diff --git a/Cargo.lock b/Cargo.lock
index 743d6a71b..8966ec825 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -953,9 +953,9 @@ dependencies = [
[[package]]
name = "crossbeam-channel"
-version = "0.5.14"
+version = "0.5.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "06ba6d68e24814cb8de6bb986db8222d3a027d15872cabc0d18817bc3c0e4471"
+checksum = "82b8f8f868b36967f9606790d1903570de9ceaf870a7bf9fbbd3016d636a2cb2"
dependencies = [
"crossbeam-utils",
]
@@ -1600,12 +1600,12 @@ dependencies = [
[[package]]
name = "fs4"
-version = "0.12.0"
+version = "0.13.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c29c30684418547d476f0b48e84f4821639119c483b1eccd566c8cd0cd05f521"
+checksum = "8640e34b88f7652208ce9e88b1a37a2ae95227d84abec377ccd3c5cfeb141ed4"
dependencies = [
- "rustix 0.38.44",
- "windows-sys 0.52.0",
+ "rustix 1.0.3",
+ "windows-sys 0.59.0",
]
[[package]]
@@ -3076,6 +3076,8 @@ dependencies = [
"futures",
"kanidm_build_profiles",
"kanidm_proto",
+ "kanidm_utils_users",
+ "selinux",
"serde",
"serde_json",
"serde_with",
@@ -3982,9 +3984,9 @@ checksum = "c2806eaa3524762875e21c3dcd057bc4b7bfa01ce4da8d46be1cd43649e1cc6b"
[[package]]
name = "openssl"
-version = "0.10.71"
+version = "0.10.72"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5e14130c6a98cd258fdcb0fb6d744152343ff729cbfcb28c656a9d12b999fbcd"
+checksum = "fedfea7d58a1f73118430a55da6a286e7b044961736ce96a16a17068ea25e5da"
dependencies = [
"bitflags 2.9.0",
"cfg-if",
@@ -4014,9 +4016,9 @@ checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e"
[[package]]
name = "openssl-sys"
-version = "0.9.106"
+version = "0.9.107"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8bb61ea9811cc39e3c2069f40b8b8e2e70d8569b361f879786cc7ed48b777cdd"
+checksum = "8288979acd84749c744a9014b4382d42b8f7b2592847b5afb2ed29e5d16ede07"
dependencies = [
"cc",
"libc",
@@ -5683,9 +5685,9 @@ dependencies = [
[[package]]
name = "tokio"
-version = "1.44.1"
+version = "1.44.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f382da615b842244d4b8738c82ed1275e6c5dd90c459a30941cd07080b06c91a"
+checksum = "e6b88822cbe49de4185e3a4cbf8321dd487cf5fe0c5c65695fef6346371e9c48"
dependencies = [
"backtrace",
"bytes",
diff --git a/Cargo.toml b/Cargo.toml
index 863bfa9b4..714e658ba 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -173,7 +173,7 @@ dhat = "0.3.3"
dyn-clone = "^1.0.17"
fernet = "^0.2.1"
filetime = "^0.2.24"
-fs4 = "^0.12.0"
+fs4 = "^0.13.0"
futures = "^0.3.31"
futures-util = { version = "^0.3.30", features = ["sink"] }
gix = { version = "0.64.0", default-features = false }
@@ -212,7 +212,7 @@ notify-debouncer-full = { version = "0.5" }
num_enum = "^0.5.11"
oauth2_ext = { version = "^4.4.2", package = "oauth2", default-features = false }
openssl-sys = "^0.9"
-openssl = "^0.10.70"
+openssl = "^0.10.72"
opentelemetry = { version = "0.27.0" }
opentelemetry_api = { version = "0.27.0", features = ["logs", "metrics"] }
@@ -270,7 +270,7 @@ tempfile = "3.15.0"
testkit-macros = { path = "./server/testkit-macros" }
time = { version = "^0.3.36", features = ["formatting", "local-offset"] }
-tokio = "^1.43.0"
+tokio = "^1.44.2"
tokio-openssl = "^0.6.5"
tokio-util = "^0.7.13"
diff --git a/libs/crypto/src/crypt_md5.rs b/libs/crypto/src/crypt_md5.rs
index 9a5120048..2a81438a3 100644
--- a/libs/crypto/src/crypt_md5.rs
+++ b/libs/crypto/src/crypt_md5.rs
@@ -8,7 +8,7 @@ const MD5_TRANSPOSE: &[u8] = b"\x0c\x06\x00\x0d\x07\x01\x0e\x08\x02\x0f\x09\x03\
const CRYPT_HASH64: &[u8] = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
pub fn md5_sha2_hash64_encode(bs: &[u8]) -> String {
- let ngroups = (bs.len() + 2) / 3;
+ let ngroups = bs.len().div_ceil(3);
let mut out = String::with_capacity(ngroups * 4);
for g in 0..ngroups {
let mut g_idx = g * 3;
diff --git a/pykanidm/poetry.lock b/pykanidm/poetry.lock
index 4c9d703ec..d4146417b 100644
--- a/pykanidm/poetry.lock
+++ b/pykanidm/poetry.lock
@@ -14,93 +14,93 @@ files = [
[[package]]
name = "aiohttp"
-version = "3.11.16"
+version = "3.11.17"
description = "Async http client/server framework (asyncio)"
optional = false
python-versions = ">=3.9"
groups = ["main", "dev"]
files = [
- {file = "aiohttp-3.11.16-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:fb46bb0f24813e6cede6cc07b1961d4b04f331f7112a23b5e21f567da4ee50aa"},
- {file = "aiohttp-3.11.16-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:54eb3aead72a5c19fad07219acd882c1643a1027fbcdefac9b502c267242f955"},
- {file = "aiohttp-3.11.16-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:38bea84ee4fe24ebcc8edeb7b54bf20f06fd53ce4d2cc8b74344c5b9620597fd"},
- {file = "aiohttp-3.11.16-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d0666afbe984f6933fe72cd1f1c3560d8c55880a0bdd728ad774006eb4241ecd"},
- {file = "aiohttp-3.11.16-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:7ba92a2d9ace559a0a14b03d87f47e021e4fa7681dc6970ebbc7b447c7d4b7cd"},
- {file = "aiohttp-3.11.16-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:3ad1d59fd7114e6a08c4814983bb498f391c699f3c78712770077518cae63ff7"},
- {file = "aiohttp-3.11.16-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:98b88a2bf26965f2015a771381624dd4b0839034b70d406dc74fd8be4cc053e3"},
- {file = "aiohttp-3.11.16-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:576f5ca28d1b3276026f7df3ec841ae460e0fc3aac2a47cbf72eabcfc0f102e1"},
- {file = "aiohttp-3.11.16-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:a2a450bcce4931b295fc0848f384834c3f9b00edfc2150baafb4488c27953de6"},
- {file = "aiohttp-3.11.16-cp310-cp310-musllinux_1_2_armv7l.whl", hash = "sha256:37dcee4906454ae377be5937ab2a66a9a88377b11dd7c072df7a7c142b63c37c"},
- {file = "aiohttp-3.11.16-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:4d0c970c0d602b1017e2067ff3b7dac41c98fef4f7472ec2ea26fd8a4e8c2149"},
- {file = "aiohttp-3.11.16-cp310-cp310-musllinux_1_2_ppc64le.whl", hash = "sha256:004511d3413737700835e949433536a2fe95a7d0297edd911a1e9705c5b5ea43"},
- {file = "aiohttp-3.11.16-cp310-cp310-musllinux_1_2_s390x.whl", hash = "sha256:c15b2271c44da77ee9d822552201180779e5e942f3a71fb74e026bf6172ff287"},
- {file = "aiohttp-3.11.16-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:ad9509ffb2396483ceacb1eee9134724443ee45b92141105a4645857244aecc8"},
- {file = "aiohttp-3.11.16-cp310-cp310-win32.whl", hash = "sha256:634d96869be6c4dc232fc503e03e40c42d32cfaa51712aee181e922e61d74814"},
- {file = "aiohttp-3.11.16-cp310-cp310-win_amd64.whl", hash = "sha256:938f756c2b9374bbcc262a37eea521d8a0e6458162f2a9c26329cc87fdf06534"},
- {file = "aiohttp-3.11.16-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:8cb0688a8d81c63d716e867d59a9ccc389e97ac7037ebef904c2b89334407180"},
- {file = "aiohttp-3.11.16-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:0ad1fb47da60ae1ddfb316f0ff16d1f3b8e844d1a1e154641928ea0583d486ed"},
- {file = "aiohttp-3.11.16-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:df7db76400bf46ec6a0a73192b14c8295bdb9812053f4fe53f4e789f3ea66bbb"},
- {file = "aiohttp-3.11.16-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:cc3a145479a76ad0ed646434d09216d33d08eef0d8c9a11f5ae5cdc37caa3540"},
- {file = "aiohttp-3.11.16-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:d007aa39a52d62373bd23428ba4a2546eed0e7643d7bf2e41ddcefd54519842c"},
- {file = "aiohttp-3.11.16-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f6ddd90d9fb4b501c97a4458f1c1720e42432c26cb76d28177c5b5ad4e332601"},
- {file = "aiohttp-3.11.16-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0a2f451849e6b39e5c226803dcacfa9c7133e9825dcefd2f4e837a2ec5a3bb98"},
- {file = "aiohttp-3.11.16-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:8df6612df74409080575dca38a5237282865408016e65636a76a2eb9348c2567"},
- {file = "aiohttp-3.11.16-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:78e6e23b954644737e385befa0deb20233e2dfddf95dd11e9db752bdd2a294d3"},
- {file = "aiohttp-3.11.16-cp311-cp311-musllinux_1_2_armv7l.whl", hash = "sha256:696ef00e8a1f0cec5e30640e64eca75d8e777933d1438f4facc9c0cdf288a810"},
- {file = "aiohttp-3.11.16-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:e3538bc9fe1b902bef51372462e3d7c96fce2b566642512138a480b7adc9d508"},
- {file = "aiohttp-3.11.16-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:3ab3367bb7f61ad18793fea2ef71f2d181c528c87948638366bf1de26e239183"},
- {file = "aiohttp-3.11.16-cp311-cp311-musllinux_1_2_s390x.whl", hash = "sha256:56a3443aca82abda0e07be2e1ecb76a050714faf2be84256dae291182ba59049"},
- {file = "aiohttp-3.11.16-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:61c721764e41af907c9d16b6daa05a458f066015abd35923051be8705108ed17"},
- {file = "aiohttp-3.11.16-cp311-cp311-win32.whl", hash = "sha256:3e061b09f6fa42997cf627307f220315e313ece74907d35776ec4373ed718b86"},
- {file = "aiohttp-3.11.16-cp311-cp311-win_amd64.whl", hash = "sha256:745f1ed5e2c687baefc3c5e7b4304e91bf3e2f32834d07baaee243e349624b24"},
- {file = "aiohttp-3.11.16-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:911a6e91d08bb2c72938bc17f0a2d97864c531536b7832abee6429d5296e5b27"},
- {file = "aiohttp-3.11.16-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:6ac13b71761e49d5f9e4d05d33683bbafef753e876e8e5a7ef26e937dd766713"},
- {file = "aiohttp-3.11.16-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:fd36c119c5d6551bce374fcb5c19269638f8d09862445f85a5a48596fd59f4bb"},
- {file = "aiohttp-3.11.16-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d489d9778522fbd0f8d6a5c6e48e3514f11be81cb0a5954bdda06f7e1594b321"},
- {file = "aiohttp-3.11.16-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:69a2cbd61788d26f8f1e626e188044834f37f6ae3f937bd9f08b65fc9d7e514e"},
- {file = "aiohttp-3.11.16-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:cd464ba806e27ee24a91362ba3621bfc39dbbb8b79f2e1340201615197370f7c"},
- {file = "aiohttp-3.11.16-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1ce63ae04719513dd2651202352a2beb9f67f55cb8490c40f056cea3c5c355ce"},
- {file = "aiohttp-3.11.16-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:09b00dd520d88eac9d1768439a59ab3d145065c91a8fab97f900d1b5f802895e"},
- {file = "aiohttp-3.11.16-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:7f6428fee52d2bcf96a8aa7b62095b190ee341ab0e6b1bcf50c615d7966fd45b"},
- {file = "aiohttp-3.11.16-cp312-cp312-musllinux_1_2_armv7l.whl", hash = "sha256:13ceac2c5cdcc3f64b9015710221ddf81c900c5febc505dbd8f810e770011540"},
- {file = "aiohttp-3.11.16-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:fadbb8f1d4140825069db3fedbbb843290fd5f5bc0a5dbd7eaf81d91bf1b003b"},
- {file = "aiohttp-3.11.16-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:6a792ce34b999fbe04a7a71a90c74f10c57ae4c51f65461a411faa70e154154e"},
- {file = "aiohttp-3.11.16-cp312-cp312-musllinux_1_2_s390x.whl", hash = "sha256:f4065145bf69de124accdd17ea5f4dc770da0a6a6e440c53f6e0a8c27b3e635c"},
- {file = "aiohttp-3.11.16-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:fa73e8c2656a3653ae6c307b3f4e878a21f87859a9afab228280ddccd7369d71"},
- {file = "aiohttp-3.11.16-cp312-cp312-win32.whl", hash = "sha256:f244b8e541f414664889e2c87cac11a07b918cb4b540c36f7ada7bfa76571ea2"},
- {file = "aiohttp-3.11.16-cp312-cp312-win_amd64.whl", hash = "sha256:23a15727fbfccab973343b6d1b7181bfb0b4aa7ae280f36fd2f90f5476805682"},
- {file = "aiohttp-3.11.16-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:a3814760a1a700f3cfd2f977249f1032301d0a12c92aba74605cfa6ce9f78489"},
- {file = "aiohttp-3.11.16-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:9b751a6306f330801665ae69270a8a3993654a85569b3469662efaad6cf5cc50"},
- {file = "aiohttp-3.11.16-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:ad497f38a0d6c329cb621774788583ee12321863cd4bd9feee1effd60f2ad133"},
- {file = "aiohttp-3.11.16-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ca37057625693d097543bd88076ceebeb248291df9d6ca8481349efc0b05dcd0"},
- {file = "aiohttp-3.11.16-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a5abcbba9f4b463a45c8ca8b7720891200658f6f46894f79517e6cd11f3405ca"},
- {file = "aiohttp-3.11.16-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f420bfe862fb357a6d76f2065447ef6f484bc489292ac91e29bc65d2d7a2c84d"},
- {file = "aiohttp-3.11.16-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:58ede86453a6cf2d6ce40ef0ca15481677a66950e73b0a788917916f7e35a0bb"},
- {file = "aiohttp-3.11.16-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:6fdec0213244c39973674ca2a7f5435bf74369e7d4e104d6c7473c81c9bcc8c4"},
- {file = "aiohttp-3.11.16-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:72b1b03fb4655c1960403c131740755ec19c5898c82abd3961c364c2afd59fe7"},
- {file = "aiohttp-3.11.16-cp313-cp313-musllinux_1_2_armv7l.whl", hash = "sha256:780df0d837276276226a1ff803f8d0fa5f8996c479aeef52eb040179f3156cbd"},
- {file = "aiohttp-3.11.16-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:ecdb8173e6c7aa09eee342ac62e193e6904923bd232e76b4157ac0bfa670609f"},
- {file = "aiohttp-3.11.16-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:a6db7458ab89c7d80bc1f4e930cc9df6edee2200127cfa6f6e080cf619eddfbd"},
