packages/kanidm: update patchset
This commit is contained in:
parent
b485a93df4
commit
ac21ac314a
1 changed files with 50 additions and 102 deletions
|
|
@ -1,106 +1,54 @@
|
|||
diff --git a/unix_integration/src/cache.rs b/unix_integration/src/cache.rs
|
||||
index d2d442ab8..6c8de0309 100644
|
||||
--- a/unix_integration/src/cache.rs
|
||||
+++ b/unix_integration/src/cache.rs
|
||||
@@ -34,6 +34,8 @@ enum CacheState {
|
||||
pub struct CacheLayer {
|
||||
db: Db,
|
||||
diff --git a/unix_integration/src/idprovider/kanidm.rs b/unix_integration/src/idprovider/kanidm.rs
|
||||
index d1b02de0f..599dec6d5 100644
|
||||
--- a/unix_integration/src/idprovider/kanidm.rs
|
||||
+++ b/unix_integration/src/idprovider/kanidm.rs
|
||||
@@ -2,6 +2,7 @@ use async_trait::async_trait;
|
||||
use kanidm_client::{ClientError, KanidmClient, StatusCode};
|
||||
use kanidm_proto::v1::{OperationError, UnixGroupToken, UnixUserToken};
|
||||
use tokio::sync::RwLock;
|
||||
+use std::env;
|
||||
|
||||
use super::interface::{
|
||||
AuthCacheAction, AuthCredHandler, AuthRequest, AuthResult, GroupToken, Id, IdProvider,
|
||||
@@ -11,12 +12,28 @@ use crate::unix_proto::PamAuthRequest;
|
||||
|
||||
pub struct KanidmProvider {
|
||||
client: RwLock<KanidmClient>,
|
||||
+ auth_name: Option<String>,
|
||||
+ auth_password: Option<String>,
|
||||
state: Mutex<CacheState>,
|
||||
pam_allow_groups: BTreeSet<String>,
|
||||
timeout_seconds: u64,
|
||||
@@ -65,6 +67,8 @@ impl CacheLayer {
|
||||
timeout_seconds: u64,
|
||||
//
|
||||
client: KanidmClient,
|
||||
+ auth_name: Option<String>,
|
||||
+ auth_password: Option<String>,
|
||||
pam_allow_groups: Vec<String>,
|
||||
default_shell: String,
|
||||
home_prefix: String,
|
||||
@@ -91,6 +95,8 @@ impl CacheLayer {
|
||||
Ok(CacheLayer {
|
||||
db,
|
||||
client: RwLock::new(client),
|
||||
+ auth_name,
|
||||
+ auth_password,
|
||||
state: Mutex::new(CacheState::OfflineNextCheck(SystemTime::now())),
|
||||
timeout_seconds,
|
||||
pam_allow_groups: pam_allow_groups.into_iter().collect(),
|
||||
@@ -945,7 +951,11 @@ impl CacheLayer {
|
||||
false
|
||||
}
|
||||
CacheState::OfflineNextCheck(_time) => {
|
||||
|
||||
impl KanidmProvider {
|
||||
pub fn new(client: KanidmClient) -> Self {
|
||||
+ let env_username: Option<String>;
|
||||
+ let env_password: Option<String>;
|
||||
+ match (env::var_os("KANIDM_NAME"), env::var_os("KANIDM_PASSWORD")) {
|
||||
+ (Some(username), Some(password)) => {
|
||||
+ env_username = Some(username.into_string().unwrap());
|
||||
+ env_password = Some(password.into_string().unwrap());
|
||||
+ },
|
||||
+ _ => {
|
||||
+ env_username = None;
|
||||
+ env_password = None;
|
||||
+ }
|
||||
+ }
|
||||
KanidmProvider {
|
||||
client: RwLock::new(client),
|
||||
+ auth_name: env_username,
|
||||
+ auth_password: env_password,
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -73,7 +90,11 @@ impl From<UnixGroupToken> for GroupToken {
|
||||
impl IdProvider for KanidmProvider {
|
||||
// Needs .read on all types except re-auth.
