mirror of
https://github.com/kanidm/kanidm.git
synced 2025-02-23 12:37:00 +01:00
1399 cleanup (#1409)
This commit is contained in:
Firstyear
GitHub
parent
f1c9e92f93
commit
a5656b99f5
|
|
@ -52,6 +52,7 @@
|
|||
- [Access Profiles 2022](developers/designs/access_profiles_rework_2022.md)
|
||||
- [Access Profiles Original](developers/designs/access_profiles_and_security.md)
|
||||
- [REST Interface](developers/designs/rest_interface.md)
|
||||
- [Elevated Priv Mode](developers/designs/elevated_priv_mode.md)
|
||||
- [Python Module](developers/python.md)
|
||||
- [RADIUS Integration](developers/radius.md)
|
||||
|
||||
|
|
|
|||
|
|
@ -31,8 +31,11 @@ impl PwBadlistOpt {
|
|||
Err(e) => eprintln!("{:?}", e),
|
||||
}
|
||||
}
|
||||
PwBadlistOpt::Upload { copt, paths } => {
|
||||
let client = copt.to_client().await;
|
||||
PwBadlistOpt::Upload {
|
||||
copt,
|
||||
paths,
|
||||
dryrun,
|
||||
} => {
|
||||
info!("pre-processing - this may take a while ...");
|
||||
|
||||
let mut pwset: Vec<String> = Vec::new();
|
||||
|
|
@ -101,20 +104,29 @@ impl PwBadlistOpt {
|
|||
|
||||
let results = task_handles.join().await;
|
||||
|
||||
let filt_pwset: Vec<_> = results
|
||||
let mut filt_pwset: Vec<_> = results
|
||||
.into_iter()
|
||||
.flat_map(|res| res.expect("Thread join failure"))
|
||||
.collect();
|
||||
|
||||
filt_pwset.sort_unstable();
|
||||
|
||||
info!(
|
||||
"{} passwords passed zxcvbn, uploading ...",
|
||||
filt_pwset.len()
|
||||
);
|
||||
|
||||
if *dryrun {
|
||||
for pw in filt_pwset {
|
||||
println!("{}", pw);
|
||||
}
|
||||
} else {
|
||||
let client = copt.to_client().await;
|
||||
match client.system_password_badlist_append(filt_pwset).await {
|
||||
Ok(_) => println!("Success"),
|
||||
Err(e) => eprintln!("{:?}", e),
|
||||
}
|
||||
}
|
||||
} // End Upload
|
||||
PwBadlistOpt::Remove { copt, paths } => {
|
||||
let client = copt.to_client().await;
|
||||
|
|
|
|||
|
|
@ -715,6 +715,9 @@ pub enum PwBadlistOpt {
|
|||
copt: CommonOpt,
|
||||
#[clap(parse(from_os_str))]
|
||||
paths: Vec<PathBuf>,
|
||||
/// Perform a dry run and display the list that would have been uploaded instead.
|
||||
#[clap(short = 'n', long)]
|
||||
dryrun: bool,
|
||||
},
|
||||
#[clap[name = "remove", hide = true]]
|
||||
/// Remove the content of these lists if present in the configured
|
||||
|
|
|
|||
File diff suppressed because it is too large
Load diff
|
|
@ -21,9 +21,9 @@ pub const JSON_ADMIN_V1: &str = r#"{
|
|||
|
||||
lazy_static! {
|
||||
pub static ref E_ADMIN_V1: EntryInitNew = entry_init!(
|
||||
("class", CLASS_OBJECT.clone()),
|
||||
("class", CLASS_MEMBEROF.clone()),
|
||||
("class", CLASS_ACCOUNT.clone()),
|
||||
("class", CLASS_MEMBEROF.clone()),
|
||||
("class", CLASS_OBJECT.clone()),
|
||||
("class", CLASS_SERVICE_ACCOUNT.clone()),
|
||||
("name", Value::new_iname("admin")),
|
||||
("uuid", Value::Uuid(UUID_ADMIN)),
|
||||
|
|
@ -35,38 +35,52 @@ lazy_static! {
|
|||
);
|
||||
}
|
||||
|
||||
/// Builtin IDM Admin account.
|
||||
pub const JSON_IDM_ADMIN_V1: &str = r#"{
|
||||
"attrs": {
|
||||
"class": ["account", "service_account", "memberof", "object"],
|
||||
"name": ["idm_admin"],
|
||||
"uuid": ["00000000-0000-0000-0000-000000000018"],
|
||||
"description": ["Builtin IDM Admin account."],
|
||||
"displayname": ["IDM Administrator"]
|
||||
}
|
||||
}"#;
|
||||
lazy_static! {
|
||||
/// Builtin IDM Admin account.
|
||||
pub static ref E_IDM_ADMIN_V1: EntryInitNew = entry_init!(
|
||||
("class", CLASS_ACCOUNT.clone()),
|
||||
("class", CLASS_MEMBEROF.clone()),
|
||||
("class", CLASS_OBJECT.clone()),
|
||||
("class", CLASS_SERVICE_ACCOUNT.clone()),
|
||||
("name", Value::new_iname("idm_admin")),
|
||||
("uuid", Value::Uuid(UUID_IDM_ADMIN)),
|
||||
(
|
||||
"description",
|
||||
Value::new_utf8s("Builtin IDM Admin account.")
|
||||
),
|
||||
("displayname", Value::new_utf8s("IDM Administrator"))
|
||||
);
|
||||
}
|
||||
|
||||
/// Builtin IDM Administrators Group.
|
||||
pub const JSON_IDM_ADMINS_V1: &str = r#"{
|
||||
"attrs": {
|
||||
"class": ["group", "object"],
|
||||
"name": ["idm_admins"],
|
||||
"uuid": ["00000000-0000-0000-0000-000000000001"],
|
||||
"description": ["Builtin IDM Administrators Group."],
|
||||
"member": ["00000000-0000-0000-0000-000000000018"]
|
||||
}
|
||||
}"#;
|
||||
lazy_static! {
|
||||
/// Builtin IDM Administrators Group.
|
||||
pub static ref E_IDM_ADMINS_V1: EntryInitNew = entry_init!(
|
||||
("class", CLASS_GROUP.clone()),
|
||||
("class", CLASS_OBJECT.clone()),
|
||||
("name", Value::new_iname("idm_admins")),
|
||||
("uuid", Value::Uuid(UUID_IDM_ADMINS)),
|
||||
(
|
||||
"description",
|
||||
Value::new_utf8s("Builtin IDM Administrators Group.")
|
||||
),
|
||||
("member", Value::Refer(UUID_IDM_ADMIN))
|
||||
);
|
||||
}
|
||||
|
||||
/// Builtin System Administrators Group.
|
||||
pub const JSON_SYSTEM_ADMINS_V1: &str = r#"{
|
||||
"attrs": {
|
||||
"class": ["group", "object"],
|
||||
"name": ["system_admins"],
|
||||
"uuid": ["00000000-0000-0000-0000-000000000019"],
|
||||
"description": ["Builtin System Administrators Group."],
|
||||
"member": ["00000000-0000-0000-0000-000000000000"]
|
||||
}
|
||||
}"#;
|
||||
lazy_static! {
|
||||
/// Builtin System Administrators Group.
|
||||
pub static ref E_SYSTEM_ADMINS_V1: EntryInitNew = entry_init!(
|
||||
("class", CLASS_GROUP.clone()),
|
||||
("class", CLASS_OBJECT.clone()),
|
||||
("name", Value::new_iname("system_admins")),
|
||||
("uuid", Value::Uuid(UUID_SYSTEM_ADMINS)),
|
||||
(
|
||||
"description",
|
||||
Value::new_utf8s("Builtin System Administrators Group.")
|
||||
),
|
||||
("member", Value::Refer(UUID_ADMIN))
|
||||
);
|
||||
}
|
||||
|
||||
// * People read managers
|
||||
/// Builtin IDM Group for granting elevated people (personal data) read permissions.
|
||||
|
|
@ -560,23 +574,33 @@ pub const JSON_IDM_HIGH_PRIVILEGE_V1: &str = r#"{
|
|||
}
|
||||
}"#;
|
||||
|
||||
pub const JSON_SYSTEM_INFO_V1: &str = r#"{
|
||||
"attrs": {
|
||||
"class": ["object", "system_info", "system"],
|
||||
"uuid": ["00000000-0000-0000-0000-ffffff000001"],
|
||||
"description": ["System (local) info and metadata object."],
|
||||
"version": ["12"]
|
||||
}
|
||||
}"#;
|
||||
lazy_static! {
|
||||
pub static ref E_SYSTEM_INFO_V1: EntryInitNew = entry_init!(
|
||||
("class", CLASS_OBJECT.clone()),
|
||||
("class", CLASS_SYSTEM_INFO.clone()),
|
||||
("class", CLASS_SYSTEM.clone()),
|
||||
("uuid", Value::Uuid(UUID_SYSTEM_INFO)),
|
||||
(
|
||||
"description",
|
||||
Value::new_utf8s("System (local) info and metadata object.")
|
||||
),
|
||||
("version", Value::Uint32(12))
|
||||
);
|
||||
}
|
||||
|
||||
pub const JSON_DOMAIN_INFO_V1: &str = r#"{
|
||||
"attrs": {
|
||||
"class": ["object", "domain_info", "system"],
|
||||
"name": ["domain_local"],
|
||||
"uuid": ["00000000-0000-0000-0000-ffffff000025"],
|
||||
"description": ["This local domain's info and metadata object."]
|
||||
}
|
||||
}"#;
|
||||
lazy_static! {
|
||||
pub static ref E_DOMAIN_INFO_V1: EntryInitNew = entry_init!(
|
||||
("class", CLASS_OBJECT.clone()),
|
||||
("class", CLASS_DOMAIN_INFO.clone()),
|
||||
("class", CLASS_SYSTEM.clone()),
|
||||
("name", Value::new_iname("domain_local")),
|
||||
("uuid", Value::Uuid(UUID_DOMAIN_INFO)),
|
||||
(
|
||||
"description",
|
||||
Value::new_utf8s("This local domain's info and metadata object.")
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
// Anonymous should be the last object in the range here.
|
||||
pub const JSON_ANONYMOUS_V1: &str = r#"{
|
||||
|
|
|
|||
File diff suppressed because it is too large
Load diff
|
|
@ -5,54 +5,53 @@ use uuid::{uuid, Uuid};
|
|||
// Built in group and account ranges.
|
||||
pub const STR_UUID_ADMIN: &str = "00000000-0000-0000-0000-000000000000";
|
||||
pub const UUID_ADMIN: Uuid = uuid!("00000000-0000-0000-0000-000000000000");
|
||||
pub const _UUID_IDM_ADMINS: Uuid = uuid!("00000000-0000-0000-0000-000000000001");
|
||||
pub const _UUID_IDM_PEOPLE_READ_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000002");
|
||||
pub const _UUID_IDM_PEOPLE_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000003");
|
||||
pub const _UUID_IDM_GROUP_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000004");
|
||||
pub const _UUID_IDM_ACCOUNT_READ_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000005");
|
||||
pub const _UUID_IDM_ACCOUNT_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000006");
|
||||
pub const _UUID_IDM_RADIUS_SERVERS: Uuid = uuid!("00000000-0000-0000-0000-000000000007");
|
||||
pub const _UUID_IDM_HP_ACCOUNT_READ_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000008");
|
||||
pub const _UUID_IDM_HP_ACCOUNT_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000009");
|
||||
pub const _UUID_IDM_SCHEMA_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000010");
|
||||
pub const _UUID_IDM_ACP_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000011");
|
||||
pub const _UUID_IDM_HP_GROUP_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000012");
|
||||
pub const _UUID_IDM_PEOPLE_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000013");
|
||||
pub const _UUID_IDM_ACCOUNT_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000014");
|
||||
pub const _UUID_IDM_GROUP_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000015");
|
||||
pub const _UUID_IDM_HP_ACCOUNT_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000016");
|
||||
pub const _UUID_IDM_HP_GROUP_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000017");
|
||||
pub const UUID_IDM_ADMINS: Uuid = uuid!("00000000-0000-0000-0000-000000000001");
|
||||
pub const UUID_IDM_PEOPLE_READ_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000002");
|
||||
pub const UUID_IDM_PEOPLE_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000003");
|
||||
pub const UUID_IDM_GROUP_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000004");
|
||||
pub const UUID_IDM_ACCOUNT_READ_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000005");
|
||||
pub const UUID_IDM_ACCOUNT_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000006");
|
||||
pub const UUID_IDM_RADIUS_SERVERS: Uuid = uuid!("00000000-0000-0000-0000-000000000007");
|
||||
pub const UUID_IDM_HP_ACCOUNT_READ_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000008");
|
||||
pub const UUID_IDM_HP_ACCOUNT_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000009");
|
||||
pub const UUID_IDM_SCHEMA_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000010");
|
||||
pub const UUID_IDM_ACP_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000011");
|
||||
pub const UUID_IDM_HP_GROUP_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000012");
|
||||
pub const UUID_IDM_PEOPLE_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000013");
|
||||
pub const UUID_IDM_ACCOUNT_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000014");
|
||||
pub const UUID_IDM_GROUP_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000015");
