Merge 0fe42f62bd into b113262357

It was possible that a token could be updated in a way that caused
existing cached information to be lost if an event was delayed
in it's write to the user token.

To prevent this, the writes to user tokens now require the HsmLock
to be held, and refresh the token just ahead of writing to ensure
that these data can't be lost. The benefit to this approach is that
readers remain unblocked by a writer.

Cargo.lock

@@ -232,9 +232,9 @@ dependencies = [
 
 [[package]]
 name = "async-compression"
-version = "0.4.21"
+version = "0.4.22"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c0cf008e5e1a9e9e22a7d3c9a4992e21a350290069e36d8fb72304ed17e8f2d2"
+checksum = "59a194f9d963d8099596278594b3107448656ba73831c9d8c783e613ce86da64"
 dependencies = [
  "flate2",
  "futures-core",
@@ -1167,9 +1167,9 @@ dependencies = [
 
 [[package]]
 name = "deranged"
-version = "0.4.0"
+version = "0.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9c9e6a11ca8224451684bc0d7d5a7adbf8f2fd6887261a1cfc3c0432f9d4068e"
+checksum = "28cfac68e08048ae1883171632c2aef3ebc555621ae56fbccce1cbf22dd7f058"
 dependencies = [
  "powerfmt",
  "serde",
@@ -1600,12 +1600,12 @@ dependencies = [
 
 [[package]]
 name = "fs4"
-version = "0.12.0"
+version = "0.13.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c29c30684418547d476f0b48e84f4821639119c483b1eccd566c8cd0cd05f521"
+checksum = "8640e34b88f7652208ce9e88b1a37a2ae95227d84abec377ccd3c5cfeb141ed4"
 dependencies = [
- "rustix 0.38.44",
- "windows-sys 0.52.0",
+ "rustix 1.0.3",
+ "windows-sys 0.59.0",
 ]
 
 [[package]]
@@ -2532,14 +2532,15 @@ dependencies = [
 
 [[package]]
 name = "iana-time-zone"
-version = "0.1.61"
+version = "0.1.62"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "235e081f3925a06703c2d0117ea8b91f042756fd6e7a6e5d901e8ca1a996b220"
+checksum = "b2fd658b06e56721792c5df4475705b6cda790e9298d19d2f8af083457bcd127"
 dependencies = [
  "android_system_properties",
  "core-foundation-sys",
  "iana-time-zone-haiku",
  "js-sys",
+ "log",
  "wasm-bindgen",
  "windows-core",
 ]
@@ -2594,9 +2595,9 @@ dependencies = [
 
 [[package]]
 name = "icu_locid_transform_data"
-version = "1.5.0"
+version = "1.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fdc8ff3388f852bede6b579ad4e978ab004f139284d7b28715f773507b946f6e"
+checksum = "7515e6d781098bf9f7205ab3fc7e9709d34554ae0b21ddbcb5febfa4bc7df11d"
 
 [[package]]
 name = "icu_normalizer"
@@ -2618,9 +2619,9 @@ dependencies = [
 
 [[package]]
 name = "icu_normalizer_data"
-version = "1.5.0"
+version = "1.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f8cafbf7aa791e9b22bec55a167906f9e1215fd475cd22adfcf660e03e989516"
+checksum = "c5e8338228bdc8ab83303f16b797e177953730f601a96c25d10cb3ab0daa0cb7"
 
 [[package]]
 name = "icu_properties"
@@ -2639,9 +2640,9 @@ dependencies = [
 
 [[package]]
 name = "icu_properties_data"
-version = "1.5.0"
+version = "1.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "67a8effbc3dd3e4ba1afa8ad918d5684b8868b3b26500753effea8d2eed19569"
+checksum = "85fb8799753b75aee8d2a21d7c14d9f38921b54b3dbda10f5a3c7a7b82dba5e2"
 
 [[package]]
 name = "icu_provider"
@@ -3063,6 +3064,8 @@ dependencies = [
  "futures",
  "kanidm_build_profiles",
  "kanidm_proto",
+ "kanidm_utils_users",
+ "selinux",
  "serde",
  "serde_json",
  "serde_with",
@@ -3483,9 +3486,9 @@ dependencies = [
 
 [[package]]
 name = "log"
-version = "0.4.26"
+version = "0.4.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "30bde2b3dc3671ae49d8e2e9f044c7c005836e7a023ee57cffa25ab82764bb9e"
+checksum = "13dc2df351e3202783a1fe0d44375f7295ffb4049267b0f3018346dc122a1d94"
 
 [[package]]
 name = "lru"
@@ -3948,15 +3951,15 @@ dependencies = [
 
 [[package]]
 name = "once_cell"
-version = "1.21.1"
+version = "1.21.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d75b0bedcc4fe52caa0e03d9f1151a323e4aa5e2d78ba3580400cd3c9e2bc4bc"
+checksum = "c2806eaa3524762875e21c3dcd057bc4b7bfa01ce4da8d46be1cd43649e1cc6b"
 
 [[package]]
 name = "openssl"
-version = "0.10.71"
+version = "0.10.72"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5e14130c6a98cd258fdcb0fb6d744152343ff729cbfcb28c656a9d12b999fbcd"
+checksum = "fedfea7d58a1f73118430a55da6a286e7b044961736ce96a16a17068ea25e5da"
 dependencies = [
  "bitflags 2.9.0",
  "cfg-if",
@@ -3986,9 +3989,9 @@ checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e"
 
 [[package]]
 name = "openssl-sys"
-version = "0.9.106"
+version = "0.9.107"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8bb61ea9811cc39e3c2069f40b8b8e2e70d8569b361f879786cc7ed48b777cdd"
+checksum = "8288979acd84749c744a9014b4382d42b8f7b2592847b5afb2ed29e5d16ede07"
 dependencies = [
  "cc",
  "libc",
@@ -4483,9 +4486,9 @@ dependencies = [
 
 [[package]]
 name = "quinn-udp"
-version = "0.5.10"
+version = "0.5.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e46f3055866785f6b92bc6164b76be02ca8f2eb4b002c0354b28cf4c119e5944"
+checksum = "541d0f57c6ec747a90738a52741d3221f7960e8ac2f0ff4b1a63680e033b4ab5"
 dependencies = [
  "cfg_aliases",
  "libc",
@@ -4947,9 +4950,9 @@ dependencies = [
 
 [[package]]
 name = "rustls-webpki"
-version = "0.103.0"
+version = "0.103.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0aa4eeac2588ffff23e9d7a7e9b3f971c5fb5b7ebc9452745e0c232c64f83b2f"
+checksum = "fef8b8769aaccf73098557a87cd1816b4f9c7c16811c9c77142aa695c16f2c03"
 dependencies = [
  "ring",
  "rustls-pki-types",
@@ -5576,9 +5579,9 @@ dependencies = [
 
 [[package]]
 name = "time"
-version = "0.3.40"
+version = "0.3.41"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9d9c75b47bdff86fa3334a3db91356b8d7d86a9b839dab7d0bdc5c3d3a077618"
+checksum = "8a7619e19bc266e0f9c5e6686659d394bc57973859340060a69221e57dbc0c40"
 dependencies = [
  "deranged",
  "itoa",
@@ -5599,9 +5602,9 @@ checksum = "c9e9a38711f559d9e3ce1cdb06dd7c5b8ea546bc90052da6d06bb76da74bb07c"
 
 [[package]]
 name = "time-macros"
-version = "0.2.21"
+version = "0.2.22"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "29aa485584182073ed57fd5004aa09c371f021325014694e432313345865fd04"
+checksum = "3526739392ec93fd8b359c8e98514cb3e8e021beb4e5f597b00a0221f8ed8a49"
 dependencies = [
  "num-conv",
  "time-core",
@@ -5655,9 +5658,9 @@ dependencies = [
 
 [[package]]
 name = "tokio"
-version = "1.44.1"
+version = "1.44.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f382da615b842244d4b8738c82ed1275e6c5dd90c459a30941cd07080b06c91a"
+checksum = "e6b88822cbe49de4185e3a4cbf8321dd487cf5fe0c5c65695fef6346371e9c48"
 dependencies = [
  "backtrace",
  "bytes",

Cargo.toml

@@ -173,7 +173,7 @@ dhat = "0.3.3"
 dyn-clone = "^1.0.17"
 fernet = "^0.2.1"
 filetime = "^0.2.24"
-fs4 = "^0.12.0"
+fs4 = "^0.13.0"
 futures = "^0.3.31"
 futures-util = { version = "^0.3.30", features = ["sink"] }
 gix = { version = "0.64.0", default-features = false }
@@ -210,7 +210,7 @@ notify-debouncer-full = { version = "0.5" }
 num_enum = "^0.5.11"
 oauth2_ext = { version = "^4.4.2", package = "oauth2", default-features = false }
 openssl-sys = "^0.9"
-openssl = "^0.10.70"
+openssl = "^0.10.72"
 
 opentelemetry = { version = "0.27.0" }
 opentelemetry_api = { version = "0.27.0", features = ["logs", "metrics"] }
@@ -268,7 +268,7 @@ tempfile = "3.15.0"
 testkit-macros = { path = "./server/testkit-macros" }
 time = { version = "^0.3.36", features = ["formatting", "local-offset"] }
 
-tokio = "^1.43.0"
+tokio = "^1.44.2"
 tokio-openssl = "^0.6.5"
 tokio-util = "^0.7.13"
 

book/src/SUMMARY.md

@@ -53,7 +53,6 @@
 
 - [Service Integration Examples](examples/readme.md)
   - [Kubernetes Ingress](examples/kubernetes_ingress.md)
-  - [OAuth2 Examples](integrations/oauth2/examples.md)
   - [Traefik](examples/traefik.md)
 
 - [Replication](repl/readme.md)

examples/server.toml

@@ -1,3 +1,6 @@
+# The server configuration file version.
+version = "2"
+
 #   The webserver bind address. Requires TLS certificates.
 #   If the port is set to 443 you may require the
 #   NET_BIND_SERVICE capability.

examples/server_container.toml

@@ -1,3 +1,6 @@
+# The server configuration file version.
+version = "2"
+
 #   The webserver bind address. Requires TLS certificates.
 #   If the port is set to 443 you may require the
 #   NET_BIND_SERVICE capability.

libs/client/src/application.rs

@@ -0,0 +1,19 @@
+use crate::{ClientError, KanidmClient};
+use kanidm_proto::scim_v1::client::{ScimEntryApplication, ScimEntryApplicationPost};
+
+impl KanidmClient {
+    /// Delete an application
+    pub async fn idm_application_delete(&self, id: &str) -> Result<(), ClientError> {
+        self.perform_delete_request(format!("/scim/v1/Application/{}", id).as_str())
+            .await
+    }
+
+    /// Create an application
+    pub async fn idm_application_create(
+        &self,
+        application: &ScimEntryApplicationPost,
+    ) -> Result<ScimEntryApplication, ClientError> {
+        self.perform_post_request("/scim/v1/Application", application)
+            .await
+    }
+}

libs/client/src/lib.rs

@@ -50,6 +50,7 @@ use webauthn_rs_proto::{
     PublicKeyCredential, RegisterPublicKeyCredential, RequestChallengeResponse,
 };
 
+mod application;
 mod domain;
 mod group;
 mod oauth;

libs/client/src/scim.rs

@@ -2,12 +2,10 @@ use crate::{ClientError, KanidmClient};
 use kanidm_proto::scim_v1::{ScimEntryGeneric, ScimEntryGetQuery, ScimSyncRequest, ScimSyncState};
 
 impl KanidmClient {
-    // TODO: testing for this
     pub async fn scim_v1_sync_status(&self) -> Result<ScimSyncState, ClientError> {
         self.perform_get_request("/scim/v1/Sync").await
     }
 
-    // TODO: testing for this
     pub async fn scim_v1_sync_update(
         &self,
         scim_sync_request: &ScimSyncRequest,

libs/crypto/src/crypt_md5.rs

@@ -8,7 +8,7 @@ const MD5_TRANSPOSE: &[u8] = b"\x0c\x06\x00\x0d\x07\x01\x0e\x08\x02\x0f\x09\x03\
 const CRYPT_HASH64: &[u8] = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
 
 pub fn md5_sha2_hash64_encode(bs: &[u8]) -> String {
-    let ngroups = (bs.len() + 2) / 3;
+    let ngroups = bs.len().div_ceil(3);
     let mut out = String::with_capacity(ngroups * 4);
     for g in 0..ngroups {
         let mut g_idx = g * 3;

proto/src/attribute.rs

@@ -22,6 +22,8 @@ pub enum Attribute {
     AcpCreateClass,
     AcpEnable,
     AcpModifyClass,
+    AcpModifyPresentClass,
+    AcpModifyRemoveClass,
     AcpModifyPresentAttr,
     AcpModifyRemovedAttr,
     AcpReceiver,
@@ -30,6 +32,7 @@ pub enum Attribute {
     AcpTargetScope,
     ApiTokenSession,
     ApplicationPassword,
+    ApplicationUrl,
     AttestedPasskeys,
     #[default]
     Attr,
@@ -255,6 +258,8 @@ impl Attribute {
             Attribute::AcpCreateClass => ATTR_ACP_CREATE_CLASS,
             Attribute::AcpEnable => ATTR_ACP_ENABLE,
             Attribute::AcpModifyClass => ATTR_ACP_MODIFY_CLASS,
+            Attribute::AcpModifyPresentClass => ATTR_ACP_MODIFY_PRESENT_CLASS,
+            Attribute::AcpModifyRemoveClass => ATTR_ACP_MODIFY_REMOVE_CLASS,
             Attribute::AcpModifyPresentAttr => ATTR_ACP_MODIFY_PRESENTATTR,
             Attribute::AcpModifyRemovedAttr => ATTR_ACP_MODIFY_REMOVEDATTR,
             Attribute::AcpReceiver => ATTR_ACP_RECEIVER,
@@ -263,6 +268,7 @@ impl Attribute {
             Attribute::AcpTargetScope => ATTR_ACP_TARGET_SCOPE,
             Attribute::ApiTokenSession => ATTR_API_TOKEN_SESSION,
             Attribute::ApplicationPassword => ATTR_APPLICATION_PASSWORD,
+            Attribute::ApplicationUrl => ATTR_APPLICATION_URL,
             Attribute::AttestedPasskeys => ATTR_ATTESTED_PASSKEYS,
             Attribute::Attr => ATTR_ATTR,
             Attribute::AttributeName => ATTR_ATTRIBUTENAME,
@@ -440,6 +446,8 @@ impl Attribute {
             ATTR_ACP_CREATE_CLASS => Attribute::AcpCreateClass,
             ATTR_ACP_ENABLE => Attribute::AcpEnable,
             ATTR_ACP_MODIFY_CLASS => Attribute::AcpModifyClass,
+            ATTR_ACP_MODIFY_PRESENT_CLASS => Attribute::AcpModifyPresentClass,
+            ATTR_ACP_MODIFY_REMOVE_CLASS => Attribute::AcpModifyRemoveClass,
             ATTR_ACP_MODIFY_PRESENTATTR => Attribute::AcpModifyPresentAttr,
             ATTR_ACP_MODIFY_REMOVEDATTR => Attribute::AcpModifyRemovedAttr,
             ATTR_ACP_RECEIVER => Attribute::AcpReceiver,
@@ -448,6 +456,7 @@ impl Attribute {
             ATTR_ACP_TARGET_SCOPE => Attribute::AcpTargetScope,
             ATTR_API_TOKEN_SESSION => Attribute::ApiTokenSession,
             ATTR_APPLICATION_PASSWORD => Attribute::ApplicationPassword,
+            ATTR_APPLICATION_URL => Attribute::ApplicationUrl,
             ATTR_ATTESTED_PASSKEYS => Attribute::AttestedPasskeys,
             ATTR_ATTR => Attribute::Attr,
             ATTR_ATTRIBUTENAME => Attribute::AttributeName,

proto/src/constants.rs

@@ -62,6 +62,8 @@ pub const ATTR_ACP_CREATE_ATTR: &str = "acp_create_attr";
 pub const ATTR_ACP_CREATE_CLASS: &str = "acp_create_class";
 pub const ATTR_ACP_ENABLE: &str = "acp_enable";
 pub const ATTR_ACP_MODIFY_CLASS: &str = "acp_modify_class";
+pub const ATTR_ACP_MODIFY_PRESENT_CLASS: &str = "acp_modify_present_class";
+pub const ATTR_ACP_MODIFY_REMOVE_CLASS: &str = "acp_modify_remove_class";
 pub const ATTR_ACP_MODIFY_PRESENTATTR: &str = "acp_modify_presentattr";
 pub const ATTR_ACP_MODIFY_REMOVEDATTR: &str = "acp_modify_removedattr";
 pub const ATTR_ACP_RECEIVER_GROUP: &str = "acp_receiver_group";
@@ -70,6 +72,7 @@ pub const ATTR_ACP_SEARCH_ATTR: &str = "acp_search_attr";
 pub const ATTR_ACP_TARGET_SCOPE: &str = "acp_targetscope";
 pub const ATTR_API_TOKEN_SESSION: &str = "api_token_session";
 pub const ATTR_APPLICATION_PASSWORD: &str = "application_password";
+pub const ATTR_APPLICATION_URL: &str = "application_url";
 pub const ATTR_ATTESTED_PASSKEYS: &str = "attested_passkeys";
 pub const ATTR_ATTR: &str = "attr";
 pub const ATTR_ATTRIBUTENAME: &str = "attributename";

proto/src/internal/error.rs

@@ -213,6 +213,8 @@ pub enum OperationError {
     SC0024SshPublicKeySyntaxInvalid,
     SC0025UiHintSyntaxInvalid,
     SC0026Utf8SyntaxInvalid,
+    SC0027ClassSetInvalid,
+    SC0028CreatedUuidsInvalid,
     // Migration
     MG0001InvalidReMigrationLevel,
     MG0002RaiseDomainLevelExceedsMaximum,
@@ -492,6 +494,8 @@ impl OperationError {
             Self::SC0024SshPublicKeySyntaxInvalid => Some("A SCIM Ssh Public Key contained invalid syntax".into()),
             Self::SC0025UiHintSyntaxInvalid => Some("A SCIM UiHint contained invalid syntax".into()),
             Self::SC0026Utf8SyntaxInvalid => Some("A SCIM Utf8 String Scope Map contained invalid syntax".into()),
+            Self::SC0027ClassSetInvalid => Some("The internal set of class templates used in this create operation was invalid. THIS IS A BUG.".into()),
+            Self::SC0028CreatedUuidsInvalid => Some("The internal create query did not return the set of created UUIDs. THIS IS A BUG".into()),
 
             Self::UI0001ChallengeSerialisation => Some("The WebAuthn challenge was unable to be serialised.".into()),
             Self::UI0002InvalidState => Some("The credential update process returned an invalid state transition.".into()),

proto/src/scim_v1/client.rs

@@ -2,6 +2,7 @@
 use super::ScimEntryGetQuery;
 use super::ScimOauth2ClaimMapJoinChar;
 use crate::attribute::{Attribute, SubAttribute};
+use scim_proto::ScimEntryHeader;
 use serde::{Deserialize, Serialize};
 use serde_json::Value as JsonValue;
 use serde_with::formats::PreferMany;
@@ -31,6 +32,18 @@ pub struct ScimReference {
     pub value: Option<String>,
 }
 
+impl<T> From<T> for ScimReference
+where
+    T: AsRef<str>,
+{
+    fn from(value: T) -> Self {
+        ScimReference {
+            uuid: None,
+            value: Some(value.as_ref().to_string()),
+        }
+    }
+}
+
 pub type ScimReferences = Vec<ScimReference>;
 
 #[serde_as]
@@ -79,6 +92,31 @@ pub struct ScimOAuth2ScopeMap {
     pub scopes: BTreeSet<String>,
 }
 
+#[serde_as]
+#[derive(Serialize, Debug, Clone)]
+#[serde(rename_all = "snake_case")]
+pub struct ScimEntryApplicationPost {
+    pub name: String,
+    pub displayname: String,
+    pub linked_group: ScimReference,
+}
+
+#[serde_as]
+#[derive(Deserialize, Debug, Clone)]
+#[serde(rename_all = "snake_case")]
+pub struct ScimEntryApplication {
+    #[serde(flatten)]
+    pub header: ScimEntryHeader,
+
+    pub name: String,
+    pub displayname: String,
+
+    pub linked_group: Vec<super::ScimReference>,
+
+    #[serde(flatten)]
+    pub attrs: BTreeMap<Attribute, JsonValue>,
+}
+
 #[derive(Serialize, Debug, Clone)]
 pub struct ScimEntryPutKanidm {
     pub id: Uuid,
@@ -90,6 +128,13 @@ pub struct ScimEntryPutKanidm {
 #[derive(Deserialize, Serialize, Debug, Clone)]
 pub struct ScimStrings(#[serde_as(as = "OneOrMany<_, PreferMany>")] pub Vec<String>);
 
+#[derive(Debug, Clone, Deserialize, Default)]
+pub struct ScimEntryPostGeneric {
+    /// Create an attribute to contain the following value state.
+    #[serde(flatten)]
+    pub attrs: BTreeMap<Attribute, JsonValue>,
+}
+
 #[derive(Debug, Clone, Deserialize, Default)]
 pub struct ScimEntryPutGeneric {
     // id is only used to target the entry in question

proto/src/scim_v1/mod.rs

@@ -18,13 +18,13 @@
 
 use crate::attribute::Attribute;
 use serde::{Deserialize, Serialize};
+use serde_with::formats::CommaSeparator;
+use serde_with::{serde_as, skip_serializing_none, StringWithSeparator};
 use sshkey_attest::proto::PublicKey as SshPublicKey;
 use std::collections::BTreeMap;
 use std::ops::Not;
 use utoipa::ToSchema;
-
-use serde_with::formats::CommaSeparator;
-use serde_with::{serde_as, skip_serializing_none, StringWithSeparator};
+use uuid::Uuid;
 
 pub use self::synch::*;
 pub use scim_proto::prelude::*;
@@ -86,6 +86,13 @@ pub struct ScimSshPublicKey {
     pub value: SshPublicKey,
 }
 
+#[derive(Deserialize, Serialize, Debug, Clone, PartialEq, Eq, ToSchema)]
+#[serde(rename_all = "camelCase")]
+pub struct ScimReference {
+    pub uuid: Uuid,
+    pub value: String,
+}
+
 #[derive(Deserialize, Serialize, Debug, Clone, ToSchema)]
 pub enum ScimOauth2ClaimMapJoinChar {
     #[serde(rename = ",", alias = "csv")]

proto/src/scim_v1/server.rs

@@ -33,7 +33,7 @@ pub enum ScimAttributeEffectiveAccess {
     /// All attributes on the entry have this permission granted
     Grant,
     /// All attributes on the entry have this permission denied
-    Denied,
+    Deny,
     /// The following attributes on the entry have this permission granted
     Allow(BTreeSet<Attribute>),
 }
@@ -43,7 +43,7 @@ impl ScimAttributeEffectiveAccess {
     pub fn check(&self, attr: &Attribute) -> bool {
         match self {
             Self::Grant => true,
-            Self::Denied => false,
+            Self::Deny => false,
             Self::Allow(set) => set.contains(attr),
         }
     }

pykanidm/poetry.lock

@@ -14,93 +14,93 @@ files = [
 
 [[package]]
 name = "aiohttp"
-version = "3.11.14"
+version = "3.11.16"
 description = "Async http client/server framework (asyncio)"
 optional = false
 python-versions = ">=3.9"
 groups = ["main", "dev"]
 files = [
-    {file = "aiohttp-3.11.14-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:e2bc827c01f75803de77b134afdbf74fa74b62970eafdf190f3244931d7a5c0d"},
-    {file = "aiohttp-3.11.14-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:e365034c5cf6cf74f57420b57682ea79e19eb29033399dd3f40de4d0171998fa"},
-    {file = "aiohttp-3.11.14-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:c32593ead1a8c6aabd58f9d7ee706e48beac796bb0cb71d6b60f2c1056f0a65f"},
-    {file = "aiohttp-3.11.14-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b4e7c7ec4146a94a307ca4f112802a8e26d969018fabed526efc340d21d3e7d0"},
-    {file = "aiohttp-3.11.14-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:c8b2df9feac55043759aa89f722a967d977d80f8b5865a4153fc41c93b957efc"},
-    {file = "aiohttp-3.11.14-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:c7571f99525c76a6280f5fe8e194eeb8cb4da55586c3c61c59c33a33f10cfce7"},
-    {file = "aiohttp-3.11.14-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:b59d096b5537ec7c85954cb97d821aae35cfccce3357a2cafe85660cc6295628"},
-    {file = "aiohttp-3.11.14-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:b42dbd097abb44b3f1156b4bf978ec5853840802d6eee2784857be11ee82c6a0"},
-    {file = "aiohttp-3.11.14-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:b05774864c87210c531b48dfeb2f7659407c2dda8643104fb4ae5e2c311d12d9"},
-    {file = "aiohttp-3.11.14-cp310-cp310-musllinux_1_2_armv7l.whl", hash = "sha256:4e2e8ef37d4bc110917d038807ee3af82700a93ab2ba5687afae5271b8bc50ff"},
-    {file = "aiohttp-3.11.14-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:e9faafa74dbb906b2b6f3eb9942352e9e9db8d583ffed4be618a89bd71a4e914"},
-    {file = "aiohttp-3.11.14-cp310-cp310-musllinux_1_2_ppc64le.whl", hash = "sha256:7e7abe865504f41b10777ac162c727af14e9f4db9262e3ed8254179053f63e6d"},
-    {file = "aiohttp-3.11.14-cp310-cp310-musllinux_1_2_s390x.whl", hash = "sha256:4848ae31ad44330b30f16c71e4f586cd5402a846b11264c412de99fa768f00f3"},
-    {file = "aiohttp-3.11.14-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:2d0b46abee5b5737cb479cc9139b29f010a37b1875ee56d142aefc10686a390b"},
-    {file = "aiohttp-3.11.14-cp310-cp310-win32.whl", hash = "sha256:a0d2c04a623ab83963576548ce098baf711a18e2c32c542b62322a0b4584b990"},
-    {file = "aiohttp-3.11.14-cp310-cp310-win_amd64.whl", hash = "sha256:5409a59d5057f2386bb8b8f8bbcfb6e15505cedd8b2445db510563b5d7ea1186"},
-    {file = "aiohttp-3.11.14-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:f296d637a50bb15fb6a229fbb0eb053080e703b53dbfe55b1e4bb1c5ed25d325"},
-    {file = "aiohttp-3.11.14-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:ec6cd1954ca2bbf0970f531a628da1b1338f594bf5da7e361e19ba163ecc4f3b"},
-    {file = "aiohttp-3.11.14-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:572def4aad0a4775af66d5a2b5923c7de0820ecaeeb7987dcbccda2a735a993f"},
-    {file = "aiohttp-3.11.14-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1c68e41c4d576cd6aa6c6d2eddfb32b2acfb07ebfbb4f9da991da26633a3db1a"},
-    {file = "aiohttp-3.11.14-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:99b8bbfc8111826aa8363442c0fc1f5751456b008737ff053570f06a151650b3"},
-    {file = "aiohttp-3.11.14-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:4b0a200e85da5c966277a402736a96457b882360aa15416bf104ca81e6f5807b"},
-    {file = "aiohttp-3.11.14-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:d173c0ac508a2175f7c9a115a50db5fd3e35190d96fdd1a17f9cb10a6ab09aa1"},
-    {file = "aiohttp-3.11.14-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:413fe39fd929329f697f41ad67936f379cba06fcd4c462b62e5b0f8061ee4a77"},
-    {file = "aiohttp-3.11.14-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:65c75b14ee74e8eeff2886321e76188cbe938d18c85cff349d948430179ad02c"},
-    {file = "aiohttp-3.11.14-cp311-cp311-musllinux_1_2_armv7l.whl", hash = "sha256:321238a42ed463848f06e291c4bbfb3d15ba5a79221a82c502da3e23d7525d06"},
-    {file = "aiohttp-3.11.14-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:59a05cdc636431f7ce843c7c2f04772437dd816a5289f16440b19441be6511f1"},
-    {file = "aiohttp-3.11.14-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:daf20d9c3b12ae0fdf15ed92235e190f8284945563c4b8ad95b2d7a31f331cd3"},
-    {file = "aiohttp-3.11.14-cp311-cp311-musllinux_1_2_s390x.whl", hash = "sha256:05582cb2d156ac7506e68b5eac83179faedad74522ed88f88e5861b78740dc0e"},
-    {file = "aiohttp-3.11.14-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:12c5869e7ddf6b4b1f2109702b3cd7515667b437da90a5a4a50ba1354fe41881"},
-    {file = "aiohttp-3.11.14-cp311-cp311-win32.whl", hash = "sha256:92868f6512714efd4a6d6cb2bfc4903b997b36b97baea85f744229f18d12755e"},
-    {file = "aiohttp-3.11.14-cp311-cp311-win_amd64.whl", hash = "sha256:bccd2cb7aa5a3bfada72681bdb91637094d81639e116eac368f8b3874620a654"},
-    {file = "aiohttp-3.11.14-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:70ab0f61c1a73d3e0342cedd9a7321425c27a7067bebeeacd509f96695b875fc"},
-    {file = "aiohttp-3.11.14-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:602d4db80daf4497de93cb1ce00b8fc79969c0a7cf5b67bec96fa939268d806a"},
-    {file = "aiohttp-3.11.14-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:3a8a0d127c10b8d89e69bbd3430da0f73946d839e65fec00ae48ca7916a31948"},
-    {file = "aiohttp-3.11.14-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ca9f835cdfedcb3f5947304e85b8ca3ace31eef6346d8027a97f4de5fb687534"},
-    {file = "aiohttp-3.11.14-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:8aa5c68e1e68fff7cd3142288101deb4316b51f03d50c92de6ea5ce646e6c71f"},
-    {file = "aiohttp-3.11.14-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:3b512f1de1c688f88dbe1b8bb1283f7fbeb7a2b2b26e743bb2193cbadfa6f307"},
-    {file = "aiohttp-3.11.14-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:cc9253069158d57e27d47a8453d8a2c5a370dc461374111b5184cf2f147a3cc3"},
-    {file = "aiohttp-3.11.14-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:0b2501f1b981e70932b4a552fc9b3c942991c7ae429ea117e8fba57718cdeed0"},
-    {file = "aiohttp-3.11.14-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:28a3d083819741592685762d51d789e6155411277050d08066537c5edc4066e6"},
-    {file = "aiohttp-3.11.14-cp312-cp312-musllinux_1_2_armv7l.whl", hash = "sha256:0df3788187559c262922846087e36228b75987f3ae31dd0a1e5ee1034090d42f"},
-    {file = "aiohttp-3.11.14-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:9e73fa341d8b308bb799cf0ab6f55fc0461d27a9fa3e4582755a3d81a6af8c09"},
-    {file = "aiohttp-3.11.14-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:51ba80d473eb780a329d73ac8afa44aa71dfb521693ccea1dea8b9b5c4df45ce"},
-    {file = "aiohttp-3.11.14-cp312-cp312-musllinux_1_2_s390x.whl", hash = "sha256:8d1dd75aa4d855c7debaf1ef830ff2dfcc33f893c7db0af2423ee761ebffd22b"},
-    {file = "aiohttp-3.11.14-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:41cf0cefd9e7b5c646c2ef529c8335e7eafd326f444cc1cdb0c47b6bc836f9be"},
-    {file = "aiohttp-3.11.14-cp312-cp312-win32.whl", hash = "sha256:948abc8952aff63de7b2c83bfe3f211c727da3a33c3a5866a0e2cf1ee1aa950f"},
-    {file = "aiohttp-3.11.14-cp312-cp312-win_amd64.whl", hash = "sha256:3b420d076a46f41ea48e5fcccb996f517af0d406267e31e6716f480a3d50d65c"},
-    {file = "aiohttp-3.11.14-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:8d14e274828561db91e4178f0057a915f3af1757b94c2ca283cb34cbb6e00b50"},
-    {file = "aiohttp-3.11.14-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:f30fc72daf85486cdcdfc3f5e0aea9255493ef499e31582b34abadbfaafb0965"},
-    {file = "aiohttp-3.11.14-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:4edcbe34e6dba0136e4cabf7568f5a434d89cc9de5d5155371acda275353d228"},
-    {file = "aiohttp-3.11.14-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1a7169ded15505f55a87f8f0812c94c9412623c744227b9e51083a72a48b68a5"},
-    {file = "aiohttp-3.11.14-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:ad1f2fb9fe9b585ea4b436d6e998e71b50d2b087b694ab277b30e060c434e5db"},
-    {file = "aiohttp-3.11.14-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:20412c7cc3720e47a47e63c0005f78c0c2370020f9f4770d7fc0075f397a9fb0"},
-    {file = "aiohttp-3.11.14-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6dd9766da617855f7e85f27d2bf9a565ace04ba7c387323cd3e651ac4329db91"},
-    {file = "aiohttp-3.11.14-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:599b66582f7276ebefbaa38adf37585e636b6a7a73382eb412f7bc0fc55fb73d"},
-    {file = "aiohttp-3.11.14-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:b41693b7388324b80f9acfabd479bd1c84f0bc7e8f17bab4ecd9675e9ff9c734"},
-    {file = "aiohttp-3.11.14-cp313-cp313-musllinux_1_2_armv7l.whl", hash = "sha256:86135c32d06927339c8c5e64f96e4eee8825d928374b9b71a3c42379d7437058"},
-    {file = "aiohttp-3.11.14-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:04eb541ce1e03edc1e3be1917a0f45ac703e913c21a940111df73a2c2db11d73"},
-    {file = "aiohttp-3.11.14-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:dc311634f6f28661a76cbc1c28ecf3b3a70a8edd67b69288ab7ca91058eb5a33"},
-    {file = "aiohttp-3.11.14-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:69bb252bfdca385ccabfd55f4cd740d421dd8c8ad438ded9637d81c228d0da49"},
-    {file = "aiohttp-3.11.14-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:2b86efe23684b58a88e530c4ab5b20145f102916bbb2d82942cafec7bd36a647"},
-    {file = "aiohttp-3.11.14-cp313-cp313-win32.whl", hash = "sha256:b9c60d1de973ca94af02053d9b5111c4fbf97158e139b14f1be68337be267be6"},
-    {file = "aiohttp-3.11.14-cp313-cp313-win_amd64.whl", hash = "sha256:0a29be28e60e5610d2437b5b2fed61d6f3dcde898b57fb048aa5079271e7f6f3"},
-    {file = "aiohttp-3.11.14-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:14fc03508359334edc76d35b2821832f092c8f092e4b356e74e38419dfe7b6de"},
-    {file = "aiohttp-3.11.14-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:92007c89a8cb7be35befa2732b0b32bf3a394c1b22ef2dff0ef12537d98a7bda"},
-    {file = "aiohttp-3.11.14-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:6d3986112e34eaa36e280dc8286b9dd4cc1a5bcf328a7f147453e188f6fe148f"},
-    {file = "aiohttp-3.11.14-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:749f1eb10e51dbbcdba9df2ef457ec060554842eea4d23874a3e26495f9e87b1"},
-    {file = "aiohttp-3.11.14-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:781c8bd423dcc4641298c8c5a2a125c8b1c31e11f828e8d35c1d3a722af4c15a"},
-    {file = "aiohttp-3.11.14-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:997b57e38aa7dc6caab843c5e042ab557bc83a2f91b7bd302e3c3aebbb9042a1"},
-    {file = "aiohttp-3.11.14-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3a8b0321e40a833e381d127be993b7349d1564b756910b28b5f6588a159afef3"},
-    {file = "aiohttp-3.11.14-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:8778620396e554b758b59773ab29c03b55047841d8894c5e335f12bfc45ebd28"},
-    {file = "aiohttp-3.11.14-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:e906da0f2bcbf9b26cc2b144929e88cb3bf943dd1942b4e5af066056875c7618"},
-    {file = "aiohttp-3.11.14-cp39-cp39-musllinux_1_2_armv7l.whl", hash = "sha256:87f0e003fb4dd5810c7fbf47a1239eaa34cd929ef160e0a54c570883125c4831"},
-    {file = "aiohttp-3.11.14-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:7f2dadece8b85596ac3ab1ec04b00694bdd62abc31e5618f524648d18d9dd7fa"},
-    {file = "aiohttp-3.11.14-cp39-cp39-musllinux_1_2_ppc64le.whl", hash = "sha256:fe846f0a98aa9913c2852b630cd39b4098f296e0907dd05f6c7b30d911afa4c3"},
-    {file = "aiohttp-3.11.14-cp39-cp39-musllinux_1_2_s390x.whl", hash = "sha256:ced66c5c6ad5bcaf9be54560398654779ec1c3695f1a9cf0ae5e3606694a000a"},
-    {file = "aiohttp-3.11.14-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:a40087b82f83bd671cbeb5f582c233d196e9653220404a798798bfc0ee189fff"},
-    {file = "aiohttp-3.11.14-cp39-cp39-win32.whl", hash = "sha256:95d7787f2bcbf7cb46823036a8d64ccfbc2ffc7d52016b4044d901abceeba3db"},
-    {file = "aiohttp-3.11.14-cp39-cp39-win_amd64.whl", hash = "sha256:22a8107896877212130c58f74e64b77f7007cb03cea8698be317272643602d45"},
-    {file = "aiohttp-3.11.14.tar.gz", hash = "sha256:d6edc538c7480fa0a3b2bdd705f8010062d74700198da55d16498e1b49549b9c"},
+    {file = "aiohttp-3.11.16-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:fb46bb0f24813e6cede6cc07b1961d4b04f331f7112a23b5e21f567da4ee50aa"},
+    {file = "aiohttp-3.11.16-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:54eb3aead72a5c19fad07219acd882c1643a1027fbcdefac9b502c267242f955"},
+    {file = "aiohttp-3.11.16-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:38bea84ee4fe24ebcc8edeb7b54bf20f06fd53ce4d2cc8b74344c5b9620597fd"},
+    {file = "aiohttp-3.11.16-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d0666afbe984f6933fe72cd1f1c3560d8c55880a0bdd728ad774006eb4241ecd"},
+    {file = "aiohttp-3.11.16-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:7ba92a2d9ace559a0a14b03d87f47e021e4fa7681dc6970ebbc7b447c7d4b7cd"},
+    {file = "aiohttp-3.11.16-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:3ad1d59fd7114e6a08c4814983bb498f391c699f3c78712770077518cae63ff7"},
+    {file = "aiohttp-3.11.16-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:98b88a2bf26965f2015a771381624dd4b0839034b70d406dc74fd8be4cc053e3"},
+    {file = "aiohttp-3.11.16-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:576f5ca28d1b3276026f7df3ec841ae460e0fc3aac2a47cbf72eabcfc0f102e1"},
+    {file = "aiohttp-3.11.16-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:a2a450bcce4931b295fc0848f384834c3f9b00edfc2150baafb4488c27953de6"},
+    {file = "aiohttp-3.11.16-cp310-cp310-musllinux_1_2_armv7l.whl", hash = "sha256:37dcee4906454ae377be5937ab2a66a9a88377b11dd7c072df7a7c142b63c37c"},
+    {file = "aiohttp-3.11.16-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:4d0c970c0d602b1017e2067ff3b7dac41c98fef4f7472ec2ea26fd8a4e8c2149"},
+    {file = "aiohttp-3.11.16-cp310-cp310-musllinux_1_2_ppc64le.whl", hash = "sha256:004511d3413737700835e949433536a2fe95a7d0297edd911a1e9705c5b5ea43"},
+    {file = "aiohttp-3.11.16-cp310-cp310-musllinux_1_2_s390x.whl", hash = "sha256:c15b2271c44da77ee9d822552201180779e5e942f3a71fb74e026bf6172ff287"},
+    {file = "aiohttp-3.11.16-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:ad9509ffb2396483ceacb1eee9134724443ee45b92141105a4645857244aecc8"},
+    {file = "aiohttp-3.11.16-cp310-cp310-win32.whl", hash = "sha256:634d96869be6c4dc232fc503e03e40c42d32cfaa51712aee181e922e61d74814"},
+    {file = "aiohttp-3.11.16-cp310-cp310-win_amd64.whl", hash = "sha256:938f756c2b9374bbcc262a37eea521d8a0e6458162f2a9c26329cc87fdf06534"},
+    {file = "aiohttp-3.11.16-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:8cb0688a8d81c63d716e867d59a9ccc389e97ac7037ebef904c2b89334407180"},
+    {file = "aiohttp-3.11.16-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:0ad1fb47da60ae1ddfb316f0ff16d1f3b8e844d1a1e154641928ea0583d486ed"},
+    {file = "aiohttp-3.11.16-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:df7db76400bf46ec6a0a73192b14c8295bdb9812053f4fe53f4e789f3ea66bbb"},
+    {file = "aiohttp-3.11.16-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:cc3a145479a76ad0ed646434d09216d33d08eef0d8c9a11f5ae5cdc37caa3540"},
+    {file = "aiohttp-3.11.16-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:d007aa39a52d62373bd23428ba4a2546eed0e7643d7bf2e41ddcefd54519842c"},
+    {file = "aiohttp-3.11.16-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f6ddd90d9fb4b501c97a4458f1c1720e42432c26cb76d28177c5b5ad4e332601"},
+    {file = "aiohttp-3.11.16-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0a2f451849e6b39e5c226803dcacfa9c7133e9825dcefd2f4e837a2ec5a3bb98"},
+    {file = "aiohttp-3.11.16-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:8df6612df74409080575dca38a5237282865408016e65636a76a2eb9348c2567"},
+    {file = "aiohttp-3.11.16-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:78e6e23b954644737e385befa0deb20233e2dfddf95dd11e9db752bdd2a294d3"},
+    {file = "aiohttp-3.11.16-cp311-cp311-musllinux_1_2_armv7l.whl", hash = "sha256:696ef00e8a1f0cec5e30640e64eca75d8e777933d1438f4facc9c0cdf288a810"},
+    {file = "aiohttp-3.11.16-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:e3538bc9fe1b902bef51372462e3d7c96fce2b566642512138a480b7adc9d508"},
+    {file = "aiohttp-3.11.16-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:3ab3367bb7f61ad18793fea2ef71f2d181c528c87948638366bf1de26e239183"},
+    {file = "aiohttp-3.11.16-cp311-cp311-musllinux_1_2_s390x.whl", hash = "sha256:56a3443aca82abda0e07be2e1ecb76a050714faf2be84256dae291182ba59049"},
+    {file = "aiohttp-3.11.16-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:61c721764e41af907c9d16b6daa05a458f066015abd35923051be8705108ed17"},
+    {file = "aiohttp-3.11.16-cp311-cp311-win32.whl", hash = "sha256:3e061b09f6fa42997cf627307f220315e313ece74907d35776ec4373ed718b86"},
+    {file = "aiohttp-3.11.16-cp311-cp311-win_amd64.whl", hash = "sha256:745f1ed5e2c687baefc3c5e7b4304e91bf3e2f32834d07baaee243e349624b24"},
+    {file = "aiohttp-3.11.16-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:911a6e91d08bb2c72938bc17f0a2d97864c531536b7832abee6429d5296e5b27"},
+    {file = "aiohttp-3.11.16-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:6ac13b71761e49d5f9e4d05d33683bbafef753e876e8e5a7ef26e937dd766713"},
+    {file = "aiohttp-3.11.16-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:fd36c119c5d6551bce374fcb5c19269638f8d09862445f85a5a48596fd59f4bb"},
+    {file = "aiohttp-3.11.16-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d489d9778522fbd0f8d6a5c6e48e3514f11be81cb0a5954bdda06f7e1594b321"},
+    {file = "aiohttp-3.11.16-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:69a2cbd61788d26f8f1e626e188044834f37f6ae3f937bd9f08b65fc9d7e514e"},
+    {file = "aiohttp-3.11.16-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:cd464ba806e27ee24a91362ba3621bfc39dbbb8b79f2e1340201615197370f7c"},
+    {file = "aiohttp-3.11.16-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1ce63ae04719513dd2651202352a2beb9f67f55cb8490c40f056cea3c5c355ce"},
+    {file = "aiohttp-3.11.16-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:09b00dd520d88eac9d1768439a59ab3d145065c91a8fab97f900d1b5f802895e"},
+    {file = "aiohttp-3.11.16-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:7f6428fee52d2bcf96a8aa7b62095b190ee341ab0e6b1bcf50c615d7966fd45b"},
+    {file = "aiohttp-3.11.16-cp312-cp312-musllinux_1_2_armv7l.whl", hash = "sha256:13ceac2c5cdcc3f64b9015710221ddf81c900c5febc505dbd8f810e770011540"},
+    {file = "aiohttp-3.11.16-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:fadbb8f1d4140825069db3fedbbb843290fd5f5bc0a5dbd7eaf81d91bf1b003b"},
+    {file = "aiohttp-3.11.16-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:6a792ce34b999fbe04a7a71a90c74f10c57ae4c51f65461a411faa70e154154e"},
+    {file = "aiohttp-3.11.16-cp312-cp312-musllinux_1_2_s390x.whl", hash = "sha256:f4065145bf69de124accdd17ea5f4dc770da0a6a6e440c53f6e0a8c27b3e635c"},
+    {file = "aiohttp-3.11.16-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:fa73e8c2656a3653ae6c307b3f4e878a21f87859a9afab228280ddccd7369d71"},
+    {file = "aiohttp-3.11.16-cp312-cp312-win32.whl", hash = "sha256:f244b8e541f414664889e2c87cac11a07b918cb4b540c36f7ada7bfa76571ea2"},
+    {file = "aiohttp-3.11.16-cp312-cp312-win_amd64.whl", hash = "sha256:23a15727fbfccab973343b6d1b7181bfb0b4aa7ae280f36fd2f90f5476805682"},
+    {file = "aiohttp-3.11.16-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:a3814760a1a700f3cfd2f977249f1032301d0a12c92aba74605cfa6ce9f78489"},
+    {file = "aiohttp-3.11.16-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:9b751a6306f330801665ae69270a8a3993654a85569b3469662efaad6cf5cc50"},
+    {file = "aiohttp-3.11.16-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:ad497f38a0d6c329cb621774788583ee12321863cd4bd9feee1effd60f2ad133"},
+    {file = "aiohttp-3.11.16-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ca37057625693d097543bd88076ceebeb248291df9d6ca8481349efc0b05dcd0"},
+    {file = "aiohttp-3.11.16-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a5abcbba9f4b463a45c8ca8b7720891200658f6f46894f79517e6cd11f3405ca"},
+    {file = "aiohttp-3.11.16-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:f420bfe862fb357a6d76f2065447ef6f484bc489292ac91e29bc65d2d7a2c84d"},
+    {file = "aiohttp-3.11.16-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:58ede86453a6cf2d6ce40ef0ca15481677a66950e73b0a788917916f7e35a0bb"},
+    {file = "aiohttp-3.11.16-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:6fdec0213244c39973674ca2a7f5435bf74369e7d4e104d6c7473c81c9bcc8c4"},
+    {file = "aiohttp-3.11.16-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:72b1b03fb4655c1960403c131740755ec19c5898c82abd3961c364c2afd59fe7"},
+    {file = "aiohttp-3.11.16-cp313-cp313-musllinux_1_2_armv7l.whl", hash = "sha256:780df0d837276276226a1ff803f8d0fa5f8996c479aeef52eb040179f3156cbd"},
+    {file = "aiohttp-3.11.16-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:ecdb8173e6c7aa09eee342ac62e193e6904923bd232e76b4157ac0bfa670609f"},
+    {file = "aiohttp-3.11.16-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:a6db7458ab89c7d80bc1f4e930cc9df6edee2200127cfa6f6e080cf619eddfbd"},
+    {file = "aiohttp-3.11.16-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:2540ddc83cc724b13d1838026f6a5ad178510953302a49e6d647f6e1de82bc34"},
+    {file = "aiohttp-3.11.16-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:3b4e6db8dc4879015b9955778cfb9881897339c8fab7b3676f8433f849425913"},
+    {file = "aiohttp-3.11.16-cp313-cp313-win32.whl", hash = "sha256:493910ceb2764f792db4dc6e8e4b375dae1b08f72e18e8f10f18b34ca17d0979"},
+    {file = "aiohttp-3.11.16-cp313-cp313-win_amd64.whl", hash = "sha256:42864e70a248f5f6a49fdaf417d9bc62d6e4d8ee9695b24c5916cb4bb666c802"},
+    {file = "aiohttp-3.11.16-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:bbcba75fe879ad6fd2e0d6a8d937f34a571f116a0e4db37df8079e738ea95c71"},
+    {file = "aiohttp-3.11.16-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:87a6e922b2b2401e0b0cf6b976b97f11ec7f136bfed445e16384fbf6fd5e8602"},
+    {file = "aiohttp-3.11.16-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:ccf10f16ab498d20e28bc2b5c1306e9c1512f2840f7b6a67000a517a4b37d5ee"},
+    {file = "aiohttp-3.11.16-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:fb3d0cc5cdb926090748ea60172fa8a213cec728bd6c54eae18b96040fcd6227"},
+    {file = "aiohttp-3.11.16-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:d07502cc14ecd64f52b2a74ebbc106893d9a9717120057ea9ea1fd6568a747e7"},
+    {file = "aiohttp-3.11.16-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:776c8e959a01e5e8321f1dec77964cb6101020a69d5a94cd3d34db6d555e01f7"},
+    {file = "aiohttp-3.11.16-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0902e887b0e1d50424112f200eb9ae3dfed6c0d0a19fc60f633ae5a57c809656"},
+    {file = "aiohttp-3.11.16-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:e87fd812899aa78252866ae03a048e77bd11b80fb4878ce27c23cade239b42b2"},
+    {file = "aiohttp-3.11.16-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:0a950c2eb8ff17361abd8c85987fd6076d9f47d040ebffce67dce4993285e973"},
+    {file = "aiohttp-3.11.16-cp39-cp39-musllinux_1_2_armv7l.whl", hash = "sha256:c10d85e81d0b9ef87970ecbdbfaeec14a361a7fa947118817fcea8e45335fa46"},
+    {file = "aiohttp-3.11.16-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:7951decace76a9271a1ef181b04aa77d3cc309a02a51d73826039003210bdc86"},
+    {file = "aiohttp-3.11.16-cp39-cp39-musllinux_1_2_ppc64le.whl", hash = "sha256:14461157d8426bcb40bd94deb0450a6fa16f05129f7da546090cebf8f3123b0f"},
+    {file = "aiohttp-3.11.16-cp39-cp39-musllinux_1_2_s390x.whl", hash = "sha256:9756d9b9d4547e091f99d554fbba0d2a920aab98caa82a8fb3d3d9bee3c9ae85"},
+    {file = "aiohttp-3.11.16-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:87944bd16b7fe6160607f6a17808abd25f17f61ae1e26c47a491b970fb66d8cb"},
+    {file = "aiohttp-3.11.16-cp39-cp39-win32.whl", hash = "sha256:92b7ee222e2b903e0a4b329a9943d432b3767f2d5029dbe4ca59fb75223bbe2e"},
+    {file = "aiohttp-3.11.16-cp39-cp39-win_amd64.whl", hash = "sha256:17ae4664031aadfbcb34fd40ffd90976671fa0c0286e6c4113989f78bebab37a"},
+    {file = "aiohttp-3.11.16.tar.gz", hash = "sha256:16f8a2c9538c14a557b4d309ed4d0a7c60f0253e8ed7b6c9a2859a7582f8b1b8"},
 ]
 
 [package.dependencies]
@@ -193,14 +193,14 @@ tests-mypy = ["mypy (>=1.11.1) ; platform_python_implementation == \"CPython\" a
 
 [[package]]
 name = "authlib"
-version = "1.5.1"
+version = "1.5.2"
 description = "The ultimate Python library in building OAuth and OpenID Connect servers and clients."
 optional = false
 python-versions = ">=3.9"
 groups = ["main"]
 files = [
-    {file = "authlib-1.5.1-py2.py3-none-any.whl", hash = "sha256:8408861cbd9b4ea2ff759b00b6f02fd7d81ac5a56d0b2b22c08606c6049aae11"},
-    {file = "authlib-1.5.1.tar.gz", hash = "sha256:5cbc85ecb0667312c1cdc2f9095680bb735883b123fb509fde1e65b1c5df972e"},
+    {file = "authlib-1.5.2-py2.py3-none-any.whl", hash = "sha256:8804dd4402ac5e4a0435ac49e0b6e19e395357cfa632a3f624dcb4f6df13b4b1"},
+    {file = "authlib-1.5.2.tar.gz", hash = "sha256:fe85ec7e50c5f86f1e2603518bb3b4f632985eb4a355e52256530790e326c512"},
 ]
 
 [package.dependencies]
@@ -462,75 +462,75 @@ files = [
 
 [[package]]
 name = "coverage"
-version = "7.7.1"
+version = "7.8.0"
 description = "Code coverage measurement for Python"
 optional = false
 python-versions = ">=3.9"
 groups = ["dev"]
 files = [
-    {file = "coverage-7.7.1-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:553ba93f8e3c70e1b0031e4dfea36aba4e2b51fe5770db35e99af8dc5c5a9dfe"},
-    {file = "coverage-7.7.1-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:44683f2556a56c9a6e673b583763096b8efbd2df022b02995609cf8e64fc8ae0"},
-    {file = "coverage-7.7.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:02fad4f8faa4153db76f9246bc95c1d99f054f4e0a884175bff9155cf4f856cb"},
-    {file = "coverage-7.7.1-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:4c181ceba2e6808ede1e964f7bdc77bd8c7eb62f202c63a48cc541e5ffffccb6"},
-    {file = "coverage-7.7.1-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:80b5b207a8b08c6a934b214e364cab2fa82663d4af18981a6c0a9e95f8df7602"},
-    {file = "coverage-7.7.1-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:25fe40967717bad0ce628a0223f08a10d54c9d739e88c9cbb0f77b5959367542"},
-    {file = "coverage-7.7.1-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:881cae0f9cbd928c9c001487bb3dcbfd0b0af3ef53ae92180878591053be0cb3"},
-    {file = "coverage-7.7.1-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:c90e9141e9221dd6fbc16a2727a5703c19443a8d9bf7d634c792fa0287cee1ab"},
-    {file = "coverage-7.7.1-cp310-cp310-win32.whl", hash = "sha256:ae13ed5bf5542d7d4a0a42ff5160e07e84adc44eda65ddaa635c484ff8e55917"},
-    {file = "coverage-7.7.1-cp310-cp310-win_amd64.whl", hash = "sha256:171e9977c6a5d2b2be9efc7df1126fd525ce7cad0eb9904fe692da007ba90d81"},
-    {file = "coverage-7.7.1-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:1165490be0069e34e4f99d08e9c5209c463de11b471709dfae31e2a98cbd49fd"},
-    {file = "coverage-7.7.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:44af11c00fd3b19b8809487630f8a0039130d32363239dfd15238e6d37e41a48"},
-    {file = "coverage-7.7.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:fbba59022e7c20124d2f520842b75904c7b9f16c854233fa46575c69949fb5b9"},
-    {file = "coverage-7.7.1-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:af94fb80e4f159f4d93fb411800448ad87b6039b0500849a403b73a0d36bb5ae"},
-    {file = "coverage-7.7.1-cp311-cp311-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:eae79f8e3501133aa0e220bbc29573910d096795882a70e6f6e6637b09522133"},
-    {file = "coverage-7.7.1-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:e33426a5e1dc7743dd54dfd11d3a6c02c5d127abfaa2edd80a6e352b58347d1a"},
-    {file = "coverage-7.7.1-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:b559adc22486937786731dac69e57296cb9aede7e2687dfc0d2696dbd3b1eb6b"},
-    {file = "coverage-7.7.1-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:b838a91e84e1773c3436f6cc6996e000ed3ca5721799e7789be18830fad009a2"},
-    {file = "coverage-7.7.1-cp311-cp311-win32.whl", hash = "sha256:2c492401bdb3a85824669d6a03f57b3dfadef0941b8541f035f83bbfc39d4282"},
-    {file = "coverage-7.7.1-cp311-cp311-win_amd64.whl", hash = "sha256:1e6f867379fd033a0eeabb1be0cffa2bd660582b8b0c9478895c509d875a9d9e"},
-    {file = "coverage-7.7.1-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:eff187177d8016ff6addf789dcc421c3db0d014e4946c1cc3fbf697f7852459d"},
-    {file = "coverage-7.7.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:2444fbe1ba1889e0b29eb4d11931afa88f92dc507b7248f45be372775b3cef4f"},
-    {file = "coverage-7.7.1-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:177d837339883c541f8524683e227adcaea581eca6bb33823a2a1fdae4c988e1"},
-    {file = "coverage-7.7.1-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:15d54ecef1582b1d3ec6049b20d3c1a07d5e7f85335d8a3b617c9960b4f807e0"},
-    {file = "coverage-7.7.1-cp312-cp312-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:75c82b27c56478d5e1391f2e7b2e7f588d093157fa40d53fd9453a471b1191f2"},
-    {file = "coverage-7.7.1-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:315ff74b585110ac3b7ab631e89e769d294f303c6d21302a816b3554ed4c81af"},
-    {file = "coverage-7.7.1-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:4dd532dac197d68c478480edde74fd4476c6823355987fd31d01ad9aa1e5fb59"},
-    {file = "coverage-7.7.1-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:385618003e3d608001676bb35dc67ae3ad44c75c0395d8de5780af7bb35be6b2"},
-    {file = "coverage-7.7.1-cp312-cp312-win32.whl", hash = "sha256:63306486fcb5a827449464f6211d2991f01dfa2965976018c9bab9d5e45a35c8"},
-    {file = "coverage-7.7.1-cp312-cp312-win_amd64.whl", hash = "sha256:37351dc8123c154fa05b7579fdb126b9f8b1cf42fd6f79ddf19121b7bdd4aa04"},
-    {file = "coverage-7.7.1-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:eebd927b86761a7068a06d3699fd6c20129becf15bb44282db085921ea0f1585"},
-    {file = "coverage-7.7.1-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:2a79c4a09765d18311c35975ad2eb1ac613c0401afdd9cb1ca4110aeb5dd3c4c"},
-    {file = "coverage-7.7.1-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:8b1c65a739447c5ddce5b96c0a388fd82e4bbdff7251396a70182b1d83631019"},
-    {file = "coverage-7.7.1-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:392cc8fd2b1b010ca36840735e2a526fcbd76795a5d44006065e79868cc76ccf"},
-    {file = "coverage-7.7.1-cp313-cp313-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9bb47cc9f07a59a451361a850cb06d20633e77a9118d05fd0f77b1864439461b"},
-    {file = "coverage-7.7.1-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:b4c144c129343416a49378e05c9451c34aae5ccf00221e4fa4f487db0816ee2f"},
-    {file = "coverage-7.7.1-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:bc96441c9d9ca12a790b5ae17d2fa6654da4b3962ea15e0eabb1b1caed094777"},
-    {file = "coverage-7.7.1-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:3d03287eb03186256999539d98818c425c33546ab4901028c8fa933b62c35c3a"},
-    {file = "coverage-7.7.1-cp313-cp313-win32.whl", hash = "sha256:8fed429c26b99641dc1f3a79179860122b22745dd9af36f29b141e178925070a"},
-    {file = "coverage-7.7.1-cp313-cp313-win_amd64.whl", hash = "sha256:092b134129a8bb940c08b2d9ceb4459af5fb3faea77888af63182e17d89e1cf1"},
-    {file = "coverage-7.7.1-cp313-cp313t-macosx_10_13_x86_64.whl", hash = "sha256:d3154b369141c3169b8133973ac00f63fcf8d6dbcc297d788d36afbb7811e511"},
-    {file = "coverage-7.7.1-cp313-cp313t-macosx_11_0_arm64.whl", hash = "sha256:264ff2bcce27a7f455b64ac0dfe097680b65d9a1a293ef902675fa8158d20b24"},
-    {file = "coverage-7.7.1-cp313-cp313t-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ba8480ebe401c2f094d10a8c4209b800a9b77215b6c796d16b6ecdf665048950"},
-    {file = "coverage-7.7.1-cp313-cp313t-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:520af84febb6bb54453e7fbb730afa58c7178fd018c398a8fcd8e269a79bf96d"},
-    {file = "coverage-7.7.1-cp313-cp313t-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:88d96127ae01ff571d465d4b0be25c123789cef88ba0879194d673fdea52f54e"},
-    {file = "coverage-7.7.1-cp313-cp313t-musllinux_1_2_aarch64.whl", hash = "sha256:0ce92c5a9d7007d838456f4b77ea159cb628187a137e1895331e530973dcf862"},
-    {file = "coverage-7.7.1-cp313-cp313t-musllinux_1_2_i686.whl", hash = "sha256:0dab4ef76d7b14f432057fdb7a0477e8bffca0ad39ace308be6e74864e632271"},
-    {file = "coverage-7.7.1-cp313-cp313t-musllinux_1_2_x86_64.whl", hash = "sha256:7e688010581dbac9cab72800e9076e16f7cccd0d89af5785b70daa11174e94de"},
-    {file = "coverage-7.7.1-cp313-cp313t-win32.whl", hash = "sha256:e52eb31ae3afacdacfe50705a15b75ded67935770c460d88c215a9c0c40d0e9c"},
-    {file = "coverage-7.7.1-cp313-cp313t-win_amd64.whl", hash = "sha256:a6b6b3bd121ee2ec4bd35039319f3423d0be282b9752a5ae9f18724bc93ebe7c"},
-    {file = "coverage-7.7.1-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:34a3bf6b92e6621fc4dcdaab353e173ccb0ca9e4bfbcf7e49a0134c86c9cd303"},
-    {file = "coverage-7.7.1-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:d6874929d624d3a670f676efafbbc747f519a6121b581dd41d012109e70a5ebd"},
-    {file = "coverage-7.7.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:7ba5ff236c87a7b7aa1441a216caf44baee14cbfbd2256d306f926d16b026578"},
-    {file = "coverage-7.7.1-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:452735fafe8ff5918236d5fe1feac322b359e57692269c75151f9b4ee4b7e1bc"},
-    {file = "coverage-7.7.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f5f99a93cecf799738e211f9746dc83749b5693538fbfac279a61682ba309387"},
-    {file = "coverage-7.7.1-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:11dd6f52c2a7ce8bf0a5f3b6e4a8eb60e157ffedc3c4b4314a41c1dfbd26ce58"},
-    {file = "coverage-7.7.1-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:b52edb940d087e2a96e73c1523284a2e94a4e66fa2ea1e2e64dddc67173bad94"},
-    {file = "coverage-7.7.1-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:d2e73e2ac468536197e6b3ab79bc4a5c9da0f078cd78cfcc7fe27cf5d1195ef0"},
-    {file = "coverage-7.7.1-cp39-cp39-win32.whl", hash = "sha256:18f544356bceef17cc55fcf859e5664f06946c1b68efcea6acdc50f8f6a6e776"},
-    {file = "coverage-7.7.1-cp39-cp39-win_amd64.whl", hash = "sha256:d66ff48ab3bb6f762a153e29c0fc1eb5a62a260217bc64470d7ba602f5886d20"},
-    {file = "coverage-7.7.1-pp39.pp310.pp311-none-any.whl", hash = "sha256:5b7b02e50d54be6114cc4f6a3222fec83164f7c42772ba03b520138859b5fde1"},
-    {file = "coverage-7.7.1-py3-none-any.whl", hash = "sha256:822fa99dd1ac686061e1219b67868e25d9757989cf2259f735a4802497d6da31"},
-    {file = "coverage-7.7.1.tar.gz", hash = "sha256:199a1272e642266b90c9f40dec7fd3d307b51bf639fa0d15980dc0b3246c1393"},
+    {file = "coverage-7.8.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:2931f66991175369859b5fd58529cd4b73582461877ecfd859b6549869287ffe"},
+    {file = "coverage-7.8.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:52a523153c568d2c0ef8826f6cc23031dc86cffb8c6aeab92c4ff776e7951b28"},
+    {file = "coverage-7.8.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5c8a5c139aae4c35cbd7cadca1df02ea8cf28a911534fc1b0456acb0b14234f3"},
+    {file = "coverage-7.8.0-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:5a26c0c795c3e0b63ec7da6efded5f0bc856d7c0b24b2ac84b4d1d7bc578d676"},
+    {file = "coverage-7.8.0-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:821f7bcbaa84318287115d54becb1915eece6918136c6f91045bb84e2f88739d"},
+    {file = "coverage-7.8.0-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:a321c61477ff8ee705b8a5fed370b5710c56b3a52d17b983d9215861e37b642a"},
+    {file = "coverage-7.8.0-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:ed2144b8a78f9d94d9515963ed273d620e07846acd5d4b0a642d4849e8d91a0c"},
+    {file = "coverage-7.8.0-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:042e7841a26498fff7a37d6fda770d17519982f5b7d8bf5278d140b67b61095f"},
+    {file = "coverage-7.8.0-cp310-cp310-win32.whl", hash = "sha256:f9983d01d7705b2d1f7a95e10bbe4091fabc03a46881a256c2787637b087003f"},
+    {file = "coverage-7.8.0-cp310-cp310-win_amd64.whl", hash = "sha256:5a570cd9bd20b85d1a0d7b009aaf6c110b52b5755c17be6962f8ccd65d1dbd23"},
+    {file = "coverage-7.8.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:e7ac22a0bb2c7c49f441f7a6d46c9c80d96e56f5a8bc6972529ed43c8b694e27"},
+    {file = "coverage-7.8.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:bf13d564d310c156d1c8e53877baf2993fb3073b2fc9f69790ca6a732eb4bfea"},
+    {file = "coverage-7.8.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a5761c70c017c1b0d21b0815a920ffb94a670c8d5d409d9b38857874c21f70d7"},
+    {file = "coverage-7.8.0-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:e5ff52d790c7e1628241ffbcaeb33e07d14b007b6eb00a19320c7b8a7024c040"},
+    {file = "coverage-7.8.0-cp311-cp311-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:d39fc4817fd67b3915256af5dda75fd4ee10621a3d484524487e33416c6f3543"},
+    {file = "coverage-7.8.0-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:b44674870709017e4b4036e3d0d6c17f06a0e6d4436422e0ad29b882c40697d2"},
+    {file = "coverage-7.8.0-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:8f99eb72bf27cbb167b636eb1726f590c00e1ad375002230607a844d9e9a2318"},
+    {file = "coverage-7.8.0-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:b571bf5341ba8c6bc02e0baeaf3b061ab993bf372d982ae509807e7f112554e9"},
+    {file = "coverage-7.8.0-cp311-cp311-win32.whl", hash = "sha256:e75a2ad7b647fd8046d58c3132d7eaf31b12d8a53c0e4b21fa9c4d23d6ee6d3c"},
+    {file = "coverage-7.8.0-cp311-cp311-win_amd64.whl", hash = "sha256:3043ba1c88b2139126fc72cb48574b90e2e0546d4c78b5299317f61b7f718b78"},
+    {file = "coverage-7.8.0-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:bbb5cc845a0292e0c520656d19d7ce40e18d0e19b22cb3e0409135a575bf79fc"},
+    {file = "coverage-7.8.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:4dfd9a93db9e78666d178d4f08a5408aa3f2474ad4d0e0378ed5f2ef71640cb6"},
+    {file = "coverage-7.8.0-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f017a61399f13aa6d1039f75cd467be388d157cd81f1a119b9d9a68ba6f2830d"},
+    {file = "coverage-7.8.0-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:0915742f4c82208ebf47a2b154a5334155ed9ef9fe6190674b8a46c2fb89cb05"},
+    {file = "coverage-7.8.0-cp312-cp312-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:8a40fcf208e021eb14b0fac6bdb045c0e0cab53105f93ba0d03fd934c956143a"},
+    {file = "coverage-7.8.0-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:a1f406a8e0995d654b2ad87c62caf6befa767885301f3b8f6f73e6f3c31ec3a6"},
+    {file = "coverage-7.8.0-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:77af0f6447a582fdc7de5e06fa3757a3ef87769fbb0fdbdeba78c23049140a47"},
+    {file = "coverage-7.8.0-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:f2d32f95922927186c6dbc8bc60df0d186b6edb828d299ab10898ef3f40052fe"},
+    {file = "coverage-7.8.0-cp312-cp312-win32.whl", hash = "sha256:769773614e676f9d8e8a0980dd7740f09a6ea386d0f383db6821df07d0f08545"},
+    {file = "coverage-7.8.0-cp312-cp312-win_amd64.whl", hash = "sha256:e5d2b9be5b0693cf21eb4ce0ec8d211efb43966f6657807f6859aab3814f946b"},
+    {file = "coverage-7.8.0-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:5ac46d0c2dd5820ce93943a501ac5f6548ea81594777ca585bf002aa8854cacd"},
+    {file = "coverage-7.8.0-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:771eb7587a0563ca5bb6f622b9ed7f9d07bd08900f7589b4febff05f469bea00"},
+    {file = "coverage-7.8.0-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:42421e04069fb2cbcbca5a696c4050b84a43b05392679d4068acbe65449b5c64"},
+    {file = "coverage-7.8.0-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:554fec1199d93ab30adaa751db68acec2b41c5602ac944bb19187cb9a41a8067"},
+    {file = "coverage-7.8.0-cp313-cp313-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:5aaeb00761f985007b38cf463b1d160a14a22c34eb3f6a39d9ad6fc27cb73008"},
+    {file = "coverage-7.8.0-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:581a40c7b94921fffd6457ffe532259813fc68eb2bdda60fa8cc343414ce3733"},
+    {file = "coverage-7.8.0-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:f319bae0321bc838e205bf9e5bc28f0a3165f30c203b610f17ab5552cff90323"},
+    {file = "coverage-7.8.0-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:04bfec25a8ef1c5f41f5e7e5c842f6b615599ca8ba8391ec33a9290d9d2db3a3"},
+    {file = "coverage-7.8.0-cp313-cp313-win32.whl", hash = "sha256:dd19608788b50eed889e13a5d71d832edc34fc9dfce606f66e8f9f917eef910d"},
+    {file = "coverage-7.8.0-cp313-cp313-win_amd64.whl", hash = "sha256:a9abbccd778d98e9c7e85038e35e91e67f5b520776781d9a1e2ee9d400869487"},
+    {file = "coverage-7.8.0-cp313-cp313t-macosx_10_13_x86_64.whl", hash = "sha256:18c5ae6d061ad5b3e7eef4363fb27a0576012a7447af48be6c75b88494c6cf25"},
+    {file = "coverage-7.8.0-cp313-cp313t-macosx_11_0_arm64.whl", hash = "sha256:95aa6ae391a22bbbce1b77ddac846c98c5473de0372ba5c463480043a07bff42"},
+    {file = "coverage-7.8.0-cp313-cp313t-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:e013b07ba1c748dacc2a80e69a46286ff145935f260eb8c72df7185bf048f502"},
+    {file = "coverage-7.8.0-cp313-cp313t-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:d766a4f0e5aa1ba056ec3496243150698dc0481902e2b8559314368717be82b1"},
+    {file = "coverage-7.8.0-cp313-cp313t-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ad80e6b4a0c3cb6f10f29ae4c60e991f424e6b14219d46f1e7d442b938ee68a4"},
+    {file = "coverage-7.8.0-cp313-cp313t-musllinux_1_2_aarch64.whl", hash = "sha256:b87eb6fc9e1bb8f98892a2458781348fa37e6925f35bb6ceb9d4afd54ba36c73"},
+    {file = "coverage-7.8.0-cp313-cp313t-musllinux_1_2_i686.whl", hash = "sha256:d1ba00ae33be84066cfbe7361d4e04dec78445b2b88bdb734d0d1cbab916025a"},
+    {file = "coverage-7.8.0-cp313-cp313t-musllinux_1_2_x86_64.whl", hash = "sha256:f3c38e4e5ccbdc9198aecc766cedbb134b2d89bf64533973678dfcf07effd883"},
+    {file = "coverage-7.8.0-cp313-cp313t-win32.whl", hash = "sha256:379fe315e206b14e21db5240f89dc0774bdd3e25c3c58c2c733c99eca96f1ada"},
+    {file = "coverage-7.8.0-cp313-cp313t-win_amd64.whl", hash = "sha256:2e4b6b87bb0c846a9315e3ab4be2d52fac905100565f4b92f02c445c8799e257"},
+    {file = "coverage-7.8.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:fa260de59dfb143af06dcf30c2be0b200bed2a73737a8a59248fcb9fa601ef0f"},
+    {file = "coverage-7.8.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:96121edfa4c2dfdda409877ea8608dd01de816a4dc4a0523356067b305e4e17a"},
+    {file = "coverage-7.8.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:6b8af63b9afa1031c0ef05b217faa598f3069148eeee6bb24b79da9012423b82"},
+    {file = "coverage-7.8.0-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:89b1f4af0d4afe495cd4787a68e00f30f1d15939f550e869de90a86efa7e0814"},
+    {file = "coverage-7.8.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:94ec0be97723ae72d63d3aa41961a0b9a6f5a53ff599813c324548d18e3b9e8c"},
+    {file = "coverage-7.8.0-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:8a1d96e780bdb2d0cbb297325711701f7c0b6f89199a57f2049e90064c29f6bd"},
+    {file = "coverage-7.8.0-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:f1d8a2a57b47142b10374902777e798784abf400a004b14f1b0b9eaf1e528ba4"},
+    {file = "coverage-7.8.0-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:cf60dd2696b457b710dd40bf17ad269d5f5457b96442f7f85722bdb16fa6c899"},
+    {file = "coverage-7.8.0-cp39-cp39-win32.whl", hash = "sha256:be945402e03de47ba1872cd5236395e0f4ad635526185a930735f66710e1bd3f"},
+    {file = "coverage-7.8.0-cp39-cp39-win_amd64.whl", hash = "sha256:90e7fbc6216ecaffa5a880cdc9c77b7418c1dcb166166b78dbc630d07f278cc3"},
+    {file = "coverage-7.8.0-pp39.pp310.pp311-none-any.whl", hash = "sha256:b8194fb8e50d556d5849753de991d390c5a1edeeba50f68e3a9253fbd8bf8ccd"},
+    {file = "coverage-7.8.0-py3-none-any.whl", hash = "sha256:dbf364b4c5e7bae9250528167dfe40219b62e2d573c854d74be213e1e52069f7"},
+    {file = "coverage-7.8.0.tar.gz", hash = "sha256:7a3d62b3b03b4b6fd41a085f3574874cf946cb4604d2b4d3e8dca8cd570ca501"},
 ]
 
 [package.extras]
@@ -1051,21 +1051,21 @@ pyyaml = ">=5.1"
 
 [[package]]
 name = "mkdocs-material"
-version = "9.6.10"
+version = "9.6.11"
 description = "Documentation that simply works"
 optional = false
 python-versions = ">=3.8"
 groups = ["dev"]
 files = [
-    {file = "mkdocs_material-9.6.10-py3-none-any.whl", hash = "sha256:36168548df4e2ddeb9a334ddae4ab9c388ccfea4dd50ffee657d22b93dcb1c3e"},
-    {file = "mkdocs_material-9.6.10.tar.gz", hash = "sha256:25a453c1f24f34fcf1f53680c03d2c1421b52ce5247f4468153c87a70cd5f1fc"},
+    {file = "mkdocs_material-9.6.11-py3-none-any.whl", hash = "sha256:47f21ef9cbf4f0ebdce78a2ceecaa5d413581a55141e4464902224ebbc0b1263"},
+    {file = "mkdocs_material-9.6.11.tar.gz", hash = "sha256:0b7f4a0145c5074cdd692e4362d232fb25ef5b23328d0ec1ab287af77cc0deff"},
 ]
 
 [package.dependencies]
 babel = ">=2.10,<3.0"
 backrefs = ">=5.7.post1,<6.0"
 colorama = ">=0.4,<1.0"
-jinja2 = ">=3.0,<4.0"
+jinja2 = ">=3.1,<4.0"
 markdown = ">=3.2,<4.0"
 mkdocs = ">=1.6,<2.0"
 mkdocs-material-extensions = ">=1.3,<2.0"
@@ -1093,14 +1093,14 @@ files = [
 
 [[package]]
 name = "mkdocstrings"
-version = "0.29.0"
+version = "0.29.1"
 description = "Automatic documentation from sources, for MkDocs."
 optional = false
 python-versions = ">=3.9"
 groups = ["dev"]
 files = [
-    {file = "mkdocstrings-0.29.0-py3-none-any.whl", hash = "sha256:8ea98358d2006f60befa940fdebbbc88a26b37ecbcded10be726ba359284f73d"},
-    {file = "mkdocstrings-0.29.0.tar.gz", hash = "sha256:3657be1384543ce0ee82112c3e521bbf48e41303aa0c229b9ffcccba057d922e"},
+    {file = "mkdocstrings-0.29.1-py3-none-any.whl", hash = "sha256:37a9736134934eea89cbd055a513d40a020d87dfcae9e3052c2a6b8cd4af09b6"},
+    {file = "mkdocstrings-0.29.1.tar.gz", hash = "sha256:8722f8f8c5cd75da56671e0a0c1bbed1df9946c0cef74794d6141b34011abd42"},
 ]
 
 [package.dependencies]
@@ -1111,7 +1111,6 @@ MarkupSafe = ">=1.1"
 mkdocs = ">=1.6"
 mkdocs-autorefs = ">=1.4"
 pymdown-extensions = ">=6.3"
-typing-extensions = {version = ">=4.1", markers = "python_version < \"3.10\""}
 
 [package.extras]
 crystal = ["mkdocstrings-crystal (>=0.3.4)"]
@@ -1120,14 +1119,14 @@ python-legacy = ["mkdocstrings-python-legacy (>=0.2.1)"]
 
 [[package]]
 name = "mkdocstrings-python"
-version = "1.16.8"
+version = "1.16.10"
 description = "A Python handler for mkdocstrings."
 optional = false
 python-versions = ">=3.9"
 groups = ["dev"]
 files = [
-    {file = "mkdocstrings_python-1.16.8-py3-none-any.whl", hash = "sha256:211b7aaf776cd45578ecb531e5ad0d3a35a8be9101a6bfa10de38a69af9d8fd8"},
-    {file = "mkdocstrings_python-1.16.8.tar.gz", hash = "sha256:9453ccae69be103810c1cf6435ce71c8f714ae37fef4d87d16aa92a7c800fe1d"},
+    {file = "mkdocstrings_python-1.16.10-py3-none-any.whl", hash = "sha256:63bb9f01f8848a644bdb6289e86dc38ceddeaa63ecc2e291e3b2ca52702a6643"},
+    {file = "mkdocstrings_python-1.16.10.tar.gz", hash = "sha256:f9eedfd98effb612ab4d0ed6dd2b73aff6eba5215e0a65cea6d877717f75502e"},
 ]
 
 [package.dependencies]
@@ -1530,19 +1529,19 @@ files = [
 
 [[package]]
 name = "pydantic"
-version = "2.11.1"
+version = "2.11.2"
 description = "Data validation using Python type hints"
 optional = false
 python-versions = ">=3.9"
 groups = ["main", "dev"]
 files = [
-    {file = "pydantic-2.11.1-py3-none-any.whl", hash = "sha256:5b6c415eee9f8123a14d859be0c84363fec6b1feb6b688d6435801230b56e0b8"},
-    {file = "pydantic-2.11.1.tar.gz", hash = "sha256:442557d2910e75c991c39f4b4ab18963d57b9b55122c8b2a9cd176d8c29ce968"},
+    {file = "pydantic-2.11.2-py3-none-any.whl", hash = "sha256:7f17d25846bcdf89b670a86cdfe7b29a9f1c9ca23dee154221c9aa81845cfca7"},
+    {file = "pydantic-2.11.2.tar.gz", hash = "sha256:2138628e050bd7a1e70b91d4bf4a91167f4ad76fdb83209b107c8d84b854917e"},
 ]
 
 [package.dependencies]
 annotated-types = ">=0.6.0"
-pydantic-core = "2.33.0"
+pydantic-core = "2.33.1"
 typing-extensions = ">=4.12.2"
 typing-inspection = ">=0.4.0"
 
@@ -1552,111 +1551,111 @@ timezone = ["tzdata ; python_version >= \"3.9\" and platform_system == \"Windows
 
 [[package]]
 name = "pydantic-core"
-version = "2.33.0"
+version = "2.33.1"
 description = "Core functionality for Pydantic validation and serialization"
 optional = false
 python-versions = ">=3.9"
 groups = ["main", "dev"]
 files = [
-    {file = "pydantic_core-2.33.0-cp310-cp310-macosx_10_12_x86_64.whl", hash = "sha256:71dffba8fe9ddff628c68f3abd845e91b028361d43c5f8e7b3f8b91d7d85413e"},
-    {file = "pydantic_core-2.33.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:abaeec1be6ed535a5d7ffc2e6c390083c425832b20efd621562fbb5bff6dc518"},
-    {file = "pydantic_core-2.33.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:759871f00e26ad3709efc773ac37b4d571de065f9dfb1778012908bcc36b3a73"},
-    {file = "pydantic_core-2.33.0-cp310-cp310-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:dcfebee69cd5e1c0b76a17e17e347c84b00acebb8dd8edb22d4a03e88e82a207"},
-    {file = "pydantic_core-2.33.0-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:1b1262b912435a501fa04cd213720609e2cefa723a07c92017d18693e69bf00b"},
-    {file = "pydantic_core-2.33.0-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:4726f1f3f42d6a25678c67da3f0b10f148f5655813c5aca54b0d1742ba821b8f"},
-    {file = "pydantic_core-2.33.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e790954b5093dff1e3a9a2523fddc4e79722d6f07993b4cd5547825c3cbf97b5"},
-    {file = "pydantic_core-2.33.0-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:34e7fb3abe375b5c4e64fab75733d605dda0f59827752debc99c17cb2d5f3276"},
-    {file = "pydantic_core-2.33.0-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:ecb158fb9b9091b515213bed3061eb7deb1d3b4e02327c27a0ea714ff46b0760"},
-    {file = "pydantic_core-2.33.0-cp310-cp310-musllinux_1_1_armv7l.whl", hash = "sha256:4d9149e7528af8bbd76cc055967e6e04617dcb2a2afdaa3dea899406c5521faa"},
-    {file = "pydantic_core-2.33.0-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:e81a295adccf73477220e15ff79235ca9dcbcee4be459eb9d4ce9a2763b8386c"},
-    {file = "pydantic_core-2.33.0-cp310-cp310-win32.whl", hash = "sha256:f22dab23cdbce2005f26a8f0c71698457861f97fc6318c75814a50c75e87d025"},
-    {file = "pydantic_core-2.33.0-cp310-cp310-win_amd64.whl", hash = "sha256:9cb2390355ba084c1ad49485d18449b4242da344dea3e0fe10babd1f0db7dcfc"},
-    {file = "pydantic_core-2.33.0-cp311-cp311-macosx_10_12_x86_64.whl", hash = "sha256:a608a75846804271cf9c83e40bbb4dab2ac614d33c6fd5b0c6187f53f5c593ef"},
-    {file = "pydantic_core-2.33.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:e1c69aa459f5609dec2fa0652d495353accf3eda5bdb18782bc5a2ae45c9273a"},
-    {file = "pydantic_core-2.33.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b9ec80eb5a5f45a2211793f1c4aeddff0c3761d1c70d684965c1807e923a588b"},
-    {file = "pydantic_core-2.33.0-cp311-cp311-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:e925819a98318d17251776bd3d6aa9f3ff77b965762155bdad15d1a9265c4cfd"},
-    {file = "pydantic_core-2.33.0-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:5bf68bb859799e9cec3d9dd8323c40c00a254aabb56fe08f907e437005932f2b"},
-    {file = "pydantic_core-2.33.0-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:1b2ea72dea0825949a045fa4071f6d5b3d7620d2a208335207793cf29c5a182d"},
-    {file = "pydantic_core-2.33.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1583539533160186ac546b49f5cde9ffc928062c96920f58bd95de32ffd7bffd"},
-    {file = "pydantic_core-2.33.0-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:23c3e77bf8a7317612e5c26a3b084c7edeb9552d645742a54a5867635b4f2453"},
-    {file = "pydantic_core-2.33.0-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:a7a7f2a3f628d2f7ef11cb6188bcf0b9e1558151d511b974dfea10a49afe192b"},
-    {file = "pydantic_core-2.33.0-cp311-cp311-musllinux_1_1_armv7l.whl", hash = "sha256:f1fb026c575e16f673c61c7b86144517705865173f3d0907040ac30c4f9f5915"},
-    {file = "pydantic_core-2.33.0-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:635702b2fed997e0ac256b2cfbdb4dd0bf7c56b5d8fba8ef03489c03b3eb40e2"},
-    {file = "pydantic_core-2.33.0-cp311-cp311-win32.whl", hash = "sha256:07b4ced28fccae3f00626eaa0c4001aa9ec140a29501770a88dbbb0966019a86"},
-    {file = "pydantic_core-2.33.0-cp311-cp311-win_amd64.whl", hash = "sha256:4927564be53239a87770a5f86bdc272b8d1fbb87ab7783ad70255b4ab01aa25b"},
-    {file = "pydantic_core-2.33.0-cp311-cp311-win_arm64.whl", hash = "sha256:69297418ad644d521ea3e1aa2e14a2a422726167e9ad22b89e8f1130d68e1e9a"},
-    {file = "pydantic_core-2.33.0-cp312-cp312-macosx_10_12_x86_64.whl", hash = "sha256:6c32a40712e3662bebe524abe8abb757f2fa2000028d64cc5a1006016c06af43"},
-    {file = "pydantic_core-2.33.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:8ec86b5baa36f0a0bfb37db86c7d52652f8e8aa076ab745ef7725784183c3fdd"},
-    {file = "pydantic_core-2.33.0-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:4deac83a8cc1d09e40683be0bc6d1fa4cde8df0a9bf0cda5693f9b0569ac01b6"},
-    {file = "pydantic_core-2.33.0-cp312-cp312-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:175ab598fb457a9aee63206a1993874badf3ed9a456e0654273e56f00747bbd6"},
-    {file = "pydantic_core-2.33.0-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:5f36afd0d56a6c42cf4e8465b6441cf546ed69d3a4ec92724cc9c8c61bd6ecf4"},
-    {file = "pydantic_core-2.33.0-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0a98257451164666afafc7cbf5fb00d613e33f7e7ebb322fbcd99345695a9a61"},
-    {file = "pydantic_core-2.33.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ecc6d02d69b54a2eb83ebcc6f29df04957f734bcf309d346b4f83354d8376862"},
-    {file = "pydantic_core-2.33.0-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:1a69b7596c6603afd049ce7f3835bcf57dd3892fc7279f0ddf987bebed8caa5a"},
-    {file = "pydantic_core-2.33.0-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:ea30239c148b6ef41364c6f51d103c2988965b643d62e10b233b5efdca8c0099"},
-    {file = "pydantic_core-2.33.0-cp312-cp312-musllinux_1_1_armv7l.whl", hash = "sha256:abfa44cf2f7f7d7a199be6c6ec141c9024063205545aa09304349781b9a125e6"},
-    {file = "pydantic_core-2.33.0-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:20d4275f3c4659d92048c70797e5fdc396c6e4446caf517ba5cad2db60cd39d3"},
-    {file = "pydantic_core-2.33.0-cp312-cp312-win32.whl", hash = "sha256:918f2013d7eadea1d88d1a35fd4a1e16aaf90343eb446f91cb091ce7f9b431a2"},
-    {file = "pydantic_core-2.33.0-cp312-cp312-win_amd64.whl", hash = "sha256:aec79acc183865bad120b0190afac467c20b15289050648b876b07777e67ea48"},
-    {file = "pydantic_core-2.33.0-cp312-cp312-win_arm64.whl", hash = "sha256:5461934e895968655225dfa8b3be79e7e927e95d4bd6c2d40edd2fa7052e71b6"},
-    {file = "pydantic_core-2.33.0-cp313-cp313-macosx_10_12_x86_64.whl", hash = "sha256:f00e8b59e1fc8f09d05594aa7d2b726f1b277ca6155fc84c0396db1b373c4555"},
-    {file = "pydantic_core-2.33.0-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:1a73be93ecef45786d7d95b0c5e9b294faf35629d03d5b145b09b81258c7cd6d"},
-    {file = "pydantic_core-2.33.0-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ff48a55be9da6930254565ff5238d71d5e9cd8c5487a191cb85df3bdb8c77365"},
-    {file = "pydantic_core-2.33.0-cp313-cp313-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:26a4ea04195638dcd8c53dadb545d70badba51735b1594810e9768c2c0b4a5da"},
-    {file = "pydantic_core-2.33.0-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:41d698dcbe12b60661f0632b543dbb119e6ba088103b364ff65e951610cb7ce0"},
-    {file = "pydantic_core-2.33.0-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:ae62032ef513fe6281ef0009e30838a01057b832dc265da32c10469622613885"},
-    {file = "pydantic_core-2.33.0-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f225f3a3995dbbc26affc191d0443c6c4aa71b83358fd4c2b7d63e2f6f0336f9"},
-    {file = "pydantic_core-2.33.0-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:5bdd36b362f419c78d09630cbaebc64913f66f62bda6d42d5fbb08da8cc4f181"},
-    {file = "pydantic_core-2.33.0-cp313-cp313-musllinux_1_1_aarch64.whl", hash = "sha256:2a0147c0bef783fd9abc9f016d66edb6cac466dc54a17ec5f5ada08ff65caf5d"},
-    {file = "pydantic_core-2.33.0-cp313-cp313-musllinux_1_1_armv7l.whl", hash = "sha256:c860773a0f205926172c6644c394e02c25421dc9a456deff16f64c0e299487d3"},
-    {file = "pydantic_core-2.33.0-cp313-cp313-musllinux_1_1_x86_64.whl", hash = "sha256:138d31e3f90087f42aa6286fb640f3c7a8eb7bdae829418265e7e7474bd2574b"},
-    {file = "pydantic_core-2.33.0-cp313-cp313-win32.whl", hash = "sha256:d20cbb9d3e95114325780f3cfe990f3ecae24de7a2d75f978783878cce2ad585"},
-    {file = "pydantic_core-2.33.0-cp313-cp313-win_amd64.whl", hash = "sha256:ca1103d70306489e3d006b0f79db8ca5dd3c977f6f13b2c59ff745249431a606"},
-    {file = "pydantic_core-2.33.0-cp313-cp313-win_arm64.whl", hash = "sha256:6291797cad239285275558e0a27872da735b05c75d5237bbade8736f80e4c225"},
-    {file = "pydantic_core-2.33.0-cp313-cp313t-macosx_11_0_arm64.whl", hash = "sha256:7b79af799630af263eca9ec87db519426d8c9b3be35016eddad1832bac812d87"},
-    {file = "pydantic_core-2.33.0-cp313-cp313t-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:eabf946a4739b5237f4f56d77fa6668263bc466d06a8036c055587c130a46f7b"},
-    {file = "pydantic_core-2.33.0-cp313-cp313t-win_amd64.whl", hash = "sha256:8a1d581e8cdbb857b0e0e81df98603376c1a5c34dc5e54039dcc00f043df81e7"},
-    {file = "pydantic_core-2.33.0-cp39-cp39-macosx_10_12_x86_64.whl", hash = "sha256:7c9c84749f5787781c1c45bb99f433402e484e515b40675a5d121ea14711cf61"},
-    {file = "pydantic_core-2.33.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:64672fa888595a959cfeff957a654e947e65bbe1d7d82f550417cbd6898a1d6b"},
-    {file = "pydantic_core-2.33.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:26bc7367c0961dec292244ef2549afa396e72e28cc24706210bd44d947582c59"},
-    {file = "pydantic_core-2.33.0-cp39-cp39-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:ce72d46eb201ca43994303025bd54d8a35a3fc2a3495fac653d6eb7205ce04f4"},
-    {file = "pydantic_core-2.33.0-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:14229c1504287533dbf6b1fc56f752ce2b4e9694022ae7509631ce346158de11"},
-    {file = "pydantic_core-2.33.0-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:085d8985b1c1e48ef271e98a658f562f29d89bda98bf120502283efbc87313eb"},
-    {file = "pydantic_core-2.33.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:31860fbda80d8f6828e84b4a4d129fd9c4535996b8249cfb8c720dc2a1a00bb8"},
-    {file = "pydantic_core-2.33.0-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:f200b2f20856b5a6c3a35f0d4e344019f805e363416e609e9b47c552d35fd5ea"},
-    {file = "pydantic_core-2.33.0-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:5f72914cfd1d0176e58ddc05c7a47674ef4222c8253bf70322923e73e14a4ac3"},
-    {file = "pydantic_core-2.33.0-cp39-cp39-musllinux_1_1_armv7l.whl", hash = "sha256:91301a0980a1d4530d4ba7e6a739ca1a6b31341252cb709948e0aca0860ce0ae"},
-    {file = "pydantic_core-2.33.0-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:7419241e17c7fbe5074ba79143d5523270e04f86f1b3a0dff8df490f84c8273a"},
-    {file = "pydantic_core-2.33.0-cp39-cp39-win32.whl", hash = "sha256:7a25493320203005d2a4dac76d1b7d953cb49bce6d459d9ae38e30dd9f29bc9c"},
-    {file = "pydantic_core-2.33.0-cp39-cp39-win_amd64.whl", hash = "sha256:82a4eba92b7ca8af1b7d5ef5f3d9647eee94d1f74d21ca7c21e3a2b92e008358"},
-    {file = "pydantic_core-2.33.0-pp310-pypy310_pp73-macosx_10_12_x86_64.whl", hash = "sha256:e2762c568596332fdab56b07060c8ab8362c56cf2a339ee54e491cd503612c50"},
-    {file = "pydantic_core-2.33.0-pp310-pypy310_pp73-macosx_11_0_arm64.whl", hash = "sha256:5bf637300ff35d4f59c006fff201c510b2b5e745b07125458a5389af3c0dff8c"},
-    {file = "pydantic_core-2.33.0-pp310-pypy310_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:62c151ce3d59ed56ebd7ce9ce5986a409a85db697d25fc232f8e81f195aa39a1"},
-    {file = "pydantic_core-2.33.0-pp310-pypy310_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9ee65f0cc652261744fd07f2c6e6901c914aa6c5ff4dcfaf1136bc394d0dd26b"},
-    {file = "pydantic_core-2.33.0-pp310-pypy310_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:024d136ae44d233e6322027bbf356712b3940bee816e6c948ce4b90f18471b3d"},
-    {file = "pydantic_core-2.33.0-pp310-pypy310_pp73-musllinux_1_1_aarch64.whl", hash = "sha256:e37f10f6d4bc67c58fbd727108ae1d8b92b397355e68519f1e4a7babb1473442"},
-    {file = "pydantic_core-2.33.0-pp310-pypy310_pp73-musllinux_1_1_armv7l.whl", hash = "sha256:502ed542e0d958bd12e7c3e9a015bce57deaf50eaa8c2e1c439b512cb9db1e3a"},
-    {file = "pydantic_core-2.33.0-pp310-pypy310_pp73-musllinux_1_1_x86_64.whl", hash = "sha256:715c62af74c236bf386825c0fdfa08d092ab0f191eb5b4580d11c3189af9d330"},
-    {file = "pydantic_core-2.33.0-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:bccc06fa0372151f37f6b69834181aa9eb57cf8665ed36405fb45fbf6cac3bae"},
-    {file = "pydantic_core-2.33.0-pp311-pypy311_pp73-macosx_10_12_x86_64.whl", hash = "sha256:5d8dc9f63a26f7259b57f46a7aab5af86b2ad6fbe48487500bb1f4b27e051e4c"},
-    {file = "pydantic_core-2.33.0-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:30369e54d6d0113d2aa5aee7a90d17f225c13d87902ace8fcd7bbf99b19124db"},
-    {file = "pydantic_core-2.33.0-pp311-pypy311_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f3eb479354c62067afa62f53bb387827bee2f75c9c79ef25eef6ab84d4b1ae3b"},
-    {file = "pydantic_core-2.33.0-pp311-pypy311_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0310524c833d91403c960b8a3cf9f46c282eadd6afd276c8c5edc617bd705dc9"},
-    {file = "pydantic_core-2.33.0-pp311-pypy311_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:eddb18a00bbb855325db27b4c2a89a4ba491cd6a0bd6d852b225172a1f54b36c"},
-    {file = "pydantic_core-2.33.0-pp311-pypy311_pp73-musllinux_1_1_aarch64.whl", hash = "sha256:ade5dbcf8d9ef8f4b28e682d0b29f3008df9842bb5ac48ac2c17bc55771cc976"},
-    {file = "pydantic_core-2.33.0-pp311-pypy311_pp73-musllinux_1_1_armv7l.whl", hash = "sha256:2c0afd34f928383e3fd25740f2050dbac9d077e7ba5adbaa2227f4d4f3c8da5c"},
-    {file = "pydantic_core-2.33.0-pp311-pypy311_pp73-musllinux_1_1_x86_64.whl", hash = "sha256:7da333f21cd9df51d5731513a6d39319892947604924ddf2e24a4612975fb936"},
-    {file = "pydantic_core-2.33.0-pp311-pypy311_pp73-win_amd64.whl", hash = "sha256:4b6d77c75a57f041c5ee915ff0b0bb58eabb78728b69ed967bc5b780e8f701b8"},
-    {file = "pydantic_core-2.33.0-pp39-pypy39_pp73-macosx_10_12_x86_64.whl", hash = "sha256:ba95691cf25f63df53c1d342413b41bd7762d9acb425df8858d7efa616c0870e"},
-    {file = "pydantic_core-2.33.0-pp39-pypy39_pp73-macosx_11_0_arm64.whl", hash = "sha256:4f1ab031feb8676f6bd7c85abec86e2935850bf19b84432c64e3e239bffeb1ec"},
-    {file = "pydantic_core-2.33.0-pp39-pypy39_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:58c1151827eef98b83d49b6ca6065575876a02d2211f259fb1a6b7757bd24dd8"},
-    {file = "pydantic_core-2.33.0-pp39-pypy39_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a66d931ea2c1464b738ace44b7334ab32a2fd50be023d863935eb00f42be1778"},
-    {file = "pydantic_core-2.33.0-pp39-pypy39_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:0bcf0bab28995d483f6c8d7db25e0d05c3efa5cebfd7f56474359e7137f39856"},
-    {file = "pydantic_core-2.33.0-pp39-pypy39_pp73-musllinux_1_1_aarch64.whl", hash = "sha256:89670d7a0045acb52be0566df5bc8b114ac967c662c06cf5e0c606e4aadc964b"},
-    {file = "pydantic_core-2.33.0-pp39-pypy39_pp73-musllinux_1_1_armv7l.whl", hash = "sha256:b716294e721d8060908dbebe32639b01bfe61b15f9f57bcc18ca9a0e00d9520b"},
-    {file = "pydantic_core-2.33.0-pp39-pypy39_pp73-musllinux_1_1_x86_64.whl", hash = "sha256:fc53e05c16697ff0c1c7c2b98e45e131d4bfb78068fffff92a82d169cbb4c7b7"},
-    {file = "pydantic_core-2.33.0-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:68504959253303d3ae9406b634997a2123a0b0c1da86459abbd0ffc921695eac"},
-    {file = "pydantic_core-2.33.0.tar.gz", hash = "sha256:40eb8af662ba409c3cbf4a8150ad32ae73514cd7cb1f1a2113af39763dd616b3"},
+    {file = "pydantic_core-2.33.1-cp310-cp310-macosx_10_12_x86_64.whl", hash = "sha256:3077cfdb6125cc8dab61b155fdd714663e401f0e6883f9632118ec12cf42df26"},
+    {file = "pydantic_core-2.33.1-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:8ffab8b2908d152e74862d276cf5017c81a2f3719f14e8e3e8d6b83fda863927"},
+    {file = "pydantic_core-2.33.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5183e4f6a2d468787243ebcd70cf4098c247e60d73fb7d68d5bc1e1beaa0c4db"},
+    {file = "pydantic_core-2.33.1-cp310-cp310-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:398a38d323f37714023be1e0285765f0a27243a8b1506b7b7de87b647b517e48"},
+    {file = "pydantic_core-2.33.1-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:87d3776f0001b43acebfa86f8c64019c043b55cc5a6a2e313d728b5c95b46969"},
+    {file = "pydantic_core-2.33.1-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:c566dd9c5f63d22226409553531f89de0cac55397f2ab8d97d6f06cfce6d947e"},
+    {file = "pydantic_core-2.33.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a0d5f3acc81452c56895e90643a625302bd6be351e7010664151cc55b7b97f89"},
+    {file = "pydantic_core-2.33.1-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:d3a07fadec2a13274a8d861d3d37c61e97a816beae717efccaa4b36dfcaadcde"},
+    {file = "pydantic_core-2.33.1-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:f99aeda58dce827f76963ee87a0ebe75e648c72ff9ba1174a253f6744f518f65"},
+    {file = "pydantic_core-2.33.1-cp310-cp310-musllinux_1_1_armv7l.whl", hash = "sha256:902dbc832141aa0ec374f4310f1e4e7febeebc3256f00dc359a9ac3f264a45dc"},
+    {file = "pydantic_core-2.33.1-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:fe44d56aa0b00d66640aa84a3cbe80b7a3ccdc6f0b1ca71090696a6d4777c091"},
+    {file = "pydantic_core-2.33.1-cp310-cp310-win32.whl", hash = "sha256:ed3eb16d51257c763539bde21e011092f127a2202692afaeaccb50db55a31383"},
+    {file = "pydantic_core-2.33.1-cp310-cp310-win_amd64.whl", hash = "sha256:694ad99a7f6718c1a498dc170ca430687a39894a60327f548e02a9c7ee4b6504"},
+    {file = "pydantic_core-2.33.1-cp311-cp311-macosx_10_12_x86_64.whl", hash = "sha256:6e966fc3caaf9f1d96b349b0341c70c8d6573bf1bac7261f7b0ba88f96c56c24"},
+    {file = "pydantic_core-2.33.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:bfd0adeee563d59c598ceabddf2c92eec77abcb3f4a391b19aa7366170bd9e30"},
+    {file = "pydantic_core-2.33.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:91815221101ad3c6b507804178a7bb5cb7b2ead9ecd600041669c8d805ebd595"},
+    {file = "pydantic_core-2.33.1-cp311-cp311-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:9fea9c1869bb4742d174a57b4700c6dadea951df8b06de40c2fedb4f02931c2e"},
+    {file = "pydantic_core-2.33.1-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:1d20eb4861329bb2484c021b9d9a977566ab16d84000a57e28061151c62b349a"},
+    {file = "pydantic_core-2.33.1-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0fb935c5591573ae3201640579f30128ccc10739b45663f93c06796854405505"},
+    {file = "pydantic_core-2.33.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:c964fd24e6166420d18fb53996d8c9fd6eac9bf5ae3ec3d03015be4414ce497f"},
+    {file = "pydantic_core-2.33.1-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:681d65e9011f7392db5aa002b7423cc442d6a673c635668c227c6c8d0e5a4f77"},
+    {file = "pydantic_core-2.33.1-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:e100c52f7355a48413e2999bfb4e139d2977a904495441b374f3d4fb4a170961"},
+    {file = "pydantic_core-2.33.1-cp311-cp311-musllinux_1_1_armv7l.whl", hash = "sha256:048831bd363490be79acdd3232f74a0e9951b11b2b4cc058aeb72b22fdc3abe1"},
+    {file = "pydantic_core-2.33.1-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:bdc84017d28459c00db6f918a7272a5190bec3090058334e43a76afb279eac7c"},
+    {file = "pydantic_core-2.33.1-cp311-cp311-win32.whl", hash = "sha256:32cd11c5914d1179df70406427097c7dcde19fddf1418c787540f4b730289896"},
+    {file = "pydantic_core-2.33.1-cp311-cp311-win_amd64.whl", hash = "sha256:2ea62419ba8c397e7da28a9170a16219d310d2cf4970dbc65c32faf20d828c83"},
+    {file = "pydantic_core-2.33.1-cp311-cp311-win_arm64.whl", hash = "sha256:fc903512177361e868bc1f5b80ac8c8a6e05fcdd574a5fb5ffeac5a9982b9e89"},
+    {file = "pydantic_core-2.33.1-cp312-cp312-macosx_10_12_x86_64.whl", hash = "sha256:1293d7febb995e9d3ec3ea09caf1a26214eec45b0f29f6074abb004723fc1de8"},
+    {file = "pydantic_core-2.33.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:99b56acd433386c8f20be5c4000786d1e7ca0523c8eefc995d14d79c7a081498"},
+    {file = "pydantic_core-2.33.1-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:35a5ec3fa8c2fe6c53e1b2ccc2454398f95d5393ab398478f53e1afbbeb4d939"},
+    {file = "pydantic_core-2.33.1-cp312-cp312-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:b172f7b9d2f3abc0efd12e3386f7e48b576ef309544ac3a63e5e9cdd2e24585d"},
+    {file = "pydantic_core-2.33.1-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:9097b9f17f91eea659b9ec58148c0747ec354a42f7389b9d50701610d86f812e"},
+    {file = "pydantic_core-2.33.1-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:cc77ec5b7e2118b152b0d886c7514a4653bcb58c6b1d760134a9fab915f777b3"},
+    {file = "pydantic_core-2.33.1-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:d5e3d15245b08fa4a84cefc6c9222e6f37c98111c8679fbd94aa145f9a0ae23d"},
+    {file = "pydantic_core-2.33.1-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:ef99779001d7ac2e2461d8ab55d3373fe7315caefdbecd8ced75304ae5a6fc6b"},
+    {file = "pydantic_core-2.33.1-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:fc6bf8869e193855e8d91d91f6bf59699a5cdfaa47a404e278e776dd7f168b39"},
+    {file = "pydantic_core-2.33.1-cp312-cp312-musllinux_1_1_armv7l.whl", hash = "sha256:b1caa0bc2741b043db7823843e1bde8aaa58a55a58fda06083b0569f8b45693a"},
+    {file = "pydantic_core-2.33.1-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:ec259f62538e8bf364903a7d0d0239447059f9434b284f5536e8402b7dd198db"},
+    {file = "pydantic_core-2.33.1-cp312-cp312-win32.whl", hash = "sha256:e14f369c98a7c15772b9da98987f58e2b509a93235582838bd0d1d8c08b68fda"},
+    {file = "pydantic_core-2.33.1-cp312-cp312-win_amd64.whl", hash = "sha256:1c607801d85e2e123357b3893f82c97a42856192997b95b4d8325deb1cd0c5f4"},
+    {file = "pydantic_core-2.33.1-cp312-cp312-win_arm64.whl", hash = "sha256:8d13f0276806ee722e70a1c93da19748594f19ac4299c7e41237fc791d1861ea"},
+    {file = "pydantic_core-2.33.1-cp313-cp313-macosx_10_12_x86_64.whl", hash = "sha256:70af6a21237b53d1fe7b9325b20e65cbf2f0a848cf77bed492b029139701e66a"},
+    {file = "pydantic_core-2.33.1-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:282b3fe1bbbe5ae35224a0dbd05aed9ccabccd241e8e6b60370484234b456266"},
+    {file = "pydantic_core-2.33.1-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:4b315e596282bbb5822d0c7ee9d255595bd7506d1cb20c2911a4da0b970187d3"},
+    {file = "pydantic_core-2.33.1-cp313-cp313-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:1dfae24cf9921875ca0ca6a8ecb4bb2f13c855794ed0d468d6abbec6e6dcd44a"},
+    {file = "pydantic_core-2.33.1-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:6dd8ecfde08d8bfadaea669e83c63939af76f4cf5538a72597016edfa3fad516"},
+    {file = "pydantic_core-2.33.1-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:2f593494876eae852dc98c43c6f260f45abdbfeec9e4324e31a481d948214764"},
+    {file = "pydantic_core-2.33.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:948b73114f47fd7016088e5186d13faf5e1b2fe83f5e320e371f035557fd264d"},
+    {file = "pydantic_core-2.33.1-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:e11f3864eb516af21b01e25fac915a82e9ddad3bb0fb9e95a246067398b435a4"},
+    {file = "pydantic_core-2.33.1-cp313-cp313-musllinux_1_1_aarch64.whl", hash = "sha256:549150be302428b56fdad0c23c2741dcdb5572413776826c965619a25d9c6bde"},
+    {file = "pydantic_core-2.33.1-cp313-cp313-musllinux_1_1_armv7l.whl", hash = "sha256:495bc156026efafd9ef2d82372bd38afce78ddd82bf28ef5276c469e57c0c83e"},
+    {file = "pydantic_core-2.33.1-cp313-cp313-musllinux_1_1_x86_64.whl", hash = "sha256:ec79de2a8680b1a67a07490bddf9636d5c2fab609ba8c57597e855fa5fa4dacd"},
+    {file = "pydantic_core-2.33.1-cp313-cp313-win32.whl", hash = "sha256:ee12a7be1742f81b8a65b36c6921022301d466b82d80315d215c4c691724986f"},
+    {file = "pydantic_core-2.33.1-cp313-cp313-win_amd64.whl", hash = "sha256:ede9b407e39949d2afc46385ce6bd6e11588660c26f80576c11c958e6647bc40"},
+    {file = "pydantic_core-2.33.1-cp313-cp313-win_arm64.whl", hash = "sha256:aa687a23d4b7871a00e03ca96a09cad0f28f443690d300500603bd0adba4b523"},
+    {file = "pydantic_core-2.33.1-cp313-cp313t-macosx_11_0_arm64.whl", hash = "sha256:401d7b76e1000d0dd5538e6381d28febdcacb097c8d340dde7d7fc6e13e9f95d"},
+    {file = "pydantic_core-2.33.1-cp313-cp313t-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7aeb055a42d734c0255c9e489ac67e75397d59c6fbe60d155851e9782f276a9c"},
+    {file = "pydantic_core-2.33.1-cp313-cp313t-win_amd64.whl", hash = "sha256:338ea9b73e6e109f15ab439e62cb3b78aa752c7fd9536794112e14bee02c8d18"},
+    {file = "pydantic_core-2.33.1-cp39-cp39-macosx_10_12_x86_64.whl", hash = "sha256:5ab77f45d33d264de66e1884fca158bc920cb5e27fd0764a72f72f5756ae8bdb"},
+    {file = "pydantic_core-2.33.1-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:e7aaba1b4b03aaea7bb59e1b5856d734be011d3e6d98f5bcaa98cb30f375f2ad"},
+    {file = "pydantic_core-2.33.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:7fb66263e9ba8fea2aa85e1e5578980d127fb37d7f2e292773e7bc3a38fb0c7b"},
+    {file = "pydantic_core-2.33.1-cp39-cp39-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:3f2648b9262607a7fb41d782cc263b48032ff7a03a835581abbf7a3bec62bcf5"},
+    {file = "pydantic_core-2.33.1-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:723c5630c4259400818b4ad096735a829074601805d07f8cafc366d95786d331"},
+    {file = "pydantic_core-2.33.1-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:d100e3ae783d2167782391e0c1c7a20a31f55f8015f3293647544df3f9c67824"},
+    {file = "pydantic_core-2.33.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:177d50460bc976a0369920b6c744d927b0ecb8606fb56858ff542560251b19e5"},
+    {file = "pydantic_core-2.33.1-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:a3edde68d1a1f9af1273b2fe798997b33f90308fb6d44d8550c89fc6a3647cf6"},
+    {file = "pydantic_core-2.33.1-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:a62c3c3ef6a7e2c45f7853b10b5bc4ddefd6ee3cd31024754a1a5842da7d598d"},
+    {file = "pydantic_core-2.33.1-cp39-cp39-musllinux_1_1_armv7l.whl", hash = "sha256:c91dbb0ab683fa0cd64a6e81907c8ff41d6497c346890e26b23de7ee55353f96"},
+    {file = "pydantic_core-2.33.1-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:9f466e8bf0a62dc43e068c12166281c2eca72121dd2adc1040f3aa1e21ef8599"},
+    {file = "pydantic_core-2.33.1-cp39-cp39-win32.whl", hash = "sha256:ab0277cedb698749caada82e5d099dc9fed3f906a30d4c382d1a21725777a1e5"},
+    {file = "pydantic_core-2.33.1-cp39-cp39-win_amd64.whl", hash = "sha256:5773da0ee2d17136b1f1c6fbde543398d452a6ad2a7b54ea1033e2daa739b8d2"},
+    {file = "pydantic_core-2.33.1-pp310-pypy310_pp73-macosx_10_12_x86_64.whl", hash = "sha256:5c834f54f8f4640fd7e4b193f80eb25a0602bba9e19b3cd2fc7ffe8199f5ae02"},
+    {file = "pydantic_core-2.33.1-pp310-pypy310_pp73-macosx_11_0_arm64.whl", hash = "sha256:049e0de24cf23766f12cc5cc71d8abc07d4a9deb9061b334b62093dedc7cb068"},
+    {file = "pydantic_core-2.33.1-pp310-pypy310_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1a28239037b3d6f16916a4c831a5a0eadf856bdd6d2e92c10a0da3a59eadcf3e"},
+    {file = "pydantic_core-2.33.1-pp310-pypy310_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9d3da303ab5f378a268fa7d45f37d7d85c3ec19769f28d2cc0c61826a8de21fe"},
+    {file = "pydantic_core-2.33.1-pp310-pypy310_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:25626fb37b3c543818c14821afe0fd3830bc327a43953bc88db924b68c5723f1"},
+    {file = "pydantic_core-2.33.1-pp310-pypy310_pp73-musllinux_1_1_aarch64.whl", hash = "sha256:3ab2d36e20fbfcce8f02d73c33a8a7362980cff717926bbae030b93ae46b56c7"},
+    {file = "pydantic_core-2.33.1-pp310-pypy310_pp73-musllinux_1_1_armv7l.whl", hash = "sha256:2f9284e11c751b003fd4215ad92d325d92c9cb19ee6729ebd87e3250072cdcde"},
+    {file = "pydantic_core-2.33.1-pp310-pypy310_pp73-musllinux_1_1_x86_64.whl", hash = "sha256:048c01eee07d37cbd066fc512b9d8b5ea88ceeb4e629ab94b3e56965ad655add"},
+    {file = "pydantic_core-2.33.1-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:5ccd429694cf26af7997595d627dd2637e7932214486f55b8a357edaac9dae8c"},
+    {file = "pydantic_core-2.33.1-pp311-pypy311_pp73-macosx_10_12_x86_64.whl", hash = "sha256:3a371dc00282c4b84246509a5ddc808e61b9864aa1eae9ecc92bb1268b82db4a"},
+    {file = "pydantic_core-2.33.1-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:f59295ecc75a1788af8ba92f2e8c6eeaa5a94c22fc4d151e8d9638814f85c8fc"},
+    {file = "pydantic_core-2.33.1-pp311-pypy311_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:08530b8ac922003033f399128505f513e30ca770527cc8bbacf75a84fcc2c74b"},
+    {file = "pydantic_core-2.33.1-pp311-pypy311_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:bae370459da6a5466978c0eacf90690cb57ec9d533f8e63e564ef3822bfa04fe"},
+    {file = "pydantic_core-2.33.1-pp311-pypy311_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:e3de2777e3b9f4d603112f78006f4ae0acb936e95f06da6cb1a45fbad6bdb4b5"},
+    {file = "pydantic_core-2.33.1-pp311-pypy311_pp73-musllinux_1_1_aarch64.whl", hash = "sha256:3a64e81e8cba118e108d7126362ea30e021291b7805d47e4896e52c791be2761"},
+    {file = "pydantic_core-2.33.1-pp311-pypy311_pp73-musllinux_1_1_armv7l.whl", hash = "sha256:52928d8c1b6bda03cc6d811e8923dffc87a2d3c8b3bfd2ce16471c7147a24850"},
+    {file = "pydantic_core-2.33.1-pp311-pypy311_pp73-musllinux_1_1_x86_64.whl", hash = "sha256:1b30d92c9412beb5ac6b10a3eb7ef92ccb14e3f2a8d7732e2d739f58b3aa7544"},
+    {file = "pydantic_core-2.33.1-pp311-pypy311_pp73-win_amd64.whl", hash = "sha256:f995719707e0e29f0f41a8aa3bcea6e761a36c9136104d3189eafb83f5cec5e5"},
+    {file = "pydantic_core-2.33.1-pp39-pypy39_pp73-macosx_10_12_x86_64.whl", hash = "sha256:7edbc454a29fc6aeae1e1eecba4f07b63b8d76e76a748532233c4c167b4cb9ea"},
+    {file = "pydantic_core-2.33.1-pp39-pypy39_pp73-macosx_11_0_arm64.whl", hash = "sha256:ad05b683963f69a1d5d2c2bdab1274a31221ca737dbbceaa32bcb67359453cdd"},
+    {file = "pydantic_core-2.33.1-pp39-pypy39_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:df6a94bf9452c6da9b5d76ed229a5683d0306ccb91cca8e1eea883189780d568"},
+    {file = "pydantic_core-2.33.1-pp39-pypy39_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7965c13b3967909a09ecc91f21d09cfc4576bf78140b988904e94f130f188396"},
+    {file = "pydantic_core-2.33.1-pp39-pypy39_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:3f1fdb790440a34f6ecf7679e1863b825cb5ffde858a9197f851168ed08371e5"},
+    {file = "pydantic_core-2.33.1-pp39-pypy39_pp73-musllinux_1_1_aarch64.whl", hash = "sha256:5277aec8d879f8d05168fdd17ae811dd313b8ff894aeeaf7cd34ad28b4d77e33"},
+    {file = "pydantic_core-2.33.1-pp39-pypy39_pp73-musllinux_1_1_armv7l.whl", hash = "sha256:8ab581d3530611897d863d1a649fb0644b860286b4718db919bfd51ece41f10b"},
+    {file = "pydantic_core-2.33.1-pp39-pypy39_pp73-musllinux_1_1_x86_64.whl", hash = "sha256:0483847fa9ad5e3412265c1bd72aad35235512d9ce9d27d81a56d935ef489672"},
+    {file = "pydantic_core-2.33.1-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:de9e06abe3cc5ec6a2d5f75bc99b0bdca4f5c719a5b34026f8c57efbdecd2ee3"},
+    {file = "pydantic_core-2.33.1.tar.gz", hash = "sha256:bcc9c6fdb0ced789245b02b7d6603e17d1563064ddcfc36f046b61c0c05dd9df"},
 ]
 
