mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-24 04:57:00 +01:00
Code Issues Actions 10 Packages Projects Releases Wiki Activity

Fixing the kanidmd healthcheck (#1789)

Browse source 
* fixing the health check
* fixing pages while I am here
* flipping options like I flip burgers
* using the config-supplied cert
This commit is contained in:
James Hodgkinson 2023-06-28 19:41:24 +10:00 committed by GitHub
parent 9a3c12a79d
commit 3e4c8f6241
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 79 additions and 55 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
.github/workflows/kanidm_book.yml vendored
View file

@ -53,6 +53,7 @@ jobs:
fanout: fanout:
uses: './.github/workflows/kanidm_individual_book.yml' uses: './.github/workflows/kanidm_individual_book.yml'
needs: pre_deploy needs: pre_deploy
if: ${{ github.action_ref == 'refs/heads/master' && github.repository == 'kanidm/kanidm' && github.event == 'merge' }}
strategy: strategy:
fail-fast: false fail-fast: false
@ -70,13 +71,14 @@ jobs:
deploy: deploy:
environment: environment:
name: github-pages name: "github-pages"
url: ${{ steps.deployment.outputs.page_url }} url: ${{ steps.deployment.outputs.page_url }}
needs: needs:
- pre_deploy - pre_deploy
- fanout - fanout
- docs_master - docs_master
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: ${{ github.action_ref == 'refs/heads/master' && github.repository == 'kanidm/kanidm' && github.event == 'merge' }}
steps: steps:
- name: Setup Pages - name: Setup Pages
uses: actions/configure-pages@v3 uses: actions/configure-pages@v3
@ -97,18 +99,6 @@ jobs:
path: ./docs/ path: ./docs/
env: env:
ACTIONS_RUNNER_DEBUG: true ACTIONS_RUNNER_DEBUG: true
# - name: Log more stuff
# run: |
# echo "Currently in $(pwd)"
# mkdir -p docs && find $(pwd) -ls > ./docs/manifest.txt
# env:
# ACTIONS_RUNNER_DEBUG: true
# - name: Upload docs dir as an artifact
# # https://github.com/actions/upload-artifact
# uses: actions/upload-artifact@v3
# with:
# name: logs
# path: docs/
- name: Extract the files - name: Extract the files
run: | run: |
pwd pwd

1
book/book.toml
View file

@ -12,5 +12,6 @@ title = "Kanidm Administration"
[output.html] [output.html]
edit-url-template = "https://github.com/kanidm/kanidm/edit/master/book/{path}" edit-url-template = "https://github.com/kanidm/kanidm/edit/master/book/{path}"
git-repository-url = "https://github.com/kanidm/kanidm" git-repository-url = "https://github.com/kanidm/kanidm"
git-repository-icon = "fa-github"
[preprocessor.template] [preprocessor.template]

78
server/daemon/src/main.rs
View file

@ -17,6 +17,7 @@ static ALLOC: tikv_jemallocator::Jemalloc = tikv_jemallocator::Jemalloc;
use std::fs::{metadata, File}; use std::fs::{metadata, File};
// This works on both unix and windows. // This works on both unix and windows.
use fs2::FileExt; use fs2::FileExt;
use kanidm_proto::messages::ConsoleOutputMode;
#[cfg(target_family = "unix")] #[cfg(target_family = "unix")]
use std::os::unix::fs::MetadataExt; use std::os::unix::fs::MetadataExt;
use std::path::PathBuf; use std::path::PathBuf;
@ -284,6 +285,10 @@ async fn main() -> ExitCode {
config.update_output_mode(opt.commands.commonopt().output_mode.to_owned().into()); config.update_output_mode(opt.commands.commonopt().output_mode.to_owned().into());
config.update_trust_x_forward_for(sconfig.trust_x_forward_for); config.update_trust_x_forward_for(sconfig.trust_x_forward_for);
match &opt.commands {
// we aren't going to touch the DB so we can carry on
KanidmdOpt::HealthCheck(_) => (),
_ => {
// Okay - Lets now create our lock and go. // Okay - Lets now create our lock and go.
let klock_path = format!("{}.klock" ,sconfig.db_path.as_str()); let klock_path = format!("{}.klock" ,sconfig.db_path.as_str());
let flock = match File::create(&klock_path) { let flock = match File::create(&klock_path) {
@ -302,6 +307,8 @@ async fn main() -> ExitCode {
return ExitCode::FAILURE return ExitCode::FAILURE
} }
}; };
}
}
/* /*
// Apply any cli overrides, normally debug level. // Apply any cli overrides, normally debug level.
@ -523,36 +530,50 @@ async fn main() -> ExitCode {
debug!("{sopt:?}"); debug!("{sopt:?}");
let healthcheck_url = format!("https://{}/status", config.address);
let healthcheck_url = match &sopt.check_origin {
true => format!("{}/status", config.origin),
false => format!("https://{}/status", config.address),
};
debug!("Checking {healthcheck_url}"); debug!("Checking {healthcheck_url}");
let client = reqwest::ClientBuilder::new() let mut client = reqwest::ClientBuilder::new()
.danger_accept_invalid_certs(sopt.no_verify_tls) .danger_accept_invalid_certs(!sopt.verify_tls)
.danger_accept_invalid_hostnames(sopt.no_verify_tls) .danger_accept_invalid_hostnames(!sopt.verify_tls)
.https_only(true); .https_only(true);
// TODO: work out how to pull the CA from the chain
// client = match config.tls_config {
// Some(tls_config) => {
// eprintln!("{:?}", tls_config);
// let mut buf = Vec::new();
// File::open(tls_config.chain)
// .unwrap()
// .read_to_end(&mut buf)
// .unwrap();
// eprintln!("buf: {:?}", buf);
// match reqwest::Certificate::from_pem(&buf){
// Ok(cert) => client.add_root_certificate(cert),
// Err(err) => {
// error!("Failed to read TLS chain: {err:?}");
// client
// }
// }
// },
// None => client, client = match &sconfig.tls_chain {
// }; None => client,
Some(ca_cert) => {
debug!("Trying to load {}", ca_cert);
// if the ca_cert file exists, then we'll use it
let ca_cert_path = PathBuf::from(ca_cert);
match ca_cert_path.exists() {
true => {
let ca_contents = std::fs::read_to_string(ca_cert_path.clone()).expect(&format!("Failed to read {}!", ca_cert));
let content = ca_contents
.split("-----END CERTIFICATE-----")
.into_iter()
.filter_map(|c| if c.trim().is_empty() { None } else { Some(c.trim().to_string())})
.collect::<Vec<String>>();
let content = content.last().expect(&format!("Failed to pull the last chunk of {} as a valid certificate!", ca_cert));
let content = format!("{}-----END CERTIFICATE-----", content);
let ca_cert_parsed = reqwest::Certificate::from_pem(content.as_bytes())
.expect(&format!("Failed to parse {} as a valid certificate!\n{}", ca_cert, content));
client.add_root_certificate(ca_cert_parsed)
},
false => {
warn!("Couldn't find ca cert {} but carrying on...", ca_cert);
client
}
}
}
};
let client = client let client = client
.build() .build()
@ -576,7 +597,16 @@ async fn main() -> ExitCode {
} }
}; };
debug!("Request: {req:?}"); debug!("Request: {req:?}");
let output_mode: ConsoleOutputMode = sopt.commonopts.output_mode.to_owned().into();
match output_mode {
ConsoleOutputMode::JSON => {
println!("{{\"result\":\"OK\"}}")
},
ConsoleOutputMode::Text => {
info!("OK") info!("OK")
},
}
} }
KanidmdOpt::Version(_) => {} KanidmdOpt::Version(_) => {}
} }

5
server/daemon/src/opt.rs
View file

@ -75,7 +75,10 @@ struct DbScanListIndex {
struct HealthCheckArgs { struct HealthCheckArgs {
/// Disable TLS verification /// Disable TLS verification
#[clap(short, long, action)] #[clap(short, long, action)]
no_verify_tls: bool, verify_tls: bool,
/// Check the 'origin' URL from the server configuration file, instead of the 'address'
#[clap(short='O', long, action)]
check_origin: bool,
#[clap(flatten)] #[clap(flatten)]
commonopts: CommonOpt, commonopts: CommonOpt,
} }