Commit graph

38 commits

Author SHA1 Message Date
James Hodgkinson 7c3deab2c4
enforcen den clippen ()
* enforcen den clippen
* updating outdated oauth2-related docs
* sorry clippy, we tried
2024-08-21 00:32:56 +00:00
James Hodgkinson 2a7a009482
clippying all the things ()
* clippying all the things
2024-07-26 07:02:37 +00:00
Firstyear da7ed77dfa
Substring Indexing () 2024-07-20 03:12:49 +00:00
Firstyear 9c4e8bb90a
20240611 performance ()
While basking under the shade of the coolabah tree, I was overcome by an intense desire to improve the performance and memory usage of Kanidm.

This pr reduces a major source of repeated small clones, lowers default log level in testing, removes some trace fields that are both large and probably shouldn't be traced, and also changes some lto settings for release builds.
2024-06-12 16:48:49 -07:00
Firstyear 2c0ff46a32
20240530 nightly warnings ()
* Cleaneup
* Lots of ram saving
2024-05-30 20:22:19 +10:00
Firstyear c1235a7186
Check for same version with backup/restore () 2024-05-23 01:48:37 +00:00
Firstyear d7834b52e6
Begin the basis of the key provider model ()
This completely reworks how we approach and handle cryptographic keys in Kanidm. This is needed as a foundation for replication coordination which will require handling and rotation of cryptographic keys in automated ways. 

This change influences many other parts of the code base in it's implementation.

The primary influences are:

* Modification of how domain user signing keys are revoked or rotated.
* Merging of all existing service-account token keys are retired (retained) keys into the domain to simplify token signing and validation
* Allowing multiple configurations of local command line tools to swap between instances using disparate signing keys.
* Modification of key retrieval to be key id based (KID), removing the need to embed the JWK into tokens

A side effect of this change is that most user authentication sessions and oauth2 sessions will have to be re-established after upgrade. However we feel that session renewal after upgrade is an expected side effect of an upgrade. 

In the future this lays the ground work to remove a large number of legacy key handling processes that have evolved, which will allow large parts of code to be removed.
2024-04-15 23:44:37 +00:00
Firstyear 3760951b6d
Add domain version test framework ()
Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
2024-02-28 21:04:33 +00:00
Firstyear fbc021f487
20240221 2489 cleanup api v1 () 2024-02-27 09:25:02 +00:00
James Hodgkinson 4efdb7208f
of course I started looking at clippy things and now I can't stop () 2024-02-21 00:52:10 +00:00
Firstyear 68d788a9f7
20240216 308 resource limits ()
This adds account policy based resource limits to control the maximum
number of entries that an account may query
2024-02-21 00:15:43 +00:00
James Hodgkinson 097db70c3d
prctl compile-time fixes, also chasing lints ()
* fixing up error handling for prctl calls
* minor clippy lintypoos
* making clippy happier
* clippizing a test
* more clippy-calming
* adding tpm-udev to ubuntu flows for testing
* rebuilt wasm
* moving from rg to grep because someone doesn't like nice things
* such clippy like wow
* clippy config to the rescue
2024-02-20 18:21:33 +10:00
Firstyear 23cc2e7745
Fix RUV trim ()
Fixes two major issues with replication.

The first was related to server refreshes. When a server was refreshed it would retain it's server unique id. If the server had lagged and was disconnected from replication and administrator would naturally then refresh it's database. This meant that on next tombstone purge of the server, it's RUV would jump ahead causing it's refresh-supplier to now believe it was lagging (which was not the case).

In the situation where a server is refreshed, we reset the servers unique replication ID which avoids the RUV having "jumps".

The second issue was related to RUV trimming. A server which had older RUV entries (say from servers that have been trimmed) would "taint" and re-supply those server ID's back to nodes that wanted to trim them. This also meant that on a restart of the server, that if the node had correctly trimmed the server ID, it would be re-added in memory.

This improves RUV trimming by limiting what what compare and check as a supplier to only CID's that are within the valid changelog window. This itself presented challenges with "how to determine if a server should be removed from the RUV". To achieve this we now check for "overlap" of the RUVS. If overlap isn't occurring it indicates split brain or node isolation, and replication is stopped in these cases.
2024-02-02 15:38:45 +10:00
Firstyear 666448f787
Upgrade replication to use anchors ()
* Upgrade replication to use anchors
2024-01-10 04:46:08 +00:00
Firstyear bb8914c70d
20231120 2320 sssd compat () 2023-11-22 10:18:03 +10:00
James Hodgkinson ef96ca6aa1
started writing docs and ended up in another rabbit hole ()
* started writing docs and ended up in another rabbit hole
* updoots
* dangit fedora
2023-10-31 19:15:35 +10:00
Firstyear 8bcf1935a5
20231012 346 name deny list ()
* Migrate to improved system config reload, cleanup acc pol
* Denied names feature
2023-10-13 08:50:36 +10:00
Firstyear a91bf55471
20231008 remove expect used ()
* Stop using expect on some tasks
2023-10-08 17:39:00 +10:00
Firstyear f6d2bcb44b
68 20230929 replication finalisation ()
Replication is now ready for test deployments!
2023-10-05 11:11:27 +10:00
Firstyear 3e345174b6
68 20230919 replication configuration () 2023-09-29 12:02:13 +10:00
James Hodgkinson d5ed335b52
Cinco de yakko ()
* there are always more yaks
* see? ldap yaks.
* fixing stupid radius container build thing
2023-09-16 12:11:06 +10:00
James Hodgkinson 383592d921
Schema dooby doo ... yon ()
Refers 

Notable changes:

- in server/lib/src/entry.rs - aiming to pass the enum instead of the strings
    - changed signature of add_ava to take Attribute instead of &str (which is used in the entry_init macro... which was fun)
    - set_ava<T> now takes Attribute
- added TryFrom<&AttrString> for Attribute
2023-09-12 11:47:24 +10:00
James Hodgkinson d5d76d1a3c
Schema dooby doo part two ()
* scim strings!
* mapmapmap
* mapmapmap -comments and map
* updating delete teest
* fixing some tests
2023-09-05 16:58:42 +10:00
James Hodgkinson 1d88cede1b
Yak hassling ()
* trying this query thing again
* if error show error not panic
* clippyism
* moving dependencies around and fixing log messages for healthcheck
* cleaning up some comment mess
* fixing the "debug thing breaks packaging" issue and test failures
2023-09-05 11:50:51 +10:00
Firstyear 5bd69b81b8
Clear cache before verify on some low-level tests () 2023-08-29 12:26:29 +10:00
Firstyear 0f977d33b9
68 20230828 replication of schema () 2023-08-29 12:20:27 +10:00
Firstyear da56738dea
pam multistep auth state machine ()
Himmelblau needs to maintain some data about the state of an authentication across the course of pam exchanges.

Signed-off-by: David Mulder <dmulder@samba.org>
Co-authored-by: David Mulder <dmulder@samba.org>
2023-08-28 09:27:29 +10:00
Firstyear 2355dbfead
68 20230821 replication ()
* Resolve spn incremental replication
2023-08-23 11:17:13 +10:00
James Hodgkinson 05b35df413
Less human strings more enums ()
* statics or enums you choose
* acp rewrite, defined SchemaAcp as a test
* macros and targetscopes and filters oh my
2023-08-21 17:16:43 +10:00
Firstyear bc341af9d8
Resolve issues with dyngroup members () 2023-08-17 15:52:12 +10:00
Firstyear d731b20a9d
20230728 techdebt paydown () 2023-07-31 12:20:52 +10:00
Firstyear 8f282e3a30
68 20230720 replication improvements () 2023-07-27 12:30:22 +10:00
Firstyear 83e4d3a85e
Improve durability of migrations () 2023-07-03 12:20:11 +10:00
James Hodgkinson cc1cc691f3
Started chasing noise, found some code to delete... ()
logging changes:

* Offering auth mechanisms -> debug
* 404's aren't really warnings
* double tombstone message, one goes to debug

other changes:

* CSP changes to allow the bootstrap images to load
* more testing javascriptfile things, I R 
* it's nice to know where things are
* putting non-rust web things in static/ instead of src/
* RequestCredentials::SameOrigin is the default, also adding a utility function to save dupe code. Wow this saved... kilobytes.
* removing commented code, fixing up codespell config
* clippyisms
* wtf, gha
* dee-gloo-ing some things
* adding some ubuntu build test things
* sigh rustwasm/wasm-pack/issues/1138
* more do_request things
* packaging things
* hilarious dev env setup script
* updated script works, all the UI works, including the experimental UI for naughty crabs
* deb package fixes
* fixed some notes
* setup experimental UI tweaks
2023-06-27 11:38:22 +10:00
James Hodgkinson f25bd5bb65
Kanidmd is a bit noisy ()
* the log_level config option works in kanidmd now
* anon event -> debug
* some more debuggy things
* removing some dupe events for the same thing
2023-06-24 15:56:01 +10:00
Firstyear 48c620e43a
20230508 replication incremental () 2023-05-23 13:25:22 +10:00
Firstyear 6afb15ca92
20230505 replication groundwork - ruv consistency improvements () 2023-05-08 18:25:27 +10:00
Firstyear 00cca81012
1399 cleanup reorg () 2023-03-01 13:10:52 +10:00
Renamed from kanidmd/lib/src/be/mod.rs (Browse further)