mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-04-24 19:25:39 +02:00
Code Issues Actions10 Packages Projects Releases Wiki Activity

Merge 0fe42f62bd into b113262357

Browse source
This commit is contained in:
Firstyear 2025-04-10 23:35:15 +00:00 committed by GitHub
parent b113262357 0fe42f62bd
commit 62e6b35168
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
33 changed files with 730 additions and 324 deletions

19
libs/client/src/application.rs Normal file
View file

@ -0,0 +1,19 @@
use crate::{ClientError, KanidmClient};
use kanidm_proto::scim_v1::client::{ScimEntryApplication, ScimEntryApplicationPost};
impl KanidmClient {
/// Delete an application
pub async fn idm_application_delete(&self, id: &str) -> Result<(), ClientError> {
self.perform_delete_request(format!("/scim/v1/Application/{}", id).as_str())
.await
}
/// Create an application
pub async fn idm_application_create(
&self,
application: &ScimEntryApplicationPost,
) -> Result<ScimEntryApplication, ClientError> {
self.perform_post_request("/scim/v1/Application", application)
.await
}
}

1
libs/client/src/lib.rs
View file

@ -50,6 +50,7 @@ use webauthn_rs_proto::{
PublicKeyCredential, RegisterPublicKeyCredential, RequestChallengeResponse,
};
mod application;
mod domain;
mod group;
mod oauth;

2
libs/client/src/scim.rs
View file

@ -2,12 +2,10 @@ use crate::{ClientError, KanidmClient};
use kanidm_proto::scim_v1::{ScimEntryGeneric, ScimEntryGetQuery, ScimSyncRequest, ScimSyncState};
impl KanidmClient {
// TODO: testing for this
pub async fn scim_v1_sync_status(&self) -> Result<ScimSyncState, ClientError> {
self.perform_get_request("/scim/v1/Sync").await
}
// TODO: testing for this
pub async fn scim_v1_sync_update(
&self,
scim_sync_request: &ScimSyncRequest,

3
proto/src/attribute.rs
View file

@ -32,6 +32,7 @@ pub enum Attribute {
AcpTargetScope,
ApiTokenSession,
ApplicationPassword,
ApplicationUrl,
AttestedPasskeys,
#[default]
Attr,
@ -267,6 +268,7 @@ impl Attribute {
Attribute::AcpTargetScope => ATTR_ACP_TARGET_SCOPE,
Attribute::ApiTokenSession => ATTR_API_TOKEN_SESSION,
Attribute::ApplicationPassword => ATTR_APPLICATION_PASSWORD,
Attribute::ApplicationUrl => ATTR_APPLICATION_URL,
Attribute::AttestedPasskeys => ATTR_ATTESTED_PASSKEYS,
Attribute::Attr => ATTR_ATTR,
Attribute::AttributeName => ATTR_ATTRIBUTENAME,
@ -454,6 +456,7 @@ impl Attribute {
ATTR_ACP_TARGET_SCOPE => Attribute::AcpTargetScope,
ATTR_API_TOKEN_SESSION => Attribute::ApiTokenSession,
ATTR_APPLICATION_PASSWORD => Attribute::ApplicationPassword,
ATTR_APPLICATION_URL => Attribute::ApplicationUrl,
ATTR_ATTESTED_PASSKEYS => Attribute::AttestedPasskeys,
ATTR_ATTR => Attribute::Attr,
ATTR_ATTRIBUTENAME => Attribute::AttributeName,

1
proto/src/constants.rs
View file

@ -72,6 +72,7 @@ pub const ATTR_ACP_SEARCH_ATTR: &str = "acp_search_attr";
pub const ATTR_ACP_TARGET_SCOPE: &str = "acp_targetscope";
pub const ATTR_API_TOKEN_SESSION: &str = "api_token_session";
pub const ATTR_APPLICATION_PASSWORD: &str = "application_password";
pub const ATTR_APPLICATION_URL: &str = "application_url";
pub const ATTR_ATTESTED_PASSKEYS: &str = "attested_passkeys";
pub const ATTR_ATTR: &str = "attr";
pub const ATTR_ATTRIBUTENAME: &str = "attributename";

4
proto/src/internal/error.rs
View file

@ -213,6 +213,8 @@ pub enum OperationError {
SC0024SshPublicKeySyntaxInvalid,
SC0025UiHintSyntaxInvalid,
SC0026Utf8SyntaxInvalid,
SC0027ClassSetInvalid,
SC0028CreatedUuidsInvalid,
// Migration
MG0001InvalidReMigrationLevel,
MG0002RaiseDomainLevelExceedsMaximum,
@ -492,6 +494,8 @@ impl OperationError {
Self::SC0024SshPublicKeySyntaxInvalid => Some("A SCIM Ssh Public Key contained invalid syntax".into()),
Self::SC0025UiHintSyntaxInvalid => Some("A SCIM UiHint contained invalid syntax".into()),
Self::SC0026Utf8SyntaxInvalid => Some("A SCIM Utf8 String Scope Map contained invalid syntax".into()),
Self::SC0027ClassSetInvalid => Some("The internal set of class templates used in this create operation was invalid. THIS IS A BUG.".into()),
Self::SC0028CreatedUuidsInvalid => Some("The internal create query did not return the set of created UUIDs. THIS IS A BUG".into()),
Self::UI0001ChallengeSerialisation => Some("The WebAuthn challenge was unable to be serialised.".into()),
Self::UI0002InvalidState => Some("The credential update process returned an invalid state transition.".into()),

45
proto/src/scim_v1/client.rs
View file

@ -2,6 +2,7 @@
use super::ScimEntryGetQuery;
use super::ScimOauth2ClaimMapJoinChar;
use crate::attribute::{Attribute, SubAttribute};
use scim_proto::ScimEntryHeader;
use serde::{Deserialize, Serialize};
use serde_json::Value as JsonValue;
use serde_with::formats::PreferMany;
@ -31,6 +32,18 @@ pub struct ScimReference {
pub value: Option<String>,
}
impl<T> From<T> for ScimReference
where
T: AsRef<str>,
{
fn from(value: T) -> Self {
ScimReference {
uuid: None,
value: Some(value.as_ref().to_string()),
}
}
}
pub type ScimReferences = Vec<ScimReference>;
#[serde_as]
@ -79,6 +92,31 @@ pub struct ScimOAuth2ScopeMap {
pub scopes: BTreeSet<String>,
}
#[serde_as]
#[derive(Serialize, Debug, Clone)]
#[serde(rename_all = "snake_case")]
pub struct ScimEntryApplicationPost {
pub name: String,
pub displayname: String,
pub linked_group: ScimReference,
}
#[serde_as]
#[derive(Deserialize, Debug, Clone)]
#[serde(rename_all = "snake_case")]
pub struct ScimEntryApplication {
#[serde(flatten)]
pub header: ScimEntryHeader,
pub name: String,
pub displayname: String,
pub linked_group: Vec<super::ScimReference>,
#[serde(flatten)]
pub attrs: BTreeMap<Attribute, JsonValue>,
}
#[derive(Serialize, Debug, Clone)]
pub struct ScimEntryPutKanidm {
pub id: Uuid,
@ -90,6 +128,13 @@ pub struct ScimEntryPutKanidm {
#[derive(Deserialize, Serialize, Debug, Clone)]
pub struct ScimStrings(#[serde_as(as = "OneOrMany<_, PreferMany>")] pub Vec<String>);
#[derive(Debug, Clone, Deserialize, Default)]
pub struct ScimEntryPostGeneric {
/// Create an attribute to contain the following value state.
#[serde(flatten)]
pub attrs: BTreeMap<Attribute, JsonValue>,
}
#[derive(Debug, Clone, Deserialize, Default)]
pub struct ScimEntryPutGeneric {
// id is only used to target the entry in question

13
proto/src/scim_v1/mod.rs
View file

@ -18,13 +18,13 @@
use crate::attribute::Attribute;
use serde::{Deserialize, Serialize};
use serde_with::formats::CommaSeparator;
use serde_with::{serde_as, skip_serializing_none, StringWithSeparator};
use sshkey_attest::proto::PublicKey as SshPublicKey;
use std::collections::BTreeMap;
use std::ops::Not;
use utoipa::ToSchema;
use serde_with::formats::CommaSeparator;
use serde_with::{serde_as, skip_serializing_none, StringWithSeparator};
use uuid::Uuid;
pub use self::synch::*;
pub use scim_proto::prelude::*;
@ -86,6 +86,13 @@ pub struct ScimSshPublicKey {
pub value: SshPublicKey,
}
#[derive(Deserialize, Serialize, Debug, Clone, PartialEq, Eq, ToSchema)]
#[serde(rename_all = "camelCase")]
pub struct ScimReference {
pub uuid: Uuid,
pub value: String,
}
#[derive(Deserialize, Serialize, Debug, Clone, ToSchema)]
pub enum ScimOauth2ClaimMapJoinChar {
#[serde(rename = ",", alias = "csv")]

73
server/core/src/actors/v1_scim.rs
View file

@ -1,10 +1,14 @@
use super::{QueryServerReadV1, QueryServerWriteV1};
use kanidm_proto::scim_v1::{
client::ScimFilter, server::ScimEntryKanidm, ScimEntryGetQuery, ScimSyncRequest, ScimSyncState,
client::ScimEntryPostGeneric, client::ScimFilter, server::ScimEntryKanidm, ScimEntryGetQuery,
ScimSyncRequest, ScimSyncState,
};
use kanidmd_lib::idm::scim::{
GenerateScimSyncTokenEvent, ScimSyncFinaliseEvent, ScimSyncTerminateEvent, ScimSyncUpdateEvent,
};
use kanidmd_lib::server::scim::{ScimCreateEvent, ScimDeleteEvent};
use kanidmd_lib::idm::server::IdmServerTransaction;
use kanidmd_lib::prelude::*;
@ -176,6 +180,73 @@ impl QueryServerWriteV1 {
.scim_sync_apply(&sse, &changes, ct)
.and_then(|r| idms_prox_write.commit().map(|_| r))
}
#[instrument(
level = "info",
skip_all,
fields(uuid = ?eventid)
)]
pub async fn scim_entry_create(
&self,
client_auth_info: ClientAuthInfo,
eventid: Uuid,
classes: &[EntryClass],
entry: ScimEntryPostGeneric,
) -> Result<ScimEntryKanidm, OperationError> {
let ct = duration_from_epoch_now();
let mut idms_prox_write = self.idms.proxy_write(ct).await?;
let ident = idms_prox_write
.validate_client_auth_info_to_ident(client_auth_info, ct)
.map_err(|e| {
admin_error!(err = ?e, "Invalid identity");
e
})?;
let scim_create_event =
ScimCreateEvent::try_from(ident, classes, entry, &mut idms_prox_write.qs_write)?;
idms_prox_write
.qs_write
.scim_create(scim_create_event)
.and_then(|r| idms_prox_write.commit().map(|_| r))
}
#[instrument(
level = "info",
skip_all,
fields(uuid = ?eventid)
)]
pub async fn scim_entry_id_delete(
&self,
client_auth_info: ClientAuthInfo,
eventid: Uuid,
uuid_or_name: String,
class: EntryClass,
) -> Result<(), OperationError> {
let ct = duration_from_epoch_now();
let mut idms_prox_write = self.idms.proxy_write(ct).await?;
let ident = idms_prox_write
.validate_client_auth_info_to_ident(client_auth_info, ct)
.map_err(|e| {
admin_error!(err = ?e, "Invalid identity");
e
})?;
let target = idms_prox_write
.qs_write
.name_to_uuid(uuid_or_name.as_str())
.map_err(|e| {
admin_error!(err = ?e, "Error resolving id to target");
e
})?;
let scim_delete_event = ScimDeleteEvent::new(ident, target, class);
idms_prox_write
.qs_write
.scim_delete(scim_delete_event)
.and_then(|r| idms_prox_write.commit().map(|_| r))
}
}
impl QueryServerReadV1 {

2
server/core/src/https/apidocs/mod.rs
View file

@ -78,6 +78,8 @@ impl Modify for SecurityAddon {
super::v1_scim::scim_sync_get,
super::v1_scim::scim_entry_id_get,
super::v1_scim::scim_person_id_get,
super::v1_scim::scim_application_post,
super::v1_scim::scim_application_id_delete,
super::v1::schema_get,
super::v1::whoami,

2
server/core/src/https/apidocs/tests.rs
View file

@ -43,7 +43,7 @@ fn figure_out_if_we_have_all_the_routes() {
.unwrap();
// work our way through the source files in this package looking for routedefs
let mut found_routes: BTreeMap<String, Vec<(String, String)>> = BTreeMap::new();
let walker = walkdir::WalkDir::new(format!("{}/src", env!("CARGO_MANIFEST_DIR")))
let walker = walkdir::WalkDir::new(format!("{}/src/https", env!("CARGO_MANIFEST_DIR")))
.follow_links(false)
.into_iter();

75
server/core/src/https/v1_scim.rs
View file

@ -9,10 +9,11 @@ use super::ServerState;
use crate::https::extractors::VerifiedClientInformation;
use axum::extract::{rejection::JsonRejection, DefaultBodyLimit, Path, Query, State};
use axum::response::{Html, IntoResponse, Response};
use axum::routing::{get, post};
use axum::routing::{delete, get, post};
use axum::{Extension, Json, Router};
use kanidm_proto::scim_v1::{
server::ScimEntryKanidm, ScimEntryGetQuery, ScimSyncRequest, ScimSyncState,
client::ScimEntryPostGeneric, server::ScimEntryKanidm, ScimEntryGetQuery, ScimSyncRequest,
ScimSyncState,
};
use kanidm_proto::v1::Entry as ProtoEntry;
use kanidmd_lib::prelude::*;
@ -383,6 +384,65 @@ async fn scim_person_id_get(
.map_err(WebError::from)
}
#[utoipa::path(
post,
path = "/scim/v1/Application",
responses(
(status = 200, content_type="application/json", body=ScimEntry),
ApiResponseWithout200,
),
security(("token_jwt" = [])),
tag = "scim",
operation_id = "scim_application_post"
)]
async fn scim_application_post(
State(state): State<ServerState>,
Extension(kopid): Extension<KOpId>,
VerifiedClientInformation(client_auth_info): VerifiedClientInformation,
Json(entry_post): Json<ScimEntryPostGeneric>,
) -> Result<Json<ScimEntryKanidm>, WebError> {
state
.qe_w_ref
.scim_entry_create(
client_auth_info,
kopid.eventid,
&[
EntryClass::Account,
EntryClass::ServiceAccount,
EntryClass::Application,
],
entry_post,
)
.await
.map(Json::from)
.map_err(WebError::from)
}
#[utoipa::path(
delete,
path = "/scim/v1/Application/{id}",
responses(
(status = 200, content_type="application/json"),
ApiResponseWithout200,
),
security(("token_jwt" = [])),
tag = "scim",
operation_id = "scim_application_id_delete"
)]
async fn scim_application_id_delete(
State(state): State<ServerState>,
Path(id): Path<String>,
Extension(kopid): Extension<KOpId>,
VerifiedClientInformation(client_auth_info): VerifiedClientInformation,
) -> Result<Json<()>, WebError> {
state
.qe_w_ref
.scim_entry_id_delete(client_auth_info, kopid.eventid, id, EntryClass::Application)
.await
.map(Json::from)
.map_err(WebError::from)
}
pub fn route_setup() -> Router<ServerState> {
Router::new()
.route(
@ -486,6 +546,17 @@ pub fn route_setup() -> Router<ServerState> {
//
// POST Send a sync update
//
//
// Application /Application Post Create a new application
//
.route("/scim/v1/Application", post(scim_application_post))
// Application /Application/{id} Delete Delete the application identified by id
//
.route(
"/scim/v1/Application/:id",
delete(scim_application_id_delete),
)
// Synchronisation routes.
.route(
"/scim/v1/Sync",
post(scim_sync_post)

1
server/lib/src/constants/uuids.rs
View file

@ -334,6 +334,7 @@ pub const UUID_SCHEMA_ATTR_ACP_MODIFY_PRESENT_CLASS: Uuid =
uuid!("00000000-0000-0000-0000-ffff00000189");
pub const UUID_SCHEMA_ATTR_ACP_MODIFY_REMOVE_CLASS: Uuid =
uuid!("00000000-0000-0000-0000-ffff00000190");
pub const UUID_SCHEMA_ATTR_APPLICATION_URL: Uuid = uuid!("00000000-0000-0000-0000-ffff00000191");
// System and domain infos
// I'd like to strongly criticise william of the past for making poor choices about these allocations.

40
server/lib/src/entry.rs
View file

@ -24,11 +24,6 @@
//! [`filter`]: ../filter/index.html
//! [`schema`]: ../schema/index.html
use std::cmp::Ordering;
pub use std::collections::BTreeSet as Set;
use std::collections::{BTreeMap as Map, BTreeMap, BTreeSet};
use std::sync::Arc;
use crate::be::dbentry::{DbEntry, DbEntryVers};
use crate::be::dbvalue::DbValueSetV2;
use crate::be::{IdxKey, IdxSlope};
@ -41,7 +36,13 @@ use crate::prelude::*;
use crate::repl::cid::Cid;
use crate::repl::entry::EntryChangeState;
use crate::repl::proto::{ReplEntryV1, ReplIncrementalEntryV1};
use crate::schema::{SchemaAttribute, SchemaClass, SchemaTransaction};
use crate::server::access::AccessEffectivePermission;
use crate::value::{
ApiToken, CredentialType, IndexType, IntentTokenState, Oauth2Session, PartialValue, Session,
SyntaxType, Value,
};
use crate::valueset::{self, ScimResolveStatus, ValueSet};
use compact_jwt::JwsEs256Signer;
use hashbrown::{HashMap, HashSet};
use kanidm_proto::internal::ImageValue;
@ -53,6 +54,10 @@ use kanidm_proto::v1::Entry as ProtoEntry;
use ldap3_proto::simple::{LdapPartialAttribute, LdapSearchResultEntry};
use openssl::ec::EcKey;
use openssl::pkey::{Private, Public};
use std::cmp::Ordering;
pub use std::collections::BTreeSet as Set;
use std::collections::{BTreeMap as Map, BTreeMap, BTreeSet};
use std::sync::Arc;
use time::OffsetDateTime;
use tracing::trace;
use uuid::Uuid;
@ -60,13 +65,6 @@ use webauthn_rs::prelude::{
AttestationCaList, AttestedPasskey as AttestedPasskeyV4, Passkey as PasskeyV4,
};
use crate::schema::{SchemaAttribute, SchemaClass, SchemaTransaction};
use crate::value::{
ApiToken, CredentialType, IndexType, IntentTokenState, Oauth2Session, PartialValue, Session,
SyntaxType, Value,
};
use crate::valueset::{self, ScimResolveStatus, ValueSet};
pub type EntryInitNew = Entry<EntryInit, EntryNew>;
pub type EntryInvalidNew = Entry<EntryInvalid, EntryNew>;
pub type EntryRefreshNew = Entry<EntryRefresh, EntryNew>;
@ -285,6 +283,18 @@ impl Default for Entry<EntryInit, EntryNew> {
}
}
impl FromIterator<(Attribute, ValueSet)> for EntryInitNew {
fn from_iter<I: IntoIterator<Item = (Attribute, ValueSet)>>(iter: I) -> Self {
let attrs = Eattrs::from_iter(iter);
Entry {
valid: EntryInit,
state: EntryNew,
attrs,
}
}
}
impl Entry<EntryInit, EntryNew> {
pub fn new() -> Self {
Entry {
@ -292,7 +302,6 @@ impl Entry<EntryInit, EntryNew> {
valid: EntryInit,
state: EntryNew,
attrs: Map::new(),
// attrs: Map::with_capacity(32),
}
}
@ -479,6 +488,11 @@ impl Entry<EntryInit, EntryNew> {
self.attrs.remove(attr);
}
/// Set the content of this ava with this valueset, ignoring the previous data.
pub fn set_ava_set(&mut self, attr: &Attribute, vs: ValueSet) {
self.attrs.insert(attr.clone(), vs);
}
/// Replace the existing content of an attribute set of this Entry, with a new set of Values.
pub fn set_ava<T>(&mut self, attr: Attribute, iter: T)
where

15
server/lib/src/event.rs
View file

@ -346,6 +346,8 @@ pub struct CreateEvent {
pub entries: Vec<Entry<EntryInit, EntryNew>>,
// Is the CreateEvent from an internal or external source?
// This may affect which plugins are run ...
/// If true, the list of created entry UUID's will be returned.
pub return_created_uuids: bool,
}
impl CreateEvent {
@ -363,7 +365,11 @@ impl CreateEvent {
// What is the correct consuming iterator here? Can we
// even do that?
match rentries {
Ok(entries) => Ok(CreateEvent { ident, entries }),
Ok(entries) => Ok(CreateEvent {
ident,
entries,
return_created_uuids: false,
}),
Err(e) => Err(e),
}
}
@ -373,13 +379,18 @@ impl CreateEvent {
ident: Identity,
entries: Vec<Entry<EntryInit, EntryNew>>,
) -> Self {
CreateEvent { ident, entries }
CreateEvent {
ident,
entries,
return_created_uuids: false,
}
}
pub fn new_internal(entries: Vec<Entry<EntryInit, EntryNew>>) -> Self {
CreateEvent {
ident: Identity::from_internal(),
entries,
return_created_uuids: false,
}
}
}

138
server/lib/src/idm/application.rs
View file

@ -255,139 +255,6 @@ mod tests {
const TEST_CURRENT_TIME: u64 = 6000;
// Tests that only the correct combinations of [Account, Person, Application and
// ServiceAccount] classes are allowed.
#[idm_test]
async fn test_idm_application_excludes(idms: &IdmServer, _idms_delayed: &mut IdmServerDelayed) {
let ct = Duration::from_secs(TEST_CURRENT_TIME);
let mut idms_prox_write = idms.proxy_write(ct).await.unwrap();
// ServiceAccount, Application and Person not allowed together
let test_grp_name = "testgroup1";
let test_grp_uuid = Uuid::new_v4();
let e1 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Group.to_value()),
(Attribute::Name, Value::new_iname(test_grp_name)),
(Attribute::Uuid, Value::Uuid(test_grp_uuid))
);
let test_entry_uuid = Uuid::new_v4();
let e2 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::Class, EntryClass::Person.to_value()),
(Attribute::Name, Value::new_iname("test_app_name")),
(Attribute::Uuid, Value::Uuid(test_entry_uuid)),
(Attribute::Description, Value::new_utf8s("test_app_desc")),
(
Attribute::DisplayName,
Value::new_utf8s("test_app_dispname")
),
(Attribute::LinkedGroup, Value::Refer(test_grp_uuid))
);
let ce = CreateEvent::new_internal(vec![e1, e2]);
let cr = idms_prox_write.qs_write.create(&ce);
assert!(cr.is_err());
// Application and Person not allowed together
let test_grp_name = "testgroup1";
let test_grp_uuid = Uuid::new_v4();
let e1 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Group.to_value()),
(Attribute::Name, Value::new_iname(test_grp_name)),
(Attribute::Uuid, Value::Uuid(test_grp_uuid))
);
let test_entry_uuid = Uuid::new_v4();
let e2 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::Class, EntryClass::Person.to_value()),
(Attribute::Name, Value::new_iname("test_app_name")),
(Attribute::Uuid, Value::Uuid(test_entry_uuid)),
(Attribute::Description, Value::new_utf8s("test_app_desc")),
(
Attribute::DisplayName,
Value::new_utf8s("test_app_dispname")
),
(Attribute::LinkedGroup, Value::Refer(test_grp_uuid))
);
let ce = CreateEvent::new_internal(vec![e1, e2]);
let cr = idms_prox_write.qs_write.create(&ce);
assert!(cr.is_err());
// Supplements not satisfied, Application supplements ServiceAccount
let test_grp_name = "testgroup1";
let test_grp_uuid = Uuid::new_v4();
let e1 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Group.to_value()),
(Attribute::Name, Value::new_iname(test_grp_name)),
(Attribute::Uuid, Value::Uuid(test_grp_uuid))
);
let test_entry_uuid = Uuid::new_v4();
let e2 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::Name, Value::new_iname("test_app_name")),
(Attribute::Uuid, Value::Uuid(test_entry_uuid)),
(Attribute::Description, Value::new_utf8s("test_app_desc")),
(Attribute::LinkedGroup, Value::Refer(test_grp_uuid))
);
let ce = CreateEvent::new_internal(vec![e1, e2]);
let cr = idms_prox_write.qs_write.create(&ce);
assert!(cr.is_err());
// Supplements not satisfied, Application supplements ServiceAccount
let test_grp_name = "testgroup1";
let test_grp_uuid = Uuid::new_v4();
let e1 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Group.to_value()),
(Attribute::Name, Value::new_iname(test_grp_name)),
(Attribute::Uuid, Value::Uuid(test_grp_uuid))
);
let test_entry_uuid = Uuid::new_v4();
let e2 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::Name, Value::new_iname("test_app_name")),
(Attribute::Uuid, Value::Uuid(test_entry_uuid)),
(Attribute::Description, Value::new_utf8s("test_app_desc")),
(Attribute::LinkedGroup, Value::Refer(test_grp_uuid))
);
let ce = CreateEvent::new_internal(vec![e1, e2]);
let cr = idms_prox_write.qs_write.create(&ce);
assert!(cr.is_err());
// Supplements satisfied, Application supplements ServiceAccount
let test_grp_name = "testgroup1";
let test_grp_uuid = Uuid::new_v4();
let e1 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Group.to_value()),
(Attribute::Name, Value::new_iname(test_grp_name)),
(Attribute::Uuid, Value::Uuid(test_grp_uuid))
);
let test_entry_uuid = Uuid::new_v4();
let e2 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Name, Value::new_iname("test_app_name")),
(Attribute::Uuid, Value::Uuid(test_entry_uuid)),
(Attribute::Description, Value::new_utf8s("test_app_desc")),
(Attribute::LinkedGroup, Value::Refer(test_grp_uuid))
);
let ce = CreateEvent::new_internal(vec![e1, e2]);
let cr = idms_prox_write.qs_write.create(&ce);
assert!(cr.is_ok());
}
// Tests it is not possible to create an application without the linked group attribute
#[idm_test]
async fn test_idm_application_no_linked_group(
@ -404,6 +271,7 @@ mod tests {
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::DisplayName, Value::new_utf8s("Application")),
(Attribute::Name, Value::new_iname("test_app_name")),
(Attribute::Uuid, Value::Uuid(test_entry_uuid)),
(Attribute::Description, Value::new_utf8s("test_app_desc")),
@ -547,8 +415,10 @@ mod tests {
let e3 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::DisplayName, Value::new_utf8s("Application")),
(Attribute::Name, Value::new_iname(test_app_name)),
(Attribute::Uuid, Value::Uuid(test_app_uuid)),
(Attribute::LinkedGroup, Value::Refer(test_grp_uuid))
@ -647,7 +517,9 @@ mod tests {
let e2 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::DisplayName, Value::new_utf8s("Application")),
(Attribute::Name, Value::new_iname("test_app_name")),
(Attribute::Uuid, Value::Uuid(test_entry_uuid)),
(Attribute::Description, Value::new_utf8s("test_app_desc")),

12
server/lib/src/idm/ldap.rs
View file

@ -1119,8 +1119,10 @@ mod tests {
let e3 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::DisplayName, Value::new_utf8s("Application")),
(Attribute::Name, Value::new_iname(app_name)),
(Attribute::Uuid, Value::Uuid(app_uuid)),
(Attribute::LinkedGroup, Value::Refer(grp_uuid))
@ -1283,8 +1285,10 @@ mod tests {
let e3 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::DisplayName, Value::new_utf8s("Application")),
(Attribute::Name, Value::new_iname("testapp1")),
(Attribute::Uuid, Value::Uuid(app_uuid)),
(Attribute::LinkedGroup, Value::Refer(grp_uuid))
@ -1456,8 +1460,10 @@ mod tests {
let e4 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::DisplayName, Value::new_utf8s("Application")),
(Attribute::Name, Value::new_iname(app1_name)),
(Attribute::Uuid, Value::Uuid(app1_uuid)),
(Attribute::LinkedGroup, Value::Refer(grp1_uuid))
@ -1465,8 +1471,10 @@ mod tests {
let e5 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::DisplayName, Value::new_utf8s("Application")),
(Attribute::Name, Value::new_iname(app2_name)),
(Attribute::Uuid, Value::Uuid(app2_uuid)),
(Attribute::LinkedGroup, Value::Refer(grp2_uuid))
@ -1651,8 +1659,10 @@ mod tests {
let e3 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::DisplayName, Value::new_utf8s("Application")),
(Attribute::Name, Value::new_iname(app1_name)),
(Attribute::Uuid, Value::Uuid(app1_uuid)),
(Attribute::LinkedGroup, Value::Refer(grp1_uuid))
@ -2693,8 +2703,10 @@ mod tests {
let e3 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::DisplayName, Value::new_utf8s("Application")),
(Attribute::Name, Value::new_iname(app_name)),
(Attribute::Uuid, Value::Uuid(app_uuid)),
(Attribute::LinkedGroup, Value::Refer(grp_uuid))

3
server/lib/src/migration_data/dl10/mod.rs
View file

@ -105,6 +105,7 @@ pub fn phase_1_schema_attrs() -> Vec<EntryInitNew> {
// DL10
SCHEMA_ATTR_DENIED_NAME_DL10.clone().into(),
SCHEMA_ATTR_LDAP_MAXIMUM_QUERYABLE_ATTRIBUTES.clone().into(),
SCHEMA_ATTR_APPLICATION_URL.clone().into(),
]
}
@ -134,7 +135,7 @@ pub fn phase_2_schema_classes() -> Vec<EntryInitNew> {
SCHEMA_CLASS_CLIENT_CERTIFICATE_DL7.clone().into(),
// DL8
SCHEMA_CLASS_ACCOUNT_POLICY_DL8.clone().into(),
SCHEMA_CLASS_APPLICATION_DL8.clone().into(),
SCHEMA_CLASS_APPLICATION.clone().into(),
SCHEMA_CLASS_PERSON_DL8.clone().into(),
// DL9
SCHEMA_CLASS_OAUTH2_RS_DL9.clone().into(),

23
server/lib/src/migration_data/dl10/schema.rs
View file

@ -729,6 +729,14 @@ pub static ref SCHEMA_ATTR_APPLICATION_PASSWORD_DL8: SchemaAttribute = SchemaAtt
..Default::default()
};
pub static ref SCHEMA_ATTR_APPLICATION_URL: SchemaAttribute = SchemaAttribute {
uuid: UUID_SCHEMA_ATTR_APPLICATION_URL,
name: Attribute::ApplicationUrl,
description: "The URL of an external application".to_string(),
syntax: SyntaxType::Url,
..Default::default()
};
// === classes ===
pub static ref SCHEMA_CLASS_PERSON_DL8: SchemaClass = SchemaClass {
uuid: UUID_SCHEMA_CLASS_PERSON,
@ -838,9 +846,9 @@ pub static ref SCHEMA_CLASS_ACCOUNT_DL5: SchemaClass = SchemaClass {
Attribute::Spn
],
systemsupplements: vec![
EntryClass::OAuth2ResourceServer.into(),
EntryClass::Person.into(),
EntryClass::ServiceAccount.into(),
EntryClass::OAuth2ResourceServer.into(),
],
..Default::default()
};
@ -1082,13 +1090,20 @@ pub static ref SCHEMA_CLASS_CLIENT_CERTIFICATE_DL7: SchemaClass = SchemaClass {
..Default::default()
};
pub static ref SCHEMA_CLASS_APPLICATION_DL8: SchemaClass = SchemaClass {
pub static ref SCHEMA_CLASS_APPLICATION: SchemaClass = SchemaClass {
uuid: UUID_SCHEMA_CLASS_APPLICATION,
name: EntryClass::Application.into(),
description: "The class representing an application".to_string(),
systemmust: vec![Attribute::Name, Attribute::LinkedGroup],
systemmay: vec![Attribute::Description],
systemmust: vec![Attribute::LinkedGroup],
systemmay: vec![
Attribute::ApplicationUrl,
],
// I think this could change before release - I can see a world
// whe we may want an oauth2 application to have application passwords,
// or for this to be it's own thing. But service accounts also don't
// quite do enough, they have api tokens, but that's all we kind
// of want from them?
systemsupplements: vec![EntryClass::ServiceAccount.into()],
..Default::default()
};

4
server/lib/src/plugins/base.rs
View file

@ -365,7 +365,7 @@ mod tests {
let create = vec![e];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,
@ -468,7 +468,7 @@ mod tests {
let create = vec![e];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,

2
server/lib/src/plugins/cred_import.rs
View file

@ -205,7 +205,7 @@ mod tests {
let create = vec![e];
run_create_test!(Ok(()), preload, create, None, |_| {});
run_create_test!(Ok(None), preload, create, None, |_| {});
}
#[test]

8
server/lib/src/plugins/dyngroup.rs
View file

@ -464,7 +464,7 @@ mod tests {
let create = vec![e_dyn];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,
@ -513,7 +513,7 @@ mod tests {
let create = vec![e_group];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,
@ -562,7 +562,7 @@ mod tests {
let create = vec![e_group];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,
@ -607,7 +607,7 @@ mod tests {
let create = vec![e_dyn, e_group];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,

2
server/lib/src/plugins/eckeygen.rs
View file

@ -108,7 +108,7 @@ mod tests {
let create = vec![ea];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,

2
server/lib/src/plugins/jwskeygen.rs
View file

@ -136,7 +136,7 @@ mod tests {
let create = vec![e];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,

8
server/lib/src/plugins/memberof.rs
View file

@ -858,7 +858,7 @@ mod tests {
let preload = Vec::with_capacity(0);
let create = vec![ea, eb];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,
@ -889,7 +889,7 @@ mod tests {
let preload = Vec::with_capacity(0);
let create = vec![ea, eb, ec];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,
@ -941,7 +941,7 @@ mod tests {
let preload = Vec::with_capacity(0);
let create = vec![ea, eb, ec];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,
@ -999,7 +999,7 @@ mod tests {
let preload = Vec::with_capacity(0);
let create = vec![ea, eb, ec, ed];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,

2
server/lib/src/plugins/namehistory.rs
View file

@ -181,7 +181,7 @@ mod tests {
let preload = Vec::with_capacity(0);
let create = vec![ea];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,

4
server/lib/src/plugins/refint.rs
View file

@ -501,7 +501,7 @@ mod tests {
let create = vec![eb];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,
@ -534,7 +534,7 @@ mod tests {
let create = vec![e_group];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,

4
server/lib/src/plugins/spn.rs
View file

@ -233,7 +233,7 @@ mod tests {
let preload = Vec::with_capacity(0);
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,
@ -286,7 +286,7 @@ mod tests {
let preload = Vec::with_capacity(0);
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,

11
server/lib/src/server/create.rs
View file

@ -7,7 +7,7 @@ impl QueryServerWriteTransaction<'_> {
/// The create event is a raw, read only representation of the request
/// that was made to us, including information about the identity
/// performing the request.
pub fn create(&mut self, ce: &CreateEvent) -> Result<(), OperationError> {
pub fn create(&mut self, ce: &CreateEvent) -> Result<Option<Vec<Uuid>>, OperationError> {
if !ce.ident.is_internal() {
security_info!(name = %ce.ident, "create initiator");
}
@ -174,7 +174,12 @@ impl QueryServerWriteTransaction<'_> {
} else {
admin_info!("Create operation success");
}
Ok(())
if ce.return_created_uuids {
Ok(Some(commit_cand.iter().map(|e| e.get_uuid()).collect()))
} else {
Ok(None)
}
}
pub fn internal_create(
@ -182,7 +187,7 @@ impl QueryServerWriteTransaction<'_> {
entries: Vec<Entry<EntryInit, EntryNew>>,
) -> Result<(), OperationError> {
let ce = CreateEvent::new_internal(entries);
self.create(&ce)
self.create(&ce).map(|_| ())
}
}

134
server/lib/src/server/mod.rs
View file

@ -28,8 +28,6 @@ use crate::schema::{
SchemaWriteTransaction,
};
use crate::value::{CredentialType, EXTRACT_VAL_DN};
use crate::valueset::uuid_to_proto_string;
use crate::valueset::ScimValueIntermediate;
use crate::valueset::*;
use concread::arcache::{ARCacheBuilder, ARCacheReadTxn, ARCacheWriteTxn};
use concread::cowcell::*;
@ -1004,138 +1002,6 @@ pub trait QueryServerTransaction<'a> {
}
}
fn resolve_scim_json_put(
&mut self,
attr: &Attribute,
value: Option<JsonValue>,
) -> Result<Option<ValueSet>, OperationError> {
let schema = self.get_schema();
// Lookup the attr
let Some(schema_a) = schema.get_attributes().get(attr) else {
// No attribute of this name exists - fail fast, there is no point to
// proceed, as nothing can be satisfied.
return Err(OperationError::InvalidAttributeName(attr.to_string()));
};
let Some(value) = value else {
// It's a none so the value needs to be unset, and the attr DOES exist in
// schema.
return Ok(None);
};
let resolve_status = match schema_a.syntax {
SyntaxType::Utf8String => ValueSetUtf8::from_scim_json_put(value),
SyntaxType::Utf8StringInsensitive => ValueSetIutf8::from_scim_json_put(value),
SyntaxType::Uuid => ValueSetUuid::from_scim_json_put(value),
SyntaxType::Boolean => ValueSetBool::from_scim_json_put(value),
SyntaxType::SyntaxId => ValueSetSyntax::from_scim_json_put(value),
SyntaxType::IndexId => ValueSetIndex::from_scim_json_put(value),
SyntaxType::ReferenceUuid => ValueSetRefer::from_scim_json_put(value),
SyntaxType::Utf8StringIname => ValueSetIname::from_scim_json_put(value),
SyntaxType::NsUniqueId => ValueSetNsUniqueId::from_scim_json_put(value),
SyntaxType::DateTime => ValueSetDateTime::from_scim_json_put(value),
SyntaxType::EmailAddress => ValueSetEmailAddress::from_scim_json_put(value),
SyntaxType::Url => ValueSetUrl::from_scim_json_put(value),
SyntaxType::OauthScope => ValueSetOauthScope::from_scim_json_put(value),
SyntaxType::OauthScopeMap => ValueSetOauthScopeMap::from_scim_json_put(value),
SyntaxType::OauthClaimMap => ValueSetOauthClaimMap::from_scim_json_put(value),
SyntaxType::UiHint => ValueSetUiHint::from_scim_json_put(value),
SyntaxType::CredentialType => ValueSetCredentialType::from_scim_json_put(value),
SyntaxType::Certificate => ValueSetCertificate::from_scim_json_put(value),
SyntaxType::SshKey => ValueSetSshKey::from_scim_json_put(value),
SyntaxType::Uint32 => ValueSetUint32::from_scim_json_put(value),
// Not Yet ... if ever
// SyntaxType::JsonFilter => ValueSetJsonFilter::from_scim_json_put(value),
SyntaxType::JsonFilter => Err(OperationError::InvalidAttribute(
"Json Filters are not able to be set.".to_string(),
)),
// Can't be set currently as these are only internally generated for key-id's
// SyntaxType::HexString => ValueSetHexString::from_scim_json_put(value),
SyntaxType::HexString => Err(OperationError::InvalidAttribute(
"Hex strings are not able to be set.".to_string(),
)),
// Can't be set until we have better error handling in the set paths
// SyntaxType::Image => ValueSetImage::from_scim_json_put(value),
SyntaxType::Image => Err(OperationError::InvalidAttribute(
"Images are not able to be set.".to_string(),
)),
// Can't be set yet, mostly as I'm lazy
// SyntaxType::WebauthnAttestationCaList => {
// ValueSetWebauthnAttestationCaList::from_scim_json_put(value)
// }
SyntaxType::WebauthnAttestationCaList => Err(OperationError::InvalidAttribute(
"Webauthn Attestation Ca Lists are not able to be set.".to_string(),
)),
// Syntax types that can not be submitted
SyntaxType::Credential => Err(OperationError::InvalidAttribute(
"Credentials are not able to be set.".to_string(),
)),
SyntaxType::SecretUtf8String => Err(OperationError::InvalidAttribute(
"Secrets are not able to be set.".to_string(),
)),
SyntaxType::SecurityPrincipalName => Err(OperationError::InvalidAttribute(
"SPNs are not able to be set.".to_string(),
)),
SyntaxType::Cid => Err(OperationError::InvalidAttribute(
"CIDs are not able to be set.".to_string(),
)),
SyntaxType::PrivateBinary => Err(OperationError::InvalidAttribute(
"Private Binaries are not able to be set.".to_string(),
)),
SyntaxType::IntentToken => Err(OperationError::InvalidAttribute(
"Intent Tokens are not able to be set.".to_string(),
)),
SyntaxType::Passkey => Err(OperationError::InvalidAttribute(
"Passkeys are not able to be set.".to_string(),
)),
SyntaxType::AttestedPasskey => Err(OperationError::InvalidAttribute(
"Attested Passkeys are not able to be set.".to_string(),
)),
SyntaxType::Session => Err(OperationError::InvalidAttribute(
"Sessions are not able to be set.".to_string(),
)),
SyntaxType::JwsKeyEs256 => Err(OperationError::InvalidAttribute(
"Jws ES256 Private Keys are not able to be set.".to_string(),
)),
SyntaxType::JwsKeyRs256 => Err(OperationError::InvalidAttribute(
"Jws RS256 Private Keys are not able to be set.".to_string(),
)),
SyntaxType::Oauth2Session => Err(OperationError::InvalidAttribute(
"Sessions are not able to be set.".to_string(),
)),
SyntaxType::TotpSecret => Err(OperationError::InvalidAttribute(
"TOTP Secrets are not able to be set.".to_string(),
)),
SyntaxType::ApiToken => Err(OperationError::InvalidAttribute(
"API Tokens are not able to be set.".to_string(),
)),
SyntaxType::AuditLogString => Err(OperationError::InvalidAttribute(
"Audit Strings are not able to be set.".to_string(),
)),
SyntaxType::EcKeyPrivate => Err(OperationError::InvalidAttribute(
"EC Private Keys are not able to be set.".to_string(),
)),
SyntaxType::KeyInternal => Err(OperationError::InvalidAttribute(
"Key Internal Structures are not able to be set.".to_string(),
)),
SyntaxType::ApplicationPassword => Err(OperationError::InvalidAttribute(
"Application Passwords are not able to be set.".to_string(),
)),
}?;
match resolve_status {
ValueSetResolveStatus::Resolved(vs) => Ok(vs),
ValueSetResolveStatus::NeedsResolution(vs_inter) => {
self.resolve_valueset_intermediate(vs_inter)
}
}
.map(Some)
}
fn resolve_valueset_intermediate(
&mut self,
vs_inter: ValueSetIntermediate,

315
server/lib/src/server/scim.rs
View file

@ -1,23 +1,27 @@
use crate::prelude::*;
use crate::schema::{SchemaAttribute, SchemaTransaction};
use crate::server::batch_modify::{BatchModifyEvent, ModSetValid};
use kanidm_proto::scim_v1::client::ScimEntryPutGeneric;
use crate::server::ValueSetResolveStatus;
use crate::valueset::*;
use kanidm_proto::scim_v1::client::{ScimEntryPostGeneric, ScimEntryPutGeneric};
use kanidm_proto::scim_v1::JsonValue;
use std::collections::BTreeMap;
#[derive(Debug, Clone)]
#[derive(Debug)]
pub struct ScimEntryPutEvent {
/// The identity performing the change.
pub ident: Identity,
pub(crate) ident: Identity,
// future - etags to detect version changes.
/// The target entry that will be changed
pub target: Uuid,
pub(crate) target: Uuid,
/// Update an attribute to contain the following value state.
/// If the attribute is None, it is removed.
pub attrs: BTreeMap<Attribute, Option<ValueSet>>,
pub(crate) attrs: BTreeMap<Attribute, Option<ValueSet>>,
/// If an effective access check should be carried out post modification
/// of the entries
pub effective_access_check: bool,
pub(crate) effective_access_check: bool,
}
impl ScimEntryPutEvent {
@ -48,6 +52,60 @@ impl ScimEntryPutEvent {
}
}
#[derive(Debug)]
pub struct ScimCreateEvent {
pub(crate) ident: Identity,
pub(crate) entry: EntryInitNew,
}
impl ScimCreateEvent {
pub fn try_from(
ident: Identity,
classes: &[EntryClass],
entry: ScimEntryPostGeneric,
qs: &mut QueryServerWriteTransaction,
) -> Result<Self, OperationError> {
let mut entry = entry
.attrs
.into_iter()
.map(|(attr, json_value)| {
qs.resolve_scim_json_post(&attr, json_value)
.map(|kani_value| (attr, kani_value))
})
.collect::<Result<EntryInitNew, _>>()?;
let classes = ValueSetIutf8::from_iter(classes.iter().map(|cls| cls.as_ref()))
.ok_or(OperationError::SC0027ClassSetInvalid)?;
entry.set_ava_set(&Attribute::Class, classes);
Ok(ScimCreateEvent { ident, entry })
}
}
#[derive(Debug)]
pub struct ScimDeleteEvent {
/// The identity performing the change.
pub(crate) ident: Identity,
// future - etags to detect version changes.
/// The target entry that will be changed
pub(crate) target: Uuid,
/// The class of the target entry.
pub(crate) class: EntryClass,
}
impl ScimDeleteEvent {
pub fn new(ident: Identity, target: Uuid, class: EntryClass) -> Self {
ScimDeleteEvent {
ident,
target,
class,
}
}
}
impl QueryServerWriteTransaction<'_> {
/// SCIM PUT is the handler where a single entry is updated. In a SCIM PUT request
/// the request defines the state of an attribute in entirety for the update. This
@ -115,6 +173,251 @@ impl QueryServerWriteTransaction<'_> {
}
}
}
pub fn scim_create(
&mut self,
scim_create: ScimCreateEvent,
) -> Result<ScimEntryKanidm, OperationError> {
let ScimCreateEvent { ident, entry } = scim_create;
let create_event = CreateEvent {
ident,
entries: vec![entry],
return_created_uuids: true,
};
let changed_uuids = self.create(&create_event)?;
let mut changed_uuids = changed_uuids.ok_or(OperationError::SC0028CreatedUuidsInvalid)?;
let target = if let Some(target) = changed_uuids.pop() {
if !changed_uuids.is_empty() {
// Too many results!
return Err(OperationError::UniqueConstraintViolation);
}
target
} else {
// No results!
return Err(OperationError::NoMatchingEntries);
};
// Now get the entry. We handle a lot of the errors here nicely,
// but if we got to this point, they really can't happen.
let filter_intent = filter!(f_and!([f_eq(Attribute::Uuid, PartialValue::Uuid(target))]));
let f_intent_valid = filter_intent
.validate(self.get_schema())
.map_err(OperationError::SchemaViolation)?;
let f_valid = f_intent_valid.clone().into_ignore_hidden();
let se = SearchEvent {
ident: create_event.ident,
filter: f_valid,
filter_orig: f_intent_valid,
// Return all attributes
attrs: None,
effective_access_check: false,
};
let mut vs = self.search_ext(&se)?;
match vs.pop() {
Some(entry) if vs.is_empty() => entry.to_scim_kanidm(self),
_ => {
if vs.is_empty() {
Err(OperationError::NoMatchingEntries)
} else {
// Multiple entries matched, should not be possible!
Err(OperationError::UniqueConstraintViolation)
}
}
}
}
pub fn scim_delete(&mut self, scim_delete: ScimDeleteEvent) -> Result<(), OperationError> {
let ScimDeleteEvent {
ident,
target,
class,
} = scim_delete;
let filter_intent = filter!(f_eq(Attribute::Uuid, PartialValue::Uuid(target)));
let f_intent_valid = filter_intent
.validate(self.get_schema())
.map_err(OperationError::SchemaViolation)?;
let filter = filter!(f_and!([
f_eq(Attribute::Uuid, PartialValue::Uuid(target)),
f_eq(Attribute::Class, class.into())
]));
let f_valid = filter
.validate(self.get_schema())
.map_err(OperationError::SchemaViolation)?;
let de = DeleteEvent {
ident,
filter: f_valid,
filter_orig: f_intent_valid,
};
self.delete(&de)
}
pub(crate) fn resolve_scim_json_put(
&mut self,
attr: &Attribute,
value: Option<JsonValue>,
) -> Result<Option<ValueSet>, OperationError> {
let schema = self.get_schema();
// Lookup the attr
let Some(schema_a) = schema.get_attributes().get(attr) else {
// No attribute of this name exists - fail fast, there is no point to
// proceed, as nothing can be satisfied.
return Err(OperationError::InvalidAttributeName(attr.to_string()));
};
let Some(value) = value else {
// It's a none so the value needs to be unset, and the attr DOES exist in
// schema.
return Ok(None);
};
self.resolve_scim_json(schema_a, value).map(Some)
}
pub(crate) fn resolve_scim_json_post(
&mut self,
attr: &Attribute,
value: JsonValue,
) -> Result<ValueSet, OperationError> {
let schema = self.get_schema();
// Lookup the attr
let Some(schema_a) = schema.get_attributes().get(attr) else {
// No attribute of this name exists - fail fast, there is no point to
// proceed, as nothing can be satisfied.
return Err(OperationError::InvalidAttributeName(attr.to_string()));
};
self.resolve_scim_json(schema_a, value)
}
fn resolve_scim_json(
&mut self,
schema_a: &SchemaAttribute,
value: JsonValue,
) -> Result<ValueSet, OperationError> {
let resolve_status = match schema_a.syntax {
SyntaxType::Utf8String => ValueSetUtf8::from_scim_json_put(value),
SyntaxType::Utf8StringInsensitive => ValueSetIutf8::from_scim_json_put(value),
SyntaxType::Uuid => ValueSetUuid::from_scim_json_put(value),
SyntaxType::Boolean => ValueSetBool::from_scim_json_put(value),
SyntaxType::SyntaxId => ValueSetSyntax::from_scim_json_put(value),
SyntaxType::IndexId => ValueSetIndex::from_scim_json_put(value),
SyntaxType::ReferenceUuid => ValueSetRefer::from_scim_json_put(value),
SyntaxType::Utf8StringIname => ValueSetIname::from_scim_json_put(value),
SyntaxType::NsUniqueId => ValueSetNsUniqueId::from_scim_json_put(value),
SyntaxType::DateTime => ValueSetDateTime::from_scim_json_put(value),
SyntaxType::EmailAddress => ValueSetEmailAddress::from_scim_json_put(value),
SyntaxType::Url => ValueSetUrl::from_scim_json_put(value),
SyntaxType::OauthScope => ValueSetOauthScope::from_scim_json_put(value),
SyntaxType::OauthScopeMap => ValueSetOauthScopeMap::from_scim_json_put(value),
SyntaxType::OauthClaimMap => ValueSetOauthClaimMap::from_scim_json_put(value),
SyntaxType::UiHint => ValueSetUiHint::from_scim_json_put(value),
SyntaxType::CredentialType => ValueSetCredentialType::from_scim_json_put(value),
SyntaxType::Certificate => ValueSetCertificate::from_scim_json_put(value),
SyntaxType::SshKey => ValueSetSshKey::from_scim_json_put(value),
SyntaxType::Uint32 => ValueSetUint32::from_scim_json_put(value),
// Not Yet ... if ever
// SyntaxType::JsonFilter => ValueSetJsonFilter::from_scim_json_put(value),
SyntaxType::JsonFilter => Err(OperationError::InvalidAttribute(
"Json Filters are not able to be set.".to_string(),
)),
// Can't be set currently as these are only internally generated for key-id's
// SyntaxType::HexString => ValueSetHexString::from_scim_json_put(value),
SyntaxType::HexString => Err(OperationError::InvalidAttribute(
"Hex strings are not able to be set.".to_string(),
)),
// Can't be set until we have better error handling in the set paths
// SyntaxType::Image => ValueSetImage::from_scim_json_put(value),
SyntaxType::Image => Err(OperationError::InvalidAttribute(
"Images are not able to be set.".to_string(),
)),
// Can't be set yet, mostly as I'm lazy
// SyntaxType::WebauthnAttestationCaList => {
// ValueSetWebauthnAttestationCaList::from_scim_json_put(value)
// }
SyntaxType::WebauthnAttestationCaList => Err(OperationError::InvalidAttribute(
"Webauthn Attestation Ca Lists are not able to be set.".to_string(),
)),
// Syntax types that can not be submitted
SyntaxType::Credential => Err(OperationError::InvalidAttribute(
"Credentials are not able to be set.".to_string(),
)),
SyntaxType::SecretUtf8String => Err(OperationError::InvalidAttribute(
"Secrets are not able to be set.".to_string(),
)),
SyntaxType::SecurityPrincipalName => Err(OperationError::InvalidAttribute(
"SPNs are not able to be set.".to_string(),
)),
SyntaxType::Cid => Err(OperationError::InvalidAttribute(
"CIDs are not able to be set.".to_string(),
)),
SyntaxType::PrivateBinary => Err(OperationError::InvalidAttribute(
"Private Binaries are not able to be set.".to_string(),
)),
SyntaxType::IntentToken => Err(OperationError::InvalidAttribute(
"Intent Tokens are not able to be set.".to_string(),
)),
SyntaxType::Passkey => Err(OperationError::InvalidAttribute(
"Passkeys are not able to be set.".to_string(),
)),
SyntaxType::AttestedPasskey => Err(OperationError::InvalidAttribute(
"Attested Passkeys are not able to be set.".to_string(),
)),
SyntaxType::Session => Err(OperationError::InvalidAttribute(
"Sessions are not able to be set.".to_string(),
)),
SyntaxType::JwsKeyEs256 => Err(OperationError::InvalidAttribute(
"Jws ES256 Private Keys are not able to be set.".to_string(),
)),
SyntaxType::JwsKeyRs256 => Err(OperationError::InvalidAttribute(
"Jws RS256 Private Keys are not able to be set.".to_string(),
)),
SyntaxType::Oauth2Session => Err(OperationError::InvalidAttribute(
"Sessions are not able to be set.".to_string(),
)),
SyntaxType::TotpSecret => Err(OperationError::InvalidAttribute(
"TOTP Secrets are not able to be set.".to_string(),
)),
SyntaxType::ApiToken => Err(OperationError::InvalidAttribute(
"API Tokens are not able to be set.".to_string(),
)),
SyntaxType::AuditLogString => Err(OperationError::InvalidAttribute(
"Audit Strings are not able to be set.".to_string(),
)),
SyntaxType::EcKeyPrivate => Err(OperationError::InvalidAttribute(
"EC Private Keys are not able to be set.".to_string(),
)),
SyntaxType::KeyInternal => Err(OperationError::InvalidAttribute(
"Key Internal Structures are not able to be set.".to_string(),
)),
SyntaxType::ApplicationPassword => Err(OperationError::InvalidAttribute(
"Application Passwords are not able to be set.".to_string(),
)),
}?;
match resolve_status {
ValueSetResolveStatus::Resolved(vs) => Ok(vs),
ValueSetResolveStatus::NeedsResolution(vs_inter) => {
self.resolve_valueset_intermediate(vs_inter)
}
}
}
}
#[cfg(test)]

7
server/lib/src/valueset/uuid.rs
View file

@ -238,6 +238,13 @@ impl ValueSetScimPut for ValueSetRefer {
fn from_scim_json_put(value: JsonValue) -> Result<ValueSetResolveStatus, OperationError> {
use kanidm_proto::scim_v1::client::{ScimReference, ScimReferences};
// May be a single reference, lets wrap it in an array to proceed.
let value = if !value.is_array() && value.is_object() {
JsonValue::Array(vec![value])
} else {
value
};
let scim_refs: ScimReferences = serde_json::from_value(value).map_err(|err| {
warn!(?err, "Invalid SCIM reference set syntax");
OperationError::SC0002ReferenceSyntaxInvalid

79
server/testkit/tests/testkit/ldap_basic.rs
View file

@ -1,5 +1,10 @@
use kanidmd_testkit::AsyncTestEnvironment;
use kanidm_proto::scim_v1::client::{ScimEntryApplicationPost, ScimReference};
use kanidmd_testkit::{AsyncTestEnvironment, IDM_ADMIN_TEST_PASSWORD, IDM_ADMIN_TEST_USER};
use ldap3_client::LdapClientBuilder;
use tracing::debug;
const TEST_PERSON: &str = "user_mcuserton";
const TEST_GROUP: &str = "group_mcgroupington";
#[kanidmd_testkit::test(ldap = true)]
async fn test_ldap_basic_unix_bind(test_env: &AsyncTestEnvironment) {
@ -14,3 +19,75 @@ async fn test_ldap_basic_unix_bind(test_env: &AsyncTestEnvironment) {
assert_eq!(whoami, Some("u: anonymous@localhost".to_string()));
}
#[kanidmd_testkit::test(ldap = true)]
async fn test_ldap_application_password_basic(test_env: &AsyncTestEnvironment) {
const APPLICATION_1_NAME: &str = "test_application_1";
// Remember, this isn't the exhaustive test for application password behaviours,
// those are in the main server. This is just a basic smoke test that the interfaces
// are exposed and work in a basic manner.
let idm_admin_rsclient = test_env.rsclient.new_session().unwrap();
// Create a person
idm_admin_rsclient
.auth_simple_password(IDM_ADMIN_TEST_USER, IDM_ADMIN_TEST_PASSWORD)
.await
.expect("Failed to login as admin");
idm_admin_rsclient
.idm_person_account_create(TEST_PERSON, TEST_PERSON)
.await
.expect("Failed to create the user");
idm_admin_rsclient
.idm_group_create(TEST_GROUP, None)
.await
.expect("Failed to create test group");
// Create two applications
let application_1 = ScimEntryApplicationPost {
name: APPLICATION_1_NAME.to_string(),
displayname: APPLICATION_1_NAME.to_string(),
linked_group: ScimReference::from(TEST_GROUP),
};
let application_entry = idm_admin_rsclient
.idm_application_create(&application_1)
.await
.expect("Failed to create the user");
debug!(?application_entry);
// List, get them.
// Login as the person
// Create application passwords
// Check the work.
// Check they can't cross talk.
// Done!
// let ldap_url = test_env.ldap_url.as_ref().unwrap();
// let mut ldap_client = LdapClientBuilder::new(ldap_url).build().await.unwrap();
let result = idm_admin_rsclient
.idm_application_delete(APPLICATION_1_NAME)
.await
.expect("Failed to create the user");
debug!(?result);
// Delete the applications
// Check that you can no longer bind.
// They no longer list
}