The kanidm-unixd-tasks service refuses to start before kanidm-unixd:
```
systemd[1]: Started Kanidm Local Tasks.
(xd_tasks)[29469]: kanidm-unixd-tasks.service: Failed to set up mount namespacing: /run/systemd/unit-root/run/kanidm-unixd: No such file or directory
(xd_tasks)[29469]: kanidm-unixd-tasks.service: Failed at step NAMESPACE spawning /usr/sbin/kanidm_unixd_tasks: No such file or directory
systemd[1]: kanidm-unixd-tasks.service: Main process exited, code=exited, status=226/NAMESPACE
systemd[1]: kanidm-unixd-tasks.service: Failed with result 'exit-code'.
```
Resolve this by ensuring kanidm-unixd gets activated as a dependency.
The ordering ("After") is already in place.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
When an admin configured oauth2 custom claims during the creation it
was not enforced that at least one value must be present. This led to
an incorrect logic flaw in str_concat! which didn't handle the 0 case.
This hardens str_concat! to prevent the thread crash by using itertools
for the join instead, and it enforces stricter validation on the valueset
to deny creation of empty claims.
This fix has a low security impact as only an administrator or high
level user can trigger this as a possible denial of service.
Fixes#2680Fixes#2681
* Make the ubuntu_docker_builder.sh script a bit easier to use
- Entrypoint that installs dependencies on launch
- Echo hint on how to build deb packages
* Change debian packaging version string format to fix sort order
The sort order is important so that newer packages are seen as an update
and get installed, instead of apt preferring the older versions!
With these changes, a package is generated as `kanidm_Ubuntu_22.04_1:1.1.0~rc.15-dev~202401311334+c8a9e2c_x86_64.deb`
with the version string `1:1.1.0~rc.15-dev~202401311334+c8a9e2c`
Deb package version string comparison is Complex:
https://man7.org/linux/man-pages/man7/deb-version.7.html
With the previous versioning scheme for dev packages, the git hash
ended up getting prioritized over the date string, see for example:
`dpkg --compare-versions 1.1.0-rc.15-dev-202401100453666448f lt 1.1.0-rc.15-dev-20240120072786916a3; echo $?`
-> 1 (comparison failure)
A simple schema change avoiding most dashes could rescue the hash trouble:
`dpkg --compare-versions 1.1.0~rc.15-dev-202401100453+666448f lt 1.1.0-rc.15-dev-202401200727+86916a3; echo $?`
-> 0 (comparison success)
.. But, the second problem is seeing a stable release as newer:
`dpkg --compare-versions 1.1.0~rc.15-dev~202401100453+666448f lt 1.1.0; echo $?`
-> 1 (comparison failure)
.. Which can be solved by forcing the entire dev portion to not be
interpreted as a debian version by substituting tildes:
`dpkg --compare-versions 1.1.0~rc.15-dev~202401100453+666448f lt 1.1.0; echo $?`
-> 0 (comparison success)
.. But, old schema versions still seem newer due to their debian
version:
`dpkg --compare-versions 1.1.0-rc.15-dev-202401100453666448f lt 1.1.0~rc.15-dev~202401200727+86916a3; echo $?`
-> 1 (comparison failure)
Thus, the only solution is to change the scheme and increment the epoch value once
to force all lesser default epoch versions to be seen as older:
`dpkg --compare-versions 1.1.0-rc.15-dev-202401100453666448f lt 1:1.1.0~rc.15-dev~202401200727+86916a3; echo $?`
-> 0 (comparison success)
`dpkg --compare-versions 1:1.1.0~rc.15-dev~202401200727+86916a3 lt 1:1.1.0; echo $?`
-> 0 (comparison success)
* Drop epoch field from deb filenames
GitHub Actions enforces NTFS compatible artifact filenames, ergo the
colon required for the epoch field is banned. The epoc is still in the
version field itself, just not in the filename.
---------
Co-authored-by: Jinna Kiisuo <jinna+git@nocturnal.fi>
Fixes two major issues with replication.
The first was related to server refreshes. When a server was refreshed it would retain it's server unique id. If the server had lagged and was disconnected from replication and administrator would naturally then refresh it's database. This meant that on next tombstone purge of the server, it's RUV would jump ahead causing it's refresh-supplier to now believe it was lagging (which was not the case).
In the situation where a server is refreshed, we reset the servers unique replication ID which avoids the RUV having "jumps".
The second issue was related to RUV trimming. A server which had older RUV entries (say from servers that have been trimmed) would "taint" and re-supply those server ID's back to nodes that wanted to trim them. This also meant that on a restart of the server, that if the node had correctly trimmed the server ID, it would be re-added in memory.
This improves RUV trimming by limiting what what compare and check as a supplier to only CID's that are within the valid changelog window. This itself presented challenges with "how to determine if a server should be removed from the RUV". To achieve this we now check for "overlap" of the RUVS. If overlap isn't occurring it indicates split brain or node isolation, and replication is stopped in these cases.
* otel can eprintln kthx
* started python integration tests, features
* more tests more things
* adding heaps more things
* updating docs
* fixing python test
* fixing errors, updating integration test
* Add models for OAuth2, Person, ServiceAccount and add missing endpoints
* Alias Group to GroupInfo to keep it retrocompatible
* Fixed issues from review
* adding oauth2rs_get_basic_secret
* adding oauth2rs_get_basic_secret
* Fixed mypy issues
* adding more error logs
* updating test scripts and configs
* fixing tests and validating things
* more errors
---------
Co-authored-by: Dogeek <simon.bordeyne@gmail.com>
This improves the errors during TLS configuration to localise them to
the error site, as well as calling our file path diagnostics tool
to assist with permission errors.
When a delete of an entry occurs which is reference by another entry,
if the entry has a MUST schema condition on the deleted entry then the
delete should be blocked to prevent the entries structure becoming
invalid.
* betterer errors on things
* Adding tpm-udev as a dependency of kanidm-unixd
* fixing makefile arch error
* adding jq to deb build deps
* adding kanidm deb to autobuild
* making the debian build script more resilient
