diff --git a/.github/workflows/kanidm_book.yml b/.github/workflows/kanidm_book.yml
index b2aee1c68..8af17d2d4 100644
--- a/.github/workflows/kanidm_book.yml
+++ b/.github/workflows/kanidm_book.yml
@@ -53,6 +53,7 @@ jobs:
 fanout:
 uses: './.github/workflows/kanidm_individual_book.yml'
 needs: pre_deploy
+ if: ${{ github.action_ref == 'refs/heads/master' && github.repository == 'kanidm/kanidm' && github.event == 'merge' }}
 strategy:
 fail-fast: false
@@ -70,13 +71,14 @@ jobs:
 deploy:
 environment:
- name: github-pages
+ name: "github-pages"
 url: ${{ steps.deployment.outputs.page_url }}
 needs:
 - pre_deploy
 - fanout
 - docs_master
 runs-on: ubuntu-latest
+ if: ${{ github.action_ref == 'refs/heads/master' && github.repository == 'kanidm/kanidm' && github.event == 'merge' }}
 steps:
 - name: Setup Pages
 uses: actions/configure-pages@v3
@@ -97,18 +99,6 @@ jobs:
 path: ./docs/
 env:
 ACTIONS_RUNNER_DEBUG: true
- # - name: Log more stuff
- # run: |
- # echo "Currently in $(pwd)"
- # mkdir -p docs && find $(pwd) -ls > ./docs/manifest.txt
- # env:
- # ACTIONS_RUNNER_DEBUG: true
- # - name: Upload docs dir as an artifact
- # # https://github.com/actions/upload-artifact
- # uses: actions/upload-artifact@v3
- # with:
- # name: logs
- # path: docs/
 - name: Extract the files
 run: |
 pwd
diff --git a/book/book.toml b/book/book.toml
index 18bdae454..b4a47afdf 100644
--- a/book/book.toml
+++ b/book/book.toml
@@ -12,5 +12,6 @@ title = "Kanidm Administration"
 [output.html]
 edit-url-template = "https://github.com/kanidm/kanidm/edit/master/book/{path}"
 git-repository-url = "https://github.com/kanidm/kanidm"
+git-repository-icon = "fa-github"
 [preprocessor.template]
diff --git a/server/daemon/src/main.rs b/server/daemon/src/main.rs
index 4f32ced73..efeccf0a8 100644
--- a/server/daemon/src/main.rs
+++ b/server/daemon/src/main.rs
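Review bot: The guard added to `fanout`, `if: ${{ github.action_ref == 'refs/heads/master' && github.repository == 'kanidm/kanidm' && github.event == 'merge' }}`, tests the wrong context keys and so never evaluates to true on a push to master, which silences the job it is meant to allow; the `deploy` hunk below repeats the same expression. `github.action_ref` is the ref of the action being executed, not the branch of the triggering run (`github.ref`), and `github.event` is the webhook payload object, so comparing it to the string 'merge' cannot match — the event name is `github.event_name`. Gating the Pages deploy on the upstream repository and branch is the right protection, since fork and pull-request runs should not publish. Presumably the intended condition is `if: ${{ github.ref == 'refs/heads/master' && github.repository == 'kanidm/kanidm' && github.event_name == 'push' }}`, in both jobs.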
@@ -17,6 +17,7 @@ static ALLOC: tikv_jemallocator::Jemalloc = tikv_jemallocator::Jemalloc;
 use std::fs::{metadata, File};
 // This works on both unix and windows.
 use fs2::FileExt;
+use kanidm_proto::messages::ConsoleOutputMode;
 #[cfg(target_family = "unix")]
 use std::os::unix::fs::MetadataExt;
 use std::path::PathBuf;
@@ -284,24 +285,30 @@ async fn main() -> ExitCode {
 config.update_output_mode(opt.commands.commonopt().output_mode.to_owned().into());
 config.update_trust_x_forward_for(sconfig.trust_x_forward_for);
- // Okay - Lets now create our lock and go.
- let klock_path = format!("{}.klock" ,sconfig.db_path.as_str());
- let flock = match File::create(&klock_path) {
- Ok(flock) => flock,
- Err(e) => {
- error!("ERROR: Refusing to start - unable to create kanidm exclusive lock at {} - {:?}", klock_path, e);
- return ExitCode::FAILURE
- }
- };
+ match &opt.commands {
+ // we aren't going to touch the DB so we can carry on
+ KanidmdOpt::HealthCheck(_) => (),
+ _ => {
+ // Okay - Lets now create our lock and go.
+ let klock_path = format!("{}.klock" ,sconfig.db_path.as_str());
+ let flock = match File::create(&klock_path) {
+ Ok(flock) => flock,
+ Err(e) => {
+ error!("ERROR: Refusing to start - unable to create kanidm exclusive lock at {} - {:?}", klock_path, e);
+ return ExitCode::FAILURE
+ }
+ };
- match flock.try_lock_exclusive() {
- Ok(()) => debug!("Acquired kanidm exclusive lock"),
- Err(e) => {
- error!("ERROR: Refusing to start - unable to lock kanidm exclusive lock at {} - {:?}", klock_path, e);
- error!("Is another kanidm process running?");
- return ExitCode::FAILURE
+ match flock.try_lock_exclusive() {
+ Ok(()) => debug!("Acquired kanidm exclusive lock"),
+ Err(e) => {
+ error!("ERROR: Refusing to start - unable to lock kanidm exclusive lock at {} - {:?}", klock_path, e);
+ error!("Is another kanidm process running?");
+ return ExitCode::FAILURE
+ }
+ };
 }
- };
+ }
 /*
 // Apply any cli overrides, normally debug level.
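Review bot: Moving the lock into the `_ => { … }` arm scopes `flock` to that block, so the `File` is dropped — and with it the exclusive lock released — as soon as the match finishes, before the server has started; a second kanidmd can then take the same `.klock` and open the database concurrently, which is exactly what the 'Is another kanidm process running?' error exists to prevent. Before this change the binding lived for the rest of `main`, which continues outside this hunk. Keep the handle bound in the outer scope by making the match an expression that yields `Option<File>` and binding it to a named `_flock` (a bare `_` pattern drops it at once).
```rust
    // Keep the handle alive for the rest of main: dropping the File releases the lock.
    let _flock = match &opt.commands {
        // we aren't going to touch the DB so we can carry on
        KanidmdOpt::HealthCheck(_) => None,
        _ => {
            // … unchanged: File::create, try_lock_exclusive and their error returns …
            Some(flock)
        }
    };
```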
@@ -523,36 +530,50 @@ async fn main() -> ExitCode {
 debug!("{sopt:?}");
- let healthcheck_url = format!("https://{}/status", config.address);
+
+ let healthcheck_url = match &sopt.check_origin {
+ true => format!("{}/status", config.origin),
+ false => format!("https://{}/status", config.address),
+ };
+ debug!("Checking {healthcheck_url}");
- let client = reqwest::ClientBuilder::new()
- .danger_accept_invalid_certs(sopt.no_verify_tls)
- .danger_accept_invalid_hostnames(sopt.no_verify_tls)
+ let mut client = reqwest::ClientBuilder::new()
+ .danger_accept_invalid_certs(!sopt.verify_tls)
+ .danger_accept_invalid_hostnames(!sopt.verify_tls)
 .https_only(true);
- // TODO: work out how to pull the CA from the chain
- // client = match config.tls_config {
- // Some(tls_config) => {
- // eprintln!("{:?}", tls_config);
- // let mut buf = Vec::new();
- // File::open(tls_config.chain)
- // .unwrap()
- // .read_to_end(&mut buf)
- // .unwrap();
- // eprintln!("buf: {:?}", buf);
- // match reqwest::Certificate::from_pem(&buf){
- // Ok(cert) => client.add_root_certificate(cert),
- // Err(err) => {
- // error!("Failed to read TLS chain: {err:?}");
- // client
- // }
- // }
- // },
- // None => client,
- // };
+
+ client = match &sconfig.tls_chain {
+ None => client,
+ Some(ca_cert) => {
+ debug!("Trying to load {}", ca_cert);
+ // if the ca_cert file exists, then we'll use it
+ let ca_cert_path = PathBuf::from(ca_cert);
+ match ca_cert_path.exists() {
+ true => {
+ let ca_contents = std::fs::read_to_string(ca_cert_path.clone()).expect(&format!("Failed to read {}!", ca_cert));
+ let content = ca_contents
+ .split("-----END CERTIFICATE-----")
+ .into_iter()
+ .filter_map(|c| if c.trim().is_empty() { None } else { Some(c.trim().to_string())})
+ .collect::>();
+ let content = content.last().expect(&format!("Failed to pull the last chunk of {} as a valid certificate!", ca_cert));
+ let content = format!("{}-----END CERTIFICATE-----", content);
+
+ let ca_cert_parsed = reqwest::Certificate::from_pem(content.as_bytes())
+ .expect(&format!("Failed to parse {} as a valid certificate!\n{}", ca_cert, content));
+ client.add_root_certificate(ca_cert_parsed)
+ },
+ false => {
+ warn!("Couldn't find ca cert {} but carrying on...", ca_cert);
+ client
+ }
+ }
+ }
+ };
 let client = client
 .build()
@@ -576,7 +597,16 @@ async fn main() -> ExitCode {
 }
 };
 debug!("Request: {req:?}");
- info!("OK")
+ let output_mode: ConsoleOutputMode = sopt.commonopts.output_mode.to_owned().into();
+ match output_mode {
+ ConsoleOutputMode::JSON => {
+ println!("{{\"result\":\"OK\"}}")
+ },
+ ConsoleOutputMode::Text => {
+ info!("OK")
+ },
+ }
+ }
 KanidmdOpt::Version(_) => {}
 }
diff --git a/server/daemon/src/opt.rs b/server/daemon/src/opt.rs
index acb530e02..eb0245ae0 100644
--- a/server/daemon/src/opt.rs
+++ b/server/daemon/src/opt.rs
@@ -75,7 +75,10 @@ struct DbScanListIndex {
 struct HealthCheckArgs {
 /// Disable TLS verification
 #[clap(short, long, action)]
- no_verify_tls: bool,
+ verify_tls: bool,
+ /// Check the 'origin' URL from the server configuration file, instead of the 'address'
+ #[clap(short='O', long, action)]
+ check_origin: bool,
 #[clap(flatten)]
 commonopts: CommonOpt,
 }
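Review bot: The three `.expect(&format!(…))` calls in the `Some(ca_cert)` branch turn an unreadable or malformed `tls_chain` file into a panic of the health-check process, whereas the rest of this `main` reports with `error!` and `return ExitCode::FAILURE` (see the lock-creation arm in the earlier hunk); they also build the message eagerly on every call (clippy `expect_fun_call`). In the same branch `read_to_string(ca_cert_path.clone())` can take `&ca_cert_path`, `.into_iter()` on the `Split` iterator is a no-op, and the `collect::>()` turbofish looks garbled in this rendering (presumably `Vec<String>` lost in extraction), which is worth confirming in the committed text. Only the last PEM block of the chain file is added as a trust root, which is reasonable for a probe of the server's own certificate but deserves a comment, e.g. `// Trust the last certificate in our own chain file (presumably the issuing CA) so the probe validates the cert we serve.` The enclosing `main` starts and ends outside this hunk.
```rust
                Some(ca_cert) => {
                    debug!("Trying to load {}", ca_cert);
                    let ca_cert_path = PathBuf::from(ca_cert);
                    if !ca_cert_path.exists() {
                        warn!("Couldn't find ca cert {} but carrying on...", ca_cert);
                        client
                    } else {
                        let ca_contents = match std::fs::read_to_string(&ca_cert_path) {
                            Ok(c) => c,
                            Err(e) => {
                                error!("Failed to read {}: {:?}", ca_cert, e);
                                return ExitCode::FAILURE;
                            }
                        };
                        // Trust only the last PEM block of the chain file (presumably the issuing CA).
                        let last_block = ca_contents
                            .split("-----END CERTIFICATE-----")
                            .map(str::trim)
                            .filter(|c| !c.is_empty())
                            .last();
                        let pem = match last_block {
                            Some(block) => format!("{}-----END CERTIFICATE-----", block),
                            None => {
                                error!("No certificate found in {}", ca_cert);
                                return ExitCode::FAILURE;
                            }
                        };
                        match reqwest::Certificate::from_pem(pem.as_bytes()) {
                            Ok(cert) => client.add_root_certificate(cert),
                            Err(e) => {
                                error!("Failed to parse {} as a valid certificate: {:?}", ca_cert, e);
                                return ExitCode::FAILURE;
                            }
                        }
                    }
                }
```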
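Review bot: Renaming `no_verify_tls` to `verify_tls` under the unchanged `#[clap(short, long, action)]` inverts the default: for a `bool` field `action` is inferred as `ArgAction::SetTrue`, so `verify_tls` is `false` unless `--verify-tls` is given, and main.rs now passes `!sopt.verify_tls` to `danger_accept_invalid_certs`/`danger_accept_invalid_hostnames` — the health check accepts any certificate and hostname by default, where it previously verified unless `--no-verify-tls` was passed. The retained doc comment `/// Disable TLS verification` also no longer describes a field named `verify_tls`. If the field name is the goal, keep verification on by default and spell out the opt-out: `/// Disable TLS verification`, `#[clap(long = "no-verify-tls", action = clap::ArgAction::SetFalse)]`, `verify_tls: bool,` — `SetFalse` defaults the field to `true` and clears it when the flag is present, so the `!sopt.verify_tls` call sites keep their meaning. `short` is dropped because the `-v` clap derives from the field name would read as 'verify' while doing the opposite.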