···

       
671
       
671
       
 
       
  };

     

       
672
       
672
       
 
       


     

       
673
       
673
       
 
       
  config = mkIf (cfg.enableClient || cfg.enableServer || cfg.enablePam) {

     

       
674
       
674
       
+
       
    warnings = lib.optionals (cfg.package.eolMessage != "") [ cfg.package.eolMessage ];

     

       
675
       
675
       
+
       


     

       
674
       
676
       
 
       
    assertions =

     

       
675
       
677
       
 
       
      let

     

       
676
       
678
       
 
       
        entityList =

     

···

       
772
       
772
       
 
       
  k3s = handleTest ./k3s { };

     

       
773
       
773
       
 
       
  kafka = handleTest ./kafka { };

     

       
774
       
774
       
 
       
  kanboard = runTest ./web-apps/kanboard.nix;

     

       
775
       
775
       
-
       
  kanidm = runTest ./kanidm.nix;

     

       
776
       
776
       
-
       
  kanidm-provisioning = runTest ./kanidm-provisioning.nix;

     

       
775
       
775
       
+
       
  kanidm =

     

       
776
       
776
       
+
       
    kanidmVersion:

     

       
777
       
777
       
+
       
    runTest {

     

       
778
       
778
       
+
       
      imports = [ ./kanidm.nix ];

     

       
779
       
779
       
+
       
      _module.args = { inherit kanidmVersion; };

     

       
780
       
780
       
+
       
    };

     

       
781
       
781
       
+
       
  kanidm-provisioning =

     

       
782
       
782
       
+
       
    kanidmVersion:

     

       
783
       
783
       
+
       
    runTest {

     

       
784
       
784
       
+
       
      imports = [ ./kanidm-provisioning.nix ];

     

       
785
       
785
       
+
       
      _module.args = { inherit kanidmVersion; };

     

       
786
       
786
       
+
       
    };

     

       
777
       
787
       
 
       
  karma = runTest ./karma.nix;

     

       
778
       
788
       
 
       
  kavita = runTest ./kavita.nix;

     

       
779
       
789
       
 
       
  kbd-setfont-decompress = runTest ./kbd-setfont-decompress.nix;

     

···

       
1
       
1
       
-
       
{ pkgs, ... }:

     

       
1
       
1
       
+
       
{ kanidmVersion, pkgs, ... }:

     

       
2
       
2
       
 
       
let

     

       
3
       
3
       
 
       
  certs = import ./common/acme/server/snakeoil-certs.nix;

     

       
4
       
4
       
 
       
  serverDomain = certs.domain;

     
···

       
13
       
13
       
 
       
  provisionAdminPassword = "very-strong-password-for-admin";

     

       
14
       
14
       
 
       
  provisionIdmAdminPassword = "very-strong-password-for-idm-admin";

     

       
15
       
15
       
 
       
  provisionIdmAdminPassword2 = "very-strong-alternative-password-for-idm-admin";

     

       
16
       
16
       
+
       


     

       
17
       
17
       
+
       
  kanidmPackage = pkgs."kanidmWithSecretProvisioning_${kanidmVersion}";

     

       
16
       
18
       
 
       
in

     

       
17
       
19
       
 
       
{

     

       
18
       
20
       
 
       
  name = "kanidm-provisioning";

     
···

       
22
       
24
       
 
       
    { pkgs, lib, ... }:

     

       
23
       
25
       
 
       
    {

     

       
24
       
26
       
 
       
      services.kanidm = {

     

       
25
       
25
       
-
       
        package = pkgs.kanidmWithSecretProvisioning_1_6;

     

       
27
       
27
       
+
       
        package = kanidmPackage;

     

       
26
       
28
       
 
       
        enableServer = true;

     

       
27
       
29
       
 
       
        serverSettings = {

     

       
28
       
30
       
 
       
          origin = "https://${serverDomain}";

     
···

       
273
       
275
       
 
       


     

       
274
       
276
       
 
       
      users.users.kanidm.shell = pkgs.bashInteractive;

     

       
275
       
277
       
 
       


     

       
276
       
276
       
-
       
      environment.systemPackages = with pkgs; [

     

       
277
       
277
       
-
       
        kanidm

     

       
278
       
278
       
-
       
        openldap

     

       
279
       
279
       
-
       
        ripgrep

     

       
280
       
280
       
-
       
        jq

     

       
278
       
278
       
+
       
      environment.systemPackages = [

     

       
279
       
279
       
+
       
        kanidmPackage

     

       
280
       
280
       
+
       
        pkgs.openldap

     

       
281
       
281
       
+
       
        pkgs.ripgrep

     

       
282
       
282
       
+
       
        pkgs.jq

     

       
281
       
283
       
 
       
      ];

     

       
282
       
284
       
 
       
    };

     

       
283
       
285
       
 
       


     

···

       
1
       
1
       
-
       
{ pkgs, ... }:

     

       
1
       
1
       
+
       
{ kanidmVersion, pkgs, ... }:

     

       
2
       
2
       
 
       
let

     

       
3
       
3
       
 
       
  certs = import ./common/acme/server/snakeoil-certs.nix;

     

       
4
       
4
       
 
       
  serverDomain = certs.domain;

     
···

       
13
       
13
       
 
       
    cp ${certs."${serverDomain}".cert} $out/snakeoil.crt

     

       
14
       
14
       
 
       
    cp ${certs."${serverDomain}".key} $out/snakeoil.key

     

       
15
       
15
       
 
       
  '';

     

       
16
       
16
       
+
       


     

       
17
       
17
       
+
       
  kanidmPackage = pkgs."kanidm_${kanidmVersion}";

     

       
16
       
18
       
 
       
in

     

       
17
       
19
       
 
       
{

     

       
18
       
20
       
 
       
  name = "kanidm";

     
···

       
25
       
27
       
 
       
    { pkgs, ... }:

     

       
26
       
28
       
 
       
    {

     

       
27
       
29
       
 
       
      services.kanidm = {

     

       
28
       
28
       
-
       
        package = pkgs.kanidm_1_6;

     

       
30
       
30
       
+
       
        package = kanidmPackage;

