Fixes#13 and Fixes#135 - webauthn and webauthn with cli. This is the core of webauthn, but only as a single factor. Some changes are still needed for webauthn as MFA and as a verified single factor. This will be made in a subsequent PR.
Fixes#327 - In container run times, the default is to run as root. This may be user with virtualised containers or even to just smooth the "first run" process rather than requiring a user for the process and volumes.
This provides bruteforce protection and ratelimiting to stop
classes of attacks. This impacts all areas where a password or
authentication is performed (unix, ldap, auth).
Fixes#250, replacing cookies with auth-bearer tokens. This is done using fernet with randomised keys each startup. The reason for this is that in the future the size of the auth token may exceed cookie limits, so we must be able to understand and process auth bearer. Additionaly, this lets us store the tokens for say the kanidm cli as reqwest today can't persist a cookie jar.
Fixes#259. Thanks to the linked worked example, we can reduce a problematic set of clones during filter metadata injection. Previously we had to create a new hashset every time we went to resolve index metadata in queries, but with this change we can now just use the copy-on-write hashset instead. This will improve cache access, reduces clones, and more. In a cargo test run this takes out nearly 15% of the execution time (on my system reducing the test time by nearly 35 seconds).
https://github.com/sunshowers/borrow-complex-key-example/blob/master/src/lib.rs
This finishes some of the outstanding clippy issues that existed. Additionally, we updated all the project deps and updated libraries we could in the project. A bug exists currently in cargo outdated that is preventing further updates to this however, but that's a bit out of my hands.
this completely removes actix and actix-web from the codebase, replacing it with tokio and http-rs/tide. Due to a current temporary limit in tokio parts with openssl/libressl, rustls is used for the webserver, but I'll change this back once that issue is resolved. For now there are likely some other clippy issues, but the next step now is that I can finally run cargo outdated and update this and the other kanidm/* deps to be up to date due to no longer being held back on versions by actix. So following this, I need to finish clippy warnings, and run cargo outdated and cargo audit.
Fixes#295 on login pw upgrade. This adds support for SSHA512 to be imported at the request of @colbyprior, and adds a delayed action queue so that events can be run after-the-fact so that authentication does not need to exist under the write path.
Fixes#67 and #237 - this add's resource limits to all server accounts by default. These limits bound the size of search sets, how many entries can be tested with filter tests, disables unindexed queries, and limits the size of filters to prevent stack depth and other issues.
Fixes#61 and fixes#234 - this rewrites quite a few internals of refint and memberof to make them much more efficient compared to previously. This takes nearly 70s out of the test execution time - a full 25% of the run time of tests.
A number of other improvements have been made through out with regard to memory pre-alloc for hashset/hashmap, fixing some more types, and reducing some un-needed allocations.
Fixes#260fixes#257fixes#157. This is really a set of cleanups around the code base to minimise clones, choose better datastructures for specific tasks, improve the ability to pass references in certain calls and more. Generally this just makes everything a bit smoother, and really has big gains on the write path (it's about 20% faster now).
This allows configuration of which attribute is presented during gid/uid resolution, adds home directory prefixing, and home directory name attribute selection.
Fixes#212 and Fixes#262. This is largely a performance improvement and security improvement to how the databases are handled. The major cases are create/modify/reindex performance,
Fixes#195 pre release cleanup. This does a LOT, clippy, formatting, and much much more. It fixes a lot of parts of the book, improves server config and more.
Add's improvements to ldap compatibility. This stabilises DN formats and how they are returned, and adds the name2uuid index to help speed up binds and entry resolves on large queries. Even on the largest queries, this is able to process them rapidly, and the ldap interface now has single operation times of sub 0.001 second even on 100k entry databases with references.
adds an LDAP gateway to the server. It supports TLS if configured for the webserver, using the same parameters. It is a read only interface, only supporting bind via the configured posix password.
This adds support to do on-upgrade migrations of the previous iutf8 type to iname, iname contains a better checker of the content of the name values that will become spn's, this allows auth via spn as well as just name. This really just does a lot of clean up to make spns more viable. #181 is still outstanding, but you can currently already login via spn a posixid_to_uuid supports this, it's only the resolving of unixgroup/accounts that need to have name as Option to cause a fall back to spn when in a trust.
