WIP: Issue 668 #797

Draft: wants to merge 1 commit into base: master
3 changes: 3 additions & 0 deletions .gitignore
@@ -18,3 +18,6 @@ vendor.tar.*
orca/example_profiles/small/orca-edited.toml
docs/
kanidm_unix_int/pam_tester/Cargo.lock

# VSCODE
/.vscode
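Review bot: the `/.vscode` ignore is editor-specific and unrelated to issue 668; keep it in a personal excludes file (`git config --global core.excludesFile`) rather than the project's .gitignore, or at least split it out of this PR so the change set stays focused on the route rename.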
1 change: 1 addition & 0 deletions designs/idm_rest_layout.rst
@@ -145,6 +145,7 @@ account
GET -> let's the radius server get all required details for radius to work


TODO(mea): remove
self
====

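Review bot: `TODO(mea): remove` should not land in the design document; since this PR renames the `/v1/self` route to `/v1/whoami`, the `self` section here should be rewritten (or removed) in the same change so the REST layout design matches the code, and the `====` underline must be adjusted to the new heading length or the reST heading breaks.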
6 changes: 3 additions & 3 deletions kanidm_client/src/lib.rs
@@ -1130,9 +1130,9 @@ impl KanidmClient {
self.perform_get_request("/v1/auth/valid").await
}

// TODO(mea): self -> whoami?
pub async fn whoami(&self) -> Result<Option<(Entry, UserAuthToken)>, ClientError> {
let whoami_dest = [self.addr.as_str(), "/v1/self"].concat();
// format!("{}/v1/self", self.addr);
let whoami_dest = [self.addr.as_str(), "/v1/whoami"].concat();
debug!("{:?}", whoami_dest);
let response = self.client.get(whoami_dest.as_str());

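Review bot: the commented-out `// format!("{}/v1/self", self.addr);` still references the old path and should be deleted rather than left as dead code, and the `// TODO(mea): self -> whoami?` question is answered by the line right below it, so resolve the TODO before this leaves draft. Worth a line in the PR description as well: a client built from this commit will no longer reach the endpoint on a server that still serves `/v1/self` (and the reverse), so client and server have to be upgraded together.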
@@ -1521,7 +1521,7 @@ impl KanidmClient {
}
}

pub async fn idm_account_primary_credential_complete_webuthn_registration(
pub async fn idm_account_primary_credential_complete_webauthn_registration(
&self,
id: &str,
rego: RegisterPublicKeyCredential,
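Review bot: the spelling fix from `webuthn` to `webauthn` is correct, but `idm_account_primary_credential_complete_webuthn_registration` is a public method on `KanidmClient`, so this is a breaking change for any external user of the client crate; either call it out in the changelog or keep the old name for one release as a `#[deprecated]` wrapper that forwards to the new one.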
7 changes: 3 additions & 4 deletions kanidmd/score/src/https/mod.rs
@@ -11,8 +11,8 @@ use kanidm::prelude::*;
use kanidm::status::StatusActor;

use serde::Serialize;
use std::path::PathBuf;
use std::fs::canonicalize;
use std::path::PathBuf;
use std::str::FromStr;
use uuid::Uuid;

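Review bot: this hunk only moves `use std::path::PathBuf;` below `use std::fs::canonicalize;` to restore alphabetical order, which is what `cargo fmt` produces; fine to keep, but unrelated formatting churn is easier to review as its own commit.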
@@ -366,7 +366,6 @@ pub fn create_https_server(
qe_w_ref: &'static QueryServerWriteV1,
qe_r_ref: &'static QueryServerReadV1,
) -> Result<(), ()> {

let jws_validator = jws_signer.get_validator().map_err(|e| {
error!(?e, "Failed to get jws validator");
})?;
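Review bot: removing the blank line after the `-> Result<(), ()> {` signature is whitespace-only; harmless, but like the import reorder it pads the diff for issue 668 and would be cleaner in a separate formatting commit.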
@@ -401,7 +400,6 @@ pub fn create_https_server(

// If we are no-ui, we remove this.
if !matches!(role, ServerRole::WriteReplicaNoUI) {

let pkg_path = PathBuf::from(env!("KANIDM_WEB_UI_PKG_PATH"));
if !pkg_path.exists() {
eprintln!(
@@ -555,7 +553,8 @@ pub fn create_https_server(
.post(oauth2_id_scopemap_post)
.delete(oauth2_id_scopemap_delete);

let mut self_route = appserver.at("/v1/self");
// TODO(mea): self -> whoami?
Member:
The "whoami" is just a reflector of details about the currently authenticated user. This is a bit of a "hold-over" from the past, where the auth-bearer tokens used to be opaque, so they couldn't be client-side introspected.

However, recently we have changed these so they CAN be client side introspected, meaning it's possible that we may NOT need the "whoami" route at all.

Member:

The lines around here:

https://github.com/kanidm/kanidm/blob/master/kanidm_tools/src/cli/common.rs#L115

You could use "uat.uuid" instead, which gives you the ID of the token holder, since the tokens are JWTs internally.

let mut self_route = appserver.at("/v1/whoami");
self_route.at("/").get(whoami);

self_route.at("/_attr/:attr").get(do_nothing);
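Review bot: the route moves from `/v1/self` to `/v1/whoami`, but the binding is still called `self_route` and `self_route.at("/_attr/:attr").get(do_nothing)` keeps a stub under the old name; rename the variable to match and decide whether the `_attr` stub is still wanted on the new path. Given the Member comment above that `whoami` may not be needed at all now that the tokens can be introspected client-side (`uat.uuid`), it is worth settling that question before renaming, otherwise the route gets churned twice. Also drop the `// TODO(mea): self -> whoami?` marker before merging, and check for remaining `/v1/self` callers (CLI, web UI, docs) in the same PR.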
6 changes: 3 additions & 3 deletions kanidmd/score/tests/proto_v1_test.rs
@@ -1083,7 +1083,7 @@ async fn test_server_rest_webauthn_auth_lifecycle() {

// Enroll the cred after signing.
rsclient
.idm_account_primary_credential_complete_webuthn_registration(
.idm_account_primary_credential_complete_webauthn_registration(
"demo_account",
rego,
sessionid,
@@ -1106,7 +1106,7 @@ async fn test_server_rest_webauthn_auth_lifecycle() {

// Enroll the cred after signing.
rsclient
.idm_account_primary_credential_complete_webuthn_registration(
.idm_account_primary_credential_complete_webauthn_registration(
"demo_account",
rego,
sessionid,
@@ -1196,7 +1196,7 @@ async fn test_server_rest_webauthn_mfa_auth_lifecycle() {

// Enroll the cred after signing.
rsclient
.idm_account_primary_credential_complete_webuthn_registration(
.idm_account_primary_credential_complete_webauthn_registration(
"demo_account",
rego,
sessionid,
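Review bot: the three call sites in `proto_v1_test.rs` are updated consistently with the client rename, so the tests compile against the new method name; a quick `grep -rn webuthn` across the repo (docs and the web UI included) would confirm no other occurrence of the old spelling remains.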