openid_login: verify that firstname, lastname and email fit our schema definitions

If not, we do not copy the values to our user.cfg.
This commit is contained in:
Dietmar Maurer 2021-11-10 06:44:40 +01:00
parent 4beb7d2dbe
commit 68fd9ca6d6
1 changed files with 18 additions and 5 deletions


@ -9,11 +9,11 @@ use proxmox::{identity, sortable};
use proxmox_router::{ use proxmox_router::{
http_err, list_subdirs_api_method, Router, RpcEnvironment, SubdirMap, Permission, http_err, list_subdirs_api_method, Router, RpcEnvironment, SubdirMap, Permission,
}; };
use proxmox_schema::api; use proxmox_schema::{api, parse_simple_value};
use proxmox_openid::{OpenIdAuthenticator, OpenIdConfig}; use proxmox_openid::{OpenIdAuthenticator, OpenIdConfig};
use pbs_api_types::{Userid, User, REALM_ID_SCHEMA}; use pbs_api_types::{User, Userid, EMAIL_SCHEMA, FIRST_NAME_SCHEMA, LAST_NAME_SCHEMA, REALM_ID_SCHEMA};
use pbs_buildcfg::PROXMOX_BACKUP_RUN_DIR_M; use pbs_buildcfg::PROXMOX_BACKUP_RUN_DIR_M;
use pbs_tools::ticket::Ticket; use pbs_tools::ticket::Ticket;
use pbs_config::domains::{OpenIdUserAttribute, OpenIdRealmConfig}; use pbs_config::domains::{OpenIdUserAttribute, OpenIdRealmConfig};
@ -128,14 +128,27 @@ pub fn openid_login(
if config.autocreate.unwrap_or(false) { if config.autocreate.unwrap_or(false) {
use pbs_config::user; use pbs_config::user;
let _lock = open_backup_lockfile(user::USER_CFG_LOCKFILE, None, true)?; let _lock = open_backup_lockfile(user::USER_CFG_LOCKFILE, None, true)?;
let firstname = info.given_name().and_then(|n| n.get(None))
.filter(|n| parse_simple_value(n, &FIRST_NAME_SCHEMA).is_ok())
.map(|n| n.to_string());
let lastname = info.family_name().and_then(|n| n.get(None))
.filter(|n| parse_simple_value(n, &LAST_NAME_SCHEMA).is_ok())
.map(|n| n.to_string());
let email = info.email()
.filter(|n| parse_simple_value(n, &EMAIL_SCHEMA).is_ok())
.map(|e| e.to_string());
let user = User { let user = User {
userid: user_id.clone(), userid: user_id.clone(),
comment: None, comment: None,
enable: None, enable: None,
expire: None, expire: None,
firstname: info.given_name().and_then(|n| n.get(None)).map(|n| n.to_string()), firstname,
lastname: info.family_name().and_then(|n| n.get(None)).map(|n| n.to_string()), lastname,
email: info.email().map(|e| e.to_string()), email,
}; };
let (mut config, _digest) = user::config()?; let (mut config, _digest) = user::config()?;
if config.sections.get(user.userid.as_str()).is_some() { if config.sections.get(user.userid.as_str()).is_some() {
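Review bot: A claim that fails its schema check is dropped without any trace, so an operator who later finds an autocreated user with no name or email cannot tell whether the provider omitted the claim or this code rejected it; consider emitting a warning from the `.filter` closures on the rejected branch (the hunk does not show which logging facade this file uses, so reuse whatever is already in scope). The values come from the external identity provider, so a short why-comment above `let firstname` would help the next reader, e.g. `// claims are provider-supplied: only copy values that satisfy our schema, so a malformed claim can never make user.cfg unparseable`. The three chains are otherwise identical apart from the schema; a small local helper that takes the optional value and the schema would keep them from drifting apart, though the differing claim types may make that more than a one-liner. openid_login starts before this hunk.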