Commit graph

249 commits

Author SHA1 Message Date
Firstyear 5a3e5f1e07
20241017 3107 token ttl (#3114) 2024-10-18 03:28:52 +00:00
Firstyear 2075125439
Working scim entry get for person (#3088) 2024-10-15 04:29:45 +00:00
Firstyear 1cccebd382
20241012 attr name SCIM fix (#3102)
* Fix handling of attribute to ensure that it is consistently Attribute in scim sync
2024-10-14 08:00:03 +10:00
Merlijn 4e125b5043
Scim add EntryReference (#3079)
Allow references to be displayed as a complex object
2024-10-10 00:13:45 +00:00
Firstyear c779443454
Fix Increment Replication Post Upgrade (#3089) 2024-10-05 19:53:39 +10:00
Firstyear 131ff80b32
20240921 ssh keys and unix password in credential update session (#3056) 2024-10-03 05:57:18 +00:00
Firstyear cc662f184a
20240925 cleanups (#3060) 2024-10-03 14:04:02 +10:00
CEbbinghaus d109622d71
Make good on some TechDebt (#3084)
adds MissingClass & MissingAttribute OperationError kinds to more strongly type our error messages.
2024-10-03 10:48:28 +10:00
CEbbinghaus dc4a438c31
Feat: Adding POSIX Password fallback (#3067)
* Added Schema for credential fallback
* Added account policy management to ac migration
* Refactored Ldap & Unix auth to be common
* removed unused methods and renamed unused fields
* Fixed LDAP missing Anonymous logic
* Added CLI argument for configuring primary cred fallback
2024-10-02 19:28:36 +10:00
Firstyear cf63c6b98b
Complete the implementation of the posix account cache (#3041)
Allow caching and checking of shadow entries (passwords)
    Cache and serve system ids
    improve some security warnings
    prepare for multi-resolver
    Allow the kanidm provider to be not configured
    Allow group extension
2024-10-02 02:12:13 +00:00
Firstyear 90afc8207c
20240926 tech debt (#3066)
Large clean up
2024-10-01 10:07:08 +10:00
Firstyear 23636acbf7
Fix migration of last mod cid (#3065) 2024-09-30 09:56:48 +00:00
Firstyear e4f5c2313d
Increase totp secret size (#3061) 2024-09-30 07:45:43 +00:00
Firstyear 6065f2db60
Add rfc7009 and rfc7662 metadata to oidc discovery (#3046) 2024-09-17 03:35:43 +00:00
Firstyear d3891e301f
20240810 SCIM entry basic (#3032) 2024-09-12 12:53:43 +10:00
Firstyear f053ff7fba
CreatedAt/ModifiedAt fix (#3034)
* fix(repl): CreatedAt/ModifiedAt attributes
2024-09-12 11:42:16 +10:00
Firstyear 938ad90f3b
20240906 Attribute as an Enum Type (#3025)
Changes attribute from a string to an enum - this provides many performance improvements and memory savings throughout the server.
2024-09-09 00:53:10 +00:00
Firstyear 95fc6fc5bf
20240828 Support Larger Images, Allow Custom Domain Icons (#3016)
Allow setting custom domain icons.
2024-09-05 04:19:27 +00:00
Firstyear e5a5de8de3
MemberOf in search implies DirectMemberOf (#3024) 2024-09-04 22:19:40 +10:00
Firstyear 0fac1f301e
20240820 SCIM value (#2992)
Add the basics of scim value serialisation to entries.
2024-08-29 11:38:00 +10:00
James Hodgkinson 3eae7be0bb
OAuth2 Token Type (#3008)
* fix(OAuth2): Invalid `token_type` for token introspection
Fixes #3005

* fix(aut): `assert_eq` instead of `assert ==`

* fix(OAuth2): IANA registry access token types

* fix(OAuth2): deserialize case insensitively
2024-08-25 23:30:20 +00:00
Firstyear c8b9ff3274
Spattering of oauth2 stuff (#3000)
* fix(oauth2): refresh scope constraints
2024-08-24 14:02:16 +10:00
Firstyear 77938ed85f
Add missing group for application admin (#2991) 2024-08-21 16:58:31 +10:00
James Hodgkinson 7c3deab2c4
enforcen den clippen (#2990)
* enforcen den clippen
* updating outdated oauth2-related docs
* sorry clippy, we tried
2024-08-21 00:32:56 +00:00
Firstyear fbfea05c6c
20240817 group mail acp (#2982) 2024-08-21 09:59:50 +10:00
Firstyear 239f4594dd
20240810 application passwords (#2968)
Add the server side components for application passwords. This adds the needed datatypes and handling via the ldap components.

