On 3/27/25 02:50, Thomas Skinner wrote:
> Signed-off-by: Thomas Skinner <tho...@atskinner.net>
> ---
> src/PVE/API2/OpenId.pm | 83 ++++++++++++++++++++++++++++++++++++++++
> src/PVE/AccessControl.pm | 2 +-
> src/PVE/Auth/OpenId.pm | 25 ++++++++++++
> src/PVE/Auth/Plugin.pm | 1 +
> 4 files changed, 110 insertions(+), 1 deletion(-)
>
> diff --git a/src/PVE/API2/OpenId.pm b/src/PVE/API2/OpenId.pm
> index 77410e6..baa4dbc 100644
> --- a/src/PVE/API2/OpenId.pm
> +++ b/src/PVE/API2/OpenId.pm
> @@ -13,6 +13,7 @@ use PVE::Cluster qw(cfs_read_file cfs_write_file);
> use PVE::AccessControl;
> use PVE::JSONSchema qw(get_standard_option);
> use PVE::Auth::Plugin;
> +use PVE::Auth::OpenId;
>
> use PVE::RESTHandler;
>
> @@ -220,6 +221,88 @@ __PACKAGE__->register_method ({
> $rpcenv->check_user_enabled($username);
> }
>
> + if (defined(my $groups_claim = $config->{'groups-claim'})) {
> + if (defined(my $groups_list = $info->{$groups_claim})) {
> + if (ref($groups_list) eq 'ARRAY') {
> + PVE::AccessControl::lock_user_config(sub {
> + my $usercfg = cfs_read_file("user.cfg");
> +
> + my $oidc_groups;
> + for my $group (@$groups_list) {
> + if
> (PVE::AccessControl::verify_groupname($group, 1)) {
> + # add realm name as suffix to group
> + $oidc_groups->{"$group-$realm"} = 1;
> + } else {
> + # ignore any groups in the list that have
> invalid characters
> + syslog(
> + 'warn',
trailing whitespace
> + "openid group '$group' contains invalid
> characters"
> + );
> + }
> + }
> +
trailing whitespace
> + # get groups that exist in OIDC and PVE
> + my $groups_intersect;
> + for my $group (keys %$oidc_groups) {
> + $groups_intersect->{$group} = 1 if
> $usercfg->{groups}->{$group};
> + }
> +
> + if ($config->{'groups-autocreate'}) {
> + # populate all groups in claim
> + $groups_intersect = $oidc_groups;
both lines above have wrong indentation (space only)
> + my $groups_to_create;
> + for my $group (keys %$oidc_groups) {
> + $groups_to_create->{$group} = 1 if
> !$usercfg->{groups}->{$group};
> + }
wrong combination of tabs and spaces, tabs - spaces - tab
> + if ($groups_to_create) {
> + # log a messages about created groups here
> + my $groups_to_create_string = join(', ',
> sort keys %$groups_to_create);
> + syslog(
> + 'info',
> + "groups created automatically from
> openid claim: $groups_to_create_string"
> + );
> + }
> + }
> +
> + # if groups should be overwritten, delete all the
> users groups first
> + if ( $config->{'groups-overwrite'} ) {
> + PVE::AccessControl::delete_user_group(
> + $username,
> + $usercfg,
> + );
> + syslog(
> + 'info',
> + "openid overwrite groups enabled; user
> '$username' removed from all groups"
> + );
> + }
> +
> + if (keys %$groups_intersect) {
> + # ensure user is a member of the groups
> + for my $group (keys %$groups_intersect) {
> + PVE::AccessControl::add_user_group(
> + $username,
> + $usercfg,
> + $group
> + );
> + }
> +
> + my $groups_intersect_string = join(', ', sort
> keys %$groups_intersect);
> + syslog(
> + 'info',
> + "openid user '$username' added to groups:
> $groups_intersect_string"
> + );
> + }
> +
> + cfs_write_file("user.cfg", $usercfg);
> + }, "openid group mapping failed");
> + } else {
> + syslog('err', "openid groups list is not an array;
> groups will not be updated");
> + }
> + } else {
> + syslog('err', "openid groups claim '$groups_claim' is not
> found in claims");
> + }
> + }
> +
> my $ticket = PVE::AccessControl::assemble_ticket($username);
> my $csrftoken =
> PVE::AccessControl::assemble_csrf_prevention_token($username);
> my $cap = $rpcenv->compute_api_permission($username);
There are some trailing whitespaces, wrongly mixed tabs and spaces, and
some space-only indentations.
The indentation scheme used [0] is not that straightforward. It can be
fixed up when applying the patch, so no need to send a v6 unless there
are some other issues.
Other than the whitespace issues the code looks good.
So consider this:
Tested-by: Mira Limbeck <m.limb...@proxmox.com>
Reviewed-by: Mira Limbeck <m.limb...@proxmox.com>
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
