From f40679cd524bdc2645393c21a8a425b831cd3dac Mon Sep 17 00:00:00 2001
From: sinavir <36380103+sinavir@users.noreply.github.com>
Date: Thu, 20 Feb 2025 09:07:48 +0100
Subject: [PATCH] Accept invalid certs and fix token_cache_path (#3439)

* Add accept-invalid-certs option for cli

* Fix token_cache_path behavior

---------

Co-authored-by: sinavir
---
 libs/client/src/lib.rs | 9 ++++++++-
 tools/cli/src/cli/common.rs | 12 ++++++++++++
 tools/cli/src/opt/kanidm.rs | 7 +++++++
 3 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/libs/client/src/lib.rs b/libs/client/src/lib.rs
index e664019d3..9913a8db4 100644
--- a/libs/client/src/lib.rs
+++ b/libs/client/src/lib.rs
@@ -94,7 +94,7 @@ pub struct KanidmClientConfigInstance {
 pub verify_hostnames: Option,
 /// Whether to verify the Certificate Authority details of the server's TLS certificate, defaults to `true`.
 ///
- /// Environment variable is slightly inverted - `KANIDM_SKIP_HOSTNAME_VERIFICATION`.
+ /// Environment variable is slightly inverted - `KANIDM_ACCEPT_INVALID_CERTS`.
 pub verify_ca: Option,
 /// Optionally you can specify the path of a CA certificate to use for verifying the server, if you're not using one trusted by your system certificate store.
 ///
@@ -453,6 +453,13 @@ impl KanidmClientBuilder {
 }
 }
+ pub fn set_token_cache_path(self, token_cache_path: Option) -> Self {
+ KanidmClientBuilder {
+ token_cache_path,
+ ..self
+ }
+ }
+
 #[allow(clippy::result_unit_err)]
 pub fn add_root_certificate_filepath(self, ca_path: &str) -> Result {
 //Okay we have a ca to add. Let's read it in and setup.
diff --git a/tools/cli/src/cli/common.rs b/tools/cli/src/cli/common.rs
index 009a9c07b..986c091a2 100644
--- a/tools/cli/src/cli/common.rs
+++ b/tools/cli/src/cli/common.rs
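Review bot: `set_token_cache_path` is a new `pub` builder method with no `///` doc comment, and its `None` behaviour is worth stating because the struct-update body `KanidmClientBuilder { token_cache_path, ..self }` replaces the field outright rather than merging with an existing value. Suggest `/// Set the on-disk token cache path used by the built client; passing `None` clears any path previously set on this builder.` above the signature, matching the `///` style of the other items in this file. The rest of `impl KanidmClientBuilder` lies outside this hunk.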
@@ -91,6 +91,18 @@ impl CommonOpt {
 false => client_builder,
 };
+ let client_builder = match self.accept_invalid_certs {
+ true => {
+ warn!(
+ "TLS Certificate Verification disabled!!! This can lead to credential and account compromise!!!"
+ );
+ client_builder.danger_accept_invalid_certs(true)
+ }
+ false => client_builder,
+ };
+
+ let client_builder = client_builder.set_token_cache_path(self.token_cache_path.clone());
+
 client_builder.build().unwrap_or_else(|e| {
 error!("Failed to build client instance -- {:?}", e);
 std::process::exit(1);
diff --git a/tools/cli/src/opt/kanidm.rs b/tools/cli/src/opt/kanidm.rs
index 1fb39d0ba..201021f03 100644
--- a/tools/cli/src/opt/kanidm.rs
+++ b/tools/cli/src/opt/kanidm.rs
@@ -87,6 +87,13 @@ pub struct CommonOpt {
 default_value_t = false
 )]
 skip_hostname_verification: bool,
+ /// Don't verify CA
+ #[clap(
+ long = "accept-invalid-certs",
+ env = "KANIDM_ACCEPT_INVALID_CERTS",
+ default_value_t = false
+ )]
+ accept_invalid_certs: bool,
 /// Path to a file to cache tokens in, defaults to ~/.cache/kanidm_tokens
 #[clap(short, long, env = "KANIDM_TOKEN_CACHE_PATH", hide = true, default_value = None, value_parser = clap::builder::NonEmptyStringValueParser::new())]
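Review bot: The new `client_builder.set_token_cache_path(self.token_cache_path.clone())` call runs unconditionally, and the setter this same commit adds in lib.rs replaces the builder's field by struct update, so when the CLI option is absent (`None`, its declared default in kanidm.rs) any `token_cache_path` the builder acquired in the setup steps above this hunk is overwritten with `None`; whether an earlier step can populate it is outside the hunk, so this is inferred rather than observed. If it can, apply the override only when a value was supplied: `let client_builder = match self.token_cache_path.clone() { Some(path) => client_builder.set_token_cache_path(Some(path)), None => client_builder };`. The `warn!` before `danger_accept_invalid_certs(true)` is the right treatment for a verification bypass that `KANIDM_ACCEPT_INVALID_CERTS` can switch on from the environment without any command-line argument; naming the switch in the message, e.g. `"TLS Certificate Verification disabled (--accept-invalid-certs / KANIDM_ACCEPT_INVALID_CERTS)! This can lead to credential and account compromise!"`, lets an operator find where the bypass was enabled. The enclosing function starts before this hunk.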