diff --git a/.github/workflows/docker_build_kanidm.yml b/.github/workflows/docker_build_kanidm.yml
index 783f9b533..bb396b1b5 100644
--- a/.github/workflows/docker_build_kanidm.yml
+++ b/.github/workflows/docker_build_kanidm.yml
@@ -27,6 +27,8 @@ jobs:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
 password: ${{ secrets.GITHUB_TOKEN }}
+ # don't log in if we're not going to push!
+ if: ${{ github.ref == 'refs/heads/master' }}
 - name: Build and push kanidmd
 id: docker_build_kanidm
 uses: docker/build-push-action@v3
@@ -37,5 +39,5 @@ jobs:
 tags: ghcr.io/kanidm/kanidm:devel
 build-args: |
 "KANIDM_FEATURES="
- "KANIDM_BUILD_OPTIONS=-j1"
+ # "KANIDM_BUILD_OPTIONS=-j1"
 file: kanidm_tools/Dockerfile
diff --git a/.github/workflows/docker_build_kanidmd.yml b/.github/workflows/docker_build_kanidmd.yml
index 1645f36f4..0124791fc 100644
--- a/.github/workflows/docker_build_kanidmd.yml
+++ b/.github/workflows/docker_build_kanidmd.yml
@@ -16,10 +16,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3
- - name: Set up QEMU
- uses: docker/setup-qemu-action@v2
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v2
+ # don't need qemu/buildx if we're not building ARM
+ #- name: Set up QEMU
+ # uses: docker/setup-qemu-action@v2
+ #- name: Set up Docker Buildx
+ # uses: docker/setup-buildx-action@v2
 - # https://github.com/docker/login-action/#github-container-registry
 name: Login to GitHub Container Registry
 uses: docker/login-action@v2
@@ -27,6 +28,8 @@ jobs:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
 password: ${{ secrets.GITHUB_TOKEN }}
+ # don't log in if we're not going to push!
+ if: ${{ github.ref == 'refs/heads/master' }}
 - name: Build and push kanidmd
 id: docker_build_kanidmd
 uses: docker/build-push-action@v3
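Review bot: Inside a `|` block scalar a `#` does not start a YAML comment, so the new line `# "KANIDM_BUILD_OPTIONS=-j1"` under `build-args: |` in docker_build_kanidm.yml is passed to docker/build-push-action as a literal build-arg line rather than disabling the option. Delete the line outright, leaving `build-args: |` followed by `"KANIDM_FEATURES="`, or move the remark to a comment line outside the block. The equivalent hunk in docker_build_kanidmd.yml comments out the whole `build-args: |` key, so that file is unaffected.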
@@ -34,6 +37,6 @@ jobs:
 push: ${{ github.ref == 'refs/heads/master' }}
 platforms: linux/amd64
 tags: ghcr.io/kanidm/kanidmd:devel
- build-args: |
- "KANIDM_BUILD_OPTIONS=-j1"
+ #build-args: |
+ # "KANIDM_BUILD_OPTIONS=-j1"
 file: kanidmd/Dockerfile
diff --git a/.github/workflows/docker_build_radiusd.yml b/.github/workflows/docker_build_radiusd.yml
index dc934e4e4..7f0c4a2e7 100644
--- a/.github/workflows/docker_build_radiusd.yml
+++ b/.github/workflows/docker_build_radiusd.yml
@@ -27,6 +27,8 @@ jobs:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
 password: ${{ secrets.GITHUB_TOKEN }}
+ # don't log in if we're not going to push!
+ if: ${{ github.ref == 'refs/heads/master' }}
 - name: Build and push radius
 id: docker_build_radius
 uses: docker/build-push-action@v3
diff --git a/DEVELOPER_README.md b/DEVELOPER_README.md
index 7738f2d20..99d0fd4a4 100644
--- a/DEVELOPER_README.md
+++ b/DEVELOPER_README.md
@@ -271,11 +271,11 @@ need to
 ```shell
 docker pull ghcr.io/kanidm/radius:devel
 docker run --rm -it \
- -v $(pwd)/config.ini:/data/config.ini \
+ -v $(pwd)/kanidm:/data/kanidm \
 ghcr.io/kanidm/radius:devel
 ```
-This assumes you have a `config.ini` file in the current working directory.
+This assumes you have a `kanidm` client configuration file in the current working directory.
 ## Building the Book
diff --git a/Makefile b/Makefile
index 4b81a8d54..2f2479a50 100644
--- a/Makefile
+++ b/Makefile
@@ -70,11 +70,10 @@ test/kanidmd:
 @$(CONTAINER_TOOL) run --rm $(IMAGE_BASE)/server:$(IMAGE_VERSION)-builder cargo test
 test/radiusd: ## Run a test radius server
+test/radiusd: build/radiusd
 cd kanidm_rlm_python && \
 ./run_radius_container.sh
-test/radiusd: build/radiusd test/radiusd
-
 test:
 cargo test
diff --git a/examples/kanidm b/examples/kanidm
index ca75a868a..e088d197f 100644
--- a/examples/kanidm
+++ b/examples/kanidm
@@ -18,10 +18,10 @@ uri = "https://idm.example.com"
 username = "radius_service_account"
 password = "cr4bzr0ol"
-# radius_cert_path = "/etc/raddb/certs/cert.pem" #
-# radius_key_path = "/etc/raddb/certs/key.pem" # the signing key for radius TLS
-# radius_dh_path = "/etc/raddb/certs/dh.pem" # the diffie-hellman output
-# radius_ca_path = "/etc/raddb/certs/ca.pem" # the CA certificate?
+radius_cert_path = "/certs/cert.pem" # the TLS certificate
+radius_key_path = "/certs/key.pem" # the signing key for radius TLS
+radius_dh_path = "/certs/dh.pem" # the diffie-hellman output
+radius_ca_path = "/certs/ca.pem" # the CA certificate
 # A list of groups, if a user is in them, they're approved for RADIUS authentication
 radius_required_groups = [
diff --git a/kanidm_rlm_python/Dockerfile b/kanidm_rlm_python/Dockerfile
index e711b5953..c9db9163b 100644
--- a/kanidm_rlm_python/Dockerfile
+++ b/kanidm_rlm_python/Dockerfile
@@ -2,6 +2,9 @@ FROM opensuse/tumbleweed:latest
 EXPOSE 1812 1813
+# TODO: remove this once the freeradius python fix has been rolled into tumbleweed main
+RUN zypper ar -f obs://home:firstyear:branches:network home:firstyear:branches:network
+
 RUN zypper --gpg-auto-import-keys refresh --force
 RUN zypper install -y \
 freeradius-client \
@@ -9,9 +12,9 @@ RUN zypper install -y \
 freeradius-server-python3 \
 freeradius-server-utils \
 hostname \
- python3 \
- python3-devel \
- python3-pip \
+ python310 \
+ python310-devel \
+ python310-pip \
 timezone \
 iproute2 \
 iputils \
diff --git a/kanidm_rlm_python/config.ini b/kanidm_rlm_python/config.ini
deleted file mode 100644
index 928b8b7a7..000000000
--- a/kanidm_rlm_python/config.ini
+++ /dev/null
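Review bot: The four newly enabled `radius_*_path` values in examples/kanidm are container-side paths (this commit's run_radius_container.sh mounts the host certificate directory at `/certs/`, and entrypoint.py copies from there into /etc/raddb/certs), but nothing in the example says so, and the rest of the file reads like a host-side config. A one-line comment above `radius_cert_path` would stop users pointing these at host paths, e.g. `# paths as seen inside the radius container; the entrypoint copies them into /etc/raddb/certs at startup`. The `password` line just above is unchanged context and remains a placeholder value.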
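Review bot: The added `RUN zypper ar -f obs://home:firstyear:branches:network ...` registers a personal OBS branch as a full package source at default priority, and the following `zypper --gpg-auto-import-keys refresh` then trusts its signing key unattended, so any package that project publishes can replace the Tumbleweed build of the same name — not only the freeradius fix the TODO refers to. Narrow the exposure by taking only the needed package from it, e.g. `RUN zypper install -y --from home:firstyear:branches:network freeradius-server-python3` (presumably that is the package carrying the fix — confirm), and give the repo a lower priority with `zypper ar -p` so the remaining `zypper install -y` list keeps resolving against Tumbleweed. Record in the TODO which upstream submission the removal is waiting on so the temporary repo does not outlive the fix.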
@@ -1,27 +0,0 @@ -[kanidm_client] -url = -strict = true -# Only if you want to check a specific ca root with strict = true -# ca = /data/ca.crt -user = -secret = - ; default vlans for groups that don't specify one. -[DEFAULT] -vlan = 1 - ; [group.test] ; vlan = - [radiusd] -ca = -key = -cert = -dh = -required_group = -cache_path = - ; [client.localhost] ; ipaddr = ; secret = -
diff --git a/kanidm_rlm_python/entrypoint.py b/kanidm_rlm_python/entrypoint.py
index 80f51d3c2..eda987737 100644
--- a/kanidm_rlm_python/entrypoint.py
+++ b/kanidm_rlm_python/entrypoint.py
@@ -17,6 +17,12 @@ DEBUG = True
 if os.environ.get('DEBUG', False):
 DEBUG = True
+CONFIG_FILE_PATH = "/data/kanidm"
+
+CERT_SERVER_DEST = "/etc/raddb/certs/server.pem"
+CERT_CA_DEST = "/etc/raddb/certs/ca.pem"
+CERT_DH_DEST = "/etc/raddb/certs/dh.pem"
+
 # pylint: disable=unused-argument
 def _sigchild_handler(
 *args: Any,
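Review bot: The new `CERT_SERVER_DEST`, `CERT_CA_DEST` and `CERT_DH_DEST` constants fix where the entrypoint writes key material, but nothing records why those exact file names matter; `CERT_DH_DEST` also moves the dh destination from `/etc/raddb/certs/dh` (the path the old `shutil.copyfile` in setup_certs used) to `dh.pem`, which only works if the TLS configuration bundled in the image references the new name. Add a comment above the group such as `# destinations under /etc/raddb/certs that the radiusd TLS config reads; keep in sync with that config` — hedged, since the raddb configuration is not part of this diff. `CONFIG_FILE_PATH` deserves a similar note that it is the mount point documented in DEVELOPER_README.md and run_radius_container.sh.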
@@ -44,22 +50,25 @@ def setup_certs(
 kanidm_config_object: KanidmClientConfig,
 ) -> None:
 """ sets up certificates """
- # copy ca to /etc/raddb/certs/ca.pem
- if kanidm_config_object.ca_path:
- cert_ca = Path(kanidm_config_object.ca_path).expanduser().resolve()
+
+ if kanidm_config_object.radius_ca_path:
+ cert_ca = Path(kanidm_config_object.radius_ca_path).expanduser().resolve()
 if not cert_ca.exists():
 print(f"Failed to find radiusd ca file ({cert_ca}), quitting!", file=sys.stderr)
 sys.exit(1)
- else:
- print(f"Looking for cert_ca in {cert_ca}", file=sys.stderr )
- shutil.copyfile(cert_ca, '/etc/raddb/certs/ca.pem')
+ if cert_ca != CERT_CA_DEST:
+ print(f"Copying {cert_ca} to {CERT_CA_DEST}")
+ shutil.copyfile(cert_ca, CERT_CA_DEST)
+
+ # let's put some dhparams in place
 if kanidm_config_object.radius_dh_path is not None:
- # if CONFIG.get("radiusd", "dh", fallback="") != "":
 cert_dh = Path(kanidm_config_object.radius_dh_path).expanduser().resolve()
 if not cert_dh.exists():
 print(f"Failed to find radiusd dh file ({cert_dh}), quitting!", file=sys.stderr)
 sys.exit(1)
- shutil.copyfile(cert_dh, '/etc/raddb/certs/dh')
+ if cert_dh != CERT_DH_DEST:
+ print(f"Copying {cert_dh} to {CERT_DH_DEST}")
+ shutil.copyfile(cert_dh, CERT_DH_DEST)
 server_key = Path(kanidm_config_object.radius_key_path).expanduser().resolve()
 if not server_key.exists() or not server_key.is_file():
@@ -77,7 +86,7 @@ def setup_certs(
 )
 sys.exit(1)
 # concat key + cert into /etc/raddb/certs/server.pem
- with open('/etc/raddb/certs/server.pem', 'w', encoding='utf-8') as file_handle:
+ with open(CERT_SERVER_DEST, 'w', encoding='utf-8') as file_handle:
 file_handle.write(server_cert.read_text(encoding="utf-8"))
 file_handle.write('\n')
 file_handle.write(server_key.read_text(encoding="utf-8"))
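Review bot: `if cert_ca != CERT_CA_DEST:` compares a `Path` with a `str`, which is always true, so the new guard never skips the copy and `shutil.copyfile` raises `SameFileError` when the configured path already is the destination; the same applies to `if cert_dh != CERT_DH_DEST:` further down the hunk. Compare like with like: `if cert_ca != Path(CERT_CA_DEST):` and `if cert_dh != Path(CERT_DH_DEST):`. The two new `Copying …` prints also go to stdout while every other diagnostic in setup_certs goes to `sys.stderr`; adding `file=sys.stderr` keeps the output streams consistent. setup_certs continues past the end of the hunk.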
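Review bot: The rewritten `with open(CERT_SERVER_DEST, 'w', encoding='utf-8') as file_handle:` creates server.pem — which the following writes fill with the private key — using the process umask, so inside the container the key file is typically readable by every user; moving the path into a constant is the moment to also restrict the mode. Use `with open(os.open(CERT_SERVER_DEST, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), 'w', encoding='utf-8') as file_handle:` (`os` is already imported at the top of this file), and follow the block with `os.chmod(CERT_SERVER_DEST, 0o600)` because the create mode does not apply when the file pre-exists. The enclosing function may continue beyond the hunk.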
@@ -117,7 +126,7 @@ def run_radiusd() -> None:
 if __name__ == '__main__':
 signal.signal(signal.SIGCHLD, _sigchild_handler)
- config_file = Path("/data/config.ini").expanduser().resolve()
+ config_file = Path(CONFIG_FILE_PATH).expanduser().resolve()
 if not config_file.exists:
 print(
 "Failed to find configuration file ({config_file}), quitting!",
@@ -125,7 +134,7 @@ if __name__ == '__main__':
 )
 sys.exit(1)
- kanidm_config = KanidmClientConfig.parse_obj(load_config('/data/kanidm'))
+ kanidm_config = KanidmClientConfig.parse_obj(load_config(CONFIG_FILE_PATH))
 setup_certs(kanidm_config)
 write_clients_conf(kanidm_config)
 print("Configuration set up, starting...")
diff --git a/kanidm_rlm_python/run_radius_container.sh b/kanidm_rlm_python/run_radius_container.sh
index b24f50035..30d6f9c36 100755
--- a/kanidm_rlm_python/run_radius_container.sh
+++ b/kanidm_rlm_python/run_radius_container.sh
@@ -19,6 +19,6 @@ echo "Starting the dev container..."
 docker run --rm -it \
 --network host \
 --name radiusd \
- -v /tmp/kanidm/:/etc/raddb/certs/ \
+ -v /tmp/kanidm/:/certs/ \
 -v "${CONFIG_FILE}:/data/kanidm" \
 ${IMAGE} $@
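Review bot: The guard directly under the new `config_file = Path(CONFIG_FILE_PATH).expanduser().resolve()` line, `if not config_file.exists:`, never fires because `exists` is referenced but not called — the bound method is always truthy — so a missing configuration file is not caught here and surfaces later from `load_config` instead; it should read `if not config_file.exists():`. The message on the following line is not an f-string either, so `({config_file})` is printed literally; prefix it with `f`. Both lines are unchanged context, but the commit re-touches this block and the path change is the reason the check matters.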
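Review bot: `load_config(CONFIG_FILE_PATH)` re-reads the raw constant although `config_file` a few lines up already holds the `expanduser().resolve()`'d version of the same path, so the existence check and the actual load can disagree if the constant ever becomes a relative path or a symlink. Pass the resolved path instead, `load_config(str(config_file))` (or `config_file` itself if load_config accepts a Path — its signature is not in the diff), and drop the duplicate use of the constant here.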