feat: add group configuration (+)
will only check users of such group also cleaned some code: - Input doesn't need to be UTF-8 valid. - Main fuction is dead-simple, very readable. - Added some modularity. - Add some docs on behavior details.
This commit is contained in:
@@ -12,12 +12,18 @@ This is being worked on, refer to the test configuration at [`tests/nixos/config
|
||||
|
||||
Module can be easily configured with PAM arguments, for the sake of completeness refer to the source code.
|
||||
|
||||
You can `cargo doc` to find the documentation for this at `keycloak_pam > Args`.
|
||||
You can `cargo doc` to find the documentation for this at `keycloak_pam > args > Args`.
|
||||
|
||||
# Restrictions
|
||||
# Restrictions and Guarantees
|
||||
|
||||
With the purpose of being tiny and minimal, the module uses libcurl for the few requests it makes, so HTTP/S and all networking behavior is offloaded to it.
|
||||
|
||||
This is also made in rust, which means default `String` and `&str` are guaranteed to be UTF-8 encoded and invalid UTF-8 input might fail. I did try to use OS and C strings for all input, but I recommend still avoiding non-UTF8 input.
|
||||
|
||||
The code should **NEVER** panic (aside from memory management issues), no `unwrap`, `expect` or such methods should ever be used, slice indexing is avoided and errors are gracefully managed.
|
||||
|
||||
To check the group, keycloak-pam uses libc's `getgrnam_r`, this takes a buffer we hardcoded to 4 KiB, if there happens to be a group bigger than this, keycloak-pam won't be able to handle and will fail explaining this.
|
||||
|
||||
# Behavior
|
||||
|
||||
To authenticate users, the module uses the endpoint `{BASE_URL}/realms/{realm}/protocol/openid-connect/token` as a configured client. This needs a client ID and its secret that you need to get and configure per realm.
|
||||
|
||||
Reference in New Issue
Block a user