Alter filter generation to exclude empty conditions (#1877)

This commit is contained in:
Firstyear 2023-07-19 11:42:18 +10:00 committed by GitHub
parent 4f3f7e2708
commit 578e064b10
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -597,7 +597,7 @@ async fn process_ipa_sync_result(
// On a refresh, we need to search and fix up to make sure TOTP/USER sets are // On a refresh, we need to search and fix up to make sure TOTP/USER sets are
// consistent. // consistent.
if !is_initialise { let search_filter = if !is_initialise {
// If the totp's related user is NOT in our sync repl, we need to fetch them. // If the totp's related user is NOT in our sync repl, we need to fetch them.
let fetch_user: Vec<&str> = totp_entries let fetch_user: Vec<&str> = totp_entries
.keys() .keys()
@ -614,13 +614,22 @@ async fn process_ipa_sync_result(
.collect(); .collect();
// Create filter (could hit a limit, may need to split this search). // Create filter (could hit a limit, may need to split this search).
let totp_conditions: Vec<_> = fetch_totps_for let totp_conditions: Vec<_> = fetch_totps_for
.iter() .iter()
.map(|dn| LdapFilter::Equality("ipatokenowner".to_string(), dn.to_string())) .map(|dn| LdapFilter::Equality("ipatokenowner".to_string(), dn.to_string()))
.collect(); .collect();
let user_conditions = fetch_user let mut or_filter = Vec::with_capacity(2);
if !totp_conditions.is_empty() {
or_filter.push(LdapFilter::And(vec![
LdapFilter::Equality("objectclass".to_string(), "ipatoken".to_string()),
LdapFilter::Equality("objectclass".to_string(), "ipatokentotp".to_string()),
LdapFilter::Or(totp_conditions),
]));
}
let user_conditions: Vec<_> = fetch_user
.iter() .iter()
.filter_map(|dn| { .filter_map(|dn| {
// We have to split the DN to it's RDN because lol. // We have to split the DN to it's RDN because lol.
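Review bot: The new `let mut or_filter = Vec::with_capacity(2);` line and the `if !totp_conditions.is_empty()` guard that follows carry no comment saying why a branch is only pushed when its condition list is non-empty, which is the whole point of this change; a later reader could see the guards as redundant and fold them back into an unconditional `Or`. I would add above the `Vec::with_capacity(2)` line: `// Only add a branch when it actually has conditions; an empty Or sub-filter must never be sent to the server.` The same guard is repeated for `user_conditions` in the next hunk, and the `search_filter` binding whose `None` arm turns the search into a no-op would benefit from the same one-line note. The enclosing `process_ipa_sync_result` starts and ends outside this hunk.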
@ -630,22 +639,27 @@ async fn process_ipa_sync_result(
}) })
.collect(); .collect();
let filter = LdapFilter::Or(vec![ if !user_conditions.is_empty() {
LdapFilter::And(vec![ or_filter.push(LdapFilter::And(vec![
LdapFilter::Equality("objectclass".to_string(), "ipatoken".to_string()),
LdapFilter::Equality("objectclass".to_string(), "ipatokentotp".to_string()),
LdapFilter::Or(totp_conditions),
]),
LdapFilter::And(vec![
LdapFilter::Equality("objectclass".to_string(), "person".to_string()), LdapFilter::Equality("objectclass".to_string(), "person".to_string()),
LdapFilter::Equality("objectclass".to_string(), "ipantuserattrs".to_string()), LdapFilter::Equality("objectclass".to_string(), "ipantuserattrs".to_string()),
LdapFilter::Equality("objectclass".to_string(), "posixaccount".to_string()), LdapFilter::Equality("objectclass".to_string(), "posixaccount".to_string()),
LdapFilter::Or(user_conditions), LdapFilter::Or(user_conditions),
]), ]));
]); }
if or_filter.is_empty() {
None
} else {
Some(LdapFilter::Or(or_filter))
}
} else {
None
};
// If we have something that needs lookup, apply now.
if let Some(filter) = search_filter {
debug!(?filter); debug!(?filter);
// Search - we use syncrepl here and discard the cookie because we need the // Search - we use syncrepl here and discard the cookie because we need the
// entry uuid to be given from the nsuniqueid else we have issues. // entry uuid to be given from the nsuniqueid else we have issues.
let mode = proto::SyncRequestMode::RefreshOnly; let mode = proto::SyncRequestMode::RefreshOnly;