pyrox.dev / nixpkgs
lol
fork atom

kanidm: don't log provisioned passwords via instrumentation

This also make sure to test this in the related nixos test.

Fixes: CVE-2025-30205
Reported-By: Katherina Walshe-Grey <qenya@qenya.tel>

oddlama df0193b3 dbe55c59

options
unified split
Changed files
+10 -3
nixos
tests
kanidm-provisioning.nix
pkgs
by-name
ka
kanidm
patches
1_3
recover-account.patch
1_4
recover-account.patch
1_5
recover-account.patch
+4
nixos/tests/kanidm-provisioning.nix 
···

       
306

       
 

       
            provision.succeed('${specialisations}/credentialProvision/bin/switch-to-configuration test')


     

       
307

       
 

       
            provision_login("${provisionIdmAdminPassword}")


     

       
308

       
 

       



     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
309

       
 

       
            # Test provisioned admin pw


     

       
310

       
 

       
            out = provision.succeed("KANIDM_PASSWORD=${provisionAdminPassword} kanidm login -D admin")


     

       
311

       
 

       
            assert_contains(out, "Login Success for admin")


     
···

       
306

       
 

       
            provision.succeed('${specialisations}/credentialProvision/bin/switch-to-configuration test')


     

       
307

       
 

       
            provision_login("${provisionIdmAdminPassword}")


     

       
308

       
 

       



     

       
309

       
+

       
            # Make sure neither password is logged


     

       
310

       
+

       
            provision.fail("journalctl --since -10m --unit kanidm.service --grep '${provisionAdminPassword}'")


     

       
311

       
+

       
            provision.fail("journalctl --since -10m --unit kanidm.service --grep '${provisionIdmAdminPassword}'")


     

       
312

       
+

       



     

       
313

       
 

       
            # Test provisioned admin pw


     

       
314

       
 

       
            out = provision.succeed("KANIDM_PASSWORD=${provisionAdminPassword} kanidm login -D admin")


     

       
315

       
 

       
            assert_contains(out, "Login Success for admin")
+2 -1
pkgs/by-name/ka/kanidm/patches/1_3/recover-account.patch 
···

       
19

       
 

       
 


     

       
20

       
 

       
     #[instrument(


     

       
21

       
 

       
         level = "info",


     

       
22

       
-

       
         skip(self, eventid),


     

       

       

       
     

       
23

       
 

       
         fields(uuid = ?eventid)


     

       
24

       
 

       
     )]


     

       
25

       
 

       
     pub(crate) async fn handle_admin_recover_account(


     
···

       
19

       
 

       
 


     

       
20

       
 

       
     #[instrument(


     

       
21

       
 

       
         level = "info",


     

       
22

       
+

       
-        skip(self, eventid),


     

       
23

       
+

       
+        skip(self, password, eventid),


     

       
24

       
 

       
         fields(uuid = ?eventid)


     

       
25

       
 

       
     )]


     

       
26

       
 

       
     pub(crate) async fn handle_admin_recover_account(
+2 -1
pkgs/by-name/ka/kanidm/patches/1_4/recover-account.patch 
···

       
19

       
 

       
 


     

       
20

       
 

       
     #[instrument(


     

       
21

       
 

       
         level = "info",


     

       
22

       
-

       
         skip(self, eventid),


     

       

       

       
     

       
23

       
 

       
         fields(uuid = ?eventid)


     

       
24

       
 

       
     )]


     

       
25

       
 

       
     pub(crate) async fn handle_admin_recover_account(


     
···

       
19

       
 

       
 


     

       
20

       
 

       
     #[instrument(


     

       
21

       
 

       
         level = "info",


     

       
22

       
+

       
-        skip(self, eventid),


     

       
23

       
+

       
+        skip(self, password, eventid),


     

       
24

       
 

       
         fields(uuid = ?eventid)


     

       
25

       
 

       
     )]


     

       
26

       
 

       
     pub(crate) async fn handle_admin_recover_account(
+2 -1
pkgs/by-name/ka/kanidm/patches/1_5/recover-account.patch 
···

       
19

       
 

       
 


     

       
20

       
 

       
     #[instrument(


     

       
21

       
 

       
         level = "info",


     

       
22

       
-

       
         skip(self, eventid),


     

       

       

       
     

       
23

       
 

       
         fields(uuid = ?eventid)


     

       
24

       
 

       
     )]


     

       
25

       
 

       
     pub(crate) async fn handle_admin_recover_account(


     
···

       
19

       
 

       
 


     

       
20

       
 

       
     #[instrument(


     

       
21

       
 

       
         level = "info",


     

       
22

       
+

       
-        skip(self, eventid),


     

       
23

       
+

       
+        skip(self, password, eventid),


     

       
24

       
 

       
         fields(uuid = ?eventid)


     

       
25

       
 

       
     )]


     

       
26

       
 

       
     pub(crate) async fn handle_admin_recover_account(