Admin tools will be in a follow up PR. 

Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Co-authored-by: Samuel Cabrero <scabrero@suse.de>
2024-08-20 06:44:37 +00:00
dependabot[bot] 9f4cc984db
Bump the all group with 17 updates (#2986)
* Bump the all group with 17 updates


| Package | From | To |
| --- | --- | --- |
| [clap](https://github.com/clap-rs/clap) | `4.5.15` | `4.5.16` |
| [clap_complete](https://github.com/clap-rs/clap) | `4.5.14` | `4.5.18` |
| [concread](https://github.com/kanidm/concread) | `0.5.2` | `0.5.3` |
| [js-sys](https://github.com/rustwasm/wasm-bindgen) | `0.3.69` | `0.3.70` |
| [ldap3_client](https://github.com/kanidm/ldap3) | `0.5.0` | `0.5.1` |
| [ldap3_proto](https://github.com/kanidm/ldap3) | `0.5.0` | `0.5.1` |
| [libc](https://github.com/rust-lang/libc) | `0.2.155` | `0.2.157` |
| [lodepng](https://github.com/kornelski/lodepng-rust) | `3.10.4` | `3.10.5` |
| [serde](https://github.com/serde-rs/serde) | `1.0.206` | `1.0.208` |
| [serde_json](https://github.com/serde-rs/json) | `1.0.124` | `1.0.125` |
| [syn](https://github.com/dtolnay/syn) | `2.0.74` | `2.0.75` |
| [tokio](https://github.com/tokio-rs/tokio) | `1.39.2` | `1.39.3` |
| [wasm-bindgen](https://github.com/rustwasm/wasm-bindgen) | `0.2.92` | `0.2.93` |
| [wasm-bindgen-futures](https://github.com/rustwasm/wasm-bindgen) | `0.4.42` | `0.4.43` |
| [wasm-bindgen-test](https://github.com/rustwasm/wasm-bindgen) | `0.3.42` | `0.3.43` |
| [web-sys](https://github.com/rustwasm/wasm-bindgen) | `0.3.69` | `0.3.70` |
| [tower](https://github.com/tower-rs/tower) | `0.4.13` | `0.5.0` |


Updates `clap` from 4.5.15 to 4.5.16
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/clap_complete-v4.5.15...clap_complete-v4.5.16)

Updates `clap_complete` from 4.5.14 to 4.5.18
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/clap_complete-v4.5.14...clap_complete-v4.5.18)

Updates `concread` from 0.5.2 to 0.5.3
- [Commits](https://github.com/kanidm/concread/commits)

Updates `js-sys` from 0.3.69 to 0.3.70
- [Release notes](https://github.com/rustwasm/wasm-bindgen/releases)
- [Changelog](https://github.com/rustwasm/wasm-bindgen/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rustwasm/wasm-bindgen/commits)

Updates `ldap3_client` from 0.5.0 to 0.5.1
- [Changelog](https://github.com/kanidm/ldap3/blob/master/RELEASE_NOTES.md)
- [Commits](https://github.com/kanidm/ldap3/commits)

Updates `ldap3_proto` from 0.5.0 to 0.5.1
- [Changelog](https://github.com/kanidm/ldap3/blob/master/RELEASE_NOTES.md)
- [Commits](https://github.com/kanidm/ldap3/commits)

Updates `libc` from 0.2.155 to 0.2.157
- [Release notes](https://github.com/rust-lang/libc/releases)
- [Changelog](https://github.com/rust-lang/libc/blob/0.2.157/CHANGELOG.md)
- [Commits](https://github.com/rust-lang/libc/compare/0.2.155...0.2.157)

Updates `lodepng` from 3.10.4 to 3.10.5
- [Commits](https://github.com/kornelski/lodepng-rust/compare/v3.10.4...v3.10.5)

Updates `serde` from 1.0.206 to 1.0.208
- [Release notes](https://github.com/serde-rs/serde/releases)
- [Commits](https://github.com/serde-rs/serde/compare/v1.0.206...v1.0.208)

Updates `serde_json` from 1.0.124 to 1.0.125
- [Release notes](https://github.com/serde-rs/json/releases)
- [Commits](https://github.com/serde-rs/json/compare/v1.0.124...1.0.125)

Updates `syn` from 2.0.74 to 2.0.75
- [Release notes](https://github.com/dtolnay/syn/releases)
- [Commits](https://github.com/dtolnay/syn/compare/2.0.74...2.0.75)

Updates `tokio` from 1.39.2 to 1.39.3
- [Release notes](https://github.com/tokio-rs/tokio/releases)
- [Commits](https://github.com/tokio-rs/tokio/compare/tokio-1.39.2...tokio-1.39.3)

Updates `wasm-bindgen` from 0.2.92 to 0.2.93
- [Release notes](https://github.com/rustwasm/wasm-bindgen/releases)
- [Changelog](https://github.com/rustwasm/wasm-bindgen/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rustwasm/wasm-bindgen/compare/0.2.92...0.2.93)

Updates `wasm-bindgen-futures` from 0.4.42 to 0.4.43
- [Release notes](https://github.com/rustwasm/wasm-bindgen/releases)
- [Changelog](https://github.com/rustwasm/wasm-bindgen/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rustwasm/wasm-bindgen/commits)

Updates `wasm-bindgen-test` from 0.3.42 to 0.3.43
- [Release notes](https://github.com/rustwasm/wasm-bindgen/releases)
- [Changelog](https://github.com/rustwasm/wasm-bindgen/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rustwasm/wasm-bindgen/commits)

Updates `web-sys` from 0.3.69 to 0.3.70
- [Release notes](https://github.com/rustwasm/wasm-bindgen/releases)
- [Changelog](https://github.com/rustwasm/wasm-bindgen/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rustwasm/wasm-bindgen/commits)

Updates `tower` from 0.4.13 to 0.5.0
- [Release notes](https://github.com/tower-rs/tower/releases)
- [Commits](https://github.com/tower-rs/tower/compare/tower-0.4.13...tower-0.5.0)

---
updated-dependencies:
- dependency-name: clap
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: clap_complete
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: concread
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: js-sys
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: ldap3_client
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: ldap3_proto
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: libc
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: lodepng
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: serde
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: serde_json
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: syn
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: tokio
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: wasm-bindgen
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: wasm-bindgen-futures
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: wasm-bindgen-test
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: web-sys
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: tower
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>

* updates to source/packages

* making the nightly build happy

* making the nightly build happy

* making the nightly build happy

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
2024-08-19 23:22:23 +10:00
Firstyear 36b6fda787
Mail substr index (#2981) 2024-08-18 02:49:24 +00:00
cuberoot74088 eee2df8894
Improve migration error message (#2959)
In this migration we have checked for legacy security_keys and not gid. This makes it easier for users to understand what the issue is.
2024-08-08 21:43:03 +00:00
James Hodgkinson d512954fe6
Docker-and-docs-fixes (#2954)
* removing VOLUME entry from server container

* link fixing

* link fixing in docs
2024-08-05 00:27:45 +00:00
Firstyear 3ae8453375
In honour of SebaT, error on db lock acq timeout (#2947) 2024-08-02 09:29:46 +10:00
Firstyear 1fbe65b351
Add measurement of lock acquisition (#2946) 2024-08-01 01:43:55 +00:00
Firstyear 329750981e
Update to 1.4.0-dev (#2943) 2024-08-01 00:02:11 +10:00
James Hodgkinson 2a7a009482
clippying all the things (#2931)
* clippying all the things
2024-07-26 07:02:37 +00:00
Firstyear 21d3f82aa1
Add scim proto to kanidm, refactor to improve serde performance. (#2933) 2024-07-26 15:54:28 +10:00
James Hodgkinson e1a1bff94d
Docs rework (#2919)
* more markdowny linty things
* Fixes #2572 by replacing mdbook-template with github-flavoured and more markdowny alerts
2024-07-23 02:21:56 +00:00
Firstyear da7ed77dfa
Substring Indexing (#2905) 2024-07-20 03:12:49 +00:00
Firstyear c7fcdc3e4e
Strict redirect URL enforcement (#2917)
Add strict OAuth2 URL enforcement per the RFC. This includes a transition process for the next release so that Admins can come into compliance.
2024-07-20 02:09:50 +00:00
Alin Trăistaru 562f352516
fix typos (#2908)
* fix typos and misspellings
* use proper capitalization
* Apply suggestions from code review
---------

Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
2024-07-18 03:22:20 +00:00
James Hodgkinson eddec88429
making the internals of kanidmclientconfig public for other users (#2895)
* making the internals of kanidmclientconfig public for other users
* clippyisms
2024-07-15 10:28:23 +00:00
Firstyear d0e57442d2
Tidy up replication poll interval (#2883) 2024-07-15 06:16:24 +00:00
Firstyear a4a06c1172
Add a migration for future versions that will notify and warn about the removal of security keys. (#2885) 2024-07-12 02:19:43 +00:00
Firstyear 5af33ade0a
Update mtls cert lifetime (#2886) 2024-07-10 21:35:24 +00:00
Firstyear b1480e36f0
20240703 htmx (#2870)
Complete the remainder of the HTMX rewrite of the login page.
2024-07-07 03:36:47 +00:00
Merlijn 4795541719
Offer configuration of images for Oauth2 resources (#2665) 2024-07-06 12:25:55 +10:00
Firstyear f9a77ee1f3
2818 2511 oauth2 urls (#2867)
* Allow multiple origins
* Docs
* Capitalization 'n stuff

---------

Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
2024-07-05 23:17:26 +00:00
Firstyear 10e15fd6b3
20240613 performance improvements (#2844)
Thanks to @Seba-T's work with Orca, we were able to identify a number of performance issues in certain high load conditions.

This commit contains fixes for the following issues

* Unbounded Memory Growth - due to how ARCache works, to maintain temporal consistency it must retain copies of keys (not values) in a special data set for tracking. The Filter Resolve Cache was using unresolved filters as keys. This caused memory explosions when refint or memberof were updating a group with a large number of members because they would emit a query with hundreds of filter terms that would only be used once and never again, causing the ARCache haunted set to grow without bound. To limit this, we no longer cache large/complex queries for resolution, and in future we may implement some other methods to reduce this like sha256/hmac of the queries.

* When creating a new account, dyngroups would be engaged to add the account as a member due to the matching scope. However the change to the dyngroup was triggering an update of all the dyngroups' *members'* related memberof attributes. This would mean that adding an account would trigger every other account to be loaded and updated.

* Memberof would iterate over leaf entries and update them one at a time. This meant a large number of small fragmented queries in the case of a lot of leaf entries being updated. Now leaf entries are updated in a single stripe once groups are stabilised.

* Member of would always trigger its members to always update. Instead, we should only update members where a difference is observed, or all members if the group's memberof itself has changed since this needs to propagate to all leaf entries. This significantly reduces the amount of writes and operations to examine the changed member of set.

* Referential integrity would examine all reference uuids on entries for validity rather than just the reference uuids that were altered within the transaction. This change means that only uuids that were *added* are validated during an operation. 

* During async write backs (delayed actions) these were performed one at a time. Instead, when possible this should be done in a single transaction as the write transaction caches all writes in memory until the commit meaning that by batching we reduce overall latency.

* In the server there can only be one write transaction and many readers. These are guarded by tokio semaphores that act as fair queues - first in gets the lock next. Due to the design of the server readers would be blocked on the *database* semaphore, and writers would block on the write semaphore and THEN the database semaphore. This arrangement was creating a situation which unfairly advantaged readers over writers, as any write would first have to become the head of its queue, and then compete with all readers to access a db transaction. Instead, we now have a reader semaphore with size threads minus 1, clamped at a minimum of 1. This means that provided there are two or more threads, then a writer will *always* have a database handle available, and readers will pre-queue with each other before queueing on the db ticket. If there is only one thread, then writes and reads will alternate between each other fairly.
2024-06-20 02:50:00 +00:00
Joshua M. Clulow e591b5f2cc
illumos support (#2838)
* disable mimalloc on illumos, in part because it immediately segfaults,
  but also because we prefer libumem and link it into all Rust binaries

* switch from fs2 (unmaintained crate) to fs4 which provides the same
  interface and has wider platform support
2024-06-15 05:20:11 +00:00
Firstyear 9c4e8bb90a
20240611 performance (#2836)
While basking under the shade of the coolabah tree, I was overcome by an intense desire to improve the performance and memory usage of Kanidm.

This pr reduces a major source of repeated small clones, lowers default log level in testing, removes some trace fields that are both large and probably shouldn't be traced, and also changes some lto settings for release builds.
2024-06-12 16:48:49 -07:00
Firstyear bd6d9284c0
20240607 2417 piv (#2829)
Add some more ground work for future PIV/x509 authentication.
2024-06-11 00:54:57 +00:00