From: Dietmar Maurer <dietmar@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH pve-access-control v2 2/5] add OpenId configuration
Date: Wed, 30 Jun 2021 08:10:04 +0200 [thread overview]
Message-ID: <20210630061007.3345396-3-dietmar@proxmox.com> (raw)
In-Reply-To: <20210630061007.3345396-1-dietmar@proxmox.com>
---
src/PVE/AccessControl.pm | 2 ++
src/PVE/Auth/Makefile | 3 +-
src/PVE/Auth/OpenId.pm | 68 ++++++++++++++++++++++++++++++++++++++++
3 files changed, 72 insertions(+), 1 deletion(-)
create mode 100755 src/PVE/Auth/OpenId.pm
diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index 8628678..3d8d01c 100644
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -24,6 +24,7 @@ use PVE::Auth::AD;
use PVE::Auth::LDAP;
use PVE::Auth::PVE;
use PVE::Auth::PAM;
+use PVE::Auth::OpenId;
# load and initialize all plugins
@@ -31,6 +32,7 @@ PVE::Auth::AD->register();
PVE::Auth::LDAP->register();
PVE::Auth::PVE->register();
PVE::Auth::PAM->register();
+PVE::Auth::OpenId->register();
PVE::Auth::Plugin->init();
# $authdir must be writable by root only!
diff --git a/src/PVE/Auth/Makefile b/src/PVE/Auth/Makefile
index 58ae362..be7bde3 100644
--- a/src/PVE/Auth/Makefile
+++ b/src/PVE/Auth/Makefile
@@ -4,7 +4,8 @@ AUTH_SOURCES= \
PVE.pm \
PAM.pm \
AD.pm \
- LDAP.pm
+ LDAP.pm \
+ OpenId.pm
.PHONY: install
install:
diff --git a/src/PVE/Auth/OpenId.pm b/src/PVE/Auth/OpenId.pm
new file mode 100755
index 0000000..515d2f4
--- /dev/null
+++ b/src/PVE/Auth/OpenId.pm
@@ -0,0 +1,68 @@
+package PVE::Auth::OpenId;
+
+use strict;
+use warnings;
+
+use PVE::Tools;
+use PVE::Auth::Plugin;
+use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file);
+
+use base qw(PVE::Auth::Plugin);
+
+sub type {
+ return 'openid';
+}
+
+sub properties {
+ return {
+ "issuer-url" => {
+ description => "OpenID Issuer Url",
+ type => 'string',
+ maxLength => 256,
+ },
+ "client-id" => {
+ description => "OpenID Client ID",
+ type => 'string',
+ maxLength => 256,
+ },
+ "client-key" => {
+ description => "OpenID Client Key",
+ type => 'string',
+ optional => 1,
+ maxLength => 256,
+ },
+ autocreate => {
+ description => "Automatically create users if they do not exist.",
+ optional => 1,
+ type => 'boolean',
+ default => 0,
+ },
+ "username-claim" => {
+ description => "OpenID claim used to generate the unique username.",
+ type => 'string',
+ enum => ['subject', 'username', 'email'],
+ optional => 1,
+ },
+ };
+}
+
+sub options {
+ return {
+ "issuer-url" => {},
+ "client-id" => {},
+ "client-key" => { optional => 1 },
+ autocreate => { optional => 1 },
+ "username-claim" => { optional => 1, fixed => 1 },
+ default => { optional => 1 },
+ comment => { optional => 1 },
+ };
+}
+
+sub authenticate_user {
+ my ($class, $config, $realm, $username, $password) = @_;
+
+ die "OpenID realm does not allow password verification.\n";
+}
+
+
+1;
--
2.30.2
next prev parent reply other threads:[~2021-06-30 6:10 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-30 6:10 [pve-devel] [PATCH pve-access-control v2 0/5] add OpenId realms Dietmar Maurer
2021-06-30 6:10 ` [pve-devel] [PATCH pve-access-control v2 1/5] check_user_enabled: also check if user is expired Dietmar Maurer
2021-06-30 7:28 ` Fabian Grünbichler
2021-06-30 6:10 ` Dietmar Maurer [this message]
2021-06-30 6:10 ` [pve-devel] [PATCH pve-access-control v2 3/5] depend on libpve-rs-perl Dietmar Maurer
2021-06-30 6:10 ` [pve-devel] [PATCH pve-access-control v2 4/5] api: implement openid API Dietmar Maurer
2021-06-30 6:10 ` [pve-devel] [PATCH pve-access-control v2 5/5] implement OpenID autocreate user feature Dietmar Maurer
2021-07-01 11:38 ` [pve-devel] applied: [PATCH pve-access-control v2 0/5] add OpenId realms Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210630061007.3345396-3-dietmar@proxmox.com \
--to=dietmar@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox