Merge pull request #1071 from stgraber/main

Various bugfixes
lxc · Aug 3, 2024 · d816585 · d816585
2 parents 9180850 + f8f6d3f
commit d816585
Show file tree

Hide file tree

Showing 7 changed files with 90 additions and 8 deletions.
diff --git a/cmd/incusd/api_1.0.go b/cmd/incusd/api_1.0.go
@@ -7,6 +7,7 @@ import (
 	"net"
 	"net/http"
 	"os"
+	"strings"
 
 	"github.com/lxc/incus/v6/client"
 	"github.com/lxc/incus/v6/internal/revert"
@@ -214,6 +215,12 @@ var api10 = []APIEndpoint{
 func api10Get(d *Daemon, r *http.Request) response.Response {
 	s := d.State()
 
+	// Pull the full server config.
+	fullSrvConfig, err := daemonConfigRender(s)
+	if err != nil {
+		return response.InternalError(err)
+	}
+
 	// Get the authentication methods.
 	authMethods := []string{api.AuthenticationMethodTLS}
 
@@ -231,13 +238,21 @@ func api10Get(d *Daemon, r *http.Request) response.Response {
 		AuthMethods:   authMethods,
 	}
 
+	// Populate the untrusted config (user.ui.XYZ).
+	srv.Config = map[string]string{}
+	for k, v := range fullSrvConfig {
+		if strings.HasPrefix(k, "user.ui.") {
+			srv.Config[k] = v
+		}
+	}
+
 	// If untrusted, return now
 	if d.checkTrustedClient(r) != nil {
 		return response.SyncResponseETag(true, srv, nil)
 	}
 
 	// If not authorized, return now.
-	err := s.Authorizer.CheckPermission(r.Context(), r, auth.ObjectServer(), auth.EntitlementCanView)
+	err = s.Authorizer.CheckPermission(r.Context(), r, auth.ObjectServer(), auth.EntitlementCanView)
 	if err != nil {
 		return response.SmartError(err)
 	}
@@ -379,10 +394,7 @@ func api10Get(d *Daemon, r *http.Request) response.Response {
 
 	err = s.Authorizer.CheckPermission(r.Context(), r, auth.ObjectServer(), auth.EntitlementCanEdit)
 	if err == nil {
-		fullSrv.Config, err = daemonConfigRender(s)
-		if err != nil {
-			return response.InternalError(err)
-		}
+		fullSrv.Config = fullSrvConfig
 	} else if !api.StatusErrorCheck(err, http.StatusForbidden) {
 		return response.SmartError(err)
 	}

diff --git a/cmd/incusd/networks.go b/cmd/incusd/networks.go
@@ -503,6 +503,20 @@ func networksPost(d *Daemon, r *http.Request) response.Response {
 			if err != nil {
 				return response.SmartError(err)
 			}
+
+			// Create the authorization entry and advertise the network as existing.
+			err = s.Authorizer.AddNetwork(r.Context(), projectName, req.Name)
+			if err != nil {
+				logger.Error("Failed to add network to authorizer", logger.Ctx{"name": req.Name, "project": projectName, "error": err})
+			}
+
+			n, err := network.LoadByName(s, projectName, req.Name)
+			if err != nil {
+				return response.SmartError(fmt.Errorf("Failed loading network: %w", err))
+			}
+
+			requestor := request.CreateRequestor(r)
+			s.Events.SendLifecycle(projectName, lifecycle.NetworkCreated.Event(n, requestor, nil))
 		}
 
 		err = networksPostCluster(r.Context(), s, projectName, netInfo, req, clientType, netType)

diff --git a/doc/rest-api.yaml b/doc/rest-api.yaml
@@ -5735,6 +5735,14 @@ definitions:
                 readOnly: true
                 type: array
                 x-go-name: AuthMethods
+            config:
+                additionalProperties:
+                    type: string
+                description: Server configuration map (refer to doc/server.md)
+                example:
+                    core.https_address: :8443
+                type: object
+                x-go-name: Config
             public:
                 description: Whether the server is public-only (only public endpoints are implemented)
                 example: false

