public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed
* [pve-devel] [PATCH-SERIES manager] ui: user edit: improve 'keys' field
@ 2024-02-09 13:08 Fiona Ebner
  2024-02-09 13:08 ` [pve-devel] [PATCH manager 1/3] ui: user edit: protect user's TFA settings again Fiona Ebner
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Fiona Ebner @ 2024-02-09 13:08 UTC (permalink / raw)
  To: pve-devel

Nowadays, TFA is configured in the respective window, so only legacy
values require some special treatment. The only real use case for
actual legacy keys is syncing them from LDAP. I wasn't sure if it
still makes sense to keep those editable, so the series is doing the
changes towards a more restricted field gradually.

Fiona Ebner (3):
  ui: user edit: protect user's TFA settings again
  ui: user edit: hide key field except for legacy values
  ui: user edit: prohibit editing keys option

 www/manager6/dc/UserEdit.js | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

-- 
2.39.2





^ permalink raw reply	[flat|nested] 5+ messages in thread

* [pve-devel] [PATCH manager 1/3] ui: user edit: protect user's TFA settings again
  2024-02-09 13:08 [pve-devel] [PATCH-SERIES manager] ui: user edit: improve 'keys' field Fiona Ebner
@ 2024-02-09 13:08 ` Fiona Ebner
  2024-04-23 14:52   ` [pve-devel] applied: " Thomas Lamprecht
  2024-02-09 13:08 ` [pve-devel] [PATCH manager 2/3] ui: user edit: hide key field except for legacy values Fiona Ebner
  2024-02-09 13:08 ` [pve-devel] [PATCH manager 3/3] ui: user edit: prohibit editing keys option Fiona Ebner
  2 siblings, 1 reply; 5+ messages in thread
From: Fiona Ebner @ 2024-02-09 13:08 UTC (permalink / raw)
  To: pve-devel

Same rationale as in 5b25580d ("Protect the user's tfa key setting."):
it should not be possible to change the value when it's not an actual
secret but a reference to what TFA method is used or, in case of 'x',
whether TFA is used.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 www/manager6/dc/UserEdit.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/www/manager6/dc/UserEdit.js b/www/manager6/dc/UserEdit.js
index b637cd53..ad52edf0 100644
--- a/www/manager6/dc/UserEdit.js
+++ b/www/manager6/dc/UserEdit.js
@@ -162,7 +162,10 @@ Ext.define('PVE.dc.UserEdit', {
 		    var data = response.result.data;
 		    me.setValues(data);
 		    if (data.keys) {
-			if (data.keys === 'x!oath' || data.keys === 'x!u2f') {
+			if (data.keys === 'x' ||
+			    data.keys === 'x!oath' ||
+			    data.keys === 'x!u2f' ||
+			    data.keys === 'x!yubico') {
 			    me.down('[name="keys"]').setDisabled(1);
 			}
 		    }
-- 
2.39.2





^ permalink raw reply	[flat|nested] 5+ messages in thread

* [pve-devel] [PATCH manager 2/3] ui: user edit: hide key field except for legacy values
  2024-02-09 13:08 [pve-devel] [PATCH-SERIES manager] ui: user edit: improve 'keys' field Fiona Ebner
  2024-02-09 13:08 ` [pve-devel] [PATCH manager 1/3] ui: user edit: protect user's TFA settings again Fiona Ebner
@ 2024-02-09 13:08 ` Fiona Ebner
  2024-02-09 13:08 ` [pve-devel] [PATCH manager 3/3] ui: user edit: prohibit editing keys option Fiona Ebner
  2 siblings, 0 replies; 5+ messages in thread
From: Fiona Ebner @ 2024-02-09 13:08 UTC (permalink / raw)
  To: pve-devel

It should not be possible to set new legacy values via the UI, the TFA
configuration window should be used to set second factors.

Existing values are only interesting to show in case it's one of the
legacy values 'x!<TYPE>' or a legacy secret e.g. synced from LDAP. In
the latter case it's kept editable like it previously was.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 www/manager6/dc/UserEdit.js | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/www/manager6/dc/UserEdit.js b/www/manager6/dc/UserEdit.js
index ad52edf0..ca701312 100644
--- a/www/manager6/dc/UserEdit.js
+++ b/www/manager6/dc/UserEdit.js
@@ -168,6 +168,12 @@ Ext.define('PVE.dc.UserEdit', {
 			    data.keys === 'x!yubico') {
 			    me.down('[name="keys"]').setDisabled(1);
 			}
+			if (data.keys === 'x') {
+			    me.down('[name="keys"]').setHidden(true);
+			}
+		    } else {
+			me.down('[name="keys"]').setDisabled(true);
+			me.down('[name="keys"]').setHidden(true);
 		    }
 		},
 	    });
-- 
2.39.2





