diff --git a/.gitignore b/.gitignore index f18232dec..965960715 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,4 @@ altnames.cnf - .DS_Store .backup*_test.json .backup_test.db @@ -9,15 +8,13 @@ altnames.cnf test.db cargo_vendor_config /vendor -kanidm_rlm_python/test_data/certs/ -vendor.tar.gz -kanidm_rlm_python/test_data/ca.pem -loc.sh +rlm_python/test_data/certs/ +rlm_python/test_data/ca.pem +scripts/loc.sh vendor.tar.* *.patch -orca/example_profiles/small/orca-edited.toml +tools/orca/example_profiles/small/orca-edited.toml /docs/ -kanidm_unix_int/pam_tester/Cargo.lock .vscode/ # kanidm simple packaging diff --git a/Cargo.lock b/Cargo.lock index 849990cc0..39227851e 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1152,9 +1152,9 @@ version = "1.1.0-alpha.12-dev" dependencies = [ "clap", "clap_complete", + "kanidm_lib_file_permissions", "kanidm_proto", "kanidmd_core", - "kanidmd_lib", "profiles", "reqwest", "serde", @@ -2270,6 +2270,30 @@ dependencies = [ "webauthn-rs-proto", ] +[[package]] +name = "kanidm_lib_crypto" +version = "0.1.0" +dependencies = [ + "base64 0.13.1", + "base64urlsafedata", + "hex", + "kanidm_proto", + "openssl", + "openssl-sys", + "rand 0.8.5", + "serde", + "sketching", + "tracing", +] + +[[package]] +name = "kanidm_lib_file_permissions" +version = "0.1.0" +dependencies = [ + "users", + "whoami", +] + [[package]] name = "kanidm_proto" version = "1.1.0-alpha.12-dev" @@ -2325,9 +2349,10 @@ dependencies = [ "clap_complete", "futures", "kanidm_client", + "kanidm_lib_crypto", + "kanidm_lib_file_permissions", "kanidm_proto", "kanidmd_core", - "kanidmd_lib", "libc", "libsqlite3-sys", "lru 0.8.1", @@ -2398,8 +2423,8 @@ dependencies = [ "futures", "futures-util", "hashbrown", - "hex", "idlset", + "kanidm_lib_crypto", "kanidm_proto", "kanidmd_lib_macros", "lazy_static", diff --git a/Cargo.toml b/Cargo.toml index 54734a43e..8e648699d 100644 --- a/Cargo.toml +++ b/Cargo.toml 
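Review bot: The second .gitignore hunk drops `kanidm_unix_int/pam_tester/Cargo.lock` without adding a replacement under the new `unix_integration/` prefix, unlike the rlm_python, loc.sh and orca entries, which are re-pathed. The workspace members hunk in Cargo.toml lists `unix_integration`, `unix_integration/nss_kanidm` and `unix_integration/pam_kanidm` but no pam_tester, so if that crate still exists it is built standalone and produces its own lock file, which would now be picked up by git. If the intent is to keep it untracked the entry should become `unix_integration/pam_tester/Cargo.lock`; if pam_tester was removed in this restructure, the deletion is fine as is.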
@@ -4,23 +4,25 @@ lto = "thin" [workspace] members = [ - "iam_migrations/freeipa", - "kanidm_client", - "kanidm_proto", - "kanidm_tools", - "kanidm_unix_int", - "kanidm_unix_int/nss_kanidm", - "kanidm_unix_int/pam_kanidm", - "kanidmd_web_ui", - "kanidmd/daemon", - "kanidmd/lib", - "kanidmd/lib-macros", - "kanidmd/core", - "kanidmd/testkit", - "kanidmd/testkit-macros", - "orca", - "profiles", - "sketching" + "proto", + "tools/cli", + "tools/iam_migrations/freeipa", + "tools/orca", + "unix_integration", + "unix_integration/nss_kanidm", + "unix_integration/pam_kanidm", + "server/web_ui", + "server/daemon", + "server/lib", + "server/lib-macros", + "server/core", + "server/testkit", + "server/testkit-macros", + "libs/client", + "libs/crypto", + "libs/file_permissions", + "libs/profiles", + "libs/sketching" ] [workspace.package] @@ -69,14 +71,16 @@ http-types = "^2.12.0" idlset = "^0.2.4" # idlset = { path = "../idlset" } js-sys = "^0.3.58" -kanidmd_core = { path = "./kanidmd/core" } -kanidmd_idm = { path = "./kanidmd/idm" } -kanidmd_lib = { path = "./kanidmd/lib" } -kanidmd_lib_macros = { path = "./kanidmd/lib-macros" } -kanidmd_testkit = { path = "./kanidmd/testkit" } -kanidm_client = { path = "./kanidm_client", version = "1.1.0-alpha.11" } -kanidm_proto = { path = "./kanidm_proto", version = "1.1.0-alpha.11" } -kanidm_unix_int = { path = "./kanidm_unix_int" } +kanidmd_core = { path = "./server/core" } +kanidmd_idm = { path = "./server/idm" } +kanidmd_lib = { path = "./server/lib" } +kanidmd_lib_macros = { path = "./server/lib-macros" } +kanidm_lib_crypto = { path = "./libs/crypto" } +kanidm_lib_file_permissions = { path = "./libs/file_permissions" } +kanidmd_testkit = { path = "./server/testkit" } +kanidm_client = { path = "./libs/client", version = "1.1.0-alpha.11" } +kanidm_proto = { path = "./proto", version = "1.1.0-alpha.11" } +kanidm_unix_int = { path = "./unix_integration" } last-git-commit = "0.2.0" # REMOVE this lazy_static = "^1.4.0" 
@@ -100,7 +104,7 @@ openssl = "^0.10.45" paste = "^1.0.11" pkg-config = "^0.3.26" proc-macro2 = "1.0.51" -profiles = { path = "./profiles" } +profiles = { path = "./libs/profiles" } qrcode = "^0.12.0" quote = "1" r2d2 = "^0.8.9" @@ -120,12 +124,12 @@ serde_cbor = { version = "0.12.0-dev", package = "serde_cbor_2" } serde_json = "^1.0.93" serde-wasm-bindgen = "0.4" shellexpand = "^2.1.2" -sketching = { path = "./sketching" } +sketching = { path = "./libs/sketching" } smartstring = "^1.0.1" smolset = "^1.3.1" sshkeys = "^0.3.1" syn = { version = "1.0.109", features = ["full"] } -testkit-macros = { path = "./kanidmd/testkit-macros" } +testkit-macros = { path = "./server/testkit-macros" } tide = "^0.16.0" # Including brotli *very* slow, so don't do that. Including the "default" feature pulls a mime-type list from the internet on build, which isn't used. tide-compress = { version="0.10.6", default-features = false, features = [ "gzip", "regex-check" ] } diff --git a/DEVELOPER_README.md b/DEVELOPER_README.md deleted file mode 100644 index e69de29bb..000000000 diff --git a/README.md b/README.md index 51ed80e97..7c40aa143 100644 --- a/README.md +++ b/README.md @@ -52,7 +52,7 @@ See our [code of conduct] See our documentation on [rights and ethics] [code of conduct]: https://github.com/kanidm/kanidm/blob/master/CODE_OF_CONDUCT.md -[rights and ethics]: https://github.com/kanidm/kanidm/blob/master/ethics/README.md +[rights and ethics]: https://github.com/kanidm/kanidm/blob/master/project_docs/ethics/README.md ## Getting in Contact / Questions diff --git a/kanidm_book/.gitignore b/book/.gitignore similarity index 100% rename from kanidm_book/.gitignore rename to book/.gitignore diff --git a/kanidm_book/book.toml b/book/book.toml similarity index 100% rename from kanidm_book/book.toml rename to book/book.toml 
diff --git a/kanidm_book/src/DEVELOPER_README.md b/book/src/DEVELOPER_README.md similarity index 100% rename from kanidm_book/src/DEVELOPER_README.md rename to book/src/DEVELOPER_README.md diff --git a/kanidm_book/src/SUMMARY.md b/book/src/SUMMARY.md similarity index 98% rename from kanidm_book/src/SUMMARY.md rename to book/src/SUMMARY.md index 07cb27e30..7c3715ed5 100644 --- a/kanidm_book/src/SUMMARY.md +++ b/book/src/SUMMARY.md @@ -48,6 +48,7 @@ # For Developers - [Developer Guide](DEVELOPER_README.md) +- [FAQ](developers/faq.md) - [Design Documents]() - [Access Profiles 2022](developers/designs/access_profiles_rework_2022.md) - [Access Profiles Original](developers/designs/access_profiles_and_security.md) diff --git a/kanidm_book/src/accounts_and_groups.md b/book/src/accounts_and_groups.md similarity index 100% rename from kanidm_book/src/accounts_and_groups.md rename to book/src/accounts_and_groups.md diff --git a/kanidm_book/src/administrivia.md b/book/src/administrivia.md similarity index 100% rename from kanidm_book/src/administrivia.md rename to book/src/administrivia.md diff --git a/kanidm_book/src/backup_restore.md b/book/src/backup_restore.md similarity index 100% rename from kanidm_book/src/backup_restore.md rename to book/src/backup_restore.md diff --git a/kanidm_book/src/choosing_a_domain_name.md b/book/src/choosing_a_domain_name.md similarity index 100% rename from kanidm_book/src/choosing_a_domain_name.md rename to book/src/choosing_a_domain_name.md diff --git a/kanidm_book/src/client_tools.md b/book/src/client_tools.md similarity index 100% rename from kanidm_book/src/client_tools.md rename to book/src/client_tools.md diff --git a/kanidm_book/src/database_maint.md b/book/src/database_maint.md similarity index 100% rename from kanidm_book/src/database_maint.md rename to book/src/database_maint.md 
diff --git a/kanidm_book/src/developers/designs.md b/book/src/developers/designs.md similarity index 100% rename from kanidm_book/src/developers/designs.md rename to book/src/developers/designs.md diff --git a/kanidm_book/src/developers/designs/access_profiles_and_security.md b/book/src/developers/designs/access_profiles_and_security.md similarity index 100% rename from kanidm_book/src/developers/designs/access_profiles_and_security.md rename to book/src/developers/designs/access_profiles_and_security.md diff --git a/kanidm_book/src/developers/designs/access_profiles_rework_2022.md b/book/src/developers/designs/access_profiles_rework_2022.md similarity index 100% rename from kanidm_book/src/developers/designs/access_profiles_rework_2022.md rename to book/src/developers/designs/access_profiles_rework_2022.md diff --git a/designs/account_policy.rst b/book/src/developers/designs/account_policy.rst similarity index 100% rename from designs/account_policy.rst rename to book/src/developers/designs/account_policy.rst diff --git a/designs/architecture.md b/book/src/developers/designs/architecture.md similarity index 100% rename from designs/architecture.md rename to book/src/developers/designs/architecture.md diff --git a/designs/auth.rst b/book/src/developers/designs/auth.rst similarity index 100% rename from designs/auth.rst rename to book/src/developers/designs/auth.rst diff --git a/designs/auth_proto_rewrite_late_2020.rst b/book/src/developers/designs/auth_proto_rewrite_late_2020.rst similarity index 100% rename from designs/auth_proto_rewrite_late_2020.rst rename to book/src/developers/designs/auth_proto_rewrite_late_2020.rst diff --git a/designs/credential-display.rst b/book/src/developers/designs/credential-display.rst similarity index 100% rename from designs/credential-display.rst rename to book/src/developers/designs/credential-display.rst 
diff --git a/designs/credential-update.rst b/book/src/developers/designs/credential-update.rst similarity index 100% rename from designs/credential-update.rst rename to book/src/developers/designs/credential-update.rst diff --git a/designs/default_idm_layout.rst b/book/src/developers/designs/default_idm_layout.rst similarity index 100% rename from designs/default_idm_layout.rst rename to book/src/developers/designs/default_idm_layout.rst diff --git a/kanidm_book/src/developers/designs/designs.md b/book/src/developers/designs/designs.md similarity index 100% rename from kanidm_book/src/developers/designs/designs.md rename to book/src/developers/designs/designs.md diff --git a/designs/device-authentication.rst b/book/src/developers/designs/device-authentication.rst similarity index 100% rename from designs/device-authentication.rst rename to book/src/developers/designs/device-authentication.rst diff --git a/designs/diagrams/combined-flow.graffle b/book/src/developers/designs/diagrams/combined-flow.graffle similarity index 100% rename from designs/diagrams/combined-flow.graffle rename to book/src/developers/designs/diagrams/combined-flow.graffle diff --git a/designs/diagrams/object-lifecycle-states.graffle b/book/src/developers/designs/diagrams/object-lifecycle-states.graffle similarity index 100% rename from designs/diagrams/object-lifecycle-states.graffle rename to book/src/developers/designs/diagrams/object-lifecycle-states.graffle diff --git a/designs/diagrams/object-lifecycle-states.png b/book/src/developers/designs/diagrams/object-lifecycle-states.png similarity index 100% rename from designs/diagrams/object-lifecycle-states.png rename to book/src/developers/designs/diagrams/object-lifecycle-states.png diff --git a/designs/diagrams/search-flow.graffle b/book/src/developers/designs/diagrams/search-flow.graffle similarity index 100% rename from designs/diagrams/search-flow.graffle rename to book/src/developers/designs/diagrams/search-flow.graffle 
diff --git a/designs/diagrams/search-flow.png b/book/src/developers/designs/diagrams/search-flow.png similarity index 100% rename from designs/diagrams/search-flow.png rename to book/src/developers/designs/diagrams/search-flow.png diff --git a/designs/diagrams/write-flow.graffle b/book/src/developers/designs/diagrams/write-flow.graffle similarity index 100% rename from designs/diagrams/write-flow.graffle rename to book/src/developers/designs/diagrams/write-flow.graffle diff --git a/designs/diagrams/write-flow.png b/book/src/developers/designs/diagrams/write-flow.png similarity index 100% rename from designs/diagrams/write-flow.png rename to book/src/developers/designs/diagrams/write-flow.png diff --git a/designs/domain_display_name.md b/book/src/developers/designs/domain_display_name.md similarity index 100% rename from designs/domain_display_name.md rename to book/src/developers/designs/domain_display_name.md diff --git a/designs/downgrade.rst b/book/src/developers/designs/downgrade.rst similarity index 100% rename from designs/downgrade.rst rename to book/src/developers/designs/downgrade.rst diff --git a/kanidm_book/src/developers/designs/elevated_priv_mode.md b/book/src/developers/designs/elevated_priv_mode.md similarity index 100% rename from kanidm_book/src/developers/designs/elevated_priv_mode.md rename to book/src/developers/designs/elevated_priv_mode.md diff --git a/designs/idm_rest_layout.rst b/book/src/developers/designs/idm_rest_layout.rst similarity index 100% rename from designs/idm_rest_layout.rst rename to book/src/developers/designs/idm_rest_layout.rst diff --git a/designs/indexing.md b/book/src/developers/designs/indexing.md similarity index 100% rename from designs/indexing.md rename to book/src/developers/designs/indexing.md diff --git a/designs/kanidm-trust.rst b/book/src/developers/designs/kanidm-trust.rst similarity index 100% rename from designs/kanidm-trust.rst rename to book/src/developers/designs/kanidm-trust.rst 
diff --git a/designs/ldap_gateway.rst b/book/src/developers/designs/ldap_gateway.rst similarity index 100% rename from designs/ldap_gateway.rst rename to book/src/developers/designs/ldap_gateway.rst diff --git a/designs/logging.rst b/book/src/developers/designs/logging.rst similarity index 100% rename from designs/logging.rst rename to book/src/developers/designs/logging.rst diff --git a/designs/memberof.rst b/book/src/developers/designs/memberof.rst similarity index 100% rename from designs/memberof.rst rename to book/src/developers/designs/memberof.rst diff --git a/designs/mfa-device-enrollment-process.rst b/book/src/developers/designs/mfa-device-enrollment-process.rst similarity index 100% rename from designs/mfa-device-enrollment-process.rst rename to book/src/developers/designs/mfa-device-enrollment-process.rst diff --git a/designs/mfa_backup_code.rst b/book/src/developers/designs/mfa_backup_code.rst similarity index 100% rename from designs/mfa_backup_code.rst rename to book/src/developers/designs/mfa_backup_code.rst diff --git a/designs/migration.rst b/book/src/developers/designs/migration.rst similarity index 100% rename from designs/migration.rst rename to book/src/developers/designs/migration.rst diff --git a/designs/oauth.rst b/book/src/developers/designs/oauth.rst similarity index 100% rename from designs/oauth.rst rename to book/src/developers/designs/oauth.rst diff --git a/kanidm_book/src/developers/designs/oauth2_app_listing.md b/book/src/developers/designs/oauth2_app_listing.md similarity index 100% rename from kanidm_book/src/developers/designs/oauth2_app_listing.md rename to book/src/developers/designs/oauth2_app_listing.md diff --git a/designs/password-import.rst b/book/src/developers/designs/password-import.rst similarity index 100% rename from designs/password-import.rst rename to book/src/developers/designs/password-import.rst 
diff --git a/designs/radius.rst b/book/src/developers/designs/radius.rst similarity index 100% rename from designs/radius.rst rename to book/src/developers/designs/radius.rst diff --git a/designs/recycle_bin.rst b/book/src/developers/designs/recycle_bin.rst similarity index 100% rename from designs/recycle_bin.rst rename to book/src/developers/designs/recycle_bin.rst diff --git a/designs/repl_future_considerations.rst b/book/src/developers/designs/repl_future_considerations.rst similarity index 100% rename from designs/repl_future_considerations.rst rename to book/src/developers/designs/repl_future_considerations.rst diff --git a/designs/replication.rst b/book/src/developers/designs/replication.rst similarity index 100% rename from designs/replication.rst rename to book/src/developers/designs/replication.rst diff --git a/designs/resource_limits.rst b/book/src/developers/designs/resource_limits.rst similarity index 100% rename from designs/resource_limits.rst rename to book/src/developers/designs/resource_limits.rst diff --git a/kanidm_book/src/developers/designs/rest_interface.md b/book/src/developers/designs/rest_interface.md similarity index 100% rename from kanidm_book/src/developers/designs/rest_interface.md rename to book/src/developers/designs/rest_interface.md diff --git a/designs/schema_reference_types.rst b/book/src/developers/designs/schema_reference_types.rst similarity index 100% rename from designs/schema_reference_types.rst rename to book/src/developers/designs/schema_reference_types.rst diff --git a/kanidm_book/src/developers/designs/scim_migration_planning.md b/book/src/developers/designs/scim_migration_planning.md similarity index 100% rename from kanidm_book/src/developers/designs/scim_migration_planning.md rename to book/src/developers/designs/scim_migration_planning.md 
diff --git a/designs/session_logout.rst b/book/src/developers/designs/session_logout.rst similarity index 100% rename from designs/session_logout.rst rename to book/src/developers/designs/session_logout.rst diff --git a/designs/sudo.rst b/book/src/developers/designs/sudo.rst similarity index 100% rename from designs/sudo.rst rename to book/src/developers/designs/sudo.rst diff --git a/designs/system_protected_objects.rst b/book/src/developers/designs/system_protected_objects.rst similarity index 100% rename from designs/system_protected_objects.rst rename to book/src/developers/designs/system_protected_objects.rst diff --git a/designs/uid_gid_generation.rst b/book/src/developers/designs/uid_gid_generation.rst similarity index 100% rename from designs/uid_gid_generation.rst rename to book/src/developers/designs/uid_gid_generation.rst diff --git a/designs/unixd_homes_task.rst b/book/src/developers/designs/unixd_homes_task.rst similarity index 100% rename from designs/unixd_homes_task.rst rename to book/src/developers/designs/unixd_homes_task.rst diff --git a/FAQ.md b/book/src/developers/faq.md similarity index 100% rename from FAQ.md rename to book/src/developers/faq.md diff --git a/kanidm_book/src/developers/python.md b/book/src/developers/python.md similarity index 100% rename from kanidm_book/src/developers/python.md rename to book/src/developers/python.md diff --git a/kanidm_book/src/developers/radius.md b/book/src/developers/radius.md similarity index 100% rename from kanidm_book/src/developers/radius.md rename to book/src/developers/radius.md diff --git a/kanidm_book/src/domain_rename.md b/book/src/domain_rename.md similarity index 100% rename from kanidm_book/src/domain_rename.md rename to book/src/domain_rename.md diff --git a/kanidm_book/src/examples/k8s_ingress_example.md b/book/src/examples/k8s_ingress_example.md similarity index 100% rename from kanidm_book/src/examples/k8s_ingress_example.md rename to book/src/examples/k8s_ingress_example.md 
diff --git a/kanidm_book/src/frequently_asked_questions.md b/book/src/frequently_asked_questions.md similarity index 100% rename from kanidm_book/src/frequently_asked_questions.md rename to book/src/frequently_asked_questions.md diff --git a/kanidm_book/src/glossary.md b/book/src/glossary.md similarity index 100% rename from kanidm_book/src/glossary.md rename to book/src/glossary.md diff --git a/kanidm_book/src/images/kani-alert.png b/book/src/images/kani-alert.png similarity index 100% rename from kanidm_book/src/images/kani-alert.png rename to book/src/images/kani-alert.png diff --git a/kanidm_book/src/images/kani-warning.png b/book/src/images/kani-warning.png similarity index 100% rename from kanidm_book/src/images/kani-warning.png rename to book/src/images/kani-warning.png diff --git a/kanidm_book/src/installing_client_tools.md b/book/src/installing_client_tools.md similarity index 100% rename from kanidm_book/src/installing_client_tools.md rename to book/src/installing_client_tools.md diff --git a/kanidm_book/src/installing_the_server.md b/book/src/installing_the_server.md similarity index 100% rename from kanidm_book/src/installing_the_server.md rename to book/src/installing_the_server.md diff --git a/kanidm_book/src/integrations/ldap.md b/book/src/integrations/ldap.md similarity index 100% rename from kanidm_book/src/integrations/ldap.md rename to book/src/integrations/ldap.md diff --git a/kanidm_book/src/integrations/oauth2.md b/book/src/integrations/oauth2.md similarity index 100% rename from kanidm_book/src/integrations/oauth2.md rename to book/src/integrations/oauth2.md diff --git a/kanidm_book/src/integrations/pam_and_nsswitch.md b/book/src/integrations/pam_and_nsswitch.md similarity index 100% rename from kanidm_book/src/integrations/pam_and_nsswitch.md rename to book/src/integrations/pam_and_nsswitch.md 
diff --git a/kanidm_book/src/integrations/radius.md b/book/src/integrations/radius.md similarity index 100% rename from kanidm_book/src/integrations/radius.md rename to book/src/integrations/radius.md diff --git a/kanidm_book/src/integrations/traefik.md b/book/src/integrations/traefik.md similarity index 100% rename from kanidm_book/src/integrations/traefik.md rename to book/src/integrations/traefik.md diff --git a/kanidm_book/src/intro.md b/book/src/intro.md similarity index 100% rename from kanidm_book/src/intro.md rename to book/src/intro.md diff --git a/kanidm_book/src/monitoring.md b/book/src/monitoring.md similarity index 100% rename from kanidm_book/src/monitoring.md rename to book/src/monitoring.md diff --git a/kanidm_book/src/packaging.md b/book/src/packaging.md similarity index 100% rename from kanidm_book/src/packaging.md rename to book/src/packaging.md diff --git a/kanidm_book/src/packaging_debs.md b/book/src/packaging_debs.md similarity index 100% rename from kanidm_book/src/packaging_debs.md rename to book/src/packaging_debs.md diff --git a/kanidm_book/src/password_quality.md b/book/src/password_quality.md similarity index 100% rename from kanidm_book/src/password_quality.md rename to book/src/password_quality.md diff --git a/kanidm_book/src/posix_accounts.md b/book/src/posix_accounts.md similarity index 100% rename from kanidm_book/src/posix_accounts.md rename to book/src/posix_accounts.md diff --git a/kanidm_book/src/prepare_the_server.md b/book/src/prepare_the_server.md similarity index 100% rename from kanidm_book/src/prepare_the_server.md rename to book/src/prepare_the_server.md diff --git a/kanidm_book/src/recycle_bin.md b/book/src/recycle_bin.md similarity index 100% rename from kanidm_book/src/recycle_bin.md rename to book/src/recycle_bin.md diff --git a/kanidm_book/src/security_hardening.md b/book/src/security_hardening.md similarity index 100% rename from kanidm_book/src/security_hardening.md rename to book/src/security_hardening.md 
diff --git a/kanidm_book/src/server_configuration.md b/book/src/server_configuration.md similarity index 100% rename from kanidm_book/src/server_configuration.md rename to book/src/server_configuration.md diff --git a/kanidm_book/src/server_update.md b/book/src/server_update.md similarity index 100% rename from kanidm_book/src/server_update.md rename to book/src/server_update.md diff --git a/kanidm_book/src/ssh_key_dist.md b/book/src/ssh_key_dist.md similarity index 100% rename from kanidm_book/src/ssh_key_dist.md rename to book/src/ssh_key_dist.md diff --git a/kanidm_book/src/sync/concepts.md b/book/src/sync/concepts.md similarity index 100% rename from kanidm_book/src/sync/concepts.md rename to book/src/sync/concepts.md diff --git a/kanidm_book/src/sync/freeipa.md b/book/src/sync/freeipa.md similarity index 100% rename from kanidm_book/src/sync/freeipa.md rename to book/src/sync/freeipa.md diff --git a/kanidm_book/src/templates/kani-alert.md b/book/src/templates/kani-alert.md similarity index 100% rename from kanidm_book/src/templates/kani-alert.md rename to book/src/templates/kani-alert.md diff --git a/kanidm_book/src/templates/kani-warning.md b/book/src/templates/kani-warning.md similarity index 100% rename from kanidm_book/src/templates/kani-warning.md rename to book/src/templates/kani-warning.md diff --git a/kanidm_book/src/troubleshooting.md b/book/src/troubleshooting.md similarity index 100% rename from kanidm_book/src/troubleshooting.md rename to book/src/troubleshooting.md diff --git a/kanidm_book/src/troubleshooting/curl_connection_test.txt b/book/src/troubleshooting/curl_connection_test.txt similarity index 100% rename from kanidm_book/src/troubleshooting/curl_connection_test.txt rename to book/src/troubleshooting/curl_connection_test.txt diff --git a/kanidm_book/theme/favicon.png b/book/theme/favicon.png similarity index 100% rename from kanidm_book/theme/favicon.png rename to book/theme/favicon.png 
diff --git a/kanidmd/lib/src/credential/policy.rs b/kanidmd/lib/src/credential/policy.rs
deleted file mode 100644
index e859f43e5..000000000
--- a/kanidmd/lib/src/credential/policy.rs
+++ /dev/null
@@ -1,46 +0,0 @@
-use std::time::Duration;
-
-use super::{Password, PBKDF2_MIN_NIST_COST};
-
-#[derive(Debug)]
-pub struct CryptoPolicy {
- pub(crate) pbkdf2_cost: usize,
-}
-
-impl CryptoPolicy {
- #[cfg(test)]
- pub(crate) fn minimum() -> Self {
- CryptoPolicy {
- pbkdf2_cost: PBKDF2_MIN_NIST_COST,
- }
- }
-
- pub fn time_target(t: Duration) -> Self {
- let r = match Password::bench_pbkdf2(PBKDF2_MIN_NIST_COST * 10) {
- Some(bt) => {
- let ubt = bt.as_nanos() as usize;
-
- // Get the cost per thousand rounds
- let per_thou = (PBKDF2_MIN_NIST_COST * 10) / 1000;
- let t_per_thou = ubt / per_thou;
- // eprintln!("{} / {}", ubt, per_thou);
-
- // Now we need the attacker work in nanos
- let attack_time = t.as_nanos() as usize;
- let r = (attack_time / t_per_thou) * 1000;
-
- // eprintln!("({} / {} ) * 1000", attack_time, t_per_thou);
- // eprintln!("Maybe rounds -> {}", r);
-
- if r < PBKDF2_MIN_NIST_COST {
- PBKDF2_MIN_NIST_COST
- } else {
- r
- }
- }
- None => PBKDF2_MIN_NIST_COST,
- };
-
- CryptoPolicy { pbkdf2_cost: r }
- }
-}
diff --git a/kanidm_client/Cargo.toml b/libs/client/Cargo.toml
similarity index 100%
rename from kanidm_client/Cargo.toml
rename to libs/client/Cargo.toml
diff --git a/kanidm_client/src/lib.rs b/libs/client/src/lib.rs
similarity index 100%
rename from kanidm_client/src/lib.rs
rename to libs/client/src/lib.rs
diff --git a/kanidm_client/src/person.rs b/libs/client/src/person.rs
similarity index 100%
rename from kanidm_client/src/person.rs
rename to libs/client/src/person.rs
diff --git a/kanidm_client/src/scim.rs b/libs/client/src/scim.rs
similarity index 100%
rename from kanidm_client/src/scim.rs
rename to libs/client/src/scim.rs
diff --git a/kanidm_client/src/service_account.rs b/libs/client/src/service_account.rs
similarity index 100%
rename from kanidm_client/src/service_account.rs
rename to libs/client/src/service_account.rs
diff --git a/kanidm_client/src/sync_account.rs b/libs/client/src/sync_account.rs
similarity index 100%
rename from kanidm_client/src/sync_account.rs
rename to libs/client/src/sync_account.rs
diff --git a/kanidm_client/src/system.rs b/libs/client/src/system.rs
similarity index 100%
rename from kanidm_client/src/system.rs
rename to libs/client/src/system.rs
diff --git a/libs/crypto/Cargo.toml b/libs/crypto/Cargo.toml
new file mode 100644
index 000000000..af2ca7907
--- /dev/null
+++ b/libs/crypto/Cargo.toml
@@ -0,0 +1,21 @@
+[package]
+name = "kanidm_lib_crypto"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
+base64.workspace = true
+base64urlsafedata.workspace = true
+hex.workspace = true
+kanidm_proto.workspace = true
+
+# We need to explicitly ask for openssl-sys so that we get the version propagated
+# into the build.rs for legacy feature checks.
+openssl-sys.workspace = true
+openssl.workspace = true
+rand.workspace = true
+serde = { workspace = true, features = ["derive"] }
+tracing.workspace = true
+
+[dev-dependencies]
+sketching.workspace = true
diff --git a/libs/crypto/src/lib.rs b/libs/crypto/src/lib.rs
new file mode 100644
index 000000000..682356998
--- /dev/null
+++ b/libs/crypto/src/lib.rs
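Review bot: The new libs/crypto/Cargo.toml pins `version = "0.1.0"` and `edition = "2021"` by hand while every other kanidm crate in the Cargo.lock hunk is at 1.1.0-alpha.12-dev and the root Cargo.toml carries a `[workspace.package]` table; since the manifest already uses workspace inheritance for its dependencies, `version.workspace = true` and `edition.workspace = true` would keep the crypto library versioned together with the server it was split out of, assuming those keys are declared in `[workspace.package]`. The comment above `openssl-sys.workspace = true` refers to a build.rs doing legacy feature checks, but no `libs/crypto/build.rs` appears in the hunks visible here; if this crate has no build script, the comment and possibly the explicit openssl-sys dependency were carried over from kanidmd_lib and should be re-checked. The lock file shows `kanidm_lib_file_permissions` at 0.1.0 as well, so the same versioning question likely applies to that manifest.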
@@ -0,0 +1,706 @@ +use tracing::{debug, error, warn}; + +use base64urlsafedata::Base64UrlSafeData; +use rand::Rng; +use serde::{Deserialize, Serialize}; +use std::fmt; +use std::time::{Duration, Instant}; + +use kanidm_proto::v1::OperationError; +use openssl::hash::{self, MessageDigest}; +use openssl::nid::Nid; +use openssl::pkcs5::pbkdf2_hmac; +use openssl::sha::Sha512; + +// NIST 800-63.b salt should be 112 bits -> 14 8u8. +// I choose tinfoil hat though ... +const PBKDF2_SALT_LEN: usize = 24; + +const PBKDF2_MIN_NIST_SALT_LEN: usize = 14; + +// Min number of rounds for a pbkdf2 +pub const PBKDF2_MIN_NIST_COST: usize = 10000; + +// 64 * u8 -> 512 bits of out. +const PBKDF2_KEY_LEN: usize = 64; +const PBKDF2_MIN_NIST_KEY_LEN: usize = 32; +const PBKDF2_SHA1_MIN_KEY_LEN: usize = 19; + +const DS_SSHA512_SALT_LEN: usize = 8; +const DS_SSHA512_HASH_LEN: usize = 64; + +#[derive(Serialize, Deserialize)] +#[allow(non_camel_case_types)] +pub enum DbPasswordV1 { + PBKDF2(usize, Vec, Vec), + PBKDF2_SHA1(usize, Vec, Vec), + PBKDF2_SHA512(usize, Vec, Vec), + SSHA512(Vec, Vec), + NT_MD4(Vec), +} + +#[derive(Serialize, Deserialize, Debug, PartialEq, Eq)] +#[allow(non_camel_case_types)] +pub enum ReplPasswordV1 { + PBKDF2 { + cost: usize, + salt: Base64UrlSafeData, + hash: Base64UrlSafeData, + }, + PBKDF2_SHA1 { + cost: usize, + salt: Base64UrlSafeData, + hash: Base64UrlSafeData, + }, + PBKDF2_SHA512 { + cost: usize, + salt: Base64UrlSafeData, + hash: Base64UrlSafeData, + }, + SSHA512 { + salt: Base64UrlSafeData, + hash: Base64UrlSafeData, + }, + NT_MD4 { + hash: Base64UrlSafeData, + }, +} + +impl fmt::Debug for DbPasswordV1 { + fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { + match self { + DbPasswordV1::PBKDF2(_, _, _) => write!(f, "PBKDF2"), + DbPasswordV1::PBKDF2_SHA1(_, _, _) => write!(f, "PBKDF2_SHA1"), + DbPasswordV1::PBKDF2_SHA512(_, _, _) => write!(f, "PBKDF2_SHA512"), + DbPasswordV1::SSHA512(_, _) => write!(f, "SSHA512"), + DbPasswordV1::NT_MD4(_) => write!(f, 
"NT_MD4"), + } + } +} + +#[derive(Debug)] +pub struct CryptoPolicy { + pub(crate) pbkdf2_cost: usize, +} + +impl CryptoPolicy { + pub fn minimum() -> Self { + CryptoPolicy { + pbkdf2_cost: PBKDF2_MIN_NIST_COST, + } + } + + pub fn time_target(t: Duration) -> Self { + let r = match Password::bench_pbkdf2(PBKDF2_MIN_NIST_COST * 10) { + Some(bt) => { + let ubt = bt.as_nanos() as usize; + + // Get the cost per thousand rounds + let per_thou = (PBKDF2_MIN_NIST_COST * 10) / 1000; + let t_per_thou = ubt / per_thou; + // eprintln!("{} / {}", ubt, per_thou); + + // Now we need the attacker work in nanos + let attack_time = t.as_nanos() as usize; + let r = (attack_time / t_per_thou) * 1000; + + // eprintln!("({} / {} ) * 1000", attack_time, t_per_thou); + // eprintln!("Maybe rounds -> {}", r); + + if r < PBKDF2_MIN_NIST_COST { + PBKDF2_MIN_NIST_COST + } else { + r + } + } + None => PBKDF2_MIN_NIST_COST, + }; + + CryptoPolicy { pbkdf2_cost: r } + } +} + +// Why PBKDF2? Rust's bcrypt has a number of hardcodings like max pw len of 72 +// I don't really feel like adding in so many restrictions, so I'll use +// pbkdf2 in openssl because it doesn't have the same limits. +#[derive(Clone, Debug, PartialEq)] +#[allow(non_camel_case_types)] +enum Kdf { + // cost, salt, hash + PBKDF2(usize, Vec, Vec), + + // Imported types, will upgrade to the above. 
+ // cost, salt, hash + PBKDF2_SHA1(usize, Vec, Vec), + // cost, salt, hash + PBKDF2_SHA512(usize, Vec, Vec), + // salt hash + SSHA512(Vec, Vec), + // hash + NT_MD4(Vec), +} + +#[derive(Clone, Debug, PartialEq)] +pub struct Password { + material: Kdf, +} + +impl TryFrom for Password { + type Error = (); + + fn try_from(value: DbPasswordV1) -> Result { + match value { + DbPasswordV1::PBKDF2(c, s, h) => Ok(Password { + material: Kdf::PBKDF2(c, s, h), + }), + DbPasswordV1::PBKDF2_SHA1(c, s, h) => Ok(Password { + material: Kdf::PBKDF2_SHA1(c, s, h), + }), + DbPasswordV1::PBKDF2_SHA512(c, s, h) => Ok(Password { + material: Kdf::PBKDF2_SHA512(c, s, h), + }), + DbPasswordV1::SSHA512(s, h) => Ok(Password { + material: Kdf::SSHA512(s, h), + }), + DbPasswordV1::NT_MD4(h) => Ok(Password { + material: Kdf::NT_MD4(h), + }), + } + } +} + +impl TryFrom<&ReplPasswordV1> for Password { + type Error = (); + + fn try_from(value: &ReplPasswordV1) -> Result { + match value { + ReplPasswordV1::PBKDF2 { cost, salt, hash } => Ok(Password { + material: Kdf::PBKDF2(*cost, salt.0.clone(), hash.0.clone()), + }), + ReplPasswordV1::PBKDF2_SHA1 { cost, salt, hash } => Ok(Password { + material: Kdf::PBKDF2_SHA1(*cost, salt.0.clone(), hash.0.clone()), + }), + ReplPasswordV1::PBKDF2_SHA512 { cost, salt, hash } => Ok(Password { + material: Kdf::PBKDF2_SHA512(*cost, salt.0.clone(), hash.0.clone()), + }), + ReplPasswordV1::SSHA512 { salt, hash } => Ok(Password { + material: Kdf::SSHA512(salt.0.clone(), hash.0.clone()), + }), + ReplPasswordV1::NT_MD4 { hash } => Ok(Password { + material: Kdf::NT_MD4(hash.0.clone()), + }), + } + } +} + +// OpenLDAP based their PBKDF2 implementation on passlib from python, that uses a +// non-standard base64 altchar set and padding that is not supported by +// anything else in the world. To manage this, we only ever encode to base64 with +// no pad but we have to remap ab64 to b64. 
This function allows b64 standard with +// padding to pass, and remaps ab64 to b64 standard with padding. +macro_rules! ab64_to_b64 { + ($ab64:expr) => {{ + let mut s = $ab64.replace(".", "+"); + match s.len() & 3 { + 0 => { + // Do nothing + } + 1 => { + // One is invalid, do nothing, we'll error in base64 + } + 2 => s.push_str("=="), + 3 => s.push_str("="), + _ => unreachable!(), + } + s + }}; +} + +impl TryFrom<&str> for Password { + type Error = (); + + // As we may add more algos, we keep the match algo single for later. + #[allow(clippy::single_match)] + fn try_from(value: &str) -> Result { + // There is probably a more efficient way to try this given different types? + + // test django - algo$salt$hash + let django_pbkdf: Vec<&str> = value.split('$').collect(); + if django_pbkdf.len() == 4 { + let algo = django_pbkdf[0]; + let cost = django_pbkdf[1]; + let salt = django_pbkdf[2]; + let hash = django_pbkdf[3]; + match algo { + "pbkdf2_sha256" => { + let c = cost.parse::().map_err(|_| ())?; + let s: Vec<_> = salt.as_bytes().to_vec(); + let h = base64::decode(hash).map_err(|_| ())?; + if h.len() < PBKDF2_MIN_NIST_KEY_LEN { + return Err(()); + } + return Ok(Password { + material: Kdf::PBKDF2(c, s, h), + }); + } + _ => {} + } + } + + if value.starts_with("ipaNTHash: ") { + let nt_md4 = match value.split_once(' ') { + Some((_, v)) => v, + None => { + unreachable!(); + } + }; + + let h = base64::decode_config(nt_md4, base64::STANDARD_NO_PAD).map_err(|_| ())?; + return Ok(Password { + material: Kdf::NT_MD4(h), + }); + } + + if value.starts_with("sambaNTPassword: ") { + let nt_md4 = match value.split_once(' ') { + Some((_, v)) => v, + None => { + unreachable!(); + } + }; + + let h = hex::decode(nt_md4).map_err(|_| ())?; + return Ok(Password { + material: Kdf::NT_MD4(h), + }); + } + + // Test 389ds formats + if let Some(ds_ssha512) = value.strip_prefix("{SSHA512}") { + let sh = base64::decode(ds_ssha512).map_err(|_| ())?; + let (h, s) = 
sh.split_at(DS_SSHA512_HASH_LEN); + if s.len() != DS_SSHA512_SALT_LEN { + return Err(()); + } + return Ok(Password { + material: Kdf::SSHA512(s.to_vec(), h.to_vec()), + }); + } + + // Test for OpenLDAP formats + if value.starts_with("{PBKDF2}") + || value.starts_with("{PBKDF2-SHA1}") + || value.starts_with("{PBKDF2-SHA256}") + || value.starts_with("{PBKDF2-SHA512}") + { + let ol_pbkdf2 = match value.split_once('}') { + Some((_, v)) => v, + None => { + unreachable!(); + } + }; + + let ol_pbkdf: Vec<&str> = ol_pbkdf2.split('$').collect(); + if ol_pbkdf.len() == 3 { + let cost = ol_pbkdf[0]; + let salt = ol_pbkdf[1]; + let hash = ol_pbkdf[2]; + + let c = cost.parse::().map_err(|_| ())?; + + let s = ab64_to_b64!(salt); + let s = base64::decode_config(s, base64::STANDARD.decode_allow_trailing_bits(true)) + .map_err(|e| { + error!(?e, "Invalid base64 in oldap pbkdf2-sha1"); + })?; + + let h = ab64_to_b64!(hash); + let h = base64::decode_config(h, base64::STANDARD.decode_allow_trailing_bits(true)) + .map_err(|e| { + error!(?e, "Invalid base64 in oldap pbkdf2-sha1"); + })?; + + // This is just sha1 in a trenchcoat. + if value.strip_prefix("{PBKDF2}").is_some() + || value.strip_prefix("{PBKDF2-SHA1}").is_some() + { + if h.len() < PBKDF2_SHA1_MIN_KEY_LEN { + return Err(()); + } + return Ok(Password { + material: Kdf::PBKDF2_SHA1(c, s, h), + }); + } + + if value.strip_prefix("{PBKDF2-SHA256}").is_some() { + if h.len() < PBKDF2_MIN_NIST_KEY_LEN { + return Err(()); + } + return Ok(Password { + material: Kdf::PBKDF2(c, s, h), + }); + } + + if value.strip_prefix("{PBKDF2-SHA512}").is_some() { + if h.len() < PBKDF2_MIN_NIST_KEY_LEN { + return Err(()); + } + return Ok(Password { + material: Kdf::PBKDF2_SHA512(c, s, h), + }); + } + + // Should be no way to get here! + unreachable!(); + } else { + warn!("oldap pbkdf2 found but invalid number of elements?"); + } + } + + // Nothing matched to this point. 
+ Err(()) + } +} + +impl Password { + fn bench_pbkdf2(pbkdf2_cost: usize) -> Option { + let mut rng = rand::thread_rng(); + let salt: Vec = (0..PBKDF2_SALT_LEN).map(|_| rng.gen()).collect(); + let input: Vec = (0..PBKDF2_SALT_LEN).map(|_| rng.gen()).collect(); + // This is 512 bits of output + let mut key: Vec = (0..PBKDF2_KEY_LEN).map(|_| 0).collect(); + + let start = Instant::now(); + pbkdf2_hmac( + input.as_slice(), + salt.as_slice(), + pbkdf2_cost, + MessageDigest::sha256(), + key.as_mut_slice(), + ) + .ok()?; + let end = Instant::now(); + + end.checked_duration_since(start) + } + + fn new_pbkdf2(pbkdf2_cost: usize, cleartext: &str) -> Result { + let mut rng = rand::thread_rng(); + let salt: Vec = (0..PBKDF2_SALT_LEN).map(|_| rng.gen()).collect(); + // This is 512 bits of output + let mut key: Vec = (0..PBKDF2_KEY_LEN).map(|_| 0).collect(); + + pbkdf2_hmac( + cleartext.as_bytes(), + salt.as_slice(), + pbkdf2_cost, + MessageDigest::sha256(), + key.as_mut_slice(), + ) + .map(|()| { + // Turn key to a vec. + Kdf::PBKDF2(pbkdf2_cost, salt, key) + }) + .map_err(|_| OperationError::CryptographyError) + } + + pub fn new(policy: &CryptoPolicy, cleartext: &str) -> Result { + Self::new_pbkdf2(policy.pbkdf2_cost, cleartext).map(|material| Password { material }) + } + + pub fn verify(&self, cleartext: &str) -> Result { + match &self.material { + Kdf::PBKDF2(cost, salt, key) => { + // We have to get the number of bits to derive from our stored hash + // as some imported hash types may have variable lengths + let key_len = key.len(); + debug_assert!(key_len >= PBKDF2_MIN_NIST_KEY_LEN); + let mut chal_key: Vec = (0..key_len).map(|_| 0).collect(); + pbkdf2_hmac( + cleartext.as_bytes(), + salt.as_slice(), + *cost, + MessageDigest::sha256(), + chal_key.as_mut_slice(), + ) + .map_err(|_| OperationError::CryptographyError) + .map(|()| { + // Actually compare the outputs. 
+ &chal_key == key + }) + } + Kdf::PBKDF2_SHA1(cost, salt, key) => { + let key_len = key.len(); + debug_assert!(key_len >= PBKDF2_SHA1_MIN_KEY_LEN); + let mut chal_key: Vec = (0..key_len).map(|_| 0).collect(); + pbkdf2_hmac( + cleartext.as_bytes(), + salt.as_slice(), + *cost, + MessageDigest::sha1(), + chal_key.as_mut_slice(), + ) + .map_err(|_| OperationError::CryptographyError) + .map(|()| { + // Actually compare the outputs. + &chal_key == key + }) + } + Kdf::PBKDF2_SHA512(cost, salt, key) => { + let key_len = key.len(); + debug_assert!(key_len >= PBKDF2_MIN_NIST_KEY_LEN); + let mut chal_key: Vec = (0..key_len).map(|_| 0).collect(); + pbkdf2_hmac( + cleartext.as_bytes(), + salt.as_slice(), + *cost, + MessageDigest::sha512(), + chal_key.as_mut_slice(), + ) + .map_err(|_| OperationError::CryptographyError) + .map(|()| { + // Actually compare the outputs. + &chal_key == key + }) + } + Kdf::SSHA512(salt, key) => { + let mut hasher = Sha512::new(); + hasher.update(cleartext.as_bytes()); + hasher.update(salt); + let r = hasher.finish(); + Ok(key == &(r.to_vec())) + } + Kdf::NT_MD4(key) => { + // We need to get the cleartext to utf16le for reasons. 
+ let clear_utf16le: Vec = cleartext + .encode_utf16() + .map(|c| c.to_le_bytes()) + .flat_map(|i| i.into_iter()) + .collect(); + + let dgst = MessageDigest::from_nid(Nid::MD4).ok_or_else(|| { + error!("Unable to access MD4 - fips mode may be enabled, or you may need to activate the legacy provider."); + error!("For more details, see https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers"); + OperationError::CryptographyError + })?; + + hash::hash(dgst, &clear_utf16le) + .map_err(|e| { + debug!(?e); + error!("Unable to digest MD4 - fips mode may be enabled, or you may need to activate the legacy provider."); + error!("For more details, see https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers"); + OperationError::CryptographyError + }) + .map(|chal_key| chal_key.as_ref() == key) + } + } + } + + pub fn to_dbpasswordv1(&self) -> DbPasswordV1 { + match &self.material { + Kdf::PBKDF2(cost, salt, hash) => { + DbPasswordV1::PBKDF2(*cost, salt.clone(), hash.clone()) + } + Kdf::PBKDF2_SHA1(cost, salt, hash) => { + DbPasswordV1::PBKDF2_SHA1(*cost, salt.clone(), hash.clone()) + } + Kdf::PBKDF2_SHA512(cost, salt, hash) => { + DbPasswordV1::PBKDF2_SHA512(*cost, salt.clone(), hash.clone()) + } + Kdf::SSHA512(salt, hash) => DbPasswordV1::SSHA512(salt.clone(), hash.clone()), + Kdf::NT_MD4(hash) => DbPasswordV1::NT_MD4(hash.clone()), + } + } + + pub fn to_repl_v1(&self) -> ReplPasswordV1 { + match &self.material { + Kdf::PBKDF2(cost, salt, hash) => ReplPasswordV1::PBKDF2 { + cost: *cost, + salt: salt.clone().into(), + hash: hash.clone().into(), + }, + Kdf::PBKDF2_SHA1(cost, salt, hash) => ReplPasswordV1::PBKDF2_SHA1 { + cost: *cost, + salt: salt.clone().into(), + hash: hash.clone().into(), + }, + Kdf::PBKDF2_SHA512(cost, salt, hash) => ReplPasswordV1::PBKDF2_SHA512 { + cost: *cost, + salt: salt.clone().into(), + hash: hash.clone().into(), + }, + Kdf::SSHA512(salt, hash) => ReplPasswordV1::SSHA512 { + salt: salt.clone().into(), + hash: hash.clone().into(), + }, + 
Kdf::NT_MD4(hash) => ReplPasswordV1::NT_MD4 { + hash: hash.clone().into(), + }, + } + } + + pub fn requires_upgrade(&self) -> bool { + match &self.material { + Kdf::PBKDF2_SHA512(cost, salt, hash) | Kdf::PBKDF2(cost, salt, hash) => { + *cost < PBKDF2_MIN_NIST_COST + || salt.len() < PBKDF2_MIN_NIST_SALT_LEN + || hash.len() < PBKDF2_MIN_NIST_KEY_LEN + } + Kdf::PBKDF2_SHA1(_, _, _) | Kdf::SSHA512(_, _) | Kdf::NT_MD4(_) => true, + } + } +} + +#[cfg(test)] +mod tests { + use std::convert::TryFrom; + + use crate::*; + + #[test] + fn test_credential_simple() { + let p = CryptoPolicy::minimum(); + let c = Password::new(&p, "password").unwrap(); + assert!(c.verify("password").unwrap()); + assert!(!c.verify("password1").unwrap()); + assert!(!c.verify("Password1").unwrap()); + assert!(!c.verify("It Works!").unwrap()); + assert!(!c.verify("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa").unwrap()); + } + + #[test] + fn test_password_from_invalid() { + assert!(Password::try_from("password").is_err()) + } + + #[test] + fn test_password_from_django_pbkdf2_sha256() { + let im_pw = "pbkdf2_sha256$36000$xIEozuZVAoYm$uW1b35DUKyhvQAf1mBqMvoBDcqSD06juzyO/nmyV0+w="; + let password = "eicieY7ahchaoCh0eeTa"; + let r = Password::try_from(im_pw).expect("Failed to parse"); + assert!(r.verify(password).unwrap_or(false)); + } + + #[test] + fn test_password_from_ds_ssha512() { + let im_pw = "{SSHA512}JwrSUHkI7FTAfHRVR6KoFlSN0E3dmaQWARjZ+/UsShYlENOqDtFVU77HJLLrY2MuSp0jve52+pwtdVl2QUAHukQ0XUf5LDtM"; + let password = "password"; + let r = Password::try_from(im_pw).expect("Failed to parse"); + // Known weak, require upgrade. 
+ assert!(r.requires_upgrade()); + assert!(r.verify(password).unwrap_or(false)); + } + + // Can be generated with: + // slappasswd -s password -o module-load=/usr/lib64/openldap/pw-argon2.so -h {ARGON2} + + #[test] + fn test_password_from_openldap_pkbdf2() { + let im_pw = "{PBKDF2}10000$IlfapjA351LuDSwYC0IQ8Q$saHqQTuYnjJN/tmAndT.8mJt.6w"; + let password = "password"; + let r = Password::try_from(im_pw).expect("Failed to parse"); + assert!(r.requires_upgrade()); + assert!(r.verify(password).unwrap_or(false)); + } + + #[test] + fn test_password_from_openldap_pkbdf2_sha1() { + let im_pw = "{PBKDF2-SHA1}10000$ZBEH6B07rgQpJSikyvMU2w$TAA03a5IYkz1QlPsbJKvUsTqNV"; + let password = "password"; + let r = Password::try_from(im_pw).expect("Failed to parse"); + assert!(r.requires_upgrade()); + assert!(r.verify(password).unwrap_or(false)); + } + + #[test] + fn test_password_from_openldap_pkbdf2_sha256() { + let im_pw = "{PBKDF2-SHA256}10000$henZGfPWw79Cs8ORDeVNrQ$1dTJy73v6n3bnTmTZFghxHXHLsAzKaAy8SksDfZBPIw"; + let password = "password"; + let r = Password::try_from(im_pw).expect("Failed to parse"); + assert!(!r.requires_upgrade()); + assert!(r.verify(password).unwrap_or(false)); + } + + #[test] + fn test_password_from_openldap_pkbdf2_sha512() { + let im_pw = "{PBKDF2-SHA512}10000$Je1Uw19Bfv5lArzZ6V3EPw$g4T/1sqBUYWl9o93MVnyQ/8zKGSkPbKaXXsT8WmysXQJhWy8MRP2JFudSL.N9RklQYgDPxPjnfum/F2f/TrppA"; + let password = "password"; + let r = Password::try_from(im_pw).expect("Failed to parse"); + assert!(!r.requires_upgrade()); + assert!(r.verify(password).unwrap_or(false)); + } + + /* + // Not supported in openssl, may need an external crate. 
+ #[test] + fn test_password_from_openldap_argon2() { + let im_pw = "{ARGON2}$argon2id$v=19$m=65536,t=2,p=1$IyTQMsvzB2JHDiWx8fq7Ew$VhYOA7AL0kbRXI5g2kOyyp8St1epkNj7WZyUY4pAIQQ" + let password = "password"; + let r = Password::try_from(im_pw).expect("Failed to parse"); + assert!(r.requires_upgrade()); + assert!(r.verify(password).unwrap_or(false)); + } + */ + + /* + * wbrown - 20221104 - I tried to programmatically enable the legacy provider, but + * it consistently "did nothing at all", meaning we have to rely on users to enable + * this for this test. + */ + + /* + #[cfg(openssl3)] + fn setup_openssl_legacy_provider() -> openssl::lib_ctx::LibCtx { + let ctx = openssl::lib_ctx::LibCtx::new() + .expect("Failed to create new library context"); + + openssl::provider::Provider::load(Some(&ctx), "legacy") + .expect("Failed to setup provider."); + + eprintln!("setup legacy provider maybe??"); + + ctx + } + */ + + #[test] + fn test_password_from_ipa_nt_hash() { + sketching::test_init(); + // Base64 no pad + let im_pw = "ipaNTHash: iEb36u6PsRetBr3YMLdYbA"; + let password = "password"; + let r = Password::try_from(im_pw).expect("Failed to parse"); + assert!(r.requires_upgrade()); + + match r.verify(password) { + Ok(r) => assert!(r), + Err(_) => { + if cfg!(openssl3) { + warn!("To run this test, enable the legacy provider."); + } else { + assert!(false); + } + } + } + } + + #[test] + fn test_password_from_samba_nt_hash() { + sketching::test_init(); + // Base64 no pad + let im_pw = "sambaNTPassword: 8846F7EAEE8FB117AD06BDD830B7586C"; + let password = "password"; + let r = Password::try_from(im_pw).expect("Failed to parse"); + assert!(r.requires_upgrade()); + match r.verify(password) { + Ok(r) => assert!(r), + Err(_) => { + if cfg!(openssl3) { + warn!("To run this test, enable the legacy provider."); + } else { + assert!(false); + } + } + } + } +} diff --git a/libs/file_permissions/Cargo.toml b/libs/file_permissions/Cargo.toml new file mode 100644 index 000000000..0d15f42f6 
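Review bot: The `{SSHA512}` branch of `TryFrom<&str> for Password` calls `sh.split_at(DS_SSHA512_HASH_LEN)` before any length check, and `split_at` panics when the decoded slice is shorter than 64 bytes, so a malformed imported hash aborts the caller instead of yielding `Err(())`; guard first with `if sh.len() != DS_SSHA512_HASH_LEN + DS_SSHA512_SALT_LEN { return Err(()); }` (the later salt-length check then becomes redundant). Separately, every `verify` arm compares the derived digest with `==` (`&chal_key == key`, `key == &(r.to_vec())`, `chal_key.as_ref() == key`); the crate already depends on openssl, so `openssl::memcmp::eq` gives a constant-time comparison for free, keeping an explicit `len()` check in front of it for the imported SSHA512 and NT_MD4 material since `eq` requires equal lengths. The leak is marginal because the stored hash rather than the challenge is the secret, but a shared crypto crate is the place to get it right. `time_target` also divides by `t_per_thou`, which is zero when the benchmark completes in under 100 ns; unrealistic for 100k PBKDF2 rounds, but `t_per_thou.max(1)` removes the panic path entirely.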
--- /dev/null
+++ b/libs/file_permissions/Cargo.toml
@@ -0,0 +1,14 @@
+[package]
+name = "kanidm_lib_file_permissions"
+version = "0.1.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+
+[target.'cfg(target_family = "windows")'.dependencies]
+whoami.workspace = true
+
+[target.'cfg(not(target_family = "windows"))'.dependencies]
+users.workspace = true
diff --git a/libs/file_permissions/src/lib.rs b/libs/file_permissions/src/lib.rs
new file mode 100644
index 000000000..19fd849a8
@@ -0,0 +1,46 @@
+use std::fs::Metadata;
+
+#[cfg(target_os = "linux")]
+use std::os::linux::fs::MetadataExt;
+
+#[cfg(target_os = "macos")]
+use std::os::macos::fs::MetadataExt;
+
+// #[cfg(target_os = "windows")]
+// use std::os::windows::fs::MetadataExt;
+#[cfg(target_family = "unix")]
+use users::{get_current_gid, get_current_uid};
+
+#[cfg(target_family = "unix")]
+/// Check a given file's metadata is read-only for the current user (true = read-only)
+pub fn readonly(meta: &Metadata) -> bool {
+ // Who are we running as?
+ let cuid = get_current_uid();
+ let cgid = get_current_gid();
+
+ // Who owns the file?
+ // Who is the group owner of the file?
+ let f_gid = meta.st_gid();
+ let f_uid = meta.st_uid();
+
+ let f_mode = meta.st_mode();
+
+ !(
+ // If we are the owner, we have write perms as we can alter the DAC rights
+ cuid == f_uid ||
+ // If we are the group owner, check the mode bits do not have write.
+ (cgid == f_gid && (f_mode & 0o0020) != 0) ||
+ // Finally, check that everyone bits don't have write.
+ ((f_mode & 0o0002) != 0)
+ )
+}
+
+#[cfg(not(target_family = "unix"))]
+/// Check a given file's metadata is read-only for the current user (true = read-only) Stub function if you're building for windows!
+pub fn readonly(meta: &Metadata) -> bool {
+ debug!(
+ "Windows target asked to check metadata on {:?} returning false",
+ meta
+ );
+ false
+}
diff --git a/profiles/Cargo.toml b/libs/profiles/Cargo.toml
similarity index 100%
rename from profiles/Cargo.toml
rename to libs/profiles/Cargo.toml
diff --git a/profiles/build.rs b/libs/profiles/build.rs
similarity index 100%
rename from profiles/build.rs
rename to libs/profiles/build.rs
diff --git a/profiles/container_generic.toml b/libs/profiles/container_generic.toml
similarity index 100%
rename from profiles/container_generic.toml
rename to libs/profiles/container_generic.toml
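Review bot: The non-unix `readonly` stub calls `debug!`, but this crate declares no logging dependency (its `[dependencies]` table is empty and only `whoami` is pulled in for windows) and the file has no `use` for the macro, so the windows build the stub exists for fails to compile; either add `tracing.workspace = true` plus `use tracing::debug;`, or drop the log line. The unix implementation is gated on `target_family = "unix"` while `MetadataExt` is only imported for `target_os = "linux"` and `"macos"`, leaving `st_uid()`/`st_gid()`/`st_mode()` unresolved on other unix targets; `std::os::unix::fs::MetadataExt` under the same `cfg(target_family = "unix")`, with `uid()`/`gid()`/`mode()`, covers all of them. Note also that `get_current_gid()` is the primary gid only, so a file that is group-writable through one of the process's supplementary groups is reported read-only, and uid 0 is not special-cased; both are worth stating in the doc comment, e.g. `/// Only the primary gid is considered; supplementary groups and root's DAC override are ignored.`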
diff --git a/profiles/container_x86_64_v3.toml b/libs/profiles/container_x86_64_v3.toml similarity index 100% rename from profiles/container_x86_64_v3.toml rename to libs/profiles/container_x86_64_v3.toml diff --git a/profiles/developer.toml b/libs/profiles/developer.toml similarity index 57% rename from profiles/developer.toml rename to libs/profiles/developer.toml index f50b00151..298532e1f 100644 --- a/profiles/developer.toml +++ b/libs/profiles/developer.toml @@ -1,3 +1,3 @@ -web_ui_pkg_path = "../../kanidmd_web_ui/pkg" +web_ui_pkg_path = "../web_ui/pkg" # Set to native for developer machines. cpu_flags = "native" diff --git a/profiles/release_suse_generic.toml b/libs/profiles/release_suse_generic.toml similarity index 100% rename from profiles/release_suse_generic.toml rename to libs/profiles/release_suse_generic.toml diff --git a/profiles/src/lib.rs b/libs/profiles/src/lib.rs similarity index 100% rename from profiles/src/lib.rs rename to libs/profiles/src/lib.rs diff --git a/sketching/Cargo.toml b/libs/sketching/Cargo.toml similarity index 100% rename from sketching/Cargo.toml rename to libs/sketching/Cargo.toml diff --git a/sketching/src/lib.rs b/libs/sketching/src/lib.rs similarity index 100% rename from sketching/src/lib.rs rename to libs/sketching/src/lib.rs diff --git a/sketching/src/macros.rs b/libs/sketching/src/macros.rs similarity index 100% rename from sketching/src/macros.rs rename to libs/sketching/src/macros.rs diff --git a/sketching/src/middleware.rs b/libs/sketching/src/middleware.rs similarity index 100% rename from sketching/src/middleware.rs rename to libs/sketching/src/middleware.rs diff --git a/ethics/EXAMPLES.md b/project_docs/ethics/EXAMPLES.md similarity index 100% rename from ethics/EXAMPLES.md rename to project_docs/ethics/EXAMPLES.md diff --git a/ethics/README.md b/project_docs/ethics/README.md similarity index 100% rename from ethics/README.md rename to project_docs/ethics/README.md 
diff --git a/kanidm_proto/Cargo.toml b/proto/Cargo.toml similarity index 100% rename from kanidm_proto/Cargo.toml rename to proto/Cargo.toml diff --git a/kanidm_proto/src/constants.rs b/proto/src/constants.rs similarity index 100% rename from kanidm_proto/src/constants.rs rename to proto/src/constants.rs diff --git a/kanidm_proto/src/internal.rs b/proto/src/internal.rs similarity index 100% rename from kanidm_proto/src/internal.rs rename to proto/src/internal.rs diff --git a/kanidm_proto/src/lib.rs b/proto/src/lib.rs similarity index 100% rename from kanidm_proto/src/lib.rs rename to proto/src/lib.rs diff --git a/kanidm_proto/src/messages.rs b/proto/src/messages.rs similarity index 100% rename from kanidm_proto/src/messages.rs rename to proto/src/messages.rs diff --git a/kanidm_proto/src/oauth2.rs b/proto/src/oauth2.rs similarity index 100% rename from kanidm_proto/src/oauth2.rs rename to proto/src/oauth2.rs diff --git a/kanidm_proto/src/scim_v1.rs b/proto/src/scim_v1.rs similarity index 100% rename from kanidm_proto/src/scim_v1.rs rename to proto/src/scim_v1.rs diff --git a/kanidm_proto/src/utils.rs b/proto/src/utils.rs similarity index 100% rename from kanidm_proto/src/utils.rs rename to proto/src/utils.rs diff --git a/kanidm_proto/src/v1.rs b/proto/src/v1.rs similarity index 100% rename from kanidm_proto/src/v1.rs rename to proto/src/v1.rs diff --git a/kanidm_rlm_python/Dockerfile b/rlm_python/Dockerfile similarity index 100% rename from kanidm_rlm_python/Dockerfile rename to rlm_python/Dockerfile diff --git a/kanidm_rlm_python/mods-available/cache b/rlm_python/mods-available/cache similarity index 100% rename from kanidm_rlm_python/mods-available/cache rename to rlm_python/mods-available/cache diff --git a/kanidm_rlm_python/mods-available/eap b/rlm_python/mods-available/eap similarity index 100% rename from kanidm_rlm_python/mods-available/eap rename to rlm_python/mods-available/eap 
diff --git a/kanidm_rlm_python/mods-available/python3 b/rlm_python/mods-available/python3 similarity index 100% rename from kanidm_rlm_python/mods-available/python3 rename to rlm_python/mods-available/python3 diff --git a/kanidm_rlm_python/pyproject.toml b/rlm_python/pyproject.toml similarity index 100% rename from kanidm_rlm_python/pyproject.toml rename to rlm_python/pyproject.toml diff --git a/kanidm_rlm_python/radius_entrypoint.py b/rlm_python/radius_entrypoint.py similarity index 100% rename from kanidm_rlm_python/radius_entrypoint.py rename to rlm_python/radius_entrypoint.py diff --git a/kanidm_rlm_python/run_radius_container.sh b/rlm_python/run_radius_container.sh similarity index 100% rename from kanidm_rlm_python/run_radius_container.sh rename to rlm_python/run_radius_container.sh diff --git a/kanidm_rlm_python/sites-available/check-eap-tls b/rlm_python/sites-available/check-eap-tls similarity index 100% rename from kanidm_rlm_python/sites-available/check-eap-tls rename to rlm_python/sites-available/check-eap-tls diff --git a/kanidm_rlm_python/sites-available/default b/rlm_python/sites-available/default similarity index 100% rename from kanidm_rlm_python/sites-available/default rename to rlm_python/sites-available/default diff --git a/kanidm_rlm_python/sites-available/inner-tunnel b/rlm_python/sites-available/inner-tunnel similarity index 100% rename from kanidm_rlm_python/sites-available/inner-tunnel rename to rlm_python/sites-available/inner-tunnel diff --git a/kanidm_rlm_python/test_data/config.ini b/rlm_python/test_data/config.ini similarity index 100% rename from kanidm_rlm_python/test_data/config.ini rename to rlm_python/test_data/config.ini diff --git a/kanidm_rlm_python/test_data/kanidm_radius.toml b/rlm_python/test_data/kanidm_radius.toml similarity index 100% rename from kanidm_rlm_python/test_data/kanidm_radius.toml rename to rlm_python/test_data/kanidm_radius.toml 
diff --git a/build_all_the_docs.sh b/scripts/build_all_the_docs.sh similarity index 100% rename from build_all_the_docs.sh rename to scripts/build_all_the_docs.sh diff --git a/check_dependabot.sh b/scripts/check_dependabot.sh similarity index 100% rename from check_dependabot.sh rename to scripts/check_dependabot.sh diff --git a/insecure_generate_tls.ps1 b/scripts/insecure_generate_tls.ps1 similarity index 100% rename from insecure_generate_tls.ps1 rename to scripts/insecure_generate_tls.ps1 diff --git a/insecure_generate_tls.sh b/scripts/insecure_generate_tls.sh similarity index 100% rename from insecure_generate_tls.sh rename to scripts/insecure_generate_tls.sh diff --git a/kanidmd/Dockerfile b/server/Dockerfile similarity index 100% rename from kanidmd/Dockerfile rename to server/Dockerfile diff --git a/kanidmd/builder.sh b/server/builder.sh similarity index 100% rename from kanidmd/builder.sh rename to server/builder.sh diff --git a/kanidmd/core/Cargo.toml b/server/core/Cargo.toml similarity index 100% rename from kanidmd/core/Cargo.toml rename to server/core/Cargo.toml diff --git a/kanidmd/core/build.rs b/server/core/build.rs similarity index 100% rename from kanidmd/core/build.rs rename to server/core/build.rs diff --git a/kanidmd/core/src/actors/mod.rs b/server/core/src/actors/mod.rs similarity index 100% rename from kanidmd/core/src/actors/mod.rs rename to server/core/src/actors/mod.rs diff --git a/kanidmd/core/src/actors/v1_read.rs b/server/core/src/actors/v1_read.rs similarity index 100% rename from kanidmd/core/src/actors/v1_read.rs rename to server/core/src/actors/v1_read.rs diff --git a/kanidmd/core/src/actors/v1_scim.rs b/server/core/src/actors/v1_scim.rs similarity index 100% rename from kanidmd/core/src/actors/v1_scim.rs rename to server/core/src/actors/v1_scim.rs 
diff --git a/kanidmd/core/src/actors/v1_write.rs b/server/core/src/actors/v1_write.rs similarity index 100% rename from kanidmd/core/src/actors/v1_write.rs rename to server/core/src/actors/v1_write.rs diff --git a/kanidmd/core/src/config.rs b/server/core/src/config.rs similarity index 100% rename from kanidmd/core/src/config.rs rename to server/core/src/config.rs diff --git a/kanidmd/core/src/crypto.rs b/server/core/src/crypto.rs similarity index 100% rename from kanidmd/core/src/crypto.rs rename to server/core/src/crypto.rs diff --git a/kanidmd/core/src/https/manifest.rs b/server/core/src/https/manifest.rs similarity index 100% rename from kanidmd/core/src/https/manifest.rs rename to server/core/src/https/manifest.rs diff --git a/kanidmd/core/src/https/middleware.rs b/server/core/src/https/middleware.rs similarity index 100% rename from kanidmd/core/src/https/middleware.rs rename to server/core/src/https/middleware.rs diff --git a/kanidmd/core/src/https/mod.rs b/server/core/src/https/mod.rs similarity index 100% rename from kanidmd/core/src/https/mod.rs rename to server/core/src/https/mod.rs diff --git a/kanidmd/core/src/https/oauth2.rs b/server/core/src/https/oauth2.rs similarity index 100% rename from kanidmd/core/src/https/oauth2.rs rename to server/core/src/https/oauth2.rs diff --git a/kanidmd/core/src/https/routemaps.rs b/server/core/src/https/routemaps.rs similarity index 100% rename from kanidmd/core/src/https/routemaps.rs rename to server/core/src/https/routemaps.rs diff --git a/kanidmd/core/src/https/v1.rs b/server/core/src/https/v1.rs similarity index 100% rename from kanidmd/core/src/https/v1.rs rename to server/core/src/https/v1.rs diff --git a/kanidmd/core/src/https/v1_scim.rs b/server/core/src/https/v1_scim.rs similarity index 100% rename from kanidmd/core/src/https/v1_scim.rs rename to server/core/src/https/v1_scim.rs 
diff --git a/kanidmd/core/src/interval.rs b/server/core/src/interval.rs similarity index 100% rename from kanidmd/core/src/interval.rs rename to server/core/src/interval.rs diff --git a/kanidmd/core/src/ldaps.rs b/server/core/src/ldaps.rs similarity index 100% rename from kanidmd/core/src/ldaps.rs rename to server/core/src/ldaps.rs diff --git a/kanidmd/core/src/lib.rs b/server/core/src/lib.rs similarity index 100% rename from kanidmd/core/src/lib.rs rename to server/core/src/lib.rs diff --git a/kanidmd/daemon/Cargo.toml b/server/daemon/Cargo.toml similarity index 96% rename from kanidmd/daemon/Cargo.toml rename to server/daemon/Cargo.toml index 145f9ee10..c2b4b7588 100644 --- a/kanidmd/daemon/Cargo.toml +++ b/server/daemon/Cargo.toml @@ -18,11 +18,9 @@ name = "kanidmd" path = "src/main.rs" [dependencies] -# Remove these! kanidm_proto.workspace = true -kanidmd_lib.workspace = true - kanidmd_core.workspace = true +kanidm_lib_file_permissions.workspace = true sketching.workspace = true clap = { workspace = true, features = ["env"] } diff --git a/kanidmd/daemon/build.rs b/server/daemon/build.rs similarity index 100% rename from kanidmd/daemon/build.rs rename to server/daemon/build.rs diff --git a/kanidmd/daemon/run_insecure_dev_server.sh b/server/daemon/run_insecure_dev_server.sh similarity index 100% rename from kanidmd/daemon/run_insecure_dev_server.sh rename to server/daemon/run_insecure_dev_server.sh diff --git a/kanidmd/daemon/src/main.rs b/server/daemon/src/main.rs similarity index 90% rename from kanidmd/daemon/src/main.rs rename to server/daemon/src/main.rs index 6dd48255e..a2f40740b 100644 --- a/kanidmd/daemon/src/main.rs +++ b/server/daemon/src/main.rs 
@@ -28,8 +28,6 @@ use kanidmd_core::{
 domain_rename_core, recover_account_core, reindex_server_core, restore_server_core, vacuum_server_core, verify_server_core, };
-#[cfg(not(target_family = "windows"))]
-use kanidmd_lib::utils::file_permissions_readonly;
 use sketching::tracing_forest::traits::*; use sketching::tracing_forest::util::*; use sketching::tracing_forest::{self};
@@ -168,20 +166,17 @@ async fn main() {
 { let cfg_meta = read_file_metadata(&(opt.commands.commonopt().config_path));
- #[cfg(target_family = "unix")]
- if !file_permissions_readonly(&cfg_meta) {
+ if !kanidm_lib_file_permissions::readonly(&cfg_meta) {
 eprintln!("WARNING: permissions on {} may not be secure. Should be readonly to running uid. This could be a security risk ...", opt.commands.commonopt().config_path.to_str().unwrap_or("invalid file path")); }
- #[cfg(target_family = "unix")]
 if cfg_meta.mode() & 0o007 != 0 { eprintln!("WARNING: {} has 'everyone' permission bits in the mode. This could be a security risk ...", opt.commands.commonopt().config_path.to_str().unwrap_or("invalid file path") ); }
- #[cfg(target_family = "unix")]
 if cfg_meta.uid() == cuid || cfg_meta.uid() == ceuid { eprintln!("WARNING: {} owned by the current uid, which may allow file permission changes. This could be a security risk ...", opt.commands.commonopt().config_path.to_str().unwrap_or("invalid file path")
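Review bot: Dropping the `#[cfg(target_family = "unix")]` gates leaves `cfg_meta.mode()` and `cfg_meta.uid()` (methods of `std::os::unix::fs::MetadataExt`) unconditional in the `@@ -168` hunk, and the same applies to `i_meta.mode()` in the `@@ -219` and `@@ -261` hunks, so unless `main` or that trait import is gated elsewhere in the file (the enclosing `async fn main` starts before and continues after each of these hunks) this stops compiling on non-unix targets. The `@@ -261` hunk also removes the explicit "permissions checks on windows aren't implemented" warning without a replacement, so on a platform where `kanidm_lib_file_permissions::readonly` cannot evaluate ownership or mode bits a world-readable TLS key would now go unreported instead of being flagged. If the new crate is meant to be the portable entry point, the mode-bit and uid checks belong behind it as well; otherwise a `#[cfg(not(target_family = "unix"))] eprintln!("WARNING: file permission checks are not implemented on this platform ...")` fallback should stay. A one-line comment at the first call, `// readonly() is the portable check; mode()/uid() below are still unix-only`, would make the remaining platform dependency explicit.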
@@ -219,15 +214,11 @@ async fn main() {
 std::process::exit(1); }
- // TODO: windows support for DB folder permissions checks
- #[cfg(target_family = "unix")]
- {
- if file_permissions_readonly(&i_meta) {
- eprintln!("WARNING: DB folder permissions on {} indicate it may not be RW. This could cause the server start up to fail!", db_par_path_buf.to_str().unwrap_or("invalid file path"));
- }
- if i_meta.mode() & 0o007 != 0 {
- eprintln!("WARNING: DB folder {} has 'everyone' permission bits in the mode. This could be a security risk ...", db_par_path_buf.to_str().unwrap_or("invalid file path"));
- }
+ if kanidm_lib_file_permissions::readonly(&i_meta) {
+ eprintln!("WARNING: DB folder permissions on {} indicate it may not be RW. This could cause the server start up to fail!", db_par_path_buf.to_str().unwrap_or("invalid file path"));
+ }
+ if i_meta.mode() & 0o007 != 0 {
+ eprintln!("WARNING: DB folder {} has 'everyone' permission bits in the mode. This could be a security risk ...", db_par_path_buf.to_str().unwrap_or("invalid file path"));
 } }
@@ -261,36 +252,23 @@ async fn main() {
 if let Some(i_str) = &(sconfig.tls_chain) { let i_path = PathBuf::from(i_str.as_str());
- // TODO: windows support for DB folder permissions checks
- #[cfg(not(target_family = "unix"))]
- eprintln!("WARNING: permissions checks on windows aren't implemented, cannot check TLS Key at {:?}", i_path);
- #[cfg(target_family = "unix")]
- {
- let i_meta = read_file_metadata(&i_path);
- if !file_permissions_readonly(&i_meta) {
- eprintln!("WARNING: permissions on {} may not be secure. Should be readonly to running uid. This could be a security risk ...", i_str);
- }
+ let i_meta = read_file_metadata(&i_path);
+ if !kanidm_lib_file_permissions::readonly(&i_meta) {
+ eprintln!("WARNING: permissions on {} may not be secure. Should be readonly to running uid. This could be a security risk ...", i_str);
 } } if let Some(i_str) = &(sconfig.tls_key) { let i_path = PathBuf::from(i_str.as_str());
- // TODO: windows support for DB folder permissions checks
- #[cfg(not(target_family = "unix"))]
- eprintln!("WARNING: permissions checks on windows aren't implemented, cannot check TLS Key at {:?}", i_path);
- // TODO: windows support for DB folder permissions checks
- #[cfg(target_family = "unix")]
- {
 let i_meta = read_file_metadata(&i_path);
- if !file_permissions_readonly(&i_meta) {
+ if !kanidm_lib_file_permissions::readonly(&i_meta) {
 eprintln!("WARNING: permissions on {} may not be secure. Should be readonly to running uid. This could be a security risk ...", i_str); } if i_meta.mode() & 0o007 != 0 { eprintln!("WARNING: {} has 'everyone' permission bits in the mode. This could be a security risk ...", i_str); }
- }
 } let sctx = create_server_core(config, config_test).await;
diff --git a/kanidmd/daemon/src/opt.rs b/server/daemon/src/opt.rs
similarity index 100%
rename from kanidmd/daemon/src/opt.rs
rename to server/daemon/src/opt.rs
diff --git a/kanidmd/lib-macros/Cargo.toml b/server/lib-macros/Cargo.toml
similarity index 100%
rename from kanidmd/lib-macros/Cargo.toml
rename to server/lib-macros/Cargo.toml
diff --git a/kanidmd/lib-macros/src/entry.rs b/server/lib-macros/src/entry.rs
similarity index 100%
rename from kanidmd/lib-macros/src/entry.rs
rename to server/lib-macros/src/entry.rs
diff --git a/kanidmd/lib-macros/src/lib.rs b/server/lib-macros/src/lib.rs
similarity index 100%
rename from kanidmd/lib-macros/src/lib.rs
rename to server/lib-macros/src/lib.rs
diff --git a/kanidmd/lib/Cargo.toml b/server/lib/Cargo.toml
similarity index 98%
rename from kanidmd/lib/Cargo.toml
rename to server/lib/Cargo.toml
index 91c1efc09..62a27c8fa 100644
--- a/kanidmd/lib/Cargo.toml
+++ b/server/lib/Cargo.toml
@@ -29,13 +29,11 @@ concread.workspace = true
 dyn-clone.workspace = true
 fernet = { workspace = true, features = ["fernet_danger_timestamps"] }
 filetime.workspace = true
-futures.workspace = true
 futures-util.workspace = true
 hashbrown.workspace = true
-hex.workspace = true
 idlset.workspace = true
 kanidm_proto.workspace = true
-kanidmd_lib_macros.workspace = true
+kanidm_lib_crypto.workspace = true
 lazy_static.workspace = true
 ldap3_proto.workspace = true
 libc.workspace = true
@@ -89,6 +87,9 @@ users.workspace = true
 criterion = { workspace = true, features = ["html_reports"] } webauthn-authenticator-rs.workspace = true
+futures.workspace = true
+kanidmd_lib_macros.workspace = true
+
 [build-dependencies] profiles.workspace = true
diff --git a/kanidmd/lib/benches/scaling_10k.rs b/server/lib/benches/scaling_10k.rs
similarity index 100%
rename from kanidmd/lib/benches/scaling_10k.rs
rename to server/lib/benches/scaling_10k.rs
diff --git a/kanidmd/lib/build.rs b/server/lib/build.rs
similarity index 100%
rename from kanidmd/lib/build.rs
rename to server/lib/build.rs
diff --git a/kanidmd/lib/src/be/dbentry.rs b/server/lib/src/be/dbentry.rs
similarity index 100%
rename from kanidmd/lib/src/be/dbentry.rs
rename to server/lib/src/be/dbentry.rs
diff --git a/kanidmd/lib/src/be/dbvalue.rs b/server/lib/src/be/dbvalue.rs
similarity index 96%
rename from kanidmd/lib/src/be/dbvalue.rs
rename to server/lib/src/be/dbvalue.rs
index 31024b612..8489469c8 100644
--- a/kanidmd/lib/src/be/dbvalue.rs
+++ b/server/lib/src/be/dbvalue.rs
@@ -10,6 +10,9 @@ use webauthn_rs::prelude::{
 }; use webauthn_rs_core::proto::{COSEKey, UserVerificationPolicy};
+// Re-export this as though it was here.
+pub use kanidm_lib_crypto::DbPasswordV1;
+
 #[derive(Serialize, Deserialize, Debug)] pub struct DbCidV1 { #[serde(rename = "s")]
@@ -18,28 +21,6 @@ pub struct DbCidV1 {
 pub timestamp: Duration, }
-#[derive(Serialize, Deserialize)]
-#[allow(non_camel_case_types)]
-pub enum DbPasswordV1 {
- PBKDF2(usize, Vec, Vec),
- PBKDF2_SHA1(usize, Vec, Vec),
- PBKDF2_SHA512(usize, Vec, Vec),
- SSHA512(Vec, Vec),
- NT_MD4(Vec),
-}
-
-impl fmt::Debug for DbPasswordV1 {
- fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
- match self {
- DbPasswordV1::PBKDF2(_, _, _) => write!(f, "PBKDF2"),
- DbPasswordV1::PBKDF2_SHA1(_, _, _) => write!(f, "PBKDF2_SHA1"),
- DbPasswordV1::PBKDF2_SHA512(_, _, _) => write!(f, "PBKDF2_SHA512"),
- DbPasswordV1::SSHA512(_, _) => write!(f, "SSHA512"),
- DbPasswordV1::NT_MD4(_) => write!(f, "NT_MD4"),
- }
- }
-}
-
 #[derive(Serialize, Deserialize, Debug)] pub enum DbValueIntentTokenStateV1 { #[serde(rename = "v")]
diff --git a/kanidmd/lib/src/be/idl_arc_sqlite.rs b/server/lib/src/be/idl_arc_sqlite.rs
similarity index 100%
rename from kanidmd/lib/src/be/idl_arc_sqlite.rs
rename to server/lib/src/be/idl_arc_sqlite.rs
diff --git a/kanidmd/lib/src/be/idl_sqlite.rs b/server/lib/src/be/idl_sqlite.rs
similarity index 100%
rename from kanidmd/lib/src/be/idl_sqlite.rs
rename to server/lib/src/be/idl_sqlite.rs
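Review bot: `pub use kanidm_lib_crypto::DbPasswordV1;` replaces a hand-written `fmt::Debug` impl whose only job was to print the variant name and keep salt and hash bytes out of `{:?}` output; the moved definition is not in this chunk, so confirm the new crate keeps that redacting impl rather than a derived `Debug`, and that the serde variant names (`PBKDF2`, `PBKDF2_SHA1`, `PBKDF2_SHA512`, `SSHA512`, `NT_MD4`) are unchanged, since they are the stored on-disk form. With the impl gone, the `fmt` import it used (outside this hunk) may now be unused in this file. A comment on the re-export would preserve the intent for readers, e.g. `// Re-exported from kanidm_lib_crypto; its Debug impl must keep omitting salt/hash material.`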
diff --git a/kanidmd/lib/src/be/idxkey.rs b/server/lib/src/be/idxkey.rs
similarity index 100%
rename from kanidmd/lib/src/be/idxkey.rs
rename to server/lib/src/be/idxkey.rs
diff --git a/kanidmd/lib/src/be/mod.rs b/server/lib/src/be/mod.rs
similarity index 100%
rename from kanidmd/lib/src/be/mod.rs
rename to server/lib/src/be/mod.rs
diff --git a/kanidmd/lib/src/constants/acp.rs b/server/lib/src/constants/acp.rs
similarity index 100%
rename from kanidmd/lib/src/constants/acp.rs
rename to server/lib/src/constants/acp.rs
diff --git a/kanidmd/lib/src/constants/entries.rs b/server/lib/src/constants/entries.rs
similarity index 100%
rename from kanidmd/lib/src/constants/entries.rs
rename to server/lib/src/constants/entries.rs
diff --git a/kanidmd/lib/src/constants/mod.rs b/server/lib/src/constants/mod.rs
similarity index 100%
rename from kanidmd/lib/src/constants/mod.rs
rename to server/lib/src/constants/mod.rs
diff --git a/kanidmd/lib/src/constants/rockyou_3_10.json b/server/lib/src/constants/rockyou_3_10.json
similarity index 100%
rename from kanidmd/lib/src/constants/rockyou_3_10.json
rename to server/lib/src/constants/rockyou_3_10.json
diff --git a/kanidmd/lib/src/constants/rockyou_popular10m_3_10.json b/server/lib/src/constants/rockyou_popular10m_3_10.json
similarity index 100%
rename from kanidmd/lib/src/constants/rockyou_popular10m_3_10.json
rename to server/lib/src/constants/rockyou_popular10m_3_10.json
diff --git a/kanidmd/lib/src/constants/schema.rs b/server/lib/src/constants/schema.rs
similarity index 100%
rename from kanidmd/lib/src/constants/schema.rs
rename to server/lib/src/constants/schema.rs
diff --git a/kanidmd/lib/src/constants/system_config.rs b/server/lib/src/constants/system_config.rs
similarity index 100%
rename from kanidmd/lib/src/constants/system_config.rs
rename to server/lib/src/constants/system_config.rs
diff --git a/kanidmd/lib/src/constants/uuids.rs b/server/lib/src/constants/uuids.rs
similarity index 100%
rename from kanidmd/lib/src/constants/uuids.rs
rename to server/lib/src/constants/uuids.rs
diff --git a/kanidmd/lib/src/constants/values.rs b/server/lib/src/constants/values.rs
similarity index 100%
rename from kanidmd/lib/src/constants/values.rs
rename to server/lib/src/constants/values.rs
diff --git a/kanidmd/lib/src/credential/mod.rs b/server/lib/src/credential/mod.rs
similarity index 59%
rename from kanidmd/lib/src/credential/mod.rs
rename to server/lib/src/credential/mod.rs
index 4b97d4a77..4ed218564 100644
--- a/kanidmd/lib/src/credential/mod.rs
+++ b/server/lib/src/credential/mod.rs
@@ -1,49 +1,24 @@
 use std::convert::TryFrom;
-use std::time::{Duration, Instant};
 use hashbrown::{HashMap as Map, HashSet}; use kanidm_proto::v1::{BackupCodesView, CredentialDetail, CredentialDetailType, OperationError};
-use openssl::hash::{self, MessageDigest};
-use openssl::nid::Nid;
-use openssl::pkcs5::pbkdf2_hmac;
-use openssl::sha::Sha512;
-use rand::prelude::*;
 use uuid::Uuid; use webauthn_rs::prelude::{AuthenticationResult, Passkey, SecurityKey}; use webauthn_rs_core::proto::{Credential as WebauthnCredential, CredentialV3};
-use crate::be::dbvalue::{DbBackupCodeV1, DbCred, DbPasswordV1};
-use crate::repl::proto::{
- ReplBackupCodeV1, ReplCredV1, ReplPasskeyV4V1, ReplPasswordV1, ReplSecurityKeyV4V1,
-};
+use crate::be::dbvalue::{DbBackupCodeV1, DbCred};
+use crate::repl::proto::{ReplBackupCodeV1, ReplCredV1, ReplPasskeyV4V1, ReplSecurityKeyV4V1};
-pub mod policy;
 pub mod softlock; pub mod totp; use self::totp::TOTP_DEFAULT_STEP;
-use crate::credential::policy::CryptoPolicy;
+use kanidm_lib_crypto::CryptoPolicy;
+
 use crate::credential::softlock::CredSoftLockPolicy; use crate::credential::totp::Totp;
-// NIST 800-63.b salt should be 112 bits -> 14 8u8.
-// I choose tinfoil hat though ...
-const PBKDF2_SALT_LEN: usize = 24;
-
-const PBKDF2_MIN_NIST_SALT_LEN: usize = 14;
-
-// Min number of rounds for a pbkdf2
-pub const PBKDF2_MIN_NIST_COST: usize = 10000;
-
-// 64 * u8 -> 512 bits of out.
-const PBKDF2_KEY_LEN: usize = 64;
-const PBKDF2_MIN_NIST_KEY_LEN: usize = 32;
-const PBKDF2_SHA1_MIN_KEY_LEN: usize = 19;
-
-const DS_SSHA512_SALT_LEN: usize = 8;
-const DS_SSHA512_HASH_LEN: usize = 64;
-
 // These are in order of "relative" strength. /* #[derive(Clone, Debug)]
@@ -55,436 +30,7 @@ pub enum Policy { } */ -// Why PBKDF2? Rust's bcrypt has a number of hardcodings like max pw len of 72 -// I don't really feel like adding in so many restrictions, so I'll use -// pbkdf2 in openssl because it doesn't have the same limits. -#[derive(Clone, Debug, PartialEq)] -#[allow(non_camel_case_types)] -enum Kdf { - // cost, salt, hash - PBKDF2(usize, Vec, Vec), - - // Imported types, will upgrade to the above. - // cost, salt, hash - PBKDF2_SHA1(usize, Vec, Vec), - // cost, salt, hash - PBKDF2_SHA512(usize, Vec, Vec), - // salt hash - SSHA512(Vec, Vec), - // hash - NT_MD4(Vec), -} - -#[derive(Clone, Debug, PartialEq)] -pub struct Password { - material: Kdf, -} - -impl TryFrom for Password { - type Error = (); - - fn try_from(value: DbPasswordV1) -> Result { - match value { - DbPasswordV1::PBKDF2(c, s, h) => Ok(Password { - material: Kdf::PBKDF2(c, s, h), - }), - DbPasswordV1::PBKDF2_SHA1(c, s, h) => Ok(Password { - material: Kdf::PBKDF2_SHA1(c, s, h), - }), - DbPasswordV1::PBKDF2_SHA512(c, s, h) => Ok(Password { - material: Kdf::PBKDF2_SHA512(c, s, h), - }), - DbPasswordV1::SSHA512(s, h) => Ok(Password { - material: Kdf::SSHA512(s, h), - }), - DbPasswordV1::NT_MD4(h) => Ok(Password { - material: Kdf::NT_MD4(h), - }), - } - } -} - -impl TryFrom<&ReplPasswordV1> for Password { - type Error = (); - - fn try_from(value: &ReplPasswordV1) -> Result { - match value { - ReplPasswordV1::PBKDF2 { cost, salt, hash } => Ok(Password { - material: Kdf::PBKDF2(*cost, salt.0.clone(), hash.0.clone()), - }), - ReplPasswordV1::PBKDF2_SHA1 { cost, salt, hash } => Ok(Password { - material: Kdf::PBKDF2_SHA1(*cost, salt.0.clone(), hash.0.clone()), - }), - ReplPasswordV1::PBKDF2_SHA512 { cost, salt, hash } => Ok(Password { - material: Kdf::PBKDF2_SHA512(*cost, salt.0.clone(), hash.0.clone()), - }), - ReplPasswordV1::SSHA512 { salt, hash } => Ok(Password { - material: Kdf::SSHA512(salt.0.clone(), hash.0.clone()), - }), - ReplPasswordV1::NT_MD4 { hash } => 
Ok(Password { - material: Kdf::NT_MD4(hash.0.clone()), - }), - } - } -} - -// OpenLDAP based their PBKDF2 implementation on passlib from python, that uses a -// non-standard base64 altchar set and padding that is not supported by -// anything else in the world. To manage this, we only ever encode to base64 with -// no pad but we have to remap ab64 to b64. This function allows b64 standard with -// padding to pass, and remaps ab64 to b64 standard with padding. -macro_rules! ab64_to_b64 { - ($ab64:expr) => {{ - let mut s = $ab64.replace(".", "+"); - match s.len() & 3 { - 0 => { - // Do nothing - } - 1 => { - // One is invalid, do nothing, we'll error in base64 - } - 2 => s.push_str("=="), - 3 => s.push_str("="), - _ => unreachable!(), - } - s - }}; -} - -impl TryFrom<&str> for Password { - type Error = (); - - // As we may add more algos, we keep the match algo single for later. - #[allow(clippy::single_match)] - fn try_from(value: &str) -> Result { - // There is probably a more efficient way to try this given different types? 
- - // test django - algo$salt$hash - let django_pbkdf: Vec<&str> = value.split('$').collect(); - if django_pbkdf.len() == 4 { - let algo = django_pbkdf[0]; - let cost = django_pbkdf[1]; - let salt = django_pbkdf[2]; - let hash = django_pbkdf[3]; - match algo { - "pbkdf2_sha256" => { - let c = cost.parse::().map_err(|_| ())?; - let s: Vec<_> = salt.as_bytes().to_vec(); - let h = base64::decode(hash).map_err(|_| ())?; - if h.len() < PBKDF2_MIN_NIST_KEY_LEN { - return Err(()); - } - return Ok(Password { - material: Kdf::PBKDF2(c, s, h), - }); - } - _ => {} - } - } - - if value.starts_with("ipaNTHash: ") { - let nt_md4 = match value.split_once(' ') { - Some((_, v)) => v, - None => { - unreachable!(); - } - }; - - let h = base64::decode_config(nt_md4, base64::STANDARD_NO_PAD).map_err(|_| ())?; - return Ok(Password { - material: Kdf::NT_MD4(h), - }); - } - - if value.starts_with("sambaNTPassword: ") { - let nt_md4 = match value.split_once(' ') { - Some((_, v)) => v, - None => { - unreachable!(); - } - }; - - let h = hex::decode(nt_md4).map_err(|_| ())?; - return Ok(Password { - material: Kdf::NT_MD4(h), - }); - } - - // Test 389ds formats - if let Some(ds_ssha512) = value.strip_prefix("{SSHA512}") { - let sh = base64::decode(ds_ssha512).map_err(|_| ())?; - let (h, s) = sh.split_at(DS_SSHA512_HASH_LEN); - if s.len() != DS_SSHA512_SALT_LEN { - return Err(()); - } - return Ok(Password { - material: Kdf::SSHA512(s.to_vec(), h.to_vec()), - }); - } - - // Test for OpenLDAP formats - if value.starts_with("{PBKDF2}") - || value.starts_with("{PBKDF2-SHA1}") - || value.starts_with("{PBKDF2-SHA256}") - || value.starts_with("{PBKDF2-SHA512}") - { - let ol_pbkdf2 = match value.split_once('}') { - Some((_, v)) => v, - None => { - unreachable!(); - } - }; - - let ol_pbkdf: Vec<&str> = ol_pbkdf2.split('$').collect(); - if ol_pbkdf.len() == 3 { - let cost = ol_pbkdf[0]; - let salt = ol_pbkdf[1]; - let hash = ol_pbkdf[2]; - - let c = cost.parse::().map_err(|_| ())?; - - let s = 
ab64_to_b64!(salt); - let s = base64::decode_config(s, base64::STANDARD.decode_allow_trailing_bits(true)) - .map_err(|e| { - error!(?e, "Invalid base64 in oldap pbkdf2-sha1"); - })?; - - let h = ab64_to_b64!(hash); - let h = base64::decode_config(h, base64::STANDARD.decode_allow_trailing_bits(true)) - .map_err(|e| { - error!(?e, "Invalid base64 in oldap pbkdf2-sha1"); - })?; - - // This is just sha1 in a trenchcoat. - if value.strip_prefix("{PBKDF2}").is_some() - || value.strip_prefix("{PBKDF2-SHA1}").is_some() - { - if h.len() < PBKDF2_SHA1_MIN_KEY_LEN { - return Err(()); - } - return Ok(Password { - material: Kdf::PBKDF2_SHA1(c, s, h), - }); - } - - if value.strip_prefix("{PBKDF2-SHA256}").is_some() { - if h.len() < PBKDF2_MIN_NIST_KEY_LEN { - return Err(()); - } - return Ok(Password { - material: Kdf::PBKDF2(c, s, h), - }); - } - - if value.strip_prefix("{PBKDF2-SHA512}").is_some() { - if h.len() < PBKDF2_MIN_NIST_KEY_LEN { - return Err(()); - } - return Ok(Password { - material: Kdf::PBKDF2_SHA512(c, s, h), - }); - } - - // Should be no way to get here! - unreachable!(); - } else { - warn!("oldap pbkdf2 found but invalid number of elements?"); - } - } - - // Nothing matched to this point. 
- Err(()) - } -} - -impl Password { - fn bench_pbkdf2(pbkdf2_cost: usize) -> Option { - let mut rng = rand::thread_rng(); - let salt: Vec = (0..PBKDF2_SALT_LEN).map(|_| rng.gen()).collect(); - let input: Vec = (0..PBKDF2_SALT_LEN).map(|_| rng.gen()).collect(); - // This is 512 bits of output - let mut key: Vec = (0..PBKDF2_KEY_LEN).map(|_| 0).collect(); - - let start = Instant::now(); - pbkdf2_hmac( - input.as_slice(), - salt.as_slice(), - pbkdf2_cost, - MessageDigest::sha256(), - key.as_mut_slice(), - ) - .ok()?; - let end = Instant::now(); - - end.checked_duration_since(start) - } - - fn new_pbkdf2(pbkdf2_cost: usize, cleartext: &str) -> Result { - let mut rng = rand::thread_rng(); - let salt: Vec = (0..PBKDF2_SALT_LEN).map(|_| rng.gen()).collect(); - // This is 512 bits of output - let mut key: Vec = (0..PBKDF2_KEY_LEN).map(|_| 0).collect(); - - pbkdf2_hmac( - cleartext.as_bytes(), - salt.as_slice(), - pbkdf2_cost, - MessageDigest::sha256(), - key.as_mut_slice(), - ) - .map(|()| { - // Turn key to a vec. - Kdf::PBKDF2(pbkdf2_cost, salt, key) - }) - .map_err(|_| OperationError::CryptographyError) - } - - pub fn new(policy: &CryptoPolicy, cleartext: &str) -> Result { - Self::new_pbkdf2(policy.pbkdf2_cost, cleartext).map(|material| Password { material }) - } - - pub fn verify(&self, cleartext: &str) -> Result { - match &self.material { - Kdf::PBKDF2(cost, salt, key) => { - // We have to get the number of bits to derive from our stored hash - // as some imported hash types may have variable lengths - let key_len = key.len(); - debug_assert!(key_len >= PBKDF2_MIN_NIST_KEY_LEN); - let mut chal_key: Vec = (0..key_len).map(|_| 0).collect(); - pbkdf2_hmac( - cleartext.as_bytes(), - salt.as_slice(), - *cost, - MessageDigest::sha256(), - chal_key.as_mut_slice(), - ) - .map_err(|_| OperationError::CryptographyError) - .map(|()| { - // Actually compare the outputs. 
- &chal_key == key - }) - } - Kdf::PBKDF2_SHA1(cost, salt, key) => { - let key_len = key.len(); - debug_assert!(key_len >= PBKDF2_SHA1_MIN_KEY_LEN); - let mut chal_key: Vec = (0..key_len).map(|_| 0).collect(); - pbkdf2_hmac( - cleartext.as_bytes(), - salt.as_slice(), - *cost, - MessageDigest::sha1(), - chal_key.as_mut_slice(), - ) - .map_err(|_| OperationError::CryptographyError) - .map(|()| { - // Actually compare the outputs. - &chal_key == key - }) - } - Kdf::PBKDF2_SHA512(cost, salt, key) => { - let key_len = key.len(); - debug_assert!(key_len >= PBKDF2_MIN_NIST_KEY_LEN); - let mut chal_key: Vec = (0..key_len).map(|_| 0).collect(); - pbkdf2_hmac( - cleartext.as_bytes(), - salt.as_slice(), - *cost, - MessageDigest::sha512(), - chal_key.as_mut_slice(), - ) - .map_err(|_| OperationError::CryptographyError) - .map(|()| { - // Actually compare the outputs. - &chal_key == key - }) - } - Kdf::SSHA512(salt, key) => { - let mut hasher = Sha512::new(); - hasher.update(cleartext.as_bytes()); - hasher.update(salt); - let r = hasher.finish(); - Ok(key == &(r.to_vec())) - } - Kdf::NT_MD4(key) => { - // We need to get the cleartext to utf16le for reasons. 
- let clear_utf16le: Vec = cleartext - .encode_utf16() - .map(|c| c.to_le_bytes()) - .flat_map(|i| i.into_iter()) - .collect(); - - let dgst = MessageDigest::from_nid(Nid::MD4).ok_or_else(|| { - error!("Unable to access MD4 - fips mode may be enabled, or you may need to activate the legacy provider."); - error!("For more details, see https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers"); - OperationError::CryptographyError - })?; - - hash::hash(dgst, &clear_utf16le) - .map_err(|e| { - debug!(?e); - error!("Unable to digest MD4 - fips mode may be enabled, or you may need to activate the legacy provider."); - error!("For more details, see https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers"); - OperationError::CryptographyError - }) - .map(|chal_key| chal_key.as_ref() == key) - } - } - } - - pub fn to_dbpasswordv1(&self) -> DbPasswordV1 { - match &self.material { - Kdf::PBKDF2(cost, salt, hash) => { - DbPasswordV1::PBKDF2(*cost, salt.clone(), hash.clone()) - } - Kdf::PBKDF2_SHA1(cost, salt, hash) => { - DbPasswordV1::PBKDF2_SHA1(*cost, salt.clone(), hash.clone()) - } - Kdf::PBKDF2_SHA512(cost, salt, hash) => { - DbPasswordV1::PBKDF2_SHA512(*cost, salt.clone(), hash.clone()) - } - Kdf::SSHA512(salt, hash) => DbPasswordV1::SSHA512(salt.clone(), hash.clone()), - Kdf::NT_MD4(hash) => DbPasswordV1::NT_MD4(hash.clone()), - } - } - - pub fn to_repl_v1(&self) -> ReplPasswordV1 { - match &self.material { - Kdf::PBKDF2(cost, salt, hash) => ReplPasswordV1::PBKDF2 { - cost: *cost, - salt: salt.clone().into(), - hash: hash.clone().into(), - }, - Kdf::PBKDF2_SHA1(cost, salt, hash) => ReplPasswordV1::PBKDF2_SHA1 { - cost: *cost, - salt: salt.clone().into(), - hash: hash.clone().into(), - }, - Kdf::PBKDF2_SHA512(cost, salt, hash) => ReplPasswordV1::PBKDF2_SHA512 { - cost: *cost, - salt: salt.clone().into(), - hash: hash.clone().into(), - }, - Kdf::SSHA512(salt, hash) => ReplPasswordV1::SSHA512 { - salt: salt.clone().into(), - hash: hash.clone().into(), - }, - 
Kdf::NT_MD4(hash) => ReplPasswordV1::NT_MD4 { - hash: hash.clone().into(), - }, - } - } - - pub fn requires_upgrade(&self) -> bool { - match &self.material { - Kdf::PBKDF2_SHA512(cost, salt, hash) | Kdf::PBKDF2(cost, salt, hash) => { - *cost < PBKDF2_MIN_NIST_COST - || salt.len() < PBKDF2_MIN_NIST_SALT_LEN - || hash.len() < PBKDF2_MIN_NIST_KEY_LEN - } - Kdf::PBKDF2_SHA1(_, _, _) | Kdf::SSHA512(_, _) | Kdf::NT_MD4(_) => true, - } - } -} +pub use kanidm_lib_crypto::Password; #[derive(Clone, Debug, PartialEq, Eq)] pub struct BackupCodes { 
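Review bot: `pub use kanidm_lib_crypto::Password;` stands in for the `Password`/`Kdf` implementation removed here, but the removed code also carried `requires_upgrade`, the `TryFrom<&ReplPasswordV1>`/`to_repl_v1` replication conversions and the legacy import parser (django `pbkdf2_sha256`, 389ds `{SSHA512}`, OpenLDAP `{PBKDF2-*}`, `ipaNTHash`, `sambaNTPassword`), and the first hunk of this file drops `pub const PBKDF2_MIN_NIST_COST` and the `ReplPasswordV1` import; none of these reappear in this chunk, so their new home is presumably the new crate and is worth confirming, including that the replication round-trip still compiles. The `#[cfg(test)]` module deleted in the last hunk of this file is the known-answer coverage for each imported hash format and for the `requires_upgrade` expectations on weak hashes; those tests should move with the parser rather than be dropped, since they are the only regression check that legacy hashes still verify and are flagged for upgrade. A short note at the re-export, `// Password, Kdf and the legacy-hash importers now live in kanidm_lib_crypto`, would point readers to the new location.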
@@ -1359,158 +905,3 @@ impl CredentialType { } } } - -#[cfg(test)] -mod tests { - use std::convert::TryFrom; - - use crate::credential::policy::CryptoPolicy; - use crate::credential::*; - - #[test] - fn test_credential_simple() { - let p = CryptoPolicy::minimum(); - let c = Credential::new_password_only(&p, "password").unwrap(); - assert!(c.verify_password("password").unwrap()); - assert!(!c.verify_password("password1").unwrap()); - assert!(!c.verify_password("Password1").unwrap()); - assert!(!c.verify_password("It Works!").unwrap()); - assert!(!c.verify_password("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa").unwrap()); - } - - #[test] - fn test_password_from_invalid() { - assert!(Password::try_from("password").is_err()) - } - - #[test] - fn test_password_from_django_pbkdf2_sha256() { - let im_pw = "pbkdf2_sha256$36000$xIEozuZVAoYm$uW1b35DUKyhvQAf1mBqMvoBDcqSD06juzyO/nmyV0+w="; - let password = "eicieY7ahchaoCh0eeTa"; - let r = Password::try_from(im_pw).expect("Failed to parse"); - assert!(r.verify(password).unwrap_or(false)); - } - - #[test] - fn test_password_from_ds_ssha512() { - let im_pw = "{SSHA512}JwrSUHkI7FTAfHRVR6KoFlSN0E3dmaQWARjZ+/UsShYlENOqDtFVU77HJLLrY2MuSp0jve52+pwtdVl2QUAHukQ0XUf5LDtM"; - let password = "password"; - let r = Password::try_from(im_pw).expect("Failed to parse"); - // Known weak, require upgrade. 
- assert!(r.requires_upgrade()); - assert!(r.verify(password).unwrap_or(false)); - } - - // Can be generated with: - // slappasswd -s password -o module-load=/usr/lib64/openldap/pw-argon2.so -h {ARGON2} - - #[test] - fn test_password_from_openldap_pkbdf2() { - let im_pw = "{PBKDF2}10000$IlfapjA351LuDSwYC0IQ8Q$saHqQTuYnjJN/tmAndT.8mJt.6w"; - let password = "password"; - let r = Password::try_from(im_pw).expect("Failed to parse"); - assert!(r.requires_upgrade()); - assert!(r.verify(password).unwrap_or(false)); - } - - #[test] - fn test_password_from_openldap_pkbdf2_sha1() { - let im_pw = "{PBKDF2-SHA1}10000$ZBEH6B07rgQpJSikyvMU2w$TAA03a5IYkz1QlPsbJKvUsTqNV"; - let password = "password"; - let r = Password::try_from(im_pw).expect("Failed to parse"); - assert!(r.requires_upgrade()); - assert!(r.verify(password).unwrap_or(false)); - } - - #[test] - fn test_password_from_openldap_pkbdf2_sha256() { - let im_pw = "{PBKDF2-SHA256}10000$henZGfPWw79Cs8ORDeVNrQ$1dTJy73v6n3bnTmTZFghxHXHLsAzKaAy8SksDfZBPIw"; - let password = "password"; - let r = Password::try_from(im_pw).expect("Failed to parse"); - assert!(!r.requires_upgrade()); - assert!(r.verify(password).unwrap_or(false)); - } - - #[test] - fn test_password_from_openldap_pkbdf2_sha512() { - let im_pw = "{PBKDF2-SHA512}10000$Je1Uw19Bfv5lArzZ6V3EPw$g4T/1sqBUYWl9o93MVnyQ/8zKGSkPbKaXXsT8WmysXQJhWy8MRP2JFudSL.N9RklQYgDPxPjnfum/F2f/TrppA"; - let password = "password"; - let r = Password::try_from(im_pw).expect("Failed to parse"); - assert!(!r.requires_upgrade()); - assert!(r.verify(password).unwrap_or(false)); - } - - /* - // Not supported in openssl, may need an external crate. 
- #[test] - fn test_password_from_openldap_argon2() { - let im_pw = "{ARGON2}$argon2id$v=19$m=65536,t=2,p=1$IyTQMsvzB2JHDiWx8fq7Ew$VhYOA7AL0kbRXI5g2kOyyp8St1epkNj7WZyUY4pAIQQ" - let password = "password"; - let r = Password::try_from(im_pw).expect("Failed to parse"); - assert!(r.requires_upgrade()); - assert!(r.verify(password).unwrap_or(false)); - } - */ - - /* - * wbrown - 20221104 - I tried to programmatically enable the legacy provider, but - * it consistently "did nothing at all", meaning we have to rely on users to enable - * this for this test. - */ - - /* - #[cfg(openssl3)] - fn setup_openssl_legacy_provider() -> openssl::lib_ctx::LibCtx { - let ctx = openssl::lib_ctx::LibCtx::new() - .expect("Failed to create new library context"); - - openssl::provider::Provider::load(Some(&ctx), "legacy") - .expect("Failed to setup provider."); - - eprintln!("setup legacy provider maybe??"); - - ctx - } - */ - - #[test] - fn test_password_from_ipa_nt_hash() { - sketching::test_init(); - // Base64 no pad - let im_pw = "ipaNTHash: iEb36u6PsRetBr3YMLdYbA"; - let password = "password"; - let r = Password::try_from(im_pw).expect("Failed to parse"); - assert!(r.requires_upgrade()); - - match r.verify(password) { - Ok(r) => assert!(r), - Err(_) => { - if cfg!(openssl3) { - warn!("To run this test, enable the legacy provider."); - } else { - assert!(false); - } - } - } - } - - #[test] - fn test_password_from_samba_nt_hash() { - sketching::test_init(); - // Base64 no pad - let im_pw = "sambaNTPassword: 8846F7EAEE8FB117AD06BDD830B7586C"; - let password = "password"; - let r = Password::try_from(im_pw).expect("Failed to parse"); - assert!(r.requires_upgrade()); - match r.verify(password) { - Ok(r) => assert!(r), - Err(_) => { - if cfg!(openssl3) { - warn!("To run this test, enable the legacy provider."); - } else { - assert!(false); - } - } - } - } -} 
diff --git a/kanidmd/lib/src/credential/softlock.rs b/server/lib/src/credential/softlock.rs
similarity index 100%
rename from kanidmd/lib/src/credential/softlock.rs
rename to server/lib/src/credential/softlock.rs
diff --git a/kanidmd/lib/src/credential/totp.rs b/server/lib/src/credential/totp.rs
similarity index 100%
rename from kanidmd/lib/src/credential/totp.rs
rename to server/lib/src/credential/totp.rs
diff --git a/kanidmd/lib/src/entry.rs b/server/lib/src/entry.rs
similarity index 100%
rename from kanidmd/lib/src/entry.rs
rename to server/lib/src/entry.rs
diff --git a/kanidmd/lib/src/event.rs b/server/lib/src/event.rs
similarity index 100%
rename from kanidmd/lib/src/event.rs
rename to server/lib/src/event.rs
diff --git a/kanidmd/lib/src/filter.rs b/server/lib/src/filter.rs
similarity index 100%
rename from kanidmd/lib/src/filter.rs
rename to server/lib/src/filter.rs
diff --git a/kanidmd/lib/src/idm/account.rs b/server/lib/src/idm/account.rs
similarity index 99%
rename from kanidmd/lib/src/idm/account.rs
rename to server/lib/src/idm/account.rs
index 8047824f0..9033f38e4 100644
--- a/kanidmd/lib/src/idm/account.rs
+++ b/server/lib/src/idm/account.rs
@@ -12,7 +12,6 @@ use webauthn_rs::prelude::{
 }; use crate::constants::UUID_ANONYMOUS;
-use crate::credential::policy::CryptoPolicy;
 use crate::credential::softlock::CredSoftLockPolicy; use crate::credential::Credential; use crate::entry::{Entry, EntryCommitted, EntryReduced, EntrySealed};
@@ -23,6 +22,7 @@ use crate::modify::{ModifyInvalid, ModifyList};
 use crate::prelude::*; use crate::schema::SchemaTransaction; use crate::value::{IntentTokenState, PartialValue, Value};
+use kanidm_lib_crypto::CryptoPolicy;
 macro_rules! try_from_entry { ($value:expr, $groups:expr) => {{
diff --git a/kanidmd/lib/src/idm/applinks.rs b/server/lib/src/idm/applinks.rs
similarity index 100%
rename from kanidmd/lib/src/idm/applinks.rs
rename to server/lib/src/idm/applinks.rs
diff --git a/kanidmd/lib/src/idm/authsession.rs b/server/lib/src/idm/authsession.rs
similarity index 99%
rename from kanidmd/lib/src/idm/authsession.rs
rename to server/lib/src/idm/authsession.rs
index cd2e6ee21..97398432d 100644
--- a/kanidmd/lib/src/idm/authsession.rs
+++ b/server/lib/src/idm/authsession.rs
@@ -1000,7 +1000,6 @@ mod tests {
 use webauthn_authenticator_rs::softpasskey::SoftPasskey; use webauthn_authenticator_rs::WebauthnAuthenticator;
- use crate::credential::policy::CryptoPolicy;
 use crate::credential::totp::{Totp, TOTP_DEFAULT_STEP}; use crate::credential::{BackupCodes, Credential}; use crate::idm::authsession::{
@@ -1011,6 +1010,7 @@ mod tests {
 use crate::idm::AuthState; use crate::prelude::*; use crate::utils::{duration_from_epoch_now, readable_password_from_random};
+ use kanidm_lib_crypto::CryptoPolicy;
 fn create_pw_badlist_cache() -> HashSet { let mut s = HashSet::new();
diff --git a/kanidmd/lib/src/idm/credupdatesession.rs b/server/lib/src/idm/credupdatesession.rs
similarity index 100%
rename from kanidmd/lib/src/idm/credupdatesession.rs
rename to server/lib/src/idm/credupdatesession.rs
diff --git a/kanidmd/lib/src/idm/delayed.rs b/server/lib/src/idm/delayed.rs
similarity index 100%
rename from kanidmd/lib/src/idm/delayed.rs
rename to server/lib/src/idm/delayed.rs
diff --git a/kanidmd/lib/src/idm/event.rs b/server/lib/src/idm/event.rs
similarity index 100%
rename from kanidmd/lib/src/idm/event.rs
rename to server/lib/src/idm/event.rs
diff --git a/kanidmd/lib/src/idm/group.rs b/server/lib/src/idm/group.rs
similarity index 100%
rename from kanidmd/lib/src/idm/group.rs
rename to server/lib/src/idm/group.rs
diff --git a/kanidmd/lib/src/idm/ldap.rs b/server/lib/src/idm/ldap.rs
similarity index 100%
rename from kanidmd/lib/src/idm/ldap.rs
rename to server/lib/src/idm/ldap.rs
diff --git a/kanidmd/lib/src/idm/mod.rs b/server/lib/src/idm/mod.rs
similarity index 100%
rename from kanidmd/lib/src/idm/mod.rs
rename to server/lib/src/idm/mod.rs
diff --git a/kanidmd/lib/src/idm/oauth2.rs b/server/lib/src/idm/oauth2.rs
similarity index 100%
rename from kanidmd/lib/src/idm/oauth2.rs
rename to server/lib/src/idm/oauth2.rs
diff --git a/kanidmd/lib/src/idm/radius.rs b/server/lib/src/idm/radius.rs
similarity index 100%
rename from kanidmd/lib/src/idm/radius.rs
rename to server/lib/src/idm/radius.rs
diff --git a/kanidmd/lib/src/idm/reauth.rs b/server/lib/src/idm/reauth.rs
similarity index 100%
rename from kanidmd/lib/src/idm/reauth.rs
rename to server/lib/src/idm/reauth.rs
diff --git a/kanidmd/lib/src/idm/scim.rs b/server/lib/src/idm/scim.rs
similarity index 100%
rename from kanidmd/lib/src/idm/scim.rs
rename to server/lib/src/idm/scim.rs
diff --git a/kanidmd/lib/src/idm/server.rs b/server/lib/src/idm/server.rs
similarity index 99%
rename from kanidmd/lib/src/idm/server.rs
rename to server/lib/src/idm/server.rs
index 2ee381bd6..b1164cef2 100644
--- a/kanidmd/lib/src/idm/server.rs
+++ b/server/lib/src/idm/server.rs
@@ -3,6 +3,8 @@ use std::str::FromStr;
 use std::sync::Arc; use std::time::Duration;
+use kanidm_lib_crypto::CryptoPolicy;
+
 use async_std::task; use compact_jwt::{Jws, JwsSigner, JwsUnverified, JwsValidator}; use concread::bptree::{BptreeMap, BptreeMapReadTxn, BptreeMapWriteTxn};
@@ -26,7 +28,6 @@ use webauthn_rs::prelude::{Webauthn, WebauthnBuilder};
 use super::event::ReadBackupCodeEvent; use super::ldap::{LdapBoundToken, LdapSession};
-use crate::credential::policy::CryptoPolicy;
 use crate::credential::softlock::CredSoftLock; use crate::idm::account::Account; use crate::idm::authsession::AuthSession;
@@ -2262,7 +2263,6 @@ mod tests {
 use time::OffsetDateTime; use uuid::Uuid;
- use crate::credential::policy::CryptoPolicy;
 use crate::credential::{Credential, Password}; use crate::idm::account::DestroySessionTokenEvent; use crate::idm::delayed::{AuthSessionRecord, DelayedAction};
@@ -2276,6 +2276,7 @@ mod tests {
     use crate::modify::{Modify, ModifyList};
     use crate::prelude::*;
     use crate::utils::duration_from_epoch_now;
+    use kanidm_lib_crypto::CryptoPolicy;
 
     const TEST_PASSWORD: &str = "ntaoeuntnaoeuhraohuercahu😍";
     const TEST_PASSWORD_INC: &str = "ntaoentu nkrcgaeunhibwmwmqj;k wqjbkx ";
diff --git a/kanidmd/lib/src/idm/serviceaccount.rs b/server/lib/src/idm/serviceaccount.rs
similarity index 100%
rename from kanidmd/lib/src/idm/serviceaccount.rs
rename to server/lib/src/idm/serviceaccount.rs
diff --git a/kanidmd/lib/src/idm/unix.rs b/server/lib/src/idm/unix.rs
similarity index 99%
rename from kanidmd/lib/src/idm/unix.rs
rename to server/lib/src/idm/unix.rs
index be00393dc..e21668d40 100644
--- a/kanidmd/lib/src/idm/unix.rs
+++ b/server/lib/src/idm/unix.rs
@@ -7,7 +7,8 @@ use time::OffsetDateTime;
 use tokio::sync::mpsc::UnboundedSender as Sender;
 use uuid::Uuid;
 
-use crate::credential::policy::CryptoPolicy;
+use kanidm_lib_crypto::CryptoPolicy;
+
 use crate::credential::softlock::CredSoftLockPolicy;
 use crate::credential::Credential;
 use crate::idm::delayed::{DelayedAction, UnixPasswordUpgrade};
diff --git a/kanidmd/lib/src/lib.rs b/server/lib/src/lib.rs
similarity index 100%
rename from kanidmd/lib/src/lib.rs
rename to server/lib/src/lib.rs
diff --git a/kanidmd/lib/src/macros.rs b/server/lib/src/macros.rs
similarity index 100%
rename from kanidmd/lib/src/macros.rs
rename to server/lib/src/macros.rs
diff --git a/kanidmd/lib/src/modify.rs b/server/lib/src/modify.rs
similarity index 100%
rename from kanidmd/lib/src/modify.rs
rename to server/lib/src/modify.rs
diff --git a/kanidmd/lib/src/plugins/access.rs b/server/lib/src/plugins/access.rs
similarity index 100%
rename from kanidmd/lib/src/plugins/access.rs
rename to server/lib/src/plugins/access.rs
diff --git a/kanidmd/lib/src/plugins/attrunique.rs b/server/lib/src/plugins/attrunique.rs
similarity index 100%
rename from kanidmd/lib/src/plugins/attrunique.rs
rename to server/lib/src/plugins/attrunique.rs
diff --git a/kanidmd/lib/src/plugins/base.rs b/server/lib/src/plugins/base.rs
similarity index 100%
rename from kanidmd/lib/src/plugins/base.rs
rename to server/lib/src/plugins/base.rs
diff --git a/kanidmd/lib/src/plugins/cred_import.rs b/server/lib/src/plugins/cred_import.rs
similarity index 99%
rename from kanidmd/lib/src/plugins/cred_import.rs
rename to server/lib/src/plugins/cred_import.rs
index 820ebd7ee..18e34376b 100644
--- a/kanidmd/lib/src/plugins/cred_import.rs
+++ b/server/lib/src/plugins/cred_import.rs
@@ -126,10 +126,10 @@ impl CredImport {
 
 #[cfg(test)]
 mod tests {
-    use crate::credential::policy::CryptoPolicy;
     use crate::credential::totp::{Totp, TOTP_DEFAULT_STEP};
     use crate::credential::{Credential, CredentialType};
     use crate::prelude::*;
+    use kanidm_lib_crypto::CryptoPolicy;
     use kanidm_proto::v1::PluginError;
 
     const IMPORT_HASH: &str =
diff --git a/kanidmd/lib/src/plugins/domain.rs b/server/lib/src/plugins/domain.rs
similarity index 100%
rename from kanidmd/lib/src/plugins/domain.rs
rename to server/lib/src/plugins/domain.rs
diff --git a/kanidmd/lib/src/plugins/dyngroup.rs b/server/lib/src/plugins/dyngroup.rs
similarity index 100%
rename from kanidmd/lib/src/plugins/dyngroup.rs
rename to server/lib/src/plugins/dyngroup.rs
diff --git a/kanidmd/lib/src/plugins/gidnumber.rs b/server/lib/src/plugins/gidnumber.rs
similarity index 100%
rename from kanidmd/lib/src/plugins/gidnumber.rs
rename to server/lib/src/plugins/gidnumber.rs
diff --git a/kanidmd/lib/src/plugins/jwskeygen.rs b/server/lib/src/plugins/jwskeygen.rs
similarity index 100%
rename from kanidmd/lib/src/plugins/jwskeygen.rs
rename to server/lib/src/plugins/jwskeygen.rs
diff --git a/kanidmd/lib/src/plugins/memberof.rs b/server/lib/src/plugins/memberof.rs
similarity index 100%
rename from kanidmd/lib/src/plugins/memberof.rs
rename to server/lib/src/plugins/memberof.rs
diff --git a/kanidmd/lib/src/plugins/mod.rs b/server/lib/src/plugins/mod.rs
similarity index 100%
rename from kanidmd/lib/src/plugins/mod.rs
rename to server/lib/src/plugins/mod.rs
diff --git a/kanidmd/lib/src/plugins/protected.rs b/server/lib/src/plugins/protected.rs
similarity index 100%
rename from kanidmd/lib/src/plugins/protected.rs
rename to server/lib/src/plugins/protected.rs
diff --git a/kanidmd/lib/src/plugins/refint.rs b/server/lib/src/plugins/refint.rs
similarity index 99%
rename from kanidmd/lib/src/plugins/refint.rs
rename to server/lib/src/plugins/refint.rs
index f26e561c1..1fd331170 100644
--- a/kanidmd/lib/src/plugins/refint.rs
+++ b/server/lib/src/plugins/refint.rs
@@ -260,8 +260,8 @@ mod tests {
     use time::OffsetDateTime;
     use uuid::uuid;
 
-    use crate::credential::policy::CryptoPolicy;
     use crate::credential::Credential;
+    use kanidm_lib_crypto::CryptoPolicy;
 
     // The create references a uuid that doesn't exist - reject
     #[test]
diff --git a/kanidmd/lib/src/plugins/session.rs b/server/lib/src/plugins/session.rs
similarity index 99%
rename from kanidmd/lib/src/plugins/session.rs
rename to server/lib/src/plugins/session.rs
index bff5e9379..1d54bd51a 100644
--- a/kanidmd/lib/src/plugins/session.rs
+++ b/server/lib/src/plugins/session.rs
@@ -153,8 +153,8 @@ mod tests {
     use time::OffsetDateTime;
     use uuid::uuid;
 
-    use crate::credential::policy::CryptoPolicy;
     use crate::credential::Credential;
+    use kanidm_lib_crypto::CryptoPolicy;
 
     // Test expiry of old sessions
diff --git a/kanidmd/lib/src/plugins/spn.rs b/server/lib/src/plugins/spn.rs
similarity index 100%
rename from kanidmd/lib/src/plugins/spn.rs
rename to server/lib/src/plugins/spn.rs
diff --git a/kanidmd/lib/src/repl/cid.rs b/server/lib/src/repl/cid.rs
similarity index 100%
rename from kanidmd/lib/src/repl/cid.rs
rename to server/lib/src/repl/cid.rs
diff --git a/kanidmd/lib/src/repl/consumer.rs b/server/lib/src/repl/consumer.rs
similarity index 100%
rename from kanidmd/lib/src/repl/consumer.rs
rename to server/lib/src/repl/consumer.rs
diff --git a/kanidmd/lib/src/repl/entry-changelog.rs b/server/lib/src/repl/entry-changelog.rs
similarity index 100%
rename from kanidmd/lib/src/repl/entry-changelog.rs
rename to server/lib/src/repl/entry-changelog.rs
diff --git a/kanidmd/lib/src/repl/entry.rs b/server/lib/src/repl/entry.rs
similarity index 100%
rename from kanidmd/lib/src/repl/entry.rs
rename to server/lib/src/repl/entry.rs
diff --git a/kanidmd/lib/src/repl/mod.rs b/server/lib/src/repl/mod.rs
similarity index 100%
rename from kanidmd/lib/src/repl/mod.rs
rename to server/lib/src/repl/mod.rs
diff --git a/kanidmd/lib/src/repl/proto.rs b/server/lib/src/repl/proto.rs
similarity index 95%
rename from kanidmd/lib/src/repl/proto.rs
rename to server/lib/src/repl/proto.rs
index 9c9ae7fa2..249cf886d 100644
--- a/kanidmd/lib/src/repl/proto.rs
+++ b/server/lib/src/repl/proto.rs
@@ -13,6 +13,9 @@ use webauthn_rs::prelude::{
     DeviceKey as DeviceKeyV4, Passkey as PasskeyV4, SecurityKey as SecurityKeyV4,
 };
 
+// Re-export this for our own usage.
+pub use kanidm_lib_crypto::ReplPasswordV1;
+
 #[derive(Serialize, Deserialize, Debug, PartialEq, Eq)]
 pub struct ReplCidV1 {
     #[serde(rename = "t")]
@@ -80,33 +83,6 @@ pub struct ReplTotpV1 {
     pub digits: u8,
 }
 
-#[derive(Serialize, Deserialize, Debug, PartialEq, Eq)]
-#[allow(non_camel_case_types)]
-pub enum ReplPasswordV1 {
-    PBKDF2 {
-        cost: usize,
-        salt: Base64UrlSafeData,
-        hash: Base64UrlSafeData,
-    },
-    PBKDF2_SHA1 {
-        cost: usize,
-        salt: Base64UrlSafeData,
-        hash: Base64UrlSafeData,
-    },
-    PBKDF2_SHA512 {
-        cost: usize,
-        salt: Base64UrlSafeData,
-        hash: Base64UrlSafeData,
-    },
-    SSHA512 {
-        salt: Base64UrlSafeData,
-        hash: Base64UrlSafeData,
-    },
-    NT_MD4 {
-        hash: Base64UrlSafeData,
-    },
-}
-
 #[derive(Serialize, Deserialize, Debug, PartialEq, Eq)]
 pub struct ReplBackupCodeV1 {
     pub codes: BTreeSet,
diff --git a/kanidmd/lib/src/repl/ruv.rs b/server/lib/src/repl/ruv.rs
similarity index 100%
rename from kanidmd/lib/src/repl/ruv.rs
rename to server/lib/src/repl/ruv.rs
diff --git a/kanidmd/lib/src/repl/supplier.rs b/server/lib/src/repl/supplier.rs
similarity index 100%
rename from kanidmd/lib/src/repl/supplier.rs
rename to server/lib/src/repl/supplier.rs
diff --git a/kanidmd/lib/src/repl/tests.rs b/server/lib/src/repl/tests.rs
similarity index 100%
rename from kanidmd/lib/src/repl/tests.rs
rename to server/lib/src/repl/tests.rs
diff --git a/kanidmd/lib/src/schema.rs b/server/lib/src/schema.rs
similarity index 100%
rename from kanidmd/lib/src/schema.rs
rename to server/lib/src/schema.rs
diff --git a/kanidmd/lib/src/server/access/create.rs b/server/lib/src/server/access/create.rs
similarity index 100%
rename from kanidmd/lib/src/server/access/create.rs
rename to server/lib/src/server/access/create.rs
diff --git a/kanidmd/lib/src/server/access/delete.rs b/server/lib/src/server/access/delete.rs
similarity index 100%
rename from kanidmd/lib/src/server/access/delete.rs
rename to server/lib/src/server/access/delete.rs
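Review bot: Deleting `ReplPasswordV1` here and re-exporting it from `kanidm_lib_crypto` relocates a replication wire type, and nothing in this diff pins the serde shape of the replacement: the variant names `PBKDF2`, `PBKDF2_SHA1`, `PBKDF2_SHA512`, `SSHA512`, `NT_MD4`, the `cost`/`salt`/`hash` field names, the `#[allow(non_camel_case_types)]` spelling and the `Base64UrlSafeData` encoding all have to be reproduced exactly, or replicas on either side of this change stop being able to decode each other's password credentials. The new definition is outside this diff, so I would ask for a fixture test in the crypto crate that serializes each variant with a fixed salt and hash and asserts the output against strings captured from the pre-move type, so the format is locked independently of where the enum lives. With the enum gone, `Base64UrlSafeData` may now be unused in this file unless `ReplTotpV1` or another remaining type still needs it — worth a compile with warnings on. The re-export comment in the earlier hunk could also state its purpose rather than "our own usage": `// Re-exported so existing crate::repl::proto::ReplPasswordV1 paths keep resolving after the move to kanidm_lib_crypto.`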
diff --git a/kanidmd/lib/src/server/access/mod.rs b/server/lib/src/server/access/mod.rs
similarity index 100%
rename from kanidmd/lib/src/server/access/mod.rs
rename to server/lib/src/server/access/mod.rs
diff --git a/kanidmd/lib/src/server/access/modify.rs b/server/lib/src/server/access/modify.rs
similarity index 100%
rename from kanidmd/lib/src/server/access/modify.rs
rename to server/lib/src/server/access/modify.rs
diff --git a/kanidmd/lib/src/server/access/profiles.rs b/server/lib/src/server/access/profiles.rs
similarity index 100%
rename from kanidmd/lib/src/server/access/profiles.rs
rename to server/lib/src/server/access/profiles.rs
diff --git a/kanidmd/lib/src/server/access/search.rs b/server/lib/src/server/access/search.rs
similarity index 100%
rename from kanidmd/lib/src/server/access/search.rs
rename to server/lib/src/server/access/search.rs
diff --git a/kanidmd/lib/src/server/batch_modify.rs b/server/lib/src/server/batch_modify.rs
similarity index 100%
rename from kanidmd/lib/src/server/batch_modify.rs
rename to server/lib/src/server/batch_modify.rs
diff --git a/kanidmd/lib/src/server/create.rs b/server/lib/src/server/create.rs
similarity index 100%
rename from kanidmd/lib/src/server/create.rs
rename to server/lib/src/server/create.rs
diff --git a/kanidmd/lib/src/server/delete.rs b/server/lib/src/server/delete.rs
similarity index 100%
rename from kanidmd/lib/src/server/delete.rs
rename to server/lib/src/server/delete.rs
diff --git a/kanidmd/lib/src/server/identity.rs b/server/lib/src/server/identity.rs
similarity index 100%
rename from kanidmd/lib/src/server/identity.rs
rename to server/lib/src/server/identity.rs
diff --git a/kanidmd/lib/src/server/migrations.rs b/server/lib/src/server/migrations.rs
similarity index 100%
rename from kanidmd/lib/src/server/migrations.rs
rename to server/lib/src/server/migrations.rs
diff --git a/kanidmd/lib/src/server/mod.rs b/server/lib/src/server/mod.rs
similarity index 100%
rename from kanidmd/lib/src/server/mod.rs
rename to server/lib/src/server/mod.rs
diff --git a/kanidmd/lib/src/server/modify.rs b/server/lib/src/server/modify.rs
similarity index 99%
rename from kanidmd/lib/src/server/modify.rs
rename to server/lib/src/server/modify.rs
index 8c1daa9b5..1a0c9f2fe 100644
--- a/kanidmd/lib/src/server/modify.rs
+++ b/server/lib/src/server/modify.rs
@@ -466,9 +466,9 @@ impl<'a> QueryServerWriteTransaction<'a> {
 
 #[cfg(test)]
 mod tests {
-    use crate::credential::policy::CryptoPolicy;
     use crate::credential::Credential;
     use crate::prelude::*;
+    use kanidm_lib_crypto::CryptoPolicy;
 
     #[qs_test]
     async fn test_modify(server: &QueryServer) {
diff --git a/kanidmd/lib/src/server/recycle.rs b/server/lib/src/server/recycle.rs
similarity index 100%
rename from kanidmd/lib/src/server/recycle.rs
rename to server/lib/src/server/recycle.rs
diff --git a/kanidmd/lib/src/status.rs b/server/lib/src/status.rs
similarity index 100%
rename from kanidmd/lib/src/status.rs
rename to server/lib/src/status.rs
diff --git a/kanidmd/lib/src/testkit.rs b/server/lib/src/testkit.rs
similarity index 100%
rename from kanidmd/lib/src/testkit.rs
rename to server/lib/src/testkit.rs
diff --git a/kanidmd/lib/src/utils.rs b/server/lib/src/utils.rs
similarity index 100%
rename from kanidmd/lib/src/utils.rs
rename to server/lib/src/utils.rs
diff --git a/kanidmd/lib/src/value.rs b/server/lib/src/value.rs
similarity index 100%
rename from kanidmd/lib/src/value.rs
rename to server/lib/src/value.rs
diff --git a/kanidmd/lib/src/valueset/address.rs b/server/lib/src/valueset/address.rs
similarity index 100%
rename from kanidmd/lib/src/valueset/address.rs
rename to server/lib/src/valueset/address.rs
diff --git a/kanidmd/lib/src/valueset/binary.rs b/server/lib/src/valueset/binary.rs
similarity index 100%
rename from kanidmd/lib/src/valueset/binary.rs
rename to server/lib/src/valueset/binary.rs
diff --git a/kanidmd/lib/src/valueset/bool.rs b/server/lib/src/valueset/bool.rs
similarity index 100%
rename from kanidmd/lib/src/valueset/bool.rs
rename to server/lib/src/valueset/bool.rs
diff --git a/kanidmd/lib/src/valueset/cid.rs b/server/lib/src/valueset/cid.rs
similarity index 100%
rename from kanidmd/lib/src/valueset/cid.rs
rename to server/lib/src/valueset/cid.rs
diff --git a/kanidmd/lib/src/valueset/cred.rs b/server/lib/src/valueset/cred.rs
similarity index 100%
rename from kanidmd/lib/src/valueset/cred.rs
rename to server/lib/src/valueset/cred.rs
diff --git a/kanidmd/lib/src/valueset/datetime.rs b/server/lib/src/valueset/datetime.rs
similarity index 100%
rename from kanidmd/lib/src/valueset/datetime.rs
rename to server/lib/src/valueset/datetime.rs
diff --git a/kanidmd/lib/src/valueset/iname.rs b/server/lib/src/valueset/iname.rs
similarity index 100%
rename from kanidmd/lib/src/valueset/iname.rs
rename to server/lib/src/valueset/iname.rs
diff --git a/kanidmd/lib/src/valueset/index.rs b/server/lib/src/valueset/index.rs
similarity index 100%
rename from kanidmd/lib/src/valueset/index.rs
rename to server/lib/src/valueset/index.rs
diff --git a/kanidmd/lib/src/valueset/iutf8.rs b/server/lib/src/valueset/iutf8.rs
similarity index 100%
rename from kanidmd/lib/src/valueset/iutf8.rs
rename to server/lib/src/valueset/iutf8.rs
diff --git a/kanidmd/lib/src/valueset/json.rs b/server/lib/src/valueset/json.rs
similarity index 100%
rename from kanidmd/lib/src/valueset/json.rs
rename to server/lib/src/valueset/json.rs
diff --git a/kanidmd/lib/src/valueset/jws.rs b/server/lib/src/valueset/jws.rs
similarity index 100%
rename from kanidmd/lib/src/valueset/jws.rs
rename to server/lib/src/valueset/jws.rs
diff --git a/kanidmd/lib/src/valueset/mod.rs b/server/lib/src/valueset/mod.rs
similarity index 100%
rename from kanidmd/lib/src/valueset/mod.rs
rename to server/lib/src/valueset/mod.rs
diff --git a/kanidmd/lib/src/valueset/nsuniqueid.rs b/server/lib/src/valueset/nsuniqueid.rs
similarity index 100%
rename from kanidmd/lib/src/valueset/nsuniqueid.rs
rename to server/lib/src/valueset/nsuniqueid.rs
diff --git a/kanidmd/lib/src/valueset/oauth.rs b/server/lib/src/valueset/oauth.rs
similarity index 100%
rename from kanidmd/lib/src/valueset/oauth.rs
rename to server/lib/src/valueset/oauth.rs
diff --git a/kanidmd/lib/src/valueset/restricted.rs b/server/lib/src/valueset/restricted.rs
similarity index 100%
rename from kanidmd/lib/src/valueset/restricted.rs
rename to server/lib/src/valueset/restricted.rs
diff --git a/kanidmd/lib/src/valueset/secret.rs b/server/lib/src/valueset/secret.rs
similarity index 100%
rename from kanidmd/lib/src/valueset/secret.rs
rename to server/lib/src/valueset/secret.rs
diff --git a/kanidmd/lib/src/valueset/session.rs b/server/lib/src/valueset/session.rs
similarity index 100%
rename from kanidmd/lib/src/valueset/session.rs
rename to server/lib/src/valueset/session.rs
diff --git a/kanidmd/lib/src/valueset/spn.rs b/server/lib/src/valueset/spn.rs
similarity index 100%
rename from kanidmd/lib/src/valueset/spn.rs
rename to server/lib/src/valueset/spn.rs
diff --git a/kanidmd/lib/src/valueset/ssh.rs b/server/lib/src/valueset/ssh.rs
similarity index 100%
rename from kanidmd/lib/src/valueset/ssh.rs
rename to server/lib/src/valueset/ssh.rs
diff --git a/kanidmd/lib/src/valueset/syntax.rs b/server/lib/src/valueset/syntax.rs
similarity index 100%
rename from kanidmd/lib/src/valueset/syntax.rs
rename to server/lib/src/valueset/syntax.rs
diff --git a/kanidmd/lib/src/valueset/totp.rs b/server/lib/src/valueset/totp.rs
similarity index 100%
rename from kanidmd/lib/src/valueset/totp.rs
rename to server/lib/src/valueset/totp.rs
diff --git a/kanidmd/lib/src/valueset/uihint.rs b/server/lib/src/valueset/uihint.rs
similarity index 100%
rename from kanidmd/lib/src/valueset/uihint.rs
rename to server/lib/src/valueset/uihint.rs
diff --git a/kanidmd/lib/src/valueset/uint32.rs b/server/lib/src/valueset/uint32.rs
similarity index 100%
rename from kanidmd/lib/src/valueset/uint32.rs
rename to server/lib/src/valueset/uint32.rs
diff --git a/kanidmd/lib/src/valueset/url.rs b/server/lib/src/valueset/url.rs
similarity index 100%
rename from kanidmd/lib/src/valueset/url.rs
rename to server/lib/src/valueset/url.rs
diff --git a/kanidmd/lib/src/valueset/utf8.rs b/server/lib/src/valueset/utf8.rs
similarity index 100%
rename from kanidmd/lib/src/valueset/utf8.rs
rename to server/lib/src/valueset/utf8.rs
diff --git a/kanidmd/lib/src/valueset/uuid.rs b/server/lib/src/valueset/uuid.rs
similarity index 100%
rename from kanidmd/lib/src/valueset/uuid.rs
rename to server/lib/src/valueset/uuid.rs
diff --git a/kanidmd/testkit-macros/Cargo.toml b/server/testkit-macros/Cargo.toml
similarity index 100%
rename from kanidmd/testkit-macros/Cargo.toml
rename to server/testkit-macros/Cargo.toml
diff --git a/kanidmd/testkit-macros/src/entry.rs b/server/testkit-macros/src/entry.rs
similarity index 100%
rename from kanidmd/testkit-macros/src/entry.rs
rename to server/testkit-macros/src/entry.rs
diff --git a/kanidmd/testkit-macros/src/lib.rs b/server/testkit-macros/src/lib.rs
similarity index 100%
rename from kanidmd/testkit-macros/src/lib.rs
rename to server/testkit-macros/src/lib.rs
diff --git a/kanidmd/testkit/Cargo.toml b/server/testkit/Cargo.toml
similarity index 100%
rename from kanidmd/testkit/Cargo.toml
rename to server/testkit/Cargo.toml
index 05de9e982..fdad6da36 100644
--- a/kanidmd/testkit/Cargo.toml
+++ b/server/testkit/Cargo.toml
@@ -20,10 +20,7 @@ kanidm_client.workspace = true
 kanidm_proto.workspace = true
 kanidmd_core.workspace = true
 kanidmd_lib.workspace = true
-futures.workspace = true
-webauthn-authenticator-rs.workspace = true
-oauth2_ext = { workspace = true, default-features = false }
 url = { workspace = true, features = ["serde"] }
 reqwest = { workspace = true, default-features = false }
@@ -39,3 +36,6 @@ profiles.workspace = true
 [dev-dependencies]
 compact_jwt.workspace = true
 serde_json.workspace = true
+webauthn-authenticator-rs.workspace = true
+oauth2_ext = { workspace = true, default-features = false }
+futures.workspace = true
diff --git a/kanidmd/testkit/build.rs b/server/testkit/build.rs
similarity index 100%
rename from kanidmd/testkit/build.rs
rename to server/testkit/build.rs
diff --git a/kanidmd/testkit/src/lib.rs b/server/testkit/src/lib.rs
similarity index 100%
rename from kanidmd/testkit/src/lib.rs
rename to server/testkit/src/lib.rs
diff --git a/kanidmd/testkit/tests/default_entries.rs b/server/testkit/tests/default_entries.rs
similarity index 100%
rename from kanidmd/testkit/tests/default_entries.rs
rename to server/testkit/tests/default_entries.rs
diff --git a/kanidmd/testkit/tests/https_middleware.rs b/server/testkit/tests/https_middleware.rs
similarity index 100%
rename from kanidmd/testkit/tests/https_middleware.rs
rename to server/testkit/tests/https_middleware.rs
diff --git a/kanidmd/testkit/tests/oauth2_test.rs b/server/testkit/tests/oauth2_test.rs
similarity index 100%
rename from kanidmd/testkit/tests/oauth2_test.rs
rename to server/testkit/tests/oauth2_test.rs
diff --git a/kanidmd/testkit/tests/proto_v1_test.rs b/server/testkit/tests/proto_v1_test.rs
similarity index 100%
rename from kanidmd/testkit/tests/proto_v1_test.rs
rename to server/testkit/tests/proto_v1_test.rs
diff --git a/kanidmd/testkit/tests/scim_test.rs b/server/testkit/tests/scim_test.rs
similarity index 100%
rename from kanidmd/testkit/tests/scim_test.rs
rename to server/testkit/tests/scim_test.rs
diff --git a/kanidmd_web_ui/Cargo.toml b/server/web_ui/Cargo.toml
similarity index 97%
rename from kanidmd_web_ui/Cargo.toml
rename to server/web_ui/Cargo.toml
index 3deeef159..7a38d5a60 100644
--- a/kanidmd_web_ui/Cargo.toml
+++ b/server/web_ui/Cargo.toml
@@ -35,7 +35,7 @@ compact_jwt = { workspace = true, default-features = false, features = ["unsafe_
 gloo = { workspace = true }
 gloo-net = { workspace = true }
 js-sys = { workspace = true }
-kanidm_proto = { path = "../kanidm_proto", features = ["wasm"] }
+kanidm_proto = { workspace = true, features = ["wasm"] }
 qrcode = { workspace = true, default-features = false, features = ["svg"] }
 serde = { workspace = true, features = ["derive"] }
 serde_json = { workspace = true }
diff --git a/kanidmd_web_ui/LICENSE.md b/server/web_ui/LICENSE.md
similarity index 100%
rename from kanidmd_web_ui/LICENSE.md
rename to server/web_ui/LICENSE.md
diff --git a/kanidmd_web_ui/README.md b/server/web_ui/README.md
similarity index 100%
rename from kanidmd_web_ui/README.md
rename to server/web_ui/README.md
diff --git a/kanidmd_web_ui/build_wasm.sh b/server/web_ui/build_wasm.sh
similarity index 100%
rename from kanidmd_web_ui/build_wasm.sh
rename to server/web_ui/build_wasm.sh
diff --git a/kanidmd_web_ui/build_wasm_dev.sh b/server/web_ui/build_wasm_dev.sh
similarity index 100%
rename from kanidmd_web_ui/build_wasm_dev.sh
rename to server/web_ui/build_wasm_dev.sh
diff --git a/kanidmd_web_ui/build_wasm_release.sh b/server/web_ui/build_wasm_release.sh
similarity index 100%
rename from kanidmd_web_ui/build_wasm_release.sh
rename to server/web_ui/build_wasm_release.sh
diff --git a/kanidmd_web_ui/pkg/ANYTHING_HERE_WILL_BE_DELETED_ADD_TO_SRC b/server/web_ui/pkg/ANYTHING_HERE_WILL_BE_DELETED_ADD_TO_SRC
similarity index 100%
rename from kanidmd_web_ui/pkg/ANYTHING_HERE_WILL_BE_DELETED_ADD_TO_SRC
rename to server/web_ui/pkg/ANYTHING_HERE_WILL_BE_DELETED_ADD_TO_SRC
diff --git a/kanidmd_web_ui/pkg/LICENSE.md b/server/web_ui/pkg/LICENSE.md
similarity index 100%
rename from kanidmd_web_ui/pkg/LICENSE.md
rename to server/web_ui/pkg/LICENSE.md
diff --git a/kanidmd_web_ui/pkg/README.md b/server/web_ui/pkg/README.md
similarity index 100%
rename from kanidmd_web_ui/pkg/README.md
rename to server/web_ui/pkg/README.md
diff --git a/kanidmd_web_ui/pkg/external/bootstrap.bundle.min.js b/server/web_ui/pkg/external/bootstrap.bundle.min.js
similarity index 100%
rename from kanidmd_web_ui/pkg/external/bootstrap.bundle.min.js
rename to server/web_ui/pkg/external/bootstrap.bundle.min.js
diff --git a/kanidmd_web_ui/pkg/external/bootstrap.bundle.min.js.map b/server/web_ui/pkg/external/bootstrap.bundle.min.js.map
similarity index 100%
rename from kanidmd_web_ui/pkg/external/bootstrap.bundle.min.js.map
rename to server/web_ui/pkg/external/bootstrap.bundle.min.js.map
diff --git a/kanidmd_web_ui/pkg/external/bootstrap.min.css b/server/web_ui/pkg/external/bootstrap.min.css
similarity index 100%
rename from kanidmd_web_ui/pkg/external/bootstrap.min.css
rename to server/web_ui/pkg/external/bootstrap.min.css
diff --git a/kanidmd_web_ui/pkg/external/bootstrap.min.css.map b/server/web_ui/pkg/external/bootstrap.min.css.map
similarity index 100%
rename from kanidmd_web_ui/pkg/external/bootstrap.min.css.map
rename to server/web_ui/pkg/external/bootstrap.min.css.map
diff --git a/kanidmd_web_ui/pkg/external/confetti.js b/server/web_ui/pkg/external/confetti.js
similarity index 100%
rename from kanidmd_web_ui/pkg/external/confetti.js
rename to server/web_ui/pkg/external/confetti.js
diff --git a/kanidmd_web_ui/pkg/img/apple-touch-icon.png b/server/web_ui/pkg/img/apple-touch-icon.png
similarity index 100%
rename from kanidmd_web_ui/pkg/img/apple-touch-icon.png
rename to server/web_ui/pkg/img/apple-touch-icon.png
diff --git a/kanidmd_web_ui/pkg/img/favicon.png b/server/web_ui/pkg/img/favicon.png
similarity index 100%
rename from kanidmd_web_ui/pkg/img/favicon.png
rename to server/web_ui/pkg/img/favicon.png
diff --git a/kanidmd_web_ui/pkg/img/icon-accounts.svg b/server/web_ui/pkg/img/icon-accounts.svg
similarity index 100%
rename from kanidmd_web_ui/pkg/img/icon-accounts.svg
rename to server/web_ui/pkg/img/icon-accounts.svg
diff --git a/kanidmd_web_ui/pkg/img/icon-groups.svg b/server/web_ui/pkg/img/icon-groups.svg
similarity index 100%
rename from kanidmd_web_ui/pkg/img/icon-groups.svg
rename to server/web_ui/pkg/img/icon-groups.svg
diff --git a/kanidmd_web_ui/pkg/img/icon-oauth2.svg b/server/web_ui/pkg/img/icon-oauth2.svg
similarity index 100%
rename from kanidmd_web_ui/pkg/img/icon-oauth2.svg
rename to server/web_ui/pkg/img/icon-oauth2.svg
diff --git a/kanidmd_web_ui/pkg/img/icon-person.svg b/server/web_ui/pkg/img/icon-person.svg
similarity index 100%
rename from kanidmd_web_ui/pkg/img/icon-person.svg
rename to server/web_ui/pkg/img/icon-person.svg
diff --git a/kanidmd_web_ui/pkg/img/icon-robot.svg b/server/web_ui/pkg/img/icon-robot.svg
similarity index 100%
rename from kanidmd_web_ui/pkg/img/icon-robot.svg
rename to server/web_ui/pkg/img/icon-robot.svg
diff --git a/kanidmd_web_ui/pkg/img/kani-waving.svg b/server/web_ui/pkg/img/kani-waving.svg
similarity index 100%
rename from kanidmd_web_ui/pkg/img/kani-waving.svg
rename to server/web_ui/pkg/img/kani-waving.svg
diff --git a/kanidmd_web_ui/pkg/img/logo-180.png b/server/web_ui/pkg/img/logo-180.png
similarity index 100%
rename from kanidmd_web_ui/pkg/img/logo-180.png
rename to server/web_ui/pkg/img/logo-180.png
diff --git a/kanidmd_web_ui/pkg/img/logo-192.png b/server/web_ui/pkg/img/logo-192.png
similarity index 100%
rename from kanidmd_web_ui/pkg/img/logo-192.png
rename to server/web_ui/pkg/img/logo-192.png
diff --git a/kanidmd_web_ui/pkg/img/logo-256.png b/server/web_ui/pkg/img/logo-256.png
similarity index 100%
rename from kanidmd_web_ui/pkg/img/logo-256.png
rename to server/web_ui/pkg/img/logo-256.png
diff --git a/kanidmd_web_ui/pkg/img/logo-512.png b/server/web_ui/pkg/img/logo-512.png
similarity index 100%
rename from kanidmd_web_ui/pkg/img/logo-512.png
rename to server/web_ui/pkg/img/logo-512.png
diff --git a/kanidmd_web_ui/pkg/img/logo-square.svg b/server/web_ui/pkg/img/logo-square.svg
similarity index 100%
rename from kanidmd_web_ui/pkg/img/logo-square.svg
rename to server/web_ui/pkg/img/logo-square.svg
diff --git a/kanidmd_web_ui/pkg/kanidmd_web_ui.js b/server/web_ui/pkg/kanidmd_web_ui.js
similarity index 100%
rename from kanidmd_web_ui/pkg/kanidmd_web_ui.js
rename to server/web_ui/pkg/kanidmd_web_ui.js
diff --git a/kanidmd_web_ui/pkg/kanidmd_web_ui_bg.wasm b/server/web_ui/pkg/kanidmd_web_ui_bg.wasm
similarity index 100%
rename from kanidmd_web_ui/pkg/kanidmd_web_ui_bg.wasm
rename to server/web_ui/pkg/kanidmd_web_ui_bg.wasm
diff --git a/kanidmd_web_ui/pkg/package.json b/server/web_ui/pkg/package.json
similarity index 100%
rename from kanidmd_web_ui/pkg/package.json
rename to server/web_ui/pkg/package.json
diff --git a/kanidmd_web_ui/pkg/style.css b/server/web_ui/pkg/style.css
similarity index 100%
rename from kanidmd_web_ui/pkg/style.css
rename to server/web_ui/pkg/style.css
diff --git a/kanidmd_web_ui/pkg/wasmloader.js b/server/web_ui/pkg/wasmloader.js
similarity index 100%
rename from kanidmd_web_ui/pkg/wasmloader.js
rename to server/web_ui/pkg/wasmloader.js
diff --git a/kanidmd_web_ui/src/components/admin_accounts.rs b/server/web_ui/src/components/admin_accounts.rs
similarity index 100%
rename from kanidmd_web_ui/src/components/admin_accounts.rs
rename to server/web_ui/src/components/admin_accounts.rs
diff --git a/kanidmd_web_ui/src/components/admin_groups.rs b/server/web_ui/src/components/admin_groups.rs
similarity index 100%
rename from kanidmd_web_ui/src/components/admin_groups.rs
rename to server/web_ui/src/components/admin_groups.rs
diff --git a/kanidmd_web_ui/src/components/admin_menu.rs b/server/web_ui/src/components/admin_menu.rs
similarity index 100%
rename from kanidmd_web_ui/src/components/admin_menu.rs
rename to server/web_ui/src/components/admin_menu.rs
diff --git a/kanidmd_web_ui/src/components/admin_oauth2.rs b/server/web_ui/src/components/admin_oauth2.rs
similarity index 100%
rename from kanidmd_web_ui/src/components/admin_oauth2.rs
rename to server/web_ui/src/components/admin_oauth2.rs
diff --git a/kanidmd_web_ui/src/components/change_unix_password.rs b/server/web_ui/src/components/change_unix_password.rs
similarity index 100%
rename from kanidmd_web_ui/src/components/change_unix_password.rs
rename to server/web_ui/src/components/change_unix_password.rs
diff --git a/kanidmd_web_ui/src/components/mod.rs b/server/web_ui/src/components/mod.rs
similarity index 100%
rename from kanidmd_web_ui/src/components/mod.rs
rename to server/web_ui/src/components/mod.rs
diff --git a/kanidmd_web_ui/src/constants.rs b/server/web_ui/src/constants.rs
similarity index 100%
rename from kanidmd_web_ui/src/constants.rs
rename to server/web_ui/src/constants.rs
diff --git a/kanidmd_web_ui/src/credential/delete.rs b/server/web_ui/src/credential/delete.rs
similarity index 100%
rename from kanidmd_web_ui/src/credential/delete.rs
rename to server/web_ui/src/credential/delete.rs
diff --git a/kanidmd_web_ui/src/credential/mod.rs b/server/web_ui/src/credential/mod.rs
similarity index 100%
rename from kanidmd_web_ui/src/credential/mod.rs
rename to server/web_ui/src/credential/mod.rs
diff --git a/kanidmd_web_ui/src/credential/passkey.rs b/server/web_ui/src/credential/passkey.rs
similarity index 100%
rename from kanidmd_web_ui/src/credential/passkey.rs
rename to server/web_ui/src/credential/passkey.rs
diff --git a/kanidmd_web_ui/src/credential/passkeyremove.rs b/server/web_ui/src/credential/passkeyremove.rs
similarity index 100%
rename from kanidmd_web_ui/src/credential/passkeyremove.rs
rename to server/web_ui/src/credential/passkeyremove.rs
diff --git a/kanidmd_web_ui/src/credential/pwmodal.rs b/server/web_ui/src/credential/pwmodal.rs
similarity index 100%
rename from kanidmd_web_ui/src/credential/pwmodal.rs
rename to server/web_ui/src/credential/pwmodal.rs
diff --git a/kanidmd_web_ui/src/credential/reset.rs b/server/web_ui/src/credential/reset.rs
similarity index 100%
rename from kanidmd_web_ui/src/credential/reset.rs
rename to server/web_ui/src/credential/reset.rs
diff --git a/kanidmd_web_ui/src/credential/totpmodal.rs b/server/web_ui/src/credential/totpmodal.rs
similarity index 100%
rename from kanidmd_web_ui/src/credential/totpmodal.rs
rename to server/web_ui/src/credential/totpmodal.rs
diff --git a/kanidmd_web_ui/src/credential/totpremove.rs b/server/web_ui/src/credential/totpremove.rs
similarity index 100%
rename from kanidmd_web_ui/src/credential/totpremove.rs
rename to server/web_ui/src/credential/totpremove.rs
diff --git a/kanidmd_web_ui/src/error.rs b/server/web_ui/src/error.rs
similarity index 100%
rename from kanidmd_web_ui/src/error.rs
rename to server/web_ui/src/error.rs
diff --git a/kanidmd_web_ui/src/external/bootstrap.bundle.min.js b/server/web_ui/src/external/bootstrap.bundle.min.js
similarity index 100%
rename from kanidmd_web_ui/src/external/bootstrap.bundle.min.js
rename to server/web_ui/src/external/bootstrap.bundle.min.js
diff --git a/kanidmd_web_ui/src/external/bootstrap.bundle.min.js.map b/server/web_ui/src/external/bootstrap.bundle.min.js.map
similarity index 100%
rename from kanidmd_web_ui/src/external/bootstrap.bundle.min.js.map
rename to server/web_ui/src/external/bootstrap.bundle.min.js.map
diff --git a/kanidmd_web_ui/src/external/bootstrap.min.css b/server/web_ui/src/external/bootstrap.min.css
similarity index 100%
rename from kanidmd_web_ui/src/external/bootstrap.min.css
rename to server/web_ui/src/external/bootstrap.min.css
diff --git a/kanidmd_web_ui/src/external/bootstrap.min.css.map b/server/web_ui/src/external/bootstrap.min.css.map
similarity index 100%
rename from kanidmd_web_ui/src/external/bootstrap.min.css.map
rename to server/web_ui/src/external/bootstrap.min.css.map
diff --git a/kanidmd_web_ui/src/external/confetti.js b/server/web_ui/src/external/confetti.js
similarity index 100%
rename from kanidmd_web_ui/src/external/confetti.js
rename to server/web_ui/src/external/confetti.js
diff --git a/kanidmd_web_ui/src/img/apple-touch-icon.png b/server/web_ui/src/img/apple-touch-icon.png
similarity index 100%
rename from kanidmd_web_ui/src/img/apple-touch-icon.png
rename to server/web_ui/src/img/apple-touch-icon.png
diff --git a/kanidmd_web_ui/src/img/favicon.png b/server/web_ui/src/img/favicon.png
similarity index 100%
rename from kanidmd_web_ui/src/img/favicon.png
rename to server/web_ui/src/img/favicon.png
diff --git a/kanidmd_web_ui/src/img/icon-accounts.svg b/server/web_ui/src/img/icon-accounts.svg
similarity index 100%
rename from kanidmd_web_ui/src/img/icon-accounts.svg
rename to server/web_ui/src/img/icon-accounts.svg
diff --git a/kanidmd_web_ui/src/img/icon-groups.svg b/server/web_ui/src/img/icon-groups.svg
similarity index 100%
rename from kanidmd_web_ui/src/img/icon-groups.svg
rename to server/web_ui/src/img/icon-groups.svg
diff --git a/kanidmd_web_ui/src/img/icon-oauth2.svg b/server/web_ui/src/img/icon-oauth2.svg
similarity index 100%
rename from kanidmd_web_ui/src/img/icon-oauth2.svg
rename to server/web_ui/src/img/icon-oauth2.svg
diff --git a/kanidmd_web_ui/src/img/icon-person.svg b/server/web_ui/src/img/icon-person.svg
similarity index 100%
rename from kanidmd_web_ui/src/img/icon-person.svg
rename to server/web_ui/src/img/icon-person.svg
diff --git a/kanidmd_web_ui/src/img/icon-robot.svg b/server/web_ui/src/img/icon-robot.svg
similarity index 100%
rename from kanidmd_web_ui/src/img/icon-robot.svg
rename to server/web_ui/src/img/icon-robot.svg
diff --git a/kanidmd_web_ui/src/img/kani-waving.svg b/server/web_ui/src/img/kani-waving.svg
similarity index 100%
rename from kanidmd_web_ui/src/img/kani-waving.svg
rename to server/web_ui/src/img/kani-waving.svg
diff --git a/kanidmd_web_ui/src/img/logo-180.png b/server/web_ui/src/img/logo-180.png
similarity index 100%
rename from kanidmd_web_ui/src/img/logo-180.png
rename to server/web_ui/src/img/logo-180.png
diff --git a/kanidmd_web_ui/src/img/logo-192.png b/server/web_ui/src/img/logo-192.png
similarity index 100%
rename from kanidmd_web_ui/src/img/logo-192.png
rename to server/web_ui/src/img/logo-192.png
diff --git a/kanidmd_web_ui/src/img/logo-256.png b/server/web_ui/src/img/logo-256.png
similarity index 100%
rename from kanidmd_web_ui/src/img/logo-256.png
rename to server/web_ui/src/img/logo-256.png
diff --git a/kanidmd_web_ui/src/img/logo-512.png b/server/web_ui/src/img/logo-512.png
similarity index 100%
rename from kanidmd_web_ui/src/img/logo-512.png
rename to server/web_ui/src/img/logo-512.png
diff --git a/kanidmd_web_ui/src/img/logo-square.svg b/server/web_ui/src/img/logo-square.svg
similarity index 100%
rename from kanidmd_web_ui/src/img/logo-square.svg
rename to server/web_ui/src/img/logo-square.svg
diff --git a/kanidmd_web_ui/src/lib.rs b/server/web_ui/src/lib.rs
similarity index 100%
rename from kanidmd_web_ui/src/lib.rs
rename to server/web_ui/src/lib.rs
diff --git a/kanidmd_web_ui/src/login.rs b/server/web_ui/src/login.rs
similarity index 100%
rename from kanidmd_web_ui/src/login.rs
rename to server/web_ui/src/login.rs
diff --git a/kanidmd_web_ui/src/macros.rs b/server/web_ui/src/macros.rs
similarity index 100%
rename from kanidmd_web_ui/src/macros.rs
rename to server/web_ui/src/macros.rs
diff --git a/kanidmd_web_ui/src/manager.rs b/server/web_ui/src/manager.rs
similarity index 100%
rename from kanidmd_web_ui/src/manager.rs
rename to server/web_ui/src/manager.rs
diff --git a/kanidmd_web_ui/src/models/mod.rs b/server/web_ui/src/models/mod.rs
similarity index 100%
rename from kanidmd_web_ui/src/models/mod.rs
rename to server/web_ui/src/models/mod.rs
diff --git a/kanidmd_web_ui/src/oauth2.rs b/server/web_ui/src/oauth2.rs
similarity index 100%
rename from kanidmd_web_ui/src/oauth2.rs
rename to server/web_ui/src/oauth2.rs
diff --git a/kanidmd_web_ui/src/style.css b/server/web_ui/src/style.css
similarity index 100%
rename from kanidmd_web_ui/src/style.css
rename to server/web_ui/src/style.css
diff --git a/kanidmd_web_ui/src/utils.rs b/server/web_ui/src/utils.rs
similarity index 100%
rename from kanidmd_web_ui/src/utils.rs
rename to server/web_ui/src/utils.rs
diff --git a/kanidmd_web_ui/src/views/apps.rs b/server/web_ui/src/views/apps.rs
similarity index 100%
rename from kanidmd_web_ui/src/views/apps.rs
rename to server/web_ui/src/views/apps.rs
diff --git a/kanidmd_web_ui/src/views/components.rs b/server/web_ui/src/views/components.rs
similarity index 100%
rename from kanidmd_web_ui/src/views/components.rs
rename to server/web_ui/src/views/components.rs
diff --git a/kanidmd_web_ui/src/views/mod.rs b/server/web_ui/src/views/mod.rs
similarity index 100%
rename from kanidmd_web_ui/src/views/mod.rs
rename to server/web_ui/src/views/mod.rs
diff --git a/kanidmd_web_ui/src/views/profile.rs b/server/web_ui/src/views/profile.rs
similarity index 100%
rename from kanidmd_web_ui/src/views/profile.rs
rename to server/web_ui/src/views/profile.rs
diff --git a/kanidmd_web_ui/src/views/security.rs b/server/web_ui/src/views/security.rs
similarity index 100%
rename from kanidmd_web_ui/src/views/security.rs
rename to server/web_ui/src/views/security.rs
diff --git a/kanidmd_web_ui/src/wasmloader.js b/server/web_ui/src/wasmloader.js
similarity index 100%
rename from kanidmd_web_ui/src/wasmloader.js
rename to server/web_ui/src/wasmloader.js
diff --git a/kanidmd_web_ui/tests/test.rs b/server/web_ui/tests/test.rs
similarity index 100%
rename from kanidmd_web_ui/tests/test.rs
rename to server/web_ui/tests/test.rs
diff --git a/kanidm_tools/Cargo.toml b/tools/cli/Cargo.toml
similarity index 100%
rename from kanidm_tools/Cargo.toml
rename to tools/cli/Cargo.toml
diff --git a/kanidm_tools/Dockerfile b/tools/cli/Dockerfile
similarity index 100%
rename from kanidm_tools/Dockerfile
rename to tools/cli/Dockerfile
diff --git a/kanidm_tools/build.rs b/tools/cli/build.rs
similarity index 100%
rename from kanidm_tools/build.rs
rename to tools/cli/build.rs
diff --git a/kanidm_tools/example.create.account.json b/tools/cli/example.create.account.json
similarity index 100%
rename from kanidm_tools/example.create.account.json
rename to tools/cli/example.create.account.json
diff --git a/kanidm_tools/example.create.group.json b/tools/cli/example.create.group.json
similarity index 100%
rename from kanidm_tools/example.create.group.json
rename to tools/cli/example.create.group.json
diff --git a/kanidm_tools/example.modify.idm_admin.json b/tools/cli/example.modify.idm_admin.json
similarity index 100%
rename from kanidm_tools/example.modify.idm_admin.json
rename to tools/cli/example.modify.idm_admin.json
diff --git a/kanidm_tools/example.modify.json b/tools/cli/example.modify.json
similarity index 100%
rename from kanidm_tools/example.modify.json
rename to tools/cli/example.modify.json
diff --git a/kanidm_tools/src/cli/badlist.rs b/tools/cli/src/cli/badlist.rs
similarity index 100%
rename from kanidm_tools/src/cli/badlist.rs
rename to tools/cli/src/cli/badlist.rs
diff --git a/kanidm_tools/src/cli/common.rs b/tools/cli/src/cli/common.rs
similarity index 100%
rename from kanidm_tools/src/cli/common.rs
rename to tools/cli/src/cli/common.rs
diff --git a/kanidm_tools/src/cli/domain.rs b/tools/cli/src/cli/domain.rs
similarity index 100%
rename from kanidm_tools/src/cli/domain.rs
rename to tools/cli/src/cli/domain.rs
diff --git a/kanidm_tools/src/cli/group.rs b/tools/cli/src/cli/group.rs
similarity index 100%
rename from kanidm_tools/src/cli/group.rs
rename to tools/cli/src/cli/group.rs
diff --git a/kanidm_tools/src/cli/lib.rs b/tools/cli/src/cli/lib.rs
similarity index 100%
rename from kanidm_tools/src/cli/lib.rs
rename to tools/cli/src/cli/lib.rs
diff --git a/kanidm_tools/src/cli/main.rs b/tools/cli/src/cli/main.rs
similarity index 100%
rename from kanidm_tools/src/cli/main.rs
rename to tools/cli/src/cli/main.rs
diff --git a/kanidm_tools/src/cli/oauth2.rs b/tools/cli/src/cli/oauth2.rs
similarity index 100%
rename from kanidm_tools/src/cli/oauth2.rs
rename to tools/cli/src/cli/oauth2.rs
diff --git a/kanidm_tools/src/cli/person.rs b/tools/cli/src/cli/person.rs
similarity index 100%
rename from kanidm_tools/src/cli/person.rs
rename to tools/cli/src/cli/person.rs
diff --git a/kanidm_tools/src/cli/raw.rs b/tools/cli/src/cli/raw.rs
similarity index 100%
rename from kanidm_tools/src/cli/raw.rs
rename to tools/cli/src/cli/raw.rs
diff --git a/kanidm_tools/src/cli/recycle.rs b/tools/cli/src/cli/recycle.rs
similarity index 100%
rename from kanidm_tools/src/cli/recycle.rs
rename to tools/cli/src/cli/recycle.rs
diff --git a/kanidm_tools/src/cli/serviceaccount.rs b/tools/cli/src/cli/serviceaccount.rs
similarity index 100%
rename from kanidm_tools/src/cli/serviceaccount.rs
rename to tools/cli/src/cli/serviceaccount.rs
diff --git a/kanidm_tools/src/cli/session.rs b/tools/cli/src/cli/session.rs
similarity index 100%
rename from kanidm_tools/src/cli/session.rs
rename to tools/cli/src/cli/session.rs
diff --git a/kanidm_tools/src/cli/synch.rs b/tools/cli/src/cli/synch.rs
similarity index 100%
rename from kanidm_tools/src/cli/synch.rs
rename to tools/cli/src/cli/synch.rs
diff --git a/kanidm_tools/src/cli/webauthn/mod.rs b/tools/cli/src/cli/webauthn/mod.rs
similarity index 100%
rename from kanidm_tools/src/cli/webauthn/mod.rs
rename to tools/cli/src/cli/webauthn/mod.rs
diff --git a/kanidm_tools/src/cli/webauthn/mozilla.rs b/tools/cli/src/cli/webauthn/mozilla.rs
similarity index 100%
rename from kanidm_tools/src/cli/webauthn/mozilla.rs
rename to tools/cli/src/cli/webauthn/mozilla.rs
diff --git a/kanidm_tools/src/cli/webauthn/win10.rs b/tools/cli/src/cli/webauthn/win10.rs
similarity index 100%
rename from kanidm_tools/src/cli/webauthn/win10.rs
rename to tools/cli/src/cli/webauthn/win10.rs
diff --git a/kanidm_tools/src/opt/kanidm.rs b/tools/cli/src/opt/kanidm.rs
similarity index 100%
rename from kanidm_tools/src/opt/kanidm.rs
rename to tools/cli/src/opt/kanidm.rs
diff --git a/kanidm_tools/src/opt/ssh_authorizedkeys.rs b/tools/cli/src/opt/ssh_authorizedkeys.rs
similarity index 100%
rename from kanidm_tools/src/opt/ssh_authorizedkeys.rs
rename to tools/cli/src/opt/ssh_authorizedkeys.rs
diff --git a/kanidm_tools/src/ssh_authorizedkeys.rs b/tools/cli/src/ssh_authorizedkeys.rs
similarity index 100%
rename from kanidm_tools/src/ssh_authorizedkeys.rs
rename to tools/cli/src/ssh_authorizedkeys.rs
diff --git a/iam_migrations/README.md b/tools/iam_migrations/README.md
similarity index 100%
rename from iam_migrations/README.md
rename to tools/iam_migrations/README.md
diff --git a/iam_migrations/freeipa/00config-mod.ldif b/tools/iam_migrations/freeipa/00config-mod.ldif
similarity index 100%
rename from iam_migrations/freeipa/00config-mod.ldif
rename to tools/iam_migrations/freeipa/00config-mod.ldif
diff --git a/iam_migrations/freeipa/01test-sync.sh b/tools/iam_migrations/freeipa/01test-sync.sh
similarity index 100%
rename from iam_migrations/freeipa/01test-sync.sh
rename to tools/iam_migrations/freeipa/01test-sync.sh
diff --git a/iam_migrations/freeipa/Cargo.toml b/tools/iam_migrations/freeipa/Cargo.toml
similarity index 100%
rename from iam_migrations/freeipa/Cargo.toml
rename to tools/iam_migrations/freeipa/Cargo.toml
diff --git a/iam_migrations/freeipa/notes.txt b/tools/iam_migrations/freeipa/notes.txt
similarity index 100%
rename from iam_migrations/freeipa/notes.txt
rename to tools/iam_migrations/freeipa/notes.txt
diff --git a/iam_migrations/freeipa/src/config.rs b/tools/iam_migrations/freeipa/src/config.rs
similarity index 100%
rename from iam_migrations/freeipa/src/config.rs
rename to tools/iam_migrations/freeipa/src/config.rs
diff --git a/iam_migrations/freeipa/src/error.rs b/tools/iam_migrations/freeipa/src/error.rs
similarity index 100%
rename from iam_migrations/freeipa/src/error.rs
rename to tools/iam_migrations/freeipa/src/error.rs
diff --git a/iam_migrations/freeipa/src/main.rs b/tools/iam_migrations/freeipa/src/main.rs
similarity index 100%
rename from iam_migrations/freeipa/src/main.rs
rename to tools/iam_migrations/freeipa/src/main.rs
diff --git a/iam_migrations/freeipa/src/opt.rs b/tools/iam_migrations/freeipa/src/opt.rs
similarity index 100%
rename from iam_migrations/freeipa/src/opt.rs
rename to tools/iam_migrations/freeipa/src/opt.rs
diff --git a/iam_migrations/freeipa/src/tests.rs b/tools/iam_migrations/freeipa/src/tests.rs
similarity index 100%
rename from iam_migrations/freeipa/src/tests.rs
rename to tools/iam_migrations/freeipa/src/tests.rs
diff --git a/orca/Cargo.toml b/tools/orca/Cargo.toml
similarity index 100%
rename from orca/Cargo.toml
rename to tools/orca/Cargo.toml
diff --git a/orca/build.rs b/tools/orca/build.rs
similarity index 100%
rename from orca/build.rs
rename to tools/orca/build.rs
diff --git a/orca/example_profiles/small/access.json b/tools/orca/example_profiles/small/access.json
similarity index 100%
rename from orca/example_profiles/small/access.json
rename to tools/orca/example_profiles/small/access.json
diff --git a/orca/example_profiles/small/data.json b/tools/orca/example_profiles/small/data.json
similarity index 100%
rename from orca/example_profiles/small/data.json
rename to tools/orca/example_profiles/small/data.json
diff --git a/tools/orca/example_profiles/small/orca-edited.toml b/tools/orca/example_profiles/small/orca-edited.toml
new file mode 100644
index 000000000..0e9a5e216
--- /dev/null
+++ b/tools/orca/example_profiles/small/orca-edited.toml
@@ -0,0 +1,21 @@
+name = "Orca Small Example"
+data = "data.json"
+results = "/tmp/small_results"
+
+[ds_config]
+uri = "ldaps://172.24.20.4:49153"
+base_dn = "dc=example,dc=com"
+dm_pw = "ds9n539EaYtD2CsGOUATsOUeyFy4OZVPAN6jEEm.WP52NVz7j.VLhAVG5twbcaSoa"
+
+[kani_http_config]
+uri = "https://172.24.20.4:8443"
+admin_pw = "YWySv7W65D1Zq001jgT1zxg5TEsz6ex80MQ9EKDG7t0RrQU0"
+
+[kani_ldap_config]
+uri = "https://172.24.20.4:8443"
+ldap_uri = "ldaps://172.24.20.4:3636"
+admin_pw = "YWySv7W65D1Zq001jgT1zxg5TEsz6ex80MQ9EKDG7t0RrQU0"
+base_dn = "dc=example,dc=com"
+
+# [search_basic_config]
+
diff --git a/orca/example_profiles/small/orca.toml b/tools/orca/example_profiles/small/orca.toml
similarity index 100%
rename from orca/example_profiles/small/orca.toml
rename to tools/orca/example_profiles/small/orca.toml
diff --git a/orca/src/data.rs b/tools/orca/src/data.rs
similarity index 100%
rename from orca/src/data.rs
rename to tools/orca/src/data.rs
diff --git a/orca/src/ds.rs b/tools/orca/src/ds.rs
similarity index 100%
rename from orca/src/ds.rs
rename to tools/orca/src/ds.rs
diff --git a/orca/src/generate.rs b/tools/orca/src/generate.rs
similarity index 100%
rename from orca/src/generate.rs
rename to tools/orca/src/generate.rs
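Review bot: `orca-edited.toml` is a working copy carrying live-looking credentials (`dm_pw` under `[ds_config]`, the same `admin_pw` under both `[kani_*_config]` tables) and concrete host addresses, and it is added here as a new tracked file next to the renamed `orca.toml` example. Its `-edited` name suggests it was never meant to be committed; once tracked, an ignore rule no longer protects it and the values remain in history even after a later delete. Drop it from this commit with `git rm --cached tools/orca/example_profiles/small/orca-edited.toml`, keep `orca.toml` as the example with placeholder values, and if these passwords were ever set on a reachable instance, rotate them.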
diff --git a/orca/src/ipa.rs b/tools/orca/src/ipa.rs
similarity index 100%
rename from orca/src/ipa.rs
rename to tools/orca/src/ipa.rs
diff --git a/orca/src/kani.rs b/tools/orca/src/kani.rs
similarity index 100%
rename from orca/src/kani.rs
rename to tools/orca/src/kani.rs
diff --git a/orca/src/ldap.rs b/tools/orca/src/ldap.rs
similarity index 100%
rename from orca/src/ldap.rs
rename to tools/orca/src/ldap.rs
diff --git a/orca/src/main.rs b/tools/orca/src/main.rs
similarity index 100%
rename from orca/src/main.rs
rename to tools/orca/src/main.rs
diff --git a/orca/src/opt.rs b/tools/orca/src/opt.rs
similarity index 100%
rename from orca/src/opt.rs
rename to tools/orca/src/opt.rs
diff --git a/orca/src/preprocess.rs b/tools/orca/src/preprocess.rs
similarity index 100%
rename from orca/src/preprocess.rs
rename to tools/orca/src/preprocess.rs
diff --git a/orca/src/profile.rs b/tools/orca/src/profile.rs
similarity index 100%
rename from orca/src/profile.rs
rename to tools/orca/src/profile.rs
diff --git a/orca/src/runner/mod.rs b/tools/orca/src/runner/mod.rs
similarity index 100%
rename from orca/src/runner/mod.rs
rename to tools/orca/src/runner/mod.rs
diff --git a/orca/src/runner/search.rs b/tools/orca/src/runner/search.rs
similarity index 100%
rename from orca/src/runner/search.rs
rename to tools/orca/src/runner/search.rs
diff --git a/orca/src/setup.rs b/tools/orca/src/setup.rs
similarity index 100%
rename from orca/src/setup.rs
rename to tools/orca/src/setup.rs
diff --git a/kanidm_unix_int/Cargo.toml b/unix_integration/Cargo.toml
similarity index 95%
rename from kanidm_unix_int/Cargo.toml
rename to unix_integration/Cargo.toml
index 8a02ddfc5..d89fc5ebb 100644
--- a/kanidm_unix_int/Cargo.toml
+++ b/unix_integration/Cargo.toml
@@ -63,9 +63,8 @@ libsqlite3-sys.workspace = true
 lru.workspace = true
 kanidm_client.workspace = true
 kanidm_proto.workspace = true
-# This is just used for password hashing and tests, so we could
-# clean this up
-kanidmd_lib.workspace = true
+kanidm_lib_crypto.workspace = true
+kanidm_lib_file_permissions.workspace = true
 r2d2.workspace = true
 r2d2_sqlite.workspace = true
@@ -92,4 +91,3 @@ kanidmd_core.workspace = true
 clap = { workspace = true, features = ["derive"] }
 clap_complete.workspace = true
 profiles.workspace = true
-
diff --git a/kanidm_unix_int/build.rs b/unix_integration/build.rs
similarity index 100%
rename from kanidm_unix_int/build.rs
rename to unix_integration/build.rs
diff --git a/kanidm_unix_int/nss_kanidm/Cargo.toml b/unix_integration/nss_kanidm/Cargo.toml
similarity index 100%
rename from kanidm_unix_int/nss_kanidm/Cargo.toml
rename to unix_integration/nss_kanidm/Cargo.toml
diff --git a/kanidm_unix_int/nss_kanidm/src/implementation.rs b/unix_integration/nss_kanidm/src/implementation.rs
similarity index 100%
rename from kanidm_unix_int/nss_kanidm/src/implementation.rs
rename to unix_integration/nss_kanidm/src/implementation.rs
diff --git a/kanidm_unix_int/nss_kanidm/src/lib.rs b/unix_integration/nss_kanidm/src/lib.rs
similarity index 100%
rename from kanidm_unix_int/nss_kanidm/src/lib.rs
rename to unix_integration/nss_kanidm/src/lib.rs
diff --git a/kanidm_unix_int/pam_kanidm/Cargo.toml b/unix_integration/pam_kanidm/Cargo.toml
similarity index 100%
rename from kanidm_unix_int/pam_kanidm/Cargo.toml
rename to unix_integration/pam_kanidm/Cargo.toml
diff --git a/kanidm_unix_int/pam_kanidm/build.rs b/unix_integration/pam_kanidm/build.rs
similarity index 100%
rename from kanidm_unix_int/pam_kanidm/build.rs
rename to unix_integration/pam_kanidm/build.rs
diff --git a/kanidm_unix_int/pam_kanidm/src/lib.rs b/unix_integration/pam_kanidm/src/lib.rs
similarity index 100%
rename from kanidm_unix_int/pam_kanidm/src/lib.rs
rename to unix_integration/pam_kanidm/src/lib.rs
diff --git a/kanidm_unix_int/pam_kanidm/src/pam/constants.rs b/unix_integration/pam_kanidm/src/pam/constants.rs
similarity index 100%
rename from kanidm_unix_int/pam_kanidm/src/pam/constants.rs
rename to unix_integration/pam_kanidm/src/pam/constants.rs
diff --git a/kanidm_unix_int/pam_kanidm/src/pam/conv.rs b/unix_integration/pam_kanidm/src/pam/conv.rs
similarity index 100%
rename from kanidm_unix_int/pam_kanidm/src/pam/conv.rs
rename to unix_integration/pam_kanidm/src/pam/conv.rs
diff --git a/kanidm_unix_int/pam_kanidm/src/pam/items.rs b/unix_integration/pam_kanidm/src/pam/items.rs
similarity index 100%
rename from kanidm_unix_int/pam_kanidm/src/pam/items.rs
rename to unix_integration/pam_kanidm/src/pam/items.rs
diff --git a/kanidm_unix_int/pam_kanidm/src/pam/macros.rs b/unix_integration/pam_kanidm/src/pam/macros.rs
similarity index 100%
rename from kanidm_unix_int/pam_kanidm/src/pam/macros.rs
rename to unix_integration/pam_kanidm/src/pam/macros.rs
diff --git a/kanidm_unix_int/pam_kanidm/src/pam/mod.rs b/unix_integration/pam_kanidm/src/pam/mod.rs
similarity index 100%
rename from kanidm_unix_int/pam_kanidm/src/pam/mod.rs
rename to unix_integration/pam_kanidm/src/pam/mod.rs
diff --git a/kanidm_unix_int/pam_kanidm/src/pam/module.rs b/unix_integration/pam_kanidm/src/pam/module.rs
similarity index 100%
rename from kanidm_unix_int/pam_kanidm/src/pam/module.rs
rename to unix_integration/pam_kanidm/src/pam/module.rs
diff --git a/kanidm_unix_int/src/cache.rs b/unix_integration/src/cache.rs
similarity index 100%
rename from kanidm_unix_int/src/cache.rs
rename to unix_integration/src/cache.rs
diff --git a/kanidm_unix_int/src/cache_clear.rs b/unix_integration/src/cache_clear.rs
similarity index 100%
rename from kanidm_unix_int/src/cache_clear.rs
rename to unix_integration/src/cache_clear.rs
diff --git a/kanidm_unix_int/src/cache_invalidate.rs b/unix_integration/src/cache_invalidate.rs
similarity index 93%
rename from kanidm_unix_int/src/cache_invalidate.rs
rename to unix_integration/src/cache_invalidate.rs
index 0309ca9bf..6190f8079 100644
--- a/kanidm_unix_int/src/cache_invalidate.rs
+++ b/unix_integration/src/cache_invalidate.rs
@@ -29,7 +29,10 @@ async fn main() {
 ::std::env::set_var("RUST_LOG", "kanidm=debug,kanidm_client=debug");
 }
 if opt.version {
- println!("{}", kanidm_proto::utils::get_version("kanidm_cache_invalidate"));
+ println!(
+ "{}",
+ kanidm_proto::utils::get_version("kanidm_cache_invalidate")
+ );
 std::process::exit(0);
 }
 sketching::tracing_subscriber::fmt::init();
diff --git a/kanidm_unix_int/src/client.rs b/unix_integration/src/client.rs
similarity index 100%
rename from kanidm_unix_int/src/client.rs
rename to unix_integration/src/client.rs
diff --git a/kanidm_unix_int/src/client_sync.rs b/unix_integration/src/client_sync.rs
similarity index 100%
rename from kanidm_unix_int/src/client_sync.rs
rename to unix_integration/src/client_sync.rs
diff --git a/kanidm_unix_int/src/constants.rs b/unix_integration/src/constants.rs
similarity index 100%
rename from kanidm_unix_int/src/constants.rs
rename to unix_integration/src/constants.rs
diff --git a/kanidm_unix_int/src/daemon.rs b/unix_integration/src/daemon.rs
similarity index 99%
rename from kanidm_unix_int/src/daemon.rs
rename to unix_integration/src/daemon.rs
index e635f13ed..987e94a7d 100644
--- a/kanidm_unix_int/src/daemon.rs
+++ b/unix_integration/src/daemon.rs
@@ -28,7 +28,7 @@ use kanidm_unix_common::cache::CacheLayer;
 use kanidm_unix_common::constants::DEFAULT_CONFIG_PATH;
 use kanidm_unix_common::unix_config::KanidmUnixdConfig;
 use kanidm_unix_common::unix_proto::{ClientRequest, ClientResponse, TaskRequest, TaskResponse};
-use kanidmd_lib::utils::file_permissions_readonly;
+
 use libc::umask;
 use sketching::tracing_forest::traits::*;
 use sketching::tracing_forest::util::*;
@@ -461,7 +461,7 @@ async fn main() {
 return
 }
 };
- if !file_permissions_readonly(&cfg_meta) {
+ if !kanidm_lib_file_permissions::readonly(&cfg_meta) {
 warn!("permissions on {} may not be secure. Should be readonly to running uid. This could be a security risk ...",
 cfg_path_str
 );
@@ -493,7 +493,7 @@ async fn main() {
 return
 }
 };
- if !file_permissions_readonly(&unixd_meta) {
+ if !kanidm_lib_file_permissions::readonly(&unixd_meta) {
 warn!("permissions on {} may not be secure. Should be readonly to running uid. This could be a security risk ...", unixd_path_str);
 }
@@ -579,7 +579,7 @@ async fn main() {
 );
 return
 }
- if !file_permissions_readonly(&i_meta) {
+ if !kanidm_lib_file_permissions::readonly(&i_meta) {
 warn!("WARNING: DB folder permissions on {} indicate it may not be RW. This could cause the server start up to fail!", db_par_path_buf.to_str() .unwrap_or("") );
diff --git a/kanidm_unix_int/src/daemon_status.rs b/unix_integration/src/daemon_status.rs
similarity index 94%
rename from kanidm_unix_int/src/daemon_status.rs
rename to unix_integration/src/daemon_status.rs
index ea76b4aac..927ffb83a 100644
--- a/kanidm_unix_int/src/daemon_status.rs
+++ b/unix_integration/src/daemon_status.rs
@@ -30,7 +30,10 @@ fn main() {
 ::std::env::set_var("RUST_LOG", "kanidm=debug,kanidm_client=debug");
 }
 if opt.version {
- println!("{}", kanidm_proto::utils::get_version("kanidm_unixd_status"));
+ println!(
+ "{}",
+ kanidm_proto::utils::get_version("kanidm_unixd_status")
+ );
 std::process::exit(0);
 }
 sketching::tracing_subscriber::fmt::init();
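Review bot: In the third daemon.rs hunk the warning text contradicts the predicate it hangs off: `!kanidm_lib_file_permissions::readonly(&i_meta)` fires when the DB folder is *not* read-only, yet the message says the folder "may not be RW". The helper's definition is not in this diff, so I can't tell which meaning is intended; if, as the two config-file checks above suggest, `readonly` means "writable only by the running uid", the message should say that, e.g. `warn!("WARNING: DB folder permissions on {} allow group/other write access; another local user could alter the cache database.", …)`, and if it really means not-writable-at-all, the condition is inverted. Either way, a one-line doc comment on `readonly` in the new file_permissions crate stating the exact mode bits it tests would keep this from recurring at the three call sites. The first hunk also leaves an empty `+` line where the removed `use` stood; rustfmt keeps it, so drop it. `async fn main()` starts and ends outside these hunks.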
diff --git a/kanidm_unix_int/src/db.rs b/unix_integration/src/db.rs
similarity index 99%
rename from kanidm_unix_int/src/db.rs
rename to unix_integration/src/db.rs
index 6306c84d1..cabd871b7 100644
--- a/kanidm_unix_int/src/db.rs
+++ b/unix_integration/src/db.rs
@@ -2,10 +2,10 @@ use std::convert::TryFrom;
 use std::fmt;
 use std::time::Duration;
 
+use kanidm_lib_crypto::CryptoPolicy;
+use kanidm_lib_crypto::DbPasswordV1;
+use kanidm_lib_crypto::Password;
 use kanidm_proto::v1::{UnixGroupToken, UnixUserToken};
-use kanidmd_lib::be::dbvalue::DbPasswordV1;
-use kanidmd_lib::credential::policy::CryptoPolicy;
-use kanidmd_lib::credential::Password;
 use libc::umask;
 use r2d2::Pool;
 use r2d2_sqlite::SqliteConnectionManager;
diff --git a/kanidm_unix_int/src/lib.rs b/unix_integration/src/lib.rs
similarity index 100%
rename from kanidm_unix_int/src/lib.rs
rename to unix_integration/src/lib.rs
diff --git a/kanidm_unix_int/src/opt/cache_clear.rs b/unix_integration/src/opt/cache_clear.rs
similarity index 100%
rename from kanidm_unix_int/src/opt/cache_clear.rs
rename to unix_integration/src/opt/cache_clear.rs
diff --git a/kanidm_unix_int/src/opt/cache_invalidate.rs b/unix_integration/src/opt/cache_invalidate.rs
similarity index 100%
rename from kanidm_unix_int/src/opt/cache_invalidate.rs
rename to unix_integration/src/opt/cache_invalidate.rs
diff --git a/kanidm_unix_int/src/opt/ssh_authorizedkeys.rs b/unix_integration/src/opt/ssh_authorizedkeys.rs
similarity index 100%
rename from kanidm_unix_int/src/opt/ssh_authorizedkeys.rs
rename to unix_integration/src/opt/ssh_authorizedkeys.rs
diff --git a/kanidm_unix_int/src/opt/unixd_status.rs b/unix_integration/src/opt/unixd_status.rs
similarity index 100%
rename from kanidm_unix_int/src/opt/unixd_status.rs
rename to unix_integration/src/opt/unixd_status.rs
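Review bot: The three added `use kanidm_lib_crypto::…` lines should be one grouped import, `use kanidm_lib_crypto::{CryptoPolicy, DbPasswordV1, Password};`, which matches the `kanidm_proto::v1::{…}` line directly below them and the grouped style of the rest of this import block. Since this is a move of `Password`/`CryptoPolicy` into a separate crate, it is also worth confirming that the `kanidm_lib_crypto` re-exports carry the same hashing defaults the removed `kanidmd_lib` paths had, so cached credential hashes in existing databases still verify; nothing in this hunk shows that either way. The hunk is the file's import block, so no function is cut.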
diff --git a/kanidm_unix_int/src/ssh_authorizedkeys.rs b/unix_integration/src/ssh_authorizedkeys.rs
similarity index 94%
rename from kanidm_unix_int/src/ssh_authorizedkeys.rs
rename to unix_integration/src/ssh_authorizedkeys.rs
index a366cac2b..2f13e0bf3 100644
--- a/kanidm_unix_int/src/ssh_authorizedkeys.rs
+++ b/unix_integration/src/ssh_authorizedkeys.rs
@@ -31,7 +31,10 @@ async fn main() {
 ::std::env::set_var("RUST_LOG", "kanidm=debug,kanidm_client=debug");
 }
 if opt.version {
- println!("{}", kanidm_proto::utils::get_version("kanidm_ssh_authorizedkeys"));
+ println!(
+ "{}",
+ kanidm_proto::utils::get_version("kanidm_ssh_authorizedkeys")
+ );
 std::process::exit(0);
 }
 sketching::tracing_subscriber::fmt::init();
diff --git a/kanidm_unix_int/src/tasks_daemon.rs b/unix_integration/src/tasks_daemon.rs
similarity index 100%
rename from kanidm_unix_int/src/tasks_daemon.rs
rename to unix_integration/src/tasks_daemon.rs
diff --git a/kanidm_unix_int/src/test_auth.rs b/unix_integration/src/test_auth.rs
similarity index 100%
rename from kanidm_unix_int/src/test_auth.rs
rename to unix_integration/src/test_auth.rs
diff --git a/kanidm_unix_int/src/unix_config.rs b/unix_integration/src/unix_config.rs
similarity index 100%
rename from kanidm_unix_int/src/unix_config.rs
rename to unix_integration/src/unix_config.rs
diff --git a/kanidm_unix_int/src/unix_proto.rs b/unix_integration/src/unix_proto.rs
similarity index 100%
rename from kanidm_unix_int/src/unix_proto.rs
rename to unix_integration/src/unix_proto.rs
diff --git a/kanidm_unix_int/tests/cache_layer_test.rs b/unix_integration/tests/cache_layer_test.rs
similarity index 100%
rename from kanidm_unix_int/tests/cache_layer_test.rs
rename to unix_integration/tests/cache_layer_test.rs