     

       
29
       
31
       
 
       
        enableServer = true;

     

       
30
       
32
       
 
       
        serverSettings = {

     

       
31
       
33
       
 
       
          origin = "https://${serverDomain}";

     
···

       
44
       
46
       
 
       


     

       
45
       
47
       
 
       
      users.users.kanidm.shell = pkgs.bashInteractive;

     

       
46
       
48
       
 
       


     

       
47
       
47
       
-
       
      environment.systemPackages = with pkgs; [

     

       
48
       
48
       
-
       
        kanidm

     

       
49
       
49
       
-
       
        openldap

     

       
50
       
50
       
-
       
        ripgrep

     

       
49
       
49
       
+
       
      environment.systemPackages = [

     

       
50
       
50
       
+
       
        kanidmPackage

     

       
51
       
51
       
+
       
        pkgs.openldap

     

       
52
       
52
       
+
       
        pkgs.ripgrep

     

       
51
       
53
       
 
       
      ];

     

       
52
       
54
       
 
       
    };

     

       
53
       
55
       
 
       


     
···

       
55
       
57
       
 
       
    { nodes, ... }:

     

       
56
       
58
       
 
       
    {

     

       
57
       
59
       
 
       
      services.kanidm = {

     

       
58
       
58
       
-
       
        package = pkgs.kanidm_1_6;

     

       
60
       
60
       
+
       
        package = kanidmPackage;

     

       
59
       
61
       
 
       
        enableClient = true;

     

       
60
       
62
       
 
       
        clientSettings = {

     

       
61
       
63
       
 
       
          uri = "https://${serverDomain}";

     

···

       
2
       
2
       
 
       
  version = "1.5.0";

     

       
3
       
3
       
 
       
  hash = "sha256-swrqyjA7Wgq17vd+753LDFcXrSFixVNLhTvj1bhG3DU=";

     

       
4
       
4
       
 
       
  cargoHash = "sha256-72IwS8Nk1y6xDH9y8JW2LpbhFWaq0tpORx7JQSCF5/M=";

     

       
5
       
5
       
-
       
  patchDir = ./patches/1_5;

     

       
6
       
5
       
 
       
  unsupported = true;

     

       
7
       
6
       
 
       
}

     

···

       
2
       
2
       
 
       
  version = "1.6.4";

     

       
3
       
3
       
 
       
  hash = "sha256-ui3w1HDHXHARsjQ3WtJfZbM7Xgg3ODnUneXJMQwaOMw=";

     

       
4
       
4
       
 
       
  cargoHash = "sha256-KJGELBzScwsLd6g3GR9Vk0nfDU2EjZBfXwlXJ+bZb1k=";

     

       
5
       
5
       
-
       
  patchDir = ./patches/1_6;

     

       
5
       
5
       
+
       
  eolDate = "2025-09-01";

     

       
6
       
6
       
 
       
}

     

···

       
1
       
1
       
+
       
import ./generic.nix {

     

       
2
       
2
       
+
       
  version = "1.7.1";

     

       
3
       
3
       
+
       
  hash = "sha256-CG4s6fYxTM2I/kFjD905g8/DSFkyB+0pnGVXgyRXtlE=";

     

       
4
       
4
       
+
       
  cargoHash = "sha256-9bE3hSCFBJF8f3Lm5SzEuDtEpJBbCBijUDfqGiPnRsc=";

     

       
5
       
5
       
+
       
}

     

···

       
19
       
19
       
 
       
1. `cp -r pkgs/by-name/ka/kanidm/patches/1_4 pkgs/by-name/ka/kanidm/patches/1_5`

     

       
20
       
20
       
 
       
1. Update `1_5.nix` hashes/paths, and as needed for upstream changes, `generic.nix`

     

       
21
       
21
       
 
       
1. Update `all-packages.nix` to add `kanidm_1_5` and `kanidmWithSecretProvisioning_1_5`, leave default

     

       
22
       
22
       
+
       
1. Update the previous release, e.g. `1_4.nix` and set `eolDate = "YYYY-MM-DD"` where the date is 30 days from release of 1.5.

     

       
22
       
23
       
 
       
1. Create commit, `kanidm_1_5: init at 1.5.0` - this is the only commit that will be backported

     

       
23
       
24
       
 
       


     

       
24
       
25
       
 
       
### Update default

     

···

       
2
       
2
       
 
       
  version,

     

       
3
       
3
       
 
       
  hash,

     

       
4
       
4
       
 
       
  cargoHash,

     

       
5
       
5
       
-
       
  patchDir,

     

       
6
       
6
       
-
       
  extraMeta ? { },

     

       
7
       
5
       
 
       
  unsupported ? false,

     

       
6
       
6
       
+
       
  eolDate ? null,

     

       
8
       
7
       
 
       
}:

     

       
9
       
8
       
 
       


     

       
10
       
9
       
 
       
{

     
···

       
35
       
34
       
 
       


     

       
36
       
35
       
 
       
let

     

       
37
       
36
       
 
       
  arch = if stdenv.hostPlatform.isx86_64 then "x86_64" else "generic";

     

       
37
       
37
       
+
       


     

       
38
       
38
       
+
       
  versionUnderscored = builtins.replaceStrings [ "." ] [ "_" ] (

     

       
39
       
39
       
+
       
    lib.versions.majorMinor kanidm.version

     

       
40
       
40
       
+
       
  );

     

       
41
       
41
       
+
       


     

       
42
       
42
       
+
       
  provisionPatches = [

     

       
43
       
43
       
+
       
    (./. + "/provision-patches/${versionUnderscored}/oauth2-basic-secret-modify.patch")

     

       
44
       
44
       
+
       
    (./. + "/provision-patches/${versionUnderscored}/recover-account.patch")

     

       
45
       
45
       
+
       
  ];

     

       
46
       
46
       
+
       


     

       
47
       
47
       
+
       
  upgradeNote = ''

     

       
48
       
48
       
+
       
    Please upgrade by verifying `kanidmd domain upgrade-check` and choosing the

     

       
49
       
49
       
+
       
    next version with `services.kanidm.package = pkgs.kanidm_1_x;`

     

