-7

pkgs/by-name/ka/kanidm/1_4.nix

reviewed

··· 1 1 - import ./generic.nix { 2 2 - version = "1.4.6"; 3 3 - hash = "sha256-pjJyq52wO5p34LN2Jmt0npgWBDcWin8gIX4skZ7Ff8E="; 4 4 - cargoHash = "sha256-33HRoH/vWPe/wOZJtQLWV9eBocbj0iR/XUu4zMehu8M="; 5 5 - patchDir = ./patches/1_4; 6 6 - unsupported = true; 7 7 - }

+1

pkgs/by-name/ka/kanidm/1_5.nix

reviewed

··· 3 3 hash = "sha256-swrqyjA7Wgq17vd+753LDFcXrSFixVNLhTvj1bhG3DU="; 4 4 cargoHash = "sha256-72IwS8Nk1y6xDH9y8JW2LpbhFWaq0tpORx7JQSCF5/M="; 5 5 patchDir = ./patches/1_5; 6 6 + unsupported = true; 6 7 }

+4 -8

pkgs/by-name/ka/kanidm/README.md

reviewed

··· 21 21 1. Update `all-packages.nix` to add `kanidm_1_5` and `kanidmWithSecretProvisioning_1_5`, leave default 22 22 1. Create commit, `kanidm_1_5: init at 1.5.0` - this is the only commit that will be backported 23 23 24 24 - ### Mark previous version deprecated 25 25 - 26 26 - 1. Update `pkgs/by-name/ka/kanidm/1_4.nix` by adding `deprecated = true;` 27 27 - 1. Create commit `kanidm_1_4: update default to 1.5.0, deprecate 1.4.0` 28 28 - 29 29 - ### Update default and mark deprecation 24 24 + ### Update default 30 25 31 26 1. `sed -i 's/1_4/1_5/' pkgs/by-name/ka/kanidm/package.nix` 32 27 1. Update `all-packages.nix` and set `kanidmWithSecretProvisioning = kanidmWithSecretProvisioning_1_5;` ··· 36 41 Kanidm versions are supported for 30 days after the release of new versions. Following the example above, 1.5.x superseding 1.4.x in 30 days, do the following near the end of the 30 day window 37 42 38 43 1. Update `pkgs/by-name/ka/kanidm/1_4.nix` by adding `unsupported = true;` 39 39 - 1. Update `pkgs/top-level/release.nix` and add `kanidm_1_4-1.4.6` to `permittedInsecurePackages` 44 44 + 1. Update `pkgs/top-level/release.nix` and add `kanidm_1_4-1.4.6` and `kanidmWithSecretProvisioning_1_4-1.4.6` to `permittedInsecurePackages` 40 45 1. Create commit `kanidm_1_4: mark EOL`, this commit alone should be backported 41 46 42 47 1. Remove the third oldest release from `all-packages.nix`, e.g. 1.3.x continuing the example. Remove `kanidm_1_3` and `kanidmWithSecretProvisioning_1_3` 43 43 - 1. Update `pkgs/top-level/release.nix` and remove `kanidm_1_3-1.3.3` from `permittedInsecurePackages` 48 48 + 1. Update `pkgs/top-level/release.nix` and remove `kanidm_1_3*` from `permittedInsecurePackages` 49 49 + 1. Update `pkgs/top-level/aliases.nix` and add `kanidm_1_4` and `kanidmWithSecretProvisioning_1_4-1.4.6` 44 50 1. Remove `pkgs/by-name/ka/kanidm/1_3.nix`

-303

pkgs/by-name/ka/kanidm/patches/1_3/oauth2-basic-secret-modify.patch

reviewed

··· 1 1 - From 44dfbc2b9dccce86c7d7e7b54db4c989344b8c56 Mon Sep 17 00:00:00 2001 2 2 - From: oddlama <oddlama@oddlama.org> 3 3 - Date: Mon, 12 Aug 2024 23:17:25 +0200 4 4 - Subject: [PATCH 1/2] oauth2 basic secret modify 5 5 - 6 6 - --- 7 7 - server/core/src/actors/v1_write.rs | 42 ++++++++++++++++++++++++++++++ 8 8 - server/core/src/https/v1.rs | 6 ++++- 9 9 - server/core/src/https/v1_oauth2.rs | 29 +++++++++++++++++++++ 10 10 - server/lib/src/constants/acp.rs | 6 +++++ 11 11 - 4 files changed, 82 insertions(+), 1 deletion(-) 12 12 - 13 13 - diff --git a/server/core/src/actors/v1_write.rs b/server/core/src/actors/v1_write.rs 14 14 - index e00a969fb..1cacc67b8 100644 15 15 - --- a/server/core/src/actors/v1_write.rs 16 16 - +++ b/server/core/src/actors/v1_write.rs 17 17 - @@ -315,20 +315,62 @@ impl QueryServerWriteV1 { 18 18 - }; 19 19 - 20 20 - trace!(?del, "Begin delete event"); 21 21 - 22 22 - idms_prox_write 23 23 - .qs_write 24 24 - .delete(&del) 25 25 - .and_then(|_| idms_prox_write.commit().map(|_| ())) 26 26 - } 27 27 - 28 28 - + #[instrument( 29 29 - + level = "info", 30 30 - + skip_all, 31 31 - + fields(uuid = ?eventid) 32 32 - + )] 33 33 - + pub async fn handle_oauth2_basic_secret_write( 34 34 - + &self, 35 35 - + client_auth_info: ClientAuthInfo, 36 36 - + filter: Filter<FilterInvalid>, 37 37 - + new_secret: String, 38 38 - + eventid: Uuid, 39 39 - + ) -> Result<(), OperationError> { 40 40 - + // Given a protoEntry, turn this into a modification set. 41 41 - + let ct = duration_from_epoch_now(); 42 42 - + let mut idms_prox_write = self.idms.proxy_write(ct).await; 43 43 - + let ident = idms_prox_write 44 44 - + .validate_client_auth_info_to_ident(client_auth_info, ct) 45 45 - + .map_err(|e| { 46 46 - + admin_error!(err = ?e, "Invalid identity"); 47 47 - + e 48 48 - + })?; 49 49 - + 50 50 - + let modlist = ModifyList::new_purge_and_set( 51 51 - + Attribute::OAuth2RsBasicSecret, 52 52 - + Value::SecretValue(new_secret), 53 53 - + ); 54 54 - + 55 55 - + let mdf = 56 56 - + ModifyEvent::from_internal_parts(ident, &modlist, &filter, &idms_prox_write.qs_write) 57 57 - + .map_err(|e| { 58 58 - + admin_error!(err = ?e, "Failed to begin modify during handle_oauth2_basic_secret_write"); 59 59 - + e 60 60 - + })?; 61 61 - + 62 62 - + trace!(?mdf, "Begin modify event"); 63 63 - + 64 64 - + idms_prox_write 65 65 - + .qs_write 66 66 - + .modify(&mdf) 67 67 - + .and_then(|_| idms_prox_write.commit()) 68 68 - + } 69 69 - + 70 70 - #[instrument( 71 71 - level = "info", 72 72 - skip_all, 73 73 - fields(uuid = ?eventid) 74 74 - )] 75 75 - pub async fn handle_reviverecycled( 76 76 - &self, 77 77 - client_auth_info: ClientAuthInfo, 78 78 - filter: Filter<FilterInvalid>, 79 79 - eventid: Uuid, 80 80 - diff --git a/server/core/src/https/v1.rs b/server/core/src/https/v1.rs 81 81 - index 8aba83bb2..f1f815026 100644 82 82 - --- a/server/core/src/https/v1.rs 83 83 - +++ b/server/core/src/https/v1.rs 84 84 - @@ -1,17 +1,17 @@ 85 85 - //! The V1 API things! 86 86 - 87 87 - use axum::extract::{Path, State}; 88 88 - use axum::http::{HeaderMap, HeaderValue}; 89 89 - use axum::middleware::from_fn; 90 90 - use axum::response::{IntoResponse, Response}; 91 91 - -use axum::routing::{delete, get, post, put}; 92 92 - +use axum::routing::{delete, get, post, put, patch}; 93 93 - use axum::{Extension, Json, Router}; 94 94 - use axum_extra::extract::cookie::{Cookie, CookieJar, SameSite}; 95 95 - use compact_jwt::{Jwk, Jws, JwsSigner}; 96 96 - use kanidm_proto::constants::uri::V1_AUTH_VALID; 97 97 - use std::net::IpAddr; 98 98 - use uuid::Uuid; 99 99 - 100 100 - use kanidm_proto::internal::{ 101 101 - ApiToken, AppLink, CUIntentToken, CURequest, CUSessionToken, CUStatus, CreateRequest, 102 102 - CredentialStatus, DeleteRequest, IdentifyUserRequest, IdentifyUserResponse, ModifyRequest, 103 103 - @@ -3119,20 +3119,24 @@ pub(crate) fn route_setup(state: ServerState) -> Router<ServerState> { 104 104 - ) 105 105 - .route( 106 106 - "/v1/oauth2/:rs_name/_image", 107 107 - post(super::v1_oauth2::oauth2_id_image_post) 108 108 - .delete(super::v1_oauth2::oauth2_id_image_delete), 109 109 - ) 110 110 - .route( 111 111 - "/v1/oauth2/:rs_name/_basic_secret", 112 112 - get(super::v1_oauth2::oauth2_id_get_basic_secret), 113 113 - ) 114 114 - + .route( 115 115 - + "/v1/oauth2/:rs_name/_basic_secret", 116 116 - + patch(super::v1_oauth2::oauth2_id_patch_basic_secret), 117 117 - + ) 118 118 - .route( 119 119 - "/v1/oauth2/:rs_name/_scopemap/:group", 120 120 - post(super::v1_oauth2::oauth2_id_scopemap_post) 121 121 - .delete(super::v1_oauth2::oauth2_id_scopemap_delete), 122 122 - ) 123 123 - .route( 124 124 - "/v1/oauth2/:rs_name/_sup_scopemap/:group", 125 125 - post(super::v1_oauth2::oauth2_id_sup_scopemap_post) 126 126 - .delete(super::v1_oauth2::oauth2_id_sup_scopemap_delete), 127 127 - ) 128 128 - diff --git a/server/core/src/https/v1_oauth2.rs b/server/core/src/https/v1_oauth2.rs 129 129 - index 5e481afab..a771aed04 100644 130 130 - --- a/server/core/src/https/v1_oauth2.rs 131 131 - +++ b/server/core/src/https/v1_oauth2.rs 132 132 - @@ -144,20 +144,49 @@ pub(crate) async fn oauth2_id_get_basic_secret( 133 133 - ) -> Result<Json<Option<String>>, WebError> { 134 134 - let filter = oauth2_id(&rs_name); 135 135 - state 136 136 - .qe_r_ref 137 137 - .handle_oauth2_basic_secret_read(client_auth_info, filter, kopid.eventid) 138 138 - .await 139 139 - .map(Json::from) 140 140 - .map_err(WebError::from) 141 141 - } 142 142 - 143 143 - +#[utoipa::path( 144 144 - + patch, 145 145 - + path = "/v1/oauth2/{rs_name}/_basic_secret", 146 146 - + request_body=ProtoEntry, 147 147 - + responses( 148 148 - + DefaultApiResponse, 149 149 - + ), 150 150 - + security(("token_jwt" = [])), 151 151 - + tag = "v1/oauth2", 152 152 - + operation_id = "oauth2_id_patch_basic_secret" 153 153 - +)] 154 154 - +/// Overwrite the basic secret for a given OAuth2 Resource Server. 155 155 - +#[instrument(level = "info", skip(state, new_secret))] 156 156 - +pub(crate) async fn oauth2_id_patch_basic_secret( 157 157 - + State(state): State<ServerState>, 158 158 - + Extension(kopid): Extension<KOpId>, 159 159 - + VerifiedClientInformation(client_auth_info): VerifiedClientInformation, 160 160 - + Path(rs_name): Path<String>, 161 161 - + Json(new_secret): Json<String>, 162 162 - +) -> Result<Json<()>, WebError> { 163 163 - + let filter = oauth2_id(&rs_name); 164 164 - + state 165 165 - + .qe_w_ref 166 166 - + .handle_oauth2_basic_secret_write(client_auth_info, filter, new_secret, kopid.eventid) 167 167 - + .await 168 168 - + .map(Json::from) 169 169 - + .map_err(WebError::from) 170 170 - +} 171 171 - + 172 172 - #[utoipa::path( 173 173 - patch, 174 174 - path = "/v1/oauth2/{rs_name}", 175 175 - request_body=ProtoEntry, 176 176 - responses( 177 177 - DefaultApiResponse, 178 178 - ), 179 179 - security(("token_jwt" = [])), 180 180 - tag = "v1/oauth2", 181 181 - operation_id = "oauth2_id_patch" 182 182 - diff --git a/server/lib/src/constants/acp.rs b/server/lib/src/constants/acp.rs 183 183 - index f3409649d..42e407b7d 100644 184 184 - --- a/server/lib/src/constants/acp.rs 185 185 - +++ b/server/lib/src/constants/acp.rs 186 186 - @@ -645,34 +645,36 @@ lazy_static! { 187 187 - Attribute::Image, 188 188 - ], 189 189 - modify_present_attrs: vec![ 190 190 - Attribute::Description, 191 191 - Attribute::DisplayName, 192 192 - Attribute::OAuth2RsName, 193 193 - Attribute::OAuth2RsOrigin, 194 194 - Attribute::OAuth2RsOriginLanding, 195 195 - Attribute::OAuth2RsSupScopeMap, 196 196 - Attribute::OAuth2RsScopeMap, 197 197 - + Attribute::OAuth2RsBasicSecret, 198 198 - Attribute::OAuth2AllowInsecureClientDisablePkce, 199 199 - Attribute::OAuth2JwtLegacyCryptoEnable, 200 200 - Attribute::OAuth2PreferShortUsername, 201 201 - Attribute::Image, 202 202 - ], 203 203 - create_attrs: vec![ 204 204 - Attribute::Class, 205 205 - Attribute::Description, 206 206 - Attribute::DisplayName, 207 207 - Attribute::OAuth2RsName, 208 208 - Attribute::OAuth2RsOrigin, 209 209 - Attribute::OAuth2RsOriginLanding, 210 210 - Attribute::OAuth2RsSupScopeMap, 211 211 - Attribute::OAuth2RsScopeMap, 212 212 - + Attribute::OAuth2RsBasicSecret, 213 213 - Attribute::OAuth2AllowInsecureClientDisablePkce, 214 214 - Attribute::OAuth2JwtLegacyCryptoEnable, 215 215 - Attribute::OAuth2PreferShortUsername, 216 216 - Attribute::Image, 217 217 - ], 218 218 - create_classes: vec![ 219 219 - EntryClass::Object, 220 220 - EntryClass::OAuth2ResourceServer, 221 221 - EntryClass::OAuth2ResourceServerBasic, 222 222 - EntryClass::OAuth2ResourceServerPublic, 223 223 - @@ -739,36 +741,38 @@ lazy_static! { 224 224 - Attribute::Image, 225 225 - ], 226 226 - modify_present_attrs: vec![ 227 227 - Attribute::Description, 228 228 - Attribute::DisplayName, 229 229 - Attribute::OAuth2RsName, 230 230 - Attribute::OAuth2RsOrigin, 231 231 - Attribute::OAuth2RsOriginLanding, 232 232 - Attribute::OAuth2RsSupScopeMap, 233 233 - Attribute::OAuth2RsScopeMap, 234 234 - + Attribute::OAuth2RsBasicSecret, 235 235 - Attribute::OAuth2AllowInsecureClientDisablePkce, 236 236 - Attribute::OAuth2JwtLegacyCryptoEnable, 237 237 - Attribute::OAuth2PreferShortUsername, 238 238 - Attribute::OAuth2AllowLocalhostRedirect, 239 239 - Attribute::OAuth2RsClaimMap, 240 240 - Attribute::Image, 241 241 - ], 242 242 - create_attrs: vec![ 243 243 - Attribute::Class, 244 244 - Attribute::Description, 245 245 - Attribute::DisplayName, 246 246 - Attribute::OAuth2RsName, 247 247 - Attribute::OAuth2RsOrigin, 248 248 - Attribute::OAuth2RsOriginLanding, 249 249 - Attribute::OAuth2RsSupScopeMap, 250 250 - Attribute::OAuth2RsScopeMap, 251 251 - + Attribute::OAuth2RsBasicSecret, 252 252 - Attribute::OAuth2AllowInsecureClientDisablePkce, 253 253 - Attribute::OAuth2JwtLegacyCryptoEnable, 254 254 - Attribute::OAuth2PreferShortUsername, 255 255 - Attribute::OAuth2AllowLocalhostRedirect, 256 256 - Attribute::OAuth2RsClaimMap, 257 257 - Attribute::Image, 258 258 - ], 259 259 - create_classes: vec![ 260 260 - EntryClass::Object, 261 261 - EntryClass::OAuth2ResourceServer, 262 262 - @@ -840,36 +844,38 @@ lazy_static! { 263 263 - Attribute::Image, 264 264 - ], 265 265 - modify_present_attrs: vec![ 266 266 - Attribute::Description, 267 267 - Attribute::DisplayName, 268 268 - Attribute::Name, 269 269 - Attribute::OAuth2RsOrigin, 270 270 - Attribute::OAuth2RsOriginLanding, 271 271 - Attribute::OAuth2RsSupScopeMap, 272 272 - Attribute::OAuth2RsScopeMap, 273 273 - + Attribute::OAuth2RsBasicSecret, 274 274 - Attribute::OAuth2AllowInsecureClientDisablePkce, 275 275 - Attribute::OAuth2JwtLegacyCryptoEnable, 276 276 - Attribute::OAuth2PreferShortUsername, 277 277 - Attribute::OAuth2AllowLocalhostRedirect, 278 278 - Attribute::OAuth2RsClaimMap, 279 279 - Attribute::Image, 280 280 - ], 281 281 - create_attrs: vec![ 282 282 - Attribute::Class, 283 283 - Attribute::Description, 284 284 - Attribute::Name, 285 285 - Attribute::OAuth2RsName, 286 286 - Attribute::OAuth2RsOrigin, 287 287 - Attribute::OAuth2RsOriginLanding, 288 288 - Attribute::OAuth2RsSupScopeMap, 289 289 - Attribute::OAuth2RsScopeMap, 290 290 - + Attribute::OAuth2RsBasicSecret, 291 291 - Attribute::OAuth2AllowInsecureClientDisablePkce, 292 292 - Attribute::OAuth2JwtLegacyCryptoEnable, 293 293 - Attribute::OAuth2PreferShortUsername, 294 294 - Attribute::OAuth2AllowLocalhostRedirect, 295 295 - Attribute::OAuth2RsClaimMap, 296 296 - Attribute::Image, 297 297 - ], 298 298 - create_classes: vec![ 299 299 - EntryClass::Object, 300 300 - EntryClass::Account, 301 301 - -- 302 302 - 2.45.2 303 303 -

-174

pkgs/by-name/ka/kanidm/patches/1_3/recover-account.patch

reviewed

··· 1 1 - From cc8269489b56755714f07eee4671f8aa2659c014 Mon Sep 17 00:00:00 2001 2 2 - From: oddlama <oddlama@oddlama.org> 3 3 - Date: Mon, 12 Aug 2024 23:17:42 +0200 4 4 - Subject: [PATCH 2/2] recover account 5 5 - 6 6 - --- 7 7 - server/core/src/actors/internal.rs | 3 ++- 8 8 - server/core/src/admin.rs | 6 +++--- 9 9 - server/daemon/src/main.rs | 14 +++++++++++++- 10 10 - server/daemon/src/opt.rs | 4 ++++ 11 11 - 4 files changed, 22 insertions(+), 5 deletions(-) 12 12 - 13 13 - diff --git a/server/core/src/actors/internal.rs b/server/core/src/actors/internal.rs 14 14 - index 40c18777f..40d553b40 100644 15 15 - --- a/server/core/src/actors/internal.rs 16 16 - +++ b/server/core/src/actors/internal.rs 17 17 - @@ -153,25 +153,26 @@ impl QueryServerWriteV1 { 18 18 - } 19 19 - 20 20 - #[instrument( 21 21 - level = "info", 22 22 - - skip(self, eventid), 23 23 - + skip(self, password, eventid), 24 24 - fields(uuid = ?eventid) 25 25 - )] 26 26 - pub(crate) async fn handle_admin_recover_account( 27 27 - &self, 28 28 - name: String, 29 29 - + password: Option<String>, 30 30 - eventid: Uuid, 31 31 - ) -> Result<String, OperationError> { 32 32 - let ct = duration_from_epoch_now(); 33 33 - let mut idms_prox_write = self.idms.proxy_write(ct).await; 34 34 - - let pw = idms_prox_write.recover_account(name.as_str(), None)?; 35 35 - + let pw = idms_prox_write.recover_account(name.as_str(), password.as_deref())?; 36 36 - 37 37 - idms_prox_write.commit().map(|()| pw) 38 38 - } 39 39 - 40 40 - #[instrument( 41 41 - level = "info", 42 42 - skip_all, 43 43 - fields(uuid = ?eventid) 44 44 - )] 45 45 - pub(crate) async fn handle_domain_raise(&self, eventid: Uuid) -> Result<u32, OperationError> { 46 46 - diff --git a/server/core/src/admin.rs b/server/core/src/admin.rs 47 47 - index 90ccb1927..85e31ddef 100644 48 48 - --- a/server/core/src/admin.rs 49 49 - +++ b/server/core/src/admin.rs 50 50 - @@ -17,21 +17,21 @@ use tokio_util::codec::{Decoder, Encoder, Framed}; 51 51 - use tracing::{span, Instrument, Level}; 52 52 - use uuid::Uuid; 53 53 - 54 54 - pub use kanidm_proto::internal::{ 55 55 - DomainInfo as ProtoDomainInfo, DomainUpgradeCheckReport as ProtoDomainUpgradeCheckReport, 56 56 - DomainUpgradeCheckStatus as ProtoDomainUpgradeCheckStatus, 57 57 - }; 58 58 - 59 59 - #[derive(Serialize, Deserialize, Debug)] 60 60 - pub enum AdminTaskRequest { 61 61 - - RecoverAccount { name: String }, 62 62 - + RecoverAccount { name: String, password: Option<String> }, 63 63 - ShowReplicationCertificate, 64 64 - RenewReplicationCertificate, 65 65 - RefreshReplicationConsumer, 66 66 - DomainShow, 67 67 - DomainUpgradeCheck, 68 68 - DomainRaise, 69 69 - DomainRemigrate { level: Option<u32> }, 70 70 - } 71 71 - 72 72 - #[derive(Serialize, Deserialize, Debug)] 73 73 - @@ -302,22 +302,22 @@ async fn handle_client( 74 74 - let mut reqs = Framed::new(sock, ServerCodec); 75 75 - 76 76 - trace!("Waiting for requests ..."); 77 77 - while let Some(Ok(req)) = reqs.next().await { 78 78 - // Setup the logging span 79 79 - let eventid = Uuid::new_v4(); 80 80 - let nspan = span!(Level::INFO, "handle_admin_client_request", uuid = ?eventid); 81 81 - 82 82 - let resp = async { 83 83 - match req { 84 84 - - AdminTaskRequest::RecoverAccount { name } => { 85 85 - - match server_rw.handle_admin_recover_account(name, eventid).await { 86 86 - + AdminTaskRequest::RecoverAccount { name, password } => { 87 87 - + match server_rw.handle_admin_recover_account(name, password, eventid).await { 88 88 - Ok(password) => AdminTaskResponse::RecoverAccount { password }, 89 89 - Err(e) => { 90 90 - error!(err = ?e, "error during recover-account"); 91 91 - AdminTaskResponse::Error 92 92 - } 93 93 - } 94 94 - } 95 95 - AdminTaskRequest::ShowReplicationCertificate => match repl_ctrl_tx.as_mut() { 96 96 - Some(ctrl_tx) => show_replication_certificate(ctrl_tx).await, 97 97 - None => { 98 98 - diff --git a/server/daemon/src/main.rs b/server/daemon/src/main.rs 99 99 - index 577995615..a967928c9 100644 100 100 - --- a/server/daemon/src/main.rs 101 101 - +++ b/server/daemon/src/main.rs 102 102 - @@ -894,27 +894,39 @@ async fn kanidm_main( 103 103 - } else { 104 104 - let output_mode: ConsoleOutputMode = commonopts.output_mode.to_owned().into(); 105 105 - submit_admin_req( 106 106 - config.adminbindpath.as_str(), 107 107 - AdminTaskRequest::RefreshReplicationConsumer, 108 108 - output_mode, 109 109 - ) 110 110 - .await; 111 111 - } 112 112 - } 113 113 - - KanidmdOpt::RecoverAccount { name, commonopts } => { 114 114 - + KanidmdOpt::RecoverAccount { name, from_environment, commonopts } => { 115 115 - info!("Running account recovery ..."); 116 116 - let output_mode: ConsoleOutputMode = commonopts.output_mode.to_owned().into(); 117 117 - + let password = if *from_environment { 118 118 - + match std::env::var("KANIDM_RECOVER_ACCOUNT_PASSWORD") { 119 119 - + Ok(val) => Some(val), 120 120 - + _ => { 121 121 - + error!("Environment variable KANIDM_RECOVER_ACCOUNT_PASSWORD not set"); 122 122 - + return ExitCode::FAILURE; 123 123 - + } 124 124 - + } 125 125 - + } else { 126 126 - + None 127 127 - + }; 128 128 - submit_admin_req( 129 129 - config.adminbindpath.as_str(), 130 130 - AdminTaskRequest::RecoverAccount { 131 131 - name: name.to_owned(), 132 132 - + password, 133 133 - }, 134 134 - output_mode, 135 135 - ) 136 136 - .await; 137 137 - } 138 138 - KanidmdOpt::Database { 139 139 - commands: DbCommands::Reindex(_copt), 140 140 - } => { 141 141 - info!("Running in reindex mode ..."); 142 142 - reindex_server_core(&config).await; 143 143 - diff --git a/server/daemon/src/opt.rs b/server/daemon/src/opt.rs 144 144 - index f1b45a5b3..9c013e32e 100644 145 145 - --- a/server/daemon/src/opt.rs 146 146 - +++ b/server/daemon/src/opt.rs 147 147 - @@ -229,20 +229,24 @@ enum KanidmdOpt { 148 148 - /// Create a self-signed ca and tls certificate in the locations listed from the 149 149 - /// configuration. These certificates should *not* be used in production, they 150 150 - /// are for testing and evaluation only! 151 151 - CertGenerate(CommonOpt), 152 152 - #[clap(name = "recover-account")] 153 153 - /// Recover an account's password 154 154 - RecoverAccount { 155 155 - #[clap(value_parser)] 156 156 - /// The account name to recover credentials for. 157 157 - name: String, 158 158 - + /// Use the password given in the environment variable 159 159 - + /// `KANIDM_RECOVER_ACCOUNT_PASSWORD` instead of generating one. 160 160 - + #[clap(long = "from-environment")] 161 161 - + from_environment: bool, 162 162 - #[clap(flatten)] 163 163 - commonopts: CommonOpt, 164 164 - }, 165 165 - /// Display this server's replication certificate 166 166 - ShowReplicationCertificate { 167 167 - #[clap(flatten)] 168 168 - commonopts: CommonOpt, 169 169 - }, 170 170 - /// Renew this server's replication certificate 171 171 - RenewReplicationCertificate { 172 172 - -- 173 173 - 2.45.2 174 174 -

-308

pkgs/by-name/ka/kanidm/patches/1_4/oauth2-basic-secret-modify.patch

reviewed

··· 1 1 - From e9dfca73e6fb80faf6fc106e7aee6b93c0908525 Mon Sep 17 00:00:00 2001 2 2 - From: oddlama <oddlama@oddlama.org> 3 3 - Date: Fri, 1 Nov 2024 12:26:17 +0100 4 4 - Subject: [PATCH 1/2] oauth2 basic secret modify 5 5 - 6 6 - --- 7 7 - server/core/src/actors/v1_write.rs | 42 ++++++++++++++++++++++++++++++ 8 8 - server/core/src/https/v1.rs | 6 ++++- 9 9 - server/core/src/https/v1_oauth2.rs | 29 +++++++++++++++++++++ 10 10 - server/lib/src/constants/acp.rs | 6 +++++ 11 11 - 4 files changed, 82 insertions(+), 1 deletion(-) 12 12 - 13 13 - diff --git a/server/core/src/actors/v1_write.rs b/server/core/src/actors/v1_write.rs 14 14 - index 732e826c8..0fe66503f 100644 15 15 - --- a/server/core/src/actors/v1_write.rs 16 16 - +++ b/server/core/src/actors/v1_write.rs 17 17 - @@ -317,20 +317,62 @@ impl QueryServerWriteV1 { 18 18 - }; 19 19 - 20 20 - trace!(?del, "Begin delete event"); 21 21 - 22 22 - idms_prox_write 23 23 - .qs_write 24 24 - .delete(&del) 25 25 - .and_then(|_| idms_prox_write.commit().map(|_| ())) 26 26 - } 27 27 - 28 28 - + #[instrument( 29 29 - + level = "info", 30 30 - + skip_all, 31 31 - + fields(uuid = ?eventid) 32 32 - + )] 33 33 - + pub async fn handle_oauth2_basic_secret_write( 34 34 - + &self, 35 35 - + client_auth_info: ClientAuthInfo, 36 36 - + filter: Filter<FilterInvalid>, 37 37 - + new_secret: String, 38 38 - + eventid: Uuid, 39 39 - + ) -> Result<(), OperationError> { 40 40 - + // Given a protoEntry, turn this into a modification set. 41 41 - + let ct = duration_from_epoch_now(); 42 42 - + let mut idms_prox_write = self.idms.proxy_write(ct).await?; 43 43 - + let ident = idms_prox_write 44 44 - + .validate_client_auth_info_to_ident(client_auth_info, ct) 45 45 - + .map_err(|e| { 46 46 - + admin_error!(err = ?e, "Invalid identity"); 47 47 - + e 48 48 - + })?; 49 49 - + 50 50 - + let modlist = ModifyList::new_purge_and_set( 51 51 - + Attribute::OAuth2RsBasicSecret, 52 52 - + Value::SecretValue(new_secret), 53 53 - + ); 54 54 - + 55 55 - + let mdf = 56 56 - + ModifyEvent::from_internal_parts(ident, &modlist, &filter, &idms_prox_write.qs_write) 57 57 - + .map_err(|e| { 58 58 - + admin_error!(err = ?e, "Failed to begin modify during handle_oauth2_basic_secret_write"); 59 59 - + e 60 60 - + })?; 61 61 - + 62 62 - + trace!(?mdf, "Begin modify event"); 63 63 - + 64 64 - + idms_prox_write 65 65 - + .qs_write 66 66 - + .modify(&mdf) 67 67 - + .and_then(|_| idms_prox_write.commit()) 68 68 - + } 69 69 - + 70 70 - #[instrument( 71 71 - level = "info", 72 72 - skip_all, 73 73 - fields(uuid = ?eventid) 74 74 - )] 75 75 - pub async fn handle_reviverecycled( 76 76 - &self, 77 77 - client_auth_info: ClientAuthInfo, 78 78 - filter: Filter<FilterInvalid>, 79 79 - eventid: Uuid, 80 80 - diff --git a/server/core/src/https/v1.rs b/server/core/src/https/v1.rs 81 81 - index c410a4b5d..cc67cac6c 100644 82 82 - --- a/server/core/src/https/v1.rs 83 83 - +++ b/server/core/src/https/v1.rs 84 84 - @@ -1,17 +1,17 @@ 85 85 - //! The V1 API things! 86 86 - 87 87 - use axum::extract::{Path, State}; 88 88 - use axum::http::{HeaderMap, HeaderValue}; 89 89 - use axum::middleware::from_fn; 90 90 - use axum::response::{IntoResponse, Response}; 91 91 - -use axum::routing::{delete, get, post, put}; 92 92 - +use axum::routing::{delete, get, post, put, patch}; 93 93 - use axum::{Extension, Json, Router}; 94 94 - use axum_extra::extract::cookie::{Cookie, CookieJar, SameSite}; 95 95 - use compact_jwt::{Jwk, Jws, JwsSigner}; 96 96 - use kanidm_proto::constants::uri::V1_AUTH_VALID; 97 97 - use std::net::IpAddr; 98 98 - use uuid::Uuid; 99 99 - 100 100 - use kanidm_proto::internal::{ 101 101 - ApiToken, AppLink, CUIntentToken, CURequest, CUSessionToken, CUStatus, CreateRequest, 102 102 - CredentialStatus, DeleteRequest, IdentifyUserRequest, IdentifyUserResponse, ModifyRequest, 103 103 - @@ -3120,20 +3120,24 @@ pub(crate) fn route_setup(state: ServerState) -> Router<ServerState> { 104 104 - ) 105 105 - .route( 106 106 - "/v1/oauth2/:rs_name/_image", 107 107 - post(super::v1_oauth2::oauth2_id_image_post) 108 108 - .delete(super::v1_oauth2::oauth2_id_image_delete), 109 109 - ) 110 110 - .route( 111 111 - "/v1/oauth2/:rs_name/_basic_secret", 112 112 - get(super::v1_oauth2::oauth2_id_get_basic_secret), 113 113 - ) 114 114 - + .route( 115 115 - + "/v1/oauth2/:rs_name/_basic_secret", 116 116 - + patch(super::v1_oauth2::oauth2_id_patch_basic_secret), 117 117 - + ) 118 118 - .route( 119 119 - "/v1/oauth2/:rs_name/_scopemap/:group", 120 120 - post(super::v1_oauth2::oauth2_id_scopemap_post) 121 121 - .delete(super::v1_oauth2::oauth2_id_scopemap_delete), 122 122 - ) 123 123 - .route( 124 124 - "/v1/oauth2/:rs_name/_sup_scopemap/:group", 125 125 - post(super::v1_oauth2::oauth2_id_sup_scopemap_post) 126 126 - .delete(super::v1_oauth2::oauth2_id_sup_scopemap_delete), 127 127 - ) 128 128 - diff --git a/server/core/src/https/v1_oauth2.rs b/server/core/src/https/v1_oauth2.rs 129 129 - index d3966a7ad..f89c02c69 100644 130 130 - --- a/server/core/src/https/v1_oauth2.rs 131 131 - +++ b/server/core/src/https/v1_oauth2.rs 132 132 - @@ -144,20 +144,49 @@ pub(crate) async fn oauth2_id_get_basic_secret( 133 133 - ) -> Result<Json<Option<String>>, WebError> { 134 134 - let filter = oauth2_id(&rs_name); 135 135 - state 136 136 - .qe_r_ref 137 137 - .handle_oauth2_basic_secret_read(client_auth_info, filter, kopid.eventid) 138 138 - .await 139 139 - .map(Json::from) 140 140 - .map_err(WebError::from) 141 141 - } 142 142 - 143 143 - +#[utoipa::path( 144 144 - + patch, 145 145 - + path = "/v1/oauth2/{rs_name}/_basic_secret", 146 146 - + request_body=ProtoEntry, 147 147 - + responses( 148 148 - + DefaultApiResponse, 149 149 - + ), 150 150 - + security(("token_jwt" = [])), 151 151 - + tag = "v1/oauth2", 152 152 - + operation_id = "oauth2_id_patch_basic_secret" 153 153 - +)] 154 154 - +/// Overwrite the basic secret for a given OAuth2 Resource Server. 