commit caa342d9e7de4ab0e11372b72c66bf87192b155503bf692140b49e7758566f53 Author: William Brown Date: Fri Sep 15 00:10:03 2023 +0000 Accepting request 1111397 from network:samba:TESTING Pushing himmelblau to network:idm for staging. This is a more appropriate project space. OBS-URL: https://build.opensuse.org/request/show/1111397 OBS-URL: https://build.opensuse.org/package/show/network:idm/himmelblau?expand=0&rev=1
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/_service b/_service
new file mode 100644
index 0000000..73d41a8
--- /dev/null
+++ b/_service
@@ -0,0 +1,31 @@
+
+
+ https://github.com/openSUSE/himmelblau.git
+ git
+ stable-0.1.0
+ @PARENT_TAG@+git.@TAG_OFFSET@.%h
+ himmelblau-(.*)
+ \1
+ himmelblau
+ .git
+ src/kanidm/Cargo.*
+ enable
+
+
+ himmelblau
+ ^himmelblau-([^/]+)
+ himmelblau.spec
+
+
+ *.tar
+ bz2
+
+
+ himmelblau
+ true
+
+
+ himmelblau
+ Cargo.lock
+
+
diff --git a/_servicedata b/_servicedata
new file mode 100644
index 0000000..8d7a3c6
--- /dev/null
+++ b/_servicedata
@@ -0,0 +1,4 @@
+
+
+ https://github.com/openSUSE/himmelblau.git
+ 2391ac03df3f8de6e510bfd8e07769984e27dfea
\ No newline at end of file
diff --git a/cargo_config b/cargo_config
new file mode 100644
index 0000000..95219d7
--- /dev/null
+++ b/cargo_config
@@ -0,0 +1,10 @@
+[source.crates-io]
+replace-with = "vendored-sources"
+
+[source."git+https://github.com/ubuntu/libnss-rs.git?branch=misc-fixes"]
+git = "https://github.com/ubuntu/libnss-rs.git"
+branch = "misc-fixes"
+replace-with = "vendored-sources"
+
+[source.vendored-sources]
+directory = "vendor"
\ No newline at end of file
diff --git a/himmelblau-0.1.0+git.2.2391ac0.tar.bz2 b/himmelblau-0.1.0+git.2.2391ac0.tar.bz2
new file mode 100644
index 0000000..c5f3450
--- /dev/null
+++ b/himmelblau-0.1.0+git.2.2391ac0.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8402ba9cbc4ca68798e99cf2113a16202d7c8fa1f4c7c1d711240f8d79debe12
+size 8649204
diff --git a/himmelblau.changes b/himmelblau.changes
new file mode 100644
index 0000000..46ea3d7
--- /dev/null
+++ b/himmelblau.changes
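Review bot: The source revision in the first service block of `_service` is `stable-0.1.0`, which reads as a branch name rather than a tag or commit, so a later service run can pull different upstream code under the same package metadata. The element and attribute names are not visible on this page, so this is inferred from the values alone; the commit actually packaged is only recorded in `_servicedata`. I would add a comment above that value such as `<!-- tracks the stable-0.1.0 branch; the packaged commit is the one recorded in _servicedata, review the upstream diff on every service run -->`. The bare `true` in the block after the `*.tar`/`bz2` one may be an update switch for the vendoring step; if so, vendored crate versions can drift from upstream's `Cargo.lock` and that deserves the same comment.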
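Review bot: The git source for `libnss-rs` in `cargo_config` is identified only by `branch = "misc-fixes"`, so nothing in this file says which commit of that branch the vendored copy corresponds to. Because both sources are replaced with `vendored-sources`, the build takes whatever is in `vendor/`; the pin presumably lives in the `Cargo.lock` inside the source tarball, which is not visible here. A comment above that section would make the dependency explicit, e.g. `# branch dependency: the exact commit is fixed by Cargo.lock; vendor/ must be regenerated from that lockfile`. The file also ends without a trailing newline.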
@@ -0,0 +1,206 @@
+-------------------------------------------------------------------
+Thu Sep 14 17:16:34 UTC 2023 - david.mulder@suse.com
+
+- Update to version 0.1.0+git.2.2391ac0:
+ * Update version to 0.1.0
+ * Update the README
+ * idprovider: Fix mixed case auth failure
+ * daemon: Port daemon changes from kanidm
+ * provider: Skip provider init on silent auth and offline
+ * daemon: Run himmelblaud as non-root dynamic user
+
+-------------------------------------------------------------------
+Tue Sep 12 21:12:46 UTC 2023 - david.mulder@suse.com
+
+- Update to version 0.0.4+git.50.112df77:
+ * Always match DAG where present
+ * Prohibit authentication with changing IDs
+
+-------------------------------------------------------------------
+Fri Sep 08 14:16:20 UTC 2023 - david.mulder@suse.com
+
+- Update to version 0.0.4+git.42.d641c8b:
+ * Run cargo fmt and cargo clippy
+ * Implement DeviceAuthorizationGrant for MFA
+ * test: Initialize the pam_allow_groups with users
+ * Use new pam state machine in himmelblau
+ * Remove the non-functional device enrollment
+ * TODO: New details regarding MS auth cache
+ * daemon: Implement pam allow groups
+ * Code rearrangement
+
+-------------------------------------------------------------------
+Thu Aug 10 14:55:54 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.4+git.30.26c26e7:
+ * aad-tool: Disable enrollment by default
+ * provider: Fetch GECOS from old token on silent acquire
+ * msal: Add bindings for device auth flow
+ * Add debug for local user ignore
+ * provider: Only retry auth if we're sure group read was requested
+ * provider: Provide user token refresh
+ * provider: Cause unix_group_get to respond with BadRequest
+ * provider: Implement provider_authenticate
+
+-------------------------------------------------------------------
+Tue Aug 08 19:29:40 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.4+git.9.a7c5ac2:
+ * osc breaks with workspace errors using symlinks
+ * gp: Disable MDM policies by default
+
+-------------------------------------------------------------------
+Mon Aug 07 20:31:52 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.4+git.3.b500f1f:
+ * Update serde version
+ * Update version to 0.0.4
+ * Only build necessary bits of kanidm proto
+ * Add cache operations to daemon and aad-tool
+ * tests: Include local cache of rust deps
+ * cache: Use the kanidm cache backend
+
+-------------------------------------------------------------------
+Mon Jul 31 21:16:59 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.3+git.10.761b4d2:
+ * gp: Apply chromium policies
+ * gp: Implement Group Policy object listing
+ * test: Fix build test failure
+ * tests: Return the correct error code from tests
+ * test: Separate project build from docker build
+ * tests: Deploy config when testing
+
+-------------------------------------------------------------------
+Tue Jul 18 18:54:07 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.3+git.3.f0883b1:
+ * nss: Fix misaligned pointer dereference errors
+ * Fix code links
+
+-------------------------------------------------------------------
+Mon Jul 17 19:43:26 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.3+git.1.e6847eb:
+ * Revert "nss: Use kanidm nss code"
+ * Update lib versions to match package version
+ * Shallow clone kanidm for pam/nss
+ * tests: Fix tar recursion
+
+-------------------------------------------------------------------
+Fri Jul 14 17:23:46 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.2+git.22.1c3ce4b:
+ * Remove symlinks and just point to kanidm sources
+ * nss: Use kanidm nss code
+ * Add submodule commands to main Makefile
+ * pam: Use kanidm pam code, glue into himmelblau
+ * TODO: Only auth to configured domains
+
+-------------------------------------------------------------------
+Mon Jul 10 21:19:19 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.2+git.15.d42b114:
+ * aad-tool: Enroll via the daemon
+ * config: Add func for requesting configured socket path
+ * aad-tool: Improve enroll options
+
+-------------------------------------------------------------------
+Mon Jul 10 19:23:50 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.2+git.11.91df240:
+ * daemon: Add a systemd service
+ * daemon: Don't request group read scope if using Intune
+ * TODO: Mention the work needed for the cache
+ * README: Include homedir creation instructions
+ * daemon: If auth fails, indicate the user
+
+-------------------------------------------------------------------
+Fri Jul 07 16:18:10 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.2+git.6.de1afd6:
+ * test: Ensure invalid users aren't cached
+ * test: Skip getent group tests failing due to nss issue
+ * tests: Add nss tests
+ * tests: Test pam auth
+ * msal: Allow fetching auth url
+
+-------------------------------------------------------------------
+Wed Jun 28 16:55:26 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.2+git.0.5bfbedd:
+ * cache: Make the cache persistent
+ * TODO: Cannot fudge an initial nss request
+ * Use tracing for debug instead of log
+ * aad-tool: Fix some build warnings
+ * aad-tool: Add TODO comments regarding enrollment issues
+ * aad-tool: Always use interactive enrollment
+ * fix readme
+ * aad-tool: Save the device_id after enrollment
+ * aad-tool: Cannot enroll in Intune Portal directly
+ * aad-tool: Parse the enrollment response
+ * aad-tool: Add a enroll command for Azure AD device
+ * memcache: Only append existing group member if missing
+ * himmelblaud: Fix login when Intune errors on group read
+ * memcache: Create a memcache for user and group caching
+ * TODO: Group memberships
+ * TODO: NSS requests via GET reqs
+ * config: Include default for authority_host
+ * config: Specify constants for defaults
+ * Cleanup the build depencencies
+ * TODO: Fix the headings
+ * TODO: Add major reqs section
+ * Cause the odc provider to supply the authority_host
+ * TODO: Use tracing module
+ * Include offline logon in todo list
+ * Add a TODO list
+ * Discover the tenant_id in the same manner as Intune
+ * himmelblaud: Debug for unknown user/group
+ * himmelblaud: Fix failure to cache user
+ * himmelblaud: Pam Allowed and Sessions stubs
+ * himmelblaud: Implement NssGroupByGid and NssAccountByUid
+ * himmelblaud: Implement group lookups
+ * Include the gecos in the mem cache
+ * Use config for shell, homedir, uid range, tenant
+ * Improve Developer Readme
+ * config: Config should not default app_id
+ * Remove invalid comment
+ * himmelblaud: Return with failure without tenant_id
+ * config: Move the config to unix_common module
+ * himmelblaud: Make the socket path configurable
+ * himmelblaud: Use Intune portal when app_id unset
+
+-------------------------------------------------------------------
+Fri Jun 02 21:16:00 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.1+git.15.f9a024e:
+ * Generate unix uid/gid
+ * himmelblaud: Stubs for NssGroupByName and NssGroups
+ * himmelblaud: Fix auth failure error message
+ * himmelblaud: Open socket with permissions for users to read/write
+ * msal: Fix nssaccountbyname lookup
+ * himmelblaud: Improve logging
+ * Include systemd journal logging
+ * msal: Fix failure parsing user token dict
+ * Implement simple NssAccountByName
+ * Implement basic NssAccounts request
+ * pam: Fix unused variable warning
+ * himmelblaud: Rewrite the daemon in Rust
+ * msal: Add a simple rust binding to python msal
+ * Remove the python daemon in favor of Rust
+
+-------------------------------------------------------------------
+Fri May 26 20:48:17 UTC 2023 - dmulder@suse.com
+
+- Update to version 0.0.1+git.0.56eb9f0:
+ * himmelblaud: Implement nss lookups in the daemon
+ * himmelblaud: Allow anyone to r/w the socket
+ * himmelblaud: Implement simple nss getpwent name
+ * pam: Remove account allowed and being session impl
+ * unix_common: UID and GID need not match
+ * himmelblaud: Improve the debug output
+ * himmelblaud: Remove stdout debug since logging to journald
+ * himmelblaud: Log to the systemd journal
+ * nss: Add the nss module
+ * Improve directory structure
+
diff --git a/himmelblau.spec b/himmelblau.spec
new file mode 100644
index 0000000..bc69f48
--- /dev/null
+++ b/himmelblau.spec
@@ -0,0 +1,113 @@
+#
+# spec file for package himmelblau
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: himmelblau
+Version: 0.1.0+git.2.2391ac0
+Release: 0
+Summary: Interoperability suite for Microsoft Azure AD and Intune
+License: MPL-2.0
+URL: https://github.com/openSUSE/himmelblau
+Source: %{name}-%{version}.tar.bz2
+Source1: vendor.tar.zst
+Source2: cargo_config
+BuildRequires: cargo-packaging
+BuildRequires: libopenssl-devel
+BuildRequires: pam-devel
+BuildRequires: python3-devel >= 3.7
+BuildRequires: sqlite3-devel
+ExclusiveArch: %{rust_tier1_arches}
+Requires: python3-msal
+Recommends: nss-himmelblau
+Recommends: pam-himmelblau
+
+%description
+Himmelblau is an interoperability suite for Microsoft Azure AD and Intune, which allows users to sign into a Linux machine using Azure Active Directory credentials. It relies on the Microsoft Authentication Library to communicate with the Microsoft service.
+
+%package -n pam-himmelblau
+Summary: Azure AD authentication PAM module
+
+%description -n pam-himmelblau
+Himmelblau is an interoperability suite for Microsoft Azure AD and Intune, which allows users to sign into a Linux machine using Azure Active Directory credentials. It relies on the Microsoft Authentication Library to communicate with the Microsoft service.
+
+%package -n nss-himmelblau
+Summary: Azure AD authentication NSS module
+Requires(post): /sbin/ldconfig
+Requires(postun):/sbin/ldconfig
+
+%description -n nss-himmelblau
+Himmelblau is an interoperability suite for Microsoft Azure AD and Intune, which allows users to sign into a Linux machine using Azure Active Directory credentials. It relies on the Microsoft Authentication Library to communicate with the Microsoft service.
+
+%post -n nss-himmelblau -p /sbin/ldconfig
+%postun -n nss-himmelblau -p /sbin/ldconfig
+
+%prep
+%autosetup -a1
+install -D -m 644 %{SOURCE2} .cargo/config
+
+%build
+%{cargo_build}
+
+%install
+install -D -d -m 0755 %{buildroot}/%{_sysconfdir}/himmelblau
+cp src/config/himmelblau.conf.example %{buildroot}/%{_sysconfdir}/himmelblau/himmelblau.conf
+cp target/release/libnss_%{name}.so target/release/libnss_%{name}.so.2
+install -D -d -m 0755 %{buildroot}/%{_libdir}
+install -m 0755 target/release/libnss_%{name}.so.2 %{buildroot}/%{_libdir}
+install -D -d -m 0755 %{buildroot}/%{_pam_moduledir}
+install -m 0755 target/release/libpam_%{name}.so %{buildroot}/%{_pam_moduledir}/pam_%{name}.so
+install -D -d -m 0755 %{buildroot}%{_sbindir}
+install -m 0755 target/release/himmelblaud %{buildroot}/%{_sbindir}
+install -m 0755 target/release/himmelblaud_tasks %{buildroot}/%{_sbindir}
+install -D -d -m 0755 %{buildroot}%{_bindir}
+install -m 0755 target/release/aad-tool %{buildroot}/%{_bindir}
+install -D -d -m 0755 %{buildroot}%{_unitdir}
+install -m 0644 %{_builddir}/%{name}-%{version}/platform/opensuse/himmelblaud.service %{buildroot}%{_unitdir}/himmelblaud.service
+install -m 0644 %{_builddir}/%{name}-%{version}/platform/opensuse/himmelblaud-tasks.service %{buildroot}%{_unitdir}/himmelblaud-tasks.service
+
+%pre
+%service_add_pre himmelblaud.service
+%service_add_pre himmelblaud-tasks.service
+
+%post
+%service_add_post himmelblaud.service
+%service_add_post himmelblaud-tasks.service
+
+%preun
+%service_del_preun himmelblaud.service
+%service_del_preun himmelblaud-tasks.service
+
+%postun
+%service_del_postun himmelblaud.service
+%service_del_postun himmelblaud-tasks.service
+
+%files
+%dir %{_sysconfdir}/himmelblau
+%config %{_sysconfdir}/himmelblau/himmelblau.conf
+%{_sbindir}/himmelblaud
+%{_sbindir}/himmelblaud_tasks
+%{_bindir}/aad-tool
+%{_unitdir}/himmelblaud.service
+%{_unitdir}/himmelblaud-tasks.service
+
+%files -n nss-himmelblau
+%{_libdir}/libnss_%{name}.so.*
+
+%files -n pam-himmelblau
+%{_pam_moduledir}/pam_%{name}.so
+
+%changelog
diff --git a/vendor.tar.zst b/vendor.tar.zst
new file mode 100644
index 0000000..95599ef
--- /dev/null
+++ b/vendor.tar.zst
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f994ed4f483e200fc9eaddbc862577e4e5ef539f525bc0c1576687b5684588e0
+size 33203048
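Review bot: In `himmelblau.spec`, `%config %{_sysconfdir}/himmelblau/himmelblau.conf` under `%files` lacks `(noreplace)`, so a package update can replace an administrator's edited authentication configuration with the shipped example, keeping the edited copy only as `.rpmsave`. Since the file is installed from `himmelblau.conf.example`, the daemon would then run with example settings until someone notices; use `%config(noreplace) %{_sysconfdir}/himmelblau/himmelblau.conf`. In `%install` the same file is placed with a plain `cp`, so its mode follows the build umask; `install -m 0644 src/config/himmelblau.conf.example %{buildroot}%{_sysconfdir}/himmelblau/himmelblau.conf` makes it explicit. Separately, `pam-himmelblau` and `nss-himmelblau` declare no versioned dependency on the main package, so the modules can be installed without, or out of step with, the daemon they talk to.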