mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-23 20:47:01 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity
770 commits 17 branches 59 tags 246 MiB
Commit graph

340 commits

Author SHA1 Message Date
William Brown b6be05248c (cargo-release) version 1.1.0-alpha.8 2022-05-01 13:58:18 +10:00
Firstyear 53f3260285
Remove async references (#724) 2022-04-29 13:23:46 +10:00
Firstyear 8dc0199380
383 170 164 authentication updates 3 (#723) 2022-04-29 13:03:21 +10:00
James Hodgkinson 5eb9fa604e
Making the login path nicer, dev scripting (#721) 
* making username-not-found messages nicer
* adds a script to run a dev server easier
 2022-04-29 10:44:57 +10:00
Firstyear a58edc5128
20220427 dependency updates (#718) 2022-04-27 13:35:26 +10:00
Firstyear 9ade567a52
383 170 164 authentication updates 2 (#716) 
Add foundations for credential update sessions.
 2022-04-27 10:56:18 +10:00
Euan Kemp 9427d27141
Add a new ACP and group allowing self-service mail updates (#672) 
* Add a new ACP and group allowing self-service mail updates

This adds a new "idm_people_self_write_mail_priv" group which follows
the existing canned group+acp format closely.

This also adds a test for the functionality

See the discussion in #648 for a bit more background

* Limit the self-write ACP to targets with the "account" class

Per feedback on #672, it's better to limit these APIs specifically to
accounts.

* Fix up

Co-authored-by: Firstyear <william.brown@suse.com>
 2022-04-13 20:45:45 +10:00
Euan Kemp 0c3ce226cf
Add 'account person set' command (#667) 
* Add 'account person set' command

This command allows a user to modify, say, their legal name in a
self-service fashion.

This wasn't possible before by default since the 'extend' operation
required additional ACPs in order to operate which not every user would
have.

The new "person set" api is compatible with the default self_write ACP,
and so allows self-service modification.

* Add a short section on people attributes to the book
 2022-04-02 13:24:07 +10:00
James Hodgkinson 134235ef7f
Specifying MSRV in package now (#664) 
* specifying MSRV in package now
 2022-03-31 14:12:53 +10:00
James Hodgkinson a61ef91ac6
Fixes 654 - make DEVELOPER_README valid (#656) 
* updating dev readme and scripting

* fixing confusing debug message about config loading
 2022-03-28 08:36:25 +10:00
Firstyear bd41ef8f91
Add design doc, revive the domain wide enc token (#649) 
* Add design doc, revive the domain wide enc token, use jwt from our lib instead of bundy, update docs
 2022-03-14 17:29:04 +10:00
Firstyear fa610c6d88
106 auth concurrency (#643) 2022-03-07 09:22:35 +10:00
Firstyear f252d91e13
20220219 webui updates + source refactor + clippy go clip clip (#642) 2022-02-20 12:43:38 +10:00
Firstyear 6e1ed9ea07
Update to concread, add hooks for cache quiescing (#641) 2022-02-16 09:20:37 +10:00
Firstyear 840024f006
Change how domain names are handled in our configuration. (#639) 2022-02-15 16:17:43 +10:00
William Brown 4c74fffede Fix relative path in oauth2 workflow 2022-02-09 15:28:43 +10:00
Firstyear a2bd54c4cb
Improve access controls for IDM admins to manage account radius secrets. (#638) 
Remove need for a bundler in wasm
 2022-02-09 12:57:38 +10:00
Firstyear a0ef768fc8
Correct issuer to match url of connected client (#635) 2022-01-27 12:19:03 +10:00
Firstyear 2a282f8a89
20220104 resolve yew render issues (#632) 2022-01-09 10:47:21 +10:00
William Brown c8468199fc (cargo-release) version 1.1.0-alpha.7 2021-12-31 09:27:57 +10:00
Firstyear d25e3b338a
Pre-release update and cleanup (#631) 2021-12-31 09:11:20 +10:00
Firstyear c6c564cebb
Finalise email changes for oidc (#629) 2021-12-25 09:47:14 +10:00
Firstyear dc1dd11333
Temp use env filter (#628) 2021-12-21 11:56:23 +10:00
Firstyear 22682279aa
20211216 tracing cleanup (#627) 2021-12-17 13:54:13 +10:00
Firstyear 42df4bf1a3
Refactor of value and addition of base types for business attributes (#626) 2021-12-16 10:13:03 +10:00
James Hodgkinson 172c2e4825
Check before rename for #622 (#624) 2021-12-08 10:02:04 +10:00
James Hodgkinson b7837f3aae
add logging for oauth2 errors (#620) 2021-11-25 14:55:12 +10:00
Firstyear fad0dd86e0
Improve book and errors related to domain name and origin mismatch (#617) 2021-11-25 08:37:50 +10:00
Kerstin 492cb653e8
Make sure that effective domain actually is descendant of rp_id (#618) 2021-11-25 08:30:39 +10:00
Firstyear 0f4189a57e
278 603 OIDC implementation (#608) 2021-11-21 16:41:49 +10:00
Firstyear 761bed0569
20211010 rfc7662 token introspect (#607) 2021-10-26 13:00:02 +10:00
Firstyear c9ef4fe5df
Setup for webauthn subdomain support (#598) 2021-10-20 14:42:43 +10:00
Firstyear 8e3525c736
Fix state parameter to be string (#602) 2021-10-20 14:00:14 +10:00
James Hodgkinson a993eb9cf3
changing errors to errors (#599) 2021-10-17 21:28:04 +10:00
James Hodgkinson b0542c7e54
Adding some extra fields to logging on-request (#595) 2021-10-17 21:20:48 +10:00
Quinn f1e4a4c7e2
Integrated compiled-uuid into kanidmd/src/lib/constants/uuids.rs (#593) 2021-10-11 14:49:32 +10:00
Firstyear a09c1bc169
fixes (#589) 2021-10-10 08:44:58 +10:00
Firstyear c62b39c338
509 oauth2 scope mapping (#586) 2021-10-07 18:31:48 +10:00
Quinn d59ddcc74a
Added num-enum support for runtime enums (#585) 2021-10-02 09:02:36 +10:00
William Brown c9f4b1dc2e (cargo-release) version 1.1.0-alpha.6 2021-10-01 11:44:25 +10:00
Firstyear 573e346476
Add support for storing security token key in domain config (#581) 2021-09-25 11:24:00 +10:00
Firstyear dbb57e9a7b
Remove auditscope for tracing (#580) 2021-09-21 12:42:00 +10:00
Firstyear 2fbc92668c
Entry Arc Tracking to reduce memory footprint (#579) 2021-09-17 12:05:33 +10:00
Firstyear d2bb9cead4
Rewrite how we store the internals of valuesets in entries (#578) 2021-09-15 08:24:37 +10:00
Firstyear 0c1ad4e5fe
Swap to tide-openssl (#575) 2021-08-29 12:34:55 +10:00
Firstyear 1080e5d0b4
Start to remove audit scope :) (#574) 2021-08-26 11:48:03 +10:00
Firstyear 09e83a98c6
Fix io capture in tests (#573) 2021-08-24 14:23:53 +10:00
Firstyear 9456cac15b
Qnn idiomatic refactor (#570) 2021-08-21 14:44:55 +10:00
Quinn a3c0b8ccfe
Customized tracing for tide::Middleware logging (#544) 2021-08-19 11:04:24 +10:00
Firstyear 3f27267ea4
508 token introspect (#565) 2021-08-18 09:41:04 +10:00
Firstyear 002e3d696b
Add stricter headers (#546) 2021-08-16 13:37:15 +10:00
James Hodgkinson 80753451ca
updating well-known URI to meed OIDC spec (#563) 2021-08-11 10:17:03 +10:00
James Hodgkinson 1cb057ba1d
Improved LDAP client address logging, move AuditScope out a layer (#562) 2021-08-10 12:16:13 +10:00
Firstyear b432c79302
Resolve auth choice selection ui (#558) 2021-08-08 10:00:41 +10:00
Firstyear 87c6b45fbd
add tokio feature to async-std (#555) 2021-08-04 14:51:09 +10:00
Firstyear a00d3c01e6
20210802 favicon (#554) 2021-08-02 14:35:46 +10:00
James Hodgkinson 8737a7ad78
making 📎 slightly happier (#551) 2021-08-02 10:54:55 +10:00
cuberoot74088 b4f99c8e7a
Implement Online Backups (#25) (#536) 2021-07-31 17:13:46 +10:00
Firstyear 27b7572842
468 valueset abstraction (#538) 2021-07-30 09:45:25 +10:00
James Hodgkinson 25961b2c46
adding a check for rustc MSRV (#542) 2021-07-27 13:20:50 +10:00
Firstyear 5069df9939
Improve errors (#539) 2021-07-26 08:33:49 +10:00
Firstyear 1791f12adf
Oauth2 ui flows (#527) 2021-07-25 10:51:37 +10:00
James Hodgkinson a621cbc6a7
Fixing #521 - Documenting the server role (#535) 2021-07-24 15:00:08 +10:00
Firstyear ea080feac8
Update webauthn-rs to alpha.9 (#532) 2021-07-24 14:58:38 +10:00
James Hodgkinson 6ff74c976e
Auto-publishing the book and rustdoc. (#534) 2021-07-24 11:12:35 +10:00
Firstyear 8bc7afe007
Add wal checkpointing to startup/vacuum (#533) 2021-07-23 18:49:03 +10:00
James Hodgkinson 8b7f196b2a
Makes kanidmd bail on startup if it can't find the webpkg dir (#531) 
* Fixes #528 - DynamicUser was set to kanidmd

* Make kanidmd bail if it cannot find the web ui files
 2021-07-22 15:19:01 +10:00
cuberoot74088 8306c3bc6a
Rename to SetCredentialRequest::BackupCodeGenerate (#524) 2021-07-22 12:04:56 +10:00
James Hodgkinson 39a693f701
Fixing #520, moving cert loading into server mode (#522) 2021-07-09 09:49:26 +10:00
cuberoot74088 620a1717a8
495 backup codes cli extension (#517) 2021-07-08 12:50:55 +10:00
James Hodgkinson fc2824eec5
fixing restores on #456 (#519) 2021-07-08 10:09:15 +10:00
William Brown 4be329e946 (cargo-release) version 1.1.0-alpha.5 2021-07-07 12:04:12 +10:00
William Brown e5e760b109 Release prep 2021-07-07 12:02:46 +10:00
Firstyear e134fa5b40
Fix totp registration workflow with broken authenticators (#516) 2021-07-03 14:39:22 +10:00
Firstyear 040e9fd352
Add statistical analysis to indexes (#505) 2021-07-02 14:50:56 +10:00
Firstyear 4c6a28b7ad
511 upgrade failure - add debuging tools and improve debugging of the issue. (#512) 2021-07-01 14:51:25 +10:00
James Hodgkinson 554ff3bb1b
Fixing kanidm windows client build (#507) 2021-06-30 10:34:45 +10:00
Firstyear 1de1b2db3b
Add the ability to configure and provide Oauth2 authentication for Kanidm. (#485) 2021-06-29 14:23:39 +10:00
Firstyear 8aa0056df6
Change default totp to sha256 (#504) 2021-06-29 09:27:38 +10:00
James Hodgkinson 78e189ee34
Fixes #494 - password change user-facing responses (#499) 2021-06-28 13:05:37 +10:00
Firstyear 1b146bd00d
Fix readonly check (#496) 2021-06-27 11:30:40 +10:00
Firstyear 35d32bc5dd
Update webauthn-authenticator-rs to fix test failures (#493) 2021-06-26 11:47:21 +10:00
vcwai 9f5d8540fa
163 account recovery code (#469) 2021-06-25 12:39:05 +10:00
Quinn c2d74ced2b
Removed OperationResponse (#489) 2021-06-21 12:32:39 +10:00
Firstyear f5e2295319
20210607 orca ldap (#470) 2021-06-17 13:53:23 +10:00
Quinn 03d2fc841a
kanidm_client bool/return values (#479) 2021-06-17 12:59:34 +10:00
James Hodgkinson d8398a36b8
Arc cachesize warning fixes (#483) 2021-06-17 10:49:45 +10:00
Quinn 5e83b68fc5
Renamed fields in dbvalue (#477) 2021-06-16 08:07:42 +10:00
Firstyear ea34dc08a9
Add email syntax (#465) 
Part one of #461 - this adds the syntax to support email addresses and validation of their content, and a method to serialise to the DB that can be extended with attribute tagging in the future. Part two will address administration of these values.
 2021-06-12 10:01:44 +10:00
Firstyear 7da4fa9d7e
Add some openid stubs (#464) 2021-06-05 15:41:42 +10:00
Firstyear 2493dad4fb
Add auth docs (#463) 2021-06-02 09:42:40 +10:00
Firstyear 807af81184
64 120 session claims (#462) 2021-06-02 09:30:37 +10:00
Firstyear 033b977906
Add ldap vattr mapping (#459) 2021-05-29 12:50:16 +10:00
Firstyear e8b1089bfd
414 clear stale credentials (#447) 2021-05-26 16:11:00 +10:00
Firstyear d1f2d197eb
Fix multivalue setting of description attribute (#457) 2021-05-24 12:51:56 +10:00
James Hodgkinson 6ef4ad616a
simpler ip logging (#454) 2021-05-23 10:15:21 +10:00
James Hodgkinson ca446ddca5
I might have become clippy this time (#449) 
* clippiness

* it is really handy that we have tests

* it is still really handy that we have tests
 2021-05-22 14:48:08 +10:00
James Hodgkinson 35c1de4c45
Calming clippy's nerves, Friday edition (#448) 
* whoa clippy you are very helpful
 2021-05-21 16:35:09 +10:00
Firstyear 9d5296a34b
This allows TOTP to accept an OTP that is one step behind AKA the previous TOTP (#442) 2021-05-19 18:49:31 +10:00
James Hodgkinson 1229669785
adding env vars, making clippy happier, cleaning up some error messages (#438) 2021-05-09 22:06:58 +10:00
Firstyear e88ac01aca
20210509 cleanup clippy and audit name (#437) 2021-05-09 22:06:04 +10:00
Firstyear ebdebcaef8
277 radius pw not accept for main pw (#435) 2021-05-07 13:01:13 +10:00
Firstyear 6901a5a545
Orca - a load testing framework for Kanidm (#431) 2021-05-06 21:15:12 +10:00
Firstyear 644eb0b0d6
Add verification of name indexes (#433) 2021-05-06 21:12:02 +10:00
Firstyear 1eb777485e
Add ability to pick a server role (#432) 2021-05-06 20:58:22 +10:00
James Hodgkinson e6f34d5dc5
Adding a new verb group remove_members (#434) 
Co-authored-by: William Brown <william@blackhats.net.au>
 2021-05-06 20:47:28 +10:00
vcwai 2bd8606cb6
397 Caching password badlist (#425) 2021-05-05 14:38:32 +10:00
James Hodgkinson 77381c1a2a
User feedback improvements, also handling a permissions issue (#424) 2021-04-26 11:52:13 +10:00
William Brown f9dd0a78dc Fix concat issue 2021-04-25 11:41:50 +10:00
James Hodgkinson de431451f4
Making clippy happy (#420) 2021-04-25 11:35:56 +10:00
Firstyear 6f222f6408
62 idm qs cleanup (#419) 2021-04-25 11:35:02 +10:00
Firstyear 8da89613e3
Rough working login page (#417) 2021-04-24 10:53:19 +10:00
James Hodgkinson f97a3bf596
Make clippy happy (#415) 2021-04-19 10:20:24 +10:00
James Hodgkinson 1f991c84da
More debug messages (#413) 2021-04-16 10:49:24 +10:00
Firstyear 72dfe1b035
Idlset2, query cache, acp resolve cache (#409) 2021-04-14 09:56:40 +10:00
Firstyear 19ce30a5ef
Add lto thin (#410) 2021-04-13 12:04:27 +10:00
James Hodgkinson af1081e878
phrasing (#401) 2021-04-06 10:10:13 +10:00
William Brown b3b48b6c43 (cargo-release) version 1.1.0-alpha.4 2021-04-01 10:29:20 +10:00
William Brown 9bf4b0f052 Release Prep 2021-04-01 10:29:09 +10:00
Firstyear 988944a085
Add auth session header type (#398) 2021-04-01 07:14:15 +10:00
vcwai 8a2f3b65ec
Add badlist checking when using password login (#394) 2021-03-31 11:19:03 +10:00
Firstyear 6bc719cdb2
Base web UI (#391) 
Initial web ui (not-functional yet)
 2021-03-26 11:22:00 +10:00
Firstyear a22c8efe9e
Fix posix extend to correctly remove the matching attribute during set. (#387) 2021-03-25 10:33:37 +10:00
Firstyear db3904759d
fix displayname (#390) 2021-03-23 19:14:04 +10:00
OttoHollmann 8eb2bd9ee1
Fix Dockerfile to check return values. (#389) 2021-03-23 09:34:40 +10:00
Firstyear 29c0481cb2
Correctly return displayname (#386) 2021-03-23 09:27:01 +10:00
William Brown e1cbd325a5 Update sshkeys to resolve ssh issue 2021-03-15 10:20:54 +10:00
Firstyear adb3f819ba
Add the unixd tasks daemon (#349) 
Fixes #180 - this adds an oddjobd style tasks daemon to the unix tools. This supports creation of home directories and the maintenance of alias symlinks to these allowing user renames. The tasks daemon is written to require root, but is seperate from the unixd daemon. Communication is via a root-only unix socket that the task daemon connects into to reduce the possibility of exploit.

Fixes #369 due to the changes to call_daemon_blocking
 2021-03-13 12:33:15 +10:00
Firstyear d2ca2c5bc9
Fix pattern to match substr from ldap (#372) 2021-03-12 10:11:12 +10:00
Firstyear ff61c37ae3
Add credential display command (#370) 
Fixes #364 - this adds a credential display command to the cli, and the api so it can be used later.
 2021-03-11 11:17:13 +10:00
Firstyear dd1945dd0d
363 scaling benchmarks (#366) 
Starts on #363, adding initial scaling tests and benchmarks. Generally this is a pretty big clean up of macros and some testing elements too.
 2021-02-23 18:10:59 +10:00
Firstyear 1fb5ec8bf2
vacuum (#365) 
Fixes #362 moves vacuum to a dedicated task. This is needed as previous vacuuming on startup on large databases could cause the server to fail to start. By making this a task it avoids this error case, and makes the vacuum more predictable, and only run when required.
 2021-02-21 15:04:58 +10:00
Firstyear 3137e3d682
Complete MFA and Webauthn handlers (#360) 
Fixes #357 - this allows the password MFA handler to correct handle a mixed totp or webauthn credential with passwords. This is likely the "majority" of accounts we will see on the service.
 2021-02-20 12:41:22 +10:00
William Brown 483aa6f23d Update build 2021-02-17 18:49:03 +10:00
Firstyear f710e66f64
356 Use tls chain file (#358) 
Fixes #356 - this changes from a split ca_chain/cert configuration to a single chain file. This allows rustls in tide-rustls to present the chain correctly, and allows openssl for ldaps to present the chain correctly too. it also simplifies integration to lets encrypt which provides a chain and key file by default.
 2021-02-16 11:40:25 +10:00
William Brown 9bd54dbebe Move jemalloc to runtime only 2021-02-13 16:32:04 +10:00
Firstyear 6c79914395
306 command complete (#354) 
Fixes #306 adding command line autocompletion. These are generated to: CARGO_TARGET_DIR/item-hash/out/. These will need to be packaged for distros later, it's unclear how we could use cargo install with these as cargo doesn't support arbitrary artefacts like this (yet?).
 2021-02-13 13:46:22 +10:00
Firstyear d745b15768
Use jemallocator in main server (#353) 2021-02-10 15:08:22 +10:00
Firstyear a3d7401d03
Add clean ups based on review feedback (#351) 
* Add clean ups based on charcols suggestions
 2021-02-09 10:25:02 +10:00
Firstyear 8006142c9e
202 totp cli enrollment (#348) 
Fixes #202 - This adds support for enrolling and removing totp on the cli, as well as a rebuilt work flow for login to allow dynamic prompting of what credetials are required.
 2021-02-08 13:31:31 +10:00
Firstyear f4e31f1bb9
Improve idl behaviour (#342) 2021-01-28 09:50:43 +10:00
Firstyear 3844aadf60
Tokio1.0 (#340) 
Upgrade dependencies, with the major highlight as the upgrade to tokio 1.0
 2021-01-10 13:41:56 +10:00
William Brown 0f6bc36cee Improve docker buildr 2020-12-30 12:29:01 +10:00
Firstyear faa4b74683
320 filter double verify (#339) 
Fixes #320, remove double verification of filters. In addition this replaces attr strings with smartstring to allow better inling due to their static and compact nature.
 2020-12-30 09:53:19 +10:00
William Brown df441769ec (cargo-release) version 1.1.0-alpha.3 2020-12-28 09:51:15 +10:00
Firstyear 9dbb5ccb59
Unixd - NXCache of unknown items (#338) 
Previously we would only cache "hits" - items that kanidm is aware
of and did know about. However, this mean querying a raw uid/gid
number that was not known to files or kanidm would result in kanidm
doing an online check each request.

This adds a NXcache to cache misses, so they can be served as misses,
faster, and to reduce load on the main kanidm servers.

Fixes #336
 2020-12-28 09:41:16 +10:00
Firstyear ebdb57bbe7
WIP - Improve Auth Proto to Support Webauthn (#333) 
This is a rewrite of the "on the wire" json for auth. This is a breaking change required to allow webauthn to work given limitations within Webauthn as a standard and how mixed credentials are challenged for.
 2020-12-26 13:58:32 +10:00
Firstyear ec48edac82
13 135 webauthn support (#332) 
Fixes #13 and Fixes #135 - webauthn and webauthn with cli. This is the core of webauthn, but only as a single factor. Some changes are still needed for webauthn as MFA and as a verified single factor. This will be made in a subsequent PR.
 2020-12-02 11:12:07 +10:00
Firstyear dc319a98ac
Change root user check to warning due to container run times (#328) 
Fixes #327 - In container run times, the default is to run as root. This may be user with virtualised containers or even to just smooth the "first run" process rather than requiring a user for the process and volumes.
 2020-10-30 11:12:06 +10:00
Firstyear 1a57aa9ea0
Fixes #324 account softlocking and rate limiting (#326) 
This provides bruteforce protection and ratelimiting to stop
classes of attacks. This impacts all areas where a password or
authentication is performed (unix, ldap, auth).
 2020-10-22 14:40:31 +10:00