Commit graph

2378 commits

Author SHA1 Message Date
Firstyear 0b0d3421fb
Fix healthcheck to use ENV for config path () 2025-05-27 01:32:05 +00:00
James Hodgkinson 4fd56f9b0a
maint: rewrite crypto Password::try_from ()
* maint: rewrite crypto Password::try_from
* the shed is pink
2025-05-27 09:12:38 +10:00
Kate edc65548b8
doc(book): Add option to Nextcloud Oauth2.0 example () 2025-05-26 02:36:10 +00:00
dependabot[bot] 110fa5e2ce
Bump the all group with 4 updates ()
Bumps the all group with 4 updates: [hyper-util](https://github.com/hyperium/hyper-util), [tokio](https://github.com/tokio-rs/tokio), [uuid](https://github.com/uuid-rs/uuid) and [cc](https://github.com/rust-lang/cc-rs).


Updates `hyper-util` from 0.1.11 to 0.1.12
- [Release notes](https://github.com/hyperium/hyper-util/releases)
- [Changelog](https://github.com/hyperium/hyper-util/blob/master/CHANGELOG.md)
- [Commits](https://github.com/hyperium/hyper-util/compare/v0.1.11...v0.1.12)

Updates `tokio` from 1.45.0 to 1.45.1
- [Release notes](https://github.com/tokio-rs/tokio/releases)
- [Commits](https://github.com/tokio-rs/tokio/compare/tokio-1.45.0...tokio-1.45.1)

Updates `uuid` from 1.16.0 to 1.17.0
- [Release notes](https://github.com/uuid-rs/uuid/releases)
- [Commits](https://github.com/uuid-rs/uuid/compare/v1.16.0...v1.17.0)

Updates `cc` from 1.2.23 to 1.2.24
- [Release notes](https://github.com/rust-lang/cc-rs/releases)
- [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.2.23...cc-v1.2.24)

---
updated-dependencies:
- dependency-name: hyper-util
  dependency-version: 0.1.12
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: tokio
  dependency-version: 1.45.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: uuid
  dependency-version: 1.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: cc
  dependency-version: 1.2.24
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-05-26 12:24:09 +10:00
Firstyear bd90d07a83
Make it clearer that the http address section is needed () 2025-05-22 06:07:13 +00:00
James Hodgkinson 1bb5b4994e
TODO trimming ()
* fix: use Url for origin instead of string
* fix: rename inputs to some oauth client functions to make naming clearer
* fix: removing HTTPOauth2Error internally
* fix: response type was wrong
* fix: clean up schema
* chore: cleaning up old TODOs
2025-05-21 12:49:24 +00:00
Firstyear 726916322a
Investigate and reduce memory consumption of unixd ()
* Limited sqlite cache to 32mb
* Improve setting WAL mode
* support DHAT for memory profiling in future
2025-05-21 09:57:17 +00:00
Firstyear 87fb066aff
Swap bytes mut at buffer limits ()
* Swap bytes mut at buffer limits
2025-05-21 18:16:03 +10:00
Firstyear 5e9f2e1a69
Clippy for 1.87 () 2025-05-19 13:21:54 +00:00
Jinna Kiisuo 5635966a35
fix: Improve unixd & unixd-tasks startup coupling ()
* fix: Improve unixd & unixd-tasks startup coupling

Due to a complex interplay of the hardening present in both services,
the unixd-tasks service fails to start on a systemd technicality if 
unixd hasn't started first and created the /run/kanidm-unixd dir.

While previous methods probably should've achieved the correct result,
practical testing time and time again proved that wasn't the case all
the time and we had a race condition.

This change disallows unixd-tasks from starting if the requisite socket
doesn't exist that unixd creates. In turn unixd ensures via an Upholds
directive unixd-tasks is always running which provides a very 
quick & controlled retry logic.

In addition, this syncs missed OpenSUSE side fixes to Debian and
vice-versa. They are now identical for unixd & unixd-tasks, 
but long term we should actually have both pull from a single source 
of truth.

* fix: Drop [Install] section to create a static service

Also:
 - improve comments a bit to explain what's going on here and why.
 - Explicitly use /run instead of the legacy /var/run symlink.

---------

Co-authored-by: Firstyear <william@blackhats.net.au>
2025-05-19 13:10:02 +00:00
dependabot[bot] 02a7e53b39
Bump the all group with 2 updates ()
Bumps the all group with 2 updates: [bitflags](https://github.com/bitflags/bitflags) and [cc](https://github.com/rust-lang/cc-rs).


