From aba9f6a724f905d608a07543e42410cc77717b40 Mon Sep 17 00:00:00 2001 From: James Hodgkinson Date: Mon, 14 Aug 2023 19:39:49 +1000 Subject: [PATCH] Struct-ifying schema things (#1971) * structifying things --- server/lib/Cargo.toml | 19 +- server/lib/build.rs | 25 + server/lib/src/constants/schema.rs | 2552 +++++++-------------------- server/lib/src/constants/uuids.rs | 112 +- server/lib/src/schema.rs | 111 ++ server/lib/src/server/migrations.rs | 136 +- server/testkit/tests/integration.rs | 6 +- 7 files changed, 956 insertions(+), 2005 deletions(-) diff --git a/server/lib/Cargo.toml b/server/lib/Cargo.toml index 99acdf1d2..e03a15c02 100644 --- a/server/lib/Cargo.toml +++ b/server/lib/Cargo.toml @@ -42,7 +42,13 @@ num_enum = { workspace = true } openssl-sys = { workspace = true } openssl = { workspace = true } rand = { workspace = true } -regex = { workspace = true, features = ["std", "perf", "perf-inline", "unicode", "unicode-gencat"] } +regex = { workspace = true, features = [ + "std", + "perf", + "perf-inline", + "unicode", + "unicode-gencat", +] } serde = { workspace = true, features = ["derive"] } serde_cbor = { workspace = true } serde_json = { workspace = true } @@ -61,8 +67,12 @@ tracing = { workspace = true, features = ["attributes"] } url = { workspace = true, features = ["serde"] } urlencoding = { workspace = true } -uuid = { workspace = true, features = ["serde", "v4" ] } -webauthn-rs = { workspace = true, features = ["resident-key-support", "preview-features", "danger-credential-internals"] } +uuid = { workspace = true, features = ["serde", "v4"] } +webauthn-rs = { workspace = true, features = [ + "resident-key-support", + "preview-features", + "danger-credential-internals", +] } webauthn-rs-core = { workspace = true } zxcvbn = { workspace = true } serde_with = { workspace = true } 
@@ -87,5 +97,6 @@ futures = { workspace = true } kanidmd_lib_macros = { workspace = true } [build-dependencies] +hashbrown = { workspace = true } kanidm_build_profiles = { workspace = true } - +regex = { workspace = true } diff --git a/server/lib/build.rs b/server/lib/build.rs index 54b626248..41421eaea 100644 --- a/server/lib/build.rs +++ b/server/lib/build.rs @@ -1,5 +1,7 @@ // include!("src/lib/audit_loglevel.rs"); +use hashbrown::HashMap; + use std::env; fn main() { @@ -12,4 +14,27 @@ fn main() { } profiles::apply_profile(); + + // check we don't have duplicate UUIDs + let uuid_filename = format!( + "{}/{}", + env!("CARGO_MANIFEST_DIR"), + "src/constants/uuids.rs" + ); + let constants = std::fs::read_to_string(uuid_filename).unwrap(); + let mut uuids: HashMap = HashMap::new(); + let uuid_finder = regex::Regex::new(r#"uuid!\(\"([^\"]+)"#).unwrap(); + + for line in constants.lines() { + if let Some(caps) = uuid_finder.captures(line) { + let uuid = caps.get(1).unwrap().as_str(); + let count = uuids.entry(uuid.to_string()).or_insert(0); + *count += 1; + } + } + for (uuid, count) in uuids { + if count > 1 { + panic!("duplicate UUID: {}", uuid); + } + } } diff --git a/server/lib/src/constants/schema.rs b/server/lib/src/constants/schema.rs index 2e409936f..f5b37d180 100644 --- a/server/lib/src/constants/schema.rs +++ b/server/lib/src/constants/schema.rs 
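Review bot: In the duplicate-UUID check, `uuid_finder.captures(line)` inside `for line in constants.lines()` records only the first `uuid!(` on each line, so a second literal on the same line is never counted; iterating `for caps in uuid_finder.captures_iter(&constants)` over the whole file counts every match and makes the line loop unnecessary. The check only stays meaningful if cargo reruns the build script when `src/constants/uuids.rs` changes, and if `profiles::apply_profile()` (whose body is outside the hunk) emits any `cargo:rerun-if-changed` directive cargo stops rerunning on arbitrary source edits, so `println!("cargo:rerun-if-changed=src/constants/uuids.rs");` should be emitted explicitly next to the read. `std::collections::HashMap` (or a `HashSet` whose `insert` returning false flags the first repeat) does the same job without the `hashbrown` build-dependency added in the preceding hunk and in Cargo.toml. `std::fs::read_to_string(uuid_filename).unwrap()` would be clearer as `.expect("unable to read src/constants/uuids.rs")` so a build failure names the file rather than an anonymous unwrap. `fn main` begins outside the hunk.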
@@ -1,1643 +1,586 @@ -// Core -// Schema uuids start at 00000000-0000-0000-0000-ffff00000000 - +//! Core Constants +//! +//! Schema uuids start at `00000000-0000-0000-0000-ffff00000000` +//! use crate::constants::uuids::*; -use crate::constants::values::*; -use crate::entry::{Entry, EntryInit, EntryInitNew, EntryNew}; -use crate::value::{SyntaxType, Value}; +use crate::schema::{SchemaAttribute, SchemaClass}; +use crate::value::IndexType; +use crate::value::SyntaxType; +use smartstring::alias::String as AttrString; -// system supplementary -pub const JSON_SCHEMA_ATTR_DISPLAYNAME: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "The publicly visible display name of this person" - ], - "index": [ - "EQUALITY" - ], - "unique": [ - "false" - ], - "multivalue": [ - "false" - ], - "sync_allowed": [ - "true" - ], - "attributename": [ - "displayname" - ], - "syntax": [ - "UTF8STRING" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000040" - ] - } -}"#; -pub const JSON_SCHEMA_ATTR_MAIL: &str = r#" - { - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "mail addresses of the object" - ], - "index": [ - "EQUALITY" - ], - "unique": [ - "true" - ], - "multivalue": [ - "true" - ], - "sync_allowed": [ - "true" - ], - "attributename": [ - "mail" - ], - "syntax": [ - "EMAIL_ADDRESS" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000041" - ] - } - } -"#; -pub const JSON_SCHEMA_ATTR_SSH_PUBLICKEY: &str = r#" - { - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "SSH public keys of the object" - ], - "index": [], - "unique": [ - "false" - ], - "multivalue": [ - "true" - ], - "sync_allowed": [ - "true" - ], - "attributename": [ - "ssh_publickey" - ], - "syntax": [ - "SSHKEY" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000042" - ] - } - } -"#; -pub const JSON_SCHEMA_ATTR_PRIMARY_CREDENTIAL: &str = r#" - { - "attrs": { - "class": [ - 
"object", - "system", - "attributetype" - ], - "description": [ - "Primary credential material of the account for authentication interactively." - ], - "index": [ - "PRESENCE" - ], - "unique": [ - "false" - ], - "multivalue": [ - "false" - ], - "sync_allowed": [ - "true" - ], - "attributename": [ - "primary_credential" - ], - "syntax": [ - "CREDENTIAL" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000043" - ] - } - } -"#; -pub const JSON_SCHEMA_ATTR_LEGALNAME: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "The private and sensitive legal name of this person" - ], - "index": [ - "EQUALITY" - ], - "unique": [ - "false" - ], - "multivalue": [ - "false" - ], - "sync_allowed": [ - "true" - ], - "attributename": [ - "legalname" - ], - "syntax": [ - "UTF8STRING" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000050" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_NAME_HISTORY: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "The history of names that a person has had" - ], - "index": [ - "EQUALITY" - ], - "unique": [ - "false" - ], - "multivalue": [ - "true" - ], - "sync_allowed": [ - "true" - ], - "attributename": [ - "name_history" - ], - "syntax": [ - "AUDIT_LOG_STRING" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000133" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_RADIUS_SECRET: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "The accounts generated radius secret for device network authentication" - ], - "index": [], - "unique": [ - "false" - ], - "multivalue": [ - "false" - ], - "sync_allowed": [ - "true" - ], - "attributename": [ - "radius_secret" - ], - "syntax": [ - "SECRET_UTF8STRING" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000051" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_DOMAIN_NAME: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - 
"description": [ - "The domain's DNS name for webauthn and SPN generation purposes." - ], - "index": [ - "EQUALITY", - "PRESENCE" - ], - "unique": [ - "true" - ], - "multivalue": [ - "false" - ], - "attributename": [ - "domain_name" - ], - "syntax": [ - "UTF8STRING_INAME" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000053" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_DOMAIN_LDAP_BASEDN: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "The domain's optional ldap basedn. If unset defaults to domain components of domain name." - ], - "unique": [ - "true" - ], - "multivalue": [ - "false" - ], - "attributename": [ - "domain_ldap_basedn" - ], - "syntax": [ - "UTF8STRING_INSENSITIVE" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000131" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_DOMAIN_DISPLAY_NAME: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "The user-facing display name of the Kanidm domain." - ], - "index": [ - "EQUALITY" - ], - "unique": [ - "false" - ], - "multivalue": [ - "false" - ], - "attributename": [ - "domain_display_name" - ], - "syntax": [ - "UTF8STRING" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000098" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_DOMAIN_UUID: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "The domain's uuid, used in CSN and trust relationships." 
- ], - "index": [ - "EQUALITY" - ], - "unique": [ - "true" - ], - "multivalue": [ - "false" - ], - "attributename": [ - "domain_uuid" - ], - "syntax": [ - "UUID" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000054" - ] - } -}"#; -pub const JSON_SCHEMA_ATTR_DOMAIN_SSID: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "The domains site-wide SSID for device autoconfiguration of wireless" - ], - "index": [ - "EQUALITY" - ], - "unique": [ - "true" - ], - "multivalue": [ - "false" - ], - "attributename": [ - "domain_ssid" - ], - "syntax": [ - "UTF8STRING" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000055" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_DOMAIN_TOKEN_KEY: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "The domain token encryption private key (NOT USED)." - ], - "index": [], - "unique": [ - "false" - ], - "multivalue": [ - "false" - ], - "attributename": [ - "domain_token_key" - ], - "syntax": [ - "SECRET_UTF8STRING" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000088" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_FERNET_PRIVATE_KEY_STR: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "The token encryption private key." - ], - "index": [], - "unique": [ - "false" - ], - "multivalue": [ - "false" - ], - "attributename": [ - "fernet_private_key_str" - ], - "syntax": [ - "SECRET_UTF8STRING" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000095" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_GIDNUMBER: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "The groupid (uid) number of a group or account. This is the same value as the UID number on posix accounts for security reasons." 
- ], - "index": [ - "EQUALITY" - ], - "unique": [ - "true" - ], - "multivalue": [ - "false" - ], - "sync_allowed": [ - "true" - ], - "attributename": [ - "gidnumber" - ], - "syntax": [ - "UINT32" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000056" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_BADLIST_PASSWORD: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "A password that is badlisted meaning that it can not be set as a valid password by any user account." - ], - "index": [], - "unique": [ - "false" - ], - "multivalue": [ - "true" - ], - "attributename": [ - "badlist_password" - ], - "syntax": [ - "UTF8STRING_INSENSITIVE" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000059" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_LOGINSHELL: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "A posix users unix login shell" - ], - "index": [], - "unique": [ - "false" - ], - "multivalue": [ - "false" - ], - "sync_allowed": [ - "true" - ], - "attributename": [ - "loginshell" - ], - "syntax": [ - "UTF8STRING_INSENSITIVE" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000061" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_UNIX_PASSWORD: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "A posix users unix login password." 
- ], - "index": [ - "PRESENCE" - ], - "unique": [ - "false" - ], - "multivalue": [ - "false" - ], - "attributename": [ - "unix_password" - ], - "syntax": [ - "CREDENTIAL" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000062" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_NSUNIQUEID: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "A unique id compatibility for 389-ds/dsee" - ], - "index": [ - "EQUALITY" - ], - "unique": [ - "true" - ], - "multivalue": [ - "false" - ], - "sync_allowed": [ - "true" - ], - "attributename": [ - "nsuniqueid" - ], - "syntax": [ - "NSUNIQUEID" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000067" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_ACCOUNT_EXPIRE: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "The datetime after which this accounnt no longer may authenticate." - ], - "index": [], - "unique": [ - "false" - ], - "multivalue": [ - "false" - ], - "sync_allowed": [ - "true" - ], - "attributename": [ - "account_expire" - ], - "syntax": [ - "DATETIME" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000072" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_ACCOUNT_VALID_FROM: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "The datetime after which this account may commence authenticating." 
- ], - "index": [], - "unique": [ - "false" - ], - "multivalue": [ - "false" - ], - "sync_allowed": [ - "true" - ], - "attributename": [ - "account_valid_from" - ], - "syntax": [ - "DATETIME" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000073" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_OAUTH2_RS_NAME: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "The unique name of an external Oauth2 resource" - ], - "index": [ - "EQUALITY" - ], - "unique": [ - "true" - ], - "multivalue": [ - "false" - ], - "attributename": [ - "oauth2_rs_name" - ], - "syntax": [ - "UTF8STRING_INAME" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000080" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_OAUTH2_RS_ORIGIN: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "The origin domain of an oauth2 resource server" - ], - "index": [], - "unique": [ - "false" - ], - "multivalue": [ - "false" - ], - "attributename": [ - "oauth2_rs_origin" - ], - "syntax": [ - "URL" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000081" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_OAUTH2_RS_ORIGIN_LANDING: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "The landing page of an RS, that will automatically trigger the auth process." 
- ], - "index": [], - "unique": [ - "false" - ], - "multivalue": [ - "false" - ], - "attributename": [ - "oauth2_rs_origin_landing" - ], - "syntax": [ - "URL" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000120" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_OAUTH2_RS_SCOPE_MAP: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "A reference to a group mapped to scopes for the associated oauth2 resource server" - ], - "index": [ - "EQUALITY" - ], - "unique": [ - "false" - ], - "multivalue": [ - "true" - ], - "attributename": [ - "oauth2_rs_scope_map" - ], - "syntax": [ - "OAUTH_SCOPE_MAP" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000082" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_OAUTH2_RS_SUP_SCOPE_MAP: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "A reference to a group mapped to scopes for the associated oauth2 resource server" - ], - "index": [ - "EQUALITY" - ], - "unique": [ - "false" - ], - "multivalue": [ - "true" - ], - "attributename": [ - "oauth2_rs_sup_scope_map" - ], - "syntax": [ - "OAUTH_SCOPE_MAP" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000112" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_OAUTH2_RS_BASIC_SECRET: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "When using oauth2 basic authentication, the secret string of the resource server" - ], - "index": [], - "unique": [ - "false" - ], - "multivalue": [ - "false" - ], - "attributename": [ - "oauth2_rs_basic_secret" - ], - "syntax": [ - "SECRET_UTF8STRING" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000083" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_OAUTH2_RS_TOKEN_KEY: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "An oauth2 resource servers unique token signing key" - ], - "index": [], - "unique": [ - "false" - ], - "multivalue": [ - 
"false" - ], - "attributename": [ - "oauth2_rs_token_key" - ], - "syntax": [ - "SECRET_UTF8STRING" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000084" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_OAUTH2_RS_IMPLICIT_SCOPES: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "An oauth2 resource servers scopes that are implicitly granted to all users" - ], - "index": [], - "unique": [ - "false" - ], - "multivalue": [ - "true" - ], - "attributename": [ - "oauth2_rs_implicit_scopes" - ], - "syntax": [ - "OAUTH_SCOPE" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000089" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_OAUTH2_CONSENT_SCOPE_MAP: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "A set of scopes mapped from a relying server to a user, where the user has previously consented to the following. If changed or deleted, consent will be re-sought." - ], - "index": [ - "EQUALITY" - ], - "unique": [ - "false" - ], - "multivalue": [ - "true" - ], - "attributename": [ - "oauth2_consent_scope_map" - ], - "syntax": [ - "OAUTH_SCOPE_MAP" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000097" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_ES256_PRIVATE_KEY_DER: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "An es256 private key" - ], - "index": [], - "unique": [ - "false" - ], - "multivalue": [ - "false" - ], - "attributename": [ - "es256_private_key_der" - ], - "syntax": [ - "PRIVATE_BINARY" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000090" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_RS256_PRIVATE_KEY_DER: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "An rs256 private key" - ], - "index": [], - "unique": [ - "false" - ], - "multivalue": [ - "false" - ], - "attributename": [ - "rs256_private_key_der" - ], - "syntax": [ - 
"PRIVATE_BINARY" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000093" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_JWS_ES256_PRIVATE_KEY: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "An es256 private key for jws" - ], - "index": [ - "EQUALITY" - ], - "unique": [ - "true" - ], - "multivalue": [ - "false" - ], - "attributename": [ - "jws_es256_private_key" - ], - "syntax": [ - "JWS_KEY_ES256" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000110" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_PRIVATE_COOKIE_KEY: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "An private cookie hmac key" - ], - "index": [], - "unique": [ - "false" - ], - "multivalue": [ - "false" - ], - "attributename": [ - "private_cookie_key" - ], - "syntax": [ - "PRIVATE_BINARY" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000130" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_OAUTH2_ALLOW_INSECURE_CLIENT_DISABLE_PKCE: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "Allows disabling of pkce for insecure oauth2 clients" - ], - "index": [], - "unique": [ - "false" - ], - "multivalue": [ - "false" - ], - "attributename": [ - "oauth2_allow_insecure_client_disable_pkce" - ], - "syntax": [ - "BOOLEAN" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000091" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_OAUTH2_JWT_LEGACY_CRYPTO_ENABLE: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "Allows enabling legacy jwt cryptograhpy for clients" - ], - "index": [], - "unique": [ - "false" - ], - "multivalue": [ - "false" - ], - "attributename": [ - "oauth2_jwt_legacy_crypto_enable" - ], - "syntax": [ - "BOOLEAN" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000092" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_CREDENTIAL_UPDATE_INTENT_TOKEN: &str = r#"{ - "attrs": { - 
"class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "The status of a credential update intent token" - ], - "index": [ - "EQUALITY" - ], - "unique": [ - "false" - ], - "multivalue": [ - "true" - ], - "attributename": [ - "credential_update_intent_token" - ], - "syntax": [ - "INTENT_TOKEN" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000096" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_PASSKEYS: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "A set of registered passkeys" - ], - "index": [ - "EQUALITY" - ], - "unique": [ - "false" - ], - "multivalue": [ - "true" - ], - "sync_allowed": [ - "true" - ], - "attributename": [ - "passkeys" - ], - "syntax": [ - "PASSKEY" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000099" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_DEVICEKEYS: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "A set of registered device keys" - ], - "index": [ - "EQUALITY" - ], - "unique": [ - "false" - ], - "multivalue": [ - "true" - ], - "sync_allowed": [ - "true" - ], - "attributename": [ - "devicekeys" - ], - "syntax": [ - "DEVICEKEY" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000100" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_DYNGROUP_FILTER: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "A filter describing the set of entries to add to a dynamic group" - ], - "unique": [ - "false" - ], - "multivalue": [ - "false" - ], - "attributename": [ - "dyngroup_filter" - ], - "syntax": [ - "JSON_FILTER" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000108" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_OAUTH2_PREFER_SHORT_USERNAME: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "Use 'name' instead of 'spn' in the preferred_username claim" - ], - "index": [], - "unique": [ - "false" - ], 
- "multivalue": [ - "false" - ], - "attributename": [ - "oauth2_prefer_short_username" - ], - "syntax": [ - "BOOLEAN" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000109" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_API_TOKEN_SESSION: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "A session entry related to an issued api token" - ], - "index": [ - "EQUALITY" - ], - "unique": [ - "true" - ], - "multivalue": [ - "true" - ], - "attributename": [ - "api_token_session" - ], - "syntax": [ - "APITOKEN" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000111" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_USER_AUTH_TOKEN_SESSION: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "A session entry related to an issued user auth token" - ], - "index": [ - "EQUALITY" - ], - "unique": [ - "true" - ], - "multivalue": [ - "true" - ], - "attributename": [ - "user_auth_token_session" - ], - "syntax": [ - "SESSION" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000113" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_OAUTH2_SESSION: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "A session entry to an active oauth2 session, bound to a parent user auth token" - ], - "index": [ - "EQUALITY" - ], - "unique": [ - "false" - ], - "multivalue": [ - "true" - ], - "attributename": [ - "oauth2_session" - ], - "syntax": [ - "OAUTH2SESSION" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000117" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_SYNC_TOKEN_SESSION: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "A session entry related to an issued sync token" - ], - "index": [ - "EQUALITY" - ], - "unique": [ - "true" - ], - "multivalue": [ - "false" - ], - "attributename": [ - "sync_token_session" - ], - "syntax": [ - "APITOKEN" - ], - "uuid": [ - 
"00000000-0000-0000-0000-ffff00000115" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_SYNC_COOKIE: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "A private sync cookie for a remote IDM source" - ], - "index": [], - "unique": [ - "false" - ], - "multivalue": [ - "false" - ], - "attributename": [ - "sync_cookie" - ], - "syntax": [ - "PRIVATE_BINARY" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000116" - ] - } -}"#; - -pub const JSON_SCHEMA_ATTR_GRANT_UI_HINT: &str = r#"{ - "attrs": { - "class": [ - "object", - "system", - "attributetype" - ], - "description": [ - "A ui hint that is granted via membership to a group" - ], - "index": [ - "EQUALITY" - ], - "unique": [ - "false" - ], - "multivalue": [ - "true" - ], - "attributename": [ - "grant_ui_hint" - ], - "syntax": [ - "UIHINT" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000119" - ] - } -}"#; - -lazy_static! { - pub static ref E_SCHEMA_ATTR_SYNC_CREDENTIAL_PORTAL: EntryInitNew = entry_init!( - ("class", CLASS_OBJECT.clone()), - ("class", CLASS_SYSTEM.clone()), - ("class", CLASS_ATTRIBUTETYPE.clone()), - ( - "description", - Value::new_utf8s("The url of an external credential portal for synced accounts to visit to update their credentials.") - ), - ("unique", Value::Bool(false)), - ("multivalue", Value::Bool(false)), - ("attributename", Value::new_iutf8("sync_credential_portal")), - ("syntax", Value::Syntax(SyntaxType::Url)), - ("uuid", Value::Uuid(UUID_SCHEMA_ATTR_SYNC_CREDENTIAL_PORTAL)) - ); - - pub static ref E_SCHEMA_ATTR_SYNC_YIELD_AUTHORITY: EntryInitNew = entry_init!( - ("class", CLASS_OBJECT.clone()), - ("class", CLASS_SYSTEM.clone()), - ("class", CLASS_ATTRIBUTETYPE.clone()), - ( - "description", - Value::new_utf8s("A set of attributes that have their authority yielded to Kanidm in a sync agreement.") - ), - ("unique", Value::Bool(false)), - ("multivalue", Value::Bool(true)), - ("attributename", Value::new_iutf8("sync_yield_authority")), - 
("syntax", Value::Syntax(SyntaxType::Utf8StringInsensitive)), - ("uuid", Value::Uuid(UUID_SCHEMA_ATTR_SYNC_YIELD_AUTHORITY)) - ); +/// this turns a vector of &str into a vector of AttrString +macro_rules! attrstring_vec { + ($input:expr) => { + $input + .into_iter() + .map(|s| s.into()) + .collect::>() + }; } +lazy_static!( + +pub static ref SCHEMA_ATTR_DISPLAYNAME: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_DISPLAYNAME, + name: "displayname".into(), + description: "The publicly visible display name of this person".to_string(), + + index: vec![IndexType::Equality], + sync_allowed: true, + syntax: SyntaxType::Utf8String, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_MAIL: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_MAIL, + name: "mail".into(), + description: "mail addresses of the object".to_string(), + + index: vec![IndexType::Equality], + unique: true, + multivalue: true, + sync_allowed: true, + syntax: SyntaxType::EmailAddress, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_SSH_PUBLICKEY: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_SSH_PUBLICKEY, + name: "ssh_publickey".into(), + description: "SSH public keys of the object".to_string(), + + multivalue: true, + sync_allowed: true, + syntax: SyntaxType::SshKey, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_PRIMARY_CREDENTIAL: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_PRIMARY_CREDENTIAL, + name: "primary_credential".into(), + description: "Primary credential material of the account for authentication interactively.to_string().".to_string(), + + index: vec![IndexType::Presence], + sync_allowed: true, + syntax: SyntaxType::Credential, + ..Default::default() +}; +pub static ref SCHEMA_ATTR_LEGALNAME: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_LEGALNAME, + name: "legalname".into(), + description: "The private and sensitive legal name of this person".to_string(), + + index: vec![IndexType::Equality], + 
sync_allowed: true, + syntax: SyntaxType::Utf8String, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_NAME_HISTORY: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_NAME_HISTORY, + name: "name_history".into(), + description: "The history of names that a person has had".to_string(), + + index: vec![IndexType::Equality], + multivalue: true, + sync_allowed: true, + syntax: SyntaxType::AuditLogString, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_RADIUS_SECRET: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_RADIUS_SECRET, + name: "radius_secret".into(), + description: "The accounts generated radius secret for device network authentication".to_string(), + + sync_allowed: true, + syntax: SyntaxType::SecretUtf8String, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_DOMAIN_NAME: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_DOMAIN_NAME, + name: "domain_name".into(), + description: "The domain's DNS name for webauthn and SPN generation purposes.to_string().".to_string(), + + index: vec![IndexType::Equality, IndexType::Presence], + unique: true, + syntax: SyntaxType::Utf8StringIname, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_DOMAIN_LDAP_BASEDN: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_DOMAIN_LDAP_BASEDN, + name: "domain_ldap_basedn".into(), + description: + "The domain's optional ldap basedn. 
If unset defaults to domain components of domain name.".to_string(), + + unique: true, + syntax: SyntaxType::Utf8StringInsensitive, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_DOMAIN_DISPLAY_NAME: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_DOMAIN_DISPLAY_NAME, + name: "domain_display_name".into(), + description: "The user-facing display name of the Kanidm domain.to_string().".to_string(), + + index: vec![IndexType::Equality], + syntax: SyntaxType::Utf8String, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_DOMAIN_UUID: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_DOMAIN_UUID, + name: "domain_uuid".into(), + description: "The domain's uuid, used in CSN and trust relationships.to_string().".to_string(), + + index: vec![IndexType::Equality], + unique: true, + syntax: SyntaxType::Uuid, + ..Default::default() +}; +pub static ref SCHEMA_ATTR_DOMAIN_SSID: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_DOMAIN_SSID, + name: "domain_ssid".into(), + description: "The domains site-wide SSID for device autoconfiguration of wireless".to_string(), + + index: vec![IndexType::Equality], + unique: true, + syntax: SyntaxType::Utf8String, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_DOMAIN_TOKEN_KEY: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_DOMAIN_TOKEN_KEY, + name: "domain_token_key".into(), + description: "The domain token encryption private key (NOT USED).to_string().".to_string(), + + syntax: SyntaxType::SecretUtf8String, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_FERNET_PRIVATE_KEY_STR: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_FERNET_PRIVATE_KEY_STR, + name: "fernet_private_key_str".into(), + description: "The token encryption private key.to_string().".to_string(), + + syntax: SyntaxType::SecretUtf8String, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_GIDNUMBER: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_GIDNUMBER, + 
name: "gidnumber".into(), + description: "The groupid (uid) number of a group or account.to_string(). This is the same value as the UID number on posix accounts for security reasons.".to_string(), + + index: vec![IndexType::Equality], + unique: true, + sync_allowed: true, + syntax: SyntaxType::Uint32, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_BADLIST_PASSWORD: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_BADLIST_PASSWORD, + name: "badlist_password".into(), + description: "A password that is badlisted meaning that it can not be set as a valid password by any user account.to_string().".to_string(), + + multivalue: true, + syntax: SyntaxType::Utf8StringInsensitive, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_LOGINSHELL: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_LOGINSHELL, + name: "loginshell".into(), + description: "A POSIX user's UNIX login shell".to_string(), + + sync_allowed: true, + syntax: SyntaxType::Utf8StringInsensitive, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_UNIX_PASSWORD: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_UNIX_PASSWORD, + name: "unix_password".into(), + description: "A POSIX user's UNIX login password.to_string().".to_string(), + + index: vec![IndexType::Presence], + syntax: SyntaxType::Credential, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_NSUNIQUEID: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_NSUNIQUEID, + name: "nsuniqueid".into(), + description: "A unique id compatibility for 389-ds/dsee".to_string(), + + index: vec![IndexType::Equality], + unique: true, + sync_allowed: true, + syntax: SyntaxType::NsUniqueId, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_ACCOUNT_EXPIRE: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_ACCOUNT_EXPIRE, + name: "account_expire".into(), + description: "The datetime after which this accounnt no longer may authenticate.to_string().".to_string(), + + sync_allowed: 
true, + syntax: SyntaxType::DateTime, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_ACCOUNT_VALID_FROM: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_ACCOUNT_VALID_FROM, + name: "account_valid_from".into(), + description: "The datetime after which this account may commence authenticating.to_string().".to_string(), + + sync_allowed: true, + syntax: SyntaxType::DateTime, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_OAUTH2_RS_NAME: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_OAUTH2_RS_NAME, + name: "oauth2_rs_name".into(), + description: "The unique name of an external Oauth2 resource".to_string(), + + index: vec![IndexType::Equality], + unique: true, + syntax: SyntaxType::Utf8StringIname, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_OAUTH2_RS_ORIGIN: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_OAUTH2_RS_ORIGIN, + name: "oauth2_rs_origin".into(), + description: "The origin domain of an oauth2 resource server".to_string(), + + syntax: SyntaxType::Url, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_OAUTH2_RS_ORIGIN_LANDING: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_OAUTH2_RS_ORIGIN_LANDING, + name: "oauth2_rs_origin_landing".into(), + description: "The landing page of an RS, that will automatically trigger the auth process.to_string().".to_string(), + + syntax: SyntaxType::Url, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_OAUTH2_RS_SCOPE_MAP: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_OAUTH2_RS_SCOPE_MAP, + name: "oauth2_rs_scope_map".into(), + description: + "A reference to a group mapped to scopes for the associated oauth2 resource server".to_string(), + + index: vec![IndexType::Equality], + multivalue: true, + syntax: SyntaxType::OauthScopeMap, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_OAUTH2_RS_SUP_SCOPE_MAP: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_OAUTH2_RS_SUP_SCOPE_MAP, + name: 
"oauth2_rs_sup_scope_map".into(), + description: + "A reference to a group mapped to scopes for the associated oauth2 resource server".to_string(), + + index: vec![IndexType::Equality], + multivalue: true, + syntax: SyntaxType::OauthScopeMap, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_OAUTH2_RS_BASIC_SECRET: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_OAUTH2_RS_BASIC_SECRET, + name: "oauth2_rs_basic_secret".into(), + description: "When using oauth2 basic authentication, the secret string of the resource server".to_string(), + + syntax: SyntaxType::SecretUtf8String, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_OAUTH2_RS_TOKEN_KEY: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_OAUTH2_RS_TOKEN_KEY, + name: "oauth2_rs_token_key".into(), + description: "An oauth2 resource servers unique token signing key".to_string(), + + syntax: SyntaxType::SecretUtf8String, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_OAUTH2_RS_IMPLICIT_SCOPES: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_OAUTH2_RS_IMPLICIT_SCOPES, + name: "oauth2_rs_implicit_scopes".into(), + description: "An oauth2 resource servers scopes that are implicitly granted to all users".to_string(), + + multivalue: true, + syntax: SyntaxType::OauthScope, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_OAUTH2_CONSENT_SCOPE_MAP: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_OAUTH2_CONSENT_SCOPE_MAP, + name: "oauth2_consent_scope_map".into(), + description: "A set of scopes mapped from a relying server to a user, where the user has previously consented to the following. 
If changed or deleted, consent will be re-sought.".to_string(), + + index: vec![IndexType::Equality], + multivalue: true, + syntax: SyntaxType::OauthScopeMap, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_ES256_PRIVATE_KEY_DER: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_ES256_PRIVATE_KEY_DER, + name: "es256_private_key_der".into(), + description: "An es256 private key".to_string(), + + syntax: SyntaxType::PrivateBinary, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_RS256_PRIVATE_KEY_DER: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_RS256_PRIVATE_KEY_DER, + name: "rs256_private_key_der".into(), + description: "An rs256 private key".to_string(), + + syntax: SyntaxType::PrivateBinary, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_JWS_ES256_PRIVATE_KEY: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_JWS_ES256_PRIVATE_KEY, + name: "jws_es256_private_key".into(), + description: "An es256 private key for jws".to_string(), + + index: vec![IndexType::Equality], + unique: true, + syntax: SyntaxType::JwsKeyEs256, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_PRIVATE_COOKIE_KEY: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_PRIVATE_COOKIE_KEY, + name: "private_cookie_key".into(), + description: "An private cookie hmac key".to_string(), + + syntax: SyntaxType::PrivateBinary, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_OAUTH2_ALLOW_INSECURE_CLIENT_DISABLE_PKCE: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_OAUTH2_ALLOW_INSECURE_CLIENT_DISABLE_PKCE, + name: "oauth2_allow_insecure_client_disable_pkce".into(), + description: "Allows disabling of PKCE for insecure OAuth2 clients".to_string(), + + syntax: SyntaxType::Boolean, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_OAUTH2_JWT_LEGACY_CRYPTO_ENABLE: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_OAUTH2_JWT_LEGACY_CRYPTO_ENABLE, + name: 
"oauth2_jwt_legacy_crypto_enable".into(), + description: "Allows enabling legacy JWT cryptograhpy for clients".to_string(), + + syntax: SyntaxType::Boolean, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_CREDENTIAL_UPDATE_INTENT_TOKEN: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_CREDENTIAL_UPDATE_INTENT_TOKEN, + name: "credential_update_intent_token".into(), + description: "The status of a credential update intent token".to_string(), + + index: vec![IndexType::Equality], + multivalue: true, + syntax: SyntaxType::IntentToken, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_PASSKEYS: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_PASSKEYS, + name: "passkeys".into(), + description: "A set of registered passkeys".to_string(), + + index: vec![IndexType::Equality], + multivalue: true, + sync_allowed: true, + syntax: SyntaxType::Passkey, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_DEVICEKEYS: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_DEVICEKEYS, + name: "devicekeys".into(), + description: "A set of registered device keys".to_string(), + + index: vec![IndexType::Equality], + multivalue: true, + sync_allowed: true, + syntax: SyntaxType::DeviceKey, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_DYNGROUP_FILTER: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_DYNGROUP_FILTER, + name: "dyngroup_filter".into(), + description: "A filter describing the set of entries to add to a dynamic group".to_string(), + + syntax: SyntaxType::JsonFilter, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_OAUTH2_PREFER_SHORT_USERNAME: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_OAUTH2_PREFER_SHORT_USERNAME, + name: "oauth2_prefer_short_username".into(), + description: "Use 'name' instead of 'spn' in the preferred_username claim".to_string(), + + syntax: SyntaxType::Boolean, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_API_TOKEN_SESSION: SchemaAttribute = 
SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_API_TOKEN_SESSION, + name: "api_token_session".into(), + description: "A session entry related to an issued API token".to_string(), + + index: vec![IndexType::Equality], + unique: true, + multivalue: true, + syntax: SyntaxType::ApiToken, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_USER_AUTH_TOKEN_SESSION: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_USER_AUTH_TOKEN_SESSION, + name: "user_auth_token_session".into(), + description: "A session entry related to an issued user auth token".to_string(), + + index: vec![IndexType::Equality], + unique: true, + multivalue: true, + syntax: SyntaxType::Session, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_OAUTH2_SESSION: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_OAUTH2_SESSION, + name: "oauth2_session".into(), + description: "A session entry to an active oauth2 session, bound to a parent user auth token".to_string(), + + index: vec![IndexType::Equality], + multivalue: true, + syntax: SyntaxType::Oauth2Session, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_SYNC_TOKEN_SESSION: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_SYNC_TOKEN_SESSION, + name: "sync_token_session".into(), + description: "A session entry related to an issued sync token".to_string(), + + index: vec![IndexType::Equality], + unique: true, + syntax: SyntaxType::ApiToken, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_SYNC_COOKIE: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_SYNC_COOKIE, + name: "sync_cookie".into(), + description: "A private sync cookie for a remote IDM source".to_string(), + + syntax: SyntaxType::PrivateBinary, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_GRANT_UI_HINT: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_GRANT_UI_HINT, + name: "grant_ui_hint".into(), + description: "A UI hint that is granted via membership to a group".to_string(), + + index: 
vec![IndexType::Equality], + multivalue: true, + syntax: SyntaxType::UiHint, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_SYNC_CREDENTIAL_PORTAL: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_SYNC_CREDENTIAL_PORTAL, + name: "sync_credential_portal".into(), + description: "The url of an external credential portal for synced accounts to visit to update their credentials.to_string().".to_string(), + + syntax: SyntaxType::Url, + ..Default::default() +}; + +pub static ref SCHEMA_ATTR_SYNC_YIELD_AUTHORITY: SchemaAttribute = SchemaAttribute { + uuid: UUID_SCHEMA_ATTR_SYNC_YIELD_AUTHORITY, + name: "sync_yield_authority".into(), + description: "A set of attributes that have their authority yielded to Kanidm in a sync agreement.to_string().".to_string(), + + multivalue: true, + syntax: SyntaxType::Utf8StringInsensitive, + ..Default::default() +}; + // === classes === -pub const JSON_SCHEMA_CLASS_PERSON: &str = r#" - { - "attrs": { - "class": [ - "object", - "system", - "classtype" - ], - "description": [ - "Object representation of a person" - ], - "sync_allowed": [ - "true" - ], - "classname": [ - "person" - ], - "systemmay": [ - "mail", - "legalname" - ], - "systemmust": [ - "displayname", - "name" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000044" - ] - } - } -"#; +pub static ref SCHEMA_CLASS_PERSON: SchemaClass = SchemaClass { + uuid: UUID_SCHEMA_CLASS_PERSON, + name: "person".into(), + description: "Object representation of a person".to_string(), -pub const JSON_SCHEMA_CLASS_ORGPERSON: &str = r#" - { - "attrs": { - "class": [ - "object", - "system", - "classtype" - ], - "description": [ - "Object representation of an org person" - ], - "classname": [ - "orgperson" - ], - "systemmay": [ - "legalname" - ], - "systemmust": [ - "mail", - "displayname", - "name" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000094" - ] - } - } -"#; + sync_allowed: true, + systemmay: attrstring_vec!(["mail", "legalname"]), + systemmust: 
attrstring_vec!(["displayname", "name"]), + ..Default::default() +}; -pub const JSON_SCHEMA_CLASS_GROUP: &str = r#" - { - "attrs": { - "class": [ - "object", - "system", - "classtype" - ], - "description": [ - "Object representation of a group" - ], - "sync_allowed": [ - "true" - ], - "classname": [ - "group" - ], - "systemmay": [ - "member", - "grant_ui_hint", - "description" - ], - "systemmust": [ - "name", - "spn" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000045" - ] - } - } -"#; +pub static ref SCHEMA_CLASS_ORGPERSON: SchemaClass = SchemaClass { + uuid: UUID_SCHEMA_CLASS_ORGPERSON, + name: "orgperson".into(), + description: "Object representation of an org person".to_string(), -pub const JSON_SCHEMA_CLASS_DYNGROUP: &str = r#" - { - "attrs": { - "class": [ - "object", - "system", - "classtype" - ], - "description": [ - "Object representation of a dynamic group" - ], - "classname": [ - "dyngroup" - ], - "systemmust": [ - "dyngroup_filter" - ], - "systemmay": [ - "dynmember" - ], - "systemsupplements": [ - "group" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000107" - ] - } - } -"#; + systemmay: attrstring_vec!(["legalname"]), + systemmust: attrstring_vec!(["mail", "displayname", "name"]), + ..Default::default() +}; -pub const JSON_SCHEMA_CLASS_ACCOUNT: &str = r#" - { - "attrs": { - "class": [ - "object", - "system", - "classtype" - ], - "description": [ - "Object representation of a account" - ], - "sync_allowed": [ - "true" - ], - "classname": [ - "account" - ], - "systemmay": [ +pub static ref SCHEMA_CLASS_GROUP: SchemaClass = SchemaClass { + uuid: UUID_SCHEMA_CLASS_GROUP, + name: "group".into(), + description: "Object representation of a group".to_string(), + + sync_allowed: true, + systemmay: attrstring_vec!(["member", "grant_ui_hint", "description"]), + systemmust: attrstring_vec!(["name", "spn"]), + ..Default::default() +}; + +pub static ref SCHEMA_CLASS_DYNGROUP: SchemaClass = SchemaClass { + uuid: UUID_SCHEMA_CLASS_DYNGROUP, + name: 
"dyngroup".into(), + description: "Object representation of a dynamic group".to_string(), + + systemmust: attrstring_vec!(["dyngroup_filter"]), + systemmay: attrstring_vec!(["dynmember"]), + systemsupplements: attrstring_vec!(["group"]), + ..Default::default() +}; + +pub static ref SCHEMA_CLASS_ACCOUNT: SchemaClass = SchemaClass { + uuid: UUID_SCHEMA_CLASS_ACCOUNT, + name: "account".into(), + description: "Object representation of an account".to_string(), + + sync_allowed: true, + systemmay: attrstring_vec!([ "primary_credential", "passkeys", "devicekeys", 
@@ -1651,115 +594,57 @@ pub const JSON_SCHEMA_CLASS_ACCOUNT: &str = r#" "user_auth_token_session", "oauth2_session", "description", - "name_history" - ], - "systemmust": [ - "displayname", - "name", - "spn" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000046" - ], - "systemsupplements": [ - "person", - "service_account" - ] - } - } -"#; + "name_history", + ]), + systemmust: attrstring_vec!(["displayname", "name", "spn"]), + systemsupplements: attrstring_vec!(["person", "service_account"]), + ..Default::default() +}; -pub const JSON_SCHEMA_CLASS_SERVICE_ACCOUNT: &str = r#" - { - "attrs": { - "class": [ - "object", - "system", - "classtype" - ], - "description": [ - "Object representation of service account" - ], - "sync_allowed": [ - "true" - ], - "classname": [ - "service_account" - ], - "systemmay": [ +pub static ref SCHEMA_CLASS_SERVICE_ACCOUNT: SchemaClass = SchemaClass { + uuid: UUID_SCHEMA_CLASS_SERVICE_ACCOUNT, + name: "service_account".into(), + description: "Object representation of service account".to_string(), + + sync_allowed: true, + systemmay: attrstring_vec!([ "mail", "primary_credential", "jws_es256_private_key", - "api_token_session" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000106" - ], - "systemexcludes": [ - "person" - ] - } - } -"#; + "api_token_session", + ]), + systemexcludes: attrstring_vec!(["person"]), + ..Default::default() +}; -pub const JSON_SCHEMA_CLASS_SYNC_ACCOUNT: &str = r#" - { - "attrs": { - "class": [ - "object", - "system", - "classtype" - ], - "description": [ - "Object representation of sync account" - ], - "classname": [ - "sync_account" - ], - "systemmust": [ - "name", - "jws_es256_private_key" - ], - "systemmay": [ +pub static ref SCHEMA_CLASS_SYNC_ACCOUNT: SchemaClass = SchemaClass { + uuid: UUID_SCHEMA_CLASS_SYNC_ACCOUNT, + name: "sync_account".into(), + description: "Object representation of sync account".to_string(), + + systemmust: attrstring_vec!(["name", "jws_es256_private_key"]), + systemmay: 
attrstring_vec!([ "sync_token_session", "sync_cookie", "sync_credential_portal", - "sync_yield_authority" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000114" - ], - "systemexcludes": [ - "account" - ] - } - } -"#; + "sync_yield_authority", + ]), + systemexcludes: attrstring_vec!(["account"]), + ..Default::default() +}; // domain_info type // domain_uuid // domain_name <- should be the dns name? // domain_ssid <- for radius // -pub const JSON_SCHEMA_CLASS_DOMAIN_INFO: &str = r#" - { - "attrs": { - "class": [ - "object", - "system", - "classtype" - ], - "description": [ - "Local domain information and partial configuration." - ], - "classname": [ - "domain_info" - ], - "systemmay": [ - "domain_ssid", - "domain_ldap_basedn" - ], - "systemmust": [ +pub static ref SCHEMA_CLASS_DOMAIN_INFO: SchemaClass = SchemaClass { + uuid: UUID_SCHEMA_CLASS_DOMAIN_INFO, + name: "domain_info".into(), + description: "Local domain information and partial configuration.to_string().".to_string(), + + systemmay: attrstring_vec!(["domain_ssid", "domain_ldap_basedn"]), + systemmust: attrstring_vec!([ "name", "domain_uuid", "domain_name", 
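Review bot: The description literal for SCHEMA_CLASS_DOMAIN_INFO at the end of this hunk carries a mangled search-and-replace: `"Local domain information and partial configuration.to_string().".to_string()` puts the text `.to_string().` inside the string that becomes the stored class description (and is presumably what admins and API clients see); it should read `description: "Local domain information and partial configuration.".to_string(),`. The same artefact appears on SCHEMA_CLASS_SYSTEM_CONFIG in the next hunk and on about a dozen attribute descriptions in the first hunk of this file (domain_display_name, domain_uuid, domain_token_key, fernet_private_key_str, gidnumber, badlist_password, unix_password, account_expire, account_valid_from, oauth2_rs_origin_landing, sync_credential_portal, sync_yield_authority). A unit test asserting that no built-in schema description contains `.to_string()` would stop this recurring the next time the constants are bulk-edited. The SCHEMA_CLASS_DOMAIN_INFO initializer continues past the end of the hunk.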
@@ -1767,169 +652,86 @@ pub const JSON_SCHEMA_CLASS_DOMAIN_INFO: &str = r#" "fernet_private_key_str", "es256_private_key_der", "private_cookie_key", - "version" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000052" - ] - } - } -"#; + "version", + ]), + ..Default::default() +}; -pub const JSON_SCHEMA_CLASS_POSIXGROUP: &str = r#" - { - "attrs": { - "class": [ - "object", - "system", - "classtype" - ], - "description": [ - "Object representation of a posix group, requires group" - ], - "sync_allowed": [ - "true" - ], - "classname": [ - "posixgroup" - ], - "systemmust": [ - "gidnumber" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000058" - ], - "systemsupplements": [ - "group" - ] - } - } -"#; +pub static ref SCHEMA_CLASS_POSIXGROUP: SchemaClass = SchemaClass { + uuid: UUID_SCHEMA_CLASS_POSIXGROUP, + name: "posixgroup".into(), + description: "Object representation of a posix group, requires group".to_string(), -pub const JSON_SCHEMA_CLASS_POSIXACCOUNT: &str = r#" - { - "attrs": { - "class": [ - "object", - "system", - "classtype" - ], - "description": [ - "Object representation of a posix account, requires account" - ], - "sync_allowed": [ - "true" - ], - "classname": [ - "posixaccount" - ], - "systemmay": [ - "loginshell", - "unix_password" - ], - "systemmust": [ - "gidnumber" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000057" - ], - "systemsupplements": [ - "account" - ] - } - } -"#; + sync_allowed: true, + systemmust: attrstring_vec!(["gidnumber"]), + systemsupplements: attrstring_vec!(["group"]), + ..Default::default() +}; -pub const JSON_SCHEMA_CLASS_SYSTEM_CONFIG: &str = r#" - { - "attrs": { - "class": [ - "object", - "system", - "classtype" - ], - "description": [ - "The class representing a system (topologies) configuration options." 
- ], - "classname": [ - "system_config" - ], - "systemmay": [ - "description", - "badlist_password" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000060" - ] - } - } -"#; +pub static ref SCHEMA_CLASS_POSIXACCOUNT: SchemaClass = SchemaClass { + uuid: UUID_SCHEMA_CLASS_POSIXACCOUNT, + name: "posixaccount".into(), + description: "Object representation of a posix account, requires account".to_string(), -pub const JSON_SCHEMA_CLASS_OAUTH2_RS: &str = r#" - { - "attrs": { - "class": [ - "object", - "system", - "classtype" - ], - "description": [ - "The class representing a configured Oauth2 Resource Server" - ], - "classname": [ - "oauth2_resource_server" - ], - "systemmay": [ + sync_allowed: true, + systemmay: attrstring_vec!(["loginshell", "unix_password"]), + systemmust: attrstring_vec!(["gidnumber"]), + systemsupplements: attrstring_vec!(["account"]), + ..Default::default() +}; + +pub static ref SCHEMA_CLASS_SYSTEM_CONFIG: SchemaClass = SchemaClass { + uuid: UUID_SCHEMA_CLASS_SYSTEM_CONFIG, + name: "system_config".into(), + description: "The class representing a system (topologies) configuration options.to_string().".to_string(), + + systemmay: attrstring_vec!(["description", "badlist_password"]), + ..Default::default() +}; + +pub static ref SCHEMA_CLASS_OAUTH2_RS: SchemaClass = SchemaClass { + uuid: UUID_SCHEMA_CLASS_OAUTH2_RS, + name: "oauth2_resource_server".into(), + description: "The class representing a configured Oauth2 Resource Server".to_string(), + + systemmay: attrstring_vec!([ "description", "oauth2_rs_scope_map", "oauth2_rs_sup_scope_map", "rs256_private_key_der", "oauth2_jwt_legacy_crypto_enable", "oauth2_prefer_short_username", - "oauth2_rs_origin_landing" - ], - "systemmust": [ + "oauth2_rs_origin_landing", + ]), + systemmust: attrstring_vec!([ "oauth2_rs_name", "displayname", "oauth2_rs_origin", "oauth2_rs_token_key", - "es256_private_key_der" - ], - "uuid": [ - "00000000-0000-0000-0000-ffff00000085" - ] - } - } -"#; + "es256_private_key_der", + 
]), + ..Default::default() +}; -lazy_static! { - pub static ref E_SCHEMA_CLASS_OAUTH2_RS_BASIC: EntryInitNew = entry_init!( - ("class", CLASS_OBJECT.clone()), - ("class", CLASS_SYSTEM.clone()), - ("class", CLASS_CLASSTYPE.clone()), - ( - "description", - Value::new_utf8s( - "The class representing a configured Oauth2 Resource Server authenticated with http basic authentication"), - ), - ("classname", Value::new_iutf8("oauth2_resource_server_basic")), - ("systemmay", Value::new_iutf8("oauth2_allow_insecure_client_disable_pkce")), - ("systemmust", Value::new_iutf8("oauth2_rs_basic_secret")), - ("systemexcludes", Value::new_iutf8("oauth2_resource_server_public")), - ("uuid", Value::Uuid(UUID_SCHEMA_CLASS_OAUTH2_RS_BASIC)) - ); +pub static ref SCHEMA_CLASS_OAUTH2_RS_BASIC: SchemaClass = SchemaClass { + uuid: UUID_SCHEMA_CLASS_OAUTH2_RS_BASIC, + name: "oauth2_resource_server_basic".into(), + description: "The class representing a configured Oauth2 Resource Server authenticated with http basic authentication".to_string(), - pub static ref E_SCHEMA_CLASS_OAUTH2_RS_PUBLIC: EntryInitNew = entry_init!( - ("class", CLASS_OBJECT.clone()), - ("class", CLASS_SYSTEM.clone()), - ("class", CLASS_CLASSTYPE.clone()), - ( - "description", - Value::new_utf8s( - "The class representing a configured Oauth2 Resource Server with public clients and pkce verification"), - ), - ("classname", Value::new_iutf8("oauth2_resource_server_public")), - ("systemexcludes", Value::new_iutf8("oauth2_resource_server_basic")), - ("uuid", Value::Uuid(UUID_SCHEMA_CLASS_OAUTH2_RS_PUBLIC)) - ); -} + systemmay: attrstring_vec!([ "oauth2_allow_insecure_client_disable_pkce"]), + systemmust: attrstring_vec!([ "oauth2_rs_basic_secret"]), + systemexcludes: attrstring_vec!([ "oauth2_resource_server_public"]), + ..Default::default() +}; + + +pub static ref SCHEMA_CLASS_OAUTH2_RS_PUBLIC: SchemaClass = SchemaClass { + uuid: UUID_SCHEMA_CLASS_OAUTH2_RS_PUBLIC, + name: "oauth2_resource_server_public".into(), + + 
description: "The class representing a configured Oauth2 Resource Server with public clients and pkce verification".to_string(), + systemexcludes: attrstring_vec!(["oauth2_resource_server_basic"]), + ..Default::default() +}; + +); diff --git a/server/lib/src/constants/uuids.rs b/server/lib/src/constants/uuids.rs index 5447a5caa..9ab34cdcd 100644 --- a/server/lib/src/constants/uuids.rs +++ b/server/lib/src/constants/uuids.rs @@ -59,7 +59,7 @@ pub const UUID_IDM_UI_ENABLE_EXPERIMENTAL_FEATURES: Uuid = pub const UUID_IDM_ACCOUNT_MAIL_READ_PRIV: Uuid = uuid!("00000000-0000-0000-0000-000000000039"); // -pub const _UUID_IDM_HIGH_PRIVILEGE: Uuid = uuid!("00000000-0000-0000-0000-000000001000"); +pub const UUID_IDM_HIGH_PRIVILEGE: Uuid = uuid!("00000000-0000-0000-0000-000000001000"); // Builtin schema pub const UUID_SCHEMA_ATTR_CLASS: Uuid = uuid!("00000000-0000-0000-0000-ffff00000000"); 
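Review bot: The two OAuth2 class definitions at the end of this hunk are laid out differently from every other SchemaClass in the file: `attrstring_vec!([ "oauth2_allow_insecure_client_disable_pkce"])` has a stray space after the opening bracket (likewise on the `systemmust` and `systemexcludes` lines below it), SCHEMA_CLASS_OAUTH2_RS_PUBLIC has a blank line between `name:` and `description:`, and two blank lines precede it. Because these initializers live inside a macro invocation, rustfmt will most likely leave them untouched, so they should be tidied by hand to the `uuid`/`name`/`description`, blank line, then flags shape used above. It would also be worth a one-line comment beside SCHEMA_CLASS_OAUTH2_RS_BASIC noting that its `systemexcludes` and the matching entry on SCHEMA_CLASS_OAUTH2_RS_PUBLIC are a deliberate pair (presumably what keeps a resource server from being both basic-secret and public/PKCE), since with the structs now split apart it is easy to edit one side and not the other. The closing `);` on the last line belongs to an enclosing macro whose start is outside this hunk.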
@@ -110,81 +110,79 @@ pub const UUID_SCHEMA_CLASS_ACCESS_CONTROL_MODIFY: Uuid = pub const UUID_SCHEMA_CLASS_ACCESS_CONTROL_CREATE: Uuid = uuid!("00000000-0000-0000-0000-ffff00000038"); pub const UUID_SCHEMA_CLASS_SYSTEM: Uuid = uuid!("00000000-0000-0000-0000-ffff00000039"); -pub const _UUID_SCHEMA_ATTR_DISPLAYNAME: Uuid = uuid!("00000000-0000-0000-0000-ffff00000040"); -pub const _UUID_SCHEMA_ATTR_MAIL: Uuid = uuid!("00000000-0000-0000-0000-ffff00000041"); -pub const _UUID_SCHEMA_ATTR_SSH_PUBLICKEY: Uuid = uuid!("00000000-0000-0000-0000-ffff00000042"); -pub const _UUID_SCHEMA_ATTR_PRIMARY_CREDENTIAL: Uuid = - uuid!("00000000-0000-0000-0000-ffff00000043"); -pub const _UUID_SCHEMA_CLASS_PERSON: Uuid = uuid!("00000000-0000-0000-0000-ffff00000044"); -pub const _UUID_SCHEMA_CLASS_GROUP: Uuid = uuid!("00000000-0000-0000-0000-ffff00000045"); -pub const _UUID_SCHEMA_CLASS_ACCOUNT: Uuid = uuid!("00000000-0000-0000-0000-ffff00000046"); +pub const UUID_SCHEMA_ATTR_DISPLAYNAME: Uuid = uuid!("00000000-0000-0000-0000-ffff00000040"); +pub const UUID_SCHEMA_ATTR_MAIL: Uuid = uuid!("00000000-0000-0000-0000-ffff00000041"); +pub const UUID_SCHEMA_ATTR_SSH_PUBLICKEY: Uuid = uuid!("00000000-0000-0000-0000-ffff00000042"); +pub const UUID_SCHEMA_ATTR_PRIMARY_CREDENTIAL: Uuid = uuid!("00000000-0000-0000-0000-ffff00000043"); +pub const UUID_SCHEMA_CLASS_PERSON: Uuid = uuid!("00000000-0000-0000-0000-ffff00000044"); +pub const UUID_SCHEMA_CLASS_GROUP: Uuid = uuid!("00000000-0000-0000-0000-ffff00000045"); +pub const UUID_SCHEMA_CLASS_ACCOUNT: Uuid = uuid!("00000000-0000-0000-0000-ffff00000046"); // GAP - 47 pub const UUID_SCHEMA_ATTR_ATTRIBUTENAME: Uuid = uuid!("00000000-0000-0000-0000-ffff00000048"); pub const UUID_SCHEMA_ATTR_CLASSNAME: Uuid = uuid!("00000000-0000-0000-0000-ffff00000049"); -pub const _UUID_SCHEMA_ATTR_LEGALNAME: Uuid = uuid!("00000000-0000-0000-0000-ffff00000050"); -pub const _UUID_SCHEMA_ATTR_RADIUS_SECRET: Uuid = uuid!("00000000-0000-0000-0000-ffff00000051"); -pub const 
_UUID_SCHEMA_CLASS_DOMAIN_INFO: Uuid = uuid!("00000000-0000-0000-0000-ffff00000052"); -pub const _UUID_SCHEMA_ATTR_DOMAIN_NAME: Uuid = uuid!("00000000-0000-0000-0000-ffff00000053"); -pub const _UUID_SCHEMA_ATTR_DOMAIN_UUID: Uuid = uuid!("00000000-0000-0000-0000-ffff00000054"); -pub const _UUID_SCHEMA_ATTR_DOMAIN_SSID: Uuid = uuid!("00000000-0000-0000-0000-ffff00000055"); -pub const _UUID_SCHEMA_ATTR_GIDNUMBER: Uuid = uuid!("00000000-0000-0000-0000-ffff00000056"); -pub const _UUID_SCHEMA_CLASS_POSIXACCOUNT: Uuid = uuid!("00000000-0000-0000-0000-ffff00000057"); -pub const _UUID_SCHEMA_CLASS_POSIXGROUP: Uuid = uuid!("00000000-0000-0000-0000-ffff00000058"); -pub const _UUID_SCHEMA_ATTR_BADLIST_PASSWORD: Uuid = uuid!("00000000-0000-0000-0000-ffff00000059"); +pub const UUID_SCHEMA_ATTR_LEGALNAME: Uuid = uuid!("00000000-0000-0000-0000-ffff00000050"); +pub const UUID_SCHEMA_ATTR_RADIUS_SECRET: Uuid = uuid!("00000000-0000-0000-0000-ffff00000051"); +pub const UUID_SCHEMA_CLASS_DOMAIN_INFO: Uuid = uuid!("00000000-0000-0000-0000-ffff00000052"); +pub const UUID_SCHEMA_ATTR_DOMAIN_NAME: Uuid = uuid!("00000000-0000-0000-0000-ffff00000053"); +pub const UUID_SCHEMA_ATTR_DOMAIN_UUID: Uuid = uuid!("00000000-0000-0000-0000-ffff00000054"); +pub const UUID_SCHEMA_ATTR_DOMAIN_SSID: Uuid = uuid!("00000000-0000-0000-0000-ffff00000055"); +pub const UUID_SCHEMA_ATTR_GIDNUMBER: Uuid = uuid!("00000000-0000-0000-0000-ffff00000056"); +pub const UUID_SCHEMA_CLASS_POSIXACCOUNT: Uuid = uuid!("00000000-0000-0000-0000-ffff00000057"); +pub const UUID_SCHEMA_CLASS_POSIXGROUP: Uuid = uuid!("00000000-0000-0000-0000-ffff00000058"); +pub const UUID_SCHEMA_ATTR_BADLIST_PASSWORD: Uuid = uuid!("00000000-0000-0000-0000-ffff00000059"); pub const UUID_SCHEMA_CLASS_SYSTEM_CONFIG: Uuid = uuid!("00000000-0000-0000-0000-ffff00000060"); -pub const _UUID_SCHEMA_ATTR_LOGINSHELL: Uuid = uuid!("00000000-0000-0000-0000-ffff00000061"); -pub const _UUID_SCHEMA_ATTR_UNIX_PASSWORD: Uuid = 
uuid!("00000000-0000-0000-0000-ffff00000062"); +pub const UUID_SCHEMA_ATTR_LOGINSHELL: Uuid = uuid!("00000000-0000-0000-0000-ffff00000061"); +pub const UUID_SCHEMA_ATTR_UNIX_PASSWORD: Uuid = uuid!("00000000-0000-0000-0000-ffff00000062"); pub const UUID_SCHEMA_ATTR_LAST_MOD_CID: Uuid = uuid!("00000000-0000-0000-0000-ffff00000063"); pub const UUID_SCHEMA_ATTR_PHANTOM: Uuid = uuid!("00000000-0000-0000-0000-ffff00000064"); pub const UUID_SCHEMA_ATTR_CLAIM: Uuid = uuid!("00000000-0000-0000-0000-ffff00000065"); pub const UUID_SCHEMA_ATTR_PASSWORD_IMPORT: Uuid = uuid!("00000000-0000-0000-0000-ffff00000066"); -pub const _UUID_SCHEMA_ATTR_NSUNIQUEID: Uuid = uuid!("00000000-0000-0000-0000-ffff00000067"); +pub const UUID_SCHEMA_ATTR_NSUNIQUEID: Uuid = uuid!("00000000-0000-0000-0000-ffff00000067"); pub const UUID_SCHEMA_ATTR_DN: Uuid = uuid!("00000000-0000-0000-0000-ffff00000068"); -pub const _UUID_SCHEMA_ATTR_NICE: Uuid = uuid!("00000000-0000-0000-0000-ffff00000069"); +pub const UUID_SCHEMA_ATTR_NICE: Uuid = uuid!("00000000-0000-0000-0000-ffff00000069"); pub const UUID_SCHEMA_ATTR_ENTRYUUID: Uuid = uuid!("00000000-0000-0000-0000-ffff00000070"); pub const UUID_SCHEMA_ATTR_OBJECTCLASS: Uuid = uuid!("00000000-0000-0000-0000-ffff00000071"); -pub const _UUID_SCHEMA_ATTR_ACCOUNT_EXPIRE: Uuid = uuid!("00000000-0000-0000-0000-ffff00000072"); -pub const _UUID_SCHEMA_ATTR_ACCOUNT_VALID_FROM: Uuid = - uuid!("00000000-0000-0000-0000-ffff00000073"); +pub const UUID_SCHEMA_ATTR_ACCOUNT_EXPIRE: Uuid = uuid!("00000000-0000-0000-0000-ffff00000072"); +pub const UUID_SCHEMA_ATTR_ACCOUNT_VALID_FROM: Uuid = uuid!("00000000-0000-0000-0000-ffff00000073"); pub const UUID_SCHEMA_ATTR_ENTRYDN: Uuid = uuid!("00000000-0000-0000-0000-ffff00000074"); pub const UUID_SCHEMA_ATTR_EMAIL: Uuid = uuid!("00000000-0000-0000-0000-ffff00000075"); pub const UUID_SCHEMA_ATTR_EMAILADDRESS: Uuid = uuid!("00000000-0000-0000-0000-ffff00000076"); pub const UUID_SCHEMA_ATTR_KEYS: Uuid = 
uuid!("00000000-0000-0000-0000-ffff00000077"); pub const UUID_SCHEMA_ATTR_SSHPUBLICKEY: Uuid = uuid!("00000000-0000-0000-0000-ffff00000078"); pub const UUID_SCHEMA_ATTR_UIDNUMBER: Uuid = uuid!("00000000-0000-0000-0000-ffff00000079"); -pub const _UUID_SCHEMA_ATTR_OAUTH2_RS_NAME: Uuid = uuid!("00000000-0000-0000-0000-ffff00000080"); -pub const _UUID_SCHEMA_ATTR_OAUTH2_RS_ORIGIN: Uuid = uuid!("00000000-0000-0000-0000-ffff00000081"); -pub const _UUID_SCHEMA_ATTR_OAUTH2_RS_SCOPE_MAP: Uuid = +pub const UUID_SCHEMA_ATTR_OAUTH2_RS_NAME: Uuid = uuid!("00000000-0000-0000-0000-ffff00000080"); +pub const UUID_SCHEMA_ATTR_OAUTH2_RS_ORIGIN: Uuid = uuid!("00000000-0000-0000-0000-ffff00000081"); +pub const UUID_SCHEMA_ATTR_OAUTH2_RS_SCOPE_MAP: Uuid = uuid!("00000000-0000-0000-0000-ffff00000082"); -pub const _UUID_SCHEMA_ATTR_OAUTH2_RS_BASIC_SECRET: Uuid = +pub const UUID_SCHEMA_ATTR_OAUTH2_RS_BASIC_SECRET: Uuid = uuid!("00000000-0000-0000-0000-ffff00000083"); -pub const _UUID_SCHEMA_ATTR_OAUTH2_RS_TOKEN_KEY: Uuid = +pub const UUID_SCHEMA_ATTR_OAUTH2_RS_TOKEN_KEY: Uuid = uuid!("00000000-0000-0000-0000-ffff00000084"); pub const UUID_SCHEMA_CLASS_OAUTH2_RS: Uuid = uuid!("00000000-0000-0000-0000-ffff00000085"); pub const UUID_SCHEMA_CLASS_OAUTH2_RS_BASIC: Uuid = uuid!("00000000-0000-0000-0000-ffff00000086"); pub const UUID_SCHEMA_ATTR_CN: Uuid = uuid!("00000000-0000-0000-0000-ffff00000087"); pub const UUID_SCHEMA_ATTR_DOMAIN_TOKEN_KEY: Uuid = uuid!("00000000-0000-0000-0000-ffff00000088"); -pub const _UUID_SCHEMA_ATTR_OAUTH2_RS_IMPLICIT_SCOPES: Uuid = +pub const UUID_SCHEMA_ATTR_OAUTH2_RS_IMPLICIT_SCOPES: Uuid = uuid!("00000000-0000-0000-0000-ffff00000089"); -pub const _UUID_SCHEMA_ATTR_ES256_PRIVATE_KEY_DER: Uuid = +pub const UUID_SCHEMA_ATTR_ES256_PRIVATE_KEY_DER: Uuid = uuid!("00000000-0000-0000-0000-ffff00000090"); -pub const _UUID_SCHEMA_ATTR_OAUTH2_ALLOW_INSECURE_CLIENT_DISABLE_PKCE: Uuid = +pub const UUID_SCHEMA_ATTR_OAUTH2_ALLOW_INSECURE_CLIENT_DISABLE_PKCE: Uuid = 
uuid!("00000000-0000-0000-0000-ffff00000091"); -pub const _UUID_SCHEMA_ATTR_OAUTH2_JWT_LEGACY_CRYPTO_ENABLE: Uuid = +pub const UUID_SCHEMA_ATTR_OAUTH2_JWT_LEGACY_CRYPTO_ENABLE: Uuid = uuid!("00000000-0000-0000-0000-ffff00000092"); -pub const _UUID_SCHEMA_ATTR_RS256_PRIVATE_KEY_DER: Uuid = +pub const UUID_SCHEMA_ATTR_RS256_PRIVATE_KEY_DER: Uuid = uuid!("00000000-0000-0000-0000-ffff00000093"); -pub const _UUID_SCHEMA_CLASS_ORGPERSON: Uuid = uuid!("00000000-0000-0000-0000-ffff00000094"); +pub const UUID_SCHEMA_CLASS_ORGPERSON: Uuid = uuid!("00000000-0000-0000-0000-ffff00000094"); pub const UUID_SCHEMA_ATTR_FERNET_PRIVATE_KEY_STR: Uuid = uuid!("00000000-0000-0000-0000-ffff00000095"); -pub const _UUID_SCHEMA_ATTR_CREDENTIAL_UPDATE_INTENT_TOKEN: Uuid = +pub const UUID_SCHEMA_ATTR_CREDENTIAL_UPDATE_INTENT_TOKEN: Uuid = uuid!("00000000-0000-0000-0000-ffff00000096"); -pub const _UUID_SCHEMA_CLASS_OAUTH2_CONSENT_SCOPE_MAP: Uuid = +pub const UUID_SCHEMA_ATTR_OAUTH2_CONSENT_SCOPE_MAP: Uuid = uuid!("00000000-0000-0000-0000-ffff00000097"); -pub const _UUID_SCHEMA_ATTR_DOMAIN_DISPLAY_NAME: Uuid = +pub const UUID_SCHEMA_ATTR_DOMAIN_DISPLAY_NAME: Uuid = uuid!("00000000-0000-0000-0000-ffff00000098"); -pub const _UUID_SCHEMA_ATTR_PASSKEYS: Uuid = uuid!("00000000-0000-0000-0000-ffff00000099"); -pub const _UUID_SCHEMA_ATTR_DEVICEKEYS: Uuid = uuid!("00000000-0000-0000-0000-ffff00000100"); +pub const UUID_SCHEMA_ATTR_PASSKEYS: Uuid = uuid!("00000000-0000-0000-0000-ffff00000099"); +pub const UUID_SCHEMA_ATTR_DEVICEKEYS: Uuid = uuid!("00000000-0000-0000-0000-ffff00000100"); pub const UUID_SCHEMA_ATTR_SYSTEMSUPPLEMENTS: Uuid = uuid!("00000000-0000-0000-0000-ffff00000101"); pub const UUID_SCHEMA_ATTR_SUPPLEMENTS: Uuid = uuid!("00000000-0000-0000-0000-ffff00000102"); 
@@ -192,25 +190,24 @@ pub const UUID_SCHEMA_ATTR_SYSTEMEXCLUDES: Uuid = uuid!("00000000-0000-0000-0000
 pub const UUID_SCHEMA_ATTR_EXCLUDES: Uuid = uuid!("00000000-0000-0000-0000-ffff00000104");
 pub const UUID_SCHEMA_ATTR_SCOPE: Uuid = uuid!("00000000-0000-0000-0000-ffff00000105");
 pub const UUID_SCHEMA_CLASS_SERVICE_ACCOUNT: Uuid = uuid!("00000000-0000-0000-0000-ffff00000106");
-pub const _UUID_SCHEMA_CLASS_DYNGROUP: Uuid = uuid!("00000000-0000-0000-0000-ffff00000107");
-pub const _UUID_SCHEMA_ATTR_DYNGROUP_FILTER: Uuid = uuid!("00000000-0000-0000-0000-ffff00000108");
-pub const _UUID_SCHEMA_ATTR_OAUTH2_PREFERR_SHORT_USERNAME: Uuid =
+pub const UUID_SCHEMA_CLASS_DYNGROUP: Uuid = uuid!("00000000-0000-0000-0000-ffff00000107");
+pub const UUID_SCHEMA_ATTR_DYNGROUP_FILTER: Uuid = uuid!("00000000-0000-0000-0000-ffff00000108");
+pub const UUID_SCHEMA_ATTR_OAUTH2_PREFER_SHORT_USERNAME: Uuid =
 uuid!("00000000-0000-0000-0000-ffff00000109");
-pub const _UUID_SCHEMA_ATTR_JWS_ES256_PRIVATE_KEY: Uuid =
+pub const UUID_SCHEMA_ATTR_JWS_ES256_PRIVATE_KEY: Uuid =
 uuid!("00000000-0000-0000-0000-ffff00000110");
-pub const _UUID_SCHEMA_ATTR_API_TOKEN_SESSION: Uuid = uuid!("00000000-0000-0000-0000-ffff00000111");
-pub const _UUID_SCHEMA_ATTR_OAUTH2_RS_SUP_SCOPE_MAP: Uuid =
+pub const UUID_SCHEMA_ATTR_API_TOKEN_SESSION: Uuid = uuid!("00000000-0000-0000-0000-ffff00000111");
+pub const UUID_SCHEMA_ATTR_OAUTH2_RS_SUP_SCOPE_MAP: Uuid =
 uuid!("00000000-0000-0000-0000-ffff00000112");
-pub const _UUID_SCHEMA_ATTR_USER_AUTH_TOKEN_SESSION: Uuid =
+pub const UUID_SCHEMA_ATTR_USER_AUTH_TOKEN_SESSION: Uuid =
 uuid!("00000000-0000-0000-0000-ffff00000113");
-pub const _UUID_SCHEMA_CLASS_SYNC_ACCOUNT: Uuid = uuid!("00000000-0000-0000-0000-ffff00000114");
-pub const _UUID_SCHEMA_ATTR_SYNC_TOKEN_SESSION: Uuid =
- uuid!("00000000-0000-0000-0000-ffff00000115");
-pub const _UUID_SCHEMA_ATTR_SYNC_COOKIE: Uuid = uuid!("00000000-0000-0000-0000-ffff00000116");
-pub const _UUID_SCHEMA_ATTR_OAUTH2_SESSION: Uuid =
uuid!("00000000-0000-0000-0000-ffff00000117");
+pub const UUID_SCHEMA_CLASS_SYNC_ACCOUNT: Uuid = uuid!("00000000-0000-0000-0000-ffff00000114");
+pub const UUID_SCHEMA_ATTR_SYNC_TOKEN_SESSION: Uuid = uuid!("00000000-0000-0000-0000-ffff00000115");
+pub const UUID_SCHEMA_ATTR_SYNC_COOKIE: Uuid = uuid!("00000000-0000-0000-0000-ffff00000116");
+pub const UUID_SCHEMA_ATTR_OAUTH2_SESSION: Uuid = uuid!("00000000-0000-0000-0000-ffff00000117");
 pub const UUID_SCHEMA_ATTR_ACP_RECEIVER_GROUP: Uuid = uuid!("00000000-0000-0000-0000-ffff00000118");
-pub const _UUID_SCHEMA_ATTR_GRANT_UI_HINT: Uuid = uuid!("00000000-0000-0000-0000-ffff00000119");
-pub const _UUID_SCHEMA_ATTR_OAUTH2_RS_ORIGIN_LANDING: Uuid =
+pub const UUID_SCHEMA_ATTR_GRANT_UI_HINT: Uuid = uuid!("00000000-0000-0000-0000-ffff00000119");
+pub const UUID_SCHEMA_ATTR_OAUTH2_RS_ORIGIN_LANDING: Uuid =
 uuid!("00000000-0000-0000-0000-ffff00000120");
 pub const UUID_SCHEMA_ATTR_SYNC_EXTERNAL_ID: Uuid = uuid!("00000000-0000-0000-0000-ffff00000121");
@@ -224,8 +221,7 @@ pub const UUID_SCHEMA_ATTR_EMAILALTERNATIVE: Uuid = uuid!("00000000-0000-0000-00
 pub const UUID_SCHEMA_ATTR_TOTP_IMPORT: Uuid = uuid!("00000000-0000-0000-0000-ffff00000128");
 pub const UUID_SCHEMA_ATTR_REPLICATED: Uuid = uuid!("00000000-0000-0000-0000-ffff00000129");
 pub const UUID_SCHEMA_ATTR_PRIVATE_COOKIE_KEY: Uuid = uuid!("00000000-0000-0000-0000-ffff00000130");
-pub const _UUID_SCHEMA_ATTR_DOMAIN_LDAP_BASEDN: Uuid =
- uuid!("00000000-0000-0000-0000-ffff00000131");
+pub const UUID_SCHEMA_ATTR_DOMAIN_LDAP_BASEDN: Uuid = uuid!("00000000-0000-0000-0000-ffff00000131");
 pub const UUID_SCHEMA_ATTR_DYNMEMBER: Uuid = uuid!("00000000-0000-0000-0000-ffff00000132");
 pub const UUID_SCHEMA_ATTR_NAME_HISTORY: Uuid = uuid!("00000000-0000-0000-0000-ffff00000133");
diff --git a/server/lib/src/schema.rs b/server/lib/src/schema.rs
index cf4bb4a10..de2e88584 100644
--- a/server/lib/src/schema.rs
+++ b/server/lib/src/schema.rs
@@ -300,6 +300,52 @@ impl SchemaAttribute {
 }
 }
+impl From for EntryInitNew {
+ fn from(value: SchemaAttribute) -> Self {
+ let mut entry = EntryInitNew::new();
+
+ #[allow(clippy::expect_used)]
+ entry.set_ava(
+ "attributename",
+ vec![Value::new_iutf8(&value.name)].into_iter(),
+ );
+ entry.add_ava("multivalue", Value::Bool(value.multivalue));
+ // syntax
+ entry.set_ava("syntax", vec![Value::Syntax(value.syntax)]);
+ entry.set_ava("unique", vec![Value::Bool(value.unique)].into_iter());
+ // index
+ entry.set_ava("index", value.index.into_iter().map(Value::Index));
+
+ // class
+ entry.set_ava(
+ "class",
+ vec![
+ CLASS_OBJECT.clone(),
+ CLASS_SYSTEM.clone(),
+ CLASS_ATTRIBUTETYPE.clone(),
+ ],
+ );
+ // description
+ entry.set_ava(
+ "description",
+ vec![Value::new_utf8s(&value.description)].into_iter(),
+ );
+ // unique
+ // multivalue
+
+ // sync_allowed
+ entry.set_ava(
+ "sync_allowed",
+ vec![Value::Bool(value.sync_allowed)].into_iter(),
+ );
+
+ // uid
+ entry.set_ava("uuid", vec![Value::Uuid(value.uuid)].into_iter());
+
+ entry
+ }
+}
+
 /// An item representing a class and the rules for that class. These rules enforce that an
 /// [`Entry`]'s avas conform to a set of requirements, giving structure to an entry about
 /// what avas must or may exist. The kanidm project provides attributes in `systemmust` and
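Review bot: The `#[allow(clippy::expect_used)]` placed before `entry.set_ava("attributename", …)` covers a statement that contains no `expect`, so it silences nothing and misleads the reader about which call can fail; the same stray attribute precedes `set_ava("classname", …)` in the `SchemaClass` hunk below, and both should be dropped or moved to whatever call actually unwraps. The `// unique` and `// multivalue` markers after the description block label nothing (both avas are written next to `// syntax`), and `// uid` sits above the `uuid` ava, so deleting the two orphans and writing `// uuid` keeps the section markers accurate. `"multivalue"` is the only ava written with `add_ava` and `"syntax"` the only one handed a bare `vec![…]` rather than `.into_iter()`; on a freshly constructed `EntryInitNew` the result is presumably the same, but `set_ava(…, vec![…].into_iter())` throughout would make the conversion read as one pattern. Unlike the class conversion, `"index"` is set even when `value.index` is empty, and whether `set_ava` with an empty iterator yields an empty ava or no ava is not visible here, so it is worth confirming that the produced entry matches what the former JSON definition produced before the migration path compares it with stored schema.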
@@ -435,6 +481,71 @@ impl SchemaClass {
 }
 }
+impl From for EntryInitNew {
+ fn from(value: SchemaClass) -> Self {
+ let mut entry = EntryInitNew::new();
+
+ #[allow(clippy::expect_used)]
+ entry.set_ava("classname", vec![Value::new_iutf8(&value.name)].into_iter());
+
+ // class
+ entry.set_ava(
+ "class",
+ vec![
+ CLASS_OBJECT.clone(),
+ CLASS_SYSTEM.clone(),
+ CLASS_CLASSTYPE.clone(),
+ ],
+ );
+
+ // description
+ entry.set_ava(
+ "description",
+ vec![Value::new_utf8s(&value.description)].into_iter(),
+ );
+
+ // sync_allowed
+ entry.set_ava(
+ "sync_allowed",
+ vec![Value::Bool(value.sync_allowed)].into_iter(),
+ );
+
+ // uid
+ entry.set_ava("uuid", vec![Value::Uuid(value.uuid)].into_iter());
+
+ // systemmay
+ if !value.systemmay.is_empty() {
+ entry.set_ava(
+ "systemmay",
+ value.systemmay.iter().map(|s| Value::new_iutf8(s)),
+ );
+ }
+ // systemexcludes
+ if !value.systemexcludes.is_empty() {
+ entry.set_ava(
+ "systemexcludes",
+ value.systemexcludes.iter().map(|s| Value::new_iutf8(s)),
+ );
+ }
+ // systemmust
+ if !value.systemmust.is_empty() {
+ entry.set_ava(
+ "systemmust",
+ value.systemmust.iter().map(|s| Value::new_iutf8(s)),
+ );
+ }
+ // systemsupplements
+ if !value.systemsupplements.is_empty() {
+ entry.set_ava(
+ "systemsupplements",
+ value.systemsupplements.iter().map(|s| Value::new_iutf8(s)),
+ );
+ }
+
+ entry
+ }
+}
+
 pub trait SchemaTransaction {
 fn get_classes(&self) -> &HashMap;
 fn get_attributes(&self) -> &HashMap;
diff --git a/server/lib/src/server/migrations.rs b/server/lib/src/server/migrations.rs
index faf6686ba..69a4c6ea3 100644
--- a/server/lib/src/server/migrations.rs
+++ b/server/lib/src/server/migrations.rs
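Review bot: The four `if !value.<list>.is_empty() { entry.set_ava(…) }` blocks for `systemmay`, `systemexcludes`, `systemmust` and `systemsupplements` are the same seven lines repeated with only the attribute name changed, which invites a copy-paste slip the next time a rule list is added to `SchemaClass`. Assuming the four fields share one element type, a single loop over `(name, &list)` pairs states the rule once; the sketch below keeps the empty-list guard so the emitted entry is unchanged. The guard itself is undocumented in the hunk, so a one-line comment such as `// Rule lists are optional: an empty list produces no ava.` would record why it exists.
```rust
    fn from(value: SchemaClass) -> Self {
        // … unchanged: classname, class, description, sync_allowed and uuid avas …

        // Rule lists are optional: an empty list produces no ava.
        for (attr, names) in [
            ("systemmay", &value.systemmay),
            ("systemexcludes", &value.systemexcludes),
            ("systemmust", &value.systemmust),
            ("systemsupplements", &value.systemsupplements),
        ] {
            if !names.is_empty() {
                entry.set_ava(attr, names.iter().map(|s| Value::new_iutf8(s)));
            }
        }

        entry
    }
```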
@@ -435,8 +435,8 @@ impl<'a> QueryServerWriteTransaction<'a> {
 admin_debug!("initialise_schema_idm -> start ...");
 let idm_schema_attrs = [
- E_SCHEMA_ATTR_SYNC_CREDENTIAL_PORTAL.clone(),
- E_SCHEMA_ATTR_SYNC_YIELD_AUTHORITY.clone(),
+ SCHEMA_ATTR_SYNC_CREDENTIAL_PORTAL.clone().into(),
+ SCHEMA_ATTR_SYNC_YIELD_AUTHORITY.clone().into(),
 ];
 let r: Result<(), _> = idm_schema_attrs
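Review bot: `SCHEMA_ATTR_SYNC_CREDENTIAL_PORTAL.clone().into()` leaves the array's element type to be inferred from the consumer of `idm_schema_attrs`, which lies outside this hunk, whereas the other two lists this commit introduces in the same function are annotated as a `Vec` (the type parameter is stripped in this rendering, but `EntryInitNew` is the `From` target the commit adds). Writing `let idm_schema_attrs: Vec<EntryInitNew> = vec![` here, or `[EntryInitNew; 2]`, makes the conversion target explicit and consistent with those lists, and keeps a later change to the consumer from silently changing what `.into()` resolves to. The enclosing function continues outside the hunk.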
@@ -449,72 +449,62 @@ impl<'a> QueryServerWriteTransaction<'a> {
 debug_assert!(r.is_ok());
 // List of IDM schemas to init.
- let idm_schema: Vec<&str> = vec![
- JSON_SCHEMA_ATTR_DISPLAYNAME,
- JSON_SCHEMA_ATTR_LEGALNAME,
- JSON_SCHEMA_ATTR_NAME_HISTORY,
- JSON_SCHEMA_ATTR_MAIL,
- JSON_SCHEMA_ATTR_SSH_PUBLICKEY,
- JSON_SCHEMA_ATTR_PRIMARY_CREDENTIAL,
- JSON_SCHEMA_ATTR_RADIUS_SECRET,
- JSON_SCHEMA_ATTR_DOMAIN_NAME,
- JSON_SCHEMA_ATTR_DOMAIN_DISPLAY_NAME,
- JSON_SCHEMA_ATTR_DOMAIN_UUID,
- JSON_SCHEMA_ATTR_DOMAIN_SSID,
- JSON_SCHEMA_ATTR_DOMAIN_TOKEN_KEY,
- JSON_SCHEMA_ATTR_FERNET_PRIVATE_KEY_STR,
- JSON_SCHEMA_ATTR_GIDNUMBER,
- JSON_SCHEMA_ATTR_BADLIST_PASSWORD,
- JSON_SCHEMA_ATTR_LOGINSHELL,
- JSON_SCHEMA_ATTR_UNIX_PASSWORD,
- JSON_SCHEMA_ATTR_ACCOUNT_EXPIRE,
- JSON_SCHEMA_ATTR_ACCOUNT_VALID_FROM,
- JSON_SCHEMA_ATTR_OAUTH2_RS_NAME,
- JSON_SCHEMA_ATTR_OAUTH2_RS_ORIGIN,
- JSON_SCHEMA_ATTR_OAUTH2_RS_SCOPE_MAP,
- JSON_SCHEMA_ATTR_OAUTH2_RS_IMPLICIT_SCOPES,
- JSON_SCHEMA_ATTR_OAUTH2_RS_BASIC_SECRET,
- JSON_SCHEMA_ATTR_OAUTH2_RS_TOKEN_KEY,
- JSON_SCHEMA_ATTR_ES256_PRIVATE_KEY_DER,
- JSON_SCHEMA_ATTR_OAUTH2_ALLOW_INSECURE_CLIENT_DISABLE_PKCE,
- JSON_SCHEMA_ATTR_OAUTH2_JWT_LEGACY_CRYPTO_ENABLE,
- JSON_SCHEMA_ATTR_RS256_PRIVATE_KEY_DER,
- JSON_SCHEMA_ATTR_CREDENTIAL_UPDATE_INTENT_TOKEN,
- JSON_SCHEMA_ATTR_OAUTH2_CONSENT_SCOPE_MAP,
- JSON_SCHEMA_ATTR_PASSKEYS,
- JSON_SCHEMA_ATTR_DEVICEKEYS,
- JSON_SCHEMA_ATTR_DYNGROUP_FILTER,
- JSON_SCHEMA_ATTR_JWS_ES256_PRIVATE_KEY,
- JSON_SCHEMA_ATTR_API_TOKEN_SESSION,
- JSON_SCHEMA_ATTR_OAUTH2_RS_SUP_SCOPE_MAP,
- JSON_SCHEMA_ATTR_USER_AUTH_TOKEN_SESSION,
- JSON_SCHEMA_ATTR_OAUTH2_SESSION,
- JSON_SCHEMA_ATTR_NSUNIQUEID,
- JSON_SCHEMA_ATTR_OAUTH2_PREFER_SHORT_USERNAME,
- JSON_SCHEMA_ATTR_SYNC_TOKEN_SESSION,
- JSON_SCHEMA_ATTR_SYNC_COOKIE,
- JSON_SCHEMA_ATTR_GRANT_UI_HINT,
- JSON_SCHEMA_ATTR_OAUTH2_RS_ORIGIN_LANDING,
- JSON_SCHEMA_ATTR_DOMAIN_LDAP_BASEDN,
- JSON_SCHEMA_CLASS_PERSON,
- JSON_SCHEMA_CLASS_ORGPERSON,
- JSON_SCHEMA_CLASS_GROUP,
-
JSON_SCHEMA_CLASS_DYNGROUP,
- JSON_SCHEMA_CLASS_ACCOUNT,
- JSON_SCHEMA_CLASS_SERVICE_ACCOUNT,
- JSON_SCHEMA_CLASS_DOMAIN_INFO,
- JSON_SCHEMA_CLASS_POSIXACCOUNT,
- JSON_SCHEMA_CLASS_POSIXGROUP,
- JSON_SCHEMA_CLASS_SYSTEM_CONFIG,
- JSON_SCHEMA_CLASS_SYNC_ACCOUNT,
- JSON_SCHEMA_CLASS_OAUTH2_RS,
- JSON_SCHEMA_ATTR_PRIVATE_COOKIE_KEY,
+ let idm_schema: Vec = vec![
+ SCHEMA_ATTR_MAIL.clone().into(),
+ SCHEMA_ATTR_ACCOUNT_EXPIRE.clone().into(),
+ SCHEMA_ATTR_ACCOUNT_VALID_FROM.clone().into(),
+ SCHEMA_ATTR_API_TOKEN_SESSION.clone().into(),
+ SCHEMA_ATTR_BADLIST_PASSWORD.clone().into(),
+ SCHEMA_ATTR_CREDENTIAL_UPDATE_INTENT_TOKEN.clone().into(),
+ SCHEMA_ATTR_DEVICEKEYS.clone().into(),
+ SCHEMA_ATTR_DISPLAYNAME.clone().into(),
+ SCHEMA_ATTR_DOMAIN_DISPLAY_NAME.clone().into(),
+ SCHEMA_ATTR_DOMAIN_LDAP_BASEDN.clone().into(),
+ SCHEMA_ATTR_DOMAIN_NAME.clone().into(),
+ SCHEMA_ATTR_DOMAIN_SSID.clone().into(),
+ SCHEMA_ATTR_DOMAIN_TOKEN_KEY.clone().into(),
+ SCHEMA_ATTR_DOMAIN_UUID.clone().into(),
+ SCHEMA_ATTR_DYNGROUP_FILTER.clone().into(),
+ SCHEMA_ATTR_ES256_PRIVATE_KEY_DER.clone().into(),
+ SCHEMA_ATTR_FERNET_PRIVATE_KEY_STR.clone().into(),
+ SCHEMA_ATTR_GIDNUMBER.clone().into(),
+ SCHEMA_ATTR_GRANT_UI_HINT.clone().into(),
+ SCHEMA_ATTR_JWS_ES256_PRIVATE_KEY.clone().into(),
+ SCHEMA_ATTR_LEGALNAME.clone().into(),
+ SCHEMA_ATTR_LOGINSHELL.clone().into(),
+ SCHEMA_ATTR_NAME_HISTORY.clone().into(),
+ SCHEMA_ATTR_NSUNIQUEID.clone().into(),
+ SCHEMA_ATTR_OAUTH2_ALLOW_INSECURE_CLIENT_DISABLE_PKCE
+ .clone()
+ .into(),
+ SCHEMA_ATTR_OAUTH2_CONSENT_SCOPE_MAP.clone().into(),
+ SCHEMA_ATTR_OAUTH2_JWT_LEGACY_CRYPTO_ENABLE.clone().into(),
+ SCHEMA_ATTR_OAUTH2_PREFER_SHORT_USERNAME.clone().into(),
+ SCHEMA_ATTR_OAUTH2_RS_BASIC_SECRET.clone().into(),
+ SCHEMA_ATTR_OAUTH2_RS_IMPLICIT_SCOPES.clone().into(),
+ SCHEMA_ATTR_OAUTH2_RS_NAME.clone().into(),
+ SCHEMA_ATTR_OAUTH2_RS_ORIGIN_LANDING.clone().into(),
+ SCHEMA_ATTR_OAUTH2_RS_ORIGIN.clone().into(),
+
SCHEMA_ATTR_OAUTH2_RS_SCOPE_MAP.clone().into(),
+ SCHEMA_ATTR_OAUTH2_RS_SUP_SCOPE_MAP.clone().into(),
+ SCHEMA_ATTR_OAUTH2_RS_TOKEN_KEY.clone().into(),
+ SCHEMA_ATTR_OAUTH2_SESSION.clone().into(),
+ SCHEMA_ATTR_PASSKEYS.clone().into(),
+ SCHEMA_ATTR_PRIMARY_CREDENTIAL.clone().into(),
+ SCHEMA_ATTR_PRIVATE_COOKIE_KEY.clone().into(),
+ SCHEMA_ATTR_RADIUS_SECRET.clone().into(),
+ SCHEMA_ATTR_RS256_PRIVATE_KEY_DER.clone().into(),
+ SCHEMA_ATTR_SSH_PUBLICKEY.clone().into(),
+ SCHEMA_ATTR_SYNC_COOKIE.clone().into(),
+ SCHEMA_ATTR_SYNC_TOKEN_SESSION.clone().into(),
+ SCHEMA_ATTR_UNIX_PASSWORD.clone().into(),
+ SCHEMA_ATTR_USER_AUTH_TOKEN_SESSION.clone().into(),
 ];
 let r = idm_schema
- .iter()
+ .into_iter()
 // Each item individually logs it's result
- .try_for_each(|e_str| self.internal_migrate_or_create_str(e_str));
+ .try_for_each(|entry| self.internal_migrate_or_create(entry));
 if r.is_err() {
 error!(res = ?r, "initialise_schema_idm -> Error");
@@ -522,9 +512,21 @@ impl<'a> QueryServerWriteTransaction<'a> {
 debug_assert!(r.is_ok());
- let idm_schema_classes = [
- E_SCHEMA_CLASS_OAUTH2_RS_BASIC.clone(),
- E_SCHEMA_CLASS_OAUTH2_RS_PUBLIC.clone(),
+ let idm_schema_classes: Vec = vec![
+ SCHEMA_CLASS_ACCOUNT.clone().into(),
+ SCHEMA_CLASS_DOMAIN_INFO.clone().into(),
+ SCHEMA_CLASS_DYNGROUP.clone().into(),
+ SCHEMA_CLASS_GROUP.clone().into(),
+ SCHEMA_CLASS_OAUTH2_RS.clone().into(),
+ SCHEMA_CLASS_ORGPERSON.clone().into(),
+ SCHEMA_CLASS_PERSON.clone().into(),
+ SCHEMA_CLASS_POSIXACCOUNT.clone().into(),
+ SCHEMA_CLASS_POSIXGROUP.clone().into(),
+ SCHEMA_CLASS_SERVICE_ACCOUNT.clone().into(),
+ SCHEMA_CLASS_SYNC_ACCOUNT.clone().into(),
+ SCHEMA_CLASS_SYSTEM_CONFIG.clone().into(),
+ SCHEMA_CLASS_OAUTH2_RS_BASIC.clone().into(),
+ SCHEMA_CLASS_OAUTH2_RS_PUBLIC.clone().into(),
 ];
 let r: Result<(), _> = idm_schema_classes
diff --git a/server/testkit/tests/integration.rs b/server/testkit/tests/integration.rs
index afb2541ae..aee818260 100644
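Review bot: Moving the class definitions out of `idm_schema` into `idm_schema_classes` (second hunk) changes the creation order so that every attribute is now written before any class, but nothing in either hunk says whether that ordering is deliberate. If class rules such as `systemmust` and `systemmay` are checked against existing attribute definitions when the class entry is created, the order matters and deserves a comment above `let idm_schema`, e.g. `// Attributes are created before the classes whose rules reference them.`; if it does not matter, a comment saying the split is purely organisational is just as useful to the next person reordering these lists. On style, the attribute list reads as alphabetical except that `SCHEMA_ATTR_MAIL` heads it and `SCHEMA_ATTR_OAUTH2_RS_ORIGIN_LANDING` precedes `SCHEMA_ATTR_OAUTH2_RS_ORIGIN`, and the class list appends `SCHEMA_CLASS_OAUTH2_RS_BASIC` and `SCHEMA_CLASS_OAUTH2_RS_PUBLIC` after `SCHEMA_CLASS_SYSTEM_CONFIG`; either sort both fully or drop the appearance of sorting so nobody relies on it. The enclosing function starts and ends outside these hunks.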
--- a/server/testkit/tests/integration.rs
+++ b/server/testkit/tests/integration.rs
@@ -80,7 +80,11 @@ async fn test_webdriver_user_login(rsclient: kanidm_client::KanidmClient) {
 let c = get_webdriver_client().await;
- handle_error!(c, c.goto(rsclient.get_url()).await, "Couldn't get URL");
+ handle_error!(
+ c,
+ c.goto(rsclient.get_url().to_string()).await,
+ "Couldn't get URL"
+ );
 println!("Waiting for page to load");
 let mut wait_attempts = 0;
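Review bot: `rsclient.get_url().to_string()` allocates a `String` only to hand `goto` a value it reads once, and since the previous call passed `get_url()` directly, the return type of `get_url()` appears to have changed in this commit. If it now returns a `url::Url`, `c.goto(rsclient.get_url().as_str()).await` gives `goto` the same text without the allocation; if it returns something else, a short comment on why the conversion is needed would save the next reader the same question. The enclosing test function continues outside the hunk.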