|
||||
pub const UUID_IDM_HP_ACCOUNT_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000016");
|
||||
pub const UUID_IDM_HP_GROUP_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000017");
|
||||
pub const UUID_IDM_ADMIN: Uuid = uuid!("00000000-0000-0000-0000-000000000018");
|
||||
|
||||
pub const STR_UUID_SYSTEM_ADMINS: &str = "00000000-0000-0000-0000-000000000000";
|
||||
pub const UUID_SYSTEM_ADMINS: Uuid = uuid!("00000000-0000-0000-0000-000000000019");
|
||||
pub const UUID_DOMAIN_ADMINS: Uuid = uuid!("00000000-0000-0000-0000-000000000020");
|
||||
pub const _UUID_IDM_ACCOUNT_UNIX_EXTEND_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000021");
|
||||
pub const _UUID_IDM_GROUP_UNIX_EXTEND_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000022");
|
||||
pub const _UUID_IDM_PEOPLE_ACCOUNT_PASSWORD_IMPORT_PRIV: Uuid =
|
||||
pub const UUID_IDM_ACCOUNT_UNIX_EXTEND_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000021");
|
||||
pub const UUID_IDM_GROUP_UNIX_EXTEND_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000022");
|
||||
pub const UUID_IDM_PEOPLE_ACCOUNT_PASSWORD_IMPORT_PRIV: Uuid =
|
||||
uuid!("00000000-0000-0000-0000-000000000023");
|
||||
pub const _UUID_IDM_PEOPLE_EXTEND_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000024");
|
||||
pub const _UUID_IDM_HP_ACCOUNT_UNIX_EXTEND_PRIV: Uuid =
|
||||
pub const UUID_IDM_PEOPLE_EXTEND_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000024");
|
||||
pub const UUID_IDM_HP_ACCOUNT_UNIX_EXTEND_PRIV: Uuid =
|
||||
uuid!("00000000-0000-0000-0000-000000000025");
|
||||
pub const _UUID_IDM_HP_GROUP_UNIX_EXTEND_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000026");
|
||||
pub const _UUID_IDM_HP_OAUTH2_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000027");
|
||||
pub const _UUID_IDM_HP_PEOPLE_READ_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000028");
|
||||
pub const _UUID_IDM_HP_PEOPLE_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000029");
|
||||
pub const _UUID_IDM_HP_PEOPLE_EXTEND_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000030");
|
||||
pub const UUID_IDM_HP_GROUP_UNIX_EXTEND_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000026");
|
||||
pub const UUID_IDM_HP_OAUTH2_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000027");
|
||||
pub const UUID_IDM_HP_PEOPLE_READ_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000028");
|
||||
pub const UUID_IDM_HP_PEOPLE_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000029");
|
||||
pub const UUID_IDM_HP_PEOPLE_EXTEND_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000030");
|
||||
|
||||
pub const _UUID_IDM_RADIUS_SECRET_READ_PRIV_V1: Uuid =
|
||||
uuid!("00000000-0000-0000-0000-000000000032");
|
||||
pub const _UUID_IDM_RADIUS_SECRET_WRITE_PRIV_V1: Uuid =
|
||||
pub const UUID_IDM_RADIUS_SECRET_READ_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-000000000032");
|
||||
pub const UUID_IDM_RADIUS_SECRET_WRITE_PRIV_V1: Uuid =
|
||||
uuid!("00000000-0000-0000-0000-000000000031");
|
||||
pub const _UUID_IDM_PEOPLE_SELF_WRITE_MAIL_PRIV: Uuid =
|
||||
pub const UUID_IDM_PEOPLE_SELF_WRITE_MAIL_PRIV: Uuid =
|
||||
uuid!("00000000-0000-0000-0000-000000000033");
|
||||
pub const _UUID_IDM_HP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_PRIV: Uuid =
|
||||
pub const UUID_IDM_HP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_PRIV: Uuid =
|
||||
uuid!("00000000-0000-0000-0000-000000000034");
|
||||
|
||||
pub const UUID_IDM_ALL_PERSONS: Uuid = uuid!("00000000-0000-0000-0000-000000000035");
|
||||
pub const STR_UUID_IDM_ALL_ACCOUNTS: &str = "00000000-0000-0000-0000-000000000036";
|
||||
pub const UUID_IDM_ALL_ACCOUNTS: Uuid = uuid!("00000000-0000-0000-0000-000000000036");
|
||||
pub const _UUID_IDM_HP_SYNC_ACCOUNT_MANAGE_PRIV: Uuid =
|
||||
pub const UUID_IDM_HP_SYNC_ACCOUNT_MANAGE_PRIV: Uuid =
|
||||
uuid!("00000000-0000-0000-0000-000000000037");
|
||||
|
||||
pub const UUID_IDM_UI_ENABLE_EXPERIMENTAL_FEATURES: Uuid =
|
||||
|
|
@ -236,73 +235,70 @@ pub const UUID_DOMAIN_INFO: Uuid = uuid!("00000000-0000-0000-0000-ffffff000025")
|
|||
|
||||
// Access controls
|
||||
// skip 00 / 01 - see system info
|
||||
pub const _UUID_IDM_ADMINS_ACP_RECYCLE_SEARCH_V1: Uuid =
|
||||
pub const UUID_IDM_ADMINS_ACP_RECYCLE_SEARCH_V1: Uuid =
|
||||
uuid!("00000000-0000-0000-0000-ffffff000002");
|
||||
pub const _UUID_IDM_ADMINS_ACP_REVIVE_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000003");
|
||||
pub const _UUID_IDM_SELF_ACP_READ_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000004");
|
||||
pub const _UUID_IDM_ALL_ACP_READ_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000006");
|
||||
pub const _UUID_IDM_ACP_PEOPLE_READ_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000007");
|
||||
pub const _UUID_IDM_ACP_PEOPLE_WRITE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000008");
|
||||
pub const _UUID_IDM_ACP_GROUP_WRITE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000009");
|
||||
pub const _UUID_IDM_ACP_ACCOUNT_READ_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000010");
|
||||
pub const _UUID_IDM_ACP_ACCOUNT_WRITE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000011");
|
||||
pub const _UUID_IDM_ACP_ACCOUNT_MANAGE_PRIV_V1: Uuid =
|
||||
uuid!("00000000-0000-0000-0000-ffffff000012");
|
||||
pub const _UUID_IDM_ACP_PEOPLE_MANAGE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000013");
|
||||
pub const _UUID_IDM_ACP_RADIUS_SERVERS_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000014");
|
||||
pub const _UUID_IDM_ACP_HP_ACCOUNT_READ_PRIV_V1: Uuid =
|
||||
pub const UUID_IDM_ADMINS_ACP_REVIVE_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000003");
|
||||
pub const UUID_IDM_SELF_ACP_READ_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000004");
|
||||
pub const UUID_IDM_ALL_ACP_READ_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000006");
|
||||
pub const UUID_IDM_ACP_PEOPLE_READ_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000007");
|
||||
pub const UUID_IDM_ACP_PEOPLE_WRITE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000008");
|
||||
pub const UUID_IDM_ACP_GROUP_WRITE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000009");
|
||||
pub const UUID_IDM_ACP_ACCOUNT_READ_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000010");
|
||||
pub const UUID_IDM_ACP_ACCOUNT_WRITE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000011");
|
||||
pub const UUID_IDM_ACP_ACCOUNT_MANAGE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000012");
|
||||
pub const UUID_IDM_ACP_PEOPLE_MANAGE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000013");
|
||||
pub const UUID_IDM_ACP_RADIUS_SERVERS_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000014");
|
||||
pub const UUID_IDM_ACP_HP_ACCOUNT_READ_PRIV_V1: Uuid =
|
||||
uuid!("00000000-0000-0000-0000-ffffff000015");
|
||||
pub const _UUID_IDM_ACP_HP_ACCOUNT_WRITE_PRIV_V1: Uuid =
|
||||
pub const UUID_IDM_ACP_HP_ACCOUNT_WRITE_PRIV_V1: Uuid =
|
||||
uuid!("00000000-0000-0000-0000-ffffff000016");
|
||||
pub const _UUID_IDM_ACP_HP_GROUP_WRITE_PRIV_V1: Uuid =
|
||||
uuid!("00000000-0000-0000-0000-ffffff000017");
|
||||
pub const _UUID_IDM_ACP_SCHEMA_WRITE_ATTRS_PRIV_V1: Uuid =
|
||||
pub const UUID_IDM_ACP_HP_GROUP_WRITE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000017");
|
||||
pub const UUID_IDM_ACP_SCHEMA_WRITE_ATTRS_PRIV_V1: Uuid =
|
||||
uuid!("00000000-0000-0000-0000-ffffff000018");
|
||||
pub const _UUID_IDM_ACP_ACP_MANAGE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000019");
|
||||
pub const _UUID_IDM_ACP_SCHEMA_WRITE_CLASSES_PRIV_V1: Uuid =
|
||||
pub const UUID_IDM_ACP_ACP_MANAGE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000019");
|
||||
pub const UUID_IDM_ACP_SCHEMA_WRITE_CLASSES_PRIV_V1: Uuid =
|
||||
uuid!("00000000-0000-0000-0000-ffffff000020");
|
||||
pub const _UUID_IDM_SELF_ACP_WRITE_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000021");
|
||||
pub const _UUID_IDM_ACP_GROUP_MANAGE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000022");
|
||||
pub const _UUID_IDM_ACP_HP_ACCOUNT_MANAGE_PRIV_V1: Uuid =
|
||||
pub const UUID_IDM_SELF_ACP_WRITE_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000021");
|
||||
pub const UUID_IDM_ACP_GROUP_MANAGE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000022");
|
||||
pub const UUID_IDM_ACP_HP_ACCOUNT_MANAGE_PRIV_V1: Uuid =
|
||||
uuid!("00000000-0000-0000-0000-ffffff000023");
|
||||
pub const _UUID_IDM_ACP_HP_GROUP_MANAGE_PRIV_V1: Uuid =
|
||||
pub const UUID_IDM_ACP_HP_GROUP_MANAGE_PRIV_V1: Uuid =
|
||||
uuid!("00000000-0000-0000-0000-ffffff000024");
|
||||
// Skip 25 - see domain info.
|
||||
pub const _UUID_IDM_ACP_DOMAIN_ADMIN_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000026");
|
||||
pub const UUID_IDM_ACP_DOMAIN_ADMIN_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000026");
|
||||
|
||||
pub const STR_UUID_SYSTEM_CONFIG: &str = "00000000-0000-0000-0000-ffffff000027";
|
||||
pub const UUID_SYSTEM_CONFIG: Uuid = uuid!("00000000-0000-0000-0000-ffffff000027");
|
||||
|
||||
pub const _UUID_IDM_ACP_SYSTEM_CONFIG_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000028");
|
||||
pub const _UUID_IDM_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1: Uuid =
|
||||
pub const UUID_IDM_ACP_SYSTEM_CONFIG_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000028");
|
||||
pub const UUID_IDM_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1: Uuid =
|
||||
uuid!("00000000-0000-0000-0000-ffffff000029");
|
||||
pub const _UUID_IDM_ACP_GROUP_UNIX_EXTEND_PRIV_V1: Uuid =
|
||||
pub const UUID_IDM_ACP_GROUP_UNIX_EXTEND_PRIV_V1: Uuid =
|
||||
uuid!("00000000-0000-0000-0000-ffffff000030");
|
||||
pub const _UUID_IDM_ACP_PEOPLE_ACCOUNT_PASSWORD_IMPORT_PRIV_V1: Uuid =
|
||||
pub const UUID_IDM_ACP_PEOPLE_ACCOUNT_PASSWORD_IMPORT_PRIV_V1: Uuid =
|
||||
uuid!("00000000-0000-0000-0000-ffffff000031");
|
||||
pub const _UUID_IDM_ACP_PEOPLE_EXTEND_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000032");
|
||||
pub const _UUID_IDM_HP_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1: Uuid =
|
||||
pub const UUID_IDM_ACP_PEOPLE_EXTEND_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000032");
|
||||
pub const UUID_IDM_HP_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1: Uuid =
|
||||
uuid!("00000000-0000-0000-0000-ffffff000033");
|
||||
pub const _UUID_IDM_HP_ACP_GROUP_UNIX_EXTEND_PRIV_V1: Uuid =
|
||||
pub const UUID_IDM_HP_ACP_GROUP_UNIX_EXTEND_PRIV_V1: Uuid =
|
||||
uuid!("00000000-0000-0000-0000-ffffff000034");
|
||||
pub const _UUID_IDM_HP_ACP_OAUTH2_MANAGE_PRIV_V1: Uuid =
|
||||
pub const UUID_IDM_HP_ACP_OAUTH2_MANAGE_PRIV_V1: Uuid =
|
||||
uuid!("00000000-0000-0000-0000-ffffff000035");
|
||||
pub const _UUID_IDM_ACP_HP_PEOPLE_READ_PRIV_V1: Uuid =
|
||||
uuid!("00000000-0000-0000-0000-ffffff000036");
|
||||
pub const _UUID_IDM_ACP_HP_PEOPLE_WRITE_PRIV_V1: Uuid =
|
||||
pub const UUID_IDM_ACP_HP_PEOPLE_READ_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000036");
|
||||
pub const UUID_IDM_ACP_HP_PEOPLE_WRITE_PRIV_V1: Uuid =
|
||||
uuid!("00000000-0000-0000-0000-ffffff000037");
|
||||
pub const _UUID_IDM_ACP_HP_PEOPLE_EXTEND_PRIV_V1: Uuid =
|
||||
pub const UUID_IDM_ACP_HP_PEOPLE_EXTEND_PRIV_V1: Uuid =
|
||||
uuid!("00000000-0000-0000-0000-ffffff000038");
|
||||
pub const _UUID_IDM_ACP_RADIUS_SECRET_READ_PRIV_V1: Uuid =
|
||||
pub const UUID_IDM_ACP_RADIUS_SECRET_READ_PRIV_V1: Uuid =
|
||||
uuid!("00000000-0000-0000-0000-ffffff000039");
|
||||
pub const _UUID_IDM_ACP_RADIUS_SECRET_WRITE_PRIV_V1: Uuid =
|
||||
pub const UUID_IDM_ACP_RADIUS_SECRET_WRITE_PRIV_V1: Uuid =
|
||||
uuid!("00000000-0000-0000-0000-ffffff000040");
|
||||
pub const _UUID_IDM_PEOPLE_SELF_ACP_WRITE_MAIL_V1: Uuid =
|
||||
pub const UUID_IDM_PEOPLE_SELF_ACP_WRITE_MAIL_V1: Uuid =
|
||||
uuid!("00000000-0000-0000-0000-ffffff000041");
|
||||
pub const _UUID_IDM_HP_ACP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_V1: Uuid =
|
||||
pub const UUID_IDM_HP_ACP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_V1: Uuid =
|
||||
uuid!("00000000-0000-0000-0000-ffffff000042");
|
||||
pub const UUID_IDM_ACP_OAUTH2_READ_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000043");
|
||||
pub const _UUID_IDM_HP_ACP_SYNC_ACCOUNT_MANAGE_PRIV_V1: Uuid =
|
||||
pub const UUID_IDM_HP_ACP_SYNC_ACCOUNT_MANAGE_PRIV_V1: Uuid =
|
||||
uuid!("00000000-0000-0000-0000-ffffff000044");
|
||||
pub const UUID_IDM_ACP_ACCOUNT_MAIL_READ_PRIV_V1: Uuid =
|
||||
uuid!("00000000-0000-0000-0000-ffffff000045");
|
||||
|
|
|
|||
|
|
@ -40,6 +40,9 @@ lazy_static! {
|
|||
pub static ref PVUUID_SYSTEM_CONFIG: PartialValue = PartialValue::Uuid(UUID_SYSTEM_CONFIG);
|
||||
pub static ref PVUUID_SYSTEM_INFO: PartialValue = PartialValue::Uuid(UUID_SYSTEM_INFO);
|
||||
pub static ref CLASS_ACCESS_CONTROL_PROFILE: Value = Value::new_class("access_control_profile");
|
||||
pub static ref CLASS_ACCESS_CONTROL_CREATE: Value = Value::new_class("access_control_create");
|
||||
pub static ref CLASS_ACCESS_CONTROL_DELETE: Value = Value::new_class("access_control_delete");
|
||||
pub static ref CLASS_ACCESS_CONTROL_MODIFY: Value = Value::new_class("access_control_modify");
|
||||
pub static ref CLASS_ACCESS_CONTROL_SEARCH: Value = Value::new_class("access_control_search");
|
||||
pub static ref CLASS_ACCOUNT: Value = Value::new_class("account");
|
||||
pub static ref CLASS_ATTRIBUTETYPE: Value = Value::new_class("attributetype");
|
||||
|
|
|
|||
|
|
@ -18,8 +18,7 @@ impl DynGroup {
|
|||
fn apply_dyngroup_change(
|
||||
qs: &mut QueryServerWriteTransaction,
|
||||
ident: &Identity,
|
||||
pre_candidates: &mut Vec<Arc<EntrySealedCommitted>>,
|
||||
candidates: &mut Vec<EntryInvalidCommitted>,
|
||||
candidate_tuples: &mut Vec<(Arc<EntrySealedCommitted>, EntryInvalidCommitted)>,
|
||||
affected_uuids: &mut Vec<Uuid>,
|
||||
expect: bool,
|
||||
ident_internal: &Identity,
|
||||
|
|
@ -80,8 +79,7 @@ impl DynGroup {
|
|||
nd_group.purge_ava("member");
|
||||
}
|
||||
|
||||
pre_candidates.push(pre);
|
||||
candidates.push(nd_group);
|
||||
candidate_tuples.push((pre, nd_group));
|
||||
|
||||
// Insert to our new instances
|
||||
if dyn_groups.insts.insert(uuid, scope_i).is_none() == expect {
|
||||
|
|
@ -159,8 +157,7 @@ impl DynGroup {
|
|||
// dyn groups will see the created entries on an internal search
|
||||
// so we don't need to reference them.
|
||||
|
||||
let mut pre_candidates = Vec::with_capacity(dyn_groups.insts.len() + cand.len());
|
||||
let mut candidates = Vec::with_capacity(dyn_groups.insts.len() + cand.len());
|
||||
let mut candidate_tuples = Vec::with_capacity(dyn_groups.insts.len() + cand.len());
|
||||
|
||||
// Apply existing dyn_groups to entries.
|
||||
trace!(?dyn_groups.insts);
|
||||
|
|
@ -199,8 +196,7 @@ impl DynGroup {
|
|||
affected_uuids.extend(matches.into_iter());
|
||||
affected_uuids.push(*dg_uuid);
|
||||
|
||||
pre_candidates.push(pre);
|
||||
candidates.push(d_group);
|
||||
candidate_tuples.push((pre, d_group));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -213,8 +209,7 @@ impl DynGroup {
|
|||
Self::apply_dyngroup_change(
|
||||
qs,
|
||||
ident,
|
||||
&mut pre_candidates,
|
||||
&mut candidates,
|
||||
&mut candidate_tuples,
|
||||
&mut affected_uuids,
|
||||
false,
|
||||
&ident_internal,
|
||||
|
|
@ -224,11 +219,9 @@ impl DynGroup {
|
|||
}
|
||||
|
||||
// Write back the new changes.
|
||||
debug_assert!(pre_candidates.len() == candidates.len());
|
||||
// Write this stripe if populated.
|
||||
if !pre_candidates.is_empty() {
|
||||
qs.internal_apply_writable(pre_candidates, candidates)
|
||||
.map_err(|e| {
|
||||
if !candidate_tuples.is_empty() {
|
||||
qs.internal_apply_writable(candidate_tuples).map_err(|e| {
|
||||
admin_error!("Failed to commit dyngroup set {:?}", e);
|
||||
e
|
||||
})?;
|
||||
|
|
@ -265,8 +258,7 @@ impl DynGroup {
|
|||
// lifetime here is safe since we are the sole accessor.
|
||||
let dyn_groups: &mut DynGroupCache = unsafe { &mut *(qs.get_dyngroup_cache() as *mut _) };
|
||||
|
||||
let mut pre_candidates = Vec::with_capacity(dyn_groups.insts.len() + cand.len());
|
||||
let mut candidates = Vec::with_capacity(dyn_groups.insts.len() + cand.len());
|
||||
let mut candidate_tuples = Vec::with_capacity(dyn_groups.insts.len() + cand.len());
|
||||
|
||||
// If we modified a dyngroups member or filter, re-trigger it here.
|
||||
// if the event is not internal, reject (for now)
|
||||
|
|
@ -278,8 +270,7 @@ impl DynGroup {
|
|||
Self::apply_dyngroup_change(
|
||||
qs,
|
||||
ident,
|
||||
&mut pre_candidates,
|
||||
&mut candidates,
|
||||
&mut candidate_tuples,
|
||||
&mut affected_uuids,
|
||||
true,
|
||||
&ident_internal,
|
||||
|
|
@ -334,18 +325,15 @@ impl DynGroup {
|
|||
}));
|
||||
affected_uuids.push(*dg_uuid);
|
||||
|
||||
pre_candidates.push(pre);
|
||||
candidates.push(d_group);
|
||||
candidate_tuples.push((pre, d_group));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Write back the new changes.
|
||||
debug_assert!(pre_candidates.len() == candidates.len());
|
||||
// Write this stripe if populated.
|
||||
if !pre_candidates.is_empty() {
|
||||
qs.internal_apply_writable(pre_candidates, candidates)
|
||||
.map_err(|e| {
|
||||
if !candidate_tuples.is_empty() {
|
||||
qs.internal_apply_writable(candidate_tuples).map_err(|e| {
|
||||
admin_error!("Failed to commit dyngroup set {:?}", e);
|
||||
e
|
||||
})?;
|
||||
|
|
|
|||
|
|
@ -113,9 +113,6 @@ fn apply_memberof(
|
|||
while !group_affect.is_empty() {
|
||||
group_affect.sort();
|
||||
group_affect.dedup();
|
||||
// Prep the write lists
|
||||
let mut pre_candidates = Vec::with_capacity(group_affect.len());
|
||||
let mut candidates = Vec::with_capacity(group_affect.len());
|
||||
|
||||
// Ignore recycled/tombstones
|
||||
let filt = filter!(FC::Or(
|
||||
|
|
@ -125,10 +122,12 @@ fn apply_memberof(
|
|||
.collect()
|
||||
));
|
||||
|
||||
let mut work_set = qs.internal_search_writeable(&filt)?;
|
||||
let work_set = qs.internal_search_writeable(&filt)?;
|
||||
// Load the vecdeque with this batch.
|
||||
|
||||
while let Some((pre, mut tgte)) = work_set.pop() {
|
||||
let mut changes = Vec::with_capacity(work_set.len());
|
||||
|
||||
for (pre, mut tgte) in work_set.into_iter() {
|
||||
let guuid = pre.get_uuid();
|
||||
// load the entry from the db.
|
||||
if !tgte.attribute_equality("class", &PVCLASS_GROUP) {
|
||||
|
|
@ -160,18 +159,15 @@ fn apply_memberof(
|
|||
};
|
||||
|
||||
// push the entries to pre/cand
|
||||
pre_candidates.push(pre);
|
||||
candidates.push(tgte);
|
||||
changes.push((pre, tgte));
|
||||
} else {
|
||||
trace!("{:?} stable", guuid);
|
||||
}
|
||||
}
|
||||
|
||||
debug_assert!(pre_candidates.len() == candidates.len());
|
||||
// Write this stripe if populated.
|
||||
if !pre_candidates.is_empty() {
|
||||
qs.internal_apply_writable(pre_candidates, candidates)
|
||||
.map_err(|e| {
|
||||
if !changes.is_empty() {
|
||||
qs.internal_apply_writable(changes).map_err(|e| {
|
||||
admin_error!("Failed to commit memberof group set {:?}", e);
|
||||
e
|
||||
})?;
|
||||
|
|
@ -180,8 +176,7 @@ fn apply_memberof(
|
|||
}
|
||||
|
||||
// ALL GROUP MOS + DMOS ARE NOW STABLE. We can load these into other items directly.
|
||||
let mut pre_candidates = Vec::with_capacity(other_cache.len());
|
||||
let mut candidates = Vec::with_capacity(other_cache.len());
|
||||
let mut changes = Vec::with_capacity(other_cache.len());
|
||||
|
||||
other_cache
|
||||
.into_iter()
|
||||
|
|
@ -193,15 +188,14 @@ fn apply_memberof(
|
|||
if pre.get_ava_set("memberof") != tgte.get_ava_set("memberof")
|
||||
|| pre.get_ava_set("directmemberof") != tgte.get_ava_set("directmemberof")
|
||||
{
|
||||
pre_candidates.push(pre);
|
||||
candidates.push(tgte);
|
||||
changes.push((pre, tgte));
|
||||
}
|
||||
Ok(())
|
||||
})?;
|
||||
|
||||
// Turn the other_cache into a write set.
|
||||
// Write the batch out in a single stripe.
|
||||
qs.internal_apply_writable(pre_candidates, candidates)
|
||||
qs.internal_apply_writable(changes)
|
||||
// Done! 🎉
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -155,19 +155,15 @@ impl Plugin for ReferentialIntegrity {
|
|||
.map(|e| PartialValue::Refer(e.get_uuid()))
|
||||
.collect();
|
||||
|
||||
let work_set = qs.internal_search_writeable(&filt)?;
|
||||
let mut work_set = qs.internal_search_writeable(&filt)?;
|
||||
|
||||
let (pre_candidates, candidates) = work_set
|
||||
.into_iter()
|
||||
.map(|(pre, mut post)| {
|
||||
work_set.iter_mut().for_each(|(_, post)| {
|
||||
ref_types
|
||||
.values()
|
||||
.for_each(|attr| post.remove_avas(attr.name.as_str(), &removed_ids));
|
||||
(pre, post)
|
||||
})
|
||||
.unzip();
|
||||
});
|
||||
|
||||
qs.internal_apply_writable(pre_candidates, candidates)
|
||||
qs.internal_apply_writable(work_set)
|
||||
}
|
||||
|
||||
#[instrument(level = "debug", name = "verify", skip(qs))]
|
||||
|
|
|
|||
|
|
@ -365,41 +365,32 @@ impl<'a> QueryServerWriteTransaction<'a> {
|
|||
|
||||
for (_, ent) in mod_candidates.iter_mut() {
|
||||
if let Some(api_token_session) = ent.pop_ava("api_token_session") {
|
||||
let api_token_session = api_token_session.migrate_session_to_apitoken()
|
||||
let api_token_session =
|
||||
api_token_session
|
||||
.migrate_session_to_apitoken()
|
||||
.map_err(|e| {
|
||||
error!("Failed to convert api_token_session from session -> apitoken");
|
||||
e
|
||||
})?;
|
||||
|
||||
ent.set_ava_set(
|
||||
"api_token_session",
|
||||
api_token_session);
|
||||
ent.set_ava_set("api_token_session", api_token_session);
|
||||
}
|
||||
|
||||
if let Some(sync_token_session) = ent.pop_ava("sync_token_session") {
|
||||
let sync_token_session = sync_token_session.migrate_session_to_apitoken()
|
||||
let sync_token_session =
|
||||
sync_token_session
|
||||
.migrate_session_to_apitoken()
|
||||
.map_err(|e| {
|
||||
error!("Failed to convert sync_token_session from session -> apitoken");
|
||||
e
|
||||
})?;
|
||||
|
||||
ent.set_ava_set(
|
||||
"sync_token_session",
|
||||
sync_token_session);
|
||||
ent.set_ava_set("sync_token_session", sync_token_session);
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
let (
|
||||
pre_candidates,
|
||||
candidates
|
||||
) = mod_candidates
|
||||
.into_iter()
|
||||
.unzip();
|
||||
|
||||
// Apply the batch mod.
|
||||
self.internal_apply_writable(
|
||||
pre_candidates, candidates
|
||||
)
|
||||
self.internal_apply_writable(mod_candidates)
|
||||
}
|
||||
|
||||
#[instrument(level = "info", skip_all)]
|
||||
|
|
@ -512,9 +503,9 @@ impl<'a> QueryServerWriteTransaction<'a> {
|
|||
// and details. It's a pretty const thing. Also check anonymous, important to many
|
||||
// concepts.
