Accepting request 1297840 from network:idm

OBS-URL: https://build.opensuse.org/request/show/1297840
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/kanidm?expand=0&rev=53

_service

@@ -3,7 +3,7 @@
     <param name="url">https://github.com/kanidm/kanidm.git</param>
     <param name="versionformat">@PARENT_TAG@~git@TAG_OFFSET@.%h</param>
     <param name="scm">git</param>
-    <param name="revision">1.3.0</param>
+    <param name="revision">1.7.0</param>
     <param name="match-tag">v*</param>
     <param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param>
     <param name="versionrewrite-replacement">\1</param>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/kanidm/kanidm.git</param>
-              <param name="changesrevision">f075d13e165f0587054e2c91bc9175b7b1f2a806</param></service></servicedata>
+              <param name="changesrevision">130a31d295c8d93c9efb8151d211e7d47f0ecc1a</param></service></servicedata>

kanidm-1.3.3~git0.f075d13.tar.zst

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ea1ecccc0cb1ac71c30ee3b5442b271222e4c2b607f609a07b4cfeab371a44af
-size 11628892

kanidm-1.7.1~git0.130a31d29.tar.zst

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4f2fd2f0577ab17f368c8dce164ec0bd24a2401053a4989208da98867585da7d
+size 6925653

kanidm.changes

@@ -1,3 +1,677 @@
+-------------------------------------------------------------------
+Wed Aug 06 01:11:19 UTC 2025 - william.brown@suse.com
+
+- Update to version 1.7.1~git0.130a31d29:
+  * Release 1.7.1
+  * Update tracing-forest
+  * Handle SEC1 private key (#3761)
+
+-------------------------------------------------------------------
+Fri Aug 01 04:52:46 UTC 2025 - william.brown@suse.com
+
+- Update to version 1.7.0~git0.621ac7be0:
+  * Release 1.7.0
+  * Fix a couple of commands in the OAuth2 Proxy examples (#3758)
+
+-------------------------------------------------------------------
+Thu Jul 31 01:22:06 UTC 2025 - william.brown@suse.com
+
+- Update to version 1.7.0-pre~git0.7d9da9dc8:
+  * Release 1.7.0-pre
+  * 20250729 pre release (#3756)
+  * Helps to enable features like defer spans (#3755)
+  * Downgrade notify-debouncer (#3747)
+  * Reduce memory usage on unixd (#3754)
+  * Bump the all group with 4 updates (#3753)
+  * 20250723 application passwords again (#3748)
+  * Docs oauth2 examples (#3750)
+  * Groups WebUI, modify description (#3734)
+  * Improve replication logging (#3746)
+  * 20250711 type migrations (#3741)
+  * Bump the all group with 3 updates (#3743)
+  * Use constants for /etc/shadow and related paths (#3740)
+  * fix: don't show people's whole tokens in debugs (#3742)
+  * Updates to makefile (#3736)
+  * Add a new paragraph in the installation quickstart for installing required client tools, and clarify the client tool setup paragraph (#3735)
+  * Bump the all group with 4 updates (#3737)
+  * Add ppc64le support for docker images (#3733)
+  * Basic interface to get and regenerate the RADIUS password (#3728)
+  * book: fix command example in pam_and_nsswitch.md (#3732)
+  * fix docgen (#3731)
+  * Fix for Failed to deserialize query: missing field 'state' (#3726)
+  * Add user facing SCIM pagination / sorting (#3725)
+  * Admin UI Group name modification (#3717)
+  * fix typo in documentation: tls_path to tls_key (#3727)
+  * Pre-validate and extract UAT into ClientAuthInfo (#3714)
+  * Security policy updates (re: #3719) (#3722)
+  * Fix using wrong template when setting POSIX password (#3719) (#3720)
+  * Resolve startup failure with client TLS certificates (#3712)
+  * Bump the all group with 2 updates (#3718)
+  * Simple group list (#3713)
+  * Update repos (#3711)
+  * 20250621 application passwords (#3700)
+  * Update docs, doc fmt (#3710)
+  * Apply review feedback
+  * Correctly log connection information
+  * Refactor middleware/extractors
+  * [htmx] basic profile updating (#2994)
+  * Correct 389DS command (#3707)
+  * Schema again (#3706)
+  * examples: small grammar fix (#3705)
+  * Clippy (#3702)
+  * 20250627 update hsm crypto (#3701)
+  * Update 389 content sync instructions (#3699)
+  * Corrections to radius examples (#3697)
+  * fix: wording (#3696)
+  * Update radius.md (Explain: NAS == Network Access Server) (#3691)
+  * updating docs around packages (#3695)
+  * 20250618 rustls (#3687)
+  * fix: error message that wasn't an error (#3690)
+  * Only generate passwords on service accounts (#3688)
+  * Add hmac 256 for cryptography operations (#3663)
+  * Update Nextcloud example (#3683)
+  * Bump the all group with 8 updates (#3684)
+  * Allow deferring spans in unixd (#3680)
+  * OpenSUSE build fix (#3681)
+  * Dark mode improvements (#3660)
+  * Add port examples for server.toml (#3679)
+  * Fix SCIM filter parser for quoted values with spaces and escaped quotes (#3673)
+  * fix: strip comments from UNIX files before parsing (#3674)
+  * Bump the all group across 1 directory with 11 updates (#3675)
+  * Start to implement SCIM apis (#3535)
+  * Fix healthcheck to use ENV for config path (#3656)
+  * maint: rewrite crypto Password::try_from (#3637)
+  * doc(book): Add  option to Nextcloud Oauth2.0 example (#3654)
+  * Bump the all group with 4 updates (#3655)
+  * Make it clearer that the http address section is needed (#3652)
+  * TODO trimming (#3641)
+  * Investigate and reduce memory consumption of unixd (#3645)
+  * Swap bytes mut at buffer limits (#3651)
+  * Clippy for 1.87 (#3644)
+  * fix: Improve unixd & unixd-tasks startup coupling (#3638)
+  * Bump the all group with 2 updates (#3648)
+  * reload schema before verify (#3643)
+  * Defend against split_at panic (#3636)
+  * Fix minor issue with untagged version handling (#3634)
+  * Move shadow processing out of task event loop (#3631)
+  * Dont specify config path in container (#3630)
+  * Accept SSHA with different salt lengths (#3629)
+  * Bye poetry, hi uv for python things (#3627)
+  * Resolve flaw with ssh key parse if the key has no comment (#3628)
+  * Indicate that this is an ip list, not a range (#3626)
+  * Test for corrupted unicode in SSH keys, keep the key title on error/resubmit (#3618)
+  * Reduce replication logging verbosity
+  * Bump the all group across 1 directory with 7 updates (#3623)
+  * Bump the all group in /pykanidm with 2 updates (#3621)
+  * cargo publish (#3613)
+  * fix: clippy
+  * maint: typo in log message
+  * Set kid manually to prevent divergence
+  * Order keys in application JWKS / Fix rotation bug
+  * Fix toml issues with strings
+  * OAuth2 Client ID's should be processed as lowercase (#3605)
+  * Resolve reload of oauth2 on startup (#3604)
+  * Bump petgraph from 0.7.1 to 0.8.1 in the all group (#3595)
+  * Bump the all group in /pykanidm with 2 updates (#3596)
+  * Avoid openssl for md4 (#3594)
+  * Fixes #3586, inverts the navbar button color (#3593)
+  * Update to 1.7.0-dev (#3592)
+
+-------------------------------------------------------------------
+Thu Jun 12 05:27:20 UTC 2025 - william.brown@suse.com
+
+- Update to version 1.6.4~git2.a4b3b0f7b:
+  * Remove dead code
+  * OpenSUSE build fix
+
+-------------------------------------------------------------------
+Wed Jun 11 06:24:08 UTC 2025 - william.brown@suse.com
+
+- Update to version 1.6.4~git0.e1d26ed10:
+  * Release 1.6.4
+  * Allow deferring spans in unixd
+  * Dark mode improvements (#3660)
+  * Fix SCIM filter parser for quoted values with spaces and escaped quotes (#3673)
+  * fix: strip comments from UNIX files before parsing (#3674)
+  * Fix healthcheck to use ENV for config path (#3656)
+  * Investigate and reduce memory consumption of unixd (#3645)
+  * Swap bytes mut at buffer limits (#3651)
+  * fix: Improve unixd & unixd-tasks startup coupling (#3638)
+  * reload schema before verify (#3643)
+  * Defend against split_at panic (#3636)
+
+-------------------------------------------------------------------
+Wed May 14 05:48:26 UTC 2025 - william.brown@suse.com
+
+- Update to version 1.6.3~git0.389493eb1:
+  * Release 1.6.3
+  * Fix minor issue with untagged version handling (#3634)
+  * Move shadow processing out of task event loop (#3631)
+  * Dont specify config path in container (#3630)
+  * Accept SSHA with different salt lengths (#3629)
+  * Resolve flaw with ssh key parse if the key has no comment (#3628)
+  * Indicate that this is an ip list, not a range (#3626)
+  * Test for corrupted unicode in SSH keys, keep the key title on error/resubmit (#3618)
+  * Reduce replication logging verbosity
+  * cargo publish (#3613)
+
+-------------------------------------------------------------------
+Fri May 09 03:36:32 UTC 2025 - william.brown@suse.com
+
+- Update to version 1.6.2~git0.a20663ea8:
+  * Release 1.6.2
+  * fix: clippy
+  * maint: typo in log message
+  * Set kid manually to prevent divergence
+  * Order keys in application JWKS / Fix rotation bug
+  * Fix toml issues with strings
+
+-------------------------------------------------------------------
+Thu May 08 03:18:30 UTC 2025 - william.brown@suse.com
+
+- Update to version 1.6.1~git0.2e4429eca:
+  * Release 1.6.1
+  * Resolve reload of oauth2 on startup (#3604)
+
+-------------------------------------------------------------------
+Wed May  7 04:40:56 UTC 2025 - William Brown <william.brown@suse.com>
+
+- bsc#1242642 - CVE-2025-3416 - openssl use after free
+
+-------------------------------------------------------------------
+Wed May 07 04:10:43 UTC 2025 - william.brown@suse.com
+
+- Update to version 1.6.0~git0.d7ae0f336:
+  * Release 1.6.0
+  * Avoid openssl for md4
+  * Fixes #3586, inverts the navbar button color (#3593)
+  * Release 1.6.0-pre
+  * chore: Release Notes (#3588)
+  * Do not require instances to exist during optional config load (#3591)
+  * Fix std::fmt::Display for some objects (#3587)
+  * Drop fernet in favour of JWE (#3577)
+  * docs: document how to configure oauth2 for opkssh (#3566)
+  * Add kanidm_ssh_authorizedkeys_direct to client deb (#3585)
+  * Bump the all group in /pykanidm with 2 updates (#3581)
+  * Update dependencies, fix a bunch of clippy lints (#3576)
+  * Support spaces in ssh key comments (#3575)
+  * 20250402 3423 proxy protocol (#3542)
+  * fix(web): Preserve SSH key content on form validation error (#3574)
+  * Bump the all group in /pykanidm with 3 updates (#3572)
+  * Bump the all group in /pykanidm with 2 updates (#3564)
+  * Bump crossbeam-channel from 0.5.14 to 0.5.15 in the cargo group (#3560)
+  * Improve token handling (#3553)
+  * Bump tokio from 1.44.1 to 1.44.2 in the cargo group (#3549)
+  * Update fs4 and improve klock handling (#3551)
+  * Less footguns (#3552)
+  * Unify unix config parser (#3533)
+  * Bump openssl from 0.10.71 to 0.10.72 in the cargo group (#3544)
+  * Bump the all group in /pykanidm with 8 updates (#3547)
+  * implement notify-reload protocol (#3540)
+  * Allow versioning of server configs (#3515)
+  * 20250314 remove protected plugin (#3504)
+  * Bump the all group with 10 updates (#3539)
+  * Bump mozilla-actions/sccache-action from 0.0.8 to 0.0.9 in the all group (#3538)
+  * Bump the all group in /pykanidm with 4 updates (#3537)
+  * Add max_ber_size to freeipa sync (#3530)
+  * Bump the all group in /pykanidm with 5 updates (#3524)
+  * Update Concread
+  * Update developer_ethics.md (#3520)
+  * Update examples.md (#3519)
+  * Make schema indexing a boolean instead of index types (#3517)
+  * Add missing lld dependency and fix syntax typo (#3490)
+  * Update shell.nix to work with stable nixpkgs (#3514)
+  * Improve unixd tasks channel comments (#3510)
+  * Update kanidm_ppa_automation reference to latest (#3512)
+  * Add set-description to group tooling (#3511)
+  * packaging: Add kanidmd deb package, update documentation (#3506)
+  * Bump the all group in /pykanidm with 5 updates (#3508)
+  * 20250313 unixd system cache (#3501)
+  * Support rfc2307 memberUid in sync operations. (#3466)
+  * Bump mozilla-actions/sccache-action from 0.0.7 to 0.0.8 in the all group (#3496)
+  * Update Traefik config example to remove invalid label (#3500)
+  * Add uid/gid allocation table (#3498)
+  * 20250225 ldap testing in testkit (#3460)
+  * Bump the all group in /pykanidm with 5 updates (#3494)
+  * Bump ring from 0.17.10 to 0.17.13 in the cargo group (#3491)
+  * Handle form-post as a response mode (#3467)
+  * book: fix english (#3487)
+  * Correct paths with Kanidm Tools Container (#3486)
+  * 20250225 improve test performance (#3459)
+  * Bump the all group in /pykanidm with 8 updates (#3484)
+  * Use lld by default on linux (#3477)
+  * 20250213 patch used wrong acp (#3432)
+  * Android support (#3475)
+  * Changed all CI/CD builds to locked (#3471)
+  * Make it a bit clearer that providers are needed (#3468)
+  * Fix incorrect credential generation in radius docs (#3465)
+  * Add crypt formats for password import (#3458)
+  * build: Create daemon image from scratch (#3452)
+  * address webfinger doc feedbacks (#3446)
+  * Bump the all group across 1 directory with 5 updates (#3453)
+  * [htmx] Admin ui for groups and users management (#3019)
+  * Fixes #3406: add configurable maximum queryable attributes for LDAP (#3431)
+  * Accept invalid certs and fix token_cache_path (#3439)
+  * Accept lowercase ldap pwd hashes (#3444)
+  * TOTP label verification (#3419)
+  * Rewrite WebFinger docs (#3443)
+  * doc: fix formatting of URL table, remove Caddyfile instructions (#3442)
+  * book: add OAuth2 Proxy example (#3434)
+  * Exempt idm_admin and admin from denied names. (#3429)
+  * Book fixes (#3433)
+  * ci: uniform Docker builds (#3430)
+  * 20240213 3413 domain displayname (#3425)
+  * Correct path to kanidm config example in documentation. (#3424)
+  * Support redirect uris with query parameters (#3422)
+  * Update to 1.6.0-dev (#3418)
+  * Remove white background from square logo. (#3417)
+  * feat: Added webfinger implementation (#3410)
+  * Bump the all group in /pykanidm with 7 updates (#3412)
+
+-------------------------------------------------------------------
+Wed May 07 03:48:37 UTC 2025 - william.brown@suse.com
+
+- Update to version 1.5.0~git2.21c2a1bd0:
+  * fix: documentation fail (#3555)
+
+-------------------------------------------------------------------
+Fri Feb 21 23:57:44 UTC 2025 - William Brown <william.brown@suse.com>
+
+- Enable aarch64 for Fedora/Centos
+
+-------------------------------------------------------------------
+Sat Feb 15 03:46:27 UTC 2025 - William Brown <william.brown@suse.com>
+
+- Fix building on CentOS_9
+
+-------------------------------------------------------------------
+Tue Feb 11 06:37:21 UTC 2025 - william.brown@suse.com
+
+- Update to version 1.5.0~git1.0fa57fc:
+  * Update makefile for docker
+  * Release 1.5.0
+  * 20250209 pre release (#3409)
+  * 20250206 freebsd ports (#3404)
+  * Resolve kanidm-unix auth-test bug (#3405)
+  * chore: Remove empty scopemaps (#3170)
+  * Feat: Allowing spn query with non-spn structured data in LDAP (#3400)
+  * SSH Keys in Credentials Update (#3027)
+  * 20250205 3369 firefox pin (#3403)
+  * Correctly return that uuid2spn changed on domain rename (#3402)
+  * Fix the password reset form and possible resolver issue (#3398)
+  * Add handle_group_error to cli client (#3399)
+  * Improve spans in unixd (#3397)
+  * Allow OAuth2 with empty state parameter (#3396)
+  * #3387 - RADIUS Startup fixin's (#3388)
+  * Allow POST on oauth userinfo (#3395)
+  * OpenBSD support (#3381)
+  * Bump openssl from 0.10.69 to 0.10.70 in the cargo group (#3391)
+  * Add /.well-known/change-password endpoint (#3382)
+  * Bump the all group across 1 directory with 7 updates (#3385)
+  * extend oauth2 examples with gitea (#3351)
+  * Bump the all group with 22 updates (#3376)
+  * Book: Added small section on primary cred fallback (#3365)
+  * Added shell.nix to create dev environment (#3362)
+  * fix(ci): Add setup-oras step to include ORAS CLI for container builds on ubuntu-24.04. (#3368)
+  * 20250114 3325 SCIM access control (#3359)
+  * Small UI updates. (#3361)
+  * Bump the all group in /pykanidm with 2 updates (#3366)
+  * Repair systemd reload notifications (#3355)
+  * fix: unrecoverable error page doesn't include logo or domain name (#3352)
+  * Bump jinja2 from 3.1.4 to 3.1.5 in /pykanidm in the pip group (#3358)
+  * Bump the all group in /pykanidm with 4 updates (#3356)
+  * 20250110 eo fixes (#3353)
+  * fix(server/config): reduce string allocations (#3350)
+  * Add ssh_publickeys as a claim for oauth2 (#3346)
+  * Allow modification of password minimum length (#3345)
+  * Add OAuth2 `response_mode=fragment` (#3335)
+  * Resolve passkey regression (#3343)
+  * Renaming "TOTP" in the login flow (#3338)
+  * Bump the all group in /pykanidm with 3 updates (#3339)
+  * Bump actions/checkout from 2 to 4 in the all group (#3341)
+  * Add support for prefers-color-scheme using Bootstrap classes. (#3327)
+  * Fix /var/run/kanidm-unixd permission (#3342)
+  * Javascript linting (#3329)
+  * Ignore anonymous in oauth2 read allow access (#3336)
+  * cookies don't clear unless you set domain (#3332)
+  * 20250102 freebsd client (#3333)
+  * fix: PAM on Debian, enable use_first_pass by default (#3326)
+  * Bump the all group with 6 updates (#3324)
+  * Bump the all group in /pykanidm with 2 updates (#3323)
+  * Bump the all group with 3 updates (#3317)
+  * Bump the all group in /pykanidm with 7 updates (#3316)
+  * nss/pam resolver should reauth faster (#3309)
+  * Update to latest webauthn-rs/time (#3315)
+  * kanidm-unixd example config enfixening (#3314)
+  * Further SCIM sync testing, minor fixes (#3305)
+  * book: explain how to use fido-mds-tool (#3231)
+  * client: read attestation CA list JSON from file (#3232)
+  * Automatically trigger passkeys on login view (#3307)
+  * Re-add enrol another device flow
+  * Improved Cookie Removal
+  * Allow opt-in of easter eggs (#3308)
+  * Allow reseting account policy values to defaults (#3306)
+  * Incorrect member name in groups (#3302)
+  * SCIM Sync Missing Annotation (#3300)
+  * Ignore system users for UPG synthesiseation (#3297)
+  * Limit OAuth2 resumption to session (#3296)
+  * Use specific errors for intent token revoked (#3291)
+  * Autocomplete password during reauth with TOTP (#3290)
+  * Bump the all group with 6 updates (#3294)
+  * Bump mozilla-actions/sccache-action from 0.0.6 to 0.0.7 in the all group (#3295)
+  * Bump the all group in /pykanidm with 2 updates (#3293)
+  * remove unused webauthn features. (#3286)
+  * Add CORS headers to jwks and userinfo (#3283)
+  * Cleanup webauthn features (#3285)
+  * Minor tweaks to cred reset ui (#3284)
+  * Bump the all group across 1 directory with 6 updates (#3280)
+  * Allow group managers to modify entry-managed-by (#3272)
+  * pykanidm: Make a little dry. (#3281)
+  * Bump the all group with 5 updates (#3278)
+  * pykanidm: Add retrieving credential reset token for a person. (#3279)
+  * Cleanup of println and other outputs (#3266)
+  * Canonicalize path for user shell check (#3265)
+  * Check DNS on replication loop start not at task start (#3243)
+  * Work around systemd race condition (#3262)
+  * fix(docstrings): minor lack of formatting breaking things (#3260)
+  * Devcontainertainertainer (#3251)
+  * grafana: update example to work with strict redirect uri checking (#3259)
+  * Bump the all group in /pykanidm with 5 updates (#3257)
+  * Bump the all group with 6 updates (#3258)
+  * 20240927 SCIM put (#3151)
+  * Clear invalid tokens from unix resolver (#3256)
+  * Clippy Lints (#3255)
+  * Allow OAuth2 loopback redirects if the path matches (#3252)
+  * Correctly display domain name on login (#3254)
+  * Display account_id during success/deny paths in unixd (#3253)
+  * s/idm_people_self_write_mail/idm_people_self_mail_write/g (#3250)
+  * handle missing map_group setting in config (#3242)
+  * owncloud: Add SameSite=Lax config for cross-domain auth (#3245)
+  * Bump the all group across 1 directory with 7 updates (#3238)
+  * Yaleman/issue3229 (#3239)
+  * Bump the all group across 1 directory with 12 updates (#3235)
+  * Update to latest fido-mds-tool (#3230)
+  * Warn when v2 options are used in v1 unixd config (#3228)
+  * Bump aiohttp from 3.10.10 to 3.10.11 in /pykanidm in the pip group (#3223)
+  * Resolve UI Auth Loop with OAuth2 (#3226)
+  * Harden transport in pam unixd (#3227)
+  * Improve warning around invalid JWT deserialisation (#3224)
+  * Update and fix server config files in examples. (#3225)
+  * Change CLI oauth2 command from set-display-name to set-displayname for consistency. (#3212)
+  * Add docs on customising Kanidm. (#3209)
+  * Correct spelling of occurred (#3222)
+  * Bump the all group across 1 directory with 13 updates (#3202)
+  * UI/Feature polish (#3191)
+  * Prevent Invalid MFA Reg States (#3194)
+  * Change CSS for applications so SVG scales nicely in Firefox. (#3200)
+  * 20241109 3185 max age (#3196)
+  * Hoist max_age to prevent incorrect deserialisation (#3190)
+  * Use correct oauth2 manage acp (#3186)
+  * Re-migrate all acps to force updating (#3184)
+  * Bump the all group across 1 directory with 2 updates (#3180)
+  * security - low - fault in migrations (#3182)
+  * fix(kanidmd): Print replication cert to stdout (#3179)
+  * Correct missing CSP header (#3177)
+  * Resolve pam services not always having a tty (#3176)
+  * Resolve incorrect handling of rhost in pam (#3171)
+  * chore: Made oauth2 scopes required in CLI (#3165)
+  * More "choosing a domain" revision (#3161)
+  * Bump jsonschema from 0.21.0 to 0.26.0 in the all group (#3157)
+  * Update missing inputmode numeric when adding a new TOTP. (#3160)
+  * Improve OAuth2 authorisation ux (#3158)
+  * Fix attribute scim sync attribute naming (#3159)
+  * Change to text input and use numeric mode for TOTP prompts. (#3154)
+  * Bump the all group in /pykanidm with 3 updates (#3156)
+  * Fix release note date and typos (#3153)
+  * Begin 1.5.0 Development Cycle (#3150)
+
+-------------------------------------------------------------------
+Tue Feb 11 06:35:23 UTC 2025 - william.brown@suse.com
+
+- Update to version 1.4.6~git1.3f47d7f:
+  * fix: PAM on Debian, enable use_first_pass by default (#3326)
+
+-------------------------------------------------------------------
+Thu Jan 23 23:42:52 UTC 2025 - william.brown@suse.com
+
+- Update to version 1.4.6~git0.3ce4e0f:
+  * Release 1.4.6
+  * Small UI updates. (#3361)
+  * Allow modification of password minimum length (#3345)
+  * Ignore anonymous in oauth2 read allow access (#3336)
+  * Resolve passkey regression (#3343)
+  * Renaming "TOTP" in the login flow (#3338)
+  * cookies don't clear unless you set domain (#3332)
+
+-------------------------------------------------------------------
+Sat Dec 21 07:57:16 UTC 2024 - william.brown@suse.com
+
+- Update to version 1.4.5~git0.a7fabde:
+  * Release 1.4.5
+  * nss/pam resolver should reauth faster (#3309)
+  * Further SCIM sync testing, minor fixes (#3305)
+  * Automatically trigger passkeys on login view (#3307)
+  * Re-add enrol another device flow
+  * Improved Cookie Removal
+  * Allow reseting account policy values to defaults (#3306)
+  * Incorrect member name in groups (#3302)
+  * SCIM Sync Missing Annotation (#3300)
+  * Ignore system users for UPG synthesiseation (#3297)
+  * Limit OAuth2 resumption to session (#3296)
+  * Use specific errors for intent token revoked (#3291)
+  * Autocomplete password during reauth with TOTP (#3290)
+  * Add CORS headers to jwks and userinfo (#3283)
+
+-------------------------------------------------------------------
+Wed Dec 11 03:12:47 UTC 2024 - William Brown <william.brown@suse.com>
+
+- Require system-user-nobody to prevent install ordering issue with
+  invalid rpc/statd users
+
+-------------------------------------------------------------------
+Tue Dec 03 05:55:52 UTC 2024 - william.brown@suse.com
+
+- Update to version 1.4.4~git0.c3dbf83:
+  * Release 1.4.4
+  * Check DNS on replication loop start not at task start (#3243)
+  * Work around systemd race condition (#3262)
+  * Clear invalid tokens from unix resolver (#3256)
+  * Allow OAuth2 loopback redirects if the path matches (#3252)
+  * Correctly display domain name on login (#3254)
+  * Display account_id during success/deny paths in unixd (#3253)
+  * s/idm_people_self_write_mail/idm_people_self_mail_write/g (#3250)
+  * handle missing map_group setting in config (#3242)
+  * owncloud: Add SameSite=Lax config for cross-domain auth (#3245)
+  * Yaleman/issue3229 (#3239)
+
+-------------------------------------------------------------------
+Fri Nov 22 07:08:34 UTC 2024 - william.brown@suse.com
+
+- Update to version 1.4.3~git1.078625c:
+  * Update to latest fido-mds-tool (#3230)
+
+-------------------------------------------------------------------
+Fri Nov 22 06:52:53 UTC 2024 - william.brown@suse.com
+
+- Update to version 1.4.3~git0.fb00176:
+  * Release 1.4.3
+  * Warn when v2 options are used in v1 unixd config (#3228)
+  * Resolve UI Auth Loop with OAuth2 (#3226)
+  * Harden transport in pam unixd (#3227)
+  * Improve warning around invalid JWT deserialisation (#3224)
+  * Update and fix server config files in examples. (#3225)
+  * Change CLI oauth2 command from set-display-name to set-displayname for consistency. (#3212)
+  * Add docs on customising Kanidm. (#3209)
+  * Correct spelling of occurred (#3222)
+  * UI/Feature polish (#3191)
+  * Prevent Invalid MFA Reg States (#3194)
+  * Change CSS for applications so SVG scales nicely in Firefox. (#3200)
+  * 20241109 3185 max age (#3196)
+  * Hoist max_age to prevent incorrect deserialisation (#3190)
+  * Release 1.4.2
+  * Re-migrate all acps to force updating (#3184)
+  * security - low - fault in migrations (#3182)
+
+-------------------------------------------------------------------
+Tue Nov 05 05:13:11 UTC 2024 - william.brown@suse.com
+
+- Update to version 1.4.1~git0.ad93202:
+  * Release 1.4.1
+  * Correct missing CSP header (#3177)
+  * Resolve pam services not always having a tty (#3176)
+
+-------------------------------------------------------------------
+Sun Nov 03 00:17:17 UTC 2024 - william.brown@suse.com
+
+- Update to version 1.4.0~git2.770efa8:
+  * Resolve incorrect handling of rhost in pam (#3171)
+
+-------------------------------------------------------------------
+Fri Nov 01 02:24:42 UTC 2024 - william.brown@suse.com
+
+- Update to version 1.4.0~git1.c297c3f:
+  * Docker makefile latest
+  * Release 1.4.0
+  * chore: Made oauth2 scopes required in CLI (#3165)
+  * More "choosing a domain" revision (#3161)
+  * Update missing inputmode numeric when adding a new TOTP. (#3160)
+  * Improve OAuth2 authorisation ux (#3158)
+  * Fix attribute scim sync attribute naming (#3159)
+  * Change to text input and use numeric mode for TOTP prompts. (#3154)
+  * Fix release note date and typos (#3153)
+  * Release 1.4.0-pre
+  * Release Notes (#3149)
+  * Remove WASM (#3148)
+  * Rewrite "choosing a domain", add other considerations (#3147)
+  * Harmonize UI and remove unused css (#3033)
+  * ripping out some extra packages (#3146)
+  * OAuth2 Device flow foundations (#3098)
+  * htmx by default (#3145)
+  * Support reloading via systemd (#3144)
+  * Chore: Refactor Groups to be more generic (#3136)
+  * 20241024 1271 cert reload on SIGHUP (#3140)
+  * Update docs, improve locking (#3141)
+  * 2856 - use tags for containers on build (#3139)
+  * Fix image when too smol (#3138)
+  * yale's rabbit-hole-chasing-htmx-fixing-megapatch (#3135)
+  * ipinfo should be single value (#3137)
+  * Tidy the reauth ui (#3130)
+  * Add missing schemas to get OpenAPI validation to pass. (#3129)
+  * Change some OperationError into HTTP Bad Request (400). (#3125)
+  * Bump the all group with 11 updates (#3127)
+  * Bump the all group in /pykanidm with 5 updates (#3128)
+  * Fill in some Swagger API docs for a few v1 endpoints. (#3126)
+  * Diagram Improvements in Book (#3124)
+  * Fix passkey auth flow redirects (#3123)
+  * Improve handling of inaccesible shadow file (#3122)
+  * Log HTTP Not Found (404) as info log level. (#3119)
+  * more errors for the people (#3121)
