mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-23 20:47:01 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity
2191 commits 17 branches 59 tags 246 MiB
Commit graph

267 commits

Author SHA1 Message Date
Firstyear 013661bbf4 Allow modification of password minimum length (#3345) 
Allow all account policy values to be altered on system protected
objects.
 2025-01-09 11:50:47 +10:00
Firstyear 51a976fed5 Ignore anonymous in oauth2 read allow access (#3336) 
Administrators will sometimes configure oauth2 clients with `idm_all_accounts`
as an allowed scope group. Despite anonymous being *unable* to interact with
oauth2, this still allowed oauth2 clients to be read by anonymous in this
configuration. For some users, this may be considered a public info
disclosure.
 2025-01-08 09:40:48 +10:00
Firstyear fee2d3b0d6 Resolve passkey regression (#3343) 
During other testing I noticed that passkeys no longer worked
on a reauthentication. This was due to a regression in you
guessed it, cookies, where the auth session id wasn't being
removed properly.
 2025-01-08 09:40:28 +10:00
Firstyear 2f7279d8db Further SCIM sync testing, minor fixes (#3305) 
This adds further testing of SCIM sync, especially around
conversion of the SCIM Sync Person and Group types into
SCIM Entry. This test would have prevented #3298 and
 #3299 from occuring.

During testing two more fixes were found. external_id should have
been required (not optional) and a group with no members would
cause a serialisation issue.
 2024-12-21 17:22:02 +10:00
Firstyear ab8ef8d977 Use specific errors for intent token revoked (#3291) 
Rather than the generic 'invalid state' error, we now return
proper site-specific errors for credential commit failures, with
error messages to explain what went wrong.
 2024-12-21 17:14:51 +10:00
James Hodgkinson dafc98b1db Allow OAuth2 loopback redirects if the path matches (#3252) 2024-12-03 14:00:23 +10:00
Georg 6458660a24 Correct spelling of occurred (#3222) 
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
 2024-11-22 12:14:06 +10:00
Firstyear a6ecff0caa Prevent Invalid MFA Reg States (#3194) 2024-11-10 14:06:08 +10:00
Firstyear 69ceb6c4f7 Hoist max_age to prevent incorrect deserialisation (#3190) 2024-11-10 14:06:08 +10:00
Firstyear 4f55b1cc33 Re-migrate all acps to force updating (#3184) 
* Re-migrate all acps to force updating

* Update server/lib/src/server/migrations.rs

---------

Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
 2024-11-08 14:19:10 +10:00
Firstyear c3e42ba257 security - low - fault in migrations (#3182) 
A fault existed in the server's internal migration code, where attributes
that were multivalued would be merged rather than replaced in certain
contexts. This migration path is used for access controls, meaning that
on upgrades, attributes that were meant to be removed from access
controls or changes to access control target groups were not reflected
during the upgrade process.

This has a potentially low security impact as it may have allowed
users to change their name/displayname even if the administrator
had disable the name_self_write access control.
 2024-11-07 14:33:11 +10:00
George Wu daba216803 Update missing inputmode numeric when adding a new TOTP. (#3160) 2024-10-30 12:24:36 +10:00
Firstyear 8afdc065bb Improve OAuth2 authorisation ux (#3158) 
- Resolve an issue where oauth2 could trigger the login page to
  incorrectly redirect to an oauth2 application instead of apps
- Add indication of what client application we are accessing
  if the session is not yet authenticated
 2024-10-29 18:16:27 +10:00
Firstyear 2e6d940691
Remove WASM (#3148) 
liberal party took over, more cuts
 2024-10-26 17:19:13 +10:00
Wei Jian Gan bc55313d87
Harmonize UI and remove unused css (#3033) 
-------

