2756 - resolve dyngroups not loading correctly at startup (#2778)

Cargo.toml

@@ -32,7 +32,7 @@ members = [
 ]
 
 [workspace.package]
-version = "1.2.0"
+version = "1.2.1"
 authors = [
     "William Brown <william@blackhats.net.au>",
     "James Hodgkinson <james@terminaloutcomes.com>",
@@ -78,19 +78,19 @@ repository = "https://github.com/kanidm/kanidm/"
 # kanidm-hsm-crypto = { path = "../hsm-crypto" }
 
 [workspace.dependencies]
-kanidmd_core = { path = "./server/core", version = "=1.2.0" }
-kanidmd_lib = { path = "./server/lib", version = "=1.2.0" }
-kanidmd_lib_macros = { path = "./server/lib-macros", version = "=1.2.0" }
-kanidmd_testkit = { path = "./server/testkit", version = "=1.2.0" }
-kanidm_build_profiles = { path = "./libs/profiles", version = "=1.2.0" }
-kanidm_client = { path = "./libs/client", version = "=1.2.0" }
+kanidmd_core = { path = "./server/core", version = "=1.2" }
+kanidmd_lib = { path = "./server/lib", version = "=1.2" }
+kanidmd_lib_macros = { path = "./server/lib-macros", version = "=1.2" }
+kanidmd_testkit = { path = "./server/testkit", version = "=1.2" }
+kanidm_build_profiles = { path = "./libs/profiles", version = "=1.2" }
+kanidm_client = { path = "./libs/client", version = "=1.2" }
 kanidm-hsm-crypto = "^0.1.6"
-kanidm_lib_crypto = { path = "./libs/crypto", version = "=1.2.0" }
-kanidm_lib_file_permissions = { path = "./libs/file_permissions", version = "=1.2.0" }
-kanidm_proto = { path = "./proto", version = "=1.2.0" }
-kanidm_unix_int = { path = "./unix_integration", version = "=1.2.0" }
-kanidm_utils_users = { path = "./libs/users", version = "=1.2.0" }
-sketching = { path = "./libs/sketching", version = "=1.2.0" }
+kanidm_lib_crypto = { path = "./libs/crypto", version = "=1.2" }
+kanidm_lib_file_permissions = { path = "./libs/file_permissions", version = "=1.2" }
+kanidm_proto = { path = "./proto", version = "=1.2" }
+kanidm_unix_int = { path = "./unix_integration", version = "=1.2" }
+kanidm_utils_users = { path = "./libs/users", version = "=1.2" }
+sketching = { path = "./libs/sketching", version = "=1.2" }
 
 serde_with = "3.7.0"
 argon2 = { version = "0.5.3", features = ["alloc"] }

Makefile

@@ -1,6 +1,6 @@
 IMAGE_BASE ?= kanidm
 IMAGE_VERSION ?= devel
-IMAGE_EXT_VERSION ?= 1.2.0
+IMAGE_EXT_VERSION ?= 1.2.1
 CONTAINER_TOOL_ARGS ?=
 IMAGE_ARCH ?= "linux/amd64,linux/arm64"
 CONTAINER_BUILD_ARGS ?=

server/lib/src/be/idl_arc_sqlite.rs

@@ -342,6 +342,7 @@ pub trait IdlArcSqliteTransaction {
 
     fn get_identry_raw(&self, idl: &IdList) -> Result<Vec<IdRawEntry>, OperationError>;
 
+    #[allow(dead_code)]
     fn exists_idx(&mut self, attr: &str, itype: IndexType) -> Result<bool, OperationError>;
 
     fn get_idl(

server/lib/src/constants/entries.rs

@@ -788,7 +788,7 @@ lazy_static! {
             Attribute::Description,
             Value::new_utf8s("System (local) info and metadata object.")
         ),
-        (Attribute::Version, Value::Uint32(19))
+        (Attribute::Version, Value::Uint32(20))
     );
 
     pub static ref E_DOMAIN_INFO_V1: EntryInitNew = entry_init!(

server/lib/src/plugins/gidnumber.rs

@@ -13,7 +13,7 @@ use crate::utils::uuid_to_gid_u32;
 /// system uids from 0 - 1000, and many others give user ids between 1000 to
 /// 2000. This whole numberspace is cursed, lets assume it's not ours. :(
 ///
-/// Per https://systemd.io/UIDS-GIDS/, systemd claims a huge chunk of this
+/// Per <https://systemd.io/UIDS-GIDS/>, systemd claims a huge chunk of this
 /// space to itself. As a result we can't allocate between 65536 and u32 max
 /// because systemd takes most of the usable range for its own containers,
 /// and half the range is probably going to trigger linux kernel issues.

