mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-23 12:37:00 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

1982 service account access (#1985)

Browse source 
* Fix issue with incorrect filter class preventing service account delete
This commit is contained in:
Firstyear 2023-08-16 15:33:28 +10:00 committed by GitHub
parent 9a6168b67d
commit 87866c568b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 23 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
server/core/src/https/v1.rs
View file

@ -477,7 +477,7 @@ pub async fn service_account_id_delete(
Path(id): Path<String>, Path(id): Path<String>,
Extension(kopid): Extension<KOpId>, Extension(kopid): Extension<KOpId>,
) -> impl IntoResponse { ) -> impl IntoResponse {
let filter = filter_all!(f_eq("class", PartialValue::new_class("service_accont"))); let filter = filter_all!(f_eq("class", PartialValue::new_class("service_account")));
json_rest_event_delete_id(state, id, filter, kopid).await json_rest_event_delete_id(state, id, filter, kopid).await
} }

12
server/lib/src/entry.rs
View file

@ -1902,6 +1902,9 @@ impl<STATE> Entry<EntryValid, STATE> {
return Ok(()); return Ok(());
}; };
// Are we in the recycle bin? We soften some checks if we are.
let recycled = self.attribute_equality("class", &PVCLASS_RECYCLED);
// Do we have extensible? We still validate syntax of attrs but don't // Do we have extensible? We still validate syntax of attrs but don't
// check for valid object structures. // check for valid object structures.
let extensible = self.attribute_equality("class", &PVCLASS_EXTENSIBLE); let extensible = self.attribute_equality("class", &PVCLASS_EXTENSIBLE);
@ -2023,7 +2026,14 @@ impl<STATE> Entry<EntryValid, STATE> {
"Validation error, the following required (must) attributes are missing - {:?}", "Validation error, the following required (must) attributes are missing - {:?}",
missing_must missing_must
); );
return Err(SchemaError::MissingMustAttribute(missing_must)); // We if are in the recycle bin, we don't hard error here. This can occur when
// a migration occurs and we delete an acp, and then the related group. Because
// this would trigger refint which purges the acp_receiver_group, then this
// must value becomes unsatisfiable. So here we soften the check for recycled
// entries because they are in a "nebulous" state anyway.
if !recycled {
return Err(SchemaError::MissingMustAttribute(missing_must));
}
} }
if extensible { if extensible {

2
server/lib/src/server/delete.rs
View file

@ -163,7 +163,7 @@ impl<'a> QueryServerWriteTransaction<'a> {
self.delete(&de) self.delete(&de)
} }
#[instrument(level = "debug", skip_all)] #[instrument(level = "debug", skip(self))]
pub fn internal_delete_uuid_if_exists( pub fn internal_delete_uuid_if_exists(
&mut self, &mut self,
target_uuid: Uuid, target_uuid: Uuid,

6
unix_integration/src/idprovider/interface.rs
View file

@ -55,7 +55,11 @@ pub struct UserToken {
pub trait IdProvider { pub trait IdProvider {
async fn provider_authenticate(&self) -> Result<(), IdpError>; async fn provider_authenticate(&self) -> Result<(), IdpError>;
async fn unix_user_get(&self, id: &Id, old_token: Option<UserToken>) -> Result<UserToken, IdpError>; async fn unix_user_get(
&self,
id: &Id,
old_token: Option<UserToken>,
) -> Result<UserToken, IdpError>;
async fn unix_user_authenticate( async fn unix_user_authenticate(
&self, &self,

6
unix_integration/src/idprovider/kanidm.rs
View file

@ -79,7 +79,11 @@ impl IdProvider for KanidmProvider {
} }
} }
async fn unix_user_get(&self, id: &Id, _old_token: Option<UserToken>) -> Result<UserToken, IdpError> { async fn unix_user_get(
&self,
id: &Id,
_old_token: Option<UserToken>,
) -> Result<UserToken, IdpError> {
match self match self
.client .client
.read() .read()