mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-04-21 01:35:39 +02:00
Code Issues Actions12 Packages Projects Releases Wiki Activity

Merge 998e56d648 into ad012cd6fd

Browse source
This commit is contained in:
Mark Dietzer 2025-04-05 03:31:43 +02:00 committed by GitHub
parent ad012cd6fd 998e56d648
commit 2bd3f15713
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
6 changed files with 113 additions and 0 deletions
unix_integration
common/src
unix_proto.rs
nss_kanidm/src
core.rshooks.rs
resolver/src
bin
kanidm_unixd.rs
db.rsresolver.rs

2
unix_integration/common/src/unix_proto.rs
View file

@ -121,6 +121,7 @@ pub enum ClientRequest {
NssGroups, NssGroups,
NssGroupByGid(u32), NssGroupByGid(u32),
NssGroupByName(String), NssGroupByName(String),
NssGroupsByMember(String),
PamAuthenticateInit { PamAuthenticateInit {
account_id: String, account_id: String,
info: PamServiceInfo, info: PamServiceInfo,
@ -144,6 +145,7 @@ impl ClientRequest {
ClientRequest::NssGroups => "NssGroups".to_string(), ClientRequest::NssGroups => "NssGroups".to_string(),
ClientRequest::NssGroupByGid(id) => format!("NssGroupByGid({})", id), ClientRequest::NssGroupByGid(id) => format!("NssGroupByGid({})", id),
ClientRequest::NssGroupByName(id) => format!("NssGroupByName({})", id), ClientRequest::NssGroupByName(id) => format!("NssGroupByName({})", id),
ClientRequest::NssGroupsByMember(id) => format!("NssGroupsByMember({})", id),
ClientRequest::PamAuthenticateInit { account_id, info } => format!( ClientRequest::PamAuthenticateInit { account_id, info } => format!(
"PamAuthenticateInit{{ account_id={} tty={} pam_secvice{} rhost={} }}", "PamAuthenticateInit{{ account_id={} tty={} pam_secvice{} rhost={} }}",
account_id, account_id,

36
unix_integration/nss_kanidm/src/core.rs
View file

@ -285,6 +285,42 @@ pub fn get_group_entry_by_name(name: String, req_options: RequestOptions) -> Res
} }
} }
pub fn get_group_entries_by_member(member: String, req_options: RequestOptions) -> Response<Vec<Group>> {
match req_options.connect_to_daemon() {
Source::Daemon(mut daemon_client) => {
let req = ClientRequest::NssGroupsByMember(member);
daemon_client
.call_and_wait(&req, None)
.map(|r| match r {
ClientResponse::NssGroups(l) => {
l.into_iter().map(group_from_nssgroup).collect()
}
_ => Vec::new(),
})
.map(Response::Success)
.unwrap_or_else(|_| Response::Success(vec![]))
}
Source::Fallback { users: _, groups } => {
if groups.is_empty() {
return Response::Unavail;
}
let membergroups = groups
.into_iter()
.filter_map(|etcgroup| {
if etcgroup.members.contains(&member) {
Some(group_from_etcgroup(etcgroup))
} else {
None
}
})
.collect();
Response::Success(membergroups)
}
}
}
fn passwd_from_etcuser(etc: EtcUser) -> Passwd { fn passwd_from_etcuser(etc: EtcUser) -> Passwd {
Passwd { Passwd {
name: etc.name, name: etc.name,

14
unix_integration/nss_kanidm/src/hooks.rs
View file

@ -3,6 +3,7 @@ use kanidm_unix_common::constants::DEFAULT_CONFIG_PATH;
use libnss::group::{Group, GroupHooks}; use libnss::group::{Group, GroupHooks};
use libnss::interop::Response; use libnss::interop::Response;
use libnss::passwd::{Passwd, PasswdHooks}; use libnss::passwd::{Passwd, PasswdHooks};
use libnss::initgroups::{InitgroupsHooks};
struct KanidmPasswd; struct KanidmPasswd;
libnss_passwd_hooks!(kanidm, KanidmPasswd); libnss_passwd_hooks!(kanidm, KanidmPasswd);
@ -61,3 +62,16 @@ impl GroupHooks for KanidmGroup {
core::get_group_entry_by_name(name, req_opt) core::get_group_entry_by_name(name, req_opt)
} }
} }
struct KanidmInitgroups;
libnss_initgroups_hooks!(kanidm, KanidmInitgroups);
impl InitgroupsHooks for KanidmInitgroups {
fn get_entries_by_user(user: String) -> Response<Vec<Group>> {
let req_opt = RequestOptions::Main {
config_path: DEFAULT_CONFIG_PATH,
};
core::get_group_entries_by_member(user, req_opt)
}
}

