diff --git a/Cargo.lock b/Cargo.lock index 5b3bff811..b15221bad 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -19,9 +19,9 @@ checksum = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe" [[package]] name = "ahash" -version = "0.7.7" +version = "0.7.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5a824f2aa7e75a0c98c5a504fceb80649e9c35265d44525b5f94de4771a395cd" +checksum = "891477e0c6a8957309ee5c45a6368af3ae14bb510732d2684ffa19af310920f9" dependencies = [ "getrandom", "once_cell", @@ -30,9 +30,9 @@ dependencies = [ [[package]] name = "ahash" -version = "0.8.7" +version = "0.8.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "77c3a9648d43b9cd48db467b3f87fdd6e146bcc88ab0180006cef2179fe11d01" +checksum = "42cd52102d3df161c77a887b608d7a4897d7cc112886a9537b738a887a03aaff" dependencies = [ "cfg-if", "getrandom", @@ -475,6 +475,29 @@ dependencies = [ "serde", ] +[[package]] +name = "bindgen" +version = "0.66.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f2b84e06fc203107bfbad243f4aba2af864eb7db3b1cf46ea0a023b0b433d2a7" +dependencies = [ + "bitflags 2.4.2", + "cexpr", + "clang-sys", + "lazy_static", + "lazycell", + "log", + "peeking_take_while", + "prettyplease 0.2.16", + "proc-macro2", + "quote", + "regex", + "rustc-hash", + "shlex", + "syn 2.0.48", + "which", +] + [[package]] name = "bindgen" version = "0.69.4" @@ -515,9 +538,9 @@ checksum = "349f9b6a179ed607305526ca489b34ad0a41aed5f7980fa90eb03160b69598fb" [[package]] name = "bitfield" -version = "0.14.0" +version = "0.13.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2d7e60934ceec538daadb9d8432424ed043a904d8e0243f3c6446bce549a46ac" +checksum = "46afbd2983a5d5a7bd740ccb198caf5b82f45c40c09c0eed36052d91cb92e719" [[package]] name = "bitflags" 
@@ -616,9 +639,9 @@ checksum = "e1e5f035d16fc623ae5f74981db80a439803888314e3a555fd6f04acd51a3205" [[package]] name = "bytemuck" -version = "1.14.2" +version = "1.14.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ea31d69bda4949c1c1562c1e6f042a1caefac98cdc8a298260a2ff41c1e2d42b" +checksum = "a2ef034f05691a48569bd920a96c81b9d91bbad1ab5ac7c4616c1f6ef36cb79f" [[package]] name = "byteorder" @@ -671,9 +694,9 @@ checksum = "17cc5e6b5ab06331c33589842070416baa137e8b0eb912b008cfd4a78ada7919" [[package]] name = "chrono" -version = "0.4.33" +version = "0.4.34" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9f13690e35a5e4ace198e7beea2895d29f3a9cc55015fcebe6336bd2010af9eb" +checksum = "5bc015644b92d5890fab7489e49d21f879d5c990186827d42ec511919404f38b" dependencies = [ "android-tzdata", "iana-time-zone", @@ -724,9 +747,9 @@ dependencies = [ [[package]] name = "clap" -version = "4.4.18" +version = "4.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1e578d6ec4194633722ccf9544794b71b1385c3c027efe0c55db226fc880865c" +checksum = "80c21025abd42669a92efc996ef13cfb2c5c627858421ea58d5c3b331a6c134f" dependencies = [ "clap_builder", "clap_derive", 
@@ -734,30 +757,30 @@ dependencies = [ [[package]] name = "clap_builder" -version = "4.4.18" +version = "4.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4df4df40ec50c46000231c914968278b1eb05098cf8f1b3a518a95030e71d1c7" +checksum = "458bf1f341769dfcf849846f65dffdf9146daa56bcd2a47cb4e1de9915567c99" dependencies = [ "anstream", "anstyle", "clap_lex", - "strsim", + "strsim 0.11.0", ] [[package]] name = "clap_complete" -version = "4.4.10" +version = "4.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "abb745187d7f4d76267b37485a65e0149edd0e91a4cfcdd3f27524ad86cee9f3" +checksum = "299353be8209bd133b049bf1c63582d184a8b39fd9c04f15fe65f50f88bdfe6c" dependencies = [ "clap", ] [[package]] name = "clap_derive" -version = "4.4.7" +version = "4.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cf9804afaaf59a91e75b022a30fb7229a7901f60c755489cc61c9b423b836442" +checksum = "307bc0538d5f0f83b8248db3087aa92fe504e4691294d0c96c0eabc33f47ba47" dependencies = [ "heck", "proc-macro2", @@ -767,9 +790,9 @@ dependencies = [ [[package]] name = "clap_lex" -version = "0.6.0" +version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "702fc72eb24e5a1e48ce58027a675bc24edd52096d5397d4aea7c6dd9eca0bd1" +checksum = "98cc8fbded0c607b7ba9dd60cd98df59af97e84d24e49c8557331cfc26d301ce" [[package]] name = "clru" @@ -808,9 +831,9 @@ dependencies = [ [[package]] name = "compact_jwt" -version = "0.3.3" +version = "0.3.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1c88e50516e010f137593b9e80dab437bc82c7c7bb4c5bf5dd042e30b0807dd7" +checksum = "46f626dea95ae258f9d05d2ac8e2fdb1ed98d183e0797ef304b88f205d423144" dependencies = [ "base64 0.21.7", "base64urlsafedata", 
@@ -830,7 +853,7 @@ version = "0.4.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0be4dc68bd9c37bcbd4670a644cc47494636d3e345d8d3b6db8bcd8ea65048c9" dependencies = [ - "ahash 0.7.7", + "ahash 0.7.8", "crossbeam-epoch", "crossbeam-queue", "crossbeam-utils", @@ -930,9 +953,9 @@ dependencies = [ [[package]] name = "crc32fast" -version = "1.3.2" +version = "1.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b540bd8bc810d3885c6ea91e2018302f68baba2129ab3e88f32389ee9370880d" +checksum = "b3855a8a784b474f333699ef2bbca9db2c4a1f6d9088a90a2d25b1eb53111eaa" dependencies = [ "cfg-if", ] @@ -1136,7 +1159,7 @@ dependencies = [ "ident_case", "proc-macro2", "quote", - "strsim", + "strsim 0.10.0", "syn 1.0.109", ] @@ -1150,7 +1173,7 @@ dependencies = [ "ident_case", "proc-macro2", "quote", - "strsim", + "strsim 0.10.0", "syn 2.0.48", ] @@ -1357,9 +1380,9 @@ checksum = "545b22097d44f8a9581187cdf93de7a71e4722bf51200cfaba810865b49a495d" [[package]] name = "either" -version = "1.9.0" +version = "1.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a26ae43d7bcc3b814de94796a5e736d4029efb0ee900c12e2d54c993ad1a1e07" +checksum = "11157ac094ffbdde99aa67b23417ebdd801842852b500e395a45a9c0aac03e4a" [[package]] name = "encode_unicode" 
@@ -1398,18 +1421,18 @@ dependencies = [ [[package]] name = "enumflags2" -version = "0.7.8" +version = "0.7.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5998b4f30320c9d93aed72f63af821bfdac50465b75428fce77b48ec482c3939" +checksum = "3278c9d5fb675e0a51dabcf4c0d355f692b064171535ba72361be1528a9d8e8d" dependencies = [ "enumflags2_derive", ] [[package]] name = "enumflags2_derive" -version = "0.7.8" +version = "0.7.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f95e2801cd355d4a1a3e3953ce6ee5ae9603a5c833455343a8bfe3f44d418246" +checksum = "5c785274071b1b420972453b306eeca06acf4633829db4223b58a2a8c5953bc4" dependencies = [ "proc-macro2", "quote", @@ -1434,9 +1457,9 @@ dependencies = [ [[package]] name = "escargot" -version = "0.5.8" +version = "0.5.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "768064bd3a0e2bedcba91dc87ace90beea91acc41b6a01a3ca8e9aa8827461bf" +checksum = "704ab670cffff92792405528eb8ec3d9f00be8939d56d947f6bc809f9ae249f8" dependencies = [ "log", "once_cell", @@ -2456,7 +2479,7 @@ dependencies = [ "futures-sink", "futures-util", "http", - "indexmap 2.2.2", + "indexmap 2.2.3", "slab", "tokio", "tokio-util", @@ -2485,7 +2508,7 @@ version = "0.12.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8a9ee70c43aaf417c914396645a0fa852624801b24ebb7ae78fe8272889ac888" dependencies = [ - "ahash 0.7.7", + "ahash 0.7.8", ] [[package]] @@ -2494,7 +2517,7 @@ version = "0.13.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "43a3c133739dddd0d2990f9a4bdf8eb4b21ef50e4851ca85ab661199821d510e" dependencies = [ - "ahash 0.8.7", + "ahash 0.8.8", ] [[package]] @@ -2503,7 +2526,7 @@ version = "0.14.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "290f1a1d9242c78d09ce40a5e87e7554ee637af1351968159f4952f028f75604" dependencies = [ - "ahash 0.8.7", + "ahash 0.8.8", "allocator-api2", "serde", ] 
@@ -2549,9 +2572,9 @@ checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8" [[package]] name = "hermit-abi" -version = "0.3.5" +version = "0.3.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d0c62115964e08cb8039170eb33c1d0e2388a256930279edca206fff675f82c3" +checksum = "bd5256b483761cd23699d0da46cc6fd2ee3be420bbe6d020ae4a091e70b7e9fd" [[package]] name = "hex" @@ -2773,9 +2796,9 @@ dependencies = [ [[package]] name = "indexmap" -version = "2.2.2" +version = "2.2.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "824b2ae422412366ba479e8111fd301f7b5faece8149317bb81925979a53f520" +checksum = "233cf39063f058ea2caae4091bf4a3ef70a653afbc026f5c4a4135d114e3c177" dependencies = [ "equivalent", "hashbrown 0.14.3", @@ -2819,12 +2842,12 @@ checksum = "8f518f335dce6725a761382244631d86cf0ccb2863413590b31338feb467f9c3" [[package]] name = "is-terminal" -version = "0.4.10" +version = "0.4.12" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0bad00257d07be169d870ab665980b06cdb366d792ad690bf2e76876dc503455" +checksum = "f23ff5ef2b80d608d61efee834934d862cd92461afc0560dedf493e4c033738b" dependencies = [ "hermit-abi", - "rustix", + "libc", "windows-sys 0.52.0", ] @@ -2863,9 +2886,9 @@ checksum = "b1a46d1a171d865aa5f83f92695765caa047a9b4cbae2cbf37dbd613a793fd4c" [[package]] name = "jobserver" -version = "0.1.27" +version = "0.1.28" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8c37f63953c4c63420ed5fd3d6d398c719489b9f872b9fa683262f8edd363c7d" +checksum = "ab46a6e9526ddef3ae7f787c06f0f2600639ba80ea3eade3d8e670a2230f51d6" dependencies = [ "libc", ] @@ -2891,7 +2914,7 @@ version = "0.17.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2a071f4f7efc9a9118dfb627a0a94ef247986e1ab8606a4c806ae2b3aa3b6978" dependencies = [ - "ahash 0.8.7", + "ahash 0.8.8", "anyhow", "base64 0.21.7", "bytecount", 
@@ -2917,9 +2940,9 @@ dependencies = [ [[package]] name = "kanidm-hsm-crypto" -version = "0.1.5" +version = "0.1.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0605892a3d0aca88b43a2d60a381ff7307c2c741d64ff87fb7c763556305791d" +checksum = "e94124838cdc13bc8eeee3ef525e0bb4c2a86c0107f810216a8cb20c30f36557" dependencies = [ "argon2", "hex", @@ -2927,6 +2950,7 @@ dependencies = [ "serde", "tracing", "tss-esapi", + "tss-esapi-sys", "zeroize", ] @@ -3064,7 +3088,7 @@ dependencies = [ "async-recursion", "clap", "clap_complete", - "compact_jwt 0.3.3", + "compact_jwt 0.3.4", "dialoguer", "futures-concurrency", "kanidm_build_profiles", @@ -3117,6 +3141,7 @@ dependencies = [ "prctl", "rpassword 7.3.1", "rusqlite", + "sd-notify", "selinux", "serde", "serde_json", @@ -3148,7 +3173,7 @@ dependencies = [ "axum-server", "bytes", "chrono", - "compact_jwt 0.3.3", + "compact_jwt 0.3.4", "cron", "filetime", "futures", @@ -3195,7 +3220,7 @@ version = "1.2.0-dev" dependencies = [ "base64 0.21.7", "base64urlsafedata", - "compact_jwt 0.3.3", + "compact_jwt 0.3.4", "concread", "criterion", "dyn-clone", @@ -3260,7 +3285,7 @@ name = "kanidmd_testkit" version = "1.2.0-dev" dependencies = [ "assert_cmd", - "compact_jwt 0.3.3", + "compact_jwt 0.3.4", "escargot", "fantoccini", "futures", @@ -3582,6 +3607,12 @@ dependencies = [ "hashbrown 0.12.3", ] +[[package]] +name = "malloced" +version = "1.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6dfebb2f9e0b39509c62eead6ec7ae0c0ed45bb61d12bbcf4e976c566c5400ec" + [[package]] name = "matchers" version = "0.1.0" @@ -3606,17 +3637,6 @@ dependencies = [ "rand", ] -[[package]] -name = "mbox" -version = "0.6.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0f88d5c34d63aad11aa4321ef55ccb064af58b3ad8091079ae22bf83e5eb75d6" -dependencies = [ - "libc", - "rustc_version", - "stable_deref_trait", -] - [[package]] name = "memchr" version = "2.7.1" 
@@ -3860,32 +3880,20 @@ dependencies = [ "syn 1.0.109", ] -[[package]] -name = "num-derive" -version = "0.4.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ed3955f1a9c7c0c15e092f9c887db08b1fc683305fdf6eb6684f22555355e202" -dependencies = [ - "proc-macro2", - "quote", - "syn 2.0.48", -] - [[package]] name = "num-integer" -version = "0.1.45" +version = "0.1.46" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "225d3389fb3509a24c93f5c29eb6bde2586b98d9f016636dff58d7c6f7569cd9" +checksum = "7969661fd2958a5cb096e56c8e1ad0444ac2bbcd0061bd28660485a44879858f" dependencies = [ - "autocfg", "num-traits", ] [[package]] name = "num-iter" -version = "0.1.43" +version = "0.1.44" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7d03e6c028c5dc5cac6e2dec0efda81fc887605bb3d884578bb6d6bf7514e252" +checksum = "d869c01cc0c455284163fd0092f1f93835385ccab5a98a0dcc497b2f8bf055a9" dependencies = [ "autocfg", "num-integer", @@ -3917,9 +3925,9 @@ dependencies = [ [[package]] name = "num-traits" -version = "0.2.17" +version = "0.2.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "39e3200413f237f41ab11ad6d161bc7239c84dcb631773ccd7de3dfe4b5c267c" +checksum = "da0df0e5185db44f69b44f26786fe401b6c293d1907744beaa7fa62b2e5a517a" dependencies = [ "autocfg", ] @@ -4320,6 +4328,12 @@ dependencies = [ "proc-macro-hack", ] +[[package]] +name = "peeking_take_while" +version = "0.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "19b17cddbe7ec3f8bc800887bab5e717348c95ea2ca0b1bf0837fb964dc67099" + [[package]] name = "peg" version = "0.8.2" 
@@ -4353,17 +4367,6 @@ version = "2.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e" -[[package]] -name = "pest" -version = "2.7.7" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "219c0dcc30b6a27553f9cc242972b67f75b60eb0db71f0b5462f38b058c41546" -dependencies = [ - "memchr", - "thiserror", - "ucd-trie", -] - [[package]] name = "petgraph" version = "0.6.4" @@ -4371,7 +4374,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e1d3afd2628e69da2be385eb6f2fd57c8ac7977ceeff6dc166ff1657b0e386a9" dependencies = [ "fixedbitset", - "indexmap 2.2.2", + "indexmap 2.2.3", "serde", "serde_derive", ] @@ -4980,15 +4983,6 @@ version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "08d43f7aa6b08d49f382cde6a7982047c3426db949b1424bc4b7ec9ae12c6ce2" -[[package]] -name = "rustc_version" -version = "0.3.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f0dfe2087c51c460008730de8b57e6a320782fbfb312e1f4d520e6c6fae155ee" -dependencies = [ - "semver", -] - [[package]] name = "rusticata-macros" version = "4.1.0" @@ -5128,7 +5122,7 @@ version = "0.6.8" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d6d6e616814290fe172d6514bebd9b723733ba7d68e1ab74d341a90b99a36bb4" dependencies = [ - "bindgen", + "bindgen 0.69.4", "cc", "dunce", "walkdir", 
@@ -5136,21 +5130,9 @@ dependencies = [ [[package]] name = "semver" -version = "0.11.0" +version = "1.0.21" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f301af10236f6df4160f7c3f04eec6dbc70ace82d23326abad5edee88801c6b6" -dependencies = [ - "semver-parser", -] - -[[package]] -name = "semver-parser" -version = "0.10.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "00b0bef5b7f9e0df16536d3961cfb6e84331c065b4066afb39768d0e319411f7" -dependencies = [ - "pest", -] +checksum = "b97ed7a9823b74f99c7742f5336af7be5ecd3eeafcb1507d1fa93347b1d589b0" [[package]] name = "serde" @@ -5258,16 +5240,17 @@ dependencies = [ [[package]] name = "serde_with" -version = "3.6.0" +version = "3.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1b0ed1662c5a68664f45b76d18deb0e234aff37207086803165c961eb695e981" +checksum = "15d167997bd841ec232f5b2b8e0e26606df2e7caa4c31b95ea9ca52b200bd270" dependencies = [ "base64 0.21.7", "chrono", "hex", "indexmap 1.9.3", - "indexmap 2.2.2", + "indexmap 2.2.3", "serde", + "serde_derive", "serde_json", "serde_with_macros", "time", @@ -5275,9 +5258,9 @@ dependencies = [ [[package]] name = "serde_with_macros" -version = "3.6.0" +version = "3.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "568577ff0ef47b879f736cd66740e022f3672788cdf002a05a4e609ea5a6fb15" +checksum = "865f9743393e638991566a8b7a479043c2c8da94a33e0a31f18214c9cae0a64d" dependencies = [ "darling 0.20.5", "proc-macro2", @@ -5479,12 +5462,6 @@ dependencies = [ "sha2 0.8.2", ] -[[package]] -name = "stable_deref_trait" -version = "1.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a8f112729512f8e442d81f95a8a7ddf2b7c6b8a1a6f509a95864142b30cab2d3" - [[package]] name = "static_assertions" version = "1.1.0" 
@@ -5497,6 +5474,12 @@ version = "0.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623" +[[package]] +name = "strsim" +version = "0.11.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5ee073c9e4cd00e28217186dbe12796d692868f432bf2e97ee73bed0c56dfa01" + [[package]] name = "subtle" version = "2.5.0" @@ -5605,18 +5588,18 @@ dependencies = [ [[package]] name = "thiserror" -version = "1.0.56" +version = "1.0.57" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d54378c645627613241d077a3a79db965db602882668f9136ac42af9ecb730ad" +checksum = "1e45bcbe8ed29775f228095caf2cd67af7a4ccf756ebff23a306bf3e8b47b24b" dependencies = [ "thiserror-impl", ] [[package]] name = "thiserror-impl" -version = "1.0.56" +version = "1.0.57" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fa0faa943b50f3db30a20aa7e265dbc66076993efed8463e8de414e5d06d3471" +checksum = "a953cb265bef375dae3de6663da4d3804eee9682ea80d8e2542529b73c531c81" dependencies = [ "proc-macro2", "quote", @@ -5819,7 +5802,7 @@ version = "0.19.15" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1b5bb770da30e5cbfde35a2d7b9b8a2c4b8ef89548a7a6aeab5c9a576e3e7421" dependencies = [ - "indexmap 2.2.2", + "indexmap 2.2.3", "toml_datetime", "winnow", ] 
@@ -6037,21 +6020,24 @@ checksum = "e421abadd41a4225275504ea4d6566923418b7f05506fbc9c0fe86ba7396114b" [[package]] name = "tss-esapi" -version = "7.4.0" +version = "8.0.0-alpha" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "de234df360c349f78ecd33f0816ab3842db635732212b5cfad67f2638336864e" +checksum = "3c1617a46161846de3a3d3e407cd30cb345599bc5e440c3907a59b34b75a2731" dependencies = [ "bitfield", + "cfg-if", "enumflags2", "hostname-validator", "log", - "mbox", - "num-derive 0.4.2", + "malloced", + "num-derive", "num-traits", "oid", + "paste 1.0.14", "picky-asn1", "picky-asn1-x509", "regex", + "semver", "serde", "tss-esapi-sys", "zeroize", @@ -6063,6 +6049,7 @@ version = "0.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "535cd192581c2ec4d5f82e670b1d3fbba6a23ccce8c85de387642051d7cad5b5" dependencies = [ + "bindgen 0.66.1", "pkg-config", "target-lexicon", ] @@ -6073,12 +6060,6 @@ version = "1.17.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "42ff0bf0c66b8238c6f3b578df37d0b7848e55df8577b3f74f92a69acceeb825" -[[package]] -name = "ucd-trie" -version = "0.1.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ed646292ffc8188ef8ea4d1e0e0150fb15a5c2e12ad9b8fc191ae7a8a7f3c4b9" - [[package]] name = "unicase" version = "2.7.0" @@ -6117,9 +6098,9 @@ dependencies = [ [[package]] name = "unicode-segmentation" -version = "1.10.1" +version = "1.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1dd624098567895118886609431a7c3b8f516e41d30e0643f03d94592a147e36" +checksum = "d4c87d22b6e3f4a18d4d40ef354e97c90fcb14dd91d7dc0aa9d8a1172ebf7202" [[package]] name = "unicode-width" 
@@ -6163,7 +6144,7 @@ version = "4.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "272ebdfbc99111033031d2f10e018836056e4d2c8e2acda76450ec7974269fa7" dependencies = [ - "indexmap 2.2.2", + "indexmap 2.2.3", "serde", "serde_json", "utoipa-gen", @@ -6405,7 +6386,7 @@ dependencies = [ "futures", "hex", "nom", - "num-derive 0.3.3", + "num-derive", "num-traits", "openssl", "rpassword 5.0.1", @@ -6754,9 +6735,9 @@ checksum = "dff9641d1cd4be8d1a070daf9e3773c5f67e78b4d9d42263020c057706765c04" [[package]] name = "winnow" -version = "0.5.39" +version = "0.5.40" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5389a154b01683d28c77f8f68f49dea75f0a4da32557a58f68ee51ebba472d29" +checksum = "f593a95398737aeed53e489c785df13f3618e41dbcd6718c6addbf1395aa6876" dependencies = [ "memchr", ] diff --git a/Cargo.toml b/Cargo.toml index 5908fa708..c6de834f5 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -84,7 +84,7 @@ kanidmd_lib_macros = { path = "./server/lib-macros", version = "=1.2.0-dev" } kanidmd_testkit = { path = "./server/testkit", version = "=1.2.0-dev" } kanidm_build_profiles = { path = "./libs/profiles", version = "=1.2.0-dev" } kanidm_client = { path = "./libs/client", version = "=1.2.0-dev" } -kanidm-hsm-crypto = "^0.1.5" +kanidm-hsm-crypto = "^0.1.6" kanidm_lib_crypto = { path = "./libs/crypto", version = "=1.2.0-dev" } kanidm_lib_file_permissions = { path = "./libs/file_permissions", version = "=1.2.0-dev" } kanidm_proto = { path = "./proto", version = "=1.2.0-dev" } @@ -116,7 +116,7 @@ clap = { version = "^4.4.8", features = ["derive", "env"] } clap_complete = "^4.4.4" # Forced by saffron/cron chrono = "^0.4.31" -compact_jwt = { version = "^0.3.3", default-features = false } +compact_jwt = { version = "^0.3.4", default-features = false } concread = "^0.4.4" cron = "0.12.0" crossbeam = "0.8.1" diff --git a/examples/unixd b/examples/unixd index 516b7c828..7dd8b96c1 100644 --- a/examples/unixd +++ b/examples/unixd 
@@ -15,8 +15,10 @@ pam_allowed_login_groups = ["posix_group"] # # * soft: A software hsm that encrypts all local key material # * tpm: Use a tpm for all key storage and binding +# * tpm_if_possible: If a hardware tpm exists it is used, otherwise fall back to the software tpm. +# If the hardware tpm has previously been used, software tpm will not be used. # -# Default: soft +# Default: tpm_if_possible # hsm_type = "tpm" diff --git a/platform/opensuse/kanidm-unixd-tasks.service b/platform/opensuse/kanidm-unixd-tasks.service index 4aabbb8eb..11d298275 100644 --- a/platform/opensuse/kanidm-unixd-tasks.service +++ b/platform/opensuse/kanidm-unixd-tasks.service @@ -7,7 +7,7 @@ After=chronyd.service ntpd.service network-online.target kanidm-unixd.service [Service] User=root -Type=simple +Type=notify ExecStart=/usr/sbin/kanidm_unixd_tasks CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH diff --git a/platform/opensuse/kanidm-unixd.service b/platform/opensuse/kanidm-unixd.service index f817189af..32c2fbd7a 100644 --- a/platform/opensuse/kanidm-unixd.service +++ b/platform/opensuse/kanidm-unixd.service @@ -18,7 +18,7 @@ CacheDirectory=kanidm-unixd RuntimeDirectory=kanidm-unixd StateDirectory=kanidm-unixd -Type=simple +Type=notify ExecStart=/usr/sbin/kanidm_unixd ## If you wish to setup an external HSM pin you should set: diff --git a/server/daemon/src/main.rs b/server/daemon/src/main.rs index 9d189b9e6..e52da20b8 100644 --- a/server/daemon/src/main.rs +++ b/server/daemon/src/main.rs @@ -229,7 +229,10 @@ fn main() -> ExitCode { // On linux when debug assertions are disabled, prevent ptrace // from attaching to us. #[cfg(all(target_os = "linux", not(debug_assertions)))] - prctl::set_dumpable(false); + if let Err(code) = prctl::set_dumpable(false) { + eprintln!(?code, "CRITICAL: Unable to set prctl flags"); + return ExitCode::FAILURE; + } let maybe_rt = tokio::runtime::Builder::new_multi_thread() .enable_all() 
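Review bot: `eprintln!(?code, "CRITICAL: Unable to set prctl flags");` in the new error branch of main.rs does not compile as written: std's `eprintln!` takes a format string literal as its first argument, and the `?code` field shorthand is tracing-macro syntax. Because the line sits under `#[cfg(all(target_os = "linux", not(debug_assertions)))]`, debug builds and most CI runs never compile it, so the breakage only surfaces in a release build on Linux. Write it as `eprintln!("CRITICAL: Unable to set prctl flags: {:?}", code);`. The identical line appears in the daemon.rs hunk at `@@ -467,12 +467,53 @@`. The body of `main` continues outside the hunk.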
diff --git a/unix_integration/Cargo.toml b/unix_integration/Cargo.toml index 2c64c5c1f..725e9314b 100644 --- a/unix_integration/Cargo.toml +++ b/unix_integration/Cargo.toml @@ -90,12 +90,13 @@ tracing = { workspace = true } uuid = { workspace = true } walkdir = { workspace = true } +[target.'cfg(target_os = "linux")'.dependencies] +sd-notify.workspace = true +prctl.workspace = true + [target.'cfg(not(target_family = "windows"))'.dependencies] kanidm_utils_users = { workspace = true } -[target.'cfg(target_os = "linux")'.dependencies] -prctl.workspace = true - [dev-dependencies] kanidmd_core = { workspace = true } kanidmd_testkit = { workspace = true } diff --git a/unix_integration/src/daemon.rs b/unix_integration/src/daemon.rs index e72c6457b..c0fe2012f 100644 --- a/unix_integration/src/daemon.rs +++ b/unix_integration/src/daemon.rs 
@@ -467,12 +467,53 @@ async fn write_hsm_pin(hsm_pin_path: &str) -> Result<(), Box> { Ok(()) } +#[cfg(feature = "tpm")] +fn open_tpm(tcti_name: &str) -> Option { + use kanidm_hsm_crypto::tpm::TpmTss; + match TpmTss::new(tcti_name) { + Ok(tpm) => Some(BoxedDynTpm::new(tpm)), + Err(tpm_err) => { + error!(?tpm_err, "Unable to open requested tpm device"); + None + } + } +} + +#[cfg(not(feature = "tpm"))] +fn open_tpm(_tcti_name: &str) -> Option { + error!("Hardware TPM supported was not enabled in this build. Unable to proceed"); + None +} + +#[cfg(feature = "tpm")] +fn open_tpm_if_possible(tcti_name: &str) -> BoxedDynTpm { + use kanidm_hsm_crypto::tpm::TpmTss; + match TpmTss::new(tcti_name) { + Ok(tpm) => BoxedDynTpm::new(tpm), + Err(tpm_err) => { + warn!( + ?tpm_err, + "Unable to open requested tpm device, falling back to soft tpm" + ); + BoxedDynTpm::new(SoftTpm::new()) + } + } +} + +#[cfg(not(feature = "tpm"))] +fn open_tpm_if_possible(_tcti_name: &str) -> BoxedDynTpm { + BoxedDynTpm::new(SoftTpm::new()) +} + #[tokio::main(flavor = "current_thread")] async fn main() -> ExitCode { // On linux when debug assertions are disabled, prevent ptrace // from attaching to us. #[cfg(all(target_os = "linux", not(debug_assertions)))] - prctl::set_dumpable(false); + if let Err(code) = prctl::set_dumpable(false) { + eprintln!(?code, "CRITICAL: Unable to set prctl flags"); + return ExitCode::FAILURE; + } let cuid = get_current_uid(); let ceuid = get_effective_uid(); @@ -800,9 +841,14 @@ async fn main() -> ExitCode { HsmType::Soft => { BoxedDynTpm::new(SoftTpm::new()) } + HsmType::TpmIfPossible => { + open_tpm_if_possible(&cfg.tpm_tcti_name) + } HsmType::Tpm => { - error!("TPM not supported ... yet"); - return ExitCode::FAILURE + match open_tpm(&cfg.tpm_tcti_name) { + Some(hsm) => hsm, + None => return ExitCode::FAILURE, + } } }; 
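Review bot: `open_tpm_if_possible` falls back to `SoftTpm` on any `TpmTss::new` failure and records it only at `warn!`, so a transient problem (missing device node, tss permissions) downgrades the daemon's key protection with little visibility; the example config states that once the hardware TPM has been used the software TPM will not be used, but nothing in this hunk enforces that, so it presumably relies on the stored machine key failing to load later — a comment on the function saying where that guarantee lives would help the next reader. The `#[cfg(not(feature = "tpm"))]` variant of `open_tpm_if_possible` returns the soft TPM without any log line even though `tpm_if_possible` is now the default, so something like `info!("Hardware TPM support was not enabled in this build, using soft tpm");` would make the active backend visible to operators. The non-tpm `open_tpm` message has a typo: `error!("Hardware TPM support was not enabled in this build. Unable to proceed");`. Note also that the example config's `Default: tpm_if_possible` only holds for builds with the tpm feature, since the `cfg_attr` default in unix_config.rs still selects `Soft` otherwise.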
@@ -1048,6 +1094,10 @@ async fn main() -> ExitCode { info!("Server started ..."); + // On linux, notify systemd. + #[cfg(target_os = "linux")] + let _ = sd_notify::notify(true, &[sd_notify::NotifyState::Ready]); + loop { tokio::select! { Ok(()) = tokio::signal::ctrl_c() => { diff --git a/unix_integration/src/db.rs b/unix_integration/src/db.rs index 1c72281ae..fa842888c 100644 --- a/unix_integration/src/db.rs +++ b/unix_integration/src/db.rs @@ -16,6 +16,8 @@ use serde::{de::DeserializeOwned, Serialize}; use kanidm_hsm_crypto::{HmacKey, LoadableHmacKey, LoadableMachineKey, Tpm}; +const DBV_MAIN: &str = "main"; + #[async_trait] pub trait Cache { type Txn<'db> @@ -54,6 +56,8 @@ pub trait CacheTxn { fn clear(&mut self) -> Result<(), CacheError>; + fn clear_hsm(&mut self) -> Result<(), CacheError>; + fn get_hsm_machine_key(&mut self) -> Result, CacheError>; fn insert_hsm_machine_key( @@ -208,6 +212,32 @@ impl<'a> DbTxn<'a> { CacheError::Sqlite } + fn get_db_version(&self, key: &str) -> i64 { + self.conn + .query_row( + "SELECT version FROM db_version_t WHERE id = :id", + &[(":id", key)], + |row| row.get(0), + ) + .unwrap_or({ + // The value is missing, default to 0. + 0 + }) + } + + fn set_db_version(&self, key: &str, v: i64) -> Result<(), CacheError> { + self.conn + .execute( + "INSERT OR REPLACE INTO db_version_t (id, version) VALUES(:id, :dbv)", + named_params! { + ":id": &key, + ":dbv": v, + }, + ) + .map(|_| ()) + .map_err(|e| self.sqlite_error("set db_version_t", &e)) + } + fn get_account_data_name( &mut self, account_id: &str, 
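Review bot: The result of `sd_notify::notify(true, &[sd_notify::NotifyState::Ready])` is discarded with `let _ =`, so if the notification fails the daemon keeps running while systemd, now configured with `Type=notify`, waits for READY=1 until the start timeout and then kills the unit with no hint in the daemon's own log. Log the failure rather than dropping it: `if let Err(err) = sd_notify::notify(true, &[sd_notify::NotifyState::Ready]) { warn!(?err, "Unable to notify systemd that the server is ready"); }`. The same pattern appears in the tasks_daemon.rs hunk at `@@ -363,6 +363,10 @@`. The enclosing `main` starts and ends outside the hunk.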
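Review bot: `fn clear_hsm(&mut self) -> Result<(), CacheError>;` is added to the public `CacheTxn` trait without a doc comment, yet its implementation later in this diff calls `clear()` and then deletes every row of `hsm_int_t` and `hsm_data_t`, i.e. the stored machine key material, which presumably leaves anything sealed under those keys undecryptable. A `///` comment stating that the method is destructive, that it also wipes the account/group cache, and that the caller is expected to re-provision the HSM afterwards would stop a future caller reaching for it as a light-weight reset. The trait definition continues outside the hunk.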
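Review bot: `get_db_version` maps every error from `query_row` to 0 via `.unwrap_or({ 0 })`, not just the missing-row case the comment describes, and the migrate hunk later in this diff treats `db_version < 1` as the trigger for `clear_hsm()`; a transient SQLite failure while reading `db_version_t` (locked database, I/O error) would therefore be mistaken for a fresh database and wipe the HSM key material. Distinguish `rusqlite::Error::QueryReturnedNoRows` from other errors and propagate the rest, with the call site in `migrate` becoming `let db_version = self.get_db_version(DBV_MAIN)?;`. The enclosing `impl<'a> DbTxn<'a>` block starts and ends outside the hunk.
```rust
fn get_db_version(&self, key: &str) -> Result<i64, CacheError> {
    match self
        .conn
        .query_row(
            "SELECT version FROM db_version_t WHERE id = :id",
            &[(":id", key)],
            |row| row.get(0),
        ) {
        Ok(v) => Ok(v),
        // Only a genuinely missing row means "never migrated"; any other
        // error must abort rather than be read as version 0.
        Err(rusqlite::Error::QueryReturnedNoRows) => Ok(0),
        Err(e) => Err(self.sqlite_error("get db_version_t", &e)),
    }
}
// … unchanged: set_db_version …
```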
@@ -358,82 +388,102 @@ impl<'a> CacheTxn for DbTxn<'a> { .and_then(|mut wal_stmt| wal_stmt.query([]).map(|_| ())) .map_err(|e| self.sqlite_error("account_t create", &e))?; - // Setup two tables - one for accounts, one for groups. - // correctly index the columns. - // Optional pw hash field + // This definition can never change. self.conn .execute( - "CREATE TABLE IF NOT EXISTS account_t ( - uuid TEXT PRIMARY KEY, - name TEXT NOT NULL UNIQUE, - spn TEXT NOT NULL UNIQUE, - gidnumber INTEGER NOT NULL UNIQUE, - password BLOB, - token BLOB NOT NULL, - expiry NUMERIC NOT NULL - ) - ", + "CREATE TABLE IF NOT EXISTS db_version_t ( + id TEXT PRIMARY KEY, + version INTEGER + )", [], ) - .map_err(|e| self.sqlite_error("account_t create", &e))?; + .map_err(|e| self.sqlite_error("db_version_t create", &e))?; - self.conn - .execute( - "CREATE TABLE IF NOT EXISTS group_t ( - uuid TEXT PRIMARY KEY, - name TEXT NOT NULL UNIQUE, - spn TEXT NOT NULL UNIQUE, - gidnumber INTEGER NOT NULL UNIQUE, - token BLOB NOT NULL, - expiry NUMERIC NOT NULL - ) - ", - [], - ) - .map_err(|e| self.sqlite_error("group_t create", &e))?; + let db_version = self.get_db_version(DBV_MAIN); - // We defer group foreign keys here because we now manually cascade delete these when - // required. This is because insert or replace into will always delete then add - // which triggers this. So instead we defer and manually cascade. - // - // However, on accounts, we CAN delete cascade because accounts will always redefine - // their memberships on updates so this is safe to cascade on this direction. - self.conn - .execute( - "CREATE TABLE IF NOT EXISTS memberof_t ( - g_uuid TEXT, - a_uuid TEXT, - FOREIGN KEY(g_uuid) REFERENCES group_t(uuid) DEFERRABLE INITIALLY DEFERRED, - FOREIGN KEY(a_uuid) REFERENCES account_t(uuid) ON DELETE CASCADE - ) - ", - [], - ) - .map_err(|e| self.sqlite_error("memberof_t create error", &e))?; - - // Create the hsm_data store. 
These are all generally encrypted private - // keys, and the hsm structures will decrypt these as required. - self.conn - .execute( - "CREATE TABLE IF NOT EXISTS hsm_int_t ( - key TEXT PRIMARY KEY, - value BLOB NOT NULL + if db_version < 1 { + // Setup two tables - one for accounts, one for groups. + // correctly index the columns. + // Optional pw hash field + self.conn + .execute( + "CREATE TABLE IF NOT EXISTS account_t ( + uuid TEXT PRIMARY KEY, + name TEXT NOT NULL UNIQUE, + spn TEXT NOT NULL UNIQUE, + gidnumber INTEGER NOT NULL UNIQUE, + password BLOB, + token BLOB NOT NULL, + expiry NUMERIC NOT NULL ) ", - [], - ) - .map_err(|e| self.sqlite_error("hsm_int_t create error", &e))?; + [], + ) + .map_err(|e| self.sqlite_error("account_t create", &e))?; - self.conn - .execute( - "CREATE TABLE IF NOT EXISTS hsm_data_t ( - key TEXT PRIMARY KEY, - value BLOB NOT NULL + self.conn + .execute( + "CREATE TABLE IF NOT EXISTS group_t ( + uuid TEXT PRIMARY KEY, + name TEXT NOT NULL UNIQUE, + spn TEXT NOT NULL UNIQUE, + gidnumber INTEGER NOT NULL UNIQUE, + token BLOB NOT NULL, + expiry NUMERIC NOT NULL ) ", - [], - ) - .map_err(|e| self.sqlite_error("hsm_data_t create error", &e))?; + [], + ) + .map_err(|e| self.sqlite_error("group_t create", &e))?; + + // We defer group foreign keys here because we now manually cascade delete these when + // required. This is because insert or replace into will always delete then add + // which triggers this. So instead we defer and manually cascade. + // + // However, on accounts, we CAN delete cascade because accounts will always redefine + // their memberships on updates so this is safe to cascade on this direction. 
+ self.conn + .execute( + "CREATE TABLE IF NOT EXISTS memberof_t ( + g_uuid TEXT, + a_uuid TEXT, + FOREIGN KEY(g_uuid) REFERENCES group_t(uuid) DEFERRABLE INITIALLY DEFERRED, + FOREIGN KEY(a_uuid) REFERENCES account_t(uuid) ON DELETE CASCADE + ) + ", + [], + ) + .map_err(|e| self.sqlite_error("memberof_t create error", &e))?; + + // Create the hsm_data store. These are all generally encrypted private + // keys, and the hsm structures will decrypt these as required. + self.conn + .execute( + "CREATE TABLE IF NOT EXISTS hsm_int_t ( + key TEXT PRIMARY KEY, + value BLOB NOT NULL + ) + ", + [], + ) + .map_err(|e| self.sqlite_error("hsm_int_t create error", &e))?; + + self.conn + .execute( + "CREATE TABLE IF NOT EXISTS hsm_data_t ( + key TEXT PRIMARY KEY, + value BLOB NOT NULL + ) + ", + [], + ) + .map_err(|e| self.sqlite_error("hsm_data_t create error", &e))?; + + // Since this is the 0th migration, we have to reset the HSM here. + self.clear_hsm()?; + } + + self.set_db_version(DBV_MAIN, 1)?; Ok(()) } @@ -480,6 +530,20 @@ impl<'a> CacheTxn for DbTxn<'a> { Ok(()) } + fn clear_hsm(&mut self) -> Result<(), CacheError> { + self.clear()?; + + self.conn + .execute("DELETE FROM hsm_int_t", []) + .map_err(|e| self.sqlite_error("delete hsm_int_t", &e))?; + + self.conn + .execute("DELETE FROM hsm_data_t", []) + .map_err(|e| self.sqlite_error("delete hsm_data_t", &e))?; + + Ok(()) + } + fn get_hsm_machine_key(&mut self) -> Result, CacheError> { let mut stmt = self .conn 
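Review bot: `self.set_db_version(DBV_MAIN, 1)?;` runs unconditionally after the `if db_version < 1` block, so a database already stamped with a higher version by a newer build would be rewritten back to 1 on the next start of this build, and the following upgrade would re-run every migration from 1 onward — including any destructive step they carry, as migration 0 already does with `clear_hsm()`. Either move the stamp inside the branch or guard it: `if db_version < 1 { self.set_db_version(DBV_MAIN, 1)?; }`. A one-line comment above `let db_version = self.get_db_version(DBV_MAIN);` noting that a fresh or pre-versioning database reads as 0 and therefore triggers the HSM reset would also document the behaviour an operator upgrading an existing install will hit. The `migrate` function starts outside the hunk.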
@@ -991,11 +1055,23 @@ mod tests { // use std::assert_matches::assert_matches; use super::{Cache, CacheTxn, Db}; use crate::idprovider::interface::{GroupToken, Id, UserToken}; - use kanidm_hsm_crypto::{soft::SoftTpm, AuthValue, Tpm}; + use kanidm_hsm_crypto::{AuthValue, Tpm}; const TESTACCOUNT1_PASSWORD_A: &str = "password a for account1 test"; const TESTACCOUNT1_PASSWORD_B: &str = "password b for account1 test"; + #[cfg(feature = "tpm")] + fn setup_tpm() -> Box { + use kanidm_hsm_crypto::tpm::TpmTss; + Box::new(TpmTss::new("device:/dev/tpmrm0").expect("Unable to build Tpm Context")) + } + + #[cfg(not(feature = "tpm"))] + fn setup_tpm() -> Box { + use kanidm_hsm_crypto::soft::SoftTpm; + Box::new(SoftTpm::new()) + } + #[tokio::test] async fn test_cache_db_account_basic() { sketching::test_init(); @@ -1232,11 +1308,7 @@ mod tests { let mut dbtxn = db.write().await; assert!(dbtxn.migrate().is_ok()); - // Setup the hsm - // #[cfg(feature = "tpm")] - - #[cfg(not(feature = "tpm"))] - let mut hsm: Box = Box::new(SoftTpm::new()); + let mut hsm = setup_tpm(); let auth_value = AuthValue::ephemeral().unwrap(); diff --git a/unix_integration/src/tasks_daemon.rs b/unix_integration/src/tasks_daemon.rs index b9ecb7e73..29afc7f1c 100644 --- a/unix_integration/src/tasks_daemon.rs +++ b/unix_integration/src/tasks_daemon.rs @@ -363,6 +363,10 @@ async fn main() -> ExitCode { info!("Server started ..."); + // On linux, notify systemd. + #[cfg(target_os = "linux")] + let _ = sd_notify::notify(true, &[sd_notify::NotifyState::Ready]); + loop { tokio::select! { Ok(()) = tokio::signal::ctrl_c() => { diff --git a/unix_integration/src/unix_config.rs b/unix_integration/src/unix_config.rs index f3dbb1499..f1fd1d910 100644 --- a/unix_integration/src/unix_config.rs +++ b/unix_integration/src/unix_config.rs @@ -81,6 +81,7 @@ pub enum HsmType { #[cfg_attr(not(feature = "tpm"), default)] Soft, #[cfg_attr(feature = "tpm", default)] + TpmIfPossible, Tpm, } 
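Review bot: Inserting `TpmIfPossible` directly under the unchanged `#[cfg_attr(feature = "tpm", default)]` line moves the tpm-feature default from `Tpm` to `TpmIfPossible`, so feature-enabled builds now default to a variant whose name implies a silent fall-back to the software HSM when no TPM can be opened (the selection logic itself is not in this diff). If that is intended it is a security-relevant behaviour change that deserves a doc comment on the variant, e.g. `/// Prefer the TPM; fall back to the software HSM when none is usable. Set hsm_type = "tpm" to fail closed instead.`, and the fall-back path should log loudly so operators notice their keys are no longer hardware-bound. If it is not intended, the attribute should move down so it stays attached to `Tpm`. The `HsmType` enum definition starts before this hunk.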
@@ -88,6 +89,7 @@ impl Display for HsmType {
 fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
 match self {
 HsmType::Soft => write!(f, "Soft"),
+ HsmType::TpmIfPossible => write!(f, "Tpm if possible"),
 HsmType::Tpm => write!(f, "Tpm"),
 }
 }
@@ -309,6 +311,7 @@ impl KanidmUnixdConfig {
 .hsm_type
 .and_then(|v| match v.as_str() {
 "soft" => Some(HsmType::Soft),
+ "tpm_if_possible" => Some(HsmType::TpmIfPossible),
 "tpm" => Some(HsmType::Tpm),
 _ => {
 warn!("Invalid hsm_type configured, using default ...");
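Review bot: With `tpm_if_possible` now accepted, the `_ =>` arm (which continues outside the hunk) still only warns and falls through to the default, and on tpm-enabled builds that default appears to have become `TpmIfPossible` via the enum change, so a typo in `hsm_type` can silently land a deployment on a software-backed HSM instead of failing closed. Consider rejecting unknown values outright, or at least logging the offending value so the misconfiguration is discoverable, e.g. `warn!("Invalid hsm_type '{}' configured, using default ...", v);`. Separately, the `Display` text `"Tpm if possible"` does not match the config token `tpm_if_possible`; using the same spelling keeps log lines grep-able against the configuration file.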
