mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-23 12:37:00 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

1399 cleanup (#1409)

Browse source
This commit is contained in:
Firstyear 2023-03-01 10:11:36 +10:00 committed by GitHub
parent f1c9e92f93
commit a5656b99f5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
15 changed files with 2421 additions and 2152 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
kanidm_book/src/SUMMARY.md
View file

@ -52,6 +52,7 @@
- [Access Profiles 2022](developers/designs/access_profiles_rework_2022.md)
- [Access Profiles Original](developers/designs/access_profiles_and_security.md)
- [REST Interface](developers/designs/rest_interface.md)
- [Elevated Priv Mode](developers/designs/elevated_priv_mode.md)
- [Python Module](developers/python.md)
- [RADIUS Integration](developers/radius.md)

24
kanidm_tools/src/cli/badlist.rs
View file

@ -31,8 +31,11 @@ impl PwBadlistOpt {
Err(e) => eprintln!("{:?}", e),
}
}
PwBadlistOpt::Upload { copt, paths } => {
let client = copt.to_client().await;
PwBadlistOpt::Upload {
copt,
paths,
dryrun,
} => {
info!("pre-processing - this may take a while ...");
let mut pwset: Vec<String> = Vec::new();
@ -101,19 +104,28 @@ impl PwBadlistOpt {
let results = task_handles.join().await;
let filt_pwset: Vec<_> = results
let mut filt_pwset: Vec<_> = results
.into_iter()
.flat_map(|res| res.expect("Thread join failure"))
.collect();
filt_pwset.sort_unstable();
info!(
"{} passwords passed zxcvbn, uploading ...",
filt_pwset.len()
);
match client.system_password_badlist_append(filt_pwset).await {
Ok(_) => println!("Success"),
Err(e) => eprintln!("{:?}", e),
if *dryrun {
for pw in filt_pwset {
println!("{}", pw);
}
} else {
let client = copt.to_client().await;
match client.system_password_badlist_append(filt_pwset).await {
Ok(_) => println!("Success"),
Err(e) => eprintln!("{:?}", e),
}
}
} // End Upload
PwBadlistOpt::Remove { copt, paths } => {

3
kanidm_tools/src/opt/kanidm.rs
View file

@ -715,6 +715,9 @@ pub enum PwBadlistOpt {
copt: CommonOpt,
#[clap(parse(from_os_str))]
paths: Vec<PathBuf>,
/// Perform a dry run and display the list that would have been uploaded instead.
#[clap(short = 'n', long)]
dryrun: bool,
},
#[clap[name = "remove", hide = true]]
/// Remove the content of these lists if present in the configured

2654
kanidmd/lib/src/constants/acp.rs
View file

File diff suppressed because it is too large Load diff

120
kanidmd/lib/src/constants/entries.rs
View file

@ -21,9 +21,9 @@ pub const JSON_ADMIN_V1: &str = r#"{
lazy_static! {
pub static ref E_ADMIN_V1: EntryInitNew = entry_init!(
("class", CLASS_OBJECT.clone()),
("class", CLASS_MEMBEROF.clone()),
("class", CLASS_ACCOUNT.clone()),
("class", CLASS_MEMBEROF.clone()),
("class", CLASS_OBJECT.clone()),
("class", CLASS_SERVICE_ACCOUNT.clone()),
("name", Value::new_iname("admin")),
("uuid", Value::Uuid(UUID_ADMIN)),
@ -35,38 +35,52 @@ lazy_static! {
);
}
/// Builtin IDM Admin account.
pub const JSON_IDM_ADMIN_V1: &str = r#"{
"attrs": {
"class": ["account", "service_account", "memberof", "object"],
"name": ["idm_admin"],
"uuid": ["00000000-0000-0000-0000-000000000018"],
"description": ["Builtin IDM Admin account."],
"displayname": ["IDM Administrator"]
}
}"#;
lazy_static! {
/// Builtin IDM Admin account.
pub static ref E_IDM_ADMIN_V1: EntryInitNew = entry_init!(
("class", CLASS_ACCOUNT.clone()),
("class", CLASS_MEMBEROF.clone()),
("class", CLASS_OBJECT.clone()),
("class", CLASS_SERVICE_ACCOUNT.clone()),
("name", Value::new_iname("idm_admin")),
("uuid", Value::Uuid(UUID_IDM_ADMIN)),
(
"description",
Value::new_utf8s("Builtin IDM Admin account.")
),
("displayname", Value::new_utf8s("IDM Administrator"))
);
}
/// Builtin IDM Administrators Group.
pub const JSON_IDM_ADMINS_V1: &str = r#"{
"attrs": {
"class": ["group", "object"],
"name": ["idm_admins"],
"uuid": ["00000000-0000-0000-0000-000000000001"],
"description": ["Builtin IDM Administrators Group."],
"member": ["00000000-0000-0000-0000-000000000018"]
}
}"#;
lazy_static! {
/// Builtin IDM Administrators Group.
pub static ref E_IDM_ADMINS_V1: EntryInitNew = entry_init!(
("class", CLASS_GROUP.clone()),
("class", CLASS_OBJECT.clone()),
("name", Value::new_iname("idm_admins")),
("uuid", Value::Uuid(UUID_IDM_ADMINS)),
(
"description",
Value::new_utf8s("Builtin IDM Administrators Group.")
),
("member", Value::Refer(UUID_IDM_ADMIN))
);
}
/// Builtin System Administrators Group.
pub const JSON_SYSTEM_ADMINS_V1: &str = r#"{
"attrs": {
"class": ["group", "object"],
"name": ["system_admins"],
"uuid": ["00000000-0000-0000-0000-000000000019"],
"description": ["Builtin System Administrators Group."],
"member": ["00000000-0000-0000-0000-000000000000"]
}
}"#;
lazy_static! {
/// Builtin System Administrators Group.
pub static ref E_SYSTEM_ADMINS_V1: EntryInitNew = entry_init!(
("class", CLASS_GROUP.clone()),
("class", CLASS_OBJECT.clone()),
("name", Value::new_iname("system_admins")),
("uuid", Value::Uuid(UUID_SYSTEM_ADMINS)),
(
"description",
Value::new_utf8s("Builtin System Administrators Group.")
),
("member", Value::Refer(UUID_ADMIN))
);
}
// * People read managers
/// Builtin IDM Group for granting elevated people (personal data) read permissions.
@ -560,23 +574,33 @@ pub const JSON_IDM_HIGH_PRIVILEGE_V1: &str = r#"{
}
}"#;
pub const JSON_SYSTEM_INFO_V1: &str = r#"{
"attrs": {
"class": ["object", "system_info", "system"],
"uuid": ["00000000-0000-0000-0000-ffffff000001"],
"description": ["System (local) info and metadata object."],
"version": ["12"]
}
}"#;
lazy_static! {
pub static ref E_SYSTEM_INFO_V1: EntryInitNew = entry_init!(
("class", CLASS_OBJECT.clone()),
("class", CLASS_SYSTEM_INFO.clone()),
("class", CLASS_SYSTEM.clone()),
("uuid", Value::Uuid(UUID_SYSTEM_INFO)),
(
"description",
Value::new_utf8s("System (local) info and metadata object.")
),
("version", Value::Uint32(12))
);
}
pub const JSON_DOMAIN_INFO_V1: &str = r#"{
"attrs": {
"class": ["object", "domain_info", "system"],
"name": ["domain_local"],
"uuid": ["00000000-0000-0000-0000-ffffff000025"],
"description": ["This local domain's info and metadata object."]
}
}"#;
lazy_static! {
pub static ref E_DOMAIN_INFO_V1: EntryInitNew = entry_init!(
("class", CLASS_OBJECT.clone()),
("class", CLASS_DOMAIN_INFO.clone()),
("class", CLASS_SYSTEM.clone()),
("name", Value::new_iname("domain_local")),
("uuid", Value::Uuid(UUID_DOMAIN_INFO)),
(
"description",
Value::new_utf8s("This local domain's info and metadata object.")
)
);
}
// Anonymous should be the last object in the range here.
pub const JSON_ANONYMOUS_V1: &str = r#"{

1318
kanidmd/lib/src/constants/system_config.rs
View file

File diff suppressed because it is too large Load diff

146
kanidmd/lib/src/constants/uuids.rs
View file

@ -5,54 +5,53 @@ use uuid::{uuid, Uuid};
// Built in group and account ranges.
pub const STR_UUID_ADMIN: &str = "00000000-0000-0000-0000-000000000000";
pub const UUID_ADMIN: Uuid = uuid!("00000000-0000-0000-0000-000000000000");
pub const _UUID_IDM_ADMINS: Uuid = uuid!("00000000-0000-0000-0000-000000000001");
pub const _UUID_IDM_PEOPLE_READ_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000002");
pub const _UUID_IDM_PEOPLE_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000003");
pub const _UUID_IDM_GROUP_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000004");
pub const _UUID_IDM_ACCOUNT_READ_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000005");
pub const _UUID_IDM_ACCOUNT_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000006");
pub const _UUID_IDM_RADIUS_SERVERS: Uuid = uuid!("00000000-0000-0000-0000-000000000007");
pub const _UUID_IDM_HP_ACCOUNT_READ_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000008");
pub const _UUID_IDM_HP_ACCOUNT_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000009");
pub const _UUID_IDM_SCHEMA_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000010");
pub const _UUID_IDM_ACP_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000011");
pub const _UUID_IDM_HP_GROUP_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000012");
pub const _UUID_IDM_PEOPLE_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000013");
pub const _UUID_IDM_ACCOUNT_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000014");
pub const _UUID_IDM_GROUP_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000015");
pub const _UUID_IDM_HP_ACCOUNT_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000016");
pub const _UUID_IDM_HP_GROUP_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000017");
pub const UUID_IDM_ADMINS: Uuid = uuid!("00000000-0000-0000-0000-000000000001");
pub const UUID_IDM_PEOPLE_READ_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000002");
pub const UUID_IDM_PEOPLE_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000003");
pub const UUID_IDM_GROUP_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000004");
pub const UUID_IDM_ACCOUNT_READ_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000005");
pub const UUID_IDM_ACCOUNT_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000006");
pub const UUID_IDM_RADIUS_SERVERS: Uuid = uuid!("00000000-0000-0000-0000-000000000007");
pub const UUID_IDM_HP_ACCOUNT_READ_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000008");
pub const UUID_IDM_HP_ACCOUNT_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000009");
pub const UUID_IDM_SCHEMA_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000010");
pub const UUID_IDM_ACP_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000011");
pub const UUID_IDM_HP_GROUP_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000012");
pub const UUID_IDM_PEOPLE_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000013");
pub const UUID_IDM_ACCOUNT_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000014");
pub const UUID_IDM_GROUP_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000015");
pub const UUID_IDM_HP_ACCOUNT_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000016");
pub const UUID_IDM_HP_GROUP_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000017");
pub const UUID_IDM_ADMIN: Uuid = uuid!("00000000-0000-0000-0000-000000000018");
pub const STR_UUID_SYSTEM_ADMINS: &str = "00000000-0000-0000-0000-000000000000";
pub const UUID_SYSTEM_ADMINS: Uuid = uuid!("00000000-0000-0000-0000-000000000019");
pub const UUID_DOMAIN_ADMINS: Uuid = uuid!("00000000-0000-0000-0000-000000000020");
pub const _UUID_IDM_ACCOUNT_UNIX_EXTEND_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000021");
pub const _UUID_IDM_GROUP_UNIX_EXTEND_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000022");
pub const _UUID_IDM_PEOPLE_ACCOUNT_PASSWORD_IMPORT_PRIV: Uuid =
pub const UUID_IDM_ACCOUNT_UNIX_EXTEND_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000021");
pub const UUID_IDM_GROUP_UNIX_EXTEND_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000022");
pub const UUID_IDM_PEOPLE_ACCOUNT_PASSWORD_IMPORT_PRIV: Uuid =
uuid!("00000000-0000-0000-0000-000000000023");
pub const _UUID_IDM_PEOPLE_EXTEND_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000024");
pub const _UUID_IDM_HP_ACCOUNT_UNIX_EXTEND_PRIV: Uuid =
pub const UUID_IDM_PEOPLE_EXTEND_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000024");
pub const UUID_IDM_HP_ACCOUNT_UNIX_EXTEND_PRIV: Uuid =
uuid!("00000000-0000-0000-0000-000000000025");
pub const _UUID_IDM_HP_GROUP_UNIX_EXTEND_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000026");
pub const _UUID_IDM_HP_OAUTH2_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000027");
pub const _UUID_IDM_HP_PEOPLE_READ_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000028");
pub const _UUID_IDM_HP_PEOPLE_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000029");
pub const _UUID_IDM_HP_PEOPLE_EXTEND_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000030");
pub const UUID_IDM_HP_GROUP_UNIX_EXTEND_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000026");
pub const UUID_IDM_HP_OAUTH2_MANAGE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000027");
pub const UUID_IDM_HP_PEOPLE_READ_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000028");
pub const UUID_IDM_HP_PEOPLE_WRITE_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000029");
pub const UUID_IDM_HP_PEOPLE_EXTEND_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000030");
pub const _UUID_IDM_RADIUS_SECRET_READ_PRIV_V1: Uuid =
uuid!("00000000-0000-0000-0000-000000000032");
pub const _UUID_IDM_RADIUS_SECRET_WRITE_PRIV_V1: Uuid =
pub const UUID_IDM_RADIUS_SECRET_READ_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-000000000032");
pub const UUID_IDM_RADIUS_SECRET_WRITE_PRIV_V1: Uuid =
uuid!("00000000-0000-0000-0000-000000000031");
pub const _UUID_IDM_PEOPLE_SELF_WRITE_MAIL_PRIV: Uuid =
pub const UUID_IDM_PEOPLE_SELF_WRITE_MAIL_PRIV: Uuid =
uuid!("00000000-0000-0000-0000-000000000033");
pub const _UUID_IDM_HP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_PRIV: Uuid =
pub const UUID_IDM_HP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_PRIV: Uuid =
uuid!("00000000-0000-0000-0000-000000000034");
pub const UUID_IDM_ALL_PERSONS: Uuid = uuid!("00000000-0000-0000-0000-000000000035");
pub const STR_UUID_IDM_ALL_ACCOUNTS: &str = "00000000-0000-0000-0000-000000000036";
pub const UUID_IDM_ALL_ACCOUNTS: Uuid = uuid!("00000000-0000-0000-0000-000000000036");
pub const _UUID_IDM_HP_SYNC_ACCOUNT_MANAGE_PRIV: Uuid =
pub const UUID_IDM_HP_SYNC_ACCOUNT_MANAGE_PRIV: Uuid =
uuid!("00000000-0000-0000-0000-000000000037");
pub const UUID_IDM_UI_ENABLE_EXPERIMENTAL_FEATURES: Uuid =
@ -236,73 +235,70 @@ pub const UUID_DOMAIN_INFO: Uuid = uuid!("00000000-0000-0000-0000-ffffff000025")
// Access controls
// skip 00 / 01 - see system info
pub const _UUID_IDM_ADMINS_ACP_RECYCLE_SEARCH_V1: Uuid =
pub const UUID_IDM_ADMINS_ACP_RECYCLE_SEARCH_V1: Uuid =
uuid!("00000000-0000-0000-0000-ffffff000002");
pub const _UUID_IDM_ADMINS_ACP_REVIVE_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000003");
pub const _UUID_IDM_SELF_ACP_READ_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000004");
pub const _UUID_IDM_ALL_ACP_READ_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000006");
pub const _UUID_IDM_ACP_PEOPLE_READ_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000007");
pub const _UUID_IDM_ACP_PEOPLE_WRITE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000008");
pub const _UUID_IDM_ACP_GROUP_WRITE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000009");
pub const _UUID_IDM_ACP_ACCOUNT_READ_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000010");
pub const _UUID_IDM_ACP_ACCOUNT_WRITE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000011");
pub const _UUID_IDM_ACP_ACCOUNT_MANAGE_PRIV_V1: Uuid =
uuid!("00000000-0000-0000-0000-ffffff000012");
pub const _UUID_IDM_ACP_PEOPLE_MANAGE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000013");
pub const _UUID_IDM_ACP_RADIUS_SERVERS_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000014");
pub const _UUID_IDM_ACP_HP_ACCOUNT_READ_PRIV_V1: Uuid =
pub const UUID_IDM_ADMINS_ACP_REVIVE_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000003");
pub const UUID_IDM_SELF_ACP_READ_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000004");
pub const UUID_IDM_ALL_ACP_READ_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000006");
pub const UUID_IDM_ACP_PEOPLE_READ_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000007");
pub const UUID_IDM_ACP_PEOPLE_WRITE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000008");
pub const UUID_IDM_ACP_GROUP_WRITE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000009");
pub const UUID_IDM_ACP_ACCOUNT_READ_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000010");
pub const UUID_IDM_ACP_ACCOUNT_WRITE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000011");
pub const UUID_IDM_ACP_ACCOUNT_MANAGE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000012");
pub const UUID_IDM_ACP_PEOPLE_MANAGE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000013");
pub const UUID_IDM_ACP_RADIUS_SERVERS_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000014");
pub const UUID_IDM_ACP_HP_ACCOUNT_READ_PRIV_V1: Uuid =
uuid!("00000000-0000-0000-0000-ffffff000015");
pub const _UUID_IDM_ACP_HP_ACCOUNT_WRITE_PRIV_V1: Uuid =
pub const UUID_IDM_ACP_HP_ACCOUNT_WRITE_PRIV_V1: Uuid =
uuid!("00000000-0000-0000-0000-ffffff000016");
pub const _UUID_IDM_ACP_HP_GROUP_WRITE_PRIV_V1: Uuid =
uuid!("00000000-0000-0000-0000-ffffff000017");
pub const _UUID_IDM_ACP_SCHEMA_WRITE_ATTRS_PRIV_V1: Uuid =
pub const UUID_IDM_ACP_HP_GROUP_WRITE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000017");
pub const UUID_IDM_ACP_SCHEMA_WRITE_ATTRS_PRIV_V1: Uuid =
uuid!("00000000-0000-0000-0000-ffffff000018");
pub const _UUID_IDM_ACP_ACP_MANAGE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000019");
pub const _UUID_IDM_ACP_SCHEMA_WRITE_CLASSES_PRIV_V1: Uuid =
pub const UUID_IDM_ACP_ACP_MANAGE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000019");
pub const UUID_IDM_ACP_SCHEMA_WRITE_CLASSES_PRIV_V1: Uuid =
uuid!("00000000-0000-0000-0000-ffffff000020");
pub const _UUID_IDM_SELF_ACP_WRITE_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000021");
pub const _UUID_IDM_ACP_GROUP_MANAGE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000022");
pub const _UUID_IDM_ACP_HP_ACCOUNT_MANAGE_PRIV_V1: Uuid =
pub const UUID_IDM_SELF_ACP_WRITE_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000021");
pub const UUID_IDM_ACP_GROUP_MANAGE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000022");
pub const UUID_IDM_ACP_HP_ACCOUNT_MANAGE_PRIV_V1: Uuid =
uuid!("00000000-0000-0000-0000-ffffff000023");
pub const _UUID_IDM_ACP_HP_GROUP_MANAGE_PRIV_V1: Uuid =
pub const UUID_IDM_ACP_HP_GROUP_MANAGE_PRIV_V1: Uuid =
uuid!("00000000-0000-0000-0000-ffffff000024");
// Skip 25 - see domain info.
pub const _UUID_IDM_ACP_DOMAIN_ADMIN_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000026");
pub const UUID_IDM_ACP_DOMAIN_ADMIN_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000026");
pub const STR_UUID_SYSTEM_CONFIG: &str = "00000000-0000-0000-0000-ffffff000027";
pub const UUID_SYSTEM_CONFIG: Uuid = uuid!("00000000-0000-0000-0000-ffffff000027");
pub const _UUID_IDM_ACP_SYSTEM_CONFIG_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000028");
pub const _UUID_IDM_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1: Uuid =
pub const UUID_IDM_ACP_SYSTEM_CONFIG_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000028");
pub const UUID_IDM_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1: Uuid =
uuid!("00000000-0000-0000-0000-ffffff000029");
pub const _UUID_IDM_ACP_GROUP_UNIX_EXTEND_PRIV_V1: Uuid =
pub const UUID_IDM_ACP_GROUP_UNIX_EXTEND_PRIV_V1: Uuid =
uuid!("00000000-0000-0000-0000-ffffff000030");
pub const _UUID_IDM_ACP_PEOPLE_ACCOUNT_PASSWORD_IMPORT_PRIV_V1: Uuid =
pub const UUID_IDM_ACP_PEOPLE_ACCOUNT_PASSWORD_IMPORT_PRIV_V1: Uuid =
uuid!("00000000-0000-0000-0000-ffffff000031");
pub const _UUID_IDM_ACP_PEOPLE_EXTEND_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000032");
pub const _UUID_IDM_HP_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1: Uuid =
pub const UUID_IDM_ACP_PEOPLE_EXTEND_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000032");
pub const UUID_IDM_HP_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1: Uuid =
uuid!("00000000-0000-0000-0000-ffffff000033");
pub const _UUID_IDM_HP_ACP_GROUP_UNIX_EXTEND_PRIV_V1: Uuid =
pub const UUID_IDM_HP_ACP_GROUP_UNIX_EXTEND_PRIV_V1: Uuid =
uuid!("00000000-0000-0000-0000-ffffff000034");
pub const _UUID_IDM_HP_ACP_OAUTH2_MANAGE_PRIV_V1: Uuid =
pub const UUID_IDM_HP_ACP_OAUTH2_MANAGE_PRIV_V1: Uuid =
uuid!("00000000-0000-0000-0000-ffffff000035");
pub const _UUID_IDM_ACP_HP_PEOPLE_READ_PRIV_V1: Uuid =
uuid!("00000000-0000-0000-0000-ffffff000036");
pub const _UUID_IDM_ACP_HP_PEOPLE_WRITE_PRIV_V1: Uuid =
pub const UUID_IDM_ACP_HP_PEOPLE_READ_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000036");
pub const UUID_IDM_ACP_HP_PEOPLE_WRITE_PRIV_V1: Uuid =
uuid!("00000000-0000-0000-0000-ffffff000037");
pub const _UUID_IDM_ACP_HP_PEOPLE_EXTEND_PRIV_V1: Uuid =
pub const UUID_IDM_ACP_HP_PEOPLE_EXTEND_PRIV_V1: Uuid =
uuid!("00000000-0000-0000-0000-ffffff000038");
pub const _UUID_IDM_ACP_RADIUS_SECRET_READ_PRIV_V1: Uuid =
pub const UUID_IDM_ACP_RADIUS_SECRET_READ_PRIV_V1: Uuid =
uuid!("00000000-0000-0000-0000-ffffff000039");
pub const _UUID_IDM_ACP_RADIUS_SECRET_WRITE_PRIV_V1: Uuid =
pub const UUID_IDM_ACP_RADIUS_SECRET_WRITE_PRIV_V1: Uuid =
uuid!("00000000-0000-0000-0000-ffffff000040");
pub const _UUID_IDM_PEOPLE_SELF_ACP_WRITE_MAIL_V1: Uuid =
pub const UUID_IDM_PEOPLE_SELF_ACP_WRITE_MAIL_V1: Uuid =
uuid!("00000000-0000-0000-0000-ffffff000041");
pub const _UUID_IDM_HP_ACP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_V1: Uuid =
pub const UUID_IDM_HP_ACP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_V1: Uuid =
uuid!("00000000-0000-0000-0000-ffffff000042");
pub const UUID_IDM_ACP_OAUTH2_READ_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000043");
pub const _UUID_IDM_HP_ACP_SYNC_ACCOUNT_MANAGE_PRIV_V1: Uuid =
pub const UUID_IDM_HP_ACP_SYNC_ACCOUNT_MANAGE_PRIV_V1: Uuid =
uuid!("00000000-0000-0000-0000-ffffff000044");
pub const UUID_IDM_ACP_ACCOUNT_MAIL_READ_PRIV_V1: Uuid =
uuid!("00000000-0000-0000-0000-ffffff000045");

3
kanidmd/lib/src/constants/values.rs
View file

@ -40,6 +40,9 @@ lazy_static! {
pub static ref PVUUID_SYSTEM_CONFIG: PartialValue = PartialValue::Uuid(UUID_SYSTEM_CONFIG);
pub static ref PVUUID_SYSTEM_INFO: PartialValue = PartialValue::Uuid(UUID_SYSTEM_INFO);
pub static ref CLASS_ACCESS_CONTROL_PROFILE: Value = Value::new_class("access_control_profile");
pub static ref CLASS_ACCESS_CONTROL_CREATE: Value = Value::new_class("access_control_create");
pub static ref CLASS_ACCESS_CONTROL_DELETE: Value = Value::new_class("access_control_delete");
pub static ref CLASS_ACCESS_CONTROL_MODIFY: Value = Value::new_class("access_control_modify");
pub static ref CLASS_ACCESS_CONTROL_SEARCH: Value = Value::new_class("access_control_search");
pub static ref CLASS_ACCOUNT: Value = Value::new_class("account");
pub static ref CLASS_ATTRIBUTETYPE: Value = Value::new_class("attributetype");

48
kanidmd/lib/src/plugins/dyngroup.rs
View file

@ -18,8 +18,7 @@ impl DynGroup {
fn apply_dyngroup_change(
qs: &mut QueryServerWriteTransaction,
ident: &Identity,
pre_candidates: &mut Vec<Arc<EntrySealedCommitted>>,
candidates: &mut Vec<EntryInvalidCommitted>,
candidate_tuples: &mut Vec<(Arc<EntrySealedCommitted>, EntryInvalidCommitted)>,
affected_uuids: &mut Vec<Uuid>,
expect: bool,
ident_internal: &Identity,
@ -80,8 +79,7 @@ impl DynGroup {
nd_group.purge_ava("member");
}
pre_candidates.push(pre);
candidates.push(nd_group);
candidate_tuples.push((pre, nd_group));
// Insert to our new instances
if dyn_groups.insts.insert(uuid, scope_i).is_none() == expect {
@ -159,8 +157,7 @@ impl DynGroup {
// dyn groups will see the created entries on an internal search
// so we don't need to reference them.
let mut pre_candidates = Vec::with_capacity(dyn_groups.insts.len() + cand.len());
let mut candidates = Vec::with_capacity(dyn_groups.insts.len() + cand.len());
let mut candidate_tuples = Vec::with_capacity(dyn_groups.insts.len() + cand.len());
// Apply existing dyn_groups to entries.
trace!(?dyn_groups.insts);
@ -199,8 +196,7 @@ impl DynGroup {
affected_uuids.extend(matches.into_iter());
affected_uuids.push(*dg_uuid);
pre_candidates.push(pre);
candidates.push(d_group);
candidate_tuples.push((pre, d_group));
}
}
}
@ -213,8 +209,7 @@ impl DynGroup {
Self::apply_dyngroup_change(
qs,
ident,
&mut pre_candidates,
&mut candidates,
&mut candidate_tuples,
&mut affected_uuids,
false,
&ident_internal,
@ -224,14 +219,12 @@ impl DynGroup {
}
// Write back the new changes.
debug_assert!(pre_candidates.len() == candidates.len());
// Write this stripe if populated.
if !pre_candidates.is_empty() {
qs.internal_apply_writable(pre_candidates, candidates)
.map_err(|e| {
admin_error!("Failed to commit dyngroup set {:?}", e);
e
})?;
if !candidate_tuples.is_empty() {
qs.internal_apply_writable(candidate_tuples).map_err(|e| {
admin_error!("Failed to commit dyngroup set {:?}", e);
e
})?;
}
Ok(affected_uuids)
@ -265,8 +258,7 @@ impl DynGroup {
// lifetime here is safe since we are the sole accessor.
let dyn_groups: &mut DynGroupCache = unsafe { &mut *(qs.get_dyngroup_cache() as *mut _) };
let mut pre_candidates = Vec::with_capacity(dyn_groups.insts.len() + cand.len());
let mut candidates = Vec::with_capacity(dyn_groups.insts.len() + cand.len());
let mut candidate_tuples = Vec::with_capacity(dyn_groups.insts.len() + cand.len());
// If we modified a dyngroups member or filter, re-trigger it here.
// if the event is not internal, reject (for now)
@ -278,8 +270,7 @@ impl DynGroup {
Self::apply_dyngroup_change(
qs,
ident,
&mut pre_candidates,
&mut candidates,
&mut candidate_tuples,
&mut affected_uuids,
true,
&ident_internal,
@ -334,21 +325,18 @@ impl DynGroup {
}));
affected_uuids.push(*dg_uuid);
pre_candidates.push(pre);
candidates.push(d_group);
candidate_tuples.push((pre, d_group));
}
}
}
// Write back the new changes.
debug_assert!(pre_candidates.len() == candidates.len());
// Write this stripe if populated.
if !pre_candidates.is_empty() {
qs.internal_apply_writable(pre_candidates, candidates)
.map_err(|e| {
admin_error!("Failed to commit dyngroup set {:?}", e);
e
})?;
if !candidate_tuples.is_empty() {
qs.internal_apply_writable(candidate_tuples).map_err(|e| {
admin_error!("Failed to commit dyngroup set {:?}", e);
e
})?;
}
Ok(affected_uuids)

