mirror of
https://github.com/kanidm/kanidm.git
synced 2025-06-01 22:03:54 +02:00
Compare commits
14 commits
75dc131239
...
4fae9f1417
Author | SHA1 | Date | |
---|---|---|---|
|
4fae9f1417 | ||
|
be4818e121 | ||
|
5201ec11e8 | ||
|
e97f4bc54c | ||
|
20433f5712 | ||
|
8424863969 | ||
|
526ab2f4c2 | ||
|
3442e3c5bc | ||
|
05ea6ffb01 | ||
|
04d2cfa936 | ||
|
0ea49daf45 | ||
|
4dd5954494 | ||
|
9c6d2a5ee2 | ||
|
8c34ae8a8a |
Cargo.lockCargo.toml
examples
libs
proto/src/scim_v1
pykanidm
server
core
lib/src
testkit-macros/src
testkit
tools
cli/src/cli/system_config
orca/src
unix_integration
common/src
nss_kanidm/src
pam_kanidm/src
resolver/tests
847
Cargo.lock
generated
847
Cargo.lock
generated
File diff suppressed because it is too large
Load diff
54
Cargo.toml
54
Cargo.toml
|
@ -118,9 +118,11 @@ codegen-units = 256
|
|||
# webauthn-rs-proto = { path = "../webauthn-rs/webauthn-rs-proto" }
|
||||
# sshkey-attest = { path = "../webauthn-rs/sshkey-attest" }
|
||||
|
||||
# kanidm-hsm-crypto = { path = "../hsm-crypto" }
|
||||
|
||||
# For BSD nss support
|
||||
libnss = { git = "https://github.com/Firstyear/libnss-rs.git", branch = "20250207-freebsd" }
|
||||
# Allow ssh keys to have comments with spaces.
|
||||
sshkeys = { git = "https://github.com/Firstyear/rust-sshkeys.git", rev = "3a081cbf7480628223bcb96fc8aaa8c19109d007" }
|
||||
|
||||
|
||||
[workspace.dependencies]
|
||||
kanidmd_core = { path = "./server/core", version = "=1.6.0-dev" }
|
||||
|
@ -138,7 +140,7 @@ kanidm_utils_users = { path = "./libs/users", version = "=1.6.0-dev" }
|
|||
scim_proto = { path = "./libs/scim_proto", version = "=1.6.0-dev" }
|
||||
sketching = { path = "./libs/sketching", version = "=1.6.0-dev" }
|
||||
|
||||
anyhow = { version = "1.0.95" }
|
||||
anyhow = { version = "1.0.98" }
|
||||
argon2 = { version = "0.5.3", features = ["alloc"] }
|
||||
askama = { version = "0.12.1", features = ["serde", "with-axum"] }
|
||||
askama_axum = { version = "0.4.0" }
|
||||
|
@ -159,7 +161,7 @@ base64 = "^0.22.1"
|
|||
base64urlsafedata = "0.5.1"
|
||||
bitflags = "^2.8.0"
|
||||
bytes = "^1.9.0"
|
||||
clap = { version = "^4.5.34", features = ["derive", "env"] }
|
||||
clap = { version = "4.5.37", features = ["derive", "env"] }
|
||||
clap_complete = "^4.5.42"
|
||||
# Forced by saffron/cron
|
||||
chrono = "^0.4.39"
|
||||
|
@ -176,16 +178,18 @@ filetime = "^0.2.24"
|
|||
fs4 = "^0.13.0"
|
||||
futures = "^0.3.31"
|
||||
futures-util = { version = "^0.3.30", features = ["sink"] }
|
||||
gix = { version = "0.64.0", default-features = false }
|
||||
hashbrown = { version = "0.14.3", features = ["serde", "inline-more", "ahash"] }
|
||||
gix = { version = "0.71.0", default-features = false }
|
||||
haproxy-protocol = { version = "0.0.1" }
|
||||
hashbrown = { version = "0.15.2", features = ["serde", "inline-more"] }
|
||||
hex = "^0.4.3"
|
||||
http = "1.2.0"
|
||||
http-body-util = "0.1"
|
||||
hyper = { version = "1.5.1", features = [
|
||||
"full",
|
||||
] } # hyper full includes client/server/http2
|
||||
hyper-util = { version = "0.1.10", features = ["server", "tokio"] }
|
||||
idlset = "^0.2.5"
|
||||
image = { version = "0.24.9", default-features = false, features = [
|
||||
image = { version = "0.25.6", default-features = false, features = [
|
||||
"gif",
|
||||
"jpeg",
|
||||
"webp",
|
||||
|
@ -198,16 +202,16 @@ lazy_static = "^1.5.0"
|
|||
ldap3_client = "^0.5.2"
|
||||
ldap3_proto = { version = "^0.5.2", features = ["serde"] }
|
||||
|
||||
libc = "^0.2.168"
|
||||
libc = "0.2.172"
|
||||
libnss = "^0.8.0"
|
||||
libsqlite3-sys = "^0.25.2"
|
||||
lodepng = "3.11.0"
|
||||
lru = "^0.13.0"
|
||||
mathru = "^0.13.0"
|
||||
lru = "0.14.0"
|
||||
mathru = "0.15.5"
|
||||
md-5 = "0.10.6"
|
||||
mimalloc = "0.1.43"
|
||||
mimalloc = "0.1.46"
|
||||
notify-debouncer-full = { version = "0.5" }
|
||||
num_enum = "^0.5.11"
|
||||
num_enum = "0.7.3"
|
||||
oauth2_ext = { version = "^4.4.2", package = "oauth2", default-features = false }
|
||||
openssl-sys = "^0.9"
|
||||
openssl = "^0.10.72"
|
||||
|
@ -229,11 +233,11 @@ tracing-core = "0.1.33"
|
|||
peg = "0.8"
|
||||
pkg-config = "^0.3.31"
|
||||
prctl = "1.0.0"
|
||||
proc-macro2 = "1.0.93"
|
||||
qrcode = "^0.12.0"
|
||||
proc-macro2 = "1.0.95"
|
||||
qrcode = "0.14.1"
|
||||
quote = "1"
|
||||
rand = "^0.8.5"
|
||||
rand_chacha = "0.3.1"
|
||||
rand = "0.9.1"
|
||||
rand_chacha = "0.9.0"
|
||||
regex = "1.11.0"
|
||||
reqwest = { version = "0.12.12", default-features = false, features = [
|
||||
"cookies",
|
||||
|
@ -243,13 +247,13 @@ reqwest = { version = "0.12.12", default-features = false, features = [
|
|||
"rustls-tls-native-roots",
|
||||
"rustls-tls-native-roots-no-provider",
|
||||
] }
|
||||
rusqlite = { version = "^0.28.0", features = ["array", "bundled"] }
|
||||
rustls = { version = "0.23.21", default-features = false, features = [
|
||||
rusqlite = { version = "0.35.0", features = ["array", "bundled"] }
|
||||
rustls = { version = "0.23.26", default-features = false, features = [
|
||||
"aws_lc_rs",
|
||||
] }
|
||||
|
||||
sd-notify = "^0.4.5"
|
||||
selinux = "^0.4.6"
|
||||
selinux = "^0.5.1"
|
||||
serde = "^1.0.217"
|
||||
serde_cbor = { version = "0.12.0-dev", package = "serde_cbor_2" }
|
||||
serde_json = "^1.0.137"
|
||||
|
@ -257,13 +261,13 @@ serde_urlencoded = "^0.7.1"
|
|||
serde_with = "3.12.0"
|
||||
sha-crypt = "0.5.0"
|
||||
sha2 = "0.10.8"
|
||||
shellexpand = "^2.1.2"
|
||||
shellexpand = "3.1.1"
|
||||
smartstring = "^1.0.1"
|
||||
smolset = "^1.3.1"
|
||||
sshkey-attest = "^0.5.0"
|
||||
sshkeys = "0.3.3"
|
||||
svg = "0.13.1"
|
||||
syn = { version = "2.0.96", features = ["full"] }
|
||||
svg = "0.18.0"
|
||||
syn = { version = "2.0.100", features = ["full"] }
|
||||
tempfile = "3.15.0"
|
||||
testkit-macros = { path = "./server/testkit-macros" }
|
||||
time = { version = "^0.3.36", features = ["formatting", "local-offset"] }
|
||||
|
@ -272,7 +276,7 @@ tokio = "^1.44.2"
|
|||
tokio-openssl = "^0.6.5"
|
||||
tokio-util = "^0.7.13"
|
||||
|
||||
toml = "^0.5.11"
|
||||
toml = "^0.8.20"
|
||||
tracing = { version = "^0.1.41", features = [
|
||||
"max_level_trace",
|
||||
"release_max_level_debug",
|
||||
|
@ -299,6 +303,6 @@ walkdir = "2"
|
|||
|
||||
x509-cert = "0.2.5"
|
||||
|
||||
zxcvbn = "^2.2.2"
|
||||
zxcvbn = "3.1.0"
|
||||
|
||||
nonempty = "0.8.1"
|
||||
nonempty = "0.11.0"
|
||||
|
|
|
@ -13,16 +13,6 @@ bindaddress = "[::]:443"
|
|||
# Defaults to "" (disabled)
|
||||
# ldapbindaddress = "[::]:636"
|
||||
#
|
||||
# HTTPS requests can be reverse proxied by a loadbalancer.
|
||||
# To preserve the original IP of the caller, these systems
|
||||
# will often add a header such as "Forwarded" or
|
||||
# "X-Forwarded-For". If set to true, then this header is
|
||||
# respected as the "authoritative" source of the IP of the
|
||||
# connected client. If you are not using a load balancer
|
||||
# then you should leave this value as default.
|
||||
# Defaults to false
|
||||
# trust_x_forward_for = false
|
||||
#
|
||||
# The path to the kanidm database.
|
||||
db_path = "/var/lib/private/kanidm/kanidm.db"
|
||||
#
|
||||
|
@ -86,6 +76,32 @@ domain = "idm.example.com"
|
|||
# origin = "https://idm.example.com"
|
||||
origin = "https://idm.example.com:8443"
|
||||
#
|
||||
|
||||
# HTTPS requests can be reverse proxied by a loadbalancer.
|
||||
# To preserve the original IP of the caller, these systems
|
||||
# will often add a header such as "Forwarded" or
|
||||
# "X-Forwarded-For". Some other proxies can use the PROXY
|
||||
# protocol v2 header.
|
||||
# This setting allows configuration of the range of trusted
|
||||
# IPs which can supply this header information, and which
|
||||
# format the information is provided in.
|
||||
# Defaults to "none" (no trusted sources)
|
||||
# Only one option can be used at a time.
|
||||
# [http_client_address_info]
|
||||
# proxy-v2 = ["127.0.0.1"]
|
||||
# # OR
|
||||
# x-forward-for = ["127.0.0.1"]
|
||||
|
||||
# LDAPS requests can be reverse proxied by a loadbalancer.
|
||||
# To preserve the original IP of the caller, these systems
|
||||
# can add a header such as the PROXY protocol v2 header.
|
||||
# This setting allows configuration of the range of trusted
|
||||
# IPs which can supply this header information, and which
|
||||
# format the information is provided in.
|
||||
# Defaults to "none" (no trusted sources)
|
||||
# [ldap_client_address_info]
|
||||
# proxy-v2 = ["127.0.0.1"]
|
||||
|
||||
[online_backup]
|
||||
# The path to the output folder for online backups
|
||||
path = "/var/lib/private/kanidm/backups/"
|
||||
|
|
|
@ -13,16 +13,6 @@ bindaddress = "[::]:8443"
|
|||
# Defaults to "" (disabled)
|
||||
# ldapbindaddress = "[::]:3636"
|
||||
#
|
||||
# HTTPS requests can be reverse proxied by a loadbalancer.
|
||||
# To preserve the original IP of the caller, these systems
|
||||
# will often add a header such as "Forwarded" or
|
||||
# "X-Forwarded-For". If set to true, then this header is
|
||||
# respected as the "authoritative" source of the IP of the
|
||||
# connected client. If you are not using a load balancer
|
||||
# then you should leave this value as default.
|
||||
# Defaults to false
|
||||
# trust_x_forward_for = false
|
||||
#
|
||||
# The path to the kanidm database.
|
||||
db_path = "/data/kanidm.db"
|
||||
#
|
||||
|
@ -85,7 +75,32 @@ domain = "idm.example.com"
|
|||
# not consistent, the server WILL refuse to start!
|
||||
# origin = "https://idm.example.com"
|
||||
origin = "https://idm.example.com:8443"
|
||||
#
|
||||
|
||||
# HTTPS requests can be reverse proxied by a loadbalancer.
|
||||
# To preserve the original IP of the caller, these systems
|
||||
# will often add a header such as "Forwarded" or
|
||||
# "X-Forwarded-For". Some other proxies can use the PROXY
|
||||
# protocol v2 header.
|
||||
# This setting allows configuration of the range of trusted
|
||||
# IPs which can supply this header information, and which
|
||||
# format the information is provided in.
|
||||
# Defaults to "none" (no trusted sources)
|
||||
# Only one option can be used at a time.
|
||||
# [http_client_address_info]
|
||||
# proxy-v2 = ["127.0.0.1"]
|
||||
# # OR
|
||||
# x-forward-for = ["127.0.0.1"]
|
||||
|
||||
# LDAPS requests can be reverse proxied by a loadbalancer.
|
||||
# To preserve the original IP of the caller, these systems
|
||||
# can add a header such as the PROXY protocol v2 header.
|
||||
# This setting allows configuration of the range of trusted
|
||||
# IPs which can supply this header information, and which
|
||||
# format the information is provided in.
|
||||
# Defaults to "none" (no trusted sources)
|
||||
# [ldap_client_address_info]
|
||||
# proxy-v2 = ["127.0.0.1"]
|
||||
|
||||
[online_backup]
|
||||
# The path to the output folder for online backups
|
||||
path = "/data/kanidm/backups/"
|
||||
|
|
|
@ -834,9 +834,9 @@ impl TryFrom<&str> for Password {
|
|||
|
||||
impl Password {
|
||||
fn bench_pbkdf2(pbkdf2_cost: usize) -> Option<Duration> {
|
||||
let mut rng = rand::thread_rng();
|
||||
let salt: Vec<u8> = (0..PBKDF2_SALT_LEN).map(|_| rng.gen()).collect();
|
||||
let input: Vec<u8> = (0..PBKDF2_SALT_LEN).map(|_| rng.gen()).collect();
|
||||
let mut rng = rand::rng();
|
||||
let salt: Vec<u8> = (0..PBKDF2_SALT_LEN).map(|_| rng.random()).collect();
|
||||
let input: Vec<u8> = (0..PBKDF2_SALT_LEN).map(|_| rng.random()).collect();
|
||||
// This is 512 bits of output
|
||||
let mut key: Vec<u8> = (0..PBKDF2_KEY_LEN).map(|_| 0).collect();
|
||||
|
||||
|
@ -855,9 +855,9 @@ impl Password {
|
|||
}
|
||||
|
||||
fn bench_argon2id(params: Params) -> Option<Duration> {
|
||||
let mut rng = rand::thread_rng();
|
||||
let salt: Vec<u8> = (0..ARGON2_SALT_LEN).map(|_| rng.gen()).collect();
|
||||
let input: Vec<u8> = (0..ARGON2_SALT_LEN).map(|_| rng.gen()).collect();
|
||||
let mut rng = rand::rng();
|
||||
let salt: Vec<u8> = (0..ARGON2_SALT_LEN).map(|_| rng.random()).collect();
|
||||
let input: Vec<u8> = (0..ARGON2_SALT_LEN).map(|_| rng.random()).collect();
|
||||
let mut key: Vec<u8> = (0..ARGON2_KEY_LEN).map(|_| 0).collect();
|
||||
|
||||
let argon = Argon2::new(Algorithm::Argon2id, Version::V0x13, params);
|
||||
|
@ -873,8 +873,8 @@ impl Password {
|
|||
|
||||
pub fn new_pbkdf2(policy: &CryptoPolicy, cleartext: &str) -> Result<Self, CryptoError> {
|
||||
let pbkdf2_cost = policy.pbkdf2_cost;
|
||||
let mut rng = rand::thread_rng();
|
||||
let salt: Vec<u8> = (0..PBKDF2_SALT_LEN).map(|_| rng.gen()).collect();
|
||||
let mut rng = rand::rng();
|
||||
let salt: Vec<u8> = (0..PBKDF2_SALT_LEN).map(|_| rng.random()).collect();
|
||||
let mut key: Vec<u8> = (0..PBKDF2_KEY_LEN).map(|_| 0).collect();
|
||||
|
||||
pbkdf2_hmac(
|
||||
|
@ -897,8 +897,8 @@ impl Password {
|
|||
|
||||
let argon = Argon2::new(Algorithm::Argon2id, version, policy.argon2id_params.clone());
|
||||
|
||||
let mut rng = rand::thread_rng();
|
||||
let salt: Vec<u8> = (0..ARGON2_SALT_LEN).map(|_| rng.gen()).collect();
|
||||
let mut rng = rand::rng();
|
||||
let salt: Vec<u8> = (0..ARGON2_SALT_LEN).map(|_| rng.random()).collect();
|
||||
let mut key: Vec<u8> = (0..ARGON2_KEY_LEN).map(|_| 0).collect();
|
||||
|
||||
argon
|
||||
|
@ -925,8 +925,8 @@ impl Password {
|
|||
|
||||
let argon = Argon2::new(Algorithm::Argon2id, version, policy.argon2id_params.clone());
|
||||
|
||||
let mut rng = rand::thread_rng();
|
||||
let salt: Vec<u8> = (0..ARGON2_SALT_LEN).map(|_| rng.gen()).collect();
|
||||
let mut rng = rand::rng();
|
||||
let salt: Vec<u8> = (0..ARGON2_SALT_LEN).map(|_| rng.random()).collect();
|
||||
let mut check_key: Vec<u8> = (0..ARGON2_KEY_LEN).map(|_| 0).collect();
|
||||
|
||||
argon
|
||||
|
|
|
@ -77,7 +77,10 @@ pub fn apply_profile() {
|
|||
.decode(contents)
|
||||
.unwrap_or_else(|_| panic!("Failed to parse profile - {} - {}", profile, contents));
|
||||
|
||||
let profile_cfg: ProfileConfig = toml::from_slice(&data)
|
||||
let data_str = String::from_utf8(data)
|
||||
.unwrap_or_else(|_| panic!("Failed to read profile data to UTF-8 string - {}", profile));
|
||||
|
||||
let profile_cfg: ProfileConfig = toml::from_str(&data_str)
|
||||
.unwrap_or_else(|_| panic!("Failed to parse profile - {} - {}", profile, contents));
|
||||
|
||||
// We have to setup for our pkg version to be passed into things correctly
|
||||
|
|
|
@ -71,7 +71,7 @@ pub enum ScimSchema {
|
|||
}
|
||||
|
||||
#[serde_as]
|
||||
#[derive(Deserialize, Serialize, Debug, Clone, ToSchema)]
|
||||
#[derive(Deserialize, Serialize, PartialEq, Eq, Debug, Clone, ToSchema)]
|
||||
#[serde(deny_unknown_fields, rename_all = "camelCase")]
|
||||
pub struct ScimMail {
|
||||
#[serde(default)]
|
||||
|
|
210
pykanidm/poetry.lock
generated
210
pykanidm/poetry.lock
generated
|
@ -14,93 +14,93 @@ files = [
|
|||
|
||||
[[package]]
|
||||
name = "aiohttp"
|
||||
version = "3.11.16"
|
||||
version = "3.11.17"
|
||||
description = "Async http client/server framework (asyncio)"
|
||||
optional = false
|
||||
python-versions = ">=3.9"
|
||||
groups = ["main", "dev"]
|
||||
files = [
|
||||
{file = "aiohttp-3.11.16-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:fb46bb0f24813e6cede6cc07b1961d4b04f331f7112a23b5e21f567da4ee50aa"},
|
||||
{file = "aiohttp-3.11.16-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:54eb3aead72a5c19fad07219acd882c1643a1027fbcdefac9b502c267242f955"},
|
||||
{file = "aiohttp-3.11.16-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:38bea84ee4fe24ebcc8edeb7b54bf20f06fd53ce4d2cc8b74344c5b9620597fd"},
|
||||
{file = "aiohttp-3.11.16-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d0666afbe984f6933fe72cd1f1c3560d8c55880a0bdd728ad774006eb4241ecd"},
|
||||
{file = "aiohttp-3.11.16-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:7ba92a2d9ace559a0a14b03d87f47e021e4fa7681dc6970ebbc7b447c7d4b7cd"},
|
||||
{file = "aiohttp-3.11.16-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:3ad1d59fd7114e6a08c4814983bb498f391c699f3c78712770077518cae63ff7"},
|
||||
{file = "aiohttp-3.11.16-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:98b88a2bf26965f2015a771381624dd4b0839034b70d406dc74fd8be4cc053e3"},
|
||||
{file = "aiohttp-3.11.16-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:576f5ca28d1b3276026f7df3ec841ae460e0fc3aac2a47cbf72eabcfc0f102e1"},
|
||||
{file = "aiohttp-3.11.16-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:a2a450bcce4931b295fc0848f384834c3f9b00edfc2150baafb4488c27953de6"},
|
||||
{file = "aiohttp-3.11.16-cp310-cp310-musllinux_1_2_armv7l.whl", hash = "sha256:37dcee4906454ae377be5937ab2a66a9a88377b11dd7c072df7a7c142b63c37c"},
|
||||
{file = "aiohttp-3.11.16-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:4d0c970c0d602b1017e2067ff3b7dac41c98fef4f7472ec2ea26fd8a4e8c2149"},
|
||||
{file = "aiohttp-3.11.16-cp310-cp310-musllinux_1_2_ppc64le.whl", hash = "sha256:004511d3413737700835e949433536a2fe95a7d0297edd911a1e9705c5b5ea43"},
|
||||
{file = "aiohttp-3.11.16-cp310-cp310-musllinux_1_2_s390x.whl", hash = "sha256:c15b2271c44da77ee9d822552201180779e5e942f3a71fb74e026bf6172ff287"},
|
||||
{file = "aiohttp-3.11.16-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:ad9509ffb2396483ceacb1eee9134724443ee45b92141105a4645857244aecc8"},
|
||||
{file = "aiohttp-3.11.16-cp310-cp310-win32.whl", hash = "sha256:634d96869be6c4dc232fc503e03e40c42d32cfaa51712aee181e922e61d74814"},
|
||||
{file = "aiohttp-3.11.16-cp310-cp310-win_amd64.whl", hash = "sha256:938f756c2b9374bbcc262a37eea521d8a0e6458162f2a9c26329cc87fdf06534"},
|
||||
{file = "aiohttp-3.11.16-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:8cb0688a8d81c63d716e867d59a9ccc389e97ac7037ebef904c2b89334407180"},
|
||||
{file = "aiohttp-3.11.16-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:0ad1fb47da60ae1ddfb316f0ff16d1f3b8e844d1a1e154641928ea0583d486ed"},
|
||||
{file = "aiohttp-3.11.16-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:df7db76400bf46ec6a0a73192b14c8295bdb9812053f4fe53f4e789f3ea66bbb"},
|
||||
{file = "aiohttp-3.11.16-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:cc3a145479a76ad0ed646434d09216d33d08eef0d8c9a11f5ae5cdc37caa3540"},
|
||||
{file = "aiohttp-3.11.16-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:d007aa39a52d62373bd23428ba4a2546eed0e7643d7bf2e41ddcefd54519842c"},
|
||||
{file = "aiohttp-3.11.16-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f6ddd90d9fb4b501c97a4458f1c1720e42432c26cb76d28177c5b5ad4e332601"},
|
||||
{file = "aiohttp-3.11.16-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0a2f451849e6b39e5c226803dcacfa9c7133e9825dcefd2f4e837a2ec5a3bb98"},
|
||||
{file = "aiohttp-3.11.16-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:8df6612df74409080575dca38a5237282865408016e65636a76a2eb9348c2567"},
|
||||
{file = "aiohttp-3.11.16-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:78e6e23b954644737e385befa0deb20233e2dfddf95dd11e9db752bdd2a294d3"},
|
||||
{file = "aiohttp-3.11.16-cp311-cp311-musllinux_1_2_armv7l.whl", hash = "sha256:696ef00e8a1f0cec5e30640e64eca75d8e777933d1438f4facc9c0cdf288a810"},
|
||||
{file = "aiohttp-3.11.16-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:e3538bc9fe1b902bef51372462e3d7c96fce2b566642512138a480b7adc9d508"},
|
||||
{file = "aiohttp-3.11.16-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:3ab3367bb7f61ad18793fea2ef71f2d181c528c87948638366bf1de26e239183"},
|
||||
{file = "aiohttp-3.11.16-cp311-cp311-musllinux_1_2_s390x.whl", hash = "sha256:56a3443aca82abda0e07be2e1ecb76a050714faf2be84256dae291182ba59049"},
|
||||
{file = "aiohttp-3.11.16-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:61c721764e41af907c9d16b6daa05a458f066015abd35923051be8705108ed17"},
|
||||
{file = "aiohttp-3.11.16-cp311-cp311-win32.whl", hash = "sha256:3e061b09f6fa42997cf627307f220315e313ece74907d35776ec4373ed718b86"},
|
||||
{file = "aiohttp-3.11.16-cp311-cp311-win_amd64.whl", hash = "sha256:745f1ed5e2c687baefc3c5e7b4304e91bf3e2f32834d07baaee243e349624b24"},
|
||||
{file = "aiohttp-3.11.16-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:911a6e91d08bb2c72938bc17f0a2d97864c531536b7832abee6429d5296e5b27"},
|
||||
{file = "aiohttp-3.11.16-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:6ac13b71761e49d5f9e4d05d33683bbafef753e876e8e5a7ef26e937dd766713"},
|
||||
{file = "aiohttp-3.11.16-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:fd36c119c5d6551bce374fcb5c19269638f8d09862445f85a5a48596fd59f4bb"},
|
||||
{file = "aiohttp-3.11.16-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d489d9778522fbd0f8d6a5c6e48e3514f11be81cb0a5954bdda06f7e1594b321"},
|
||||
{file = "aiohttp-3.11.16-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:69a2cbd61788d26f8f1e626e188044834f37f6ae3f937bd9f08b65fc9d7e514e"},
|
||||
{file = "aiohttp-3.11.16-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:cd464ba806e27ee24a91362ba3621bfc39dbbb8b79f2e1340201615197370f7c"},
|
||||
{file = "aiohttp-3.11.16-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1ce63ae04719513dd2651202352a2beb9f67f55cb8490c40f056cea3c5c355ce"},
|
||||
{file = "aiohttp-3.11.16-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:09b00dd520d88eac9d1768439a59ab3d145065c91a8fab97f900d1b5f802895e"},
|
||||
{file = "aiohttp-3.11.16-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:7f6428fee52d2bcf96a8aa7b62095b190ee341ab0e6b1bcf50c615d7966fd45b"},
|
||||
{file = "aiohttp-3.11.16-cp312-cp312-musllinux_1_2_armv7l.whl", hash = "sha256:13ceac2c5cdcc3f64b9015710221ddf81c900c5febc505dbd8f810e770011540"},
|
||||
{file = "aiohttp-3.11.16-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:fadbb8f1d4140825069db3fedbbb843290fd5f5bc0a5dbd7eaf81d91bf1b003b"},
|
||||
{file = "aiohttp-3.11.16-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:6a792ce34b999fbe04a7a71a90c74f10c57ae4c51f65461a411faa70e154154e"},
|
||||
{file = "aiohttp-3.11.16-cp312-cp312-musllinux_1_2_s390x.whl", hash = "sha256:f4065145bf69de124accdd17ea5f4dc770da0a6a6e440c53f6e0a8c27b3e635c"},
|
||||
{file = "aiohttp-3.11.16-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:fa73e8c2656a3653ae6c307b3f4e878a21f87859a9afab228280ddccd7369d71"},
|
||||
{file = "aiohttp-3.11.16-cp312-cp312-win32.whl", hash = "sha256:f244b8e541f414664889e2c87cac11a07b918cb4b540c36f7ada7bfa76571ea2"},
|
||||
{file = "aiohttp-3.11.16-cp312-cp312-win_amd64.whl", hash = "sha256:23a15727fbfccab973343b6d1b7181bfb0b4aa7ae280f36fd2f90f5476805682"},
|
||||
{file = "aiohttp-3.11.16-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:a3814760a1a700f3cfd2f977249f1032301d0a12c92aba74605cfa6ce9f78489"},
|
||||
{file = "aiohttp-3.11.16-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:9b751a6306f330801665ae69270a8a3993654a85569b3469662efaad6cf5cc50"},
|
||||
{file = "aiohttp-3.11.16-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:ad497f38a0d6c329cb621774788583ee12321863cd4bd9feee1effd60f2ad133"},
|
||||
{file = "aiohttp-3.11.16-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ca37057625693d097543bd88076ceebeb248291df9d6ca8481349efc0b05dcd0"},
|
||||
{file = "aiohttp-3.11.16-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a5abcbba9f4b463a45c8ca8b7720891200658f6f46894f79517e6cd11f3405ca"},
|
||||
{file = "aiohttp-3.11.16-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f420bfe862fb357a6d76f2065447ef6f484bc489292ac91e29bc65d2d7a2c84d"},
|
||||
{file = "aiohttp-3.11.16-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:58ede86453a6cf2d6ce40ef0ca15481677a66950e73b0a788917916f7e35a0bb"},
|
||||
{file = "aiohttp-3.11.16-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:6fdec0213244c39973674ca2a7f5435bf74369e7d4e104d6c7473c81c9bcc8c4"},
|
||||
{file = "aiohttp-3.11.16-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:72b1b03fb4655c1960403c131740755ec19c5898c82abd3961c364c2afd59fe7"},
|
||||
{file = "aiohttp-3.11.16-cp313-cp313-musllinux_1_2_armv7l.whl", hash = "sha256:780df0d837276276226a1ff803f8d0fa5f8996c479aeef52eb040179f3156cbd"},
|
||||
{file = "aiohttp-3.11.16-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:ecdb8173e6c7aa09eee342ac62e193e6904923bd232e76b4157ac0bfa670609f"},
|
||||
{file = "aiohttp-3.11.16-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:a6db7458ab89c7d80bc1f4e930cc9df6edee2200127cfa6f6e080cf619eddfbd"},
|
||||
{file = "aiohttp-3.11.16-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:2540ddc83cc724b13d1838026f6a5ad178510953302a49e6d647f6e1de82bc34"},
|
||||
{file = "aiohttp-3.11.16-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:3b4e6db8dc4879015b9955778cfb9881897339c8fab7b3676f8433f849425913"},
|
||||
{file = "aiohttp-3.11.16-cp313-cp313-win32.whl", hash = "sha256:493910ceb2764f792db4dc6e8e4b375dae1b08f72e18e8f10f18b34ca17d0979"},
|
||||
{file = "aiohttp-3.11.16-cp313-cp313-win_amd64.whl", hash = "sha256:42864e70a248f5f6a49fdaf417d9bc62d6e4d8ee9695b24c5916cb4bb666c802"},
|
||||
{file = "aiohttp-3.11.16-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:bbcba75fe879ad6fd2e0d6a8d937f34a571f116a0e4db37df8079e738ea95c71"},
|
||||
{file = "aiohttp-3.11.16-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:87a6e922b2b2401e0b0cf6b976b97f11ec7f136bfed445e16384fbf6fd5e8602"},
