From 2d7ed61384e33a25dc747bb737e70c2d4b6068c1 Mon Sep 17 00:00:00 2001
From: Fugi
Date: Tue, 5 Mar 2024 15:10:20 +0100
Subject: [PATCH] use portunus from nixos-unstable

---
 flake.lock | 17 ++++++
 flake.nix | 5 +-
 .../0001-update-user-validation-regex.patch | 56 +++++++++++--------
 modules/ldap/0002-both-ldap-and-ldaps.patch | 10 ++--
 modules/ldap/0003-gecos-ascii-escape.patch | 24 ++++----
 .../ldap/0004-make-givenName-optional.patch | 30 +++++-----
 modules/ldap/default.nix | 29 +++++++---
 7 files changed, 107 insertions(+), 64 deletions(-)

diff --git a/flake.lock b/flake.lock
index 59c3907..37f086d 100644
--- a/flake.lock
+++ b/flake.lock
@@ -190,6 +190,22 @@
 "type": "github"
 }
 },
+ "nixpkgs-unstable": {
+ "locked": {
+ "lastModified": 1709479366,
+ "narHash": "sha256-n6F0n8UV6lnTZbYPl1A9q1BS0p4hduAv1mGAP17CVd0=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "b8697e57f10292a6165a20f03d2f42920dfaf973",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs_2": {
 "locked": {
 "lastModified": 1682134069,
@@ -256,6 +272,7 @@
 "kpp": "kpp",
 "nix-index-database": "nix-index-database",
 "nixpkgs": "nixpkgs",
+ "nixpkgs-unstable": "nixpkgs-unstable",
 "print-interface": "print-interface",
 "sops-nix": "sops-nix",
 "vscode-server": "vscode-server"
diff --git a/flake.nix b/flake.nix
index faf38af..f84b6c8 100755
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,7 @@
 {
 inputs = {
 nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
+ nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
 sops-nix.url = "github:Mic92/sops-nix";
 sops-nix.inputs.nixpkgs.follows = "nixpkgs";
 nix-index-database.url = "github:nix-community/nix-index-database";
@@ -59,9 +60,9 @@
 });
 overlays.default = import ./overlays;
 nixosConfigurations = {
- quitte = nixpkgs.lib.nixosSystem {
+ quitte = nixpkgs.lib.nixosSystem rec {
 system = "x86_64-linux";
- specialArgs = inputs;
+ specialArgs = inputs // { inherit system; };
 modules = [
 inputs.sops-nix.nixosModules.sops
 inputs.kpp.nixosModules.default
diff --git a/modules/ldap/0001-update-user-validation-regex.patch b/modules/ldap/0001-update-user-validation-regex.patch
index 6ae40f9..ce78894 100644
--- a/modules/ldap/0001-update-user-validation-regex.patch
+++ b/modules/ldap/0001-update-user-validation-regex.patch
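Review bot: `rec` on the `nixosSystem` argument set (`quitte = nixpkgs.lib.nixosSystem rec {`) exists only so `specialArgs` can read `system`; a `let` binding achieves the same without making the whole set recursive, which is the usual recommendation because `rec` sets silently pick up later self-references. e.g. `quitte = let system = "x86_64-linux"; in nixpkgs.lib.nixosSystem { inherit system; specialArgs = inputs // { inherit system; }; modules = [ ... ]; };`. Threading `system` through `specialArgs` could also be avoided altogether, since modules already see the platform as `pkgs.stdenv.hostPlatform.system`. The `nixosConfigurations` set continues past the end of the hunk.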
@@ -1,25 +1,35 @@
-From f5c68898be345fb0dca5ab7b596b9cbe674f5dfb Mon Sep 17 00:00:00 2001
-From: Rouven Seifert
-Date: Tue, 4 Jul 2023 15:14:00 +0200
-Subject: [PATCH] update user validation regex
-
----
- internal/core/validation.go | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/internal/core/validation.go b/internal/core/validation.go
-index 3e168b5..10dfc0a 100644
---- a/internal/core/validation.go
-+++ b/internal/core/validation.go
-@@ -30,7 +30,7 @@ import (
- )
-
- //this regexp copied from useradd(8) manpage
--const posixAccountNamePattern = `[a-z_][a-z0-9_-]*\$?`
-+const posixAccountNamePattern = `[a-z_][a-z0-9._-]*\$?`
+diff --git a/cmd/portunus-orchestrator/config.go b/cmd/portunus-orchestrator/config.go
+index 4db19f2..290128a 100644
+--- a/cmd/portunus-orchestrator/config.go
++++ b/cmd/portunus-orchestrator/config.go
+@@ -23,7 +23,7 @@ type valueCheck struct {
+ }
 
 var (
- errIsMissing = errors.New("is missing")
---
-2.41.0
-
+- userOrGroupPattern = `^[a-z_][a-z0-9_-]*\$?$`
++ userOrGroupPattern = `^[a-z_][a-z0-9._-]*\$?$`
+ envDefaults = map[string]string{
+ //empty value = not optional
+ "PORTUNUS_DEBUG": "false",
+diff --git a/internal/grammars/grammars.go b/internal/grammars/grammars.go
+index 1253c05..e458fd0 100644
+--- a/internal/grammars/grammars.go
++++ b/internal/grammars/grammars.go
+@@ -39,7 +39,7 @@ const (
+ // This regex is based on the respective format description in the useradd(8) manpage.
+ //
+ // This is only shown for documentation purposes here; use func IsPOSIXAccountName instead.
+- POSIXAccountNameRegex = `^[a-z_][a-z0-9_-]*\$?$`
++ POSIXAccountNameRegex = `^[a-z_][a-z0-9._-]*\$?$`
+ )
+
+ //TODO There is also some `import "regexp"` in cmd/orchestrator/ldap.go to render
+@@ -159,7 +159,7 @@ func checkByteInPOSIXAccountName(idx, length int, b byte) bool {
+ switch {
+ case (b >= 'a' && b <= 'z') || b == '_':
+ return true
+- case (b >= '0' && b <= '9') || b == '-':
++ case (b >= '0' && b <= '9') || b == '-' || b == '.':
+ return idx != 0 // not allowed at start
+ default:
+ return false
diff --git a/modules/ldap/0002-both-ldap-and-ldaps.patch b/modules/ldap/0002-both-ldap-and-ldaps.patch
index 9ae71a5..3ebda7e 100644
--- a/modules/ldap/0002-both-ldap-and-ldaps.patch
+++ b/modules/ldap/0002-both-ldap-and-ldaps.patch
@@ -1,8 +1,8 @@
-diff --git a/cmd/orchestrator/ldap.go b/cmd/orchestrator/ldap.go
-index ed0d466..a672046 100644
---- a/cmd/orchestrator/ldap.go
-+++ b/cmd/orchestrator/ldap.go
-@@ -130,7 +130,7 @@ func runLDAPServer(environment map[string]string) {
+diff --git a/cmd/portunus-orchestrator/ldap.go b/cmd/portunus-orchestrator/ldap.go
+index 9564c5e..40cd2d7 100644
+--- a/cmd/portunus-orchestrator/ldap.go
++++ b/cmd/portunus-orchestrator/ldap.go
+@@ -134,7 +134,7 @@ func runLDAPServer(environment map[string]string) {
 bindURL := "ldap:///"
 if environment["PORTUNUS_SLAPD_TLS_CERTIFICATE"] != "" {
diff --git a/modules/ldap/0003-gecos-ascii-escape.patch b/modules/ldap/0003-gecos-ascii-escape.patch
index c3918cb..83650f4 100644
--- a/modules/ldap/0003-gecos-ascii-escape.patch
+++ b/modules/ldap/0003-gecos-ascii-escape.patch
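Review bot: The retained comment `// This regex is based on the respective format description in the useradd(8) manpage.` stops being accurate once `.` is added to `POSIXAccountNameRegex` and to `checkByteInPOSIXAccountName`, because the manpage pattern it refers to has no dot; a reader of the patched file will assume the stricter rule still holds. Suggest the patch also amend that line to `// Based on the useradd(8) manpage pattern, extended to also allow '.' after the first character.` The widening is applied in three places here (config.go `userOrGroupPattern`, the regex constant and the byte checker), and the visible TODO mentions yet another `regexp` in cmd/orchestrator/ldap.go, so it is worth confirming no copy of the old pattern survives — otherwise a name accepted by core validation could be rejected at the LDAP layer or vice versa. Going by its name, `userOrGroupPattern` also governs group names, so the relaxation presumably applies to both; confirm that is intended. `checkByteInPOSIXAccountName` starts before and ends after the hunk.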
@@ -1,24 +1,26 @@
-diff --git a/internal/core/user.go b/internal/core/user.go
-index e74ccfe..291c75b 100644
---- a/internal/core/user.go
-+++ b/internal/core/user.go
-@@ -8,6 +8,7 @@ package core
+diff --git a/internal/ldap/object.go b/internal/ldap/object.go
+index d4e5c6f..fcefec7 100644
+--- a/internal/ldap/object.go
++++ b/internal/ldap/object.go
+@@ -8,6 +8,7 @@ package ldap
 
 import (
 "fmt"
++ "strconv"
- )
++ "regexp"
 
- // User represents a single user account.
-@@ -86,9 +87,9 @@ func (u User) RenderToLDAP(suffix string, allGroups map[string]Group) LDAPObject
+ "github.com/majewsky/portunus/internal/core"
+ )
+@@ -94,10 +95,11 @@ func renderUser(u core.User, dnSuffix string, allGroups []core.Group) Object {
+ if u.POSIX.LoginShell != "" {
 obj.Attributes["loginShell"] = []string{u.POSIX.LoginShell}
 }
++ var nonASCII = regexp.MustCompile("[^\\x00-\\x7F]")
 if u.POSIX.GECOS == "" {
 - obj.Attributes["gecos"] = []string{u.FullName()}
-+ obj.Attributes["gecos"] = []string{strconv.QuoteToASCII(u.FullName())}
++ obj.Attributes["gecos"] = []string{nonASCII.ReplaceAllString(u.FullName(), "")}
 } else {
 - obj.Attributes["gecos"] = []string{u.POSIX.GECOS}
-+ obj.Attributes["gecos"] = []string{strconv.QuoteToASCII(u.POSIX.GECOS)}
++ obj.Attributes["gecos"] = []string{nonASCII.ReplaceAllString(u.POSIX.GECOS, "")}
 }
 obj.Attributes["objectClass"] = append(obj.Attributes["objectClass"], "posixAccount")
 }
diff --git a/modules/ldap/0004-make-givenName-optional.patch b/modules/ldap/0004-make-givenName-optional.patch
index 4131252..4b6ecf6 100644
--- a/modules/ldap/0004-make-givenName-optional.patch
+++ b/modules/ldap/0004-make-givenName-optional.patch
@@ -1,8 +1,20 @@
 diff --git a/internal/core/user.go b/internal/core/user.go
-index e74ccfe..ce03eeb 100644
+index f45fdf7..4f93b37 100644
 --- a/internal/core/user.go
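Review bot: `regexp.MustCompile("[^\\x00-\\x7F]")` is now executed inside `renderUser` on every render of a POSIX user; hoist it to package scope (`var nonASCII = regexp.MustCompile(...)`) so it is compiled once, as the Go convention has it. More importantly, the replacement changes escaping into deletion: `strconv.QuoteToASCII` kept every character recoverable, whereas `ReplaceAllString(..., "")` silently drops non-ASCII runes (a name like "Müller" is rendered as "Mller") and, unlike the old quoting, still passes ASCII control characters and `:` through — in a passwd-style gecos field those are record and field delimiters. Whether such bytes can reach this point depends on validation that is not visible here; if it is not guaranteed upstream, `regexp.MustCompile("[^\\x20-\\x7E]")` would at least strip control characters, and the line deserves a comment stating that data is removed rather than escaped. `renderUser` continues outside the hunk.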
 +++ b/internal/core/user.go
-@@ -64,7 +64,6 @@ func (u User) RenderToLDAP(suffix string, allGroups map[string]Group) LDAPObject
+@@ -76,7 +76,6 @@ func (u User) validateLocal(cfg *ValidationConfig) (errs errext.ErrorSet) {
+ MustBePosixAccountNameIf(u.LoginName, u.POSIX != nil),
+ ))
+ errs.Add(ref.Field("given_name").WrapFirst(
+- MustNotBeEmpty(u.GivenName),
+ MustNotHaveSurroundingSpaces(u.GivenName),
+ ))
+ errs.Add(ref.Field("family_name").WrapFirst(
+diff --git a/internal/ldap/object.go b/internal/ldap/object.go
+index d4e5c6f..1225084 100644
+--- a/internal/ldap/object.go
++++ b/internal/ldap/object.go
+@@ -73,7 +73,6 @@ func renderUser(u core.User, dnSuffix string, allGroups []core.Group) Object {
 "uid": {u.LoginName},
 "cn": {u.FullName()},
 "sn": {u.FamilyName},
@@ -10,7 +22,7 @@ index e74ccfe..ce03eeb 100644
 "userPassword": {u.PasswordHash},
 "isMemberOf": memberOfGroupDNames,
 "objectClass": {"portunusPerson", "inetOrgPerson", "organizationalPerson", "person", "top"},
-@@ -74,6 +73,9 @@ func (u User) RenderToLDAP(suffix string, allGroups map[string]Group) LDAPObject
+@@ -83,6 +82,9 @@ func renderUser(u core.User, dnSuffix string, allGroups []core.Group) Object {
 if u.EMailAddress != "" {
 obj.Attributes["mail"] = []string{u.EMailAddress}
 }
@@ -20,15 +32,3 @@ index e74ccfe..ce03eeb 100644
 if len(u.SSHPublicKeys) > 0 {
 obj.Attributes["sshPublicKey"] = u.SSHPublicKeys
 }
-diff --git a/internal/frontend/users.go b/internal/frontend/users.go
-index 225c5b3..1a961ca 100644
---- a/internal/frontend/users.go
-+++ b/internal/frontend/users.go
-@@ -168,7 +168,6 @@ func buildUserMasterdataFieldset(e core.Engine, u *core.User, state *h.FormState
- Name: "given_name",
- Label: "Given name",
- Rules: []h.ValidationRule{
-- core.MustNotBeEmpty,
- core.MustNotHaveSurroundingSpaces,
- },
- },
diff --git a/modules/ldap/default.nix b/modules/ldap/default.nix
index 5c276c1..12397c3 100644
--- a/modules/ldap/default.nix
+++ b/modules/ldap/default.nix
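Review bot: With `MustNotBeEmpty(u.GivenName)` dropped from `validateLocal`, `cn` is still rendered from `u.FullName()` (see the `"cn": {u.FullName()},` context line) and, through the 0003 patch, so is the default gecos; if `FullName()` joins given and family name with a separator, an empty given name produces a value with a leading space that then lands in the directory. Confirm `FullName()` handles the empty case, or trim at the render site, and add a test for a user with an empty given name. Keeping `"sn": {u.FamilyName}` mandatory is what makes this safe schema-wise, since `inetOrgPerson` requires `sn` and `cn` but only allows `givenName`. The hunk further down removes the frontend part of the patch entirely, so presumably the form now takes its rules from `validateLocal`; worth verifying the web form no longer carries its own `MustNotBeEmpty` for given_name. Both `validateLocal` and `renderUser` extend beyond the hunk.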
@@ -1,7 +1,7 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, nixpkgs-unstable, system, ... }:
 let
 domain = "auth.${config.networking.domain}";
- seed = {
+ seedSettings = {
 groups = [
 {
 name = "admins";
@@ -43,6 +43,15 @@ let
 };
 in
 {
+ # Use portunus from unstable branch until 24.05 is here
+ disabledModules = [ "services/misc/portunus.nix" ];
+ imports = [ "${nixpkgs-unstable}/nixos/modules/services/misc/portunus.nix" ];
+ nixpkgs.overlays = [
+ (self: super: {
+ inherit (nixpkgs-unstable.legacyPackages.${system}) portunus;
+ })
+ ];
+
 sops.secrets = {
 "portunus/admin-password".owner = config.services.portunus.user;
 "portunus/search-password".owner = config.services.portunus.user;
@@ -58,12 +67,12 @@ in
 ./0003-gecos-ascii-escape.patch
 ./0004-make-givenName-optional.patch
 ];
+ doCheck = false; # posix regex related tests break
 });
- inherit domain;
+ inherit domain seedSettings;
 port = 8681;
 dex.enable = true;
- seedPath = pkgs.writeText "portunus-seed.json" (builtins.toJSON seed);
 ldap = {
 suffix = "dc=ifsr,dc=de";
@@ -75,10 +84,14 @@ in
 };
 };
- services.dex.settings.oauth2.skipApprovalScreen = true;
- services.dex.settings.frontend.issuer = "iFSR Schliboleth";
- services.dex.settings.frontend.logoURL = "https://wiki.ifsr.de/images/3/3b/LogoiFSR.png";
- services.dex.settings.frontend.theme = "dark";
+ services.dex.settings = {
+ oauth2.skipApprovalScreen = true;
+ frontend = {
+ issuer = "iFSR Schliboleth";
+ logoURL = "https://wiki.ifsr.de/images/3/3b/LogoiFSR.png";
+ theme = "dark";
+ };
+ };
 systemd.services.dex.serviceConfig = {
 DynamicUser = lib.mkForce false;
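Review bot: The overlay takes `system` from `specialArgs` only to index `nixpkgs-unstable.legacyPackages`, but an overlay already knows its target platform: `inherit (nixpkgs-unstable.legacyPackages.${super.stdenv.hostPlatform.system}) portunus;` removes the need for the extra module argument. Importing the portunus module from a different nixpkgs revision than the rest of the system means it is evaluated against the 23.11 option set and `lib`, so any unstable-only option or helper it relies on surfaces only at evaluation time and the mismatch grows with every `nix flake update`; the comment should record the pinned rev and what to remove, e.g. `# TODO(24.05): drop disabledModules/imports/overlay once nixos-24.05 ships this portunus; module and package are taken from the nixpkgs-unstable input pinned in flake.lock`.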
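Review bot: `doCheck = false; # posix regex related tests break` turns off the entire upstream test suite of the identity provider to silence the tests that the 0001 regex patch invalidates, so any other regression in this patched build — including the LDAP rendering changed by 0003 and 0004 — now goes unnoticed. Prefer extending 0001 to update the test expectations so that `.` is an accepted character, or narrow the exclusion to the failing tests with `checkFlags = [ "-skip" "<the POSIX name tests>" ]` while the rest of the suite keeps running. In either case the comment should name the tests concerned so the exclusion can be revisited at the next upgrade. The `services.portunus` block continues outside the hunk.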