[pve-devel] [PATCH container] [PATCH pve-manager] SSO feature: login with SAMLv2
Julien BLAIS
webmaster at jbsky.fr
Thu May 27 23:55:14 CEST 2021
Part that allows adding SAML authentication
Adding the rule that the endpoint /access/saml does not need authentication
Signed-off-by: Julien BLAIS <webmaster at jbsky.fr>
---
PVE/HTTPServer.pm | 3 +-
www/manager6/Makefile | 1 +
www/manager6/Utils.js | 5 +++
www/manager6/dc/AuthEditSAML.js | 65 +++++++++++++++++++++++++++++++++
4 files changed, 73 insertions(+), 1 deletion(-)
create mode 100644 www/manager6/dc/AuthEditSAML.js
diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm
index 636b562b..3e64943a 100755
--- a/PVE/HTTPServer.pm
+++ b/PVE/HTTPServer.pm
@@ -68,7 +68,8 @@ sub auth_handler {
# explicitly allow some calls without auth
if (($rel_uri eq '/access/domains' && $method eq 'GET') ||
- ($rel_uri eq '/access/ticket' && ($method eq 'GET' || $method eq 'POST'))) {
+ ($rel_uri eq '/access/ticket' && ($method eq 'GET' || $method eq 'POST')) ||
+ ($rel_uri eq '/access/saml' && $method eq 'GET' )) {
$require_auth = 0;
}
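Review bot: The new branch `($rel_uri eq '/access/saml' && $method eq 'GET' )` exempts only GET from authentication, yet a SAML HTTP-POST binding delivers the IdP response to the service provider by POST; if that is how the /access/saml handler is meant to receive responses (the handler is not part of this patch), the POST would still be rejected before reaching the SAML code, so this is worth confirming against the server-side endpoint. Because this line makes /access/saml reachable by unauthenticated clients, a comment above the condition stating that the handler must itself fully validate the response (signature, audience, validity window) before issuing a ticket would help future readers, e.g. `# /access/saml is reached pre-auth: the handler must validate the SAML response itself`. The stray space in `'GET' )` should also be dropped. auth_handler starts before this hunk.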
diff --git a/www/manager6/Makefile b/www/manager6/Makefile
index 506b5a4e..fc89215e 100644
--- a/www/manager6/Makefile
+++ b/www/manager6/Makefile
@@ -119,6 +119,7 @@ JSSRC= \
dc/AuthEditBase.js \
dc/AuthEditAD.js \
dc/AuthEditLDAP.js \
+ dc/AuthEditSAML.js \
dc/AuthView.js \
dc/Backup.js \
dc/Cluster.js \
diff --git a/www/manager6/Utils.js b/www/manager6/Utils.js
index d9567979..600b81e9 100644
--- a/www/manager6/Utils.js
+++ b/www/manager6/Utils.js
@@ -740,6 +740,11 @@ Ext.define('PVE.Utils', {
syncipanel: 'pveAuthLDAPSyncPanel',
add: true,
},
+ saml: {
+ name: gettext('SAMLv2'),
+ ipanel: 'pveAuthSAMLPanel',
+ add: true,
+ },
pam: {
name: 'Linux PAM',
ipanel: 'pveAuthBasePanel',
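Review bot: `name: gettext('SAMLv2')` wraps a protocol name in a translation call, whereas the `pam` sibling below uses a plain `'Linux PAM'`; unless the other entries outside the hunk also use gettext for protocol names, `name: 'SAMLv2'` would be the consistent form. The enclosing object literal starts before this hunk.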
diff --git a/www/manager6/dc/AuthEditSAML.js b/www/manager6/dc/AuthEditSAML.js
new file mode 100644
index 00000000..3794bccd
--- /dev/null
+++ b/www/manager6/dc/AuthEditSAML.js
@@ -0,0 +1,65 @@
+Ext.define('PVE.panel.SAMLInputPanel', {
+ extend: 'PVE.panel.AuthBase',
+ xtype: 'pveAuthSAMLPanel',
+
+ initComponent: function() {
+ let me = this;
+
+ if (me.type !== 'saml') {
+ throw 'invalid type';
+ }
+
+ me.column1 = [
+ {
+ xtype: 'textfield',
+ name: 'Identity_Provider_Entity_ID',
+ fieldLabel: gettext('IdP Entity ID'),
+ emptyText: '',
+ allowBlank: false,
+ },
+ {
+ xtype: 'textfield',
+ name: 'Identity_Provider_Url_Metadata',
+ emptyText: '',
+ fieldLabel: gettext('IdP Url Metadata'),
+ allowBlank: true,
+ },
+ {
+ name: 'Identity_Provider_x509_CA_Certificate',
+ emptyText: '',
+ fieldLabel: gettext('IdP x509 CA Certificate'),
+ allowBlank: true,
+ xtype: 'textarea',
+ },
+ ];
+
+ me.column2 = [
+ {
+ xtype: 'textfield',
+ fieldLabel: gettext('SP Entity ID'),
+ allowBlank: false,
+ name: 'Service_Provider_Entity_ID',
+ },
+ {
+ xtype: 'textarea',
+ fieldLabel: gettext('SP Private key'),
+ allowBlank: true,
+ name: 'Service_Provider_Private_Key',
+ }
+ ];
+
+ me.callParent();
+ },
+ onGetValues: function(values) {
+ let me = this;
+
+ if (!values.verify) {
+ if (!me.isCreate) {
+ Proxmox.Utils.assemble_field_data(values, { 'delete': 'verify' });
+ }
+ delete values.verify;
+ }
+
+ return me.callParent([values]);
+ },
+});
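Review bot: `onGetValues` tests `values.verify`, but neither `column1` nor `column2` defines a field named `verify`, so on edit the panel always sends `delete: 'verify'` for a property no SAML field sets and the branch is a no-op on create; either add the checkbox this override appears to have been copied for, or remove the override so the base class handles the values. The `Service_Provider_Private_Key` textarea is submitted as an ordinary form value; a comment should state whether the server returns the key on load, since an edit dialog that pre-fills a private key into a visible textarea is worth avoiding — to be confirmed against the API schema, which is not in this patch. As style points, the `Service_Provider_Private_Key` object lacks the trailing comma its sibling entries use, and `throw 'invalid type'` throws a string rather than an `Error`.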
--
2.20.1