       
50
       
50
       
+
       


     

       
51
       
51
       
+
       
    See upgrade guide at https://kanidm.github.io/kanidm/master/server_updates.html

     

       
52
       
52
       
+
       
  '';

     

       
38
       
53
       
 
       
in

     

       
39
       
39
       
-
       
rustPlatform.buildRustPackage rec {

     

       
54
       
54
       
+
       
rustPlatform.buildRustPackage (finalAttrs: {

     

       
40
       
55
       
 
       
  pname = "kanidm" + (lib.optionalString enableSecretProvisioning "-with-secret-provisioning");

     

       
41
       
56
       
 
       
  inherit version cargoHash;

     

       
42
       
57
       
 
       


     
···

       
49
       
64
       
 
       
    inherit hash;

     

       
50
       
65
       
 
       
  };

     

       
51
       
66
       
 
       


     

       
52
       
52
       
-
       
  KANIDM_BUILD_PROFILE = "release_nixpkgs_${arch}";

     

       
67
       
67
       
+
       
  env.KANIDM_BUILD_PROFILE = "release_nixpkgs_${arch}";

     

       
53
       
68
       
 
       


     

       
54
       
54
       
-
       
  patches = lib.optionals enableSecretProvisioning [

     

       
55
       
55
       
-
       
    "${patchDir}/oauth2-basic-secret-modify.patch"

     

       
56
       
56
       
-
       
    "${patchDir}/recover-account.patch"

     

       
57
       
57
       
-
       
  ];

     

       
69
       
69
       
+
       
  patches = lib.optionals enableSecretProvisioning provisionPatches;

     

       
58
       
70
       
 
       


     

       
59
       
71
       
 
       
  postPatch =

     

       
60
       
72
       
 
       
    let

     

       
61
       
61
       
-
       
      format = (formats.toml { }).generate "${KANIDM_BUILD_PROFILE}.toml";

     

       
73
       
73
       
+
       
      format = (formats.toml { }).generate "${finalAttrs.env.KANIDM_BUILD_PROFILE}.toml";

     

       
62
       
74
       
 
       
      socket_path = if stdenv.hostPlatform.isLinux then "/run/kanidmd/sock" else "/var/run/kanidm.socket";

     

       
63
       
75
       
 
       
      profile = {

     

       
64
       
76
       
 
       
        cpu_flags = if stdenv.hostPlatform.isx86_64 then "x86_64_legacy" else "none";

     
···

       
70
       
82
       
 
       
        server_admin_bind_path = socket_path;

     

       
71
       
83
       
 
       
        server_config_path = "/etc/kanidm/server.toml";

     

       
72
       
84
       
 
       
        server_ui_pkg_path = "@htmx_ui_pkg_path@";

     

       
73
       
73
       
-
       
      }

     

       
74
       
74
       
-
       
      // lib.optionalAttrs (lib.versionOlder version "1.5") {

     

       
75
       
75
       
-
       
        admin_bind_path = socket_path;

     

       
76
       
76
       
-
       
        default_config_path = "/etc/kanidm/server.toml";

     

       
77
       
77
       
-
       
        default_unix_shell_path = "${lib.getBin bashInteractive}/bin/bash";

     

       
78
       
78
       
-
       
        htmx_ui_pkg_path = "@htmx_ui_pkg_path@";

     

       
79
       
79
       
-
       
      }

     

       
80
       
80
       
-
       
      // lib.optionalAttrs (lib.versions.majorMinor version == "1.3") {

     

       
81
       
81
       
-
       
        web_ui_pkg_path = "@web_ui_pkg_path@";

     

       
82
       
85
       
 
       
      };

     

       
83
       
86
       
 
       
    in

     

       
84
       
87
       
 
       
    ''

     

       
85
       
85
       
-
       
      cp ${format profile} libs/profiles/${KANIDM_BUILD_PROFILE}.toml

     

       
86
       
86
       
-
       
      substituteInPlace libs/profiles/${KANIDM_BUILD_PROFILE}.toml --replace-fail '@htmx_ui_pkg_path@' "$out/ui/hpkg"

     

       
87
       
87
       
-
       
    ''

     

       
88
       
88
       
-
       
    + lib.optionalString (lib.versions.majorMinor version == "1.3") ''

     

       
89
       
89
       
-
       
      substituteInPlace libs/profiles/${KANIDM_BUILD_PROFILE}.toml --replace-fail '@web_ui_pkg_path@' "$out/ui/pkg"

     

       
88
       
88
       
+
       
      cp ${format profile} libs/profiles/${finalAttrs.env.KANIDM_BUILD_PROFILE}.toml

     

       
89
       
89
       
+
       
      substituteInPlace libs/profiles/${finalAttrs.env.KANIDM_BUILD_PROFILE}.toml --replace-fail '@htmx_ui_pkg_path@' "$out/ui/hpkg"

     

       
90
       
90
       
 
       
    '';

     

       
91
       
91
       
 
       


     

       
92
       
92
       
 
       
  nativeBuildInputs = [

     
···

       
108
       
108
       
 
       
  postBuild = ''

     

       
109
       
109
       
 
       
    mkdir -p $out/ui

     

       
110
       
110
       
 
       
    cp -r server/core/static $out/ui/hpkg

     

       
111
       
111
       
-
       
  ''

     

       
112
       
112
       
-
       
  + lib.optionalString (lib.versions.majorMinor version == "1.3") ''

     

       
113
       
113
       
-
       
    cp -r server/web_ui/pkg $out/ui/pkg

     

       
114
       
111
       
 
       
  '';

     

       
115
       
112
       
 
       


     

       
116
       
113
       
 
       
  # Upstream runs with the Rust equivalent of -Werror,

     
···

       
139
       
136
       
 
       


     

       
140
       
137
       
 
       
  passthru = {

     

       
141
       
138
       
 
       
    tests = {

     

       
142
       
142
       
-
       
      inherit (nixosTests) kanidm kanidm-provisioning;

     

       
139
       
139
       
+
       
      kanidm = nixosTests.kanidm versionUnderscored;

     

