From: Julien BLAIS
To: pve-devel@lists.proxmox.com
Cc: Julien BLAIS
Date: Thu, 27 May 2021 23:55:14 +0200
Message-Id: <20210527215511.28243-4-webmaster@jbsky.fr>
In-Reply-To: <20210527215511.28243-1-webmaster@jbsky.fr>
References: <20210527215511.28243-1-webmaster@jbsky.fr>
Subject: [pve-devel] [PATCH container] [PATCH pve-manager] SSO feature: login with SAMLv2
List-Id: Proxmox VE development discussion

Part allowing to add a SAML authentication

Adding the rule that the endpoint /access/saml does not need authentication

Signed-off-by: Julien BLAIS
--- PVE/HTTPServer.pm | 3 +- www/manager6/Makefile | 1 + www/manager6/Utils.js | 5 +++ www/manager6/dc/AuthEditSAML.js | 65 +++++++++++++++++++++++++++++++++ 4 files changed, 73 insertions(+), 1 deletion(-) create mode 100644 www/manager6/dc/AuthEditSAML.js diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm index 636b562b..3e64943a 100755 --- a/PVE/HTTPServer.pm +++ b/PVE/HTTPServer.pm @@ -68,7 +68,8 @@ sub auth_handler { # explicitly allow some calls without auth if (($rel_uri eq '/access/domains' && $method eq 'GET') || - ($rel_uri eq '/access/ticket' && ($method eq 'GET' || $method eq 'POST'))) { + ($rel_uri eq '/access/ticket' && ($method eq 'GET' || $method eq 'POST')) || + ($rel_uri eq '/access/saml' && $method eq 'GET' )) { $require_auth = 0; } diff --git a/www/manager6/Makefile b/www/manager6/Makefile index 506b5a4e..fc89215e 100644 
--- a/www/manager6/Makefile +++ b/www/manager6/Makefile @@ -119,6 +119,7 @@ JSSRC= \ dc/AuthEditBase.js \ dc/AuthEditAD.js \ dc/AuthEditLDAP.js \ + dc/AuthEditSAML.js \ dc/AuthView.js \ dc/Backup.js \ dc/Cluster.js \ diff --git a/www/manager6/Utils.js b/www/manager6/Utils.js index d9567979..600b81e9 100644 --- a/www/manager6/Utils.js +++ b/www/manager6/Utils.js @@ -740,6 +740,11 @@ Ext.define('PVE.Utils', { syncipanel: 'pveAuthLDAPSyncPanel', add: true, }, + saml: { + name: gettext('SAMLv2'), + ipanel: 'pveAuthSAMLPanel', + add: true, + }, pam: { name: 'Linux PAM', ipanel: 'pveAuthBasePanel', diff --git a/www/manager6/dc/AuthEditSAML.js b/www/manager6/dc/AuthEditSAML.js new file mode 100644 index 00000000..3794bccd --- /dev/null +++ b/www/manager6/dc/AuthEditSAML.js 
@@ -0,0 +1,65 @@ +Ext.define('PVE.panel.SAMLInputPanel', { + extend: 'PVE.panel.AuthBase', + xtype: 'pveAuthSAMLPanel', + + initComponent: function() { + let me = this; + + if (me.type !== 'saml') { + throw 'invalid type'; + } + + me.column1 = [ + { + xtype: 'textfield', + name: 'Identity_Provider_Entity_ID', + fieldLabel: gettext('IdP Entity ID'), + emptyText: '', + allowBlank: false, + }, + { + xtype: 'textfield', + name: 'Identity_Provider_Url_Metadata', + emptyText: '', + fieldLabel: gettext('IdP Url Metadata'), + allowBlank: true, + }, + { + name: 'Identity_Provider_x509_CA_Certificate', + emptyText: '', + fieldLabel: gettext('IdP x509 CA Certificate'), + allowBlank: true, + xtype: 'textarea', + }, + ]; + + me.column2 = [ + { + xtype: 'textfield', + fieldLabel: gettext('SP Entity ID'), + allowBlank: false, + name: 'Service_Provider_Entity_ID', + }, + { + xtype: 'textarea', + fieldLabel: gettext('SP Private key'), + allowBlank: true, + name: 'Service_Provider_Private_Key', + } + ]; + + me.callParent(); + }, + onGetValues: function(values) { + let me = this; + + if (!values.verify) { + if (!me.isCreate) { + Proxmox.Utils.assemble_field_data(values, { 'delete': 'verify' }); + } + delete values.verify; + } + + return me.callParent([values]); + }, +}); -- 2.20.1
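Review bot: the auth_handler change in PVE/HTTPServer.pm exempts only GET on /access/saml from the ticket check, while the commit message says the endpoint "does not need authentication" without qualifying the method; either the message should say GET-only, or, if the same path is also meant to receive the IdP's response (which is commonly delivered by HTTP POST), POST must be listed the way the /access/ticket line lists both methods. Because every response from the handler behind that exact $rel_uri is now served to unauthenticated clients, the commit message should also say what the GET handler returns so the exemption can be reviewed against it. Minor style point: drop the stray space in `$method eq 'GET' )`.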
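Review bot: in the www/manager6/Utils.js hunk, `gettext('SAMLv2')` wraps a protocol name that has no translation; the neighbouring `pam` entry uses the plain string `'Linux PAM'` for the same reason, so `name: 'SAMLv2'` would be consistent with it.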
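Review bot: onGetValues in www/manager6/dc/AuthEditSAML.js handles a `verify` value (deleting it from `values` and, on edit, adding `'delete': 'verify'`), but neither column1 nor column2 defines a field named `verify`, so the override is dead code that looks carried over from the LDAP panel; add the matching checkbox or remove the override. Style: the last object in column2 lacks the trailing comma that column1 and the rest of the file use (`name: 'Service_Provider_Private_Key',` is followed by `}` then `];`), the `emptyText: ''` entries are no-ops and can be dropped, and the mixed-case option names (`Identity_Provider_Entity_ID`, `Service_Provider_Private_Key`, ...) are unusual for realm options and worth aligning with the lowercase names used elsewhere. The `SP Private key` textarea submits private key material as an ordinary form field; the server-side schema for that option should mark it as sensitive rather than treating it like any other realm setting.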