enforcen den clippen (#2990)

* enforcen den clippen * updating outdated oauth2-related docs * sorry clippy, we tried
2025-02-23 04:27:02 +01:00 · 2024-08-21 10:32:56 +10:00 · 2024-08-21 10:32:56 +10:00 · 7c3deab2c4
parent fbfea05c6c
commit 7c3deab2c4
50 changed files with 377 additions and 522 deletions
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@ -1,10 +1,11 @@
 # Change summary
 -
 Fixes #
 Checklist
 - [ ] This PR contains no AI generated code
 - [ ] `cargo fmt` has been run
 - [ ] `cargo clippy` has been run
 - [ ] `cargo test` has been run and passes
 - [ ] book chapter included (if relevant)
 - [ ] design document included (if relevant)
--- a/.github/workflows/clippy.yml
+++ b/.github/workflows/clippy.yml
@ -1,11 +1,9 @@
 ---
-name: Clippy
+name: Linting checks
-# Trigger the workflow on push or pull request
+# Trigger the workflow on push
 "on":
  push:
    branches-ignore:
      - master
  pull_request:
 env:
@ -34,7 +32,15 @@ jobs:
            pkg-config \
            tpm-udev \
            libtss2-dev
-
+      - name: "Run clippy"
-      - name: "Run clippy (ignores errors, this is just a check)"
+        run: cargo clippy --lib --bins --examples --all-features
-        run: cargo clippy --all-features --all-targets
+  fmt:
-        continue-on-error: true
+    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup sccache
        uses: mozilla-actions/sccache-action@v0.0.5
        with:
          version: "v0.4.2"
      - name: "Run cargo fmt"
        run: cargo fmt --check
--- a/.github/workflows/wasm_test.yml.disabled
+++ b/.github/workflows/wasm_test.yml.disabled
--- a/book/src/integrations/oauth2.md
+++ b/book/src/integrations/oauth2.md
@ -124,12 +124,12 @@ Once created you can view the details of the client.
 ```bash
 kanidm system oauth2 get nextcloud
 ---
 name: nextcloud
 class: oauth2_resource_server
 class: oauth2_resource_server_basic
 class: object
 displayname: Nextcloud Production
 oauth2_rs_basic_secret: hidden
 oauth2_rs_name: nextcloud
 oauth2_rs_origin_landing: https://nextcloud.example.com
 oauth2_rs_token_key: hidden
 ```
@ -144,7 +144,7 @@ kanidm system oauth2 show-basic-secret nextcloud
 ### Configure the Client/Resource Server
-On your client, you should configure the client ID as the `oauth2_rs_name` from Kanidm, and the
+On your client, you should configure the client ID as the `name` from Kanidm, and the
 password to be the value shown in `oauth2_rs_basic_secret`. Ensure that the code
 challenge/verification method is set to S256.
--- a/book/src/integrations/oauth2/examples.md
+++ b/book/src/integrations/oauth2/examples.md
@ -61,7 +61,7 @@ OAUTH2_PROVIDER = "oidc";
 OAUTH2_CLIENT_ID = "miniflux";
 OAUTH2_CLIENT_SECRET = "<oauth2_rs_basic_secret>";
 OAUTH2_REDIRECT_URL = "https://feeds.example.com/oauth2/oidc/callback";
-OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://idm.example.com/oauth2/openid/<oauth2_rs_name>";
+OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://idm.example.com/oauth2/openid/<name>";
 ```
 ## Nextcloud
@ -227,14 +227,14 @@ Vouch Proxy supports multiple OAuth and OIDC login providers. To configure it yo
 oauth:
  auth_url: https://idm.wherekanidmruns.com/ui/oauth2
  callback_url: https://login.wherevouchproxyruns.com/auth
-  client_id: <oauth2_rs_name> # Found in kanidm system oauth2 get XXXX (should be the same as XXXX)
+  client_id: <name> # Found in kanidm system oauth2 get XXXX (should be the same as XXXX)
  client_secret: <oauth2_rs_basic_secret> # Found in kanidm system oauth2 get XXXX
  code_challenge_method: S256
  provider: oidc
  scopes:
    - email # Required due to vouch proxy reliance on mail as a primary identifier
  token_url: https://idm.wherekanidmruns.com/oauth2/token
-  user_info_url: https://idm.wherekanidmruns.com/oauth2/openid/<oauth2_rs_name>/userinfo
+  user_info_url: https://idm.wherekanidmruns.com/oauth2/openid/<name>/userinfo
 ```
 The `email` scope needs to be passed and thus the mail attribute needs to exist on the account:
--- a/clippy.toml
+++ b/clippy.toml
@ -16,4 +16,5 @@ disallowed-types = ["std::collections::HashMap", "std::collections::HashSet"]
 allow-expect-in-tests = true
 allow-unwrap-in-tests = true
 allow-panic-in-tests = true
 allow-dbg-in-tests = true
--- a/libs/scim_proto/src/group.rs
+++ b/libs/scim_proto/src/group.rs
@ -4,7 +4,7 @@ use url::Url;
 use uuid::Uuid;
 #[derive(Serialize, Deserialize, Debug, Clone)]
-struct Member {
+pub struct Member {
    value: Uuid,
    #[serde(rename = "$ref")]
    ref_: Url,
@ -13,7 +13,7 @@ struct Member {
 #[derive(Serialize, Deserialize, Debug, Clone)]
 #[serde(rename_all = "camelCase")]
-struct Group {
+pub struct Group {
    #[serde(flatten)]
    entry: ScimEntry,
--- a/libs/scim_proto/src/user.rs
+++ b/libs/scim_proto/src/user.rs
@ -8,7 +8,7 @@ use serde::{Deserialize, Serialize};
 #[derive(Serialize, Deserialize, Debug, Clone)]
 #[serde(rename_all = "camelCase")]
-struct Name {
+pub struct Name {
    // The full name including all middle names and titles
    formatted: Option<String>,
    family_name: Option<String>,
@ -32,7 +32,7 @@ enum Language {
 // https://datatracker.ietf.org/doc/html/rfc5646
 #[allow(non_camel_case_types)]
 #[derive(Serialize, Deserialize, Debug, Clone)]
-enum Locale {
+pub enum Locale {
    en,
    #[serde(rename = "en-AU")]
    en_AU,
@ -57,7 +57,7 @@ impl fmt::Display for Locale {
 #[allow(non_camel_case_types)]
 #[derive(Serialize, Deserialize, Debug, Clone)]
-enum Timezone {
+pub enum Timezone {
    #[serde(rename = "Australia/Brisbane")]
    australia_brisbane,
    #[serde(rename = "America/Los_Angeles")]
@ -87,7 +87,7 @@ pub struct MultiValueAttr {
 #[derive(Serialize, Deserialize, Debug, Clone)]
 #[serde(rename_all = "camelCase")]
-struct Photo {
+pub struct Photo {
    #[serde(rename = "type")]
    type_: Option<String>,
    primary: Option<bool>,
@ -98,7 +98,7 @@ struct Photo {
 }
 #[derive(Serialize, Deserialize, Debug, Clone)]
-struct Binary {
+pub struct Binary {
    #[serde(rename = "type")]
    type_: Option<String>,
    primary: Option<bool>,
@ -110,7 +110,7 @@ struct Binary {
 #[derive(Serialize, Deserialize, Debug, Clone)]
 #[serde(rename_all = "camelCase")]
-struct Address {
+pub struct Address {
    #[serde(rename = "type")]
    type_: Option<String>,
    primary: Option<bool>,
@ -132,7 +132,7 @@ enum Membership {
 #[derive(Serialize, Deserialize, Debug, Clone)]
 #[serde(rename_all = "camelCase")]
-struct Group {
+pub struct Group {
    #[serde(rename = "type")]
    type_: Option<String>,
    #[serde(rename = "$ref")]
@ -143,7 +143,7 @@ struct Group {
 #[derive(Serialize, Deserialize, Debug, Clone)]
 #[serde(rename_all = "camelCase")]
-struct User {
+pub struct User {
    #[serde(flatten)]
    entry: ScimEntry,
    // required, must be unique, string.
--- a/proto/src/internal/error.rs
+++ b/proto/src/internal/error.rs
@ -79,6 +79,7 @@ pub enum OperationError {
    SchemaViolation(SchemaError),
    Plugin(PluginError),
    FilterGeneration,
    FilterParseError,
    FilterUuidResolution,
    InvalidAttributeName(String),
    InvalidAttribute(String),
@ -260,6 +261,7 @@ impl OperationError {
            Self::SchemaViolation(_) => None,
            Self::Plugin(_) => None,
            Self::FilterGeneration => None,
            Self::FilterParseError => None,
            Self::FilterUuidResolution => None,
            Self::InvalidAttributeName(_) => None,
            Self::InvalidAttribute(_) => None,
--- a/server/core/src/repl/codec.rs
+++ b/server/core/src/repl/codec.rs
@ -216,7 +216,7 @@ mod tests {
        // Clear buffer - setup a request with a length > allowed max.
        buf.clear();
-        let len_bytes = (34 as u64).to_be_bytes();
+        let len_bytes = (34_u64).to_be_bytes();
        buf.extend_from_slice(&len_bytes);
        // Even though the buf len is only 8, this will error as the overall
@ -226,7 +226,7 @@ mod tests {
        // Assert that we request more data on a validly sized req
        buf.clear();
-        let len_bytes = (20 as u64).to_be_bytes();
+        let len_bytes = (20_u64).to_be_bytes();
        buf.extend_from_slice(&len_bytes);
        // Pad in some extra bytes.
        buf.extend_from_slice(&zero);
--- a/server/lib/benches/image_benches.rs
+++ b/server/lib/benches/image_benches.rs
@ -13,9 +13,7 @@ pub fn bench_png_lodepng_validate(c: &mut Criterion) {
            env!("CARGO_MANIFEST_DIR")
        ));
        let contents = black_box(std::fs::read(filename).unwrap());
-        b.iter(|| {
+        b.iter(|| png::png_lodepng_validate(&contents, black_box("oversize_dimensions.png")))
            png::png_lodepng_validate(&contents, black_box(&"oversize_dimensions.png".to_string()))
        })
    });
    group.bench_function("png_lodepng_validate_ok", |b| {
        let filename = black_box(format!(
@ -23,9 +21,7 @@ pub fn bench_png_lodepng_validate(c: &mut Criterion) {
            env!("CARGO_MANIFEST_DIR")
        ));
        let contents = black_box(std::fs::read(filename).unwrap());
-        b.iter(|| {
+        b.iter(|| png::png_lodepng_validate(&contents, black_box("oversize_dimensions.png")))
            png::png_lodepng_validate(&contents, black_box(&"oversize_dimensions.png".to_string()))
        })
    });
    group.finish();
 }
--- a/server/lib/src/be/mod.rs
+++ b/server/lib/src/be/mod.rs
@ -2269,7 +2269,7 @@ mod tests {
        ($be:expr, $ent:expr) => {{
            let ei = $ent.clone().into_sealed_committed();
            let filt = ei
-                .filter_from_attrs(&vec![Attribute::Uuid.into()])
+                .filter_from_attrs(&[Attribute::Uuid.into()])
                .expect("failed to generate filter")
                .into_valid_resolved();
            let lims = Limits::unlimited();
@ -2282,7 +2282,7 @@ mod tests {
        ($be:expr, $ent:expr, $attr:expr) => {{
            let ei = $ent.clone().into_sealed_committed();
            let filt = ei
-                .filter_from_attrs(&vec![Attribute::UserId.into()])
+                .filter_from_attrs(&[Attribute::UserId.into()])
                .expect("failed to generate filter")
                .into_valid_resolved();
            let lims = Limits::unlimited();
@ -2586,16 +2586,10 @@ mod tests {
            let result = fs::remove_file(&db_backup_file_name);
-            match result {
+            if let Err(e) = result {
                Err(e) => {
                // if the error is the file is not found, that's what we want so continue,
                // otherwise return the error
-                    match e.kind() {
+                if e.kind() == std::io::ErrorKind::NotFound {}
                        std::io::ErrorKind::NotFound => {}
                        _ => (),
                    }
                }
                _ => (),
            }
            be.backup(&db_backup_file_name).expect("Backup failed!");
@ -2650,16 +2644,10 @@ mod tests {
            let result = fs::remove_file(&db_backup_file_name);
-            match result {
+            if let Err(e) = result {
                Err(e) => {
                // if the error is the file is not found, that's what we want so continue,
                // otherwise return the error
-                    match e.kind() {
+                if e.kind() == std::io::ErrorKind::NotFound {}
                        std::io::ErrorKind::NotFound => {}
                        _ => (),
                    }
                }
                _ => (),
            }
            be.backup(&db_backup_file_name).expect("Backup failed!");
@ -2856,11 +2844,7 @@ mod tests {
            );
            let uuid_p_idl = be
-                .load_test_idl(
+                .load_test_idl("not_indexed", IndexType::Presence, "_")
                    &"not_indexed".to_string(),
                    IndexType::Presence,
                    &"_".to_string(),
                )
                .unwrap(); // unwrap the result
            assert_eq!(uuid_p_idl, None);
--- a/server/lib/src/constants/entries.rs
+++ b/server/lib/src/constants/entries.rs
@ -21,7 +21,7 @@ use uuid::Uuid;
 #[test]
 fn test_valueattribute_as_str() {
    assert!(Attribute::Class.as_ref() == "class");
-    assert!(Attribute::Class.to_string() == String::from("class"));
+    assert!(Attribute::Class.to_string() == *"class");
 }
 #[test]
--- a/server/lib/src/credential/softlock.rs
+++ b/server/lib/src/credential/softlock.rs
@ -200,10 +200,7 @@ impl CredSoftLock {
    #[cfg(test)]
    pub fn is_state_init(&self) -> bool {
-        match self.state {
+        matches!(self.state, LockState::Init)
            LockState::Init => true,
            _ => false,
        }
    }
    #[cfg(test)]
--- a/server/lib/src/credential/totp.rs
+++ b/server/lib/src/credential/totp.rs
@ -50,7 +50,7 @@ impl Into<u8> for TotpDigits {
    }
 }
-#[derive(Debug, Clone, PartialEq, Eq)]
+#[derive(Debug, Clone, PartialEq, Eq, Copy)]
 pub enum TotpAlgo {
    Sha1,
    Sha256,
@ -58,7 +58,7 @@ pub enum TotpAlgo {
 }
 impl TotpAlgo {
-    pub(crate) fn digest(&self, key: &[u8], counter: u64) -> Result<Vec<u8>, TotpError> {
+    pub(crate) fn digest(self, key: &[u8], counter: u64) -> Result<Vec<u8>, TotpError> {
        let key = PKey::hmac(key).map_err(|_e| TotpError::OpenSSLError)?;
        let mut signer =
            match self {
@ -297,104 +297,104 @@ mod tests {
    }
    fn do_test(
-        key: Vec<u8>,
+        key: &[u8],
        algo: TotpAlgo,
        secs: u64,
        step: u64,
        digits: TotpDigits,
-        expect: Result<u32, TotpError>,
+        expect: &Result<u32, TotpError>,
    ) {
-        let otp = Totp::new(key.clone(), step, algo.clone(), digits);
+        let otp = Totp::new(key.to_vec(), step, algo, digits);
        let d = Duration::from_secs(secs);
        let r = otp.do_totp_duration_from_epoch(&d);
        debug!(
            "key: {:?}, algo: {:?}, time: {:?}, step: {:?}, expect: {:?} == {:?}",
            key, algo, secs, step, expect, r
        );
-        assert!(r == expect);
+        assert_eq!(&r, expect);
    }
    #[test]
    fn totp_sha1_vectors() {
        do_test(
-            vec![0x00, 0x00, 0x00, 0x00],
+            &[0x00, 0x00, 0x00, 0x00],
            TotpAlgo::Sha1,
            1585368920,
            TOTP_DEFAULT_STEP,
            TotpDigits::Six,
-            Ok(728926),
+            &Ok(728926),
        );
        do_test(
-            vec![0x00, 0x00, 0x00, 0x00],
+            &[0x00, 0x00, 0x00, 0x00],
            TotpAlgo::Sha1,
            1585368920,
            TOTP_DEFAULT_STEP,
            TotpDigits::Eight,
-            Ok(74728926),
+            &Ok(74728926),
        );
        do_test(
-            vec![0x00, 0xaa, 0xbb, 0xcc],
+            &[0x00, 0xaa, 0xbb, 0xcc],
            TotpAlgo::Sha1,
            1585369498,
            TOTP_DEFAULT_STEP,
            TotpDigits::Six,
-            Ok(985074),
+            &Ok(985074),
        );
    }
    #[test]
    fn totp_sha256_vectors() {
        do_test(
-            vec![0x00, 0x00, 0x00, 0x00],
+            &[0x00, 0x00, 0x00, 0x00],
            TotpAlgo::Sha256,
            1585369682,
            TOTP_DEFAULT_STEP,
            TotpDigits::Six,
-            Ok(795483),
+            &Ok(795483),
        );
        do_test(
-            vec![0x00, 0x00, 0x00, 0x00],
+            &[0x00, 0x00, 0x00, 0x00],
            TotpAlgo::Sha256,
            1585369682,
            TOTP_DEFAULT_STEP,
            TotpDigits::Eight,
-            Ok(11795483),
+            &Ok(11795483),
        );
        do_test(
-            vec![0x00, 0xaa, 0xbb, 0xcc],
+            &[0x00, 0xaa, 0xbb, 0xcc],
            TotpAlgo::Sha256,
            1585369689,
            TOTP_DEFAULT_STEP,
            TotpDigits::Six,
-            Ok(728402),
+            &Ok(728402),
        );
    }
    #[test]
    fn totp_sha512_vectors() {
        do_test(
-            vec![0x00, 0x00, 0x00, 0x00],
+            &[0x00, 0x00, 0x00, 0x00],
            TotpAlgo::Sha512,
            1585369775,
            TOTP_DEFAULT_STEP,
            TotpDigits::Six,
-            Ok(587735),
+            &Ok(587735),
        );
        do_test(
-            vec![0x00, 0x00, 0x00, 0x00],
+            &[0x00, 0x00, 0x00, 0x00],
            TotpAlgo::Sha512,
            1585369775,
            TOTP_DEFAULT_STEP,
            TotpDigits::Eight,
-            Ok(14587735),
+            &Ok(14587735),
        );
        do_test(
-            vec![0x00, 0xaa, 0xbb, 0xcc],
+            &[0x00, 0xaa, 0xbb, 0xcc],
            TotpAlgo::Sha512,
            1585369780,
            TOTP_DEFAULT_STEP,
            TotpDigits::Six,
-            Ok(952181),
+            &Ok(952181),
        );
    }
--- a/server/lib/src/entry.rs
+++ b/server/lib/src/entry.rs
@ -3383,9 +3383,8 @@ where
                    self.purge_ava(Attribute::try_from(attr)?);
                }
                Modify::Assert(attr, value) => {
-                    self.assert_ava(attr.to_owned(), value).map_err(|e| {
+                    self.assert_ava(attr.to_owned(), value).inspect_err(|_e| {
                        error!("Modification assertion was not met. {} {:?}", attr, value);
                        e
                    })?;
                }
            }
@ -3530,8 +3529,8 @@ mod tests {
        // are adding ... Or do we validate after the changes are made in
        // total?
        let mut e: Entry<EntryInit, EntryNew> = Entry::new();
-        e.add_ava(Attribute::UserId.into(), Value::from("william"));
+        e.add_ava(Attribute::UserId, Value::from("william"));
-        e.add_ava(Attribute::UserId.into(), Value::from("william"));
+        e.add_ava(Attribute::UserId, Value::from("william"));
        let values = e.get_ava_set(Attribute::UserId).expect("Failed to get ava");
        // Should only be one value!
@ -3541,7 +3540,7 @@ mod tests {
    #[test]
    fn test_entry_pres() {
        let mut e: Entry<EntryInit, EntryNew> = Entry::new();
-        e.add_ava(Attribute::UserId.into(), Value::from("william"));
+        e.add_ava(Attribute::UserId, Value::from("william"));
        assert!(e.attribute_pres(Attribute::UserId));
        assert!(!e.attribute_pres(Attribute::Name));
@ -3551,34 +3550,22 @@ mod tests {
    fn test_entry_equality() {
        let mut e: Entry<EntryInit, EntryNew> = Entry::new();
-        e.add_ava(Attribute::UserId.into(), Value::from("william"));
+        e.add_ava(Attribute::UserId, Value::from("william"));
-        assert!(e.attribute_equality(
+        assert!(e.attribute_equality(Attribute::UserId, &PartialValue::new_utf8s("william")));
            Attribute::UserId.into(),
            &PartialValue::new_utf8s("william")
        ));
        assert!(!e.attribute_equality(Attribute::UserId, &PartialValue::new_utf8s("test")));
-        assert!(!e.attribute_equality(
+        assert!(!e.attribute_equality(Attribute::NonExist, &PartialValue::new_utf8s("william")));
            Attribute::NonExist.into(),
            &PartialValue::new_utf8s("william")
        ));
        // Also test non-matching attr syntax
-        assert!(!e.attribute_equality(
+        assert!(!e.attribute_equality(Attribute::UserId, &PartialValue::new_iutf8("william")));
            Attribute::UserId.into(),
            &PartialValue::new_iutf8("william")
        ));
    }
    #[test]
    fn test_entry_substring() {
        let mut e: Entry<EntryInit, EntryNew> = Entry::new();
-        e.add_ava(Attribute::UserId.into(), Value::from("william"));
+        e.add_ava(Attribute::UserId, Value::from("william"));
-        assert!(e.attribute_substring(
+        assert!(e.attribute_substring(Attribute::UserId, &PartialValue::new_utf8s("william")));
            Attribute::UserId.into(),
            &PartialValue::new_utf8s("william")
        ));
        assert!(e.attribute_substring(Attribute::UserId, &PartialValue::new_utf8s("will")));
        assert!(e.attribute_substring(Attribute::UserId, &PartialValue::new_utf8s("liam")));
        assert!(e.attribute_substring(Attribute::UserId, &PartialValue::new_utf8s("lli")));
@ -3630,7 +3617,7 @@ mod tests {
        // Test application of changes to an entry.
        let mut e: Entry<EntryInvalid, EntryNew> = Entry::new().into_invalid_new();
-        e.add_ava(Attribute::UserId.into(), Value::from("william"));
+        e.add_ava(Attribute::UserId, Value::from("william"));
        let present_single_mods = ModifyList::new_valid_list(vec![Modify::Present(
            Attribute::Attr.into(),
@ -3640,10 +3627,7 @@ mod tests {
        assert!(e.apply_modlist(&present_single_mods).is_ok());
        // Assert the changes are there
-        assert!(e.attribute_equality(
+        assert!(e.attribute_equality(Attribute::UserId, &PartialValue::new_utf8s("william")));
            Attribute::UserId.into(),
            &PartialValue::new_utf8s("william")
        ));
        assert!(e.attribute_equality(Attribute::Attr, &PartialValue::new_iutf8("value")));
        // Assert present for multivalue
@ -3655,10 +3639,7 @@ mod tests {
        assert!(e.apply_modlist(&present_multivalue_mods).is_ok());
        assert!(e.attribute_equality(Attribute::Class, &PartialValue::new_iutf8("test")));
-        assert!(e.attribute_equality(
+        assert!(e.attribute_equality(Attribute::Class, &PartialValue::new_iutf8("multi_test")));
            Attribute::Class.into(),
            &PartialValue::new_iutf8("multi_test")
        ));
        // Assert purge on single/multi/empty value
        let purge_single_mods =
@ -3688,13 +3669,13 @@ mod tests {
        assert!(e.apply_modlist(&present_single_mods).is_ok());
        assert!(e.attribute_equality(Attribute::Attr, &PartialValue::new_iutf8("value")));
        assert!(e.apply_modlist(&remove_mods).is_ok());
-        assert!(e.attrs.get(Attribute::Attr.as_ref()).is_none());
+        assert!(!e.attrs.contains_key(Attribute::Attr.as_ref()));
        let remove_empty_mods = remove_mods;
        assert!(e.apply_modlist(&remove_empty_mods).is_ok());
-        assert!(e.attrs.get(Attribute::Attr.as_ref()).is_none());
+        assert!(!e.attrs.contains_key(Attribute::Attr.as_ref()));
    }
    #[test]
@ -3702,7 +3683,7 @@ mod tests {
        let mut e1: Entry<EntryInit, EntryNew> = Entry::new();
        e1.add_ava(Attribute::UserId, Value::from("william"));
        let mut e1_mod = e1.clone();
-        e1_mod.add_ava(Attribute::Extra.into(), Value::from("test"));
+        e1_mod.add_ava(Attribute::Extra, Value::from("test"));
        let e1 = e1.into_sealed_committed();
        let e1_mod = e1_mod.into_sealed_committed();
--- a/server/lib/src/filter.rs
+++ b/server/lib/src/filter.rs
@ -14,6 +14,7 @@ use std::fmt;
 use std::hash::Hash;
 use std::iter;
 use std::num::NonZeroU8;
 use std::str::FromStr;
 use std::sync::Arc;
 use concread::arcache::{ARCache, ARCacheReadTxn};
@ -643,18 +644,6 @@ impl Filter<FilterInvalid> {
        }
    }
    /// ⚠️  - Blindly accept a filter from a string, panicking if it fails to parse.
    /// This is a TEST ONLY method and will never be exposed in production.
    #[cfg(test)]
    pub fn from_str(fc: &str) -> Self {
        let f: FC = serde_json::from_str(fc).expect("Failure parsing filter!");
        Filter {
            state: FilterInvalid {
                inner: FilterComp::new(f),
            },
        }
    }
    pub fn validate(
        &self,
        schema: &dyn SchemaTransaction,
@ -717,6 +706,18 @@ impl Filter<FilterInvalid> {
    }
 }
 impl FromStr for Filter<FilterInvalid> {
    type Err = OperationError;
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        let f: FC = serde_json::from_str(s).map_err(|_| OperationError::FilterParseError)?;
        Ok(Filter {
            state: FilterInvalid {
                inner: FilterComp::new(f),
            },
        })
    }
 }
 impl FilterComp {
    fn new(fc: FC) -> Self {
        match fc {
--- a/server/lib/src/idm/account.rs
+++ b/server/lib/src/idm/account.rs
@ -999,9 +999,8 @@ impl<'a> IdmServerProxyReadTransaction<'a> {
                                                issued_at: s.issued_at,
                                                purpose,
                                            })
-                                            .map_err(|e| {
+                                            .inspect_err(|_e| {
                                                admin_error!("Invalid user auth token {}", u);
                                                e
                                            })
                                    })
                                    .collect::<Result<Vec<_>, _>>()
--- a/server/lib/src/idm/application.rs
+++ b/server/lib/src/idm/application.rs
@ -301,7 +301,7 @@ mod tests {
        );
        let ce = CreateEvent::new_internal(vec![e1, e2]);
        let cr = idms_prox_write.qs_write.create(&ce);
-        assert!(!cr.is_ok());
+        assert!(cr.is_err());
        // Application and Person not allowed together
        let test_grp_name = "testgroup1";
@ -329,7 +329,7 @@ mod tests {
        );
        let ce = CreateEvent::new_internal(vec![e1, e2]);
        let cr = idms_prox_write.qs_write.create(&ce);
-        assert!(!cr.is_ok());
+        assert!(cr.is_err());
        // Supplements not satisfied, Application supplements ServiceAccount
        let test_grp_name = "testgroup1";
@ -352,7 +352,7 @@ mod tests {
        );
        let ce = CreateEvent::new_internal(vec![e1, e2]);
        let cr = idms_prox_write.qs_write.create(&ce);
-        assert!(!cr.is_ok());
+        assert!(cr.is_err());
        // Supplements not satisfied, Application supplements ServiceAccount
        let test_grp_name = "testgroup1";
@ -374,7 +374,7 @@ mod tests {
        );
        let ce = CreateEvent::new_internal(vec![e1, e2]);
        let cr = idms_prox_write.qs_write.create(&ce);
-        assert!(!cr.is_ok());
+        assert!(cr.is_err());
        // Supplements satisfied, Application supplements ServiceAccount
        let test_grp_name = "testgroup1";
@ -427,7 +427,7 @@ mod tests {
        let ce = CreateEvent::new_internal(vec![e1]);
        let cr = idms_prox_write.qs_write.create(&ce);
-        assert!(!cr.is_ok());
+        assert!(cr.is_err());
    }
    // Tests creating an applicatin with a real linked group attribute
--- a/server/lib/src/idm/applinks.rs
+++ b/server/lib/src/idm/applinks.rs
@ -176,7 +176,7 @@ mod tests {
            .list_applinks(&ident)
            .expect("Failed to access related apps");
-        let app = apps.get(0).expect("No apps return!");
+        let app = apps.first().expect("No apps return!");
        assert!(match app {
            AppLink::Oauth2 {
--- a/server/lib/src/idm/authsession.rs
+++ b/server/lib/src/idm/authsession.rs
@ -1837,7 +1837,7 @@ mod tests {
        match audit_rx.try_recv() {
            Ok(AuditEvent::AuthenticationDenied { .. }) => {}
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        }
        // === Now begin a new session, and use a good pw.
@ -1868,7 +1868,7 @@ mod tests {
        match async_rx.blocking_recv() {
            Some(DelayedAction::AuthSessionRecord(_)) => {}
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        }
        drop(async_tx);
@ -1938,7 +1938,7 @@ mod tests {
        match audit_rx.try_recv() {
            Ok(AuditEvent::AuthenticationDenied { .. }) => {}
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        }
        drop(async_tx);
@ -1955,7 +1955,7 @@ mod tests {
            account: account.clone(),
            account_policy: ResolvedAccountPolicy::default(),
            issue: AuthIssueSession::Token,
-            webauthn: webauthn,
+            webauthn,
            ct: duration_from_epoch_now(),
            client_auth_info: Source::Internal.into(),
        };
@ -1995,7 +1995,7 @@ mod tests {
            account: account.clone(),
            account_policy: ResolvedAccountPolicy::default(),
            issue: AuthIssueSession::Token,
-            webauthn: webauthn,
+            webauthn,
            ct: duration_from_epoch_now(),
            client_auth_info: Source::Internal.into(),
        };
@ -2040,7 +2040,7 @@ mod tests {
            account: account.clone(),
            account_policy: ResolvedAccountPolicy::default(),
            issue: AuthIssueSession::Token,
-            webauthn: webauthn,
+            webauthn,
            ct: duration_from_epoch_now(),
            client_auth_info: Source::Internal.into(),
        };
@ -2126,7 +2126,7 @@ mod tests {
            match audit_rx.try_recv() {
                Ok(AuditEvent::AuthenticationDenied { .. }) => {}
-                _ => assert!(false),
+                _ => panic!("Oh no"),
            }
        }
@ -2150,7 +2150,7 @@ mod tests {
            match audit_rx.try_recv() {
                Ok(AuditEvent::AuthenticationDenied { .. }) => {}
-                _ => assert!(false),
+                _ => panic!("Oh no"),
            }
        }
        // check send bad totp, should fail immediate
@ -2171,7 +2171,7 @@ mod tests {
            match audit_rx.try_recv() {
                Ok(AuditEvent::AuthenticationDenied { .. }) => {}
-                _ => assert!(false),
+                _ => panic!("Oh no"),
            }
        }
@ -2205,7 +2205,7 @@ mod tests {
            match audit_rx.try_recv() {
                Ok(AuditEvent::AuthenticationDenied { .. }) => {}
-                _ => assert!(false),
+                _ => panic!("Oh no"),
            }
        }
@ -2239,7 +2239,7 @@ mod tests {
            match async_rx.blocking_recv() {
                Some(DelayedAction::AuthSessionRecord(_)) => {}
-                _ => assert!(false),
+                _ => panic!("Oh no"),
            }
        }
@ -2312,7 +2312,7 @@ mod tests {
            match audit_rx.try_recv() {
                Ok(AuditEvent::AuthenticationDenied { .. }) => {}
-                _ => assert!(false),
+                _ => panic!("Oh no"),
            }
        }
@ -2458,7 +2458,7 @@ mod tests {
            match audit_rx.try_recv() {
                Ok(AuditEvent::AuthenticationDenied { .. }) => {}
-                _ => assert!(false),
+                _ => panic!("Oh no"),
            }
        }
@ -2486,11 +2486,11 @@ mod tests {
            // Check the async counter update was sent.
