mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-23 04:27:02 +01:00
Code Issues Actions 16 Packages Projects Releases Wiki Activity

20240817 group mail acp (#2982)

Browse source
This commit is contained in:
Firstyear 2024-08-21 09:59:50 +10:00 committed by GitHub
parent 239f4594dd
commit fbfea05c6c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 69 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
book/src/access_control/intro.md
View file

@ -65,6 +65,8 @@ groups.
| `idm_access_control_admins` | write access controls |
| `idm_account_policy_admins` | modify account policy requirements for user authentication |
| `idm_group_admins` | create and modify groups |
| `idm_mail_servers` | read mail attributes needed to be a mail server |
| `idm_mail_service_admins` | grant permissions to service accounts to act as mail servers |
| `idm_oauth2_admins` | create and modify OAuth2 integrations |
| `idm_people_admins` | create and modify persons |
| `idm_people_on_boarding` | create (but not modify) persons. Intended for use with service accounts |

35
server/lib/src/constants/acp.rs
View file

@ -1051,6 +1051,41 @@ lazy_static! {
};
}
lazy_static! {
pub static ref IDM_ACP_MAIL_SERVERS_DL8: BuiltinAcp = BuiltinAcp {
classes: vec![
EntryClass::Object,
EntryClass::AccessControlProfile,
EntryClass::AccessControlSearch,
],
name: "idm_acp_mail_servers",
uuid: UUID_IDM_ACP_MAIL_SERVERS,
description:
"Builtin IDM Control for MAIL servers to read email addresses and other needed attributes.",
receiver: BuiltinAcpReceiver::Group(vec![UUID_IDM_MAIL_SERVERS]),
target: BuiltinAcpTarget::Filter(ProtoFilter::And(vec![
ProtoFilter::Or(vec![
match_class_filter!(EntryClass::Account),
match_class_filter!(EntryClass::Group),
]),
FILTER_ANDNOT_TOMBSTONE_OR_RECYCLED.clone()
])),
search_attrs: vec![
Attribute::Class,
Attribute::Name,
Attribute::Spn,
Attribute::Uuid,
Attribute::DisplayName,
Attribute::Mail,
Attribute::Member,
Attribute::DynMember,
Attribute::MemberOf,
Attribute::GidNumber,
],
..Default::default()
};
}
lazy_static! {
pub static ref IDM_ACP_PEOPLE_SELF_WRITE_MAIL_V1: BuiltinAcp = BuiltinAcp {
classes: vec![

26
server/lib/src/constants/groups.rs
View file

@ -219,7 +219,7 @@ lazy_static! {
};
/// Builtin IDM Group for RADIUS server access delegation.
pub static ref IDM_RADIUS_SERVERS_V1: BuiltinGroup = BuiltinGroup {
pub static ref BUILTIN_IDM_RADIUS_SERVERS_V1: BuiltinGroup = BuiltinGroup {
name: "idm_radius_servers",
description: "Builtin IDM Group for RADIUS server access delegation.",
uuid: UUID_IDM_RADIUS_SERVERS,
@ -229,6 +229,26 @@ lazy_static! {
..Default::default()
};
pub static ref BUILTIN_GROUP_MAIL_SERVICE_ADMINS_DL8: BuiltinGroup = BuiltinGroup {
name: "idm_mail_service_admins",
description: "Builtin Mail Server Administration Group.",
uuid: UUID_IDM_MAIL_ADMINS,
entry_managed_by: Some(UUID_IDM_ADMINS),
members: vec![UUID_IDM_ADMINS],
..Default::default()
};
/// Builtin IDM Group for MAIL server Access delegation.
pub static ref BUILTIN_IDM_MAIL_SERVERS_DL8: BuiltinGroup = BuiltinGroup {
name: "idm_mail_servers",
description: "Builtin IDM Group for MAIL server access delegation.",
uuid: UUID_IDM_MAIL_SERVERS,
entry_managed_by: Some(UUID_IDM_MAIL_ADMINS),
members: vec![
],
..Default::default()
};
pub static ref BUILTIN_GROUP_ACCOUNT_POLICY_ADMINS: BuiltinGroup = BuiltinGroup {
name: "idm_account_policy_admins",
description: "Builtin Account Policy Administration Group.",
@ -436,10 +456,12 @@ pub fn idm_builtin_non_admin_groups() -> Vec<&'static BuiltinGroup> {
&BUILTIN_GROUP_PEOPLE_ON_BOARDING,
&BUILTIN_GROUP_SERVICE_ACCOUNT_ADMINS,
&BUILTIN_GROUP_APPLICATION_ADMINS,
&BUILTIN_GROUP_MAIL_SERVICE_ADMINS_DL8,
&IDM_GROUP_ADMINS_V1,
&IDM_ALL_PERSONS,
&IDM_ALL_ACCOUNTS,
&IDM_RADIUS_SERVERS_V1,
&BUILTIN_IDM_RADIUS_SERVERS_V1,
&BUILTIN_IDM_MAIL_SERVERS_DL8,
&IDM_PEOPLE_SELF_WRITE_MAIL_V1,
// Write deps on read, so write must be added first.
// All members must exist before we write HP

4
server/lib/src/constants/uuids.rs
View file

@ -69,6 +69,8 @@ pub const UUID_IDM_ACCOUNT_POLICY_ADMINS: Uuid = uuid!("00000000-0000-0000-0000-
pub const UUID_IDM_PEOPLE_SELF_NAME_WRITE: Uuid = uuid!("00000000-0000-0000-0000-000000000048");
pub const UUID_IDM_CLIENT_CERTIFICATE_ADMINS: Uuid = uuid!("00000000-0000-0000-0000-000000000049");
pub const UUID_IDM_APPLICATION_ADMINS: Uuid = uuid!("00000000-0000-0000-0000-000000000050");
pub const UUID_IDM_MAIL_ADMINS: Uuid = uuid!("00000000-0000-0000-0000-000000000051");
pub const UUID_IDM_MAIL_SERVERS: Uuid = uuid!("00000000-0000-0000-0000-000000000052");
//
pub const UUID_IDM_HIGH_PRIVILEGE: Uuid = uuid!("00000000-0000-0000-0000-000000001000");
@ -431,10 +433,10 @@ pub const UUID_IDM_ACP_ACCOUNT_UNIX_EXTEND_V1: Uuid = uuid!("00000000-0000-0000-
pub const UUID_KEY_PROVIDER_INTERNAL: Uuid = uuid!("00000000-0000-0000-0000-ffffff000070");
pub const UUID_IDM_ACP_HP_CLIENT_CERTIFICATE_MANAGER: Uuid =
uuid!("00000000-0000-0000-0000-ffffff000071");
pub const UUID_IDM_ACP_APPLICATION_ENTRY_MANAGER: Uuid =
uuid!("00000000-0000-0000-0000-ffffff000072");
pub const UUID_IDM_ACP_APPLICATION_MANAGE: Uuid = uuid!("00000000-0000-0000-0000-ffffff000073");
pub const UUID_IDM_ACP_MAIL_SERVERS: Uuid = uuid!("00000000-0000-0000-0000-ffffff000074");
// End of system ranges
pub const UUID_DOES_NOT_EXIST: Uuid = uuid!("00000000-0000-0000-0000-fffffffffffe");

6
server/lib/src/server/migrations.rs
View file

@ -617,13 +617,17 @@ impl<'a> QueryServerWriteTransaction<'a> {
IDM_ACP_SELF_WRITE_DL8.clone().into(),
IDM_ACP_APPLICATION_MANAGE_DL8.clone().into(),
IDM_ACP_APPLICATION_ENTRY_MANAGER_DL8.clone().into(),
// Add the new types for mail server
BUILTIN_GROUP_MAIL_SERVICE_ADMINS_DL8.clone().try_into()?,
BUILTIN_IDM_MAIL_SERVERS_DL8.clone().try_into()?,
IDM_ACP_MAIL_SERVERS_DL8.clone().into(),
];
idm_data
.into_iter()
.try_for_each(|entry| self.internal_migrate_or_create(entry))
.map_err(|err| {
error!(?err, "migrate_domain_6_to_7 -> Error");
error!(?err, "migrate_domain_7_to_8 -> Error");
err
})?;