       
140
       
140
       
+
       
      kanidm-provisioning = nixosTests.kanidm-provisioning versionUnderscored;

     

       
143
       
141
       
 
       
    };

     

       
144
       
142
       
 
       


     

       
145
       
143
       
 
       
    updateScript = lib.optionals (!enableSecretProvisioning) (nix-update-script {

     

       
146
       
146
       
-
       
      # avoid spurious releases and tags such as "debs"

     

       
147
       
144
       
 
       
      extraArgs = [

     

       
148
       
145
       
 
       
        "-vr"

     

       
149
       
149
       
-
       
        "v([0-9\\.]*)"

     

       
146
       
146
       
+
       
        "v(${lib.versions.major kanidm.version}\\.${lib.versions.minor kanidm.version}\\.[0-9]*)"

     

       
150
       
147
       
 
       
        "--override-filename"

     

       
151
       
151
       
-
       
        "pkgs/by-name/ka/kanidm/${

     

       
152
       
152
       
-
       
          builtins.replaceStrings [ "." ] [ "_" ] (lib.versions.majorMinor kanidm.version)

     

       
153
       
153
       
-
       
        }.nix"

     

       
148
       
148
       
+
       
        "pkgs/by-name/ka/kanidm/${versionUnderscored}.nix"

     

       
154
       
149
       
 
       
      ];

     

       
155
       
150
       
 
       
    });

     

       
156
       
151
       
 
       


     

       
157
       
152
       
 
       
    inherit enableSecretProvisioning;

     

       
158
       
153
       
 
       
    withSecretProvisioning = kanidm.override { enableSecretProvisioning = true; };

     

       
154
       
154
       
+
       


     

       
155
       
155
       
+
       
    eolMessage = lib.optionalString (eolDate != null) ''

     

       
156
       
156
       
+
       
      kanidm ${lib.versions.majorMinor version} is deprecated and will reach end-of-life on ${eolDate}

     

       
157
       
157
       
+
       


     

       
158
       
158
       
+
       
      ${upgradeNote}

     

       
159
       
159
       
+
       
    '';

     

       
159
       
160
       
 
       
  };

     

       
160
       
161
       
 
       


     

       
161
       
162
       
 
       
  # can take over 4 hours on 2 cores and needs 16GB+ RAM

     

       
162
       
163
       
 
       
  requiredSystemFeatures = [ "big-parallel" ];

     

       
163
       
164
       
 
       


     

       
164
       
164
       
-
       
  meta =

     

       
165
       
165
       
-
       
    with lib;

     

       
166
       
166
       
-
       
    {

     

       
167
       
167
       
-
       
      changelog = "https://github.com/kanidm/kanidm/releases/tag/v${version}";

     

       
168
       
168
       
-
       
      description = "Simple, secure and fast identity management platform";

     

       
169
       
169
       
-
       
      homepage = "https://github.com/kanidm/kanidm";

     

       
170
       
170
       
-
       
      license = licenses.mpl20;

     

       
171
       
171
       
-
       
      platforms = platforms.linux ++ platforms.darwin;

     

       
172
       
172
       
-
       
      maintainers = with maintainers; [

     

       
173
       
173
       
-
       
        adamcstephens

     

       
174
       
174
       
-
       
        Flakebi

     

       
175
       
175
       
-
       
      ];

     

       
176
       
176
       
-
       
      knownVulnerabilities = lib.optionals unsupported [

     

       
177
       
177
       
-
       
        ''

     

       
178
       
178
       
-
       
          kanidm ${version} has reached EOL.

     

       
165
       
165
       
+
       
  meta = {

     

       
166
       
166
       
+
       
    changelog = "https://github.com/kanidm/kanidm/releases/tag/v${version}";

     

       
167
       
167
       
+
       
    description = "Simple, secure and fast identity management platform";

     

       
168
       
168
       
+
       
    homepage = "https://github.com/kanidm/kanidm";

     

       
169
       
169
       
+
       
    license = lib.licenses.mpl20;

     

       
170
       
170
       
+
       
    platforms = lib.platforms.linux ++ lib.platforms.darwin;

     

       
171
       
171
       
+
       
    maintainers = with lib.maintainers; [

     

       
172
       
172
       
+
       
      adamcstephens

     

       
173
       
173
       
+
       
      Flakebi

     

       
174
       
174
       
+
       
    ];

     

       
175
       
175
       
+
       
    knownVulnerabilities = lib.optionals unsupported [

     

       
176
       
176
       
+
       
      ''

     

       
177
       
177
       
+
       
        kanidm ${lib.versions.majorMinor version} has reached end-of-life.

     

       
179
       
178
       
 
       


     

       
180
       
180
       
-
       
          Please upgrade by verifying `kanidmd domain upgrade-check` and choosing the next version with `services.kanidm.package = pkgs.kanidm_1_x;`

     

       
181
       
181
       
-
       
          See upgrade guide at https://kanidm.github.io/kanidm/master/server_updates.html

     

       
182
       
182
       
-
       
        ''

     

       
183
       
183
       
-
       
      ];

     

       
184
       
184
       
-
       
    }

     

       
185
       
185
       
-
       
    // extraMeta;

     

       
186
       
186
       
-
       
}

     

       
179
       
179
       
+
       
        ${upgradeNote}

     

       
180
       
180
       
+
       
      ''

     

       
181
       
181
       
+
       
    ];

     

       
182
       
182
       
+
       
  };

     

       
183
       
183
       
+
       
})

     

···

       
1
       
1
       
+
       
From fc26fe5ac9e9cd65af82609c5a4966c8f756ea0f Mon Sep 17 00:00:00 2001

     

       
2
       
2
       
+
       
From: oddlama <oddlama@oddlama.org>

     

       
3
       
3
       
+
       
Date: Fri, 21 Mar 2025 16:07:54 +0100

     

       
4
       
4
       
+
       
Subject: [PATCH 1/2] oauth2 basic secret modify

     

       
5
       
5
       
+
       


     

       
6
       
6
       
+
       
---

     

       
7
       
7
       
+
       
 server/core/src/actors/v1_write.rs  | 42 +++++++++++++++++++++++++++++

     

