From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id CBBFC71727 for ; Tue, 29 Jun 2021 10:13:48 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id B081DB151 for ; Tue, 29 Jun 2021 10:13:18 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 9FBC0B131 for ; Tue, 29 Jun 2021 10:13:17 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 6EA3A43015 for ; Tue, 29 Jun 2021 10:13:11 +0200 (CEST) Date: Tue, 29 Jun 2021 10:13:03 +0200 From: Fabian =?iso-8859-1?q?Gr=FCnbichler?= To: Proxmox VE development discussion References: <20210624081802.2090614-1-dietmar@proxmox.com> <20210624081802.2090614-2-dietmar@proxmox.com> In-Reply-To: <20210624081802.2090614-2-dietmar@proxmox.com> MIME-Version: 1.0 User-Agent: astroid/0.15.0 (https://github.com/astroidmail/astroid) Message-Id: <1624954307.zu1un8wckr.astroid@nora.none> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-SPAM-LEVEL: Spam detection results: 0 AWL 0.564 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment PROLO_LEO2 0.1 Meta Catches all Leo drug variations so far SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [httpserver.pm, proxmox.com] Subject: Re: [pve-devel] [PATCH pve-manager] ui: implement OpenId login X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 29 Jun 2021 08:13:48 -0000 not directly related to this patch - we should probably disable TFA for openid realms (and their users), since TFA would need to be handled at the openid provider in that case.. e.g., if I login via openid and then hit TFA in the top right corner user menu, I get prompted for a password to setup TFA which is of course not possible ;) On June 24, 2021 10:17 am, Dietmar Maurer wrote: > --- > PVE/HTTPServer.pm | 4 +- > www/manager6/Utils.js | 8 +++ > www/manager6/window/LoginWindow.js | 105 ++++++++++++++++++++++++++++- > 3 files changed, 114 insertions(+), 3 deletions(-) >=20 > diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm > index 636b562b..dabdf7f3 100755 > --- a/PVE/HTTPServer.pm > +++ b/PVE/HTTPServer.pm 
> @@ -68,7 +68,9 @@ sub auth_handler {
> =20
> # explicitly allow some calls without auth
> if (($rel_uri eq '/access/domains' && $method eq 'GET') ||
> - ($rel_uri eq '/access/ticket' && ($method eq 'GET' || $method eq 'POST'= ))) {
> + ($rel_uri eq '/access/ticket' && ($method eq 'GET' || $method eq 'POST'= )) ||
> + ($rel_uri eq '/access/openid/login' && $method eq 'POST') ||
> + ($rel_uri eq '/access/openid/auth-url' && $method eq 'POST')) {
> $require_auth =3D 0;
> }
> =20
> diff --git a/www/manager6/Utils.js b/www/manager6/Utils.js
> index 3415c9eb..c2d139f9 100644
> --- a/www/manager6/Utils.js
> +++ b/www/manager6/Utils.js
> @@ -1742,6 +1742,14 @@ Ext.define('PVE.Utils', {
> =20
> return true;
> },
> +
> + openid_login_param: function() {
> + let param =3D Ext.Object.fromQueryString(window.location.search);
> + if (param.state !=3D=3D undefined && param.code !=3D=3D undefined) {
> + return param;
> + }
> + return undefined;
> + },
> },
> =20
> singleton: true,
> diff --git a/www/manager6/window/LoginWindow.js b/www/manager6/window/Log= inWindow.js
> index 72078080..5d3d06b8 100644
> --- a/www/manager6/window/LoginWindow.js
> +++ b/www/manager6/window/LoginWindow.js
> @@ -2,6 +2,21 @@
> Ext.define('PVE.window.LoginWindow', {
> extend: 'Ext.window.Window',
> =20
> + viewModel: {
> + data: {
> + openid: false,
> + },
> + formulas: {
> + button_text: function(get) {
> + if (get("openid") =3D=3D=3D true) {
> + return gettext("Login (OpenID redirect)");
> + } else {
> + return gettext("Login");
> + }
> + },
> + },
> + },
> +
> controller: {
> =20
> xclass: 'Ext.app.ViewController',
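Review bot: The two new `/access/openid/...` exemptions make `realm`, `redirect-url`, `state` and `code` (the parameters LoginWindow.js sends to these endpoints) unauthenticated input, and nothing in this patch shows the handlers checking them; presumably the server side validates `redirect-url` against the expected origin and binds `state` to that request, but the contract deserves a comment here. Something like `# OpenID endpoints run before a ticket exists; the handlers must validate realm, redirect-url and state themselves` above the condition would document why they join `/access/ticket` in this list. Since `/access/openid/login` completes a login the same way `/access/ticket` does, its failures should presumably get the same logging and rate limiting as password logins, which is not visible from this hunk. auth_handler continues outside the hunk.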
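Review bot: `openid_login_param` returns the whole parsed query string rather than the two values its caller uses, so any unrelated parameter on the URL travels along; returning `{ state: param.state, code: param.code }` keeps the contract explicit. If the provider follows the OAuth 2.0 error response format, a callback carrying `state` and `error` but no `code` makes this helper return `undefined`, so the provider's error is silently dropped and the normal login form appears; consider also recognising `param.error` so LoginWindow.js can show it. A JSDoc line such as `/** Returns the OpenID callback parameters (state, code) from the current URL, or undefined when this page load is not an OpenID redirect. */` would also help, since `Ext.Object.fromQueryString(window.location.search)` is the only hint of where the values come from.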
> @@ -18,6 +33,33 @@ Ext.define('PVE.window.LoginWindow', {
> return;
> }
> =20
> + let redirect_url =3D location.origin;
> + let params =3D form.getValues();
> +
> + if (this.getViewModel().data.openid =3D=3D=3D true) {
> + let realm =3D params.realm;
> + Proxmox.Utils.API2Request({
> + url: '/api2/extjs/access/openid/auth-url',
> + params: {
> + realm: realm,
> + "redirect-url": redirect_url,
> + },
> + method: 'POST',
> + success: function(resp, opts) {
> + window.location =3D resp.result.data;
> + },
> + failure: function(resp, opts) {
> + Proxmox.Utils.authClear();
> + form.unmask();
> + Ext.MessageBox.alert(
> + gettext('Error'),
> + gettext('OpenId redirect failed. Please try again
Error: ' + r= esp.htmlStatus),
> + );
> + },
> + });
> + return;
> + }
> +
> view.el.mask(gettext('Please wait...'), 'x-mask-loading');
> =20
> // set or clear username
> @@ -162,11 +204,21 @@ Ext.define('PVE.window.LoginWindow', {
> window.location.reload();
> },
> },
> - 'button[reference=3DloginButton]': {
> + 'field[name=3Drealm]': {
> + change: function(f, value) {
> + let record =3D f.store.getById(value);
> + if (record =3D=3D=3D undefined) return;
> + let data =3D record.data;
> + this.getViewModel().set("openid", data.type =3D=3D=3D "openid");
> + },
> + },
> + 'button[reference=3DloginButton]': {
> click: 'onLogon',
> },
> '#': {
> show: function() {
> + var me =3D this;
> +
> var sp =3D Ext.state.Manager.getProvider();
> var checkboxField =3D this.lookupReference('saveunField');
> var unField =3D this.lookupReference('usernameField');
> @@ -180,6 +232,42 @@ Ext.define('PVE.window.LoginWindow', {
> var pwField =3D this.lookupReference('passwordField');
> pwField.focus();
> }
> +
> + let param =3D PVE.Utils.openid_login_param();
> + if (param !=3D=3D undefined) {
> + Proxmox.Utils.authClear();
> +
> + let loginForm =3D this.lookupReference('loginForm');
> + loginForm.mask(gettext('OpenID login - please wait...'), 'x-mask-load= ing');
> +
> + let redirect_url =3D location.origin;
> +
> + Proxmox.Utils.API2Request({
> + url: '/api2/extjs/access/openid/login',
> + params: {
> + state: param.state,
> + code: param.code,
> + "redirect-url": redirect_url,
> + },
> + method: 'POST',
> + failure: function(response) {
> + loginForm.unmask();
> + Ext.MessageBox.alert(
> + gettext('Error'),
> + gettext('Login failed. Please try again
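Review bot: In the new failure handler `resp.htmlStatus` is concatenated inside the `gettext()` argument, so the lookup key is never the static catalogue string and the message can never be translated; concatenate outside the call, `gettext('OpenId redirect failed. Please try again') + ... + 'Error: ' + resp.htmlStatus` (keeping whatever separator currently precedes `Error:`), and the same applies to `response.htmlStatus` in the `show` handler's failure callback later in this patch. The OpenID branch calls `form.unmask()` on failure but returns before the `view.el.mask(...)` context line, so unless onLogon masks the form earlier (its start is outside the hunk) nothing is masked during the auth-url request and a second click can issue a second request; a `form.mask(gettext('Please wait...'), 'x-mask-loading');` before `Proxmox.Utils.API2Request` would match the password path. The `opts` parameters of both new callbacks are unused and could be dropped.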
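Review bot: `Ext.data.Store#getById` returns `null` for an unknown id, so the guard `if (record === undefined) return;` never fires and `record.data` throws whenever the combo box holds a value with no matching record (presumably possible while the realm store is still loading); use `if (!record) return;` or `if (record == null) return;`. The new `var me = this;` in the `show` handler reintroduces `var` into code that otherwise uses `let`; `const me = this;` keeps the style consistent. The `show` handler continues past the end of the hunk.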
Error: ' + response.h= tmlStatus),
> + function() {
> + window.location =3D redirect_url;
> + },
> + );
> + },
> + success: function(response, options) {
> + loginForm.unmask();
> + let data =3D response.result.data;
> + history.replaceState(null, '', redirect_url);
> + me.success(data);
> + },
> + });
> + }
> },
> },
> },
> @@ -217,6 +305,10 @@ Ext.define('PVE.window.LoginWindow', {
> itemId: 'usernameField',
> reference: 'usernameField',
> stateId: 'login-username',
> + bind: {
> + visible: "{!openid}",
> + disabled: "{openid}",
> + },
> },
> {
> xtype: 'textfield',
> @@ -224,6 +316,10 @@ Ext.define('PVE.window.LoginWindow', {
> fieldLabel: gettext('Password'),
> name: 'password',
> reference: 'passwordField',
> + bind: {
> + visible: "{!openid}",
> + disabled: "{openid}",
> + },
> },
> {
> xtype: 'pmxRealmComboBox',
> @@ -248,9 +344,14 @@ Ext.define('PVE.window.LoginWindow', {
> labelWidth: 250,
> labelAlign: 'right',
> submitValue: false,
> + bind: {
> + visible: "{!openid}",
> + },
> },
> {
> - text: gettext('Login'),
> + bind: {
> + text: "{button_text}",
> + },
> reference: 'loginButton',
> },
> ],
> --=20
> 2.30.2
>=20
>=20
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>=20
>=20
>=20
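Review bot: `Proxmox.Utils.authClear()` runs as soon as `state` and `code` appear in the URL, before the server has validated anything, so any page load carrying those two parameters drops an existing session and a failed exchange leaves the user logged out; unless the clear is needed so that `API2Request` does not send a stale CSRF token to the pre-auth endpoint (not visible here), moving it into the `success` callback just before `me.success(data)` would be safer. The `success` callback dereferences `response.result.data` without a check; mirroring whatever guard the password path applies to the same structure would avoid an exception that leaves `loginForm` unmasked with no message. The block also repeats `let redirect_url = location.origin;` from onLogon; a single controller helper would keep the two in sync. The `show` handler begins outside the hunk.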