mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-23 20:47:01 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity
1887 commits 17 branches 59 tags 246 MiB
Commit graph

276 commits

Author SHA1 Message Date
Firstyear 7567514044
Release 1.1.0-rc.16 (#2483) 2024-02-07 04:39:02 +00:00
Firstyear cdbaefe23d
Fix for incorrect domain migration rollbacks (#2482) 2024-02-07 13:11:55 +10:00
Firstyear 9050188b29
Add tools for remigration and domain level raising (#2481) 2024-02-06 10:01:06 +00:00
Firstyear ddea9c6699
Support SPN in groups claim (#2474) 2024-02-06 03:56:04 +00:00
illode 8cd62d4d4a
Credential update tweaks (#2475) 
* Make the Credential Update page more user-friendly
 2024-02-06 03:36:22 +00:00
Firstyear 23cc2e7745
Fix RUV trim (#2466) 
Fixes two major issues with replication.

The first was related to server refreshes. When a server was refreshed it would retain it's server unique id. If the server had lagged and was disconnected from replication and administrator would naturally then refresh it's database. This meant that on next tombstone purge of the server, it's RUV would jump ahead causing it's refresh-supplier to now believe it was lagging (which was not the case).

In the situation where a server is refreshed, we reset the servers unique replication ID which avoids the RUV having "jumps".

The second issue was related to RUV trimming. A server which had older RUV entries (say from servers that have been trimmed) would "taint" and re-supply those server ID's back to nodes that wanted to trim them. This also meant that on a restart of the server, that if the node had correctly trimmed the server ID, it would be re-added in memory.

This improves RUV trimming by limiting what what compare and check as a supplier to only CID's that are within the valid changelog window. This itself presented challenges with "how to determine if a server should be removed from the RUV". To achieve this we now check for "overlap" of the RUVS. If overlap isn't occurring it indicates split brain or node isolation, and replication is stopped in these cases.
 2024-02-02 15:38:45 +10:00
Firstyear d42268269a
20240125 2217 client credentials grant (#2456) 
* Huge fix of a replication problem.
* Update test
* Increase min replication level
* Client Credentials Grant implementation
 2024-02-01 02:00:29 +00:00
James Hodgkinson c8bd1739f9
PyKanidm updates and testing (#2301) 
* otel can eprintln kthx

