2756 - resolve dyngroups not loading correctly at startup (#2778)

This commit is contained in:
Firstyear 2024-05-18 13:02:29 +10:00 committed by GitHub
parent 9efa91ae93
commit ba82b1aeaf
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
10 changed files with 84 additions and 40 deletions

46
Cargo.lock generated

@ -1088,7 +1088,7 @@ dependencies = [
[[package]] [[package]]
name = "daemon" name = "daemon"
version = "1.2.0" version = "1.2.1"
dependencies = [ dependencies = [
"clap", "clap",
"clap_complete", "clap_complete",
@ -2930,7 +2930,7 @@ dependencies = [
[[package]] [[package]]
name = "kanidm-ipa-sync" name = "kanidm-ipa-sync"
version = "1.2.0" version = "1.2.1"
dependencies = [ dependencies = [
"chrono", "chrono",
"clap", "clap",
@ -2954,7 +2954,7 @@ dependencies = [
[[package]] [[package]]
name = "kanidm-ldap-sync" name = "kanidm-ldap-sync"
version = "1.2.0" version = "1.2.1"
dependencies = [ dependencies = [
"base64urlsafedata 0.5.0", "base64urlsafedata 0.5.0",
"chrono", "chrono",
@ -2980,7 +2980,7 @@ dependencies = [
[[package]] [[package]]
name = "kanidm_build_profiles" name = "kanidm_build_profiles"
version = "1.2.0" version = "1.2.1"
dependencies = [ dependencies = [
"base64 0.21.7", "base64 0.21.7",
"gix", "gix",
@ -2990,7 +2990,7 @@ dependencies = [
[[package]] [[package]]
name = "kanidm_client" name = "kanidm_client"
version = "1.2.0" version = "1.2.1"
dependencies = [ dependencies = [
"compact_jwt 0.4.1", "compact_jwt 0.4.1",
"hyper", "hyper",
@ -3010,7 +3010,7 @@ dependencies = [
[[package]] [[package]]
name = "kanidm_lib_crypto" name = "kanidm_lib_crypto"
version = "1.2.0" version = "1.2.1"
dependencies = [ dependencies = [
"argon2", "argon2",
"base64 0.21.7", "base64 0.21.7",
@ -3029,7 +3029,7 @@ dependencies = [
[[package]] [[package]]
name = "kanidm_lib_file_permissions" name = "kanidm_lib_file_permissions"
version = "1.2.0" version = "1.2.1"
dependencies = [ dependencies = [
"kanidm_utils_users", "kanidm_utils_users",
"whoami", "whoami",
@ -3037,7 +3037,7 @@ dependencies = [
[[package]] [[package]]
name = "kanidm_proto" name = "kanidm_proto"
version = "1.2.0" version = "1.2.1"
dependencies = [ dependencies = [
"base32", "base32",
"base64urlsafedata 0.5.0", "base64urlsafedata 0.5.0",
@ -3057,7 +3057,7 @@ dependencies = [
[[package]] [[package]]
name = "kanidm_tools" name = "kanidm_tools"
version = "1.2.0" version = "1.2.1"
dependencies = [ dependencies = [
"async-recursion", "async-recursion",
"clap", "clap",
@ -3089,7 +3089,7 @@ dependencies = [
[[package]] [[package]]
name = "kanidm_unix_int" name = "kanidm_unix_int"
version = "1.2.0" version = "1.2.1"
dependencies = [ dependencies = [
"async-trait", "async-trait",
"base64urlsafedata 0.5.0", "base64urlsafedata 0.5.0",
@ -3130,14 +3130,14 @@ dependencies = [
[[package]] [[package]]
name = "kanidm_utils_users" name = "kanidm_utils_users"
version = "1.2.0" version = "1.2.1"
dependencies = [ dependencies = [
"libc", "libc",
] ]
[[package]] [[package]]
name = "kanidmd_core" name = "kanidmd_core"
version = "1.2.0" version = "1.2.1"
dependencies = [ dependencies = [
"async-trait", "async-trait",
"axum", "axum",
@ -3190,7 +3190,7 @@ dependencies = [
[[package]] [[package]]
name = "kanidmd_lib" name = "kanidmd_lib"
version = "1.2.0" version = "1.2.1"
dependencies = [ dependencies = [
"base64 0.21.7", "base64 0.21.7",
"base64urlsafedata 0.5.0", "base64urlsafedata 0.5.0",
@ -3249,7 +3249,7 @@ dependencies = [
[[package]] [[package]]
name = "kanidmd_lib_macros" name = "kanidmd_lib_macros"
version = "1.2.0" version = "1.2.1"
dependencies = [ dependencies = [
"proc-macro2", "proc-macro2",
"quote", "quote",
@ -3258,7 +3258,7 @@ dependencies = [
[[package]] [[package]]
name = "kanidmd_testkit" name = "kanidmd_testkit"
version = "1.2.0" version = "1.2.1"
dependencies = [ dependencies = [
"assert_cmd", "assert_cmd",
"compact_jwt 0.4.1", "compact_jwt 0.4.1",
@ -3296,7 +3296,7 @@ dependencies = [
[[package]] [[package]]
name = "kanidmd_web_ui_admin" name = "kanidmd_web_ui_admin"
version = "1.2.0" version = "1.2.1"
dependencies = [ dependencies = [
"enum-iterator", "enum-iterator",
"gloo", "gloo",
@ -3318,7 +3318,7 @@ dependencies = [
[[package]] [[package]]
name = "kanidmd_web_ui_login_flows" name = "kanidmd_web_ui_login_flows"
version = "1.2.0" version = "1.2.1"
dependencies = [ dependencies = [
"gloo", "gloo",
"gloo-utils 0.2.0", "gloo-utils 0.2.0",
@ -3339,7 +3339,7 @@ dependencies = [
[[package]] [[package]]
name = "kanidmd_web_ui_shared" name = "kanidmd_web_ui_shared"
version = "1.2.0" version = "1.2.1"
dependencies = [ dependencies = [
"gloo", "gloo",
"js-sys", "js-sys",
@ -3358,7 +3358,7 @@ dependencies = [
[[package]] [[package]]
name = "kanidmd_web_ui_user" name = "kanidmd_web_ui_user"
version = "1.2.0" version = "1.2.1"
dependencies = [ dependencies = [
"enum-iterator", "enum-iterator",
"gloo", "gloo",
@ -3782,7 +3782,7 @@ dependencies = [
[[package]] [[package]]
name = "nss_kanidm" name = "nss_kanidm"
version = "1.2.0" version = "1.2.1"
dependencies = [ dependencies = [
"kanidm_unix_int", "kanidm_unix_int",
"lazy_static", "lazy_static",
@ -4163,7 +4163,7 @@ checksum = "04744f49eae99ab78e0d5c0b603ab218f515ea8cfe5a456d7629ad883a3b6e7d"
[[package]] [[package]]
name = "orca" name = "orca"
version = "1.2.0" version = "1.2.1"
dependencies = [ dependencies = [
"async-trait", "async-trait",
"clap", "clap",
@ -4204,7 +4204,7 @@ checksum = "b15813163c1d831bf4a13c3610c05c0d03b39feb07f7e09fa234dac9b15aaf39"
[[package]] [[package]]
name = "pam_kanidm" name = "pam_kanidm"
version = "1.2.0" version = "1.2.1"
dependencies = [ dependencies = [
"kanidm_unix_int", "kanidm_unix_int",
"libc", "libc",
@ -5324,7 +5324,7 @@ dependencies = [
[[package]] [[package]]
name = "sketching" name = "sketching"
version = "1.2.0" version = "1.2.1"
dependencies = [ dependencies = [
"gethostname", "gethostname",
"num_enum", "num_enum",


@ -32,7 +32,7 @@ members = [
] ]
[workspace.package] [workspace.package]
version = "1.2.0" version = "1.2.1"
authors = [ authors = [
"William Brown <william@blackhats.net.au>", "William Brown <william@blackhats.net.au>",
"James Hodgkinson <james@terminaloutcomes.com>", "James Hodgkinson <james@terminaloutcomes.com>",
@ -78,19 +78,19 @@ repository = "https://github.com/kanidm/kanidm/"
# kanidm-hsm-crypto = { path = "../hsm-crypto" } # kanidm-hsm-crypto = { path = "../hsm-crypto" }
[workspace.dependencies] [workspace.dependencies]
kanidmd_core = { path = "./server/core", version = "=1.2.0" } kanidmd_core = { path = "./server/core", version = "=1.2" }
kanidmd_lib = { path = "./server/lib", version = "=1.2.0" } kanidmd_lib = { path = "./server/lib", version = "=1.2" }
kanidmd_lib_macros = { path = "./server/lib-macros", version = "=1.2.0" } kanidmd_lib_macros = { path = "./server/lib-macros", version = "=1.2" }
kanidmd_testkit = { path = "./server/testkit", version = "=1.2.0" } kanidmd_testkit = { path = "./server/testkit", version = "=1.2" }
kanidm_build_profiles = { path = "./libs/profiles", version = "=1.2.0" } kanidm_build_profiles = { path = "./libs/profiles", version = "=1.2" }
kanidm_client = { path = "./libs/client", version = "=1.2.0" } kanidm_client = { path = "./libs/client", version = "=1.2" }
kanidm-hsm-crypto = "^0.1.6" kanidm-hsm-crypto = "^0.1.6"
kanidm_lib_crypto = { path = "./libs/crypto", version = "=1.2.0" } kanidm_lib_crypto = { path = "./libs/crypto", version = "=1.2" }
kanidm_lib_file_permissions = { path = "./libs/file_permissions", version = "=1.2.0" } kanidm_lib_file_permissions = { path = "./libs/file_permissions", version = "=1.2" }
kanidm_proto = { path = "./proto", version = "=1.2.0" } kanidm_proto = { path = "./proto", version = "=1.2" }
kanidm_unix_int = { path = "./unix_integration", version = "=1.2.0" } kanidm_unix_int = { path = "./unix_integration", version = "=1.2" }
kanidm_utils_users = { path = "./libs/users", version = "=1.2.0" } kanidm_utils_users = { path = "./libs/users", version = "=1.2" }
sketching = { path = "./libs/sketching", version = "=1.2.0" } sketching = { path = "./libs/sketching", version = "=1.2" }
serde_with = "3.7.0" serde_with = "3.7.0"
argon2 = { version = "0.5.3", features = ["alloc"] } argon2 = { version = "0.5.3", features = ["alloc"] }


@ -1,6 +1,6 @@
IMAGE_BASE ?= kanidm IMAGE_BASE ?= kanidm
IMAGE_VERSION ?= devel IMAGE_VERSION ?= devel
IMAGE_EXT_VERSION ?= 1.2.0 IMAGE_EXT_VERSION ?= 1.2.1
CONTAINER_TOOL_ARGS ?= CONTAINER_TOOL_ARGS ?=
IMAGE_ARCH ?= "linux/amd64,linux/arm64" IMAGE_ARCH ?= "linux/amd64,linux/arm64"
CONTAINER_BUILD_ARGS ?= CONTAINER_BUILD_ARGS ?=


@ -342,6 +342,7 @@ pub trait IdlArcSqliteTransaction {
fn get_identry_raw(&self, idl: &IdList) -> Result<Vec<IdRawEntry>, OperationError>; fn get_identry_raw(&self, idl: &IdList) -> Result<Vec<IdRawEntry>, OperationError>;
#[allow(dead_code)]
fn exists_idx(&mut self, attr: &str, itype: IndexType) -> Result<bool, OperationError>; fn exists_idx(&mut self, attr: &str, itype: IndexType) -> Result<bool, OperationError>;
fn get_idl( fn get_idl(
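Review bot: The `#[allow(dead_code)]` added above `exists_idx` carries no explanation of why an unused trait method is being kept, and an unexplained lint suppression is exactly what hides an accidentally dropped call site later. Either a one-line comment stating the reason it is retained (for example `// Unused in the main server path; kept for index diagnostics — remove if no caller appears`, adjusted to whatever the real reason is) or removing the method until a caller exists would be clearer than a bare allow. The `IdlArcSqliteTransaction` trait starts before this hunk and continues after it.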


@ -788,7 +788,7 @@ lazy_static! {
Attribute::Description, Attribute::Description,
Value::new_utf8s("System (local) info and metadata object.") Value::new_utf8s("System (local) info and metadata object.")
), ),
(Attribute::Version, Value::Uint32(19)) (Attribute::Version, Value::Uint32(20))
); );
pub static ref E_DOMAIN_INFO_V1: EntryInitNew = entry_init!( pub static ref E_DOMAIN_INFO_V1: EntryInitNew = entry_init!(


@ -13,7 +13,7 @@ use crate::utils::uuid_to_gid_u32;
/// system uids from 0 - 1000, and many others give user ids between 1000 to /// system uids from 0 - 1000, and many others give user ids between 1000 to
/// 2000. This whole numberspace is cursed, lets assume it's not ours. :( /// 2000. This whole numberspace is cursed, lets assume it's not ours. :(
/// ///
/// Per https://systemd.io/UIDS-GIDS/, systemd claims a huge chunk of this /// Per <https://systemd.io/UIDS-GIDS/>, systemd claims a huge chunk of this
/// space to itself. As a result we can't allocate between 65536 and u32 max /// space to itself. As a result we can't allocate between 65536 and u32 max
/// because systemd takes most of the usable range for its own containers, /// because systemd takes most of the usable range for its own containers,
/// and half the range is probably going to trigger linux kernel issues. /// and half the range is probably going to trigger linux kernel issues.


@ -163,6 +163,7 @@ trait Plugin {
Err(OperationError::InvalidState) Err(OperationError::InvalidState)
} }
#[allow(dead_code)]
fn pre_repl_incremental( fn pre_repl_incremental(
_qs: &mut QueryServerWriteTransaction, _qs: &mut QueryServerWriteTransaction,
_cand: &mut [(EntryIncrementalCommitted, Arc<EntrySealedCommitted>)], _cand: &mut [(EntryIncrementalCommitted, Arc<EntrySealedCommitted>)],


@ -119,8 +119,10 @@ impl KeyProviders {
} }
pub trait KeyProvidersTransaction { pub trait KeyProvidersTransaction {
#[allow(dead_code)]
fn get_uuid(&self, key_provider_uuid: Uuid) -> Option<&KeyProvider>; fn get_uuid(&self, key_provider_uuid: Uuid) -> Option<&KeyProvider>;
#[allow(dead_code)]
fn get_key_object(&self, key_object_uuid: Uuid) -> Option<KeyObjectRef>; fn get_key_object(&self, key_object_uuid: Uuid) -> Option<KeyObjectRef>;
fn get_key_object_handle(&self, key_object_uuid: Uuid) -> Option<Arc<KeyObject>>; fn get_key_object_handle(&self, key_object_uuid: Uuid) -> Option<Arc<KeyObject>>;
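Review bot: `get_uuid` and `get_key_object` on `KeyProvidersTransaction` are now marked `#[allow(dead_code)]` with no comment saying why two lookup methods on the key-material trait are retained without a caller. For a trait that fronts signing/encryption key objects I would want either a short comment above each naming the intended use (or the test that needs it) or the methods removed until something calls them, since a silenced dead-code warning is also what would mask a call site being lost in a refactor. The trait body continues past the end of the hunk.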


@ -161,12 +161,29 @@ impl QueryServer {
// No domain info was present, so neither was the rest of the IDM. We need to bootstrap // No domain info was present, so neither was the rest of the IDM. We need to bootstrap
// the base entries here. // the base entries here.
if db_domain_version == 0 { if db_domain_version == 0 {
// In this path because we create the dyn groups they are immediately added to the
// dyngroup cache and begin to operate.
write_txn.initialise_idm()?; write_txn.initialise_idm()?;
} } else {
// #2756 - if we *aren't* creating the base IDM entries, then we
// need to force dyn groups to reload since we're now at schema
// ready. This is done indiretly by ... reloading the schema again.
//
// This is because dyngroups don't load until server phase >= schemaready
// and the reload path for these is either a change in the dyngroup entry
// itself or a change to schema reloading. Since we aren't changing the
// dyngroup here, we have to go via the schema reload path.
write_txn.force_schema_reload();
};
// Reload as init idm affects access controls. // Reload as init idm affects access controls.
write_txn.reload()?; write_txn.reload()?;
// # 2756 - automate the fix for dyngroups
if system_info_version < 20 {
write_txn.migrate_19_to_20()?;
}
// Domain info is now ready and reloaded, we can proceed. // Domain info is now ready and reloaded, we can proceed.
write_txn.set_phase(ServerPhase::DomainInfoReady); write_txn.set_phase(ServerPhase::DomainInfoReady);
@ -735,6 +752,28 @@ impl<'a> QueryServerWriteTransaction<'a> {
}) })
} }
#[instrument(level = "info", skip_all)]
/// Automate fix for #2756 - touch all dyngroups to force them to re-consider and re-write
/// their members.
pub fn migrate_19_to_20(&mut self) -> Result<(), OperationError> {
admin_warn!("starting 19 to 20 migration.");
debug_assert!(*self.phase >= ServerPhase::SchemaReady);
let filter = filter!(f_eq(
Attribute::Class,
EntryClass::DynGroup.into()
));
let modlist = modlist!([m_pres(Attribute::Class, &EntryClass::DynGroup.into())]);
self.internal_modify(
&filter, &modlist
)
.map(|()| {
info!("forced dyngroups to re-calculate memberships");
})
}
#[instrument(level = "info", skip_all)] #[instrument(level = "info", skip_all)]
/// This migration will /// This migration will
/// * Trigger a "once off" mfa account policy rule on all persons. /// * Trigger a "once off" mfa account policy rule on all persons.
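Review bot: `migrate_19_to_20` only guards its precondition with `debug_assert!(*self.phase >= ServerPhase::SchemaReady)`, so in a release build a call made before schema-ready would run the modify with the dyngroup plugin not yet active and report success while fixing nothing; a real check such as `if *self.phase < ServerPhase::SchemaReady { admin_error!("migrate_19_to_20 called before schema ready"); return Err(OperationError::InvalidState); }` would make the failure visible. Two smaller points: the `20` in `if system_info_version < 20` duplicates the `Value::Uint32(20)` in the `E_SYSTEM_INFO_V1` constant and would be safer as one named constant used by both, and I cannot see in this hunk where the stored system-info version is advanced to 20 after the migration, so please confirm it is persisted, otherwise the touch of every dyngroup and the `admin_warn!` repeat on every start. The new comment's `indiretly` should read `indirectly`. The enclosing startup function begins before the first hunk and continues after it; `migrate_19_to_20` itself is complete within the second hunk.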


@ -13,6 +13,7 @@ use std::collections::BTreeSet;
const PEOPLE_PREFIX: &str = "person"; const PEOPLE_PREFIX: &str = "person";
#[derive(Debug)] #[derive(Debug)]
#[allow(dead_code)]
pub struct PartialGroup { pub struct PartialGroup {
pub name: String, pub name: String,
pub members: BTreeSet<String>, pub members: BTreeSet<String>,