From a3e8be76a55c79255b7d38e33f09a9c0926ed526 Mon Sep 17 00:00:00 2001
From: Firstyear
Date: Tue, 18 Oct 2022 19:21:08 +1000
Subject: [PATCH] Fix (#1134)
---
kanidm_tools/src/cli/oauth2.rs | 19 +++++++++++++++++++
kanidm_tools/src/opt/kanidm.rs | 10 ++++++++++
kanidmd/lib/src/value.rs | 28 ++++++++++++++++++++--------
kanidmd/lib/src/valueset/iname.rs | 10 +---------
4 files changed, 50 insertions(+), 17 deletions(-)
diff --git a/kanidm_tools/src/cli/oauth2.rs b/kanidm_tools/src/cli/oauth2.rs
index fa4e472cd..7513bc5a8 100644
--- a/kanidm_tools/src/cli/oauth2.rs
+++ b/kanidm_tools/src/cli/oauth2.rs
@@ -14,6 +14,7 @@ impl Oauth2Opt {
 Oauth2Opt::ShowBasicSecret(nopt) => nopt.copt.debug,
 Oauth2Opt::Delete(nopt) => nopt.copt.debug,
 Oauth2Opt::SetDisplayname(cbopt) => cbopt.nopt.copt.debug,
+ Oauth2Opt::SetName { nopt, .. } => nopt.copt.debug,
 Oauth2Opt::EnablePkce(nopt) => nopt.copt.debug,
 Oauth2Opt::DisablePkce(nopt) => nopt.copt.debug,
 Oauth2Opt::EnableLegacyCrypto(nopt) => nopt.copt.debug,
@@ -156,6 +157,24 @@ impl Oauth2Opt {
 Err(e) => error!("Error -> {:?}", e),
 }
 }
+ Oauth2Opt::SetName { nopt, name } => {
+ let client = nopt.copt.to_client().await;
+ match client
+ .idm_oauth2_rs_update(
+ nopt.name.as_str(),
+ Some(name.as_str()),
+ None,
+ None,
+ false,
+ false,
+ false,
+ )
+ .await
+ {
+ Ok(_) => println!("Success"),
+ Err(e) => error!("Error -> {:?}", e),
+ }
+ }
 Oauth2Opt::EnablePkce(nopt) => {
 let client = nopt.copt.to_client().await;
 match client.idm_oauth2_rs_enable_pkce(nopt.name.as_str()).await {
diff --git a/kanidm_tools/src/opt/kanidm.rs b/kanidm_tools/src/opt/kanidm.rs
index 7e028439c..03382b22d 100644
--- a/kanidm_tools/src/opt/kanidm.rs
+++ b/kanidm_tools/src/opt/kanidm.rs
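Review bot: In the new `Oauth2Opt::SetName` arm the two name bindings read against each other: `nopt.name` is the resource server being renamed and the bare `name` is the replacement, and both are passed as adjacent arguments to `idm_oauth2_rs_update` with nothing marking which is which. A one-line comment above the call, `// nopt.name is the existing rs name; name is the value it is renamed to`, or binding the field as `name: new_name` in the pattern, would make the arm self-explanatory. The `Success` message could also echo the rename, e.g. `println!("Success: {} -> {}", nopt.name, name)`, since the help text added in kanidm.rs warns that integrated applications must be updated afterwards and the operator currently gets no confirmation of what changed. The enclosing match and `impl Oauth2Opt` continue outside the hunk.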
@@ -650,6 +650,16 @@ pub enum Oauth2Opt {
 /// Set a new displayname for a resource server
 #[clap(name = "set_displayname")]
 SetDisplayname(Oauth2SetDisplayname),
+ /// Set a new name for this resource server. You may need to update
+ /// your integrated applications after this so that they continue to
+ /// function correctly.
+ #[clap(name = "set_name")]
+ SetName {
+ #[clap(flatten)]
+ nopt: Named,
+ #[clap(name = "newname")]
+ name: String,
+ },
 #[clap(name = "enable_pkce")]
 /// Enable PKCE on this oauth2 resource server. This defaults to being enabled.
 EnablePkce(Named),
diff --git a/kanidmd/lib/src/value.rs b/kanidmd/lib/src/value.rs
index a66d06528..10fac2bc7 100644
--- a/kanidmd/lib/src/value.rs
+++ b/kanidmd/lib/src/value.rs
@@ -1542,14 +1542,7 @@ impl Value {
 // valid. IE json filter is really a filter, or cred types have supplemental
 // data.
 match &self {
- Value::Iname(s) => {
- match Uuid::parse_str(s) {
- // It is a uuid, disallow.
- Ok(_) => false,
- // Not a uuid, check it against the re.
- Err(_) => INAME_RE.is_match(s) && !DISALLOWED_NAMES.contains(s.as_str()),
- }
- }
+ Value::Iname(s) => Value::validate_iname(s),
 /*
 Value::Cred(_) => match &self.data {
 Some(v) => matches!(v.as_ref(), DataValue::Cred(_)),
@@ -1566,6 +1559,25 @@ impl Value {
 _ => true,
 }
 }
+
+ pub(crate) fn validate_iname(s: &str) -> bool {
+ match Uuid::parse_str(s) {
+ // It is a uuid, disallow.
+ Ok(_) => false,
+ // Not a uuid, check it against the re.
+ Err(_) => {
+ if !INAME_RE.is_match(s) {
+ warn!("iname values may only contain limited characters - \"{}\" does not pass regex pattern \"{}\"", s, *INAME_RE);
+ false
+ } else if DISALLOWED_NAMES.contains(s) {
+ warn!("iname value \"{}\" is in denied list", s);
+ false
+ } else {
+ true
+ }
+ }
+ }
+ }
 }
 #[cfg(test)]
diff --git a/kanidmd/lib/src/valueset/iname.rs b/kanidmd/lib/src/valueset/iname.rs
index b65bbd6ec..56a7eeccc 100644
--- a/kanidmd/lib/src/valueset/iname.rs
+++ b/kanidmd/lib/src/valueset/iname.rs
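Review bot: The new positional field `name: String` under `SetName` carries no doc comment, so the generated help for `set_name` shows a bare `<newname>` argument with no description of what it is. Add `/// The new name to assign to this resource server.` above `#[clap(name = "newname")]`. The variant comment already warns that integrations may need updating; it could also say that the value must satisfy the server's iname rules, since the server rejects otherwise plausible names (the `validate_iname` helper in value.rs in this same commit) and the CLI only relays that error. `pub enum Oauth2Opt` continues outside the hunk.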
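Review bot: The two `warn!` calls in `validate_iname` interpolate the rejected value `s` with `{}`, so a value that fails the regex is written to the log verbatim before anything has constrained its character set — control characters, newlines and terminal escape sequences in a client-supplied name reach the log line unescaped. Formatting with `{:?}` escapes them and drops the hand-written `\"` quoting: `warn!("iname values may only contain limited characters - {:?} does not pass regex pattern {:?}", s, *INAME_RE);` and `warn!("iname value {:?} is in denied list", s);`. It is also worth deciding whether `warn` is the right level for a per-request validation failure that any caller with write access can produce at will; `debug!` keeps the log signal readable while the caller still receives the validation failure. Since the helper is now `pub(crate)` and shared with `ValueSetIname::validate`, a `///` comment stating the three rules it enforces (not a UUID, matches `INAME_RE`, not in `DISALLOWED_NAMES`) would help readers of either call site. `impl Value` continues outside the hunk.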
@@ -2,7 +2,6 @@ use std::collections::BTreeSet;
 use crate::prelude::*;
 use crate::schema::SchemaAttribute;
-use crate::value::{DISALLOWED_NAMES, INAME_RE};
 use crate::valueset::{DbValueSetV2, ValueSet};
 #[derive(Debug, Clone)]
@@ -97,14 +96,7 @@ impl ValueSetT for ValueSetIname {
 }
 fn validate(&self, _schema_attr: &SchemaAttribute) -> bool {
- self.set.iter().all(|s| {
- match Uuid::parse_str(s) {
- // It is a uuid, disallow.
- Ok(_) => false,
- // Not a uuid, check it against the re.
- Err(_) => INAME_RE.is_match(s) && !DISALLOWED_NAMES.contains(s.as_str()),
- }
- })
+ self.set.iter().all(|s| Value::validate_iname(s.as_str()))
 }
 fn to_proto_string_clone_iter(&self) -> Box + '_> {
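Review bot: `Value::validate_iname(s.as_str())` can be written `Value::validate_iname(s)`, since the `&String` yielded by `self.set.iter()` coerces to `&str` at the call; minor, but it mirrors how value.rs passes `s` to the same helper in this commit. Note that `all` stops at the first member that fails, so at most one of the helper's `warn!` lines is emitted per set even when several members are invalid — acceptable, but worth knowing when reading the logs. The `Box + '_>` return type on the last context line looks garbled by extraction (a `dyn Iterator` bound appears to be missing) and is not something this commit touched. `impl ValueSetT for ValueSetIname` continues outside the hunk.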