diff --git a/kanidm_book/src/SUMMARY.md b/kanidm_book/src/SUMMARY.md index 1b0a3f35c..07cb27e30 100644 --- a/kanidm_book/src/SUMMARY.md +++ b/kanidm_book/src/SUMMARY.md @@ -52,6 +52,7 @@ - [Access Profiles 2022](developers/designs/access_profiles_rework_2022.md) - [Access Profiles Original](developers/designs/access_profiles_and_security.md) - [REST Interface](developers/designs/rest_interface.md) + - [Elevated Priv Mode](developers/designs/elevated_priv_mode.md) - [Python Module](developers/python.md) - [RADIUS Integration](developers/radius.md) diff --git a/kanidm_tools/src/cli/badlist.rs b/kanidm_tools/src/cli/badlist.rs index 505d8e61d..5abce9e53 100644 --- a/kanidm_tools/src/cli/badlist.rs +++ b/kanidm_tools/src/cli/badlist.rs @@ -31,8 +31,11 @@ impl PwBadlistOpt { Err(e) => eprintln!("{:?}", e), } } - PwBadlistOpt::Upload { copt, paths } => { - let client = copt.to_client().await; + PwBadlistOpt::Upload { + copt, + paths, + dryrun, + } => { info!("pre-processing - this may take a while ..."); let mut pwset: Vec = Vec::new(); @@ -101,19 +104,28 @@ impl PwBadlistOpt { let results = task_handles.join().await; - let filt_pwset: Vec<_> = results + let mut filt_pwset: Vec<_> = results .into_iter() .flat_map(|res| res.expect("Thread join failure")) .collect(); + filt_pwset.sort_unstable(); + info!( "{} passwords passed zxcvbn, uploading ...", filt_pwset.len() ); - match client.system_password_badlist_append(filt_pwset).await { - Ok(_) => println!("Success"), - Err(e) => eprintln!("{:?}", e), + if *dryrun { + for pw in filt_pwset { + println!("{}", pw); + } + } else { + let client = copt.to_client().await; + match client.system_password_badlist_append(filt_pwset).await { + Ok(_) => println!("Success"), + Err(e) => eprintln!("{:?}", e), + } } } // End Upload PwBadlistOpt::Remove { copt, paths } => { diff --git a/kanidm_tools/src/opt/kanidm.rs b/kanidm_tools/src/opt/kanidm.rs index b9151aace..47d674b05 100644 --- a/kanidm_tools/src/opt/kanidm.rs 
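Review bot: Dropping `let client = copt.to_client().await;` from the head of the `Upload` arm (it now runs only in the non-dry-run branch of the second hunk) means an unreachable server or a rejected credential is reported only after the full zxcvbn pre-processing pass, which the `info!` on the next line warns may take a while. For the real upload it is worth failing fast while keeping the dry run free of any network or credential requirement, e.g. `let client = if *dryrun { None } else { Some(copt.to_client().await) };` before the pre-processing, and using it at upload time; the trade-off is holding a session for the duration of the pass, which matters only if the session can expire in that window. The `Upload` arm continues in the following hunk.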
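Review bot: `filt_pwset.sort_unstable();` makes the dry-run output and the upload order deterministic, but nothing removes duplicates that survive when the same password appears in more than one input file; the pre-processing that builds `pwset` is outside this hunk and may already dedupe, which is worth confirming, otherwise `filt_pwset.dedup();` directly after the sort is free on a sorted vector and shrinks the request. The dry-run loop calls `println!("{}", pw)` once per entry, which takes the stdout lock on every call; for lists this size the usual form is `let mut out = std::io::stdout().lock();` with `writeln!(out, "{}", pw)`. The `Err(e) => eprintln!("{:?}", e)` branch still lets the process exit zero on a failed upload, which predates this change but is more visible now that a script is likely to pair `-n` with a real run and check the result.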
+++ b/kanidm_tools/src/opt/kanidm.rs
@@ -715,6 +715,9 @@ pub enum PwBadlistOpt {
 copt: CommonOpt,
 #[clap(parse(from_os_str))]
 paths: Vec,
+ /// Perform a dry run and display the list that would have been uploaded instead.
+ #[clap(short = 'n', long)]
+ dryrun: bool,
 },
 #[clap[name = "remove", hide = true]]
 /// Remove the content of these lists if present in the configured
diff --git a/kanidmd/lib/src/constants/acp.rs b/kanidmd/lib/src/constants/acp.rs
index 646cd7393..00c6a9089 100644
--- a/kanidmd/lib/src/constants/acp.rs
+++ b/kanidmd/lib/src/constants/acp.rs
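Review bot: The doc comment on the new `dryrun` field is the `--help` text users read, and it omits the most useful property of the mode: with `-n` the command never constructs a client, so no server URL or credentials are needed (badlist.rs calls `copt.to_client()` only in the non-dry-run branch) and the printed list is the sorted set that would be sent. Suggested wording: `/// Dry run: print the sorted list that would be uploaded and exit without contacting the server.` The enclosing enum variant continues outside the hunk.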
@@ -4,333 +4,386 @@ use crate::constants::values::*; use crate::entry::{Entry, EntryInit, EntryInitNew, EntryNew}; use crate::value::Value; -/* -// Template acp -pub const _UUID_IDM_ACP_XX_V1: &str = "00000000-0000-0000-0000-ffffff0000XX"; -pub const JSON_IDM_ACP_XX_V1: &str = r#"{ - "attrs": { - "class": [ - "object", - "access_control_profile", - "access_control_search", - "access_control_modify", - "access_control_create", - "access_control_delete" - ], - "name": ["idm_acp_xx"], - "uuid": ["00000000-0000-0000-0000-ffffff0000XX"], - "description": ["Builtin IDM Control for xx"], - "acp_receiver": [ - "{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-0000000000XX\"]}" - ], - "acp_targetscope": [ - "{\"and\": [{\"eq\": [\"attr\",\"value\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" - ], - "acp_search_attr": [ +lazy_static! { + pub static ref E_IDM_ADMINS_ACP_RECYCLE_SEARCH_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_SEARCH.clone()), + ("name", Value::new_iname("idm_admins_acp_recycle_search")), + ("uuid", Value::Uuid(UUID_IDM_ADMINS_ACP_RECYCLE_SEARCH_V1)), + ( + "description", + Value::new_utf8s("Builtin IDM admin recycle bin search permission.") + ), + ("acp_receiver_group", Value::Refer(UUID_SYSTEM_ADMINS)), + ( + "acp_targetscope", + Value::new_json_filter_s("{\"eq\": [\"class\", \"recycled\"]}").unwrap() + ), + ("acp_search_attr", Value::new_iutf8("name")), + ("acp_search_attr", Value::new_iutf8("class")), + ("acp_search_attr", Value::new_iutf8("uuid")), + ("acp_search_attr", Value::new_iutf8("last_modified_cid")) + ); +} - ], - "acp_modify_removedattr": [ +lazy_static! 
{ + pub static ref E_IDM_ADMINS_ACP_REVIVE_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_MODIFY.clone()), + ("name", Value::new_iname("idm_admins_acp_revive")), + ("uuid", Value::Uuid(UUID_IDM_ADMINS_ACP_REVIVE_V1)), + ( + "description", + Value::new_utf8s("Builtin IDM admin recycle bin revive permission.") + ), + ("acp_receiver_group", Value::Refer(UUID_SYSTEM_ADMINS)), + ( + "acp_targetscope", + Value::new_json_filter_s("{\"eq\":[\"class\",\"recycled\"]}").unwrap() + ), + ("acp_modify_removedattr", Value::new_iutf8("class")), + ("acp_modify_class", Value::new_iutf8("recycled")) + ); +} - ], - "acp_modify_presentattr": [ +lazy_static! { + pub static ref E_IDM_SELF_ACP_READ_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_SEARCH.clone()), + ("name", Value::new_iname("idm_self_acp_read")), + ("uuid", Value::Uuid(UUID_IDM_SELF_ACP_READ_V1)), + ( + "description", + Value::new_utf8s( + "Builtin IDM Control for self read - required for whoami and many other functions" + ) + ), + ("acp_receiver_group", Value::Refer(UUID_IDM_ALL_ACCOUNTS)), + ( + "acp_targetscope", + Value::new_json_filter_s("\"self\"").unwrap() + ), + ("acp_search_attr", Value::new_iutf8("name")), + ("acp_search_attr", Value::new_iutf8("spn")), + ("acp_search_attr", Value::new_iutf8("displayname")), + ("acp_search_attr", Value::new_iutf8("legalname")), + ("acp_search_attr", Value::new_iutf8("class")), + ("acp_search_attr", Value::new_iutf8("memberof")), + ("acp_search_attr", Value::new_iutf8("mail")), + ("acp_search_attr", Value::new_iutf8("radius_secret")), + ("acp_search_attr", Value::new_iutf8("gidnumber")), + ("acp_search_attr", Value::new_iutf8("loginshell")), + ("acp_search_attr", Value::new_iutf8("uuid")), + ("acp_search_attr", Value::new_iutf8("account_expire")), + ("acp_search_attr", 
Value::new_iutf8("account_valid_from")), + ("acp_search_attr", Value::new_iutf8("primary_credential")), + ( + "acp_search_attr", + Value::new_iutf8("user_auth_token_session") + ), + ("acp_search_attr", Value::new_iutf8("passkeys")), + ("acp_search_attr", Value::new_iutf8("devicekeys")) + ); +} - ], - "acp_modify_class": [ +lazy_static! { + pub static ref E_IDM_SELF_ACP_WRITE_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_MODIFY.clone()), + ("name", Value::new_iname("idm_self_acp_write")), + ("uuid", Value::Uuid(UUID_IDM_SELF_ACP_WRITE_V1)), + ( + "description", + Value::new_utf8s("Builtin IDM Control for self write - required for people to update their own identities and credentials in line with best practices.") + ), + ( + "acp_receiver_group", + Value::Refer(UUID_IDM_ALL_PERSONS) + ), + ( + "acp_targetscope", + Value::new_json_filter_s( + "{\"and\": [{\"eq\": [\"class\",\"person\"]}, {\"eq\": [\"class\",\"account\"]}, \"self\"]}" + ).unwrap() + ), + ("acp_modify_removedattr", Value::new_iutf8("name")), + ("acp_modify_removedattr", Value::new_iutf8("displayname")), + ("acp_modify_removedattr", Value::new_iutf8("legalname")), + ("acp_modify_removedattr", Value::new_iutf8("radius_secret")), + ("acp_modify_removedattr", Value::new_iutf8("primary_credential")), + ("acp_modify_removedattr", Value::new_iutf8("ssh_publickey")), + ("acp_modify_removedattr", Value::new_iutf8("unix_password")), + ("acp_modify_removedattr", Value::new_iutf8("passkeys")), + ("acp_modify_removedattr", Value::new_iutf8("devicekeys")), + ("acp_modify_removedattr", Value::new_iutf8("user_auth_token_session")), - ], - "acp_create_attr": [ + ("acp_modify_presentattr", Value::new_iutf8("name")), + ("acp_modify_presentattr", Value::new_iutf8("displayname")), + ("acp_modify_presentattr", Value::new_iutf8("legalname")), + ("acp_modify_presentattr", Value::new_iutf8("radius_secret")), + 
("acp_modify_presentattr", Value::new_iutf8("primary_credential")), + ("acp_modify_presentattr", Value::new_iutf8("ssh_publickey")), + ("acp_modify_presentattr", Value::new_iutf8("unix_password")), + ("acp_modify_presentattr", Value::new_iutf8("passkeys")), + ("acp_modify_presentattr", Value::new_iutf8("devicekeys")) + ); +} - ], - "acp_create_class": [ +lazy_static! { + pub static ref E_IDM_PEOPLE_SELF_ACP_WRITE_MAIL_PRIV_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_MODIFY.clone()), + ("name", Value::new_iname("idm_people_self_acp_write_mail")), + ("uuid", Value::Uuid(UUID_IDM_PEOPLE_SELF_ACP_WRITE_MAIL_V1)), + ( + "description", + Value::new_utf8s("Builtin IDM Control for self write of mail for people accounts.") + ), + ( + "acp_receiver_group", + Value::Refer(UUID_IDM_PEOPLE_SELF_WRITE_MAIL_PRIV) + ), + ( + "acp_targetscope", + Value::new_json_filter_s( + "{\"and\": [{\"eq\": [\"class\",\"person\"]}, {\"eq\": [\"class\",\"account\"]}, \"self\"]}" + ).unwrap() + ), + ("acp_modify_removedattr", Value::new_iutf8("mail")), + ("acp_modify_presentattr", Value::new_iutf8("mail")) + ); +} - ] - } -}"#; -*/ +lazy_static! { + pub static ref E_IDM_ALL_ACP_READ_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_SEARCH.clone()), + ("name", Value::new_iname("idm_all_acp_read")), + ("uuid", Value::Uuid(UUID_IDM_ALL_ACP_READ_V1)), + ( + "description", + Value::new_utf8s("Builtin IDM Control for all read - e.g. 
anonymous and all authenticated accounts.") + ), + ( + "acp_receiver_group", + Value::Refer(UUID_IDM_ALL_ACCOUNTS) + ), + ( + "acp_targetscope", + Value::new_json_filter_s( + "{\"and\": [{\"pres\": \"class\"}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" + ).unwrap() + ), + ("acp_search_attr", Value::new_iutf8("name")), + ("acp_search_attr", Value::new_iutf8("spn")), + ("acp_search_attr", Value::new_iutf8("displayname")), + ("acp_search_attr", Value::new_iutf8("class")), + ("acp_search_attr", Value::new_iutf8("memberof")), + ("acp_search_attr", Value::new_iutf8("member")), + ("acp_search_attr", Value::new_iutf8("uuid")), + ("acp_search_attr", Value::new_iutf8("gidnumber")), + ("acp_search_attr", Value::new_iutf8("loginshell")), + ("acp_search_attr", Value::new_iutf8("ssh_publickey")) + ); +} -pub const JSON_IDM_ADMINS_ACP_RECYCLE_SEARCH_V1: &str = r#"{ - "attrs": { - "class": ["object", "access_control_profile", "access_control_search"], - "name": ["idm_admins_acp_recycle_search"], - "uuid": ["00000000-0000-0000-0000-ffffff000002"], - "description": ["Builtin IDM admin recycle bin search permission."], - "acp_receiver": [], - "acp_receiver_group": ["00000000-0000-0000-0000-000000000019"], - "acp_targetscope": [ - "{\"eq\": [\"class\", \"recycled\"]}" - ], - "acp_search_attr": ["name", "class", "uuid", "last_modified_cid"] - } -}"#; +lazy_static! 
{ + pub static ref E_IDM_ACP_PEOPLE_READ_PRIV_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_SEARCH.clone()), + ("name", Value::new_iname("idm_acp_people_read_priv")), + ("uuid", Value::Uuid(UUID_IDM_ACP_PEOPLE_READ_PRIV_V1)), + ( + "description", + Value::new_utf8s("Builtin IDM Control for reading personal sensitive data.") + ), + ( + "acp_receiver_group", + Value::Refer(UUID_IDM_PEOPLE_READ_PRIV) + ), + ( + "acp_targetscope", + Value::new_json_filter_s( + "{\"and\": [{\"eq\": [\"class\",\"person\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" + ).unwrap() + ), + ("acp_search_attr", Value::new_iutf8("name")), + ("acp_search_attr", Value::new_iutf8("displayname")), + ("acp_search_attr", Value::new_iutf8("legalname")), + ("acp_search_attr", Value::new_iutf8("mail")) + ); +} -pub const JSON_IDM_ADMINS_ACP_REVIVE_V1: &str = r#"{ - "attrs": { - "class": ["object", "access_control_profile", "access_control_modify"], - "name": ["idm_admins_acp_revive"], - "uuid": ["00000000-0000-0000-0000-ffffff000003"], - "description": ["Builtin IDM Administrators Access Controls."], - "acp_receiver": [], - "acp_receiver_group": ["00000000-0000-0000-0000-000000000019"], - "acp_targetscope": [ - "{\"eq\":[\"class\",\"recycled\"]}" - ], - "acp_modify_removedattr": ["class"], - "acp_modify_class": ["recycled"] - } -}"#; +lazy_static! 
{ + pub static ref E_IDM_ACP_PEOPLE_WRITE_PRIV_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_MODIFY.clone()), + ("name", Value::new_iname("idm_acp_people_write_priv")), + ("uuid", Value::Uuid(UUID_IDM_ACP_PEOPLE_WRITE_PRIV_V1)), + ( + "description", + Value::new_utf8s("Builtin IDM Control for managing personal and sensitive data.") + ), + ( + "acp_receiver_group", + Value::Refer(UUID_IDM_PEOPLE_WRITE_PRIV) + ), + ( + "acp_targetscope", + Value::new_json_filter_s( + "{\"and\": [{\"eq\": [\"class\",\"person\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" + ).unwrap() + ), + ("acp_modify_removedattr", Value::new_iutf8("name")), + ("acp_modify_removedattr", Value::new_iutf8("displayname")), + ("acp_modify_removedattr", Value::new_iutf8("legalname")), + ("acp_modify_removedattr", Value::new_iutf8("mail")), -pub const JSON_IDM_SELF_ACP_READ_V1: &str = r#"{ - "attrs": { - "class": ["object", "access_control_profile", "access_control_search"], - "name": ["idm_self_acp_read"], - "uuid": ["00000000-0000-0000-0000-ffffff000004"], - "description": ["Builtin IDM Control for self read - required for whoami and many other functions."], - "acp_receiver": [], - "acp_receiver_group": ["00000000-0000-0000-0000-000000000036"], - "acp_targetscope": [ - "\"self\"" - ], - "acp_search_attr": [ - "name", - "spn", - "displayname", - "legalname", - "class", - "memberof", - "radius_secret", - "gidnumber", - "loginshell", - "uuid", - "account_expire", - "account_valid_from", - "primary_credential", - "user_auth_token_session", - "passkeys", - "devicekeys" - ] - } -}"#; + ("acp_modify_presentattr", Value::new_iutf8("name")), + ("acp_modify_presentattr", Value::new_iutf8("displayname")), + ("acp_modify_presentattr", Value::new_iutf8("legalname")), + 
("acp_modify_presentattr", Value::new_iutf8("mail")) + ); +} -pub const JSON_IDM_SELF_ACP_WRITE_V1: &str = r#"{ - "attrs": { - "class": ["object", "access_control_profile", "access_control_modify"], - "name": ["idm_self_acp_write"], - "uuid": ["00000000-0000-0000-0000-ffffff000021"], - "description": ["Builtin IDM Control for self write - required for people to update their own identities and credentials in line with best practices."], - "acp_receiver": [], - "acp_receiver_group": ["00000000-0000-0000-0000-000000000035"], - "acp_targetscope": [ - "{\"and\": [{\"eq\": [\"class\",\"person\"]}, {\"eq\": [\"class\",\"account\"]}, \"self\"]}" - ], - "acp_modify_removedattr": [ - "name", "displayname", "legalname", "radius_secret", "primary_credential", "ssh_publickey", "unix_password", "passkeys", "devicekeys", "user_auth_token_session" - ], - "acp_modify_presentattr": [ - "name", "displayname", "legalname", "radius_secret", "primary_credential", "ssh_publickey", "unix_password", "passkeys", "devicekeys" - ] - } -}"#; +lazy_static! 
{ + pub static ref E_IDM_ACP_PEOPLE_MANAGE_PRIV_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_DELETE.clone()), + ("class", CLASS_ACCESS_CONTROL_CREATE.clone()), + ("name", Value::new_iname("idm_acp_people_manage")), + ("uuid", Value::Uuid(UUID_IDM_ACP_PEOPLE_MANAGE_PRIV_V1)), + ( + "description", + Value::new_utf8s("Builtin IDM Control for creating person (user) accounts") + ), + ( + "acp_receiver_group", + Value::Refer(UUID_IDM_PEOPLE_MANAGE_PRIV) + ), + ( + "acp_targetscope", + Value::new_json_filter_s( + "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"eq\": [\"class\",\"person\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" + ).unwrap() + ), + ("acp_create_attr", Value::new_iutf8("class")), + ("acp_create_attr", Value::new_iutf8("name")), + ("acp_create_attr", Value::new_iutf8("displayname")), + ("acp_create_attr", Value::new_iutf8("legalname")), + ("acp_create_attr", Value::new_iutf8("primary_credential")), + ("acp_create_attr", Value::new_iutf8("ssh_publickey")), + ("acp_create_attr", Value::new_iutf8("mail")), + ("acp_create_attr", Value::new_iutf8("account_expire")), + ("acp_create_attr", Value::new_iutf8("account_valid_from")), + ("acp_create_attr", Value::new_iutf8("passkeys")), + ("acp_create_attr", Value::new_iutf8("devicekeys")), + ("acp_create_class", Value::new_iutf8("object")), + ("acp_create_class", Value::new_iutf8("account")), + ("acp_create_class", Value::new_iutf8("person")) + ); +} -pub const JSON_IDM_PEOPLE_SELF_ACP_WRITE_MAIL_PRIV_V1: &str = r#"{ - "attrs": { - "class": ["object", "access_control_profile", "access_control_modify"], - "name": ["idm_people_self_acp_write_mail"], - "uuid": ["00000000-0000-0000-0000-ffffff000041"], - "description": ["Builtin IDM Control for self write of mail for people accounts."], 
- "acp_receiver": [], - "acp_receiver_group": ["00000000-0000-0000-0000-000000000033"], - "acp_targetscope": [ - "{\"and\": [{\"eq\": [\"class\",\"person\"]}, {\"eq\": [\"class\",\"account\"]}, \"self\"]}" - ], - "acp_modify_removedattr": [ - "mail" - ], - "acp_modify_presentattr": [ - "mail" - ] - } -}"#; - -pub const JSON_IDM_ALL_ACP_READ_V1: &str = r#"{ - "attrs": { - "class": ["object", "access_control_profile", "access_control_search"], - "name": ["idm_all_acp_read"], - "uuid": ["00000000-0000-0000-0000-ffffff000006"], - "description": ["Builtin IDM Control for all read - IE anonymous and all authenticated accounts."], - "acp_receiver": [], - "acp_receiver_group": ["00000000-0000-0000-0000-000000000036"], - "acp_targetscope": [ - "{\"and\": [{\"pres\": \"class\"}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" - ], - "acp_search_attr": [ - "name", - "spn", - "displayname", - "class", - "memberof", - "member", - "uuid", - "gidnumber", - "loginshell", - "ssh_publickey" - ] - } -}"#; - -// 7 people read acp JSON_IDM_PEOPLE_READ_PRIV_V1 -pub const JSON_IDM_ACP_PEOPLE_READ_PRIV_V1: &str = r#"{ - "attrs": { - "class": [ - "object", - "access_control_profile", - "access_control_search" - ], - "name": ["idm_acp_people_read_priv"], - "uuid": ["00000000-0000-0000-0000-ffffff000007"], - "description": ["Builtin IDM Control for reading personal sensitive data."], - "acp_receiver": [], - "acp_receiver_group": ["00000000-0000-0000-0000-000000000002"], - "acp_targetscope": [ - "{\"and\": [{\"eq\": [\"class\",\"person\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" - ], - "acp_search_attr": [ - "name", "displayname", "legalname", "mail" - ] - } -}"#; -// 8 people write acp JSON_IDM_PEOPLE_WRITE_PRIV_V1 -pub const JSON_IDM_ACP_PEOPLE_WRITE_PRIV_V1: &str = r#"{ - "attrs": { - "class": [ - "object", 
- "access_control_profile", - "access_control_modify" - ], - "name": ["idm_acp_people_write_priv"], - "uuid": ["00000000-0000-0000-0000-ffffff000008"], - "description": ["Builtin IDM Control for managing personal and sensitive data."], - "acp_receiver": [], - "acp_receiver_group": ["00000000-0000-0000-0000-000000000003"], - "acp_targetscope": [ - "{\"and\": [{\"eq\": [\"class\",\"person\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" - ], - "acp_modify_removedattr": [ - "name", "displayname", "legalname", "mail" - ], - "acp_modify_presentattr": [ - "name", "displayname", "legalname", "mail" - ] - } -}"#; -// 13 user (person) account create acp JSON_IDM_PERSON_ACCOUNT_CREATE_PRIV_V1 -pub const JSON_IDM_ACP_PEOPLE_MANAGE_PRIV_V1: &str = r#"{ - "attrs": { - "class": [ - "object", - "access_control_profile", - "access_control_delete", - "access_control_create" - ], - "name": ["idm_acp_people_manage"], - "uuid": ["00000000-0000-0000-0000-ffffff000013"], - "description": ["Builtin IDM Control for creating person (user) accounts"], - "acp_receiver": [], - "acp_receiver_group": ["00000000-0000-0000-0000-000000000013"], - "acp_targetscope": [ - "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"eq\": [\"class\",\"person\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" - ], - "acp_create_attr": [ - "class", - "name", - "displayname", - "legalname", - "primary_credential", - "passkeys", - "devicekeys", - "user_auth_token_session", - "ssh_publickey", - "mail" - ], - "acp_create_class": [ - "object", "person", "account" - ] - } -}"#; // 31 - password import modification priv // right now, create requires you to have access to every attribute in a single snapshot, // so people will need to two step (create then import pw). 
Later we could add another // acp that allows the create here too? Should it be separate? -pub const JSON_IDM_ACP_PEOPLE_ACCOUNT_PASSWORD_IMPORT_PRIV_V1: &str = r#"{ - "attrs": { - "class": [ - "object", - "access_control_profile", - "access_control_modify" - ], - "name": ["idm_acp_people_account_password_import_priv"], - "uuid": ["00000000-0000-0000-0000-ffffff000031"], - "description": ["Builtin IDM Control for allowing imports of passwords to people+account types."], - "acp_receiver": [], - "acp_receiver_group": ["00000000-0000-0000-0000-000000000023"], - "acp_targetscope": [ - "{\"and\": [{\"eq\": [\"class\",\"person\"]}, {\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" - ], - "acp_modify_removedattr": [ - "password_import" - ], - "acp_modify_presentattr": [ - "password_import" - ] - } -}"#; +lazy_static! { + pub static ref E_IDM_ACP_PEOPLE_ACCOUNT_PASSWORD_IMPORT_PRIV_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_MODIFY.clone()), + ("name", Value::new_iname("idm_acp_people_account_password_import_priv")), + ("uuid", Value::Uuid(UUID_IDM_ACP_PEOPLE_ACCOUNT_PASSWORD_IMPORT_PRIV_V1)), + ( + "description", + Value::new_utf8s("Builtin IDM Control for allowing imports of passwords to people+account types.") + ), + ( + "acp_receiver_group", + Value::Refer(UUID_IDM_PEOPLE_ACCOUNT_PASSWORD_IMPORT_PRIV) + ), + ( + "acp_targetscope", + Value::new_json_filter_s( + "{\"and\": [{\"eq\": [\"class\",\"person\"]}, {\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" + ).unwrap() + ), + ("acp_modify_removedattr", Value::new_iutf8("password_import")), + 
("acp_modify_presentattr", Value::new_iutf8("password_import")) + ); +} -// -pub const JSON_IDM_ACP_PEOPLE_EXTEND_PRIV_V1: &str = r#"{ - "attrs": { - "class": [ - "object", - "access_control_profile", - "access_control_modify" - ], - "name": ["idm_acp_people_extend_priv"], - "uuid": ["00000000-0000-0000-0000-ffffff000032"], - "description": ["Builtin IDM Control for allowing person class extension"], - "acp_receiver": [], - "acp_receiver_group": ["00000000-0000-0000-0000-000000000024"], - "acp_targetscope": [ - "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" - ], - "acp_modify_removedattr": [ - "name", "displayname", "legalname", "mail" - ], - "acp_modify_presentattr": [ - "class", "name", "displayname", "legalname", "mail" - ], - "acp_modify_class": ["person"] - } -}"#; +lazy_static! { + pub static ref E_IDM_ACP_PEOPLE_EXTEND_PRIV_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_MODIFY.clone()), + ("name", Value::new_iname("idm_acp_people_extend_priv")), + ("uuid", Value::Uuid(UUID_IDM_ACP_PEOPLE_EXTEND_PRIV_V1)), + ( + "description", + Value::new_utf8s("Builtin IDM Control for allowing person class extension") + ), + ( + "acp_receiver_group", + Value::Refer(UUID_IDM_PEOPLE_EXTEND_PRIV) + ), + ( + "acp_targetscope", + Value::new_json_filter_s( + "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" + ).unwrap() + ), + ("acp_modify_removedattr", Value::new_iutf8("name")), + ("acp_modify_removedattr", Value::new_iutf8("displayname")), + ("acp_modify_removedattr", Value::new_iutf8("legalname")), + ("acp_modify_removedattr", 
Value::new_iutf8("mail")), + ("acp_modify_presentattr", Value::new_iutf8("class")), + ("acp_modify_presentattr", Value::new_iutf8("name")), + ("acp_modify_presentattr", Value::new_iutf8("displayname")), + ("acp_modify_presentattr", Value::new_iutf8("legalname")), + ("acp_modify_presentattr", Value::new_iutf8("name")), + ("acp_modify_class", Value::new_iutf8("person")) + ); +} -// -- hp people -pub const JSON_IDM_ACP_HP_PEOPLE_READ_PRIV_V1: &str = r#"{ - "attrs": { - "class": [ - "object", - "access_control_profile", - "access_control_search" - ], - "name": ["idm_acp_hp_people_read_priv"], - "uuid": ["00000000-0000-0000-0000-ffffff000036"], - "description": ["Builtin IDM Control for reading high privilege personal sensitive data."], - "acp_receiver": [], - "acp_receiver_group": ["00000000-0000-0000-0000-000000000028"], - "acp_targetscope": [ - "{\"and\": [{\"eq\": [\"class\",\"person\"]}, {\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" - ], - "acp_search_attr": [ - "name", "displayname", "legalname", "mail" - ] - } -}"#; +lazy_static! 
{ + pub static ref E_IDM_ACP_HP_PEOPLE_READ_PRIV_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_SEARCH.clone()), + ("name", Value::new_iname("idm_acp_hp_people_read_priv")), + ("uuid", Value::Uuid(UUID_IDM_ACP_HP_PEOPLE_READ_PRIV_V1)), + ( + "description", + Value::new_utf8s("Builtin IDM Control for reading high privilege personal sensitive data.") + ), + ( + "acp_receiver_group", + Value::Refer(UUID_IDM_HP_PEOPLE_READ_PRIV) + ), + ( + "acp_targetscope", + Value::new_json_filter_s( + "{\"and\": [{\"eq\": [\"class\",\"person\"]}, {\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" + ).unwrap() + ), + ("acp_search_attr", Value::new_iutf8("name")), + ("acp_search_attr", Value::new_iutf8("displayname")), + ("acp_search_attr", Value::new_iutf8("legalname")), + ("acp_search_attr", Value::new_iutf8("mail")) + ); +} lazy_static! { pub static ref E_IDM_ACP_ACCOUNT_MAIL_READ_PRIV_V1: EntryInitNew = entry_init!( 
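Review bot: E_IDM_ACP_PEOPLE_EXTEND_PRIV_V1 lists `name` twice in acp_modify_presentattr and omits `mail`, whereas the JSON constant it replaces granted `class, name, displayname, legalname, mail` and the new entry's acp_modify_removedattr still carries `mail`; holders of idm_people_extend_priv can therefore remove a mail value but no longer set one, a silent scope change a port to `entry_init!` should not introduce. The second `("acp_modify_presentattr", Value::new_iutf8("name")),` should read `("acp_modify_presentattr", Value::new_iutf8("mail")),`, and the same duplicated-`name` shape appears in E_IDM_ACP_HP_PEOPLE_WRITE_PRIV_V1 in the following hunk. Two further deltas from the old JSON look intentional but are not called out anywhere: E_IDM_SELF_ACP_READ_V1 gains `mail` in acp_search_attr, and E_IDM_ACP_PEOPLE_MANAGE_PRIV_V1 drops `user_auth_token_session` from acp_create_attr while adding `account_expire` and `account_valid_from`. A test that evaluates every `E_*` static once and compares each attribute set against the previous JSON would have caught the regression, and would also turn a panic from `new_json_filter_s(...).unwrap()` on a malformed filter literal into a test failure instead of a first-use crash. The hunk's trailing context opens E_IDM_ACP_ACCOUNT_MAIL_READ_PRIV_V1, whose body continues outside it.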
@@ -364,610 +417,739 @@ lazy_static! { ); } -pub const JSON_IDM_ACP_HP_PEOPLE_WRITE_PRIV_V1: &str = r#"{ - "attrs": { - "class": [ - "object", - "access_control_profile", - "access_control_modify" - ], - "name": ["idm_acp_hp_people_write_priv"], - "uuid": ["00000000-0000-0000-0000-ffffff000037"], - "description": ["Builtin IDM Control for managing privilege personal and sensitive data."], - "acp_receiver": [], - "acp_receiver_group": ["00000000-0000-0000-0000-000000000029"], - "acp_targetscope": [ - "{\"and\": [{\"eq\": [\"class\",\"person\"]}, {\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" - ], - "acp_modify_removedattr": [ - "name", "displayname", "legalname", "mail" - ], - "acp_modify_presentattr": [ - "name", "displayname", "legalname", "mail" - ] - } -}"#; +lazy_static! { + pub static ref E_IDM_ACP_HP_PEOPLE_WRITE_PRIV_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_MODIFY.clone()), + ("name", Value::new_iname("idm_acp_hp_people_write_priv")), + ("uuid", Value::Uuid(UUID_IDM_ACP_HP_PEOPLE_WRITE_PRIV_V1)), + ( + "description", + Value::new_utf8s("Builtin IDM Control for managing privilege personal and sensitive data.") + ), + ( + "acp_receiver_group", + Value::Refer(UUID_IDM_HP_PEOPLE_WRITE_PRIV) + ), + ( + "acp_targetscope", + Value::new_json_filter_s( + "{\"and\": [{\"eq\": [\"class\",\"person\"]}, {\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" + ).unwrap() + ), + ("acp_modify_removedattr", Value::new_iutf8("name")), + ("acp_modify_removedattr", Value::new_iutf8("displayname")), + ("acp_modify_removedattr", Value::new_iutf8("legalname")), + ("acp_modify_removedattr", Value::new_iutf8("mail")), + 
("acp_modify_presentattr", Value::new_iutf8("name")), + ("acp_modify_presentattr", Value::new_iutf8("displayname")), + ("acp_modify_presentattr", Value::new_iutf8("legalname")), + ("acp_modify_presentattr", Value::new_iutf8("name")) + ); +} -pub const JSON_IDM_ACP_HP_PEOPLE_EXTEND_PRIV_V1: &str = r#"{ - "attrs": { - "class": [ - "object", - "access_control_profile", - "access_control_modify" - ], - "name": ["idm_acp_hp_people_extend_priv"], - "uuid": ["00000000-0000-0000-0000-ffffff000038"], - "description": ["Builtin IDM Control for allowing privilege person class extension"], - "acp_receiver": [], - "acp_receiver_group": ["00000000-0000-0000-0000-000000000030"], - "acp_targetscope": [ - "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" - ], - "acp_modify_removedattr": [ - "name", "displayname", "legalname", "mail" - ], - "acp_modify_presentattr": [ - "class", "name", "displayname", "legalname", "mail" - ], - "acp_modify_class": ["person"] - } -}"#; +lazy_static! 
{ + pub static ref E_IDM_ACP_HP_PEOPLE_EXTEND_PRIV_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_MODIFY.clone()), + ("name", Value::new_iname("idm_acp_hp_people_extend_priv")), + ("uuid", Value::Uuid(UUID_IDM_ACP_HP_PEOPLE_EXTEND_PRIV_V1)), + ( + "description", + Value::new_utf8s("Builtin IDM Control for allowing privilege person class extension") + ), + ( + "acp_receiver_group", + Value::Refer(UUID_IDM_HP_PEOPLE_EXTEND_PRIV) + ), + ( + "acp_targetscope", + Value::new_json_filter_s( + "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" + ).unwrap() + ), + ("acp_modify_removedattr", Value::new_iutf8("name")), + ("acp_modify_removedattr", Value::new_iutf8("displayname")), + ("acp_modify_removedattr", Value::new_iutf8("legalname")), + ("acp_modify_removedattr", Value::new_iutf8("mail")), + ("acp_modify_presentattr", Value::new_iutf8("class")), + ("acp_modify_presentattr", Value::new_iutf8("name")), + ("acp_modify_presentattr", Value::new_iutf8("displayname")), + ("acp_modify_presentattr", Value::new_iutf8("legalname")), + ("acp_modify_presentattr", Value::new_iutf8("name")), + ("acp_modify_class", Value::new_iutf8("person")) + ); +} // -- end people -// 9 group write acp JSON_IDM_GROUP_WRITE_PRIV_V1 -pub const JSON_IDM_ACP_GROUP_WRITE_PRIV_V1: &str = r#"{ - "attrs": { - "class": [ - "object", - "access_control_profile", - "access_control_search", - "access_control_modify" - ], - "name": ["idm_acp_group_write_priv"], - "uuid": ["00000000-0000-0000-0000-ffffff000009"], - "description": ["Builtin IDM Control for managing groups"], - "acp_receiver": [], - "acp_receiver_group": ["00000000-0000-0000-0000-000000000004"], - "acp_targetscope": [ - "{\"and\": [{\"eq\": [\"class\",\"group\"]}, {\"andnot\": 
{\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" - ], - "acp_search_attr": [ - "class", "name", "spn", "uuid", "description", "member" - ], - "acp_modify_removedattr": [ - "name", "description", "member" - ], - "acp_modify_presentattr": [ - "name", "description", "member" - ] - } -}"#; -// 10 account read acp JSON_IDM_ACCOUNT_READ_PRIV_V1 -pub const JSON_IDM_ACP_ACCOUNT_READ_PRIV_V1: &str = r#"{ - "attrs": { - "class": [ - "object", - "access_control_profile", - "access_control_search" - ], - "name": ["idm_acp_account_read_priv"], - "uuid": ["00000000-0000-0000-0000-ffffff000010"], - "description": ["Builtin IDM Control for accounts."], - "acp_receiver": [], - "acp_receiver_group": ["00000000-0000-0000-0000-000000000005"], - "acp_targetscope": [ - "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" - ], - "acp_search_attr": [ - "class", "name", "spn", "uuid", "displayname", "ssh_publickey", "primary_credential", "memberof", "mail", "gidnumber", "account_expire", "account_valid_from", "passkeys", "devicekeys", "api_token_session", "user_auth_token_session" - ] - } -}"#; -// 11 account write acp JSON_IDM_ACCOUNT_WRITE_PRIV_V1 -pub const JSON_IDM_ACP_ACCOUNT_WRITE_PRIV_V1: &str = r#"{ - "attrs": { - "class": [ - "object", - "access_control_profile", - "access_control_modify" - ], - "name": ["idm_acp_account_write_priv"], - "uuid": ["00000000-0000-0000-0000-ffffff000011"], - "description": ["Builtin IDM Control for managing all accounts (both person and service)."], - "acp_receiver": [], - "acp_receiver_group": ["00000000-0000-0000-0000-000000000006"], - "acp_targetscope": [ - "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": 
[\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" - ], - "acp_modify_removedattr": [ - "name", "displayname", "ssh_publickey", "primary_credential", "mail", "account_expire", "account_valid_from", "passkeys", "devicekeys", "api_token_session", "user_auth_token_session" - ], - "acp_modify_presentattr": [ - "name", "displayname", "ssh_publickey", "primary_credential", "mail", "account_expire", "account_valid_from", "passkeys", "devicekeys", "api_token_session" - ] - } -}"#; -// 12 service account create acp (only admins?) JSON_IDM_SERVICE_ACCOUNT_CREATE_PRIV_V1 -pub const JSON_IDM_ACP_ACCOUNT_MANAGE_PRIV_V1: &str = r#"{ - "attrs": { - "class": [ - "object", - "access_control_profile", - "access_control_delete", - "access_control_create" - ], - "name": ["idm_acp_account_manage"], - "uuid": ["00000000-0000-0000-0000-ffffff000012"], - "description": ["Builtin IDM Control for creating and deleting (service) accounts"], - "acp_receiver": [], - "acp_receiver_group": ["00000000-0000-0000-0000-000000000014"], - "acp_targetscope": [ - "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" - ], - "acp_create_attr": [ - "class", - "name", - "displayname", +lazy_static! 
{ + pub static ref E_IDM_ACP_GROUP_WRITE_PRIV_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_MODIFY.clone()), + ("class", CLASS_ACCESS_CONTROL_SEARCH.clone()), + ("name", Value::new_iname("idm_acp_group_write_priv")), + ("uuid", Value::Uuid(UUID_IDM_ACP_GROUP_WRITE_PRIV_V1)), + ( "description", - "primary_credential", - "ssh_publickey", - "mail", - "account_expire", - "account_valid_from", - "passkeys", - "devicekeys" - ], - "acp_create_class": [ - "object", "account", "service_account" - ] - } -}"#; + Value::new_utf8s("Builtin IDM Control for managing groups") + ), + ( + "acp_receiver_group", + Value::Refer(UUID_IDM_GROUP_WRITE_PRIV) + ), + ( + "acp_targetscope", + Value::new_json_filter_s( + "{\"and\": [{\"eq\": [\"class\",\"group\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" + ).unwrap() + ), + ("acp_search_attr", Value::new_iutf8("name")), + ("acp_search_attr", Value::new_iutf8("uuid")), + ("acp_search_attr", Value::new_iutf8("spn")), + ("acp_search_attr", Value::new_iutf8("uuid")), + ("acp_search_attr", Value::new_iutf8("description")), + ("acp_search_attr", Value::new_iutf8("member")), + ("acp_modify_removedattr", Value::new_iutf8("name")), + ("acp_modify_removedattr", Value::new_iutf8("description")), + ("acp_modify_removedattr", Value::new_iutf8("member")), + ("acp_modify_presentattr", Value::new_iutf8("name")), + ("acp_modify_presentattr", Value::new_iutf8("description")), + ("acp_modify_presentattr", Value::new_iutf8("member")) + ); +} + +lazy_static! 
{ + pub static ref E_IDM_ACP_ACCOUNT_READ_PRIV_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_SEARCH.clone()), + ("name", Value::new_iname("idm_acp_account_read_priv")), + ("uuid", Value::Uuid(UUID_IDM_ACP_ACCOUNT_READ_PRIV_V1)), + ( + "description", + Value::new_utf8s("Builtin IDM Control for reading accounts.") + ), + ( + "acp_receiver_group", + Value::Refer(UUID_IDM_ACCOUNT_READ_PRIV) + ), + ( + "acp_targetscope", + Value::new_json_filter_s( + "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" + ).unwrap() + ), + ("acp_search_attr", Value::new_iutf8("class")), + ("acp_search_attr", Value::new_iutf8("name")), + ("acp_search_attr", Value::new_iutf8("spn")), + ("acp_search_attr", Value::new_iutf8("uuid")), + ("acp_search_attr", Value::new_iutf8("displayname")), + ("acp_search_attr", Value::new_iutf8("ssh_publickey")), + ("acp_search_attr", Value::new_iutf8("primary_credential")), + ("acp_search_attr", Value::new_iutf8("memberof")), + ("acp_search_attr", Value::new_iutf8("mail")), + ("acp_search_attr", Value::new_iutf8("gidnumber")), + ("acp_search_attr", Value::new_iutf8("account_expire")), + ("acp_search_attr", Value::new_iutf8("account_valid_from")), + ("acp_search_attr", Value::new_iutf8("passkeys")), + ("acp_search_attr", Value::new_iutf8("devicekeys")), + ("acp_search_attr", Value::new_iutf8("api_token_session")), + ("acp_search_attr", Value::new_iutf8("user_auth_token_session")) + ); +} + +lazy_static! 
{ + pub static ref E_IDM_ACP_ACCOUNT_WRITE_PRIV_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_MODIFY.clone()), + ("name", Value::new_iname("idm_acp_account_write_priv")), + ("uuid", Value::Uuid(UUID_IDM_ACP_ACCOUNT_WRITE_PRIV_V1)), + ( + "description", + Value::new_utf8s("Builtin IDM Control for managing all accounts (both person and service).") + ), + ( + "acp_receiver_group", + Value::Refer(UUID_IDM_ACCOUNT_WRITE_PRIV) + ), + ( + "acp_targetscope", + Value::new_json_filter_s( + "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" + ).unwrap() + ), + ("acp_modify_removedattr", Value::new_iutf8("name")), + ("acp_modify_removedattr", Value::new_iutf8("displayname")), + ("acp_modify_removedattr", Value::new_iutf8("ssh_publickey")), + ("acp_modify_removedattr", Value::new_iutf8("primary_credential")), + ("acp_modify_removedattr", Value::new_iutf8("mail")), + ("acp_modify_removedattr", Value::new_iutf8("account_expire")), + ("acp_modify_removedattr", Value::new_iutf8("account_valid_from")), + ("acp_modify_removedattr", Value::new_iutf8("passkeys")), + ("acp_modify_removedattr", Value::new_iutf8("devicekeys")), + ("acp_modify_removedattr", Value::new_iutf8("api_token_session")), + ("acp_modify_removedattr", Value::new_iutf8("user_auth_token_session")), + + ("acp_modify_presentattr", Value::new_iutf8("name")), + ("acp_modify_presentattr", Value::new_iutf8("displayname")), + ("acp_modify_presentattr", Value::new_iutf8("ssh_publickey")), + ("acp_modify_presentattr", Value::new_iutf8("primary_credential")), + ("acp_modify_presentattr", Value::new_iutf8("mail")), + ("acp_modify_presentattr", Value::new_iutf8("account_expire")), + ("acp_modify_presentattr", Value::new_iutf8("account_valid_from")), + 
("acp_modify_presentattr", Value::new_iutf8("passkeys")), + ("acp_modify_presentattr", Value::new_iutf8("devicekeys")), + ("acp_modify_presentattr", Value::new_iutf8("api_token_session")) + ); +} + +lazy_static! { + pub static ref E_IDM_ACP_ACCOUNT_MANAGE_PRIV_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_DELETE.clone()), + ("class", CLASS_ACCESS_CONTROL_CREATE.clone()), + ("name", Value::new_iname("idm_acp_account_manage")), + ("uuid", Value::Uuid(UUID_IDM_ACP_ACCOUNT_MANAGE_PRIV_V1)), + ( + "description", + Value::new_utf8s("Builtin IDM Control for creating and deleting (service) accounts") + ), + ( + "acp_receiver_group", + Value::Refer(UUID_IDM_ACCOUNT_MANAGE_PRIV) + ), + ( + "acp_targetscope", + Value::new_json_filter_s( + "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" + ).unwrap() + ), + ("acp_create_attr", Value::new_iutf8("class")), + ("acp_create_attr", Value::new_iutf8("name")), + ("acp_create_attr", Value::new_iutf8("displayname")), + ("acp_create_attr", Value::new_iutf8("description")), + ("acp_create_attr", Value::new_iutf8("primary_credential")), + ("acp_create_attr", Value::new_iutf8("ssh_publickey")), + ("acp_create_attr", Value::new_iutf8("mail")), + ("acp_create_attr", Value::new_iutf8("account_expire")), + ("acp_create_attr", Value::new_iutf8("account_valid_from")), + ("acp_create_attr", Value::new_iutf8("passkeys")), + ("acp_create_attr", Value::new_iutf8("devicekeys")), + ("acp_create_class", Value::new_iutf8("object")), + ("acp_create_class", Value::new_iutf8("account")), + ("acp_create_class", Value::new_iutf8("service_account")) + ); +} // 14 radius read acp JSON_IDM_RADIUS_SERVERS_V1 // The targetscope of this could change later to a "radius access" group or similar so 
we can add/remove // users from having radius access easier. -pub const JSON_IDM_ACP_RADIUS_SECRET_READ_PRIV_V1: &str = r#"{ - "attrs": { - "class": [ - "object", - "access_control_profile", - "access_control_search" - ], - "name": ["idm_acp_radius_secret_read_priv"], - "uuid": ["00000000-0000-0000-0000-ffffff000039"], - "description": ["Builtin IDM Control for reading radius secrets of accounts."], - "acp_receiver": [], - "acp_receiver_group": ["00000000-0000-0000-0000-000000000032"], - "acp_targetscope": [ - "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" - ], - "acp_search_attr": [ - "radius_secret" - ] - } -}"#; +lazy_static! { + pub static ref E_IDM_ACP_RADIUS_SECRET_READ_PRIV_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_SEARCH.clone()), + ("name", Value::new_iname("idm_acp_radius_secret_read_priv")), + ("uuid", Value::Uuid(UUID_IDM_ACP_RADIUS_SECRET_READ_PRIV_V1)), + ( + "description", + Value::new_utf8s("Builtin IDM Control for reading user radius secrets.") + ), + ( + "acp_receiver_group", + Value::Refer(UUID_IDM_RADIUS_SECRET_READ_PRIV_V1) + ), + ( + "acp_targetscope", + Value::new_json_filter_s( + "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" + ).unwrap() + ), + ("acp_search_attr", Value::new_iutf8("radius_secret")) + ); +} -pub const JSON_IDM_ACP_RADIUS_SECRET_WRITE_PRIV_V1: &str = r#"{ - "attrs": { - "class": [ - "object", - "access_control_profile", - "access_control_modify" - ], - "name": ["idm_acp_radius_secret_write_priv"], - "uuid": ["00000000-0000-0000-0000-ffffff000040"], - "description": ["Builtin IDM 
Control allowing writes to user radius secrets."], - "acp_receiver": [], - "acp_receiver_group": ["00000000-0000-0000-0000-000000000031"], - "acp_targetscope": [ - "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" - ], - "acp_modify_removedattr": [ - "radius_secret" - ], - "acp_modify_presentattr": [ - "radius_secret" - ] - } -}"#; +lazy_static! { + pub static ref E_IDM_ACP_RADIUS_SECRET_WRITE_PRIV_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_MODIFY.clone()), + ("name", Value::new_iname("idm_acp_radius_secret_write_priv")), + ("uuid", Value::Uuid(UUID_IDM_ACP_RADIUS_SECRET_WRITE_PRIV_V1)), + ( + "description", + Value::new_utf8s("Builtin IDM Control allowing writes to user radius secrets.") + ), + ( + "acp_receiver_group", + Value::Refer(UUID_IDM_RADIUS_SECRET_WRITE_PRIV_V1) + ), + ( + "acp_targetscope", + Value::new_json_filter_s( + "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" + ).unwrap() + ), + ("acp_modify_removedattr", Value::new_iutf8("radius_secret")), + ("acp_modify_presentattr", Value::new_iutf8("radius_secret")) -pub const JSON_IDM_ACP_RADIUS_SERVERS_V1: &str = r#"{ - "attrs": { - "class": [ - "object", - "access_control_profile", - "access_control_search" - ], - "name": ["idm_acp_radius_servers"], - "uuid": ["00000000-0000-0000-0000-ffffff000014"], - "description": ["Builtin IDM Control for RADIUS servers to read credentials and other needed details."], - "acp_receiver": [], - "acp_receiver_group": ["00000000-0000-0000-0000-000000000007"], - "acp_targetscope": [ + ); +} + +lazy_static! 
{ + pub static ref E_IDM_ACP_RADIUS_SERVERS_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_SEARCH.clone()), + ("name", Value::new_iname("idm_acp_radius_servers")), + ("uuid", Value::Uuid(UUID_IDM_ACP_RADIUS_SERVERS_V1)), + ( + "description", + Value::new_utf8s("Builtin IDM Control for RADIUS servers to read credentials and other needed details.") + ), + ( + "acp_receiver_group", + Value::Refer(UUID_IDM_RADIUS_SERVERS) + ), + ( + "acp_targetscope", + Value::new_json_filter_s( "{\"and\": [{\"pres\": \"class\"}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" - ], - "acp_search_attr": [ - "name", "spn", "uuid", "radius_secret" - ] - } -}"#; + ).unwrap() + ), + ("acp_search_attr", Value::new_iutf8("name")), + ("acp_search_attr", Value::new_iutf8("spn")), + ("acp_search_attr", Value::new_iutf8("uuid")), + ("acp_search_attr", Value::new_iutf8("radius_secret")) + ); +} -// 15 high priv account read JSON_IDM_HP_ACCOUNT_READ_PRIV_V1 -pub const JSON_IDM_ACP_HP_ACCOUNT_READ_PRIV_V1: &str = r#"{ - "attrs": { - "class": [ - "object", - "access_control_profile", - "access_control_search" - ], - "name": ["idm_acp_hp_account_read_priv"], - "uuid": ["00000000-0000-0000-0000-ffffff000015"], - "description": ["Builtin IDM Control for reading high privilege accounts."], - "acp_receiver": [], - "acp_receiver_group": ["00000000-0000-0000-0000-000000000009"], - "acp_targetscope": [ - "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" - ], - "acp_search_attr": [ - "class", "name", "spn", "uuid", "displayname", "ssh_publickey", "primary_credential", "memberof", "account_expire", "account_valid_from", "passkeys", "devicekeys", "api_token_session", 
"user_auth_token_session" - ] - } -}"#; -// 16 high priv account write JSON_IDM_HP_ACCOUNT_WRITE_PRIV_V1 -pub const JSON_IDM_ACP_HP_ACCOUNT_WRITE_PRIV_V1: &str = r#"{ - "attrs": { - "class": [ - "object", - "access_control_profile", - "access_control_modify" - ], - "name": ["idm_acp_hp_account_write_priv"], - "uuid": ["00000000-0000-0000-0000-ffffff000016"], - "description": ["Builtin IDM Control for managing high privilege accounts (both person and service)."], - "acp_receiver": [], - "acp_receiver_group": ["00000000-0000-0000-0000-000000000009"], - "acp_targetscope": [ - "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" - ], - "acp_modify_removedattr": [ - "name", "displayname", "ssh_publickey", "primary_credential", "account_expire", "account_valid_from", "passkeys", "devicekeys", "api_token_session", "user_auth_token_session" - ], - "acp_modify_presentattr": [ - "name", "displayname", "ssh_publickey", "primary_credential", "account_expire", "account_valid_from", "passkeys", "devicekeys", "api_token_session" - ] - } -}"#; - -// 17 high priv group write --> JSON_IDM_HP_GROUP_WRITE_PRIV_V1 (12) -pub const JSON_IDM_ACP_HP_GROUP_WRITE_PRIV_V1: &str = r#"{ - "attrs": { - "class": [ - "object", - "access_control_profile", - "access_control_search", - "access_control_modify" - ], - "name": ["idm_acp_hp_group_write_priv"], - "uuid": ["00000000-0000-0000-0000-ffffff000017"], - "description": ["Builtin IDM Control for managing high privilege groups"], - "acp_receiver": [], - "acp_receiver_group": ["00000000-0000-0000-0000-000000000012"], - "acp_targetscope": [ - "{\"and\": [{\"eq\": [\"class\",\"group\"]}, {\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" - ], - "acp_search_attr": [ - 
"class", "name", "uuid", "description", "member" - ], - "acp_modify_removedattr": [ - "name", "description", "member" - ], - "acp_modify_presentattr": [ - "name", "description", "member" - ] - } -}"#; - -// 18 schema write JSON_IDM_SCHEMA_WRITE_PRIV_V1 -pub const JSON_IDM_ACP_SCHEMA_WRITE_ATTRS_PRIV_V1: &str = r#"{ - "attrs": { - "class": [ - "object", - "access_control_profile", - "access_control_search", - "access_control_modify", - "access_control_create" - ], - "name": ["idm_acp_schema_write_attrs_priv"], - "uuid": ["00000000-0000-0000-0000-ffffff000018"], - "description": ["Builtin IDM Control for management of schema attributes."], - "acp_receiver": [], - "acp_receiver_group": ["00000000-0000-0000-0000-000000000010"], - "acp_targetscope": [ - "{\"and\": [{\"eq\": [\"class\",\"attributetype\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" - ], - "acp_search_attr": [ - "class", +lazy_static! { + pub static ref E_IDM_ACP_HP_ACCOUNT_READ_PRIV_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_SEARCH.clone()), + ("name", Value::new_iname("idm_acp_hp_account_read_priv")), + ("uuid", Value::Uuid(UUID_IDM_ACP_HP_ACCOUNT_READ_PRIV_V1)), + ( "description", - "index", - "unique", - "multivalue", - "attributename", - "syntax", - "uuid" - ], - "acp_modify_removedattr": [ - "description", - "index", - "unique", - "multivalue", - "syntax" - ], - "acp_modify_presentattr": [ - "description", - "index", - "unique", - "multivalue", - "syntax" - ], - "acp_modify_class": [], - "acp_create_attr": [ - "class", - "description", - "index", - "unique", - "multivalue", - "attributename", - "syntax", - "uuid" - ], - "acp_create_class": [ - "object", "attributetype" - ] - } -}"#; - -// 19 acp read/write -pub const JSON_IDM_ACP_ACP_MANAGE_PRIV_V1: &str = r#"{ - "attrs": { - "class": [ - "object", - "access_control_profile", - 
"access_control_search", - "access_control_modify", - "access_control_create", - "access_control_delete" - ], - "name": ["idm_acp_acp_manage_priv"], - "uuid": ["00000000-0000-0000-0000-ffffff000019"], - "description": ["Builtin IDM Control for access profiles management."], - "acp_receiver": [], - "acp_receiver_group": ["00000000-0000-0000-0000-000000000011"], - "acp_targetscope": [ - "{\"and\": [{\"eq\": [\"class\",\"access_control_profile\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" - ], - "acp_search_attr": [ - "name", - "class", - "description", - "acp_enable", + Value::new_utf8s("Builtin IDM Control for reading high privilege accounts.") + ), + ( "acp_receiver_group", + Value::Refer(UUID_IDM_HP_ACCOUNT_READ_PRIV) + ), + ( "acp_targetscope", - "acp_search_attr", - "acp_modify_removedattr", - "acp_modify_presentattr", - "acp_modify_class", - "acp_create_class", - "acp_create_attr" - ], - "acp_modify_removedattr": [ - "name", - "class", - "description", - "acp_enable", - "acp_receiver_group", - "acp_targetscope", - "acp_search_attr", - "acp_modify_removedattr", - "acp_modify_presentattr", - "acp_modify_class", - "acp_create_class", - "acp_create_attr" - ], - "acp_modify_presentattr": [ - "name", - "class", - "description", - "acp_enable", - "acp_receiver_group", - "acp_targetscope", - "acp_search_attr", - "acp_modify_removedattr", - "acp_modify_presentattr", - "acp_modify_class", - "acp_create_class", - "acp_create_attr" - ], - "acp_modify_class": [ - "access_control_profile", - "access_control_search", - "access_control_modify", - "access_control_create", - "access_control_delete" - ], - "acp_create_attr": [ - "name", - "class", - "description", - "acp_enable", - "acp_receiver_group", - "acp_targetscope", - "acp_search_attr", - "acp_modify_removedattr", - "acp_modify_presentattr", - "acp_modify_class", - "acp_create_class", - "acp_create_attr" - ], - "acp_create_class": [ - "access_control_profile", 
- "access_control_search", - "access_control_modify", - "access_control_create", - "access_control_delete" - ] - } -}"#; + Value::new_json_filter_s( + "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" + ).unwrap() + ), + ("acp_search_attr", Value::new_iutf8("class")), + ("acp_search_attr", Value::new_iutf8("name")), + ("acp_search_attr", Value::new_iutf8("spn")), + ("acp_search_attr", Value::new_iutf8("uuid")), + ("acp_search_attr", Value::new_iutf8("displayname")), + ("acp_search_attr", Value::new_iutf8("ssh_publickey")), + ("acp_search_attr", Value::new_iutf8("primary_credential")), + ("acp_search_attr", Value::new_iutf8("memberof")), + ("acp_search_attr", Value::new_iutf8("account_expire")), + ("acp_search_attr", Value::new_iutf8("account_valid_from")), + ("acp_search_attr", Value::new_iutf8("passkeys")), + ("acp_search_attr", Value::new_iutf8("devicekeys")), + ("acp_search_attr", Value::new_iutf8("api_token_session")), + ("acp_search_attr", Value::new_iutf8("user_auth_token_session")) + ); +} -pub const JSON_IDM_ACP_SCHEMA_WRITE_CLASSES_PRIV_V1: &str = r#"{ - "attrs": { - "class": [ - "object", - "access_control_profile", - "access_control_search", - "access_control_modify", - "access_control_create" - ], - "name": ["idm_acp_schema_write_classes_priv"], - "uuid": ["00000000-0000-0000-0000-ffffff000020"], - "description": ["Builtin IDM Control for management of schema classes."], - "acp_receiver": [], - "acp_receiver_group": ["00000000-0000-0000-0000-000000000010"], - "acp_targetscope": [ - "{\"and\": [{\"eq\": [\"class\",\"classtype\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" - ], - "acp_search_attr": [ - "class", +lazy_static! 
{ + pub static ref E_IDM_ACP_HP_ACCOUNT_WRITE_PRIV_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_MODIFY.clone()), + ("name", Value::new_iname("idm_acp_hp_account_write_priv")), + ("uuid", Value::Uuid(UUID_IDM_ACP_HP_ACCOUNT_WRITE_PRIV_V1)), + ( "description", - "classname", - "systemmay", - "may", - "systemmust", - "must", - "uuid" - ], - "acp_modify_removedattr": [ - "class", + Value::new_utf8s("Builtin IDM Control for managing high privilege accounts (both person and service).") + ), + ( + "acp_receiver_group", + Value::Refer(UUID_IDM_HP_ACCOUNT_WRITE_PRIV) + ), + ( + "acp_targetscope", + Value::new_json_filter_s( + "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" + ).unwrap() + ), + ("acp_modify_removedattr", Value::new_iutf8("name")), + ("acp_modify_removedattr", Value::new_iutf8("displayname")), + ("acp_modify_removedattr", Value::new_iutf8("ssh_publickey")), + ("acp_modify_removedattr", Value::new_iutf8("primary_credential")), + ("acp_modify_removedattr", Value::new_iutf8("account_expire")), + ("acp_modify_removedattr", Value::new_iutf8("account_valid_from")), + ("acp_modify_removedattr", Value::new_iutf8("passkeys")), + ("acp_modify_removedattr", Value::new_iutf8("devicekeys")), + ("acp_modify_removedattr", Value::new_iutf8("api_token_session")), + ("acp_modify_removedattr", Value::new_iutf8("user_auth_token_session")), + + ("acp_modify_presentattr", Value::new_iutf8("name")), + ("acp_modify_presentattr", Value::new_iutf8("displayname")), + ("acp_modify_presentattr", Value::new_iutf8("ssh_publickey")), + ("acp_modify_presentattr", Value::new_iutf8("primary_credential")), + ("acp_modify_presentattr", Value::new_iutf8("account_expire")), + ("acp_modify_presentattr", 
Value::new_iutf8("account_valid_from")), + ("acp_modify_presentattr", Value::new_iutf8("passkeys")), + ("acp_modify_presentattr", Value::new_iutf8("devicekeys")), + ("acp_modify_presentattr", Value::new_iutf8("api_token_session")) + ); +} + +lazy_static! { + pub static ref E_IDM_ACP_HP_GROUP_WRITE_PRIV_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_MODIFY.clone()), + ("class", CLASS_ACCESS_CONTROL_SEARCH.clone()), + ("name", Value::new_iname("idm_acp_hp_group_write_priv")), + ("uuid", Value::Uuid(UUID_IDM_ACP_HP_GROUP_WRITE_PRIV_V1)), + ( "description", - "may", - "must" - ], - "acp_modify_presentattr": [ - "class", + Value::new_utf8s("Builtin IDM Control for managing high privilege groups") + ), + ( + "acp_receiver_group", + Value::Refer(UUID_IDM_HP_GROUP_WRITE_PRIV) + ), + ( + "acp_targetscope", + Value::new_json_filter_s( + "{\"and\": [{\"eq\": [\"class\",\"group\"]}, {\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" + ).unwrap() + ), + ("acp_search_attr", Value::new_iutf8("name")), + ("acp_search_attr", Value::new_iutf8("uuid")), + ("acp_search_attr", Value::new_iutf8("spn")), + ("acp_search_attr", Value::new_iutf8("uuid")), + ("acp_search_attr", Value::new_iutf8("description")), + ("acp_search_attr", Value::new_iutf8("member")), + ("acp_modify_removedattr", Value::new_iutf8("name")), + ("acp_modify_removedattr", Value::new_iutf8("description")), + ("acp_modify_removedattr", Value::new_iutf8("member")), + ("acp_modify_presentattr", Value::new_iutf8("name")), + ("acp_modify_presentattr", Value::new_iutf8("description")), + ("acp_modify_presentattr", Value::new_iutf8("member")) + ); +} + +lazy_static! 
{ + pub static ref E_IDM_ACP_SCHEMA_WRITE_ATTRS_PRIV_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_CREATE.clone()), + ("class", CLASS_ACCESS_CONTROL_MODIFY.clone()), + ("class", CLASS_ACCESS_CONTROL_SEARCH.clone()), + ("name", Value::new_iname("idm_acp_schema_write_attrs_priv")), + ("uuid", Value::Uuid(UUID_IDM_ACP_SCHEMA_WRITE_ATTRS_PRIV_V1)), + ( "description", - "may", - "must" - ], - "acp_modify_class": [], - "acp_create_attr": [ - "class", + Value::new_utf8s("Builtin IDM Control for management of schema attributes.") + ), + ( + "acp_receiver_group", + Value::Refer(UUID_IDM_SCHEMA_MANAGE_PRIV) + ), + ( + "acp_targetscope", + Value::new_json_filter_s( + "{\"and\": [{\"eq\": [\"class\",\"attributetype\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" + ).unwrap() + ), + ("acp_search_attr", Value::new_iutf8("class")), + ("acp_search_attr", Value::new_iutf8("description")), + ("acp_search_attr", Value::new_iutf8("index")), + ("acp_search_attr", Value::new_iutf8("unique")), + ("acp_search_attr", Value::new_iutf8("multivalue")), + ("acp_search_attr", Value::new_iutf8("attributename")), + ("acp_search_attr", Value::new_iutf8("syntax")), + ("acp_search_attr", Value::new_iutf8("uuid")), + + ("acp_modify_removedattr", Value::new_iutf8("description")), + ("acp_modify_removedattr", Value::new_iutf8("index")), + ("acp_modify_removedattr", Value::new_iutf8("unique")), + ("acp_modify_removedattr", Value::new_iutf8("multivalue")), + ("acp_modify_removedattr", Value::new_iutf8("syntax")), + + ("acp_modify_presentattr", Value::new_iutf8("description")), + ("acp_modify_presentattr", Value::new_iutf8("index")), + ("acp_modify_presentattr", Value::new_iutf8("unique")), + ("acp_modify_presentattr", Value::new_iutf8("multivalue")), + ("acp_modify_presentattr", Value::new_iutf8("syntax")), + + ("acp_create_attr", 
Value::new_iutf8("class")), + ("acp_create_attr", Value::new_iutf8("description")), + ("acp_create_attr", Value::new_iutf8("index")), + ("acp_create_attr", Value::new_iutf8("unique")), + ("acp_create_attr", Value::new_iutf8("multivalue")), + ("acp_create_attr", Value::new_iutf8("attributename")), + ("acp_create_attr", Value::new_iutf8("syntax")), + ("acp_create_attr", Value::new_iutf8("uuid")), + + ("acp_create_class", Value::new_iutf8("object")), + ("acp_create_class", Value::new_iutf8("attributetype")) + ); +} + +lazy_static! { + pub static ref E_IDM_ACP_ACP_MANAGE_PRIV_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_CREATE.clone()), + ("class", CLASS_ACCESS_CONTROL_DELETE.clone()), + ("class", CLASS_ACCESS_CONTROL_MODIFY.clone()), + ("class", CLASS_ACCESS_CONTROL_SEARCH.clone()), + ("name", Value::new_iname("idm_acp_acp_manage_priv")), + ("uuid", Value::Uuid(UUID_IDM_ACP_ACP_MANAGE_PRIV_V1)), + ( "description", - "classname", - "may", - "must", - "uuid" - ], - "acp_create_class": [ - "object", "classtype" - ] - } -}"#; + Value::new_utf8s("Builtin IDM Control for access profiles management.") + ), + ( + "acp_receiver_group", + Value::Refer(UUID_IDM_ACP_MANAGE_PRIV) + ), + ( + "acp_targetscope", + Value::new_json_filter_s( + "{\"and\": [{\"eq\": [\"class\",\"access_control_profile\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" + ).unwrap() + ), + ("acp_search_attr", Value::new_iutf8("class")), + ("acp_search_attr", Value::new_iutf8("name")), + ("acp_search_attr", Value::new_iutf8("description")), + ("acp_search_attr", Value::new_iutf8("acp_enable")), + ("acp_search_attr", Value::new_iutf8("acp_receiver_group")), + ("acp_search_attr", Value::new_iutf8("acp_targetscope")), + ("acp_search_attr", Value::new_iutf8("acp_search_attr")), + ("acp_search_attr", Value::new_iutf8("acp_modify_removedattr")), + 
("acp_search_attr", Value::new_iutf8("acp_modify_presentattr")),
+ ("acp_search_attr", Value::new_iutf8("acp_modify_class")),
+ ("acp_search_attr", Value::new_iutf8("acp_create_class")),
+ ("acp_search_attr", Value::new_iutf8("acp_create_attr")),
+
+ ("acp_modify_removedattr", Value::new_iutf8("class")),
+ ("acp_modify_removedattr", Value::new_iutf8("name")),
+ ("acp_modify_removedattr", Value::new_iutf8("description")),
+ ("acp_modify_removedattr", Value::new_iutf8("acp_enable")),
+ ("acp_modify_removedattr", Value::new_iutf8("acp_receiver_group")),
+ ("acp_modify_removedattr", Value::new_iutf8("acp_targetscope")),
+ ("acp_modify_removedattr", Value::new_iutf8("acp_search_attr")),
+ ("acp_modify_removedattr", Value::new_iutf8("acp_modify_removedattr")),
+ ("acp_modify_removedattr", Value::new_iutf8("acp_modify_presentattr")),
+ ("acp_modify_removedattr", Value::new_iutf8("acp_modify_class")),
+ ("acp_modify_removedattr", Value::new_iutf8("acp_create_class")),
+ ("acp_modify_removedattr", Value::new_iutf8("acp_create_attr")),
+
+ ("acp_modify_presentattr", Value::new_iutf8("class")),
+ ("acp_modify_presentattr", Value::new_iutf8("name")),
+ ("acp_modify_presentattr", Value::new_iutf8("description")),
+ ("acp_modify_presentattr", Value::new_iutf8("acp_enable")),
+ ("acp_modify_presentattr", Value::new_iutf8("acp_receiver_group")),
+ ("acp_modify_presentattr", Value::new_iutf8("acp_targetscope")),
+ ("acp_modify_presentattr", Value::new_iutf8("acp_search_attr")),
+ ("acp_modify_presentattr", Value::new_iutf8("acp_modify_removedattr")),
+ ("acp_modify_presentattr", Value::new_iutf8("acp_modify_presentattr")),
+ ("acp_modify_presentattr", Value::new_iutf8("acp_modify_class")),
+ ("acp_modify_presentattr", Value::new_iutf8("acp_create_class")),
+ ("acp_modify_presentattr", Value::new_iutf8("acp_create_attr")),
+
+ ("acp_create_attr", Value::new_iutf8("class")),
+ ("acp_create_attr", Value::new_iutf8("name")),
+ ("acp_create_attr", Value::new_iutf8("description")),
+
("acp_create_attr", Value::new_iutf8("acp_enable")),
+ ("acp_create_attr", Value::new_iutf8("acp_receiver_group")),
+ ("acp_create_attr", Value::new_iutf8("acp_targetscope")),
+ ("acp_create_attr", Value::new_iutf8("acp_search_attr")),
+ ("acp_create_attr", Value::new_iutf8("acp_modify_removedattr")),
+ ("acp_create_attr", Value::new_iutf8("acp_modify_presentattr")),
+ ("acp_create_attr", Value::new_iutf8("acp_modify_class")),
+ ("acp_create_attr", Value::new_iutf8("acp_create_class")),
+ ("acp_create_attr", Value::new_iutf8("acp_create_attr")),
+
+
+ ("acp_modify_class", Value::new_iutf8("access_control_profile")),
+ ("acp_modify_class", Value::new_iutf8("access_control_search")),
+ ("acp_modify_class", Value::new_iutf8("access_control_modify")),
+ ("acp_modify_class", Value::new_iutf8("access_control_create")),
+ ("acp_modify_class", Value::new_iutf8("access_control_delete")),
+
+ ("acp_create_class", Value::new_iutf8("access_control_profile")),
+ ("acp_create_class", Value::new_iutf8("access_control_search")),
+ ("acp_create_class", Value::new_iutf8("access_control_modify")),
+ ("acp_create_class", Value::new_iutf8("access_control_create")),
+ ("acp_create_class", Value::new_iutf8("access_control_delete"))
+ );
+}
+
+lazy_static!
{
+ pub static ref E_IDM_ACP_SCHEMA_WRITE_CLASSES_PRIV_V1: EntryInitNew = entry_init!(
+ ("class", CLASS_OBJECT.clone()),
+ ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()),
+ ("class", CLASS_ACCESS_CONTROL_CREATE.clone()),
+ ("class", CLASS_ACCESS_CONTROL_MODIFY.clone()),
+ ("class", CLASS_ACCESS_CONTROL_SEARCH.clone()),
+ ("name", Value::new_iname("idm_acp_schema_write_classes_priv")),
+ ("uuid", Value::Uuid(UUID_IDM_ACP_SCHEMA_WRITE_CLASSES_PRIV_V1)),
+ (
+ "description",
+ Value::new_utf8s("Builtin IDM Control for management of schema classes.")
+ ),
+ (
+ "acp_receiver_group",
+ Value::Refer(UUID_IDM_SCHEMA_MANAGE_PRIV)
+ ),
+ (
+ "acp_targetscope",
+ Value::new_json_filter_s(
+ "{\"and\": [{\"eq\": [\"class\",\"classtype\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
+ ).unwrap()
+ ),
+ ("acp_search_attr", Value::new_iutf8("class")),
+ ("acp_search_attr", Value::new_iutf8("classname")),
+ ("acp_search_attr", Value::new_iutf8("description")),
+ ("acp_search_attr", Value::new_iutf8("systemmay")),
+ ("acp_search_attr", Value::new_iutf8("may")),
+ ("acp_search_attr", Value::new_iutf8("systemmust")),
+ ("acp_search_attr", Value::new_iutf8("must")),
+ ("acp_search_attr", Value::new_iutf8("uuid")),
+ ("acp_modify_removedattr", Value::new_iutf8("class")),
+ ("acp_modify_removedattr", Value::new_iutf8("description")),
+ ("acp_modify_removedattr", Value::new_iutf8("may")),
+ ("acp_modify_removedattr", Value::new_iutf8("must")),
+ ("acp_modify_presentattr", Value::new_iutf8("name")),
+ ("acp_modify_presentattr", Value::new_iutf8("description")),
+ ("acp_modify_presentattr", Value::new_iutf8("may")),
+ ("acp_modify_presentattr", Value::new_iutf8("must")),
+ ("acp_create_attr", Value::new_iutf8("class")),
+ ("acp_create_attr", Value::new_iutf8("classname")),
+ ("acp_create_attr", Value::new_iutf8("description")),
+ ("acp_create_attr", Value::new_iutf8("may")),
+ ("acp_create_attr", Value::new_iutf8("must")),
+
("acp_create_attr", Value::new_iutf8("uuid")), + ("acp_create_class", Value::new_iutf8("object")), + ("acp_create_class", Value::new_iutf8("classtype")) + ); +} // 21 - anonymous / everyone schema read. -// 22 - group create right -pub const JSON_IDM_ACP_GROUP_MANAGE_PRIV_V1: &str = r#"{ - "attrs": { - "class": [ - "object", - "access_control_profile", - "access_control_delete", - "access_control_create" - ], - "name": ["idm_acp_group_manage"], - "uuid": ["00000000-0000-0000-0000-ffffff000022"], - "description": ["Builtin IDM Control for creating and deleting groups in the directory"], - "acp_receiver": [], - "acp_receiver_group": ["00000000-0000-0000-0000-000000000015"], - "acp_targetscope": [ - "{\"and\": [{\"eq\": [\"class\",\"group\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" - ], - "acp_create_attr": [ - "class", - "name", +lazy_static! { + pub static ref E_IDM_ACP_GROUP_MANAGE_PRIV_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_DELETE.clone()), + ("class", CLASS_ACCESS_CONTROL_CREATE.clone()), + ("name", Value::new_iname("idm_acp_group_manage")), + ("uuid", Value::Uuid(UUID_IDM_ACP_GROUP_MANAGE_PRIV_V1)), + ( "description", - "member" - ], - "acp_create_class": [ - "object", "group" - ] - } -}"#; + Value::new_utf8s("Builtin IDM Control for creating and deleting groups in the directory") + ), + ( + "acp_receiver_group", + Value::Refer(UUID_IDM_GROUP_MANAGE_PRIV) + ), + ( + "acp_targetscope", + Value::new_json_filter_s( + "{\"and\": [{\"eq\": [\"class\",\"group\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" + ).unwrap() + ), + ("acp_create_attr", Value::new_iutf8("class")), + ("acp_create_attr", 
Value::new_iutf8("name")), + ("acp_create_attr", Value::new_iutf8("description")), + ("acp_create_attr", Value::new_iutf8("member")), + ("acp_create_class", Value::new_iutf8("object")), + ("acp_create_class", Value::new_iutf8("group")) + ); +} -// 23 - HP account manage -pub const JSON_IDM_ACP_HP_ACCOUNT_MANAGE_PRIV_V1: &str = r#"{ - "attrs": { - "class": [ - "object", - "access_control_profile", - "access_control_delete", - "access_control_create" - ], - "name": ["idm_acp_hp_account_manage"], - "uuid": ["00000000-0000-0000-0000-ffffff000023"], - "description": ["Builtin IDM Control for creating and deleting hp and regular (service) accounts"], - "acp_receiver": [], - "acp_receiver_group": ["00000000-0000-0000-0000-000000000016"], - "acp_targetscope": [ +lazy_static! { + pub static ref E_IDM_ACP_HP_ACCOUNT_MANAGE_PRIV_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_DELETE.clone()), + ("class", CLASS_ACCESS_CONTROL_CREATE.clone()), + ("name", Value::new_iname("idm_acp_hp_account_manage")), + ("uuid", Value::Uuid(UUID_IDM_ACP_HP_ACCOUNT_MANAGE_PRIV_V1)), + ( + "description", + Value::new_utf8s("Builtin IDM Control for creating and deleting hp and regular (service) accounts") + ), + ( + "acp_receiver_group", + Value::Refer(UUID_IDM_HP_ACCOUNT_MANAGE_PRIV) + ), + ( + "acp_targetscope", + Value::new_json_filter_s( "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" - ], - "acp_create_attr": [ - "class", - "name", - "displayname", - "description", - "primary_credential", - "ssh_publickey", - "account_expire", - "account_valid_from", - "passkeys", - "devicekeys" - ], - "acp_create_class": [ - "object", "account", "service_account" - ] - } -}"#; + ).unwrap() + ), + ("acp_create_attr", Value::new_iutf8("class")), + ("acp_create_attr", Value::new_iutf8("name")), + 
("acp_create_attr", Value::new_iutf8("displayname")),
+ ("acp_create_attr", Value::new_iutf8("description")),
+ ("acp_create_attr", Value::new_iutf8("primary_credential")),
+ ("acp_create_attr", Value::new_iutf8("ssh_publickey")),
+ ("acp_create_attr", Value::new_iutf8("account_expire")),
+ ("acp_create_attr", Value::new_iutf8("account_valid_from")),
+ ("acp_create_attr", Value::new_iutf8("passkeys")),
+ ("acp_create_attr", Value::new_iutf8("devicekeys")),
+ ("acp_create_class", Value::new_iutf8("object")),
+ ("acp_create_class", Value::new_iutf8("account")),
+ ("acp_create_class", Value::new_iutf8("service_account"))
+ );
+}
-// 24 - hp group manage
-pub const JSON_IDM_ACP_HP_GROUP_MANAGE_PRIV_V1: &str = r#"{
- "attrs": {
- "class": [
- "object",
- "access_control_profile",
- "access_control_delete",
- "access_control_create"
- ],
- "name": ["idm_acp_hp_group_manage"],
- "uuid": ["00000000-0000-0000-0000-ffffff000024"],
- "description": ["Builtin IDM Control for creating and deleting hp and regular groups in the directory"],
- "acp_receiver": [],
- "acp_receiver_group": ["00000000-0000-0000-0000-000000000017"],
- "acp_targetscope": [
- "{\"and\": [{\"eq\": [\"class\",\"group\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
- ],
- "acp_create_attr": [
- "class",
- "name",
+lazy_static!
{ + pub static ref E_IDM_ACP_HP_GROUP_MANAGE_PRIV_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_DELETE.clone()), + ("class", CLASS_ACCESS_CONTROL_CREATE.clone()), + ("name", Value::new_iname("idm_acp_hp_group_manage")), + ("uuid", Value::Uuid(UUID_IDM_ACP_HP_GROUP_MANAGE_PRIV_V1)), + ( "description", - "member" - ], - "acp_create_class": [ - "object", "group" - ] - } -}"#; + Value::new_utf8s("Builtin IDM Control for creating and deleting hp and regular groups in the directory") + ), + ( + "acp_receiver_group", + Value::Refer(UUID_IDM_HP_GROUP_MANAGE_PRIV) + ), + ( + "acp_targetscope", + Value::new_json_filter_s( + "{\"and\": [{\"eq\": [\"class\",\"group\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" + ).unwrap() + ), + ("acp_create_attr", Value::new_iutf8("class")), + ("acp_create_attr", Value::new_iutf8("name")), + ("acp_create_attr", Value::new_iutf8("description")), + ("acp_create_attr", Value::new_iutf8("member")), + ("acp_create_class", Value::new_iutf8("object")), + ("acp_create_class", Value::new_iutf8("group")) + ); +} // 28 - domain admins acp pub const JSON_IDM_ACP_DOMAIN_ADMIN_PRIV_V1: &str = r#"{ 
@@ -1011,340 +1193,392 @@ pub const JSON_IDM_ACP_DOMAIN_ADMIN_PRIV_V1: &str = r#"{ } }"#; -// 28 - system config -pub const JSON_IDM_ACP_SYSTEM_CONFIG_PRIV_V1: &str = r#"{ - "attrs": { - "class": [ - "object", - "access_control_profile", - "access_control_search", - "access_control_modify" - ], - "name": ["idm_acp_system_config_priv"], - "uuid": ["00000000-0000-0000-0000-ffffff000028"], - "description": ["Builtin IDM Control for granting system configuration rights"], - "acp_receiver": [], - "acp_receiver_group": ["00000000-0000-0000-0000-000000000019"], - "acp_targetscope": [ - "{\"and\": [{\"eq\": [\"uuid\",\"00000000-0000-0000-0000-ffffff000027\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" - ], - "acp_search_attr": [ - "name", - "uuid", +lazy_static! { + pub static ref E_IDM_ACP_DOMAIN_ADMIN_PRIV_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_MODIFY.clone()), + ("class", CLASS_ACCESS_CONTROL_SEARCH.clone()), + ("name", Value::new_iname("idm_acp_domain_admin_priv")), + ("uuid", Value::Uuid(UUID_IDM_ACP_DOMAIN_ADMIN_PRIV_V1)), + ( "description", - "badlist_password" - ], - "acp_modify_removedattr": [ - "badlist_password" - ], - "acp_modify_presentattr": [ - "badlist_password" - ] - } -}"#; + Value::new_utf8s("Builtin IDM Control for granting domain info administration locally") + ), + ( + "acp_receiver_group", + Value::Refer(UUID_DOMAIN_ADMINS) + ), + ( + "acp_targetscope", + Value::new_json_filter_s( + "{\"and\": [{\"eq\": [\"uuid\",\"00000000-0000-0000-0000-ffffff000025\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" + ).unwrap() + ), + ("acp_search_attr", Value::new_iutf8("name")), + ("acp_search_attr", Value::new_iutf8("uuid")), + ("acp_search_attr", Value::new_iutf8("domain_display_name")), + ("acp_search_attr", 
Value::new_iutf8("domain_name")),
+ ("acp_search_attr", Value::new_iutf8("domain_ssid")),
+ ("acp_search_attr", Value::new_iutf8("domain_uuid")),
+ ("acp_search_attr", Value::new_iutf8("es256_private_key_der")),
+ ("acp_search_attr", Value::new_iutf8("fernet_private_key_str")),
+ ("acp_search_attr", Value::new_iutf8("cookie_private_key")),
+ ("acp_modify_removedattr", Value::new_iutf8("domain_display_name")),
+ ("acp_modify_removedattr", Value::new_iutf8("domain_ssid")),
+ ("acp_modify_removedattr", Value::new_iutf8("es256_private_key_der")),
+ ("acp_modify_removedattr", Value::new_iutf8("cookie_private_key")),
+ ("acp_modify_removedattr", Value::new_iutf8("fernet_private_key_str")),
+ ("acp_modify_presentattr", Value::new_iutf8("domain_display_name")),
+ ("acp_modify_presentattr", Value::new_iutf8("domain_ssid"))
+ );
+}
-// 29 account unix extend
-pub const JSON_IDM_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1: &str = r#"{
- "attrs": {
- "class": [
- "object",
- "access_control_search",
- "access_control_profile",
- "access_control_modify"
- ],
- "name": ["idm_acp_account_unix_extend_priv"],
- "uuid": ["00000000-0000-0000-0000-ffffff000029"],
- "description": ["Builtin IDM Control for managing accounts."],
- "acp_receiver": [],
- "acp_receiver_group": ["00000000-0000-0000-0000-000000000021"],
- "acp_targetscope": [
- "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
- ],
- "acp_search_attr": [
- "class", "name", "spn", "uuid", "description", "gidnumber", "loginshell", "unix_password"
- ],
- "acp_modify_removedattr": [
- "loginshell", "gidnumber", "unix_password"
- ],
- "acp_modify_presentattr": [
- "class", "loginshell", "gidnumber", "unix_password"
- ],
- "acp_modify_class": ["posixaccount"]
- }
-}"#;
-// 30 group unix extend
-pub const JSON_IDM_ACP_GROUP_UNIX_EXTEND_PRIV_V1: &str = r#"{
- "attrs": {
- "class":
[
- "object",
- "access_control_profile",
- "access_control_search",
- "access_control_modify"
- ],
- "name": ["idm_acp_group_unix_extend_priv"],
- "uuid": ["00000000-0000-0000-0000-ffffff000030"],
- "description": ["Builtin IDM Control for managing and extending unix groups"],
- "acp_receiver": [],
- "acp_receiver_group": ["00000000-0000-0000-0000-000000000022"],
- "acp_targetscope": [
- "{\"and\": [{\"eq\": [\"class\",\"group\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
- ],
- "acp_search_attr": [
- "class", "name", "spn", "uuid", "description", "member", "gidnumber"
- ],
- "acp_modify_removedattr": [
- "gidnumber"
- ],
- "acp_modify_presentattr": [
- "class", "gidnumber"
- ],
- "acp_modify_class": ["posixgroup"]
- }
-}"#;
+lazy_static! {
+ pub static ref E_IDM_ACP_SYSTEM_CONFIG_PRIV_V1: EntryInitNew = entry_init!(
+ ("class", CLASS_OBJECT.clone()),
+ ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()),
+ ("class", CLASS_ACCESS_CONTROL_MODIFY.clone()),
+ ("class", CLASS_ACCESS_CONTROL_SEARCH.clone()),
+ ("name", Value::new_iname("idm_acp_system_config_priv")),
+ ("uuid", Value::Uuid(UUID_IDM_ACP_SYSTEM_CONFIG_PRIV_V1)),
+ (
+ "description",
+ Value::new_utf8s("Builtin IDM Control for granting system configuration rights")
+ ),
+ (
+ "acp_receiver_group",
+ Value::Refer(UUID_SYSTEM_ADMINS)
+ ),
+ (
+ "acp_targetscope",
+ Value::new_json_filter_s(
+ "{\"and\": [{\"eq\": [\"uuid\",\"00000000-0000-0000-0000-ffffff000027\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
+ ).unwrap()
+ ),
+ ("acp_search_attr", Value::new_iutf8("name")),
+ ("acp_search_attr", Value::new_iutf8("uuid")),
+ ("acp_search_attr", Value::new_iutf8("description")),
+ ("acp_search_attr", Value::new_iutf8("badlist_password")),
+ ("acp_modify_removedattr", Value::new_iutf8("badlist_password")),
+
("acp_modify_presentattr", Value::new_iutf8("badlist_password"))
+ );
+}
-// 33 hp account unix extend
-pub const JSON_IDM_HP_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1: &str = r#"{
- "attrs": {
- "class": [
- "object",
- "access_control_search",
- "access_control_profile",
- "access_control_modify"
- ],
- "name": ["idm_acp_hp_account_unix_extend_priv"],
- "uuid": ["00000000-0000-0000-0000-ffffff000033"],
- "description": ["Builtin IDM Control for managing and extending unix high privilege accounts."],
- "acp_receiver": [],
- "acp_receiver_group": ["00000000-0000-0000-0000-000000000025"],
- "acp_targetscope": [
- "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
- ],
- "acp_search_attr": [
- "class", "name", "spn", "uuid", "description", "gidnumber", "loginshell", "unix_password"
- ],
- "acp_modify_removedattr": [
- "loginshell", "gidnumber", "unix_password"
- ],
- "acp_modify_presentattr": [
- "class", "loginshell", "gidnumber", "unix_password"
- ],
- "acp_modify_class": ["posixaccount"]
- }
-}"#;
-// 34 hp group unix extend
-pub const JSON_IDM_HP_ACP_GROUP_UNIX_EXTEND_PRIV_V1: &str = r#"{
- "attrs": {
- "class": [
- "object",
- "access_control_profile",
- "access_control_search",
- "access_control_modify"
- ],
- "name": ["idm_acp_hp_group_unix_extend_priv"],
- "uuid": ["00000000-0000-0000-0000-ffffff000034"],
- "description": ["Builtin IDM Control for managing and extending unix high privilege groups"],
- "acp_receiver": [],
- "acp_receiver_group": ["00000000-0000-0000-0000-000000000026"],
- "acp_targetscope": [
- "{\"and\": [{\"eq\": [\"class\",\"group\"]}, {\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
- ],
- "acp_search_attr": [
- "class", "name", "spn", "uuid", "description", "member",
"gidnumber"
- ],
- "acp_modify_removedattr": [
- "gidnumber"
- ],
- "acp_modify_presentattr": [
- "class", "gidnumber"
- ],
- "acp_modify_class": ["posixgroup"]
- }
-}"#;
+lazy_static! {
+ pub static ref E_IDM_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1: EntryInitNew = entry_init!(
+ ("class", CLASS_OBJECT.clone()),
+ ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()),
+ ("class", CLASS_ACCESS_CONTROL_MODIFY.clone()),
+ ("class", CLASS_ACCESS_CONTROL_SEARCH.clone()),
+ ("name", Value::new_iname("idm_acp_account_unix_extend_priv")),
+ ("uuid", Value::Uuid(UUID_IDM_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1)),
+ (
+ "description",
+ Value::new_utf8s("Builtin IDM Control for managing and extending unix accounts")
+ ),
+ (
+ "acp_receiver_group",
+ Value::Refer(UUID_IDM_ACCOUNT_UNIX_EXTEND_PRIV)
+ ),
+ (
+ "acp_targetscope",
+ Value::new_json_filter_s(
+ "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
+ ).unwrap()
+ ),
+ ("acp_search_attr", Value::new_iutf8("class")),
+ ("acp_search_attr", Value::new_iutf8("name")),
+ ("acp_search_attr", Value::new_iutf8("uuid")),
+ ("acp_search_attr", Value::new_iutf8("spn")),
+ ("acp_search_attr", Value::new_iutf8("description")),
+ ("acp_search_attr", Value::new_iutf8("gidnumber")),
+ ("acp_search_attr", Value::new_iutf8("loginshell")),
+ ("acp_search_attr", Value::new_iutf8("unix_password")),
+ ("acp_modify_removedattr", Value::new_iutf8("gidnumber")),
+ ("acp_modify_removedattr", Value::new_iutf8("loginshell")),
+ ("acp_modify_removedattr", Value::new_iutf8("unix_password")),
+ ("acp_modify_presentattr", Value::new_iutf8("class")),
+ ("acp_modify_presentattr", Value::new_iutf8("gidnumber")),
+ ("acp_modify_presentattr", Value::new_iutf8("loginshell")),
+ ("acp_modify_presentattr", Value::new_iutf8("unix_password")),
+ ("acp_modify_class", Value::new_iutf8("posixaccount"))
+ );
+}
-// 35
oauth2 manage -pub const JSON_IDM_HP_ACP_OAUTH2_MANAGE_PRIV_V1: &str = r#"{ - "attrs": { - "class": [ - "object", - "access_control_profile", - "access_control_search", - "access_control_modify", - "access_control_delete", - "access_control_create" - ], - "name": ["idm_acp_hp_oauth2_manage_priv"], - "uuid": ["00000000-0000-0000-0000-ffffff000035"], - "description": ["Builtin IDM Control for managing oauth2 resource server integrations."], - "acp_receiver": [], - "acp_receiver_group": ["00000000-0000-0000-0000-000000000027"], - "acp_targetscope": [ - "{\"and\": [{\"eq\": [\"class\",\"oauth2_resource_server\"]},{\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" - ], - "acp_search_attr": [ - "class", +lazy_static! { + pub static ref E_IDM_ACP_GROUP_UNIX_EXTEND_PRIV_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_MODIFY.clone()), + ("class", CLASS_ACCESS_CONTROL_SEARCH.clone()), + ("name", Value::new_iname("idm_acp_group_unix_extend_priv")), + ("uuid", Value::Uuid(UUID_IDM_ACP_GROUP_UNIX_EXTEND_PRIV_V1)), + ( "description", - "displayname", - "oauth2_rs_name", - "oauth2_rs_origin", - "oauth2_rs_origin_landing", - "oauth2_rs_scope_map", - "oauth2_rs_sup_scope_map", - "oauth2_rs_basic_secret", - "oauth2_rs_token_key", - "es256_private_key_der", - "oauth2_allow_insecure_client_disable_pkce", - "rs256_private_key_der", - "oauth2_jwt_legacy_crypto_enable", - "oauth2_prefer_short_username" - ], - "acp_modify_removedattr": [ - "description", - "displayname", - "oauth2_rs_name", - "oauth2_rs_origin", - "oauth2_rs_origin_landing", - "oauth2_rs_scope_map", - "oauth2_rs_sup_scope_map", - "oauth2_rs_basic_secret", - "oauth2_rs_token_key", - "es256_private_key_der", - "oauth2_allow_insecure_client_disable_pkce", - "rs256_private_key_der", - "oauth2_jwt_legacy_crypto_enable", - "oauth2_prefer_short_username" - ], - 
"acp_modify_presentattr": [
- "description",
- "displayname",
- "oauth2_rs_name",
- "oauth2_rs_origin",
- "oauth2_rs_origin_landing",
- "oauth2_rs_sup_scope_map",
- "oauth2_rs_scope_map",
- "oauth2_allow_insecure_client_disable_pkce",
- "oauth2_jwt_legacy_crypto_enable",
- "oauth2_prefer_short_username"
- ],
- "acp_modify_class": [],
- "acp_create_attr": [
- "class",
- "description",
- "displayname",
- "oauth2_rs_name",
- "oauth2_rs_origin",
- "oauth2_rs_origin_landing",
- "oauth2_rs_sup_scope_map",
- "oauth2_rs_scope_map",
- "oauth2_allow_insecure_client_disable_pkce",
- "oauth2_jwt_legacy_crypto_enable",
- "oauth2_prefer_short_username"
- ],
- "acp_create_class": ["oauth2_resource_server", "oauth2_resource_server_basic", "object"]
- }
-}"#;
+ Value::new_utf8s("Builtin IDM Control for managing and extending unix groups")
+ ),
+ (
+ "acp_receiver_group",
+ Value::Refer(UUID_IDM_GROUP_UNIX_EXTEND_PRIV)
+ ),
+ (
+ "acp_targetscope",
+ Value::new_json_filter_s(
+ "{\"and\": [{\"eq\": [\"class\",\"group\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
+ ).unwrap()
+ ),
+ ("acp_search_attr", Value::new_iutf8("class")),
+ ("acp_search_attr", Value::new_iutf8("name")),
+ ("acp_search_attr", Value::new_iutf8("uuid")),
+ ("acp_search_attr", Value::new_iutf8("spn")),
+ ("acp_search_attr", Value::new_iutf8("description")),
+ ("acp_search_attr", Value::new_iutf8("member")),
+ ("acp_search_attr", Value::new_iutf8("gidnumber")),
+ ("acp_modify_removedattr", Value::new_iutf8("gidnumber")),
+ ("acp_modify_presentattr", Value::new_iutf8("class")),
+ ("acp_modify_presentattr", Value::new_iutf8("gidnumber")),
+ ("acp_modify_class", Value::new_iutf8("posixgroup"))
+ );
+}
-pub const JSON_IDM_HP_ACP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_V1: &str = r#"{
- "attrs": {
- "class": [
- "object",
- "access_control_search",
- "access_control_profile",
-
"access_control_modify"
- ],
- "name": ["idm_hp_acp_service_account_into_person_migrate"],
- "uuid": ["00000000-0000-0000-0000-ffffff000042"],
- "description": ["Builtin IDM Control allowing service accounts to be migrated into persons"],
- "acp_receiver": [],
- "acp_receiver_group": ["00000000-0000-0000-0000-000000000034"],
- "acp_targetscope": [
- "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
- ],
- "acp_search_attr": [
- "class", "name", "uuid"
- ],
- "acp_modify_removedattr": [
- "class"
- ],
- "acp_modify_presentattr": [
- "class"
- ],
- "acp_modify_class": ["service_account", "person"]
- }
-}"#;
+lazy_static! {
+ pub static ref E_IDM_HP_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1: EntryInitNew = entry_init!(
+ ("class", CLASS_OBJECT.clone()),
+ ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()),
+ ("class", CLASS_ACCESS_CONTROL_MODIFY.clone()),
+ ("class", CLASS_ACCESS_CONTROL_SEARCH.clone()),
+ ("name", Value::new_iname("idm_acp_hp_account_unix_extend_priv")),
+ ("uuid", Value::Uuid(UUID_IDM_HP_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1)),
+ (
+ "description",
+ Value::new_utf8s("Builtin IDM Control for managing and extending unix accounts")
+ ),
+ (
+ "acp_receiver_group",
+ Value::Refer(UUID_IDM_HP_ACCOUNT_UNIX_EXTEND_PRIV)
+ ),
+ (
+ "acp_targetscope",
+ Value::new_json_filter_s(
+ "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
+ ).unwrap()
+ ),
+ ("acp_search_attr", Value::new_iutf8("class")),
+ ("acp_search_attr", Value::new_iutf8("name")),
+ ("acp_search_attr", Value::new_iutf8("uuid")),
+ ("acp_search_attr", Value::new_iutf8("spn")),
+ ("acp_search_attr", Value::new_iutf8("description")),
+ ("acp_search_attr", Value::new_iutf8("gidnumber")),
+ ("acp_search_attr", Value::new_iutf8("loginshell")),
+
("acp_search_attr", Value::new_iutf8("unix_password")),
+ ("acp_modify_removedattr", Value::new_iutf8("gidnumber")),
+ ("acp_modify_removedattr", Value::new_iutf8("loginshell")),
+ ("acp_modify_removedattr", Value::new_iutf8("unix_password")),
+ ("acp_modify_presentattr", Value::new_iutf8("class")),
+ ("acp_modify_presentattr", Value::new_iutf8("gidnumber")),
+ ("acp_modify_presentattr", Value::new_iutf8("loginshell")),
+ ("acp_modify_presentattr", Value::new_iutf8("unix_password")),
+ ("acp_modify_class", Value::new_iutf8("posixaccount"))
+ );
+}
-/*
-// Removed in favour of a dynamic check inside of access.rs that is based on membership to an
-// oauth2 rs.
-pub const JSON_IDM_ACP_OAUTH2_READ_PRIV_V1: &str = r#"{
- "attrs": {
- "class": [
- "object",
- "access_control_profile",
- "access_control_search"
- ],
- "name": ["idm_acp_oauth2_read_priv"],
- "uuid": ["00000000-0000-0000-0000-ffffff000043"],
- "description": ["Builtin IDM Control allowing persons to view oauth2 applications they can access"],
- "acp_receiver": [],
- "acp_receiver_group": ["00000000-0000-0000-0000-000000000035"],
- "acp_targetscope": [
- "{\"and\": [{\"eq\": [\"class\",\"oauth2_resource_server\"]},{\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
- ],
- "acp_search_attr": [
- "class",
- "displayname",
- "oauth2_rs_name",
- "oauth2_rs_origin",
- "oauth2_rs_origin_landing"
- ]
- }
-}"#;
-*/
+lazy_static!
{ + pub static ref E_IDM_HP_ACP_GROUP_UNIX_EXTEND_PRIV_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_MODIFY.clone()), + ("class", CLASS_ACCESS_CONTROL_SEARCH.clone()), + ("name", Value::new_iname("idm_acp_hp_group_unix_extend_priv")), + ("uuid", Value::Uuid(UUID_IDM_HP_ACP_GROUP_UNIX_EXTEND_PRIV_V1)), + ( + "description", + Value::new_utf8s("Builtin IDM Control for managing and extending unix high privilege groups") + ), + ( + "acp_receiver_group", + Value::Refer(UUID_IDM_HP_GROUP_UNIX_EXTEND_PRIV) + ), + ( + "acp_targetscope", + Value::new_json_filter_s( + "{\"and\": [{\"eq\": [\"class\",\"group\"]}, {\"eq\": [\"memberof\",\"00000000-0000-0000-0000-000000001000\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" + ).unwrap() + ), + ("acp_search_attr", Value::new_iutf8("class")), + ("acp_search_attr", Value::new_iutf8("name")), + ("acp_search_attr", Value::new_iutf8("uuid")), + ("acp_search_attr", Value::new_iutf8("spn")), + ("acp_search_attr", Value::new_iutf8("description")), + ("acp_search_attr", Value::new_iutf8("member")), + ("acp_search_attr", Value::new_iutf8("gidnumber")), + ("acp_modify_removedattr", Value::new_iutf8("gidnumber")), + ("acp_modify_presentattr", Value::new_iutf8("class")), + ("acp_modify_presentattr", Value::new_iutf8("gidnumber")), + ("acp_modify_class", Value::new_iutf8("posixgroup")) + ); +} -pub const JSON_IDM_HP_ACP_SYNC_ACCOUNT_MANAGE_PRIV_V1: &str = r#"{ - "attrs": { - "class": [ - "object", - "access_control_profile", - "access_control_search", - "access_control_modify", - "access_control_delete", - "access_control_create" - ], - "name": ["idm_acp_hp_sync_account_manage_priv"], - "uuid": ["00000000-0000-0000-0000-ffffff000044"], - "description": ["Builtin IDM Control for managing IDM synchronisation accounts / connections"], - "acp_receiver": [], - "acp_receiver_group": 
["00000000-0000-0000-0000-000000000037"], - "acp_targetscope": [ - "{\"and\": [{\"eq\": [\"class\",\"sync_account\"]},{\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" - ], - "acp_search_attr": [ - "class", - "name", +lazy_static! { + pub static ref E_IDM_HP_ACP_OAUTH2_MANAGE_PRIV_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_CREATE.clone()), + ("class", CLASS_ACCESS_CONTROL_DELETE.clone()), + ("class", CLASS_ACCESS_CONTROL_MODIFY.clone()), + ("class", CLASS_ACCESS_CONTROL_SEARCH.clone()), + ("name", Value::new_iname("idm_acp_hp_oauth2_manage_priv")), + ("uuid", Value::Uuid(UUID_IDM_HP_ACP_OAUTH2_MANAGE_PRIV_V1)), + ( "description", - "jws_es256_private_key", - "sync_token_session", - "sync_cookie" - ], - "acp_modify_removedattr": [ - "name", + Value::new_utf8s("Builtin IDM Control for managing oauth2 resource server integrations.") + ), + ( + "acp_receiver_group", + Value::Refer(UUID_IDM_HP_OAUTH2_MANAGE_PRIV) + ), + ( + "acp_targetscope", + Value::new_json_filter_s( + "{\"and\": [{\"eq\": [\"class\",\"oauth2_resource_server\"]},{\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" + ).unwrap() + ), + ("acp_search_attr", Value::new_iutf8("class")), + ("acp_search_attr", Value::new_iutf8("description")), + ("acp_search_attr", Value::new_iutf8("displayname")), + ("acp_search_attr", Value::new_iutf8("oauth2_rs_name")), + ("acp_search_attr", Value::new_iutf8("oauth2_rs_origin")), + ("acp_search_attr", Value::new_iutf8("oauth2_rs_origin_landing")), + ("acp_search_attr", Value::new_iutf8("oauth2_rs_scope_map")), + ("acp_search_attr", Value::new_iutf8("oauth2_rs_sup_scope_map")), + ("acp_search_attr", Value::new_iutf8("oauth2_rs_basic_secret")), + ("acp_search_attr", Value::new_iutf8("oauth2_rs_token_key")), + ("acp_search_attr", 
Value::new_iutf8("es256_private_key_der")), + ("acp_search_attr", Value::new_iutf8("oauth2_allow_insecure_client_disable_pkce")), + ("acp_search_attr", Value::new_iutf8("rs256_private_key_der")), + ("acp_search_attr", Value::new_iutf8("oauth2_jwt_legacy_crypto_enable")), + ("acp_search_attr", Value::new_iutf8("oauth2_prefer_short_username")), + + ("acp_modify_removedattr", Value::new_iutf8("description")), + ("acp_modify_removedattr", Value::new_iutf8("displayname")), + ("acp_modify_removedattr", Value::new_iutf8("oauth2_rs_name")), + ("acp_modify_removedattr", Value::new_iutf8("oauth2_rs_origin")), + ("acp_modify_removedattr", Value::new_iutf8("oauth2_rs_origin_landing")), + ("acp_modify_removedattr", Value::new_iutf8("oauth2_rs_scope_map")), + ("acp_modify_removedattr", Value::new_iutf8("oauth2_rs_sup_scope_map")), + ("acp_modify_removedattr", Value::new_iutf8("oauth2_rs_basic_secret")), + ("acp_modify_removedattr", Value::new_iutf8("oauth2_rs_token_key")), + ("acp_modify_removedattr", Value::new_iutf8("es256_private_key_der")), + ("acp_modify_removedattr", Value::new_iutf8("oauth2_allow_insecure_client_disable_pkce")), + ("acp_modify_removedattr", Value::new_iutf8("rs256_private_key_der")), + ("acp_modify_removedattr", Value::new_iutf8("oauth2_jwt_legacy_crypto_enable")), + ("acp_modify_removedattr", Value::new_iutf8("oauth2_prefer_short_username")), + + + ("acp_modify_presentattr", Value::new_iutf8("description")), + ("acp_modify_presentattr", Value::new_iutf8("displayname")), + ("acp_modify_presentattr", Value::new_iutf8("oauth2_rs_name")), + ("acp_modify_presentattr", Value::new_iutf8("oauth2_rs_origin")), + ("acp_modify_presentattr", Value::new_iutf8("oauth2_rs_origin_landing")), + ("acp_modify_presentattr", Value::new_iutf8("oauth2_rs_sup_scope_map")), + ("acp_modify_presentattr", Value::new_iutf8("oauth2_rs_scope_map")), + ("acp_modify_presentattr", Value::new_iutf8("oauth2_allow_insecure_client_disable_pkce")), + ("acp_modify_presentattr", 
Value::new_iutf8("oauth2_jwt_legacy_crypto_enable")), + ("acp_modify_presentattr", Value::new_iutf8("oauth2_prefer_short_username")), + + ("acp_create_attr", Value::new_iutf8("class")), + ("acp_create_attr", Value::new_iutf8("description")), + ("acp_create_attr", Value::new_iutf8("displayname")), + ("acp_create_attr", Value::new_iutf8("oauth2_rs_name")), + ("acp_create_attr", Value::new_iutf8("oauth2_rs_origin")), + ("acp_create_attr", Value::new_iutf8("oauth2_rs_origin_landing")), + ("acp_create_attr", Value::new_iutf8("oauth2_rs_sup_scope_map")), + ("acp_create_attr", Value::new_iutf8("oauth2_rs_scope_map")), + ("acp_create_attr", Value::new_iutf8("oauth2_allow_insecure_client_disable_pkce")), + ("acp_create_attr", Value::new_iutf8("oauth2_jwt_legacy_crypto_enable")), + ("acp_create_attr", Value::new_iutf8("oauth2_prefer_short_username")), + + + ("acp_create_class", Value::new_iutf8("object")), + ("acp_create_class", Value::new_iutf8("oauth2_resource_server")), + ("acp_create_class", Value::new_iutf8("oauth2_resource_server_basic")) + ); +} + +lazy_static! 
{ + pub static ref E_IDM_HP_ACP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_MODIFY.clone()), + ("class", CLASS_ACCESS_CONTROL_SEARCH.clone()), + ("name", Value::new_iname("idm_hp_acp_service_account_into_person_migrate")), + ("uuid", Value::Uuid(UUID_IDM_HP_ACP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_V1)), + ( "description", - "jws_es256_private_key", - "sync_token_session", - "sync_cookie" - ], - "acp_modify_presentattr": [ - "name", + Value::new_utf8s("Builtin IDM Control allowing service accounts to be migrated into persons") + ), + ( + "acp_receiver_group", + Value::Refer(UUID_IDM_HP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_PRIV) + ), + ( + "acp_targetscope", + Value::new_json_filter_s( + "{\"and\": [{\"eq\": [\"class\",\"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" + ).unwrap() + ), + ("acp_search_attr", Value::new_iutf8("class")), + ("acp_search_attr", Value::new_iutf8("name")), + ("acp_search_attr", Value::new_iutf8("uuid")), + ("acp_modify_removedattr", Value::new_iutf8("class")), + ("acp_modify_presentattr", Value::new_iutf8("class")), + ("acp_modify_class", Value::new_iutf8("service_account")), + ("acp_modify_class", Value::new_iutf8("person")) + ); +} + +lazy_static! 
{ + pub static ref E_IDM_HP_ACP_SYNC_ACCOUNT_MANAGE_PRIV_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()), + ("class", CLASS_ACCESS_CONTROL_CREATE.clone()), + ("class", CLASS_ACCESS_CONTROL_DELETE.clone()), + ("class", CLASS_ACCESS_CONTROL_MODIFY.clone()), + ("class", CLASS_ACCESS_CONTROL_SEARCH.clone()), + ("name", Value::new_iname("idm_acp_hp_sync_account_manage_priv")), + ("uuid", Value::Uuid(UUID_IDM_HP_ACP_SYNC_ACCOUNT_MANAGE_PRIV_V1)), + ( "description", - "sync_token_session" - ], - "acp_modify_class": [], - "acp_create_attr": [ - "class", - "name", - "description" - ], - "acp_create_class": ["sync_account", "object"] - } -}"#; + Value::new_utf8s("Builtin IDM Control for managing IDM synchronisation accounts / connections") + ), + ( + "acp_receiver_group", + Value::Refer(UUID_IDM_HP_SYNC_ACCOUNT_MANAGE_PRIV) + ), + ( + "acp_targetscope", + Value::new_json_filter_s( + "{\"and\": [{\"eq\": [\"class\",\"sync_account\"]},{\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}" + ).unwrap() + ), + ("acp_search_attr", Value::new_iutf8("class")), + ("acp_search_attr", Value::new_iutf8("name")), + ("acp_search_attr", Value::new_iutf8("description")), + ("acp_search_attr", Value::new_iutf8("jws_es256_private_key")), + ("acp_search_attr", Value::new_iutf8("sync_token_session")), + ("acp_search_attr", Value::new_iutf8("sync_cookie")), + ("acp_modify_removedattr", Value::new_iutf8("name")), + ("acp_modify_removedattr", Value::new_iutf8("description")), + ("acp_modify_removedattr", Value::new_iutf8("jws_es256_private_key")), + ("acp_modify_removedattr", Value::new_iutf8("sync_token_session")), + ("acp_modify_removedattr", Value::new_iutf8("sync_cookie")), + ("acp_modify_presentattr", Value::new_iutf8("name")), + ("acp_modify_presentattr", Value::new_iutf8("description")), + ("acp_modify_presentattr", Value::new_iutf8("sync_token_session")), + 
("acp_create_attr", Value::new_iutf8("class")), + ("acp_create_attr", Value::new_iutf8("name")), + ("acp_create_attr", Value::new_iutf8("description")), + ("acp_create_class", Value::new_iutf8("object")), + ("acp_create_class", Value::new_iutf8("sync_account")) + ); +} diff --git a/kanidmd/lib/src/constants/entries.rs b/kanidmd/lib/src/constants/entries.rs index 5be7c0d15..449507c88 100644 --- a/kanidmd/lib/src/constants/entries.rs +++ b/kanidmd/lib/src/constants/entries.rs @@ -21,9 +21,9 @@ pub const JSON_ADMIN_V1: &str = r#"{ lazy_static! { pub static ref E_ADMIN_V1: EntryInitNew = entry_init!( - ("class", CLASS_OBJECT.clone()), - ("class", CLASS_MEMBEROF.clone()), ("class", CLASS_ACCOUNT.clone()), + ("class", CLASS_MEMBEROF.clone()), + ("class", CLASS_OBJECT.clone()), ("class", CLASS_SERVICE_ACCOUNT.clone()), ("name", Value::new_iname("admin")), ("uuid", Value::Uuid(UUID_ADMIN)), 
@@ -35,38 +35,52 @@ lazy_static! { ); } -/// Builtin IDM Admin account. -pub const JSON_IDM_ADMIN_V1: &str = r#"{ - "attrs": { - "class": ["account", "service_account", "memberof", "object"], - "name": ["idm_admin"], - "uuid": ["00000000-0000-0000-0000-000000000018"], - "description": ["Builtin IDM Admin account."], - "displayname": ["IDM Administrator"] - } -}"#; +lazy_static! { + /// Builtin IDM Admin account. + pub static ref E_IDM_ADMIN_V1: EntryInitNew = entry_init!( + ("class", CLASS_ACCOUNT.clone()), + ("class", CLASS_MEMBEROF.clone()), + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_SERVICE_ACCOUNT.clone()), + ("name", Value::new_iname("idm_admin")), + ("uuid", Value::Uuid(UUID_IDM_ADMIN)), + ( + "description", + Value::new_utf8s("Builtin IDM Admin account.") + ), + ("displayname", Value::new_utf8s("IDM Administrator")) + ); +} -/// Builtin IDM Administrators Group. -pub const JSON_IDM_ADMINS_V1: &str = r#"{ - "attrs": { - "class": ["group", "object"], - "name": ["idm_admins"], - "uuid": ["00000000-0000-0000-0000-000000000001"], - "description": ["Builtin IDM Administrators Group."], - "member": ["00000000-0000-0000-0000-000000000018"] - } -}"#; +lazy_static! { + /// Builtin IDM Administrators Group. + pub static ref E_IDM_ADMINS_V1: EntryInitNew = entry_init!( + ("class", CLASS_GROUP.clone()), + ("class", CLASS_OBJECT.clone()), + ("name", Value::new_iname("idm_admins")), + ("uuid", Value::Uuid(UUID_IDM_ADMINS)), + ( + "description", + Value::new_utf8s("Builtin IDM Administrators Group.") + ), + ("member", Value::Refer(UUID_IDM_ADMIN)) + ); +} -/// Builtin System Administrators Group. -pub const JSON_SYSTEM_ADMINS_V1: &str = r#"{ - "attrs": { - "class": ["group", "object"], - "name": ["system_admins"], - "uuid": ["00000000-0000-0000-0000-000000000019"], - "description": ["Builtin System Administrators Group."], - "member": ["00000000-0000-0000-0000-000000000000"] - } -}"#; +lazy_static! { + /// Builtin System Administrators Group. 
+ pub static ref E_SYSTEM_ADMINS_V1: EntryInitNew = entry_init!( + ("class", CLASS_GROUP.clone()), + ("class", CLASS_OBJECT.clone()), + ("name", Value::new_iname("system_admins")), + ("uuid", Value::Uuid(UUID_SYSTEM_ADMINS)), + ( + "description", + Value::new_utf8s("Builtin System Administrators Group.") + ), + ("member", Value::Refer(UUID_ADMIN)) + ); +} // * People read managers /// Builtin IDM Group for granting elevated people (personal data) read permissions. @@ -560,23 +574,33 @@ pub const JSON_IDM_HIGH_PRIVILEGE_V1: &str = r#"{ } }"#; -pub const JSON_SYSTEM_INFO_V1: &str = r#"{ - "attrs": { - "class": ["object", "system_info", "system"], - "uuid": ["00000000-0000-0000-0000-ffffff000001"], - "description": ["System (local) info and metadata object."], - "version": ["12"] - } -}"#; +lazy_static! { + pub static ref E_SYSTEM_INFO_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_SYSTEM_INFO.clone()), + ("class", CLASS_SYSTEM.clone()), + ("uuid", Value::Uuid(UUID_SYSTEM_INFO)), + ( + "description", + Value::new_utf8s("System (local) info and metadata object.") + ), + ("version", Value::Uint32(12)) + ); +} -pub const JSON_DOMAIN_INFO_V1: &str = r#"{ - "attrs": { - "class": ["object", "domain_info", "system"], - "name": ["domain_local"], - "uuid": ["00000000-0000-0000-0000-ffffff000025"], - "description": ["This local domain's info and metadata object."] - } -}"#; +lazy_static! { + pub static ref E_DOMAIN_INFO_V1: EntryInitNew = entry_init!( + ("class", CLASS_OBJECT.clone()), + ("class", CLASS_DOMAIN_INFO.clone()), + ("class", CLASS_SYSTEM.clone()), + ("name", Value::new_iname("domain_local")), + ("uuid", Value::Uuid(UUID_DOMAIN_INFO)), + ( + "description", + Value::new_utf8s("This local domain's info and metadata object.") + ) + ); +} // Anonymous should be the last object in the range here. pub const JSON_ANONYMOUS_V1: &str = r#"{ 
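Review bot: `E_SYSTEM_INFO_V1` hard-codes the system version as `Value::Uint32(12)`, which appears to be the same number the `migrate_11_to_12` step in server/migrations.rs exists to reach, so the two must now be bumped in lockstep with nothing tying them together; a shared named constant for the current version, introduced alongside this entry and used in both places, would make the next bump a one-line change. The move from the JSON string `"12"` to `Uint32` also presumes the `version` attribute's schema syntax is an unsigned integer, which is worth confirming against the schema since the old string form could not express a type. Unlike `E_IDM_ADMIN_V1`, `E_IDM_ADMINS_V1` and `E_SYSTEM_ADMINS_V1` in the preceding hunk, the two new statics carry no `///` doc; `/// System (local) info and metadata object, carrying the current system version.` and `/// This local domain's info and metadata object.` on the `pub static ref` lines would match the file's style.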
diff --git a/kanidmd/lib/src/constants/system_config.rs b/kanidmd/lib/src/constants/system_config.rs index 22b822ce6..d5b7c923d 100644 --- a/kanidmd/lib/src/constants/system_config.rs +++ b/kanidmd/lib/src/constants/system_config.rs @@ -1,649 +1,669 @@ -/// Default entries for system_config -/// This is separated because the password badlist section may become very long -pub const JSON_SYSTEM_CONFIG_V1: &str = r####"{ - "attrs": { - "class": ["object", "system_config", "system"], - "uuid": ["00000000-0000-0000-0000-ffffff000027"], - "description": ["System (replicated) configuration options."], - "badlist_password": [ - "bad@no3IBTyqHu$list", - "demo_badlist_shohfie3aeci2oobur0aru9uushah6EiPi2woh4hohngoighaiRuepieN3ongoo1", - "100preteamare", - "14defebrero", - "1life1love", - "1life2live", - "1love1life", - "1love4life", - "212224236248", - "2813308004", - "2fast2furious", - "2gether4ever", - "2pacshakur", - "30secondstomars", - "3doorsdown", - "6cyclemind", - "
>, - candidates: &mut Vec, + candidate_tuples: &mut Vec<(Arc, EntryInvalidCommitted)>, affected_uuids: &mut Vec, expect: bool, ident_internal: &Identity, @@ -80,8 +79,7 @@ impl DynGroup { nd_group.purge_ava("member"); } - pre_candidates.push(pre); - candidates.push(nd_group); + candidate_tuples.push((pre, nd_group)); // Insert to our new instances if dyn_groups.insts.insert(uuid, scope_i).is_none() == expect { @@ -159,8 +157,7 @@ impl DynGroup { // dyn groups will see the created entries on an internal search // so we don't need to reference them. - let mut pre_candidates = Vec::with_capacity(dyn_groups.insts.len() + cand.len()); - let mut candidates = Vec::with_capacity(dyn_groups.insts.len() + cand.len()); + let mut candidate_tuples = Vec::with_capacity(dyn_groups.insts.len() + cand.len()); // Apply existing dyn_groups to entries. trace!(?dyn_groups.insts); @@ -199,8 +196,7 @@ impl DynGroup { affected_uuids.extend(matches.into_iter()); affected_uuids.push(*dg_uuid); - pre_candidates.push(pre); - candidates.push(d_group); + candidate_tuples.push((pre, d_group)); } } } @@ -213,8 +209,7 @@ impl DynGroup { Self::apply_dyngroup_change( qs, ident, - &mut pre_candidates, - &mut candidates, + &mut candidate_tuples, &mut affected_uuids, false, &ident_internal, @@ -224,14 +219,12 @@ impl DynGroup { } // Write back the new changes. - debug_assert!(pre_candidates.len() == candidates.len()); // Write this stripe if populated. - if !pre_candidates.is_empty() { - qs.internal_apply_writable(pre_candidates, candidates) - .map_err(|e| { - admin_error!("Failed to commit dyngroup set {:?}", e); - e - })?; + if !candidate_tuples.is_empty() { + qs.internal_apply_writable(candidate_tuples).map_err(|e| { + admin_error!("Failed to commit dyngroup set {:?}", e); + e + })?; } Ok(affected_uuids) 
@@ -265,8 +258,7 @@ impl DynGroup { // lifetime here is safe since we are the sole accessor. let dyn_groups: &mut DynGroupCache = unsafe { &mut *(qs.get_dyngroup_cache() as *mut _) }; - let mut pre_candidates = Vec::with_capacity(dyn_groups.insts.len() + cand.len()); - let mut candidates = Vec::with_capacity(dyn_groups.insts.len() + cand.len()); + let mut candidate_tuples = Vec::with_capacity(dyn_groups.insts.len() + cand.len()); // If we modified a dyngroups member or filter, re-trigger it here. // if the event is not internal, reject (for now) @@ -278,8 +270,7 @@ impl DynGroup { Self::apply_dyngroup_change( qs, ident, - &mut pre_candidates, - &mut candidates, + &mut candidate_tuples, &mut affected_uuids, true, &ident_internal, @@ -334,21 +325,18 @@ impl DynGroup { })); affected_uuids.push(*dg_uuid); - pre_candidates.push(pre); - candidates.push(d_group); + candidate_tuples.push((pre, d_group)); } } } // Write back the new changes. - debug_assert!(pre_candidates.len() == candidates.len()); // Write this stripe if populated. - if !pre_candidates.is_empty() { - qs.internal_apply_writable(pre_candidates, candidates) - .map_err(|e| { - admin_error!("Failed to commit dyngroup set {:?}", e); - e - })?; + if !candidate_tuples.is_empty() { + qs.internal_apply_writable(candidate_tuples).map_err(|e| { + admin_error!("Failed to commit dyngroup set {:?}", e); + e + })?; } Ok(affected_uuids) diff --git a/kanidmd/lib/src/plugins/memberof.rs b/kanidmd/lib/src/plugins/memberof.rs index 6fe126fba..8eb58cee4 100644 --- a/kanidmd/lib/src/plugins/memberof.rs +++ b/kanidmd/lib/src/plugins/memberof.rs @@ -113,9 +113,6 @@ fn apply_memberof( while !group_affect.is_empty() { group_affect.sort(); group_affect.dedup(); - // Prep the write lists - let mut pre_candidates = Vec::with_capacity(group_affect.len()); - let mut candidates = Vec::with_capacity(group_affect.len()); // Ignore recycled/tombstones let filt = filter!(FC::Or( 
@@ -125,10 +122,12 @@ fn apply_memberof( .collect() )); - let mut work_set = qs.internal_search_writeable(&filt)?; + let work_set = qs.internal_search_writeable(&filt)?; // Load the vecdeque with this batch. - while let Some((pre, mut tgte)) = work_set.pop() { + let mut changes = Vec::with_capacity(work_set.len()); + + for (pre, mut tgte) in work_set.into_iter() { let guuid = pre.get_uuid(); // load the entry from the db. if !tgte.attribute_equality("class", &PVCLASS_GROUP) { @@ -160,28 +159,24 @@ fn apply_memberof( }; // push the entries to pre/cand - pre_candidates.push(pre); - candidates.push(tgte); + changes.push((pre, tgte)); } else { trace!("{:?} stable", guuid); } } - debug_assert!(pre_candidates.len() == candidates.len()); // Write this stripe if populated. - if !pre_candidates.is_empty() { - qs.internal_apply_writable(pre_candidates, candidates) - .map_err(|e| { - admin_error!("Failed to commit memberof group set {:?}", e); - e - })?; + if !changes.is_empty() { + qs.internal_apply_writable(changes).map_err(|e| { + admin_error!("Failed to commit memberof group set {:?}", e); + e + })?; } // Next loop! } // ALL GROUP MOS + DMOS ARE NOW STABLE. We can load these into other items directly. - let mut pre_candidates = Vec::with_capacity(other_cache.len()); - let mut candidates = Vec::with_capacity(other_cache.len()); + let mut changes = Vec::with_capacity(other_cache.len()); other_cache .into_iter() @@ -193,15 +188,14 @@ fn apply_memberof( if pre.get_ava_set("memberof") != tgte.get_ava_set("memberof") || pre.get_ava_set("directmemberof") != tgte.get_ava_set("directmemberof") { - pre_candidates.push(pre); - candidates.push(tgte); + changes.push((pre, tgte)); } Ok(()) })?; // Turn the other_cache into a write set. // Write the batch out in a single stripe. - qs.internal_apply_writable(pre_candidates, candidates) + qs.internal_apply_writable(changes) // Done! 🎉 } 
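Review bot: The comment `// Load the vecdeque with this batch.` kept above the new loop is now stale twice over: `work_set` is consumed by a `for` loop and the collected `changes` is a `Vec`, so it should read along the lines of `// Recompute memberof for this batch, collecting the (pre, post) pairs that changed.` The same applies to `// push the entries to pre/cand` above `changes.push((pre, tgte));` in the `@@ -160` hunk, where separate pre/cand lists no longer exist. Replacing `while let Some(...) = work_set.pop()` with `for ... in work_set.into_iter()` also reverses the order in which the batch is processed; that looks harmless because every change is written in one `internal_apply_writable` call, but it deserves a glance if anything downstream is order-sensitive. Stylistically, clippy's `explicit_into_iter_loop` will ask for `for (pre, mut tgte) in work_set {`.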
diff --git a/kanidmd/lib/src/plugins/refint.rs b/kanidmd/lib/src/plugins/refint.rs index c9766ceb4..f26e561c1 100644 --- a/kanidmd/lib/src/plugins/refint.rs +++ b/kanidmd/lib/src/plugins/refint.rs @@ -155,19 +155,15 @@ impl Plugin for ReferentialIntegrity { .map(|e| PartialValue::Refer(e.get_uuid())) .collect(); - let work_set = qs.internal_search_writeable(&filt)?; + let mut work_set = qs.internal_search_writeable(&filt)?; - let (pre_candidates, candidates) = work_set - .into_iter() - .map(|(pre, mut post)| { - ref_types - .values() - .for_each(|attr| post.remove_avas(attr.name.as_str(), &removed_ids)); - (pre, post) - }) - .unzip(); + work_set.iter_mut().for_each(|(_, post)| { + ref_types + .values() + .for_each(|attr| post.remove_avas(attr.name.as_str(), &removed_ids)); + }); - qs.internal_apply_writable(pre_candidates, candidates) + qs.internal_apply_writable(work_set) } #[instrument(level = "debug", name = "verify", skip(qs))] diff --git a/kanidmd/lib/src/server/migrations.rs b/kanidmd/lib/src/server/migrations.rs index 863927054..569cd696c 100644 --- a/kanidmd/lib/src/server/migrations.rs +++ b/kanidmd/lib/src/server/migrations.rs @@ -343,7 +343,7 @@ impl<'a> QueryServerWriteTransaction<'a> { #[instrument(level = "debug", skip_all)] pub fn migrate_11_to_12(&mut self) -> Result<(), OperationError> { admin_warn!("starting 11 to 12 migration."); - // sync_token_session + // sync_token_session let filter = filter!(f_or!([ f_pres("api_token_session"), f_pres("sync_token_session"), 
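Review bot: The nested `for_each` closures in the new in-place mutation are a plain loop written as iterator adaptors with no benefit (clippy `needless_for_each`); `for (_, post) in work_set.iter_mut() {` followed by `ref_types.values().for_each(|attr| post.remove_avas(attr.name.as_str(), &removed_ids));` and a closing `}` reads as a statement and leaves room for `?` should `remove_avas` ever become fallible. Otherwise the change is sound: mutating the post entries in place and handing the `(pre, post)` vector straight to `internal_apply_writable` keeps the pairing in the type instead of in two parallel vectors. The enclosing method starts outside the hunk.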
@@ -365,41 +365,32 @@ impl<'a> QueryServerWriteTransaction<'a> { for (_, ent) in mod_candidates.iter_mut() { if let Some(api_token_session) = ent.pop_ava("api_token_session") { - let api_token_session = api_token_session.migrate_session_to_apitoken() - .map_err(|e| { - error!("Failed to convert api_token_session from session -> apitoken"); - e - })?; + let api_token_session = + api_token_session + .migrate_session_to_apitoken() + .map_err(|e| { + error!("Failed to convert api_token_session from session -> apitoken"); + e + })?; - ent.set_ava_set( - "api_token_session", - api_token_session); + ent.set_ava_set("api_token_session", api_token_session); } if let Some(sync_token_session) = ent.pop_ava("sync_token_session") { - let sync_token_session = sync_token_session.migrate_session_to_apitoken() - .map_err(|e| { - error!("Failed to convert sync_token_session from session -> apitoken"); - e - })?; + let sync_token_session = + sync_token_session + .migrate_session_to_apitoken() + .map_err(|e| { + error!("Failed to convert sync_token_session from session -> apitoken"); + e + })?; - ent.set_ava_set( - "sync_token_session", - sync_token_session); + ent.set_ava_set("sync_token_session", sync_token_session); } - }; - - let ( - pre_candidates, - candidates - ) = mod_candidates - .into_iter() - .unzip(); + } // Apply the batch mod. - self.internal_apply_writable( - pre_candidates, candidates - ) + self.internal_apply_writable(mod_candidates) } #[instrument(level = "info", skip_all)] 
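Review bot: Both `error!` calls in the rewritten conversion blocks drop the error value, so a failed 11→12 migration logs only a fixed string with no cause; following the `{:?}` pattern the `admin_error!` calls use elsewhere in this commit, `error!("Failed to convert api_token_session from session -> apitoken {:?}", e);` and the matching `sync_token_session` line preserve it at no cost. Naming the entry that failed would help as well, and `ent` is in scope in the loop, but I cannot confirm from this hunk which identifier accessor an invalid entry exposes. `migrate_11_to_12` begins outside the hunk.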
@@ -512,9 +503,9 @@ impl<'a> QueryServerWriteTransaction<'a> {
 // and details. It's a pretty const thing. Also check anonymous, important to many
 // concepts.
 let res = self
- .internal_migrate_or_create_str(JSON_SYSTEM_INFO_V1)
- .and_then(|_| self.internal_migrate_or_create_str(JSON_DOMAIN_INFO_V1))
- .and_then(|_| self.internal_migrate_or_create_str(JSON_SYSTEM_CONFIG_V1));
+ .internal_migrate_or_create(E_SYSTEM_INFO_V1.clone())
+ .and_then(|_| self.internal_migrate_or_create(E_DOMAIN_INFO_V1.clone()))
+ .and_then(|_| self.internal_migrate_or_create(E_SYSTEM_CONFIG_V1.clone()));
 if res.is_err() {
 admin_error!("initialise_idm p1 -> result {:?}", res);
 }
@@ -527,16 +518,16 @@ impl<'a> QueryServerWriteTransaction<'a> {
 // Check the admin object exists (migrations).
 // Create the default idm_admin group.
 let admin_entries = [
- JSON_ANONYMOUS_V1,
- JSON_ADMIN_V1,
- JSON_IDM_ADMIN_V1,
- JSON_IDM_ADMINS_V1,
- JSON_SYSTEM_ADMINS_V1,
+ E_ANONYMOUS_V1.clone(),
+ E_ADMIN_V1.clone(),
+ E_IDM_ADMIN_V1.clone(),
+ E_IDM_ADMINS_V1.clone(),
+ E_SYSTEM_ADMINS_V1.clone(),
 ];
 let res: Result<(), _> = admin_entries
- .iter()
+ .into_iter()
 // Each item individually logs it's result
- .try_for_each(|e_str| self.internal_migrate_or_create_str(e_str));
+ .try_for_each(|ent| self.internal_migrate_or_create(ent));
 if res.is_err() {
 admin_error!("initialise_idm p2 -> result {:?}", res);
 }
@@ -586,48 +577,6 @@ impl<'a> QueryServerWriteTransaction<'a> {
 JSON_IDM_HP_SYNC_ACCOUNT_MANAGE_PRIV,
 // All members must exist before we write HP
 JSON_IDM_HIGH_PRIVILEGE_V1,
- // Built in access controls.
- JSON_IDM_ADMINS_ACP_RECYCLE_SEARCH_V1,
- JSON_IDM_ADMINS_ACP_REVIVE_V1,
- // JSON_IDM_ADMINS_ACP_MANAGE_V1,
- JSON_IDM_ALL_ACP_READ_V1,
- JSON_IDM_SELF_ACP_READ_V1,
- JSON_IDM_SELF_ACP_WRITE_V1,
- JSON_IDM_PEOPLE_SELF_ACP_WRITE_MAIL_PRIV_V1,
- JSON_IDM_ACP_PEOPLE_READ_PRIV_V1,
- JSON_IDM_ACP_PEOPLE_WRITE_PRIV_V1,
- JSON_IDM_ACP_PEOPLE_MANAGE_PRIV_V1,
- JSON_IDM_ACP_GROUP_WRITE_PRIV_V1,
- JSON_IDM_ACP_GROUP_MANAGE_PRIV_V1,
- JSON_IDM_ACP_ACCOUNT_READ_PRIV_V1,
- JSON_IDM_ACP_ACCOUNT_WRITE_PRIV_V1,
- JSON_IDM_ACP_ACCOUNT_MANAGE_PRIV_V1,
- JSON_IDM_ACP_RADIUS_SERVERS_V1,
- JSON_IDM_ACP_HP_ACCOUNT_READ_PRIV_V1,
- JSON_IDM_ACP_HP_ACCOUNT_WRITE_PRIV_V1,
- JSON_IDM_ACP_HP_ACCOUNT_MANAGE_PRIV_V1,
- JSON_IDM_ACP_HP_GROUP_WRITE_PRIV_V1,
- JSON_IDM_ACP_HP_GROUP_MANAGE_PRIV_V1,
- JSON_IDM_ACP_SCHEMA_WRITE_ATTRS_PRIV_V1,
- JSON_IDM_ACP_SCHEMA_WRITE_CLASSES_PRIV_V1,
- JSON_IDM_ACP_ACP_MANAGE_PRIV_V1,
- JSON_IDM_ACP_DOMAIN_ADMIN_PRIV_V1,
- JSON_IDM_ACP_SYSTEM_CONFIG_PRIV_V1,
- JSON_IDM_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1,
- JSON_IDM_ACP_GROUP_UNIX_EXTEND_PRIV_V1,
- JSON_IDM_ACP_PEOPLE_ACCOUNT_PASSWORD_IMPORT_PRIV_V1,
- JSON_IDM_ACP_PEOPLE_EXTEND_PRIV_V1,
- JSON_IDM_ACP_HP_PEOPLE_READ_PRIV_V1,
- JSON_IDM_ACP_HP_PEOPLE_WRITE_PRIV_V1,
- JSON_IDM_ACP_HP_PEOPLE_EXTEND_PRIV_V1,
- JSON_IDM_HP_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1,
- JSON_IDM_HP_ACP_GROUP_UNIX_EXTEND_PRIV_V1,
- JSON_IDM_HP_ACP_OAUTH2_MANAGE_PRIV_V1,
- JSON_IDM_ACP_RADIUS_SECRET_READ_PRIV_V1,
- JSON_IDM_ACP_RADIUS_SECRET_WRITE_PRIV_V1,
- JSON_IDM_HP_ACP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_V1,
- // JSON_IDM_ACP_OAUTH2_READ_PRIV_V1,
- JSON_IDM_HP_ACP_SYNC_ACCOUNT_MANAGE_PRIV_V1,
 ];
 let res: Result<(), _> = idm_entries
@@ -642,6 +591,46 @@ impl<'a> QueryServerWriteTransaction<'a> {
 res?;
 let idm_entries = [
+ // Built in access controls.
+ E_IDM_ADMINS_ACP_RECYCLE_SEARCH_V1.clone(),
+ E_IDM_ADMINS_ACP_REVIVE_V1.clone(),
+ E_IDM_ALL_ACP_READ_V1.clone(),
+ E_IDM_SELF_ACP_READ_V1.clone(),
+ E_IDM_SELF_ACP_WRITE_V1.clone(),
+ E_IDM_PEOPLE_SELF_ACP_WRITE_MAIL_PRIV_V1.clone(),
+ E_IDM_ACP_PEOPLE_READ_PRIV_V1.clone(),
+ E_IDM_ACP_PEOPLE_WRITE_PRIV_V1.clone(),
+ E_IDM_ACP_PEOPLE_MANAGE_PRIV_V1.clone(),
+ E_IDM_ACP_ACCOUNT_READ_PRIV_V1.clone(),
+ E_IDM_ACP_ACCOUNT_WRITE_PRIV_V1.clone(),
+ E_IDM_ACP_ACCOUNT_MANAGE_PRIV_V1.clone(),
+ E_IDM_ACP_HP_ACCOUNT_READ_PRIV_V1.clone(),
+ E_IDM_ACP_HP_ACCOUNT_WRITE_PRIV_V1.clone(),
+ E_IDM_ACP_HP_ACCOUNT_MANAGE_PRIV_V1.clone(),
+ E_IDM_ACP_GROUP_WRITE_PRIV_V1.clone(),
+ E_IDM_ACP_GROUP_MANAGE_PRIV_V1.clone(),
+ E_IDM_ACP_HP_GROUP_WRITE_PRIV_V1.clone(),
+ E_IDM_ACP_HP_GROUP_MANAGE_PRIV_V1.clone(),
+ E_IDM_ACP_SCHEMA_WRITE_ATTRS_PRIV_V1.clone(),
+ E_IDM_ACP_SCHEMA_WRITE_CLASSES_PRIV_V1.clone(),
+ E_IDM_ACP_ACP_MANAGE_PRIV_V1.clone(),
+ E_IDM_ACP_RADIUS_SERVERS_V1.clone(),
+ E_IDM_ACP_DOMAIN_ADMIN_PRIV_V1.clone(),
+ E_IDM_ACP_SYSTEM_CONFIG_PRIV_V1.clone(),
+ E_IDM_ACP_PEOPLE_ACCOUNT_PASSWORD_IMPORT_PRIV_V1.clone(),
+ E_IDM_ACP_PEOPLE_EXTEND_PRIV_V1.clone(),
+ E_IDM_ACP_HP_PEOPLE_READ_PRIV_V1.clone(),
+ E_IDM_ACP_HP_PEOPLE_WRITE_PRIV_V1.clone(),
+ E_IDM_ACP_HP_PEOPLE_EXTEND_PRIV_V1.clone(),
+ E_IDM_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1.clone(),
+ E_IDM_HP_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1.clone(),
+ E_IDM_ACP_GROUP_UNIX_EXTEND_PRIV_V1.clone(),
+ E_IDM_HP_ACP_GROUP_UNIX_EXTEND_PRIV_V1.clone(),
+ E_IDM_HP_ACP_OAUTH2_MANAGE_PRIV_V1.clone(),
+ E_IDM_ACP_RADIUS_SECRET_READ_PRIV_V1.clone(),
+ E_IDM_ACP_RADIUS_SECRET_WRITE_PRIV_V1.clone(),
+ E_IDM_HP_ACP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_V1.clone(),
+ E_IDM_HP_ACP_SYNC_ACCOUNT_MANAGE_PRIV_V1.clone(),
 E_IDM_UI_ENABLE_EXPERIMENTAL_FEATURES.clone(),
 E_IDM_ACCOUNT_MAIL_READ_PRIV.clone(),
E_IDM_ACP_ACCOUNT_MAIL_READ_PRIV_V1.clone(), diff --git a/kanidmd/lib/src/server/modify.rs b/kanidmd/lib/src/server/modify.rs index f77be33d6..8c1daa9b5 100644 --- a/kanidmd/lib/src/server/modify.rs +++ b/kanidmd/lib/src/server/modify.rs @@ -268,18 +268,27 @@ impl<'a> QueryServerWriteTransaction<'a> { #[instrument(level = "debug", skip_all)] pub(crate) fn internal_apply_writable( &mut self, - pre_candidates: Vec>, - candidates: Vec>, + candidate_tuples: Vec<(Arc, EntryInvalidCommitted)>, ) -> Result<(), OperationError> { - if pre_candidates.is_empty() && candidates.is_empty() { + if candidate_tuples.is_empty() { // No action needed. return Ok(()); } - if pre_candidates.len() != candidates.len() { - admin_error!("internal_apply_writable - cand lengths differ"); - return Err(OperationError::InvalidRequestState); + let (pre_candidates, candidates): ( + Vec>, + Vec, + ) = candidate_tuples.into_iter().unzip(); + + /* + let mut pre_candidates = Vec::with_capacity(candidate_tuples.len()); + let mut candidates = Vec::with_capacity(candidate_tuples.len()); + + for (pre, post) in candidate_tuples.into_iter() { + pre_candidates.push(pre); + candidates.push(post); } + */ let res: Result>, OperationError> = candidates .into_iter() diff --git a/kanidmd/lib/src/valueset/session.rs b/kanidmd/lib/src/valueset/session.rs index eabd1c29b..f47d369a7 100644 --- a/kanidmd/lib/src/valueset/session.rs +++ b/kanidmd/lib/src/valueset/session.rs 
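Review bot: The new `// Built in access controls.` comment heading the block does not say why these profiles live in a second `idm_entries` array rather than the one above: every profile visible in acp.rs earlier in this diff names its receiver through `acp_receiver_group`, so they must be created after the group batch that precedes this one. Spelling that out, e.g. `// Built in access controls. Their acp_receiver_group targets are created by the preceding idm_entries batch, so this list must stay after it.`, protects the ordering from a future tidy-up that merges the arrays. Comparing the 39 `E_*` entries against the `JSON_*` list removed in the `@@ -586` hunk, none is missing; only the positions of `RADIUS_SERVERS`, the `GROUP_*` and the `UNIX_EXTEND` entries changed, which appears fine since the profiles shown reference groups, not other profiles.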
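Review bot: The commented-out `/* let mut pre_candidates … */` block left after the `unzip()` is dead code describing an alternative that was not chosen; it will drift from the live line and should be deleted rather than committed. The `unzip` is the right call, and making the pairing part of the parameter type is what justifies dropping the old `cand lengths differ` check, which is worth stating on the method, e.g. `/// Apply a batch of (pre, post) entry pairs in one write; the pre/post pairing is enforced by the parameter type.`. The `candidate_tuples.is_empty()` early return is equivalent to the old two-vector test. The remainder of the method is outside the hunk.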
@@ -33,23 +33,23 @@ impl ValueSetSession { } pub fn from_dbvs2(data: Vec) -> Result { - let map = data - .into_iter() - .filter_map(|dbv| { - match dbv { - // MISTAKE - Skip due to lack of credential id - // Don't actually skip, generate a random cred id. Session cleanup will - // trim sessions on users, but if we skip blazenly we invalidate every api - // token ever issued. OOPS! - DbValueSession::V1 { - refer, - label, - expiry, - issued_at, - issued_by, - scope, - } => { - let cred_id = Uuid::new_v4(); + let map = + data.into_iter() + .filter_map(|dbv| { + match dbv { + // MISTAKE - Skip due to lack of credential id + // Don't actually skip, generate a random cred id. Session cleanup will + // trim sessions on users, but if we skip blazenly we invalidate every api + // token ever issued. OOPS! + DbValueSession::V1 { + refer, + label, + expiry, + issued_at, + issued_by, + scope, + } => { + let cred_id = Uuid::new_v4(); // Convert things. let issued_at = OffsetDateTime::parse(issued_at, time::Format::Rfc3339) diff --git a/kanidmd/testkit/tests/default_entries.rs b/kanidmd/testkit/tests/default_entries.rs index 2a0ccf121..3951cee68 100644 --- a/kanidmd/testkit/tests/default_entries.rs +++ b/kanidmd/testkit/tests/default_entries.rs @@ -244,7 +244,7 @@ async fn test_read_attrs(rsclient: &KanidmClient, id: &str, attrs: &[&str], is_r async fn test_write_attrs(rsclient: &KanidmClient, id: &str, attrs: &[&str], is_writeable: bool) { println!("Test write to {}, is writeable: {}", id, is_writeable); for attr in attrs.iter() { - println!("Writing to {}", attr); + println!("Writing to {} - ex {}", attr, is_writeable); let is_ok = is_attr_writable(rsclient, id, attr).await.unwrap(); assert!(is_ok == is_writeable) }
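Review bot: `- ex {}` in the new `println!` is cryptic for a diagnostic whose only job is to explain a failing assertion; `println!("Writing to {} - expect writeable: {}", attr, is_writeable);` costs nothing. Since the print exists to locate which attribute tripped the check, the following `assert!(is_ok == is_writeable)` could carry that context itself as `assert_eq!(is_ok, is_writeable, "attr {}", attr)`, which reports both values on failure and would make the print redundant.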