From: Fabian Grünbichler
To: Proxmox VE development discussion
Date: Tue, 29 Jun 2021 10:29:58 +0200
Subject: Re: [pve-devel] [PATCH pve-access-control 1/4] add OpenId configuration
Message-Id: <1624955370.o2p184qzjg.astroid@nora.none>
In-Reply-To: <20210624081802.2090614-1-dietmar@proxmox.com>
References: <20210624081802.2090614-1-dietmar@proxmox.com>
List-Id: Proxmox VE development discussion

On June 24, 2021 10:17 am, Dietmar Maurer wrote:
> --- > src/PVE/AccessControl.pm | 2 ++ > src/PVE/Auth/Makefile | 3 +- > src/PVE/Auth/OpenId.pm | 67 ++++++++++++++++++++++++++++++++++++++++ > 3 files changed, 71 insertions(+), 1 deletion(-) > create mode 100755 src/PVE/Auth/OpenId.pm >=20 > diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm > index 2569a35..8efb89d 100644 > --- a/src/PVE/AccessControl.pm > +++ b/src/PVE/AccessControl.pm > @@ -24,6 +24,7 @@ use PVE::Auth::AD; > use PVE::Auth::LDAP; > use PVE::Auth::PVE; > use PVE::Auth::PAM; > +use PVE::Auth::OpenId; > =20 > # load and initialize all plugins > =20 > @@ -31,6 +32,7 @@ PVE::Auth::AD->register(); > PVE::Auth::LDAP->register(); > PVE::Auth::PVE->register(); > PVE::Auth::PAM->register(); > +PVE::Auth::OpenId->register(); > PVE::Auth::Plugin->init(); > =20 > # $authdir must be writable by root only! > diff --git a/src/PVE/Auth/Makefile b/src/PVE/Auth/Makefile > index 58ae362..be7bde3 100644 > --- a/src/PVE/Auth/Makefile > +++ b/src/PVE/Auth/Makefile
> @@ -4,7 +4,8 @@ AUTH_SOURCES=3D \ > PVE.pm \ > PAM.pm \ > AD.pm \ > - LDAP.pm > + LDAP.pm \ > + OpenId.pm > =20 > .PHONY: install > install: > diff --git a/src/PVE/Auth/OpenId.pm b/src/PVE/Auth/OpenId.pm > new file mode 100755 > index 0000000..8f35575 > --- /dev/null > +++ b/src/PVE/Auth/OpenId.pm 
> @@ -0,0 +1,67 @@ > +package PVE::Auth::OpenId; > + > +use strict; > +use warnings; > + > +use PVE::Tools; > +use PVE::Auth::Plugin; > +use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_l= ock_file); > + > +use base qw(PVE::Auth::Plugin); > + > +sub type { > + return 'openid'; > +} > + > +sub properties { > + return { > + "issuer-url" =3D> { > + description =3D> "OpenID Issuer Url", > + type =3D> 'string', > + maxLength =3D> 256, > + }, > + "client-id" =3D> { > + description =3D> "OpenID Client ID", > + type =3D> 'string', > + maxLength =3D> 256, > + }, > + "client-key" =3D> { > + description =3D> "OpenID Client Key", > + type =3D> 'string', > + optional =3D> 1, > + maxLength =3D> 256, > + }, > + autocreate =3D> { > + description =3D> "Automatically create users if they do not exist.", > + optional =3D> 1, > + type =3D> 'boolean', > + default =3D> 0, > + }, > + "user-attr" =3D> { > + type =3D> 'string', > + enum =3D> ['subject', 'username', 'email'], > + optional =3D> 1, > + }, clashes with existing 'user_attr' for LDAP.. > + }; > +} > + > +sub options { > + return { > + "issuer-url" =3D> {}, > + "client-id" =3D> {}, > + "client-key" =3D> { optional =3D> 1 }, > + autocreate =3D> { optional =3D> 1 }, > + "user-attr" =3D> { optional =3D> 1, fixed =3D> 1 }, > + default =3D> { optional =3D> 1 }, > + comment =3D> { optional =3D> 1 }, > + }; > +} > + > +sub authenticate_user { > + my ($class, $config, $realm, $username, $password) =3D @_; > + > + die "OpenID realm does not allow password verification.\n"; > +} > + > + > +1; > --=20 > 2.30.2 >=20 >=20 > _______________________________________________ > pve-devel mailing list > pve-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel >=20 >=20 >=20
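Review bot: in the OpenId.pm hunk, `issuer-url` is declared as a plain `type => 'string'` with only `maxLength => 256`, although it is the value the realm will trust for OpenID discovery; constrain it to an absolute https URL (a `pattern`, or a dedicated format if one exists) so that a realm cannot be created with a plain-http or non-URL issuer. Two related points in the same hunk: `client-key` is the client secret, so its description "OpenID Client Key" should say so, and any API path that returns the realm config needs to treat it like the other secrets in the config rather than as an ordinary string; and `user-attr` has neither a `description` nor a `default` even though it is `fixed => 1` in `options`, so the choice cannot be corrected after the realm is created. OpenID Connect only guarantees that `sub` is unique and never reassigned within an issuer, while `username` and `email` can change or be reused, so document `subject` as the default and warn that the other two tie a PVE user to a mutable claim; this matters all the more with `autocreate` enabled, where whatever identity the issuer asserts becomes a PVE user (keeping its default at 0 is right). Smaller items: `PVE::Tools` and the `cfs_*` functions imported from `PVE::Cluster` are unused in this file (that import is also what got wrapped as `cfs_l= ock_file` in the mail), and the new file is added with mode 100755 although it is a module that is only ever `use`d, so 100644 would be the expected mode.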