diff --git a/Cargo.lock b/Cargo.lock index 8a08d799a..9f91a08d2 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1088,7 +1088,7 @@ dependencies = [ [[package]] name = "daemon" -version = "1.2.0" +version = "1.2.1" dependencies = [ "clap", "clap_complete", @@ -2930,7 +2930,7 @@ dependencies = [ [[package]] name = "kanidm-ipa-sync" -version = "1.2.0" +version = "1.2.1" dependencies = [ "chrono", "clap", @@ -2954,7 +2954,7 @@ dependencies = [ [[package]] name = "kanidm-ldap-sync" -version = "1.2.0" +version = "1.2.1" dependencies = [ "base64urlsafedata 0.5.0", "chrono", @@ -2980,7 +2980,7 @@ dependencies = [ [[package]] name = "kanidm_build_profiles" -version = "1.2.0" +version = "1.2.1" dependencies = [ "base64 0.21.7", "gix", @@ -2990,7 +2990,7 @@ dependencies = [ [[package]] name = "kanidm_client" -version = "1.2.0" +version = "1.2.1" dependencies = [ "compact_jwt 0.4.1", "hyper", @@ -3010,7 +3010,7 @@ dependencies = [ [[package]] name = "kanidm_lib_crypto" -version = "1.2.0" +version = "1.2.1" dependencies = [ "argon2", "base64 0.21.7", @@ -3029,7 +3029,7 @@ dependencies = [ [[package]] name = "kanidm_lib_file_permissions" -version = "1.2.0" +version = "1.2.1" dependencies = [ "kanidm_utils_users", "whoami", @@ -3037,7 +3037,7 @@ dependencies = [ [[package]] name = "kanidm_proto" -version = "1.2.0" +version = "1.2.1" dependencies = [ "base32", "base64urlsafedata 0.5.0", @@ -3057,7 +3057,7 @@ dependencies = [ [[package]] name = "kanidm_tools" -version = "1.2.0" +version = "1.2.1" dependencies = [ "async-recursion", "clap", @@ -3089,7 +3089,7 @@ dependencies = [ [[package]] name = "kanidm_unix_int" -version = "1.2.0" +version = "1.2.1" dependencies = [ "async-trait", "base64urlsafedata 0.5.0", @@ -3130,14 +3130,14 @@ dependencies = [ [[package]] name = "kanidm_utils_users" -version = "1.2.0" +version = "1.2.1" dependencies = [ "libc", ] [[package]] name = "kanidmd_core" -version = "1.2.0" +version = "1.2.1" dependencies = [ "async-trait", "axum", 
@@ -3190,7 +3190,7 @@ dependencies = [ [[package]] name = "kanidmd_lib" -version = "1.2.0" +version = "1.2.1" dependencies = [ "base64 0.21.7", "base64urlsafedata 0.5.0", @@ -3249,7 +3249,7 @@ dependencies = [ [[package]] name = "kanidmd_lib_macros" -version = "1.2.0" +version = "1.2.1" dependencies = [ "proc-macro2", "quote", @@ -3258,7 +3258,7 @@ dependencies = [ [[package]] name = "kanidmd_testkit" -version = "1.2.0" +version = "1.2.1" dependencies = [ "assert_cmd", "compact_jwt 0.4.1", @@ -3296,7 +3296,7 @@ dependencies = [ [[package]] name = "kanidmd_web_ui_admin" -version = "1.2.0" +version = "1.2.1" dependencies = [ "enum-iterator", "gloo", @@ -3318,7 +3318,7 @@ dependencies = [ [[package]] name = "kanidmd_web_ui_login_flows" -version = "1.2.0" +version = "1.2.1" dependencies = [ "gloo", "gloo-utils 0.2.0", @@ -3339,7 +3339,7 @@ dependencies = [ [[package]] name = "kanidmd_web_ui_shared" -version = "1.2.0" +version = "1.2.1" dependencies = [ "gloo", "js-sys", @@ -3358,7 +3358,7 @@ dependencies = [ [[package]] name = "kanidmd_web_ui_user" -version = "1.2.0" +version = "1.2.1" dependencies = [ "enum-iterator", "gloo", @@ -3782,7 +3782,7 @@ dependencies = [ [[package]] name = "nss_kanidm" -version = "1.2.0" +version = "1.2.1" dependencies = [ "kanidm_unix_int", "lazy_static", @@ -4163,7 +4163,7 @@ checksum = "04744f49eae99ab78e0d5c0b603ab218f515ea8cfe5a456d7629ad883a3b6e7d" [[package]] name = "orca" -version = "1.2.0" +version = "1.2.1" dependencies = [ "async-trait", "clap", @@ -4204,7 +4204,7 @@ checksum = "b15813163c1d831bf4a13c3610c05c0d03b39feb07f7e09fa234dac9b15aaf39" [[package]] name = "pam_kanidm" -version = "1.2.0" +version = "1.2.1" dependencies = [ "kanidm_unix_int", "libc", @@ -5324,7 +5324,7 @@ dependencies = [ [[package]] name = "sketching" -version = "1.2.0" +version = "1.2.1" dependencies = [ "gethostname", "num_enum", diff --git a/Cargo.toml b/Cargo.toml index 3e41001b7..0659fa00b 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -32,7 +32,7 @@ members = [
 ]
 [workspace.package]
-version = "1.2.0"
+version = "1.2.1"
 authors = [
 "William Brown ",
 "James Hodgkinson ",
@@ -78,19 +78,19 @@ repository = "https://github.com/kanidm/kanidm/"
 # kanidm-hsm-crypto = { path = "../hsm-crypto" }
 [workspace.dependencies]
-kanidmd_core = { path = "./server/core", version = "=1.2.0" }
-kanidmd_lib = { path = "./server/lib", version = "=1.2.0" }
-kanidmd_lib_macros = { path = "./server/lib-macros", version = "=1.2.0" }
-kanidmd_testkit = { path = "./server/testkit", version = "=1.2.0" }
-kanidm_build_profiles = { path = "./libs/profiles", version = "=1.2.0" }
-kanidm_client = { path = "./libs/client", version = "=1.2.0" }
+kanidmd_core = { path = "./server/core", version = "=1.2" }
+kanidmd_lib = { path = "./server/lib", version = "=1.2" }
+kanidmd_lib_macros = { path = "./server/lib-macros", version = "=1.2" }
+kanidmd_testkit = { path = "./server/testkit", version = "=1.2" }
+kanidm_build_profiles = { path = "./libs/profiles", version = "=1.2" }
+kanidm_client = { path = "./libs/client", version = "=1.2" }
 kanidm-hsm-crypto = "^0.1.6"
-kanidm_lib_crypto = { path = "./libs/crypto", version = "=1.2.0" }
-kanidm_lib_file_permissions = { path = "./libs/file_permissions", version = "=1.2.0" }
-kanidm_proto = { path = "./proto", version = "=1.2.0" }
-kanidm_unix_int = { path = "./unix_integration", version = "=1.2.0" }
-kanidm_utils_users = { path = "./libs/users", version = "=1.2.0" }
-sketching = { path = "./libs/sketching", version = "=1.2.0" }
+kanidm_lib_crypto = { path = "./libs/crypto", version = "=1.2" }
+kanidm_lib_file_permissions = { path = "./libs/file_permissions", version = "=1.2" }
+kanidm_proto = { path = "./proto", version = "=1.2" }
+kanidm_unix_int = { path = "./unix_integration", version = "=1.2" }
+kanidm_utils_users = { path = "./libs/users", version = "=1.2" }
+sketching = { path = "./libs/sketching", version = "=1.2" }
 serde_with = "3.7.0"
 argon2 = { version = "0.5.3", features = ["alloc"] }
diff --git a/Makefile b/Makefile
index 6f47ac175..78004d6e8 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
 IMAGE_BASE ?= kanidm
 IMAGE_VERSION ?= devel
-IMAGE_EXT_VERSION ?= 1.2.0
+IMAGE_EXT_VERSION ?= 1.2.1
 CONTAINER_TOOL_ARGS ?=
 IMAGE_ARCH ?= "linux/amd64,linux/arm64"
 CONTAINER_BUILD_ARGS ?=
diff --git a/server/lib/src/be/idl_arc_sqlite.rs b/server/lib/src/be/idl_arc_sqlite.rs
index db1b3ac22..0f8a49ede 100644
--- a/server/lib/src/be/idl_arc_sqlite.rs
+++ b/server/lib/src/be/idl_arc_sqlite.rs
@@ -342,6 +342,7 @@ pub trait IdlArcSqliteTransaction {
 fn get_identry_raw(&self, idl: &IdList) -> Result, OperationError>;
+ #[allow(dead_code)]
 fn exists_idx(&mut self, attr: &str, itype: IndexType) -> Result;
 fn get_idl(
diff --git a/server/lib/src/constants/entries.rs b/server/lib/src/constants/entries.rs
index e5c9a1c14..72f3b3a87 100644
--- a/server/lib/src/constants/entries.rs
+++ b/server/lib/src/constants/entries.rs
@@ -788,7 +788,7 @@ lazy_static! {
 Attribute::Description,
 Value::new_utf8s("System (local) info and metadata object.")
 ),
- (Attribute::Version, Value::Uint32(19))
+ (Attribute::Version, Value::Uint32(20))
 );
 pub static ref E_DOMAIN_INFO_V1: EntryInitNew = entry_init!(
diff --git a/server/lib/src/plugins/gidnumber.rs b/server/lib/src/plugins/gidnumber.rs
index ec5d92685..c5abe19f7 100644
--- a/server/lib/src/plugins/gidnumber.rs
+++ b/server/lib/src/plugins/gidnumber.rs
@@ -13,7 +13,7 @@ use crate::utils::uuid_to_gid_u32;
 /// system uids from 0 - 1000, and many others give user ids between 1000 to
 /// 2000. This whole numberspace is cursed, lets assume it's not ours. :(
 ///
-/// Per https://systemd.io/UIDS-GIDS/, systemd claims a huge chunk of this
+/// Per , systemd claims a huge chunk of this
 /// space to itself. As a result we can't allocate between 65536 and u32 max
 /// because systemd takes most of the usable range for its own containers,
 /// and half the range is probably going to trigger linux kernel issues.
diff --git a/server/lib/src/plugins/mod.rs b/server/lib/src/plugins/mod.rs
index ad379ef32..3d43d5ea0 100644
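Review bot: The `#[allow(dead_code)]` added above `exists_idx` carries no explanation of why an unused trait method is being kept rather than removed, which is the usual review ask for a lint suppression; a one-line reason or tracking reference beside the attribute, e.g. `// unused since <change>: kept for <planned use>, see <issue>` with the placeholders filled in, lets the next reader decide when it can go. The same applies to the `#[allow(dead_code)]` on `pre_repl_incremental` in server/lib/src/plugins/mod.rs, on `get_uuid` and `get_key_object` in server/lib/src/server/keys/provider.rs, and on `PartialGroup` in tools/orca/src/generate.rs. Where one of these is genuinely dead after the migration work, deleting it is the smaller change than silencing the warning.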
--- a/server/lib/src/plugins/mod.rs
+++ b/server/lib/src/plugins/mod.rs
@@ -163,6 +163,7 @@ trait Plugin {
 Err(OperationError::InvalidState)
 }
+ #[allow(dead_code)]
 fn pre_repl_incremental(
 _qs: &mut QueryServerWriteTransaction,
 _cand: &mut [(EntryIncrementalCommitted, Arc)],
diff --git a/server/lib/src/server/keys/provider.rs b/server/lib/src/server/keys/provider.rs
index 503f08c6f..0b6445c8c 100644
--- a/server/lib/src/server/keys/provider.rs
+++ b/server/lib/src/server/keys/provider.rs
@@ -119,8 +119,10 @@ impl KeyProviders {
 }
 pub trait KeyProvidersTransaction {
+ #[allow(dead_code)]
 fn get_uuid(&self, key_provider_uuid: Uuid) -> Option<&KeyProvider>;
+ #[allow(dead_code)]
 fn get_key_object(&self, key_object_uuid: Uuid) -> Option;
 fn get_key_object_handle(&self, key_object_uuid: Uuid) -> Option>;
diff --git a/server/lib/src/server/migrations.rs b/server/lib/src/server/migrations.rs
index bb1e3cfc6..72a15196a 100644
--- a/server/lib/src/server/migrations.rs
+++ b/server/lib/src/server/migrations.rs
@@ -161,12 +161,29 @@ impl QueryServer {
 // No domain info was present, so neither was the rest of the IDM. We need to bootstrap
 // the base entries here.
 if db_domain_version == 0 {
+ // In this path because we create the dyn groups they are immediately added to the
+ // dyngroup cache and begin to operate.
 write_txn.initialise_idm()?;
- }
+ } else {
+ // #2756 - if we *aren't* creating the base IDM entries, then we
+ // need to force dyn groups to reload since we're now at schema
+ // ready. This is done indiretly by ... reloading the schema again.
+ //
+ // This is because dyngroups don't load until server phase >= schemaready
+ // and the reload path for these is either a change in the dyngroup entry
+ // itself or a change to schema reloading. Since we aren't changing the
+ // dyngroup here, we have to go via the schema reload path.
+ write_txn.force_schema_reload();
+ };
 // Reload as init idm affects access controls.
 write_txn.reload()?;
+ // # 2756 - automate the fix for dyngroups
+ if system_info_version < 20 {
+ write_txn.migrate_19_to_20()?;
+ }
+
 // Domain info is now ready and reloaded, we can proceed.
 write_txn.set_phase(ServerPhase::DomainInfoReady);
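Review bot: The `};` closing the new `else` block adds a stray semicolon to an `if`/`else` used as a statement; the removed line was a bare `}` and that is all that is needed. The added comment also has a typo, `indiretly` → `indirectly`, and the issue is written both as `#2756` and `# 2756` within the same hunk. The `if system_info_version < 20` gate depends on `system_info_version` and on the server phase already having reached `ServerPhase::SchemaReady`, both established outside this hunk, so it is worth confirming that ordering holds on the `db_domain_version == 0` path too, since `migrate_19_to_20` only checks the phase with a `debug_assert!`. The enclosing function starts and ends outside the hunk.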
@@ -735,6 +752,28 @@ impl<'a> QueryServerWriteTransaction<'a> {
 })
 }
+ #[instrument(level = "info", skip_all)]
+ /// Automate fix for #2756 - touch all dyngroups to force them to re-consider and re-write
+ /// their members.
+ pub fn migrate_19_to_20(&mut self) -> Result<(), OperationError> {
+ admin_warn!("starting 19 to 20 migration.");
+
+ debug_assert!(*self.phase >= ServerPhase::SchemaReady);
+
+ let filter = filter!(f_eq(
+ Attribute::Class,
+ EntryClass::DynGroup.into()
+ ));
+ let modlist = modlist!([m_pres(Attribute::Class, &EntryClass::DynGroup.into())]);
+
+ self.internal_modify(
+ &filter, &modlist
+ )
+ .map(|()| {
+ info!("forced dyngroups to re-calculate memberships");
+ })
+ }
+
 #[instrument(level = "info", skip_all)]
 /// This migration will
 /// * Trigger a "once off" mfa account policy rule on all persons.
diff --git a/tools/orca/src/generate.rs b/tools/orca/src/generate.rs
index 7a14917d1..0b95e288d 100644
--- a/tools/orca/src/generate.rs
+++ b/tools/orca/src/generate.rs
@@ -13,6 +13,7 @@ use std::collections::BTreeSet;
 const PEOPLE_PREFIX: &str = "person";
 #[derive(Debug)]
+#[allow(dead_code)]
 pub struct PartialGroup {
 pub name: String,
 pub members: BTreeSet,
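Review bot: The `ServerPhase::SchemaReady` precondition in `migrate_19_to_20` is enforced only by `debug_assert!`, so in a release build a caller reaching this `pub fn` too early proceeds, and — since the comment in the hunk at line 161 states that dyngroups do not load before that phase — the touch may recalculate nothing while still logging `forced dyngroups to re-calculate memberships`. Because this migration exists to repair group membership, the check should fail closed: `if *self.phase < ServerPhase::SchemaReady { return Err(OperationError::InvalidState); }`, the same error the plugin trait in server/lib/src/plugins/mod.rs returns for a bad state. The doc comment would also benefit from saying that the `m_pres` of a class the entries already carry is a deliberate no-op write whose only purpose is to trigger the dyngroup plugin, as written it reads like a mistake.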