Commit graph

241 commits

Author SHA1 Message Date
Firstyear 3bf16d4253
Make /status less noisy (#2574) 2024-02-22 17:34:46 +10:00
Firstyear 752bdf7578
Add system range protection (#2565) 2024-02-21 23:27:37 +10:00
James Hodgkinson 4efdb7208f
of course I started looking at clippy things and now I can't stop (#2560) 2024-02-21 00:52:10 +00:00
Firstyear 68d788a9f7
20240216 308 resource limits (#2559)
This adds account policy based resource limits to control the maximum
number of entries that an account may query
2024-02-21 00:15:43 +00:00
Daniil Egortsev 5701da8f23
fix(oauth2): typo in basic path (#2562) 2024-02-20 22:20:37 +00:00
James Hodgkinson 097db70c3d
prctl compile-time fixes, also chasing lints (#2558)
* fixing up error handling for prctl calls
* minor clippy lintypoos
* making clippy happier
* clippizing a test
* more clippy-calming
* adding tpm-udev to ubuntu flows for testing
* rebuilt wasm
* moving from rg to grep because someone doesn't like nice things
* such clippy like wow
* clippy config to the rescue
2024-02-20 18:21:33 +10:00
James Hodgkinson 84b2c4956d
Removing unused constant and updating docstring for LDAP bind address (#2556) 2024-02-20 11:10:02 +10:00
Firstyear cc28fb2c4b
Re-enable HW tpm support (#2531) 2024-02-17 01:30:08 +00:00
Firstyear 62dff7565e
Add further hardening for system services (#2542) 2024-02-17 00:11:32 +00:00
James Hodgkinson 48f33fb8c9
when the HTTPS server fails, handle that gracefully (#2546) 2024-02-16 08:30:43 +00:00
Firstyear 816fde766f
Fix update intent ttl parameters (#2540) 2024-02-16 07:02:36 +00:00
Firstyear a4c2e66afd
Fix incorrect documentation elements (#2533)
This adds the account-policy section for credential-type-minimums
and fixes the replication config defaults to match the documented
behaviour.
2024-02-16 01:58:41 +00:00
Firstyear 3549c8562f
Remove replication is in dev flag (#2535) 2024-02-16 11:39:43 +10:00
Firstyear 002ab13698
Add code_challenge_methods_supported to OIDC discovery (#2525) 2024-02-15 09:17:08 +10:00
Firstyear e3e77fe7b4
Update to latest dev version (#2486) 2024-02-08 09:54:07 +10:00
Firstyear 7567514044
Release 1.1.0-rc.16 (#2483) 2024-02-07 04:39:02 +00:00
Firstyear cdbaefe23d
Fix for incorrect domain migration rollbacks (#2482) 2024-02-07 13:11:55 +10:00
Firstyear 9050188b29
Add tools for remigration and domain level raising (#2481) 2024-02-06 10:01:06 +00:00
Firstyear ddea9c6699
Support SPN in groups claim (#2474) 2024-02-06 03:56:04 +00:00
illode 8cd62d4d4a
Credential update tweaks (#2475)
* Make the Credential Update page more user-friendly
2024-02-06 03:36:22 +00:00
Firstyear 23cc2e7745
Fix RUV trim (#2466)
Fixes two major issues with replication.

The first was related to server refreshes. When a server was refreshed it would retain it's server unique id. If the server had lagged and was disconnected from replication and administrator would naturally then refresh it's database. This meant that on next tombstone purge of the server, it's RUV would jump ahead causing it's refresh-supplier to now believe it was lagging (which was not the case).

In the situation where a server is refreshed, we reset the servers unique replication ID which avoids the RUV having "jumps".

The second issue was related to RUV trimming. A server which had older RUV entries (say from servers that have been trimmed) would "taint" and re-supply those server ID's back to nodes that wanted to trim them. This also meant that on a restart of the server, that if the node had correctly trimmed the server ID, it would be re-added in memory.

This improves RUV trimming by limiting what what compare and check as a supplier to only CID's that are within the valid changelog window. This itself presented challenges with "how to determine if a server should be removed from the RUV". To achieve this we now check for "overlap" of the RUVS. If overlap isn't occurring it indicates split brain or node isolation, and replication is stopped in these cases.
2024-02-02 15:38:45 +10:00
Firstyear d42268269a
20240125 2217 client credentials grant (#2456)
* Huge fix of a replication problem.
* Update test
* Increase min replication level
* Client Credentials Grant implementation
2024-02-01 02:00:29 +00:00
James Hodgkinson c8bd1739f9
PyKanidm updates and testing (#2301)
* otel can eprintln kthx

* started python integration tests, features

* more tests more things

* adding heaps more things

* updating docs

* fixing python test

* fixing errors, updating integration test

* Add models for OAuth2, Person, ServiceAccount and add missing endpoints

* Alias Group to GroupInfo to keep it retrocompatible

* Fixed issues from review

* adding oauth2rs_get_basic_secret

* adding oauth2rs_get_basic_secret

* Fixed mypy issues

* adding more error logs

* updating test scripts and configs

* fixing tests and validating things

* more errors

---------

Co-authored-by: Dogeek <simon.bordeyne@gmail.com>
2024-01-31 03:27:43 +00:00
Firstyear 50c324c063
Fix inverted key/chain logic from TLS error improvement (#2453) 2024-01-24 16:51:41 +10:00
Firstyear 967bc7c9df
Improve TLS configuration errors (#2447)
This improves the errors during TLS configuration to localise them to
the error site, as well as calling our file path diagnostics tool
to assist with permission errors.
2024-01-23 16:13:14 +10:00
Firstyear 86916a3d87
Return sshkey label to cli fields (#2440)
* Return ssh label to cli fields
2024-01-20 17:17:57 +10:00
Firstyear b1e7cb13a5
Add rfc8414 metadata (#2434) 2024-01-19 04:14:52 +00:00
Firstyear 8e4980b2c1
Add test for delete referer invalid (#2435)
When a delete of an entry occurs which is reference by another entry,
if the entry has a MUST schema condition on the deleted entry then the
delete should be blocked to prevent the entries structure becoming
invalid.
2024-01-19 02:18:11 +00:00
Firstyear 8dc884f38e
2390 1980 allow native applications (#2428) 2024-01-16 10:44:12 +10:00
Firstyear a1fa59b83c
Clean RUV (#2424) 2024-01-12 09:43:20 +10:00
Firstyear 666448f787
Upgrade replication to use anchors (#2423)
* Upgrade replication to use anchors
2024-01-10 04:46:08 +00:00
Firstyear 0e44cc1dcb
Minor fixes for oidc with single page applications (#2420) 2024-01-08 23:57:14 +00:00
Firstyear e9340c682e
Use case insensitive match on substrings in line with ldap (#2419) 2024-01-06 15:52:21 +10:00
Firstyear cc79b2a205
20231222 piv authentication (#2398)
Foundations of PIV authentication
2023-12-29 23:15:26 +00:00
James Hodgkinson 307a66ea29
Update docs, closes SQLite Write-Ahead Logging might make page size immutable #2404 (#2405) 2023-12-30 08:34:50 +10:00
Firstyear 7f27a6fcd9
Force apply idm migrations to apply access controls (#2401) 2023-12-28 12:24:29 +10:00
cuberoot74088 a16525d520
fix backup filename and regexp pattern for cleanup (#2386)
Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
2023-12-24 12:06:43 +00:00
Firstyear fd71a748ca
Add improved domain migration framework and default MFA (#2382) 2023-12-21 14:44:20 +10:00
Firstyear 77b01e3a31
Trim and lowecase usernames (#2380) 2023-12-19 06:41:12 +00:00
Firstyear 3408816932
Add DN as a virtual ldap attr (#2379) 2023-12-19 15:07:19 +10:00
James Hodgkinson a4c44bc5f9
fixing default for oauth2 request_parameter_supported metadata (#2378) 2023-12-19 11:56:47 +10:00
Firstyear 5c445a4704
20231218 ipa sync unix password (#2374)
* Add support for importing the users password as unix password
2023-12-18 11:20:37 +10:00
Firstyear d09c2448ff
1481 2024 access control rework (#2366)
Rework default access controls to better separate roles and access profiles.
2023-12-17 23:10:13 +00:00
Firstyear 854b696532
249 2024 managed by syntax (#2359)
Allows hierarchial entry management rules.
2023-12-07 10:00:09 +00:00
James Hodgkinson 340d41482b
typo (#2356) 2023-12-05 01:22:59 +00:00
Firstyear 4bd5d584cb
20231204 ipa sync minor improvements (#2357) 2023-12-04 16:58:15 +10:00
Firstyear 76269f9de2
20231129 webauthn attestation (#2351)
This adds full support for attestation of webauthn/passkeys.
2023-12-03 06:13:52 +00:00
James Hodgkinson 9a464c653c
Using proper axum http headers lib for compatibility (#2348) 2023-12-01 08:55:51 +10:00
Firstyear cbdbaa8fe0
Bearer should send with same caps we accept (#2345) 2023-11-30 09:25:34 +10:00
Firstyear 31b939fca3
20231128 freeipa migration (#2338)
* Add more weak password formats for freeipa
* Verification of freeipa migration from older ipa versions
2023-11-29 10:43:15 +10:00