mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-22 20:26:30 +01:00
Code Issues Actions 16 Packages Projects Releases Wiki Activity

Unixd build/debugging updates (#2350)

Browse source 
* noisy for no reason message
* updating build script to include unix modules
* adding restart config for kanidm systemd services
This commit is contained in:
James Hodgkinson 2023-12-03 16:34:02 +10:00 committed by GitHub
parent 76269f9de2
commit cbadf0af9b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 88 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
.codespell_dictionary Normal file
View file

@ -0,0 +1,3 @@
attesation->attestation
kandim->kanidm
Kandim->kanidm

1
Makefile
View file

@ -133,6 +133,7 @@ install-tools:
codespell: ## spell-check things.
codespell:
codespell -c \
-D .codespell_dictionary \
--ignore-words .codespell_ignore \
--skip='./target,./pykanidm/.venv,./pykanidm/.mypy_cache,./.mypy_cache,./pykanidm/poetry.lock' \
--skip='./book/*.js' \

4
libs/crypto/src/lib.rs
View file

@ -13,7 +13,7 @@
use argon2::{Algorithm, Argon2, Params, PasswordHash, Version};
use base64::engine::GeneralPurpose;
use base64::{alphabet, Engine};
use tracing::{debug, error, info, trace, warn};
use tracing::{debug, error, trace, warn};
use base64::engine::general_purpose;
use base64urlsafedata::Base64UrlSafeData;
@ -378,7 +378,7 @@ impl CryptoPolicy {
pbkdf2_cost,
argon2id_params,
};
info!(pbkdf2_cost = %p.pbkdf2_cost, argon2id_m = %p.argon2id_params.m_cost(), argon2id_p = %p.argon2id_params.p_cost(), argon2id_t = %p.argon2id_params.t_cost(), );
debug!(pbkdf2_cost = %p.pbkdf2_cost, argon2id_m = %p.argon2id_params.m_cost(), argon2id_p = %p.argon2id_params.p_cost(), argon2id_t = %p.argon2id_params.t_cost(), );
p
}
}

9
platform/crossbuild/build.sh
View file

@ -29,11 +29,20 @@ CROSS_CONFIG="platform/crossbuild/${1}/Cross.toml" \
--bin kanidm_ssh_authorizedkeys \
--bin kanidm-unix \
--release
CROSS_CONFIG="platform/crossbuild/${1}/Cross.toml" \
cross build --target aarch64-unknown-linux-gnu \
-p pam_kanidm \
-p nss_kanidm \
--release
find "./target/aarch64-unknown-linux-gnu/release/" -maxdepth 1 \
-type f -not -name '*.d' \
-name 'kanidm*' \
-exec mv "{}" "${TARGET_DIR}/" \;
find "./target/aarch64-unknown-linux-gnu/release/" -maxdepth 1 \
-name '*kanidm*.so' \
-exec mv "{}" "${TARGET_DIR}/" \;
# find "${TARGET_DIR}" -name '*.d' -delete
echo "Contents of ${TARGET_DIR}"

5
platform/debian/systemd/kanidm-unixd-tasks.service
View file

@ -10,6 +10,11 @@ User=root
Type=simple
ExecStart=/usr/sbin/kanidm_unixd_tasks
# because kanidm-unixd might have failed for some reason but we need to try again later
Restart=always
RestartSec=30
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH
# SystemCallFilter=@aio @basic-io @chown @file-system @io-event @network-io @sync
ProtectSystem=strict

5
platform/debian/systemd/kanidm-unixd.service
View file

@ -13,9 +13,14 @@ SupplementaryGroups=tss
UMask=0027
CacheDirectory=kanidm-unixd
RuntimeDirectory=kanidm-unixd
StateDirectory=kanidm-unixd
Type=simple
ExecStart=/usr/sbin/kanidm_unixd
# auth going down is bad, but infinite speedlooping is worse
Restart=always
RestartSec=30
# Implied by dynamic user.
# ProtectHome=

2
unix_integration/src/client.rs
View file

@ -37,7 +37,7 @@ impl Encoder<ClientRequest> for ClientCodec {
error!("socket encoding error -> {:?}", e);
IoError::new(ErrorKind::Other, "JSON encode error")
})?;
debug!("Attempting to send request -> {:?} ...", data);
debug!("Attempting to send request -> {}", msg.as_safe_string());
dst.put(data.as_slice());
Ok(())
}

7
unix_integration/src/daemon.rs
View file

@ -843,6 +843,13 @@ async fn main() -> ExitCode {
return ExitCode::FAILURE
}
if !cfg.default_shell.is_empty() {
let shell_path = PathBuf::from_str(&cfg.default_shell).expect("Failed to build a representation of your default_shell path!");
if !shell_path.exists() {
error!("Cannot find configured default shell at {}, this could cause login issues!", shell_path.display())
}
}
// Okay, the hsm is now loaded and ready to go.
let cl_inner = match Resolver::new(

8
unix_integration/src/resolver.rs
View file

@ -273,7 +273,9 @@ where
// * uuid
// Attempt to search these in the db.
let mut dbtxn = self.db.write().await;
let r = dbtxn.get_account(account_id).map_err(|_| ())?;
let r = dbtxn.get_account(account_id).map_err(|err| {
debug!("get_cached_usertoken {:?}", err);
})?;
match r {
Some((ut, ex)) => {
@ -484,6 +486,10 @@ where
Ok(mut n_tok) => {
if self.check_nxset(&n_tok.name, n_tok.gidnumber).await {
// Refuse to release the token, it's in the denied set.
debug!(
"Account {:?} is in denied set, refusing to release token. It may need to be in the allow_local_account_override configuration list.",
account_id
);
self.delete_cache_usertoken(n_tok.uuid).await?;
Ok(None)
} else {

16
unix_integration/src/tool.rs
View file

@ -61,22 +61,22 @@ async fn main() -> ExitCode {
return ExitCode::FAILURE;
};
info!("Sending request for user {}", &account_id);
let mut req = ClientRequest::PamAuthenticateInit(account_id.clone());
loop {
match call_daemon(cfg.sock_path.as_str(), req, cfg.unix_sock_timeout).await {
Ok(r) => match r {
ClientResponse::PamAuthenticateStepResponse(PamAuthResponse::Success) => {
// ClientResponse::PamStatus(Some(true)) => {
println!("auth success!");
break;
}
ClientResponse::PamAuthenticateStepResponse(PamAuthResponse::Denied) => {
// ClientResponse::PamStatus(Some(false)) => {
println!("auth failed!");
break;
}
ClientResponse::PamAuthenticateStepResponse(PamAuthResponse::Unknown) => {
// ClientResponse::PamStatus(None) => {
debug!("User may need to be in allow_local_account_override");
println!("auth user unknown");
break;
}
@ -96,7 +96,15 @@ async fn main() -> ExitCode {
});
continue;
}
_ => {
ClientResponse::PamAuthenticateStepResponse(_)
| ClientResponse::SshKeys(_)
| ClientResponse::NssAccounts(_)
| ClientResponse::NssAccount(_)
| ClientResponse::NssGroup(_)
| ClientResponse::NssGroups(_)
| ClientResponse::Ok
| ClientResponse::Error
| ClientResponse::PamStatus(_) => {
// unexpected response.
error!("Error: unexpected response -> {:?}", r);
break;

36
unix_integration/src/unix_proto.rs
View file

@ -72,6 +72,30 @@ pub enum ClientRequest {
Status,
}
impl ClientRequest {
/// Get a safe display version of the request, without credentials.
pub fn as_safe_string(&self) -> String {
match self {
ClientRequest::SshKey(id) => format!("SshKey({})", id),
ClientRequest::NssAccounts => "NssAccounts".to_string(),
ClientRequest::NssAccountByUid(id) => format!("NssAccountByUid({})", id),
ClientRequest::NssAccountByName(id) => format!("NssAccountByName({})", id),
ClientRequest::NssGroups => "NssGroups".to_string(),
ClientRequest::NssGroupByGid(id) => format!("NssGroupByGid({})", id),
ClientRequest::NssGroupByName(id) => format!("NssGroupByName({})", id),
ClientRequest::PamAuthenticateInit(id) => format!("PamAuthenticateInit({})", id),
ClientRequest::PamAuthenticateStep(_) => "PamAuthenticateStep".to_string(),
ClientRequest::PamAccountAllowed(id) => {
format!("PamAccountAllowed({})", id)
}
ClientRequest::PamAccountBeginSession(_) => "PamAccountBeginSession".to_string(),
ClientRequest::InvalidateCache => "InvalidateCache".to_string(),
ClientRequest::ClearCache => "ClearCache".to_string(),
ClientRequest::Status => "Status".to_string(),
}
}
}
#[derive(Serialize, Deserialize, Debug)]
pub enum ClientResponse {
SshKeys(Vec<String>),
@ -110,3 +134,15 @@ pub enum TaskResponse {
Success,
Error(String),
}
#[test]
fn test_clientrequest_as_safe_string() {
assert_eq!(
ClientRequest::NssAccounts.as_safe_string(),
"NssAccounts".to_string()
);
assert_eq!(
ClientRequest::SshKey("cheese".to_string()).as_safe_string(),
format!("SshKey({})", "cheese")
);
}