Platform 23.11 #96
1 changed files with 50 additions and 102 deletions
|
@ -1,106 +1,54 @@
|
||||||
diff --git a/unix_integration/src/cache.rs b/unix_integration/src/cache.rs
|
diff --git a/unix_integration/src/idprovider/kanidm.rs b/unix_integration/src/idprovider/kanidm.rs
|
||||||
index d2d442ab8..6c8de0309 100644
|
index d1b02de0f..599dec6d5 100644
|
||||||
--- a/unix_integration/src/cache.rs
|
--- a/unix_integration/src/idprovider/kanidm.rs
|
||||||
+++ b/unix_integration/src/cache.rs
|
+++ b/unix_integration/src/idprovider/kanidm.rs
|
||||||
@@ -34,6 +34,8 @@ enum CacheState {
|
@@ -2,6 +2,7 @@ use async_trait::async_trait;
|
||||||
pub struct CacheLayer {
|
use kanidm_client::{ClientError, KanidmClient, StatusCode};
|
||||||
db: Db,
|
use kanidm_proto::v1::{OperationError, UnixGroupToken, UnixUserToken};
|
||||||
|
use tokio::sync::RwLock;
|
||||||
|
+use std::env;
|
||||||
|
|
||||||
|
use super::interface::{
|
||||||
|
AuthCacheAction, AuthCredHandler, AuthRequest, AuthResult, GroupToken, Id, IdProvider,
|
||||||
|
@@ -11,12 +12,28 @@ use crate::unix_proto::PamAuthRequest;
|
||||||
|
|
||||||
|
pub struct KanidmProvider {
|
||||||
client: RwLock<KanidmClient>,
|
client: RwLock<KanidmClient>,
|
||||||
+ auth_name: Option<String>,
|
+ auth_name: Option<String>,
|
||||||
+ auth_password: Option<String>,
|
+ auth_password: Option<String>,
|
||||||
state: Mutex<CacheState>,
|
|
||||||
pam_allow_groups: BTreeSet<String>,
|
|
||||||
timeout_seconds: u64,
|
|
||||||
@@ -65,6 +67,8 @@ impl CacheLayer {
|
|
||||||
timeout_seconds: u64,
|
|
||||||
//
|
|
||||||
client: KanidmClient,
|
|
||||||
+ auth_name: Option<String>,
|
|
||||||
+ auth_password: Option<String>,
|
|
||||||
pam_allow_groups: Vec<String>,
|
|
||||||
default_shell: String,
|
|
||||||
home_prefix: String,
|
|
||||||
@@ -91,6 +95,8 @@ impl CacheLayer {
|
|
||||||
Ok(CacheLayer {
|
|
||||||
db,
|
|
||||||
client: RwLock::new(client),
|
|
||||||
+ auth_name,
|
|
||||||
+ auth_password,
|
|
||||||
state: Mutex::new(CacheState::OfflineNextCheck(SystemTime::now())),
|
|
||||||
timeout_seconds,
|
|
||||||
pam_allow_groups: pam_allow_groups.into_iter().collect(),
|
|
||||||
@@ -945,7 +951,11 @@ impl CacheLayer {
|
|
||||||
false
|
|
||||||
}
|
}
|
||||||
CacheState::OfflineNextCheck(_time) => {
|
|
||||||
|
impl KanidmProvider {
|
||||||
|
pub fn new(client: KanidmClient) -> Self {
|
||||||
|
+ let env_username: Option<String>;
|
||||||
|
+ let env_password: Option<String>;
|
||||||
|
+ match (env::var_os("KANIDM_NAME"), env::var_os("KANIDM_PASSWORD")) {
|
||||||
|
+ (Some(username), Some(password)) => {
|
||||||
|
+ env_username = Some(username.into_string().unwrap());
|
||||||
|
+ env_password = Some(password.into_string().unwrap());
|
||||||
|
+ },
|
||||||
|
+ _ => {
|
||||||
|
+ env_username = None;
|
||||||
|
+ env_password = None;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
KanidmProvider {
|
||||||
|
client: RwLock::new(client),
|
||||||
|
+ auth_name: env_username,
|
||||||
|
+ auth_password: env_password,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
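Review bot: `username.into_string().unwrap()` and `password.into_string().unwrap()` in `KanidmProvider::new` panic at daemon startup if either variable holds non-UTF-8 bytes, on operator-controlled input that should never abort the process. The `_ => { None, None }` arm also turns a partial setup (only one of `KANIDM_NAME`/`KANIDM_PASSWORD` set) into a silent fall-back to `auth_anonymous()`, so a misconfigured service quietly runs with anonymous rather than the intended privileges; that deserves a log line. Using `env::var` instead of `env::var_os` gives a `Result` whose `VarError::NotPresent` distinguishes "not configured" from "present but unusable", and the match can yield the tuple directly instead of the two deferred `let` bindings. The `warn!` call below assumes the same logging macros that provide `error!` in `provider_authenticate` are in scope here; confirm before applying.
```rust
    pub fn new(client: KanidmClient) -> Self {
        // Both variables must be present *and* valid UTF-8; anything else falls
        // back to anonymous auth, logged so a partial or garbled setup is not silent.
        let (env_username, env_password) =
            match (env::var("KANIDM_NAME"), env::var("KANIDM_PASSWORD")) {
                (Ok(name), Ok(password)) => (Some(name), Some(password)),
                (Err(env::VarError::NotPresent), Err(env::VarError::NotPresent)) => (None, None),
                _ => {
                    warn!("KANIDM_NAME and KANIDM_PASSWORD must both be set as valid UTF-8; using anonymous authentication");
                    (None, None)
                }
            };
        // … unchanged: KanidmProvider struct construction …
```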
|
||||||
|
@@ -73,7 +90,11 @@ impl From<UnixGroupToken> for GroupToken {
|
||||||
|
impl IdProvider for KanidmProvider {
|
||||||
|
// Needs .read on all types except re-auth.
|
||||||
|
async fn provider_authenticate(&self) -> Result<(), IdpError> {
|
||||||
- match self.client.write().await.auth_anonymous().await {
|
- match self.client.write().await.auth_anonymous().await {
|
||||||
+ let auth_method = match (&self.auth_name, &self.auth_password) {
|
+ let auth_method = match (&self.auth_name, &self.auth_password) {
|
||||||
+ (Some(name), Some(password)) => self.client.write().await.auth_simple_password(name, password).await,
|
+ (Some(name), Some(password)) => self.client.write().await.auth_simple_password(name, password).await,
|
||||||
+ _ => self.client.write().await.auth_anonymous().await
|
+ _ => self.client.write().await.auth_anonymous().await
|
||||||
+ };
|
+ };
|
||||||
+ match auth_method {
|
+ match auth_method {
|
||||||
Ok(_uat) => {
|
Ok(_uat) => Ok(()),
|
||||||
debug!("OfflineNextCheck -> authenticated");
|
Err(err) => {
|
||||||
self.set_cachestate(CacheState::Online).await;
|
error!(?err, "Provider authentication failed");
|
||||||
diff --git a/unix_integration/src/daemon.rs b/unix_integration/src/daemon.rs
|
|
||||||
index e4bf558c6..d6916d851 100644
|
|
||||||
--- a/unix_integration/src/daemon.rs
|
|
||||||
+++ b/unix_integration/src/daemon.rs
|
|
||||||
@@ -415,6 +415,24 @@ async fn main() -> ExitCode {
|
|
||||||
.env("KANIDM_CLIENT_CONFIG")
|
|
||||||
.action(ArgAction::StoreValue),
|
|
||||||
)
|
|
||||||
+ .arg(
|
|
||||||
+ Arg::new("name")
|
|
||||||
+ .takes_value(true)
|
|
||||||
+ .help("Set the name to use to authenticate")
|
|
||||||
+ .short('D')
|
|
||||||
+ .long("name")
|
|
||||||
+ .env("KANIDM_NAME")
|
|
||||||
+ .action(ArgAction::StoreValue),
|
|
||||||
+ )
|
|
||||||
+ .arg(
|
|
||||||
+ Arg::new("password")
|
|
||||||
+ .hide(true)
|
|
||||||
+ .takes_value(true)
|
|
||||||
+ .help("Set the password to use to authenticate")
|
|
||||||
+ .long("password")
|
|
||||||
+ .env("KANIDM_PASSWORD")
|
|
||||||
+ .action(ArgAction::StoreValue),
|
|
||||||
+ )
|
|
||||||
.get_matches();
|
|
||||||
|
|
||||||
if clap_args.get_flag("debug") {
|
|
||||||
@@ -510,6 +528,10 @@ async fn main() -> ExitCode {
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ let auth_username = clap_args.get_one::<String>("name");
|
|
||||||
+
|
|
||||||
+ let auth_password = clap_args.get_one::<String>("password");
|
|
||||||
+
|
|
||||||
// setup
|
|
||||||
let cb = match KanidmClientBuilder::new().read_options_from_optional_config(&cfg_path) {
|
|
||||||
Ok(v) => v,
|
|
||||||
@@ -637,6 +659,8 @@ async fn main() -> ExitCode {
|
|
||||||
cfg.db_path.as_str(), // The sqlite db path
|
|
||||||
cfg.cache_timeout,
|
|
||||||
rsclient,
|
|
||||||
+ auth_username.as_deref().cloned(),
|
|
||||||
+ auth_password.as_deref().cloned(),
|
|
||||||
cfg.pam_allowed_login_groups.clone(),
|
|
||||||
cfg.default_shell.clone(),
|
|
||||||
cfg.home_prefix.clone(),
|
|
||||||
diff --git a/unix_integration/tests/cache_layer_test.rs b/unix_integration/tests/cache_layer_test.rs
|
|
||||||
index cff5e8ba8..a68b35be2 100644
|
|
||||||
--- a/unix_integration/tests/cache_layer_test.rs
|
|
||||||
+++ b/unix_integration/tests/cache_layer_test.rs
|
|
||||||
@@ -103,6 +103,8 @@ async fn setup_test(fix_fn: Fixture) -> (CacheLayer, KanidmClient) {
|
|
||||||
"", // The sqlite db path, this is in memory.
|
|
||||||
300,
|
|
||||||
rsclient,
|
|
||||||
+ None,
|
|
||||||
+ None,
|
|
||||||
vec!["allowed_group".to_string()],
|
|
||||||
DEFAULT_SHELL.to_string(),
|
|
||||||
DEFAULT_HOME_PREFIX.to_string(),
|
|
||||||
|
|