            match async_rx.blocking_recv() {
                Some(DelayedAction::WebauthnCounterIncrement(_)) => {}
-                _ => assert!(false),
+                _ => panic!("Oh no"),
            }
            match async_rx.blocking_recv() {
                Some(DelayedAction::AuthSessionRecord(_)) => {}
-                _ => assert!(false),
+                _ => panic!("Oh no"),
            }
        }
@ -2519,7 +2519,7 @@ mod tests {
            match audit_rx.try_recv() {
                Ok(AuditEvent::AuthenticationDenied { .. }) => {}
-                _ => assert!(false),
+                _ => panic!("Oh no"),
            }
        }
@ -2567,7 +2567,7 @@ mod tests {
            match audit_rx.try_recv() {
                Ok(AuditEvent::AuthenticationDenied { .. }) => {}
-                _ => assert!(false),
+                _ => panic!("Oh no"),
            }
        }
@ -2617,7 +2617,7 @@ mod tests {
            match audit_rx.try_recv() {
                Ok(AuditEvent::AuthenticationDenied { .. }) => {}
-                _ => assert!(false),
+                _ => panic!("Oh no"),
            }
        }
@ -2639,7 +2639,7 @@ mod tests {
            match audit_rx.try_recv() {
                Ok(AuditEvent::AuthenticationDenied { .. }) => {}
-                _ => assert!(false),
+                _ => panic!("Oh no"),
            }
        }
@ -2671,7 +2671,7 @@ mod tests {
            match audit_rx.try_recv() {
                Ok(AuditEvent::AuthenticationDenied { .. }) => {}
-                _ => assert!(false),
+                _ => panic!("Oh no"),
            }
        }
@ -2710,13 +2710,13 @@ mod tests {
            match audit_rx.try_recv() {
                Ok(AuditEvent::AuthenticationDenied { .. }) => {}
-                _ => assert!(false),
+                _ => panic!("Oh no"),
            }
            // Check the async counter update was sent.
            match async_rx.blocking_recv() {
                Some(DelayedAction::WebauthnCounterIncrement(_)) => {}
-                _ => assert!(false),
+                _ => panic!("Oh no"),
            }
        }
@ -2756,11 +2756,11 @@ mod tests {
            // Check the async counter update was sent.
            match async_rx.blocking_recv() {
                Some(DelayedAction::WebauthnCounterIncrement(_)) => {}
-                _ => assert!(false),
+                _ => panic!("Oh no"),
            }
            match async_rx.blocking_recv() {
                Some(DelayedAction::AuthSessionRecord(_)) => {}
-                _ => assert!(false),
+                _ => panic!("Oh no"),
            }
        }
@ -2821,7 +2821,7 @@ mod tests {
            match audit_rx.try_recv() {
                Ok(AuditEvent::AuthenticationDenied { .. }) => {}
-                _ => assert!(false),
+                _ => panic!("Oh no"),
            }
        }
@ -2843,7 +2843,7 @@ mod tests {
            match audit_rx.try_recv() {
                Ok(AuditEvent::AuthenticationDenied { .. }) => {}
-                _ => assert!(false),
+                _ => panic!("Oh no"),
            }
        }
@ -2873,7 +2873,7 @@ mod tests {
            match audit_rx.try_recv() {
                Ok(AuditEvent::AuthenticationDenied { .. }) => {}
-                _ => assert!(false),
+                _ => panic!("Oh no"),
            }
        }
@ -2912,13 +2912,13 @@ mod tests {
            match audit_rx.try_recv() {
                Ok(AuditEvent::AuthenticationDenied { .. }) => {}
-                _ => assert!(false),
+                _ => panic!("Oh no"),
            }
            // Check the async counter update was sent.
            match async_rx.blocking_recv() {
                Some(DelayedAction::WebauthnCounterIncrement(_)) => {}
-                _ => assert!(false),
+                _ => panic!("Oh no"),
            }
        }
@ -2951,7 +2951,7 @@ mod tests {
            match audit_rx.try_recv() {
                Ok(AuditEvent::AuthenticationDenied { .. }) => {}
-                _ => assert!(false),
+                _ => panic!("Oh no"),
            }
        }
@ -2984,7 +2984,7 @@ mod tests {
            match async_rx.blocking_recv() {
                Some(DelayedAction::AuthSessionRecord(_)) => {}
-                _ => assert!(false),
+                _ => panic!("Oh no"),
            }
        }
@ -3024,11 +3024,11 @@ mod tests {
            // Check the async counter update was sent.
            match async_rx.blocking_recv() {
                Some(DelayedAction::WebauthnCounterIncrement(_)) => {}
-                _ => assert!(false),
+                _ => panic!("Oh no"),
            }
            match async_rx.blocking_recv() {
                Some(DelayedAction::AuthSessionRecord(_)) => {}
-                _ => assert!(false),
+                _ => panic!("Oh no"),
            }
        }
@ -3100,7 +3100,7 @@ mod tests {
            match audit_rx.try_recv() {
                Ok(AuditEvent::AuthenticationDenied { .. }) => {}
-                _ => assert!(false),
+                _ => panic!("Oh no"),
            }
        }
        // check send wrong backup code, should fail immediate
@ -3121,7 +3121,7 @@ mod tests {
            match audit_rx.try_recv() {
                Ok(AuditEvent::AuthenticationDenied { .. }) => {}
-                _ => assert!(false),
+                _ => panic!("Oh no"),
            }
        }
        // check send good backup code, should continue
@ -3154,13 +3154,13 @@ mod tests {
            match audit_rx.try_recv() {
                Ok(AuditEvent::AuthenticationDenied { .. }) => {}
-                _ => assert!(false),
+                _ => panic!("Oh no"),
            }
        }
        // Can't process BackupCodeRemoval without the server instance
        match async_rx.blocking_recv() {
            Some(DelayedAction::BackupCodeRemoval(_)) => {}
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        }
        // check send good backup code, should continue
@ -3194,13 +3194,13 @@ mod tests {
        // Can't process BackupCodeRemoval without the server instance
        match async_rx.blocking_recv() {
            Some(DelayedAction::BackupCodeRemoval(_)) => {}
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        }
        // There will be a auth session record too
        match async_rx.blocking_recv() {
            Some(DelayedAction::AuthSessionRecord(_)) => {}
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        }
        // TOTP should also work:
@ -3236,7 +3236,7 @@ mod tests {
        // There will be a auth session record too
        match async_rx.blocking_recv() {
            Some(DelayedAction::AuthSessionRecord(_)) => {}
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        }
        drop(async_tx);
@ -3313,7 +3313,7 @@ mod tests {
            match async_rx.blocking_recv() {
                Some(DelayedAction::AuthSessionRecord(_)) => {}
-                _ => assert!(false),
+                _ => panic!("Oh no"),
            }
        }
@ -3346,7 +3346,7 @@ mod tests {
            match async_rx.blocking_recv() {
                Some(DelayedAction::AuthSessionRecord(_)) => {}
-                _ => assert!(false),
+                _ => panic!("Oh no"),
            }
        }
--- a/server/lib/src/idm/credupdatesession.rs
+++ b/server/lib/src/idm/credupdatesession.rs
@ -2952,53 +2952,40 @@ mod tests {
            .credential_primary_set_password(&cust, ct, "password")
            .unwrap_err();
        trace!(?err);
-        assert!(match err {
+        assert!(
-            OperationError::PasswordQuality(details)
+            matches!(err, OperationError::PasswordQuality(details) if details == vec!(PasswordFeedback::TooShort(PW_MIN_LENGTH),))
-                if details == vec!(PasswordFeedback::TooShort(PW_MIN_LENGTH),) =>
+        );
                true,
            _ => false,
        });
        let err = cutxn
            .credential_primary_set_password(&cust, ct, "password1234")
            .unwrap_err();
        trace!(?err);
-        assert!(match err {
+        assert!(
-            OperationError::PasswordQuality(details)
+            matches!(err, OperationError::PasswordQuality(details) if details
                if details
            == vec!(
                PasswordFeedback::AddAnotherWordOrTwo,
                PasswordFeedback::ThisIsACommonPassword,
-                    ) =>
+            ))
-                true,
+        );
            _ => false,
        });
        let err = cutxn
            .credential_primary_set_password(&cust, ct, &radius_secret)
            .unwrap_err();
        trace!(?err);
-        assert!(match err {
+        assert!(
-            OperationError::PasswordQuality(details)
+            matches!(err, OperationError::PasswordQuality(details) if details == vec!(PasswordFeedback::DontReusePasswords,))
-                if details == vec!(PasswordFeedback::DontReusePasswords,) =>
+        );
                true,
            _ => false,
        });
        let err = cutxn
            .credential_primary_set_password(&cust, ct, "testperson2023")
            .unwrap_err();
        trace!(?err);
-        assert!(match err {
+        assert!(
-            OperationError::PasswordQuality(details)
+            matches!(err, OperationError::PasswordQuality(details) if details == vec!(
                if details
                    == vec!(
            PasswordFeedback::NamesAndSurnamesByThemselvesAreEasyToGuess,
            PasswordFeedback::AvoidDatesAndYearsThatAreAssociatedWithYou,
-                    ) =>
+                   ))
-                true,
+        );
            _ => false,
        });
        let err = cutxn
            .credential_primary_set_password(
@ -3008,12 +2995,9 @@ mod tests {
            )
            .unwrap_err();
        trace!(?err);
-        assert!(match err {
+        assert!(
-            OperationError::PasswordQuality(details)
+            matches!(err, OperationError::PasswordQuality(details) if details == vec!(PasswordFeedback::BadListed))
-                if details == vec!(PasswordFeedback::BadListed) =>
+        );
                true,
            _ => false,
        });
        assert!(c_status.can_commit);
@ -3066,12 +3050,9 @@ mod tests {
            .credential_primary_set_password(&cust, ct, &pw)
            .unwrap_err();
        trace!(?err);
-        assert!(match err {
+        assert!(
-            OperationError::PasswordQuality(details)
+            matches!(err, OperationError::PasswordQuality(details) if details == vec!(PasswordFeedback::TooShort(test_pw_min_length),))
-                if details == vec!(PasswordFeedback::TooShort(test_pw_min_length),) =>
+        );
                true,
            _ => false,
        });
        // Test pw len of len minus 1
        let pw = password_from_random_len(test_pw_min_length - 1);
@ -3079,12 +3060,8 @@ mod tests {
            .credential_primary_set_password(&cust, ct, &pw)
            .unwrap_err();
        trace!(?err);
-        assert!(match err {
+        assert!(matches!(err,OperationError::PasswordQuality(details)
-            OperationError::PasswordQuality(details)
+                if details == vec!(PasswordFeedback::TooShort(test_pw_min_length),)));
                if details == vec!(PasswordFeedback::TooShort(test_pw_min_length),) =>
                true,
            _ => false,
        });
        // Test pw len of exact len
        let pw = password_from_random_len(test_pw_min_length);
@ -3492,11 +3469,7 @@ mod tests {
            .expect("Failed to initiate passkey registration");
        assert!(matches!(c_status.mfaregstate, MfaRegStateStatus::None));
-        assert!(matches!(
+        assert!(c_status.primary.as_ref().is_none());
            // Should be none.
            c_status.primary.as_ref(),
            None
        ));
        // Check we have the passkey
        trace!(?c_status);
@ -4215,7 +4188,7 @@ mod tests {
        // meets criteria.
        match idms_audit.audit_rx().try_recv() {
            Ok(AuditEvent::AuthenticationDenied { .. }) => {}
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        }
        //  Update creds
--- a/server/lib/src/idm/identityverification.rs
+++ b/server/lib/src/idm/identityverification.rs
@ -508,7 +508,7 @@ mod test {
        );
        let Ok(IdentifyUserResponse::ProvideCode { totp, .. }) = res_higher_user else {
-            return assert!(false);
+            panic!();
        };
        let res_lower_user_wrong = idms_prox_read.handle_identify_user_submit_code(
@ -532,7 +532,7 @@ mod test {
        // now we need to get the code from the lower_user and submit it to the higher_user
        let Ok(IdentifyUserResponse::ProvideCode { totp, .. }) = res_lower_user_correct else {
-            return assert!(false);
+            panic!("Invalid");
        };
        let res_higher_user_2_wrong = idms_prox_read.handle_identify_user_submit_code(
@ -600,7 +600,7 @@ mod test {
            ..
        }) = res_higher_user
        else {
-            return assert!(false);
+            panic!();
        };
        // then we get the lower user code
@ -619,7 +619,7 @@ mod test {
        {
            assert_ne!(higher_user_totp, lower_user_totp);
        } else {
-            assert!(false);
+            debug_assert!(false);
        }
    }
--- a/server/lib/src/idm/ldap.rs
+++ b/server/lib/src/idm/ldap.rs
@ -910,7 +910,7 @@ mod tests {
            ldaps.do_bind(idms, "", "test").await.unwrap_err() == OperationError::NotAuthenticated
        );
        let admin_t = ldaps.do_bind(idms, "admin", TEST_PASSWORD).await.unwrap();
-        assert!(admin_t.is_none() == true);
+        assert!(admin_t.is_none());
        // Setting UNIX_PW_BIND flag to true :
        let mut idms_prox_write = idms.proxy_write(duration_from_epoch_now()).await.unwrap();
@ -1138,7 +1138,7 @@ mod tests {
        let sr = SearchRequest {
            msgid: 1,
-            base: format!("dc=example,dc=com"),
+            base: "dc=example,dc=com".to_string(),
            scope: LdapSearchScope::Subtree,
            filter: LdapFilter::Present(Attribute::ObjectClass.to_string()),
            attrs: vec!["*".to_string()],
@ -1148,7 +1148,7 @@ mod tests {
            .do_search(idms, &sr, &anon_t, Source::Internal)
            .await
            .unwrap();
-        assert!(r1.len() > 0);
+        assert!(!r1.is_empty());
        assert!(r1.len() == r2.len());
    }
@ -1722,7 +1722,7 @@ mod tests {
                    (Attribute::Uuid, "cc8e95b4-c24f-4d68-ba54-8bed76f63930")
                );
            }
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        };
        // Check that when we request +, we get all attrs and the vattrs
@ -1764,7 +1764,7 @@ mod tests {
                    (Attribute::LdapKeys, ssh_ed25519)
                );
            }
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        };
        // Check that when we request an attr by name, we get all of them correctly.
@ -1801,7 +1801,7 @@ mod tests {
                    (Attribute::LdapKeys, ssh_ed25519)
                );
            }
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        };
    }
@ -1927,7 +1927,7 @@ mod tests {
                    (Attribute::Name, "testperson1")
                );
            }
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        };
        // Inspect the token to get its uuid out.
@ -1984,7 +1984,7 @@ mod tests {
                    )
                );
            }
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        };
        // ======= test with a substring search
@ -2039,7 +2039,7 @@ mod tests {
                    )
                );
            }
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        };
    }
@ -2110,7 +2110,7 @@ mod tests {
                    )
                );
            }
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        };
    }
@ -2167,7 +2167,7 @@ mod tests {
                );
                assert!(lsre.attributes.is_empty());
            }
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        };
        // If we request 1.1 and another attr, 1.1 is IGNORED.
@ -2200,7 +2200,7 @@ mod tests {
                    )
                );
            }
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        };
    }
@ -2238,7 +2238,7 @@ mod tests {
                    ("defaultnamingcontext", "dc=example,dc=com")
                );
            }
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        };
        drop(ldaps);
@ -2291,7 +2291,7 @@ mod tests {
                    ("defaultnamingcontext", "o=kanidmproject")
                );
            }
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        };
    }
@ -2399,7 +2399,7 @@ mod tests {
                    )
                );
            }
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        };
    }
@ -2435,13 +2435,13 @@ mod tests {
        assert!(anon_t.effective_session == LdapSession::UnixBind(UUID_ANONYMOUS));
        #[track_caller]
-        fn assert_compare_result(r: &Vec<LdapMsg>, code: LdapResultCode) {
+        fn assert_compare_result(r: &[LdapMsg], code: &LdapResultCode) {
            assert!(r.len() == 1);
            match &r[0].op {
                LdapOp::CompareResult(lcr) => {
-                    assert_eq!(lcr.code, code);
+                    assert_eq!(&lcr.code, code);
                }
-                _ => assert!(false),
+                _ => panic!("Oh no"),
            };
        }
@ -2457,7 +2457,7 @@ mod tests {
                .do_compare(idms, &cr, &anon_t, Source::Internal)
                .await
                .unwrap(),
-            LdapResultCode::CompareTrue,
+            &LdapResultCode::CompareTrue,
        );
        let cr = CompareRequest {
@ -2472,7 +2472,7 @@ mod tests {
                .do_compare(idms, &cr, &anon_t, Source::Internal)
                .await
                .unwrap(),
-            LdapResultCode::CompareTrue,
+            &LdapResultCode::CompareTrue,
        );
        let cr = CompareRequest {
@ -2486,7 +2486,7 @@ mod tests {
                .do_compare(idms, &cr, &anon_t, Source::Internal)
                .await
                .unwrap(),
-            LdapResultCode::CompareFalse,
+            &LdapResultCode::CompareFalse,
        );
        let cr = CompareRequest {
@ -2500,7 +2500,7 @@ mod tests {
                .do_compare(idms, &cr, &anon_t, Source::Internal)
                .await
                .unwrap(),
-            LdapResultCode::NoSuchObject,
+            &LdapResultCode::NoSuchObject,
        );
        let cr = CompareRequest {
--- a/server/lib/src/idm/oauth2.rs
+++ b/server/lib/src/idm/oauth2.rs
@ -2629,7 +2629,7 @@ fn extra_claims_for_account(
        extra_claims.insert(claim_name.to_string(), claim_value.to_json_value());
    }
-    if scopes.contains(&"groups".to_string()) {
+    if scopes.contains("groups") {
        extra_claims.insert(
            "groups".to_string(),
            account
@ -3107,10 +3107,7 @@ mod tests {
        );
        // Should be in the consent phase;
-        let consent_token =
+        let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request else {
            if let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request {
                consent_token
            } else {
            unreachable!();
        };
@ -3172,10 +3169,7 @@ mod tests {
        );
        // Should be in the consent phase;
-        let consent_token =
+        let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request else {
            if let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request {
                consent_token
            } else {
            unreachable!();
        };
@ -3447,10 +3441,7 @@ mod tests {
            OAUTH2_SCOPE_OPENID.to_string()
        );
-        let consent_token =
+        let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request else {
            if let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request {
                consent_token
            } else {
            unreachable!();
        };
@ -3527,10 +3518,7 @@ mod tests {
            OAUTH2_SCOPE_OPENID.to_string()
        );
-        let consent_token =
+        let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request else {
            if let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request {
                consent_token
            } else {
            unreachable!();
        };
@ -3695,10 +3683,7 @@ mod tests {
        trace!(?consent_request);
        // Should be in the consent phase;
-        let consent_token =
+        let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request else {
            if let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request {
                consent_token
            } else {
            unreachable!();
        };
@ -3820,10 +3805,7 @@ mod tests {
            OAUTH2_SCOPE_OPENID.to_string()
        );
-        let consent_token =
+        let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request else {
            if let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request {
                consent_token
            } else {
            unreachable!();
        };
@ -3914,10 +3896,7 @@ mod tests {
            OAUTH2_SCOPE_OPENID.to_string()
        );
-        let consent_token =
+        let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request else {
            if let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request {
                consent_token
            } else {
            unreachable!();
        };
@ -4083,10 +4062,7 @@ mod tests {
            OAUTH2_SCOPE_OPENID.to_string()
        );
-        let consent_token =
+        let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request else {
            if let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request {
                consent_token
            } else {
            unreachable!();
        };
@ -4187,10 +4163,10 @@ mod tests {
                    &ResolvedAccountPolicy::test_policy(),
                )
                .expect("Unable to create uat");
-            let ident2 = idms_prox_write
+
            idms_prox_write
                .process_uat_to_identity(&uat2, ct, Source::Internal)
-                .expect("Unable to process uat");
+                .expect("Unable to process uat")
            ident2
        };
        let idms_prox_read = idms.proxy_read().await.unwrap();
@ -4206,10 +4182,7 @@ mod tests {
            OAUTH2_SCOPE_OPENID.to_string()
        );
-        let consent_token =
+        let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request else {
            if let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request {
                consent_token
            } else {
            unreachable!();
        };
@ -4518,10 +4491,7 @@ mod tests {
            OAUTH2_SCOPE_OPENID.to_string()
        );
-        let consent_token =
+        let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request else {
            if let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request {
                consent_token
            } else {
            unreachable!();
        };
@ -4703,10 +4673,7 @@ mod tests {
            OAUTH2_SCOPE_OPENID.to_string()
        );
-        let consent_token =
+        let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request else {
            if let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request {
                consent_token
            } else {
            unreachable!();
        };
@ -4791,10 +4758,7 @@ mod tests {
            "openid groups".to_string()
        );
-        let consent_token =
+        let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request else {
            if let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request {
                consent_token
            } else {
            unreachable!();
        };
@ -4846,11 +4810,11 @@ mod tests {
            .expect("Failed to verify oidc");
        // does our id_token contain the expected groups?
-        assert!(oidc.claims.contains_key(&"groups".to_string()));
+        assert!(oidc.claims.contains_key("groups"));
        assert!(oidc
            .claims
-            .get(&"groups".to_string())
+            .get("groups")
            .expect("unable to find key")
            .as_array()
            .unwrap()
@ -4862,9 +4826,7 @@ mod tests {
            .expect("failed to get userinfo");
        // does the userinfo endpoint provide the same groups?
-        assert!(
+        assert!(oidc.claims.get("groups") == userinfo.claims.get("groups"));
            oidc.claims.get(&"groups".to_string()) == userinfo.claims.get(&"groups".to_string())
        );
    }
    //  Check insecure pkce behaviour.
