-
-
Notifications
You must be signed in to change notification settings - Fork 14.8k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
kanidm: discern normal build from provisioning build and fix 1_3 patc…
…hes (#367230)
- Loading branch information
Showing
7 changed files
with
485 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,5 +1,6 @@ | ||
import ./generic.nix { | ||
version = "1.4.5"; | ||
hash = "sha256-0nn/ZyjkLXWXBZasNhbeEynEN52cmZQAcgg3hLmRpdo="; | ||
cargoHash = "sha256-sLz1EdczSj0/ACLUpWex3i8ZUhNeyU/RVwuAqccLIz8="; | ||
cargoHash = "sha256-9ZB9PwVnqoCRMFXOY7ejh76hmOg7cjVpnjgJfh8aXGI="; | ||
patchDir = ./patches/1_4; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
303 changes: 303 additions & 0 deletions
303
pkgs/by-name/ka/kanidm/patches/1_3/oauth2-basic-secret-modify.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,303 @@ | ||
From 44dfbc2b9dccce86c7d7e7b54db4c989344b8c56 Mon Sep 17 00:00:00 2001 | ||
From: oddlama <[email protected]> | ||
Date: Mon, 12 Aug 2024 23:17:25 +0200 | ||
Subject: [PATCH 1/2] oauth2 basic secret modify | ||
|
||
--- | ||
server/core/src/actors/v1_write.rs | 42 ++++++++++++++++++++++++++++++ | ||
server/core/src/https/v1.rs | 6 ++++- | ||
server/core/src/https/v1_oauth2.rs | 29 +++++++++++++++++++++ | ||
server/lib/src/constants/acp.rs | 6 +++++ | ||
4 files changed, 82 insertions(+), 1 deletion(-) | ||
|
||
diff --git a/server/core/src/actors/v1_write.rs b/server/core/src/actors/v1_write.rs | ||
index e00a969fb..1cacc67b8 100644 | ||
--- a/server/core/src/actors/v1_write.rs | ||
+++ b/server/core/src/actors/v1_write.rs | ||
@@ -315,20 +315,62 @@ impl QueryServerWriteV1 { | ||
}; | ||
|
||
trace!(?del, "Begin delete event"); | ||
|
||
idms_prox_write | ||
.qs_write | ||
.delete(&del) | ||
.and_then(|_| idms_prox_write.commit().map(|_| ())) | ||
} | ||
|
||
+ #[instrument( | ||
+ level = "info", | ||
+ skip_all, | ||
+ fields(uuid = ?eventid) | ||
+ )] | ||
+ pub async fn handle_oauth2_basic_secret_write( | ||
+ &self, | ||
+ client_auth_info: ClientAuthInfo, | ||
+ filter: Filter<FilterInvalid>, | ||
+ new_secret: String, | ||
+ eventid: Uuid, | ||
+ ) -> Result<(), OperationError> { | ||
+ // Given a protoEntry, turn this into a modification set. | ||
+ let ct = duration_from_epoch_now(); | ||
+ let mut idms_prox_write = self.idms.proxy_write(ct).await; | ||
+ let ident = idms_prox_write | ||
+ .validate_client_auth_info_to_ident(client_auth_info, ct) | ||
+ .map_err(|e| { | ||
+ admin_error!(err = ?e, "Invalid identity"); | ||
+ e | ||
+ })?; | ||
+ | ||
+ let modlist = ModifyList::new_purge_and_set( | ||
+ Attribute::OAuth2RsBasicSecret, | ||
+ Value::SecretValue(new_secret), | ||
+ ); | ||
+ | ||
+ let mdf = | ||
+ ModifyEvent::from_internal_parts(ident, &modlist, &filter, &idms_prox_write.qs_write) | ||
+ .map_err(|e| { | ||
+ admin_error!(err = ?e, "Failed to begin modify during handle_oauth2_basic_secret_write"); | ||
+ e | ||
+ })?; | ||
+ | ||
+ trace!(?mdf, "Begin modify event"); | ||
+ | ||
+ idms_prox_write | ||
+ .qs_write | ||
+ .modify(&mdf) | ||
+ .and_then(|_| idms_prox_write.commit()) | ||
+ } | ||
+ | ||
#[instrument( | ||
level = "info", | ||
skip_all, | ||
fields(uuid = ?eventid) | ||
)] | ||
pub async fn handle_reviverecycled( | ||
&self, | ||
client_auth_info: ClientAuthInfo, | ||
filter: Filter<FilterInvalid>, | ||
eventid: Uuid, | ||
diff --git a/server/core/src/https/v1.rs b/server/core/src/https/v1.rs | ||
index 8aba83bb2..f1f815026 100644 | ||
--- a/server/core/src/https/v1.rs | ||
+++ b/server/core/src/https/v1.rs | ||
@@ -1,17 +1,17 @@ | ||
//! The V1 API things! | ||
|
||
use axum::extract::{Path, State}; | ||
use axum::http::{HeaderMap, HeaderValue}; | ||
use axum::middleware::from_fn; | ||
use axum::response::{IntoResponse, Response}; | ||
-use axum::routing::{delete, get, post, put}; | ||
+use axum::routing::{delete, get, post, put, patch}; | ||
use axum::{Extension, Json, Router}; | ||
use axum_extra::extract::cookie::{Cookie, CookieJar, SameSite}; | ||
use compact_jwt::{Jwk, Jws, JwsSigner}; | ||
use kanidm_proto::constants::uri::V1_AUTH_VALID; | ||
use std::net::IpAddr; | ||
use uuid::Uuid; | ||
|
||
use kanidm_proto::internal::{ | ||
ApiToken, AppLink, CUIntentToken, CURequest, CUSessionToken, CUStatus, CreateRequest, | ||
CredentialStatus, DeleteRequest, IdentifyUserRequest, IdentifyUserResponse, ModifyRequest, | ||
@@ -3119,20 +3119,24 @@ pub(crate) fn route_setup(state: ServerState) -> Router<ServerState> { | ||
) | ||
.route( | ||
"/v1/oauth2/:rs_name/_image", | ||
post(super::v1_oauth2::oauth2_id_image_post) | ||
.delete(super::v1_oauth2::oauth2_id_image_delete), | ||
) | ||
.route( | ||
"/v1/oauth2/:rs_name/_basic_secret", | ||
get(super::v1_oauth2::oauth2_id_get_basic_secret), | ||
) | ||
+ .route( | ||
+ "/v1/oauth2/:rs_name/_basic_secret", | ||
+ patch(super::v1_oauth2::oauth2_id_patch_basic_secret), | ||
+ ) | ||
.route( | ||
"/v1/oauth2/:rs_name/_scopemap/:group", | ||
post(super::v1_oauth2::oauth2_id_scopemap_post) | ||
.delete(super::v1_oauth2::oauth2_id_scopemap_delete), | ||
) | ||
.route( | ||
"/v1/oauth2/:rs_name/_sup_scopemap/:group", | ||
post(super::v1_oauth2::oauth2_id_sup_scopemap_post) | ||
.delete(super::v1_oauth2::oauth2_id_sup_scopemap_delete), | ||
) | ||
diff --git a/server/core/src/https/v1_oauth2.rs b/server/core/src/https/v1_oauth2.rs | ||
index 5e481afab..a771aed04 100644 | ||
--- a/server/core/src/https/v1_oauth2.rs | ||
+++ b/server/core/src/https/v1_oauth2.rs | ||
@@ -144,20 +144,49 @@ pub(crate) async fn oauth2_id_get_basic_secret( | ||
) -> Result<Json<Option<String>>, WebError> { | ||
let filter = oauth2_id(&rs_name); | ||
state | ||
.qe_r_ref | ||
.handle_oauth2_basic_secret_read(client_auth_info, filter, kopid.eventid) | ||
.await | ||
.map(Json::from) | ||
.map_err(WebError::from) | ||
} | ||
|
||
+#[utoipa::path( | ||
+ patch, | ||
+ path = "/v1/oauth2/{rs_name}/_basic_secret", | ||
+ request_body=ProtoEntry, | ||
+ responses( | ||
+ DefaultApiResponse, | ||
+ ), | ||
+ security(("token_jwt" = [])), | ||
+ tag = "v1/oauth2", | ||
+ operation_id = "oauth2_id_patch_basic_secret" | ||
+)] | ||
+/// Overwrite the basic secret for a given OAuth2 Resource Server. | ||
+#[instrument(level = "info", skip(state, new_secret))] | ||
+pub(crate) async fn oauth2_id_patch_basic_secret( | ||
+ State(state): State<ServerState>, | ||
+ Extension(kopid): Extension<KOpId>, | ||
+ VerifiedClientInformation(client_auth_info): VerifiedClientInformation, | ||
+ Path(rs_name): Path<String>, | ||
+ Json(new_secret): Json<String>, | ||
+) -> Result<Json<()>, WebError> { | ||
+ let filter = oauth2_id(&rs_name); | ||
+ state | ||
+ .qe_w_ref | ||
+ .handle_oauth2_basic_secret_write(client_auth_info, filter, new_secret, kopid.eventid) | ||
+ .await | ||
+ .map(Json::from) | ||
+ .map_err(WebError::from) | ||
+} | ||
+ | ||
#[utoipa::path( | ||
patch, | ||
path = "/v1/oauth2/{rs_name}", | ||
request_body=ProtoEntry, | ||
responses( | ||
DefaultApiResponse, | ||
), | ||
security(("token_jwt" = [])), | ||
tag = "v1/oauth2", | ||
operation_id = "oauth2_id_patch" | ||
diff --git a/server/lib/src/constants/acp.rs b/server/lib/src/constants/acp.rs | ||
index f3409649d..42e407b7d 100644 | ||
--- a/server/lib/src/constants/acp.rs | ||
+++ b/server/lib/src/constants/acp.rs | ||
@@ -645,34 +645,36 @@ lazy_static! { | ||
Attribute::Image, | ||
], | ||
modify_present_attrs: vec![ | ||
Attribute::Description, | ||
Attribute::DisplayName, | ||
Attribute::OAuth2RsName, | ||
Attribute::OAuth2RsOrigin, | ||
Attribute::OAuth2RsOriginLanding, | ||
Attribute::OAuth2RsSupScopeMap, | ||
Attribute::OAuth2RsScopeMap, | ||
+ Attribute::OAuth2RsBasicSecret, | ||
Attribute::OAuth2AllowInsecureClientDisablePkce, | ||
Attribute::OAuth2JwtLegacyCryptoEnable, | ||
Attribute::OAuth2PreferShortUsername, | ||
Attribute::Image, | ||
], | ||
create_attrs: vec![ | ||
Attribute::Class, | ||
Attribute::Description, | ||
Attribute::DisplayName, | ||
Attribute::OAuth2RsName, | ||
Attribute::OAuth2RsOrigin, | ||
Attribute::OAuth2RsOriginLanding, | ||
Attribute::OAuth2RsSupScopeMap, | ||
Attribute::OAuth2RsScopeMap, | ||
+ Attribute::OAuth2RsBasicSecret, | ||
Attribute::OAuth2AllowInsecureClientDisablePkce, | ||
Attribute::OAuth2JwtLegacyCryptoEnable, | ||
Attribute::OAuth2PreferShortUsername, | ||
Attribute::Image, | ||
], | ||
create_classes: vec![ | ||
EntryClass::Object, | ||
EntryClass::OAuth2ResourceServer, | ||
EntryClass::OAuth2ResourceServerBasic, | ||
EntryClass::OAuth2ResourceServerPublic, | ||
@@ -739,36 +741,38 @@ lazy_static! { | ||
Attribute::Image, | ||
], | ||
modify_present_attrs: vec![ | ||
Attribute::Description, | ||
Attribute::DisplayName, | ||
Attribute::OAuth2RsName, | ||
Attribute::OAuth2RsOrigin, | ||
Attribute::OAuth2RsOriginLanding, | ||
Attribute::OAuth2RsSupScopeMap, | ||
Attribute::OAuth2RsScopeMap, | ||
+ Attribute::OAuth2RsBasicSecret, | ||
Attribute::OAuth2AllowInsecureClientDisablePkce, | ||
Attribute::OAuth2JwtLegacyCryptoEnable, | ||
Attribute::OAuth2PreferShortUsername, | ||
Attribute::OAuth2AllowLocalhostRedirect, | ||
Attribute::OAuth2RsClaimMap, | ||
Attribute::Image, | ||
], | ||
create_attrs: vec![ | ||
Attribute::Class, | ||
Attribute::Description, | ||
Attribute::DisplayName, | ||
Attribute::OAuth2RsName, | ||
Attribute::OAuth2RsOrigin, | ||
Attribute::OAuth2RsOriginLanding, | ||
Attribute::OAuth2RsSupScopeMap, | ||
Attribute::OAuth2RsScopeMap, | ||
+ Attribute::OAuth2RsBasicSecret, | ||
Attribute::OAuth2AllowInsecureClientDisablePkce, | ||
Attribute::OAuth2JwtLegacyCryptoEnable, | ||
Attribute::OAuth2PreferShortUsername, | ||
Attribute::OAuth2AllowLocalhostRedirect, | ||
Attribute::OAuth2RsClaimMap, | ||
Attribute::Image, | ||
], | ||
create_classes: vec![ | ||
EntryClass::Object, | ||
EntryClass::OAuth2ResourceServer, | ||
@@ -840,36 +844,38 @@ lazy_static! { | ||
Attribute::Image, | ||
], | ||
modify_present_attrs: vec![ | ||
Attribute::Description, | ||
Attribute::DisplayName, | ||
Attribute::Name, | ||
Attribute::OAuth2RsOrigin, | ||
Attribute::OAuth2RsOriginLanding, | ||
Attribute::OAuth2RsSupScopeMap, | ||
Attribute::OAuth2RsScopeMap, | ||
+ Attribute::OAuth2RsBasicSecret, | ||
Attribute::OAuth2AllowInsecureClientDisablePkce, | ||
Attribute::OAuth2JwtLegacyCryptoEnable, | ||
Attribute::OAuth2PreferShortUsername, | ||
Attribute::OAuth2AllowLocalhostRedirect, | ||
Attribute::OAuth2RsClaimMap, | ||
Attribute::Image, | ||
], | ||
create_attrs: vec![ | ||
Attribute::Class, | ||
Attribute::Description, | ||
Attribute::Name, | ||
Attribute::OAuth2RsName, | ||
Attribute::OAuth2RsOrigin, | ||
Attribute::OAuth2RsOriginLanding, | ||
Attribute::OAuth2RsSupScopeMap, | ||
Attribute::OAuth2RsScopeMap, | ||
+ Attribute::OAuth2RsBasicSecret, | ||
Attribute::OAuth2AllowInsecureClientDisablePkce, | ||
Attribute::OAuth2JwtLegacyCryptoEnable, | ||
Attribute::OAuth2PreferShortUsername, | ||
Attribute::OAuth2AllowLocalhostRedirect, | ||
Attribute::OAuth2RsClaimMap, | ||
Attribute::Image, | ||
], | ||
create_classes: vec![ | ||
EntryClass::Object, | ||
EntryClass::Account, | ||
-- | ||
2.45.2 | ||
|
Oops, something went wrong.