Vladimir Dronnikov
45f26888be
increase severity for "{:?} !⊆ allowed: {:?}" ( #2648 )
Co-authored-by: Firstyear <william@blackhats.net.au>
2024-03-12 03:08:50 +00:00
Martin Wurm
a0357ad227
Add instructions on how to enable PKCE in Nextcloud ( #2647 )
2024-03-12 02:42:04 +00:00
Firstyear
285f4362b2
20230224 2437 orca remodel ( #2591 )
2024-03-09 16:09:15 +10:00
Firstyear
1887daa76a
Add initial design for key domains ( #2564 )
2024-03-09 14:13:10 +10:00
Firstyear
e8d7010b4b
Add upgrade process, improve developer readme ( #2635 )
* Add upgrade process, improve developer readme
* Rearrange some bits.
2024-03-08 13:25:45 +10:00
Firstyear
4dc38e56c3
Doc unix client support ( #2633 )
2024-03-07 03:59:21 +00:00
Firstyear
b4d9cdd7d5
20240301 systemd uid ( #2602 )
Fixes #2601 Fixes #393 - gid numbers can be part of the systemd nspawn range.
Previously we allocated gid numbers based on the fact that uid_t is a u32, so we allowed 65536 through u32::max. However, there are two major issues with this that I didn't realise. The first is that anything greater than i32::max (2147483648) can confuse the Linux kernel.
The second is that systemd allocates 524288 through 1879048191 to itself for nspawn.
This leaves us with only a few usable ranges.
* 1000 through 60000
* 60578 through 61183
* 65520 through 65533
* 65536 through 524287
* 1879048192 through 2147483647
The last range, being the largest, is the natural and obvious area we should allocate from. This happens to nicely fall in the pattern of 0x7000_0000 through 0x7fff_ffff, which allows us to take the last 24 bits of the uuid; then, by applying a bit mask, we can ensure that we end up in this range.
There are now two major issues.
* We have now changed our validation code to enforce a tighter range, but we may have already allocated users into these ranges.
* External systems like FreeIPA allocated uid/gid numbers with reckless abandon directly into these ranges.
As a result we need to make two concessions.
* We *secretly* still allow manual allocation of IDs from 65536 through to 1879048191, which is the nspawn container range. This happens to be the range that FreeIPA allocates into. We will never generate an ID in this range, but we will allow it to ease imports since the users of these ranges already have shown they 'don't care' about that range. This also affects SCIM imports for longer term migrations.
* Second is IDs that fall outside the valid ranges. In the extremely unlikely event this has occurred, a startup migration has been added to regenerate these ID values for affected entries to prevent upgrade issues.
An accidental effect of this is freeing up the range 524288 to 1879048191 for other subuid uses.
2024-03-07 03:25:54 +00:00
Vladimir Dronnikov
221445d387
expose group patch for parity ( #2628 )
Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
2024-03-07 09:54:20 +10:00
James Hodgkinson
4c1fa0d644
Adding a builtin class for all built-in things ( #2603 )
* adding builtin class to builtin objects
* Resolve issues with builtin PR
---------
Co-authored-by: William Brown <william@blackhats.net.au>
2024-03-06 01:33:14 +00:00
Vladimir Dronnikov
8175253bae
apidoc tag fixes ( #2625 )
* apidoc tag fixes
* apidoc typo fixed
2024-03-06 00:41:47 +00:00
dependabot[bot]
51cc11ee8c
chore(deps): bump mio from 0.8.10 to 0.8.11 ( #2620 )
Bumps [mio](https://github.com/tokio-rs/mio ) from 0.8.10 to 0.8.11.
- [Release notes](https://github.com/tokio-rs/mio/releases )
- [Changelog](https://github.com/tokio-rs/mio/blob/master/CHANGELOG.md )
- [Commits](https://github.com/tokio-rs/mio/compare/v0.8.10...v0.8.11 )
---
updated-dependencies:
- dependency-name: mio
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-05 06:41:19 +00:00
Firstyear
47fe9c78e6
Fix missing entry managed by on anonymous ( #2623 )
2024-03-05 03:43:19 +00:00
Vladimir Dronnikov
0813099fad
Notes on privilege-expiry ( #2622 )
2024-03-05 02:56:46 +00:00
James Hodgkinson
9d05b797ed
SPAs really are stupid sometimes ( #2609 )
2024-03-04 13:14:51 +10:00
Vladimir Dronnikov
1a81b437d8
apidoc fixes ( #2614 )
2024-03-04 02:10:01 +00:00
dependabot[bot]
0d05afc1e2
chore(deps): bump the all group in /pykanidm with 4 updates ( #2615 )
Bumps the all group in /pykanidm with 4 updates: [pydantic](https://github.com/pydantic/pydantic ), [mkdocs-material](https://github.com/squidfunk/mkdocs-material ), [mkdocstrings](https://github.com/mkdocstrings/mkdocstrings ) and [ruff](https://github.com/astral-sh/ruff ).
Updates `pydantic` from 2.6.2 to 2.6.3
- [Release notes](https://github.com/pydantic/pydantic/releases )
- [Changelog](https://github.com/pydantic/pydantic/blob/main/HISTORY.md )
- [Commits](https://github.com/pydantic/pydantic/compare/v2.6.2...v2.6.3 )
Updates `mkdocs-material` from 9.5.11 to 9.5.12
- [Release notes](https://github.com/squidfunk/mkdocs-material/releases )
- [Changelog](https://github.com/squidfunk/mkdocs-material/blob/master/CHANGELOG )
- [Commits](https://github.com/squidfunk/mkdocs-material/compare/9.5.11...9.5.12 )
Updates `mkdocstrings` from 0.24.0 to 0.24.1
- [Release notes](https://github.com/mkdocstrings/mkdocstrings/releases )
- [Changelog](https://github.com/mkdocstrings/mkdocstrings/blob/main/CHANGELOG.md )
- [Commits](https://github.com/mkdocstrings/mkdocstrings/compare/0.24.0...0.24.1 )
Updates `ruff` from 0.2.2 to 0.3.0
- [Release notes](https://github.com/astral-sh/ruff/releases )
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md )
- [Commits](https://github.com/astral-sh/ruff/compare/v0.2.2...v0.3.0 )
---
updated-dependencies:
- dependency-name: pydantic
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: all
- dependency-name: mkdocs-material
dependency-type: direct:development
update-type: version-update:semver-patch
dependency-group: all
- dependency-name: mkdocstrings
dependency-type: direct:development
update-type: version-update:semver-patch
dependency-group: all
- dependency-name: ruff
dependency-type: direct:development
update-type: version-update:semver-minor
dependency-group: all
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-04 07:59:00 +10:00
Vladimir Dronnikov
e1f3703f0c
Typo fixes ( #2610 )
* api typo fix
* schema description typo fix
* v1 group post typo fix
2024-03-03 17:25:44 +10:00
Firstyear
633d11a21e
Return consent scope to service account ( #2605 )
2024-03-02 01:30:59 +00:00
James Hodgkinson
dbf59474bb
OpenAPI schema fixes ( #2590 )
* OpenAPI schema fixes
* Adding OpenAPI schema checks to the release script
2024-03-01 16:57:36 +10:00
James Hodgkinson
e35f5093a0
WASM test fixing ( #2595 )
* wasm test fixing
* remove flaky skip
2024-02-29 05:13:47 +00:00
Merlijn
eddca4fc86
Feature object graph ( #2518 )
* Refactor: move the object graph ui to admin web ui
* Add dynamic js loading support
Load viz.js dynamically
* Add some js docs
* chore: cleanup imports
* chore: remove unused clipboard feature
chore: remove unused mermaid.sh
* Messing with the profile.release settings and reverting the changes I tried has now made the build much smaller yay :D
* Refactor: user raw search requests
Assert service-accounts properly
* refactor: new v1 proto structure
* Add self to CONTRIBUTORS.md
---------
Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
2024-02-29 02:25:40 +00:00
Firstyear
3760951b6d
Add domain version test framework ( #2576 )
Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
2024-02-28 21:04:33 +00:00
Pavel Dostál
050b1209b9
Fix the miniflux oauth2 example ( #2598 )
2024-02-28 11:41:28 +00:00
Jinna Kiisuo
6d99f17253
docs(monitoring): Fix syntax for OpenTelemetry config ( #2594 )
Co-authored-by: Jinna Kiisuo <jinna+git@nocturnal.fi>
2024-02-27 13:25:38 +00:00
Firstyear
fbc021f487
20240221 2489 cleanup api v1 ( #2573 )
2024-02-27 09:25:02 +00:00
James Hodgkinson
4096b8f02d
Changing to allow startup without a config file ( #2582 )
* Changing to allow startup without a config file, using environment variables
2024-02-27 15:40:00 +10:00
Firstyear
7b490d73dc
Allow /dev/tpmrm0 on older systemd versions ( #2587 )
Older systemd versions require a specific device allow for the tpm to be accessed.
2024-02-27 02:13:31 +00:00
Firstyear
adb575947f
Adjust output of claim maps for better parsing ( #2566 )
* Adjust output of claim maps for better parsing
* Update python tests for OAuth2 bits
* fixing workflows for container builds
---------
Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
2024-02-26 13:33:32 +10:00
dependabot[bot]
1a6400b58e
chore(deps): bump the all group in /pykanidm with 4 updates ( #2585 )
Bumps the all group in /pykanidm with 4 updates: [pydantic](https://github.com/pydantic/pydantic ), [coverage](https://github.com/nedbat/coveragepy ), [mkdocs-material](https://github.com/squidfunk/mkdocs-material ) and [pook](https://github.com/h2non/pook ).
Updates `pydantic` from 2.6.1 to 2.6.2
- [Release notes](https://github.com/pydantic/pydantic/releases )
- [Changelog](https://github.com/pydantic/pydantic/blob/main/HISTORY.md )
- [Commits](https://github.com/pydantic/pydantic/compare/v2.6.1...v2.6.2 )
Updates `coverage` from 7.4.1 to 7.4.3
- [Release notes](https://github.com/nedbat/coveragepy/releases )
- [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst )
- [Commits](https://github.com/nedbat/coveragepy/compare/7.4.1...7.4.3 )
Updates `mkdocs-material` from 9.5.9 to 9.5.11
- [Release notes](https://github.com/squidfunk/mkdocs-material/releases )
- [Changelog](https://github.com/squidfunk/mkdocs-material/blob/master/CHANGELOG )
- [Commits](https://github.com/squidfunk/mkdocs-material/compare/9.5.9...9.5.11 )
Updates `pook` from 1.4.2 to 1.4.3
- [Release notes](https://github.com/h2non/pook/releases )
- [Changelog](https://github.com/h2non/pook/blob/master/History.rst )
- [Commits](https://github.com/h2non/pook/compare/v1.4.2...v1.4.3 )
---
updated-dependencies:
- dependency-name: pydantic
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: all
- dependency-name: coverage
dependency-type: direct:development
update-type: version-update:semver-patch
dependency-group: all
- dependency-name: mkdocs-material
dependency-type: direct:development
update-type: version-update:semver-patch
dependency-group: all
- dependency-name: pook
dependency-type: direct:development
update-type: version-update:semver-patch
dependency-group: all
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-02-26 09:00:14 +10:00
Sebastiano Tocci
d3af1a9e1b
improved error description for commit_credential_update ( #2579 )
2024-02-24 00:18:38 +00:00
Firstyear
3bf16d4253
Make /status less noisy ( #2574 )
2024-02-22 17:34:46 +10:00
dependabot[bot]
8611bb7135
chore(deps): bump cryptography from 42.0.2 to 42.0.4 in /pykanidm ( #2567 )
Bumps [cryptography](https://github.com/pyca/cryptography ) from 42.0.2 to 42.0.4.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst )
- [Commits](https://github.com/pyca/cryptography/compare/42.0.2...42.0.4 )
---
updated-dependencies:
- dependency-name: cryptography
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-02-22 12:12:30 +10:00
Firstyear
752bdf7578
Add system range protection ( #2565 )
2024-02-21 23:27:37 +10:00
Michel Le Bihan
1d34947ee9
Fix string comparison in Debian build script ( #2409 )
2024-02-21 02:13:20 +00:00
James Hodgkinson
4efdb7208f
of course I started looking at clippy things and now I can't stop ( #2560 )
2024-02-21 00:52:10 +00:00
Firstyear
68d788a9f7
20240216 308 resource limits ( #2559 )
This adds account policy based resource limits to control the maximum
number of entries that an account may query
2024-02-21 00:15:43 +00:00
Daniil Egortsev
5701da8f23
fix(oauth2): typo in basic path ( #2562 )
2024-02-20 22:20:37 +00:00
James Hodgkinson
5794cc5217
Adding duplicate-finder script ( #2550 )
* Adding duplicate-finder script
* removing unused constant and updated docstring
2024-02-20 08:39:16 +00:00
James Hodgkinson
097db70c3d
prctl compile-time fixes, also chasing lints ( #2558 )
* fixing up error handling for prctl calls
* minor clippy lintypoos
* making clippy happier
* clippizing a test
* more clippy-calming
* adding tpm-udev to ubuntu flows for testing
* rebuilt wasm
* moving from rg to grep because someone doesn't like nice things
* such clippy like wow
* clippy config to the rescue
2024-02-20 18:21:33 +10:00
James Hodgkinson
84b2c4956d
Removing unused constant and updating docstring for LDAP bind address ( #2556 )
2024-02-20 11:10:02 +10:00
dependabot[bot]
8ec63f3e92
chore(deps-dev): bump the all group in /pykanidm with 3 updates ( #2553 )
Bumps the all group in /pykanidm with 3 updates: [black](https://github.com/psf/black ), [pook](https://github.com/h2non/pook ) and [ruff](https://github.com/astral-sh/ruff ).
Updates `black` from 24.1.1 to 24.2.0
- [Release notes](https://github.com/psf/black/releases )
- [Changelog](https://github.com/psf/black/blob/main/CHANGES.md )
- [Commits](https://github.com/psf/black/compare/24.1.1...24.2.0 )
Updates `pook` from 1.4.0 to 1.4.2
- [Release notes](https://github.com/h2non/pook/releases )
- [Changelog](https://github.com/h2non/pook/blob/master/History.rst )
- [Commits](https://github.com/h2non/pook/compare/v1.4.0...v1.4.2 )
Updates `ruff` from 0.2.1 to 0.2.2
- [Release notes](https://github.com/astral-sh/ruff/releases )
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md )
- [Commits](https://github.com/astral-sh/ruff/compare/v0.2.1...v0.2.2 )
---
updated-dependencies:
- dependency-name: black
dependency-type: direct:development
update-type: version-update:semver-minor
dependency-group: all
- dependency-name: pook
dependency-type: direct:development
update-type: version-update:semver-patch
dependency-group: all
- dependency-name: ruff
dependency-type: direct:development
update-type: version-update:semver-patch
dependency-group: all
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-02-19 08:54:50 +10:00
Firstyear
ea5ff6814c
Support Policy Updates ( #2536 )
* Support Policy Updates
---------
Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
2024-02-18 00:44:11 +00:00
dependabot[bot]
3c08be8db8
chore(deps): bump cryptography from 42.0.0 to 42.0.2 in /pykanidm ( #2548 )
Bumps [cryptography](https://github.com/pyca/cryptography ) from 42.0.0 to 42.0.2.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst )
- [Commits](https://github.com/pyca/cryptography/compare/42.0.0...42.0.2 )
---
updated-dependencies:
- dependency-name: cryptography
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-02-17 22:47:09 +10:00
Firstyear
cc28fb2c4b
Re-enable HW tpm support ( #2531 )
2024-02-17 01:30:08 +00:00
Firstyear
62dff7565e
Add further hardening for system services ( #2542 )
2024-02-17 00:11:32 +00:00
James Hodgkinson
7394ac86cb
fixing the test script ( #2547 )
2024-02-16 23:54:07 +00:00
James Hodgkinson
48f33fb8c9
when the HTTPS server fails, handle that gracefully ( #2546 )
2024-02-16 08:30:43 +00:00
Firstyear
816fde766f
Fix update intent ttl parameters ( #2540 )
2024-02-16 07:02:36 +00:00
James Hodgkinson
faec47d13f
radius build workflow fixes ( #2541 )
* radius build workflow fixes
2024-02-16 03:12:59 +00:00
Firstyear
7a78cb8a80
Conflict nscd, start before sshd ( #2539 )
2024-02-16 02:24:37 +00:00