kanidm/server/lib/src/idm/radius.rs

use std::time::Duration;

use kanidm_proto::internal::RadiusAuthToken;
use time::OffsetDateTime;
use uuid::Uuid;

use crate::entry::{Entry, EntryCommitted, EntryReduced};
use crate::idm::group::Group;
use crate::prelude::*;

#[derive(Debug, Clone)]
pub(crate) struct RadiusAccount {
    pub name: String,
    pub displayname: String,
    pub uuid: Uuid,
    pub groups: Vec<Group<()>>,
    pub radius_secret: String,
    pub valid_from: Option<OffsetDateTime>,
    pub expire: Option<OffsetDateTime>,
}

impl RadiusAccount {
    pub(crate) fn try_from_entry_reduced(
        value: &Entry<EntryReduced, EntryCommitted>,
        qs: &mut QueryServerReadTransaction,
    ) -> Result<Self, OperationError> {
        if !value.attribute_equality(Attribute::Class, &EntryClass::Account.into()) {
            return Err(OperationError::MissingClass(ENTRYCLASS_ACCOUNT.into()));
        }

        let radius_secret = value
            .get_ava_single_secret(Attribute::RadiusSecret)
            .ok_or_else(|| OperationError::MissingAttribute(Attribute::RadiusSecret))?
            .to_string();

        let name = value
            .get_ava_single_iname(Attribute::Name)
            .map(|s| s.to_string())
            .ok_or_else(|| OperationError::MissingAttribute(Attribute::Name))?;

        let uuid = value.get_uuid();

        let displayname = value
            .get_ava_single_utf8(Attribute::DisplayName)
            .map(|s| s.to_string())
            .ok_or_else(|| OperationError::MissingAttribute(Attribute::DisplayName))?;

        let groups = Group::<()>::try_from_account_reduced(value, qs)?;

        let valid_from = value.get_ava_single_datetime(Attribute::AccountValidFrom);

        let expire = value.get_ava_single_datetime(Attribute::AccountExpire);

        Ok(RadiusAccount {
            name,
            displayname,
            uuid,
            groups,
            radius_secret,
            valid_from,
            expire,
        })
    }

    fn is_within_valid_time(&self, ct: Duration) -> bool {
        let cot = OffsetDateTime::UNIX_EPOCH + ct;

        let vmin = if let Some(vft) = &self.valid_from {
            // If current time greater than start time window
            vft < &cot
        } else {
            // We have no time, not expired.
            true
        };
        let vmax = if let Some(ext) = &self.expire {
            // If exp greater than ct then expired.
            &cot < ext
        } else {
            // If not present, we are not expired
            true
        };
        // Mix the results
        vmin && vmax
    }

    pub(crate) fn to_radiusauthtoken(
        &self,
        ct: Duration,
    ) -> Result<RadiusAuthToken, OperationError> {
        if !self.is_within_valid_time(ct) {
            return Err(OperationError::InvalidAccountState(
                "Account Expired".to_string(),
            ));
        }

        // If we don't have access/permission, then just error instead.
        // This includes if we don't have the secret.
        Ok(RadiusAuthToken {
            name: self.name.clone(),
            displayname: self.displayname.clone(),
            uuid: self.uuid.as_hyphenated().to_string(),
            secret: self.radius_secret.clone(),
            groups: self.groups.iter().map(|g| g.to_proto()).collect(),
        })
    }
}
Rework deps (#1079) 2022-10-01 08:08:51 +02:00			`use std::time::Duration;`
17 radius (#123) Majority of radius integration and tooling complete, including docker files. 2019-10-31 01:48:15 +01:00
20240221 2489 cleanup api v1 (#2573) 2024-02-27 10:25:02 +01:00			`use kanidm_proto::internal::RadiusAuthToken;`
Rework deps (#1079) 2022-10-01 08:08:51 +02:00			`use time::OffsetDateTime;`
			`use uuid::Uuid;`
62 idm qs cleanup (#419) 2021-04-25 03:35:02 +02:00
17 radius (#123) Majority of radius integration and tooling complete, including docker files. 2019-10-31 01:48:15 +01:00			`use crate::entry::{Entry, EntryCommitted, EntryReduced};`
Rework deps (#1079) 2022-10-01 08:08:51 +02:00			`use crate::idm::group::Group;`
			`use crate::prelude::*;`
17 radius (#123) Majority of radius integration and tooling complete, including docker files. 2019-10-31 01:48:15 +01:00
			`#[derive(Debug, Clone)]`
			`pub(crate) struct RadiusAccount {`
			`pub name: String,`
			`pub displayname: String,`
			`pub uuid: Uuid,`
Chore: Refactor Groups to be more generic (#3136) 2024-10-25 02:36:20 +02:00			`pub groups: Vec<Group<()>>,`
17 radius (#123) Majority of radius integration and tooling complete, including docker files. 2019-10-31 01:48:15 +01:00			`pub radius_secret: String,`
Account valid-from and expiry (#322) Fixes #59 account policy and lockout. This is achived with a valid_from and expire attribute that are timestamps. Cli tools are added to manage these. 2020-10-10 02:31:51 +02:00			`pub valid_from: Option<OffsetDateTime>,`
			`pub expire: Option<OffsetDateTime>,`
17 radius (#123) Majority of radius integration and tooling complete, including docker files. 2019-10-31 01:48:15 +01:00			`}`

			`impl RadiusAccount {`
			`pub(crate) fn try_from_entry_reduced(`
V large cleanup 2020-08-04 04:58:11 +02:00			`value: &Entry<EntryReduced, EntryCommitted>,`
101 idlcache (#224) Fixes #101, concurrent caching of IDL and Entries. This yields a 10% improvement for test case execution, and 35% for tests run under --release mode. A lot of code around the code base was needed to be touched due to the extra need for mut in some operations and some lifetimes, but the majority of the work was in idl_arc_sqlite.rs, which has the cache layer. There are many performance gains yet to see, but most of those will come through improvement of the concread ARC and it's related BTree implementation. 2020-05-11 13:12:32 +02:00			`qs: &mut QueryServerReadTransaction,`
17 radius (#123) Majority of radius integration and tooling complete, including docker files. 2019-10-31 01:48:15 +01:00			`) -> Result<Self, OperationError> {`
Cinco de yakko (#2108) * there are always more yaks * see? ldap yaks. * fixing stupid radius container build thing 2023-09-16 04:11:06 +02:00			`if !value.attribute_equality(Attribute::Class, &EntryClass::Account.into()) {`
Make good on some TechDebt (#3084) adds MissingClass & MissingAttribute OperationError kinds to more strongly type our error messages. 2024-10-03 02:48:28 +02:00			`return Err(OperationError::MissingClass(ENTRYCLASS_ACCOUNT.into()));`
17 radius (#123) Majority of radius integration and tooling complete, including docker files. 2019-10-31 01:48:15 +01:00			`}`

			`let radius_secret = value`
Cinco de yakko (#2108) * there are always more yaks * see? ldap yaks. * fixing stupid radius container build thing 2023-09-16 04:11:06 +02:00			`.get_ava_single_secret(Attribute::RadiusSecret)`
Make good on some TechDebt (#3084) adds MissingClass & MissingAttribute OperationError kinds to more strongly type our error messages. 2024-10-03 02:48:28 +02:00			`.ok_or_else(\|\| OperationError::MissingAttribute(Attribute::RadiusSecret))?`
17 radius (#123) Majority of radius integration and tooling complete, including docker files. 2019-10-31 01:48:15 +01:00			`.to_string();`

260 entry ava interfaces (#271) Fixes #260 fixes #257 fixes #157. This is really a set of cleanups around the code base to minimise clones, choose better datastructures for specific tasks, improve the ability to pass references in certain calls and more. Generally this just makes everything a bit smoother, and really has big gains on the write path (it's about 20% faster now). 2020-06-24 13:17:46 +02:00			`let name = value`
Cinco de yakko (#2108) * there are always more yaks * see? ldap yaks. * fixing stupid radius container build thing 2023-09-16 04:11:06 +02:00			`.get_ava_single_iname(Attribute::Name)`
260 entry ava interfaces (#271) Fixes #260 fixes #257 fixes #157. This is really a set of cleanups around the code base to minimise clones, choose better datastructures for specific tasks, improve the ability to pass references in certain calls and more. Generally this just makes everything a bit smoother, and really has big gains on the write path (it's about 20% faster now). 2020-06-24 13:17:46 +02:00			`.map(\|s\| s.to_string())`
Make good on some TechDebt (#3084) adds MissingClass & MissingAttribute OperationError kinds to more strongly type our error messages. 2024-10-03 02:48:28 +02:00			`.ok_or_else(\|\| OperationError::MissingAttribute(Attribute::Name))?;`
17 radius (#123) Majority of radius integration and tooling complete, including docker files. 2019-10-31 01:48:15 +01:00
At some point, you have to pay for your tech debt. (#759) This replaces the unmaintained serde_cbor with serde_json in both db and IPC contexts. It changes the database on disk format to align better to how we structure values in memory making it faster to load entries when they aren't cached. And this breaks down the horrible ValueSet enum to dyn trait types, which has a huge performance improvement to the server. 2022-05-24 02:49:34 +02:00			`let uuid = value.get_uuid();`
17 radius (#123) Majority of radius integration and tooling complete, including docker files. 2019-10-31 01:48:15 +01:00
260 entry ava interfaces (#271) Fixes #260 fixes #257 fixes #157. This is really a set of cleanups around the code base to minimise clones, choose better datastructures for specific tasks, improve the ability to pass references in certain calls and more. Generally this just makes everything a bit smoother, and really has big gains on the write path (it's about 20% faster now). 2020-06-24 13:17:46 +02:00			`let displayname = value`
Cinco de yakko (#2108) * there are always more yaks * see? ldap yaks. * fixing stupid radius container build thing 2023-09-16 04:11:06 +02:00			`.get_ava_single_utf8(Attribute::DisplayName)`
260 entry ava interfaces (#271) Fixes #260 fixes #257 fixes #157. This is really a set of cleanups around the code base to minimise clones, choose better datastructures for specific tasks, improve the ability to pass references in certain calls and more. Generally this just makes everything a bit smoother, and really has big gains on the write path (it's about 20% faster now). 2020-06-24 13:17:46 +02:00			`.map(\|s\| s.to_string())`
Make good on some TechDebt (#3084) adds MissingClass & MissingAttribute OperationError kinds to more strongly type our error messages. 2024-10-03 02:48:28 +02:00			`.ok_or_else(\|\| OperationError::MissingAttribute(Attribute::DisplayName))?;`
17 radius (#123) Majority of radius integration and tooling complete, including docker files. 2019-10-31 01:48:15 +01:00
Chore: Refactor Groups to be more generic (#3136) 2024-10-25 02:36:20 +02:00			`let groups = Group::<()>::try_from_account_reduced(value, qs)?;`
17 radius (#123) Majority of radius integration and tooling complete, including docker files. 2019-10-31 01:48:15 +01:00
Cinco de yakko (#2108) * there are always more yaks * see? ldap yaks. * fixing stupid radius container build thing 2023-09-16 04:11:06 +02:00			`let valid_from = value.get_ava_single_datetime(Attribute::AccountValidFrom);`
Account valid-from and expiry (#322) Fixes #59 account policy and lockout. This is achived with a valid_from and expire attribute that are timestamps. Cli tools are added to manage these. 2020-10-10 02:31:51 +02:00
Cinco de yakko (#2108) * there are always more yaks * see? ldap yaks. * fixing stupid radius container build thing 2023-09-16 04:11:06 +02:00			`let expire = value.get_ava_single_datetime(Attribute::AccountExpire);`
Account valid-from and expiry (#322) Fixes #59 account policy and lockout. This is achived with a valid_from and expire attribute that are timestamps. Cli tools are added to manage these. 2020-10-10 02:31:51 +02:00
17 radius (#123) Majority of radius integration and tooling complete, including docker files. 2019-10-31 01:48:15 +01:00			`Ok(RadiusAccount {`
Address clippy reports attending to #![deny(warnings)] 2020-01-09 11:07:14 +01:00			`name,`
			`displayname,`
making 📎 slightly happier (#551) 2021-08-02 02:54:55 +02:00			`uuid,`
Address clippy reports attending to #![deny(warnings)] 2020-01-09 11:07:14 +01:00			`groups,`
			`radius_secret,`
Account valid-from and expiry (#322) Fixes #59 account policy and lockout. This is achived with a valid_from and expire attribute that are timestamps. Cli tools are added to manage these. 2020-10-10 02:31:51 +02:00			`valid_from,`
			`expire,`
17 radius (#123) Majority of radius integration and tooling complete, including docker files. 2019-10-31 01:48:15 +01:00			`})`
			`}`

Account valid-from and expiry (#322) Fixes #59 account policy and lockout. This is achived with a valid_from and expire attribute that are timestamps. Cli tools are added to manage these. 2020-10-10 02:31:51 +02:00			`fn is_within_valid_time(&self, ct: Duration) -> bool {`
Time travelling (#1648) * yeet the time package into the future (updating min time version to 0.3.21) * CI change to catch web ui builds in future, updating SCIM requirements * removing allow deprecated flag * making references to rfc3339 formatter shorter * clippyisms * fmt 2023-05-25 00:25:16 +02:00			`let cot = OffsetDateTime::UNIX_EPOCH + ct;`
Account valid-from and expiry (#322) Fixes #59 account policy and lockout. This is achived with a valid_from and expire attribute that are timestamps. Cli tools are added to manage these. 2020-10-10 02:31:51 +02:00
			`let vmin = if let Some(vft) = &self.valid_from {`
Spell checking and stuff (#1314) * codespell run and spelling fixes * some clippying * minor fmt fix * making yamllint happy * adding codespell github action 2023-01-10 04:50:53 +01:00			`// If current time greater than start time window`
Account valid-from and expiry (#322) Fixes #59 account policy and lockout. This is achived with a valid_from and expire attribute that are timestamps. Cli tools are added to manage these. 2020-10-10 02:31:51 +02:00			`vft < &cot`
			`} else {`
			`// We have no time, not expired.`
			`true`
			`};`
			`let vmax = if let Some(ext) = &self.expire {`
			`// If exp greater than ct then expired.`
			`&cot < ext`
			`} else {`
			`// If not present, we are not expired`
			`true`
			`};`
			`// Mix the results`
			`vmin && vmax`
			`}`

			`pub(crate) fn to_radiusauthtoken(`
			`&self,`
			`ct: Duration,`
			`) -> Result<RadiusAuthToken, OperationError> {`
			`if !self.is_within_valid_time(ct) {`
			`return Err(OperationError::InvalidAccountState(`
			`"Account Expired".to_string(),`
			`));`
			`}`

17 radius (#123) Majority of radius integration and tooling complete, including docker files. 2019-10-31 01:48:15 +01:00			`// If we don't have access/permission, then just error instead.`
			`// This includes if we don't have the secret.`
			`Ok(RadiusAuthToken {`
			`name: self.name.clone(),`
			`displayname: self.displayname.clone(),`
20220427 dependency updates (#718) 2022-04-27 05:35:26 +02:00			`uuid: self.uuid.as_hyphenated().to_string(),`
17 radius (#123) Majority of radius integration and tooling complete, including docker files. 2019-10-31 01:48:15 +01:00			`secret: self.radius_secret.clone(),`
Address clippy reports attending to #![deny(warnings)] 2020-01-09 11:07:14 +01:00			`groups: self.groups.iter().map(\|g\| g.to_proto()).collect(),`
17 radius (#123) Majority of radius integration and tooling complete, including docker files. 2019-10-31 01:48:15 +01:00			`})`
			`}`
			`}`