- {file = "aiohttp-3.11.16-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:2540ddc83cc724b13d1838026f6a5ad178510953302a49e6d647f6e1de82bc34"},
- {file = "aiohttp-3.11.16-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:3b4e6db8dc4879015b9955778cfb9881897339c8fab7b3676f8433f849425913"},
- {file = "aiohttp-3.11.16-cp313-cp313-win32.whl", hash = "sha256:493910ceb2764f792db4dc6e8e4b375dae1b08f72e18e8f10f18b34ca17d0979"},
- {file = "aiohttp-3.11.16-cp313-cp313-win_amd64.whl", hash = "sha256:42864e70a248f5f6a49fdaf417d9bc62d6e4d8ee9695b24c5916cb4bb666c802"},
- {file = "aiohttp-3.11.16-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:bbcba75fe879ad6fd2e0d6a8d937f34a571f116a0e4db37df8079e738ea95c71"},
- {file = "aiohttp-3.11.16-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:87a6e922b2b2401e0b0cf6b976b97f11ec7f136bfed445e16384fbf6fd5e8602"},
- {file = "aiohttp-3.11.16-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:ccf10f16ab498d20e28bc2b5c1306e9c1512f2840f7b6a67000a517a4b37d5ee"},
- {file = "aiohttp-3.11.16-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:fb3d0cc5cdb926090748ea60172fa8a213cec728bd6c54eae18b96040fcd6227"},
- {file = "aiohttp-3.11.16-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:d07502cc14ecd64f52b2a74ebbc106893d9a9717120057ea9ea1fd6568a747e7"},
- {file = "aiohttp-3.11.16-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:776c8e959a01e5e8321f1dec77964cb6101020a69d5a94cd3d34db6d555e01f7"},
- {file = "aiohttp-3.11.16-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0902e887b0e1d50424112f200eb9ae3dfed6c0d0a19fc60f633ae5a57c809656"},
- {file = "aiohttp-3.11.16-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:e87fd812899aa78252866ae03a048e77bd11b80fb4878ce27c23cade239b42b2"},
- {file = "aiohttp-3.11.16-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:0a950c2eb8ff17361abd8c85987fd6076d9f47d040ebffce67dce4993285e973"},
- {file = "aiohttp-3.11.16-cp39-cp39-musllinux_1_2_armv7l.whl", hash = "sha256:c10d85e81d0b9ef87970ecbdbfaeec14a361a7fa947118817fcea8e45335fa46"},
- {file = "aiohttp-3.11.16-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:7951decace76a9271a1ef181b04aa77d3cc309a02a51d73826039003210bdc86"},
- {file = "aiohttp-3.11.16-cp39-cp39-musllinux_1_2_ppc64le.whl", hash = "sha256:14461157d8426bcb40bd94deb0450a6fa16f05129f7da546090cebf8f3123b0f"},
- {file = "aiohttp-3.11.16-cp39-cp39-musllinux_1_2_s390x.whl", hash = "sha256:9756d9b9d4547e091f99d554fbba0d2a920aab98caa82a8fb3d3d9bee3c9ae85"},
- {file = "aiohttp-3.11.16-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:87944bd16b7fe6160607f6a17808abd25f17f61ae1e26c47a491b970fb66d8cb"},
- {file = "aiohttp-3.11.16-cp39-cp39-win32.whl", hash = "sha256:92b7ee222e2b903e0a4b329a9943d432b3767f2d5029dbe4ca59fb75223bbe2e"},
- {file = "aiohttp-3.11.16-cp39-cp39-win_amd64.whl", hash = "sha256:17ae4664031aadfbcb34fd40ffd90976671fa0c0286e6c4113989f78bebab37a"},
- {file = "aiohttp-3.11.16.tar.gz", hash = "sha256:16f8a2c9538c14a557b4d309ed4d0a7c60f0253e8ed7b6c9a2859a7582f8b1b8"},
+ {file = "aiohttp-3.11.17-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:67eaabe31454d68503ddc10d805944187787b4351600aedda1724f75f3f20b6c"},
+ {file = "aiohttp-3.11.17-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:7c73371bb91660eb7971336883eb05ebf3e912a0a183f5029fe6200285dd858e"},
+ {file = "aiohttp-3.11.17-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:78568d883e7cabf31f110a87bb02cee70e32bbb419eed974027c26ac6be18add"},
+ {file = "aiohttp-3.11.17-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3d5f480d3e35a139f0bd31d9037047cc18d6f362d1b06243b694a40f1a658ba8"},
+ {file = "aiohttp-3.11.17-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:562b47fa14712e47ae7b6cf31998a4c888c35a904845e27f5ec2fc51401304e7"},
+ {file = "aiohttp-3.11.17-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:3875dd6571d2709697835cf5e4e7e0e1bf1d6e3aeec21b7766bbd50d9a97b8a3"},
+ {file = "aiohttp-3.11.17-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9d9130c4380bb02a308c79a25d9b82e642e21bea5ad453553f35f2d490ac47bd"},
+ {file = "aiohttp-3.11.17-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:71ee4844e4680e69d2acb462073b147a4c2dd6813c30c61979399feddc63b322"},
+ {file = "aiohttp-3.11.17-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:e40eceff6ca85d68d07ebd1533f13727261d17b4bef7a518a6882b8448c83106"},
+ {file = "aiohttp-3.11.17-cp310-cp310-musllinux_1_2_armv7l.whl", hash = "sha256:fd89c4399ca67c0d2939211ecf8415747f4e2d855580f1efd9598eff433499ac"},
+ {file = "aiohttp-3.11.17-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:9b62134921162627482056379740998c54d51412a7e678a4d84a5510d6f634a7"},
+ {file = "aiohttp-3.11.17-cp310-cp310-musllinux_1_2_ppc64le.whl", hash = "sha256:3e27e266396db6d6eee76769f66b356020b22e7ae8d7d4d47c9ced6bc53c62a0"},
+ {file = "aiohttp-3.11.17-cp310-cp310-musllinux_1_2_s390x.whl", hash = "sha256:0e93c46b7cc7476130bd396d63eafc6c458e74eddd1a1c65a2ac8e4bdb4cf1d1"},
+ {file = "aiohttp-3.11.17-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:7903749414023ad7d0a46cd4816d9ac99be7552635a0b3deae0b2c9a51d0cfa6"},
+ {file = "aiohttp-3.11.17-cp310-cp310-win32.whl", hash = "sha256:de96c4aba1506b225cf1ab750fdd60e1f8d9d23add6431150a43fbef0542fe18"},
+ {file = "aiohttp-3.11.17-cp310-cp310-win_amd64.whl", hash = "sha256:c08753a2c4d6f9175b234fd1ee227fc68a3c95ee09d52447af25b1ecb99d5886"},
+ {file = "aiohttp-3.11.17-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:9c10ede918e0d1edf9ef75cedb9ab303e509d0616020ecea42c427e3694a4d63"},
+ {file = "aiohttp-3.11.17-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:127696d62e66badc3b554832343df031fd0012f080002d9074cfb735ce9c677e"},
+ {file = "aiohttp-3.11.17-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:26ac39d318507a7fb79b4eee31d7f92a7198d22c0d26d2c2dee4c945172ee509"},
+ {file = "aiohttp-3.11.17-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:cb8e28f9b3b15ab1d840a7ffe0d7b63ee8bb01ef68c611f2ddbd5f96fa5f0e53"},
+ {file = "aiohttp-3.11.17-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:01e9d930cea36405ccdcde45921a29c7e22e0b581fc570f630d72a5bcac56c8c"},
+ {file = "aiohttp-3.11.17-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:dad404c74f4aad90b181db75d79338e87c852e638460003c78bdfd92c07fff3b"},
+ {file = "aiohttp-3.11.17-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:bf30c77f5ddb1ccf568881f9076d0840f0b9a9c94dabe03126474768f951a48a"},
+ {file = "aiohttp-3.11.17-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:1987db5cb7e2c21693047f8f3c07df7bed3cb13403e5df5f684fe6a8478eff85"},
+ {file = "aiohttp-3.11.17-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:612a5bc4e56a52986e89f1439fca86b765682613fdebc71c01de46736b33bd34"},
+ {file = "aiohttp-3.11.17-cp311-cp311-musllinux_1_2_armv7l.whl", hash = "sha256:398a021a7207a04960a8165f53f59e0c0b7cd54fe69ab7f0895f105e391a7964"},
+ {file = "aiohttp-3.11.17-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:e70a3672c734e6d792903e7b22d2f514ed8cbfa27c4a8e9171191da5c7d3c3b1"},
+ {file = "aiohttp-3.11.17-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:b51c9b38d904957ff2df58bf72874634d674b228c03f5d48e143996a8da5c819"},
+ {file = "aiohttp-3.11.17-cp311-cp311-musllinux_1_2_s390x.whl", hash = "sha256:a689fca65127d7599cfb0123c7dccb32d7eebe009d20bfa69ce93aff143dbbc1"},
+ {file = "aiohttp-3.11.17-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:23120ea57904cfd920791afe5a780151cd8e99b039c35c38bb8a0d3e35af049b"},
+ {file = "aiohttp-3.11.17-cp311-cp311-win32.whl", hash = "sha256:07e2c1c06c15cb95721670a69f3cbb1dae22b0914de6e362dba2228b6dd675e7"},
+ {file = "aiohttp-3.11.17-cp311-cp311-win_amd64.whl", hash = "sha256:5e245caba8842f176ecc8ae1fde1ef0c89669614cb379c32e069cd0b96b3547f"},
+ {file = "aiohttp-3.11.17-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:03ee8b587cc7bd345552235cd7117097c169f3a531a7239dc9a3c6b6db1cf46a"},
+ {file = "aiohttp-3.11.17-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:2bd255da118f96446567d9870621a07b8f36b1130826b07f2910ef1aeb4a85c0"},
+ {file = "aiohttp-3.11.17-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:2620d1cbeb688094045f06000b5b6127df2eb768cae07d95137b0e998cd6ce04"},
+ {file = "aiohttp-3.11.17-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:9eac3842f3258c77d35bfe93356fedbc6e5e943fd056534be71b694289b36973"},
+ {file = "aiohttp-3.11.17-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:626dffeeeee34f2b5a327df05d6cb48ecfabcb141d56590d3c779accedc62d88"},
+ {file = "aiohttp-3.11.17-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:aded01d2bda55b2f62a361a2d55f8c9c04436eff6220e579ca7fb72cfe68b48a"},
+ {file = "aiohttp-3.11.17-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0b830715cb818efc4fbd7b9631661e3498b068f23680982d7586103333b0d4df"},
+ {file = "aiohttp-3.11.17-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:3ac7ac3d0a7ab5ce1076c788640274f594397603381747b3d4142beec004c44a"},
+ {file = "aiohttp-3.11.17-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:9dba68088ecdd16b306513463f7e295699bc52bb09573d2bc3ff3d0e7bdc34ff"},
+ {file = "aiohttp-3.11.17-cp312-cp312-musllinux_1_2_armv7l.whl", hash = "sha256:80ba863e1e1055577f27a484b0f002b31297432016262d5f9d2dab5c6d21c5ad"},
+ {file = "aiohttp-3.11.17-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:003c955924fa7d1b100599ce4f5da3ce68bd151b81b5a8c18369ba585766ed31"},
+ {file = "aiohttp-3.11.17-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:6e615b94364f7ea0dc95922c351e106ffb2eded09ffd7a7102ab2e202d17bdaa"},
+ {file = "aiohttp-3.11.17-cp312-cp312-musllinux_1_2_s390x.whl", hash = "sha256:05eb25fa6e5495b3866a3b974fe3b214d5a0b6bb862cd54b7ec4d997948aa12c"},
+ {file = "aiohttp-3.11.17-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:3a3fb727360af3e94667e243cb21cf5069c0df9a70adcc81751136d53f526bc6"},
+ {file = "aiohttp-3.11.17-cp312-cp312-win32.whl", hash = "sha256:93a7cfacf28887ddebd9c697d590002e8d52ac51acb4faf0d00abe1bb791339e"},
+ {file = "aiohttp-3.11.17-cp312-cp312-win_amd64.whl", hash = "sha256:c43311c94200a63e31b62e82872c6dd43fe904cbb8f161c830bfe65c17583658"},
+ {file = "aiohttp-3.11.17-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:57de66477af1176b3d25058594000eb32d21f82039909ef1bf865fe666c8c0ea"},
+ {file = "aiohttp-3.11.17-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:d0d119d1e6d5bf930b285285aec70d66b7a7efa4914231441c7f606e86ca17e2"},
+ {file = "aiohttp-3.11.17-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:d0966f0c14be863cb51e0aa56366c45a2331f46a64347b49a0e9c687c72d43c1"},
+ {file = "aiohttp-3.11.17-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f24d2b1f2516953b001736f82be7cf5d3234fc90e82a2d9a33ad8cdffb28f4c5"},
+ {file = "aiohttp-3.11.17-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:3197cd39307747127f7a3489b6aca4286c7613e8509e65f46702831136257d12"},
+ {file = "aiohttp-3.11.17-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:3e4d134b96448c955e3e29e4026ee499441182bfd92f293accfa1cf1525a061b"},
+ {file = "aiohttp-3.11.17-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:20c68e4411440209fd64abfb27ff5e09e5a59a0fab4dbd07808e762e6fada670"},
+ {file = "aiohttp-3.11.17-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:1131f61afa4a4800fd5770ab13b1587bf4d07a0a561ee6f30f58c2300675ec3b"},
+ {file = "aiohttp-3.11.17-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:d3d4a383935ed1e39109e43535230b7e61781348fc2cf52c1006ae663dcbbc73"},
+ {file = "aiohttp-3.11.17-cp313-cp313-musllinux_1_2_armv7l.whl", hash = "sha256:ada2a986cdec0caa51ee787b838441eeece50cd1ea075053fef51e0c995114b4"},
+ {file = "aiohttp-3.11.17-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:a118aae8008e209f100396bbd2d1d798aaa43651202c65cd2664680dd27aa061"},
+ {file = "aiohttp-3.11.17-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:2bf50db2e855226363aecb78353593987bf9a0b593434814b4a1f09586a116a4"},
+ {file = "aiohttp-3.11.17-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:4f1c1db9470c9aa1ab45cee80b4b7db51fa4cfc01abc5e648d991266e676ac90"},
+ {file = "aiohttp-3.11.17-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:c4a92e2a228829c67f3c633a2329a8b85ed6cfe3b25047f48b4d51e92a655a87"},
+ {file = "aiohttp-3.11.17-cp313-cp313-win32.whl", hash = "sha256:8962df1a29794f3204863ea6d93001a3d77cb1c4ee87f8c7683fe3fb6ec27373"},
+ {file = "aiohttp-3.11.17-cp313-cp313-win_amd64.whl", hash = "sha256:71a1fd6421056980280fe490f211fe0f0c385271b42fb1440c4abcd891b2133a"},
+ {file = "aiohttp-3.11.17-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:be033aceea6a8cd03cc2e2b6936beb485bb6b71907ad5a0e78bb942857b4f468"},
+ {file = "aiohttp-3.11.17-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:e7874d1e620159c18c99b87f37c45a8c30abbba2678d31ae3409d7c00c995f62"},
+ {file = "aiohttp-3.11.17-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:919b411fae2376d5b78901949e556bd646e5de16e0631aed5a1b00ad55b5ec40"},
+ {file = "aiohttp-3.11.17-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:dffeb59c7f3414fd4da384cf76428c59b754e80d4b10d8e5d7018bed135d554d"},
+ {file = "aiohttp-3.11.17-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:6ff5a5c9afbdaff09bf7b4a0655f1084d6c9f562fc33df8c0f7a785480405cf8"},
+ {file = "aiohttp-3.11.17-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:1e4122d386a1695aee05f49a8bb4ff69c0e74b2b9db80a4d8157165327d07103"},
+ {file = "aiohttp-3.11.17-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:bcb753ca25397eac1d38c7112c7b910feabef198d4e411aa5957857795681a25"},
+ {file = "aiohttp-3.11.17-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:f29e0f47656b826d74034b612c11709842c20ebe373e398812208b84ec57f79a"},
+ {file = "aiohttp-3.11.17-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:56a5acb7a715a1a1ad8ed424f7cbb2dc2950dc8b20ae2d83c2117ba5751223b1"},
+ {file = "aiohttp-3.11.17-cp39-cp39-musllinux_1_2_armv7l.whl", hash = "sha256:da0bee7635aa12036269ef8a13fd0fa5549ccfe5eb9ef6c3f0ad7cc574f12e5e"},
+ {file = "aiohttp-3.11.17-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:adb504bdf0691101c7c4544e25545df467ea7239097ca6c67d01b27e500037b5"},
+ {file = "aiohttp-3.11.17-cp39-cp39-musllinux_1_2_ppc64le.whl", hash = "sha256:1c2e376d7f3fedb770106c40546d5f76a61e5ba3d4dac42cc60a8062022586cc"},
+ {file = "aiohttp-3.11.17-cp39-cp39-musllinux_1_2_s390x.whl", hash = "sha256:79ae28f78f0a4a18a308d61647e3ee9cc1e641cb3ad5531db059eff68f3ee63c"},
+ {file = "aiohttp-3.11.17-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:ac9f6cdb02e7376060c4243f17a402b8d895747d788426ef3b8799e7a28a4ee0"},
+ {file = "aiohttp-3.11.17-cp39-cp39-win32.whl", hash = "sha256:e3bddefb2cae68be01186c89d9a41024ae929aaf9e30b65d8977b719185f7e17"},
+ {file = "aiohttp-3.11.17-cp39-cp39-win_amd64.whl", hash = "sha256:8e72767d1798770acdf27a20c523b1cd29973e487f6397b181ef0e7c583acb46"},
+ {file = "aiohttp-3.11.17.tar.gz", hash = "sha256:2bf3ff374c3abd7a5c6c8de3ad7ed91e0e89a8b53353314c93766c3add5a208a"},
]
[package.dependencies]
@@ -1051,14 +1051,14 @@ pyyaml = ">=5.1"
[[package]]
name = "mkdocs-material"
-version = "9.6.11"
+version = "9.6.12"
description = "Documentation that simply works"
optional = false
python-versions = ">=3.8"
groups = ["dev"]
files = [
- {file = "mkdocs_material-9.6.11-py3-none-any.whl", hash = "sha256:47f21ef9cbf4f0ebdce78a2ceecaa5d413581a55141e4464902224ebbc0b1263"},
- {file = "mkdocs_material-9.6.11.tar.gz", hash = "sha256:0b7f4a0145c5074cdd692e4362d232fb25ef5b23328d0ec1ab287af77cc0deff"},
+ {file = "mkdocs_material-9.6.12-py3-none-any.whl", hash = "sha256:92b4fbdc329e4febc267ca6e2c51e8501fa97b2225c5f4deb4d4e43550f8e61e"},
+ {file = "mkdocs_material-9.6.12.tar.gz", hash = "sha256:add6a6337b29f9ea7912cb1efc661de2c369060b040eb5119855d794ea85b473"},
]
[package.dependencies]
@@ -1529,14 +1529,14 @@ files = [
[[package]]
name = "pydantic"
-version = "2.11.2"
+version = "2.11.3"
description = "Data validation using Python type hints"
optional = false
python-versions = ">=3.9"
groups = ["main", "dev"]
files = [
- {file = "pydantic-2.11.2-py3-none-any.whl", hash = "sha256:7f17d25846bcdf89b670a86cdfe7b29a9f1c9ca23dee154221c9aa81845cfca7"},
- {file = "pydantic-2.11.2.tar.gz", hash = "sha256:2138628e050bd7a1e70b91d4bf4a91167f4ad76fdb83209b107c8d84b854917e"},
+ {file = "pydantic-2.11.3-py3-none-any.whl", hash = "sha256:a082753436a07f9ba1289c6ffa01cd93db3548776088aa917cc43b63f68fa60f"},
+ {file = "pydantic-2.11.3.tar.gz", hash = "sha256:7471657138c16adad9322fe3070c0116dd6c3ad8d649300e3cbdfe91f4db4ec3"},
]
[package.dependencies]
@@ -2083,30 +2083,30 @@ files = [
[[package]]
name = "ruff"
-version = "0.11.4"
+version = "0.11.6"
description = "An extremely fast Python linter and code formatter, written in Rust."
optional = false
python-versions = ">=3.7"
groups = ["dev"]
files = [
- {file = "ruff-0.11.4-py3-none-linux_armv6l.whl", hash = "sha256:d9f4a761ecbde448a2d3e12fb398647c7f0bf526dbc354a643ec505965824ed2"},
- {file = "ruff-0.11.4-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:8c1747d903447d45ca3d40c794d1a56458c51e5cc1bc77b7b64bd2cf0b1626cc"},
- {file = "ruff-0.11.4-py3-none-macosx_11_0_arm64.whl", hash = "sha256:51a6494209cacca79e121e9b244dc30d3414dac8cc5afb93f852173a2ecfc906"},
- {file = "ruff-0.11.4-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3f171605f65f4fc49c87f41b456e882cd0c89e4ac9d58e149a2b07930e1d466f"},
- {file = "ruff-0.11.4-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:ebf99ea9af918878e6ce42098981fc8c1db3850fef2f1ada69fb1dcdb0f8e79e"},
- {file = "ruff-0.11.4-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:edad2eac42279df12e176564a23fc6f4aaeeb09abba840627780b1bb11a9d223"},
- {file = "ruff-0.11.4-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:f103a848be9ff379fc19b5d656c1f911d0a0b4e3e0424f9532ececf319a4296e"},
- {file = "ruff-0.11.4-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:193e6fac6eb60cc97b9f728e953c21cc38a20077ed64f912e9d62b97487f3f2d"},
- {file = "ruff-0.11.4-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:7af4e5f69b7c138be8dcffa5b4a061bf6ba6a3301f632a6bce25d45daff9bc99"},
- {file = "ruff-0.11.4-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:126b1bf13154aa18ae2d6c3c5efe144ec14b97c60844cfa6eb960c2a05188222"},
- {file = "ruff-0.11.4-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:e8806daaf9dfa881a0ed603f8a0e364e4f11b6ed461b56cae2b1c0cab0645304"},
- {file = "ruff-0.11.4-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:5d94bb1cc2fc94a769b0eb975344f1b1f3d294da1da9ddbb5a77665feb3a3019"},
- {file = "ruff-0.11.4-py3-none-musllinux_1_2_i686.whl", hash = "sha256:995071203d0fe2183fc7a268766fd7603afb9996785f086b0d76edee8755c896"},
- {file = "ruff-0.11.4-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:7a37ca937e307ea18156e775a6ac6e02f34b99e8c23fe63c1996185a4efe0751"},
- {file = "ruff-0.11.4-py3-none-win32.whl", hash = "sha256:0e9365a7dff9b93af933dab8aebce53b72d8f815e131796268709890b4a83270"},
- {file = "ruff-0.11.4-py3-none-win_amd64.whl", hash = "sha256:5a9fa1c69c7815e39fcfb3646bbfd7f528fa8e2d4bebdcf4c2bd0fa037a255fb"},
- {file = "ruff-0.11.4-py3-none-win_arm64.whl", hash = "sha256:d435db6b9b93d02934cf61ef332e66af82da6d8c69aefdea5994c89997c7a0fc"},
- {file = "ruff-0.11.4.tar.gz", hash = "sha256:f45bd2fb1a56a5a85fae3b95add03fb185a0b30cf47f5edc92aa0355ca1d7407"},
+ {file = "ruff-0.11.6-py3-none-linux_armv6l.whl", hash = "sha256:d84dcbe74cf9356d1bdb4a78cf74fd47c740bf7bdeb7529068f69b08272239a1"},
+ {file = "ruff-0.11.6-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:9bc583628e1096148011a5d51ff3c836f51899e61112e03e5f2b1573a9b726de"},
+ {file = "ruff-0.11.6-py3-none-macosx_11_0_arm64.whl", hash = "sha256:f2959049faeb5ba5e3b378709e9d1bf0cab06528b306b9dd6ebd2a312127964a"},
+ {file = "ruff-0.11.6-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:63c5d4e30d9d0de7fedbfb3e9e20d134b73a30c1e74b596f40f0629d5c28a193"},
+ {file = "ruff-0.11.6-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:26a4b9a4e1439f7d0a091c6763a100cef8fbdc10d68593df6f3cfa5abdd9246e"},
+ {file = "ruff-0.11.6-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:b5edf270223dd622218256569636dc3e708c2cb989242262fe378609eccf1308"},
+ {file = "ruff-0.11.6-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:f55844e818206a9dd31ff27f91385afb538067e2dc0beb05f82c293ab84f7d55"},
+ {file = "ruff-0.11.6-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:1d8f782286c5ff562e4e00344f954b9320026d8e3fae2ba9e6948443fafd9ffc"},
+ {file = "ruff-0.11.6-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:01c63ba219514271cee955cd0adc26a4083df1956d57847978383b0e50ffd7d2"},
+ {file = "ruff-0.11.6-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:15adac20ef2ca296dd3d8e2bedc6202ea6de81c091a74661c3666e5c4c223ff6"},
+ {file = "ruff-0.11.6-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:4dd6b09e98144ad7aec026f5588e493c65057d1b387dd937d7787baa531d9bc2"},
+ {file = "ruff-0.11.6-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:45b2e1d6c0eed89c248d024ea95074d0e09988d8e7b1dad8d3ab9a67017a5b03"},
+ {file = "ruff-0.11.6-py3-none-musllinux_1_2_i686.whl", hash = "sha256:bd40de4115b2ec4850302f1a1d8067f42e70b4990b68838ccb9ccd9f110c5e8b"},
+ {file = "ruff-0.11.6-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:77cda2dfbac1ab73aef5e514c4cbfc4ec1fbef4b84a44c736cc26f61b3814cd9"},
+ {file = "ruff-0.11.6-py3-none-win32.whl", hash = "sha256:5151a871554be3036cd6e51d0ec6eef56334d74dfe1702de717a995ee3d5b287"},
+ {file = "ruff-0.11.6-py3-none-win_amd64.whl", hash = "sha256:cce85721d09c51f3b782c331b0abd07e9d7d5f775840379c640606d3159cae0e"},
+ {file = "ruff-0.11.6-py3-none-win_arm64.whl", hash = "sha256:3567ba0d07fb170b1b48d944715e3294b77f5b7679e8ba258199a250383ccb79"},
+ {file = "ruff-0.11.6.tar.gz", hash = "sha256:bec8bcc3ac228a45ccc811e45f7eb61b950dbf4cf31a67fa89352574b01c7d79"},
]
[[package]]
@@ -2406,4 +2406,4 @@ type = ["pytest-mypy"]
[metadata]
lock-version = "2.1"
python-versions = "^3.9"
-content-hash = "e9b71c7a85a236b7962a6d6d9fc5b0fd15c9a36a3fbeeab7736fe4a8c060d496"
+content-hash = "8d570a489cde6b6fe3eace984e3cba246f6f88bb0daba9739e1a61fd155b9091"
diff --git a/pykanidm/pyproject.toml b/pykanidm/pyproject.toml
index 61ec43a9b..5a621e2e7 100644
--- a/pykanidm/pyproject.toml
+++ b/pykanidm/pyproject.toml
@@ -29,7 +29,7 @@ Authlib = "^1.2.0"
[tool.poetry.group.dev.dependencies]
-ruff = ">=0.5.1,<0.11.5"
+ruff = ">=0.5.1,<0.11.7"
pytest = "^8.3.4"
mypy = "^1.14.1"
types-requests = "^2.32.0.20241016"
diff --git a/scripts/install_ubuntu_dependencies.sh b/scripts/install_ubuntu_dependencies.sh
index 61833e3c2..fdfa6e2c8 100755
--- a/scripts/install_ubuntu_dependencies.sh
+++ b/scripts/install_ubuntu_dependencies.sh
@@ -21,6 +21,8 @@ ${SUDOCMD} apt-get update &&
cmake \
build-essential \
jq \
+ lld \
+ clang \
tpm-udev
if [ -z "${PACKAGING}" ]; then
@@ -73,10 +75,6 @@ if [ -z "$(which cargo)" ]; then
ERROR=1
fi
-if [ $ERROR -eq 0 ] && [ -z "$(which cross)" ]; then
- echo "You don't have cross installed! Installing it now..."
- cargo install -f cross
-fi
if [ $ERROR -eq 0 ] && [ -z "$(which cargo-deb)" ]; then
echo "You don't have cargo-deb installed! Installing it now..."
cargo install -f cargo-deb
diff --git a/server/core/src/https/views/reset.rs b/server/core/src/https/views/reset.rs
index 195e042a6..c6450ff3a 100644
--- a/server/core/src/https/views/reset.rs
+++ b/server/core/src/https/views/reset.rs
@@ -121,6 +121,7 @@ struct SetUnixCredPartial {
struct AddSshPublicKeyPartial {
title_error: Option<String>,
key_error: Option<String>,
+ key_value: Option<String>,
}
#[derive(Serialize, Deserialize, Debug)]
@@ -902,6 +903,7 @@ pub(crate) async fn view_add_ssh_publickey(
return Ok((AddSshPublicKeyPartial {
title_error: None,
key_error: None,
+ key_value: None,
},)
.into_response());
}
@@ -920,6 +922,7 @@ pub(crate) async fn view_add_ssh_publickey(
return Ok((AddSshPublicKeyPartial {
title_error: None,
key_error: Some("Key cannot be parsed".to_string()),
+ key_value: Some(new_key.key),
},)
.into_response());
}
@@ -965,6 +968,7 @@ pub(crate) async fn view_add_ssh_publickey(
AddSshPublicKeyPartial {
title_error,
key_error,
+ key_value: Some(new_key.key),
},
)
.into_response())
diff --git a/server/core/templates/credential_update_add_ssh_publickey_partial.html b/server/core/templates/credential_update_add_ssh_publickey_partial.html
index 141e19554..31e7c71a9 100644
--- a/server/core/templates/credential_update_add_ssh_publickey_partial.html
+++ b/server/core/templates/credential_update_add_ssh_publickey_partial.html
@@ -16,7 +16,7 @@
<textarea class="form-control(% if let Some(_) = key_error %) is-invalid(% endif %)" id="key-content" rows="5" name="key"
aria-describedby="key-validation-feedback"
placeholder="Begins with 'ssh-rsa', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521', 'ssh-ed25519', 'sk-ecdsa-sha2-nistp256@openssh.com', or 'sk-ssh-ed25519@openssh.com'"
- ></textarea>
+ >(% if let Some(key_value) = key_value %)(( key_value ))(% endif %)</textarea>
<div id="key-validation-feedback" class="invalid-feedback">
(% if let Some(key_error) = key_error %)(( key_error ))(% endif %)
</div>
diff --git a/server/daemon/src/main.rs b/server/daemon/src/main.rs
index 8f00daecd..c3b40faa0 100644
--- a/server/daemon/src/main.rs
+++ b/server/daemon/src/main.rs
@@ -465,13 +465,13 @@ async fn start_daemon(opt: KanidmdParser, config: Configuration) -> ExitCode {
return ExitCode::FAILURE;
}
- match &opt.commands {
+ let lock_was_setup = match &opt.commands {
// we aren't going to touch the DB so we can carry on
KanidmdOpt::ShowReplicationCertificate { .. }
| KanidmdOpt::RenewReplicationCertificate { .. }
| KanidmdOpt::RefreshReplicationConsumer { .. }
| KanidmdOpt::RecoverAccount { .. }
- | KanidmdOpt::HealthCheck(_) => (),
+ | KanidmdOpt::HealthCheck(_) => None,
_ => {
// Okay - Lets now create our lock and go.
#[allow(clippy::expect_used)]
@@ -482,24 +482,53 @@ async fn start_daemon(opt: KanidmdParser, config: Configuration) -> ExitCode {
let flock = match File::create(&klock_path) {
Ok(flock) => flock,
- Err(e) => {
- error!("ERROR: Refusing to start - unable to create kanidmd exclusive lock at {} - {:?}", klock_path.display(), e);
+ Err(err) => {
+ error!(
+ "ERROR: Refusing to start - unable to create kanidmd exclusive lock at {}",
+ klock_path.display()
+ );
+ error!(?err);
return ExitCode::FAILURE;
}
};
match flock.try_lock_exclusive() {
- Ok(()) => debug!("Acquired kanidm exclusive lock"),
- Err(e) => {
- error!("ERROR: Refusing to start - unable to lock kanidmd exclusive lock at {} - {:?}", klock_path.display(), e);
+ Ok(true) => debug!("Acquired kanidm exclusive lock"),
+ Ok(false) => {
+ error!(
+ "ERROR: Refusing to start - unable to lock kanidmd exclusive lock at {}",
+ klock_path.display()
+ );
error!("Is another kanidmd process running?");
return ExitCode::FAILURE;
}
+ Err(err) => {
+ error!(
+ "ERROR: Refusing to start - unable to lock kanidmd exclusive lock at {}",
+ klock_path.display()
+ );
+ error!(?err);
+ return ExitCode::FAILURE;
+ }
};
+
+ Some(klock_path)
+ }
+ };
+
+ let result_code = kanidm_main(config, opt).await;
+
+ if let Some(klock_path) = lock_was_setup {
+ if let Err(reason) = std::fs::remove_file(&klock_path) {
+ warn!(
+ ?reason,
+ "WARNING: Unable to clean up kanidmd exclusive lock at {}",
+ klock_path.display()
+ );
}
}
- kanidm_main(config, opt).await
+ result_code
}
fn main() -> ExitCode {
diff --git a/server/lib/src/repl/proto.rs b/server/lib/src/repl/proto.rs
index 5f8ca839e..7403ec9ae 100644
--- a/server/lib/src/repl/proto.rs
+++ b/server/lib/src/repl/proto.rs
@@ -165,10 +165,10 @@ impl ReplEntryV1 {
// but for now, if it's an empty set in any capacity, we map
// to None and just send the Cid since they have the same result
// on how the entry/attr state looks at each end.
- if maybe.len() > 0 {
- Some(maybe.to_db_valueset_v2())
- } else {
+ if maybe.is_empty() {
None
+ } else {
+ Some(maybe.to_db_valueset_v2())
}
);
@@ -298,10 +298,10 @@ impl ReplIncrementalEntryV1 {
let live_attr = live_attrs.get(attr_name);
let cid = cid.into();
let attr = live_attr.and_then(|maybe| {
- if maybe.len() > 0 {
- Some(maybe.to_db_valueset_v2())
- } else {
+ if maybe.is_empty() {
None
+ } else {
+ Some(maybe.to_db_valueset_v2())
}
});
diff --git a/tools/orca/src/models/read.rs b/tools/orca/src/models/read.rs
index 2f1cfc601..f11eb9984 100644
--- a/tools/orca/src/models/read.rs
+++ b/tools/orca/src/models/read.rs
@@ -83,7 +83,7 @@ impl ActorReader {
// Is this a design flaw? We probably need to know what the state was that we
// requested to move to?
match (&self.state, action, result) {
- (State::Unauthenticated { .. }, TransitionAction::Login, TransitionResult::Ok) => {
+ (State::Unauthenticated, TransitionAction::Login, TransitionResult::Ok) => {
self.state = State::Authenticated;
}
(State::Authenticated, TransitionAction::ReadSelfMemberOf, TransitionResult::Ok) => {
diff --git a/unix_integration/common/Cargo.toml b/unix_integration/common/Cargo.toml
index f25ca7a43..4690ef8a1 100644
--- a/unix_integration/common/Cargo.toml
+++ b/unix_integration/common/Cargo.toml
@@ -14,6 +14,8 @@ repository = { workspace = true }
[features]
default = ["unix"]
unix = []
+selinux = ["dep:selinux"]
+tpm = []
[lib]
name = "kanidm_unix_common"
@@ -35,6 +37,11 @@ tokio-util = { workspace = true, features = ["codec"] }
toml = { workspace = true }
tracing = { workspace = true }
+selinux = { workspace = true, optional = true }
+
+[target.'cfg(not(target_family = "windows"))'.dependencies]
+kanidm_utils_users = { workspace = true }
+
[build-dependencies]
kanidm_build_profiles = { workspace = true }
diff --git a/unix_integration/common/src/lib.rs b/unix_integration/common/src/lib.rs
index ee8f849de..94a261d4e 100644
--- a/unix_integration/common/src/lib.rs
+++ b/unix_integration/common/src/lib.rs
@@ -26,3 +26,6 @@ pub mod unix_config;
pub mod unix_passwd;
#[cfg(target_family = "unix")]
pub mod unix_proto;
+
+#[cfg(all(target_family = "unix", feature = "selinux"))]
+pub mod selinux_util;
diff --git a/unix_integration/resolver/src/selinux_util.rs b/unix_integration/common/src/selinux_util.rs
similarity index 100%
rename from unix_integration/resolver/src/selinux_util.rs
rename to unix_integration/common/src/selinux_util.rs
diff --git a/unix_integration/common/src/unix_config.rs b/unix_integration/common/src/unix_config.rs
index 02a9b43b1..09dd7d069 100644
--- a/unix_integration/common/src/unix_config.rs
+++ b/unix_integration/common/src/unix_config.rs
@@ -1,13 +1,24 @@
+//! This is configuration definitions and parser for the various unix integration
+//! tools and services. This needs to support a number of use cases like pam/nss
+//! modules parsing the config quickly and the unix daemon which has to connect to
+//! various backend sources.
+//!
+//! To achieve this the configuration has two main sections - the configuration
+//! specification which will be parsed by the tools, then the configuration as
+//! relevant to that tool.
+
+use std::env;
use std::fmt::{Display, Formatter};
use std::fs::File;
use std::io::{ErrorKind, Read};
-use std::path::Path;
+use std::path::{Path, PathBuf};
+#[cfg(all(target_family = "unix", feature = "selinux"))]
+use crate::selinux_util;
use crate::unix_passwd::UnixIntegrationError;
-use serde::Deserialize;
-
use crate::constants::*;
+use serde::Deserialize;
#[derive(Debug, Copy, Clone)]
pub enum HomeAttr {
@@ -49,35 +60,539 @@ impl Display for UidAttr {
}
}
+#[derive(Debug, Clone, Default)]
+pub enum HsmType {
+ #[cfg_attr(not(feature = "tpm"), default)]
+ Soft,
+ #[cfg_attr(feature = "tpm", default)]
+ TpmIfPossible,
+ Tpm,
+}
+
+impl Display for HsmType {
+ fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
+ match self {
+ HsmType::Soft => write!(f, "Soft"),
+ HsmType::TpmIfPossible => write!(f, "Tpm if possible"),
+ HsmType::Tpm => write!(f, "Tpm"),
+ }
+ }
+}
+
+// Allowed as the large enum is only short lived at startup to the true config
+#[allow(clippy::large_enum_variant)]
+// This bit of magic lets us deserialise the old config and the new versions.
#[derive(Debug, Deserialize)]
-struct ConfigInt {
+#[serde(untagged)]
+enum ConfigUntagged {
+ Versioned(ConfigVersion),
+ Legacy(ConfigInt),
+}
+
+#[derive(Debug, Deserialize)]
+#[serde(tag = "version")]
+enum ConfigVersion {
+ #[serde(rename = "2")]
+ V2 {
+ #[serde(flatten)]
+ values: ConfigV2,
+ },
+}
+
+#[derive(Debug, Deserialize)]
+#[serde(deny_unknown_fields)]
+/// This is the version 2 of the JSON configuration specification for the unixd suite.
+struct ConfigV2 {
+ cache_db_path: Option<String>,
sock_path: Option<String>,
+ task_sock_path: Option<String>,
+
+ cache_timeout: Option<u64>,
+
+ default_shell: Option<String>,
+ home_prefix: Option<String>,
+ home_mount_prefix: Option<String>,
+ home_attr: Option<String>,
+ home_alias: Option<String>,
+ use_etc_skel: Option<bool>,
+ uid_attr_map: Option<String>,
+ gid_attr_map: Option<String>,
+ selinux: Option<bool>,
+
+ hsm_pin_path: Option<String>,
+ hsm_type: Option<String>,
+ tpm_tcti_name: Option<String>,
+
+ kanidm: Option<KanidmConfigV2>,
+}
+
+#[derive(Clone, Debug, Deserialize)]
+pub struct GroupMap {
+ pub local: String,
+ pub with: String,
+}
+
+#[derive(Debug, Deserialize)]
+struct KanidmConfigV2 {
conn_timeout: Option<u64>,
+ request_timeout: Option<u64>,
+ pam_allowed_login_groups: Option<Vec<String>>,
+ #[serde(default)]
+ map_group: Vec<GroupMap>,
+}
+
+#[derive(Debug, Deserialize)]
+/// This is the version 1 of the JSON configuration specification for the unixd suite.
+struct ConfigInt {
+ db_path: Option<String>,
+ sock_path: Option<String>,
+ task_sock_path: Option<String>,
+ conn_timeout: Option<u64>,
+ request_timeout: Option<u64>,
+ cache_timeout: Option<u64>,
+ pam_allowed_login_groups: Option<Vec<String>>,
+ default_shell: Option<String>,
+ home_prefix: Option<String>,
+ home_mount_prefix: Option<String>,
+ home_attr: Option<String>,
+ home_alias: Option<String>,
+ use_etc_skel: Option<bool>,
+ uid_attr_map: Option<String>,
+ gid_attr_map: Option<String>,
+ selinux: Option<bool>,
+ #[serde(default)]
+ allow_local_account_override: Vec<String>,
+
+ hsm_pin_path: Option<String>,
+ hsm_type: Option<String>,
+ tpm_tcti_name: Option<String>,
+
+ // Detect and warn on values in these places - this is to catch
+ // when someone is using a v2 value on a v1 config.
+ #[serde(default)]
+ cache_db_path: Option<toml::value::Value>,
+ #[serde(default)]
+ kanidm: Option<toml::value::Value>,
+}
+
+// ========================================================================
+
+#[derive(Debug)]
+/// This is the parsed Kanidm provider configuration that the Unixd resolver
+/// will use to connect to Kanidm.
+pub struct KanidmConfig {
+ pub conn_timeout: u64,
+ pub request_timeout: u64,
+ pub pam_allowed_login_groups: Vec<String>,
+ pub map_group: Vec<GroupMap>,
}
#[derive(Debug)]
-pub struct KanidmUnixdConfig {
+/// This is the parsed configuration for the Unixd resolver.
+pub struct UnixdConfig {
+ pub cache_db_path: String,
+ pub sock_path: String,
+ pub task_sock_path: String,
+ pub cache_timeout: u64,
+ pub unix_sock_timeout: u64,
+ pub default_shell: String,
+ pub home_prefix: PathBuf,
+ pub home_mount_prefix: Option<PathBuf>,
+ pub home_attr: HomeAttr,
+ pub home_alias: Option<HomeAttr>,
+ pub use_etc_skel: bool,
+ pub uid_attr_map: UidAttr,
+ pub gid_attr_map: UidAttr,
+ pub selinux: bool,
+ pub hsm_type: HsmType,
+ pub hsm_pin_path: String,
+ pub tpm_tcti_name: String,
+ pub kanidm_config: Option<KanidmConfig>,
+}
+
+impl Default for UnixdConfig {
+ fn default() -> Self {
+ UnixdConfig::new()
+ }
+}
+
+impl Display for UnixdConfig {
+ fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
+ writeln!(f, "cache_db_path: {}", &self.cache_db_path)?;
+ writeln!(f, "sock_path: {}", self.sock_path)?;
+ writeln!(f, "task_sock_path: {}", self.task_sock_path)?;
+ writeln!(f, "unix_sock_timeout: {}", self.unix_sock_timeout)?;
+ writeln!(f, "cache_timeout: {}", self.cache_timeout)?;
+ writeln!(f, "default_shell: {}", self.default_shell)?;
+ writeln!(f, "home_prefix: {:?}", self.home_prefix)?;
+ match self.home_mount_prefix.as_deref() {
+ Some(val) => writeln!(f, "home_mount_prefix: {:?}", val)?,
+ None => writeln!(f, "home_mount_prefix: unset")?,
+ }
+ writeln!(f, "home_attr: {}", self.home_attr)?;
+ match self.home_alias {
+ Some(val) => writeln!(f, "home_alias: {}", val)?,
+ None => writeln!(f, "home_alias: unset")?,
+ }
+
+ writeln!(f, "uid_attr_map: {}", self.uid_attr_map)?;
+ writeln!(f, "gid_attr_map: {}", self.gid_attr_map)?;
+
+ writeln!(f, "hsm_type: {}", self.hsm_type)?;
+ writeln!(f, "tpm_tcti_name: {}", self.tpm_tcti_name)?;
+
+ writeln!(f, "selinux: {}", self.selinux)?;
+
+ if let Some(kconfig) = &self.kanidm_config {
+ writeln!(f, "kanidm: enabled")?;
+ writeln!(
+ f,
+ "kanidm pam_allowed_login_groups: {:#?}",
+ kconfig.pam_allowed_login_groups
+ )?;
+ writeln!(f, "kanidm conn_timeout: {}", kconfig.conn_timeout)?;
+ writeln!(f, "kanidm request_timeout: {}", kconfig.request_timeout)?;
+ } else {
+ writeln!(f, "kanidm: disabled")?;
+ };
+
+ Ok(())
+ }
+}
+
+impl UnixdConfig {
+ pub fn new() -> Self {
+ let cache_db_path = match env::var("KANIDM_CACHE_DB_PATH") {
+ Ok(val) => val,
+ Err(_) => DEFAULT_CACHE_DB_PATH.into(),
+ };
+ let hsm_pin_path = match env::var("KANIDM_HSM_PIN_PATH") {
+ Ok(val) => val,
+ Err(_) => DEFAULT_HSM_PIN_PATH.into(),
+ };
+
+ UnixdConfig {
+ cache_db_path,
+ sock_path: DEFAULT_SOCK_PATH.to_string(),
+ task_sock_path: DEFAULT_TASK_SOCK_PATH.to_string(),
+ unix_sock_timeout: DEFAULT_CONN_TIMEOUT * 2,
+ cache_timeout: DEFAULT_CACHE_TIMEOUT,
+ default_shell: DEFAULT_SHELL.to_string(),
+ home_prefix: DEFAULT_HOME_PREFIX.into(),
+ home_mount_prefix: None,
+ home_attr: DEFAULT_HOME_ATTR,
+ home_alias: DEFAULT_HOME_ALIAS,
+ use_etc_skel: DEFAULT_USE_ETC_SKEL,
+ uid_attr_map: DEFAULT_UID_ATTR_MAP,
+ gid_attr_map: DEFAULT_GID_ATTR_MAP,
+ selinux: DEFAULT_SELINUX,
+ hsm_pin_path,
+ hsm_type: HsmType::default(),
+ tpm_tcti_name: DEFAULT_TPM_TCTI_NAME.to_string(),
+
+ kanidm_config: None,
+ }
+ }
+
+ pub fn read_options_from_optional_config<P: AsRef<Path> + std::fmt::Debug>(
+ self,
+ config_path: P,
+ ) -> Result<Self, UnixIntegrationError> {
+ debug!("Attempting to load configuration from {:#?}", &config_path);
+ let mut f = match File::open(&config_path) {
+ Ok(f) => {
+ debug!("Successfully opened configuration file {:#?}", &config_path);
+ f
+ }
+ Err(e) => {
+ match e.kind() {
+ ErrorKind::NotFound => {
+ debug!(
+ "Configuration file {:#?} not found, skipping.",
+ &config_path
+ );
+ }
+ ErrorKind::PermissionDenied => {
+ warn!(
+ "Permission denied loading configuration file {:#?}, skipping.",
+ &config_path
+ );
+ }
+ _ => {
+ debug!(
+ "Unable to open config file {:#?} [{:?}], skipping ...",
+ &config_path, e
+ );
+ }
+ };
+ return Ok(self);
+ }
+ };
+
+ let mut contents = String::new();
+ f.read_to_string(&mut contents).map_err(|e| {
+ error!("{:?}", e);
+ UnixIntegrationError
+ })?;
+
+ let config: ConfigUntagged = toml::from_str(contents.as_str()).map_err(|e| {
+ error!("{:?}", e);
+ UnixIntegrationError
+ })?;
+
+ match config {
+ ConfigUntagged::Legacy(config) => self.apply_from_config_legacy(config),
+ ConfigUntagged::Versioned(ConfigVersion::V2 { values }) => {
+ self.apply_from_config_v2(values)
+ }
+ }
+ }
+
+ fn apply_from_config_legacy(self, config: ConfigInt) -> Result<Self, UnixIntegrationError> {
+ if config.kanidm.is_some() || config.cache_db_path.is_some() {
+ error!("You are using version=\"2\" options in a legacy config. THESE WILL NOT WORK.");
+ return Err(UnixIntegrationError);
+ }
+
+ let map_group = config
+ .allow_local_account_override
+ .iter()
+ .map(|name| GroupMap {
+ local: name.clone(),
+ with: name.clone(),
+ })
+ .collect();
+
+ let kanidm_config = Some(KanidmConfig {
+ conn_timeout: config.conn_timeout.unwrap_or(DEFAULT_CONN_TIMEOUT),
+ request_timeout: config.request_timeout.unwrap_or(DEFAULT_CONN_TIMEOUT * 2),
+ pam_allowed_login_groups: config.pam_allowed_login_groups.unwrap_or_default(),
+ map_group,
+ });
+
+ // Now map the values into our config.
+ Ok(UnixdConfig {
+ cache_db_path: config.db_path.unwrap_or(self.cache_db_path),
+ sock_path: config.sock_path.unwrap_or(self.sock_path),
+ task_sock_path: config.task_sock_path.unwrap_or(self.task_sock_path),
+ unix_sock_timeout: DEFAULT_CONN_TIMEOUT * 2,
+ cache_timeout: config.cache_timeout.unwrap_or(self.cache_timeout),
+ default_shell: config.default_shell.unwrap_or(self.default_shell),
+ home_prefix: config
+ .home_prefix
+ .map(|p| p.into())
+ .unwrap_or(self.home_prefix.clone()),
+ home_mount_prefix: config.home_mount_prefix.map(|p| p.into()),
+ home_attr: config
+ .home_attr
+ .and_then(|v| match v.as_str() {
+ "uuid" => Some(HomeAttr::Uuid),
+ "spn" => Some(HomeAttr::Spn),
+ "name" => Some(HomeAttr::Name),
+ _ => {
+ warn!("Invalid home_attr configured, using default ...");
+ None
+ }
+ })
+ .unwrap_or(self.home_attr),
+ home_alias: config
+ .home_alias
+ .and_then(|v| match v.as_str() {
+ "none" => Some(None),
+ "uuid" => Some(Some(HomeAttr::Uuid)),
+ "spn" => Some(Some(HomeAttr::Spn)),
+ "name" => Some(Some(HomeAttr::Name)),
+ _ => {
+ warn!("Invalid home_alias configured, using default ...");
+ None
+ }
+ })
+ .unwrap_or(self.home_alias),
+ use_etc_skel: config.use_etc_skel.unwrap_or(self.use_etc_skel),
+ uid_attr_map: config
+ .uid_attr_map
+ .and_then(|v| match v.as_str() {
+ "spn" => Some(UidAttr::Spn),
+ "name" => Some(UidAttr::Name),
+ _ => {
+ warn!("Invalid uid_attr_map configured, using default ...");
+ None
+ }
+ })
+ .unwrap_or(self.uid_attr_map),
+ gid_attr_map: config
+ .gid_attr_map
+ .and_then(|v| match v.as_str() {
+ "spn" => Some(UidAttr::Spn),
+ "name" => Some(UidAttr::Name),
+ _ => {
+ warn!("Invalid gid_attr_map configured, using default ...");
+ None
+ }
+ })
+ .unwrap_or(self.gid_attr_map),
+ selinux: match config.selinux.unwrap_or(self.selinux) {
+ #[cfg(all(target_family = "unix", feature = "selinux"))]
+ true => selinux_util::supported(),
+ _ => false,
+ },
+ hsm_pin_path: config.hsm_pin_path.unwrap_or(self.hsm_pin_path),
+ hsm_type: config
+ .hsm_type
+ .and_then(|v| match v.as_str() {
+ "soft" => Some(HsmType::Soft),
+ "tpm_if_possible" => Some(HsmType::TpmIfPossible),
+ "tpm" => Some(HsmType::Tpm),
+ _ => {
+ warn!("Invalid hsm_type configured, using default ...");
+ None
+ }
+ })
+ .unwrap_or(self.hsm_type),
+ tpm_tcti_name: config
+ .tpm_tcti_name
+ .unwrap_or(DEFAULT_TPM_TCTI_NAME.to_string()),
+ kanidm_config,
+ })
+ }
+
+ fn apply_from_config_v2(self, config: ConfigV2) -> Result<Self, UnixIntegrationError> {
+ let kanidm_config = if let Some(kconfig) = config.kanidm {
+ match &kconfig.pam_allowed_login_groups {
+ None => {
+ error!("You have a 'kanidm' section in the config but an empty pam_allowed_login_groups set. USERS CANNOT AUTH.")
+ }
+ Some(groups) => {
+ if groups.is_empty() {
+ error!("You have a 'kanidm' section in the config but an empty pam_allowed_login_groups set. USERS CANNOT AUTH.");
+ }
+ }
+ }
+ Some(KanidmConfig {
+ conn_timeout: kconfig.conn_timeout.unwrap_or(DEFAULT_CONN_TIMEOUT),
+ request_timeout: kconfig.request_timeout.unwrap_or(DEFAULT_CONN_TIMEOUT * 2),
+ pam_allowed_login_groups: kconfig.pam_allowed_login_groups.unwrap_or_default(),
+ map_group: kconfig.map_group,
+ })
+ } else {
+ error!(
+ "You are using a version 2 config without a 'kanidm' section. USERS CANNOT AUTH."
+ );
+ None
+ };
+
+ // Now map the values into our config.
+ Ok(UnixdConfig {
+ cache_db_path: config.cache_db_path.unwrap_or(self.cache_db_path),
+ sock_path: config.sock_path.unwrap_or(self.sock_path),
+ task_sock_path: config.task_sock_path.unwrap_or(self.task_sock_path),
+ unix_sock_timeout: DEFAULT_CONN_TIMEOUT * 2,
+ cache_timeout: config.cache_timeout.unwrap_or(self.cache_timeout),
+ default_shell: config.default_shell.unwrap_or(self.default_shell),
+ home_prefix: config
+ .home_prefix
+ .map(|p| p.into())
+ .unwrap_or(self.home_prefix.clone()),
+ home_mount_prefix: config.home_mount_prefix.map(|p| p.into()),
+ home_attr: config
+ .home_attr
+ .and_then(|v| match v.as_str() {
+ "uuid" => Some(HomeAttr::Uuid),
+ "spn" => Some(HomeAttr::Spn),
+ "name" => Some(HomeAttr::Name),
+ _ => {
+ warn!("Invalid home_attr configured, using default ...");
+ None
+ }
+ })
+ .unwrap_or(self.home_attr),
+ home_alias: config
+ .home_alias
+ .and_then(|v| match v.as_str() {
+ "none" => Some(None),
+ "uuid" => Some(Some(HomeAttr::Uuid)),
+ "spn" => Some(Some(HomeAttr::Spn)),
+ "name" => Some(Some(HomeAttr::Name)),
+ _ => {
+ warn!("Invalid home_alias configured, using default ...");
+ None
+ }
+ })
+ .unwrap_or(self.home_alias),
+ use_etc_skel: config.use_etc_skel.unwrap_or(self.use_etc_skel),
+ uid_attr_map: config
+ .uid_attr_map
+ .and_then(|v| match v.as_str() {
+ "spn" => Some(UidAttr::Spn),
+ "name" => Some(UidAttr::Name),
+ _ => {
+ warn!("Invalid uid_attr_map configured, using default ...");
+ None
+ }
+ })
+ .unwrap_or(self.uid_attr_map),
+ gid_attr_map: config
+ .gid_attr_map
+ .and_then(|v| match v.as_str() {
+ "spn" => Some(UidAttr::Spn),
+ "name" => Some(UidAttr::Name),
+ _ => {
+ warn!("Invalid gid_attr_map configured, using default ...");
+ None
+ }
+ })
+ .unwrap_or(self.gid_attr_map),
+ selinux: match config.selinux.unwrap_or(self.selinux) {
+ #[cfg(all(target_family = "unix", feature = "selinux"))]
+ true => selinux_util::supported(),
+ _ => false,
+ },
+ hsm_pin_path: config.hsm_pin_path.unwrap_or(self.hsm_pin_path),
+ hsm_type: config
+ .hsm_type
+ .and_then(|v| match v.as_str() {
+ "soft" => Some(HsmType::Soft),
+ "tpm_if_possible" => Some(HsmType::TpmIfPossible),
+ "tpm" => Some(HsmType::Tpm),
+ _ => {
+ warn!("Invalid hsm_type configured, using default ...");
+ None
+ }
+ })
+ .unwrap_or(self.hsm_type),
+ tpm_tcti_name: config
+ .tpm_tcti_name
+ .unwrap_or(DEFAULT_TPM_TCTI_NAME.to_string()),
+ kanidm_config,
+ })
+ }
+}
+
+#[derive(Debug)]
+/// This is the parsed configuration that will be used by pam/nss tools that need fast access to
+/// only the socket and timeout information related to the resolver.
+pub struct PamNssConfig {
pub sock_path: String,
// pub conn_timeout: u64,
pub unix_sock_timeout: u64,
}
-impl Default for KanidmUnixdConfig {
+impl Default for PamNssConfig {
fn default() -> Self {
- KanidmUnixdConfig::new()
+ PamNssConfig::new()
}
}
-impl Display for KanidmUnixdConfig {
+impl Display for PamNssConfig {
fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
writeln!(f, "sock_path: {}", self.sock_path)?;
writeln!(f, "unix_sock_timeout: {}", self.unix_sock_timeout)
}
}
-impl KanidmUnixdConfig {
+impl PamNssConfig {
pub fn new() -> Self {
- KanidmUnixdConfig {
+ PamNssConfig {
sock_path: DEFAULT_SOCK_PATH.to_string(),
unix_sock_timeout: DEFAULT_CONN_TIMEOUT * 2,
}
@@ -124,22 +639,45 @@ impl KanidmUnixdConfig {
UnixIntegrationError
})?;
- let config: ConfigInt = toml::from_str(contents.as_str()).map_err(|e| {
+ let config: ConfigUntagged = toml::from_str(contents.as_str()).map_err(|e| {
error!("{:?}", e);
UnixIntegrationError
})?;
+ match config {
+ ConfigUntagged::Legacy(config) => self.apply_from_config_legacy(config),
+ ConfigUntagged::Versioned(ConfigVersion::V2 { values }) => {
+ self.apply_from_config_v2(values)
+ }
+ }
+ }
+
+ fn apply_from_config_legacy(self, config: ConfigInt) -> Result<Self, UnixIntegrationError> {
let unix_sock_timeout = config
.conn_timeout
.map(|v| v * 2)
.unwrap_or(self.unix_sock_timeout);
// Now map the values into our config.
- Ok(KanidmUnixdConfig {
+ Ok(PamNssConfig {
sock_path: config.sock_path.unwrap_or(self.sock_path),
unix_sock_timeout,
})
}
+
+ fn apply_from_config_v2(self, config: ConfigV2) -> Result<Self, UnixIntegrationError> {
+ let kanidm_conn_timeout = config
+ .kanidm
+ .as_ref()
+ .and_then(|k_config| k_config.conn_timeout)
+ .map(|timeout| timeout * 2);
+
+ // Now map the values into our config.
