Add new mail read group (#1224)

2025-02-23 12:37:00 +01:00 · 2022-11-23 23:36:53 +10:00 · 2022-11-23 23:36:53 +10:00 · 883aa5d5cb
parent 74765bab63
commit 883aa5d5cb
5 changed files with 66 additions and 1 deletions
--- a/kanidmd/lib/src/constants/acp.rs
+++ b/kanidmd/lib/src/constants/acp.rs
@ -1,3 +1,9 @@
+use crate::constants::uuids::*;
+///! Constant Entries for the IDM
+use crate::constants::values::*;
+use crate::entry::{Entry, EntryInit, EntryInitNew, EntryNew};
+use crate::value::Value;
+
 /*
 // Template acp
 pub const _UUID_IDM_ACP_XX_V1: &str = "00000000-0000-0000-0000-ffffff0000XX";
@ -326,6 +332,37 @@ pub const JSON_IDM_ACP_HP_PEOPLE_READ_PRIV_V1: &str = r#"{
    }
 }"#;

+lazy_static! {
+    pub static ref E_IDM_ACP_ACCOUNT_MAIL_READ_PRIV_V1: EntryInitNew = entry_init!(
+        ("class", CLASS_OBJECT.clone()),
+        ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()),
+        ("class", CLASS_ACCESS_CONTROL_SEARCH.clone()),
+        (
+            "name",
+            Value::new_iname("idm_acp_account_mail_read_priv")
+        ),
+        (
+            "uuid",
+            Value::new_uuid(UUID_IDM_ACP_ACCOUNT_MAIL_READ_PRIV_V1)
+        ),
+        (
+            "description",
+            Value::new_utf8s(
+                "Builtin IDM Control for reading account mail attributes."
+            )
+        ),
+        (
+            "acp_receiver_group",
+            Value::Refer(UUID_IDM_ACCOUNT_MAIL_READ_PRIV)
+        ),
+        (
+            "acp_targetscope",
+            Value::new_json_filter_s("{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}").expect("filter")
+        ),
+        ("acp_search_attr", Value::new_iutf8("mail"))
+    );
+}
+
 pub const JSON_IDM_ACP_HP_PEOPLE_WRITE_PRIV_V1: &str = r#"{
    "attrs": {
        "class": [
--- a/kanidmd/lib/src/constants/entries.rs
+++ b/kanidmd/lib/src/constants/entries.rs
@ -498,6 +498,25 @@ lazy_static! {
        ),
        ("grant_ui_hint", Value::UiHint(UiHint::ExperimentalFeatures))
    );
+
+    pub static ref E_IDM_ACCOUNT_MAIL_READ_PRIV: EntryInitNew = entry_init!(
+        ("class", CLASS_OBJECT.clone()),
+        ("class", CLASS_GROUP.clone()),
+        (
+            "name",
+            Value::new_iname("idm_account_mail_read_priv")
+        ),
+        (
+            "uuid",
+            Value::new_uuid(UUID_IDM_ACCOUNT_MAIL_READ_PRIV)
+        ),
+        (
+            "description",
+            Value::new_utf8s(
+                "Members of this group will have access to read the mail attribute of all persons and service accounts."
+            )
+        )
+    );
 }

 /// This must be the last group to init to include the UUID of the other high priv groups.
--- a/kanidmd/lib/src/constants/uuids.rs
+++ b/kanidmd/lib/src/constants/uuids.rs
@ -57,6 +57,7 @@ pub const _UUID_IDM_HP_SYNC_ACCOUNT_MANAGE_PRIV: Uuid =

 pub const UUID_IDM_UI_ENABLE_EXPERIMENTAL_FEATURES: Uuid =
    uuid!("00000000-0000-0000-0000-000000000038");
+pub const UUID_IDM_ACCOUNT_MAIL_READ_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000039");

 //
 pub const _UUID_IDM_HIGH_PRIVILEGE: Uuid = uuid!("00000000-0000-0000-0000-000000001000");
@ -291,6 +292,8 @@ pub const _UUID_IDM_HP_ACP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_V1: Uuid =
 pub const _UUID_IDM_ACP_OAUTH2_READ_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000043");
 pub const _UUID_IDM_HP_ACP_SYNC_ACCOUNT_MANAGE_PRIV_V1: Uuid =
    uuid!("00000000-0000-0000-0000-ffffff000044");
+pub const UUID_IDM_ACP_ACCOUNT_MAIL_READ_PRIV_V1: Uuid =
+    uuid!("00000000-0000-0000-0000-ffffff000045");

 // End of system ranges
 pub const UUID_DOES_NOT_EXIST: Uuid = uuid!("00000000-0000-0000-0000-fffffffffffe");
--- a/kanidmd/lib/src/constants/values.rs
+++ b/kanidmd/lib/src/constants/values.rs
@ -36,6 +36,8 @@ lazy_static! {
    pub static ref PVCLASS_SYSTEM_CONFIG: PartialValue = PartialValue::new_class("system_config");
    pub static ref PVCLASS_TOMBSTONE: PartialValue = PartialValue::new_class("tombstone");
    pub static ref PVUUID_DOMAIN_INFO: PartialValue = PartialValue::new_uuid(UUID_DOMAIN_INFO);
+    pub static ref CLASS_ACCESS_CONTROL_PROFILE: Value = Value::new_class("access_control_profile");
+    pub static ref CLASS_ACCESS_CONTROL_SEARCH: Value = Value::new_class("access_control_search");
    pub static ref CLASS_ACCOUNT: Value = Value::new_class("account");
    pub static ref CLASS_DOMAIN_INFO: Value = Value::new_class("domain_info");
    pub static ref CLASS_DYNGROUP: Value = Value::new_class("dyngroup");
--- a/kanidmd/lib/src/server.rs
+++ b/kanidmd/lib/src/server.rs
@ -2859,7 +2859,11 @@ impl<'a> QueryServerWriteTransaction<'a> {
        debug_assert!(res.is_ok());
        res?;

-        let idm_entries = [E_IDM_UI_ENABLE_EXPERIMENTAL_FEATURES.clone()];
+        let idm_entries = [
+            E_IDM_UI_ENABLE_EXPERIMENTAL_FEATURES.clone(),
+            E_IDM_ACCOUNT_MAIL_READ_PRIV.clone(),
+            E_IDM_ACP_ACCOUNT_MAIL_READ_PRIV_V1.clone(),
+        ];

        let res: Result<(), _> = idm_entries
            .into_iter()