32
kanidmd/lib/src/plugins/memberof.rs
View file

@ -113,9 +113,6 @@ fn apply_memberof(
while !group_affect.is_empty() {
group_affect.sort();
group_affect.dedup();
// Prep the write lists
let mut pre_candidates = Vec::with_capacity(group_affect.len());
let mut candidates = Vec::with_capacity(group_affect.len());
// Ignore recycled/tombstones
let filt = filter!(FC::Or(
@ -125,10 +122,12 @@ fn apply_memberof(
.collect()
));
let mut work_set = qs.internal_search_writeable(&filt)?;
let work_set = qs.internal_search_writeable(&filt)?;
// Load the vecdeque with this batch.
while let Some((pre, mut tgte)) = work_set.pop() {
let mut changes = Vec::with_capacity(work_set.len());
for (pre, mut tgte) in work_set.into_iter() {
let guuid = pre.get_uuid();
// load the entry from the db.
if !tgte.attribute_equality("class", &PVCLASS_GROUP) {
@ -160,28 +159,24 @@ fn apply_memberof(
};
// push the entries to pre/cand
pre_candidates.push(pre);
candidates.push(tgte);
changes.push((pre, tgte));
} else {
trace!("{:?} stable", guuid);
}
}
debug_assert!(pre_candidates.len() == candidates.len());
// Write this stripe if populated.
if !pre_candidates.is_empty() {
qs.internal_apply_writable(pre_candidates, candidates)
.map_err(|e| {
admin_error!("Failed to commit memberof group set {:?}", e);
e
})?;
if !changes.is_empty() {
qs.internal_apply_writable(changes).map_err(|e| {
admin_error!("Failed to commit memberof group set {:?}", e);
e
})?;
}
// Next loop!
}
// ALL GROUP MOS + DMOS ARE NOW STABLE. We can load these into other items directly.
let mut pre_candidates = Vec::with_capacity(other_cache.len());
let mut candidates = Vec::with_capacity(other_cache.len());
let mut changes = Vec::with_capacity(other_cache.len());
other_cache
.into_iter()
@ -193,15 +188,14 @@ fn apply_memberof(
if pre.get_ava_set("memberof") != tgte.get_ava_set("memberof")
|| pre.get_ava_set("directmemberof") != tgte.get_ava_set("directmemberof")
{
pre_candidates.push(pre);
candidates.push(tgte);
changes.push((pre, tgte));
}
Ok(())
})?;
// Turn the other_cache into a write set.
// Write the batch out in a single stripe.
qs.internal_apply_writable(pre_candidates, candidates)
qs.internal_apply_writable(changes)
// Done! 🎉
}

18
kanidmd/lib/src/plugins/refint.rs
View file

@ -155,19 +155,15 @@ impl Plugin for ReferentialIntegrity {
.map(|e| PartialValue::Refer(e.get_uuid()))
.collect();
let work_set = qs.internal_search_writeable(&filt)?;
let mut work_set = qs.internal_search_writeable(&filt)?;
let (pre_candidates, candidates) = work_set
.into_iter()
.map(|(pre, mut post)| {
ref_types
.values()
.for_each(|attr| post.remove_avas(attr.name.as_str(), &removed_ids));
(pre, post)
})
.unzip();
work_set.iter_mut().for_each(|(_, post)| {
ref_types
.values()
.for_each(|attr| post.remove_avas(attr.name.as_str(), &removed_ids));
});
qs.internal_apply_writable(pre_candidates, candidates)
qs.internal_apply_writable(work_set)
}
#[instrument(level = "debug", name = "verify", skip(qs))]

