diff --git a/.gitignore b/.gitignore index a6edbac5c..a400144b2 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ +altnames.cnf .DS_Store .backup*_test.json diff --git a/DEVELOPER_README.md b/DEVELOPER_README.md index 9dfd754a3..d9b35d6e5 100644 --- a/DEVELOPER_README.md +++ b/DEVELOPER_README.md @@ -10,9 +10,13 @@ cargo doc --document-private-items --open --no-deps [designs]: https://github.com/kanidm/kanidm/tree/master/designs +### Rust Documentation + +The library documentation is [here](https://kanidm.github.io/kanidm/rustdoc/master/kanidm/). + ### Minimum Supported Rust Version -The project is expected to work on MSRV of 1.47.0. +The MSRV is specified [here](https://github.com/kanidm/kanidm/blob/master/profiles/RUST_MSRV). ### Dependencies 
@@ -99,31 +103,33 @@ git rebase --abort ### Development Server Quickstart for Interactive Testing -After getting the code, you will need a rust environment. Please investigate rustup for your platform -to establish this. +After getting the code, you will need a rust environment. Please investigate [rustup](https://rustup.rs) for your platform to establish this. -Once you have the source code, you need certificates to use with the server. I recommend using -let's encrypt, but if this is not possible, please use our insecure cert tool. Without certificates -authentication will fail. +Once you have the source code, you need certificates to use with the server, because without certificates, authentication will fail. - mkdir insecure - cd insecure - ../insecure_generate_tls.sh +We recommend using [Let's Encrypt](https://letsencrypt.org), but if this is not possible, please use our insecure cert tool (`insecure_generate_tls.sh`). The insecure cert tool creates `/tmp/kanidm` and puts some self-signed certificates there. -You can now build and run the server with the commands below. It will use a database in /tmp/kanidm.db +You can now build and run the server with the commands below. It will use a database in `/tmp/kanidm.db`. 
- cd kanidmd - cargo run -- recover_account -c ./server.toml -n admin - cargo run -- server -c ./server.toml +Create the initial database and generate an `admin` username: + + cargo run --bin kanidmd recover_account -c ./examples/insecure_server.toml -n admin + + Success - password reset to -> Et8QRJgQkMJu3v1AQxcbxRWW44qRUZPpr6BJ9fCGapAB9cT4 + +Record the password above, then run the server start command: + + cd kanidmd/daemon + cargo run --bin kanidmd server -c ../../examples/insecure_server.toml In a new terminal, you can now build and run the client tools with: - cd kanidm_tools - cargo run -- --help - cargo run -- login -H https://localhost:8443 -D anonymous -C ../insecure/ca.pem - cargo run -- self whoami -H https://localhost:8443 -D anonymous -C ../insecure/ca.pem - cargo run -- login -H https://localhost:8443 -D admin -C ../insecure/ca.pem - cargo run -- self whoami -H https://localhost:8443 -D admin -C ../insecure/ca.pem + cargo run --bin kanidm -- --help + cargo run --bin kanidm -- login -H https://localhost:8443 -D anonymous -C /tmp/kanidm/ca.pem + cargo run --bin kanidm -- self whoami -H https://localhost:8443 -D anonymous -C /tmp/kanidm/ca.pem + + cargo run --bin kanidm -- login -H https://localhost:8443 -D admin -C /tmp/kanidm/ca.pem + cargo run --bin kanidm -- self whoami -H https://localhost:8443 -D admin -C /tmp/kanidm/ca.pem ### Building the Web UI 
@@ -141,4 +147,6 @@ Then you are able to build the UI. The "developer" profile for kanidmd will automatically use the pkg output in this folder. -Setting different developer profiles while building is done by setting the environment variable KANIDM_BUILD_PROFILE to one of the bare filename of the TOML files in `/profiles`. For example: `KANIDM_BUILD_PROFILE=release_suse_generic cargo build --release --bin kanidmd` +Setting different developer profiles while building is done by setting the environment variable KANIDM_BUILD_PROFILE to one of the bare filename of the TOML files in `/profiles`. + +For example: `KANIDM_BUILD_PROFILE=release_suse_generic cargo build --release --bin kanidmd` diff --git a/kanidmd/server.toml b/examples/insecure_server.toml similarity index 67% rename from kanidmd/server.toml rename to examples/insecure_server.toml index 6e7c2bf3d..ccbfe4ebc 100644 --- a/kanidmd/server.toml +++ b/examples/insecure_server.toml @@ -1,12 +1,15 @@ bindaddress = "127.0.0.1:8443" ldapbindaddress = "127.0.0.1:3636" -db_path = "/tmp/kanidm.db" + db_fs_type = "zfs" -tls_chain = "../insecure/chain.pem" -tls_key = "../insecure/key.pem" +db_path = "/tmp/kanidm/kanidm.db" +tls_chain = "/tmp/kanidm/chain.pem" +tls_key = "/tmp/kanidm/key.pem" + # log_level = "perfbasic" # log_level = "quiet" log_level = "verbose" + domain = "idm.example.com" origin = "https://idm.example.com:8443" diff --git a/insecure_generate_tls.sh b/insecure_generate_tls.sh index 1aaf02565..469f4afbc 100755 --- a/insecure_generate_tls.sh +++ b/insecure_generate_tls.sh 
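Review bot: The new `db_path = "/tmp/kanidm/kanidm.db"` no longer matches the README text updated in the same commit, which still tells developers the server "will use a database in `/tmp/kanidm.db`"; one of the two should change so that removing the database between runs hits the right file. The simplest fix is the README line: `It will use a database in \`/tmp/kanidm/kanidm.db\`.`, which also places the DB inside the directory the insecure cert tool creates. Since this file now lives under `examples/` and will be copied, a one-line header such as `# Insecure development config: self-signed certs and DB under /tmp/kanidm - never use in production` would make its intent obvious to whoever picks it up.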
@@ -1,6 +1,23 @@ #!/bin/sh -cat > ./altnames.cnf << DEVEOF + +KANI_TMP=/tmp/kanidm/ + +ALTNAME_FILE="${KANI_TMP}altnames.cnf" +CACERT="${KANI_TMP}ca.pem" +CAKEY="${KANI_TMP}cakey.pem" + +KEYFILE="${KANI_TMP}key.pem" +CERTFILE="${KANI_TMP}cert.pem" +CSRFILE="${KANI_TMP}cert.csr" +CHAINFILE="${KANI_TMP}chain.pem" + +if [ ! -d "${KANI_TMP}" ]; then + echo "Creating temp kanidm dir: ${KANI_TMP}" + mkdir -p "${KANI_TMP}" +fi + +cat > "${ALTNAME_FILE}" << DEVEOF [req] nsComment = "Certificate" distinguished_name = req_distinguished_name @@ -44,12 +61,34 @@ IP.1 = 127.0.0.1 DEVEOF # Make the ca -openssl req -x509 -new -newkey rsa:4096 -sha256 -keyout cakey.pem -out ca.pem -days 31 -subj "/C=AU/ST=Queensland/L=Brisbane/O=INSECURE/CN=insecure.ca.localhost" -nodes -openssl genrsa -out key.pem 4096 -openssl req -sha256 -key key.pem -out cert.csr -days 31 -config altnames.cnf -new -extensions v3_req -openssl x509 -req -days 31 -in cert.csr -CA ca.pem -CAkey cakey.pem -CAcreateserial -out cert.pem -extfile altnames.cnf -extensions v3_req -sha256 +openssl req -x509 -new -newkey rsa:4096 -sha256 \ + -keyout "${CAKEY}" \ + -out "${CACERT}" \ + -days 31 \ + -subj "/C=AU/ST=Queensland/L=Brisbane/O=INSECURE/CN=insecure.ca.localhost" -nodes + +# generate the private key +openssl genrsa -out "${KEYFILE}" 4096 + +# generate the certficate signing request +openssl req -sha256 \ + -config "${ALTNAME_FILE}" \ + -days 31 \ + -new -extensions v3_req \ + -key "${KEYFILE}"\ + -out "${CSRFILE}" +# sign the cert +openssl x509 -req -days 31 \ + -extfile "${ALTNAME_FILE}" \ + -CA "${CACERT}" \ + -CAkey "${CAKEY}" \ + -CAcreateserial \ + -in "${CSRFILE}" \ + -out "${CERTFILE}" \ + -extensions v3_req -sha256 # Create the chain -cat cert.pem ca.pem > chain.pem +cat "${CERTFILE}" "${CACERT}" > "${CHAINFILE}" -echo use chain.pem, and key.pem +echo "Certificate chain is at: ${CHAINFILE}" +echo "Private key is at: ${KEYFILE}" 
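Review bot: `mkdir -p "${KANI_TMP}"` on the fixed path `/tmp/kanidm/` succeeds silently when the directory already exists, including when another local user created it, and the script then writes the CA private key (`cakey.pem`) and the server key there; on a shared machine a pre-created directory can capture or substitute the very CA the README tells the client to trust via `-C /tmp/kanidm/ca.pem`. This is a development-only tool, so full hardening is unnecessary, but making the location overridable and private is cheap: `KANI_TMP="${KANI_TMP:-/tmp/kanidm/}"` and `mkdir -p "${KANI_TMP}" && chmod 700 "${KANI_TMP}"`. The script also still runs without `set -eu` after `#!/bin/sh`, so a failed step later in the file is not fatal and subsequent commands run against missing or stale files.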
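Review bot: The closing `echo "Certificate chain is at: ..."` / `echo "Private key is at: ..."` lines print unconditionally, and `cat "${CERTFILE}" "${CACERT}" > "${CHAINFILE}"` will produce a partial or empty chain if any of the three preceding openssl commands failed, so a developer is told everything succeeded and then hands a broken `chain.pem` to `kanidmd`; chaining the steps with `&&` or exiting on the first non-zero status would avoid that. Two smaller points in the reformatted commands: `-days 31` on the `openssl req -new` CSR step has no effect (a CSR carries no validity period) and can be dropped so it does not imply otherwise, and the comment `# generate the certficate signing request` has a typo (`certificate`).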
diff --git a/kanidm_tools/src/cli/common.rs b/kanidm_tools/src/cli/common.rs index cea3177b7..08f3212c8 100644 --- a/kanidm_tools/src/cli/common.rs +++ b/kanidm_tools/src/cli/common.rs @@ -17,7 +17,10 @@ impl CommonOpt { error!("Failed to parse config (if present) -- {:?}", e); std::process::exit(1); }); - debug!("Successfully read configuration from {}", &config_path); + debug!( + "Successfully loaded configuration, looked in /etc/kanidm/config and {}", + &config_path + ); let client_builder = match &self.addr { Some(a) => client_builder.address(a.to_string()),
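Review bot: The new debug message hardcodes `/etc/kanidm/config` as a string literal, so it will silently become wrong if the loader (which appears to live outside this hunk) ever changes its system-wide search path; it also says "Successfully loaded configuration" even when neither file exists, since the `error!` branch above only fires on a parse failure "(if present)". Consider a shared `const DEFAULT_SYSTEM_CONFIG_PATH: &str = "/etc/kanidm/config";` used by both the loader and this message, with wording that does not overclaim, e.g. `debug!("Configuration parsed (files are optional); searched {} and {}", DEFAULT_SYSTEM_CONFIG_PATH, &config_path);`. The enclosing method of `impl CommonOpt` starts before and continues after this hunk.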