kanidm_ssh_authorizedkeys_direct/
ssh_authorizedkeys.rs

1#![deny(warnings)]
2#![warn(unused_extern_crates)]
3#![deny(clippy::unwrap_used)]
4#![deny(clippy::expect_used)]
5#![deny(clippy::panic)]
6#![deny(clippy::unreachable)]
7#![deny(clippy::await_holding_lock)]
8#![deny(clippy::needless_pass_by_value)]
9#![deny(clippy::trivially_copy_pass_by_ref)]
10
11use std::path::PathBuf;
12
13use clap::Parser;
14use kanidm_client::{ClientError, KanidmClient, KanidmClientBuilder};
15use tracing::error;
16
17include!("opt/ssh_authorizedkeys.rs");
18
19#[cfg(not(test))]
20fn k_client_builder() -> Result<KanidmClientBuilder, ()> {
21    use kanidm_proto::constants::{DEFAULT_CLIENT_CONFIG_PATH, DEFAULT_CLIENT_CONFIG_PATH_HOME};
22    use tracing::debug;
23
24    let config_path: String = shellexpand::tilde(DEFAULT_CLIENT_CONFIG_PATH_HOME).into_owned();
25
26    debug!("Attempting to use config {}", DEFAULT_CLIENT_CONFIG_PATH);
27    KanidmClientBuilder::new()
28        .read_options_from_optional_config(DEFAULT_CLIENT_CONFIG_PATH)
29        .and_then(|cb| {
30            debug!("Attempting to use config {}", config_path);
31            cb.read_options_from_optional_config(config_path)
32        })
33        .map_err(|e| {
34            error!("Failed to parse config (if present) -- {:?}", e);
35        })
36}
37
38#[cfg(test)]
39fn k_client_builder() -> Result<KanidmClientBuilder, ()> {
40    Ok(KanidmClientBuilder::new())
41}
42
43pub(crate) fn build_configured_client(opt: &SshAuthorizedOpt) -> Result<KanidmClient, ()> {
44    if opt.debug {
45        ::std::env::set_var("RUST_LOG", "kanidm=debug,kanidm_client=debug");
46    }
47    #[cfg(not(test))]
48    tracing_subscriber::fmt::init();
49    #[cfg(test)]
50    sketching::test_init();
51
52    let client_builder = k_client_builder()?;
53
54    let client_builder = match &opt.addr {
55        Some(a) => client_builder.address(a.to_string()),
56        None => client_builder,
57    };
58
59    let ca_path = opt.ca_path.as_ref().and_then(|p| p.to_str());
60    let client_builder = match ca_path {
61        Some(p) => client_builder
62            .add_root_certificate_filepath(p)
63            .map_err(|e| {
64                error!("Failed to add ca certificate -- {:?}", e);
65            })?,
66        None => client_builder,
67    };
68
69    client_builder
70        .build()
71        .map_err(|e| error!("Failed to build client instance -- {:?}", e))
72}
73
74// For now we lift a few things from the main.rs to use.
75//
76// usage: AuthorizedKeysCommand /usr/sbin/kanidm_ssh_authorizedkeys %u -H URL -D anonymous -C /etc/kanidm/ca.pem
77//
78#[tokio::main(flavor = "current_thread")]
79async fn main() -> Result<(), ()> {
80    let opt: SshAuthorizedOpt = SshAuthorizedOpt::parse();
81    let client = build_configured_client(&opt)?;
82
83    let r = if opt.username == "anonymous" {
84        client.auth_anonymous().await
85    } else {
86        let password = dialoguer::Password::new()
87            .with_prompt("Enter password: ")
88            .interact()
89            .map_err(|e| error!("Failed to retrieve password - {:?}", e))?;
90        client
91            .auth_simple_password(opt.username.as_str(), password.as_str())
92            .await
93    };
94    if r.is_err() {
95        match r {
96            Err(ClientError::Transport(value)) => {
97                error!("Failed to connect to kanidm server: {}", value.to_string());
98            }
99            _ => error!("Error during authentication phase: {:?}", r),
100        }
101        return Err(());
102    }
103
104    client
105        .idm_account_get_ssh_pubkeys(opt.account_id.as_str())
106        .await
107        .map(|pkeys| pkeys.iter().for_each(|pkey| println!("{}", pkey)))
108        .map_err(|e| {
109            error!(
110                "Failed to retrieve SSH keys for {} - {:?}",
111                opt.account_id.to_string(),
112                e
113            )
114        })
115}
116
117#[cfg(test)]
118mod tests {
119
120    use std::path::PathBuf;
121
122    use crate::build_configured_client;
123    use crate::SshAuthorizedOpt;
124    #[test]
125    fn test_build_configured_client() {
126        let opt = SshAuthorizedOpt {
127            debug: false,
128            addr: Some("https://example.com:8443".to_string()),
129            ca_path: None,
130            username: "anonymous".to_string(),
131            account_id: "anonymous".to_string(),
132        };
133        let client = build_configured_client(&opt);
134        assert!(client.is_ok());
135    }
136
137    #[test]
138    fn test_build_configured_client_err() {
139        let opt = SshAuthorizedOpt {
140            debug: false,
141            addr: None,
142            ca_path: Some(PathBuf::from("/etc/kanidm/ca.pem")),
143            username: "anonymous".to_string(),
144            account_id: "anonymous".to_string(),
145        };
146        let client = build_configured_client(&opt);
147        assert!(client.is_err())
148    }
149}