feat: add group configuration (+)

will only check users of such group

also cleaned some code:
- Input doesn't need to be UTF-8 valid.
- Main fuction is dead-simple, very readable.
- Added some modularity.
- Add some docs on behavior details.
This commit is contained in:
2026-05-09 19:40:00 +02:00
parent d2a2baebc8
commit 0f736b1fc4
11 changed files with 224 additions and 81 deletions
+8 -2
View File
@@ -12,12 +12,18 @@ This is being worked on, refer to the test configuration at [`tests/nixos/config
Module can be easily configured with PAM arguments, for the sake of completeness refer to the source code.
You can `cargo doc` to find the documentation for this at `keycloak_pam > Args`.
You can `cargo doc` to find the documentation for this at `keycloak_pam > args > Args`.
# Restrictions
# Restrictions and Guarantees
With the purpose of being tiny and minimal, the module uses libcurl for the few requests it makes, so HTTP/S and all networking behavior is offloaded to it.
This is also made in rust, which means default `String` and `&str` are guaranteed to be UTF-8 encoded and invalid UTF-8 input might fail. I did try to use OS and C strings for all input, but I recommend still avoiding non-UTF8 input.
The code should **NEVER** panic (aside from memory management issues), no `unwrap`, `expect` or such methods should ever be used, slice indexing is avoided and errors are gracefully managed.
To check the group, keycloak-pam uses libc's `getgrnam_r`, this takes a buffer we hardcoded to 4 KiB, if there happens to be a group bigger than this, keycloak-pam won't be able to handle and will fail explaining this.
# Behavior
To authenticate users, the module uses the endpoint `{BASE_URL}/realms/{realm}/protocol/openid-connect/token` as a configured client. This needs a client ID and its secret that you need to get and configure per realm.