20221008 access profile improvements (#1101)

2025-02-23 20:47:01 +01:00 · 2022-10-09 11:59:10 +10:00 · 2022-10-09 11:59:10 +10:00 · ba62f6aef6
parent b6b41c8471
commit ba62f6aef6
5 changed files with 32 additions and 6 deletions
--- a/kanidmd/lib/src/access.rs
+++ b/kanidmd/lib/src/access.rs
@ -279,7 +279,16 @@ struct AccessControlProfile {
    // the acp update routine.
    #[allow(dead_code)]
    uuid: Uuid,
+    // Must be
+    //   Group
    receiver: Filter<FilterValid>,
+    // or
+    //  Filter
+    //  Group
+    //  Self
+    // and
+    //  exclude
+    //    Group
    targetscope: Filter<FilterValid>,
 }

--- a/kanidmd/lib/src/constants/acp.rs
+++ b/kanidmd/lib/src/constants/acp.rs
@ -82,7 +82,7 @@ pub const JSON_IDM_SELF_ACP_READ_V1: &str = r#"{
        "uuid": ["00000000-0000-0000-0000-ffffff000004"],
        "description": ["Builtin IDM Control for self read - required for whoami and many other functions."],
        "acp_receiver": [
-            "{\"and\": [\"self\", {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
+            "{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000036\"]}"
        ],
        "acp_targetscope": [
            "\"self\""
@ -114,7 +114,7 @@ pub const JSON_IDM_SELF_ACP_WRITE_V1: &str = r#"{
        "uuid": ["00000000-0000-0000-0000-ffffff000021"],
        "description": ["Builtin IDM Control for self write - required for people to update their own identities and credentials in line with best practices."],
        "acp_receiver": [
-            "{\"and\": [\"self\", {\"eq\": [\"class\", \"person\"]}, {\"eq\": [\"class\", \"account\"]}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}, {\"eq\": [\"uuid\", \"00000000-0000-0000-0000-ffffffffffff\"]}]}}]}"
+            "{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000035\"]}"
        ],
        "acp_targetscope": [
            "{\"and\": [{\"eq\": [\"class\",\"person\"]}, {\"eq\": [\"class\",\"account\"]}, \"self\"]}"
@ -156,7 +156,7 @@ pub const JSON_IDM_ALL_ACP_READ_V1: &str = r#"{
        "uuid": ["00000000-0000-0000-0000-ffffff000006"],
        "description": ["Builtin IDM Control for all read - IE anonymous and all authenticated accounts."],
        "acp_receiver": [
-            "{\"pres\":\"class\"}"
+            "{\"eq\":[\"memberof\",\"00000000-0000-0000-0000-000000000036\"]}"
        ],
        "acp_targetscope": [
            "{\"and\": [{\"pres\": \"class\"}, {\"andnot\": {\"or\": [{\"eq\": [\"class\", \"tombstone\"]}, {\"eq\": [\"class\", \"recycled\"]}]}}]}"
--- a/kanidmd/lib/src/constants/entries.rs
+++ b/kanidmd/lib/src/constants/entries.rs
@ -420,9 +420,21 @@ pub const JSON_IDM_ALL_PERSONS: &str = r#"{
        "class": ["dyngroup", "group", "object"],
        "name": ["idm_all_persons"],
        "uuid": ["00000000-0000-0000-0000-000000000035"],
-        "description": ["Builtin IDM dynamic group containing all persons"],
+        "description": ["Builtin IDM dynamic group containing all persons that can authenticate"],
        "dyngroup_filter": [
-            "{\"eq\":[\"class\",\"person\"]}"
+            "{\"and\": [{\"eq\": [\"class\",\"person\"]}, {\"eq\": [\"class\",\"account\"]}]}"
+        ]
+    }
+}"#;
+
+pub const JSON_IDM_ALL_ACCOUNTS: &str = r#"{
+    "attrs": {
+        "class": ["dyngroup", "group", "object"],
+        "name": ["idm_all_accounts"],
+        "uuid": ["00000000-0000-0000-0000-000000000036"],
+        "description": ["Builtin IDM dynamic group containing all entries that can authenticate."],
+        "dyngroup_filter": [
+            "{\"eq\":[\"class\",\"account\"]}"
        ]
    }
 }"#;
--- a/kanidmd/lib/src/constants/uuids.rs
+++ b/kanidmd/lib/src/constants/uuids.rs
@ -47,7 +47,7 @@ pub const _UUID_IDM_HP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_PRIV: Uuid =
    uuid!("00000000-0000-0000-0000-000000000034");

 pub const UUID_IDM_ALL_PERSONS: Uuid = uuid!("00000000-0000-0000-0000-000000000035");
-
+pub const UUID_IDM_ALL_ACCOUNTS: Uuid = uuid!("00000000-0000-0000-0000-000000000036");
 //
 pub const _UUID_IDM_HIGH_PRIVILEGE: Uuid = uuid!("00000000-0000-0000-0000-000000001000");

--- a/kanidmd/lib/src/server.rs
+++ b/kanidmd/lib/src/server.rs
@ -2641,6 +2641,7 @@ impl<'a> QueryServerWriteTransaction<'a> {
        let idm_entries = [
            // Builtin dyn groups,
            JSON_IDM_ALL_PERSONS,
+            JSON_IDM_ALL_ACCOUNTS,
            // Builtin groups
            JSON_IDM_PEOPLE_MANAGE_PRIV_V1,
            JSON_IDM_PEOPLE_ACCOUNT_PASSWORD_IMPORT_PRIV_V1,
@ -3125,7 +3126,9 @@ mod tests {
            let mut e = entry_init!(
                ("class", Value::new_class("object")),
                ("class", Value::new_class("person")),
+                ("class", Value::new_class("account")),
                ("name", Value::new_iname("testperson")),
+                ("spn", Value::new_spn_str("testperson", "example.com")),
                (
                    "uuid",
                    Value::new_uuids("cc8e95b4-c24f-4d68-ba54-8bed76f63930").expect("uuid")
@ -3150,6 +3153,8 @@ mod tests {
            e.add_ava("class", Value::new_class("memberof"));
            e.add_ava("memberof", Value::new_refer(UUID_IDM_ALL_PERSONS));
            e.add_ava("directmemberof", Value::new_refer(UUID_IDM_ALL_PERSONS));
+            e.add_ava("memberof", Value::new_refer(UUID_IDM_ALL_ACCOUNTS));
+            e.add_ava("directmemberof", Value::new_refer(UUID_IDM_ALL_ACCOUNTS));

            let expected = unsafe { vec![Arc::new(e.into_sealed_committed())] };