kanidm_1_5: mark EOL, kanidm_1_4: remove (#417915)

authored by Adam C. Stephens and committed by GitHub cb0acd6f 27d7ead2

+9 -980
-7
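--- a/pkgs/by-name/ka/kanidm/1_4.nix
+++ b/pkgs/by-name/ka/kanidm/1_4.nix
@@ -1,7 +0,0 @@
-import ./generic.nix {
-  version = "1.4.6";
-  hash = "sha256-pjJyq52wO5p34LN2Jmt0npgWBDcWin8gIX4skZ7Ff8E=";
-  cargoHash = "sha256-33HRoH/vWPe/wOZJtQLWV9eBocbj0iR/XUu4zMehu8M=";
-  patchDir = ./patches/1_4;
-  unsupported = true;
-}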
+1
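--- a/pkgs/by-name/ka/kanidm/1_5.nix
+++ b/pkgs/by-name/ka/kanidm/1_5.nix
@@ -3,4 +3,5 @@
   hash = "sha256-swrqyjA7Wgq17vd+753LDFcXrSFixVNLhTvj1bhG3DU=";
   cargoHash = "sha256-72IwS8Nk1y6xDH9y8JW2LpbhFWaq0tpORx7JQSCF5/M=";
   patchDir = ./patches/1_5;
+  unsupported = true;
 }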
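Review bot: The added `unsupported = true;` records neither when nor why 1.5 went end-of-life, so an operator reading 1_5.nix later has to dig up this commit; a one-line comment next to it, such as `# EOL upstream: the 30-day overlap with the superseding release has elapsed, see README.md`, would keep that context in place. The README procedure on this page pairs this step with adding `kanidm_1_5-<version>` and `kanidmWithSecretProvisioning_1_5-<version>` to `permittedInsecurePackages` in `pkgs/top-level/release.nix`; the page-level diffstat (+9 -980) is larger than the sections visible here (+5 -974), so that change presumably lives in a file outside this view and is worth confirming rather than assuming. The version attribute of 1_5.nix is above the hunk and not visible here, so the exact entry names cannot be stated from this section.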
+4 -8
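--- a/pkgs/by-name/ka/kanidm/README.md
+++ b/pkgs/by-name/ka/kanidm/README.md
@@ -21,12 +21,7 @@
 1. Update `all-packages.nix` to add `kanidm_1_5` and `kanidmWithSecretProvisioning_1_5`, leave default
 1. Create commit, `kanidm_1_5: init at 1.5.0` - this is the only commit that will be backported
 
-### Mark previous version deprecated
-
-1. Update `pkgs/by-name/ka/kanidm/1_4.nix` by adding `deprecated = true;`
-1. Create commit `kanidm_1_4: update default to 1.5.0, deprecate 1.4.0`
-
-### Update default and mark deprecation
+### Update default
 
 1. `sed -i 's/1_4/1_5/' pkgs/by-name/ka/kanidm/package.nix`
 1. Update `all-packages.nix` and set `kanidmWithSecretProvisioning = kanidmWithSecretProvisioning_1_5;`
@@ -41,9 +36,10 @@
 Kanidm versions are supported for 30 days after the release of new versions. Following the example above, 1.5.x superseding 1.4.x in 30 days, do the following near the end of the 30 day window
 
 1. Update `pkgs/by-name/ka/kanidm/1_4.nix` by adding `unsupported = true;`
-1. Update `pkgs/top-level/release.nix` and add `kanidm_1_4-1.4.6` to `permittedInsecurePackages`
+1. Update `pkgs/top-level/release.nix` and add `kanidm_1_4-1.4.6` and `kanidmWithSecretProvisioning_1_4-1.4.6` to `permittedInsecurePackages`
 1. Create commit `kanidm_1_4: mark EOL`, this commit alone should be backported
 
 1. Remove the third oldest release from `all-packages.nix`, e.g. 1.3.x continuing the example. Remove `kanidm_1_3` and `kanidmWithSecretProvisioning_1_3`
-1. Update `pkgs/top-level/release.nix` and remove `kanidm_1_3-1.3.3` from `permittedInsecurePackages`
+1. Update `pkgs/top-level/release.nix` and remove `kanidm_1_3*` from `permittedInsecurePackages`
+1. Update `pkgs/top-level/aliases.nix` and add `kanidm_1_4` and `kanidmWithSecretProvisioning_1_4-1.4.6`
 1. Remove `pkgs/by-name/ka/kanidm/1_3.nix`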
-303
pkgs/by-name/ka/kanidm/patches/1_3/oauth2-basic-secret-modify.patch
··· 1 - From 44dfbc2b9dccce86c7d7e7b54db4c989344b8c56 Mon Sep 17 00:00:00 2001 2 - From: oddlama <oddlama@oddlama.org> 3 - Date: Mon, 12 Aug 2024 23:17:25 +0200 4 - Subject: [PATCH 1/2] oauth2 basic secret modify 5 - 6 - --- 7 - server/core/src/actors/v1_write.rs | 42 ++++++++++++++++++++++++++++++ 8 - server/core/src/https/v1.rs | 6 ++++- 9 - server/core/src/https/v1_oauth2.rs | 29 +++++++++++++++++++++ 10 - server/lib/src/constants/acp.rs | 6 +++++ 11 - 4 files changed, 82 insertions(+), 1 deletion(-) 12 - 13 - diff --git a/server/core/src/actors/v1_write.rs b/server/core/src/actors/v1_write.rs 14 - index e00a969fb..1cacc67b8 100644 15 - --- a/server/core/src/actors/v1_write.rs 16 - +++ b/server/core/src/actors/v1_write.rs 17 - 
@@ -315,20 +315,62 @@ impl QueryServerWriteV1 { 18 - }; 19 - 20 - trace!(?del, "Begin delete event"); 21 - 22 - idms_prox_write 23 - .qs_write 24 - .delete(&del) 25 - .and_then(|_| idms_prox_write.commit().map(|_| ())) 26 - } 27 - 28 - + #[instrument( 29 - + level = "info", 30 - + skip_all, 31 - + fields(uuid = ?eventid) 32 - + )] 33 - + pub async fn handle_oauth2_basic_secret_write( 34 - + &self, 35 - + client_auth_info: ClientAuthInfo, 36 - + filter: Filter<FilterInvalid>, 37 - + new_secret: String, 38 - + eventid: Uuid, 39 - + ) -> Result<(), OperationError> { 40 - + // Given a protoEntry, turn this into a modification set. 41 - + let ct = duration_from_epoch_now(); 42 - + let mut idms_prox_write = self.idms.proxy_write(ct).await; 43 - + let ident = idms_prox_write 44 - + .validate_client_auth_info_to_ident(client_auth_info, ct) 45 - + .map_err(|e| { 46 - + admin_error!(err = ?e, "Invalid identity"); 47 - + e 48 - + })?; 49 - + 50 - + let modlist = ModifyList::new_purge_and_set( 51 - + Attribute::OAuth2RsBasicSecret, 52 - + Value::SecretValue(new_secret), 53 - + ); 54 - + 55 - + let mdf = 56 - + ModifyEvent::from_internal_parts(ident, &modlist, &filter, &idms_prox_write.qs_write) 57 - + .map_err(|e| { 58 - + admin_error!(err = ?e, "Failed to begin modify during handle_oauth2_basic_secret_write"); 59 - + e 60 - + })?; 61 - + 62 - + trace!(?mdf, "Begin modify event"); 63 - + 64 - + idms_prox_write 65 - + .qs_write 66 - + .modify(&mdf) 67 - + .and_then(|_| idms_prox_write.commit()) 68 - + } 69 - + 70 - #[instrument( 71 - level = "info", 72 - skip_all, 73 - fields(uuid = ?eventid) 74 - )] 75 - pub async fn handle_reviverecycled( 76 - &self, 77 - client_auth_info: ClientAuthInfo, 78 - filter: Filter<FilterInvalid>, 79 - eventid: Uuid, 80 - diff --git a/server/core/src/https/v1.rs b/server/core/src/https/v1.rs 81 - index 8aba83bb2..f1f815026 100644 82 - --- a/server/core/src/https/v1.rs 83 - +++ b/server/core/src/https/v1.rs 84 - 
@@ -1,17 +1,17 @@ 85 - //! The V1 API things! 86 - 87 - use axum::extract::{Path, State}; 88 - use axum::http::{HeaderMap, HeaderValue}; 89 - use axum::middleware::from_fn; 90 - use axum::response::{IntoResponse, Response}; 91 - -use axum::routing::{delete, get, post, put}; 92 - +use axum::routing::{delete, get, post, put, patch}; 93 - use axum::{Extension, Json, Router}; 94 - use axum_extra::extract::cookie::{Cookie, CookieJar, SameSite}; 95 - use compact_jwt::{Jwk, Jws, JwsSigner}; 96 - use kanidm_proto::constants::uri::V1_AUTH_VALID; 97 - use std::net::IpAddr; 98 - use uuid::Uuid; 99 - 100 - use kanidm_proto::internal::{ 101 - ApiToken, AppLink, CUIntentToken, CURequest, CUSessionToken, CUStatus, CreateRequest, 102 - CredentialStatus, DeleteRequest, IdentifyUserRequest, IdentifyUserResponse, ModifyRequest, 103 - @@ -3119,20 +3119,24 @@ pub(crate) fn route_setup(state: ServerState) -> Router<ServerState> { 104 - ) 105 - .route( 106 - "/v1/oauth2/:rs_name/_image", 107 - post(super::v1_oauth2::oauth2_id_image_post) 108 - .delete(super::v1_oauth2::oauth2_id_image_delete), 109 - ) 110 - .route( 111 - "/v1/oauth2/:rs_name/_basic_secret", 112 - get(super::v1_oauth2::oauth2_id_get_basic_secret), 113 - ) 114 - + .route( 115 - + "/v1/oauth2/:rs_name/_basic_secret", 116 - + patch(super::v1_oauth2::oauth2_id_patch_basic_secret), 117 - + ) 118 - .route( 119 - "/v1/oauth2/:rs_name/_scopemap/:group", 120 - post(super::v1_oauth2::oauth2_id_scopemap_post) 121 - .delete(super::v1_oauth2::oauth2_id_scopemap_delete), 122 - ) 123 - .route( 124 - "/v1/oauth2/:rs_name/_sup_scopemap/:group", 125 - post(super::v1_oauth2::oauth2_id_sup_scopemap_post) 126 - .delete(super::v1_oauth2::oauth2_id_sup_scopemap_delete), 127 - ) 128 - diff --git a/server/core/src/https/v1_oauth2.rs b/server/core/src/https/v1_oauth2.rs 129 - index 5e481afab..a771aed04 100644 130 - --- a/server/core/src/https/v1_oauth2.rs 131 - +++ b/server/core/src/https/v1_oauth2.rs 132 - 
@@ -144,20 +144,49 @@ pub(crate) async fn oauth2_id_get_basic_secret( 133 - ) -> Result<Json<Option<String>>, WebError> { 134 - let filter = oauth2_id(&rs_name); 135 - state 136 - .qe_r_ref 137 - .handle_oauth2_basic_secret_read(client_auth_info, filter, kopid.eventid) 138 - .await 139 - .map(Json::from) 140 - .map_err(WebError::from) 141 - } 142 - 143 - +#[utoipa::path( 144 - + patch, 145 - + path = "/v1/oauth2/{rs_name}/_basic_secret", 146 - + request_body=ProtoEntry, 147 - + responses( 148 - + DefaultApiResponse, 149 - + ), 150 - + security(("token_jwt" = [])), 151 - + tag = "v1/oauth2", 152 - + operation_id = "oauth2_id_patch_basic_secret" 153 - +)] 154 - +/// Overwrite the basic secret for a given OAuth2 Resource Server. 155 - +#[instrument(level = "info", skip(state, new_secret))] 156 - +pub(crate) async fn oauth2_id_patch_basic_secret( 157 - + State(state): State<ServerState>, 158 - + Extension(kopid): Extension<KOpId>, 159 - + VerifiedClientInformation(client_auth_info): VerifiedClientInformation, 160 - + Path(rs_name): Path<String>, 161 - + Json(new_secret): Json<String>, 162 - +) -> Result<Json<()>, WebError> { 163 - + let filter = oauth2_id(&rs_name); 164 - + state 165 - + .qe_w_ref 166 - + .handle_oauth2_basic_secret_write(client_auth_info, filter, new_secret, kopid.eventid) 167 - + .await 168 - + .map(Json::from) 169 - + .map_err(WebError::from) 170 - +} 171 - + 172 - #[utoipa::path( 173 - patch, 174 - path = "/v1/oauth2/{rs_name}", 175 - request_body=ProtoEntry, 176 - responses( 177 - DefaultApiResponse, 178 - ), 179 - security(("token_jwt" = [])), 180 - tag = "v1/oauth2", 181 - operation_id = "oauth2_id_patch" 182 - diff --git a/server/lib/src/constants/acp.rs b/server/lib/src/constants/acp.rs 183 - index f3409649d..42e407b7d 100644 184 - --- a/server/lib/src/constants/acp.rs 185 - +++ b/server/lib/src/constants/acp.rs 186 - 
@@ -645,34 +645,36 @@ lazy_static! { 187 - Attribute::Image, 188 - ], 189 - modify_present_attrs: vec![ 190 - Attribute::Description, 191 - Attribute::DisplayName, 192 - Attribute::OAuth2RsName, 193 - Attribute::OAuth2RsOrigin, 194 - Attribute::OAuth2RsOriginLanding, 195 - Attribute::OAuth2RsSupScopeMap, 196 - Attribute::OAuth2RsScopeMap, 197 - + Attribute::OAuth2RsBasicSecret, 198 - Attribute::OAuth2AllowInsecureClientDisablePkce, 199 - Attribute::OAuth2JwtLegacyCryptoEnable, 200 - Attribute::OAuth2PreferShortUsername, 201 - Attribute::Image, 202 - ], 203 - create_attrs: vec![ 204 - Attribute::Class, 205 - Attribute::Description, 206 - Attribute::DisplayName, 207 - Attribute::OAuth2RsName, 208 - Attribute::OAuth2RsOrigin, 209 - Attribute::OAuth2RsOriginLanding, 210 - Attribute::OAuth2RsSupScopeMap, 211 - Attribute::OAuth2RsScopeMap, 212 - + Attribute::OAuth2RsBasicSecret, 213 - Attribute::OAuth2AllowInsecureClientDisablePkce, 214 - Attribute::OAuth2JwtLegacyCryptoEnable, 215 - Attribute::OAuth2PreferShortUsername, 216 - Attribute::Image, 217 - ], 218 - create_classes: vec![ 219 - EntryClass::Object, 220 - EntryClass::OAuth2ResourceServer, 221 - EntryClass::OAuth2ResourceServerBasic, 222 - EntryClass::OAuth2ResourceServerPublic, 223 - 
@@ -739,36 +741,38 @@ lazy_static! { 224 - Attribute::Image, 225 - ], 226 - modify_present_attrs: vec![ 227 - Attribute::Description, 228 - Attribute::DisplayName, 229 - Attribute::OAuth2RsName, 230 - Attribute::OAuth2RsOrigin, 231 - Attribute::OAuth2RsOriginLanding, 232 - Attribute::OAuth2RsSupScopeMap, 233 - Attribute::OAuth2RsScopeMap, 234 - + Attribute::OAuth2RsBasicSecret, 235 - Attribute::OAuth2AllowInsecureClientDisablePkce, 236 - Attribute::OAuth2JwtLegacyCryptoEnable, 237 - Attribute::OAuth2PreferShortUsername, 238 - Attribute::OAuth2AllowLocalhostRedirect, 239 - Attribute::OAuth2RsClaimMap, 240 - Attribute::Image, 241 - ], 242 - create_attrs: vec![ 243 - Attribute::Class, 244 - Attribute::Description, 245 - Attribute::DisplayName, 246 - Attribute::OAuth2RsName, 247 - Attribute::OAuth2RsOrigin, 248 - Attribute::OAuth2RsOriginLanding, 249 - Attribute::OAuth2RsSupScopeMap, 250 - Attribute::OAuth2RsScopeMap, 251 - + Attribute::OAuth2RsBasicSecret, 252 - Attribute::OAuth2AllowInsecureClientDisablePkce, 253 - Attribute::OAuth2JwtLegacyCryptoEnable, 254 - Attribute::OAuth2PreferShortUsername, 255 - Attribute::OAuth2AllowLocalhostRedirect, 256 - Attribute::OAuth2RsClaimMap, 257 - Attribute::Image, 258 - ], 259 - create_classes: vec![ 260 - EntryClass::Object, 261 - EntryClass::OAuth2ResourceServer, 262 - 
@@ -840,36 +844,38 @@ lazy_static! { 263 - Attribute::Image, 264 - ], 265 - modify_present_attrs: vec![ 266 - Attribute::Description, 267 - Attribute::DisplayName, 268 - Attribute::Name, 269 - Attribute::OAuth2RsOrigin, 270 - Attribute::OAuth2RsOriginLanding, 271 - Attribute::OAuth2RsSupScopeMap, 272 - Attribute::OAuth2RsScopeMap, 273 - + Attribute::OAuth2RsBasicSecret, 274 - Attribute::OAuth2AllowInsecureClientDisablePkce, 275 - Attribute::OAuth2JwtLegacyCryptoEnable, 276 - Attribute::OAuth2PreferShortUsername, 277 - Attribute::OAuth2AllowLocalhostRedirect, 278 - Attribute::OAuth2RsClaimMap, 279 - Attribute::Image, 280 - ], 281 - create_attrs: vec![ 282 - Attribute::Class, 283 - Attribute::Description, 284 - Attribute::Name, 285 - Attribute::OAuth2RsName, 286 - Attribute::OAuth2RsOrigin, 287 - Attribute::OAuth2RsOriginLanding, 288 - Attribute::OAuth2RsSupScopeMap, 289 - Attribute::OAuth2RsScopeMap, 290 - + Attribute::OAuth2RsBasicSecret, 291 - Attribute::OAuth2AllowInsecureClientDisablePkce, 292 - Attribute::OAuth2JwtLegacyCryptoEnable, 293 - Attribute::OAuth2PreferShortUsername, 294 - Attribute::OAuth2AllowLocalhostRedirect, 295 - Attribute::OAuth2RsClaimMap, 296 - Attribute::Image, 297 - ], 298 - create_classes: vec![ 299 - EntryClass::Object, 300 - EntryClass::Account, 301 - -- 302 - 2.45.2 303 -
-174
pkgs/by-name/ka/kanidm/patches/1_3/recover-account.patch
··· 1 - From cc8269489b56755714f07eee4671f8aa2659c014 Mon Sep 17 00:00:00 2001 2 - From: oddlama <oddlama@oddlama.org> 3 - Date: Mon, 12 Aug 2024 23:17:42 +0200 4 - Subject: [PATCH 2/2] recover account 5 - 6 - --- 7 - server/core/src/actors/internal.rs | 3 ++- 8 - server/core/src/admin.rs | 6 +++--- 9 - server/daemon/src/main.rs | 14 +++++++++++++- 10 - server/daemon/src/opt.rs | 4 ++++ 11 - 4 files changed, 22 insertions(+), 5 deletions(-) 12 - 13 - diff --git a/server/core/src/actors/internal.rs b/server/core/src/actors/internal.rs 14 - index 40c18777f..40d553b40 100644 15 - --- a/server/core/src/actors/internal.rs 16 - +++ b/server/core/src/actors/internal.rs 17 - @@ -153,25 +153,26 @@ impl QueryServerWriteV1 { 18 - } 19 - 20 - #[instrument( 21 - level = "info", 22 - - skip(self, eventid), 23 - + skip(self, password, eventid), 24 - fields(uuid = ?eventid) 25 - )] 26 - pub(crate) async fn handle_admin_recover_account( 27 - &self, 28 - name: String, 29 - + password: Option<String>, 30 - eventid: Uuid, 31 - ) -> Result<String, OperationError> { 32 - let ct = duration_from_epoch_now(); 33 - let mut idms_prox_write = self.idms.proxy_write(ct).await; 34 - - let pw = idms_prox_write.recover_account(name.as_str(), None)?; 35 - + let pw = idms_prox_write.recover_account(name.as_str(), password.as_deref())?; 36 - 37 - idms_prox_write.commit().map(|()| pw) 38 - } 39 - 40 - #[instrument( 41 - level = "info", 42 - skip_all, 43 - fields(uuid = ?eventid) 44 - )] 45 - pub(crate) async fn handle_domain_raise(&self, eventid: Uuid) -> Result<u32, OperationError> { 46 - diff --git a/server/core/src/admin.rs b/server/core/src/admin.rs 47 - index 90ccb1927..85e31ddef 100644 48 - --- a/server/core/src/admin.rs 49 - +++ b/server/core/src/admin.rs 50 - 
@@ -17,21 +17,21 @@ use tokio_util::codec::{Decoder, Encoder, Framed}; 51 - use tracing::{span, Instrument, Level}; 52 - use uuid::Uuid; 53 - 54 - pub use kanidm_proto::internal::{ 55 - DomainInfo as ProtoDomainInfo, DomainUpgradeCheckReport as ProtoDomainUpgradeCheckReport, 56 - DomainUpgradeCheckStatus as ProtoDomainUpgradeCheckStatus, 57 - }; 58 - 59 - #[derive(Serialize, Deserialize, Debug)] 60 - pub enum AdminTaskRequest { 61 - - RecoverAccount { name: String }, 62 - + RecoverAccount { name: String, password: Option<String> }, 63 - ShowReplicationCertificate, 64 - RenewReplicationCertificate, 65 - RefreshReplicationConsumer, 66 - DomainShow, 67 - DomainUpgradeCheck, 68 - DomainRaise, 69 - DomainRemigrate { level: Option<u32> }, 70 - } 71 - 72 - #[derive(Serialize, Deserialize, Debug)] 73 - @@ -302,22 +302,22 @@ async fn handle_client( 74 - let mut reqs = Framed::new(sock, ServerCodec); 75 - 76 - trace!("Waiting for requests ..."); 77 - while let Some(Ok(req)) = reqs.next().await { 78 - // Setup the logging span 79 - let eventid = Uuid::new_v4(); 80 - let nspan = span!(Level::INFO, "handle_admin_client_request", uuid = ?eventid); 81 - 82 - let resp = async { 83 - match req { 84 - - AdminTaskRequest::RecoverAccount { name } => { 85 - - match server_rw.handle_admin_recover_account(name, eventid).await { 86 - + AdminTaskRequest::RecoverAccount { name, password } => { 87 - + match server_rw.handle_admin_recover_account(name, password, eventid).await { 88 - Ok(password) => AdminTaskResponse::RecoverAccount { password }, 89 - Err(e) => { 90 - error!(err = ?e, "error during recover-account"); 91 - AdminTaskResponse::Error 92 - } 93 - } 94 - } 95 - AdminTaskRequest::ShowReplicationCertificate => match repl_ctrl_tx.as_mut() { 96 - Some(ctrl_tx) => show_replication_certificate(ctrl_tx).await, 97 - None => { 98 - diff --git a/server/daemon/src/main.rs b/server/daemon/src/main.rs 99 - index 577995615..a967928c9 100644 100 - --- a/server/daemon/src/main.rs 101 - 
+++ b/server/daemon/src/main.rs 102 - @@ -894,27 +894,39 @@ async fn kanidm_main( 103 - } else { 104 - let output_mode: ConsoleOutputMode = commonopts.output_mode.to_owned().into(); 105 - submit_admin_req( 106 - config.adminbindpath.as_str(), 107 - AdminTaskRequest::RefreshReplicationConsumer, 108 - output_mode, 109 - ) 110 - .await; 111 - } 112 - } 113 - - KanidmdOpt::RecoverAccount { name, commonopts } => { 114 - + KanidmdOpt::RecoverAccount { name, from_environment, commonopts } => { 115 - info!("Running account recovery ..."); 116 - let output_mode: ConsoleOutputMode = commonopts.output_mode.to_owned().into(); 117 - + let password = if *from_environment { 118 - + match std::env::var("KANIDM_RECOVER_ACCOUNT_PASSWORD") { 119 - + Ok(val) => Some(val), 120 - + _ => { 121 - + error!("Environment variable KANIDM_RECOVER_ACCOUNT_PASSWORD not set"); 122 - + return ExitCode::FAILURE; 123 - + } 124 - + } 125 - + } else { 126 - + None 127 - + }; 128 - submit_admin_req( 129 - config.adminbindpath.as_str(), 130 - AdminTaskRequest::RecoverAccount { 131 - name: name.to_owned(), 132 - + password, 133 - }, 134 - output_mode, 135 - ) 136 - .await; 137 - } 138 - KanidmdOpt::Database { 139 - commands: DbCommands::Reindex(_copt), 140 - } => { 141 - info!("Running in reindex mode ..."); 142 - reindex_server_core(&config).await; 143 - diff --git a/server/daemon/src/opt.rs b/server/daemon/src/opt.rs 144 - index f1b45a5b3..9c013e32e 100644 145 - --- a/server/daemon/src/opt.rs 146 - +++ b/server/daemon/src/opt.rs 147 - 
@@ -229,20 +229,24 @@ enum KanidmdOpt { 148 - /// Create a self-signed ca and tls certificate in the locations listed from the 149 - /// configuration. These certificates should *not* be used in production, they 150 - /// are for testing and evaluation only! 151 - CertGenerate(CommonOpt), 152 - #[clap(name = "recover-account")] 153 - /// Recover an account's password 154 - RecoverAccount { 155 - #[clap(value_parser)] 156 - /// The account name to recover credentials for. 157 - name: String, 158 - + /// Use the password given in the environment variable 159 - + /// `KANIDM_RECOVER_ACCOUNT_PASSWORD` instead of generating one. 160 - + #[clap(long = "from-environment")] 161 - + from_environment: bool, 162 - #[clap(flatten)] 163 - commonopts: CommonOpt, 164 - }, 165 - /// Display this server's replication certificate 166 - ShowReplicationCertificate { 167 - #[clap(flatten)] 168 - commonopts: CommonOpt, 169 - }, 170 - /// Renew this server's replication certificate 171 - RenewReplicationCertificate { 172 - -- 173 - 2.45.2 174 -
-308
pkgs/by-name/ka/kanidm/patches/1_4/oauth2-basic-secret-modify.patch
··· 1 - From e9dfca73e6fb80faf6fc106e7aee6b93c0908525 Mon Sep 17 00:00:00 2001 2 - From: oddlama <oddlama@oddlama.org> 3 - Date: Fri, 1 Nov 2024 12:26:17 +0100 4 - Subject: [PATCH 1/2] oauth2 basic secret modify 5 - 6 - --- 7 - server/core/src/actors/v1_write.rs | 42 ++++++++++++++++++++++++++++++ 8 - server/core/src/https/v1.rs | 6 ++++- 9 - server/core/src/https/v1_oauth2.rs | 29 +++++++++++++++++++++ 10 - server/lib/src/constants/acp.rs | 6 +++++ 11 - 4 files changed, 82 insertions(+), 1 deletion(-) 12 - 13 - diff --git a/server/core/src/actors/v1_write.rs b/server/core/src/actors/v1_write.rs 14 - index 732e826c8..0fe66503f 100644 15 - --- a/server/core/src/actors/v1_write.rs 16 - +++ b/server/core/src/actors/v1_write.rs 17 - 
@@ -317,20 +317,62 @@ impl QueryServerWriteV1 { 18 - }; 19 - 20 - trace!(?del, "Begin delete event"); 21 - 22 - idms_prox_write 23 - .qs_write 24 - .delete(&del) 25 - .and_then(|_| idms_prox_write.commit().map(|_| ())) 26 - } 27 - 28 - + #[instrument( 29 - + level = "info", 30 - + skip_all, 31 - + fields(uuid = ?eventid) 32 - + )] 33 - + pub async fn handle_oauth2_basic_secret_write( 34 - + &self, 35 - + client_auth_info: ClientAuthInfo, 36 - + filter: Filter<FilterInvalid>, 37 - + new_secret: String, 38 - + eventid: Uuid, 39 - + ) -> Result<(), OperationError> { 40 - + // Given a protoEntry, turn this into a modification set. 41 - + let ct = duration_from_epoch_now(); 42 - + let mut idms_prox_write = self.idms.proxy_write(ct).await?; 43 - + let ident = idms_prox_write 44 - + .validate_client_auth_info_to_ident(client_auth_info, ct) 45 - + .map_err(|e| { 46 - + admin_error!(err = ?e, "Invalid identity"); 47 - + e 48 - + })?; 49 - + 50 - + let modlist = ModifyList::new_purge_and_set( 51 - + Attribute::OAuth2RsBasicSecret, 52 - + Value::SecretValue(new_secret), 53 - + ); 54 - + 55 - + let mdf = 56 - + ModifyEvent::from_internal_parts(ident, &modlist, &filter, &idms_prox_write.qs_write) 57 - + .map_err(|e| { 58 - + admin_error!(err = ?e, "Failed to begin modify during handle_oauth2_basic_secret_write"); 59 - + e 60 - + })?; 61 - + 62 - + trace!(?mdf, "Begin modify event"); 63 - + 64 - + idms_prox_write 65 - + .qs_write 66 - + .modify(&mdf) 67 - + .and_then(|_| idms_prox_write.commit()) 68 - + } 69 - + 70 - #[instrument( 71 - level = "info", 72 - skip_all, 73 - fields(uuid = ?eventid) 74 - )] 75 - pub async fn handle_reviverecycled( 76 - &self, 77 - client_auth_info: ClientAuthInfo, 78 - filter: Filter<FilterInvalid>, 79 - eventid: Uuid, 80 - diff --git a/server/core/src/https/v1.rs b/server/core/src/https/v1.rs 81 - index c410a4b5d..cc67cac6c 100644 82 - --- a/server/core/src/https/v1.rs 83 - +++ b/server/core/src/https/v1.rs 84 - 
@@ -1,17 +1,17 @@ 85 - //! The V1 API things! 86 - 87 - use axum::extract::{Path, State}; 88 - use axum::http::{HeaderMap, HeaderValue}; 89 - use axum::middleware::from_fn; 90 - use axum::response::{IntoResponse, Response}; 91 - -use axum::routing::{delete, get, post, put}; 92 - +use axum::routing::{delete, get, post, put, patch}; 93 - use axum::{Extension, Json, Router}; 94 - use axum_extra::extract::cookie::{Cookie, CookieJar, SameSite}; 95 - use compact_jwt::{Jwk, Jws, JwsSigner}; 96 - use kanidm_proto::constants::uri::V1_AUTH_VALID; 97 - use std::net::IpAddr; 98 - use uuid::Uuid; 99 - 100 - use kanidm_proto::internal::{ 101 - ApiToken, AppLink, CUIntentToken, CURequest, CUSessionToken, CUStatus, CreateRequest, 102 - CredentialStatus, DeleteRequest, IdentifyUserRequest, IdentifyUserResponse, ModifyRequest, 103 - @@ -3120,20 +3120,24 @@ pub(crate) fn route_setup(state: ServerState) -> Router<ServerState> { 104 - ) 105 - .route( 106 - "/v1/oauth2/:rs_name/_image", 107 - post(super::v1_oauth2::oauth2_id_image_post) 108 - .delete(super::v1_oauth2::oauth2_id_image_delete), 109 - ) 110 - .route( 111 - "/v1/oauth2/:rs_name/_basic_secret", 112 - get(super::v1_oauth2::oauth2_id_get_basic_secret), 113 - ) 114 - + .route( 115 - + "/v1/oauth2/:rs_name/_basic_secret", 116 - + patch(super::v1_oauth2::oauth2_id_patch_basic_secret), 117 - + ) 118 - .route( 119 - "/v1/oauth2/:rs_name/_scopemap/:group", 120 - post(super::v1_oauth2::oauth2_id_scopemap_post) 121 - .delete(super::v1_oauth2::oauth2_id_scopemap_delete), 122 - ) 123 - .route( 124 - "/v1/oauth2/:rs_name/_sup_scopemap/:group", 125 - post(super::v1_oauth2::oauth2_id_sup_scopemap_post) 126 - .delete(super::v1_oauth2::oauth2_id_sup_scopemap_delete), 127 - ) 128 - diff --git a/server/core/src/https/v1_oauth2.rs b/server/core/src/https/v1_oauth2.rs 129 - index d3966a7ad..f89c02c69 100644 130 - --- a/server/core/src/https/v1_oauth2.rs 131 - +++ b/server/core/src/https/v1_oauth2.rs 132 - 
@@ -144,20 +144,49 @@ pub(crate) async fn oauth2_id_get_basic_secret( 133 - ) -> Result<Json<Option<String>>, WebError> { 134 - let filter = oauth2_id(&rs_name); 135 - state 136 - .qe_r_ref 137 - .handle_oauth2_basic_secret_read(client_auth_info, filter, kopid.eventid) 138 - .await 139 - .map(Json::from) 140 - .map_err(WebError::from) 141 - } 142 - 143 - +#[utoipa::path( 144 - + patch, 145 - + path = "/v1/oauth2/{rs_name}/_basic_secret", 146 - + request_body=ProtoEntry, 147 - + responses( 148 - + DefaultApiResponse, 149 - + ), 150 - + security(("token_jwt" = [])), 151 - + tag = "v1/oauth2", 152 - + operation_id = "oauth2_id_patch_basic_secret" 153 - +)] 154 - +/// Overwrite the basic secret for a given OAuth2 Resource Server. 155 - +#[instrument(level = "info", skip(state, new_secret))] 156 - +pub(crate) async fn oauth2_id_patch_basic_secret( 157 - + State(state): State<ServerState>, 158 - + Extension(kopid): Extension<KOpId>, 159 - + VerifiedClientInformation(client_auth_info): VerifiedClientInformation, 160 - + Path(rs_name): Path<String>, 161 - + Json(new_secret): Json<String>, 162 - +) -> Result<Json<()>, WebError> { 163 - + let filter = oauth2_id(&rs_name); 164 - + state 165 - + .qe_w_ref 166 - + .handle_oauth2_basic_secret_write(client_auth_info, filter, new_secret, kopid.eventid) 167 - + .await 168 - + .map(Json::from) 169 - + .map_err(WebError::from) 170 - +} 171 - + 172 - #[utoipa::path( 173 - patch, 174 - path = "/v1/oauth2/{rs_name}", 175 - request_body=ProtoEntry, 176 - responses( 177 - DefaultApiResponse, 178 - ), 179 - security(("token_jwt" = [])), 180 - tag = "v1/oauth2", 181 - operation_id = "oauth2_id_patch" 182 - diff --git a/server/lib/src/constants/acp.rs b/server/lib/src/constants/acp.rs 183 - index be1836345..ebf4445be 100644 184 - --- a/server/lib/src/constants/acp.rs 185 - +++ b/server/lib/src/constants/acp.rs 186 - 
@@ -658,36 +658,38 @@ lazy_static! { 187 - Attribute::Image, 188 - ], 189 - modify_present_attrs: vec![ 190 - Attribute::Description, 191 - Attribute::DisplayName, 192 - Attribute::OAuth2RsName, 193 - Attribute::OAuth2RsOrigin, 194 - Attribute::OAuth2RsOriginLanding, 195 - Attribute::OAuth2RsSupScopeMap, 196 - Attribute::OAuth2RsScopeMap, 197 - + Attribute::OAuth2RsBasicSecret, 198 - Attribute::OAuth2AllowInsecureClientDisablePkce, 199 - Attribute::OAuth2JwtLegacyCryptoEnable, 200 - Attribute::OAuth2PreferShortUsername, 201 - Attribute::OAuth2AllowLocalhostRedirect, 202 - Attribute::OAuth2RsClaimMap, 203 - Attribute::Image, 204 - ], 205 - create_attrs: vec![ 206 - Attribute::Class, 207 - Attribute::Description, 208 - Attribute::DisplayName, 209 - Attribute::OAuth2RsName, 210 - Attribute::OAuth2RsOrigin, 211 - Attribute::OAuth2RsOriginLanding, 212 - Attribute::OAuth2RsSupScopeMap, 213 - Attribute::OAuth2RsScopeMap, 214 - + Attribute::OAuth2RsBasicSecret, 215 - Attribute::OAuth2AllowInsecureClientDisablePkce, 216 - Attribute::OAuth2JwtLegacyCryptoEnable, 217 - Attribute::OAuth2PreferShortUsername, 218 - Attribute::OAuth2AllowLocalhostRedirect, 219 - Attribute::OAuth2RsClaimMap, 220 - Attribute::Image, 221 - ], 222 - create_classes: vec![ 223 - EntryClass::Object, 224 - EntryClass::OAuth2ResourceServer, 225 - 
@@ -759,37 +761,39 @@ lazy_static! { 226 - Attribute::Image, 227 - ], 228 - modify_present_attrs: vec![ 229 - Attribute::Description, 230 - Attribute::DisplayName, 231 - Attribute::Name, 232 - Attribute::OAuth2RsOrigin, 233 - Attribute::OAuth2RsOriginLanding, 234 - Attribute::OAuth2RsSupScopeMap, 235 - Attribute::OAuth2RsScopeMap, 236 - + Attribute::OAuth2RsBasicSecret, 237 - Attribute::OAuth2AllowInsecureClientDisablePkce, 238 - Attribute::OAuth2JwtLegacyCryptoEnable, 239 - Attribute::OAuth2PreferShortUsername, 240 - Attribute::OAuth2AllowLocalhostRedirect, 241 - Attribute::OAuth2RsClaimMap, 242 - Attribute::Image, 243 - ], 244 - create_attrs: vec![ 245 - Attribute::Class, 246 - Attribute::Description, 247 - Attribute::Name, 248 - Attribute::DisplayName, 249 - Attribute::OAuth2RsName, 250 - Attribute::OAuth2RsOrigin, 251 - Attribute::OAuth2RsOriginLanding, 252 - Attribute::OAuth2RsSupScopeMap, 253 - Attribute::OAuth2RsScopeMap, 254 - + Attribute::OAuth2RsBasicSecret, 255 - Attribute::OAuth2AllowInsecureClientDisablePkce, 256 - Attribute::OAuth2JwtLegacyCryptoEnable, 257 - Attribute::OAuth2PreferShortUsername, 258 - Attribute::OAuth2AllowLocalhostRedirect, 259 - Attribute::OAuth2RsClaimMap, 260 - Attribute::Image, 261 - ], 262 - create_classes: vec![ 263 - EntryClass::Object, 264 - EntryClass::Account, 265 - 
@@ -864,38 +868,40 @@ lazy_static! { 266 - Attribute::OAuth2StrictRedirectUri, 267 - ], 268 - modify_present_attrs: vec![ 269 - Attribute::Description, 270 - Attribute::DisplayName, 271 - Attribute::Name, 272 - Attribute::OAuth2RsOrigin, 273 - Attribute::OAuth2RsOriginLanding, 274 - Attribute::OAuth2RsSupScopeMap, 275 - Attribute::OAuth2RsScopeMap, 276 - + Attribute::OAuth2RsBasicSecret, 277 - Attribute::OAuth2AllowInsecureClientDisablePkce, 278 - Attribute::OAuth2JwtLegacyCryptoEnable, 279 - Attribute::OAuth2PreferShortUsername, 280 - Attribute::OAuth2AllowLocalhostRedirect, 281 - Attribute::OAuth2RsClaimMap, 282 - Attribute::Image, 283 - Attribute::OAuth2StrictRedirectUri, 284 - ], 285 - create_attrs: vec![ 286 - Attribute::Class, 287 - Attribute::Description, 288 - Attribute::Name, 289 - Attribute::DisplayName, 290 - Attribute::OAuth2RsName, 291 - Attribute::OAuth2RsOrigin, 292 - Attribute::OAuth2RsOriginLanding, 293 - Attribute::OAuth2RsSupScopeMap, 294 - Attribute::OAuth2RsScopeMap, 295 - + Attribute::OAuth2RsBasicSecret, 296 - Attribute::OAuth2AllowInsecureClientDisablePkce, 297 - Attribute::OAuth2JwtLegacyCryptoEnable, 298 - Attribute::OAuth2PreferShortUsername, 299 - Attribute::OAuth2AllowLocalhostRedirect, 300 - Attribute::OAuth2RsClaimMap, 301 - Attribute::Image, 302 - Attribute::OAuth2StrictRedirectUri, 303 - ], 304 - create_classes: vec![ 305 - EntryClass::Object, 306 - -- 307 - 2.46.1 308 -
-174
pkgs/by-name/ka/kanidm/patches/1_4/recover-account.patch
··· 1 - From c8ed69efe3f702b19834c2659be1dd3ec2d41c17 Mon Sep 17 00:00:00 2001 2 - From: oddlama <oddlama@oddlama.org> 3 - Date: Fri, 1 Nov 2024 12:27:43 +0100 4 - Subject: [PATCH 2/2] recover account 5 - 6 - --- 7 - server/core/src/actors/internal.rs | 3 ++- 8 - server/core/src/admin.rs | 6 +++--- 9 - server/daemon/src/main.rs | 14 +++++++++++++- 10 - server/daemon/src/opt.rs | 4 ++++ 11 - 4 files changed, 22 insertions(+), 5 deletions(-) 12 - 13 - diff --git a/server/core/src/actors/internal.rs b/server/core/src/actors/internal.rs 14 - index 420e72c6c..5c4353116 100644 15 - --- a/server/core/src/actors/internal.rs 16 - +++ b/server/core/src/actors/internal.rs 17 - @@ -171,25 +171,26 @@ impl QueryServerWriteV1 { 18 - } 19 - 20 - #[instrument( 21 - level = "info", 22 - - skip(self, eventid), 23 - + skip(self, password, eventid), 24 - fields(uuid = ?eventid) 25 - )] 26 - pub(crate) async fn handle_admin_recover_account( 27 - &self, 28 - name: String, 29 - + password: Option<String>, 30 - eventid: Uuid, 31 - ) -> Result<String, OperationError> { 32 - let ct = duration_from_epoch_now(); 33 - let mut idms_prox_write = self.idms.proxy_write(ct).await?; 34 - - let pw = idms_prox_write.recover_account(name.as_str(), None)?; 35 - + let pw = idms_prox_write.recover_account(name.as_str(), password.as_deref())?; 36 - 37 - idms_prox_write.commit().map(|()| pw) 38 - } 39 - 40 - #[instrument( 41 - level = "info", 42 - skip_all, 43 - fields(uuid = ?eventid) 44 - )] 45 - pub(crate) async fn handle_domain_raise(&self, eventid: Uuid) -> Result<u32, OperationError> { 46 - diff --git a/server/core/src/admin.rs b/server/core/src/admin.rs 47 - index 90ccb1927..85e31ddef 100644 48 - --- a/server/core/src/admin.rs 49 - +++ b/server/core/src/admin.rs 50 - 
@@ -17,21 +17,21 @@ use tokio_util::codec::{Decoder, Encoder, Framed}; 51 - use tracing::{span, Instrument, Level}; 52 - use uuid::Uuid; 53 - 54 - pub use kanidm_proto::internal::{ 55 - DomainInfo as ProtoDomainInfo, DomainUpgradeCheckReport as ProtoDomainUpgradeCheckReport, 56 - DomainUpgradeCheckStatus as ProtoDomainUpgradeCheckStatus, 57 - }; 58 - 59 - #[derive(Serialize, Deserialize, Debug)] 60 - pub enum AdminTaskRequest { 61 - - RecoverAccount { name: String }, 62 - + RecoverAccount { name: String, password: Option<String> }, 63 - ShowReplicationCertificate, 64 - RenewReplicationCertificate, 65 - RefreshReplicationConsumer, 66 - DomainShow, 67 - DomainUpgradeCheck, 68 - DomainRaise, 69 - DomainRemigrate { level: Option<u32> }, 70 - } 71 - 72 - #[derive(Serialize, Deserialize, Debug)] 73 - @@ -302,22 +302,22 @@ async fn handle_client( 74 - let mut reqs = Framed::new(sock, ServerCodec); 75 - 76 - trace!("Waiting for requests ..."); 77 - while let Some(Ok(req)) = reqs.next().await { 78 - // Setup the logging span 79 - let eventid = Uuid::new_v4(); 80 - let nspan = span!(Level::INFO, "handle_admin_client_request", uuid = ?eventid); 81 - 82 - let resp = async { 83 - match req { 84 - - AdminTaskRequest::RecoverAccount { name } => { 85 - - match server_rw.handle_admin_recover_account(name, eventid).await { 86 - + AdminTaskRequest::RecoverAccount { name, password } => { 87 - + match server_rw.handle_admin_recover_account(name, password, eventid).await { 88 - Ok(password) => AdminTaskResponse::RecoverAccount { password }, 89 - Err(e) => { 90 - error!(err = ?e, "error during recover-account"); 91 - AdminTaskResponse::Error 92 - } 93 - } 94 - } 95 - AdminTaskRequest::ShowReplicationCertificate => match repl_ctrl_tx.as_mut() { 96 - Some(ctrl_tx) => show_replication_certificate(ctrl_tx).await, 97 - None => { 98 - diff --git a/server/daemon/src/main.rs b/server/daemon/src/main.rs 99 - index 7486d34a8..784106352 100644 100 - --- a/server/daemon/src/main.rs 101 - 
+++ b/server/daemon/src/main.rs 102 - @@ -903,27 +903,39 @@ async fn kanidm_main( 103 - } else { 104 - let output_mode: ConsoleOutputMode = commonopts.output_mode.to_owned().into(); 105 - submit_admin_req( 106 - config.adminbindpath.as_str(), 107 - AdminTaskRequest::RefreshReplicationConsumer, 108 - output_mode, 109 - ) 110 - .await; 111 - } 112 - } 113 - - KanidmdOpt::RecoverAccount { name, commonopts } => { 114 - + KanidmdOpt::RecoverAccount { name, from_environment, commonopts } => { 115 - info!("Running account recovery ..."); 116 - let output_mode: ConsoleOutputMode = commonopts.output_mode.to_owned().into(); 117 - + let password = if *from_environment { 118 - + match std::env::var("KANIDM_RECOVER_ACCOUNT_PASSWORD") { 119 - + Ok(val) => Some(val), 120 - + _ => { 121 - + error!("Environment variable KANIDM_RECOVER_ACCOUNT_PASSWORD not set"); 122 - + return ExitCode::FAILURE; 123 - + } 124 - + } 125 - + } else { 126 - + None 127 - + }; 128 - submit_admin_req( 129 - config.adminbindpath.as_str(), 130 - AdminTaskRequest::RecoverAccount { 131 - name: name.to_owned(), 132 - + password, 133 - }, 134 - output_mode, 135 - ) 136 - .await; 137 - } 138 - KanidmdOpt::Database { 139 - commands: DbCommands::Reindex(_copt), 140 - } => { 141 - info!("Running in reindex mode ..."); 142 - reindex_server_core(&config).await; 143 - diff --git a/server/daemon/src/opt.rs b/server/daemon/src/opt.rs 144 - index f1b45a5b3..9c013e32e 100644 145 - --- a/server/daemon/src/opt.rs 146 - +++ b/server/daemon/src/opt.rs 147 - 
@@ -229,20 +229,24 @@ enum KanidmdOpt { 148 - /// Create a self-signed ca and tls certificate in the locations listed from the 149 - /// configuration. These certificates should *not* be used in production, they 150 - /// are for testing and evaluation only! 151 - CertGenerate(CommonOpt), 152 - #[clap(name = "recover-account")] 153 - /// Recover an account's password 154 - RecoverAccount { 155 - #[clap(value_parser)] 156 - /// The account name to recover credentials for. 157 - name: String, 158 - + /// Use the password given in the environment variable 159 - + /// `KANIDM_RECOVER_ACCOUNT_PASSWORD` instead of generating one. 160 - + #[clap(long = "from-environment")] 161 - + from_environment: bool, 162 - #[clap(flatten)] 163 - commonopts: CommonOpt, 164 - }, 165 - /// Display this server's replication certificate 166 - ShowReplicationCertificate { 167 - #[clap(flatten)] 168 - commonopts: CommonOpt, 169 - }, 170 - /// Renew this server's replication certificate 171 - RenewReplicationCertificate { 172 - -- 173 - 2.46.1 174 -
+2
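--- a/pkgs/top-level/aliases.nix
+++ b/pkgs/top-level/aliases.nix
@@ -973,6 +973,8 @@
 kafkacat = throw "'kafkacat' has been renamed to/replaced by 'kcat'"; # Converted to throw 2024-10-17
 kak-lsp = kakoune-lsp; # Added 2024-04-01
 kanidm_1_3 = throw "'kanidm_1_3' has been removed as it has reached end of life"; # Added 2025-03-10
+kanidm_1_4 = throw "'kanidm_1_4' has been removed as it has reached end of life"; # Added 2025-06-18
+kanidmWithSecretProvisioning_1_4 = throw "'kanidmWithSecretProvisioning_1_4' has been removed as it has reached end of life"; # Added 2025-06-18
 kdbplus = throw "'kdbplus' has been removed from nixpkgs"; # Added 2024-05-06
 kdeconnect = throw "'kdeconnect' has been renamed to/replaced by 'plasma5Packages.kdeconnect-kde'"; # Converted to throw 2024-10-17
 keepkey_agent = keepkey-agent; # added 2024-01-06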
-5
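--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -10373,15 +10373,10 @@
 
 jetty = jetty_12;
 
-kanidm_1_4 = callPackage ../by-name/ka/kanidm/1_4.nix { kanidm = kanidm_1_4; };
 kanidm_1_5 = callPackage ../by-name/ka/kanidm/1_5.nix { kanidm = kanidm_1_5; };
 kanidm_1_6 = callPackage ../by-name/ka/kanidm/1_6.nix { kanidm = kanidm_1_6; };
 
 kanidmWithSecretProvisioning = kanidmWithSecretProvisioning_1_6;
-
-kanidmWithSecretProvisioning_1_4 = callPackage ../by-name/ka/kanidm/1_4.nix {
-enableSecretProvisioning = true;
-};
 
 kanidmWithSecretProvisioning_1_5 = callPackage ../by-name/ka/kanidm/1_5.nix {
 enableSecretProvisioning = true;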
+2 -1
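--- a/pkgs/top-level/release.nix
+++ b/pkgs/top-level/release.nix
@@ -43,7 +43,8 @@
 # so users choosing to allow don't have to rebuild them every time.
 permittedInsecurePackages = [
 "olm-3.2.16" # see PR #347899
-"kanidm_1_4-1.4.6"
+"kanidm_1_5-1.5.0"
+"kanidmWithSecretProvisioning_1_5-1.5.0"
 ];
 };
 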
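Review bot: The two new `permittedInsecurePackages` entries hard-code the version `1.5.0`, but the `version` of the 1_5 package is not visible in this diff, and the allow-list only matches on the derivation's exact `name` (`pname-version`). If `1_5.nix` carries a later point release, both entries are dead strings and Hydra will silently stop building the now-unsupported package rather than keeping its cache warm for users who opt in. Please confirm `version` in `pkgs/by-name/ka/kanidm/1_5.nix` is exactly `1.5.0` before merging; if `release.nix` has the package set in scope at this point, deriving the strings (e.g. `kanidm_1_5.name` and `kanidmWithSecretProvisioning_1_5.name`) would remove the drift risk entirely.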