auth: kanidm.db migration to v1.5.0 for provisioning
- ExecStartPre sqlite script for any kanidm version <= 1.5.0.
@@ -23,6 +23,16 @@ let
|
|||||||
kanidm-service-account-token-fp =
|
kanidm-service-account-token-fp =
|
||||||
"${keys-path}/${selfprivacy-group}/kanidm-service-account-token";
|
"${keys-path}/${selfprivacy-group}/kanidm-service-account-token";
|
||||||
|
|
||||||
|
kanidmMigrateDbScript = pkgs.writeShellScript "kanidm-db-migration-script" ''
|
||||||
|
# handle a case when kanidm database is not yet created (the first startup)
|
||||||
|
if [ -f ${config.services.kanidm.serverSettings.db_path} ]
|
||||||
|
then
|
||||||
|
set -o xtrace
|
||||||
|
# since it's the last command, it produces an exit code for systemd as well
|
||||||
|
${lib.getExe pkgs.sqlite} ${config.services.kanidm.serverSettings.db_path} < ${./kanidm-db-migration.sql}
|
||||||
|
fi
|
||||||
|
'';
|
||||||
|
|
||||||
spApiUserExecStartPostScript =
|
spApiUserExecStartPostScript =
|
||||||
pkgs.writeShellScript "spApiUserExecStartPostScript" ''
|
pkgs.writeShellScript "spApiUserExecStartPostScript" ''
|
||||||
export HOME=$RUNTIME_DIRECTORY/client_home
|
export HOME=$RUNTIME_DIRECTORY/client_home
|
||||||
@@ -199,6 +209,11 @@ lib.mkIf config.selfprivacy.sso.enable {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
systemd.services.kanidm.serviceConfig.ExecStartPre =
|
||||||
|
# idempotent script to run on each startup only for kanidm v1.5.0
|
||||||
|
lib.mkIf (pkgs.kanidm.version == "1.5.0")
|
||||||
|
(lib.mkBefore [ kanidmMigrateDbScript ]);
|
||||||
|
|
||||||
systemd.services.kanidm.serviceConfig.ExecStartPost = lib.mkAfter
|
systemd.services.kanidm.serviceConfig.ExecStartPost = lib.mkAfter
|
||||||
[ spApiUserExecStartPostScript ];
|
[ spApiUserExecStartPostScript ];
|
||||||
|
|
||||||
|
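--- /dev/null
+++ b/auth/kanidm-db-migration.sql
@@ -0,0 +1,56 @@
+update id2entry
+set data = cast(
+json_replace(
+data,
+'$.ent.V3.attrs.acp_create_attr.I8',
+json_array(
+'class','description','displayname','image','name',
+'oauth2_allow_insecure_client_disable_pkce',
+'oauth2_allow_localhost_redirect',
+'oauth2_device_flow_enable',
+'oauth2_jwt_legacy_crypto_enable',
+'oauth2_prefer_short_username',
+'oauth2_rs_claim_map',
+'oauth2_rs_basic_secret',
+'oauth2_rs_name',
+'oauth2_rs_origin',
+'oauth2_rs_origin_landing',
+'oauth2_rs_scope_map',
+'oauth2_rs_sup_scope_map',
+'oauth2_strict_redirect_uri'
+)
+) as blob
+)
+where cast (id as text) = (
+select json_extract(idl, '$.t.s[0]')
+from idx_eq_name
+where key = 'idm_acp_oauth2_manage'
+);
+
+update id2entry
+set data = cast(
+json_replace(
+data,
+'$.ent.V3.attrs.acp_modify_presentattr.I8',
+json_array(
+'description','displayname','image','name',
+'oauth2_allow_insecure_client_disable_pkce',
+'oauth2_allow_localhost_redirect',
+'oauth2_device_flow_enable',
+'oauth2_jwt_legacy_crypto_enable',
+'oauth2_prefer_short_username',
+'oauth2_rs_claim_map',
+'oauth2_rs_basic_secret',
+'oauth2_rs_origin',
+'oauth2_rs_origin_landing',
+'oauth2_rs_scope_map',
+'oauth2_rs_sup_scope_map',
+'oauth2_strict_redirect_uri'
+)
+) as blob
+)
+where cast (id as text) = (
+select json_extract(idl, '$.t.s[0]')
+from idx_eq_name
+where key = 'idm_acp_oauth2_manage'
+);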