@ -4954,10 +4916,7 @@ mod tests {
            OAUTH2_SCOPE_OPENID.to_string()
        );
-        let consent_token =
+        let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request else {
            if let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request {
                consent_token
            } else {
            unreachable!();
        };
@ -5029,10 +4988,7 @@ mod tests {
        );
        // Should be in the consent phase;
-        let consent_token =
+        let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request else {
            if let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request {
                consent_token
            } else {
            unreachable!();
        };
@ -5064,10 +5020,7 @@ mod tests {
        );
        // Should be in the consent phase;
-        let _permit_success = if let AuthoriseResponse::Permitted(permit_success) = consent_request
+        let AuthoriseResponse::Permitted(_permit_success) = consent_request else {
        {
            permit_success
        } else {
            unreachable!();
        };
@ -5128,10 +5081,7 @@ mod tests {
            .expect("Oauth2 authorisation failed");
        // Should be in the consent phase;
-        let _consent_token =
+        let AuthoriseResponse::ConsentRequested { .. } = consent_request else {
            if let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request {
                consent_token
            } else {
            unreachable!();
        };
@ -5195,7 +5145,7 @@ mod tests {
            ..
        } = consent_request
        {
-            assert!(scopes.contains(&"newscope".to_string()));
+            assert!(scopes.contains("newscope"));
            consent_token
        } else {
            unreachable!();
@ -5226,10 +5176,7 @@ mod tests {
        );
        // Should be in the consent phase;
-        let consent_token =
+        let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request else {
            if let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request {
                consent_token
            } else {
            unreachable!();
        };
@ -5329,10 +5276,7 @@ mod tests {
            .expect("Failed to perform OAuth2 authorisation request.");
        // Should be in the consent phase;
-        let consent_token =
+        let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request else {
            if let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request {
                consent_token
            } else {
            unreachable!();
        };
@ -5421,10 +5365,7 @@ mod tests {
        );
        // Should be in the consent phase;
-        let consent_token =
+        let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request else {
            if let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request {
                consent_token
            } else {
            unreachable!();
        };
@ -6002,10 +5943,7 @@ mod tests {
            OAUTH2_SCOPE_OPENID.to_string()
        );
-        let consent_token =
+        let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request else {
            if let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request {
                consent_token
            } else {
            unreachable!();
        };
@ -6191,10 +6129,7 @@ mod tests {
            .expect("OAuth2 authorisation failed");
        // Should be in the consent phase;
-        let consent_token =
+        let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request else {
            if let AuthoriseResponse::ConsentRequested { consent_token, .. } = consent_request {
                consent_token
            } else {
            unreachable!();
        };
--- a/server/lib/src/idm/reauth.rs
+++ b/server/lib/src/idm/reauth.rs
@ -708,7 +708,7 @@ mod tests {
        // There should be a queued audit event
        match idms_audit.audit_rx().try_recv() {
            Ok(AuditEvent::AuthenticationDenied { .. }) => {}
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        }
        // Start the re-auth - MUST FAIL!
--- a/server/lib/src/idm/scim.rs
+++ b/server/lib/src/idm/scim.rs
@ -310,9 +310,8 @@ impl<'a> IdmServerProxyWriteTransaction<'a> {
            .qs_write
            // .internal_search(f_all_sync.clone())
            .internal_exists(f_all_sync.clone())
-            .map_err(|e| {
+            .inspect_err(|_e| {
                error!("Failed to determine existing entries set");
                e
            })?;
        /*
@ -354,15 +353,15 @@ impl<'a> IdmServerProxyWriteTransaction<'a> {
            self.qs_write
                .internal_modify(&f_all_sync, &mods)
-                .map_err(|e| {
+                .inspect_err(|_e| {
                    error!("Failed to modify sync objects to grant authority to kanidm");
                    e
                })?;
        };
-        self.qs_write.internal_delete(&delete_filter).map_err(|e| {
+        self.qs_write
            .internal_delete(&delete_filter)
            .inspect_err(|e| {
                error!(?e, "Failed to terminate sync account");
            e
            })
    }
 }
@ -381,9 +380,8 @@ impl<'a> IdmServerProxyWriteTransaction<'a> {
        let entry = self
            .qs_write
            .internal_search_uuid(ste.target)
-            .map_err(|e| {
+            .inspect_err(|e| {
                admin_error!(?e, "Failed to search sync account");
                e
            })?;
        let sync_account = SyncAccount::try_from_entry_rw(&entry).map_err(|e| {
@ -1678,7 +1676,7 @@ mod tests {
            .internal_modify_uuid(
                UUID_DOMAIN_INFO,
                &ModifyList::new_append(
-                    Attribute::KeyActionRevoke.into(),
+                    Attribute::KeyActionRevoke,
                    Value::HexString(revoke_kid.to_string()),
                ),
            )
--- a/server/lib/src/idm/server.rs
+++ b/server/lib/src/idm/server.rs
@ -2585,7 +2585,7 @@ mod tests {
        // There should be a queued audit event
        match idms_audit.audit_rx().try_recv() {
            Ok(AuditEvent::AuthenticationDenied { .. }) => {}
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        }
        idms_auth.commit().expect("Must not fail");
@ -2774,7 +2774,7 @@ mod tests {
            .await;
        match a1 {
            Ok(Some(_tok)) => {}
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        };
        // Check bad password
        let uuae_bad = UnixUserAuthEvent::new_internal(UUID_ADMIN, TEST_PASSWORD_INC);
@ -2783,7 +2783,7 @@ mod tests {
            .await;
        match a2 {
            Ok(None) => {}
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        };
        assert!(idms_auth.commit().is_ok());
@ -2804,7 +2804,7 @@ mod tests {
            .await;
        match a3 {
            Ok(None) => {}
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        };
        assert!(idms_auth.commit().is_ok());
    }
@ -2927,7 +2927,7 @@ mod tests {
            .await;
        match a1 {
            Ok(Some(_tok)) => {}
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        };
        idms_auth.commit().expect("Must not fail");
        // The upgrade was queued
@ -2941,7 +2941,7 @@ mod tests {
            .await;
        match a2 {
            Ok(Some(_tok)) => {}
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        };
        idms_auth.commit().expect("Must not fail");
        // No delayed action was queued.
@ -3076,13 +3076,13 @@ mod tests {
        // badpw?
        match a1 {
            Ok(None) => {}
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        };
        let a2 = idms_auth.auth_unix(&uuae_good, time_high).await;
        match a2 {
            Ok(None) => {}
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        };
        idms_auth.commit().expect("Must not fail");
@ -3139,7 +3139,7 @@ mod tests {
        if tok_r.is_err() {
            // Ok?
        } else {
-            assert!(false);
+            debug_assert!(false);
        }
        let tok_r = idms_prox_read.get_radiusauthtoken(&rate, time_high);
@ -3147,7 +3147,7 @@ mod tests {
        if tok_r.is_err() {
            // Ok?
        } else {
-            assert!(false);
+            debug_assert!(false);
        }
    }
@ -3201,7 +3201,7 @@ mod tests {
        // There should be a queued audit event
        match idms_audit.audit_rx().try_recv() {
            Ok(AuditEvent::AuthenticationDenied { .. }) => {}
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        }
        idms_auth.commit().expect("Must not fail");
@ -3367,7 +3367,7 @@ mod tests {
        match idms_audit.audit_rx().try_recv() {
            Ok(AuditEvent::AuthenticationDenied { .. }) => {}
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        }
        idms_auth.commit().expect("Must not fail");
@ -3441,7 +3441,7 @@ mod tests {
            .await;
        match a2 {
            Ok(None) => {}
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        };
        // Now if we immediately auth again, should fail at same time due to SL
@ -3450,7 +3450,7 @@ mod tests {
            .await;
        match a1 {
            Ok(None) => {}
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        };
        // And then later, works because of SL lifting.
@ -3459,7 +3459,7 @@ mod tests {
            .await;
        match a1 {
            Ok(Some(_tok)) => {}
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        };
        assert!(idms_auth.commit().is_ok());
@ -3493,7 +3493,7 @@ mod tests {
        // In X time it should be INVALID
        match idms_prox_read.validate_client_auth_info_to_ident(token.into(), expiry) {
            Err(OperationError::SessionExpired) => {}
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        }
    }
@ -3628,7 +3628,7 @@ mod tests {
            .get_key_object(UUID_DOMAIN_INFO)
            .and_then(|object| {
                object
-                    .jws_public_jwk(&token_kid)
+                    .jws_public_jwk(token_kid)
                    .expect("Unable to access uat jwk")
            })
            .expect("No jwk by this kid");
@ -3668,7 +3668,7 @@ mod tests {
            .validate_client_auth_info_to_ident(uat_unverified.clone().into(), post_grace)
        {
            Err(OperationError::SessionExpired) => {}
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        }
        drop(idms_prox_read);
@ -3699,7 +3699,7 @@ mod tests {
            .validate_client_auth_info_to_ident(uat_unverified.clone().into(), post_grace)
        {
            Err(OperationError::SessionExpired) => {}
-            _ => assert!(false),
+            _ => panic!("Oh no"),
        }
    }
@ -4059,7 +4059,7 @@ mod tests {
        let me_reset_tokens = ModifyEvent::new_internal_invalid(
            filter!(f_eq(Attribute::Uuid, PartialValue::Uuid(UUID_DOMAIN_INFO))),
            ModifyList::new_append(
-                Attribute::KeyActionRevoke.into(),
+                Attribute::KeyActionRevoke,
                Value::HexString(revoke_kid.to_string()),
            ),
        );
--- a/server/lib/src/plugins/base.rs
+++ b/server/lib/src/plugins/base.rs