155 155 - +#[instrument(level = "info", skip(state, new_secret))] 156 156 - +pub(crate) async fn oauth2_id_patch_basic_secret( 157 157 - + State(state): State<ServerState>, 158 158 - + Extension(kopid): Extension<KOpId>, 159 159 - + VerifiedClientInformation(client_auth_info): VerifiedClientInformation, 160 160 - + Path(rs_name): Path<String>, 161 161 - + Json(new_secret): Json<String>, 162 162 - +) -> Result<Json<()>, WebError> { 163 163 - + let filter = oauth2_id(&rs_name); 164 164 - + state 165 165 - + .qe_w_ref 166 166 - + .handle_oauth2_basic_secret_write(client_auth_info, filter, new_secret, kopid.eventid) 167 167 - + .await 168 168 - + .map(Json::from) 169 169 - + .map_err(WebError::from) 170 170 - +} 171 171 - + 172 172 - #[utoipa::path( 173 173 - patch, 174 174 - path = "/v1/oauth2/{rs_name}", 175 175 - request_body=ProtoEntry, 176 176 - responses( 177 177 - DefaultApiResponse, 178 178 - ), 179 179 - security(("token_jwt" = [])), 180 180 - tag = "v1/oauth2", 181 181 - operation_id = "oauth2_id_patch" 182 182 - diff --git a/server/lib/src/constants/acp.rs b/server/lib/src/constants/acp.rs 183 183 - index be1836345..ebf4445be 100644 184 184 - --- a/server/lib/src/constants/acp.rs 185 185 - +++ b/server/lib/src/constants/acp.rs 186 186 - @@ -658,36 +658,38 @@ lazy_static! { 187 187 - Attribute::Image, 188 188 - ], 189 189 - modify_present_attrs: vec![ 190 190 - Attribute::Description, 191 191 - Attribute::DisplayName, 192 192 - Attribute::OAuth2RsName, 193 193 - Attribute::OAuth2RsOrigin, 194 194 - Attribute::OAuth2RsOriginLanding, 195 195 - Attribute::OAuth2RsSupScopeMap, 196 196 - Attribute::OAuth2RsScopeMap, 197 197 - + Attribute::OAuth2RsBasicSecret, 198 198 - Attribute::OAuth2AllowInsecureClientDisablePkce, 199 199 - Attribute::OAuth2JwtLegacyCryptoEnable, 200 200 - Attribute::OAuth2PreferShortUsername, 201 201 - Attribute::OAuth2AllowLocalhostRedirect, 202 202 - Attribute::OAuth2RsClaimMap, 203 203 - Attribute::Image, 204 204 - ], 205 205 - create_attrs: vec![ 206 206 - Attribute::Class, 207 207 - Attribute::Description, 208 208 - Attribute::DisplayName, 209 209 - Attribute::OAuth2RsName, 210 210 - Attribute::OAuth2RsOrigin, 211 211 - Attribute::OAuth2RsOriginLanding, 212 212 - Attribute::OAuth2RsSupScopeMap, 213 213 - Attribute::OAuth2RsScopeMap, 214 214 - + Attribute::OAuth2RsBasicSecret, 215 215 - Attribute::OAuth2AllowInsecureClientDisablePkce, 216 216 - Attribute::OAuth2JwtLegacyCryptoEnable, 217 217 - Attribute::OAuth2PreferShortUsername, 218 218 - Attribute::OAuth2AllowLocalhostRedirect, 219 219 - Attribute::OAuth2RsClaimMap, 220 220 - Attribute::Image, 221 221 - ], 222 222 - create_classes: vec![ 223 223 - EntryClass::Object, 224 224 - EntryClass::OAuth2ResourceServer, 225 225 - @@ -759,37 +761,39 @@ lazy_static! { 226 226 - Attribute::Image, 227 227 - ], 228 228 - modify_present_attrs: vec![ 229 229 - Attribute::Description, 230 230 - Attribute::DisplayName, 231 231 - Attribute::Name, 232 232 - Attribute::OAuth2RsOrigin, 233 233 - Attribute::OAuth2RsOriginLanding, 234 234 - Attribute::OAuth2RsSupScopeMap, 235 235 - Attribute::OAuth2RsScopeMap, 236 236 - + Attribute::OAuth2RsBasicSecret, 237 237 - Attribute::OAuth2AllowInsecureClientDisablePkce, 238 238 - Attribute::OAuth2JwtLegacyCryptoEnable, 239 239 - Attribute::OAuth2PreferShortUsername, 240 240 - Attribute::OAuth2AllowLocalhostRedirect, 241 241 - Attribute::OAuth2RsClaimMap, 242 242 - Attribute::Image, 243 243 - ], 244 244 - create_attrs: vec![ 245 245 - Attribute::Class, 246 246 - Attribute::Description, 247 247 - Attribute::Name, 248 248 - Attribute::DisplayName, 249 249 - Attribute::OAuth2RsName, 250 250 - Attribute::OAuth2RsOrigin, 251 251 - Attribute::OAuth2RsOriginLanding, 252 252 - Attribute::OAuth2RsSupScopeMap, 253 253 - Attribute::OAuth2RsScopeMap, 254 254 - + Attribute::OAuth2RsBasicSecret, 255 255 - Attribute::OAuth2AllowInsecureClientDisablePkce, 256 256 - Attribute::OAuth2JwtLegacyCryptoEnable, 257 257 - Attribute::OAuth2PreferShortUsername, 258 258 - Attribute::OAuth2AllowLocalhostRedirect, 259 259 - Attribute::OAuth2RsClaimMap, 260 260 - Attribute::Image, 261 261 - ], 262 262 - create_classes: vec![ 263 263 - EntryClass::Object, 264 264 - EntryClass::Account, 265 265 - @@ -864,38 +868,40 @@ lazy_static! { 266 266 - Attribute::OAuth2StrictRedirectUri, 267 267 - ], 268 268 - modify_present_attrs: vec![ 269 269 - Attribute::Description, 270 270 - Attribute::DisplayName, 271 271 - Attribute::Name, 272 272 - Attribute::OAuth2RsOrigin, 273 273 - Attribute::OAuth2RsOriginLanding, 274 274 - Attribute::OAuth2RsSupScopeMap, 275 275 - Attribute::OAuth2RsScopeMap, 276 276 - + Attribute::OAuth2RsBasicSecret, 277 277 - Attribute::OAuth2AllowInsecureClientDisablePkce, 278 278 - Attribute::OAuth2JwtLegacyCryptoEnable, 279 279 - Attribute::OAuth2PreferShortUsername, 280 280 - Attribute::OAuth2AllowLocalhostRedirect, 281 281 - Attribute::OAuth2RsClaimMap, 282 282 - Attribute::Image, 283 283 - Attribute::OAuth2StrictRedirectUri, 284 284 - ], 285 285 - create_attrs: vec![ 286 286 - Attribute::Class, 287 287 - Attribute::Description, 288 288 - Attribute::Name, 289 289 - Attribute::DisplayName, 290 290 - Attribute::OAuth2RsName, 291 291 - Attribute::OAuth2RsOrigin, 292 292 - Attribute::OAuth2RsOriginLanding, 293 293 - Attribute::OAuth2RsSupScopeMap, 294 294 - Attribute::OAuth2RsScopeMap, 295 295 - + Attribute::OAuth2RsBasicSecret, 296 296 - Attribute::OAuth2AllowInsecureClientDisablePkce, 297 297 - Attribute::OAuth2JwtLegacyCryptoEnable, 298 298 - Attribute::OAuth2PreferShortUsername, 299 299 - Attribute::OAuth2AllowLocalhostRedirect, 300 300 - Attribute::OAuth2RsClaimMap, 301 301 - Attribute::Image, 302 302 - Attribute::OAuth2StrictRedirectUri, 303 303 - ], 304 304 - create_classes: vec![ 305 305 - EntryClass::Object, 306 306 - -- 307 307 - 2.46.1 308 308 -

-174

pkgs/by-name/ka/kanidm/patches/1_4/recover-account.patch

reviewed

··· 1 1 - From c8ed69efe3f702b19834c2659be1dd3ec2d41c17 Mon Sep 17 00:00:00 2001 2 2 - From: oddlama <oddlama@oddlama.org> 3 3 - Date: Fri, 1 Nov 2024 12:27:43 +0100 4 4 - Subject: [PATCH 2/2] recover account 5 5 - 6 6 - --- 7 7 - server/core/src/actors/internal.rs | 3 ++- 8 8 - server/core/src/admin.rs | 6 +++--- 9 9 - server/daemon/src/main.rs | 14 +++++++++++++- 10 10 - server/daemon/src/opt.rs | 4 ++++ 11 11 - 4 files changed, 22 insertions(+), 5 deletions(-) 12 12 - 13 13 - diff --git a/server/core/src/actors/internal.rs b/server/core/src/actors/internal.rs 14 14 - index 420e72c6c..5c4353116 100644 15 15 - --- a/server/core/src/actors/internal.rs 16 16 - +++ b/server/core/src/actors/internal.rs 17 17 - @@ -171,25 +171,26 @@ impl QueryServerWriteV1 { 18 18 - } 19 19 - 20 20 - #[instrument( 21 21 - level = "info", 22 22 - - skip(self, eventid), 23 23 - + skip(self, password, eventid), 24 24 - fields(uuid = ?eventid) 25 25 - )] 26 26 - pub(crate) async fn handle_admin_recover_account( 27 27 - &self, 28 28 - name: String, 29 29 - + password: Option<String>, 30 30 - eventid: Uuid, 31 31 - ) -> Result<String, OperationError> { 32 32 - let ct = duration_from_epoch_now(); 33 33 - let mut idms_prox_write = self.idms.proxy_write(ct).await?; 34 34 - - let pw = idms_prox_write.recover_account(name.as_str(), None)?; 35 35 - + let pw = idms_prox_write.recover_account(name.as_str(), password.as_deref())?; 36 36 - 37 37 - idms_prox_write.commit().map(|()| pw) 38 38 - } 39 39 - 40 40 - #[instrument( 41 41 - level = "info", 42 42 - skip_all, 43 43 - fields(uuid = ?eventid) 44 44 - )] 45 45 - pub(crate) async fn handle_domain_raise(&self, eventid: Uuid) -> Result<u32, OperationError> { 46 46 - diff --git a/server/core/src/admin.rs b/server/core/src/admin.rs 47 47 - index 90ccb1927..85e31ddef 100644 48 48 - --- a/server/core/src/admin.rs 49 49 - +++ b/server/core/src/admin.rs 50 50 - @@ -17,21 +17,21 @@ use tokio_util::codec::{Decoder, Encoder, Framed}; 51 51 - use tracing::{span, Instrument, Level}; 52 52 - use uuid::Uuid; 53 53 - 54 54 - pub use kanidm_proto::internal::{ 55 55 - DomainInfo as ProtoDomainInfo, DomainUpgradeCheckReport as ProtoDomainUpgradeCheckReport, 56 56 - DomainUpgradeCheckStatus as ProtoDomainUpgradeCheckStatus, 57 57 - }; 58 58 - 59 59 - #[derive(Serialize, Deserialize, Debug)] 60 60 - pub enum AdminTaskRequest { 61 61 - - RecoverAccount { name: String }, 62 62 - + RecoverAccount { name: String, password: Option<String> }, 63 63 - ShowReplicationCertificate, 64 64 - RenewReplicationCertificate, 65 65 - RefreshReplicationConsumer, 66 66 - DomainShow, 67 67 - DomainUpgradeCheck, 68 68 - DomainRaise, 69 69 - DomainRemigrate { level: Option<u32> }, 70 70 - } 71 71 - 72 72 - #[derive(Serialize, Deserialize, Debug)] 73 73 - @@ -302,22 +302,22 @@ async fn handle_client( 74 74 - let mut reqs = Framed::new(sock, ServerCodec); 75 75 - 76 76 - trace!("Waiting for requests ..."); 77 77 - while let Some(Ok(req)) = reqs.next().await { 78 78 - // Setup the logging span 79 79 - let eventid = Uuid::new_v4(); 80 80 - let nspan = span!(Level::INFO, "handle_admin_client_request", uuid = ?eventid); 81 81 - 82 82 - let resp = async { 83 83 - match req { 84 84 - - AdminTaskRequest::RecoverAccount { name } => { 85 85 - - match server_rw.handle_admin_recover_account(name, eventid).await { 86 86 - + AdminTaskRequest::RecoverAccount { name, password } => { 87 87 - + match server_rw.handle_admin_recover_account(name, password, eventid).await { 88 88 - Ok(password) => AdminTaskResponse::RecoverAccount { password }, 89 89 - Err(e) => { 90 90 - error!(err = ?e, "error during recover-account"); 91 91 - AdminTaskResponse::Error 92 92 - } 93 93 - } 94 94 - } 95 95 - AdminTaskRequest::ShowReplicationCertificate => match repl_ctrl_tx.as_mut() { 96 96 - Some(ctrl_tx) => show_replication_certificate(ctrl_tx).await, 97 97 - None => { 98 98 - diff --git a/server/daemon/src/main.rs b/server/daemon/src/main.rs 99 99 - index 7486d34a8..784106352 100644 100 100 - --- a/server/daemon/src/main.rs 101 101 - +++ b/server/daemon/src/main.rs 102 102 - @@ -903,27 +903,39 @@ async fn kanidm_main( 103 103 - } else { 104 104 - let output_mode: ConsoleOutputMode = commonopts.output_mode.to_owned().into(); 105 105 - submit_admin_req( 106 106 - config.adminbindpath.as_str(), 107 107 - AdminTaskRequest::RefreshReplicationConsumer, 108 108 - output_mode, 109 109 - ) 110 110 - .await; 111 111 - } 112 112 - } 113 113 - - KanidmdOpt::RecoverAccount { name, commonopts } => { 114 114 - + KanidmdOpt::RecoverAccount { name, from_environment, commonopts } => { 115 115 - info!("Running account recovery ..."); 116 116 - let output_mode: ConsoleOutputMode = commonopts.output_mode.to_owned().into(); 117 117 - + let password = if *from_environment { 118 118 - + match std::env::var("KANIDM_RECOVER_ACCOUNT_PASSWORD") { 119 119 - + Ok(val) => Some(val), 120 120 - + _ => { 121 121 - + error!("Environment variable KANIDM_RECOVER_ACCOUNT_PASSWORD not set"); 122 122 - + return ExitCode::FAILURE; 123 123 - + } 124 124 - + } 125 125 - + } else { 126 126 - + None 127 127 - + }; 128 128 - submit_admin_req( 129 129 - config.adminbindpath.as_str(), 130 130 - AdminTaskRequest::RecoverAccount { 131 131 - name: name.to_owned(), 132 132 - + password, 133 133 - }, 134 134 - output_mode, 135 135 - ) 136 136 - .await; 137 137 - } 138 138 - KanidmdOpt::Database { 139 139 - commands: DbCommands::Reindex(_copt), 140 140 - } => { 141 141 - info!("Running in reindex mode ..."); 142 142 - reindex_server_core(&config).await; 143 143 - diff --git a/server/daemon/src/opt.rs b/server/daemon/src/opt.rs 144 144 - index f1b45a5b3..9c013e32e 100644 145 145 - --- a/server/daemon/src/opt.rs 146 146 - +++ b/server/daemon/src/opt.rs 147 147 - @@ -229,20 +229,24 @@ enum KanidmdOpt { 148 148 - /// Create a self-signed ca and tls certificate in the locations listed from the 149 149 - /// configuration. These certificates should *not* be used in production, they 150 150 - /// are for testing and evaluation only! 151 151 - CertGenerate(CommonOpt), 152 152 - #[clap(name = "recover-account")] 153 153 - /// Recover an account's password 154 154 - RecoverAccount { 155 155 - #[clap(value_parser)] 156 156 - /// The account name to recover credentials for. 157 157 - name: String, 158 158 - + /// Use the password given in the environment variable 159 159 - + /// `KANIDM_RECOVER_ACCOUNT_PASSWORD` instead of generating one. 160 160 - + #[clap(long = "from-environment")] 161 161 - + from_environment: bool, 162 162 - #[clap(flatten)] 163 163 - commonopts: CommonOpt, 164 164 - }, 165 165 - /// Display this server's replication certificate 166 166 - ShowReplicationCertificate { 167 167 - #[clap(flatten)] 168 168 - commonopts: CommonOpt, 169 169 - }, 170 170 - /// Renew this server's replication certificate 171 171 - RenewReplicationCertificate { 172 172 - -- 173 173 - 2.46.1 174 174 -

+2

pkgs/top-level/aliases.nix

reviewed

··· 973 973 kafkacat = throw "'kafkacat' has been renamed to/replaced by 'kcat'"; # Converted to throw 2024-10-17 974 974 kak-lsp = kakoune-lsp; # Added 2024-04-01 975 975 kanidm_1_3 = throw "'kanidm_1_3' has been removed as it has reached end of life"; # Added 2025-03-10 976 976 + kanidm_1_4 = throw "'kanidm_1_4' has been removed as it has reached end of life"; # Added 2025-06-18 977 977 + kanidmWithSecretProvisioning_1_4 = throw "'kanidmWithSecretProvisioning_1_4' has been removed as it has reached end of life"; # Added 2025-06-18 976 978 kdbplus = throw "'kdbplus' has been removed from nixpkgs"; # Added 2024-05-06 977 979 kdeconnect = throw "'kdeconnect' has been renamed to/replaced by 'plasma5Packages.kdeconnect-kde'"; # Converted to throw 2024-10-17 978 980 keepkey_agent = keepkey-agent; # added 2024-01-06

-5

pkgs/top-level/all-packages.nix

reviewed

··· 10373 10373 10374 10374 jetty = jetty_12; 10375 10375 10376 10376 - kanidm_1_4 = callPackage ../by-name/ka/kanidm/1_4.nix { kanidm = kanidm_1_4; }; 10377 10376 kanidm_1_5 = callPackage ../by-name/ka/kanidm/1_5.nix { kanidm = kanidm_1_5; }; 10378 10377 kanidm_1_6 = callPackage ../by-name/ka/kanidm/1_6.nix { kanidm = kanidm_1_6; }; 10379 10378 10380 10379 kanidmWithSecretProvisioning = kanidmWithSecretProvisioning_1_6; 10381 10381 - 10382 10382 - kanidmWithSecretProvisioning_1_4 = callPackage ../by-name/ka/kanidm/1_4.nix { 10383 10383 - enableSecretProvisioning = true; 10384 10384 - }; 10385 10380 10386 10381 kanidmWithSecretProvisioning_1_5 = callPackage ../by-name/ka/kanidm/1_5.nix { 10387 10382 enableSecretProvisioning = true;

+2 -1

pkgs/top-level/release.nix

reviewed

··· 43 43 # so users choosing to allow don't have to rebuild them every time. 44 44 permittedInsecurePackages = [ 45 45 "olm-3.2.16" # see PR #347899 46 46 - "kanidm_1_4-1.4.6" 46 46 + "kanidm_1_5-1.5.0" 47 47 + "kanidmWithSecretProvisioning_1_5-1.5.0" 47 48 ]; 48 49 }; 49 50