tfa: expose 'allow_subdomains' property

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

diff --git a/proxmox-tfa/src/api/webauthn.rs b/proxmox-tfa/src/api/webauthn.rs
index 4e90007d9fcbf8c1448d3d7df7bb138f57b152da..0f908229de55db274c9ee41b4836c52053ef1d7e 100644 (file)
--- a/proxmox-tfa/src/api/webauthn.rs
+++ b/proxmox-tfa/src/api/webauthn.rs
@@ -57,7 +57,7 @@ impl From<OriginUrl> for String {
 #[cfg_attr(feature = "api-types", derive(Updater))]
 /// Server side webauthn server configuration.
 #[derive(Clone, Deserialize, Serialize)]
-#[serde(deny_unknown_fields)]
+#[serde(deny_unknown_fields, rename_all = "kebab-case")]
 pub struct WebauthnConfig {
     /// Relying party name. Any text identifier.
     ///
@@ -75,6 +75,15 @@ pub struct WebauthnConfig {
     ///
     /// Changing this *will* break existing credentials.
     pub id: String,
+
+    /// If an `origin` is specified, this specifies whether subdomains should be considered valid
+    /// as well.
+    ///
+    /// May be changed at any time.
+    ///
+    /// Defaults to `true`.
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub allow_subdomains: Option<bool>,
 }
 
 impl WebauthnConfig {
@@ -97,6 +106,7 @@ impl WebauthnConfig {
                 .ok_or_else(|| format_err!("missing webauthn origin"))?,
             rp: &self.rp,
             id: &self.id,
+            allow_subdomains: self.allow_subdomains.unwrap_or(true),
         })
     }
 }
@@ -105,6 +115,7 @@ pub(super) struct WebauthnConfigInstance<'a> {
     rp: &'a str,
     origin: &'a Url,
     id: &'a str,
+    allow_subdomains: bool,
 }
 
 /// For now we just implement this on the configuration this way.
@@ -123,6 +134,10 @@ impl<'a> webauthn_rs::WebauthnConfig for WebauthnConfigInstance<'a> {
     fn get_relying_party_id(&self) -> &str {
         self.id
     }
+
+    fn allow_subdomains_origin(&self) -> bool {
+        self.allow_subdomains
+    }
 }
 
 /// A webauthn registration challenge.