From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id CA8901FF168 for ; Tue, 24 Dec 2024 21:25:50 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 6B3D119091; Tue, 24 Dec 2024 21:25:35 +0100 (CET) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1735071895; x=1735676695; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Vymb2xABF1BU3Q4fuZq3lTd6kMZrIQw7SqFYD2SdVJ4=; b=goIPRAyu9dmqsooLJ5ciNiBN3BB1nhGZPFVsvD5rBxlP4B10WlsKKTzM/iin2yNUTD /+tL+KsNJTWYh4EoTJ+8V7yMpGzjnBoTgDlyeXr7gfRsuerc7QcnENqljyZKjjapM08o JbzajVjOQGrGoZGnwZYOi5Nxq4vDYKX2aLHK2vsQLpeNU2F7OUVIm1tuWlmNNzWpJwPB ZocFK0uBSr9Zq2+gOGMQprzCub1Pt2fCCTeb5Mjjbf+0JBnrN4vUo0ApvifrxcH0fJg1 vFdHtpfzvEfsg/tMELwTintzGtU8ILXVgGm4d1uzqq2I6fZJj+dqm+PAqibwnPvkc2pW W34A== X-Gm-Message-State: AOJu0YxRKNOxVAsFk4I0hkM9MzV3oZaXH7OPANucOSLSrcy3dirmgXn3 q25/TjrxW7bbivUpQzvJDo9xgszfQGQ1co9j7jPGOyw6oapMZwqjDbRPWQ== X-Gm-Gg: ASbGnctmdP4823Cn8Ak2v7xTgY0e9z04CcIYePX4Qp9Wiij7schaJvzGMXCP7yu8p7x KBPMDesfjszM2XTFXa6scw4oRCaQG1chnxShSxBcMbZGp9SMXOnSDDC79A5TPquSo+l1qdrrgXs 16xin0ASbc+NR6yWZB2WELptyedzSydT+kBnjykDT0iLF3adETfk/iTFSQ4+OmFdQSonUvP4mY/ jaoTVPwxJ9n0SmkSD278q9+9GwuxXFU5B8nA6iYNrq5frIBTPTaW250mCIhW00xgLd9xhb2/FLe vJjk4aHOd/M9KRxpS/HMEAnwCD7MQqeZ9R/0CeYsI7EyWndlcclqBaDUzITwChblfIaqeg== X-Google-Smtp-Source: AGHT+IFRGCKj/8cFWHCCuJdeOSkwq8TKXkEucH583UBUSv1lrJzuKpELh8mB7RohcNgRDOf5Je8YKw== X-Received: by 2002:a05:6902:1b8d:b0:e3c:9fb5:837a with SMTP id 3f1490d57ef6-e538c3c0c7dmr13292523276.41.1735071895021; Tue, 24 Dec 2024 12:24:55 -0800 (PST) From: Thomas Skinner To: pve-devel@lists.proxmox.com Date: Tue, 24 Dec 2024 14:24:28 -0600 Message-Id: <20241224202429.3072813-4-thomas@atskinner.net> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20241224202429.3072813-1-thomas@atskinner.net> References: <20241224202429.3072813-1-thomas@atskinner.net> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.079 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy FREEMAIL_FORGED_FROMDOMAIN 0.001 2nd level domains in From and EnvelopeFrom freemail headers are different FREEMAIL_FROM 0.001 Sender email is commonly abused enduser mail provider HEADER_FROM_DIFFERENT_DOMAINS 0.156 From and EnvelopeFrom 2nd level mail domains are different KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_DNSWL_NONE -0.0001 Sender listed at https://www.dnswl.org/, no trust RCVD_IN_MSPIKE_H2 -0.001 Average reputation (+2) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pve-devel] [PATCH access-control v2 1/1] fix #4411: openid: add logic for openid groups support X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Cc: Thomas Skinner Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" Signed-off-by: Thomas Skinner --- src/PVE/API2/OpenId.pm | 68 ++++++++++++++++++++++++++++++++++++++++ src/PVE/AccessControl.pm | 13 +++++--- src/PVE/Auth/OpenId.pm | 30 ++++++++++++++++++ 3 files changed, 107 insertions(+), 4 deletions(-) diff --git a/src/PVE/API2/OpenId.pm b/src/PVE/API2/OpenId.pm index 77410e6..5cfe5a1 100644 --- a/src/PVE/API2/OpenId.pm +++ b/src/PVE/API2/OpenId.pm @@ -13,6 +13,7 @@ use PVE::Cluster qw(cfs_read_file cfs_write_file); use PVE::AccessControl; use PVE::JSONSchema qw(get_standard_option); use PVE::Auth::Plugin; +use PVE::Auth::OpenId; use PVE::RESTHandler; @@ -220,6 +221,73 @@ __PACKAGE__->register_method ({ $rpcenv->check_user_enabled($username); } + if (defined(my $groups_claim = $config->{'groups-claim'})) { + if (defined(my $groups_list = $info->{$groups_claim})) { + if (ref($groups_list) eq 'ARRAY') { + PVE::AccessControl::lock_user_config(sub { + my $usercfg = cfs_read_file("user.cfg"); + + # replace any invalid characters with + my $replace_character = $config->{'groups-replace-character'} // '_'; + my @oidc_groups_list = map { + $_ =~ s/[^$PVE::Auth::OpenId::groupname_regex_chars]/$replace_character/gr + } $groups_list->@*; + + # list groups that exist in pve + my @existing_groups_list = keys %{$usercfg->{groups}}; + + my @groups_intersect; + if ( $config->{'groups-autocreate'} ) { + # populate all groups in claim + @groups_intersect = @oidc_groups_list; + } + else { + # only populate groups that are in the oidc list and exist in pve + @groups_intersect = @{PVE::Tools::array_intersect( + \@oidc_groups_list, + \@existing_groups_list, + )}; + } + + # if groups should be overwritten, find and delete the ones to remove + if ( $config->{'groups-overwrite'} ) { + # get the groups that need to be removed from the user + my %groups_remove_user; + $groups_remove_user{ $_ } = undef + for keys %{$usercfg->{users}->{$username}->{groups}}; + delete $groups_remove_user{ $_ } for @groups_intersect; + + # ensure user is not a member of these groups + PVE::AccessControl::delete_user_group_single( + $username, + $usercfg, + $_, + ) for keys %groups_remove_user; + } + + # get the groups that need to be added to the user + my %groups_add_user; + $groups_add_user{ $_ } = undef for @groups_intersect; + delete $groups_add_user{ $_ } + for keys %{$usercfg->{users}->{$username}->{groups}}; + + # ensure user is a member of these groups + PVE::AccessControl::add_user_group( + $username, + $usercfg, + $_ + ) for keys %groups_add_user; + + cfs_write_file("user.cfg", $usercfg); + }, "openid group mapping failed"); + } else { + syslog('err', "groups list is not an array; groups will not be updated"); + } + } else { + syslog('err', "groups claim '$groups_claim' is not found in claims"); + } + } + my $ticket = PVE::AccessControl::assemble_ticket($username); my $csrftoken = PVE::AccessControl::assemble_csrf_prevention_token($username); my $cap = $rpcenv->compute_api_permission($username); diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm index 47f2d38..d643a00 100644 --- a/src/PVE/AccessControl.pm +++ b/src/PVE/AccessControl.pm @@ -990,12 +990,17 @@ sub delete_user_group { my ($username, $usercfg) = @_; foreach my $group (keys %{$usercfg->{groups}}) { - - delete ($usercfg->{groups}->{$group}->{users}->{$username}) - if $usercfg->{groups}->{$group}->{users}->{$username}; + delete_user_group_single($username, $usercfg, $group); } } +sub delete_user_group_single { + my ($username, $usercfg, $group) = @_; + + delete ($usercfg->{groups}->{$group}->{users}->{$username}) + if $usercfg->{groups}->{$group}->{users}->{$username}; +} + sub delete_user_acl { my ($username, $usercfg) = @_; @@ -1293,7 +1298,7 @@ PVE::JSONSchema::register_format('pve-groupid', \&verify_groupname); sub verify_groupname { my ($groupname, $noerr) = @_; - if ($groupname !~ m/^[A-Za-z0-9\.\-_]+$/) { + if ($groupname !~ m/^[$PVE::Auth::OpenId::groupname_regex_chars]+$/) { die "group name '$groupname' contains invalid characters\n" if !$noerr; diff --git a/src/PVE/Auth/OpenId.pm b/src/PVE/Auth/OpenId.pm index c8e4db9..d7b5574 100755 --- a/src/PVE/Auth/OpenId.pm +++ b/src/PVE/Auth/OpenId.pm @@ -9,6 +9,8 @@ use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file use base qw(PVE::Auth::Plugin); +our $groupname_regex_chars = qr/A-Za-z0-9\.\-_/; + sub type { return 'openid'; } @@ -42,6 +44,30 @@ sub properties { type => 'string', optional => 1, }, + "groups-claim" => { + description => "OpenID claim used to retrieve groups with.", + type => 'string', + optional => 1, + }, + "groups-autocreate" => { + description => "Automatically create groups if they do not exist.", + optional => 1, + type => 'boolean', + default => 0, + }, + "groups-overwrite" => { + description => "All groups will be overwritten for the user on login.", + type => 'boolean', + default => 0, + optional => 1, + }, + "groups-replace-character" => { + description => "Character used to replace any invalid characters in groups from provider.", + type => 'string', + pattern => qr/^[$groupname_regex_chars]$/, + default => '_', + optional => 1, + }, prompt => { description => "Specifies whether the Authorization Server prompts the End-User for" ." reauthentication and consent.", @@ -73,6 +99,10 @@ sub options { "client-key" => { optional => 1 }, autocreate => { optional => 1 }, "username-claim" => { optional => 1, fixed => 1 }, + "groups-claim" => { optional => 1 }, + "groups-autocreate" => { optional => 1 }, + "groups-overwrite" => { optional => 1 }, + "groups-replace-character" => { optional => 1}, prompt => { optional => 1 }, scopes => { optional => 1 }, "acr-values" => { optional => 1 }, -- 2.39.5 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel