mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-05-17 22:43:55 +02:00
Code Issues Actions10 Packages Projects Releases Wiki Activity

Accept invalid certs and fix token_cache_path ()

Browse source 
* Add accept-invalid-certs option for cli
* Fix token_cache_path behavior

---------

Co-authored-by: sinavir <sinavir@sinavir.fr>
This commit is contained in:
sinavir 2025-02-20 09:07:48 +01:00 committed by GitHub
parent 52824b58f1
commit f40679cd52
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 27 additions and 1 deletions
libs/client/src
lib.rs
tools/cli/src
cli
common.rs
opt
kanidm.rs

9
libs/client/src/lib.rs
View file

@ -94,7 +94,7 @@ pub struct KanidmClientConfigInstance {
pub verify_hostnames: Option<bool>, pub verify_hostnames: Option<bool>,
/// Whether to verify the Certificate Authority details of the server's TLS certificate, defaults to `true`. /// Whether to verify the Certificate Authority details of the server's TLS certificate, defaults to `true`.
/// ///
/// Environment variable is slightly inverted - `KANIDM_SKIP_HOSTNAME_VERIFICATION`. /// Environment variable is slightly inverted - `KANIDM_ACCEPT_INVALID_CERTS`.
pub verify_ca: Option<bool>, pub verify_ca: Option<bool>,
/// Optionally you can specify the path of a CA certificate to use for verifying the server, if you're not using one trusted by your system certificate store. /// Optionally you can specify the path of a CA certificate to use for verifying the server, if you're not using one trusted by your system certificate store.
/// ///
@ -453,6 +453,13 @@ impl KanidmClientBuilder {
} }
} }
pub fn set_token_cache_path(self, token_cache_path: Option<String>) -> Self {
KanidmClientBuilder {
token_cache_path,
..self
}
}
#[allow(clippy::result_unit_err)] #[allow(clippy::result_unit_err)]
pub fn add_root_certificate_filepath(self, ca_path: &str) -> Result<Self, ClientError> { pub fn add_root_certificate_filepath(self, ca_path: &str) -> Result<Self, ClientError> {
//Okay we have a ca to add. Let's read it in and setup. //Okay we have a ca to add. Let's read it in and setup.

12
tools/cli/src/cli/common.rs
View file

@ -91,6 +91,18 @@ impl CommonOpt {
false => client_builder, false => client_builder,
}; };
let client_builder = match self.accept_invalid_certs {
true => {
warn!(
"TLS Certificate Verification disabled!!! This can lead to credential and account compromise!!!"
);
client_builder.danger_accept_invalid_certs(true)
}
false => client_builder,
};
let client_builder = client_builder.set_token_cache_path(self.token_cache_path.clone());
client_builder.build().unwrap_or_else(|e| { client_builder.build().unwrap_or_else(|e| {
error!("Failed to build client instance -- {:?}", e); error!("Failed to build client instance -- {:?}", e);
std::process::exit(1); std::process::exit(1);

7
tools/cli/src/opt/kanidm.rs
View file

@ -87,6 +87,13 @@ pub struct CommonOpt {
default_value_t = false default_value_t = false
)] )]
skip_hostname_verification: bool, skip_hostname_verification: bool,
/// Don't verify CA
#[clap(
long = "accept-invalid-certs",
env = "KANIDM_ACCEPT_INVALID_CERTS",
default_value_t = false
)]
accept_invalid_certs: bool,
/// Path to a file to cache tokens in, defaults to ~/.cache/kanidm_tokens /// Path to a file to cache tokens in, defaults to ~/.cache/kanidm_tokens
#[clap(short, long, env = "KANIDM_TOKEN_CACHE_PATH", hide = true, default_value = None, #[clap(short, long, env = "KANIDM_TOKEN_CACHE_PATH", hide = true, default_value = None,
value_parser = clap::builder::NonEmptyStringValueParser::new())] value_parser = clap::builder::NonEmptyStringValueParser::new())]