ghostfox/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
nixpkgs/pkgs/servers/kanidm/provision-patches/1_6/oauth2-basic-secret-modify.patch
Dark Steveneq 646b892680
Some checks failed
Periodic Merges (6h) / master → staging-nixos (push) Failing after 12m50s
Details
Periodic Merges (6h) / master → staging-next (push) Failing after 12m54s
Details
Periodic Merges (24h) / merge-base(master,staging) → haskell-updates (push) Failing after 11m54s
Details
Periodic Merges (6h) / staging-next → staging (push) Failing after 12m13s
Details
Periodic Merges (24h) / staging-next-25.05 → staging-25.05 (push) Failing after 13m24s
Details
Periodic Merges (24h) / release-25.05 → staging-next-25.05 (push) Failing after 14m28s
Details
push sheeet
2025-10-09 14:15:47 +02:00

160 lines
5.7 KiB
Diff
Raw Permalink Blame History

From fc26fe5ac9e9cd65af82609c5a4966c8f756ea0f Mon Sep 17 00:00:00 2001
From: oddlama <oddlama@oddlama.org>
Date: Fri, 21 Mar 2025 16:07:54 +0100
Subject: [PATCH 1/2] oauth2 basic secret modify
---
server/core/src/actors/v1_write.rs | 42 +++++++++++++++++++++++++++++
server/core/src/https/v1.rs | 6 ++++-
server/core/src/https/v1_oauth2.rs | 29 ++++++++++++++++++++
server/lib/src/server/migrations.rs | 16 +++++++++++
4 files changed, 92 insertions(+), 1 deletion(-)
diff --git a/server/core/src/actors/v1_write.rs b/server/core/src/actors/v1_write.rs
index 732e826c8..a2b8e503f 100644
--- a/server/core/src/actors/v1_write.rs
+++ b/server/core/src/actors/v1_write.rs
@@ -324,6 +324,48 @@ impl QueryServerWriteV1 {
.and_then(|_| idms_prox_write.commit().map(|_| ()))
}
+ #[instrument(
+ level = "info",
+ skip_all,
+ fields(uuid = ?eventid)
+ )]
+ pub async fn handle_oauth2_basic_secret_write(
+ &self,
+ client_auth_info: ClientAuthInfo,
+ filter: Filter<FilterInvalid>,
+ new_secret: String,
+ eventid: Uuid,
+ ) -> Result<(), OperationError> {
+ // Given a protoEntry, turn this into a modification set.
+ let ct = duration_from_epoch_now();
+ let mut idms_prox_write = self.idms.proxy_write(ct).await?;
+ let ident = idms_prox_write
+ .validate_client_auth_info_to_ident(client_auth_info, ct)
+ .map_err(|e| {
+ admin_error!(err = ?e, "Invalid identity");
+ e
+ })?;
+
+ let modlist = ModifyList::new_purge_and_set(
+ Attribute::OAuth2RsBasicSecret,
+ Value::SecretValue(new_secret),
+ );
+
+ let mdf =
+ ModifyEvent::from_internal_parts(ident, &modlist, &filter, &idms_prox_write.qs_write)
+ .map_err(|e| {
+ admin_error!(err = ?e, "Failed to begin modify during handle_oauth2_basic_secret_write");
+ e
+ })?;
+
+ trace!(?mdf, "Begin modify event");
+
+ idms_prox_write
+ .qs_write
+ .modify(&mdf)
+ .and_then(|_| idms_prox_write.commit())
+ }
+
#[instrument(
level = "info",
skip_all,
diff --git a/server/core/src/https/v1.rs b/server/core/src/https/v1.rs
index 30de387b8..a11aa8ecd 100644
--- a/server/core/src/https/v1.rs
+++ b/server/core/src/https/v1.rs
@@ -4,7 +4,7 @@ use axum::extract::{Path, State};
use axum::http::{HeaderMap, HeaderValue};
