From 1bca1b458588e3b5c2a0239f5820298fdfcd10f3 Mon Sep 17 00:00:00 2001 From: Max Date: Sat, 10 Jun 2023 23:28:58 +0200 Subject: [PATCH] packages/kanidm: support authentication in kanidm_unixd --- patches/base/kanidm/unixd-authenticated.patch | 106 ++++++++++++++++++ 1 file changed, 106 insertions(+) create mode 100644 patches/base/kanidm/unixd-authenticated.patch diff --git a/patches/base/kanidm/unixd-authenticated.patch b/patches/base/kanidm/unixd-authenticated.patch new file mode 100644 index 0000000..8be10f3 --- /dev/null +++ b/patches/base/kanidm/unixd-authenticated.patch @@ -0,0 +1,106 @@ +diff --git a/unix_integration/src/cache.rs b/unix_integration/src/cache.rs +index d2d442ab8..6c8de0309 100644 +--- a/unix_integration/src/cache.rs ++++ b/unix_integration/src/cache.rs +@@ -34,6 +34,8 @@ enum CacheState { + pub struct CacheLayer { + db: Db, + client: RwLock, ++ auth_name: Option, ++ auth_password: Option, + state: Mutex, + pam_allow_groups: BTreeSet, + timeout_seconds: u64, +@@ -65,6 +67,8 @@ impl CacheLayer { + timeout_seconds: u64, + // + client: KanidmClient, ++ auth_name: Option, ++ auth_password: Option, + pam_allow_groups: Vec, + default_shell: String, + home_prefix: String, +@@ -91,6 +95,8 @@ impl CacheLayer { + Ok(CacheLayer { + db, + client: RwLock::new(client), ++ auth_name, ++ auth_password, + state: Mutex::new(CacheState::OfflineNextCheck(SystemTime::now())), + timeout_seconds, + pam_allow_groups: pam_allow_groups.into_iter().collect(), +@@ -945,7 +951,11 @@ impl CacheLayer { + false + } + CacheState::OfflineNextCheck(_time) => { +- match self.client.write().await.auth_anonymous().await { ++ let auth_method = match (&self.auth_name, &self.auth_password) { ++ (Some(name), Some(password)) => self.client.write().await.auth_simple_password(name, password).await, ++ _ => self.client.write().await.auth_anonymous().await ++ }; ++ match auth_method { + Ok(_uat) => { + debug!("OfflineNextCheck -> authenticated"); + self.set_cachestate(CacheState::Online).await; +diff --git a/unix_integration/src/daemon.rs b/unix_integration/src/daemon.rs +index e4bf558c6..d6916d851 100644 +--- a/unix_integration/src/daemon.rs ++++ b/unix_integration/src/daemon.rs +@@ -415,6 +415,24 @@ async fn main() -> ExitCode { + .env("KANIDM_CLIENT_CONFIG") + .action(ArgAction::StoreValue), + ) ++ .arg( ++ Arg::new("name") ++ .takes_value(true) ++ .help("Set the name to use to authenticate") ++ .short('D') ++ .long("name") ++ .env("KANIDM_NAME") ++ .action(ArgAction::StoreValue), ++ ) ++ .arg( ++ Arg::new("password") ++ .hide(true) ++ .takes_value(true) ++ .help("Set the password to use to authenticate") ++ .long("password") ++ .env("KANIDM_PASSWORD") ++ .action(ArgAction::StoreValue), ++ ) + .get_matches(); + + if clap_args.get_flag("debug") { +@@ -510,6 +528,10 @@ async fn main() -> ExitCode { + } + } + ++ let auth_username = clap_args.get_one::("name"); ++ ++ let auth_password = clap_args.get_one::("password"); ++ + // setup + let cb = match KanidmClientBuilder::new().read_options_from_optional_config(&cfg_path) { + Ok(v) => v, +@@ -637,6 +659,8 @@ async fn main() -> ExitCode { + cfg.db_path.as_str(), // The sqlite db path + cfg.cache_timeout, + rsclient, ++ auth_username.as_deref().cloned(), ++ auth_password.as_deref().cloned(), + cfg.pam_allowed_login_groups.clone(), + cfg.default_shell.clone(), + cfg.home_prefix.clone(), +diff --git a/unix_integration/tests/cache_layer_test.rs b/unix_integration/tests/cache_layer_test.rs +index cff5e8ba8..a68b35be2 100644 +--- a/unix_integration/tests/cache_layer_test.rs ++++ b/unix_integration/tests/cache_layer_test.rs +@@ -103,6 +103,8 @@ async fn setup_test(fix_fn: Fixture) -> (CacheLayer, KanidmClient) { + "", // The sqlite db path, this is in memory. + 300, + rsclient, ++ None, ++ None, + vec!["allowed_group".to_string()], + DEFAULT_SHELL.to_string(), + DEFAULT_HOME_PREFIX.to_string(),