Merge pull request #139420 from Flakebi/dex

dex-oidc: 2.28.1 -> 2.30.0 and add module
This commit is contained in:
Benjamin Staffin 2021-09-28 16:52:35 -04:00 committed by GitHub
commit 5c7c38f61d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 213 additions and 7 deletions

View File

@ -99,7 +99,15 @@
<para>
<link xlink:href="https://github.com/xrelkd/clipcat/">clipcat</link>,
an X11 clipboard manager written in Rust. Available at
[services.clipcat](options.html#o pt-services.clipcat.enable).
<link xlink:href="options.html#opt-services.clipcat.enable">services.clipcat</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/dexidp/dex">dex</link>,
an OpenID Connect (OIDC) identity and OAuth 2.0 provider.
Available at
<link xlink:href="options.html#opt-services.dex.enable">services.dex</link>.
</para>
</listitem>
<listitem>

View File

@ -32,8 +32,9 @@ In addition to numerous new and upgraded packages, this release has the followin
- [btrbk](https://digint.ch/btrbk/index.html), a backup tool for btrfs subvolumes, taking advantage of btrfs specific capabilities to create atomic snapshots and transfer them incrementally to your backup locations. Available as [services.btrbk](options.html#opt-services.brtbk.instances).
- [clipcat](https://github.com/xrelkd/clipcat/), an X11 clipboard manager written in Rust. Available at [services.clipcat](options.html#o
pt-services.clipcat.enable).
- [clipcat](https://github.com/xrelkd/clipcat/), an X11 clipboard manager written in Rust. Available at [services.clipcat](options.html#opt-services.clipcat.enable).
- [dex](https://github.com/dexidp/dex), an OpenID Connect (OIDC) identity and OAuth 2.0 provider. Available at [services.dex](options.html#opt-services.dex.enable).
- [geoipupdate](https://github.com/maxmind/geoipupdate), a GeoIP database updater from MaxMind. Available as [services.geoipupdate](options.html#opt-services.geoipupdate.enable).

View File

@ -963,6 +963,7 @@
./services/web-apps/calibre-web.nix
./services/web-apps/convos.nix
./services/web-apps/cryptpad.nix
./services/web-apps/dex.nix
./services/web-apps/discourse.nix
./services/web-apps/documize.nix
./services/web-apps/dokuwiki.nix

View File

@ -0,0 +1,115 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.dex;
fixClient = client: if client ? secretFile then ((builtins.removeAttrs client [ "secretFile" ]) // { secret = client.secretFile; }) else client;
filteredSettings = mapAttrs (n: v: if n == "staticClients" then (builtins.map fixClient v) else v) cfg.settings;
secretFiles = flatten (builtins.map (c: if c ? secretFile then [ c.secretFile ] else []) (cfg.settings.staticClients or []));
settingsFormat = pkgs.formats.yaml {};
configFile = settingsFormat.generate "config.yaml" filteredSettings;
startPreScript = pkgs.writeShellScript "dex-start-pre" (''
'' + (concatStringsSep "\n" (builtins.map (file: ''
${pkgs.replace-secret}/bin/replace-secret '${file}' '${file}' /run/dex/config.yaml
'') secretFiles)));
in
{
options.services.dex = {
enable = mkEnableOption "the OpenID Connect and OAuth2 identity provider";
settings = mkOption {
type = settingsFormat.type;
default = {};
example = literalExample ''
{
# External url
issuer = "http://127.0.0.1:5556/dex";
storage = {
type = "postgres";
config.host = "/var/run/postgres";
};
web = {
http = "127.0.0.1:5556";
};
enablePasswordDB = true;
staticClients = [
{
id = "oidcclient";
name = "Client";
redirectURIs = [ "https://example.com/callback" ];
secretFile = "/etc/dex/oidcclient"; # The content of `secretFile` will be written into to the config as `secret`.
}
];
}
'';
description = ''
The available options can be found in
<link xlink:href="https://github.com/dexidp/dex/blob/v${pkgs.dex.version}/config.yaml.dist">the example configuration</link>.
'';
};
};
config = mkIf cfg.enable {
systemd.services.dex = {
description = "dex identity provider";
wantedBy = [ "multi-user.target" ];
after = [ "networking.target" ] ++ (optional (cfg.settings.storage.type == "postgres") "postgresql.service");
serviceConfig = {
ExecStart = "${pkgs.dex-oidc}/bin/dex serve /run/dex/config.yaml";
ExecStartPre = [
"${pkgs.coreutils}/bin/install -m 600 ${configFile} /run/dex/config.yaml"
"+${startPreScript}"
];
RuntimeDirectory = "dex";
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
BindReadOnlyPaths = [
"/nix/store"
"-/etc/resolv.conf"
"-/etc/nsswitch.conf"
"-/etc/hosts"
"-/etc/localtime"
"-/etc/dex"
];
BindPaths = optional (cfg.settings.storage.type == "postgres") "/var/run/postgresql";
CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
# ProtectClock= adds DeviceAllow=char-rtc r
DeviceAllow = "";
DynamicUser = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
# Port needs to be exposed to the host network
#PrivateNetwork = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
# Would re-mount paths ignored by temporary root
#ProtectSystem = "strict";
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@privileged @resources @setuid @keyring" ];
TemporaryFileSystem = "/:ro";
# Does not work well with the temporary root
#UMask = "0066";
};
};
};
}

View File

@ -97,6 +97,7 @@ in
cryptpad = handleTest ./cryptpad.nix {};
deluge = handleTest ./deluge.nix {};
dendrite = handleTest ./dendrite.nix {};
dex-oidc = handleTest ./dex-oidc.nix {};
dhparams = handleTest ./dhparams.nix {};
disable-installer-tools = handleTest ./disable-installer-tools.nix {};
discourse = handleTest ./discourse.nix {};

78
nixos/tests/dex-oidc.nix Normal file
View File

@ -0,0 +1,78 @@
import ./make-test-python.nix ({ lib, ... }: {
name = "dex-oidc";
meta.maintainers = with lib.maintainers; [ Flakebi ];
nodes.machine = { pkgs, ... }: {
environment.systemPackages = with pkgs; [ jq ];
services.dex = {
enable = true;
settings = {
issuer = "http://127.0.0.1:8080/dex";
storage = {
type = "postgres";
config.host = "/var/run/postgresql";
};
web.http = "127.0.0.1:8080";
oauth2.skipApprovalScreen = true;
staticClients = [
{
id = "oidcclient";
name = "Client";
redirectURIs = [ "https://example.com/callback" ];
secretFile = "/etc/dex/oidcclient";
}
];
connectors = [
{
type = "mockPassword";
id = "mock";
name = "Example";
config = {
username = "admin";
password = "password";
};
}
];
};
};
# This should not be set from nix but through other means to not leak the secret.
environment.etc."dex/oidcclient" = {
mode = "0400";
user = "dex";
text = "oidcclientsecret";
};
services.postgresql = {
enable = true;
ensureDatabases =[ "dex" ];
ensureUsers = [
{
name = "dex";
ensurePermissions = { "DATABASE dex" = "ALL PRIVILEGES"; };
}
];
};
};
testScript = ''
with subtest("Web server gets ready"):
machine.wait_for_unit("dex.service")
# Wait until server accepts connections
machine.wait_until_succeeds("curl -fs 'localhost:8080/dex/auth/mock?client_id=oidcclient&response_type=code&redirect_uri=https://example.com/callback&scope=openid'")
with subtest("Login"):
state = machine.succeed("curl -fs 'localhost:8080/dex/auth/mock?client_id=oidcclient&response_type=code&redirect_uri=https://example.com/callback&scope=openid' | sed -n 's/.*state=\\(.*\\)\">.*/\\1/p'").strip()
print(f"Got state {state}")
machine.succeed(f"curl -fs 'localhost:8080/dex/auth/mock/login?back=&state={state}' -d 'login=admin&password=password'")
code = machine.succeed(f"curl -fs localhost:8080/dex/approval?req={state} | sed -n 's/.*code=\\(.*\\)&amp;.*/\\1/p'").strip()
print(f"Got approval code {code}")
bearer = machine.succeed(f"curl -fs localhost:8080/dex/token -u oidcclient:oidcclientsecret -d 'grant_type=authorization_code&redirect_uri=https://example.com/callback&code={code}' | jq .access_token -r").strip()
print(f"Got access token {bearer}")
with subtest("Get userinfo"):
assert '"sub"' in machine.succeed(
f"curl -fs localhost:8080/dex/userinfo --oauth2-bearer {bearer}"
)
'';
})

View File

@ -1,17 +1,17 @@
{ lib, buildGoModule, fetchFromGitHub }:
{ lib, buildGoModule, fetchFromGitHub, nixosTests }:
buildGoModule rec {
pname = "dex";
version = "2.28.1";
version = "2.30.0";
src = fetchFromGitHub {
owner = "dexidp";
repo = pname;
rev = "v${version}";
sha256 = "sha256-MdrkQ4qclylkan8y845BjLiL+W16iqRuNMmvWsKo+zw=";
sha256 = "sha256-Z/X9Db57eNUJdjzLCJNIW3lCRw05JP2TQ43PqKO6CiI=";
};
vendorSha256 = "sha256-rAqqvnP72BQY/qbSvqNzxh2ZUlF/rP0MR/+yqJai+KY=";
vendorSha256 = "sha256-ksN/1boBQVhevlDseVZsGUWL+Bwy4AMgGNdOPgsNNxk=";
subPackages = [
"cmd/dex"
@ -26,6 +26,8 @@ buildGoModule rec {
cp -r $src/web $out/share/web
'';
passthru.tests = { inherit (nixosTests) dex-oidc; };
meta = with lib; {
description = "OpenID Connect and OAuth2 identity provider with pluggable connectors";
homepage = "https://github.com/dexidp/dex";