^ permalink raw reply	[flat|nested] 5+ messages in thread

* [pve-devel] [PATCH manager 3/3] ui: user edit: prohibit editing keys option
  2024-02-09 13:08 [pve-devel] [PATCH-SERIES manager] ui: user edit: improve 'keys' field Fiona Ebner
  2024-02-09 13:08 ` [pve-devel] [PATCH manager 1/3] ui: user edit: protect user's TFA settings again Fiona Ebner
  2024-02-09 13:08 ` [pve-devel] [PATCH manager 2/3] ui: user edit: hide key field except for legacy values Fiona Ebner
@ 2024-02-09 13:08 ` Fiona Ebner
  2 siblings, 0 replies; 5+ messages in thread
From: Fiona Ebner @ 2024-02-09 13:08 UTC (permalink / raw)
  To: pve-devel

by turning the field into a displayfield. The TFA configuration
window should be used to set second factors. It's still worth showing
the field in case it's a legacy value.

Editing a secret that was originally synced from LDAP is a use case
where editing the field might've still made sense, but it's arguably
better to do that on the LDAP side then and re-sync.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 www/manager6/dc/UserEdit.js | 15 ++-------------
 1 file changed, 2 insertions(+), 13 deletions(-)

diff --git a/www/manager6/dc/UserEdit.js b/www/manager6/dc/UserEdit.js
index ca701312..c9b32773 100644
--- a/www/manager6/dc/UserEdit.js
+++ b/www/manager6/dc/UserEdit.js
@@ -128,7 +128,7 @@ Ext.define('PVE.dc.UserEdit', {
 	    ],
 	    advancedItems: [
 		{
-		    xtype: 'textfield',
+		    xtype: 'displayfield',
 		    name: 'keys',
 		    fieldLabel: gettext('Key IDs'),
 		},
@@ -161,18 +161,7 @@ Ext.define('PVE.dc.UserEdit', {
 		success: function(response, options) {
 		    var data = response.result.data;
 		    me.setValues(data);
-		    if (data.keys) {
-			if (data.keys === 'x' ||
-			    data.keys === 'x!oath' ||
-			    data.keys === 'x!u2f' ||
-			    data.keys === 'x!yubico') {
-			    me.down('[name="keys"]').setDisabled(1);
-			}
-			if (data.keys === 'x') {
-			    me.down('[name="keys"]').setHidden(true);
-			}
-		    } else {
-			me.down('[name="keys"]').setDisabled(true);
+		    if (!data.keys || data.keys === 'x') {
 			me.down('[name="keys"]').setHidden(true);
 		    }
 		},
-- 
2.39.2





^ permalink raw reply	[flat|nested] 5+ messages in thread

* [pve-devel] applied: [PATCH manager 1/3] ui: user edit: protect user's TFA settings again
  2024-02-09 13:08 ` [pve-devel] [PATCH manager 1/3] ui: user edit: protect user's TFA settings again Fiona Ebner
@ 2024-04-23 14:52   ` Thomas Lamprecht
  0 siblings, 0 replies; 5+ messages in thread
From: Thomas Lamprecht @ 2024-04-23 14:52 UTC (permalink / raw)
  To: Proxmox VE development discussion, Fiona Ebner

Am 09/02/2024 um 14:08 schrieb Fiona Ebner:
> Same rationale as in 5b25580d ("Protect the user's tfa key setting."):
> it should not be possible to change the value when it's not an actual
> secret but a reference to what TFA method is used or, in case of 'x',
> whether TFA is used.
> 
> Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
> ---
>  www/manager6/dc/UserEdit.js | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
>

applied this one for now, thanks!


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2024-04-23 14:52 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-02-09 13:08 [pve-devel] [PATCH-SERIES manager] ui: user edit: improve 'keys' field Fiona Ebner
2024-02-09 13:08 ` [pve-devel] [PATCH manager 1/3] ui: user edit: protect user's TFA settings again Fiona Ebner
2024-04-23 14:52   ` [pve-devel] applied: " Thomas Lamprecht
2024-02-09 13:08 ` [pve-devel] [PATCH manager 2/3] ui: user edit: hide key field except for legacy values Fiona Ebner
2024-02-09 13:08 ` [pve-devel] [PATCH manager 3/3] ui: user edit: prohibit editing keys option Fiona Ebner

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal