Firstyear
fbc021f487
20240221 2489 cleanup api v1 ( #2573 )
2024-02-27 09:25:02 +00:00
James Hodgkinson
4096b8f02d
Changing to allow startup without a config file ( #2582 )
...
* Changing to allow startup without a config file, using environment variables
2024-02-27 15:40:00 +10:00
Firstyear
7b490d73dc
Allow /dev/tpmrm0 on older systemd versions ( #2587 )
...
Older systemd versions require a specific device allow for the tpm to be accessed.
2024-02-27 02:13:31 +00:00
Firstyear
adb575947f
Adjust output of claim maps for better parsing ( #2566 )
...
* Adjust output of claim maps for better parsing
* Update python tests for OAuth2 bits
* fixing workflows for container builds
---------
Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
2024-02-26 13:33:32 +10:00
dependabot[bot]
1a6400b58e
chore(deps): bump the all group in /pykanidm with 4 updates ( #2585 )
...
Bumps the all group in /pykanidm with 4 updates: [pydantic](https://github.com/pydantic/pydantic ), [coverage](https://github.com/nedbat/coveragepy ), [mkdocs-material](https://github.com/squidfunk/mkdocs-material ) and [pook](https://github.com/h2non/pook ).
Updates `pydantic` from 2.6.1 to 2.6.2
- [Release notes](https://github.com/pydantic/pydantic/releases )
- [Changelog](https://github.com/pydantic/pydantic/blob/main/HISTORY.md )
- [Commits](https://github.com/pydantic/pydantic/compare/v2.6.1...v2.6.2 )
Updates `coverage` from 7.4.1 to 7.4.3
- [Release notes](https://github.com/nedbat/coveragepy/releases )
- [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst )
- [Commits](https://github.com/nedbat/coveragepy/compare/7.4.1...7.4.3 )
Updates `mkdocs-material` from 9.5.9 to 9.5.11
- [Release notes](https://github.com/squidfunk/mkdocs-material/releases )
- [Changelog](https://github.com/squidfunk/mkdocs-material/blob/master/CHANGELOG )
- [Commits](https://github.com/squidfunk/mkdocs-material/compare/9.5.9...9.5.11 )
Updates `pook` from 1.4.2 to 1.4.3
- [Release notes](https://github.com/h2non/pook/releases )
- [Changelog](https://github.com/h2non/pook/blob/master/History.rst )
- [Commits](https://github.com/h2non/pook/compare/v1.4.2...v1.4.3 )
---
updated-dependencies:
- dependency-name: pydantic
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: all
- dependency-name: coverage
dependency-type: direct:development
update-type: version-update:semver-patch
dependency-group: all
- dependency-name: mkdocs-material
dependency-type: direct:development
update-type: version-update:semver-patch
dependency-group: all
- dependency-name: pook
dependency-type: direct:development
update-type: version-update:semver-patch
dependency-group: all
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-02-26 09:00:14 +10:00
Sebastiano Tocci
d3af1a9e1b
improved error description for commit_credential_update ( #2579 )
2024-02-24 00:18:38 +00:00
Firstyear
3bf16d4253
Make /status less noisy ( #2574 )
2024-02-22 17:34:46 +10:00
dependabot[bot]
8611bb7135
chore(deps): bump cryptography from 42.0.2 to 42.0.4 in /pykanidm ( #2567 )
...
Bumps [cryptography](https://github.com/pyca/cryptography ) from 42.0.2 to 42.0.4.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst )
- [Commits](https://github.com/pyca/cryptography/compare/42.0.2...42.0.4 )
---
updated-dependencies:
- dependency-name: cryptography
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-02-22 12:12:30 +10:00
Firstyear
752bdf7578
Add system range protection ( #2565 )
2024-02-21 23:27:37 +10:00
Michel Le Bihan
1d34947ee9
Fix string comparison in Debian build script ( #2409 )
2024-02-21 02:13:20 +00:00
James Hodgkinson
4efdb7208f
of course I started looking at clippy things and now I can't stop ( #2560 )
2024-02-21 00:52:10 +00:00
Firstyear
68d788a9f7
20240216 308 resource limits ( #2559 )
...
This adds account policy based resource limits to control the maximum
number of entries that an account may query
2024-02-21 00:15:43 +00:00
Daniil Egortsev
5701da8f23
fix(oauth2): typo in basic path ( #2562 )
2024-02-20 22:20:37 +00:00
James Hodgkinson
5794cc5217
Adding duplicate-finder script ( #2550 )
...
* Adding duplicate-finder script
* removing unused constant and updated docstring
2024-02-20 08:39:16 +00:00
James Hodgkinson
097db70c3d
prctl compile-time fixes, also chasing lints ( #2558 )
...
* fixing up error handling for prctl calls
* minor clippy lintypoos
* making clippy happier
* clippizing a test
* more clippy-calming
* adding tpm-udev to ubuntu flows for testing
* rebuilt wasm
* moving from rg to grep because someone doesn't like nice things
* such clippy like wow
* clippy config to the rescue
2024-02-20 18:21:33 +10:00
James Hodgkinson
84b2c4956d
Removing unused constant and updating docstring for LDAP bind address ( #2556 )
2024-02-20 11:10:02 +10:00
dependabot[bot]
8ec63f3e92
chore(deps-dev): bump the all group in /pykanidm with 3 updates ( #2553 )
...
Bumps the all group in /pykanidm with 3 updates: [black](https://github.com/psf/black ), [pook](https://github.com/h2non/pook ) and [ruff](https://github.com/astral-sh/ruff ).
Updates `black` from 24.1.1 to 24.2.0
- [Release notes](https://github.com/psf/black/releases )
- [Changelog](https://github.com/psf/black/blob/main/CHANGES.md )
- [Commits](https://github.com/psf/black/compare/24.1.1...24.2.0 )
Updates `pook` from 1.4.0 to 1.4.2
- [Release notes](https://github.com/h2non/pook/releases )
- [Changelog](https://github.com/h2non/pook/blob/master/History.rst )
- [Commits](https://github.com/h2non/pook/compare/v1.4.0...v1.4.2 )
Updates `ruff` from 0.2.1 to 0.2.2
- [Release notes](https://github.com/astral-sh/ruff/releases )
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md )
- [Commits](https://github.com/astral-sh/ruff/compare/v0.2.1...v0.2.2 )
---
updated-dependencies:
- dependency-name: black
dependency-type: direct:development
update-type: version-update:semver-minor
dependency-group: all
- dependency-name: pook
dependency-type: direct:development
update-type: version-update:semver-patch
dependency-group: all
- dependency-name: ruff
dependency-type: direct:development
update-type: version-update:semver-patch
dependency-group: all
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-02-19 08:54:50 +10:00
Firstyear
ea5ff6814c
Support Policy Updates ( #2536 )
...
* Support Policy Updates
---------
Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
2024-02-18 00:44:11 +00:00
dependabot[bot]
3c08be8db8
chore(deps): bump cryptography from 42.0.0 to 42.0.2 in /pykanidm ( #2548 )
...
Bumps [cryptography](https://github.com/pyca/cryptography ) from 42.0.0 to 42.0.2.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst )
- [Commits](https://github.com/pyca/cryptography/compare/42.0.0...42.0.2 )
---
updated-dependencies:
- dependency-name: cryptography
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-02-17 22:47:09 +10:00
Firstyear
cc28fb2c4b
Re-enable HW tpm support ( #2531 )
2024-02-17 01:30:08 +00:00
Firstyear
62dff7565e
Add further hardening for system services ( #2542 )
2024-02-17 00:11:32 +00:00
James Hodgkinson
7394ac86cb
fixing the test script ( #2547 )
2024-02-16 23:54:07 +00:00
James Hodgkinson
48f33fb8c9
when the HTTPS server fails, handle that gracefully ( #2546 )
2024-02-16 08:30:43 +00:00
Firstyear
816fde766f
Fix update intent ttl parameters ( #2540 )
2024-02-16 07:02:36 +00:00
James Hodgkinson
faec47d13f
radius build workflow fixes ( #2541 )
...
* radius build workflow fixes
2024-02-16 03:12:59 +00:00
Firstyear
7a78cb8a80
Conflict nscd, start before sshd ( #2539 )
2024-02-16 02:24:37 +00:00
Firstyear
a4c2e66afd
Fix incorrect documentation elements ( #2533 )
...
This adds the account-policy section for credential-type-minimums
and fixes the replication config defaults to match the documented
behaviour.
2024-02-16 01:58:41 +00:00
Firstyear
3549c8562f
Remove replication is in dev flag ( #2535 )
2024-02-16 11:39:43 +10:00
James Hodgkinson
6b44495704
Ordering auth methods in the CLI ( #2508 )
...
