auth: kanidm.db migration to v1.5.0 for provisioning

- ExecStartPre sqlite script for any kanidm version <= 1.5.0.
2025-04-21 20:21:55 +04:00
parent 69a5103f8b
commit 217fdce469
2 changed files with 71 additions and 0 deletions
--- a/auth/auth.nix
+++ b/auth/auth.nix
@@ -23,6 +23,16 @@ let
  kanidm-service-account-token-fp =
    "${keys-path}/${selfprivacy-group}/kanidm-service-account-token";

+  kanidmMigrateDbScript = pkgs.writeShellScript "kanidm-db-migration-script" ''
+    # handle a case when kanidm database is not yet created (the first startup)
+    if [ -f ${config.services.kanidm.serverSettings.db_path} ]
+    then
+        set -o xtrace
+        # since it's the last command, it produces an exit code for systemd as well
+        ${lib.getExe pkgs.sqlite} ${config.services.kanidm.serverSettings.db_path} < ${./kanidm-db-migration.sql}
+    fi
+  '';
+
  spApiUserExecStartPostScript =
    pkgs.writeShellScript "spApiUserExecStartPostScript" ''
      export HOME=$RUNTIME_DIRECTORY/client_home
@@ -199,6 +209,11 @@ lib.mkIf config.selfprivacy.sso.enable {
    };
  };

+  systemd.services.kanidm.serviceConfig.ExecStartPre =
+    # idempotent script to run on each startup only for kanidm v1.5.0
+    lib.mkIf (pkgs.kanidm.version == "1.5.0")
+      (lib.mkBefore [ kanidmMigrateDbScript ]);
+
  systemd.services.kanidm.serviceConfig.ExecStartPost = lib.mkAfter
    [ spApiUserExecStartPostScript ];

--- a/auth/kanidm-db-migration.sql
+++ b/auth/kanidm-db-migration.sql
@@ -0,0 +1,56 @@
+update id2entry
+set data = cast(
+    json_replace(
+        data,
+        '$.ent.V3.attrs.acp_create_attr.I8',
+        json_array(
+            'class','description','displayname','image','name',
+            'oauth2_allow_insecure_client_disable_pkce',
+            'oauth2_allow_localhost_redirect',
+            'oauth2_device_flow_enable',
+            'oauth2_jwt_legacy_crypto_enable',
+            'oauth2_prefer_short_username',
+            'oauth2_rs_claim_map',
+            'oauth2_rs_basic_secret',
+            'oauth2_rs_name',
+            'oauth2_rs_origin',
+            'oauth2_rs_origin_landing',
+            'oauth2_rs_scope_map',
+            'oauth2_rs_sup_scope_map',
+            'oauth2_strict_redirect_uri'
+        )
+    ) as blob
+)
+where cast (id as text) = (
+    select json_extract(idl, '$.t.s[0]')
+    from idx_eq_name
+    where key = 'idm_acp_oauth2_manage'
+);
+
+update id2entry
+set data = cast(
+    json_replace(
+        data,
+        '$.ent.V3.attrs.acp_modify_presentattr.I8',
+        json_array(
+            'description','displayname','image','name',
+            'oauth2_allow_insecure_client_disable_pkce',
+            'oauth2_allow_localhost_redirect',
+            'oauth2_device_flow_enable',
+            'oauth2_jwt_legacy_crypto_enable',
+            'oauth2_prefer_short_username',
+            'oauth2_rs_claim_map',
+            'oauth2_rs_basic_secret',
+            'oauth2_rs_origin',
+            'oauth2_rs_origin_landing',
+            'oauth2_rs_scope_map',
+            'oauth2_rs_sup_scope_map',
+            'oauth2_strict_redirect_uri'
+        )
+    ) as blob
+)
+where cast (id as text) = (
+    select json_extract(idl, '$.t.s[0]')
+    from idx_eq_name
+    where key = 'idm_acp_oauth2_manage'
+);