mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-05-20 07:53:55 +02:00
Code Issues Actions10 Packages Projects Releases Wiki Activity

Restrict accounts to just persons

Browse source 
Remove public attr getters on scimentrykanidm
This commit is contained in:
ToxicMushroom 2025-02-21 13:48:43 +01:00
parent 6b917f2683
commit 31bc244ee4
No known key found for this signature in database
7 changed files with 124 additions and 170 deletions

148
proto/src/scim_v1/server.rs
View file

@ -3,7 +3,6 @@ use super::ScimOauth2ClaimMapJoinChar;
use super::ScimSshPublicKey;
use crate::attribute::Attribute;
use crate::internal::UiHint;
use crate::v1::AccountType;
use scim_proto::ScimEntryHeader;
use serde::{Deserialize, Serialize};
use serde_with::{base64, formats, hex::Hex, serde_as, skip_serializing_none};
@ -263,7 +262,6 @@ pub enum ScimValueKanidm {
#[derive(Serialize, Deserialize, Debug, Clone, ToSchema)]
pub struct ScimPerson {
pub uuid: Uuid,
pub account_type: AccountType,
pub name: String,
pub displayname: Option<String>,
pub spn: String,
@ -277,29 +275,64 @@ impl TryFrom<ScimEntryKanidm> for ScimPerson {
type Error = ();
fn try_from(scim_entry: ScimEntryKanidm) -> Result<Self, Self::Error> {
let attr_str = |attr: &Attribute| -> Option<&str> {
match scim_entry.attrs.get(attr) {
Some(ScimValueKanidm::String(inner_string)) => Some(inner_string.as_str()),
Some(sv) => {
debug!("SCIM entry had the {} attribute but it was not a ScimValueKanidm::String type, actual: {:?}", attr, sv);
None
}
None => None,
}
};
let attr_mails = || -> Option<&Vec<ScimMail>> {
match scim_entry.attrs.get(&Attribute::Mail) {
Some(ScimValueKanidm::Mail(inner_string)) => Some(inner_string),
Some(sv) => {
debug!("SCIM entry had the {} attribute but it was not a ScimValueKanidm::Mail type, actual: {:?}", Attribute::Mail, sv);
None
}
None => None,
}
};
let attr_reference = |attr: &Attribute| -> Option<&ScimReference> {
match scim_entry.attrs.get(attr) {
Some(ScimValueKanidm::EntryReference(refer)) => Some(refer),
Some(sv) => {
debug!("SCIM entry had the {} attribute but it was not a ScimValueKanidm::ScimReference type, actual: {:?}", attr, sv);
None
}
None => None,
}
};
let attr_references = |attr: &Attribute| -> Option<&Vec<ScimReference>> {
match scim_entry.attrs.get(attr) {
Some(ScimValueKanidm::EntryReferences(refs)) => Some(refs),
Some(sv) => {
debug!("SCIM entry had the {} attribute but it was not a ScimValueKanidm::EntryReferences type, actual: {:?}", attr, sv);
None
}
None => None,
}
};
let uuid = scim_entry.header.id;
scim_entry.account_type();
let name = scim_entry.attr_str(&Attribute::Name).ok_or(())?.to_string();
let displayname = scim_entry
.attr_str(&Attribute::DisplayName)
.map(|s| s.to_string());
let spn = scim_entry.attr_str(&Attribute::Spn).ok_or(())?.to_string();
let description = scim_entry
.attr_str(&Attribute::Description)
.map(|t| t.to_string());
let mails = scim_entry.attr_mails().cloned().unwrap_or_default();
let groups = scim_entry
.attr_references(&Attribute::DirectMemberOf)
let name = attr_str(&Attribute::Name).ok_or(())?.to_string();
let displayname = attr_str(&Attribute::DisplayName).map(|s| s.to_string());
let spn = attr_str(&Attribute::Spn).ok_or(())?.to_string();
let description = attr_str(&Attribute::Description).map(|t| t.to_string());
let mails = attr_mails().cloned().unwrap_or_default();
let groups = attr_references(&Attribute::DirectMemberOf)
.cloned()
.unwrap_or(vec![]);
let managed_by = scim_entry
.attr_reference(&Attribute::EntryManagedBy)
.cloned();
let managed_by = attr_reference(&Attribute::EntryManagedBy).cloned();
Ok(ScimPerson {
uuid,
account_type: AccountType::Person,
name,
displayname,
spn,
@ -311,85 +344,6 @@ impl TryFrom<ScimEntryKanidm> for ScimPerson {
}
}
impl ScimEntryKanidm {
pub fn account_type(&self) -> Option<AccountType> {
match self.attrs.get(&Attribute::Class) {
Some(ScimValueKanidm::ArrayString(classes)) => {
if classes.contains(&format!("{}", AccountType::Person)) {
Some(AccountType::Person)
} else if classes.contains(&format!("{}", AccountType::ServiceAccount)) {
Some(AccountType::ServiceAccount)
} else {
None
}
}
Some(sv) => {
debug!("SCIM entry had the Attribute::Class attribute but it was not a ScimValueKanidm::ArrayString type, actual: {:?}", sv);
None
}
None => {
debug!("SCIM entry with no classes ??");
None
}
}
}
pub fn attr_str(&self, attr: &Attribute) -> Option<&str> {
match self.attrs.get(attr) {
Some(ScimValueKanidm::String(inner_string)) => Some(inner_string.as_str()),
Some(sv) => {
debug!("SCIM entry had the {} attribute but it was not a ScimValueKanidm::String type, actual: {:?}", attr, sv);
None
}
None => None,
}
}
pub fn attr_bool(&self, attr: &Attribute) -> Option<&bool> {
match self.attrs.get(attr) {
Some(ScimValueKanidm::Bool(inner_bool)) => Some(inner_bool),
Some(sv) => {
debug!("SCIM entry had the {} attribute but it was not a ScimValueKanidm::Bool type, actual: {:?}", attr, sv);
None
}
None => None,
}
}
pub fn attr_mails(&self) -> Option<&Vec<ScimMail>> {
match self.attrs.get(&Attribute::Mail) {
Some(ScimValueKanidm::Mail(inner_string)) => Some(inner_string),
Some(sv) => {
debug!("SCIM entry had the {} attribute but it was not a ScimValueKanidm::Mail type, actual: {:?}", Attribute::Mail, sv);
None
}
None => None,
}
}
pub fn attr_reference(&self, attr: &Attribute) -> Option<&ScimReference> {
match self.attrs.get(attr) {
Some(ScimValueKanidm::EntryReference(refer)) => Some(refer),
Some(sv) => {
debug!("SCIM entry had the {} attribute but it was not a ScimValueKanidm::ScimReference type, actual: {:?}", attr, sv);
None
}
None => None,
}
}
pub fn attr_references(&self, attr: &Attribute) -> Option<&Vec<ScimReference>> {
match self.attrs.get(attr) {
Some(ScimValueKanidm::EntryReferences(refs)) => Some(refs),
Some(sv) => {
debug!("SCIM entry had the {} attribute but it was not a ScimValueKanidm::EntryReferences type, actual: {:?}", attr, sv);
None
}
None => None,
}
}
}
impl From<bool> for ScimValueKanidm {
fn from(b: bool) -> Self {
Self::Bool(b)

8
server/core/src/https/views/admin/mod.rs
View file

@ -3,14 +3,14 @@ use axum::routing::get;
use axum::Router;
use axum_htmx::HxRequestGuardLayer;
mod accounts;
mod persons;
pub fn admin_router() -> Router<ServerState> {
let unguarded_router = Router::new()
.route("/accounts", get(accounts::view_accounts_get))
.route("/persons", get(persons::view_persons_get))
.route(
"/account/:account_uuid/view",
get(accounts::view_account_view_get),
"/person/:person_uuid/view",
get(persons::view_person_view_get),
);
let guarded_router = Router::new().layer(HxRequestGuardLayer::new("/ui"));

86
server/core/src/https/views/admin/accounts.rs → server/core/src/https/views/admin/persons.rs
View file

@ -23,7 +23,7 @@ use std::collections::BTreeSet;
use std::str::FromStr;
use uuid::Uuid;
const ACCOUNT_ATTRIBUTES: [Attribute; 9] = [
const PERSON_ATTRIBUTES: [Attribute; 9] = [
Attribute::Uuid,
Attribute::Description,
Attribute::Name,
@ -37,32 +37,32 @@ const ACCOUNT_ATTRIBUTES: [Attribute; 9] = [
#[derive(Template)]
#[template(path = "admin/admin_panel_template.html")]
pub(crate) struct AccountsView {
pub(crate) struct PersonsView {
navbar_ctx: NavbarCtx,
partial: AccountsPartialView,
partial: PersonsPartialView,
}
#[derive(Template)]
#[template(path = "admin/admin_accounts_partial.html")]
struct AccountsPartialView {
accounts: Vec<(ScimPerson, ScimEffectiveAccess)>,
#[template(path = "admin/admin_persons_partial.html")]
struct PersonsPartialView {
persons: Vec<(ScimPerson, ScimEffectiveAccess)>,
}
#[derive(Template)]
#[template(path = "admin/admin_panel_template.html")]
struct AccountView {
partial: AccountViewPartial,
struct PersonView {
partial: PersonViewPartial,
navbar_ctx: NavbarCtx,
}
#[derive(Template)]
#[template(path = "admin/admin_account_view_partial.html")]
struct AccountViewPartial {
account: ScimPerson,
#[template(path = "admin/admin_person_view_partial.html")]
struct PersonViewPartial {
person: ScimPerson,
scim_effective_access: ScimEffectiveAccess,
}
pub(crate) async fn view_account_view_get(
pub(crate) async fn view_person_view_get(
State(state): State<ServerState>,
HxRequest(is_htmx): HxRequest,
Extension(kopid): Extension<KOpId>,
@ -70,24 +70,24 @@ pub(crate) async fn view_account_view_get(
Path(uuid): Path<Uuid>,
DomainInfo(domain_info): DomainInfo,
) -> axum::response::Result<Response> {
let (account, scim_effective_access) =
get_account_info(uuid, state, &kopid, client_auth_info, domain_info.clone()).await?;
let accounts_partial = AccountViewPartial {
account,
let (person, scim_effective_access) =
get_person_info(uuid, state, &kopid, client_auth_info, domain_info.clone()).await?;
let person_partial = PersonViewPartial {
person,
scim_effective_access,
};
let path_string = format!("/ui/admin/account/{uuid}/view");
let path_string = format!("/ui/admin/person/{uuid}/view");
let uri = Uri::from_str(path_string.as_str())
.map_err(|_| HtmxError::new(&kopid, OperationError::Backend, domain_info.clone()))?;
let push_url = HxPushUrl(uri);
Ok(if is_htmx {
(push_url, accounts_partial).into_response()
(push_url, person_partial).into_response()
} else {
(
push_url,
AccountView {
partial: accounts_partial,
PersonView {
partial: person_partial,
navbar_ctx: NavbarCtx { domain_info },
},
)
@ -95,32 +95,32 @@ pub(crate) async fn view_account_view_get(
})
}
pub(crate) async fn view_accounts_get(
pub(crate) async fn view_persons_get(
State(state): State<ServerState>,
HxRequest(is_htmx): HxRequest,
Extension(kopid): Extension<KOpId>,
DomainInfo(domain_info): DomainInfo,
VerifiedClientInformation(client_auth_info): VerifiedClientInformation,
) -> axum::response::Result<Response> {
let accounts = get_accounts_info(state, &kopid, client_auth_info, domain_info.clone()).await?;
let accounts_partial = AccountsPartialView { accounts };
let persons = get_persons_info(state, &kopid, client_auth_info, domain_info.clone()).await?;
let persons_partial = PersonsPartialView { persons: persons };
let push_url = HxPushUrl(Uri::from_static("/ui/admin/accounts"));
let push_url = HxPushUrl(Uri::from_static("/ui/admin/persons"));
Ok(if is_htmx {
(push_url, accounts_partial).into_response()
(push_url, persons_partial).into_response()
} else {
(
push_url,
AccountsView {
PersonsView {
navbar_ctx: NavbarCtx { domain_info },
partial: accounts_partial,
partial: persons_partial,
},
)
.into_response()
})
}
async fn get_account_info(
async fn get_person_info(
uuid: Uuid,
state: ServerState,
kopid: &KOpId,
@ -133,30 +133,30 @@ async fn get_account_info(
client_auth_info.clone(),
kopid.eventid,
uuid.to_string(),
EntryClass::Account,
EntryClass::Person,
ScimEntryGetQuery {
attributes: Some(Vec::from(ACCOUNT_ATTRIBUTES)),
attributes: Some(Vec::from(PERSON_ATTRIBUTES)),
ext_access_check: true,
},
)
.map_err(|op_err| HtmxError::new(kopid, op_err, domain_info.clone()))
.await?;
if let Some(account_info) = scimentry_into_accountinfo(scim_entry) {
Ok(account_info)
if let Some(personinfo_info) = scimentry_into_personinfo(scim_entry) {
Ok(personinfo_info)
} else {
Err(HtmxError::new(kopid, OperationError::InvalidState, domain_info.clone()).into())
}
}
async fn get_accounts_info(
async fn get_persons_info(
state: ServerState,
kopid: &KOpId,
client_auth_info: ClientAuthInfo,
domain_info: DomainInfoRead,
) -> Result<Vec<(ScimPerson, ScimEffectiveAccess)>, ErrorResponse> {
let filter = filter_all!(f_and!([f_eq(Attribute::Class, EntryClass::Account.into())]));
let attrs = Some(BTreeSet::from(ACCOUNT_ATTRIBUTES));
let filter = filter_all!(f_and!([f_eq(Attribute::Class, EntryClass::Person.into())]));
let attrs = Some(BTreeSet::from(PERSON_ATTRIBUTES));
let base: Vec<ScimEntryKanidm> = state
.qe_r_ref
.scim_entry_search(client_auth_info.clone(), filter, kopid.eventid, attrs, true)
@ -164,22 +164,22 @@ async fn get_accounts_info(
.await?;
// TODO: inefficient to sort here
let mut accounts: Vec<_> = base
let mut persons: Vec<_> = base
.into_iter()
// TODO: Filtering away unsuccessful entries may not be desired.
.filter_map(scimentry_into_accountinfo)
.filter_map(scimentry_into_personinfo)
.collect();
accounts.sort_by_key(|(sp, _)| sp.uuid);
accounts.reverse();
Ok(accounts)
persons.sort_by_key(|(sp, _)| sp.uuid);
persons.reverse();
Ok(persons)
}
fn scimentry_into_accountinfo(
fn scimentry_into_personinfo(
scim_entry: ScimEntryKanidm,
) -> Option<(ScimPerson, ScimEffectiveAccess)> {
let scim_effective_access = scim_entry.ext_access_check.clone()?; // TODO: This should be an error msg.
let account = ScimPerson::try_from(scim_entry).ok()?;
let person = ScimPerson::try_from(scim_entry).ok()?;
Some((account, scim_effective_access))
Some((person, scim_effective_access))
}

6
server/core/templates/admin/admin_partial_base.html
View file

@ -1,9 +1,9 @@
<main class="container-xxl pb-5">
<div class="d-flex flex-sm-row flex-column">
<div class="list-group side-menu">
<a href="/ui/admin/accounts" hx-target="#main" class="list-group-item list-group-item-action (% block accounts_item_extra_classes%)(%endblock%)">
<img src="/pkg/img/icon-accounts.svg" alt="Accounts" width="20" height="20">
Accounts</a>
<a href="/ui/admin/persons" hx-target="#main" class="list-group-item list-group-item-action (% block persons_item_extra_classes%)(%endblock%)">
<img src="/pkg/img/icon-accounts.svg" alt="Persons" width="20" height="20">
Persons</a>
<a href="/ui/admin/groups" hx-target="#main" class="list-group-item list-group-item-action (% block groups_item_extra_classes%)(%endblock%)">
<img src="/pkg/img/icon-groups.svg" alt="Groups" width="20" height="20">
Groups (placeholder)</a>

16
server/core/templates/admin/admin_account_details_partial.html → server/core/templates/admin/admin_person_details_partial.html
View file

@ -1,32 +1,32 @@
(% macro string_attr(dispname, name, value, editable, attribute) %)
(% if scim_effective_access.search.check(attribute|as_ref) %)
<div class="row mt-3">
<label for="account(( name ))" class="col-12 col-md-3 col-lg-2 col-form-label fw-bold py-0">(( dispname ))</label>
<label for="person(( name ))" class="col-12 col-md-3 col-lg-2 col-form-label fw-bold py-0">(( dispname ))</label>
<div class="col-12 col-md-8 col-lg-6">
<input readonly class="form-control-plaintext py-0" id="account(( name ))" name="(( name ))" value="(( value ))">
<input readonly class="form-control-plaintext py-0" id="person(( name ))" name="(( name ))" value="(( value ))">
</div>
</div>
(% endif %)
(% endmacro %)
<form hx-validate="true" hx-ext="bs-validation">
(% call string_attr("UUID", "uuid", account.uuid, false, Attribute::Uuid) %)
(% call string_attr("SPN", "spn", account.spn, false, Attribute::Spn) %)
(% call string_attr("Name", "name", account.name, true, Attribute::Name) %)
(% call string_attr("UUID", "uuid", person.uuid, false, Attribute::Uuid) %)
(% call string_attr("SPN", "spn", person.spn, false, Attribute::Spn) %)
(% call string_attr("Name", "name", person.name, true, Attribute::Name) %)
(% if let Some(displayname) = account.displayname %)
(% if let Some(displayname) = person.displayname %)
(% call string_attr("Displayname", "displayname", displayname, true, Attribute::DisplayName) %)
(% else %)
(% call string_attr("Displayname", "displayname", "none", true, Attribute::DisplayName) %)
(% endif %)
(% if let Some(description) = account.description %)
(% if let Some(description) = person.description %)
(% call string_attr("Description", "description", description, true, Attribute::Description) %)
(% else %)
(% call string_attr("Description", "description", "none", true, Attribute::Description) %)
(% endif %)
(% if let Some(entry_managed_by) = account.managed_by %)
(% if let Some(entry_managed_by) = person.managed_by %)
(% call string_attr("Managed By", "managed_by", entry_managed_by.value, true, Attribute::EntryManagedBy) %)
(% else %)
(% call string_attr("Managed By", "managed_by", "none", true, Attribute::EntryManagedBy) %)