       
8
       
8
       
+
       
 server/core/src/https/v1.rs         |  6 ++++-

     

       
9
       
9
       
+
       
 server/core/src/https/v1_oauth2.rs  | 29 ++++++++++++++++++++

     

       
10
       
10
       
+
       
 server/lib/src/server/migrations.rs | 16 +++++++++++

     

       
11
       
11
       
+
       
 4 files changed, 92 insertions(+), 1 deletion(-)

     

       
12
       
12
       
+
       


     

       
13
       
13
       
+
       
diff --git a/server/core/src/actors/v1_write.rs b/server/core/src/actors/v1_write.rs

     

       
14
       
14
       
+
       
index 732e826c8..a2b8e503f 100644

     

       
15
       
15
       
+
       
--- a/server/core/src/actors/v1_write.rs

     

       
16
       
16
       
+
       
+++ b/server/core/src/actors/v1_write.rs

     

       
17
       
17
       
+
       
@@ -324,6 +324,48 @@ impl QueryServerWriteV1 {

     

       
18
       
18
       
+
       
             .and_then(|_| idms_prox_write.commit().map(|_| ()))

     

       
19
       
19
       
+
       
     }

     

       
20
       
20
       
+
       
 

     

       
21
       
21
       
+
       
+    #[instrument(

     

       
22
       
22
       
+
       
+        level = "info",

     

       
23
       
23
       
+
       
+        skip_all,

     

       
24
       
24
       
+
       
+        fields(uuid = ?eventid)

     

       
25
       
25
       
+
       
+    )]

     

       
26
       
26
       
+
       
+    pub async fn handle_oauth2_basic_secret_write(

     

       
27
       
27
       
+
       
+        &self,

     

       
28
       
28
       
+
       
+        client_auth_info: ClientAuthInfo,

     

       
29
       
29
       
+
       
+        filter: Filter<FilterInvalid>,

     

       
30
       
30
       
+
       
+        new_secret: String,

     

       
31
       
31
       
+
       
+        eventid: Uuid,

     

       
32
       
32
       
+
       
+    ) -> Result<(), OperationError> {

     

       
33
       
33
       
+
       
+        // Given a protoEntry, turn this into a modification set.

     

       
34
       
34
       
+
       
+        let ct = duration_from_epoch_now();

     

       
35
       
35
       
+
       
+        let mut idms_prox_write = self.idms.proxy_write(ct).await?;

     

       
36
       
36
       
+
       
+        let ident = idms_prox_write

     

       
37
       
37
       
+
       
+            .validate_client_auth_info_to_ident(client_auth_info, ct)

     

       
38
       
38
       
+
       
+            .map_err(|e| {

     

       
39
       
39
       
+
       
+                admin_error!(err = ?e, "Invalid identity");

     

       
40
       
40
       
+
       
+                e

     

       
41
       
41
       
+
       
+            })?;

     

       
42
       
42
       
+
       
+

     

       
43
       
43
       
+
       
+        let modlist = ModifyList::new_purge_and_set(

     

       
44
       
44
       
+
       
+            Attribute::OAuth2RsBasicSecret,

     

       
45
       
45
       
+
       
+            Value::SecretValue(new_secret),

     

       
46
       
46
       
+
       
+        );

     

       
47
       
47
       
+
       
+

     

       
48
       
48
       
+
       
+        let mdf =

     

       
49
       
49
       
+
       
+            ModifyEvent::from_internal_parts(ident, &modlist, &filter, &idms_prox_write.qs_write)

     

       
50
       
50
       
+
       
+                .map_err(|e| {

     

       
51
       
51
       
+
       
+                admin_error!(err = ?e, "Failed to begin modify during handle_oauth2_basic_secret_write");

     

       
52
       
52
       
+
       
+                e

     

       
53
       
53
       
+
       
+            })?;

     

       
54
       
54
       
+
       
+

     

       
55
       
55
       
+
       
+        trace!(?mdf, "Begin modify event");

     

       
56
       
56
       
+
       
+

     

       
57
       
57
       
+
       
+        idms_prox_write

     

       
58
       
58
       
+
       
+            .qs_write

     

       
59
       
59
       
+
       
+            .modify(&mdf)

     

       
60
       
60
       
+
       
+            .and_then(|_| idms_prox_write.commit())

     

       
61
       
61
       
+
       
+    }

     

       
62
       
62
       
+
       
+

     

       
63
       
63
       
+
       
     #[instrument(

     

       
64
       
64
       
+
       
         level = "info",

     

       
65
       
65
       
+
       
         skip_all,

     

       
66
       
66
       
+
       
diff --git a/server/core/src/https/v1.rs b/server/core/src/https/v1.rs

     

       
67
       
67
       
+
       
index 30de387b8..a11aa8ecd 100644

     

       
68
       
68
       
+
       
--- a/server/core/src/https/v1.rs

     

       
69
       
69
       
+
       
+++ b/server/core/src/https/v1.rs

     

       
70
       
70
       
+
       
@@ -4,7 +4,7 @@ use axum::extract::{Path, State};

     

       
71
       
71
       
+
       
 use axum::http::{HeaderMap, HeaderValue};

     

       
72
       
72
       
+
       
 use axum::middleware::from_fn;

     

       
73
       
73
       
+
       
 use axum::response::{IntoResponse, Response};

     

       
74
       
74
       
+
       
-use axum::routing::{delete, get, post, put};

     

       
75
       
75
       
+
       
+use axum::routing::{delete, get, post, put, patch};

     

       
76
       
76
       
+
       
 use axum::{Extension, Json, Router};

     

       
77
       
77
       
+
       
 use axum_extra::extract::cookie::{Cookie, CookieJar, SameSite};

     

       
78
       
78
       
+
       
 use compact_jwt::{Jwk, Jws, JwsSigner};

     

       
79
       
79
       
+
       
@@ -3129,6 +3129,10 @@ pub(crate) fn route_setup(state: ServerState) -> Router<ServerState> {

     

       
80
       
80
       
+
       
             "/v1/oauth2/:rs_name/_basic_secret",

     

