Firstyear
fbc021f487
20240221 2489 cleanup api v1 ( #2573 )
2024-02-27 09:25:02 +00:00
James Hodgkinson
4096b8f02d
Changing to allow startup without a config file ( #2582 )
* Changing to allow startup without a config file, using environment variables
2024-02-27 15:40:00 +10:00
Firstyear
adb575947f
Adjust output of claim maps for better parsing ( #2566 )
* Adjust output of claim maps for better parsing
* Update python tests for OAuth2 bits
* fixing workflows for container builds
---------
Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
2024-02-26 13:33:32 +10:00
Sebastiano Tocci
d3af1a9e1b
improved error description for commit_credential_update ( #2579 )
2024-02-24 00:18:38 +00:00
Firstyear
3bf16d4253
Make /status less noisy ( #2574 )
2024-02-22 17:34:46 +10:00
Firstyear
752bdf7578
Add system range protection ( #2565 )
2024-02-21 23:27:37 +10:00
James Hodgkinson
4efdb7208f
of course I started looking at clippy things and now I can't stop ( #2560 )
2024-02-21 00:52:10 +00:00
Firstyear
68d788a9f7
20240216 308 resource limits ( #2559 )
This adds account policy based resource limits to control the maximum
number of entries that an account may query
2024-02-21 00:15:43 +00:00
James Hodgkinson
097db70c3d
prctl compile-time fixes, also chasing lints ( #2558 )
* fixing up error handling for prctl calls
* minor clippy lintypoos
* making clippy happier
* clippizing a test
* more clippy-calming
* adding tpm-udev to ubuntu flows for testing
* rebuilt wasm
* moving from rg to grep because someone doesn't like nice things
* such clippy like wow
* clippy config to the rescue
2024-02-20 18:21:33 +10:00
Firstyear
002ab13698
Add code_challenge_methods_supported to OIDC discovery ( #2525 )
2024-02-15 09:17:08 +10:00
Firstyear
7567514044
Release 1.1.0-rc.16 ( #2483 )
2024-02-07 04:39:02 +00:00
Firstyear
cdbaefe23d
Fix for incorrect domain migration rollbacks ( #2482 )
2024-02-07 13:11:55 +10:00
Firstyear
9050188b29
Add tools for remigration and domain level raising ( #2481 )
2024-02-06 10:01:06 +00:00
Firstyear
ddea9c6699
Support SPN in groups claim ( #2474 )
2024-02-06 03:56:04 +00:00
Firstyear
23cc2e7745
Fix RUV trim ( #2466 )
Fixes two major issues with replication.
The first was related to server refreshes. When a server was refreshed it would retain its server unique id. If the server had lagged and was disconnected from replication, an administrator would naturally then refresh its database. This meant that on the next tombstone purge of the server, its RUV would jump ahead, causing its refresh-supplier to now believe it was lagging (which was not the case).
In the situation where a server is refreshed, we reset the server's unique replication ID, which avoids the RUV having "jumps".
The second issue was related to RUV trimming. A server which had older RUV entries (say from servers that have been trimmed) would "taint" and re-supply those server IDs back to nodes that wanted to trim them. This also meant that on a restart of the server, if the node had correctly trimmed the server ID, it would be re-added in memory.
This improves RUV trimming by limiting what we compare and check as a supplier to only CIDs that are within the valid changelog window. This itself presented challenges with "how to determine if a server should be removed from the RUV". To achieve this we now check for "overlap" of the RUVs. If overlap isn't occurring it indicates split brain or node isolation, and replication is stopped in these cases.
2024-02-02 15:38:45 +10:00
Firstyear
d42268269a
20240125 2217 client credentials grant ( #2456 )
* Huge fix of a replication problem.
* Update test
* Increase min replication level
* Client Credentials Grant implementation
2024-02-01 02:00:29 +00:00
Firstyear
86916a3d87
Return sshkey label to cli fields ( #2440 )
* Return ssh label to cli fields
2024-01-20 17:17:57 +10:00
Firstyear
b1e7cb13a5
Add rfc8414 metadata ( #2434 )
2024-01-19 04:14:52 +00:00
Firstyear
8e4980b2c1
Add test for delete referer invalid ( #2435 )
When a delete of an entry occurs which is referenced by another entry,
if the entry has a MUST schema condition on the deleted entry then the
delete should be blocked to prevent the entry's structure becoming
invalid.
2024-01-19 02:18:11 +00:00
Firstyear
8dc884f38e
2390 1980 allow native applications ( #2428 )
2024-01-16 10:44:12 +10:00
Firstyear
a1fa59b83c
Clean RUV ( #2424 )
2024-01-12 09:43:20 +10:00
Firstyear
666448f787
Upgrade replication to use anchors ( #2423 )
* Upgrade replication to use anchors
2024-01-10 04:46:08 +00:00
Firstyear
e9340c682e
Use case insensitive match on substrings in line with ldap ( #2419 )
2024-01-06 15:52:21 +10:00
Firstyear
cc79b2a205
20231222 piv authentication ( #2398 )
Foundations of PIV authentication
2023-12-29 23:15:26 +00:00
Firstyear
7f27a6fcd9
Force apply idm migrations to apply access controls ( #2401 )
2023-12-28 12:24:29 +10:00
Firstyear
fd71a748ca
Add improved domain migration framework and default MFA ( #2382 )
2023-12-21 14:44:20 +10:00
Firstyear
3408816932
Add DN as a virtual ldap attr ( #2379 )
2023-12-19 15:07:19 +10:00
James Hodgkinson
a4c44bc5f9
fixing default for oauth2 request_parameter_supported metadata ( #2378 )
2023-12-19 11:56:47 +10:00
Firstyear
5c445a4704
20231218 ipa sync unix password ( #2374 )
* Add support for importing the users password as unix password
2023-12-18 11:20:37 +10:00
Firstyear
d09c2448ff
1481 2024 access control rework ( #2366 )
Rework default access controls to better separate roles and access profiles.
2023-12-17 23:10:13 +00:00
Firstyear
854b696532
249 2024 managed by syntax ( #2359 )
Allows hierarchical entry management rules.
2023-12-07 10:00:09 +00:00
Firstyear
4bd5d584cb
20231204 ipa sync minor improvements ( #2357 )
2023-12-04 16:58:15 +10:00
Firstyear
76269f9de2
20231129 webauthn attestation ( #2351 )
This adds full support for attestation of webauthn/passkeys.
2023-12-03 06:13:52 +00:00
James Hodgkinson
9a464c653c
Using proper axum http headers lib for compatibility ( #2348 )
2023-12-01 08:55:51 +10:00
Firstyear
cbdbaa8fe0
Bearer should send with same caps we accept ( #2345 )
2023-11-30 09:25:34 +10:00
Firstyear
31b939fca3
20231128 freeipa migration ( #2338 )
* Add more weak password formats for freeipa
* Verification of freeipa migration from older ipa versions
2023-11-29 10:43:15 +10:00
Firstyear
ac299b5286
Update to the latest compact-jwt version ( #2331 )
2023-11-24 02:53:22 +00:00
James Hodgkinson
916bb4ec04
Adding env var configs for the server ( #2329 )
* env var config for server
* I am my own clippy now
* Man, that got complicated quick
2023-11-24 01:27:49 +00:00
Firstyear
bb8914c70d
20231120 2320 sssd compat ( #2328 )
2023-11-22 10:18:03 +10:00
Firstyear
b71b0460f3
Add test ( #2323 )
2023-11-19 21:56:19 +10:00
James Hodgkinson
2be287c1ff
OAuth2 scopes validation logging missing details ( #2317 )
* OAuth2 scopes validation logging missing details - Fixes #2316
* clippy was mad
2023-11-17 16:08:08 +10:00
Firstyear
47bcea7708
20231109 1122 credential class ( #2300 )
* Add CredentialType for acc pol
* Reword ui hints
* Finish account policy
* Clean up artefacts
2023-11-11 09:26:44 +10:00
James Hodgkinson
60e5935faa
Moving daemon tracing to OpenTelemetry ( #2292 )
* sally forth into the great otel unknown
* make the build env identification slightly more durable
* docs updates
* wasm recompile
2023-11-09 05:15:12 +00:00
Firstyear
b7852d1d71
pw min length in account policy ( #2289 )
2023-11-05 10:33:25 +10:00
James Hodgkinson
b9d47fe8f7
oauth2 typo ( #2290 )
2023-11-04 06:45:40 +00:00
Firstyear
9e5449a644
Minor improvements to incoming replication ( #2279 )
2023-11-02 01:21:21 +00:00
Allan
dbf476fe5e
Remove unused imports and clippy lint ( #2276 )
* Fix unused import errors
* Apply clippy get_first lint
* Add contributor
---------
Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
2023-11-01 05:54:29 +00:00
Samuel Cabrero
c3c0b5f459
Rework ldap bind routine ( #2268 )
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
2023-11-01 15:09:22 +10:00
James Hodgkinson
ef96ca6aa1
started writing docs and ended up in another rabbit hole ( #2267 )
* started writing docs and ended up in another rabbit hole
* updoots
* dangit fedora
2023-10-31 19:15:35 +10:00
William Brown
ecc46bb015
Add book chapter + cli
2023-10-28 13:07:06 +10:00
NavinShrinivas
b80a3b271c
Cargo fmt and clippy checks
Signed-off-by: NavinShrinivas <karupal2002@gmail.com>
2023-10-28 13:07:06 +10:00
NavinShrinivas
12ea1c8702
Restrict posix passwords on ldap bind with config
Signed-off-by: NavinShrinivas <karupal2002@gmail.com>
2023-10-28 13:07:06 +10:00
Samuel Cabrero
99ba97088d
cargo fmt + clippy ( #2241 )
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
2023-10-27 04:40:24 +00:00
Firstyear
afe9d28754
20231019 1122 account policy basics ( #2245 )
---------
Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
2023-10-22 11:16:42 +00:00
Firstyear
6ff9082fd2
20231014 account policy ( #2218 )
* Start to prep for unix+ssh keys in credupdate session
2023-10-19 01:40:06 +00:00
James Hodgkinson
6850a17e8c
Windows build fixes and test coverage ( #2220 )
* adding testing for users functions
* turning KanidmClient build error into a ClientError
* removing a redundant closure
2023-10-17 07:18:07 +00:00
James Hodgkinson
f28d5cef22
OpenAPI/swagger docs autogen ( #2175 )
* always be clippyin'
* pulling oauth2 api things out into their own module
* starting openapi generation
2023-10-14 12:39:14 +10:00
Firstyear
8bcf1935a5
20231012 346 name deny list ( #2214 )
* Migrate to improved system config reload, cleanup acc pol
* Denied names feature
2023-10-13 08:50:36 +10:00
Firstyear
fbc62ea51e
fix RUV on startup, improve filter output ( #2211 )
2023-10-11 21:14:27 +10:00
James Hodgkinson
d9da1eeca0
Chasing yaks down dark alleyways ( #2207 )
* adding some test coverage because there was some rando panic-inducing thing
* ldap constants
* documenting a macro
* helpful weird errors
* the war on strings continues
* less json more better
* testing things fixing bugs
* idm_domain_reset_token_key wasn't working, added a test and fixed it (we weren't testing it)
* idm_domain_set_ldap_basedn - adding tests
* adding testing for idm_account_credential_update_cancel_mfareg
* warning of deprecation
2023-10-11 15:44:29 +10:00
Firstyear
a91bf55471
20231008 remove expect used ( #2191 )
* Stop using expect on some tasks
2023-10-08 17:39:00 +10:00
James Hodgkinson
19f9fde012
Thread naming and display ( #2190 )
* sometimes handlers fail
* enums are better than strings
* clippyisms
2023-10-08 13:08:46 +10:00
James Hodgkinson
48979b8e1a
Replication tweaks - try the most recent successful one and error less ( #2189 )
* made an error less error-y and also found a way to try the last-most-working repl peer
2023-10-07 13:09:42 +10:00
James Hodgkinson
0adc3e0dd9
Chasing wooly quadrupeds again ( #2163 )
* I really like well-tended yaks
* documenting yaks
* spellink
* less surprise more good
* schema test fix
* clippyisms
2023-10-05 12:30:46 +10:00
Firstyear
f6d2bcb44b
68 20230929 replication finalisation ( #2160 )
Replication is now ready for test deployments!
2023-10-05 11:11:27 +10:00
James Hodgkinson
e7f594a1c1
In-system image storage ( #2112 )
* In-system image storage refers to #2057
* adding multipart feature to axum
* thanks to @Firstyear for fixing my bufs
* fixing coverage test things
* clippy-calming
* more tests, jpg acropalypse tests, benches
* spelling
* lockfile updates
* linting
2023-10-04 17:24:12 +10:00
Firstyear
cb985a2fd0
fix credential update intent defaults ( #2162 )
2023-09-30 20:06:44 +10:00
Firstyear
3e345174b6
68 20230919 replication configuration ( #2131 )
2023-09-29 12:02:13 +10:00
James Hodgkinson
c7a269575c
Enforce TLS key size minimums ( #2145 )
* Enforce TLS key size minimums - Fixes #2144
* at some point clippy got mad
2023-09-26 09:59:00 +10:00
James Hodgkinson
d5ed335b52
Cinco de yakko ( #2108 )
* there are always more yaks
* see? ldap yaks.
* fixing stupid radius container build thing
2023-09-16 12:11:06 +10:00
Firstyear
77da40d528
68 20230912 session consistency ( #2110 )
This adds support for special-casing sessions in replication to allow them to internally trim and merge so that session revocations and creations are not lost between replicas.
2023-09-16 09:22:11 +10:00
James Hodgkinson
383592d921
Schema dooby doo ... yon ( #2103 )
Refers #1987
Notable changes:
- in server/lib/src/entry.rs - aiming to pass the enum instead of the strings
- changed signature of add_ava to take Attribute instead of &str (which is used in the entry_init macro... which was fun)
- set_ava<T> now takes Attribute
- added TryFrom<&AttrString> for Attribute
2023-09-12 11:47:24 +10:00
Firstyear
b3aed1df34
68 20230908 replication attrunique ( #2086 )
Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
2023-09-12 08:50:51 +10:00
James Hodgkinson
d3d80e7364
Schema-dooby-doo-part-trois ( #2082 )
* adding extra_attributes field to BuiltinGroup, migrating more things.
* checkpoint 3 - ACP, easy as 1,2,3
* codespell
* now throwing error on dyngroup with defined members
2023-09-09 09:38:47 +10:00
James Hodgkinson
4b7563adc8
CLI and test things ( #2080 )
* testing things actually run is handy
* adding build mode to scripts
* uh, so I started messing with handling exit codes...
2023-09-09 09:35:59 +10:00
Firstyear
61c59d5a5a
68 20230907 replication ( #2081 )
* Test replication when nodes are valid beyond cl trim
2023-09-08 08:59:06 +10:00
James Hodgkinson
2f312e6b2d
Removing default features from git2 package ( #2078 )
* don't need ssh or https in git2 - saves 50.69s
* codespell
2023-09-06 08:25:29 +10:00
Firstyear
d1fe7b9127
68 20230829 replication referential integrity ( #2048 )
* Member of works!
* Hooray, refint over replication works.
2023-09-05 21:30:51 +10:00
James Hodgkinson
d5d76d1a3c
Schema dooby doo part two ( #2071 )
* scim strings!
* mapmapmap
* mapmapmap -comments and map
* updating delete teest
* fixing some tests
2023-09-05 16:58:42 +10:00
James Hodgkinson
1d88cede1b
Yak hassling ( #2059 )
* trying this query thing again
* if error show error not panic
* clippyism
* moving dependencies around and fixing log messages for healthcheck
* cleaning up some comment mess
* fixing the "debug thing breaks packaging" issue and test failures
2023-09-05 11:50:51 +10:00
Firstyear
5bd69b81b8
Clear cache before verify on some low-level tests ( #2044 )
2023-08-29 12:26:29 +10:00
Firstyear
0f977d33b9
68 20230828 replication of schema ( #2045 )
2023-08-29 12:20:27 +10:00
Firstyear
da56738dea
pam multistep auth state machine ( #2022 )
Himmelblau needs to maintain some data about the state of an authentication across the course of pam exchanges.
Signed-off-by: David Mulder <dmulder@samba.org>
Co-authored-by: David Mulder <dmulder@samba.org>
2023-08-28 09:27:29 +10:00
Samuel Cabrero
9dda8b1ad3
Authentication shortcut to get a RW session ( #1993 )
* auth: Add a privileged flag to AuthStep::Init2 step to request a rw session
The privileged flag is defined as Option<bool> for compatibility with
existing clients.
2023-08-24 09:54:33 +10:00
Sebastiano Tocci
47e953bfd2
wopsies, missing imports ( #2023 )
* wopsies, missing imports
* more clippy and fmt
* adding test build for kanidm with idv-tui feature
* making codespell happy
---------
Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
2023-08-23 22:40:25 +10:00
Firstyear
2355dbfead
68 20230821 replication ( #2020 )
* Resolve spn incremental replication
2023-08-23 11:17:13 +10:00
Sebastiano Tocci
eb7527379b
Configurable session timeouts ( #1965 )
* added `auth_session_expiry` and `auth_privilege_expiry`
* Added `AcountPolicy` struct
* spelling and stuff
* added cli tools
2023-08-22 11:00:43 +10:00
James Hodgkinson
05b35df413
Less human strings more enums ( #1989 )
* statics or enums you choose
* acp rewrite, defined SchemaAcp as a test
* macros and targetscopes and filters oh my
2023-08-21 17:16:43 +10:00
Firstyear
f6001504a9
20230817 idv migration ( #1992 )
* Must attr
* Post merge cleanup of idv
2023-08-18 20:29:00 +10:00
Firstyear
bc341af9d8
Resolve issues with dyngroup members ( #1986 )
2023-08-17 15:52:12 +10:00
Firstyear
0183ae6c71
Revert "sqlite where IN for id entry ( #1988 )" ( #1991 )
This reverts commit 46f9a36a1c.
2023-08-17 13:47:11 +10:00
James Hodgkinson
46f9a36a1c
sqlite where IN for id entry ( #1988 )
Fixes #258
2023-08-17 13:32:41 +10:00
Sebastiano Tocci
003234c2d0
Identity verification feature ( #1819 )
2023-08-16 21:02:48 +10:00
Firstyear
87866c568b
1982 service account access ( #1985 )
* Fix issue with incorrect filter class preventing service account delete
2023-08-16 15:33:28 +10:00
James Hodgkinson
9a6168b67d
Fixing test release ( #1983 )
* Fixing cargo test --release
* more tracing less dbg
2023-08-15 15:42:15 +10:00
James Hodgkinson
aba9f6a724
Struct-ifying schema things ( #1971 )
* structifying things
2023-08-14 19:39:49 +10:00
J. B. Crawford
054b580fe6
Allow one-character usernames ( #1941 )
2023-08-10 08:09:18 +10:00
Sebastiano Tocci
5d96412181
replaced skip_serializing_if with skip_serializing_none ( #1932 )
* replaced `skip_serializing_if` with `skip_serializing_none`
2023-08-03 08:51:30 +10:00
Sebastiano Tocci
d50373e64b
fixed serialization of oauth2 token scope ( #1930 )
2023-08-02 09:50:57 +10:00
Firstyear
bf3e16cbd3
Resolve issue with publishing ( #1925 )
* Resolve issue with publishing
* Fix version
2023-08-01 17:25:32 +10:00