[pmg-devel] [PATCH pmg-api v4 6/10] api: add/update/remove realms like in PVE
Stoiko Ivanov
s.ivanov at proxmox.com
Mon Feb 17 12:56:40 CET 2025
On Tue, 14 Jan 2025 10:30:06 +0100
Markus Frank <m.frank at proxmox.com> wrote:
> The name Authdomains.pm was chosen because a Domain.pm already exists.
why not call it Realm.pm? - would fit the authentication realm part, and
might lead to less confusion with the other use of 'domain' throughout PMG
(as in relay-domain etc.)
>
> Signed-off-by: Markus Frank <m.frank at proxmox.com>
> ---
> src/Makefile | 1 +
> src/PMG/API2/AccessControl.pm | 10 +-
> src/PMG/API2/Authdomains.pm | 274 ++++++++++++++++++++++++++++++++++
> 3 files changed, 284 insertions(+), 1 deletion(-)
> create mode 100644 src/PMG/API2/Authdomains.pm
>
> diff --git a/src/Makefile b/src/Makefile
> index 3ed0ea1..1dfe469 100644
> --- a/src/Makefile
> +++ b/src/Makefile
> @@ -151,6 +151,7 @@ LIBSOURCES = \
> PMG/API2/Postfix.pm \
> PMG/API2/Quarantine.pm \
> PMG/API2/AccessControl.pm \
> + PMG/API2/Authdomains.pm \
> PMG/API2/TFA.pm \
> PMG/API2/TFAConfig.pm \
> PMG/API2/ObjectGroupHelpers.pm \
> diff --git a/src/PMG/API2/AccessControl.pm b/src/PMG/API2/AccessControl.pm
> index e26ae70..dad679c 100644
> --- a/src/PMG/API2/AccessControl.pm
> +++ b/src/PMG/API2/AccessControl.pm
> @@ -12,6 +12,7 @@ use PVE::JSONSchema qw(get_standard_option);
> use PMG::Utils;
> use PMG::UserConfig;
> use PMG::AccessControl;
> +use PMG::API2::Authdomains;
> use PMG::API2::Users;
> use PMG::API2::TFA;
> use PMG::TFAConfig;
> @@ -30,6 +31,11 @@ __PACKAGE__->register_method ({
> path => 'tfa',
> });
>
> +__PACKAGE__->register_method ({
> + subclass => "PMG::API2::Authdomains",
> + path => 'domains',
... should then also be renamed to 'realms'
> +});
> +
> __PACKAGE__->register_method ({
> name => 'index',
> path => '',
> @@ -57,6 +63,7 @@ __PACKAGE__->register_method ({
>
> my $res = [
> { subdir => 'ticket' },
> + { subdir => 'domains' },
... here as well
> { subdir => 'password' },
> { subdir => 'users' },
> ];
> @@ -248,7 +255,8 @@ __PACKAGE__->register_method ({
>
> my $username = $param->{username};
>
> - if ($username !~ m/\@(pam|pmg|quarantine)$/) {
> + my $realm_regex = PMG::Utils::valid_pmg_realm_regex();
> + if ($username !~ m/\@(${realm_regex})$/) {
> my $realm = $param->{realm} // 'quarantine';
> $username .= "\@$realm";
> }
> diff --git a/src/PMG/API2/Authdomains.pm b/src/PMG/API2/Authdomains.pm
> new file mode 100644
> index 0000000..a93ca13
> --- /dev/null
> +++ b/src/PMG/API2/Authdomains.pm
> @@ -0,0 +1,274 @@
> +package PMG::API2::Authdomains;
.. the file and module name as well
> +
> +use strict;
> +use warnings;
> +
> +use PVE::Exception qw(raise_param_exc);
> +use PVE::INotify;
> +use PVE::JSONSchema qw(get_standard_option);
> +use PVE::RESTHandler;
> +use PVE::SafeSyslog;
> +use PVE::Tools qw(extract_param);
> +
> +use PMG::AccessControl;
> +use PMG::Auth::Plugin;
> +use PVE::Schema::Auth;
> +
> +my $domainconfigfile = "realms.cfg";
> +
> +use base qw(PVE::RESTHandler);
> +
> +__PACKAGE__->register_method ({
> + name => 'index',
> + path => '',
> + method => 'GET',
> + description => "Authentication domain index.",
> + permissions => {
> + description => "Anyone can access that, because we need that list for the login box (before the user is authenticated).",
