Commit graph

304 commits

Author SHA1 Message Date
Firstyear 82a883089f
Allow versioning of server configs ()
This allows our server configuration to be versioned, in preparation
for a change related to the proxy protocol additions.
2025-04-02 02:44:19 +00:00
Firstyear a2eae53328
20250314 remove protected plugin ()
Removes the protected plugin into an access control module so that its outputs can be properly represented in effective access checks.
2025-04-01 01:00:56 +00:00
Firstyear bf1e9b0989
Make schema indexing a boolean instead of index types ()
Previously on schema definitions for attributes, the list of index
types was manually set on attributes. The issue with this approach is
that not all index types apply to all attribute syntaxes. This made it
error prone not just to Kanidm developers, but to future users who
want to define custom attributes and may incorrectly index those
attributes.

Instead, this changes the index value to be a boolean to indicate
if this attribute should or should not be indexed. Internally Kanidm
has a list of appropriate indexes to apply to these syntax types.

As part of this change, the tests were reviewed to find missing index
types for syntaxes, and other causes of unindexed searches which led
to some changes around the dyngroup plugin (which pushes the boundaries
of a lot of things in Kani due to how it works).
2025-03-21 02:13:54 +00:00
Firstyear 919e0ba6fe
20250225 ldap testing in testkit ()
Add support for ldap servers in integration tests

This allows the ldap interface to be enabled during tests, which is
a final requirement to complete ldap application passwords.
2025-03-11 12:35:31 +10:00
Firstyear dcd5cd23f4
Handle form-post as a response mode ()
Some oauth2 clients apparently ignore what we tell them
and request response modes we don't support.

First, we should deserialise these and error correctly.

Second, to maintain temporary compatibility, we remap
form-post to query. This will be removed in future.
2025-03-05 13:21:09 +10:00
Firstyear 63deda350c
20250225 improve test performance ()
* Ignore tests that are no longer used.

Each time a library or binary is added, that requires compilation to create
the *empty* test harness, which then is executed and takes multiple seconds
to start up, do nothing, and return success.

This removes tests for libraries that aren't actually using or running
any tests.

Additionally, each time a new test binary is added, that adds a ton of
compilation time, but also test execution time as the binary for each
test runner must start up, execute, and shutdown. So this merges all
the testkit integration tests to a single running which significantly
speeds up test execution.

* Improve IDL exists behaviour, improve memberof verification

Again to improve test performance. This improves the validation of idx
existence to be a faster SQLite call, caches the results as needed.

Memberof was taking up a large amount of time in verify phases of test
finalisation, and so a better in memory version has been added.

* Disable TLS native roots when not needed

* Cleanup tests that are hitting native certs, or do nothing at all
2025-03-04 10:36:53 +10:00
Firstyear 25c1c1573e
20250213 patch used wrong acp ()
Migrations and server bootstrap are very interconnected processes
and in this we'll be addressing and improving both.

Server bootstrap was performed by creating base entries in phases,
eventually bringing up enough of the *oldest* supported server
minimum remigration level, to then allow triggering of migrations.

Migrations then applied "patches" effectively on top of this minimum
level to update entries to what they should be in newer versions of
the server.

This scheme has its pros and cons, but the major con was that to
remove a migration meant squashing its content back into the
minimum remigration level, and this was a human process that was
quite error prone and difficult to automate. As well, this scheme
also led to cases where the patch migrations would sometimes *not*
reflect all the needed changes or content, or in one case was actually
undone by a patchlevel fix up that was required to address a bug.

Invariably this led to issues, and cases where a new server may have
different content to a migrated one - not exactly what we want!

This is a new migration scheme that addresses this fragility. However
what it trades is verbosity of the content.

Rather than having a base set of entries and patching/updating small
sections on top, we have migration data folders that contain the full
set of entries as they should appear at that migration level. This
makes the bootstrap process easier as we can just apply the migration
level as a whole, and targeted to what precise version we want.

This also makes migrations more durable as the content is explicitly
copied and all entries fully applied, so there is no risk that a
migration or data change can be forgotten or applied incorrectly. We
are expressing the full state of what our builtin and provided entries
should be.

Finally this rips out a number of places where migration data was being
used as test case data. Not all of these have been replaced (notably
in authsession with Account), but the majority have and have been replaced
with clearer use of constants rather than building whole entries just to
access the name and throw them away for example.
2025-02-28 10:18:48 +10:00
Merlijn 857dcf5087
[htmx] Admin ui for groups and users management ()
* Some progress on admin ui for managing groups and users
* Improve scim querying

---------

Co-authored-by: William Brown <william@blackhats.net.au>
2025-02-22 13:43:54 +10:00
Sebastiano Tocci 9611a7f976
Fixes : add configurable maximum queryable attributes for LDAP () 2025-02-21 12:14:47 +10:00
CEbbinghaus 848af4cecd
TOTP label verification ()
* Adding TOTP Label verification (for both empty and duplicate)
2025-02-19 06:54:50 +00:00
Firstyear ed88b72080
Exempt idm_admin and admin from denied names. ()
idm_admin and admin should be exempted from the denied names process,
as these values will already be denied due to attribute uniqueness.
Additionally improved the denied names check to only validate the
name during a change, not during a modification. This way entries
that become denied can get themselves out of the pickle.
2025-02-15 22:45:25 +00:00
Firstyear 77271c1720
20240213 3413 domain displayname ()
Remove older migrations and make domain displayname optional.
2025-02-14 10:52:49 +10:00
Firstyear 94b7285cbb
Support redirect uris with query parameters ()
RFC 6749 once again reminds us that given the room to do silly
things, RFC authors absolutely will. In this case, it's query
parameters in redirection uris which are absolutely horrifying
and yet, here we are.

We strictly match the query pairs during the redirection to
ensure that if a query pair did allow open redirection, then
we prevent it.
2025-02-13 01:03:15 +00:00
Firstyear af6f55b1fe
Update to 1.6.0-dev () 2025-02-11 07:26:07 +00:00
CEbbinghaus ccde675cd2
feat: Added webfinger implementation ()
Adds WebFinger endpoints to every oauth2 client

Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
2025-02-10 06:10:12 +00:00
James Hodgkinson c89f0c011e
20250209 pre release ()
* fix: removing unused dependencies (assert_cmd, gethostname)
* chore: Release Notes
2025-02-09 10:06:01 +00:00
CEbbinghaus f68906bf1b
chore: Remove empty scopemaps () 2025-02-09 11:19:52 +10:00
CEbbinghaus 7a9bb9eac2
Feat: Allowing spn query with non-spn structured data in LDAP ()
* Added Botch for fixing spn query

* Got Invalid filter working. spn can now be searched on

* Addressed review comments

* Resolved Invalid filter correctly for no index

* Cleaned comments and added tests (still 1 failing)

* Added comments and fixed unit test

* Formatting

* Made Clippy Happy
2025-02-08 06:37:28 +00:00
Firstyear ad3cf8828f
20250205 3369 firefox pin ()
Improve error message when passkey is missing PIN

Firefox still doesn't support setting a PIN on new devices. Because
of this we need a way to return a better error message for devices
that don't have UV configured.
2025-02-06 00:33:59 +00:00
Firstyear 43b7f80535
Correctly return that uuid2spn changed on domain rename ()
Due to a missing equality check in value, when a domain
rename occurred, the uuid2spn index differential function
did not correctly detect that the domain name had updated
which meant that the uuid2spn index was not updated. Only
this index was affected, and a manual reindex would
resolve.
2025-02-06 08:50:45 +10:00
Firstyear 9505b5a732
Allow OAuth2 with empty state parameter () 2025-02-05 00:39:53 +00:00
dependabot[bot] ed76bdbfb1
Bump the all group with 22 updates ()
* Bump the all group with 22 updates

Bumps the all group with 22 updates:

| Package | From | To |
| --- | --- | --- |
| [async-trait](https://github.com/dtolnay/async-trait) | `0.1.83` | `0.1.85` |
| [bitflags](https://github.com/bitflags/bitflags) | `2.6.0` | `2.8.0` |
| [clap](https://github.com/clap-rs/clap) | `4.5.23` | `4.5.27` |
| [clap_complete](https://github.com/clap-rs/clap) | `4.5.40` | `4.5.42` |
| [lodepng](https://github.com/kornelski/lodepng-rust) | `3.10.7` | `3.11.0` |
| [openssl](https://github.com/sfackler/rust-openssl) | `0.10.68` | `0.10.69` |
| [proc-macro2](https://github.com/dtolnay/proc-macro2) | `1.0.92` | `1.0.93` |
| [reqwest](https://github.com/seanmonstar/reqwest) | `0.12.11` | `0.12.12` |
| [rustls](https://github.com/rustls/rustls) | `0.23.20` | `0.23.21` |
| [sd-notify](https://github.com/lnicola/sd-notify) | `0.4.4` | `0.4.5` |
| [serde_json](https://github.com/serde-rs/json) | `1.0.134` | `1.0.137` |
| [syn](https://github.com/dtolnay/syn) | `2.0.93` | `2.0.96` |
| [tempfile](https://github.com/Stebalien/tempfile) | `3.14.0` | `3.15.0` |
| [tokio](https://github.com/tokio-rs/tokio) | `1.42.0` | `1.43.0` |
| [uuid](https://github.com/uuid-rs/uuid) | `1.11.0` | `1.12.1` |
| [oauth2](https://github.com/ramosbugs/oauth2-rs) | `4.4.2` | `5.0.0` |
| [cc](https://github.com/rust-lang/cc-rs) | `1.2.6` | `1.2.10` |
| [axum-extra](https://github.com/tokio-rs/axum) | `0.9.6` | `0.10.0` |
| [axum-macros](https://github.com/tokio-rs/axum) | `0.4.2` | `0.5.0` |
| [fantoccini](https://github.com/jonhoo/fantoccini) | `0.21.3` | `0.21.4` |
| [petgraph](https://github.com/petgraph/petgraph) | `0.6.5` | `0.7.1` |
| [jsonschema](https://github.com/Stranger6667/jsonschema) | `0.28.0` | `0.28.3` |


Updates `async-trait` from 0.1.83 to 0.1.85
- [Release notes](https://github.com/dtolnay/async-trait/releases)
- [Commits](https://github.com/dtolnay/async-trait/compare/0.1.83...0.1.85)

Updates `bitflags` from 2.6.0 to 2.8.0
- [Release notes](https://github.com/bitflags/bitflags/releases)
- [Changelog](https://github.com/bitflags/bitflags/blob/main/CHANGELOG.md)
- [Commits](https://github.com/bitflags/bitflags/compare/2.6.0...2.8.0)

Updates `clap` from 4.5.23 to 4.5.27
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/clap_complete-v4.5.23...clap_complete-v4.5.27)

Updates `clap_complete` from 4.5.40 to 4.5.42
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/clap_complete-v4.5.40...clap_complete-v4.5.42)

Updates `lodepng` from 3.10.7 to 3.11.0
- [Commits](https://github.com/kornelski/lodepng-rust/compare/v3.10.7...v3.11.0)

Updates `openssl` from 0.10.68 to 0.10.69
- [Release notes](https://github.com/sfackler/rust-openssl/releases)
- [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.68...openssl-v0.10.69)

Updates `proc-macro2` from 1.0.92 to 1.0.93
- [Release notes](https://github.com/dtolnay/proc-macro2/releases)
- [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.92...1.0.93)

Updates `reqwest` from 0.12.11 to 0.12.12
- [Release notes](https://github.com/seanmonstar/reqwest/releases)
- [Changelog](https://github.com/seanmonstar/reqwest/blob/master/CHANGELOG.md)
- [Commits](https://github.com/seanmonstar/reqwest/compare/v0.12.11...v0.12.12)

Updates `rustls` from 0.23.20 to 0.23.21
- [Release notes](https://github.com/rustls/rustls/releases)
- [Changelog](https://github.com/rustls/rustls/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rustls/rustls/compare/v/0.23.20...v/0.23.21)

Updates `sd-notify` from 0.4.4 to 0.4.5
- [Changelog](https://github.com/lnicola/sd-notify/blob/master/CHANGELOG.md)
- [Commits](https://github.com/lnicola/sd-notify/compare/v0.4.4...v0.4.5)

Updates `serde_json` from 1.0.134 to 1.0.137
- [Release notes](https://github.com/serde-rs/json/releases)
- [Commits](https://github.com/serde-rs/json/compare/v1.0.134...v1.0.137)

Updates `syn` from 2.0.93 to 2.0.96
- [Release notes](https://github.com/dtolnay/syn/releases)
- [Commits](https://github.com/dtolnay/syn/compare/2.0.93...2.0.96)

Updates `tempfile` from 3.14.0 to 3.15.0
- [Changelog](https://github.com/Stebalien/tempfile/blob/master/CHANGELOG.md)
- [Commits](https://github.com/Stebalien/tempfile/compare/v3.14.0...v3.15.0)

Updates `tokio` from 1.42.0 to 1.43.0
- [Release notes](https://github.com/tokio-rs/tokio/releases)
- [Commits](https://github.com/tokio-rs/tokio/compare/tokio-1.42.0...tokio-1.43.0)

Updates `uuid` from 1.11.0 to 1.12.1
- [Release notes](https://github.com/uuid-rs/uuid/releases)
- [Commits](https://github.com/uuid-rs/uuid/compare/1.11.0...1.12.1)

Updates `oauth2` from 4.4.2 to 5.0.0
- [Release notes](https://github.com/ramosbugs/oauth2-rs/releases)
- [Upgrade guide](https://github.com/ramosbugs/oauth2-rs/blob/main/UPGRADE.md)
- [Commits](https://github.com/ramosbugs/oauth2-rs/compare/4.4.2...5.0.0)

Updates `cc` from 1.2.6 to 1.2.10
- [Release notes](https://github.com/rust-lang/cc-rs/releases)
- [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rust-lang/cc-rs/compare/cc-v1.2.6...cc-v1.2.10)

Updates `axum-extra` from 0.9.6 to 0.10.0
- [Release notes](https://github.com/tokio-rs/axum/releases)
- [Changelog](https://github.com/tokio-rs/axum/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tokio-rs/axum/compare/axum-extra-v0.9.6...axum-extra-v0.10.0)

Updates `axum-macros` from 0.4.2 to 0.5.0
- [Release notes](https://github.com/tokio-rs/axum/releases)
- [Changelog](https://github.com/tokio-rs/axum/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tokio-rs/axum/compare/axum-macros-v0.4.2...axum-macros-v0.5.0)

Updates `fantoccini` from 0.21.3 to 0.21.4
- [Commits](https://github.com/jonhoo/fantoccini/compare/v0.21.3...v0.21.4)

Updates `petgraph` from 0.6.5 to 0.7.1
- [Changelog](https://github.com/petgraph/petgraph/blob/master/RELEASES.rst)
- [Commits](https://github.com/petgraph/petgraph/compare/petgraph@v0.6.5...petgraph@v0.7.1)

Updates `jsonschema` from 0.28.0 to 0.28.3
- [Release notes](https://github.com/Stranger6667/jsonschema/releases)
- [Changelog](https://github.com/Stranger6667/jsonschema/blob/master/CHANGELOG.md)
- [Commits](https://github.com/Stranger6667/jsonschema/compare/rust-v0.28.0...rust-v0.28.3)

Signed-off-by: dependabot[bot] <support@github.com>

* ok the otel stuff works now

* linting fixes

* fix: less parse more from_str, adding a todo

* fix: removing a TODO

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
2025-01-29 13:57:38 +10:00
Firstyear b3be758b74
20250114 3325 SCIM access control ()
Add an extended query operation to return effective access controls so that UIs can dynamically display what is or is not editable on an entry.
2025-01-20 11:28:22 +00:00
James Hodgkinson 419c4a1827
fix: unrecoverable error page doesn't include logo or domain name () 2025-01-14 03:49:20 +00:00
Firstyear e7d91ed55d
20250110 eo fixes ()
While preparing for everything open, I found a small number of doc/book issues, some logging issues, and some minor performance wins. This pr is just small bits of various polish around the place.
2025-01-12 03:53:31 +00:00
Firstyear 1a29aa7301
Add ssh_publickeys as a claim for oauth2 ()
Allow ssh_publickeys to be exposed as a claim for oauth2 and oidc
applications so that they can consume these keys for various uses.
An example could be something like gitlab which can then associate
the public keys with the user's account.
2025-01-08 08:21:28 +00:00
Firstyear 063366cba4
Allow modification of password minimum length ()
Allow all account policy values to be altered on system protected
objects.
2025-01-08 06:51:46 +00:00
micolous 16591007dd
Add OAuth2 response_mode=fragment ()
* Add response_mode=fragment to discovery documents
* Add test for `response_mode=query`
* refactor OAuth 2.0 tests back into regular functions, because macros are messy
* Disallow some `response_type` x `response_mode` combinations per spec
2025-01-08 15:41:01 +10:00
Firstyear 1983ce19e9
Resolve passkey regression ()
During other testing I noticed that passkeys no longer worked
on a reauthentication. This was due to a regression in you
guessed it, cookies, where the auth session id wasn't being
removed properly.
2025-01-07 16:05:14 +10:00
Firstyear 3430a1c31d
Ignore anonymous in oauth2 read allow access ()
Administrators will sometimes configure oauth2 clients with `idm_all_accounts`
as an allowed scope group. Despite anonymous being *unable* to interact with
oauth2, this still allowed oauth2 clients to be read by anonymous in this
configuration. For some users, this may be considered a public info
disclosure.
2025-01-04 03:09:48 +00:00
Firstyear bbefb0b1b1
Update to latest webauthn-rs/time ()
This updates to the latest webauthn-rs release. When
updating, an issue with time was found that changes
the behaviour of its parser for rfc3339. This also
updates our tests to accommodate that change.

Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
2024-12-21 06:45:06 +00:00
Firstyear 9f499f3913
Further SCIM sync testing, minor fixes ()
This adds further testing of SCIM sync, especially around
conversion of the SCIM Sync Person and Group types into
SCIM Entry. This test would have prevented  and
  from occurring.

During testing two more fixes were found. external_id should have
been required (not optional) and a group with no members would
cause a serialisation issue.
2024-12-20 07:16:07 +00:00
Firstyear 50a7d9d700
Allow opt-in of easter eggs ()
So that we can start to add some more easter eggs to the server,
we also need to respect user preferences that may not want them.

This adds a configuration setting to the domain allowing a release
build to opt-in to easter eggs, and development builds to opt-out
of them.
2024-12-19 03:30:35 +00:00
Firstyear 6c3b8500a2
Use specific errors for intent token revoked ()
Rather than the generic 'invalid state' error, we now return
proper site-specific errors for credential commit failures, with
error messages to explain what went wrong.
2024-12-16 10:28:00 +10:00
Firstyear 07b9ca8939
Allow group managers to modify entry-managed-by ()
When we added entry-managed-by, we allowed it to be set on group creation but not post-group-creation. The idea was to delegate ownership of the group. However, this has the obvious trap that an account group like idm_admins can't alter entry-managed-by post creation, needing the use of the admin account which has access control privs, or a delete and recreate of the entry.

Since the idm admin could delete and recreate the group with a new entry manager, there is functionally no difference to allowing them to modify the entry-managed-by here of low priv groups. This changes the group manager access control by default to allow this.
2024-12-10 03:49:57 +00:00
Firstyear 9b3350f753
Cleanup of println and other outputs () 2024-12-04 15:13:14 +10:00
James Hodgkinson 388ed679a8
Check DNS on replication loop start not at task start () 2024-12-03 03:58:16 +00:00
James Hodgkinson 42459f56b0
fix(docstrings): minor lack of formatting breaking things () 2024-12-03 12:52:31 +10:00
Firstyear ea0e63cc2a
20240927 SCIM put () 2024-11-30 06:56:17 +00:00
Firstyear db101e6d26
Clippy Lints () 2024-11-30 06:13:26 +00:00
James Hodgkinson c1ed939c28
Allow OAuth2 loopback redirects if the path matches () 2024-11-30 05:40:05 +00:00
Georg 77e13b817a
Correct spelling of occurred ()
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2024-11-19 00:37:51 +00:00
Firstyear 1218abd8c6
Prevent Invalid MFA Reg States () 2024-11-10 03:36:28 +00:00
Firstyear 0f3f604ba0
Hoist max_age to prevent incorrect deserialisation () 2024-11-09 13:28:29 +09:00
Firstyear 4f87ee2fc8
Use correct oauth2 manage acp () 2024-11-08 01:31:35 +00:00
Firstyear a7394e8875
Re-migrate all acps to force updating ()
* Re-migrate all acps to force updating

* Update server/lib/src/server/migrations.rs

---------

Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
2024-11-07 18:52:42 +09:00
Firstyear 853f787327
security - low - fault in migrations ()
A fault existed in the server's internal migration code, where attributes
that were multivalued would be merged rather than replaced in certain
contexts. This migration path is used for access controls, meaning that
on upgrades, attributes that were meant to be removed from access
controls or changes to access control target groups were not reflected
during the upgrade process.

This has a potentially low security impact as it may have allowed
users to change their name/displayname even if the administrator
had disabled the name_self_write access control.
2024-11-07 14:32:37 +10:00
George Wu fbb3b6b2db
Update missing inputmode numeric when adding a new TOTP. () 2024-10-29 12:57:24 +00:00
Firstyear ce31abeeb0
Improve OAuth2 authorisation ux ()
- Resolve an issue where oauth2 could trigger the login page to
  incorrectly redirect to an oauth2 application instead of apps
- Add indication of what client application we are accessing
  if the session is not yet authenticated
2024-10-29 04:56:28 +00:00
Firstyear a76a0f5a6e
Begin 1.5.0 Development Cycle () 2024-10-27 01:53:24 +00:00