diff --git a/.gitignore b/.gitignore
index e1f4673..5547837 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 **.so
+result
\ No newline at end of file
diff --git a/README.md b/README.md
index 86ee01c..ec5a78e 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,7 @@ This allows for cross compiling to arm64 when using MacOS as a dev platform:
 ```bash
 docker build -t pam-builder .
 docker create --name extract pam-builder
-docker cp extract:/src/supa_jitdb_pam.so ./pam_jwt_pg.so
+docker cp extract:/src/supa_jitdb_pam.so ./pam_jit_pg.so
 docker rm extract
 ```
@@ -14,7 +14,7 @@ Build with nix (using docker as a standin here for a linux host):
 ```bash
 docker build -t nix-go-pam -f Dockerfile_nix .
 docker create --name temp nix-go-pam
-docker cp temp:/app/result/lib/security/pam_jwt_pg.so ./pam_jwt_pg_nix.so
+docker cp temp:/app/result/lib/security/pam_jit_pg.so ./pam_jwt_pg_nix.so
 docker rm temp
 ```
@@ -29,14 +29,14 @@ Copy the `.so` to the server. And add to the correct pam location, normally:
 In the case of `nix` builds, such as the Supabase image, it needs to go the nix store:
 ```
-cp pam_jwt_pg.so /nix/store/*-linux-pam-1.6.0/lib/security/
+cp pam_jit_pg.so /nix/store/*-linux-pam-1.6.0/lib/security/
 ```
 Next setup `/etc/pam.d/postgresql` with the following
 ```
-auth required pam_jwt_pg.so jwks=https://auth.supabase.green/auth/v1/.well-known/jwks.json mappings=/tmp/users.yaml
-account required pam_jwt_pg.so jwks=https://auth.supabase.green/auth/v1/.well-known/jwks.json mappings=/tmp/users.yaml
+auth required pam_jit_pg.so jwks=https://auth.supabase.green/auth/v1/.well-known/jwks.json mappings=/tmp/users.yaml
+account required pam_jit_pg.so jwks=https://auth.supabase.green/auth/v1/.well-known/jwks.json mappings=/tmp/users.yaml
 ```
 The `apiUrl` value should point to the URL of a valid api that accepts the PAT and/or JWT for authentication. The API should return a JSON struct with the roles the user associated to the PAT/JWT is allowed to assume: 
diff --git a/default.nix b/default.nix
index f1ead38..d30a786 100644
--- a/default.nix
+++ b/default.nix
@@ -21,14 +21,14 @@ pkgs.buildGoModule {
 # Build as shared library for PAM
 buildPhase = ''
 runHook preBuild
- go build -buildmode=c-shared -o pam_jwt_pg.so
+ go build -buildmode=c-shared -o pam_jit_pg.so
 runHook postBuild
 '';
 installPhase = ''
 runHook preInstall
 mkdir -p $out/lib/security
- cp pam_jwt_pg.so $out/lib/security/
+ cp pam_jit_pg.so $out/lib/security/
 runHook postInstall
 '';
diff --git a/flake.nix b/flake.nix
index afc97ba..61ef95a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,37 +3,45 @@ inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + flake-utils.url = "github:numtide/flake-utils"; }; - outputs = { self, nixpkgs }: - let - systems = [ "x86_64-linux" "aarch64-linux" "aarch64-darwin" ]; - forAllSystems = f: builtins.listToAttrs (map (system: { - name = system; - value = f system; - }) systems); - in { - packages = forAllSystems (system: - let - pkgs = import nixpkgs { inherit system; }; - in { - default = pkgs.stdenv.mkDerivation { + outputs = { self, nixpkgs, flake-utils }: + flake-utils.lib.eachSystem [ "x86_64-linux" "aarch64-linux" "aarch64-darwin" ] (system: + let + pkgs = import nixpkgs { inherit system; }; + + makeGatekeeper = { go ? pkgs.go }: + let + buildGoModule = pkgs.buildGoModule.override { inherit go; }; + in + buildGoModule { pname = "gatekeeper"; version = "0.1.0"; src = ./.; - buildInputs = [ pkgs.pam pkgs.gcc ]; + vendorHash = "sha256-pdF+bhvZQwd2iSEHVtDAGihkYZGSaQaFdsF8MSrWuKQ="; + + buildInputs = [ pkgs.pam ] ++ pkgs.lib.optionals pkgs.stdenv.isDarwin [ + pkgs.darwin.apple_sdk.frameworks.Security + ]; - # Assuming your pam module source is pam_foo.c buildPhase = '' - go build -buildmode=c-shared -o pam_jwt_pg.so + runHook preBuild + go build -buildmode=c-shared -o pam_jit_pg.so + runHook postBuild ''; installPhase = '' + runHook preInstall mkdir -p $out/lib/security - cp pam_jwt_pg.so $out/lib/security/ + cp pam_jit_pg.so $out/lib/security/ + runHook postInstall ''; }; - }); - }; + in { + packages.default = makeGatekeeper { }; + + lib.makeGatekeeper = makeGatekeeper; + }); }
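Review bot: The custom buildPhase in the new makeGatekeeper body (`go build -buildmode=c-shared -o pam_jit_pg.so`) replaces buildGoModule's stock build step, which as far as I recall is what supplies `-trimpath` and the derivation's `ldflags`, so the produced pam_jit_pg.so presumably embeds /nix/store source paths and is built with different flags than a stock buildGoModule package; I would change that line to `go build -trimpath -buildmode=c-shared -o pam_jit_pg.so` (and apply the same to the default.nix hunk above, which has the identical line). That buildPhase/installPhase pair is now duplicated verbatim between flake.nix and default.nix — this very commit had to rename the output in both — so one should derive from the other, e.g. `packages.default = pkgs.callPackage ./default.nix { };` if default.nix's argument form permits it (its header is outside the hunk), so that vendorHash and build flags cannot drift. makeGatekeeper also lacks any note on its contract; I would put `# Build the PAM module; the go argument lets a caller pin the toolchain (defaults to pkgs.go).` above `makeGatekeeper = { go ? pkgs.go }:`. Since `lib.makeGatekeeper` sits inside eachSystem it is exposed as `lib.<system>.makeGatekeeper`, which is probably what a consumer expects but is worth stating in that same comment.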