feat(vault01/radius): ask dgsi for vlan id

machines/nixos/vault01/k-radius/default.nix

@@ -39,17 +39,11 @@
       # before they can authenticate via RADIUS.
       radius_required_groups = [ "radius_access@sso.dgnum.eu" ];
 
-      # A mapping between Kanidm groups and VLANS
-      radius_groups = map (
-        { vlan, ... }:
-        {
-          inherit vlan;
-          spn = "vlan_${toString vlan}@sso.dgnum.eu";
-        }
-      ) config.networking.vlans-info;
+      dgsi_endpoint = "https://profil.dgnum.eu/api/user/";
     };
 
     authTokenFile = config.age.secrets."radius-auth_token_file".path;
+    dgsiTokenFile = config.age.secrets."radius-dgsi_token_file".path;
   };
 
   age-secrets.autoMatch = [ "radius" ];

machines/nixos/vault01/k-radius/module.nix

@@ -75,6 +75,11 @@ in
       description = "File to the auth token for the service account.";
     };
 
+    dgsiTokenFile = mkOption {
+      type = path;
+      description = "File to the token for DGSI.";
+    };
+
     extra-mods = mkOption {
       type = attrsOf path;
       default = { };
@@ -188,6 +193,7 @@ in
         # Copy the kanidm configuration
         cat <<EOF > /var/lib/radius/kanidm.toml
         auth_token = "$(cat "${cfg.authTokenFile}")"
+        dgsi_token = "$(cat "${cfg.dgsiTokenFile}")"
         EOF
 
         cat ${settingsFormat.generate "kanidm.toml" cfg.settings} >> /var/lib/radius/kanidm.toml

machines/nixos/vault01/k-radius/packages/02-remove-noisy-logs.patch

@@ -1,16 +0,0 @@
-diff --git a/kanidm/radius/utils.py b/kanidm/radius/utils.py
-index cbd3fe1f0..41fbd05c4 100644
---- a/kanidm/radius/utils.py
-+++ b/kanidm/radius/utils.py
-@@ -25,11 +25,6 @@ def check_vlan(
-             raise ValueError("Need to pass this a kanidm_client")
- 
-     for radius_group in kanidm_client.config.radius_groups:
--        logging.debug(
--            "Checking vlan group '%s' against user group %s",
--            radius_group.spn,
--            group.spn,
--        )
-         if radius_group.spn == group.spn:
-             logging.info("returning new vlan: %s", radius_group.vlan)
-             return radius_group.vlan

machines/nixos/vault01/k-radius/packages/04-request-dgsi-vlan.patch

@@ -0,0 +1,89 @@
+diff --git a/pykanidm/kanidm/radius/__init__.py b/pykanidm/kanidm/radius/__init__.py
+index e707cf602..167d8e006 100644
+--- a/kanidm/radius/__init__.py
++++ b/kanidm/radius/__init__.py
+@@ -8,6 +8,7 @@ import logging
+ import os
+ from pathlib import Path
+ import sys
++import requests
+ from typing import Any, Dict, Optional, Union
+ 
+ from kanidm.exceptions import NoMatchingEntries
+@@ -15,7 +16,6 @@ from kanidm.types import AuthState, RadiusTokenResponse
+ 
+ from .. import KanidmClient
+ from . import radiusd
+-from .utils import check_vlan
+ 
+ CONTAINER_CONFIG_FILE_PATH = "/data/radius.toml"
+ 
+@@ -147,13 +147,15 @@ def authorize(
+         logging.info("User %s doesn't have a group from the required list.", name)
+         return radiusd.RLM_MODULE_REJECT
+ 
+-    # look up them in config for group vlan if possible.
+-    # TODO: work out the typing on this, WTF.
+-    uservlan: int = reduce(
+-        check_vlan,
+-        tok.groups,
+-        kanidm_client.config.radius_default_vlan,
+-    )
++    dgsi_info = requests.get(kanidm_client.config.dgsi_endpoint + "/" + name, headers={
++            "Authorization": "Token " + kanidm_client.config.dgsi_token
++        })
++    if dgsi_info.status != 200:
++        logging.error("dgsi: error getting vlan of %s : %s.", name, dgsi_info.status)
++        return radiusd.RLM_MODULE_FAIL
++
++    uservlan: int = dgsi_info.json().get("vlan_id", default=kanidm_client.config.radius_default_vlan);
++
+     if uservlan == int(0):
+         logging.info("Invalid uservlan of 0")
+ 
+diff --git a/pykanidm/kanidm/radius/utils.py b/pykanidm/kanidm/radius/utils.py
+deleted file mode 100644
+index cbd3fe1f0..000000000
+--- a/kanidm/radius/utils.py
++++ /dev/null
+@@ -1,37 +0,0 @@
+-""" class utils """
+-
+-from typing import Optional
+-import logging
+-import os
+-
+-from .. import KanidmClient
+-from ..types import RadiusTokenGroup
+-
+-
+-def check_vlan(
+-    acc: int,
+-    group: RadiusTokenGroup,
+-    kanidm_client: Optional[KanidmClient] = None,
+-) -> int:
+-    """checks if a vlan is in the config,
+-
+-    acc is the default vlan
+-    """
+-    logging.debug("acc=%s", acc)
+-    if kanidm_client is None:
+-        if "KANIDM_CONFIG_FILE" in os.environ:
+-            kanidm_client = KanidmClient(config_file=os.environ["KANIDM_CONFIG_FILE"])
+-        else:
+-            raise ValueError("Need to pass this a kanidm_client")
+-
+-    for radius_group in kanidm_client.config.radius_groups:
+-        logging.debug(
+-            "Checking vlan group '%s' against user group %s",
+-            radius_group.spn,
+-            group.spn,
+-        )
+-        if radius_group.spn == group.spn:
+-            logging.info("returning new vlan: %s", radius_group.vlan)
+-            return radius_group.vlan
+-    logging.debug("returning already set vlan: %s", acc)
+-    return acc
+-- 
+2.48.1
+

machines/nixos/vault01/k-radius/packages/pykanidm.nix

@@ -18,8 +18,8 @@ buildPythonPackage {
   pyproject = true;
 
   patches = [
-    ./02-remove-noisy-logs.patch
     ./03-set-log-level.patch
+    ./04-request-dgsi-vlan.patch
   ];
 
   sourceRoot = "source/pykanidm";

machines/nixos/vault01/k-radius/packages/rlm_python.nix

@@ -11,7 +11,10 @@
 }:
 
 let
-  pythonPath = python3.pkgs.makePythonPath [ pykanidm ];
+  pythonPath = python3.pkgs.makePythonPath [
+    pykanidm
+    python3.pkgs.requests
+  ];
 in
 
 stdenv.mkDerivation rec {

machines/nixos/vault01/secrets/secrets.nix

@@ -7,6 +7,7 @@
   [
     # List of secrets for vault01
     "radius-auth_token_file"
+    "radius-dgsi_token_file"
     "radius-ca_pem_file"
     "radius-cert_pem_file"
     "radius-dh_pem_file"