> + user => 'world',
> + },
> + parameters => {
> + additionalProperties => 0,
> + properties => {},
> + },
> + returns => {
> + type => 'array',
> + items => {
> + type => "object",
> + properties => {
> + realm => { type => 'string' },
> + type => { type => 'string' },
> + tfa => {
> + description => "Two-factor authentication provider.",
> + type => 'string',
> + enum => [ 'yubico', 'oath' ],
> + optional => 1,
> + },
> + comment => {
> + description => "A comment. The GUI use this text when you select a domain (Realm) on the login window.",
> + type => 'string',
> + optional => 1,
> + },
> + },
> + },
> + links => [ { rel => 'child', href => "{realm}" } ],
> + },
> + code => sub {
> + my ($param) = @_;
> +
> + my $res = [];
> +
> + my $cfg = PVE::INotify::read_file($domainconfigfile);
> + my $ids = $cfg->{ids};
> +
> + for my $realm (keys %$ids) {
> + my $d = $ids->{$realm};
> + my $entry = { realm => $realm, type => $d->{type} };
> + $entry->{comment} = $d->{comment} if $d->{comment};
> + $entry->{default} = 1 if $d->{default};
> + if ($d->{tfa} && (my $tfa_cfg = PVE::Schema::Auth::parse_tfa_config($d->{tfa}))) {
> + $entry->{tfa} = $tfa_cfg->{type};
> + }
> + push @$res, $entry;
> + }
> +
> + return $res;
> + }});
> +
> +__PACKAGE__->register_method ({
> + name => 'create',
> + protected => 1,
> + path => '',
> + method => 'POST',
> + permissions => { check => [ 'admin' ] },
> + description => "Add an authentication server.",
> + parameters => PMG::Auth::Plugin->createSchema(0),
> + returns => { type => 'null' },
> + code => sub {
> + my ($param) = @_;
> +
> + # always extract, add it with hook
> + my $password = extract_param($param, 'password');
> +
> + PMG::Auth::Plugin::lock_domain_config(
> + sub {
> + my $cfg = PVE::INotify::read_file($domainconfigfile);
> + my $ids = $cfg->{ids};
> +
> + my $realm = extract_param($param, 'realm');
> + PMG::Auth::Plugin::pmg_verify_realm($realm);
> + my $type = $param->{type};
> + my $check_connection = extract_param($param, 'check-connection');
> +
> + die "domain '$realm' already exists\n"
> + if $ids->{$realm};
> +
> + die "unable to use reserved name '$realm'\n"
> + if ($realm eq 'pam' || $realm eq 'pmg');
> +
> + die "unable to create builtin type '$type'\n"
> + if ($type eq 'pam' || $type eq 'pmg');
> +
> + my $plugin = PMG::Auth::Plugin->lookup($type);
> + my $config = $plugin->check_config($realm, $param, 1, 1);
> +
> + if ($config->{default}) {
> + for my $r (keys %$ids) {
> + delete $ids->{$r}->{default};
> + }
> + }
> +
> + $ids->{$realm} = $config;
> +
> + my $opts = $plugin->options();
> + if (defined($password) && !defined($opts->{password})) {
> + $password = undef;
> + warn "ignoring password parameter";
> + }
> + $plugin->on_add_hook($realm, $config, password => $password);
> +
> + PVE::INotify::write_file($domainconfigfile, $cfg);
> + },
> + "add auth server failed",
> + );
> + return undef;
> + }});
> +
> +__PACKAGE__->register_method ({
> + name => 'update',
> + path => '{realm}',
> + method => 'PUT',
> + permissions => { check => [ 'admin' ] },
> + description => "Update authentication server settings.",
> + protected => 1,
> + parameters => PMG::Auth::Plugin->updateSchema(0),
> + returns => { type => 'null' },
> + code => sub {
> + my ($param) = @_;
> +
> + # always extract, update in hook
