Implements #100. This refactors our error types to be deserialiseable, and exposes these through the clienterror type with the status codes. There is probably still a lot of improvements here to be made, but they'll be shaken out as the client libs develop I think and we start to see what errors should be exposed.
Implements #6 - create, modify and delete. These are the raw/lowlevel db commands which are really useful for administrators. They aren't intended for normal day to day use though.
This also adds a basic getting started, fixes a missing privilege, adds support for reseting another accounts password, and for server side password generation.
It's likely I'm going to reformat some of the current REST api though to use our higher level internal types.
This adds rest endpoints for schema, group, account listing and individual item getting, client lib to call these end points, and tests for all of these.
Draft of the idm server rest api layout. This is no means a final representation of what this API will look like, but it's important that the ideas and direction, as well as capabilities were documented and discussed.
Partially Implements #6 - add ability for accounts to self set password. This is good for now, as I get closer to a trial radius deployment, but I think I'm finding the rest api probably needs a better plan at this point, as well as probably the way we do the proto and the communication needs some more thoughts too.
* Implement #90 - allow self write to name, displayname, and legalname.
This is an important aspect to respecting peoples autonomy and identities
so that they can change their name when appropriate to them. Limit self read/write to live accounts, and prevent anonymous self-write
This adds the fundamentals of the basic IDM layout. It contains the needed design document, and is designed such that the default admins while powerful, still have some limits upon them.
Add initial statement on rights and ethics. It's not perfect, and I'm sure there is more input from people to be added. But it's a start, and the discussion is open.
Add support for command line options to the server. This supports server sid regeneration, persistence, address binding, tls configuration and more. This also improves TLS support in the client tools for CA cert addition to queries.
Implements #72, attribute uniqueness. This extends schema to have a field "unique" which means a value should be unique for that object, and all other live objects (recycle and tombstones excluded). Note UUID has to retain special handling in base.rs and can't usethis due to needing to check with recycled too..
Implements #60 authsession garbage collection. If we assume that an authsession is around 1024 bytes (this assumes a 16 char name + groups + claims) then this means that in 1Gb of ram we can store about 1 million in progress auth attempts. Obviously, we don't want infinite memory growth, but we can't use an LRU cache due to the future desire to use concurrent trees. So instead we prune the tree based on a timeout when we start and auth operation. Auth session id's are generated from a timestamp similar to how we'll generate replication csn's. We can then apply a diff that will split all items lower than the csn/sid and remove them from future consideration.
We set the default timeout to 5 minutes. This means that assuming 10,000 auths per second, we would require 3GB of ram to process these sessions before they are expired. We expect any deployment with such large loadings can affort 3Gb of ram :)
This adds support for authentication and credential storage to the server.
It also adds account recovery and options for integration test fixtures, refactors
to make the client library easier to manage, and support clean seperation of the
proto vs lib.
This implements strongly typed storage of data types in attribute values. This means that have the future ability to have tagged, hidden, complex or other datatypes in values rather than relying on string manipulations. It helps also to lift the burden on schema to only checking the values types on input from the protocol types, so that comparisons and other conversions will be faster. It also helps to strengthen and check values are valid earlier in conversions.
so that restarts to affect object schema are not required. This is good to allow
customisation and other extensions for advanced users, and doing it now makes it
"easier" to supply extra schema from the project core into the initialise_idm function.
This allows backup and restore of the server backend data from the command line. Backups can be taken while the server is running. Automated backups are *not* part of this yet.
This also adds a few missing files from a previous commit mistake. Opps!
Implement #2 anonymous authentication. This also puts into place the majority of the authentication framework, and starts to build the IDM layers ontop of the DB engine.
This implements access controls, including a huge amount of refactor to support
them and their resolution with the "SelfUUID" keyword. Additionally, parts of
the event structure was improved to help, normalised was added as an entry state
and more.
And there are access controls! They work, have tests, and appear sane.
