RADIUS fixes (#942)

* actually writing cert files properly now
* Updated readme with config file, fixed check for config file.
* minor tweaks to actions, removing job limits and skipping login to registry if not going to push
* removing old config.ini file
* temporarily adding William's fixed package
This commit is contained in:
James Hodgkinson 2022-07-22 13:04:36 +10:00 committed by GitHub
parent b249747e55
commit 60f9541cdd
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 48 additions and 57 deletions


@ -27,6 +27,8 @@ jobs:
registry: ghcr.io registry: ghcr.io
username: ${{ github.repository_owner }} username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }} password: ${{ secrets.GITHUB_TOKEN }}
# don't log in if we're not going to push!
if: ${{ github.ref == 'refs/heads/master' }}
- name: Build and push kanidmd - name: Build and push kanidmd
id: docker_build_kanidm id: docker_build_kanidm
uses: docker/build-push-action@v3 uses: docker/build-push-action@v3
@ -37,5 +39,5 @@ jobs:
tags: ghcr.io/kanidm/kanidm:devel tags: ghcr.io/kanidm/kanidm:devel
build-args: | build-args: |
"KANIDM_FEATURES=" "KANIDM_FEATURES="
"KANIDM_BUILD_OPTIONS=-j1" # "KANIDM_BUILD_OPTIONS=-j1"
file: kanidm_tools/Dockerfile file: kanidm_tools/Dockerfile
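Review bot: The `# "KANIDM_BUILD_OPTIONS=-j1"` line on the new side sits inside the `build-args: |` literal block, so YAML keeps it as part of the input string rather than treating it as a comment; the build only stays clean because docker/build-push-action appears to drop `#`-prefixed entries when it parses that list, which is not obvious to a reader. If the option is no longer wanted, delete the line outright (git history keeps it); the leftover `# "KANIDM_BUILD_OPTIONS=-j1"` in the kanidmd workflow is harmless because the whole `build-args:` key is commented there, but the same cleanup applies. The `if:` added to the login step cannot be checked for indentation in this rendered view; confirm it is a key of the step itself and not nested under `with:`.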


@ -16,10 +16,11 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v3
- name: Set up QEMU # don't need qemu/buildx if we're not building ARM
uses: docker/setup-qemu-action@v2 #- name: Set up QEMU
- name: Set up Docker Buildx # uses: docker/setup-qemu-action@v2
uses: docker/setup-buildx-action@v2 #- name: Set up Docker Buildx
# uses: docker/setup-buildx-action@v2
- # https://github.com/docker/login-action/#github-container-registry - # https://github.com/docker/login-action/#github-container-registry
name: Login to GitHub Container Registry name: Login to GitHub Container Registry
uses: docker/login-action@v2 uses: docker/login-action@v2
@ -27,6 +28,8 @@ jobs:
registry: ghcr.io registry: ghcr.io
username: ${{ github.repository_owner }} username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }} password: ${{ secrets.GITHUB_TOKEN }}
# don't log in if we're not going to push!
if: ${{ github.ref == 'refs/heads/master' }}
- name: Build and push kanidmd - name: Build and push kanidmd
id: docker_build_kanidmd id: docker_build_kanidmd
uses: docker/build-push-action@v3 uses: docker/build-push-action@v3
@ -34,6 +37,6 @@ jobs:
push: ${{ github.ref == 'refs/heads/master' }} push: ${{ github.ref == 'refs/heads/master' }}
platforms: linux/amd64 platforms: linux/amd64
tags: ghcr.io/kanidm/kanidmd:devel tags: ghcr.io/kanidm/kanidmd:devel
build-args: | #build-args: |
"KANIDM_BUILD_OPTIONS=-j1" # "KANIDM_BUILD_OPTIONS=-j1"
file: kanidmd/Dockerfile file: kanidmd/Dockerfile
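Review bot: The QEMU and Buildx setup steps are left as commented-out YAML rather than removed, with the rationale in a one-line comment above them; dead steps in a workflow tend to be resurrected untested. Delete them and keep the reason on the build step, e.g. `# single-platform build (linux/amd64): no QEMU/Buildx setup needed`. Without docker/setup-buildx-action the build runs on whatever builder the runner's Docker provides, which I believe is fine for `platforms: linux/amd64` with no cache options, but the setup step would need to come back before any multi-platform or cache-to/cache-from use.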


@ -27,6 +27,8 @@ jobs:
registry: ghcr.io registry: ghcr.io
username: ${{ github.repository_owner }} username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }} password: ${{ secrets.GITHUB_TOKEN }}
# don't log in if we're not going to push!
if: ${{ github.ref == 'refs/heads/master' }}
- name: Build and push radius - name: Build and push radius
id: docker_build_radius id: docker_build_radius
uses: docker/build-push-action@v3 uses: docker/build-push-action@v3
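Review bot: With the login step now conditional on `github.ref == 'refs/heads/master'`, the radius build step's `push:` input must use the identical condition, or a non-master run would attempt an unauthenticated push and fail; that line falls outside this hunk, so I cannot confirm it from here (the kanidmd workflow shows the matching `push:` expression). Since the same expression now appears twice in each of the three workflows, consider defining it once, for example as a job-level `env` value, so the login and push conditions cannot drift apart.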


@ -271,11 +271,11 @@ need to
```shell ```shell
docker pull ghcr.io/kanidm/radius:devel docker pull ghcr.io/kanidm/radius:devel
docker run --rm -it \ docker run --rm -it \
-v $(pwd)/config.ini:/data/config.ini \ -v $(pwd)/kanidm:/data/kanidm \
ghcr.io/kanidm/radius:devel ghcr.io/kanidm/radius:devel
``` ```
This assumes you have a `config.ini` file in the current working directory. This assumes you have a `kanidm` client configuration file in the current working directory.
## Building the Book ## Building the Book


@ -70,11 +70,10 @@ test/kanidmd:
@$(CONTAINER_TOOL) run --rm $(IMAGE_BASE)/server:$(IMAGE_VERSION)-builder cargo test @$(CONTAINER_TOOL) run --rm $(IMAGE_BASE)/server:$(IMAGE_VERSION)-builder cargo test
test/radiusd: ## Run a test radius server test/radiusd: ## Run a test radius server
test/radiusd: build/radiusd
cd kanidm_rlm_python && \ cd kanidm_rlm_python && \
./run_radius_container.sh ./run_radius_container.sh
test/radiusd: build/radiusd test/radiusd
test: test:
cargo test cargo test
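Review bot: `test/radiusd` and its prerequisite `build/radiusd` are command names, not files the recipes create, so both must be listed in `.PHONY:` or a stray file called `test/radiusd` would make the target silently up to date; the `.PHONY` line is outside this hunk, so please confirm it covers both. Putting the prerequisite on its own `test/radiusd: build/radiusd` line after the `##` help header is fine, since Make merges prerequisite lists across rule headers for the same target. The recipe's `cd kanidm_rlm_python && ./run_radius_container.sh` keeps both commands in one shell, which is the correct form.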


@ -18,10 +18,10 @@ uri = "https://idm.example.com"
username = "radius_service_account" username = "radius_service_account"
password = "cr4bzr0ol" password = "cr4bzr0ol"
# radius_cert_path = "/etc/raddb/certs/cert.pem" # radius_cert_path = "/certs/cert.pem" # the TLS certificate
# radius_key_path = "/etc/raddb/certs/key.pem" # the signing key for radius TLS radius_key_path = "/certs/key.pem" # the signing key for radius TLS
# radius_dh_path = "/etc/raddb/certs/dh.pem" # the diffie-hellman output radius_dh_path = "/certs/dh.pem" # the diffie-hellman output
# radius_ca_path = "/etc/raddb/certs/ca.pem" # the CA certificate? radius_ca_path = "/certs/ca.pem" # the CA certificate
# A list of groups, if a user is in them, they're approved for RADIUS authentication # A list of groups, if a user is in them, they're approved for RADIUS authentication
radius_required_groups = [ radius_required_groups = [
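Review bot: `radius_cert_path` is still commented out while `radius_key_path`, `radius_dh_path` and `radius_ca_path` are now enabled, yet the entrypoint concatenates the certificate and the key into `server.pem`, so an example with a key path but no certificate path looks inconsistent; either enable `radius_cert_path = "/certs/cert.pem"` alongside the others or state the default that `KanidmClientConfig` applies, which I cannot see from here. The example also carries a literal service-account password on the line above these paths; a clearly constructed placeholder such as `password = "<service-account-password>"` would make it harder to copy into a real deployment unchanged.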


@ -2,6 +2,9 @@ FROM opensuse/tumbleweed:latest
EXPOSE 1812 1813 EXPOSE 1812 1813
# TODO: remove this once the freeradius python fix has been rolled into tumbleweed main
RUN zypper ar -f obs://home:firstyear:branches:network home:firstyear:branches:network
RUN zypper --gpg-auto-import-keys refresh --force RUN zypper --gpg-auto-import-keys refresh --force
RUN zypper install -y \ RUN zypper install -y \
freeradius-client \ freeradius-client \
@ -9,9 +12,9 @@ RUN zypper install -y \
freeradius-server-python3 \ freeradius-server-python3 \
freeradius-server-utils \ freeradius-server-utils \
hostname \ hostname \
python3 \ python310 \
python3-devel \ python310-devel \
python3-pip \ python310-pip \
timezone \ timezone \
iproute2 \ iproute2 \
iputils \ iputils \
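Review bot: The new `zypper ar` line adds a personal OBS branch repository, and the pre-existing `zypper --gpg-auto-import-keys refresh` then accepts that repository's signing key without review, so every package in the image can now be satisfied from an unofficial source, not only the freeradius fix the TODO describes. Until the fix lands in Tumbleweed, limit the exposure by installing only the fixed package from that repo, e.g. `zypper install -y --from home:firstyear:branches:network <fixed-freeradius-package>`, leaving the rest on the default repos, and name the tracking request in the TODO so the line can be dropped later. The `python3` to `python310` pin is presumably meant to match the interpreter freeradius-server-python3 links against; a one-line comment saying so would stop the next reader from "fixing" it back.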


@ -1,27 +0,0 @@
[kanidm_client]
url =
strict = true
# Only if you want to check a specific ca root with strict = true
# ca = /data/ca.crt
user =
secret =
; default vlans for groups that don't specify one.
[DEFAULT]
vlan = 1
; [group.test]
; vlan =
[radiusd]
ca =
key =
cert =
dh =
required_group =
cache_path =
; [client.localhost]
; ipaddr =
; secret =


@ -17,6 +17,12 @@ DEBUG = True
if os.environ.get('DEBUG', False): if os.environ.get('DEBUG', False):
DEBUG = True DEBUG = True
CONFIG_FILE_PATH = "/data/kanidm"
CERT_SERVER_DEST = "/etc/raddb/certs/server.pem"
CERT_CA_DEST = "/etc/raddb/certs/ca.pem"
CERT_DH_DEST = "/etc/raddb/certs/dh.pem"
# pylint: disable=unused-argument # pylint: disable=unused-argument
def _sigchild_handler( def _sigchild_handler(
*args: Any, *args: Any,
@ -44,22 +50,25 @@ def setup_certs(
kanidm_config_object: KanidmClientConfig, kanidm_config_object: KanidmClientConfig,
) -> None: ) -> None:
""" sets up certificates """ """ sets up certificates """
# copy ca to /etc/raddb/certs/ca.pem
if kanidm_config_object.ca_path: if kanidm_config_object.radius_ca_path:
cert_ca = Path(kanidm_config_object.ca_path).expanduser().resolve() cert_ca = Path(kanidm_config_object.radius_ca_path).expanduser().resolve()
if not cert_ca.exists(): if not cert_ca.exists():
print(f"Failed to find radiusd ca file ({cert_ca}), quitting!", file=sys.stderr) print(f"Failed to find radiusd ca file ({cert_ca}), quitting!", file=sys.stderr)
sys.exit(1) sys.exit(1)
else: if cert_ca != CERT_CA_DEST:
print(f"Looking for cert_ca in {cert_ca}", file=sys.stderr ) print(f"Copying {cert_ca} to {CERT_CA_DEST}")
shutil.copyfile(cert_ca, '/etc/raddb/certs/ca.pem') shutil.copyfile(cert_ca, CERT_CA_DEST)
# let's put some dhparams in place
if kanidm_config_object.radius_dh_path is not None: if kanidm_config_object.radius_dh_path is not None:
# if CONFIG.get("radiusd", "dh", fallback="") != "":
cert_dh = Path(kanidm_config_object.radius_dh_path).expanduser().resolve() cert_dh = Path(kanidm_config_object.radius_dh_path).expanduser().resolve()
if not cert_dh.exists(): if not cert_dh.exists():
print(f"Failed to find radiusd dh file ({cert_dh}), quitting!", file=sys.stderr) print(f"Failed to find radiusd dh file ({cert_dh}), quitting!", file=sys.stderr)
sys.exit(1) sys.exit(1)
shutil.copyfile(cert_dh, '/etc/raddb/certs/dh') if cert_dh != CERT_DH_DEST:
print(f"Copying {cert_dh} to {CERT_DH_DEST}")
shutil.copyfile(cert_dh, CERT_DH_DEST)
server_key = Path(kanidm_config_object.radius_key_path).expanduser().resolve() server_key = Path(kanidm_config_object.radius_key_path).expanduser().resolve()
if not server_key.exists() or not server_key.is_file(): if not server_key.exists() or not server_key.is_file():
@ -77,7 +86,7 @@ def setup_certs(
) )
sys.exit(1) sys.exit(1)
# concat key + cert into /etc/raddb/certs/server.pem # concat key + cert into /etc/raddb/certs/server.pem
with open('/etc/raddb/certs/server.pem', 'w', encoding='utf-8') as file_handle: with open(CERT_SERVER_DEST, 'w', encoding='utf-8') as file_handle:
file_handle.write(server_cert.read_text(encoding="utf-8")) file_handle.write(server_cert.read_text(encoding="utf-8"))
file_handle.write('\n') file_handle.write('\n')
file_handle.write(server_key.read_text(encoding="utf-8")) file_handle.write(server_key.read_text(encoding="utf-8"))
@ -117,7 +126,7 @@ def run_radiusd() -> None:
if __name__ == '__main__': if __name__ == '__main__':
signal.signal(signal.SIGCHLD, _sigchild_handler) signal.signal(signal.SIGCHLD, _sigchild_handler)
config_file = Path("/data/config.ini").expanduser().resolve() config_file = Path(CONFIG_FILE_PATH).expanduser().resolve()
if not config_file.exists: if not config_file.exists:
print( print(
"Failed to find configuration file ({config_file}), quitting!", "Failed to find configuration file ({config_file}), quitting!",
@ -125,7 +134,7 @@ if __name__ == '__main__':
) )
sys.exit(1) sys.exit(1)
kanidm_config = KanidmClientConfig.parse_obj(load_config('/data/kanidm')) kanidm_config = KanidmClientConfig.parse_obj(load_config(CONFIG_FILE_PATH))
setup_certs(kanidm_config) setup_certs(kanidm_config)
write_clients_conf(kanidm_config) write_clients_conf(kanidm_config)
print("Configuration set up, starting...") print("Configuration set up, starting...")
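Review bot: The new guards `if cert_ca != CERT_CA_DEST:` and `if cert_dh != CERT_DH_DEST:` compare a `Path` against a `str`, so they are always true and the copy is never skipped; when the configured path already is the destination, `shutil.copyfile` raises `SameFileError` instead of being bypassed. Compare like with like, `if cert_ca != Path(CERT_CA_DEST):` (and the same for `cert_dh`), or resolve the constant once up front. The config-file check `if not config_file.exists:` is unchanged by this commit but still references the method without calling it, so the branch never fires; it needs `if not config_file.exists():`, and the message on the following line lacks its `f` prefix so the braces are printed literally. `server.pem` now holds the private key but is created with the process umask, so unless the image's umask is unusually strict it is readable by every user in the container; setting the mode explicitly after the `with` block, e.g. `os.chmod(CERT_SERVER_DEST, 0o600)`, is cheap since `os` is already imported.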


@ -19,6 +19,6 @@ echo "Starting the dev container..."
docker run --rm -it \ docker run --rm -it \
--network host \ --network host \
--name radiusd \ --name radiusd \
-v /tmp/kanidm/:/etc/raddb/certs/ \ -v /tmp/kanidm/:/certs/ \
-v "${CONFIG_FILE}:/data/kanidm" \ -v "${CONFIG_FILE}:/data/kanidm" \
${IMAGE} $@ ${IMAGE} $@
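Review bot: `${IMAGE} $@` on the last line is unquoted, so any argument containing whitespace is split before it reaches the container; write `"${IMAGE}" "$@"`. The certificate mount now targets `/certs/`, matching the `/certs/*.pem` paths in the example config, but the host side is still a shared `/tmp/kanidm/` directory, so the private key may be readable by other users on the host depending on its mode; acceptable for a throwaway dev container, but worth stating in a comment above the `docker run`. The enclosing `docker run` command starts before this hunk.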