diff --git a/doc/server_config.md b/doc/server_config.md
@@ -109,3 +109,9 @@ The following server options configure server-specific settings for {ref}`instan
     :start-after: <!-- config group server-miscellaneous start -->
     :end-before: <!-- config group server-miscellaneous end -->
 ```
+
+(server-options-user)=
+## User options
+
+Additional user defined configuration keys are available within the `user.` namespace.
+Note that keys starting with `user.ui.` are used for web UI configuration options and are visible even to unauthenticated users.
diff --git a/internal/server/auth/oidc/oidc.go b/internal/server/auth/oidc/oidc.go
@@ -160,6 +160,21 @@ func (o *Verifier) Login(w http.ResponseWriter, r *http.Request) {
 }
 
 func (o *Verifier) Logout(w http.ResponseWriter, r *http.Request) {
+	// Attempt to get the provider.
+	provider, _ := o.getProvider(r)
+
+	// Attempt to get the token.
+	var token string
+	cookie, err := r.Cookie("oidc_id")
+	if err == nil {
+		token = cookie.Value
+	}
+
+	// Attempt to end the OIDC session.
+	if provider != nil && token != "" {
+		_, _ = rp.EndSession(r.Context(), provider, token, fmt.Sprintf("https://%s", r.Host), "")
+	}
+
 	// Access token.
 	accessCookie := http.Cookie{
 		Name:     "oidc_access",
@@ -172,6 +187,18 @@ func (o *Verifier) Logout(w http.ResponseWriter, r *http.Request) {
 
 	http.SetCookie(w, &accessCookie)
 
+	// ID token.
+	idCookie := http.Cookie{
+		Name:     "oidc_id",
+		Path:     "/",
+		Secure:   true,
+		HttpOnly: false,
+		SameSite: http.SameSiteStrictMode,
+		Expires:  time.Unix(0, 0),
+	}
+
+	http.SetCookie(w, &idCookie)
+
 	// Refresh token.
 	refreshCookie := http.Cookie{
 		Name:     "oidc_refresh",
@@ -219,6 +246,20 @@ func (o *Verifier) Callback(w http.ResponseWriter, r *http.Request) {
 			http.SetCookie(w, &refreshCookie)
 		}
 
+		// ID token.
+		if tokens.IDToken != "" {
+			idCookie := http.Cookie{
+				Name:     "oidc_id",
+				Value:    tokens.IDToken,
+				Path:     "/",
+				Secure:   true,
+				HttpOnly: false,
+				SameSite: http.SameSiteStrictMode,
+			}
+
+			http.SetCookie(w, &idCookie)
+		}
+
 		// Send to the UI.
 		// NOTE: Once the UI does the redirection on its own, we may be able to use the referer here instead.
 		http.Redirect(w, r, "/ui/", http.StatusMovedPermanently)

diff --git a/internal/server/network/ovn/ovn_nb_actions.go b/internal/server/network/ovn/ovn_nb_actions.go
@@ -1581,8 +1581,8 @@ func (o *NB) GetLogicalSwitchPortUUID(ctx context.Context, portName OVNSwitchPor
 func (o *NB) CreateLogicalSwitchPort(ctx context.Context, switchName OVNSwitch, portName OVNSwitchPort, opts *OVNSwitchPortOpts, mayExist bool) error {
 	// Prepare the new switch port entry.
 	logicalSwitchPort := ovnNB.LogicalSwitchPort{
-		Name:        string(portName),
-		UUID:        "lsp",
+		Name: string(portName),
+		UUID: "lsp",
 	}
 
 	// Check if the entry already exists.

diff --git a/shared/api/server.go b/shared/api/server.go
@@ -155,6 +155,8 @@ type ServerPut struct {
 //
 // swagger:model
 type ServerUntrusted struct {
+	ServerPut `yaml:",inline"`
+
 	// List of supported API extensions
 	// Read only: true
 	// Example: ["etag", "patch", "network", "storage"]
@@ -192,7 +194,6 @@ type ServerUntrusted struct {
 //
 // swagger:model
 type Server struct {
-	ServerPut       `yaml:",inline"`
 	ServerUntrusted `yaml:",inline"`
 
 	// The current API user identifier