mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-23 12:37:00 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fixing #520, moving cert loading into server mode (#522)

Browse source
This commit is contained in:
James Hodgkinson 2021-07-09 09:49:26 +10:00 committed by GitHub
parent 620a1717a8
commit 39a693f701
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 27 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
.gitignore vendored
View file

@ -1,5 +1,6 @@
.DS_Store .DS_Store
.backup*_test.json
.backup_test.db .backup_test.db
/target /target
/insecure /insecure

49
kanidmd/src/server/main.rs
View file

@ -168,26 +168,6 @@ async fn main() {
// Check the permissions of the files from the configuration. // Check the permissions of the files from the configuration.
if let Some(i_str) = &(sconfig.tls_chain) {
let i_path = PathBuf::from(i_str.as_str());
let i_meta = read_file_metadata(&i_path);
if !file_permissions_readonly(&i_meta) {
eprintln!("WARNING: permissions on {} may not be secure. Should be readonly to running uid. This could be a security risk ...", i_str);
}
}
if let Some(i_str) = &(sconfig.tls_key) {
let i_path = PathBuf::from(i_str.as_str());
let i_meta = read_file_metadata(&i_path);
if !file_permissions_readonly(&i_meta) {
eprintln!("WARNING: permissions on {} may not be secure. Should be readonly to running uid. This could be a security risk ...", i_str);
}
if i_meta.mode() & 0o007 != 0 {
eprintln!("WARNING: {} has 'everyone' permission bits in the mode. This could be a security risk ...", i_str);
}
}
let db_path = PathBuf::from(sconfig.db_path.as_str()); let db_path = PathBuf::from(sconfig.db_path.as_str());
// We can't check the db_path permissions because it may not exist yet! // We can't check the db_path permissions because it may not exist yet!
if let Some(db_parent_path) = db_path.parent() { if let Some(db_parent_path) = db_path.parent() {
@ -219,9 +199,6 @@ async fn main() {
config.update_log_level(ll); config.update_log_level(ll);
config.update_db_path(&sconfig.db_path.as_str()); config.update_db_path(&sconfig.db_path.as_str());
config.update_db_fs_type(&sconfig.db_fs_type); config.update_db_fs_type(&sconfig.db_fs_type);
config.update_tls(&sconfig.tls_chain, &sconfig.tls_key);
config.update_bind(&sconfig.bindaddress);
config.update_ldapbind(&sconfig.ldapbindaddress);
config.update_origin(&sconfig.origin.as_str()); config.update_origin(&sconfig.origin.as_str());
config.update_db_arc_size(sconfig.db_arc_size); config.update_db_arc_size(sconfig.db_arc_size);
config.update_role(sconfig.role); config.update_role(sconfig.role);
@ -241,6 +218,32 @@ async fn main() {
match opt { match opt {
KanidmdOpt::Server(_sopt) => { KanidmdOpt::Server(_sopt) => {
eprintln!("Running in server mode ..."); eprintln!("Running in server mode ...");
// configuration options that only relate to server mode
config.update_tls(&sconfig.tls_chain, &sconfig.tls_key);
config.update_bind(&sconfig.bindaddress);
config.update_ldapbind(&sconfig.ldapbindaddress);
if let Some(i_str) = &(sconfig.tls_chain) {
let i_path = PathBuf::from(i_str.as_str());
let i_meta = read_file_metadata(&i_path);
if !file_permissions_readonly(&i_meta) {
eprintln!("WARNING: permissions on {} may not be secure. Should be readonly to running uid. This could be a security risk ...", i_str);
}
}
if let Some(i_str) = &(sconfig.tls_key) {
let i_path = PathBuf::from(i_str.as_str());
let i_meta = read_file_metadata(&i_path);
if !file_permissions_readonly(&i_meta) {
eprintln!("WARNING: permissions on {} may not be secure. Should be readonly to running uid. This could be a security risk ...", i_str);
}
if i_meta.mode() & 0o007 != 0 {
eprintln!("WARNING: {} has 'everyone' permission bits in the mode. This could be a security risk ...", i_str);
}
}
let sctx = create_server_core(config).await; let sctx = create_server_core(config).await;
match sctx { match sctx {
Ok(_sctx) => match tokio::signal::ctrl_c().await { Ok(_sctx) => match tokio::signal::ctrl_c().await {