From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 624AD1FF136 for ; Mon, 23 Mar 2026 13:26:32 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id ECEBA15B7C; Mon, 23 Mar 2026 13:26:47 +0100 (CET) Content-Type: text/plain; charset=UTF-8 Date: Mon, 23 Mar 2026 13:26:28 +0100 Message-Id: Subject: Re: [PATCH pve-manager 1/5] notifications: Add OAuth2 parameters to schema and add/update endpoints From: "Lukas Wagner" To: "Arthur Bied-Charreton" , Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Mailer: aerc 0.21.0-0-g5549850facc2-dirty References: <20260213160415.609868-1-a.bied-charreton@proxmox.com> <20260213160415.609868-12-a.bied-charreton@proxmox.com> In-Reply-To: <20260213160415.609868-12-a.bied-charreton@proxmox.com> X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1774268742864 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.049 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: H5OAXLYTW2S22XDHSXHXRUCG2WY7FH2Z X-Message-ID-Hash: H5OAXLYTW2S22XDHSXHXRUCG2WY7FH2Z X-MailFrom: l.wagner@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox VE development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: On Fri Feb 13, 2026 at 5:04 PM CET, Arthur Bied-Charreton wrote: > Add auth-method, as well as optional > oauth2-{client-id,client-secret,tenant-id,refresh-token} parameters to > prepare for OAuth2 support. > > The auth-method parameter was previously implicit and inferred by > proxmox-notify based on the presence of a password. It is now made > explicit, however still kept optional and explicitly inferred in the > {update,create}_endpoint handlers to avoid breaking the API. This should also mention the API restructuring and why it was done. > > Signed-off-by: Arthur Bied-Charreton > --- > PVE/API2/Cluster/Notifications.pm | 110 +++++++++++++++++++++++------- > 1 file changed, 87 insertions(+), 23 deletions(-) > > diff --git a/PVE/API2/Cluster/Notifications.pm b/PVE/API2/Cluster/Notific= ations.pm > index 8b455227..e7acea49 100644 > --- a/PVE/API2/Cluster/Notifications.pm > +++ b/PVE/API2/Cluster/Notifications.pm 
> @@ -941,6 +941,13 @@ my $smtp_properties =3D {
> default =3D> 'tls',
> optional =3D> 1,
> },
> + 'auth-method' =3D> {
> + description =3D>
> + 'Determine which authentication method shall be used for the= connection.',
> + type =3D> 'string',
> + enum =3D> [qw(google-oauth2 microsoft-oauth2 plain none)],
> + optional =3D> 1,
> + },
> username =3D> {
> description =3D> 'Username for SMTP authentication',
> type =3D> 'string',
> @@ -951,6 +958,26 @@ my $smtp_properties =3D {
> type =3D> 'string',
> optional =3D> 1,
> },
> + 'oauth2-client-id' =3D> {
> + description =3D> 'OAuth2 client ID',
> + type =3D> 'string',
> + optional =3D> 1,
> + },
> + 'oauth2-client-secret' =3D> {
> + description =3D> 'OAuth2 client secret',
> + type =3D> 'string',
> + optional =3D> 1,
> + },
> + 'oauth2-tenant-id' =3D> {
> + description =3D> 'OAuth2 tenant ID',
The description here should probably mention that this is only needed for microsoft-oauth2
> + type =3D> 'string',
> + optional =3D> 1,
> + },
> + 'oauth2-refresh-token' =3D> {
> + description =3D> 'OAuth2 refresh token',
> + type =3D> 'string',
> + optional =3D> 1,
> + },
> mailto =3D> {
> type =3D> 'array',
> items =3D> {
> @@ -1108,6 +1135,11 @@ __PACKAGE__->register_method({
> my $mode =3D extract_param($param, 'mode');
> my $username =3D extract_param($param, 'username');
> my $password =3D extract_param($param, 'password');
> + my $auth_method =3D extract_param($param, 'auth-method');
> + my $oauth2_client_secret =3D extract_param($param, 'oauth2-clien= t-secret');
> + my $oauth2_client_id =3D extract_param($param, 'oauth2-client-id= ');
> + my $oauth2_tenant_id =3D extract_param($param, 'oauth2-tenant-id= ');
> + my $oauth2_refresh_token =3D extract_param($param, 'oauth2-refre= sh-token');
> my $mailto =3D extract_param($param, 'mailto');
> my $mailto_user =3D extract_param($param, 'mailto-user');
> my $from_address =3D extract_param($param, 'from-address');
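Review bot: The `auth-method` description in the `$smtp_properties` hunk at -941 does not say what happens when the parameter is left out, although it is `optional` and the create and update handlers later in this patch fall back to `'plain'` when a password is passed and `'none'` otherwise. An API user reading the schema cannot tell that omitting it can produce an endpoint without authentication. I would extend the description, e.g. `'Authentication method for the SMTP connection. If omitted, "plain" is used when a password is given, otherwise "none".'`. `$smtp_properties` starts and ends outside the hunk.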
> @@ -1115,23 +1147,37 @@ __PACKAGE__->register_method({
> my $comment =3D extract_param($param, 'comment');
> my $disable =3D extract_param($param, 'disable');
> =20
> + if (!defined $auth_method) {
> + $auth_method =3D defined($password) ? 'plain' : 'none';
> + }
> +
> eval {
> PVE::Notify::lock_config(sub {
> my $config =3D PVE::Notify::read_config();
> =20
> $config->add_smtp_endpoint(
> - $name,
> - $server,
> - $port,
> - $mode,
> - $username,
> - $password,
> - $mailto,
> - $mailto_user,
> - $from_address,
> - $author,
> - $comment,
> - $disable,
> + {
> + name =3D> $name,
> + server =3D> $server,
> + port =3D> $port,
> + mode =3D> $mode,
> + username =3D> $username,
> + 'auth-method' =3D> $auth_method,
> + 'oauth2-client-id' =3D> $oauth2_client_id,
> + 'oauth2-tenant-id' =3D> $oauth2_tenant_id,
> + mailto =3D> defined($mailto) ? $mailto : [],
> + 'mailto-user' =3D> defined($mailto_user) ? $mail= to_user : [],
> + 'from-address' =3D> $from_address,
> + author =3D> $author,
> + comment =3D> $comment,
> + disable =3D> $disable,
> + },
> + {
> + name =3D> $name,
> + password =3D> $password,
> + 'oauth2-client-secret' =3D> $oauth2_client_secre= t,
> + },
> + $oauth2_refresh_token,
> );
> =20
> PVE::Notify::write_config($config);
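Review bot: The fallback `$auth_method = defined($password) ? 'plain' : 'none';` looks only at `password`, so a create request that carries `oauth2-client-secret` or `oauth2-refresh-token` but no `auth-method` is recorded as `'none'` (or `'plain'`) while the OAuth2 secrets are still handed to `add_smtp_endpoint`. Nothing visible in the hunk rejects that combination; whether the notification backend validates it cannot be seen from here. I would keep the inference for the legacy password/no-password case only and fail early otherwise, e.g. `die "auth-method is required when OAuth2 parameters are set\n" if !defined($auth_method) && grep { defined } $oauth2_client_id, $oauth2_client_secret, $oauth2_tenant_id, $oauth2_refresh_token;` placed before the fallback. The handler body begins and continues outside the hunk.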
> @@ -1187,6 +1233,11 @@ __PACKAGE__->register_method({
> my $mode =3D extract_param($param, 'mode');
> my $username =3D extract_param($param, 'username');
> my $password =3D extract_param($param, 'password');
> + my $auth_method =3D extract_param($param, 'auth-method');
> + my $oauth2_client_secret =3D extract_param($param, 'oauth2-clien= t-secret');
> + my $oauth2_client_id =3D extract_param($param, 'oauth2-client-id= ');
> + my $oauth2_tenant_id =3D extract_param($param, 'oauth2-tenant-id= ');
> + my $oauth2_refresh_token =3D extract_param($param, 'oauth2-refre= sh-token');
> my $mailto =3D extract_param($param, 'mailto');
> my $mailto_user =3D extract_param($param, 'mailto-user');
> my $from_address =3D extract_param($param, 'from-address');
> @@ -1197,23 +1248,36 @@ __PACKAGE__->register_method({
> my $delete =3D extract_param($param, 'delete');
> my $digest =3D extract_param($param, 'digest');
> =20
> + if (!defined $auth_method) {
> + $auth_method =3D defined($password) ? 'plain' : 'none';
> + }
> +
> eval {
> PVE::Notify::lock_config(sub {
> my $config =3D PVE::Notify::read_config();
> =20
> $config->update_smtp_endpoint(
> $name,
> - $server,
> - $port,
> - $mode,
> - $username,
> - $password,
> - $mailto,
> - $mailto_user,
> - $from_address,
> - $author,
> - $comment,
> - $disable,
> + {
> + server =3D> $server,
> + port =3D> $port,
> + mode =3D> $mode,
> + username =3D> $username,
> + 'auth-method' =3D> $auth_method,
> + 'oauth2-client-id' =3D> $oauth2_client_id,
> + 'oauth2-tenant-id' =3D> $oauth2_tenant_id,
> + mailto =3D> defined($mailto) ? $mailto : [],
> + 'mailto-user' =3D> defined($mailto_user) ? $mail= to_user : [],
> + 'from-address' =3D> $from_address,
> + author =3D> $author,
> + comment =3D> $comment,
> + disable =3D> $disable,
> + },
> + {
> + password =3D> $password,
> + 'oauth2-client-secret' =3D> $oauth2_client_secre= t,
> + },
> + $oauth2_refresh_token,
> $delete,
> $digest,
> );
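Review bot: In the update handler (hunk at -1197) the `if (!defined $auth_method)` fallback turns every request that omits both `auth-method` and `password` into `'auth-method' => 'none'`, so an update that only changes the comment, say, would appear to reset an endpoint configured for `plain` or an OAuth2 method to no authentication. Likewise `mailto => defined($mailto) ? $mailto : []` and the `mailto-user` line now send an empty list where the old call passed undef, which may clear the recipients on an unrelated update. Both effects assume `update_smtp_endpoint` treats a present key as a value to set, which is not visible from this hunk. For updates I would leave unset parameters undefined: `$auth_method = 'plain' if !defined($auth_method) && defined($password);`, `mailto => $mailto,` and `'mailto-user' => $mailto_user,`. The handler body starts and ends outside the hunk.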