From patchwork Mon May 8 16:07:45 2023
X-Patchwork-Submitter: Maxim Cournoyer
X-Patchwork-Id: 49878
Subject: [bug#63375] [cuirass] doc: Document authentication.
To: 63375@debbugs.gnu.org
Cc: Maxim Cournoyer, efraim@flashner.co.il
From: Maxim Cournoyer
Date: Mon, 8 May 2023 12:07:45 -0400
Message-Id: <20230508160745.10144-1-maxim.cournoyer@gmail.com>
X-Mailer: git-send-email 2.39.2

* etc/new-client-cert.scm: Add script. * doc/cuirass.texi (Authentication): Document it. * Makefile.am (noinst_SCRIPTS): Register it. --- Makefile.am | 2 +- doc/cuirass.texi | 34 ++++++++++++++++ etc/new-client-cert.scm | 90 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 125 insertions(+), 1 deletion(-) create mode 100755 etc/new-client-cert.scm base-commit: cf4e3e4ac4a9c8d6f0d82b0a173826f15bbca7f3 diff --git a/Makefile.am b/Makefile.am index a40a76d..62b0860 100644 --- a/Makefile.am +++ b/Makefile.am @@ -25,7 +25,7 @@ bin_SCRIPTS = \ bin/cuirass -noinst_SCRIPTS = pre-inst-env +noinst_SCRIPTS = pre-inst-env etc/new-client-cert.scm guilesitedir = $(datarootdir)/guile/site/@GUILE_EFFECTIVE_VERSION@ guileobjectdir = $(libdir)/guile/@GUILE_EFFECTIVE_VERSION@/site-ccache diff --git a/doc/cuirass.texi b/doc/cuirass.texi index db46a33..4441996 100644 --- a/doc/cuirass.texi +++ b/doc/cuirass.texi
@@ -57,6 +57,7 @@ Documentation License''. * Parameters:: Cuirass parameters. * Build modes:: Build modes. * Invocation:: How to run Cuirass. +* Authentication:: Configuring TLS authentication. * Web API:: Description of the Web API. * Database:: About the database schema. 
@@ -711,6 +712,39 @@ Display the actual version of @code{cuirass}. Display an help message that summarize all the options provided. @end table +@c ********************************************************************* +@node Authentication +@chapter Authentication +@cindex authentication + +It is necessary to be authenticated to accomplish some of the actions +exposed via the web interface of Cuirass, such as cancelling or +restarting a build. The authentication mechanism of Cuirass currently +relies on the use of a private TLS certificate authority. + +To automate the creation of new user certificates, the +@file{etc/new-client-cert.scm} Guile script can be used. It requires +the @command{guix} command to be available and a preexisting certificate +authority at @file{/etc/ssl-ca}. To issue a new user certificate, run +it from your home directory with: + +@example +sudo -E ./etc/new-client-cert.scm +@end example + +You will be asked to input the password for the CA private key, if any, +and again for your new certificate; save it carefully. The script +requires to run as root to have access to the private certificate +authority key; it outputs the new user certificate files in various +formats to the current working directory. + +After your new certificate is generated, it needs to be registered with +your web browser. To do so using GNU IceCat, for example, you can +navigate to @samp{Parameters -> Security -> Show certificates} and then +click the @samp{Import...} button and select to your @file{.pk12} +personal certificate file. You should now be authenticated to perform +privileged actions via the web interface of Cuirass. + @c ********************************************************************* @node Web API @chapter Web API diff --git a/etc/new-client-cert.scm b/etc/new-client-cert.scm new file mode 100755 index 0000000..fa8ac5c --- /dev/null +++ b/etc/new-client-cert.scm 
@@ -0,0 +1,90 @@ +#!/usr/bin/env -S guix shell guile openssl -- guile \\ +--no-auto-compile -e main -s +!# +;;;; cuirass.scm -- Cuirass public interface. +;;; Copyright © 2023 Ricardo Wurmus +;;; +;;; This file is part of Cuirass. +;;; +;;; Cuirass is free software: you can redistribute it and/or modify +;;; it under the terms of the GNU General Public License as published by +;;; the Free Software Foundation, either version 3 of the License, or +;;; (at your option) any later version. +;;; +;;; Cuirass is distributed in the hope that it will be useful, +;;; but WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with Cuirass. If not, see . + +(use-modules (ice-9 match) + (guix build utils)) + +(define %CA-directory + "/etc/ssl-ca") + +(define CA-key + (string-append %CA-directory "/private/ca.key")) +(define CA-cert + (string-append %CA-directory "/certs/ca.crt")) + +(define* (output who file) + (string-append (getcwd) "/" who file)) + +(define (key-file who) + "Return the absolute file name of the key file for WHO." + (output who ".key")) + +(define (csr-file who) + "Return the absolute file name of the CSR file for WHO." + (output who ".csr")) + +(define (client-cert-file who) + "Return the absolute file name of the client certificate file for +WHO." + (output who ".crt")) + +(define (exported-cert-file who) + "Return the absolute file name of the pkcs12 client certificate file +for WHO. This is the file that users should import into their +browsers." + (output who ".p12")) + +(define (generate-csr! who) + "Generate a new certificate signing request and key for WHO." 
+ (invoke "openssl" "req" "-newkey" "rsa:4096" + "-nodes" ;no password + "-subj" + (format #false "/C=DE/ST=Berlin/L=Berlin/O=GNU Guix/OU=Cuirass/CN=~a" who) + "-keyout" (key-file who) + "-out" (csr-file who))) + +(define* (generate-client-certificate! who #:key (expiry 365)) + "Generate a client certificate for WHO." + (invoke "openssl" "x509" "-req" + "-in" (csr-file who) + "-CA" CA-cert + "-CAkey" CA-key + "-out" (client-cert-file who) + "-days" (number->string expiry))) + +(define (export-p12! who) + (invoke "openssl" "pkcs12" "-export" + "-in" (client-cert-file who) + "-inkey" (key-file who) + "-out" (exported-cert-file who))) + +(define (main args) + (match (command-line) + ((script) + (set-program-arguments (list script (or (getenv "SUDO_USER") + (getenv "USER")))) + (apply main args)) + ((script who) + (generate-csr! who) + (generate-client-certificate! who) + (export-p12! who)) + ((script . rest) + (format (current-error-port) "usage: ~a [name]~%" script))))
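Review bot: in the Makefile.am hunk, adding etc/new-client-cert.scm to noinst_SCRIPTS does not put it into release tarballs, because Automake only distributes scripts listed with a dist_ prefix (pre-inst-env never needed that since configure generates it). If the script is meant to ship with releases, use `dist_noinst_SCRIPTS = etc/new-client-cert.scm` or list it in EXTRA_DIST; if it is intended for git checkouts only, a short comment saying so would avoid the question next time.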
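Review bot: the new Authentication chapter in doc/cuirass.texi tells the reader to select their @file{.pk12} file, but the script writes the PKCS#12 bundle with a @file{.p12} suffix (exported-cert-file appends ".p12"), so the text should say @file{.p12}. The same paragraph should also say what `sudo -E ./etc/new-client-cert.scm` leaves behind: a WHO.key written unencrypted (openssl req -nodes), plus WHO.csr and WHO.crt, all created as root in the current directory; advise readers to delete or lock down the .key file once the .p12 is imported, since the browser only needs the .p12. Minor wording: "requires to run as root" reads better as "must run as root", and "select to your" as "select your".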
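Review bot: in etc/new-client-cert.scm, main ignores its args parameter and re-reads (command-line), so the (script) branch's (apply main args) actually calls main with the script name as a bare string and only works because set-program-arguments was called first; matching on args and recursing with (main (list script who)) would be clearer and would not depend on mutating the program arguments. The usage branch ((script . rest) ...) prints to stderr but returns normally, so a bad invocation exits 0; add (exit 1) after the format call. The header comment ";;;; cuirass.scm -- Cuirass public interface." was carried over from another file and should name this script. In generate-client-certificate!, `openssl x509 -req -CA ... -CAkey ...` needs a CA serial file on OpenSSL versions that do not create one automatically, so pass -CAcreateserial (or -CAserial with a path under /etc/ssl-ca) to keep the first run on a fresh CA from failing, and consider an -extfile with extendedKeyUsage = clientAuth since x509 -req does not carry extensions over from the CSR. In generate-csr!, WHO is interpolated into the subject DN unescaped, so a SUDO_USER containing `/` or `=` would alter the DN; check it against the characters you expect before building the subject, and the hard-coded "/C=DE/ST=Berlin/L=Berlin/O=GNU Guix" part should probably be overridable for deployments that are not the Guix project's own. Finally, all output files are created as root with the caller's umask in the caller's directory; chown them to SUDO_USER and chmod 600 the .key and .p12 so the unencrypted private key is not left group- or world-readable.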