Beta1 bugfixes

docs/config/config.html

@@ -7,7 +7,7 @@
 
 
         <!-- Custom HTML head -->
-        
+
         <meta name="description" content="">
         <meta name="viewport" content="width=device-width, initial-scale=1">
         <meta name="theme-color" content="#ffffff" />
@@ -172,7 +172,7 @@ <h1 id="reference-config"><a class="header" href="#reference-config">Reference C
 # registrations with 'user@gmail.com' (default: '')
 #USER_REG_DOMAIN_RESTRICTION=some-domain.com
 
-# If set to 'true', this will validate the remote peer IP address with each request 
+# If set to 'true', this will validate the remote peer IP address with each request
 # and compare it with the IP which was used during the initial session creation / login.
 # If the IP is different, the session will be rejected.
 # This is a security hardening and prevents stolen access credentials, for instance if
@@ -181,10 +181,10 @@ <h1 id="reference-config"><a class="header" href="#reference-config">Reference C
 # only happen if an attacker has direct access to the machine itself.
 #
 # If your users are using mobile networks and get new IP addresses all the time, this
-# means they have to do a new login each time. This is no big deal at all with 
+# means they have to do a new login each time. This is no big deal at all with
 # Webauthn / FIDO keys anyway and should not be a reason to deactivate this feature.
 #
-# Caution: If you are running behind a reverse proxy which does not provide the 
+# Caution: If you are running behind a reverse proxy which does not provide the
 # X-FORWARDED-FOR header correctly, or you have the PROXY_MODE in this config disabled,
 # this feature will not work. You can validate the IPs for each session in the Admin
 # UI. If these are correct, your setup is okay.
@@ -301,7 +301,7 @@ <h1 id="reference-config"><a class="header" href="#reference-config">Reference C
 # will be DELETED and OVERWRITTEN with a migration from the
 # given database with this variable. Can be used to migrate
 # between different databases.
-# 
+#
 # !!! USE WITH CARE !!!
 #MIGRATE_DB_FROM=sqlite:data/rauthy.db
 
@@ -312,7 +312,7 @@ <h1 id="reference-config"><a class="header" href="#reference-config">Reference C
 ############# E-MAIL ################
 #####################################
 
-# Will be used as the prefix for the E-Mail subject for each E-Mail 
+# Will be used as the prefix for the E-Mail subject for each E-Mail
 # that will be sent out to a client.
 # This can be used to further customize your deployment.
 # default: &quot;Rauthy IAM&quot;
@@ -353,16 +353,16 @@ <h1 id="reference-config"><a class="header" href="#reference-config">Reference C
 
 # The time in ms when to log a warning, if a request waited
 # longer than this time. This is an indicator, that you have
-# more concurrent logins than allowed and may need config 
+# more concurrent logins than allowed and may need config
 # adjustments,
 # if this happens more often. (default: 500)
 #HASH_AWAIT_WARN_TIME=500
 
-# JWKS auto rotate cronjob. This will (by default) rotate 
-# all JWKs every 1. day of the month. If you need smaller 
+# JWKS auto rotate cronjob. This will (by default) rotate
+# all JWKs every 1. day of the month. If you need smaller
 # intervals, you may adjust this value. For security reasons,
 # you cannot fully disable it.
-# In a HA deployment, this job will only be executed on the 
+# In a HA deployment, this job will only be executed on the
 # current cache leader at that time.
 # Format: &quot;sec min hour day_of_month month day_of_week year&quot;
 # default: &quot;0 30 3 1 * * *&quot;
@@ -397,10 +397,8 @@ <h1 id="reference-config"><a class="header" href="#reference-config">Reference C
 # If left empty, no messages will be sent to Slack.
 #EVENT_SLACK_WEBHOOK=
 
-# TODO Matrix
-
-# The notification level for events. Works the same way as a logging level. 
-# For instance: 'notice' means send out a notifications for all events with 
+# The notification level for events. Works the same way as a logging level.
+# For instance: 'notice' means send out a notifications for all events with
 # the info level or higher.
 # Possible values:
 # - info
@@ -415,8 +413,8 @@ <h1 id="reference-config"><a class="header" href="#reference-config">Reference C
 # default: 'notice'
 EVENT_NOTIFY_LEVEL_SLACK=notice
 
-# Define the level from which on events should be persisted inside the 
-# database. All events with a lower level will be lost, if there is no 
+# Define the level from which on events should be persisted inside the
+# database. All events with a lower level will be lost, if there is no
 # active event subscriber.
 # Possible values:
 # - info
@@ -439,7 +437,7 @@ <h1 id="reference-config"><a class="header" href="#reference-config">Reference C
 # The level for the generated Event after a user has reset its password
 # default: notice
 EVENT_LEVEL_USER_PASSWORD_RESET=notice
-# The level for the generated Event after a user has been given the 
+# The level for the generated Event after a user has been given the
 # 'rauthy_admin' role
 # default: notice
 EVENT_LEVEL_RAUTHY_ADMIN=notice
@@ -449,26 +447,26 @@ <h1 id="reference-config"><a class="header" href="#reference-config">Reference C
 # The level for the generated Event after the JWKS has been rotated
 # default: notice
 EVENT_LEVEL_JWKS_ROTATE=notice
-# The level for the generated Event after DB secrets have been migrated 
+# The level for the generated Event after DB secrets have been migrated
 # to a new key
 # default: notice
 EVENT_LEVEL_SECRETS_MIGRATED=notice
-# The level for the generated Event after a Rauthy instance has been 
+# The level for the generated Event after a Rauthy instance has been
 # started
 # default: info
 EVENT_LEVEL_RAUTHY_START=info
-# The level for the generated Event after a Rauthy entered a healthy 
+# The level for the generated Event after a Rauthy entered a healthy
 # state (again)
 # default: notice
 EVENT_LEVEL_RAUTHY_HEALTHY=notice
-# The level for the generated Event after a Rauthy entered an unhealthy 
+# The level for the generated Event after a Rauthy entered an unhealthy
 #state
 # default: critical
 EVENT_LEVEL_RAUTHY_UNHEALTHY=critical
 # The level for the generated Event after an IP has been blacklisted
 # default: warning
 EVENT_LEVEL_IP_BLACKLISTED=warning
-# The level for the generated Event after certain amounts of false 
+# The level for the generated Event after certain amounts of false
 # logins from an IP
 # default: criticao
 EVENT_LEVEL_FAILED_LOGINS_25=critical

frontend/src/routes/oidc/authorize/+page.svelte

@@ -395,7 +395,7 @@
 
     .errMsg {
         max-width: 15rem;
-        margin: -5px 10px 0 10px;
+        margin: -5px 10px 0 5px;
         color: var(--col-err)
     }
 

migrations/sqlite/12_clients_force_mfa.sql

@@ -1,3 +1,5 @@
+-- modify the clients table and add 'force_mfa'
+
 alter table clients
     rename to clients_old;
 
@@ -65,3 +67,51 @@ select id,
        challenge,
        false as force_mfa
 from clients_old;
+
+-- recreate all tables with foreign keys to clients
+
+-- colors
+alter table colors
+    rename to colors_old;
+
+create table colors
+(
+    client_id varchar(36) not null
+        constraint colors_pk
+            primary key
+        constraint colors_clients_id_fk
+            references clients
+            on update cascade
+            on delete cascade,
+    data      blob not null
+);
+
+insert into colors(client_id, data)
+select client_id, data
+from colors_old;
+
+-- logos
+alter table logos
+    rename to logos_old;
+
+create table logos
+(
+    client_id varchar(36) not null
+        constraint logos_pk
+            primary key
+        constraint logos_clients_id_fk
+            references clients
+            on update cascade
+            on delete cascade,
+    data     blob not null
+);
+
+insert into logos(client_id, data)
+select client_id, data
+from logos_old;
+
+-- finally, drop all the old tables
+
+drop table colors_old;
+drop table logos_old;
+drop table clients_old;

rauthy-book/src/config/config.md

@@ -243,13 +243,14 @@ JWK_AUTOROTATE_CRON="0 30 3 1 * * *"
 #EVENT_MATRIX_ROOM_ID=
 #EVENT_MATRIX_ACCESS_TOKEN=
 #EVENT_MATRIX_USER_PASSWORD=
+# May be set to disable the TLS validation for the Matrix client.
+# default: false
+#EVENT_MATRIX_DANGER_DISABLE_TLS_VALIDATION=false
 
 # The Webhook for Slack Notifications.
 # If left empty, no messages will be sent to Slack.
 #EVENT_SLACK_WEBHOOK=
 
-# TODO Matrix
-
 # The notification level for events. Works the same way as a logging level. 
 # For instance: 'notice' means send out a notifications for all events with 
 # the info level or higher.

rauthy-main/src/logging.rs

@@ -19,7 +19,10 @@ pub fn setup_logging() -> tracing::Level {
         "trace" => Level::TRACE,
         _ => panic!("Log Level must be one of the following: error, warn, info, debug, trace"),
     };
-    let filter = format!("{},async_nats=info,hyper=info", log_level.as_str());
+    let filter = format!(
+        "{},async_nats=info,hyper=info,matrix_sdk_crypto=error",
+        log_level.as_str()
+    );
     env::set_var("RUST_LOG", &filter);
     if log_level == Level::TRACE {
         env::set_var("RUST_BACKTRACE", "1");

rauthy-models/src/entity/api_keys.rs

@@ -7,11 +7,11 @@ use rauthy_common::utils::{decrypt, encrypt, get_rand};
 use redhac::{cache_del, cache_get, cache_get_from, cache_get_value, cache_put};
 use ring::digest;
 use serde::{Deserialize, Serialize};
-use sqlx::{query, query_as};
+use sqlx::{query, query_as, FromRow};
 use tracing::error;
 use utoipa::ToSchema;
 
-#[derive(Debug, Clone, Serialize, Deserialize)]
+#[derive(Debug, Clone, Serialize, Deserialize, FromRow)]
 pub struct ApiKeyEntity {
     pub name: String,
     pub secret: Vec<u8>,

rauthy-models/src/events/notifier.rs

@@ -105,7 +105,6 @@ impl EventNotifier {
         }
 
         // Matrix
-        // Matrix setup
         if let Ok(user_id) = env::var("EVENT_MATRIX_USER_ID") {
             let level = env::var("EVENT_NOTIFY_LEVEL_MATRIX")
                 .map(|level| {
@@ -125,8 +124,19 @@ impl EventNotifier {
                 panic!("Specific one of: EVENT_MATRIX_ACCESS_TOKEN or EVENT_MATRIX_USER_PASSWORD");
             }
 
-            let notifier =
-                NotifierMatrix::try_new(&user_id, &room_id, access_token, user_password).await?;
+            let disable_tls_validation = env::var("EVENT_MATRIX_DANGER_DISABLE_TLS_VALIDATION")
+                .unwrap_or_else(|_| "false".to_string())
+                .parse::<bool>()
+                .expect("Cannot parse EVENT_MATRIX_DANGER_DISABLE_TLS_VALIDATION to bool");
+
+            let notifier = NotifierMatrix::try_new(
+                &user_id,
+                &room_id,
+                access_token,
+                user_password,
+                disable_tls_validation,
+            )
+            .await?;
             NOTIFIER_MATRIX
                 .set((level.value(), notifier))
                 .expect("init_notifiers should only be called once");

