connect

2025-12-24 01:43:11 +01:00 · 2024-10-23 16:49:02 -04:00
parent 4611ef3713
commit 5e6dd2e8b3
10 changed files with 114 additions and 3 deletions
--- a/salt/manager/sync_es_users.sls
+++ b/salt/manager/sync_es_users.sls
@@ -16,6 +16,7 @@ sync_es_users:
      - /opt/so/saltstack/local/salt/elasticsearch/files/users
      - /opt/so/saltstack/local/salt/elasticsearch/files/users_roles
      - /opt/so/conf/soc/soc_users_roles
+      - /opt/so/conf/soc/soc_client_roles
    - show_changes: False
    - require:
      - docker_container: so-kratos
--- a/salt/manager/tools/sbin/so-user
+++ b/salt/manager/tools/sbin/so-user
@@ -136,6 +136,7 @@ bcryptRounds=${BCRYPT_ROUNDS:-12}
 elasticUsersFile=${ELASTIC_USERS_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users}
 elasticRolesFile=${ELASTIC_ROLES_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users_roles}
 socRolesFile=${SOC_ROLES_FILE:-/opt/so/conf/soc/soc_users_roles}
+clientRolesFile=${SOC_ROLES_FILE:-/opt/so/conf/soc/soc_client_roles}
 esUID=${ELASTIC_UID:-930}
 esGID=${ELASTIC_GID:-930}
 soUID=${SOCORE_UID:-939}
@@ -282,6 +283,18 @@ function ensureRoleFileExists() {
    fi
    mv "${rolesTmpFile}" "${socRolesFile}"
  fi
+
+  if [[ ! -f "$clientRolesFile" || ! -s "$clientRolesFile" ]]; then
+    # Generate the new client roles file
+    rolesTmpFile="${clientRolesFile}.tmp"
+    createFile "$rolesTmpFile" "$soUID" "$soGID"
+
+    if [[ -d "$clientRolesFile" ]]; then
+      echo "Removing invalid roles directory created by Docker"
+      rm -fr "$clientRolesFile"
+    fi
+    mv "${rolesTmpFile}" "${clientRolesFile}"
+  fi
 }

 function syncElasticSystemUser() {
@@ -374,6 +387,9 @@ function syncElastic() {
      [[ $? != 0 ]] && fail "Unable to read role identities from database"
    done < "$socRolesFile"

+    # Append the client roles
+    cat "$clientRolesFile" >> "$rolesTmpFile"
+
  else
    echo "Database file or soc roles file does not exist yet, skipping users export"
  fi
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -726,12 +726,17 @@ add_hydra_pillars() {
  chmod 660 /opt/so/saltstack/local/pillar/hydra/soc_hydra.sls
  touch /opt/so/saltstack/local/pillar/hydra/adv_hydra.sls
  HYDRAKEY=$(get_random_value)
+  HYDRASALT=$(get_random_value)
 	printf '%s\n'\
 		"hydra:"\
 		"  config:"\
 		"    secrets:"\
 		"      system:"\
 		"        - '$HYDRAKEY'"\
+    "    oidc:"\
+    "        subject_identifiers:"\
+    "            pairwise:"\
+    "                salt: '$HYDRASALT'"\
 		"" > /opt/so/saltstack/local/pillar/hydra/soc_hydra.sls
 }