* started python integration tests, features

* more tests more things

* adding heaps more things

* updating docs

* fixing python test

* fixing errors, updating integration test

* Add models for OAuth2, Person, ServiceAccount and add missing endpoints

* Alias Group to GroupInfo to keep it retrocompatible

* Fixed issues from review

* adding oauth2rs_get_basic_secret

* adding oauth2rs_get_basic_secret

* Fixed mypy issues

* adding more error logs

* updating test scripts and configs

* fixing tests and validating things

* more errors

---------

Co-authored-by: Dogeek <simon.bordeyne@gmail.com>
 2024-01-31 03:27:43 +00:00
Firstyear 50c324c063
Fix inverted key/chain logic from TLS error improvement (#2453) 2024-01-24 16:51:41 +10:00
Firstyear 967bc7c9df
Improve TLS configuration errors (#2447) 
This improves the errors during TLS configuration to localise them to
the error site, as well as calling our file path diagnostics tool
to assist with permission errors.
 2024-01-23 16:13:14 +10:00
Firstyear 86916a3d87
Return sshkey label to cli fields (#2440) 
* Return ssh label to cli fields
 2024-01-20 17:17:57 +10:00
Firstyear b1e7cb13a5
Add rfc8414 metadata (#2434) 2024-01-19 04:14:52 +00:00
Firstyear 8e4980b2c1
Add test for delete referer invalid (#2435) 
When a delete of an entry occurs which is reference by another entry,
if the entry has a MUST schema condition on the deleted entry then the
delete should be blocked to prevent the entries structure becoming
invalid.
 2024-01-19 02:18:11 +00:00
Firstyear 8dc884f38e
2390 1980 allow native applications (#2428) 2024-01-16 10:44:12 +10:00
Firstyear a1fa59b83c
Clean RUV (#2424) 2024-01-12 09:43:20 +10:00
Firstyear 666448f787
Upgrade replication to use anchors (#2423) 
* Upgrade replication to use anchors
 2024-01-10 04:46:08 +00:00
Firstyear 0e44cc1dcb
Minor fixes for oidc with single page applications (#2420) 2024-01-08 23:57:14 +00:00
Firstyear e9340c682e
Use case insensitive match on substrings in line with ldap (#2419) 2024-01-06 15:52:21 +10:00
Firstyear cc79b2a205
20231222 piv authentication (#2398) 
Foundations of PIV authentication
 2023-12-29 23:15:26 +00:00
James Hodgkinson 307a66ea29
Update docs, closes SQLite Write-Ahead Logging might make page size immutable #2404 (#2405) 2023-12-30 08:34:50 +10:00
Firstyear 7f27a6fcd9
Force apply idm migrations to apply access controls (#2401) 2023-12-28 12:24:29 +10:00
cuberoot74088 a16525d520
fix backup filename and regexp pattern for cleanup (#2386) 
Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
 2023-12-24 12:06:43 +00:00
Firstyear fd71a748ca
Add improved domain migration framework and default MFA (#2382) 2023-12-21 14:44:20 +10:00
Firstyear 77b01e3a31
Trim and lowecase usernames (#2380) 2023-12-19 06:41:12 +00:00
Firstyear 3408816932
Add DN as a virtual ldap attr (#2379) 2023-12-19 15:07:19 +10:00
James Hodgkinson a4c44bc5f9
fixing default for oauth2 request_parameter_supported metadata (#2378) 2023-12-19 11:56:47 +10:00
Firstyear 5c445a4704
20231218 ipa sync unix password (#2374) 
* Add support for importing the users password as unix password
 2023-12-18 11:20:37 +10:00
Firstyear d09c2448ff
1481 2024 access control rework (#2366) 
Rework default access controls to better separate roles and access profiles.
 2023-12-17 23:10:13 +00:00
Firstyear 854b696532
249 2024 managed by syntax (#2359) 
Allows hierarchial entry management rules.
 2023-12-07 10:00:09 +00:00
James Hodgkinson 340d41482b
typo (#2356) 2023-12-05 01:22:59 +00:00
Firstyear 4bd5d584cb
20231204 ipa sync minor improvements (#2357) 2023-12-04 16:58:15 +10:00
Firstyear 76269f9de2
20231129 webauthn attestation (#2351) 
This adds full support for attestation of webauthn/passkeys.
 2023-12-03 06:13:52 +00:00
James Hodgkinson 9a464c653c
Using proper axum http headers lib for compatibility (#2348) 2023-12-01 08:55:51 +10:00
Firstyear cbdbaa8fe0
Bearer should send with same caps we accept (#2345) 2023-11-30 09:25:34 +10:00
Firstyear 31b939fca3
20231128 freeipa migration (#2338) 
* Add more weak password formats for freeipa
* Verification of freeipa migration from older ipa versions
 2023-11-29 10:43:15 +10:00
Firstyear ac299b5286
Update to the latest compact-jwt version (#2331) 2023-11-24 02:53:22 +00:00
James Hodgkinson 916bb4ec04
Adding env var configs for the server (#2329) 
* env var config for server
* I am my own clippy now
* Man, that got complicated quick
 2023-11-24 01:27:49 +00:00
Firstyear bb8914c70d
20231120 2320 sssd compat (#2328) 2023-11-22 10:18:03 +10:00
Firstyear b71b0460f3
Add test (#2323) 2023-11-19 21:56:19 +10:00
James Hodgkinson 2be287c1ff
OAuth2 scopes validation logging missing details (#2317) 
* OAuth2 scopes validation logging missing details - Fixes #2316
* clippy was mad
 2023-11-17 16:08:08 +10:00
Firstyear 8f150ad032
20231115 oauth2 authreq (#2310) 
* fix oauth2 requests
* Fix json compat of wasm bindgen
 2023-11-15 12:41:01 +10:00
Firstyear a2a3010860
Remove serde json from wasm (#2304) 
* Remove serde json from wasm
* Fix missing json
 2023-11-12 15:38:37 +10:00
Firstyear 8a40f5ab7b
Fix spelling (#2303) 2023-11-11 03:04:35 +00:00
Firstyear 47bcea7708
20231109 1122 credential class (#2300) 
* Add CredentialType for acc pol
* Reword ui hints
* Finish account policy
* Clean up artefacts
 2023-11-11 09:26:44 +10:00
James Hodgkinson 60e5935faa
Moving daemon tracing to OpenTelemetry (#2292) 
* sally forth into the great otel unknown
* make the build env identification slightly more durable
* docs updates
* wasm recompile
 2023-11-09 05:15:12 +00:00
James Hodgkinson 12f1de8358
Update OpenAPI schema gen to actually... be kinda sorta valid. (#2296) 
* updating lockfile

