Add test for delete referer invalid (#2435)

When a delete occurs on an entry which is referenced by another entry,
if the referencing entry has a MUST schema condition on the deleted entry
then the delete should be blocked to prevent the entry's structure
becoming invalid.
Firstyear 2024-01-19 12:18:11 +10:00 committed by GitHub
parent 6c1950aa7b
commit 8e4980b2c1
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -861,9 +861,60 @@ mod tests {
// Delete of something that is referenced - must remove ref in other (unless would make inconsistent) // Delete of something that is referenced - must remove ref in other (unless would make inconsistent)
// //
// this is the invalid case, where the reference is MUST. // this is the invalid case, where the reference is MUST.
//
// There are very few types in the server where this condition exists. The primary example
// is access controls, where a target group is a must condition referencing the
// group that the access control applies to.
//
// This means that the delete of the group will be blocked because it would make the access control
// structurally invalid.
#[test] #[test]
fn test_delete_remove_referent_invalid() { fn test_delete_remove_referent_invalid() {
// TODO: uh.. wot let target_uuid = Uuid::new_v4();
let e_group: Entry<EntryInit, EntryNew> = entry_init!(
(Attribute::Class, EntryClass::Group.to_value()),
(Attribute::Name, Value::new_iname("testgroup_a")),
(Attribute::Description, Value::new_utf8s("testgroup")),
(Attribute::Uuid, Value::Uuid(target_uuid))
);
let e_acp: Entry<EntryInit, EntryNew> = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(
Attribute::Class,
EntryClass::AccessControlProfile.to_value()
),
(
Attribute::Class,
EntryClass::AccessControlReceiverGroup.to_value()
),
(
Attribute::Class,
EntryClass::AccessControlTargetScope.to_value()
),
(Attribute::Name, Value::new_iname("acp_referer")),
(Attribute::AcpReceiverGroup, Value::Refer(target_uuid)),
(
Attribute::AcpTargetScope,
Value::new_json_filter_s("{\"eq\":[\"name\",\"a\"]}").expect("filter")
)
);
let preload = vec![e_group, e_acp];
run_delete_test!(
Err(OperationError::SchemaViolation(
SchemaError::MissingMustAttribute(vec!["acp_receiver_group".to_string()])
)),
preload,
filter!(f_eq(
Attribute::Name,
PartialValue::new_iname("testgroup_a")
)),
None,
|_qs: &mut QueryServerWriteTransaction| {}
);
} }
// Delete of something that holds references. // Delete of something that holds references.
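Review bot: The comment added above test_delete_remove_referent_invalid names the "target group" as the MUST reference, but the test builds the reference through `Attribute::AcpReceiverGroup` and expects `MissingMustAttribute(vec!["acp_receiver_group".to_string()])`, so the comment and the case under test disagree. I would reword that comment line to `// is access controls, where a receiver group is a must condition referencing the` so a reader looking for the integrity guarantee finds the attribute that is actually covered. The final closure `|_qs: &mut QueryServerWriteTransaction| {}` is empty, so the test pins only the returned error. If run_delete_test! runs that closure after a failed delete (not visible in this hunk), a check there that both the group and the access control profile still exist would confirm that the blocked delete leaves no partial change behind.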