Fixes#357 - this allows the password MFA handler to correct handle a mixed totp or webauthn credential with passwords. This is likely the "majority" of accounts we will see on the service.
Fixes#202 - This adds support for enrolling and removing totp on the cli, as well as a rebuilt work flow for login to allow dynamic prompting of what credetials are required.
Previously we would only cache "hits" - items that kanidm is aware
of and did know about. However, this mean querying a raw uid/gid
number that was not known to files or kanidm would result in kanidm
doing an online check each request.
This adds a NXcache to cache misses, so they can be served as misses,
faster, and to reduce load on the main kanidm servers.
Fixes#336
This is a rewrite of the "on the wire" json for auth. This is a breaking change required to allow webauthn to work given limitations within Webauthn as a standard and how mixed credentials are challenged for.
Fixes#13 and Fixes#135 - webauthn and webauthn with cli. This is the core of webauthn, but only as a single factor. Some changes are still needed for webauthn as MFA and as a verified single factor. This will be made in a subsequent PR.
Fixes#250, replacing cookies with auth-bearer tokens. This is done using fernet with randomised keys each startup. The reason for this is that in the future the size of the auth token may exceed cookie limits, so we must be able to understand and process auth bearer. Additionaly, this lets us store the tokens for say the kanidm cli as reqwest today can't persist a cookie jar.
this completely removes actix and actix-web from the codebase, replacing it with tokio and http-rs/tide. Due to a current temporary limit in tokio parts with openssl/libressl, rustls is used for the webserver, but I'll change this back once that issue is resolved. For now there are likely some other clippy issues, but the next step now is that I can finally run cargo outdated and update this and the other kanidm/* deps to be up to date due to no longer being held back on versions by actix. So following this, I need to finish clippy warnings, and run cargo outdated and cargo audit.
Fixes#195 pre release cleanup. This does a LOT, clippy, formatting, and much much more. It fixes a lot of parts of the book, improves server config and more.
Fixes#101, concurrent caching of IDL and Entries. This yields a 10% improvement for test case execution, and 35% for tests run under --release mode. A lot of code around the code base was needed to be touched due to the extra need for mut in some operations and some lifetimes, but the majority of the work was in idl_arc_sqlite.rs, which has the cache layer. There are many performance gains yet to see, but most of those will come through improvement of the concread ARC and it's related BTree implementation.
Implements #12, TOTP. This adds support for TOTP to the api and server, with server side token generation, authentication and the correct URI for encoding into QR codes for client token addition. Some extra measures have been taken such as in the stepped auth to always notify on the success or failure of the TOTP first (regardless of order) to prevent PW bruteforce attacks.
Implements #122 password import. This adds most of the server core framework to allow password imports from other sources, with new types easily able to be added in credential.rs.
Implements #132, the recycle bin. This completes the feature, with working API's, front end tests and CLI tooling. It also includes a refactor of the CLI tools to make them a bit easier to manage/work with.
Implements #129, pam and nsswitch daemon capability. This is stage 1, which adds a localhost unix domain socket resolver, a ssh key client, support to the server for generating unix tokens, an async client lib, and client handles for adding posix extensions to accounts and groups.
Implements #127 and #125. This adds domain_info support, and spn types and generation. It also correctly handles domain renaming, and has tooling to support this. It "should" work on an upgrade, due to the correct bump of index version, but I plan to test this from a backup of my production instance soon.
Implements #134 Client Builder Pattern. This makes it much easier to build a client by making the configuration of the client lib follow a builder pattern. The error management needs a lot of work still, but for now it's rough and it works.
Implemnt SSH public key management
This implements ssh public key distribution for kanidm, enforcing that
valid ssh public keys are placed into the ssh_publickey attribute, adds
management tools so that accounts can self-service manage their keys,
and finally adds an authorized keys command helper suitable for
sshd_config to utilise.
Implements #100. This refactors our error types to be deserialiseable, and exposes these through the clienterror type with the status codes. There is probably still a lot of improvements here to be made, but they'll be shaken out as the client libs develop I think and we start to see what errors should be exposed.
Implements #6 - create, modify and delete. These are the raw/lowlevel db commands which are really useful for administrators. They aren't intended for normal day to day use though.
This also adds a basic getting started, fixes a missing privilege, adds support for reseting another accounts password, and for server side password generation.
It's likely I'm going to reformat some of the current REST api though to use our higher level internal types.
This adds rest endpoints for schema, group, account listing and individual item getting, client lib to call these end points, and tests for all of these.
Partially Implements #6 - add ability for accounts to self set password. This is good for now, as I get closer to a trial radius deployment, but I think I'm finding the rest api probably needs a better plan at this point, as well as probably the way we do the proto and the communication needs some more thoughts too.
This adds the fundamentals of the basic IDM layout. It contains the needed design document, and is designed such that the default admins while powerful, still have some limits upon them.
