Allow reseting account policy values to defaults (#3306)

* Allow reseting account policy values to defaults This allows the admin cli to reset account policy values to defaults by clearing them. Due to how account policy resolves a lack of value implies the default.
2025-02-23 04:27:02 +01:00 · 2024-12-18 17:43:56 +10:00 · 2024-12-18 17:43:56 +10:00 · 1fbbf323fa
parent 44e7348f3b
commit 1fbbf323fa
3 changed files with 183 additions and 0 deletions
--- a/libs/client/src/group.rs
+++ b/libs/client/src/group.rs
@ -37,6 +37,14 @@ impl KanidmClient {
        .await
    }

+    pub async fn group_account_policy_authsession_expiry_reset(
+        &self,
+        id: &str,
+    ) -> Result<(), ClientError> {
+        self.perform_delete_request(&format!("/v1/group/{}/_attr/authsession_expiry", id))
+            .await
+    }
+
    pub async fn group_account_policy_credential_type_minimum_set(
        &self,
        id: &str,
@ -61,6 +69,17 @@ impl KanidmClient {
        .await
    }

+    pub async fn group_account_policy_password_minimum_length_reset(
+        &self,
+        id: &str,
+    ) -> Result<(), ClientError> {
+        self.perform_delete_request(&format!(
+            "/v1/group/{}/_attr/auth_password_minimum_length",
+            id
+        ))
+        .await
+    }
+
    pub async fn group_account_policy_privilege_expiry_set(
        &self,
        id: &str,
@ -73,6 +92,14 @@ impl KanidmClient {
        .await
    }

+    pub async fn group_account_policy_privilege_expiry_reset(
+        &self,
+        id: &str,
+    ) -> Result<(), ClientError> {
+        self.perform_delete_request(&format!("/v1/group/{}/_attr/privilege_expiry", id))
+            .await
+    }
+
    pub async fn group_account_policy_webauthn_attestation_set(
        &self,
        id: &str,
@ -85,6 +112,17 @@ impl KanidmClient {
        .await
    }

+    pub async fn group_account_policy_webauthn_attestation_reset(
+        &self,
+        id: &str,
+    ) -> Result<(), ClientError> {
+        self.perform_delete_request(&format!(
+            "/v1/group/{}/_attr/webauthn_attestation_ca_list",
+            id
+        ))
+        .await
+    }
+
    pub async fn group_account_policy_limit_search_max_results(
        &self,
        id: &str,
@ -97,6 +135,14 @@ impl KanidmClient {
        .await
    }

+    pub async fn group_account_policy_limit_search_max_results_reset(
+        &self,
+        id: &str,
+    ) -> Result<(), ClientError> {
+        self.perform_delete_request(&format!("/v1/group/{}/_attr/limit_search_max_results", id))
+            .await
+    }
+
    pub async fn group_account_policy_limit_search_max_filter_test(
        &self,
        id: &str,
@ -109,6 +155,17 @@ impl KanidmClient {
        .await
    }

+    pub async fn group_account_policy_limit_search_max_filter_test_reset(
+        &self,
+        id: &str,
+    ) -> Result<(), ClientError> {
+        self.perform_delete_request(&format!(
+            "/v1/group/{}/_attr/limit_search_max_filter_test",
+            id
+        ))
+        .await
+    }
+
    pub async fn group_account_policy_allow_primary_cred_fallback(
        &self,
        id: &str,
--- a/tools/cli/src/cli/group/account_policy.rs
+++ b/tools/cli/src/cli/group/account_policy.rs
@ -12,6 +12,12 @@ impl GroupAccountPolicyOpt {
            | GroupAccountPolicyOpt::LimitSearchMaxResults { copt, .. }
            | GroupAccountPolicyOpt::LimitSearchMaxFilterTest { copt, .. }
            | GroupAccountPolicyOpt::AllowPrimaryCredFallback { copt, .. }
+            | GroupAccountPolicyOpt::ResetWebauthnAttestationCaList { copt, .. }
+            | GroupAccountPolicyOpt::ResetAuthSessionExpiry { copt, .. }
+            | GroupAccountPolicyOpt::ResetPasswordMinimumLength { copt, .. }
+            | GroupAccountPolicyOpt::ResetPrivilegedSessionExpiry { copt, .. }
+            | GroupAccountPolicyOpt::ResetLimitSearchMaxResults { copt, .. }
+            | GroupAccountPolicyOpt::ResetLimitSearchMaxFilterTest { copt, .. }
            | GroupAccountPolicyOpt::PrivilegedSessionExpiry { copt, .. } => copt.debug,
        }
    }
@ -37,6 +43,19 @@ impl GroupAccountPolicyOpt {
                    println!("Updated authsession expiry.");
                }
            }
+
+            GroupAccountPolicyOpt::ResetAuthSessionExpiry { name, copt } => {
+                let client = copt.to_client(OpType::Write).await;
+                if let Err(e) = client
+                    .group_account_policy_authsession_expiry_reset(name)
+                    .await
+                {
+                    handle_client_error(e, copt.output_mode);
+                } else {
+                    println!("Successfully reset authsession expiry.");
+                }
+            }
+
            GroupAccountPolicyOpt::CredentialTypeMinimum { name, value, copt } => {
                let client = copt.to_client(OpType::Write).await;
                if let Err(e) = client
@ -59,6 +78,17 @@ impl GroupAccountPolicyOpt {
                    println!("Updated password minimum length.");
                }
            }
+            GroupAccountPolicyOpt::ResetPasswordMinimumLength { name, copt } => {
+                let client = copt.to_client(OpType::Write).await;
+                if let Err(e) = client
+                    .group_account_policy_password_minimum_length_reset(name)
+                    .await
+                {
+                    handle_client_error(e, copt.output_mode);
+                } else {
+                    println!("Successfully reset password minimum length.");
+                }
+            }
            GroupAccountPolicyOpt::PrivilegedSessionExpiry { name, expiry, copt } => {
                let client = copt.to_client(OpType::Write).await;
                if let Err(e) = client
@ -70,6 +100,17 @@ impl GroupAccountPolicyOpt {
                    println!("Updated privilege session expiry.");
                }
            }
+            GroupAccountPolicyOpt::ResetPrivilegedSessionExpiry { name, copt } => {
+                let client = copt.to_client(OpType::Write).await;
+                if let Err(e) = client
+                    .group_account_policy_privilege_expiry_reset(name)
+                    .await
+                {
+                    handle_client_error(e, copt.output_mode);
+                } else {
+                    println!("Successfully reset privilege session expiry.");
+                }
+            }
            GroupAccountPolicyOpt::WebauthnAttestationCaList {
                name,
                attestation_ca_list_json,
@ -85,6 +126,19 @@ impl GroupAccountPolicyOpt {
                    println!("Updated webauthn attestation CA list.");
                }
            }
+
+            GroupAccountPolicyOpt::ResetWebauthnAttestationCaList { name, copt } => {
+                let client = copt.to_client(OpType::Write).await;
+                if let Err(e) = client
+                    .group_account_policy_webauthn_attestation_reset(name)
+                    .await
+                {
+                    handle_client_error(e, copt.output_mode);
+                } else {
+                    println!("Successfully reset webauthn attestation CA list.");
+                }
+            }
+
            GroupAccountPolicyOpt::LimitSearchMaxResults {
                name,
                maximum,
@ -100,6 +154,17 @@ impl GroupAccountPolicyOpt {
                    println!("Updated search maximum results limit.");
                }
            }
+            GroupAccountPolicyOpt::ResetLimitSearchMaxResults { name, copt } => {
+                let client = copt.to_client(OpType::Write).await;
+                if let Err(e) = client
+                    .group_account_policy_limit_search_max_results_reset(name)
+                    .await
+                {
+                    handle_client_error(e, copt.output_mode);
+                } else {
+                    println!("Successfully reset search maximum results limit to default.");
+                }
+            }
            GroupAccountPolicyOpt::LimitSearchMaxFilterTest {
                name,
                maximum,
@ -115,6 +180,17 @@ impl GroupAccountPolicyOpt {
                    println!("Updated search maximum filter test limit.");
                }
            }
+            GroupAccountPolicyOpt::ResetLimitSearchMaxFilterTest { name, copt } => {
+                let client = copt.to_client(OpType::Write).await;
+                if let Err(e) = client
+                    .group_account_policy_limit_search_max_filter_test_reset(name)
+                    .await
+                {
+                    handle_client_error(e, copt.output_mode);
+                } else {
+                    println!("Successfully reset search maximum filter test limit.");
+                }
+            }
            GroupAccountPolicyOpt::AllowPrimaryCredFallback { name, allow, copt } => {
                let client = copt.to_client(OpType::Write).await;
                if let Err(e) = client
--- a/tools/cli/src/opt/kanidm.rs
+++ b/tools/cli/src/opt/kanidm.rs
@ -197,6 +197,8 @@ pub enum GroupAccountPolicyOpt {
        #[clap(flatten)]
        copt: CommonOpt,
    },
+
+
    /// Set the maximum time for privilege session expiry in seconds.
    #[clap(name = "privilege-expiry")]
    PrivilegedSessionExpiry {
@ -205,6 +207,8 @@ pub enum GroupAccountPolicyOpt {
        #[clap(flatten)]
        copt: CommonOpt,
    },
+
+
    /// The WebAuthn attestation CA list that should be enforced
    /// on members of this group. Prevents use of passkeys that are
    /// not in this list. To create this list, use `fido-mds-tool`
@ -216,6 +220,7 @@ pub enum GroupAccountPolicyOpt {
        #[clap(flatten)]
        copt: CommonOpt,
    },
+
    /// Sets the maximum number of entries that may be returned in a
    /// search operation.
    #[clap(name = "limit-search-max-results")]
@ -245,6 +250,51 @@ pub enum GroupAccountPolicyOpt {
        #[clap(flatten)]
        copt: CommonOpt,
    },
+
+    /// Reset the maximum time for session expiry to its default value
+    #[clap(name = "reset-auth-expiry")]
+    ResetAuthSessionExpiry {
+        name: String,
+        #[clap(flatten)]
+        copt: CommonOpt,
+    },
+    /// Reset the minimum character length of passwords to its default value.
+    #[clap(name = "reset-password-minimum-length")]
+    ResetPasswordMinimumLength {
+        name: String,
+        #[clap(flatten)]
+        copt: CommonOpt,
+    },
+    /// Reset the maximum time for privilege session expiry to its default value.
+    #[clap(name = "reset-privilege-expiry")]
+    ResetPrivilegedSessionExpiry {
+        name: String,
+        #[clap(flatten)]
+        copt: CommonOpt,
+    },
+    /// Reset the WebAuthn attestation CA list to its default value
+    /// allowing any passkey to be used by members of this group.
+    #[clap(name = "reset-webauthn-attestation-ca-list")]
+    ResetWebauthnAttestationCaList {
+        name: String,
+        #[clap(flatten)]
+        copt: CommonOpt,
+    },
+    /// Reset the searche maxmium results limit to its default value.
+    #[clap(name = "reset-limit-search-max-results")]
+    ResetLimitSearchMaxResults {
+        name: String,
+        #[clap(flatten)]
+        copt: CommonOpt,
+    },
+    /// Reset the max filter test limit to its default value.
+    #[clap(name = "reset-limit-search-max-filter-test")]
+    ResetLimitSearchMaxFilterTest {
+        name: String,
+        #[clap(flatten)]
+        copt: CommonOpt,
+    },
+
 }

 #[derive(Debug, Subcommand)]