       
81
       
81
       
+
       
             get(super::v1_oauth2::oauth2_id_get_basic_secret),

     

       
82
       
82
       
+
       
         )

     

       
83
       
83
       
+
       
+        .route(

     

       
84
       
84
       
+
       
+            "/v1/oauth2/:rs_name/_basic_secret",

     

       
85
       
85
       
+
       
+            patch(super::v1_oauth2::oauth2_id_patch_basic_secret),

     

       
86
       
86
       
+
       
+        )

     

       
87
       
87
       
+
       
         .route(

     

       
88
       
88
       
+
       
             "/v1/oauth2/:rs_name/_scopemap/:group",

     

       
89
       
89
       
+
       
             post(super::v1_oauth2::oauth2_id_scopemap_post)

     

       
90
       
90
       
+
       
diff --git a/server/core/src/https/v1_oauth2.rs b/server/core/src/https/v1_oauth2.rs

     

       
91
       
91
       
+
       
index f399539bc..ffad9921e 100644

     

       
92
       
92
       
+
       
--- a/server/core/src/https/v1_oauth2.rs

     

       
93
       
93
       
+
       
+++ b/server/core/src/https/v1_oauth2.rs

     

       
94
       
94
       
+
       
@@ -151,6 +151,35 @@ pub(crate) async fn oauth2_id_get_basic_secret(

     

       
95
       
95
       
+
       
         .map_err(WebError::from)

     

       
96
       
96
       
+
       
 }

     

       
97
       
97
       
+
       
 

     

       
98
       
98
       
+
       
+#[utoipa::path(

     

       
99
       
99
       
+
       
+    patch,

     

       
100
       
100
       
+
       
+    path = "/v1/oauth2/{rs_name}/_basic_secret",

     

       
101
       
101
       
+
       
+    request_body=ProtoEntry,

     

       
102
       
102
       
+
       
+    responses(

     

       
103
       
103
       
+
       
+        DefaultApiResponse,

     

       
104
       
104
       
+
       
+    ),

     

       
105
       
105
       
+
       
+    security(("token_jwt" = [])),

     

       
106
       
106
       
+
       
+    tag = "v1/oauth2",

     

       
107
       
107
       
+
       
+    operation_id = "oauth2_id_patch_basic_secret"

     

       
108
       
108
       
+
       
+)]

     

       
109
       
109
       
+
       
+/// Overwrite the basic secret for a given OAuth2 Resource Server.

     

       
110
       
110
       
+
       
+#[instrument(level = "info", skip(state, new_secret))]

     

       
111
       
111
       
+
       
+pub(crate) async fn oauth2_id_patch_basic_secret(

     

       
112
       
112
       
+
       
+    State(state): State<ServerState>,

     

       
113
       
113
       
+
       
+    Extension(kopid): Extension<KOpId>,

     

       
114
       
114
       
+
       
+    VerifiedClientInformation(client_auth_info): VerifiedClientInformation,

     

       
115
       
115
       
+
       
+    Path(rs_name): Path<String>,

     

       
116
       
116
       
+
       
+    Json(new_secret): Json<String>,

     

       
117
       
117
       
+
       
+) -> Result<Json<()>, WebError> {

     

       
118
       
118
       
+
       
+    let filter = oauth2_id(&rs_name);

     

       
119
       
119
       
+
       
+    state

     

       
120
       
120
       
+
       
+        .qe_w_ref

     

       
121
       
121
       
+
       
+        .handle_oauth2_basic_secret_write(client_auth_info, filter, new_secret, kopid.eventid)

     

       
122
       
122
       
+
       
+        .await

     

       
123
       
123
       
+
       
+        .map(Json::from)

     

       
124
       
124
       
+
       
+        .map_err(WebError::from)

     

       
125
       
125
       
+
       
+}

     

       
126
       
126
       
+
       
+

     

       
127
       
127
       
+
       
 #[utoipa::path(

     

       
128
       
128
       
+
       
     patch,

     

       
129
       
129
       
+
       
     path = "/v1/oauth2/{rs_name}",

     

       
130
       
130
       
+
       
diff --git a/server/lib/src/server/migrations.rs b/server/lib/src/server/migrations.rs

     

       
131
       
131
       
+
       
index fd0bca8db..8621714f2 100644

     

       
132
       
132
       
+
       
--- a/server/lib/src/server/migrations.rs

     

       
133
       
133
       
+
       
+++ b/server/lib/src/server/migrations.rs

     

       
134
       
134
       
+
       
@@ -171,6 +171,22 @@ impl QueryServer {

     

       
135
       
135
       
+
       
             reload_required = true;

     

       
136
       
136
       
+
       
         };

     

       
137
       
137
       
+
       
 

     

       
138
       
138
       
+
       
+        // secret provisioning: allow idm_admin to modify OAuth2RsBasicSecret.

     

       
139
       
139
       
+
       
+        write_txn.internal_modify_uuid(

     

       
140
       
140
       
+
       
+            UUID_IDM_ACP_OAUTH2_MANAGE_V1,

     

       
141
       
141
       
+
       
+            &ModifyList::new_append(

     

       
142
       
142
       
+
       
+                Attribute::AcpCreateAttr,

     

       
143
       
143
       
+
       
+                Attribute::OAuth2RsBasicSecret.into(),

     

       
144
       
144
       
+
       
+            ),

     

       
145
       
145
       
+
       
+        )?;

     

       
146
       
146
       
+
       
+        write_txn.internal_modify_uuid(

     

       
147
       
147
       
+
       
+            UUID_IDM_ACP_OAUTH2_MANAGE_V1,

     

       
148
       
148
       
+
       
+            &ModifyList::new_append(

     

       
149
       
149
       
+
       
+                Attribute::AcpModifyPresentAttr,

     

       
150
       
150
       
+
       
+                Attribute::OAuth2RsBasicSecret.into(),

     

       
151
       
151
       
+
       
+            ),

     

       
152
       
152
       
+
       
+        )?;

     

       
153
       
153
       
+
       
+

     

       
154
       
154
       
+
       
         // Execute whatever operations we have batched up and ready to go. This is needed

     

       
155
       
155
       
+
       
         // to preserve ordering of the operations - if we reloaded after a remigrate then

     

       
156
       
156
       
+
       
         // we would have skipped the patch level fix which needs to have occurred *first*.

