Commit graph

64 commits

Author SHA1 Message Date
William Brown 722a11bb81 Uhoh 2025-04-11 09:30:44 +10:00
William Brown 96f8bdcea3 What was ldap turning into scim 2025-04-11 09:30:44 +10:00
Firstyear bf1e9b0989
Make schema indexing a boolean instead of index types ()
Previously on schema definitions for attributes, the list of index
types was manually set on attributes. The issue with this approach is
that not all index types apply to all attribute syntaxes. This made it
error prone not just to Kanidm developers, but to future users who
want to define custom attributes and may incorrectly index those
attributes.

Instead, this changes the index value to be a boolean to indicate
if this attribute should or should not be indexed. Internally Kanidm
has a list of appropriate indexes to apply to these syntax types.

As part of this change, the tests were reviewed to find missing index
types for syntaxes, and other causes of unindexed searches which led
to some changes around the dyngroup plugin (which pushes the boundaries
of a lot of things in Kani due to how it works).
2025-03-21 02:13:54 +00:00
CEbbinghaus 7a9bb9eac2
Feat: Allowing spn query with non-spn structured data in LDAP ()
* Added Botch for fixing spn query

* Got Invalid filter working. spn can now be searched on

* Addressed review comments

* Resolved Invalid filter correctly for no index

* Cleaned comments and added tests (still 1 failing)

* Added comments and fixed unit test

* Formatting

* Made Clippy Happy
2025-02-08 06:37:28 +00:00
Firstyear b3be758b74
20250114 3325 SCIM access control ()
Add an extended query operation to return effective access controls so that UI's can dynamically display what is or is not editable on an entry.
2025-01-20 11:28:22 +00:00
Firstyear 1a29aa7301
Add ssh_publickeys as a claim for oauth2 ()
Allow ssh_publickeys to be exposed as a claim for oauth2 and oidc
applications so that they can consume these keys for various uses.
An example could be something like gitlab which can then associate
the public keys with the users account.
2025-01-08 08:21:28 +00:00
Firstyear ea0e63cc2a
20240927 SCIM put () 2024-11-30 06:56:17 +00:00
Firstyear 853f787327
security - low - fault in migrations ()
A fault existed in the server's internal migration code, where attributes
that were multivalued would be merged rather than replaced in certain
contexts. This migration path is used for access controls, meaning that
on upgrades, attributes that were meant to be removed from access
controls or changes to access control target groups were not reflected
during the upgrade process.

This has a potentially low security impact as it may have allowed
users to change their name/displayname even if the administrator
had disable the name_self_write access control.
2024-11-07 14:32:37 +10:00
CEbbinghaus dc56a3217d
Chore: Refactor Groups to be more generic () 2024-10-25 00:36:20 +00:00
Firstyear 2075125439
Working scim entry get for person () 2024-10-15 04:29:45 +00:00
Merlijn 4e125b5043
Scim add EntryReference ()
Allow references to be displayed as a complex object
2024-10-10 00:13:45 +00:00
Firstyear cc662f184a
20240925 cleanups () 2024-10-03 14:04:02 +10:00
Firstyear 90afc8207c
20240926 tech debt ()
Large clean up
2024-10-01 10:07:08 +10:00
Firstyear 23636acbf7
Fix migration of last mod cid () 2024-09-30 09:56:48 +00:00
Firstyear d3891e301f
20240810 SCIM entry basic () 2024-09-12 12:53:43 +10:00
Firstyear f053ff7fba
CreatedAt/ModifiedAt fix ()
* fix(repl): CreatedAt/ModifiedAt attributes
2024-09-12 11:42:16 +10:00
Firstyear 938ad90f3b
20240906 Attribute as an Enum Type ()
Changes attribute from a string to an enum - this provides many performance improvements and memory savings throughout the server.
2024-09-09 00:53:10 +00:00
Firstyear 0fac1f301e
20240820 SCIM value ()
Add the basics of scim value serialisation to entries.
2024-08-29 11:38:00 +10:00
James Hodgkinson 3eae7be0bb
OAuth2 Token Type ()
* fix(OAuth2): Invalid `token_type` for token introspection
Fixes 

* fix(aut): `assert_eq` instead of `assert ==`

* fix(OAuth2): IANA registry access token types

* fix(OAuth2): deserialize case insensitively
2024-08-25 23:30:20 +00:00
James Hodgkinson 7c3deab2c4
enforcen den clippen ()
* enforcen den clippen
* updating outdated oauth2-related docs
* sorry clippy, we tried
2024-08-21 00:32:56 +00:00
Firstyear 239f4594dd
20240810 application passwords ()
Add the server side components for application passwords. This adds the needed datatypes and handling via the ldap components.

Admin tools will be in a follow up PR. 

Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Co-authored-by: Samuel Cabrero <scabrero@suse.de>
2024-08-20 06:44:37 +00:00
Firstyear da7ed77dfa
Substring Indexing () 2024-07-20 03:12:49 +00:00
Alin Trăistaru 562f352516
fix typos ()
* fix typos and misspellings
* use proper capitalization
* Apply suggestions from code review
---------

Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
2024-07-18 03:22:20 +00:00
Firstyear 10e15fd6b3
20240613 performance improvements ()
Thanks to @Seba-T's work with Orca, we were able to identify a number of performance issues in certain high load conditions.

This commit contains fixes for the following issues

* Unbounded Memory Growth - due to how ARCache works, to maintain temporal consistency it must retain copies of keys (not values) in a special data set for tracking. The Filter Resolve Cache was using unresolved filters as keys. This caused memory explosions when refint or memberof were updating a group with a large number of members because they would emit a query with hundreds of filter terms that would only be used once and never again, causing the ARCache haunted set to grow without bound. To limit this, we no longer cache large/complex queries for resolution, and in future we may implement some other methods to reduce this like sha256/hmac of the queries.

* When creating a new account, dyngroups would be engaged to add the account as a member due to the matching scope. However the change to the dyngroup was triggering an update of all the dyngroups *members* related memberof attributes. This would mean that adding an account would trigger every other account to be loaded an updated.

* When memberof would iterate over leaf entries and update them one at a time. This mean a large number of small fragmented queries in the case of a lot of leaf entries being updated. Now leaf entries are updated in a single stripe once groups are stabilised.

* Member of would always trigger it's members to always update. Instead, we should only update members where a difference is observed, or all members if the group's memberof itself has changed since this needs to propogate to all leaf entries. This significantly reduces the amount of writes and operations to examine the changed member of set.

* Referential integrity would examine all reference uuids on entries for validity rather than just the reference uuids that were altered within the transaction. This change means that only uuids that were *added* are validated during an operation. 

* During async write backs (delayed actions) these were performed one at a time. Instead, when possible this should be done in a single transaction as the write transaction caches all writes in memory until the commit meaning that by batching we reduce overall latency.

* In the server there can only be one write transaction and many readers. These are guarded by tokio semaphores that act as fair queues - first in gets the lock next. Due to the design of the server readers would be blocked on the *database* semaphore, and writers would block on the write semaphore and THEN the database semaphore. This arrangement was creating a situation which unfairly advantaged readers over writers, as any write would first have to become the head of it's queue, and then compete with all readers to access a db transaction. Instead, we now have a reader semaphore with size threads minus 1, clamped at a minimum of 1. This means that provided there are two or more threads, then a writer will *always* have a database handle available, and readers will pre-queue with each other before queueing on the db ticket. If there is only one thread, then writes and reads will alternate between each other fairly.
2024-06-20 02:50:00 +00:00
Firstyear 2c0ff46a32
20240530 nightly warnings ()
* Cleaneup
* Lots of ram saving
2024-05-30 20:22:19 +10:00
Firstyear 3723abb25d
Allow name write privileges to be withheld () 2024-05-23 15:58:49 +10:00
James Hodgkinson 7964f55d59
strip out some debug messages unless *really* debugging. ()
* kanidm cli logs on debug level - Fixes 
* such clippy like wow
* It's important for a wordsmith to know when to get its fixes in.
* updootin' wasms
2024-05-14 14:56:55 +10:00
Firstyear d7834b52e6
Begin the basis of the key provider model ()
This completely reworks how we approach and handle cryptographic keys in Kanidm. This is needed as a foundation for replication coordination which will require handling and rotation of cryptographic keys in automated ways. 

This change influences many other parts of the code base in it's implementation.

The primary influences are:

* Modification of how domain user signing keys are revoked or rotated.
* Merging of all existing service-account token keys are retired (retained) keys into the domain to simplify token signing and validation
* Allowing multiple configurations of local command line tools to swap between instances using disparate signing keys.
* Modification of key retrieval to be key id based (KID), removing the need to embed the JWK into tokens

A side effect of this change is that most user authentication sessions and oauth2 sessions will have to be re-established after upgrade. However we feel that session renewal after upgrade is an expected side effect of an upgrade. 

In the future this lays the ground work to remove a large number of legacy key handling processes that have evolved, which will allow large parts of code to be removed.
2024-04-15 23:44:37 +00:00
Firstyear b4d9cdd7d5
20240301 systemd uid ()
Fixes  Fixes  - gid numbers can be part of the systemd nspawn range.

Previously we allocated gid numbers based on the fact that uid_t is a u32, so we allowed 65536 through u32::max. However, there are two major issues with this that I didn't realise. The first is that anything greater than i32::max (2147483648) can confuse the linux kernel. 

The second is that systemd allocates 524288 through 1879048191 to itself for nspawn.

This leaves with with only a few usable ranges.

1000 through 60000
60578 through 61183
65520 through 65533
65536 through 524287
1879048192 through 2147483647

The last range being the largest is the natural and obvious area we should allocate from. This happens to nicely fall in the pattern of 0x7000_0000 through 0x7fff_ffff which allows us to take the last 24 bits of the uuid then applying a bit mask we can ensure that we end up in this range. 

There are now two major issues.

We have now changed our validation code to enforce a tighter range, but we may have already allocated users into these ranges. 

External systems like FreeIPA allocated uid/gid numbers with reckless abandon directly into these ranges. 

As a result we need to make two concessions.

We *secretly* still allow manual allocation of id's from 65536 through to 1879048191 which is the nspawn container range. This happens to be the range that freeipa allocates into. We will never generate an ID in this range, but we will allow it to ease imports since the users of these ranges already have shown they 'don't care' about that range. This also affects SCIM imports for longer term migrations. 

Second is id's that fall outside the valid ranges. In the extremely unlikely event this has occurred, a startup migration has been added to regenerate these id values for affected entries to prevent upgrade issues. 

An accidental effect of this is freeing up the range 524288 to 1879048191 for other subuid uses.
2024-03-07 03:25:54 +00:00
Firstyear fbc021f487
20240221 2489 cleanup api v1 () 2024-02-27 09:25:02 +00:00
James Hodgkinson 097db70c3d
prctl compile-time fixes, also chasing lints ()
* fixing up error handling for prctl calls
* minor clippy lintypoos
* making clippy happier
* clippizing a test
* more clippy-calming
* adding tpm-udev to ubuntu flows for testing
* rebuilt wasm
* moving from rg to grep because someone doesn't like nice things
* such clippy like wow
* clippy config to the rescue
2024-02-20 18:21:33 +10:00
Firstyear d42268269a
20240125 2217 client credentials grant ()
* Huge fix of a replication problem.
* Update test
* Increase min replication level
* Client Credentials Grant implementation
2024-02-01 02:00:29 +00:00
Firstyear 3408816932
Add DN as a virtual ldap attr () 2023-12-19 15:07:19 +10:00
Firstyear d09c2448ff
1481 2024 access control rework ()
Rework default access controls to better separate roles and access profiles.
2023-12-17 23:10:13 +00:00
Firstyear 76269f9de2
20231129 webauthn attestation ()
This adds full support for attestation of webauthn/passkeys.
2023-12-03 06:13:52 +00:00
Firstyear ac299b5286
Update to the latest compact-jwt version () 2023-11-24 02:53:22 +00:00
Firstyear bb8914c70d
20231120 2320 sssd compat () 2023-11-22 10:18:03 +10:00
Firstyear 47bcea7708
20231109 1122 credential class ()
* Add CredentialType for acc pol
* Reword ui hints
* Finish account policy
* Clean up artefacts
2023-11-11 09:26:44 +10:00
Firstyear 6ff9082fd2
20231014 account policy ()
* Start to prep for unix+ssh keys in credupdate session
2023-10-19 01:40:06 +00:00
James Hodgkinson 6850a17e8c
Windows build fixes and test coverage ()
* adding testing for users functions
* turning KanidmClient build error into a ClientError
* removing a redundant closure
2023-10-17 07:18:07 +00:00
James Hodgkinson 0adc3e0dd9
Chasing wooly quadrapeds again ()
* I really like well-tended yaks
* documenting yaks
* spellink
* less surprise more good
* schema test fix
* clippyisms
2023-10-05 12:30:46 +10:00
Firstyear f6d2bcb44b
68 20230929 replication finalisation ()
Replication is now ready for test deployments!
2023-10-05 11:11:27 +10:00
James Hodgkinson e7f594a1c1
In-system image storage ()
* In-system image storage refers to 
* adding multipart feature to axum
* thanks to @Firstyear for fixing my bufs
* fixing coverage test things
* clippy-calming
* more tests, jpg acropalypse tests, benches
* spelling
* lockfile updates
* linting
2023-10-04 17:24:12 +10:00
James Hodgkinson d5ed335b52
Cinco de yakko ()
* there are always more yaks
* see? ldap yaks.
* fixing stupid radius container build thing
2023-09-16 12:11:06 +10:00
Firstyear 77da40d528
68 20230912 session consistency ()
This adds support for special-casing sessions in replication to allow them to internally trim and merge so that session revocations and creations are not lost between replicas.
2023-09-16 09:22:11 +10:00
James Hodgkinson 383592d921
Schema dooby doo ... yon ()
Refers 

Notable changes:

- in server/lib/src/entry.rs - aiming to pass the enum instead of the strings
    - changed signature of add_ava to take Attribute instead of &str (which is used in the entry_init macro... which was fun)
    - set_ava<T> now takes Attribute
- added TryFrom<&AttrString> for Attribute
2023-09-12 11:47:24 +10:00
Firstyear b3aed1df34
68 20230908 replication attrunique ()
Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
2023-09-12 08:50:51 +10:00
James Hodgkinson d5d76d1a3c
Schema dooby doo part two ()
* scim strings!
* mapmapmap
* mapmapmap -comments and map
* updating delete teest
* fixing some tests
2023-09-05 16:58:42 +10:00
Firstyear 2355dbfead
68 20230821 replication ()
* Resolve spn incremental replication
2023-08-23 11:17:13 +10:00
James Hodgkinson 05b35df413
Less human strings more enums ()
* statics or enums you choose
* acp rewrite, defined SchemaAcp as a test
* macros and targetscopes and filters oh my
2023-08-21 17:16:43 +10:00