[pve-devel] [PATCH pve-manager] ui: implement OpenId login

Fabian Grünbichler f.gruenbichler at proxmox.com
Tue Jun 29 10:13:03 CEST 2021


not directly related to this patch - we should probably disable TFA for 
openid realms (and their users), since TFA would need to be handled at 
the openid provider in that case.. e.g., if I login via openid and then 
hit TFA in the top right corner user menu, I get prompted for a password 
to setup TFA which is of course not possible ;)

On June 24, 2021 10:17 am, Dietmar Maurer wrote:
> ---
>  PVE/HTTPServer.pm                  |   4 +-
>  www/manager6/Utils.js              |   8 +++
>  www/manager6/window/LoginWindow.js | 105 ++++++++++++++++++++++++++++-
>  3 files changed, 114 insertions(+), 3 deletions(-)
> 
> diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm
> index 636b562b..dabdf7f3 100755
> --- a/PVE/HTTPServer.pm
> +++ b/PVE/HTTPServer.pm
> @@ -68,7 +68,9 @@ sub auth_handler {
>  
>      # explicitly allow some calls without auth
>      if (($rel_uri eq '/access/domains' && $method eq 'GET') ||
> -	($rel_uri eq '/access/ticket' && ($method eq 'GET' || $method eq 'POST'))) {
> +	($rel_uri eq '/access/ticket' && ($method eq 'GET' || $method eq 'POST')) ||
> +	($rel_uri eq '/access/openid/login' &&  $method eq 'POST') ||
> +	($rel_uri eq '/access/openid/auth-url' &&  $method eq 'POST')) {
>  	$require_auth = 0;
>      }
>  
> diff --git a/www/manager6/Utils.js b/www/manager6/Utils.js
> index 3415c9eb..c2d139f9 100644
> --- a/www/manager6/Utils.js
> +++ b/www/manager6/Utils.js
> @@ -1742,6 +1742,14 @@ Ext.define('PVE.Utils', {
>  
>  	return true;
>      },
> +
> +    openid_login_param: function() {
> +	let param = Ext.Object.fromQueryString(window.location.search);
> +	if (param.state !== undefined && param.code !== undefined) {
> +	    return param;
> +	}
> +	return undefined;
> +    },
>  },
>  
>      singleton: true,
> diff --git a/www/manager6/window/LoginWindow.js b/www/manager6/window/LoginWindow.js
> index 72078080..5d3d06b8 100644
> --- a/www/manager6/window/LoginWindow.js
> +++ b/www/manager6/window/LoginWindow.js
> @@ -2,6 +2,21 @@
>  Ext.define('PVE.window.LoginWindow', {
>      extend: 'Ext.window.Window',
>  
> +    viewModel: {
> +	data: {
> +	    openid: false,
> +	},
> +	formulas: {
> +	    button_text: function(get) {
> +		if (get("openid") === true) {
> +		    return gettext("Login (OpenID redirect)");
> +		} else {
> +		    return gettext("Login");
> +		}
> +	    },
> +	},
> +    },
> +
>      controller: {
>  
>  	xclass: 'Ext.app.ViewController',
> @@ -18,6 +33,33 @@ Ext.define('PVE.window.LoginWindow', {
>  		return;
>  	    }
>  
> +	    let redirect_url = location.origin;
> +	    let params = form.getValues();
> +
> +	    if (this.getViewModel().data.openid === true) {
> +		let realm = params.realm;
> +		Proxmox.Utils.API2Request({
> +		    url: '/api2/extjs/access/openid/auth-url',
> +		    params: {
> +			realm: realm,
> +			"redirect-url": redirect_url,
> +		    },
> +		    method: 'POST',
> +		    success: function(resp, opts) {
> +			window.location = resp.result.data;
> +		    },
> +		    failure: function(resp, opts) {
> +			Proxmox.Utils.authClear();
> +			form.unmask();
> +			Ext.MessageBox.alert(
> +			    gettext('Error'),
> +			    gettext('OpenId redirect failed. Please try again<br>Error: ' + resp.htmlStatus),
