RADIUS fixes (#942)

* actually writing cert files properly now * Updated readme with config file, fixed check for config file. * minor tweaks to actions, removing job limits and skipping login to registry if not going to push * removing old config.ini file * temporarily adding Williams fixed package
2025-02-23 04:27:02 +01:00 · 2022-07-22 13:04:36 +10:00 · 2022-07-22 13:04:36 +10:00 · 60f9541cdd
parent b249747e55
commit 60f9541cdd
10 changed files with 48 additions and 57 deletions
--- a/.github/workflows/docker_build_kanidm.yml
+++ b/.github/workflows/docker_build_kanidm.yml
@ -27,6 +27,8 @@ jobs:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
+        # don't log in if we're not going to push!
+        if: ${{ github.ref == 'refs/heads/master' }}
      - name: Build and push kanidmd
        id: docker_build_kanidm
        uses: docker/build-push-action@v3
@ -37,5 +39,5 @@ jobs:
          tags: ghcr.io/kanidm/kanidm:devel
          build-args: |
            "KANIDM_FEATURES="
-            "KANIDM_BUILD_OPTIONS=-j1"
+          #  "KANIDM_BUILD_OPTIONS=-j1"
          file: kanidm_tools/Dockerfile
--- a/.github/workflows/docker_build_kanidmd.yml
+++ b/.github/workflows/docker_build_kanidmd.yml
@ -16,10 +16,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+      # don't need qemu/buildx if we're not building ARM
+      #- name: Set up QEMU
+      #  uses: docker/setup-qemu-action@v2
+      #- name: Set up Docker Buildx
+      #  uses: docker/setup-buildx-action@v2
      -  # https://github.com/docker/login-action/#github-container-registry
        name: Login to GitHub Container Registry
        uses: docker/login-action@v2
@ -27,6 +28,8 @@ jobs:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
+        # don't log in if we're not going to push!
+        if: ${{ github.ref == 'refs/heads/master' }}
      - name: Build and push kanidmd
        id: docker_build_kanidmd
        uses: docker/build-push-action@v3
@ -34,6 +37,6 @@ jobs:
          push: ${{ github.ref == 'refs/heads/master' }}
          platforms: linux/amd64
          tags: ghcr.io/kanidm/kanidmd:devel
-          build-args: |
-            "KANIDM_BUILD_OPTIONS=-j1"
+          #build-args: |
+          #  "KANIDM_BUILD_OPTIONS=-j1"
          file: kanidmd/Dockerfile
--- a/.github/workflows/docker_build_radiusd.yml
+++ b/.github/workflows/docker_build_radiusd.yml
@ -27,6 +27,8 @@ jobs:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
+        # don't log in if we're not going to push!
+        if: ${{ github.ref == 'refs/heads/master' }}
      - name: Build and push radius
        id: docker_build_radius
        uses: docker/build-push-action@v3
--- a/DEVELOPER_README.md
+++ b/DEVELOPER_README.md
@ -271,11 +271,11 @@ need to
 ```shell
 docker pull ghcr.io/kanidm/radius:devel
 docker run --rm -it \
-    -v $(pwd)/config.ini:/data/config.ini \
+    -v $(pwd)/kanidm:/data/kanidm \
    ghcr.io/kanidm/radius:devel
 ```

-This assumes you have a `config.ini` file in the current working directory.
+This assumes you have a `kanidm` client configuration file in the current working directory.

 ## Building the Book

--- a/3
+++ b/3
@ -70,11 +70,10 @@ test/kanidmd:
 	@$(CONTAINER_TOOL) run --rm $(IMAGE_BASE)/server:$(IMAGE_VERSION)-builder cargo test

 test/radiusd: ## Run a test radius server
+test/radiusd: build/radiusd
 	cd kanidm_rlm_python && \
 	./run_radius_container.sh

-test/radiusd:	build/radiusd test/radiusd
-
 test:
 	cargo test

--- a/examples/kanidm
+++ b/examples/kanidm
@ -18,10 +18,10 @@ uri = "https://idm.example.com"
 username = "radius_service_account"
 password = "cr4bzr0ol"

-# radius_cert_path = "/etc/raddb/certs/cert.pem" #
-# radius_key_path = "/etc/raddb/certs/key.pem"   # the signing key for radius TLS
-# radius_dh_path = "/etc/raddb/certs/dh.pem"     # the diffie-hellman output
-# radius_ca_path = "/etc/raddb/certs/ca.pem"     # the CA certificate?
+radius_cert_path = "/certs/cert.pem" # the TLS certificate
+radius_key_path = "/certs/key.pem"   # the signing key for radius TLS
+radius_dh_path = "/certs/dh.pem"     # the diffie-hellman output
+radius_ca_path = "/certs/ca.pem"     # the CA certificate

 # A list of groups, if a user is in them, they're approved for RADIUS authentication
 radius_required_groups = [
--- a/kanidm_rlm_python/Dockerfile
+++ b/kanidm_rlm_python/Dockerfile
@ -2,6 +2,9 @@ FROM opensuse/tumbleweed:latest

 EXPOSE 1812 1813

+# TODO: remove this once the freeradius python fix has been rolled into tumbleweed main
+RUN zypper ar -f obs://home:firstyear:branches:network home:firstyear:branches:network
+
 RUN zypper --gpg-auto-import-keys refresh --force
 RUN zypper install -y \
    freeradius-client \
@ -9,9 +12,9 @@ RUN zypper install -y \
    freeradius-server-python3 \
    freeradius-server-utils \
    hostname \
-    python3 \
-    python3-devel \
-    python3-pip \
+    python310 \
+    python310-devel \
+    python310-pip \
    timezone \
    iproute2 \
    iputils \
--- a/kanidm_rlm_python/config.ini
+++ b/kanidm_rlm_python/config.ini
@ -1,27 +0,0 @@
-[kanidm_client]
-url =
-strict = true
-# Only if you want to check a specific ca root with strict = true
-# ca = /data/ca.crt
-user =
-secret =
-
-; default vlans for groups that don't specify one.
-[DEFAULT]
-vlan = 1
-
-; [group.test]
-; vlan =
-
-[radiusd]
-ca = 
-key = 
-cert = 
-dh = 
-required_group =
-cache_path =
-
-; [client.localhost]
-; ipaddr =
-; secret =
-
--- a/kanidm_rlm_python/entrypoint.py
+++ b/kanidm_rlm_python/entrypoint.py
@ -17,6 +17,12 @@ DEBUG = True
 if os.environ.get('DEBUG', False):
    DEBUG = True

+CONFIG_FILE_PATH = "/data/kanidm"
+
+CERT_SERVER_DEST = "/etc/raddb/certs/server.pem"
+CERT_CA_DEST = "/etc/raddb/certs/ca.pem"
+CERT_DH_DEST = "/etc/raddb/certs/dh.pem"
+
 # pylint: disable=unused-argument
 def _sigchild_handler(
    *args: Any,
@ -44,22 +50,25 @@ def setup_certs(
    kanidm_config_object: KanidmClientConfig,
    ) -> None:
    """ sets up certificates """
-    # copy ca to /etc/raddb/certs/ca.pem
-    if kanidm_config_object.ca_path:
-        cert_ca = Path(kanidm_config_object.ca_path).expanduser().resolve()
+
+    if kanidm_config_object.radius_ca_path:
+        cert_ca = Path(kanidm_config_object.radius_ca_path).expanduser().resolve()
        if not cert_ca.exists():
            print(f"Failed to find radiusd ca file ({cert_ca}), quitting!", file=sys.stderr)
            sys.exit(1)
-        else:
-            print(f"Looking for cert_ca in {cert_ca}", file=sys.stderr )
-        shutil.copyfile(cert_ca, '/etc/raddb/certs/ca.pem')
+        if cert_ca != CERT_CA_DEST:
+            print(f"Copying {cert_ca} to {CERT_CA_DEST}")
+            shutil.copyfile(cert_ca, CERT_CA_DEST)
+
+    # let's put some dhparams in place
    if kanidm_config_object.radius_dh_path is not None:
-    # if CONFIG.get("radiusd", "dh", fallback="") != "":
        cert_dh = Path(kanidm_config_object.radius_dh_path).expanduser().resolve()
        if not cert_dh.exists():
            print(f"Failed to find radiusd dh file ({cert_dh}), quitting!", file=sys.stderr)
            sys.exit(1)
-        shutil.copyfile(cert_dh, '/etc/raddb/certs/dh')
+        if cert_dh != CERT_DH_DEST:
+            print(f"Copying {cert_dh} to {CERT_DH_DEST}")
+            shutil.copyfile(cert_dh, CERT_DH_DEST)

    server_key = Path(kanidm_config_object.radius_key_path).expanduser().resolve()
    if not server_key.exists() or not server_key.is_file():
@ -77,7 +86,7 @@ def setup_certs(
            )
        sys.exit(1)
    # concat key + cert into /etc/raddb/certs/server.pem
-    with open('/etc/raddb/certs/server.pem', 'w', encoding='utf-8') as file_handle:
+    with open(CERT_SERVER_DEST, 'w', encoding='utf-8') as file_handle:
        file_handle.write(server_cert.read_text(encoding="utf-8"))
        file_handle.write('\n')
        file_handle.write(server_key.read_text(encoding="utf-8"))
@ -117,7 +126,7 @@ def run_radiusd() -> None:
 if __name__ == '__main__':
    signal.signal(signal.SIGCHLD, _sigchild_handler)

-    config_file = Path("/data/config.ini").expanduser().resolve()
+    config_file = Path(CONFIG_FILE_PATH).expanduser().resolve()
    if not config_file.exists:
        print(
            "Failed to find configuration file ({config_file}), quitting!",
@ -125,7 +134,7 @@ if __name__ == '__main__':
            )
        sys.exit(1)

-    kanidm_config = KanidmClientConfig.parse_obj(load_config('/data/kanidm'))
+    kanidm_config = KanidmClientConfig.parse_obj(load_config(CONFIG_FILE_PATH))
    setup_certs(kanidm_config)
    write_clients_conf(kanidm_config)
    print("Configuration set up, starting...")
--- a/kanidm_rlm_python/run_radius_container.sh
+++ b/kanidm_rlm_python/run_radius_container.sh
@ -19,6 +19,6 @@ echo "Starting the dev container..."
 docker run --rm -it \
    --network host \
    --name radiusd \
-    -v /tmp/kanidm/:/etc/raddb/certs/ \
+    -v /tmp/kanidm/:/certs/ \
    -v "${CONFIG_FILE}:/data/kanidm" \
    ${IMAGE} $@