mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-23 20:47:01 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fix domain info to properly version and migrate (#909)

Browse source
This commit is contained in:
Firstyear 2022-07-07 15:58:19 +10:00 committed by GitHub
parent 8b84999640
commit 1d64405387
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 34 additions and 25 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
kanidmd/idm/src/constants/entries.rs
View file

@ -456,7 +456,8 @@ pub const JSON_DOMAIN_INFO_V1: &str = r#"{
"class": ["object", "domain_info", "system"], "class": ["object", "domain_info", "system"],
"name": ["domain_local"], "name": ["domain_local"],
"uuid": ["00000000-0000-0000-0000-ffffff000025"], "uuid": ["00000000-0000-0000-0000-ffffff000025"],
"description": ["This local domain's info and metadata object."] "description": ["This local domain's info and metadata object."],
"version": ["1"]
} }
}"#; }"#;

3
kanidmd/idm/src/constants/schema.rs
View file

@ -1079,7 +1079,8 @@ pub const JSON_SCHEMA_CLASS_DOMAIN_INFO: &str = r#"
"domain_name", "domain_name",
"domain_display_name", "domain_display_name",
"fernet_private_key_str", "fernet_private_key_str",
"es256_private_key_der" "es256_private_key_der",
"version"
], ],
"uuid": [ "uuid": [
"00000000-0000-0000-0000-ffff00000052" "00000000-0000-0000-0000-ffff00000052"

5
kanidmd/idm/src/entry.rs
View file

@ -719,7 +719,10 @@ impl<STATE> Entry<EntryInvalid, STATE> {
}); });
if !missing_must.is_empty() { if !missing_must.is_empty() {
admin_warn!("Validation error, the following required (must) attributes are missing - {:?}", missing_must); admin_warn!(
"Validation error, the following required (must) attributes are missing - {:?}",
missing_must
);
return Err(SchemaError::MissingMustAttribute(missing_must)); return Err(SchemaError::MissingMustAttribute(missing_must));
} }

10
kanidmd/idm/src/idm/server.rs
View file

@ -1690,10 +1690,7 @@ impl<'a> IdmServerProxyWriteTransaction<'a> {
let origin = (&wre.ident.origin).into(); let origin = (&wre.ident.origin).into();
let label = wre.label.clone(); let label = wre.label.clone();
let issuer = self let issuer = self.qs_write.get_domain_display_name().to_string();
.qs_write
.get_domain_display_name()
.to_string();
let (session, mfa_reg_next) = let (session, mfa_reg_next) =
MfaRegSession::webauthn_new(origin, account, label, self.webauthn, issuer)?; MfaRegSession::webauthn_new(origin, account, label, self.webauthn, issuer)?;
@ -1802,10 +1799,7 @@ impl<'a> IdmServerProxyWriteTransaction<'a> {
let origin = (&gte.ident.origin).into(); let origin = (&gte.ident.origin).into();
let issuer = self let issuer = self.qs_write.get_domain_display_name().to_string();
.qs_write
.get_domain_display_name()
.to_string();
let (session, next) = MfaRegSession::totp_new(origin, account, issuer).map_err(|e| { let (session, next) = MfaRegSession::totp_new(origin, account, issuer).map_err(|e| {
admin_error!("Unable to start totp MfaRegSession {:?}", e); admin_error!("Unable to start totp MfaRegSession {:?}", e);

16
kanidmd/idm/src/plugins/domain.rs
View file

@ -77,7 +77,7 @@ impl Plugin for Domain {
} }
fn pre_modify( fn pre_modify(
_qs: &QueryServerWriteTransaction, qs: &QueryServerWriteTransaction,
cand: &mut Vec<Entry<EntryInvalid, EntryCommitted>>, cand: &mut Vec<Entry<EntryInvalid, EntryCommitted>>,
_me: &ModifyEvent, _me: &ModifyEvent,
) -> Result<(), OperationError> { ) -> Result<(), OperationError> {
@ -85,6 +85,20 @@ impl Plugin for Domain {
if e.attribute_equality("class", &PVCLASS_DOMAIN_INFO) if e.attribute_equality("class", &PVCLASS_DOMAIN_INFO)
&& e.attribute_equality("uuid", &PVUUID_DOMAIN_INFO) && e.attribute_equality("uuid", &PVUUID_DOMAIN_INFO)
{ {
// We only apply this if one isn't provided.
if !e.attribute_pres("domain_name") {
let n = Value::new_iname(qs.get_domain_name());
e.set_ava("domain_name", once(n));
trace!("plugin_domain: Applying domain_name transform");
}
// create the domain_display_name if it's missing
if !e.attribute_pres("domain_display_name") {
let domain_display_name = Value::new_utf8(format!("Kanidm {}", qs.get_domain_name()));
security_info!("plugin_domain: setting default domain_display_name to {:?}", domain_display_name);
e.set_ava("domain_display_name", once(domain_display_name));
}
if !e.attribute_pres("fernet_private_key_str") { if !e.attribute_pres("fernet_private_key_str") {
security_info!("regenerating domain token encryption key"); security_info!("regenerating domain token encryption key");
let k = fernet::Fernet::generate_key(); let k = fernet::Fernet::generate_key();

11
kanidmd/idm/src/plugins/protected.rs
View file

@ -204,7 +204,7 @@ mod tests {
], ],
"acp_create_class": ["object", "person", "system", "domain_info"], "acp_create_class": ["object", "person", "system", "domain_info"],
"acp_create_attr": [ "acp_create_attr": [
"name", "class", "description", "displayname", "domain_name", "domain_display_name", "domain_uuid", "domain_ssid", "uuid", "fernet_private_key_str", "es256_private_key_der" "name", "class", "description", "displayname", "domain_name", "domain_display_name", "domain_uuid", "domain_ssid", "uuid", "fernet_private_key_str", "es256_private_key_der", "version"
] ]
} }
}"#; }"#;
@ -343,7 +343,8 @@ mod tests {
"domain_display_name": ["example.net.au"], "domain_display_name": ["example.net.au"],
"domain_ssid": ["Example_Wifi"], "domain_ssid": ["Example_Wifi"],
"fernet_private_key_str": ["ABCD"], "fernet_private_key_str": ["ABCD"],
"es256_private_key_der" : ["MTIz"] "es256_private_key_der" : ["MTIz"],
"version": ["1"]
} }
}"#, }"#,
); );
@ -384,7 +385,8 @@ mod tests {
"domain_display_name": ["example.net.au"], "domain_display_name": ["example.net.au"],
"domain_ssid": ["Example_Wifi"], "domain_ssid": ["Example_Wifi"],
"fernet_private_key_str": ["ABCD"], "fernet_private_key_str": ["ABCD"],
"es256_private_key_der" : ["MTIz"] "es256_private_key_der" : ["MTIz"],
"version": ["1"]
} }
}"#, }"#,
); );
@ -415,7 +417,8 @@ mod tests {
"domain_display_name": ["example.net.au"], "domain_display_name": ["example.net.au"],
"domain_ssid": ["Example_Wifi"], "domain_ssid": ["Example_Wifi"],
"fernet_private_key_str": ["ABCD"], "fernet_private_key_str": ["ABCD"],
"es256_private_key_der" : ["MTIz"] "es256_private_key_der" : ["MTIz"],
"version": ["1"]
} }
}"#, }"#,
); );

11
kanidmd/idm/src/schema.rs
View file

@ -1255,12 +1255,7 @@ impl<'a> SchemaWriteTransaction<'a> {
description: String::from("System metadata object class"), description: String::from("System metadata object class"),
systemmay: vec![], systemmay: vec![],
may: vec![], may: vec![],
systemmust: vec![ systemmust: vec![AttrString::from("version")],
AttrString::from("version"),
// Needed when we implement principalnames?
// String::from("domain"),
// String::from("hostname"),
],
must: vec![], must: vec![],
}, },
); );
@ -1934,9 +1929,7 @@ mod tests {
assert_eq!( assert_eq!(
e_attr_invalid_may.validate(&schema), e_attr_invalid_may.validate(&schema),
Err(SchemaError::AttributeNotValidForClass( Err(SchemaError::AttributeNotValidForClass("zzzzz".to_string()))
"zzzzz".to_string()
))
); );
let e_attr_invalid_syn: Entry<EntryInvalid, EntryNew> = unsafe { let e_attr_invalid_syn: Entry<EntryInvalid, EntryNew> = unsafe {