@ -459,7 +459,7 @@ mod tests {
                    .expect("Internal search failure");
                let ue = cands.first().expect("No cand");
                assert!(ue.attribute_equality(
-                    Attribute::Uuid.into(),
+                    Attribute::Uuid,
                    &PartialValue::Uuid(uuid!("79724141-3603-4060-b6bb-35c72772611d"))
                ));
            }
--- a/server/lib/src/plugins/cred_import.rs
+++ b/server/lib/src/plugins/cred_import.rs
@ -342,7 +342,7 @@ mod tests {
                        assert!(webauthn.is_empty());
                        assert!(backup_code.is_none());
                    }
-                    _ => assert!(false),
+                    _ => panic!("Oh no"),
                };
            }
        );
@ -406,7 +406,7 @@ mod tests {
                        assert!(totp.get("a") == Some(&totp_a));
                        assert!(totp.get("b") == Some(&totp_b));
                    }
-                    _ => assert!(false),
+                    _ => panic!("Oh no"),
                };
            }
        );
--- a/server/lib/src/plugins/dyngroup.rs
+++ b/server/lib/src/plugins/dyngroup.rs
@ -471,7 +471,7 @@ mod tests {
                    )))
                    .expect("Internal search failure");
-                let d_group = cands.get(0).expect("Unable to access group.");
+                let d_group = cands.first().expect("Unable to access group.");
                let members = d_group
                    .get_ava_set(Attribute::DynMember)
                    .expect("No members on dyn group");
@ -520,7 +520,7 @@ mod tests {
                    )))
                    .expect("Internal search failure");
-                let d_group = cands.get(0).expect("Unable to access group.");
+                let d_group = cands.first().expect("Unable to access group.");
                let members = d_group
                    .get_ava_set(Attribute::DynMember)
                    .expect("No members on dyn group");
@ -569,7 +569,7 @@ mod tests {
                    )))
                    .expect("Internal search failure");
-                let d_group = cands.get(0).expect("Unable to access group.");
+                let d_group = cands.first().expect("Unable to access group.");
                assert!(d_group.get_ava_set(Attribute::DynMember).is_none());
            }
        );
@ -614,7 +614,7 @@ mod tests {
                    )))
                    .expect("Internal search failure");
-                let d_group = cands.get(0).expect("Unable to access group.");
+                let d_group = cands.first().expect("Unable to access group.");
                let members = d_group
                    .get_ava_set(Attribute::DynMember)
                    .expect("No members on dyn group");
@ -676,7 +676,7 @@ mod tests {
                    )))
                    .expect("Internal search failure");
-                let d_group = cands.get(0).expect("Unable to access group.");
+                let d_group = cands.first().expect("Unable to access group.");
                let members = d_group
                    .get_ava_set(Attribute::DynMember)
                    .expect("No members on dyn group");
@ -737,7 +737,7 @@ mod tests {
                    )))
                    .expect("Internal search failure");
-                let d_group = cands.get(0).expect("Unable to access group.");
+                let d_group = cands.first().expect("Unable to access group.");
                assert!(d_group.get_ava_set(Attribute::DynMember).is_none());
            }
        );
@ -788,7 +788,7 @@ mod tests {
                    )))
                    .expect("Internal search failure");
-                let d_group = cands.get(0).expect("Unable to access group.");
+                let d_group = cands.first().expect("Unable to access group.");
                let members = d_group
                    .get_ava_set(Attribute::DynMember)
                    .expect("No members on dyn group");
@ -841,7 +841,7 @@ mod tests {
                    )))
                    .expect("Internal search failure");
-                let d_group = cands.get(0).expect("Unable to access group.");
+                let d_group = cands.first().expect("Unable to access group.");
                let members = d_group
                    .get_ava_set(Attribute::DynMember)
                    .expect("No members on dyn group");
@ -896,7 +896,7 @@ mod tests {
                    )))
                    .expect("Internal search failure");
-                let d_group = cands.get(0).expect("Unable to access group.");
+                let d_group = cands.first().expect("Unable to access group.");
                let members = d_group
                    .get_ava_set(Attribute::DynMember)
                    .expect("No members on dyn group");
@ -948,7 +948,7 @@ mod tests {
                    )))
                    .expect("Internal search failure");
-                let d_group = cands.get(0).expect("Unable to access group.");
+                let d_group = cands.first().expect("Unable to access group.");
                assert!(d_group.get_ava_set(Attribute::DynMember).is_none());
            }
        );
@ -991,7 +991,7 @@ mod tests {
                    )))
                    .expect("Internal search failure");
-                let d_group = cands.get(0).expect("Unable to access group.");
+                let d_group = cands.first().expect("Unable to access group.");
                assert!(d_group.get_ava_set(Attribute::DynMember).is_none());
            }
        );
@ -1038,7 +1038,7 @@ mod tests {
                    )))
                    .expect("Internal search failure");
-                let d_group = cands.get(0).expect("Unable to access group.");
+                let d_group = cands.first().expect("Unable to access group.");
                assert!(d_group.get_ava_set(Attribute::MemberOf).is_none());
            }
        );
--- a/server/lib/src/plugins/gidnumber.rs
+++ b/server/lib/src/plugins/gidnumber.rs
@ -73,9 +73,8 @@ fn apply_gidnumber<T: Clone>(
        let u_ref = e
            .get_uuid()
            .ok_or(OperationError::InvalidEntryState)
-            .map_err(|e| {
+            .inspect_err(|_e| {
                admin_error!("Invalid Entry State - Missing UUID");
                e
            })?;
        let gid = uuid_to_gid_u32(u_ref);
--- a/server/lib/src/plugins/session.rs
+++ b/server/lib/src/plugins/session.rs
@ -627,7 +627,7 @@ mod tests {
        // Mod again - remove the parent session.
        let modlist = ModifyList::new_remove(
-            Attribute::UserAuthTokenSession.into(),
+            Attribute::UserAuthTokenSession,
            PartialValue::Refer(parent_id),
        );
@ -650,7 +650,7 @@ mod tests {
        // The oauth2 session is also removed.
        let session = entry
-            .get_ava_as_oauth2session_map(Attribute::OAuth2Session.into())
+            .get_ava_as_oauth2session_map(Attribute::OAuth2Session)
            .and_then(|sessions| sessions.get(&session_id))
            .expect("No session map found");
        assert!(matches!(session.state, SessionState::RevokedAt(_)));
@ -751,7 +751,7 @@ mod tests {
        let entry = server_txn.internal_search_uuid(tuuid).expect("failed");
        let session = entry
-            .get_ava_as_oauth2session_map(Attribute::OAuth2Session.into())
+            .get_ava_as_oauth2session_map(Attribute::OAuth2Session)
            .and_then(|sessions| sessions.get(&session_id))
            .expect("No session map found");
        assert!(matches!(session.state, SessionState::NeverExpires));
@ -780,7 +780,7 @@ mod tests {
        // Note it's a not condition now.
        let session = entry
-            .get_ava_as_oauth2session_map(Attribute::OAuth2Session.into())
+            .get_ava_as_oauth2session_map(Attribute::OAuth2Session)
            .and_then(|sessions| sessions.get(&session_id))
            .expect("No session map found");
        assert!(matches!(session.state, SessionState::RevokedAt(_)));
--- a/server/lib/src/server/batch_modify.rs
+++ b/server/lib/src/server/batch_modify.rs
@ -123,9 +123,8 @@ impl<'a> QueryServerWriteTransaction<'a> {
                            // Return if success
                            .map(|()| ent_mut)
                            // Error log otherwise.
-                            .map_err(|e| {
+                            .inspect_err(|_e| {
                                error!("Modification failed for {}", u);
                                e
                            })
                    })
            })
--- a/server/lib/src/server/modify.rs
+++ b/server/lib/src/server/modify.rs
@ -106,9 +106,8 @@ impl<'a> QueryServerWriteTransaction<'a> {
            .collect();
        candidates.iter_mut().try_for_each(|er| {
-            er.apply_modlist(&me.modlist).map_err(|e| {
+            er.apply_modlist(&me.modlist).inspect_err(|_e| {
                error!("Modification failed for {:?}", er.get_uuid());
                e
            })
        })?;
--- a/server/lib/src/server/recycle.rs
+++ b/server/lib/src/server/recycle.rs
@ -18,9 +18,8 @@ impl<'a> QueryServerWriteTransaction<'a> {
                error!(err = ?e, "Tombstone purge operation failed (backend)");
                e
            })
-            .map(|res| {
+            .inspect(|_res| {
                admin_info!("Tombstone purge operation success");
                res
            })
    }
--- a/server/lib/src/valueset/address.rs
+++ b/server/lib/src/valueset/address.rs
@ -561,7 +561,7 @@ mod tests {
        let vs2 = valueset::from_db_valueset_v2(vs.to_db_valueset_v2())
            .expect("Failed to construct vs2 from dbvalue");
-        assert!(&vs == &vs2);
+        assert_eq!(&vs, &vs2);
        assert!(vs.to_email_address_primary_str() == vs2.to_email_address_primary_str());
        // Remove primary, assert it's gone and that the "first" address is assigned.
@ -575,7 +575,7 @@ mod tests {
        // Restore from dbv1, alice persisted.
        let vs3 = valueset::from_db_valueset_v2(vs.to_db_valueset_v2())
            .expect("Failed to construct vs2 from dbvalue");
-        assert!(&vs == &vs3);
+        assert_eq!(&vs, &vs3);
        assert!(vs3.len() == 2);
        assert!(vs3
            .as_emailaddress_set()
--- a/server/lib/src/valueset/auditlogstring.rs
+++ b/server/lib/src/valueset/auditlogstring.rs
@ -257,7 +257,10 @@ mod tests {
        // Now merge in with a set that has a value that is newer.
        #[allow(clippy::bool_assert_comparison, clippy::assertions_on_constants)]
        {
            assert!(100 > AUDIT_LOG_STRING_CAPACITY);
        }
        let other_vs: ValueSet = ValueSetAuditLogString::new(
            // Notice that 0 here is older than our other set items.
@ -321,7 +324,10 @@ mod tests {
        // Now merge in with a set that has a value that is newer.
        #[allow(clippy::bool_assert_comparison, clippy::assertions_on_constants)]
        {
            assert!(100 > AUDIT_LOG_STRING_CAPACITY);
        }
        let other_vs: ValueSet = ValueSetAuditLogString::new(
            // Notice that 0 here is older than our other set items.
