thary/sp-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

style: format tree

Browse Source
This commit is contained in:
nhnn
2025-06-18 19:53:44 +03:00
parent ed990906bd
commit 86233cac27
44 changed files with 2523 additions and 2253 deletions
Download Patch File Download Diff File Expand all files Collapse all files

291
auth/auth-module.nix
View File

@@ -1,4 +1,9 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
inherit (lib)
mkOption
@@ -7,12 +12,12 @@ let
auth-passthru = config.selfprivacy.passthru.auth;
keys-path = auth-passthru.keys-path;
# generate OAuth2 client secret
mkKanidmExecStartPreScript = oauthClientID: linuxGroup:
mkKanidmExecStartPreScript =
oauthClientID: linuxGroup:
let
secretFP = auth-passthru.mkOAuth2ClientSecretFP linuxGroup;
in
pkgs.writeShellScript
"${oauthClientID}-kanidm-ExecStartPre-script.sh" ''
pkgs.writeShellScript "${oauthClientID}-kanidm-ExecStartPre-script.sh" ''
set -o pipefail
set -o errexit
if ! [ -f "${secretFP}" ]
@@ -22,17 +27,16 @@ let
chmod 640 "${secretFP}"
fi
'';
mkKanidmExecStartPostScript = oauthClientID: linuxGroup: isMailserver:
mkKanidmExecStartPostScript =
oauthClientID: linuxGroup: isMailserver:
let
kanidmServiceAccountName = "sp.${oauthClientID}.service-account";
kanidmServiceAccountTokenName = "${oauthClientID}-service-account-token";
kanidmServiceAccountTokenFP =
auth-passthru.mkServiceAccountTokenFP linuxGroup;
kanidmServiceAccountTokenFP = auth-passthru.mkServiceAccountTokenFP linuxGroup;
isRW = oauthClientID == "selfprivacy-api";
in
pkgs.writeShellScript
"${oauthClientID}-kanidm-ExecStartPost-script.sh"
(''
pkgs.writeShellScript "${oauthClientID}-kanidm-ExecStartPost-script.sh" (
''
export HOME=$RUNTIME_DIRECTORY/client_home
readonly KANIDM="${pkgs.kanidm}/bin/kanidm"
@@ -82,13 +86,12 @@ let
+ lib.strings.optionalString isRW ''
$KANIDM group add-members idm_admins "${kanidmServiceAccountName}"
''
);
);
in
{
options.selfprivacy.auth = {
clients = mkOption {
description =
"Configurations for OAuth2 & LDAP servers clients services. Corresponding Kanidm provisioning configuration and systemd scripts are generated.";
description = "Configurations for OAuth2 & LDAP servers clients services. Corresponding Kanidm provisioning configuration and systemd scripts are generated.";
default = { };
type = types.attrsOf (
types.submodule {
@@ -107,69 +110,58 @@ in
};
enablePkce = mkOption {
type = lib.types.bool;
description =
"Whether PKCE must be used between client and Kanidm.";
description = "Whether PKCE must be used between client and Kanidm.";
default = false;
};
adminsGroup = mkOption {
type =
types.nullOr (lib.types.strMatching "sp\.[A-Za-z0-9]+\.admins");
description =
"Name of admins group in Kanidm, whose members have admin level access to resources (service) associated with OAuth2 client authorization.";
type = types.nullOr (lib.types.strMatching "sp\.[A-Za-z0-9]+\.admins");
description = "Name of admins group in Kanidm, whose members have admin level access to resources (service) associated with OAuth2 client authorization.";
default = null;
};
usersGroup = mkOption {
type =
types.nullOr (lib.types.strMatching "sp\.[A-Za-z0-9]+\.users");
description =
"Name of users group in Kanidm, whose members have user level access to resources (service) associated with OAuth2 client authorization.";
type = types.nullOr (lib.types.strMatching "sp\.[A-Za-z0-9]+\.users");
description = "Name of users group in Kanidm, whose members have user level access to resources (service) associated with OAuth2 client authorization.";
default = null;
};
originLanding = mkOption {
type = types.nullOr lib.types.str;
description =
"The origin landing of the service for OAuth2 redirects.";
description = "The origin landing of the service for OAuth2 redirects.";
};
originUrl = mkOption {
type = types.nullOr lib.types.str;
description =
"The origin URL of the service for OAuth2 redirects.";
description = "The origin URL of the service for OAuth2 redirects.";
};
subdomain = lib.mkOption {
type =
lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
description = "Subdomain of the service.";
};
# when true, "name" is passed to a service instead of "name@domain"
useShortPreferredUsername = mkOption {
description =
"Use 'name' instead of 'spn' in the preferred_username claim.";
description = "Use 'name' instead of 'spn' in the preferred_username claim.";
type = types.bool;
default = true;
};
linuxUserOfClient = mkOption {
type = types.nullOr lib.types.str;
description =
"Name of a Linux OAuth2 client user, under which it should get access through a folder with keys.";
description = "Name of a Linux OAuth2 client user, under which it should get access through a folder with keys.";
default = null;
};
linuxGroupOfClient = mkOption {
type = types.nullOr lib.types.str;
description =
"Name of Linux OAuth2 client group, under which it should read an OAuth2 client secret file.";
description = "Name of Linux OAuth2 client group, under which it should read an OAuth2 client secret file.";
default = null;
};
isTokenNeeded = mkOption {
description =
"Whether a read-only needs to be generated for LDAP access.";
description = "Whether a read-only needs to be generated for LDAP access.";
type = types.bool;
default = false;
};
clientSystemdUnits = mkOption {
description = "A list of systemd services, which depend on OAuth service";
# taken from nixos/lib/systemd-lib.nix: unitNameType
type = types.listOf
(types.strMatching "[a-zA-Z0-9@%:_.\\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)");
type = types.listOf (
types.strMatching "[a-zA-Z0-9@%:_.\\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)"
);
};
scopeMaps = mkOption {
description = ''
@@ -231,133 +223,132 @@ in
};
config = lib.mkIf config.selfprivacy.sso.enable (
let
clientsAttrsList = lib.attrsets.mapAttrsToList
(name: attrs: attrs // rec {
clientID =
if attrs.clientID == null
then name
else attrs.clientID;
displayName =
if attrs.displayName == null
then clientID
else attrs.displayName;
adminsGroup =
if attrs.adminsGroup == null
then "sp.${clientID}.admins"
else attrs.adminsGroup;
usersGroup =
if attrs.usersGroup == null
then "sp.${clientID}.users"
else attrs.usersGroup;
basicSecretFile =
"${keys-path}/${linuxGroupOfClient}/kanidm-oauth-client-secret";
linuxUserOfClient =
if attrs.linuxUserOfClient == null
then clientID
else attrs.linuxUserOfClient;
clientsAttrsList = lib.attrsets.mapAttrsToList (
name: attrs:
attrs
// rec {
clientID = if attrs.clientID == null then name else attrs.clientID;
displayName = if attrs.displayName == null then clientID else attrs.displayName;
adminsGroup = if attrs.adminsGroup == null then "sp.${clientID}.admins" else attrs.adminsGroup;
usersGroup = if attrs.usersGroup == null then "sp.${clientID}.users" else attrs.usersGroup;
basicSecretFile = "${keys-path}/${linuxGroupOfClient}/kanidm-oauth-client-secret";
linuxUserOfClient = if attrs.linuxUserOfClient == null then clientID else attrs.linuxUserOfClient;
linuxGroupOfClient =
if attrs.linuxGroupOfClient == null
then clientID
else attrs.linuxGroupOfClient;
