kanidm/kanidmd/src/lib/config.rs

//! The server configuration as processed from the startup wrapper. This controls a number of
//! variables that determine how our backends, query server, and frontends are configured.
//!
//! These components should be "per server". Any "per domain" config should be in the system
//! or domain entries that are able to be replicated.

use rand::prelude::*;
use std::fmt;
use std::str::FromStr;

#[derive(Serialize, Deserialize, Debug)]
pub struct IntegrationTestConfig {
    pub admin_user: String,
    pub admin_password: String,
}

#[derive(Serialize, Deserialize, Debug)]
pub struct TlsConfiguration {
    pub chain: String,
    pub key: String,
}

#[derive(Debug, Serialize, Deserialize, Clone, Copy)]
pub enum ServerRole {
    WriteReplica,
    WriteReplicaNoUI,
    ReadOnlyReplica,
}

impl Default for ServerRole {
    fn default() -> Self {
        ServerRole::WriteReplica
    }
}

impl ToString for ServerRole {
    fn to_string(&self) -> String {
        match self {
            ServerRole::WriteReplica => "write replica".to_string(),
            ServerRole::WriteReplicaNoUI => "write replica (no ui)".to_string(),
            ServerRole::ReadOnlyReplica => "read only replica".to_string(),
        }
    }
}

impl FromStr for ServerRole {
    type Err = &'static str;

    fn from_str(s: &str) -> Result<Self, Self::Err> {
        match s {
            "write_replica" => Ok(ServerRole::WriteReplica),
            "write_replica_no_ui" => Ok(ServerRole::WriteReplicaNoUI),
            "read_only_replica" => Ok(ServerRole::ReadOnlyReplica),
            _ => Err("Must be one of write_replica, write_replica_no_ui, read_only_replica"),
        }
    }
}

#[derive(Serialize, Deserialize, Debug, Default)]
pub struct Configuration {
    pub address: String,
    pub ldapaddress: Option<String>,
    pub threads: usize,
    // db type later
    pub db_path: String,
    pub db_fs_type: Option<String>,
    pub db_arc_size: Option<usize>,
    pub maximum_request: usize,
    pub secure_cookies: bool,
    pub tls_config: Option<TlsConfiguration>,
    pub cookie_key: [u8; 32],
    pub integration_test_config: Option<Box<IntegrationTestConfig>>,
    pub log_level: Option<u32>,
    pub origin: String,
    pub role: ServerRole,
}

impl fmt::Display for Configuration {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "address: {}, ", self.address)
            .and_then(|_| match &self.ldapaddress {
                Some(la) => write!(f, "ldap address: {}, ", la),
                None => write!(f, "ldap address: disabled, "),
            })
            .and_then(|_| write!(f, "thread count: {}, ", self.threads))
            .and_then(|_| write!(f, "dbpath: {}, ", self.db_path))
            .and_then(|_| match self.db_arc_size {
                Some(v) => write!(f, "arcsize: {}, ", v),
                None => write!(f, "arcsize: AUTO, "),
            })
            .and_then(|_| write!(f, "max request size: {}b, ", self.maximum_request))
            .and_then(|_| write!(f, "secure cookies: {}, ", self.secure_cookies))
            .and_then(|_| write!(f, "with TLS: {}, ", self.tls_config.is_some()))
            .and_then(|_| match self.log_level {
                Some(u) => write!(f, "with log_level: {:x}, ", u),
                None => write!(f, "with log_level: default, "),
            })
            .and_then(|_| write!(f, "role: {}, ", self.role.to_string()))
            .and_then(|_| {
                write!(
                    f,
                    "integration mode: {}",
                    self.integration_test_config.is_some()
                )
            })
    }
}

impl Configuration {
    pub fn new() -> Self {
        let mut c = Configuration {
            address: String::from("127.0.0.1:8080"),
            ldapaddress: None,
            threads: num_cpus::get(),
            db_path: String::from(""),
            db_fs_type: None,
            db_arc_size: None,
            maximum_request: 262_144, // 256k
            // log type
            // log path
            // TODO #63: default true in prd
            secure_cookies: !cfg!(test),
            tls_config: None,
            cookie_key: [0; 32],
            integration_test_config: None,
            log_level: None,
            origin: "https://idm.example.com".to_string(),
            role: ServerRole::WriteReplica,
        };
        let mut rng = StdRng::from_entropy();
        rng.fill(&mut c.cookie_key);
        c
    }