+ Ok(PamNssConfig {
+ sock_path: config.sock_path.unwrap_or(self.sock_path),
+ unix_sock_timeout: kanidm_conn_timeout.unwrap_or(self.unix_sock_timeout),
+ })
+ }
}
#[cfg(test)]
@@ -165,9 +703,12 @@ mod tests {
if filename.starts_with("unixd") {
print!("Checking that {} parses as a valid config...", filename);
- KanidmUnixdConfig::new()
+ UnixdConfig::new()
.read_options_from_optional_config(file.path())
- .expect("Failed to parse");
+ .inspect_err(|e| {
+ println!("Failed to parse: {:?}", e);
+ })
+ .expect("Failed to parse!");
println!("OK");
}
}
diff --git a/unix_integration/nss_kanidm/src/core.rs b/unix_integration/nss_kanidm/src/core.rs
index d60ba9839..a59c58581 100644
--- a/unix_integration/nss_kanidm/src/core.rs
+++ b/unix_integration/nss_kanidm/src/core.rs
@@ -1,5 +1,5 @@
use kanidm_unix_common::client_sync::DaemonClientBlocking;
-use kanidm_unix_common::unix_config::KanidmUnixdConfig;
+use kanidm_unix_common::unix_config::PamNssConfig;
use kanidm_unix_common::unix_passwd::{
read_etc_group_file, read_etc_passwd_file, EtcGroup, EtcUser,
};
@@ -36,7 +36,7 @@ impl RequestOptions {
fn connect_to_daemon(self) -> Source {
match self {
RequestOptions::Main { config_path } => {
- let maybe_client = KanidmUnixdConfig::new()
+ let maybe_client = PamNssConfig::new()
.read_options_from_optional_config(config_path)
.ok()
.and_then(|cfg| {
diff --git a/unix_integration/pam_kanidm/src/core.rs b/unix_integration/pam_kanidm/src/core.rs
index 79d3ea960..dd1ecf8ae 100644
--- a/unix_integration/pam_kanidm/src/core.rs
+++ b/unix_integration/pam_kanidm/src/core.rs
@@ -2,7 +2,7 @@ use crate::constants::PamResultCode;
use crate::module::PamResult;
use crate::pam::ModuleOptions;
use kanidm_unix_common::client_sync::DaemonClientBlocking;
-use kanidm_unix_common::unix_config::KanidmUnixdConfig;
+use kanidm_unix_common::unix_config::PamNssConfig;
use kanidm_unix_common::unix_passwd::{
read_etc_passwd_file, read_etc_shadow_file, EtcShadow, EtcUser,
};
@@ -44,7 +44,7 @@ impl RequestOptions {
fn connect_to_daemon(self) -> Source {
match self {
RequestOptions::Main { config_path } => {
- let maybe_client = KanidmUnixdConfig::new()
+ let maybe_client = PamNssConfig::new()
.read_options_from_optional_config(config_path)
.ok()
.and_then(|cfg| {
diff --git a/unix_integration/pam_kanidm/src/pam/mod.rs b/unix_integration/pam_kanidm/src/pam/mod.rs
index 0a40b1c25..6fb79a762 100755
--- a/unix_integration/pam_kanidm/src/pam/mod.rs
+++ b/unix_integration/pam_kanidm/src/pam/mod.rs
@@ -36,7 +36,7 @@ use std::convert::TryFrom;
use std::ffi::CStr;
use kanidm_unix_common::constants::DEFAULT_CONFIG_PATH;
-use kanidm_unix_common::unix_config::KanidmUnixdConfig;
+use kanidm_unix_common::unix_config::PamNssConfig;
use crate::core::{self, RequestOptions};
use crate::pam::constants::*;
@@ -50,8 +50,8 @@ use tracing_subscriber::filter::LevelFilter;
use tracing_subscriber::fmt;
use tracing_subscriber::prelude::*;
-pub fn get_cfg() -> Result<KanidmUnixdConfig, PamResultCode> {
- KanidmUnixdConfig::new()
+pub fn get_cfg() -> Result<PamNssConfig, PamResultCode> {
+ PamNssConfig::new()
.read_options_from_optional_config(DEFAULT_CONFIG_PATH)
.map_err(|_| PamResultCode::PAM_SERVICE_ERR)
}
diff --git a/unix_integration/resolver/Cargo.toml b/unix_integration/resolver/Cargo.toml
index 96e09bbee..3c6d86e18 100644
--- a/unix_integration/resolver/Cargo.toml
+++ b/unix_integration/resolver/Cargo.toml
@@ -14,8 +14,8 @@ repository = { workspace = true }
[features]
default = ["unix"]
unix = []
-selinux = ["dep:selinux"]
-tpm = ["kanidm-hsm-crypto/tpm"]
+selinux = ["dep:selinux", "kanidm_unix_common/selinux"]
+tpm = ["kanidm-hsm-crypto/tpm", "kanidm_unix_common/tpm"]
[[bin]]
name = "kanidm_unixd"
diff --git a/unix_integration/resolver/src/bin/kanidm-unix.rs b/unix_integration/resolver/src/bin/kanidm-unix.rs
index b27424769..67c07ece1 100644
--- a/unix_integration/resolver/src/bin/kanidm-unix.rs
+++ b/unix_integration/resolver/src/bin/kanidm-unix.rs
@@ -18,7 +18,7 @@ use std::process::ExitCode;
use clap::Parser;
use kanidm_unix_common::client::DaemonClient;
use kanidm_unix_common::constants::DEFAULT_CONFIG_PATH;
-use kanidm_unix_common::unix_config::KanidmUnixdConfig;
+use kanidm_unix_common::unix_config::PamNssConfig;
use kanidm_unix_common::unix_proto::{
ClientRequest, ClientResponse, PamAuthRequest, PamAuthResponse, PamServiceInfo,
};
@@ -28,8 +28,7 @@ include!("../opt/tool.rs");
macro_rules! setup_client {
() => {{
- let Ok(cfg) =
- KanidmUnixdConfig::new().read_options_from_optional_config(DEFAULT_CONFIG_PATH)
+ let Ok(cfg) = PamNssConfig::new().read_options_from_optional_config(DEFAULT_CONFIG_PATH)
else {
error!("Failed to parse {}", DEFAULT_CONFIG_PATH);
return ExitCode::FAILURE;
diff --git a/unix_integration/resolver/src/bin/kanidm_ssh_authorizedkeys.rs b/unix_integration/resolver/src/bin/kanidm_ssh_authorizedkeys.rs
index e20ff3178..4878b7b37 100644
--- a/unix_integration/resolver/src/bin/kanidm_ssh_authorizedkeys.rs
+++ b/unix_integration/resolver/src/bin/kanidm_ssh_authorizedkeys.rs
@@ -19,7 +19,7 @@ use std::process::ExitCode;
use clap::Parser;
use kanidm_unix_common::client::DaemonClient;
use kanidm_unix_common::constants::DEFAULT_CONFIG_PATH;
-use kanidm_unix_common::unix_config::KanidmUnixdConfig;
+use kanidm_unix_common::unix_config::PamNssConfig;
use kanidm_unix_common::unix_proto::{ClientRequest, ClientResponse};
include!("../opt/ssh_authorizedkeys.rs");
@@ -44,8 +44,7 @@ async fn main() -> ExitCode {
debug!("Starting authorized keys tool ...");
- let cfg = match KanidmUnixdConfig::new().read_options_from_optional_config(DEFAULT_CONFIG_PATH)
- {
+ let cfg = match PamNssConfig::new().read_options_from_optional_config(DEFAULT_CONFIG_PATH) {
Ok(c) => c,
Err(e) => {
error!("Failed to parse {}: {:?}", DEFAULT_CONFIG_PATH, e);
diff --git a/unix_integration/resolver/src/bin/kanidm_unixd.rs b/unix_integration/resolver/src/bin/kanidm_unixd.rs
index c89fc30d4..1a8e89382 100644
--- a/unix_integration/resolver/src/bin/kanidm_unixd.rs
+++ b/unix_integration/resolver/src/bin/kanidm_unixd.rs
@@ -18,6 +18,7 @@ use kanidm_hsm_crypto::{soft::SoftTpm, AuthValue, BoxedDynTpm, Tpm};
use kanidm_proto::constants::DEFAULT_CLIENT_CONFIG_PATH;
use kanidm_proto::internal::OperationError;
use kanidm_unix_common::constants::DEFAULT_CONFIG_PATH;
+use kanidm_unix_common::unix_config::{HsmType, UnixdConfig};
use kanidm_unix_common::unix_passwd::EtcDb;
use kanidm_unix_common::unix_proto::{
ClientRequest, ClientResponse, TaskRequest, TaskRequestFrame, TaskResponse,
@@ -27,7 +28,6 @@ use kanidm_unix_resolver::idprovider::interface::IdProvider;
use kanidm_unix_resolver::idprovider::kanidm::KanidmProvider;
use kanidm_unix_resolver::idprovider::system::SystemProvider;
use kanidm_unix_resolver::resolver::Resolver;
-use kanidm_unix_resolver::unix_config::{HsmType, UnixdConfig};
use kanidm_utils_users::{get_current_gid, get_current_uid, get_effective_gid, get_effective_uid};
use libc::umask;
use sketching::tracing::span;
diff --git a/unix_integration/resolver/src/bin/kanidm_unixd_tasks.rs b/unix_integration/resolver/src/bin/kanidm_unixd_tasks.rs
index ccaddc8d2..cfbf03d67 100644
--- a/unix_integration/resolver/src/bin/kanidm_unixd_tasks.rs
+++ b/unix_integration/resolver/src/bin/kanidm_unixd_tasks.rs
@@ -13,11 +13,11 @@
use bytes::{BufMut, BytesMut};
use futures::{SinkExt, StreamExt};
use kanidm_unix_common::constants::DEFAULT_CONFIG_PATH;
+use kanidm_unix_common::unix_config::UnixdConfig;
use kanidm_unix_common::unix_passwd::{parse_etc_group, parse_etc_passwd, parse_etc_shadow, EtcDb};
use kanidm_unix_common::unix_proto::{
HomeDirectoryInfo, TaskRequest, TaskRequestFrame, TaskResponse,
};
-use kanidm_unix_resolver::unix_config::UnixdConfig;
use kanidm_utils_users::{get_effective_gid, get_effective_uid};
use libc::{lchown, umask};
use notify_debouncer_full::notify::RecommendedWatcher;
@@ -43,7 +43,7 @@ use tokio_util::codec::{Decoder, Encoder, Framed};
use walkdir::WalkDir;
#[cfg(all(target_family = "unix", feature = "selinux"))]
-use kanidm_unix_resolver::selinux_util;
+use kanidm_unix_common::selinux_util;
struct TaskCodec;
diff --git a/unix_integration/resolver/src/idprovider/interface.rs b/unix_integration/resolver/src/idprovider/interface.rs
index 808386332..bc7edec86 100644
--- a/unix_integration/resolver/src/idprovider/interface.rs
+++ b/unix_integration/resolver/src/idprovider/interface.rs
@@ -194,7 +194,8 @@ impl Into<PamAuthResponse> for AuthRequest {
}
pub enum AuthResult {
- Success { token: UserToken },
+ Success,
+ SuccessUpdate { new_token: UserToken },
Denied,
Next(AuthRequest),
}
@@ -251,6 +252,7 @@ pub trait IdProvider {
async fn unix_user_online_auth_step(
&self,
_account_id: &str,
+ _current_token: Option<&UserToken>,
_cred_handler: &mut AuthCredHandler,
_pam_next_req: PamAuthRequest,
_tpm: &mut tpm::BoxedDynTpm,
@@ -290,7 +292,8 @@ pub trait IdProvider {
// TPM key.
async fn unix_user_offline_auth_step(
&self,
- _token: &UserToken,
+ _current_token: Option<&UserToken>,
+ _session_token: &UserToken,
_cred_handler: &mut AuthCredHandler,
_pam_next_req: PamAuthRequest,
_tpm: &mut tpm::BoxedDynTpm,
diff --git a/unix_integration/resolver/src/idprovider/kanidm.rs b/unix_integration/resolver/src/idprovider/kanidm.rs
index d0a6a8159..815c5113b 100644
--- a/unix_integration/resolver/src/idprovider/kanidm.rs
+++ b/unix_integration/resolver/src/idprovider/kanidm.rs
@@ -1,24 +1,22 @@
-use crate::db::KeyStoreTxn;
-use crate::unix_config::{GroupMap, KanidmConfig};
-use async_trait::async_trait;
-use hashbrown::HashMap;
-use kanidm_client::{ClientError, KanidmClient, StatusCode};
-use kanidm_proto::internal::OperationError;
-use kanidm_proto::v1::{UnixGroupToken, UnixUserToken};
-use std::collections::BTreeSet;
-use std::time::{Duration, SystemTime};
-use tokio::sync::{broadcast, Mutex};
-
-use kanidm_lib_crypto::CryptoPolicy;
-use kanidm_lib_crypto::DbPasswordV1;
-use kanidm_lib_crypto::Password;
-
use super::interface::{
tpm::{self, HmacKey, Tpm},
AuthCredHandler, AuthRequest, AuthResult, GroupToken, GroupTokenState, Id, IdProvider,
IdpError, ProviderOrigin, UserToken, UserTokenState,
};
+use crate::db::KeyStoreTxn;
+use async_trait::async_trait;
+use hashbrown::HashMap;
+use kanidm_client::{ClientError, KanidmClient, StatusCode};
+use kanidm_lib_crypto::CryptoPolicy;
+use kanidm_lib_crypto::DbPasswordV1;
+use kanidm_lib_crypto::Password;
+use kanidm_proto::internal::OperationError;
+use kanidm_proto::v1::{UnixGroupToken, UnixUserToken};
+use kanidm_unix_common::unix_config::{GroupMap, KanidmConfig};
use kanidm_unix_common::unix_proto::PamAuthRequest;
+use std::collections::BTreeSet;
+use std::time::{Duration, SystemTime};
+use tokio::sync::{broadcast, Mutex};
const KANIDM_HMAC_KEY: &str = "kanidm-hmac-key";
const KANIDM_PWV1_KEY: &str = "kanidm-pw-v1";
@@ -57,8 +55,6 @@ impl KanidmProvider {
tpm: &mut tpm::BoxedDynTpm,
machine_key: &tpm::MachineKey,
) -> Result<Self, IdpError> {
- // FUTURE: Randomised jitter on next check at startup.
-
// Initially retrieve our HMAC key.
let loadable_hmac_key: Option<tpm::LoadableHmacKey> = keystore
.get_tagged_hsm_key(KANIDM_HMAC_KEY)
@@ -250,13 +246,25 @@ impl KanidmProviderInternal {
// Proceed
CacheState::Online => true,
CacheState::OfflineNextCheck(at_time) if now >= at_time => {
- // Attempt online. If fails, return token.
self.attempt_online(tpm, now).await
}
CacheState::OfflineNextCheck(_) | CacheState::Offline => false,
}
}
+ #[instrument(level = "debug", skip_all)]
+ async fn check_online_right_meow(
+ &mut self,
+ tpm: &mut tpm::BoxedDynTpm,
+ now: SystemTime,
+ ) -> bool {
+ match self.state {
+ CacheState::Online => true,
+ CacheState::OfflineNextCheck(_) => self.attempt_online(tpm, now).await,
+ CacheState::Offline => false,
+ }
+ }
+
#[instrument(level = "debug", skip_all)]
async fn attempt_online(&mut self, _tpm: &mut tpm::BoxedDynTpm, now: SystemTime) -> bool {
let mut max_attempts = 3;
@@ -297,7 +305,7 @@ impl IdProvider for KanidmProvider {
async fn attempt_online(&self, tpm: &mut tpm::BoxedDynTpm, now: SystemTime) -> bool {
let mut inner = self.inner.lock().await;
- inner.check_online(tpm, now).await
+ inner.check_online_right_meow(tpm, now).await
}
async fn mark_next_check(&self, now: SystemTime) {
@@ -433,6 +441,7 @@ impl IdProvider for KanidmProvider {
async fn unix_user_online_auth_step(
&self,
account_id: &str,
+ current_token: Option<&UserToken>,
cred_handler: &mut AuthCredHandler,
pam_next_req: PamAuthRequest,
tpm: &mut tpm::BoxedDynTpm,
@@ -451,15 +460,23 @@ impl IdProvider for KanidmProvider {
match auth_result {
Ok(Some(n_tok)) => {
- let mut token = UserToken::from(n_tok);
- token.kanidm_update_cached_password(
+ let mut new_token = UserToken::from(n_tok);
+
+ // Update any keys that may have been in the db in the current
+ // token.
+ if let Some(previous_token) = current_token {
+ new_token.extra_keys = previous_token.extra_keys.clone();
+ }
+
+ // Set any new keys that are relevant from this authentication
+ new_token.kanidm_update_cached_password(
&inner.crypto_policy,
cred.as_str(),
tpm,
&inner.hmac_key,
);
- Ok(AuthResult::Success { token })
+ Ok(AuthResult::SuccessUpdate { new_token })
}
Ok(None) => {
// TODO: i'm not a huge fan of this rn, but currently the way we handle
@@ -554,7 +571,8 @@ impl IdProvider for KanidmProvider {
async fn unix_user_offline_auth_step(
&self,
- token: &UserToken,
+ current_token: Option<&UserToken>,
+ session_token: &UserToken,
cred_handler: &mut AuthCredHandler,
pam_next_req: PamAuthRequest,
tpm: &mut tpm::BoxedDynTpm,
@@ -563,11 +581,13 @@ impl IdProvider for KanidmProvider {
(AuthCredHandler::Password, PamAuthRequest::Password { cred }) => {
let inner = self.inner.lock().await;
- if token.kanidm_check_cached_password(cred.as_str(), tpm, &inner.hmac_key) {
+ if session_token.kanidm_check_cached_password(cred.as_str(), tpm, &inner.hmac_key) {
+ // Ensure we have either the latest token, or if none, at least the session token.
+ let new_token = current_token.unwrap_or(session_token).clone();
+
// TODO: We can update the token here and then do lockouts.
- Ok(AuthResult::Success {
- token: token.clone(),
- })
+
+ Ok(AuthResult::SuccessUpdate { new_token })
} else {
Ok(AuthResult::Denied)
}
diff --git a/unix_integration/resolver/src/lib.rs b/unix_integration/resolver/src/lib.rs
index 96b49d026..cbb1c1ee3 100644
--- a/unix_integration/resolver/src/lib.rs
+++ b/unix_integration/resolver/src/lib.rs
@@ -23,7 +23,3 @@ pub mod db;
pub mod idprovider;
#[cfg(target_family = "unix")]
pub mod resolver;
-#[cfg(all(target_family = "unix", feature = "selinux"))]
-pub mod selinux_util;
-#[cfg(target_family = "unix")]
-pub mod unix_config;
diff --git a/unix_integration/resolver/src/resolver.rs b/unix_integration/resolver/src/resolver.rs
index 6bef8dbb9..6b20c1038 100644
--- a/unix_integration/resolver/src/resolver.rs
+++ b/unix_integration/resolver/src/resolver.rs
@@ -1,18 +1,4 @@
// use async_trait::async_trait;
-use hashbrown::HashMap;
-use std::fmt::Display;
-use std::num::NonZeroUsize;
-use std::ops::DerefMut;
-use std::path::{Path, PathBuf};
-use std::string::ToString;
-use std::sync::Arc;
-use std::time::{Duration, SystemTime};
-
-use lru::LruCache;
-use time::OffsetDateTime;
-use tokio::sync::Mutex;
-use uuid::Uuid;
-
use crate::db::{Cache, Db};
use crate::idprovider::interface::{
AuthCredHandler,
@@ -30,13 +16,25 @@ use crate::idprovider::interface::{
use crate::idprovider::system::{
Shadow, SystemAuthResult, SystemProvider, SystemProviderAuthInit, SystemProviderSession,
};
-use crate::unix_config::{HomeAttr, UidAttr};
+use hashbrown::HashMap;
use kanidm_unix_common::constants::DEFAULT_SHELL_SEARCH_PATHS;
+use kanidm_unix_common::unix_config::{HomeAttr, UidAttr};
use kanidm_unix_common::unix_passwd::{EtcGroup, EtcShadow, EtcUser};
use kanidm_unix_common::unix_proto::{
HomeDirectoryInfo, NssGroup, NssUser, PamAuthRequest, PamAuthResponse, PamServiceInfo,
ProviderStatus,
};
+use lru::LruCache;
+use std::fmt::Display;
+use std::num::NonZeroUsize;
+use std::ops::DerefMut;
+use std::path::{Path, PathBuf};
+use std::string::ToString;
+use std::sync::Arc;
+use std::time::{Duration, SystemTime};
+use time::OffsetDateTime;
+use tokio::sync::Mutex;
+use uuid::Uuid;
use kanidm_hsm_crypto::BoxedDynTpm;
@@ -49,7 +47,6 @@ pub enum AuthSession {
client: Arc<dyn IdProvider + Sync + Send>,
account_id: String,
id: Id,
- token: Option<Box<UserToken>>,
cred_handler: AuthCredHandler,
/// Some authentication operations may need to spawn background tasks. These tasks need
/// to know when to stop as the caller has disconnected. This receiver allows that, so
@@ -61,7 +58,7 @@ pub enum AuthSession {
account_id: String,
id: Id,
client: Arc<dyn IdProvider + Sync + Send>,
- token: Box<UserToken>,
+ session_token: Box<UserToken>,
cred_handler: AuthCredHandler,
},
System {
@@ -227,7 +224,7 @@ impl Resolver {
// Attempt to search these in the db.
let mut dbtxn = self.db.write().await;
let r = dbtxn.get_account(account_id).map_err(|err| {
- debug!("get_cached_usertoken {:?}", err);
+ debug!(?err, "get_cached_usertoken");
})?;
drop(dbtxn);
@@ -320,7 +317,12 @@ impl Resolver {
}
}
- async fn set_cache_usertoken(&self, token: &mut UserToken) -> Result<(), ()> {
+ async fn set_cache_usertoken(
+ &self,
+ token: &mut UserToken,
+ // This is just for proof that only one write can occur at a time.
+ _tpm: &mut BoxedDynTpm,
+ ) -> Result<(), ()> {
// Set an expiry
let ex_time = SystemTime::now() + Duration::from_secs(self.timeout_seconds);
let offset = ex_time
@@ -453,6 +455,22 @@ impl Resolver {
let mut hsm_lock = self.hsm.lock().await;
+ // We need to re-acquire the token now behind the hsmlock - this is so that
+ // we know that as we write the updated token, we know that no one else has
+ // written to this token, since we are now the only task that is allowed
+ // to be in a write phase.
+ let token = if token.is_some() {
+ self.get_cached_usertoken(account_id)
+ .await
+ .map(|(_expired, option_token)| option_token)
+ .map_err(|err| {
+ debug!(?err, "get_usertoken error");
+ })?
+ } else {
+ // Was already none, leave it that way.
+ None
+ };
+
let user_get_result = if let Some(tok) = token.as_ref() {
// Re-use the provider that the token is from.
match self.client_ids.get(&tok.provider) {
@@ -488,12 +506,11 @@ impl Resolver {
}
};
- drop(hsm_lock);
-
match user_get_result {
Ok(UserTokenState::Update(mut n_tok)) => {
// We have the token!
- self.set_cache_usertoken(&mut n_tok).await?;
+ self.set_cache_usertoken(&mut n_tok, hsm_lock.deref_mut())
+ .await?;
Ok(Some(n_tok))
}
Ok(UserTokenState::NotFound) => {
@@ -960,7 +977,6 @@ impl Resolver {
client,
account_id: account_id.to_string(),
id,
- token: Some(Box::new(token)),
cred_handler,
shutdown_rx,
};
@@ -981,7 +997,7 @@ impl Resolver {
account_id: account_id.to_string(),
id,
client,
- token: Box::new(token),
+ session_token: Box::new(token),
cred_handler,
};
Ok((auth_session, next_req.into()))
@@ -1024,7 +1040,6 @@ impl Resolver {
client: client.clone(),
account_id: account_id.to_string(),
id,
- token: None,
cred_handler,
shutdown_rx,
};
@@ -1052,19 +1067,32 @@ impl Resolver {
auth_session: &mut AuthSession,
pam_next_req: PamAuthRequest,
) -> Result<PamAuthResponse, ()> {
+ let mut hsm_lock = self.hsm.lock().await;
+
let maybe_err = match &mut *auth_session {
&mut AuthSession::Online {
ref client,
ref account_id,
- id: _,
- token: _,
+ ref id,
ref mut cred_handler,
ref shutdown_rx,
} => {
- let mut hsm_lock = self.hsm.lock().await;
+ // This is not used in the authentication, but is so that any new
+ // extra keys or data on the token are updated correctly if the authentication
+ // requests an update. Since we hold the hsm_lock, no other task can
+ // update this token between now and completion of the fn.
+ let current_token = self
+ .get_cached_usertoken(id)
+ .await
+ .map(|(_expired, option_token)| option_token)
+ .map_err(|err| {
+ debug!(?err, "get_usertoken error");
+ })?;
+
let result = client
.unix_user_online_auth_step(
account_id,
+ current_token.as_ref(),
cred_handler,
pam_next_req,
hsm_lock.deref_mut(),
@@ -1073,7 +1101,7 @@ impl Resolver {
.await;
match result {
- Ok(AuthResult::Success { .. }) => {
+ Ok(AuthResult::SuccessUpdate { .. } | AuthResult::Success) => {
info!(?account_id, "Authentication Success");
}
Ok(AuthResult::Denied) => {
@@ -1089,17 +1117,29 @@ impl Resolver {
}
&mut AuthSession::Offline {
ref account_id,
- id: _,
+ ref id,
ref client,
- ref token,
+ ref session_token,
ref mut cred_handler,
} => {
+ // This is not used in the authentication, but is so that any new
+ // extra keys or data on the token are updated correctly if the authentication
+ // requests an update. Since we hold the hsm_lock, no other task can
+ // update this token between now and completion of the fn.
+ let current_token = self
+ .get_cached_usertoken(id)
+ .await
+ .map(|(_expired, option_token)| option_token)
+ .map_err(|err| {
+ debug!(?err, "get_usertoken error");
+ })?;
+
// We are offline, continue. Remember, authsession should have
// *everything you need* to proceed here!
- let mut hsm_lock = self.hsm.lock().await;
let result = client
.unix_user_offline_auth_step(
- token,
+ current_token.as_ref(),
+ session_token,
cred_handler,
pam_next_req,
hsm_lock.deref_mut(),
@@ -1107,7 +1147,7 @@ impl Resolver {
.await;
match result {
- Ok(AuthResult::Success { .. }) => {
+ Ok(AuthResult::SuccessUpdate { .. } | AuthResult::Success) => {
info!(?account_id, "Authentication Success");
}
Ok(AuthResult::Denied) => {
@@ -1158,8 +1198,13 @@ impl Resolver {
match maybe_err {
// What did the provider direct us to do next?
- Ok(AuthResult::Success { mut token }) => {
- self.set_cache_usertoken(&mut token).await?;
+ Ok(AuthResult::Success) => {
+ *auth_session = AuthSession::Success;
+ Ok(PamAuthResponse::Success)
+ }
+ Ok(AuthResult::SuccessUpdate { mut new_token }) => {
+ self.set_cache_usertoken(&mut new_token, hsm_lock.deref_mut())
+ .await?;
*auth_session = AuthSession::Success;
Ok(PamAuthResponse::Success)
diff --git a/unix_integration/resolver/src/unix_config.rs b/unix_integration/resolver/src/unix_config.rs
deleted file mode 100644
index e8a739401..000000000
--- a/unix_integration/resolver/src/unix_config.rs
+++ /dev/null
@@ -1,538 +0,0 @@
-use std::env;
-use std::fmt::{Display, Formatter};
-use std::fs::File;
-use std::io::{ErrorKind, Read};
-use std::path::{Path, PathBuf};
-
-#[cfg(all(target_family = "unix", feature = "selinux"))]
-use crate::selinux_util;
-use kanidm_unix_common::unix_passwd::UnixIntegrationError;
-
-pub(crate) use kanidm_unix_common::unix_config::{HomeAttr, UidAttr};
-
-use serde::Deserialize;
-
-use kanidm_unix_common::constants::*;
-
-// Allowed as the large enum is only short lived at startup to the true config
-#[allow(clippy::large_enum_variant)]
-// This bit of magic lets us deserialise the old config and the new versions.
-#[derive(Debug, Deserialize)]
-#[serde(untagged)]
-enum ConfigUntagged {
- Versioned(ConfigVersion),
- Legacy(ConfigInt),
-}
-
-#[derive(Debug, Deserialize)]
-#[serde(tag = "version")]
-enum ConfigVersion {
- #[serde(rename = "2")]
- V2 {
- #[serde(flatten)]
- values: ConfigV2,
- },
-}
-
-#[derive(Debug, Deserialize)]
-#[serde(deny_unknown_fields)]
-struct ConfigV2 {
- cache_db_path: Option<String>,
- sock_path: Option<String>,
- task_sock_path: Option<String>,
-
- cache_timeout: Option<u64>,
-
- default_shell: Option<String>,
- home_prefix: Option<String>,
- home_mount_prefix: Option<String>,
- home_attr: Option<String>,
- home_alias: Option<String>,
- use_etc_skel: Option<bool>,
- uid_attr_map: Option<String>,
- gid_attr_map: Option<String>,
- selinux: Option<bool>,
-
- hsm_pin_path: Option<String>,
- hsm_type: Option<String>,
- tpm_tcti_name: Option<String>,
-
- kanidm: Option<KanidmConfigV2>,
-}
-
-#[derive(Clone, Debug, Deserialize)]
-pub struct GroupMap {
- pub local: String,
- pub with: String,
-}
-
-#[derive(Debug, Deserialize)]
-struct KanidmConfigV2 {
- conn_timeout: Option<u64>,
- request_timeout: Option<u64>,
- pam_allowed_login_groups: Option<Vec<String>>,
- #[serde(default)]
- map_group: Vec<GroupMap>,
-}
-
-#[derive(Debug, Deserialize)]
-struct ConfigInt {
- db_path: Option<String>,
- sock_path: Option<String>,
- task_sock_path: Option<String>,
- conn_timeout: Option<u64>,
- request_timeout: Option<u64>,
- cache_timeout: Option<u64>,
- pam_allowed_login_groups: Option<Vec<String>>,
- default_shell: Option<String>,
- home_prefix: Option<String>,
- home_mount_prefix: Option<String>,
- home_attr: Option<String>,
- home_alias: Option<String>,
- use_etc_skel: Option<bool>,
- uid_attr_map: Option<String>,
- gid_attr_map: Option<String>,
- selinux: Option<bool>,
- #[serde(default)]
- allow_local_account_override: Vec<String>,
-
- hsm_pin_path: Option<String>,
- hsm_type: Option<String>,
- tpm_tcti_name: Option<String>,
-
- // Detect and warn on values in these places.
- #[serde(default)]
- cache_db_path: Option<toml::value::Value>,
- #[serde(default)]
- kanidm: Option<toml::value::Value>,
-}
-
-#[derive(Debug, Clone, Default)]
-pub enum HsmType {
- #[cfg_attr(not(feature = "tpm"), default)]
- Soft,
- #[cfg_attr(feature = "tpm", default)]
- TpmIfPossible,
- Tpm,
-}
-
-impl Display for HsmType {
- fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
- match self {
- HsmType::Soft => write!(f, "Soft"),
- HsmType::TpmIfPossible => write!(f, "Tpm if possible"),
- HsmType::Tpm => write!(f, "Tpm"),
- }
- }
-}
-
-#[derive(Debug)]
-pub struct UnixdConfig {
- pub cache_db_path: String,
- pub sock_path: String,
- pub task_sock_path: String,
- pub cache_timeout: u64,
- pub unix_sock_timeout: u64,
- pub default_shell: String,
- pub home_prefix: PathBuf,
- pub home_mount_prefix: Option<PathBuf>,
- pub home_attr: HomeAttr,
- pub home_alias: Option<HomeAttr>,
- pub use_etc_skel: bool,
- pub uid_attr_map: UidAttr,
- pub gid_attr_map: UidAttr,
- pub selinux: bool,
- pub hsm_type: HsmType,
- pub hsm_pin_path: String,
- pub tpm_tcti_name: String,
-
- pub kanidm_config: Option<KanidmConfig>,
-}
-
-#[derive(Debug)]
-pub struct KanidmConfig {
- pub conn_timeout: u64,
- pub request_timeout: u64,
- pub pam_allowed_login_groups: Vec<String>,
- pub map_group: Vec<GroupMap>,
-}
-
-impl Default for UnixdConfig {
- fn default() -> Self {
- UnixdConfig::new()
- }
-}
-
-impl Display for UnixdConfig {
- fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
- writeln!(f, "cache_db_path: {}", &self.cache_db_path)?;
- writeln!(f, "sock_path: {}", self.sock_path)?;
- writeln!(f, "task_sock_path: {}", self.task_sock_path)?;
- writeln!(f, "unix_sock_timeout: {}", self.unix_sock_timeout)?;
- writeln!(f, "cache_timeout: {}", self.cache_timeout)?;
- writeln!(f, "default_shell: {}", self.default_shell)?;
- writeln!(f, "home_prefix: {:?}", self.home_prefix)?;
- match self.home_mount_prefix.as_deref() {
- Some(val) => writeln!(f, "home_mount_prefix: {:?}", val)?,
- None => writeln!(f, "home_mount_prefix: unset")?,
- }
- writeln!(f, "home_attr: {}", self.home_attr)?;
- match self.home_alias {
- Some(val) => writeln!(f, "home_alias: {}", val)?,
- None => writeln!(f, "home_alias: unset")?,
- }
-
- writeln!(f, "uid_attr_map: {}", self.uid_attr_map)?;
- writeln!(f, "gid_attr_map: {}", self.gid_attr_map)?;
-
- writeln!(f, "hsm_type: {}", self.hsm_type)?;
- writeln!(f, "tpm_tcti_name: {}", self.tpm_tcti_name)?;
-
- writeln!(f, "selinux: {}", self.selinux)?;
-
- if let Some(kconfig) = &self.kanidm_config {
- writeln!(f, "kanidm: enabled")?;
- writeln!(
- f,
- "kanidm pam_allowed_login_groups: {:#?}",
- kconfig.pam_allowed_login_groups
- )?;
- writeln!(f, "kanidm conn_timeout: {}", kconfig.conn_timeout)?;
- writeln!(f, "kanidm request_timeout: {}", kconfig.request_timeout)?;
- } else {
- writeln!(f, "kanidm: disabled")?;
- };
-
- Ok(())
- }
-}
-
-impl UnixdConfig {
- pub fn new() -> Self {
- let cache_db_path = match env::var("KANIDM_CACHE_DB_PATH") {
- Ok(val) => val,
- Err(_) => DEFAULT_CACHE_DB_PATH.into(),
- };
- let hsm_pin_path = match env::var("KANIDM_HSM_PIN_PATH") {
- Ok(val) => val,
- Err(_) => DEFAULT_HSM_PIN_PATH.into(),
- };
-
- UnixdConfig {
- cache_db_path,
- sock_path: DEFAULT_SOCK_PATH.to_string(),
- task_sock_path: DEFAULT_TASK_SOCK_PATH.to_string(),
- unix_sock_timeout: DEFAULT_CONN_TIMEOUT * 2,
- cache_timeout: DEFAULT_CACHE_TIMEOUT,
- default_shell: DEFAULT_SHELL.to_string(),
- home_prefix: DEFAULT_HOME_PREFIX.into(),
- home_mount_prefix: None,
- home_attr: DEFAULT_HOME_ATTR,
- home_alias: DEFAULT_HOME_ALIAS,
- use_etc_skel: DEFAULT_USE_ETC_SKEL,
- uid_attr_map: DEFAULT_UID_ATTR_MAP,
- gid_attr_map: DEFAULT_GID_ATTR_MAP,
- selinux: DEFAULT_SELINUX,
- hsm_pin_path,
- hsm_type: HsmType::default(),
- tpm_tcti_name: DEFAULT_TPM_TCTI_NAME.to_string(),
-
- kanidm_config: None,
- }
- }
-
- pub fn read_options_from_optional_config<P: AsRef<Path> + std::fmt::Debug>(
- self,
- config_path: P,
- ) -> Result<Self, UnixIntegrationError> {
- debug!("Attempting to load configuration from {:#?}", &config_path);
- let mut f = match File::open(&config_path) {
- Ok(f) => {
- debug!("Successfully opened configuration file {:#?}", &config_path);
- f
- }
- Err(e) => {
- match e.kind() {
- ErrorKind::NotFound => {
- debug!(
- "Configuration file {:#?} not found, skipping.",
- &config_path
- );
- }
- ErrorKind::PermissionDenied => {
- warn!(
- "Permission denied loading configuration file {:#?}, skipping.",
- &config_path
- );
- }
- _ => {
- debug!(
- "Unable to open config file {:#?} [{:?}], skipping ...",
- &config_path, e
- );
- }
- };
- return Ok(self);
- }
- };
-
- let mut contents = String::new();
- f.read_to_string(&mut contents).map_err(|e| {
- error!("{:?}", e);
- UnixIntegrationError
- })?;
-
- let config: ConfigUntagged = toml::from_str(contents.as_str()).map_err(|e| {
- error!("{:?}", e);
- UnixIntegrationError
- })?;
-
- match config {
- ConfigUntagged::Legacy(config) => self.apply_from_config_legacy(config),
- ConfigUntagged::Versioned(ConfigVersion::V2 { values }) => {
- self.apply_from_config_v2(values)
- }
- }
- }
-
- fn apply_from_config_legacy(self, config: ConfigInt) -> Result<Self, UnixIntegrationError> {
- if config.kanidm.is_some() || config.cache_db_path.is_some() {
- error!("You are using version=\"2\" options in a legacy config. THESE WILL NOT WORK.");
- return Err(UnixIntegrationError);
- }
-
- let map_group = config
- .allow_local_account_override
- .iter()
- .map(|name| GroupMap {
- local: name.clone(),
- with: name.clone(),
- })
- .collect();
-
- let kanidm_config = Some(KanidmConfig {
- conn_timeout: config.conn_timeout.unwrap_or(DEFAULT_CONN_TIMEOUT),
- request_timeout: config.request_timeout.unwrap_or(DEFAULT_CONN_TIMEOUT * 2),
- pam_allowed_login_groups: config.pam_allowed_login_groups.unwrap_or_default(),
- map_group,
- });
-
- // Now map the values into our config.
- Ok(UnixdConfig {
- cache_db_path: config.db_path.unwrap_or(self.cache_db_path),
- sock_path: config.sock_path.unwrap_or(self.sock_path),
- task_sock_path: config.task_sock_path.unwrap_or(self.task_sock_path),
- unix_sock_timeout: DEFAULT_CONN_TIMEOUT * 2,
- cache_timeout: config.cache_timeout.unwrap_or(self.cache_timeout),
- default_shell: config.default_shell.unwrap_or(self.default_shell),
- home_prefix: config
- .home_prefix
- .map(|p| p.into())
- .unwrap_or(self.home_prefix.clone()),
- home_mount_prefix: config.home_mount_prefix.map(|p| p.into()),
- home_attr: config
- .home_attr
- .and_then(|v| match v.as_str() {
- "uuid" => Some(HomeAttr::Uuid),
- "spn" => Some(HomeAttr::Spn),
- "name" => Some(HomeAttr::Name),
- _ => {
- warn!("Invalid home_attr configured, using default ...");
- None
- }
- })
- .unwrap_or(self.home_attr),
- home_alias: config
- .home_alias
- .and_then(|v| match v.as_str() {
- "none" => Some(None),
- "uuid" => Some(Some(HomeAttr::Uuid)),
- "spn" => Some(Some(HomeAttr::Spn)),
- "name" => Some(Some(HomeAttr::Name)),
- _ => {
- warn!("Invalid home_alias configured, using default ...");
- None
- }
- })
- .unwrap_or(self.home_alias),
- use_etc_skel: config.use_etc_skel.unwrap_or(self.use_etc_skel),
- uid_attr_map: config
- .uid_attr_map
- .and_then(|v| match v.as_str() {
- "spn" => Some(UidAttr::Spn),
- "name" => Some(UidAttr::Name),
- _ => {
- warn!("Invalid uid_attr_map configured, using default ...");
- None
- }
- })
- .unwrap_or(self.uid_attr_map),
- gid_attr_map: config
- .gid_attr_map
- .and_then(|v| match v.as_str() {
- "spn" => Some(UidAttr::Spn),
- "name" => Some(UidAttr::Name),
- _ => {
- warn!("Invalid gid_attr_map configured, using default ...");
- None
- }
- })
- .unwrap_or(self.gid_attr_map),
- selinux: match config.selinux.unwrap_or(self.selinux) {
- #[cfg(all(target_family = "unix", feature = "selinux"))]
- true => selinux_util::supported(),
- _ => false,
- },
- hsm_pin_path: config.hsm_pin_path.unwrap_or(self.hsm_pin_path),
- hsm_type: config
- .hsm_type
- .and_then(|v| match v.as_str() {
- "soft" => Some(HsmType::Soft),
- "tpm_if_possible" => Some(HsmType::TpmIfPossible),
- "tpm" => Some(HsmType::Tpm),
- _ => {
- warn!("Invalid hsm_type configured, using default ...");
- None
- }
- })
- .unwrap_or(self.hsm_type),
- tpm_tcti_name: config
- .tpm_tcti_name
- .unwrap_or(DEFAULT_TPM_TCTI_NAME.to_string()),
- kanidm_config,
- })
- }
-
- fn apply_from_config_v2(self, config: ConfigV2) -> Result<Self, UnixIntegrationError> {
- let kanidm_config = if let Some(kconfig) = config.kanidm {
- Some(KanidmConfig {
- conn_timeout: kconfig.conn_timeout.unwrap_or(DEFAULT_CONN_TIMEOUT),
- request_timeout: kconfig.request_timeout.unwrap_or(DEFAULT_CONN_TIMEOUT * 2),
- pam_allowed_login_groups: kconfig.pam_allowed_login_groups.unwrap_or_default(),
- map_group: kconfig.map_group,
- })
- } else {
- None
- };
-
- // Now map the values into our config.
- Ok(UnixdConfig {
- cache_db_path: config.cache_db_path.unwrap_or(self.cache_db_path),
- sock_path: config.sock_path.unwrap_or(self.sock_path),
- task_sock_path: config.task_sock_path.unwrap_or(self.task_sock_path),
- unix_sock_timeout: DEFAULT_CONN_TIMEOUT * 2,
- cache_timeout: config.cache_timeout.unwrap_or(self.cache_timeout),
- default_shell: config.default_shell.unwrap_or(self.default_shell),
- home_prefix: config
- .home_prefix
- .map(|p| p.into())
- .unwrap_or(self.home_prefix.clone()),
- home_mount_prefix: config.home_mount_prefix.map(|p| p.into()),
- home_attr: config
- .home_attr
- .and_then(|v| match v.as_str() {
- "uuid" => Some(HomeAttr::Uuid),
- "spn" => Some(HomeAttr::Spn),
- "name" => Some(HomeAttr::Name),
- _ => {
- warn!("Invalid home_attr configured, using default ...");
- None
- }
- })
- .unwrap_or(self.home_attr),
- home_alias: config
- .home_alias
- .and_then(|v| match v.as_str() {
- "none" => Some(None),
- "uuid" => Some(Some(HomeAttr::Uuid)),
- "spn" => Some(Some(HomeAttr::Spn)),
- "name" => Some(Some(HomeAttr::Name)),
- _ => {
- warn!("Invalid home_alias configured, using default ...");
- None
- }
- })
- .unwrap_or(self.home_alias),
- use_etc_skel: config.use_etc_skel.unwrap_or(self.use_etc_skel),
- uid_attr_map: config
- .uid_attr_map
- .and_then(|v| match v.as_str() {
- "spn" => Some(UidAttr::Spn),
- "name" => Some(UidAttr::Name),
- _ => {
- warn!("Invalid uid_attr_map configured, using default ...");
- None
- }
- })
- .unwrap_or(self.uid_attr_map),
- gid_attr_map: config
- .gid_attr_map
- .and_then(|v| match v.as_str() {
- "spn" => Some(UidAttr::Spn),
- "name" => Some(UidAttr::Name),
- _ => {
- warn!("Invalid gid_attr_map configured, using default ...");
- None
- }
- })
- .unwrap_or(self.gid_attr_map),
- selinux: match config.selinux.unwrap_or(self.selinux) {
- #[cfg(all(target_family = "unix", feature = "selinux"))]
- true => selinux_util::supported(),
- _ => false,
- },
- hsm_pin_path: config.hsm_pin_path.unwrap_or(self.hsm_pin_path),
- hsm_type: config
- .hsm_type
- .and_then(|v| match v.as_str() {
- "soft" => Some(HsmType::Soft),
- "tpm_if_possible" => Some(HsmType::TpmIfPossible),
- "tpm" => Some(HsmType::Tpm),
- _ => {
- warn!("Invalid hsm_type configured, using default ...");
- None
- }
- })
- .unwrap_or(self.hsm_type),
- tpm_tcti_name: config
- .tpm_tcti_name
- .unwrap_or(DEFAULT_TPM_TCTI_NAME.to_string()),
- kanidm_config,
- })
- }
-}
-
-#[cfg(test)]
-mod tests {
- use std::path::PathBuf;
-
- use super::*;
-
- #[test]
- fn test_load_example_configs() {
- // Test the various included configs
-
- let examples_dir = env!("CARGO_MANIFEST_DIR").to_string() + "/../../examples/";
-
- for file in PathBuf::from(&examples_dir)
- .canonicalize()
- .expect(&format!("Can't find examples dir at {}", examples_dir))
- .read_dir()
- .expect("Can't read examples dir!")
- {
- let file = file.unwrap();
- let filename = file.file_name().into_string().unwrap();
- if filename.starts_with("unixd") {
- print!("Checking that {} parses as a valid config...", filename);
-
- UnixdConfig::new()
- .read_options_from_optional_config(file.path())
- .inspect_err(|e| {
- println!("Failed to parse: {:?}", e);
- })
- .expect("Failed to parse!");
- println!("OK");
- }
- }
- }
-}
diff --git a/unix_integration/resolver/tests/cache_layer_test.rs b/unix_integration/resolver/tests/cache_layer_test.rs
index 84c31a09a..ad85f48ec 100644
--- a/unix_integration/resolver/tests/cache_layer_test.rs
+++ b/unix_integration/resolver/tests/cache_layer_test.rs
@@ -12,13 +12,13 @@ use kanidm_unix_common::constants::{
DEFAULT_GID_ATTR_MAP, DEFAULT_HOME_ALIAS, DEFAULT_HOME_ATTR, DEFAULT_HOME_PREFIX,
DEFAULT_SHELL, DEFAULT_UID_ATTR_MAP,
};
+use kanidm_unix_common::unix_config::{GroupMap, KanidmConfig};
use kanidm_unix_common::unix_passwd::{CryptPw, EtcGroup, EtcShadow, EtcUser};
use kanidm_unix_resolver::db::{Cache, Db};
use kanidm_unix_resolver::idprovider::interface::Id;
use kanidm_unix_resolver::idprovider::kanidm::KanidmProvider;
use kanidm_unix_resolver::idprovider::system::SystemProvider;
use kanidm_unix_resolver::resolver::Resolver;
-use kanidm_unix_resolver::unix_config::{GroupMap, KanidmConfig};
use kanidmd_core::config::{Configuration, IntegrationTestConfig, ServerRole};
use kanidmd_core::create_server_core;
use kanidmd_testkit::{is_free_port, PORT_ALLOC};