     

       
157
       
157
       
+
       
-- 

     

       
158
       
158
       
+
       
2.49.0

     

       
159
       
159
       
+
       


     

···

       
1
       
1
       
+
       
From 229165abe5be596fc2be8e285884813a1b5a38c8 Mon Sep 17 00:00:00 2001

     

       
2
       
2
       
+
       
From: oddlama <oddlama@oddlama.org>

     

       
3
       
3
       
+
       
Date: Fri, 21 Mar 2025 16:08:15 +0100

     

       
4
       
4
       
+
       
Subject: [PATCH 2/2] recover account

     

       
5
       
5
       
+
       


     

       
6
       
6
       
+
       
---

     

       
7
       
7
       
+
       
 server/core/src/actors/internal.rs |  5 +++--

     

       
8
       
8
       
+
       
 server/core/src/admin.rs           |  6 +++---

     

       
9
       
9
       
+
       
 server/daemon/src/main.rs          | 23 ++++++++++++++++++++++-

     

       
10
       
10
       
+
       
 server/daemon/src/opt.rs           |  7 +++++++

     

       
11
       
11
       
+
       
 4 files changed, 35 insertions(+), 6 deletions(-)

     

       
12
       
12
       
+
       


     

       
13
       
13
       
+
       
diff --git a/server/core/src/actors/internal.rs b/server/core/src/actors/internal.rs

     

       
14
       
14
       
+
       
index 420e72c6c..e252bca51 100644

     

       
15
       
15
       
+
       
--- a/server/core/src/actors/internal.rs

     

       
16
       
16
       
+
       
+++ b/server/core/src/actors/internal.rs

     

       
17
       
17
       
+
       
@@ -172,17 +172,18 @@ impl QueryServerWriteV1 {

     

       
18
       
18
       
+
       
 

     

       
19
       
19
       
+
       
     #[instrument(

     

       
20
       
20
       
+
       
         level = "info",

     

       
21
       
21
       
+
       
-        skip(self, eventid),

     

       
22
       
22
       
+
       
+        skip(self, password, eventid),

     

       
23
       
23
       
+
       
         fields(uuid = ?eventid)

     

       
24
       
24
       
+
       
     )]

     

       
25
       
25
       
+
       
     pub(crate) async fn handle_admin_recover_account(

     

       
26
       
26
       
+
       
         &self,

     

       
27
       
27
       
+
       
         name: String,

     

       
28
       
28
       
+
       
+        password: Option<String>,

     

       
29
       
29
       
+
       
         eventid: Uuid,

     

       
30
       
30
       
+
       
     ) -> Result<String, OperationError> {

     

       
31
       
31
       
+
       
         let ct = duration_from_epoch_now();

     

       
32
       
32
       
+
       
         let mut idms_prox_write = self.idms.proxy_write(ct).await?;

     

       
33
       
33
       
+
       
-        let pw = idms_prox_write.recover_account(name.as_str(), None)?;

     

       
34
       
34
       
+
       
+        let pw = idms_prox_write.recover_account(name.as_str(), password.as_deref())?;

     

       
35
       
35
       
+
       
 

     

       
36
       
36
       
+
       
         idms_prox_write.commit().map(|()| pw)

     

       
37
       
37
       
+
       
     }

     

       
38
       
38
       
+
       
diff --git a/server/core/src/admin.rs b/server/core/src/admin.rs

     

       
39
       
39
       
+
       
index 90ccb1927..85e31ddef 100644

     

       
40
       
40
       
+
       
--- a/server/core/src/admin.rs

     

       
41
       
41
       
+
       
+++ b/server/core/src/admin.rs

     

       
42
       
42
       
+
       
@@ -24,7 +24,7 @@ pub use kanidm_proto::internal::{

     

       
43
       
43
       
+
       
 

     

       
44
       
44
       
+
       
 #[derive(Serialize, Deserialize, Debug)]

     

       
45
       
45
       
+
       
 pub enum AdminTaskRequest {

     

       
46
       
46
       
+
       
-    RecoverAccount { name: String },

     

       
47
       
47
       
+
       
+    RecoverAccount { name: String, password: Option<String> },

     

       
48
       
48
       
+
       
     ShowReplicationCertificate,

     

       
49
       
49
       
+
       
     RenewReplicationCertificate,

     

       
50
       
50
       
+
       
     RefreshReplicationConsumer,

     

       
51
       
51
       
+
       
@@ -309,8 +309,8 @@ async fn handle_client(

     

       
52
       
52
       
+
       
 

     

       
53
       
53
       
+
       
         let resp = async {

     

       
54
       
54
       
+
       
             match req {

     

       
55
       
55
       
+
       
-                AdminTaskRequest::RecoverAccount { name } => {

     

       
56
       
56
       
+
       
-                    match server_rw.handle_admin_recover_account(name, eventid).await {

     

       
57
       
57
       
+
       
+                AdminTaskRequest::RecoverAccount { name, password } => {

     

       
58
       
58
       
+
       
+                    match server_rw.handle_admin_recover_account(name, password, eventid).await {

     

       
59
       
59
       
+
       
                         Ok(password) => AdminTaskResponse::RecoverAccount { password },

     

       
60
       
60
       
+
       
                         Err(e) => {

     

       
61
       
61
       
+
       
                             error!(err = ?e, "error during recover-account");

     

       
62
       
62
       
+
       
diff --git a/server/daemon/src/main.rs b/server/daemon/src/main.rs

     

       
63
       
63
       
+
       
index c3b40faa0..2a57a307c 100644

     

       
64
       
64
       
+
       
--- a/server/daemon/src/main.rs

     

       
65
       
65
       
+
       
+++ b/server/daemon/src/main.rs

     

       
66
       
66
       
+
       
@@ -923,13 +923,34 @@ async fn kanidm_main(config: Configuration, opt: KanidmdParser) -> ExitCode {

     