* OpenAPI validation issues
Fixes #2295

* clippy sez no

* adding another validator, more specs
 2023-11-07 11:35:17 +10:00
Firstyear b7852d1d71
pw min length in account policy (#2289) 2023-11-05 10:33:25 +10:00
James Hodgkinson b9d47fe8f7
oauth2 typo (#2290) 2023-11-04 06:45:40 +00:00
James Hodgkinson 7025a9ff55
Feature: kanidm CLI pulling OpenAPI schema (#2285) 
* diag is super noisy when you actually turn on logging... even though it wasn't an error?
* adding api download-schema to the CLI
* docs
 2023-11-03 17:37:27 +10:00
James Hodgkinson cf35a7e667
Feature: configurable replication poll interval (#2283) 
* Feature: configurable replication poll interval (#2282)
* Updating log messages because REPL != LDAP
 2023-11-02 02:07:53 +00:00
Firstyear 9e5449a644
Minor improvements to incoming replication (#2279) 2023-11-02 01:21:21 +00:00
Allan dbf476fe5e
Remove unused imports and clippy lint (#2276) 
* Fix unused import errors
* Apply clippy get_first lint
* Add contributor

---------

Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
 2023-11-01 05:54:29 +00:00
Samuel Cabrero c3c0b5f459
Rework ldap bind routine (#2268) 
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
 2023-11-01 15:09:22 +10:00
Firstyear a3266978c8
Disable inconsistent test (#2278) 2023-11-01 02:02:53 +00:00
William Brown 4a08b77285 make versions consistent 2023-10-31 21:24:07 +10:00
James Hodgkinson 6642139900
Release 1.1.0-rc.15-dev 2023-10-31 19:26:18 +10:00
James Hodgkinson ef96ca6aa1
started writing docs and ended up in another rabbit hole (#2267) 
* started writing docs and ended up in another rabbit hole
* updoots
* dangit fedora
 2023-10-31 19:15:35 +10:00
James Hodgkinson 3bfc347c53
CLI integration test beginnings (#2261) 
* more integration test things, using assert_cmd to test the CLI end-to-end
* packagez
* making clippy happy
* making deno happy
 2023-10-30 06:10:54 +00:00
William Brown ecc46bb015 Add book chapter + cli 2023-10-28 13:07:06 +10:00
NavinShrinivas b80a3b271c Cargo fmt and clippy checks 
Signed-off-by: NavinShrinivas <karupal2002@gmail.com>
 2023-10-28 13:07:06 +10:00
NavinShrinivas 12ea1c8702 Restrict posix passwords on ldap bind with config 
Signed-off-by: NavinShrinivas <karupal2002@gmail.com>
 2023-10-28 13:07:06 +10:00
James Hodgkinson e02328ae8b
Splitting the SPAs (#2219) 
* doing some work for enumerating how the accounts work together
* fixing up build scripts and removing extra things
* making JavaScript as_tag use the struct field names
* making shared.js a module, removing wasmloader.js
* don't compress compressed things
 2023-10-27 06:03:58 +00:00
James Hodgkinson ad3c491d07
Bug chasing (#2257) 
* service-account validity expire-at doesn't accept all time nouns as defined by docs
Fixes #2153
* realised a logic bug
* making clippy happy while I'm here
* returning an empty set from the creds if the creds attribute is not found, which is then handled downstream
 2023-10-27 05:30:38 +00:00
Samuel Cabrero 99ba97088d
cargo fmt + clippy (#2241) 
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
 2023-10-27 04:40:24 +00:00
James Hodgkinson 7dc18e4f9e
adding service account patch methods (#2255) 
* adding service_account PATCH
 2023-10-26 13:40:45 +10:00
Firstyear afe9d28754
20231019 1122 account policy basics (#2245) 
---------

Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
 2023-10-22 11:16:42 +00:00
Firstyear 6ff9082fd2
20231014 account policy (#2218) 
* Start to prep for unix+ssh keys in credupdate session
 2023-10-19 01:40:06 +00:00
James Hodgkinson 6850a17e8c
Windows build fixes and test coverage (#2220) 
* adding testing for users functions
* turning KanidmClient build error into a ClientError
* removing a redundant closure
 2023-10-17 07:18:07 +00:00
James Hodgkinson eead47aec8
Fixing dependabot and its mistakes (#2232) 
* updating to utoipa 4.0.0
* hi dependabot
 2023-10-16 05:15:53 +00:00
dependabot[bot] 1a36673c46
chore(deps): bump utoipa-swagger-ui from 3.1.5 to 4.0.0 (#2224) 
Bumps [utoipa-swagger-ui](https://github.com/juhaku/utoipa) from 3.1.5 to 4.0.0.
- [Release notes](https://github.com/juhaku/utoipa/releases)
- [Commits](https://github.com/juhaku/utoipa/compare/utoipa-swagger-ui-3.1.5...utoipa-swagger-ui-4.0.0)

---
updated-dependencies:
- dependency-name: utoipa-swagger-ui
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-10-15 20:45:27 +00:00
James Hodgkinson f28d5cef22
OpenAPI/swagger docs autogen (#2175) 
* always be clippyin'
* pulling oauth2 api things out into their own module
* starting openapi generation
 2023-10-14 12:39:14 +10:00
Firstyear 8bcf1935a5
20231012 346 name deny list (#2214) 
* Migrate to improved system config reload, cleanup acc pol
* Denied names feature
 2023-10-13 08:50:36 +10:00
Firstyear 88da55260a
Add file diagnosis (#2210) 2023-10-12 12:09:54 +10:00
Firstyear fbc62ea51e
fix RUV on startup, improve filter output (#2211) 2023-10-11 21:14:27 +10:00
James Hodgkinson d9da1eeca0
Chasing yaks down dark alleyways (#2207) 
* adding some test coverage because there was some rando panic-inducing thing
* ldap constants
* documenting a macro
* helpful weird errors
* the war on strings continues
* less json more better
* testing things fixing bugs
* idm_domain_reset_token_key wasn't working, added a test and fixed it (we weren't testing it)
* idm_domain_set_ldap_basedn - adding tests
* adding testing for idm_account_credential_update_cancel_mfareg
* warning of deprecation
 2023-10-11 15:44:29 +10:00
dependabot[bot] d538f80fa1
chore(deps): bump axum-auth from 0.4.0 to 0.4.1 (#2200) 
Bumps [axum-auth](https://github.com/owez/axum-auth) from 0.4.0 to 0.4.1.
- [Commits](https://github.com/owez/axum-auth/compare/0.4.0...v0.4.1)

---
updated-dependencies:
- dependency-name: axum-auth
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-10-08 21:26:48 +00:00
Firstyear a91bf55471
20231008 remove expect used (#2191) 
* Stop using expect on some tasks
 2023-10-08 17:39:00 +10:00
James Hodgkinson 19f9fde012
Thread naming and display (#2190) 
* sometimes handlers fail
* enums are better than strings
* clippyisms
 2023-10-08 13:08:46 +10:00
James Hodgkinson 48979b8e1a
Replication tweaks - try the most recent successful one and error less (#2189) 
* made an error less error-y and also found a way to try the last-most-working repl peer
 2023-10-07 13:09:42 +10:00
James Hodgkinson 0adc3e0dd9
Chasing wooly quadrapeds again (#2163) 
* I really like well-tended yaks
* documenting yaks
* spellink
* less surprise more good
* schema test fix
* clippyisms
 2023-10-05 12:30:46 +10:00
Firstyear f6d2bcb44b
68 20230929 replication finalisation (#2160) 
Replication is now ready for test deployments!
 2023-10-05 11:11:27 +10:00
James Hodgkinson e7f594a1c1
In-system image storage (#2112) 
* In-system image storage refers to #2057
* adding multipart feature to axum
* thanks to @Firstyear for fixing my bufs
* fixing coverage test things
* clippy-calming
* more tests, jpg acropalypse tests, benches
* spelling
* lockfile updates
* linting
 2023-10-04 17:24:12 +10:00
Firstyear cb985a2fd0
fix credential update intent defaults (#2162) 2023-09-30 20:06:44 +10:00
Firstyear 3e345174b6
68 20230919 replication configuration (#2131) 2023-09-29 12:02:13 +10:00
James Hodgkinson c7a269575c
Enforce TLS key size minimums (#2145) 
* Enforce TLS key size minimums - Fixes #2144
* at some point clippy got mad
 2023-09-26 09:59:00 +10:00
James Hodgkinson c998a1eda5
bindaddress default doesn't match documentation (#2150) 
Fixes #2147
 2023-09-26 09:38:07 +10:00
James Hodgkinson d5ed335b52
Cinco de yakko (#2108) 
* there are always more yaks
* see? ldap yaks.
* fixing stupid radius container build thing
 2023-09-16 12:11:06 +10:00
Firstyear 77da40d528
68 20230912 session consistency (#2110) 
This adds support for special-casing sessions in replication to allow them to internally trim and merge so that session revocations and creations are not lost between replicas.
 2023-09-16 09:22:11 +10:00
James Hodgkinson 383592d921
Schema dooby doo ... yon (#2103) 
Refers #1987

