From 0ec4a8ebe86465c2678a052c07d7ed1439a57770 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Tue, 12 Mar 2024 16:42:36 +0100
Subject: [PATCH] chore: update kanidm module
---
 hosts/ward/guests/forgejo.nix | 31 +++++++++++-------
 hosts/ward/guests/kanidm.nix | 17 +++++++---
 modules/kanidm.nix | 21 ++++++++++--
 pkgs/default.nix | 1 +
 .../ward-kanidm/kanidm-admin-password.age | 18 +++++-----
 .../ward-kanidm/kanidm-idm-admin-password.age | Bin 481 -> 453 bytes
 ...6c68df160840-kanidm-idm-admin-password.age | 8 +++++
 ...6f370a461fe91ce4-kanidm-admin-password.age | 8 -----
 ...3607bdc654ff-kanidm-idm-admin-password.age | Bin 372 -> 0 bytes
 ...45820ff37e8086bd-kanidm-admin-password.age | Bin 0 -> 348 bytes
 10 files changed, 68 insertions(+), 36 deletions(-)
 create mode 100644 secrets/rekeyed/ward-kanidm/1e8a4b2e02bdfebbf38a6c68df160840-kanidm-idm-admin-password.age
 delete mode 100644 secrets/rekeyed/ward-kanidm/68153eee0e2a6f1a6f370a461fe91ce4-kanidm-admin-password.age
 delete mode 100644 secrets/rekeyed/ward-kanidm/ab9136e764786f54bc873607bdc654ff-kanidm-idm-admin-password.age
 create mode 100644 secrets/rekeyed/ward-kanidm/b8e30da09314f42845820ff37e8086bd-kanidm-admin-password.age
diff --git a/hosts/ward/guests/forgejo.nix b/hosts/ward/guests/forgejo.nix
index 1f0bf3a..d3f4c24 100644
--- a/hosts/ward/guests/forgejo.nix
+++ b/hosts/ward/guests/forgejo.nix
@@ -124,9 +124,14 @@ in {
 ENABLED_ISSUE_BY_LABEL = true;
 };
 oauth2_client = {
- ACCOUNT_LINKING = "auto";
+ # Never use auto account linking with this, otherwise users cannot change
+ # their new user name and they could potentially overtake other users accounts
+ # by setting their email address to an existing account.
+ # With "login" linking the user must choose a non-existing username first or login
+ # with the existing account to link.
+ ACCOUNT_LINKING = "login";
+ USERNAME = "nickname";
 ENABLE_AUTO_REGISTRATION = true;
- OPENID_CONNECT_SCOPES = "email profile";
 REGISTER_EMAIL_CONFIRM = false;
 UPDATE_AVATAR = true;
 };
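Review bot: The new `USERNAME = "nickname";` line makes the IdP's nickname claim the Forgejo username, while the unchanged `ENABLE_AUTO_REGISTRATION = true;` and `REGISTER_EMAIL_CONFIRM = false;` lines still create accounts and trust the email claim with no confirmation step; the five-line comment explains the linking choice but not why an unverified email is acceptable here. That is presumably fine because kanidm is the only login provider, but the next reader has to work that out, so I'd add one line after the comment: `# Email and nickname are taken from kanidm as-is; no confirmation is needed while kanidm is the only login provider.`. The `oauth2_client` block is complete in the hunk, but the enclosing settings set starts before it.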
@@ -161,10 +166,6 @@ in {
 };
 };
- # XXX: PKCE is currently not supported by gitea/forgejo,
- # see https://github.com/go-gitea/gitea/issues/21376.
- # Disable PKCE manually in kanidm for now.
- # `kanidm system oauth2 warning-insecure-client-disable-pkce forgejo`
 systemd.services.gitea = {
 serviceConfig.RestartSec = "600"; # Retry every 10 minutes
 preStart = let
@@ -180,18 +181,26 @@ in {
 clientId
 "--auto-discover-url"
 "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/${clientId}/.well-known/openid-configuration"
- #"--required-claim-name" "groups"
- #"--group-claim-name" "groups"
- #"--admin-group" "/forge_admins@${domain}"
+ "--scopes"
+ "email"
+ "--scopes"
+ "profile"
+ "--scopes"
+ "groups"
+ "--group-claim-name"
+ "groups"
+ "--admin-group"
+ "admin"
 "--skip-local-2fa"
 ];
 in
 lib.mkAfter ''
 provider_id=$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1)
+ SECRET="$(< ${config.age.secrets.forgejo-oauth2-client-secret.path})"
 if [[ -z "$provider_id" ]]; then
- FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${config.age.secrets.forgejo-oauth2-client-secret.path})" ${exe} admin auth add-oauth ${args}
+ ${exe} admin auth add-oauth ${args} --secret "$SECRET"
 else
- FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${config.age.secrets.forgejo-oauth2-client-secret.path})" ${exe} admin auth update-oauth --id "$provider_id" ${args}
+ ${exe} admin auth update-oauth --id "$provider_id" ${args} --secret "$SECRET"
 fi
 '';
 };
diff --git a/hosts/ward/guests/kanidm.nix b/hosts/ward/guests/kanidm.nix
index a15db2e..bd2db4b 100644
--- a/hosts/ward/guests/kanidm.nix
+++ b/hosts/ward/guests/kanidm.nix
@@ -136,6 +136,7 @@ in {
 originUrl = "https://${sentinelCfg.networking.providedDomains.grafana}/";
 basicSecretFile = config.age.secrets.kanidm-oauth2-grafana.path;
 scopeMaps."grafana.access" = ["openid" "email" "profile"];
+ # FIXME: use new group claims k thx
 supplementaryScopeMaps = {
 "grafana.admins" = ["admin"];
 "grafana.editors" = ["editor"];
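Review bot: `--secret "$SECRET"` on the two `admin auth add-oauth`/`update-oauth` lines puts the OAuth2 client secret on the command line, where it is readable by every local user through `ps` or `/proc/<pid>/cmdline` for as long as the command runs, whereas the removed form passed it through the process environment, which only the same user and root can read. On a single-purpose guest the window is short, but it is still a step backwards in secret handling; if the CLI honoured the environment variable before, keep that form with the new `${args}` (it composes just as well), and otherwise at least confirm `/proc` is mounted with `hidepid` on this guest before accepting the argv form. Reading the file into `SECRET` once is fine, but that variable should not be exported. The `preStart` script and the `systemd.services.gitea` set begin in the previous hunk and the enclosing function continues outside it.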
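Review bot: The added `# FIXME: use new group claims k thx` says neither what should change nor why the grafana client is left on `supplementaryScopeMaps` while the forgejo and web-sentinel clients are migrated to `claimMaps.groups` in the same commit. A reader a year from now will not know whether this is pending work or a deliberate exception, presumably because grafana's role mapping has not yet been switched to read a groups claim. I'd replace it with `# FIXME: migrate to claimMaps.groups like forgejo/web-sentinel once grafana's role mapping reads the "groups" claim.`.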
@@ -151,8 +152,13 @@ in {
 originUrl = "https://${sentinelCfg.networking.providedDomains.forgejo}/";
 basicSecretFile = config.age.secrets.kanidm-oauth2-forgejo.path;
 scopeMaps."forgejo.access" = ["openid" "email" "profile"];
- supplementaryScopeMaps = {
- "forgejo.admins" = ["admin"];
+ # XXX: PKCE is currently not supported by gitea/forgejo,
+ # see https://github.com/go-gitea/gitea/issues/21376.
+ allowInsecureClientDisablePkce = true;
+ preferShortUsername = true;
+ claimMaps.groups = {
+ joinType = "array";
+ valuesByGroup."forgejo.admins" = ["admin"];
 };
 };
@@ -165,9 +171,10 @@ in {
 originUrl = "https://oauth2.${personalDomain}/";
 basicSecretFile = config.age.secrets.kanidm-oauth2-web-sentinel.path;
 scopeMaps."web-sentinel.access" = ["openid" "email"];
- supplementaryScopeMaps = {
- "web-sentinel.adguardhome" = ["access_adguardhome"];
- "web-sentinel.influxdb" = ["access_influxdb"];
+ claimMaps.groups = {
+ joinType = "array";
+ valuesByGroup."web-sentinel.adguardhome" = ["access_adguardhome"];
+ valuesByGroup."web-sentinel.influxdb" = ["access_influxdb"];
 };
 };
 };
diff --git a/modules/kanidm.nix b/modules/kanidm.nix
index 375aac5..96d7384 100644
--- a/modules/kanidm.nix
+++ b/modules/kanidm.nix
@@ -19,8 +19,10 @@
 flip
 foldl'
 getExe
+ hasInfix
 hasPrefix
 isStorePath
+ last
 mapAttrsToList
 mdDoc
 mkEnableOption
@@ -31,6 +33,7 @@
 mkPackageOption
 optional
 optionalString
+ splitString
 subtractLists
 types
 unique
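Review bot: `allowInsecureClientDisablePkce = true;` removes the authorization-code interception protection for the forgejo client, so the only thing binding the code exchange to this client is the secret in `basicSecretFile`; the comment above it cites the upstream issue but says neither what still protects the flow nor when the setting should be reverted. I'd extend the comment with `# Tolerable only because forgejo is a confidential client (basicSecretFile is required at token exchange); remove once the linked issue is fixed.`. `preferShortUsername = true;` is presumably what feeds forgejo's `USERNAME = "nickname"` with the short name rather than the full SPN — a one-line comment saying so would tie the two sides together. The client definition is complete in the hunk, but the enclosing `systems.oauth2` set starts before it.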
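Review bot: Moving `access_adguardhome` and `access_influxdb` from `supplementaryScopeMaps` into `claimMaps.groups` changes where the consumer at `https://oauth2.${personalDomain}/` has to look for them — they are no longer scopes granted to the token but values of a `groups` claim — and nothing in this commit's diffstat touches that proxy's configuration. Unless it is adjusted elsewhere, a proxy still checking scopes will either deny everyone or, if it fails open, stop enforcing the group at all; please confirm the sentinel proxy reads the `groups` claim. A short comment on the block, `# Consumed as the "groups" claim by the oauth2 proxy on sentinel; keep in sync with its allowed-groups config.`, would record the cross-host dependency.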
@@ -112,6 +115,17 @@
 inherit (cfg.provision) groups persons systems;
 });
+ serverPort =
+ # ipv6:
+ if hasInfix "]:" cfg.serverSettings.bindaddress
+ then last (splitString "]:" cfg.serverSettings.bindaddress)
+ else
+ # ipv4:
+ if hasInfix "." cfg.serverSettings.bindaddress
+ then last (splitString ":" cfg.serverSettings.bindaddress)
+ # default is 8443
+ else "8443";
+
 # Only recover the admin account if a password should explicitly be provisioned
 # for the account. Otherwise it is not needed for provisioning.
 maybeRecoverAdmin = optionalString (cfg.provision.adminPasswordFile != null) ''
@@ -324,7 +338,8 @@ in {
 instanceUrl = mkOption {
 description = "The instance url to which the provisioning tool should connect.";
- default = "https://localhost";
+ default = "https://localhost:${serverPort}";
+ defaultText = ''"https://localhost:"'';
 type = types.str;
 };
@@ -335,8 +350,8 @@ in {
 dangerous when used with an external URL.
 '';
 type = types.bool;
- default = cfg.provision.instanceUrl == "https://localhost";
- defaultText = ''services.kanidm.provision.instanceUrl == "https://localhost"'';
+ default = hasPrefix "https://localhost:" cfg.provision.instanceUrl;
+ defaultText = ''hasPrefix "https://localhost:" cfg.provision.instanceUrl'';
 };
 adminPasswordFile = mkOption {
diff --git a/pkgs/default.nix b/pkgs/default.nix
index 203d545..abb3a1d 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -19,6 +19,7 @@
 "${provisionSrc}/patches/${old.version}-recover-account.patch"
 ];
 passthru.enableSecretProvisioning = true;
+ doCheck = false;
 });
 kanidm-provision = prev.callPackage ./kanidm-provision.nix {};
 kanidm-secret-manipulator = prev.callPackage ./kanidm-secret-manipulator.nix {};
diff --git a/secrets/generated/ward-kanidm/kanidm-admin-password.age b/secrets/generated/ward-kanidm/kanidm-admin-password.age
index ade0819..39cf4fd 100644
--- a/secrets/generated/ward-kanidm/kanidm-admin-password.age
+++ b/secrets/generated/ward-kanidm/kanidm-admin-password.age
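Review bot: `serverPort` silently falls back to `"8443"` for any `bindaddress` that contains neither `.` nor `]:` — `localhost:9443` or any bare hostname with a port — so the provisioning tool would then connect to the wrong port, and an IPv4 address given without a port yields the whole address as the "port" because `last (splitString ":" ...)` has nothing to split. Extracting the trailing `:digits` with a single anchored match handles IPv4, bracketed IPv6 and hostnames uniformly and needs none of the three newly inherited helpers. The `let` block this binding lives in starts before the hunk.
```nix
  serverPort =
    let
      # The port is whatever follows the last ':' when it is all digits;
      # this covers "127.0.0.1:8443", "[::1]:8443" and "localhost:8443" alike.
      m = builtins.match ".*:([0-9]+)" cfg.serverSettings.bindaddress;
    in
      # kanidm's own default port when no port can be recognised
      if m != null then builtins.head m else "8443";
```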
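Review bot: `hasPrefix "https://localhost:" cfg.provision.instanceUrl` is looser than the removed exact comparison: it is also true for `https://localhost:8443@other.host/`, where `localhost:8443` is URL userinfo and the real host is remote, and then certificate verification is silently turned off against that host. The value is set by the operator, so this is a footgun rather than an attack surface, but an anchored match keeps the old strictness at the same cost: `default = builtins.match "https://localhost:[0-9]+/?" cfg.provision.instanceUrl != null;` with `defaultText` updated to say the same. The option's `description` sits above the hunk and should mention that only a plain `https://localhost:<port>` URL gets the permissive default.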
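Review bot: `doCheck = false;` drops the whole test suite of the identity server package immediately after it is modified by `${old.version}-recover-account.patch`, which is exactly when the tests are most valuable, and nothing records which test fails or why. At minimum add the reason next to it, e.g. `# Tests disabled: <which test> fails after the recover-account patch; re-enable once fixed.`, and if this is a rustPlatform build prefer skipping only the failing test via `checkFlags = ["--skip" "<test>"]` so the rest keeps running. The `overrideAttrs` call this lands in begins before the hunk.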
@@ -1,10 +1,10 @@ age-encryption.org/v1 --> X25519 6f8QhIEaEPpo4rE7z2+xfSvVuBuNFA88irUfI9zcIE4 -GqmGfpdlp+g5AMhXqX9lgDC/N8R7219sAaBi0I9d9Ag --> piv-p256 xqSe8Q Ay3ut51NNIlEQMX0khPsv125nhDXOXHmFSgSnTjbVe7n -6IcjGzTGPgvNZ2Q2HQPa9W7WCPNdIAADA1wRMS8GZC4 --> 82t/-grease `y"L Hi< _{M -SiPWwQNeRqL92N2g63dJ3w3+OZsSge3YoF4IKmw10dXnmThUrwZWmv0s1LlZWFlF -zZpcto0M ---- RZDYu8mV+RbfUwjpVdPpGso9zU1T/Nr/HjJImcK6kiY -0&{AcõL,;^UQpU&}GRk[ ҖI=8Ŭˑ! \ No newline at end of file +-> X25519 GPGUXxxB5Cj2S0lIefvZQxCPx+RyLhTekC1DQKhq+AE +XopnX7IBSSqsBaAzffjUI+kuQIwil4HhqnV/FqWYZAU +-> piv-p256 xqSe8Q AnXbklxYTgrlCOwXorB5KRXT9UGiCsvUMNtkrvUUvdpJ +UEcHDRHS5fpBUJzoeelgtCnqTh/PS5O0jWh8eSRukoE +-> iuO-grease xi(!7 {t&2I +bAd8XDG3V+NpXswCjj15/7h+klBqyiNy9gWgNkQPyrN8078Bh5YAHO+6Gl56MN8V +nJxvrw +--- 5jTQCFK/KQKkOfAGUi4AmKy0iwgM69lx6q9+18poSzM +?y?PU,=s|CuQlae'[ -J+Ş8O6c,tfw|\=+cC \ No newline at end of file 
diff --git a/secrets/generated/ward-kanidm/kanidm-idm-admin-password.age b/secrets/generated/ward-kanidm/kanidm-idm-admin-password.age index 81add5042617db146424998ede20230141b3d680..30c3c8e1788773975e37f15711adcb85d7ecfbb2 100644 GIT binary patch delta 431 zcmV;g0Z{(o1H}W7Ab(_fPc>0zY&J+WRAO3mSa@z?b#pZ_G)Z`MS$IZ4Zb)%7LN`q> zFKu~jZwh2YNM%BEI96mxWN=k$OE+^xVnt>*Fj_WRVrMTyZ&z<+IBINKHD)huV+t)k zAaH4REpRe5HXwL$Q)M_&AVF_JQ%q+scXV`GIAg)AOHB$jFiJH{VPttmIZtCkGI&c@LMu>qI95wYYGqc4SF!Qh7*I zX;lg>J|I0yHaRd=ac?bWa%Ew2WgvS?SPE-+d1h}iO;|!mNLf}ZNMtZ~L0W8BWOOom zFEwaMGjc;uVt+|hXF^OeZZ>u{V^T35I&007|OZt>*BbHKyY67tccX`Bj4nxr3T)^}-}HhS3GJU4~}`7CqV`tM0U`F;(men{DJ3W{rmbcxdc%l);m%GSb_+vtOIcw`C51A3JD12kf{@?cH?{TRD5E=DReq++I0px^hmIf8T z5eWB8%q3pp^u&;7Gm~#^4_J1NL1cxZ%OQ|5wR&ozaP~ht*l(s1{o8S#g{zrrnw$4b<&@Yz8qwQ54x!0$!L%!&$c_A=j?6L&5Oce3j3M z3%TSgu;EW&Kkmz7OkBR2YS*5={k`$y+50=CKM(J&dFMB;&NeqcKEBx9efRv=>h# ssh-ed25519 QciEZQ QyX7/FtiWgoLvyffHXvVuSKDQi95Kyc3fn0fI2G+7Sw +Bi2yLN8V+1tUBHeLAvGeaYXZ3+wInoyrEn9nMOdOU50 +-> ;-grease Zu Ht`s/,N% xA6=yx#Y 8!&Ju@ +VBbgI0sdvLsXV81KaSBTf47C7EvRPSOShvtJlbDcjJm9Z08Egb0dhxieCyCkklve +KoOrjuy5IpGRhF4 +--- YuF5oqqskiKa/0uVqHaaOcyAYoQUJsI7YdhCSiE7WUk +bg&*#RXжAe$qouO" =J_VFO* U ssh-ed25519 QciEZQ BdaphQM25KBdkYRt1jz2xqRRTkx0w9B5mEa/wLnrjhw -stL5lO8Pn5mZ1e+RV0MM3Z/PKELNsudJXpzOPcw4ZMo --> #'H$k-grease F -bjZu5g/zqKw7tfcOcr6A1rjCeZ9Xv5lzcDfyRffobE9hadKMmWXpI9SIvWpMGotj -SEjIpghD5Ws ---- 9Zk53p5YyRxFy4eGNciZvQDNdWUxQZRG5usva0j/HhU -rni`heC !mq`F%재/ERwdsD +eZ5FZ# Jk : \ No newline at end of file 
diff --git a/secrets/rekeyed/ward-kanidm/ab9136e764786f54bc873607bdc654ff-kanidm-idm-admin-password.age b/secrets/rekeyed/ward-kanidm/ab9136e764786f54bc873607bdc654ff-kanidm-idm-admin-password.age deleted file mode 100644 index 99a8c707741521bf47b0121221d13d5a45c9e9bb..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 372 zcmV-)0gL`&XJsvAZewzJaCB*JZZ2b7deY zM=>BVJbEZ_3S>w_Oi^fMcx6aIY%f zPjq8yW@Ux=Oj2emN>Fx6V_I@dXgF9hQ&Mnxc`yohRy1x-F+*~C zc}j3fa6>m!RW~qpG;eB3QaDv}ZEae2W^O`SbZm2Obax6ZJ|J8vK}juVa%Ew2WeR6A zPc&6TQDQh`NmErsO>l2AP-kp+Mni8fXL?RXYBW+dXJ=1uFbV^kZ+EfmI|$>9>{e+^D1O9BbX8Q149TA#*){y6aun7i9UbF7 uGU^%e6(hs;YWe>1IV3;Vm<}+sblu77jvfk;c13tavzuH40F#vV_MFSpL49Zd literal 0 HcmV?d00001