 [package.dependencies]
@@ -2084,30 +2083,30 @@ files = [
 
 [[package]]
 name = "ruff"
-version = "0.11.2"
+version = "0.11.4"
 description = "An extremely fast Python linter and code formatter, written in Rust."
 optional = false
 python-versions = ">=3.7"
 groups = ["dev"]
 files = [
-    {file = "ruff-0.11.2-py3-none-linux_armv6l.whl", hash = "sha256:c69e20ea49e973f3afec2c06376eb56045709f0212615c1adb0eda35e8a4e477"},
-    {file = "ruff-0.11.2-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:2c5424cc1c4eb1d8ecabe6d4f1b70470b4f24a0c0171356290b1953ad8f0e272"},
-    {file = "ruff-0.11.2-py3-none-macosx_11_0_arm64.whl", hash = "sha256:ecf20854cc73f42171eedb66f006a43d0a21bfb98a2523a809931cda569552d9"},
-    {file = "ruff-0.11.2-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0c543bf65d5d27240321604cee0633a70c6c25c9a2f2492efa9f6d4b8e4199bb"},
-    {file = "ruff-0.11.2-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:20967168cc21195db5830b9224be0e964cc9c8ecf3b5a9e3ce19876e8d3a96e3"},
-    {file = "ruff-0.11.2-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:955a9ce63483999d9f0b8f0b4a3ad669e53484232853054cc8b9d51ab4c5de74"},
-    {file = "ruff-0.11.2-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:86b3a27c38b8fce73bcd262b0de32e9a6801b76d52cdb3ae4c914515f0cef608"},
-    {file = "ruff-0.11.2-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a3b66a03b248c9fcd9d64d445bafdf1589326bee6fc5c8e92d7562e58883e30f"},
-    {file = "ruff-0.11.2-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0397c2672db015be5aa3d4dac54c69aa012429097ff219392c018e21f5085147"},
-    {file = "ruff-0.11.2-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:869bcf3f9abf6457fbe39b5a37333aa4eecc52a3b99c98827ccc371a8e5b6f1b"},
-    {file = "ruff-0.11.2-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:2a2b50ca35457ba785cd8c93ebbe529467594087b527a08d487cf0ee7b3087e9"},
-    {file = "ruff-0.11.2-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:7c69c74bf53ddcfbc22e6eb2f31211df7f65054bfc1f72288fc71e5f82db3eab"},
-    {file = "ruff-0.11.2-py3-none-musllinux_1_2_i686.whl", hash = "sha256:6e8fb75e14560f7cf53b15bbc55baf5ecbe373dd5f3aab96ff7aa7777edd7630"},
-    {file = "ruff-0.11.2-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:842a472d7b4d6f5924e9297aa38149e5dcb1e628773b70e6387ae2c97a63c58f"},
-    {file = "ruff-0.11.2-py3-none-win32.whl", hash = "sha256:aca01ccd0eb5eb7156b324cfaa088586f06a86d9e5314b0eb330cb48415097cc"},
-    {file = "ruff-0.11.2-py3-none-win_amd64.whl", hash = "sha256:3170150172a8f994136c0c66f494edf199a0bbea7a409f649e4bc8f4d7084080"},
-    {file = "ruff-0.11.2-py3-none-win_arm64.whl", hash = "sha256:52933095158ff328f4c77af3d74f0379e34fd52f175144cefc1b192e7ccd32b4"},
-    {file = "ruff-0.11.2.tar.gz", hash = "sha256:ec47591497d5a1050175bdf4e1a4e6272cddff7da88a2ad595e1e326041d8d94"},
+    {file = "ruff-0.11.4-py3-none-linux_armv6l.whl", hash = "sha256:d9f4a761ecbde448a2d3e12fb398647c7f0bf526dbc354a643ec505965824ed2"},
+    {file = "ruff-0.11.4-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:8c1747d903447d45ca3d40c794d1a56458c51e5cc1bc77b7b64bd2cf0b1626cc"},
+    {file = "ruff-0.11.4-py3-none-macosx_11_0_arm64.whl", hash = "sha256:51a6494209cacca79e121e9b244dc30d3414dac8cc5afb93f852173a2ecfc906"},
+    {file = "ruff-0.11.4-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3f171605f65f4fc49c87f41b456e882cd0c89e4ac9d58e149a2b07930e1d466f"},
+    {file = "ruff-0.11.4-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:ebf99ea9af918878e6ce42098981fc8c1db3850fef2f1ada69fb1dcdb0f8e79e"},
+    {file = "ruff-0.11.4-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:edad2eac42279df12e176564a23fc6f4aaeeb09abba840627780b1bb11a9d223"},
+    {file = "ruff-0.11.4-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:f103a848be9ff379fc19b5d656c1f911d0a0b4e3e0424f9532ececf319a4296e"},
+    {file = "ruff-0.11.4-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:193e6fac6eb60cc97b9f728e953c21cc38a20077ed64f912e9d62b97487f3f2d"},
+    {file = "ruff-0.11.4-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:7af4e5f69b7c138be8dcffa5b4a061bf6ba6a3301f632a6bce25d45daff9bc99"},
+    {file = "ruff-0.11.4-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:126b1bf13154aa18ae2d6c3c5efe144ec14b97c60844cfa6eb960c2a05188222"},
+    {file = "ruff-0.11.4-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:e8806daaf9dfa881a0ed603f8a0e364e4f11b6ed461b56cae2b1c0cab0645304"},
+    {file = "ruff-0.11.4-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:5d94bb1cc2fc94a769b0eb975344f1b1f3d294da1da9ddbb5a77665feb3a3019"},
+    {file = "ruff-0.11.4-py3-none-musllinux_1_2_i686.whl", hash = "sha256:995071203d0fe2183fc7a268766fd7603afb9996785f086b0d76edee8755c896"},
+    {file = "ruff-0.11.4-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:7a37ca937e307ea18156e775a6ac6e02f34b99e8c23fe63c1996185a4efe0751"},
+    {file = "ruff-0.11.4-py3-none-win32.whl", hash = "sha256:0e9365a7dff9b93af933dab8aebce53b72d8f815e131796268709890b4a83270"},
+    {file = "ruff-0.11.4-py3-none-win_amd64.whl", hash = "sha256:5a9fa1c69c7815e39fcfb3646bbfd7f528fa8e2d4bebdcf4c2bd0fa037a255fb"},
+    {file = "ruff-0.11.4-py3-none-win_arm64.whl", hash = "sha256:d435db6b9b93d02934cf61ef332e66af82da6d8c69aefdea5994c89997c7a0fc"},
+    {file = "ruff-0.11.4.tar.gz", hash = "sha256:f45bd2fb1a56a5a85fae3b95add03fb185a0b30cf47f5edc92aa0355ca1d7407"},
 ]
 
 [[package]]
@@ -2407,4 +2406,4 @@ type = ["pytest-mypy"]
 [metadata]
 lock-version = "2.1"
 python-versions = "^3.9"
-content-hash = "ff06861c63e94fd59af8657d81f865f0e1f4130055b164952a75d739254014c3"
+content-hash = "e9b71c7a85a236b7962a6d6d9fc5b0fd15c9a36a3fbeeab7736fe4a8c060d496"

pykanidm/pyproject.toml

@@ -29,7 +29,7 @@ Authlib = "^1.2.0"
 
 
 [tool.poetry.group.dev.dependencies]
-ruff = ">=0.5.1,<0.11.3"
+ruff = ">=0.5.1,<0.11.5"
 pytest = "^8.3.4"
 mypy = "^1.14.1"
 types-requests = "^2.32.0.20241016"

scripts/install_ubuntu_dependencies.sh

@@ -21,6 +21,8 @@ ${SUDOCMD} apt-get update &&
         cmake \
         build-essential \
         jq \
+        lld \
+        clang \
         tpm-udev
 
 if [ -z "${PACKAGING}" ]; then
@@ -73,10 +75,6 @@ if [ -z "$(which cargo)" ]; then
     ERROR=1
 fi
 
-if [ $ERROR -eq 0 ] && [ -z "$(which cross)" ]; then
-    echo "You don't have cross installed! Installing it now..."
-    cargo install -f cross
-fi
 if [ $ERROR -eq 0 ] && [ -z "$(which cargo-deb)" ]; then
     echo "You don't have cargo-deb installed! Installing it now..."
     cargo install -f cargo-deb

scripts/pykanidm/integration_test.py

@@ -25,7 +25,7 @@ def recover_account(username: str) -> str:
         "recover-account",
         username,
         "--config",
-        "../../examples/insecure_server.toml",
+        "./insecure_server.toml",
         "--output",
         "json",
     ]

scripts/setup_dev_environment.sh

@@ -44,7 +44,7 @@ fi
 
 
 # defaults
-KANIDM_CONFIG_FILE="../../examples/insecure_server.toml"
+KANIDM_CONFIG_FILE="./insecure_server.toml"
 KANIDM_URL="$(rg origin "${KANIDM_CONFIG_FILE}" | awk '{print $NF}' | tr -d '"')"
 KANIDM_CA_PATH="/tmp/kanidm/ca.pem"
 
@@ -83,7 +83,7 @@ if [ "${REMOVE_TEST_DB}" -eq 1 ]; then
     rm /tmp/kanidm/kanidm.db || true
 fi
 
-export KANIDM_CONFIG="../../examples/insecure_server.toml"
+export KANIDM_CONFIG="./insecure_server.toml"
 IDM_ADMIN_USER="idm_admin@localhost"
 
 echo "Resetting the idm_admin user..."

scripts/test_run_release_server.sh

@@ -25,7 +25,7 @@ if [ ! -f "run_insecure_dev_server.sh" ]; then
     exit 1
 fi
 
-export KANIDM_CONFIG="../../examples/insecure_server.toml"
+export KANIDM_CONFIG="./insecure_server.toml"
 
 mkdir -p /tmp/kanidm/client_ca
 
@@ -48,7 +48,7 @@ fi
 
 ATTEMPT=0
 
-KANIDM_CONFIG_FILE="../../examples/insecure_server.toml"
+KANIDM_CONFIG_FILE="./insecure_server.toml"
 KANIDM_URL="$(rg origin "${KANIDM_CONFIG_FILE}" | awk '{print $NF}' | tr -d '"')"
 KANIDM_CA_PATH="/tmp/kanidm/ca.pem"
 

server/core/src/actors/v1_read.rs

@@ -191,7 +191,7 @@ impl QueryServerReadV1 {
     pub async fn handle_online_backup(
         &self,
         msg: OnlineBackupEvent,
-        outpath: &str,
+        outpath: &Path,
         versions: usize,
     ) -> Result<(), OperationError> {
         trace!(eventid = ?msg.eventid, "Begin online backup event");
@@ -200,12 +200,12 @@ impl QueryServerReadV1 {
 
         #[allow(clippy::unwrap_used)]
         let timestamp = now.format(&Rfc3339).unwrap();
-        let dest_file = format!("{}/backup-{}.json", outpath, timestamp);
+        let dest_file = outpath.join(format!("backup-{}.json", timestamp));
 
-        if Path::new(&dest_file).exists() {
+        if dest_file.exists() {
             error!(
                 "Online backup file {} already exists, will not overwrite it.",
-                dest_file
+                dest_file.display()
             );
             return Err(OperationError::InvalidState);
         }
@@ -218,10 +218,14 @@ impl QueryServerReadV1 {
                 .get_be_txn()
                 .backup(&dest_file)
                 .map(|()| {
-                    info!("Online backup created {} successfully", dest_file);
+                    info!("Online backup created {} successfully", dest_file.display());
                 })
                 .map_err(|e| {
-                    error!("Online backup failed to create {}: {:?}", dest_file, e);
+                    error!(
+                        "Online backup failed to create {}: {:?}",
+                        dest_file.display(),
+                        e
+                    );
                     OperationError::InvalidState
                 })?;
         }
@@ -267,7 +271,11 @@ impl QueryServerReadV1 {
                 }
             }
             Err(e) => {
-                error!("Online backup cleanup error read dir {}: {}", outpath, e);
+                error!(
+                    "Online backup cleanup error read dir {}: {}",
+                    outpath.display(),
+                    e
+                );
                 return Err(OperationError::InvalidState);
             }
         }

server/core/src/actors/v1_scim.rs

@@ -1,10 +1,14 @@
 use super::{QueryServerReadV1, QueryServerWriteV1};
 use kanidm_proto::scim_v1::{
-    client::ScimFilter, server::ScimEntryKanidm, ScimEntryGetQuery, ScimSyncRequest, ScimSyncState,
+    client::ScimEntryPostGeneric, client::ScimFilter, server::ScimEntryKanidm, ScimEntryGetQuery,
+    ScimSyncRequest, ScimSyncState,
 };
 use kanidmd_lib::idm::scim::{
     GenerateScimSyncTokenEvent, ScimSyncFinaliseEvent, ScimSyncTerminateEvent, ScimSyncUpdateEvent,
 };
+
+use kanidmd_lib::server::scim::{ScimCreateEvent, ScimDeleteEvent};
+
 use kanidmd_lib::idm::server::IdmServerTransaction;
 use kanidmd_lib::prelude::*;
 
@@ -176,6 +180,73 @@ impl QueryServerWriteV1 {
             .scim_sync_apply(&sse, &changes, ct)
             .and_then(|r| idms_prox_write.commit().map(|_| r))
     }
+
+    #[instrument(
+        level = "info",
+        skip_all,
+        fields(uuid = ?eventid)
+    )]
+    pub async fn scim_entry_create(
+        &self,
+        client_auth_info: ClientAuthInfo,
+        eventid: Uuid,
+        classes: &[EntryClass],
+        entry: ScimEntryPostGeneric,
+    ) -> Result<ScimEntryKanidm, OperationError> {
+        let ct = duration_from_epoch_now();
+        let mut idms_prox_write = self.idms.proxy_write(ct).await?;
+        let ident = idms_prox_write
+            .validate_client_auth_info_to_ident(client_auth_info, ct)
+            .map_err(|e| {
+                admin_error!(err = ?e, "Invalid identity");
+                e
+            })?;
+
+        let scim_create_event =
+            ScimCreateEvent::try_from(ident, classes, entry, &mut idms_prox_write.qs_write)?;
+
+        idms_prox_write
+            .qs_write
+            .scim_create(scim_create_event)
+            .and_then(|r| idms_prox_write.commit().map(|_| r))
+    }
+
+    #[instrument(
+        level = "info",
+        skip_all,
+        fields(uuid = ?eventid)
+    )]
+    pub async fn scim_entry_id_delete(
+        &self,
+        client_auth_info: ClientAuthInfo,
+        eventid: Uuid,
+        uuid_or_name: String,
+        class: EntryClass,
+    ) -> Result<(), OperationError> {
+        let ct = duration_from_epoch_now();
+        let mut idms_prox_write = self.idms.proxy_write(ct).await?;
+        let ident = idms_prox_write
+            .validate_client_auth_info_to_ident(client_auth_info, ct)
+            .map_err(|e| {
+                admin_error!(err = ?e, "Invalid identity");
+                e
+            })?;
+
+        let target = idms_prox_write
+            .qs_write
+            .name_to_uuid(uuid_or_name.as_str())
+            .map_err(|e| {
+                admin_error!(err = ?e, "Error resolving id to target");
+                e
+            })?;
+
+        let scim_delete_event = ScimDeleteEvent::new(ident, target, class);
+
+        idms_prox_write
+            .qs_write
+            .scim_delete(scim_delete_event)
+            .and_then(|r| idms_prox_write.commit().map(|_| r))
+    }
 }
 
 impl QueryServerReadV1 {

server/core/src/https/apidocs/mod.rs

@@ -78,6 +78,8 @@ impl Modify for SecurityAddon {
         super::v1_scim::scim_sync_get,
         super::v1_scim::scim_entry_id_get,
         super::v1_scim::scim_person_id_get,
+        super::v1_scim::scim_application_post,
+        super::v1_scim::scim_application_id_delete,
 
         super::v1::schema_get,
         super::v1::whoami,

server/core/src/https/apidocs/tests.rs

@@ -43,7 +43,7 @@ fn figure_out_if_we_have_all_the_routes() {
             .unwrap();
     // work our way through the source files in this package looking for routedefs
     let mut found_routes: BTreeMap<String, Vec<(String, String)>> = BTreeMap::new();
-    let walker = walkdir::WalkDir::new(format!("{}/src", env!("CARGO_MANIFEST_DIR")))
+    let walker = walkdir::WalkDir::new(format!("{}/src/https", env!("CARGO_MANIFEST_DIR")))
         .follow_links(false)
         .into_iter();
 

server/core/src/https/v1_scim.rs

@@ -9,10 +9,11 @@ use super::ServerState;
 use crate::https::extractors::VerifiedClientInformation;
 use axum::extract::{rejection::JsonRejection, DefaultBodyLimit, Path, Query, State};
 use axum::response::{Html, IntoResponse, Response};
-use axum::routing::{get, post};
+use axum::routing::{delete, get, post};
 use axum::{Extension, Json, Router};
 use kanidm_proto::scim_v1::{
-    server::ScimEntryKanidm, ScimEntryGetQuery, ScimSyncRequest, ScimSyncState,
+    client::ScimEntryPostGeneric, server::ScimEntryKanidm, ScimEntryGetQuery, ScimSyncRequest,
+    ScimSyncState,
 };
 use kanidm_proto::v1::Entry as ProtoEntry;
 use kanidmd_lib::prelude::*;
@@ -383,6 +384,65 @@ async fn scim_person_id_get(
         .map_err(WebError::from)
 }
 
+#[utoipa::path(
+    post,
+    path = "/scim/v1/Application",
+    responses(
+        (status = 200, content_type="application/json", body=ScimEntry),
+        ApiResponseWithout200,
+    ),
+    security(("token_jwt" = [])),
+    tag = "scim",
+    operation_id = "scim_application_post"
+)]
+async fn scim_application_post(
+    State(state): State<ServerState>,
+    Extension(kopid): Extension<KOpId>,
+    VerifiedClientInformation(client_auth_info): VerifiedClientInformation,
+    Json(entry_post): Json<ScimEntryPostGeneric>,
+) -> Result<Json<ScimEntryKanidm>, WebError> {
+    state
+        .qe_w_ref
+        .scim_entry_create(
+            client_auth_info,
+            kopid.eventid,
+            &[
+                EntryClass::Account,
+                EntryClass::ServiceAccount,
+                EntryClass::Application,
+            ],
+            entry_post,
+        )
+        .await
+        .map(Json::from)
+        .map_err(WebError::from)
+}
+
+#[utoipa::path(
+    delete,
+    path = "/scim/v1/Application/{id}",
+    responses(
+        (status = 200, content_type="application/json"),
+        ApiResponseWithout200,
+    ),
+    security(("token_jwt" = [])),
+    tag = "scim",
+    operation_id = "scim_application_id_delete"
+)]
+async fn scim_application_id_delete(
+    State(state): State<ServerState>,
+    Path(id): Path<String>,
+    Extension(kopid): Extension<KOpId>,
+    VerifiedClientInformation(client_auth_info): VerifiedClientInformation,
+) -> Result<Json<()>, WebError> {
+    state
+        .qe_w_ref
+        .scim_entry_id_delete(client_auth_info, kopid.eventid, id, EntryClass::Application)
+        .await
+        .map(Json::from)
+        .map_err(WebError::from)
+}
+
 pub fn route_setup() -> Router<ServerState> {
     Router::new()
         .route(
@@ -486,6 +546,17 @@ pub fn route_setup() -> Router<ServerState> {
         //
         //                            POST                   Send a sync update
         //
+        //
+        //  Application   /Application     Post              Create a new application
+        //
+        .route("/scim/v1/Application", post(scim_application_post))
+        //  Application   /Application/{id}     Delete      Delete the application identified by id
+        //
+        .route(
+            "/scim/v1/Application/:id",
+            delete(scim_application_id_delete),
+        )
+        // Synchronisation routes.
         .route(
             "/scim/v1/Sync",
             post(scim_sync_post)

server/core/src/interval.rs

@@ -112,19 +112,19 @@ impl IntervalActor {
         if !op.exists() {
             info!(
                 "Online backup output folder '{}' does not exist, trying to create it.",
-                outpath
+                outpath.display()
             );
             fs::create_dir_all(&outpath).map_err(|e| {
                 error!(
                     "Online backup failed to create output directory '{}': {}",
-                    outpath.clone(),
+                    outpath.display(),
                     e
                 )
             })?;
         }
 
         if !op.is_dir() {
-            error!("Online backup output '{}' is not a directory or we are missing permissions to access it.", outpath);
+            error!("Online backup output '{}' is not a directory or we are missing permissions to access it.", outpath.display());
             return Err(());
         }
 
@@ -148,7 +148,7 @@ impl IntervalActor {
                         if let Err(e) = server
                             .handle_online_backup(
                                 OnlineBackupEvent::new(),
-                                outpath.clone().as_str(),
+                                &outpath,
                                 versions,
                             )
                             .await

server/core/src/lib.rs

@@ -36,9 +36,10 @@ mod ldaps;
 mod repl;
 mod utils;
 
-use std::fmt::{Display, Formatter};
-use std::sync::Arc;
-
+use crate::actors::{QueryServerReadV1, QueryServerWriteV1};
+use crate::admin::AdminActor;
+use crate::config::{Configuration, ServerRole};
+use crate::interval::IntervalActor;
 use crate::utils::touch_file_or_quit;
 use compact_jwt::{JwsHs256Signer, JwsSigner};
 use kanidm_proto::internal::OperationError;
@@ -50,17 +51,14 @@ use kanidmd_lib::status::StatusActor;
 use kanidmd_lib::value::CredentialType;
 #[cfg(not(target_family = "windows"))]
 use libc::umask;
-
+use std::fmt::{Display, Formatter};
+use std::path::Path;
+use std::sync::Arc;
 use tokio::sync::broadcast;
+use tokio::sync::mpsc;
 use tokio::sync::Notify;
 use tokio::task;
 
-use crate::actors::{QueryServerReadV1, QueryServerWriteV1};
-use crate::admin::AdminActor;
-use crate::config::{Configuration, ServerRole};
-use crate::interval::IntervalActor;
-use tokio::sync::mpsc;
-
 // === internal setup helpers
 
 fn setup_backend(config: &Configuration, schema: &Schema) -> Result<Backend, OperationError> {
@@ -80,7 +78,7 @@ fn setup_backend_vacuum(
     let pool_size: u32 = config.threads as u32;
 
     let cfg = BackendConfig::new(
-        config.db_path.as_str(),
+        config.db_path.as_deref(),
         pool_size,
         config.db_fs_type.unwrap_or_default(),
         config.db_arc_size,
@@ -335,7 +333,7 @@ pub fn dbscan_restore_quarantined_core(config: &Configuration, id: u64) {
     };
 }
 
-pub fn backup_server_core(config: &Configuration, dst_path: &str) {
+pub fn backup_server_core(config: &Configuration, dst_path: &Path) {
     let schema = match Schema::new() {
         Ok(s) => s,
         Err(e) => {
@@ -371,8 +369,11 @@ pub fn backup_server_core(config: &Configuration, dst_path: &str) {
     // Let the txn abort, even on success.
 }
 
-pub async fn restore_server_core(config: &Configuration, dst_path: &str) {
-    touch_file_or_quit(config.db_path.as_str());
+pub async fn restore_server_core(config: &Configuration, dst_path: &Path) {
+    // If it's an in memory database, we don't need to touch anything
+    if let Some(db_path) = config.db_path.as_ref() {
+        touch_file_or_quit(db_path);
+    }
 
     // First, we provide the in-memory schema so that core attrs are indexed correctly.
     let schema = match Schema::new() {
@@ -1011,7 +1012,7 @@ pub async fn create_server_core(
     let tls_accepter_reload_task_notify = tls_acceptor_reload_notify.clone();
     let tls_config = config.tls_config.clone();
 
-    let ldap_configured = config.ldapaddress.is_some();
+    let ldap_configured = config.ldapbindaddress.is_some();
     let (ldap_tls_acceptor_reload_tx, ldap_tls_acceptor_reload_rx) = mpsc::channel(1);
     let (http_tls_acceptor_reload_tx, http_tls_acceptor_reload_rx) = mpsc::channel(1);
 
@@ -1076,7 +1077,7 @@ pub async fn create_server_core(
     };
 
     // If we have been requested to init LDAP, configure it now.
-    let maybe_ldap_acceptor_handle = match &config.ldapaddress {
+    let maybe_ldap_acceptor_handle = match &config.ldapbindaddress {
         Some(la) => {
             let opt_ldap_ssl_acceptor = maybe_tls_acceptor.clone();
 

server/core/src/utils.rs

@@ -1,32 +1,39 @@
 use filetime::FileTime;
 use std::fs::File;
 use std::io::ErrorKind;
-use std::path::PathBuf;
+use std::path::Path;
 use std::time::SystemTime;
 
-pub fn touch_file_or_quit(file_path: &str) {
+pub fn touch_file_or_quit<P: AsRef<Path>>(file_path: P) {
     /*
     Attempt to touch the file file_path, will quit the application if it fails for any reason.
 
     Will also create a new file if it doesn't already exist.
     */
-    if PathBuf::from(file_path).exists() {
+
+    let file_path: &Path = file_path.as_ref();
+
+    if file_path.exists() {
         let t = FileTime::from_system_time(SystemTime::now());
         match filetime::set_file_times(file_path, t, t) {
             Ok(_) => debug!(
                 "Successfully touched existing file {}, can continue",
-                file_path
+                file_path.display()
             ),
             Err(e) => {
                 match e.kind() {
                     ErrorKind::PermissionDenied => {
                         // we bail here because you won't be able to write them back...
-                        error!("Permission denied writing to {}, quitting.", file_path)
+                        error!(
+                            "Permission denied writing to {}, quitting.",
+                            file_path.display()
+                        )
                     }
                     _ => {
                         error!(
                             "Failed to write to {} due to error: {:?} ... quitting.",
-                            file_path, e
+                            file_path.display(),
+                            e
                         )
                     }
                 }
@@ -35,11 +42,12 @@ pub fn touch_file_or_quit(file_path: &str) {
         }
     } else {
         match File::create(file_path) {
-            Ok(_) => debug!("Successfully touched new file {}", file_path),
+            Ok(_) => debug!("Successfully touched new file {}", file_path.display()),
             Err(e) => {
                 error!(
                     "Failed to write to {} due to error: {:?} ... quitting.",
-                    file_path, e
+                    file_path.display(),
+                    e
                 );
                 std::process::exit(1);
             }

server/daemon/insecure_server.toml

@@ -1,3 +1,4 @@
+version = "2"
 bindaddress = "[::]:8443"
 ldapbindaddress = "127.0.0.1:3636"
 

server/daemon/run_insecure_dev_server.sh

@@ -22,7 +22,7 @@ fi
 
 mkdir -p "${KANI_TMP}"/client_ca
 
-CONFIG_FILE=${CONFIG_FILE:="${SCRIPT_DIR}/../../examples/insecure_server.toml"}
+CONFIG_FILE=${CONFIG_FILE:="${SCRIPT_DIR}/insecure_server.toml"}
 
 if [ ! -f "${CONFIG_FILE}" ]; then
     echo "Couldn't find configuration file at ${CONFIG_FILE}, please ensure you're running this script from its base directory (${SCRIPT_DIR})."

server/daemon/src/main.rs

@@ -37,7 +37,7 @@ use kanidmd_core::admin::{
     AdminTaskRequest, AdminTaskResponse, ClientCodec, ProtoDomainInfo,
     ProtoDomainUpgradeCheckReport, ProtoDomainUpgradeCheckStatus,
 };
-use kanidmd_core::config::{Configuration, ServerConfig};
+use kanidmd_core::config::{CliConfig, Configuration, EnvironmentConfig, ServerConfigUntagged};
 use kanidmd_core::{
     backup_server_core, cert_generate_core, create_server_core, dbscan_get_id2entry_core,
     dbscan_list_id2entry_core, dbscan_list_index_analysis_core, dbscan_list_index_core,
@@ -379,17 +379,13 @@ fn check_file_ownership(opt: &KanidmdParser) -> Result<(), ExitCode> {
 }
 
 // We have to do this because we can't use tracing until we've started the logging pipeline, and we can't start the logging pipeline until the tokio runtime's doing its thing.
-async fn start_daemon(
-    opt: KanidmdParser,
-    mut config: Configuration,
-    sconfig: ServerConfig,
-) -> ExitCode {
+async fn start_daemon(opt: KanidmdParser, config: Configuration) -> ExitCode {
     // if we have a server config and it has an OTEL URL, then we'll start the logging pipeline now.
 
     // TODO: only send to stderr when we're not in a TTY
     let sub = match sketching::otel::start_logging_pipeline(
-        &sconfig.otel_grpc_url,
-        sconfig.log_level.unwrap_or_default(),
+        &config.otel_grpc_url,
+        config.log_level,
         "kanidmd",
     ) {
         Err(err) => {
@@ -423,8 +419,8 @@ async fn start_daemon(
         return err;
     };
 
-    if let Some(db_path) = sconfig.db_path.as_ref() {
-        let db_pathbuf = PathBuf::from(db_path.as_str());
+    if let Some(db_path) = config.db_path.as_ref() {
+        let db_pathbuf = db_path.to_path_buf();
         // We can't check the db_path permissions because it may not exist yet!
         if let Some(db_parent_path) = db_pathbuf.parent() {
             if !db_parent_path.exists() {
@@ -464,72 +460,75 @@ async fn start_daemon(
                 warn!("WARNING: DB folder {} has 'everyone' permission bits in the mode. This could be a security risk ...", db_par_path_buf.to_str().unwrap_or("invalid file path"));
             }
         }
-        config.update_db_path(db_path);
     } else {
         error!("No db_path set in configuration, server startup will FAIL!");
         return ExitCode::FAILURE;
     }
 
-    if let Some(origin) = sconfig.origin.clone() {
-        config.update_origin(&origin);
-    } else {
-        error!("No origin set in configuration, server startup will FAIL!");
-        return ExitCode::FAILURE;
-    }
-
-    if let Some(domain) = sconfig.domain.clone() {
-        config.update_domain(&domain);
-    } else {
-        error!("No domain set in configuration, server startup will FAIL!");
-        return ExitCode::FAILURE;
-    }
-
-    config.update_db_arc_size(sconfig.get_db_arc_size());
-    config.update_role(sconfig.role);
-    config.update_output_mode(opt.commands.commonopt().output_mode.to_owned().into());
-    config.update_trust_x_forward_for(sconfig.trust_x_forward_for);
-    config.update_admin_bind_path(&sconfig.adminbindpath);
-    config.update_replication_config(sconfig.repl_config.clone());
-
-    match &opt.commands {
+    let lock_was_setup = match &opt.commands {
         // we aren't going to touch the DB so we can carry on
         KanidmdOpt::ShowReplicationCertificate { .. }
         | KanidmdOpt::RenewReplicationCertificate { .. }
         | KanidmdOpt::RefreshReplicationConsumer { .. }
         | KanidmdOpt::RecoverAccount { .. }
-        | KanidmdOpt::HealthCheck(_) => (),
+        | KanidmdOpt::HealthCheck(_) => None,
         _ => {
             // Okay - Lets now create our lock and go.
             #[allow(clippy::expect_used)]
-            let klock_path = match sconfig.db_path.clone() {
-                Some(val) => format!("{}.klock", val),
-                None => std::env::temp_dir()
-                    .join("kanidmd.klock")
-                    .to_str()
-                    .expect("Unable to create klock path, this is a critical error!")
-                    .to_string(),
+            let klock_path = match config.db_path.clone() {
+                Some(val) => val.with_extension("klock"),
+                None => std::env::temp_dir().join("kanidmd.klock"),
             };
 
             let flock = match File::create(&klock_path) {
                 Ok(flock) => flock,
-                Err(e) => {
-                    error!("ERROR: Refusing to start - unable to create kanidmd exclusive lock at {} - {:?}", klock_path, e);
+                Err(err) => {
+                    error!(
+                        "ERROR: Refusing to start - unable to create kanidmd exclusive lock at {}",
+                        klock_path.display()
+                    );
+                    error!(?err);
                     return ExitCode::FAILURE;
                 }
             };
 
             match flock.try_lock_exclusive() {
-                Ok(()) => debug!("Acquired kanidm exclusive lock"),
-                Err(e) => {
-                    error!("ERROR: Refusing to start - unable to lock kanidmd exclusive lock at {} - {:?}", klock_path, e);
+                Ok(true) => debug!("Acquired kanidm exclusive lock"),
+                Ok(false) => {
+                    error!(
+                        "ERROR: Refusing to start - unable to lock kanidmd exclusive lock at {}",
+                        klock_path.display()
+                    );
                     error!("Is another kanidmd process running?");
                     return ExitCode::FAILURE;
                 }
+                Err(err) => {
+                    error!(
+                        "ERROR: Refusing to start - unable to lock kanidmd exclusive lock at {}",
+                        klock_path.display()
+                    );
+                    error!(?err);
+                    return ExitCode::FAILURE;
+                }
             };
+
+            Some(klock_path)
+        }
+    };
+
+    let result_code = kanidm_main(config, opt).await;
+
+    if let Some(klock_path) = lock_was_setup {
+        if let Err(reason) = std::fs::remove_file(&klock_path) {
+            warn!(
+                ?reason,
+                "WARNING: Unable to clean up kanidmd exclusive lock at {}",
+                klock_path.display()
+            );
         }
     }
 
-    kanidm_main(sconfig, config, opt).await
+    result_code
 }
 
 fn main() -> ExitCode {
@@ -556,10 +555,6 @@ fn main() -> ExitCode {
         return ExitCode::SUCCESS;
     };
 
-    //we set up a list of these so we can set the log config THEN log out the errors.
-    let mut config_error: Vec<String> = Vec::new();
-    let mut config = Configuration::new();
-
     if env!("KANIDM_SERVER_CONFIG_PATH").is_empty() {
         println!("CRITICAL: Kanidmd was not built correctly and is missing a valid KANIDM_SERVER_CONFIG_PATH value");
         return ExitCode::FAILURE;
@@ -581,49 +576,56 @@ fn main() -> ExitCode {
         }
     };
 
-    let sconfig = match ServerConfig::new(maybe_config_path) {
-        Ok(c) => Some(c),
-        Err(e) => {
-            config_error.push(format!("Config Parse failure {:?}", e));
+    let maybe_sconfig = if let Some(config_path) = maybe_config_path {
+        match ServerConfigUntagged::new(config_path) {
+            Ok(c) => Some(c),
+            Err(err) => {
+                eprintln!("ERROR: Configuration Parse Failure: {:?}", err);
+                return ExitCode::FAILURE;
+            }
+        }
+    } else {
+        eprintln!("WARNING: No configuration path was provided, relying on environment variables.");
+        None
+    };
+
+    let envconfig = match EnvironmentConfig::new() {
+        Ok(ec) => ec,
+        Err(err) => {
+            eprintln!("ERROR: Environment Configuration Parse Failure: {:?}", err);
             return ExitCode::FAILURE;
         }
     };
 
-    // Get information on the windows username
-    #[cfg(target_family = "windows")]
-    get_user_details_windows();
+    let cli_config = CliConfig {
+        output_mode: Some(opt.commands.commonopt().output_mode.to_owned().into()),
+    };
 
-    if !config_error.is_empty() {
-        println!("There were errors on startup, which prevent the server from starting:");
-        for e in config_error {
-            println!(" - {}", e);
-        }
+    let is_server = matches!(&opt.commands, KanidmdOpt::Server(_));
+
+    let config = Configuration::build()
+        .add_env_config(envconfig)
+        .add_opt_toml_config(maybe_sconfig)
+        // We always set threads to 1 unless it's the main server.
+        .add_cli_config(cli_config)
+        .is_server_mode(is_server)
+        .finish();
+
+    let Some(config) = config else {
+        eprintln!(
+            "ERROR: Unable to build server configuration from provided configuration inputs."
+        );
         return ExitCode::FAILURE;
-    }
-
-    let sconfig = match sconfig {
-        Some(val) => val,
-        None => {
-            println!("Somehow you got an empty ServerConfig after error checking? Cannot start!");
-            return ExitCode::FAILURE;
-        }
     };
 
     // ===========================================================================
     // Config ready
 
-    // We always set threads to 1 unless it's the main server.
-    if matches!(&opt.commands, KanidmdOpt::Server(_)) {
-        // If not updated, will default to maximum
-        if let Some(threads) = sconfig.thread_count {
-            config.update_threads_count(threads);
-        }
-    } else {
-        config.update_threads_count(1);
-    };
+    // Get information on the windows username
+    #[cfg(target_family = "windows")]
+    get_user_details_windows();
 
     // Start the runtime
-
     let maybe_rt = tokio::runtime::Builder::new_multi_thread()
         .worker_threads(config.threads)
         .enable_all()
@@ -643,16 +645,12 @@ fn main() -> ExitCode {
         }
     };
 
-    rt.block_on(start_daemon(opt, config, sconfig))
+    rt.block_on(start_daemon(opt, config))
 }
 
 /// Build and execute the main server. The ServerConfig are the configuration options
 /// that we are processing into the config for the main server.
-async fn kanidm_main(
-    sconfig: ServerConfig,
-    mut config: Configuration,
-    opt: KanidmdParser,
-) -> ExitCode {
+async fn kanidm_main(config: Configuration, opt: KanidmdParser) -> ExitCode {
     match &opt.commands {
         KanidmdOpt::Server(_sopt) | KanidmdOpt::ConfigTest(_sopt) => {
             let config_test = matches!(&opt.commands, KanidmdOpt::ConfigTest(_));
@@ -662,88 +660,90 @@ async fn kanidm_main(
                 info!("Running in server mode ...");
             };
 
-            // configuration options that only relate to server mode
-            config.update_config_for_server_mode(&sconfig);
-
-            if let Some(i_str) = &(sconfig.tls_chain) {
-                let i_path = PathBuf::from(i_str.as_str());
-                let i_meta = match metadata(&i_path) {
-                    Ok(m) => m,
-                    Err(e) => {
-                        error!(
-                            "Unable to read metadata for TLS chain file '{}' - {:?}",
-                            &i_path.to_str().unwrap_or("invalid file path"),
-                            e
-                        );
-                        let diag = kanidm_lib_file_permissions::diagnose_path(&i_path);
-                        info!(%diag);
-                        return ExitCode::FAILURE;
+            // Verify the TLs configs.
+            if let Some(tls_config) = config.tls_config.as_ref() {
+                {
+                    let i_meta = match metadata(&tls_config.chain) {
+                        Ok(m) => m,
+                        Err(e) => {
+                            error!(
+                                "Unable to read metadata for TLS chain file '{}' - {:?}",
+                                tls_config.chain.display(),
+                                e
+                            );
+                            let diag =
+                                kanidm_lib_file_permissions::diagnose_path(&tls_config.chain);
+                            info!(%diag);
+                            return ExitCode::FAILURE;
+                        }
+                    };
+                    if !kanidm_lib_file_permissions::readonly(&i_meta) {
+                        warn!("permissions on {} may not be secure. Should be readonly to running uid. This could be a security risk ...", tls_config.chain.display());
                     }
-                };
-                if !kanidm_lib_file_permissions::readonly(&i_meta) {
-                    warn!("permissions on {} may not be secure. Should be readonly to running uid. This could be a security risk ...", i_str);
                 }
-            }
 
-            if let Some(i_str) = &(sconfig.tls_key) {
-                let i_path = PathBuf::from(i_str.as_str());
-
-                let i_meta = match metadata(&i_path) {
-                    Ok(m) => m,
-                    Err(e) => {
-                        error!(
-                            "Unable to read metadata for TLS key file '{}' - {:?}",
-                            &i_path.to_str().unwrap_or("invalid file path"),
-                            e
-                        );
-                        let diag = kanidm_lib_file_permissions::diagnose_path(&i_path);
-                        info!(%diag);
-                        return ExitCode::FAILURE;
+                {
+                    let i_meta = match metadata(&tls_config.key) {
+                        Ok(m) => m,
+                        Err(e) => {
+                            error!(
+                                "Unable to read metadata for TLS key file '{}' - {:?}",
+                                tls_config.key.display(),
+                                e
+                            );
+                            let diag = kanidm_lib_file_permissions::diagnose_path(&tls_config.key);
+                            info!(%diag);
+                            return ExitCode::FAILURE;
+                        }
+                    };
+                    if !kanidm_lib_file_permissions::readonly(&i_meta) {
+                        warn!("permissions on {} may not be secure. Should be readonly to running uid. This could be a security risk ...", tls_config.key.display());
+                    }
+                    #[cfg(not(target_os = "windows"))]
+                    if i_meta.mode() & 0o007 != 0 {
+                        warn!("WARNING: {} has 'everyone' permission bits in the mode. This could be a security risk ...", tls_config.key.display());
                     }
-                };
-                if !kanidm_lib_file_permissions::readonly(&i_meta) {
-                    warn!("permissions on {} may not be secure. Should be readonly to running uid. This could be a security risk ...", i_str);
-                }
-                #[cfg(not(target_os = "windows"))]
-                if i_meta.mode() & 0o007 != 0 {
-                    warn!("WARNING: {} has 'everyone' permission bits in the mode. This could be a security risk ...", i_str);
-                }
-            }
-
-            if let Some(ca_dir) = &(sconfig.tls_client_ca) {
-                // check that the TLS client CA config option is what we expect
-                let ca_dir_path = PathBuf::from(&ca_dir);
-                if !ca_dir_path.exists() {
-                    error!(
-                        "TLS CA folder {} does not exist, server startup will FAIL!",
-                        ca_dir
-                    );
-                    let diag = kanidm_lib_file_permissions::diagnose_path(&ca_dir_path);
-                    info!(%diag);
                 }
 
-                let i_meta = match metadata(&ca_dir_path) {
-                    Ok(m) => m,
-                    Err(e) => {
-                        error!("Unable to read metadata for '{}' - {:?}", ca_dir, e);
+                if let Some(ca_dir) = tls_config.client_ca.as_ref() {
+                    // check that the TLS client CA config option is what we expect
+                    let ca_dir_path = PathBuf::from(&ca_dir);
+                    if !ca_dir_path.exists() {
+                        error!(
+                            "TLS CA folder {} does not exist, server startup will FAIL!",
+                            ca_dir.display()
+                        );
                         let diag = kanidm_lib_file_permissions::diagnose_path(&ca_dir_path);
                         info!(%diag);
+                    }
+
+                    let i_meta = match metadata(&ca_dir_path) {
+                        Ok(m) => m,
+                        Err(e) => {
+                            error!(
+                                "Unable to read metadata for '{}' - {:?}",
+                                ca_dir.display(),
+                                e
+                            );
+                            let diag = kanidm_lib_file_permissions::diagnose_path(&ca_dir_path);
+                            info!(%diag);
+                            return ExitCode::FAILURE;
+                        }
+                    };
+                    if !i_meta.is_dir() {
+                        error!(
+                            "ERROR: Refusing to run - TLS Client CA folder {} may not be a directory",
+                            ca_dir.display()
+                        );
                         return ExitCode::FAILURE;
                     }
-                };
-                if !i_meta.is_dir() {
-                    error!(
-                        "ERROR: Refusing to run - TLS Client CA folder {} may not be a directory",
-                        ca_dir
-                    );
-                    return ExitCode::FAILURE;
-                }
-                if kanidm_lib_file_permissions::readonly(&i_meta) {
-                    warn!("WARNING: TLS Client CA folder permissions on {} indicate it may not be RW. This could cause the server start up to fail!", ca_dir);
-                }
-                #[cfg(not(target_os = "windows"))]
-                if i_meta.mode() & 0o007 != 0 {
-                    warn!("WARNING: TLS Client CA folder {} has 'everyone' permission bits in the mode. This could be a security risk ...", ca_dir);
+                    if kanidm_lib_file_permissions::readonly(&i_meta) {
+                        warn!("WARNING: TLS Client CA folder permissions on {} indicate it may not be RW. This could cause the server start up to fail!", ca_dir.display());
+                    }
+                    #[cfg(not(target_os = "windows"))]
+                    if i_meta.mode() & 0o007 != 0 {
+                        warn!("WARNING: TLS Client CA folder {} has 'everyone' permission bits in the mode. This could be a security risk ...", ca_dir.display());
+                    }
                 }
             }
 
@@ -753,14 +753,6 @@ async fn kanidm_main(
                 #[cfg(target_os = "linux")]
                 {
                     let _ = sd_notify::notify(true, &[sd_notify::NotifyState::Ready]);
-                    // Undocumented systemd feature - all messages should have a monotonic usec sent
-                    // with them. In some cases like "reloading" messages, it is undocumented but
-                    // failure to send this message causes the reload to fail.
-                    if let Ok(monotonic_usec) = sd_notify::NotifyState::monotonic_usec_now() {
-                        let _ = sd_notify::notify(true, &[monotonic_usec]);
-                    } else {
-                        error!("CRITICAL!!! Unable to access clock monotonic time. SYSTEMD WILL KILL US.");
-                    };
                     let _ = sd_notify::notify(
                         true,
                         &[sd_notify::NotifyState::Status("Started Kanidm 🦀")],
@@ -774,86 +766,80 @@ async fn kanidm_main(
                             {
                                 let mut listener = sctx.subscribe();
                                 tokio::select! {
-                                                Ok(()) = tokio::signal::ctrl_c() => {
-                                                    break
-                                                }
-                                                Some(()) = async move {
-                                                    let sigterm = tokio::signal::unix::SignalKind::terminate();
-                                                    #[allow(clippy::unwrap_used)]
-                                                    tokio::signal::unix::signal(sigterm).unwrap().recv().await
-                                                } => {
-                                                    break
-                                                }
-                                                Some(()) = async move {
-                                                    let sigterm = tokio::signal::unix::SignalKind::alarm();
-                                                    #[allow(clippy::unwrap_used)]
-                                                    tokio::signal::unix::signal(sigterm).unwrap().recv().await
-                                                } => {
-                                                    // Ignore
-                                                }
-                                                Some(()) = async move {
-                                                    let sigterm = tokio::signal::unix::SignalKind::hangup();
-                                                    #[allow(clippy::unwrap_used)]
-                                                    tokio::signal::unix::signal(sigterm).unwrap().recv().await
-                                                } => {
-                                                    // Reload TLS certificates
-                                                    // systemd has a special reload handler for this.
-                                                    #[cfg(target_os = "linux")]
-                                                    {
-                                                    let _ = sd_notify::notify(true, &[sd_notify::NotifyState::Reloading]);
-                                                    // CRITICAL - if you do not send a monotonic usec message after a reloading
-                                                    // message, your service WILL BE KILLED.
-                                if let Ok(monotonic_usec) = sd_notify::NotifyState::monotonic_usec_now() {
-                                let _ =
-                                    sd_notify::notify(true, &[monotonic_usec]);
-                                } else {
-                                    error!("CRITICAL!!! Unable to access clock monotonic time. SYSTEMD WILL KILL US.");
-                                };
-                                                    let _ = sd_notify::notify(true, &[sd_notify::NotifyState::Status("Reloading ...")]);
-                                                    }
+                                    Ok(()) = tokio::signal::ctrl_c() => {
+                                        break
+                                    }
+                                    Some(()) = async move {
+                                        let sigterm = tokio::signal::unix::SignalKind::terminate();
+                                        #[allow(clippy::unwrap_used)]
+                                        tokio::signal::unix::signal(sigterm).unwrap().recv().await
+                                    } => {
+                                        break
+                                    }
+                                    Some(()) = async move {
+                                        let sigterm = tokio::signal::unix::SignalKind::alarm();
+                                        #[allow(clippy::unwrap_used)]
+                                        tokio::signal::unix::signal(sigterm).unwrap().recv().await
+                                    } => {
+                                        // Ignore
+                                    }
+                                    Some(()) = async move {
+                                        let sigterm = tokio::signal::unix::SignalKind::hangup();
+                                        #[allow(clippy::unwrap_used)]
+                                        tokio::signal::unix::signal(sigterm).unwrap().recv().await
+                                    } => {
+                                        // Reload TLS certificates
+                                        // systemd has a special reload handler for this.
+                                        #[cfg(target_os = "linux")]
+                                        {
+                                            if let Ok(monotonic_usec) = sd_notify::NotifyState::monotonic_usec_now() {
+                                                let _ = sd_notify::notify(true, &[sd_notify::NotifyState::Reloading, monotonic_usec]);
+                                                let _ = sd_notify::notify(true, &[sd_notify::NotifyState::Status("Reloading ...")]);
+                                            } else {
+                                                error!("CRITICAL!!! Unable to access clock monotonic time. SYSTEMD WILL KILL US.");
+                                            };
+                                        }
 
-                                                    sctx.tls_acceptor_reload().await;
+                                        sctx.tls_acceptor_reload().await;
 
-                                                    // Systemd freaks out if you send the ready state too fast after the
-                                                    // reload state and can kill Kanidmd as a result.
-                                                    tokio::time::sleep(std::time::Duration::from_secs(5)).await;
+                                        // Systemd freaks out if you send the ready state too fast after the
+                                        // reload state and can kill Kanidmd as a result.
+                                        tokio::time::sleep(std::time::Duration::from_secs(5)).await;
 
-                                                    #[cfg(target_os = "linux")]
-                                                    {
-                                                    let _ = sd_notify::notify(true, &[sd_notify::NotifyState::Ready]);
-                                if let Ok(monotonic_usec) = sd_notify::NotifyState::monotonic_usec_now() {
-                                let _ =
-                                    sd_notify::notify(true, &[monotonic_usec]);
-                                } else {
-                                    error!("CRITICAL!!! Unable to access clock monotonic time. SYSTEMD WILL KILL US.");
-                                };
-                                                    let _ = sd_notify::notify(true, &[sd_notify::NotifyState::Status("Reload Success")]);
-                                                    }
+                                        #[cfg(target_os = "linux")]
+                                        {
+                                            if let Ok(monotonic_usec) = sd_notify::NotifyState::monotonic_usec_now() {
+                                                let _ = sd_notify::notify(true, &[sd_notify::NotifyState::Ready, monotonic_usec]);
+                                                let _ = sd_notify::notify(true, &[sd_notify::NotifyState::Status("Reload Success")]);
+                                            } else {
+                                                error!("CRITICAL!!! Unable to access clock monotonic time. SYSTEMD WILL KILL US.");
+                                            };
+                                        }
 
-                                                    info!("Reload complete");
-                                                }
-                                                Some(()) = async move {
-                                                    let sigterm = tokio::signal::unix::SignalKind::user_defined1();
-                                                    #[allow(clippy::unwrap_used)]
-                                                    tokio::signal::unix::signal(sigterm).unwrap().recv().await
-                                                } => {
-                                                    // Ignore
-                                                }
-                                                Some(()) = async move {
-                                                    let sigterm = tokio::signal::unix::SignalKind::user_defined2();
-                                                    #[allow(clippy::unwrap_used)]
-                                                    tokio::signal::unix::signal(sigterm).unwrap().recv().await
-                                                } => {
-                                                    // Ignore
-                                                }
-                                                // we got a message on thr broadcast from somewhere else
-                                                Ok(msg) = async move {
-                                                    listener.recv().await
-                                                } => {
-                                                    debug!("Main loop received message: {:?}", msg);
-                                                    break
-                                                }
-                                            }
+                                        info!("Reload complete");
+                                    }
+                                    Some(()) = async move {
+                                        let sigterm = tokio::signal::unix::SignalKind::user_defined1();
+                                        #[allow(clippy::unwrap_used)]
+                                        tokio::signal::unix::signal(sigterm).unwrap().recv().await
+                                    } => {
+                                        // Ignore
+                                    }
+                                    Some(()) = async move {
+                                        let sigterm = tokio::signal::unix::SignalKind::user_defined2();
+                                        #[allow(clippy::unwrap_used)]
+                                        tokio::signal::unix::signal(sigterm).unwrap().recv().await
+                                    } => {
+                                        // Ignore
+                                    }
+                                    // we got a message on thr broadcast from somewhere else
+                                    Ok(msg) = async move {
+                                        listener.recv().await
+                                    } => {
+                                        debug!("Main loop received message: {:?}", msg);
+                                        break
+                                    }
+                                }
                             }
                             #[cfg(target_family = "windows")]
                             {
@@ -880,34 +866,19 @@ async fn kanidm_main(
         }
         KanidmdOpt::CertGenerate(_sopt) => {
             info!("Running in certificate generate mode ...");
-            config.update_config_for_server_mode(&sconfig);
             cert_generate_core(&config);
         }
         KanidmdOpt::Database {
             commands: DbCommands::Backup(bopt),
         } => {
             info!("Running in backup mode ...");
-            let p = match bopt.path.to_str() {
-                Some(p) => p,
-                None => {
-                    error!("Invalid backup path");
-                    return ExitCode::FAILURE;
-                }
-            };
-            backup_server_core(&config, p);
+            backup_server_core(&config, &bopt.path);
         }
         KanidmdOpt::Database {
             commands: DbCommands::Restore(ropt),
         } => {
             info!("Running in restore mode ...");
-            let p = match ropt.path.to_str() {
-                Some(p) => p,
-                None => {
-                    error!("Invalid restore path");
-                    return ExitCode::FAILURE;
-                }
-            };
-            restore_server_core(&config, p).await;
+            restore_server_core(&config, &ropt.path).await;
         }
         KanidmdOpt::Database {
             commands: DbCommands::Verify(_vopt),
@@ -1088,8 +1059,6 @@ async fn kanidm_main(
             vacuum_server_core(&config);
         }
         KanidmdOpt::HealthCheck(sopt) => {
-            config.update_config_for_server_mode(&sconfig);
-
             debug!("{sopt:?}");
 
             let healthcheck_url = match &sopt.check_origin {
@@ -1110,12 +1079,15 @@ async fn kanidm_main(
                 .danger_accept_invalid_hostnames(!sopt.verify_tls)
                 .https_only(true);
 
