From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 7CFE21FF170 for ; Mon, 2 Sep 2024 10:06:03 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 8DDC936A0C; Mon, 2 Sep 2024 10:05:51 +0200 (CEST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725209727; x=1725814527; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=R80ZN3pPYafzenhFTYzafMbwKID1SkoGbBtkywcE7qs=; b=aPUDcXvQpJOQADdAZ7wDlK2ozS7B04tz0HHJHbM1bmHEFhYPzZdEHJ2sRAFBdMOwwR 7pmaE6QXFcGRR7deF5YSxl89foRhW6Z6Mg4EGg7FnQv5btZ+U2oERCPbtteH5GbhJNcF AN57lSyw1H6iPVaLtc6+wcdDe6ZB8p1Z+28mFG8x2qtJedPRM35LktlkpxwbIIl7Vw+o Zy3ODUE7GoreBH6LSxv7AtROKDjhAlDsZk8/UK/75lYKbDc7YSXEg07GUtJsSUrV5YPC bJclOaQmaQZnZuBijzpVQllzSGfoGUtJBe7rSBCZhSgSrtTExqa+7VgDCJhzMwNc6HHJ Q99A== X-Gm-Message-State: AOJu0Yxs7PUX702e5aoeaTiOBTHgEhIbEvT+GtTCB25lWZ3R7aoaGjEb squ4U/1YINYdsWtM7/CFUzEw+ZkzD3wC2SZYPjbG3XOyD8slFsWzJTpV5Q== X-Google-Smtp-Source: AGHT+IGeOP6bDA2n/bUFhEx1bvsvpCiYQAkOV9Tib7fJGqQn7zXNLxvkA/P1tWn2PfwJ//qWte0CnA== X-Received: by 2002:a05:690c:60c7:b0:6af:8f7a:28b2 with SMTP id 00721157ae682-6d40d78eda8mr78556587b3.8.1725209726537; Sun, 01 Sep 2024 09:55:26 -0700 (PDT) From: Thomas Skinner To: pve-devel@lists.proxmox.com Date: Sun, 1 Sep 2024 11:55:11 -0500 Message-Id: <20240901165512.687801-4-thomas@atskinner.net> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240901165512.687801-1-thomas@atskinner.net> References: <20240901165512.687801-1-thomas@atskinner.net> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.001 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy FREEMAIL_FORGED_FROMDOMAIN 0.001 2nd level domains in From and EnvelopeFrom freemail headers are different FREEMAIL_FROM 0.001 Sender email is commonly abused enduser mail provider HEADER_FROM_DIFFERENT_DOMAINS 0.25 From and EnvelopeFrom 2nd level mail domains are different KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_MSPIKE_H2 -0.001 Average reputation (+2) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - X-Mailman-Approved-At: Mon, 02 Sep 2024 10:05:47 +0200 Subject: [pve-devel] [PATCH access-control 1/1] fix #4411: openid: add logic for openid groups support X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Cc: Thomas Skinner Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" Signed-off-by: Thomas Skinner --- src/PVE/API2/OpenId.pm | 32 ++++++++++++++++++++++++++++++++ src/PVE/Auth/OpenId.pm | 21 +++++++++++++++++++++ 2 files changed, 53 insertions(+) diff --git a/src/PVE/API2/OpenId.pm b/src/PVE/API2/OpenId.pm index 77410e6..22a2188 100644 --- a/src/PVE/API2/OpenId.pm +++ b/src/PVE/API2/OpenId.pm @@ -220,6 +220,38 @@ __PACKAGE__->register_method ({ $rpcenv->check_user_enabled($username); } + if (defined(my $groups_claim = $config->{'groups-claim'})) { + if (defined(my $groups_list = $info->{$groups_claim})) { + if (UNIVERSAL::isa($groups_list, 'ARRAY')) { + PVE::AccessControl::lock_user_config(sub { + my $usercfg = cfs_read_file("user.cfg"); + + # if groups should be overwritten, delete them first + if ( $config->{'groups-overwrite'}) { + PVE::AccessControl::delete_user_group($username, $usercfg); + } + + # replace any invalid characters with + my $replace_character = $config->{'groups-replace-character'}; + my @oidc_groups_list = map { $_ =~ s/[^A-Za-z0-9\.\-_]/$replace_character/gr } @{ $groups_list }; + + # only populate groups that are in the oidc list and exist in pve + my @existing_groups_list = keys %{$usercfg->{groups}}; + my @groups_intersect = grep { my $g = $_; grep $_ eq $g, @oidc_groups_list } @existing_groups_list; + + # ensure user is a member of these groups + map { PVE::AccessControl::add_user_group($username, $usercfg, $_) } @groups_intersect; + + cfs_write_file("user.cfg", $usercfg); + }, "openid group mapping failed"); + } else { + syslog('err', "groups list is not an array; groups will not be updated"); + } + } else { + syslog('err', "groups claim '$groups_claim' is not found in claims"); + } + } + my $ticket = PVE::AccessControl::assemble_ticket($username); my $csrftoken = PVE::AccessControl::assemble_csrf_prevention_token($username); my $cap = $rpcenv->compute_api_permission($username); diff --git a/src/PVE/Auth/OpenId.pm b/src/PVE/Auth/OpenId.pm index c8e4db9..0e3fdc4 100755 --- a/src/PVE/Auth/OpenId.pm +++ b/src/PVE/Auth/OpenId.pm @@ -42,6 +42,24 @@ sub properties { type => 'string', optional => 1, }, + "groups-claim" => { + description => "OpenID claim used to retrieve groups with.", + type => 'string', + optional => 1, + }, + "groups-overwrite" => { + description => "All groups will be overwritten for the user on login.", + type => 'boolean', + default => 0, + optional => 1, + }, + "groups-replace-character" => { + description => "Character used to replace any invalid characters in groups from provider.", + type => 'string', + pattern => '^[A-Za-z0-9\.\-_]$', + default => '_', + optional => 1, + }, prompt => { description => "Specifies whether the Authorization Server prompts the End-User for" ." reauthentication and consent.", @@ -73,6 +91,9 @@ sub options { "client-key" => { optional => 1 }, autocreate => { optional => 1 }, "username-claim" => { optional => 1, fixed => 1 }, + "groups-claim" => { optional => 1 }, + "groups-overwrite" => { optional => 1 }, + "groups-replace-character" => { optional => 1}, prompt => { optional => 1 }, scopes => { optional => 1 }, "acr-values" => { optional => 1 }, -- 2.39.2 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel