143 Commits

This Branch

This Branch

All Branches

Author	SHA1	Message	Date
Echo	83a0c29f3d	fix: handle SSO email collision by linking existing local users ... When a user already exists with auth_provider=local and the same email, the SSO callback now links the existing user to the new SSO provider instead of failing with a unique constraint violation on email. Flow: 1) Try exact match (email+auth_provider), 2) If not found, try email-only lookup, 3) If found with different provider, link by updating auth_provider, azure_oid, oidc_sub, 4) If not found, create new user as before.	2026-05-13 18:23:32 +00:00
Echo	d76450759a	fix: add public SSO config endpoint for login page ... The SSO button on the login page was not appearing because the settings API requires authentication, but the login page cannot authenticate before the user logs in. Changes: - Backend: Add GET /api/v1/auth/sso/config public endpoint that returns only enabled, display_name, and auth_url (no secrets exposed) - Backend: Mount sso::public_router() at /api/v1/auth/sso in main.rs (was previously missing - only azure_compat_router was mounted) - Frontend: Replace settingsApi.get() call in LoginPage.tsx with ssoConfigApi.get() which calls the public endpoint - Frontend: Add SsoConfigResponse interface and ssoConfigApi helper to client.ts - Frontend: Use auth_url from config response instead of hardcoded path	2026-05-13 14:53:12 +00:00
Echo	69d2e88bbd	feat: OIDC SSO provider support (Keycloak, Azure AD, custom) ... - Refactored azure_sso.rs to sso.rs with generic OIDC provider support - Added OIDC discovery URL lookup with 1hr TTL caching - Added PKCE for all providers, client_secret optional for public clients - Added /api/v1/auth/sso/login and /api/v1/auth/sso/callback routes - Added /api/v1/auth/azure/* backward-compatible routes - Added POST /settings/sso/discover and POST /settings/sso/test endpoints - Frontend: Provider dropdown (Keycloak/Azure AD/Custom OIDC) - Frontend: Auto-fill discovery URL for Keycloak - Frontend: Discover Endpoints and Test Connection buttons - Frontend: Dynamic SSO button based on provider display name - Made migration 014 idempotent with DO blocks and IF NOT EXISTS - Fixed debian/install to use /usr/local/bin/ for binaries - Fixed frontend file path in .deb package - Reset admin password on dev server - Fixed database permissions for oidc_config table	2026-05-13 13:32:24 +00:00
Echo	e3d8569b05	feat: include notification recipients in SMTP test email	2026-05-13 00:33:41 +00:00
Echo	3b3fd8b689	fix: remove duplicate audit integrity section and consolidate email settings into SMTP	2026-05-13 00:16:20 +00:00
Echo	c8b6b01dbc	fix: resolve settings save failure - boolean type mismatch and improve error messages	2026-05-13 00:07:46 +00:00
Echo	c8b1feee19	fix: make version display dynamic from package.json instead of hardcoded	2026-05-12 23:49:14 +00:00
Echo	010d384c6a	fix: add libfontconfig1-dev to CI workflow for fontconfig build dependency	2026-05-12 23:29:28 +00:00
Echo	1426ecffc2	chore: bump version to 0.1.4	2026-05-12 23:23:43 +00:00
Echo	04abb59961	fix: clarify SMTP vs email notification UX and save-before-test	2026-05-12 23:17:47 +00:00
Echo	9352dc8a02	fix: add libfontconfig1 dependency for plotters TTF font support	2026-05-12 21:25:39 +00:00
Echo	4b5a252fc9	fix: enable plotters TTF font support to prevent PDF chart panics	2026-05-12 21:18:13 +00:00
Echo	65847c6c90	fix: use FontFamily enum for plotters chart captions to prevent font panic	2026-05-12 21:06:49 +00:00
Echo	4c91e02e58	fix: cast compliance_pct to float8 and fix PDF generation crashes	2026-05-12 20:59:21 +00:00
Echo	a1852fd55a	fix: cast compliance_pct to numeric for PostgreSQL ROUND()	2026-05-12 20:10:21 +00:00
Echo	2bbc03b937	fix: resolve 6 reporting issues - SQL schema mismatches, duplicate type, UI dropdown, chart scale, CSV error handling ... 1. Compliance CSV/PDF: Replace non-existent pd.total_packages with jsonb_array_length(pd.installed_packages) and pd.pending_patches with pd.patch_count. Fix GROUP BY to match new columns. 2. Vulnerability CSV/PDF: Replace non-existent pd.cve_data with jsonb_array_elements on pd.available_patches JSONB, extracting cve_ids via nested lateral join. Replace pd.updated_at with pd.polled_at (actual column name). 3. TypeScript: Remove duplicate PollingConfig interface declaration in frontend/src/types/index.ts. 4. ReportsPage: Replace Group ID text field with Select dropdown populated from GET /api/v1/groups, showing group names instead of requiring UUID input. 5. PDF charts: Increase embed_image scale from 0.18 to 0.28 for better visibility on A4 landscape pages. 6. Vulnerability CSV: Remove invalid (no data) comment row on query failure; return header-only CSV instead to maintain valid CSV format.	2026-05-12 19:59:03 +00:00
Echo	4c300087f2	fix: Update build-package.sh VERSION to 0.1.3	2026-05-12 17:40:09 +00:00
Echo	13cabcea77	fix: Replace console.log with console.warn in MfaSetupPage for ESLint	2026-05-12 17:26:49 +00:00
Echo	f04565ead7	style: cargo fmt --all for v0.1.3 SSO changes	2026-05-12 17:14:48 +00:00
Echo	0fb804eefb	fix: Merge duplicate @mui/icons-material import in LoginPage	2026-05-12 17:05:48 +00:00
Echo	86a6c714d4	feat: Complete Azure SSO implementation (v0.1.3) ... - Add SSO session cleanup task (10-min expiry, 60s purge interval) - Change callback to redirect to frontend with tokens as query params - Add sso_callback_url to SecurityConfig with serde default - Add SsoCallbackPage.tsx for handling SSO callback redirects - Add /auth/sso/callback public route to App.tsx - Add Sign in with Microsoft Azure button to LoginPage - Replace insecure decode_jwt_payload with verify_id_token - Implement JWKS caching (1-hour TTL) and RSA signature verification - Validate iss, aud, exp claims on id_token - Add jsonwebtoken dependency to pm-web crate - Update config.example.toml with sso_callback_url setting - Add sso_callback_url to settings response (read-only from TOML)	2026-05-12 17:01:20 +00:00
Echo	08add28b80	fix: eslint-disable for useEffect deps in UsersPage	2026-05-07 19:14:21 +00:00
Echo	cc1214a963	feat: Phase 4 - password validation, force password reset flow, account lockout, QR code for MFA	2026-05-07 17:53:16 +00:00
Echo	b5b975e7e5	feat: Phase 3 - admin user management with edit, password reset, MFA disable, search/filter	2026-05-07 16:38:24 +00:00
Echo	5cf3125a2e	feat: Phase 2 - user profile page with self-service password change and MFA management	2026-05-07 16:32:55 +00:00
Echo	0a70afbbe9	feat: Phase 1 - user/password API extensions and auth route fix	2026-05-07 16:21:53 +00:00
Echo	42392ed9c7	fix: persist auth across refreshes with onFinishHydration and safety timeout	2026-05-07 13:39:14 +00:00
Echo	73df591cd3	fix: persist auth state across page refreshes using onRehydrateStorage	2026-05-07 02:59:09 +00:00
Echo	5e63245f65	fix: add SPA fallback route to prevent F5 refresh crash	2026-05-07 02:23:21 +00:00
Echo	f0bd431779	fix: postinst auto-restart services on upgrade and build-package.sh version sync ... - debian/postinst: auto-restart patch-manager-web and patch-manager-worker on upgrade (not fresh install) - debian/postinst: list pending database migrations after upgrade - scripts/build-package.sh: update debian/control Version from VERSION variable to ensure dpkg handles upgrades correctly - tasks/lessons.md: added lessons about service restarts and version sync	2026-05-07 00:55:34 +00:00
Echo	3ebdedda65	chore: bump version to 0.1.2	2026-05-06 21:43:29 +00:00
Echo	0279caf5d2	feat: add target_host_id to service health checks ... - Add target_host_id column to host_health_checks table (nullable UUID FK) - Allow service checks to query a different host agent - Backend models, API routes, and poller updated - Frontend: host selector dropdown for service checks - Validation: target host must exist and be healthy - FK ON DELETE SET NULL: revert to own host if target deleted	2026-05-06 21:38:42 +00:00
Echo	4889ab5d0a	docs: add ESLint lesson to lessons.md	2026-05-06 17:48:08 +00:00
Echo	8bef562dbc	fix: ESLint errors and update git hooks to include ESLint ... - HostDetailPage.tsx: fix eqeqeq (!= to !==) - HostsPage.tsx: merge duplicate @mui/icons-material imports - PatchDeploymentPage.tsx: merge duplicate @mui/icons-material imports - pre-commit hook: add ESLint check - pre-push hook: add ESLint check	2026-05-06 17:46:10 +00:00
Echo	6481899cb5	chore: bump version to 0.1.1	2026-05-06 16:27:15 +00:00
Echo	0e9cb1c915	fix: add HealthCheckListResponse type to match API response structure ... - Added HealthCheckListResponse type { checks: [...], total: number } - Updated healthChecksApi.list() return type to HealthCheckListResponse - Fixed HostDetailPage to use res.data?.checks instead of Array.isArray - Added Target column to health checks table - Added git pre-commit/pre-push hooks to prevent format CI failures - Updated lessons.md	2026-05-06 16:18:29 +00:00
Echo	12d640e5de	style: cargo fmt --all to fix CI format check	2026-05-06 03:57:01 +00:00
Echo	3d9b2d4917	fix: health checks list not showing - API returns {checks:[...]} not array ... - Fixed data extraction: use res.data?.checks instead of Array.isArray(res.data) - Added Target column to health checks table showing service_name or URL - Matches the pattern used by maintenance windows (res.data?.windows)	2026-05-06 03:51:40 +00:00