|
||||
let res = self
|
||||
.internal_migrate_or_create_str(JSON_SYSTEM_INFO_V1)
|
||||
.and_then(|_| self.internal_migrate_or_create_str(JSON_DOMAIN_INFO_V1))
|
||||
.and_then(|_| self.internal_migrate_or_create_str(JSON_SYSTEM_CONFIG_V1));
|
||||
.internal_migrate_or_create(E_SYSTEM_INFO_V1.clone())
|
||||
.and_then(|_| self.internal_migrate_or_create(E_DOMAIN_INFO_V1.clone()))
|
||||
.and_then(|_| self.internal_migrate_or_create(E_SYSTEM_CONFIG_V1.clone()));
|
||||
if res.is_err() {
|
||||
admin_error!("initialise_idm p1 -> result {:?}", res);
|
||||
}
|
||||
|
|
@ -527,16 +518,16 @@ impl<'a> QueryServerWriteTransaction<'a> {
|
|||
// Check the admin object exists (migrations).
|
||||
// Create the default idm_admin group.
|
||||
let admin_entries = [
|
||||
JSON_ANONYMOUS_V1,
|
||||
JSON_ADMIN_V1,
|
||||
JSON_IDM_ADMIN_V1,
|
||||
JSON_IDM_ADMINS_V1,
|
||||
JSON_SYSTEM_ADMINS_V1,
|
||||
E_ANONYMOUS_V1.clone(),
|
||||
E_ADMIN_V1.clone(),
|
||||
E_IDM_ADMIN_V1.clone(),
|
||||
E_IDM_ADMINS_V1.clone(),
|
||||
E_SYSTEM_ADMINS_V1.clone(),
|
||||
];
|
||||
let res: Result<(), _> = admin_entries
|
||||
.iter()
|
||||
.into_iter()
|
||||
// Each item individually logs it's result
|
||||
.try_for_each(|e_str| self.internal_migrate_or_create_str(e_str));
|
||||
.try_for_each(|ent| self.internal_migrate_or_create(ent));
|
||||
if res.is_err() {
|
||||
admin_error!("initialise_idm p2 -> result {:?}", res);
|
||||
}
|
||||
|
|
@ -586,48 +577,6 @@ impl<'a> QueryServerWriteTransaction<'a> {
|
|||
JSON_IDM_HP_SYNC_ACCOUNT_MANAGE_PRIV,
|
||||
// All members must exist before we write HP
|
||||
JSON_IDM_HIGH_PRIVILEGE_V1,
|
||||
// Built in access controls.
|
||||
JSON_IDM_ADMINS_ACP_RECYCLE_SEARCH_V1,
|
||||
JSON_IDM_ADMINS_ACP_REVIVE_V1,
|
||||
// JSON_IDM_ADMINS_ACP_MANAGE_V1,
|
||||
JSON_IDM_ALL_ACP_READ_V1,
|
||||
JSON_IDM_SELF_ACP_READ_V1,
|
||||
JSON_IDM_SELF_ACP_WRITE_V1,
|
||||
JSON_IDM_PEOPLE_SELF_ACP_WRITE_MAIL_PRIV_V1,
|
||||
JSON_IDM_ACP_PEOPLE_READ_PRIV_V1,
|
||||
JSON_IDM_ACP_PEOPLE_WRITE_PRIV_V1,
|
||||
JSON_IDM_ACP_PEOPLE_MANAGE_PRIV_V1,
|
||||
JSON_IDM_ACP_GROUP_WRITE_PRIV_V1,
|
||||
JSON_IDM_ACP_GROUP_MANAGE_PRIV_V1,
|
||||
JSON_IDM_ACP_ACCOUNT_READ_PRIV_V1,
|
||||
JSON_IDM_ACP_ACCOUNT_WRITE_PRIV_V1,
|
||||
JSON_IDM_ACP_ACCOUNT_MANAGE_PRIV_V1,
|
||||
JSON_IDM_ACP_RADIUS_SERVERS_V1,
|
||||
JSON_IDM_ACP_HP_ACCOUNT_READ_PRIV_V1,
|
||||
JSON_IDM_ACP_HP_ACCOUNT_WRITE_PRIV_V1,
|
||||
JSON_IDM_ACP_HP_ACCOUNT_MANAGE_PRIV_V1,
|
||||
JSON_IDM_ACP_HP_GROUP_WRITE_PRIV_V1,
|
||||
JSON_IDM_ACP_HP_GROUP_MANAGE_PRIV_V1,
|
||||
JSON_IDM_ACP_SCHEMA_WRITE_ATTRS_PRIV_V1,
|
||||
JSON_IDM_ACP_SCHEMA_WRITE_CLASSES_PRIV_V1,
|
||||
JSON_IDM_ACP_ACP_MANAGE_PRIV_V1,
|
||||
JSON_IDM_ACP_DOMAIN_ADMIN_PRIV_V1,
|
||||
JSON_IDM_ACP_SYSTEM_CONFIG_PRIV_V1,
|
||||
JSON_IDM_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1,
|
||||
JSON_IDM_ACP_GROUP_UNIX_EXTEND_PRIV_V1,
|
||||
JSON_IDM_ACP_PEOPLE_ACCOUNT_PASSWORD_IMPORT_PRIV_V1,
|
||||
JSON_IDM_ACP_PEOPLE_EXTEND_PRIV_V1,
|
||||
JSON_IDM_ACP_HP_PEOPLE_READ_PRIV_V1,
|
||||
JSON_IDM_ACP_HP_PEOPLE_WRITE_PRIV_V1,
|
||||
JSON_IDM_ACP_HP_PEOPLE_EXTEND_PRIV_V1,
|
||||
JSON_IDM_HP_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1,
|
||||
JSON_IDM_HP_ACP_GROUP_UNIX_EXTEND_PRIV_V1,
|
||||
JSON_IDM_HP_ACP_OAUTH2_MANAGE_PRIV_V1,
|
||||
JSON_IDM_ACP_RADIUS_SECRET_READ_PRIV_V1,
|
||||
JSON_IDM_ACP_RADIUS_SECRET_WRITE_PRIV_V1,
|
||||
JSON_IDM_HP_ACP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_V1,
|
||||
// JSON_IDM_ACP_OAUTH2_READ_PRIV_V1,
|
||||
JSON_IDM_HP_ACP_SYNC_ACCOUNT_MANAGE_PRIV_V1,
|
||||
];
|
||||
|
||||
let res: Result<(), _> = idm_entries
|
||||
|
|
@ -642,6 +591,46 @@ impl<'a> QueryServerWriteTransaction<'a> {
|
|||
res?;
|
||||
|
||||
let idm_entries = [
|
||||
// Built in access controls.
