diff --git a/pkgs/by-name/ka/kanidm/1_6.nix b/pkgs/by-name/ka/kanidm/1_6.nix new file mode 100644 index 000000000000..5d8376611906 --- /dev/null +++ b/pkgs/by-name/ka/kanidm/1_6.nix @@ -0,0 +1,6 @@ +import ./generic.nix { + version = "1.6.2"; + hash = "sha256-rfQNx6yAj1mDW7UL8mz01TqMAET9D5fL02JhHeN5zV4="; + cargoHash = "sha256-3XUAwuRKtdnMNhH92lgwgeN2rMmzgqir1+OZNaTGmks="; + patchDir = ./patches/1_6; +} diff --git a/pkgs/by-name/ka/kanidm/package.nix b/pkgs/by-name/ka/kanidm/package.nix index 0b9178b3d6a7..a71683505630 100644 --- a/pkgs/by-name/ka/kanidm/package.nix +++ b/pkgs/by-name/ka/kanidm/package.nix @@ -1 +1 @@ -import ./1_5.nix +import ./1_6.nix diff --git a/pkgs/by-name/ka/kanidm/patches/1_6/oauth2-basic-secret-modify.patch b/pkgs/by-name/ka/kanidm/patches/1_6/oauth2-basic-secret-modify.patch new file mode 100644 index 000000000000..191f06626f0f --- /dev/null +++ b/pkgs/by-name/ka/kanidm/patches/1_6/oauth2-basic-secret-modify.patch @@ -0,0 +1,159 @@ +From fc26fe5ac9e9cd65af82609c5a4966c8f756ea0f Mon Sep 17 00:00:00 2001 +From: oddlama +Date: Fri, 21 Mar 2025 16:07:54 +0100 +Subject: [PATCH 1/2] oauth2 basic secret modify + +--- + server/core/src/actors/v1_write.rs | 42 +++++++++++++++++++++++++++++ + server/core/src/https/v1.rs | 6 ++++- + server/core/src/https/v1_oauth2.rs | 29 ++++++++++++++++++++ + server/lib/src/server/migrations.rs | 16 +++++++++++ + 4 files changed, 92 insertions(+), 1 deletion(-) + +diff --git a/server/core/src/actors/v1_write.rs b/server/core/src/actors/v1_write.rs +index 732e826c8..a2b8e503f 100644 +--- a/server/core/src/actors/v1_write.rs ++++ b/server/core/src/actors/v1_write.rs +@@ -324,6 +324,48 @@ impl QueryServerWriteV1 { + .and_then(|_| idms_prox_write.commit().map(|_| ())) + } + ++ #[instrument( ++ level = "info", ++ skip_all, ++ fields(uuid = ?eventid) ++ )] ++ pub async fn handle_oauth2_basic_secret_write( ++ &self, ++ client_auth_info: ClientAuthInfo, ++ filter: Filter, ++ new_secret: String, ++ eventid: Uuid, ++ ) -> Result<(), OperationError> { ++ // Given a protoEntry, turn this into a modification set. ++ let ct = duration_from_epoch_now(); ++ let mut idms_prox_write = self.idms.proxy_write(ct).await?; ++ let ident = idms_prox_write ++ .validate_client_auth_info_to_ident(client_auth_info, ct) ++ .map_err(|e| { ++ admin_error!(err = ?e, "Invalid identity"); ++ e ++ })?; ++ ++ let modlist = ModifyList::new_purge_and_set( ++ Attribute::OAuth2RsBasicSecret, ++ Value::SecretValue(new_secret), ++ ); ++ ++ let mdf = ++ ModifyEvent::from_internal_parts(ident, &modlist, &filter, &idms_prox_write.qs_write) ++ .map_err(|e| { ++ admin_error!(err = ?e, "Failed to begin modify during handle_oauth2_basic_secret_write"); ++ e ++ })?; ++ ++ trace!(?mdf, "Begin modify event"); ++ ++ idms_prox_write ++ .qs_write ++ .modify(&mdf) ++ .and_then(|_| idms_prox_write.commit()) ++ } ++ + #[instrument( + level = "info", + skip_all, +diff --git a/server/core/src/https/v1.rs b/server/core/src/https/v1.rs +index 30de387b8..a11aa8ecd 100644 +--- a/server/core/src/https/v1.rs ++++ b/server/core/src/https/v1.rs +@@ -4,7 +4,7 @@ use axum::extract::{Path, State}; + use axum::http::{HeaderMap, HeaderValue}; + use axum::middleware::from_fn; + use axum::response::{IntoResponse, Response}; +-use axum::routing::{delete, get, post, put}; ++use axum::routing::{delete, get, post, put, patch}; + use axum::{Extension, Json, Router}; + use axum_extra::extract::cookie::{Cookie, CookieJar, SameSite}; + use compact_jwt::{Jwk, Jws, JwsSigner}; +@@ -3129,6 +3129,10 @@ pub(crate) fn route_setup(state: ServerState) -> Router { + "/v1/oauth2/:rs_name/_basic_secret", + get(super::v1_oauth2::oauth2_id_get_basic_secret), + ) ++ .route( ++ "/v1/oauth2/:rs_name/_basic_secret", ++ patch(super::v1_oauth2::oauth2_id_patch_basic_secret), ++ ) + .route( + "/v1/oauth2/:rs_name/_scopemap/:group", + post(super::v1_oauth2::oauth2_id_scopemap_post) +diff --git a/server/core/src/https/v1_oauth2.rs b/server/core/src/https/v1_oauth2.rs +index f399539bc..ffad9921e 100644 +--- a/server/core/src/https/v1_oauth2.rs ++++ b/server/core/src/https/v1_oauth2.rs +@@ -151,6 +151,35 @@ pub(crate) async fn oauth2_id_get_basic_secret( + .map_err(WebError::from) + } + ++#[utoipa::path( ++ patch, ++ path = "/v1/oauth2/{rs_name}/_basic_secret", ++ request_body=ProtoEntry, ++ responses( ++ DefaultApiResponse, ++ ), ++ security(("token_jwt" = [])), ++ tag = "v1/oauth2", ++ operation_id = "oauth2_id_patch_basic_secret" ++)] ++/// Overwrite the basic secret for a given OAuth2 Resource Server. ++#[instrument(level = "info", skip(state, new_secret))] ++pub(crate) async fn oauth2_id_patch_basic_secret( ++ State(state): State, ++ Extension(kopid): Extension, ++ VerifiedClientInformation(client_auth_info): VerifiedClientInformation, ++ Path(rs_name): Path, ++ Json(new_secret): Json, ++) -> Result, WebError> { ++ let filter = oauth2_id(&rs_name); ++ state ++ .qe_w_ref ++ .handle_oauth2_basic_secret_write(client_auth_info, filter, new_secret, kopid.eventid) ++ .await ++ .map(Json::from) ++ .map_err(WebError::from) ++} ++ + #[utoipa::path( + patch, + path = "/v1/oauth2/{rs_name}", +diff --git a/server/lib/src/server/migrations.rs b/server/lib/src/server/migrations.rs +index fd0bca8db..8621714f2 100644 +--- a/server/lib/src/server/migrations.rs ++++ b/server/lib/src/server/migrations.rs +@@ -171,6 +171,22 @@ impl QueryServer { + reload_required = true; + }; + ++ // secret provisioning: allow idm_admin to modify OAuth2RsBasicSecret. ++ write_txn.internal_modify_uuid( ++ UUID_IDM_ACP_OAUTH2_MANAGE_V1, ++ &ModifyList::new_append( ++ Attribute::AcpCreateAttr, ++ Attribute::OAuth2RsBasicSecret.into(), ++ ), ++ )?; ++ write_txn.internal_modify_uuid( ++ UUID_IDM_ACP_OAUTH2_MANAGE_V1, ++ &ModifyList::new_append( ++ Attribute::AcpModifyPresentAttr, ++ Attribute::OAuth2RsBasicSecret.into(), ++ ), ++ )?; ++ + // Execute whatever operations we have batched up and ready to go. This is needed + // to preserve ordering of the operations - if we reloaded after a remigrate then + // we would have skipped the patch level fix which needs to have occurred *first*. +-- +2.49.0 + diff --git a/pkgs/by-name/ka/kanidm/patches/1_6/recover-account.patch b/pkgs/by-name/ka/kanidm/patches/1_6/recover-account.patch new file mode 100644 index 000000000000..1892cdf63a19 --- /dev/null +++ b/pkgs/by-name/ka/kanidm/patches/1_6/recover-account.patch @@ -0,0 +1,122 @@ +From 229165abe5be596fc2be8e285884813a1b5a38c8 Mon Sep 17 00:00:00 2001 +From: oddlama +Date: Fri, 21 Mar 2025 16:08:15 +0100 +Subject: [PATCH 2/2] recover account + +--- + server/core/src/actors/internal.rs | 5 +++-- + server/core/src/admin.rs | 6 +++--- + server/daemon/src/main.rs | 23 ++++++++++++++++++++++- + server/daemon/src/opt.rs | 7 +++++++ + 4 files changed, 35 insertions(+), 6 deletions(-) + +diff --git a/server/core/src/actors/internal.rs b/server/core/src/actors/internal.rs +index 420e72c6c..e252bca51 100644 +--- a/server/core/src/actors/internal.rs ++++ b/server/core/src/actors/internal.rs +@@ -172,17 +172,18 @@ impl QueryServerWriteV1 { + + #[instrument( + level = "info", +- skip(self, eventid), ++ skip(self, password, eventid), + fields(uuid = ?eventid) + )] + pub(crate) async fn handle_admin_recover_account( + &self, + name: String, ++ password: Option, + eventid: Uuid, + ) -> Result { + let ct = duration_from_epoch_now(); + let mut idms_prox_write = self.idms.proxy_write(ct).await?; +- let pw = idms_prox_write.recover_account(name.as_str(), None)?; ++ let pw = idms_prox_write.recover_account(name.as_str(), password.as_deref())?; + + idms_prox_write.commit().map(|()| pw) + } +diff --git a/server/core/src/admin.rs b/server/core/src/admin.rs +index 90ccb1927..85e31ddef 100644 +--- a/server/core/src/admin.rs ++++ b/server/core/src/admin.rs +@@ -24,7 +24,7 @@ pub use kanidm_proto::internal::{ + + #[derive(Serialize, Deserialize, Debug)] + pub enum AdminTaskRequest { +- RecoverAccount { name: String }, ++ RecoverAccount { name: String, password: Option }, + ShowReplicationCertificate, + RenewReplicationCertificate, + RefreshReplicationConsumer, +@@ -309,8 +309,8 @@ async fn handle_client( + + let resp = async { + match req { +- AdminTaskRequest::RecoverAccount { name } => { +- match server_rw.handle_admin_recover_account(name, eventid).await { ++ AdminTaskRequest::RecoverAccount { name, password } => { ++ match server_rw.handle_admin_recover_account(name, password, eventid).await { + Ok(password) => AdminTaskResponse::RecoverAccount { password }, + Err(e) => { + error!(err = ?e, "error during recover-account"); +diff --git a/server/daemon/src/main.rs b/server/daemon/src/main.rs +index c3b40faa0..2a57a307c 100644 +--- a/server/daemon/src/main.rs ++++ b/server/daemon/src/main.rs +@@ -923,13 +923,34 @@ async fn kanidm_main(config: Configuration, opt: KanidmdParser) -> ExitCode { + .await; + } + } +- KanidmdOpt::RecoverAccount { name, commonopts } => { ++ KanidmdOpt::RecoverAccount { name, from_environment, commonopts } => { + info!("Running account recovery ..."); + let output_mode: ConsoleOutputMode = commonopts.output_mode.to_owned().into(); ++ let password = if *from_environment { ++ match std::env::var("KANIDM_RECOVER_ACCOUNT_PASSWORD_FILE") { ++ Ok(path) => match tokio::fs::read_to_string(&path).await { ++ Ok(contents) => Some(contents), ++ Err(e) => { ++ error!("Failed to read password file '{}': {}", path, e); ++ return ExitCode::FAILURE; ++ } ++ }, ++ Err(_) => match std::env::var("KANIDM_RECOVER_ACCOUNT_PASSWORD") { ++ Ok(val) => Some(val), ++ Err(_) => { ++ error!("Neither KANIDM_RECOVER_ACCOUNT_PASSWORD_FILE nor KANIDM_RECOVER_ACCOUNT_PASSWORD was set"); ++ return ExitCode::FAILURE; ++ } ++ } ++ } ++ } else { ++ None ++ }; + submit_admin_req( + config.adminbindpath.as_str(), + AdminTaskRequest::RecoverAccount { + name: name.to_owned(), ++ password, + }, + output_mode, + ) +diff --git a/server/daemon/src/opt.rs b/server/daemon/src/opt.rs +index f1b45a5b3..ca19fb6a5 100644 +--- a/server/daemon/src/opt.rs ++++ b/server/daemon/src/opt.rs +@@ -236,6 +236,13 @@ enum KanidmdOpt { + #[clap(value_parser)] + /// The account name to recover credentials for. + name: String, ++ /// Use a password given via an environment variable. ++ /// - `KANIDM_RECOVER_ACCOUNT_PASSWORD_FILE` takes precedence and reads the desired ++ /// password from the given file ++ /// - `KANIDM_RECOVER_ACCOUNT_PASSWORD` directly takes a ++ /// password - beware that this will leave the password in the environment ++ #[clap(long = "from-environment")] ++ from_environment: bool, + #[clap(flatten)] + commonopts: CommonOpt, + }, +-- +2.49.0 + diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 9bcf62e398d2..73cf4369dcba 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -10455,8 +10455,9 @@ with pkgs; kanidm_1_4 = callPackage ../by-name/ka/kanidm/1_4.nix { kanidm = kanidm_1_4; }; kanidm_1_5 = callPackage ../by-name/ka/kanidm/1_5.nix { kanidm = kanidm_1_5; }; + kanidm_1_6 = callPackage ../by-name/ka/kanidm/1_6.nix { kanidm = kanidm_1_6; }; - kanidmWithSecretProvisioning = kanidmWithSecretProvisioning_1_5; + kanidmWithSecretProvisioning = kanidmWithSecretProvisioning_1_6; kanidmWithSecretProvisioning_1_4 = callPackage ../by-name/ka/kanidm/1_4.nix { enableSecretProvisioning = true; @@ -10466,6 +10467,10 @@ with pkgs; enableSecretProvisioning = true; }; + kanidmWithSecretProvisioning_1_6 = callPackage ../by-name/ka/kanidm/1_6.nix { + enableSecretProvisioning = true; + }; + knot-resolver = callPackage ../servers/dns/knot-resolver { systemd = systemdMinimal; # in closure already anyway };