149
kanidmd/lib/src/server/migrations.rs
View file

@ -343,7 +343,7 @@ impl<'a> QueryServerWriteTransaction<'a> {
#[instrument(level = "debug", skip_all)]
pub fn migrate_11_to_12(&mut self) -> Result<(), OperationError> {
admin_warn!("starting 11 to 12 migration.");
// sync_token_session
// sync_token_session
let filter = filter!(f_or!([
f_pres("api_token_session"),
f_pres("sync_token_session"),
@ -365,41 +365,32 @@ impl<'a> QueryServerWriteTransaction<'a> {
for (_, ent) in mod_candidates.iter_mut() {
if let Some(api_token_session) = ent.pop_ava("api_token_session") {
let api_token_session = api_token_session.migrate_session_to_apitoken()
.map_err(|e| {
error!("Failed to convert api_token_session from session -> apitoken");
e
})?;
let api_token_session =
api_token_session
.migrate_session_to_apitoken()
.map_err(|e| {
error!("Failed to convert api_token_session from session -> apitoken");
e
})?;
ent.set_ava_set(
"api_token_session",
api_token_session);
ent.set_ava_set("api_token_session", api_token_session);
}
if let Some(sync_token_session) = ent.pop_ava("sync_token_session") {
let sync_token_session = sync_token_session.migrate_session_to_apitoken()
.map_err(|e| {
error!("Failed to convert sync_token_session from session -> apitoken");
e
})?;
let sync_token_session =
sync_token_session
.migrate_session_to_apitoken()
.map_err(|e| {
error!("Failed to convert sync_token_session from session -> apitoken");
e
})?;
ent.set_ava_set(
"sync_token_session",
sync_token_session);
ent.set_ava_set("sync_token_session", sync_token_session);
}
};
let (
pre_candidates,
candidates
) = mod_candidates
.into_iter()
.unzip();
}
// Apply the batch mod.
self.internal_apply_writable(
pre_candidates, candidates
)
self.internal_apply_writable(mod_candidates)
}
#[instrument(level = "info", skip_all)]
@ -512,9 +503,9 @@ impl<'a> QueryServerWriteTransaction<'a> {
// and details. It's a pretty const thing. Also check anonymous, important to many
// concepts.
let res = self
.internal_migrate_or_create_str(JSON_SYSTEM_INFO_V1)
.and_then(|_| self.internal_migrate_or_create_str(JSON_DOMAIN_INFO_V1))
.and_then(|_| self.internal_migrate_or_create_str(JSON_SYSTEM_CONFIG_V1));
.internal_migrate_or_create(E_SYSTEM_INFO_V1.clone())
.and_then(|_| self.internal_migrate_or_create(E_DOMAIN_INFO_V1.clone()))
.and_then(|_| self.internal_migrate_or_create(E_SYSTEM_CONFIG_V1.clone()));
if res.is_err() {
admin_error!("initialise_idm p1 -> result {:?}", res);
}
@ -527,16 +518,16 @@ impl<'a> QueryServerWriteTransaction<'a> {
// Check the admin object exists (migrations).
// Create the default idm_admin group.
let admin_entries = [
JSON_ANONYMOUS_V1,
JSON_ADMIN_V1,
JSON_IDM_ADMIN_V1,
JSON_IDM_ADMINS_V1,
JSON_SYSTEM_ADMINS_V1,
E_ANONYMOUS_V1.clone(),
E_ADMIN_V1.clone(),
E_IDM_ADMIN_V1.clone(),
E_IDM_ADMINS_V1.clone(),
E_SYSTEM_ADMINS_V1.clone(),
];
let res: Result<(), _> = admin_entries
.iter()
.into_iter()
// Each item individually logs it's result
.try_for_each(|e_str| self.internal_migrate_or_create_str(e_str));
.try_for_each(|ent| self.internal_migrate_or_create(ent));
if res.is_err() {
admin_error!("initialise_idm p2 -> result {:?}", res);
}
@ -586,48 +577,6 @@ impl<'a> QueryServerWriteTransaction<'a> {
JSON_IDM_HP_SYNC_ACCOUNT_MANAGE_PRIV,
// All members must exist before we write HP
JSON_IDM_HIGH_PRIVILEGE_V1,
// Built in access controls.
JSON_IDM_ADMINS_ACP_RECYCLE_SEARCH_V1,
JSON_IDM_ADMINS_ACP_REVIVE_V1,
// JSON_IDM_ADMINS_ACP_MANAGE_V1,
JSON_IDM_ALL_ACP_READ_V1,
JSON_IDM_SELF_ACP_READ_V1,
