646b892680
Some checks failed
Periodic Merges (6h) / master → staging-nixos (push) Failing after 12m50s
Periodic Merges (6h) / master → staging-next (push) Failing after 12m54s
Periodic Merges (24h) / merge-base(master,staging) → haskell-updates (push) Failing after 11m54s
Periodic Merges (6h) / staging-next → staging (push) Failing after 12m13s
Periodic Merges (24h) / staging-next-25.05 → staging-25.05 (push) Failing after 13m24s
Periodic Merges (24h) / release-25.05 → staging-next-25.05 (push) Failing after 14m28s
200 lines
7.8 KiB
Diff
200 lines
7.8 KiB
Diff
From cf50a972b446b0ae051cfa4b01d82a4f8077386e Mon Sep 17 00:00:00 2001
|
|
From: Benjamin Bädorf <hello@benjaminbaedorf.eu>
|
|
Date: Fri, 28 Mar 2025 19:27:42 +0100
|
|
Subject: [PATCH 1/2] oauth2 basic secret modify
|
|
|
|
---
|
|
server/core/src/actors/v1_write.rs | 42 ++++++++++++++++++++++++++++++
|
|
server/core/src/https/v1.rs | 6 ++++-
|
|
server/core/src/https/v1_oauth2.rs | 29 +++++++++++++++++++++
|
|
server/lib/src/constants/acp.rs | 8 ++++++
|
|
4 files changed, 84 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/server/core/src/actors/v1_write.rs b/server/core/src/actors/v1_write.rs
|
|
index 732e826c8..a2b8e503f 100644
|
|
--- a/server/core/src/actors/v1_write.rs
|
|
+++ b/server/core/src/actors/v1_write.rs
|
|
@@ -324,6 +324,48 @@ impl QueryServerWriteV1 {
|
|
.and_then(|_| idms_prox_write.commit().map(|_| ()))
|
|
}
|
|
|
|
+ #[instrument(
|
|
+ level = "info",
|
|
+ skip_all,
|
|
+ fields(uuid = ?eventid)
|
|
+ )]
|
|
+ pub async fn handle_oauth2_basic_secret_write(
|
|
+ &self,
|
|
+ client_auth_info: ClientAuthInfo,
|
|
+ filter: Filter<FilterInvalid>,
|
|
+ new_secret: String,
|
|
+ eventid: Uuid,
|
|
+ ) -> Result<(), OperationError> {
|
|
+ // Given a protoEntry, turn this into a modification set.
|
|
+ let ct = duration_from_epoch_now();
|
|
+ let mut idms_prox_write = self.idms.proxy_write(ct).await?;
|
|
+ let ident = idms_prox_write
|
|
+ .validate_client_auth_info_to_ident(client_auth_info, ct)
|
|
+ .map_err(|e| {
|
|
+ admin_error!(err = ?e, "Invalid identity");
|
|
+ e
|
|
+ })?;
|
|
+
|
|
+ let modlist = ModifyList::new_purge_and_set(
|
|
+ Attribute::OAuth2RsBasicSecret,
|
|
+ Value::SecretValue(new_secret),
|
|
+ );
|
|
+
|
|
+ let mdf =
|
|
+ ModifyEvent::from_internal_parts(ident, &modlist, &filter, &idms_prox_write.qs_write)
|
|
+ .map_err(|e| {
|
|
+ admin_error!(err = ?e, "Failed to begin modify during handle_oauth2_basic_secret_write");
|
|
+ e
|
|
+ })?;
|
|
+
|
|
+ trace!(?mdf, "Begin modify event");
|
|
+
|
|
+ idms_prox_write
|
|
+ .qs_write
|
|
+ .modify(&mdf)
|
|
+ .and_then(|_| idms_prox_write.commit())
|
|
+ }
|
|
+
|
|
#[instrument(
|
|
level = "info",
|
|
skip_all,
|
|
diff --git a/server/core/src/https/v1.rs b/server/core/src/https/v1.rs
|
|
index c410a4b5d..cc67cac6c 100644
|
|
--- a/server/core/src/https/v1.rs
|
|
+++ b/server/core/src/https/v1.rs
|
|
@@ -4,7 +4,7 @@ use axum::extract::{Path, State};
|
|
use axum::http::{HeaderMap, HeaderValue};
|
|
use axum::middleware::from_fn;
|
|
use axum::response::{IntoResponse, Response};
|
|
-use axum::routing::{delete, get, post, put};
|
|
+use axum::routing::{delete, get, post, put, patch};
|
|
use axum::{Extension, Json, Router};
|
|
use axum_extra::extract::cookie::{Cookie, CookieJar, SameSite};
|
|
use compact_jwt::{Jwk, Jws, JwsSigner};
|
|
@@ -3127,6 +3127,10 @@ pub(crate) fn route_setup(state: ServerState) -> Router<ServerState> {
|
|
"/v1/oauth2/:rs_name/_basic_secret",
|
|
get(super::v1_oauth2::oauth2_id_get_basic_secret),
|
|
)
|
|
+ .route(
|
|
+ "/v1/oauth2/:rs_name/_basic_secret",
|
|
+ patch(super::v1_oauth2::oauth2_id_patch_basic_secret),
|
|
+ )
|
|
.route(
|
|
"/v1/oauth2/:rs_name/_scopemap/:group",
|
|
post(super::v1_oauth2::oauth2_id_scopemap_post)
|
|
diff --git a/server/core/src/https/v1_oauth2.rs b/server/core/src/https/v1_oauth2.rs
|
|
index f399539bc..ffad9921e 100644
|
|
--- a/server/core/src/https/v1_oauth2.rs
|
|
+++ b/server/core/src/https/v1_oauth2.rs
|
|
@@ -151,6 +151,35 @@ pub(crate) async fn oauth2_id_get_basic_secret(
|
|
.map_err(WebError::from)
|
|
}
|
|
|
|
+#[utoipa::path(
|
|
+ patch,
|
|
+ path = "/v1/oauth2/{rs_name}/_basic_secret",
|
|
+ request_body=ProtoEntry,
|
|
+ responses(
|
|
+ DefaultApiResponse,
|
|
+ ),
|
|
+ security(("token_jwt" = [])),
|
|
+ tag = "v1/oauth2",
|
|
+ operation_id = "oauth2_id_patch_basic_secret"
|
|
+)]
|
|
+/// Overwrite the basic secret for a given OAuth2 Resource Server.
|
|
+#[instrument(level = "info", skip(state, new_secret))]
|
|
+pub(crate) async fn oauth2_id_patch_basic_secret(
|
|
+ State(state): State<ServerState>,
|
|
+ Extension(kopid): Extension<KOpId>,
|
|
+ VerifiedClientInformation(client_auth_info): VerifiedClientInformation,
|
|
+ Path(rs_name): Path<String>,
|
|
+ Json(new_secret): Json<String>,
|
|
+) -> Result<Json<()>, WebError> {
|
|
+ let filter = oauth2_id(&rs_name);
|
|
+ state
|
|
+ .qe_w_ref
|
|
+ .handle_oauth2_basic_secret_write(client_auth_info, filter, new_secret, kopid.eventid)
|
|
+ .await
|
|
+ .map(Json::from)
|
|
+ .map_err(WebError::from)
|
|
+}
|
|
+
|
|
#[utoipa::path(
|
|
patch,
|
|
path = "/v1/oauth2/{rs_name}",
|
|
diff --git a/server/lib/src/constants/acp.rs b/server/lib/src/constants/acp.rs
|
|
index 7c0487745..3cd83ad52 100644
|
|
--- a/server/lib/src/constants/acp.rs
|
|
+++ b/server/lib/src/constants/acp.rs
|
|
@@ -665,6 +665,7 @@ lazy_static! {
|
|
Attribute::OAuth2RsOriginLanding,
|
|
Attribute::OAuth2RsSupScopeMap,
|
|
Attribute::OAuth2RsScopeMap,
|
|
+ Attribute::OAuth2RsBasicSecret,
|
|
Attribute::OAuth2AllowInsecureClientDisablePkce,
|
|
Attribute::OAuth2JwtLegacyCryptoEnable,
|
|
Attribute::OAuth2PreferShortUsername,
|
|
@@ -681,6 +682,7 @@ lazy_static! {
|
|
Attribute::OAuth2RsOriginLanding,
|
|
Attribute::OAuth2RsSupScopeMap,
|
|
Attribute::OAuth2RsScopeMap,
|
|
+ Attribute::OAuth2RsBasicSecret,
|
|
Attribute::OAuth2AllowInsecureClientDisablePkce,
|
|
Attribute::OAuth2JwtLegacyCryptoEnable,
|
|
Attribute::OAuth2PreferShortUsername,
|
|
@@ -766,6 +768,7 @@ lazy_static! {
|
|
Attribute::OAuth2RsOriginLanding,
|
|
Attribute::OAuth2RsSupScopeMap,
|
|
Attribute::OAuth2RsScopeMap,
|
|
+ Attribute::OAuth2RsBasicSecret,
|
|
Attribute::OAuth2AllowInsecureClientDisablePkce,
|
|
Attribute::OAuth2JwtLegacyCryptoEnable,
|
|
Attribute::OAuth2PreferShortUsername,
|
|
@@ -783,6 +786,7 @@ lazy_static! {
|
|
Attribute::OAuth2RsOriginLanding,
|
|
Attribute::OAuth2RsSupScopeMap,
|
|
Attribute::OAuth2RsScopeMap,
|
|
+ Attribute::OAuth2RsBasicSecret,
|
|
Attribute::OAuth2AllowInsecureClientDisablePkce,
|
|
Attribute::OAuth2JwtLegacyCryptoEnable,
|
|
Attribute::OAuth2PreferShortUsername,
|
|
@@ -871,6 +875,7 @@ lazy_static! {
|
|
Attribute::OAuth2RsOriginLanding,
|
|
Attribute::OAuth2RsSupScopeMap,
|
|
Attribute::OAuth2RsScopeMap,
|
|
+ Attribute::OAuth2RsBasicSecret,
|
|
Attribute::OAuth2AllowInsecureClientDisablePkce,
|
|
Attribute::OAuth2JwtLegacyCryptoEnable,
|
|
Attribute::OAuth2PreferShortUsername,
|
|
@@ -889,6 +894,7 @@ lazy_static! {
|
|
Attribute::OAuth2RsOriginLanding,
|
|
Attribute::OAuth2RsSupScopeMap,
|
|
Attribute::OAuth2RsScopeMap,
|
|
+ Attribute::OAuth2RsBasicSecret,
|
|
Attribute::OAuth2AllowInsecureClientDisablePkce,
|
|
Attribute::OAuth2JwtLegacyCryptoEnable,
|
|
Attribute::OAuth2PreferShortUsername,
|
|
@@ -980,6 +986,7 @@ lazy_static! {
|
|
Attribute::OAuth2RsOriginLanding,
|
|
Attribute::OAuth2RsSupScopeMap,
|
|
Attribute::OAuth2RsScopeMap,
|
|
+ Attribute::OAuth2RsBasicSecret,
|
|
Attribute::OAuth2AllowInsecureClientDisablePkce,
|
|
Attribute::OAuth2JwtLegacyCryptoEnable,
|
|
Attribute::OAuth2PreferShortUsername,
|
|
@@ -999,6 +1006,7 @@ lazy_static! {
|
|
Attribute::OAuth2RsOriginLanding,
|
|
Attribute::OAuth2RsSupScopeMap,
|
|
Attribute::OAuth2RsScopeMap,
|
|
+ Attribute::OAuth2RsBasicSecret,
|
|
Attribute::OAuth2AllowInsecureClientDisablePkce,
|
|
Attribute::OAuth2JwtLegacyCryptoEnable,
|
|
Attribute::OAuth2PreferShortUsername,
|
|
--
|
|
2.47.2
|