mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-06-11 18:47:47 +02:00
Code Issues Actions22 Packages Projects Releases Wiki Activity

Compare commits

...

9 commits
8c8858d5d2 ... 28105a3bea

Author SHA1 Message Date
Firstyear 28105a3bea
Merge 8fa42384ae into 97952d5490 2025-05-13 17:32:49 +08:00
Firstyear 97952d5490
Dont specify config path in container () 2025-05-13 14:30:38 +10:00
Firstyear 6a85e2a21b
Accept SSHA with different salt lengths () 2025-05-13 03:19:12 +00:00
James Hodgkinson 1774f9428c
Bye poetry, hi uv for python things () 
* fix: moving from poetry to uv for python packaging
* fix: updating rlm_python to use uv for things
 2025-05-13 02:59:05 +00:00
Firstyear b7eda62e3b
Resolve flaw with ssh key parse if the key has no comment () 2025-05-13 02:39:10 +00:00
Firstyear b5cdf9dcf2
Indicate that this is an ip list, not a range () 
* Indicate that this is an ip list, not a range

We mistakenly commented that this was a range, not a list. This
has led to some confusion. Be clear it's a list of ip's, not a range.

* Support Ip Ranges instead of Ip Addresses in X-Forward-For

* Docs feedback
 2025-05-13 01:53:58 +00:00
James Hodgkinson 47b091cd49
Test for corrupted unicode in SSH keys, keep the key title on error/resubmit () 2025-05-13 00:38:32 +00:00
James Hodgkinson 8daeddb9e7
Reduce replication logging verbosity 2025-05-13 10:21:47 +10:00
William Brown 8fa42384ae Start to implement SCIM apis 
This adds SCIM api end points, in the hope to complete and
enable these. This uses the application password feature as
a test surface for these api end points.
 2025-05-09 14:03:57 +10:00
84 changed files with 4565 additions and 3159 deletions

5
.github/workflows/kanidm_individual_book.yml vendored
View file

@ -63,10 +63,9 @@ jobs:
mv ./target/doc/* ./docs/${{ inputs.tag }}/rustdoc/
- name: pykanidm docs
run: |
python -m pip install poetry
python -m pip install uv
cd pykanidm
poetry install
poetry run mkdocs build
uv run --group docs mkdocs build
cd ..
mv pykanidm/site ./docs/${{ inputs.tag }}/pykanidm
continue-on-error: true

20
.github/workflows/pykanidm.yml vendored
View file

@ -10,32 +10,30 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
tests:
python_tests:
runs-on: ubuntu-latest
env:
UV_LINK_MODE: "copy"
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Fetch all history for .GitInfo and .Lastmod
- name: Install poetry
run: pipx install poetry
- name: Set up Python 3.10
uses: actions/setup-python@v5
with:
python-version: '3.10'
cache: 'poetry'
- name: Install uv
run: pip install --root-user-action=ignore uv
- name: Running mypy
run: |
cd pykanidm
python --version
poetry install
poetry run mypy --strict kanidm tests
uv run mypy --strict kanidm tests
uv run ty check
- name: Running Linting
run: |
cd pykanidm
poetry install
poetry run ruff check kanidm tests
uv run ruff check kanidm tests
- name: Running pytest
run: |
cd pykanidm
poetry install
poetry run pytest -v -m 'not network'
uv run pytest -v -m 'not network'

310
Cargo.lock generated
View file

@ -19,16 +19,16 @@ checksum = "512761e0bb2578dd7380c6baaa0f4ce03e84f95e960231d1dec8bf4d7d6e2627"
[[package]]
name = "ahash"
version = "0.8.11"
version = "0.8.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e89da841a80418a9b391ebaea17f5c112ffaaa96f621d2c285b5174da76b9011"
checksum = "5a15f179cd60c4584b8a8c596927aadc462e27f2ca70c04e0071964a73ba7a75"
dependencies = [
"cfg-if",
"getrandom 0.2.16",
"getrandom 0.3.3",
"once_cell",
"serde",
"version_check",
"zerocopy 0.7.35",
"zerocopy",
]
[[package]]
@ -425,9 +425,9 @@ dependencies = [
[[package]]
name = "backtrace"
version = "0.3.74"
version = "0.3.75"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8d82cb332cdfaed17ae235a638438ac4d4839913cc2af585c3c6746e8f8bee1a"
checksum = "6806a6321ec58106fea15becdad98371e28d92ccbc7c8f1b3b6dd724fe8f1002"
dependencies = [
"addr2line",
"cfg-if",
@ -695,6 +695,15 @@ dependencies = [
"windows-link",
]
[[package]]
name = "cidr"
version = "0.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bd1b64030216239a2e7c364b13cd96a2097ebf0dfe5025f2dedee14a23f2ab60"
dependencies = [
"serde",
]
[[package]]
name = "clang-sys"
version = "1.8.1"
@ -1671,9 +1680,9 @@ dependencies = [
[[package]]
name = "getrandom"
version = "0.3.2"
version = "0.3.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "73fea8450eea4bac3940448fb7ae50d91f034f941199fcd9d909a5a07aa455f0"
checksum = "26145e563e54f2cadc477553f1ec5ee650b00862f0a58bcd12cbdc5f0ea2d2f4"
dependencies = [
"cfg-if",
"js-sys",
@ -1750,7 +1759,7 @@ dependencies = [
"gix-utils 0.2.0",
"itoa",
"thiserror 2.0.12",
"winnow 0.7.9",
"winnow 0.7.10",
]
[[package]]
@ -1806,7 +1815,7 @@ dependencies = [
"smallvec",
"thiserror 2.0.12",
"unicode-bom",
"winnow 0.7.9",
"winnow 0.7.10",
]
[[package]]
@ -1996,7 +2005,7 @@ dependencies = [
"itoa",
"smallvec",
"thiserror 2.0.12",
"winnow 0.7.9",
"winnow 0.7.10",
]
[[package]]
@ -2052,9 +2061,9 @@ dependencies = [
[[package]]
name = "gix-path"
version = "0.10.17"
version = "0.10.18"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c091d2e887e02c3462f52252c5ea61150270c0f2657b642e8d0d6df56c16e642"
checksum = "567f65fec4ef10dfab97ae71f26a27fd4d7fe7b8e3f90c8a58551c41ff3fb65b"
dependencies = [
"bstr",
"gix-trace",
@ -2080,7 +2089,7 @@ dependencies = [
"gix-utils 0.2.0",
"maybe-async",
"thiserror 2.0.12",
"winnow 0.7.9",
"winnow 0.7.10",
]
[[package]]
@ -2112,7 +2121,7 @@ dependencies = [
"gix-validate 0.9.4",
"memmap2",
"thiserror 2.0.12",
"winnow 0.7.9",
"winnow 0.7.10",
]
[[package]]
@ -2316,9 +2325,9 @@ dependencies = [
[[package]]
name = "h2"
version = "0.4.9"
version = "0.4.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "75249d144030531f8dee69fe9cea04d3edf809a017ae445e2abdff6629e86633"
checksum = "a9421a676d1b147b16b82c9225157dc629087ef8ec4d5e2960f9437a90dac0a5"
dependencies = [
"atomic-waker",
"bytes",
@ -2552,7 +2561,7 @@ dependencies = [
"bytes",
"futures-channel",
"futures-util",
"h2 0.4.9",
"h2 0.4.10",
"http 1.3.1",
"http-body 1.0.1",
"httparse",
@ -2580,7 +2589,7 @@ dependencies = [
"tokio",
"tokio-rustls",
"tower-service",
"webpki-roots",
"webpki-roots 0.26.11",
]
[[package]]
@ -2658,21 +2667,22 @@ dependencies = [
[[package]]
name = "icu_collections"
version = "1.5.0"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "db2fa452206ebee18c4b5c2274dbf1de17008e874b4dc4f0aea9d01ca79e4526"
checksum = "200072f5d0e3614556f94a9930d5dc3e0662a652823904c3a75dc3b0af7fee47"
dependencies = [
"displaydoc",
"potential_utf",
"yoke",
"zerofrom",
"zerovec",
]
[[package]]
name = "icu_locid"
version = "1.5.0"
name = "icu_locale_core"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "13acbb8371917fc971be86fc8057c41a64b521c184808a698c02acc242dbf637"
checksum = "0cde2700ccaed3872079a65fb1a78f6c0a36c91570f28755dda67bc8f7d9f00a"
dependencies = [
"displaydoc",
"litemap",
@ -2681,31 +2691,11 @@ dependencies = [
"zerovec",
]
[[package]]
name = "icu_locid_transform"
version = "1.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "01d11ac35de8e40fdeda00d9e1e9d92525f3f9d887cdd7aa81d727596788b54e"
dependencies = [
"displaydoc",
"icu_locid",
"icu_locid_transform_data",
"icu_provider",
"tinystr",
"zerovec",
]
[[package]]
name = "icu_locid_transform_data"
version = "1.5.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7515e6d781098bf9f7205ab3fc7e9709d34554ae0b21ddbcb5febfa4bc7df11d"
[[package]]
name = "icu_normalizer"
version = "1.5.0"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "19ce3e0da2ec68599d193c93d088142efd7f9c5d6fc9b803774855747dc6a84f"
checksum = "436880e8e18df4d7bbc06d58432329d6458cc84531f7ac5f024e93deadb37979"
dependencies = [
"displaydoc",
"icu_collections",
@ -2713,67 +2703,54 @@ dependencies = [
"icu_properties",
"icu_provider",
"smallvec",
"utf16_iter",
"utf8_iter",
"write16",
"zerovec",
]
[[package]]
name = "icu_normalizer_data"
version = "1.5.1"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c5e8338228bdc8ab83303f16b797e177953730f601a96c25d10cb3ab0daa0cb7"
checksum = "00210d6893afc98edb752b664b8890f0ef174c8adbb8d0be9710fa66fbbf72d3"
[[package]]
name = "icu_properties"
version = "1.5.1"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "93d6020766cfc6302c15dbbc9c8778c37e62c14427cb7f6e601d849e092aeef5"
checksum = "2549ca8c7241c82f59c80ba2a6f415d931c5b58d24fb8412caa1a1f02c49139a"
dependencies = [
"displaydoc",
"icu_collections",
"icu_locid_transform",
"icu_locale_core",
"icu_properties_data",
"icu_provider",
"tinystr",
"potential_utf",
"zerotrie",
"zerovec",
]
[[package]]
name = "icu_properties_data"
version = "1.5.1"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "85fb8799753b75aee8d2a21d7c14d9f38921b54b3dbda10f5a3c7a7b82dba5e2"
checksum = "8197e866e47b68f8f7d95249e172903bec06004b18b2937f1095d40a0c57de04"
[[package]]
name = "icu_provider"
version = "1.5.0"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6ed421c8a8ef78d3e2dbc98a973be2f3770cb42b606e3ab18d6237c4dfde68d9"
checksum = "03c80da27b5f4187909049ee2d72f276f0d9f99a42c306bd0131ecfe04d8e5af"
dependencies = [
"displaydoc",
"icu_locid",
"icu_provider_macros",
"icu_locale_core",
"stable_deref_trait",
"tinystr",
"writeable",
"yoke",
"zerofrom",
"zerotrie",
"zerovec",
]
[[package]]
name = "icu_provider_macros"
version = "1.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1ec89e9337638ecdc08744df490b221a7399bf8d164eb52a665454e60e075ad6"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.101",
]
[[package]]
name = "ident_case"
version = "1.0.1"
@ -2804,9 +2781,9 @@ dependencies = [
[[package]]
name = "idna_adapter"
version = "1.2.0"
version = "1.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "daca1df1c957320b2cf139ac61e7bd64fed304c5040df000a745aa1de3b4ef71"
checksum = "3acae9609540aa318d1bc588455225fb2085b9ed0c4f6bd0d9d5bcd86f1a0344"
dependencies = [
"icu_normalizer",
"icu_properties",
@ -2918,9 +2895,9 @@ checksum = "4a5f13b858c8d314ee3e8f639011f7ccefe71f97f96e50151fb991f267928e2c"
[[package]]
name = "jiff"
version = "0.2.11"
version = "0.2.13"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "27e77966151130221b079bcec80f1f34a9e414fa489d99152a201c07fd2182bc"
checksum = "f02000660d30638906021176af16b17498bd0d12813dbfe7b276d8bc7f3c0806"
dependencies = [
"jiff-static",
"jiff-tzdb-platform",
@ -2933,9 +2910,9 @@ dependencies = [
[[package]]
name = "jiff-static"
version = "0.2.11"
version = "0.2.13"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "97265751f8a9a4228476f2fc17874a9e7e70e96b893368e42619880fe143b48a"
checksum = "f3c30758ddd7188629c6713fc45d1188af4f44c90582311d0c8d8c9907f60c48"
dependencies = [
"proc-macro2",
"quote",
@ -3274,6 +3251,7 @@ dependencies = [
"axum-macros",
"bytes",
"chrono",
"cidr",
"compact_jwt",
"cron",
"filetime",
@ -3383,6 +3361,7 @@ dependencies = [
name = "kanidmd_testkit"
version = "1.7.0-dev"
dependencies = [
"cidr",
"compact_jwt",
"escargot",
"fantoccini",
@ -3418,9 +3397,9 @@ dependencies = [
[[package]]
name = "kqueue"
version = "1.0.8"
version = "1.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7447f1ca1b7b563588a205fe93dea8df60fd981423a768bc1c0ded35ed147d0c"
checksum = "eac30106d7dce88daf4a3fcb4879ea939476d5074a9b7ddd0fb97fa4bed5596a"
dependencies = [
"kqueue-sys",
"libc",
@ -3438,9 +3417,9 @@ dependencies = [
[[package]]
name = "lambert_w"
version = "1.2.17"
version = "1.2.19"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dc66ddcab7f8a3cc035052b0bb1f9f7f47ac92741b3fe78974bdd356fe023a40"
checksum = "a3269cd75481b02173ffe6cb30f08e3eae78b20eb2ed6bfbdb3ce2a90446d83f"
dependencies = [
"num-complex",
"num-traits",
@ -3514,19 +3493,19 @@ checksum = "d750af042f7ef4f724306de029d18836c26c1765a54a6a3f094cbd23a7267ffa"
[[package]]
name = "libloading"
version = "0.8.6"
version = "0.8.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fc2f4eb4bc735547cfed7c0a4922cbd04a4655978c09b54f1f7b228750664c34"
checksum = "6a793df0d7afeac54f95b471d3af7f0d4fb975699f972341a4b76988d49cdf0c"
dependencies = [
"cfg-if",
"windows-targets 0.52.6",
"windows-targets 0.53.0",
]
[[package]]
name = "libm"
version = "0.2.13"
version = "0.2.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c9627da5196e5d8ed0b0495e61e518847578da83483c37288316d9b2e03a7f72"
checksum = "f9fbbcab51052fe104eb5e5d351cf728d30a5be1fe14d9be8a3b097481fb97de"
[[package]]
name = "libmimalloc-sys"
@ -3604,9 +3583,9 @@ checksum = "cd945864f07fe9f5371a27ad7b52a172b4b499999f1d97574c9fa68373937e12"
[[package]]
name = "litemap"
version = "0.7.5"
version = "0.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "23fb14cb19457329c82206317a5663005a4d404783dc74f4252769b0d5f42856"
checksum = "241eaef5fd12c88705a01fc1066c48c4b36e0dd4377dcdc7ec3942cea7a69956"
[[package]]
name = "litrs"
@ -3660,6 +3639,12 @@ dependencies = [
"hashbrown 0.15.3",
]
[[package]]
name = "lru-slab"
version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "112b39cec0b298b6c1999fee3e31427f74f676e4cb9879ed1a121b43661a4154"
[[package]]
name = "malloced"
version = "1.3.1"
@ -3694,9 +3679,9 @@ dependencies = [
[[package]]
name = "matrixmultiply"
version = "0.3.9"
version = "0.3.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9380b911e3e96d10c1f415da0876389aaf1b56759054eeb0de7df940c456ba1a"
checksum = "a06de3016e9fae57a36fd14dba131fccf49f74b40b7fbdb472f96e361ec71a08"
dependencies = [
"autocfg",
"num_cpus",
@ -3853,9 +3838,9 @@ dependencies = [
[[package]]
name = "nix"
version = "0.30.0"
version = "0.30.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "537bc3c4a347b87fd52ac6c03a02ab1302962cfd93373c5d7a112cdc337854cc"
checksum = "74523f3a35e05aba87a1d978330aef40f67b0304ac79c1c00b294c9830543db6"
dependencies = [
"bitflags 2.9.0",
"cfg-if",
@ -4531,6 +4516,15 @@ dependencies = [
"portable-atomic",
]
[[package]]
name = "potential_utf"
version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e5a7c30837279ca13e7c867e9e40053bc68740f988cb07f7ca6df43cc734b585"
dependencies = [
"zerovec",
]
[[package]]
name = "powerfmt"
version = "0.2.0"
@ -4543,7 +4537,7 @@ version = "0.2.21"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "85eae3c4ed2f50dcfe72643da4befc30deadb458a9b590d720cde2f2b1e97da9"
dependencies = [
"zerocopy 0.8.25",
"zerocopy",
]
[[package]]
@ -4674,9 +4668,9 @@ checksum = "a993555f31e5a609f617c12db6250dedcac1b0a85076912c436e6fc9b2c8e6a3"
[[package]]
name = "quinn"
version = "0.11.7"
version = "0.11.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c3bd15a6f2967aef83887dcb9fec0014580467e33720d073560cf015a5683012"
checksum = "626214629cda6781b6dc1d316ba307189c85ba657213ce642d9c77670f8202c8"
dependencies = [
"bytes",
"cfg_aliases",
@ -4694,12 +4688,13 @@ dependencies = [
[[package]]
name = "quinn-proto"
version = "0.11.11"
version = "0.11.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bcbafbbdbb0f638fe3f35f3c56739f77a8a1d070cb25603226c83339b391472b"
checksum = "49df843a9161c85bb8aae55f101bc0bac8bcafd637a620d9122fd7e0b2f7422e"
dependencies = [
"bytes",
"getrandom 0.3.2",
"getrandom 0.3.3",
"lru-slab",
"rand 0.9.1",
"ring",
"rustc-hash 2.1.1",
@ -4797,7 +4792,7 @@ version = "0.9.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "99d9a13982dcf210057a8a78572b2217b667c3beacbf3a0d8b454f6f82837d38"
dependencies = [
"getrandom 0.3.2",
"getrandom 0.3.3",
]
[[package]]
@ -4808,9 +4803,9 @@ checksum = "60a357793950651c4ed0f3f52338f53b2f809f32d83a07f72909fa13e4c6c1e3"
[[package]]
name = "redox_syscall"
version = "0.5.11"
version = "0.5.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d2f103c6d277498fbceb16e84d317e2a400f160f46904d5f5410848c829511a3"
checksum = "928fca9cf2aa042393a8325b9ead81d2f0df4cb12e1e24cef072922ccd99c5af"
dependencies = [
"bitflags 2.9.0",
]
@ -4954,7 +4949,7 @@ dependencies = [
"futures-channel",
"futures-core",
"futures-util",
"h2 0.4.9",
"h2 0.4.10",
"http 1.3.1",
"http-body 1.0.1",
"http-body-util",
@ -4987,7 +4982,7 @@ dependencies = [
"wasm-bindgen",
"wasm-bindgen-futures",
"web-sys",
"webpki-roots",
"webpki-roots 0.26.11",
"windows-registry",
]
@ -5046,9 +5041,9 @@ dependencies = [
[[package]]
name = "rust-embed"
version = "8.7.0"
version = "8.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e5fbc0ee50fcb99af7cebb442e5df7b5b45e9460ffa3f8f549cd26b862bec49d"
checksum = "60e425e204264b144d4c929d126d0de524b40a961686414bab5040f7465c71be"
dependencies = [
"rust-embed-impl",
"rust-embed-utils",
@ -5168,11 +5163,12 @@ dependencies = [
[[package]]
name = "rustls-pki-types"
version = "1.11.0"
version = "1.12.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "917ce264624a4b4db1c364dcc35bfca9ded014d0a958cd47ad3e960e988ea51c"
checksum = "229a4a4c221013e7e1f1a043678c5cc39fe5171437c88fb47151a21e6f5b5c79"
dependencies = [
"web-time",
"zeroize",
]
[[package]]
@ -5630,7 +5626,7 @@ dependencies = [
[[package]]
name = "sshkeys"
version = "0.3.3"
source = "git+https://github.com/Firstyear/rust-sshkeys.git?rev=3a081cbf7480628223bcb96fc8aaa8c19109d007#3a081cbf7480628223bcb96fc8aaa8c19109d007"
source = "git+https://github.com/Firstyear/rust-sshkeys.git?rev=49cb53232115d3aea86cd059b151e376293805fc#49cb53232115d3aea86cd059b151e376293805fc"
dependencies = [
"base64 0.22.1",
"byteorder",
@ -5750,7 +5746,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e8a64e3985349f2441a1a9ef0b853f869006c3855f2cda6862a94d26ebb9d6a1"
dependencies = [
"fastrand",
"getrandom 0.3.2",
"getrandom 0.3.3",
"once_cell",
"rustix 1.0.7",
"windows-sys 0.59.0",
@ -5865,9 +5861,9 @@ dependencies = [
[[package]]
name = "tinystr"
version = "0.7.6"
version = "0.8.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9117f5d4db391c1cf6927e7bea3db74b9a1c1add8f7eda9ffd5364f40f57b82f"
checksum = "5d4f6d1145dcb577acf783d4e601bc1d76a13337bb54e6233add580b07344c8b"
dependencies = [
"displaydoc",
"zerovec",
@ -6026,7 +6022,7 @@ dependencies = [
"serde_spanned",
"toml_datetime",
"toml_write",
"winnow 0.7.9",
"winnow 0.7.10",
]
[[package]]
@ -6046,7 +6042,7 @@ dependencies = [
"axum",
"base64 0.22.1",
"bytes",
"h2 0.4.9",
"h2 0.4.10",
"http 1.3.1",
"http-body 1.0.1",
"http-body-util",
@ -6347,12 +6343,6 @@ version = "2.1.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "daf8dba3b7eb870caf1ddeed7bc9d2a049f3cfdfae7cb521b087cc33ae4c49da"
[[package]]
name = "utf16_iter"
version = "1.0.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c8232dd3cdaed5356e0f716d285e4b40b932ac434100fe9b7e0e8e935b9e6246"
[[package]]
name = "utf8_iter"
version = "1.0.4"
@ -6414,7 +6404,7 @@ version = "1.16.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "458f7a779bf54acc9f347480ac654f68407d3aab21269a6e3c9f922acd9e2da9"
dependencies = [
"getrandom 0.3.2",
"getrandom 0.3.3",
"serde",
]
@ -6707,9 +6697,18 @@ dependencies = [
[[package]]
name = "webpki-roots"
version = "0.26.10"
version = "0.26.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "37493cadf42a2a939ed404698ded7fb378bf301b5011f973361779a3a74f8c93"
checksum = "521bc38abb08001b01866da9f51eb7c5d647a19260e00054a8c7fd5f9e57f7a9"
dependencies = [
"webpki-roots 1.0.0",
]
[[package]]
name = "webpki-roots"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2853738d1cc4f2da3a225c18ec6c3721abb31961096e9dbf5ab35fa88b19cfdb"
dependencies = [
"rustls-pki-types",
]
@ -7133,9 +7132,9 @@ dependencies = [
[[package]]
name = "winnow"
version = "0.7.9"
version = "0.7.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d9fb597c990f03753e08d3c29efbfcf2019a003b4bf4ba19225c158e1549f0f3"
checksum = "c06928c8748d81b05c9be96aad92e1b6ff01833332f281e8cfca3be4b35fc9ec"
dependencies = [
"memchr",
]
@ -7159,17 +7158,11 @@ dependencies = [
"bitflags 2.9.0",
]
[[package]]
name = "write16"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d1890f4022759daae28ed4fe62859b1236caebfc61ede2f63ed4e695f3f6d936"
[[package]]
name = "writeable"
version = "0.5.5"
version = "0.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1e9df38ee2d2c3c5948ea468a8406ff0db0b29ae1ffde1bcf20ef305bcc95c51"
checksum = "ea2f10b9bb0928dfb1b42b65e1f9e36f7f54dbdf08457afefb38afcdec4fa2bb"
[[package]]
name = "x509-cert"
@ -7202,9 +7195,9 @@ dependencies = [
[[package]]
name = "yoke"
version = "0.7.5"
version = "0.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "120e6aef9aa629e3d4f52dc8cc43a015c7724194c97dfaf45180d2daf2b77f40"
checksum = "5f41bb01b8226ef4bfd589436a297c53d118f65921786300e427be8d487695cc"
dependencies = [
"serde",
"stable_deref_trait",
@ -7214,9 +7207,9 @@ dependencies = [
[[package]]
name = "yoke-derive"
version = "0.7.5"
version = "0.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2380878cad4ac9aac1e2435f3eb4020e8374b5f13c296cb75b4620ff8e229154"
checksum = "38da3c9736e16c5d3c8c597a9aaa5d1fa565d0532ae05e27c24aa62fb32c0ab6"
dependencies = [
"proc-macro2",
"quote",
@ -7224,33 +7217,13 @@ dependencies = [
"synstructure",
]
[[package]]
name = "zerocopy"
version = "0.7.35"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1b9b4fd18abc82b8136838da5d50bae7bdea537c574d8dc1a34ed098d6c166f0"
dependencies = [
"zerocopy-derive 0.7.35",
]
[[package]]
name = "zerocopy"
version = "0.8.25"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a1702d9583232ddb9174e01bb7c15a2ab8fb1bc6f227aa1233858c351a3ba0cb"
dependencies = [
"zerocopy-derive 0.8.25",
]
[[package]]
name = "zerocopy-derive"
version = "0.7.35"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fa4f8080344d4671fb4e831a13ad1e68092748387dfc4f55e356242fae12ce3e"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.101",
"zerocopy-derive",
]
[[package]]
@ -7306,10 +7279,21 @@ dependencies = [
]
[[package]]
name = "zerovec"
version = "0.10.4"
name = "zerotrie"
version = "0.2.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "aa2b893d79df23bfb12d5461018d408ea19dfafe76c2c7ef6d4eba614f8ff079"
checksum = "36f0bbd478583f79edad978b407914f61b2972f5af6fa089686016be8f9af595"
dependencies = [
"displaydoc",
"yoke",
"zerofrom",
]
[[package]]
name = "zerovec"
version = "0.11.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4a05eb080e015ba39cc9e23bbe5e7fb04d5fb040350f99f34e338d5fdd294428"
dependencies = [
"yoke",
"zerofrom",
@ -7318,9 +7302,9 @@ dependencies = [
[[package]]
name = "zerovec-derive"
version = "0.10.3"
version = "0.11.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6eafa6dfb17584ea3e2bd6e76e0cc15ad7af12b09abdd1ca55961bed9b1063c6"
checksum = "5b96237efa0c878c64bd89c436f661be4e46b2f3eff1ebb976f7ef2321d2f58f"
dependencies = [
"proc-macro2",
"quote",

3
Cargo.toml
View file

@ -121,7 +121,7 @@ codegen-units = 256
# For BSD nss support
libnss = { git = "https://github.com/Firstyear/libnss-rs.git", branch = "20250207-freebsd" }
# Allow ssh keys to have comments with spaces.
sshkeys = { git = "https://github.com/Firstyear/rust-sshkeys.git", rev = "3a081cbf7480628223bcb96fc8aaa8c19109d007" }
sshkeys = { git = "https://github.com/Firstyear/rust-sshkeys.git", rev = "49cb53232115d3aea86cd059b151e376293805fc" }
# Branch currently carrying some needed rs256 signer patches for jwk handling,
# as main is currently working to drop openssl and may need more work before
# we commit to that change here.
@ -166,6 +166,7 @@ base64 = "^0.22.1"
base64urlsafedata = "0.5.1"
bitflags = "^2.8.0"
bytes = "^1.9.0"
cidr = "0.3.1"
clap = { version = "4.5.38", features = ["derive", "env"] }
clap_complete = "^4.5.50"
# Forced by saffron/cron

26
Makefile
View file

@ -170,7 +170,7 @@ codespell:
codespell -c \
-D .codespell_dictionary \
--ignore-words .codespell_ignore \
--skip='./target,./pykanidm/.venv,./pykanidm/.mypy_cache,./.mypy_cache,./pykanidm/poetry.lock' \
--skip='./target,./pykanidm/.venv,./pykanidm/.mypy_cache,./.mypy_cache,./pykanidm/uv.lock' \
--skip='./book/*.js' \
--skip='./book/book/*' \
--skip='./book/src/images/*' \
@ -184,21 +184,17 @@ codespell:
.PHONY: test/pykanidm/pytest
test/pykanidm/pytest: ## python library testing
cd pykanidm && \
poetry install && \
poetry run pytest -vv
uv run pytest -vv
.PHONY: test/pykanidm/lint
test/pykanidm/lint: ## python library linting
cd pykanidm && \
poetry install && \
poetry run ruff check tests kanidm
uv run ruff check tests kanidm
.PHONY: test/pykanidm/mypy
test/pykanidm/mypy: ## python library type checking
cd pykanidm && \
poetry install && \
echo "Running mypy" && \
poetry run mypy --strict tests kanidm
uv run mypy --strict tests kanidm
.PHONY: test/pykanidm
test/pykanidm: ## run the kanidm python module test suite (mypy/lint/pytest)
@ -261,15 +257,13 @@ clean_book:
docs/pykanidm/build: ## Build the mkdocs
docs/pykanidm/build:
cd pykanidm && \
poetry install && \
poetry run mkdocs build
uv run --group docs mkdocs build
.PHONY: docs/pykanidm/serve
docs/pykanidm/serve: ## Run the local mkdocs server
docs/pykanidm/serve:
cd pykanidm && \
poetry install && \
poetry run mkdocs serve
uv run --group docs mkdocs serve
########################################################################
@ -368,3 +362,11 @@ publish:
cargo publish -p kanidm_client
cargo publish -p kanidm_tools
.PHONY: rust_container
rust_container: # Build and run a container based on the Linux rust base container, with our requirements included
rust_container:
docker build --pull -t kanidm_rust -f scripts/Dockerfile.devcontainer .
docker run \
--rm -it \
--name kanidm \
--mount type=bind,source=$(PWD),target=/kanidm -w /kanidm kanidm_rust:latest

6
book/src/developers/python_module.md
View file

@ -11,13 +11,13 @@ So far it includes:
TODO: a lot of things.
## Setting up your dev environment.
## Setting up your dev environment
Setting up a dev environment can be a little complex because of the mono-repo.
1. Install poetry: `python -m pip install poetry`. This is what we use to manage the packages, and
1. Install uv: `python -m pip install uv`. This is what we use to manage the packages, and
allows you to set up virtual python environments easier.
2. Build the base environment. From within the `pykanidm` directory, run: `poetry install` This'll
2. Build the base environment. From within the `pykanidm` directory, run: `uv sync` This'll
set up a virtual environment and install all the required packages (and development-related ones)
3. Start editing!

6
book/src/developers/radius_module_development.md
View file

@ -2,10 +2,10 @@
Setting up a dev environment has some extra complexity due to the mono-repo design.
1. Install poetry: `python -m pip install poetry`. This is what we use to manage the packages, and
1. Install uv: `python -m pip install uv`. This is what we use to manage the packages, and
allows you to set up virtual python environments easier.
2. Build the base environment. From within the kanidm_rlm_python directory, run: `poetry install`
3. Install the `kanidm` python library: `poetry run python -m pip install ../pykanidm`
2. Build the base environment. From within the kanidm_rlm_python directory, run: `uv sync`
3. Install the `kanidm` python library: `uv run python -m pip install ../pykanidm`
4. Start editing!
Most IDEs will be happier if you open the `kanidm_rlm_python` or `pykanidm` directories as the base

18
examples/server.toml
View file

@ -82,25 +82,25 @@ origin = "https://idm.example.com:8443"
# will often add a header such as "Forwarded" or
# "X-Forwarded-For". Some other proxies can use the PROXY
# protocol v2 header.
# This setting allows configuration of the range of trusted
# IPs which can supply this header information, and which
# format the information is provided in.
# This setting allows configuration of the list of trusted
# IPs or IP ranges which can supply this header information,
# and which format the information is provided in.
# Defaults to "none" (no trusted sources)
# Only one option can be used at a time.
# [http_client_address_info]
# proxy-v2 = ["127.0.0.1"]
# proxy-v2 = ["127.0.0.1", "127.0.0.0/8"]
# # OR
# x-forward-for = ["127.0.0.1"]
# x-forward-for = ["127.0.0.1", "127.0.0.0/8"]
# LDAPS requests can be reverse proxied by a loadbalancer.
# To preserve the original IP of the caller, these systems
# can add a header such as the PROXY protocol v2 header.
# This setting allows configuration of the range of trusted
# IPs which can supply this header information, and which
# format the information is provided in.
# This setting allows configuration of the list of trusted
# IPs or IP ranges which can supply this header information,
# and which format the information is provided in.
# Defaults to "none" (no trusted sources)
# [ldap_client_address_info]
# proxy-v2 = ["127.0.0.1"]
# proxy-v2 = ["127.0.0.1", "127.0.0.0/8"]
[online_backup]
# The path to the output folder for online backups

18
examples/server_container.toml
View file

@ -81,25 +81,25 @@ origin = "https://idm.example.com:8443"
# will often add a header such as "Forwarded" or
# "X-Forwarded-For". Some other proxies can use the PROXY
# protocol v2 header.
# This setting allows configuration of the range of trusted
# IPs which can supply this header information, and which
# format the information is provided in.
# This setting allows configuration of the list of trusted
# IPs or IP ranges which can supply this header information,
# and which format the information is provided in.
# Defaults to "none" (no trusted sources)
# Only one option can be used at a time.
# [http_client_address_info]
# proxy-v2 = ["127.0.0.1"]
# proxy-v2 = ["127.0.0.1", "127.0.0.0/8"]
# # OR
# x-forward-for = ["127.0.0.1"]
# x-forward-for = ["127.0.0.1", "127.0.0.0/8"]
# LDAPS requests can be reverse proxied by a loadbalancer.
# To preserve the original IP of the caller, these systems
# can add a header such as the PROXY protocol v2 header.
# This setting allows configuration of the range of trusted
# IPs which can supply this header information, and which
# format the information is provided in.
# This setting allows configuration of the list of trusted
# IPs or IP ranges which can supply this header information,
# and which format the information is provided in.
# Defaults to "none" (no trusted sources)
# [ldap_client_address_info]
# proxy-v2 = ["127.0.0.1"]
# proxy-v2 = ["127.0.0.1", "127.0.0.0/8"]
[online_backup]
# The path to the output folder for online backups

19
libs/client/src/application.rs Normal file
View file

@ -0,0 +1,19 @@
use crate::{ClientError, KanidmClient};
use kanidm_proto::scim_v1::client::{ScimEntryApplication, ScimEntryApplicationPost};
impl KanidmClient {
/// Delete an application
pub async fn idm_application_delete(&self, id: &str) -> Result<(), ClientError> {
self.perform_delete_request(format!("/scim/v1/Application/{}", id).as_str())
.await
}
/// Create an application
pub async fn idm_application_create(
&self,
application: &ScimEntryApplicationPost,
) -> Result<ScimEntryApplication, ClientError> {
self.perform_post_request("/scim/v1/Application", application)
.await
}
}

1
libs/client/src/lib.rs
View file

@ -50,6 +50,7 @@ use webauthn_rs_proto::{
PublicKeyCredential, RegisterPublicKeyCredential, RequestChallengeResponse,
};
mod application;
mod domain;
mod group;
mod oauth;

2
libs/client/src/scim.rs
View file

@ -2,12 +2,10 @@ use crate::{ClientError, KanidmClient};
use kanidm_proto::scim_v1::{ScimEntryGeneric, ScimEntryGetQuery, ScimSyncRequest, ScimSyncState};
impl KanidmClient {
// TODO: testing for this
pub async fn scim_v1_sync_status(&self) -> Result<ScimSyncState, ClientError> {
self.perform_get_request("/scim/v1/Sync").await
}
// TODO: testing for this
pub async fn scim_v1_sync_update(
&self,
scim_sync_request: &ScimSyncRequest,

25
libs/crypto/src/lib.rs
View file

@ -52,7 +52,6 @@ const PBKDF2_KEY_LEN: usize = 32;
const PBKDF2_MIN_NIST_KEY_LEN: usize = 32;
const PBKDF2_SHA1_MIN_KEY_LEN: usize = 19;
const DS_SHA_SALT_LEN: usize = 8;
const DS_SHA1_HASH_LEN: usize = 20;
const DS_SHA256_HASH_LEN: usize = 32;
const DS_SHA512_HASH_LEN: usize = 64;
@ -618,10 +617,8 @@ impl TryFrom<&str> for Password {
.or_else(|| value.strip_prefix("{ssha}"))
{
let sh = general_purpose::STANDARD.decode(ds_ssha1).map_err(|_| ())?;
let (h, s) = sh.split_at(DS_SHA1_HASH_LEN);
if s.len() != DS_SHA_SALT_LEN {
return Err(());
}
let (h, s) = sh.split_at_checked(DS_SHA1_HASH_LEN).ok_or(())?;
return Ok(Password {
material: Kdf::SSHA1(s.to_vec(), h.to_vec()),
});
@ -649,10 +646,8 @@ impl TryFrom<&str> for Password {
let sh = general_purpose::STANDARD
.decode(ds_ssha256)
.map_err(|_| ())?;
let (h, s) = sh.split_at(DS_SHA256_HASH_LEN);
if s.len() != DS_SHA_SALT_LEN {
return Err(());
}
let (h, s) = sh.split_at_checked(DS_SHA256_HASH_LEN).ok_or(())?;
return Ok(Password {
material: Kdf::SSHA256(s.to_vec(), h.to_vec()),
});
@ -680,10 +675,8 @@ impl TryFrom<&str> for Password {
let sh = general_purpose::STANDARD
.decode(ds_ssha512)
.map_err(|_| ())?;
let (h, s) = sh.split_at(DS_SHA512_HASH_LEN);
if s.len() != DS_SHA_SALT_LEN {
return Err(());
}
let (h, s) = sh.split_at_checked(DS_SHA512_HASH_LEN).ok_or(())?;
return Ok(Password {
material: Kdf::SSHA512(s.to_vec(), h.to_vec()),
});
@ -1404,9 +1397,15 @@ mod tests {
#[test]
fn test_password_from_ds_ssha512() {
// from #3615
let im_pw = "{SSHA512}SvpKVQPfDUw7DbVFLVdhFUj33qx2zwkCNyfdRUEvYTloJt15HDVfhHzx6HLaKFUPBOCa/6D8lDnrybYzW+xSQC2GXBvYpn3ScVEcC+oH20I=";
let _r = Password::try_from(im_pw).expect("Failed to parse");
// Valid hash to import
let im_pw = "{SSHA512}JwrSUHkI7FTAfHRVR6KoFlSN0E3dmaQWARjZ+/UsShYlENOqDtFVU77HJLLrY2MuSp0jve52+pwtdVl2QUAHukQ0XUf5LDtM";
let _r = Password::try_from(im_pw).expect("Failed to parse");
// allow lower case of the hash type
let im_pw = "{ssha512}JwrSUHkI7FTAfHRVR6KoFlSN0E3dmaQWARjZ+/UsShYlENOqDtFVU77HJLLrY2MuSp0jve52+pwtdVl2QUAHukQ0XUf5LDtM";
let password = "password";
let r = Password::try_from(im_pw).expect("Failed to parse");

3
proto/src/attribute.rs
View file

@ -32,6 +32,7 @@ pub enum Attribute {
AcpTargetScope,
ApiTokenSession,
ApplicationPassword,
ApplicationUrl,
AttestedPasskeys,
#[default]
Attr,
@ -268,6 +269,7 @@ impl Attribute {
Attribute::AcpTargetScope => ATTR_ACP_TARGET_SCOPE,
Attribute::ApiTokenSession => ATTR_API_TOKEN_SESSION,
Attribute::ApplicationPassword => ATTR_APPLICATION_PASSWORD,
Attribute::ApplicationUrl => ATTR_APPLICATION_URL,
Attribute::AttestedPasskeys => ATTR_ATTESTED_PASSKEYS,
Attribute::Attr => ATTR_ATTR,
Attribute::AttributeName => ATTR_ATTRIBUTENAME,
@ -456,6 +458,7 @@ impl Attribute {
ATTR_ACP_TARGET_SCOPE => Attribute::AcpTargetScope,
ATTR_API_TOKEN_SESSION => Attribute::ApiTokenSession,
ATTR_APPLICATION_PASSWORD => Attribute::ApplicationPassword,
ATTR_APPLICATION_URL => Attribute::ApplicationUrl,
ATTR_ATTESTED_PASSKEYS => Attribute::AttestedPasskeys,
ATTR_ATTR => Attribute::Attr,
ATTR_ATTRIBUTENAME => Attribute::AttributeName,

1
proto/src/constants.rs
View file

@ -72,6 +72,7 @@ pub const ATTR_ACP_SEARCH_ATTR: &str = "acp_search_attr";
pub const ATTR_ACP_TARGET_SCOPE: &str = "acp_targetscope";
pub const ATTR_API_TOKEN_SESSION: &str = "api_token_session";
pub const ATTR_APPLICATION_PASSWORD: &str = "application_password";
pub const ATTR_APPLICATION_URL: &str = "application_url";
pub const ATTR_ATTESTED_PASSKEYS: &str = "attested_passkeys";
pub const ATTR_ATTR: &str = "attr";
pub const ATTR_ATTRIBUTENAME: &str = "attributename";

4
proto/src/internal/error.rs
View file

@ -213,6 +213,8 @@ pub enum OperationError {
SC0024SshPublicKeySyntaxInvalid,
SC0025UiHintSyntaxInvalid,
SC0026Utf8SyntaxInvalid,
SC0027ClassSetInvalid,
SC0028CreatedUuidsInvalid,
// Migration
MG0001InvalidReMigrationLevel,
MG0002RaiseDomainLevelExceedsMaximum,
@ -531,6 +533,8 @@ impl OperationError {
Self::SC0024SshPublicKeySyntaxInvalid => Some("A SCIM Ssh Public Key contained invalid syntax".into()),
Self::SC0025UiHintSyntaxInvalid => Some("A SCIM UiHint contained invalid syntax".into()),
Self::SC0026Utf8SyntaxInvalid => Some("A SCIM Utf8 String Scope Map contained invalid syntax".into()),
Self::SC0027ClassSetInvalid => Some("The internal set of class templates used in this create operation was invalid. THIS IS A BUG.".into()),
Self::SC0028CreatedUuidsInvalid => Some("The internal create query did not return the set of created UUIDs. THIS IS A BUG".into()),
Self::UI0001ChallengeSerialisation => Some("The WebAuthn challenge was unable to be serialised.".into()),
Self::UI0002InvalidState => Some("The credential update process returned an invalid state transition.".into()),

45
proto/src/scim_v1/client.rs
View file

@ -2,6 +2,7 @@
use super::ScimEntryGetQuery;
use super::ScimOauth2ClaimMapJoinChar;
use crate::attribute::{Attribute, SubAttribute};
use scim_proto::ScimEntryHeader;
use serde::{Deserialize, Serialize};
use serde_json::Value as JsonValue;
use serde_with::formats::PreferMany;
@ -31,6 +32,18 @@ pub struct ScimReference {
pub value: Option<String>,
}
impl<T> From<T> for ScimReference
where
T: AsRef<str>,
{
fn from(value: T) -> Self {
ScimReference {
uuid: None,
value: Some(value.as_ref().to_string()),
}
}
}
pub type ScimReferences = Vec<ScimReference>;
#[serde_as]
@ -79,6 +92,31 @@ pub struct ScimOAuth2ScopeMap {
pub scopes: BTreeSet<String>,
}
#[serde_as]
#[derive(Serialize, Debug, Clone)]
#[serde(rename_all = "snake_case")]
pub struct ScimEntryApplicationPost {
pub name: String,
pub displayname: String,
pub linked_group: ScimReference,
}
#[serde_as]
#[derive(Deserialize, Debug, Clone)]
#[serde(rename_all = "snake_case")]
pub struct ScimEntryApplication {
#[serde(flatten)]
pub header: ScimEntryHeader,
pub name: String,
pub displayname: String,
pub linked_group: Vec<super::ScimReference>,
#[serde(flatten)]
pub attrs: BTreeMap<Attribute, JsonValue>,
}
#[derive(Serialize, Debug, Clone)]
pub struct ScimEntryPutKanidm {
pub id: Uuid,
@ -90,6 +128,13 @@ pub struct ScimEntryPutKanidm {
#[derive(Deserialize, Serialize, Debug, Clone)]
pub struct ScimStrings(#[serde_as(as = "OneOrMany<_, PreferMany>")] pub Vec<String>);
#[derive(Debug, Clone, Deserialize, Default)]
pub struct ScimEntryPostGeneric {
/// Create an attribute to contain the following value state.
#[serde(flatten)]
pub attrs: BTreeMap<Attribute, JsonValue>,
}
#[derive(Debug, Clone, Deserialize, Default)]
pub struct ScimEntryPutGeneric {
// id is only used to target the entry in question

13
proto/src/scim_v1/mod.rs
View file

@ -18,13 +18,13 @@
use crate::attribute::Attribute;
use serde::{Deserialize, Serialize};
use serde_with::formats::CommaSeparator;
use serde_with::{serde_as, skip_serializing_none, StringWithSeparator};
use sshkey_attest::proto::PublicKey as SshPublicKey;
use std::collections::BTreeMap;
use std::ops::Not;
use utoipa::ToSchema;
use serde_with::formats::CommaSeparator;
use serde_with::{serde_as, skip_serializing_none, StringWithSeparator};
use uuid::Uuid;
pub use self::synch::*;
pub use scim_proto::prelude::*;
@ -86,6 +86,13 @@ pub struct ScimSshPublicKey {
pub value: SshPublicKey,
}
#[derive(Deserialize, Serialize, Debug, Clone, PartialEq, Eq, ToSchema)]
#[serde(rename_all = "camelCase")]
pub struct ScimReference {
pub uuid: Uuid,
pub value: String,
}
#[derive(Deserialize, Serialize, Debug, Clone, ToSchema)]
pub enum ScimOauth2ClaimMapJoinChar {
#[serde(rename = ",", alias = "csv")]

7
pykanidm/README.md
View file

@ -15,14 +15,14 @@ python -m pip install kanidm
Documentation can be generated by [cloning the repository](https://github.com/kanidm/kanidm) and
running `make docs/pykanidm/build`. The documentation will appear in `./pykanidm/site`. You'll need
make and the [poetry](https://pypi.org/project/poetry/) package installed.
make and the [uv](https://pypi.org/project/uv/) package installed.
## Testing
Set up your dev environment using `poetry` - `python -m pip install poetry && poetry install`.
Set up your dev environment using `uv` - `python -m pip install uv && uv sync`.
Pytest it used for testing, if you don't have a live server to test against and config set up, use
`poetry run pytest -m 'not network'`.
`uv run pytest -m 'not network'`.
## Changelog
@ -31,3 +31,4 @@ Pytest it used for testing, if you don't have a live server to test against and
| 0.0.1 | 2022-08-16 | Initial release |
| 0.0.2 | 2022-08-16 | Updated license, including test code in package |
| 0.0.3 | 2022-08-17 | Updated test suite to allow skipping of network tests |
| 1.2.0 | 2025-05-13 | Replaced poetry with uv for packaging |

9
pykanidm/kanidm/__init__.py
View file

@ -12,6 +12,7 @@ import ssl
from typing import Any, Dict, List, Optional, Tuple, Union
import aiohttp
import aiohttp.client
from pydantic import ValidationError
import yarl
@ -528,7 +529,7 @@ class KanidmClient:
response: ClientResponse[IOauth2Rs] = await self.call_get(endpoint)
if response.status_code != 200 or response.data is None:
raise ValueError(f"Failed to get oauth2 resource server: {response.content}")
return RawOAuth2Rs(**response.data).as_oauth2_rs
return RawOAuth2Rs.model_validate(response.data).as_oauth2_rs
async def oauth2_rs_secret_get(self, rs_name: str) -> str:
"""get an OAuth2 client secret"""
@ -588,7 +589,7 @@ class KanidmClient:
response: ClientResponse[IServiceAccount] = await self.call_get(endpoint)
if response.status_code != 200 or response.data is None:
raise ValueError(f"Failed to get service account: {response.content}")
return RawServiceAccount(**response.data).as_service_account
return RawServiceAccount.model_validate(response.data).as_service_account
async def service_account_create(self, name: str, displayname: str) -> ClientResponse[None]:
"""Create a service account"""
@ -675,7 +676,7 @@ class KanidmClient:
response: ClientResponse[IGroup] = await self.call_get(endpoint)
if response.status_code != 200 or response.data is None:
raise ValueError(f"Failed to get group: {response.content}")
return RawGroup(**response.data).as_group
return RawGroup.model_validate(response.data).as_group
async def group_create(self, name: str) -> ClientResponse[None]:
"""Create a group"""
@ -720,7 +721,7 @@ class KanidmClient:
response: ClientResponse[IPerson] = await self.call_get(endpoint)
if response.status_code != 200 or response.data is None:
raise ValueError(f"Failed to get person: {response.content}")
return RawPerson(**response.data).as_person
return RawPerson.model_validate(response.data).as_person
async def person_account_create(self, name: str, displayname: str) -> ClientResponse[None]:
"""Create a person account"""

14
pykanidm/kanidm/radius/__init__.py
View file

@ -49,13 +49,13 @@ def instantiate(_: Any) -> Any:
if config_path is None:
logging.error("Failed to find configuration file, checked (%s), quitting!", CONFIG_PATHS)
sys.exit(1)
kanidm_client = KanidmClient(config_file=config_path)
if kanidm_client.config.auth_token is None:
logging.error("You need to specify auth_token in the configuration file!")
sys.exit(1)
os.environ["KANIDM_CONFIG_FILE"] = config_path.as_posix()
logging.info("Config file: %s", config_path.as_posix())
else:
kanidm_client = KanidmClient(config_file=config_path)
if kanidm_client.config.auth_token is None:
logging.error("You need to specify auth_token in the configuration file!")
sys.exit(1)
os.environ["KANIDM_CONFIG_FILE"] = config_path.as_posix()
logging.info("Config file: %s", os.environ["KANIDM_CONFIG_FILE"])
return radiusd.RLM_MODULE_OK

2409
pykanidm/poetry.lock generated
View file

File diff suppressed because it is too large Load diff

92
pykanidm/pyproject.toml
View file

@ -1,18 +1,21 @@
[tool.poetry]
[project]
authors = [{ name = "James Hodgkinson", email = "james@terminaloutcomes.com" }]
license = { text = "MPL-2.0" }
requires-python = "<4.0,>=3.9"
dependencies = [
"toml>=0.10.2",
"pydantic>=2.0.0",
"aiohttp>=3.8.1",
"Authlib>=1.2.0",
]
name = "kanidm"
version = "1.0.1"
description = "Kanidm client library"
license = "MPL-2.0"
authors = ["James Hodgkinson <james@terminaloutcomes.com>"]
version = "1.2.0"
readme = "README.md"
repository = "https://github.com/kanidm/kanidm"
homepage = "https://kanidm.com/"
packages = [{ include = "kanidm" }]
keywords = ["kanidm", "idm", "api"]
classifiers = [
"Development Status :: 3 - Alpha",
"Programming Language :: Python :: 3",
@ -20,40 +23,47 @@ classifiers = [
"Programming Language :: Python :: 3.10",
"Operating System :: OS Independent",
]
[tool.poetry.dependencies]
python = "^3.9"
toml = "^0.10.2"
pydantic = ">=2.0.0,<3.0.0"
aiohttp = "^3.8.1"
Authlib = "^1.2.0"
[project.urls]
homepage = "https://kanidm.com/"
repository = "https://github.com/kanidm/kanidm"
[tool.poetry.group.dev.dependencies]
ruff = ">=0.5.1,<0.11.10"
pytest = "^8.3.4"
mypy = "^1.14.1"
types-requests = "^2.32.0.20241016"
pytest-aiohttp = "^1.1.0"
pytest-mock = "^3.14.0"
types-toml = "^0.10.8.20240310"
pylint-pydantic = "^0.3.5"
coverage = "^7.6.10"
mkdocs = "^1.6.1"
mkdocs-material = "^9.6.1"
mkdocstrings = ">=0.27,<0.30"
mkdocstrings-python = "^1.13.0"
pook = "^2.1.3"
[dependency-groups]
dev = [
"ruff>=0.5.1",
"pytest>=8.3.4",
"mypy>=1.14.1,<2.0.0",
"types-requests>=2.32.0.20241016",
"pytest-aiohttp>=1.1.0",
"pytest-mock>=3.14.0",
"types-toml>=0.10.8.20240310",
"pylint-pydantic>=0.3.5",
"coverage>=7.6.10",
"pook>=2.1.3",
"ty>=0.0.0a8",
]
docs = [
"mkdocs>=1.6.1",
"mkdocs-material>=9.6.13",
"mkdocstrings>=0.29.1",
"mkdocstrings-python>=1.16.10",
]
[build-system]
requires = ["poetry-core>=1.0.0"]
build-backend = "poetry.core.masonry.api"
requires = ["pdm-backend"]
build-backend = "pdm.backend"
[tool.pylint.MASTER]
max-line-length = 150
disable = "W0511,raise-missing-from"
extension-pkg-allow-list = "pydantic"
# https://github.com/samuelcolvin/pydantic/issues/1961#issuecomment-759522422
load-plugins = "pylint_pydantic,pylint_pytest"
[tool.pdm.build]
includes = ["kanidm"]
# [tool.pylint.MASTER]
# max-line-length = 150
# disable = "W0511,raise-missing-from"
# extension-pkg-allow-list = "pydantic"
# # https://github.com/samuelcolvin/pydantic/issues/1961#issuecomment-759522422
# load-plugins = "pylint_pydantic,pylint_pytest"
[tool.ruff]
line-length = 150
@ -64,9 +74,9 @@ line-length = 150
"F811", # pytest fixtures
]
[tool.pytest.ini_options]
asyncio_mode = "auto"
asyncio_default_fixture_loop_scope = "function"
markers = [
"network: Tests that require network access and a working backend server",
"interactive: Requires specific config and a working backend server",
@ -77,4 +87,6 @@ source = ["kanidm"]
omit = ["tests"]
[tool.mypy]
strict = true
plugins = "pydantic.mypy"
disable_error_code = "unused-ignore"

4
pykanidm/run_coverage.sh
View file

@ -1,5 +1,5 @@
#!/bin/bash
poetry run coverage run -m pytest -vvx && \
poetry run coverage html
uv run coverage run -m pytest -vvx && \
uv run coverage html

0
pykanidm/tests/__init__.py Normal file
View file

26
pykanidm/tests/test_authenticate.py
View file

@ -7,7 +7,7 @@ import pytest
from pytest_mock import MockerFixture
# pylint: disable=unused-import
from testutils import client, client_configfile, MockResponse
from .testutils import client, client_configfile, MockResponse
from kanidm import KanidmClient
from kanidm.exceptions import AuthCredFailed, AuthInitFailed
@ -25,9 +25,11 @@ async def test_auth_init(client_configfile: KanidmClient) -> None:
print("Starting client...")
print(f"Doing auth_init for {client_configfile.config.username}")
if client_configfile.config.username is None:
pytest.skip("Can't run auth test without a username/password")
result = await client_configfile.auth_init(client_configfile.config.username)
username = client_configfile.config.username
if username is None:
raise pytest.skip("Can't run auth test without a username/password") # type: ignore[call-non-callable]
result = await client_configfile.auth_init(username)
print(f"{result=}")
print(result.model_dump_json())
assert result.sessionid
@ -39,9 +41,11 @@ async def test_auth_begin(client_configfile: KanidmClient) -> None:
"""tests the auth begin step"""
print(f"Doing auth_init for {client_configfile.config.username}")
if client_configfile.config.username is None:
pytest.skip("Can't run auth test without a username/password")
result = await client_configfile.auth_init(client_configfile.config.username)
username = client_configfile.config.username
if username is None:
raise pytest.skip("Can't run auth test without a username/password") # type: ignore[call-non-callable]
result = await client_configfile.auth_init(username)
print(f"{result=}")
print("Result dict:")
print(result.model_dump_json())
@ -60,7 +64,7 @@ async def test_auth_begin(client_configfile: KanidmClient) -> None:
retval = begin_result.data
if retval is None:
raise pytest.fail("Failed to do begin_result")
raise pytest.fail("Failed to do begin_result") # type: ignore[call-non-callable]
retval["response"] = begin_result.model_dump()
@ -72,7 +76,7 @@ async def test_auth_begin(client_configfile: KanidmClient) -> None:
async def test_authenticate_flow(client_configfile: KanidmClient) -> None:
"""tests the authenticate() flow"""
if client_configfile.config.username is None or client_configfile.config.password is None:
pytest.skip("Can't run this without a username and password set in the config file")
pytest.skip("Can't run this without a username and password set in the config file") # type: ignore[call-non-callable]
client_configfile.config.auth_token = None
print(f"Doing client.authenticate for {client_configfile.config.username}")
@ -96,10 +100,10 @@ async def test_authenticate_anonymous(client_configfile: KanidmClient) -> None:
async def test_authenticate_flow_fail(client_configfile: KanidmClient) -> None:
"""tests the authenticate() flow with a valid (hopefully) username and invalid password"""
if not bool(os.getenv("RUN_SCARY_TESTS", None)):
pytest.skip(reason="Skipping because env var RUN_SCARY_TESTS isn't set")
pytest.skip("Skipping because env var RUN_SCARY_TESTS isn't set") # type: ignore[call-non-callable]
print("Starting client...")
if client_configfile.config.uri is None or client_configfile.config.username is None or client_configfile.config.password is None:
pytest.skip("Please ensure you have a username, password and uri in the config")
pytest.skip("Please ensure you have a username, password and uri in the config") # type: ignore[call-non-callable]
print(f"Doing client.authenticate for {client_configfile.config.username}")
client_configfile.config.auth_token = None

3
pykanidm/tests/test_config_loader.py
View file

@ -27,8 +27,7 @@ async def client() -> KanidmClient:
def test_load_config_file() -> None:
"""tests that the file loads"""
if not Path(EXAMPLE_CONFIG_FILE).expanduser().resolve().exists():
print("Can't find client config file", file=sys.stderr)
pytest.skip()
pytest.skip(f"Can't find client config file {EXAMPLE_CONFIG_FILE}") # type: ignore[call-non-callable]
print("Loading config file")
config = load_config(EXAMPLE_CONFIG_FILE)
assert config.get("uri") == "https://localhost:8443"

2
pykanidm/tests/test_jwt.py
View file

@ -69,7 +69,7 @@ def test_tokenstuff() -> None:
info = token_store.token_info("idm_admin")
print(f"Parsed token: {info}")
if info is None:
pytest.skip()
pytest.skip("No token!") # type: ignore[call-non-callable]
print(info.expiry_datetime)
assert (
datetime(

4
pykanidm/tests/test_oauth2.py
View file

@ -16,7 +16,7 @@ async def client() -> KanidmClient:
config_file=Path(__file__).parent.parent.parent / "examples/config_localhost",
)
except FileNotFoundError as error:
raise pytest.skip(f"File not found: {error}")
pytest.skip(f"File not found: {error}") # type: ignore[call-non-callable]
return client
@ -32,7 +32,7 @@ async def test_oauth2_rs_list(client: KanidmClient) -> None:
password = os.getenv("KANIDM_PASSWORD")
if password is None:
print("No KANIDM_PASSWORD env var set for testing")
raise pytest.skip("No KANIDM_PASSWORD env var set for testing")
pytest.skip("No KANIDM_PASSWORD env var set for testing") # type: ignore[call-non-callable]
auth_resp = await client.authenticate_password(username, password, update_internal_auth_token=True)
if auth_resp.state is None:

4
pykanidm/tests/test_radius_token.py
View file

@ -6,7 +6,7 @@ import logging
import pytest
# pylint: disable=unused-import
from testutils import client, client_configfile
from .testutils import client, client_configfile
from kanidm import KanidmClient
logging.basicConfig(level=logging.DEBUG)
@ -21,7 +21,7 @@ async def test_radius_call(client_configfile: KanidmClient) -> None:
print("Doing auth_init using token")
if client_configfile.config.auth_token is None:
pytest.skip("You can't test auth if you don't have an auth_token in ~/.config/kanidm")
pytest.skip("You can't test auth if you don't have an auth_token in ~/.config/kanidm") # type: ignore[call-non-callable]
result = await client_configfile.get_radius_token(RADIUS_TEST_USER)
print(f"{result=}")

2
pykanidm/tests/test_session_header.py
View file

@ -3,7 +3,7 @@
import pytest
import aiohttp.client_exceptions
from testutils import client
from .testutils import client
from kanidm import KanidmClient

2
pykanidm/tests/test_ssl_ca.py
View file

@ -187,7 +187,7 @@ async def test_ssl_untrusted_root_configured() -> None:
testcert = Path("./tests/badssl_trusted_ca.pem").resolve()
if not testcert.exists():
pytest.skip(f"The trusted cert is missing from {testcert}")
pytest.skip(f"The trusted cert is missing from {testcert}") # type: ignore[call-non-callable]
client = KanidmClient(
uri="https://untrusted-root.badssl.com/",

10
pykanidm/tests/testutils.py
View file

@ -2,30 +2,30 @@
from logging import DEBUG, basicConfig, getLogger
from pathlib import Path
from typing import Any
from typing import Any, Optional
import pytest
from kanidm import KanidmClient
@pytest.fixture(scope="function")
async def client() -> KanidmClient:
async def client() -> Optional[KanidmClient]:
"""sets up a client with a basic thing"""
try:
basicConfig(level=DEBUG)
return KanidmClient(uri="https://idm.example.com")
except FileNotFoundError:
raise pytest.skip("Couldn't find config file...")
pytest.skip("Couldn't find config file...") # type: ignore[call-non-callable]
@pytest.fixture(scope="function")
async def client_configfile() -> KanidmClient:
async def client_configfile() -> Optional[KanidmClient]:
"""sets up a client from a config file"""
try:
return KanidmClient(config_file=Path("~/.config/kanidm"))
except FileNotFoundError:
raise pytest.skip("Couldn't find config file...")
pytest.skip("Couldn't find config file...") # type: ignore[call-non-callable]
class MockResponse:

2200
pykanidm/uv.lock Normal file
View file

File diff suppressed because it is too large Load diff

1
rlm_python/.python-version Normal file
View file

@ -0,0 +1 @@
3.12

3
rlm_python/README.md Normal file
View file

@ -0,0 +1,3 @@
# rlm_python
Kanidm FreeRADIUS module.

15
rlm_python/pyproject.toml
View file

@ -1,2 +1,13 @@
[tool.ruff]
line-length = 150
[project]
name = "rlm-python"
version = "0.1.0"
description = "FreeRADIUS Kanidm module"
readme = "README.md"
requires-python = ">=3.10"
dependencies = ["kanidm"]
[dependency-groups]
dev = ["mypy>=1.15.0", "pytest>=8.3.5", "ruff>=0.11.9", "ty>=0.0.0a8"]
[tool.uv.sources]
kanidm = { path = "../pykanidm" }

116
rlm_python/radius_entrypoint.py
View file

@ -1,4 +1,4 @@
""" entrypoint for kanidm's RADIUS module """
"""entrypoint for kanidm's RADIUS module"""
import atexit
import os
@ -7,15 +7,16 @@ import subprocess
import shutil
import signal
import sys
from typing import Any
from typing import Any, Optional
# import toml
import kanidm.radius
from kanidm.radius import CONFIG_PATHS
from kanidm.types import KanidmClientConfig
from kanidm.utils import load_config
DEBUG = True
if os.environ.get('DEBUG', False):
if os.environ.get("DEBUG", False):
DEBUG = True
CERT_SERVER_DEST = "/etc/raddb/certs/server.pem"
@ -23,54 +24,62 @@ CERT_CA_DEST = "/etc/raddb/certs/ca.pem"
CERT_CA_DIR = "/etc/raddb/certs/"
CERT_DH_DEST = "/etc/raddb/certs/dh.pem"
# pylint: disable=unused-argument
def _sigchild_handler(
*args: Any,
**kwargs: Any,
) -> None:
""" handler for SIGCHLD call"""
) -> None:
"""handler for SIGCHLD call"""
print("Received SIGCHLD ...", file=sys.stderr)
os.waitpid(-1, os.WNOHANG)
def write_clients_conf(
kanidm_config_object: KanidmClientConfig,
) -> None:
""" writes out the config file """
) -> None:
"""writes out the config file"""
raddb_config_file = Path("/etc/raddb/clients.conf")
with raddb_config_file.open('w', encoding='utf-8') as file_handle:
with raddb_config_file.open("w", encoding="utf-8") as file_handle:
for client in kanidm_config_object.radius_clients:
file_handle.write(f"client {client.name} {{\n" )
file_handle.write(f"client {client.name} {{\n")
file_handle.write(f" ipaddr = {client.ipaddr}\n")
file_handle.write(f" secret = {client.secret}\n" )
file_handle.write(' proto = *\n')
file_handle.write('}\n')
file_handle.write(f" secret = {client.secret}\n")
file_handle.write(" proto = *\n")
file_handle.write("}\n")
def setup_certs(
kanidm_config_object: KanidmClientConfig,
) -> None:
""" sets up certificates """
) -> None:
"""sets up certificates"""
if kanidm_config_object.radius_ca_path:
cert_ca = Path(kanidm_config_object.radius_ca_path).expanduser().resolve()
if not cert_ca.exists():
print(f"Failed to find radiusd ca file ({cert_ca}), quitting!", file=sys.stderr)
print(
f"Failed to find radiusd ca file ({cert_ca}), quitting!",
file=sys.stderr,
)
sys.exit(1)
if cert_ca != CERT_CA_DEST:
if cert_ca != Path(CERT_CA_DEST):
print(f"Copying {cert_ca} to {CERT_CA_DEST}")
try:
shutil.copyfile(cert_ca, CERT_CA_DEST)
except shutil.SameFileError:
pass
# This dir can also contain crls!
if kanidm_config_object.radius_ca_dir:
cert_ca_dir = Path(kanidm_config_object.radius_ca_dir).expanduser().resolve()
if not cert_ca_dir.exists():
print(f"Failed to find radiusd ca dir ({cert_ca_dir}), quitting!", file=sys.stderr)
print(
f"Failed to find radiusd ca dir ({cert_ca_dir}), quitting!",
file=sys.stderr,
)
sys.exit(1)
if cert_ca_dir != CERT_CA_DIR:
if cert_ca_dir != Path(CERT_CA_DIR):
print(f"Copying {cert_ca_dir} to {CERT_CA_DIR}")
shutil.copytree(cert_ca_dir, CERT_CA_DIR, dirs_exist_ok=True)
@ -83,7 +92,7 @@ def setup_certs(
print(
f"Failed to find server keyfile ({server_key}), quitting!",
file=sys.stderr,
)
)
sys.exit(1)
server_cert = Path(kanidm_config_object.radius_cert_path).expanduser().resolve()
@ -91,18 +100,19 @@ def setup_certs(
print(
f"Failed to find server cert file ({server_cert}), quitting!",
file=sys.stderr,
)
)
sys.exit(1)
# concat key + cert into /etc/raddb/certs/server.pem
with open(CERT_SERVER_DEST, 'w', encoding='utf-8') as file_handle:
with open(CERT_SERVER_DEST, "w", encoding="utf-8") as file_handle:
file_handle.write(server_cert.read_text(encoding="utf-8"))
file_handle.write('\n')
file_handle.write("\n")
file_handle.write(server_key.read_text(encoding="utf-8"))
def kill_radius(
proc: subprocess.Popen,
) -> None:
""" handler to kill the radius server once the script exits """
proc: subprocess.Popen[Any],
) -> None:
"""handler to kill the radius server once the script exits"""
if proc is None:
pass
else:
@ -116,8 +126,9 @@ def kill_radius(
proc.wait()
def find_freeradius_bin() -> str:
""" finds the binary """
def find_freeradius_bin() -> Optional[str]:
"""finds the binary"""
binary_paths = [
"/usr/sbin/radiusd",
"/usr/sbin/freeradius",
@ -129,37 +140,44 @@ def find_freeradius_bin() -> str:
print(f"Failed to find FreeRADIUS binary, looked in {lookedin}")
sys.exit(1)
def run_radiusd() -> None:
""" run the server """
"""run the server"""
if DEBUG:
cmd_args = [ "-X" ]
cmd_args = ["-X"]
else:
cmd_args = [ "-f", "-l", "stdout" ]
with subprocess.Popen(
[find_freeradius_bin()] + cmd_args,
stderr=subprocess.STDOUT,
cmd_args = ["-f", "-l", "stdout"]
freeradius_bin = find_freeradius_bin()
if freeradius_bin is None:
print("Failed to find FreeRADIUS binary, quitting!", file=sys.stderr)
sys.exit(1)
else:
with subprocess.Popen(
[freeradius_bin] + cmd_args,
stderr=subprocess.STDOUT,
) as proc:
# print(proc, file=sys.stderr)
atexit.register(kill_radius, proc)
proc.wait()
# print(proc, file=sys.stderr)
atexit.register(kill_radius, proc)
proc.wait()
if __name__ == '__main__':
if __name__ == "__main__":
signal.signal(signal.SIGCHLD, _sigchild_handler)
config_file = kanidm.radius.find_radius_config_path()
if config_file is None:
print(
"Failed to find configuration file ({config_file}), quitting!",
f"Failed to find configuration file in ({CONFIG_PATHS}), quitting!",
file=sys.stderr,
)
)
sys.exit(1)
kanidm_config = KanidmClientConfig.model_validate(load_config(config_file))
setup_certs(kanidm_config)
write_clients_conf(kanidm_config)
print("Configuration set up, starting...")
try:
run_radiusd()
except KeyboardInterrupt as ki:
print(ki)
else:
kanidm_config = KanidmClientConfig.model_validate(load_config(config_file))
setup_certs(kanidm_config)
write_clients_conf(kanidm_config)
print("Configuration set up, starting...")
try:
run_radiusd()
except KeyboardInterrupt as ki:
print(ki)

1046
rlm_python/uv.lock Normal file
View file

File diff suppressed because it is too large Load diff

6
scripts/Dockerfile.devcontainer Normal file
View file

@ -0,0 +1,6 @@
FROM rust:latest
COPY ./scripts/install_ubuntu_dependencies.sh /tmp/
RUN /tmp/install_ubuntu_dependencies.sh
WORKDIR /kanidm

4
scripts/pykanidm/run.sh
View file

@ -10,9 +10,9 @@ if [ ! -d ".venv" ]; then
# shellcheck disable=SC1091
source .venv/bin/activate
pip install --upgrade pip
pip install poetry pytest ruff mypy black
pip install uv
echo "Installing in virtualenv"
pip install -e pykanidm
pip install -e .
fi
# shellcheck disable=SC1091

4
scripts/setup_dev_environment.sh
View file

@ -45,7 +45,7 @@ fi
# defaults
KANIDM_CONFIG_FILE="./insecure_server.toml"
KANIDM_URL="$(rg origin "${KANIDM_CONFIG_FILE}" | awk '{print $NF}' | tr -d '"')"
KANIDM_URL="$(grep origin "${KANIDM_CONFIG_FILE}" | awk '{print $NF}' | tr -d '"')"
KANIDM_CA_PATH="/tmp/kanidm/ca.pem"
# wait for them to shut down the server if it's running...
@ -89,7 +89,7 @@ IDM_ADMIN_USER="idm_admin@localhost"
echo "Resetting the idm_admin user..."
IDM_ADMIN_PASS_RAW="$(${KANIDMD} recover-account idm_admin -o json 2>&1)"
IDM_ADMIN_PASS="$(echo "${IDM_ADMIN_PASS_RAW}" | grep password | jq -r .password)"
if [ -z "${IDM_ADMIN_PASS}" ] || [ "${IDM_ADMIN_PASS}" == "null " ]; then
if [ -z "${IDM_ADMIN_PASS}" ] || [ "${IDM_ADMIN_PASS}" == "null" ]; then
echo "Failed to reset idm_admin password!"
echo "Raw output:"
echo "${IDM_ADMIN_PASS_RAW}"

13
scripts/test_run_release_server.sh
View file

@ -40,7 +40,6 @@ cargo run --bin kanidmd --release server &
KANIDMD_PID=$!
echo "Kanidm PID: ${KANIDMD_PID}"
if [ "$(jobs -p | wc -l)" -eq 0 ]; then
echo "Kanidmd failed to start!"
exit 1
@ -49,12 +48,18 @@ fi
ATTEMPT=0
KANIDM_CONFIG_FILE="./insecure_server.toml"
KANIDM_URL="$(rg origin "${KANIDM_CONFIG_FILE}" | awk '{print $NF}' | tr -d '"')"
if [ -f "${KANIDM_CONFIG_FILE}" ]; then
echo "Found config file ${KANIDM_CONFIG_FILE}"
else
echo "Config file ${KANIDM_CONFIG_FILE} not found!"
exit 1
fi
KANIDM_URL="$(grep origin "${KANIDM_CONFIG_FILE}" | awk '{print $NF}' | tr -d '"')"
KANIDM_CA_PATH="/tmp/kanidm/ca.pem"
while true; do
echo "Waiting for the server to start... testing ${KANIDM_URL}"
curl --cacert "${KANIDM_CA_PATH}" -fs "${KANIDM_URL}/status" >/dev/null && break
echo "Waiting for the server to start... testing url '${KANIDM_URL}'"
curl --cacert "${KANIDM_CA_PATH}" -f "${KANIDM_URL}/status" >/dev/null && break
sleep 2
ATTEMPT="$((ATTEMPT + 1))"
if [ "${ATTEMPT}" -gt 3 ]; then

2
server/Dockerfile
View file

@ -106,4 +106,4 @@ HEALTHCHECK \
--retries=3 \
CMD [ "/sbin/kanidmd", "healthcheck", "-c", "/data/server.toml"]
CMD [ "/sbin/kanidmd", "server", "-c", "/data/server.toml"]
CMD [ "/sbin/kanidmd", "server"]

1
server/core/Cargo.toml
View file

@ -27,6 +27,7 @@ axum-htmx = { workspace = true }
axum-extra = { workspace = true }
axum-macros = { workspace = true }
bytes = { workspace = true }
cidr = { workspace = true, features = ["serde"] }
chrono = { workspace = true }
compact_jwt = { workspace = true }
cron = { workspace = true }

73
server/core/src/actors/v1_scim.rs
View file

@ -1,10 +1,14 @@
use super::{QueryServerReadV1, QueryServerWriteV1};
use kanidm_proto::scim_v1::{
client::ScimFilter, server::ScimEntryKanidm, ScimEntryGetQuery, ScimSyncRequest, ScimSyncState,
client::ScimEntryPostGeneric, client::ScimFilter, server::ScimEntryKanidm, ScimEntryGetQuery,
ScimSyncRequest, ScimSyncState,
};
use kanidmd_lib::idm::scim::{
GenerateScimSyncTokenEvent, ScimSyncFinaliseEvent, ScimSyncTerminateEvent, ScimSyncUpdateEvent,
};
use kanidmd_lib::server::scim::{ScimCreateEvent, ScimDeleteEvent};
use kanidmd_lib::idm::server::IdmServerTransaction;
use kanidmd_lib::prelude::*;
@ -176,6 +180,73 @@ impl QueryServerWriteV1 {
.scim_sync_apply(&sse, &changes, ct)
.and_then(|r| idms_prox_write.commit().map(|_| r))
}
#[instrument(
level = "info",
skip_all,
fields(uuid = ?eventid)
)]
pub async fn scim_entry_create(
&self,
client_auth_info: ClientAuthInfo,
eventid: Uuid,
classes: &[EntryClass],
entry: ScimEntryPostGeneric,
) -> Result<ScimEntryKanidm, OperationError> {
let ct = duration_from_epoch_now();
let mut idms_prox_write = self.idms.proxy_write(ct).await?;
let ident = idms_prox_write
.validate_client_auth_info_to_ident(client_auth_info, ct)
.map_err(|e| {
admin_error!(err = ?e, "Invalid identity");
e
})?;
let scim_create_event =
ScimCreateEvent::try_from(ident, classes, entry, &mut idms_prox_write.qs_write)?;
idms_prox_write
.qs_write
.scim_create(scim_create_event)
.and_then(|r| idms_prox_write.commit().map(|_| r))
}
#[instrument(
level = "info",
skip_all,
fields(uuid = ?eventid)
)]
pub async fn scim_entry_id_delete(
&self,
client_auth_info: ClientAuthInfo,
eventid: Uuid,
uuid_or_name: String,
class: EntryClass,
) -> Result<(), OperationError> {
let ct = duration_from_epoch_now();
let mut idms_prox_write = self.idms.proxy_write(ct).await?;
let ident = idms_prox_write
.validate_client_auth_info_to_ident(client_auth_info, ct)
.map_err(|e| {
admin_error!(err = ?e, "Invalid identity");
e
})?;
let target = idms_prox_write
.qs_write
.name_to_uuid(uuid_or_name.as_str())
.map_err(|e| {
admin_error!(err = ?e, "Error resolving id to target");
e
})?;
let scim_delete_event = ScimDeleteEvent::new(ident, target, class);
idms_prox_write
.qs_write
.scim_delete(scim_delete_event)
.and_then(|r| idms_prox_write.commit().map(|_| r))
}
}
impl QueryServerReadV1 {

47
server/core/src/config.rs
View file

@ -4,7 +4,7 @@
//! These components should be "per server". Any "per domain" config should be in the system
//! or domain entries that are able to be replicated.
use hashbrown::HashSet;
use cidr::IpCidr;
use kanidm_proto::constants::DEFAULT_SERVER_ADDRESS;
use kanidm_proto::internal::FsType;
use kanidm_proto::messages::ConsoleOutputMode;
@ -110,11 +110,11 @@ pub enum LdapAddressInfo {
#[default]
None,
#[serde(rename = "proxy-v2")]
ProxyV2(HashSet<IpAddr>),
ProxyV2(Vec<IpCidr>),
}
impl LdapAddressInfo {
pub fn trusted_proxy_v2(&self) -> Option<HashSet<IpAddr>> {
pub fn trusted_proxy_v2(&self) -> Option<Vec<IpCidr>> {
if let Self::ProxyV2(trusted) = self {
Some(trusted.clone())
} else {
@ -139,7 +139,7 @@ impl Display for LdapAddressInfo {
}
pub(crate) enum AddressSet {
NonContiguousIpSet(HashSet<IpAddr>),
NonContiguousIpSet(Vec<IpCidr>),
All,
}
@ -147,7 +147,9 @@ impl AddressSet {
pub(crate) fn contains(&self, ip_addr: &IpAddr) -> bool {
match self {
Self::All => true,
Self::NonContiguousIpSet(range) => range.contains(ip_addr),
Self::NonContiguousIpSet(range) => {
range.iter().any(|ip_cidr| ip_cidr.contains(ip_addr))
}
}
}
}
@ -157,13 +159,13 @@ pub enum HttpAddressInfo {
#[default]
None,
#[serde(rename = "x-forward-for")]
XForwardFor(HashSet<IpAddr>),
XForwardFor(Vec<IpCidr>),
// IMPORTANT: This is undocumented, and only exists for backwards compat
// with config v1 which has a boolean toggle for this option.
#[serde(rename = "x-forward-for-all-source-trusted")]
XForwardForAllSourcesTrusted,
#[serde(rename = "proxy-v2")]
ProxyV2(HashSet<IpAddr>),
ProxyV2(Vec<IpCidr>),
}
impl HttpAddressInfo {
@ -175,7 +177,7 @@ impl HttpAddressInfo {
}
}
pub(crate) fn trusted_proxy_v2(&self) -> Option<HashSet<IpAddr>> {
pub(crate) fn trusted_proxy_v2(&self) -> Option<Vec<IpCidr>> {
if let Self::ProxyV2(trusted) = self {
Some(trusted.clone())
} else {
@ -1170,3 +1172,32 @@ impl ConfigurationBuilder {
})
}
}
#[cfg(test)]
mod tests {
use cidr::{IpCidr, Ipv4Cidr, Ipv6Cidr};
use std::net::{Ipv4Addr, Ipv6Addr};
#[test]
fn assert_cidr_parsing_behaviour() {
// Assert that we can parse individual hosts, and ranges
let parsed_ip_cidr: IpCidr = serde_json::from_str("\"127.0.0.1\"").unwrap();
let expect_ip_cidr = IpCidr::from(Ipv4Addr::new(127, 0, 0, 1));
assert_eq!(parsed_ip_cidr, expect_ip_cidr);
let parsed_ip_cidr: IpCidr = serde_json::from_str("\"127.0.0.0/8\"").unwrap();
let expect_ip_cidr = IpCidr::from(Ipv4Cidr::new(Ipv4Addr::new(127, 0, 0, 0), 8).unwrap());
assert_eq!(parsed_ip_cidr, expect_ip_cidr);
// Same for ipv6
let parsed_ip_cidr: IpCidr = serde_json::from_str("\"2001:0db8::1\"").unwrap();
let expect_ip_cidr = IpCidr::from(Ipv6Addr::new(0x2001, 0x0db8, 0, 0, 0, 0, 0, 0x0001));
assert_eq!(parsed_ip_cidr, expect_ip_cidr);
let parsed_ip_cidr: IpCidr = serde_json::from_str("\"2001:0db8::/64\"").unwrap();
let expect_ip_cidr = IpCidr::from(
Ipv6Cidr::new(Ipv6Addr::new(0x2001, 0x0db8, 0, 0, 0, 0, 0, 0), 64).unwrap(),
);
assert_eq!(parsed_ip_cidr, expect_ip_cidr);
}
}

3
server/core/src/https/apidocs/mod.rs
View file

@ -78,6 +78,8 @@ impl Modify for SecurityAddon {
super::v1_scim::scim_sync_get,
super::v1_scim::scim_entry_id_get,
super::v1_scim::scim_person_id_get,
super::v1_scim::scim_application_post,
super::v1_scim::scim_application_id_delete,
super::v1::schema_get,
super::v1::whoami,
@ -211,7 +213,6 @@ impl Modify for SecurityAddon {
schemas(
attribute::Attribute,
scim_v1::ScimSyncState,
scim_v1::ScimSyncRequest,
scim_v1::ScimSyncRetentionMode,

2
server/core/src/https/apidocs/tests.rs
View file

@ -43,7 +43,7 @@ fn figure_out_if_we_have_all_the_routes() {
.unwrap();
// work our way through the source files in this package looking for routedefs
let mut found_routes: BTreeMap<String, Vec<(String, String)>> = BTreeMap::new();
let walker = walkdir::WalkDir::new(format!("{}/src", env!("CARGO_MANIFEST_DIR")))
let walker = walkdir::WalkDir::new(format!("{}/src/https", env!("CARGO_MANIFEST_DIR")))
.follow_links(false)
.into_iter();

19
server/core/src/https/mod.rs
View file

@ -29,10 +29,10 @@ use axum::{
Router,
};
use axum_extra::extract::cookie::CookieJar;
use cidr::IpCidr;
use compact_jwt::{error::JwtError, JwsCompact, JwsHs256Signer, JwsVerifier};
use futures::pin_mut;
use haproxy_protocol::{ProxyHdrV2, RemoteAddress};
use hashbrown::HashSet;
use hyper::body::Incoming;
use hyper_util::rt::{TokioExecutor, TokioIo};
use kanidm_lib_crypto::x509_cert::{der::Decode, x509_public_key_s256, Certificate};
@ -43,7 +43,6 @@ use serde::de::DeserializeOwned;
use sketching::*;
use std::fmt::Write;
use std::io::ErrorKind;
use std::net::IpAddr;
use std::path::PathBuf;
use std::pin::Pin;
use std::sync::Arc;
@ -363,7 +362,7 @@ async fn server_tls_loop(
mut rx: broadcast::Receiver<CoreAction>,
server_message_tx: broadcast::Sender<CoreAction>,
mut tls_acceptor_reload_rx: mpsc::Receiver<SslAcceptor>,
trusted_proxy_v2_ips: Option<Arc<HashSet<IpAddr>>>,
trusted_proxy_v2_ips: Option<Arc<Vec<IpCidr>>>,
) {
pin_mut!(listener);
@ -404,7 +403,7 @@ async fn server_plaintext_loop(
listener: TcpListener,
app: IntoMakeServiceWithConnectInfo<Router, ClientConnInfo>,
mut rx: broadcast::Receiver<CoreAction>,
trusted_proxy_v2_ips: Option<Arc<HashSet<IpAddr>>>,
trusted_proxy_v2_ips: Option<Arc<Vec<IpCidr>>>,
) {
pin_mut!(listener);
@ -438,7 +437,7 @@ pub(crate) async fn handle_conn(
stream: TcpStream,
app: IntoMakeServiceWithConnectInfo<Router, ClientConnInfo>,
connection_addr: SocketAddr,
trusted_proxy_v2_ips: Option<Arc<HashSet<IpAddr>>>,
trusted_proxy_v2_ips: Option<Arc<Vec<IpCidr>>>,
) -> Result<(), std::io::Error> {
let (stream, client_addr) =
process_client_addr(stream, connection_addr, trusted_proxy_v2_ips).await?;
@ -462,7 +461,7 @@ pub(crate) async fn handle_tls_conn(
stream: TcpStream,
app: IntoMakeServiceWithConnectInfo<Router, ClientConnInfo>,
connection_addr: SocketAddr,
trusted_proxy_v2_ips: Option<Arc<HashSet<IpAddr>>>,
trusted_proxy_v2_ips: Option<Arc<Vec<IpCidr>>>,
) -> Result<(), std::io::Error> {
let (stream, client_addr) =
process_client_addr(stream, connection_addr, trusted_proxy_v2_ips).await?;
@ -531,10 +530,14 @@ pub(crate) async fn handle_tls_conn(
async fn process_client_addr(
stream: TcpStream,
connection_addr: SocketAddr,
trusted_proxy_v2_ips: Option<Arc<HashSet<IpAddr>>>,
trusted_proxy_v2_ips: Option<Arc<Vec<IpCidr>>>,
) -> Result<(TcpStream, SocketAddr), std::io::Error> {
let enable_proxy_v2_hdr = trusted_proxy_v2_ips
.map(|trusted| trusted.contains(&connection_addr.ip()))
.map(|trusted| {
trusted
.iter()
.any(|ip_cidr| ip_cidr.contains(&connection_addr.ip()))
})
.unwrap_or_default();
let (stream, client_addr) = if enable_proxy_v2_hdr {

75
server/core/src/https/v1_scim.rs
View file

@ -9,10 +9,11 @@ use super::ServerState;
use crate::https::extractors::VerifiedClientInformation;
use axum::extract::{rejection::JsonRejection, DefaultBodyLimit, Path, Query, State};
use axum::response::{Html, IntoResponse, Response};
use axum::routing::{get, post};
use axum::routing::{delete, get, post};
use axum::{Extension, Json, Router};
use kanidm_proto::scim_v1::{
server::ScimEntryKanidm, ScimEntryGetQuery, ScimSyncRequest, ScimSyncState,
client::ScimEntryPostGeneric, server::ScimEntryKanidm, ScimEntryGetQuery, ScimSyncRequest,
ScimSyncState,
};
use kanidm_proto::v1::Entry as ProtoEntry;
use kanidmd_lib::prelude::*;
@ -383,6 +384,65 @@ async fn scim_person_id_get(
.map_err(WebError::from)
}
#[utoipa::path(
post,
path = "/scim/v1/Application",
responses(
(status = 200, content_type="application/json", body=ScimEntry),
ApiResponseWithout200,
),
security(("token_jwt" = [])),
tag = "scim",
operation_id = "scim_application_post"
)]
async fn scim_application_post(
State(state): State<ServerState>,
Extension(kopid): Extension<KOpId>,
VerifiedClientInformation(client_auth_info): VerifiedClientInformation,
Json(entry_post): Json<ScimEntryPostGeneric>,
) -> Result<Json<ScimEntryKanidm>, WebError> {
state
.qe_w_ref
.scim_entry_create(
client_auth_info,
kopid.eventid,
&[
EntryClass::Account,
EntryClass::ServiceAccount,
EntryClass::Application,
],
entry_post,
)
.await
.map(Json::from)
.map_err(WebError::from)
}
#[utoipa::path(
delete,
path = "/scim/v1/Application/{id}",
responses(
(status = 200, content_type="application/json"),
ApiResponseWithout200,
),
security(("token_jwt" = [])),
tag = "scim",
operation_id = "scim_application_id_delete"
)]
async fn scim_application_id_delete(
State(state): State<ServerState>,
Path(id): Path<String>,
Extension(kopid): Extension<KOpId>,
VerifiedClientInformation(client_auth_info): VerifiedClientInformation,
) -> Result<Json<()>, WebError> {
state
.qe_w_ref
.scim_entry_id_delete(client_auth_info, kopid.eventid, id, EntryClass::Application)
.await
.map(Json::from)
.map_err(WebError::from)
}
pub fn route_setup() -> Router<ServerState> {
Router::new()
.route(
@ -486,6 +546,17 @@ pub fn route_setup() -> Router<ServerState> {
//
// POST Send a sync update
//
//
// Application /Application Post Create a new application
//
.route("/scim/v1/Application", post(scim_application_post))
// Application /Application/{id} Delete Delete the application identified by id
//
.route(
"/scim/v1/Application/:id",
delete(scim_application_id_delete),
)
// Synchronisation routes.
.route(
"/scim/v1/Sync",
post(scim_sync_post)

12
server/core/src/https/views/reset.rs
View file

@ -119,9 +119,10 @@ struct SetUnixCredPartial {
#[derive(Template)]
#[template(path = "credential_update_add_ssh_publickey_partial.html")]
struct AddSshPublicKeyPartial {
key_title: Option<String>,
title_error: Option<String>,
key_error: Option<String>,
key_value: Option<String>,
key_error: Option<String>,
}
#[derive(Serialize, Deserialize, Debug)]
@ -901,9 +902,10 @@ pub(crate) async fn view_add_ssh_publickey(
let new_key = match opt_form {
None => {
return Ok((AddSshPublicKeyPartial {
key_title: None,
title_error: None,
key_error: None,
key_value: None,
key_error: None,
},)
.into_response());
}
@ -920,9 +922,10 @@ pub(crate) async fn view_add_ssh_publickey(
let publickey = match SshPublicKey::from_string(&new_key.key) {
Err(_) => {
return Ok((AddSshPublicKeyPartial {
key_title: Some(new_key.title),
title_error: None,
key_error: Some("Key cannot be parsed".to_string()),
key_value: Some(new_key.key),
key_error: Some("Key cannot be parsed".to_string()),
},)
.into_response());
}
@ -932,7 +935,7 @@ pub(crate) async fn view_add_ssh_publickey(
.qe_r_ref
.handle_idmcredentialupdate(
cu_session_token,
CURequest::SshPublicKey(new_key.title, publickey),
CURequest::SshPublicKey(new_key.title.clone(), publickey),
kopid.eventid,
)
.await;
@ -966,6 +969,7 @@ pub(crate) async fn view_add_ssh_publickey(
status,
HxPushUrl(Uri::from_static("/ui/reset/add_ssh_publickey")),
AddSshPublicKeyPartial {
key_title: Some(new_key.title),
title_error,
key_error,
key_value: Some(new_key.key),

16
server/core/src/ldaps.rs
View file

@ -1,15 +1,15 @@
use crate::actors::QueryServerReadV1;
use crate::CoreAction;
use cidr::IpCidr;
use futures_util::sink::SinkExt;
use futures_util::stream::StreamExt;
use haproxy_protocol::{ProxyHdrV2, RemoteAddress};
use hashbrown::HashSet;
use kanidmd_lib::idm::ldap::{LdapBoundToken, LdapResponseState};
use kanidmd_lib::prelude::*;
use ldap3_proto::proto::LdapMsg;
use ldap3_proto::LdapCodec;
use openssl::ssl::{Ssl, SslAcceptor};
use std::net::{IpAddr, SocketAddr};
use std::net::SocketAddr;
use std::pin::Pin;
use std::str::FromStr;
use std::sync::Arc;
@ -122,10 +122,14 @@ async fn client_tls_accept(
tls_acceptor: SslAcceptor,
connection_addr: SocketAddr,
qe_r_ref: &'static QueryServerReadV1,
trusted_proxy_v2_ips: Option<Arc<HashSet<IpAddr>>>,
trusted_proxy_v2_ips: Option<Arc<Vec<IpCidr>>>,
) {
let enable_proxy_v2_hdr = trusted_proxy_v2_ips
.map(|trusted| trusted.contains(&connection_addr.ip()))
.map(|trusted| {
trusted
.iter()
.any(|ip_cidr| ip_cidr.contains(&connection_addr.ip()))
})
.unwrap_or_default();
let (stream, client_addr) = if enable_proxy_v2_hdr {
@ -186,7 +190,7 @@ async fn ldap_tls_acceptor(
qe_r_ref: &'static QueryServerReadV1,
mut rx: broadcast::Receiver<CoreAction>,
mut tls_acceptor_reload_rx: mpsc::Receiver<SslAcceptor>,
trusted_proxy_v2_ips: Option<Arc<HashSet<IpAddr>>>,
trusted_proxy_v2_ips: Option<Arc<Vec<IpCidr>>>,
) {
loop {
tokio::select! {
@ -249,7 +253,7 @@ pub(crate) async fn create_ldap_server(
qe_r_ref: &'static QueryServerReadV1,
rx: broadcast::Receiver<CoreAction>,
tls_acceptor_reload_rx: mpsc::Receiver<SslAcceptor>,
trusted_proxy_v2_ips: Option<HashSet<IpAddr>>,
trusted_proxy_v2_ips: Option<Vec<IpCidr>>,
) -> Result<tokio::task::JoinHandle<()>, ()> {
if address.starts_with(":::") {
// takes :::xxxx to xxxx

22
server/core/src/repl/mod.rs
View file

@ -92,7 +92,7 @@ pub(crate) async fn create_repl_server(
Ok((repl_handle, ctrl_tx))
}
#[instrument(level = "info", skip_all)]
#[instrument(level = "debug", skip_all)]
/// This returns the remote address that worked, so you can try that first next time
async fn repl_consumer_connect_supplier(
domain: &str,
@ -116,7 +116,10 @@ async fn repl_consumer_connect_supplier(
)
.await
{
Ok(Ok(tc)) => tc,
Ok(Ok(tc)) => {
trace!("Connection established to peer on {:?}", sock_addr);
tc
}
Ok(Err(err)) => {
debug!(?err, "Failed to connect to {}", sock_addr);
continue;
@ -127,8 +130,6 @@ async fn repl_consumer_connect_supplier(
}
};
trace!("Connection established to peer on {:?}", sock_addr);
let mut tlsstream = match Ssl::new(tls_connector.context())
.and_then(|tls_obj| SslStream::new(tls_obj, tcpstream))
{
@ -236,7 +237,7 @@ async fn repl_run_consumer_refresh(
Ok(Some(addr))
}
#[instrument(level="info", skip(tls_connector, idms), fields(eventid=Uuid::new_v4().to_string()))]
#[instrument(level="debug", skip(tls_connector, idms), fields(eventid=Uuid::new_v4().to_string()))]
async fn repl_run_consumer(
domain: &str,
sock_addrs: &[SocketAddr],
@ -282,11 +283,11 @@ async fn repl_run_consumer(
changes
}
Ok(SupplierResponse::Pong) | Ok(SupplierResponse::Refresh(_)) => {
error!("Supplier Response contains invalid State");
error!("Supplier Response contains invalid state");
return None;
}
Err(err) => {
error!(?err, "consumer decode error, unable to continue.");
error!(?err, "Consumer decode error, unable to continue.");
return None;
}
}
@ -306,7 +307,7 @@ async fn repl_run_consumer(
}) {
Ok(state) => state,
Err(err) => {
error!(?err, "consumer was not able to apply changes.");
error!(?err, "Consumer was not able to apply changes.");
return None;
}
}
@ -365,7 +366,7 @@ async fn repl_run_consumer(
return None;
}
warn!("Replication refresh was successful.");
info!("Replication refresh was successful.");
Some(socket_addr)
}
@ -544,7 +545,7 @@ async fn repl_task(
info!("Replica task for {} has stopped.", origin);
}
#[instrument(level = "info", skip_all)]
#[instrument(level = "debug", skip_all)]
async fn handle_repl_conn(
max_frame_bytes: usize,
tcpstream: TcpStream,
@ -626,6 +627,7 @@ async fn handle_repl_conn(
debug!(?client_address, "replication client disconnected 🛬");
}
/// This is the main acceptor for the replication server.
async fn repl_acceptor(
listener: TcpListener,
idms: Arc<IdmServer>,

32
server/core/templates/credential_update_add_ssh_publickey_partial.html
View file

@ -6,26 +6,38 @@
hx-post="/ui/reset/add_ssh_publickey">
<div>
<label for="key-title" class="form-label">Title</label>
<input type="text" class="form-control(% if let Some(_) = title_error %) is-invalid(% endif %)" id="key-title" name="title" aria-describedby="title-validation-feedback">
<input type="text"
class="form-control(% if let Some(_) = title_error %) is-invalid(% endif %)"
id="key-title" name="title"
aria-describedby="title-validation-feedback"
autocapitalize="off" autocomplete="off" required
value="(% if let Some(key_title) = key_title %)(( key_title ))(% endif %)">
(% if let Some(title_error) = title_error %)
<div id="title-validation-feedback" class="invalid-feedback">
(% if let Some(title_error) = title_error %)(( title_error ))(% endif %)
(( title_error ))
</div>
(% endif %)
</div>
<div>
<label for="key-content" class="form-label">Key</label>
<textarea class="form-control(% if let Some(_) = key_error %) is-invalid(% endif %)" id="key-content" rows="5" name="key"
<textarea
class="form-control(% if let Some(_) = key_error %) is-invalid(% endif %)"
id="key-content" rows="5" name="key"
aria-describedby="key-validation-feedback"
placeholder="Begins with 'ssh-rsa', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521', 'ssh-ed25519', 'sk-ecdsa-sha2-nistp256@openssh.com', or 'sk-ssh-ed25519@openssh.com'"
>(% if let Some(key_value) = key_value %)(( key_value ))(% endif %)</textarea>
autocapitalize="off" autocomplete="off" required
placeholder="Begins with 'ssh-rsa', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521', 'ssh-ed25519', 'sk-ecdsa-sha2-nistp256@openssh.com', or 'sk-ssh-ed25519@openssh.com'">(% if let Some(key_value) = key_value %)(( key_value ))(% endif %)</textarea>
(% if let Some(key_error) = key_error %)
<div id="key-validation-feedback" class="invalid-feedback">
(% if let Some(key_error) = key_error %)(( key_error ))(% endif %)
(( key_error ))
</div>
</div>
(% endif%)
</div>
<div class="column-gap-2 d-flex justify-content-end mt-2" hx-target="#credentialUpdateDynamicSection">
<button type="button" class="btn btn-danger" hx-get=((Urls::CredReset)) hx-target="body">Cancel</button>
<div class="column-gap-2 d-flex justify-content-end mt-2"
hx-target="#credentialUpdateDynamicSection">
<button type="button" class="btn btn-danger"
hx-get=((Urls::CredReset)) hx-target="body">Cancel</button>
<button type="submit" class="btn btn-primary">Submit</button>
</div>
</form>
</div>

2
server/daemon/Cargo.toml
View file

@ -72,7 +72,7 @@ priority = "optional"
changelog = "../../target/debian/changelog" # Generated by platform/debian/build_debs.sh
assets = [
[ "target/release/kanidmd", "usr/bin/", "755" ],
[ "debian/group.conf", "usr/lib/sysusers.d/kandimd.conf", "644" ],
[ "debian/group.conf", "usr/lib/sysusers.d/kanidmd.conf", "644" ],
[ "debian/server.toml", "etc/kanidmd/server.toml", "640" ],
[ "../../examples/server.toml", "usr/share/kanidmd/", "444" ],
[ "../core/static/**/*", "usr/share/kanidmd/static", "444" ],

1
server/lib/src/constants/uuids.rs
View file

@ -338,6 +338,7 @@ pub const UUID_SCHEMA_ATTR_KEY_ACTION_IMPORT_JWS_RS256: Uuid =
uuid!("00000000-0000-0000-0000-ffff00000191");
pub const UUID_SCHEMA_CLASS_KEY_OBJECT_JWT_RS256: Uuid =
uuid!("00000000-0000-0000-0000-ffff00000192");
pub const UUID_SCHEMA_ATTR_APPLICATION_URL: Uuid = uuid!("00000000-0000-0000-0000-ffff00000193");
// System and domain infos
// I'd like to strongly criticise william of the past for making poor choices about these allocations.

40
server/lib/src/entry.rs
View file

@ -24,11 +24,6 @@
//! [`filter`]: ../filter/index.html
//! [`schema`]: ../schema/index.html
use std::cmp::Ordering;
pub use std::collections::BTreeSet as Set;
use std::collections::{BTreeMap as Map, BTreeMap, BTreeSet};
use std::sync::Arc;
use crate::be::dbentry::{DbEntry, DbEntryVers};
use crate::be::dbvalue::DbValueSetV2;
use crate::be::{IdxKey, IdxSlope};
@ -41,7 +36,13 @@ use crate::prelude::*;
use crate::repl::cid::Cid;
use crate::repl::entry::EntryChangeState;
use crate::repl::proto::{ReplEntryV1, ReplIncrementalEntryV1};
use crate::schema::{SchemaAttribute, SchemaClass, SchemaTransaction};
use crate::server::access::AccessEffectivePermission;
use crate::value::{
ApiToken, CredentialType, IndexType, IntentTokenState, Oauth2Session, PartialValue, Session,
SyntaxType, Value,
};
use crate::valueset::{self, ScimResolveStatus, ValueSet};
use compact_jwt::JwsEs256Signer;
use hashbrown::{HashMap, HashSet};
use kanidm_proto::internal::ImageValue;
@ -53,6 +54,10 @@ use kanidm_proto::v1::Entry as ProtoEntry;
use ldap3_proto::simple::{LdapPartialAttribute, LdapSearchResultEntry};
use openssl::ec::EcKey;
use openssl::pkey::{Private, Public};
use std::cmp::Ordering;
pub use std::collections::BTreeSet as Set;
use std::collections::{BTreeMap as Map, BTreeMap, BTreeSet};
use std::sync::Arc;
use time::OffsetDateTime;
use tracing::trace;
use uuid::Uuid;
@ -60,13 +65,6 @@ use webauthn_rs::prelude::{
AttestationCaList, AttestedPasskey as AttestedPasskeyV4, Passkey as PasskeyV4,
};
use crate::schema::{SchemaAttribute, SchemaClass, SchemaTransaction};
use crate::value::{
ApiToken, CredentialType, IndexType, IntentTokenState, Oauth2Session, PartialValue, Session,
SyntaxType, Value,
};
use crate::valueset::{self, ScimResolveStatus, ValueSet};
pub type EntryInitNew = Entry<EntryInit, EntryNew>;
pub type EntryInvalidNew = Entry<EntryInvalid, EntryNew>;
pub type EntryRefreshNew = Entry<EntryRefresh, EntryNew>;
@ -285,6 +283,18 @@ impl Default for Entry<EntryInit, EntryNew> {
}
}
impl FromIterator<(Attribute, ValueSet)> for EntryInitNew {
fn from_iter<I: IntoIterator<Item = (Attribute, ValueSet)>>(iter: I) -> Self {
let attrs = Eattrs::from_iter(iter);
Entry {
valid: EntryInit,
state: EntryNew,
attrs,
}
}
}
impl Entry<EntryInit, EntryNew> {
pub fn new() -> Self {
Entry {
@ -292,7 +302,6 @@ impl Entry<EntryInit, EntryNew> {
valid: EntryInit,
state: EntryNew,
attrs: Map::new(),
// attrs: Map::with_capacity(32),
}
}
@ -479,6 +488,11 @@ impl Entry<EntryInit, EntryNew> {
self.attrs.remove(attr);
}
/// Set the content of this ava with this valueset, ignoring the previous data.
pub fn set_ava_set(&mut self, attr: &Attribute, vs: ValueSet) {
self.attrs.insert(attr.clone(), vs);
}
/// Replace the existing content of an attribute set of this Entry, with a new set of Values.
pub fn set_ava<T>(&mut self, attr: Attribute, iter: T)
where

15
server/lib/src/event.rs
View file

@ -346,6 +346,8 @@ pub struct CreateEvent {
pub entries: Vec<Entry<EntryInit, EntryNew>>,
// Is the CreateEvent from an internal or external source?
// This may affect which plugins are run ...
/// If true, the list of created entry UUID's will be returned.
pub return_created_uuids: bool,
}
impl CreateEvent {
@ -363,7 +365,11 @@ impl CreateEvent {
// What is the correct consuming iterator here? Can we
// even do that?
match rentries {
Ok(entries) => Ok(CreateEvent { ident, entries }),
Ok(entries) => Ok(CreateEvent {
ident,
entries,
return_created_uuids: false,
}),
Err(e) => Err(e),
}
}
@ -373,13 +379,18 @@ impl CreateEvent {
ident: Identity,
entries: Vec<Entry<EntryInit, EntryNew>>,
) -> Self {
CreateEvent { ident, entries }
CreateEvent {
ident,
entries,
return_created_uuids: false,
}
}
pub fn new_internal(entries: Vec<Entry<EntryInit, EntryNew>>) -> Self {
CreateEvent {
ident: Identity::from_internal(),
entries,
return_created_uuids: false,
}
}
}

138
server/lib/src/idm/application.rs
View file

@ -255,139 +255,6 @@ mod tests {
const TEST_CURRENT_TIME: u64 = 6000;
// Tests that only the correct combinations of [Account, Person, Application and
// ServiceAccount] classes are allowed.
#[idm_test]
async fn test_idm_application_excludes(idms: &IdmServer, _idms_delayed: &mut IdmServerDelayed) {
let ct = Duration::from_secs(TEST_CURRENT_TIME);
let mut idms_prox_write = idms.proxy_write(ct).await.unwrap();
// ServiceAccount, Application and Person not allowed together
let test_grp_name = "testgroup1";
let test_grp_uuid = Uuid::new_v4();
let e1 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Group.to_value()),
(Attribute::Name, Value::new_iname(test_grp_name)),
(Attribute::Uuid, Value::Uuid(test_grp_uuid))
);
let test_entry_uuid = Uuid::new_v4();
let e2 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::Class, EntryClass::Person.to_value()),
(Attribute::Name, Value::new_iname("test_app_name")),
(Attribute::Uuid, Value::Uuid(test_entry_uuid)),
(Attribute::Description, Value::new_utf8s("test_app_desc")),
(
Attribute::DisplayName,
Value::new_utf8s("test_app_dispname")
),
(Attribute::LinkedGroup, Value::Refer(test_grp_uuid))
);
let ce = CreateEvent::new_internal(vec![e1, e2]);
let cr = idms_prox_write.qs_write.create(&ce);
assert!(cr.is_err());
// Application and Person not allowed together
let test_grp_name = "testgroup1";
let test_grp_uuid = Uuid::new_v4();
let e1 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Group.to_value()),
(Attribute::Name, Value::new_iname(test_grp_name)),
(Attribute::Uuid, Value::Uuid(test_grp_uuid))
);
let test_entry_uuid = Uuid::new_v4();
let e2 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::Class, EntryClass::Person.to_value()),
(Attribute::Name, Value::new_iname("test_app_name")),
(Attribute::Uuid, Value::Uuid(test_entry_uuid)),
(Attribute::Description, Value::new_utf8s("test_app_desc")),
(
Attribute::DisplayName,
Value::new_utf8s("test_app_dispname")
),
(Attribute::LinkedGroup, Value::Refer(test_grp_uuid))
);
let ce = CreateEvent::new_internal(vec![e1, e2]);
let cr = idms_prox_write.qs_write.create(&ce);
assert!(cr.is_err());
// Supplements not satisfied, Application supplements ServiceAccount
let test_grp_name = "testgroup1";
let test_grp_uuid = Uuid::new_v4();
let e1 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Group.to_value()),
(Attribute::Name, Value::new_iname(test_grp_name)),
(Attribute::Uuid, Value::Uuid(test_grp_uuid))
);
let test_entry_uuid = Uuid::new_v4();
let e2 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::Name, Value::new_iname("test_app_name")),
(Attribute::Uuid, Value::Uuid(test_entry_uuid)),
(Attribute::Description, Value::new_utf8s("test_app_desc")),
(Attribute::LinkedGroup, Value::Refer(test_grp_uuid))
);
let ce = CreateEvent::new_internal(vec![e1, e2]);
let cr = idms_prox_write.qs_write.create(&ce);
assert!(cr.is_err());
// Supplements not satisfied, Application supplements ServiceAccount
let test_grp_name = "testgroup1";
let test_grp_uuid = Uuid::new_v4();
let e1 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Group.to_value()),
(Attribute::Name, Value::new_iname(test_grp_name)),
(Attribute::Uuid, Value::Uuid(test_grp_uuid))
);
let test_entry_uuid = Uuid::new_v4();
let e2 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::Name, Value::new_iname("test_app_name")),
(Attribute::Uuid, Value::Uuid(test_entry_uuid)),
(Attribute::Description, Value::new_utf8s("test_app_desc")),
(Attribute::LinkedGroup, Value::Refer(test_grp_uuid))
);
let ce = CreateEvent::new_internal(vec![e1, e2]);
let cr = idms_prox_write.qs_write.create(&ce);
assert!(cr.is_err());
// Supplements satisfied, Application supplements ServiceAccount
let test_grp_name = "testgroup1";
let test_grp_uuid = Uuid::new_v4();
let e1 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Group.to_value()),
(Attribute::Name, Value::new_iname(test_grp_name)),
(Attribute::Uuid, Value::Uuid(test_grp_uuid))
);
let test_entry_uuid = Uuid::new_v4();
let e2 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Name, Value::new_iname("test_app_name")),
(Attribute::Uuid, Value::Uuid(test_entry_uuid)),
(Attribute::Description, Value::new_utf8s("test_app_desc")),
(Attribute::LinkedGroup, Value::Refer(test_grp_uuid))
);
let ce = CreateEvent::new_internal(vec![e1, e2]);
let cr = idms_prox_write.qs_write.create(&ce);
assert!(cr.is_ok());
}
// Tests it is not possible to create an application without the linked group attribute
#[idm_test]
async fn test_idm_application_no_linked_group(
@ -404,6 +271,7 @@ mod tests {
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::DisplayName, Value::new_utf8s("Application")),
(Attribute::Name, Value::new_iname("test_app_name")),
(Attribute::Uuid, Value::Uuid(test_entry_uuid)),
(Attribute::Description, Value::new_utf8s("test_app_desc")),
@ -547,8 +415,10 @@ mod tests {
let e3 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::DisplayName, Value::new_utf8s("Application")),
(Attribute::Name, Value::new_iname(test_app_name)),
(Attribute::Uuid, Value::Uuid(test_app_uuid)),
(Attribute::LinkedGroup, Value::Refer(test_grp_uuid))
@ -647,7 +517,9 @@ mod tests {
let e2 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::DisplayName, Value::new_utf8s("Application")),
(Attribute::Name, Value::new_iname("test_app_name")),
(Attribute::Uuid, Value::Uuid(test_entry_uuid)),
(Attribute::Description, Value::new_utf8s("test_app_desc")),

12
server/lib/src/idm/ldap.rs
View file

@ -1119,8 +1119,10 @@ mod tests {
let e3 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::DisplayName, Value::new_utf8s("Application")),
(Attribute::Name, Value::new_iname(app_name)),
(Attribute::Uuid, Value::Uuid(app_uuid)),
(Attribute::LinkedGroup, Value::Refer(grp_uuid))
@ -1283,8 +1285,10 @@ mod tests {
let e3 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::DisplayName, Value::new_utf8s("Application")),
(Attribute::Name, Value::new_iname("testapp1")),
(Attribute::Uuid, Value::Uuid(app_uuid)),
(Attribute::LinkedGroup, Value::Refer(grp_uuid))
@ -1456,8 +1460,10 @@ mod tests {
let e4 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::DisplayName, Value::new_utf8s("Application")),
(Attribute::Name, Value::new_iname(app1_name)),
(Attribute::Uuid, Value::Uuid(app1_uuid)),
(Attribute::LinkedGroup, Value::Refer(grp1_uuid))
@ -1465,8 +1471,10 @@ mod tests {
let e5 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::DisplayName, Value::new_utf8s("Application")),
(Attribute::Name, Value::new_iname(app2_name)),
(Attribute::Uuid, Value::Uuid(app2_uuid)),
(Attribute::LinkedGroup, Value::Refer(grp2_uuid))
@ -1651,8 +1659,10 @@ mod tests {
let e3 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::DisplayName, Value::new_utf8s("Application")),
(Attribute::Name, Value::new_iname(app1_name)),
(Attribute::Uuid, Value::Uuid(app1_uuid)),
(Attribute::LinkedGroup, Value::Refer(grp1_uuid))
@ -2693,8 +2703,10 @@ mod tests {
let e3 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::DisplayName, Value::new_utf8s("Application")),
(Attribute::Name, Value::new_iname(app_name)),
(Attribute::Uuid, Value::Uuid(app_uuid)),
(Attribute::LinkedGroup, Value::Refer(grp_uuid))

1
server/lib/src/migration_data/dl10/mod.rs
View file

@ -106,6 +106,7 @@ pub fn phase_1_schema_attrs() -> Vec<EntryInitNew> {
SCHEMA_ATTR_DENIED_NAME_DL10.clone().into(),
SCHEMA_ATTR_LDAP_MAXIMUM_QUERYABLE_ATTRIBUTES.clone().into(),
SCHEMA_ATTR_KEY_ACTION_IMPORT_JWS_RS256_DL6.clone().into(),
// DL11
]
}

2
server/lib/src/migration_data/dl10/schema.rs
View file

@ -849,9 +849,9 @@ pub static ref SCHEMA_CLASS_ACCOUNT_DL5: SchemaClass = SchemaClass {
Attribute::Spn
],
systemsupplements: vec![
EntryClass::OAuth2ResourceServer.into(),
EntryClass::Person.into(),
EntryClass::ServiceAccount.into(),
EntryClass::OAuth2ResourceServer.into(),
],
..Default::default()
};