JSON_IDM_SELF_ACP_WRITE_V1,
JSON_IDM_PEOPLE_SELF_ACP_WRITE_MAIL_PRIV_V1,
JSON_IDM_ACP_PEOPLE_READ_PRIV_V1,
JSON_IDM_ACP_PEOPLE_WRITE_PRIV_V1,
JSON_IDM_ACP_PEOPLE_MANAGE_PRIV_V1,
JSON_IDM_ACP_GROUP_WRITE_PRIV_V1,
JSON_IDM_ACP_GROUP_MANAGE_PRIV_V1,
JSON_IDM_ACP_ACCOUNT_READ_PRIV_V1,
JSON_IDM_ACP_ACCOUNT_WRITE_PRIV_V1,
JSON_IDM_ACP_ACCOUNT_MANAGE_PRIV_V1,
JSON_IDM_ACP_RADIUS_SERVERS_V1,
JSON_IDM_ACP_HP_ACCOUNT_READ_PRIV_V1,
JSON_IDM_ACP_HP_ACCOUNT_WRITE_PRIV_V1,
JSON_IDM_ACP_HP_ACCOUNT_MANAGE_PRIV_V1,
JSON_IDM_ACP_HP_GROUP_WRITE_PRIV_V1,
JSON_IDM_ACP_HP_GROUP_MANAGE_PRIV_V1,
JSON_IDM_ACP_SCHEMA_WRITE_ATTRS_PRIV_V1,
JSON_IDM_ACP_SCHEMA_WRITE_CLASSES_PRIV_V1,
JSON_IDM_ACP_ACP_MANAGE_PRIV_V1,
JSON_IDM_ACP_DOMAIN_ADMIN_PRIV_V1,
JSON_IDM_ACP_SYSTEM_CONFIG_PRIV_V1,
JSON_IDM_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1,
JSON_IDM_ACP_GROUP_UNIX_EXTEND_PRIV_V1,
JSON_IDM_ACP_PEOPLE_ACCOUNT_PASSWORD_IMPORT_PRIV_V1,
JSON_IDM_ACP_PEOPLE_EXTEND_PRIV_V1,
JSON_IDM_ACP_HP_PEOPLE_READ_PRIV_V1,
JSON_IDM_ACP_HP_PEOPLE_WRITE_PRIV_V1,
JSON_IDM_ACP_HP_PEOPLE_EXTEND_PRIV_V1,
JSON_IDM_HP_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1,
JSON_IDM_HP_ACP_GROUP_UNIX_EXTEND_PRIV_V1,
JSON_IDM_HP_ACP_OAUTH2_MANAGE_PRIV_V1,
JSON_IDM_ACP_RADIUS_SECRET_READ_PRIV_V1,
JSON_IDM_ACP_RADIUS_SECRET_WRITE_PRIV_V1,
JSON_IDM_HP_ACP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_V1,
// JSON_IDM_ACP_OAUTH2_READ_PRIV_V1,
JSON_IDM_HP_ACP_SYNC_ACCOUNT_MANAGE_PRIV_V1,
];
let res: Result<(), _> = idm_entries
@ -642,6 +591,46 @@ impl<'a> QueryServerWriteTransaction<'a> {
res?;
let idm_entries = [
// Built in access controls.
E_IDM_ADMINS_ACP_RECYCLE_SEARCH_V1.clone(),
E_IDM_ADMINS_ACP_REVIVE_V1.clone(),
E_IDM_ALL_ACP_READ_V1.clone(),
E_IDM_SELF_ACP_READ_V1.clone(),
E_IDM_SELF_ACP_WRITE_V1.clone(),
E_IDM_PEOPLE_SELF_ACP_WRITE_MAIL_PRIV_V1.clone(),
E_IDM_ACP_PEOPLE_READ_PRIV_V1.clone(),
E_IDM_ACP_PEOPLE_WRITE_PRIV_V1.clone(),
E_IDM_ACP_PEOPLE_MANAGE_PRIV_V1.clone(),
E_IDM_ACP_ACCOUNT_READ_PRIV_V1.clone(),
E_IDM_ACP_ACCOUNT_WRITE_PRIV_V1.clone(),
E_IDM_ACP_ACCOUNT_MANAGE_PRIV_V1.clone(),
E_IDM_ACP_HP_ACCOUNT_READ_PRIV_V1.clone(),
E_IDM_ACP_HP_ACCOUNT_WRITE_PRIV_V1.clone(),
E_IDM_ACP_HP_ACCOUNT_MANAGE_PRIV_V1.clone(),
E_IDM_ACP_GROUP_WRITE_PRIV_V1.clone(),
E_IDM_ACP_GROUP_MANAGE_PRIV_V1.clone(),
E_IDM_ACP_HP_GROUP_WRITE_PRIV_V1.clone(),
E_IDM_ACP_HP_GROUP_MANAGE_PRIV_V1.clone(),
E_IDM_ACP_SCHEMA_WRITE_ATTRS_PRIV_V1.clone(),
E_IDM_ACP_SCHEMA_WRITE_CLASSES_PRIV_V1.clone(),
E_IDM_ACP_ACP_MANAGE_PRIV_V1.clone(),
E_IDM_ACP_RADIUS_SERVERS_V1.clone(),
E_IDM_ACP_DOMAIN_ADMIN_PRIV_V1.clone(),
E_IDM_ACP_SYSTEM_CONFIG_PRIV_V1.clone(),
E_IDM_ACP_PEOPLE_ACCOUNT_PASSWORD_IMPORT_PRIV_V1.clone(),
E_IDM_ACP_PEOPLE_EXTEND_PRIV_V1.clone(),
E_IDM_ACP_HP_PEOPLE_READ_PRIV_V1.clone(),
E_IDM_ACP_HP_PEOPLE_WRITE_PRIV_V1.clone(),
E_IDM_ACP_HP_PEOPLE_EXTEND_PRIV_V1.clone(),
E_IDM_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1.clone(),
E_IDM_HP_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1.clone(),
E_IDM_ACP_GROUP_UNIX_EXTEND_PRIV_V1.clone(),
E_IDM_HP_ACP_GROUP_UNIX_EXTEND_PRIV_V1.clone(),
E_IDM_HP_ACP_OAUTH2_MANAGE_PRIV_V1.clone(),
E_IDM_ACP_RADIUS_SECRET_READ_PRIV_V1.clone(),
E_IDM_ACP_RADIUS_SECRET_WRITE_PRIV_V1.clone(),
E_IDM_HP_ACP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_V1.clone(),
E_IDM_HP_ACP_SYNC_ACCOUNT_MANAGE_PRIV_V1.clone(),
E_IDM_UI_ENABLE_EXPERIMENTAL_FEATURES.clone(),
E_IDM_ACCOUNT_MAIL_READ_PRIV.clone(),
E_IDM_ACP_ACCOUNT_MAIL_READ_PRIV_V1.clone(),