server/lib/src/plugins/mod.rs

@@ -163,6 +163,7 @@ trait Plugin {
         Err(OperationError::InvalidState)
     }
 
+    #[allow(dead_code)]
     fn pre_repl_incremental(
         _qs: &mut QueryServerWriteTransaction,
         _cand: &mut [(EntryIncrementalCommitted, Arc<EntrySealedCommitted>)],

server/lib/src/server/keys/provider.rs

@@ -119,8 +119,10 @@ impl KeyProviders {
 }
 
 pub trait KeyProvidersTransaction {
+    #[allow(dead_code)]
     fn get_uuid(&self, key_provider_uuid: Uuid) -> Option<&KeyProvider>;
 
+    #[allow(dead_code)]
     fn get_key_object(&self, key_object_uuid: Uuid) -> Option<KeyObjectRef>;
 
     fn get_key_object_handle(&self, key_object_uuid: Uuid) -> Option<Arc<KeyObject>>;

server/lib/src/server/migrations.rs

@@ -161,12 +161,29 @@ impl QueryServer {
         // No domain info was present, so neither was the rest of the IDM. We need to bootstrap
         // the base entries here.
         if db_domain_version == 0 {
+            // In this path because we create the dyn groups they are immediately added to the
+            // dyngroup cache and begin to operate.
             write_txn.initialise_idm()?;
-        }
+        } else {
+            // #2756 - if we *aren't* creating the base IDM entries, then we
+            // need to force dyn groups to reload since we're now at schema
+            // ready. This is done indiretly by ... reloading the schema again.
+            //
+            // This is because dyngroups don't load until server phase >= schemaready
+            // and the reload path for these is either a change in the dyngroup entry
+            // itself or a change to schema reloading. Since we aren't changing the
+            // dyngroup here, we have to go via the schema reload path.
+            write_txn.force_schema_reload();
+        };
 
         // Reload as init idm affects access controls.
         write_txn.reload()?;
 
+        // # 2756 - automate the fix for dyngroups
+        if system_info_version < 20 {
+            write_txn.migrate_19_to_20()?;
+        }
+
         // Domain info is now ready and reloaded, we can proceed.
         write_txn.set_phase(ServerPhase::DomainInfoReady);
 
@@ -735,6 +752,28 @@ impl<'a> QueryServerWriteTransaction<'a> {
         })
     }
 
+    #[instrument(level = "info", skip_all)]
+    /// Automate fix for #2756 - touch all dyngroups to force them to re-consider and re-write
+    /// their members.
+    pub fn migrate_19_to_20(&mut self) -> Result<(), OperationError> {
+        admin_warn!("starting 19 to 20 migration.");
+
+        debug_assert!(*self.phase >= ServerPhase::SchemaReady);
+
+        let filter = filter!(f_eq(
+            Attribute::Class,
+            EntryClass::DynGroup.into()
+        ));
+        let modlist = modlist!([m_pres(Attribute::Class, &EntryClass::DynGroup.into())]);
+
+        self.internal_modify(
+            &filter, &modlist
+        )
+        .map(|()| {
+            info!("forced dyngroups to re-calculate memberships");
+        })
+    }
+
     #[instrument(level = "info", skip_all)]
     /// This migration will
     ///  * Trigger a "once off" mfa account policy rule on all persons.

tools/orca/src/generate.rs

@@ -13,6 +13,7 @@ use std::collections::BTreeSet;
 const PEOPLE_PREFIX: &str = "person";
 
 #[derive(Debug)]
+#[allow(dead_code)]
 pub struct PartialGroup {
     pub name: String,
     pub members: BTreeSet<String>,