mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-23 20:47:01 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add access control allowing all persons to read oauth2 applications. (#1136)

Browse source
This commit is contained in:
Firstyear 2022-10-19 12:17:41 +10:00 committed by GitHub
parent c7179ae2be
commit 02ca657548
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 27 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
kanidmd/lib/src/constants/acp.rs
View file

@ -1265,3 +1265,28 @@ pub const JSON_IDM_HP_ACP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_V1: &str = r#"{
"acp_modify_class": ["service_account", "person"] "acp_modify_class": ["service_account", "person"]
} }
}"#; }"#;
pub const JSON_IDM_ACP_OAUTH2_READ_PRIV_V1: &str = r#"{
"attrs": {
"class": [
"object",
"access_control_profile",
"access_control_search"
],
"name": ["idm_acp_oauth2_read_priv"],
"uuid": ["00000000-0000-0000-0000-ffffff000043"],
"description": ["Builtin IDM Control allowing persons to view oauth2 applications they can access"],
"acp_receiver": [
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000035\"]}"
],
"acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"oauth2_resource_server\"]},{\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
],
"acp_search_attr": [
"class",
"displayname",
"oauth2_rs_name",
"oauth2_rs_origin"
]
}
}"#;

1
kanidmd/lib/src/constants/uuids.rs
View file

@ -270,6 +270,7 @@ pub const _UUID_IDM_PEOPLE_SELF_ACP_WRITE_MAIL_V1: Uuid =
uuid!("00000000-0000-0000-0000-ffffff000041"); uuid!("00000000-0000-0000-0000-ffffff000041");
pub const _UUID_IDM_HP_ACP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_V1: Uuid = pub const _UUID_IDM_HP_ACP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_V1: Uuid =
uuid!("00000000-0000-0000-0000-ffffff000042"); uuid!("00000000-0000-0000-0000-ffffff000042");
pub const _UUID_IDM_ACP_OAUTH2_READ_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000043");
// End of system ranges // End of system ranges
pub const UUID_DOES_NOT_EXIST: Uuid = uuid!("00000000-0000-0000-0000-fffffffffffe"); pub const UUID_DOES_NOT_EXIST: Uuid = uuid!("00000000-0000-0000-0000-fffffffffffe");

1
kanidmd/lib/src/server.rs
View file

@ -2806,6 +2806,7 @@ impl<'a> QueryServerWriteTransaction<'a> {
JSON_IDM_ACP_RADIUS_SECRET_READ_PRIV_V1, JSON_IDM_ACP_RADIUS_SECRET_READ_PRIV_V1,
JSON_IDM_ACP_RADIUS_SECRET_WRITE_PRIV_V1, JSON_IDM_ACP_RADIUS_SECRET_WRITE_PRIV_V1,
JSON_IDM_HP_ACP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_V1, JSON_IDM_HP_ACP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_V1,
JSON_IDM_ACP_OAUTH2_READ_PRIV_V1,
]; ];
let res: Result<(), _> = idm_entries let res: Result<(), _> = idm_entries