From patchwork Mon May 8 17:07:01 2023
X-Patchwork-Submitter: Maxim Cournoyer
X-Patchwork-Id: 49879
Subject: [bug#63375] [cuirass v2] doc: Document authentication.
References: <20230508160745.10144-1-maxim.cournoyer@gmail.com>
In-Reply-To: <20230508160745.10144-1-maxim.cournoyer@gmail.com>
Resent-From: Maxim Cournoyer
Resent-Date: Mon, 08 May 2023 17:08:02 +0000
To: 63375@debbugs.gnu.org
Cc: Maxim Cournoyer, rekado@elephly.net, othacehe@gnu.org, efraim@flashner.co.il
From: Maxim Cournoyer Date: Mon, 8 May 2023 13:07:01 -0400 Message-Id: <20230508170701.11548-1-maxim.cournoyer@gmail.com> X-Mailer: git-send-email 2.39.2 MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * etc/new-client-cert.scm: Add script. * doc/cuirass.texi (Authentication): Document it. * Makefile.am (noinst_SCRIPTS): Register it. --- Makefile.am | 2 +- doc/cuirass.texi | 34 ++++++++++++++++ etc/new-client-cert.scm | 90 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 125 insertions(+), 1 deletion(-) create mode 100755 etc/new-client-cert.scm base-commit: cf4e3e4ac4a9c8d6f0d82b0a173826f15bbca7f3 diff --git a/Makefile.am b/Makefile.am index a40a76d..62b0860 100644 --- a/Makefile.am +++ b/Makefile.am @@ -25,7 +25,7 @@ bin_SCRIPTS = \ bin/cuirass -noinst_SCRIPTS = pre-inst-env +noinst_SCRIPTS = pre-inst-env etc/new-client-cert.scm guilesitedir = $(datarootdir)/guile/site/@GUILE_EFFECTIVE_VERSION@ guileobjectdir = $(libdir)/guile/@GUILE_EFFECTIVE_VERSION@/site-ccache diff --git a/doc/cuirass.texi b/doc/cuirass.texi index db46a33..4441996 100644 --- a/doc/cuirass.texi +++ b/doc/cuirass.texi @@ -57,6 +57,7 @@ Documentation License''. * Parameters:: Cuirass parameters. * Build modes:: Build modes. * Invocation:: How to run Cuirass. +* Authentication:: Configuring TLS authentication. * Web API:: Description of the Web API. * Database:: About the database schema. 
@@ -711,6 +712,39 @@ Display the actual version of @code{cuirass}. Display an help message that summarize all the options provided. @end table +@c ********************************************************************* +@node Authentication +@chapter Authentication +@cindex authentication + +It is necessary to be authenticated to accomplish some of the actions +exposed via the web interface of Cuirass, such as cancelling or +restarting a build. The authentication mechanism of Cuirass currently +relies on the use of a private TLS certificate authority. + +To automate the creation of new user certificates, the +@file{etc/new-client-cert.scm} Guile script can be used. It requires +the @command{guix} command to be available and a preexisting certificate +authority at @file{/etc/ssl-ca}. To issue a new user certificate, run +it from your home directory with: + +@example +sudo -E ./etc/new-client-cert.scm +@end example + +You will be asked to input the password for the CA private key, if any, +and again for your new certificate; save it carefully. The script +requires to run as root to have access to the private certificate +authority key; it outputs the new user certificate files in various +formats to the current working directory. + +After your new certificate is generated, it needs to be registered with +your web browser. To do so using GNU IceCat, for example, you can +navigate to @samp{Parameters -> Security -> Show certificates} and then +click the @samp{Import...} button and select to your @file{.pk12} +personal certificate file. You should now be authenticated to perform +privileged actions via the web interface of Cuirass. + @c ********************************************************************* @node Web API @chapter Web API diff --git a/etc/new-client-cert.scm b/etc/new-client-cert.scm new file mode 100755 index 0000000..fa8ac5c --- /dev/null +++ b/etc/new-client-cert.scm 
@@ -0,0 +1,90 @@ +#!/usr/bin/env -S guix shell guile openssl -- guile \\ +--no-auto-compile -e main -s +!# +;;;; cuirass.scm -- Cuirass public interface. +;;; Copyright © 2023 Ricardo Wurmus +;;; +;;; This file is part of Cuirass. +;;; +;;; Cuirass is free software: you can redistribute it and/or modify +;;; it under the terms of the GNU General Public License as published by +;;; the Free Software Foundation, either version 3 of the License, or +;;; (at your option) any later version. +;;; +;;; Cuirass is distributed in the hope that it will be useful, +;;; but WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with Cuirass. If not, see . + +(use-modules (ice-9 match) + (guix build utils)) + +(define %CA-directory + "/etc/ssl-ca") + +(define CA-key + (string-append %CA-directory "/private/ca.key")) +(define CA-cert + (string-append %CA-directory "/certs/ca.crt")) + +(define* (output who file) + (string-append (getcwd) "/" who file)) + +(define (key-file who) + "Return the absolute file name of the key file for WHO." + (output who ".key")) + +(define (csr-file who) + "Return the absolute file name of the CSR file for WHO." + (output who ".csr")) + +(define (client-cert-file who) + "Return the absolute file name of the client certificate file for +WHO." + (output who ".crt")) + +(define (exported-cert-file who) + "Return the absolute file name of the pkcs12 client certificate file +for WHO. This is the file that users should import into their +browsers." + (output who ".p12")) + +(define (generate-csr! who) + "Generate a new certificate signing request and key for WHO." 
+ (invoke "openssl" "req" "-newkey" "rsa:4096" + "-nodes" ;no password + "-subj" + (format #false "/C=DE/ST=Berlin/L=Berlin/O=GNU Guix/OU=Cuirass/CN=~a" who) + "-keyout" (key-file who) + "-out" (csr-file who))) + +(define* (generate-client-certificate! who #:key (expiry 365)) + "Generate a client certificate for WHO." + (invoke "openssl" "x509" "-req" + "-in" (csr-file who) + "-CA" CA-cert + "-CAkey" CA-key + "-out" (client-cert-file who) + "-days" (number->string expiry))) + +(define (export-p12! who) + (invoke "openssl" "pkcs12" "-export" + "-in" (client-cert-file who) + "-inkey" (key-file who) + "-out" (exported-cert-file who))) + +(define (main args) + (match (command-line) + ((script) + (set-program-arguments (list script (or (getenv "SUDO_USER") + (getenv "USER")))) + (apply main args)) + ((script who) + (generate-csr! who) + (generate-client-certificate! who) + (export-p12! who)) + ((script . rest) + (format (current-error-port) "usage: ~a [name]~%" script))))
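Review bot: the Makefile.am hunk registers the script under `noinst_SCRIPTS`, which keeps it usable only from a Cuirass source checkout; that matches the documented `./etc/new-client-cert.scm` invocation, but if operators of an installed Cuirass are the intended users, consider installing it (`bin_SCRIPTS`) and, either way, check that it is included in the release tarball (e.g. `dist_noinst_SCRIPTS`), otherwise the documented command will not exist for tarball builds.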
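Review bot: the Authentication chapter hunk and the script disagree on the exported file's extension: the text tells users to import their `@file{.pk12}` file, while `exported-cert-file` in etc/new-client-cert.scm writes `<who>.p12`; change the doc to `@file{.p12}`. The same paragraph says to run the script "from your home directory" but the example is `sudo -E ./etc/new-client-cert.scm`, a path relative to a Cuirass checkout; say where the command is run from. Because `generate-csr!` writes the private key with `-nodes` (unencrypted), the paragraph describing the output files should also tell users to delete or protect the `.key` and `.csr` left in the working directory once the `.p12`, which already bundles the key, has been imported. Wording: "requires to run as root" -> "must run as root"; "select to your" -> "select your".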
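Review bot: in the etc/new-client-cert.scm hunk, the outputs of `generate-csr!` and `export-p12!` are created by root (the doc runs the script under `sudo -E`) in the invoking user's working directory, and the `.key` is unencrypted (`-nodes`); after `export-p12!` the script should `chown` the files to `SUDO_USER` and `chmod` them to 0600 so the user can import the `.p12` without root while nobody else can read the key, and ideally delete `key-file` and `csr-file`, which the `.p12` makes redundant. In `generate-client-certificate!`, `openssl x509 -req -CA ... -CAkey ...` is passed neither `-CAserial` nor `-CAcreateserial`; older OpenSSL releases abort when the serial file next to `ca.crt` does not exist, so pass `-CAcreateserial` explicitly rather than depending on the installed version. No `-extfile` is given, so the issued certificate carries no extensions (no `extendedKeyUsage = clientAuth`); fine if the Cuirass server does not check it, but worth a comment. In `main`, the `(script)` branch falls back to `(or (getenv "SUDO_USER") (getenv "USER"))`, which can be `#f` and then yields a certificate with `CN=#f`; print the usage in that case, and make the `(script . rest)` usage branch `(exit 1)` instead of returning normally. The shebang ends in `\\`; Guile's meta switch expects a single `\` before the newline, so verify this is not a doubled backslash in the committed file. Finally, the header comment still reads `;;;; cuirass.scm -- Cuirass public interface.`, copied from another file; rename it to `new-client-cert.scm` with a one-line description of what it does.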