From 1d644053876d000e4e39f21944c14bcec99e88f8 Mon Sep 17 00:00:00 2001
From: Firstyear
Date: Thu, 7 Jul 2022 15:58:19 +1000
Subject: [PATCH] Fix domain info to properly version and migrate (#909)
---
 kanidmd/idm/src/constants/entries.rs | 3 ++-
 kanidmd/idm/src/constants/schema.rs | 3 ++-
 kanidmd/idm/src/entry.rs | 5 ++++-
 kanidmd/idm/src/idm/server.rs | 10 ++--------
 kanidmd/idm/src/plugins/domain.rs | 16 +++++++++++++++-
 kanidmd/idm/src/plugins/protected.rs | 11 +++++++----
 kanidmd/idm/src/schema.rs | 11 ++---------
 7 files changed, 34 insertions(+), 25 deletions(-)
diff --git a/kanidmd/idm/src/constants/entries.rs b/kanidmd/idm/src/constants/entries.rs
index c20cf2244..d381037b3 100644
--- a/kanidmd/idm/src/constants/entries.rs
+++ b/kanidmd/idm/src/constants/entries.rs
@@ -456,7 +456,8 @@ pub const JSON_DOMAIN_INFO_V1: &str = r#"{
 "class": ["object", "domain_info", "system"],
 "name": ["domain_local"],
 "uuid": ["00000000-0000-0000-0000-ffffff000025"],
- "description": ["This local domain's info and metadata object."]
+ "description": ["This local domain's info and metadata object."],
+ "version": ["1"]
 }
 }"#;
diff --git a/kanidmd/idm/src/constants/schema.rs b/kanidmd/idm/src/constants/schema.rs
index f439dcb2c..2386fa2f9 100644
--- a/kanidmd/idm/src/constants/schema.rs
+++ b/kanidmd/idm/src/constants/schema.rs
@@ -1079,7 +1079,8 @@ pub const JSON_SCHEMA_CLASS_DOMAIN_INFO: &str = r#"
 "domain_name",
 "domain_display_name",
 "fernet_private_key_str",
- "es256_private_key_der"
+ "es256_private_key_der",
+ "version"
 ],
 "uuid": [
 "00000000-0000-0000-0000-ffff00000052"
diff --git a/kanidmd/idm/src/entry.rs b/kanidmd/idm/src/entry.rs
index a1b3ccb5f..74080e66d 100644
--- a/kanidmd/idm/src/entry.rs
+++ b/kanidmd/idm/src/entry.rs
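Review bot: The second hunk on this line adds `version` to the systemmust list of the domain_info class, so schema validation will now reject any domain_info entry that lacks the attribute, and the only value this patch supplies is the `"version": ["1"]` added to the JSON_DOMAIN_INFO_V1 template in the first hunk. Whether an existing database gets that attribute back-filled at startup is not visible here; the domain plugin's pre_modify later in this patch defaults domain_name, domain_display_name and the key material but not version, so it is not the migration path, and an upgraded server could presumably hit MissingMustAttribute on its own domain entry. A comment on the template would help the next person who bumps it: `// "version" is a must attribute of domain_info (see JSON_SCHEMA_CLASS_DOMAIN_INFO); bump it when the entry's shape changes so migrations can key on it.` An upgrade test that loads a domain_info entry without version and then modifies it would pin the migration behaviour either way.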
@@ -719,7 +719,10 @@ impl Entry {
 });
 if !missing_must.is_empty() {
- admin_warn!("Validation error, the following required (must) attributes are missing - {:?}", missing_must);
+ admin_warn!(
+ "Validation error, the following required (must) attributes are missing - {:?}",
+ missing_must
+ );
 return Err(SchemaError::MissingMustAttribute(missing_must));
 }
diff --git a/kanidmd/idm/src/idm/server.rs b/kanidmd/idm/src/idm/server.rs
index 31c319935..11caa990c 100644
--- a/kanidmd/idm/src/idm/server.rs
+++ b/kanidmd/idm/src/idm/server.rs
@@ -1690,10 +1690,7 @@ impl<'a> IdmServerProxyWriteTransaction<'a> {
 let origin = (&wre.ident.origin).into();
 let label = wre.label.clone();
- let issuer = self
- .qs_write
- .get_domain_display_name()
- .to_string();
+ let issuer = self.qs_write.get_domain_display_name().to_string();
 let (session, mfa_reg_next) =
 MfaRegSession::webauthn_new(origin, account, label, self.webauthn, issuer)?;
@@ -1802,10 +1799,7 @@ impl<'a> IdmServerProxyWriteTransaction<'a> {
 let origin = (>e.ident.origin).into();
- let issuer = self
- .qs_write
- .get_domain_display_name()
- .to_string();
+ let issuer = self.qs_write.get_domain_display_name().to_string();
 let (session, next) = MfaRegSession::totp_new(origin, account, issuer).map_err(|e| {
 admin_error!("Unable to start totp MfaRegSession {:?}", e);
diff --git a/kanidmd/idm/src/plugins/domain.rs b/kanidmd/idm/src/plugins/domain.rs
index 51caa0480..824dc6bee 100644
--- a/kanidmd/idm/src/plugins/domain.rs
+++ b/kanidmd/idm/src/plugins/domain.rs
@@ -77,7 +77,7 @@ impl Plugin for Domain {
 }
 fn pre_modify(
- _qs: &QueryServerWriteTransaction,
+ qs: &QueryServerWriteTransaction,
 cand: &mut Vec>,
 _me: &ModifyEvent,
 ) -> Result<(), OperationError> {
@@ -85,6 +85,20 @@ impl Plugin for Domain {
 if e.attribute_equality("class", &PVCLASS_DOMAIN_INFO)
 && e.attribute_equality("uuid", &PVUUID_DOMAIN_INFO)
 {
+ // We only apply this if one isn't provided.
+ if !e.attribute_pres("domain_name") {
+ let n = Value::new_iname(qs.get_domain_name());
+ e.set_ava("domain_name", once(n));
+ trace!("plugin_domain: Applying domain_name transform");
+ }
+ // create the domain_display_name if it's missing
+ if !e.attribute_pres("domain_display_name") {
+ let domain_display_name = Value::new_utf8(format!("Kanidm {}", qs.get_domain_name()));
+ security_info!("plugin_domain: setting default domain_display_name to {:?}", domain_display_name);
+
+ e.set_ava("domain_display_name", once(domain_display_name));
+ }
+
 if !e.attribute_pres("fernet_private_key_str") {
 security_info!("regenerating domain token encryption key");
 let k = fernet::Fernet::generate_key();
diff --git a/kanidmd/idm/src/plugins/protected.rs b/kanidmd/idm/src/plugins/protected.rs
index b23e3b4d6..3d5267de8 100644
--- a/kanidmd/idm/src/plugins/protected.rs
+++ b/kanidmd/idm/src/plugins/protected.rs
@@ -204,7 +204,7 @@ mod tests {
 ],
 "acp_create_class": ["object", "person", "system", "domain_info"],
 "acp_create_attr": [
- "name", "class", "description", "displayname", "domain_name", "domain_display_name", "domain_uuid", "domain_ssid", "uuid", "fernet_private_key_str", "es256_private_key_der"
+ "name", "class", "description", "displayname", "domain_name", "domain_display_name", "domain_uuid", "domain_ssid", "uuid", "fernet_private_key_str", "es256_private_key_der", "version"
 ]
 }
 }"#;
@@ -343,7 +343,8 @@ mod tests {
 "domain_display_name": ["example.net.au"],
 "domain_ssid": ["Example_Wifi"],
 "fernet_private_key_str": ["ABCD"],
- "es256_private_key_der" : ["MTIz"]
+ "es256_private_key_der" : ["MTIz"],
+ "version": ["1"]
 }
 }"#,
 );
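Review bot: The two new defaulting branches in pre_modify log inconsistently: the domain_name default is recorded at `trace!` only after the attribute has been written, while the domain_display_name default is reported with `security_info!` before the write, although domain_name is the value the display name is derived from, and that display name is what server.rs in this same patch hands to the WebAuthn and TOTP registration sessions as the issuer. Silently populating an identity-bearing attribute from server configuration deserves the same visibility, so I would replace the trace line with `security_info!("plugin_domain: setting default domain_name to {:?}", n);` and move it ahead of the `set_ava` call to match the second branch. Both branches also reread `qs.get_domain_name()`; binding it once above the first `if` would make clear they draw from the same source. The body of pre_modify continues past the end of this hunk, into the existing fernet and es256 key regeneration.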
@@ -384,7 +385,8 @@ mod tests {
 "domain_display_name": ["example.net.au"],
 "domain_ssid": ["Example_Wifi"],
 "fernet_private_key_str": ["ABCD"],
- "es256_private_key_der" : ["MTIz"]
+ "es256_private_key_der" : ["MTIz"],
+ "version": ["1"]
 }
 }"#,
 );
@@ -415,7 +417,8 @@ mod tests {
 "domain_display_name": ["example.net.au"],
 "domain_ssid": ["Example_Wifi"],
 "fernet_private_key_str": ["ABCD"],
- "es256_private_key_der" : ["MTIz"]
+ "es256_private_key_der" : ["MTIz"],
+ "version": ["1"]
 }
 }"#,
 );
diff --git a/kanidmd/idm/src/schema.rs b/kanidmd/idm/src/schema.rs
index 8180d3345..e71093adb 100644
--- a/kanidmd/idm/src/schema.rs
+++ b/kanidmd/idm/src/schema.rs
@@ -1255,12 +1255,7 @@ impl<'a> SchemaWriteTransaction<'a> {
 description: String::from("System metadata object class"),
 systemmay: vec![],
 may: vec![],
- systemmust: vec![
- AttrString::from("version"),
- // Needed when we implement principalnames?
- // String::from("domain"),
- // String::from("hostname"),
- ],
+ systemmust: vec![AttrString::from("version")],
 must: vec![],
 },
 );
@@ -1934,9 +1929,7 @@ mod tests {
 assert_eq!(
 e_attr_invalid_may.validate(&schema),
- Err(SchemaError::AttributeNotValidForClass(
- "zzzzz".to_string()
- ))
+ Err(SchemaError::AttributeNotValidForClass("zzzzz".to_string()))
 );
 let e_attr_invalid_syn: Entry = unsafe {