From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9])
	by lore.proxmox.com (Postfix) with ESMTPS id AF7F61FF165
	for <inbox@lore.proxmox.com>; Wed, 12 Feb 2025 15:47:57 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 36979186EE;
	Wed, 12 Feb 2025 15:47:53 +0100 (CET)
Message-ID: <26f0c8f2-57f0-4064-a87d-0de9f65e316f@proxmox.com>
Date: Wed, 12 Feb 2025 15:47:49 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: pve-devel@lists.proxmox.com
References: <20250211054029.1269099-1-thomas@atskinner.net>
Content-Language: en-US
From: Mira Limbeck <m.limbeck@proxmox.com>
In-Reply-To: <20250211054029.1269099-1-thomas@atskinner.net>
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.333 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
 information. [openid.pm, plugin.pm, lib.rs, accesscontrol.pm]
Subject: Re: [pve-devel] [PATCH SERIES
 access-control/docs/manager/proxmox-openid v3] fix #4411: add support for
 openid groups
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
Reply-To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pve-devel-bounces@lists.proxmox.com
Sender: "pve-devel" <pve-devel-bounces@lists.proxmox.com>

On 2/11/25 06:40, Thomas Skinner wrote:
> Continued work on adding support for OIDC groups. 
> 
> changes since v2:
> - Move RE for group name characters to Plugin.pm
> - Undo refactoring of user group deletion
> - Refactor logic to use hashes instead of arrays
> - Cleanup code style
> - Add RE and length limit for group claim
> - Clarify docs on suffix and automatic group creation
> 
> 
> access-control:
> 
> Thomas Skinner (1):
>   fix #4411: openid: add logic for openid groups support
> 
>  src/PVE/API2/OpenId.pm   | 79 ++++++++++++++++++++++++++++++++++++++++
>  src/PVE/AccessControl.pm |  2 +-
>  src/PVE/Auth/OpenId.pm   | 33 +++++++++++++++++
>  src/PVE/Auth/Plugin.pm   |  1 +
>  4 files changed, 114 insertions(+), 1 deletion(-)
> 
>  
> docs:
> 
> Thomas Skinner (1):
>   fix #4411: openid: add docs for openid groups support
> 
>  pveum.adoc | 44 ++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 44 insertions(+)
> 
>  
> manager:
> 
> Thomas Skinner (1):
>   fix #4411: openid: add ui config for openid groups support
> 
>  www/manager6/dc/AuthEditOpenId.js | 44 ++++++++++++++++++++++++++++---
> 
> 
> proxmox-openid:
> 
> Thomas Skinner (1):
>   fix #4411: openid: add library code for generic id token claim support
> 
>  proxmox-openid/src/lib.rs | 55 +++++++++++++++++++++++++++++++++------
> 
> 

Tested this with Authentik for now. Logging looks good when groups are
created and when users have groups removed and assigned again.
It could be nice to also log when groups are renamed because of invalid
characters that are replaced?

Group claim, adding and overwriting groups looks good.
One test group was renamed because of a `!` in its name. When changing
the replacement character it created a new group and the old one still
existed. So you can end up with lots of leftover groups if you change
the replacement character later on.


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel