mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-06-15 04:27:45 +02:00
Code Issues Actions10 Packages Projects Releases Wiki Activity

Compare commits

...

7 commits
37a1ee72fc ... 1bffecfeb6

Author SHA1 Message Date
Firstyear 1bffecfeb6
Merge 0fe42f62bd into be4818e121 2025-04-24 17:11:38 +02:00
James Hodgkinson be4818e121
Update dependencies, fix a bunch of clippy lints () 2025-04-24 11:25:25 +10:00
William Brown 0fe42f62bd Progress 2025-04-11 09:30:44 +10:00
William Brown 298ce0c9ce Prog 2025-04-11 09:30:44 +10:00
William Brown 722a11bb81 Uhoh 2025-04-11 09:30:44 +10:00
William Brown 96f8bdcea3 What was ldap turning into scim 2025-04-11 09:30:44 +10:00
William Brown 40cc9932a5 Tidy up schema 2025-04-11 09:30:43 +10:00
94 changed files with 1485 additions and 906 deletions

779
Cargo.lock generated
View file

File diff suppressed because it is too large Load diff

49
Cargo.toml
View file

@ -118,15 +118,12 @@ codegen-units = 256
# webauthn-rs-proto = { path = "../webauthn-rs/webauthn-rs-proto" }
# sshkey-attest = { path = "../webauthn-rs/sshkey-attest" }
# kanidm-hsm-crypto = { path = "../hsm-crypto" }
# For BSD nss support
libnss = { git = "https://github.com/Firstyear/libnss-rs.git", branch = "20250207-freebsd" }
# Allow ssh keys to have comments with spaces.
sshkeys = { git = "https://github.com/Firstyear/rust-sshkeys.git", rev = "3a081cbf7480628223bcb96fc8aaa8c19109d007" }
[workspace.dependencies]
kanidmd_core = { path = "./server/core", version = "=1.6.0-dev" }
kanidmd_lib = { path = "./server/lib", version = "=1.6.0-dev" }
@ -143,7 +140,7 @@ kanidm_utils_users = { path = "./libs/users", version = "=1.6.0-dev" }
scim_proto = { path = "./libs/scim_proto", version = "=1.6.0-dev" }
sketching = { path = "./libs/sketching", version = "=1.6.0-dev" }
anyhow = { version = "1.0.95" }
anyhow = { version = "1.0.98" }
argon2 = { version = "0.5.3", features = ["alloc"] }
askama = { version = "0.12.1", features = ["serde", "with-axum"] }
askama_axum = { version = "0.4.0" }
@ -164,7 +161,7 @@ base64 = "^0.22.1"
base64urlsafedata = "0.5.1"
bitflags = "^2.8.0"
bytes = "^1.9.0"
clap = { version = "^4.5.34", features = ["derive", "env"] }
clap = { version = "4.5.37", features = ["derive", "env"] }
clap_complete = "^4.5.42"
# Forced by saffron/cron
chrono = "^0.4.39"
@ -181,9 +178,9 @@ filetime = "^0.2.24"
fs4 = "^0.13.0"
futures = "^0.3.31"
futures-util = { version = "^0.3.30", features = ["sink"] }
gix = { version = "0.64.0", default-features = false }
gix = { version = "0.71.0", default-features = false }
haproxy-protocol = { version = "0.0.1" }
hashbrown = { version = "0.14.3", features = ["serde", "inline-more", "ahash"] }
hashbrown = { version = "0.15.2", features = ["serde", "inline-more"] }
hex = "^0.4.3"
http = "1.2.0"
http-body-util = "0.1"
@ -192,7 +189,7 @@ hyper = { version = "1.5.1", features = [
] } # hyper full includes client/server/http2
hyper-util = { version = "0.1.10", features = ["server", "tokio"] }
idlset = "^0.2.5"
image = { version = "0.24.9", default-features = false, features = [
image = { version = "0.25.6", default-features = false, features = [
"gif",
"jpeg",
"webp",
@ -205,16 +202,16 @@ lazy_static = "^1.5.0"
ldap3_client = "^0.5.2"
ldap3_proto = { version = "^0.5.2", features = ["serde"] }
libc = "^0.2.168"
libc = "0.2.172"
libnss = "^0.8.0"
libsqlite3-sys = "^0.25.2"
lodepng = "3.11.0"
lru = "^0.13.0"
mathru = "^0.13.0"
lru = "0.14.0"
mathru = "0.15.5"
md-5 = "0.10.6"
mimalloc = "0.1.43"
mimalloc = "0.1.46"
notify-debouncer-full = { version = "0.5" }
num_enum = "^0.5.11"
num_enum = "0.7.3"
oauth2_ext = { version = "^4.4.2", package = "oauth2", default-features = false }
openssl-sys = "^0.9"
openssl = "^0.10.72"
@ -236,11 +233,11 @@ tracing-core = "0.1.33"
peg = "0.8"
pkg-config = "^0.3.31"
prctl = "1.0.0"
proc-macro2 = "1.0.93"
qrcode = "^0.12.0"
proc-macro2 = "1.0.95"
qrcode = "0.14.1"
quote = "1"
rand = "^0.8.5"
rand_chacha = "0.3.1"
rand = "0.9.1"
rand_chacha = "0.9.0"
regex = "1.11.0"
reqwest = { version = "0.12.12", default-features = false, features = [
"cookies",
@ -250,13 +247,13 @@ reqwest = { version = "0.12.12", default-features = false, features = [
"rustls-tls-native-roots",
"rustls-tls-native-roots-no-provider",
] }
rusqlite = { version = "^0.28.0", features = ["array", "bundled"] }
rustls = { version = "0.23.21", default-features = false, features = [
rusqlite = { version = "0.35.0", features = ["array", "bundled"] }
rustls = { version = "0.23.26", default-features = false, features = [
"aws_lc_rs",
] }
sd-notify = "^0.4.5"
selinux = "^0.4.6"
selinux = "^0.5.1"
serde = "^1.0.217"
serde_cbor = { version = "0.12.0-dev", package = "serde_cbor_2" }
serde_json = "^1.0.137"
@ -264,13 +261,13 @@ serde_urlencoded = "^0.7.1"
serde_with = "3.12.0"
sha-crypt = "0.5.0"
sha2 = "0.10.8"
shellexpand = "^2.1.2"
shellexpand = "3.1.1"
smartstring = "^1.0.1"
smolset = "^1.3.1"
sshkey-attest = "^0.5.0"
sshkeys = "0.3.3"
svg = "0.13.1"
syn = { version = "2.0.96", features = ["full"] }
svg = "0.18.0"
syn = { version = "2.0.100", features = ["full"] }
tempfile = "3.15.0"
testkit-macros = { path = "./server/testkit-macros" }
time = { version = "^0.3.36", features = ["formatting", "local-offset"] }
@ -279,7 +276,7 @@ tokio = "^1.44.2"
tokio-openssl = "^0.6.5"
tokio-util = "^0.7.13"
toml = "^0.5.11"
toml = "^0.8.20"
tracing = { version = "^0.1.41", features = [
"max_level_trace",
"release_max_level_debug",
@ -306,6 +303,6 @@ walkdir = "2"
x509-cert = "0.2.5"
zxcvbn = "^2.2.2"
zxcvbn = "3.1.0"
nonempty = "0.8.1"
nonempty = "0.11.0"

19
libs/client/src/application.rs Normal file
View file

@ -0,0 +1,19 @@
use crate::{ClientError, KanidmClient};
use kanidm_proto::scim_v1::client::{ScimEntryApplication, ScimEntryApplicationPost};
impl KanidmClient {
/// Delete an application
pub async fn idm_application_delete(&self, id: &str) -> Result<(), ClientError> {
self.perform_delete_request(format!("/scim/v1/Application/{}", id).as_str())
.await
}
/// Create an application
pub async fn idm_application_create(
&self,
application: &ScimEntryApplicationPost,
) -> Result<ScimEntryApplication, ClientError> {
self.perform_post_request("/scim/v1/Application", application)
.await
}
}

1
libs/client/src/lib.rs
View file

@ -50,6 +50,7 @@ use webauthn_rs_proto::{
PublicKeyCredential, RegisterPublicKeyCredential, RequestChallengeResponse,
};
mod application;
mod domain;
mod group;
mod oauth;

2
libs/client/src/scim.rs
View file

@ -2,12 +2,10 @@ use crate::{ClientError, KanidmClient};
use kanidm_proto::scim_v1::{ScimEntryGeneric, ScimEntryGetQuery, ScimSyncRequest, ScimSyncState};
impl KanidmClient {
// TODO: testing for this
pub async fn scim_v1_sync_status(&self) -> Result<ScimSyncState, ClientError> {
self.perform_get_request("/scim/v1/Sync").await
}
// TODO: testing for this
pub async fn scim_v1_sync_update(
&self,
scim_sync_request: &ScimSyncRequest,

24
libs/crypto/src/lib.rs
View file

@ -834,9 +834,9 @@ impl TryFrom<&str> for Password {
impl Password {
fn bench_pbkdf2(pbkdf2_cost: usize) -> Option<Duration> {
let mut rng = rand::thread_rng();
let salt: Vec<u8> = (0..PBKDF2_SALT_LEN).map(|_| rng.gen()).collect();
let input: Vec<u8> = (0..PBKDF2_SALT_LEN).map(|_| rng.gen()).collect();
let mut rng = rand::rng();
let salt: Vec<u8> = (0..PBKDF2_SALT_LEN).map(|_| rng.random()).collect();
let input: Vec<u8> = (0..PBKDF2_SALT_LEN).map(|_| rng.random()).collect();
// This is 512 bits of output
let mut key: Vec<u8> = (0..PBKDF2_KEY_LEN).map(|_| 0).collect();
@ -855,9 +855,9 @@ impl Password {
}
fn bench_argon2id(params: Params) -> Option<Duration> {
let mut rng = rand::thread_rng();
let salt: Vec<u8> = (0..ARGON2_SALT_LEN).map(|_| rng.gen()).collect();
let input: Vec<u8> = (0..ARGON2_SALT_LEN).map(|_| rng.gen()).collect();
let mut rng = rand::rng();
let salt: Vec<u8> = (0..ARGON2_SALT_LEN).map(|_| rng.random()).collect();
let input: Vec<u8> = (0..ARGON2_SALT_LEN).map(|_| rng.random()).collect();
let mut key: Vec<u8> = (0..ARGON2_KEY_LEN).map(|_| 0).collect();
let argon = Argon2::new(Algorithm::Argon2id, Version::V0x13, params);
@ -873,8 +873,8 @@ impl Password {
pub fn new_pbkdf2(policy: &CryptoPolicy, cleartext: &str) -> Result<Self, CryptoError> {
let pbkdf2_cost = policy.pbkdf2_cost;
let mut rng = rand::thread_rng();
let salt: Vec<u8> = (0..PBKDF2_SALT_LEN).map(|_| rng.gen()).collect();
let mut rng = rand::rng();
let salt: Vec<u8> = (0..PBKDF2_SALT_LEN).map(|_| rng.random()).collect();
let mut key: Vec<u8> = (0..PBKDF2_KEY_LEN).map(|_| 0).collect();
pbkdf2_hmac(
@ -897,8 +897,8 @@ impl Password {
let argon = Argon2::new(Algorithm::Argon2id, version, policy.argon2id_params.clone());
let mut rng = rand::thread_rng();
let salt: Vec<u8> = (0..ARGON2_SALT_LEN).map(|_| rng.gen()).collect();
let mut rng = rand::rng();
let salt: Vec<u8> = (0..ARGON2_SALT_LEN).map(|_| rng.random()).collect();
let mut key: Vec<u8> = (0..ARGON2_KEY_LEN).map(|_| 0).collect();
argon
@ -925,8 +925,8 @@ impl Password {
let argon = Argon2::new(Algorithm::Argon2id, version, policy.argon2id_params.clone());
let mut rng = rand::thread_rng();
let salt: Vec<u8> = (0..ARGON2_SALT_LEN).map(|_| rng.gen()).collect();
let mut rng = rand::rng();
let salt: Vec<u8> = (0..ARGON2_SALT_LEN).map(|_| rng.random()).collect();
let mut check_key: Vec<u8> = (0..ARGON2_KEY_LEN).map(|_| 0).collect();
argon

5
libs/profiles/src/lib.rs
View file

@ -77,7 +77,10 @@ pub fn apply_profile() {
.decode(contents)
.unwrap_or_else(|_| panic!("Failed to parse profile - {} - {}", profile, contents));
let profile_cfg: ProfileConfig = toml::from_slice(&data)
let data_str = String::from_utf8(data)
.unwrap_or_else(|_| panic!("Failed to read profile data to UTF-8 string - {}", profile));
let profile_cfg: ProfileConfig = toml::from_str(&data_str)
.unwrap_or_else(|_| panic!("Failed to parse profile - {} - {}", profile, contents));
// We have to setup for our pkg version to be passed into things correctly

3
proto/src/attribute.rs
View file

@ -32,6 +32,7 @@ pub enum Attribute {
AcpTargetScope,
ApiTokenSession,
ApplicationPassword,
ApplicationUrl,
AttestedPasskeys,
#[default]
Attr,
@ -267,6 +268,7 @@ impl Attribute {
Attribute::AcpTargetScope => ATTR_ACP_TARGET_SCOPE,
Attribute::ApiTokenSession => ATTR_API_TOKEN_SESSION,
Attribute::ApplicationPassword => ATTR_APPLICATION_PASSWORD,
Attribute::ApplicationUrl => ATTR_APPLICATION_URL,
Attribute::AttestedPasskeys => ATTR_ATTESTED_PASSKEYS,
Attribute::Attr => ATTR_ATTR,
Attribute::AttributeName => ATTR_ATTRIBUTENAME,
@ -454,6 +456,7 @@ impl Attribute {
ATTR_ACP_TARGET_SCOPE => Attribute::AcpTargetScope,
ATTR_API_TOKEN_SESSION => Attribute::ApiTokenSession,
ATTR_APPLICATION_PASSWORD => Attribute::ApplicationPassword,
ATTR_APPLICATION_URL => Attribute::ApplicationUrl,
ATTR_ATTESTED_PASSKEYS => Attribute::AttestedPasskeys,
ATTR_ATTR => Attribute::Attr,
ATTR_ATTRIBUTENAME => Attribute::AttributeName,

1
proto/src/constants.rs
View file

@ -72,6 +72,7 @@ pub const ATTR_ACP_SEARCH_ATTR: &str = "acp_search_attr";
pub const ATTR_ACP_TARGET_SCOPE: &str = "acp_targetscope";
pub const ATTR_API_TOKEN_SESSION: &str = "api_token_session";
pub const ATTR_APPLICATION_PASSWORD: &str = "application_password";
pub const ATTR_APPLICATION_URL: &str = "application_url";
pub const ATTR_ATTESTED_PASSKEYS: &str = "attested_passkeys";
pub const ATTR_ATTR: &str = "attr";
pub const ATTR_ATTRIBUTENAME: &str = "attributename";

4
proto/src/internal/error.rs
View file

@ -213,6 +213,8 @@ pub enum OperationError {
SC0024SshPublicKeySyntaxInvalid,
SC0025UiHintSyntaxInvalid,
SC0026Utf8SyntaxInvalid,
SC0027ClassSetInvalid,
SC0028CreatedUuidsInvalid,
// Migration
MG0001InvalidReMigrationLevel,
MG0002RaiseDomainLevelExceedsMaximum,
@ -492,6 +494,8 @@ impl OperationError {
Self::SC0024SshPublicKeySyntaxInvalid => Some("A SCIM Ssh Public Key contained invalid syntax".into()),
Self::SC0025UiHintSyntaxInvalid => Some("A SCIM UiHint contained invalid syntax".into()),
Self::SC0026Utf8SyntaxInvalid => Some("A SCIM Utf8 String Scope Map contained invalid syntax".into()),
Self::SC0027ClassSetInvalid => Some("The internal set of class templates used in this create operation was invalid. THIS IS A BUG.".into()),
Self::SC0028CreatedUuidsInvalid => Some("The internal create query did not return the set of created UUIDs. THIS IS A BUG".into()),
Self::UI0001ChallengeSerialisation => Some("The WebAuthn challenge was unable to be serialised.".into()),
Self::UI0002InvalidState => Some("The credential update process returned an invalid state transition.".into()),

45
proto/src/scim_v1/client.rs
View file

@ -2,6 +2,7 @@
use super::ScimEntryGetQuery;
use super::ScimOauth2ClaimMapJoinChar;
use crate::attribute::{Attribute, SubAttribute};
use scim_proto::ScimEntryHeader;
use serde::{Deserialize, Serialize};
use serde_json::Value as JsonValue;
use serde_with::formats::PreferMany;
@ -31,6 +32,18 @@ pub struct ScimReference {
pub value: Option<String>,
}
impl<T> From<T> for ScimReference
where
T: AsRef<str>,
{
fn from(value: T) -> Self {
ScimReference {
uuid: None,
value: Some(value.as_ref().to_string()),
}
}
}
pub type ScimReferences = Vec<ScimReference>;
#[serde_as]
@ -79,6 +92,31 @@ pub struct ScimOAuth2ScopeMap {
pub scopes: BTreeSet<String>,
}
#[serde_as]
#[derive(Serialize, Debug, Clone)]
#[serde(rename_all = "snake_case")]
pub struct ScimEntryApplicationPost {
pub name: String,
pub displayname: String,
pub linked_group: ScimReference,
}
#[serde_as]
#[derive(Deserialize, Debug, Clone)]
#[serde(rename_all = "snake_case")]
pub struct ScimEntryApplication {
#[serde(flatten)]
pub header: ScimEntryHeader,
pub name: String,
pub displayname: String,
pub linked_group: Vec<super::ScimReference>,
#[serde(flatten)]
pub attrs: BTreeMap<Attribute, JsonValue>,
}
#[derive(Serialize, Debug, Clone)]
pub struct ScimEntryPutKanidm {
pub id: Uuid,
@ -90,6 +128,13 @@ pub struct ScimEntryPutKanidm {
#[derive(Deserialize, Serialize, Debug, Clone)]
pub struct ScimStrings(#[serde_as(as = "OneOrMany<_, PreferMany>")] pub Vec<String>);
#[derive(Debug, Clone, Deserialize, Default)]
pub struct ScimEntryPostGeneric {
/// Create an attribute to contain the following value state.
#[serde(flatten)]
pub attrs: BTreeMap<Attribute, JsonValue>,
}
#[derive(Debug, Clone, Deserialize, Default)]
pub struct ScimEntryPutGeneric {
// id is only used to target the entry in question

13
proto/src/scim_v1/mod.rs
View file

@ -18,13 +18,13 @@
use crate::attribute::Attribute;
use serde::{Deserialize, Serialize};
use serde_with::formats::CommaSeparator;
use serde_with::{serde_as, skip_serializing_none, StringWithSeparator};
use sshkey_attest::proto::PublicKey as SshPublicKey;
use std::collections::BTreeMap;
use std::ops::Not;
use utoipa::ToSchema;
use serde_with::formats::CommaSeparator;
use serde_with::{serde_as, skip_serializing_none, StringWithSeparator};
use uuid::Uuid;
pub use self::synch::*;
pub use scim_proto::prelude::*;
@ -86,6 +86,13 @@ pub struct ScimSshPublicKey {
pub value: SshPublicKey,
}
#[derive(Deserialize, Serialize, Debug, Clone, PartialEq, Eq, ToSchema)]
#[serde(rename_all = "camelCase")]
pub struct ScimReference {
pub uuid: Uuid,
pub value: String,
}
#[derive(Deserialize, Serialize, Debug, Clone, ToSchema)]
pub enum ScimOauth2ClaimMapJoinChar {
#[serde(rename = ",", alias = "csv")]

73
server/core/src/actors/v1_scim.rs
View file

@ -1,10 +1,14 @@
use super::{QueryServerReadV1, QueryServerWriteV1};
use kanidm_proto::scim_v1::{
client::ScimFilter, server::ScimEntryKanidm, ScimEntryGetQuery, ScimSyncRequest, ScimSyncState,
client::ScimEntryPostGeneric, client::ScimFilter, server::ScimEntryKanidm, ScimEntryGetQuery,
ScimSyncRequest, ScimSyncState,
};
use kanidmd_lib::idm::scim::{
GenerateScimSyncTokenEvent, ScimSyncFinaliseEvent, ScimSyncTerminateEvent, ScimSyncUpdateEvent,
};
use kanidmd_lib::server::scim::{ScimCreateEvent, ScimDeleteEvent};
use kanidmd_lib::idm::server::IdmServerTransaction;
use kanidmd_lib::prelude::*;
@ -176,6 +180,73 @@ impl QueryServerWriteV1 {
.scim_sync_apply(&sse, &changes, ct)
.and_then(|r| idms_prox_write.commit().map(|_| r))
}
#[instrument(
level = "info",
skip_all,
fields(uuid = ?eventid)
)]
pub async fn scim_entry_create(
&self,
client_auth_info: ClientAuthInfo,
eventid: Uuid,
classes: &[EntryClass],
entry: ScimEntryPostGeneric,
) -> Result<ScimEntryKanidm, OperationError> {
let ct = duration_from_epoch_now();
let mut idms_prox_write = self.idms.proxy_write(ct).await?;
let ident = idms_prox_write
.validate_client_auth_info_to_ident(client_auth_info, ct)
.map_err(|e| {
admin_error!(err = ?e, "Invalid identity");
e
})?;
let scim_create_event =
ScimCreateEvent::try_from(ident, classes, entry, &mut idms_prox_write.qs_write)?;
idms_prox_write
.qs_write
.scim_create(scim_create_event)
.and_then(|r| idms_prox_write.commit().map(|_| r))
}
#[instrument(
level = "info",
skip_all,
fields(uuid = ?eventid)
)]
pub async fn scim_entry_id_delete(
&self,
client_auth_info: ClientAuthInfo,
eventid: Uuid,
uuid_or_name: String,
class: EntryClass,
) -> Result<(), OperationError> {
let ct = duration_from_epoch_now();
let mut idms_prox_write = self.idms.proxy_write(ct).await?;
let ident = idms_prox_write
.validate_client_auth_info_to_ident(client_auth_info, ct)
.map_err(|e| {
admin_error!(err = ?e, "Invalid identity");
e
})?;
let target = idms_prox_write
.qs_write
.name_to_uuid(uuid_or_name.as_str())
.map_err(|e| {
admin_error!(err = ?e, "Error resolving id to target");
e
})?;
let scim_delete_event = ScimDeleteEvent::new(ident, target, class);
idms_prox_write
.qs_write
.scim_delete(scim_delete_event)
.and_then(|r| idms_prox_write.commit().map(|_| r))
}
}
impl QueryServerReadV1 {

2
server/core/src/https/apidocs/mod.rs
View file

@ -78,6 +78,8 @@ impl Modify for SecurityAddon {
super::v1_scim::scim_sync_get,
super::v1_scim::scim_entry_id_get,
super::v1_scim::scim_person_id_get,
super::v1_scim::scim_application_post,
super::v1_scim::scim_application_id_delete,
super::v1::schema_get,
super::v1::whoami,

2
server/core/src/https/apidocs/tests.rs
View file

@ -43,7 +43,7 @@ fn figure_out_if_we_have_all_the_routes() {
.unwrap();
// work our way through the source files in this package looking for routedefs
let mut found_routes: BTreeMap<String, Vec<(String, String)>> = BTreeMap::new();
let walker = walkdir::WalkDir::new(format!("{}/src", env!("CARGO_MANIFEST_DIR")))
let walker = walkdir::WalkDir::new(format!("{}/src/https", env!("CARGO_MANIFEST_DIR")))
.follow_links(false)
.into_iter();

75
server/core/src/https/v1_scim.rs
View file

@ -9,10 +9,11 @@ use super::ServerState;
use crate::https::extractors::VerifiedClientInformation;
use axum::extract::{rejection::JsonRejection, DefaultBodyLimit, Path, Query, State};
use axum::response::{Html, IntoResponse, Response};
use axum::routing::{get, post};
use axum::routing::{delete, get, post};
use axum::{Extension, Json, Router};
use kanidm_proto::scim_v1::{
server::ScimEntryKanidm, ScimEntryGetQuery, ScimSyncRequest, ScimSyncState,
client::ScimEntryPostGeneric, server::ScimEntryKanidm, ScimEntryGetQuery, ScimSyncRequest,
ScimSyncState,
};
use kanidm_proto::v1::Entry as ProtoEntry;
use kanidmd_lib::prelude::*;
@ -383,6 +384,65 @@ async fn scim_person_id_get(
.map_err(WebError::from)
}
#[utoipa::path(
post,
path = "/scim/v1/Application",
responses(
(status = 200, content_type="application/json", body=ScimEntry),
ApiResponseWithout200,
),
security(("token_jwt" = [])),
tag = "scim",
operation_id = "scim_application_post"
)]
async fn scim_application_post(
State(state): State<ServerState>,
Extension(kopid): Extension<KOpId>,
VerifiedClientInformation(client_auth_info): VerifiedClientInformation,
Json(entry_post): Json<ScimEntryPostGeneric>,
) -> Result<Json<ScimEntryKanidm>, WebError> {
state
.qe_w_ref
.scim_entry_create(
client_auth_info,
kopid.eventid,
&[
EntryClass::Account,
EntryClass::ServiceAccount,
EntryClass::Application,
],
entry_post,
)
.await
.map(Json::from)
.map_err(WebError::from)
}
#[utoipa::path(
delete,
path = "/scim/v1/Application/{id}",
responses(
(status = 200, content_type="application/json"),
ApiResponseWithout200,
),
security(("token_jwt" = [])),
tag = "scim",
operation_id = "scim_application_id_delete"
)]
async fn scim_application_id_delete(
State(state): State<ServerState>,
Path(id): Path<String>,
Extension(kopid): Extension<KOpId>,
VerifiedClientInformation(client_auth_info): VerifiedClientInformation,
) -> Result<Json<()>, WebError> {
state
.qe_w_ref
.scim_entry_id_delete(client_auth_info, kopid.eventid, id, EntryClass::Application)
.await
.map(Json::from)
.map_err(WebError::from)
}
pub fn route_setup() -> Router<ServerState> {
Router::new()
.route(
@ -486,6 +546,17 @@ pub fn route_setup() -> Router<ServerState> {
//
// POST Send a sync update
//
//
// Application /Application Post Create a new application
//
.route("/scim/v1/Application", post(scim_application_post))
// Application /Application/{id} Delete Delete the application identified by id
//
.route(
"/scim/v1/Application/:id",
delete(scim_application_id_delete),
)
// Synchronisation routes.
.route(
"/scim/v1/Sync",
post(scim_sync_post)

2
server/lib/src/be/mod.rs
View file

@ -2417,7 +2417,7 @@ mod tests {
let lims = Limits::unlimited();
let r = be.search(&lims, &filt);
assert!(r.expect("Search failed!").len() == 0);
assert!(r.expect("Search failed!").is_empty());
});
}

1
server/lib/src/constants/uuids.rs
View file

@ -334,6 +334,7 @@ pub const UUID_SCHEMA_ATTR_ACP_MODIFY_PRESENT_CLASS: Uuid =
uuid!("00000000-0000-0000-0000-ffff00000189");
pub const UUID_SCHEMA_ATTR_ACP_MODIFY_REMOVE_CLASS: Uuid =
uuid!("00000000-0000-0000-0000-ffff00000190");
pub const UUID_SCHEMA_ATTR_APPLICATION_URL: Uuid = uuid!("00000000-0000-0000-0000-ffff00000191");
// System and domain infos
// I'd like to strongly criticise william of the past for making poor choices about these allocations.

4
server/lib/src/credential/totp.rs
View file

@ -145,8 +145,8 @@ impl Totp {
// Create a new token with secure key and algo.
pub fn generate_secure(step: u64) -> Self {
let mut rng = rand::thread_rng();
let secret: Vec<u8> = (0..SECRET_SIZE_BYTES).map(|_| rng.gen()).collect();
let mut rng = rand::rng();
let secret: Vec<u8> = (0..SECRET_SIZE_BYTES).map(|_| rng.random()).collect();
let algo = TotpAlgo::Sha256;
let digits = TotpDigits::Six;
Totp {

40
server/lib/src/entry.rs
View file

@ -24,11 +24,6 @@
//! [`filter`]: ../filter/index.html
//! [`schema`]: ../schema/index.html
use std::cmp::Ordering;
pub use std::collections::BTreeSet as Set;
use std::collections::{BTreeMap as Map, BTreeMap, BTreeSet};
use std::sync::Arc;
use crate::be::dbentry::{DbEntry, DbEntryVers};
use crate::be::dbvalue::DbValueSetV2;
use crate::be::{IdxKey, IdxSlope};
@ -41,7 +36,13 @@ use crate::prelude::*;
use crate::repl::cid::Cid;
use crate::repl::entry::EntryChangeState;
use crate::repl::proto::{ReplEntryV1, ReplIncrementalEntryV1};
use crate::schema::{SchemaAttribute, SchemaClass, SchemaTransaction};
use crate::server::access::AccessEffectivePermission;
use crate::value::{
ApiToken, CredentialType, IndexType, IntentTokenState, Oauth2Session, PartialValue, Session,
SyntaxType, Value,
};
use crate::valueset::{self, ScimResolveStatus, ValueSet};
use compact_jwt::JwsEs256Signer;
use hashbrown::{HashMap, HashSet};
use kanidm_proto::internal::ImageValue;
@ -53,6 +54,10 @@ use kanidm_proto::v1::Entry as ProtoEntry;
use ldap3_proto::simple::{LdapPartialAttribute, LdapSearchResultEntry};
use openssl::ec::EcKey;
use openssl::pkey::{Private, Public};
use std::cmp::Ordering;
pub use std::collections::BTreeSet as Set;
use std::collections::{BTreeMap as Map, BTreeMap, BTreeSet};
use std::sync::Arc;
use time::OffsetDateTime;
use tracing::trace;
use uuid::Uuid;
@ -60,13 +65,6 @@ use webauthn_rs::prelude::{
AttestationCaList, AttestedPasskey as AttestedPasskeyV4, Passkey as PasskeyV4,
};
use crate::schema::{SchemaAttribute, SchemaClass, SchemaTransaction};
use crate::value::{
ApiToken, CredentialType, IndexType, IntentTokenState, Oauth2Session, PartialValue, Session,
SyntaxType, Value,
};
use crate::valueset::{self, ScimResolveStatus, ValueSet};
pub type EntryInitNew = Entry<EntryInit, EntryNew>;
pub type EntryInvalidNew = Entry<EntryInvalid, EntryNew>;
pub type EntryRefreshNew = Entry<EntryRefresh, EntryNew>;
@ -285,6 +283,18 @@ impl Default for Entry<EntryInit, EntryNew> {
}
}
impl FromIterator<(Attribute, ValueSet)> for EntryInitNew {
fn from_iter<I: IntoIterator<Item = (Attribute, ValueSet)>>(iter: I) -> Self {
let attrs = Eattrs::from_iter(iter);
Entry {
valid: EntryInit,
state: EntryNew,
attrs,
}
}
}
impl Entry<EntryInit, EntryNew> {
pub fn new() -> Self {
Entry {
@ -292,7 +302,6 @@ impl Entry<EntryInit, EntryNew> {
valid: EntryInit,
state: EntryNew,
attrs: Map::new(),
// attrs: Map::with_capacity(32),
}
}
@ -479,6 +488,11 @@ impl Entry<EntryInit, EntryNew> {
self.attrs.remove(attr);
}
/// Set the content of this ava with this valueset, ignoring the previous data.
pub fn set_ava_set(&mut self, attr: &Attribute, vs: ValueSet) {
self.attrs.insert(attr.clone(), vs);
}
/// Replace the existing content of an attribute set of this Entry, with a new set of Values.
pub fn set_ava<T>(&mut self, attr: Attribute, iter: T)
where

15
server/lib/src/event.rs
View file

@ -346,6 +346,8 @@ pub struct CreateEvent {
pub entries: Vec<Entry<EntryInit, EntryNew>>,
// Is the CreateEvent from an internal or external source?
// This may affect which plugins are run ...
/// If true, the list of created entry UUID's will be returned.
pub return_created_uuids: bool,
}
impl CreateEvent {
@ -363,7 +365,11 @@ impl CreateEvent {
// What is the correct consuming iterator here? Can we
// even do that?
match rentries {
Ok(entries) => Ok(CreateEvent { ident, entries }),
Ok(entries) => Ok(CreateEvent {
ident,
entries,
return_created_uuids: false,
}),
Err(e) => Err(e),
}
}
@ -373,13 +379,18 @@ impl CreateEvent {
ident: Identity,
entries: Vec<Entry<EntryInit, EntryNew>>,
) -> Self {
CreateEvent { ident, entries }
CreateEvent {
ident,
entries,
return_created_uuids: false,
}
}
pub fn new_internal(entries: Vec<Entry<EntryInit, EntryNew>>) -> Self {
CreateEvent {
ident: Identity::from_internal(),
entries,
return_created_uuids: false,
}
}
}

138
server/lib/src/idm/application.rs
View file

@ -255,139 +255,6 @@ mod tests {
const TEST_CURRENT_TIME: u64 = 6000;
// Tests that only the correct combinations of [Account, Person, Application and
// ServiceAccount] classes are allowed.
#[idm_test]
async fn test_idm_application_excludes(idms: &IdmServer, _idms_delayed: &mut IdmServerDelayed) {
let ct = Duration::from_secs(TEST_CURRENT_TIME);
let mut idms_prox_write = idms.proxy_write(ct).await.unwrap();
// ServiceAccount, Application and Person not allowed together
let test_grp_name = "testgroup1";
let test_grp_uuid = Uuid::new_v4();
let e1 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Group.to_value()),
(Attribute::Name, Value::new_iname(test_grp_name)),
(Attribute::Uuid, Value::Uuid(test_grp_uuid))
);
let test_entry_uuid = Uuid::new_v4();
let e2 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::Class, EntryClass::Person.to_value()),
(Attribute::Name, Value::new_iname("test_app_name")),
(Attribute::Uuid, Value::Uuid(test_entry_uuid)),
(Attribute::Description, Value::new_utf8s("test_app_desc")),
(
Attribute::DisplayName,
Value::new_utf8s("test_app_dispname")
),
(Attribute::LinkedGroup, Value::Refer(test_grp_uuid))
);
let ce = CreateEvent::new_internal(vec![e1, e2]);
let cr = idms_prox_write.qs_write.create(&ce);
assert!(cr.is_err());
// Application and Person not allowed together
let test_grp_name = "testgroup1";
let test_grp_uuid = Uuid::new_v4();
let e1 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Group.to_value()),
(Attribute::Name, Value::new_iname(test_grp_name)),
(Attribute::Uuid, Value::Uuid(test_grp_uuid))
);
let test_entry_uuid = Uuid::new_v4();
let e2 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::Class, EntryClass::Person.to_value()),
(Attribute::Name, Value::new_iname("test_app_name")),
(Attribute::Uuid, Value::Uuid(test_entry_uuid)),
(Attribute::Description, Value::new_utf8s("test_app_desc")),
(
Attribute::DisplayName,
Value::new_utf8s("test_app_dispname")
),
(Attribute::LinkedGroup, Value::Refer(test_grp_uuid))
);
let ce = CreateEvent::new_internal(vec![e1, e2]);
let cr = idms_prox_write.qs_write.create(&ce);
assert!(cr.is_err());
// Supplements not satisfied, Application supplements ServiceAccount
let test_grp_name = "testgroup1";
let test_grp_uuid = Uuid::new_v4();
let e1 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Group.to_value()),
(Attribute::Name, Value::new_iname(test_grp_name)),
(Attribute::Uuid, Value::Uuid(test_grp_uuid))
);
let test_entry_uuid = Uuid::new_v4();
let e2 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::Name, Value::new_iname("test_app_name")),
(Attribute::Uuid, Value::Uuid(test_entry_uuid)),
(Attribute::Description, Value::new_utf8s("test_app_desc")),
(Attribute::LinkedGroup, Value::Refer(test_grp_uuid))
);
let ce = CreateEvent::new_internal(vec![e1, e2]);
let cr = idms_prox_write.qs_write.create(&ce);
assert!(cr.is_err());
// Supplements not satisfied, Application supplements ServiceAccount
let test_grp_name = "testgroup1";
let test_grp_uuid = Uuid::new_v4();
let e1 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Group.to_value()),
(Attribute::Name, Value::new_iname(test_grp_name)),
(Attribute::Uuid, Value::Uuid(test_grp_uuid))
);
let test_entry_uuid = Uuid::new_v4();
let e2 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::Name, Value::new_iname("test_app_name")),
(Attribute::Uuid, Value::Uuid(test_entry_uuid)),
(Attribute::Description, Value::new_utf8s("test_app_desc")),
(Attribute::LinkedGroup, Value::Refer(test_grp_uuid))
);
let ce = CreateEvent::new_internal(vec![e1, e2]);
let cr = idms_prox_write.qs_write.create(&ce);
assert!(cr.is_err());
// Supplements satisfied, Application supplements ServiceAccount
let test_grp_name = "testgroup1";
let test_grp_uuid = Uuid::new_v4();
let e1 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Group.to_value()),
(Attribute::Name, Value::new_iname(test_grp_name)),
(Attribute::Uuid, Value::Uuid(test_grp_uuid))
);
let test_entry_uuid = Uuid::new_v4();
let e2 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Name, Value::new_iname("test_app_name")),
(Attribute::Uuid, Value::Uuid(test_entry_uuid)),
(Attribute::Description, Value::new_utf8s("test_app_desc")),
(Attribute::LinkedGroup, Value::Refer(test_grp_uuid))
);
let ce = CreateEvent::new_internal(vec![e1, e2]);
let cr = idms_prox_write.qs_write.create(&ce);
assert!(cr.is_ok());
}
// Tests it is not possible to create an application without the linked group attribute
#[idm_test]
async fn test_idm_application_no_linked_group(
@ -404,6 +271,7 @@ mod tests {
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::DisplayName, Value::new_utf8s("Application")),
(Attribute::Name, Value::new_iname("test_app_name")),
(Attribute::Uuid, Value::Uuid(test_entry_uuid)),
(Attribute::Description, Value::new_utf8s("test_app_desc")),
@ -547,8 +415,10 @@ mod tests {
let e3 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::DisplayName, Value::new_utf8s("Application")),
(Attribute::Name, Value::new_iname(test_app_name)),
(Attribute::Uuid, Value::Uuid(test_app_uuid)),
(Attribute::LinkedGroup, Value::Refer(test_grp_uuid))
@ -647,7 +517,9 @@ mod tests {
let e2 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::DisplayName, Value::new_utf8s("Application")),
(Attribute::Name, Value::new_iname("test_app_name")),
(Attribute::Uuid, Value::Uuid(test_entry_uuid)),
(Attribute::Description, Value::new_utf8s("test_app_desc")),

16
server/lib/src/idm/credupdatesession.rs
View file

@ -17,6 +17,7 @@ use webauthn_rs::prelude::{
AttestedPasskey as AttestedPasskeyV4, AttestedPasskeyRegistration, CreationChallengeResponse,
Passkey as PasskeyV4, PasskeyRegistration, RegisterPublicKeyCredential, WebauthnError,
};
use zxcvbn::{zxcvbn, Score};
use crate::credential::totp::{Totp, TOTP_DEFAULT_STEP};
use crate::credential::{BackupCodes, Credential};
@ -1663,23 +1664,14 @@ impl IdmServerCredUpdateTransaction<'_> {
}
// does the password pass zxcvbn?
let entropy = zxcvbn::zxcvbn(cleartext, related_inputs).map_err(|e| {
admin_error!("zxcvbn check failure (password empty?) {:?}", e);
// Return some generic feedback when the password is this bad.
PasswordQuality::Feedback(vec![
PasswordFeedback::UseAFewWordsAvoidCommonPhrases,
PasswordFeedback::AddAnotherWordOrTwo,
PasswordFeedback::NoNeedForSymbolsDigitsOrUppercaseLetters,
])
})?;
let entropy = zxcvbn(cleartext, related_inputs);
// PW's should always be enforced as strong as possible.
if entropy.score() < 4 {
if entropy.score() < Score::Four {
// The password is too week as per:
// https://docs.rs/zxcvbn/2.0.0/zxcvbn/struct.Entropy.html
let feedback: zxcvbn::feedback::Feedback = entropy
.feedback()
.as_ref()
.ok_or(OperationError::InvalidState)
.cloned()
.map_err(|e| {
@ -3405,7 +3397,7 @@ mod tests {
assert!(
matches!(
c_status.mfaregstate,
MfaRegStateStatus::TotpNameTryAgain(ref val) if val == ""
MfaRegStateStatus::TotpNameTryAgain(ref val) if val.is_empty()
),
"{:?}",
c_status.mfaregstate

16
server/lib/src/idm/ldap.rs
View file

@ -1119,8 +1119,10 @@ mod tests {
let e3 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::DisplayName, Value::new_utf8s("Application")),
(Attribute::Name, Value::new_iname(app_name)),
(Attribute::Uuid, Value::Uuid(app_uuid)),
(Attribute::LinkedGroup, Value::Refer(grp_uuid))
@ -1209,7 +1211,7 @@ mod tests {
// Searching a malformed spn shouldn't cause the query to fail
let sr = SearchRequest {
msgid: 1,
base: format!("dc=example,dc=com"),
base: "dc=example,dc=com".to_string(),
scope: LdapSearchScope::Subtree,
filter: LdapFilter::Or(vec![
LdapFilter::Equality(Attribute::Name.to_string(), usr_name.to_string()),
@ -1232,7 +1234,7 @@ mod tests {
let sr = SearchRequest {
msgid: 1,
base: format!("dc=example,dc=com"),
base: "dc=example,dc=com".to_string(),
scope: LdapSearchScope::Subtree,
filter: LdapFilter::And(vec![
LdapFilter::Equality(Attribute::Name.to_string(), usr_name.to_string()),
@ -1283,8 +1285,10 @@ mod tests {
let e3 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::DisplayName, Value::new_utf8s("Application")),
(Attribute::Name, Value::new_iname("testapp1")),
(Attribute::Uuid, Value::Uuid(app_uuid)),
(Attribute::LinkedGroup, Value::Refer(grp_uuid))
@ -1456,8 +1460,10 @@ mod tests {
let e4 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::DisplayName, Value::new_utf8s("Application")),
(Attribute::Name, Value::new_iname(app1_name)),
(Attribute::Uuid, Value::Uuid(app1_uuid)),
(Attribute::LinkedGroup, Value::Refer(grp1_uuid))
@ -1465,8 +1471,10 @@ mod tests {
let e5 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::DisplayName, Value::new_utf8s("Application")),
(Attribute::Name, Value::new_iname(app2_name)),
(Attribute::Uuid, Value::Uuid(app2_uuid)),
(Attribute::LinkedGroup, Value::Refer(grp2_uuid))
@ -1651,8 +1659,10 @@ mod tests {
let e3 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::DisplayName, Value::new_utf8s("Application")),
(Attribute::Name, Value::new_iname(app1_name)),
(Attribute::Uuid, Value::Uuid(app1_uuid)),
(Attribute::LinkedGroup, Value::Refer(grp1_uuid))
@ -2693,8 +2703,10 @@ mod tests {
let e3 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::DisplayName, Value::new_utf8s("Application")),
(Attribute::Name, Value::new_iname(app_name)),
(Attribute::Uuid, Value::Uuid(app_uuid)),
(Attribute::LinkedGroup, Value::Refer(grp_uuid))

17
server/lib/src/idm/oauth2.rs
View file

@ -2992,11 +2992,12 @@ fn validate_scopes(req_scopes: &BTreeSet<String>) -> Result<(), Oauth2Error> {
#[cfg(any(feature = "dev-oauth2-device-flow", test))]
#[allow(dead_code)]
fn gen_device_code() -> Result<[u8; 16], Oauth2Error> {
let mut rng = rand::thread_rng();
use rand::TryRngCore;
let mut rng = rand::rng();
let mut result = [0u8; 16];
// doing it here because of feature-shenanigans.
use rand::Rng;
if let Err(err) = rng.try_fill(&mut result) {
if let Err(err) = rng.try_fill_bytes(&mut result) {
error!("Failed to generate device code! {:?}", err);
return Err(Oauth2Error::ServerError(OperationError::Backend));
}
@ -3009,8 +3010,8 @@ fn gen_device_code() -> Result<[u8; 16], Oauth2Error> {
/// Returns (xxx-yyy-zzz, digits) where one's the human-facing code, the other is what we store in the DB.
fn gen_user_code() -> (String, u32) {
use rand::Rng;
let mut rng = rand::thread_rng();
let num: u32 = rng.gen_range(0..=999999999);
let mut rng = rand::rng();
let num: u32 = rng.random_range(0..=999999999);
let result = format!("{:09}", num);
(
format!("{}-{}-{}", &result[0..3], &result[3..6], &result[6..9]),
@ -3100,6 +3101,7 @@ mod tests {
$code_challenge:expr,
$scope:expr
) => {{
#[allow(clippy::unnecessary_to_owned)]
let scope: BTreeSet<String> = $scope.split(" ").map(|s| s.to_string()).collect();
let auth_req = AuthorisationRequest {
@ -7312,10 +7314,7 @@ mod tests {
&Url::parse(example_is_not_local)
.expect("Failed to parse example.com as a host?")
.host()
.expect(&format!(
"Couldn't get a host from {}",
example_is_not_local
))
.unwrap_or_else(|| panic!("Couldn't get a host from {}", example_is_not_local))
));
let test_urls = [

13
server/lib/src/idm/server.rs
View file

@ -21,6 +21,7 @@ use tokio::sync::{Mutex, Semaphore};
use tracing::trace;
use url::Url;
use webauthn_rs::prelude::{Webauthn, WebauthnBuilder};
use zxcvbn::{zxcvbn, Score};
use super::event::ReadBackupCodeEvent;
use super::ldap::{LdapBoundToken, LdapSession};
@ -235,7 +236,7 @@ impl IdmServer {
let qs_read = self.qs.read().await?;
let mut sid = [0; 4];
let mut rng = StdRng::from_entropy();
let mut rng = StdRng::from_os_rng();
rng.fill(&mut sid);
Ok(IdmServerAuthTransaction {
@ -278,7 +279,7 @@ impl IdmServer {
let qs_write = self.qs.write(ts).await?;
let mut sid = [0; 4];
let mut rng = StdRng::from_entropy();
let mut rng = StdRng::from_os_rng();
rng.fill(&mut sid);
Ok(IdmServerProxyWriteTransaction {
@ -1657,18 +1658,14 @@ impl IdmServerProxyWriteTransaction<'_> {
// does the password pass zxcvbn?
let entropy = zxcvbn::zxcvbn(cleartext, related_inputs).map_err(|e| {
admin_error!("zxcvbn check failure (password empty?) {:?}", e);
OperationError::PasswordQuality(vec![PasswordFeedback::TooShort(PW_MIN_LENGTH)])
})?;
let entropy = zxcvbn(cleartext, related_inputs);
// Unix PW's are a single factor, so we enforce good pws
if entropy.score() < 4 {
if entropy.score() < Score::Four {
// The password is too week as per:
// https://docs.rs/zxcvbn/2.0.0/zxcvbn/struct.Entropy.html
let feedback: zxcvbn::feedback::Feedback = entropy
.feedback()
.as_ref()
.ok_or(OperationError::InvalidState)
.cloned()
.inspect_err(|err| {

3
server/lib/src/migration_data/dl10/mod.rs
View file

@ -105,6 +105,7 @@ pub fn phase_1_schema_attrs() -> Vec<EntryInitNew> {
// DL10
SCHEMA_ATTR_DENIED_NAME_DL10.clone().into(),
SCHEMA_ATTR_LDAP_MAXIMUM_QUERYABLE_ATTRIBUTES.clone().into(),
SCHEMA_ATTR_APPLICATION_URL.clone().into(),
]
}
@ -134,7 +135,7 @@ pub fn phase_2_schema_classes() -> Vec<EntryInitNew> {
SCHEMA_CLASS_CLIENT_CERTIFICATE_DL7.clone().into(),
// DL8
SCHEMA_CLASS_ACCOUNT_POLICY_DL8.clone().into(),
SCHEMA_CLASS_APPLICATION_DL8.clone().into(),
SCHEMA_CLASS_APPLICATION.clone().into(),
SCHEMA_CLASS_PERSON_DL8.clone().into(),
// DL9
SCHEMA_CLASS_OAUTH2_RS_DL9.clone().into(),

23
server/lib/src/migration_data/dl10/schema.rs
View file

@ -729,6 +729,14 @@ pub static ref SCHEMA_ATTR_APPLICATION_PASSWORD_DL8: SchemaAttribute = SchemaAtt
..Default::default()
};
pub static ref SCHEMA_ATTR_APPLICATION_URL: SchemaAttribute = SchemaAttribute {
uuid: UUID_SCHEMA_ATTR_APPLICATION_URL,
name: Attribute::ApplicationUrl,
description: "The URL of an external application".to_string(),
syntax: SyntaxType::Url,
..Default::default()
};
// === classes ===
pub static ref SCHEMA_CLASS_PERSON_DL8: SchemaClass = SchemaClass {
uuid: UUID_SCHEMA_CLASS_PERSON,
@ -838,9 +846,9 @@ pub static ref SCHEMA_CLASS_ACCOUNT_DL5: SchemaClass = SchemaClass {
Attribute::Spn
],
systemsupplements: vec![
EntryClass::OAuth2ResourceServer.into(),
EntryClass::Person.into(),
EntryClass::ServiceAccount.into(),
EntryClass::OAuth2ResourceServer.into(),
],
..Default::default()
};
@ -1082,13 +1090,20 @@ pub static ref SCHEMA_CLASS_CLIENT_CERTIFICATE_DL7: SchemaClass = SchemaClass {
..Default::default()
};
pub static ref SCHEMA_CLASS_APPLICATION_DL8: SchemaClass = SchemaClass {
pub static ref SCHEMA_CLASS_APPLICATION: SchemaClass = SchemaClass {
uuid: UUID_SCHEMA_CLASS_APPLICATION,
name: EntryClass::Application.into(),
description: "The class representing an application".to_string(),
systemmust: vec![Attribute::Name, Attribute::LinkedGroup],
systemmay: vec![Attribute::Description],
systemmust: vec![Attribute::LinkedGroup],
systemmay: vec![
Attribute::ApplicationUrl,
],
// I think this could change before release - I can see a world
// whe we may want an oauth2 application to have application passwords,
// or for this to be it's own thing. But service accounts also don't
// quite do enough, they have api tokens, but that's all we kind
// of want from them?
systemsupplements: vec![EntryClass::ServiceAccount.into()],
..Default::default()
};

4
server/lib/src/plugins/base.rs
View file

@ -365,7 +365,7 @@ mod tests {
let create = vec![e];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,
@ -468,7 +468,7 @@ mod tests {
let create = vec![e];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,

2
server/lib/src/plugins/cred_import.rs
View file

@ -205,7 +205,7 @@ mod tests {
let create = vec![e];
run_create_test!(Ok(()), preload, create, None, |_| {});
run_create_test!(Ok(None), preload, create, None, |_| {});
}
#[test]

8
server/lib/src/plugins/dyngroup.rs
View file

@ -464,7 +464,7 @@ mod tests {
let create = vec![e_dyn];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,
@ -513,7 +513,7 @@ mod tests {
let create = vec![e_group];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,
@ -562,7 +562,7 @@ mod tests {
let create = vec![e_group];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,
@ -607,7 +607,7 @@ mod tests {
let create = vec![e_dyn, e_group];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,

2
server/lib/src/plugins/eckeygen.rs
View file

@ -108,7 +108,7 @@ mod tests {
let create = vec![ea];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,

2
server/lib/src/plugins/jwskeygen.rs
View file

@ -136,7 +136,7 @@ mod tests {
let create = vec![e];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,

8
server/lib/src/plugins/memberof.rs
View file

@ -858,7 +858,7 @@ mod tests {
let preload = Vec::with_capacity(0);
let create = vec![ea, eb];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,
@ -889,7 +889,7 @@ mod tests {
let preload = Vec::with_capacity(0);
let create = vec![ea, eb, ec];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,
@ -941,7 +941,7 @@ mod tests {
let preload = Vec::with_capacity(0);
let create = vec![ea, eb, ec];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,
@ -999,7 +999,7 @@ mod tests {
let preload = Vec::with_capacity(0);
let create = vec![ea, eb, ec, ed];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,

2
server/lib/src/plugins/namehistory.rs
View file

@ -181,7 +181,7 @@ mod tests {
let preload = Vec::with_capacity(0);
let create = vec![ea];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,

4
server/lib/src/plugins/refint.rs
View file

@ -501,7 +501,7 @@ mod tests {
let create = vec![eb];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,
@ -534,7 +534,7 @@ mod tests {
let create = vec![e_group];
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,

4
server/lib/src/plugins/spn.rs
View file

@ -233,7 +233,7 @@ mod tests {
let preload = Vec::with_capacity(0);
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,
@ -286,7 +286,7 @@ mod tests {
let preload = Vec::with_capacity(0);
run_create_test!(
Ok(()),
Ok(None),
preload,
create,
None,

4
server/lib/src/repl/entry.rs
View file

@ -217,9 +217,9 @@ impl EntryChangeState {
}
#[cfg(test)]
pub(crate) fn get_attr_cid(&self, attr: Attribute) -> Option<&Cid> {
pub(crate) fn get_attr_cid(&self, attr: &Attribute) -> Option<&Cid> {
match &self.st {
State::Live { at: _, changes } => changes.get(&attr),
State::Live { at: _, changes } => changes.get(attr),
State::Tombstone { at: _ } => None,
}
}

2
server/lib/src/repl/tests.rs
View file

@ -705,7 +705,7 @@ async fn test_repl_increment_basic_deleted_attr(server_a: &QueryServer, server_b
let e1_cs = e1.get_changestate();
let e2_cs = e2.get_changestate();
assert_eq!(e1_cs, e2_cs);
assert!(e1_cs.get_attr_cid(Attribute::Description).is_some());
assert!(e1_cs.get_attr_cid(&Attribute::Description).is_some());
server_b_txn.commit().expect("Failed to commit");
drop(server_a_txn);

11
server/lib/src/server/create.rs
View file

@ -7,7 +7,7 @@ impl QueryServerWriteTransaction<'_> {
/// The create event is a raw, read only representation of the request
/// that was made to us, including information about the identity
/// performing the request.
pub fn create(&mut self, ce: &CreateEvent) -> Result<(), OperationError> {
pub fn create(&mut self, ce: &CreateEvent) -> Result<Option<Vec<Uuid>>, OperationError> {
if !ce.ident.is_internal() {
security_info!(name = %ce.ident, "create initiator");
}
@ -174,7 +174,12 @@ impl QueryServerWriteTransaction<'_> {
} else {
admin_info!("Create operation success");
}
Ok(())
if ce.return_created_uuids {
Ok(Some(commit_cand.iter().map(|e| e.get_uuid()).collect()))
} else {
Ok(None)
}
}
pub fn internal_create(
@ -182,7 +187,7 @@ impl QueryServerWriteTransaction<'_> {
entries: Vec<Entry<EntryInit, EntryNew>>,
) -> Result<(), OperationError> {
let ce = CreateEvent::new_internal(entries);
self.create(&ce)
self.create(&ce).map(|_| ())
}
}

134
server/lib/src/server/mod.rs
View file

@ -28,8 +28,6 @@ use crate::schema::{
SchemaWriteTransaction,
};
use crate::value::{CredentialType, EXTRACT_VAL_DN};
use crate::valueset::uuid_to_proto_string;
use crate::valueset::ScimValueIntermediate;
use crate::valueset::*;
use concread::arcache::{ARCacheBuilder, ARCacheReadTxn, ARCacheWriteTxn};
use concread::cowcell::*;
@ -1004,138 +1002,6 @@ pub trait QueryServerTransaction<'a> {
}
}
fn resolve_scim_json_put(
&mut self,
attr: &Attribute,
value: Option<JsonValue>,
) -> Result<Option<ValueSet>, OperationError> {
let schema = self.get_schema();
// Lookup the attr
let Some(schema_a) = schema.get_attributes().get(attr) else {
// No attribute of this name exists - fail fast, there is no point to
// proceed, as nothing can be satisfied.
return Err(OperationError::InvalidAttributeName(attr.to_string()));
};
let Some(value) = value else {
// It's a none so the value needs to be unset, and the attr DOES exist in
// schema.
return Ok(None);
};
let resolve_status = match schema_a.syntax {
SyntaxType::Utf8String => ValueSetUtf8::from_scim_json_put(value),
SyntaxType::Utf8StringInsensitive => ValueSetIutf8::from_scim_json_put(value),
SyntaxType::Uuid => ValueSetUuid::from_scim_json_put(value),
SyntaxType::Boolean => ValueSetBool::from_scim_json_put(value),
SyntaxType::SyntaxId => ValueSetSyntax::from_scim_json_put(value),
SyntaxType::IndexId => ValueSetIndex::from_scim_json_put(value),
SyntaxType::ReferenceUuid => ValueSetRefer::from_scim_json_put(value),
SyntaxType::Utf8StringIname => ValueSetIname::from_scim_json_put(value),
SyntaxType::NsUniqueId => ValueSetNsUniqueId::from_scim_json_put(value),
SyntaxType::DateTime => ValueSetDateTime::from_scim_json_put(value),
SyntaxType::EmailAddress => ValueSetEmailAddress::from_scim_json_put(value),
SyntaxType::Url => ValueSetUrl::from_scim_json_put(value),
SyntaxType::OauthScope => ValueSetOauthScope::from_scim_json_put(value),
SyntaxType::OauthScopeMap => ValueSetOauthScopeMap::from_scim_json_put(value),
SyntaxType::OauthClaimMap => ValueSetOauthClaimMap::from_scim_json_put(value),
SyntaxType::UiHint => ValueSetUiHint::from_scim_json_put(value),
SyntaxType::CredentialType => ValueSetCredentialType::from_scim_json_put(value),
SyntaxType::Certificate => ValueSetCertificate::from_scim_json_put(value),
SyntaxType::SshKey => ValueSetSshKey::from_scim_json_put(value),
SyntaxType::Uint32 => ValueSetUint32::from_scim_json_put(value),
// Not Yet ... if ever
// SyntaxType::JsonFilter => ValueSetJsonFilter::from_scim_json_put(value),
SyntaxType::JsonFilter => Err(OperationError::InvalidAttribute(
"Json Filters are not able to be set.".to_string(),
)),
// Can't be set currently as these are only internally generated for key-id's
// SyntaxType::HexString => ValueSetHexString::from_scim_json_put(value),
SyntaxType::HexString => Err(OperationError::InvalidAttribute(
"Hex strings are not able to be set.".to_string(),
)),
// Can't be set until we have better error handling in the set paths
// SyntaxType::Image => ValueSetImage::from_scim_json_put(value),
SyntaxType::Image => Err(OperationError::InvalidAttribute(
"Images are not able to be set.".to_string(),
)),
// Can't be set yet, mostly as I'm lazy
// SyntaxType::WebauthnAttestationCaList => {
// ValueSetWebauthnAttestationCaList::from_scim_json_put(value)
// }
SyntaxType::WebauthnAttestationCaList => Err(OperationError::InvalidAttribute(
"Webauthn Attestation Ca Lists are not able to be set.".to_string(),
)),
// Syntax types that can not be submitted
SyntaxType::Credential => Err(OperationError::InvalidAttribute(
"Credentials are not able to be set.".to_string(),
)),
SyntaxType::SecretUtf8String => Err(OperationError::InvalidAttribute(
"Secrets are not able to be set.".to_string(),
)),
SyntaxType::SecurityPrincipalName => Err(OperationError::InvalidAttribute(
"SPNs are not able to be set.".to_string(),
)),
SyntaxType::Cid => Err(OperationError::InvalidAttribute(
"CIDs are not able to be set.".to_string(),
)),
SyntaxType::PrivateBinary => Err(OperationError::InvalidAttribute(
"Private Binaries are not able to be set.".to_string(),
)),
SyntaxType::IntentToken => Err(OperationError::InvalidAttribute(
"Intent Tokens are not able to be set.".to_string(),
)),
SyntaxType::Passkey => Err(OperationError::InvalidAttribute(
"Passkeys are not able to be set.".to_string(),
)),
SyntaxType::AttestedPasskey => Err(OperationError::InvalidAttribute(
"Attested Passkeys are not able to be set.".to_string(),
)),
SyntaxType::Session => Err(OperationError::InvalidAttribute(
"Sessions are not able to be set.".to_string(),
)),
SyntaxType::JwsKeyEs256 => Err(OperationError::InvalidAttribute(
"Jws ES256 Private Keys are not able to be set.".to_string(),
)),
SyntaxType::JwsKeyRs256 => Err(OperationError::InvalidAttribute(
"Jws RS256 Private Keys are not able to be set.".to_string(),
)),
SyntaxType::Oauth2Session => Err(OperationError::InvalidAttribute(
"Sessions are not able to be set.".to_string(),
)),
SyntaxType::TotpSecret => Err(OperationError::InvalidAttribute(
"TOTP Secrets are not able to be set.".to_string(),
)),
SyntaxType::ApiToken => Err(OperationError::InvalidAttribute(
"API Tokens are not able to be set.".to_string(),
)),
SyntaxType::AuditLogString => Err(OperationError::InvalidAttribute(
"Audit Strings are not able to be set.".to_string(),
)),
SyntaxType::EcKeyPrivate => Err(OperationError::InvalidAttribute(
"EC Private Keys are not able to be set.".to_string(),
)),
SyntaxType::KeyInternal => Err(OperationError::InvalidAttribute(
"Key Internal Structures are not able to be set.".to_string(),
)),
SyntaxType::ApplicationPassword => Err(OperationError::InvalidAttribute(
"Application Passwords are not able to be set.".to_string(),
)),
}?;
match resolve_status {
ValueSetResolveStatus::Resolved(vs) => Ok(vs),
ValueSetResolveStatus::NeedsResolution(vs_inter) => {
self.resolve_valueset_intermediate(vs_inter)
}
}
.map(Some)
}
fn resolve_valueset_intermediate(
&mut self,
vs_inter: ValueSetIntermediate,

327
server/lib/src/server/scim.rs
View file

@ -1,23 +1,27 @@
use crate::prelude::*;
use crate::schema::{SchemaAttribute, SchemaTransaction};
use crate::server::batch_modify::{BatchModifyEvent, ModSetValid};
use kanidm_proto::scim_v1::client::ScimEntryPutGeneric;
use crate::server::ValueSetResolveStatus;
use crate::valueset::*;
use kanidm_proto::scim_v1::client::{ScimEntryPostGeneric, ScimEntryPutGeneric};
use kanidm_proto::scim_v1::JsonValue;
use std::collections::BTreeMap;
#[derive(Debug, Clone)]
#[derive(Debug)]
pub struct ScimEntryPutEvent {
/// The identity performing the change.
pub ident: Identity,
pub(crate) ident: Identity,
// future - etags to detect version changes.
/// The target entry that will be changed
pub target: Uuid,
pub(crate) target: Uuid,
/// Update an attribute to contain the following value state.
/// If the attribute is None, it is removed.
pub attrs: BTreeMap<Attribute, Option<ValueSet>>,
pub(crate) attrs: BTreeMap<Attribute, Option<ValueSet>>,
/// If an effective access check should be carried out post modification
/// of the entries
pub effective_access_check: bool,
pub(crate) effective_access_check: bool,
}
impl ScimEntryPutEvent {
@ -48,6 +52,60 @@ impl ScimEntryPutEvent {
}
}
#[derive(Debug)]
pub struct ScimCreateEvent {
pub(crate) ident: Identity,
pub(crate) entry: EntryInitNew,
}
impl ScimCreateEvent {
pub fn try_from(
ident: Identity,
classes: &[EntryClass],
entry: ScimEntryPostGeneric,
qs: &mut QueryServerWriteTransaction,
) -> Result<Self, OperationError> {
let mut entry = entry
.attrs
.into_iter()
.map(|(attr, json_value)| {
qs.resolve_scim_json_post(&attr, json_value)
.map(|kani_value| (attr, kani_value))
})
.collect::<Result<EntryInitNew, _>>()?;
let classes = ValueSetIutf8::from_iter(classes.iter().map(|cls| cls.as_ref()))
.ok_or(OperationError::SC0027ClassSetInvalid)?;
entry.set_ava_set(&Attribute::Class, classes);
Ok(ScimCreateEvent { ident, entry })
}
}
#[derive(Debug)]
pub struct ScimDeleteEvent {
/// The identity performing the change.
pub(crate) ident: Identity,
// future - etags to detect version changes.
/// The target entry that will be changed
pub(crate) target: Uuid,
/// The class of the target entry.
pub(crate) class: EntryClass,
}
impl ScimDeleteEvent {
pub fn new(ident: Identity, target: Uuid, class: EntryClass) -> Self {
ScimDeleteEvent {
ident,
target,
class,
}
}
}
impl QueryServerWriteTransaction<'_> {
/// SCIM PUT is the handler where a single entry is updated. In a SCIM PUT request
/// the request defines the state of an attribute in entirety for the update. This
@ -115,6 +173,251 @@ impl QueryServerWriteTransaction<'_> {
}
}
}
pub fn scim_create(
&mut self,
scim_create: ScimCreateEvent,
) -> Result<ScimEntryKanidm, OperationError> {
let ScimCreateEvent { ident, entry } = scim_create;
let create_event = CreateEvent {
ident,
entries: vec![entry],
return_created_uuids: true,
};
let changed_uuids = self.create(&create_event)?;
let mut changed_uuids = changed_uuids.ok_or(OperationError::SC0028CreatedUuidsInvalid)?;
let target = if let Some(target) = changed_uuids.pop() {
if !changed_uuids.is_empty() {
// Too many results!
return Err(OperationError::UniqueConstraintViolation);
}
target
} else {
// No results!
return Err(OperationError::NoMatchingEntries);
};
// Now get the entry. We handle a lot of the errors here nicely,
// but if we got to this point, they really can't happen.
let filter_intent = filter!(f_and!([f_eq(Attribute::Uuid, PartialValue::Uuid(target))]));
let f_intent_valid = filter_intent
.validate(self.get_schema())
.map_err(OperationError::SchemaViolation)?;
let f_valid = f_intent_valid.clone().into_ignore_hidden();
let se = SearchEvent {
ident: create_event.ident,
filter: f_valid,
filter_orig: f_intent_valid,
// Return all attributes
attrs: None,
effective_access_check: false,
};
let mut vs = self.search_ext(&se)?;
match vs.pop() {
Some(entry) if vs.is_empty() => entry.to_scim_kanidm(self),
_ => {
if vs.is_empty() {
Err(OperationError::NoMatchingEntries)
} else {
// Multiple entries matched, should not be possible!
Err(OperationError::UniqueConstraintViolation)
}
}
}
}
pub fn scim_delete(&mut self, scim_delete: ScimDeleteEvent) -> Result<(), OperationError> {
let ScimDeleteEvent {
ident,
target,
class,
} = scim_delete;
let filter_intent = filter!(f_eq(Attribute::Uuid, PartialValue::Uuid(target)));
let f_intent_valid = filter_intent
.validate(self.get_schema())
.map_err(OperationError::SchemaViolation)?;
let filter = filter!(f_and!([
f_eq(Attribute::Uuid, PartialValue::Uuid(target)),
f_eq(Attribute::Class, class.into())
]));
let f_valid = filter
.validate(self.get_schema())
.map_err(OperationError::SchemaViolation)?;
let de = DeleteEvent {
ident,
filter: f_valid,
filter_orig: f_intent_valid,
};
self.delete(&de)
}
pub(crate) fn resolve_scim_json_put(
&mut self,
attr: &Attribute,
value: Option<JsonValue>,
) -> Result<Option<ValueSet>, OperationError> {
let schema = self.get_schema();
// Lookup the attr
let Some(schema_a) = schema.get_attributes().get(attr) else {
// No attribute of this name exists - fail fast, there is no point to
// proceed, as nothing can be satisfied.
return Err(OperationError::InvalidAttributeName(attr.to_string()));
};
let Some(value) = value else {
// It's a none so the value needs to be unset, and the attr DOES exist in
// schema.
return Ok(None);
};
self.resolve_scim_json(schema_a, value).map(Some)
}
pub(crate) fn resolve_scim_json_post(
&mut self,
attr: &Attribute,
value: JsonValue,
) -> Result<ValueSet, OperationError> {
let schema = self.get_schema();
// Lookup the attr
let Some(schema_a) = schema.get_attributes().get(attr) else {
// No attribute of this name exists - fail fast, there is no point to
// proceed, as nothing can be satisfied.
return Err(OperationError::InvalidAttributeName(attr.to_string()));
};
self.resolve_scim_json(schema_a, value)
}
fn resolve_scim_json(
&mut self,
schema_a: &SchemaAttribute,
value: JsonValue,
) -> Result<ValueSet, OperationError> {
let resolve_status = match schema_a.syntax {
SyntaxType::Utf8String => ValueSetUtf8::from_scim_json_put(value),
SyntaxType::Utf8StringInsensitive => ValueSetIutf8::from_scim_json_put(value),
SyntaxType::Uuid => ValueSetUuid::from_scim_json_put(value),
SyntaxType::Boolean => ValueSetBool::from_scim_json_put(value),
SyntaxType::SyntaxId => ValueSetSyntax::from_scim_json_put(value),
SyntaxType::IndexId => ValueSetIndex::from_scim_json_put(value),
SyntaxType::ReferenceUuid => ValueSetRefer::from_scim_json_put(value),
SyntaxType::Utf8StringIname => ValueSetIname::from_scim_json_put(value),
SyntaxType::NsUniqueId => ValueSetNsUniqueId::from_scim_json_put(value),
SyntaxType::DateTime => ValueSetDateTime::from_scim_json_put(value),
SyntaxType::EmailAddress => ValueSetEmailAddress::from_scim_json_put(value),
SyntaxType::Url => ValueSetUrl::from_scim_json_put(value),
SyntaxType::OauthScope => ValueSetOauthScope::from_scim_json_put(value),
SyntaxType::OauthScopeMap => ValueSetOauthScopeMap::from_scim_json_put(value),
SyntaxType::OauthClaimMap => ValueSetOauthClaimMap::from_scim_json_put(value),
SyntaxType::UiHint => ValueSetUiHint::from_scim_json_put(value),
SyntaxType::CredentialType => ValueSetCredentialType::from_scim_json_put(value),
SyntaxType::Certificate => ValueSetCertificate::from_scim_json_put(value),
SyntaxType::SshKey => ValueSetSshKey::from_scim_json_put(value),
SyntaxType::Uint32 => ValueSetUint32::from_scim_json_put(value),
// Not Yet ... if ever
// SyntaxType::JsonFilter => ValueSetJsonFilter::from_scim_json_put(value),
SyntaxType::JsonFilter => Err(OperationError::InvalidAttribute(
"Json Filters are not able to be set.".to_string(),
)),
// Can't be set currently as these are only internally generated for key-id's
// SyntaxType::HexString => ValueSetHexString::from_scim_json_put(value),
SyntaxType::HexString => Err(OperationError::InvalidAttribute(
"Hex strings are not able to be set.".to_string(),
)),
// Can't be set until we have better error handling in the set paths
// SyntaxType::Image => ValueSetImage::from_scim_json_put(value),
SyntaxType::Image => Err(OperationError::InvalidAttribute(
"Images are not able to be set.".to_string(),
)),
// Can't be set yet, mostly as I'm lazy
// SyntaxType::WebauthnAttestationCaList => {
// ValueSetWebauthnAttestationCaList::from_scim_json_put(value)
// }
SyntaxType::WebauthnAttestationCaList => Err(OperationError::InvalidAttribute(
"Webauthn Attestation Ca Lists are not able to be set.".to_string(),
)),
// Syntax types that can not be submitted
SyntaxType::Credential => Err(OperationError::InvalidAttribute(
"Credentials are not able to be set.".to_string(),
)),
SyntaxType::SecretUtf8String => Err(OperationError::InvalidAttribute(
"Secrets are not able to be set.".to_string(),
)),
SyntaxType::SecurityPrincipalName => Err(OperationError::InvalidAttribute(
"SPNs are not able to be set.".to_string(),
)),
SyntaxType::Cid => Err(OperationError::InvalidAttribute(
"CIDs are not able to be set.".to_string(),
)),
SyntaxType::PrivateBinary => Err(OperationError::InvalidAttribute(
"Private Binaries are not able to be set.".to_string(),
)),
SyntaxType::IntentToken => Err(OperationError::InvalidAttribute(
"Intent Tokens are not able to be set.".to_string(),
)),
SyntaxType::Passkey => Err(OperationError::InvalidAttribute(
"Passkeys are not able to be set.".to_string(),
)),
SyntaxType::AttestedPasskey => Err(OperationError::InvalidAttribute(
"Attested Passkeys are not able to be set.".to_string(),
)),
SyntaxType::Session => Err(OperationError::InvalidAttribute(
"Sessions are not able to be set.".to_string(),
)),
SyntaxType::JwsKeyEs256 => Err(OperationError::InvalidAttribute(
"Jws ES256 Private Keys are not able to be set.".to_string(),
)),
SyntaxType::JwsKeyRs256 => Err(OperationError::InvalidAttribute(
"Jws RS256 Private Keys are not able to be set.".to_string(),
)),
SyntaxType::Oauth2Session => Err(OperationError::InvalidAttribute(
"Sessions are not able to be set.".to_string(),
)),
SyntaxType::TotpSecret => Err(OperationError::InvalidAttribute(
"TOTP Secrets are not able to be set.".to_string(),
)),
SyntaxType::ApiToken => Err(OperationError::InvalidAttribute(
"API Tokens are not able to be set.".to_string(),
)),
SyntaxType::AuditLogString => Err(OperationError::InvalidAttribute(
"Audit Strings are not able to be set.".to_string(),
)),
SyntaxType::EcKeyPrivate => Err(OperationError::InvalidAttribute(
"EC Private Keys are not able to be set.".to_string(),
)),
SyntaxType::KeyInternal => Err(OperationError::InvalidAttribute(
"Key Internal Structures are not able to be set.".to_string(),
)),
SyntaxType::ApplicationPassword => Err(OperationError::InvalidAttribute(
"Application Passwords are not able to be set.".to_string(),
)),
}?;
match resolve_status {
ValueSetResolveStatus::Resolved(vs) => Ok(vs),
ValueSetResolveStatus::NeedsResolution(vs_inter) => {
self.resolve_valueset_intermediate(vs_inter)
}
}
}
}
#[cfg(test)]
@ -186,7 +489,7 @@ mod tests {
match desc {
ScimValueKanidm::String(gdesc) if gdesc == "Group Description" => {}
_ => assert!(false),
_ => unreachable!("Expected a string"),
};
// null removes attr
@ -201,7 +504,7 @@ mod tests {
.expect("Failed to resolve data type");
let updated_entry = server_txn.scim_put(put_event).expect("Failed to put");
assert!(updated_entry.attrs.get(&Attribute::Description).is_none());
assert!(!updated_entry.attrs.contains_key(&Attribute::Description));
// set one
let put = ScimEntryPutKanidm {
@ -234,7 +537,7 @@ mod tests {
value: "extra_1@example.com".to_string(),
}));
}
_ => assert!(false),
_ => unreachable!("Expected 1 member"),
};
// set many
@ -285,7 +588,7 @@ mod tests {
value: "extra_3@example.com".to_string(),
}));
}
_ => assert!(false),
_ => unreachable!("Expected 3 members"),
};
// set many with a removal
@ -333,7 +636,7 @@ mod tests {
value: "extra_2@example.com".to_string(),
}));
}
_ => assert!(false),
_ => unreachable!("Expected 2 members"),
};
// empty set removes attr
@ -348,6 +651,6 @@ mod tests {
.expect("Failed to resolve data type");
let updated_entry = server_txn.scim_put(put_event).expect("Failed to put");
assert!(updated_entry.attrs.get(&Attribute::Member).is_none());
assert!(!updated_entry.attrs.contains_key(&Attribute::Member));
}
}

7
server/lib/src/testkit.rs
View file

@ -4,12 +4,19 @@ use crate::schema::Schema;
pub struct TestConfiguration {
pub domain_level: DomainVersion,
// This is literally here to make clippy happy, just leave it alone!
// if you don't believe me then remove it and run 'cargo clippy --all-targets' it'll complain
// about "struct update has no effect, all the fields in the struct have already been specified"
// because the domain_level was set, then we ..Default::default() the "rest"
#[allow(dead_code)]
pub ignore_this_field: bool,
}
impl Default for TestConfiguration {
fn default() -> Self {
TestConfiguration {
domain_level: DOMAIN_TGT_LEVEL,
ignore_this_field: false,
}
}
}

13
server/lib/src/utils.rs
View file

@ -2,8 +2,8 @@
use crate::prelude::*;
use hashbrown::HashSet;
use rand::distributions::{Distribution, Uniform};
use rand::{thread_rng, Rng};
use rand::distr::{Distribution, Uniform};
use rand::{rng, Rng};
use std::ops::Range;
#[derive(Debug)]
@ -35,7 +35,7 @@ pub fn uuid_from_duration(d: Duration, sid: Sid) -> Uuid {
}
pub(crate) fn password_from_random_len(len: u32) -> String {
thread_rng()
rng()
.sample_iter(&DistinctAlpha)
.take(len as usize)
.collect::<String>()
@ -52,7 +52,7 @@ pub fn backup_code_from_random() -> HashSet<String> {
pub fn readable_password_from_random() -> String {
// 2^112 bits, means we need at least 55^20 to have as many bits of entropy.
// this leads us to 4 groups of 5 to create 55^20
let mut trng = thread_rng();
let mut trng = rng();
format!(
"{}-{}-{}-{}",
(&mut trng)
@ -80,8 +80,9 @@ impl Distribution<char> for DistinctAlpha {
const GEN_ASCII_STR_CHARSET: &[u8] = b"ABCDEFGHJKLMNPQRSTUVWXYZ\
abcdefghjkpqrstuvwxyz\
0123456789";
let range = Uniform::new(0, RANGE);
// TODO: this needs to handle the error, maybe?
#[allow(clippy::expect_used)]
let range = Uniform::new(0, RANGE).expect("Failed to get a uniform range");
let n = range.sample(rng);
GEN_ASCII_STR_CHARSET[n as usize] as char

8
server/lib/src/valueset/address.rs
View file

@ -683,10 +683,10 @@ mod tests {
"value": "claire@example.com"
}
]"#;
crate::valueset::scim_json_reflexive(vs.clone(), data);
crate::valueset::scim_json_reflexive(&vs, data);
// Test that we can parse json values into a valueset.
crate::valueset::scim_json_put_reflexive::<ValueSetEmailAddress>(vs, &[])
crate::valueset::scim_json_put_reflexive::<ValueSetEmailAddress>(&vs, &[])
}
#[test]
@ -711,9 +711,9 @@ mod tests {
}
]"#;
crate::valueset::scim_json_reflexive(vs.clone(), data);
crate::valueset::scim_json_reflexive(&vs, data);
// Test that we can parse json values into a valueset.
crate::valueset::scim_json_put_reflexive::<ValueSetAddress>(vs, &[])
crate::valueset::scim_json_put_reflexive::<ValueSetAddress>(&vs, &[])
}
}

2
server/lib/src/valueset/apppwd.rs
View file

@ -381,6 +381,6 @@ mod tests {
}
]
"#;
crate::valueset::scim_json_reflexive(vs, data);
crate::valueset::scim_json_reflexive(&vs, data);
}
}

2
server/lib/src/valueset/auditlogstring.rs
View file

@ -400,6 +400,6 @@ mod tests {
}
]
"#;
crate::valueset::scim_json_reflexive(vs, data);
crate::valueset::scim_json_reflexive(&vs, data);
}
}

4
server/lib/src/valueset/bool.rs
View file

@ -185,9 +185,9 @@ mod tests {
#[test]
fn test_scim_boolean() {
let vs: ValueSet = ValueSetBool::new(true);
crate::valueset::scim_json_reflexive(vs.clone(), "true");
crate::valueset::scim_json_reflexive(&vs, "true");
// Test that we can parse json values into a valueset.
crate::valueset::scim_json_put_reflexive::<ValueSetBool>(vs, &[])
crate::valueset::scim_json_put_reflexive::<ValueSetBool>(&vs, &[])
}
}

2
server/lib/src/valueset/certificate.rs
View file

@ -352,6 +352,6 @@ raBy6edj7W0EIH+yQxkDEwIhAI0nVKaI6duHLAvtKW6CfEQFG6jKg7dyk37YYiRD
assert_eq!(cert.s256, expect_s256);
// Test that we can parse json values into a valueset.
crate::valueset::scim_json_put_reflexive::<ValueSetCertificate>(vs, &[])
crate::valueset::scim_json_put_reflexive::<ValueSetCertificate>(&vs, &[])
}
}

2
server/lib/src/valueset/cid.rs
View file

@ -193,6 +193,6 @@ mod tests {
let vs: ValueSet = ValueSetCid::new(Cid::new_zero());
let data = r#""00000000000000000000000000000000-00000000-0000-0000-0000-000000000000""#;
crate::valueset::scim_json_reflexive(vs, data);
crate::valueset::scim_json_reflexive(&vs, data);
}
}

6
server/lib/src/valueset/cred.rs
View file

@ -1183,15 +1183,15 @@ mod tests {
}
]
"#;
crate::valueset::scim_json_reflexive(vs, data);
crate::valueset::scim_json_reflexive(&vs, data);
}
#[test]
fn test_scim_credential_type() {
let vs: ValueSet = ValueSetCredentialType::new(CredentialType::Mfa);
crate::valueset::scim_json_reflexive(vs.clone(), r#""mfa""#);
crate::valueset::scim_json_reflexive(&vs, r#""mfa""#);
// Test that we can parse json values into a valueset.
crate::valueset::scim_json_put_reflexive::<ValueSetCredentialType>(vs, &[])
crate::valueset::scim_json_put_reflexive::<ValueSetCredentialType>(&vs, &[])
}
}

4
server/lib/src/valueset/datetime.rs
View file

@ -210,9 +210,9 @@ mod tests {
let odt = OffsetDateTime::UNIX_EPOCH + Duration::from_secs(69_420);
let vs: ValueSet = ValueSetDateTime::new(odt);
crate::valueset::scim_json_reflexive(vs.clone(), r#""1970-01-01T19:17:00Z""#);
crate::valueset::scim_json_reflexive(&vs, r#""1970-01-01T19:17:00Z""#);
// Test that we can parse json values into a valueset.
crate::valueset::scim_json_put_reflexive::<ValueSetDateTime>(vs, &[])
crate::valueset::scim_json_put_reflexive::<ValueSetDateTime>(&vs, &[])
}
}

5
server/lib/src/valueset/hexstring.rs
View file

@ -183,9 +183,6 @@ mod tests {
fn test_scim_hexstring() {
let vs: ValueSet =
ValueSetHexString::new("D68475C760A7A0F6A924C28F095573A967F600D6".to_string());
crate::valueset::scim_json_reflexive(
vs.clone(),
r#""D68475C760A7A0F6A924C28F095573A967F600D6""#,
);
crate::valueset::scim_json_reflexive(&vs, r#""D68475C760A7A0F6A924C28F095573A967F600D6""#);
}
}

6
server/lib/src/valueset/image/jpg.rs
View file

@ -1,3 +1,5 @@
use std::io::Cursor;
use image::codecs::jpeg::JpegDecoder;
use image::ImageDecoder;
use sketching::*;
@ -79,9 +81,9 @@ pub fn has_trailer(contents: &Vec<u8>) -> Result<bool, ImageValidationError> {
pub fn validate_decoding(
filename: &str,
contents: &[u8],
limits: image::io::Limits,
limits: image::Limits,
) -> Result<(), ImageValidationError> {
let mut decoder = match JpegDecoder::new(contents) {
let mut decoder = match JpegDecoder::new(Cursor::new(contents)) {
Ok(val) => val,
Err(err) => {
return Err(ImageValidationError::InvalidImage(format!(

11
server/lib/src/valueset/image/mod.rs
View file

@ -1,6 +1,7 @@
#![allow(dead_code)]
use crate::valueset::ScimResolveStatus;
use std::fmt::Display;
use std::io::Cursor;
use crate::be::dbvalue::DbValueImage;
use crate::prelude::*;
@ -37,8 +38,8 @@ pub trait ImageValueThings {
/// A sha256 of the filename/type/contents
fn hash_imagevalue(&self) -> String;
fn get_limits(&self) -> image::io::Limits {
let mut limits = image::io::Limits::default();
fn get_limits(&self) -> image::Limits {
let mut limits = image::Limits::default();
limits.max_image_height = Some(MAX_IMAGE_HEIGHT);
limits.max_image_width = Some(MAX_IMAGE_WIDTH);
limits
@ -148,7 +149,7 @@ impl ImageValueThings for ImageValue {
/// validate the GIF file contents, and that it's actually a GIF
fn validate_is_gif(&self) -> Result<(), ImageValidationError> {
let Ok(mut decoder) = GifDecoder::new(&self.contents[..]) else {
let Ok(mut decoder) = GifDecoder::new(Cursor::new(&self.contents[..])) else {
return Err(ImageValidationError::InvalidImage(
"Failed to parse GIF".to_string(),
));
@ -189,7 +190,7 @@ impl ImageValueThings for ImageValue {
));
}
let Ok(mut decoder) = WebPDecoder::new(&self.contents[..]) else {
let Ok(mut decoder) = WebPDecoder::new(Cursor::new(&self.contents[..])) else {
return Err(ImageValidationError::InvalidImage(
"Failed to parse WebP file".to_string(),
));
@ -532,7 +533,7 @@ mod tests {
"142dc7984dd548dd5dacfe2ad30f8473e3217e39b3b6c8d17a0cf6e4e24b02e0"
]"#;
crate::valueset::scim_json_reflexive(vs.clone(), data);
crate::valueset::scim_json_reflexive(&vs, data);
}
*/
}

4
server/lib/src/valueset/iname.rs
View file

@ -226,9 +226,9 @@ mod tests {
#[test]
fn test_scim_iname() {
let vs: ValueSet = ValueSetIname::new("stevo");
crate::valueset::scim_json_reflexive(vs.clone(), r#""stevo""#);
crate::valueset::scim_json_reflexive(&vs, r#""stevo""#);
// Test that we can parse json values into a valueset.
crate::valueset::scim_json_put_reflexive::<ValueSetIname>(vs, &[])
crate::valueset::scim_json_put_reflexive::<ValueSetIname>(&vs, &[])
}
}

4
server/lib/src/valueset/index.rs
View file

@ -183,9 +183,9 @@ mod tests {
#[test]
fn test_scim_index() {
let vs: ValueSet = ValueSetIndex::new(IndexType::Equality);
crate::valueset::scim_json_reflexive(vs.clone(), r#"["EQUALITY"]"#);
crate::valueset::scim_json_reflexive(&vs, r#"["EQUALITY"]"#);
// Test that we can parse json values into a valueset.
crate::valueset::scim_json_put_reflexive::<ValueSetIndex>(vs, &[])
crate::valueset::scim_json_put_reflexive::<ValueSetIndex>(&vs, &[])
}
}

4
server/lib/src/valueset/iutf8.rs
View file

@ -227,9 +227,9 @@ mod tests {
#[test]
fn test_scim_iutf8() {
let vs: ValueSet = ValueSetIutf8::new("lowercase string");
crate::valueset::scim_json_reflexive(vs.clone(), r#""lowercase string""#);
crate::valueset::scim_json_reflexive(&vs, r#""lowercase string""#);
// Test that we can parse json values into a valueset.
crate::valueset::scim_json_put_reflexive::<ValueSetIutf8>(vs, &[])
crate::valueset::scim_json_put_reflexive::<ValueSetIutf8>(&vs, &[])
}
}

4
server/lib/src/valueset/json.rs
View file

@ -205,9 +205,9 @@ mod tests {
"{\"pres\":\"class\"}"
]
"#;
crate::valueset::scim_json_reflexive(vs.clone(), data);
crate::valueset::scim_json_reflexive(&vs, data);
// Test that we can parse json values into a valueset.
// crate::valueset::scim_json_put_reflexive::<ValueSetJsonFilter>(vs, &[])
// crate::valueset::scim_json_put_reflexive::<ValueSetJsonFilter>(&vs, &[])
}
}

2
server/lib/src/valueset/key_internal.rs
View file

@ -649,6 +649,6 @@ mod tests {
}
]
"#;
crate::valueset::scim_json_reflexive(vs, data);
crate::valueset::scim_json_reflexive(&vs, data);
}
}

20
server/lib/src/valueset/mod.rs
View file

@ -995,7 +995,7 @@ pub fn from_db_valueset_v2(dbvs: DbValueSetV2) -> Result<ValueSet, OperationErro
}
#[cfg(test)]
pub(crate) fn scim_json_reflexive(vs: ValueSet, data: &str) {
pub(crate) fn scim_json_reflexive(vs: &ValueSet, data: &str) {
let scim_value = vs.to_scim_value().unwrap().assume_resolved();
let strout = serde_json::to_string_pretty(&scim_value).unwrap();
@ -1012,25 +1012,27 @@ pub(crate) fn scim_json_reflexive(vs: ValueSet, data: &str) {
#[cfg(test)]
pub(crate) fn scim_json_reflexive_unresolved(
write_txn: &mut QueryServerWriteTransaction,
vs: ValueSet,
vs: &ValueSet,
data: &str,
) {
let scim_int_value = vs.to_scim_value().unwrap().assume_unresolved();
let scim_value = write_txn.resolve_scim_interim(scim_int_value).unwrap();
let strout = serde_json::to_string_pretty(&scim_value).unwrap();
let strout = serde_json::to_string_pretty(&scim_value).expect("Failed to serialize");
eprintln!("{}", strout);
let json_value: serde_json::Value = serde_json::to_value(&scim_value).unwrap();
let json_value: serde_json::Value =
serde_json::to_value(&scim_value).expect("Failed to convert to JSON");
let expect: serde_json::Value = serde_json::from_str(data).unwrap();
let expect: serde_json::Value =
serde_json::from_str(data).expect("Failed to parse expected JSON");
assert_eq!(json_value, expect);
}
#[cfg(test)]
pub(crate) fn scim_json_put_reflexive<T: ValueSetScimPut>(
expect_vs: ValueSet,
expect_vs: &ValueSet,
additional_tests: &[(JsonValue, ValueSet)],
) {
let scim_value = expect_vs.to_scim_value().unwrap().assume_resolved();
@ -1041,7 +1043,7 @@ pub(crate) fn scim_json_put_reflexive<T: ValueSetScimPut>(
let generic = serde_json::to_value(scim_value).unwrap();
// Check that we can turn back into a vs from the generic version.
let vs = T::from_scim_json_put(generic).unwrap().assume_resolved();
assert_eq!(&vs, &expect_vs);
assert_eq!(&vs, expect_vs);
// For each additional check, assert they work as expected.
for (jv, expect_vs) in additional_tests {
@ -1053,7 +1055,7 @@ pub(crate) fn scim_json_put_reflexive<T: ValueSetScimPut>(
#[cfg(test)]
pub(crate) fn scim_json_put_reflexive_unresolved<T: ValueSetScimPut>(
write_txn: &mut QueryServerWriteTransaction,
expect_vs: ValueSet,
expect_vs: &ValueSet,
additional_tests: &[(JsonValue, ValueSet)],
) {
let scim_int_value = expect_vs.to_scim_value().unwrap().assume_unresolved();
@ -1063,7 +1065,7 @@ pub(crate) fn scim_json_put_reflexive_unresolved<T: ValueSetScimPut>(
// Check that we can turn back into a vs from the generic version.
let vs_inter = T::from_scim_json_put(generic).unwrap().assume_unresolved();
let vs = write_txn.resolve_valueset_intermediate(vs_inter).unwrap();
assert_eq!(&vs, &expect_vs);
assert_eq!(&vs, expect_vs);
// For each additional check, assert they work as expected.
for (jv, expect_vs) in additional_tests {

7
server/lib/src/valueset/nsuniqueid.rs
View file

@ -189,12 +189,9 @@ mod tests {
fn test_scim_nsuniqueid() {
let vs: ValueSet =
ValueSetNsUniqueId::new("3a163ca0-47624620-a18806b7-50c84c86".to_string());
crate::valueset::scim_json_reflexive(
vs.clone(),
r#""3a163ca0-47624620-a18806b7-50c84c86""#,
);
crate::valueset::scim_json_reflexive(&vs, r#""3a163ca0-47624620-a18806b7-50c84c86""#);
// Test that we can parse json values into a valueset.
crate::valueset::scim_json_put_reflexive::<ValueSetNsUniqueId>(vs, &[])
crate::valueset::scim_json_put_reflexive::<ValueSetNsUniqueId>(&vs, &[])
}
}

12
server/lib/src/valueset/oauth.rs
View file

@ -898,10 +898,10 @@ mod tests {
fn test_scim_oauth2_scope() {
let vs: ValueSet = ValueSetOauthScope::new("fully_sick_scope_m8".to_string());
let data = r#"["fully_sick_scope_m8"]"#;
crate::valueset::scim_json_reflexive(vs.clone(), data);
crate::valueset::scim_json_reflexive(&vs, data);
// Test that we can parse json values into a valueset.
crate::valueset::scim_json_put_reflexive::<ValueSetOauthScope>(vs, &[])
crate::valueset::scim_json_put_reflexive::<ValueSetOauthScope>(&vs, &[])
}
#[qs_test]
@ -930,12 +930,12 @@ mod tests {
}
]
"#;
crate::valueset::scim_json_reflexive_unresolved(&mut write_txn, vs.clone(), data);
crate::valueset::scim_json_reflexive_unresolved(&mut write_txn, &vs, data);
// Test that we can parse json values into a valueset.
crate::valueset::scim_json_put_reflexive_unresolved::<ValueSetOauthScopeMap>(
&mut write_txn,
vs,
&vs,
&[],
);
@ -970,12 +970,12 @@ mod tests {
}
]
"#;
crate::valueset::scim_json_reflexive_unresolved(&mut write_txn, vs.clone(), data);
crate::valueset::scim_json_reflexive_unresolved(&mut write_txn, &vs, data);
// Test that we can parse json values into a valueset.
crate::valueset::scim_json_put_reflexive_unresolved::<ValueSetOauthClaimMap>(
&mut write_txn,
vs,
&vs,
&[],
);

2
server/lib/src/valueset/restricted.rs
View file

@ -205,6 +205,6 @@ mod tests {
#[test]
fn test_scim_restricted() {
let vs: ValueSet = ValueSetRestricted::new("Test".to_string());
crate::valueset::scim_json_reflexive(vs, r#""Test""#);
crate::valueset::scim_json_reflexive(&vs, r#""Test""#);
}
}

4
server/lib/src/valueset/session.rs
View file

@ -1920,7 +1920,7 @@ mod tests {
}
]
"#;
crate::valueset::scim_json_reflexive(vs, data);
crate::valueset::scim_json_reflexive(&vs, data);
}
#[test]
@ -1948,6 +1948,6 @@ mod tests {
]
"#;
crate::valueset::scim_json_reflexive(vs, data);
crate::valueset::scim_json_reflexive(&vs, data);
}
}

2
server/lib/src/valueset/spn.rs
View file

@ -188,6 +188,6 @@ mod tests {
#[test]
fn test_scim_spn() {
let vs: ValueSet = ValueSetSpn::new(("claire".to_string(), "example.com".to_string()));
crate::valueset::scim_json_reflexive(vs, r#""claire@example.com""#);
crate::valueset::scim_json_reflexive(&vs, r#""claire@example.com""#);
}
}

4
server/lib/src/valueset/ssh.rs
View file

@ -247,9 +247,9 @@ mod tests {
}
]
"#;
crate::valueset::scim_json_reflexive(vs.clone(), data);
crate::valueset::scim_json_reflexive(&vs, data);
// Test that we can parse json values into a valueset.
crate::valueset::scim_json_put_reflexive::<ValueSetSshKey>(vs, &[])
crate::valueset::scim_json_put_reflexive::<ValueSetSshKey>(&vs, &[])
}
}

4
server/lib/src/valueset/syntax.rs
View file

@ -188,9 +188,9 @@ mod tests {
#[test]
fn test_scim_syntax() {
let vs: ValueSet = ValueSetSyntax::new(SyntaxType::Uuid);
crate::valueset::scim_json_reflexive(vs.clone(), r#""UUID""#);
crate::valueset::scim_json_reflexive(&vs, r#""UUID""#);
// Test that we can parse json values into a valueset.
crate::valueset::scim_json_put_reflexive::<ValueSetSyntax>(vs, &[])
crate::valueset::scim_json_put_reflexive::<ValueSetSyntax>(&vs, &[])
}
}

4
server/lib/src/valueset/uihint.rs
View file

@ -163,9 +163,9 @@ mod tests {
#[test]
fn test_scim_uihint() {
let vs: ValueSet = ValueSetUiHint::new(UiHint::PosixAccount);
crate::valueset::scim_json_reflexive(vs.clone(), r#"["posixaccount"]"#);
crate::valueset::scim_json_reflexive(&vs, r#"["posixaccount"]"#);
// Test that we can parse json values into a valueset.
crate::valueset::scim_json_put_reflexive::<ValueSetUiHint>(vs, &[])
crate::valueset::scim_json_put_reflexive::<ValueSetUiHint>(&vs, &[])
}
}

4
server/lib/src/valueset/uint32.rs
View file

@ -196,9 +196,9 @@ mod tests {
#[test]
fn test_scim_uint32() {
let vs: ValueSet = ValueSetUint32::new(69);
crate::valueset::scim_json_reflexive(vs.clone(), "69");
crate::valueset::scim_json_reflexive(&vs, "69");
// Test that we can parse json values into a valueset.
crate::valueset::scim_json_put_reflexive::<ValueSetUint32>(vs, &[])
crate::valueset::scim_json_put_reflexive::<ValueSetUint32>(&vs, &[])
}
}

4
server/lib/src/valueset/url.rs
View file

@ -183,9 +183,9 @@ mod tests {
fn test_scim_url() {
let u = Url::parse("https://idm.example.com").unwrap();
let vs: ValueSet = ValueSetUrl::new(u);
crate::valueset::scim_json_reflexive(vs.clone(), r#""https://idm.example.com/""#);
crate::valueset::scim_json_reflexive(&vs, r#""https://idm.example.com/""#);
// Test that we can parse json values into a valueset.
crate::valueset::scim_json_put_reflexive::<ValueSetUrl>(vs, &[])
crate::valueset::scim_json_put_reflexive::<ValueSetUrl>(&vs, &[])
}
}

4
server/lib/src/valueset/utf8.rs
View file

@ -246,9 +246,9 @@ mod tests {
fn test_scim_utf8() {
let vs: ValueSet = ValueSetUtf8::new("Test".to_string());
// Test that the output json matches some known str
crate::valueset::scim_json_reflexive(vs.clone(), r#""Test""#);
crate::valueset::scim_json_reflexive(&vs, r#""Test""#);
// Test that we can parse json values into a valueset.
crate::valueset::scim_json_put_reflexive::<ValueSetUtf8>(vs, &[])
crate::valueset::scim_json_put_reflexive::<ValueSetUtf8>(&vs, &[])
}
}

15
server/lib/src/valueset/uuid.rs
View file

@ -238,6 +238,13 @@ impl ValueSetScimPut for ValueSetRefer {
fn from_scim_json_put(value: JsonValue) -> Result<ValueSetResolveStatus, OperationError> {
use kanidm_proto::scim_v1::client::{ScimReference, ScimReferences};
// May be a single reference, lets wrap it in an array to proceed.
let value = if !value.is_array() && value.is_object() {
JsonValue::Array(vec![value])
} else {
value
};
let scim_refs: ScimReferences = serde_json::from_value(value).map_err(|err| {
warn!(?err, "Invalid SCIM reference set syntax");
OperationError::SC0002ReferenceSyntaxInvalid
@ -422,10 +429,10 @@ mod tests {
let data = r#""4d21d04a-dc0e-42eb-b850-34dd180b107f""#;
crate::valueset::scim_json_reflexive(vs.clone(), data);
crate::valueset::scim_json_reflexive(&vs, data);
// Test that we can parse json values into a valueset.
crate::valueset::scim_json_put_reflexive::<ValueSetUuid>(vs, &[])
crate::valueset::scim_json_put_reflexive::<ValueSetUuid>(&vs, &[])
}
#[qs_test]
@ -449,12 +456,12 @@ mod tests {
let data = r#"[{"uuid": "4d21d04a-dc0e-42eb-b850-34dd180b107f", "value": "testperson1@example.com"}]"#;
crate::valueset::scim_json_reflexive_unresolved(&mut write_txn, vs.clone(), data);
crate::valueset::scim_json_reflexive_unresolved(&mut write_txn, &vs, data);
// Test that we can parse json values into a valueset.
crate::valueset::scim_json_put_reflexive_unresolved::<ValueSetRefer>(
&mut write_txn,
vs,
&vs,
&[],
);

2
server/testkit-macros/src/lib.rs
View file

@ -44,7 +44,7 @@ pub fn cli_kanidm(_input: TokenStream) -> TokenStream {
.run()
.unwrap();
let mut kanidm = kanidm.command();
kanidm.env("KANIDM_URL", &rsclient.get_url().to_string());
kanidm.env("KANIDM_URL", rsclient.get_url().to_string());
kanidm.env("KANIDM_TOKEN_CACHE_PATH", &token_cache_path);
kanidm
}

4
server/testkit/tests/testkit/group.rs
View file

@ -10,7 +10,7 @@ async fn test_v1_group_id_patch(rsclient: &KanidmClient) {
.await;
assert!(res.is_ok());
create_user(&rsclient, "foo", "foogroup").await;
create_user(rsclient, "foo", "foogroup").await;
let post_body = serde_json::json!({"attrs": { ATTR_DESCRIPTION : ["Fancy group change"]}});
@ -31,7 +31,7 @@ async fn test_v1_group_id_attr_post(rsclient: &KanidmClient) {
.await;
assert!(res.is_ok());
create_user(&rsclient, "foo", "foogroup").await;
create_user(rsclient, "foo", "foogroup").await;
let post_body = serde_json::json!(["foo"]);

42
server/testkit/tests/testkit/identity_verification_tests.rs
View file

@ -17,8 +17,8 @@ static USER_B_NAME: &str = "valid_user_b";
#[kanidmd_testkit::test]
async fn test_not_authenticated(rsclient: &KanidmClient) {
// basically here we try a bit of all the possible combinations while unauthenticated to check it's not working
setup_server(&rsclient).await;
create_user(&rsclient, USER_A_NAME).await;
setup_server(rsclient).await;
create_user(rsclient, USER_A_NAME).await;
let _ = rsclient.logout().await;
let res = rsclient
.idm_person_identify_user(USER_A_NAME, IdentifyUserRequest::Start)
@ -47,11 +47,11 @@ async fn test_not_authenticated(rsclient: &KanidmClient) {
#[kanidmd_testkit::test]
async fn test_non_existing_user_id(rsclient: &KanidmClient) {
setup_server(&rsclient).await;
create_user(&rsclient, USER_A_NAME).await;
create_user(&rsclient, USER_B_NAME).await;
setup_server(rsclient).await;
create_user(rsclient, USER_A_NAME).await;
create_user(rsclient, USER_B_NAME).await;
let non_existing_user = "non_existing_user";
login_with_user(&rsclient, USER_A_NAME).await;
login_with_user(rsclient, USER_A_NAME).await;
let res: Result<IdentifyUserResponse, kanidm_client::ClientError> = rsclient
.idm_person_identify_user(non_existing_user, IdentifyUserRequest::Start)
.await;
@ -87,9 +87,9 @@ async fn test_non_existing_user_id(rsclient: &KanidmClient) {
// Each tests is named like `test_{api input}_response_{expected api output}_or_{expected api output}`
#[kanidmd_testkit::test]
async fn test_start_response_identity_verification_available(rsclient: &KanidmClient) {
setup_server(&rsclient).await;
create_user(&rsclient, USER_A_NAME).await;
login_with_user(&rsclient, USER_A_NAME).await;
setup_server(rsclient).await;
create_user(rsclient, USER_A_NAME).await;
login_with_user(rsclient, USER_A_NAME).await;
let response = rsclient
.idm_person_identify_user(USER_A_NAME, IdentifyUserRequest::Start)
@ -106,10 +106,10 @@ async fn test_start_response_identity_verification_available(rsclient: &KanidmCl
// `Start`, that is WaitForCode or ProvideCode
#[kanidmd_testkit::test]
async fn test_start_response_wait_for_code_or_provide_code(rsclient: &KanidmClient) {
setup_server(&rsclient).await;
let user_a_uuid = create_user(&rsclient, USER_A_NAME).await;
let user_b_uuid = create_user(&rsclient, USER_B_NAME).await;
login_with_user(&rsclient, USER_A_NAME).await;
setup_server(rsclient).await;
let user_a_uuid = create_user(rsclient, USER_A_NAME).await;
let user_b_uuid = create_user(rsclient, USER_B_NAME).await;
login_with_user(rsclient, USER_A_NAME).await;
let response = rsclient
.idm_person_identify_user(USER_B_NAME, IdentifyUserRequest::Start)
.await;
@ -130,10 +130,10 @@ async fn test_start_response_wait_for_code_or_provide_code(rsclient: &KanidmClie
#[kanidmd_testkit::test]
async fn test_provide_code_response_code_failure_or_provide_code(rsclient: &KanidmClient) {
setup_server(&rsclient).await;
let user_a_uuid = create_user(&rsclient, USER_A_NAME).await;
let user_b_uuid = create_user(&rsclient, USER_B_NAME).await;
login_with_user(&rsclient, USER_A_NAME).await;
setup_server(rsclient).await;
let user_a_uuid = create_user(rsclient, USER_A_NAME).await;
let user_b_uuid = create_user(rsclient, USER_B_NAME).await;
login_with_user(rsclient, USER_A_NAME).await;
let response = rsclient
.idm_person_identify_user(
USER_B_NAME,
@ -158,12 +158,12 @@ async fn test_provide_code_response_code_failure_or_provide_code(rsclient: &Kani
// here we actually test the full idm flow by duplicating the server
#[kanidmd_testkit::test]
async fn test_full_identification_flow(rsclient: &KanidmClient) {
setup_server(&rsclient).await;
let user_a_uuid = create_user(&rsclient, USER_A_NAME).await;
let user_b_uuid = create_user(&rsclient, USER_B_NAME).await;
setup_server(rsclient).await;
let user_a_uuid = create_user(rsclient, USER_A_NAME).await;
let user_b_uuid = create_user(rsclient, USER_B_NAME).await;
//user A session
let valid_user_a_client = rsclient;
login_with_user(&valid_user_a_client, USER_A_NAME).await;
login_with_user(valid_user_a_client, USER_A_NAME).await;
//user B session
let valid_user_b_client = valid_user_a_client.new_session().unwrap();
login_with_user(&valid_user_b_client, USER_B_NAME).await;

30
server/testkit/tests/testkit/integration.rs
View file

@ -76,10 +76,10 @@ async fn test_webdriver_user_login(rsclient: &KanidmClient) {
use fantoccini::Locator;
use kanidmd_testkit::*;
use std::time::Duration;
login_put_admin_idm_admins(&rsclient).await;
login_put_admin_idm_admins(rsclient).await;
create_user_with_all_attrs(
&rsclient,
rsclient,
NOT_ADMIN_TEST_USERNAME,
Some(NOT_ADMIN_TEST_PASSWORD),
)
@ -89,7 +89,7 @@ async fn test_webdriver_user_login(rsclient: &KanidmClient) {
handle_error!(
c,
c.goto(&rsclient.get_url().to_string()).await,
c.goto(rsclient.get_url().to_string()).await,
"Couldn't get URL"
);
@ -207,7 +207,7 @@ async fn test_webdriver_user_login(rsclient: &KanidmClient) {
#[kanidmd_testkit::test]
async fn test_domain_reset_token_key(rsclient: &KanidmClient) {
login_put_admin_idm_admins(&rsclient).await;
login_put_admin_idm_admins(rsclient).await;
let token = rsclient.get_token().await.expect("No bearer token present");
@ -220,7 +220,7 @@ async fn test_domain_reset_token_key(rsclient: &KanidmClient) {
#[kanidmd_testkit::test]
async fn test_idm_domain_set_ldap_basedn(rsclient: &KanidmClient) {
login_put_admin_idm_admins(&rsclient).await;
login_put_admin_idm_admins(rsclient).await;
assert!(rsclient
.idm_domain_set_ldap_basedn("dc=krabsarekool,dc=example,dc=com")
.await
@ -233,7 +233,7 @@ async fn test_idm_domain_set_ldap_basedn(rsclient: &KanidmClient) {
#[kanidmd_testkit::test]
async fn test_idm_domain_set_ldap_max_queryable_attrs(rsclient: &KanidmClient) {
login_put_admin_idm_admins(&rsclient).await;
login_put_admin_idm_admins(rsclient).await;
assert!(rsclient
.idm_domain_set_ldap_max_queryable_attrs(20)
.await
@ -247,7 +247,7 @@ async fn test_idm_domain_set_ldap_max_queryable_attrs(rsclient: &KanidmClient) {
#[kanidmd_testkit::test]
/// Checks that a built-in group idm_all_persons has the "builtin" class as expected.
async fn test_all_persons_has_builtin_class(rsclient: &KanidmClient) {
login_put_admin_idm_admins(&rsclient).await;
login_put_admin_idm_admins(rsclient).await;
let res = rsclient
.idm_group_get("idm_all_persons")
.await
@ -306,7 +306,7 @@ async fn test_all_persons_has_builtin_class(rsclient: &KanidmClient) {
/// Testing the CLI doing things.
async fn test_integration_with_assert_cmd(rsclient: KanidmClient) {
// setup the admin things
login_put_admin_idm_admins(&rsclient).await;
login_put_admin_idm_admins(rsclient).await;
rsclient
.idm_person_account_primary_credential_set_password(
@ -334,13 +334,13 @@ async fn test_integration_with_assert_cmd(rsclient: KanidmClient) {
assert!(anon_whoami.status.success());
println!("Output: {:?}", anon_whoami);
test_cmd_admin(&token_cache_path, &rsclient, "login -D admin");
test_cmd_admin(&token_cache_path, rsclient, "login -D admin");
// login as idm_admin
test_cmd_idm_admin(&token_cache_path, &rsclient, "login -D idm_admin");
test_cmd_idm_admin(&token_cache_path, rsclient, "login -D idm_admin");
test_cmd_admin_split(
&token_cache_path,
&rsclient,
rsclient,
&[
"service-account",
"create",
@ -355,13 +355,13 @@ async fn test_integration_with_assert_cmd(rsclient: KanidmClient) {
test_cmd_admin(
&token_cache_path,
&rsclient,
rsclient,
&format!("service-account get -D admin {}", NOT_ADMIN_TEST_USERNAME),
);
// updating the display name
test_cmd_admin(
&token_cache_path,
&rsclient,
rsclient,
&format!(
"service-account update -D admin {} --displayname cheeseballs",
NOT_ADMIN_TEST_USERNAME
@ -370,7 +370,7 @@ async fn test_integration_with_assert_cmd(rsclient: KanidmClient) {
// updating the email
test_cmd_admin(
&token_cache_path,
&rsclient,
rsclient,
&format!(
"service-account update -D admin {} --mail foo@bar.com",
NOT_ADMIN_TEST_USERNAME
@ -380,7 +380,7 @@ async fn test_integration_with_assert_cmd(rsclient: KanidmClient) {
// checking the email was changed
let sad = test_cmd_admin(
&token_cache_path,
&rsclient,
rsclient,
&format!(
"service-account get -D admin -o json {}",
NOT_ADMIN_TEST_USERNAME

79
server/testkit/tests/testkit/ldap_basic.rs
View file

@ -1,5 +1,10 @@
use kanidmd_testkit::AsyncTestEnvironment;
use kanidm_proto::scim_v1::client::{ScimEntryApplicationPost, ScimReference};
use kanidmd_testkit::{AsyncTestEnvironment, IDM_ADMIN_TEST_PASSWORD, IDM_ADMIN_TEST_USER};
use ldap3_client::LdapClientBuilder;
use tracing::debug;
const TEST_PERSON: &str = "user_mcuserton";
const TEST_GROUP: &str = "group_mcgroupington";
#[kanidmd_testkit::test(ldap = true)]
async fn test_ldap_basic_unix_bind(test_env: &AsyncTestEnvironment) {
@ -14,3 +19,75 @@ async fn test_ldap_basic_unix_bind(test_env: &AsyncTestEnvironment) {
assert_eq!(whoami, Some("u: anonymous@localhost".to_string()));
}
#[kanidmd_testkit::test(ldap = true)]
async fn test_ldap_application_password_basic(test_env: &AsyncTestEnvironment) {
const APPLICATION_1_NAME: &str = "test_application_1";
// Remember, this isn't the exhaustive test for application password behaviours,
// those are in the main server. This is just a basic smoke test that the interfaces
// are exposed and work in a basic manner.
let idm_admin_rsclient = test_env.rsclient.new_session().unwrap();
// Create a person
idm_admin_rsclient
.auth_simple_password(IDM_ADMIN_TEST_USER, IDM_ADMIN_TEST_PASSWORD)
.await
.expect("Failed to login as admin");
idm_admin_rsclient
.idm_person_account_create(TEST_PERSON, TEST_PERSON)
.await
.expect("Failed to create the user");
idm_admin_rsclient
.idm_group_create(TEST_GROUP, None)
.await
.expect("Failed to create test group");
// Create two applications
let application_1 = ScimEntryApplicationPost {
name: APPLICATION_1_NAME.to_string(),
displayname: APPLICATION_1_NAME.to_string(),
linked_group: ScimReference::from(TEST_GROUP),
};
let application_entry = idm_admin_rsclient
.idm_application_create(&application_1)
.await
.expect("Failed to create the user");
debug!(?application_entry);
// List, get them.
// Login as the person
// Create application passwords
// Check the work.
// Check they can't cross talk.
// Done!
// let ldap_url = test_env.ldap_url.as_ref().unwrap();
// let mut ldap_client = LdapClientBuilder::new(ldap_url).build().await.unwrap();
let result = idm_admin_rsclient
.idm_application_delete(APPLICATION_1_NAME)
.await
.expect("Failed to create the user");
debug!(?result);
// Delete the applications
// Check that you can no longer bind.
// They no longer list
}

4
server/testkit/tests/testkit/person.rs
View file

@ -10,7 +10,7 @@ async fn test_v1_person_id_patch(rsclient: &KanidmClient) {
.await;
assert!(res.is_ok());
create_user(&rsclient, "foo", "foogroup").await;
create_user(rsclient, "foo", "foogroup").await;
let post_body = serde_json::json!({"attrs": { ATTR_MAIL : ["crab@example.com"]}});
@ -31,7 +31,7 @@ async fn test_v1_person_id_ssh_pubkeys_post(rsclient: &KanidmClient) {
.await;
assert!(res.is_ok());
create_user(&rsclient, "foo", "foogroup").await;
create_user(rsclient, "foo", "foogroup").await;
let post_body = serde_json::json!([
"ssh-key-tag-goes-here",

21
server/testkit/tests/testkit/proto_v1_test.rs
View file

@ -1366,7 +1366,7 @@ async fn setup_demo_account_password(
#[kanidmd_testkit::test]
async fn test_server_credential_update_session_passkey(rsclient: &KanidmClient) {
let mut wa = setup_demo_account_passkey(&rsclient).await;
let mut wa = setup_demo_account_passkey(rsclient).await;
let res = rsclient
.auth_passkey_begin("demo_account")
@ -1690,7 +1690,7 @@ async fn test_server_user_auth_token_lifecycle(rsclient: &KanidmClient) {
#[kanidmd_testkit::test]
async fn test_server_user_auth_reauthentication(rsclient: &KanidmClient) {
let mut wa = setup_demo_account_passkey(&rsclient).await;
let mut wa = setup_demo_account_passkey(rsclient).await;
let res = rsclient
.auth_passkey_begin("demo_account")
@ -1869,12 +1869,12 @@ async fn start_password_session(
#[kanidmd_testkit::test]
async fn test_server_user_auth_unprivileged(rsclient: &KanidmClient) {
let (account_name, account_pass) = setup_demo_account_password(&rsclient)
let (account_name, account_pass) = setup_demo_account_password(rsclient)
.await
.expect("Failed to setup demo_account");
let uat = start_password_session(
&rsclient,
rsclient,
account_name.as_str(),
account_pass.as_str(),
false,
@ -1892,18 +1892,13 @@ async fn test_server_user_auth_unprivileged(rsclient: &KanidmClient) {
#[kanidmd_testkit::test]
async fn test_server_user_auth_privileged_shortcut(rsclient: &KanidmClient) {
let (account_name, account_pass) = setup_demo_account_password(&rsclient)
let (account_name, account_pass) = setup_demo_account_password(rsclient)
.await
.expect("Failed to setup demo_account");
let uat = start_password_session(
&rsclient,
account_name.as_str(),
account_pass.as_str(),
true,
)
.await
.expect("Failed to start session");
let uat = start_password_session(rsclient, account_name.as_str(), account_pass.as_str(), true)
.await
.expect("Failed to start session");
match uat.purpose {
UatPurpose::ReadOnly => panic!("Unexpected uat purpose"),

8
server/testkit/tests/testkit/unix.rs
View file

@ -6,10 +6,10 @@ use kanidmd_testkit::*;
async fn account_id_unix_token(rsclient: &KanidmClient) {
login_put_admin_idm_admins(rsclient).await;
create_user(&rsclient, "group_manager", "idm_group_manage_priv").await;
create_user(rsclient, "group_manager", "idm_group_manage_priv").await;
// create test user without creating new groups
create_user(&rsclient, NOT_ADMIN_TEST_USERNAME, NAME_IDM_ADMINS).await;
login_account(&rsclient, "group_manager").await;
create_user(rsclient, NOT_ADMIN_TEST_USERNAME, NAME_IDM_ADMINS).await;
login_account(rsclient, "group_manager").await;
let response = rsclient
.idm_account_unix_token_get(NOT_ADMIN_TEST_USERNAME)
@ -32,7 +32,7 @@ async fn account_id_unix_token(rsclient: &KanidmClient) {
assert!(format!("{:?}", val).contains("400"));
}
login_put_admin_idm_admins(&rsclient).await;
login_put_admin_idm_admins(rsclient).await;
rsclient
.idm_person_account_unix_extend(NOT_ADMIN_TEST_USERNAME, None, None)

18
tools/cli/src/cli/system_config/badlist.rs
View file

@ -5,6 +5,7 @@ use crate::{handle_client_error, PwBadlistOpt};
use std::fs::File;
use std::io::Read;
use tokio::task;
use zxcvbn::Score;
const CHUNK_SIZE: usize = 1000;
@ -67,10 +68,6 @@ impl PwBadlistOpt {
info!("Have {} unique passwords to process", pwset.len());
// Break the list into chunks per thread availability
// let par_count = thread::available_parallelism()
// .expect("Failed to determine available parallelism")
// .get();
let task_handles: Vec<_> = pwset
.chunks(CHUNK_SIZE)
.map(|chunk| chunk.to_vec())
@ -82,18 +79,7 @@ impl PwBadlistOpt {
if v.len() < 10 {
return false;
}
match zxcvbn::zxcvbn(v.as_str(), &[]) {
Ok(r) => r.score() >= 4,
Err(e) => {
error!(
"zxcvbn unable to process '{}' - {:?}",
v.as_str(),
e
);
error!("adding to badlist anyway ...");
true
}
}
zxcvbn::zxcvbn(v.as_str(), &[]).score() >= Score::Four
})
.map(|s| s.to_string())
.collect::<Vec<_>>();

2
tools/orca/src/error.rs
View file

@ -8,4 +8,6 @@ pub enum Error {
Interrupt,
Crossbeam,
InvalidState,
#[allow(dead_code)]
RandomNumber(String),
}

8
tools/orca/src/generate.rs
View file

@ -4,8 +4,9 @@ use crate::model::ActorRole;
use crate::profile::Profile;
use crate::state::{Credential, Flag, Group, GroupName, Person, PreflightState, State};
use hashbrown::HashMap;
use rand::distributions::{Alphanumeric, DistString, Uniform};
use rand::seq::{index, SliceRandom};
use rand::distr::{Alphanumeric, SampleString, Uniform};
use rand::seq::{index, IndexedRandom};
use rand::{Rng, SeedableRng};
use rand_chacha::ChaCha8Rng;
@ -171,7 +172,8 @@ pub async fn populate(_client: &KanidmOrcaClient, profile: Profile) -> Result<St
let baseline = persons.len() / 3;
let inverse = persons.len() - baseline;
// Randomly add extra from the inverse
let extra = Uniform::new(0, inverse);
let extra =
Uniform::new(0, inverse).map_err(|err| Error::RandomNumber(err.to_string()))?;
baseline + seeded_rng.sample(extra)
}
};

2
tools/orca/src/models/basic.rs
View file

@ -27,7 +27,7 @@ impl ActorBasic {
pub fn new(mut cha_rng: ChaCha8Rng, warmup_time_ms: u64) -> Self {
let max_backoff_time_in_ms = 2 * warmup_time_ms / 3;
let randomised_backoff_time =
Duration::from_millis(cha_rng.gen_range(0..max_backoff_time_in_ms));
Duration::from_millis(cha_rng.random_range(0..max_backoff_time_in_ms));
ActorBasic {
state: State::Unauthenticated,
randomised_backoff_time,

2
tools/orca/src/models/latency_measurer.rs
View file

@ -76,7 +76,7 @@ impl ActorLatencyMeasurer {
let max_backoff_time_in_ms = 2 * warmup_time_ms / 3;
let randomised_backoff_time =
Duration::from_millis(cha_rng.gen_range(0..max_backoff_time_in_ms));
Duration::from_millis(cha_rng.random_range(0..max_backoff_time_in_ms));
Ok(ActorLatencyMeasurer {
state: State::Unauthenticated,
randomised_backoff_time,

2
tools/orca/src/models/read.rs
View file

@ -25,7 +25,7 @@ impl ActorReader {
pub fn new(mut cha_rng: ChaCha8Rng, warmup_time_ms: u64) -> Self {
let max_backoff_time_in_ms = warmup_time_ms - 1000;
let randomised_backoff_time =
Duration::from_millis(cha_rng.gen_range(0..max_backoff_time_in_ms));
Duration::from_millis(cha_rng.random_range(0..max_backoff_time_in_ms));
ActorReader {
state: State::Unauthenticated,
randomised_backoff_time,

2
tools/orca/src/models/write.rs
View file

@ -26,7 +26,7 @@ impl ActorWriter {
pub fn new(mut cha_rng: ChaCha8Rng, warmup_time_ms: u64) -> Self {
let max_backoff_time_in_ms = 2 * warmup_time_ms / 3;
let randomised_backoff_time =
Duration::from_millis(cha_rng.gen_range(0..max_backoff_time_in_ms));
Duration::from_millis(cha_rng.random_range(0..max_backoff_time_in_ms));
ActorWriter {
state: State::Unauthenticated,
randomised_backoff_time,

6
tools/orca/src/profile.rs
View file

@ -1,6 +1,6 @@
use crate::error::Error;
use crate::state::{GroupName, Model};
use rand::{thread_rng, Rng};
use rand::{rng, Rng};
use serde::de::{value, IntoDeserializer};
use serde::{Deserialize, Serialize};
use std::collections::BTreeMap;
@ -200,8 +200,8 @@ impl ProfileBuilder {
} = self;
let seed: u64 = seed.unwrap_or_else(|| {
let mut rng = thread_rng();
rng.gen()
let mut rng = rng();
rng.random()
});
//TODO: Allow to specify group properties from the CLI

2
tools/orca/src/run.rs
View file

@ -187,7 +187,7 @@ pub async fn execute(state: State, control_rx: broadcast::Receiver<Signal>) -> R
})
})
.collect::<Result<Vec<_>, _>>()?;
let main_client_index = seeded_rng.gen_range(0..cloned_clients.len());
let main_client_index = seeded_rng.random_range(0..cloned_clients.len());
let main_client = cloned_clients.remove(main_client_index);
//note that cloned_clients now contains all other clients except the first one

2
unix_integration/common/src/unix_config.rs
View file

@ -694,7 +694,7 @@ mod tests {
for file in PathBuf::from(&examples_dir)
.canonicalize()
.expect(&format!("Can't find examples dir at {}", examples_dir))
.unwrap_or_else(|_| panic!("Can't find examples dir at {}", examples_dir))
.read_dir()
.expect("Can't read examples dir!")
{

40
unix_integration/nss_kanidm/src/tests.rs
View file

@ -71,32 +71,32 @@ impl RequestOptions {
fn nss_fallback_unavail() {
let req_opt = RequestOptions::fallback_unavail();
let Response::Unavail = core::get_all_user_entries(req_opt) else {
unreachable!();
panic!("unrecoverable");
};
let req_opt = RequestOptions::fallback_unavail();
let Response::Unavail = core::get_user_entry_by_uid(0, req_opt) else {
unreachable!();
panic!("unrecoverable");
};
let req_opt = RequestOptions::fallback_unavail();
let Response::Unavail = core::get_user_entry_by_name("root".to_string(), req_opt) else {
unreachable!();
panic!("unrecoverable");
};
let req_opt = RequestOptions::fallback_unavail();
let Response::Unavail = core::get_all_group_entries(req_opt) else {
unreachable!();
panic!("unrecoverable");
};
let req_opt = RequestOptions::fallback_unavail();
let Response::Unavail = core::get_group_entry_by_gid(0, req_opt) else {
unreachable!();
panic!("unrecoverable");
};
let req_opt = RequestOptions::fallback_unavail();
let Response::Unavail = core::get_group_entry_by_name("root".to_string(), req_opt) else {
unreachable!();
panic!("unrecoverable");
};
}
@ -105,7 +105,7 @@ fn nss_fallback_all_user_entries() {
let req_opt = RequestOptions::fallback_fixture();
let Response::Success(users) = core::get_all_user_entries(req_opt) else {
unreachable!();
panic!("Failed to get all user entries");
};
assert_eq!(users.len(), 3);
@ -129,7 +129,7 @@ fn nss_fallback_all_user_entries() {
fn nss_fallback_user_entry_by_uid() {
let req_opt = RequestOptions::fallback_fixture();
let Response::Success(user) = core::get_user_entry_by_uid(0, req_opt) else {
unreachable!();
panic!("Failed to get user entry by uid");
};
assert_eq!(user.name, "root");
@ -139,7 +139,7 @@ fn nss_fallback_user_entry_by_uid() {
let req_opt = RequestOptions::fallback_fixture();
let Response::Success(user) = core::get_user_entry_by_uid(1000, req_opt) else {
unreachable!();
panic!("Failed to get user entry by uid");
};
assert_eq!(user.name, "tobias");
@ -149,7 +149,7 @@ fn nss_fallback_user_entry_by_uid() {
let req_opt = RequestOptions::fallback_fixture();
let Response::NotFound = core::get_user_entry_by_uid(10, req_opt) else {
unreachable!();
panic!("Wrong result");
};
}
@ -157,7 +157,7 @@ fn nss_fallback_user_entry_by_uid() {
fn nss_fallback_user_entry_by_name() {
let req_opt = RequestOptions::fallback_fixture();
let Response::Success(user) = core::get_user_entry_by_name("root".to_string(), req_opt) else {
unreachable!();
panic!("Failed to get user entry by name");
};
assert_eq!(user.name, "root");
@ -167,7 +167,7 @@ fn nss_fallback_user_entry_by_name() {
let req_opt = RequestOptions::fallback_fixture();
let Response::Success(user) = core::get_user_entry_by_name("ellie".to_string(), req_opt) else {
unreachable!();
panic!("Failed to get user entry by name");
};
assert_eq!(user.name, "ellie");
@ -177,7 +177,7 @@ fn nss_fallback_user_entry_by_name() {
let req_opt = RequestOptions::fallback_fixture();
let Response::NotFound = core::get_user_entry_by_name("william".to_string(), req_opt) else {
unreachable!();
panic!("Wrong result");
};
}
@ -186,7 +186,7 @@ fn nss_fallback_all_group_entries() {
let req_opt = RequestOptions::fallback_fixture();
let Response::Success(groups) = core::get_all_group_entries(req_opt) else {
unreachable!();
panic!("Failed to get all group entries");
};
assert_eq!(groups.len(), 3);
@ -207,7 +207,7 @@ fn nss_fallback_all_group_entries() {
fn nss_fallback_group_entry_by_uid() {
let req_opt = RequestOptions::fallback_fixture();
let Response::Success(group) = core::get_group_entry_by_gid(0, req_opt) else {
unreachable!();
panic!("Failed to get group entry by gid");
};
assert_eq!(group.name, "root");
@ -216,7 +216,7 @@ fn nss_fallback_group_entry_by_uid() {
let req_opt = RequestOptions::fallback_fixture();
let Response::Success(group) = core::get_group_entry_by_gid(1000, req_opt) else {
unreachable!();
panic!("Failed to get group entry by gid");
};
assert_eq!(group.name, "tobias");
@ -225,7 +225,7 @@ fn nss_fallback_group_entry_by_uid() {
let req_opt = RequestOptions::fallback_fixture();
let Response::NotFound = core::get_group_entry_by_gid(10, req_opt) else {
unreachable!();
panic!("Wrong result");
};
}
@ -234,7 +234,7 @@ fn nss_fallback_group_entry_by_name() {
let req_opt = RequestOptions::fallback_fixture();
let Response::Success(group) = core::get_group_entry_by_name("root".to_string(), req_opt)
else {
unreachable!();
panic!("Failed to get group entry by name");
};
assert_eq!(group.name, "root");
@ -244,7 +244,7 @@ fn nss_fallback_group_entry_by_name() {
let req_opt = RequestOptions::fallback_fixture();
let Response::Success(group) = core::get_group_entry_by_name("ellie".to_string(), req_opt)
else {
unreachable!();
panic!("Failed to get group entry by name");
};
assert_eq!(group.name, "ellie");
@ -253,6 +253,6 @@ fn nss_fallback_group_entry_by_name() {
let req_opt = RequestOptions::fallback_fixture();
let Response::NotFound = core::get_group_entry_by_name("william".to_string(), req_opt) else {
unreachable!();
panic!("Wrong result");
};
}

38
unix_integration/pam_kanidm/src/tests.rs
View file

@ -121,23 +121,17 @@ impl PamHandler for TestHandler {
/// Display a message to the user.
fn message(&self, _prompt: &str) -> PamResult<()> {
let mut q = self.response_queue.lock().unwrap();
match q.pop_front() {
e => {
eprintln!("{:?}", e);
panic!("Invalid event transition");
}
}
let e = q.pop_front();
eprintln!("{:?}", e);
panic!("Invalid event transition message");
}
/// Display a device grant request to the user.
fn message_device_grant(&self, _data: &DeviceAuthorizationResponse) -> PamResult<()> {
let mut q = self.response_queue.lock().unwrap();
match q.pop_front() {
e => {
eprintln!("{:?}", e);
panic!("Invalid event transition");
}
}
let e = q.pop_front();
eprintln!("{:?}", e);
panic!("Invalid event transition message_device_grant");
}
/// Request a password from the user.
@ -154,22 +148,16 @@ impl PamHandler for TestHandler {
fn prompt_for_pin(&self, _msg: Option<&str>) -> PamResult<Option<String>> {
let mut q = self.response_queue.lock().unwrap();
match q.pop_front() {
e => {
eprintln!("{:?}", e);
panic!("Invalid event transition");
}
}
let e = q.pop_front();
eprintln!("{:?}", e);
panic!("Invalid event transition prompt_for_pin");
}
fn prompt_for_mfacode(&self) -> PamResult<Option<String>> {
let mut q = self.response_queue.lock().unwrap();
match q.pop_front() {
e => {
eprintln!("{:?}", e);
panic!("Invalid event transition");
}
}
let mut q = self.response_queue.lock().expect("Failed to lock mutex");
let e = q.pop_front();
eprintln!("{:?}", e);
panic!("Invalid event transition prompt_for_mfacode");
}
}

2
unix_integration/resolver/tests/cache_layer_test.rs
View file

@ -1189,7 +1189,7 @@ async fn test_cache_extend_group_members() {
assert!(groups.iter().any(|group| {
group.name == "extensible_group"
&& group.members.as_slice()
== &[
== [
"local_account".to_string(),
"testaccount1@idm.example.com".to_string(),
]