diff --git a/conf/broker.conf.d/00-migration-allowed_users.conf b/conf/broker.conf.d/00-migration-allowed_users.conf
new file mode 100644
index 00000000..d1b977fd
--- /dev/null
+++ b/conf/broker.conf.d/00-migration-allowed_users.conf
@@ -0,0 +1,11 @@
+## This file was generated during the broker upgrade process. DO NOT EDIT.
+##
+## This file adds the 'allowed_users' option and sets it to 'ALL'
+## to preserve backward compatibility, as the default for this
+## option is 'OWNER'.
+## For more information, refer to 10-allowed_users.conf.
+##
+## If you want to use the new default setting, simply delete this file.
+
+[users]
+allowed_users = ALL
diff --git a/conf/broker.conf.d/10-allowed_users.conf b/conf/broker.conf.d/10-allowed_users.conf
new file mode 100644
index 00000000..33377e52
--- /dev/null
+++ b/conf/broker.conf.d/10-allowed_users.conf
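Review bot: `allowed_users = ALL` in this drop-in deliberately keeps upgraded installs permissive, but the file sits in the same broker.conf.d tree that snapcraft.yaml packs as conf/broker.conf.d.orig and that post-refresh copies wholesale, so any other path that seeds $SNAP_DATA from that directory (an install hook, for instance, which is not in this diff) would ship ALL as well and silently defeat the new OWNER default. Consider keeping the migration file outside broker.conf.d.orig and copying it only from the upgrade branch, or at least stating in the header that it must never be installed on a fresh install. The header also says the file was "generated during the broker upgrade process" while it is a static file copied by the hook; `## This file is installed by the post-refresh hook when upgrading from a version without 'allowed_users'. DO NOT EDIT.` would describe what actually happens.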
@@ -0,0 +1,28 @@
+[users]
+## 'allowed_users' specifies the users who are permitted to log in after
+## successfully authenticating with the Identity Provider.
+## Values are separated by commas. Supported values:
+## - 'OWNER': Grants access to the user specified in the 'owner' option
+## (see below). This is the default.
+## - 'ALL': Grants access to all users who successfully authenticate
+## with the Identity Provider.
+## - : Grants access to specific additional users
+## (e.g. user1@example.com).
+## Example: allowed_users = OWNER,user1@example.com,admin@example.com
+#allowed_users = OWNER
+
+## 'owner' specifies the user assigned the owner role. This user is
+## permitted to log in if 'OWNER' is included in the 'allowed_users'
+## option.
+##
+## If this option is left unset, the first user to successfully log in
+## via this broker will automatically be assigned the owner role. A
+## drop-in configuration file will be created in broker.conf.d/ to set
+## the 'owner' option.
+##
+## To disable automatic assignment, you can either:
+## 1. Explicitly set this option to an empty value (e.g. owner = "")
+## 2. Remove 'OWNER' from the 'allowed_users' option
+##
+## Example: owner = user2@example.com
+#owner =
diff --git a/snap/hooks/post-refresh b/snap/hooks/post-refresh
new file mode 100755
index 00000000..0813e5f5
--- /dev/null
+++ b/snap/hooks/post-refresh
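Review bot: The third bullet under 'allowed_users', `## - : Grants access to specific additional users`, has no value label before the colon, so it reads as if a placeholder was lost (possibly an angle-bracketed name that did not survive); `## - <username>: Grants access to specific additional users` would restore the meaning. The example `owner = ""` in the "To disable automatic assignment" list relies on the config parser treating two quote characters as an empty value rather than a literal two-character string; if the parser does not strip quotes, the example should read `owner =`, which the commented default line already shows.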
@@ -0,0 +1,34 @@
+#!/bin/sh
+set -eu
+
+echo "post-refresh hook" >> /tmp/snap.log # TODO: Only for debugging
+
+PREVIOUS_VERSION=$(snapctl get previous-version)
+echo "Previous version: $PREVIOUS_VERSION" >> /tmp/snap.log
+
+INITIAL_ALLOWED_USERS_VERSION="0.2.0"
+
+version_less_than() {
+ [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
+}
+
+should_transition_to_allowed_users() {
+ # Transition to allowed users if:
+ # - previous-version is not set (that means that the previous version is
+ # older than 0.2.0, i.e. the version where we introduced setting the
+ # previous-version in the pre-refresh hook).
+ # - previous-version is set, but it is less than 0.2.0. That should never
+ # happen, but we check it to give an example how the previous-version
+ # can be used to transition data from older versions.
+ [ -z "${PREVIOUS_VERSION:-}" ] || version_less_than "${PREVIOUS_VERSION:-}" "${INITIAL_ALLOWED_USERS_VERSION:-}"
+}
+
+transition_to_allowed_users() {
+ echo "Transitioning to allowed users" >> /tmp/snap.log # TODO: Only for debugging
+ mkdir ${SNAP_DATA}/broker.conf.d
+ cp --update=none ${SNAP}/conf/broker.conf.d.orig/* ${SNAP_DATA}/broker.conf.d/
+}
+
+if should_transition_to_allowed_users; then
+ transition_to_allowed_users
+fi
diff --git a/snap/hooks/pre-refresh b/snap/hooks/pre-refresh
new file mode 100644
index 00000000..50fd4a35
--- /dev/null
+++ b/snap/hooks/pre-refresh
@@ -0,0 +1,6 @@
+#!/bin/sh
+set -eu
+
+echo "pre-refresh hook" >> /tmp/snap.log # TODO: Only for debugging
+
+snapctl set previous-version=${SNAP_VERSION}
diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml
index 24c23a0c..b835c3fc 100644
--- a/snap/snapcraft.yaml
+++ b/snap/snapcraft.yaml
@@ -38,6 +38,7 @@ parts:
 organize:
 "authd.conf": "conf/authd/oidc.conf"
 "broker.conf": "conf/broker.conf.orig"
+ "broker.conf.d": "conf/broker.conf.d.orig"
 # Build the snap version from the git repository and current tree state.
 version:
 source: .
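Review bot: `mkdir ${SNAP_DATA}/broker.conf.d` in transition_to_allowed_users has no `-p`, so under `set -eu` the whole hook fails (and snapd rolls the refresh back) whenever the directory already exists, which is plausible because 10-allowed_users.conf says the broker itself writes an owner drop-in there; the `${SNAP_DATA}` and `${SNAP}` expansions on the same two lines are also unquoted. `cp --update=none` only exists in recent GNU coreutils, so if the snap base ships an older coreutils the copy line fails in the same way; the loop below does both jobs portably and never overwrites an existing file. The `/tmp/snap.log` debug lines here and in pre-refresh append to a fixed, predictable path from a privileged hook and are already marked TODO, so they should be dropped before merge or at least pointed under `$SNAP_DATA`. version_less_than is also true when the two versions are equal, which is harmless for this caller but deserves a comment such as `# true when $1 <= $2 (sort -V lists equal strings first)`.
```sh
transition_to_allowed_users() {
    mkdir -p -- "${SNAP_DATA}/broker.conf.d"
    # Seed defaults without clobbering anything the user or the broker
    # already placed in $SNAP_DATA (portable stand-in for cp --update=none).
    for src in "${SNAP}"/conf/broker.conf.d.orig/*; do
        [ -e "$src" ] || continue
        dst="${SNAP_DATA}/broker.conf.d/${src##*/}"
        [ -e "$dst" ] || cp -- "$src" "$dst"
    done
}
```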