if attrs.linuxGroupOfClient == null then clientID else attrs.linuxGroupOfClient;
originLanding =
if attrs.originLanding == null
then "https://${attrs.subdomain}.${config.selfprivacy.domain}/"
else attrs.originLanding;
if attrs.originLanding == null then
"https://${attrs.subdomain}.${config.selfprivacy.domain}/"
else
attrs.originLanding;
scopeMaps =
if attrs.scopeMaps == null
then { "${usersGroup}" = [ "email" "openid" "profile" ]; }
else attrs.scopeMaps;
})
config.selfprivacy.auth.clients;
if attrs.scopeMaps == null then
{
"${usersGroup}" = [
"email"
"openid"
"profile"
];
}
else
attrs.scopeMaps;
}
) config.selfprivacy.auth.clients;
in
{
# for each OAuth2 client: member of the `keys` group for directory access
users.groups.keys.members = lib.mkMerge (lib.forEach
clientsAttrsList
({ linuxUserOfClient, ... }: [ linuxUserOfClient ])
users.groups.keys.members = lib.mkMerge (
lib.forEach clientsAttrsList ({ linuxUserOfClient, ... }: [ linuxUserOfClient ])
);
systemd.tmpfiles.settings."kanidm-secrets" = lib.mkMerge (lib.forEach
clientsAttrsList
({ linuxGroupOfClient, ... }: {
"${keys-path}/${linuxGroupOfClient}".d = {
user = "kanidm";
group = linuxGroupOfClient;
mode = "2750";
};
})
systemd.tmpfiles.settings."kanidm-secrets" = lib.mkMerge (
lib.forEach clientsAttrsList (
{ linuxGroupOfClient, ... }:
{
"${keys-path}/${linuxGroupOfClient}".d = {
user = "kanidm";
group = linuxGroupOfClient;
mode = "2750";
};
}
)
);
# for each OAuth2 client: scripts with Kanidm CLI commands
systemd.services.kanidm = {
before =
lib.lists.concatMap
({ clientSystemdUnits, ... }: clientSystemdUnits)
clientsAttrsList;
serviceConfig =
lib.mkMerge (lib.forEach
clientsAttrsList
({ clientID, isTokenNeeded, linuxGroupOfClient, isMailserver, ... }:
{
ExecStartPre = [
# "-" prefix means to ignore exit code of prefixed script
("-" + mkKanidmExecStartPreScript clientID linuxGroupOfClient)
];
ExecStartPost = lib.mkIf isTokenNeeded
(lib.mkAfter [
("-" +
mkKanidmExecStartPostScript
clientID
linuxGroupOfClient
isMailserver)
]);
}));
before = lib.lists.concatMap ({ clientSystemdUnits, ... }: clientSystemdUnits) clientsAttrsList;
serviceConfig = lib.mkMerge (
lib.forEach clientsAttrsList (
{
clientID,
isTokenNeeded,
linuxGroupOfClient,
isMailserver,
...
}:
{
ExecStartPre = [
# "-" prefix means to ignore exit code of prefixed script
("-" + mkKanidmExecStartPreScript clientID linuxGroupOfClient)
];
ExecStartPost = lib.mkIf isTokenNeeded (
lib.mkAfter [
("-" + mkKanidmExecStartPostScript clientID linuxGroupOfClient isMailserver)
]
);
}
)
);
};
# for each OAuth2 client: Kanidm provisioning options
services.kanidm.provision = lib.mkMerge (lib.forEach
clientsAttrsList
({ adminsGroup
, basicSecretFile
, claimMaps
, clientID
, displayName
, enablePkce
, imageFile
, originLanding
, originUrl
, scopeMaps
, useShortPreferredUsername
, usersGroup
, ...
}: {
groups = lib.mkIf (clientID != "selfprivacy-api") {
"${adminsGroup}".members =
[ auth-passthru.admins-group ];
"${usersGroup}".members =
[ adminsGroup auth-passthru.full-users-group ];
};
systems.oauth2.${clientID} = {
inherit
basicSecretFile
claimMaps
displayName
imageFile
originLanding
originUrl
scopeMaps
;
preferShortUsername = useShortPreferredUsername;
allowInsecureClientDisablePkce = ! enablePkce;
removeOrphanedClaimMaps = true;
services.kanidm.provision = lib.mkMerge (
lib.forEach clientsAttrsList (
{
adminsGroup,
basicSecretFile,
claimMaps,
clientID,
displayName,
enablePkce,
imageFile,
originLanding,
originUrl,
scopeMaps,
useShortPreferredUsername,
usersGroup,
...
