mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-23 20:47:01 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity
1979 commits 17 branches 59 tags 246 MiB
Commit graph

321 commits

Author SHA1 Message Date
Firstyear da7ed77dfa
Substring Indexing (#2905) 2024-07-20 03:12:49 +00:00
Firstyear a695e0d75f
Oauth2 in htmx (#2912) 
* Apply suggestions from code review

Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
 2024-07-20 02:30:06 +00:00
Firstyear c7fcdc3e4e
Strict redirect URL enforcement (#2917) 
Add strict OAuth2 URL enforcement per the RFC. This includes a transition process for the next release so that Admins can come into compliance.
 2024-07-20 02:09:50 +00:00
Alin Trăistaru 562f352516
fix typos (#2908) 
* fix typos and misspellings
* use proper capitalization
* Apply suggestions from code review
---------

Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
 2024-07-18 03:22:20 +00:00
Firstyear faef3d0a4b
Fix issues with suspend reported by himmelblau (#2911) 2024-07-17 10:33:04 +10:00
James Hodgkinson eddec88429
making the internals of kanidmclientconfig public for other users (#2895) 
* making the internals of kanidmclientconfig public for other users
* clippyisms
 2024-07-15 10:28:23 +00:00
Firstyear bf73332088
enable build htmx in docker (#2893) 2024-07-15 08:06:15 +00:00
Firstyear 966e26f874
Fixes the logout flow in htmx and improves the login error dialog (#2889) 2024-07-15 07:34:01 +00:00
Firstyear d7a5097527
htmx logout tidy up (#2884) 2024-07-15 07:11:00 +00:00
Firstyear d0e57442d2
Tidy up replication poll interval (#2883) 2024-07-15 06:16:24 +00:00
dependabot[bot] 404f9de47e
Bump the all group with 8 updates (#2899) 
Bumps the all group with 8 updates:

| Package | From | To |
| --- | --- | --- |
| [bytes](https://github.com/tokio-rs/bytes) | `1.6.0` | `1.6.1` |
| [clap](https://github.com/clap-rs/clap) | `4.5.8` | `4.5.9` |
| [clap_complete](https://github.com/clap-rs/clap) | `4.5.7` | `4.5.8` |
| [hyper](https://github.com/hyperium/hyper) | `1.4.0` | `1.4.1` |
| [serde_with](https://github.com/jonasbb/serde_with) | `3.8.3` | `3.9.0` |
| [syn](https://github.com/dtolnay/syn) | `2.0.69` | `2.0.71` |
| [uuid](https://github.com/uuid-rs/uuid) | `1.9.1` | `1.10.0` |
| [fantoccini](https://github.com/jonhoo/fantoccini) | `0.19.3` | `0.21.0` |


Updates `bytes` from 1.6.0 to 1.6.1
- [Release notes](https://github.com/tokio-rs/bytes/releases)
- [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md)
- [Commits](https://github.com/tokio-rs/bytes/compare/v1.6.0...v1.6.1)

Updates `clap` from 4.5.8 to 4.5.9
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/clap_complete-v4.5.8...v4.5.9)

Updates `clap_complete` from 4.5.7 to 4.5.8
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/clap_complete-v4.5.7...clap_complete-v4.5.8)

Updates `hyper` from 1.4.0 to 1.4.1
- [Release notes](https://github.com/hyperium/hyper/releases)
- [Changelog](https://github.com/hyperium/hyper/blob/master/CHANGELOG.md)
- [Commits](https://github.com/hyperium/hyper/compare/v1.4.0...v1.4.1)

Updates `serde_with` from 3.8.3 to 3.9.0
- [Release notes](https://github.com/jonasbb/serde_with/releases)
- [Commits](https://github.com/jonasbb/serde_with/compare/v3.8.3...v3.9.0)

Updates `syn` from 2.0.69 to 2.0.71
- [Release notes](https://github.com/dtolnay/syn/releases)
- [Commits](https://github.com/dtolnay/syn/compare/2.0.69...2.0.71)

Updates `uuid` from 1.9.1 to 1.10.0
- [Release notes](https://github.com/uuid-rs/uuid/releases)
- [Commits](https://github.com/uuid-rs/uuid/compare/1.9.1...1.10.0)

Updates `fantoccini` from 0.19.3 to 0.21.0
- [Commits](https://github.com/jonhoo/fantoccini/compare/v0.19.3...v0.21.0)

---
updated-dependencies:
- dependency-name: bytes
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: clap
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: clap_complete
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: hyper
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: serde_with
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: syn
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: uuid
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: fantoccini
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
 2024-07-14 15:22:08 -07:00
Firstyear a4a06c1172
Add a migration for future versions that will notify and warn about the removal of security keys. (#2885) 2024-07-12 02:19:43 +00:00
Firstyear 5af33ade0a
Update mtls cert lifetime (#2886) 2024-07-10 21:35:24 +00:00
Merlijn 33ca757bed
[htmx] Apps page (#2868) 
* Add htmx Apps page with halfworking navbar

Co-authored-by: Firstyear <william@blackhats.net.au>
 2024-07-10 12:07:11 +10:00
Firstyear b1480e36f0
20240703 htmx (#2870) 
Complete the remainder of the HTMX rewrite of the login page.
 2024-07-07 03:36:47 +00:00
Merlijn 4795541719
Offer configuration of images for Oauth2 resources (#2665) 2024-07-06 12:25:55 +10:00
Firstyear f9a77ee1f3
2818 2511 oauth2 urls (#2867) 
* Allow multiple origins
* Docs
* Capitalization 'n stuff

---------

Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
 2024-07-05 23:17:26 +00:00
Firstyear 3ec9b320a1
20240620 htmx (#2854) 
* progress
* Okay, main swap works and can login with pw+totp
* Feedback
* bypassing docs tests temporarily
 2024-07-02 10:59:06 +00:00
Firstyear b58370adc8
Configurable thread count (#2847) 
* added `thread_count` configuration for the server
* added `thread_count` to orca

---------

Co-authored-by: Sebastiano Tocci <sebastiano.tocci@proton.me>
 2024-06-21 11:47:36 +10:00
Firstyear 10e15fd6b3
20240613 performance improvements (#2844) 
Thanks to @Seba-T's work with Orca, we were able to identify a number of performance issues in certain high load conditions.

This commit contains fixes for the following issues

* Unbounded Memory Growth - due to how ARCache works, to maintain temporal consistency it must retain copies of keys (not values) in a special data set for tracking. The Filter Resolve Cache was using unresolved filters as keys. This caused memory explosions when refint or memberof were updating a group with a large number of members because they would emit a query with hundreds of filter terms that would only be used once and never again, causing the ARCache haunted set to grow without bound. To limit this, we no longer cache large/complex queries for resolution, and in future we may implement some other methods to reduce this like sha256/hmac of the queries.

* When creating a new account, dyngroups would be engaged to add the account as a member due to the matching scope. However the change to the dyngroup was triggering an update of all the dyngroups *members* related memberof attributes. This would mean that adding an account would trigger every other account to be loaded an updated.

* When memberof would iterate over leaf entries and update them one at a time. This mean a large number of small fragmented queries in the case of a lot of leaf entries being updated. Now leaf entries are updated in a single stripe once groups are stabilised.

* Member of would always trigger it's members to always update. Instead, we should only update members where a difference is observed, or all members if the group's memberof itself has changed since this needs to propogate to all leaf entries. This significantly reduces the amount of writes and operations to examine the changed member of set.

* Referential integrity would examine all reference uuids on entries for validity rather than just the reference uuids that were altered within the transaction. This change means that only uuids that were *added* are validated during an operation. 

* During async write backs (delayed actions) these were performed one at a time. Instead, when possible this should be done in a single transaction as the write transaction caches all writes in memory until the commit meaning that by batching we reduce overall latency.

* In the server there can only be one write transaction and many readers. These are guarded by tokio semaphores that act as fair queues - first in gets the lock next. Due to the design of the server readers would be blocked on the *database* semaphore, and writers would block on the write semaphore and THEN the database semaphore. This arrangement was creating a situation which unfairly advantaged readers over writers, as any write would first have to become the head of it's queue, and then compete with all readers to access a db transaction. Instead, we now have a reader semaphore with size threads minus 1, clamped at a minimum of 1. This means that provided there are two or more threads, then a writer will *always* have a database handle available, and readers will pre-queue with each other before queueing on the db ticket. If there is only one thread, then writes and reads will alternate between each other fairly.
 2024-06-20 02:50:00 +00:00
Joshua M. Clulow e591b5f2cc
illumos support (#2838) 
* disable mimalloc on illumos, in part because it immediately segfaults,
  but also because we prefer libumem and link it into all Rust binaries

* switch from fs2 (unmaintained crate) to fs4 which provides the same
  interface and has wider platform support
 2024-06-15 05:20:11 +00:00
Firstyear 9c4e8bb90a
20240611 performance (#2836) 
While basking under the shade of the coolabah tree, I was overcome by an intense desire to improve the performance and memory usage of Kanidm.

This pr reduces a major source of repeated small clones, lowers default log level in testing, removes some trace fields that are both large and probably shouldn't be traced, and also changes some lto settings for release builds.
 2024-06-12 16:48:49 -07:00
dependabot[bot] ea7e52326d
Bump the all group across 1 directory with 5 updates (#2835) 
Bumps the all group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [clap](https://github.com/clap-rs/clap) | `4.5.4` | `4.5.7` |
| [clap_complete](https://github.com/clap-rs/clap) | `4.5.2` | `4.5.5` |
| [regex](https://github.com/rust-lang/regex) | `1.10.4` | `1.10.5` |
| [url](https://github.com/servo/rust-url) | `2.5.0` | `2.5.1` |
| [escargot](https://github.com/crate-ci/escargot) | `0.5.10` | `0.5.11` |



Updates `clap` from 4.5.4 to 4.5.7
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/clap_complete-v4.5.4...v4.5.7)

Updates `clap_complete` from 4.5.2 to 4.5.5
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/clap-rs/clap/compare/clap_complete-v4.5.2...clap_complete-v4.5.5)

Updates `regex` from 1.10.4 to 1.10.5
- [Release notes](https://github.com/rust-lang/regex/releases)
- [Changelog](https://github.com/rust-lang/regex/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rust-lang/regex/compare/1.10.4...1.10.5)

Updates `url` from 2.5.0 to 2.5.1
- [Release notes](https://github.com/servo/rust-url/releases)
- [Commits](https://github.com/servo/rust-url/compare/v2.5.0...v2.5.1)

Updates `escargot` from 0.5.10 to 0.5.11
- [Changelog](https://github.com/crate-ci/escargot/blob/master/CHANGELOG.md)
- [Commits](https://github.com/crate-ci/escargot/compare/v0.5.10...v0.5.11)

---
updated-dependencies:
- dependency-name: clap
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: clap_complete
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: regex
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: url
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: escargot
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-06-11 07:47:49 -07:00
Firstyear bd6d9284c0
20240607 2417 piv (#2829) 
Add some more ground work for future PIV/x509 authentication.
 2024-06-11 00:54:57 +00:00
Daniil Egortsev 074646bcf3
fix: typos in OpenApi (#2827) 2024-06-10 17:37:19 +00:00
dependabot[bot] a3f66225de
Bump the all group with 7 updates (#2811) 
* Bump the all group with 7 updates

Bumps the all group with 7 updates:

| Package | From | To |
| --- | --- | --- |
| [kanidm-hsm-crypto](https://github.com/kanidm/hsm-crypto) | `0.1.6` | `0.2.0` |
| [base64](https://github.com/marshallpierce/rust-base64) | `0.21.7` | `0.22.1` |
| [lru](https://github.com/jeromefroe/lru-rs) | `0.8.1` | `0.12.3` |
| [proc-macro2](https://github.com/dtolnay/proc-macro2) | `1.0.84` | `1.0.85` |
| [tokio](https://github.com/tokio-rs/tokio) | `1.37.0` | `1.38.0` |
| [axum-auth](https://github.com/owez/axum-auth) | `0.4.1` | `0.7.0` |
| [jsonschema](https://github.com/Stranger6667/jsonschema-rs) | `0.17.1` | `0.18.0` |


Updates `kanidm-hsm-crypto` from 0.1.6 to 0.2.0
- [Commits](https://github.com/kanidm/hsm-crypto/commits)

Updates `base64` from 0.21.7 to 0.22.1
- [Changelog](https://github.com/marshallpierce/rust-base64/blob/master/RELEASE-NOTES.md)
- [Commits](https://github.com/marshallpierce/rust-base64/compare/v0.21.7...v0.22.1)

Updates `lru` from 0.8.1 to 0.12.3
- [Changelog](https://github.com/jeromefroe/lru-rs/blob/master/CHANGELOG.md)
- [Commits](https://github.com/jeromefroe/lru-rs/compare/0.8.1...0.12.3)

Updates `proc-macro2` from 1.0.84 to 1.0.85
- [Release notes](https://github.com/dtolnay/proc-macro2/releases)
- [Commits](https://github.com/dtolnay/proc-macro2/compare/1.0.84...1.0.85)

Updates `tokio` from 1.37.0 to 1.38.0
- [Release notes](https://github.com/tokio-rs/tokio/releases)
- [Commits](https://github.com/tokio-rs/tokio/compare/tokio-1.37.0...tokio-1.38.0)

Updates `axum-auth` from 0.4.1 to 0.7.0
- [Commits](https://github.com/owez/axum-auth/commits)

Updates `jsonschema` from 0.17.1 to 0.18.0
- [Release notes](https://github.com/Stranger6667/jsonschema-rs/releases)
- [Changelog](https://github.com/Stranger6667/jsonschema-rs/blob/master/CHANGELOG.md)
- [Commits](https://github.com/Stranger6667/jsonschema-rs/compare/rust-v0.17.1...rust-v0.18.0)

---
updated-dependencies:
- dependency-name: kanidm-hsm-crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: base64
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: lru
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: proc-macro2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: tokio
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: axum-auth
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: jsonschema
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>

* updating for kanidm-hsm change

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
 2024-06-08 11:25:09 +00:00
James Hodgkinson a8b47f50d7
Double shutdown doesn't help! (#2828) 
Fixes the fact that the HTTPS server wouldn't shut down while OTLP export was enabled.
 2024-06-08 03:04:36 +00:00
Firstyear f39dd7d7a2
Add development taint flag to prevent mismatch of server versions (#2821) 
* Add development taint flag to prevent mismatch of server versions
* Update server/lib/src/constants/schema.rs

---------

Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
 2024-06-07 09:53:30 +10:00
James Hodgkinson b074330ac5
lowering "access search" security log levels (#2819) 
They were very, very noisy, now they're only debug-noisy.
 2024-06-06 11:07:23 +10:00
James Hodgkinson 3c01a96348
Better WebAuthn and other error responses (#2608) 2024-06-05 09:57:16 +10:00
Firstyear 2c0ff46a32
20240530 nightly warnings (#2806) 
* Cleaneup
* Lots of ram saving
 2024-05-30 20:22:19 +10:00
Firstyear 1e7b94b7cf
Regrets Dot Pee Enn Gee (#2804) 
Upgrade Axum

Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
 2024-05-30 12:50:45 +10:00
Firstyear a8b9dc8ee8
2756 - resolve invalid loading of dyngroups at startup (#2779) 
* 2756 - resolve invalid loading of dyngroups at startup
* Add a "patch level" migration for domain one shot fixes
 2024-05-28 02:12:44 +00:00
James Hodgkinson 1d0a606e69
WIP: serialization and domain info setting wonkiness (#2791) 2024-05-28 11:49:30 +10:00
Lukas Schulte Pelkum f5be44f2fc
fix DB_PATH variable propagation (#2797) 2024-05-25 23:27:08 +00:00
Tobias Krischer 814380a7f4
feat: add support for ldap compare request (#2780) 2024-05-25 08:28:52 +10:00
Firstyear 1e1414b38b
Add ACP checking to exists operations. (#2790) 2024-05-24 13:28:01 +10:00
Firstyear 3723abb25d
Allow name write privileges to be withheld (#2773) 2024-05-23 15:58:49 +10:00
Firstyear c1235a7186
Check for same version with backup/restore (#2789) 2024-05-23 01:48:37 +00:00
Firstyear 1e4f6e85ca
Revive Cookies. (#2788) 
* Revive Cookies.
* change from tikv-jemalloc to mimalloc.
 2024-05-23 00:45:42 +00:00
Firstyear 39ac38e266
Update our domain TGT level (#2776) 2024-05-17 16:06:14 +10:00
Firstyear 03f9943d41
Update design for KRC (#2713) 2024-05-15 01:05:11 +00:00
James Hodgkinson 7964f55d59
strip out some debug messages unless *really* debugging. (#2767) 
* kanidm cli logs on debug level - Fixes #2745
* such clippy like wow
* It's important for a wordsmith to know when to get its fixes in.
* updootin' wasms
 2024-05-14 14:56:55 +10:00
James Hodgkinson 9370eeb450
Changing TOTP "copy" box from form field to code block. (#2765) 
* Horizontal scroll bar missing from otp url box, causing potential miss copy/paste
Fixes #2762
 2024-05-14 11:16:48 +10:00
James Hodgkinson aefcdc5ee8
Fixing up build for rust 1.78, hiding things behind cfg(test) etc. (#2753) 
* fixing up build for rust 1.78, hiding things behind cfg(test) etc.
* cleaning up version identifier handling in book gen
 2024-05-07 09:00:55 +10:00
Firstyear 1fb8165825
Update Webauthn and Base64 (#2734) 2024-05-01 04:10:18 +00:00
Firstyear 59162236f5
Add some metadata for lib macros (#2735) 2024-05-01 13:34:39 +10:00
Firstyear 5ff482542b
Clean up utils password rand generation. (#2727) 
We previously used a "performance" optimisation in our password generation
that was likely not needed. This optimisation did *not* impact password
entropy or quality in the generation.

To improve clarity, swap to the Uniform distribution instead.
 2024-04-27 23:22:39 +10:00
Firstyear 2e206b2488
Release 1.2.0 prep (#2724) 
* Release 1.2.0 prep

* Update release notes based on feedback
 2024-04-26 06:56:47 +00:00
Firstyear 58cfc8bdf9
Minor upgrade fixes (#2722) 2024-04-24 17:21:45 +10:00