    pub fn update_log_level(&mut self, log_level: Option<u32>) {
        self.log_level = log_level;
    }

    pub fn update_db_path(&mut self, p: &str) {
        self.db_path = p.to_string();
    }

    pub fn update_db_arc_size(&mut self, v: Option<usize>) {
        self.db_arc_size = v
    }

    pub fn update_db_fs_type(&mut self, p: &Option<String>) {
        self.db_fs_type = p.as_ref().map(|v| v.to_lowercase());
    }

    pub fn update_bind(&mut self, b: &Option<String>) {
        self.address = b
            .as_ref()
            .cloned()
            .unwrap_or_else(|| String::from("127.0.0.1:8080"));
    }

    pub fn update_ldapbind(&mut self, l: &Option<String>) {
        self.ldapaddress = l.clone();
    }

    pub fn update_origin(&mut self, o: &str) {
        self.origin = o.to_string();
    }

    pub fn update_role(&mut self, r: ServerRole) {
        self.role = r;
    }

    pub fn update_tls(&mut self, chain: &Option<String>, key: &Option<String>) {
        match (chain, key) {
            (None, None) => {}
            (Some(chainp), Some(keyp)) => {
                let chain = chainp.to_string();
                let key = keyp.to_string();
                self.tls_config = Some(TlsConfiguration { chain, key })
            }
            _ => {
                eprintln!("ERROR: Invalid TLS configuration - must provide chain and key!");
                std::process::exit(1);
            }
        }
    }
}
Add auth docs (#463) 2021-06-02 01:42:40 +02:00			`//! The server configuration as processed from the startup wrapper. This controls a number of`
			`//! variables that determine how our backends, query server, and frontends are configured.`
			`//!`
			`//! These components should be "per server". Any "per domain" config should be in the system`
			`//! or domain entries that are able to be replicated.`

Open tickets for most todos, fix more. 2019-07-27 08:54:31 +02:00			`use rand::prelude::*;`
65 cli options (#85) Add support for command line options to the server. This supports server sid regeneration, persistence, address binding, tls configuration and more. This also improves TLS support in the client tools for CA cert addition to queries. 2019-09-14 10:21:41 +02:00			`use std::fmt;`
Add ability to pick a server role (#432) 2021-05-06 12:58:22 +02:00			`use std::str::FromStr;`
Implement backup, restore and server modes This allows backup and restore of the server backend data from the command line. Backups can be taken while the server is running. Automated backups are not part of this yet. This also adds a few missing files from a previous commit mistake. Opps! 2019-07-15 01:15:25 +02:00
3 authentication (#79) This adds support for authentication and credential storage to the server. It also adds account recovery and options for integration test fixtures, refactors to make the client library easier to manage, and support clean seperation of the proto vs lib. 2019-09-04 03:06:37 +02:00			`#[derive(Serialize, Deserialize, Debug)]`
			`pub struct IntegrationTestConfig {`
Making clippy happy (#420) 2021-04-25 03:35:56 +02:00			`pub admin_user: String,`
3 authentication (#79) This adds support for authentication and credential storage to the server. It also adds account recovery and options for integration test fixtures, refactors to make the client library easier to manage, and support clean seperation of the proto vs lib. 2019-09-04 03:06:37 +02:00			`pub admin_password: String,`
			`}`

65 cli options (#85) Add support for command line options to the server. This supports server sid regeneration, persistence, address binding, tls configuration and more. This also improves TLS support in the client tools for CA cert addition to queries. 2019-09-14 10:21:41 +02:00			`#[derive(Serialize, Deserialize, Debug)]`
			`pub struct TlsConfiguration {`
356 Use tls chain file (#358) Fixes #356 - this changes from a split ca_chain/cert configuration to a single chain file. This allows rustls in tide-rustls to present the chain correctly, and allows openssl for ldaps to present the chain correctly too. it also simplifies integration to lets encrypt which provides a chain and key file by default. 2021-02-16 02:40:25 +01:00			`pub chain: String,`
65 cli options (#85) Add support for command line options to the server. This supports server sid regeneration, persistence, address binding, tls configuration and more. This also improves TLS support in the client tools for CA cert addition to queries. 2019-09-14 10:21:41 +02:00			`pub key: String,`
			`}`

Add ability to pick a server role (#432) 2021-05-06 12:58:22 +02:00			`#[derive(Debug, Serialize, Deserialize, Clone, Copy)]`
			`pub enum ServerRole {`
			`WriteReplica,`
			`WriteReplicaNoUI,`
			`ReadOnlyReplica,`
			`}`

			`impl Default for ServerRole {`
			`fn default() -> Self {`
			`ServerRole::WriteReplica`
			`}`
			`}`

Fixing #521 - Documenting the server role (#535) 2021-07-24 07:00:08 +02:00			`impl ToString for ServerRole {`
			`fn to_string(&self) -> String {`
			`match self {`
			`ServerRole::WriteReplica => "write replica".to_string(),`
			`ServerRole::WriteReplicaNoUI => "write replica (no ui)".to_string(),`
			`ServerRole::ReadOnlyReplica => "read only replica".to_string(),`
			`}`
			`}`
			`}`

Add ability to pick a server role (#432) 2021-05-06 12:58:22 +02:00			`impl FromStr for ServerRole {`
			`type Err = &'static str;`

			`fn from_str(s: &str) -> Result<Self, Self::Err> {`
			`match s {`
			`"write_replica" => Ok(ServerRole::WriteReplica),`
			`"write_replica_no_ui" => Ok(ServerRole::WriteReplicaNoUI),`
			`"read_only_replica" => Ok(ServerRole::ReadOnlyReplica),`
			`_ => Err("Must be one of write_replica, write_replica_no_ui, read_only_replica"),`
			`}`
			`}`
			`}`

Address clippy reports attending to #![deny(warnings)] 2020-01-09 11:07:14 +01:00			`#[derive(Serialize, Deserialize, Debug, Default)]`
Improvements to integration test 2018-11-26 07:13:22 +01:00			`pub struct Configuration {`
			`pub address: String,`
199 ldap gateway (#246) adds an LDAP gateway to the server. It supports TLS if configured for the webserver, using the same parameters. It is a read only interface, only supporting bind via the configured posix password. 2020-06-10 04:07:43 +02:00			`pub ldapaddress: Option<String>,`
Improvements to integration test 2018-11-26 07:13:22 +01:00			`pub threads: usize,`
Open tickets for most todos, fix more. 2019-07-27 08:54:31 +02:00			`// db type later`
Improvements to integration test 2018-11-26 07:13:22 +01:00			`pub db_path: String,`
Support zfs page size 2020-08-04 08:52:57 +02:00			`pub db_fs_type: Option<String>,`
Idlset2, query cache, acp resolve cache (#409) 2021-04-14 01:56:40 +02:00			`pub db_arc_size: Option<usize>,`
Improvements to integration test 2018-11-26 07:13:22 +01:00			`pub maximum_request: usize,`
Update to rust 2018 and improve some todo notes 2019-04-18 03:28:33 +02:00			`pub secure_cookies: bool,`
65 cli options (#85) Add support for command line options to the server. This supports server sid regeneration, persistence, address binding, tls configuration and more. This also improves TLS support in the client tools for CA cert addition to queries. 2019-09-14 10:21:41 +02:00			`pub tls_config: Option<TlsConfiguration>,`
Open tickets for most todos, fix more. 2019-07-27 08:54:31 +02:00			`pub cookie_key: [u8; 32],`
3 authentication (#79) This adds support for authentication and credential storage to the server. It also adds account recovery and options for integration test fixtures, refactors to make the client library easier to manage, and support clean seperation of the proto vs lib. 2019-09-04 03:06:37 +02:00			`pub integration_test_config: Option<Box<IntegrationTestConfig>>,`
195 rel cleanup (#268) Fixes #195 pre release cleanup. This does a LOT, clippy, formatting, and much much more. It fixes a lot of parts of the book, improves server config and more. 2020-06-18 02:30:42 +02:00			`pub log_level: Option<u32>,`
13 135 webauthn support (#332) Fixes #13 and Fixes #135 - webauthn and webauthn with cli. This is the core of webauthn, but only as a single factor. Some changes are still needed for webauthn as MFA and as a verified single factor. This will be made in a subsequent PR. 2020-12-02 02:12:07 +01:00			`pub origin: String,`
Add ability to pick a server role (#432) 2021-05-06 12:58:22 +02:00			`pub role: ServerRole,`
Improvements to integration test 2018-11-26 07:13:22 +01:00			`}`

65 cli options (#85) Add support for command line options to the server. This supports server sid regeneration, persistence, address binding, tls configuration and more. This also improves TLS support in the client tools for CA cert addition to queries. 2019-09-14 10:21:41 +02:00			`impl fmt::Display for Configuration {`
			`fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {`
			`write!(f, "address: {}, ", self.address)`
199 ldap gateway (#246) adds an LDAP gateway to the server. It supports TLS if configured for the webserver, using the same parameters. It is a read only interface, only supporting bind via the configured posix password. 2020-06-10 04:07:43 +02:00			`.and_then(\|_\| match &self.ldapaddress {`
			`Some(la) => write!(f, "ldap address: {}, ", la),`
			`None => write!(f, "ldap address: disabled, "),`
			`})`
65 cli options (#85) Add support for command line options to the server. This supports server sid regeneration, persistence, address binding, tls configuration and more. This also improves TLS support in the client tools for CA cert addition to queries. 2019-09-14 10:21:41 +02:00			`.and_then(\|_\| write!(f, "thread count: {}, ", self.threads))`
			`.and_then(\|_\| write!(f, "dbpath: {}, ", self.db_path))`
Idlset2, query cache, acp resolve cache (#409) 2021-04-14 01:56:40 +02:00			`.and_then(\|_\| match self.db_arc_size {`
			`Some(v) => write!(f, "arcsize: {}, ", v),`
			`None => write!(f, "arcsize: AUTO, "),`
			`})`
65 cli options (#85) Add support for command line options to the server. This supports server sid regeneration, persistence, address binding, tls configuration and more. This also improves TLS support in the client tools for CA cert addition to queries. 2019-09-14 10:21:41 +02:00			`.and_then(\|_\| write!(f, "max request size: {}b, ", self.maximum_request))`
			`.and_then(\|_\| write!(f, "secure cookies: {}, ", self.secure_cookies))`
			`.and_then(\|_\| write!(f, "with TLS: {}, ", self.tls_config.is_some()))`
181 pam nsswitch name spn (#270) This allows configuration of which attribute is presented during gid/uid resolution, adds home directory prefixing, and home directory name attribute selection. 2020-06-21 13:57:48 +02:00			`.and_then(\|_\| match self.log_level {`
			`Some(u) => write!(f, "with log_level: {:x}, ", u),`
			`None => write!(f, "with log_level: default, "),`
			`})`
Fixing #521 - Documenting the server role (#535) 2021-07-24 07:00:08 +02:00			`.and_then(\|_\| write!(f, "role: {}, ", self.role.to_string()))`
65 cli options (#85) Add support for command line options to the server. This supports server sid regeneration, persistence, address binding, tls configuration and more. This also improves TLS support in the client tools for CA cert addition to queries. 2019-09-14 10:21:41 +02:00			`.and_then(\|_\| {`
			`write!(`
			`f,`
			`"integration mode: {}",`
			`self.integration_test_config.is_some()`
			`)`
			`})`
			`}`
			`}`