Echo	00cdadafce	fix: use host() to strip CIDR mask from inet column in cert IP SANs ... The ip_address column is PostgreSQL inet type. When cast to text (ip_address::text), it includes the CIDR mask (e.g., 192.168.0.166/32). Rust IpAddr::parse() fails on CIDR notation, so the IP SAN was silently skipped in server certificates. Fix: use host(ip_address) in SQL queries to strip the CIDR mask, returning just the IP address (e.g., 192.168.0.166). Affected endpoints: - POST /hosts/:id/certificates (issue_client_cert) - POST /hosts/:id/certificates/reissue (reissue_host_cert)	2026-05-06 03:03:10 +00:00
Echo	ee33ba5740	feat: setup.sh generates CA-signed web cert instead of self-signed ... - Generate internal CA (ECDSA P-256, 10-year validity) if not present - Sign web server cert with internal CA (1-year validity) - Add SANs for hostname, short hostname, localhost, and host IP - Add EKU: serverAuth to web cert - pm-ca will load existing CA on startup - Simplify host cert section to only show agent deployment files	2026-05-06 02:08:01 +00:00
Echo	812b23d2d0	fix: simplify host cert section to only show agent deployment files ... - Remove client cert/key from KeyDisplayDialog on host detail page - Bundle download now only contains ca.crt, server.crt, server.key - Rename bundle to {hostname}-agent-certs.zip - Remove standalone client cert download button - Update dialog title and warning text - The main Certificates page still has all certs available	2026-05-06 01:58:32 +00:00
Echo	5914c9b297	feat: all-inclusive agent cert bundle - server cert + client cert + CA root in one issuance	2026-05-06 01:29:25 +00:00
Echo	aa0cb9ab3c	feat: cert bundle download with CA root, re-issue endpoint, and enhanced cert UI	2026-05-05 23:06:48 +00:00
Echo	d59597b732	feat: add Issue Certificate button and dialog to HostDetailPage	2026-05-05 21:23:49 +00:00
Echo	1aa90c7eb0	fix: add host creation form for Add Host button	2026-05-05 20:48:14 +00:00
Echo	0cfe8ba891	fix: job completion stuck in running - NULL output and status type mismatch ... Bug 1: status.output.as_deref() passes NULL when agent returns no output, but patch_job_hosts.output has NOT NULL constraint. Fix: use .unwrap_or("") to default to empty string. Bug 2: sync_job_status passes String to job_status enum column, PostgreSQL rejects implicit text-to-enum cast. Fix: add ::job_status cast in SQL UPDATE queries.	2026-05-05 20:16:26 +00:00
Echo	91c82735d1	fix: ServiceStatusData deserialization, audit_action enum, and agent HTTP client ... - Fix ServiceStatusData to match agent response (active_state, sub_state, etc.) - Add migration 009 for health_check audit_action enum values - Fix build_agent_http_client: use rustls TLS with mTLS instead of danger_accept_invalid_certs - Add detailed error logging for agent HTTP client builder	2026-05-05 15:47:01 +00:00
Echo	c51b48f7b0	fix: ServiceStatusData deserialization mismatch with agent response ... Manager expected fields: name, status, healthy, uptime_secs Agent actually returns: name, display_name, active_state, sub_state, load_state, enabled_state, main_pid, healthy Updated ServiceStatusData to match agent response format. Updated health_check_poller.rs to use new field names.	2026-05-05 15:13:41 +00:00
Echo	6eeedb1793	fix: health_check_status SQL subquery in hosts API ... - Fixed broken SQL in hosts.rs that was using Python string replacement instead of proper CASE expression for health_check_status - Added serde default for health_check_poll_interval_secs config - Fixed missing AgentClient import in health_check_poller.rs - Added /etc/patch-manager/keys to systemd ReadWritePaths - Integration test verified: health check CRUD, service/HTTP checks work	2026-05-05 14:30:16 +00:00
Echo	93828e1976	feat: health check configuration and worker engine (Phase 3+4) ... - Added health_check_poller.rs: periodic service/HTTP health checks - Added pre-patch health gate in job_executor.rs - Added waiting_health_check job status (migration 008) - Added health_check_status to HostSummary and hosts API - Added health check types and API functions to frontend - Added health check UI section to HostDetailPage - Added health check status indicators to HostsPage and PatchDeploymentPage - Added serde default for health_check_poll_interval_secs - Fixed missing AgentClient import in health_check_poller.rs - Fixed missing ws_relay import in main.rs - Fixed missing closing paren in retry_pending_jobs SQL - Added ReadWritePaths for /etc/patch-manager/keys in systemd services	2026-05-05 14:10:37 +00:00