'string',
+       default => 'role',
+       optional => 1,
+       pattern => qr/^[a-zA-Z0-9._:-]+$/,
+    },
+};
+
+
+sub parse_autocreate_role_assignment {
+    my ($raw) = @_;
+    return undef if !$raw or !length($raw);
+
+    my $role_assignment = parse_property_string($autocreate_role_assignment_format, $raw);
+    $role_assignment->{'fixed-role'} = 'audit'
+       if $role_assignment->{'source'} eq 'fixed' && !defined($role_assignment->{'fixed-role'});
+
+    $role_assignment->{'role-claim'} = 'role'
+       if $role_assignment->{'source'} eq 'from-clain' && !defined($role_assignment->{'role-claim'});
+
+    return $role_assignment;
+}
+
 sub properties {
     return {
        'issuer-url' => {
@@ -39,11 +79,10 @@ sub properties {
            type => 'boolean',
            default => 0,
        },
-       'autocreate-role' => {
-           description => "Automatically create users with a specific role.",
-           type => 'string',
-           enum => ['admin', 'qmanager', 'audit', 'helpdesk'],
-           default => 'audit',
+       'autocreate-role-assignment' => {
+           description => "Defines which role should be assigned to auto-created users.",
+           type => 'string', format => $autocreate_role_assignment_format,
+           default => 'source=fixed,fixed-role=auditor',
            optional => 1,
        },
        'username-claim' => {
@@ -84,7 +123,7 @@ sub options {
        'client-id' => {},
        'client-key' => { optional => 1 },
        autocreate => { optional => 1 },
-       'autocreate-role' => { optional => 1 },
+       'autocreate-role-assignment' => { optional => 1 },
        'username-claim' => { optional => 1, fixed => 1 },
        prompt => { optional => 1 },
        scopes => { optional => 1 },


_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel


^ permalink raw reply	[flat|nested] 4+ messages in thread

* [pmg-devel] [PATCH pmg-gui v1 2/2] realm: enable role selector for realm edit windows
  2025-02-27  7:55 [pmg-devel] [PATCH widget-toolkit/pmg-api v1 0/2] add roleSelector for OIDC Markus Frank
  2025-02-27  7:55 ` [pmg-devel] [PATCH widget-toolkit v1 1/2] window: add optional autocreate-role selector to openid realm edit Markus Frank
@ 2025-02-27  7:55 ` Markus Frank
  1 sibling, 0 replies; 4+ messages in thread
From: Markus Frank @ 2025-02-27  7:55 UTC (permalink / raw)
  To: pmg-devel

Signed-off-by: Markus Frank <m.frank@proxmox.com>
---
 js/UserManagement.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/js/UserManagement.js b/js/UserManagement.js
index f6ada1b..9cf17c6 100644
--- a/js/UserManagement.js
+++ b/js/UserManagement.js
@@ -40,6 +40,8 @@ Ext.define('PMG.UserManagement', {
 	    itemId: 'realms',
 	    baseUrl: '/access/auth-realm',
 	    storeBaseUrl: '/access/auth-realm',
+	    enableRoleSelector: true,
+	    roleSelector: 'pmgRoleSelector',
 	    iconCls: 'fa fa-address-book-o',
 	},
     ],
-- 
2.39.5



_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2025-02-27  8:47 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-02-27  7:55 [pmg-devel] [PATCH widget-toolkit/pmg-api v1 0/2] add roleSelector for OIDC Markus Frank
2025-02-27  7:55 ` [pmg-devel] [PATCH widget-toolkit v1 1/2] window: add optional autocreate-role selector to openid realm edit Markus Frank
2025-02-27  8:46   ` Thomas Lamprecht
2025-02-27  7:55 ` [pmg-devel] [PATCH pmg-gui v1 2/2] realm: enable role selector for realm edit windows Markus Frank

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox

Service provided by Proxmox Server Solutions GmbH | Privacy | Legal