[pve-devel] [PATCH container] [PATCH pve-manager] SSO feature: login with SAMLv2

Julien BLAIS webmaster at jbsky.fr
Thu May 27 23:55:14 CEST 2021


Part that adds SAML authentication support
Adds the rule that the endpoint /access/saml does not require authentication

Signed-off-by: Julien BLAIS <webmaster at jbsky.fr>
---
 PVE/HTTPServer.pm               |  3 +-
 www/manager6/Makefile           |  1 +
 www/manager6/Utils.js           |  5 +++
 www/manager6/dc/AuthEditSAML.js | 65 +++++++++++++++++++++++++++++++++
 4 files changed, 73 insertions(+), 1 deletion(-)
 create mode 100644 www/manager6/dc/AuthEditSAML.js

diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm
index 636b562b..3e64943a 100755
--- a/PVE/HTTPServer.pm
+++ b/PVE/HTTPServer.pm
@@ -68,7 +68,8 @@ sub auth_handler {
 
     # explicitly allow some calls without auth
     if (($rel_uri eq '/access/domains' && $method eq 'GET') ||
-	($rel_uri eq '/access/ticket' && ($method eq 'GET' || $method eq 'POST'))) {
+	($rel_uri eq '/access/ticket' && ($method eq 'GET' || $method eq 'POST')) ||
+	($rel_uri eq '/access/saml' && $method eq 'GET' )) {
 	$require_auth = 0;
     }
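Review bot: The new allow-list entry on the `$rel_uri eq '/access/saml'` line exempts only GET, and the patch does not show what the handler behind that route does; if this is also the endpoint the IdP sends the SAML response back to (the HTTP-POST binding is the common case for an assertion consumer), those POST requests would still be rejected for lacking a ticket, so the method set should be confirmed against the API side. Every entry in this list is reachable without a ticket, so a short comment saying why this one is exempt would help the next reader, e.g. `# /access/saml: SAML SP endpoint, reached before the user holds a ticket`. The handler behind an unauthenticated route has to treat every parameter as untrusted and keep its own strict validation, as the other exempt routes in this list presumably do. The stray space in `$method eq 'GET' )` should also be dropped to match the neighbouring conditions. The enclosing auth_handler continues outside the hunk.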
 
diff --git a/www/manager6/Makefile b/www/manager6/Makefile
index 506b5a4e..fc89215e 100644
--- a/www/manager6/Makefile
+++ b/www/manager6/Makefile
@@ -119,6 +119,7 @@ JSSRC= 							\
 	dc/AuthEditBase.js				\
 	dc/AuthEditAD.js				\
 	dc/AuthEditLDAP.js				\
+	dc/AuthEditSAML.js				\
 	dc/AuthView.js					\
 	dc/Backup.js					\
 	dc/Cluster.js					\
diff --git a/www/manager6/Utils.js b/www/manager6/Utils.js
index d9567979..600b81e9 100644
--- a/www/manager6/Utils.js
+++ b/www/manager6/Utils.js
@@ -740,6 +740,11 @@ Ext.define('PVE.Utils', {
 	    syncipanel: 'pveAuthLDAPSyncPanel',
 	    add: true,
 	},
+	saml: {
+	    name: gettext('SAMLv2'),
+	    ipanel: 'pveAuthSAMLPanel',
+	    add: true,
+	},
 	pam: {
 	    name: 'Linux PAM',
 	    ipanel: 'pveAuthBasePanel',
diff --git a/www/manager6/dc/AuthEditSAML.js b/www/manager6/dc/AuthEditSAML.js
new file mode 100644
index 00000000..3794bccd
--- /dev/null
+++ b/www/manager6/dc/AuthEditSAML.js
@@ -0,0 +1,65 @@
+Ext.define('PVE.panel.SAMLInputPanel', {
+    extend: 'PVE.panel.AuthBase',
+    xtype: 'pveAuthSAMLPanel',
+
+    initComponent: function() {
+	let me = this;
+
+	if (me.type !== 'saml') {
+	    throw 'invalid type';
+	}
+
+	me.column1 = [
+	    {
+		xtype: 'textfield',
+		name: 'Identity_Provider_Entity_ID',
+		fieldLabel: gettext('IdP Entity ID'),
+		emptyText: '',
+		allowBlank: false,
+	    },
+	    {
+		xtype: 'textfield',
+		name: 'Identity_Provider_Url_Metadata',
+		emptyText: '',
+		fieldLabel: gettext('IdP Url Metadata'),
+		allowBlank: true,
+	    },
+	    {
+		name: 'Identity_Provider_x509_CA_Certificate',
+		emptyText: '',
+		fieldLabel: gettext('IdP x509 CA Certificate'),
+		allowBlank: true,
+		xtype: 'textarea',
+	    },
+	];
+
+	me.column2 = [
+	    {
+		xtype: 'textfield',
+		fieldLabel: gettext('SP Entity ID'),
+		allowBlank: false,
+		name: 'Service_Provider_Entity_ID',
+	    },
+	    {
+		xtype: 'textarea',
+		fieldLabel: gettext('SP Private key'),
+		allowBlank: true,
+		name: 'Service_Provider_Private_Key',
+	    }
+	];
+
+	me.callParent();
+    },
+    onGetValues: function(values) {
+	let me = this;
+
+	if (!values.verify) {
+	    if (!me.isCreate) {
+		Proxmox.Utils.assemble_field_data(values, { 'delete': 'verify' });
+	    }
+	    delete values.verify;
+	}
+
+	return me.callParent([values]);
+    },
+});
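Review bot: `onGetValues` handles a `values.verify` field, but neither `me.column1` nor `me.column2` defines a field named `verify`, so on edit `values.verify` is always undefined and the override unconditionally appends `delete: 'verify'` to the request; this looks carried over from another realm panel and should either be removed entirely (the inherited `onGetValues` then suffices) or be accompanied by the missing checkbox. `throw 'invalid type';` throws a bare string, which loses the stack trace; `throw new Error('invalid type');` is preferable unless the sibling panels deliberately share the string form. The object literal for `Service_Provider_Private_Key` lacks the trailing comma that every other literal in the file carries. Since `Service_Provider_Private_Key` is key material, it is worth confirming that the edit path does not echo the stored key back into the textarea from the realm's GET response.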
-- 
2.20.1




