fix auth: name of /run/keys/* folder equals to linux group name

This commit is contained in:
Alexander Tomokhov
2025-04-11 16:34:50 +04:00
parent b87c37afa2
commit 63ce4d9143


@@ -8,9 +8,9 @@ let
keys-path = auth-passthru.keys-path; keys-path = auth-passthru.keys-path;
# TODO consider tmpfiles.d for creating a directory in ${keys-path} # TODO consider tmpfiles.d for creating a directory in ${keys-path}
# generate OAuth2 client secret # generate OAuth2 client secret
mkKanidmExecStartPreScript = oauthClientID: mkKanidmExecStartPreScript = oauthClientID: linuxGroup:
let let
secretFP = auth-passthru.mkOAuth2ClientSecretFP oauthClientID; secretFP = auth-passthru.mkOAuth2ClientSecretFP linuxGroup;
in in
pkgs.writeShellScript pkgs.writeShellScript
"${oauthClientID}-kanidm-ExecStartPre-script.sh" '' "${oauthClientID}-kanidm-ExecStartPre-script.sh" ''
@@ -18,12 +18,12 @@ let
"${lib.getExe pkgs.openssl}" rand -base64 -out "${secretFP}" 32 && \ "${lib.getExe pkgs.openssl}" rand -base64 -out "${secretFP}" 32 && \
chmod 640 "${secretFP}" chmod 640 "${secretFP}"
''; '';
mkKanidmExecStartPostScript = oauthClientID: mkKanidmExecStartPostScript = oauthClientID: linuxGroup:
let let
kanidmServiceAccountName = "sp.${oauthClientID}.service-account"; kanidmServiceAccountName = "sp.${oauthClientID}.service-account";
kanidmServiceAccountTokenName = "${oauthClientID}-service-account-token"; kanidmServiceAccountTokenName = "${oauthClientID}-service-account-token";
kanidmServiceAccountTokenFP = kanidmServiceAccountTokenFP =
auth-passthru.mkServiceAccountTokenFP oauthClientID; auth-passthru.mkServiceAccountTokenFP linuxGroup;
in in
pkgs.writeShellScript pkgs.writeShellScript
"${oauthClientID}-kanidm-ExecStartPost-script.sh" "${oauthClientID}-kanidm-ExecStartPost-script.sh"
@@ -226,7 +226,7 @@ in
then "sp.${clientID}.users" then "sp.${clientID}.users"
else attrs.usersGroup; else attrs.usersGroup;
basicSecretFile = basicSecretFile =
"${keys-path}/${clientID}/kanidm-oauth-client-secret"; "${keys-path}/${linuxGroupOfClient}/kanidm-oauth-client-secret";
linuxUserOfClient = linuxUserOfClient =
if attrs.linuxUserOfClient == null if attrs.linuxUserOfClient == null
then clientID then clientID
@@ -273,13 +273,16 @@ in
serviceConfig = serviceConfig =
lib.mkMerge (lib.forEach lib.mkMerge (lib.forEach
clientsAttrsList clientsAttrsList
({ clientID, isTokenNeeded, ... }: { ({ clientID, isTokenNeeded, linuxGroupOfClient, ... }: {
ExecStartPre = [ ExecStartPre = [
# "-" prefix means to ignore exit code of prefixed script # "-" prefix means to ignore exit code of prefixed script
("-" + mkKanidmExecStartPreScript clientID) ("-" + mkKanidmExecStartPreScript clientID linuxGroupOfClient)
]; ];
ExecStartPost = lib.mkIf isTokenNeeded ExecStartPost = lib.mkIf isTokenNeeded
(lib.mkAfter [ ("-" + mkKanidmExecStartPostScript clientID) ]); (lib.mkAfter [
("-" +
mkKanidmExecStartPostScript clientID linuxGroupOfClient)
]);
})); }));
}; };
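Review bot: The secret is still written before it is restricted: in the first hunk the ExecStartPre script runs `openssl rand -base64 -out "${secretFP}" 32` and only afterwards `chmod 640`, so the file briefly exists with the service's default umask, and a file created under a directory named for the group is only group-readable by that group if the directory's group ownership or setgid bit makes it so (not visible here — confirm against the `${keys-path}` setup). Setting the umask first removes the window: `umask 027 && "${lib.getExe pkgs.openssl}" rand -base64 -out "${secretFP}" 32 && \`. In the third hunk `basicSecretFile` hand-builds `"${keys-path}/${linuxGroupOfClient}/kanidm-oauth-client-secret"` while the script uses `auth-passthru.mkOAuth2ClientSecretFP linuxGroup` for what must be the same path; if the helper yields this layout, `basicSecretFile = auth-passthru.mkOAuth2ClientSecretFP linuxGroupOfClient;` keeps the two from drifting apart. The enclosing module attribute set continues past the end of the last hunk.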