From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
by lore.proxmox.com (Postfix) with ESMTPS id E2E071FF15E
for <inbox@lore.proxmox.com>; Tue, 11 Feb 2025 07:04:37 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
by firstgate.proxmox.com (Proxmox) with ESMTP id 407CD1B34E;
Tue, 11 Feb 2025 07:04:34 +0100 (CET)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1739253833; x=1739858633;
h=content-transfer-encoding:mime-version:references:in-reply-to
:message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
:subject:date:message-id:reply-to;
bh=qiXVqjnAOdkYXVWMJWJ2ct3ujJP8nrbOF9GBdZ4oH8I=;
b=ffKC6/67Ump/kZ5jVdQuA530Vf2qy3c7orP3XfaZuB+jPf5buOd9b9OTM+M8ocQHWs
2dmQ6q53Fm2doBVByUU6oHd/6KebI2EXNu290lwMa0VEoRpJMXCnXdVUMAnBbm/prEtm
ncKhSennjLVu9sjGPW8qB1vGoqTZng3GP6k+eJj0bUj4X9ARe1/ZEoG9kgCBYm0Bpura
r8ZMOmxyhotS+IiDh8F9qkRZBPMFlTZN5qRZto8HxhVWejp+MjFzt3W3W6OVGOSv7lTV
ZCYQu1UjPZ/iRqN8T4FHhgPfVYwd3Mi3SHrFl1eJwgTbOqrcJiw3QyxzBQvyWkKnHOsT
f3NA==
X-Gm-Message-State: AOJu0YwONCUJGGCVKNaiOAAOjT6hZkOAwWdI4muEPexdYdMPT70uhnc4
h2pMbULqhHKTk2/p1Jn0dP5UZ/qjpf1fmji/d3LBxKYRxdKC9rf0O0vHn1lD
X-Gm-Gg: ASbGncsDIZLVF/w1NqS3M4+2nkqvBpuVKtxu2BspwfiaHOpFOvag7zc7ZdhHG2I/7OX
rL9R/Dq6okxFKkeSfmPe1JFXipejI2fDiK+4bix7eXScfOAYT+9joPT3fE0+mFV3yNNHfIISkCV
b6PgJCOBpei3EAwAMXcBjVE2OlGRVdgVPZJTuSiQ2elPETbc/ZF5Xbjw24lDLU+YNfdJ+kUZ8nm
UKDB5MALzwR63QIfIX0KvTrG4BaCZebjfFSf1wZbx24A3ql8JoA45yzdAanDPYo/OmuP3vUAwQ5
BxJOMbAARkSKWsbrOH9n82UD2P4OYxBxk5ZYICS5/e8u2aFad3bL1bgcFVTjAoOb/Uc0dyb/2Kh
lKQnpC/eEZWvFHo0UxqoHf0powEx9
X-Google-Smtp-Source: AGHT+IHSXjWHur7vuSe2RAKyZKMUSNcSgUgEv8nOGtPNGE4rSRGQLbHaa2bwpqvoCp0ix3FMEFndqg==
X-Received: by 2002:a05:690c:6113:b0:6f9:88ba:aa5d with SMTP id
00721157ae682-6f9b2873301mr145841507b3.9.1739252440909;
Mon, 10 Feb 2025 21:40:40 -0800 (PST)
From: Thomas Skinner <thomas@atskinner.net>
To: pve-devel@lists.proxmox.com
Date: Mon, 10 Feb 2025 23:40:28 -0600
Message-Id: <20250211054029.1269099-4-thomas@atskinner.net>
X-Mailer: git-send-email 2.39.5
In-Reply-To: <20250211054029.1269099-1-thomas@atskinner.net>
References: <20250211054029.1269099-1-thomas@atskinner.net>
MIME-Version: 1.0
X-SPAM-LEVEL: Spam detection results: 0
AWL 0.007 Adjusted score from AWL reputation of From: address
BAYES_00 -1.9 Bayes spam probability is 0 to 1%
DMARC_MISSING 0.1 Missing DMARC policy
FREEMAIL_FORGED_FROMDOMAIN 0.001 2nd level domains in From and EnvelopeFrom
freemail headers are different
FREEMAIL_FROM 0.001 Sender email is commonly abused enduser mail provider
HEADER_FROM_DIFFERENT_DOMAINS 0.001 From and EnvelopeFrom 2nd level mail
domains are different
KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
RCVD_IN_DNSWL_NONE -0.0001 Sender listed at https://www.dnswl.org/,
no trust RCVD_IN_MSPIKE_H2 0.001 Average reputation (+2)
RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
Validity was blocked. See
https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
information.
RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
Validity was blocked. See
https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
information.
RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
Validity was blocked. See
https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
information.
SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
SPF_PASS -0.001 SPF: sender matches SPF record
URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
information. [plugin.pm, accesscontrol.pm, openid.pm]
Subject: [pve-devel] [PATCH access-control v3 1/1] fix #4411: openid: add
logic for openid groups support
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>,
<mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>,
<mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
Reply-To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Cc: Thomas Skinner <thomas@atskinner.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pve-devel-bounces@lists.proxmox.com
Sender: "pve-devel" <pve-devel-bounces@lists.proxmox.com>
Signed-off-by: Thomas Skinner <thomas@atskinner.net>
---
src/PVE/API2/OpenId.pm | 79 ++++++++++++++++++++++++++++++++++++++++
src/PVE/AccessControl.pm | 2 +-
src/PVE/Auth/OpenId.pm | 33 +++++++++++++++++
src/PVE/Auth/Plugin.pm | 1 +
4 files changed, 114 insertions(+), 1 deletion(-)
diff --git a/src/PVE/API2/OpenId.pm b/src/PVE/API2/OpenId.pm
index 77410e6..818175e 100644
--- a/src/PVE/API2/OpenId.pm
+++ b/src/PVE/API2/OpenId.pm
@@ -13,6 +13,7 @@ use PVE::Cluster qw(cfs_read_file cfs_write_file);
use PVE::AccessControl;
use PVE::JSONSchema qw(get_standard_option);
use PVE::Auth::Plugin;
+use PVE::Auth::OpenId;
use PVE::RESTHandler;
@@ -220,6 +221,84 @@ __PACKAGE__->register_method ({
$rpcenv->check_user_enabled($username);
}
+ if (defined(my $groups_claim = $config->{'groups-claim'})) {
+ if (defined(my $groups_list = $info->{$groups_claim})) {
+ if (ref($groups_list) eq 'ARRAY') {
+ PVE::AccessControl::lock_user_config(sub {
+ my $usercfg = cfs_read_file("user.cfg");
+
+ # replace any invalid characters with
+ my $replace_character = $config->{'groups-replace-character'} // '_';
+ my $oidc_groups = { map {
+ $_ =~ s/[^$PVE::Auth::Plugin::groupname_regex_chars]/$replace_character/gr => 1
+ } $groups_list->@* };
+
+ # add realm name as suffix to group
+ my $suffixed_oidc_groups;
+ for my $group (keys %$oidc_groups) {
+ $suffixed_oidc_groups->{"$group-$realm"} = 1;
+ }
+ $oidc_groups = $suffixed_oidc_groups;
+
+ # get groups that exist in OIDC and PVE
+ my $groups_intersect;
+ for my $group (keys %$oidc_groups) {
+ $groups_intersect->{$group} = 1 if $usercfg->{groups}->{$group};
+ }
+
+ if ($config->{'groups-autocreate'}) {
+ # populate all groups in claim
+ $groups_intersect = $oidc_groups;
+ my $groups_to_create;
+ for my $group (keys %$oidc_groups) {
+ $groups_to_create->{$group} = 1 if !$usercfg->{groups}->{$group};
+ }
+ if ($groups_to_create) {
+ # log a messages about created groups here
+ my $groups_to_create_string = join(', ', sort keys %$groups_to_create);
+ syslog(
+ 'info',
+ "groups created automatically from openid claim: $groups_to_create_string"
+ );
+ }
+ }
+
+ # if groups should be overwritten, delete all the users groups first
+ if ( $config->{'groups-overwrite'} ) {
+ PVE::AccessControl::delete_user_group(
+ $username,
+ $usercfg,
+ );
+ syslog(
+ 'info',
+ "openid overwrite groups enabled; user '$username' removed from all groups"
+ );
+ }
+
+ # ensure user is a member of the groups