Notable changes:

- in server/lib/src/entry.rs - aiming to pass the enum instead of the strings
    - changed signature of add_ava to take Attribute instead of &str (which is used in the entry_init macro... which was fun)
    - set_ava<T> now takes Attribute
- added TryFrom<&AttrString> for Attribute
 2023-09-12 11:47:24 +10:00
Firstyear b3aed1df34
68 20230908 replication attrunique (#2086) 
Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
 2023-09-12 08:50:51 +10:00
James Hodgkinson d3d80e7364
Schema-dooby-doo-part-trois (#2082) 
* adding extra_attributes field to BuiltinGroup, migrating more things.
* checkpoint 3 - ACP, easy as 1,2,3
* codespell
* now throwing error on dyngroup with defined members
 2023-09-09 09:38:47 +10:00
James Hodgkinson 4b7563adc8
CLI and test things (#2080) 
* testing things actually run is handy
* adding build mode to scripts
* uh, so I started messing with handling exit codes...
 2023-09-09 09:35:59 +10:00
Firstyear 61c59d5a5a
68 20230907 replication (#2081) 
* Test replication when nodes are valid beyond cl trim
 2023-09-08 08:59:06 +10:00
James Hodgkinson 2f312e6b2d
Removing default features from git2 package (#2078) 
* don't need ssh or https in git2 - saves 50.69s

* codespell
 2023-09-06 08:25:29 +10:00
Firstyear d1fe7b9127
68 20230829 replication referential integrity (#2048) 
* Member of works!
* Hooray, refint over replication works.
 2023-09-05 21:30:51 +10:00
James Hodgkinson d5d76d1a3c
Schema dooby doo part two (#2071) 
* scim strings!
* mapmapmap
* mapmapmap -comments and map
* updating delete teest
* fixing some tests
 2023-09-05 16:58:42 +10:00
Firstyear 538429838d
When an empty body was returned, do request would error incorrectly (#2074) 2023-09-05 14:14:00 +10:00
James Hodgkinson 1d88cede1b
Yak hassling (#2059) 
* trying this query thing again
* if error show error not panic
* clippyism
* moving dependencies around and fixing log messages for healthcheck
* cleaning up some comment mess
* fixing the "debug thing breaks packaging" issue and test failures
 2023-09-05 11:50:51 +10:00
dependabot[bot] 07c9a9078e
chore(deps): bump tower-http from 0.4.3 to 0.4.4 (#2064) 
Bumps [tower-http](https://github.com/tower-rs/tower-http) from 0.4.3 to 0.4.4.
- [Release notes](https://github.com/tower-rs/tower-http/releases)
- [Commits](https://github.com/tower-rs/tower-http/compare/tower-http-0.4.3...tower-http-0.4.4)

---
updated-dependencies:
- dependency-name: tower-http
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-09-03 21:04:53 +00:00
Sebastiano Tocci f2e9c8a16e
Add tests for X-Forwarded-For header (kinda) (#1957) 
* Add tests for X-Forwarded-For header (kinda)
* testing for invalid header format
* added debug endpoint and got tests working
* various fixing here and there
 2023-08-31 09:31:16 +08:00