From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
	by lore.proxmox.com (Postfix) with ESMTPS id 871F61FF165
	for <inbox@lore.proxmox.com>; Wed, 12 Feb 2025 15:51:47 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 8A85618A43;
	Wed, 12 Feb 2025 15:51:43 +0100 (CET)
Message-ID: <f3732723-d617-47a9-a7be-652f0893b6ed@proxmox.com>
Date: Wed, 12 Feb 2025 15:51:39 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: pve-devel@lists.proxmox.com
References: <20250211054029.1269099-1-thomas@atskinner.net>
 <20250211054029.1269099-4-thomas@atskinner.net>
Content-Language: en-US
From: Mira Limbeck <m.limbeck@proxmox.com>
In-Reply-To: <20250211054029.1269099-4-thomas@atskinner.net>
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.330 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
Subject: Re: [pve-devel] [PATCH access-control v3 1/1] fix #4411: openid:
 add logic for openid groups support
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
Reply-To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pve-devel-bounces@lists.proxmox.com
Sender: "pve-devel" <pve-devel-bounces@lists.proxmox.com>

On 2/11/25 06:40, Thomas Skinner wrote:
> Signed-off-by: Thomas Skinner <thomas@atskinner.net>
> ---
>  src/PVE/API2/OpenId.pm   | 79 ++++++++++++++++++++++++++++++++++++++++
>  src/PVE/AccessControl.pm |  2 +-
>  src/PVE/Auth/OpenId.pm   | 33 +++++++++++++++++
>  src/PVE/Auth/Plugin.pm   |  1 +
>  4 files changed, 114 insertions(+), 1 deletion(-)
> 
> diff --git a/src/PVE/API2/OpenId.pm b/src/PVE/API2/OpenId.pm
> index 77410e6..818175e 100644
> --- a/src/PVE/API2/OpenId.pm
> +++ b/src/PVE/API2/OpenId.pm
> @@ -13,6 +13,7 @@ use PVE::Cluster qw(cfs_read_file cfs_write_file);
>  use PVE::AccessControl;
>  use PVE::JSONSchema qw(get_standard_option);
>  use PVE::Auth::Plugin;
> +use PVE::Auth::OpenId;
>  
>  use PVE::RESTHandler;
>  
> @@ -220,6 +221,84 @@ __PACKAGE__->register_method ({
>  		$rpcenv->check_user_enabled($username);
>  	    }
>  
> +	    if (defined(my $groups_claim = $config->{'groups-claim'})) {
> +		if (defined(my $groups_list = $info->{$groups_claim})) {
> +		    if (ref($groups_list) eq 'ARRAY') {
> +			PVE::AccessControl::lock_user_config(sub {
> +			    my $usercfg = cfs_read_file("user.cfg");
> +
> +			    # replace any invalid characters with
> +			    my $replace_character = $config->{'groups-replace-character'} // '_';
> +			    my $oidc_groups = { map { 
> +				$_ =~ s/[^$PVE::Auth::Plugin::groupname_regex_chars]/$replace_character/gr => 1
> +			    } $groups_list->@* };
maybe we could log any of those replacements here? doing this silently
may lead to confusion when groups don't match

