From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9])
	by lore.proxmox.com (Postfix) with ESMTPS id 8BDE81FF16E
	for <inbox@lore.proxmox.com>; Mon, 31 Mar 2025 12:09:43 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 21E3A3FE10;
	Mon, 31 Mar 2025 12:09:33 +0200 (CEST)
Message-ID: <744146e8-4350-443a-950d-272b4137d99c@proxmox.com>
Date: Mon, 31 Mar 2025 12:09:29 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: pve-devel@lists.proxmox.com
References: <20250327015002.1982876-1-thomas@atskinner.net>
 <20250327015002.1982876-4-thomas@atskinner.net>
Content-Language: en-US
From: Mira Limbeck <m.limbeck@proxmox.com>
In-Reply-To: <20250327015002.1982876-4-thomas@atskinner.net>
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.284 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
Subject: Re: [pve-devel] [PATCH access-control v5 1/1] fix #4411: openid:
 add logic for openid groups support
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
Reply-To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pve-devel-bounces@lists.proxmox.com
Sender: "pve-devel" <pve-devel-bounces@lists.proxmox.com>

On 3/27/25 02:50, Thomas Skinner wrote:
> Signed-off-by: Thomas Skinner <thomas@atskinner.net>
> ---
>  src/PVE/API2/OpenId.pm   | 83 ++++++++++++++++++++++++++++++++++++++++
>  src/PVE/AccessControl.pm |  2 +-
>  src/PVE/Auth/OpenId.pm   | 25 ++++++++++++
>  src/PVE/Auth/Plugin.pm   |  1 +
>  4 files changed, 110 insertions(+), 1 deletion(-)
> 
> diff --git a/src/PVE/API2/OpenId.pm b/src/PVE/API2/OpenId.pm
> index 77410e6..baa4dbc 100644
> --- a/src/PVE/API2/OpenId.pm
> +++ b/src/PVE/API2/OpenId.pm
> @@ -13,6 +13,7 @@ use PVE::Cluster qw(cfs_read_file cfs_write_file);
>  use PVE::AccessControl;
>  use PVE::JSONSchema qw(get_standard_option);
>  use PVE::Auth::Plugin;
> +use PVE::Auth::OpenId;
>  
>  use PVE::RESTHandler;
>  
> @@ -220,6 +221,88 @@ __PACKAGE__->register_method ({
>  		$rpcenv->check_user_enabled($username);
>  	    }
>  
> +	    if (defined(my $groups_claim = $config->{'groups-claim'})) {
> +		if (defined(my $groups_list = $info->{$groups_claim})) {
> +		    if (ref($groups_list) eq 'ARRAY') {
> +			PVE::AccessControl::lock_user_config(sub {
> +			    my $usercfg = cfs_read_file("user.cfg");
> +
> +			    my $oidc_groups;
> +			    for my $group (@$groups_list) {
> +				if (PVE::AccessControl::verify_groupname($group, 1)) {
> +				    # add realm name as suffix to group
> +				    $oidc_groups->{"$group-$realm"} = 1;
> +				} else {
> +				    # ignore any groups in the list that have invalid characters
> +				    syslog(
> +					'warn', 
trailing whitespace

> +					"openid group '$group' contains invalid characters"
> +				    );
> +				}
> +			    }
> +			    
trailing whitespace

> +			    # get groups that exist in OIDC and PVE
> +			    my $groups_intersect;
> +			    for my $group (keys %$oidc_groups) {
> +				$groups_intersect->{$group} = 1 if $usercfg->{groups}->{$group};
> +			    }
> +
> +			    if ($config->{'groups-autocreate'}) {
> +                                # populate all groups in claim
> +                                $groups_intersect = $oidc_groups;
both lines above have wrong indentation (space only)

> +				my $groups_to_create;
> +				for my $group (keys %$oidc_groups) {
> +                                    $groups_to_create->{$group} = 1 if !$usercfg->{groups}->{$group};
> +			    	}
wrong combination of tabs and spaces, tabs - spaces - tab

> +				if ($groups_to_create) {
> +				    # log a messages about created groups here
> +				    my $groups_to_create_string = join(', ', sort keys %$groups_to_create);
> +				    syslog(
> +					'info', 
> +					"groups created automatically from openid claim: $groups_to_create_string"
> +				    );
> +				}
> +                            }
> +
> +			    # if groups should be overwritten, delete all the users groups first
> +			    if ( $config->{'groups-overwrite'} ) {
> +				PVE::AccessControl::delete_user_group(
> +				    $username, 
> +				    $usercfg, 
> +				);
> +				syslog(
> +				    'info', 
> +				    "openid overwrite groups enabled; user '$username' removed from all groups"
> +			    	);
> +			    }
> +			    
> +			    if (keys %$groups_intersect) {
> +				# ensure user is a member of the groups
> +				for my $group (keys %$groups_intersect) {
> +				    PVE::AccessControl::add_user_group(
> +					$username,
> +					$usercfg,
> +					$group
> +				    );
> +				}
> +
> +				my $groups_intersect_string = join(', ', sort keys %$groups_intersect);
> +				syslog(
> +				    'info', 
> +				    "openid user '$username' added to groups: $groups_intersect_string"
> +				);
> +			    }
> +
> +			    cfs_write_file("user.cfg", $usercfg);
> +			}, "openid group mapping failed");
> +		    } else {
> +			syslog('err', "openid groups list is not an array; groups will not be updated");
> +		    }
> +		} else {
> +		    syslog('err', "openid groups claim '$groups_claim' is not found in claims");
> +		}
> +	    }
> +
>  	    my $ticket = PVE::AccessControl::assemble_ticket($username);
>  	    my $csrftoken = PVE::AccessControl::assemble_csrf_prevention_token($username);
>  	    my $cap = $rpcenv->compute_api_permission($username);

There are some trailing whitespaces, wrongly mixed tabs and spaces, and
some space-only indentations.
The indentation scheme used [0] is not that straightforward. It can be
fixed up when applying the patch, so no need to send a v6 unless there
are some other issues.

Other than the whitespace issues the code looks good.
So consider this:
Tested-by: Mira Limbeck <m.limbeck@proxmox.com>
Reviewed-by: Mira Limbeck <m.limbeck@proxmox.com>



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel