nathan/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2026-06-05 21:03:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

nixos/pam: Refactor for performance & readability (#525090)

Browse Source
This commit is contained in:
Florian Klink
2026-05-28 10:59:19 +00:00
committed by GitHub
parent 3cf42558f8 4eb838f5d2
commit 16664e055b
1 changed files with 53 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

108
nixos/modules/security/pam.nix
View File

@@ -8,6 +8,21 @@
...
}:
let
inherit (lib)
attrNames
catAttrs
concatLines
concatMap
filter
unique
flip
elem
attrValues
concatMapStrings
hasPrefix
concatStringsSep
sort
;
moduleSettingsType =
with lib.types;
@@ -881,41 +896,30 @@ let
text =
let
ensureUniqueOrder =
type: rules:
let
checkPair =
a: b:
assert lib.assertMsg (a.order != b.order)
"security.pam.services.${name}.rules.${type}: rules '${a.name}' and '${b.name}' cannot have the same order value (${toString a.order})";
b;
checked = lib.zipListsWith checkPair rules (lib.drop 1 rules);
in
lib.take 1 rules ++ checked;
# Formats a string for use in `module-arguments`. See `man pam.conf`.
formatModuleArgument =
token: if lib.hasInfix " " token then "[${lib.replaceStrings [ "]" ] [ "\\]" ] token}]" else token;
formatRules =
type:
lib.pipe cfg.rules.${type} [
lib.attrValues
(lib.filter (rule: rule.enable))
(lib.sort (a: b: a.order < b.order))
(ensureUniqueOrder type)
(map (
rule:
lib.concatStringsSep " " (
[
type
rule.control
rule.modulePath
]
++ map formatModuleArgument rule.args
++ [ "# ${rule.name} (order ${toString rule.order})" ]
concatStringsSep "\n" (
map
(
rule:
"${type} ${rule.control} ${rule.modulePath}${
if rule.args == [ ] then "" else " " + concatStringsSep " " (map formatModuleArgument rule.args)
} # ${rule.name} (order ${toString rule.order})"
)
))
(lib.concatStringsSep "\n")
];
(
sort (
a: b:
if a.order != b.order then
a.order < b.order
else
throw "security.pam.services.${name}.rules.${type}: rules '${a.name}' and '${b.name}' cannot have the same order value (${toString a.order})"
) (filter (rule: rule.enable) (attrValues cfg.rules.${type}))
)
);
in
lib.mkDefault ''
# Account management.
@@ -2637,35 +2641,29 @@ in
};
security.apparmor.includes."abstractions/pam" =
lib.concatMapStrings (name: "r ${config.environment.etc."pam.d/${name}".source},\n") (
lib.attrNames enabledServices
concatMapStrings (name: "r ${config.environment.etc."pam.d/${name}".source},\n") (
attrNames enabledServices
)
+ (
with lib;
pipe enabledServices [
lib.attrValues
(catAttrs "rules")
(lib.concatMap lib.attrValues)
(lib.concatMap lib.attrValues)
(lib.filter (rule: rule.enable))
(lib.filter (
let
types = concatMap attrValues (catAttrs "rules" (attrValues enabledServices));
rules = concatMap attrValues types;
isDirect = flip elem [
"include"
"substack"
];
activeRules = filter (rule: rule.enable && !isDirect rule.control) rules;
modulePaths = concatMap (
rule:
!builtins.elem rule.control [
"include"
"substack"
]
))
(lib.catAttrs "modulePath")
(map (
modulePath:
lib.throwIfNot (lib.hasPrefix "/" modulePath)
''non-absolute PAM modulePath "${modulePath}" is unsupported by apparmor''
modulePath
))
lib.unique
(map (module: "mr ${module},"))
concatLines
]
if (!hasPrefix "/" rule.modulePath) then
throw ''non-absolute PAM modulePath "${rule.modulePath}" is unsupported by apparmor''
else
[ rule.modulePath ]
) activeRules;
in
concatLines (map (module: "mr ${module},") (unique modulePaths))
);
security.sudo.extraConfig = optionalSudoConfigForSSHAgentAuth;