Part one of #461 - this adds the syntax to support email addresses and validation of their content, and a method to serialise to the DB that can be extended with attribute tagging in the future. Part two will address administration of these values.
Fixes#180 - this adds an oddjobd style tasks daemon to the unix tools. This supports creation of home directories and the maintenance of alias symlinks to these allowing user renames. The tasks daemon is written to require root, but is seperate from the unixd daemon. Communication is via a root-only unix socket that the task daemon connects into to reduce the possibility of exploit.
Fixes#369 due to the changes to call_daemon_blocking
Fixes#202 - This adds support for enrolling and removing totp on the cli, as well as a rebuilt work flow for login to allow dynamic prompting of what credetials are required.
Fixes#320, remove double verification of filters. In addition this replaces attr strings with smartstring to allow better inling due to their static and compact nature.
Previously we would only cache "hits" - items that kanidm is aware
of and did know about. However, this mean querying a raw uid/gid
number that was not known to files or kanidm would result in kanidm
doing an online check each request.
This adds a NXcache to cache misses, so they can be served as misses,
faster, and to reduce load on the main kanidm servers.
Fixes#336
This is a rewrite of the "on the wire" json for auth. This is a breaking change required to allow webauthn to work given limitations within Webauthn as a standard and how mixed credentials are challenged for.
Fixes#13 and Fixes#135 - webauthn and webauthn with cli. This is the core of webauthn, but only as a single factor. Some changes are still needed for webauthn as MFA and as a verified single factor. This will be made in a subsequent PR.
This provides bruteforce protection and ratelimiting to stop
classes of attacks. This impacts all areas where a password or
authentication is performed (unix, ldap, auth).
Fixes#250, replacing cookies with auth-bearer tokens. This is done using fernet with randomised keys each startup. The reason for this is that in the future the size of the auth token may exceed cookie limits, so we must be able to understand and process auth bearer. Additionaly, this lets us store the tokens for say the kanidm cli as reqwest today can't persist a cookie jar.
Fixes#259. Thanks to the linked worked example, we can reduce a problematic set of clones during filter metadata injection. Previously we had to create a new hashset every time we went to resolve index metadata in queries, but with this change we can now just use the copy-on-write hashset instead. This will improve cache access, reduces clones, and more. In a cargo test run this takes out nearly 15% of the execution time (on my system reducing the test time by nearly 35 seconds).
https://github.com/sunshowers/borrow-complex-key-example/blob/master/src/lib.rs
This finishes some of the outstanding clippy issues that existed. Additionally, we updated all the project deps and updated libraries we could in the project. A bug exists currently in cargo outdated that is preventing further updates to this however, but that's a bit out of my hands.
this completely removes actix and actix-web from the codebase, replacing it with tokio and http-rs/tide. Due to a current temporary limit in tokio parts with openssl/libressl, rustls is used for the webserver, but I'll change this back once that issue is resolved. For now there are likely some other clippy issues, but the next step now is that I can finally run cargo outdated and update this and the other kanidm/* deps to be up to date due to no longer being held back on versions by actix. So following this, I need to finish clippy warnings, and run cargo outdated and cargo audit.
Fixes#295 on login pw upgrade. This adds support for SSHA512 to be imported at the request of @colbyprior, and adds a delayed action queue so that events can be run after-the-fact so that authentication does not need to exist under the write path.
Fixes#61 and fixes#234 - this rewrites quite a few internals of refint and memberof to make them much more efficient compared to previously. This takes nearly 70s out of the test execution time - a full 25% of the run time of tests.
A number of other improvements have been made through out with regard to memory pre-alloc for hashset/hashmap, fixing some more types, and reducing some un-needed allocations.
Fixes#260fixes#257fixes#157. This is really a set of cleanups around the code base to minimise clones, choose better datastructures for specific tasks, improve the ability to pass references in certain calls and more. Generally this just makes everything a bit smoother, and really has big gains on the write path (it's about 20% faster now).
This allows configuration of which attribute is presented during gid/uid resolution, adds home directory prefixing, and home directory name attribute selection.
Fixes#212 and Fixes#262. This is largely a performance improvement and security improvement to how the databases are handled. The major cases are create/modify/reindex performance,
Fixes#195 pre release cleanup. This does a LOT, clippy, formatting, and much much more. It fixes a lot of parts of the book, improves server config and more.
adds an LDAP gateway to the server. It supports TLS if configured for the webserver, using the same parameters. It is a read only interface, only supporting bind via the configured posix password.
Add make entry to have all cargo versions updated from VERSION file.
Add `tag_version` github action to update all cargo.toml and tag it and
push it.
Remove cargo fmt check from CI because we have problems with different
versions and fails continually. Instead, we use cargo-husky to ensure
that all people run it automatically in its local, but this is not
obligatory.
Update to version 1.0.0-rc10, according to packages published.
In future cargo will support managing all dependencies from main
Cargo.toml. Ref: https://github.com/rust-lang/cargo/issues/3931Resolve#225
Fixes#101, concurrent caching of IDL and Entries. This yields a 10% improvement for test case execution, and 35% for tests run under --release mode. A lot of code around the code base was needed to be touched due to the extra need for mut in some operations and some lifetimes, but the majority of the work was in idl_arc_sqlite.rs, which has the cache layer. There are many performance gains yet to see, but most of those will come through improvement of the concread ARC and it's related BTree implementation.
- Change base builder image to `ekidd/rust-musl-builder` for create static
binaries.
- Add two flavours: alpine and stand alone binary.
- Add makefile commands for build, test and push kanidmd images and
refactor previous code.
- Add missing things to `.dockerignore`.
- Refactor CI to use Makefile.
Add `libsqlite3-sys` crate to avoid sqlite3 missmatching version.
From [https://lib.rs/crates/libsqlite3-sys](https://lib.rs/crates/libsqlite3-sys)
> If you use the bundled feature, libsqlite3-sys will use the cc crate to compile SQLite from source and link against that. This source is embedded in the libsqlite3-sys crate and is currently SQLite 3.30.1 (as of rusqlite 0.21.0 / libsqlite3-sys 0.17.0). This is probably the simplest solution to any build problems.
Remove sqlite OS packages dependencies for build.
Also, we fix a format error to allow CI tests to pass again.
Implements #12, TOTP. This adds support for TOTP to the api and server, with server side token generation, authentication and the correct URI for encoding into QR codes for client token addition. Some extra measures have been taken such as in the stepped auth to always notify on the success or failure of the TOTP first (regardless of order) to prevent PW bruteforce attacks.
Implements #122 password import. This adds most of the server core framework to allow password imports from other sources, with new types easily able to be added in credential.rs.
