auth: create a proper selfprivacy-api token via auth module
- the selfprivacy-api NixOS module can use the selfprivacy.auth.clients option to configure its own client - when the "selfprivacy-api" OAuth client ID is used, a read-write token is created and idm_admins membership is set
@@ -28,6 +28,7 @@ let
|
|||||||
kanidmServiceAccountTokenName = "${oauthClientID}-service-account-token";
|
kanidmServiceAccountTokenName = "${oauthClientID}-service-account-token";
|
||||||
kanidmServiceAccountTokenFP =
|
kanidmServiceAccountTokenFP =
|
||||||
auth-passthru.mkServiceAccountTokenFP linuxGroup;
|
auth-passthru.mkServiceAccountTokenFP linuxGroup;
|
||||||
|
isRW = oauthClientID == "selfprivacy-api";
|
||||||
in
|
in
|
||||||
pkgs.writeShellScript
|
pkgs.writeShellScript
|
||||||
"${oauthClientID}-kanidm-ExecStartPost-script.sh"
|
"${oauthClientID}-kanidm-ExecStartPost-script.sh"
|
||||||
@@ -53,8 +54,8 @@ let
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# create a new read-only token for kanidm
|
# create a new token for kanidm
|
||||||
if ! KANIDM_SERVICE_ACCOUNT_TOKEN_JSON="$($KANIDM service-account api-token generate --name idm_admin "${kanidmServiceAccountName}" "${kanidmServiceAccountTokenName}" --output json)"
|
if ! KANIDM_SERVICE_ACCOUNT_TOKEN_JSON="$($KANIDM service-account api-token generate --name idm_admin "${kanidmServiceAccountName}" "${kanidmServiceAccountTokenName}" ${lib.strings.optionalString isRW "--rw"} --output json)"
|
||||||
then
|
then
|
||||||
echo "error: kanidm CLI returns an error when trying to generate service-account api-token"
|
echo "error: kanidm CLI returns an error when trying to generate service-account api-token"
|
||||||
exit 1
|
exit 1
|
||||||
@@ -77,7 +78,11 @@ let
|
|||||||
+ lib.strings.optionalString isMailserver ''
|
+ lib.strings.optionalString isMailserver ''
|
||||||
# add Kanidm service account to `idm_mail_servers` group
|
# add Kanidm service account to `idm_mail_servers` group
|
||||||
$KANIDM group add-members idm_mail_servers "${kanidmServiceAccountName}"
|
$KANIDM group add-members idm_mail_servers "${kanidmServiceAccountName}"
|
||||||
'');
|
''
|
||||||
|
+ lib.strings.optionalString isRW ''
|
||||||
|
$KANIDM group add-members idm_admins "${kanidmServiceAccountName}"
|
||||||
|
''
|
||||||
|
);
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.selfprivacy.auth = {
|
options.selfprivacy.auth = {
|
||||||
|
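Review bot: The elevated grant is keyed on a bare string match, `isRW = oauthClientID == "selfprivacy-api";` (first hunk), so any client declared under `selfprivacy.auth.clients` with that ID silently receives a read-write API token (`--rw`, second hunk) and `idm_admins` membership (third hunk); an explicit per-client option defaulting to false, with the option description stating that it binds an idm_admins read-write token to the service account, would make the trust boundary visible in the configuration instead of in a magic name. The new `$KANIDM group add-members idm_admins "${kanidmServiceAccountName}"` line has no exit-status check, unlike the token generation a few lines earlier that exits 1 on failure, so a failed membership change is only visible in the journal; wrap it as `if ! $KANIDM group add-members idm_admins "${kanidmServiceAccountName}"; then echo "error: cannot add service account to idm_admins"; exit 1; fi` (the existing idm_mail_servers call would benefit from the same treatment). The reworded comment in the second hunk drops the access level; suggest `# create a new API token for kanidm (read-write when isRW, otherwise read-only)`. The writeShellScript body this lives in starts in the first hunk and has unchanged lines between the hunks that are outside this view.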
@@ -16,13 +16,6 @@ let
|
|||||||
|
|
||||||
selfprivacy-group = config.users.users."selfprivacy-api".group;
|
selfprivacy-group = config.users.users."selfprivacy-api".group;
|
||||||
|
|
||||||
selfprivacy-service-account-name = "sp.selfprivacy-api.service-account";
|
|
||||||
|
|
||||||
kanidm-service-account-token-name =
|
|
||||||
"${selfprivacy-group}-service-account-token";
|
|
||||||
kanidm-service-account-token-fp =
|
|
||||||
"${keys-path}/${selfprivacy-group}/kanidm-service-account-token";
|
|
||||||
|
|
||||||
kanidmMigrateDbScript = pkgs.writeShellScript "kanidm-db-migration-script" ''
|
kanidmMigrateDbScript = pkgs.writeShellScript "kanidm-db-migration-script" ''
|
||||||
# handle a case when kanidm database is not yet created (the first startup)
|
# handle a case when kanidm database is not yet created (the first startup)
|
||||||
if [ -f ${config.services.kanidm.serverSettings.db_path} ]
|
if [ -f ${config.services.kanidm.serverSettings.db_path} ]
|
||||||
@@ -33,52 +26,6 @@ let
|
|||||||
fi
|
fi
|
||||||
'';
|
'';
|
||||||
|
|
||||||
spApiUserExecStartPostScript =
|
|
||||||
pkgs.writeShellScript "spApiUserExecStartPostScript" ''
|
|
||||||
export HOME=$RUNTIME_DIRECTORY/client_home
|
|
||||||
readonly KANIDM="${pkgs.kanidm}/bin/kanidm"
|
|
||||||
|
|
||||||
# get Kanidm service account for SelfPrivacyAPI
|
|
||||||
KANIDM_SERVICE_ACCOUNT="$($KANIDM service-account list --name idm_admin | grep -E "^name: ${selfprivacy-service-account-name}$")"
|
|
||||||
echo KANIDM_SERVICE_ACCOUNT: "$KANIDM_SERVICE_ACCOUNT"
|
|
||||||
if [ -n "$KANIDM_SERVICE_ACCOUNT" ]
|
|
||||||
then
|
|
||||||
echo "kanidm service account \"${selfprivacy-service-account-name}\" is found"
|
|
||||||
else
|
|
||||||
echo "kanidm service account \"${selfprivacy-service-account-name}\" is not found"
|
|
||||||
echo "creating new kanidm service account \"${selfprivacy-service-account-name}\""
|
|
||||||
if $KANIDM service-account create --name idm_admin "${selfprivacy-service-account-name}" "SelfPrivacy API service account" idm_admin
|
|
||||||
then
|
|
||||||
echo "kanidm service account \"${selfprivacy-service-account-name}\" created"
|
|
||||||
else
|
|
||||||
echo "error: cannot create kanidm service account \"${selfprivacy-service-account-name}\""
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
$KANIDM group add-members idm_admins "${selfprivacy-service-account-name}"
|
|
||||||
|
|
||||||
# create a new read-write token for kanidm
|
|
||||||
if ! KANIDM_SERVICE_ACCOUNT_TOKEN_JSON="$($KANIDM service-account api-token generate --name idm_admin "${selfprivacy-service-account-name}" "${kanidm-service-account-token-name}" --output json)"
|
|
||||||
then
|
|
||||||
echo "error: kanidm CLI returns an error when trying to generate service-account api-token"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
if ! KANIDM_SERVICE_ACCOUNT_TOKEN="$(echo "$KANIDM_SERVICE_ACCOUNT_TOKEN_JSON" | ${lib.getExe pkgs.jq} -r .result)"
|
|
||||||
then
|
|
||||||
echo "error: cannot get service-account API token from JSON"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
if ! install --mode=640 \
|
|
||||||
<(printf "%s" "$KANIDM_SERVICE_ACCOUNT_TOKEN") \
|
|
||||||
${kanidm-service-account-token-fp}
|
|
||||||
then
|
|
||||||
echo "error: cannot write token to \"${kanidm-service-account-token-fp}\""
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
'';
|
|
||||||
|
|
||||||
# lua stuff for nginx for debugging only
|
# lua stuff for nginx for debugging only
|
||||||
lua_core_path = "${pkgs.luajitPackages.lua-resty-core}/lib/lua/5.1/?.lua";
|
lua_core_path = "${pkgs.luajitPackages.lua-resty-core}/lib/lua/5.1/?.lua";
|
||||||
lua_lrucache_path = "${pkgs.luajitPackages.lua-resty-lrucache}/lib/lua/5.1/?.lua";
|
lua_lrucache_path = "${pkgs.luajitPackages.lua-resty-lrucache}/lib/lua/5.1/?.lua";
|
||||||
@@ -214,9 +161,6 @@ lib.mkIf config.selfprivacy.sso.enable {
|
|||||||
lib.mkIf (pkgs.kanidm.version == "1.5.0")
|
lib.mkIf (pkgs.kanidm.version == "1.5.0")
|
||||||
(lib.mkBefore [ kanidmMigrateDbScript ]);
|
(lib.mkBefore [ kanidmMigrateDbScript ]);
|
||||||
|
|
||||||
systemd.services.kanidm.serviceConfig.ExecStartPost = lib.mkAfter
|
|
||||||
[ spApiUserExecStartPostScript ];
|
|
||||||
|
|
||||||
selfprivacy.passthru.auth = {
|
selfprivacy.passthru.auth = {
|
||||||
inherit
|
inherit
|
||||||
admins-group
|
admins-group
|
||||||
|
10
flake.lock
generated
10
flake.lock
generated
@@ -62,11 +62,11 @@
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1744640029,
|
"lastModified": 1745270427,
|
||||||
"narHash": "sha256-Rqy+HhW7weEfAc5rPmxusewuo/69sWVXlQOL2a3Y9ZU=",
|
"narHash": "sha256-EHbn9AgWTmIuRwAo7Y+sULHNN+/vN0r8h2JbTqmYxZc=",
|
||||||
"ref": "inex/add-oauth",
|
"ref": "use-auth-nixos-module",
|
||||||
"rev": "5393642f896d5fa4b9b7be215d72714554259de6",
|
"rev": "582d11c1fbea36d6fdbd0a64f782ca8f8c6a1338",
|
||||||
"revCount": 1749,
|
"revCount": 1750,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git"
|
"url": "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git"
|
||||||
},
|
},
|
||||||
|