mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-23 12:37:00 +01:00
Code Issues Actions 16 Packages Projects Releases Wiki Activity

Re-enable HW tpm support (#2531)

Browse source
This commit is contained in:
Firstyear 2024-02-17 11:30:08 +10:00 committed by GitHub
parent 62dff7565e
commit cc28fb2c4b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
11 changed files with 352 additions and 236 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

287
Cargo.lock generated
View file

@ -19,9 +19,9 @@ checksum = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe"
[[package]]
name = "ahash"
version = "0.7.7"
version = "0.7.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5a824f2aa7e75a0c98c5a504fceb80649e9c35265d44525b5f94de4771a395cd"
checksum = "891477e0c6a8957309ee5c45a6368af3ae14bb510732d2684ffa19af310920f9"
dependencies = [
"getrandom",
"once_cell",
@ -30,9 +30,9 @@ dependencies = [
[[package]]
name = "ahash"
version = "0.8.7"
version = "0.8.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "77c3a9648d43b9cd48db467b3f87fdd6e146bcc88ab0180006cef2179fe11d01"
checksum = "42cd52102d3df161c77a887b608d7a4897d7cc112886a9537b738a887a03aaff"
dependencies = [
"cfg-if",
"getrandom",
@ -475,6 +475,29 @@ dependencies = [
"serde",
]
[[package]]
name = "bindgen"
version = "0.66.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f2b84e06fc203107bfbad243f4aba2af864eb7db3b1cf46ea0a023b0b433d2a7"
dependencies = [
"bitflags 2.4.2",
"cexpr",
"clang-sys",
"lazy_static",
"lazycell",
"log",
"peeking_take_while",
"prettyplease 0.2.16",
"proc-macro2",
"quote",
"regex",
"rustc-hash",
"shlex",
"syn 2.0.48",
"which",
]
[[package]]
name = "bindgen"
version = "0.69.4"
@ -515,9 +538,9 @@ checksum = "349f9b6a179ed607305526ca489b34ad0a41aed5f7980fa90eb03160b69598fb"
[[package]]
name = "bitfield"
version = "0.14.0"
version = "0.13.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2d7e60934ceec538daadb9d8432424ed043a904d8e0243f3c6446bce549a46ac"
checksum = "46afbd2983a5d5a7bd740ccb198caf5b82f45c40c09c0eed36052d91cb92e719"
[[package]]
name = "bitflags"
@ -616,9 +639,9 @@ checksum = "e1e5f035d16fc623ae5f74981db80a439803888314e3a555fd6f04acd51a3205"
[[package]]
name = "bytemuck"
version = "1.14.2"
version = "1.14.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ea31d69bda4949c1c1562c1e6f042a1caefac98cdc8a298260a2ff41c1e2d42b"
checksum = "a2ef034f05691a48569bd920a96c81b9d91bbad1ab5ac7c4616c1f6ef36cb79f"
[[package]]
name = "byteorder"
@ -671,9 +694,9 @@ checksum = "17cc5e6b5ab06331c33589842070416baa137e8b0eb912b008cfd4a78ada7919"
[[package]]
name = "chrono"
version = "0.4.33"
version = "0.4.34"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9f13690e35a5e4ace198e7beea2895d29f3a9cc55015fcebe6336bd2010af9eb"
checksum = "5bc015644b92d5890fab7489e49d21f879d5c990186827d42ec511919404f38b"
dependencies = [
"android-tzdata",
"iana-time-zone",
@ -724,9 +747,9 @@ dependencies = [
[[package]]
name = "clap"
version = "4.4.18"
version = "4.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1e578d6ec4194633722ccf9544794b71b1385c3c027efe0c55db226fc880865c"
checksum = "80c21025abd42669a92efc996ef13cfb2c5c627858421ea58d5c3b331a6c134f"
dependencies = [
"clap_builder",
"clap_derive",
@ -734,30 +757,30 @@ dependencies = [
[[package]]
name = "clap_builder"
version = "4.4.18"
version = "4.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4df4df40ec50c46000231c914968278b1eb05098cf8f1b3a518a95030e71d1c7"
checksum = "458bf1f341769dfcf849846f65dffdf9146daa56bcd2a47cb4e1de9915567c99"
dependencies = [
"anstream",
"anstyle",
"clap_lex",
"strsim",
"strsim 0.11.0",
]
[[package]]
name = "clap_complete"
version = "4.4.10"
version = "4.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "abb745187d7f4d76267b37485a65e0149edd0e91a4cfcdd3f27524ad86cee9f3"
checksum = "299353be8209bd133b049bf1c63582d184a8b39fd9c04f15fe65f50f88bdfe6c"
dependencies = [
"clap",
]
[[package]]
name = "clap_derive"
version = "4.4.7"
version = "4.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cf9804afaaf59a91e75b022a30fb7229a7901f60c755489cc61c9b423b836442"
checksum = "307bc0538d5f0f83b8248db3087aa92fe504e4691294d0c96c0eabc33f47ba47"
dependencies = [
"heck",
"proc-macro2",
@ -767,9 +790,9 @@ dependencies = [
[[package]]
name = "clap_lex"
version = "0.6.0"
version = "0.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "702fc72eb24e5a1e48ce58027a675bc24edd52096d5397d4aea7c6dd9eca0bd1"
checksum = "98cc8fbded0c607b7ba9dd60cd98df59af97e84d24e49c8557331cfc26d301ce"
[[package]]
name = "clru"
@ -808,9 +831,9 @@ dependencies = [
[[package]]
name = "compact_jwt"
version = "0.3.3"
version = "0.3.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1c88e50516e010f137593b9e80dab437bc82c7c7bb4c5bf5dd042e30b0807dd7"
checksum = "46f626dea95ae258f9d05d2ac8e2fdb1ed98d183e0797ef304b88f205d423144"
dependencies = [
"base64 0.21.7",
"base64urlsafedata",