|
||||
async fn provider_authenticate(&self) -> Result<(), IdpError> {
|
||||
- match self.client.write().await.auth_anonymous().await {
|
||||
+ let auth_method = match (&self.auth_name, &self.auth_password) {
|
||||
+ (Some(name), Some(password)) => self.client.write().await.auth_simple_password(name, password).await,
|
||||
+ _ => self.client.write().await.auth_anonymous().await
|
||||
+ };
|
||||
+ match auth_method {
|
||||
Ok(_uat) => {
|
||||
debug!("OfflineNextCheck -> authenticated");
|
||||
self.set_cachestate(CacheState::Online).await;
|
||||
diff --git a/unix_integration/src/daemon.rs b/unix_integration/src/daemon.rs
|
||||
index e4bf558c6..d6916d851 100644
|
||||
--- a/unix_integration/src/daemon.rs
|
||||
+++ b/unix_integration/src/daemon.rs
|
||||
@@ -415,6 +415,24 @@ async fn main() -> ExitCode {
|
||||
.env("KANIDM_CLIENT_CONFIG")
|
||||
.action(ArgAction::StoreValue),
|
||||
)
|
||||
+ .arg(
|
||||
+ Arg::new("name")
|
||||
+ .takes_value(true)
|
||||
+ .help("Set the name to use to authenticate")
|
||||
+ .short('D')
|
||||
+ .long("name")
|
||||
+ .env("KANIDM_NAME")
|
||||
+ .action(ArgAction::StoreValue),
|
||||
+ )
|
||||
+ .arg(
|
||||
+ Arg::new("password")
|
||||
+ .hide(true)
|
||||
+ .takes_value(true)
|
||||
+ .help("Set the password to use to authenticate")
|
||||
+ .long("password")
|
||||
+ .env("KANIDM_PASSWORD")
|
||||
+ .action(ArgAction::StoreValue),
|
||||
+ )
|
||||
.get_matches();
|
||||
|
||||
if clap_args.get_flag("debug") {
|
||||
@@ -510,6 +528,10 @@ async fn main() -> ExitCode {
|
||||
}
|
||||
}
|
||||
|
||||
+ let auth_username = clap_args.get_one::<String>("name");
|
||||
+
|
||||
+ let auth_password = clap_args.get_one::<String>("password");
|
||||
+
|
||||
// setup
|
||||
let cb = match KanidmClientBuilder::new().read_options_from_optional_config(&cfg_path) {
|
||||
Ok(v) => v,
|
||||
@@ -637,6 +659,8 @@ async fn main() -> ExitCode {
|
||||
cfg.db_path.as_str(), // The sqlite db path
|
||||
cfg.cache_timeout,
|
||||
rsclient,
|
||||
+ auth_username.as_deref().cloned(),
|
||||
+ auth_password.as_deref().cloned(),
|
||||
cfg.pam_allowed_login_groups.clone(),
|
||||
cfg.default_shell.clone(),
|
||||
cfg.home_prefix.clone(),
|
||||
diff --git a/unix_integration/tests/cache_layer_test.rs b/unix_integration/tests/cache_layer_test.rs
|
||||
index cff5e8ba8..a68b35be2 100644
|
||||
--- a/unix_integration/tests/cache_layer_test.rs
|
||||
+++ b/unix_integration/tests/cache_layer_test.rs
|
||||
@@ -103,6 +103,8 @@ async fn setup_test(fix_fn: Fixture) -> (CacheLayer, KanidmClient) {
|
||||
"", // The sqlite db path, this is in memory.
|
||||
300,
|
||||
rsclient,
|
||||
+ None,
|
||||
+ None,
|
||||
vec!["allowed_group".to_string()],
|
||||
DEFAULT_SHELL.to_string(),
|
||||
DEFAULT_HOME_PREFIX.to_string(),
|
||||
Ok(_uat) => Ok(()),
|
||||
Err(err) => {
|
||||
error!(?err, "Provider authentication failed");
|
||||
|
|
|
|||
Loading…
Reference in a new issue