From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
	by lore.proxmox.com (Postfix) with ESMTPS id 88F0A1FF191
	for <inbox@lore.proxmox.com>; Mon,  2 Jun 2025 16:15:32 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id B980B3587A;
	Mon,  2 Jun 2025 16:15:42 +0200 (CEST)
From: Alexander Abraham <a.abraham@proxmox.com>
To: pve-devel@lists.proxmox.com
Date: Mon,  2 Jun 2025 16:14:57 +0200
Message-Id: <20250602141458.142000-3-a.abraham@proxmox.com>
X-Mailer: git-send-email 2.39.5
In-Reply-To: <20250602141458.142000-1-a.abraham@proxmox.com>
References: <20250602141458.142000-1-a.abraham@proxmox.com>
MIME-Version: 1.0
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.100 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
 information. [openid.pm]
Subject: [pve-devel] [PATCH pve-access-control v2 1/1] fix #5076: Changed
 audiences to an array
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
Reply-To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pve-devel-bounces@lists.proxmox.com
Sender: "pve-devel" <pve-devel-bounces@lists.proxmox.com>

The API schema was updated so that audiences are treated
as an array of strings. The code for parsing audiences was
updated to also treat audiences like an array of strings
of a certain format.

Signed-off-by: Alexander Abraham <a.abraham@proxmox.com>
---
 src/PVE/API2/OpenId.pm |  5 ++++-
 src/PVE/Auth/OpenId.pm | 11 ++++++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/PVE/API2/OpenId.pm b/src/PVE/API2/OpenId.pm
index 77410e6..97bac7c 100644
--- a/src/PVE/API2/OpenId.pm
+++ b/src/PVE/API2/OpenId.pm
@@ -45,6 +45,10 @@ my $lookup_openid_auth = sub {
 	$openid_config->{acr_values} = [ PVE::Tools::split_list($acr) ];
     }
 
+    if (defined(my $audiences = $config->{'audiences'})) {
+        $openid_config->{audiences} = $config->{'audiences'}
+    }
+
     my $openid = PVE::RS::OpenId->discover($openid_config, $redirect_url);
     return ($config, $openid);
 };
@@ -169,7 +173,6 @@ __PACKAGE__->register_method ({
 	    my $redirect_url = extract_param($param, 'redirect-url');
 
 	    my ($config, $openid) = $lookup_openid_auth->($realm, $redirect_url);
-
 	    my $info = $openid->verify_authorization_code($param->{code}, $private_auth_state);
 	    my $subject = $info->{'sub'};
 
diff --git a/src/PVE/Auth/OpenId.pm b/src/PVE/Auth/OpenId.pm
index c8e4db9..4000142 100755
--- a/src/PVE/Auth/OpenId.pm
+++ b/src/PVE/Auth/OpenId.pm
@@ -63,6 +63,15 @@ sub properties {
 	    pattern => '^[^\x00-\x1F\x7F <>#"]*$', # Prohibit characters not allowed in URI RFC 2396.
 	    optional => 1,
 	},
+	'audiences' => {
+	    description => "Specifies the authentication claims neccessary for checking the privileges the requesting user has.",
+	    type => 'array',
+            'items' => {
+              type => 'string',
+              pattern => '^[a-zA-Z0-9-_+.]+$',
+              optional => 1
+            }
+	},
    };
 }
 
@@ -76,6 +85,7 @@ sub options {
 	prompt => { optional => 1 },
 	scopes => { optional => 1 },
 	"acr-values" => { optional => 1 },
+	"audiences" => { optional => 1 },
 	default => { optional => 1 },
 	comment => { optional => 1 },
     };
@@ -83,7 +93,6 @@ sub options {
 
 sub authenticate_user {
     my ($class, $config, $realm, $username, $password) = @_;
-
     die "OpenID realm does not allow password verification.\n";
 }
 
-- 
2.39.5



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel