Commit graph

113 commits

Author SHA1 Message Date
James Hodgkinson bca2fbcf4e
Unix crossbuild scripts and docs (#2326)
* can build now with cargo cross
2023-11-27 06:30:21 +00:00
Firstyear 060cb729a7
Expose TPM in more interface places (#2334) 2023-11-27 14:35:59 +10:00
James Hodgkinson c1f1720ee2
Adding kanidm client config docs and notes ref #2248 (#2333) 2023-11-25 09:55:54 +10:00
James Hodgkinson 24c4f15b5e
Better errors when TPM PIN file not found (#2330) 2023-11-23 23:16:20 +00:00
Firstyear bb8914c70d
20231120 2320 sssd compat (#2328) 2023-11-22 10:18:03 +10:00
Firstyear 6dc8f1db3a
Resolve future send issue with keystore (#2311) 2023-11-20 12:46:52 +10:00
Firstyear 3bd2cc8a9f
20231101 add id cert to unixint (#2284) 2023-11-09 13:11:23 +10:00
Allan dbf476fe5e
Remove unused imports and clippy lint (#2276)
* Fix unused import errors
* Apply clippy get_first lint
* Add contributor

---------

Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
2023-11-01 05:54:29 +00:00
Firstyear afe9d28754
20231019 1122 account policy basics (#2245)
---------

Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
2023-10-22 11:16:42 +00:00
Firstyear bab268288a
Remove unused crate users (#2240) 2023-10-18 00:36:15 +00:00
Firstyear 88da55260a
Add file diagnosis (#2210) 2023-10-12 12:09:54 +10:00
James Hodgkinson 19f9fde012
Thread naming and display (#2190)
* sometimes handlers fail
* enums are better than strings
* clippyisms
2023-10-08 13:08:46 +10:00
Firstyear 3e345174b6
68 20230919 replication configuration (#2131) 2023-09-29 12:02:13 +10:00
James Hodgkinson a239fbdd94
Yaleman/issue989 (#2111)
* adding version command to ssh_authorizedkys
* adding version and help to kanidm_unixd_tasks
2023-09-16 14:22:03 +10:00
James Hodgkinson d5ed335b52
Cinco de yakko (#2108)
* there are always more yaks
* see? ldap yaks.
* fixing stupid radius container build thing
2023-09-16 12:11:06 +10:00
David Mulder 8401c3e1c8
Implement DeviceAuthorizationGrant for MFA (#2079)
Himmelblau will use the DeviceAuthorizationGrant
(defined in RFC8628) to perform MFA. This commit
adds the bits to Kanidm to make that possible,
using the new pam state machine code.

Signed-off-by: David Mulder <dmulder@samba.org>
2023-09-13 07:33:46 +10:00
Kenton Groombridge 0fb1cadbc7
Check in missing users crate for SELinux integration (#2050)
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2023-09-02 15:54:22 +08:00
Firstyear da56738dea
pam multistep auth state machine (#2022)
Himmelblau needs to maintain some data about the state of an authentication across the course of pam exchanges.

Signed-off-by: David Mulder <dmulder@samba.org>
Co-authored-by: David Mulder <dmulder@samba.org>
2023-08-28 09:27:29 +10:00
Firstyear cb2136cf26
Resolve incorrect time units on timeout (#2014) 2023-08-21 14:14:32 +10:00
Firstyear 0183ae6c71
Revert "sqlite where IN for id entry (#1988)" (#1991)
This reverts commit 46f9a36a1c.
2023-08-17 13:47:11 +10:00
James Hodgkinson 46f9a36a1c
sqlite where IN for id entry (#1988)
Fixes #258
2023-08-17 13:32:41 +10:00
Firstyear 87866c568b
1982 service account access (#1985)
* Fix issue with incorrect filter class preventing service account delete
2023-08-16 15:33:28 +10:00
James Hodgkinson 9a6168b67d
Fixing test release (#1983)
* Fixing cargo test --release

* more tracing less dbg
2023-08-15 15:42:15 +10:00
James Hodgkinson 83f189fed3
error handling and web server logging fixes (#1960)
* Fixing the setup_dev_environment script
* clippy calming
* handle_internalunixusertokenread throwing 500's without context
Fixes #1958
2023-08-14 20:47:49 +10:00
James Hodgkinson cc79f7eba1
Are we JSON yet? Kinda. But we're closer. (#1967) 2023-08-14 08:51:44 +10:00
David Mulder 498be4f08a
resolver: Himmelblau needs old token for refresh (#1962)
Himmelblau needs access to the old token during
a refresh otherwise the GECOS is lost (AAD
responds with everything we need except GECOS).

Signed-off-by: David Mulder <dmulder@samba.org>
2023-08-10 07:36:36 +10:00
Firstyear 270b9f8ef2
Resolve build failiures when selinux is enabled (#1927) 2023-08-01 19:08:21 +10:00
Firstyear bf3e16cbd3
Resolve issue with publishing (#1925)
* Resolve issue with publishing

* Fix version
2023-08-01 17:25:32 +10:00
Firstyear cccc20ea42
20230731 release (#1921)
* Cleanup how we check for last git commit to avoid an insecure dep
* Resolve unmaintained or old deps
* Fix ci
2023-07-31 22:27:21 +10:00
Firstyear 62ce42f8c1
Improve default shells for distros (#1920) 2023-07-31 14:58:27 +10:00
Firstyear d731b20a9d
20230728 techdebt paydown (#1909) 2023-07-31 12:20:52 +10:00
Firstyear 99b761c966
20230727 unix int modularity (#1907) 2023-07-28 10:48:56 +10:00
Firstyear 9bcd8d4737
Resolve compilation issue with tpm enabled on linux (#1902) 2023-07-25 13:12:57 +10:00
Firstyear 046a6fb298
20230720 unix int modular (#1881)
* Progress
* Db traits mostly sorted, need to get dyn working next
* updoot
2023-07-24 00:10:37 -07:00
Firstyear e17dcc0ddb
1788 admin unix socket (#1880) 2023-07-24 10:05:10 +10:00
James Hodgkinson 5cd62eb974
Upgraded clap, removing atty as a dependency (#1849)
* upgraded clap, removing atty as a dependency
* changing the PR template so when you add a list up the top it doesn't break the bottom
2023-07-13 12:19:28 +10:00
Firstyear 07580cf57a
Improve selinux in tasks daemon (#1847) 2023-07-11 15:39:28 +10:00
Firstyear 6e01c4802f
Resolve issue with order of operations causing group memberships to disappear (#1845) 2023-07-10 16:59:15 +10:00
David Mulder 76b868b4d3
Fix a typo in the unix daemon debug (#1822)
Signed-off-by: David Mulder <dmulder@samba.org>
2023-07-10 10:58:35 +10:00
James Hodgkinson cc35654388
Converting from tide to axum (#1797)
* Starting to chase down testing
* commenting out unused/inactive endpoints, adding more tests
* clippyism
* making clippy happy v2
* testing when things are not right
* moar checkpoint
* splitting up testkit things a bit
* moving https -> tide
* mad lad be crabbin
* spawning like a frog
* something something different spawning
* woot it works ish
* more server things
* adding version header to requests
* adding kopid_middleware
* well that was supposed to be an hour... four later
* more nonsense
* carrying on with the conversion
* first pass through the conversion is DONE!
* less pub more better
* session storage works better, fixed some paths
* axum-csp version thing
* try a typedheader
* better openssl config things
* updating lockfile
* http2
* actually sending JSON when we say we will!
* just about to do something dumb
* flargl
* more yak shaving
* So many clippy-isms, fixing up a query handler bleep bloop
* So many clippy-isms, fixing up a query handler bleep bloop
* fmt
* all tests pass including basic web logins and nav
* so much clippyism
* stripping out old comments
* fmt
* commenty things
* stripping out tide
* updates
* de-tiding things
* fmt
* adding optional header matching ,thanks @cuberoot74088
* oauth2 stuff to match #1807 but in axum
* CLIPPY IS FINALLY SATED
* moving scim from /v1/scim to /scim
* one day clippy will make sense
* cleanups
* removing sketching middleware
* cleanup, strip a broken test endpoint (routemap), more clippy
* docs fmt
* pulling axum-csp from the wrong cargo.toml
* docs fmt
* fmt fixes
2023-07-05 22:26:39 +10:00
Firstyear 12121bae37
Improve tasks daemon shutdown (#1806) 2023-07-04 15:53:48 +10:00
James Hodgkinson cd7f1781ad
clippy-izing an unsafe in pam (#1795) 2023-07-03 11:13:45 +10:00
Firstyear 0425122ba3
20230629 tpm keygen ... again (#1793) 2023-06-30 12:41:32 +10:00
Firstyear b752ab65b8
20230628 tpm minor issue with key regen (#1790)
* Ignore key that cant be loaded
* fix handle
2023-06-28 18:34:03 +10:00
James Hodgkinson cc1cc691f3
Started chasing noise, found some code to delete... (#1768)
logging changes:

* Offering auth mechanisms -> debug
* 404's aren't really warnings
* double tombstone message, one goes to debug

other changes:

* CSP changes to allow the bootstrap images to load
* more testing javascriptfile things, I R 
* it's nice to know where things are
* putting non-rust web things in static/ instead of src/
* RequestCredentials::SameOrigin is the default, also adding a utility function to save dupe code. Wow this saved... kilobytes.
* removing commented code, fixing up codespell config
* clippyisms
* wtf, gha
* dee-gloo-ing some things
* adding some ubuntu build test things
* sigh rustwasm/wasm-pack/issues/1138
* more do_request things
* packaging things
* hilarious dev env setup script
* updated script works, all the UI works, including the experimental UI for naughty crabs
* deb package fixes
* fixed some notes
* setup experimental UI tweaks
2023-06-27 11:38:22 +10:00
Firstyear 23eb4283e9
Improve tpm key generation - improve unix config for tpms. (#1782) 2023-06-27 10:09:19 +10:00
Firstyear a20dd3b113
Remove r2d2 - sad beep noises (#1766) 2023-06-24 16:15:31 +10:00
Firstyear f3080df628
Implement tpm binding of cached password hashes (#1754) 2023-06-21 20:33:01 +10:00
Firstyear 32a7200305
Fix block_on in ssh authorised keys (#1752) 2023-06-19 15:02:09 +10:00
Firstyear c65be8174a
Add support for argon2id (#1736) 2023-06-16 13:26:05 +10:00
Firstyear a77a7aa2a4
20230614 unix account security - move account name deny to unixd (#1733) 2023-06-15 13:24:53 +10:00
Kenton Groombridge 3c421c240d
unix_integration: also check running SELinux mode (#1704)
For kanidm_unixd_tasks, check the current SELinux mode in addition to
kernel support. If SELinux is disabled at runtime, any attempts to query
the policy will fail, so also disable SELinux features if this is the
case.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2023-06-14 08:58:26 +10:00
Firstyear 466acb4729
Move the socket startup to localise it to the acceptor (#1678) 2023-05-31 16:06:26 +10:00
Kenton Groombridge e3d5f3c8ae
SELinux support for kanidm-unixd-tasks daemon (#1661)
* selinux is an optional feature
* unix_integration: add selinux config option

On SELinux systems, this setting controls whether SELinux relabeling of
newly created home directories should be performed. The default value of
this is on (even on non-SELinux systems), but the tasks daemon will
perform an additional runtime check for SELinux support and will disable
this feature automatically if this check fails.

* unix_integration: wire up home dir selinux labeling
* unix_integration: create equivalence rules in SELinux policy for aliases
* book: document selinux setting
* Add myself to CONTRIBUTORS.md

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2023-05-30 19:51:12 +10:00
Firstyear 21d372c09f
signal handling for tasks daemon (#1651) 2023-05-25 10:43:26 +10:00
Firstyear 33f0034b80
20230424 clippppppppppppyyyyyyyy (#1574)
* Resolve a lot of clips
2023-04-26 21:55:42 +10:00
James Hodgkinson ec8e5dfc31
more-merge unixd commands (#1568)
* fixing unix packaging
* stripping out actions-rs/toolchain
* fixing an error in the qrcode def in cargo.toml
2023-04-25 22:36:17 +10:00
Firstyear ade1591554
Consolidate unix tools (#1566) 2023-04-24 19:47:52 +10:00
Firstyear 9286d3780a
1553 pam remote or local detection (#1565) 2023-04-24 10:19:28 +10:00
MinhPhan8803 00f36f280e
Server daemon logging and exit codes (#1475) 2023-03-23 14:35:42 +10:00
MinhPhan8803 1ec8b29b26
Add unixd exit code (#1453) 2023-03-20 13:15:44 +10:00
MinhPhan8803 adff3fb31a
Unixd daemon improvement (#1454) 2023-03-20 11:47:19 +10:00
Firstyear 00cca81012
1399 cleanup reorg (#1412) 2023-03-01 13:10:52 +10:00