       
67
       
67
       
+
       
                 .await;

     

       
68
       
68
       
+
       
             }

     

       
69
       
69
       
+
       
         }

     

       
70
       
70
       
+
       
-        KanidmdOpt::RecoverAccount { name, commonopts } => {

     

       
71
       
71
       
+
       
+        KanidmdOpt::RecoverAccount { name, from_environment, commonopts } => {

     

       
72
       
72
       
+
       
             info!("Running account recovery ...");

     

       
73
       
73
       
+
       
             let output_mode: ConsoleOutputMode = commonopts.output_mode.to_owned().into();

     

       
74
       
74
       
+
       
+            let password = if *from_environment {

     

       
75
       
75
       
+
       
+                match std::env::var("KANIDM_RECOVER_ACCOUNT_PASSWORD_FILE") {

     

       
76
       
76
       
+
       
+                    Ok(path) => match tokio::fs::read_to_string(&path).await {

     

       
77
       
77
       
+
       
+                        Ok(contents) => Some(contents),

     

       
78
       
78
       
+
       
+                        Err(e) => {

     

       
79
       
79
       
+
       
+                            error!("Failed to read password file '{}': {}", path, e);

     

       
80
       
80
       
+
       
+                            return ExitCode::FAILURE;

     

       
81
       
81
       
+
       
+                        }

     

       
82
       
82
       
+
       
+                    },

     

       
83
       
83
       
+
       
+                    Err(_) => match std::env::var("KANIDM_RECOVER_ACCOUNT_PASSWORD") {

     

       
84
       
84
       
+
       
+                        Ok(val) => Some(val),

     

       
85
       
85
       
+
       
+                        Err(_) => {

     

       
86
       
86
       
+
       
+                            error!("Neither KANIDM_RECOVER_ACCOUNT_PASSWORD_FILE nor KANIDM_RECOVER_ACCOUNT_PASSWORD was set");

     

       
87
       
87
       
+
       
+                            return ExitCode::FAILURE;

     

       
88
       
88
       
+
       
+                        }

     

       
89
       
89
       
+
       
+                    }

     

       
90
       
90
       
+
       
+                }

     

       
91
       
91
       
+
       
+            } else {

     

       
92
       
92
       
+
       
+                None

     

       
93
       
93
       
+
       
+            };

     

       
94
       
94
       
+
       
             submit_admin_req(

     

       
95
       
95
       
+
       
                 config.adminbindpath.as_str(),

     

       
96
       
96
       
+
       
                 AdminTaskRequest::RecoverAccount {

     

       
97
       
97
       
+
       
                     name: name.to_owned(),

     

       
98
       
98
       
+
       
+                    password,

     

       
99
       
99
       
+
       
                 },

     

       
100
       
100
       
+
       
                 output_mode,

     

       
101
       
101
       
+
       
             )

     

       
102
       
102
       
+
       
diff --git a/server/daemon/src/opt.rs b/server/daemon/src/opt.rs

     

       
103
       
103
       
+
       
index f1b45a5b3..ca19fb6a5 100644

     

       
104
       
104
       
+
       
--- a/server/daemon/src/opt.rs

     

       
105
       
105
       
+
       
+++ b/server/daemon/src/opt.rs

     

       
106
       
106
       
+
       
@@ -236,6 +236,13 @@ enum KanidmdOpt {

     

       
107
       
107
       
+
       
         #[clap(value_parser)]

     

       
108
       
108
       
+
       
         /// The account name to recover credentials for.

     

       
109
       
109
       
+
       
         name: String,

     

       
110
       
110
       
+
       
+        /// Use a password given via an environment variable.

     

       
111
       
111
       
+
       
+        /// - `KANIDM_RECOVER_ACCOUNT_PASSWORD_FILE` takes precedence and reads the desired

     

       
112
       
112
       
+
       
+        ///    password from the given file

     

       
113
       
113
       
+
       
+        /// - `KANIDM_RECOVER_ACCOUNT_PASSWORD` directly takes a

     

       
114
       
114
       
+
       
+        ///    password - beware that this will leave the password in the environment

     

       
115
       
115
       
+
       
+        #[clap(long = "from-environment")]

     

       
116
       
116
       
+
       
+        from_environment: bool,

     

       
117
       
117
       
+
       
         #[clap(flatten)]

     

       
118
       
118
       
+
       
         commonopts: CommonOpt,

     

       
119
       
119
       
+
       
     },

     

       
120
       
120
       
+
       
-- 

     

       
121
       
121
       
+
       
2.49.0

     

       
122
       
122
       
+
       


     

···

       
10136
       
10136
       
 
       


     

       
10137
       
10137
       
 
       
  kanidm_1_5 = callPackage ../by-name/ka/kanidm/1_5.nix { kanidm = kanidm_1_5; };

     

       
10138
       
10138
       
 
       
  kanidm_1_6 = callPackage ../by-name/ka/kanidm/1_6.nix { kanidm = kanidm_1_6; };

     

       
10139
       
10139
       
+
       
  kanidm_1_7 = callPackage ../by-name/ka/kanidm/1_7.nix { kanidm = kanidm_1_7; };

     

       
10139
       
10140
       
 
       


     

       
10140
       
10141
       
 
       
  kanidmWithSecretProvisioning = kanidmWithSecretProvisioning_1_6;

     

       
10141
       
10142
       
 
       


     
···

       
10144
       
10145
       
 
       
  };

     

       
10145
       
10146
       
 
       


     

       
10146
       
10147
       
 
       
  kanidmWithSecretProvisioning_1_6 = callPackage ../by-name/ka/kanidm/1_6.nix {

     

       
10148
       
10148
       
+
       
    enableSecretProvisioning = true;

     

       
10149
       
10149
       
+
       
  };

     

       
10150
       
10150
       
+
       


     

       
10151
       
10151
       
+
       
  kanidmWithSecretProvisioning_1_7 = callPackage ../by-name/ka/kanidm/1_7.nix {

     

       
10147
       
10152
       
 
       
    enableSecretProvisioning = true;

     

       
10148
       
10153
       
 
       
  };

     

       
10149
       
10154