Add acp allowing service accounts to clear their own sessions (#1731)

2025-02-23 20:47:01 +01:00 · 2023-06-13 14:10:28 +10:00 · 2023-06-13 14:10:28 +10:00 · c5c483be98
parent 8cd45eaa35
commit c5c483be98
3 changed files with 28 additions and 0 deletions
--- a/server/lib/src/constants/acp.rs
+++ b/server/lib/src/constants/acp.rs
@ -138,6 +138,32 @@ lazy_static! {
    );
 }

+lazy_static! {
+    pub static ref E_IDM_ACCOUNT_SELF_ACP_WRITE_V1: EntryInitNew = entry_init!(
+        ("class", CLASS_OBJECT.clone()),
+        ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()),
+        ("class", CLASS_ACCESS_CONTROL_MODIFY.clone()),
+        ("name", Value::new_iname("idm_self_account_acp_write")),
+        ("uuid", Value::Uuid(UUID_IDM_ACCOUNT_SELF_ACP_WRITE_V1)),
+        (
+            "description",
+            Value::new_utf8s("Builtin IDM Control for self write - required for accounts to update their own session state.")
+        ),
+        (
+            "acp_receiver_group",
+            Value::Refer(UUID_IDM_ALL_ACCOUNTS)
+        ),
+        (
+            "acp_targetscope",
+            Value::new_json_filter_s(
+                "{\"and\": [{\"eq\": [\"class\",\"account\"]}, \"self\"]}"
+            )
+                .expect("Invalid JSON filter")
+        ),
+        ("acp_modify_removedattr", Value::new_iutf8("user_auth_token_session"))
+    );
+}
+
 lazy_static! {
    pub static ref E_IDM_PEOPLE_SELF_ACP_WRITE_MAIL_PRIV_V1: EntryInitNew = entry_init!(
        ("class", CLASS_OBJECT.clone()),
--- a/server/lib/src/constants/uuids.rs
+++ b/server/lib/src/constants/uuids.rs
@ -305,6 +305,7 @@ pub const UUID_IDM_HP_ACP_SYNC_ACCOUNT_MANAGE_PRIV_V1: Uuid =
    uuid!("00000000-0000-0000-0000-ffffff000044");
 pub const UUID_IDM_ACP_ACCOUNT_MAIL_READ_PRIV_V1: Uuid =
    uuid!("00000000-0000-0000-0000-ffffff000045");
+pub const UUID_IDM_ACCOUNT_SELF_ACP_WRITE_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000046");

 // End of system ranges
 pub const UUID_DOES_NOT_EXIST: Uuid = uuid!("00000000-0000-0000-0000-fffffffffffe");
--- a/server/lib/src/server/migrations.rs
+++ b/server/lib/src/server/migrations.rs
@ -635,6 +635,7 @@ impl<'a> QueryServerWriteTransaction<'a> {
            E_IDM_UI_ENABLE_EXPERIMENTAL_FEATURES.clone(),
            E_IDM_ACCOUNT_MAIL_READ_PRIV.clone(),
            E_IDM_ACP_ACCOUNT_MAIL_READ_PRIV_V1.clone(),
+            E_IDM_ACCOUNT_SELF_ACP_WRITE_V1.clone(),
        ];

        let res: Result<(), _> = idm_entries