+ for my $group (keys %$groups_intersect) {
+ PVE::AccessControl::add_user_group(
+ $username,
+ $usercfg,
+ $group
+ );
+ }
+ my $groups_intersect_string = join(', ', sort keys %$groups_intersect);
+ syslog(
+ 'info',
+ "openid user '$username' added to groups: $groups_intersect_string"
+ );
+
+ cfs_write_file("user.cfg", $usercfg);
+ }, "openid group mapping failed");
+ } else {
+ syslog('err', "openid groups list is not an array; groups will not be updated");
+ }
+ } else {
+ syslog('err', "openid groups claim '$groups_claim' is not found in claims");
+ }
+ }
+
my $ticket = PVE::AccessControl::assemble_ticket($username);
my $csrftoken = PVE::AccessControl::assemble_csrf_prevention_token($username);
my $cap = $rpcenv->compute_api_permission($username);
diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index 47f2d38..7493c57 100644
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -1293,7 +1293,7 @@ PVE::JSONSchema::register_format('pve-groupid', \&verify_groupname);
sub verify_groupname {
my ($groupname, $noerr) = @_;
- if ($groupname !~ m/^[A-Za-z0-9\.\-_]+$/) {
+ if ($groupname !~ m/^[$PVE::Auth::Plugin::groupname_regex_chars]+$/) {
die "group name '$groupname' contains invalid characters\n" if !$noerr;
diff --git a/src/PVE/Auth/OpenId.pm b/src/PVE/Auth/OpenId.pm
index c8e4db9..fd1cd6f 100755
--- a/src/PVE/Auth/OpenId.pm
+++ b/src/PVE/Auth/OpenId.pm
@@ -9,6 +9,9 @@ use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file
use base qw(PVE::Auth::Plugin);
+# include all printable ascii characters
+my $openid_claim_regex = qr/[ -~]+/;
+
sub type {
return 'openid';
}
@@ -42,6 +45,32 @@ sub properties {
type => 'string',
optional => 1,
},
+ "groups-claim" => {
+ description => "OpenID claim used to retrieve groups with.",
+ type => 'string',
+ pattern => $openid_claim_regex,
+ maxLength => 256,
+ optional => 1,
+ },
+ "groups-autocreate" => {
+ description => "Automatically create groups if they do not exist.",
+ optional => 1,
+ type => 'boolean',
+ default => 0,
+ },
+ "groups-overwrite" => {
+ description => "All groups will be overwritten for the user on login.",
+ type => 'boolean',
+ default => 0,
+ optional => 1,
+ },
+ "groups-replace-character" => {
+ description => "Character used to replace any invalid characters in groups from provider.",
+ type => 'string',
+ pattern => qr/^[$PVE::Auth::Plugin::groupname_regex_chars]$/,
+ default => '_',
+ optional => 1,
+ },
prompt => {
description => "Specifies whether the Authorization Server prompts the End-User for"
." reauthentication and consent.",
@@ -73,6 +102,10 @@ sub options {
"client-key" => { optional => 1 },
autocreate => { optional => 1 },
"username-claim" => { optional => 1, fixed => 1 },
+ "groups-claim" => { optional => 1 },
+ "groups-autocreate" => { optional => 1 },
+ "groups-overwrite" => { optional => 1 },
+ "groups-replace-character" => { optional => 1},
prompt => { optional => 1 },
scopes => { optional => 1 },
"acr-values" => { optional => 1 },
diff --git a/src/PVE/Auth/Plugin.pm b/src/PVE/Auth/Plugin.pm
index 763239f..7617044 100755
--- a/src/PVE/Auth/Plugin.pm
+++ b/src/PVE/Auth/Plugin.pm
@@ -31,6 +31,7 @@ sub lock_domain_config {
our $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/;
our $user_regex = qr![^\s:/]+!;
+our $groupname_regex_chars = qr/A-Za-z0-9\.\-_/;
PVE::JSONSchema::register_format('pve-realm', \&pve_verify_realm);
sub pve_verify_realm {
--
2.39.5
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel