From f500ae084a09cfcb276d2861d06945988572cef3 Mon Sep 17 00:00:00 2001 From: Nessdoor Date: Fri, 14 Feb 2025 19:45:27 +0100 Subject: [PATCH] nixos/kerberos_server: disallow combining "all" with policies != "get-keys" --- .../security/krb5/krb5-conf-format.nix | 28 ++++++++++++------- .../services/system/kerberos/default.nix | 11 ++++++++ 2 files changed, 29 insertions(+), 10 deletions(-) diff --git a/nixos/modules/security/krb5/krb5-conf-format.nix b/nixos/modules/security/krb5/krb5-conf-format.nix index a17edf1e2e2d..c6af150186b5 100644 --- a/nixos/modules/security/krb5/krb5-conf-format.nix +++ b/nixos/modules/security/krb5/krb5-conf-format.nix @@ -61,16 +61,18 @@ rec { description = "Which principal the rule applies to"; }; access = mkOption { - type = either (listOf (enum [ - "all" - "add" - "cpw" - "delete" - "get-keys" - "get" - "list" - "modify" - ])) (enum [ "all" ]); + type = coercedTo str singleton ( + listOf (enum [ + "all" + "add" + "cpw" + "delete" + "get-keys" + "get" + "list" + "modify" + ]) + ); default = "all"; description = '' The changes the principal is allowed to make. @@ -79,6 +81,12 @@ rec { The "all" permission does not imply the "get-keys" permission. This is consistent with the behavior of both MIT Kerberos and Heimdal. ::: + + :::{.warning} + Value "all" is allowed as a list member only if it appears alone + or accompanied by "get-keys". Any other combination involving + "all" will raise an exception. + ::: ''; }; target = mkOption { diff --git a/nixos/modules/services/system/kerberos/default.nix b/nixos/modules/services/system/kerberos/default.nix index 90baae98624f..5e7210ca7629 100644 --- a/nixos/modules/services/system/kerberos/default.nix +++ b/nixos/modules/services/system/kerberos/default.nix 
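Review bot: The new `access` type still accepts an empty list, because `listOf (enum [ … ])` admits `[ ]`, and the assertion added in default.nix passes it too, since `!elem "all" a` is true for an empty list. How an empty permission list is rendered into the KDC ACL file is decided outside this diff, so it is worth confirming that it cannot produce a rule with a missing permissions field. Rejecting it in the type is the simplest guard, e.g. `nonEmptyListOf (enum [` in place of `listOf (enum [`, provided `nonEmptyListOf` is brought into scope alongside the other type names. Separately, `default = "all"` now evaluates to `[ "all" ]`, so any consumer outside this diff that compares `access` with the string needs to be checked.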
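Review bot: The added warning says other combinations "will raise an exception", but nothing in krb5-conf-format.nix enforces that; the check is the assertion this commit adds to nixos/modules/services/system/kerberos/default.nix. The text should describe what a user actually sees, for example `Any other combination involving "all" is rejected by an assertion in the Kerberos server module.` If this option type is ever evaluated without that module's assertions, the restriction would silently not apply, so enforcing it in the type itself would make the documented guarantee hold wherever the type is used.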
@@ -55,6 +55,17 @@ in
 assertion = lib.length (lib.attrNames cfg.settings.realms) <= 1;
 message = "Only one realm per server is currently supported.";
 }
+ {
+ assertion =
+ let
+ inherit (builtins) attrValues elem length;
+ realms = attrValues cfg.settings.realms;
+ accesses = lib.concatMap (r: map (a: a.access) r.acl) realms;
+ property = a: !elem "all" a || (length a <= 1) || (length a <= 2 && elem "get-keys" a);
+ in
+ builtins.all property accesses;
+ message = "Cannot specify \"all\" in a list with additional permissions other than \"get-keys\"";
+ }
 ];

 systemd.slices.system-kerberos-server = { };
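Review bot: The failure message does not say which realm or principal carries the offending rule, and `property` encodes the restriction through list lengths, which also rejects harmless duplicates such as `[ "all" "get-keys" "get-keys" ]` with a message that does not match the cause. Writing it as a set difference states the intent directly: `property = a: !elem "all" a || lib.subtractLists [ "all" "get-keys" ] a == [ ];`. For the message, collecting the principals of the failing rules and interpolating them would let an administrator with many ACL entries find the bad entry without bisecting the configuration. The enclosing list of assertions starts outside this hunk.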