6
server/lib/src/migration_data/dl11/mod.rs
View file

@ -106,6 +106,9 @@ pub fn phase_1_schema_attrs() -> Vec<EntryInitNew> {
SCHEMA_ATTR_DENIED_NAME_DL10.clone().into(),
SCHEMA_ATTR_LDAP_MAXIMUM_QUERYABLE_ATTRIBUTES.clone().into(),
SCHEMA_ATTR_KEY_ACTION_IMPORT_JWS_RS256_DL6.clone().into(),
// DL11
SCHEMA_ATTR_APPLICATION_URL.clone().into(),
// DL12
]
}
@ -135,13 +138,14 @@ pub fn phase_2_schema_classes() -> Vec<EntryInitNew> {
SCHEMA_CLASS_CLIENT_CERTIFICATE_DL7.clone().into(),
// DL8
SCHEMA_CLASS_ACCOUNT_POLICY_DL8.clone().into(),
SCHEMA_CLASS_APPLICATION_DL8.clone().into(),
SCHEMA_CLASS_PERSON_DL8.clone().into(),
// DL9
SCHEMA_CLASS_OAUTH2_RS_DL9.clone().into(),
// DL10
SCHEMA_CLASS_DOMAIN_INFO_DL10.clone().into(),
SCHEMA_CLASS_KEY_OBJECT_JWT_RS256.clone().into(),
// DL11
SCHEMA_CLASS_APPLICATION.clone().into(),
]
}

21
server/lib/src/migration_data/dl11/schema.rs
View file

@ -740,6 +740,14 @@ pub static ref SCHEMA_ATTR_APPLICATION_PASSWORD_DL8: SchemaAttribute = SchemaAtt
..Default::default()
};
pub static ref SCHEMA_ATTR_APPLICATION_URL: SchemaAttribute = SchemaAttribute {
uuid: UUID_SCHEMA_ATTR_APPLICATION_URL,
name: Attribute::ApplicationUrl,
description: "The URL of an external application".to_string(),
syntax: SyntaxType::Url,
..Default::default()
};
// === classes ===
pub static ref SCHEMA_CLASS_PERSON_DL8: SchemaClass = SchemaClass {
uuid: UUID_SCHEMA_CLASS_PERSON,
@ -1104,13 +1112,20 @@ pub static ref SCHEMA_CLASS_CLIENT_CERTIFICATE_DL7: SchemaClass = SchemaClass {
..Default::default()
};
pub static ref SCHEMA_CLASS_APPLICATION_DL8: SchemaClass = SchemaClass {
pub static ref SCHEMA_CLASS_APPLICATION: SchemaClass = SchemaClass {
uuid: UUID_SCHEMA_CLASS_APPLICATION,
name: EntryClass::Application.into(),
description: "The class representing an application".to_string(),
systemmust: vec![Attribute::Name, Attribute::LinkedGroup],
systemmay: vec![Attribute::Description],
systemmust: vec![Attribute::LinkedGroup],
systemmay: vec![
Attribute::ApplicationUrl,
],
// I think this could change before release - I can see a world
// whe we may want an oauth2 application to have application passwords,
// or for this to be it's own thing. But service accounts also don't
// quite do enough, they have api tokens, but that's all we kind
// of want from them?
systemsupplements: vec![EntryClass::ServiceAccount.into()],
..Default::default()
};

4
server/lib/src/plugins/base.rs
View file

@ -365,7 +365,7 @@ mod tests {
let create = vec![e];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,
@ -468,7 +468,7 @@ mod tests {
let create = vec![e];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,

2
server/lib/src/plugins/cred_import.rs
View file

@ -205,7 +205,7 @@ mod tests {
let create = vec![e];
run_create_test!(Ok(()), preload, create, None, |_| {});
run_create_test!(Ok(None), preload, create, None, |_| {});
}
#[test]

8
server/lib/src/plugins/dyngroup.rs
View file

@ -464,7 +464,7 @@ mod tests {
let create = vec![e_dyn];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,
@ -513,7 +513,7 @@ mod tests {
let create = vec![e_group];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,
@ -562,7 +562,7 @@ mod tests {
let create = vec![e_group];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,
@ -607,7 +607,7 @@ mod tests {
let create = vec![e_dyn, e_group];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,

2
server/lib/src/plugins/eckeygen.rs
View file

@ -108,7 +108,7 @@ mod tests {
let create = vec![ea];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,

8
server/lib/src/plugins/memberof.rs
View file

@ -858,7 +858,7 @@ mod tests {
let preload = Vec::with_capacity(0);
let create = vec![ea, eb];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,
@ -889,7 +889,7 @@ mod tests {
let preload = Vec::with_capacity(0);
let create = vec![ea, eb, ec];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,
@ -941,7 +941,7 @@ mod tests {
let preload = Vec::with_capacity(0);
let create = vec![ea, eb, ec];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,
@ -999,7 +999,7 @@ mod tests {
let preload = Vec::with_capacity(0);
let create = vec![ea, eb, ec, ed];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,

2
server/lib/src/plugins/namehistory.rs
View file

@ -181,7 +181,7 @@ mod tests {
let preload = Vec::with_capacity(0);
let create = vec![ea];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,

2
server/lib/src/plugins/oauth2.rs
View file

@ -153,7 +153,7 @@ mod tests {
let create = vec![e];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,

4
server/lib/src/plugins/refint.rs
View file

@ -501,7 +501,7 @@ mod tests {
let create = vec![eb];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,
@ -534,7 +534,7 @@ mod tests {
let create = vec![e_group];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,

4
server/lib/src/plugins/spn.rs
View file

@ -233,7 +233,7 @@ mod tests {
let preload = Vec::with_capacity(0);
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,
@ -286,7 +286,7 @@ mod tests {
let preload = Vec::with_capacity(0);
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,

4
server/lib/src/repl/consumer.rs
View file

@ -343,7 +343,7 @@ impl QueryServerWriteTransaction<'_> {
}
}
#[instrument(level = "info", skip_all)]
#[instrument(level = "debug", skip_all)]
fn consumer_apply_changes_v1(
&mut self,
ctx_domain_version: DomainVersion,
@ -394,7 +394,7 @@ impl QueryServerWriteTransaction<'_> {
})?;
// == ⚠️ Below this point we begin to make changes! ==
info!(
debug!(
"Proceeding to apply incremental from domain {:?} at level {}",
ctx_domain_uuid, ctx_domain_version
);

8
server/lib/src/repl/supplier.rs
View file

@ -148,14 +148,14 @@ impl QueryServerReadTransaction<'_> {
RangeDiffStatus::Ok(ranges) => ranges,
RangeDiffStatus::Refresh { lag_range } => {
error!("Replication - Consumer is lagging and must be refreshed.");
info!(?lag_range);
debug!(?lag_range);
debug!(consumer_ranges = ?ctx_ranges);
debug!(supplier_ranges = ?our_ranges);
return Ok(ReplIncrementalContext::RefreshRequired);
}
RangeDiffStatus::Unwilling { adv_range } => {
error!("Replication - Supplier is lagging and must be investigated.");
info!(?adv_range);
debug!(?adv_range);
debug!(consumer_ranges = ?ctx_ranges);
debug!(supplier_ranges = ?our_ranges);
return Ok(ReplIncrementalContext::UnwillingToSupply);
@ -164,9 +164,7 @@ impl QueryServerReadTransaction<'_> {
lag_range,
adv_range,
} => {
error!("Replication Critical - Consumers are advanced of us, and also lagging! This must be immediately investigated!");
info!(?lag_range);
info!(?adv_range);
error!(?adv_range, ?lag_range, "Replication Critical - Consumers are advanced of us, and also lagging! This must be immediately investigated!");
debug!(consumer_ranges = ?ctx_ranges);
debug!(supplier_ranges = ?our_ranges);
return Ok(ReplIncrementalContext::UnwillingToSupply);

11
server/lib/src/server/create.rs
View file

@ -7,7 +7,7 @@ impl QueryServerWriteTransaction<'_> {
/// The create event is a raw, read only representation of the request
/// that was made to us, including information about the identity
/// performing the request.
pub fn create(&mut self, ce: &CreateEvent) -> Result<(), OperationError> {
pub fn create(&mut self, ce: &CreateEvent) -> Result<Option<Vec<Uuid>>, OperationError> {
if !ce.ident.is_internal() {
security_info!(name = %ce.ident, "create initiator");
}
@ -174,7 +174,12 @@ impl QueryServerWriteTransaction<'_> {
} else {
admin_info!("Create operation success");
}
Ok(())
if ce.return_created_uuids {
Ok(Some(commit_cand.iter().map(|e| e.get_uuid()).collect()))
} else {
Ok(None)
}
}
pub fn internal_create(
@ -182,7 +187,7 @@ impl QueryServerWriteTransaction<'_> {
entries: Vec<Entry<EntryInit, EntryNew>>,
) -> Result<(), OperationError> {
let ce = CreateEvent::new_internal(entries);
self.create(&ce)
self.create(&ce).map(|_| ())
}
}

134
server/lib/src/server/mod.rs
View file

@ -28,8 +28,6 @@ use crate::schema::{
SchemaWriteTransaction,
};
use crate::value::{CredentialType, EXTRACT_VAL_DN};
use crate::valueset::uuid_to_proto_string;
use crate::valueset::ScimValueIntermediate;
use crate::valueset::*;
use concread::arcache::{ARCacheBuilder, ARCacheReadTxn, ARCacheWriteTxn};
use concread::cowcell::*;
@ -1004,138 +1002,6 @@ pub trait QueryServerTransaction<'a> {
}
}
fn resolve_scim_json_put(
&mut self,
attr: &Attribute,
value: Option<JsonValue>,
) -> Result<Option<ValueSet>, OperationError> {
let schema = self.get_schema();
// Lookup the attr
let Some(schema_a) = schema.get_attributes().get(attr) else {
// No attribute of this name exists - fail fast, there is no point to
// proceed, as nothing can be satisfied.
return Err(OperationError::InvalidAttributeName(attr.to_string()));
};
let Some(value) = value else {
// It's a none so the value needs to be unset, and the attr DOES exist in
// schema.
return Ok(None);
};
let resolve_status = match schema_a.syntax {
SyntaxType::Utf8String => ValueSetUtf8::from_scim_json_put(value),
SyntaxType::Utf8StringInsensitive => ValueSetIutf8::from_scim_json_put(value),
SyntaxType::Uuid => ValueSetUuid::from_scim_json_put(value),
SyntaxType::Boolean => ValueSetBool::from_scim_json_put(value),
SyntaxType::SyntaxId => ValueSetSyntax::from_scim_json_put(value),
SyntaxType::IndexId => ValueSetIndex::from_scim_json_put(value),
SyntaxType::ReferenceUuid => ValueSetRefer::from_scim_json_put(value),
SyntaxType::Utf8StringIname => ValueSetIname::from_scim_json_put(value),
SyntaxType::NsUniqueId => ValueSetNsUniqueId::from_scim_json_put(value),
SyntaxType::DateTime => ValueSetDateTime::from_scim_json_put(value),
SyntaxType::EmailAddress => ValueSetEmailAddress::from_scim_json_put(value),
SyntaxType::Url => ValueSetUrl::from_scim_json_put(value),
SyntaxType::OauthScope => ValueSetOauthScope::from_scim_json_put(value),
SyntaxType::OauthScopeMap => ValueSetOauthScopeMap::from_scim_json_put(value),
SyntaxType::OauthClaimMap => ValueSetOauthClaimMap::from_scim_json_put(value),
SyntaxType::UiHint => ValueSetUiHint::from_scim_json_put(value),
SyntaxType::CredentialType => ValueSetCredentialType::from_scim_json_put(value),
SyntaxType::Certificate => ValueSetCertificate::from_scim_json_put(value),
SyntaxType::SshKey => ValueSetSshKey::from_scim_json_put(value),
SyntaxType::Uint32 => ValueSetUint32::from_scim_json_put(value),
// Not Yet ... if ever
// SyntaxType::JsonFilter => ValueSetJsonFilter::from_scim_json_put(value),
SyntaxType::JsonFilter => Err(OperationError::InvalidAttribute(
"Json Filters are not able to be set.".to_string(),
)),
// Can't be set currently as these are only internally generated for key-id's
// SyntaxType::HexString => ValueSetHexString::from_scim_json_put(value),
SyntaxType::HexString => Err(OperationError::InvalidAttribute(
"Hex strings are not able to be set.".to_string(),
)),
// Can't be set until we have better error handling in the set paths
// SyntaxType::Image => ValueSetImage::from_scim_json_put(value),
SyntaxType::Image => Err(OperationError::InvalidAttribute(
"Images are not able to be set.".to_string(),
)),
// Can't be set yet, mostly as I'm lazy
// SyntaxType::WebauthnAttestationCaList => {
// ValueSetWebauthnAttestationCaList::from_scim_json_put(value)
// }
SyntaxType::WebauthnAttestationCaList => Err(OperationError::InvalidAttribute(
"Webauthn Attestation Ca Lists are not able to be set.".to_string(),
)),
// Syntax types that can not be submitted
SyntaxType::Credential => Err(OperationError::InvalidAttribute(
"Credentials are not able to be set.".to_string(),
)),
SyntaxType::SecretUtf8String => Err(OperationError::InvalidAttribute(
"Secrets are not able to be set.".to_string(),
)),
SyntaxType::SecurityPrincipalName => Err(OperationError::InvalidAttribute(
"SPNs are not able to be set.".to_string(),
)),
SyntaxType::Cid => Err(OperationError::InvalidAttribute(
"CIDs are not able to be set.".to_string(),
)),
SyntaxType::PrivateBinary => Err(OperationError::InvalidAttribute(
"Private Binaries are not able to be set.".to_string(),
)),
SyntaxType::IntentToken => Err(OperationError::InvalidAttribute(
"Intent Tokens are not able to be set.".to_string(),
)),
SyntaxType::Passkey => Err(OperationError::InvalidAttribute(
"Passkeys are not able to be set.".to_string(),
)),
SyntaxType::AttestedPasskey => Err(OperationError::InvalidAttribute(
"Attested Passkeys are not able to be set.".to_string(),
)),
SyntaxType::Session => Err(OperationError::InvalidAttribute(
"Sessions are not able to be set.".to_string(),
)),
SyntaxType::JwsKeyEs256 => Err(OperationError::InvalidAttribute(
"Jws ES256 Private Keys are not able to be set.".to_string(),
)),
SyntaxType::JwsKeyRs256 => Err(OperationError::InvalidAttribute(
"Jws RS256 Private Keys are not able to be set.".to_string(),
)),
SyntaxType::Oauth2Session => Err(OperationError::InvalidAttribute(
"Sessions are not able to be set.".to_string(),
)),
SyntaxType::TotpSecret => Err(OperationError::InvalidAttribute(
"TOTP Secrets are not able to be set.".to_string(),
)),
SyntaxType::ApiToken => Err(OperationError::InvalidAttribute(
"API Tokens are not able to be set.".to_string(),
)),
SyntaxType::AuditLogString => Err(OperationError::InvalidAttribute(
"Audit Strings are not able to be set.".to_string(),
)),
SyntaxType::EcKeyPrivate => Err(OperationError::InvalidAttribute(
"EC Private Keys are not able to be set.".to_string(),
)),
SyntaxType::KeyInternal => Err(OperationError::InvalidAttribute(
"Key Internal Structures are not able to be set.".to_string(),
)),
SyntaxType::ApplicationPassword => Err(OperationError::InvalidAttribute(
"Application Passwords are not able to be set.".to_string(),
)),
}?;
match resolve_status {
ValueSetResolveStatus::Resolved(vs) => Ok(vs),
ValueSetResolveStatus::NeedsResolution(vs_inter) => {
self.resolve_valueset_intermediate(vs_inter)
}
}
.map(Some)
}
fn resolve_valueset_intermediate(
&mut self,
vs_inter: ValueSetIntermediate,

315
server/lib/src/server/scim.rs
View file

@ -1,23 +1,27 @@
use crate::prelude::*;
use crate::schema::{SchemaAttribute, SchemaTransaction};
use crate::server::batch_modify::{BatchModifyEvent, ModSetValid};
use kanidm_proto::scim_v1::client::ScimEntryPutGeneric;
use crate::server::ValueSetResolveStatus;
use crate::valueset::*;
use kanidm_proto::scim_v1::client::{ScimEntryPostGeneric, ScimEntryPutGeneric};
use kanidm_proto::scim_v1::JsonValue;
use std::collections::BTreeMap;
#[derive(Debug, Clone)]
#[derive(Debug)]
pub struct ScimEntryPutEvent {
/// The identity performing the change.
pub ident: Identity,
pub(crate) ident: Identity,
// future - etags to detect version changes.
/// The target entry that will be changed
pub target: Uuid,
pub(crate) target: Uuid,
/// Update an attribute to contain the following value state.
/// If the attribute is None, it is removed.
pub attrs: BTreeMap<Attribute, Option<ValueSet>>,
pub(crate) attrs: BTreeMap<Attribute, Option<ValueSet>>,
/// If an effective access check should be carried out post modification
/// of the entries
pub effective_access_check: bool,
pub(crate) effective_access_check: bool,
}
impl ScimEntryPutEvent {
@ -48,6 +52,60 @@ impl ScimEntryPutEvent {
}
}
#[derive(Debug)]
pub struct ScimCreateEvent {
pub(crate) ident: Identity,
pub(crate) entry: EntryInitNew,
}
impl ScimCreateEvent {
pub fn try_from(
ident: Identity,
classes: &[EntryClass],
entry: ScimEntryPostGeneric,
qs: &mut QueryServerWriteTransaction,
) -> Result<Self, OperationError> {
let mut entry = entry
.attrs
.into_iter()
.map(|(attr, json_value)| {
qs.resolve_scim_json_post(&attr, json_value)
.map(|kani_value| (attr, kani_value))
})
.collect::<Result<EntryInitNew, _>>()?;
let classes = ValueSetIutf8::from_iter(classes.iter().map(|cls| cls.as_ref()))
.ok_or(OperationError::SC0027ClassSetInvalid)?;
entry.set_ava_set(&Attribute::Class, classes);
Ok(ScimCreateEvent { ident, entry })
}
}
#[derive(Debug)]
pub struct ScimDeleteEvent {
/// The identity performing the change.
pub(crate) ident: Identity,
// future - etags to detect version changes.
/// The target entry that will be changed
pub(crate) target: Uuid,
/// The class of the target entry.
pub(crate) class: EntryClass,
}
impl ScimDeleteEvent {
pub fn new(ident: Identity, target: Uuid, class: EntryClass) -> Self {
ScimDeleteEvent {
ident,
target,
class,
}
}
}
impl QueryServerWriteTransaction<'_> {
/// SCIM PUT is the handler where a single entry is updated. In a SCIM PUT request
/// the request defines the state of an attribute in entirety for the update. This
@ -115,6 +173,251 @@ impl QueryServerWriteTransaction<'_> {
}
}
}
pub fn scim_create(
&mut self,
scim_create: ScimCreateEvent,
) -> Result<ScimEntryKanidm, OperationError> {
let ScimCreateEvent { ident, entry } = scim_create;
let create_event = CreateEvent {
ident,
entries: vec![entry],
return_created_uuids: true,
};
let changed_uuids = self.create(&create_event)?;
let mut changed_uuids = changed_uuids.ok_or(OperationError::SC0028CreatedUuidsInvalid)?;
let target = if let Some(target) = changed_uuids.pop() {
if !changed_uuids.is_empty() {
// Too many results!
return Err(OperationError::UniqueConstraintViolation);
}
target
} else {
// No results!
return Err(OperationError::NoMatchingEntries);
};
// Now get the entry. We handle a lot of the errors here nicely,
// but if we got to this point, they really can't happen.
let filter_intent = filter!(f_and!([f_eq(Attribute::Uuid, PartialValue::Uuid(target))]));
let f_intent_valid = filter_intent
.validate(self.get_schema())
.map_err(OperationError::SchemaViolation)?;
let f_valid = f_intent_valid.clone().into_ignore_hidden();
let se = SearchEvent {
ident: create_event.ident,
filter: f_valid,
filter_orig: f_intent_valid,
// Return all attributes
attrs: None,
effective_access_check: false,
};
let mut vs = self.search_ext(&se)?;
match vs.pop() {
Some(entry) if vs.is_empty() => entry.to_scim_kanidm(self),
_ => {
if vs.is_empty() {
Err(OperationError::NoMatchingEntries)
} else {
// Multiple entries matched, should not be possible!
Err(OperationError::UniqueConstraintViolation)
}
}
}
}
pub fn scim_delete(&mut self, scim_delete: ScimDeleteEvent) -> Result<(), OperationError> {
let ScimDeleteEvent {
ident,
target,
class,
} = scim_delete;
let filter_intent = filter!(f_eq(Attribute::Uuid, PartialValue::Uuid(target)));
let f_intent_valid = filter_intent
.validate(self.get_schema())
.map_err(OperationError::SchemaViolation)?;
let filter = filter!(f_and!([
f_eq(Attribute::Uuid, PartialValue::Uuid(target)),
f_eq(Attribute::Class, class.into())
]));
let f_valid = filter
.validate(self.get_schema())
.map_err(OperationError::SchemaViolation)?;
let de = DeleteEvent {
ident,
filter: f_valid,
filter_orig: f_intent_valid,
};
self.delete(&de)
}
pub(crate) fn resolve_scim_json_put(
&mut self,
attr: &Attribute,
value: Option<JsonValue>,
) -> Result<Option<ValueSet>, OperationError> {
let schema = self.get_schema();
// Lookup the attr
let Some(schema_a) = schema.get_attributes().get(attr) else {
// No attribute of this name exists - fail fast, there is no point to
// proceed, as nothing can be satisfied.
return Err(OperationError::InvalidAttributeName(attr.to_string()));
};
let Some(value) = value else {
// It's a none so the value needs to be unset, and the attr DOES exist in
// schema.
return Ok(None);
};
self.resolve_scim_json(schema_a, value).map(Some)
}
pub(crate) fn resolve_scim_json_post(
&mut self,
attr: &Attribute,
value: JsonValue,
) -> Result<ValueSet, OperationError> {
let schema = self.get_schema();
// Lookup the attr
let Some(schema_a) = schema.get_attributes().get(attr) else {
// No attribute of this name exists - fail fast, there is no point to
// proceed, as nothing can be satisfied.
return Err(OperationError::InvalidAttributeName(attr.to_string()));
};
self.resolve_scim_json(schema_a, value)
}
fn resolve_scim_json(
&mut self,
schema_a: &SchemaAttribute,
value: JsonValue,
) -> Result<ValueSet, OperationError> {
let resolve_status = match schema_a.syntax {
SyntaxType::Utf8String => ValueSetUtf8::from_scim_json_put(value),
SyntaxType::Utf8StringInsensitive => ValueSetIutf8::from_scim_json_put(value),
SyntaxType::Uuid => ValueSetUuid::from_scim_json_put(value),
SyntaxType::Boolean => ValueSetBool::from_scim_json_put(value),
SyntaxType::SyntaxId => ValueSetSyntax::from_scim_json_put(value),
SyntaxType::IndexId => ValueSetIndex::from_scim_json_put(value),
SyntaxType::ReferenceUuid => ValueSetRefer::from_scim_json_put(value),
SyntaxType::Utf8StringIname => ValueSetIname::from_scim_json_put(value),
SyntaxType::NsUniqueId => ValueSetNsUniqueId::from_scim_json_put(value),
SyntaxType::DateTime => ValueSetDateTime::from_scim_json_put(value),
SyntaxType::EmailAddress => ValueSetEmailAddress::from_scim_json_put(value),
SyntaxType::Url => ValueSetUrl::from_scim_json_put(value),
SyntaxType::OauthScope => ValueSetOauthScope::from_scim_json_put(value),
SyntaxType::OauthScopeMap => ValueSetOauthScopeMap::from_scim_json_put(value),
SyntaxType::OauthClaimMap => ValueSetOauthClaimMap::from_scim_json_put(value),
SyntaxType::UiHint => ValueSetUiHint::from_scim_json_put(value),
SyntaxType::CredentialType => ValueSetCredentialType::from_scim_json_put(value),
SyntaxType::Certificate => ValueSetCertificate::from_scim_json_put(value),
SyntaxType::SshKey => ValueSetSshKey::from_scim_json_put(value),
SyntaxType::Uint32 => ValueSetUint32::from_scim_json_put(value),
// Not Yet ... if ever
// SyntaxType::JsonFilter => ValueSetJsonFilter::from_scim_json_put(value),
SyntaxType::JsonFilter => Err(OperationError::InvalidAttribute(
"Json Filters are not able to be set.".to_string(),
)),
// Can't be set currently as these are only internally generated for key-id's
// SyntaxType::HexString => ValueSetHexString::from_scim_json_put(value),
SyntaxType::HexString => Err(OperationError::InvalidAttribute(
"Hex strings are not able to be set.".to_string(),
)),
// Can't be set until we have better error handling in the set paths
// SyntaxType::Image => ValueSetImage::from_scim_json_put(value),
SyntaxType::Image => Err(OperationError::InvalidAttribute(
"Images are not able to be set.".to_string(),
)),
// Can't be set yet, mostly as I'm lazy
// SyntaxType::WebauthnAttestationCaList => {
// ValueSetWebauthnAttestationCaList::from_scim_json_put(value)
// }
SyntaxType::WebauthnAttestationCaList => Err(OperationError::InvalidAttribute(
"Webauthn Attestation Ca Lists are not able to be set.".to_string(),
)),
// Syntax types that can not be submitted
SyntaxType::Credential => Err(OperationError::InvalidAttribute(
"Credentials are not able to be set.".to_string(),
)),
SyntaxType::SecretUtf8String => Err(OperationError::InvalidAttribute(
"Secrets are not able to be set.".to_string(),
)),
SyntaxType::SecurityPrincipalName => Err(OperationError::InvalidAttribute(
"SPNs are not able to be set.".to_string(),
)),
SyntaxType::Cid => Err(OperationError::InvalidAttribute(
"CIDs are not able to be set.".to_string(),
)),
SyntaxType::PrivateBinary => Err(OperationError::InvalidAttribute(
"Private Binaries are not able to be set.".to_string(),
)),
SyntaxType::IntentToken => Err(OperationError::InvalidAttribute(
"Intent Tokens are not able to be set.".to_string(),
)),
SyntaxType::Passkey => Err(OperationError::InvalidAttribute(
"Passkeys are not able to be set.".to_string(),
)),
SyntaxType::AttestedPasskey => Err(OperationError::InvalidAttribute(
"Attested Passkeys are not able to be set.".to_string(),
)),
SyntaxType::Session => Err(OperationError::InvalidAttribute(
"Sessions are not able to be set.".to_string(),
)),
SyntaxType::JwsKeyEs256 => Err(OperationError::InvalidAttribute(
"Jws ES256 Private Keys are not able to be set.".to_string(),
)),
SyntaxType::JwsKeyRs256 => Err(OperationError::InvalidAttribute(
"Jws RS256 Private Keys are not able to be set.".to_string(),
)),
SyntaxType::Oauth2Session => Err(OperationError::InvalidAttribute(
"Sessions are not able to be set.".to_string(),
)),
SyntaxType::TotpSecret => Err(OperationError::InvalidAttribute(
"TOTP Secrets are not able to be set.".to_string(),
)),
SyntaxType::ApiToken => Err(OperationError::InvalidAttribute(
"API Tokens are not able to be set.".to_string(),
)),
SyntaxType::AuditLogString => Err(OperationError::InvalidAttribute(
"Audit Strings are not able to be set.".to_string(),
)),
SyntaxType::EcKeyPrivate => Err(OperationError::InvalidAttribute(
"EC Private Keys are not able to be set.".to_string(),
)),
SyntaxType::KeyInternal => Err(OperationError::InvalidAttribute(
"Key Internal Structures are not able to be set.".to_string(),
)),
SyntaxType::ApplicationPassword => Err(OperationError::InvalidAttribute(
"Application Passwords are not able to be set.".to_string(),
)),
}?;
match resolve_status {
ValueSetResolveStatus::Resolved(vs) => Ok(vs),
ValueSetResolveStatus::NeedsResolution(vs_inter) => {
self.resolve_valueset_intermediate(vs_inter)
}
}
}
}
#[cfg(test)]

59
server/lib/src/valueset/ssh.rs
View file

@ -252,4 +252,63 @@ mod tests {
// Test that we can parse json values into a valueset.
crate::valueset::scim_json_put_reflexive::<ValueSetSshKey>(&vs, &[])
}
#[test]
/// this is a test case for bad characters in SSH keys
fn test_invalid_character() {
let ecdsa = concat!("ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEÀAAAIbmlzdHA1MjEAAACFBAGyIY7o3B",
// ^ note the À here
"tOzRiJ9vvjj96bRImwmyy5GvFSIUPlK00HitiAWGhiO1jGZKmK7220Oe4rqU3uAwA00a0758UODs+0OQHLMDRtl81l",
"zPrVSdrYEDldxH9+a86dBZhdm0è15+ODDts2LHUknsJCRRldO4o9R9VrohlF7cbyBlnhJQrR4S+Oag== william@a",
"methyst");
println!("bytes of À {:?}", "À".as_bytes());
let found_index = ecdsa.find("À").expect("Failed to find è in string");
assert_eq!(found_index, 51, "Expected index 51");
let bad_ssh_error = SshPublicKey::from_string(ecdsa);
assert!(
bad_ssh_error.is_err(),
"Expected error, but got: {:?}",
bad_ssh_error
);
if let Err(err) = bad_ssh_error {
assert_eq!(
err.to_string(),
format!("Invalid symbol 195, offset {}.", found_index - 20)
); // the offset is 31 because the string has a 20 character leading key type plus the space
}
}
#[test]
/// this is a test case for bad characters in SSH keys
fn test_assert_comments() {
// Comment is okay.
let ecdsa = concat!("ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGyIY7o3B",
"tOzRiJ9vvjj96bRImwmyy5GvFSIUPlK00HitiAWGhiO1jGZKmK7220Oe4rqU3uAwA00a0758UODs+0OQHLMDRtl81l",
"zPrVSdrYEDldxH9+a86dBZhdm0e15+ODDts2LHUknsJCRRldO4o9R9VrohlF7cbyBlnhJQrR4S+Oag== william@a",
"methyst");
let _ = SshPublicKey::from_string(ecdsa).unwrap();
// No comment is okay.
let ecdsa = concat!("ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGyIY7o3B",
"tOzRiJ9vvjj96bRImwmyy5GvFSIUPlK00HitiAWGhiO1jGZKmK7220Oe4rqU3uAwA00a0758UODs+0OQHLMDRtl81l",
"zPrVSdrYEDldxH9+a86dBZhdm0e15+ODDts2LHUknsJCRRldO4o9R9VrohlF7cbyBlnhJQrR4S+Oag==");
let _ = SshPublicKey::from_string(ecdsa).unwrap();
// No comment is okay (spaces to end of line)
let ecdsa = concat!("ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGyIY7o3B",
"tOzRiJ9vvjj96bRImwmyy5GvFSIUPlK00HitiAWGhiO1jGZKmK7220Oe4rqU3uAwA00a0758UODs+0OQHLMDRtl81l",
"zPrVSdrYEDldxH9+a86dBZhdm0e15+ODDts2LHUknsJCRRldO4o9R9VrohlF7cbyBlnhJQrR4S+Oag== ");
let _ = SshPublicKey::from_string(ecdsa).unwrap();
// Comment may have spaces
let ecdsa = concat!("ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGyIY7o3B",
"tOzRiJ9vvjj96bRImwmyy5GvFSIUPlK00HitiAWGhiO1jGZKmK7220Oe4rqU3uAwA00a0758UODs+0OQHLMDRtl81l",
"zPrVSdrYEDldxH9+a86dBZhdm0e15+ODDts2LHUknsJCRRldO4o9R9VrohlF7cbyBlnhJQrR4S+Oag== I'm a giraffe! ");
let _ = SshPublicKey::from_string(ecdsa).unwrap();
}
}

7
server/lib/src/valueset/uuid.rs
View file

@ -238,6 +238,13 @@ impl ValueSetScimPut for ValueSetRefer {
fn from_scim_json_put(value: JsonValue) -> Result<ValueSetResolveStatus, OperationError> {
use kanidm_proto::scim_v1::client::{ScimReference, ScimReferences};
// May be a single reference, lets wrap it in an array to proceed.
let value = if !value.is_array() && value.is_object() {
JsonValue::Array(vec![value])
} else {
value
};
let scim_refs: ScimReferences = serde_json::from_value(value).map_err(|err| {
warn!(?err, "Invalid SCIM reference set syntax");
OperationError::SC0002ReferenceSyntaxInvalid

1
server/testkit/Cargo.toml
View file

@ -48,6 +48,7 @@ url = { workspace = true, features = ["serde"] }
kanidm_build_profiles = { workspace = true }
[dev-dependencies]
cidr = { workspace = true }
compact_jwt = { workspace = true }
escargot = "0.5.13"
# used for webdriver testing

7
server/testkit/tests/testkit/ip_addr_extractors.rs
View file

@ -1,3 +1,4 @@
use cidr::IpCidr;
use kanidm_client::KanidmClient;
use kanidm_proto::constants::X_FORWARDED_FOR;
use kanidmd_core::config::HttpAddressInfo;
@ -51,7 +52,7 @@ async fn dont_trust_xff_send_header(rsclient: &KanidmClient) {
// =====================================================
// *test where we do trust the x-forwarded-for header
#[kanidmd_testkit::test(http_client_address_info = HttpAddressInfo::XForwardFor ( [DEFAULT_IP_ADDRESS].into() ))]
#[kanidmd_testkit::test(http_client_address_info = HttpAddressInfo::XForwardFor ( [IpCidr::from(DEFAULT_IP_ADDRESS)].into() ))]
async fn trust_xff_address_set(rsclient: &KanidmClient) {
inner_test_trust_xff(rsclient).await;
}
@ -284,7 +285,7 @@ async fn proxy_v2_make_request(
Ok(ip_res)
}
#[kanidmd_testkit::test(with_test_env = true, http_client_address_info = HttpAddressInfo::ProxyV2 ( [DEFAULT_IP_ADDRESS].into() ))]
#[kanidmd_testkit::test(with_test_env = true, http_client_address_info = HttpAddressInfo::ProxyV2 ( [IpCidr::from(DEFAULT_IP_ADDRESS)].into() ))]
async fn trust_proxy_v2_address_set(test_env: &AsyncTestEnvironment) {
// Send with no header - with proxy v2, a header is ALWAYS required
let proxy_hdr: [u8; 0] = [];
@ -308,7 +309,7 @@ async fn trust_proxy_v2_address_set(test_env: &AsyncTestEnvironment) {
assert_eq!(res, IpAddr::V4(Ipv4Addr::new(172, 24, 12, 118)));
}
#[kanidmd_testkit::test(with_test_env = true, http_client_address_info = HttpAddressInfo::ProxyV2 ( [ IpAddr::V4(Ipv4Addr::new(10, 0, 0, 1)) ].into() ))]
#[kanidmd_testkit::test(with_test_env = true, http_client_address_info = HttpAddressInfo::ProxyV2 ( [ IpCidr::from(Ipv4Addr::new(10, 0, 0, 1)) ].into() ))]
async fn trust_proxy_v2_untrusted(test_env: &AsyncTestEnvironment) {
// Send with a valid header, but we aren't a trusted source.
let proxy_hdr =

79
server/testkit/tests/testkit/ldap_basic.rs
View file

@ -1,5 +1,10 @@
use kanidmd_testkit::AsyncTestEnvironment;
use kanidm_proto::scim_v1::client::{ScimEntryApplicationPost, ScimReference};
use kanidmd_testkit::{AsyncTestEnvironment, IDM_ADMIN_TEST_PASSWORD, IDM_ADMIN_TEST_USER};
use ldap3_client::LdapClientBuilder;
use tracing::debug;
const TEST_PERSON: &str = "user_mcuserton";
const TEST_GROUP: &str = "group_mcgroupington";
#[kanidmd_testkit::test(ldap = true)]
async fn test_ldap_basic_unix_bind(test_env: &AsyncTestEnvironment) {
@ -14,3 +19,75 @@ async fn test_ldap_basic_unix_bind(test_env: &AsyncTestEnvironment) {
assert_eq!(whoami, Some("u: anonymous@localhost".to_string()));
}
#[kanidmd_testkit::test(ldap = true)]
async fn test_ldap_application_password_basic(test_env: &AsyncTestEnvironment) {
const APPLICATION_1_NAME: &str = "test_application_1";
// Remember, this isn't the exhaustive test for application password behaviours,
// those are in the main server. This is just a basic smoke test that the interfaces
// are exposed and work in a basic manner.
let idm_admin_rsclient = test_env.rsclient.new_session().unwrap();
// Create a person
idm_admin_rsclient
.auth_simple_password(IDM_ADMIN_TEST_USER, IDM_ADMIN_TEST_PASSWORD)
.await
.expect("Failed to login as admin");
idm_admin_rsclient
.idm_person_account_create(TEST_PERSON, TEST_PERSON)
.await
.expect("Failed to create the user");
idm_admin_rsclient
.idm_group_create(TEST_GROUP, None)
.await
.expect("Failed to create test group");
// Create two applications
let application_1 = ScimEntryApplicationPost {
name: APPLICATION_1_NAME.to_string(),
displayname: APPLICATION_1_NAME.to_string(),
linked_group: ScimReference::from(TEST_GROUP),
};
let application_entry = idm_admin_rsclient
.idm_application_create(&application_1)
.await
.expect("Failed to create the user");
debug!(?application_entry);
// List, get them.
// Login as the person
// Create application passwords
// Check the work.
// Check they can't cross talk.
// Done!
// let ldap_url = test_env.ldap_url.as_ref().unwrap();
// let mut ldap_client = LdapClientBuilder::new(ldap_url).build().await.unwrap();
let result = idm_admin_rsclient
.idm_application_delete(APPLICATION_1_NAME)
.await
.expect("Failed to create the user");
debug!(?result);
// Delete the applications
// Check that you can no longer bind.
// They no longer list
}