From 52d1c1b96645455c6d397cd8131dcfede7e1b3fb Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Wed, 30 Jun 2021 08:10:04 +0200
Subject: [PATCH] add OpenId configuration
---
 src/PVE/AccessControl.pm | 2 ++
 src/PVE/Auth/Makefile | 3 +-
 src/PVE/Auth/OpenId.pm | 68 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 72 insertions(+), 1 deletion(-)
 create mode 100755 src/PVE/Auth/OpenId.pm
diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index 8628678..3d8d01c 100644
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -24,6 +24,7 @@ use PVE::Auth::AD;
 use PVE::Auth::LDAP;
 use PVE::Auth::PVE;
 use PVE::Auth::PAM;
+use PVE::Auth::OpenId;
 # load and initialize all plugins
@@ -31,6 +32,7 @@ PVE::Auth::AD->register();
 PVE::Auth::LDAP->register();
 PVE::Auth::PVE->register();
 PVE::Auth::PAM->register();
+PVE::Auth::OpenId->register();
 PVE::Auth::Plugin->init();
 # $authdir must be writable by root only!
diff --git a/src/PVE/Auth/Makefile b/src/PVE/Auth/Makefile
index 58ae362..be7bde3 100644
--- a/src/PVE/Auth/Makefile
+++ b/src/PVE/Auth/Makefile
@@ -4,7 +4,8 @@ AUTH_SOURCES= \
 PVE.pm \
 PAM.pm \
 AD.pm \
- LDAP.pm
+ LDAP.pm \
+ OpenId.pm
 .PHONY: install
 install:
diff --git a/src/PVE/Auth/OpenId.pm b/src/PVE/Auth/OpenId.pm
new file mode 100755
index 0000000..515d2f4
--- /dev/null
+++ b/src/PVE/Auth/OpenId.pm
@@ -0,0 +1,68 @@
+package PVE::Auth::OpenId;
+
+use strict;
+use warnings;
+
+use PVE::Tools;
+use PVE::Auth::Plugin;
+use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file);
+
+use base qw(PVE::Auth::Plugin);
+
+sub type {
+return 'openid';
+}
+
+sub properties {
+return {
+"issuer-url" => {
+description => "OpenID Issuer Url",
+type => 'string',
+maxLength => 256,
+},
+"client-id" => {
+description => "OpenID Client ID",
+type => 'string',
+maxLength => 256,
+},
+"client-key" => {
+description => "OpenID Client Key",
+type => 'string',
+optional => 1,
+maxLength => 256,
+},
+autocreate => {
+description => "Automatically create users if they do not exist.",
+optional => 1,
+type => 'boolean',
+default => 0,
+},
+"username-claim" => {
+description => "OpenID claim used to generate the unique username.",
+type => 'string',
+enum => ['subject', 'username', 'email'],
+optional => 1,
+},
+};
+}
+
+sub options {
+return {
+"issuer-url" => {},
+"client-id" => {},
+"client-key" => { optional => 1 },
+autocreate => { optional => 1 },
+"username-claim" => { optional => 1, fixed => 1 },
+default => { optional => 1 },
+comment => { optional => 1 },
+};
+}
+
+sub authenticate_user {
+my ($class, $config, $realm, $username, $password) = @_;
+
+die "OpenID realm does not allow password verification.\n";
+}
+
+
+1;
-- 
2.39.2
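Review bot: `client-key` is the credential the realm shares with the identity provider, yet its entry in `properties` is declared exactly like the non-secret `client-id` (`description => "OpenID Client Key"`, `type => 'string'`, `maxLength => 256`), so nothing in this file tells a caller that lists or logs realm config to treat it differently. A comment on that entry, `# client secret shared with the identity provider; treat as sensitive wherever realm config is shown`, and a description along the lines of `"OpenID Client Key (client secret, keep confidential)"` would make the intent explicit. `issuer-url` is likewise accepted as an arbitrary string; presumably the code that later fetches the provider's discovery document should check for an `https` scheme, which this schema does not constrain, and a short comment stating that expectation would help. Separately, `use PVE::Tools;` and `use PVE::Cluster qw(cfs_register_file cfs_read_file cfs_write_file cfs_lock_file);` import names that nothing in this file uses and could be dropped.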