#!/usr/bin/env nix-shell
#!nix-shell -i bash -p ripgrep oath-toolkit
#
# Dev helper for a local kanidm instance: resets the two admin accounts,
# starts a throwaway kanidm tools container, then seeds test persons, a
# group, a loosened credential policy and an OAuth2 client.
# Requires podman, a running container named "kanidm", and ./client.toml
# in the working directory (it is bind-mounted into the client container).

set -e
set -u
set -o pipefail

# Password given to every seeded test person. Test fixture only; it is fed
# into the container's interactive credential prompt further down.
FAKE_PASSWORD='f0rTkN0x1s_cool'
# Run a command inside the running "kanidm" server container.
# Arguments: the command line to execute in the container.
# Note: -t allocates a pseudo-TTY even when the caller captures stdout with
# $(...); should captured text ever contain stray \r, this is the likely cause.
kdrun() {
  podman exec -it kanidm "$@"
}
echo "Resetting kanidm admin credentials"

# Have kanidmd reset one account and return the fresh password it prints.
# Arguments: $1 - account name (admin or idm_admin)
# Outputs:   the new password on stdout
# Under pipefail a non-matching rg (exit 1) fails the whole substitution,
# so a changed kanidmd output format aborts the script via set -e rather
# than silently leaving an empty password.
recover_account_password() {
  kdrun kanidmd recover-account "$1" | rg '.*new_password: "([^"]+)"' -r '$1'
}

admin_password="$(recover_account_password admin)"
idm_password="$(recover_account_password idm_admin)"

# These are deliberately shown to the operator; keep this script's stdout
# out of shared logs or CI output.
echo "admin password: $admin_password"
echo "idm_admin password: $idm_password"
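# Start a kanidm client (tools image) in the background for an hour so the
# steps below can `podman exec` into it.
#
# A leftover container with the same name makes `podman run --name` fail.
# Previously `kill` relied on --rm plus a fixed 0.2s sleep for the removal to
# finish, which races; `rm -f` on the (now stopped) container returns only
# once it is gone, or fails harmlessly if the --rm cleanup already did it.
podman kill kanidm-client >/dev/null 2>&1 || true
podman rm -f kanidm-client >/dev/null 2>&1 || true

# NOTE: the image is pinned by tag, not digest; tags are mutable, so pin a
# @sha256 digest if this environment needs to be reproducible.
# client.toml is read from $PWD, so run this script from its directory.
podman run -itd --rm \
  --network host \
  --name kanidm-client \
  -v "$PWD/client.toml:/root/.config/kanidm:ro" \
  docker.io/kanidm/tools:1.3.1 \
  bash -c 'sleep 3600' \
  >/dev/null 2>&1
# Short settle time before the first exec below (kept from the original;
# `podman run -d` should already return with the container started).
sleep 0.2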
# Run a command inside the background "kanidm-client" tools container.
# Arguments: the command line to execute in the container.
# -i keeps stdin attached so callers can pipe prompt answers in.
krun() {
  podman exec -it kanidm-client "$@"
}
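# Open a CLI session for each admin account inside the client container.
# The password goes over stdin (krun keeps -i), so it never appears on a
# command line or in `ps`. printf instead of echo so a value that starts
# with "-" or contains backslashes is passed through verbatim.
printf '%s\n' "$admin_password" | krun kanidm login -D admin
printf '%s\n' "$idm_password" | krun kanidm login -D idm_admin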
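#######################################
# Create a test person and give it FAKE_PASSWORD by scripting kanidm's
# interactive "credential update" session.
# Globals:   FAKE_PASSWORD (read)
# Arguments: $1 - username; also used to derive display name, legal name
#                 and the @example.com mail address
# Outputs:   the credential-update transcript on stdout, copied to
#            /tmp/create-user-log.txt
# Returns:   non-zero (and, under set -e, aborts) if any kanidm call fails
#######################################
create_user() {
  # local: the original assigned a global and then did an unused `shift`.
  local username="$1"
  echo "Creating person (user) '${username}'..."

  # krun kanidm person delete "$username" --name idm_admin
  krun kanidm person create "$username" "$username user" --name idm_admin
  krun kanidm person update "$username" --legalname "$username Lastname" --mail "${username}@example.com" --name idm_admin

  # Scripted answers for the interactive prompt: choose "pass", type the
  # password twice, commit, confirm, end. The sleeps pace the answers so
  # each arrives after its prompt. The password is written with printf so
  # echo's option/backslash handling can never alter it.
  # NOTE: /tmp/create-user-log.txt is a fixed, predictable path that tee will
  # follow through a symlink; fine on a single-user dev box, but switch to
  # mktemp if this ever runs on a shared host. The commented-out TOTP block
  # reads the TOTP URI back from that same file.
  (
    sleep 0.1
    echo "pass"
    sleep 0.1
    printf '%s\n' "$FAKE_PASSWORD"
    sleep 0.1
    printf '%s\n' "$FAKE_PASSWORD"
    sleep 0.1
    # echo "totp"
    # sleep 0.1
    # echo "totpname"
    # sleep 0.25
    # totp_uri="$(rg 'TOTP URI: (.+)' /tmp/create-user-log.txt -r '$1')"
    # totp_secret="$(echo "$totp_uri" | rg '.*?secret=([^&]+).*' -r '$1')"
    # totp_code="$(oathtool --totp=SHA256 -b "$totp_secret")"
    # echo "$totp_code"
    # sleep 0.1
    echo "commit"
    sleep 0.1
    echo "y"
    sleep 0.1
    echo "end"
  ) | krun kanidm person credential update "$username" --name idm_admin | tee /tmp/create-user-log.txt
}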
# Loosen the account policy for testing: minimum credential type "any" for
# every person, so the password-only credentials seeded below are accepted.
krun kanidm group account-policy credential-type-minimum idm_all_persons any --name idm_admin

# Application name and the group whose members get its admin scopes.
app='yourcloud'
adm_group="${app}--admins"
krun kanidm group create "${adm_group}" --name idm_admin

# Register the OAuth2 client and map the admin group to its scopes.
# The origin is plain http://localhost:3000 — acceptable for local
# development only.
krun kanidm system oauth2 create "${app}" 'Yourcloud' 'http://localhost:3000' --name idm_admin
krun kanidm system oauth2 update-scope-map "${app}" "${adm_group}" admin openid email read --name idm_admin
# TODO: expired/disabled users?
# for u in alice bob user1 user2 user3; do
#   create_user "$u"
# done

# Test persons to seed; each gets FAKE_PASSWORD via create_user.
test_users=(gilfoyle dinesh)
for u in "${test_users[@]}"; do
  create_user "${u}"
done

# add users to groups
# krun kanidm group add-members "$adm_group" gilfoyle --name idm_admin
# krun kanidm group add-members "$adm_group" dinesh --name idm_admin