21
kanidmd/lib/src/server/modify.rs
View file

@ -268,18 +268,27 @@ impl<'a> QueryServerWriteTransaction<'a> {
#[instrument(level = "debug", skip_all)]
pub(crate) fn internal_apply_writable(
&mut self,
pre_candidates: Vec<Arc<EntrySealedCommitted>>,
candidates: Vec<Entry<EntryInvalid, EntryCommitted>>,
candidate_tuples: Vec<(Arc<EntrySealedCommitted>, EntryInvalidCommitted)>,
) -> Result<(), OperationError> {
if pre_candidates.is_empty() && candidates.is_empty() {
if candidate_tuples.is_empty() {
// No action needed.
return Ok(());
}
if pre_candidates.len() != candidates.len() {
admin_error!("internal_apply_writable - cand lengths differ");
return Err(OperationError::InvalidRequestState);
let (pre_candidates, candidates): (
Vec<Arc<EntrySealedCommitted>>,
Vec<EntryInvalidCommitted>,
) = candidate_tuples.into_iter().unzip();
/*
let mut pre_candidates = Vec::with_capacity(candidate_tuples.len());
let mut candidates = Vec::with_capacity(candidate_tuples.len());
for (pre, post) in candidate_tuples.into_iter() {
pre_candidates.push(pre);
candidates.push(post);
}
*/
let res: Result<Vec<Entry<EntrySealed, EntryCommitted>>, OperationError> = candidates
.into_iter()

34
kanidmd/lib/src/valueset/session.rs
View file

@ -33,23 +33,23 @@ impl ValueSetSession {
}
pub fn from_dbvs2(data: Vec<DbValueSession>) -> Result<ValueSet, OperationError> {
let map = data
.into_iter()
.filter_map(|dbv| {
match dbv {
// MISTAKE - Skip due to lack of credential id
// Don't actually skip, generate a random cred id. Session cleanup will
// trim sessions on users, but if we skip blazenly we invalidate every api
// token ever issued. OOPS!
DbValueSession::V1 {
refer,
label,
expiry,
issued_at,
issued_by,
scope,
} => {
let cred_id = Uuid::new_v4();
let map =
data.into_iter()
.filter_map(|dbv| {
match dbv {
// MISTAKE - Skip due to lack of credential id
// Don't actually skip, generate a random cred id. Session cleanup will
// trim sessions on users, but if we skip blazenly we invalidate every api
// token ever issued. OOPS!
DbValueSession::V1 {
refer,
label,
expiry,
issued_at,
issued_by,
scope,
} => {
let cred_id = Uuid::new_v4();
// Convert things.
let issued_at = OffsetDateTime::parse(issued_at, time::Format::Rfc3339)

2
kanidmd/testkit/tests/default_entries.rs
View file

@ -244,7 +244,7 @@ async fn test_read_attrs(rsclient: &KanidmClient, id: &str, attrs: &[&str], is_r
async fn test_write_attrs(rsclient: &KanidmClient, id: &str, attrs: &[&str], is_writeable: bool) {
println!("Test write to {}, is writeable: {}", id, is_writeable);
for attr in attrs.iter() {
println!("Writing to {}", attr);
println!("Writing to {} - ex {}", attr, is_writeable);
let is_ok = is_attr_writable(rsclient, id, attr).await.unwrap();
assert!(is_ok == is_writeable)
}