@ -830,7 +853,7 @@ version = "0.4.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0be4dc68bd9c37bcbd4670a644cc47494636d3e345d8d3b6db8bcd8ea65048c9"
dependencies = [
"ahash 0.7.7",
"ahash 0.7.8",
"crossbeam-epoch",
"crossbeam-queue",
"crossbeam-utils",
@ -930,9 +953,9 @@ dependencies = [
[[package]]
name = "crc32fast"
version = "1.3.2"
version = "1.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b540bd8bc810d3885c6ea91e2018302f68baba2129ab3e88f32389ee9370880d"
checksum = "b3855a8a784b474f333699ef2bbca9db2c4a1f6d9088a90a2d25b1eb53111eaa"
dependencies = [
"cfg-if",
]
@ -1136,7 +1159,7 @@ dependencies = [
"ident_case",
"proc-macro2",
"quote",
"strsim",
"strsim 0.10.0",
"syn 1.0.109",
]
@ -1150,7 +1173,7 @@ dependencies = [
"ident_case",
"proc-macro2",
"quote",
"strsim",
"strsim 0.10.0",
"syn 2.0.48",
]
@ -1357,9 +1380,9 @@ checksum = "545b22097d44f8a9581187cdf93de7a71e4722bf51200cfaba810865b49a495d"
[[package]]
name = "either"
version = "1.9.0"
version = "1.10.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a26ae43d7bcc3b814de94796a5e736d4029efb0ee900c12e2d54c993ad1a1e07"
checksum = "11157ac094ffbdde99aa67b23417ebdd801842852b500e395a45a9c0aac03e4a"
[[package]]
name = "encode_unicode"
@ -1398,18 +1421,18 @@ dependencies = [
[[package]]
name = "enumflags2"
version = "0.7.8"
version = "0.7.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5998b4f30320c9d93aed72f63af821bfdac50465b75428fce77b48ec482c3939"
checksum = "3278c9d5fb675e0a51dabcf4c0d355f692b064171535ba72361be1528a9d8e8d"
dependencies = [
"enumflags2_derive",
]
[[package]]
name = "enumflags2_derive"
version = "0.7.8"
version = "0.7.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f95e2801cd355d4a1a3e3953ce6ee5ae9603a5c833455343a8bfe3f44d418246"
checksum = "5c785274071b1b420972453b306eeca06acf4633829db4223b58a2a8c5953bc4"
dependencies = [
"proc-macro2",
"quote",
@ -1434,9 +1457,9 @@ dependencies = [
[[package]]
name = "escargot"
version = "0.5.8"
version = "0.5.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "768064bd3a0e2bedcba91dc87ace90beea91acc41b6a01a3ca8e9aa8827461bf"
checksum = "704ab670cffff92792405528eb8ec3d9f00be8939d56d947f6bc809f9ae249f8"
dependencies = [
"log",
"once_cell",
@ -2456,7 +2479,7 @@ dependencies = [
"futures-sink",
"futures-util",
"http",
"indexmap 2.2.2",
"indexmap 2.2.3",
"slab",
"tokio",
"tokio-util",
@ -2485,7 +2508,7 @@ version = "0.12.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8a9ee70c43aaf417c914396645a0fa852624801b24ebb7ae78fe8272889ac888"
dependencies = [
"ahash 0.7.7",
"ahash 0.7.8",
]
[[package]]
@ -2494,7 +2517,7 @@ version = "0.13.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "43a3c133739dddd0d2990f9a4bdf8eb4b21ef50e4851ca85ab661199821d510e"
dependencies = [
"ahash 0.8.7",
"ahash 0.8.8",
]
[[package]]
@ -2503,7 +2526,7 @@ version = "0.14.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "290f1a1d9242c78d09ce40a5e87e7554ee637af1351968159f4952f028f75604"
dependencies = [
"ahash 0.8.7",
"ahash 0.8.8",
"allocator-api2",
"serde",
]
@ -2549,9 +2572,9 @@ checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8"
[[package]]
name = "hermit-abi"
version = "0.3.5"
version = "0.3.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d0c62115964e08cb8039170eb33c1d0e2388a256930279edca206fff675f82c3"
checksum = "bd5256b483761cd23699d0da46cc6fd2ee3be420bbe6d020ae4a091e70b7e9fd"
[[package]]
name = "hex"
@ -2773,9 +2796,9 @@ dependencies = [
[[package]]
name = "indexmap"
version = "2.2.2"
version = "2.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "824b2ae422412366ba479e8111fd301f7b5faece8149317bb81925979a53f520"
checksum = "233cf39063f058ea2caae4091bf4a3ef70a653afbc026f5c4a4135d114e3c177"
dependencies = [
"equivalent",
"hashbrown 0.14.3",
@ -2819,12 +2842,12 @@ checksum = "8f518f335dce6725a761382244631d86cf0ccb2863413590b31338feb467f9c3"
[[package]]
name = "is-terminal"
version = "0.4.10"
version = "0.4.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0bad00257d07be169d870ab665980b06cdb366d792ad690bf2e76876dc503455"
checksum = "f23ff5ef2b80d608d61efee834934d862cd92461afc0560dedf493e4c033738b"
dependencies = [
"hermit-abi",
"rustix",
"libc",
"windows-sys 0.52.0",
]
@ -2863,9 +2886,9 @@ checksum = "b1a46d1a171d865aa5f83f92695765caa047a9b4cbae2cbf37dbd613a793fd4c"
[[package]]
name = "jobserver"
version = "0.1.27"
version = "0.1.28"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8c37f63953c4c63420ed5fd3d6d398c719489b9f872b9fa683262f8edd363c7d"
checksum = "ab46a6e9526ddef3ae7f787c06f0f2600639ba80ea3eade3d8e670a2230f51d6"
dependencies = [
"libc",
]
@ -2891,7 +2914,7 @@ version = "0.17.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2a071f4f7efc9a9118dfb627a0a94ef247986e1ab8606a4c806ae2b3aa3b6978"
dependencies = [
"ahash 0.8.7",
"ahash 0.8.8",
"anyhow",
"base64 0.21.7",
"bytecount",
@ -2917,9 +2940,9 @@ dependencies = [
[[package]]
name = "kanidm-hsm-crypto"
version = "0.1.5"
version = "0.1.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0605892a3d0aca88b43a2d60a381ff7307c2c741d64ff87fb7c763556305791d"
checksum = "e94124838cdc13bc8eeee3ef525e0bb4c2a86c0107f810216a8cb20c30f36557"
dependencies = [
"argon2",
"hex",
@ -2927,6 +2950,7 @@ dependencies = [
"serde",
"tracing",
"tss-esapi",
"tss-esapi-sys",
"zeroize",
]
@ -3064,7 +3088,7 @@ dependencies = [
"async-recursion",
"clap",
"clap_complete",
"compact_jwt 0.3.3",
"compact_jwt 0.3.4",
"dialoguer",
"futures-concurrency",
"kanidm_build_profiles",
@ -3117,6 +3141,7 @@ dependencies = [
"prctl",
"rpassword 7.3.1",
"rusqlite",
"sd-notify",
"selinux",
"serde",
"serde_json",
@ -3148,7 +3173,7 @@ dependencies = [
"axum-server",
"bytes",
"chrono",
"compact_jwt 0.3.3",
"compact_jwt 0.3.4",
"cron",
"filetime",
"futures",
@ -3195,7 +3220,7 @@ version = "1.2.0-dev"
dependencies = [
"base64 0.21.7",
"base64urlsafedata",
"compact_jwt 0.3.3",
"compact_jwt 0.3.4",
"concread",
"criterion",
"dyn-clone",
@ -3260,7 +3285,7 @@ name = "kanidmd_testkit"
version = "1.2.0-dev"
dependencies = [
"assert_cmd",
"compact_jwt 0.3.3",
"compact_jwt 0.3.4",
"escargot",
"fantoccini",
"futures",
@ -3582,6 +3607,12 @@ dependencies = [
"hashbrown 0.12.3",
]
[[package]]
name = "malloced"
version = "1.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6dfebb2f9e0b39509c62eead6ec7ae0c0ed45bb61d12bbcf4e976c566c5400ec"
[[package]]
name = "matchers"
version = "0.1.0"
@ -3606,17 +3637,6 @@ dependencies = [
"rand",
]
[[package]]
name = "mbox"
version = "0.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0f88d5c34d63aad11aa4321ef55ccb064af58b3ad8091079ae22bf83e5eb75d6"
dependencies = [
"libc",
"rustc_version",
"stable_deref_trait",
]
[[package]]
name = "memchr"
version = "2.7.1"
@ -3860,32 +3880,20 @@ dependencies = [
"syn 1.0.109",
]
[[package]]
name = "num-derive"
version = "0.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ed3955f1a9c7c0c15e092f9c887db08b1fc683305fdf6eb6684f22555355e202"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.48",
]
[[package]]
name = "num-integer"
version = "0.1.45"
version = "0.1.46"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "225d3389fb3509a24c93f5c29eb6bde2586b98d9f016636dff58d7c6f7569cd9"
checksum = "7969661fd2958a5cb096e56c8e1ad0444ac2bbcd0061bd28660485a44879858f"
dependencies = [
"autocfg",
"num-traits",
]
[[package]]
name = "num-iter"
version = "0.1.43"
version = "0.1.44"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7d03e6c028c5dc5cac6e2dec0efda81fc887605bb3d884578bb6d6bf7514e252"
checksum = "d869c01cc0c455284163fd0092f1f93835385ccab5a98a0dcc497b2f8bf055a9"
dependencies = [
"autocfg",
"num-integer",
@ -3917,9 +3925,9 @@ dependencies = [
[[package]]
name = "num-traits"
version = "0.2.17"
version = "0.2.18"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "39e3200413f237f41ab11ad6d161bc7239c84dcb631773ccd7de3dfe4b5c267c"
checksum = "da0df0e5185db44f69b44f26786fe401b6c293d1907744beaa7fa62b2e5a517a"
dependencies = [
"autocfg",
]
@ -4320,6 +4328,12 @@ dependencies = [
"proc-macro-hack",
]
[[package]]
name = "peeking_take_while"
version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "19b17cddbe7ec3f8bc800887bab5e717348c95ea2ca0b1bf0837fb964dc67099"
[[package]]
name = "peg"
version = "0.8.2"
@ -4353,17 +4367,6 @@ version = "2.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e"
[[package]]
name = "pest"
version = "2.7.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "219c0dcc30b6a27553f9cc242972b67f75b60eb0db71f0b5462f38b058c41546"
dependencies = [
"memchr",
"thiserror",
"ucd-trie",
]
[[package]]
name = "petgraph"
version = "0.6.4"
@ -4371,7 +4374,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e1d3afd2628e69da2be385eb6f2fd57c8ac7977ceeff6dc166ff1657b0e386a9"
dependencies = [
"fixedbitset",
"indexmap 2.2.2",
"indexmap 2.2.3",
"serde",
"serde_derive",
]
@ -4980,15 +4983,6 @@ version = "1.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "08d43f7aa6b08d49f382cde6a7982047c3426db949b1424bc4b7ec9ae12c6ce2"
[[package]]
name = "rustc_version"
version = "0.3.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f0dfe2087c51c460008730de8b57e6a320782fbfb312e1f4d520e6c6fae155ee"
dependencies = [
"semver",
]
[[package]]
name = "rusticata-macros"
version = "4.1.0"
@ -5128,7 +5122,7 @@ version = "0.6.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d6d6e616814290fe172d6514bebd9b723733ba7d68e1ab74d341a90b99a36bb4"
dependencies = [
"bindgen",
"bindgen 0.69.4",
"cc",
"dunce",
"walkdir",
@ -5136,21 +5130,9 @@ dependencies = [
[[package]]
name = "semver"
version = "0.11.0"
version = "1.0.21"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f301af10236f6df4160f7c3f04eec6dbc70ace82d23326abad5edee88801c6b6"
dependencies = [
"semver-parser",
]
[[package]]
name = "semver-parser"
version = "0.10.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "00b0bef5b7f9e0df16536d3961cfb6e84331c065b4066afb39768d0e319411f7"
dependencies = [
"pest",
]
checksum = "b97ed7a9823b74f99c7742f5336af7be5ecd3eeafcb1507d1fa93347b1d589b0"
[[package]]
name = "serde"
@ -5258,16 +5240,17 @@ dependencies = [
[[package]]
name = "serde_with"
version = "3.6.0"
version = "3.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1b0ed1662c5a68664f45b76d18deb0e234aff37207086803165c961eb695e981"
checksum = "15d167997bd841ec232f5b2b8e0e26606df2e7caa4c31b95ea9ca52b200bd270"
dependencies = [
"base64 0.21.7",
"chrono",
"hex",
"indexmap 1.9.3",
"indexmap 2.2.2",
"indexmap 2.2.3",
"serde",
"serde_derive",
"serde_json",
"serde_with_macros",
"time",
@ -5275,9 +5258,9 @@ dependencies = [
[[package]]
name = "serde_with_macros"
version = "3.6.0"
version = "3.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "568577ff0ef47b879f736cd66740e022f3672788cdf002a05a4e609ea5a6fb15"
checksum = "865f9743393e638991566a8b7a479043c2c8da94a33e0a31f18214c9cae0a64d"
dependencies = [
"darling 0.20.5",
"proc-macro2",
@ -5479,12 +5462,6 @@ dependencies = [
"sha2 0.8.2",
]
[[package]]
name = "stable_deref_trait"
version = "1.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a8f112729512f8e442d81f95a8a7ddf2b7c6b8a1a6f509a95864142b30cab2d3"
[[package]]
name = "static_assertions"
version = "1.1.0"
@ -5497,6 +5474,12 @@ version = "0.10.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623"
[[package]]
name = "strsim"
version = "0.11.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5ee073c9e4cd00e28217186dbe12796d692868f432bf2e97ee73bed0c56dfa01"
[[package]]
name = "subtle"
version = "2.5.0"
@ -5605,18 +5588,18 @@ dependencies = [
[[package]]
name = "thiserror"
version = "1.0.56"
version = "1.0.57"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d54378c645627613241d077a3a79db965db602882668f9136ac42af9ecb730ad"
checksum = "1e45bcbe8ed29775f228095caf2cd67af7a4ccf756ebff23a306bf3e8b47b24b"
dependencies = [
"thiserror-impl",
]
[[package]]
name = "thiserror-impl"
version = "1.0.56"
version = "1.0.57"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fa0faa943b50f3db30a20aa7e265dbc66076993efed8463e8de414e5d06d3471"
checksum = "a953cb265bef375dae3de6663da4d3804eee9682ea80d8e2542529b73c531c81"
dependencies = [
"proc-macro2",
"quote",
@ -5819,7 +5802,7 @@ version = "0.19.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1b5bb770da30e5cbfde35a2d7b9b8a2c4b8ef89548a7a6aeab5c9a576e3e7421"
dependencies = [
"indexmap 2.2.2",
"indexmap 2.2.3",
"toml_datetime",
"winnow",
]
@ -6037,21 +6020,24 @@ checksum = "e421abadd41a4225275504ea4d6566923418b7f05506fbc9c0fe86ba7396114b"
[[package]]
name = "tss-esapi"
version = "7.4.0"
version = "8.0.0-alpha"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "de234df360c349f78ecd33f0816ab3842db635732212b5cfad67f2638336864e"
checksum = "3c1617a46161846de3a3d3e407cd30cb345599bc5e440c3907a59b34b75a2731"
dependencies = [
"bitfield",
"cfg-if",
"enumflags2",
"hostname-validator",
"log",
"mbox",
"num-derive 0.4.2",
"malloced",
"num-derive",
"num-traits",
"oid",
"paste 1.0.14",
"picky-asn1",
"picky-asn1-x509",
"regex",
"semver",
"serde",
"tss-esapi-sys",
"zeroize",
@ -6063,6 +6049,7 @@ version = "0.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "535cd192581c2ec4d5f82e670b1d3fbba6a23ccce8c85de387642051d7cad5b5"
dependencies = [
"bindgen 0.66.1",
"pkg-config",
"target-lexicon",
]
@ -6073,12 +6060,6 @@ version = "1.17.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "42ff0bf0c66b8238c6f3b578df37d0b7848e55df8577b3f74f92a69acceeb825"
[[package]]
name = "ucd-trie"
version = "0.1.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ed646292ffc8188ef8ea4d1e0e0150fb15a5c2e12ad9b8fc191ae7a8a7f3c4b9"
[[package]]
name = "unicase"
version = "2.7.0"
@ -6117,9 +6098,9 @@ dependencies = [
[[package]]
name = "unicode-segmentation"
version = "1.10.1"
version = "1.11.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1dd624098567895118886609431a7c3b8f516e41d30e0643f03d94592a147e36"
checksum = "d4c87d22b6e3f4a18d4d40ef354e97c90fcb14dd91d7dc0aa9d8a1172ebf7202"
[[package]]
name = "unicode-width"
@ -6163,7 +6144,7 @@ version = "4.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "272ebdfbc99111033031d2f10e018836056e4d2c8e2acda76450ec7974269fa7"
dependencies = [
"indexmap 2.2.2",
"indexmap 2.2.3",
"serde",
"serde_json",
"utoipa-gen",
@ -6405,7 +6386,7 @@ dependencies = [
"futures",
"hex",
"nom",
"num-derive 0.3.3",
"num-derive",
"num-traits",
"openssl",
"rpassword 5.0.1",
@ -6754,9 +6735,9 @@ checksum = "dff9641d1cd4be8d1a070daf9e3773c5f67e78b4d9d42263020c057706765c04"
[[package]]
name = "winnow"
version = "0.5.39"
version = "0.5.40"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5389a154b01683d28c77f8f68f49dea75f0a4da32557a58f68ee51ebba472d29"
checksum = "f593a95398737aeed53e489c785df13f3618e41dbcd6718c6addbf1395aa6876"
dependencies = [
"memchr",
]

4
Cargo.toml
View file

@ -84,7 +84,7 @@ kanidmd_lib_macros = { path = "./server/lib-macros", version = "=1.2.0-dev" }
kanidmd_testkit = { path = "./server/testkit", version = "=1.2.0-dev" }
kanidm_build_profiles = { path = "./libs/profiles", version = "=1.2.0-dev" }
kanidm_client = { path = "./libs/client", version = "=1.2.0-dev" }
kanidm-hsm-crypto = "^0.1.5"
kanidm-hsm-crypto = "^0.1.6"
kanidm_lib_crypto = { path = "./libs/crypto", version = "=1.2.0-dev" }
kanidm_lib_file_permissions = { path = "./libs/file_permissions", version = "=1.2.0-dev" }
kanidm_proto = { path = "./proto", version = "=1.2.0-dev" }
@ -116,7 +116,7 @@ clap = { version = "^4.4.8", features = ["derive", "env"] }
clap_complete = "^4.4.4"
# Forced by saffron/cron
chrono = "^0.4.31"
compact_jwt = { version = "^0.3.3", default-features = false }
compact_jwt = { version = "^0.3.4", default-features = false }
concread = "^0.4.4"
cron = "0.12.0"
crossbeam = "0.8.1"

4
examples/unixd
View file

@ -15,8 +15,10 @@ pam_allowed_login_groups = ["posix_group"]
#
# * soft: A software hsm that encrypts all local key material
# * tpm: Use a tpm for all key storage and binding
# * tpm_if_possible: If a hardware tpm exists it is used, otherwise fall back to the software tpm.
# If the hardware tpm has previously been used, software tpm will not be used.
#
# Default: soft
# Default: tpm_if_possible
# hsm_type = "tpm"

2
platform/opensuse/kanidm-unixd-tasks.service
View file

@ -7,7 +7,7 @@ After=chronyd.service ntpd.service network-online.target kanidm-unixd.service
[Service]
User=root
Type=simple
Type=notify
ExecStart=/usr/sbin/kanidm_unixd_tasks
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH

2
platform/opensuse/kanidm-unixd.service
View file

@ -18,7 +18,7 @@ CacheDirectory=kanidm-unixd
RuntimeDirectory=kanidm-unixd
StateDirectory=kanidm-unixd
Type=simple
Type=notify
ExecStart=/usr/sbin/kanidm_unixd
## If you wish to setup an external HSM pin you should set:

5
server/daemon/src/main.rs
View file

@ -229,7 +229,10 @@ fn main() -> ExitCode {
// On linux when debug assertions are disabled, prevent ptrace
// from attaching to us.
#[cfg(all(target_os = "linux", not(debug_assertions)))]
prctl::set_dumpable(false);
if let Err(code) = prctl::set_dumpable(false) {
eprintln!(?code, "CRITICAL: Unable to set prctl flags");
return ExitCode::FAILURE;
}
let maybe_rt = tokio::runtime::Builder::new_multi_thread()
.enable_all()

7
unix_integration/Cargo.toml
View file

@ -90,12 +90,13 @@ tracing = { workspace = true }
uuid = { workspace = true }
walkdir = { workspace = true }
[target.'cfg(target_os = "linux")'.dependencies]
sd-notify.workspace = true
prctl.workspace = true
[target.'cfg(not(target_family = "windows"))'.dependencies]
kanidm_utils_users = { workspace = true }
[target.'cfg(target_os = "linux")'.dependencies]
prctl.workspace = true
[dev-dependencies]
kanidmd_core = { workspace = true }
kanidmd_testkit = { workspace = true }

56
unix_integration/src/daemon.rs
View file

@ -467,12 +467,53 @@ async fn write_hsm_pin(hsm_pin_path: &str) -> Result<(), Box<dyn Error>> {
Ok(())
}
#[cfg(feature = "tpm")]
fn open_tpm(tcti_name: &str) -> Option<BoxedDynTpm> {
use kanidm_hsm_crypto::tpm::TpmTss;
match TpmTss::new(tcti_name) {
Ok(tpm) => Some(BoxedDynTpm::new(tpm)),
Err(tpm_err) => {
error!(?tpm_err, "Unable to open requested tpm device");
None
}
}
}
#[cfg(not(feature = "tpm"))]
fn open_tpm(_tcti_name: &str) -> Option<BoxedDynTpm> {
error!("Hardware TPM supported was not enabled in this build. Unable to proceed");
None
}
#[cfg(feature = "tpm")]
fn open_tpm_if_possible(tcti_name: &str) -> BoxedDynTpm {
use kanidm_hsm_crypto::tpm::TpmTss;
match TpmTss::new(tcti_name) {
Ok(tpm) => BoxedDynTpm::new(tpm),
Err(tpm_err) => {
warn!(
?tpm_err,
"Unable to open requested tpm device, falling back to soft tpm"
);
BoxedDynTpm::new(SoftTpm::new())
}
}
}
#[cfg(not(feature = "tpm"))]
fn open_tpm_if_possible(_tcti_name: &str) -> BoxedDynTpm {
BoxedDynTpm::new(SoftTpm::new())
}
#[tokio::main(flavor = "current_thread")]
async fn main() -> ExitCode {
// On linux when debug assertions are disabled, prevent ptrace
// from attaching to us.
#[cfg(all(target_os = "linux", not(debug_assertions)))]
prctl::set_dumpable(false);
if let Err(code) = prctl::set_dumpable(false) {
eprintln!(?code, "CRITICAL: Unable to set prctl flags");
return ExitCode::FAILURE;
}
let cuid = get_current_uid();
let ceuid = get_effective_uid();
@ -800,9 +841,14 @@ async fn main() -> ExitCode {
HsmType::Soft => {
BoxedDynTpm::new(SoftTpm::new())
}
HsmType::TpmIfPossible => {
open_tpm_if_possible(&cfg.tpm_tcti_name)
}
HsmType::Tpm => {
error!("TPM not supported ... yet");
return ExitCode::FAILURE
match open_tpm(&cfg.tpm_tcti_name) {
Some(hsm) => hsm,
None => return ExitCode::FAILURE,
}
}
};
@ -1048,6 +1094,10 @@ async fn main() -> ExitCode {
info!("Server started ...");
// On linux, notify systemd.
#[cfg(target_os = "linux")]
let _ = sd_notify::notify(true, &[sd_notify::NotifyState::Ready]);
loop {
tokio::select! {
Ok(()) = tokio::signal::ctrl_c() => {