8
unix_integration/resolver/src/bin/kanidm_unixd.rs
View file

@ -317,6 +317,14 @@ async fn handle_client(
error!("unable to load group, returning empty."); error!("unable to load group, returning empty.");
ClientResponse::NssGroup(None) ClientResponse::NssGroup(None)
}), }),
ClientRequest::NssGroupsByMember(account_id) => cachelayer
.get_nssgroups_member_name(account_id.as_str())
.await
.map(ClientResponse::NssGroups)
.unwrap_or_else(|_| {
error!("unable to enum groups");
ClientResponse::NssGroups(Vec::new())
}),
ClientRequest::PamAuthenticateInit { account_id, info } => { ClientRequest::PamAuthenticateInit { account_id, info } => {
match &pam_auth_session_state { match &pam_auth_session_state {
Some(_auth_session) => { Some(_auth_session) => {

31
unix_integration/resolver/src/db.rs
View file

@ -792,6 +792,37 @@ impl DbTxn<'_> {
} }
} }
pub fn get_user_groups(&mut self, a_uuid: Uuid) -> Result<Vec<GroupToken>, CacheError> {
let mut stmt = self
.conn
.prepare("SELECT group_t.token FROM (group_t, memberof_t) WHERE group_t.uuid = memberof_t.g_uuid AND memberof_t.a_uuid = :a_uuid")
.map_err(|e| {
self.sqlite_error("select prepare", &e)
})?;
let data_iter = stmt
.query_map([a_uuid.as_hyphenated().to_string()], |row| row.get(0))
.map_err(|e| self.sqlite_error("query_map", &e))?;
let data: Result<Vec<Vec<u8>>, _> = data_iter
.map(|v| v.map_err(|e| self.sqlite_error("map", &e)))
.collect();
let data = data?;
Ok(data
.iter()
.filter_map(|token| {
// token convert with json.
// trace!("{:?}", token);
serde_json::from_slice(token.as_slice())
.map_err(|e| {
error!("json error -> {:?}", e);
})
.ok()
})
.collect())
}
pub fn get_group_members(&mut self, g_uuid: Uuid) -> Result<Vec<UserToken>, CacheError> { pub fn get_group_members(&mut self, g_uuid: Uuid) -> Result<Vec<UserToken>, CacheError> {
let mut stmt = self let mut stmt = self
.conn .conn

22
unix_integration/resolver/src/resolver.rs
View file

@ -621,6 +621,17 @@ impl Resolver {
}) })
} }
async fn get_usergroups(&self, g_uuid: Uuid) -> Vec<String> {
let mut dbtxn = self.db.write().await;
dbtxn
.get_user_groups(g_uuid)
.unwrap_or_else(|_| Vec::new())
.into_iter()
.map(|gt| self.token_gidattr(&gt))
.collect()
}
async fn get_groupmembers(&self, g_uuid: Uuid) -> Vec<String> { async fn get_groupmembers(&self, g_uuid: Uuid) -> Vec<String> {
let mut dbtxn = self.db.write().await; let mut dbtxn = self.db.write().await;
@ -781,6 +792,17 @@ impl Resolver {
Ok(r) Ok(r)
} }
pub async fn get_nssgroups_member_name(&self, account_id: &str) -> Result<Vec<NssGroup>, ()> {
if let Some(nss_user) = self.get_nssaccount(&account_id).await {
Ok(self.get_usergroups(nss_user).await
.into_iter()
.map(|g| self.token_gidattr(&g))
.collect())
} else {
Ok(Vec::new())
}
}
async fn get_nssgroup(&self, grp_id: Id) -> Result<Option<NssGroup>, ()> { async fn get_nssgroup(&self, grp_id: Id) -> Result<Option<NssGroup>, ()> {
if let Some(mut nss_group) = self.system_provider.get_nssgroup(&grp_id).await { if let Some(mut nss_group) = self.system_provider.get_nssgroup(&grp_id).await {
debug!("system provider satisfied request"); debug!("system provider satisfied request");