+  * 20241017 unixd home (#3113)
+  * 20241017 3107 token ttl (#3114)
+  * docs: Update kanidm_ppa instructions for new repo logic (#3117)
+  * fix(lint) minor lint fix for unnecessary match use (#3118)
+  * Totp input changes (#3115)
+  * Add the strict flag on client creates for developers (#3111)
+  * Working scim entry get for person (#3088)
+  * Add nss testframework and fallback when daemon offline (#3093)
+  * Improve deb packaging, add aarch64 (#3083)
+  * Cache buster buster (#3091)
+  * fix(http): status content type should be JSON (#3096)
+  * Bump the all group across 1 directory with 7 updates (#3106)
+  * Bump the all group across 1 directory with 10 updates (#3103)
+  * 20241012 attr name SCIM fix (#3102)
+  * Scim add EntryReference  (#3079)
+  * Bump the all group across 1 directory with 3 updates (#3094)
+  * Fix Increment Replication Post Upgrade (#3089)
+  * Remove white background from square logo (#3087)
+  * Add support for group extension (#3081)
+  * 20240921 ssh keys and unix password in credential update session (#3056)
+  * Fix landing and redirect URLs for GitLab, add some useful links (#3055)
+  * [htmx] Make it harder to miss the save button on the cred update page (#3013)
+  * Add example Outline config (#3076)
+  * 20240925 cleanups (#3060)
+  * Add instructions for unlinking Homebrew Rust on macOS (#3085)
+  * Don't reprompt for login when no session exists in cli (#3082)
+  * Make good on some TechDebt (#3084)
+  * Feat: Adding POSIX Password fallback (#3067)
+  * Bump the all group across 1 directory with 13 updates (#3080)
+  * Complete the implementation of the posix account cache (#3041)
+  * 20240926 tech debt (#3066)
+  * Fix migration of last mod cid (#3065)
+  * Increase totp secret size (#3061)
+  * Bump mozilla-actions/sccache-action from 0.0.5 to 0.0.6 in the all group (#3075)
+  * Improve pipe handling on linux (#3069)
+  * reformat oauth2 URL list, highlight legacy bits (#3062)
+  * scim_proto: fix incorrect language tag (#3064)
+  * Add ownCloud example config (#3059)
+  * Add example config for JetBrains Hub / YouTrack (#3058)
+  * Bump the all group with 8 updates (#3053)
+  * Bump the all group in /pykanidm with 3 updates (#3054)
+  * Document basic authenticating GitLab to Kanidm (#3050)
+  * fix(doc): updating docker container ref (#3049)
+  * Resolve incorrect SCIM Sync serialisation (#3047)
+  * CLI image error nicening (#3037)
+  * Add rfc7009 and rfc7662 metadata to oidc discovery (#3046)
+  * More openapi tweaks (#3038)
+  * Bump the all group with 6 updates (#3044)
+  * Bump the all group in /pykanidm with 3 updates (#3043)
+  * fix(docs): make it clearer that bearer auth is a thing (#3031)
+  * implements additional traits for filter types (#3036)
+  * 20240810 SCIM entry basic (#3032)
+  * CreatedAt/ModifiedAt fix (#3034)
+  * Pykanidm fixes (#3030)
+  * 20240906 Attribute as an Enum Type (#3025)
+  * Bump the all group with 9 updates (#3029)
+  * Bump the all group in /pykanidm with 4 updates (#3028)
+  * Credentials page/Self cred update flow UI improvements (#3012)
+  * 20240828 Support Larger Images, Allow Custom Domain Icons (#3016)
+  * MemberOf in search implies DirectMemberOf (#3024)
+  * fix(kanidm): don't allow empty string fields on CLI (#3018)
+  * Bump cryptography from 42.0.4 to 43.0.1 in /pykanidm in the pip group (#3023)
+  * generate completions for elvish and fish (#3015)
+  * Bump the all group with 4 updates (#3021)
+  * Bump the all group in /pykanidm with 3 updates (#3022)
+  * 20240820 SCIM value (#2992)
+  * fix(daemon): handling IPv6 addresses in healthcheck (#3004)
+  * fix(webui): Javascript errors after server-side update blocking login. Fixed after cache invalidating (#3011)
+  * OAuth2 Token Type (#3008)
+  * Bump the all group in /pykanidm with 4 updates (#3007)
+  * Bump the all group with 8 updates (#3006)
+  * Spattering of oauth2 stuff (#3000)
+  * Doc multi instance (#2997)
+  * Expose group rename (#2999)
+  * feat: self cred update flow (#2995)
+  * Better Error Message (#2998)
+  * Add missing group for application admin (#2991)
+  * enforcen den clippen (#2990)
+  * 20240817 group mail acp (#2982)
+  * 20240810 application passwords (#2968)
+  * Bump the all group with 17 updates (#2986)
+  * Bump the all group in /pykanidm with 3 updates (#2985)
+  * Mail substr index (#2981)
+  * Doc format, add api-token section (#2975)
+  * [HTMX] small profile improvements (#2974)
+  * Foundations of pam/nss multi resolver
+  * TLS, no seriously. (#2963)
+  * Update suse.md to avoid Authentication token manipulation error (#2973)
+  * Add Alpine Linux installation instructions (#2871)
+  * Bump the all group across 1 directory with 10 updates (#2966)
+  * [HTMX] User settings (#2929)
+  * Bump the all group in /pykanidm with 2 updates (#2965)
+  * Docs updates (#2961)
+  * Bump aiohttp from 3.10.0 to 3.10.2 in /pykanidm in the pip group (#2962)
+  * Prevent bug in pam (#2960)
+  * Improve migration error message (#2959)
+  * Fix incorrect logic in cred update flow (#2956)
+  * Docker-and-docs-fixes (#2954)
+  * Bump the all group in /pykanidm with 5 updates (#2952)
+  * Bump the all group with 10 updates (#2953)
+  * Added orca flag to extend privileged authentication expiry (#2949)
+  * In honour of SebaT, error on db lock acq timeout (#2947)
+  * Add measurement of lock acquisition (#2946)
+  * [htmx] Credential Update page  (#2897)
+  * Update to 1.4.0-dev (#2943)
+
 -------------------------------------------------------------------
 Thu Sep 12 00:23:51 UTC 2024 - William Brown <william.brown@suse.com>
 

kanidm.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package kanidm
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -20,7 +20,7 @@
 %define configdir %{_sysconfdir}/kanidm
 
 Name:           kanidm
-Version:        1.3.3~git0.f075d13
+Version:        1.7.1~git0.130a31d29
 Release:        0
 Summary:        A identity management service and clients.
 License:        ( Apache-2.0 OR BSL-1.0 ) AND ( Apache-2.0 OR ISC OR MIT ) AND ( Apache-2.0 OR MIT ) AND ( Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT ) AND ( CC0-1.0 OR Apache-2.0 ) AND ( MIT OR Apache-2.0 OR Zlib ) AND ( Unlicense OR MIT ) AND ( Zlib OR Apache-2.0 OR MIT ) AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND CC0-1.0 AND ISC AND MIT AND MPL-2.0 AND MPL-2.0+
@@ -29,12 +29,12 @@ Source:         kanidm-%{version}.tar.zst
 Source1:        vendor.tar.zst
 
 BuildRequires:  cargo
-BuildRequires:  cargo-packaging
 %if 0%{?is_opensuse}
+BuildRequires:  cargo-packaging
 BuildRequires:  llvm-clang >= 13
 %else
-# Sle is missing these provides.
+BuildRequires:  clang >= 13
-BuildRequires:  clang15
+BuildRequires:  lld >= 13
 %endif
 BuildRequires:  libselinux-devel
 BuildRequires:  libudev-devel
@@ -59,7 +59,11 @@ BuildRequires:  libopenssl-3-devel
 Requires:       %{name}-clients
 Requires:       %{name}-unixd-clients
 
