Re: [pve-devel] [PATCH access-control v5 1/1] fix #4411: openid: add logic for openid groups support

From: Mira Limbeck <m.limbeck@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: Re: [pve-devel] [PATCH access-control v5 1/1] fix #4411: openid: add logic for openid groups support
Date: Mon, 31 Mar 2025 12:09:29 +0200	[thread overview]
Message-ID: <744146e8-4350-443a-950d-272b4137d99c@proxmox.com> (raw)
In-Reply-To: <20250327015002.1982876-4-thomas@atskinner.net>

On 3/27/25 02:50, Thomas Skinner wrote:
> Signed-off-by: Thomas Skinner <thomas@atskinner.net>
> ---
>  src/PVE/API2/OpenId.pm   | 83 ++++++++++++++++++++++++++++++++++++++++
>  src/PVE/AccessControl.pm |  2 +-
>  src/PVE/Auth/OpenId.pm   | 25 ++++++++++++
>  src/PVE/Auth/Plugin.pm   |  1 +
>  4 files changed, 110 insertions(+), 1 deletion(-)
> 
> diff --git a/src/PVE/API2/OpenId.pm b/src/PVE/API2/OpenId.pm
> index 77410e6..baa4dbc 100644
> --- a/src/PVE/API2/OpenId.pm
> +++ b/src/PVE/API2/OpenId.pm
> @@ -13,6 +13,7 @@ use PVE::Cluster qw(cfs_read_file cfs_write_file);
>  use PVE::AccessControl;
>  use PVE::JSONSchema qw(get_standard_option);
>  use PVE::Auth::Plugin;
> +use PVE::Auth::OpenId;
>  
>  use PVE::RESTHandler;
>  
> @@ -220,6 +221,88 @@ __PACKAGE__->register_method ({
>  		$rpcenv->check_user_enabled($username);
>  	    }
>  
> +	    if (defined(my $groups_claim = $config->{'groups-claim'})) {
> +		if (defined(my $groups_list = $info->{$groups_claim})) {
> +		    if (ref($groups_list) eq 'ARRAY') {
> +			PVE::AccessControl::lock_user_config(sub {
> +			    my $usercfg = cfs_read_file("user.cfg");
> +
> +			    my $oidc_groups;
> +			    for my $group (@$groups_list) {
> +				if (PVE::AccessControl::verify_groupname($group, 1)) {
> +				    # add realm name as suffix to group
> +				    $oidc_groups->{"$group-$realm"} = 1;
> +				} else {
> +				    # ignore any groups in the list that have invalid characters
> +				    syslog(
> +					'warn', 
trailing whitespace

> +					"openid group '$group' contains invalid characters"
> +				    );
> +				}
> +			    }
> +			    
trailing whitespace

> +			    # get groups that exist in OIDC and PVE
> +			    my $groups_intersect;
> +			    for my $group (keys %$oidc_groups) {
> +				$groups_intersect->{$group} = 1 if $usercfg->{groups}->{$group};
> +			    }
> +
> +			    if ($config->{'groups-autocreate'}) {
> +                                # populate all groups in claim
> +                                $groups_intersect = $oidc_groups;
both lines above have wrong indentation (space only)

> +				my $groups_to_create;
> +				for my $group (keys %$oidc_groups) {
> +                                    $groups_to_create->{$group} = 1 if !$usercfg->{groups}->{$group};
> +			    	}
wrong combination of tabs and spaces, tabs - spaces - tab

> +				if ($groups_to_create) {
> +				    # log a messages about created groups here
> +				    my $groups_to_create_string = join(', ', sort keys %$groups_to_create);
> +				    syslog(
> +					'info', 
> +					"groups created automatically from openid claim: $groups_to_create_string"
> +				    );
> +				}
> +                            }
> +
> +			    # if groups should be overwritten, delete all the users groups first
> +			    if ( $config->{'groups-overwrite'} ) {
> +				PVE::AccessControl::delete_user_group(
> +				    $username, 
> +				    $usercfg, 
> +				);
> +				syslog(
> +				    'info', 
> +				    "openid overwrite groups enabled; user '$username' removed from all groups"
> +			    	);
> +			    }
> +			    
> +			    if (keys %$groups_intersect) {
> +				# ensure user is a member of the groups
> +				for my $group (keys %$groups_intersect) {
> +				    PVE::AccessControl::add_user_group(
> +					$username,
> +					$usercfg,
> +					$group
> +				    );
> +				}
> +
> +				my $groups_intersect_string = join(', ', sort keys %$groups_intersect);
> +				syslog(
> +				    'info', 
> +				    "openid user '$username' added to groups: $groups_intersect_string"
> +				);
> +			    }
> +
> +			    cfs_write_file("user.cfg", $usercfg);
> +			}, "openid group mapping failed");
> +		    } else {
> +			syslog('err', "openid groups list is not an array; groups will not be updated");
> +		    }
> +		} else {
> +		    syslog('err', "openid groups claim '$groups_claim' is not found in claims");
> +		}
> +	    }
> +
>  	    my $ticket = PVE::AccessControl::assemble_ticket($username);
>  	    my $csrftoken = PVE::AccessControl::assemble_csrf_prevention_token($username);
>  	    my $cap = $rpcenv->compute_api_permission($username);

There are some trailing whitespaces, wrongly mixed tabs and spaces, and
some space-only indentations.
The indentation scheme used [0] is not that straightforward. It can be
fixed up when applying the patch, so no need to send a v6 unless there
are some other issues.

Other than the whitespace issues the code looks good.
So consider this:
Tested-by: Mira Limbeck <m.limbeck@proxmox.com>
Reviewed-by: Mira Limbeck <m.limbeck@proxmox.com>

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel