fix(ntfy/patch): use upstreamed HashedPassword

2025-06-06 15:30:35 +02:00 · 2025-06-06 15:30:35 +02:00 · 43243b07c5
commit 43243b07c5
parent 125c59b7f8
5 changed files with 9 additions and 133 deletions
--- a/REUSE.toml
+++ b/REUSE.toml
@ -41,12 +41,6 @@ SPDX-License-Identifier = "EUPL-1.2"
 path = ["modules/nixos/extranix/0001-revert-don-t-parse-md-in-js.patch", "modules/nixos/extranix/0002-chore-remove-useless-dependencies.patch", "modules/nixos/extranix/0003-feat-separate-HTML-description-of-MD-description.patch", "modules/nixos/extranix/0004-fix-indentation-of-ul.patch", "modules/nixos/extranix/0005-feat-match-all-substring-by-default.patch", "patches/nixpkgs/02-action-validator.patch", "machines/nixos/vault01/k-radius/packages/04-request-dgsi-vlan.patch"]
 precedence = "closest"

-[[annotations]]
-SPDX-FileCopyrightText = "2025 Lubin Bailly <lubin.bailly@dgnum.eu>"
-SPDX-License-Identifier = "EUPL-1.2"
-path = ["machines/nixos/web01/ntfy-sh/hash-mgmt.patch"]
-precedence = "closest"
-
 [[annotations]]
 SPDX-FileCopyrightText = ["2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>", "2025 Lubin Bailly <lubin.bailly@dgnum.eu>"]
 SPDX-License-Identifier = "EUPL-1.2"
--- a/default.nix
+++ b/default.nix
@ -151,12 +151,6 @@ let
        ];
        copyright = "2024 Lubin Bailly <lubin.bailly@dgnum.eu>";
      }
-      {
-        path = [
-          "machines/nixos/web01/ntfy-sh/hash-mgmt.patch"
-        ];
-        copyright = "2025 Lubin Bailly <lubin.bailly@dgnum.eu>";
-      }
      {
        path = [
          "patches/nixpkgs/09-rename-autocreate-to-verify_bucket_exists.patch"
--- a/machines/nixos/web01/ntfy-sh/default.nix
+++ b/machines/nixos/web01/ntfy-sh/default.nix
@ -32,7 +32,11 @@ in
  nixpkgs.overlays = [
    (_: super: {
      ntfy-sh = super.ntfy-sh.overrideAttrs (o: {
-        patches = o.patches or [ ] ++ [ ./hash-mgmt.patch ];
+        patches = o.patches or [ ] ++ [
+          (super.fetchurl {
+            url = "https://github.com/binwiederhier/ntfy/pull/1340.patch";
+          })
+        ];
      });
    })
  ];
--- a/machines/nixos/web01/ntfy-sh/hash-mgmt.patch
+++ b/machines/nixos/web01/ntfy-sh/hash-mgmt.patch
@ -1,109 +0,0 @@
-From a14edcbb0f746baecd983c2bea06248ddeffe1d2 Mon Sep 17 00:00:00 2001
-From: catvayor <catvayor@katvayor.net>
-Date: Fri, 16 May 2025 18:18:19 +0200
-Subject: [PATCH] feat(auth): allow to manage hashed password directly
-
---
- cmd/user.go     | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
- user/manager.go | 13 +++++++++----
- 2 files changed, 57 insertions(+), 4 deletions(-)
-
-diff --git a/cmd/user.go b/cmd/user.go
-index af3afe54..8618fdc0 100644
--- a/cmd/user.go
-+++ b/cmd/user.go
-@@ -93,6 +93,26 @@ Example:
- You may set the NTFY_PASSWORD environment variable to pass the new password. This is 
- useful if you are updating users via scripts.
- 
-+`,
-+		},
-+		{
-+			Name:      "change-pass-hash",
-+			Aliases:   []string{"chph"},
-+			Usage:     "Changes a user's password hash",
-+			UsageText: "ntfy user change-pass USERNAME\nNTFY_PASSWORD=... ntfy user change-pass USERNAME",
-+			Action:    execUserChangePassHashed,
-+			Description: `Change the password hash for the given user.
-+
-+The new password hash will be read from STDIN, and it'll be confirmed by typing
-+it twice.
-+
-+Example:
-+  ntfy user change-pass phil
-+  NTFY_PASSWORD=.. ntfy user change-pass phil
-+
-+You may set the NTFY_PASSWORD environment variable to pass the new password hash. This is
-+useful if you are updating users via scripts.
-+
- `,
- 		},
- 		{
-@@ -256,6 +276,34 @@ func execUserChangePass(c *cli.Context) error {
- 	return nil
- }
- 
-+func execUserChangePassHashed(c *cli.Context) error {
-+	username := c.Args().Get(0)
-+	password := os.Getenv("NTFY_PASSWORD")
-+	if username == "" {
-+		return errors.New("username expected, type 'ntfy user change-pass --help' for help")
-+	} else if username == userEveryone || username == user.Everyone {
-+		return errors.New("username not allowed")
-+	}
-+	manager, err := createUserManager(c)
-+	if err != nil {
-+		return err
-+	}
-+	if _, err := manager.User(username); err == user.ErrUserNotFound {
-+		return fmt.Errorf("user %s does not exist", username)
-+	}
-+	if password == "" {
-+		password, err = readPasswordAndConfirm(c)
-+		if err != nil {
-+			return err
-+		}
-+	}
-+	if err := manager.ChangePasswordHashed(username, []byte(password)); err != nil {
-+		return err
-+	}
-+	fmt.Fprintf(c.App.ErrWriter, "changed password for user %s\n", username)
-+	return nil
-+}
-+
- func execUserChangeRole(c *cli.Context) error {
- 	username := c.Args().Get(0)
- 	role := user.Role(c.Args().Get(1))
-diff --git a/user/manager.go b/user/manager.go
-index 9f54625f..19f7be40 100644
--- a/user/manager.go
-+++ b/user/manager.go
-@@ -1191,16 +1191,21 @@ func (a *Manager) ReservationOwner(topic string) (string, error) {
- 	return ownerUserID, nil
- }
- 
-+// ChangePassword changes a user's password
-+func (a *Manager) ChangePasswordHashed(username string, hash []byte) error {
-+	if _, err := a.db.Exec(updateUserPassQuery, hash, username); err != nil {
-+		return err
-+	}
-+	return nil
-+}
-+
- // ChangePassword changes a user's password
- func (a *Manager) ChangePassword(username, password string) error {
- 	hash, err := bcrypt.GenerateFromPassword([]byte(password), a.bcryptCost)
- 	if err != nil {
- 		return err
- 	}
-	if _, err := a.db.Exec(updateUserPassQuery, hash, username); err != nil {
-		return err
-	}
-	return nil
-+	return a.ChangePasswordHashed(username, hash)
- }
- 
- // ChangeRole changes a user's role. When a role is changed from RoleUser to RoleAdmin,
-- 
-2.49.0
-
--- a/modules/nixos/ntfy-sh/ntfy-acl.py
+++ b/modules/nixos/ntfy-sh/ntfy-acl.py
@ -17,27 +17,20 @@ def create_user(u: str, role: str, passwordFile: str, hashedPassword: str):
    if passwordFile != None:
        with open(passwordFile) as pwd_fp:
            env = {"NTFY_PASSWORD": pwd_fp.read().strip()}
-
-        ntfy("user", "add", f"--role={role}", u, env=env)
    else:
-        env = {"NTFY_PASSWORD": hashedPassword}
+        env = {"NTFY_PASSWORD_HASH": hashedPassword}

-        ntfy("user", "add", f"--role={role}", u, env=env)
-        # HACK: add does not supports hashedPassword entry
-        ntfy("user", "change-pass-hash", u, env=env)
+    ntfy("user", "add", f"--role={role}", u, env=env)

 def update_user(u: str, role: str, passwordFile: str, hashedPassword: str):
    # Update the user with the required role and password
    if passwordFile != None:
        with open(passwordFile) as pwd_fp:
            env = {"NTFY_PASSWORD": pwd_fp.read().strip()}
-
-        ntfy("user", "change-pass", u, env=env)
    else:
-        env = {"NTFY_PASSWORD": hashedPassword}
-
-        ntfy("user", "change-pass-hash", u, env=env)
+        env = {"NTFY_PASSWORD_HASH": hashedPassword}

+    ntfy("user", "change-pass", u, env=env)
    ntfy("user", "change-role", u, role)