
candid's Introduction

Candid Identity service

The Candid server provides a macaroon-based authentication service.

Installation

The easiest way to start using the candid service is with the snap:

snap install candid

The configuration file used by the snap can be found in /var/snap/candid/current/config.yaml.

Development

Requirements

Candid requires go1.11 or later to build. This is available in the go snap:

snap install go

Go will additionally require installing the following packages in order that it can fetch and build candid dependencies:

apt install build-essential bzr git

Source

Get the source from github.com/canonical/candid.

git clone https://github.com/canonical/candid

It is recommended that you check out the source outside of any $GOPATH ($HOME/go by default). If you do wish to check out into a $GOPATH then you will need to set the environment variable GO111MODULE=on.

Testing

The store/mgostore component additionally requires a running mongodb server, which may be on a different system. The location of the mongodb server is given in the MGOCONNECTIONSTRING environment variable; if it is not set, the standard port (27017) on localhost is assumed. To disable testing of store/mgostore completely, set the environment variable MGOTESTDISABLE=1.

The store/sqlstore component additionally requires a running postgresql server, which may be on a different system. The postgresql server to use is specified with the standard postgresql environment variables. To skip the postgresql tests, set the environment variable PGTESTDISABLE=1.

Tests are run by running make check in the root of the source tree. The tests for a single package can be run by running go test in the package directory.

candid's Issues

Macaroon validation timeout quite short

Note: Copied from #170

hatched commented on 13 Nov 2019
It appears that you have to refresh the macaroon token with Candid/USSO every 24h or less. It would be great if we could increase this timeout.

mitechie commented on 13 Nov 2019
Yes please. And do we have to choose UbuntuSSO vs Azure? It went from being a non-interactive relogin process to get a new macaroon to now I have to find/click in the tab that's opened every time I try to juju status jaas for the first time of the day.

alesstimec commented on 14 Nov 2019
#171 increases the timeout to 48 hours, unless somebody has some other number in mind. Looking into the choice thingy.

Candid doesn't seem to let you change login.ubuntu.com user.

Note: copied from #169

mhilton commented on 8 Nov 2019
Whenever you have to re-login with candid you are never prompted to use a different login.ubuntu.com user. This makes it really hard to change user. This needs investigating, as I suspect it's to do with a setting used by candid when redirecting to login.ubuntu.com.

configure TLS is not working as cert verify fails.

Using this https://gist.github.com/cnewcome/1aaa3c3b3298f803b4b9919b92e2bcc0 to configure TLS with candid and rbac, just using focal instead of bionic.
But /snap/bin/canonical-rbac create-candid-agent /root/admin.keys --service-agent-file /root/rbac.agent
Command failed: HTTPSConnectionPool(host='hmaas01.hou.compute.pgs.com', port=8081): Max retries exceeded with url: /v1/u (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
Any inputs would be helpful.

Following are the snap installed.
Name Version Rev Tracking Publisher Notes
candid v1.8.1 799 latest/stable canonical✓ -
canonical-rbac 1.0.2-400-g.6e658ad 224 - canonical✓ -

To work around the issue with postgres, I created a softlink:

ls /etc/postgresql/ -lah
total 20K
drwxr-xr-x 3 postgres postgres 4.0K Aug 11 17:10 .
drwxr-xr-x 120 root root 12K Aug 11 17:04 ..
lrwxrwxrwx 1 root root 2 Aug 11 17:10 10 -> 12
drwxr-xr-x 3 postgres postgres 4.0K Aug 11 17:01 12

I can confirm that ca cert and cert can verify without any issues.

Update version of juju/cmd used

Candid is currently pinned to a very old version of juju/cmd (v0.0.0-20180424151504-9ce53c6f9d00). Please consider updating to v3 of juju/cmd. There are a couple of small API updates required, but it's pretty straightforward.

(This was noticed while working on packaging for Debian and reviewing candid's various dependencies.)

api: allow updating agent metadata

Note: this was copied from #44

rogpeppe commented on 31 Aug 2018
Currently an agent can be associated with metadata like a name at creation time but that can't be changed afterwards. It might be useful to allow that.

albertodonato commented on 26 Sep 2018
Would it be possible to allow updating keys as well?

Candid snap uses weird config location

I installed maas, maas-cli, maas-test-db snaps.
I wanted to use candid too.
I installed candid snap, and tried to use it.

I was expecting that I should be able to configure it via the /var/snap/candid/common/{config.yaml,admin.keys} but it looks like /common/ is only used to store logs.

Instead I had to configure candid via /var/snap/candid/683/{config.yaml,admin.keys} and then restart. It seems odd, because I fear my configuration will be lost upon snap refresh.

Can candid snap be made to use /var/snap/candid/common/{config.yaml,admin.keys} locations?

This is similar to other snaps like e.g. maas-test-db, lxd

Intro to Candid

Note: copied from #136

sjwl commented on 17 Apr 2019
Would be nice if the README at least referenced additional introductory documentation. We're currently using Candid for MAAS RBAC, but it's difficult to understand exactly what Candid does and how it does it better than other options. For example, does Candid compete with Okta or Sailpoint?

TestTokenNotInStore failure with go 1.21

Changes to the context package in go 1.21 are causing TestTokenNotInStore to fail:

=== RUN   TestTokenNotInStore
    ussologin_test.go:122: 
        error:
          cannot handle unexported field at {[]testing.StubCall}[0].Args[0].(context.backgroundCtx).emptyCtx: 
                "context".backgroundCtx
          consider using a custom Comparer; if you control the implementation of type, you can also consider using an Exporter, AllowUnexported, or cmpopts.IgnoreUnexported
        got: 
          []testing.StubCall{
              {
                  FuncName: "GetToken",
                  Args:     {
                      context.backgroundCtx{},
                  },
              },
          }
        want:
          <same as "got">
        stack:
          /build/golang-github-canonical-candid-1.12.2/_build/src/github.com/canonical/candid/candidclient/ussologin/ussologin_test.go:122
            c.Assert(fg.Calls(), qt.DeepEquals, []jt.StubCall{{
                FuncName: "GetToken",
                Args:     []interface{}{ctx},
            }})
        
--- FAIL: TestTokenNotInStore (0.00s)

How to limit usso logins to specific teams?

I would like to use candid. I want to use Ubuntu SSO. I want to limit successful logins only to people who are in a particular team.

How do I do that?

At the moment, any Ubuntu SSO account is good enough to create login, and I don't see a way to limit logins to only people who are in a specific team.

Missing LDAPS support

When trying to set the LDAP identity provider, the LDAPS protocol is not supported and fails to parse.

$ sudo snap logs candid
2023-02-23T00:01:51Z systemd[1]: Started Service for snap application candid.candidsrv.
2023-02-23T00:01:51Z candid.candidsrv[809084]: STOP cannot read configuration: cannot parse "/var/snap/candid/799/config.yaml": cannot unmarshal ldap configuration: unsupported scheme "ldaps"
2023-02-23T00:01:51Z systemd[1]: snap.candid.candidsrv.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
2023-02-23T00:01:51Z systemd[1]: snap.candid.candidsrv.service: Failed with result 'exit-code'.
2023-02-23T00:01:51Z systemd[1]: snap.candid.candidsrv.service: Scheduled restart job, restart counter is at 5.
2023-02-23T00:01:51Z systemd[1]: Stopped Service for snap application candid.candidsrv.
2023-02-23T00:01:51Z systemd[1]: snap.candid.candidsrv.service: Start request repeated too quickly.
2023-02-23T00:01:51Z systemd[1]: snap.candid.candidsrv.service: Failed with result 'exit-code'.
2023-02-23T00:01:51Z systemd[1]: Failed to start Service for snap application candid.candidsrv.

This results in the app quickly hitting the restart counter and needing to manually start and stop the application to get candid working again after editing the config.

To reproduce, copy the default LDAP config from here and replace ldap:// with ldaps://
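The log above shows the config loader stopping at the URL scheme. As an added example (not candid's own config code; the LDAPEndpoint type and its Dial method are assumptions for this illustration), here is a small Go parser that accepts both ldap:// and ldaps://, applies the scheme's default port, and verifies the server certificate for ldaps:// against the system roots:

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/url"
)

// LDAPEndpoint is the parsed form of an identity provider's LDAP URL.
// Hypothetical type for this example, not candid's own config struct.
type LDAPEndpoint struct {
	Host string // host:port, ready for net.Dial / tls.Dial
	Name string // server name used for certificate verification
	TLS  bool   // true for ldaps://
}

// ParseLDAPURL accepts both ldap:// and ldaps:// and fills in the scheme's
// default port. The snap in the issue stops at unsupported scheme "ldaps".
func ParseLDAPURL(raw string) (LDAPEndpoint, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return LDAPEndpoint{}, fmt.Errorf("cannot parse ldap url %q: %v", raw, err)
	}
	ep := LDAPEndpoint{Name: u.Hostname()}
	port := "389"
	switch u.Scheme {
	case "ldap":
	case "ldaps":
		ep.TLS = true
		port = "636"
	default:
		return LDAPEndpoint{}, fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	if ep.Name == "" {
		return LDAPEndpoint{}, fmt.Errorf("missing host in ldap url %q", raw)
	}
	if p := u.Port(); p != "" {
		port = p
	}
	ep.Host = net.JoinHostPort(ep.Name, port)
	return ep, nil
}

// Dial opens the connection. For ldaps:// the certificate is verified
// against the system roots; InsecureSkipVerify is deliberately not set,
// since a plain ldap:// bind already sends the password in clear text.
func (ep LDAPEndpoint) Dial() (net.Conn, error) {
	if !ep.TLS {
		return net.Dial("tcp", ep.Host)
	}
	cfg := &tls.Config{ServerName: ep.Name, MinVersion: tls.VersionTLS12}
	return tls.Dial("tcp", ep.Host, cfg)
}

func main() {
	// Constructed sample URLs; no real directory is contacted here.
	for _, raw := range []string{"ldap://ldap.example.com", "ldaps://ldap.example.com", "ldaps://ldap.example.com:10636"} {
		ep, err := ParseLDAPURL(raw)
		fmt.Printf("%s -> %+v err=%v\n", raw, ep, err)
	}
}
```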

Support for MFA - Yubikey

Does candid have support for webauthn and/or MFA with Yubikeys?

If not, this is a feature to consider.

https://www.yubico.com/authentication-standards/webauthn/

Adding in support for MFA and in particular Yubikeys would add a lot to the user experience.

With a Yubikey, the user would leave the Yubikey in the device and just need to "touch" the device to perform the authentication that comes along with candid through the browser. Adding in an MFA which would require you to enter some PIN or whatever would be a horrible experience with candid (and with juju jimm), as this would drive me mad.

user-open error: exec: "dbus-launch": executable file not found in $PATH

Opening an authorization web page in your browser.
If it does not open, please open this URL:
http://10.0.6.32:8081/login?did=681a4139e0c0ed60fc3e4d039266fdbb117bc35f7eeac3068b3c05a7b70c77d3
user-open error: exec: "dbus-launch": executable file not found in $PATH
Certificate fingerprint: 15a638fba4279da0810b76c8cdea47d6941856e9535da5666c017d68012155fd
ok (y/n)? y
Opening an authorization web page in your browser.
If it does not open, please open this URL:
http://10.0.6.32:8081/login?did=2501ab59324753c76daf99e97e93ff18e6ee9968becf7ad6a8e835c5ecd072dc
user-open error: exec: "dbus-launch": executable file not found in $PATH
Error: cannot get discharge from "http://10.0.6.32:8081": cannot acquire discharge token: cannot wait: cannot wait: rendezvous wait timed out

Ubuntu SSO user with changed username cannot login.

This was originally raised as a juju bug 1888788

I switched my username from ju-jesse to jesse-leonard and the charm store can't recognize my account.

jesse@jesse:~$ juju deploy cs:~jesseleonard/charm-slurmctld-0
ERROR cannot resolve charm URL "cs:~jesseleonard/charm-slurmctld-0": cannot get "/~jesseleonard/charm-slurmctld-0/meta/any?include=id&include=supported-series&include=published": cannot get discharge from "https://api.jujucharms.com/identity": third party refused discharge: cannot discharge: could not determine identity: user ju-jesse not found

No config option to specify CA certificate for mongodb storage backend

This issue was copied in from #38

tytus-kurek commented on 20 Jul 2018
In case the mongodb storage backend is not run locally, it would be good to secure the connection with TLS. However, taking a look into the "store/mgostore/config.go" file shows that at the moment there is no config option to specify the CA certificate which should be used for validation purposes.

fabricematrat commented on 25 Jul 2018
Workaround: Add the certificate to the set of system CA roots.

tytus-kurek commented on 14 Aug 2018
@fabricematrat The workaround you mentioned doesn't work. I suspect this is because the connection is initiated without the counterpart of the CLI "--ssl" switch. Take a look at the following:

root@candid:# mongo mongodb.example.com
MongoDB shell version v3.6.3
connecting to: mongodb://mongodb.example.com:27017/test
2018-08-14T14:39:44.760+0000 I NETWORK [thread1] Socket recv() Connection reset by peer 10.130.194.240:27017
2018-08-14T14:39:44.760+0000 I NETWORK [thread1] SocketException: remote: (NONE):0 error: SocketException socket exception [RECV_ERROR] server [10.130.194.240:27017]
2018-08-14T14:39:44.760+0000 E QUERY [thread1] Error: network error while attempting to run command 'isMaster' on host 'mongodb.example.com:27017' :
connect@src/mongo/shell/mongo.js:251:13
@(connect):1:6
exception: connect failed
root@candid:# mongo mongodb.example.com --ssl
MongoDB shell version v3.6.3
connecting to: mongodb://mongodb.example.com:27017/test
MongoDB server version: 3.6.3
Server has startup warnings:
2018-08-14T14:33:42.205+0000 I STORAGE [initandlisten]
2018-08-14T14:33:42.205+0000 I STORAGE [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
2018-08-14T14:33:42.205+0000 I STORAGE [initandlisten] ** See http://dochub.mongodb.org/core/prodnotes-filesystem
2018-08-14T14:33:43.264+0000 I CONTROL [initandlisten]
2018-08-14T14:33:43.264+0000 I CONTROL [initandlisten] ** WARNING: Access control is not enabled for the database.
2018-08-14T14:33:43.264+0000 I CONTROL [initandlisten] ** Read and write access to data and configuration is unrestricted.
2018-08-14T14:33:43.265+0000 I CONTROL [initandlisten]
2018-08-14T14:33:43.265+0000 I CONTROL [initandlisten]
2018-08-14T14:33:43.265+0000 I CONTROL [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/defrag is 'always'.
2018-08-14T14:33:43.265+0000 I CONTROL [initandlisten] ** We suggest setting it to 'never'
2018-08-14T14:33:43.265+0000 I CONTROL [initandlisten]

Perhaps candid has to be at least aware that SSL is to be used.

Ubuntu SSO backend doesn't respect `http-proxy`

Running Candid in an environment where using a proxy is mandatory to access the outside world, I'm getting login errors (connection refused) trying to reach login.ubuntu.com directly instead of using the configured proxy (http-proxy).

Inclusive naming replacements

Per the replacement wordlist, the following wording needs replacing:

./charm/layer-candid/reactive/candid.py:register_trigger(when='postgres.master.changed',
./charm/layer-candid/reactive/candid.py:    pg = endpoint_from_flag('postgres.master.available')
./charm/layer-candid/reactive/candid.py:            "connection-string": str(pg.master),
./charm/layer-candid/reactive/candid.py:@when('nrpe-external-master.available')

Updating to juju/utils/v3?

Is there a plan to update to juju/utils/v3? Currently candid is on v2, and makes use of utils/debugstatus which was removed in v3. However, it would be nice if candid could update to v3 of juju/utils so it's not stuck on an older version of that library.

Opening an authorization web page in your browser

Is this development targeting desktops and laptops only?
Opening a browser? On headless servers?
So, the mentioned production setting with Mongodb and pgsql means managing and automating hundreds of instances.
So, as admin, do I open a browser on every server, manually connect, and manually fill in the web authentication ...
I suggest, while we are at playing in the browser, adding a Google Captcha and finding the buses and bicycles.

garyburd/go-oauth is archived; update to gomodule/oauth1

Candid currently depends on github.com/garyburd/go-oauth, but that repo has been archived. Please update to depend on the parent repo, github.com/gomodule/oauth1.

(This was noticed while working on packaging for Debian and reviewing candid's various dependencies.)

Move to github.com/go-macaroon-bakery/macaroon-bakery/v3

Currently candid uses gopkg.in to download macaroon-bakery.

As macaroon-bakery has now moved on to using normal go.mod import paths, it means that candid is stuck on the latest version of the module prior to that. That means v3.0.0 from 2021.

This wasn't a huge deal for the downstream users of candid like LXD until now when Go 1.19 is out and being forced to use an old macaroon-bakery because of candid means that we don't get go-macaroon-bakery/macaroon-bakery@ccafaf7 and as a result are completely broken on Go 1.19.

Support Azure Roles for use with Canonical RBAC

When using Azure ADFS as the backend, we'd like to be able to utilize the "roles" provided in the token to populate groups and gate access. The roles are communicated via the token in the same way as groups. We don't mind if these roles show up as "groups" in RBAC, we just would like them consumed so we can assign roles based on them.

I believe for this information to be used by Canonical RBAC, it will first need to be grabbed and parsed by Candid, which is why I'm raising the request here.

Blocked status after relate to postgresql-k8s

Working on microk8s 1.24/stable

The charm is built from the latest master branch.
I still get the blocked status POSTGRESQL_DSN configuration value not set after add-relation with the command juju add-relation candid-k8s:db postgresql-k8s:db

bundle: kubernetes
applications:
  candid-k8s:
    charm: local:candid-k8s-0
    scale: 1
    options:
      admin-agent-public-key: c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSURyVDZSWnpZdlpKL25Pb2ZOMVNIT3hPeWkyVmpSOHozWmR2bjVpNUszZjAgdWJ1bnR1QGppbW0K
      identity-providers: "- type: static                                 \n  name:
        static\n  domain: stimec\n  description: Default identity provider\n  users:\n
        \   admin:\n      name: User One\n      email: admin\n      password: password1\n
        \     groups:\n       - group1\n    user1:\n      name: User Two\n      email:
        user1\n      password: password1\n      groups:\n       - group2\n    my-user:\n
        \     name: User Three\n      email: my-user\n      password: password1\n
        \     groups:\n      - group2"
      location: https://candid.canonical.stimec.net
    constraints: arch=amd64
  postgresql-k8s:
    charm: postgresql-k8s
    channel: edge
    revision: 32
    resources:
      postgresql-image: 27
    scale: 3
    constraints: arch=amd64
    storage:
      pgdata: kubernetes,1,1024M
    trust: true
  tls-certificates-operator:
    charm: tls-certificates-operator
    channel: latest/edge
    revision: 15
    scale: 1
    options:
      ca-common-name: jneo8
      generate-self-signed-certificates: true
    constraints: arch=amd64
relations:
- - tls-certificates-operator:certificates
  - postgresql-k8s:certificates
- - candid-k8s:db
  - postgresql-k8s:db

api: allow updating of agents public keys

Note this was copied in from #43

rogpeppe commented on 31 Aug 2018
Currently an agent can be created but there's no way to change its public keys after creation. That would be useful to do (for example so an agent can rotate its own public keys over time).

Regression when candid is running in a sub-location

According to a quick bisect I did, 99d8505 is breaking Candid for anyone who's not running it at the root of their domain.

In my case, my location is set to https://services.stgraber.org/identity. Any login attempt since that commit immediately fails with Login failed: invalid login state.

Looking at the commit, I suspect the cookie path needs to be updated to take the location into consideration.

@mhilton
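The suspicion above is that the login-state cookie is scoped to the wrong path once the service lives under a prefix. As an added example (not candid's code; the cookie name and helper functions are assumptions), here is how a Go service can derive the cookie Path from its configured location and check, with the RFC 6265 path-match rule, whether the browser would return the cookie on the callback:

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"path"
	"strings"
)

// loginStateCookieName is a hypothetical name for the cookie that ties the
// redirect to the identity provider to the callback that completes login.
const loginStateCookieName = "candid-login-state"

// CookiePathFor derives the cookie Path from the service's configured
// location. Mounted at https://host/identity the cookie must be scoped to
// /identity: a Path that ignores the prefix is never sent back by the
// browser on the callback, and the login fails with "invalid login state".
func CookiePathFor(location string) (string, error) {
	u, err := url.Parse(location)
	if err != nil {
		return "", err
	}
	if u.Scheme == "" || u.Host == "" {
		return "", fmt.Errorf("location %q must be an absolute URL", location)
	}
	return path.Clean("/" + u.Path), nil // "" -> "/", "/identity/" -> "/identity"
}

// LoginStateCookie builds the state cookie for the given location.
func LoginStateCookie(location, state string) (*http.Cookie, error) {
	p, err := CookiePathFor(location)
	if err != nil {
		return nil, err
	}
	return &http.Cookie{
		Name:     loginStateCookieName,
		Value:    state,
		Path:     p,
		Secure:   strings.HasPrefix(location, "https://"),
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode, // still sent on the top-level GET redirect back from the IdP
		MaxAge:   300,                  // one login round trip, not a long-lived session
	}, nil
}

// CookieSentTo applies the RFC 6265 path-match rule: the cookie is sent when
// cookiePath is a prefix of requestPath and the boundary falls on a "/"
// (so /identity matches /identity/login but not /identityx).
func CookieSentTo(cookiePath, requestPath string) bool {
	if cookiePath == requestPath {
		return true
	}
	if !strings.HasPrefix(requestPath, cookiePath) {
		return false
	}
	return strings.HasSuffix(cookiePath, "/") || requestPath[len(cookiePath)] == '/'
}

func main() {
	// Constructed state value; the location is the one quoted in the issue.
	c, err := LoginStateCookie("https://services.stgraber.org/identity", "constructed-state")
	if err != nil {
		panic(err)
	}
	fmt.Printf("Path=%s sent on callback: %v\n", c.Path, CookieSentTo(c.Path, "/identity/login-complete"))
}
```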

FAIL: TestTimeUnmarshalJSON/test2

When building for Debian (golang v1.17.3, not sure if other information would be useful), this test fails due to the error string including backslashes:

=== RUN   TestTimeUnmarshalJSON
=== RUN   TestTimeUnmarshalJSON/test0
=== RUN   TestTimeUnmarshalJSON/test1
=== RUN   TestTimeUnmarshalJSON/test2
    params_test.go:38: 
        error:
          error does not match regexp
        got error:
          e`parsing time "\"yesterday\"" as "\"2006-01-02T15:04:05\"": cannot parse "yesterday\"" as "2006"`
        regexp:
           `parsing time ""yesterday"" as ""2006-01-02T15:04:05"": cannot parse "yesterday"" as "2006"`
        stack:
          /build/golang-github-canonical-candid-1.11.0/_build/src/github.com/canonical/candid/idp/keystone/internal/keystone/params_test.go:38
            c.Assert(err, qt.ErrorMatches, test.expectError)
        
--- FAIL: TestTimeUnmarshalJSON (0.00s)
    --- PASS: TestTimeUnmarshalJSON/test0 (0.00s)
    --- PASS: TestTimeUnmarshalJSON/test1 (0.00s)
    --- FAIL: TestTimeUnmarshalJSON/test2 (0.00s)
FAIL
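The failure above comes from Go 1.17 changing the text of time.ParseError so that inner quotes are escaped. As an added example (not candid's code; the layout is assumed from the test output and the helper names are hypothetical), here is a keystone-style time wrapper together with a check that unwraps the *time.ParseError and asserts on the rejected input rather than matching the message, so the test no longer depends on the exact quoting:

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// keystoneTimeLayout keeps the JSON quotes inside the layout, which is why
// the error text in the issue shows quoted-and-escaped values. Assumed from
// the failing test's output, not copied from candid.
const keystoneTimeLayout = `"2006-01-02T15:04:05"`

// KeystoneTime unmarshals the timestamp format used by the keystone IdP.
type KeystoneTime struct{ time.Time }

func (t *KeystoneTime) UnmarshalJSON(b []byte) error {
	parsed, err := time.Parse(keystoneTimeLayout, string(b))
	if err != nil {
		// %w keeps the *time.ParseError reachable through errors.As.
		return fmt.Errorf("cannot unmarshal keystone time: %w", err)
	}
	t.Time = parsed
	return nil
}

// RejectedValue returns the raw input a *time.ParseError refused, which is a
// stable thing to assert on; the message wording and quoting are not.
func RejectedValue(err error) (string, bool) {
	var pe *time.ParseError
	if errors.As(err, &pe) {
		return pe.Value, true
	}
	return "", false
}

// MessageHasEscapedQuotes reports the Go 1.17+ behaviour that broke the
// regexp in the issue: inner quotes are rendered as \" in the message.
func MessageHasEscapedQuotes(err error) bool {
	return err != nil && strings.Contains(err.Error(), `\"`)
}

func main() {
	var t KeystoneTime
	err := t.UnmarshalJSON([]byte(`"yesterday"`)) // constructed bad input from the issue
	fmt.Println(err)
	v, _ := RejectedValue(err)
	fmt.Printf("rejected input: %s, escaped quotes in message: %v\n", v, MessageHasEscapedQuotes(err))
}
```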

Consolidate use of juju/names library

Currently candid imports both gopkg.in/juju/names.v2 and github.com/juju/names. Can those imports be consolidated to a single variety, such as github.com/juju/names/v4 (the current version of that library)?

(This was noticed while working on packaging for Debian and reviewing candid's various dependencies.)