> + my $password = extract_param($param, 'password');
> +
> + PMG::Auth::Plugin::lock_domain_config(
> + sub {
> + my $cfg = PVE::INotify::read_file($domainconfigfile);
> + my $ids = $cfg->{ids};
> +
> + my $digest = extract_param($param, 'digest');
> + PVE::SectionConfig::assert_if_modified($cfg, $digest);
> +
> + my $realm = extract_param($param, 'realm');
> + my $type = $ids->{$realm}->{type};
> + my $check_connection = extract_param($param, 'check-connection');
> +
> + die "domain '$realm' does not exist\n"
> + if !$ids->{$realm};
> +
> + my $delete_str = extract_param($param, 'delete');
> + die "no options specified\n"
> + if !$delete_str && !scalar(keys %$param) && !defined($password);
> +
> + my $delete_pw = 0;
> + for my $opt (PVE::Tools::split_list($delete_str)) {
> + delete $ids->{$realm}->{$opt};
> + $delete_pw = 1 if $opt eq 'password';
> + }
> +
> + my $plugin = PMG::Auth::Plugin->lookup($type);
> + my $config = $plugin->check_config($realm, $param, 0, 1);
> +
> + if ($config->{default}) {
> + for my $r (keys %$ids) {
> + delete $ids->{$r}->{default};
> + }
> + }
> +
> + for my $p (keys %$config) {
> + $ids->{$realm}->{$p} = $config->{$p};
> + }
> +
> + my $opts = $plugin->options();
> + if ($delete_pw || defined($password)) {
> + $plugin->on_update_hook($realm, $config, password => $password);
> + } else {
> + $plugin->on_update_hook($realm, $config);
> + }
> +
> + PVE::INotify::write_file($domainconfigfile, $cfg);
> + },
> + "update auth server failed"
> + );
> + return undef;
> + }});
> +
> +# fixme: return format!
> +__PACKAGE__->register_method ({
> + name => 'read',
> + path => '{realm}',
> + method => 'GET',
> + description => "Get auth server configuration.",
> + permissions => { check => [ 'admin', 'qmanager', 'audit' ] },
> + parameters => {
> + additionalProperties => 0,
> + properties => {
> + realm => get_standard_option('realm'),
> + },
> + },
> + returns => {},
> + code => sub {
> + my ($param) = @_;
> +
> + my $cfg = PVE::INotify::read_file($domainconfigfile);
> +
> + my $realm = $param->{realm};
> +
> + my $data = $cfg->{ids}->{$realm};
> + die "domain '$realm' does not exist\n" if !$data;
> +
> + my $type = $data->{type};
> +
> + $data->{digest} = $cfg->{digest};
> +
> + return $data;
> + }});
> +
> +
> +__PACKAGE__->register_method ({
> + name => 'delete',
> + path => '{realm}',
> + method => 'DELETE',
> + permissions => { check => [ 'admin' ] },
> + description => "Delete an authentication server.",
> + protected => 1,
> + parameters => {
> + additionalProperties => 0,
> + properties => {
> + realm => get_standard_option('realm'),
> + }
> + },
> + returns => { type => 'null' },
> + code => sub {
> + my ($param) = @_;
> +
> + PMG::Auth::Plugin::lock_domain_config(
> + sub {
> + my $cfg = PVE::INotify::read_file($domainconfigfile);
> + my $ids = $cfg->{ids};
> + my $realm = $param->{realm};
> +
> + die "authentication domain '$realm' does not exist\n" if !$ids->{$realm};
> +
> + my $plugin = PMG::Auth::Plugin->lookup($ids->{$realm}->{type});
> +
> + $plugin->on_delete_hook($realm, $ids->{$realm});
> +
> + delete $ids->{$realm};
> +
> + PVE::INotify::write_file($domainconfigfile, $cfg);
> + },
> + "delete auth server failed",
> + );
> + return undef;
> + }});
> +
> +1;
More information about the pmg-devel
mailing list