1116 UI hint (#1185)

This commit is contained in:
Firstyear 2022-11-14 08:40:05 +10:00 committed by GitHub
parent 06c9e087cb
commit 64759ea20f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
15 changed files with 703 additions and 629 deletions



@ -229,10 +229,9 @@ pub trait IdlSqliteTransaction {
idx_key: &str, idx_key: &str,
) -> Result<Option<IDLBitRange>, OperationError> { ) -> Result<Option<IDLBitRange>, OperationError> {
if !(self.exists_idx(attr, itype)?) { if !(self.exists_idx(attr, itype)?) {
filter_error!( debug!(
"IdlSqliteTransaction: Index {:?} {:?} not found", "IdlSqliteTransaction: Index {:?} {:?} not found",
itype, itype, attr
attr
); );
return Ok(None); return Ok(None);
} }
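Review bot: The `debug!` at the top of the `if !(self.exists_idx(attr, itype)?)` branch is now the only record on this read path that a lookup proceeded without an index, and the branch still returns `Ok(None)` to the caller either way, so at the default log level an operator no longer sees that a filter fell through to whatever the caller does with `None`. The write path in the same commit (the `BackendWriteTransaction` hunk at `@ -1264`) reports the same missing-index condition at `warn!`, so the two levels now look inconsistent unless the downgrade is deliberate. If absent indexes are expected on this path, a comment saying so would make the intent reviewable, e.g. `// A missing index is not an error here: we report it at debug and let the caller decide what to do with None.`. The enclosing function's signature and body start before this hunk.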


@ -1264,7 +1264,7 @@ impl<'a> BackendWriteTransaction<'a> {
idlayer.write_idl(attr, itype, &idx_key, &idl) idlayer.write_idl(attr, itype, &idx_key, &idl)
} }
None => { None => {
admin_error!( warn!(
"WARNING: index {:?} {:?} was not found. YOU MUST REINDEX YOUR DATABASE", "WARNING: index {:?} {:?} was not found. YOU MUST REINDEX YOUR DATABASE",
attr, itype attr, itype
); );
@ -1280,7 +1280,7 @@ impl<'a> BackendWriteTransaction<'a> {
idlayer.write_idl(attr, itype, &idx_key, &idl) idlayer.write_idl(attr, itype, &idx_key, &idl)
} }
None => { None => {
admin_error!( warn!(
"WARNING: index {:?} {:?} was not found. YOU MUST REINDEX YOUR DATABASE", "WARNING: index {:?} {:?} was not found. YOU MUST REINDEX YOUR DATABASE",
attr, itype attr, itype
); );
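Review bot: The message passed to the new `warn!` call still begins with a literal `WARNING:` prefix, so the emitted line will carry the level twice once the logger prints its own `WARN` tag; the format string should drop it, `"index {:?} {:?} was not found. YOU MUST REINDEX YOUR DATABASE",`. The same applies to the second hunk at `@ -1280`, whose `None` arm is byte-for-byte the same as this one; both arms could call one small private helper so the message and level cannot drift apart again. Both hunks sit inside functions whose signatures and remaining bodies are outside this view.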


@ -48,9 +48,8 @@ pub const JSON_IDM_ADMINS_ACP_RECYCLE_SEARCH_V1: &str = r#"{
"name": ["idm_admins_acp_recycle_search"], "name": ["idm_admins_acp_recycle_search"],
"uuid": ["00000000-0000-0000-0000-ffffff000002"], "uuid": ["00000000-0000-0000-0000-ffffff000002"],
"description": ["Builtin IDM admin recycle bin search permission."], "description": ["Builtin IDM admin recycle bin search permission."],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000019\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000019"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"eq\": [\"class\", \"recycled\"]}" "{\"eq\": [\"class\", \"recycled\"]}"
], ],
@ -64,9 +63,8 @@ pub const JSON_IDM_ADMINS_ACP_REVIVE_V1: &str = r#"{
"name": ["idm_admins_acp_revive"], "name": ["idm_admins_acp_revive"],
"uuid": ["00000000-0000-0000-0000-ffffff000003"], "uuid": ["00000000-0000-0000-0000-ffffff000003"],
"description": ["Builtin IDM Administrators Access Controls."], "description": ["Builtin IDM Administrators Access Controls."],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000019\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000019"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"eq\":[\"class\",\"recycled\"]}" "{\"eq\":[\"class\",\"recycled\"]}"
], ],
@ -81,9 +79,8 @@ pub const JSON_IDM_SELF_ACP_READ_V1: &str = r#"{
"name": ["idm_self_acp_read"], "name": ["idm_self_acp_read"],
"uuid": ["00000000-0000-0000-0000-ffffff000004"], "uuid": ["00000000-0000-0000-0000-ffffff000004"],
"description": ["Builtin IDM Control for self read - required for whoami and many other functions."], "description": ["Builtin IDM Control for self read - required for whoami and many other functions."],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000036\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000036"],
],
"acp_targetscope": [ "acp_targetscope": [
"\"self\"" "\"self\""
], ],
@ -114,9 +111,8 @@ pub const JSON_IDM_SELF_ACP_WRITE_V1: &str = r#"{
"name": ["idm_self_acp_write"], "name": ["idm_self_acp_write"],
"uuid": ["00000000-0000-0000-0000-ffffff000021"], "uuid": ["00000000-0000-0000-0000-ffffff000021"],
"description": ["Builtin IDM Control for self write - required for people to update their own identities and credentials in line with best practices."], "description": ["Builtin IDM Control for self write - required for people to update their own identities and credentials in line with best practices."],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000035\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000035"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"person\"]}, {\"eq\": [\"class\",\"account\"]}, \"self\"]}" "{\"and\": [{\"eq\": [\"class\",\"person\"]}, {\"eq\": [\"class\",\"account\"]}, \"self\"]}"
], ],
@ -135,9 +131,8 @@ pub const JSON_IDM_PEOPLE_SELF_ACP_WRITE_MAIL_PRIV_V1: &str = r#"{
"name": ["idm_people_self_acp_write_mail"], "name": ["idm_people_self_acp_write_mail"],
"uuid": ["00000000-0000-0000-0000-ffffff000041"], "uuid": ["00000000-0000-0000-0000-ffffff000041"],
"description": ["Builtin IDM Control for self write of mail for people accounts."], "description": ["Builtin IDM Control for self write of mail for people accounts."],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000033\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000033"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"person\"]}, {\"eq\": [\"class\",\"account\"]}, \"self\"]}" "{\"and\": [{\"eq\": [\"class\",\"person\"]}, {\"eq\": [\"class\",\"account\"]}, \"self\"]}"
], ],
@ -156,9 +151,8 @@ pub const JSON_IDM_ALL_ACP_READ_V1: &str = r#"{
"name": ["idm_all_acp_read"], "name": ["idm_all_acp_read"],
"uuid": ["00000000-0000-0000-0000-ffffff000006"], "uuid": ["00000000-0000-0000-0000-ffffff000006"],
"description": ["Builtin IDM Control for all read - IE anonymous and all authenticated accounts."], "description": ["Builtin IDM Control for all read - IE anonymous and all authenticated accounts."],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000036\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000036"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"pres\": \"class\"}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"pres\": \"class\"}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -188,9 +182,8 @@ pub const JSON_IDM_ACP_PEOPLE_READ_PRIV_V1: &str = r#"{
"name": ["idm_acp_people_read_priv"], "name": ["idm_acp_people_read_priv"],
"uuid": ["00000000-0000-0000-0000-ffffff000007"], "uuid": ["00000000-0000-0000-0000-ffffff000007"],
"description": ["Builtin IDM Control for reading personal sensitive data."], "description": ["Builtin IDM Control for reading personal sensitive data."],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000002\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000002"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"person\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"eq\": [\"class\",\"person\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -210,9 +203,8 @@ pub const JSON_IDM_ACP_PEOPLE_WRITE_PRIV_V1: &str = r#"{
"name": ["idm_acp_people_write_priv"], "name": ["idm_acp_people_write_priv"],
"uuid": ["00000000-0000-0000-0000-ffffff000008"], "uuid": ["00000000-0000-0000-0000-ffffff000008"],
"description": ["Builtin IDM Control for managing personal and sensitive data."], "description": ["Builtin IDM Control for managing personal and sensitive data."],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000003\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000003"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"person\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"eq\": [\"class\",\"person\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -236,9 +228,8 @@ pub const JSON_IDM_ACP_PEOPLE_MANAGE_PRIV_V1: &str = r#"{
"name": ["idm_acp_people_manage"], "name": ["idm_acp_people_manage"],
"uuid": ["00000000-0000-0000-0000-ffffff000013"], "uuid": ["00000000-0000-0000-0000-ffffff000013"],
"description": ["Builtin IDM Control for creating person (user) accounts"], "description": ["Builtin IDM Control for creating person (user) accounts"],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000013\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000013"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"eq\": [\"class\",\"person\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"eq\": [\"class\",\"person\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -273,9 +264,8 @@ pub const JSON_IDM_ACP_PEOPLE_ACCOUNT_PASSWORD_IMPORT_PRIV_V1: &str = r#"{
"name": ["idm_acp_people_account_password_import_priv"], "name": ["idm_acp_people_account_password_import_priv"],
"uuid": ["00000000-0000-0000-0000-ffffff000031"], "uuid": ["00000000-0000-0000-0000-ffffff000031"],
"description": ["Builtin IDM Control for allowing imports of passwords to people+account types."], "description": ["Builtin IDM Control for allowing imports of passwords to people+account types."],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000023\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000023"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"person\"]}, {\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"eq\": [\"class\",\"person\"]}, {\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -299,9 +289,8 @@ pub const JSON_IDM_ACP_PEOPLE_EXTEND_PRIV_V1: &str = r#"{
"name": ["idm_acp_people_extend_priv"], "name": ["idm_acp_people_extend_priv"],
"uuid": ["00000000-0000-0000-0000-ffffff000032"], "uuid": ["00000000-0000-0000-0000-ffffff000032"],
"description": ["Builtin IDM Control for allowing person class extension"], "description": ["Builtin IDM Control for allowing person class extension"],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000024\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000024"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -326,9 +315,8 @@ pub const JSON_IDM_ACP_HP_PEOPLE_READ_PRIV_V1: &str = r#"{
"name": ["idm_acp_hp_people_read_priv"], "name": ["idm_acp_hp_people_read_priv"],
"uuid": ["00000000-0000-0000-0000-ffffff000036"], "uuid": ["00000000-0000-0000-0000-ffffff000036"],
"description": ["Builtin IDM Control for reading high privilege personal sensitive data."], "description": ["Builtin IDM Control for reading high privilege personal sensitive data."],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000028\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000028"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"person\"]}, {\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"eq\": [\"class\",\"person\"]}, {\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -348,9 +336,8 @@ pub const JSON_IDM_ACP_HP_PEOPLE_WRITE_PRIV_V1: &str = r#"{
"name": ["idm_acp_hp_people_write_priv"], "name": ["idm_acp_hp_people_write_priv"],
"uuid": ["00000000-0000-0000-0000-ffffff000037"], "uuid": ["00000000-0000-0000-0000-ffffff000037"],
"description": ["Builtin IDM Control for managing privilege personal and sensitive data."], "description": ["Builtin IDM Control for managing privilege personal and sensitive data."],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000029\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000029"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"person\"]}, {\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"eq\": [\"class\",\"person\"]}, {\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -373,9 +360,8 @@ pub const JSON_IDM_ACP_HP_PEOPLE_EXTEND_PRIV_V1: &str = r#"{
"name": ["idm_acp_hp_people_extend_priv"], "name": ["idm_acp_hp_people_extend_priv"],
"uuid": ["00000000-0000-0000-0000-ffffff000038"], "uuid": ["00000000-0000-0000-0000-ffffff000038"],
"description": ["Builtin IDM Control for allowing privilege person class extension"], "description": ["Builtin IDM Control for allowing privilege person class extension"],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000030\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000030"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -403,9 +389,8 @@ pub const JSON_IDM_ACP_GROUP_WRITE_PRIV_V1: &str = r#"{
"name": ["idm_acp_group_write_priv"], "name": ["idm_acp_group_write_priv"],
"uuid": ["00000000-0000-0000-0000-ffffff000009"], "uuid": ["00000000-0000-0000-0000-ffffff000009"],
"description": ["Builtin IDM Control for managing groups"], "description": ["Builtin IDM Control for managing groups"],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000004\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000004"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"group\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"eq\": [\"class\",\"group\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -431,9 +416,8 @@ pub const JSON_IDM_ACP_ACCOUNT_READ_PRIV_V1: &str = r#"{
"name": ["idm_acp_account_read_priv"], "name": ["idm_acp_account_read_priv"],
"uuid": ["00000000-0000-0000-0000-ffffff000010"], "uuid": ["00000000-0000-0000-0000-ffffff000010"],
"description": ["Builtin IDM Control for accounts."], "description": ["Builtin IDM Control for accounts."],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000005\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000005"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -453,9 +437,8 @@ pub const JSON_IDM_ACP_ACCOUNT_WRITE_PRIV_V1: &str = r#"{
"name": ["idm_acp_account_write_priv"], "name": ["idm_acp_account_write_priv"],
"uuid": ["00000000-0000-0000-0000-ffffff000011"], "uuid": ["00000000-0000-0000-0000-ffffff000011"],
"description": ["Builtin IDM Control for managing all accounts (both person and service)."], "description": ["Builtin IDM Control for managing all accounts (both person and service)."],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000006\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000006"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -479,9 +462,8 @@ pub const JSON_IDM_ACP_ACCOUNT_MANAGE_PRIV_V1: &str = r#"{
"name": ["idm_acp_account_manage"], "name": ["idm_acp_account_manage"],
"uuid": ["00000000-0000-0000-0000-ffffff000012"], "uuid": ["00000000-0000-0000-0000-ffffff000012"],
"description": ["Builtin IDM Control for creating and deleting (service) accounts"], "description": ["Builtin IDM Control for creating and deleting (service) accounts"],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000014\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000014"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -518,9 +500,8 @@ pub const JSON_IDM_ACP_RADIUS_SECRET_READ_PRIV_V1: &str = r#"{
"name": ["idm_acp_radius_secret_read_priv"], "name": ["idm_acp_radius_secret_read_priv"],
"uuid": ["00000000-0000-0000-0000-ffffff000039"], "uuid": ["00000000-0000-0000-0000-ffffff000039"],
"description": ["Builtin IDM Control for reading radius secrets of accounts."], "description": ["Builtin IDM Control for reading radius secrets of accounts."],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000032\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000032"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -540,9 +521,8 @@ pub const JSON_IDM_ACP_RADIUS_SECRET_WRITE_PRIV_V1: &str = r#"{
"name": ["idm_acp_radius_secret_write_priv"], "name": ["idm_acp_radius_secret_write_priv"],
"uuid": ["00000000-0000-0000-0000-ffffff000040"], "uuid": ["00000000-0000-0000-0000-ffffff000040"],
"description": ["Builtin IDM Control allowing writes to user radius secrets."], "description": ["Builtin IDM Control allowing writes to user radius secrets."],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000031\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000031"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -565,9 +545,8 @@ pub const JSON_IDM_ACP_RADIUS_SERVERS_V1: &str = r#"{
"name": ["idm_acp_radius_servers"], "name": ["idm_acp_radius_servers"],
"uuid": ["00000000-0000-0000-0000-ffffff000014"], "uuid": ["00000000-0000-0000-0000-ffffff000014"],
"description": ["Builtin IDM Control for RADIUS servers to read credentials and other needed details."], "description": ["Builtin IDM Control for RADIUS servers to read credentials and other needed details."],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000007\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000007"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"pres\": \"class\"}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"pres\": \"class\"}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -588,9 +567,8 @@ pub const JSON_IDM_ACP_HP_ACCOUNT_READ_PRIV_V1: &str = r#"{
"name": ["idm_acp_hp_account_read_priv"], "name": ["idm_acp_hp_account_read_priv"],
"uuid": ["00000000-0000-0000-0000-ffffff000015"], "uuid": ["00000000-0000-0000-0000-ffffff000015"],
"description": ["Builtin IDM Control for reading high privilege accounts."], "description": ["Builtin IDM Control for reading high privilege accounts."],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000009\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000009"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -610,9 +588,8 @@ pub const JSON_IDM_ACP_HP_ACCOUNT_WRITE_PRIV_V1: &str = r#"{
"name": ["idm_acp_hp_account_write_priv"], "name": ["idm_acp_hp_account_write_priv"],
"uuid": ["00000000-0000-0000-0000-ffffff000016"], "uuid": ["00000000-0000-0000-0000-ffffff000016"],
"description": ["Builtin IDM Control for managing high privilege accounts (both person and service)."], "description": ["Builtin IDM Control for managing high privilege accounts (both person and service)."],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000009\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000009"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -637,9 +614,8 @@ pub const JSON_IDM_ACP_HP_GROUP_WRITE_PRIV_V1: &str = r#"{
"name": ["idm_acp_hp_group_write_priv"], "name": ["idm_acp_hp_group_write_priv"],
"uuid": ["00000000-0000-0000-0000-ffffff000017"], "uuid": ["00000000-0000-0000-0000-ffffff000017"],
"description": ["Builtin IDM Control for managing high privilege groups"], "description": ["Builtin IDM Control for managing high privilege groups"],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000012\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000012"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"group\"]}, {\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"eq\": [\"class\",\"group\"]}, {\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -668,9 +644,8 @@ pub const JSON_IDM_ACP_SCHEMA_WRITE_ATTRS_PRIV_V1: &str = r#"{
"name": ["idm_acp_schema_write_attrs_priv"], "name": ["idm_acp_schema_write_attrs_priv"],
"uuid": ["00000000-0000-0000-0000-ffffff000018"], "uuid": ["00000000-0000-0000-0000-ffffff000018"],
"description": ["Builtin IDM Control for management of schema attributes."], "description": ["Builtin IDM Control for management of schema attributes."],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000010\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000010"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"attributetype\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"eq\": [\"class\",\"attributetype\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -729,9 +704,8 @@ pub const JSON_IDM_ACP_ACP_MANAGE_PRIV_V1: &str = r#"{
"name": ["idm_acp_acp_manage_priv"], "name": ["idm_acp_acp_manage_priv"],
"uuid": ["00000000-0000-0000-0000-ffffff000019"], "uuid": ["00000000-0000-0000-0000-ffffff000019"],
"description": ["Builtin IDM Control for access profiles management."], "description": ["Builtin IDM Control for access profiles management."],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000011\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000011"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"access_control_profile\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"eq\": [\"class\",\"access_control_profile\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -740,7 +714,7 @@ pub const JSON_IDM_ACP_ACP_MANAGE_PRIV_V1: &str = r#"{
"class", "class",
"description", "description",
"acp_enable", "acp_enable",
"acp_receiver", "acp_receiver_group",
"acp_targetscope", "acp_targetscope",
"acp_search_attr", "acp_search_attr",
"acp_modify_removedattr", "acp_modify_removedattr",
@ -754,7 +728,7 @@ pub const JSON_IDM_ACP_ACP_MANAGE_PRIV_V1: &str = r#"{
"class", "class",
"description", "description",
"acp_enable", "acp_enable",
"acp_receiver", "acp_receiver_group",
"acp_targetscope", "acp_targetscope",
"acp_search_attr", "acp_search_attr",
"acp_modify_removedattr", "acp_modify_removedattr",
@ -768,7 +742,7 @@ pub const JSON_IDM_ACP_ACP_MANAGE_PRIV_V1: &str = r#"{
"class", "class",
"description", "description",
"acp_enable", "acp_enable",
"acp_receiver", "acp_receiver_group",
"acp_targetscope", "acp_targetscope",
"acp_search_attr", "acp_search_attr",
"acp_modify_removedattr", "acp_modify_removedattr",
@ -789,7 +763,7 @@ pub const JSON_IDM_ACP_ACP_MANAGE_PRIV_V1: &str = r#"{
"class", "class",
"description", "description",
"acp_enable", "acp_enable",
"acp_receiver", "acp_receiver_group",
"acp_targetscope", "acp_targetscope",
"acp_search_attr", "acp_search_attr",
"acp_modify_removedattr", "acp_modify_removedattr",
@ -820,9 +794,8 @@ pub const JSON_IDM_ACP_SCHEMA_WRITE_CLASSES_PRIV_V1: &str = r#"{
"name": ["idm_acp_schema_write_classes_priv"], "name": ["idm_acp_schema_write_classes_priv"],
"uuid": ["00000000-0000-0000-0000-ffffff000020"], "uuid": ["00000000-0000-0000-0000-ffffff000020"],
"description": ["Builtin IDM Control for management of schema classes."], "description": ["Builtin IDM Control for management of schema classes."],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000010\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000010"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"classtype\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"eq\": [\"class\",\"classtype\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -877,9 +850,8 @@ pub const JSON_IDM_ACP_GROUP_MANAGE_PRIV_V1: &str = r#"{
"name": ["idm_acp_group_manage"], "name": ["idm_acp_group_manage"],
"uuid": ["00000000-0000-0000-0000-ffffff000022"], "uuid": ["00000000-0000-0000-0000-ffffff000022"],
"description": ["Builtin IDM Control for creating and deleting groups in the directory"], "description": ["Builtin IDM Control for creating and deleting groups in the directory"],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000015\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000015"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"group\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"eq\": [\"class\",\"group\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -907,9 +879,8 @@ pub const JSON_IDM_ACP_HP_ACCOUNT_MANAGE_PRIV_V1: &str = r#"{
"name": ["idm_acp_hp_account_manage"], "name": ["idm_acp_hp_account_manage"],
"uuid": ["00000000-0000-0000-0000-ffffff000023"], "uuid": ["00000000-0000-0000-0000-ffffff000023"],
"description": ["Builtin IDM Control for creating and deleting hp and regular (service) accounts"], "description": ["Builtin IDM Control for creating and deleting hp and regular (service) accounts"],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000016\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000016"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -943,9 +914,8 @@ pub const JSON_IDM_ACP_HP_GROUP_MANAGE_PRIV_V1: &str = r#"{
"name": ["idm_acp_hp_group_manage"], "name": ["idm_acp_hp_group_manage"],
"uuid": ["00000000-0000-0000-0000-ffffff000024"], "uuid": ["00000000-0000-0000-0000-ffffff000024"],
"description": ["Builtin IDM Control for creating and deleting hp and regular groups in the directory"], "description": ["Builtin IDM Control for creating and deleting hp and regular groups in the directory"],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000017\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000017"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"group\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"eq\": [\"class\",\"group\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -973,9 +943,8 @@ pub const JSON_IDM_ACP_DOMAIN_ADMIN_PRIV_V1: &str = r#"{
"name": ["idm_acp_domain_admin_priv"], "name": ["idm_acp_domain_admin_priv"],
"uuid": ["00000000-0000-0000-0000-ffffff000026"], "uuid": ["00000000-0000-0000-0000-ffffff000026"],
"description": ["Builtin IDM Control for granting domain info administration locally"], "description": ["Builtin IDM Control for granting domain info administration locally"],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000020\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000020"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"uuid\",\"00000000-0000-0000-0000-ffffff000025\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"eq\": [\"uuid\",\"00000000-0000-0000-0000-ffffff000025\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -1014,9 +983,8 @@ pub const JSON_IDM_ACP_SYSTEM_CONFIG_PRIV_V1: &str = r#"{
"name": ["idm_acp_system_config_priv"], "name": ["idm_acp_system_config_priv"],
"uuid": ["00000000-0000-0000-0000-ffffff000028"], "uuid": ["00000000-0000-0000-0000-ffffff000028"],
"description": ["Builtin IDM Control for granting system configuration rights"], "description": ["Builtin IDM Control for granting system configuration rights"],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000019\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000019"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"uuid\",\"00000000-0000-0000-0000-ffffff000027\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"eq\": [\"uuid\",\"00000000-0000-0000-0000-ffffff000027\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -1047,9 +1015,8 @@ pub const JSON_IDM_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1: &str = r#"{
"name": ["idm_acp_account_unix_extend_priv"], "name": ["idm_acp_account_unix_extend_priv"],
"uuid": ["00000000-0000-0000-0000-ffffff000029"], "uuid": ["00000000-0000-0000-0000-ffffff000029"],
"description": ["Builtin IDM Control for managing accounts."], "description": ["Builtin IDM Control for managing accounts."],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000021\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000021"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -1077,9 +1044,8 @@ pub const JSON_IDM_ACP_GROUP_UNIX_EXTEND_PRIV_V1: &str = r#"{
"name": ["idm_acp_group_unix_extend_priv"], "name": ["idm_acp_group_unix_extend_priv"],
"uuid": ["00000000-0000-0000-0000-ffffff000030"], "uuid": ["00000000-0000-0000-0000-ffffff000030"],
"description": ["Builtin IDM Control for managing and extending unix groups"], "description": ["Builtin IDM Control for managing and extending unix groups"],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000022\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000022"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"group\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"eq\": [\"class\",\"group\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -1108,9 +1074,8 @@ pub const JSON_IDM_HP_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1: &str = r#"{
"name": ["idm_acp_hp_account_unix_extend_priv"], "name": ["idm_acp_hp_account_unix_extend_priv"],
"uuid": ["00000000-0000-0000-0000-ffffff000033"], "uuid": ["00000000-0000-0000-0000-ffffff000033"],
"description": ["Builtin IDM Control for managing and extending unix high privilege accounts."], "description": ["Builtin IDM Control for managing and extending unix high privilege accounts."],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000025\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000025"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -1138,9 +1103,8 @@ pub const JSON_IDM_HP_ACP_GROUP_UNIX_EXTEND_PRIV_V1: &str = r#"{
"name": ["idm_acp_hp_group_unix_extend_priv"], "name": ["idm_acp_hp_group_unix_extend_priv"],
"uuid": ["00000000-0000-0000-0000-ffffff000034"], "uuid": ["00000000-0000-0000-0000-ffffff000034"],
"description": ["Builtin IDM Control for managing and extending unix high privilege groups"], "description": ["Builtin IDM Control for managing and extending unix high privilege groups"],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000026\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000026"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"group\"]}, {\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"eq\": [\"class\",\"group\"]}, {\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -1171,9 +1135,8 @@ pub const JSON_IDM_HP_ACP_OAUTH2_MANAGE_PRIV_V1: &str = r#"{
"name": ["idm_acp_hp_oauth2_manage_priv"], "name": ["idm_acp_hp_oauth2_manage_priv"],
"uuid": ["00000000-0000-0000-0000-ffffff000035"], "uuid": ["00000000-0000-0000-0000-ffffff000035"],
"description": ["Builtin IDM Control for managing oauth2 resource server integrations."], "description": ["Builtin IDM Control for managing oauth2 resource server integrations."],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000027\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000027"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"oauth2_resource_server\"]},{\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"eq\": [\"class\",\"oauth2_resource_server\"]},{\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -1247,9 +1210,8 @@ pub const JSON_IDM_HP_ACP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_V1: &str = r#"{
"name": ["idm_hp_acp_service_account_into_person_migrate"], "name": ["idm_hp_acp_service_account_into_person_migrate"],
"uuid": ["00000000-0000-0000-0000-ffffff000042"], "uuid": ["00000000-0000-0000-0000-ffffff000042"],
"description": ["Builtin IDM Control allowing service accounts to be migrated into persons"], "description": ["Builtin IDM Control allowing service accounts to be migrated into persons"],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000034\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000034"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -1276,9 +1238,8 @@ pub const JSON_IDM_ACP_OAUTH2_READ_PRIV_V1: &str = r#"{
"name": ["idm_acp_oauth2_read_priv"], "name": ["idm_acp_oauth2_read_priv"],
"uuid": ["00000000-0000-0000-0000-ffffff000043"], "uuid": ["00000000-0000-0000-0000-ffffff000043"],
"description": ["Builtin IDM Control allowing persons to view oauth2 applications they can access"], "description": ["Builtin IDM Control allowing persons to view oauth2 applications they can access"],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000035\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000035"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"oauth2_resource_server\"]},{\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"eq\": [\"class\",\"oauth2_resource_server\"]},{\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],
@ -1304,9 +1265,8 @@ pub const JSON_IDM_HP_ACP_SYNC_ACCOUNT_MANAGE_PRIV_V1: &str = r#"{
"name": ["idm_acp_hp_sync_account_manage_priv"], "name": ["idm_acp_hp_sync_account_manage_priv"],
"uuid": ["00000000-0000-0000-0000-ffffff000044"], "uuid": ["00000000-0000-0000-0000-ffffff000044"],
"description": ["Builtin IDM Control for managing IDM synchronisation accounts / connections"], "description": ["Builtin IDM Control for managing IDM synchronisation accounts / connections"],
"acp_receiver": [ "acp_receiver": [],
"{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000037\"]}" "acp_receiver_group": ["00000000-0000-0000-0000-000000000037"],
],
"acp_targetscope": [ "acp_targetscope": [
"{\"and\": [{\"eq\": [\"class\",\"sync_account\"]},{\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" "{\"and\": [{\"eq\": [\"class\",\"sync_account\"]},{\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
], ],

@ -23,6 +23,8 @@ pub const _UUID_IDM_GROUP_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000
pub const _UUID_IDM_HP_ACCOUNT_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000016"); pub const _UUID_IDM_HP_ACCOUNT_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000016");
pub const _UUID_IDM_HP_GROUP_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000017"); pub const _UUID_IDM_HP_GROUP_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000017");
pub const UUID_IDM_ADMIN: Uuid = uuid!("00000000-0000-0000-0000-000000000018"); pub const UUID_IDM_ADMIN: Uuid = uuid!("00000000-0000-0000-0000-000000000018");
pub const STR_UUID_SYSTEM_ADMINS: &str = "00000000-0000-0000-0000-000000000000";
pub const UUID_SYSTEM_ADMINS: Uuid = uuid!("00000000-0000-0000-0000-000000000019"); pub const UUID_SYSTEM_ADMINS: Uuid = uuid!("00000000-0000-0000-0000-000000000019");
pub const UUID_DOMAIN_ADMINS: Uuid = uuid!("00000000-0000-0000-0000-000000000020"); pub const UUID_DOMAIN_ADMINS: Uuid = uuid!("00000000-0000-0000-0000-000000000020");
pub const _UUID_IDM_ACCOUNT_UNIX_EXTEND_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000021"); pub const _UUID_IDM_ACCOUNT_UNIX_EXTEND_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000021");
@ -48,6 +50,7 @@ pub const _UUID_IDM_HP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_PRIV: Uuid =
uuid!("00000000-0000-0000-0000-000000000034"); uuid!("00000000-0000-0000-0000-000000000034");
pub const UUID_IDM_ALL_PERSONS: Uuid = uuid!("00000000-0000-0000-0000-000000000035"); pub const UUID_IDM_ALL_PERSONS: Uuid = uuid!("00000000-0000-0000-0000-000000000035");
pub const STR_UUID_IDM_ALL_ACCOUNTS: &str = "00000000-0000-0000-0000-000000000036";
pub const UUID_IDM_ALL_ACCOUNTS: Uuid = uuid!("00000000-0000-0000-0000-000000000036"); pub const UUID_IDM_ALL_ACCOUNTS: Uuid = uuid!("00000000-0000-0000-0000-000000000036");
pub const _UUID_IDM_HP_SYNC_ACCOUNT_MANAGE_PRIV: Uuid = pub const _UUID_IDM_HP_SYNC_ACCOUNT_MANAGE_PRIV: Uuid =
uuid!("00000000-0000-0000-0000-000000000037"); uuid!("00000000-0000-0000-0000-000000000037");
@ -202,6 +205,7 @@ pub const _UUID_SCHEMA_ATTR_SYNC_TOKEN_SESSION: Uuid =
uuid!("00000000-0000-0000-0000-ffff00000115"); uuid!("00000000-0000-0000-0000-ffff00000115");
pub const _UUID_SCHEMA_ATTR_SYNC_COOKIE: Uuid = uuid!("00000000-0000-0000-0000-ffff00000116"); pub const _UUID_SCHEMA_ATTR_SYNC_COOKIE: Uuid = uuid!("00000000-0000-0000-0000-ffff00000116");
pub const _UUID_SCHEMA_ATTR_OAUTH2_SESSION: Uuid = uuid!("00000000-0000-0000-0000-ffff00000117"); pub const _UUID_SCHEMA_ATTR_OAUTH2_SESSION: Uuid = uuid!("00000000-0000-0000-0000-ffff00000117");
pub const UUID_SCHEMA_ATTR_ACP_RECEIVER_GROUP: Uuid = uuid!("00000000-0000-0000-0000-ffff00000118");
// System and domain infos // System and domain infos
// I'd like to strongly criticise william of the past for making poor choices about these allocations. // I'd like to strongly criticise william of the past for making poor choices about these allocations.
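Review bot: `STR_UUID_SYSTEM_ADMINS` is defined as `"00000000-0000-0000-0000-000000000000"` while `UUID_SYSTEM_ADMINS` on the very next line is `...000000000019`, whereas the other new pair in this file (`STR_UUID_IDM_ALL_ACCOUNTS` / `UUID_IDM_ALL_ACCOUNTS`) agrees on `...036`. If the string form is meant to mirror the `Uuid` constant, it currently names a different builtin entity, and any access-control receiver or filter built from the string would grant to that entity rather than to the system admins group. Suggest `pub const STR_UUID_SYSTEM_ADMINS: &str = "00000000-0000-0000-0000-000000000019";`, or keeping only the `Uuid` constant and formatting it where a string is needed so the two cannot drift. If the `...000000` value is intentional, a comment naming which entity it refers to would stop the next reader from assuming it is a typo.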

@ -390,7 +390,7 @@ impl Entry<EntryInit, EntryNew> {
) )
) )
} }
"member" | "memberof" | "directmemberof" => { "member" | "memberof" | "directmemberof" | "acp_receiver_group" => {
valueset::from_value_iter( valueset::from_value_iter(
vs.into_iter().map(|v| Value::new_refer_s(v.as_str()).unwrap() ) vs.into_iter().map(|v| Value::new_refer_s(v.as_str()).unwrap() )
) )

@ -2385,9 +2385,7 @@ mod tests {
// Process it to ensure the record exists. // Process it to ensure the record exists.
let mut idms_prox_write = task::block_on(idms.proxy_write(ct)); let mut idms_prox_write = task::block_on(idms.proxy_write(ct));
assert!(idms_prox_write assert!(idms_prox_write.process_oauth2sessionrecord(&osr).is_ok());
.process_oauth2sessionrecord(&osr)
.is_ok());
assert!(idms_prox_write.commit().is_ok()); assert!(idms_prox_write.commit().is_ok());
} }
@ -2561,9 +2559,7 @@ mod tests {
// Assert that the session creation was submitted // Assert that the session creation was submitted
let session_id = match idms_delayed.async_rx.blocking_recv() { let session_id = match idms_delayed.async_rx.blocking_recv() {
Some(DelayedAction::Oauth2SessionRecord(osr)) => { Some(DelayedAction::Oauth2SessionRecord(osr)) => {
assert!(idms_prox_write assert!(idms_prox_write.process_oauth2sessionrecord(&osr).is_ok());
.process_oauth2sessionrecord(&osr)
.is_ok());
osr.session_id osr.session_id
} }
_ => { _ => {

@ -2205,10 +2205,7 @@ impl<'a> IdmServerProxyWriteTransaction<'a> {
info!(session_id = %osr.session_id, "Persisting auth session"); info!(session_id = %osr.session_id, "Persisting auth session");
// modify the account to put the session onto it. // modify the account to put the session onto it.
let modlist = ModifyList::new_append( let modlist = ModifyList::new_append("oauth2_session", session);
"oauth2_session",
session,
);
self.qs_write self.qs_write
.internal_modify( .internal_modify(

@ -135,9 +135,10 @@ macro_rules! run_create_test {
let ce = match $internal { let ce = match $internal {
None => CreateEvent::new_internal($create_entries.clone()), None => CreateEvent::new_internal($create_entries.clone()),
Some(e_str) => unsafe { Some(ent) => CreateEvent::new_impersonate_identity(
CreateEvent::new_impersonate_entry_ser(e_str, $create_entries.clone()) Identity::from_impersonate_entry_readwrite(ent),
}, $create_entries.clone(),
),
}; };
{ {
@ -190,8 +191,8 @@ macro_rules! run_modify_test {
let me = match $internal { let me = match $internal {
None => unsafe { ModifyEvent::new_internal_invalid($modify_filter, $modify_list) }, None => unsafe { ModifyEvent::new_internal_invalid($modify_filter, $modify_list) },
Some(e_str) => unsafe { Some(ent) => unsafe {
ModifyEvent::new_impersonate_entry_ser(e_str, $modify_filter, $modify_list) ModifyEvent::new_impersonate_entry(ent, $modify_filter, $modify_list)
}, },
}; };
@ -237,9 +238,7 @@ macro_rules! run_delete_test {
let qs = setup_test!($preload_entries); let qs = setup_test!($preload_entries);
let de = match $internal { let de = match $internal {
Some(e_str) => unsafe { Some(ent) => unsafe { DeleteEvent::new_impersonate_entry(ent, $delete_filter.clone()) },
DeleteEvent::new_impersonate_entry_ser(e_str, $delete_filter.clone())
},
None => unsafe { DeleteEvent::new_internal_invalid($delete_filter.clone()) }, None => unsafe { DeleteEvent::new_internal_invalid($delete_filter.clone()) },
}; };
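Review bot: The `run_create_test!` arm now calls `CreateEvent::new_impersonate_identity(Identity::from_impersonate_entry_readwrite(ent), ...)` with no `unsafe` block, while the `run_modify_test!` and `run_delete_test!` arms keep `unsafe { ... }` around `new_impersonate_entry`; if those constructors are not `unsafe fn` the remaining blocks will warn as `unused_unsafe`, and if they are, the three macros now express the same trust assumption in two different ways. `Identity` is also referenced by bare name inside a `macro_rules!` body, so every test module that invokes `run_create_test!` must have it in scope at the call site (presumably via the prelude); a short comment above the macro such as `// Expects `Identity` to be in scope at the call site (use crate::prelude::*).` would make that requirement explicit. The macro bodies start before and end after these hunks.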

@ -0,0 +1,63 @@
// == ⚠️ Template, not used yet.
//! This plugin is responsible for pre-extraction of access related elements onto
//! entries. This is a "trade" where we sacrifice time in the write path to pre-calculate
//! a number of access related elements, and we benefit in read/write paths due to
//! optimised application of access controls.
//!
//! Additionally, this also extracts and applies a number of access adjacent elements
//! to accounts - An example being UI hints that are tied in with the ability to
//! perform an action in the webui.
pub struct AccessExtract {}
impl Plugin for AccessExtract {
fn id() -> &'static str {
"plugin_session_consistency"
}
#[instrument(
level = "debug",
name = "accessextract_pre_create_transform",
skip_all
)]
fn pre_create_transform(
_qs: &mut QueryServerWriteTransaction,
_cand: &mut Vec<Entry<EntryInvalid, EntryNew>>,
_ce: &CreateEvent,
) -> Result<(), OperationError> {
}
#[instrument(level = "debug", name = "accessextract_pre_modify", skip(_qs, cand, _me))]
fn pre_modify(
_qs: &mut QueryServerWriteTransaction,
_cand: &mut Vec<Entry<EntryInvalid, EntryCommitted>>,
_me: &ModifyEvent,
) -> Result<(), OperationError> {
}
#[instrument(level = "debug", name = "accessextract_pre_delete", skip(_qs, cand, de))]
fn pre_delete(
_qs: &mut QueryServerWriteTransaction,
// Should these be EntrySealed
_cand: &mut Vec<Entry<EntryInvalid, EntryCommitted>>,
_de: &DeleteEvent,
) -> Result<(), OperationError> {
// Clear all extracted values.
}
}
// This is outside the normal plugin interface, but when access controls are reloaded, we
// re-run to update the needed attributes on entries.
impl AccessExtract {
}
#[cfg(test)]
mod tests {
use crate::prelude::*;
}
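Review bot: `fn id()` for `AccessExtract` returns `"plugin_session_consistency"`, which reads as a copy-paste from another plugin; if plugin ids are used to identify plugins in logs or ordering, a duplicated id is misleading, and `"plugin_access_extract"` is the obvious value. The `#[instrument(...)]` on `pre_modify` lists `cand` in `skip(...)` but the parameter is `_cand`, and the one on `pre_delete` lists `cand` and `de` where the parameters are `_cand` and `_de`, so both attributes will fail to compile once this file is added to the module tree — `skip_all`, as already used on `pre_create_transform`, sidesteps the mismatch. The three method bodies are also empty for a `Result<(), OperationError>` return type, so each needs at least `Ok(())` or `todo!()` to be a buildable template. Since the file is marked as a template that is not used yet, a comment naming what still has to be implemented would help whoever picks it up.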

@ -208,38 +208,70 @@ impl Plugin for Base {
#[cfg(test)] #[cfg(test)]
mod tests { mod tests {
use kanidm_proto::v1::PluginError;
use crate::prelude::*; use crate::prelude::*;
use kanidm_proto::v1::PluginError;
use std::sync::Arc;
const JSON_ADMIN_ALLOW_ALL: &'static str = r#"{ const UUID_TEST_ACCOUNT: Uuid = uuid::uuid!("cc8e95b4-c24f-4d68-ba54-8bed76f63930");
"attrs": { const UUID_TEST_GROUP: Uuid = uuid::uuid!("81ec1640-3637-4a2f-8a52-874fa3c3c92f");
"class": [ const UUID_TEST_ACP: Uuid = uuid::uuid!("acae81d6-5ea7-4bd8-8f7f-fcec4c0dd647");
"object",
"access_control_profile", lazy_static! {
"access_control_modify", pub static ref TEST_ACCOUNT: EntryInitNew = entry_init!(
"access_control_create", ("class", Value::new_class("account")),
"access_control_delete", ("class", Value::new_class("service_account")),
"access_control_search" ("class", Value::new_class("memberof")),
], ("name", Value::new_iname("test_account_1")),
"name": ["idm_admins_acp_allow_all_test"], ("displayname", Value::new_utf8s("test_account_1")),
"uuid": ["bb18f746-a409-497d-928c-5455d4aef4f7"], ("uuid", Value::new_uuid(UUID_TEST_ACCOUNT)),
"description": ["Builtin IDM Administrators Access Controls."], ("memberof", Value::new_refer(UUID_TEST_GROUP))
"acp_enable": ["true"], );
"acp_receiver": [ pub static ref TEST_GROUP: EntryInitNew = entry_init!(
"{\"eq\":[\"uuid\",\"00000000-0000-0000-0000-000000000000\"]}" ("class", Value::new_class("group")),
], ("name", Value::new_iname("test_group_a")),
"acp_targetscope": [ ("uuid", Value::new_uuid(UUID_TEST_GROUP)),
"{\"pres\":\"class\"}" ("member", Value::new_refer(UUID_TEST_ACCOUNT))
], );
"acp_search_attr": ["name", "class", "uuid"], pub static ref ALLOW_ALL: EntryInitNew = entry_init!(
"acp_modify_class": ["system"], ("class", Value::new_class("object")),
"acp_modify_removedattr": ["class", "displayname", "may", "must"], ("class", Value::new_class("access_control_profile")),
"acp_modify_presentattr": ["class", "displayname", "may", "must"], ("class", Value::new_class("access_control_modify")),
"acp_create_class": ["object", "person", "system"], ("class", Value::new_class("access_control_create")),
"acp_create_attr": ["name", "class", "description", "displayname", "uuid"] ("class", Value::new_class("access_control_delete")),
("class", Value::new_class("access_control_search")),
("name", Value::new_iname("idm_admins_acp_allow_all_test")),
("uuid", Value::new_uuid(UUID_TEST_ACP)),
("acp_receiver_group", Value::Refer(UUID_TEST_GROUP)),
(
"acp_targetscope",
Value::new_json_filter_s("{\"pres\":\"class\"}").expect("filter")
),
("acp_search_attr", Value::new_iutf8("name")),
("acp_search_attr", Value::new_iutf8("class")),
("acp_search_attr", Value::new_iutf8("uuid")),
("acp_modify_class", Value::new_iutf8("system")),
("acp_modify_removedattr", Value::new_iutf8("class")),
("acp_modify_removedattr", Value::new_iutf8("displayname")),
("acp_modify_removedattr", Value::new_iutf8("may")),
("acp_modify_removedattr", Value::new_iutf8("must")),
("acp_modify_presentattr", Value::new_iutf8("class")),
("acp_modify_presentattr", Value::new_iutf8("displayname")),
("acp_modify_presentattr", Value::new_iutf8("may")),
("acp_modify_presentattr", Value::new_iutf8("must")),
("acp_create_class", Value::new_iutf8("object")),
("acp_create_class", Value::new_iutf8("person")),
("acp_create_class", Value::new_iutf8("system")),
("acp_create_attr", Value::new_iutf8("name")),
("acp_create_attr", Value::new_iutf8("class")),
("acp_create_attr", Value::new_iutf8("description")),
("acp_create_attr", Value::new_iutf8("displayname")),
("acp_create_attr", Value::new_iutf8("uuid"))
);
pub static ref PRELOAD: Vec<EntryInitNew> =
vec![TEST_ACCOUNT.clone(), TEST_GROUP.clone(), ALLOW_ALL.clone()];
pub static ref E_TEST_ACCOUNT: Arc<EntrySealedCommitted> =
Arc::new(unsafe { TEST_ACCOUNT.clone().into_sealed_committed() });
} }
}"#;
// check create where no uuid // check create where no uuid
#[test] #[test]
@ -572,9 +604,7 @@ mod tests {
// Test an external create, it should fail. // Test an external create, it should fail.
// Testing internal create is not super needed, due to migrations at start // Testing internal create is not super needed, due to migrations at start
// up testing this every time we run :P // up testing this every time we run :P
let acp: Entry<EntryInit, EntryNew> = Entry::unsafe_from_entry_str(JSON_ADMIN_ALLOW_ALL); let preload = PRELOAD.clone();
let preload = vec![acp];
let e: Entry<EntryInit, EntryNew> = Entry::unsafe_from_entry_str( let e: Entry<EntryInit, EntryNew> = Entry::unsafe_from_entry_str(
r#"{ r#"{
@ -596,7 +626,7 @@ mod tests {
))), ))),
preload, preload,
create, create,
Some(JSON_ADMIN_V1), Some(E_TEST_ACCOUNT.clone()),
|_| {} |_| {}
); );
} }
@ -606,9 +636,7 @@ mod tests {
// Test an external create, it should fail. // Test an external create, it should fail.
// Testing internal create is not super needed, due to migrations at start // Testing internal create is not super needed, due to migrations at start
// up testing this every time we run :P // up testing this every time we run :P
let acp: Entry<EntryInit, EntryNew> = Entry::unsafe_from_entry_str(JSON_ADMIN_ALLOW_ALL); let preload = PRELOAD.clone();
let preload = vec![acp];
let e: Entry<EntryInit, EntryNew> = Entry::unsafe_from_entry_str( let e: Entry<EntryInit, EntryNew> = Entry::unsafe_from_entry_str(
r#"{ r#"{
@ -630,7 +658,7 @@ mod tests {
))), ))),
preload, preload,
create, create,
Some(JSON_ADMIN_V1), Some(E_TEST_ACCOUNT.clone()),
|_| {} |_| {}
); );
} }
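Review bot: In the new `ALLOW_ALL` fixture the receiver is set with `("acp_receiver_group", Value::Refer(UUID_TEST_GROUP))`, while `TEST_ACCOUNT` and `TEST_GROUP` a few lines above build the same kind of reference with `Value::new_refer(...)`; using one constructor throughout the fixture avoids a reader wondering whether the two forms differ. `E_TEST_ACCOUNT` is sealed straight from the init entry with its `memberof` hand-written rather than derived from `TEST_GROUP`'s `member`, so whether the impersonated identity matches the ACP's receiver group is fixed by the fixture and never exercises the memberof plugin — a one-line comment on `E_TEST_ACCOUNT` such as `// memberof is set by hand here; it is not recomputed from TEST_GROUP.` would save a reader looking for the derivation. The same three UUIDs and the account/group/ACP fixtures are repeated verbatim in the protected.rs test module in this commit; a shared test-support module would keep the two copies from drifting.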

@ -168,49 +168,116 @@ impl Plugin for Protected {
#[cfg(test)] #[cfg(test)]
mod tests { mod tests {
use crate::prelude::*; use crate::prelude::*;
use std::sync::Arc;
const JSON_ADMIN_ALLOW_ALL: &'static str = r#"{ const UUID_TEST_ACCOUNT: Uuid = uuid::uuid!("cc8e95b4-c24f-4d68-ba54-8bed76f63930");
"attrs": { const UUID_TEST_GROUP: Uuid = uuid::uuid!("81ec1640-3637-4a2f-8a52-874fa3c3c92f");
"class": [ const UUID_TEST_ACP: Uuid = uuid::uuid!("acae81d6-5ea7-4bd8-8f7f-fcec4c0dd647");
"object",
"access_control_profile", lazy_static! {
"access_control_modify", pub static ref TEST_ACCOUNT: EntryInitNew = entry_init!(
"access_control_create", ("class", Value::new_class("account")),
"access_control_delete", ("class", Value::new_class("service_account")),
"access_control_search" ("class", Value::new_class("memberof")),
], ("name", Value::new_iname("test_account_1")),
"name": ["idm_admins_acp_allow_all_test"], ("displayname", Value::new_utf8s("test_account_1")),
"uuid": ["bb18f746-a409-497d-928c-5455d4aef4f7"], ("uuid", Value::new_uuid(UUID_TEST_ACCOUNT)),
"description": ["Builtin IDM Administrators Access Controls for TESTING."], ("memberof", Value::new_refer(UUID_TEST_GROUP))
"acp_enable": ["true"], );
"acp_receiver": [ pub static ref TEST_GROUP: EntryInitNew = entry_init!(
"{\"eq\":[\"uuid\",\"00000000-0000-0000-0000-000000000000\"]}" ("class", Value::new_class("group")),
], ("name", Value::new_iname("test_group_a")),
"acp_targetscope": [ ("uuid", Value::new_uuid(UUID_TEST_GROUP)),
"{\"pres\":\"class\"}" ("member", Value::new_refer(UUID_TEST_ACCOUNT))
], );
"acp_search_attr": ["name", "class", "uuid", "classname", "attributename"], pub static ref ALLOW_ALL: EntryInitNew = entry_init!(
"acp_modify_class": ["system", "domain_info"], ("class", Value::new_class("object")),
"acp_modify_removedattr": [ ("class", Value::new_class("access_control_profile")),
"class", "displayname", "may", "must", "domain_name", "domain_display_name", "domain_uuid", "domain_ssid", "fernet_private_key_str", "es256_private_key_der" ("class", Value::new_class("access_control_modify")),
], ("class", Value::new_class("access_control_create")),
"acp_modify_presentattr": [ ("class", Value::new_class("access_control_delete")),
"class", "displayname", "may", "must", "domain_name", "domain_display_name", "domain_uuid", "domain_ssid", "fernet_private_key_str", "es256_private_key_der" ("class", Value::new_class("access_control_search")),
], ("name", Value::new_iname("idm_admins_acp_allow_all_test")),
"acp_create_class": ["object", "person", "system", "domain_info"], ("uuid", Value::new_uuid(UUID_TEST_ACP)),
"acp_create_attr": [ ("acp_receiver_group", Value::Refer(UUID_TEST_GROUP)),
"name", "class", "description", "displayname", "domain_name", "domain_display_name", "domain_uuid", "domain_ssid", "uuid", "fernet_private_key_str", "es256_private_key_der", "version" (
] "acp_targetscope",
Value::new_json_filter_s("{\"pres\":\"class\"}").expect("filter")
),
("acp_search_attr", Value::new_iutf8("name")),
("acp_search_attr", Value::new_iutf8("class")),
("acp_search_attr", Value::new_iutf8("uuid")),
("acp_search_attr", Value::new_iutf8("classname")),
("acp_search_attr", Value::new_iutf8("attributename")),
("acp_modify_class", Value::new_iutf8("system")),
("acp_modify_class", Value::new_iutf8("domain_info")),
("acp_modify_removedattr", Value::new_iutf8("class")),
("acp_modify_removedattr", Value::new_iutf8("displayname")),
("acp_modify_removedattr", Value::new_iutf8("may")),
("acp_modify_removedattr", Value::new_iutf8("must")),
("acp_modify_removedattr", Value::new_iutf8("domain_name")),
(
"acp_modify_removedattr",
Value::new_iutf8("domain_display_name")
),
("acp_modify_removedattr", Value::new_iutf8("domain_uuid")),
("acp_modify_removedattr", Value::new_iutf8("domain_ssid")),
(
"acp_modify_removedattr",
Value::new_iutf8("fernet_private_key_str")
),
(
"acp_modify_removedattr",
Value::new_iutf8("es256_private_key_der")
),
("acp_modify_presentattr", Value::new_iutf8("class")),
("acp_modify_presentattr", Value::new_iutf8("displayname")),
("acp_modify_presentattr", Value::new_iutf8("may")),
("acp_modify_presentattr", Value::new_iutf8("must")),
("acp_modify_presentattr", Value::new_iutf8("domain_name")),
(
"acp_modify_presentattr",
Value::new_iutf8("domain_display_name")
),
("acp_modify_presentattr", Value::new_iutf8("domain_uuid")),
("acp_modify_presentattr", Value::new_iutf8("domain_ssid")),
(
"acp_modify_presentattr",
Value::new_iutf8("fernet_private_key_str")
),
(
"acp_modify_presentattr",
Value::new_iutf8("es256_private_key_der")
),
("acp_create_class", Value::new_iutf8("object")),
("acp_create_class", Value::new_iutf8("person")),
("acp_create_class", Value::new_iutf8("system")),
("acp_create_class", Value::new_iutf8("domain_info")),
("acp_create_attr", Value::new_iutf8("name")),
("acp_create_attr", Value::new_iutf8("class")),
("acp_create_attr", Value::new_iutf8("description")),
("acp_create_attr", Value::new_iutf8("displayname")),
("acp_create_attr", Value::new_iutf8("domain_name")),
("acp_create_attr", Value::new_iutf8("domain_display_name")),
("acp_create_attr", Value::new_iutf8("domain_uuid")),
("acp_create_attr", Value::new_iutf8("domain_ssid")),
("acp_create_attr", Value::new_iutf8("uuid")),
(
"acp_create_attr",
Value::new_iutf8("fernet_private_key_str")
),
("acp_create_attr", Value::new_iutf8("es256_private_key_der")),
("acp_create_attr", Value::new_iutf8("version"))
);
pub static ref PRELOAD: Vec<EntryInitNew> =
vec![TEST_ACCOUNT.clone(), TEST_GROUP.clone(), ALLOW_ALL.clone()];
pub static ref E_TEST_ACCOUNT: Arc<EntrySealedCommitted> =
Arc::new(unsafe { TEST_ACCOUNT.clone().into_sealed_committed() });
} }
}"#;
#[test] #[test]
fn test_pre_create_deny() { fn test_pre_create_deny() {
// Test creating with class: system is rejected. // Test creating with class: system is rejected.
let acp: Entry<EntryInit, EntryNew> = Entry::unsafe_from_entry_str(JSON_ADMIN_ALLOW_ALL);
let preload = vec![acp];
let e: Entry<EntryInit, EntryNew> = Entry::unsafe_from_entry_str( let e: Entry<EntryInit, EntryNew> = Entry::unsafe_from_entry_str(
r#"{ r#"{
"attrs": { "attrs": {
@ -223,19 +290,19 @@ mod tests {
); );
let create = vec![e.clone()]; let create = vec![e.clone()];
let preload = PRELOAD.clone();
run_create_test!( run_create_test!(
Err(OperationError::SystemProtectedObject), Err(OperationError::SystemProtectedObject),
preload, preload,
create, create,
Some(JSON_ADMIN_V1), Some(E_TEST_ACCOUNT.clone()),
|_| {} |_| {}
); );
} }
#[test] #[test]
fn test_pre_modify_system_deny() { fn test_pre_modify_system_deny() {
let acp: Entry<EntryInit, EntryNew> = Entry::unsafe_from_entry_str(JSON_ADMIN_ALLOW_ALL);
// Test modify of class to a system is denied // Test modify of class to a system is denied
let e: Entry<EntryInit, EntryNew> = Entry::unsafe_from_entry_str( let e: Entry<EntryInit, EntryNew> = Entry::unsafe_from_entry_str(
r#"{ r#"{
@ -248,7 +315,8 @@ mod tests {
}"#, }"#,
); );
let preload = vec![acp, e.clone()]; let mut preload = PRELOAD.clone();
preload.push(e.clone());
run_modify_test!( run_modify_test!(
Err(OperationError::SystemProtectedObject), Err(OperationError::SystemProtectedObject),
@ -258,7 +326,7 @@ mod tests {
m_purge("displayname"), m_purge("displayname"),
m_pres("displayname", &Value::new_utf8s("system test")), m_pres("displayname", &Value::new_utf8s("system test")),
]), ]),
Some(JSON_ADMIN_V1), Some(E_TEST_ACCOUNT.clone()),
|_| {}, |_| {},
|_| {} |_| {}
); );
@ -266,7 +334,6 @@ mod tests {
#[test] #[test]
fn test_pre_modify_class_add_deny() { fn test_pre_modify_class_add_deny() {
let acp: Entry<EntryInit, EntryNew> = Entry::unsafe_from_entry_str(JSON_ADMIN_ALLOW_ALL);
// Show that adding a system class is denied // Show that adding a system class is denied
let e: Entry<EntryInit, EntryNew> = Entry::unsafe_from_entry_str( let e: Entry<EntryInit, EntryNew> = Entry::unsafe_from_entry_str(
r#"{ r#"{
@ -279,7 +346,8 @@ mod tests {
}"#, }"#,
); );
let preload = vec![acp, e.clone()]; let mut preload = PRELOAD.clone();
preload.push(e.clone());
run_modify_test!( run_modify_test!(
Ok(()), Ok(()),
@ -289,7 +357,7 @@ mod tests {
m_pres("may", &Value::new_iutf8("name")), m_pres("may", &Value::new_iutf8("name")),
m_pres("must", &Value::new_iutf8("name")), m_pres("must", &Value::new_iutf8("name")),
]), ]),
Some(JSON_ADMIN_V1), Some(E_TEST_ACCOUNT.clone()),
|_| {}, |_| {},
|_| {} |_| {}
); );
@ -297,7 +365,6 @@ mod tests {
#[test] #[test]
fn test_pre_delete_deny() { fn test_pre_delete_deny() {
let acp: Entry<EntryInit, EntryNew> = Entry::unsafe_from_entry_str(JSON_ADMIN_ALLOW_ALL);
// Test deleting with class: system is rejected. // Test deleting with class: system is rejected.
let e: Entry<EntryInit, EntryNew> = Entry::unsafe_from_entry_str( let e: Entry<EntryInit, EntryNew> = Entry::unsafe_from_entry_str(
r#"{ r#"{
@ -310,13 +377,14 @@ mod tests {
}"#, }"#,
); );
let preload = vec![acp, e.clone()]; let mut preload = PRELOAD.clone();
preload.push(e.clone());
run_delete_test!( run_delete_test!(
Err(OperationError::SystemProtectedObject), Err(OperationError::SystemProtectedObject),
preload, preload,
filter!(f_eq("name", PartialValue::new_iname("testperson"))), filter!(f_eq("name", PartialValue::new_iname("testperson"))),
Some(JSON_ADMIN_V1), Some(E_TEST_ACCOUNT.clone()),
|_| {} |_| {}
); );
} }
@ -324,7 +392,6 @@ mod tests {
#[test] #[test]
fn test_modify_domain() { fn test_modify_domain() {
// Can edit *my* domain_ssid and domain_name // Can edit *my* domain_ssid and domain_name
let acp: Entry<EntryInit, EntryNew> = Entry::unsafe_from_entry_str(JSON_ADMIN_ALLOW_ALL);
// Show that adding a system class is denied // Show that adding a system class is denied
let e: Entry<EntryInit, EntryNew> = Entry::unsafe_from_entry_str( let e: Entry<EntryInit, EntryNew> = Entry::unsafe_from_entry_str(
r#"{ r#"{
@ -344,7 +411,8 @@ mod tests {
}"#, }"#,
); );
let preload = vec![acp, e.clone()]; let mut preload = PRELOAD.clone();
preload.push(e.clone());
run_modify_test!( run_modify_test!(
Ok(()), Ok(()),
@ -357,7 +425,7 @@ mod tests {
m_purge("domain_ssid"), m_purge("domain_ssid"),
m_pres("domain_ssid", &Value::new_utf8s("NewExampleWifi")), m_pres("domain_ssid", &Value::new_utf8s("NewExampleWifi")),
]), ]),
Some(JSON_ADMIN_V1), Some(E_TEST_ACCOUNT.clone()),
|_| {}, |_| {},
|_| {} |_| {}
); );
@ -366,8 +434,7 @@ mod tests {
#[test] #[test]
fn test_ext_create_domain() { fn test_ext_create_domain() {
// can not add a domain_info type - note the lack of class: system // can not add a domain_info type - note the lack of class: system
let acp: Entry<EntryInit, EntryNew> = Entry::unsafe_from_entry_str(JSON_ADMIN_ALLOW_ALL);
let preload = vec![acp];
let e: Entry<EntryInit, EntryNew> = Entry::unsafe_from_entry_str( let e: Entry<EntryInit, EntryNew> = Entry::unsafe_from_entry_str(
r#"{ r#"{
"attrs": { "attrs": {
@ -386,19 +453,19 @@ mod tests {
}"#, }"#,
); );
let create = vec![e]; let create = vec![e];
let preload = PRELOAD.clone();
run_create_test!( run_create_test!(
Err(OperationError::SystemProtectedObject), Err(OperationError::SystemProtectedObject),
preload, preload,
create, create,
Some(JSON_ADMIN_V1), Some(E_TEST_ACCOUNT.clone()),
|_| {} |_| {}
); );
} }
#[test] #[test]
fn test_delete_domain() { fn test_delete_domain() {
let acp: Entry<EntryInit, EntryNew> = Entry::unsafe_from_entry_str(JSON_ADMIN_ALLOW_ALL);
// On the real thing we have a class: system, but to prove the point ... // On the real thing we have a class: system, but to prove the point ...
let e: Entry<EntryInit, EntryNew> = Entry::unsafe_from_entry_str( let e: Entry<EntryInit, EntryNew> = Entry::unsafe_from_entry_str(
r#"{ r#"{
@ -418,7 +485,8 @@ mod tests {
}"#, }"#,
); );
let preload = vec![acp, e.clone()]; let mut preload = PRELOAD.clone();
preload.push(e.clone());
run_delete_test!( run_delete_test!(
Err(OperationError::SystemProtectedObject), Err(OperationError::SystemProtectedObject),
@ -427,7 +495,7 @@ mod tests {
"name", "name",
PartialValue::new_iname("domain_example.net.au") PartialValue::new_iname("domain_example.net.au")
)), )),
Some(JSON_ADMIN_V1), Some(E_TEST_ACCOUNT.clone()),
|_| {} |_| {}
); );
} }


@ -975,6 +975,22 @@ impl<'a> SchemaWriteTransaction<'a> {
syntax: SyntaxType::JsonFilter, syntax: SyntaxType::JsonFilter,
}, },
); );
self.attributes.insert(
AttrString::from("acp_receiver_group"),
SchemaAttribute {
name: AttrString::from("acp_receiver_group"),
uuid: UUID_SCHEMA_ATTR_ACP_RECEIVER_GROUP,
description: String::from(
"The group that recieves this access control to allow access",
),
multivalue: false,
unique: false,
phantom: false,
index: vec![IndexType::Equality],
syntax: SyntaxType::ReferenceUuid,
},
);
self.attributes.insert( self.attributes.insert(
AttrString::from("acp_targetscope"), AttrString::from("acp_targetscope"),
SchemaAttribute { SchemaAttribute {
@ -1454,9 +1470,10 @@ impl<'a> SchemaWriteTransaction<'a> {
systemmay: vec![ systemmay: vec![
AttrString::from("acp_enable"), AttrString::from("acp_enable"),
AttrString::from("description"), AttrString::from("description"),
AttrString::from("acp_receiver"),
], ],
systemmust: vec![ systemmust: vec![
AttrString::from("acp_receiver"), AttrString::from("acp_receiver_group"),
AttrString::from("acp_targetscope"), AttrString::from("acp_targetscope"),
AttrString::from("name"), AttrString::from("name"),
], ],
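Review bot: The description string added for `acp_receiver_group` misspells "receives" (`"The group that recieves this access control to allow access"`); since it is persisted in the schema and surfaced to operators it should read `"The group that receives this access control to allow access"`. In the second hunk `acp_receiver` moves from `systemmust` to `systemmay` while `acp_receiver_group` becomes required, so a persisted access_control_profile entry from an earlier database that carries only the filter-based `acp_receiver` would no longer satisfy `systemmust` — if an upgrade migration that populates `acp_receiver_group` is not part of this change, the schema reload will presumably reject those entries, and that deserves a check. The `systemmay` entry would also benefit from a comment stating whether a leftover `acp_receiver` filter is still consulted by the access-control path or is now inert, e.g. `// acp_receiver is kept only for compatibility; access decisions use acp_receiver_group`, once that is confirmed against the evaluation code. The `SchemaWriteTransaction` method containing both hunks starts and ends outside them.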


@ -1063,6 +1063,7 @@ impl QueryServer {
} }
} }
#[instrument(level = "info", name = "system_initialisation", skip_all)]
pub async fn initialise_helper(&self, ts: Duration) -> Result<(), OperationError> { pub async fn initialise_helper(&self, ts: Duration) -> Result<(), OperationError> {
// Check our database version - attempt to do an initial indexing // Check our database version - attempt to do an initial indexing
// based on the in memory configuration // based on the in memory configuration
@ -2611,6 +2612,7 @@ impl<'a> QueryServerWriteTransaction<'a> {
} }
*/ */
#[instrument(level = "info", skip_all)]
pub fn initialise_schema_core(&mut self) -> Result<(), OperationError> { pub fn initialise_schema_core(&mut self) -> Result<(), OperationError> {
admin_debug!("initialise_schema_core -> start ..."); admin_debug!("initialise_schema_core -> start ...");
// Load in all the "core" schema, that we already have in "memory". // Load in all the "core" schema, that we already have in "memory".
@ -2633,6 +2635,7 @@ impl<'a> QueryServerWriteTransaction<'a> {
r r
} }
#[instrument(level = "info", skip_all)]
pub fn initialise_schema_idm(&mut self) -> Result<(), OperationError> { pub fn initialise_schema_idm(&mut self) -> Result<(), OperationError> {
admin_debug!("initialise_schema_idm -> start ..."); admin_debug!("initialise_schema_idm -> start ...");
// List of IDM schemas to init. // List of IDM schemas to init.
@ -2710,6 +2713,7 @@ impl<'a> QueryServerWriteTransaction<'a> {
} }
// This function is idempotent // This function is idempotent
#[instrument(level = "info", skip_all)]
pub fn initialise_idm(&mut self) -> Result<(), OperationError> { pub fn initialise_idm(&mut self) -> Result<(), OperationError> {
// First, check the system_info object. This stores some server information // First, check the system_info object. This stores some server information
// and details. It's a pretty const thing. Also check anonymous, important to many // and details. It's a pretty const thing. Also check anonymous, important to many
@ -3129,6 +3133,7 @@ impl<'a> QueryServerWriteTransaction<'a> {
self.changed_schema.set(true); self.changed_schema.set(true);
} }
#[instrument(level = "info", skip_all)]
pub(crate) fn upgrade_reindex(&mut self, v: i64) -> Result<(), OperationError> { pub(crate) fn upgrade_reindex(&mut self, v: i64) -> Result<(), OperationError> {
self.be_txn.upgrade_reindex(v) self.be_txn.upgrade_reindex(v)
} }
@ -3149,6 +3154,7 @@ impl<'a> QueryServerWriteTransaction<'a> {
*self.phase = phase *self.phase = phase
} }
#[instrument(level = "info", skip_all)]
pub fn commit(mut self) -> Result<(), OperationError> { pub fn commit(mut self) -> Result<(), OperationError> {
// This could be faster if we cache the set of classes changed // This could be faster if we cache the set of classes changed
// in an operation so we can check if we need to do the reload or not // in an operation so we can check if we need to do the reload or not
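Review bot: The span added to `upgrade_reindex` uses `skip_all`, which drops the one argument that would make the span useful, the target version `v`; as a plain `i64` it is safe to record, e.g. `#[instrument(level = "info", skip_all, fields(to_version = v))]`. The other new spans consistently use `skip_all`, which is the right default here because `self` carries transaction state that should not be rendered into logs, but only `initialise_helper` gets an explicit `name = "system_initialisation"`, so either the others should follow that convention or the reason for the single override is worth a one-line comment. Each annotated function's body lies outside its hunk.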


@ -115,7 +115,7 @@ async fn is_attr_writable(rsclient: &KanidmClient, id: &str, attr: &str) -> Opti
), ),
entry => { entry => {
let new_value = match entry { let new_value = match entry {
"acp_receiver" => r#"{"eq":["memberof","00000000-0000-0000-0000-000000000011"]}"#.to_string(), "acp_receiver_group" => "00000000-0000-0000-0000-000000000011".to_string(),
"acp_targetscope" => "{\"and\": [{\"eq\": [\"class\",\"access_control_profile\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}".to_string(), "acp_targetscope" => "{\"and\": [{\"eq\": [\"class\",\"access_control_profile\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}".to_string(),
_ => id.to_string(), _ => id.to_string(),
}; };
@ -418,7 +418,12 @@ async fn test_default_entries_rbac_admins_access_control_entries(rsclient: Kanid
.await .await
.unwrap(); .unwrap();
static ACP_COMMON_ATTRS: [&str; 4] = ["name", "description", "acp_receiver", "acp_targetscope"]; static ACP_COMMON_ATTRS: [&str; 4] = [
"name",
"description",
"acp_receiver_group",
"acp_targetscope",
];
static ACP_ENTRIES: [&str; 28] = [ static ACP_ENTRIES: [&str; 28] = [
"idm_admins_acp_recycle_search", "idm_admins_acp_recycle_search",
"idm_admins_acp_revive", "idm_admins_acp_revive",
@ -513,7 +518,7 @@ async fn test_default_entries_rbac_admins_schema_entries(rsclient: KanidmClient)
"acp_modify_class", "acp_modify_class",
"acp_modify_presentattr", "acp_modify_presentattr",
"acp_modify_removedattr", "acp_modify_removedattr",
"acp_receiver", "acp_receiver_group",
"acp_search_attr", "acp_search_attr",
"acp_targetscope", "acp_targetscope",
"attributename", "attributename",