[pbs-devel] [PATCH pve-access-control] openid: support scopes, prompt, ACRs and arbitrary username-claim values

Dietmar Maurer dietmar at proxmox.com
Fri Aug 6 13:57:39 CEST 2021 

Depend on libpve-rs-perl (>= 0.3.0)
---
 debian/control         |  4 ++--
 src/PVE/API2/OpenId.pm | 30 ++++++++++++++++++---------
 src/PVE/Auth/OpenId.pm | 47 +++++++++++++++++++++++++++++++++++++++---
 3 files changed, 66 insertions(+), 15 deletions(-)

diff --git a/debian/control b/debian/control
index 3ef748b..3323d9b 100644
--- a/debian/control
+++ b/debian/control
@@ -10,7 +10,7 @@ Build-Depends: debhelper (>= 12~),
                lintian,
                perl,
                libpve-cluster-perl,
-	       libpve-rs-perl,
+	       libpve-rs-perl (>= 0.3.0),
                pve-cluster (>= 6.1-4),
                pve-doc-generator (>= 5.3-3),
 Standards-Version: 4.5.1
@@ -28,7 +28,7 @@ Depends: libauthen-pam-perl,
          libnet-ssleay-perl,
          libpve-common-perl (>= 6.0-18),
          libpve-cluster-perl,
-	 libpve-rs-perl,
+	 libpve-rs-perl (>= 0.3.0),
          libpve-u2f-server-perl (>= 1.0-2),
          libuuid-perl,
          pve-cluster (>= 6.1-4),
diff --git a/src/PVE/API2/OpenId.pm b/src/PVE/API2/OpenId.pm
index 22423ba..0357b65 100644
--- a/src/PVE/API2/OpenId.pm
+++ b/src/PVE/API2/OpenId.pm
@@ -35,8 +35,21 @@ my $lookup_openid_auth = sub {
 	issuer_url => $config->{'issuer-url'},
 	client_id => $config->{'client-id'},
 	client_key => $config->{'client-key'},
+	prompt => $config->{'prompt'},
     };
 
+    if (defined(my $value = $config->{'scopes'})) {
+	my $scopes = [PVE::Tools::split_list($value)];
+	$openid_config->{'scopes'} = $scopes;
+    } else {
+	$openid_config->{'scopes'} = ['email', 'profile'];
+    }
+
+    if (defined(my $value = $config->{'acr-values'})) {
+	my $list = [PVE::Tools::split_list($value)];
+	$openid_config->{'acr_values'} = $list;
+    }
+
     my $openid = PVE::RS::OpenId->discover($openid_config, $redirect_url);
     return ($config, $openid);
 };
@@ -163,18 +176,15 @@ __PACKAGE__->register_method ({
 
 	    my $unique_name = $subject; # default
 	    if (defined(my $user_attr = $config->{'username-claim'})) {
-		if ($user_attr eq 'subject') {
+
+		if (defined(my $value = $info->{$user_attr})) {
+		    $unique_name = $value;
+		} elsif ($user_attr == 'subject') {
 		    $unique_name = $subject;
-		} elsif ($user_attr eq 'username') {
-		    my $username = $info->{'preferred_username'};
-		    die "missing claim 'preferred_username'\n" if !defined($username);
-		    $unique_name =  $username;
-		} elsif ($user_attr eq 'email') {
-		    my $email = $info->{'email'};
-		    die "missing claim 'email'\n" if !defined($email);
-		    $unique_name = $email;
+		} elsif ($user_attr == 'username' && defined(my $name = $info->{'preferred_username'})) {
+		    $unique_name = $name;
 		} else {
-		    die "got unexpected value for 'username-claim': '${user_attr}'\n";
+		    die "mising claim '${user_attr}'\n";
 		}
 	    }
 
diff --git a/src/PVE/Auth/OpenId.pm b/src/PVE/Auth/OpenId.pm
index 515d2f4..0c82aeb 100755
--- a/src/PVE/Auth/OpenId.pm
+++ b/src/PVE/Auth/OpenId.pm
@@ -6,9 +6,30 @@ use warnings;
 use PVE::Tools;
 use PVE::Auth::Plugin;
 use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file);
+use PVE::JSONSchema qw(get_standard_option register_standard_option);
 
 use base qw(PVE::Auth::Plugin);
 
+PVE::JSONSchema::register_format('openid-simple-name', \&verify_openid_simple_name);
+sub verify_openid_simple_name {
+    my ($name, $noerr) = @_;
+
+    if ($name !~ m/^[A-Za-z0-9\.\-_]+$/) {
+
+	die "OpenId name '$name' contains invalid characters\n" if !$noerr;
+
+	return undef;
+    }
+
+    return $name;
+}
+
+register_standard_option('openid-scope', {
+    description => 'OpenID scope',
+    type => 'string',
+    format => 'openid-simple-name',
+});
+
 sub type {
     return 'openid';
 }
@@ -30,8 +51,25 @@ sub properties {
 	    type => 'string',
 	    optional => 1,
 	    maxLength => 256,
-       },
-       autocreate => {
+	},
+	scopes => {
+	    description => 'List of OpenID scopes',
+	    type => 'string', format => 'openid-simple-name-list',
+	    optional => 1,
+	    default => 'email, profile',
+	},
+        "acr-values" => {
+	    description => 'List of OpenID ACRs.',
+	    type => 'string', format => 'openid-simple-name-list',
+	    optional => 1,
+        },
+	prompt => {
+            description => "OpenID Prompt settings.",
+	    type => 'string',
+	    format => 'openid-simple-name',
+	    optional => 1,
+        },
+	autocreate => {
 	   description => "Automatically create users if they do not exist.",
 	   optional => 1,
 	   type => 'boolean',
@@ -40,7 +78,7 @@ sub properties {
        "username-claim" => {
 	   description => "OpenID claim used to generate the unique username.",
 	   type => 'string',
-	   enum => ['subject', 'username', 'email'],
+	   format => 'openid-simple-name',
 	   optional => 1,
        },
    };
@@ -53,6 +91,9 @@ sub options {
 	 "client-key" => { optional => 1 },
 	 autocreate => { optional => 1 },
 	 "username-claim" => { optional => 1, fixed => 1 },
+	 scopes => { optional => 1 },
+	 prompt => { optional => 1 },
+	 "acr-values" => { optional => 1 },
 	 default => { optional => 1 },
 	 comment => { optional => 1 },
     };
-- 
2.30.2

More information about the pbs-devel mailing list