214
unix_integration/src/db.rs
View file

@ -16,6 +16,8 @@ use serde::{de::DeserializeOwned, Serialize};
use kanidm_hsm_crypto::{HmacKey, LoadableHmacKey, LoadableMachineKey, Tpm};
const DBV_MAIN: &str = "main";
#[async_trait]
pub trait Cache {
type Txn<'db>
@ -54,6 +56,8 @@ pub trait CacheTxn {
fn clear(&mut self) -> Result<(), CacheError>;
fn clear_hsm(&mut self) -> Result<(), CacheError>;
fn get_hsm_machine_key(&mut self) -> Result<Option<LoadableMachineKey>, CacheError>;
fn insert_hsm_machine_key(
@ -208,6 +212,32 @@ impl<'a> DbTxn<'a> {
CacheError::Sqlite
}
fn get_db_version(&self, key: &str) -> i64 {
self.conn
.query_row(
"SELECT version FROM db_version_t WHERE id = :id",
&[(":id", key)],
|row| row.get(0),
)
.unwrap_or({
// The value is missing, default to 0.
0
})
}
fn set_db_version(&self, key: &str, v: i64) -> Result<(), CacheError> {
self.conn
.execute(
"INSERT OR REPLACE INTO db_version_t (id, version) VALUES(:id, :dbv)",
named_params! {
":id": &key,
":dbv": v,
},
)
.map(|_| ())
.map_err(|e| self.sqlite_error("set db_version_t", &e))
}
fn get_account_data_name(
&mut self,
account_id: &str,
@ -358,82 +388,102 @@ impl<'a> CacheTxn for DbTxn<'a> {
.and_then(|mut wal_stmt| wal_stmt.query([]).map(|_| ()))
.map_err(|e| self.sqlite_error("account_t create", &e))?;
// Setup two tables - one for accounts, one for groups.
// correctly index the columns.
// Optional pw hash field
// This definition can never change.
self.conn
.execute(
"CREATE TABLE IF NOT EXISTS account_t (
uuid TEXT PRIMARY KEY,
name TEXT NOT NULL UNIQUE,
spn TEXT NOT NULL UNIQUE,
gidnumber INTEGER NOT NULL UNIQUE,
password BLOB,
token BLOB NOT NULL,
expiry NUMERIC NOT NULL
)
",
"CREATE TABLE IF NOT EXISTS db_version_t (
id TEXT PRIMARY KEY,
version INTEGER
)",
[],
)
.map_err(|e| self.sqlite_error("account_t create", &e))?;
.map_err(|e| self.sqlite_error("db_version_t create", &e))?;
self.conn
.execute(
"CREATE TABLE IF NOT EXISTS group_t (
uuid TEXT PRIMARY KEY,
name TEXT NOT NULL UNIQUE,
spn TEXT NOT NULL UNIQUE,
gidnumber INTEGER NOT NULL UNIQUE,
token BLOB NOT NULL,
expiry NUMERIC NOT NULL
)
",
[],
)
.map_err(|e| self.sqlite_error("group_t create", &e))?;
let db_version = self.get_db_version(DBV_MAIN);
// We defer group foreign keys here because we now manually cascade delete these when
// required. This is because insert or replace into will always delete then add
// which triggers this. So instead we defer and manually cascade.
//
// However, on accounts, we CAN delete cascade because accounts will always redefine
// their memberships on updates so this is safe to cascade on this direction.
self.conn
.execute(
"CREATE TABLE IF NOT EXISTS memberof_t (
g_uuid TEXT,
a_uuid TEXT,
FOREIGN KEY(g_uuid) REFERENCES group_t(uuid) DEFERRABLE INITIALLY DEFERRED,
FOREIGN KEY(a_uuid) REFERENCES account_t(uuid) ON DELETE CASCADE
)
",
[],
)
.map_err(|e| self.sqlite_error("memberof_t create error", &e))?;
// Create the hsm_data store. These are all generally encrypted private
// keys, and the hsm structures will decrypt these as required.
self.conn
.execute(
"CREATE TABLE IF NOT EXISTS hsm_int_t (
key TEXT PRIMARY KEY,
value BLOB NOT NULL
if db_version < 1 {
// Setup two tables - one for accounts, one for groups.
// correctly index the columns.
// Optional pw hash field
self.conn
.execute(
"CREATE TABLE IF NOT EXISTS account_t (
uuid TEXT PRIMARY KEY,
name TEXT NOT NULL UNIQUE,
spn TEXT NOT NULL UNIQUE,
gidnumber INTEGER NOT NULL UNIQUE,
password BLOB,
token BLOB NOT NULL,
expiry NUMERIC NOT NULL
)
",
[],
)
.map_err(|e| self.sqlite_error("hsm_int_t create error", &e))?;
[],
)
.map_err(|e| self.sqlite_error("account_t create", &e))?;
self.conn
.execute(
"CREATE TABLE IF NOT EXISTS hsm_data_t (
key TEXT PRIMARY KEY,
value BLOB NOT NULL
self.conn
.execute(
"CREATE TABLE IF NOT EXISTS group_t (
uuid TEXT PRIMARY KEY,
name TEXT NOT NULL UNIQUE,
spn TEXT NOT NULL UNIQUE,
gidnumber INTEGER NOT NULL UNIQUE,
token BLOB NOT NULL,
expiry NUMERIC NOT NULL
)
",
[],
)
.map_err(|e| self.sqlite_error("hsm_data_t create error", &e))?;
[],
)
.map_err(|e| self.sqlite_error("group_t create", &e))?;
// We defer group foreign keys here because we now manually cascade delete these when
// required. This is because insert or replace into will always delete then add
// which triggers this. So instead we defer and manually cascade.
//
// However, on accounts, we CAN delete cascade because accounts will always redefine
// their memberships on updates so this is safe to cascade on this direction.
self.conn
.execute(
"CREATE TABLE IF NOT EXISTS memberof_t (
g_uuid TEXT,
a_uuid TEXT,
FOREIGN KEY(g_uuid) REFERENCES group_t(uuid) DEFERRABLE INITIALLY DEFERRED,
FOREIGN KEY(a_uuid) REFERENCES account_t(uuid) ON DELETE CASCADE
)
",
[],
)
.map_err(|e| self.sqlite_error("memberof_t create error", &e))?;
// Create the hsm_data store. These are all generally encrypted private
// keys, and the hsm structures will decrypt these as required.
self.conn
.execute(
"CREATE TABLE IF NOT EXISTS hsm_int_t (
key TEXT PRIMARY KEY,
value BLOB NOT NULL
)
",
[],
)
.map_err(|e| self.sqlite_error("hsm_int_t create error", &e))?;
self.conn
.execute(
"CREATE TABLE IF NOT EXISTS hsm_data_t (
key TEXT PRIMARY KEY,
value BLOB NOT NULL
)
",
[],
)
.map_err(|e| self.sqlite_error("hsm_data_t create error", &e))?;
// Since this is the 0th migration, we have to reset the HSM here.
self.clear_hsm()?;
}
self.set_db_version(DBV_MAIN, 1)?;
Ok(())
}
@ -480,6 +530,20 @@ impl<'a> CacheTxn for DbTxn<'a> {
Ok(())
}
fn clear_hsm(&mut self) -> Result<(), CacheError> {
self.clear()?;
self.conn
.execute("DELETE FROM hsm_int_t", [])
.map_err(|e| self.sqlite_error("delete hsm_int_t", &e))?;
self.conn
.execute("DELETE FROM hsm_data_t", [])
.map_err(|e| self.sqlite_error("delete hsm_data_t", &e))?;
Ok(())
}
fn get_hsm_machine_key(&mut self) -> Result<Option<LoadableMachineKey>, CacheError> {
let mut stmt = self
.conn
@ -991,11 +1055,23 @@ mod tests {
// use std::assert_matches::assert_matches;
use super::{Cache, CacheTxn, Db};
use crate::idprovider::interface::{GroupToken, Id, UserToken};
use kanidm_hsm_crypto::{soft::SoftTpm, AuthValue, Tpm};
use kanidm_hsm_crypto::{AuthValue, Tpm};
const TESTACCOUNT1_PASSWORD_A: &str = "password a for account1 test";
const TESTACCOUNT1_PASSWORD_B: &str = "password b for account1 test";
#[cfg(feature = "tpm")]
fn setup_tpm() -> Box<dyn Tpm> {
use kanidm_hsm_crypto::tpm::TpmTss;
Box::new(TpmTss::new("device:/dev/tpmrm0").expect("Unable to build Tpm Context"))
}
#[cfg(not(feature = "tpm"))]
fn setup_tpm() -> Box<dyn Tpm> {
use kanidm_hsm_crypto::soft::SoftTpm;
Box::new(SoftTpm::new())
}
#[tokio::test]
async fn test_cache_db_account_basic() {
sketching::test_init();
@ -1232,11 +1308,7 @@ mod tests {
let mut dbtxn = db.write().await;
assert!(dbtxn.migrate().is_ok());
// Setup the hsm
// #[cfg(feature = "tpm")]
#[cfg(not(feature = "tpm"))]
let mut hsm: Box<dyn Tpm> = Box::new(SoftTpm::new());
let mut hsm = setup_tpm();
let auth_value = AuthValue::ephemeral().unwrap();