}:
{
groups = lib.mkIf (clientID != "selfprivacy-api") {
"${adminsGroup}".members = [ auth-passthru.admins-group ];
"${usersGroup}".members = [
adminsGroup
auth-passthru.full-users-group
];
};
systems.oauth2.${clientID} = {
inherit
basicSecretFile
claimMaps
displayName
imageFile
originLanding
originUrl
scopeMaps
;
preferShortUsername = useShortPreferredUsername;
allowInsecureClientDisablePkce = !enablePkce;
removeOrphanedClaimMaps = true;
# NOTE https://github.com/oddlama/kanidm-provision/issues/15
# add more scopes when a user is a member of specific group
# currently not possible due to https://github.com/kanidm/kanidm/issues/2882#issuecomment-2564490144
# supplementaryScopeMaps."${admins-group}" =
# [ "read:admin" "write:admin" ];
};
}));
# NOTE https://github.com/oddlama/kanidm-provision/issues/15
# add more scopes when a user is a member of specific group
# currently not possible due to https://github.com/kanidm/kanidm/issues/2882#issuecomment-2564490144
# supplementaryScopeMaps."${admins-group}" =
# [ "read:admin" "write:admin" ];
};
}
)
);
}
);
}

44
auth/auth.nix
View File

@@ -1,4 +1,9 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
domain = config.selfprivacy.domain;
subdomain = "auth";
@@ -38,7 +43,6 @@ lib.mkIf config.selfprivacy.sso.enable {
"127.0.0.1" = [ auth-fqdn ];
};
# kanidm uses TLS in internal connection with nginx too
# FIXME revise this: maybe kanidm must not have access to a public TLS
users.groups."acmereceivers".members = [ "kanidm" ];
@@ -69,16 +73,13 @@ lib.mkIf config.selfprivacy.sso.enable {
origin = "https://" + auth-fqdn;
# TODO revise this: maybe kanidm must not have access to a public TLS
tls_chain =
"${config.security.acme.certs.${domain}.directory}/fullchain.pem";
tls_key =
"${config.security.acme.certs.${domain}.directory}/key.pem";
tls_chain = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
tls_key = "${config.security.acme.certs.${domain}.directory}/key.pem";
# nginx should proxy requests to it
bindaddress = kanidm-bind-address;
ldapbindaddress =
"${ldap-host}:${toString ldap-port}";
ldapbindaddress = "${ldap-host}:${toString ldap-port}";
# kanidm is behind a proxy
trust_x_forward_for = true;
@@ -101,8 +102,7 @@ lib.mkIf config.selfprivacy.sso.enable {
services.nginx = {
enable = true;
additionalModules =
lib.mkIf config.selfprivacy.sso.debug [ pkgs.nginxModules.lua ];
additionalModules = lib.mkIf config.selfprivacy.sso.debug [ pkgs.nginxModules.lua ];
commonHttpConfig = lib.mkIf config.selfprivacy.sso.debug ''
log_format kanidm escape=none '$request $status\n'
'[Request body]: $request_body\n'
@@ -158,8 +158,7 @@ lib.mkIf config.selfprivacy.sso.enable {
systemd.services.kanidm.serviceConfig.ExecStartPre =
# idempotent script to run on each startup only for kanidm v1.5.0
lib.mkIf (pkgs.kanidm.version == "1.5.0")
(lib.mkBefore [ kanidmMigrateDbScript ]);