|
||||
{file = "aiohttp-3.11.16-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:ccf10f16ab498d20e28bc2b5c1306e9c1512f2840f7b6a67000a517a4b37d5ee"},
|
||||
{file = "aiohttp-3.11.16-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:fb3d0cc5cdb926090748ea60172fa8a213cec728bd6c54eae18b96040fcd6227"},
|
||||
{file = "aiohttp-3.11.16-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:d07502cc14ecd64f52b2a74ebbc106893d9a9717120057ea9ea1fd6568a747e7"},
|
||||
{file = "aiohttp-3.11.16-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:776c8e959a01e5e8321f1dec77964cb6101020a69d5a94cd3d34db6d555e01f7"},
|
||||
{file = "aiohttp-3.11.16-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0902e887b0e1d50424112f200eb9ae3dfed6c0d0a19fc60f633ae5a57c809656"},
|
||||
{file = "aiohttp-3.11.16-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:e87fd812899aa78252866ae03a048e77bd11b80fb4878ce27c23cade239b42b2"},
|
||||
{file = "aiohttp-3.11.16-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:0a950c2eb8ff17361abd8c85987fd6076d9f47d040ebffce67dce4993285e973"},
|
||||
{file = "aiohttp-3.11.16-cp39-cp39-musllinux_1_2_armv7l.whl", hash = "sha256:c10d85e81d0b9ef87970ecbdbfaeec14a361a7fa947118817fcea8e45335fa46"},
|
||||
{file = "aiohttp-3.11.16-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:7951decace76a9271a1ef181b04aa77d3cc309a02a51d73826039003210bdc86"},
|
||||
{file = "aiohttp-3.11.16-cp39-cp39-musllinux_1_2_ppc64le.whl", hash = "sha256:14461157d8426bcb40bd94deb0450a6fa16f05129f7da546090cebf8f3123b0f"},
|
||||
{file = "aiohttp-3.11.16-cp39-cp39-musllinux_1_2_s390x.whl", hash = "sha256:9756d9b9d4547e091f99d554fbba0d2a920aab98caa82a8fb3d3d9bee3c9ae85"},
|
||||
{file = "aiohttp-3.11.16-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:87944bd16b7fe6160607f6a17808abd25f17f61ae1e26c47a491b970fb66d8cb"},
|
||||
{file = "aiohttp-3.11.16-cp39-cp39-win32.whl", hash = "sha256:92b7ee222e2b903e0a4b329a9943d432b3767f2d5029dbe4ca59fb75223bbe2e"},
|
||||
{file = "aiohttp-3.11.16-cp39-cp39-win_amd64.whl", hash = "sha256:17ae4664031aadfbcb34fd40ffd90976671fa0c0286e6c4113989f78bebab37a"},
|
||||
{file = "aiohttp-3.11.16.tar.gz", hash = "sha256:16f8a2c9538c14a557b4d309ed4d0a7c60f0253e8ed7b6c9a2859a7582f8b1b8"},
|
||||
{file = "aiohttp-3.11.17-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:67eaabe31454d68503ddc10d805944187787b4351600aedda1724f75f3f20b6c"},
|
||||
{file = "aiohttp-3.11.17-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:7c73371bb91660eb7971336883eb05ebf3e912a0a183f5029fe6200285dd858e"},
|
||||
{file = "aiohttp-3.11.17-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:78568d883e7cabf31f110a87bb02cee70e32bbb419eed974027c26ac6be18add"},
|
||||
{file = "aiohttp-3.11.17-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3d5f480d3e35a139f0bd31d9037047cc18d6f362d1b06243b694a40f1a658ba8"},
|
||||
{file = "aiohttp-3.11.17-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:562b47fa14712e47ae7b6cf31998a4c888c35a904845e27f5ec2fc51401304e7"},
|
||||
{file = "aiohttp-3.11.17-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:3875dd6571d2709697835cf5e4e7e0e1bf1d6e3aeec21b7766bbd50d9a97b8a3"},
|
||||
{file = "aiohttp-3.11.17-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9d9130c4380bb02a308c79a25d9b82e642e21bea5ad453553f35f2d490ac47bd"},
|
||||
{file = "aiohttp-3.11.17-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:71ee4844e4680e69d2acb462073b147a4c2dd6813c30c61979399feddc63b322"},
|
||||
{file = "aiohttp-3.11.17-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:e40eceff6ca85d68d07ebd1533f13727261d17b4bef7a518a6882b8448c83106"},
|
||||
{file = "aiohttp-3.11.17-cp310-cp310-musllinux_1_2_armv7l.whl", hash = "sha256:fd89c4399ca67c0d2939211ecf8415747f4e2d855580f1efd9598eff433499ac"},
|
||||
{file = "aiohttp-3.11.17-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:9b62134921162627482056379740998c54d51412a7e678a4d84a5510d6f634a7"},
|
||||
{file = "aiohttp-3.11.17-cp310-cp310-musllinux_1_2_ppc64le.whl", hash = "sha256:3e27e266396db6d6eee76769f66b356020b22e7ae8d7d4d47c9ced6bc53c62a0"},
|
||||
{file = "aiohttp-3.11.17-cp310-cp310-musllinux_1_2_s390x.whl", hash = "sha256:0e93c46b7cc7476130bd396d63eafc6c458e74eddd1a1c65a2ac8e4bdb4cf1d1"},
|
||||
{file = "aiohttp-3.11.17-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:7903749414023ad7d0a46cd4816d9ac99be7552635a0b3deae0b2c9a51d0cfa6"},
|
||||
{file = "aiohttp-3.11.17-cp310-cp310-win32.whl", hash = "sha256:de96c4aba1506b225cf1ab750fdd60e1f8d9d23add6431150a43fbef0542fe18"},
|
||||
{file = "aiohttp-3.11.17-cp310-cp310-win_amd64.whl", hash = "sha256:c08753a2c4d6f9175b234fd1ee227fc68a3c95ee09d52447af25b1ecb99d5886"},
|
||||
{file = "aiohttp-3.11.17-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:9c10ede918e0d1edf9ef75cedb9ab303e509d0616020ecea42c427e3694a4d63"},
|
||||
{file = "aiohttp-3.11.17-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:127696d62e66badc3b554832343df031fd0012f080002d9074cfb735ce9c677e"},
|
||||
{file = "aiohttp-3.11.17-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:26ac39d318507a7fb79b4eee31d7f92a7198d22c0d26d2c2dee4c945172ee509"},
|
||||
{file = "aiohttp-3.11.17-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:cb8e28f9b3b15ab1d840a7ffe0d7b63ee8bb01ef68c611f2ddbd5f96fa5f0e53"},
|
||||
{file = "aiohttp-3.11.17-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:01e9d930cea36405ccdcde45921a29c7e22e0b581fc570f630d72a5bcac56c8c"},
|
||||
{file = "aiohttp-3.11.17-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:dad404c74f4aad90b181db75d79338e87c852e638460003c78bdfd92c07fff3b"},
|
||||
{file = "aiohttp-3.11.17-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:bf30c77f5ddb1ccf568881f9076d0840f0b9a9c94dabe03126474768f951a48a"},
|
||||
{file = "aiohttp-3.11.17-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:1987db5cb7e2c21693047f8f3c07df7bed3cb13403e5df5f684fe6a8478eff85"},
|
||||
{file = "aiohttp-3.11.17-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:612a5bc4e56a52986e89f1439fca86b765682613fdebc71c01de46736b33bd34"},
|
||||
{file = "aiohttp-3.11.17-cp311-cp311-musllinux_1_2_armv7l.whl", hash = "sha256:398a021a7207a04960a8165f53f59e0c0b7cd54fe69ab7f0895f105e391a7964"},
|
||||
{file = "aiohttp-3.11.17-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:e70a3672c734e6d792903e7b22d2f514ed8cbfa27c4a8e9171191da5c7d3c3b1"},
|
||||
{file = "aiohttp-3.11.17-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:b51c9b38d904957ff2df58bf72874634d674b228c03f5d48e143996a8da5c819"},
|
||||
{file = "aiohttp-3.11.17-cp311-cp311-musllinux_1_2_s390x.whl", hash = "sha256:a689fca65127d7599cfb0123c7dccb32d7eebe009d20bfa69ce93aff143dbbc1"},
|
||||
{file = "aiohttp-3.11.17-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:23120ea57904cfd920791afe5a780151cd8e99b039c35c38bb8a0d3e35af049b"},
|
||||
{file = "aiohttp-3.11.17-cp311-cp311-win32.whl", hash = "sha256:07e2c1c06c15cb95721670a69f3cbb1dae22b0914de6e362dba2228b6dd675e7"},
|
||||
{file = "aiohttp-3.11.17-cp311-cp311-win_amd64.whl", hash = "sha256:5e245caba8842f176ecc8ae1fde1ef0c89669614cb379c32e069cd0b96b3547f"},
|
||||
{file = "aiohttp-3.11.17-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:03ee8b587cc7bd345552235cd7117097c169f3a531a7239dc9a3c6b6db1cf46a"},
|
||||
{file = "aiohttp-3.11.17-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:2bd255da118f96446567d9870621a07b8f36b1130826b07f2910ef1aeb4a85c0"},
|
||||
{file = "aiohttp-3.11.17-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:2620d1cbeb688094045f06000b5b6127df2eb768cae07d95137b0e998cd6ce04"},
|
||||
{file = "aiohttp-3.11.17-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:9eac3842f3258c77d35bfe93356fedbc6e5e943fd056534be71b694289b36973"},
|
||||
{file = "aiohttp-3.11.17-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:626dffeeeee34f2b5a327df05d6cb48ecfabcb141d56590d3c779accedc62d88"},
|
||||
{file = "aiohttp-3.11.17-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:aded01d2bda55b2f62a361a2d55f8c9c04436eff6220e579ca7fb72cfe68b48a"},
|
||||
{file = "aiohttp-3.11.17-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0b830715cb818efc4fbd7b9631661e3498b068f23680982d7586103333b0d4df"},
|
||||
{file = "aiohttp-3.11.17-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:3ac7ac3d0a7ab5ce1076c788640274f594397603381747b3d4142beec004c44a"},
|
||||
{file = "aiohttp-3.11.17-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:9dba68088ecdd16b306513463f7e295699bc52bb09573d2bc3ff3d0e7bdc34ff"},
|
||||
{file = "aiohttp-3.11.17-cp312-cp312-musllinux_1_2_armv7l.whl", hash = "sha256:80ba863e1e1055577f27a484b0f002b31297432016262d5f9d2dab5c6d21c5ad"},
|
||||
{file = "aiohttp-3.11.17-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:003c955924fa7d1b100599ce4f5da3ce68bd151b81b5a8c18369ba585766ed31"},
|
||||
{file = "aiohttp-3.11.17-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:6e615b94364f7ea0dc95922c351e106ffb2eded09ffd7a7102ab2e202d17bdaa"},
|
||||
{file = "aiohttp-3.11.17-cp312-cp312-musllinux_1_2_s390x.whl", hash = "sha256:05eb25fa6e5495b3866a3b974fe3b214d5a0b6bb862cd54b7ec4d997948aa12c"},
|
||||
{file = "aiohttp-3.11.17-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:3a3fb727360af3e94667e243cb21cf5069c0df9a70adcc81751136d53f526bc6"},
|
||||
{file = "aiohttp-3.11.17-cp312-cp312-win32.whl", hash = "sha256:93a7cfacf28887ddebd9c697d590002e8d52ac51acb4faf0d00abe1bb791339e"},
|
||||
{file = "aiohttp-3.11.17-cp312-cp312-win_amd64.whl", hash = "sha256:c43311c94200a63e31b62e82872c6dd43fe904cbb8f161c830bfe65c17583658"},
|
||||
{file = "aiohttp-3.11.17-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:57de66477af1176b3d25058594000eb32d21f82039909ef1bf865fe666c8c0ea"},
|
||||
{file = "aiohttp-3.11.17-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:d0d119d1e6d5bf930b285285aec70d66b7a7efa4914231441c7f606e86ca17e2"},
|
||||
{file = "aiohttp-3.11.17-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:d0966f0c14be863cb51e0aa56366c45a2331f46a64347b49a0e9c687c72d43c1"},
|
||||
{file = "aiohttp-3.11.17-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f24d2b1f2516953b001736f82be7cf5d3234fc90e82a2d9a33ad8cdffb28f4c5"},
|
||||
{file = "aiohttp-3.11.17-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:3197cd39307747127f7a3489b6aca4286c7613e8509e65f46702831136257d12"},
|
||||
{file = "aiohttp-3.11.17-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:3e4d134b96448c955e3e29e4026ee499441182bfd92f293accfa1cf1525a061b"},
|
||||
{file = "aiohttp-3.11.17-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:20c68e4411440209fd64abfb27ff5e09e5a59a0fab4dbd07808e762e6fada670"},
|
||||
{file = "aiohttp-3.11.17-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:1131f61afa4a4800fd5770ab13b1587bf4d07a0a561ee6f30f58c2300675ec3b"},
|
||||
{file = "aiohttp-3.11.17-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:d3d4a383935ed1e39109e43535230b7e61781348fc2cf52c1006ae663dcbbc73"},
|
||||
{file = "aiohttp-3.11.17-cp313-cp313-musllinux_1_2_armv7l.whl", hash = "sha256:ada2a986cdec0caa51ee787b838441eeece50cd1ea075053fef51e0c995114b4"},
|
||||
{file = "aiohttp-3.11.17-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:a118aae8008e209f100396bbd2d1d798aaa43651202c65cd2664680dd27aa061"},
|
||||
{file = "aiohttp-3.11.17-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:2bf50db2e855226363aecb78353593987bf9a0b593434814b4a1f09586a116a4"},
|
||||
{file = "aiohttp-3.11.17-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:4f1c1db9470c9aa1ab45cee80b4b7db51fa4cfc01abc5e648d991266e676ac90"},
|
||||
{file = "aiohttp-3.11.17-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:c4a92e2a228829c67f3c633a2329a8b85ed6cfe3b25047f48b4d51e92a655a87"},
|
||||
{file = "aiohttp-3.11.17-cp313-cp313-win32.whl", hash = "sha256:8962df1a29794f3204863ea6d93001a3d77cb1c4ee87f8c7683fe3fb6ec27373"},
|
||||
{file = "aiohttp-3.11.17-cp313-cp313-win_amd64.whl", hash = "sha256:71a1fd6421056980280fe490f211fe0f0c385271b42fb1440c4abcd891b2133a"},
|
||||
{file = "aiohttp-3.11.17-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:be033aceea6a8cd03cc2e2b6936beb485bb6b71907ad5a0e78bb942857b4f468"},
|
||||
{file = "aiohttp-3.11.17-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:e7874d1e620159c18c99b87f37c45a8c30abbba2678d31ae3409d7c00c995f62"},
|
||||
{file = "aiohttp-3.11.17-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:919b411fae2376d5b78901949e556bd646e5de16e0631aed5a1b00ad55b5ec40"},
|
||||
{file = "aiohttp-3.11.17-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:dffeb59c7f3414fd4da384cf76428c59b754e80d4b10d8e5d7018bed135d554d"},
|
||||
{file = "aiohttp-3.11.17-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:6ff5a5c9afbdaff09bf7b4a0655f1084d6c9f562fc33df8c0f7a785480405cf8"},
|
||||
{file = "aiohttp-3.11.17-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:1e4122d386a1695aee05f49a8bb4ff69c0e74b2b9db80a4d8157165327d07103"},
|
||||
{file = "aiohttp-3.11.17-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:bcb753ca25397eac1d38c7112c7b910feabef198d4e411aa5957857795681a25"},
|
||||
{file = "aiohttp-3.11.17-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:f29e0f47656b826d74034b612c11709842c20ebe373e398812208b84ec57f79a"},
|
||||
{file = "aiohttp-3.11.17-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:56a5acb7a715a1a1ad8ed424f7cbb2dc2950dc8b20ae2d83c2117ba5751223b1"},
|
||||
{file = "aiohttp-3.11.17-cp39-cp39-musllinux_1_2_armv7l.whl", hash = "sha256:da0bee7635aa12036269ef8a13fd0fa5549ccfe5eb9ef6c3f0ad7cc574f12e5e"},
|
||||
{file = "aiohttp-3.11.17-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:adb504bdf0691101c7c4544e25545df467ea7239097ca6c67d01b27e500037b5"},
|
||||
{file = "aiohttp-3.11.17-cp39-cp39-musllinux_1_2_ppc64le.whl", hash = "sha256:1c2e376d7f3fedb770106c40546d5f76a61e5ba3d4dac42cc60a8062022586cc"},
|
||||
{file = "aiohttp-3.11.17-cp39-cp39-musllinux_1_2_s390x.whl", hash = "sha256:79ae28f78f0a4a18a308d61647e3ee9cc1e641cb3ad5531db059eff68f3ee63c"},
|
||||
{file = "aiohttp-3.11.17-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:ac9f6cdb02e7376060c4243f17a402b8d895747d788426ef3b8799e7a28a4ee0"},
|
||||
{file = "aiohttp-3.11.17-cp39-cp39-win32.whl", hash = "sha256:e3bddefb2cae68be01186c89d9a41024ae929aaf9e30b65d8977b719185f7e17"},
|
||||
{file = "aiohttp-3.11.17-cp39-cp39-win_amd64.whl", hash = "sha256:8e72767d1798770acdf27a20c523b1cd29973e487f6397b181ef0e7c583acb46"},
|
||||
{file = "aiohttp-3.11.17.tar.gz", hash = "sha256:2bf3ff374c3abd7a5c6c8de3ad7ed91e0e89a8b53353314c93766c3add5a208a"},
|
||||
]
|
||||
|
||||
[package.dependencies]
|
||||
|
@ -1051,14 +1051,14 @@ pyyaml = ">=5.1"
|
|||
|
||||
[[package]]
|
||||
name = "mkdocs-material"
|
||||
version = "9.6.11"
|
||||
version = "9.6.12"
|
||||
description = "Documentation that simply works"
|
||||
optional = false
|
||||
python-versions = ">=3.8"
|
||||
groups = ["dev"]
|
||||
files = [
|
||||
{file = "mkdocs_material-9.6.11-py3-none-any.whl", hash = "sha256:47f21ef9cbf4f0ebdce78a2ceecaa5d413581a55141e4464902224ebbc0b1263"},
|
||||
{file = "mkdocs_material-9.6.11.tar.gz", hash = "sha256:0b7f4a0145c5074cdd692e4362d232fb25ef5b23328d0ec1ab287af77cc0deff"},
|
||||
{file = "mkdocs_material-9.6.12-py3-none-any.whl", hash = "sha256:92b4fbdc329e4febc267ca6e2c51e8501fa97b2225c5f4deb4d4e43550f8e61e"},
|
||||
{file = "mkdocs_material-9.6.12.tar.gz", hash = "sha256:add6a6337b29f9ea7912cb1efc661de2c369060b040eb5119855d794ea85b473"},
|
||||
]
|
||||
|
||||
[package.dependencies]
|
||||
|
@ -2083,30 +2083,30 @@ files = [
|
|||
|
||||
[[package]]
|
||||
name = "ruff"
|
||||
version = "0.11.5"
|
||||
version = "0.11.6"
|
||||
description = "An extremely fast Python linter and code formatter, written in Rust."
|
||||
optional = false
|
||||
python-versions = ">=3.7"
|
||||
groups = ["dev"]
|
||||
files = [
|
||||
{file = "ruff-0.11.5-py3-none-linux_armv6l.whl", hash = "sha256:2561294e108eb648e50f210671cc56aee590fb6167b594144401532138c66c7b"},
|
||||
{file = "ruff-0.11.5-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:ac12884b9e005c12d0bd121f56ccf8033e1614f736f766c118ad60780882a077"},
|
||||
{file = "ruff-0.11.5-py3-none-macosx_11_0_arm64.whl", hash = "sha256:4bfd80a6ec559a5eeb96c33f832418bf0fb96752de0539905cf7b0cc1d31d779"},
|
||||
{file = "ruff-0.11.5-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0947c0a1afa75dcb5db4b34b070ec2bccee869d40e6cc8ab25aca11a7d527794"},
|
||||
{file = "ruff-0.11.5-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:ad871ff74b5ec9caa66cb725b85d4ef89b53f8170f47c3406e32ef040400b038"},
|
||||
{file = "ruff-0.11.5-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:e6cf918390cfe46d240732d4d72fa6e18e528ca1f60e318a10835cf2fa3dc19f"},
|
||||
{file = "ruff-0.11.5-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:56145ee1478582f61c08f21076dc59153310d606ad663acc00ea3ab5b2125f82"},
|
||||
{file = "ruff-0.11.5-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:e5f66f8f1e8c9fc594cbd66fbc5f246a8d91f916cb9667e80208663ec3728304"},
|
||||
{file = "ruff-0.11.5-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:80b4df4d335a80315ab9afc81ed1cff62be112bd165e162b5eed8ac55bfc8470"},
|
||||
{file = "ruff-0.11.5-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3068befab73620b8a0cc2431bd46b3cd619bc17d6f7695a3e1bb166b652c382a"},
|
||||
{file = "ruff-0.11.5-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:f5da2e710a9641828e09aa98b92c9ebbc60518fdf3921241326ca3e8f8e55b8b"},
|
||||
{file = "ruff-0.11.5-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:ef39f19cb8ec98cbc762344921e216f3857a06c47412030374fffd413fb8fd3a"},
|
||||
{file = "ruff-0.11.5-py3-none-musllinux_1_2_i686.whl", hash = "sha256:b2a7cedf47244f431fd11aa5a7e2806dda2e0c365873bda7834e8f7d785ae159"},
|
||||
{file = "ruff-0.11.5-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:81be52e7519f3d1a0beadcf8e974715b2dfc808ae8ec729ecfc79bddf8dbb783"},
|
||||
{file = "ruff-0.11.5-py3-none-win32.whl", hash = "sha256:e268da7b40f56e3eca571508a7e567e794f9bfcc0f412c4b607931d3af9c4afe"},
|
||||
{file = "ruff-0.11.5-py3-none-win_amd64.whl", hash = "sha256:6c6dc38af3cfe2863213ea25b6dc616d679205732dc0fb673356c2d69608f800"},
|
||||
{file = "ruff-0.11.5-py3-none-win_arm64.whl", hash = "sha256:67e241b4314f4eacf14a601d586026a962f4002a475aa702c69980a38087aa4e"},
|
||||
{file = "ruff-0.11.5.tar.gz", hash = "sha256:cae2e2439cb88853e421901ec040a758960b576126dab520fa08e9de431d1bef"},
|
||||
{file = "ruff-0.11.6-py3-none-linux_armv6l.whl", hash = "sha256:d84dcbe74cf9356d1bdb4a78cf74fd47c740bf7bdeb7529068f69b08272239a1"},
|
||||
{file = "ruff-0.11.6-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:9bc583628e1096148011a5d51ff3c836f51899e61112e03e5f2b1573a9b726de"},
|
||||
{file = "ruff-0.11.6-py3-none-macosx_11_0_arm64.whl", hash = "sha256:f2959049faeb5ba5e3b378709e9d1bf0cab06528b306b9dd6ebd2a312127964a"},
|
||||
{file = "ruff-0.11.6-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:63c5d4e30d9d0de7fedbfb3e9e20d134b73a30c1e74b596f40f0629d5c28a193"},
|
||||
{file = "ruff-0.11.6-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:26a4b9a4e1439f7d0a091c6763a100cef8fbdc10d68593df6f3cfa5abdd9246e"},
|
||||
{file = "ruff-0.11.6-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:b5edf270223dd622218256569636dc3e708c2cb989242262fe378609eccf1308"},
|
||||
{file = "ruff-0.11.6-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:f55844e818206a9dd31ff27f91385afb538067e2dc0beb05f82c293ab84f7d55"},
|
||||
{file = "ruff-0.11.6-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:1d8f782286c5ff562e4e00344f954b9320026d8e3fae2ba9e6948443fafd9ffc"},
|
||||
{file = "ruff-0.11.6-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:01c63ba219514271cee955cd0adc26a4083df1956d57847978383b0e50ffd7d2"},
|
||||
{file = "ruff-0.11.6-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:15adac20ef2ca296dd3d8e2bedc6202ea6de81c091a74661c3666e5c4c223ff6"},
|
||||
{file = "ruff-0.11.6-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:4dd6b09e98144ad7aec026f5588e493c65057d1b387dd937d7787baa531d9bc2"},
|
||||
{file = "ruff-0.11.6-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:45b2e1d6c0eed89c248d024ea95074d0e09988d8e7b1dad8d3ab9a67017a5b03"},
|
||||
{file = "ruff-0.11.6-py3-none-musllinux_1_2_i686.whl", hash = "sha256:bd40de4115b2ec4850302f1a1d8067f42e70b4990b68838ccb9ccd9f110c5e8b"},
|
||||
{file = "ruff-0.11.6-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:77cda2dfbac1ab73aef5e514c4cbfc4ec1fbef4b84a44c736cc26f61b3814cd9"},
|
||||
{file = "ruff-0.11.6-py3-none-win32.whl", hash = "sha256:5151a871554be3036cd6e51d0ec6eef56334d74dfe1702de717a995ee3d5b287"},
|
||||
{file = "ruff-0.11.6-py3-none-win_amd64.whl", hash = "sha256:cce85721d09c51f3b782c331b0abd07e9d7d5f775840379c640606d3159cae0e"},
|
||||
{file = "ruff-0.11.6-py3-none-win_arm64.whl", hash = "sha256:3567ba0d07fb170b1b48d944715e3294b77f5b7679e8ba258199a250383ccb79"},
|
||||
{file = "ruff-0.11.6.tar.gz", hash = "sha256:bec8bcc3ac228a45ccc811e45f7eb61b950dbf4cf31a67fa89352574b01c7d79"},
|
||||
]
|
||||
|
||||
[[package]]
|
||||
|
@ -2406,4 +2406,4 @@ type = ["pytest-mypy"]
|
|||
[metadata]
|
||||
lock-version = "2.1"
|
||||
python-versions = "^3.9"
|
||||
content-hash = "5bff20b92931b8e7af661259f31365c4726b29b0edb315e0de872a04d6546fd9"
|
||||
content-hash = "8d570a489cde6b6fe3eace984e3cba246f6f88bb0daba9739e1a61fd155b9091"
|
||||
|
|
|
@ -29,7 +29,7 @@ Authlib = "^1.2.0"
|
|||
|
||||
|
||||
[tool.poetry.group.dev.dependencies]
|
||||
ruff = ">=0.5.1,<0.11.6"
|
||||
ruff = ">=0.5.1,<0.11.7"
|
||||
pytest = "^8.3.4"
|
||||
mypy = "^1.14.1"
|
||||
types-requests = "^2.32.0.20241016"
|
||||
|
|
|
@ -24,7 +24,7 @@ askama = { workspace = true, features = ["with-axum"] }
|
|||
askama_axum = { workspace = true }
|
||||
axum = { workspace = true }
|
||||
axum-htmx = { workspace = true }
|
||||
axum-extra = { version = "0.9.6", features = ["cookie"] }
|
||||
axum-extra = { version = "0.9.6", features = ["cookie", "form"] }
|
||||
axum-macros = "0.4.2"
|
||||
axum-server = { version = "0.7.1", default-features = false }
|
||||
bytes = { workspace = true }
|
||||
|
@ -34,6 +34,8 @@ cron = { workspace = true }
|
|||
filetime = { workspace = true }
|
||||
futures = { workspace = true }
|
||||
futures-util = { workspace = true }
|
||||
haproxy-protocol = { workspace = true, features = ["tokio"] }
|
||||
hashbrown = { workspace = true }
|
||||
hyper = { workspace = true }
|
||||
hyper-util = { workspace = true }
|
||||
kanidm_proto = { workspace = true }
|
||||
|
|
|
@ -4,18 +4,18 @@
|
|||
//! These components should be "per server". Any "per domain" config should be in the system
|
||||
//! or domain entries that are able to be replicated.
|
||||
|
||||
use std::fmt::{self, Display};
|
||||
use std::fs::File;
|
||||
use std::io::Read;
|
||||
use std::path::{Path, PathBuf};
|
||||
use std::str::FromStr;
|
||||
|
||||
use hashbrown::HashSet;
|
||||
use kanidm_proto::constants::DEFAULT_SERVER_ADDRESS;
|
||||
use kanidm_proto::internal::FsType;
|
||||
use kanidm_proto::messages::ConsoleOutputMode;
|
||||
|
||||
use serde::Deserialize;
|
||||
use sketching::LogLevel;
|
||||
use std::fmt::{self, Display};
|
||||
use std::fs::File;
|
||||
use std::io::Read;
|
||||
use std::net::IpAddr;
|
||||
use std::path::{Path, PathBuf};
|
||||
use std::str::FromStr;
|
||||
use url::Url;
|
||||
|
||||
use crate::repl::config::ReplicationConfiguration;
|
||||
|
@ -100,6 +100,111 @@ pub struct TlsConfiguration {
|
|||
pub client_ca: Option<PathBuf>,
|
||||
}
|
||||
|
||||
#[derive(Deserialize, Debug, Clone, Default)]
|
||||
pub enum LdapAddressInfo {
|
||||
#[default]
|
||||
None,
|
||||
#[serde(rename = "proxy-v2")]
|
||||
ProxyV2(HashSet<IpAddr>),
|
||||
}
|
||||
|
||||
impl LdapAddressInfo {
|
||||
pub fn trusted_proxy_v2(&self) -> Option<HashSet<IpAddr>> {
|
||||
if let Self::ProxyV2(trusted) = self {
|
||||
Some(trusted.clone())
|
||||
} else {
|
||||
None
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl Display for LdapAddressInfo {
|
||||
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
|
||||
match self {
|
||||
Self::None => f.write_str("none"),
|
||||
Self::ProxyV2(trusted) => {
|
||||
f.write_str("proxy-v2 [ ")?;
|
||||
for ip in trusted {
|
||||
write!(f, "{} ", ip)?;
|
||||
}
|
||||
f.write_str("]")
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
pub(crate) enum AddressSet {
|
||||
NonContiguousIpSet(HashSet<IpAddr>),
|
||||
All,
|
||||
}
|
||||
|
||||
impl AddressSet {
|
||||
pub(crate) fn contains(&self, ip_addr: &IpAddr) -> bool {
|
||||
match self {
|
||||
Self::All => true,
|
||||
Self::NonContiguousIpSet(range) => range.contains(ip_addr),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Deserialize, Debug, Clone, Default)]
|
||||
pub enum HttpAddressInfo {
|
||||
#[default]
|
||||
None,
|
||||
#[serde(rename = "x-forward-for")]
|
||||
XForwardFor(HashSet<IpAddr>),
|
||||
// IMPORTANT: This is undocumented, and only exists for backwards compat
|
||||
// with config v1 which has a boolean toggle for this option.
|
||||
#[serde(rename = "x-forward-for-all-source-trusted")]
|
||||
XForwardForAllSourcesTrusted,
|
||||
#[serde(rename = "proxy-v2")]
|
||||
ProxyV2(HashSet<IpAddr>),
|
||||
}
|
||||
|
||||
impl HttpAddressInfo {
|
||||
pub(crate) fn trusted_x_forward_for(&self) -> Option<AddressSet> {
|
||||
match self {
|
||||
Self::XForwardForAllSourcesTrusted => Some(AddressSet::All),
|
||||
Self::XForwardFor(trusted) => Some(AddressSet::NonContiguousIpSet(trusted.clone())),
|
||||
_ => None,
|
||||
}
|
||||
}
|
||||
|
||||
pub(crate) fn trusted_proxy_v2(&self) -> Option<HashSet<IpAddr>> {
|
||||
if let Self::ProxyV2(trusted) = self {
|
||||
Some(trusted.clone())
|
||||
} else {
|
||||
None
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl Display for HttpAddressInfo {
|
||||
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
|
||||
match self {
|
||||
Self::None => f.write_str("none"),
|
||||
|
||||
Self::XForwardFor(trusted) => {
|
||||
f.write_str("x-forward-for [ ")?;
|
||||
for ip in trusted {
|
||||
write!(f, "{} ", ip)?;
|
||||
}
|
||||
f.write_str("]")
|
||||
}
|
||||
Self::XForwardForAllSourcesTrusted => {
|
||||
f.write_str("x-forward-for [ ALL SOURCES TRUSTED ]")
|
||||
}
|
||||
Self::ProxyV2(trusted) => {
|
||||
f.write_str("proxy-v2 [ ")?;
|
||||
for ip in trusted {
|
||||
write!(f, "{} ", ip)?;
|
||||
}
|
||||
f.write_str("]")
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/// This is the Server Configuration as read from `server.toml` or environment variables.
|
||||
///
|
||||
/// Fields noted as "REQUIRED" are required for the server to start, even if they show as optional due to how file parsing works.
|
||||
|
@ -217,7 +322,10 @@ pub struct ServerConfigV2 {
|
|||
role: Option<ServerRole>,
|
||||
log_level: Option<LogLevel>,
|
||||
online_backup: Option<OnlineBackup>,
|
||||
trust_x_forward_for: Option<bool>,
|
||||
|
||||
http_client_address_info: Option<HttpAddressInfo>,
|
||||
ldap_client_address_info: Option<LdapAddressInfo>,
|
||||
|
||||
adminbindpath: Option<String>,
|
||||
thread_count: Option<usize>,
|
||||
maximum_request_size_bytes: Option<usize>,
|
||||
|
@ -490,7 +598,10 @@ pub struct Configuration {
|
|||
pub db_fs_type: Option<FsType>,
|
||||
pub db_arc_size: Option<usize>,
|
||||
pub maximum_request: usize,
|
||||
pub trust_x_forward_for: bool,
|
||||
|
||||
pub http_client_address_info: HttpAddressInfo,
|
||||
pub ldap_client_address_info: LdapAddressInfo,
|
||||
|
||||
pub tls_config: Option<TlsConfiguration>,
|
||||
pub integration_test_config: Option<Box<IntegrationTestConfig>>,
|
||||
pub online_backup: Option<OnlineBackup>,
|
||||
|
@ -522,7 +633,8 @@ impl Configuration {
|
|||
db_fs_type: None,
|
||||
db_arc_size: None,
|
||||
maximum_request: 256 * 1024, // 256k
|
||||
trust_x_forward_for: None,
|
||||
http_client_address_info: HttpAddressInfo::default(),
|
||||
ldap_client_address_info: LdapAddressInfo::default(),
|
||||
tls_key: None,
|
||||
tls_chain: None,
|
||||
tls_client_ca: None,
|
||||
|
@ -547,7 +659,8 @@ impl Configuration {
|
|||
db_fs_type: None,
|
||||
db_arc_size: None,
|
||||
maximum_request: 256 * 1024, // 256k
|
||||
trust_x_forward_for: false,
|
||||
http_client_address_info: HttpAddressInfo::default(),
|
||||
ldap_client_address_info: LdapAddressInfo::default(),
|
||||
tls_config: None,
|
||||
integration_test_config: None,
|
||||
online_backup: None,
|
||||
|
@ -587,7 +700,17 @@ impl fmt::Display for Configuration {
|
|||
None => write!(f, "arcsize: AUTO, "),
|
||||
}?;
|
||||
write!(f, "max request size: {}b, ", self.maximum_request)?;
|
||||
write!(f, "trust X-Forwarded-For: {}, ", self.trust_x_forward_for)?;
|
||||
write!(
|
||||
f,
|
||||
"http client address info: {}, ",
|
||||
self.http_client_address_info
|
||||
)?;
|
||||
write!(
|
||||
f,
|
||||
"ldap client address info: {}, ",
|
||||
self.ldap_client_address_info
|
||||
)?;
|
||||
|
||||
write!(f, "with TLS: {}, ", self.tls_config.is_some())?;
|
||||
match &self.online_backup {
|
||||
Some(bck) => write!(
|
||||
|
@ -642,7 +765,8 @@ pub struct ConfigurationBuilder {
|
|||
db_fs_type: Option<FsType>,
|
||||
db_arc_size: Option<usize>,
|
||||
maximum_request: usize,
|
||||
trust_x_forward_for: Option<bool>,
|
||||
http_client_address_info: HttpAddressInfo,
|
||||
ldap_client_address_info: LdapAddressInfo,
|
||||
tls_key: Option<PathBuf>,
|
||||
tls_chain: Option<PathBuf>,
|
||||
tls_client_ca: Option<PathBuf>,
|
||||
|
@ -691,8 +815,8 @@ impl ConfigurationBuilder {
|
|||
self.db_arc_size = env_config.db_arc_size;
|
||||
}
|
||||
|
||||
if env_config.trust_x_forward_for.is_some() {
|
||||
self.trust_x_forward_for = env_config.trust_x_forward_for;
|
||||
if env_config.trust_x_forward_for == Some(true) {
|
||||
self.http_client_address_info = HttpAddressInfo::XForwardForAllSourcesTrusted;
|
||||
}
|
||||
|
||||
if env_config.tls_key.is_some() {
|
||||
|
@ -813,8 +937,8 @@ impl ConfigurationBuilder {
|
|||
self.db_arc_size = config.db_arc_size;
|
||||
}
|
||||
|
||||
if config.trust_x_forward_for.is_some() {
|
||||
self.trust_x_forward_for = config.trust_x_forward_for;
|
||||
if config.trust_x_forward_for == Some(true) {
|
||||
self.http_client_address_info = HttpAddressInfo::XForwardForAllSourcesTrusted;
|
||||
}
|
||||
|
||||
if config.online_backup.is_some() {
|
||||
|
@ -893,8 +1017,12 @@ impl ConfigurationBuilder {
|
|||
self.db_arc_size = config.db_arc_size;
|
||||
}
|
||||
|
||||
if config.trust_x_forward_for.is_some() {
|
||||
self.trust_x_forward_for = config.trust_x_forward_for;
|
||||
if let Some(http_client_address_info) = config.http_client_address_info {
|
||||
self.http_client_address_info = http_client_address_info
|
||||
}
|
||||
|
||||
if let Some(ldap_client_address_info) = config.ldap_client_address_info {
|
||||
self.ldap_client_address_info = ldap_client_address_info
|
||||
}
|
||||
|
||||
if config.online_backup.is_some() {
|
||||
|
@ -930,7 +1058,8 @@ impl ConfigurationBuilder {
|
|||
db_fs_type,
|
||||
db_arc_size,
|
||||
maximum_request,
|
||||
trust_x_forward_for,
|
||||
http_client_address_info,
|
||||
ldap_client_address_info,
|
||||
tls_key,
|
||||
tls_chain,
|
||||
tls_client_ca,
|
||||
|
@ -986,7 +1115,6 @@ impl ConfigurationBuilder {
|
|||
let adminbindpath =
|
||||
adminbindpath.unwrap_or(env!("KANIDM_SERVER_ADMIN_BIND_PATH").to_string());
|
||||
let address = bindaddress.unwrap_or(DEFAULT_SERVER_ADDRESS.to_string());
|
||||
let trust_x_forward_for = trust_x_forward_for.unwrap_or_default();
|
||||
let output_mode = output_mode.unwrap_or_default();
|
||||
let role = role.unwrap_or(ServerRole::WriteReplica);
|
||||
let log_level = log_level.unwrap_or_default();
|
||||
|
@ -1000,7 +1128,8 @@ impl ConfigurationBuilder {
|
|||
db_fs_type,
|
||||
db_arc_size,
|
||||
maximum_request,
|
||||
trust_x_forward_for,
|
||||
http_client_address_info,
|
||||
ldap_client_address_info,
|
||||
tls_config,
|
||||
online_backup,
|
||||
domain,
|
||||
|
|
|
@ -63,6 +63,14 @@ fn figure_out_if_we_have_all_the_routes() {
|
|||
let source_module = relative_filename.split("/").last().unwrap();
|
||||
let source_module = source_module.split(".").next().unwrap();
|
||||
|
||||
// If the file is in certain paths, we skip them wholesale.
|
||||
if let Some(parent_path) = entry.path().parent() {
|
||||
if parent_path.ends_with("https/views") {
|
||||
println!("skipping excluded path {}", parent_path.display());
|
||||
continue;
|
||||
}
|
||||
}
|
||||
|
||||
let file = std::fs::read_to_string(entry.path()).unwrap();
|
||||
for line in file.lines() {
|
||||
if line.contains("skip_route_check") {
|
||||
|
@ -84,13 +92,6 @@ fn figure_out_if_we_have_all_the_routes() {
|
|||
}
|
||||
// now we check the things
|
||||
for (module, routes) in found_routes {
|
||||
if ["ui", "cookies"].contains(&module.as_str()) {
|
||||
println!(
|
||||
"We can skip checking {} because it's allow-listed for docs",
|
||||
module
|
||||
);
|
||||
continue;
|
||||
}
|
||||
if module == "mod" {
|
||||
// TODO: handle this better.
|
||||
eprintln!("Skipping module mod because ... reasons");
|
||||
|
|
|
@ -5,7 +5,6 @@ use axum::{
|
|||
http::{
|
||||
header::HeaderName, header::AUTHORIZATION as AUTHORISATION, request::Parts, StatusCode,
|
||||
},
|
||||
serve::IncomingStream,
|
||||
RequestPartsExt,
|
||||
};
|
||||
|
||||
|
@ -40,7 +39,8 @@ impl FromRequestParts<ServerState> for TrustedClientIp {
|
|||
state: &ServerState,
|
||||
) -> Result<Self, Self::Rejection> {
|
||||
let ConnectInfo(ClientConnInfo {
|
||||
addr,
|
||||
connection_addr,
|
||||
client_addr,
|
||||
client_cert: _,
|
||||
}) = parts
|
||||
.extract::<ConnectInfo<ClientConnInfo>>()
|
||||
|
@ -53,7 +53,13 @@ impl FromRequestParts<ServerState> for TrustedClientIp {
|
|||
)
|
||||
})?;
|
||||
|
||||
let ip_addr = if state.trust_x_forward_for {
|
||||
let trust_x_forward_for = state
|
||||
.trust_x_forward_for_ips
|
||||
.as_ref()
|
||||
.map(|range| range.contains(&connection_addr.ip()))
|
||||
.unwrap_or_default();
|
||||
|
||||
let ip_addr = if trust_x_forward_for {
|
||||
if let Some(x_forward_for) = parts.headers.get(X_FORWARDED_FOR_HEADER) {
|
||||
// X forward for may be comma separated.
|
||||
let first = x_forward_for
|
||||
|
@ -75,10 +81,14 @@ impl FromRequestParts<ServerState> for TrustedClientIp {
|
|||
)
|
||||
})?
|
||||
} else {
|
||||
addr.ip()
|
||||
client_addr.ip()
|
||||
}
|
||||
} else {
|
||||
addr.ip()
|
||||
// This can either be the client_addr == connection_addr if there are
|
||||
// no ip address trust sources, or this is the value as reported by
|
||||
// proxy protocol header. If the proxy protocol header is used, then
|
||||
// trust_x_forward_for can never have been true so we catch here.
|
||||
client_addr.ip()
|
||||
};
|
||||
|
||||
Ok(TrustedClientIp(ip_addr))
|
||||
|
@ -97,7 +107,11 @@ impl FromRequestParts<ServerState> for VerifiedClientInformation {
|
|||
parts: &mut Parts,
|
||||
state: &ServerState,
|
||||
) -> Result<Self, Self::Rejection> {
|
||||
let ConnectInfo(ClientConnInfo { addr, client_cert }) = parts
|
||||
let ConnectInfo(ClientConnInfo {
|
||||
connection_addr,
|
||||
client_addr,
|
||||
client_cert,
|
||||
}) = parts
|
||||
.extract::<ConnectInfo<ClientConnInfo>>()
|
||||
.await
|
||||
.map_err(|_| {
|
||||
|
@ -108,7 +122,13 @@ impl FromRequestParts<ServerState> for VerifiedClientInformation {
|
|||
)
|
||||
})?;
|
||||
|
||||
let ip_addr = if state.trust_x_forward_for {
|
||||
let trust_x_forward_for = state
|
||||
.trust_x_forward_for_ips
|
||||
.as_ref()
|
||||
.map(|range| range.contains(&connection_addr.ip()))
|
||||
.unwrap_or_default();
|
||||
|
||||
let ip_addr = if trust_x_forward_for {
|
||||
if let Some(x_forward_for) = parts.headers.get(X_FORWARDED_FOR_HEADER) {
|
||||
// X forward for may be comma separated.
|
||||
let first = x_forward_for
|
||||
|
@ -130,10 +150,10 @@ impl FromRequestParts<ServerState> for VerifiedClientInformation {
|
|||
)
|
||||
})?
|
||||
} else {
|
||||
addr.ip()
|
||||
client_addr.ip()
|
||||
}
|
||||
} else {
|
||||
addr.ip()
|
||||
client_addr.ip()
|
||||
};
|
||||
|
||||
let (basic_authz, bearer_token) = if let Some(header) = parts.headers.get(AUTHORISATION) {
|
||||
|
@ -201,30 +221,30 @@ impl FromRequestParts<ServerState> for DomainInfo {
|
|||
|
||||
#[derive(Debug, Clone)]
|
||||
pub struct ClientConnInfo {
|
||||
pub addr: SocketAddr,
|
||||
/// This is the address that is *connected* to Kanidm right now
|
||||
/// for this operation.
|
||||
#[allow(dead_code)]
|
||||
pub connection_addr: SocketAddr,
|
||||
/// This is the client address as reported by a remote IP source
|
||||
/// such as x-forward-for or the PROXY protocol header
|
||||
pub client_addr: SocketAddr,
|
||||
// Only set if the certificate is VALID
|
||||
pub client_cert: Option<ClientCertInfo>,
|
||||
}
|
||||
|
||||
// This is the normal way that our extractors get the ip info
|
||||
impl Connected<ClientConnInfo> for ClientConnInfo {
|
||||
fn connect_info(target: ClientConnInfo) -> Self {
|
||||
target
|
||||
}
|
||||
}
|
||||
|
||||
// This is only used for plaintext http - in other words, integration tests only.
|
||||
impl Connected<SocketAddr> for ClientConnInfo {
|
||||
fn connect_info(addr: SocketAddr) -> Self {
|
||||
fn connect_info(connection_addr: SocketAddr) -> Self {
|
||||
ClientConnInfo {
|
||||
addr,
|
||||
client_cert: None,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl Connected<IncomingStream<'_>> for ClientConnInfo {
|
||||
fn connect_info(target: IncomingStream<'_>) -> Self {
|
||||
ClientConnInfo {
|
||||
addr: target.remote_addr(),
|
||||
client_addr: connection_addr,
|
||||
connection_addr,
|
||||
client_cert: None,
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,9 +17,8 @@ mod views;
|
|||
use self::extractors::ClientConnInfo;
|
||||
use self::javascript::*;
|
||||
use crate::actors::{QueryServerReadV1, QueryServerWriteV1};
|
||||
use crate::config::{Configuration, ServerRole};
|
||||
use crate::config::{AddressSet, Configuration, ServerRole};
|
||||
use crate::CoreAction;
|
||||
|
||||
use axum::{
|
||||
body::Body,
|
||||
extract::connect_info::IntoMakeServiceWithConnectInfo,
|
||||
|
@ -29,22 +28,28 @@ use axum::{
|
|||
routing::*,
|
||||
Router,
|
||||
};
|
||||
|
||||
use axum_extra::extract::cookie::CookieJar;
|
||||
use compact_jwt::{error::JwtError, JwsCompact, JwsHs256Signer, JwsVerifier};
|
||||
use futures::pin_mut;
|
||||
use haproxy_protocol::{ProxyHdrV2, RemoteAddress};
|
||||
use hashbrown::HashSet;
|
||||
use hyper::body::Incoming;
|
||||
use hyper_util::rt::{TokioExecutor, TokioIo};
|
||||
use kanidm_lib_crypto::x509_cert::{der::Decode, x509_public_key_s256, Certificate};
|
||||
use kanidm_proto::{constants::KSESSIONID, internal::COOKIE_AUTH_SESSION_ID};
|
||||
use kanidmd_lib::{idm::ClientCertInfo, status::StatusActor};
|
||||
use openssl::ssl::{Ssl, SslAcceptor};
|
||||
|
||||
use kanidm_lib_crypto::x509_cert::{der::Decode, x509_public_key_s256, Certificate};
|
||||
|
||||
use serde::de::DeserializeOwned;
|
||||
use sketching::*;
|
||||
use std::fmt::Write;
|
||||
use std::io::ErrorKind;
|
||||
use std::net::IpAddr;
|
||||
use std::path::PathBuf;
|
||||
use std::pin::Pin;
|
||||
use std::sync::Arc;
|
||||
use std::{net::SocketAddr, str::FromStr};
|
||||
use tokio::{
|
||||
io::{AsyncRead, AsyncWrite},
|
||||
net::{TcpListener, TcpStream},
|
||||
sync::broadcast,
|
||||
sync::mpsc,
|
||||
|
@ -56,11 +61,6 @@ use tower_http::{services::ServeDir, trace::TraceLayer};
|
|||
use url::Url;
|
||||
use uuid::Uuid;
|
||||
|
||||
use std::io::ErrorKind;
|
||||
use std::path::PathBuf;
|
||||
use std::pin::Pin;
|
||||
use std::{net::SocketAddr, str::FromStr};
|
||||
|
||||
#[derive(Clone)]
|
||||
pub struct ServerState {
|
||||
pub(crate) status_ref: &'static StatusActor,
|
||||
|
@ -68,7 +68,7 @@ pub struct ServerState {
|
|||
pub(crate) qe_r_ref: &'static QueryServerReadV1,
|
||||
// Store the token management parts.
|
||||
pub(crate) jws_signer: JwsHs256Signer,
|
||||
pub(crate) trust_x_forward_for: bool,
|
||||
pub(crate) trust_x_forward_for_ips: Option<Arc<AddressSet>>,
|
||||
pub(crate) csp_header: HeaderValue,
|
||||
pub(crate) origin: Url,
|
||||
pub(crate) domain: String,
|
||||
|
@ -211,7 +211,15 @@ pub async fn create_https_server(
|
|||
error!(?err, "Unable to generate content security policy");
|
||||
})?;
|
||||
|
||||
let trust_x_forward_for = config.trust_x_forward_for;
|
||||
let trust_x_forward_for_ips = config
|
||||
.http_client_address_info
|
||||
.trusted_x_forward_for()
|
||||
.map(Arc::new);
|
||||
|
||||
let trusted_proxy_v2_ips = config
|
||||
.http_client_address_info
|
||||
.trusted_proxy_v2()
|
||||
.map(Arc::new);
|
||||
|
||||
let origin = Url::parse(&config.origin)
|
||||
// Should be impossible!
|
||||
|
@ -224,7 +232,7 @@ pub async fn create_https_server(
|
|||
qe_w_ref,
|
||||
qe_r_ref,
|
||||
jws_signer,
|
||||
trust_x_forward_for,
|
||||
trust_x_forward_for_ips,
|
||||
csp_header,
|
||||
origin,
|
||||
domain: config.domain.clone(),
|
||||
|
@ -321,35 +329,41 @@ pub async fn create_https_server(
|
|||
|
||||
info!("Starting the web server...");
|
||||
|
||||
match maybe_tls_acceptor {
|
||||
Some(tls_acceptor) => {
|
||||
let listener = match TcpListener::bind(addr).await {
|
||||
Ok(l) => l,
|
||||
Err(err) => {
|
||||
error!(?err, "Failed to bind tcp listener");
|
||||
return Err(());
|
||||
}
|
||||
};
|
||||
Ok(task::spawn(server_loop(
|
||||
tls_acceptor,
|
||||
listener,
|
||||
app,
|
||||
rx,
|
||||
server_message_tx,
|
||||
tls_acceptor_reload_rx,
|
||||
)))
|
||||
let listener = match TcpListener::bind(addr).await {
|
||||
Ok(l) => l,
|
||||
Err(err) => {
|
||||
error!(?err, "Failed to bind tcp listener");
|
||||
return Err(());
|
||||
}
|
||||
None => Ok(task::spawn(server_loop_plaintext(addr, app, rx))),
|
||||
};
|
||||
|
||||
match maybe_tls_acceptor {
|
||||
Some(tls_acceptor) => Ok(task::spawn(server_tls_loop(
|
||||
tls_acceptor,
|
||||
listener,
|
||||
app,
|
||||
rx,
|
||||
server_message_tx,
|
||||
tls_acceptor_reload_rx,
|
||||
trusted_proxy_v2_ips,
|
||||
))),
|
||||
None => Ok(task::spawn(server_plaintext_loop(
|
||||
listener,
|
||||
app,
|
||||
rx,
|
||||
trusted_proxy_v2_ips,
|
||||
))),
|
||||
}
|
||||
}
|
||||
|
||||
async fn server_loop(
|
||||
async fn server_tls_loop(
|
||||
mut tls_acceptor: SslAcceptor,
|
||||
listener: TcpListener,
|
||||
app: IntoMakeServiceWithConnectInfo<Router, ClientConnInfo>,
|
||||
mut rx: broadcast::Receiver<CoreAction>,
|
||||
server_message_tx: broadcast::Sender<CoreAction>,
|
||||
mut tls_acceptor_reload_rx: mpsc::Receiver<SslAcceptor>,
|
||||
trusted_proxy_v2_ips: Option<Arc<HashSet<IpAddr>>>,
|
||||
) {
|
||||
pin_mut!(listener);
|
||||
|
||||
|
@ -365,7 +379,7 @@ async fn server_loop(
|
|||
Ok((stream, addr)) => {
|
||||
let tls_acceptor = tls_acceptor.clone();
|
||||
let app = app.clone();
|
||||
task::spawn(handle_conn(tls_acceptor, stream, app, addr));
|
||||
task::spawn(handle_tls_conn(tls_acceptor, stream, app, addr, trusted_proxy_v2_ips.clone()));
|
||||
}
|
||||
Err(err) => {
|
||||
error!("Web server exited with {:?}", err);
|
||||
|
@ -386,24 +400,33 @@ async fn server_loop(
|
|||
info!("Stopped {}", super::TaskName::HttpsServer);
|
||||
}
|
||||
|
||||
async fn server_loop_plaintext(
|
||||
addr: SocketAddr,
|
||||
async fn server_plaintext_loop(
|
||||
listener: TcpListener,
|
||||
app: IntoMakeServiceWithConnectInfo<Router, ClientConnInfo>,
|
||||
mut rx: broadcast::Receiver<CoreAction>,
|
||||
trusted_proxy_v2_ips: Option<Arc<HashSet<IpAddr>>>,
|
||||
) {
|
||||
let listener = axum_server::bind(addr).serve(app);
|
||||
|
||||
pin_mut!(listener);
|
||||
|
||||
loop {
|
||||
tokio::select! {
|
||||
Ok(action) = rx.recv() => {
|
||||
match action {
|
||||
CoreAction::Shutdown =>
|
||||
break,
|
||||
CoreAction::Shutdown => break,
|
||||
}
|
||||
}
|
||||
accept = listener.accept() => {
|
||||
match accept {
|
||||
Ok((stream, addr)) => {
|
||||
let app = app.clone();
|
||||
task::spawn(handle_conn(stream, app, addr, trusted_proxy_v2_ips.clone()));
|
||||
}
|
||||
Err(err) => {
|
||||
error!("Web server exited with {:?}", err);
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
_ = &mut listener => {}
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -412,11 +435,38 @@ async fn server_loop_plaintext(
|
|||
|
||||
/// This handles an individual connection.
|
||||
pub(crate) async fn handle_conn(
|
||||
stream: TcpStream,
|
||||
app: IntoMakeServiceWithConnectInfo<Router, ClientConnInfo>,
|
||||
connection_addr: SocketAddr,
|
||||
trusted_proxy_v2_ips: Option<Arc<HashSet<IpAddr>>>,
|
||||
) -> Result<(), std::io::Error> {
|
||||
let (stream, client_addr) =
|
||||
process_client_addr(stream, connection_addr, trusted_proxy_v2_ips).await?;
|
||||
|
||||
let client_conn_info = ClientConnInfo {
|
||||
connection_addr,
|
||||
client_addr,
|
||||
client_cert: None,
|
||||
};
|
||||
|
||||
// Hyper has its own `AsyncRead` and `AsyncWrite` traits and doesn't use tokio.
|
||||
// `TokioIo` converts between them.
|
||||
let stream = TokioIo::new(stream);
|
||||
|
||||
process_client_hyper(stream, app, client_conn_info).await
|
||||
}
|
||||
|
||||
/// This handles an individual connection.
|
||||
pub(crate) async fn handle_tls_conn(
|
||||
acceptor: SslAcceptor,
|
||||
stream: TcpStream,
|
||||
mut app: IntoMakeServiceWithConnectInfo<Router, ClientConnInfo>,
|
||||
addr: SocketAddr,
|
||||
app: IntoMakeServiceWithConnectInfo<Router, ClientConnInfo>,
|
||||
connection_addr: SocketAddr,
|
||||
trusted_proxy_v2_ips: Option<Arc<HashSet<IpAddr>>>,
|
||||
) -> Result<(), std::io::Error> {
|
||||
let (stream, client_addr) =
|
||||
process_client_addr(stream, connection_addr, trusted_proxy_v2_ips).await?;
|
||||
|
||||
let ssl = Ssl::new(acceptor.context()).map_err(|e| {
|
||||
error!("Failed to create TLS context: {:?}", e);
|
||||
std::io::Error::from(ErrorKind::ConnectionAborted)
|
||||
|
@ -459,42 +509,17 @@ pub(crate) async fn handle_conn(
|
|||
None
|
||||
};
|
||||
|
||||
let client_conn_info = ClientConnInfo { addr, client_cert };
|
||||
|
||||
debug!(?client_conn_info);
|
||||
|
||||
let svc = axum_server::service::MakeService::<ClientConnInfo, hyper::Request<Body>>::make_service(
|
||||
&mut app,
|
||||
client_conn_info,
|
||||
);
|
||||
|
||||
let svc = svc.await.map_err(|e| {
|
||||
error!("Failed to build HTTP response: {:?}", e);
|
||||
std::io::Error::from(ErrorKind::Other)
|
||||
})?;
|
||||
let client_conn_info = ClientConnInfo {
|
||||
connection_addr,
|
||||
client_addr,
|
||||
client_cert,
|
||||
};
|
||||
|
||||
// Hyper has its own `AsyncRead` and `AsyncWrite` traits and doesn't use tokio.
|
||||
// `TokioIo` converts between them.
|
||||
let stream = TokioIo::new(tls_stream);
|
||||
|
||||
// Hyper also has its own `Service` trait and doesn't use tower. We can use
|
||||
// `hyper::service::service_fn` to create a hyper `Service` that calls our app through
|
||||
// `tower::Service::call`.
|
||||
let hyper_service = hyper::service::service_fn(move |request: Request<Incoming>| {
|
||||
// We have to clone `tower_service` because hyper's `Service` uses `&self` whereas
|
||||
// tower's `Service` requires `&mut self`.
|
||||
//
|
||||
// We don't need to call `poll_ready` since `Router` is always ready.
|
||||
svc.clone().call(request)
|
||||
});
|
||||
|
||||
hyper_util::server::conn::auto::Builder::new(TokioExecutor::new())
|
||||
.serve_connection_with_upgrades(stream, hyper_service)
|
||||
.await
|
||||
.map_err(|e| {
|
||||
debug!("Failed to complete connection: {:?}", e);
|
||||
std::io::Error::from(ErrorKind::ConnectionAborted)
|
||||
})
|
||||
process_client_hyper(stream, app, client_conn_info).await
|
||||
}
|
||||
Err(error) => {
|
||||
trace!("Failed to handle connection: {:?}", error);
|
||||
|
@ -502,3 +527,83 @@ pub(crate) async fn handle_conn(
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
async fn process_client_addr(
|
||||
stream: TcpStream,
|
||||
connection_addr: SocketAddr,
|
||||
trusted_proxy_v2_ips: Option<Arc<HashSet<IpAddr>>>,
|
||||
) -> Result<(TcpStream, SocketAddr), std::io::Error> {
|
||||
let enable_proxy_v2_hdr = trusted_proxy_v2_ips
|
||||
.map(|trusted| trusted.contains(&connection_addr.ip()))
|
||||
.unwrap_or_default();
|
||||
|
||||
let (stream, client_addr) = if enable_proxy_v2_hdr {
|
||||
match ProxyHdrV2::parse_from_read(stream).await {
|
||||
Ok((stream, hdr)) => {
|
||||
let remote_socket_addr = match hdr.to_remote_addr() {
|
||||
RemoteAddress::Local => {
|
||||
debug!("PROXY protocol liveness check - will not contain client data");
|
||||
return Err(std::io::Error::from(ErrorKind::ConnectionAborted));
|
||||
}
|
||||
RemoteAddress::TcpV4 { src, dst: _ } => SocketAddr::from(src),
|
||||
RemoteAddress::TcpV6 { src, dst: _ } => SocketAddr::from(src),
|
||||
remote_addr => {
|
||||
error!(?remote_addr, "remote address in proxy header is invalid");
|
||||
return Err(std::io::Error::from(ErrorKind::ConnectionAborted));
|
||||
}
|
||||
};
|
||||
|
||||
(stream, remote_socket_addr)
|
||||
}
|
||||
Err(err) => {
|
||||
error!(?connection_addr, ?err, "Unable to process proxy v2 header");
|
||||
return Err(std::io::Error::from(ErrorKind::ConnectionAborted));
|
||||
}
|
||||
}
|
||||
} else {
|
||||
(stream, connection_addr)
|
||||
};
|
||||
|
||||
Ok((stream, client_addr))
|
||||
}
|
||||
|
||||
async fn process_client_hyper<T>(
|
||||
stream: TokioIo<T>,
|
||||
mut app: IntoMakeServiceWithConnectInfo<Router, ClientConnInfo>,
|
||||
client_conn_info: ClientConnInfo,
|
||||
) -> Result<(), std::io::Error>
|
||||
where
|
||||
T: AsyncRead + AsyncWrite + std::marker::Unpin + std::marker::Send + 'static,
|
||||
{
|
||||
debug!(?client_conn_info);
|
||||
|
||||
let svc =
|
||||
axum_server::service::MakeService::<ClientConnInfo, hyper::Request<Body>>::make_service(
|
||||
&mut app,
|
||||
client_conn_info,
|
||||
);
|
||||
|
||||
let svc = svc.await.map_err(|e| {
|
||||
error!("Failed to build HTTP response: {:?}", e);
|
||||
std::io::Error::from(ErrorKind::Other)
|
||||
})?;
|
||||
|
||||
// Hyper also has its own `Service` trait and doesn't use tower. We can use
|
||||
// `hyper::service::service_fn` to create a hyper `Service` that calls our app through
|
||||
// `tower::Service::call`.
|
||||
let hyper_service = hyper::service::service_fn(move |request: Request<Incoming>| {
|
||||
// We have to clone `tower_service` because hyper's `Service` uses `&self` whereas
|
||||
// tower's `Service` requires `&mut self`.
|
||||
//
|
||||
// We don't need to call `poll_ready` since `Router` is always ready.
|
||||
svc.clone().call(request)
|
||||
});
|
||||
|
||||
hyper_util::server::conn::auto::Builder::new(TokioExecutor::new())
|
||||
.serve_connection_with_upgrades(stream, hyper_service)
|
||||
.await
|
||||
.map_err(|e| {
|
||||
debug!("Failed to complete connection: {:?}", e);
|
||||
std::io::Error::from(ErrorKind::ConnectionAborted)
|
||||
})
|
||||
}
|
||||
|
|
|
@ -3,7 +3,7 @@ use axum::routing::get;
|
|||
use axum::Router;
|
||||
use axum_htmx::HxRequestGuardLayer;
|
||||
|
||||
mod persons;
|
||||
pub(crate) mod persons;
|
||||
|
||||
pub fn admin_router() -> Router<ServerState> {
|
||||
let unguarded_router = Router::new()
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
use crate::https::errors::WebError;
|
||||
use crate::https::extractors::{DomainInfo, VerifiedClientInformation};
|
||||
use crate::https::middleware::KOpId;
|
||||
use crate::https::views::errors::HtmxError;
|
||||
|
@ -7,17 +8,15 @@ use crate::https::ServerState;
|
|||
use askama::Template;
|
||||
use axum::extract::{Path, State};
|
||||
use axum::http::Uri;
|
||||
use axum::response::{ErrorResponse, IntoResponse, Response};
|
||||
use axum::response::{IntoResponse, Response};
|
||||
use axum::Extension;
|
||||
use axum_htmx::{HxPushUrl, HxRequest};
|
||||
use futures_util::TryFutureExt;
|
||||
use kanidm_proto::attribute::Attribute;
|
||||
use kanidm_proto::internal::OperationError;
|
||||
use kanidm_proto::scim_v1::client::ScimFilter;
|
||||
use kanidm_proto::scim_v1::server::{ScimEffectiveAccess, ScimEntryKanidm, ScimPerson};
|
||||
use kanidm_proto::scim_v1::ScimEntryGetQuery;
|
||||
use kanidmd_lib::constants::EntryClass;
|
||||
use kanidmd_lib::idm::server::DomainInfoRead;
|
||||
use kanidmd_lib::idm::ClientAuthInfo;
|
||||
use std::str::FromStr;
|
||||
use uuid::Uuid;
|
||||
|
@ -70,7 +69,7 @@ pub(crate) async fn view_person_view_get(
|
|||
DomainInfo(domain_info): DomainInfo,
|
||||
) -> axum::response::Result<Response> {
|
||||
let (person, scim_effective_access) =
|
||||
get_person_info(uuid, state, &kopid, client_auth_info, domain_info.clone()).await?;
|
||||
get_person_info(uuid, state, &kopid, client_auth_info).await?;
|
||||
let person_partial = PersonViewPartial {
|
||||
person,
|
||||
scim_effective_access,
|
||||
|
@ -101,7 +100,7 @@ pub(crate) async fn view_persons_get(
|
|||
DomainInfo(domain_info): DomainInfo,
|
||||
VerifiedClientInformation(client_auth_info): VerifiedClientInformation,
|
||||
) -> axum::response::Result<Response> {
|
||||
let persons = get_persons_info(state, &kopid, client_auth_info, domain_info.clone()).await?;
|
||||
let persons = get_persons_info(state, &kopid, client_auth_info).await?;
|
||||
let persons_partial = PersonsPartialView { persons };
|
||||
|
||||
let push_url = HxPushUrl(Uri::from_static("/ui/admin/persons"));
|
||||
|
@ -119,13 +118,12 @@ pub(crate) async fn view_persons_get(
|
|||
})
|
||||
}
|
||||
|
||||
async fn get_person_info(
|
||||
pub async fn get_person_info(
|
||||
uuid: Uuid,
|
||||
state: ServerState,
|
||||
kopid: &KOpId,
|
||||
client_auth_info: ClientAuthInfo,
|
||||
domain_info: DomainInfoRead,
|
||||
) -> Result<(ScimPerson, ScimEffectiveAccess), ErrorResponse> {
|
||||
) -> Result<(ScimPerson, ScimEffectiveAccess), WebError> {
|
||||
let scim_entry: ScimEntryKanidm = state
|
||||
.qe_r_ref
|
||||
.scim_entry_id_get(
|
||||
|
@ -138,13 +136,12 @@ async fn get_person_info(
|
|||
ext_access_check: true,
|
||||
},
|
||||
)
|
||||
.map_err(|op_err| HtmxError::new(kopid, op_err, domain_info.clone()))
|
||||
.await?;
|
||||
|
||||
if let Some(personinfo_info) = scimentry_into_personinfo(scim_entry) {
|
||||
Ok(personinfo_info)
|
||||
} else {
|
||||
Err(HtmxError::new(kopid, OperationError::InvalidState, domain_info.clone()).into())
|
||||
Err(WebError::from(OperationError::InvalidState))
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -152,8 +149,7 @@ async fn get_persons_info(
|
|||
state: ServerState,
|
||||
kopid: &KOpId,
|
||||
client_auth_info: ClientAuthInfo,
|
||||
domain_info: DomainInfoRead,
|
||||
) -> Result<Vec<(ScimPerson, ScimEffectiveAccess)>, ErrorResponse> {
|
||||
) -> Result<Vec<(ScimPerson, ScimEffectiveAccess)>, WebError> {
|
||||
let filter = ScimFilter::Equal(Attribute::Class.into(), EntryClass::Person.into());
|
||||
|
||||
let base: Vec<ScimEntryKanidm> = state
|
||||
|
@ -167,7 +163,6 @@ async fn get_persons_info(
|
|||
ext_access_check: true,
|
||||
},
|
||||
)
|
||||
.map_err(|op_err| HtmxError::new(kopid, op_err, domain_info.clone()))
|
||||
.await?;
|
||||
|
||||
// TODO: inefficient to sort here
|
||||
|
|
|
@ -9,17 +9,17 @@ pub(crate) enum ProfileMenuItems {
|
|||
UnixPassword,
|
||||
}
|
||||
|
||||
pub(crate) enum UiMessage {
|
||||
UnlockEdit,
|
||||
}
|
||||
|
||||
impl std::fmt::Display for UiMessage {
|
||||
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
|
||||
match self {
|
||||
UiMessage::UnlockEdit => write!(f, "Unlock Edit 🔒"),
|
||||
}
|
||||
}
|
||||
}
|
||||
// pub(crate) enum UiMessage {
|
||||
// UnlockEdit,
|
||||
// }
|
||||
//
|
||||
// impl std::fmt::Display for UiMessage {
|
||||
// fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
|
||||
// match self {
|
||||
// UiMessage::UnlockEdit => write!(f, "Unlock Edit 🔒"),
|
||||
// }
|
||||
// }
|
||||
// }
|
||||
|
||||
pub(crate) enum Urls {
|
||||
Apps,
|
||||
|
|
|
@ -56,6 +56,7 @@ pub fn view_router() -> Router<ServerState> {
|
|||
.route("/reset", get(reset::view_reset_get))
|
||||
.route("/update_credentials", get(reset::view_self_reset_get))
|
||||
.route("/profile", get(profile::view_profile_get))
|
||||
.route("/profile/diff", get(profile::view_profile_get))
|
||||
.route("/profile/unlock", get(profile::view_profile_unlock_get))
|
||||
.route("/logout", get(login::view_logout_get))
|
||||
.route("/oauth2", get(oauth2::view_index_get));
|
||||
|
@ -129,6 +130,18 @@ pub fn view_router() -> Router<ServerState> {
|
|||
)
|
||||
.route("/api/cu_cancel", post(reset::cancel_cred_update))
|
||||
.route("/api/cu_commit", post(reset::commit))
|
||||
.route(
|
||||
"/api/user_settings/add_email",
|
||||
get(profile::view_new_email_entry_partial),
|
||||
)
|
||||
.route(
|
||||
"/api/user_settings/edit_profile",
|
||||
post(profile::view_profile_diff_start_save_post),
|
||||
)
|
||||
.route(
|
||||
"/api/user_settings/confirm_profile",
|
||||
post(profile::view_profile_diff_confirm_save_post),
|
||||
)
|
||||
.layer(HxRequestGuardLayer::new("/ui"));
|
||||
|
||||
let admin_router = admin_router();
|
||||
|
|
|
@ -1,18 +1,34 @@
|
|||
use super::constants::{ProfileMenuItems, Urls};
|
||||
use super::errors::HtmxError;
|
||||
use super::login::{LoginDisplayCtx, Reauth, ReauthPurpose};
|
||||
use super::navbar::NavbarCtx;
|
||||
use crate::https::errors::WebError;
|
||||
use crate::https::extractors::{DomainInfo, VerifiedClientInformation};
|
||||
use crate::https::middleware::KOpId;
|
||||
use crate::https::ServerState;
|
||||
use askama::Template;
|
||||
use axum::extract::State;
|
||||
use axum::response::Response;
|
||||
use askama_axum::IntoResponse;
|
||||
use axum::extract::{Query, State};
|
||||
use axum::http::Uri;
|
||||
use axum::response::{Redirect, Response};
|
||||
use axum::Extension;
|
||||
use axum_extra::extract::cookie::CookieJar;
|
||||
use axum_extra::extract::Form;
|
||||
use axum_htmx::{HxEvent, HxPushUrl, HxResponseTrigger};
|
||||
use futures_util::TryFutureExt;
|
||||
use kanidm_proto::attribute::Attribute;
|
||||
use kanidm_proto::constants::{ATTR_DISPLAYNAME, ATTR_MAIL, ATTR_NAME};
|
||||
use kanidm_proto::internal::UserAuthToken;
|
||||
|
||||
use super::constants::{ProfileMenuItems, UiMessage, Urls};
|
||||
use super::errors::HtmxError;
|
||||
use super::login::{LoginDisplayCtx, Reauth, ReauthPurpose};
|
||||
use super::navbar::NavbarCtx;
|
||||
use kanidm_proto::scim_v1::server::{ScimEffectiveAccess, ScimPerson};
|
||||
use kanidm_proto::scim_v1::ScimMail;
|
||||
use kanidmd_lib::filter::{f_id, Filter};
|
||||
use kanidmd_lib::prelude::f_and;
|
||||
use kanidmd_lib::prelude::FC;
|
||||
use serde::Deserialize;
|
||||
use serde::Serialize;
|
||||
use std::fmt;
|
||||
use std::fmt::Display;
|
||||
use std::fmt::Formatter;
|
||||
|
||||
#[derive(Template)]
|
||||
#[template(path = "user_settings.html")]
|
||||
|
@ -26,9 +42,68 @@ pub(crate) struct ProfileView {
|
|||
struct ProfilePartialView {
|
||||
menu_active_item: ProfileMenuItems,
|
||||
can_rw: bool,
|
||||
person: ScimPerson,
|
||||
scim_effective_access: ScimEffectiveAccess,
|
||||
}
|
||||
|
||||
#[derive(Clone, Debug, Serialize, Deserialize)]
|
||||
pub(crate) struct SaveProfileQuery {
|
||||
#[serde(rename = "name")]
|
||||
account_name: String,
|
||||
#[serde(rename = "displayname")]
|
||||
display_name: String,
|
||||
#[serde(rename = "email_index")]
|
||||
emails_indexes: Vec<u16>,
|
||||
#[serde(rename = "emails[]")]
|
||||
emails: Vec<String>,
|
||||
// radio buttons are used to pick a primary index, remove causes holes, map back into [emails] using [emails_indexes]
|
||||
primary_email_index: u16,
|
||||
}
|
||||
|
||||
#[derive(Clone, Debug, Serialize, Deserialize)]
|
||||
pub(crate) struct CommitSaveProfileQuery {
|
||||
#[serde(rename = "account_name")]
|
||||
account_name: Option<String>,
|
||||
#[serde(rename = "display_name")]
|
||||
display_name: Option<String>,
|
||||
#[serde(rename = "emails[]")]
|
||||
emails: Vec<String>,
|
||||
#[serde(rename = "new_primary_mail")]
|
||||
new_primary_mail: Option<String>,
|
||||
}
|
||||
|
||||
#[derive(Clone, Debug, Serialize, Deserialize)]
|
||||
pub(crate) struct ProfileAttributes {
|
||||
account_name: String,
|
||||
display_name: String,
|
||||
email: Option<String>,
|
||||
emails: Vec<ScimMail>,
|
||||
}
|
||||
|
||||
#[derive(Template, Clone)]
|
||||
#[template(path = "user_settings/profile_changes_partial.html")]
|
||||
struct ProfileChangesPartialView {
|
||||
menu_active_item: ProfileMenuItems,
|
||||
can_rw: bool,
|
||||
person: ScimPerson,
|
||||
primary_mail: Option<String>,
|
||||
new_attrs: ProfileAttributes,
|
||||
new_primary_mail: Option<String>,
|
||||
emails_are_same: bool,
|
||||
}
|
||||
|
||||
#[derive(Template, Clone)]
|
||||
#[template(path = "user_settings/form_email_entry_partial.html")]
|
||||
pub(crate) struct FormEmailEntryListPartial {
|
||||
can_edit: bool,
|
||||
value: String,
|
||||
primary: bool,
|
||||
index: u16,
|
||||
}
|
||||
|
||||
impl Display for ProfileAttributes {
|
||||
fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
|
||||
write!(f, "{self:?}")
|
||||
}
|
||||
}
|
||||
|
||||
pub(crate) async fn view_profile_get(
|
||||
|
@ -39,7 +114,16 @@ pub(crate) async fn view_profile_get(
|
|||
) -> Result<ProfileView, WebError> {
|
||||
let uat: UserAuthToken = state
|
||||
.qe_r_ref
|
||||
.handle_whoami_uat(client_auth_info, kopid.eventid)
|
||||
.handle_whoami_uat(client_auth_info.clone(), kopid.eventid)
|
||||
.await?;
|
||||
|
||||
let (scim_person, scim_effective_access) =
|
||||
crate::https::views::admin::persons::get_person_info(
|
||||
uat.uuid,
|
||||
state,
|
||||
&kopid,
|
||||
client_auth_info.clone(),
|
||||
)
|
||||
.await?;
|
||||
|
||||
let time = time::OffsetDateTime::now_utc() + time::Duration::new(60, 0);
|
||||
|
@ -52,13 +136,210 @@ pub(crate) async fn view_profile_get(
|
|||
profile_partial: ProfilePartialView {
|
||||
menu_active_item: ProfileMenuItems::UserProfile,
|
||||
can_rw,
|
||||
account_name: uat.name().to_string(),
|
||||
display_name: uat.displayname.clone(),
|
||||
email: uat.mail_primary.clone(),
|
||||
person: scim_person,
|
||||
scim_effective_access,
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
pub(crate) async fn view_profile_diff_start_save_post(
|
||||
State(state): State<ServerState>,
|
||||
Extension(kopid): Extension<KOpId>,
|
||||
VerifiedClientInformation(client_auth_info): VerifiedClientInformation,
|
||||
DomainInfo(domain_info): DomainInfo,
|
||||
// Form must be the last parameter because it consumes the request body
|
||||
Form(query): Form<SaveProfileQuery>,
|
||||
) -> axum::response::Result<Response> {
|
||||
let uat: UserAuthToken = state
|
||||
.qe_r_ref
|
||||
.handle_whoami_uat(client_auth_info.clone(), kopid.eventid)
|
||||
.map_err(|op_err| HtmxError::new(&kopid, op_err, domain_info.clone()))
|
||||
.await?;
|
||||
|
||||
let time = time::OffsetDateTime::now_utc() + time::Duration::new(60, 0);
|
||||
let can_rw = uat.purpose_readwrite_active(time);
|
||||
// TODO: A bit overkill to request scimEffectiveAccess here.
|
||||
let (scim_person, _) = crate::https::views::admin::persons::get_person_info(
|
||||
uat.uuid,
|
||||
state,
|
||||
&kopid,
|
||||
client_auth_info.clone(),
|
||||
)
|
||||
.await?;
|
||||
|
||||
let primary_index = query
|
||||
.emails_indexes
|
||||
.iter()
|
||||
.position(|ei| ei == &query.primary_email_index)
|
||||
.unwrap_or(0);
|
||||
let new_mails = query
|
||||
.emails
|
||||
.iter()
|
||||
.enumerate()
|
||||
.map(|(ei, email)| ScimMail {
|
||||
primary: ei == primary_index,
|
||||
value: email.to_string(),
|
||||
})
|
||||
.collect();
|
||||
let old_primary_mail = scim_person
|
||||
.mails
|
||||
.iter()
|
||||
.find(|sm| sm.primary)
|
||||
.map(|sm| sm.value.clone());
|
||||
|
||||
let emails_are_same = scim_person.mails == new_mails;
|
||||
|
||||
let profile_view = ProfileChangesPartialView {
|
||||
menu_active_item: ProfileMenuItems::UserProfile,
|
||||
can_rw,
|
||||
person: scim_person,
|
||||
primary_mail: old_primary_mail,
|
||||
new_attrs: ProfileAttributes {
|
||||
account_name: query.account_name,
|
||||
display_name: query.display_name,
|
||||
emails: new_mails,
|
||||
},
|
||||
emails_are_same,
|
||||
new_primary_mail: query.emails.get(primary_index).cloned(),
|
||||
};
|
||||
|
||||
Ok((
|
||||
HxPushUrl(Uri::from_static("/ui/profile/diff")),
|
||||
profile_view,
|
||||
)
|
||||
.into_response())
|
||||
}
|
||||
|
||||
pub(crate) async fn view_profile_diff_confirm_save_post(
|
||||
State(state): State<ServerState>,
|
||||
Extension(kopid): Extension<KOpId>,
|
||||
VerifiedClientInformation(client_auth_info): VerifiedClientInformation,
|
||||
DomainInfo(domain_info): DomainInfo,
|
||||
// Form must be the last parameter because it consumes the request body
|
||||
Form(query): Form<CommitSaveProfileQuery>,
|
||||
) -> axum::response::Result<Response> {
|
||||
let uat: UserAuthToken = state
|
||||
.qe_r_ref
|
||||
.handle_whoami_uat(client_auth_info.clone(), kopid.eventid)
|
||||
.map_err(|op_err| HtmxError::new(&kopid, op_err, domain_info.clone()))
|
||||
.await?;
|
||||
|
||||
let filter = filter_all!(f_and!([f_id(uat.uuid.to_string().as_str())]));
|
||||
|
||||
if let Some(account_name) = query.account_name {
|
||||
state
|
||||
.qe_w_ref
|
||||
.handle_setattribute(
|
||||
client_auth_info.clone(),
|
||||
uat.uuid.to_string(),
|
||||
ATTR_NAME.to_string(),
|
||||
vec![account_name],
|
||||
filter.clone(),
|
||||
kopid.eventid,
|
||||
)
|
||||
.map_err(|op_err| HtmxError::new(&kopid, op_err, domain_info.clone()))
|
||||
.await?;
|
||||
}
|
||||
if let Some(display_name) = query.display_name {
|
||||
state
|
||||
.qe_w_ref
|
||||
.handle_setattribute(
|
||||
client_auth_info.clone(),
|
||||
uat.uuid.to_string(),
|
||||
ATTR_DISPLAYNAME.to_string(),
|
||||
vec![display_name],
|
||||
filter.clone(),
|
||||
kopid.eventid,
|
||||
)
|
||||
.map_err(|op_err| HtmxError::new(&kopid, op_err, domain_info.clone()))
|
||||
.await?;
|
||||
}
|
||||
let mut emails = query.emails;
|
||||
if let Some(primary) = query.new_primary_mail {
|
||||
emails.insert(0, primary);
|
||||
}
|
||||
|
||||
state
|
||||
.qe_w_ref
|
||||
.handle_setattribute(
|
||||
client_auth_info.clone(),
|
||||
uat.uuid.to_string(),
|
||||
ATTR_MAIL.to_string(),
|
||||
emails,
|
||||
filter.clone(),
|
||||
kopid.eventid,
|
||||
)
|
||||
.map_err(|op_err| HtmxError::new(&kopid, op_err, domain_info.clone()))
|
||||
.await?;
|
||||
|
||||
// TODO: These are normally not permitted, user should be prevented from changing non modifiable fields in the UI though
|
||||
// state
|
||||
// .qe_w_ref
|
||||
// .handle_setattribute(
|
||||
// client_auth_info.clone(),
|
||||
// uat.uuid.to_string(),
|
||||
// ATTR_EMAIL.to_string(),
|
||||
// vec![new_attrs.email.unwrap_or("".to_string())],
|
||||
// filter.clone(),
|
||||
// kopid.eventid,
|
||||
// )
|
||||
// .map_err(|op_err| HtmxError::new(&kopid, op_err))
|
||||
// .await?;
|
||||
//
|
||||
// state
|
||||
// .qe_w_ref
|
||||
// .handle_setattribute(
|
||||
// client_auth_info.clone(),
|
||||
// uat.uuid.to_string(),
|
||||
// ATTR_NAME.to_string(),
|
||||
// vec![new_attrs.account_name],
|
||||
// filter.clone(),
|
||||
// kopid.eventid,
|
||||
// )
|
||||
// .map_err(|op_err| HtmxError::new(&kopid, op_err))
|
||||
// .await?;
|
||||
|
||||
// TODO: Calling this here returns the old attributes
|
||||
match view_profile_get(
|
||||
State(state),
|
||||
Extension(kopid),
|
||||
VerifiedClientInformation(client_auth_info),
|
||||
DomainInfo(domain_info),
|
||||
)
|
||||
.await
|
||||
{
|
||||
Ok(_) => Ok(Redirect::to(Urls::Profile.as_ref()).into_response()),
|
||||
Err(e) => Ok(e.into_response()),
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Deserialize)]
|
||||
pub(crate) struct AddEmailQuery {
|
||||
// the last email index is passed so we can return an incremented id
|
||||
email_index: Option<u16>,
|
||||
}
|
||||
|
||||
// Sends the user a new email input to fill in :)
|
||||
pub(crate) async fn view_new_email_entry_partial(
|
||||
State(_state): State<ServerState>,
|
||||
VerifiedClientInformation(_client_auth_info): VerifiedClientInformation,
|
||||
Extension(_kopid): Extension<KOpId>,
|
||||
Query(email_query): Query<AddEmailQuery>,
|
||||
) -> axum::response::Result<Response> {
|
||||
let add_email_trigger =
|
||||
HxResponseTrigger::after_swap([HxEvent::new("addEmailSwapped".to_string())]);
|
||||
Ok((
|
||||
add_email_trigger,
|
||||
FormEmailEntryListPartial {
|
||||
can_edit: true,
|
||||
value: "".to_string(),
|
||||
primary: email_query.email_index.is_none(),
|
||||
index: email_query.email_index.map(|i| i + 1).unwrap_or(0),
|
||||
},
|
||||
)
|
||||
.into_response())
|
||||
}
|
||||
|
||||
pub(crate) async fn view_profile_unlock_get(
|
||||
State(state): State<ServerState>,
|
||||
VerifiedClientInformation(client_auth_info): VerifiedClientInformation,
|
||||
|
|
|
@ -121,6 +121,7 @@ struct SetUnixCredPartial {
|
|||
struct AddSshPublicKeyPartial {
|
||||
title_error: Option<String>,
|
||||
key_error: Option<String>,
|
||||
key_value: Option<String>,
|
||||
}
|
||||
|
||||
#[derive(Serialize, Deserialize, Debug)]
|
||||
|
@ -902,6 +903,7 @@ pub(crate) async fn view_add_ssh_publickey(
|
|||
return Ok((AddSshPublicKeyPartial {
|
||||
title_error: None,
|
||||
key_error: None,
|
||||
key_value: None,
|
||||
},)
|
||||
.into_response());
|
||||
}
|
||||
|
@ -920,6 +922,7 @@ pub(crate) async fn view_add_ssh_publickey(
|
|||
return Ok((AddSshPublicKeyPartial {
|
||||
title_error: None,
|
||||
key_error: Some("Key cannot be parsed".to_string()),
|
||||
key_value: Some(new_key.key),
|
||||
},)
|
||||
.into_response());
|
||||
}
|
||||
|
@ -965,6 +968,7 @@ pub(crate) async fn view_add_ssh_publickey(
|
|||
AddSshPublicKeyPartial {
|
||||
title_error,
|
||||
key_error,
|
||||
key_value: Some(new_key.key),
|
||||
},
|
||||
)
|
||||
.into_response())
|
||||
|
|
|
@ -2,14 +2,17 @@ use crate::actors::QueryServerReadV1;
|
|||
use crate::CoreAction;
|
||||
use futures_util::sink::SinkExt;
|
||||
use futures_util::stream::StreamExt;
|
||||
use haproxy_protocol::{ProxyHdrV2, RemoteAddress};
|
||||
use hashbrown::HashSet;
|
||||
use kanidmd_lib::idm::ldap::{LdapBoundToken, LdapResponseState};
|
||||
use kanidmd_lib::prelude::*;
|
||||
use ldap3_proto::proto::LdapMsg;
|
||||
use ldap3_proto::LdapCodec;
|
||||
use openssl::ssl::{Ssl, SslAcceptor};
|
||||
use std::net;
|
||||
use std::net::{IpAddr, SocketAddr};
|
||||
use std::pin::Pin;
|
||||
use std::str::FromStr;
|
||||
use std::sync::Arc;
|
||||
use tokio::io::{AsyncRead, AsyncWrite};
|
||||
use tokio::net::{TcpListener, TcpStream};
|
||||
use tokio::sync::broadcast;
|
||||
|
@ -33,7 +36,7 @@ impl LdapSession {
|
|||
#[instrument(name = "ldap-request", skip(client_address, qe_r_ref))]
|
||||
async fn client_process_msg(
|
||||
uat: Option<LdapBoundToken>,
|
||||
client_address: net::SocketAddr,
|
||||
client_address: SocketAddr,
|
||||
protomsg: LdapMsg,
|
||||
qe_r_ref: &'static QueryServerReadV1,
|
||||
) -> Option<LdapResponseState> {
|
||||
|
@ -50,7 +53,8 @@ async fn client_process_msg(
|
|||
|
||||
async fn client_process<STREAM>(
|
||||
stream: STREAM,
|
||||
client_address: net::SocketAddr,
|
||||
client_address: SocketAddr,
|
||||
connection_address: SocketAddr,
|
||||
qe_r_ref: &'static QueryServerReadV1,
|
||||
) where
|
||||
STREAM: AsyncRead + AsyncWrite,
|
||||
|
@ -67,6 +71,8 @@ async fn client_process<STREAM>(
|
|||
let uat = session.uat.clone();
|
||||
let caddr = client_address;
|
||||
|
||||
debug!(?client_address, ?connection_address);
|
||||
|
||||
match client_process_msg(uat, caddr, protomsg, qe_r_ref).await {
|
||||
// I'd really have liked to have put this near the [LdapResponseState::Bind] but due
|
||||
// to the handing of `audit` it isn't possible due to borrows, etc.
|
||||
|
@ -112,28 +118,65 @@ async fn client_process<STREAM>(
|
|||
}
|
||||
|
||||
async fn client_tls_accept(
|
||||
tcpstream: TcpStream,
|
||||
stream: TcpStream,
|
||||
tls_acceptor: SslAcceptor,
|
||||
client_socket_addr: net::SocketAddr,
|
||||
connection_addr: SocketAddr,
|
||||
qe_r_ref: &'static QueryServerReadV1,
|
||||
trusted_proxy_v2_ips: Option<Arc<HashSet<IpAddr>>>,
|
||||
) {
|
||||
let enable_proxy_v2_hdr = trusted_proxy_v2_ips
|
||||
.map(|trusted| trusted.contains(&connection_addr.ip()))
|
||||
.unwrap_or_default();
|
||||
|
||||
let (stream, client_addr) = if enable_proxy_v2_hdr {
|
||||
match ProxyHdrV2::parse_from_read(stream).await {
|
||||
Ok((stream, hdr)) => {
|
||||
let remote_socket_addr = match hdr.to_remote_addr() {
|
||||
RemoteAddress::Local => {
|
||||
debug!("PROXY protocol liveness check - will not contain client data");
|
||||
return;
|
||||
}
|
||||
RemoteAddress::TcpV4 { src, dst: _ } => SocketAddr::from(src),
|
||||
RemoteAddress::TcpV6 { src, dst: _ } => SocketAddr::from(src),
|
||||
remote_addr => {
|
||||
error!(?remote_addr, "remote address in proxy header is invalid");
|
||||
return;
|
||||
}
|
||||
};
|
||||
|
||||
(stream, remote_socket_addr)
|
||||
}
|
||||
Err(err) => {
|
||||
error!(?connection_addr, ?err, "Unable to process proxy v2 header");
|
||||
return;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
(stream, connection_addr)
|
||||
};
|
||||
|
||||
// Start the event
|
||||
// From the parameters we need to create an SslContext.
|
||||
let mut tlsstream = match Ssl::new(tls_acceptor.context())
|
||||
.and_then(|tls_obj| SslStream::new(tls_obj, tcpstream))
|
||||
.and_then(|tls_obj| SslStream::new(tls_obj, stream))
|
||||
{
|
||||
Ok(ta) => ta,
|
||||
Err(err) => {
|
||||
error!(?err, %client_socket_addr, "LDAP TLS setup error");
|
||||
error!(?err, %client_addr, %connection_addr, "LDAP TLS setup error");
|
||||
return;
|
||||
}
|
||||
};
|
||||
if let Err(err) = SslStream::accept(Pin::new(&mut tlsstream)).await {
|
||||
error!(?err, %client_socket_addr, "LDAP TLS accept error");
|
||||
error!(?err, %client_addr, %connection_addr, "LDAP TLS accept error");
|
||||
return;
|
||||
};
|
||||
|
||||
tokio::spawn(client_process(tlsstream, client_socket_addr, qe_r_ref));
|
||||
tokio::spawn(client_process(
|
||||
tlsstream,
|
||||
client_addr,
|
||||
connection_addr,
|
||||
qe_r_ref,
|
||||
));
|
||||
}
|
||||
|
||||
/// TLS LDAP Listener, hands off to [client_tls_accept]
|
||||
|
@ -143,6 +186,7 @@ async fn ldap_tls_acceptor(
|
|||
qe_r_ref: &'static QueryServerReadV1,
|
||||
mut rx: broadcast::Receiver<CoreAction>,
|
||||
mut tls_acceptor_reload_rx: mpsc::Receiver<SslAcceptor>,
|
||||
trusted_proxy_v2_ips: Option<Arc<HashSet<IpAddr>>>,
|
||||
) {
|
||||
loop {
|
||||
tokio::select! {
|
||||
|
@ -155,7 +199,7 @@ async fn ldap_tls_acceptor(
|
|||
match accept_result {
|
||||
Ok((tcpstream, client_socket_addr)) => {
|
||||
let clone_tls_acceptor = tls_acceptor.clone();
|
||||
tokio::spawn(client_tls_accept(tcpstream, clone_tls_acceptor, client_socket_addr, qe_r_ref));
|
||||
tokio::spawn(client_tls_accept(tcpstream, clone_tls_acceptor, client_socket_addr, qe_r_ref, trusted_proxy_v2_ips.clone()));
|
||||
}
|
||||
Err(err) => {
|
||||
warn!(?err, "LDAP acceptor error, continuing");
|
||||
|
@ -187,7 +231,7 @@ async fn ldap_plaintext_acceptor(
|
|||
accept_result = listener.accept() => {
|
||||
match accept_result {
|
||||
Ok((tcpstream, client_socket_addr)) => {
|
||||
tokio::spawn(client_process(tcpstream, client_socket_addr, qe_r_ref));
|
||||
tokio::spawn(client_process(tcpstream, client_socket_addr, client_socket_addr, qe_r_ref));
|
||||
}
|
||||
Err(e) => {
|
||||
error!("LDAP acceptor error, continuing -> {:?}", e);
|
||||
|
@ -205,6 +249,7 @@ pub(crate) async fn create_ldap_server(
|
|||
qe_r_ref: &'static QueryServerReadV1,
|
||||
rx: broadcast::Receiver<CoreAction>,
|
||||
tls_acceptor_reload_rx: mpsc::Receiver<SslAcceptor>,
|
||||
trusted_proxy_v2_ips: Option<HashSet<IpAddr>>,
|
||||
) -> Result<tokio::task::JoinHandle<()>, ()> {
|
||||
if address.starts_with(":::") {
|
||||
// takes :::xxxx to xxxx
|
||||
|
@ -212,7 +257,7 @@ pub(crate) async fn create_ldap_server(
|
|||
error!("Address '{}' looks like an attempt to wildcard bind with IPv6 on port {} - please try using ldapbindaddress = '[::]:{}'", address, port, port);
|
||||
};
|
||||
|
||||
let addr = net::SocketAddr::from_str(address).map_err(|e| {
|
||||
let addr = SocketAddr::from_str(address).map_err(|e| {
|
||||
error!("Could not parse LDAP server address {} -> {:?}", address, e);
|
||||
})?;
|
||||
|
||||
|
@ -223,6 +268,8 @@ pub(crate) async fn create_ldap_server(
|
|||
);
|
||||
})?;
|
||||
|
||||
let trusted_proxy_v2_ips = trusted_proxy_v2_ips.map(Arc::new);
|
||||
|
||||
let ldap_acceptor_handle = match opt_ssl_acceptor {
|
||||
Some(ssl_acceptor) => {
|
||||
info!("Starting LDAPS interface ldaps://{} ...", address);
|
||||
|
@ -233,6 +280,7 @@ pub(crate) async fn create_ldap_server(
|
|||
qe_r_ref,
|
||||
rx,
|
||||
tls_acceptor_reload_rx,
|
||||
trusted_proxy_v2_ips,
|
||||
))
|
||||
}
|
||||
None => tokio::spawn(ldap_plaintext_acceptor(listener, qe_r_ref, rx)),
|
||||
|
|
|
@ -1087,6 +1087,7 @@ pub async fn create_server_core(
|
|||
server_read_ref,
|
||||
broadcast_tx.subscribe(),
|
||||
ldap_tls_acceptor_reload_rx,
|
||||
config.ldap_client_address_info.trusted_proxy_v2(),
|
||||
)
|
||||
.await?;
|
||||
Some(h)
|
||||
|
|
25
server/core/static/external/forms.js
vendored
Normal file
25
server/core/static/external/forms.js
vendored
Normal file
|
@ -0,0 +1,25 @@
|
|||
// This file will contain js helpers to have some interactivity on forms that we can't achieve with pure html.
|
||||
function rehook_string_list_removers() {
|
||||
const buttons = document.getElementsByClassName("kanidm-remove-list-entry");
|
||||
for (let i = 0; i < buttons.length; i++) {
|
||||
const button = buttons.item(i)
|
||||
if (button.getAttribute("kanidm_hooked") !== null) continue
|
||||
|
||||
button.addEventListener("click", (e) => {
|
||||
// Expected html nesting: div.email-entry > div.input-group > button.kanidm-remove-list-entry
|
||||
let li = button.parentElement?.parentElement;
|
||||
if (li && li.classList.contains("email-entry")) {
|
||||
li.remove();
|
||||
}
|
||||
})
|
||||
button.setAttribute("kanidm_hooked", "")
|
||||
}
|
||||
}
|
||||
|
||||
window.onload = function () {
|
||||
rehook_string_list_removers();
|
||||
document.body.addEventListener("addEmailSwapped", () => {
|
||||
rehook_string_list_removers();
|
||||
})
|
||||
};
|
||||
|
34
server/core/static/external/htmx_bs_validation.js
vendored
Normal file
34
server/core/static/external/htmx_bs_validation.js
vendored
Normal file
|
@ -0,0 +1,34 @@
|
|||
htmx.defineExtension("bs-validation", {
|
||||
onEvent: function (name, evt) {
|
||||
let form = evt.detail.elt;
|
||||
// Htmx propagates attributes onto children like button, which would break those buttons, so we return if not a form.
|
||||
if (form.tagName !== "FORM") return;
|
||||
|
||||
// check if trigger attribute and submit event exists
|
||||
// for the form
|
||||
if (!form.hasAttribute("hx-trigger")) {
|
||||
// set trigger for custom event bs-send
|
||||
form.setAttribute("hx-trigger", "bs-send");
|
||||
|
||||
// and attach the event only once
|
||||
form.addEventListener("submit", function (event) {
|
||||
if (form.checkValidity()) {
|
||||
// trigger custom event hx-trigger="bs-send"
|
||||
htmx.trigger(form, "bsSend");
|
||||
}
|
||||
|
||||
// focus the first :invalid field
|
||||
let invalidField = form.querySelector(":invalid");
|
||||
if (invalidField) {
|
||||
invalidField.focus();
|
||||
}
|
||||
|
||||
console.log("prevented htmx send, form was invalid")
|
||||
event.preventDefault()
|
||||
event.stopPropagation()
|
||||
|
||||
form.classList.add("was-validated")
|
||||
}, false)
|
||||
}
|
||||
}
|
||||
});
|
|
@ -29,6 +29,7 @@ body {
|
|||
display: block !important;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Sidebar
|
||||
*/
|
||||
|
@ -206,3 +207,7 @@ footer {
|
|||
height: var(--icon-size);
|
||||
transform: rotate(35deg);
|
||||
}
|
||||
|
||||
.cursor-pointer:hover {
|
||||
cursor: pointer;
|
||||
}
|
|
@ -16,7 +16,7 @@
|
|||
<textarea class="form-control(% if let Some(_) = key_error %) is-invalid(% endif %)" id="key-content" rows="5" name="key"
|
||||
aria-describedby="key-validation-feedback"
|
||||
placeholder="Begins with 'ssh-rsa', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521', 'ssh-ed25519', 'sk-ecdsa-sha2-nistp256@openssh.com', or 'sk-ssh-ed25519@openssh.com'"
|
||||
></textarea>
|
||||
>(% if let Some(key_value) = key_value %)(( key_value ))(% endif %)</textarea>
|
||||
<div id="key-validation-feedback" class="invalid-feedback">
|
||||
(% if let Some(key_error) = key_error %)(( key_error ))(% endif %)
|
||||
</div>
|
||||
|
|
|
@ -3,6 +3,8 @@
|
|||
(% block title %)Profile(% endblock %)
|
||||
|
||||
(% block head %)
|
||||
<script src="/pkg/external/forms.js"></script>
|
||||
<script src="/pkg/external/htmx_bs_validation.js"></script>
|
||||
(% endblock %)
|
||||
|
||||
(% block main %)
|
||||
|
|
|
@ -0,0 +1,17 @@
|
|||
<div class="email-entry">
|
||||
<input hidden class="email-index-state" type="text" name="email_index" value="((index))">
|
||||
<div class="input-group mb-1">
|
||||
|
||||
<div class="input-group-text">
|
||||
<input class="form-check-input mt-0" name="primary_email_index" type="radio" value="((index))" aria-label="Primary email radio button for following text input" (% if primary %) checked (% endif %)(% if !can_edit %) disabled (% endif %)>
|
||||
</div>
|
||||
|
||||
(% if can_edit %)
|
||||
<input type="email" aria-label="Email address input ((index))" class="form-control" name="emails[]" value="(( value ))" hx-validate="true" required>
|
||||
<button type="button" class="btn btn-secondary kanidm-remove-list-entry">Remove</button>
|
||||
(% else %)
|
||||
<input type="email" aria-label="Email address input ((index))" class="form-control" name="emails[]" value="(( value ))" hx-validate="true" required disabled>
|
||||
(% endif %)
|
||||
</div>
|
||||
<div class="invalid-feedback">Please enter a valid email address.</div>
|
||||
</div>
|
|
@ -0,0 +1,7 @@
|
|||
<li class="mb-2">
|
||||
<div class="input-group">
|
||||
<input type="(( type ))" class="form-control" name="(( name ))" value="(( value ))" hx-validate="true" required>
|
||||
(% if can_rw %)<button type="button" class="btn btn-secondary kanidm-remove-list-entry">Remove</button>(% endif %)
|
||||
</div>
|
||||
<div class="invalid-feedback">(( invalid_feedback ))</div>
|
||||
</li>
|
104
server/core/templates/user_settings/profile_changes_partial.html
Normal file
104
server/core/templates/user_settings/profile_changes_partial.html
Normal file
|
@ -0,0 +1,104 @@
|
|||
(% extends "user_settings_partial_base.html" %)
|
||||
|
||||
(% block selected_setting_group %)
|
||||
Profile Difference
|
||||
(% endblock %)
|
||||
|
||||
(% block settings_vertical_point %)lg(% endblock %)
|
||||
|
||||
(% block settings_window %)
|
||||
|
||||
<form>
|
||||
(% if person.name != new_attrs.account_name %)
|
||||
<input type="hidden" name="account_name" value="(( new_attrs.account_name ))"/>
|
||||
(% endif %)
|
||||
(% if person.displayname != new_attrs.display_name %)
|
||||
<input type="hidden" name="display_name" value="(( new_attrs.display_name ))"/>
|
||||
(% endif %)
|
||||
|
||||
(% for email in new_attrs.emails %)
|
||||
(% if !email.primary %)
|
||||
<input type="hidden" name="emails[]" value="(( email.value ))"/>
|
||||
(% endif %)
|
||||
(% endfor %)
|
||||
(% if let Some(new_primary_mail) = new_primary_mail %)
|
||||
<input type="hidden" name="new_primary_mail" value="(( new_primary_mail ))"/>
|
||||
(% endif %)
|
||||
|
||||
<table class="table table-bordered overflow-x-scroll">
|
||||
<thead>
|
||||
<tr>
|
||||
<th scope="col">Attribute</th>
|
||||
<th scope="col">Old value</th>
|
||||
<th scope="col">New value</th>
|
||||
</tr>
|
||||
</thead>
|
||||
(% if person.name != new_attrs.account_name %)
|
||||
<tr>
|
||||
<th scope="row">Username</th>
|
||||
<td class="text-break">(( person.name ))</td>
|
||||
<td class="text-break">(( new_attrs.account_name ))</td>
|
||||
</tr>
|
||||
(% endif %)
|
||||
|
||||
(% if person.displayname != new_attrs.display_name %)
|
||||
<tr>
|
||||
<th scope="row">Display name</th>
|
||||
<td class="text-break">(( person.displayname ))</td>
|
||||
<td class="text-break">(( new_attrs.display_name ))</td>
|
||||
</tr>
|
||||
(% endif %)
|
||||
(% if !emails_are_same %)
|
||||
<tr>
|
||||
<th scope="row">Primary Emails</th>
|
||||
<td class="text-nowrap">
|
||||
(( primary_mail.clone().unwrap_or("none".to_string()) ))
|
||||
</td>
|
||||
<td class="text-nowrap">
|
||||
(( new_primary_mail.clone().unwrap_or("none".to_string()) ))
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th scope="row">Secondary Emails</th>
|
||||
<td class="text-break">
|
||||
<ul class="ps-3">
|
||||
(% for email in person.mails %)
|
||||
(% if !email.primary %)
|
||||
<li class="text-nowrap">(( email.value ))</li>
|
||||
(% endif %)
|
||||
(% endfor %)
|
||||
</ul>
|
||||
</td>
|
||||
<td class="text-break">
|
||||
<ul class="ps-3">
|
||||
(% for email in new_attrs.emails %)
|
||||
(% if !email.primary %)
|
||||
<li class="text-nowrap">(( email.value ))</li>
|
||||
(% endif %)
|
||||
(% endfor %)
|
||||
</ul>
|
||||
</td>
|
||||
</tr>
|
||||
(% endif %)
|
||||
</table>
|
||||
|
||||
<div class="pt-4" hx-target="#user_settings_container" hx-swap="outerHTML">
|
||||
(% if can_rw %)
|
||||
<button class="btn btn-danger" type="button" hx-get="/ui/profile" hx-target="body" hx-swap="outerHTML">Discard
|
||||
Changes
|
||||
</button>
|
||||
<button class="btn btn-primary" type="button" hx-post="/ui/api/user_settings/confirm_profile" hx-target="body"
|
||||
hx-swap="outerHTML">Confirm Changes
|
||||
</button>
|
||||
(% else %)
|
||||
<a href="/ui/profile/unlock" hx-boost="false">
|
||||
<!-- TODO: at the moment, session expiring here means progress is lost. Do we just show an error screen ? We can't pass the update state through the reauth session, and we don't have profile update sessions like cred update. -->
|
||||
<button class="btn btn-primary" type="button">Unlock Confirm 🔓</button>
|
||||
</a>
|
||||
(% endif %)
|
||||
</div>
|
||||
|
||||
</form>
|
||||
|
||||
(% endblock %)
|
||||
|
|
@ -4,40 +4,78 @@
|
|||
Profile
|
||||
(% endblock %)
|
||||
|
||||
(% macro string_attr(dispname, name, value, editable, attribute) %)
|
||||
(% if scim_effective_access.search.check(attribute|as_ref) %)
|
||||
<div class="row g-0 mt-3">
|
||||
<label for="person(( name ))" class="col-12 col-md-3 col-lg-2 col-form-label fw-bold py-0">(( dispname ))</label>
|
||||
<div class="col-12 col-md-8 col-lg-6">
|
||||
(% if scim_effective_access.modify_present.check(attribute|as_ref) %)
|
||||
<input class="form-control py-0" id="person(( name ))" name="(( name ))" value="(( value ))">
|
||||
(% else %)
|
||||
<input readonly class="form-control-plaintext py-0" id="person(( name ))" name="(( name ))" value="(( value ))">
|
||||
(% endif %)
|
||||
</div>
|
||||
</div>
|
||||
(% endif %)
|
||||
(% endmacro %)
|
||||
|
||||
(% block settings_window %)
|
||||
|
||||
<form>
|
||||
<div class="mb-2 row">
|
||||
<label for="profileUserName" class="col-12 col-md-3 col-xl-2 col-form-label">User name</label>
|
||||
<div class="col-12 col-md-6 col-lg-5">
|
||||
<input type="text" readonly class="form-control-plaintext" id="profileUserName" value="(( account_name ))">
|
||||
</div>
|
||||
</div>
|
||||
<form id="user_settings_container" class="needs-validation"
|
||||
hx-post="/ui/api/user_settings/edit_profile"
|
||||
hx-target="#main"
|
||||
hx-swap="outerHTML"
|
||||
hx-validate="true"
|
||||
hx-ext="bs-validation"
|
||||
novalidate>
|
||||
(% call string_attr("Name", "name", person.name, true, Attribute::Name) %)
|
||||
|
||||
<div class="mb-2 row">
|
||||
<label for="profileDisplayName" class="col-12 col-md-3 col-xl-2 col-form-label">Display name</label>
|
||||
<div class="col-12 col-md-6 col-lg-5">
|
||||
<input type="text" class="form-control-plaintext" id="profileDisplayName" value="(( display_name ))" disabled>
|
||||
(% call string_attr("Displayname", "displayname", person.displayname, true, Attribute::DisplayName) %)
|
||||
|
||||
<div class="mb-2">
|
||||
<div class="mt-3 mb-2 col-12 col-md-11 col-lg-8">
|
||||
<label for="profileEmail" class="fw-bold">Email addresses (% if can_rw %)(selected => primary)(% else %)(select primary)(% endif %)</label>
|
||||
(% if can_rw %)
|
||||
<a class="cursor-pointer float-end"
|
||||
hx-boost="true"
|
||||
hx-get="/ui/api/user_settings/add_email"
|
||||
hx-target="#emailAddresses"
|
||||
hx-include="#emailAddresses :last-child .email-index-state"
|
||||
hx-swap="beforeend">
|
||||
<svg xmlns="http://www.w3.org/2000/svg" fill="currentColor" class="bi bi-plus-square"
|
||||
viewBox="0 0 16 16" width="20" height="20">
|
||||
<path d="M14 1a1 1 0 0 1 1 1v12a1 1 0 0 1-1 1H2a1 1 0 0 1-1-1V2a1 1 0 0 1 1-1zM2 0a2 2 0 0 0-2 2v12a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V2a2 2 0 0 0-2-2z"></path>
|
||||
<path d="M8 4a.5.5 0 0 1 .5.5v3h3a.5.5 0 0 1 0 1h-3v3a.5.5 0 0 1-1 0v-3h-3a.5.5 0 0 1 0-1h3v-3A.5.5 0 0 1 8 4"></path>
|
||||
</svg>
|
||||
</a>
|
||||
(% endif %)
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div class="mb-2 row">
|
||||
<label for="profileEmail" class="col-12 col-md-3 col-xl-2 col-form-label">Email</label>
|
||||
<div class="col-12 col-md-6 col-lg-5">
|
||||
<input type="email" disabled class="form-control-plaintext" id="profileEmail" value="(( email.clone().unwrap_or("None configured".to_string())))">
|
||||
<div>
|
||||
<div class="row g-0">
|
||||
<div class="col-12 col-md-11 col-lg-8" id="emailAddresses">
|
||||
(% for (index, email) in person.mails.iter().enumerate() %)
|
||||
(% let value = email.value.clone() %)
|
||||
(% let primary = email.primary %)
|
||||
(% let can_edit = scim_effective_access.modify_present.check(Attribute::Mail|as_ref) %)
|
||||
|
||||
(% include "user_settings/form_email_entry_partial.html" %)
|
||||
|
||||
(% endfor %)
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<!-- Edit button -->
|
||||
<!-- <div class="pt-4">
|
||||
<div class="pt-4">
|
||||
(% if can_rw %)
|
||||
<button class="btn btn-primary" type="button" hx-post="/ui/api/user_settings/edit_profile" disabled>Edit (Currently Not Working!)</button>
|
||||
<button class="btn btn-primary" type="submit">Save</button>
|
||||
(% else %)
|
||||
<a href=(Urls::ProfileUnlock) hx-boost="false">
|
||||
<button class="btn btn-primary" type="button">((UiMessage::UnlockEdit))</button>
|
||||
</a>
|
||||
<a href="/ui/profile/unlock" hx-boost="false">
|
||||
<button class="btn btn-primary" type="button">Unlock Edit 🔒</button>
|
||||
</a>
|
||||
(% endif %)
|
||||
</div> -->
|
||||
</div>
|
||||
</form>
|
||||
|
||||
(% endblock %)
|
||||
|
|
|
@ -2417,7 +2417,7 @@ mod tests {
|
|||
let lims = Limits::unlimited();
|
||||
|
||||
let r = be.search(&lims, &filt);
|
||||
assert!(r.expect("Search failed!").len() == 0);
|
||||
assert!(r.expect("Search failed!").is_empty());
|
||||
});
|
||||
}
|
||||
|
||||
|
|
|
@ -145,8 +145,8 @@ impl Totp {
|
|||
|
||||
// Create a new token with secure key and algo.
|
||||
pub fn generate_secure(step: u64) -> Self {
|
||||
let mut rng = rand::thread_rng();
|
||||
let secret: Vec<u8> = (0..SECRET_SIZE_BYTES).map(|_| rng.gen()).collect();
|
||||
let mut rng = rand::rng();
|
||||
let secret: Vec<u8> = (0..SECRET_SIZE_BYTES).map(|_| rng.random()).collect();
|
||||
let algo = TotpAlgo::Sha256;
|
||||
let digits = TotpDigits::Six;
|
||||
Totp {
|
||||
|
|
|
@ -17,6 +17,7 @@ use webauthn_rs::prelude::{
|
|||
AttestedPasskey as AttestedPasskeyV4, AttestedPasskeyRegistration, CreationChallengeResponse,
|
||||
Passkey as PasskeyV4, PasskeyRegistration, RegisterPublicKeyCredential, WebauthnError,
|
||||
};
|
||||
use zxcvbn::{zxcvbn, Score};
|
||||
|
||||
use crate::credential::totp::{Totp, TOTP_DEFAULT_STEP};
|
||||
use crate::credential::{BackupCodes, Credential};
|
||||
|
@ -1663,23 +1664,14 @@ impl IdmServerCredUpdateTransaction<'_> {
|
|||
}
|
||||
|
||||
// does the password pass zxcvbn?
|
||||
let entropy = zxcvbn::zxcvbn(cleartext, related_inputs).map_err(|e| {
|
||||
admin_error!("zxcvbn check failure (password empty?) {:?}", e);
|
||||
// Return some generic feedback when the password is this bad.
|
||||
PasswordQuality::Feedback(vec![
|
||||
PasswordFeedback::UseAFewWordsAvoidCommonPhrases,
|
||||
PasswordFeedback::AddAnotherWordOrTwo,
|
||||
PasswordFeedback::NoNeedForSymbolsDigitsOrUppercaseLetters,
|
||||
])
|
||||
})?;
|
||||
let entropy = zxcvbn(cleartext, related_inputs);
|
||||
|
||||
// PW's should always be enforced as strong as possible.
|
||||
if entropy.score() < 4 {
|
||||
if entropy.score() < Score::Four {
|
||||
// The password is too week as per:
|
||||
// https://docs.rs/zxcvbn/2.0.0/zxcvbn/struct.Entropy.html
|
||||
let feedback: zxcvbn::feedback::Feedback = entropy
|
||||
.feedback()
|
||||
.as_ref()
|
||||
.ok_or(OperationError::InvalidState)
|
||||
.cloned()
|
||||
.map_err(|e| {
|
||||
|
@ -3405,7 +3397,7 @@ mod tests {
|
|||
assert!(
|
||||
matches!(
|
||||
c_status.mfaregstate,
|
||||
MfaRegStateStatus::TotpNameTryAgain(ref val) if val == ""
|
||||
MfaRegStateStatus::TotpNameTryAgain(ref val) if val.is_empty()
|
||||
),
|
||||
"{:?}",
|
||||
c_status.mfaregstate
|
||||
|
|
|
@ -1209,7 +1209,7 @@ mod tests {
|
|||
// Searching a malformed spn shouldn't cause the query to fail
|
||||
let sr = SearchRequest {
|
||||
msgid: 1,
|
||||
base: format!("dc=example,dc=com"),
|
||||
base: "dc=example,dc=com".to_string(),
|
||||
scope: LdapSearchScope::Subtree,
|
||||
filter: LdapFilter::Or(vec![
|
||||
LdapFilter::Equality(Attribute::Name.to_string(), usr_name.to_string()),
|
||||
|
@ -1232,7 +1232,7 @@ mod tests {
|
|||
|
||||
let sr = SearchRequest {
|
||||
msgid: 1,
|
||||
base: format!("dc=example,dc=com"),
|
||||
base: "dc=example,dc=com".to_string(),
|
||||
scope: LdapSearchScope::Subtree,
|
||||
filter: LdapFilter::And(vec![
|
||||
LdapFilter::Equality(Attribute::Name.to_string(), usr_name.to_string()),
|
||||
|
|
|
@ -2992,11 +2992,12 @@ fn validate_scopes(req_scopes: &BTreeSet<String>) -> Result<(), Oauth2Error> {
|
|||
#[cfg(any(feature = "dev-oauth2-device-flow", test))]
|
||||
#[allow(dead_code)]
|
||||
fn gen_device_code() -> Result<[u8; 16], Oauth2Error> {
|
||||
let mut rng = rand::thread_rng();
|
||||
use rand::TryRngCore;
|
||||
|
||||
let mut rng = rand::rng();
|
||||
let mut result = [0u8; 16];
|
||||
// doing it here because of feature-shenanigans.
|
||||
use rand::Rng;
|
||||
if let Err(err) = rng.try_fill(&mut result) {
|
||||
if let Err(err) = rng.try_fill_bytes(&mut result) {
|
||||
error!("Failed to generate device code! {:?}", err);
|
||||
return Err(Oauth2Error::ServerError(OperationError::Backend));
|
||||
}
|
||||
|
@ -3009,8 +3010,8 @@ fn gen_device_code() -> Result<[u8; 16], Oauth2Error> {
|
|||
/// Returns (xxx-yyy-zzz, digits) where one's the human-facing code, the other is what we store in the DB.
|
||||
fn gen_user_code() -> (String, u32) {
|
||||
use rand::Rng;
|
||||
let mut rng = rand::thread_rng();
|
||||
let num: u32 = rng.gen_range(0..=999999999);
|
||||
let mut rng = rand::rng();
|
||||
let num: u32 = rng.random_range(0..=999999999);
|
||||
let result = format!("{:09}", num);
|
||||
(
|
||||
format!("{}-{}-{}", &result[0..3], &result[3..6], &result[6..9]),
|
||||
|
@ -3100,6 +3101,7 @@ mod tests {
|
|||
$code_challenge:expr,
|
||||
$scope:expr
|
||||
) => {{
|
||||
#[allow(clippy::unnecessary_to_owned)]
|
||||
let scope: BTreeSet<String> = $scope.split(" ").map(|s| s.to_string()).collect();
|
||||
|
||||
let auth_req = AuthorisationRequest {
|
||||
|
@ -7312,10 +7314,7 @@ mod tests {
|
|||
&Url::parse(example_is_not_local)
|
||||
.expect("Failed to parse example.com as a host?")
|
||||
.host()
|
||||
.expect(&format!(
|
||||
"Couldn't get a host from {}",
|
||||
example_is_not_local
|
||||
))
|
||||
.unwrap_or_else(|| panic!("Couldn't get a host from {}", example_is_not_local))
|
||||
));
|
||||
|
||||
let test_urls = [
|
||||
|
|
|
@ -21,6 +21,7 @@ use tokio::sync::{Mutex, Semaphore};
|
|||
use tracing::trace;
|
||||
use url::Url;
|
||||
use webauthn_rs::prelude::{Webauthn, WebauthnBuilder};
|
||||
use zxcvbn::{zxcvbn, Score};
|
||||
|
||||
use super::event::ReadBackupCodeEvent;
|
||||
use super::ldap::{LdapBoundToken, LdapSession};
|
||||
|
@ -235,7 +236,7 @@ impl IdmServer {
|
|||
let qs_read = self.qs.read().await?;
|
||||
|
||||
let mut sid = [0; 4];
|
||||
let mut rng = StdRng::from_entropy();
|
||||
let mut rng = StdRng::from_os_rng();
|
||||
rng.fill(&mut sid);
|
||||
|
||||
Ok(IdmServerAuthTransaction {
|
||||
|
@ -278,7 +279,7 @@ impl IdmServer {
|
|||
let qs_write = self.qs.write(ts).await?;
|
||||
|
||||
let mut sid = [0; 4];
|
||||
let mut rng = StdRng::from_entropy();
|
||||
let mut rng = StdRng::from_os_rng();
|
||||
rng.fill(&mut sid);
|
||||
|
||||
Ok(IdmServerProxyWriteTransaction {
|
||||
|
@ -1657,18 +1658,14 @@ impl IdmServerProxyWriteTransaction<'_> {
|
|||
|
||||
// does the password pass zxcvbn?
|
||||
|
||||
let entropy = zxcvbn::zxcvbn(cleartext, related_inputs).map_err(|e| {
|
||||
admin_error!("zxcvbn check failure (password empty?) {:?}", e);
|
||||
OperationError::PasswordQuality(vec![PasswordFeedback::TooShort(PW_MIN_LENGTH)])
|
||||
})?;
|
||||
let entropy = zxcvbn(cleartext, related_inputs);
|
||||
|
||||
// Unix PW's are a single factor, so we enforce good pws
|
||||
if entropy.score() < 4 {
|
||||
if entropy.score() < Score::Four {
|
||||
// The password is too week as per:
|
||||
// https://docs.rs/zxcvbn/2.0.0/zxcvbn/struct.Entropy.html
|
||||
let feedback: zxcvbn::feedback::Feedback = entropy
|
||||
.feedback()
|
||||
.as_ref()
|
||||
.ok_or(OperationError::InvalidState)
|
||||
.cloned()
|
||||
.inspect_err(|err| {
|
||||
|
|
|
@ -217,9 +217,9 @@ impl EntryChangeState {
|
|||
}
|
||||
|
||||
#[cfg(test)]
|
||||
pub(crate) fn get_attr_cid(&self, attr: Attribute) -> Option<&Cid> {
|
||||
pub(crate) fn get_attr_cid(&self, attr: &Attribute) -> Option<&Cid> {
|
||||
match &self.st {
|
||||
State::Live { at: _, changes } => changes.get(&attr),
|
||||
State::Live { at: _, changes } => changes.get(attr),
|
||||
State::Tombstone { at: _ } => None,
|
||||
}
|
||||
}
|
||||
|
|
|
@ -705,7 +705,7 @@ async fn test_repl_increment_basic_deleted_attr(server_a: &QueryServer, server_b
|
|||
let e1_cs = e1.get_changestate();
|
||||
let e2_cs = e2.get_changestate();
|
||||
assert_eq!(e1_cs, e2_cs);
|
||||
assert!(e1_cs.get_attr_cid(Attribute::Description).is_some());
|
||||
assert!(e1_cs.get_attr_cid(&Attribute::Description).is_some());
|
||||
|
||||
server_b_txn.commit().expect("Failed to commit");
|
||||
drop(server_a_txn);
|
||||
|
|
|
@ -186,7 +186,7 @@ mod tests {
|
|||
|
||||
match desc {
|
||||
ScimValueKanidm::String(gdesc) if gdesc == "Group Description" => {}
|
||||
_ => assert!(false),
|
||||
_ => unreachable!("Expected a string"),
|
||||
};
|
||||
|
||||
// null removes attr
|
||||
|
@ -201,7 +201,7 @@ mod tests {
|
|||
.expect("Failed to resolve data type");
|
||||
|
||||
let updated_entry = server_txn.scim_put(put_event).expect("Failed to put");
|
||||
assert!(updated_entry.attrs.get(&Attribute::Description).is_none());
|
||||
assert!(!updated_entry.attrs.contains_key(&Attribute::Description));
|
||||
|
||||
// set one
|
||||
let put = ScimEntryPutKanidm {
|
||||
|
@ -234,7 +234,7 @@ mod tests {
|
|||
value: "extra_1@example.com".to_string(),
|
||||
}));
|
||||
}
|
||||
_ => assert!(false),
|
||||
_ => unreachable!("Expected 1 member"),
|
||||
};
|
||||
|
||||
// set many
|
||||
|
@ -285,7 +285,7 @@ mod tests {
|
|||
value: "extra_3@example.com".to_string(),
|
||||
}));
|
||||
}
|
||||
_ => assert!(false),
|
||||
_ => unreachable!("Expected 3 members"),
|
||||
};
|
||||
|
||||
// set many with a removal
|
||||
|
@ -333,7 +333,7 @@ mod tests {
|
|||
value: "extra_2@example.com".to_string(),
|
||||
}));
|
||||
}
|
||||
_ => assert!(false),
|
||||
_ => unreachable!("Expected 2 members"),
|
||||
};
|
||||
|
||||
// empty set removes attr
|
||||
|
@ -348,6 +348,6 @@ mod tests {
|
|||
.expect("Failed to resolve data type");
|
||||
|
||||
let updated_entry = server_txn.scim_put(put_event).expect("Failed to put");
|
||||
assert!(updated_entry.attrs.get(&Attribute::Member).is_none());
|
||||
assert!(!updated_entry.attrs.contains_key(&Attribute::Member));
|
||||
}
|
||||
}
|
||||
|
|
|
@ -4,12 +4,19 @@ use crate::schema::Schema;
|
|||
|
||||
pub struct TestConfiguration {
|
||||
pub domain_level: DomainVersion,
|
||||
// This is literally here to make clippy happy, just leave it alone!
|
||||
// if you don't believe me then remove it and run 'cargo clippy --all-targets' it'll complain
|
||||
// about "struct update has no effect, all the fields in the struct have already been specified"
|
||||
// because the domain_level was set, then we ..Default::default() the "rest"
|
||||
#[allow(dead_code)]
|
||||
pub ignore_this_field: bool,
|
||||
}
|
||||
|
||||
impl Default for TestConfiguration {
|
||||
fn default() -> Self {
|
||||
TestConfiguration {
|
||||
domain_level: DOMAIN_TGT_LEVEL,
|
||||
ignore_this_field: false,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -2,8 +2,8 @@
|
|||
|
||||
use crate::prelude::*;
|
||||
use hashbrown::HashSet;
|
||||
use rand::distributions::{Distribution, Uniform};
|
||||
use rand::{thread_rng, Rng};
|
||||
use rand::distr::{Distribution, Uniform};
|
||||
use rand::{rng, Rng};
|
||||
use std::ops::Range;
|
||||
|
||||
#[derive(Debug)]
|
||||
|
@ -35,7 +35,7 @@ pub fn uuid_from_duration(d: Duration, sid: Sid) -> Uuid {
|
|||
}
|
||||
|
||||
pub(crate) fn password_from_random_len(len: u32) -> String {
|
||||
thread_rng()
|
||||
rng()
|
||||
.sample_iter(&DistinctAlpha)
|
||||
.take(len as usize)
|
||||
.collect::<String>()
|
||||
|
@ -52,7 +52,7 @@ pub fn backup_code_from_random() -> HashSet<String> {
|
|||
pub fn readable_password_from_random() -> String {
|
||||
// 2^112 bits, means we need at least 55^20 to have as many bits of entropy.
|
||||
// this leads us to 4 groups of 5 to create 55^20
|
||||
let mut trng = thread_rng();
|
||||
let mut trng = rng();
|
||||
format!(
|
||||
"{}-{}-{}-{}",
|
||||
(&mut trng)
|
||||
|
@ -80,8 +80,9 @@ impl Distribution<char> for DistinctAlpha {
|
|||
const GEN_ASCII_STR_CHARSET: &[u8] = b"ABCDEFGHJKLMNPQRSTUVWXYZ\
|
||||
abcdefghjkpqrstuvwxyz\
|
||||
0123456789";
|
||||
|
||||
let range = Uniform::new(0, RANGE);
|
||||
// TODO: this needs to handle the error, maybe?
|
||||
#[allow(clippy::expect_used)]
|
||||
let range = Uniform::new(0, RANGE).expect("Failed to get a uniform range");
|
||||
|
||||
let n = range.sample(rng);
|
||||
GEN_ASCII_STR_CHARSET[n as usize] as char
|
||||
|
|
|
@ -683,10 +683,10 @@ mod tests {
|
|||
"value": "claire@example.com"
|
||||
}
|
||||
]"#;
|
||||
crate::valueset::scim_json_reflexive(vs.clone(), data);
|
||||
crate::valueset::scim_json_reflexive(&vs, data);
|
||||
|
||||
// Test that we can parse json values into a valueset.
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetEmailAddress>(vs, &[])
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetEmailAddress>(&vs, &[])
|
||||
}
|
||||
|
||||
#[test]
|
||||
|
@ -711,9 +711,9 @@ mod tests {
|
|||
}
|
||||
]"#;
|
||||
|
||||
crate::valueset::scim_json_reflexive(vs.clone(), data);
|
||||
crate::valueset::scim_json_reflexive(&vs, data);
|
||||
|
||||
// Test that we can parse json values into a valueset.
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetAddress>(vs, &[])
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetAddress>(&vs, &[])
|
||||
}
|
||||
}
|
||||
|
|
|
@ -381,6 +381,6 @@ mod tests {
|
|||
}
|
||||
]
|
||||
"#;
|
||||
crate::valueset::scim_json_reflexive(vs, data);
|
||||
crate::valueset::scim_json_reflexive(&vs, data);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -400,6 +400,6 @@ mod tests {
|
|||
}
|
||||
]
|
||||
"#;
|
||||
crate::valueset::scim_json_reflexive(vs, data);
|
||||
crate::valueset::scim_json_reflexive(&vs, data);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -185,9 +185,9 @@ mod tests {
|
|||
#[test]
|
||||
fn test_scim_boolean() {
|
||||
let vs: ValueSet = ValueSetBool::new(true);
|
||||
crate::valueset::scim_json_reflexive(vs.clone(), "true");
|
||||
crate::valueset::scim_json_reflexive(&vs, "true");
|
||||
|
||||
// Test that we can parse json values into a valueset.
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetBool>(vs, &[])
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetBool>(&vs, &[])
|
||||
}
|
||||
}
|
||||
|
|
|
@ -352,6 +352,6 @@ raBy6edj7W0EIH+yQxkDEwIhAI0nVKaI6duHLAvtKW6CfEQFG6jKg7dyk37YYiRD
|
|||
assert_eq!(cert.s256, expect_s256);
|
||||
|
||||
// Test that we can parse json values into a valueset.
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetCertificate>(vs, &[])
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetCertificate>(&vs, &[])
|
||||
}
|
||||
}
|
||||
|
|
|
@ -193,6 +193,6 @@ mod tests {
|
|||
let vs: ValueSet = ValueSetCid::new(Cid::new_zero());
|
||||
|
||||
let data = r#""00000000000000000000000000000000-00000000-0000-0000-0000-000000000000""#;
|
||||
crate::valueset::scim_json_reflexive(vs, data);
|
||||
crate::valueset::scim_json_reflexive(&vs, data);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1183,15 +1183,15 @@ mod tests {
|
|||
}
|
||||
]
|
||||
"#;
|
||||
crate::valueset::scim_json_reflexive(vs, data);
|
||||
crate::valueset::scim_json_reflexive(&vs, data);
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn test_scim_credential_type() {
|
||||
let vs: ValueSet = ValueSetCredentialType::new(CredentialType::Mfa);
|
||||
crate::valueset::scim_json_reflexive(vs.clone(), r#""mfa""#);
|
||||
crate::valueset::scim_json_reflexive(&vs, r#""mfa""#);
|
||||
|
||||
// Test that we can parse json values into a valueset.
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetCredentialType>(vs, &[])
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetCredentialType>(&vs, &[])
|
||||
}
|
||||
}
|
||||
|
|
|
@ -210,9 +210,9 @@ mod tests {
|
|||
let odt = OffsetDateTime::UNIX_EPOCH + Duration::from_secs(69_420);
|
||||
let vs: ValueSet = ValueSetDateTime::new(odt);
|
||||
|
||||
crate::valueset::scim_json_reflexive(vs.clone(), r#""1970-01-01T19:17:00Z""#);
|
||||
crate::valueset::scim_json_reflexive(&vs, r#""1970-01-01T19:17:00Z""#);
|
||||
|
||||
// Test that we can parse json values into a valueset.
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetDateTime>(vs, &[])
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetDateTime>(&vs, &[])
|
||||
}
|
||||
}
|
||||
|
|
|
@ -183,9 +183,6 @@ mod tests {
|
|||
fn test_scim_hexstring() {
|
||||
let vs: ValueSet =
|
||||
ValueSetHexString::new("D68475C760A7A0F6A924C28F095573A967F600D6".to_string());
|
||||
crate::valueset::scim_json_reflexive(
|
||||
vs.clone(),
|
||||
r#""D68475C760A7A0F6A924C28F095573A967F600D6""#,
|
||||
);
|
||||
crate::valueset::scim_json_reflexive(&vs, r#""D68475C760A7A0F6A924C28F095573A967F600D6""#);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,3 +1,5 @@
|
|||
use std::io::Cursor;
|
||||
|
||||
use image::codecs::jpeg::JpegDecoder;
|
||||
use image::ImageDecoder;
|
||||
use sketching::*;
|
||||
|
@ -79,9 +81,9 @@ pub fn has_trailer(contents: &Vec<u8>) -> Result<bool, ImageValidationError> {
|
|||
pub fn validate_decoding(
|
||||
filename: &str,
|
||||
contents: &[u8],
|
||||
limits: image::io::Limits,
|
||||
limits: image::Limits,
|
||||
) -> Result<(), ImageValidationError> {
|
||||
let mut decoder = match JpegDecoder::new(contents) {
|
||||
let mut decoder = match JpegDecoder::new(Cursor::new(contents)) {
|
||||
Ok(val) => val,
|
||||
Err(err) => {
|
||||
return Err(ImageValidationError::InvalidImage(format!(
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
#![allow(dead_code)]
|
||||
use crate::valueset::ScimResolveStatus;
|
||||
use std::fmt::Display;
|
||||
use std::io::Cursor;
|
||||
|
||||
use crate::be::dbvalue::DbValueImage;
|
||||
use crate::prelude::*;
|
||||
|
@ -37,8 +38,8 @@ pub trait ImageValueThings {
|
|||
/// A sha256 of the filename/type/contents
|
||||
fn hash_imagevalue(&self) -> String;
|
||||
|
||||
fn get_limits(&self) -> image::io::Limits {
|
||||
let mut limits = image::io::Limits::default();
|
||||
fn get_limits(&self) -> image::Limits {
|
||||
let mut limits = image::Limits::default();
|
||||
limits.max_image_height = Some(MAX_IMAGE_HEIGHT);
|
||||
limits.max_image_width = Some(MAX_IMAGE_WIDTH);
|
||||
limits
|
||||
|
@ -148,7 +149,7 @@ impl ImageValueThings for ImageValue {
|
|||
|
||||
/// validate the GIF file contents, and that it's actually a GIF
|
||||
fn validate_is_gif(&self) -> Result<(), ImageValidationError> {
|
||||
let Ok(mut decoder) = GifDecoder::new(&self.contents[..]) else {
|
||||
let Ok(mut decoder) = GifDecoder::new(Cursor::new(&self.contents[..])) else {
|
||||
return Err(ImageValidationError::InvalidImage(
|
||||
"Failed to parse GIF".to_string(),
|
||||
));
|
||||
|
@ -189,7 +190,7 @@ impl ImageValueThings for ImageValue {
|
|||
));
|
||||
}
|
||||
|
||||
let Ok(mut decoder) = WebPDecoder::new(&self.contents[..]) else {
|
||||
let Ok(mut decoder) = WebPDecoder::new(Cursor::new(&self.contents[..])) else {
|
||||
return Err(ImageValidationError::InvalidImage(
|
||||
"Failed to parse WebP file".to_string(),
|
||||
));
|
||||
|
@ -532,7 +533,7 @@ mod tests {
|
|||
"142dc7984dd548dd5dacfe2ad30f8473e3217e39b3b6c8d17a0cf6e4e24b02e0"
|
||||
]"#;
|
||||
|
||||
crate::valueset::scim_json_reflexive(vs.clone(), data);
|
||||
crate::valueset::scim_json_reflexive(&vs, data);
|
||||
}
|
||||
*/
|
||||
}
|
||||
|
|
|
@ -226,9 +226,9 @@ mod tests {
|
|||
#[test]
|
||||
fn test_scim_iname() {
|
||||
let vs: ValueSet = ValueSetIname::new("stevo");
|
||||
crate::valueset::scim_json_reflexive(vs.clone(), r#""stevo""#);
|
||||
crate::valueset::scim_json_reflexive(&vs, r#""stevo""#);
|
||||
|
||||
// Test that we can parse json values into a valueset.
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetIname>(vs, &[])
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetIname>(&vs, &[])
|
||||
}
|
||||
}
|
||||
|
|
|
@ -183,9 +183,9 @@ mod tests {
|
|||
#[test]
|
||||
fn test_scim_index() {
|
||||
let vs: ValueSet = ValueSetIndex::new(IndexType::Equality);
|
||||
crate::valueset::scim_json_reflexive(vs.clone(), r#"["EQUALITY"]"#);
|
||||
crate::valueset::scim_json_reflexive(&vs, r#"["EQUALITY"]"#);
|
||||
|
||||
// Test that we can parse json values into a valueset.
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetIndex>(vs, &[])
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetIndex>(&vs, &[])
|
||||
}
|
||||
}
|
||||
|
|
|
@ -227,9 +227,9 @@ mod tests {
|
|||
#[test]
|
||||
fn test_scim_iutf8() {
|
||||
let vs: ValueSet = ValueSetIutf8::new("lowercase string");
|
||||
crate::valueset::scim_json_reflexive(vs.clone(), r#""lowercase string""#);
|
||||
crate::valueset::scim_json_reflexive(&vs, r#""lowercase string""#);
|
||||
|
||||
// Test that we can parse json values into a valueset.
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetIutf8>(vs, &[])
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetIutf8>(&vs, &[])
|
||||
}
|
||||
}
|
||||
|
|
|
@ -205,9 +205,9 @@ mod tests {
|
|||
"{\"pres\":\"class\"}"
|
||||
]
|
||||
"#;
|
||||
crate::valueset::scim_json_reflexive(vs.clone(), data);
|
||||
crate::valueset::scim_json_reflexive(&vs, data);
|
||||
|
||||
// Test that we can parse json values into a valueset.
|
||||
// crate::valueset::scim_json_put_reflexive::<ValueSetJsonFilter>(vs, &[])
|
||||
// crate::valueset::scim_json_put_reflexive::<ValueSetJsonFilter>(&vs, &[])
|
||||
}
|
||||
}
|
||||
|
|
|
@ -649,6 +649,6 @@ mod tests {
|
|||
}
|
||||
]
|
||||
"#;
|
||||
crate::valueset::scim_json_reflexive(vs, data);
|
||||
crate::valueset::scim_json_reflexive(&vs, data);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -995,7 +995,7 @@ pub fn from_db_valueset_v2(dbvs: DbValueSetV2) -> Result<ValueSet, OperationErro
|
|||
}
|
||||
|
||||
#[cfg(test)]
|
||||
pub(crate) fn scim_json_reflexive(vs: ValueSet, data: &str) {
|
||||
pub(crate) fn scim_json_reflexive(vs: &ValueSet, data: &str) {
|
||||
let scim_value = vs.to_scim_value().unwrap().assume_resolved();
|
||||
|
||||
let strout = serde_json::to_string_pretty(&scim_value).unwrap();
|
||||
|
@ -1012,25 +1012,27 @@ pub(crate) fn scim_json_reflexive(vs: ValueSet, data: &str) {
|
|||
#[cfg(test)]
|
||||
pub(crate) fn scim_json_reflexive_unresolved(
|
||||
write_txn: &mut QueryServerWriteTransaction,
|
||||
vs: ValueSet,
|
||||
vs: &ValueSet,
|
||||
data: &str,
|
||||
) {
|
||||
let scim_int_value = vs.to_scim_value().unwrap().assume_unresolved();
|
||||
let scim_value = write_txn.resolve_scim_interim(scim_int_value).unwrap();
|
||||
|
||||
let strout = serde_json::to_string_pretty(&scim_value).unwrap();
|
||||
let strout = serde_json::to_string_pretty(&scim_value).expect("Failed to serialize");
|
||||
eprintln!("{}", strout);
|
||||
|
||||
let json_value: serde_json::Value = serde_json::to_value(&scim_value).unwrap();
|
||||
let json_value: serde_json::Value =
|
||||
serde_json::to_value(&scim_value).expect("Failed to convert to JSON");
|
||||
|
||||
let expect: serde_json::Value = serde_json::from_str(data).unwrap();
|
||||
let expect: serde_json::Value =
|
||||
serde_json::from_str(data).expect("Failed to parse expected JSON");
|
||||
|
||||
assert_eq!(json_value, expect);
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
pub(crate) fn scim_json_put_reflexive<T: ValueSetScimPut>(
|
||||
expect_vs: ValueSet,
|
||||
expect_vs: &ValueSet,
|
||||
additional_tests: &[(JsonValue, ValueSet)],
|
||||
) {
|
||||
let scim_value = expect_vs.to_scim_value().unwrap().assume_resolved();
|
||||
|
@ -1041,7 +1043,7 @@ pub(crate) fn scim_json_put_reflexive<T: ValueSetScimPut>(
|
|||
let generic = serde_json::to_value(scim_value).unwrap();
|
||||
// Check that we can turn back into a vs from the generic version.
|
||||
let vs = T::from_scim_json_put(generic).unwrap().assume_resolved();
|
||||
assert_eq!(&vs, &expect_vs);
|
||||
assert_eq!(&vs, expect_vs);
|
||||
|
||||
// For each additional check, assert they work as expected.
|
||||
for (jv, expect_vs) in additional_tests {
|
||||
|
@ -1053,7 +1055,7 @@ pub(crate) fn scim_json_put_reflexive<T: ValueSetScimPut>(
|
|||
#[cfg(test)]
|
||||
pub(crate) fn scim_json_put_reflexive_unresolved<T: ValueSetScimPut>(
|
||||
write_txn: &mut QueryServerWriteTransaction,
|
||||
expect_vs: ValueSet,
|
||||
expect_vs: &ValueSet,
|
||||
additional_tests: &[(JsonValue, ValueSet)],
|
||||
) {
|
||||
let scim_int_value = expect_vs.to_scim_value().unwrap().assume_unresolved();
|
||||
|
@ -1063,7 +1065,7 @@ pub(crate) fn scim_json_put_reflexive_unresolved<T: ValueSetScimPut>(
|
|||
// Check that we can turn back into a vs from the generic version.
|
||||
let vs_inter = T::from_scim_json_put(generic).unwrap().assume_unresolved();
|
||||
let vs = write_txn.resolve_valueset_intermediate(vs_inter).unwrap();
|
||||
assert_eq!(&vs, &expect_vs);
|
||||
assert_eq!(&vs, expect_vs);
|
||||
|
||||
// For each additional check, assert they work as expected.
|
||||
for (jv, expect_vs) in additional_tests {
|
||||
|
|
|
@ -189,12 +189,9 @@ mod tests {
|
|||
fn test_scim_nsuniqueid() {
|
||||
let vs: ValueSet =
|
||||
ValueSetNsUniqueId::new("3a163ca0-47624620-a18806b7-50c84c86".to_string());
|
||||
crate::valueset::scim_json_reflexive(
|
||||
vs.clone(),
|
||||
r#""3a163ca0-47624620-a18806b7-50c84c86""#,
|
||||
);
|
||||
crate::valueset::scim_json_reflexive(&vs, r#""3a163ca0-47624620-a18806b7-50c84c86""#);
|
||||
|
||||
// Test that we can parse json values into a valueset.
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetNsUniqueId>(vs, &[])
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetNsUniqueId>(&vs, &[])
|
||||
}
|
||||
}
|
||||
|
|
|
@ -898,10 +898,10 @@ mod tests {
|
|||
fn test_scim_oauth2_scope() {
|
||||
let vs: ValueSet = ValueSetOauthScope::new("fully_sick_scope_m8".to_string());
|
||||
let data = r#"["fully_sick_scope_m8"]"#;
|
||||
crate::valueset::scim_json_reflexive(vs.clone(), data);
|
||||
crate::valueset::scim_json_reflexive(&vs, data);
|
||||
|
||||
// Test that we can parse json values into a valueset.
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetOauthScope>(vs, &[])
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetOauthScope>(&vs, &[])
|
||||
}
|
||||
|
||||
#[qs_test]
|
||||
|
@ -930,12 +930,12 @@ mod tests {
|
|||
}
|
||||
]
|
||||
"#;
|
||||
crate::valueset::scim_json_reflexive_unresolved(&mut write_txn, vs.clone(), data);
|
||||
crate::valueset::scim_json_reflexive_unresolved(&mut write_txn, &vs, data);
|
||||
|
||||
// Test that we can parse json values into a valueset.
|
||||
crate::valueset::scim_json_put_reflexive_unresolved::<ValueSetOauthScopeMap>(
|
||||
&mut write_txn,
|
||||
vs,
|
||||
&vs,
|
||||
&[],
|
||||
);
|
||||
|
||||
|
@ -970,12 +970,12 @@ mod tests {
|
|||
}
|
||||
]
|
||||
"#;
|
||||
crate::valueset::scim_json_reflexive_unresolved(&mut write_txn, vs.clone(), data);
|
||||
crate::valueset::scim_json_reflexive_unresolved(&mut write_txn, &vs, data);
|
||||
|
||||
// Test that we can parse json values into a valueset.
|
||||
crate::valueset::scim_json_put_reflexive_unresolved::<ValueSetOauthClaimMap>(
|
||||
&mut write_txn,
|
||||
vs,
|
||||
&vs,
|
||||
&[],
|
||||
);
|
||||
|
||||
|
|
|
@ -205,6 +205,6 @@ mod tests {
|
|||
#[test]
|
||||
fn test_scim_restricted() {
|
||||
let vs: ValueSet = ValueSetRestricted::new("Test".to_string());
|
||||
crate::valueset::scim_json_reflexive(vs, r#""Test""#);
|
||||
crate::valueset::scim_json_reflexive(&vs, r#""Test""#);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1920,7 +1920,7 @@ mod tests {
|
|||
}
|
||||
]
|
||||
"#;
|
||||
crate::valueset::scim_json_reflexive(vs, data);
|
||||
crate::valueset::scim_json_reflexive(&vs, data);
|
||||
}
|
||||
|
||||
#[test]
|
||||
|
@ -1948,6 +1948,6 @@ mod tests {
|
|||
]
|
||||
"#;
|
||||
|
||||
crate::valueset::scim_json_reflexive(vs, data);
|
||||
crate::valueset::scim_json_reflexive(&vs, data);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -188,6 +188,6 @@ mod tests {
|
|||
#[test]
|
||||
fn test_scim_spn() {
|
||||
let vs: ValueSet = ValueSetSpn::new(("claire".to_string(), "example.com".to_string()));
|
||||
crate::valueset::scim_json_reflexive(vs, r#""claire@example.com""#);
|
||||
crate::valueset::scim_json_reflexive(&vs, r#""claire@example.com""#);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -247,9 +247,9 @@ mod tests {
|
|||
}
|
||||
]
|
||||
"#;
|
||||
crate::valueset::scim_json_reflexive(vs.clone(), data);
|
||||
crate::valueset::scim_json_reflexive(&vs, data);
|
||||
|
||||
// Test that we can parse json values into a valueset.
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetSshKey>(vs, &[])
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetSshKey>(&vs, &[])
|
||||
}
|
||||
}
|
||||
|
|
|
@ -188,9 +188,9 @@ mod tests {
|
|||
#[test]
|
||||
fn test_scim_syntax() {
|
||||
let vs: ValueSet = ValueSetSyntax::new(SyntaxType::Uuid);
|
||||
crate::valueset::scim_json_reflexive(vs.clone(), r#""UUID""#);
|
||||
crate::valueset::scim_json_reflexive(&vs, r#""UUID""#);
|
||||
|
||||
// Test that we can parse json values into a valueset.
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetSyntax>(vs, &[])
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetSyntax>(&vs, &[])
|
||||
}
|
||||
}
|
||||
|
|
|
@ -163,9 +163,9 @@ mod tests {
|
|||
#[test]
|
||||
fn test_scim_uihint() {
|
||||
let vs: ValueSet = ValueSetUiHint::new(UiHint::PosixAccount);
|
||||
crate::valueset::scim_json_reflexive(vs.clone(), r#"["posixaccount"]"#);
|
||||
crate::valueset::scim_json_reflexive(&vs, r#"["posixaccount"]"#);
|
||||
|
||||
// Test that we can parse json values into a valueset.
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetUiHint>(vs, &[])
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetUiHint>(&vs, &[])
|
||||
}
|
||||
}
|
||||
|
|
|
@ -196,9 +196,9 @@ mod tests {
|
|||
#[test]
|
||||
fn test_scim_uint32() {
|
||||
let vs: ValueSet = ValueSetUint32::new(69);
|
||||
crate::valueset::scim_json_reflexive(vs.clone(), "69");
|
||||
crate::valueset::scim_json_reflexive(&vs, "69");
|
||||
|
||||
// Test that we can parse json values into a valueset.
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetUint32>(vs, &[])
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetUint32>(&vs, &[])
|
||||
}
|
||||
}
|
||||
|
|
|
@ -183,9 +183,9 @@ mod tests {
|
|||
fn test_scim_url() {
|
||||
let u = Url::parse("https://idm.example.com").unwrap();
|
||||
let vs: ValueSet = ValueSetUrl::new(u);
|
||||
crate::valueset::scim_json_reflexive(vs.clone(), r#""https://idm.example.com/""#);
|
||||
crate::valueset::scim_json_reflexive(&vs, r#""https://idm.example.com/""#);
|
||||
|
||||
// Test that we can parse json values into a valueset.
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetUrl>(vs, &[])
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetUrl>(&vs, &[])
|
||||
}
|
||||
}
|
||||
|
|
|
@ -246,9 +246,9 @@ mod tests {
|
|||
fn test_scim_utf8() {
|
||||
let vs: ValueSet = ValueSetUtf8::new("Test".to_string());
|
||||
// Test that the output json matches some known str
|
||||
crate::valueset::scim_json_reflexive(vs.clone(), r#""Test""#);
|
||||
crate::valueset::scim_json_reflexive(&vs, r#""Test""#);
|
||||
|
||||
// Test that we can parse json values into a valueset.
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetUtf8>(vs, &[])
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetUtf8>(&vs, &[])
|
||||
}
|
||||
}
|
||||
|
|
|
@ -422,10 +422,10 @@ mod tests {
|
|||
|
||||
let data = r#""4d21d04a-dc0e-42eb-b850-34dd180b107f""#;
|
||||
|
||||
crate::valueset::scim_json_reflexive(vs.clone(), data);
|
||||
crate::valueset::scim_json_reflexive(&vs, data);
|
||||
|
||||
// Test that we can parse json values into a valueset.
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetUuid>(vs, &[])
|
||||
crate::valueset::scim_json_put_reflexive::<ValueSetUuid>(&vs, &[])
|
||||
}
|
||||
|
||||
#[qs_test]
|
||||
|
@ -449,12 +449,12 @@ mod tests {
|
|||
|
||||
let data = r#"[{"uuid": "4d21d04a-dc0e-42eb-b850-34dd180b107f", "value": "testperson1@example.com"}]"#;
|
||||
|
||||
crate::valueset::scim_json_reflexive_unresolved(&mut write_txn, vs.clone(), data);
|
||||
crate::valueset::scim_json_reflexive_unresolved(&mut write_txn, &vs, data);
|
||||
|
||||
// Test that we can parse json values into a valueset.
|
||||
crate::valueset::scim_json_put_reflexive_unresolved::<ValueSetRefer>(
|
||||
&mut write_txn,
|
||||
vs,
|
||||
&vs,
|
||||
&[],
|
||||
);
|
||||
|
||||
|
|
|
@ -10,16 +10,17 @@ const ALLOWED_ATTRIBUTES: &[&str] = &[
|
|||
"threads",
|
||||
"db_path",
|
||||
"maximum_request",
|
||||
"trust_x_forward_for",
|
||||
"http_client_address_info",
|
||||
"role",
|
||||
"output_mode",
|
||||
"log_level",
|
||||
"ldap",
|
||||
"with_test_env",
|
||||
];
|
||||
|
||||
#[derive(Default)]
|
||||
struct Flags {
|
||||
ldap: bool,
|
||||
target_wants_test_env: bool,
|
||||
}
|
||||
|
||||
fn parse_attributes(
|
||||
|
@ -60,8 +61,11 @@ fn parse_attributes(
|
|||
.unwrap_or_default()
|
||||
.as_str()
|
||||
{
|
||||
"with_test_env" => {
|
||||
flags.target_wants_test_env = true;
|
||||
}
|
||||
"ldap" => {
|
||||
flags.ldap = true;
|
||||
flags.target_wants_test_env = true;
|
||||
field_modifications.extend(quote! {
|
||||
ldapbindaddress: Some("on".to_string()),})
|
||||
}
|
||||
|
@ -134,7 +138,7 @@ pub(crate) fn test(args: TokenStream, item: TokenStream) -> TokenStream {
|
|||
#[::core::prelude::v1::test]
|
||||
};
|
||||
|
||||
let test_fn_args = if flags.ldap {
|
||||
let test_fn_args = if flags.target_wants_test_env {
|
||||
quote! {
|
||||
&test_env
|
||||
}
|
||||
|
|
|
@ -44,7 +44,7 @@ pub fn cli_kanidm(_input: TokenStream) -> TokenStream {
|
|||
.run()
|
||||
.unwrap();
|
||||
let mut kanidm = kanidm.command();
|
||||
kanidm.env("KANIDM_URL", &rsclient.get_url().to_string());
|
||||
kanidm.env("KANIDM_URL", rsclient.get_url().to_string());
|
||||
kanidm.env("KANIDM_TOKEN_CACHE_PATH", &token_cache_path);
|
||||
kanidm
|
||||
}
|
||||
|
|
|
@ -53,6 +53,10 @@ escargot = "0.5.13"
|
|||
# used for webdriver testing
|
||||
fantoccini = { version = "0.21.5" }
|
||||
futures = { workspace = true }
|
||||
hex = { workspace = true }
|
||||
hyper = { workspace = true }
|
||||
http-body-util = { workspace = true }
|
||||
hyper-util = { workspace = true }
|
||||
ldap3_client = { workspace = true }
|
||||
oauth2_ext = { workspace = true, default-features = false, features = [
|
||||
"reqwest",
|
||||
|
|
|
@ -15,7 +15,7 @@ use kanidm_proto::internal::{Filter, Modify, ModifyList};
|
|||
use kanidmd_core::config::{Configuration, IntegrationTestConfig};
|
||||
use kanidmd_core::{create_server_core, CoreHandle};
|
||||
use kanidmd_lib::prelude::{Attribute, NAME_SYSTEM_ADMINS};
|
||||
use std::net::TcpStream;
|
||||
use std::net::{IpAddr, Ipv4Addr, SocketAddr, TcpStream};
|
||||
use std::sync::atomic::{AtomicU16, Ordering};
|
||||
use tokio::task;
|
||||
use tracing::error;
|
||||
|
@ -64,6 +64,7 @@ fn port_loop() -> u16 {
|
|||
|
||||
pub struct AsyncTestEnvironment {
|
||||
pub rsclient: KanidmClient,
|
||||
pub http_sock_addr: SocketAddr,
|
||||
pub core_handle: CoreHandle,
|
||||
pub ldap_url: Option<Url>,
|
||||
}
|
||||
|
@ -86,8 +87,9 @@ pub async fn setup_async_test(mut config: Configuration) -> AsyncTestEnvironment
|
|||
|
||||
let ldap_url = if config.ldapbindaddress.is_some() {
|
||||
let ldapport = port_loop();
|
||||
config.ldapbindaddress = Some(format!("127.0.0.1:{}", ldapport));
|
||||
Url::parse(&format!("ldap://127.0.0.1:{}", ldapport))
|
||||
let ldap_sock_addr = SocketAddr::new(IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)), ldapport);
|
||||
config.ldapbindaddress = Some(ldap_sock_addr.to_string());
|
||||
Url::parse(&format!("ldap://{}", ldap_sock_addr))
|
||||
.inspect_err(|err| error!(?err, "ldap address setup"))
|
||||
.ok()
|
||||
} else {
|
||||
|
@ -95,7 +97,9 @@ pub async fn setup_async_test(mut config: Configuration) -> AsyncTestEnvironment
|
|||
};
|
||||
|
||||
// Setup the address and origin..
|
||||
config.address = format!("127.0.0.1:{}", port);
|
||||
let http_sock_addr = SocketAddr::new(IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)), port);
|
||||
|
||||
config.address = http_sock_addr.to_string();
|
||||
config.integration_test_config = Some(int_config);
|
||||
config.domain = "localhost".to_string();
|
||||
config.origin.clone_from(&addr);
|
||||
|
@ -123,6 +127,7 @@ pub async fn setup_async_test(mut config: Configuration) -> AsyncTestEnvironment
|
|||
|
||||
AsyncTestEnvironment {
|
||||
rsclient,
|
||||
http_sock_addr,
|
||||
core_handle,
|
||||
ldap_url,
|
||||
}
|
||||
|
|
|
@ -10,7 +10,7 @@ async fn test_v1_group_id_patch(rsclient: &KanidmClient) {
|
|||
.await;
|
||||
assert!(res.is_ok());
|
||||
|
||||
create_user(&rsclient, "foo", "foogroup").await;
|
||||
create_user(rsclient, "foo", "foogroup").await;
|
||||
|
||||
let post_body = serde_json::json!({"attrs": { ATTR_DESCRIPTION : ["Fancy group change"]}});
|
||||
|
||||
|
@ -31,7 +31,7 @@ async fn test_v1_group_id_attr_post(rsclient: &KanidmClient) {
|
|||
.await;
|
||||
assert!(res.is_ok());
|
||||
|
||||
create_user(&rsclient, "foo", "foogroup").await;
|
||||
create_user(rsclient, "foo", "foogroup").await;
|
||||
|
||||
let post_body = serde_json::json!(["foo"]);
|
||||
|
||||
|
|
|
@ -1,193 +0,0 @@
|
|||
use std::{
|
||||
net::{IpAddr, Ipv4Addr},
|
||||
str::FromStr,
|
||||
};
|
||||
|
||||
use kanidm_client::KanidmClient;
|
||||
use kanidm_proto::constants::X_FORWARDED_FOR;
|
||||
|
||||
const DEFAULT_IP_ADDRESS: IpAddr = IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1));
|
||||
|
||||
// *test where we don't trust the x-forwarded-for header
|
||||
|
||||
#[kanidmd_testkit::test(trust_x_forward_for = false)]
|
||||
async fn dont_trust_xff_send_header(rsclient: &KanidmClient) {
|
||||
let client = rsclient.client();
|
||||
|
||||
let res = client
|
||||
.get(rsclient.make_url("/v1/debug/ipinfo"))
|
||||
.header(
|
||||
X_FORWARDED_FOR,
|
||||
"An invalid header that will get through!!!",
|
||||
)
|
||||
.send()
|
||||
.await
|
||||
.unwrap();
|
||||
let ip_res: IpAddr = res
|
||||
.json()
|
||||
.await
|
||||
.expect("Failed to parse response as IpAddr");
|
||||
|
||||
assert_eq!(ip_res, DEFAULT_IP_ADDRESS);
|
||||
}
|
||||
|
||||
#[kanidmd_testkit::test(trust_x_forward_for = false)]
|
||||
async fn dont_trust_xff_dont_send_header(rsclient: &KanidmClient) {
|
||||
let client = rsclient.client();
|
||||
|
||||
let res = client
|
||||
.get(rsclient.make_url("/v1/debug/ipinfo"))
|
||||
.header(
|
||||
X_FORWARDED_FOR,
|
||||
"An invalid header that will get through!!!",
|
||||
)
|
||||
.send()
|
||||
.await
|
||||
.unwrap();
|
||||
let body = res.bytes().await.unwrap();
|
||||
let ip_res: IpAddr = serde_json::from_slice(&body).unwrap_or_else(|op| {
|
||||
panic!(
|
||||
"Failed to parse response as IpAddr: {:?} body: {:?}",
|
||||
op, body,
|
||||
)
|
||||
});
|
||||
eprintln!("Body: {:?}", body);
|
||||
assert_eq!(ip_res, DEFAULT_IP_ADDRESS);
|
||||
}
|
||||
|
||||
// *test where we trust the x-forwarded-for header
|
||||
|
||||
#[kanidmd_testkit::test(trust_x_forward_for = true)]
|
||||
async fn trust_xff_send_invalid_header_single_value(rsclient: &KanidmClient) {
|
||||
let client = rsclient.client();
|
||||
|
||||
let res = client
|
||||
.get(rsclient.make_url("/v1/debug/ipinfo"))
|
||||
.header(
|
||||
X_FORWARDED_FOR,
|
||||
"An invalid header that will get through!!!",
|
||||
)
|
||||
.send()
|
||||
.await
|
||||
.unwrap();
|
||||
|
||||
assert_eq!(res.status(), 400);
|
||||
}
|
||||
|
||||
// TODO: Right now we reject the request only if the leftmost address is invalid. In the future that could change so we could also have a test
|
||||
// with a valid leftmost address and an invalid address later in the list. Right now it wouldn't work.
|
||||
//
|
||||
#[kanidmd_testkit::test(trust_x_forward_for = true)]
|
||||
async fn trust_xff_send_invalid_header_multiple_values(rsclient: &KanidmClient) {
|
||||
let client = rsclient.client();
|
||||
|
||||
let res = client
|
||||
.get(rsclient.make_url("/v1/debug/ipinfo"))
|
||||
.header(
|
||||
X_FORWARDED_FOR,
|
||||
"203.0.113.195_noooo_my_ip_address, 2001:db8:85a3:8d3:1319:8a2e:370:7348",
|
||||
)
|
||||
.send()
|
||||
.await
|
||||
.unwrap();
|
||||
|
||||
assert_eq!(res.status(), 400);
|
||||
}
|
||||
|
||||
#[kanidmd_testkit::test(trust_x_forward_for = true)]
|
||||
async fn trust_xff_send_valid_header_single_ipv4_address(rsclient: &KanidmClient) {
|
||||
let ip_addr = "2001:db8:85a3:8d3:1319:8a2e:370:7348";
|
||||
|
||||
let client = rsclient.client();
|
||||
|
||||
let res = client
|
||||
.get(rsclient.make_url("/v1/debug/ipinfo"))
|
||||
.header(X_FORWARDED_FOR, ip_addr)
|
||||
.send()
|
||||
.await
|
||||
.unwrap();
|
||||
let ip_res: IpAddr = res
|
||||
.json()
|
||||
.await
|
||||
.expect("Failed to parse response as Vec<IpAddr>");
|
||||
|
||||
assert_eq!(ip_res, IpAddr::from_str(ip_addr).unwrap());
|
||||
}
|
||||
|
||||
#[kanidmd_testkit::test(trust_x_forward_for = true)]
|
||||
async fn trust_xff_send_valid_header_single_ipv6_address(rsclient: &KanidmClient) {
|
||||
let ip_addr = "203.0.113.195";
|
||||
|
||||
let client = rsclient.client();
|
||||
|
||||
let res = client
|
||||
.get(rsclient.make_url("/v1/debug/ipinfo"))
|
||||
.header(X_FORWARDED_FOR, ip_addr)
|
||||
.send()
|
||||
.await
|
||||
.unwrap();
|
||||
let ip_res: IpAddr = res
|
||||
.json()
|
||||
.await
|
||||
.expect("Failed to parse response as Vec<IpAddr>");
|
||||
|
||||
assert_eq!(ip_res, IpAddr::from_str(ip_addr).unwrap());
|
||||
}
|
||||
|
||||
#[kanidmd_testkit::test(trust_x_forward_for = true)]
|
||||
async fn trust_xff_send_valid_header_multiple_address(rsclient: &KanidmClient) {
|
||||
let first_ip_addr = "203.0.113.195, 2001:db8:85a3:8d3:1319:8a2e:370:7348";
|
||||
|
||||
let client = rsclient.client();
|
||||
|
||||
let res = client
|
||||
.get(rsclient.make_url("/v1/debug/ipinfo"))
|
||||
.header(X_FORWARDED_FOR, first_ip_addr)
|
||||
.send()
|
||||
.await
|
||||
.unwrap();
|
||||
let ip_res: IpAddr = res
|
||||
.json()
|
||||
.await
|
||||
.expect("Failed to parse response as Vec<IpAddr>");
|
||||
|
||||
assert_eq!(
|
||||
ip_res,
|
||||
IpAddr::from_str(first_ip_addr.split(",").collect::<Vec<&str>>()[0]).unwrap()
|
||||
);
|
||||
|
||||
let second_ip_addr = "2001:db8:85a3:8d3:1319:8a2e:370:7348, 198.51.100.178, 203.0.113.195";
|
||||
|
||||
let res = client
|
||||
.get(rsclient.make_url("/v1/debug/ipinfo"))
|
||||
.header(X_FORWARDED_FOR, second_ip_addr)
|
||||
.send()
|
||||
.await
|
||||
.unwrap();
|
||||
let ip_res: IpAddr = res
|
||||
.json()
|
||||
.await
|
||||
.expect("Failed to parse response as Vec<IpAddr>");
|
||||
|
||||
assert_eq!(
|
||||
ip_res,
|
||||
IpAddr::from_str(second_ip_addr.split(",").collect::<Vec<&str>>()[0]).unwrap()
|
||||
);
|
||||
}
|
||||
|
||||
#[kanidmd_testkit::test(trust_x_forward_for = true)]
|
||||
async fn trust_xff_dont_send_header(rsclient: &KanidmClient) {
|
||||
let client = rsclient.client();
|
||||
|
||||
let res = client
|
||||
.get(rsclient.make_url("/v1/debug/ipinfo"))
|
||||
.send()
|
||||
.await
|
||||
.unwrap();
|
||||
let ip_res: IpAddr = res
|
||||
.json()
|
||||
.await
|
||||
.expect("Failed to parse response as Vec<IpAddr>");
|
||||
|
||||
assert_eq!(ip_res, DEFAULT_IP_ADDRESS);
|
||||
}
|
|
@ -17,8 +17,8 @@ static USER_B_NAME: &str = "valid_user_b";
|
|||
#[kanidmd_testkit::test]
|
||||
async fn test_not_authenticated(rsclient: &KanidmClient) {
|
||||
// basically here we try a bit of all the possible combinations while unauthenticated to check it's not working
|
||||
setup_server(&rsclient).await;
|
||||
create_user(&rsclient, USER_A_NAME).await;
|
||||
setup_server(rsclient).await;
|
||||
create_user(rsclient, USER_A_NAME).await;
|
||||
let _ = rsclient.logout().await;
|
||||
let res = rsclient
|
||||
.idm_person_identify_user(USER_A_NAME, IdentifyUserRequest::Start)
|
||||
|
@ -47,11 +47,11 @@ async fn test_not_authenticated(rsclient: &KanidmClient) {
|
|||
|
||||
#[kanidmd_testkit::test]
|
||||
async fn test_non_existing_user_id(rsclient: &KanidmClient) {
|
||||
setup_server(&rsclient).await;
|
||||
create_user(&rsclient, USER_A_NAME).await;
|
||||
create_user(&rsclient, USER_B_NAME).await;
|
||||
setup_server(rsclient).await;
|
||||
create_user(rsclient, USER_A_NAME).await;
|
||||
create_user(rsclient, USER_B_NAME).await;
|
||||
let non_existing_user = "non_existing_user";
|
||||
login_with_user(&rsclient, USER_A_NAME).await;
|
||||
login_with_user(rsclient, USER_A_NAME).await;
|
||||
let res: Result<IdentifyUserResponse, kanidm_client::ClientError> = rsclient
|
||||
.idm_person_identify_user(non_existing_user, IdentifyUserRequest::Start)
|
||||
.await;
|
||||
|
@ -87,9 +87,9 @@ async fn test_non_existing_user_id(rsclient: &KanidmClient) {
|
|||
// Each tests is named like `test_{api input}_response_{expected api output}_or_{expected api output}`
|
||||
#[kanidmd_testkit::test]
|
||||
async fn test_start_response_identity_verification_available(rsclient: &KanidmClient) {
|
||||
setup_server(&rsclient).await;
|
||||
create_user(&rsclient, USER_A_NAME).await;
|
||||
login_with_user(&rsclient, USER_A_NAME).await;
|
||||
setup_server(rsclient).await;
|
||||
create_user(rsclient, USER_A_NAME).await;
|
||||
login_with_user(rsclient, USER_A_NAME).await;
|
||||
|
||||
let response = rsclient
|
||||
.idm_person_identify_user(USER_A_NAME, IdentifyUserRequest::Start)
|
||||
|
@ -106,10 +106,10 @@ async fn test_start_response_identity_verification_available(rsclient: &KanidmCl
|
|||
// `Start`, that is WaitForCode or ProvideCode
|
||||
#[kanidmd_testkit::test]
|
||||
async fn test_start_response_wait_for_code_or_provide_code(rsclient: &KanidmClient) {
|
||||
setup_server(&rsclient).await;
|
||||
let user_a_uuid = create_user(&rsclient, USER_A_NAME).await;
|
||||
let user_b_uuid = create_user(&rsclient, USER_B_NAME).await;
|
||||
login_with_user(&rsclient, USER_A_NAME).await;
|
||||
setup_server(rsclient).await;
|
||||
let user_a_uuid = create_user(rsclient, USER_A_NAME).await;
|
||||
let user_b_uuid = create_user(rsclient, USER_B_NAME).await;
|
||||
login_with_user(rsclient, USER_A_NAME).await;
|
||||
let response = rsclient
|
||||
.idm_person_identify_user(USER_B_NAME, IdentifyUserRequest::Start)
|
||||
.await;
|
||||
|
@ -130,10 +130,10 @@ async fn test_start_response_wait_for_code_or_provide_code(rsclient: &KanidmClie
|
|||
|
||||
#[kanidmd_testkit::test]
|
||||
async fn test_provide_code_response_code_failure_or_provide_code(rsclient: &KanidmClient) {
|
||||
setup_server(&rsclient).await;
|
||||
let user_a_uuid = create_user(&rsclient, USER_A_NAME).await;
|
||||
let user_b_uuid = create_user(&rsclient, USER_B_NAME).await;
|
||||
login_with_user(&rsclient, USER_A_NAME).await;
|
||||
setup_server(rsclient).await;
|
||||
let user_a_uuid = create_user(rsclient, USER_A_NAME).await;
|
||||
let user_b_uuid = create_user(rsclient, USER_B_NAME).await;
|
||||
login_with_user(rsclient, USER_A_NAME).await;
|
||||
let response = rsclient
|
||||
.idm_person_identify_user(
|
||||
USER_B_NAME,
|
||||
|
@ -158,12 +158,12 @@ async fn test_provide_code_response_code_failure_or_provide_code(rsclient: &Kani
|
|||
// here we actually test the full idm flow by duplicating the server
|
||||
#[kanidmd_testkit::test]
|
||||
async fn test_full_identification_flow(rsclient: &KanidmClient) {
|
||||
setup_server(&rsclient).await;
|
||||
let user_a_uuid = create_user(&rsclient, USER_A_NAME).await;
|
||||
let user_b_uuid = create_user(&rsclient, USER_B_NAME).await;
|
||||
setup_server(rsclient).await;
|
||||
let user_a_uuid = create_user(rsclient, USER_A_NAME).await;
|
||||
let user_b_uuid = create_user(rsclient, USER_B_NAME).await;
|
||||
//user A session
|
||||
let valid_user_a_client = rsclient;
|
||||
login_with_user(&valid_user_a_client, USER_A_NAME).await;
|
||||
login_with_user(valid_user_a_client, USER_A_NAME).await;
|
||||
//user B session
|
||||
let valid_user_b_client = valid_user_a_client.new_session().unwrap();
|
||||
login_with_user(&valid_user_b_client, USER_B_NAME).await;
|
||||
|
|
|
@ -76,10 +76,10 @@ async fn test_webdriver_user_login(rsclient: &KanidmClient) {
|
|||
use fantoccini::Locator;
|
||||
use kanidmd_testkit::*;
|
||||
use std::time::Duration;
|
||||
login_put_admin_idm_admins(&rsclient).await;
|
||||
login_put_admin_idm_admins(rsclient).await;
|
||||
|
||||
create_user_with_all_attrs(
|
||||
&rsclient,
|
||||
rsclient,
|
||||
NOT_ADMIN_TEST_USERNAME,
|
||||
Some(NOT_ADMIN_TEST_PASSWORD),
|
||||
)
|
||||
|
@ -89,7 +89,7 @@ async fn test_webdriver_user_login(rsclient: &KanidmClient) {
|
|||
|
||||
handle_error!(
|
||||
c,
|
||||
c.goto(&rsclient.get_url().to_string()).await,
|
||||
c.goto(rsclient.get_url().to_string()).await,
|
||||
"Couldn't get URL"
|
||||
);
|
||||
|
||||
|
@ -207,7 +207,7 @@ async fn test_webdriver_user_login(rsclient: &KanidmClient) {
|
|||
|
||||
#[kanidmd_testkit::test]
|
||||
async fn test_domain_reset_token_key(rsclient: &KanidmClient) {
|
||||
login_put_admin_idm_admins(&rsclient).await;
|
||||
login_put_admin_idm_admins(rsclient).await;
|
||||
|
||||
let token = rsclient.get_token().await.expect("No bearer token present");
|
||||
|
||||
|
@ -220,7 +220,7 @@ async fn test_domain_reset_token_key(rsclient: &KanidmClient) {
|
|||
|
||||
#[kanidmd_testkit::test]
|
||||
async fn test_idm_domain_set_ldap_basedn(rsclient: &KanidmClient) {
|
||||
login_put_admin_idm_admins(&rsclient).await;
|
||||
login_put_admin_idm_admins(rsclient).await;
|
||||
assert!(rsclient
|
||||
.idm_domain_set_ldap_basedn("dc=krabsarekool,dc=example,dc=com")
|
||||
.await
|
||||
|
@ -233,7 +233,7 @@ async fn test_idm_domain_set_ldap_basedn(rsclient: &KanidmClient) {
|
|||
|
||||
#[kanidmd_testkit::test]
|
||||
async fn test_idm_domain_set_ldap_max_queryable_attrs(rsclient: &KanidmClient) {
|
||||
login_put_admin_idm_admins(&rsclient).await;
|
||||
login_put_admin_idm_admins(rsclient).await;
|
||||
assert!(rsclient
|
||||
.idm_domain_set_ldap_max_queryable_attrs(20)
|
||||
.await
|
||||
|
@ -247,7 +247,7 @@ async fn test_idm_domain_set_ldap_max_queryable_attrs(rsclient: &KanidmClient) {
|
|||
#[kanidmd_testkit::test]
|
||||
/// Checks that a built-in group idm_all_persons has the "builtin" class as expected.
|
||||
async fn test_all_persons_has_builtin_class(rsclient: &KanidmClient) {
|
||||
login_put_admin_idm_admins(&rsclient).await;
|
||||
login_put_admin_idm_admins(rsclient).await;
|
||||
let res = rsclient
|
||||
.idm_group_get("idm_all_persons")
|
||||
.await
|
||||
|
@ -306,7 +306,7 @@ async fn test_all_persons_has_builtin_class(rsclient: &KanidmClient) {
|
|||
/// Testing the CLI doing things.
|
||||
async fn test_integration_with_assert_cmd(rsclient: KanidmClient) {
|
||||
// setup the admin things
|
||||
login_put_admin_idm_admins(&rsclient).await;
|
||||
login_put_admin_idm_admins(rsclient).await;
|
||||
|
||||
rsclient
|
||||
.idm_person_account_primary_credential_set_password(
|
||||
|
@ -334,13 +334,13 @@ async fn test_integration_with_assert_cmd(rsclient: KanidmClient) {
|
|||
assert!(anon_whoami.status.success());
|
||||
println!("Output: {:?}", anon_whoami);
|
||||
|
||||
test_cmd_admin(&token_cache_path, &rsclient, "login -D admin");
|
||||
test_cmd_admin(&token_cache_path, rsclient, "login -D admin");
|
||||
|
||||
// login as idm_admin
|
||||
test_cmd_idm_admin(&token_cache_path, &rsclient, "login -D idm_admin");
|
||||
test_cmd_idm_admin(&token_cache_path, rsclient, "login -D idm_admin");
|
||||
test_cmd_admin_split(
|
||||
&token_cache_path,
|
||||
&rsclient,
|
||||
rsclient,
|
||||
&[
|
||||
"service-account",
|
||||
"create",
|
||||
|
@ -355,13 +355,13 @@ async fn test_integration_with_assert_cmd(rsclient: KanidmClient) {
|
|||
|
||||
test_cmd_admin(
|
||||
&token_cache_path,
|
||||
&rsclient,
|
||||
rsclient,
|
||||
&format!("service-account get -D admin {}", NOT_ADMIN_TEST_USERNAME),
|
||||
);
|
||||
// updating the display name
|
||||
test_cmd_admin(
|
||||
&token_cache_path,
|
||||
&rsclient,
|
||||
rsclient,
|
||||
&format!(
|
||||
"service-account update -D admin {} --displayname cheeseballs",
|
||||
NOT_ADMIN_TEST_USERNAME
|
||||
|
@ -370,7 +370,7 @@ async fn test_integration_with_assert_cmd(rsclient: KanidmClient) {
|
|||
// updating the email
|
||||
test_cmd_admin(
|
||||
&token_cache_path,
|
||||
&rsclient,
|
||||
rsclient,
|
||||
&format!(
|
||||
"service-account update -D admin {} --mail foo@bar.com",
|
||||
NOT_ADMIN_TEST_USERNAME
|
||||
|
@ -380,7 +380,7 @@ async fn test_integration_with_assert_cmd(rsclient: KanidmClient) {
|
|||
// checking the email was changed
|
||||
let sad = test_cmd_admin(
|
||||
&token_cache_path,
|
||||
&rsclient,
|
||||
rsclient,
|
||||
&format!(
|
||||
"service-account get -D admin -o json {}",
|
||||
NOT_ADMIN_TEST_USERNAME
|
||||
|
|
324
server/testkit/tests/testkit/ip_addr_extractors.rs
Normal file
324
server/testkit/tests/testkit/ip_addr_extractors.rs
Normal file
|
@ -0,0 +1,324 @@
|
|||
use kanidm_client::KanidmClient;
|
||||
use kanidm_proto::constants::X_FORWARDED_FOR;
|
||||
use kanidmd_core::config::HttpAddressInfo;
|
||||
use kanidmd_testkit::AsyncTestEnvironment;
|
||||
use std::{
|
||||
net::{IpAddr, Ipv4Addr, SocketAddr},
|
||||
str::FromStr,
|
||||
};
|
||||
use tracing::error;
|
||||
|
||||
const DEFAULT_IP_ADDRESS: IpAddr = IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1));
|
||||
|
||||
// =====================================================
|
||||
// *test where we don't trust the x-forwarded-for header
|
||||
|
||||
#[kanidmd_testkit::test(http_client_address_info = HttpAddressInfo::None)]
|
||||
async fn dont_trust_xff_send_header(rsclient: &KanidmClient) {
|
||||
let client = rsclient.client();
|
||||
|
||||
// Send an invalid header to x forwdr for
|
||||
let res = client
|
||||
.get(rsclient.make_url("/v1/debug/ipinfo"))
|
||||
.header(X_FORWARDED_FOR, "a.b.c.d")
|
||||
.send()
|
||||
.await
|
||||
.unwrap();
|
||||
|
||||
let ip_res: IpAddr = res
|
||||
.json()
|
||||
.await
|
||||
.expect("Failed to parse response as IpAddr");
|
||||
|
||||
assert_eq!(ip_res, DEFAULT_IP_ADDRESS);
|
||||
|
||||
// Send a valid header for xforward for, but we don't trust it.
|
||||
let res = client
|
||||
.get(rsclient.make_url("/v1/debug/ipinfo"))
|
||||
.header(X_FORWARDED_FOR, "203.0.113.195")
|
||||
.send()
|
||||
.await
|
||||
.unwrap();
|
||||
|
||||
let ip_res: IpAddr = res
|
||||
.json()
|
||||
.await
|
||||
.expect("Failed to parse response as IpAddr");
|
||||
|
||||
assert_eq!(ip_res, DEFAULT_IP_ADDRESS);
|
||||
}
|
||||
|
||||
// =====================================================
|
||||
// *test where we do trust the x-forwarded-for header
|
||||
|
||||
#[kanidmd_testkit::test(http_client_address_info = HttpAddressInfo::XForwardFor ( [DEFAULT_IP_ADDRESS].into() ))]
|
||||
async fn trust_xff_address_set(rsclient: &KanidmClient) {
|
||||
inner_test_trust_xff(rsclient).await;
|
||||
}
|
||||
|
||||
#[kanidmd_testkit::test(http_client_address_info = HttpAddressInfo::XForwardForAllSourcesTrusted)]
|
||||
async fn trust_xff_all_addresses_trusted(rsclient: &KanidmClient) {
|
||||
inner_test_trust_xff(rsclient).await;
|
||||
}
|
||||
|
||||
async fn inner_test_trust_xff(rsclient: &KanidmClient) {
|
||||
let client = rsclient.client();
|
||||
|
||||
// An invalid address.
|
||||
let res = client
|
||||
.get(rsclient.make_url("/v1/debug/ipinfo"))
|
||||
.header(X_FORWARDED_FOR, "a.b.c.d")
|
||||
.send()
|
||||
.await
|
||||
.unwrap();
|
||||
|
||||
// Header was invalid
|
||||
assert_eq!(res.status(), 400);
|
||||
|
||||
// An invalid address - what follows doesn't matter, even if it was valid. We only
|
||||
// care about the left most address anyway.
|
||||
let res = client
|
||||
.get(rsclient.make_url("/v1/debug/ipinfo"))
|
||||
.header(
|
||||
X_FORWARDED_FOR,
|
||||
"203.0.113.195_noooo_my_ip_address, 2001:db8:85a3:8d3:1319:8a2e:370:7348",
|
||||
)
|
||||
.send()
|
||||
.await
|
||||
.unwrap();
|
||||
|
||||
assert_eq!(res.status(), 400);
|
||||
|
||||
// A valid ipv6 address was provided.
|
||||
let ip_addr = "2001:db8:85a3:8d3:1319:8a2e:370:7348";
|
||||
|
||||
let res = client
|
||||
.get(rsclient.make_url("/v1/debug/ipinfo"))
|
||||
.header(X_FORWARDED_FOR, ip_addr)
|
||||
.send()
|
||||
.await
|
||||
.unwrap();
|
||||
let ip_res: IpAddr = res
|
||||
.json()
|
||||
.await
|
||||
.expect("Failed to parse response as Vec<IpAddr>");
|
||||
|
||||
assert_eq!(ip_res, IpAddr::from_str(ip_addr).unwrap());
|
||||
|
||||
// A valid ipv4 address was provided.
|
||||
let ip_addr = "203.0.113.195";
|
||||
|
||||
let client = rsclient.client();
|
||||
|
||||
let res = client
|
||||
.get(rsclient.make_url("/v1/debug/ipinfo"))
|
||||
.header(X_FORWARDED_FOR, ip_addr)
|
||||
.send()
|
||||
.await
|
||||
.unwrap();
|
||||
let ip_res: IpAddr = res
|
||||
.json()
|
||||
.await
|
||||
.expect("Failed to parse response as Vec<IpAddr>");
|
||||
|
||||
assert_eq!(ip_res, IpAddr::from_str(ip_addr).unwrap());
|
||||
|
||||
// A valid ipv4 address in the leftmost field.
|
||||
let first_ip_addr = "203.0.113.195, 2001:db8:85a3:8d3:1319:8a2e:370:7348";
|
||||
|
||||
let res = client
|
||||
.get(rsclient.make_url("/v1/debug/ipinfo"))
|
||||
.header(X_FORWARDED_FOR, first_ip_addr)
|
||||
.send()
|
||||
.await
|
||||
.unwrap();
|
||||
let ip_res: IpAddr = res
|
||||
.json()
|
||||
.await
|
||||
.expect("Failed to parse response as Vec<IpAddr>");
|
||||
|
||||
assert_eq!(
|
||||
ip_res,
|
||||
IpAddr::from_str(first_ip_addr.split(",").collect::<Vec<&str>>()[0]).unwrap()
|
||||
);
|
||||
|
||||
// A valid ipv6 address in the left most field.
|
||||
let second_ip_addr = "2001:db8:85a3:8d3:1319:8a2e:370:7348, 198.51.100.178, 203.0.113.195";
|
||||
|
||||
let res = client
|
||||
.get(rsclient.make_url("/v1/debug/ipinfo"))
|
||||
.header(X_FORWARDED_FOR, second_ip_addr)
|
||||
.send()
|
||||
.await
|
||||
.unwrap();
|
||||
let ip_res: IpAddr = res
|
||||
.json()
|
||||
.await
|
||||
.expect("Failed to parse response as Vec<IpAddr>");
|
||||
|
||||
assert_eq!(
|
||||
ip_res,
|
||||
IpAddr::from_str(second_ip_addr.split(",").collect::<Vec<&str>>()[0]).unwrap()
|
||||
);
|
||||
|
||||
// If no header is sent, then the connection IP is used.
|
||||
let res = client
|
||||
.get(rsclient.make_url("/v1/debug/ipinfo"))
|
||||
.send()
|
||||
.await
|
||||
.unwrap();
|
||||
let ip_res: IpAddr = res
|
||||
.json()
|
||||
.await
|
||||
.expect("Failed to parse response as Vec<IpAddr>");
|
||||
|
||||
assert_eq!(ip_res, DEFAULT_IP_ADDRESS);
|
||||
}
|
||||
|
||||
// =====================================================
|
||||
// *test where we do trust the PROXY protocol header
|
||||
//
|
||||
// NOTE: This is MUCH HARDER TO TEST because we can't just stuff this address
|
||||
// in front of a reqwest call. We have to open raw connections and write the
|
||||
// requests to them.
|
||||
//
|
||||
// As a result, we are pretty much forced to manually dump binary headers and then
|
||||
// manually craft get reqs, followed by parsing them.
|
||||
|
||||
#[derive(Debug, PartialEq)]
|
||||
enum ProxyV2Error {
|
||||
TcpStream,
|
||||
TcpWrite,
|
||||
TornWrite,
|
||||
HttpHandshake,
|
||||
HttpRequestBuild,
|
||||
HttpRequest,
|
||||
HttpBadRequest,
|
||||
}
|
||||
|
||||
async fn proxy_v2_make_request(
|
||||
http_sock_addr: SocketAddr,
|
||||
hdr: &[u8],
|
||||
) -> Result<IpAddr, ProxyV2Error> {
|
||||
use http_body_util::BodyExt;
|
||||
use http_body_util::Empty;
|
||||
use hyper::body::Bytes;
|
||||
use hyper::Request;
|
||||
use hyper_util::rt::TokioIo;
|
||||
use tokio::io::AsyncWriteExt as _;
|
||||
use tokio::net::TcpStream;
|
||||
|
||||
let url = format!("http://{}/v1/debug/ipinfo", http_sock_addr)
|
||||
.as_str()
|
||||
.parse::<hyper::Uri>()
|
||||
.unwrap();
|
||||
|
||||
let mut stream = TcpStream::connect(http_sock_addr).await.map_err(|err| {
|
||||
error!(?err);
|
||||
ProxyV2Error::TcpStream
|
||||
})?;
|
||||
|
||||
// Write the proxyv2 header
|
||||
let nbytes = stream.write(hdr).await.map_err(|err| {
|
||||
error!(?err);
|
||||
ProxyV2Error::TcpWrite
|
||||
})?;
|
||||
|
||||
if nbytes != hdr.len() {
|
||||
return Err(ProxyV2Error::TornWrite);
|
||||
}
|
||||
|
||||
let io = TokioIo::new(stream);
|
||||
|
||||
let (mut sender, conn) = hyper::client::conn::http1::handshake(io)
|
||||
.await
|
||||
.map_err(|err| {
|
||||
error!(?err);
|
||||
ProxyV2Error::HttpHandshake
|
||||
})?;
|
||||
|
||||
// Spawn a task to poll the connection, driving the HTTP state
|
||||
tokio::task::spawn(async move {
|
||||
if let Err(err) = conn.await {
|
||||
println!("Connection failed: {:?}", err);
|
||||
}
|
||||
});
|
||||
|
||||
let authority = url.authority().unwrap().clone();
|
||||
|
||||
// Create an HTTP request with an empty body and a HOST header
|
||||
let req = Request::builder()
|
||||
.uri(url)
|
||||
.header(hyper::header::HOST, authority.as_str())
|
||||
.body(Empty::<Bytes>::new())
|
||||
.map_err(|err| {
|
||||
error!(?err);
|
||||
ProxyV2Error::HttpRequestBuild
|
||||
})?;
|
||||
|
||||
// Await the response...
|
||||
let mut res = sender.send_request(req).await.map_err(|err| {
|
||||
error!(?err);
|
||||
ProxyV2Error::HttpRequest
|
||||
})?;
|
||||
|
||||
println!("Response status: {}", res.status());
|
||||
|
||||
if res.status() != 200 {
|
||||
return Err(ProxyV2Error::HttpBadRequest);
|
||||
}
|
||||
|
||||
let mut data: Vec<u8> = Vec::new();
|
||||
|
||||
while let Some(next) = res.frame().await {
|
||||
let frame = next.unwrap();
|
||||
if let Some(chunk) = frame.data_ref() {
|
||||
data.write_all(chunk).await.unwrap();
|
||||
}
|
||||
}
|
||||
|
||||
tracing::info!(?data);
|
||||
let ip_res: IpAddr = serde_json::from_slice(&data).unwrap();
|
||||
tracing::info!(?ip_res);
|
||||
|
||||
Ok(ip_res)
|
||||
}
|
||||
|
||||
#[kanidmd_testkit::test(with_test_env = true, http_client_address_info = HttpAddressInfo::ProxyV2 ( [DEFAULT_IP_ADDRESS].into() ))]
|
||||
async fn trust_proxy_v2_address_set(test_env: &AsyncTestEnvironment) {
|
||||
// Send with no header - with proxy v2, a header is ALWAYS required
|
||||
let proxy_hdr: [u8; 0] = [];
|
||||
|
||||
let res = proxy_v2_make_request(test_env.http_sock_addr, &proxy_hdr)
|
||||
.await
|
||||
.unwrap_err();
|
||||
|
||||
// Can't send http request because proxy wasn't sent.
|
||||
assert_eq!(res, ProxyV2Error::HttpRequest);
|
||||
|
||||
// Send with a valid header
|
||||
let proxy_hdr =
|
||||
hex::decode("0d0a0d0a000d0a515549540a2111000cac180c76ac180b8fcdcb027d").unwrap();
|
||||
|
||||
let res = proxy_v2_make_request(test_env.http_sock_addr, &proxy_hdr)
|
||||
.await
|
||||
.unwrap();
|
||||
|
||||
// The header was valid
|
||||
assert_eq!(res, IpAddr::V4(Ipv4Addr::new(172, 24, 12, 118)));
|
||||
}
|
||||
|
||||
#[kanidmd_testkit::test(with_test_env = true, http_client_address_info = HttpAddressInfo::ProxyV2 ( [ IpAddr::V4(Ipv4Addr::new(10, 0, 0, 1)) ].into() ))]
|
||||
async fn trust_proxy_v2_untrusted(test_env: &AsyncTestEnvironment) {
|
||||
// Send with a valid header, but we aren't a trusted source.
|
||||
let proxy_hdr =
|
||||
hex::decode("0d0a0d0a000d0a515549540a2111000cac180c76ac180b8fcdcb027d").unwrap();
|
||||
|
||||
let res = proxy_v2_make_request(test_env.http_sock_addr, &proxy_hdr)
|
||||
.await
|
||||
.unwrap_err();
|
||||
|
||||
// Can't send http request because we aren't trusted to send it, so this
|
||||
// ends up falling into a http request that is REJECTED.
|
||||
assert_eq!(res, ProxyV2Error::HttpBadRequest);
|
||||
}
|
|
@ -2,10 +2,10 @@ mod apidocs;
|
|||
mod domain;
|
||||
mod group;
|
||||
mod http_manifest;
|
||||
mod https_extractors;
|
||||
mod https_middleware;
|
||||
mod identity_verification_tests;
|
||||
mod integration;
|
||||
mod ip_addr_extractors;
|
||||
mod ldap_basic;
|
||||
mod mtls_test;
|
||||
mod oauth2_test;
|
||||
|
|
|
@ -10,7 +10,7 @@ async fn test_v1_person_id_patch(rsclient: &KanidmClient) {
|
|||
.await;
|
||||
assert!(res.is_ok());
|
||||
|
||||
create_user(&rsclient, "foo", "foogroup").await;
|
||||
create_user(rsclient, "foo", "foogroup").await;
|
||||
|
||||
let post_body = serde_json::json!({"attrs": { ATTR_MAIL : ["crab@example.com"]}});
|
||||
|
||||
|
@ -31,7 +31,7 @@ async fn test_v1_person_id_ssh_pubkeys_post(rsclient: &KanidmClient) {
|
|||
.await;
|
||||
assert!(res.is_ok());
|
||||
|
||||
create_user(&rsclient, "foo", "foogroup").await;
|
||||
create_user(rsclient, "foo", "foogroup").await;
|
||||
|
||||
let post_body = serde_json::json!([
|
||||
"ssh-key-tag-goes-here",
|
||||
|
|
|
@ -1366,7 +1366,7 @@ async fn setup_demo_account_password(
|
|||
|
||||
#[kanidmd_testkit::test]
|
||||
async fn test_server_credential_update_session_passkey(rsclient: &KanidmClient) {
|
||||
let mut wa = setup_demo_account_passkey(&rsclient).await;
|
||||
let mut wa = setup_demo_account_passkey(rsclient).await;
|
||||
|
||||
let res = rsclient
|
||||
.auth_passkey_begin("demo_account")
|
||||
|
@ -1690,7 +1690,7 @@ async fn test_server_user_auth_token_lifecycle(rsclient: &KanidmClient) {
|
|||
|
||||
#[kanidmd_testkit::test]
|
||||
async fn test_server_user_auth_reauthentication(rsclient: &KanidmClient) {
|
||||
let mut wa = setup_demo_account_passkey(&rsclient).await;
|
||||
let mut wa = setup_demo_account_passkey(rsclient).await;
|
||||
|
||||
let res = rsclient
|
||||
.auth_passkey_begin("demo_account")
|
||||
|
@ -1869,12 +1869,12 @@ async fn start_password_session(
|
|||
|
||||
#[kanidmd_testkit::test]
|
||||
async fn test_server_user_auth_unprivileged(rsclient: &KanidmClient) {
|
||||
let (account_name, account_pass) = setup_demo_account_password(&rsclient)
|
||||
let (account_name, account_pass) = setup_demo_account_password(rsclient)
|
||||
.await
|
||||
.expect("Failed to setup demo_account");
|
||||
|
||||
let uat = start_password_session(
|
||||
&rsclient,
|
||||
rsclient,
|
||||
account_name.as_str(),
|
||||
account_pass.as_str(),
|
||||
false,
|
||||
|
@ -1892,18 +1892,13 @@ async fn test_server_user_auth_unprivileged(rsclient: &KanidmClient) {
|
|||
|
||||
#[kanidmd_testkit::test]
|
||||
async fn test_server_user_auth_privileged_shortcut(rsclient: &KanidmClient) {
|
||||
let (account_name, account_pass) = setup_demo_account_password(&rsclient)
|
||||
let (account_name, account_pass) = setup_demo_account_password(rsclient)
|
||||
.await
|
||||
.expect("Failed to setup demo_account");
|
||||
|
||||
let uat = start_password_session(
|
||||
&rsclient,
|
||||
account_name.as_str(),
|
||||
account_pass.as_str(),
|
||||
true,
|
||||
)
|
||||
.await
|
||||
.expect("Failed to start session");
|
||||
let uat = start_password_session(rsclient, account_name.as_str(), account_pass.as_str(), true)
|
||||
.await
|
||||
.expect("Failed to start session");
|
||||
|
||||
match uat.purpose {
|
||||
UatPurpose::ReadOnly => panic!("Unexpected uat purpose"),
|
||||
|
|
|
@ -6,10 +6,10 @@ use kanidmd_testkit::*;
|
|||
async fn account_id_unix_token(rsclient: &KanidmClient) {
|
||||
login_put_admin_idm_admins(rsclient).await;
|
||||
|
||||
create_user(&rsclient, "group_manager", "idm_group_manage_priv").await;
|
||||
create_user(rsclient, "group_manager", "idm_group_manage_priv").await;
|
||||
// create test user without creating new groups
|
||||
create_user(&rsclient, NOT_ADMIN_TEST_USERNAME, NAME_IDM_ADMINS).await;
|
||||
login_account(&rsclient, "group_manager").await;
|
||||
create_user(rsclient, NOT_ADMIN_TEST_USERNAME, NAME_IDM_ADMINS).await;
|
||||
login_account(rsclient, "group_manager").await;
|
||||
|
||||
let response = rsclient
|
||||
.idm_account_unix_token_get(NOT_ADMIN_TEST_USERNAME)
|
||||
|
@ -32,7 +32,7 @@ async fn account_id_unix_token(rsclient: &KanidmClient) {
|
|||
assert!(format!("{:?}", val).contains("400"));
|
||||
}
|
||||
|
||||
login_put_admin_idm_admins(&rsclient).await;
|
||||
login_put_admin_idm_admins(rsclient).await;
|
||||
|
||||
rsclient
|
||||
.idm_person_account_unix_extend(NOT_ADMIN_TEST_USERNAME, None, None)
|
||||
|
|
|
@ -5,6 +5,7 @@ use crate::{handle_client_error, PwBadlistOpt};
|
|||
use std::fs::File;
|
||||
use std::io::Read;
|
||||
use tokio::task;
|
||||
use zxcvbn::Score;
|
||||
|
||||
const CHUNK_SIZE: usize = 1000;
|
||||
|
||||
|
@ -67,10 +68,6 @@ impl PwBadlistOpt {
|
|||
info!("Have {} unique passwords to process", pwset.len());
|
||||
|
||||
// Break the list into chunks per thread availability
|
||||
// let par_count = thread::available_parallelism()
|
||||
// .expect("Failed to determine available parallelism")
|
||||
// .get();
|
||||
|
||||
let task_handles: Vec<_> = pwset
|
||||
.chunks(CHUNK_SIZE)
|
||||
.map(|chunk| chunk.to_vec())
|
||||
|
@ -82,18 +79,7 @@ impl PwBadlistOpt {
|
|||
if v.len() < 10 {
|
||||
return false;
|
||||
}
|
||||
match zxcvbn::zxcvbn(v.as_str(), &[]) {
|
||||
Ok(r) => r.score() >= 4,
|
||||
Err(e) => {
|
||||
error!(
|
||||
"zxcvbn unable to process '{}' - {:?}",
|
||||
v.as_str(),
|
||||
e
|
||||
);
|
||||
error!("adding to badlist anyway ...");
|
||||
true
|
||||
}
|
||||
}
|
||||
zxcvbn::zxcvbn(v.as_str(), &[]).score() >= Score::Four
|
||||
})
|
||||
.map(|s| s.to_string())
|
||||
.collect::<Vec<_>>();
|
||||
|
|
|
@ -8,4 +8,6 @@ pub enum Error {
|
|||
Interrupt,
|
||||
Crossbeam,
|
||||
InvalidState,
|
||||
#[allow(dead_code)]
|
||||
RandomNumber(String),
|
||||
}
|
||||
|
|
|
@ -4,8 +4,9 @@ use crate::model::ActorRole;
|
|||
use crate::profile::Profile;
|
||||
use crate::state::{Credential, Flag, Group, GroupName, Person, PreflightState, State};
|
||||
use hashbrown::HashMap;
|
||||
use rand::distributions::{Alphanumeric, DistString, Uniform};
|
||||
use rand::seq::{index, SliceRandom};
|
||||
use rand::distr::{Alphanumeric, SampleString, Uniform};
|
||||
use rand::seq::{index, IndexedRandom};
|
||||
|
||||
use rand::{Rng, SeedableRng};
|
||||
use rand_chacha::ChaCha8Rng;
|
||||
|
||||
|
@ -171,7 +172,8 @@ pub async fn populate(_client: &KanidmOrcaClient, profile: Profile) -> Result<St
|
|||
let baseline = persons.len() / 3;
|
||||
let inverse = persons.len() - baseline;
|
||||
// Randomly add extra from the inverse
|
||||
let extra = Uniform::new(0, inverse);
|
||||
let extra =
|
||||
Uniform::new(0, inverse).map_err(|err| Error::RandomNumber(err.to_string()))?;
|
||||
baseline + seeded_rng.sample(extra)
|
||||
}
|
||||
};
|
||||
|
|
|
@ -27,7 +27,7 @@ impl ActorBasic {
|
|||
pub fn new(mut cha_rng: ChaCha8Rng, warmup_time_ms: u64) -> Self {
|
||||
let max_backoff_time_in_ms = 2 * warmup_time_ms / 3;
|
||||
let randomised_backoff_time =
|
||||
Duration::from_millis(cha_rng.gen_range(0..max_backoff_time_in_ms));
|
||||
Duration::from_millis(cha_rng.random_range(0..max_backoff_time_in_ms));
|
||||
ActorBasic {
|
||||
state: State::Unauthenticated,
|
||||
randomised_backoff_time,
|
||||
|
|
|
@ -76,7 +76,7 @@ impl ActorLatencyMeasurer {
|
|||
|
||||
let max_backoff_time_in_ms = 2 * warmup_time_ms / 3;
|
||||
let randomised_backoff_time =
|
||||
Duration::from_millis(cha_rng.gen_range(0..max_backoff_time_in_ms));
|
||||
Duration::from_millis(cha_rng.random_range(0..max_backoff_time_in_ms));
|
||||
Ok(ActorLatencyMeasurer {
|
||||
state: State::Unauthenticated,
|
||||
randomised_backoff_time,
|
||||
|
|
|
@ -25,7 +25,7 @@ impl ActorReader {
|
|||
pub fn new(mut cha_rng: ChaCha8Rng, warmup_time_ms: u64) -> Self {
|
||||
let max_backoff_time_in_ms = warmup_time_ms - 1000;
|
||||
let randomised_backoff_time =
|
||||
Duration::from_millis(cha_rng.gen_range(0..max_backoff_time_in_ms));
|
||||
Duration::from_millis(cha_rng.random_range(0..max_backoff_time_in_ms));
|
||||
ActorReader {
|
||||
state: State::Unauthenticated,
|
||||
randomised_backoff_time,
|
||||
|
|
|
@ -26,7 +26,7 @@ impl ActorWriter {
|
|||
pub fn new(mut cha_rng: ChaCha8Rng, warmup_time_ms: u64) -> Self {
|
||||
let max_backoff_time_in_ms = 2 * warmup_time_ms / 3;
|
||||
let randomised_backoff_time =
|
||||
Duration::from_millis(cha_rng.gen_range(0..max_backoff_time_in_ms));
|
||||
Duration::from_millis(cha_rng.random_range(0..max_backoff_time_in_ms));
|
||||
ActorWriter {
|
||||
state: State::Unauthenticated,
|
||||
randomised_backoff_time,
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
use crate::error::Error;
|
||||
use crate::state::{GroupName, Model};
|
||||
use rand::{thread_rng, Rng};
|
||||
use rand::{rng, Rng};
|
||||
use serde::de::{value, IntoDeserializer};
|
||||
use serde::{Deserialize, Serialize};
|
||||
use std::collections::BTreeMap;
|
||||
|
@ -200,8 +200,8 @@ impl ProfileBuilder {
|
|||
} = self;
|
||||
|
||||
let seed: u64 = seed.unwrap_or_else(|| {
|
||||
let mut rng = thread_rng();
|
||||
rng.gen()
|
||||
let mut rng = rng();
|
||||
rng.random()
|
||||
});
|
||||
|
||||
//TODO: Allow to specify group properties from the CLI
|
||||
|
|
|
@ -187,7 +187,7 @@ pub async fn execute(state: State, control_rx: broadcast::Receiver<Signal>) -> R
|
|||
})
|
||||
})
|
||||
.collect::<Result<Vec<_>, _>>()?;
|
||||
let main_client_index = seeded_rng.gen_range(0..cloned_clients.len());
|
||||
let main_client_index = seeded_rng.random_range(0..cloned_clients.len());
|
||||
let main_client = cloned_clients.remove(main_client_index);
|
||||
//note that cloned_clients now contains all other clients except the first one
|
||||
|
||||
|
|
|
@ -694,7 +694,7 @@ mod tests {
|
|||
|
||||
for file in PathBuf::from(&examples_dir)
|
||||
.canonicalize()
|
||||
.expect(&format!("Can't find examples dir at {}", examples_dir))
|
||||
.unwrap_or_else(|_| panic!("Can't find examples dir at {}", examples_dir))
|
||||
.read_dir()
|
||||
.expect("Can't read examples dir!")
|
||||
{
|
||||
|
|
|
@ -71,32 +71,32 @@ impl RequestOptions {
|
|||
fn nss_fallback_unavail() {
|
||||
let req_opt = RequestOptions::fallback_unavail();
|
||||
let Response::Unavail = core::get_all_user_entries(req_opt) else {
|
||||
unreachable!();
|
||||
panic!("unrecoverable");
|
||||
};
|
||||
|
||||
let req_opt = RequestOptions::fallback_unavail();
|
||||
let Response::Unavail = core::get_user_entry_by_uid(0, req_opt) else {
|
||||
unreachable!();
|
||||
panic!("unrecoverable");
|
||||
};
|
||||
|
||||
let req_opt = RequestOptions::fallback_unavail();
|
||||
let Response::Unavail = core::get_user_entry_by_name("root".to_string(), req_opt) else {
|
||||
unreachable!();
|
||||
panic!("unrecoverable");
|
||||
};
|
||||
|
||||
let req_opt = RequestOptions::fallback_unavail();
|
||||
let Response::Unavail = core::get_all_group_entries(req_opt) else {
|
||||
unreachable!();
|
||||
panic!("unrecoverable");
|
||||
};
|
||||
|
||||
let req_opt = RequestOptions::fallback_unavail();
|
||||
let Response::Unavail = core::get_group_entry_by_gid(0, req_opt) else {
|
||||
unreachable!();
|
||||
panic!("unrecoverable");
|
||||
};
|
||||
|
||||
let req_opt = RequestOptions::fallback_unavail();
|
||||
let Response::Unavail = core::get_group_entry_by_name("root".to_string(), req_opt) else {
|
||||
unreachable!();
|
||||
panic!("unrecoverable");
|
||||
};
|
||||
}
|
||||
|
||||
|
@ -105,7 +105,7 @@ fn nss_fallback_all_user_entries() {
|
|||
let req_opt = RequestOptions::fallback_fixture();
|
||||
|
||||
let Response::Success(users) = core::get_all_user_entries(req_opt) else {
|
||||
unreachable!();
|
||||
panic!("Failed to get all user entries");
|
||||
};
|
||||
|
||||
assert_eq!(users.len(), 3);
|
||||
|
@ -129,7 +129,7 @@ fn nss_fallback_all_user_entries() {
|
|||
fn nss_fallback_user_entry_by_uid() {
|
||||
let req_opt = RequestOptions::fallback_fixture();
|
||||
let Response::Success(user) = core::get_user_entry_by_uid(0, req_opt) else {
|
||||
unreachable!();
|
||||
panic!("Failed to get user entry by uid");
|
||||
};
|
||||
|
||||
assert_eq!(user.name, "root");
|
||||
|
@ -139,7 +139,7 @@ fn nss_fallback_user_entry_by_uid() {
|
|||
|
||||
let req_opt = RequestOptions::fallback_fixture();
|
||||
let Response::Success(user) = core::get_user_entry_by_uid(1000, req_opt) else {
|
||||
unreachable!();
|
||||
panic!("Failed to get user entry by uid");
|
||||
};
|
||||
|
||||
assert_eq!(user.name, "tobias");
|
||||
|
@ -149,7 +149,7 @@ fn nss_fallback_user_entry_by_uid() {
|
|||
|
||||
let req_opt = RequestOptions::fallback_fixture();
|
||||
let Response::NotFound = core::get_user_entry_by_uid(10, req_opt) else {
|
||||
unreachable!();
|
||||
panic!("Wrong result");
|
||||
};
|
||||
}
|
||||
|
||||
|
@ -157,7 +157,7 @@ fn nss_fallback_user_entry_by_uid() {
|
|||
fn nss_fallback_user_entry_by_name() {
|
||||
let req_opt = RequestOptions::fallback_fixture();
|
||||
let Response::Success(user) = core::get_user_entry_by_name("root".to_string(), req_opt) else {
|
||||
unreachable!();
|
||||
panic!("Failed to get user entry by name");
|
||||
};
|
||||
|
||||
assert_eq!(user.name, "root");
|
||||
|
@ -167,7 +167,7 @@ fn nss_fallback_user_entry_by_name() {
|
|||
|
||||
let req_opt = RequestOptions::fallback_fixture();
|
||||
let Response::Success(user) = core::get_user_entry_by_name("ellie".to_string(), req_opt) else {
|
||||
unreachable!();
|
||||
panic!("Failed to get user entry by name");
|
||||
};
|
||||
|
||||
assert_eq!(user.name, "ellie");
|
||||
|
@ -177,7 +177,7 @@ fn nss_fallback_user_entry_by_name() {
|
|||
|
||||
let req_opt = RequestOptions::fallback_fixture();
|
||||
let Response::NotFound = core::get_user_entry_by_name("william".to_string(), req_opt) else {
|
||||
unreachable!();
|
||||
panic!("Wrong result");
|
||||
};
|
||||
}
|
||||
|
||||
|
@ -186,7 +186,7 @@ fn nss_fallback_all_group_entries() {
|
|||
let req_opt = RequestOptions::fallback_fixture();
|
||||
|
||||
let Response::Success(groups) = core::get_all_group_entries(req_opt) else {
|
||||
unreachable!();
|
||||
panic!("Failed to get all group entries");
|
||||
};
|
||||
|
||||
assert_eq!(groups.len(), 3);
|
||||
|
@ -207,7 +207,7 @@ fn nss_fallback_all_group_entries() {
|
|||
fn nss_fallback_group_entry_by_uid() {
|
||||
let req_opt = RequestOptions::fallback_fixture();
|
||||
let Response::Success(group) = core::get_group_entry_by_gid(0, req_opt) else {
|
||||
unreachable!();
|
||||
panic!("Failed to get group entry by gid");
|
||||
};
|
||||
|
||||
assert_eq!(group.name, "root");
|
||||
|
@ -216,7 +216,7 @@ fn nss_fallback_group_entry_by_uid() {
|
|||
|
||||
let req_opt = RequestOptions::fallback_fixture();
|
||||
let Response::Success(group) = core::get_group_entry_by_gid(1000, req_opt) else {
|
||||
unreachable!();
|
||||
panic!("Failed to get group entry by gid");
|
||||
};
|
||||
|
||||
assert_eq!(group.name, "tobias");
|
||||
|
@ -225,7 +225,7 @@ fn nss_fallback_group_entry_by_uid() {
|
|||
|
||||
let req_opt = RequestOptions::fallback_fixture();
|
||||
let Response::NotFound = core::get_group_entry_by_gid(10, req_opt) else {
|
||||
unreachable!();
|
||||
panic!("Wrong result");
|
||||
};
|
||||
}
|
||||
|
||||
|
@ -234,7 +234,7 @@ fn nss_fallback_group_entry_by_name() {
|
|||
let req_opt = RequestOptions::fallback_fixture();
|
||||
let Response::Success(group) = core::get_group_entry_by_name("root".to_string(), req_opt)
|
||||
else {
|
||||
unreachable!();
|
||||
panic!("Failed to get group entry by name");
|
||||
};
|
||||
|
||||
assert_eq!(group.name, "root");
|
||||
|
@ -244,7 +244,7 @@ fn nss_fallback_group_entry_by_name() {
|
|||
let req_opt = RequestOptions::fallback_fixture();
|
||||
let Response::Success(group) = core::get_group_entry_by_name("ellie".to_string(), req_opt)
|
||||
else {
|
||||
unreachable!();
|
||||
panic!("Failed to get group entry by name");
|
||||
};
|
||||
|
||||
assert_eq!(group.name, "ellie");
|
||||
|
@ -253,6 +253,6 @@ fn nss_fallback_group_entry_by_name() {
|
|||
|
||||
let req_opt = RequestOptions::fallback_fixture();
|
||||
let Response::NotFound = core::get_group_entry_by_name("william".to_string(), req_opt) else {
|
||||
unreachable!();
|
||||
panic!("Wrong result");
|
||||
};
|
||||
}
|
||||
|
|
|
@ -121,23 +121,17 @@ impl PamHandler for TestHandler {
|
|||
/// Display a message to the user.
|
||||
fn message(&self, _prompt: &str) -> PamResult<()> {
|
||||
let mut q = self.response_queue.lock().unwrap();
|
||||
match q.pop_front() {
|
||||
e => {
|
||||
eprintln!("{:?}", e);
|
||||
panic!("Invalid event transition");
|
||||
}
|
||||
}
|
||||
let e = q.pop_front();
|
||||
eprintln!("{:?}", e);
|
||||
panic!("Invalid event transition message");
|
||||
}
|
||||
|
||||
/// Display a device grant request to the user.
|
||||
fn message_device_grant(&self, _data: &DeviceAuthorizationResponse) -> PamResult<()> {
|
||||
let mut q = self.response_queue.lock().unwrap();
|
||||
match q.pop_front() {
|
||||
e => {
|
||||
eprintln!("{:?}", e);
|
||||
panic!("Invalid event transition");
|
||||
}
|
||||
}
|
||||
let e = q.pop_front();
|
||||
eprintln!("{:?}", e);
|
||||
panic!("Invalid event transition message_device_grant");
|
||||
}
|
||||
|
||||
/// Request a password from the user.
|
||||
|
@ -154,22 +148,16 @@ impl PamHandler for TestHandler {
|
|||
|
||||
fn prompt_for_pin(&self, _msg: Option<&str>) -> PamResult<Option<String>> {
|
||||
let mut q = self.response_queue.lock().unwrap();
|
||||
match q.pop_front() {
|
||||
e => {
|
||||
eprintln!("{:?}", e);
|
||||
panic!("Invalid event transition");
|
||||
}
|
||||
}
|
||||
let e = q.pop_front();
|
||||
eprintln!("{:?}", e);
|
||||
panic!("Invalid event transition prompt_for_pin");
|
||||
}
|
||||
|
||||
fn prompt_for_mfacode(&self) -> PamResult<Option<String>> {
|
||||
let mut q = self.response_queue.lock().unwrap();
|
||||
match q.pop_front() {
|
||||
e => {
|
||||
eprintln!("{:?}", e);
|
||||
panic!("Invalid event transition");
|
||||
}
|
||||
}
|
||||
let mut q = self.response_queue.lock().expect("Failed to lock mutex");
|
||||
let e = q.pop_front();
|
||||
eprintln!("{:?}", e);
|
||||
panic!("Invalid event transition prompt_for_mfacode");
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -1189,7 +1189,7 @@ async fn test_cache_extend_group_members() {
|
|||
assert!(groups.iter().any(|group| {
|
||||
group.name == "extensible_group"
|
||||
&& group.members.as_slice()
|
||||
== &[
|
||||
== [
|
||||
"local_account".to_string(),
|
||||
"testaccount1@idm.example.com".to_string(),
|
||||
]
|
||||
|
|
Loading…
Reference in a new issue