-            client = match &sconfig.tls_chain {
+            client = match &config.tls_config {
                 None => client,
-                Some(ca_cert) => {
-                    debug!("Trying to load {} to build a CA cert path", ca_cert);
+                Some(tls_config) => {
+                    debug!(
+                        "Trying to load {} to build a CA cert path",
+                        tls_config.chain.display()
+                    );
                     // if the ca_cert file exists, then we'll use it
-                    let ca_cert_path = PathBuf::from(ca_cert);
+                    let ca_cert_path = tls_config.chain.clone();
                     match ca_cert_path.exists() {
                         true => {
                             let mut cert_buf = Vec::new();
@@ -1148,7 +1120,10 @@ async fn kanidm_main(
                             client
                         }
                         false => {
-                            warn!("Couldn't find ca cert {} but carrying on...", ca_cert);
+                            warn!(
+                                "Couldn't find ca cert {} but carrying on...",
+                                tls_config.chain.display()
+                            );
                             client
                         }
                     }

server/lib/src/be/idl_sqlite.rs

@@ -1,27 +1,21 @@
-use std::collections::{BTreeMap, BTreeSet, VecDeque};
-use std::convert::{TryFrom, TryInto};
-use std::sync::Arc;
-use std::sync::Mutex;
-use std::time::Duration;
-
 use super::keystorage::{KeyHandle, KeyHandleId};
-
-// use crate::valueset;
-use hashbrown::HashMap;
-use idlset::v2::IDLBitRange;
-use kanidm_proto::internal::{ConsistencyError, OperationError};
-use rusqlite::vtab::array::Array;
-use rusqlite::{Connection, OpenFlags, OptionalExtension};
-use uuid::Uuid;
-
 use crate::be::dbentry::DbIdentSpn;
 use crate::be::dbvalue::DbCidV1;
 use crate::be::{BackendConfig, IdList, IdRawEntry, IdxKey, IdxSlope};
 use crate::entry::{Entry, EntryCommitted, EntrySealed};
 use crate::prelude::*;
 use crate::value::{IndexType, Value};
-
-// use uuid::Uuid;
+use hashbrown::HashMap;
+use idlset::v2::IDLBitRange;
+use kanidm_proto::internal::{ConsistencyError, OperationError};
+use rusqlite::vtab::array::Array;
+use rusqlite::{Connection, OpenFlags, OptionalExtension};
+use std::collections::{BTreeMap, BTreeSet, VecDeque};
+use std::convert::{TryFrom, TryInto};
+use std::sync::Arc;
+use std::sync::Mutex;
+use std::time::Duration;
+use uuid::Uuid;
 
 const DBV_ID2ENTRY: &str = "id2entry";
 const DBV_INDEXV: &str = "indexv";
@@ -1712,7 +1706,7 @@ impl IdlSqliteWriteTransaction {
 
 impl IdlSqlite {
     pub fn new(cfg: &BackendConfig, vacuum: bool) -> Result<Self, OperationError> {
-        if cfg.path.is_empty() {
+        if cfg.path.as_os_str().is_empty() {
             debug_assert_eq!(cfg.pool_size, 1);
         }
         // If provided, set the page size to match the tuning we want. By default we use 4096. The VACUUM
@@ -1734,8 +1728,7 @@ impl IdlSqlite {
 
         // Initial setup routines.
         {
-            let vconn =
-                Connection::open_with_flags(cfg.path.as_str(), flags).map_err(sqlite_error)?;
+            let vconn = Connection::open_with_flags(&cfg.path, flags).map_err(sqlite_error)?;
 
             vconn
                 .execute_batch(
@@ -1764,8 +1757,7 @@ impl IdlSqlite {
             );
             */
 
-            let vconn =
-                Connection::open_with_flags(cfg.path.as_str(), flags).map_err(sqlite_error)?;
+            let vconn = Connection::open_with_flags(&cfg.path, flags).map_err(sqlite_error)?;
 
             vconn
                 .execute_batch("PRAGMA wal_checkpoint(TRUNCATE);")
@@ -1786,8 +1778,7 @@ impl IdlSqlite {
                 OperationError::SqliteError
             })?;
 
-            let vconn =
-                Connection::open_with_flags(cfg.path.as_str(), flags).map_err(sqlite_error)?;
+            let vconn = Connection::open_with_flags(&cfg.path, flags).map_err(sqlite_error)?;
 
             vconn
                 .pragma_update(None, "page_size", cfg.fstype as u32)
@@ -1821,7 +1812,7 @@ impl IdlSqlite {
             .map(|i| {
                 trace!("Opening Connection {}", i);
                 let conn =
-                    Connection::open_with_flags(cfg.path.as_str(), flags).map_err(sqlite_error);
+                    Connection::open_with_flags(&cfg.path, flags).map_err(sqlite_error);
                 match conn {
                     Ok(conn) => {
                         // We need to set the cachesize at this point as well.

server/lib/src/be/mod.rs

@@ -4,20 +4,6 @@
 //! is to persist content safely to disk, load that content, and execute queries
 //! utilising indexes in the most effective way possible.
 
-use std::collections::BTreeMap;
-use std::fs;
-use std::ops::DerefMut;
-use std::sync::Arc;
-use std::time::Duration;
-
-use concread::cowcell::*;
-use hashbrown::{HashMap as Map, HashSet};
-use idlset::v2::IDLBitRange;
-use idlset::AndNot;
-use kanidm_proto::internal::{ConsistencyError, OperationError};
-use tracing::{trace, trace_span};
-use uuid::Uuid;
-
 use crate::be::dbentry::{DbBackup, DbEntry};
 use crate::be::dbrepl::DbReplMeta;
 use crate::entry::Entry;
@@ -31,6 +17,19 @@ use crate::repl::ruv::{
 };
 use crate::utils::trigraph_iter;
 use crate::value::{IndexType, Value};
+use concread::cowcell::*;
+use hashbrown::{HashMap as Map, HashSet};
+use idlset::v2::IDLBitRange;
+use idlset::AndNot;
+use kanidm_proto::internal::{ConsistencyError, OperationError};
+use std::collections::BTreeMap;
+use std::fs;
+use std::ops::DerefMut;
+use std::path::{Path, PathBuf};
+use std::sync::Arc;
+use std::time::Duration;
+use tracing::{trace, trace_span};
+use uuid::Uuid;
 
 pub(crate) mod dbentry;
 pub(crate) mod dbrepl;
@@ -132,7 +131,7 @@ impl IdxMeta {
 
 #[derive(Clone)]
 pub struct BackendConfig {
-    path: String,
+    path: PathBuf,
     pool_size: u32,
     db_name: &'static str,
     fstype: FsType,
@@ -141,10 +140,16 @@ pub struct BackendConfig {
 }
 
 impl BackendConfig {
-    pub fn new(path: &str, pool_size: u32, fstype: FsType, arcsize: Option<usize>) -> Self {
+    pub fn new(
+        path: Option<&Path>,
+        pool_size: u32,
+        fstype: FsType,
+        arcsize: Option<usize>,
+    ) -> Self {
         BackendConfig {
             pool_size,
-            path: path.to_string(),
+            // This means if path is None, that "" implies an sqlite in memory/ram only database.
+            path: path.unwrap_or_else(|| Path::new("")).to_path_buf(),
             db_name: "main",
             fstype,
             arcsize,
@@ -154,7 +159,7 @@ impl BackendConfig {
     pub(crate) fn new_test(db_name: &'static str) -> Self {
         BackendConfig {
             pool_size: 1,
-            path: "".to_string(),
+            path: PathBuf::from(""),
             db_name,
             fstype: FsType::Generic,
             arcsize: Some(2048),
@@ -936,7 +941,7 @@ pub trait BackendTransaction {
         self.get_ruv().verify(&entries, results);
     }
 
-    fn backup(&mut self, dst_path: &str) -> Result<(), OperationError> {
+    fn backup(&mut self, dst_path: &Path) -> Result<(), OperationError> {
         let repl_meta = self.get_ruv().to_db_backup_ruv();
 
         // load all entries into RAM, may need to change this later
@@ -1808,7 +1813,7 @@ impl<'a> BackendWriteTransaction<'a> {
         Ok(slope)
     }
 
-    pub fn restore(&mut self, src_path: &str) -> Result<(), OperationError> {
+    pub fn restore(&mut self, src_path: &Path) -> Result<(), OperationError> {
         let serialized_string = fs::read_to_string(src_path).map_err(|e| {
             admin_error!("fs::read_to_string {:?}", e);
             OperationError::FsError
@@ -2121,7 +2126,7 @@ impl Backend {
         debug!(db_tickets = ?cfg.pool_size, profile = %env!("KANIDM_PROFILE_NAME"), cpu_flags = %env!("KANIDM_CPU_FLAGS"));
 
         // If in memory, reduce pool to 1
-        if cfg.path.is_empty() {
+        if cfg.path.as_os_str().is_empty() {
             cfg.pool_size = 1;
         }
 
@@ -2207,13 +2212,6 @@ impl Backend {
 
 #[cfg(test)]
 mod tests {
-    use std::fs;
-    use std::iter::FromIterator;
-    use std::sync::Arc;
-    use std::time::Duration;
-
-    use idlset::v2::IDLBitRange;
-
     use super::super::entry::{Entry, EntryInit, EntryNew};
     use super::Limits;
     use super::{
@@ -2223,6 +2221,12 @@ mod tests {
     use crate::prelude::*;
     use crate::repl::cid::Cid;
     use crate::value::{IndexType, PartialValue, Value};
+    use idlset::v2::IDLBitRange;
+    use std::fs;
+    use std::iter::FromIterator;
+    use std::path::Path;
+    use std::sync::Arc;
+    use std::time::Duration;
 
     lazy_static! {
         static ref CID_ZERO: Cid = Cid::new_zero();
@@ -2597,11 +2601,9 @@ mod tests {
 
     #[test]
     fn test_be_backup_restore() {
-        let db_backup_file_name = format!(
-            "{}/.backup_test.json",
-            option_env!("OUT_DIR").unwrap_or("/tmp")
-        );
-        eprintln!(" ⚠️   {db_backup_file_name}");
+        let db_backup_file_name =
+            Path::new(option_env!("OUT_DIR").unwrap_or("/tmp")).join(".backup_test.json");
+        eprintln!(" ⚠️   {}", db_backup_file_name.display());
         run_test!(|be: &mut BackendWriteTransaction| {
             // Important! Need db metadata setup!
             be.reset_db_s_uuid().unwrap();
@@ -2656,11 +2658,9 @@ mod tests {
 
     #[test]
     fn test_be_backup_restore_tampered() {
-        let db_backup_file_name = format!(
-            "{}/.backup2_test.json",
-            option_env!("OUT_DIR").unwrap_or("/tmp")
-        );
-        eprintln!(" ⚠️   {db_backup_file_name}");
+        let db_backup_file_name =
+            Path::new(option_env!("OUT_DIR").unwrap_or("/tmp")).join(".backup2_test.json");
+        eprintln!(" ⚠️   {}", db_backup_file_name.display());
         run_test!(|be: &mut BackendWriteTransaction| {
             // Important! Need db metadata setup!
             be.reset_db_s_uuid().unwrap();

server/lib/src/constants/uuids.rs

@@ -330,6 +330,11 @@ pub const UUID_SCHEMA_ATTR_DOMAIN_ALLOW_EASTER_EGGS: Uuid =
 pub const UUID_SCHEMA_ATTR_LDAP_MAXIMUM_QUERYABLE_ATTRIBUTES: Uuid =
     uuid!("00000000-0000-0000-0000-ffff00000187");
 pub const UUID_SCHEMA_ATTR_INDEXED: Uuid = uuid!("00000000-0000-0000-0000-ffff00000188");
+pub const UUID_SCHEMA_ATTR_ACP_MODIFY_PRESENT_CLASS: Uuid =
+    uuid!("00000000-0000-0000-0000-ffff00000189");
+pub const UUID_SCHEMA_ATTR_ACP_MODIFY_REMOVE_CLASS: Uuid =
+    uuid!("00000000-0000-0000-0000-ffff00000190");
+pub const UUID_SCHEMA_ATTR_APPLICATION_URL: Uuid = uuid!("00000000-0000-0000-0000-ffff00000191");
 
 // System and domain infos
 // I'd like to strongly criticise william of the past for making poor choices about these allocations.

server/lib/src/entry.rs

@@ -24,11 +24,6 @@
 //! [`filter`]: ../filter/index.html
 //! [`schema`]: ../schema/index.html
 
-use std::cmp::Ordering;
-pub use std::collections::BTreeSet as Set;
-use std::collections::{BTreeMap as Map, BTreeMap, BTreeSet};
-use std::sync::Arc;
-
 use crate::be::dbentry::{DbEntry, DbEntryVers};
 use crate::be::dbvalue::DbValueSetV2;
 use crate::be::{IdxKey, IdxSlope};
@@ -41,7 +36,13 @@ use crate::prelude::*;
 use crate::repl::cid::Cid;
 use crate::repl::entry::EntryChangeState;
 use crate::repl::proto::{ReplEntryV1, ReplIncrementalEntryV1};
+use crate::schema::{SchemaAttribute, SchemaClass, SchemaTransaction};
 use crate::server::access::AccessEffectivePermission;
+use crate::value::{
+    ApiToken, CredentialType, IndexType, IntentTokenState, Oauth2Session, PartialValue, Session,
+    SyntaxType, Value,
+};
+use crate::valueset::{self, ScimResolveStatus, ValueSet};
 use compact_jwt::JwsEs256Signer;
 use hashbrown::{HashMap, HashSet};
 use kanidm_proto::internal::ImageValue;
@@ -53,6 +54,10 @@ use kanidm_proto::v1::Entry as ProtoEntry;
 use ldap3_proto::simple::{LdapPartialAttribute, LdapSearchResultEntry};
 use openssl::ec::EcKey;
 use openssl::pkey::{Private, Public};
+use std::cmp::Ordering;
+pub use std::collections::BTreeSet as Set;
+use std::collections::{BTreeMap as Map, BTreeMap, BTreeSet};
+use std::sync::Arc;
 use time::OffsetDateTime;
 use tracing::trace;
 use uuid::Uuid;
@@ -60,13 +65,6 @@ use webauthn_rs::prelude::{
     AttestationCaList, AttestedPasskey as AttestedPasskeyV4, Passkey as PasskeyV4,
 };
 
-use crate::schema::{SchemaAttribute, SchemaClass, SchemaTransaction};
-use crate::value::{
-    ApiToken, CredentialType, IndexType, IntentTokenState, Oauth2Session, PartialValue, Session,
-    SyntaxType, Value,
-};
-use crate::valueset::{self, ScimResolveStatus, ValueSet};
-
 pub type EntryInitNew = Entry<EntryInit, EntryNew>;
 pub type EntryInvalidNew = Entry<EntryInvalid, EntryNew>;
 pub type EntryRefreshNew = Entry<EntryRefresh, EntryNew>;
@@ -285,6 +283,18 @@ impl Default for Entry<EntryInit, EntryNew> {
     }
 }
 
+impl FromIterator<(Attribute, ValueSet)> for EntryInitNew {
+    fn from_iter<I: IntoIterator<Item = (Attribute, ValueSet)>>(iter: I) -> Self {
+        let attrs = Eattrs::from_iter(iter);
+
+        Entry {
+            valid: EntryInit,
+            state: EntryNew,
+            attrs,
+        }
+    }
+}
+
 impl Entry<EntryInit, EntryNew> {
     pub fn new() -> Self {
         Entry {
@@ -292,7 +302,6 @@ impl Entry<EntryInit, EntryNew> {
             valid: EntryInit,
             state: EntryNew,
             attrs: Map::new(),
-            // attrs: Map::with_capacity(32),
         }
     }
 
@@ -479,6 +488,11 @@ impl Entry<EntryInit, EntryNew> {
         self.attrs.remove(attr);
     }
 
+    /// Set the content of this ava with this valueset, ignoring the previous data.
+    pub fn set_ava_set(&mut self, attr: &Attribute, vs: ValueSet) {
+        self.attrs.insert(attr.clone(), vs);
+    }
+
     /// Replace the existing content of an attribute set of this Entry, with a new set of Values.
     pub fn set_ava<T>(&mut self, attr: Attribute, iter: T)
     where

server/lib/src/event.rs

@@ -346,6 +346,8 @@ pub struct CreateEvent {
     pub entries: Vec<Entry<EntryInit, EntryNew>>,
     // Is the CreateEvent from an internal or external source?
     // This may affect which plugins are run ...
+    /// If true, the list of created entry UUID's will be returned.
+    pub return_created_uuids: bool,
 }
 
 impl CreateEvent {
@@ -363,7 +365,11 @@ impl CreateEvent {
         // What is the correct consuming iterator here? Can we
         // even do that?
         match rentries {
-            Ok(entries) => Ok(CreateEvent { ident, entries }),
+            Ok(entries) => Ok(CreateEvent {
+                ident,
+                entries,
+                return_created_uuids: false,
+            }),
             Err(e) => Err(e),
         }
     }
@@ -373,13 +379,18 @@ impl CreateEvent {
         ident: Identity,
         entries: Vec<Entry<EntryInit, EntryNew>>,
     ) -> Self {
-        CreateEvent { ident, entries }
+        CreateEvent {
+            ident,
+            entries,
+            return_created_uuids: false,
+        }
     }
 
     pub fn new_internal(entries: Vec<Entry<EntryInit, EntryNew>>) -> Self {
         CreateEvent {
             ident: Identity::from_internal(),
             entries,
+            return_created_uuids: false,
         }
     }
 }

server/lib/src/idm/application.rs

@@ -255,139 +255,6 @@ mod tests {
 
     const TEST_CURRENT_TIME: u64 = 6000;
 
-    // Tests that only the correct combinations of [Account, Person, Application and
-    // ServiceAccount] classes are allowed.
-    #[idm_test]
-    async fn test_idm_application_excludes(idms: &IdmServer, _idms_delayed: &mut IdmServerDelayed) {
-        let ct = Duration::from_secs(TEST_CURRENT_TIME);
-        let mut idms_prox_write = idms.proxy_write(ct).await.unwrap();
-
-        // ServiceAccount, Application and Person not allowed together
-        let test_grp_name = "testgroup1";
-        let test_grp_uuid = Uuid::new_v4();
-        let e1 = entry_init!(
-            (Attribute::Class, EntryClass::Object.to_value()),
-            (Attribute::Class, EntryClass::Group.to_value()),
-            (Attribute::Name, Value::new_iname(test_grp_name)),
-            (Attribute::Uuid, Value::Uuid(test_grp_uuid))
-        );
-        let test_entry_uuid = Uuid::new_v4();
-        let e2 = entry_init!(
-            (Attribute::Class, EntryClass::Object.to_value()),
-            (Attribute::Class, EntryClass::Account.to_value()),
-            (Attribute::Class, EntryClass::ServiceAccount.to_value()),
-            (Attribute::Class, EntryClass::Application.to_value()),
-            (Attribute::Class, EntryClass::Person.to_value()),
-            (Attribute::Name, Value::new_iname("test_app_name")),
-            (Attribute::Uuid, Value::Uuid(test_entry_uuid)),
-            (Attribute::Description, Value::new_utf8s("test_app_desc")),
-            (
-                Attribute::DisplayName,
-                Value::new_utf8s("test_app_dispname")
-            ),
-            (Attribute::LinkedGroup, Value::Refer(test_grp_uuid))
-        );
-        let ce = CreateEvent::new_internal(vec![e1, e2]);
-        let cr = idms_prox_write.qs_write.create(&ce);
-        assert!(cr.is_err());
-
-        // Application and Person not allowed together
-        let test_grp_name = "testgroup1";
-        let test_grp_uuid = Uuid::new_v4();
-        let e1 = entry_init!(
-            (Attribute::Class, EntryClass::Object.to_value()),
-            (Attribute::Class, EntryClass::Group.to_value()),
-            (Attribute::Name, Value::new_iname(test_grp_name)),
-            (Attribute::Uuid, Value::Uuid(test_grp_uuid))
-        );
-        let test_entry_uuid = Uuid::new_v4();
-        let e2 = entry_init!(
-            (Attribute::Class, EntryClass::Object.to_value()),
-            (Attribute::Class, EntryClass::Account.to_value()),
-            (Attribute::Class, EntryClass::Application.to_value()),
-            (Attribute::Class, EntryClass::Person.to_value()),
-            (Attribute::Name, Value::new_iname("test_app_name")),
-            (Attribute::Uuid, Value::Uuid(test_entry_uuid)),
-            (Attribute::Description, Value::new_utf8s("test_app_desc")),
-            (
-                Attribute::DisplayName,
-                Value::new_utf8s("test_app_dispname")
-            ),
-            (Attribute::LinkedGroup, Value::Refer(test_grp_uuid))
-        );
-        let ce = CreateEvent::new_internal(vec![e1, e2]);
-        let cr = idms_prox_write.qs_write.create(&ce);
-        assert!(cr.is_err());
-
-        // Supplements not satisfied, Application supplements ServiceAccount
-        let test_grp_name = "testgroup1";
-        let test_grp_uuid = Uuid::new_v4();
-        let e1 = entry_init!(
-            (Attribute::Class, EntryClass::Object.to_value()),
-            (Attribute::Class, EntryClass::Group.to_value()),
-            (Attribute::Name, Value::new_iname(test_grp_name)),
-            (Attribute::Uuid, Value::Uuid(test_grp_uuid))
-        );
-        let test_entry_uuid = Uuid::new_v4();
-        let e2 = entry_init!(
-            (Attribute::Class, EntryClass::Object.to_value()),
-            (Attribute::Class, EntryClass::Account.to_value()),
-            (Attribute::Class, EntryClass::Application.to_value()),
-            (Attribute::Name, Value::new_iname("test_app_name")),
-            (Attribute::Uuid, Value::Uuid(test_entry_uuid)),
-            (Attribute::Description, Value::new_utf8s("test_app_desc")),
-            (Attribute::LinkedGroup, Value::Refer(test_grp_uuid))
-        );
-        let ce = CreateEvent::new_internal(vec![e1, e2]);
-        let cr = idms_prox_write.qs_write.create(&ce);
-        assert!(cr.is_err());
-
-        // Supplements not satisfied, Application supplements ServiceAccount
-        let test_grp_name = "testgroup1";
-        let test_grp_uuid = Uuid::new_v4();
-        let e1 = entry_init!(
-            (Attribute::Class, EntryClass::Object.to_value()),
-            (Attribute::Class, EntryClass::Group.to_value()),
-            (Attribute::Name, Value::new_iname(test_grp_name)),
-            (Attribute::Uuid, Value::Uuid(test_grp_uuid))
-        );
-        let test_entry_uuid = Uuid::new_v4();
-        let e2 = entry_init!(
-            (Attribute::Class, EntryClass::Object.to_value()),
-            (Attribute::Class, EntryClass::Application.to_value()),
-            (Attribute::Name, Value::new_iname("test_app_name")),
-            (Attribute::Uuid, Value::Uuid(test_entry_uuid)),
-            (Attribute::Description, Value::new_utf8s("test_app_desc")),
-            (Attribute::LinkedGroup, Value::Refer(test_grp_uuid))
-        );
-        let ce = CreateEvent::new_internal(vec![e1, e2]);
-        let cr = idms_prox_write.qs_write.create(&ce);
-        assert!(cr.is_err());
-
-        // Supplements satisfied, Application supplements ServiceAccount
-        let test_grp_name = "testgroup1";
-        let test_grp_uuid = Uuid::new_v4();
-        let e1 = entry_init!(
-            (Attribute::Class, EntryClass::Object.to_value()),
-            (Attribute::Class, EntryClass::Group.to_value()),
-            (Attribute::Name, Value::new_iname(test_grp_name)),
-            (Attribute::Uuid, Value::Uuid(test_grp_uuid))
-        );
-        let test_entry_uuid = Uuid::new_v4();
-        let e2 = entry_init!(
-            (Attribute::Class, EntryClass::Object.to_value()),
-            (Attribute::Class, EntryClass::Application.to_value()),
-            (Attribute::Class, EntryClass::ServiceAccount.to_value()),
-            (Attribute::Name, Value::new_iname("test_app_name")),
-            (Attribute::Uuid, Value::Uuid(test_entry_uuid)),
-            (Attribute::Description, Value::new_utf8s("test_app_desc")),
-            (Attribute::LinkedGroup, Value::Refer(test_grp_uuid))
-        );
-        let ce = CreateEvent::new_internal(vec![e1, e2]);
-        let cr = idms_prox_write.qs_write.create(&ce);
-        assert!(cr.is_ok());
-    }
-
     // Tests it is not possible to create an application without the linked group attribute
     #[idm_test]
     async fn test_idm_application_no_linked_group(
@@ -404,6 +271,7 @@ mod tests {
             (Attribute::Class, EntryClass::Account.to_value()),
             (Attribute::Class, EntryClass::ServiceAccount.to_value()),
             (Attribute::Class, EntryClass::Application.to_value()),
+            (Attribute::DisplayName, Value::new_utf8s("Application")),
             (Attribute::Name, Value::new_iname("test_app_name")),
             (Attribute::Uuid, Value::Uuid(test_entry_uuid)),
             (Attribute::Description, Value::new_utf8s("test_app_desc")),
@@ -547,8 +415,10 @@ mod tests {
 
             let e3 = entry_init!(
                 (Attribute::Class, EntryClass::Object.to_value()),
+                (Attribute::Class, EntryClass::Account.to_value()),
                 (Attribute::Class, EntryClass::ServiceAccount.to_value()),
                 (Attribute::Class, EntryClass::Application.to_value()),
+                (Attribute::DisplayName, Value::new_utf8s("Application")),
                 (Attribute::Name, Value::new_iname(test_app_name)),
                 (Attribute::Uuid, Value::Uuid(test_app_uuid)),
                 (Attribute::LinkedGroup, Value::Refer(test_grp_uuid))
@@ -647,7 +517,9 @@ mod tests {
         let e2 = entry_init!(
             (Attribute::Class, EntryClass::Object.to_value()),
             (Attribute::Class, EntryClass::ServiceAccount.to_value()),
+            (Attribute::Class, EntryClass::Account.to_value()),
             (Attribute::Class, EntryClass::Application.to_value()),
+            (Attribute::DisplayName, Value::new_utf8s("Application")),
             (Attribute::Name, Value::new_iname("test_app_name")),
             (Attribute::Uuid, Value::Uuid(test_entry_uuid)),
             (Attribute::Description, Value::new_utf8s("test_app_desc")),

server/lib/src/idm/credupdatesession.rs

@@ -599,19 +599,19 @@ impl IdmServerProxyWriteTransaction<'_> {
         }
 
         let eperm_search_primary_cred = match &eperm.search {
-            Access::Denied => false,
+            Access::Deny => false,
             Access::Grant => true,
             Access::Allow(attrs) => attrs.contains(&Attribute::PrimaryCredential),
         };
 
         let eperm_mod_primary_cred = match &eperm.modify_pres {
-            Access::Denied => false,
+            Access::Deny => false,
             Access::Grant => true,
             Access::Allow(attrs) => attrs.contains(&Attribute::PrimaryCredential),
         };
 
         let eperm_rem_primary_cred = match &eperm.modify_rem {
-            Access::Denied => false,
+            Access::Deny => false,
             Access::Grant => true,
             Access::Allow(attrs) => attrs.contains(&Attribute::PrimaryCredential),
         };
@@ -620,19 +620,19 @@ impl IdmServerProxyWriteTransaction<'_> {
             eperm_search_primary_cred && eperm_mod_primary_cred && eperm_rem_primary_cred;
 
         let eperm_search_passkeys = match &eperm.search {
-            Access::Denied => false,
+            Access::Deny => false,
             Access::Grant => true,
             Access::Allow(attrs) => attrs.contains(&Attribute::PassKeys),
         };
 
         let eperm_mod_passkeys = match &eperm.modify_pres {
-            Access::Denied => false,
+            Access::Deny => false,
             Access::Grant => true,
             Access::Allow(attrs) => attrs.contains(&Attribute::PassKeys),
         };
 
         let eperm_rem_passkeys = match &eperm.modify_rem {
-            Access::Denied => false,
+            Access::Deny => false,
             Access::Grant => true,
             Access::Allow(attrs) => attrs.contains(&Attribute::PassKeys),
         };
@@ -640,19 +640,19 @@ impl IdmServerProxyWriteTransaction<'_> {
         let passkeys_can_edit = eperm_search_passkeys && eperm_mod_passkeys && eperm_rem_passkeys;
 
         let eperm_search_attested_passkeys = match &eperm.search {
-            Access::Denied => false,
+            Access::Deny => false,
             Access::Grant => true,
             Access::Allow(attrs) => attrs.contains(&Attribute::AttestedPasskeys),
         };
 
         let eperm_mod_attested_passkeys = match &eperm.modify_pres {
-            Access::Denied => false,
+            Access::Deny => false,
             Access::Grant => true,
             Access::Allow(attrs) => attrs.contains(&Attribute::AttestedPasskeys),
         };
 
         let eperm_rem_attested_passkeys = match &eperm.modify_rem {
-            Access::Denied => false,
+            Access::Deny => false,
             Access::Grant => true,
             Access::Allow(attrs) => attrs.contains(&Attribute::AttestedPasskeys),
         };
@@ -662,19 +662,19 @@ impl IdmServerProxyWriteTransaction<'_> {
             && eperm_rem_attested_passkeys;
 
         let eperm_search_unixcred = match &eperm.search {
-            Access::Denied => false,
+            Access::Deny => false,
             Access::Grant => true,
             Access::Allow(attrs) => attrs.contains(&Attribute::UnixPassword),
         };
 
         let eperm_mod_unixcred = match &eperm.modify_pres {
-            Access::Denied => false,
+            Access::Deny => false,
             Access::Grant => true,
             Access::Allow(attrs) => attrs.contains(&Attribute::UnixPassword),
         };
 
         let eperm_rem_unixcred = match &eperm.modify_rem {
-            Access::Denied => false,
+            Access::Deny => false,
             Access::Grant => true,
             Access::Allow(attrs) => attrs.contains(&Attribute::UnixPassword),
         };
@@ -685,19 +685,19 @@ impl IdmServerProxyWriteTransaction<'_> {
             && eperm_rem_unixcred;
 
         let eperm_search_sshpubkey = match &eperm.search {
-            Access::Denied => false,
+            Access::Deny => false,
             Access::Grant => true,
             Access::Allow(attrs) => attrs.contains(&Attribute::SshPublicKey),
         };
 
         let eperm_mod_sshpubkey = match &eperm.modify_pres {
-            Access::Denied => false,
+            Access::Deny => false,
             Access::Grant => true,
             Access::Allow(attrs) => attrs.contains(&Attribute::SshPublicKey),
         };
 
         let eperm_rem_sshpubkey = match &eperm.modify_rem {
-            Access::Denied => false,
+            Access::Deny => false,
             Access::Grant => true,
             Access::Allow(attrs) => attrs.contains(&Attribute::SshPublicKey),
         };
@@ -726,7 +726,7 @@ impl IdmServerProxyWriteTransaction<'_> {
             })?;
 
             match &eperm.search {
-                Access::Denied => false,
+                Access::Deny => false,
                 Access::Grant => true,
                 Access::Allow(attrs) => attrs.contains(&Attribute::SyncCredentialPortal),
             }

server/lib/src/idm/ldap.rs

@@ -1119,8 +1119,10 @@ mod tests {
 
             let e3 = entry_init!(
                 (Attribute::Class, EntryClass::Object.to_value()),
+                (Attribute::Class, EntryClass::Account.to_value()),
                 (Attribute::Class, EntryClass::ServiceAccount.to_value()),
                 (Attribute::Class, EntryClass::Application.to_value()),
+                (Attribute::DisplayName, Value::new_utf8s("Application")),
                 (Attribute::Name, Value::new_iname(app_name)),
                 (Attribute::Uuid, Value::Uuid(app_uuid)),
                 (Attribute::LinkedGroup, Value::Refer(grp_uuid))
@@ -1283,8 +1285,10 @@ mod tests {
 
             let e3 = entry_init!(
                 (Attribute::Class, EntryClass::Object.to_value()),
+                (Attribute::Class, EntryClass::Account.to_value()),
                 (Attribute::Class, EntryClass::ServiceAccount.to_value()),
                 (Attribute::Class, EntryClass::Application.to_value()),
+                (Attribute::DisplayName, Value::new_utf8s("Application")),
                 (Attribute::Name, Value::new_iname("testapp1")),
                 (Attribute::Uuid, Value::Uuid(app_uuid)),
                 (Attribute::LinkedGroup, Value::Refer(grp_uuid))
@@ -1456,8 +1460,10 @@ mod tests {
 
             let e4 = entry_init!(
                 (Attribute::Class, EntryClass::Object.to_value()),
+                (Attribute::Class, EntryClass::Account.to_value()),
                 (Attribute::Class, EntryClass::ServiceAccount.to_value()),
                 (Attribute::Class, EntryClass::Application.to_value()),
+                (Attribute::DisplayName, Value::new_utf8s("Application")),
                 (Attribute::Name, Value::new_iname(app1_name)),
                 (Attribute::Uuid, Value::Uuid(app1_uuid)),
                 (Attribute::LinkedGroup, Value::Refer(grp1_uuid))
@@ -1465,8 +1471,10 @@ mod tests {
 
             let e5 = entry_init!(
                 (Attribute::Class, EntryClass::Object.to_value()),
+                (Attribute::Class, EntryClass::Account.to_value()),
                 (Attribute::Class, EntryClass::ServiceAccount.to_value()),
                 (Attribute::Class, EntryClass::Application.to_value()),
+                (Attribute::DisplayName, Value::new_utf8s("Application")),
                 (Attribute::Name, Value::new_iname(app2_name)),
                 (Attribute::Uuid, Value::Uuid(app2_uuid)),
                 (Attribute::LinkedGroup, Value::Refer(grp2_uuid))
@@ -1651,8 +1659,10 @@ mod tests {
 
             let e3 = entry_init!(
                 (Attribute::Class, EntryClass::Object.to_value()),
+                (Attribute::Class, EntryClass::Account.to_value()),
                 (Attribute::Class, EntryClass::ServiceAccount.to_value()),
                 (Attribute::Class, EntryClass::Application.to_value()),
+                (Attribute::DisplayName, Value::new_utf8s("Application")),
                 (Attribute::Name, Value::new_iname(app1_name)),
                 (Attribute::Uuid, Value::Uuid(app1_uuid)),
                 (Attribute::LinkedGroup, Value::Refer(grp1_uuid))
@@ -2693,8 +2703,10 @@ mod tests {
 
             let e3 = entry_init!(
                 (Attribute::Class, EntryClass::Object.to_value()),
+                (Attribute::Class, EntryClass::Account.to_value()),
                 (Attribute::Class, EntryClass::ServiceAccount.to_value()),
                 (Attribute::Class, EntryClass::Application.to_value()),
+                (Attribute::DisplayName, Value::new_utf8s("Application")),
                 (Attribute::Name, Value::new_iname(app_name)),
                 (Attribute::Uuid, Value::Uuid(app_uuid)),
                 (Attribute::LinkedGroup, Value::Refer(grp_uuid))

server/lib/src/migration_data/dl10/access.rs

@@ -72,6 +72,8 @@ pub struct BuiltinAcp {
     modify_present_attrs: Vec<Attribute>,
     modify_removed_attrs: Vec<Attribute>,
     modify_classes: Vec<EntryClass>,
+    modify_present_classes: Vec<EntryClass>,
+    modify_remove_classes: Vec<EntryClass>,
     create_classes: Vec<EntryClass>,
     create_attrs: Vec<Attribute>,
 }
@@ -159,9 +161,19 @@ impl From<BuiltinAcp> for EntryInitNew {
         value.modify_removed_attrs.into_iter().for_each(|attr| {
             entry.add_ava(Attribute::AcpModifyRemovedAttr, Value::from(attr));
         });
+
         value.modify_classes.into_iter().for_each(|class| {
             entry.add_ava(Attribute::AcpModifyClass, Value::from(class));
         });
+
+        value.modify_present_classes.into_iter().for_each(|class| {
+            entry.add_ava(Attribute::AcpModifyPresentClass, Value::from(class));
+        });
+
+        value.modify_remove_classes.into_iter().for_each(|class| {
+            entry.add_ava(Attribute::AcpModifyRemoveClass, Value::from(class));
+        });
+
         value.create_classes.into_iter().for_each(|class| {
             entry.add_ava(Attribute::AcpCreateClass, Value::from(class));
         });
@@ -214,7 +226,7 @@ lazy_static! {
             ATTR_RECYCLED.to_string()
         )),
         modify_removed_attrs: vec![Attribute::Class],
-        modify_classes: vec![EntryClass::Recycled],
+        modify_remove_classes: vec![EntryClass::Recycled],
         ..Default::default()
     };
 }
@@ -425,6 +437,7 @@ lazy_static! {
             EntryClass::AccessControlCreate,
             EntryClass::AccessControlDelete,
         ],
+        ..Default::default()
     };
 }
 

server/lib/src/migration_data/dl10/mod.rs

@@ -105,6 +105,7 @@ pub fn phase_1_schema_attrs() -> Vec<EntryInitNew> {
         // DL10
         SCHEMA_ATTR_DENIED_NAME_DL10.clone().into(),
         SCHEMA_ATTR_LDAP_MAXIMUM_QUERYABLE_ATTRIBUTES.clone().into(),
+        SCHEMA_ATTR_APPLICATION_URL.clone().into(),
     ]
 }
 
