1982 service account access (#1985)

* Fix issue with incorrect filter class preventing service account delete
2025-02-23 12:37:00 +01:00 · 2023-08-16 15:33:28 +10:00 · 2023-08-16 15:33:28 +10:00 · 87866c568b
parent 9a6168b67d
commit 87866c568b
5 changed files with 23 additions and 5 deletions
--- a/server/core/src/https/v1.rs
+++ b/server/core/src/https/v1.rs
@ -477,7 +477,7 @@ pub async fn service_account_id_delete(
    Path(id): Path<String>,
    Extension(kopid): Extension<KOpId>,
 ) -> impl IntoResponse {
-    let filter = filter_all!(f_eq("class", PartialValue::new_class("service_accont")));
+    let filter = filter_all!(f_eq("class", PartialValue::new_class("service_account")));
    json_rest_event_delete_id(state, id, filter, kopid).await
 }

--- a/server/lib/src/entry.rs
+++ b/server/lib/src/entry.rs
@ -1902,6 +1902,9 @@ impl<STATE> Entry<EntryValid, STATE> {
            return Ok(());
        };

+        // Are we in the recycle bin? We soften some checks if we are.
+        let recycled = self.attribute_equality("class", &PVCLASS_RECYCLED);
+
        // Do we have extensible? We still validate syntax of attrs but don't
        // check for valid object structures.
        let extensible = self.attribute_equality("class", &PVCLASS_EXTENSIBLE);
@ -2023,7 +2026,14 @@ impl<STATE> Entry<EntryValid, STATE> {
                "Validation error, the following required (must) attributes are missing - {:?}",
                missing_must
            );
-            return Err(SchemaError::MissingMustAttribute(missing_must));
+            // We if are in the recycle bin, we don't hard error here. This can occur when
+            // a migration occurs and we delete an acp, and then the related group. Because
+            // this would trigger refint which purges the acp_receiver_group, then this
+            // must value becomes unsatisfiable. So here we soften the check for recycled
+            // entries because they are in a "nebulous" state anyway.
+            if !recycled {
+                return Err(SchemaError::MissingMustAttribute(missing_must));
+            }
        }

        if extensible {
--- a/server/lib/src/server/delete.rs
+++ b/server/lib/src/server/delete.rs
@ -163,7 +163,7 @@ impl<'a> QueryServerWriteTransaction<'a> {
        self.delete(&de)
    }

-    #[instrument(level = "debug", skip_all)]
+    #[instrument(level = "debug", skip(self))]
    pub fn internal_delete_uuid_if_exists(
        &mut self,
        target_uuid: Uuid,
--- a/unix_integration/src/idprovider/interface.rs
+++ b/unix_integration/src/idprovider/interface.rs
@ -55,7 +55,11 @@ pub struct UserToken {
 pub trait IdProvider {
    async fn provider_authenticate(&self) -> Result<(), IdpError>;

-    async fn unix_user_get(&self, id: &Id, old_token: Option<UserToken>) -> Result<UserToken, IdpError>;
+    async fn unix_user_get(
+        &self,
+        id: &Id,
+        old_token: Option<UserToken>,
+    ) -> Result<UserToken, IdpError>;

    async fn unix_user_authenticate(
        &self,
--- a/unix_integration/src/idprovider/kanidm.rs
+++ b/unix_integration/src/idprovider/kanidm.rs
@ -79,7 +79,11 @@ impl IdProvider for KanidmProvider {
        }
    }

-    async fn unix_user_get(&self, id: &Id, _old_token: Option<UserToken>) -> Result<UserToken, IdpError> {
+    async fn unix_user_get(
+        &self,
+        id: &Id,
+        _old_token: Option<UserToken>,
+    ) -> Result<UserToken, IdpError> {
        match self
            .client
            .read()