|
||||
E_IDM_ADMINS_ACP_RECYCLE_SEARCH_V1.clone(),
|
||||
E_IDM_ADMINS_ACP_REVIVE_V1.clone(),
|
||||
E_IDM_ALL_ACP_READ_V1.clone(),
|
||||
E_IDM_SELF_ACP_READ_V1.clone(),
|
||||
E_IDM_SELF_ACP_WRITE_V1.clone(),
|
||||
E_IDM_PEOPLE_SELF_ACP_WRITE_MAIL_PRIV_V1.clone(),
|
||||
E_IDM_ACP_PEOPLE_READ_PRIV_V1.clone(),
|
||||
E_IDM_ACP_PEOPLE_WRITE_PRIV_V1.clone(),
|
||||
E_IDM_ACP_PEOPLE_MANAGE_PRIV_V1.clone(),
|
||||
E_IDM_ACP_ACCOUNT_READ_PRIV_V1.clone(),
|
||||
E_IDM_ACP_ACCOUNT_WRITE_PRIV_V1.clone(),
|
||||
E_IDM_ACP_ACCOUNT_MANAGE_PRIV_V1.clone(),
|
||||
E_IDM_ACP_HP_ACCOUNT_READ_PRIV_V1.clone(),
|
||||
E_IDM_ACP_HP_ACCOUNT_WRITE_PRIV_V1.clone(),
|
||||
E_IDM_ACP_HP_ACCOUNT_MANAGE_PRIV_V1.clone(),
|
||||
E_IDM_ACP_GROUP_WRITE_PRIV_V1.clone(),
|
||||
E_IDM_ACP_GROUP_MANAGE_PRIV_V1.clone(),
|
||||
E_IDM_ACP_HP_GROUP_WRITE_PRIV_V1.clone(),
|
||||
E_IDM_ACP_HP_GROUP_MANAGE_PRIV_V1.clone(),
|
||||
E_IDM_ACP_SCHEMA_WRITE_ATTRS_PRIV_V1.clone(),
|
||||
E_IDM_ACP_SCHEMA_WRITE_CLASSES_PRIV_V1.clone(),
|
||||
E_IDM_ACP_ACP_MANAGE_PRIV_V1.clone(),
|
||||
E_IDM_ACP_RADIUS_SERVERS_V1.clone(),
|
||||
E_IDM_ACP_DOMAIN_ADMIN_PRIV_V1.clone(),
|
||||
E_IDM_ACP_SYSTEM_CONFIG_PRIV_V1.clone(),
|
||||
E_IDM_ACP_PEOPLE_ACCOUNT_PASSWORD_IMPORT_PRIV_V1.clone(),
|
||||
E_IDM_ACP_PEOPLE_EXTEND_PRIV_V1.clone(),
|
||||
E_IDM_ACP_HP_PEOPLE_READ_PRIV_V1.clone(),
|
||||
E_IDM_ACP_HP_PEOPLE_WRITE_PRIV_V1.clone(),
|
||||
E_IDM_ACP_HP_PEOPLE_EXTEND_PRIV_V1.clone(),
|
||||
E_IDM_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1.clone(),
|
||||
E_IDM_HP_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1.clone(),
|
||||
E_IDM_ACP_GROUP_UNIX_EXTEND_PRIV_V1.clone(),
|
||||
E_IDM_HP_ACP_GROUP_UNIX_EXTEND_PRIV_V1.clone(),
|
||||
E_IDM_HP_ACP_OAUTH2_MANAGE_PRIV_V1.clone(),
|
||||
E_IDM_ACP_RADIUS_SECRET_READ_PRIV_V1.clone(),
|
||||
E_IDM_ACP_RADIUS_SECRET_WRITE_PRIV_V1.clone(),
|
||||
E_IDM_HP_ACP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_V1.clone(),
|
||||
E_IDM_HP_ACP_SYNC_ACCOUNT_MANAGE_PRIV_V1.clone(),
|
||||
E_IDM_UI_ENABLE_EXPERIMENTAL_FEATURES.clone(),
|
||||
E_IDM_ACCOUNT_MAIL_READ_PRIV.clone(),
|
||||
E_IDM_ACP_ACCOUNT_MAIL_READ_PRIV_V1.clone(),
|
||||
|
|
|
|||
|
|
@ -268,18 +268,27 @@ impl<'a> QueryServerWriteTransaction<'a> {
|
|||
#[instrument(level = "debug", skip_all)]
|
||||
pub(crate) fn internal_apply_writable(
|
||||
&mut self,
|
||||
pre_candidates: Vec<Arc<EntrySealedCommitted>>,
|
||||
candidates: Vec<Entry<EntryInvalid, EntryCommitted>>,
|
||||
candidate_tuples: Vec<(Arc<EntrySealedCommitted>, EntryInvalidCommitted)>,
|
||||
) -> Result<(), OperationError> {
|
||||
if pre_candidates.is_empty() && candidates.is_empty() {
|
||||
if candidate_tuples.is_empty() {
|
||||
// No action needed.
|
||||
return Ok(());
|
||||
}
|
||||
|
||||
if pre_candidates.len() != candidates.len() {
|
||||
admin_error!("internal_apply_writable - cand lengths differ");
|
||||
return Err(OperationError::InvalidRequestState);
|
||||
let (pre_candidates, candidates): (
|
||||
Vec<Arc<EntrySealedCommitted>>,
|
||||
Vec<EntryInvalidCommitted>,
|
||||
) = candidate_tuples.into_iter().unzip();
|
||||
|
||||
/*
|
||||
let mut pre_candidates = Vec::with_capacity(candidate_tuples.len());
|
||||
let mut candidates = Vec::with_capacity(candidate_tuples.len());
|
||||
|
||||
for (pre, post) in candidate_tuples.into_iter() {
|
||||
pre_candidates.push(pre);
|
||||
candidates.push(post);
|
||||
}
|
||||
*/
|
||||
|
||||
let res: Result<Vec<Entry<EntrySealed, EntryCommitted>>, OperationError> = candidates
|
||||
.into_iter()
|
||||
|
|
|
|||
|
|
@ -33,8 +33,8 @@ impl ValueSetSession {
|
|||
}
|
||||
|
||||
pub fn from_dbvs2(data: Vec<DbValueSession>) -> Result<ValueSet, OperationError> {
|
||||
let map = data
|
||||
.into_iter()
|
||||
let map =
|
||||
data.into_iter()
|
||||
.filter_map(|dbv| {
|
||||
match dbv {
|
||||
// MISTAKE - Skip due to lack of credential id
|
||||
|
|
|
|||
|
|
@ -244,7 +244,7 @@ async fn test_read_attrs(rsclient: &KanidmClient, id: &str, attrs: &[&str], is_r
|
|||
async fn test_write_attrs(rsclient: &KanidmClient, id: &str, attrs: &[&str], is_writeable: bool) {
|
||||
println!("Test write to {}, is writeable: {}", id, is_writeable);
|
||||
for attr in attrs.iter() {
|
||||
println!("Writing to {}", attr);
|
||||
println!("Writing to {} - ex {}", attr, is_writeable);
|
||||
let is_ok = is_attr_writable(rsclient, id, attr).await.unwrap();
|
||||
assert!(is_ok == is_writeable)
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue