kanidm/kanidm_tools/src/ssh_authorizedkeys.rs

#![deny(warnings)]
#![warn(unused_extern_crates)]
#![deny(clippy::unwrap_used)]
#![deny(clippy::expect_used)]
#![deny(clippy::panic)]
#![deny(clippy::unreachable)]
#![deny(clippy::await_holding_lock)]
#![deny(clippy::needless_pass_by_value)]
#![deny(clippy::trivially_copy_pass_by_ref)]

use std::path::PathBuf;

use kanidm_client::KanidmClientBuilder;

use log::{debug, error};
use structopt::StructOpt;

#[derive(Debug, StructOpt)]
struct ClientOpt {
    #[structopt(short = "d", long = "debug")]
    debug: bool,
    #[structopt(short = "H", long = "url")]
    addr: Option<String>,
    #[structopt(short = "D", long = "name")]
    username: String,
    #[structopt(parse(from_os_str), short = "C", long = "ca")]
    ca_path: Option<PathBuf>,
    #[structopt()]
    account_id: String,
}

// For now we lift a few things from the main.rs to use.
//
// usage: AuthorizedKeysCommand /usr/sbin/kanidm_ssh_authorizedkeys %u -H URL -D anonymous -C /etc/kanidm/ca.pem
//
fn main() {
    let opt = ClientOpt::from_args();
    if opt.debug {
        ::std::env::set_var("RUST_LOG", "kanidm=debug,kanidm_client=debug");
    } else {
        ::std::env::set_var("RUST_LOG", "kanidm=info,kanidm_client=info");
    }
    env_logger::init();

    let config_path: String = shellexpand::tilde("~/.config/kanidm").into_owned();
    debug!("Attempting to use config {}", "/etc/kanidm/config");
    let client_builder = match KanidmClientBuilder::new()
        .read_options_from_optional_config("/etc/kanidm/config")
        .and_then(|cb| {
            debug!("Attempting to use config {}", config_path);
            cb.read_options_from_optional_config(config_path)
        }) {
        Ok(c) => c,
        Err(e) => {
            error!("Failed to parse config (if present) -- {:?}", e);
            std::process::exit(1);
        }
    };

    let client_builder = match &opt.addr {
        Some(a) => client_builder.address(a.to_string()),
        None => client_builder,
    };

    let ca_path: Option<&str> = opt.ca_path.as_ref().map(|p| p.to_str()).flatten();
    let client_builder = match ca_path {
        Some(p) => match client_builder.add_root_certificate_filepath(p) {
            Ok(cb) => cb,
            Err(e) => {
                error!("Failed to add ca certificate -- {:?}", e);
                std::process::exit(1);
            }
        },
        None => client_builder,
    };

    let mut client = match client_builder.build() {
        Ok(c) => c,
        Err(e) => {
            error!("Failed to build client instance -- {:?}", e);
            std::process::exit(1);
        }
    };

    let r = if opt.username == "anonymous" {
        client.auth_anonymous()
    } else {
        let password = match rpassword::prompt_password_stderr("Enter password: ") {
            Ok(pw) => pw,
            Err(e) => {
                error!("Failed to retrieve password - {:?}", e);
                std::process::exit(1);
            }
        };
        client.auth_simple_password(opt.username.as_str(), password.as_str())
    };

    if r.is_err() {
        eprintln!("Error during authentication phase: {:?}", r);
        std::process::exit(1);
    }

    match client.idm_account_get_ssh_pubkeys(opt.account_id.as_str()) {
        Ok(pkeys) => pkeys.iter().for_each(|pkey| println!("{}", pkey)),
        Err(e) => error!("Failed to retrieve pubkeys - {:?}", e),
    }
}
V large cleanup 2020-08-04 04:58:11 +02:00			`#![deny(warnings)]`
			`#![warn(unused_extern_crates)]`
			`#![deny(clippy::unwrap_used)]`
			`#![deny(clippy::expect_used)]`
			`#![deny(clippy::panic)]`
			`#![deny(clippy::unreachable)]`
			`#![deny(clippy::await_holding_lock)]`
			`#![deny(clippy::needless_pass_by_value)]`
			`#![deny(clippy::trivially_copy_pass_by_ref)]`

Remove "extern crate" from binary crates 2020-01-08 11:49:26 +01:00			`use std::path::PathBuf;`

Add support for better client building (#147) Implements #134 Client Builder Pattern. This makes it much easier to build a client by making the configuration of the client lib follow a builder pattern. The error management needs a lot of work still, but for now it's rough and it works. 2019-11-19 02:50:37 +01:00			`use kanidm_client::KanidmClientBuilder;`
Remove "extern crate" from binary crates 2020-01-08 11:49:26 +01:00
V large cleanup 2020-08-04 04:58:11 +02:00			`use log::{debug, error};`
126 ssh key features (#146) Implemnt SSH public key management This implements ssh public key distribution for kanidm, enforcing that valid ssh public keys are placed into the ssh_publickey attribute, adds management tools so that accounts can self-service manage their keys, and finally adds an authorized keys command helper suitable for sshd_config to utilise. 2019-11-16 05:40:45 +01:00			`use structopt::StructOpt;`

			`#[derive(Debug, StructOpt)]`
			`struct ClientOpt {`
			`#[structopt(short = "d", long = "debug")]`
			`debug: bool,`
			`#[structopt(short = "H", long = "url")]`
Add support for better client building (#147) Implements #134 Client Builder Pattern. This makes it much easier to build a client by making the configuration of the client lib follow a builder pattern. The error management needs a lot of work still, but for now it's rough and it works. 2019-11-19 02:50:37 +01:00			`addr: Option<String>,`
126 ssh key features (#146) Implemnt SSH public key management This implements ssh public key distribution for kanidm, enforcing that valid ssh public keys are placed into the ssh_publickey attribute, adds management tools so that accounts can self-service manage their keys, and finally adds an authorized keys command helper suitable for sshd_config to utilise. 2019-11-16 05:40:45 +01:00			`#[structopt(short = "D", long = "name")]`
			`username: String,`
			`#[structopt(parse(from_os_str), short = "C", long = "ca")]`
			`ca_path: Option<PathBuf>,`
			`#[structopt()]`
			`account_id: String,`
			`}`

			`// For now we lift a few things from the main.rs to use.`
			`//`
			`// usage: AuthorizedKeysCommand /usr/sbin/kanidm_ssh_authorizedkeys %u -H URL -D anonymous -C /etc/kanidm/ca.pem`
			`//`
			`fn main() {`
			`let opt = ClientOpt::from_args();`
			`if opt.debug {`
			`::std::env::set_var("RUST_LOG", "kanidm=debug,kanidm_client=debug");`
			`} else {`
			`::std::env::set_var("RUST_LOG", "kanidm=info,kanidm_client=info");`
			`}`
			`env_logger::init();`

Add support for better client building (#147) Implements #134 Client Builder Pattern. This makes it much easier to build a client by making the configuration of the client lib follow a builder pattern. The error management needs a lot of work still, but for now it's rough and it works. 2019-11-19 02:50:37 +01:00			`let config_path: String = shellexpand::tilde("~/.config/kanidm").into_owned();`
			`debug!("Attempting to use config {}", "/etc/kanidm/config");`
V large cleanup 2020-08-04 04:58:11 +02:00			`let client_builder = match KanidmClientBuilder::new()`
Add support for better client building (#147) Implements #134 Client Builder Pattern. This makes it much easier to build a client by making the configuration of the client lib follow a builder pattern. The error management needs a lot of work still, but for now it's rough and it works. 2019-11-19 02:50:37 +01:00			`.read_options_from_optional_config("/etc/kanidm/config")`
			`.and_then(\|cb\| {`
			`debug!("Attempting to use config {}", config_path);`
			`cb.read_options_from_optional_config(config_path)`
V large cleanup 2020-08-04 04:58:11 +02:00			`}) {`
			`Ok(c) => c,`
			`Err(e) => {`
			`error!("Failed to parse config (if present) -- {:?}", e);`
			`std::process::exit(1);`
			`}`
			`};`
Add support for better client building (#147) Implements #134 Client Builder Pattern. This makes it much easier to build a client by making the configuration of the client lib follow a builder pattern. The error management needs a lot of work still, but for now it's rough and it works. 2019-11-19 02:50:37 +01:00
			`let client_builder = match &opt.addr {`
			`Some(a) => client_builder.address(a.to_string()),`
			`None => client_builder,`
			`};`

V large cleanup 2020-08-04 04:58:11 +02:00			`let ca_path: Option<&str> = opt.ca_path.as_ref().map(\|p\| p.to_str()).flatten();`
Add support for better client building (#147) Implements #134 Client Builder Pattern. This makes it much easier to build a client by making the configuration of the client lib follow a builder pattern. The error management needs a lot of work still, but for now it's rough and it works. 2019-11-19 02:50:37 +01:00			`let client_builder = match ca_path {`
V large cleanup 2020-08-04 04:58:11 +02:00			`Some(p) => match client_builder.add_root_certificate_filepath(p) {`
			`Ok(cb) => cb,`
			`Err(e) => {`
			`error!("Failed to add ca certificate -- {:?}", e);`
			`std::process::exit(1);`
			`}`
			`},`
Add support for better client building (#147) Implements #134 Client Builder Pattern. This makes it much easier to build a client by making the configuration of the client lib follow a builder pattern. The error management needs a lot of work still, but for now it's rough and it works. 2019-11-19 02:50:37 +01:00			`None => client_builder,`
			`};`

250 cookie to auth bearer (#321) Fixes #250, replacing cookies with auth-bearer tokens. This is done using fernet with randomised keys each startup. The reason for this is that in the future the size of the auth token may exceed cookie limits, so we must be able to understand and process auth bearer. Additionaly, this lets us store the tokens for say the kanidm cli as reqwest today can't persist a cookie jar. 2020-09-18 05:19:57 +02:00			`let mut client = match client_builder.build() {`
V large cleanup 2020-08-04 04:58:11 +02:00			`Ok(c) => c,`
			`Err(e) => {`
			`error!("Failed to build client instance -- {:?}", e);`
			`std::process::exit(1);`
			`}`
			`};`
126 ssh key features (#146) Implemnt SSH public key management This implements ssh public key distribution for kanidm, enforcing that valid ssh public keys are placed into the ssh_publickey attribute, adds management tools so that accounts can self-service manage their keys, and finally adds an authorized keys command helper suitable for sshd_config to utilise. 2019-11-16 05:40:45 +01:00
			`let r = if opt.username == "anonymous" {`
			`client.auth_anonymous()`
			`} else {`
V large cleanup 2020-08-04 04:58:11 +02:00			`let password = match rpassword::prompt_password_stderr("Enter password: ") {`
			`Ok(pw) => pw,`
			`Err(e) => {`
			`error!("Failed to retrieve password - {:?}", e);`
			`std::process::exit(1);`
			`}`
			`};`
126 ssh key features (#146) Implemnt SSH public key management This implements ssh public key distribution for kanidm, enforcing that valid ssh public keys are placed into the ssh_publickey attribute, adds management tools so that accounts can self-service manage their keys, and finally adds an authorized keys command helper suitable for sshd_config to utilise. 2019-11-16 05:40:45 +01:00			`client.auth_simple_password(opt.username.as_str(), password.as_str())`
			`};`

			`if r.is_err() {`
			`eprintln!("Error during authentication phase: {:?}", r);`
			`std::process::exit(1);`
			`}`

V large cleanup 2020-08-04 04:58:11 +02:00			`match client.idm_account_get_ssh_pubkeys(opt.account_id.as_str()) {`
			`Ok(pkeys) => pkeys.iter().for_each(\|pkey\| println!("{}", pkey)),`
			`Err(e) => error!("Failed to retrieve pubkeys - {:?}", e),`
126 ssh key features (#146) Implemnt SSH public key management This implements ssh public key distribution for kanidm, enforcing that valid ssh public keys are placed into the ssh_publickey attribute, adds management tools so that accounts can self-service manage their keys, and finally adds an authorized keys command helper suitable for sshd_config to utilise. 2019-11-16 05:40:45 +01:00			`}`
			`}`