@@ -134,7 +135,7 @@ pub fn phase_2_schema_classes() -> Vec<EntryInitNew> {
         SCHEMA_CLASS_CLIENT_CERTIFICATE_DL7.clone().into(),
         // DL8
         SCHEMA_CLASS_ACCOUNT_POLICY_DL8.clone().into(),
-        SCHEMA_CLASS_APPLICATION_DL8.clone().into(),
+        SCHEMA_CLASS_APPLICATION.clone().into(),
         SCHEMA_CLASS_PERSON_DL8.clone().into(),
         // DL9
         SCHEMA_CLASS_OAUTH2_RS_DL9.clone().into(),

server/lib/src/migration_data/dl10/schema.rs

@@ -729,6 +729,14 @@ pub static ref SCHEMA_ATTR_APPLICATION_PASSWORD_DL8: SchemaAttribute = SchemaAtt
     ..Default::default()
 };
 
+pub static ref SCHEMA_ATTR_APPLICATION_URL: SchemaAttribute = SchemaAttribute {
+    uuid: UUID_SCHEMA_ATTR_APPLICATION_URL,
+    name: Attribute::ApplicationUrl,
+    description: "The URL of an external application".to_string(),
+    syntax: SyntaxType::Url,
+    ..Default::default()
+};
+
 // === classes ===
 pub static ref SCHEMA_CLASS_PERSON_DL8: SchemaClass = SchemaClass {
     uuid: UUID_SCHEMA_CLASS_PERSON,
@@ -838,9 +846,9 @@ pub static ref SCHEMA_CLASS_ACCOUNT_DL5: SchemaClass = SchemaClass {
         Attribute::Spn
     ],
     systemsupplements: vec![
+        EntryClass::OAuth2ResourceServer.into(),
         EntryClass::Person.into(),
         EntryClass::ServiceAccount.into(),
-        EntryClass::OAuth2ResourceServer.into(),
     ],
     ..Default::default()
 };
@@ -1082,13 +1090,20 @@ pub static ref SCHEMA_CLASS_CLIENT_CERTIFICATE_DL7: SchemaClass = SchemaClass {
     ..Default::default()
 };
 
-pub static ref SCHEMA_CLASS_APPLICATION_DL8: SchemaClass = SchemaClass {
+pub static ref SCHEMA_CLASS_APPLICATION: SchemaClass = SchemaClass {
     uuid: UUID_SCHEMA_CLASS_APPLICATION,
     name: EntryClass::Application.into(),
 
     description: "The class representing an application".to_string(),
-    systemmust: vec![Attribute::Name, Attribute::LinkedGroup],
-    systemmay: vec![Attribute::Description],
+    systemmust: vec![Attribute::LinkedGroup],
+    systemmay: vec![
+        Attribute::ApplicationUrl,
+    ],
+    // I think this could change before release - I can see a world
+    // whe we may want an oauth2 application to have application passwords,
+    // or for this to be it's own thing. But service accounts also don't
+    // quite do enough, they have api tokens, but that's all we kind
+    // of want from them?
     systemsupplements: vec![EntryClass::ServiceAccount.into()],
     ..Default::default()
 };

server/lib/src/plugins/base.rs

@@ -365,7 +365,7 @@ mod tests {
         let create = vec![e];
 
         run_create_test!(
-            Ok(()),
+            Ok(None),
             preload,
             create,
             None,
@@ -468,7 +468,7 @@ mod tests {
         let create = vec![e];
 
         run_create_test!(
-            Ok(()),
+            Ok(None),
             preload,
             create,
             None,
@@ -695,7 +695,6 @@ mod tests {
 
         let e = entry_init!(
             (Attribute::Class, EntryClass::Person.to_value()),
-            (Attribute::Class, EntryClass::System.to_value()),
             (Attribute::Name, Value::new_iname("testperson")),
             (Attribute::DisplayName, Value::new_iname("testperson")),
             (
@@ -726,7 +725,6 @@ mod tests {
 
         let e = entry_init!(
             (Attribute::Class, EntryClass::Person.to_value()),
-            (Attribute::Class, EntryClass::System.to_value()),
             (Attribute::Name, Value::new_iname("testperson")),
             (Attribute::DisplayName, Value::new_iname("testperson")),
             (

server/lib/src/plugins/cred_import.rs

@@ -205,7 +205,7 @@ mod tests {
 
         let create = vec![e];
 
-        run_create_test!(Ok(()), preload, create, None, |_| {});
+        run_create_test!(Ok(None), preload, create, None, |_| {});
     }
 
     #[test]

server/lib/src/plugins/dyngroup.rs

@@ -464,7 +464,7 @@ mod tests {
         let create = vec![e_dyn];
 
         run_create_test!(
-            Ok(()),
+            Ok(None),
             preload,
             create,
             None,
@@ -513,7 +513,7 @@ mod tests {
         let create = vec![e_group];
 
         run_create_test!(
-            Ok(()),
+            Ok(None),
             preload,
             create,
             None,
@@ -562,7 +562,7 @@ mod tests {
         let create = vec![e_group];
 
         run_create_test!(
-            Ok(()),
+            Ok(None),
             preload,
             create,
             None,
@@ -607,7 +607,7 @@ mod tests {
         let create = vec![e_dyn, e_group];
 
         run_create_test!(
-            Ok(()),
+            Ok(None),
             preload,
             create,
             None,

server/lib/src/plugins/eckeygen.rs

@@ -108,7 +108,7 @@ mod tests {
 
         let create = vec![ea];
         run_create_test!(
-            Ok(()),
+            Ok(None),
             preload,
             create,
             None,

server/lib/src/plugins/jwskeygen.rs

@@ -136,7 +136,7 @@ mod tests {
         let create = vec![e];
 
         run_create_test!(
-            Ok(()),
+            Ok(None),
             preload,
             create,
             None,

server/lib/src/plugins/memberof.rs

@@ -858,7 +858,7 @@ mod tests {
         let preload = Vec::with_capacity(0);
         let create = vec![ea, eb];
         run_create_test!(
-            Ok(()),
+            Ok(None),
             preload,
             create,
             None,
@@ -889,7 +889,7 @@ mod tests {
         let preload = Vec::with_capacity(0);
         let create = vec![ea, eb, ec];
         run_create_test!(
-            Ok(()),
+            Ok(None),
             preload,
             create,
             None,
@@ -941,7 +941,7 @@ mod tests {
         let preload = Vec::with_capacity(0);
         let create = vec![ea, eb, ec];
         run_create_test!(
-            Ok(()),
+            Ok(None),
             preload,
             create,
             None,
@@ -999,7 +999,7 @@ mod tests {
         let preload = Vec::with_capacity(0);
         let create = vec![ea, eb, ec, ed];
         run_create_test!(
-            Ok(()),
+            Ok(None),
             preload,
             create,
             None,

server/lib/src/plugins/mod.rs

@@ -22,7 +22,6 @@ mod jwskeygen;
 mod keyobject;
 mod memberof;
 mod namehistory;
-mod protected;
 mod refint;
 mod session;
 mod spn;
@@ -44,6 +43,7 @@ trait Plugin {
         Err(OperationError::InvalidState)
     }
 
+    #[allow(dead_code)]
     fn pre_create(
         _qs: &mut QueryServerWriteTransaction,
         // List of what we will commit that is valid?
@@ -243,13 +243,13 @@ impl Plugins {
         attrunique::AttrUnique::pre_create_transform(qs, cand, ce)
     }
 
-    #[instrument(level = "debug", name = "plugins::run_pre_create", skip_all)]
+    #[instrument(level = "trace", name = "plugins::run_pre_create", skip_all)]
     pub fn run_pre_create(
-        qs: &mut QueryServerWriteTransaction,
-        cand: &[Entry<EntrySealed, EntryNew>],
-        ce: &CreateEvent,
+        _qs: &mut QueryServerWriteTransaction,
+        _cand: &[Entry<EntrySealed, EntryNew>],
+        _ce: &CreateEvent,
     ) -> Result<(), OperationError> {
-        protected::Protected::pre_create(qs, cand, ce)
+        Ok(())
     }
 
     #[instrument(level = "debug", name = "plugins::run_post_create", skip_all)]
@@ -269,7 +269,6 @@ impl Plugins {
         cand: &mut Vec<Entry<EntryInvalid, EntryCommitted>>,
         me: &ModifyEvent,
     ) -> Result<(), OperationError> {
-        protected::Protected::pre_modify(qs, pre_cand, cand, me)?;
         base::Base::pre_modify(qs, pre_cand, cand, me)?;
         valuedeny::ValueDeny::pre_modify(qs, pre_cand, cand, me)?;
         cred_import::CredImport::pre_modify(qs, pre_cand, cand, me)?;
@@ -305,7 +304,6 @@ impl Plugins {
         cand: &mut Vec<Entry<EntryInvalid, EntryCommitted>>,
         me: &BatchModifyEvent,
     ) -> Result<(), OperationError> {
-        protected::Protected::pre_batch_modify(qs, pre_cand, cand, me)?;
         base::Base::pre_batch_modify(qs, pre_cand, cand, me)?;
         valuedeny::ValueDeny::pre_batch_modify(qs, pre_cand, cand, me)?;
         cred_import::CredImport::pre_batch_modify(qs, pre_cand, cand, me)?;
@@ -340,7 +338,6 @@ impl Plugins {
         cand: &mut Vec<Entry<EntryInvalid, EntryCommitted>>,
         de: &DeleteEvent,
     ) -> Result<(), OperationError> {
-        protected::Protected::pre_delete(qs, cand, de)?;
         memberof::MemberOf::pre_delete(qs, cand, de)
     }
 

server/lib/src/plugins/namehistory.rs

@@ -181,7 +181,7 @@ mod tests {
         let preload = Vec::with_capacity(0);
         let create = vec![ea];
         run_create_test!(
-            Ok(()),
+            Ok(None),
             preload,
             create,
             None,

server/lib/src/plugins/protected.rs

@@ -1,690 +0,0 @@
-// System protected objects. Items matching specific requirements
-// may only have certain modifications performed.
-
-use hashbrown::HashSet;
-use std::sync::Arc;
-
-use crate::event::{CreateEvent, DeleteEvent, ModifyEvent};
-use crate::modify::Modify;
-use crate::plugins::Plugin;
-use crate::prelude::*;
-
-pub struct Protected {}
-
-// Here is the declaration of all the attrs that can be altered by
-// a call on a system object. We trust they are allowed because
-// schema will have checked this, and we don't allow class changes!
-
-lazy_static! {
-    static ref ALLOWED_ATTRS: HashSet<Attribute> = {
-        let attrs = vec![
-        // Allow modification of some schema class types to allow local extension
-        // of schema types.
-        Attribute::Must,
-        Attribute::May,
-        // modification of some domain info types for local configuratiomn.
-        Attribute::DomainSsid,
-        Attribute::DomainLdapBasedn,
-        Attribute::LdapMaxQueryableAttrs,
-        Attribute::LdapAllowUnixPwBind,
-        Attribute::FernetPrivateKeyStr,
-        Attribute::Es256PrivateKeyDer,
-        Attribute::KeyActionRevoke,
-        Attribute::KeyActionRotate,
-        Attribute::IdVerificationEcKey,
-        Attribute::BadlistPassword,
-        Attribute::DeniedName,
-        Attribute::DomainDisplayName,
-        Attribute::Image,
-        // modification of account policy values for dyngroup.
-        Attribute::AuthSessionExpiry,
-        Attribute::AuthPasswordMinimumLength,
-        Attribute::CredentialTypeMinimum,
-        Attribute::PrivilegeExpiry,
-        Attribute::WebauthnAttestationCaList,
-        Attribute::LimitSearchMaxResults,
-        Attribute::LimitSearchMaxFilterTest,
-        Attribute::AllowPrimaryCredFallback,
-        ];
-
-        let mut m = HashSet::with_capacity(attrs.len());
-        m.extend(attrs);
-
-        m
-    };
-
-    static ref PROTECTED_ENTRYCLASSES: Vec<EntryClass> =
-        vec![
-            EntryClass::System,
-            EntryClass::DomainInfo,
-            EntryClass::SystemInfo,
-            EntryClass::SystemConfig,
-            EntryClass::DynGroup,
-            EntryClass::SyncObject,
-            EntryClass::Tombstone,
-            EntryClass::Recycled,
-        ];
-}
-
-impl Plugin for Protected {
-    fn id() -> &'static str {
-        "plugin_protected"
-    }
-
-    #[instrument(level = "debug", name = "protected_pre_create", skip_all)]
-    fn pre_create(
-        _qs: &mut QueryServerWriteTransaction,
-        // List of what we will commit that is valid?
-        cand: &[Entry<EntrySealed, EntryNew>],
-        ce: &CreateEvent,
-    ) -> Result<(), OperationError> {
-        if ce.ident.is_internal() {
-            trace!("Internal operation, not enforcing system object protection");
-            return Ok(());
-        }
-
-        cand.iter().try_fold((), |(), cand| {
-            if PROTECTED_ENTRYCLASSES
-                .iter()
-                .any(|c| cand.attribute_equality(Attribute::Class, &c.to_partialvalue()))
-            {
-                trace!("Rejecting operation during pre_create check");
-                Err(OperationError::SystemProtectedObject)
-            } else {
-                Ok(())
-            }
-        })
-    }
-
-    #[instrument(level = "debug", name = "protected_pre_modify", skip_all)]
-    fn pre_modify(
-        _qs: &mut QueryServerWriteTransaction,
-        _pre_cand: &[Arc<EntrySealedCommitted>],
-        cand: &mut Vec<EntryInvalidCommitted>,
-        me: &ModifyEvent,
-    ) -> Result<(), OperationError> {
-        if me.ident.is_internal() {
-            trace!("Internal operation, not enforcing system object protection");
-            return Ok(());
-        }
-        // Prevent adding class: system, domain_info, tombstone, or recycled.
-        me.modlist.iter().try_fold((), |(), m| match m {
-            Modify::Present(a, v) => {
-                if a == Attribute::Class.as_ref()
-                    && PROTECTED_ENTRYCLASSES.iter().any(|c| v == &c.to_value())
-                {
-                    trace!("Rejecting operation during pre_modify check");
-                    Err(OperationError::SystemProtectedObject)
-                } else {
-                    Ok(())
-                }
-            }
-            _ => Ok(()),
-        })?;
-
-        // HARD block mods on tombstone or recycle. We soft block on the rest as they may
-        // have some allowed attrs.
-        cand.iter().try_fold((), |(), cand| {
-            if cand.attribute_equality(Attribute::Class, &EntryClass::Tombstone.into())
-                || cand.attribute_equality(Attribute::Class, &EntryClass::Recycled.into())
-            {
-                Err(OperationError::SystemProtectedObject)
-            } else {
-                Ok(())
-            }
-        })?;
-
-        // if class: system, check the mods are "allowed"
-        let system_pres = cand.iter().any(|c| {
-            // We don't need to check for domain info here because domain_info has a class
-            // system also. We just need to block it from being created.
-            c.attribute_equality(Attribute::Class, &EntryClass::System.into())
-        });
-
-        trace!("class: system -> {}", system_pres);
-        // No system types being altered, return.
-        if !system_pres {
-            return Ok(());
-        }
-
-        // Something altered is system, check if it's allowed.
-        me.modlist.into_iter().try_fold((), |(), m| {
-            // Already hit an error, move on.
-            let a = match m {
-                Modify::Present(a, _)
-                | Modify::Removed(a, _)
-                | Modify::Set(a, _)
-                | Modify::Purged(a) => Some(a),
-                Modify::Assert(_, _) => None,
-            };
-            if let Some(attr) = a {
-                match ALLOWED_ATTRS.contains(attr) {
-                    true => Ok(()),
-                    false => {
-                        trace!("If you're getting this, you need to modify the ALLOWED_ATTRS list");
-                        Err(OperationError::SystemProtectedObject)
-                    }
-                }
-            } else {
-                // Was not a mod needing checking
-                Ok(())
-            }
-        })
-    }
-
-    #[instrument(level = "debug", name = "protected_pre_batch_modify", skip_all)]
-    fn pre_batch_modify(
-        _qs: &mut QueryServerWriteTransaction,
-        _pre_cand: &[Arc<EntrySealedCommitted>],
-        cand: &mut Vec<EntryInvalidCommitted>,
-        me: &BatchModifyEvent,
-    ) -> Result<(), OperationError> {
-        if me.ident.is_internal() {
-            trace!("Internal operation, not enforcing system object protection");
-            return Ok(());
-        }
-
-        me.modset
-            .values()
-            .flat_map(|ml| ml.iter())
-            .try_fold((), |(), m| match m {
-                Modify::Present(a, v) => {
-                    if a == Attribute::Class.as_ref()
-                        && PROTECTED_ENTRYCLASSES.iter().any(|c| v == &c.to_value())
-                    {
-                        trace!("Rejecting operation during pre_batch_modify check");
-                        Err(OperationError::SystemProtectedObject)
-                    } else {
-                        Ok(())
-                    }
-                }
-                _ => Ok(()),
-            })?;
-
-        // HARD block mods on tombstone or recycle. We soft block on the rest as they may
-        // have some allowed attrs.
-        cand.iter().try_fold((), |(), cand| {
-            if cand.attribute_equality(Attribute::Class, &EntryClass::Tombstone.into())
-                || cand.attribute_equality(Attribute::Class, &EntryClass::Recycled.into())
-            {
-                Err(OperationError::SystemProtectedObject)
-            } else {
-                Ok(())
-            }
-        })?;
-
-        // if class: system, check the mods are "allowed"
-        let system_pres = cand.iter().any(|c| {
-            // We don't need to check for domain info here because domain_info has a class
-            // system also. We just need to block it from being created.
-            c.attribute_equality(Attribute::Class, &EntryClass::System.into())
-        });
-
-        trace!("{}: system -> {}", Attribute::Class, system_pres);
-        // No system types being altered, return.
-        if !system_pres {
-            return Ok(());
-        }
-
-        // Something altered is system, check if it's allowed.
-        me.modset
-            .values()
-            .flat_map(|ml| ml.iter())
-            .try_fold((), |(), m| {
-                // Already hit an error, move on.
-                let a = match m {
-                    Modify::Present(a, _) | Modify::Removed(a, _) | Modify::Set(a, _) | Modify::Purged(a) => Some(a),
-                    Modify::Assert(_, _) => None,
-                };
-                if let Some(attr) = a {
-                    match ALLOWED_ATTRS.contains(attr) {
-                        true => Ok(()),
-                        false => {
-
-                        trace!("Rejecting operation during pre_batch_modify check, if you're getting this check ALLOWED_ATTRS");
-                            Err(OperationError::SystemProtectedObject)
-                        },
-                    }
-                } else {
-                    // Was not a mod needing checking
-                    Ok(())
-                }
-            })
-    }
-
-    #[instrument(level = "debug", name = "protected_pre_delete", skip_all)]
-    fn pre_delete(
-        _qs: &mut QueryServerWriteTransaction,
-        // Should these be EntrySealed
-        cand: &mut Vec<Entry<EntryInvalid, EntryCommitted>>,
-        de: &DeleteEvent,
-    ) -> Result<(), OperationError> {
-        if de.ident.is_internal() {
-            trace!("Internal operation, not enforcing system object protection");
-            return Ok(());
-        }
-
-        cand.iter().try_fold((), |(), cand| {
-            if PROTECTED_ENTRYCLASSES
-                .iter()
-                .any(|c| cand.attribute_equality(Attribute::Class, &c.to_partialvalue()))
-            {
-                trace!("Rejecting operation during pre_delete check");
-                Err(OperationError::SystemProtectedObject)
-            } else {
-                Ok(())
-            }
-        })
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use crate::prelude::*;
-    use std::sync::Arc;
-
-    const UUID_TEST_ACCOUNT: Uuid = uuid::uuid!("cc8e95b4-c24f-4d68-ba54-8bed76f63930");
-    const UUID_TEST_GROUP: Uuid = uuid::uuid!("81ec1640-3637-4a2f-8a52-874fa3c3c92f");
-    const UUID_TEST_ACP: Uuid = uuid::uuid!("acae81d6-5ea7-4bd8-8f7f-fcec4c0dd647");
-
-    lazy_static! {
-        pub static ref TEST_ACCOUNT: EntryInitNew = entry_init!(
-            (Attribute::Class, EntryClass::Account.to_value()),
-            (Attribute::Class, EntryClass::ServiceAccount.to_value()),
-            (Attribute::Class, EntryClass::MemberOf.to_value()),
-            (Attribute::Name, Value::new_iname("test_account_1")),
-            (Attribute::DisplayName, Value::new_utf8s("test_account_1")),
-            (Attribute::Uuid, Value::Uuid(UUID_TEST_ACCOUNT)),
-            (Attribute::MemberOf, Value::Refer(UUID_TEST_GROUP))
-        );
-        pub static ref TEST_GROUP: EntryInitNew = entry_init!(
-            (Attribute::Class, EntryClass::Group.to_value()),
-            (Attribute::Name, Value::new_iname("test_group_a")),
-            (Attribute::Uuid, Value::Uuid(UUID_TEST_GROUP)),
-            (Attribute::Member, Value::Refer(UUID_TEST_ACCOUNT))
-        );
-        pub static ref ALLOW_ALL: EntryInitNew = entry_init!(
-            (Attribute::Class, EntryClass::Object.to_value()),
-            (
-                Attribute::Class,
-                EntryClass::AccessControlProfile.to_value()
-            ),
-            (
-                Attribute::Class,
-                EntryClass::AccessControlTargetScope.to_value()
-            ),
-            (
-                Attribute::Class,
-                EntryClass::AccessControlReceiverGroup.to_value()
-            ),
-            (Attribute::Class, EntryClass::AccessControlModify.to_value()),
-            (Attribute::Class, EntryClass::AccessControlCreate.to_value()),
-            (Attribute::Class, EntryClass::AccessControlDelete.to_value()),
-            (Attribute::Class, EntryClass::AccessControlSearch.to_value()),
-            (
-                Attribute::Name,
-                Value::new_iname("idm_admins_acp_allow_all_test")
-            ),
-            (Attribute::Uuid, Value::Uuid(UUID_TEST_ACP)),
-            (Attribute::AcpReceiverGroup, Value::Refer(UUID_TEST_GROUP)),
-            (
-                Attribute::AcpTargetScope,
-                Value::new_json_filter_s("{\"pres\":\"class\"}").expect("filter")
-            ),
-            (Attribute::AcpSearchAttr, Value::from(Attribute::Name)),
-            (Attribute::AcpSearchAttr, Value::from(Attribute::Class)),
-            (Attribute::AcpSearchAttr, Value::from(Attribute::Uuid)),
-            (Attribute::AcpSearchAttr, Value::new_iutf8("classname")),
-            (
-                Attribute::AcpSearchAttr,
-                Value::new_iutf8(Attribute::AttributeName.as_ref())
-            ),
-            (Attribute::AcpModifyClass, EntryClass::System.to_value()),
-            (Attribute::AcpModifyClass, Value::new_iutf8("domain_info")),
-            (
-                Attribute::AcpModifyRemovedAttr,
-                Value::from(Attribute::Class)
-            ),
-            (
-                Attribute::AcpModifyRemovedAttr,
-                Value::from(Attribute::DisplayName)
-            ),
-            (Attribute::AcpModifyRemovedAttr, Value::from(Attribute::May)),
-            (
-                Attribute::AcpModifyRemovedAttr,
-                Value::from(Attribute::Must)
-            ),
-            (
-                Attribute::AcpModifyRemovedAttr,
-                Value::from(Attribute::DomainName)
-            ),
-            (
-                Attribute::AcpModifyRemovedAttr,
-                Value::from(Attribute::DomainDisplayName)
-            ),
-            (
-                Attribute::AcpModifyRemovedAttr,
-                Value::from(Attribute::DomainUuid)
-            ),
-            (
-                Attribute::AcpModifyRemovedAttr,
-                Value::from(Attribute::DomainSsid)
-            ),
-            (
-                Attribute::AcpModifyRemovedAttr,
-                Value::from(Attribute::FernetPrivateKeyStr)
-            ),
-            (
-                Attribute::AcpModifyRemovedAttr,
-                Value::from(Attribute::Es256PrivateKeyDer)
-            ),
-            (
-                Attribute::AcpModifyRemovedAttr,
-                Value::from(Attribute::PrivateCookieKey)
-            ),
-            (
-                Attribute::AcpModifyPresentAttr,
-                Value::from(Attribute::Class)
-            ),
-            (
-                Attribute::AcpModifyPresentAttr,
-                Value::from(Attribute::DisplayName)
-            ),
-            (Attribute::AcpModifyPresentAttr, Value::from(Attribute::May)),
-            (
-                Attribute::AcpModifyPresentAttr,
-                Value::from(Attribute::Must)
-            ),
-            (
-                Attribute::AcpModifyPresentAttr,
-                Value::from(Attribute::DomainName)
-            ),
-            (
-                Attribute::AcpModifyPresentAttr,
-                Value::from(Attribute::DomainDisplayName)
-            ),
-            (
-                Attribute::AcpModifyPresentAttr,
-                Value::from(Attribute::DomainUuid)
-            ),
-            (
-                Attribute::AcpModifyPresentAttr,
-                Value::from(Attribute::DomainSsid)
-            ),
-            (
-                Attribute::AcpModifyPresentAttr,
-                Value::from(Attribute::FernetPrivateKeyStr)
-            ),
-            (
-                Attribute::AcpModifyPresentAttr,
-                Value::from(Attribute::Es256PrivateKeyDer)
-            ),
-            (
-                Attribute::AcpModifyPresentAttr,
-                Value::from(Attribute::PrivateCookieKey)
-            ),
-            (Attribute::AcpCreateClass, EntryClass::Object.to_value()),
-            (Attribute::AcpCreateClass, EntryClass::Account.to_value()),
-            (Attribute::AcpCreateClass, EntryClass::Person.to_value()),
-            (Attribute::AcpCreateClass, EntryClass::System.to_value()),
-            (Attribute::AcpCreateClass, EntryClass::DomainInfo.to_value()),
-            (Attribute::AcpCreateAttr, Value::from(Attribute::Name)),
-            (Attribute::AcpCreateAttr, EntryClass::Class.to_value(),),
-            (
-                Attribute::AcpCreateAttr,
-                Value::from(Attribute::Description),
-            ),
-            (
-                Attribute::AcpCreateAttr,
-                Value::from(Attribute::DisplayName),
-            ),
-            (Attribute::AcpCreateAttr, Value::from(Attribute::DomainName),),
-            (
-                Attribute::AcpCreateAttr,
-                Value::from(Attribute::DomainDisplayName)
-            ),
-            (Attribute::AcpCreateAttr, Value::from(Attribute::DomainUuid)),
-            (Attribute::AcpCreateAttr, Value::from(Attribute::DomainSsid)),
-            (Attribute::AcpCreateAttr, Value::from(Attribute::Uuid)),
-            (
-                Attribute::AcpCreateAttr,
-                Value::from(Attribute::FernetPrivateKeyStr)
-            ),
-            (
-                Attribute::AcpCreateAttr,
-                Value::from(Attribute::Es256PrivateKeyDer)
-            ),
-            (
-                Attribute::AcpCreateAttr,
-                Value::from(Attribute::PrivateCookieKey)
-            ),
-            (Attribute::AcpCreateAttr, Value::from(Attribute::Version))
-        );
-        pub static ref PRELOAD: Vec<EntryInitNew> =
-            vec![TEST_ACCOUNT.clone(), TEST_GROUP.clone(), ALLOW_ALL.clone()];
-        pub static ref E_TEST_ACCOUNT: Arc<EntrySealedCommitted> =
-            Arc::new(TEST_ACCOUNT.clone().into_sealed_committed());
-    }
-
-    #[test]
-    fn test_pre_create_deny() {
-        // Test creating with class: system is rejected.
-        let e = entry_init!(
-            (Attribute::Class, EntryClass::Account.to_value()),
-            (Attribute::Class, EntryClass::Person.to_value()),
-            (Attribute::Class, EntryClass::System.to_value()),
-            (Attribute::Name, Value::new_iname("testperson")),
-            (
-                Attribute::DisplayName,
-                Value::Utf8("testperson".to_string())
-            )
-        );
-
-        let create = vec![e];
-        let preload = PRELOAD.clone();
-
-        run_create_test!(
-            Err(OperationError::SystemProtectedObject),
-            preload,
-            create,
-            Some(E_TEST_ACCOUNT.clone()),
-            |_| {}
-        );
-    }
-
-    #[test]
-    fn test_pre_modify_system_deny() {
-        // Test modify of class to a system is denied
-        let e = entry_init!(
-            (Attribute::Class, EntryClass::Account.to_value()),
-            (Attribute::Class, EntryClass::Person.to_value()),
-            (Attribute::Class, EntryClass::System.to_value()),
-            (Attribute::Name, Value::new_iname("testperson")),
-            (
-                Attribute::DisplayName,
-                Value::Utf8("testperson".to_string())
-            )
-        );
-
-        let mut preload = PRELOAD.clone();
-        preload.push(e);
-
-        run_modify_test!(
-            Err(OperationError::SystemProtectedObject),
-            preload,
-            filter!(f_eq(Attribute::Name, PartialValue::new_iname("testperson"))),
-            modlist!([
-                m_purge(Attribute::DisplayName),
-                m_pres(Attribute::DisplayName, &Value::new_utf8s("system test")),
-            ]),
-            Some(E_TEST_ACCOUNT.clone()),
-            |_| {},
-            |_| {}
-        );
-    }
-
-    #[test]
-    fn test_pre_modify_class_add_deny() {
-        // Show that adding a system class is denied
-        // TODO: replace this with a `SchemaClass` object
-        let e = entry_init!(
-            (Attribute::Class, EntryClass::Object.to_value()),
-            (Attribute::Class, EntryClass::ClassType.to_value()),
-            (Attribute::ClassName, Value::new_iutf8("testclass")),
-            (
-                Attribute::Uuid,
-                Value::Uuid(uuid::uuid!("66c68b2f-d02c-4243-8013-7946e40fe321"))
-            ),
-            (
-                Attribute::Description,
-                Value::Utf8("class test".to_string())
-            )
-        );
-        let mut preload = PRELOAD.clone();
-        preload.push(e);
-
-        run_modify_test!(
-            Ok(()),
-            preload,
-            filter!(f_eq(
-                Attribute::ClassName,
-                PartialValue::new_iutf8("testclass")
-            )),
-            modlist!([
-                m_pres(Attribute::May, &Value::from(Attribute::Name)),
-                m_pres(Attribute::Must, &Value::from(Attribute::Name)),
-            ]),
-            Some(E_TEST_ACCOUNT.clone()),
-            |_| {},
-            |_| {}
-        );
-    }
-
-    #[test]
-    fn test_pre_delete_deny() {
-        // Test deleting with class: system is rejected.
-        let e = entry_init!(
-            (Attribute::Class, EntryClass::Account.to_value()),
-            (Attribute::Class, EntryClass::Person.to_value()),
-            (Attribute::Class, EntryClass::System.to_value()),
-            (Attribute::Name, Value::new_iname("testperson")),
-            (
-                Attribute::DisplayName,
-                Value::Utf8("testperson".to_string())
-            )
-        );
-
-        let mut preload = PRELOAD.clone();
-        preload.push(e);
-
-        run_delete_test!(
-            Err(OperationError::SystemProtectedObject),
-            preload,
-            filter!(f_eq(Attribute::Name, PartialValue::new_iname("testperson"))),
-            Some(E_TEST_ACCOUNT.clone()),
-            |_| {}
-        );
-    }
-
-    #[test]
-    fn test_modify_domain() {
-        // Can edit *my* domain_ssid and domain_name
-        // Show that adding a system class is denied
-        let e = entry_init!(
-            (Attribute::Class, EntryClass::DomainInfo.to_value()),
-            (Attribute::Name, Value::new_iname("domain_example.net.au")),
-            (Attribute::Uuid, Value::Uuid(uuid::uuid!("96fd1112-28bc-48ae-9dda-5acb4719aaba"))),
-            (
-                Attribute::Description,
-                Value::new_utf8s("Demonstration of a remote domain's info being created for uuid generation in test_modify_domain")
-            ),
-            (Attribute::DomainUuid, Value::Uuid(uuid::uuid!("96fd1112-28bc-48ae-9dda-5acb4719aaba"))),
-            (Attribute::DomainName, Value::new_iname("example.net.au")),
-            (Attribute::DomainDisplayName, Value::Utf8("example.net.au".to_string())),
-            (Attribute::DomainSsid, Value::Utf8("Example_Wifi".to_string())),
-            (Attribute::Version, Value::Uint32(1))
-        );
-
-        let mut preload = PRELOAD.clone();
-        preload.push(e);
-
-        run_modify_test!(
-            Ok(()),
-            preload,
-            filter!(f_eq(
-                Attribute::Name,
-                PartialValue::new_iname("domain_example.net.au")
-            )),
-            modlist!([
-                m_purge(Attribute::DomainSsid),
-                m_pres(Attribute::DomainSsid, &Value::new_utf8s("NewExampleWifi")),
-            ]),
-            Some(E_TEST_ACCOUNT.clone()),
-            |_| {},
-            |_| {}
-        );
-    }
-
-    #[test]
-    fn test_ext_create_domain() {
-        // can not add a domain_info type - note the lack of class: system
-        let e = entry_init!(
-            (Attribute::Class, EntryClass::DomainInfo.to_value()),
-            (Attribute::Name, Value::new_iname("domain_example.net.au")),
-            (Attribute::Uuid, Value::Uuid(uuid::uuid!("96fd1112-28bc-48ae-9dda-5acb4719aaba"))),
-            (
-                Attribute::Description,
-                Value::new_utf8s("Demonstration of a remote domain's info being created for uuid generation in test_modify_domain")
-            ),
-            (Attribute::DomainUuid, Value::Uuid(uuid::uuid!("96fd1112-28bc-48ae-9dda-5acb4719aaba"))),
-            (Attribute::DomainName, Value::new_iname("example.net.au")),
-            (Attribute::DomainDisplayName, Value::Utf8("example.net.au".to_string())),
-            (Attribute::DomainSsid, Value::Utf8("Example_Wifi".to_string())),
-            (Attribute::Version, Value::Uint32(1))
-        );
-
-        let create = vec![e];
-        let preload = PRELOAD.clone();
-
-        run_create_test!(
-            Err(OperationError::SystemProtectedObject),
-            preload,
-            create,
-            Some(E_TEST_ACCOUNT.clone()),
-            |_| {}
-        );
-    }
-
-    #[test]
-    fn test_delete_domain() {
-        // On the real thing we have a class: system, but to prove the point ...
-        let e = entry_init!(
-            (Attribute::Class, EntryClass::DomainInfo.to_value()),
-            (Attribute::Name, Value::new_iname("domain_example.net.au")),
-            (Attribute::Uuid, Value::Uuid(uuid::uuid!("96fd1112-28bc-48ae-9dda-5acb4719aaba"))),
-            (
-                Attribute::Description,
-                Value::new_utf8s("Demonstration of a remote domain's info being created for uuid generation in test_modify_domain")
-            ),
-            (Attribute::DomainUuid, Value::Uuid(uuid::uuid!("96fd1112-28bc-48ae-9dda-5acb4719aaba"))),
-            (Attribute::DomainName, Value::new_iname("example.net.au")),
-            (Attribute::DomainDisplayName, Value::Utf8("example.net.au".to_string())),
-            (Attribute::DomainSsid, Value::Utf8("Example_Wifi".to_string())),
-            (Attribute::Version, Value::Uint32(1))
-        );
-
-        let mut preload = PRELOAD.clone();
-        preload.push(e);
-
-        run_delete_test!(
-            Err(OperationError::SystemProtectedObject),
-            preload,
-            filter!(f_eq(
-                Attribute::Name,
-                PartialValue::new_iname("domain_example.net.au")
-            )),
-            Some(E_TEST_ACCOUNT.clone()),
-            |_| {}
-        );
-    }
-}