lib.mkIf (pkgs.kanidm.version == "1.5.0") (lib.mkBefore [ kanidmMigrateDbScript ]);
selfprivacy.passthru.auth = {
inherit
@@ -171,25 +170,20 @@ lib.mkIf config.selfprivacy.sso.enable {
keys-path
;
oauth2-introspection-url-prefix = client_id: "https://${client_id}:";
oauth2-introspection-url-postfix =
"@${auth-fqdn}/oauth2/token/introspect";
oauth2-discovery-url = client_id:
"https://${auth-fqdn}/oauth2/openid/${client_id}/.well-known/openid-configuration";
oauth2-introspection-url-postfix = "@${auth-fqdn}/oauth2/token/introspect";
oauth2-discovery-url =
client_id: "https://${auth-fqdn}/oauth2/openid/${client_id}/.well-known/openid-configuration";
oauth2-provider-name = "Kanidm";
oauth2-systemd-service = "kanidm.service";
# e.g. "dc=mydomain,dc=com"
ldap-base-dn =
lib.strings.concatMapStringsSep
","
(x: "dc=" + x)
(lib.strings.splitString "." domain);
ldap-base-dn = lib.strings.concatMapStringsSep "," (x: "dc=" + x) (
lib.strings.splitString "." domain
);
# TODO consider to pass a value or throw exception if token is not generated
mkServiceAccountTokenFP = linuxGroup:
"${keys-path}/${linuxGroup}/kanidm-service-account-token";
mkServiceAccountTokenFP = linuxGroup: "${keys-path}/${linuxGroup}/kanidm-service-account-token";
mkOAuth2ClientSecretFP = linuxGroup:
"${keys-path}/${linuxGroup}/kanidm-oauth-client-secret";
mkOAuth2ClientSecretFP = linuxGroup: "${keys-path}/${linuxGroup}/kanidm-oauth-client-secret";
};
}

177
auth/kanidm.nix
View File

@@ -1,8 +1,9 @@
{ config
, lib
, options
, pkgs
, ...
{
config,
lib,
options,
pkgs,
...
}:
let
inherit (lib)
@@ -40,7 +41,9 @@ let
cfg = config.services.kanidm;
settingsFormat = pkgs.formats.toml { };
# Remove null values, so we can document optional values that don't end up in the generated TOML file.
filterConfig = converge (a: filterAttrsRecursive (_: v: v != null) (builtins.removeAttrs a [ "provision" ]));
filterConfig = converge (
a: filterAttrsRecursive (_: v: v != null) (builtins.removeAttrs a [ "provision" ])
);
serverConfigFile = settingsFormat.generate "server.toml" (filterConfig cfg.serverSettings);
clientConfigFile = settingsFormat.generate "kanidm-config.toml" (filterConfig cfg.clientSettings);
unixConfigFile = settingsFormat.generate "kanidm-unixd.toml" (filterConfig cfg.unixSettings);
@@ -54,17 +57,16 @@ let
# paths, no new bind mount is added. Adding subpaths caused problems on ofborg.
hasPrefixInList =
list: newPath: any (path: hasPrefix (builtins.toString path) (builtins.toString newPath)) list;
mergePaths = foldl'
(
merged: newPath:
let
# If the new path is a prefix to some existing path, we need to filter it out
filteredPaths = filter (p: !hasPrefix (builtins.toString newPath) (builtins.toString p)) merged;
# If a prefix of the new path is already in the list, do not add it
filteredNew = optional (!hasPrefixInList filteredPaths newPath) newPath;
in
filteredPaths ++ filteredNew
) [ ];
mergePaths = foldl' (