> +			);
> +		    },
> +		});
> +		return;
> +	    }
> +
>  	    view.el.mask(gettext('Please wait...'), 'x-mask-loading');
>  
>  	    // set or clear username
> @@ -162,11 +204,21 @@ Ext.define('PVE.window.LoginWindow', {
>  		    window.location.reload();
>  		},
>  	    },
> -            'button[reference=loginButton]': {
> +	    'field[name=realm]': {
> +		change: function(f, value) {
> +		    let record = f.store.getById(value);
> +		    if (record === undefined) return;
> +		    let data = record.data;
> +		    this.getViewModel().set("openid", data.type === "openid");
> +		},
> +	    },
> +           'button[reference=loginButton]': {
>  		click: 'onLogon',
>              },
>  	    '#': {
>  		show: function() {
> +		    var me = this;
> +
>  		    var sp = Ext.state.Manager.getProvider();
>  		    var checkboxField = this.lookupReference('saveunField');
>  		    var unField = this.lookupReference('usernameField');
> @@ -180,6 +232,42 @@ Ext.define('PVE.window.LoginWindow', {
>  			var pwField = this.lookupReference('passwordField');
>  			pwField.focus();
>  		    }
> +
> +		    let param = PVE.Utils.openid_login_param();
> +		    if (param !== undefined) {
> +			Proxmox.Utils.authClear();
> +
> +			let loginForm = this.lookupReference('loginForm');
> +			loginForm.mask(gettext('OpenID login - please wait...'), 'x-mask-loading');
> +
> +			let redirect_url = location.origin;
> +
> +			Proxmox.Utils.API2Request({
> +			    url: '/api2/extjs/access/openid/login',
> +			    params: {
> +				state: param.state,
> +				code: param.code,
> +				"redirect-url": redirect_url,
> +			    },
> +			    method: 'POST',
> +			    failure: function(response) {
> +				loginForm.unmask();
> +				Ext.MessageBox.alert(
> +				    gettext('Error'),
> +				    gettext('Login failed. Please try again<br>Error: ' + response.htmlStatus),
> +				    function() {
> +					window.location = redirect_url;
> +				    },
> +				);
> +			    },
> +			    success: function(response, options) {
> +				loginForm.unmask();
> +				let data = response.result.data;
> +				history.replaceState(null, '', redirect_url);
> +				me.success(data);
> +			    },
> +			});
> +		    }
>  		},
>  	    },
>  	},
> @@ -217,6 +305,10 @@ Ext.define('PVE.window.LoginWindow', {
>  		itemId: 'usernameField',
>  		reference: 'usernameField',
>  		stateId: 'login-username',
> +		bind: {
> +		    visible: "{!openid}",
> +		    disabled: "{openid}",
> +		},
>  	    },
>  	    {
>  		xtype: 'textfield',
> @@ -224,6 +316,10 @@ Ext.define('PVE.window.LoginWindow', {
>  		fieldLabel: gettext('Password'),
>  		name: 'password',
>  		reference: 'passwordField',
> +		bind: {
> +		    visible: "{!openid}",
> +		    disabled: "{openid}",
> +		},
>  	    },
>  	    {
>  		xtype: 'pmxRealmComboBox',
> @@ -248,9 +344,14 @@ Ext.define('PVE.window.LoginWindow', {
>  		labelWidth: 250,
>  		labelAlign: 'right',
>  		submitValue: false,
> +		bind: {
> +		    visible: "{!openid}",
> +		},
>  	    },
>  	    {
> -		text: gettext('Login'),
> +		bind: {
> +		    text: "{button_text}",
> +		},
>  		reference: 'loginButton',
>  	    },
>  	],
> -- 
> 2.30.2
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel at lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 
> 
> 





More information about the pve-devel mailing list