From: Thomas Skinner <thomas@atskinner.net>
To: pve-devel@lists.proxmox.com
Cc: Thomas Skinner <thomas@atskinner.net>
Subject: [pve-devel] [PATCH access-control 1/1] fix #4411: openid: add logic for openid groups support
Date: Sun, 1 Sep 2024 11:55:11 -0500 [thread overview]
Message-ID: <20240901165512.687801-4-thomas@atskinner.net> (raw)
In-Reply-To: <20240901165512.687801-1-thomas@atskinner.net>
Signed-off-by: Thomas Skinner <thomas@atskinner.net>
---
src/PVE/API2/OpenId.pm | 32 ++++++++++++++++++++++++++++++++
src/PVE/Auth/OpenId.pm | 21 +++++++++++++++++++++
2 files changed, 53 insertions(+)
diff --git a/src/PVE/API2/OpenId.pm b/src/PVE/API2/OpenId.pm
index 77410e6..22a2188 100644
--- a/src/PVE/API2/OpenId.pm
+++ b/src/PVE/API2/OpenId.pm
@@ -220,6 +220,38 @@ __PACKAGE__->register_method ({
$rpcenv->check_user_enabled($username);
}
+ if (defined(my $groups_claim = $config->{'groups-claim'})) {
+ if (defined(my $groups_list = $info->{$groups_claim})) {
+ if (UNIVERSAL::isa($groups_list, 'ARRAY')) {
+ PVE::AccessControl::lock_user_config(sub {
+ my $usercfg = cfs_read_file("user.cfg");
+
+ # if groups should be overwritten, delete them first
+ if ( $config->{'groups-overwrite'}) {
+ PVE::AccessControl::delete_user_group($username, $usercfg);
+ }
+
+ # replace any invalid characters with
+ my $replace_character = $config->{'groups-replace-character'};
+ my @oidc_groups_list = map { $_ =~ s/[^A-Za-z0-9\.\-_]/$replace_character/gr } @{ $groups_list };
+
+ # only populate groups that are in the oidc list and exist in pve
+ my @existing_groups_list = keys %{$usercfg->{groups}};
+ my @groups_intersect = grep { my $g = $_; grep $_ eq $g, @oidc_groups_list } @existing_groups_list;
+
+ # ensure user is a member of these groups
+ map { PVE::AccessControl::add_user_group($username, $usercfg, $_) } @groups_intersect;
+
+ cfs_write_file("user.cfg", $usercfg);
+ }, "openid group mapping failed");
+ } else {
+ syslog('err', "groups list is not an array; groups will not be updated");
+ }
+ } else {
+ syslog('err', "groups claim '$groups_claim' is not found in claims");
+ }
+ }
+
my $ticket = PVE::AccessControl::assemble_ticket($username);
my $csrftoken = PVE::AccessControl::assemble_csrf_prevention_token($username);
my $cap = $rpcenv->compute_api_permission($username);
diff --git a/src/PVE/Auth/OpenId.pm b/src/PVE/Auth/OpenId.pm
index c8e4db9..0e3fdc4 100755
--- a/src/PVE/Auth/OpenId.pm
+++ b/src/PVE/Auth/OpenId.pm
@@ -42,6 +42,24 @@ sub properties {
type => 'string',
optional => 1,
},
+ "groups-claim" => {
+ description => "OpenID claim used to retrieve groups with.",
+ type => 'string',
+ optional => 1,
+ },
+ "groups-overwrite" => {
+ description => "All groups will be overwritten for the user on login.",
+ type => 'boolean',
+ default => 0,
+ optional => 1,
+ },
+ "groups-replace-character" => {
+ description => "Character used to replace any invalid characters in groups from provider.",
+ type => 'string',
+ pattern => '^[A-Za-z0-9\.\-_]$',
+ default => '_',
+ optional => 1,
+ },
prompt => {
description => "Specifies whether the Authorization Server prompts the End-User for"
." reauthentication and consent.",
@@ -73,6 +91,9 @@ sub options {
"client-key" => { optional => 1 },
autocreate => { optional => 1 },
"username-claim" => { optional => 1, fixed => 1 },
+ "groups-claim" => { optional => 1 },
+ "groups-overwrite" => { optional => 1 },
+ "groups-replace-character" => { optional => 1},
prompt => { optional => 1 },
scopes => { optional => 1 },
"acr-values" => { optional => 1 },
--
2.39.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next prev parent reply other threads:[~2024-09-02 8:06 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-01 16:55 [pve-devel] [PATCH SERIES openid/access-control/docs/manager] fix #4411: add support for openid groups Thomas Skinner
2024-09-01 16:55 ` [pve-devel] [PATCH docs 1/1] fix #4411: openid: add docs for openid groups support Thomas Skinner
2024-09-01 16:55 ` [pve-devel] [PATCH openid 1/1] fix #4411: openid: add library code " Thomas Skinner
2024-09-01 16:55 ` Thomas Skinner [this message]
2024-09-01 16:55 ` [pve-devel] [PATCH manager 1/1] fix #4411: openid: add ui config " Thomas Skinner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240901165512.687801-4-thomas@atskinner.net \
--to=thomas@atskinner.net \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox