Fixes 654 - make DEVELOPER_README valid (#656)

* updating dev readme and scripting

* fixing confusing debug message about config loading

.gitignore

@@ -1,3 +1,4 @@
+altnames.cnf
 
 .DS_Store
 .backup*_test.json

DEVELOPER_README.md

@@ -10,9 +10,13 @@ cargo doc --document-private-items --open --no-deps
 
 [designs]: https://github.com/kanidm/kanidm/tree/master/designs
 
+### Rust Documentation
+
+The library documentation is [here](https://kanidm.github.io/kanidm/rustdoc/master/kanidm/).
+
 ### Minimum Supported Rust Version
 
-The project is expected to work on MSRV of 1.47.0.
+The MSRV is specified [here](https://github.com/kanidm/kanidm/blob/master/profiles/RUST_MSRV).
 
 ### Dependencies
 
@@ -99,31 +103,33 @@ git rebase --abort
 
 ### Development Server Quickstart for Interactive Testing
 
-After getting the code, you will need a rust environment. Please investigate rustup for your platform
-to establish this.
+After getting the code, you will need a rust environment. Please investigate [rustup](https://rustup.rs) for your platform to establish this.
 
-Once you have the source code, you need certificates to use with the server. I recommend using
-let's encrypt, but if this is not possible, please use our insecure cert tool. Without certificates
-authentication will fail.
+Once you have the source code, you need certificates to use with the server, because without certificates, authentication will fail. 
 
-    mkdir insecure
-    cd insecure
-    ../insecure_generate_tls.sh
+We recommend using [Let's Encrypt](https://letsencrypt.org), but if this is not possible, please use our insecure cert tool (`insecure_generate_tls.sh`). The insecure cert tool creates `/tmp/kanidm` and puts some self-signed certificates there.
 
-You can now build and run the server with the commands below. It will use a database in /tmp/kanidm.db
+You can now build and run the server with the commands below. It will use a database in `/tmp/kanidm.db`.
 
-    cd kanidmd
-    cargo run -- recover_account -c ./server.toml -n admin
-    cargo run -- server -c ./server.toml
+Create the initial database and generate an `admin` username:
+
+    cargo run --bin kanidmd recover_account -c ./examples/insecure_server.toml -n admin
+    <snip>
+    Success - password reset to -> Et8QRJgQkMJu3v1AQxcbxRWW44qRUZPpr6BJ9fCGapAB9cT4
+
+Record the password above, then run the server start command:
+
+    cd kanidmd/daemon
+    cargo run --bin kanidmd server -c ../../examples/insecure_server.toml
 
 In a new terminal, you can now build and run the client tools with:
 
-    cd kanidm_tools
-    cargo run -- --help
-    cargo run -- login -H https://localhost:8443 -D anonymous -C ../insecure/ca.pem
-    cargo run -- self whoami -H https://localhost:8443 -D anonymous -C ../insecure/ca.pem
-    cargo run -- login -H https://localhost:8443 -D admin -C ../insecure/ca.pem
-    cargo run -- self whoami -H https://localhost:8443 -D admin -C ../insecure/ca.pem
+    cargo run --bin kanidm -- --help
+    cargo run --bin kanidm -- login -H https://localhost:8443 -D anonymous -C /tmp/kanidm/ca.pem
+    cargo run --bin kanidm -- self whoami -H https://localhost:8443 -D anonymous -C /tmp/kanidm/ca.pem
+    
+    cargo run --bin kanidm -- login -H https://localhost:8443 -D admin -C /tmp/kanidm/ca.pem
+    cargo run --bin kanidm -- self whoami -H https://localhost:8443 -D admin -C /tmp/kanidm/ca.pem
 
 ### Building the Web UI
 
@@ -141,4 +147,6 @@ Then you are able to build the UI.
 
 The "developer" profile for kanidmd will automatically use the pkg output in this folder.
 
-Setting different developer profiles while building is done by setting the environment variable KANIDM_BUILD_PROFILE to one of the bare filename of the TOML files in `/profiles`. For example: `KANIDM_BUILD_PROFILE=release_suse_generic cargo build --release --bin kanidmd`
+Setting different developer profiles while building is done by setting the environment variable KANIDM_BUILD_PROFILE to one of the bare filename of the TOML files in `/profiles`. 
+
+For example: `KANIDM_BUILD_PROFILE=release_suse_generic cargo build --release --bin kanidmd`

examples/insecure_server.toml

@@ -1,12 +1,15 @@
 bindaddress = "127.0.0.1:8443"
 ldapbindaddress = "127.0.0.1:3636"
-db_path = "/tmp/kanidm.db"
+
 db_fs_type = "zfs"
-tls_chain = "../insecure/chain.pem"
-tls_key = "../insecure/key.pem"
+db_path = "/tmp/kanidm/kanidm.db"
+tls_chain = "/tmp/kanidm/chain.pem"
+tls_key = "/tmp/kanidm/key.pem"
+
 # log_level = "perfbasic"
 # log_level = "quiet"
 log_level = "verbose"
+
 domain = "idm.example.com"
 origin = "https://idm.example.com:8443"
 

insecure_generate_tls.sh

@@ -1,6 +1,23 @@
 #!/bin/sh
 
-cat > ./altnames.cnf << DEVEOF
+
+KANI_TMP=/tmp/kanidm/
+
+ALTNAME_FILE="${KANI_TMP}altnames.cnf"
+CACERT="${KANI_TMP}ca.pem"
+CAKEY="${KANI_TMP}cakey.pem"
+
+KEYFILE="${KANI_TMP}key.pem"
+CERTFILE="${KANI_TMP}cert.pem"
+CSRFILE="${KANI_TMP}cert.csr"
+CHAINFILE="${KANI_TMP}chain.pem"
+
+if [ ! -d "${KANI_TMP}" ]; then
+    echo "Creating temp kanidm dir: ${KANI_TMP}"
+    mkdir -p "${KANI_TMP}"
+fi
+
+cat > "${ALTNAME_FILE}" << DEVEOF
 [req]
 nsComment = "Certificate"
 distinguished_name  = req_distinguished_name
@@ -44,12 +61,34 @@ IP.1 = 127.0.0.1
 DEVEOF
 
 # Make the ca
-openssl req -x509 -new -newkey rsa:4096 -sha256 -keyout cakey.pem -out ca.pem -days 31 -subj "/C=AU/ST=Queensland/L=Brisbane/O=INSECURE/CN=insecure.ca.localhost" -nodes
-openssl genrsa -out key.pem 4096
-openssl req -sha256 -key key.pem -out cert.csr -days 31 -config altnames.cnf -new -extensions v3_req
-openssl x509 -req -days 31 -in cert.csr -CA ca.pem -CAkey cakey.pem -CAcreateserial -out cert.pem -extfile altnames.cnf -extensions v3_req -sha256
+openssl req -x509 -new -newkey rsa:4096 -sha256 \
+    -keyout "${CAKEY}" \
+    -out "${CACERT}" \
+    -days 31 \
+    -subj "/C=AU/ST=Queensland/L=Brisbane/O=INSECURE/CN=insecure.ca.localhost" -nodes
+
+# generate the private key
+openssl genrsa -out "${KEYFILE}" 4096
+
+# generate the certficate signing request
+openssl req -sha256 \
+    -config "${ALTNAME_FILE}" \
+    -days 31 \
+    -new -extensions v3_req \
+    -key "${KEYFILE}"\
+    -out "${CSRFILE}"
+# sign the cert
+openssl x509 -req -days 31 \
+    -extfile "${ALTNAME_FILE}" \
+    -CA "${CACERT}" \
+    -CAkey "${CAKEY}" \
+    -CAcreateserial \
+    -in "${CSRFILE}" \
+    -out "${CERTFILE}" \
+    -extensions v3_req -sha256
 # Create the chain
-cat cert.pem ca.pem > chain.pem
+cat "${CERTFILE}" "${CACERT}" > "${CHAINFILE}"
 
-echo use chain.pem, and key.pem
+echo "Certificate chain is at: ${CHAINFILE}"
+echo "Private key is at: ${KEYFILE}"
 

kanidm_tools/src/cli/common.rs

@@ -17,7 +17,10 @@ impl CommonOpt {
                 error!("Failed to parse config (if present) -- {:?}", e);
                 std::process::exit(1);
             });
-        debug!("Successfully read configuration from {}", &config_path);
+        debug!(
+            "Successfully loaded configuration, looked in /etc/kanidm/config and {}",
+            &config_path
+        );
 
         let client_builder = match &self.addr {
             Some(a) => client_builder.address(a.to_string()),