rauthy-models/src/migration/db_migrate.rs

@@ -1,4 +1,21 @@
+use actix_web::web;
+use argon2::password_hash::SaltString;
+use argon2::{Algorithm, Argon2, Params, PasswordHasher, Version};
+use jwt_simple::algorithms::{
+    Ed25519KeyPair, EdDSAKeyPairLike, RS256KeyPair, RS384KeyPair, RS512KeyPair, RSAKeyPairLike,
+};
+use rand_core::OsRng;
+use sqlx::Row;
+use time::OffsetDateTime;
+use tracing::{debug, info};
+
+use rauthy_common::constants::{ADMIN_FORCE_MFA, DB_TYPE, DEV_MODE};
+use rauthy_common::error_response::ErrorResponse;
+use rauthy_common::utils::{encrypt, get_rand};
+use rauthy_common::DbType;
+
 use crate::app_state::DbPool;
+use crate::entity::api_keys::ApiKeyEntity;
 use crate::entity::clients::Client;
 use crate::entity::colors::ColorEntity;
 use crate::entity::config::ConfigEntity;
@@ -13,20 +30,6 @@ use crate::entity::sessions::Session;
 use crate::entity::user_attr::{UserAttrConfigEntity, UserAttrValueEntity};
 use crate::entity::users::User;
 use crate::entity::webauthn::PasskeyEntity;
-use actix_web::web;
-use argon2::password_hash::SaltString;
-use argon2::{Algorithm, Argon2, Params, PasswordHasher, Version};
-use jwt_simple::algorithms::{
-    Ed25519KeyPair, EdDSAKeyPairLike, RS256KeyPair, RS384KeyPair, RS512KeyPair, RSAKeyPairLike,
-};
-use rand_core::OsRng;
-use rauthy_common::constants::{ADMIN_FORCE_MFA, DB_TYPE, DEV_MODE};
-use rauthy_common::error_response::ErrorResponse;
-use rauthy_common::utils::{encrypt, get_rand};
-use rauthy_common::DbType;
-use sqlx::Row;
-use time::OffsetDateTime;
-use tracing::{debug, info};
 
 pub async fn anti_lockout(db: &DbPool, issuer: &str) -> Result<(), ErrorResponse> {
     debug!("Executing anti_lockout_check");
@@ -283,6 +286,27 @@ pub async fn migrate_from_sqlite(
         .await?;
     }
 
+    // API KEYS
+    let before = sqlx::query_as::<_, ApiKeyEntity>("SELECT * FROM api_keys")
+        .fetch_all(&db_from)
+        .await?;
+    sqlx::query!("DELETE FROM api_keys").execute(db_to).await?;
+    for b in before {
+        sqlx::query(
+            r#"INSERT INTO
+            api_keys (name, secret, created, expires, enc_key_id, access)
+            VALUES ($1, $2, $3, $4, $5, $6)"#,
+        )
+        .bind(b.name)
+        .bind(b.secret)
+        .bind(b.created)
+        .bind(b.expires)
+        .bind(b.enc_key_id)
+        .bind(b.access)
+        .execute(db_to)
+        .await?;
+    }
+
     // USERS
     let before = sqlx::query_as::<_, User>("select * from users")
         .fetch_all(&db_from)
@@ -636,6 +660,27 @@ pub async fn migrate_from_postgres(
         .await?;
     }
 
+    // API KEYS
+    let before = sqlx::query_as::<_, ApiKeyEntity>("SELECT * FROM api_keys")
+        .fetch_all(&db_from)
+        .await?;
+    sqlx::query!("DELETE FROM api_keys").execute(db_to).await?;
+    for b in before {
+        sqlx::query(
+            r#"INSERT INTO
+            api_keys (name, secret, created, expires, enc_key_id, access)
+            VALUES ($1, $2, $3, $4, $5, $6)"#,
+        )
+        .bind(b.name)
+        .bind(b.secret)
+        .bind(b.created)
+        .bind(b.expires)
+        .bind(b.enc_key_id)
+        .bind(b.access)
+        .execute(db_to)
+        .await?;
+    }
+
     // USERS
     let before = sqlx::query_as::<_, User>("select * from rauthy.users")
         .fetch_all(&db_from)

rauthy-notify/src/lib.rs

@@ -71,7 +71,9 @@ impl Notification {
                 .timeout(Duration::from_secs(10))
                 .user_agent(format!("Rauthy v{} Notifier", RAUTHY_VERSION))
                 .min_tls_version(tls::Version::TLS_1_2)
-                .pool_idle_timeout(Duration::from_secs(300))
+                .pool_idle_timeout(Duration::from_secs(600))
+                .http2_keep_alive_while_idle(true)
+                // TODO impl config var to add private CA and disable TLS verify
                 .build()
                 .unwrap()
         })