> +
> +			    # add realm name as suffix to group
> +			    my $suffixed_oidc_groups;
> +			    for my $group (keys %$oidc_groups) {
> +				$suffixed_oidc_groups->{"$group-$realm"} = 1;
> +			    }
> +			    $oidc_groups = $suffixed_oidc_groups;
> +			    
> +			    # get groups that exist in OIDC and PVE
> +			    my $groups_intersect;
> +			    for my $group (keys %$oidc_groups) {
> +				$groups_intersect->{$group} = 1 if $usercfg->{groups}->{$group};
> +			    }
> +
> +			    if ($config->{'groups-autocreate'}) {
> +                                # populate all groups in claim
> +                                $groups_intersect = $oidc_groups;
> +				my $groups_to_create;
> +				for my $group (keys %$oidc_groups) {
> +                                    $groups_to_create->{$group} = 1 if !$usercfg->{groups}->{$group};
> +			    	}
> +				if ($groups_to_create) {
> +				    # log a messages about created groups here
> +				    my $groups_to_create_string = join(', ', sort keys %$groups_to_create);
> +				    syslog(
> +					'info', 
> +					"groups created automatically from openid claim: $groups_to_create_string"
> +				    );
> +				}
> +                            }
> +
> +			    # if groups should be overwritten, delete all the users groups first
> +			    if ( $config->{'groups-overwrite'} ) {
> +				PVE::AccessControl::delete_user_group(
> +				    $username, 
> +				    $usercfg, 
> +				);
> +				syslog(
> +				    'info', 
> +				    "openid overwrite groups enabled; user '$username' removed from all groups"
> +			    	);
> +			    }
> +			    
> +			    # ensure user is a member of the groups
> +			    for my $group (keys %$groups_intersect) {
> +				PVE::AccessControl::add_user_group(
> +				    $username,
> +				    $usercfg,
> +				    $group
> +				);
> +			    }
> +			    my $groups_intersect_string = join(', ', sort keys %$groups_intersect);
> +			    syslog(
> +				'info', 
> +				"openid user '$username' added to groups: $groups_intersect_string"
> +			    );
> +
> +			    cfs_write_file("user.cfg", $usercfg);
> +			}, "openid group mapping failed");
> +		    } else {
> +			syslog('err', "openid groups list is not an array; groups will not be updated");
> +		    }
> +		} else {
> +		    syslog('err', "openid groups claim '$groups_claim' is not found in claims");
> +		}
> +	    }
> +
>  	    my $ticket = PVE::AccessControl::assemble_ticket($username);
>  	    my $csrftoken = PVE::AccessControl::assemble_csrf_prevention_token($username);
>  	    my $cap = $rpcenv->compute_api_permission($username);
> diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
> index 47f2d38..7493c57 100644
> --- a/src/PVE/AccessControl.pm
> +++ b/src/PVE/AccessControl.pm
> @@ -1293,7 +1293,7 @@ PVE::JSONSchema::register_format('pve-groupid', \&verify_groupname);
>  sub verify_groupname {
>      my ($groupname, $noerr) = @_;
>  
> -    if ($groupname !~ m/^[A-Za-z0-9\.\-_]+$/) {
> +    if ($groupname !~ m/^[$PVE::Auth::Plugin::groupname_regex_chars]+$/) {
>  
>  	die "group name '$groupname' contains invalid characters\n" if !$noerr;
>  
> diff --git a/src/PVE/Auth/OpenId.pm b/src/PVE/Auth/OpenId.pm
> index c8e4db9..fd1cd6f 100755
> --- a/src/PVE/Auth/OpenId.pm
> +++ b/src/PVE/Auth/OpenId.pm
> @@ -9,6 +9,9 @@ use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file
>  
>  use base qw(PVE::Auth::Plugin);
>  
> +# include all printable ascii characters
> +my $openid_claim_regex = qr/[ -~]+/;
> +
>  sub type {
>      return 'openid';
>  }
> @@ -42,6 +45,32 @@ sub properties {
>  	    type => 'string',
>  	    optional => 1,
>  	},
> +	"groups-claim" => {
> +	    description => "OpenID claim used to retrieve groups with.",
> +	    type => 'string',
> +	    pattern => $openid_claim_regex,
> +	    maxLength => 256,
> +	    optional => 1,
> +	},
> +	"groups-autocreate" => {
> +	    description => "Automatically create groups if they do not exist.",
> +	    optional => 1,
> +	    type => 'boolean',
> +	    default => 0,
> +	},
> +	"groups-overwrite" => {
> +	    description => "All groups will be overwritten for the user on login.",
> +	    type => 'boolean',
> +	    default => 0,
> +	    optional => 1,
> +	},
> +	"groups-replace-character" => {
> +	    description => "Character used to replace any invalid characters in groups from provider.",
> +	    type => 'string',
> +	    pattern => qr/^[$PVE::Auth::Plugin::groupname_regex_chars]$/,
> +	    default => '_',
> +	    optional => 1,
> +	},
>  	prompt => {
>  	    description => "Specifies whether the Authorization Server prompts the End-User for"
>  	        ." reauthentication and consent.",
> @@ -73,6 +102,10 @@ sub options {
>  	"client-key" => { optional => 1 },
>  	autocreate => { optional => 1 },
>  	"username-claim" => { optional => 1, fixed => 1 },
> +	"groups-claim" => { optional => 1 },
> +	"groups-autocreate" => { optional => 1 },
> +	"groups-overwrite" => { optional => 1 },
> +	"groups-replace-character" => { optional => 1},
>  	prompt => { optional => 1 },
>  	scopes => { optional => 1 },
>  	"acr-values" => { optional => 1 },
> diff --git a/src/PVE/Auth/Plugin.pm b/src/PVE/Auth/Plugin.pm
> index 763239f..7617044 100755
> --- a/src/PVE/Auth/Plugin.pm
> +++ b/src/PVE/Auth/Plugin.pm
> @@ -31,6 +31,7 @@ sub lock_domain_config {
>  
>  our $realm_regex = qr/[A-Za-z][A-Za-z0-9\.\-_]+/;
>  our $user_regex = qr![^\s:/]+!;
> +our $groupname_regex_chars = qr/A-Za-z0-9\.\-_/;
>  
>  PVE::JSONSchema::register_format('pve-realm', \&pve_verify_realm);
>  sub pve_verify_realm {



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel