From c5c483be98b07259c0115114eddae3969e912f0c Mon Sep 17 00:00:00 2001
From: Firstyear
Date: Tue, 13 Jun 2023 14:10:28 +1000
Subject: [PATCH] Add acp allowing service accounts to clear their own sessions (#1731)
---
 server/lib/src/constants/acp.rs | 26 ++++++++++++++++++++++++++
 server/lib/src/constants/uuids.rs | 1 +
 server/lib/src/server/migrations.rs | 1 +
 3 files changed, 28 insertions(+)
diff --git a/server/lib/src/constants/acp.rs b/server/lib/src/constants/acp.rs
index 05d48a01c..8715a3d14 100644
--- a/server/lib/src/constants/acp.rs
+++ b/server/lib/src/constants/acp.rs
@@ -138,6 +138,32 @@ lazy_static! {
 );
 }
+lazy_static! {
+ pub static ref E_IDM_ACCOUNT_SELF_ACP_WRITE_V1: EntryInitNew = entry_init!(
+ ("class", CLASS_OBJECT.clone()),
+ ("class", CLASS_ACCESS_CONTROL_PROFILE.clone()),
+ ("class", CLASS_ACCESS_CONTROL_MODIFY.clone()),
+ ("name", Value::new_iname("idm_self_account_acp_write")),
+ ("uuid", Value::Uuid(UUID_IDM_ACCOUNT_SELF_ACP_WRITE_V1)),
+ (
+ "description",
+ Value::new_utf8s("Builtin IDM Control for self write - required for accounts to update their own session state.")
+ ),
+ (
+ "acp_receiver_group",
+ Value::Refer(UUID_IDM_ALL_ACCOUNTS)
+ ),
+ (
+ "acp_targetscope",
+ Value::new_json_filter_s(
+ "{\"and\": [{\"eq\": [\"class\",\"account\"]}, \"self\"]}"
+ )
+ .expect("Invalid JSON filter")
+ ),
+ ("acp_modify_removedattr", Value::new_iutf8("user_auth_token_session"))
+ );
+}
+
 lazy_static! {
 pub static ref E_IDM_PEOPLE_SELF_ACP_WRITE_MAIL_PRIV_V1: EntryInitNew = entry_init!(
 ("class", CLASS_OBJECT.clone()),
diff --git a/server/lib/src/constants/uuids.rs b/server/lib/src/constants/uuids.rs
index 8da00a538..8efbae02f 100644
--- a/server/lib/src/constants/uuids.rs
+++ b/server/lib/src/constants/uuids.rs
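Review bot: The receiver on the `acp_receiver_group` line is `UUID_IDM_ALL_ACCOUNTS`, while the patch subject scopes the change to service accounts; if every account class is meant to receive it (the `description` only says "accounts"), that is wider than the subject states and worth confirming, and if not, the receiver should be the service-account group instead. The entry grants only `acp_modify_removedattr` on `user_auth_token_session`, with no `acp_modify_presentattr` anywhere in the hunk, so as far as the attribute names indicate a receiver can clear but not insert session values on its own entry — that is the property that keeps a self-write on session state acceptable, and a comment above the `lazy_static!` block would stop a later widening, e.g. `// Removal only by design: an account may clear its own sessions but must never be able to add or alter session entries.`. The `name` value `idm_self_account_acp_write` does not follow the constant's naming (`E_IDM_ACCOUNT_SELF_ACP_WRITE_V1`), so a search for either will miss the other. Nothing in this patch exercises the self-scoped `acp_targetscope` against another account's entry; a test asserting that such a modify is rejected may exist outside the hunk but is not visible here.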
@@ -305,6 +305,7 @@ pub const UUID_IDM_HP_ACP_SYNC_ACCOUNT_MANAGE_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000044");
 pub const UUID_IDM_ACP_ACCOUNT_MAIL_READ_PRIV_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000045");
+pub const UUID_IDM_ACCOUNT_SELF_ACP_WRITE_V1: Uuid = uuid!("00000000-0000-0000-0000-ffffff000046");
 // End of system ranges
 pub const UUID_DOES_NOT_EXIST: Uuid = uuid!("00000000-0000-0000-0000-fffffffffffe");
diff --git a/server/lib/src/server/migrations.rs b/server/lib/src/server/migrations.rs
index eb6368632..04c866aa2 100644
--- a/server/lib/src/server/migrations.rs
+++ b/server/lib/src/server/migrations.rs
@@ -635,6 +635,7 @@ impl<'a> QueryServerWriteTransaction<'a> {
 E_IDM_UI_ENABLE_EXPERIMENTAL_FEATURES.clone(),
 E_IDM_ACCOUNT_MAIL_READ_PRIV.clone(),
 E_IDM_ACP_ACCOUNT_MAIL_READ_PRIV_V1.clone(),
+ E_IDM_ACCOUNT_SELF_ACP_WRITE_V1.clone(),
 ];
 let res: Result<(), _> = idm_entries