merged: newPath:
let
# If the new path is a prefix to some existing path, we need to filter it out
filteredPaths = filter (p: !hasPrefix (builtins.toString newPath) (builtins.toString p)) merged;
# If a prefix of the new path is already in the list, do not add it
filteredNew = optional (!hasPrefixInList filteredPaths newPath) newPath;
in
filteredPaths ++ filteredNew
) [ ];
defaultServiceConfig = {
# Setting the type to notify enables additional healthchecks, ensuring units
@@ -127,19 +129,20 @@ let
filterPresent = filterAttrs (_: v: v.present);
selfprivacy-admin-groups-regex = "^sp\.([[:alnum:]]+\.|)admins$";
is-selfprivacy-admin-group = name:
! builtins.isNull (builtins.match selfprivacy-admin-groups-regex name);
is-selfprivacy-admin-group =
name: !builtins.isNull (builtins.match selfprivacy-admin-groups-regex name);
isGroupNonOverwritable = g: false
|| ! g ? members
isGroupNonOverwritable =
g:
false
|| !g ? members
|| g ? members && g.members == [ ]
|| g ? members && builtins.any is-selfprivacy-admin-group g.members;
provisionStateJson = pkgs.writeText "provision-state.json" (
builtins.toJSON {
inherit (cfg.provision) persons systems;
groups =
lib.attrsets.filterAttrs (_n: v: ! isGroupNonOverwritable v) cfg.provision.groups;
groups = lib.attrsets.filterAttrs (_n: v: !isGroupNonOverwritable v) cfg.provision.groups;
}
);
@@ -182,8 +185,9 @@ let
fi
'';
groupsToCreateAndPopulate =
lib.attrsets.filterAttrs (_n: isGroupNonOverwritable) cfg.provision.groups;
groupsToCreateAndPopulate = lib.attrsets.filterAttrs (
_n: isGroupNonOverwritable
) cfg.provision.groups;
createGroups = ''
for group_name in ${lib.strings.concatStringsSep " " (builtins.attrNames groupsToCreateAndPopulate)}
@@ -199,9 +203,9 @@ let
done
'';
createAndPopulateGroups =
lib.concatLines ([ createGroups ]
++ (lib.mapAttrsToList populateGroup groupsToCreateAndPopulate));
createAndPopulateGroups = lib.concatLines (
[ createGroups ] ++ (lib.mapAttrsToList populateGroup groupsToCreateAndPopulate)
);
postStartScript = pkgs.writeShellScript "post-start" ''
set -euo pipefail
@@ -250,11 +254,11 @@ let
last (splitString "]:" cfg.serverSettings.bindaddress)
else
# ipv4:
if hasInfix "." cfg.serverSettings.bindaddress then
last (splitString ":" cfg.serverSettings.bindaddress)
# default is 8443
else
"8443";
if hasInfix "." cfg.serverSettings.bindaddress then
last (splitString ":" cfg.serverSettings.bindaddress)
# default is 8443
else
"8443";
in
{
options.services.kanidm = {
@@ -476,11 +480,9 @@ in
config.members = concatLists (
flip mapAttrsToList cfg.provision.persons (
person: personCfg:
optional
(
personCfg.present && builtins.elem groupSubmod.config._module.args.name personCfg.groups
)
person
optional (
personCfg.present && builtins.elem groupSubmod.config._module.args.name personCfg.groups
) person
)
);
})
@@ -683,12 +685,9 @@ in
++ entityList "oauth2" cfg.provision.systems.oauth2;
