Demo: ahdapactl CLI

Location: contrib/demo/ahdapactl/

Exercises all major ahdapactl subcommands against a local single-node server. This is the first demo that uses the CLI tool rather than raw curl calls, showcasing the typical admin workflow from session setup through client management, OIDC credential generation, key rotation, HBAC rule lifecycle, and audit log queries.

What it shows

  • Session management — bootstrapping a session, ahdapactl status, and ahdapactl logout.
  • Client lifecycle — creating, showing, listing, and deleting OAuth2 clients via ahdapactl clients create/show/list/delete.
  • OIDC credential generation — all three SSSD authentication methods:
    • client_secret — generates a random secret and prints it with SSSD configuration hints.
    • mtls — generates an EC P-256 key pair, builds a self-signed certificate, packages it into PKCS#12 with a random password, and registers the certificate with the server. Also demonstrates --dry-run mode.
    • private_key_jwt — generates a key pair, builds a self-signed certificate, packages it into PKCS#12, writes a JWKS file, and registers the jwks_uri with the server.
  • Key management — ahdapactl keys list and ahdapactl keys rotate, verifying that the key count increases after rotation.
  • Scope management — ahdapactl scopes list.
  • HBAC rule lifecycle — create, update (add users and scopes), enable, show (verify members), disable, and delete.
  • Audit log — ahdapactl audit list to query recent events.

Prerequisites

  • ahdapa and ahdapactl binaries — the script looks in $PATH first, then target/release/, then target/debug/, and falls back to cargo build if neither is found.
  • python3 — for JSON extraction from CLI output.
  • curl — for session bootstrap (see below).
  • Port 8080 free (or set DEMO_PORT).

Running

# Non-interactive: runs all steps and exits 0 on pass, 1 on failure.
contrib/demo/ahdapactl/run.sh

# Interactive: same steps, then keeps the server running until Ctrl-C.
contrib/demo/ahdapactl/run.sh --interactive

Override the listen port with DEMO_PORT:

DEMO_PORT=9090 contrib/demo/ahdapactl/run.sh

Session bootstrap

ahdapactl login prompts for a password interactively (via /dev/tty), which cannot be automated in a non-interactive script. The demo bootstraps the session by logging in via curl and writing sessions.toml directly into an isolated XDG_CONFIG_HOME. All subsequent commands use ahdapactl with the bootstrapped session. The user’s real ~/.config/ahdapactl/ directory is never touched.

What the script does

  1. Finds both ahdapa and ahdapactl binaries.
  2. Starts the ahdapa server with contrib/demo/ahdapactl/ahdapa.toml and a fresh temporary database.
  3. Bootstraps a session via curl login and writes sessions.toml.
  4. Runs ahdapactl status to verify the session.
  5. Creates, shows, lists, and deletes an OAuth2 client.
  6. Generates client_secret credentials for a new client.
  7. Demonstrates --dry-run for mTLS credential generation (no file written).
  8. Generates real mTLS credentials (PKCS#12 with 0600 permissions).
  9. Generates private_key_jwt credentials (PKCS#12 + JWKS file).
  10. Lists and rotates JWT signing keys.
  11. Lists OAuth2 scopes.
  12. Performs full HBAC lifecycle: create, update, enable, show, disable, delete.
  13. Queries audit events.
  14. Logs out and verifies no sessions remain.
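The binary lookup order from Prerequisites and the isolated session bootstrap described above, as an added POSIX sh example that is not the demo's own run.sh. It assumes a project directory argument; the session file body is a placeholder, not ahdapactl's sessions.toml format.

```shell
#!/bin/sh
# Added example, not part of the ahdapactl demo. Implements the page's
# lookup order ($PATH, target/release/, target/debug/, then cargo build)
# and an isolated XDG_CONFIG_HOME so ~/.config/ahdapactl/ is never touched.

# find_bin NAME [PROJECT_DIR]: prints the resolved binary path or fails.
find_bin() {
    name=$1
    proj=${2:-.}
    if command -v "$name" >/dev/null 2>&1; then
        command -v "$name"
        return 0
    fi
    for dir in "$proj/target/release" "$proj/target/debug"; do
        if [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    # Last resort: a debug build, which cargo places under target/debug/.
    (cd "$proj" && cargo build --bin "$name") >/dev/null 2>&1 || return 1
    [ -x "$proj/target/debug/$name" ] && printf '%s\n' "$proj/target/debug/$name"
}

# make_isolated_config: creates a private config home (mode 0700) and the
# ahdapactl subdirectory inside it; prints the directory to use as XDG_CONFIG_HOME.
make_isolated_config() {
    cfg=$(mktemp -d) || return 1
    mkdir -p "$cfg/ahdapactl" || return 1
    chmod 700 "$cfg" "$cfg/ahdapactl"
    printf '%s\n' "$cfg"
}

# write_session_file CONFIG_HOME BODY: writes sessions.toml under a 077 umask
# so the file is 0600 from creation and a session token is never readable
# by other users. BODY is whatever the login step produced (placeholder here).
write_session_file() {
    path="$1/ahdapactl/sessions.toml"
    (umask 077 && printf '%s\n' "$2" > "$path") || return 1
    printf '%s\n' "$path"
}
```

After bootstrap, export the printed directory as XDG_CONFIG_HOME before running ahdapactl, exactly as the demo's interactive mode suggests.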

Interactive mode

With --interactive, the script re-bootstraps the session after the test steps complete and prints suggested commands for manual exploration. Set XDG_CONFIG_HOME as shown in the output to use ahdapactl from your shell.