From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Wed, 9 Oct 2024 13:30:19 +0200
From: Christoph Heiss
To: Markus Frank
Message-ID:
References: <20240624090850.4683-1-m.frank@proxmox.com>
In-Reply-To: <20240624090850.4683-1-m.frank@proxmox.com>
Subject: Re: [pmg-devel] [PATCH pve-common/proxmox-perl-rs/pmg-api/pmg-gui v3 0/8] fix #3892: OpenID
List-Id: Proxmox Mail Gateway development discussion
Cc: pmg-devel@lists.proxmox.com

Just tested this series using Keycloak 26.0.0 as an OpenID provider.
Everything worked fine once it was set up for the OpenID side!
Login via OpenID worked, also tested the "Autocreate Users" feature (but
see below on that). The GUI dialog panel is from proxmox-widget-toolkit,
so nothing really new there.

I noticed however that there seems to be no dedicated PAM realm in the
login window, only "PMG authentication server" - but you can still login
with PAM credentials. These two should be real separate realms, much
like we have it for PVE/PBS.

Also, when using the "Autocreate Users" feature - should the (PMG) role
assigned to the user maybe be configurable? Since it currently just
defaults to Auditor, as it seems. (Or am I missing something?)

Lastly, patches #2 and #3 need to be rebased on the latest master of
proxmox-perl-rs, they failed to apply (resolved that manually myself to
test them out for now). All other patches in this series apply cleanly
on their respective master.

Didn't really have a look at the code yet, so might do some reviews on
that too.

On Mon, Jun 24, 2024 at 11:08:42AM GMT, Markus Frank wrote:
> Patch-series to enable OpenID Login for PMG
>
> apply/compile order:
>
> 1. pve-common: add Schema package with auth module that contains realm sync options
> 2. proxmox-perl-rs: move openid code from pve-rs to common
> 3. proxmox-perl-rs: remove empty PMG::RS::OpenId package to avoid confusion
> 4. pmg-api: config: add plugin system for realms & add openid type realms
> 5. pmg-api: api: add/update/remove realms like in PVE
> 6. pmg-api: api: openid login similar to PVE
> 7. pmg-gui: login: add option to login with OpenID realm
> 8. pmg-gui: add panel for realms to User Management
>
>
> v3 changed only in proxmox-perl-rs and "pmg-api: api: openid login similar to PVE"
>
>
> pve-common:
>
> Markus Frank (1):
>   add Schema package with auth module that contains realm sync options
>
>  src/Makefile           |  2 ++
>  src/PVE/Schema/Auth.pm | 82 ++++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 84 insertions(+)
>  create mode 100644 src/PVE/Schema/Auth.pm
>
>
> proxmox-perl-rs:
>
> v3: removed PMG wrapper as Proxmox::RS::OpenId can be used instead.
>
> Markus Frank (2):
>   move openid code from pve-rs to common
>   remove empty PMG::RS::OpenId package to avoid confusion
>
>  common/pkg/Makefile      |  1 +
>  common/src/mod.rs        |  1 +
>  common/src/openid/mod.rs | 63 ++++++++++++++++++++++++++++++++++++++++
>  pmg-rs/Cargo.toml        |  1 +
>  pmg-rs/Makefile          |  1 -
>  pmg-rs/debian/control    |  1 +
>  pve-rs/src/openid/mod.rs | 32 +++++---------------
>  7 files changed, 75 insertions(+), 25 deletions(-)
>  create mode 100644 common/src/openid/mod.rs
>
>
> pmg-api:
>
> v3: use Proxmox::RS::OpenId instead of PMG::RS::OpenId
>
> Markus Frank (3):
>   config: add plugin system for realms & add openid type realms
>   api: add/update/remove realms like in PVE
>   api: openid login similar to PVE
>
>  src/Makefile                  |   5 +
>  src/PMG/API2/AccessControl.pm |  17 ++-
>  src/PMG/API2/Authdomains.pm   | 274 ++++++++++++++++++++++++++++++++++
>  src/PMG/API2/OIDC.pm          | 243 ++++++++++++++++++++++++++++++
>  src/PMG/AccessControl.pm      |  31 ++++
>  src/PMG/Auth/OIDC.pm          |  99 ++++++++++++
>  src/PMG/Auth/PMG.pm           |  28 ++++
>  src/PMG/Auth/Plugin.pm        | 193 ++++++++++++++++++++++++
>  src/PMG/HTTPServer.pm         |   2 +
>  src/PMG/RESTEnvironment.pm    |  14 ++
>  src/PMG/UserConfig.pm         |  25 ++--
>  src/PMG/Utils.pm              |  29 +++-
>  12 files changed, 943 insertions(+), 17 deletions(-)
>  create mode 100644 src/PMG/API2/Authdomains.pm
>  create mode 100644 src/PMG/API2/OIDC.pm
>  create mode 100755 src/PMG/Auth/OIDC.pm
>  create mode 100755 src/PMG/Auth/PMG.pm
>  create mode 100755 src/PMG/Auth/Plugin.pm
>
>
> pmg-gui:
>
> Markus Frank (2):
>   login: add OpenID realms
>   add panel for realms to User Management
>
>  js/LoginView.js      | 200 +++++++++++++++++++++++++++++++++----------
>  js/UserManagement.js |   6 ++
>  js/Utils.js          |  15 ++++
>  3 files changed, 174 insertions(+), 47 deletions(-)
>
> --
> 2.39.2
>
>
>
> _______________________________________________
> pmg-devel mailing list
> pmg-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
>