From d2c329f33028c80129716c95db6558c2d17c0749 Mon Sep 17 00:00:00 2001
From: George Wu
Date: Sun, 27 Oct 2024 16:57:28 -0700
Subject: [PATCH] Change to text input and use numeric mode for TOTP prompts. (#3154)
* Change to text input and use inputmode numeric for TOTP prompts.
* Fix some typos.
---
book/src/developers/designs/domain_join_machine_accounts.md | 4 ++--
book/src/developers/designs/kanidm-trust.rst | 2 +-
book/src/developers/designs/profile_display.md | 4 ++--
book/src/developers/designs/unixd_multi_resolver_2024.md | 6 +++---
book/src/frequently_asked_questions.md | 2 +-
book/src/integrations/oauth2/examples.md | 4 ++--
examples/server.toml | 4 ++--
proto/src/scim_v1/mod.rs | 4 ++--
server/core/templates/login.html | 3 ++-
server/core/templates/login_totp.html | 3 ++-
tools/cli/src/cli/person.rs | 4 ++--
tools/cli/src/opt/kanidm.rs | 2 +-
unix_integration/pam_kanidm/src/core.rs | 2 +-
.../resolver/debian/kanidm_unix_int.kanidm-unixd.service | 2 +-
unix_integration/resolver/src/idprovider/interface.rs | 4 ++--
unix_integration/resolver/src/resolver.rs | 2 +-
16 files changed, 27 insertions(+), 25 deletions(-)
diff --git a/book/src/developers/designs/domain_join_machine_accounts.md b/book/src/developers/designs/domain_join_machine_accounts.md
index 3442e2250..ce787d1a3 100644
--- a/book/src/developers/designs/domain_join_machine_accounts.md
+++ b/book/src/developers/designs/domain_join_machine_accounts.md
@@ -7,10 +7,10 @@ support machine accounts also know as domain joining.
 ### Limiting Unix Password Auth
-Currently unix password authentication is targetted as the method for sudo. Initial access to the
+Currently unix password authentication is targeted as the method for sudo. Initial access to the machine should come from ssh keys (and in future, ctap2).
-In order to maintain compatability with LDAP style authentication, we allow "anonymous hosts" to
+In order to maintain compatibility with LDAP style authentication, we allow "anonymous hosts" to retrieve ssh public keys, and then perform sudo authentication. This has the obvious caveat that anyone can stand up a machine that trusts a Kanidm instance. This
diff --git a/book/src/developers/designs/kanidm-trust.rst b/book/src/developers/designs/kanidm-trust.rst
index 85616974d..548d65c00 100644
--- a/book/src/developers/designs/kanidm-trust.rst
+++ b/book/src/developers/designs/kanidm-trust.rst
@@ -38,7 +38,7 @@ There are different ways we can scope a trust out, each with pros-cons. Here are
 may implement some controls around which subject DN's to allow/deny, but this is pretty fraught with landminds. You don't know who exists until they login! * Azure AD individual account trusting. Instead of trusting a whole domain you allow a user from
- a remote tennant to access your resources. You don't trust everyone in their tennant, just that
+ a remote tenant to access your resources. You don't trust everyone in their tenant, just that one account that you can invite. You can then revoke them as needed. * Group-trust - FreeIPA does this with AD. It's still like kerberos, but you only trust a subset of the users determined by "groups" from the trusted site.
diff --git a/book/src/developers/designs/profile_display.md b/book/src/developers/designs/profile_display.md
index 26bdadc9c..5cbe4779d 100644
--- a/book/src/developers/designs/profile_display.md
+++ b/book/src/developers/designs/profile_display.md
@@ -65,12 +65,12 @@ same. // TODO: Should a user be allowed to relabel their kanidm ssh keys ? Due to their long length they should be line-wrapped into a text field so the entirety is visible when shown. To reduce visible clutter and inconsistent spacing we will put the values into
-collapsable elements.
+collapsible elements. These collapsed elements must include: - label
-- value's key type (ECDSA, rsa, ect..) and may include:
+- value's key type (ECDSA, rsa, etc..) and may include: - value's comment, truncated to some max length
 #### Editing keys
diff --git a/book/src/developers/designs/unixd_multi_resolver_2024.md b/book/src/developers/designs/unixd_multi_resolver_2024.md
index 9a72a06ba..b16f962c3 100644
--- a/book/src/developers/designs/unixd_multi_resolver_2024.md
+++ b/book/src/developers/designs/unixd_multi_resolver_2024.md
@@ -54,7 +54,7 @@ to improve it as a result. This will necesitate a major rework of the project. The current design treated the client as a trivial communication layer. The daemon/event loop contained all state including if the resolver was online or offline. Additionally the TPM and
-password caching operations primarily occured in the daemon layer, which limited the access of these
+password caching operations primarily occurred in the daemon layer, which limited the access of these features to the client backend itself.
 ### Future Features
@@ -130,7 +130,7 @@ future.
 #### CTAP2 / TPM-PIN We want to allow local authentication with CTAP2 or a TPM with PIN. Both provide stronger assurances
-of both who the user is, and that they are in posession of a specific cryptographic device. The nice
+of both who the user is, and that they are in possession of a specific cryptographic device. The nice part of this is that they both implement hardware bruteforce protections. For soft-tpm we can emulate this with a strict bruteforce lockout prevention mechanism.
@@ -384,7 +384,7 @@ and rely on sqlite heavily. We should migrate to a primarily in-memory cache, where sqlite is used only for persistence. The sqlite content should be optionally able to be encrypted by a TPM bound key.
-To obsfucate details, the sqlite db should be a single table of key:value where keys are uuids
+To obfuscate details, the sqlite db should be a single table of key:value where keys are uuids associated to the item. The uuid is a local detail, not related to the provider. The cache should move to a concread based concurrent tree which will also allow us to multi-thread
diff --git a/book/src/frequently_asked_questions.md b/book/src/frequently_asked_questions.md
index 6051063e2..a8f49543a 100644
--- a/book/src/frequently_asked_questions.md
+++ b/book/src/frequently_asked_questions.md
@@ -75,7 +75,7 @@ administrator. While they may not have direct access to the client/application s
 still use this `client_id+secret` to then carry out the authorisation code interception attack listed.
-For confidential clients (refered to as a `basic` client in Kanidm due to the use of HTTP Basic for
+For confidential clients (referred to as a `basic` client in Kanidm due to the use of HTTP Basic for `client_id+secret` presentation) PKCE may optionally be disabled. This can allow authorisation code attacks to be carried out - however _if_ TLS is used and the `client_secret` never leaks, then these attacks will not be possible. Since there are many public references to system administrators
diff --git a/book/src/integrations/oauth2/examples.md b/book/src/integrations/oauth2/examples.md
index e6f48f18e..3cdb25bbe 100644
--- a/book/src/integrations/oauth2/examples.md
+++ b/book/src/integrations/oauth2/examples.md
@@ -261,7 +261,7 @@ using OAuth2:
Upload a Kanidm or other organisational logo. - + This will appear on the login form (with no text) to prompt users to sign in.
@@ -480,7 +480,7 @@ with some limitations: It will set the user's preferred name on *first* log in *only*.
-To set up a *new* self-hosted Outline instance to authenicate with Kanidm:
+To set up a *new* self-hosted Outline instance to authenticate with Kanidm: 1. Add an email address to your regular Kanidm account, if it doesn't have one already:
diff --git a/examples/server.toml b/examples/server.toml
index 71f9530c2..c8e9b25be 100644
--- a/examples/server.toml
+++ b/examples/server.toml
@@ -23,7 +23,7 @@ bindaddress = "[::]:443"
 # The path to the kanidm database.
 db_path = "/var/lib/private/kanidm/kanidm.db" #
-# If you have a known filesystem, kanidm can tune the
+# If you have a known filesystem, kanidm can tune the # database page size to match. Valid choices are: # [zfs, other] # If you are unsure about this leave it as the default
@@ -45,7 +45,7 @@ db_path = "/var/lib/private/kanidm/kanidm.db"
 # db_arc_size = 2048 # # TLS chain and key in pem format. Both must be present.
-# If the server recieves a SIGHUP, these files will be
+# If the server receives a SIGHUP, these files will be # re-read and reloaded if their content is valid.
 tls_chain = "/var/lib/private/kanidm/chain.pem"
 tls_key = "/var/lib/private/kanidm/key.pem"
diff --git a/proto/src/scim_v1/mod.rs b/proto/src/scim_v1/mod.rs
index 0b912daec..ac17bce53 100644
--- a/proto/src/scim_v1/mod.rs
+++ b/proto/src/scim_v1/mod.rs
@@ -11,10 +11,10 @@
 //! The [scim_proto] library, which is generic over all scim implementations.
 //!
 //! The client module, which describes how a client should transmit entries, and
-//! how it should parse them when it recieves them.
+//! how it should parse them when it receives them.
 //!
 //! The server module, which describes how a server should transmit entries and
-//! how it should recieve them.
+//! how it should receive them.
 use crate::attribute::Attribute;
 use serde::{Deserialize, Serialize};
diff --git a/server/core/templates/login.html b/server/core/templates/login.html
index e1a0567e6..9a5b89e63 100644
--- a/server/core/templates/login.html
+++ b/server/core/templates/login.html
@@ -36,7 +36,8 @@
 class="d-none"
 id="totp"
 name="totp"
- type="number"
+ type="text"
+ inputmode="numeric"
 autocomplete="one-time-code"
 value=""
 />
diff --git a/server/core/templates/login_totp.html b/server/core/templates/login_totp.html
index 3bbf391b4..5a17dc5cd 100644
--- a/server/core/templates/login_totp.html
+++ b/server/core/templates/login_totp.html
@@ -15,7 +15,8 @@
 class="autofocus form-control"
 id="totp"
 name="totp"
- type="number"
+ type="text"
+ inputmode="numeric"
 autocomplete="one-time-code"
 value="(( totp ))"
 required=true
diff --git a/tools/cli/src/cli/person.rs b/tools/cli/src/cli/person.rs
index 98be76acf..0626af6c5 100644
--- a/tools/cli/src/cli/person.rs
+++ b/tools/cli/src/cli/person.rs
@@ -1219,7 +1219,7 @@ async fn sshkey_add_prompt(session_token: &CUSessionToken, client: &KanidmClient
 ClientErrorHttp(_, Some(DuplicateKey), _) => {
 eprintln!("SSH Public Key already exists in this account");
 }
- _ => eprintln!("An error occured -> {:?}", err),
+ _ => eprintln!("An error occurred -> {:?}", err),
 }
 break;
 } else {
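Review bot: Dropping `type="number"` for `type="text"` removes the only client-side restriction on the `totp` field in both the login.html and login_totp.html hunks, so the server-side parse of that form value is now the sole thing rejecting non-digit or over-long submissions; it presumably already parses the code strictly, but that is worth confirming since neither template carries `pattern`, `minlength` or `maxlength`. `inputmode="numeric"` is a keyboard hint rather than validation, and older iOS Safari releases that predate `inputmode` support selected the numeric keypad from `pattern="[0-9]*"` instead. Adding `pattern="[0-9]*"` directly under the new `inputmode="numeric"` line in each template keeps a digit-only hint for those browsers and lets the browser flag stray characters before submit, without relying on it for security.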
@@ -1249,7 +1249,7 @@ async fn sshkey_remove_prompt(session_token: &CUSessionToken, client: &KanidmCli
 ClientErrorHttp(_, Some(NoMatchingEntries), _) => {
 eprintln!("SSH Public Key does not exist. Keys were NOT removed.");
 }
- _ => eprintln!("An error occured -> {:?}", err),
+ _ => eprintln!("An error occurred -> {:?}", err),
 }
 } else {
 println!("Successfully removed SSH Public Key");
diff --git a/tools/cli/src/opt/kanidm.rs b/tools/cli/src/opt/kanidm.rs
index eb47614f2..7b3ba4180 100644
--- a/tools/cli/src/opt/kanidm.rs
+++ b/tools/cli/src/opt/kanidm.rs
@@ -1147,7 +1147,7 @@ pub enum Oauth2Opt {
 DisablePkce(Named),
 #[clap(name = "warning-enable-legacy-crypto")]
 /// Enable legacy signing crypto on this oauth2 client. This defaults to being disabled.
- /// You only need to enable this for openid clients that do not support modern crytopgraphic
+ /// You only need to enable this for openid clients that do not support modern cryptographic
 /// operations.
 EnableLegacyCrypto(Named),
 /// Disable legacy signing crypto on this oauth2 client. This is the default.
diff --git a/unix_integration/pam_kanidm/src/core.rs b/unix_integration/pam_kanidm/src/core.rs
index cb5954ceb..79d3ea960 100644
--- a/unix_integration/pam_kanidm/src/core.rs
+++ b/unix_integration/pam_kanidm/src/core.rs
@@ -140,7 +140,7 @@ pub fn sm_authenticate_connected(
 let client_response = match daemon_client.call_and_wait(&req, timeout) {
 Ok(r) => r,
 Err(err) => {
- // Something unrecoverable occured, bail and stop everything
+ // Something unrecoverable occurred, bail and stop everything
 error!(?err, "PAM_AUTH_ERR");
 return PamResultCode::PAM_AUTH_ERR;
 }
diff --git a/unix_integration/resolver/debian/kanidm_unix_int.kanidm-unixd.service b/unix_integration/resolver/debian/kanidm_unix_int.kanidm-unixd.service
index c773e6cda..954ec8aa7 100644
--- a/unix_integration/resolver/debian/kanidm_unix_int.kanidm-unixd.service
+++ b/unix_integration/resolver/debian/kanidm_unix_int.kanidm-unixd.service
@@ -7,7 +7,7 @@ After=chronyd.service nscd.service ntpd.service network-online.target
 Before=systemd-user-sessions.service sshd.service nss-user-lookup.target
 Wants=nss-user-lookup.target
 # While it seems confusing, we need to be after nscd.service so that the
-# Conflicts will triger and then automatically stop it.
+# Conflicts will trigger and then automatically stop it.
 Conflicts=nscd.service
 [Service]
diff --git a/unix_integration/resolver/src/idprovider/interface.rs b/unix_integration/resolver/src/idprovider/interface.rs
index 9fb32ae12..b0de997cf 100644
--- a/unix_integration/resolver/src/idprovider/interface.rs
+++ b/unix_integration/resolver/src/idprovider/interface.rs
@@ -159,7 +159,7 @@ pub enum AuthRequest {
 MFAPoll {
 /// Message to display to the user.
 msg: String,
- /// Interval in seconds between poll attemts.
+ /// Interval in seconds between poll attempts.
 polling_interval: u32,
 },
 MFAPollWait,
@@ -209,7 +209,7 @@ pub trait IdProvider {
 async fn attempt_online(&self, _tpm: &mut tpm::BoxedDynTpm, _now: SystemTime) -> bool;
 /// Mark that this provider should attempt to go online next time it
- /// recieves a request
+ /// receives a request
 async fn mark_next_check(&self, _now: SystemTime);
 /// Force this provider offline immediately.
diff --git a/unix_integration/resolver/src/resolver.rs b/unix_integration/resolver/src/resolver.rs
index 8204ca062..d640b87dc 100644
--- a/unix_integration/resolver/src/resolver.rs
+++ b/unix_integration/resolver/src/resolver.rs
@@ -51,7 +51,7 @@ pub enum AuthSession {
 token: Option>,
 cred_handler: AuthCredHandler,
 /// Some authentication operations may need to spawn background tasks. These tasks need
- /// to know when to stop as the caller has disconnected. This reciever allows that, so
+ /// to know when to stop as the caller has disconnected. This receiver allows that, so
 /// that tasks which .resubscribe() to this channel can then select! on it and be notified
 /// when they need to stop.
 shutdown_rx: broadcast::Receiver<()>,