+%if 0%{?is_opensuse}
 ExclusiveArch:  %{rust_tier1_arches}
+%else
+ExclusiveArch:  x86_64 aarch64
+%endif
 
 %description
 An identity management platform written in rust that supports RADIUS, SSH Key management
@@ -90,6 +94,9 @@ Requires:       tpm2-tss
 %else
 Requires:       system-user-tss
 Requires:       tpm2.0-tools
+# progress.o.o #170107 - prevent an error for installing system-user-nobody due to invalid /etc/passwd
+# configuration of the statd and rpc users.
+Requires:       system-user-nobody
 %endif
 
 %description unixd-clients
@@ -117,10 +124,15 @@ export KANIDM_BUILD_PROFILE=%{kanidm_profile}
 # export RUSTC_LOG='rustc_codegen_ssa::back::link=info'
 # Dump the target features of this cpu.
 rustc --print target-cpus
+
+%if 0%{?is_opensuse}
 # Override buildflags, we want to use clang + lld here. It's much better/faster than bfd.
-%define build_rustflags -C linker=clang -C link-arg=-fuse-ld=/usr/lib/rustlib/%{_arch}-unknown-linux-gnu/bin/gcc-ld/ld.lld -C debuginfo=2 -C incremental=false
+%define build_rustflags -C linker=clang -C link-arg=-fuse-ld=/usr/lib/rustlib/%{_arch}-unknown-linux-gnu/bin/gcc-ld/ld.lld
 
 %{cargo_build} --features=kanidm_unix_int/tpm,kanidm_unix_int/selinux
+%else
+CARGO_INCREMENTAL=0 CARGO_FEATURE_VENDORED=1 RUSTFLAGS="-Clink-arg=-Wl,-z,relro,-z,now -C debuginfo=2 -C strip=none -C linker=clang -C link-arg=-fuse-ld=lld" cargo build --release --features=kanidm_unix_int/selinux
+%endif
 
 %install
 install -D -d -m 0755 %{buildroot}%{_sysconfdir}
@@ -175,7 +187,7 @@ install -m 0755 %{_builddir}/kanidm-%{version}/target/release/build/completions/
 install -m 0755 %{_builddir}/kanidm-%{version}/target/release/build/completions/kanidm_ssh_authorizedkeys.bash %{buildroot}%{_sysconfdir}/bash_completion.d/kanidm_ssh_authorizedkeys.sh
 
 cp -r %{_builddir}/kanidm-%{version}/book/src/ %{buildroot}%{_datadir}/kanidm/docs/
-cp -r %{_builddir}/kanidm-%{version}/server/web_ui/pkg %{buildroot}%{_datadir}/kanidm/ui/pkg
+cp -r %{_builddir}/kanidm-%{version}/server/core/static %{buildroot}%{_datadir}/kanidm/ui/hpkg
 
 ## End install
 
@@ -264,10 +276,10 @@ cp -r %{_builddir}/kanidm-%{version}/server/web_ui/pkg %{buildroot}%{_datadir}/k
 %{_unitdir}/kanidm-ipa-sync.service
 %dir %{_datadir}/kanidm
 %dir %{_datadir}/kanidm/ui
-%dir %{_datadir}/kanidm/ui/pkg
+%dir %{_datadir}/kanidm/ui/hpkg
-%dir %{_datadir}/kanidm/ui/pkg/external
+%dir %{_datadir}/kanidm/ui/hpkg/external
-%{_datadir}/kanidm/ui/pkg/*
+%{_datadir}/kanidm/ui/hpkg/*
-%{_datadir}/kanidm/ui/pkg/external/*
+%{_datadir}/kanidm/ui/hpkg/external/*
 %dir %{configdir}
 %config(noreplace) %{configdir}/server.toml
 %dir %{_sysconfdir}/zsh_completion.d

vendor.tar.zst

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:59dc51d23d78ff8cb7d6fce2810142e7d03bb3523ce5fa6cb2306f0e0c6f5ede
+oid sha256:4d9ac5aee0bfba307bb4f73b7cf0e8ac8c78d99cf0806ce56690ab31fef1f403
-size 69311053
+size 73231204