2756 - resolve dyngroups not loading correctly at startup (#2778)

2025-02-23 04:27:02 +01:00 · 2024-05-18 13:02:29 +10:00 · 2024-05-18 13:02:29 +10:00 · ba82b1aeaf
parent 9efa91ae93
commit ba82b1aeaf
10 changed files with 84 additions and 40 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -1088,7 +1088,7 @@ dependencies = [

 [[package]]
 name = "daemon"
-version = "1.2.0"
+version = "1.2.1"
 dependencies = [
 "clap",
 "clap_complete",
@ -2930,7 +2930,7 @@ dependencies = [

 [[package]]
 name = "kanidm-ipa-sync"
-version = "1.2.0"
+version = "1.2.1"
 dependencies = [
 "chrono",
 "clap",
@ -2954,7 +2954,7 @@ dependencies = [

 [[package]]
 name = "kanidm-ldap-sync"
-version = "1.2.0"
+version = "1.2.1"
 dependencies = [
 "base64urlsafedata 0.5.0",
 "chrono",
@ -2980,7 +2980,7 @@ dependencies = [

 [[package]]
 name = "kanidm_build_profiles"
-version = "1.2.0"
+version = "1.2.1"
 dependencies = [
 "base64 0.21.7",
 "gix",
@ -2990,7 +2990,7 @@ dependencies = [

 [[package]]
 name = "kanidm_client"
-version = "1.2.0"
+version = "1.2.1"
 dependencies = [
 "compact_jwt 0.4.1",
 "hyper",
@ -3010,7 +3010,7 @@ dependencies = [

 [[package]]
 name = "kanidm_lib_crypto"
-version = "1.2.0"
+version = "1.2.1"
 dependencies = [
 "argon2",
 "base64 0.21.7",
@ -3029,7 +3029,7 @@ dependencies = [

 [[package]]
 name = "kanidm_lib_file_permissions"
-version = "1.2.0"
+version = "1.2.1"
 dependencies = [
 "kanidm_utils_users",
 "whoami",
@ -3037,7 +3037,7 @@ dependencies = [

 [[package]]
 name = "kanidm_proto"
-version = "1.2.0"
+version = "1.2.1"
 dependencies = [
 "base32",
 "base64urlsafedata 0.5.0",
@ -3057,7 +3057,7 @@ dependencies = [

 [[package]]
 name = "kanidm_tools"
-version = "1.2.0"
+version = "1.2.1"
 dependencies = [
 "async-recursion",
 "clap",
@ -3089,7 +3089,7 @@ dependencies = [

 [[package]]
 name = "kanidm_unix_int"
-version = "1.2.0"
+version = "1.2.1"
 dependencies = [
 "async-trait",
 "base64urlsafedata 0.5.0",
@ -3130,14 +3130,14 @@ dependencies = [

 [[package]]
 name = "kanidm_utils_users"
-version = "1.2.0"
+version = "1.2.1"
 dependencies = [
 "libc",
 ]

 [[package]]
 name = "kanidmd_core"
-version = "1.2.0"
+version = "1.2.1"
 dependencies = [
 "async-trait",
 "axum",
@ -3190,7 +3190,7 @@ dependencies = [

 [[package]]
 name = "kanidmd_lib"
-version = "1.2.0"
+version = "1.2.1"
 dependencies = [
 "base64 0.21.7",
 "base64urlsafedata 0.5.0",
@ -3249,7 +3249,7 @@ dependencies = [

 [[package]]
 name = "kanidmd_lib_macros"
-version = "1.2.0"
+version = "1.2.1"
 dependencies = [
 "proc-macro2",
 "quote",
@ -3258,7 +3258,7 @@ dependencies = [

 [[package]]
 name = "kanidmd_testkit"
-version = "1.2.0"
+version = "1.2.1"
 dependencies = [
 "assert_cmd",
 "compact_jwt 0.4.1",
@ -3296,7 +3296,7 @@ dependencies = [

 [[package]]
 name = "kanidmd_web_ui_admin"
-version = "1.2.0"
+version = "1.2.1"
 dependencies = [
 "enum-iterator",
 "gloo",
@ -3318,7 +3318,7 @@ dependencies = [

 [[package]]
 name = "kanidmd_web_ui_login_flows"
-version = "1.2.0"
+version = "1.2.1"
 dependencies = [
 "gloo",
 "gloo-utils 0.2.0",
@ -3339,7 +3339,7 @@ dependencies = [

 [[package]]
 name = "kanidmd_web_ui_shared"
-version = "1.2.0"
+version = "1.2.1"
 dependencies = [
 "gloo",
 "js-sys",
@ -3358,7 +3358,7 @@ dependencies = [

 [[package]]
 name = "kanidmd_web_ui_user"
-version = "1.2.0"
+version = "1.2.1"
 dependencies = [
 "enum-iterator",
 "gloo",
@ -3782,7 +3782,7 @@ dependencies = [

 [[package]]
 name = "nss_kanidm"
-version = "1.2.0"
+version = "1.2.1"
 dependencies = [
 "kanidm_unix_int",
 "lazy_static",
@ -4163,7 +4163,7 @@ checksum = "04744f49eae99ab78e0d5c0b603ab218f515ea8cfe5a456d7629ad883a3b6e7d"

 [[package]]
 name = "orca"
-version = "1.2.0"
+version = "1.2.1"
 dependencies = [
 "async-trait",
 "clap",
@ -4204,7 +4204,7 @@ checksum = "b15813163c1d831bf4a13c3610c05c0d03b39feb07f7e09fa234dac9b15aaf39"

 [[package]]
 name = "pam_kanidm"
-version = "1.2.0"
+version = "1.2.1"
 dependencies = [
 "kanidm_unix_int",
 "libc",
@ -5324,7 +5324,7 @@ dependencies = [

 [[package]]
 name = "sketching"
-version = "1.2.0"
+version = "1.2.1"
 dependencies = [
 "gethostname",
 "num_enum",
--- a/Cargo.toml
+++ b/Cargo.toml
@ -32,7 +32,7 @@ members = [
 ]

 [workspace.package]
-version = "1.2.0"
+version = "1.2.1"
 authors = [
    "William Brown <william@blackhats.net.au>",
    "James Hodgkinson <james@terminaloutcomes.com>",
@ -78,19 +78,19 @@ repository = "https://github.com/kanidm/kanidm/"
 # kanidm-hsm-crypto = { path = "../hsm-crypto" }

 [workspace.dependencies]
-kanidmd_core = { path = "./server/core", version = "=1.2.0" }
-kanidmd_lib = { path = "./server/lib", version = "=1.2.0" }
-kanidmd_lib_macros = { path = "./server/lib-macros", version = "=1.2.0" }
-kanidmd_testkit = { path = "./server/testkit", version = "=1.2.0" }
-kanidm_build_profiles = { path = "./libs/profiles", version = "=1.2.0" }
-kanidm_client = { path = "./libs/client", version = "=1.2.0" }
+kanidmd_core = { path = "./server/core", version = "=1.2" }
+kanidmd_lib = { path = "./server/lib", version = "=1.2" }
+kanidmd_lib_macros = { path = "./server/lib-macros", version = "=1.2" }
+kanidmd_testkit = { path = "./server/testkit", version = "=1.2" }
+kanidm_build_profiles = { path = "./libs/profiles", version = "=1.2" }
+kanidm_client = { path = "./libs/client", version = "=1.2" }
 kanidm-hsm-crypto = "^0.1.6"
-kanidm_lib_crypto = { path = "./libs/crypto", version = "=1.2.0" }
-kanidm_lib_file_permissions = { path = "./libs/file_permissions", version = "=1.2.0" }
-kanidm_proto = { path = "./proto", version = "=1.2.0" }
-kanidm_unix_int = { path = "./unix_integration", version = "=1.2.0" }
-kanidm_utils_users = { path = "./libs/users", version = "=1.2.0" }
-sketching = { path = "./libs/sketching", version = "=1.2.0" }
+kanidm_lib_crypto = { path = "./libs/crypto", version = "=1.2" }
+kanidm_lib_file_permissions = { path = "./libs/file_permissions", version = "=1.2" }
+kanidm_proto = { path = "./proto", version = "=1.2" }
+kanidm_unix_int = { path = "./unix_integration", version = "=1.2" }
+kanidm_utils_users = { path = "./libs/users", version = "=1.2" }
+sketching = { path = "./libs/sketching", version = "=1.2" }

 serde_with = "3.7.0"
 argon2 = { version = "0.5.3", features = ["alloc"] }
--- a/2
+++ b/2
@ -1,6 +1,6 @@
 IMAGE_BASE ?= kanidm
 IMAGE_VERSION ?= devel
-IMAGE_EXT_VERSION ?= 1.2.0
+IMAGE_EXT_VERSION ?= 1.2.1
 CONTAINER_TOOL_ARGS ?=
 IMAGE_ARCH ?= "linux/amd64,linux/arm64"
 CONTAINER_BUILD_ARGS ?=
--- a/server/lib/src/be/idl_arc_sqlite.rs
+++ b/server/lib/src/be/idl_arc_sqlite.rs
@ -342,6 +342,7 @@ pub trait IdlArcSqliteTransaction {

    fn get_identry_raw(&self, idl: &IdList) -> Result<Vec<IdRawEntry>, OperationError>;

+    #[allow(dead_code)]
    fn exists_idx(&mut self, attr: &str, itype: IndexType) -> Result<bool, OperationError>;

    fn get_idl(
--- a/server/lib/src/constants/entries.rs
+++ b/server/lib/src/constants/entries.rs
@ -788,7 +788,7 @@ lazy_static! {
            Attribute::Description,
            Value::new_utf8s("System (local) info and metadata object.")
        ),
-        (Attribute::Version, Value::Uint32(19))
+        (Attribute::Version, Value::Uint32(20))
    );

    pub static ref E_DOMAIN_INFO_V1: EntryInitNew = entry_init!(
--- a/server/lib/src/plugins/gidnumber.rs
+++ b/server/lib/src/plugins/gidnumber.rs
@ -13,7 +13,7 @@ use crate::utils::uuid_to_gid_u32;
 /// system uids from 0 - 1000, and many others give user ids between 1000 to
 /// 2000. This whole numberspace is cursed, lets assume it's not ours. :(
 ///
-/// Per https://systemd.io/UIDS-GIDS/, systemd claims a huge chunk of this
+/// Per <https://systemd.io/UIDS-GIDS/>, systemd claims a huge chunk of this
 /// space to itself. As a result we can't allocate between 65536 and u32 max
 /// because systemd takes most of the usable range for its own containers,
 /// and half the range is probably going to trigger linux kernel issues.
--- a/server/lib/src/plugins/mod.rs
+++ b/server/lib/src/plugins/mod.rs
@ -163,6 +163,7 @@ trait Plugin {
        Err(OperationError::InvalidState)
    }

+    #[allow(dead_code)]
    fn pre_repl_incremental(
        _qs: &mut QueryServerWriteTransaction,
        _cand: &mut [(EntryIncrementalCommitted, Arc<EntrySealedCommitted>)],
--- a/server/lib/src/server/keys/provider.rs
+++ b/server/lib/src/server/keys/provider.rs
@ -119,8 +119,10 @@ impl KeyProviders {
 }

 pub trait KeyProvidersTransaction {
+    #[allow(dead_code)]
    fn get_uuid(&self, key_provider_uuid: Uuid) -> Option<&KeyProvider>;

+    #[allow(dead_code)]
    fn get_key_object(&self, key_object_uuid: Uuid) -> Option<KeyObjectRef>;

    fn get_key_object_handle(&self, key_object_uuid: Uuid) -> Option<Arc<KeyObject>>;
--- a/server/lib/src/server/migrations.rs
+++ b/server/lib/src/server/migrations.rs
@ -161,12 +161,29 @@ impl QueryServer {
        // No domain info was present, so neither was the rest of the IDM. We need to bootstrap
        // the base entries here.
        if db_domain_version == 0 {
+            // In this path because we create the dyn groups they are immediately added to the
+            // dyngroup cache and begin to operate.
            write_txn.initialise_idm()?;
-        }
+        } else {
+            // #2756 - if we *aren't* creating the base IDM entries, then we
+            // need to force dyn groups to reload since we're now at schema
+            // ready. This is done indiretly by ... reloading the schema again.
+            //
+            // This is because dyngroups don't load until server phase >= schemaready
+            // and the reload path for these is either a change in the dyngroup entry
+            // itself or a change to schema reloading. Since we aren't changing the
+            // dyngroup here, we have to go via the schema reload path.
+            write_txn.force_schema_reload();
+        };

        // Reload as init idm affects access controls.
        write_txn.reload()?;

+        // # 2756 - automate the fix for dyngroups
+        if system_info_version < 20 {
+            write_txn.migrate_19_to_20()?;
+        }
+
        // Domain info is now ready and reloaded, we can proceed.
        write_txn.set_phase(ServerPhase::DomainInfoReady);

@ -735,6 +752,28 @@ impl<'a> QueryServerWriteTransaction<'a> {
        })
    }

+    #[instrument(level = "info", skip_all)]
+    /// Automate fix for #2756 - touch all dyngroups to force them to re-consider and re-write
+    /// their members.
+    pub fn migrate_19_to_20(&mut self) -> Result<(), OperationError> {
+        admin_warn!("starting 19 to 20 migration.");
+
+        debug_assert!(*self.phase >= ServerPhase::SchemaReady);
+
+        let filter = filter!(f_eq(
+            Attribute::Class,
+            EntryClass::DynGroup.into()
+        ));
+        let modlist = modlist!([m_pres(Attribute::Class, &EntryClass::DynGroup.into())]);
+
+        self.internal_modify(
+            &filter, &modlist
+        )
+        .map(|()| {
+            info!("forced dyngroups to re-calculate memberships");
+        })
+    }
+
    #[instrument(level = "info", skip_all)]
    /// This migration will
    ///  * Trigger a "once off" mfa account policy rule on all persons.
--- a/tools/orca/src/generate.rs
+++ b/tools/orca/src/generate.rs
@ -13,6 +13,7 @@ use std::collections::BTreeSet;
 const PEOPLE_PREFIX: &str = "person";

 #[derive(Debug)]
+#[allow(dead_code)]
 pub struct PartialGroup {
    pub name: String,
    pub members: BTreeSet<String>,