Subject: [bug#63375] [cuirass] doc: Document authentication.
To: 63375@debbugs.gnu.org
Cc: Maxim Cournoyer, efraim@flashner.co.il
From: Maxim Cournoyer
Date: Mon, 8 May 2023 12:07:45 -0400
Message-Id: <20230508160745.10144-1-maxim.cournoyer@gmail.com>

* etc/new-client-cert.scm: Add script.
* doc/cuirass.texi (Authentication): Document it.
* Makefile.am (noinst_SCRIPTS): Register it.
--- Makefile.am | 2 +- doc/cuirass.texi | 34 ++++++++++++++++ etc/new-client-cert.scm | 90 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 125 insertions(+), 1 deletion(-) create mode 100755 etc/new-client-cert.scm diff --git a/Makefile.am b/Makefile.am index a40a76d..62b0860 100644 --- a/Makefile.am +++ b/Makefile.am @@ -25,7 +25,7 @@ bin_SCRIPTS = \ bin/cuirass -noinst_SCRIPTS = pre-inst-env +noinst_SCRIPTS = pre-inst-env etc/new-client-cert.scm guilesitedir = $(datarootdir)/guile/site/@GUILE_EFFECTIVE_VERSION@ guileobjectdir = $(libdir)/guile/@GUILE_EFFECTIVE_VERSION@/site-ccache diff --git a/doc/cuirass.texi b/doc/cuirass.texi index db46a33..4441996 100644 --- a/doc/cuirass.texi +++ b/doc/cuirass.texi 
@@ -57,6 +57,7 @@ Documentation License''. * Parameters:: Cuirass parameters. * Build modes:: Build modes. * Invocation:: How to run Cuirass. +* Authentication:: Configuring TLS authentication. * Web API:: Description of the Web API. * Database:: About the database schema. 
@@ -711,6 +712,39 @@ Display the actual version of @code{cuirass}. Display an help message that summarize all the options provided. @end table +@c ********************************************************************* +@node Authentication +@chapter Authentication +@cindex authentication + +It is necessary to be authenticated to accomplish some of the actions +exposed via the web interface of Cuirass, such as cancelling or +restarting a build. The authentication mechanism of Cuirass currently +relies on the use of a private TLS certificate authority. + +To automate the creation of new user certificates, the +@file{etc/new-client-cert.scm} Guile script can be used. It requires +the @command{guix} command to be available and a preexisting certificate +authority at @file{/etc/ssl-ca}. To issue a new user certificate, run +it from your home directory with: + +@example +sudo -E ./etc/new-client-cert.scm +@end example + +You will be asked to input the password for the CA private key, if any, +and again for your new certificate; save it carefully. The script +requires to run as root to have access to the private certificate +authority key; it outputs the new user certificate files in various +formats to the current working directory. + +After your new certificate is generated, it needs to be registered with +your web browser. To do so using GNU IceCat, for example, you can +navigate to @samp{Parameters -> Security -> Show certificates} and then +click the @samp{Import...} button and select to your @file{.pk12} +personal certificate file. You should now be authenticated to perform +privileged actions via the web interface of Cuirass. + @c ********************************************************************* @node Web API @chapter Web API diff --git a/etc/new-client-cert.scm b/etc/new-client-cert.scm new file mode 100755 index 0000000..fa8ac5c --- /dev/null +++ b/etc/new-client-cert.scm 
@@ -0,0 +1,90 @@ +#!/usr/bin/env -S guix shell guile openssl -- guile \\ +--no-auto-compile -e main -s +!# +;;;; cuirass.scm -- Cuirass public interface. +;;; Copyright © 2023 Ricardo Wurmus +;;; +;;; This file is part of Cuirass. +;;; +;;; Cuirass is free software: you can redistribute it and/or modify +;;; it under the terms of the GNU General Public License as published by +;;; the Free Software Foundation, either version 3 of the License, or +;;; (at your option) any later version. +;;; +;;; Cuirass is distributed in the hope that it will be useful, +;;; but WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with Cuirass. If not, see . + +(use-modules (ice-9 match) + (guix build utils)) + +(define %CA-directory + "/etc/ssl-ca") + +(define CA-key + (string-append %CA-directory "/private/ca.key")) +(define CA-cert + (string-append %CA-directory "/certs/ca.crt")) + +(define* (output who file) + (string-append (getcwd) "/" who file)) + +(define (key-file who) + "Return the absolute file name of the key file for WHO." + (output who ".key")) + +(define (csr-file who) + "Return the absolute file name of the CSR file for WHO." + (output who ".csr")) + +(define (client-cert-file who) + "Return the absolute file name of the client certificate file for +WHO." + (output who ".crt")) + +(define (exported-cert-file who) + "Return the absolute file name of the pkcs12 client certificate file +for WHO. This is the file that users should import into their +browsers." + (output who ".p12")) + +(define (generate-csr! who) + "Generate a new certificate signing request and key for WHO." 
+ (invoke "openssl" "req" "-newkey" "rsa:4096" + "-nodes" ;no password + "-subj" + (format #false "/C=DE/ST=Berlin/L=Berlin/O=GNU Guix/OU=Cuirass/CN=~a" who) + "-keyout" (key-file who) + "-out" (csr-file who))) + +(define* (generate-client-certificate! who #:key (expiry 365)) + "Generate a client certificate for WHO." + (invoke "openssl" "x509" "-req" + "-in" (csr-file who) + "-CA" CA-cert + "-CAkey" CA-key + "-out" (client-cert-file who) + "-days" (number->string expiry))) + +(define (export-p12! who) + (invoke "openssl" "pkcs12" "-export" + "-in" (client-cert-file who) + "-inkey" (key-file who) + "-out" (exported-cert-file who))) + +(define (main args) + (match (command-line) + ((script) + (set-program-arguments (list script (or (getenv "SUDO_USER") + (getenv "USER")))) + (apply main args)) + ((script who) + (generate-csr! who) + (generate-client-certificate! who) + (export-p12! who)) + ((script . rest) + (format (current-error-port) "usage: ~a [name]~%" script)))) base-commit: cf4e3e4ac4a9c8d6f0d82b0a173826f15bbca7f3 -- 2.39.2 From unknown Sun Jun 22 07:59:05 2025 X-Loop: help-debbugs@gnu.org Subject: [bug#63375] [cuirass v2] doc: Document authentication. 
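Review bot: the last paragraph of the new Authentication chapter in doc/cuirass.texi tells the reader to import a @file{.pk12} file, but exported-cert-file in etc/new-client-cert.scm writes who.p12, so the extension should read @file{.p12}. The same sentence has a stray word in "select to your". The password paragraph says a password is asked "again for your new certificate", while generate-csr! passes -nodes, so the only new secret is the export password requested by openssl pkcs12 -export; naming it as the PKCS#12 export password would tell users which secret they are expected to keep.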
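Review bot: in etc/new-client-cert.scm, who comes from the command line (or SUDO_USER/USER) and is spliced unchecked into the -subj string in generate-csr! and into the file names built by output, while the script runs as root. A name containing "/" adds components to the subject DN and moves the output path away from the working directory; rejecting anything outside a conservative set such as letters, digits, "-", "_" and "." before the first invoke would close that. The header comment still reads "cuirass.scm -- Cuirass public interface." and should describe this script, and output uses define* without optional or keyword arguments, so plain define is enough.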
In-Reply-To: <20230508160745.10144-1-maxim.cournoyer@gmail.com>
To: 63375@debbugs.gnu.org
Cc: Maxim Cournoyer, rekado@elephly.net, othacehe@gnu.org, efraim@flashner.co.il
From: Maxim Cournoyer
Date: Mon, 8 May 2023 13:07:01 -0400
Message-Id: <20230508170701.11548-1-maxim.cournoyer@gmail.com>

* etc/new-client-cert.scm: Add script.
* doc/cuirass.texi (Authentication): Document it.
* Makefile.am (noinst_SCRIPTS): Register it.
--- Makefile.am | 2 +- doc/cuirass.texi | 34 ++++++++++++++++ etc/new-client-cert.scm | 90 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 125 insertions(+), 1 deletion(-) create mode 100755 etc/new-client-cert.scm diff --git a/Makefile.am b/Makefile.am index a40a76d..62b0860 100644 --- a/Makefile.am +++ b/Makefile.am @@ -25,7 +25,7 @@ bin_SCRIPTS = \ bin/cuirass -noinst_SCRIPTS = pre-inst-env +noinst_SCRIPTS = pre-inst-env etc/new-client-cert.scm guilesitedir = $(datarootdir)/guile/site/@GUILE_EFFECTIVE_VERSION@ guileobjectdir = $(libdir)/guile/@GUILE_EFFECTIVE_VERSION@/site-ccache diff --git a/doc/cuirass.texi b/doc/cuirass.texi index db46a33..4441996 100644 --- a/doc/cuirass.texi +++ b/doc/cuirass.texi @@ -57,6 +57,7 @@ Documentation License''. * Parameters:: Cuirass parameters. * Build modes:: Build modes. * Invocation:: How to run Cuirass. +* Authentication:: Configuring TLS authentication. * Web API:: Description of the Web API. * Database:: About the database schema. 
@@ -711,6 +712,39 @@ Display the actual version of @code{cuirass}. Display an help message that summarize all the options provided. @end table +@c ********************************************************************* +@node Authentication +@chapter Authentication +@cindex authentication + +It is necessary to be authenticated to accomplish some of the actions +exposed via the web interface of Cuirass, such as cancelling or +restarting a build. The authentication mechanism of Cuirass currently +relies on the use of a private TLS certificate authority. + +To automate the creation of new user certificates, the +@file{etc/new-client-cert.scm} Guile script can be used. It requires +the @command{guix} command to be available and a preexisting certificate +authority at @file{/etc/ssl-ca}. To issue a new user certificate, run +it from your home directory with: + +@example +sudo -E ./etc/new-client-cert.scm +@end example + +You will be asked to input the password for the CA private key, if any, +and again for your new certificate; save it carefully. The script +requires to run as root to have access to the private certificate +authority key; it outputs the new user certificate files in various +formats to the current working directory. + +After your new certificate is generated, it needs to be registered with +your web browser. To do so using GNU IceCat, for example, you can +navigate to @samp{Parameters -> Security -> Show certificates} and then +click the @samp{Import...} button and select to your @file{.pk12} +personal certificate file. You should now be authenticated to perform +privileged actions via the web interface of Cuirass. + @c ********************************************************************* @node Web API @chapter Web API diff --git a/etc/new-client-cert.scm b/etc/new-client-cert.scm new file mode 100755 index 0000000..fa8ac5c --- /dev/null +++ b/etc/new-client-cert.scm 
@@ -0,0 +1,90 @@ +#!/usr/bin/env -S guix shell guile openssl -- guile \\ +--no-auto-compile -e main -s +!# +;;;; cuirass.scm -- Cuirass public interface. +;;; Copyright © 2023 Ricardo Wurmus +;;; +;;; This file is part of Cuirass. +;;; +;;; Cuirass is free software: you can redistribute it and/or modify +;;; it under the terms of the GNU General Public License as published by +;;; the Free Software Foundation, either version 3 of the License, or +;;; (at your option) any later version. +;;; +;;; Cuirass is distributed in the hope that it will be useful, +;;; but WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with Cuirass. If not, see . + +(use-modules (ice-9 match) + (guix build utils)) + +(define %CA-directory + "/etc/ssl-ca") + +(define CA-key + (string-append %CA-directory "/private/ca.key")) +(define CA-cert + (string-append %CA-directory "/certs/ca.crt")) + +(define* (output who file) + (string-append (getcwd) "/" who file)) + +(define (key-file who) + "Return the absolute file name of the key file for WHO." + (output who ".key")) + +(define (csr-file who) + "Return the absolute file name of the CSR file for WHO." + (output who ".csr")) + +(define (client-cert-file who) + "Return the absolute file name of the client certificate file for +WHO." + (output who ".crt")) + +(define (exported-cert-file who) + "Return the absolute file name of the pkcs12 client certificate file +for WHO. This is the file that users should import into their +browsers." + (output who ".p12")) + +(define (generate-csr! who) + "Generate a new certificate signing request and key for WHO." 
+ (invoke "openssl" "req" "-newkey" "rsa:4096" + "-nodes" ;no password + "-subj" + (format #false "/C=DE/ST=Berlin/L=Berlin/O=GNU Guix/OU=Cuirass/CN=~a" who) + "-keyout" (key-file who) + "-out" (csr-file who))) + +(define* (generate-client-certificate! who #:key (expiry 365)) + "Generate a client certificate for WHO." + (invoke "openssl" "x509" "-req" + "-in" (csr-file who) + "-CA" CA-cert + "-CAkey" CA-key + "-out" (client-cert-file who) + "-days" (number->string expiry))) + +(define (export-p12! who) + (invoke "openssl" "pkcs12" "-export" + "-in" (client-cert-file who) + "-inkey" (key-file who) + "-out" (exported-cert-file who))) + +(define (main args) + (match (command-line) + ((script) + (set-program-arguments (list script (or (getenv "SUDO_USER") + (getenv "USER")))) + (apply main args)) + ((script who) + (generate-csr! who) + (generate-client-certificate! who) + (export-p12! who)) + ((script . rest) + (format (current-error-port) "usage: ~a [name]~%" script)))) base-commit: cf4e3e4ac4a9c8d6f0d82b0a173826f15bbca7f3 -- 2.39.2 From unknown Sun Jun 22 07:59:05 2025 X-Loop: help-debbugs@gnu.org Subject: [bug#63375] [cuirass v3] doc: Document authentication. 
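Review bot: generate-csr! in etc/new-client-cert.scm writes the client private key with -nodes, so who.key stays unencrypted in the working directory after export-p12! has bundled it into who.p12, next to who.csr. The documentation hunk only says the files are written "in various formats"; either delete the .key and .csr files once the export succeeds, or document that the .p12 file is the one to import and that the others should be removed or protected. Because the script runs under sudo, the four output files are also created owned by root, so the invoking user may be unable to read them without a chown to the SUDO_USER account.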
In-Reply-To: <20230508160745.10144-1-maxim.cournoyer@gmail.com>
To: 63375@debbugs.gnu.org
Cc: Maxim Cournoyer, rekado@elephly.net, othacehe@gnu.org, efraim@flashner.co.il
From: Maxim Cournoyer
Date: Thu, 11 May 2023 00:34:52 -0400
Message-Id: <20230511043452.14263-1-maxim.cournoyer@gmail.com>

* etc/new-client-cert.scm: Add script.
* doc/cuirass.texi (Authentication): Document it.
* Makefile.am (noinst_SCRIPTS): Register it.
--- Makefile.am | 2 +- doc/cuirass.texi | 86 ++++++++++++++++++++++++++++ etc/new-client-cert.scm | 121 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 208 insertions(+), 1 deletion(-) create mode 100755 etc/new-client-cert.scm diff --git a/Makefile.am b/Makefile.am index a40a76d..62b0860 100644 --- a/Makefile.am +++ b/Makefile.am @@ -25,7 +25,7 @@ bin_SCRIPTS = \ bin/cuirass -noinst_SCRIPTS = pre-inst-env +noinst_SCRIPTS = pre-inst-env etc/new-client-cert.scm guilesitedir = $(datarootdir)/guile/site/@GUILE_EFFECTIVE_VERSION@ guileobjectdir = $(libdir)/guile/@GUILE_EFFECTIVE_VERSION@/site-ccache diff --git a/doc/cuirass.texi b/doc/cuirass.texi index db46a33..728ca7f 100644 --- a/doc/cuirass.texi +++ b/doc/cuirass.texi @@ -13,6 +13,7 @@ Copyright @copyright{} 2016, 2017 Mathieu Lirzin@* Copyright @copyright{} 2017, 2020, 2021 Mathieu Othacehe@* Copyright @copyright{} 2018, 2021 Ludovic Courtès@* Copyright @copyright{} 2018 Clément Lassieur +Copyright @copyright{} 2023 Maxim Cournoyer@* @quotation Permission is granted to copy, distribute and/or modify this document 
@@ -57,6 +58,7 @@ Documentation License''. * Parameters:: Cuirass parameters. * Build modes:: Build modes. * Invocation:: How to run Cuirass. +* Authentication:: Configuring TLS authentication. * Web API:: Description of the Web API. * Database:: About the database schema. 
@@ -711,6 +713,90 @@ Display the actual version of @code{cuirass}. Display an help message that summarize all the options provided. @end table +@c ********************************************************************* +@node Authentication +@chapter Authentication +@cindex authentication + +Cuirass does not provide its own authentication mechanism; by default, +any user can do anything via its web interface. To restrict this to +only authorized users, one approach is to proxy the Cuirass web site via +a web server such as Nginx and configure the web server to require +client certificate verification for pages under the @samp{/admin} +prefix. The following minimal Nginx configuration can be used to +accomplish this on a Guix System: + +@lisp +(service nginx-service-type + (nginx-configuration + (server-blocks + (list + ;; TLS is required for authentication; serve the site via + ;; HTTPS only. + (nginx-server-configuration + (listen '("80")) + (raw-content + (list "return 308 https://$host$request_uri;"))) + + (nginx-server-configuration + (listen '("443 ssl")) + (server-name '("ci.your-host.org")) + (ssl-certificate "/etc/certs/ci.your-host.org.crt") + (ssl-certificate-key "/etc/certs/ci.your-host.org.key") + (locations + (list + ;; Proxy the whole Cuirass web site... + (nginx-location-configuration + (uri "/") + (body (list "proxy_pass http://localhost:8081;"))) + ;; ... but require authentication for the admin pages. + (nginx-location-configuration + (uri "~ ^/admin") + (body + (list "if ($ssl_client_verify != SUCCESS) \ +@{ return 403; @} proxy_pass http://localhost:8081;"))))) + (raw-content + ;; Register your self-generated certificate authority. + (list "ssl_client_certificate /etc/ssl-ca/certs/ca.crt;" + "ssl_verify_client optional;"))))))) +@end lisp + +Your host TLS certificate could have been obtained via Let's Encrypt or +directly via the @command{openssl} command, among other means. 
To +create a private certificate authority (CA) that can sign user +certificates, a convenience script is provided. It's main requirement +is to have the @command{guix} command available. It can be invoked +like: + +@example +sudo -E ./etc/new-client-cert.scm --generate-ca +@end example + +It should generate the @file{/etc/ssl-ca/private/ca.key} private key as +well as the @file{/etc/ssl-ca/certs/ca.crt} certificate authority as +used in the Nginx configuration above. + +To issue a new user certificate, run the same script from your home +directory with: + +@example +sudo -E ./etc/new-client-cert.scm +@end example + +You will be asked to input the password for the CA private key, if any, +and again for your new certificate; save it carefully. The script +requires to run as root to have access to the private certificate +authority key; it outputs the new user certificate files to the current +working directory. + +After your new CA-signed user certificate is generated, it needs to be +registered with your web browser. To do so using GNU IceCat, for +example, you can navigate to @samp{Parameters -> Security -> Show +certificates} and then click the @samp{Import...} button and select your +@file{.pk12} personal certificate file. The web interface of Cuirass +should now only allow authenticated users to perform administrative +tasks. + @c ********************************************************************* @node Web API @chapter Web API diff --git a/etc/new-client-cert.scm b/etc/new-client-cert.scm new file mode 100755 index 0000000..4fac772 --- /dev/null +++ b/etc/new-client-cert.scm 
@@ -0,0 +1,121 @@ +#!/usr/bin/env -S guix shell guile openssl -- guile \\ +--no-auto-compile -e main -s +!# +;;;; cuirass.scm -- Cuirass public interface. +;;; Copyright © 2023 Ricardo Wurmus +;;; Copyright © 2023 Maxim Cournoyer +;;; +;;; This file is part of Cuirass. +;;; +;;; Cuirass is free software: you can redistribute it and/or modify +;;; it under the terms of the GNU General Public License as published by +;;; the Free Software Foundation, either version 3 of the License, or +;;; (at your option) any later version. +;;; +;;; Cuirass is distributed in the hope that it will be useful, +;;; but WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with Cuirass. If not, see . + +(use-modules (ice-9 format) + (ice-9 match) + (guix build utils)) + +(define %user (or (getenv "SUDO_USER") + (getenv "USER"))) + +(define %user-id (passwd:uid (getpwnam %user))) + +(define %group-id (passwd:gid (getpwnam %user))) + +(define %CA-directory + "/etc/ssl-ca") + +(define subject-template + "/C=DE/ST=Berlin/L=Berlin/O=GNU Guix/OU=Cuirass/CN=~a") + +(define CA-key + (string-append %CA-directory "/private/ca.key")) +(define CA-cert + (string-append %CA-directory "/certs/ca.crt")) + +(define* (output who file) + (string-append (getcwd) "/" who file)) + +(define (key-file who) + "Return the absolute file name of the key file for WHO." + (output who ".key")) + +(define (csr-file who) + "Return the absolute file name of the CSR file for WHO." + (output who ".csr")) + +(define (client-cert-file who) + "Return the absolute file name of the client certificate file for +WHO." + (output who ".crt")) + +(define (exported-cert-file who) + "Return the absolute file name of the pkcs12 client certificate file +for WHO. This is the file that users should import into their +browsers." 
+ (output who ".p12")) + +(define (generate-ca!) + "Generate a private certificate authority (CA) valid for 10 years." + (mkdir-p (dirname CA-key)) + (mkdir-p (dirname CA-cert)) + (invoke "openssl" "req" "-newkey" "rsa" "-x509" "-days" "3650" + "-noenc" ;no password + "-subj" (format #false "~@?" subject-template "Cuirass CA") + "-keyout" CA-key "-out" CA-cert)) + +(define (generate-csr! who) + "Generate a new certificate signing request and key for WHO." + (let ((key (key-file who)) + (csr (csr-file who))) + (invoke "openssl" "req" "-newkey" "rsa" + "-noenc" ;no password + "-subj" (format #false "~@?" subject-template who) + "-keyout" key + "-out" csr) + (chown key %user-id %group-id) + (chown csr %user-id %group-id))) + +(define* (generate-client-certificate! who #:key (expiry 365)) + "Generate a client certificate for WHO." + (let ((cert (client-cert-file who))) + (invoke "openssl" "x509" "-req" + "-in" (csr-file who) + "-CA" CA-cert + "-CAkey" CA-key + "-out" cert + "-days" (number->string expiry)) + (chown cert %user-id %group-id))) + +(define (export-p12! who) + (let ((key (key-file who)) + (exported-cert (exported-cert-file who))) + (invoke "openssl" "pkcs12" "-export" + "-in" (client-cert-file who) + "-inkey" key + "-out" exported-cert) + (chown key %user-id %group-id) + (chown exported-cert %user-id %group-id))) + +(define (main args) + (match (command-line) + ((script) + (set-program-arguments (list script %user)) + (apply main args)) + ((script "--generate-ca") + (generate-ca!)) + ((script who) + (generate-csr! who) + (generate-client-certificate! who) + (export-p12! who)) + ((script . rest) + (format (current-error-port) "usage: ~a [--generate-ca|name]~%" script)))) base-commit: cf4e3e4ac4a9c8d6f0d82b0a173826f15bbca7f3 -- 2.39.2 From unknown Sun Jun 22 07:59:05 2025 X-Loop: help-debbugs@gnu.org Subject: [bug#63375] [cuirass v3] doc: Document authentication. 
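Review bot: in the Nginx example in doc/cuirass.texi, client-certificate enforcement exists only in the "~ ^/admin" location, and the chapter opens by stating that Cuirass itself lets any user do anything, so the protection holds only if port 8081 cannot be reached except through the proxy. A sentence saying that Cuirass should listen on the loopback interface only, matching proxy_pass http://localhost:8081, would make that assumption explicit. In the prose after the example, "It's main requirement" should be "Its main requirement", the file to import is still called @file{.pk12} although exported-cert-file writes who.p12, and the password paragraph could say that a CA made with --generate-ca has no passphrase, since generate-ca! uses -noenc.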
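Review bot: generate-ca! in etc/new-client-cert.scm writes CA-key and CA-cert unconditionally, so running the script with --generate-ca a second time replaces the existing authority and client certificates issued earlier no longer chain to the CA that Nginx loads from /etc/ssl-ca/certs/ca.crt; a (file-exists? CA-key) check that refuses to continue would prevent that. The CA key is written with -noenc into a directory made by mkdir-p with the default mode, so consider creating /etc/ssl-ca/private with mode 700, or dropping -noenc for the CA key. Both -newkey calls changed from "rsa:4096" in the earlier revision to plain "rsa", which leaves the key size to the OpenSSL default; if that is intended for a CA valid for 10 years, say so in the commit message, otherwise keep the explicit size. The chown of key in export-p12! repeats the one already done in generate-csr!.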
From: Simon Tournier
Date: Tue, 16 May 2023 14:23:19 +0200
Message-ID: <86fs7w79e0.fsf@gmail.com>
In-Reply-To: <20230511043452.14263-1-maxim.cournoyer@gmail.com>

Hi Maxim,

On Thu, 11 May 2023 at 00:34, Maxim Cournoyer wrote:

> * etc/new-client-cert.scm: Add script.
> * doc/cuirass.texi (Authentication): Document it.
> * Makefile.am (noinst_SCRIPTS): Register it.

Well, this LGTM.  For what my eyes are worth on this topic. :-)

Cheers,
simon

From unknown Sun Jun 22 07:59:05 2025
Subject: [bug#63375] [cuirass v3] doc: Document authentication.
From: Maxim Cournoyer
Date: Thu, 18 May 2023 23:54:45 -0400
Message-ID: <875y8pkmbe.fsf@gmail.com>
In-Reply-To: <86fs7w79e0.fsf@gmail.com> (Simon Tournier's message of "Tue, 16 May 2023 14:23:19 +0200")

Hi Simon,

Simon Tournier writes:

> Hi Maxim,
>
> On Thu, 11 May 2023 at 00:34, Maxim Cournoyer wrote:
>
>> * etc/new-client-cert.scm: Add script.
>> * doc/cuirass.texi (Authentication): Document it.
>> * Makefile.am (noinst_SCRIPTS): Register it.
>
> Well, this LGTM.  For what my eyes are worth on this topic. :-)

Thanks!  I am not in the .guix-authorizations of the Cuirass repo, so
I'll need one of the Shepherd committers (CC'd) to install the change.

-- 
Thanks,
Maxim

From unknown Sun Jun 22 07:59:05 2025
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Maxim Cournoyer
Subject: bug#63375: closed (Re: bug#63375: [cuirass] doc: Document authentication.)
Date: Wed, 14 Jun 2023 21:18:02 +0000
Content-Type: multipart/mixed; boundary="----------=_1686777482-19564-1"

This is a multi-part message in MIME format...

------------=_1686777482-19564-1
Content-Type: text/plain; charset="utf-8"

Your bug report

#63375: [cuirass] doc: Document authentication.

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 63375@debbugs.gnu.org.

-- 
63375: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=63375
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

------------=_1686777482-19564-1
Content-Type: message/rfc822
From: Ludovic Courtès
To: Maxim Cournoyer
Cc: rekado@elephly.net, 63375-done@debbugs.gnu.org, efraim@flashner.co.il, othacehe@gnu.org
Subject: Re: bug#63375: [cuirass] doc: Document authentication.
Date: Wed, 14 Jun 2023 23:17:15 +0200
Message-ID: <87cz1xrbfo.fsf_-_@gnu.org>
In-Reply-To: <20230511043452.14263-1-maxim.cournoyer@gmail.com> (Maxim Cournoyer's message of "Thu, 11 May 2023 00:34:52 -0400")

Hi Maxim,

Maxim Cournoyer writes:

> * etc/new-client-cert.scm: Add script.
> * doc/cuirass.texi (Authentication): Document it.
> * Makefile.am (noinst_SCRIPTS): Register it.

I had completely overlooked this patch; great work!  Applied now.

BTW, if you’re interested, I can add you to ‘.guix-authorizations’ of
course; we need to increase the bus factor.  Let me know what you think!

Thanks, and apologies for the delay.

Ludo’.
------------=_1686777482-19564-1
Content-Type: message/rfc822
From: Maxim Cournoyer To: guix-patches@gnu.org Subject: [cuirass] doc: Document authentication. Date: Mon, 8 May 2023 12:07:45 -0400 Message-Id: <20230508160745.10144-1-maxim.cournoyer@gmail.com> X-Mailer: git-send-email 2.39.2 MIME-Version: 1.0 X-Debbugs-CC: rekado@elephly.net X-Debbugs-CC: othacehe@gnu.org X-Debbugs-CC: efraim@flashner.co.il Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2607:f8b0:4864:20::834; envelope-from=maxim.cournoyer@gmail.com; helo=mail-qt1-x834.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: -1.3 (-) X-Debbugs-Envelope-To: submit Cc: Maxim Cournoyer X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.3 (--) * etc/new-client-cert.scm: Add script. * doc/cuirass.texi (Authentication): Document it. * Makefile.am (noinst_SCRIPTS): Register it. --- Makefile.am | 2 +- doc/cuirass.texi | 34 ++++++++++++++++ etc/new-client-cert.scm | 90 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 125 insertions(+), 1 deletion(-) create mode 100755 etc/new-client-cert.scm diff --git a/Makefile.am b/Makefile.am index a40a76d..62b0860 100644 --- a/Makefile.am +++ b/Makefile.am @@ -25,7 +25,7 @@ bin_SCRIPTS = \ bin/cuirass -noinst_SCRIPTS = pre-inst-env +noinst_SCRIPTS = pre-inst-env etc/new-client-cert.scm guilesitedir = $(datarootdir)/guile/site/@GUILE_EFFECTIVE_VERSION@ guileobjectdir = $(libdir)/guile/@GUILE_EFFECTIVE_VERSION@/site-ccache 
diff --git a/doc/cuirass.texi b/doc/cuirass.texi index db46a33..4441996 100644 --- a/doc/cuirass.texi +++ b/doc/cuirass.texi @@ -57,6 +57,7 @@ Documentation License''. * Parameters:: Cuirass parameters. * Build modes:: Build modes. * Invocation:: How to run Cuirass. +* Authentication:: Configuring TLS authentication. * Web API:: Description of the Web API. * Database:: About the database schema. 
@@ -711,6 +712,39 @@ Display the actual version of @code{cuirass}. Display an help message that summarize all the options provided. @end table +@c ********************************************************************* +@node Authentication +@chapter Authentication +@cindex authentication + +It is necessary to be authenticated to accomplish some of the actions +exposed via the web interface of Cuirass, such as cancelling or +restarting a build. The authentication mechanism of Cuirass currently +relies on the use of a private TLS certificate authority. + +To automate the creation of new user certificates, the +@file{etc/new-client-cert.scm} Guile script can be used. It requires +the @command{guix} command to be available and a preexisting certificate +authority at @file{/etc/ssl-ca}. To issue a new user certificate, run +it from your home directory with: + +@example +sudo -E ./etc/new-client-cert.scm +@end example + +You will be asked to input the password for the CA private key, if any, +and again for your new certificate; save it carefully. The script +requires to run as root to have access to the private certificate +authority key; it outputs the new user certificate files in various +formats to the current working directory. + +After your new certificate is generated, it needs to be registered with +your web browser. To do so using GNU IceCat, for example, you can +navigate to @samp{Parameters -> Security -> Show certificates} and then +click the @samp{Import...} button and select to your @file{.pk12} +personal certificate file. You should now be authenticated to perform +privileged actions via the web interface of Cuirass. + @c ********************************************************************* @node Web API @chapter Web API diff --git a/etc/new-client-cert.scm b/etc/new-client-cert.scm new file mode 100755 index 0000000..fa8ac5c --- /dev/null +++ b/etc/new-client-cert.scm 
@@ -0,0 +1,90 @@ +#!/usr/bin/env -S guix shell guile openssl -- guile \\ +--no-auto-compile -e main -s +!# +;;;; cuirass.scm -- Cuirass public interface. +;;; Copyright © 2023 Ricardo Wurmus +;;; +;;; This file is part of Cuirass. +;;; +;;; Cuirass is free software: you can redistribute it and/or modify +;;; it under the terms of the GNU General Public License as published by +;;; the Free Software Foundation, either version 3 of the License, or +;;; (at your option) any later version. +;;; +;;; Cuirass is distributed in the hope that it will be useful, +;;; but WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with Cuirass. If not, see . + +(use-modules (ice-9 match) + (guix build utils)) + +(define %CA-directory + "/etc/ssl-ca") + +(define CA-key + (string-append %CA-directory "/private/ca.key")) +(define CA-cert + (string-append %CA-directory "/certs/ca.crt")) + +(define* (output who file) + (string-append (getcwd) "/" who file)) + +(define (key-file who) + "Return the absolute file name of the key file for WHO." + (output who ".key")) + +(define (csr-file who) + "Return the absolute file name of the CSR file for WHO." + (output who ".csr")) + +(define (client-cert-file who) + "Return the absolute file name of the client certificate file for +WHO." + (output who ".crt")) + +(define (exported-cert-file who) + "Return the absolute file name of the pkcs12 client certificate file +for WHO. This is the file that users should import into their +browsers." + (output who ".p12")) + +(define (generate-csr! who) + "Generate a new certificate signing request and key for WHO." 
+ (invoke "openssl" "req" "-newkey" "rsa:4096" + "-nodes" ;no password + "-subj" + (format #false "/C=DE/ST=Berlin/L=Berlin/O=GNU Guix/OU=Cuirass/CN=~a" who) + "-keyout" (key-file who) + "-out" (csr-file who))) + +(define* (generate-client-certificate! who #:key (expiry 365)) + "Generate a client certificate for WHO." + (invoke "openssl" "x509" "-req" + "-in" (csr-file who) + "-CA" CA-cert + "-CAkey" CA-key + "-out" (client-cert-file who) + "-days" (number->string expiry))) + +(define (export-p12! who) + (invoke "openssl" "pkcs12" "-export" + "-in" (client-cert-file who) + "-inkey" (key-file who) + "-out" (exported-cert-file who))) + +(define (main args) + (match (command-line) + ((script) + (set-program-arguments (list script (or (getenv "SUDO_USER") + (getenv "USER")))) + (apply main args)) + ((script who) + (generate-csr! who) + (generate-client-certificate! who) + (export-p12! who)) + ((script . rest) + (format (current-error-port) "usage: ~a [name]~%" script)))) base-commit: cf4e3e4ac4a9c8d6f0d82b0a173826f15bbca7f3 -- 2.39.2 ------------=_1686777482-19564-1-- From unknown Sun Jun 22 07:59:05 2025 X-Loop: help-debbugs@gnu.org Subject: [bug#63375] closed (Re: bug#63375: [cuirass] doc: Document authentication.) 
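Review bot: in the Makefile.am hunk, noinst_SCRIPTS entries are neither installed nor distributed by default, so unless etc/new-client-cert.scm is also listed in EXTRA_DIST (not visible in this hunk) the script that the new Authentication chapter points to will be missing from release tarballs. Consider putting it in dist_noinst_SCRIPTS or adding it to EXTRA_DIST.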
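Review bot: the Authentication chapter in doc/cuirass.texi tells the reader to import a @file{.pk12} file, but exported-cert-file in the script writes WHO with a ".p12" suffix, so the documented file name never exists; "select to your" also needs fixing. The text should say that the second password prompt is the PKCS#12 export password, since the client key itself is generated with "-nodes", and the example runs ./etc/new-client-cert.scm "from your home directory", where that relative path only resolves inside a Cuirass checkout.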
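Review bot: WHO reaches both the "-subj" string in generate-csr! and the file names built by output without any check, so a name containing "/" adds subject components after CN= and places the key, CSR and certificate outside the current directory, all while the script runs as root with access to the CA key. Suggest rejecting any WHO outside a conservative character set in main before generate-csr! is called. The header comment still reads "cuirass.scm -- Cuirass public interface" and should describe this script, and the generated files are left owned by root in the caller's directory.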
From: Maxim Cournoyer
Date: Thu, 15 Jun 2023 09:46:12 -0400
Message-ID: <87h6r8vnx7.fsf@gmail.com>

Hi,

help-debbugs@gnu.org (GNU bug Tracking System) writes:

> Your bug report
>
> #63375: [cuirass] doc: Document authentication.
>
> which was filed against the guix-patches package, has been closed.
>
> The explanation is attached below, along with your original report.
> If you require more details, please reply to 63375@debbugs.gnu.org.
>
> -- 
> 63375: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=63375
> GNU Bug Tracking System
> Contact help-debbugs@gnu.org with problems
>
> From: Ludovic Courtès
> Subject: Re: bug#63375: [cuirass] doc: Document authentication.
> To: Maxim Cournoyer
> Cc: rekado@elephly.net, 63375-done@debbugs.gnu.org, efraim@flashner.co.il, othacehe@gnu.org
> Date: Wed, 14 Jun 2023 23:17:15 +0200 (16 hours, 28 minutes, 1 second ago)
>
> Hi Maxim,
>
> Maxim Cournoyer writes:
>
>> * etc/new-client-cert.scm: Add script.
>> * doc/cuirass.texi (Authentication): Document it.
>> * Makefile.am (noinst_SCRIPTS): Register it.
>
> I had completely overlooked this patch; great work!  Applied now.
>
> BTW, if you’re interested, I can add you to ‘.guix-authorizations’ of
> course; we need to increase the bus factor.  Let me know what you think!

I'd be happy to be added to it.  I have at least a small UI bug I'd like
to fix.

> Thanks, and apologies for the delay.

Thank you!

-- 
Maxim