Updates `bitflags` from 2.9.0 to 2.9.1
- [Release notes](https://github.com/bitflags/bitflags/releases)
- [Changelog](https://github.com/bitflags/bitflags/blob/main/CHANGELOG.md)
- [Commits](https://github.com/bitflags/bitflags/compare/2.9.0...2.9.1)

Updates `cc` from 1.2.22 to 1.2.23
- [Release notes](https://github.com/rust-lang/cc-rs/releases)
- [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.2.22...cc-v1.2.23)

---
updated-dependencies:
- dependency-name: bitflags
  dependency-version: 2.9.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: cc
  dependency-version: 1.2.23
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-05-19 07:34:16 +10:00
Firstyear cd850dd910
reload schema before verify () 2025-05-17 08:17:06 +00:00
Firstyear 13c3be53de
Defend against split_at panic () 2025-05-14 20:57:12 +10:00
Firstyear 6880cbf086
Fix minor issue with untagged version handling () 2025-05-14 05:27:37 +00:00
Firstyear 8a4bb41d10
Move shadow processing out of task event loop ()
As part of the recent unixd changes, we moved shadow processing to the privileged tasks daemon. In that move the handling of those files was moved into the event loop of the task handler itself, which could cause the daemon to become unresponsive for short or long periods, which then caused unixd to fail to make home directories.

This moves the shadow processing to a separate task, and only once it's ready the state flips and notifies the connected unixd caller.
2025-05-14 15:18:40 +10:00
Firstyear 97952d5490
Don't specify config path in container () 2025-05-13 14:30:38 +10:00
Firstyear 6a85e2a21b
Accept SSHA with different salt lengths () 2025-05-13 03:19:12 +00:00
James Hodgkinson 1774f9428c
Bye poetry, hi uv for python things ()
* fix: moving from poetry to uv for python packaging
* fix: updating rlm_python to use uv for things
2025-05-13 02:59:05 +00:00
Firstyear b7eda62e3b
Resolve flaw with ssh key parse if the key has no comment () 2025-05-13 02:39:10 +00:00
Firstyear b5cdf9dcf2
Indicate that this is an IP list, not a range ()
* Indicate that this is an IP list, not a range

We mistakenly commented that this was a range, not a list. This
has led to some confusion. Be clear it's a list of IPs, not a range.

* Support IP Ranges instead of IP Addresses in X-Forward-For

* Docs feedback
2025-05-13 01:53:58 +00:00
James Hodgkinson 47b091cd49
Test for corrupted unicode in SSH keys, keep the key title on error/resubmit () 2025-05-13 00:38:32 +00:00
James Hodgkinson 8daeddb9e7
Reduce replication logging verbosity 2025-05-13 10:21:47 +10:00
dependabot[bot] 1a39c5f5a2
Bump the all group across 1 directory with 7 updates ()
Bumps the all group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [clap](https://github.com/clap-rs/clap) | `4.5.37` | `4.5.38` |
| [clap_complete](https://github.com/clap-rs/clap) | `4.5.48` | `4.5.50` |
| [rustls](https://github.com/rustls/rustls) | `0.23.26` | `0.23.27` |
| [tempfile](https://github.com/Stebalien/tempfile) | `3.19.1` | `3.20.0` |
| [tokio](https://github.com/tokio-rs/tokio) | `1.44.2` | `1.45.0` |
| [cc](https://github.com/rust-lang/cc-rs) | `1.2.21` | `1.2.22` |
| [tower-http](https://github.com/tower-rs/tower-http) | `0.6.2` | `0.6.4` |



Updates `clap` from 4.5.37 to 4.5.38
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/clap_complete-v4.5.37...clap_complete-v4.5.38)

Updates `clap_complete` from 4.5.48 to 4.5.50
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/clap_complete-v4.5.48...clap_complete-v4.5.50)

Updates `rustls` from 0.23.26 to 0.23.27
- [Release notes](https://github.com/rustls/rustls/releases)
- [Changelog](https://github.com/rustls/rustls/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rustls/rustls/compare/v/0.23.26...v/0.23.27)

Updates `tempfile` from 3.19.1 to 3.20.0
- [Changelog](https://github.com/Stebalien/tempfile/blob/master/CHANGELOG.md)
- [Commits](https://github.com/Stebalien/tempfile/compare/v3.19.1...v3.20.0)

Updates `tokio` from 1.44.2 to 1.45.0
- [Release notes](https://github.com/tokio-rs/tokio/releases)
- [Commits](https://github.com/tokio-rs/tokio/compare/tokio-1.44.2...tokio-1.45.0)

Updates `cc` from 1.2.21 to 1.2.22
- [Release notes](https://github.com/rust-lang/cc-rs/releases)
- [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.2.21...cc-v1.2.22)

Updates `tower-http` from 0.6.2 to 0.6.4
- [Release notes](https://github.com/tower-rs/tower-http/releases)
- [Commits](https://github.com/tower-rs/tower-http/compare/tower-http-0.6.2...tower-http-0.6.4)

---
updated-dependencies:
- dependency-name: clap
  dependency-version: 4.5.38
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: clap_complete
  dependency-version: 4.5.50
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: rustls
  dependency-version: 0.23.27
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: tempfile
  dependency-version: 3.20.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: tokio
  dependency-version: 1.45.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: cc
  dependency-version: 1.2.22
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: tower-http
  dependency-version: 0.6.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-05-12 01:59:07 +00:00
dependabot[bot] 5a6f4fdb22
Bump the all group in /pykanidm with 2 updates ()
Bumps the all group in /pykanidm with 2 updates: [ruff](https://github.com/astral-sh/ruff) and [mkdocs-material](https://github.com/squidfunk/mkdocs-material).


Updates `ruff` from 0.11.8 to 0.11.9
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](https://github.com/astral-sh/ruff/compare/0.11.8...0.11.9)

Updates `mkdocs-material` from 9.6.12 to 9.6.13
- [Release notes](https://github.com/squidfunk/mkdocs-material/releases)
- [Changelog](https://github.com/squidfunk/mkdocs-material/blob/master/CHANGELOG)
- [Commits](https://github.com/squidfunk/mkdocs-material/compare/9.6.12...9.6.13)

---
updated-dependencies:
- dependency-name: ruff
  dependency-version: 0.11.9
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: mkdocs-material
  dependency-version: 9.6.13
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-05-12 11:35:08 +10:00
Firstyear 43ae7f542d
cargo publish () 2025-05-09 16:46:34 +10:00
James Hodgkinson 036f069c2d
fix: clippy 2025-05-09 13:10:09 +10:00
James Hodgkinson f31a1fc050
maint: typo in log message 2025-05-09 13:10:09 +10:00
William Brown 378ddadeda
Set kid manually to prevent divergence
Due to a quirk of how compact-jwt worked, the Key ID (kid) that it
would use for signing may be different to the kid that Kanidm was
using to reference the key. This was due to a change in the kid
format, that wasn't fully handled.

Now on key load, the correct kid can be set by Kanidm so that
all signatures have a kid that matches what Kanidm believes the
kid to be.
2025-05-09 13:10:09 +10:00
William Brown bb53f17b80
Order keys in application JWKS / Fix rotation bug
When we return the JWKS for applications to validate, the order of
that set can matter for applications which assume that the first
key in the list is the current valid key. This sorts the resultant
JWKS to ensure that the latest key is always first.

When a key was requested for rotation, if the rotation time was in
the past then the key would not be rotated. In this situation, the
server now assumes that any "past" time indicates the rotation should
occur *now* instead.
2025-05-09 13:10:09 +10:00
William Brown 8189bc0bc4
Fix toml issues with strings
During the toml library upgrade, strings were not parsing
correctly in the x509 replication handler.

This fixes both the string parse, but also improves our
error handling to clearly show the mistake in the config
if one exists.
2025-05-09 13:10:09 +10:00
Firstyear 2256c79b9c
OAuth2 Client IDs should be processed as lowercase () 2025-05-09 01:36:50 +00:00
Firstyear 9e0656b30d
Resolve reload of oauth2 on startup () 2025-05-08 12:59:16 +10:00
dependabot[bot] 68c34adea6
Bump petgraph from 0.7.1 to 0.8.1 in the all group ()
Bumps the all group with 1 update: [petgraph](https://github.com/petgraph/petgraph).


Updates `petgraph` from 0.7.1 to 0.8.1
- [Release notes](https://github.com/petgraph/petgraph/releases)
- [Changelog](https://github.com/petgraph/petgraph/blob/master/CHANGELOG.md)
- [Commits](https://github.com/petgraph/petgraph/compare/petgraph@v0.7.1...petgraph@v0.8.1)

---
updated-dependencies:
- dependency-name: petgraph
  dependency-version: 0.8.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-05-05 02:28:50 +00:00
dependabot[bot] f4cbbf0090
Bump the all group in /pykanidm with 2 updates ()
Bumps the all group in /pykanidm with 2 updates: [pydantic](https://github.com/pydantic/pydantic) and [ruff](https://github.com/astral-sh/ruff).


Updates `pydantic` from 2.11.3 to 2.11.4
- [Release notes](https://github.com/pydantic/pydantic/releases)
- [Changelog](https://github.com/pydantic/pydantic/blob/main/HISTORY.md)
- [Commits](https://github.com/pydantic/pydantic/compare/v2.11.3...v2.11.4)

Updates `ruff` from 0.11.7 to 0.11.8
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](https://github.com/astral-sh/ruff/compare/0.11.7...0.11.8)

---
updated-dependencies:
- dependency-name: pydantic
  dependency-version: 2.11.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: ruff
  dependency-version: 0.11.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-05-05 12:20:08 +10:00
Firstyear 235e4d053a
Avoid openssl for md4 () 2025-05-04 07:16:40 +10:00
Merlijn 7a0c19e39b
Fixes , inverts the navbar button color () 2025-05-03 12:44:45 +10:00
Firstyear d6c77cdabf
Update to 1.7.0-dev () 2025-05-03 09:19:40 +10:00
Firstyear 7152f913bb
chore: Release Notes () 2025-05-02 05:00:02 +00:00
Firstyear b27fd2f3de
Do not require instances to exist during optional config load ()
* Do not require instances to exist during optional config load

We were incorrectly requiring every config file to have the named
instance be present during configuration loading. This led to a
situation where if /etc/kanidm/config didn't have a user configured
instance from their ~/.config/kanidm, that the cli would fail to
load.

* CLIPS FOR THE CLIP GODS
2025-05-02 04:40:23 +00:00
James Hodgkinson f2d4f65bc6
Fix std::fmt::Display for some objects ()
* fix: missing comma in `std::fmt::Display` for `UnixGroupToken`
* fix: missing gidnumber on `std::fmt::Display` for `UnixUserToken`
2025-05-01 04:21:03 +00:00
Firstyear aaf43c7b06
Drop fernet in favour of JWE ()
This drops the use of fernet from OAuth2 in favour of JWE. To achieve
this cleanly, we swap OAuth2 to using our internal key object handler
so that in future we can consider the use of pkcs11 devices. This also
makes it easier in general to handle any future cryptographic changes.
2025-04-30 16:42:22 +10:00
Fabian Kammel d3e70bd195
docs: document how to configure oauth2 for opkssh ()
* docs: document how to configure oauth2 for opkssh
2025-04-29 21:27:07 +00:00
Campbell He 817ecac95c
Add kanidm_ssh_authorizedkeys_direct to client deb ()
Include the `kanidm_ssh_authorizedkeys_direct` binary in the client deb.
This ensures consistency with other packages (suse, cargo, etc.).

Fix 
2025-04-29 11:59:46 +10:00
dependabot[bot] ff6e97164f
Bump the all group in /pykanidm with 2 updates ()
---
updated-dependencies:
- dependency-name: aiohttp
  dependency-version: 3.11.18
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: ruff
  dependency-version: 0.11.7
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-04-28 10:12:41 +10:00
James Hodgkinson be4818e121
Update dependencies, fix a bunch of clippy lints () 2025-04-24 11:25:25 +10:00
Firstyear 5201ec11e8
Support spaces in ssh key comments () 2025-04-23 13:23:22 +10:00
Firstyear e97f4bc54c
20250402 3423 proxy protocol ()
Implement the PROXY protocol for IP address information from load balancers. This improves our handling and configuration of x-forward-for as well to include trusted IP ranges.
2025-04-23 01:10:01 +00:00
Keerthi 20433f5712
fix(web): Preserve SSH key content on form validation error () 2025-04-22 17:58:45 +10:00
dependabot[bot] 8424863969
Bump the all group in /pykanidm with 3 updates ()
---
updated-dependencies:
- dependency-name: aiohttp
  dependency-version: 3.11.17
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: ruff
  dependency-version: 0.11.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: mkdocs-material
  dependency-version: 9.6.12
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-04-22 13:16:09 +10:00
dependabot[bot] 9b7c542b0a
Bump the all group in /pykanidm with 2 updates ()
Bumps the all group in /pykanidm with 2 updates: [pydantic](https://github.com/pydantic/pydantic) and [ruff](https://github.com/astral-sh/ruff).


Updates `pydantic` from 2.11.2 to 2.11.3
- [Release notes](https://github.com/pydantic/pydantic/releases)
- [Changelog](https://github.com/pydantic/pydantic/blob/main/HISTORY.md)
- [Commits](https://github.com/pydantic/pydantic/compare/v2.11.2...v2.11.3)

Updates `ruff` from 0.11.4 to 0.11.5
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](https://github.com/astral-sh/ruff/compare/0.11.4...0.11.5)

---
updated-dependencies:
- dependency-name: pydantic
  dependency-version: 2.11.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: ruff
  dependency-version: 0.11.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-04-15 10:24:43 +10:00