Co-authored-by: Wei Jian Gan <wg@danicapension.dk>
Co-authored-by: William Brown <william@blackhats.net.au>
 2024-10-26 04:47:44 +00:00
James Hodgkinson 151a9ad90f
ripping out some extra packages (#3146) 2024-10-26 02:27:56 +00:00
James Hodgkinson 5a709520dc
OAuth2 Device flow foundations (#3098) 2024-10-26 12:08:48 +10:00
CEbbinghaus dc56a3217d
Chore: Refactor Groups to be more generic (#3136) 2024-10-25 00:36:20 +00:00
Firstyear 5a3e5f1e07
20241017 3107 token ttl (#3114) 2024-10-18 03:28:52 +00:00
Firstyear 2075125439
Working scim entry get for person (#3088) 2024-10-15 04:29:45 +00:00
Firstyear 1cccebd382
20241012 attr name SCIM fix (#3102) 
* Fix handling of attribute to ensure that it is consistently Attribute in scim sync
 2024-10-14 08:00:03 +10:00
Merlijn 4e125b5043
Scim add EntryReference (#3079) 
Allow references to be displayed as a complex object
 2024-10-10 00:13:45 +00:00
Firstyear c779443454
Fix Increment Replication Post Upgrade (#3089) 2024-10-05 19:53:39 +10:00
Firstyear 131ff80b32
20240921 ssh keys and unix password in credential update session (#3056) 2024-10-03 05:57:18 +00:00
Firstyear cc662f184a
20240925 cleanups (#3060) 2024-10-03 14:04:02 +10:00
CEbbinghaus d109622d71
Make good on some TechDebt (#3084) 
adds MissingClass & MissingAttribute OperationError kinds to more strongly type our error messages.
 2024-10-03 10:48:28 +10:00
CEbbinghaus dc4a438c31
Feat: Adding POSIX Password fallback (#3067) 
* Added Schema for credential fallback
* Added account polcity management to ac migration
* Refactored Ldap & Unix auth to be common
* removed unused methods and renamed unused fields
* Fixed LDAP missing Anonymous logic
* Added CLI argument for configuring primary cred fallback
 2024-10-02 19:28:36 +10:00
Firstyear cf63c6b98b
Complete the implementation of the posix account cache (#3041) 
Allow caching and checking of shadow entries (passwords)
    Cache and serve system id's
    improve some security warnings
    prepare for multi-resolver
    Allow the kanidm provider to be not configured
    Allow group extension
 2024-10-02 02:12:13 +00:00
Firstyear 90afc8207c
20240926 tech debt (#3066) 
Large clean up
 2024-10-01 10:07:08 +10:00
Firstyear 23636acbf7
Fix migration of last mod cid (#3065) 2024-09-30 09:56:48 +00:00
Firstyear e4f5c2313d
Increase totp secret size (#3061) 2024-09-30 07:45:43 +00:00
Firstyear 6065f2db60
Add rfc7009 and rfc7662 metadata to oidc discovery (#3046) 2024-09-17 03:35:43 +00:00
Firstyear d3891e301f
20240810 SCIM entry basic (#3032) 2024-09-12 12:53:43 +10:00
Firstyear f053ff7fba
CreatedAt/ModifiedAt fix (#3034) 
* fix(repl): CreatedAt/ModifiedAt attributes
 2024-09-12 11:42:16 +10:00
Firstyear 938ad90f3b
20240906 Attribute as an Enum Type (#3025) 
Changes attribute from a string to an enum - this provides many performance improvements and memory savings throughout the server.
 2024-09-09 00:53:10 +00:00
Firstyear 95fc6fc5bf
20240828 Support Larger Images, Allow Custom Domain Icons (#3016) 
Allow setting custom domain icons.
 2024-09-05 04:19:27 +00:00
Firstyear e5a5de8de3
MemberOf in search implies DirectMemberOf (#3024) 2024-09-04 22:19:40 +10:00
Firstyear 0fac1f301e
20240820 SCIM value (#2992) 
Add the basics of scim value serialisation to entries.
 2024-08-29 11:38:00 +10:00
James Hodgkinson 3eae7be0bb
OAuth2 Token Type (#3008) 
* fix(OAuth2): Invalid `token_type` for token introspection
Fixes #3005

* fix(aut): `assert_eq` instead of `assert ==`

* fix(OAuth2): IANA registry access token types

* fix(OAuth2): deserialize case insensitively
 2024-08-25 23:30:20 +00:00
Firstyear c8b9ff3274
Spattering of oauth2 stuff (#3000) 
* fix(oauth2): refresh scope constraints
 2024-08-24 14:02:16 +10:00
Firstyear 77938ed85f
Add missing group for application admin (#2991) 2024-08-21 16:58:31 +10:00
James Hodgkinson 7c3deab2c4
enforcen den clippen (#2990) 
* enforcen den clippen
* updating outdated oauth2-related docs
* sorry clippy, we tried
 2024-08-21 00:32:56 +00:00
Firstyear fbfea05c6c
20240817 group mail acp (#2982) 2024-08-21 09:59:50 +10:00
Firstyear 239f4594dd
20240810 application passwords (#2968) 
Add the server side components for application passwords. This adds the needed datatypes and handling via the ldap components.

Admin tools will be in a follow up PR. 

Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Co-authored-by: Samuel Cabrero <scabrero@suse.de>
 2024-08-20 06:44:37 +00:00
dependabot[bot] 9f4cc984db
Bump the all group with 17 updates (#2986) 
* Bump the all group with 17 updates


| Package | From | To |
| --- | --- | --- |
| [clap](https://github.com/clap-rs/clap) | `4.5.15` | `4.5.16` |
| [clap_complete](https://github.com/clap-rs/clap) | `4.5.14` | `4.5.18` |
| [concread](https://github.com/kanidm/concread) | `0.5.2` | `0.5.3` |
| [js-sys](https://github.com/rustwasm/wasm-bindgen) | `0.3.69` | `0.3.70` |
| [ldap3_client](https://github.com/kanidm/ldap3) | `0.5.0` | `0.5.1` |
| [ldap3_proto](https://github.com/kanidm/ldap3) | `0.5.0` | `0.5.1` |
| [libc](https://github.com/rust-lang/libc) | `0.2.155` | `0.2.157` |
| [lodepng](https://github.com/kornelski/lodepng-rust) | `3.10.4` | `3.10.5` |
| [serde](https://github.com/serde-rs/serde) | `1.0.206` | `1.0.208` |
| [serde_json](https://github.com/serde-rs/json) | `1.0.124` | `1.0.125` |
| [syn](https://github.com/dtolnay/syn) | `2.0.74` | `2.0.75` |
| [tokio](https://github.com/tokio-rs/tokio) | `1.39.2` | `1.39.3` |
| [wasm-bindgen](https://github.com/rustwasm/wasm-bindgen) | `0.2.92` | `0.2.93` |
| [wasm-bindgen-futures](https://github.com/rustwasm/wasm-bindgen) | `0.4.42` | `0.4.43` |
| [wasm-bindgen-test](https://github.com/rustwasm/wasm-bindgen) | `0.3.42` | `0.3.43` |
| [web-sys](https://github.com/rustwasm/wasm-bindgen) | `0.3.69` | `0.3.70` |
| [tower](https://github.com/tower-rs/tower) | `0.4.13` | `0.5.0` |


Updates `clap` from 4.5.15 to 4.5.16
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/clap_complete-v4.5.15...clap_complete-v4.5.16)

Updates `clap_complete` from 4.5.14 to 4.5.18
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/clap_complete-v4.5.14...clap_complete-v4.5.18)

Updates `concread` from 0.5.2 to 0.5.3
- [Commits](https://github.com/kanidm/concread/commits)

Updates `js-sys` from 0.3.69 to 0.3.70
- [Release notes](https://github.com/rustwasm/wasm-bindgen/releases)
- [Changelog](https://github.com/rustwasm/wasm-bindgen/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rustwasm/wasm-bindgen/commits)

Updates `ldap3_client` from 0.5.0 to 0.5.1
- [Changelog](https://github.com/kanidm/ldap3/blob/master/RELEASE_NOTES.md)
- [Commits](https://github.com/kanidm/ldap3/commits)

Updates `ldap3_proto` from 0.5.0 to 0.5.1
- [Changelog](https://github.com/kanidm/ldap3/blob/master/RELEASE_NOTES.md)
- [Commits](https://github.com/kanidm/ldap3/commits)

Updates `libc` from 0.2.155 to 0.2.157
- [Release notes](https://github.com/rust-lang/libc/releases)
- [Changelog](https://github.com/rust-lang/libc/blob/0.2.157/CHANGELOG.md)
- [Commits](https://github.com/rust-lang/libc/compare/0.2.155...0.2.157)

Updates `lodepng` from 3.10.4 to 3.10.5
- [Commits](https://github.com/kornelski/lodepng-rust/compare/v3.10.4...v3.10.5)

Updates `serde` from 1.0.206 to 1.0.208
- [Release notes](https://github.com/serde-rs/serde/releases)
- [Commits](https://github.com/serde-rs/serde/compare/v1.0.206...v1.0.208)

Updates `serde_json` from 1.0.124 to 1.0.125
- [Release notes](https://github.com/serde-rs/json/releases)
- [Commits](https://github.com/serde-rs/json/compare/v1.0.124...1.0.125)

Updates `syn` from 2.0.74 to 2.0.75
- [Release notes](https://github.com/dtolnay/syn/releases)
- [Commits](https://github.com/dtolnay/syn/compare/2.0.74...2.0.75)

Updates `tokio` from 1.39.2 to 1.39.3
- [Release notes](https://github.com/tokio-rs/tokio/releases)
- [Commits](https://github.com/tokio-rs/tokio/compare/tokio-1.39.2...tokio-1.39.3)

Updates `wasm-bindgen` from 0.2.92 to 0.2.93
- [Release notes](https://github.com/rustwasm/wasm-bindgen/releases)
- [Changelog](https://github.com/rustwasm/wasm-bindgen/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rustwasm/wasm-bindgen/compare/0.2.92...0.2.93)

Updates `wasm-bindgen-futures` from 0.4.42 to 0.4.43
- [Release notes](https://github.com/rustwasm/wasm-bindgen/releases)
- [Changelog](https://github.com/rustwasm/wasm-bindgen/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rustwasm/wasm-bindgen/commits)

Updates `wasm-bindgen-test` from 0.3.42 to 0.3.43
- [Release notes](https://github.com/rustwasm/wasm-bindgen/releases)
- [Changelog](https://github.com/rustwasm/wasm-bindgen/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rustwasm/wasm-bindgen/commits)

Updates `web-sys` from 0.3.69 to 0.3.70
- [Release notes](https://github.com/rustwasm/wasm-bindgen/releases)
- [Changelog](https://github.com/rustwasm/wasm-bindgen/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rustwasm/wasm-bindgen/commits)

Updates `tower` from 0.4.13 to 0.5.0
- [Release notes](https://github.com/tower-rs/tower/releases)
- [Commits](https://github.com/tower-rs/tower/compare/tower-0.4.13...tower-0.5.0)

---
updated-dependencies:
- dependency-name: clap
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: clap_complete
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: concread
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: js-sys
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: ldap3_client
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: ldap3_proto
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: libc
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: lodepng
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: serde
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: serde_json
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: syn
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: tokio
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: wasm-bindgen
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: wasm-bindgen-futures
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: wasm-bindgen-test
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: web-sys
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: tower
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>

* updates to source/packages

* making the nightly build happy

* making the nightly build happy

* making the nightly build happy

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
 2024-08-19 23:22:23 +10:00
Firstyear 36b6fda787
Mail substr index (#2981) 2024-08-18 02:49:24 +00:00
cuberoot74088 eee2df8894
Improve migration error message (#2959) 
In this migration we have checked for legacy security_keys and not gid. This makes it easier for users to understand what the issue is.
 2024-08-08 21:43:03 +00:00
James Hodgkinson d512954fe6
Docker-and-docs-fixes (#2954) 
* removing VOLUME entry from server container

* link fixing

* link fixing in docs
 2024-08-05 00:27:45 +00:00
Firstyear 3ae8453375
In honour of SebaT, error on db lock acq timeout (#2947) 2024-08-02 09:29:46 +10:00
Firstyear 1fbe65b351
Add measurement of lock acquisition (#2946) 2024-08-01 01:43:55 +00:00