Improvements to integration test 2018-11-26 07:13:22 +01:00			`impl Configuration {`
			`pub fn new() -> Self {`
Open tickets for most todos, fix more. 2019-07-27 08:54:31 +02:00			`let mut c = Configuration {`
Improvements to integration test 2018-11-26 07:13:22 +01:00			`address: String::from("127.0.0.1:8080"),`
199 ldap gateway (#246) adds an LDAP gateway to the server. It supports TLS if configured for the webserver, using the same parameters. It is a read only interface, only supporting bind via the configured posix password. 2020-06-10 04:07:43 +02:00			`ldapaddress: None,`
65 cli options (#85) Add support for command line options to the server. This supports server sid regeneration, persistence, address binding, tls configuration and more. This also improves TLS support in the client tools for CA cert addition to queries. 2019-09-14 10:21:41 +02:00			`threads: num_cpus::get(),`
Improvements to integration test 2018-11-26 07:13:22 +01:00			`db_path: String::from(""),`
Support zfs page size 2020-08-04 08:52:57 +02:00			`db_fs_type: None,`
Idlset2, query cache, acp resolve cache (#409) 2021-04-14 01:56:40 +02:00			`db_arc_size: None,`
Address clippy reports attending to #![deny(warnings)] 2020-01-09 11:07:14 +01:00			`maximum_request: 262_144, // 256k`
Update to rust 2018 and improve some todo notes 2019-04-18 03:28:33 +02:00			`// log type`
			`// log path`
Open tickets for most todos, fix more. 2019-07-27 08:54:31 +02:00			`// TODO #63: default true in prd`
Address clippy reports attending to #![deny(warnings)] 2020-01-09 11:07:14 +01:00			`secure_cookies: !cfg!(test),`
65 cli options (#85) Add support for command line options to the server. This supports server sid regeneration, persistence, address binding, tls configuration and more. This also improves TLS support in the client tools for CA cert addition to queries. 2019-09-14 10:21:41 +02:00			`tls_config: None,`
Open tickets for most todos, fix more. 2019-07-27 08:54:31 +02:00			`cookie_key: [0; 32],`
3 authentication (#79) This adds support for authentication and credential storage to the server. It also adds account recovery and options for integration test fixtures, refactors to make the client library easier to manage, and support clean seperation of the proto vs lib. 2019-09-04 03:06:37 +02:00			`integration_test_config: None,`
195 rel cleanup (#268) Fixes #195 pre release cleanup. This does a LOT, clippy, formatting, and much much more. It fixes a lot of parts of the book, improves server config and more. 2020-06-18 02:30:42 +02:00			`log_level: None,`
13 135 webauthn support (#332) Fixes #13 and Fixes #135 - webauthn and webauthn with cli. This is the core of webauthn, but only as a single factor. Some changes are still needed for webauthn as MFA and as a verified single factor. This will be made in a subsequent PR. 2020-12-02 02:12:07 +01:00			`origin: "https://idm.example.com".to_string(),`
Add ability to pick a server role (#432) 2021-05-06 12:58:22 +02:00			`role: ServerRole::WriteReplica,`
Open tickets for most todos, fix more. 2019-07-27 08:54:31 +02:00			`};`
			`let mut rng = StdRng::from_entropy();`
			`rng.fill(&mut c.cookie_key);`
			`c`
Improvements to integration test 2018-11-26 07:13:22 +01:00			`}`
Implement backup, restore and server modes This allows backup and restore of the server backend data from the command line. Backups can be taken while the server is running. Automated backups are not part of this yet. This also adds a few missing files from a previous commit mistake. Opps! 2019-07-15 01:15:25 +02:00
195 rel cleanup (#268) Fixes #195 pre release cleanup. This does a LOT, clippy, formatting, and much much more. It fixes a lot of parts of the book, improves server config and more. 2020-06-18 02:30:42 +02:00			`pub fn update_log_level(&mut self, log_level: Option<u32>) {`
			`self.log_level = log_level;`
			`}`