# Accumulate entities by name. Track corresponding entity types for later duplicate check.
entitiesByName = foldl'
(
acc: { type, name }: acc // { ${name} = (acc.${name} or [ ]) ++ [ type ]; }
)
{ }
entities;
entitiesByName = foldl' (
acc: { type, name }: acc // { ${name} = (acc.${name} or [ ]) ++ [ type ]; }
) { } entities;
assertGroupsKnown =
opt: groups:
@@ -800,59 +799,59 @@ in
]
++ flip mapAttrsToList (filterPresent cfg.provision.persons) (
person: personCfg:
assertGroupsKnown "services.kanidm.provision.persons.${person}.groups" personCfg.groups
assertGroupsKnown "services.kanidm.provision.persons.${person}.groups" personCfg.groups
)
++ flip mapAttrsToList (filterPresent cfg.provision.groups) (
group: groupCfg:
assertEntitiesKnown "services.kanidm.provision.groups.${group}.members" groupCfg.members
assertEntitiesKnown "services.kanidm.provision.groups.${group}.members" groupCfg.members
)
++ concatLists (
flip mapAttrsToList (filterPresent cfg.provision.systems.oauth2) (
oauth2: oauth2Cfg:
[
(assertGroupsKnown "services.kanidm.provision.systems.oauth2.${oauth2}.scopeMaps" (
attrNames oauth2Cfg.scopeMaps
))
(assertGroupsKnown "services.kanidm.provision.systems.oauth2.${oauth2}.supplementaryScopeMaps" (
attrNames oauth2Cfg.supplementaryScopeMaps
))
]
++ concatLists (
flip mapAttrsToList oauth2Cfg.claimMaps (
claim: claimCfg: [
(assertGroupsKnown "services.kanidm.provision.systems.oauth2.${oauth2}.claimMaps.${claim}.valuesByGroup" (
attrNames claimCfg.valuesByGroup
))
# At least one group must map to a value in each claim map
{
assertion =
(cfg.provision.enable && cfg.enableServer)
-> any (xs: xs != [ ]) (attrValues claimCfg.valuesByGroup);
message = "services.kanidm.provision.systems.oauth2.${oauth2}.claimMaps.${claim} does not specify any values for any group";
}
# Public clients cannot define a basic secret
{
assertion =
(cfg.provision.enable && cfg.enableServer && oauth2Cfg.public) -> oauth2Cfg.basicSecretFile == null;
message = "services.kanidm.provision.systems.oauth2.${oauth2} is a public client and thus cannot specify a basic secret";
}
# Public clients cannot disable PKCE
{
assertion =
(cfg.provision.enable && cfg.enableServer && oauth2Cfg.public)
-> !oauth2Cfg.allowInsecureClientDisablePkce;
message = "services.kanidm.provision.systems.oauth2.${oauth2} is a public client and thus cannot disable PKCE";
}
# Non-public clients cannot enable localhost redirects
{
assertion =
(cfg.provision.enable && cfg.enableServer && !oauth2Cfg.public)
-> !oauth2Cfg.enableLocalhostRedirects;
message = "services.kanidm.provision.systems.oauth2.${oauth2} is a non-public client and thus cannot enable localhost redirects";
}
]
)
[
(assertGroupsKnown "services.kanidm.provision.systems.oauth2.${oauth2}.scopeMaps" (
attrNames oauth2Cfg.scopeMaps
))
(assertGroupsKnown "services.kanidm.provision.systems.oauth2.${oauth2}.supplementaryScopeMaps" (
attrNames oauth2Cfg.supplementaryScopeMaps
))
]
++ concatLists (
flip mapAttrsToList oauth2Cfg.claimMaps (
claim: claimCfg: [
(assertGroupsKnown "services.kanidm.provision.systems.oauth2.${oauth2}.claimMaps.${claim}.valuesByGroup" (
attrNames claimCfg.valuesByGroup
))
# At least one group must map to a value in each claim map
{
assertion =
(cfg.provision.enable && cfg.enableServer)
-> any (xs: xs != [ ]) (attrValues claimCfg.valuesByGroup);
message = "services.kanidm.provision.systems.oauth2.${oauth2}.claimMaps.${claim} does not specify any values for any group";
}
# Public clients cannot define a basic secret
{
assertion =
(cfg.provision.enable && cfg.enableServer && oauth2Cfg.public) -> oauth2Cfg.basicSecretFile == null;
message = "services.kanidm.provision.systems.oauth2.${oauth2} is a public client and thus cannot specify a basic secret";
}
# Public clients cannot disable PKCE
{
assertion =
(cfg.provision.enable && cfg.enableServer && oauth2Cfg.public)
-> !oauth2Cfg.allowInsecureClientDisablePkce;
message = "services.kanidm.provision.systems.oauth2.${oauth2} is a public client and thus cannot disable PKCE";
}
# Non-public clients cannot enable localhost redirects
{
assertion =
(cfg.provision.enable && cfg.enableServer && !oauth2Cfg.public)
-> !oauth2Cfg.enableLocalhostRedirects;
message = "services.kanidm.provision.systems.oauth2.${oauth2} is a non-public client and thus cannot enable localhost redirects";
}
]
)
)
)
);