* rewriting ordering of authallowed enum
* ordering the authstate in the CLI
---------
Co-authored-by: William Brown <william@blackhats.net.au>
2024-02-15 12:31:01 +10:00
Firstyear
e880a63be4
Set lowercase owner name in tag ( #2534 )
2024-02-15 11:48:48 +10:00
Firstyear
002ab13698
Add code_challenge_methods_supported to OIDC discovery ( #2525 )
2024-02-15 09:17:08 +10:00
David Mulder
a315d8d440
Himmelblau requires the machine key for unix_user_get ( #2523 )
...
I need access to the machine key here in order to
send a new request to Azure for user details.
Signed-off-by: David Mulder <dmulder@samba.org>
Co-authored-by: Firstyear <william@blackhats.net.au>
2024-02-13 01:11:30 +00:00
Vladimir Dronnikov
2e0dd40806
Extend on Apache example ( #2524 )
...
As per On Apache discussion
2024-02-13 10:44:09 +10:00
dependabot[bot]
f3ca0f4fa6
chore(deps): bump the all group in /pykanidm with 4 updates ( #2520 )
...
Bumps the all group in /pykanidm with 4 updates: [pydantic](https://github.com/pydantic/pydantic ), [pytest-asyncio](https://github.com/pytest-dev/pytest-asyncio ), [mkdocs-material](https://github.com/squidfunk/mkdocs-material ) and [ruff](https://github.com/astral-sh/ruff ).
Updates `pydantic` from 2.6.0 to 2.6.1
- [Release notes](https://github.com/pydantic/pydantic/releases )
- [Changelog](https://github.com/pydantic/pydantic/blob/main/HISTORY.md )
- [Commits](https://github.com/pydantic/pydantic/compare/v2.6.0...v2.6.1 )
Updates `pytest-asyncio` from 0.23.4 to 0.23.5
- [Release notes](https://github.com/pytest-dev/pytest-asyncio/releases )
- [Commits](https://github.com/pytest-dev/pytest-asyncio/compare/v0.23.4...v0.23.5 )
Updates `mkdocs-material` from 9.5.7 to 9.5.9
- [Release notes](https://github.com/squidfunk/mkdocs-material/releases )
- [Changelog](https://github.com/squidfunk/mkdocs-material/blob/master/CHANGELOG )
- [Commits](https://github.com/squidfunk/mkdocs-material/compare/9.5.7...9.5.9 )
Updates `ruff` from 0.2.0 to 0.2.1
- [Release notes](https://github.com/astral-sh/ruff/releases )
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md )
- [Commits](https://github.com/astral-sh/ruff/compare/v0.2.0...v0.2.1 )
---
updated-dependencies:
- dependency-name: pydantic
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: all
- dependency-name: pytest-asyncio
dependency-type: direct:development
update-type: version-update:semver-patch
dependency-group: all
- dependency-name: mkdocs-material
dependency-type: direct:development
update-type: version-update:semver-patch
dependency-group: all
- dependency-name: ruff
dependency-type: direct:development
update-type: version-update:semver-patch
dependency-group: all
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-02-12 07:51:36 +10:00
Firstyear
c892cd01d5
List of supported features ( #2499 )
...
Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
2024-02-10 10:56:16 +10:00
Firstyear
e3e77fe7b4
Update to latest dev version ( #2486 )
2024-02-08 09:54:07 +10:00
Firstyear
7567514044
Release 1.1.0-rc.16 ( #2483 )
2024-02-07 04:39:02 +00:00
Firstyear
cdbaefe23d
Fix for incorrect domain migration rollbacks ( #2482 )
2024-02-07 13:11:55 +10:00
Firstyear
9050188b29
Add tools for remigration and domain level raising ( #2481 )
2024-02-06 10:01:06 +00:00
dependabot[bot]
a1fbde9f2f
chore(deps): bump cryptography from 41.0.6 to 42.0.0 in /pykanidm ( #2480 )
...
Bumps [cryptography](https://github.com/pyca/cryptography ) from 41.0.6 to 42.0.0.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst )
- [Commits](https://github.com/pyca/cryptography/compare/41.0.6...42.0.0 )
---
updated-dependencies:
- dependency-name: cryptography
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-02-06 15:29:54 +10:00
Firstyear
ddea9c6699
Support SPN in groups claim ( #2474 )
2024-02-06 03:56:04 +00:00
illode
8cd62d4d4a
Credential update tweaks ( #2475 )
...
* Make the Credential Update page more user-friendly
2024-02-06 03:36:22 +00:00
Firstyear
cd27879e7f
Oauth2 pkce faq ( #2473 )
2024-02-06 12:05:52 +10:00
Jinna Kiisuo
aa00ac94d0
Fix debian versioning ( #2472 )
...
* Make the ubuntu_docker_builder.sh script a bit easier to use
- Entrypoint that installs dependencies on launch
- Echo hint on how to build deb packages
* Change debian packaging version string format to fix sort order
The sort order is important so that newer packages are seen as an update
and get installed, instead of apt preferring the older versions!
With these changes, a package is generated as `kanidm_Ubuntu_22.04_1:1.1.0~rc.15-dev~202401311334+c8a9e2c_x86_64.deb`
with the version string `1:1.1.0~rc.15-dev~202401311334+c8a9e2c`
Deb package version string comparison is Complex:
https://man7.org/linux/man-pages/man7/deb-version.7.html
With the previous versioning scheme for dev packages, the git hash
ended up getting prioritized over the date string, see for example:
`dpkg --compare-versions 1.1.0-rc.15-dev-202401100453666448f lt 1.1.0-rc.15-dev-20240120072786916a3; echo $?`
-> 1 (comparison failure)
A simple schema change avoiding most dashes could rescue the hash trouble:
`dpkg --compare-versions 1.1.0~rc.15-dev-202401100453+666448f lt 1.1.0-rc.15-dev-202401200727+86916a3; echo $?`
-> 0 (comparison success)
.. But, the second problem is seeing a stable release as newer:
`dpkg --compare-versions 1.1.0~rc.15-dev~202401100453+666448f lt 1.1.0; echo $?`
-> 1 (comparison failure)
.. Which can be solved by forcing the entire dev portion to not be
interpreted as a debian version by substituting tildes:
`dpkg --compare-versions 1.1.0~rc.15-dev~202401100453+666448f lt 1.1.0; echo $?`
-> 0 (comparison success)
.. But, old schema versions still seem newer due to their debian
version:
`dpkg --compare-versions 1.1.0-rc.15-dev-202401100453666448f lt 1.1.0~rc.15-dev~202401200727+86916a3; echo $?`
-> 1 (comparison failure)
Thus, the only solution is to change the scheme and increment the epoch value once
to force all lesser default epoch versions to be seen as older:
`dpkg --compare-versions 1.1.0-rc.15-dev-202401100453666448f lt 1:1.1.0~rc.15-dev~202401200727+86916a3; echo $?`
-> 0 (comparison success)
`dpkg --compare-versions 1:1.1.0~rc.15-dev~202401200727+86916a3 lt 1:1.1.0; echo $?`
-> 0 (comparison success)
* Drop epoch field from deb filenames
GitHub Actions enforces NTFS compatible artifact filenames, ergo the
colon required for the epoch field is banned. The epoch is still in the
version field itself, just not in the filename.
---------
Co-authored-by: Jinna Kiisuo <jinna+git@nocturnal.fi>
2024-02-05 18:06:43 +10:00
dependabot[bot]
23ae65f686
chore(deps): bump the all group in /pykanidm with 7 updates ( #2479 )
...
Bumps the all group in /pykanidm with 7 updates:
| Package | From | To |
| --- | --- | --- |
| [pydantic](https://github.com/pydantic/pydantic ) | `2.5.3` | `2.6.0` |
| [aiohttp](https://github.com/aio-libs/aiohttp ) | `3.9.2` | `3.9.3` |
| [coverage](https://github.com/nedbat/coveragepy ) | `7.4.0` | `7.4.1` |
| [pytest-asyncio](https://github.com/pytest-dev/pytest-asyncio ) | `0.23.3` | `0.23.4` |
| [black](https://github.com/psf/black ) | `23.12.1` | `24.1.1` |
| [mkdocs-material](https://github.com/squidfunk/mkdocs-material ) | `9.5.4` | `9.5.7` |
| [ruff](https://github.com/astral-sh/ruff ) | `0.1.14` | `0.2.0` |
Updates `pydantic` from 2.5.3 to 2.6.0
- [Release notes](https://github.com/pydantic/pydantic/releases )
- [Changelog](https://github.com/pydantic/pydantic/blob/main/HISTORY.md )
- [Commits](https://github.com/pydantic/pydantic/compare/v2.5.3...v2.6.0 )
Updates `aiohttp` from 3.9.2 to 3.9.3
- [Release notes](https://github.com/aio-libs/aiohttp/releases )
- [Changelog](https://github.com/aio-libs/aiohttp/blob/master/CHANGES.rst )
- [Commits](https://github.com/aio-libs/aiohttp/compare/v3.9.2...v3.9.3 )
Updates `coverage` from 7.4.0 to 7.4.1
- [Release notes](https://github.com/nedbat/coveragepy/releases )
- [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst )
- [Commits](https://github.com/nedbat/coveragepy/compare/7.4.0...7.4.1 )
Updates `pytest-asyncio` from 0.23.3 to 0.23.4
- [Release notes](https://github.com/pytest-dev/pytest-asyncio/releases )
- [Commits](https://github.com/pytest-dev/pytest-asyncio/compare/v0.23.3...v0.23.4 )
Updates `black` from 23.12.1 to 24.1.1
- [Release notes](https://github.com/psf/black/releases )
- [Changelog](https://github.com/psf/black/blob/main/CHANGES.md )
- [Commits](https://github.com/psf/black/compare/23.12.1...24.1.1 )
Updates `mkdocs-material` from 9.5.4 to 9.5.7
- [Release notes](https://github.com/squidfunk/mkdocs-material/releases )
- [Changelog](https://github.com/squidfunk/mkdocs-material/blob/master/CHANGELOG )
- [Commits](https://github.com/squidfunk/mkdocs-material/compare/9.5.4...9.5.7 )
Updates `ruff` from 0.1.14 to 0.2.0
- [Release notes](https://github.com/astral-sh/ruff/releases )
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md )
- [Commits](https://github.com/astral-sh/ruff/compare/v0.1.14...v0.2.0 )
---
updated-dependencies:
- dependency-name: pydantic
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: all
- dependency-name: aiohttp
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: all
- dependency-name: coverage
dependency-type: direct:development
update-type: version-update:semver-patch
dependency-group: all
- dependency-name: pytest-asyncio
dependency-type: direct:development
update-type: version-update:semver-patch
dependency-group: all
- dependency-name: black
dependency-type: direct:development
update-type: version-update:semver-major
dependency-group: all
- dependency-name: mkdocs-material
dependency-type: direct:development
update-type: version-update:semver-patch
dependency-group: all
- dependency-name: ruff
dependency-type: direct:development
update-type: version-update:semver-minor
dependency-group: all
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-02-05 13:01:27 +10:00
dependabot[bot]
881a9baafc
chore(deps): bump the all group with 1 update ( #2478 )
...
Bumps the all group with 1 update: [mozilla-actions/sccache-action](https://github.com/mozilla-actions/sccache-action ).
Updates `mozilla-actions/sccache-action` from 0.0.3 to 0.0.4
- [Release notes](https://github.com/mozilla-actions/sccache-action/releases )
- [Commits](https://github.com/mozilla-actions/sccache-action/compare/v0.0.3...v0.0.4 )
---
updated-dependencies:
- dependency-name: mozilla-actions/sccache-action
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: all
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-02-05 08:28:10 +10:00
Firstyear
23cc2e7745
Fix RUV trim ( #2466 )
...
Fixes two major issues with replication.
The first was related to server refreshes. When a server was refreshed it would retain its server unique id. If the server had lagged and was disconnected from replication an administrator would naturally then refresh its database. This meant that on next tombstone purge of the server, its RUV would jump ahead causing its refresh-supplier to now believe it was lagging (which was not the case).
In the situation where a server is refreshed, we reset the server's unique replication ID which avoids the RUV having "jumps".
The second issue was related to RUV trimming. A server which had older RUV entries (say from servers that have been trimmed) would "taint" and re-supply those server IDs back to nodes that wanted to trim them. This also meant that on a restart of the server, that if the node had correctly trimmed the server ID, it would be re-added in memory.
This improves RUV trimming by limiting what we compare and check as a supplier to only CIDs that are within the valid changelog window. This itself presented challenges with "how to determine if a server should be removed from the RUV". To achieve this we now check for "overlap" of the RUVs. If overlap isn't occurring it indicates split brain or node isolation, and replication is stopped in these cases.
2024-02-02 15:38:45 +10:00
Firstyear
d42268269a
20240125 2217 client credentials grant ( #2456 )
...
* Huge fix of a replication problem.
* Update test
* Increase min replication level
* Client Credentials Grant implementation
2024-02-01 02:00:29 +00:00
Samuel Cabrero
492c3da36c
docs: Add application passwords design document ( #2427 )
...
Related to #41 .
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Pair-Programmed-With: Firstyear <william@blackhats.net.au>
2024-02-01 11:18:05 +10:00
James Hodgkinson
ed2bd846cc
handling master docs ( #2465 )
2024-02-01 00:53:50 +00:00