4
unix_integration/src/tasks_daemon.rs
View file

@ -363,6 +363,10 @@ async fn main() -> ExitCode {
info!("Server started ...");
// On linux, notify systemd.
#[cfg(target_os = "linux")]
let _ = sd_notify::notify(true, &[sd_notify::NotifyState::Ready]);
loop {
tokio::select! {
Ok(()) = tokio::signal::ctrl_c() => {

3
unix_integration/src/unix_config.rs
View file

@ -81,6 +81,7 @@ pub enum HsmType {
#[cfg_attr(not(feature = "tpm"), default)]
Soft,
#[cfg_attr(feature = "tpm", default)]
TpmIfPossible,
Tpm,
}
@ -88,6 +89,7 @@ impl Display for HsmType {
fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
match self {
HsmType::Soft => write!(f, "Soft"),
HsmType::TpmIfPossible => write!(f, "Tpm if possible"),
HsmType::Tpm => write!(f, "Tpm"),
}
}
@ -309,6 +311,7 @@ impl KanidmUnixdConfig {
.hsm_type
.and_then(|v| match v.as_str() {
"soft" => Some(HsmType::Soft),
"tpm_if_possible" => Some(HsmType::TpmIfPossible),
"tpm" => Some(HsmType::Tpm),
_ => {
warn!("Invalid hsm_type configured, using default ...");