--- a/server/lib/src/valueset/image/mod.rs
+++ b/server/lib/src/valueset/image/mod.rs
@ -531,6 +531,6 @@ fn test_imagevalue_things() {
            let res = image.validate_image();
            trace!("SVG Validation result of {}: {:?}", filename, &res);
            assert!(res.is_ok());
-            assert_eq!(image.hash_imagevalue().is_empty(), false);
+            assert!(!image.hash_imagevalue().is_empty());
        })
 }
--- a/server/lib/src/valueset/image/png.rs
+++ b/server/lib/src/valueset/image/png.rs
@ -133,7 +133,7 @@ fn test_png_consume_chunks_until_iend() {
    testchunks.extend([0, 0, 0, 1]); // the 4-byte checksum which we ignore
    let expected: [u8; 0] = [];
    let testchunks_slice = testchunks.as_slice();
-    let res = png_consume_chunks_until_iend(&testchunks_slice);
+    let res = png_consume_chunks_until_iend(testchunks_slice);
    // simple, valid image works
    match res {
@ -150,7 +150,7 @@ fn test_png_consume_chunks_until_iend() {
    let mut x = 11;
    while x > 0 {
        let newslice = &testchunks_slice[0..=x];
-        let res = png_consume_chunks_until_iend(&newslice);
+        let res = png_consume_chunks_until_iend(newslice);
        trace!("chunkstatus at size {} {:?}", x, &res);
        assert!(res.is_err());
        x -= 1;
--- a/server/lib/src/valueset/session.rs
+++ b/server/lib/src/valueset/session.rs
@ -1752,7 +1752,7 @@ mod tests {
                type_: AuthType::Passkey,
            },
        ))
-        .chain((0..SESSION_MAXIMUM).into_iter().map(|_| {
+        .chain((0..SESSION_MAXIMUM).map(|_| {
            (
                Uuid::new_v4(),
                Session {
--- a/server/testkit/examples/enumerating_access.rs
+++ b/server/testkit/examples/enumerating_access.rs
@ -80,7 +80,7 @@ where
    /// The uuidmap is a map of uuids to EntryInitNew objects, which we use to get the name of the objects
    fn as_mermaid(&mut self, uuidmap: &BTreeMap<T, EntryInitNew>) -> String {
-        let mut res = format!("graph RL;\n");
+        let mut res = "graph RL;\n".to_string();
        for (left, right, _weight) in self.all_edges() {
            let left = uuidmap.get(&left).unwrap();
            let right = uuidmap.get(&right).unwrap();
@ -103,7 +103,7 @@ async fn enumerate_default_groups(/*_client: KanidmClient*/) {
    builtin_accounts().into_iter().for_each(|account| {
        // println!("adding builtin {}", account.uuid);
-        uuidmap.insert(account.uuid, account.clone().try_into().unwrap());
+        uuidmap.insert(account.uuid, account.clone().into());
        graph.add_node(account.uuid);
    });
--- a/server/testkit/tests/identity_verification_tests.rs
+++ b/server/testkit/tests/identity_verification_tests.rs
@ -7,11 +7,11 @@ use kanidmd_lib::prelude::Attribute;
 use kanidmd_testkit::ADMIN_TEST_PASSWORD;
 use reqwest::StatusCode;
-static UNIVERSAL_PW: &'static str = "eicieY7ahchaoCh0eeTa";
+static UNIVERSAL_PW: &str = "eicieY7ahchaoCh0eeTa";
-static USER_A_NAME: &'static str = "valid_user_a";
+static USER_A_NAME: &str = "valid_user_a";
-static USER_B_NAME: &'static str = "valid_user_b";
+static USER_B_NAME: &str = "valid_user_b";
 // TEST ON ERROR OUTCOMES
 // These tests check that invalid requests return the expected error
@ -203,7 +203,7 @@ async fn test_full_identification_flow(rsclient: KanidmClient) {
    // we check that the user A got a WaitForCode
    let IdentifyUserResponse::ProvideCode { step: _, totp } = higher_user_req_1 else {
-        return assert!(false);
+        panic!();
        // we check that the user B got the code
    };
    // we now try to submit the wrong code and we check that we get CodeFailure
@ -230,7 +230,7 @@ async fn test_full_identification_flow(rsclient: KanidmClient) {
        .unwrap();
    // if the totp was correct we must get a ProvideCode
    let IdentifyUserResponse::ProvideCode { step: _, totp } = lower_user_req_2_right else {
-        return assert!(false);
+        panic!();
    };
    // we now try to do the same thing with user B: we first submit the wrong code expecting CodeFailure,
    // and then we submit the right one expecting Success
--- a/server/testkit/tests/integration.rs
+++ b/server/testkit/tests/integration.rs
@ -215,7 +215,7 @@ async fn test_domain_reset_token_key(rsclient: KanidmClient) {
    let key_id = jwt.kid().expect("token does not have a key id");
-    assert!(rsclient.idm_domain_revoke_key(&key_id).await.is_ok());
+    assert!(rsclient.idm_domain_revoke_key(key_id).await.is_ok());
 }
 #[kanidmd_testkit::test]
--- a/server/testkit/tests/oauth2_test.rs
+++ b/server/testkit/tests/oauth2_test.rs
@ -267,7 +267,7 @@ async fn test_oauth2_openid_basic_flow(rsclient: KanidmClient) {
    } = consent_req
    {
        // Note the supplemental scope here (admin)
-        assert!(scopes.contains(&"admin".to_string()));
+        assert!(scopes.contains("admin"));
        consent_token
    } else {
        unreachable!();
@ -655,7 +655,7 @@ async fn test_oauth2_openid_public_flow(rsclient: KanidmClient) {
    } = consent_req
    {
        // Note the supplemental scope here (admin)
-        assert!(scopes.contains(&"admin".to_string()));
+        assert!(scopes.contains("admin"));
        consent_token
    } else {
        unreachable!();
--- a/server/testkit/tests/proto_v1_test.rs
+++ b/server/testkit/tests/proto_v1_test.rs
@ -726,7 +726,7 @@ async fn test_server_rest_posix_auth_lifecycle(rsclient: KanidmClient) {
        .await;
    match r1 {
        Ok(Some(_tok)) => {}
-        _ => assert!(false),
+        _ => panic!("Oh no"),
    };
    // attempt to verify (bad, anon-conn)
@ -735,7 +735,7 @@ async fn test_server_rest_posix_auth_lifecycle(rsclient: KanidmClient) {
        .await;
    match r2 {
        Ok(None) => {}
-        _ => assert!(false),
+        _ => panic!("Oh no"),
    };
    // lock? (admin-conn)
@ -754,7 +754,7 @@ async fn test_server_rest_posix_auth_lifecycle(rsclient: KanidmClient) {
        .await;
    match r3 {
        Ok(None) => {}
-        _ => assert!(false),
+        _ => panic!("Oh no"),
    };
 }
@ -1060,7 +1060,7 @@ async fn test_server_credential_update_session_pw(rsclient: KanidmClient) {
        .unwrap();
    // Logout, we don't need any auth now.
-    let _ = rsclient.logout();
+    let _ = rsclient.logout().await;
    // Exchange the intent token
    let (session_token, _status) = rsclient
        .idm_account_credential_update_exchange(intent_token)
@ -1085,7 +1085,7 @@ async fn test_server_credential_update_session_pw(rsclient: KanidmClient) {
        .unwrap();
    // Assert it now works.
-    let _ = rsclient.logout();
+    let _ = rsclient.logout().await;
    let res = rsclient
        .auth_simple_password("demo_account", "eicieY7ahchaoCh0eeTa")
        .await;
@ -1135,7 +1135,7 @@ async fn test_server_credential_update_session_totp_pw(rsclient: KanidmClient) {
        .unwrap();
    // Logout, we don't need any auth now, the intent tokens care for it.
-    let _ = rsclient.logout();
+    let _ = rsclient.logout().await;
    // Exchange the intent token
    let (session_token, _statu) = rsclient
        .idm_account_credential_update_exchange(intent_token)
@ -1193,7 +1193,7 @@ async fn test_server_credential_update_session_totp_pw(rsclient: KanidmClient) {
        .expect("Failed to do totp?");
    // Assert it now works.
-    let _ = rsclient.logout();
+    let _ = rsclient.logout().await;
    let res = rsclient
        .auth_password_totp("demo_account", "sohdi3iuHo6mai7noh0a", totp_chal)
        .await;
@ -1232,7 +1232,7 @@ async fn test_server_credential_update_session_totp_pw(rsclient: KanidmClient) {
        .unwrap();
    // Assert it now works.
-    let _ = rsclient.logout();
+    let _ = rsclient.logout().await;
    let res = rsclient
        .auth_simple_password("demo_account", "sohdi3iuHo6mai7noh0a")
        .await;
@ -1264,7 +1264,7 @@ async fn setup_demo_account_passkey(rsclient: &KanidmClient) -> WebauthnAuthenti
        .unwrap();
    // Logout, we don't need any auth now.
-    let _ = rsclient.logout();
+    let _ = rsclient.logout().await;
    // Exchange the intent token
    let (session_token, _status) = rsclient
        .idm_account_credential_update_exchange(intent_token)
@ -1312,7 +1312,7 @@ async fn setup_demo_account_passkey(rsclient: &KanidmClient) -> WebauthnAuthenti
        .unwrap();
    // Assert it now works.
-    let _ = rsclient.logout();
+    let _ = rsclient.logout().await;
    wa
 }
@ -1467,7 +1467,7 @@ async fn test_server_api_token_lifecycle(rsclient: KanidmClient) {
        .idm_service_account_add_attr(
            test_service_account_username,
            Attribute::Mail.as_ref(),
-            &vec!["test@example.com"]
+            &["test@example.com"]
        )
        .await
        .is_ok());
@ -1602,7 +1602,7 @@ async fn test_server_user_auth_token_lifecycle(rsclient: KanidmClient) {
            .unwrap();
        // Logout, we don't need any auth now.
-        let _ = rsclient.logout();
+        let _ = rsclient.logout().await;
        // Exchange the intent token
        let (session_token, _status) = rsclient
            .idm_account_credential_update_exchange(intent_token)
@ -1624,7 +1624,7 @@ async fn test_server_user_auth_token_lifecycle(rsclient: KanidmClient) {
    // Auth as the user.
-    let _ = rsclient.logout();
+    let _ = rsclient.logout().await;
    let res = rsclient
        .auth_simple_password("demo_account", "eicieY7ahchaoCh0eeTa")
        .await;
--- a/server/testkit/tests/scim_test.rs
+++ b/server/testkit/tests/scim_test.rs
@ -53,7 +53,7 @@ async fn test_sync_account_lifecycle(rsclient: KanidmClient) {
    let url_a = sync_entry
        .attrs
        .get("sync_credential_portal")
-        .and_then(|x| x.get(0));
+        .and_then(|x| x.first());
    assert_eq!(
        url_a.map(|s| s.as_str()),
--- a/server/web_ui/shared/tests/test.rs
+++ b/server/web_ui/shared/tests/test.rs
@ -1,19 +0,0 @@
 //! Test harnesses for WASM things.
 //!
 //! Here be crabs with troubling pasts.
 //!
 //! Run this on a mac with Safari using the following command:
 //!
 //! ```shell
 //! wasm-pack test --chrome --headless
 //!```
 //!
 use wasm_bindgen_test::*;
 wasm_bindgen_test_configure!(run_in_browser);
 #[wasm_bindgen_test]
 fn if_this_fails_then_oh_no() {
    assert_eq!(1, 1);
 }
--- a/unix_integration/resolver/src/selinux_util.rs
+++ b/unix_integration/resolver/src/selinux_util.rs
@ -14,10 +14,10 @@ pub fn supported() -> bool {
        return false;
    }
    // check if SELinux is actually running
-    match current_mode() {
+    matches!(
-        SELinuxMode::Permissive | SELinuxMode::Enforcing => true,
+        current_mode(),
-        _ => false,
+        SELinuxMode::Permissive | SELinuxMode::Enforcing
-    }
+    )
 }
 fn do_setfscreatecon_for_path(path_raw: &Path, labeler: &Labeler<File>) -> Result<(), String> {
@ -27,9 +27,7 @@ fn do_setfscreatecon_for_path(path_raw: &Path, labeler: &Labeler<File>) -> Resul
        Ok(context) => context
            .set_for_new_file_system_objects(true)
            .map_err(|_| "Failed setting creation context home directory path".to_string()),
-        Err(_) => {
+        Err(_) => Err("Failed looking up default context for home directory path".to_string()),
            return Err("Failed looking up default context for home directory path".to_string());
        }
    }
 }
@ -97,7 +95,7 @@ impl SelinuxLabeler {
                sel_lookup_path_raw,
            } => {
                let sel_lookup_path = sel_lookup_path_raw.join(path.as_ref());
-                do_setfscreatecon_for_path(&sel_lookup_path, &labeler)
+                do_setfscreatecon_for_path(&sel_lookup_path, labeler)
            }
        }
    }
--- a/unix_integration/resolver/tests/cache_layer_test.rs
+++ b/unix_integration/resolver/tests/cache_layer_test.rs
@ -56,7 +56,7 @@ async fn setup_test(fix_fn: Fixture) -> (Resolver, KanidmClient) {
        #[allow(clippy::assertions_on_constants)]
        if counter >= 5 {
            eprintln!("Unable to allocate port!");
-            assert!(false);
+            debug_assert!(false);
        }
    };