This completely reworks how we approach and handle cryptographic keys in Kanidm. This is needed as a foundation for replication coordination which will require handling and rotation of cryptographic keys in automated ways.
This change influences many other parts of the code base in it's implementation.
The primary influences are:
* Modification of how domain user signing keys are revoked or rotated.
* Merging of all existing service-account token keys are retired (retained) keys into the domain to simplify token signing and validation
* Allowing multiple configurations of local command line tools to swap between instances using disparate signing keys.
* Modification of key retrieval to be key id based (KID), removing the need to embed the JWK into tokens
A side effect of this change is that most user authentication sessions and oauth2 sessions will have to be re-established after upgrade. However we feel that session renewal after upgrade is an expected side effect of an upgrade.
In the future this lays the ground work to remove a large number of legacy key handling processes that have evolved, which will allow large parts of code to be removed.
* otel can eprintln kthx
* started python integration tests, features
* more tests more things
* adding heaps more things
* updating docs
* fixing python test
* fixing errors, updating integration test
* Add models for OAuth2, Person, ServiceAccount and add missing endpoints
* Alias Group to GroupInfo to keep it retrocompatible
* Fixed issues from review
* adding oauth2rs_get_basic_secret
* adding oauth2rs_get_basic_secret
* Fixed mypy issues
* adding more error logs
* updating test scripts and configs
* fixing tests and validating things
* more errors
---------
Co-authored-by: Dogeek <simon.bordeyne@gmail.com>
* adding some test coverage because there was some rando panic-inducing thing
* ldap constants
* documenting a macro
* helpful weird errors
* the war on strings continues
* less json more better
* testing things fixing bugs
* idm_domain_reset_token_key wasn't working, added a test and fixed it (we weren't testing it)
* idm_domain_set_ldap_basedn - adding tests
* adding testing for idm_account_credential_update_cancel_mfareg
* warning of deprecation
logging changes:
* Offering auth mechanisms -> debug
* 404's aren't really warnings
* double tombstone message, one goes to debug
other changes:
* CSP changes to allow the bootstrap images to load
* more testing javascriptfile things, I R
* it's nice to know where things are
* putting non-rust web things in static/ instead of src/
* RequestCredentials::SameOrigin is the default, also adding a utility function to save dupe code. Wow this saved... kilobytes.
* removing commented code, fixing up codespell config
* clippyisms
* wtf, gha
* dee-gloo-ing some things
* adding some ubuntu build test things
* sigh rustwasm/wasm-pack/issues/1138
* more do_request things
* packaging things
* hilarious dev env setup script
* updated script works, all the UI works, including the experimental UI for naughty crabs
* deb package fixes
* fixed some notes
* setup experimental UI tweaks
* selinux is an optional feature
* unix_integration: add selinux config option
On SELinux systems, this setting controls whether SELinux relabeling of
newly created home directories should be performed. The default value of
this is on (even on non-SELinux systems), but the tasks daemon will
perform an additional runtime check for SELinux support and will disable
this feature automatically if this check fails.
* unix_integration: wire up home dir selinux labeling
* unix_integration: create equivalence rules in SELinux policy for aliases
* book: document selinux setting
* Add myself to CONTRIBUTORS.md
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* Update CONTRIBUTORS
* Fix debian & ubuntu packaging
* Use standard way to install pam config
* Fix simple_pkg.sh & add pam nss instructions
* Merge ssh with unixd; update CI to build for multiple os versions; upload packages to artifacts
* implementation of passkeys as an auth mech
* listing the current passkeys when asking to remove one
* tweaking insecure dev server config so passkeys will work
* Fix domain rename
Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
* actually writing cert files properly now
* Updated readme with config file, fixed check for config file.
* minor tweaks to actions, removing job limits and skipping login to registry if not going to push
* removing old config.ini file
* temporarily adding Williams fixed package
* added python kanidm module
* rewrote RADIUS integration
* updated the documentation
* updating github actions to run more often
* BLEEP BLOOP ASYNCIO IS GR8
* adding config to makefile to run pykanidm tests
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Firstyear <william@blackhats.net.au>