			`pub fn update_db_path(&mut self, p: &str) {`
			`self.db_path = p.to_string();`
Implement backup, restore and server modes This allows backup and restore of the server backend data from the command line. Backups can be taken while the server is running. Automated backups are not part of this yet. This also adds a few missing files from a previous commit mistake. Opps! 2019-07-15 01:15:25 +02:00			`}`
Support zfs page size 2020-08-04 08:52:57 +02:00
Idlset2, query cache, acp resolve cache (#409) 2021-04-14 01:56:40 +02:00			`pub fn update_db_arc_size(&mut self, v: Option<usize>) {`
			`self.db_arc_size = v`
			`}`

Support zfs page size 2020-08-04 08:52:57 +02:00			`pub fn update_db_fs_type(&mut self, p: &Option<String>) {`
			`self.db_fs_type = p.as_ref().map(\|v\| v.to_lowercase());`
			`}`
65 cli options (#85) Add support for command line options to the server. This supports server sid regeneration, persistence, address binding, tls configuration and more. This also improves TLS support in the client tools for CA cert addition to queries. 2019-09-14 10:21:41 +02:00
			`pub fn update_bind(&mut self, b: &Option<String>) {`
			`self.address = b`
			`.as_ref()`
Address clippy reports attending to #![deny(warnings)] 2020-01-09 11:07:14 +01:00			`.cloned()`
65 cli options (#85) Add support for command line options to the server. This supports server sid regeneration, persistence, address binding, tls configuration and more. This also improves TLS support in the client tools for CA cert addition to queries. 2019-09-14 10:21:41 +02:00			`.unwrap_or_else(\|\| String::from("127.0.0.1:8080"));`
			`}`

199 ldap gateway (#246) adds an LDAP gateway to the server. It supports TLS if configured for the webserver, using the same parameters. It is a read only interface, only supporting bind via the configured posix password. 2020-06-10 04:07:43 +02:00			`pub fn update_ldapbind(&mut self, l: &Option<String>) {`
			`self.ldapaddress = l.clone();`
			`}`

13 135 webauthn support (#332) Fixes #13 and Fixes #135 - webauthn and webauthn with cli. This is the core of webauthn, but only as a single factor. Some changes are still needed for webauthn as MFA and as a verified single factor. This will be made in a subsequent PR. 2020-12-02 02:12:07 +01:00			`pub fn update_origin(&mut self, o: &str) {`
			`self.origin = o.to_string();`
			`}`

Add ability to pick a server role (#432) 2021-05-06 12:58:22 +02:00			`pub fn update_role(&mut self, r: ServerRole) {`
			`self.role = r;`
			`}`

356 Use tls chain file (#358) Fixes #356 - this changes from a split ca_chain/cert configuration to a single chain file. This allows rustls in tide-rustls to present the chain correctly, and allows openssl for ldaps to present the chain correctly too. it also simplifies integration to lets encrypt which provides a chain and key file by default. 2021-02-16 02:40:25 +01:00			`pub fn update_tls(&mut self, chain: &Option<String>, key: &Option<String>) {`
			`match (chain, key) {`
			`(None, None) => {}`
			`(Some(chainp), Some(keyp)) => {`
			`let chain = chainp.to_string();`
			`let key = keyp.to_string();`
			`self.tls_config = Some(TlsConfiguration { chain, key })`
65 cli options (#85) Add support for command line options to the server. This supports server sid regeneration, persistence, address binding, tls configuration and more. This also improves TLS support in the client tools for CA cert addition to queries. 2019-09-14 10:21:41 +02:00			`}`
			`_ => {`
356 Use tls chain file (#358) Fixes #356 - this changes from a split ca_chain/cert configuration to a single chain file. This allows rustls in tide-rustls to present the chain correctly, and allows openssl for ldaps to present the chain correctly too. it also simplifies integration to lets encrypt which provides a chain and key file by default. 2021-02-16 02:40:25 +01:00			`eprintln!("ERROR: Invalid TLS configuration - must provide chain and key!");`
65 cli options (#85) Add support for command line options to the server. This supports server sid regeneration, persistence, address binding, tls configuration and more. This also improves TLS support in the client tools for CA cert addition to queries. 2019-09-14 10:21:41 +02:00			`std::process::exit(1);`
			`}`
			`}`
			`}`
Improvements to integration test 2018-11-26 07:13:22 +01:00			`}`