Implements #29 password badlist and quality checking. This checks all new passwords are at least length 10, pass zxcvbn and are not container in a badlist. The current badlist is a preprocessed content of rockyou from seclists, but later wwe'll update this to the top 10million badlist which when processed is about 70k entries..
Implements #23 gidnumber generation. This automatically creates gid numbers for posixaccounts and posixgroups based on the UUID of the object. Alternately, these can be provided if manual allocation is desired. This is an important step in posix attribute support.
Implements #88, acp_enable becomes optional. This is important with regard to migrations. When we migrate, if an attribute is present in the migration we always set the value in the case of a single-value attribute (multivalues interleave). This means an admin who may set acp_enable to false on default shipped access controls would have them forcefully re-activated on each server restart. This change makes acp_enable optional, and removes it from the migration. If NOT present on an ACP, it's considered "true", so that when an admin overrides this value to false, we will permanently respect that choice.
Implements #127 and #125. This adds domain_info support, and spn types and generation. It also correctly handles domain renaming, and has tooling to support this. It "should" work on an upgrade, due to the correct bump of index version, but I plan to test this from a backup of my production instance soon.
Implements #134 Client Builder Pattern. This makes it much easier to build a client by making the configuration of the client lib follow a builder pattern. The error management needs a lot of work still, but for now it's rough and it works.
Implemnt SSH public key management
This implements ssh public key distribution for kanidm, enforcing that
valid ssh public keys are placed into the ssh_publickey attribute, adds
management tools so that accounts can self-service manage their keys,
and finally adds an authorized keys command helper suitable for
sshd_config to utilise.
Implements #100. This refactors our error types to be deserialiseable, and exposes these through the clienterror type with the status codes. There is probably still a lot of improvements here to be made, but they'll be shaken out as the client libs develop I think and we start to see what errors should be exposed.
Implements #6 - create, modify and delete. These are the raw/lowlevel db commands which are really useful for administrators. They aren't intended for normal day to day use though.
This also adds a basic getting started, fixes a missing privilege, adds support for reseting another accounts password, and for server side password generation.
It's likely I'm going to reformat some of the current REST api though to use our higher level internal types.
This adds rest endpoints for schema, group, account listing and individual item getting, client lib to call these end points, and tests for all of these.
Draft of the idm server rest api layout. This is no means a final representation of what this API will look like, but it's important that the ideas and direction, as well as capabilities were documented and discussed.
Partially Implements #6 - add ability for accounts to self set password. This is good for now, as I get closer to a trial radius deployment, but I think I'm finding the rest api probably needs a better plan at this point, as well as probably the way we do the proto and the communication needs some more thoughts too.
* Implement #90 - allow self write to name, displayname, and legalname.
This is an important aspect to respecting peoples autonomy and identities
so that they can change their name when appropriate to them. Limit self read/write to live accounts, and prevent anonymous self-write
This adds the fundamentals of the basic IDM layout. It contains the needed design document, and is designed such that the default admins while powerful, still have some limits upon them.
Add initial statement on rights and ethics. It's not perfect, and I'm sure there is more input from people to be added. But it's a start, and the discussion is open.
Add support for command line options to the server. This supports server sid regeneration, persistence, address binding, tls configuration and more. This also improves TLS support in the client tools for CA cert addition to queries.
Implements #72, attribute uniqueness. This extends schema to have a field "unique" which means a value should be unique for that object, and all other live objects (recycle and tombstones excluded). Note UUID has to retain special handling in base.rs and can't usethis due to needing to check with recycled too..
Implements #60 authsession garbage collection. If we assume that an authsession is around 1024 bytes (this assumes a 16 char name + groups + claims) then this means that in 1Gb of ram we can store about 1 million in progress auth attempts. Obviously, we don't want infinite memory growth, but we can't use an LRU cache due to the future desire to use concurrent trees. So instead we prune the tree based on a timeout when we start and auth operation. Auth session id's are generated from a timestamp similar to how we'll generate replication csn's. We can then apply a diff that will split all items lower than the csn/sid and remove them from future consideration.
We set the default timeout to 5 minutes. This means that assuming 10,000 auths per second, we would require 3GB of ram to process these sessions before they are expired. We expect any deployment with such large loadings can affort 3Gb of ram :)
This adds support for authentication and credential storage to the server.
It also adds account recovery and options for integration test fixtures, refactors
to make the client library easier to manage, and support clean seperation of the
proto vs lib.
This implements strongly typed storage of data types in attribute values. This means that have the future ability to have tagged, hidden, complex or other datatypes in values rather than relying on string manipulations. It helps also to lift the burden on schema to only checking the values types on input from the protocol types, so that comparisons and other conversions will be faster. It also helps to strengthen and check values are valid earlier in conversions.
