From f1f0e82c509310d169ed6f38889a7b32244154a9 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Fri, 8 May 2020 14:09:10 +0200
Subject: [PATCH] privacyidea: address reviews

---
 .../modules/services/security/privacyidea.nix | 45 ++++++-------------
 nixos/tests/privacyidea.nix | 2 +-
 .../flask-versioned/default.nix | 2 +-
 .../python-modules}/privacyidea/default.nix | 2 +
 .../privacyidea/ldap-proxy.nix | 4 ++
 pkgs/top-level/python-packages.nix | 4 +-
 6 files changed, 24 insertions(+), 35 deletions(-)
 rename pkgs/{servers => development/python-modules}/privacyidea/default.nix (97%)
 rename pkgs/{servers => development/python-modules}/privacyidea/ldap-proxy.nix (87%)

diff --git a/nixos/modules/services/security/privacyidea.nix b/nixos/modules/services/security/privacyidea.nix
index 49c03afdf8c..d6abfd0e271 100644
--- a/nixos/modules/services/security/privacyidea.nix
+++ b/nixos/modules/services/security/privacyidea.nix
@@ -40,7 +40,7 @@ let
 piCfgFile = pkgs.writeText "privacyidea.cfg" ''
 SUPERUSER_REALM = [ '${concatStringsSep "', '" cfg.superuserRealm}' ]
- SQLALCHEMY_DATABASE_URI = '${cfg.databaseURI}'
+ SQLALCHEMY_DATABASE_URI = 'postgresql:///privacyidea'
 SECRET_KEY = '${cfg.secretKey}'
 PI_PEPPER = '${cfg.pepper}'
 PI_ENCFILE = '${cfg.encFile}'
@@ -65,14 +65,6 @@ in
 '';
 };
- runDir = mkOption { type = types.str; default = "/run/privacyidea"; description = '' Directory where all PrivacyIDEA files will be placed by default. ''; };
-
 superuserRealm = mkOption {
 type = types.listOf types.str;
 default = [ "super" "administrators" ];
@@ -81,14 +73,6 @@ in
 '';
 };
- databaseURI = mkOption { type = types.str; default = "postgresql:///privacyidea"; description = '' Database as SQLAlchemy URI to use for PrivacyIDEA. ''; };
-
 secretKey = mkOption {
 type = types.str;
 example = "t0p s3cr3t";
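Review bot: The new hardcoded `SQLALCHEMY_DATABASE_URI` line sits in the same `pkgs.writeText "privacyidea.cfg"` file as `SECRET_KEY = '${cfg.secretKey}'` and `PI_PEPPER = '${cfg.pepper}'`, so those two secrets are still rendered into a store path at evaluation time, which on a standard Nix install is world-readable, even though this series moves the admin password out of the store. Giving them the same treatment as `adminPasswordFile` — `secretKeyFile`/`pepperFile` options whose contents are spliced into a config rendered under `${cfg.stateDir}` with restrictive permissions during `preStart`, or at minimum a warning in the `secretKey`/`pepper` descriptions that the values end up in the Nix store — would close that gap. Dropping `databaseURI` in favour of a fixed local socket URI is fine, but a `mkRemovedOptionModule` entry for `databaseURI`/`runDir` would give existing users a clearer error than the generic unknown-option message. The `let` binding that defines `piCfgFile` starts before this hunk.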
@@ -129,9 +113,9 @@ in
 '';
 };
- adminPassword = mkOption { type = types.str; description = "Password for the admin user";
+ adminPasswordFile = mkOption { type = types.path; description = "File containing password for the admin user";
 };
 adminEmail = mkOption {
@@ -199,7 +183,7 @@ in
 uwsgi = {
 plugins = [ "python3" ];
 pythonpath = "${penv}/${uwsgi.python3.sitePackages}";
- socket = "${cfg.runDir}/socket";
+ socket = "/run/privacyidea/socket";
 uid = cfg.user;
 gid = cfg.group;
 chmod-socket = 770;
@@ -209,7 +193,7 @@ in
 processes = 4;
 harakiri = 60;
 reload-mercy = 8;
- stats = "${cfg.runDir}/stats.socket";
+ stats = "/run/privacyidea/stats.socket";
 max-requests = 2000;
 limit-as = 1024;
 reload-on-as = 512;
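Review bot: `adminPasswordFile` is declared as `types.path`, which also accepts a Nix path literal such as `./admin-password`; a literal is copied into the Nix store at evaluation time, so a user following the obvious pattern would put the password back into the world-readable store that this change is meant to keep it out of. The description should say so explicitly, e.g. `description = "File containing the password for the admin user. Pass a string path such as \"/run/keys/privacyidea-admin\" rather than a Nix path literal, which would copy the secret into the Nix store.";`. It would also help to state who must be able to read the file: it is read by the root-owned `preStart` script (in a later hunk of this file), not by the `privacyidea` user. The option set this belongs to starts before the hunk.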
@@ -224,20 +208,19 @@ in
 path = with pkgs; [ openssl ];
 environment.PRIVACYIDEA_CONFIGFILE = piCfgFile;
 preStart = let
- pi-manage = "${pkgs.sudo}/bin/sudo -u privacyidea -H PRIVACYIDEA_CONFIGFILE=${piCfgFile} ${penv}/bin/pi-manage";
+ pi-manage = "${pkgs.sudo}/bin/sudo -u privacyidea -HE ${penv}/bin/pi-manage";
 pgsu = config.services.postgresql.superUser;
 psql = config.services.postgresql.package;
 in ''
- mkdir -p ${cfg.stateDir} ${cfg.runDir} chown ${cfg.user}:${cfg.group} -R ${cfg.stateDir} ${cfg.runDir} ln -sf ${piCfgFile} ${cfg.stateDir}/privacyidea.cfg
+ mkdir -p ${cfg.stateDir} /run/privacyidea chown ${cfg.user}:${cfg.group} -R ${cfg.stateDir} /run/privacyidea
 if ! test -e "${cfg.stateDir}/db-created"; then
 ${pkgs.sudo}/bin/sudo -u ${pgsu} ${psql}/bin/createuser --no-superuser --no-createdb --no-createrole ${cfg.user}
 ${pkgs.sudo}/bin/sudo -u ${pgsu} ${psql}/bin/createdb --owner ${cfg.user} privacyidea
 ${pi-manage} create_enckey
 ${pi-manage} create_audit_keys
 ${pi-manage} createdb
- ${pi-manage} admin add admin -e ${cfg.adminEmail} -p ${cfg.adminPassword}
+ ${pi-manage} admin add admin -e ${cfg.adminEmail} -p "$(cat ${cfg.adminPasswordFile})"
 ${pi-manage} db stamp head -d ${penv}/lib/privacyidea/migrations
 touch "${cfg.stateDir}/db-created"
 chmod g+r "${cfg.stateDir}/enckey" "${cfg.stateDir}/private.pem"
@@ -255,11 +238,11 @@ in
 };
 };
- users.extraUsers.privacyidea = mkIf (cfg.user == "privacyidea") {
+ users.users.privacyidea = mkIf (cfg.user == "privacyidea") {
 group = cfg.group;
 };
- users.extraGroups.privacyidea = mkIf (cfg.group == "privacyidea") {};
+ users.groups.privacyidea = mkIf (cfg.group == "privacyidea") {};
 })
 (mkIf cfg.ldap-proxy.enable {
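Review bot: The rewritten `pi-manage` wrapper still hardcodes `sudo -u privacyidea` while the adjacent `chown` and `createuser` lines use `${cfg.user}`, so with a non-default `cfg.user` the enckey, audit keys and database are created as a user that may not exist or cannot own the state directory; it should read `pi-manage = "${pkgs.sudo}/bin/sudo -u ${cfg.user} -HE ${penv}/bin/pi-manage";`. The new `-p "$(cat ${cfg.adminPasswordFile})"` moves the password out of the store but puts it on the command line of a sudo'd process, where it is visible in `/proc/<pid>/cmdline` to every local user for the duration of the call and is recorded in sudo's command logging; if `pi-manage admin add` can take the password from stdin or an environment variable that path is preferable, otherwise this exposure deserves a comment on the line. The path and email substitutions are unquoted — `-p "$(cat "${cfg.adminPasswordFile}")"` and `-e "${cfg.adminEmail}"` avoid word splitting. The `sudo -HE` change relies on `environment.PRIVACYIDEA_CONFIGFILE` two lines above being inherited, which is worth a short comment since the explicit `PRIVACYIDEA_CONFIGFILE=` assignment is gone. The `serviceConfig`/`preStart` definition continues outside the hunk.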
@@ -285,11 +268,11 @@ in
 };
 };
- users.extraUsers.pi-ldap-proxy = mkIf (cfg.ldap-proxy.user == "pi-ldap-proxy") {
+ users.users.pi-ldap-proxy = mkIf (cfg.ldap-proxy.user == "pi-ldap-proxy") {
 group = cfg.ldap-proxy.group;
 };
- users.extraGroups.pi-ldap-proxy = mkIf (cfg.ldap-proxy.group == "pi-ldap-proxy") {};
+ users.groups.pi-ldap-proxy = mkIf (cfg.ldap-proxy.group == "pi-ldap-proxy") {};
 })
 ];
diff --git a/nixos/tests/privacyidea.nix b/nixos/tests/privacyidea.nix
index fcca1937385..45c7cd37c24 100644
--- a/nixos/tests/privacyidea.nix
+++ b/nixos/tests/privacyidea.nix
@@ -14,7 +14,7 @@ import ./make-test-python.nix ({ pkgs, ...} : rec {
 enable = true;
 secretKey = "testing";
 pepper = "testing";
- adminPassword = "testing";
+ adminPasswordFile = pkgs.writeText "admin-password" "testing";
 adminEmail = "root@localhost";
 };
 services.nginx = {
diff --git a/pkgs/development/python-modules/flask-versioned/default.nix b/pkgs/development/python-modules/flask-versioned/default.nix
index c4e9f16bceb..3bd5ef98b32 100644
--- a/pkgs/development/python-modules/flask-versioned/default.nix
+++ b/pkgs/development/python-modules/flask-versioned/default.nix
@@ -15,7 +15,7 @@ buildPythonPackage rec {
 meta = with stdenv.lib; {
 description = "Flask plugin to rewrite file paths to add version info";
- homepage = https://github.com/pilt/flask-versioned;
+ homepage = "https://github.com/pilt/flask-versioned";
 license = licenses.bsd3;
 maintainers = with maintainers; [ globin ];
 };
diff --git a/pkgs/servers/privacyidea/default.nix b/pkgs/development/python-modules/privacyidea/default.nix
similarity index 97%
rename from pkgs/servers/privacyidea/default.nix
rename to pkgs/development/python-modules/privacyidea/default.nix
index af5451a9378..84cc4530b34 100644
--- a/pkgs/servers/privacyidea/default.nix
+++ b/pkgs/development/python-modules/privacyidea/default.nix
@@ -30,6 +30,8 @@ buildPythonPackage rec {
 # issues with hardware token tests
 doCheck = false;
+ pythonImportsCheck = [ "privacyidea" ];
+
 postPatch = ''
 substituteInPlace privacyidea/lib/resolvers/LDAPIdResolver.py --replace \
 "/etc/privacyidea/ldap-ca.crt" \
diff --git a/pkgs/servers/privacyidea/ldap-proxy.nix b/pkgs/development/python-modules/privacyidea/ldap-proxy.nix
similarity index 87%
rename from pkgs/servers/privacyidea/ldap-proxy.nix
rename to pkgs/development/python-modules/privacyidea/ldap-proxy.nix
index bf15acb294e..ec87186a4fd 100644
--- a/pkgs/servers/privacyidea/ldap-proxy.nix
+++ b/pkgs/development/python-modules/privacyidea/ldap-proxy.nix
@@ -12,8 +12,12 @@ buildPythonPackage rec {
 };
 propagatedBuildInputs = [ twisted ldaptor configobj ];
+
+ # python 2 zope.interface test import path issues
 doCheck = false;
+ pythonImportsCheck = [ "pi_ldapproxy" ];
+
 meta = with lib; {
 description = "LDAP Proxy to intercept LDAP binds and authenticate against privacyIDEA";
 homepage = "https://github.com/privacyidea/privacyidea-ldap-proxy";
diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix
index 7b246c6ce0a..4768f3ebb1b 100644
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@@ -3197,8 +3197,8 @@ in {
 priority = callPackage ../development/python-modules/priority { };
- privacyidea = callPackage ../servers/privacyidea { };
- privacyidea-ldap-proxy = callPackage ../servers/privacyidea/ldap-proxy.nix { };
+ privacyidea = callPackage ../development/python-modules/privacyidea { };
+ privacyidea-ldap-proxy = callPackage ../development/python-modules/privacyidea/ldap-proxy.nix { };
 prov = callPackage ../development/python-modules/prov { };