Remove scripts that are no longer required (#1759)

This commit is contained in:
Firstyear 2023-06-21 15:52:19 +10:00 committed by GitHub
parent 41d8fece68
commit 4725d625af
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 14 additions and 304 deletions


@ -259,15 +259,11 @@ is critical.
Once you have the source code, you need encryption certificates to use with the server, because
without certificates, authentication will fail.
We recommend using [Let's Encrypt](https://letsencrypt.org), but if this is not possible, please use
our insecure certificate tool (`scripts/insecure_generate_tls.sh`). The insecure certificate tool
creates `/tmp/kanidm` and puts some self-signed certificates there.
**NOTE:** Windows developers can use `scripts/insecure_generate_tls.ps1`, which puts everything
(including a templated config file) in `$TEMP\kanidm`. Please adjust paths below to suit.
We recommend using [Let's Encrypt](https://letsencrypt.org), but if this is not possible kanidmd
will create self-signed certificates in `/tmp/kanidm`.
You can now build and run the server with the commands below. It will use a database in
`/tmp/kanidm.db`.
`/tmp/kanidm/kanidm.db`.
Create the initial database and generate an `admin` password:


@ -1,106 +0,0 @@
$ErrorActionPreference = "Stop"
$KANI_TMP="$Env:TEMP\kanidm\"
$ALTNAME_FILE="${KANI_TMP}altnames.cnf"
$CACERT="${KANI_TMP}ca.pem"
$CAKEY="${KANI_TMP}cakey.pem"
$KEYFILE="${KANI_TMP}key.pem"
$CERTFILE="${KANI_TMP}cert.pem"
$CSRFILE="${KANI_TMP}cert.csr"
$CHAINFILE="${KANI_TMP}chain.pem"
# $DHFILE="${KANI_TMP}dh.pem"
$CONFIG_FILE="${KANI_TMP}server.toml"
if (Test-Path -Path "$KANI_TMP" ) {
Write-Output "Output dir exists at $KANI_TMP"
} else {
Write-Warning "Output dir missing at $KANI_TMP"
$result = New-Item -Path "$KANI_TMP" -ItemType Directory
}
if ( $(Test-Path -Path "examples\insecure_server.toml") -eq $false ) {
Write-Error "You need to run this from the base dir of the repo!"
exit 1
}
# Building the config file
$CONFIG = Get-Content "examples\insecure_server.toml"
$CONFIG = $CONFIG -replace "/tmp/kanidm/", "$KANI_TMP"
$CONFIG = $CONFIG -replace "\\", "/"
$CONFIG | Set-Content "${CONFIG_FILE}" -Force
$ALTNAME_FILE_CONTENTS = @'
[req]
nsComment = "Certificate"
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Queensland
localityName = Locality Name (eg, city)
localityName_default = Brisbane
0.organizationName = Organization Name (eg, company)
0.organizationName_default = INSECURE EXAMPLE
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = kanidm
commonName = Common Name (eg, your name or your servers hostname)
commonName_max = 64
commonName_default = localhost
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
'@
Write-Output "Creating cert template"
$result = New-Item -Path "$ALTNAME_FILE" -ItemType File -Value "$ALTNAME_FILE_CONTENTS" -Force
write-debug $result
Write-Output "Generate the CA"
openssl req -x509 -new -newkey rsa:4096 -sha256 -keyout "${CAKEY}" -out "${CACERT}" -days 31 -subj "/C=AU/ST=Queensland/L=Brisbane/O=INSECURE/CN=insecure.ca.localhost" -nodes
if ( $LastExitCode -ne 0 ){
exit 1
}
Write-Output "Generating the private key"
openssl genrsa -out "${KEYFILE}" 4096
if ( $LastExitCode -ne 0 ){
exit 1
}
Write-Output "Generating the certificate signing request"
openssl req -sha256 -config "${ALTNAME_FILE}" -days 31 -new -extensions v3_req -key "${KEYFILE}" -out "${CSRFILE}"
if ( $LastExitCode -ne 0 ){
exit 1
}
Write-Output "Signing the certificate"
openssl x509 -req -days 31 -extfile "${ALTNAME_FILE}" -CA "${CACERT}" -CAkey "${CAKEY}" -CAcreateserial -in "${CSRFILE}" -out "${CERTFILE}" -extensions v3_req -sha256
Write-Output "Creating the certificate chain"
Get-Content "${CERTFILE}" ,"${CACERT}" | Set-Content "${CHAINFILE}" -Force
Write-Output "Certificate chain is at: ${CHAINFILE}"
Write-Output "Private key is at: ${KEYFILE}"
Write-Output "The configuration file is at: ${CONFIG_FILE}"


@ -1,190 +0,0 @@
#!/bin/sh
set -e
# you can set the hostname if you want, but it'll default to localhost
if [ -z "$CERT_HOSTNAME" ]; then
CERT_HOSTNAME="localhost"
fi
# also where the files are stored
if [ -z "$KANI_TMP" ]; then
KANI_TMP=/tmp/kanidm/
fi
ALTNAME_FILE="${KANI_TMP}altnames.cnf"
CANAME_FILE="${KANI_TMP}ca.cnf"
CACERT="${KANI_TMP}ca.pem"
CAKEY="${KANI_TMP}cakey.pem"
CADB="${KANI_TMP}ca.txt"
CASRL="${KANI_TMP}ca.srl"
KEYFILE="${KANI_TMP}key.pem"
CERTFILE="${KANI_TMP}cert.pem"
CSRFILE="${KANI_TMP}cert.csr"
CHAINFILE="${KANI_TMP}chain.pem"
DHFILE="${KANI_TMP}dh.pem"
if [ ! -d "${KANI_TMP}" ]; then
echo "Creating temp kanidm dir: ${KANI_TMP}"
mkdir -p "${KANI_TMP}"
fi
cat > "${CANAME_FILE}" << DEVEOF
[req]
nsComment = "Certificate Authority"
distinguished_name = req_distinguished_name
req_extensions = v3_ca
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Queensland
localityName = Locality Name (eg, city)
localityName_default = Brisbane
0.organizationName = Organization Name (eg, company)
0.organizationName_default = INSECURE EXAMPLE
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = kanidm
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
commonName_default = insecure.ca.localhost
[ v3_ca ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
DEVEOF
cat > "${ALTNAME_FILE}" << DEVEOF
[ca]
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
dir = ${KANI_TMP}
certs = ${KANI_TMP}
crl_dir = ${KANI_TMP}
new_certs_dir = ${KANI_TMP}
database = ${CADB}
serial = ${CASRL}
# The root key and root certificate.
private_key = ${CAKEY}
certificate = ${CACERT}
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 3650
preserve = no
policy = policy_loose
[ policy_loose ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[req]
nsComment = "Certificate"
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Queensland
localityName = Locality Name (eg, city)
localityName_default = Brisbane
0.organizationName = Organization Name (eg, company)
0.organizationName_default = INSECURE EXAMPLE
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = kanidm
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
commonName_default = ${CERT_HOSTNAME}
[ v3_req ]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "Server Certificate"
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
DEVEOF
touch ${CADB}
echo 1000 > ${CASRL}
echo "Make the ca key..."
openssl ecparam -genkey -name prime256v1 -noout -out "${CAKEY}"
echo "Self sign the CA..."
openssl req -batch -config "${CANAME_FILE}" \
-key "${CAKEY}" \
-new -x509 -days +31 \
-sha256 -extensions v3_ca \
-out "${CACERT}" \
-nodes
echo "Generating the server private key..."
openssl ecparam -genkey -name prime256v1 -noout -out "${KEYFILE}"
echo "Generating the certificate signing request..."
openssl req -sha256 -new \
-batch \
-config "${ALTNAME_FILE}" -extensions v3_req \
-key "${KEYFILE}"\
-nodes \
-out "${CSRFILE}"
echo "Signing the certificate..."
openssl ca -config "${ALTNAME_FILE}" \
-batch \
-extensions v3_req \
-days 31 -notext -md sha256 \
-in "${CSRFILE}" \
-out "${CERTFILE}"
# Create the chain
cat "${CERTFILE}" "${CACERT}" > "${CHAINFILE}"
# create the dh file for RADIUS
openssl dhparam -in "${CAFILE}" -out "${DHFILE}" 2048
echo "Certificate chain is at: ${CHAINFILE}"
echo "Private key is at: ${KEYFILE}"
echo ""
echo "**Remember** the default action is to store the files in /tmp/ so they'll be deleted on reboot! Set the KANI_TMP environment variable before running this script if you want to change that. You'll need to update server config elsewhere if you do, however."


@ -6,6 +6,16 @@ if [ -z "$KANI_CARGO_OPTS" ]; then
KANI_CARGO_OPTS=""
fi
# also where the files are stored
if [ -z "$KANI_TMP" ]; then
KANI_TMP=/tmp/kanidm/
fi
if [ ! -d "${KANI_TMP}" ]; then
echo "Creating temp kanidm dir: ${KANI_TMP}"
mkdir -p "${KANI_TMP}"
fi
CONFIG_FILE="../../examples/insecure_server.toml"
if [ ! -f "${CONFIG_FILE}" ]; then
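Review bot: The new `if [ ! -d "${KANI_TMP}" ]` / `mkdir -p "${KANI_TMP}"` block silently reuses `/tmp/kanidm/` when it already exists, so in a shared `/tmp` a directory pre-created by another local user (possibly world-writable) becomes the place this script and, per the doc hunk in this commit, kanidmd's self-signed certificates and `kanidm.db` are written, with no ownership or permission check. Since the default is a fixed path under `/tmp`, I would create it with a restrictive mode and refuse to continue if it is not ours: `mkdir -p -m 0700 "${KANI_TMP}"` followed by `[ -O "${KANI_TMP}" ] || { echo "refusing to use ${KANI_TMP}: not owned by the current user" >&2; exit 1; }` (`-O` is supported by bash and dash but is not strictly POSIX, so check against the script's shebang, which is outside this hunk). The `[ ! -d ]` guard is redundant with `mkdir -p` and only gates the "Creating temp kanidm dir" message, which is fine but would be better sent to stderr so it does not mix with any output callers capture. The surrounding script starts before line 6 and continues past this hunk.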


@ -138,7 +138,7 @@ pub struct AccountNamedExpireDateTimeOpt {
#[clap(flatten)]
copt: CommonOpt,
#[clap(name = "datetime", verbatim_doc_comment)]
/// This accepts mulitple options:
/// This accepts multiple options:
/// - An RFC3339 time of the format "YYYY-MM-DDTHH:MM:SS+TZ", "2020-09-25T11:22:02+10:00"
/// - One of "any", "clear" or "never" to remove account expiry.
/// - "epoch" to set the expiry to the UNIX epoch