kanidm: 1.1.0-alpha.12 -> 1.1.0-beta.13

https://github.com/kanidm/kanidm/releases/tag/v1.1.0-beta.13

The kanidmd process now creates a unix socket, over which admin tasks
can be done, without having to shut kanidm down first.

The kanidm_unixd process now wants access to /etc/shadow and /etc/group,
so it can rule out collisions with the host system.
This commit is contained in:
Martin Weinelt 2023-08-01 12:56:10 +02:00
parent b6fbd87328
commit 184d15cc06
No known key found for this signature in database
GPG Key ID: 87C1E9888F856759
4 changed files with 29 additions and 5457 deletions

View File

@ -122,8 +122,8 @@ in
};
log_level = lib.mkOption {
description = lib.mdDoc "Log level of the server.";
default = "default";
type = lib.types.enum [ "default" "verbose" "perfbasic" "perffull" ];
default = "info";
type = lib.types.enum [ "info" "debug" "trace" ];
};
role = lib.mkOption {
description = lib.mdDoc "The role of this server. This affects the replication relationship and thereby available features.";
@ -236,17 +236,23 @@ in
{
StateDirectory = "kanidm";
StateDirectoryMode = "0700";
RuntimeDirectory = "kanidmd";
ExecStart = "${pkgs.kanidm}/bin/kanidmd server -c ${serverConfigFile}";
User = "kanidm";
Group = "kanidm";
BindPaths = [
# To create the socket
"/run/kanidmd:/run/kanidmd"
];
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
# This would otherwise override the CAP_NET_BIND_SERVICE capability.
PrivateUsers = lib.mkForce false;
# Port needs to be exposed to the host network
PrivateNetwork = lib.mkForce false;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
TemporaryFileSystem = "/:ro";
}
];
@ -273,6 +279,8 @@ in
"-/etc/static/kanidm"
"-/etc/ssl"
"-/etc/static/ssl"
"-/etc/passwd"
"-/etc/group"
];
BindPaths = [
# To create the socket
@ -327,6 +335,9 @@ in
# These paths are hardcoded
environment.etc = lib.mkMerge [
(lib.mkIf cfg.enableServer {
"kanidm/server.toml".source = serverConfigFile;
})
(lib.mkIf options.services.kanidm.clientSettings.isDefined {
"kanidm/config".source = clientConfigFile;
})

View File

@ -67,9 +67,10 @@ import ./make-test-python.nix ({ pkgs, ... }:
''
start_all()
server.wait_for_unit("kanidm.service")
client.wait_for_unit("network-online.target")
with subtest("Test HTTP interface"):
server.wait_until_succeeds("curl -sf https://${serverDomain} | grep Kanidm")
server.wait_until_succeeds("curl -Lsf https://${serverDomain} | grep Kanidm")
with subtest("Test LDAP interface"):
server.succeed("ldapsearch -H ldaps://${serverDomain}:636 -b '${ldapBaseDN}' -x '(name=test)'")
@ -80,15 +81,11 @@ import ./make-test-python.nix ({ pkgs, ... }:
client.succeed("kanidm logout")
with subtest("Recover idm_admin account"):
# Must stop the server for account recovery or else kanidmd fails with
# "unable to lock kanidm exclusive lock at /var/lib/kanidm/kanidm.db.klock".
server.succeed("systemctl stop kanidm")
idm_admin_password = server.succeed("su - kanidm -c 'kanidmd recover-account -c ${serverConfigFile} idm_admin 2>&1 | rg -o \'[A-Za-z0-9]{48}\' '").strip().removeprefix("'").removesuffix("'")
server.succeed("systemctl start kanidm")
with subtest("Test unixd connection"):
client.wait_for_unit("kanidm-unixd.service")
# TODO: client.wait_for_file("/run/kanidm-unixd/sock")
client.wait_for_file("/run/kanidm-unixd/sock")
client.wait_until_succeeds("kanidm-unix status | grep working!")
with subtest("Test user creation"):

File diff suppressed because it is too large Load Diff

View File

@ -4,13 +4,13 @@
, nixosTests
, rustPlatform
, fetchFromGitHub
, fetchpatch
, installShellFiles
, pkg-config
, udev
, openssl
, sqlite
, pam
, bashInteractive
}:
let
@ -18,45 +18,35 @@ let
in
rustPlatform.buildRustPackage rec {
pname = "kanidm";
version = "1.1.0-alpha.12";
version = "1.1.0-beta.13";
src = fetchFromGitHub {
owner = pname;
repo = pname;
rev = "f5924443f08e462067937a5dd0e2c19e5e1255da";
hash = "sha256-kJUxVrGpczIdOqKQbgRp1xERfKP6C0SDQgWdjtSuvZ8=";
# Latest 1.1.0-beta.13 tip
rev = "5d1e2f90e6901017ab3ef9b5fbc10e25a5451fd2";
hash = "sha256-70yeHVOrCuC+H96UC84kly3CCQ+y1RGzF5K/2FIag/o=";
};
cargoLock = {
lockFile = ./Cargo.lock;
outputHashes = {
"tracing-forest-0.1.5" = "sha256-L6auSKB4DCnZBZpx7spiikhSOD6i1W3erc3zjn+26Ao=";
};
};
cargoHash = "sha256-Qdc+E5+k9NNE4s6eAnpkam56pc2JJPahkuT4lB328cY=";
KANIDM_BUILD_PROFILE = "release_nixos_${arch}";
patches = [
(fetchpatch {
# Bring back x86_64-v1 microarchitecture level
name = "cpu-opt-level.patch";
url = "https://github.com/kanidm/kanidm/commit/59c6723f7dfb2266eae45c3b2ddd377872a7a113.patch";
hash = "sha256-8rVEYitxvdVduQ/+AD/UG3v+mgT/VxkLoxNIXczUfCQ=";
})
];
postPatch =
let
format = (formats.toml { }).generate "${KANIDM_BUILD_PROFILE}.toml";
profile = {
web_ui_pkg_path = "@web_ui_pkg_path@";
admin_bind_path = "/run/kanidmd/sock";
cpu_flags = if stdenv.isx86_64 then "x86_64_legacy" else "none";
default_config_path = "/etc/kanidm/server.toml";
default_unix_shell_path = "${lib.getBin bashInteractive}/bin/bash";
web_ui_pkg_path = "@web_ui_pkg_path@";
};
in
''
cp ${format profile} libs/profiles/${KANIDM_BUILD_PROFILE}.toml
substituteInPlace libs/profiles/${KANIDM_BUILD_PROFILE}.toml \
--replace '@web_ui_pkg_path@' "$out/ui"
--replace '@web_ui_pkg_path@' "${placeholder "out"}/ui"
'';
nativeBuildInputs = [
@ -92,6 +82,7 @@ rustPlatform.buildRustPackage rec {
passthru.tests = { inherit (nixosTests) kanidm; };
meta = with lib; {
changelog = "https://github.com/kanidm/kanidm/releases/tag/v${version}";
description = "A simple, secure and fast identity management platform";
homepage = "https://github.com/kanidm/kanidm";
license = licenses.mpl20;