22
server/core/templates/admin/admin_account_view_partial.html → server/core/templates/admin/admin_person_view_partial.html
View file

@ -1,28 +1,28 @@
(% extends "admin/admin_partial_base.html" %)
(% block accounts_item_extra_classes %)active(% endblock %)
(% block persons_item_extra_classes %)active(% endblock %)
(% block admin_page %)
<nav aria-label="breadcrumb">
<ol class="breadcrumb">
<li class="breadcrumb-item"><a href="/ui/admin/accounts" hx-target="#main">Accounts Management</a></li>
<li class="breadcrumb-item"><a href="/ui/admin/persons" hx-target="#main">persons Management</a></li>
<li class="breadcrumb-item active" aria-current="page">Viewing</li>
</ol>
</nav>
(% include "admin_account_details_partial.html" %)
(% include "admin_person_details_partial.html" %)
<hr>
(% if scim_effective_access.search.check(Attribute::Mail|as_ref) %)
<label class="mt-3 fw-bold">Emails</label>
<form hx-validate="true" hx-ext="bs-validation">
(% if account.mails.len() == 0 %)
<p>There are no email addresses associated with this account.</p>
(% if person.mails.len() == 0 %)
<p>There are no email addresses associated with this person.</p>
(% else %)
<ol class="list-group col-12 col-md-8 col-lg-6">
(% for mail in account.mails %)
<li id="accountMail(( loop.index ))" class="list-group-item d-flex flex-row justify-content-between">
(% for mail in person.mails %)
<li id="personMail(( loop.index ))" class="list-group-item d-flex flex-row justify-content-between">
<div class="d-flex align-items-center">(( mail.value ))</div>
<div class="buttons float-end">
</div>
@ -36,12 +36,12 @@
(% if scim_effective_access.search.check(Attribute::DirectMemberOf|as_ref) %)
<label class="mt-3 fw-bold">DirectMemberOf</label>
<form hx-validate="true" hx-ext="bs-validation">
(% if account.groups.len() == 0 %)
<p>There are no groups this account is a direct member of.</p>
(% if person.groups.len() == 0 %)
<p>There are no groups this person is a direct member of.</p>
(% else %)
<ol class="list-group col-12 col-md-8 col-lg-6">
(% for group in account.groups %)
<li id="accountGroup(( loop.index ))" class="list-group-item d-flex flex-row justify-content-between">
(% for group in person.groups %)
<li id="personGroup(( loop.index ))" class="list-group-item d-flex flex-row justify-content-between">
<div class="d-flex align-items-center">(( group.value ))</div>
<div class="buttons float-end">
</div>

8
server/core/templates/admin/admin_accounts_partial.html → server/core/templates/admin/admin_persons_partial.html
View file

@ -1,19 +1,19 @@
(% extends "admin/admin_partial_base.html" %)
(% block accounts_item_extra_classes %)active(% endblock %)
(% block persons_item_extra_classes %)active(% endblock %)
(% block admin_page %)
<nav aria-label="breadcrumb">
<ol class="breadcrumb">
<li class="breadcrumb-item active" aria-current="page">Accounts Management</li>
<li class="breadcrumb-item active" aria-current="page">Person Management</li>
</ol>
</nav>
<ul class="list-group">
(% for (account, _) in accounts %)
(% for (person, _) in persons %)
<li class="list-group-item d-flex flex-row justify-content-between">
<div class="d-flex align-items-center">
<a href="/ui/admin/account/(( account.uuid ))/view" hx-target="#main">(( account.name ))</a> <span class="text-secondary d-none d-lg-inline-block mx-4">(( account.uuid ))</span>
<a href="/ui/admin/person/(( person.uuid ))/view" hx-target="#main">(( person.name ))</a> <span class="text-secondary d-none d-lg-inline-block mx-4">(( person.uuid ))</span>
</div>
<div class="buttons float-end">
</div>