privatevoid.net/depot
1
1
Fork 0
Code Issues 18 Pull requests 2 Projects 3 Releases Packages Wiki Activity Actions

packages/kanidm: update patchset

Browse source
This commit is contained in:
Max Headroom 2023-12-02 19:06:15 +01:00
parent b485a93df4
commit ac21ac314a
1 changed files with 50 additions and 102 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

152
patches/base/kanidm/unixd-authenticated.patch
View file

@ -1,106 +1,54 @@
diff --git a/unix_integration/src/cache.rs b/unix_integration/src/cache.rs diff --git a/unix_integration/src/idprovider/kanidm.rs b/unix_integration/src/idprovider/kanidm.rs
index d2d442ab8..6c8de0309 100644 index d1b02de0f..599dec6d5 100644
--- a/unix_integration/src/cache.rs --- a/unix_integration/src/idprovider/kanidm.rs
+++ b/unix_integration/src/cache.rs +++ b/unix_integration/src/idprovider/kanidm.rs
@@ -34,6 +34,8 @@ enum CacheState { @@ -2,6 +2,7 @@ use async_trait::async_trait;
pub struct CacheLayer { use kanidm_client::{ClientError, KanidmClient, StatusCode};
db: Db, use kanidm_proto::v1::{OperationError, UnixGroupToken, UnixUserToken};
use tokio::sync::RwLock;
+use std::env;
use super::interface::{
AuthCacheAction, AuthCredHandler, AuthRequest, AuthResult, GroupToken, Id, IdProvider,
@@ -11,12 +12,28 @@ use crate::unix_proto::PamAuthRequest;
pub struct KanidmProvider {
client: RwLock<KanidmClient>, client: RwLock<KanidmClient>,
+ auth_name: Option<String>, + auth_name: Option<String>,
+ auth_password: Option<String>, + auth_password: Option<String>,
state: Mutex<CacheState>, }
pam_allow_groups: BTreeSet<String>,
timeout_seconds: u64, impl KanidmProvider {
@@ -65,6 +67,8 @@ impl CacheLayer { pub fn new(client: KanidmClient) -> Self {
timeout_seconds: u64, + let env_username: Option<String>;
// + let env_password: Option<String>;
client: KanidmClient, + match (env::var_os("KANIDM_NAME"), env::var_os("KANIDM_PASSWORD")) {
+ auth_name: Option<String>, + (Some(username), Some(password)) => {
+ auth_password: Option<String>, + env_username = Some(username.into_string().unwrap());
pam_allow_groups: Vec<String>, + env_password = Some(password.into_string().unwrap());
default_shell: String, + },
home_prefix: String, + _ => {
@@ -91,6 +95,8 @@ impl CacheLayer { + env_username = None;
Ok(CacheLayer { + env_password = None;
db, + }
+ }
KanidmProvider {
client: RwLock::new(client), client: RwLock::new(client),
+ auth_name, + auth_name: env_username,
+ auth_password, + auth_password: env_password,
state: Mutex::new(CacheState::OfflineNextCheck(SystemTime::now())), }
timeout_seconds, }
pam_allow_groups: pam_allow_groups.into_iter().collect(), }
@@ -945,7 +951,11 @@ impl CacheLayer { @@ -73,7 +90,11 @@ impl From<UnixGroupToken> for GroupToken {
false impl IdProvider for KanidmProvider {
} // Needs .read on all types except re-auth.
CacheState::OfflineNextCheck(_time) => { async fn provider_authenticate(&self) -> Result<(), IdpError> {
- match self.client.write().await.auth_anonymous().await { - match self.client.write().await.auth_anonymous().await {
+ let auth_method = match (&self.auth_name, &self.auth_password) { + let auth_method = match (&self.auth_name, &self.auth_password) {
+ (Some(name), Some(password)) => self.client.write().await.auth_simple_password(name, password).await, + (Some(name), Some(password)) => self.client.write().await.auth_simple_password(name, password).await,
+ _ => self.client.write().await.auth_anonymous().await + _ => self.client.write().await.auth_anonymous().await
+ }; + };
+ match auth_method { + match auth_method {
Ok(_uat) => { Ok(_uat) => Ok(()),
debug!("OfflineNextCheck -> authenticated"); Err(err) => {
self.set_cachestate(CacheState::Online).await; error!(?err, "Provider authentication failed");
diff --git a/unix_integration/src/daemon.rs b/unix_integration/src/daemon.rs
index e4bf558c6..d6916d851 100644
--- a/unix_integration/src/daemon.rs
+++ b/unix_integration/src/daemon.rs
@@ -415,6 +415,24 @@ async fn main() -> ExitCode {
.env("KANIDM_CLIENT_CONFIG")
.action(ArgAction::StoreValue),
)
+ .arg(
+ Arg::new("name")
+ .takes_value(true)
+ .help("Set the name to use to authenticate")
+ .short('D')
+ .long("name")
+ .env("KANIDM_NAME")
+ .action(ArgAction::StoreValue),
+ )
+ .arg(
+ Arg::new("password")
+ .hide(true)
+ .takes_value(true)
+ .help("Set the password to use to authenticate")
+ .long("password")
+ .env("KANIDM_PASSWORD")
+ .action(ArgAction::StoreValue),
+ )
.get_matches();
if clap_args.get_flag("debug") {
@@ -510,6 +528,10 @@ async fn main() -> ExitCode {
}
}
+ let auth_username = clap_args.get_one::<String>("name");
+
+ let auth_password = clap_args.get_one::<String>("password");
+
// setup
let cb = match KanidmClientBuilder::new().read_options_from_optional_config(&cfg_path) {
Ok(v) => v,
@@ -637,6 +659,8 @@ async fn main() -> ExitCode {
cfg.db_path.as_str(), // The sqlite db path
cfg.cache_timeout,
rsclient,
+ auth_username.as_deref().cloned(),
+ auth_password.as_deref().cloned(),
cfg.pam_allowed_login_groups.clone(),
cfg.default_shell.clone(),
cfg.home_prefix.clone(),
diff --git a/unix_integration/tests/cache_layer_test.rs b/unix_integration/tests/cache_layer_test.rs
index cff5e8ba8..a68b35be2 100644
--- a/unix_integration/tests/cache_layer_test.rs
+++ b/unix_integration/tests/cache_layer_test.rs
@@ -103,6 +103,8 @@ async fn setup_test(fix_fn: Fixture) -> (CacheLayer, KanidmClient) {
"", // The sqlite db path, this is in memory.
300,
rsclient,
+ None,
+ None,
vec!["allowed_group".to_string()],
DEFAULT_SHELL.to_string(),
DEFAULT_HOME_PREFIX.to_string(),