use axum::middleware::from_fn;
use axum::response::{IntoResponse, Response};
-use axum::routing::{delete, get, post, put};
+use axum::routing::{delete, get, post, put, patch};
use axum::{Extension, Json, Router};
use axum_extra::extract::cookie::{Cookie, CookieJar, SameSite};
use compact_jwt::{Jwk, Jws, JwsSigner};
@@ -3129,6 +3129,10 @@ pub(crate) fn route_setup(state: ServerState) -> Router<ServerState> {
"/v1/oauth2/:rs_name/_basic_secret",
get(super::v1_oauth2::oauth2_id_get_basic_secret),
)
+ .route(
+ "/v1/oauth2/:rs_name/_basic_secret",
+ patch(super::v1_oauth2::oauth2_id_patch_basic_secret),
+ )
.route(
"/v1/oauth2/:rs_name/_scopemap/:group",
post(super::v1_oauth2::oauth2_id_scopemap_post)
diff --git a/server/core/src/https/v1_oauth2.rs b/server/core/src/https/v1_oauth2.rs
index f399539bc..ffad9921e 100644
--- a/server/core/src/https/v1_oauth2.rs
+++ b/server/core/src/https/v1_oauth2.rs
@@ -151,6 +151,35 @@ pub(crate) async fn oauth2_id_get_basic_secret(
.map_err(WebError::from)
}
+#[utoipa::path(
+ patch,
+ path = "/v1/oauth2/{rs_name}/_basic_secret",
+ request_body=ProtoEntry,
+ responses(
+ DefaultApiResponse,
+ ),
+ security(("token_jwt" = [])),
+ tag = "v1/oauth2",
+ operation_id = "oauth2_id_patch_basic_secret"
+)]
+/// Overwrite the basic secret for a given OAuth2 Resource Server.
+#[instrument(level = "info", skip(state, new_secret))]
+pub(crate) async fn oauth2_id_patch_basic_secret(
+ State(state): State<ServerState>,
+ Extension(kopid): Extension<KOpId>,
+ VerifiedClientInformation(client_auth_info): VerifiedClientInformation,
+ Path(rs_name): Path<String>,
+ Json(new_secret): Json<String>,
+) -> Result<Json<()>, WebError> {
+ let filter = oauth2_id(&rs_name);
+ state
+ .qe_w_ref
+ .handle_oauth2_basic_secret_write(client_auth_info, filter, new_secret, kopid.eventid)
+ .await
+ .map(Json::from)
+ .map_err(WebError::from)
+}
+
#[utoipa::path(
patch,
path = "/v1/oauth2/{rs_name}",
diff --git a/server/lib/src/server/migrations.rs b/server/lib/src/server/migrations.rs
index fd0bca8db..8621714f2 100644
--- a/server/lib/src/server/migrations.rs
+++ b/server/lib/src/server/migrations.rs
@@ -171,6 +171,22 @@ impl QueryServer {
reload_required = true;
};
+ // secret provisioning: allow idm_admin to modify OAuth2RsBasicSecret.
+ write_txn.internal_modify_uuid(
+ UUID_IDM_ACP_OAUTH2_MANAGE_V1,
+ &ModifyList::new_append(
+ Attribute::AcpCreateAttr,
+ Attribute::OAuth2RsBasicSecret.into(),
+ ),
+ )?;
+ write_txn.internal_modify_uuid(
+ UUID_IDM_ACP_OAUTH2_MANAGE_V1,
+ &ModifyList::new_append(
+ Attribute::AcpModifyPresentAttr,
+ Attribute::OAuth2RsBasicSecret.into(),
+ ),
+ )?;
+
// Execute whatever operations we have batched up and ready to go. This is needed
// to preserve ordering of the operations - if we reloaded after a remigrate then
// we would have skipped the patch level fix which needs to have occurred *first*.
--
2.49.0
Reference in New Issue View Git Blame Copy Permalink