20220501 fix logging (#730)

kanidm_book/src/administrivia.md

@@ -151,6 +151,9 @@ Third, trigger the database domain rename process.
 
     docker run --rm -i -t -v kandimd:/data \
         kanidm/server:latest /sbin/kanidmd domain_name_change -c /data/server.toml
+
+Finally, you can now start your instance again.
+
     docker start <container name>
 
 # Raw actions

kanidm_book/src/server_configuration.md

@@ -83,22 +83,22 @@ You will also need a config file in the volume named `server.toml` (Within the c
 
 An example is located in [examples/server.toml](../../examples/server.toml).
 
-### Domain Name
+> **WARNING** You MUST set the `domain` name correctly, aligned with your `origin`, else the server
+> may refuse to start, or some features (e.g. webauthn, oauth) may not work correctly!
 
-You then *MUST* set your domain name so that security principal names (spn's) are generated correctly.
+### Check the configuration is valid.
-This domain name _must_ match the url/origin of the server that you plan to use to interact with
-so that other features work correctly. It is possible to change this domain name later.
 
-    docker run --rm -i -t -v kanidmd:/data kanidm/server:latest /sbin/kanidmd domain_name_change -c /data/server.toml -n idm.example.com
+You should test your configuration is valid before you proceed.
 
-> **WARNING** You MUST set the domain name correctly, aligned with your origin, else the server
+    docker run --rm -i -t -v kandimd:/data \
-> may refuse to start, or some features may not work correctly!
+        kanidm/server:latest /sbin/kanidmd configtest -c /data/server.toml
 
 ### Default Admin Account
 
 Then you can setup the initial admin account and initialise the database into your volume.
 
-    docker run --rm -i -t -v kanidmd:/data kanidm/server:latest /sbin/kanidmd recover_account -c /data/server.toml -n admin
+    docker run --rm -i -t -v kanidmd:/data \
+        kanidm/server:latest /sbin/kanidmd recover_account -c /data/server.toml -n admin
 
 ### Run the Server
 

kanidm_client/src/lib.rs

@@ -122,10 +122,6 @@ impl KanidmClientBuilder {
             let path = Path::new(ca_path);
             let ca_meta = read_file_metadata(&path)?;
 
-            if !ca_meta.permissions().readonly() {
-                warn!("permissions on {} may not be secure. Should be readonly to running uid. This could be a security risk ...", ca_path);
-            }
-
             #[cfg(target_family = "unix")]
             if ca_meta.uid() != 0 || ca_meta.gid() != 0 {
                 warn!(
@@ -133,6 +129,11 @@ impl KanidmClientBuilder {
                     ca_path
                 );
             }
+
+            #[cfg(target_family = "unix")]
+            if ca_meta.mode() != 0o644 {
+                warn!("permissions on {} may not be secure. Should be set to 0644. This could be a security risk ...", ca_path);
+            }
         }
 
         // TODO #725: Handle these errors better, or at least provide diagnostics - this currently fails silently

project_docs/RELEASE_CHECKLIST.md

@@ -13,10 +13,18 @@
 * cargo test
 
 * Update RELEASE_NOTES.md
+* git commit
 
 * cargo release --no-dev-version --skip-push --skip-publish --skip-tag  1.1.0-alpha.X
 * git rebase -i HEAD~X
 * git tag v1.1.0-alpha.x
+* git branch v1.1.0-alpha.x
+* git checkout v1.1.0-alpha.x
+
+// Check it
+
+* git push origin v1.1.0-alpha.x
+* git push origin master
 
 * release kanidm_proto
 * release kanidmd/kanidm