From d149c4e323afa0cf8154aeece55172f24ce15e24 Mon Sep 17 00:00:00 2001
From: catvayor
Date: Wed, 12 Mar 2025 14:48:23 +0100
Subject: [PATCH] feat(vault01/radius): ask dgsi for vlan id
---
 REUSE.toml | 4 +-
 default.nix | 2 +-
 machines/nixos/vault01/k-radius/default.nix | 13 ++----
 machines/nixos/vault01/k-radius/module.nix | 11 +++++
 .../packages/02-remove-noisy-logs.patch | 16 -------
 .../packages/02-request-dgsi-vlan.patch | 44 +++++++++++++++++++
 .../vault01/k-radius/packages/pykanidm.nix | 2 +-
 7 files changed, 63 insertions(+), 29 deletions(-)
 delete mode 100644 machines/nixos/vault01/k-radius/packages/02-remove-noisy-logs.patch
 create mode 100644 machines/nixos/vault01/k-radius/packages/02-request-dgsi-vlan.patch
diff --git a/REUSE.toml b/REUSE.toml
index 142ad9f..4f80856 100644
--- a/REUSE.toml
+++ b/REUSE.toml
@@ -20,7 +20,7 @@ precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "2024 Tom Hubrecht "
SPDX-License-Identifier = "EUPL-1.2"
-path = ["machines/nixos/compute01/ds-fr/01-smtp-tls.patch", "machines/nixos/compute01/librenms/kanidm.patch", "machines/nixos/compute01/stirling-pdf/*.patch", "machines/nixos/vault01/k-radius/packages/01-python_path.patch", "machines/nixos/vault01/k-radius/packages/02-remove-noisy-logs.patch", "machines/nixos/web01/crabfit/*.patch", "machines/nixos/web02/cas-eleves/01-pytest-cas.patch", "patches/lix/01-disable-installChecks.patch", "patches/nixpkgs/01-pretalx-environment-file.patch", "patches/nixpkgs/03-crabfit-karla.patch", "patches/nixpkgs/05-netbird-relay.patch"]
+path = ["machines/nixos/compute01/ds-fr/01-smtp-tls.patch", "machines/nixos/compute01/librenms/kanidm.patch", "machines/nixos/compute01/stirling-pdf/*.patch", "machines/nixos/vault01/k-radius/packages/01-python_path.patch", "machines/nixos/web01/crabfit/*.patch", "machines/nixos/web02/cas-eleves/01-pytest-cas.patch", "patches/lix/01-disable-installChecks.patch", "patches/nixpkgs/01-pretalx-environment-file.patch", "patches/nixpkgs/03-crabfit-karla.patch", "patches/nixpkgs/05-netbird-relay.patch"]
precedence = "closest"
[[annotations]]
@@ -38,7 +38,7 @@ precedence = "closest"
[[annotations]]
SPDX-FileCopyrightText = "2024 Lubin Bailly "
SPDX-License-Identifier = "EUPL-1.2"
-path = ["modules/nixos/extranix/0001-revert-don-t-parse-md-in-js.patch", "modules/nixos/extranix/0002-chore-remove-useless-dependencies.patch", "modules/nixos/extranix/0003-feat-separate-HTML-description-of-MD-description.patch", "modules/nixos/extranix/0004-fix-indentation-of-ul.patch", "modules/nixos/extranix/0005-feat-match-all-substring-by-default.patch"]
+path = ["modules/nixos/extranix/0001-revert-don-t-parse-md-in-js.patch", "modules/nixos/extranix/0002-chore-remove-useless-dependencies.patch", "modules/nixos/extranix/0003-feat-separate-HTML-description-of-MD-description.patch", "modules/nixos/extranix/0004-fix-indentation-of-ul.patch", "modules/nixos/extranix/0005-feat-match-all-substring-by-default.patch", "machines/nixos/vault01/k-radius/packages/02-request-dgsi-vlan.patch"]
precedence = "closest"
[[annotations]]
diff --git a/default.nix b/default.nix
index 8ac629e..8893889 100644
--- a/default.nix
+++ b/default.nix
@@ -96,7 +96,6 @@ let
"machines/nixos/compute01/librenms/kanidm.patch"
"machines/nixos/compute01/stirling-pdf/*.patch"
"machines/nixos/vault01/k-radius/packages/01-python_path.patch"
- "machines/nixos/vault01/k-radius/packages/02-remove-noisy-logs.patch"
"machines/nixos/web01/crabfit/*.patch"
"machines/nixos/web02/cas-eleves/01-pytest-cas.patch"
"patches/lix/01-disable-installChecks.patch"
@@ -127,6 +126,7 @@ let
"modules/nixos/extranix/0003-feat-separate-HTML-description-of-MD-description.patch"
"modules/nixos/extranix/0004-fix-indentation-of-ul.patch"
"modules/nixos/extranix/0005-feat-match-all-substring-by-default.patch"
+ "machines/nixos/vault01/k-radius/packages/02-request-dgsi-vlan.patch"
];
copyright = "2024 Lubin Bailly ";
}
diff --git a/machines/nixos/vault01/k-radius/default.nix b/machines/nixos/vault01/k-radius/default.nix
index 0c27125..47dee56 100644
--- a/machines/nixos/vault01/k-radius/default.nix
+++ b/machines/nixos/vault01/k-radius/default.nix
@@ -2,7 +2,7 @@
#
# SPDX-License-Identifier: EUPL-1.2
-{ config, ... }:
+{ config, pkgs, ... }:
{
imports = [ ./module.nix ];
@@ -39,17 +39,12 @@
# before they can authenticate via RADIUS.
radius_required_groups = [ "radius_access@sso.dgnum.eu" ];
- # A mapping between Kanidm groups and VLANS
- radius_groups = map (
- { vlan, ... }:
- {
- inherit vlan;
- spn = "vlan_${toString vlan}@sso.dgnum.eu";
- }
- ) config.networking.vlans-info;
+ dgsi_endpoint = "https://dgsi.dgnum.eu/isp/vlan";
};
authTokenFile = config.age.secrets."radius-auth_token_file".path;
+ dgsi_username = pkgs.writeText "username" "ISP - unsecure";
+ dgsi_password = pkgs.writeText "password" "ISP - unsecure";
};
age-secrets.autoMatch = [ "radius" ];
diff --git a/machines/nixos/vault01/k-radius/module.nix b/machines/nixos/vault01/k-radius/module.nix
index bf4ddfa..276102b 100644
--- a/machines/nixos/vault01/k-radius/module.nix
+++ b/machines/nixos/vault01/k-radius/module.nix
@@ -75,6 +75,16 @@ in
description = "File to the auth token for the service account.";
};
+ dgsi_username = mkOption {
+ type = path;
+ description = "File to the username for DGSI.";
+ };
+
+ dgsi_password = mkOption {
+ type = path;
+ description = "File to the password for DGSI.";
+ };
+
extra-mods = mkOption {
type = attrsOf path;
default = { };
@@ -188,6 +198,7 @@ in
# Copy the kanidm configuration
cat < /var/lib/radius/kanidm.toml
auth_token = "$(cat "${cfg.authTokenFile}")"
+ dgsi_token = "$(echo -n "$(cat "${cfg.dgsi_username}"):$(cat "${cfg.dgsi_password}")" | base64)"
EOF
cat ${settingsFormat.generate "kanidm.toml" cfg.settings} >> /var/lib/radius/kanidm.toml
diff --git a/machines/nixos/vault01/k-radius/packages/02-remove-noisy-logs.patch b/machines/nixos/vault01/k-radius/packages/02-remove-noisy-logs.patch
deleted file mode 100644
index b542afb..0000000
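Review bot: `dgsi_username` and `dgsi_password` are produced with `pkgs.writeText`, which writes the literal credentials into the world-readable Nix store and, through this file, into the repository, while the `authTokenFile` line just above already takes its secret from `config.age.secrets`. Whatever the privilege level of this DGSI account, any local user on the host can then read the credential and query the per-user VLAN endpoint with it, so both options should point at age-managed files instead, e.g. `dgsi_username = config.age.secrets."<radius-dgsi-username secret>".path;` (placeholder name; `age-secrets.autoMatch = [ "radius" ]` at the end of the hunk suggests a secret whose name starts with `radius` would be picked up, though that depends on the autoMatch implementation not shown here). Since the two module.nix options added in this commit are typed `path`, which accepts store paths, their descriptions could also state the constraint, e.g. `description = "Path to a file outside the Nix store containing the DGSI username.";`.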
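Review bot: The new `dgsi_token` line pipes `username:password` through bare `base64`, which on GNU coreutils wraps its output at 76 characters, so a pair longer than 57 bytes (not the current placeholder values, but plausible once real credentials are used) becomes a multi-line value that breaks both the TOML string and the `Authorization: Basic` header later built from it; use `| base64 -w0`. `$(cat …)` strips trailing newlines but nothing else, so a secret file holding a trailing space or CRLF would be encoded verbatim and silently yield a wrong credential; a comment on the line such as `# username:password, base64-encoded for HTTP Basic auth; the secret files must hold the bare value` would make that contract explicit. The shell script this heredoc belongs to begins before and continues past the hunk.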
--- a/machines/nixos/vault01/k-radius/packages/02-remove-noisy-logs.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff --git a/kanidm/radius/utils.py b/kanidm/radius/utils.py
-index cbd3fe1f0..41fbd05c4 100644
---- a/kanidm/radius/utils.py
-+++ b/kanidm/radius/utils.py
-@@ -25,11 +25,6 @@ def check_vlan(
- raise ValueError("Need to pass this a kanidm_client")
-
- for radius_group in kanidm_client.config.radius_groups:
-- logging.debug(
-- "Checking vlan group '%s' against user group %s",
-- radius_group.spn,
-- group.spn,
-- )
- if radius_group.spn == group.spn:
- logging.info("returning new vlan: %s", radius_group.vlan)
- return radius_group.vlan
diff --git a/machines/nixos/vault01/k-radius/packages/02-request-dgsi-vlan.patch b/machines/nixos/vault01/k-radius/packages/02-request-dgsi-vlan.patch
new file mode 100644
index 0000000..5b76e75
--- /dev/null
+++ b/machines/nixos/vault01/k-radius/packages/02-request-dgsi-vlan.patch
@@ -0,0 +1,44 @@
+diff --git a/kanidm/radius/__init__.py b/kanidm/radius/__init__.py
+index b44a6ff50..60c7efe7c 100644
+--- a/kanidm/radius/__init__.py
++++ b/kanidm/radius/__init__.py
+@@ -1,12 +1,14 @@
+ """ kanidm RADIUS module """
+ import asyncio
+ from aiohttp.client_exceptions import ClientConnectorError
++import base64
+ from functools import reduce
+ import json
+ import logging
+ import os
+ from pathlib import Path
+ import sys
++import requests
+ from typing import Any, Dict, Optional, Union
+
+ from kanidm.exceptions import NoMatchingEntries
+@@ -146,13 +148,14 @@ def authorize(
+ logging.info("User %s doesn't have a group from the required list.", name)
+ return radiusd.RLM_MODULE_REJECT
+
+- # look up them in config for group vlan if possible.
+- # TODO: work out the typing on this, WTF.
+- uservlan: int = reduce(
+- check_vlan,
+- tok.groups,
+- kanidm_client.config.radius_default_vlan,
+- )
++ dgsi_info = requests.get(kanidm_client.config.dgsi_endpoint + "/" + name, headers={
++ "Authorization": "Basic " + kanidm_client.config.dgsi_token
++ })
++ if dgsi_info.status != 200:
++ logging.error("dgsi: error getting vlan of %s : %s.", name, dgsi_info.status)
++ return radiusd.RLM_MODULE_FAIL
++ else:
++ uservlan: int = int(dgsi_info.text)
+ if uservlan == int(0):
+ logging.info("Invalid uservlan of 0")
+
+--
+2.48.1
+
diff --git a/machines/nixos/vault01/k-radius/packages/pykanidm.nix b/machines/nixos/vault01/k-radius/packages/pykanidm.nix
index b5c0ebc..11b4d4d 100644
--- a/machines/nixos/vault01/k-radius/packages/pykanidm.nix
+++ b/machines/nixos/vault01/k-radius/packages/pykanidm.nix
@@ -26,7 +26,7 @@ buildPythonPackage rec {
};
patches = [
- ./02-remove-noisy-logs.patch
+ ./02-request-dgsi-vlan.patch
];
sourceRoot = "source/pykanidm";
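Review bot: `dgsi_info.status` is not an attribute of a `requests.Response` (the attribute is `status_code`; `.status` is the aiohttp spelling), so once the request returns, `authorize()` raises `AttributeError` instead of reaching either branch. Three further gaps let a single request or a DGSI outage take the whole authorization path down with an unhandled exception rather than a clean `RLM_MODULE_FAIL`: `name`, which the surrounding code uses as the requesting user's identifier, is concatenated into the URL path unescaped so characters such as `/`, `?` or `#` change the request target; `requests.get` has no `timeout`, so an unresponsive DGSI blocks the RADIUS worker indefinitely; and `int(dgsi_info.text)` raises `ValueError` on any non-numeric body, while a connection failure is not caught at all. The rewrite below addresses these (it needs `from urllib.parse import quote` added next to the other imports, and the `timeout` value is a constructed example). The newly added `import base64` is unused and `from functools import reduce` is dead now that the `reduce` call is gone; `dgsi_endpoint` and `dgsi_token` are also read from `kanidm_client.config` without the config model being extended anywhere in this commit, and `requests` does not appear in the pykanidm.nix hunk, so confirm both are actually available at runtime. `authorize()` starts and ends outside the hunk.
```python
    # … unchanged: required-group check …
    try:
        dgsi_info = requests.get(
            kanidm_client.config.dgsi_endpoint + "/" + quote(name, safe=""),
            headers={"Authorization": "Basic " + kanidm_client.config.dgsi_token},
            timeout=5,  # constructed example; an unresponsive DGSI must not hang the worker
        )
    except requests.RequestException as exc:
        logging.error("dgsi: error getting vlan of %s : %s.", name, exc)
        return radiusd.RLM_MODULE_FAIL
    if dgsi_info.status_code != 200:
        logging.error("dgsi: error getting vlan of %s : %s.", name, dgsi_info.status_code)
        return radiusd.RLM_MODULE_FAIL
    try:
        uservlan: int = int(dgsi_info.text)
    except ValueError:
        logging.error("dgsi: non-numeric vlan for %s: %r", name, dgsi_info.text)
        return radiusd.RLM_MODULE_FAIL
    if uservlan == int(0):
    # … unchanged: zero-vlan handling …
```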