Allow reseting account policy values to defaults (#3306)

* Allow reseting account policy values to defaults

This allows the admin CLI to reset account policy values to their
defaults by clearing them. Because of how account policy resolves,
a missing value implies the default.
Firstyear 2024-12-18 17:43:56 +10:00 committed by GitHub
parent 44e7348f3b
commit 1fbbf323fa
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 183 additions and 0 deletions


@ -37,6 +37,14 @@ impl KanidmClient {
.await .await
} }
pub async fn group_account_policy_authsession_expiry_reset(
&self,
id: &str,
) -> Result<(), ClientError> {
self.perform_delete_request(&format!("/v1/group/{}/_attr/authsession_expiry", id))
.await
}
pub async fn group_account_policy_credential_type_minimum_set( pub async fn group_account_policy_credential_type_minimum_set(
&self, &self,
id: &str, id: &str,
@ -61,6 +69,17 @@ impl KanidmClient {
.await .await
} }
pub async fn group_account_policy_password_minimum_length_reset(
&self,
id: &str,
) -> Result<(), ClientError> {
self.perform_delete_request(&format!(
"/v1/group/{}/_attr/auth_password_minimum_length",
id
))
.await
}
pub async fn group_account_policy_privilege_expiry_set( pub async fn group_account_policy_privilege_expiry_set(
&self, &self,
id: &str, id: &str,
@ -73,6 +92,14 @@ impl KanidmClient {
.await .await
} }
pub async fn group_account_policy_privilege_expiry_reset(
&self,
id: &str,
) -> Result<(), ClientError> {
self.perform_delete_request(&format!("/v1/group/{}/_attr/privilege_expiry", id))
.await
}
pub async fn group_account_policy_webauthn_attestation_set( pub async fn group_account_policy_webauthn_attestation_set(
&self, &self,
id: &str, id: &str,
@ -85,6 +112,17 @@ impl KanidmClient {
.await .await
} }
pub async fn group_account_policy_webauthn_attestation_reset(
&self,
id: &str,
) -> Result<(), ClientError> {
self.perform_delete_request(&format!(
"/v1/group/{}/_attr/webauthn_attestation_ca_list",
id
))
.await
}
pub async fn group_account_policy_limit_search_max_results( pub async fn group_account_policy_limit_search_max_results(
&self, &self,
id: &str, id: &str,
@ -97,6 +135,14 @@ impl KanidmClient {
.await .await
} }
pub async fn group_account_policy_limit_search_max_results_reset(
&self,
id: &str,
) -> Result<(), ClientError> {
self.perform_delete_request(&format!("/v1/group/{}/_attr/limit_search_max_results", id))
.await
}
pub async fn group_account_policy_limit_search_max_filter_test( pub async fn group_account_policy_limit_search_max_filter_test(
&self, &self,
id: &str, id: &str,
@ -109,6 +155,17 @@ impl KanidmClient {
.await .await
} }
pub async fn group_account_policy_limit_search_max_filter_test_reset(
&self,
id: &str,
) -> Result<(), ClientError> {
self.perform_delete_request(&format!(
"/v1/group/{}/_attr/limit_search_max_filter_test",
id
))
.await
}
pub async fn group_account_policy_allow_primary_cred_fallback( pub async fn group_account_policy_allow_primary_cred_fallback(
&self, &self,
id: &str, id: &str,
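Review bot: `id` is interpolated into the request path unescaped in all six new `*_reset` methods, e.g. `format!("/v1/group/{}/_attr/authsession_expiry", id)`, so a value containing `/`, `?` or `#` would make the DELETE address a different path than the attribute named in the method. Unless `perform_delete_request`, which is not visible in this section, already encodes the path, the segment should be percent-encoded or such characters rejected before formatting. Several of these calls remove security policy attributes (password minimum length, the WebAuthn attestation CA list), so each method also deserves a doc comment stating the effect, for example `/// Clear auth_password_minimum_length on the group so the account policy default applies.` The `impl KanidmClient` block starts and ends outside the visible hunks.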


@ -12,6 +12,12 @@ impl GroupAccountPolicyOpt {
| GroupAccountPolicyOpt::LimitSearchMaxResults { copt, .. } | GroupAccountPolicyOpt::LimitSearchMaxResults { copt, .. }
| GroupAccountPolicyOpt::LimitSearchMaxFilterTest { copt, .. } | GroupAccountPolicyOpt::LimitSearchMaxFilterTest { copt, .. }
| GroupAccountPolicyOpt::AllowPrimaryCredFallback { copt, .. } | GroupAccountPolicyOpt::AllowPrimaryCredFallback { copt, .. }
| GroupAccountPolicyOpt::ResetWebauthnAttestationCaList { copt, .. }
| GroupAccountPolicyOpt::ResetAuthSessionExpiry { copt, .. }
| GroupAccountPolicyOpt::ResetPasswordMinimumLength { copt, .. }
| GroupAccountPolicyOpt::ResetPrivilegedSessionExpiry { copt, .. }
| GroupAccountPolicyOpt::ResetLimitSearchMaxResults { copt, .. }
| GroupAccountPolicyOpt::ResetLimitSearchMaxFilterTest { copt, .. }
| GroupAccountPolicyOpt::PrivilegedSessionExpiry { copt, .. } => copt.debug, | GroupAccountPolicyOpt::PrivilegedSessionExpiry { copt, .. } => copt.debug,
} }
} }
@ -37,6 +43,19 @@ impl GroupAccountPolicyOpt {
println!("Updated authsession expiry."); println!("Updated authsession expiry.");
} }
} }
GroupAccountPolicyOpt::ResetAuthSessionExpiry { name, copt } => {
let client = copt.to_client(OpType::Write).await;
if let Err(e) = client
.group_account_policy_authsession_expiry_reset(name)
.await
{
handle_client_error(e, copt.output_mode);
} else {
println!("Successfully reset authsession expiry.");
}
}
GroupAccountPolicyOpt::CredentialTypeMinimum { name, value, copt } => { GroupAccountPolicyOpt::CredentialTypeMinimum { name, value, copt } => {
let client = copt.to_client(OpType::Write).await; let client = copt.to_client(OpType::Write).await;
if let Err(e) = client if let Err(e) = client
@ -59,6 +78,17 @@ impl GroupAccountPolicyOpt {
println!("Updated password minimum length."); println!("Updated password minimum length.");
} }
} }
GroupAccountPolicyOpt::ResetPasswordMinimumLength { name, copt } => {
let client = copt.to_client(OpType::Write).await;
if let Err(e) = client
.group_account_policy_password_minimum_length_reset(name)
.await
{
handle_client_error(e, copt.output_mode);
} else {
println!("Successfully reset password minimum length.");
}
}
GroupAccountPolicyOpt::PrivilegedSessionExpiry { name, expiry, copt } => { GroupAccountPolicyOpt::PrivilegedSessionExpiry { name, expiry, copt } => {
let client = copt.to_client(OpType::Write).await; let client = copt.to_client(OpType::Write).await;
if let Err(e) = client if let Err(e) = client
@ -70,6 +100,17 @@ impl GroupAccountPolicyOpt {
println!("Updated privilege session expiry."); println!("Updated privilege session expiry.");
} }
} }
GroupAccountPolicyOpt::ResetPrivilegedSessionExpiry { name, copt } => {
let client = copt.to_client(OpType::Write).await;
if let Err(e) = client
.group_account_policy_privilege_expiry_reset(name)
.await
{
handle_client_error(e, copt.output_mode);
} else {
println!("Successfully reset privilege session expiry.");
}
}
GroupAccountPolicyOpt::WebauthnAttestationCaList { GroupAccountPolicyOpt::WebauthnAttestationCaList {
name, name,
attestation_ca_list_json, attestation_ca_list_json,
@ -85,6 +126,19 @@ impl GroupAccountPolicyOpt {
println!("Updated webauthn attestation CA list."); println!("Updated webauthn attestation CA list.");
} }
} }
GroupAccountPolicyOpt::ResetWebauthnAttestationCaList { name, copt } => {
let client = copt.to_client(OpType::Write).await;
if let Err(e) = client
.group_account_policy_webauthn_attestation_reset(name)
.await
{
handle_client_error(e, copt.output_mode);
} else {
println!("Successfully reset webauthn attestation CA list.");
}
}
GroupAccountPolicyOpt::LimitSearchMaxResults { GroupAccountPolicyOpt::LimitSearchMaxResults {
name, name,
maximum, maximum,
@ -100,6 +154,17 @@ impl GroupAccountPolicyOpt {
println!("Updated search maximum results limit."); println!("Updated search maximum results limit.");
} }
} }
GroupAccountPolicyOpt::ResetLimitSearchMaxResults { name, copt } => {
let client = copt.to_client(OpType::Write).await;
if let Err(e) = client
.group_account_policy_limit_search_max_results_reset(name)
.await
{
handle_client_error(e, copt.output_mode);
} else {
println!("Successfully reset search maximum results limit to default.");
}
}
GroupAccountPolicyOpt::LimitSearchMaxFilterTest { GroupAccountPolicyOpt::LimitSearchMaxFilterTest {
name, name,
maximum, maximum,
@ -115,6 +180,17 @@ impl GroupAccountPolicyOpt {
println!("Updated search maximum filter test limit."); println!("Updated search maximum filter test limit.");
} }
} }
GroupAccountPolicyOpt::ResetLimitSearchMaxFilterTest { name, copt } => {
let client = copt.to_client(OpType::Write).await;
if let Err(e) = client
.group_account_policy_limit_search_max_filter_test_reset(name)
.await
{
handle_client_error(e, copt.output_mode);
} else {
println!("Successfully reset search maximum filter test limit.");
}
}
GroupAccountPolicyOpt::AllowPrimaryCredFallback { name, allow, copt } => { GroupAccountPolicyOpt::AllowPrimaryCredFallback { name, allow, copt } => {
let client = copt.to_client(OpType::Write).await; let client = copt.to_client(OpType::Write).await;
if let Err(e) = client if let Err(e) = client
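Review bot: The success messages of the new `Reset*` arms do not say what state the group is left in, and only the `ResetLimitSearchMaxResults` arm mentions "to default". For `ResetWebauthnAttestationCaList` and `ResetPasswordMinimumLength` the reset removes an enforcement control, so the operator should be told so; going by the subcommand's own help text, something like `println!("Successfully reset webauthn attestation CA list to default; this group's policy no longer restricts passkeys.");` would fit. The error path passes `copt.output_mode` to `handle_client_error`, but the success path always uses a plain `println!`, which may not suit a non-text output mode; the existing "Updated ..." arms appear to do the same. The enclosing match and function begin and end outside these hunks.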


@ -197,6 +197,8 @@ pub enum GroupAccountPolicyOpt {
#[clap(flatten)] #[clap(flatten)]
copt: CommonOpt, copt: CommonOpt,
}, },
/// Set the maximum time for privilege session expiry in seconds. /// Set the maximum time for privilege session expiry in seconds.
#[clap(name = "privilege-expiry")] #[clap(name = "privilege-expiry")]
PrivilegedSessionExpiry { PrivilegedSessionExpiry {
@ -205,6 +207,8 @@ pub enum GroupAccountPolicyOpt {
#[clap(flatten)] #[clap(flatten)]
copt: CommonOpt, copt: CommonOpt,
}, },
/// The WebAuthn attestation CA list that should be enforced /// The WebAuthn attestation CA list that should be enforced
/// on members of this group. Prevents use of passkeys that are /// on members of this group. Prevents use of passkeys that are
/// not in this list. To create this list, use `fido-mds-tool` /// not in this list. To create this list, use `fido-mds-tool`
@ -216,6 +220,7 @@ pub enum GroupAccountPolicyOpt {
#[clap(flatten)] #[clap(flatten)]
copt: CommonOpt, copt: CommonOpt,
}, },
/// Sets the maximum number of entries that may be returned in a /// Sets the maximum number of entries that may be returned in a
/// search operation. /// search operation.
#[clap(name = "limit-search-max-results")] #[clap(name = "limit-search-max-results")]
@ -245,6 +250,51 @@ pub enum GroupAccountPolicyOpt {
#[clap(flatten)] #[clap(flatten)]
copt: CommonOpt, copt: CommonOpt,
}, },
/// Reset the maximum time for session expiry to its default value
#[clap(name = "reset-auth-expiry")]
ResetAuthSessionExpiry {
name: String,
#[clap(flatten)]
copt: CommonOpt,
},
/// Reset the minimum character length of passwords to its default value.
#[clap(name = "reset-password-minimum-length")]
ResetPasswordMinimumLength {
name: String,
#[clap(flatten)]
copt: CommonOpt,
},
/// Reset the maximum time for privilege session expiry to its default value.
#[clap(name = "reset-privilege-expiry")]
ResetPrivilegedSessionExpiry {
name: String,
#[clap(flatten)]
copt: CommonOpt,
},
/// Reset the WebAuthn attestation CA list to its default value
/// allowing any passkey to be used by members of this group.
#[clap(name = "reset-webauthn-attestation-ca-list")]
ResetWebauthnAttestationCaList {
name: String,
#[clap(flatten)]
copt: CommonOpt,
},
/// Reset the searche maxmium results limit to its default value.
#[clap(name = "reset-limit-search-max-results")]
ResetLimitSearchMaxResults {
name: String,
#[clap(flatten)]
copt: CommonOpt,
},
/// Reset the max filter test limit to its default value.
#[clap(name = "reset-limit-search-max-filter-test")]
ResetLimitSearchMaxFilterTest {
name: String,
#[clap(flatten)]
copt: CommonOpt,
},
} }
#[derive(Debug, Subcommand)] #[derive(Debug, Subcommand)]
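Review bot: The doc comment on `ResetLimitSearchMaxResults` has two typos, and because clap derives the `--help` text from these comments they will be shown to administrators; it should read `/// Reset the search maximum results limit to its default value.` The comments on `ResetAuthSessionExpiry` and `ResetWebauthnAttestationCaList` also lack the trailing period that the neighbouring variants use. For the two resets that relax a control (password minimum length and the attestation CA list) the help text would be more useful if it stated the resulting default, as the attestation comment already does. The enum starts above the first hunk of this section.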