mirrors/aports
1
0
Fork 0
mirror of https://gitlab.alpinelinux.org/alpine/aports.git synced 2026-02-14 12:21:47 +01:00
Code Issues Packages Projects Releases Wiki Activity
aports/testing/kanidm/initgroups-hooks.patch
Achill Gilgenast c838ce3668 testing/kanidm: upgrade to 1.8.0
2025-11-13 13:07:07 +01:00

158 lines
6.2 KiB
Diff
Raw Blame History

From 6280ed6434ad8f239d4d1eabe509c879c370879f Mon Sep 17 00:00:00 2001
From: Doridian <git@doridian.net>
Date: Sun, 29 Dec 2024 21:29:28 -0800
Subject: [PATCH] Add support for initgroups hooks in libnss_kanidm
Signed-off-by: Achill Gilgenast <achill@achill.org>
---
unix_integration/common/src/unix_proto.rs | 2 +
unix_integration/nss_kanidm/src/core.rs | 39 +++++++++++++++++++
unix_integration/nss_kanidm/src/hooks.rs | 14 +++++++
.../resolver/src/bin/kanidm_unixd.rs | 8 ++++
unix_integration/resolver/src/resolver.rs | 11 ++++++
5 files changed, 74 insertions(+)
diff --git a/unix_integration/common/src/unix_proto.rs b/unix_integration/common/src/unix_proto.rs
index 05df2019a7a5..3e44e328c86c 100644
--- a/unix_integration/common/src/unix_proto.rs
+++ b/unix_integration/common/src/unix_proto.rs
@@ -121,6 +121,7 @@ pub enum ClientRequest {
NssGroups,
NssGroupByGid(u32),
NssGroupByName(String),
+ NssGroupsByMember(String),
PamAuthenticateInit {
account_id: String,
info: PamServiceInfo,
@@ -144,6 +145,7 @@ impl ClientRequest {
ClientRequest::NssGroups => "NssGroups".to_string(),
ClientRequest::NssGroupByGid(id) => format!("NssGroupByGid({id})"),
ClientRequest::NssGroupByName(id) => format!("NssGroupByName({id})"),
+ ClientRequest::NssGroupsByMember(id) => format!("NssGroupsByMember({id})"),
ClientRequest::PamAuthenticateInit { account_id, info } => format!(
"PamAuthenticateInit{{ account_id={} tty={} pam_secvice{} rhost={} }}",
account_id,
diff --git a/unix_integration/nss_kanidm/src/core.rs b/unix_integration/nss_kanidm/src/core.rs
index 774392dddd40..0af11256fe03 100644
--- a/unix_integration/nss_kanidm/src/core.rs
+++ b/unix_integration/nss_kanidm/src/core.rs
@@ -301,6 +301,45 @@ pub fn get_group_entry_by_name(name: String, req_options: RequestOptions) -> Res
}
}
+pub fn get_group_entries_by_member(
+ member: String,
+ req_options: RequestOptions,
+) -> Response<Vec<Group>> {
+ match req_options.connect_to_daemon() {
+ Source::Daemon(daemon_client) => {
+ let req = ClientRequest::NssGroupsByMember(member);
+ daemon_client
+ .call_and_wait(req, None)
+ .map(|r| match r {
+ ClientResponse::NssGroups(l) => {
+ l.into_iter().map(group_from_nssgroup).collect()
+ }
+ _ => Vec::new(),
+ })
+ .map(Response::Success)
+ .unwrap_or_else(|_| Response::Success(vec![]))
+ }
+ Source::Fallback { users: _, groups } => {
+ if groups.is_empty() {
+ return Response::Unavail;
+ }
+
+ let membergroups = groups
+ .into_iter()
+ .filter_map(|etcgroup| {
+ if etcgroup.members.contains(&member) {
+ Some(group_from_etcgroup(etcgroup))
+ } else {
+ None
+ }
+ })
+ .collect();
+
+ Response::Success(membergroups)
+ }
+ }
+}
+
fn passwd_from_etcuser(etc: EtcUser) -> Passwd {
Passwd {
name: etc.name,
diff --git a/unix_integration/nss_kanidm/src/hooks.rs b/unix_integration/nss_kanidm/src/hooks.rs
index 62386c987db9..5b7968438965 100644
--- a/unix_integration/nss_kanidm/src/hooks.rs
+++ b/unix_integration/nss_kanidm/src/hooks.rs
@@ -3,6 +3,7 @@ use kanidm_unix_common::constants::DEFAULT_CONFIG_PATH;
use libnss::group::{Group, GroupHooks};
use libnss::interop::Response;
use libnss::passwd::{Passwd, PasswdHooks};
+use libnss::initgroups::{InitgroupsHooks};
struct KanidmPasswd;
libnss_passwd_hooks!(kanidm, KanidmPasswd);
@@ -61,3 +62,16 @@ impl GroupHooks for KanidmGroup {
core::get_group_entry_by_name(name, req_opt)
}
}
+
+struct KanidmInitgroups;
+libnss_initgroups_hooks!(kanidm, KanidmInitgroups);
+
+impl InitgroupsHooks for KanidmInitgroups {
+ fn get_entries_by_user(user: String) -> Response<Vec<Group>> {
+ let req_opt = RequestOptions::Main {
+ config_path: DEFAULT_CONFIG_PATH,
+ };
+
+ core::get_group_entries_by_member(user, req_opt)
+ }
+}
diff --git a/unix_integration/resolver/src/bin/kanidm_unixd.rs b/unix_integration/resolver/src/bin/kanidm_unixd.rs
index 95370e4a6dbe..b0feaf5dcb53 100644
--- a/unix_integration/resolver/src/bin/kanidm_unixd.rs
+++ b/unix_integration/resolver/src/bin/kanidm_unixd.rs
@@ -247,6 +247,14 @@ async fn handle_client(
error!("unable to load group, returning empty.");
ClientResponse::NssGroup(None)
}),
+ ClientRequest::NssGroupsByMember(account_id) => cachelayer
+ .get_nssgroups_member_name(account_id.as_str())
+ .await
+ .map(ClientResponse::NssGroups)
+ .unwrap_or_else(|_| {
+ error!("unable to enum groups");
+ ClientResponse::NssGroups(Vec::new())
+ }),
ClientRequest::PamAuthenticateInit { account_id, info } => {
match &pam_auth_session_state {
Some(_auth_session) => {
diff --git a/unix_integration/resolver/src/resolver.rs b/unix_integration/resolver/src/resolver.rs
index c65f5a974b77..ec5900f3457b 100644
--- a/unix_integration/resolver/src/resolver.rs
+++ b/unix_integration/resolver/src/resolver.rs
@@ -891,6 +891,17 @@ impl Resolver {
Ok(r)
}
+ pub async fn get_nssgroups_member_name(&self, account_id: &str) -> Result<Vec<NssGroup>, ()> {
+ let account_name = account_id.to_string();
+ Ok(self
+ .get_nssgroups()
+ .await
+ .unwrap_or_default()
+ .into_iter()
+ .filter(|g| g.members.contains(&account_name))
+ .collect())
+ }
+
#[instrument(level = "trace", skip_all)]
async fn get_nssgroup(&self, grp_id: Id) -> Result<Option<NssGroup>, ()> {
if let Some(mut nss_group) = self.system_provider.get_nssgroup(&grp_id).await {
--
2.51.2
Reference in New Issue View Git Blame Copy Permalink