server/lib/src/plugins/refint.rs

@@ -501,7 +501,7 @@ mod tests {
         let create = vec![eb];
 
         run_create_test!(
-            Ok(()),
+            Ok(None),
             preload,
             create,
             None,
@@ -534,7 +534,7 @@ mod tests {
         let create = vec![e_group];
 
         run_create_test!(
-            Ok(()),
+            Ok(None),
             preload,
             create,
             None,

server/lib/src/plugins/spn.rs

@@ -233,7 +233,7 @@ mod tests {
         let preload = Vec::with_capacity(0);
 
         run_create_test!(
-            Ok(()),
+            Ok(None),
             preload,
             create,
             None,
@@ -286,7 +286,7 @@ mod tests {
         let preload = Vec::with_capacity(0);
 
         run_create_test!(
-            Ok(()),
+            Ok(None),
             preload,
             create,
             None,

server/lib/src/repl/proto.rs

@@ -165,10 +165,10 @@ impl ReplEntryV1 {
                                 // but for now, if it's an empty set in any capacity, we map
                                 // to None and just send the Cid since they have the same result
                                 // on how the entry/attr state looks at each end.
-                                if maybe.len() > 0 {
-                                    Some(maybe.to_db_valueset_v2())
-                                } else {
+                                if maybe.is_empty() {
                                     None
+                                } else {
+                                    Some(maybe.to_db_valueset_v2())
                                 }
                             );
 
@@ -298,10 +298,10 @@ impl ReplIncrementalEntryV1 {
                             let live_attr = live_attrs.get(attr_name);
                             let cid = cid.into();
                             let attr = live_attr.and_then(|maybe| {
-                                if maybe.len() > 0 {
-                                    Some(maybe.to_db_valueset_v2())
-                                } else {
+                                if maybe.is_empty() {
                                     None
+                                } else {
+                                    Some(maybe.to_db_valueset_v2())
                                 }
                             });
 

server/lib/src/schema.rs

@@ -1366,6 +1366,36 @@ impl SchemaWriteTransaction<'_> {
                 syntax: SyntaxType::Utf8StringInsensitive,
             },
         );
+        self.attributes.insert(
+                Attribute::AcpModifyPresentClass,
+                SchemaAttribute {
+                    name: Attribute::AcpModifyPresentClass,
+                    uuid: UUID_SCHEMA_ATTR_ACP_MODIFY_PRESENT_CLASS,
+                    description: String::from("The set of class values that could be asserted or added to an entry. Only applies to modify::present operations on class."),
+                    multivalue: true,
+                    unique: false,
+                    phantom: false,
+                    sync_allowed: false,
+                    replicated: Replicated::True,
+                    indexed: false,
+                    syntax: SyntaxType::Utf8StringInsensitive,
+                },
+            );
+        self.attributes.insert(
+                Attribute::AcpModifyRemoveClass,
+                SchemaAttribute {
+                    name: Attribute::AcpModifyRemoveClass,
+                    uuid: UUID_SCHEMA_ATTR_ACP_MODIFY_REMOVE_CLASS,
+                    description: String::from("The set of class values that could be asserted or added to an entry. Only applies to modify::remove operations on class."),
+                    multivalue: true,
+                    unique: false,
+                    phantom: false,
+                    sync_allowed: false,
+                    replicated: Replicated::True,
+                    indexed: false,
+                    syntax: SyntaxType::Utf8StringInsensitive,
+                },
+            );
         self.attributes.insert(
             Attribute::EntryManagedBy,
             SchemaAttribute {
@@ -2069,6 +2099,8 @@ impl SchemaWriteTransaction<'_> {
                     Attribute::AcpModifyRemovedAttr,
                     Attribute::AcpModifyPresentAttr,
                     Attribute::AcpModifyClass,
+                    Attribute::AcpModifyPresentClass,
+                    Attribute::AcpModifyRemoveClass,
                 ],
                 ..Default::default()
             },

server/lib/src/server/access/create.rs

@@ -1,16 +1,17 @@
 use super::profiles::{
     AccessControlCreateResolved, AccessControlReceiverCondition, AccessControlTargetCondition,
 };
+use super::protected::PROTECTED_ENTRY_CLASSES;
 use crate::prelude::*;
 use std::collections::BTreeSet;
 
 pub(super) enum CreateResult {
-    Denied,
+    Deny,
     Grant,
 }
 
 enum IResult {
-    Denied,
+    Deny,
     Grant,
     Ignore,
 }
@@ -25,25 +26,25 @@ pub(super) fn apply_create_access<'a>(
 
     // This module can never yield a grant.
     match protected_filter_entry(ident, entry) {
-        IResult::Denied => denied = true,
+        IResult::Deny => denied = true,
         IResult::Grant | IResult::Ignore => {}
     }
 
     match create_filter_entry(ident, related_acp, entry) {
-        IResult::Denied => denied = true,
+        IResult::Deny => denied = true,
         IResult::Grant => grant = true,
         IResult::Ignore => {}
     }
 
     if denied {
         // Something explicitly said no.
-        CreateResult::Denied
+        CreateResult::Deny
     } else if grant {
         // Something said yes
         CreateResult::Grant
     } else {
         // Nothing said yes.
-        CreateResult::Denied
+        CreateResult::Deny
     }
 }
 
@@ -60,7 +61,7 @@ fn create_filter_entry<'a>(
         }
         IdentType::Synch(_) => {
             security_critical!("Blocking sync check");
-            return IResult::Denied;
+            return IResult::Deny;
         }
         IdentType::User(_) => {}
     };
@@ -69,7 +70,7 @@ fn create_filter_entry<'a>(
     match ident.access_scope() {
         AccessScope::ReadOnly | AccessScope::Synchronise => {
             security_access!("denied ❌ - identity access scope is not permitted to create");
-            return IResult::Denied;
+            return IResult::Deny;
         }
         AccessScope::ReadWrite => {
             // As you were
@@ -96,7 +97,7 @@ fn create_filter_entry<'a>(
         Some(s) => s.collect(),
         None => {
             admin_error!("Class set failed to build - corrupted entry?");
-            return IResult::Denied;
+            return IResult::Deny;
         }
     };
 
@@ -173,22 +174,22 @@ fn protected_filter_entry(ident: &Identity, entry: &Entry<EntryInit, EntryNew>)
         }
         IdentType::Synch(_) => {
             security_access!("sync agreements may not directly create entities");
-            IResult::Denied
+            IResult::Deny
         }
         IdentType::User(_) => {
             // Now check things ...
-
-            // For now we just block create on sync object
-            if let Some(classes) = entry.get_ava_set(Attribute::Class) {
-                if classes.contains(&EntryClass::SyncObject.into()) {
-                    // Block the mod
-                    security_access!("attempt to create with protected class type");
-                    IResult::Denied
-                } else {
+            if let Some(classes) = entry.get_ava_as_iutf8(Attribute::Class) {
+                if classes.is_disjoint(&PROTECTED_ENTRY_CLASSES) {
+                    // It's different, go ahead
                     IResult::Ignore
+                } else {
+                    // Block the mod, something is present
+                    security_access!("attempt to create with protected class type");
+                    IResult::Deny
                 }
             } else {
-                // Nothing to check.
+                // Nothing to check - this entry will fail to create anyway because it has
+                // no classes
                 IResult::Ignore
             }
         }

server/lib/src/server/access/delete.rs

@@ -1,16 +1,17 @@
 use super::profiles::{
     AccessControlDeleteResolved, AccessControlReceiverCondition, AccessControlTargetCondition,
 };
+use super::protected::PROTECTED_ENTRY_CLASSES;
 use crate::prelude::*;
 use std::sync::Arc;
 
 pub(super) enum DeleteResult {
-    Denied,
+    Deny,
     Grant,
 }
 
 enum IResult {
-    Denied,
+    Deny,
     Grant,
     Ignore,
 }
@@ -24,25 +25,25 @@ pub(super) fn apply_delete_access<'a>(
     let mut grant = false;
 
     match protected_filter_entry(ident, entry) {
-        IResult::Denied => denied = true,
+        IResult::Deny => denied = true,
         IResult::Grant | IResult::Ignore => {}
     }
 
     match delete_filter_entry(ident, related_acp, entry) {
-        IResult::Denied => denied = true,
+        IResult::Deny => denied = true,
         IResult::Grant => grant = true,
         IResult::Ignore => {}
     }
 
     if denied {
         // Something explicitly said no.
-        DeleteResult::Denied
+        DeleteResult::Deny
     } else if grant {
         // Something said yes
         DeleteResult::Grant
     } else {
         // Nothing said yes.
-        DeleteResult::Denied
+        DeleteResult::Deny
     }
 }
 
@@ -59,7 +60,7 @@ fn delete_filter_entry<'a>(
         }
         IdentType::Synch(_) => {
             security_critical!("Blocking sync check");
-            return IResult::Denied;
+            return IResult::Deny;
         }
         IdentType::User(_) => {}
     };
@@ -68,7 +69,7 @@ fn delete_filter_entry<'a>(
     match ident.access_scope() {
         AccessScope::ReadOnly | AccessScope::Synchronise => {
             security_access!("denied ❌ - identity access scope is not permitted to delete");
-            return IResult::Denied;
+            return IResult::Deny;
         }
         AccessScope::ReadWrite => {
             // As you were
@@ -152,28 +153,30 @@ fn protected_filter_entry(ident: &Identity, entry: &Arc<EntrySealedCommitted>) -
         }
         IdentType::Synch(_) => {
             security_access!("sync agreements may not directly delete entities");
-            IResult::Denied
+            IResult::Deny
         }
         IdentType::User(_) => {
-            // Now check things ...
-
-            // For now we just block create on sync object
-            if let Some(classes) = entry.get_ava_set(Attribute::Class) {
-                if classes.contains(&EntryClass::SyncObject.into()) {
-                    // Block the mod
-                    security_access!("attempt to delete with protected class type");
-                    return IResult::Denied;
-                }
-            };
-
             // Prevent deletion of entries that exist in the system controlled entry range.
             if entry.get_uuid() <= UUID_ANONYMOUS {
                 security_access!("attempt to delete system builtin entry");
-                return IResult::Denied;
+                return IResult::Deny;
             }
 
-            // Checks exhausted, no more input from us
-            IResult::Ignore
+            // Prevent deleting some protected types.
+            if let Some(classes) = entry.get_ava_as_iutf8(Attribute::Class) {
+                if classes.is_disjoint(&PROTECTED_ENTRY_CLASSES) {
+                    // It's different, go ahead
+                    IResult::Ignore
+                } else {
+                    // Block the mod, something is present
+                    security_access!("attempt to create with protected class type");
+                    IResult::Deny
+                }
+            } else {
+                // Nothing to check - this entry will fail to create anyway because it has
+                // no classes
+                IResult::Ignore
+            }
         }
     }
 }

server/lib/src/server/access/mod.rs

@@ -50,12 +50,13 @@ mod create;
 mod delete;
 mod modify;
 pub mod profiles;
+mod protected;
 mod search;
 
 #[derive(Debug, Clone, PartialEq, Eq)]
 pub enum Access {
     Grant,
-    Denied,
+    Deny,
     Allow(BTreeSet<Attribute>),
 }
 
@@ -63,7 +64,7 @@ impl From<&Access> for ScimAttributeEffectiveAccess {
     fn from(value: &Access) -> Self {
         match value {
             Access::Grant => Self::Grant,
-            Access::Denied => Self::Denied,
+            Access::Deny => Self::Deny,
             Access::Allow(set) => Self::Allow(set.clone()),
         }
     }
@@ -72,7 +73,7 @@ impl From<&Access> for ScimAttributeEffectiveAccess {
 #[derive(Debug, Clone, PartialEq, Eq)]
 pub enum AccessClass {
     Grant,
-    Denied,
+    Deny,
     Allow(BTreeSet<AttrString>),
 }
 
@@ -86,12 +87,22 @@ pub struct AccessEffectivePermission {
     pub search: Access,
     pub modify_pres: Access,
     pub modify_rem: Access,
-    pub modify_class: AccessClass,
+    pub modify_pres_class: AccessClass,
+    pub modify_rem_class: AccessClass,
 }
 
-pub enum AccessResult {
+pub enum AccessBasicResult {
     // Deny this operation unconditionally.
-    Denied,
+    Deny,
+    // Unbounded allow, provided no deny state exists.
+    Grant,
+    // This module makes no decisions about this entry.
+    Ignore,
+}
+
+pub enum AccessSrchResult {
+    // Deny this operation unconditionally.
+    Deny,
     // Unbounded allow, provided no deny state exists.
     Grant,
     // This module makes no decisions about this entry.
@@ -99,24 +110,37 @@ pub enum AccessResult {
     // Limit the allowed attr set to this - this doesn't
     // allow anything, it constrains what might be allowed
     // by a later module.
-    Constrain(BTreeSet<Attribute>),
-    // Allow these attributes within constraints.
-    Allow(BTreeSet<Attribute>),
+    /*
+    Constrain {
+        attr: BTreeSet<Attribute>,
+    },
+    */
+    Allow { attr: BTreeSet<Attribute> },
 }
 
-#[allow(dead_code)]
-pub enum AccessResultClass<'a> {
+pub enum AccessModResult<'a> {
     // Deny this operation unconditionally.
-    Denied,
-    // Unbounded allow, provided no denied exists.
-    Grant,
+    Deny,
+    // Unbounded allow, provided no deny state exists.
+    // Grant,
     // This module makes no decisions about this entry.
     Ignore,
     // Limit the allowed attr set to this - this doesn't
-    // allow anything, it constrains what might be allowed.
-    Constrain(BTreeSet<&'a str>),
-    // Allow these attributes within constraints.
-    Allow(BTreeSet<&'a str>),
+    // allow anything, it constrains what might be allowed
+    // by a later module.
+    Constrain {
+        pres_attr: BTreeSet<Attribute>,
+        rem_attr: BTreeSet<Attribute>,
+        pres_cls: Option<BTreeSet<&'a str>>,
+        rem_cls: Option<BTreeSet<&'a str>>,
+    },
+    // Allow these modifications within constraints.
+    Allow {
+        pres_attr: BTreeSet<Attribute>,
+        rem_attr: BTreeSet<Attribute>,
+        pres_class: BTreeSet<&'a str>,
+        rem_class: BTreeSet<&'a str>,
+    },
 }
 
 // =========================================================================
@@ -303,7 +327,7 @@ pub trait AccessControlsTransaction<'a> {
             .into_iter()
             .filter(|e| {
                 match apply_search_access(ident, related_acp.as_slice(), e) {
-                    SearchResult::Denied => false,
+                    SearchResult::Deny => false,
                     SearchResult::Grant => true,
                     SearchResult::Allow(allowed_attrs) => {
                         // The allow set constrained.
@@ -401,7 +425,7 @@ pub trait AccessControlsTransaction<'a> {
             .into_iter()
             .filter_map(|entry| {
                 match apply_search_access(&se.ident, &search_related_acp, &entry) {
-                    SearchResult::Denied => {
+                    SearchResult::Deny => {
                         None
                     }
                     SearchResult::Grant => {
@@ -536,7 +560,8 @@ pub trait AccessControlsTransaction<'a> {
         // Build the set of classes that we to work on, only in terms of "addition". To remove
         // I think we have no limit, but ... william of the future may find a problem with this
         // policy.
-        let mut requested_classes: BTreeSet<&str> = Default::default();
+        let mut requested_pres_classes: BTreeSet<&str> = Default::default();
+        let mut requested_rem_classes: BTreeSet<&str> = Default::default();
 
         for modify in me.modlist.iter() {
             match modify {
@@ -548,27 +573,33 @@ pub trait AccessControlsTransaction<'a> {
                         // existence, and second, we would have failed the mod at schema checking
                         // earlier in the process as these were not correctly type. As a result
                         // we can trust these to be correct here and not to be "None".
-                        requested_classes.extend(v.to_str())
+                        requested_pres_classes.extend(v.to_str())
                     }
                 }
                 Modify::Removed(a, v) => {
                     if a == Attribute::Class.as_ref() {
-                        requested_classes.extend(v.to_str())
+                        requested_rem_classes.extend(v.to_str())
                     }
                 }
                 Modify::Set(a, v) => {
                     if a == Attribute::Class.as_ref() {
-                        // flatten to remove the option down to an iterator
-                        requested_classes.extend(v.as_iutf8_iter().into_iter().flatten())
+                        // This is a reasonably complex case - we actually have to contemplate
+                        // the difference between what exists and what doesn't, but that's per-entry.
+                        //
+                        // for now, we treat this as both pres and rem, but I think that ultimately
+                        // to fix this we need to make all modifies apply in terms of "batch mod"
+                        requested_pres_classes.extend(v.as_iutf8_iter().into_iter().flatten());
+                        requested_rem_classes.extend(v.as_iutf8_iter().into_iter().flatten());
                     }
                 }
                 _ => {}
             }
         }
 
-        debug!(?requested_pres, "Requested present set");
-        debug!(?requested_rem, "Requested remove set");
-        debug!(?requested_classes, "Requested class set");
+        debug!(?requested_pres, "Requested present attribute set");
+        debug!(?requested_rem, "Requested remove attribute set");
+        debug!(?requested_pres_classes, "Requested present class set");
+        debug!(?requested_rem_classes, "Requested remove class set");
 
         let sync_agmts = self.get_sync_agreements();
 
@@ -576,9 +607,16 @@ pub trait AccessControlsTransaction<'a> {
             debug!(entry_id = %e.get_display_id());
 
             match apply_modify_access(&me.ident, related_acp.as_slice(), sync_agmts, e) {
-                ModifyResult::Denied => false,
+                ModifyResult::Deny => false,
                 ModifyResult::Grant => true,
-                ModifyResult::Allow { pres, rem, cls } => {
+                ModifyResult::Allow {
+                    pres,
+                    rem,
+                    pres_cls,
+                    rem_cls,
+                } => {
+                    let mut decision = true;
+
                     if !requested_pres.is_subset(&pres) {
                         security_error!("requested_pres is not a subset of allowed");
                         security_error!(
@@ -586,23 +624,41 @@ pub trait AccessControlsTransaction<'a> {
                             requested_pres,
                             pres
                         );
-                        false
-                    } else if !requested_rem.is_subset(&rem) {
+                        decision = false
+                    };
+
+                    if !requested_rem.is_subset(&rem) {
                         security_error!("requested_rem is not a subset of allowed");
                         security_error!("requested_rem: {:?} !⊆ allowed: {:?}", requested_rem, rem);
-                        false
-                    } else if !requested_classes.is_subset(&cls) {
-                        security_error!("requested_classes is not a subset of allowed");
+                        decision = false;
+                    };
+
+                    if !requested_pres_classes.is_subset(&pres_cls) {
+                        security_error!("requested_pres_classes is not a subset of allowed");
                         security_error!(
-                            "requested_classes: {:?} !⊆ allowed: {:?}",
-                            requested_classes,
-                            cls
+                            "requested_pres_classes: {:?} !⊆ allowed: {:?}",
+                            requested_pres_classes,
+                            pres_cls
                         );
-                        false
-                    } else {
+                        decision = false;
+                    };
+
+                    if !requested_rem_classes.is_subset(&rem_cls) {
+                        security_error!("requested_rem_classes is not a subset of allowed");
+                        security_error!(
+                            "requested_rem_classes: {:?} !⊆ allowed: {:?}",
+                            requested_rem_classes,
+                            rem_cls
+                        );
+                        decision = false;
+                    }
+
+                    if decision {
                         debug!("passed pres, rem, classes check.");
-                        true
-                    } // if acc == false
+                    }
+
+                    // Yield the result
+                    decision
                 }
             }
         });
@@ -668,47 +724,55 @@ pub trait AccessControlsTransaction<'a> {
                 })
                 .collect();
 
-            // Build the set of classes that we to work on, only in terms of "addition". To remove
-            // I think we have no limit, but ... william of the future may find a problem with this
-            // policy.
-            let requested_classes: BTreeSet<&str> = modlist
-                .iter()
-                .filter_map(|m| match m {
+            let mut requested_pres_classes: BTreeSet<&str> = Default::default();
+            let mut requested_rem_classes: BTreeSet<&str> = Default::default();
+
+            for modify in modlist.iter() {
+                match modify {
                     Modify::Present(a, v) => {
                         if a == Attribute::Class.as_ref() {
-                            // Here we have an option<&str> which could mean there is a risk of
-                            // a malicious entity attempting to trick us by masking class mods
-                            // in non-iutf8 types. However, the server first won't respect their
-                            // existence, and second, we would have failed the mod at schema checking
-                            // earlier in the process as these were not correctly type. As a result
-                            // we can trust these to be correct here and not to be "None".
-                            v.to_str()
-                        } else {
-                            None
+                            requested_pres_classes.extend(v.to_str())
                         }
                     }
                     Modify::Removed(a, v) => {
                         if a == Attribute::Class.as_ref() {
-                            v.to_str()
-                        } else {
-                            None
+                            requested_rem_classes.extend(v.to_str())
                         }
                     }
-                    _ => None,
-                })
-                .collect();
+                    Modify::Set(a, v) => {
+                        if a == Attribute::Class.as_ref() {
+                            // This is a reasonably complex case - we actually have to contemplate
+                            // the difference between what exists and what doesn't, but that's per-entry.
+                            //
+                            // for now, we treat this as both pres and rem, but I think that ultimately
+                            // to fix this we need to make all modifies apply in terms of "batch mod"
+                            requested_pres_classes.extend(v.as_iutf8_iter().into_iter().flatten());
+                            requested_rem_classes.extend(v.as_iutf8_iter().into_iter().flatten());
+                        }
+                    }
+                    _ => {}
+                }
+            }
 
             debug!(?requested_pres, "Requested present set");
             debug!(?requested_rem, "Requested remove set");
-            debug!(?requested_classes, "Requested class set");
+            debug!(?requested_pres_classes, "Requested present class set");
+            debug!(?requested_rem_classes, "Requested remove class set");
             debug!(entry_id = %e.get_display_id());
 
             let sync_agmts = self.get_sync_agreements();
 
             match apply_modify_access(&me.ident, related_acp.as_slice(), sync_agmts, e) {
-                ModifyResult::Denied => false,
+                ModifyResult::Deny => false,
                 ModifyResult::Grant => true,
-                ModifyResult::Allow { pres, rem, cls } => {
+                ModifyResult::Allow {
+                    pres,
+                    rem,
+                    pres_cls,
+                    rem_cls,
+                } => {
+                    let mut decision = true;
+
                     if !requested_pres.is_subset(&pres) {
                         security_error!("requested_pres is not a subset of allowed");
                         security_error!(
@@ -716,23 +780,41 @@ pub trait AccessControlsTransaction<'a> {
                             requested_pres,
                             pres
                         );
-                        false
-                    } else if !requested_rem.is_subset(&rem) {
+                        decision = false
+                    };
+
+                    if !requested_rem.is_subset(&rem) {
                         security_error!("requested_rem is not a subset of allowed");
                         security_error!("requested_rem: {:?} !⊆ allowed: {:?}", requested_rem, rem);
-                        false
-                    } else if !requested_classes.is_subset(&cls) {
-                        security_error!("requested_classes is not a subset of allowed");
+                        decision = false;
+                    };
+
+                    if !requested_pres_classes.is_subset(&pres_cls) {
+                        security_error!("requested_pres_classes is not a subset of allowed");
                         security_error!(
                             "requested_classes: {:?} !⊆ allowed: {:?}",
-                            requested_classes,
-                            cls
+                            requested_pres_classes,
+                            pres_cls
                         );
-                        false
-                    } else {
-                        security_access!("passed pres, rem, classes check.");
-                        true
-                    } // if acc == false
+                        decision = false;
+                    };
+
+                    if !requested_rem_classes.is_subset(&rem_cls) {
+                        security_error!("requested_rem_classes is not a subset of allowed");
+                        security_error!(
+                            "requested_classes: {:?} !⊆ allowed: {:?}",
+                            requested_rem_classes,
+                            rem_cls
+                        );
+                        decision = false;
+                    }
+
+                    if decision {
+                        debug!("passed pres, rem, classes check.");
+                    }
+
+                    // Yield the result
+                    decision
                 }
             }
         });
@@ -780,7 +862,7 @@ pub trait AccessControlsTransaction<'a> {
         // For each entry
         let r = entries.iter().all(|e| {
             match apply_create_access(&ce.ident, related_acp.as_slice(), e) {
-                CreateResult::Denied => false,
+                CreateResult::Deny => false,
                 CreateResult::Grant => true,
             }
         });
@@ -836,7 +918,7 @@ pub trait AccessControlsTransaction<'a> {
         // For each entry
         let r = entries.iter().all(|e| {
             match apply_delete_access(&de.ident, related_acp.as_slice(), e) {
-                DeleteResult::Denied => false,
+                DeleteResult::Deny => false,
                 DeleteResult::Grant => true,
             }
         });
@@ -925,7 +1007,7 @@ pub trait AccessControlsTransaction<'a> {
     ) -> AccessEffectivePermission {
         // == search ==
         let search_effective = match apply_search_access(ident, search_related_acp, entry) {
-            SearchResult::Denied => Access::Denied,
+            SearchResult::Deny => Access::Deny,
             SearchResult::Grant => Access::Grant,
             SearchResult::Allow(allowed_attrs) => {
                 // Bound by requested attrs?
@@ -934,14 +1016,30 @@ pub trait AccessControlsTransaction<'a> {
         };
 
         // == modify ==
-        let (modify_pres, modify_rem, modify_class) =
+        let (modify_pres, modify_rem, modify_pres_class, modify_rem_class) =
             match apply_modify_access(ident, modify_related_acp, sync_agmts, entry) {
-                ModifyResult::Denied => (Access::Denied, Access::Denied, AccessClass::Denied),
-                ModifyResult::Grant => (Access::Grant, Access::Grant, AccessClass::Grant),
-                ModifyResult::Allow { pres, rem, cls } => (
+                ModifyResult::Deny => (
+                    Access::Deny,
+                    Access::Deny,
+                    AccessClass::Deny,
+                    AccessClass::Deny,
+                ),
+                ModifyResult::Grant => (
+                    Access::Grant,
+                    Access::Grant,
+                    AccessClass::Grant,
+                    AccessClass::Grant,
+                ),
+                ModifyResult::Allow {
+                    pres,
+                    rem,
+                    pres_cls,
+                    rem_cls,
+                } => (
                     Access::Allow(pres.into_iter().collect()),
                     Access::Allow(rem.into_iter().collect()),
-                    AccessClass::Allow(cls.into_iter().map(|s| s.into()).collect()),
+                    AccessClass::Allow(pres_cls.into_iter().map(|s| s.into()).collect()),
+                    AccessClass::Allow(rem_cls.into_iter().map(|s| s.into()).collect()),
                 ),
             };
 
@@ -949,7 +1047,7 @@ pub trait AccessControlsTransaction<'a> {
         let delete_status = apply_delete_access(ident, delete_related_acp, entry);
 
         let delete = match delete_status {
-            DeleteResult::Denied => false,
+            DeleteResult::Deny => false,
             DeleteResult::Grant => true,
         };
 
@@ -960,7 +1058,8 @@ pub trait AccessControlsTransaction<'a> {
             search: search_effective,
             modify_pres,
             modify_rem,
-            modify_class,
+            modify_pres_class,
+            modify_rem_class,
         }
     }
 }
@@ -2166,6 +2265,8 @@ mod tests {
             "name class",
             // And the class allowed is account
             EntryClass::Account.into(),
+            // And the class allowed is account
+            EntryClass::Account.into(),
         );
         // Allow member, class is group. IE not account
         let acp_deny = AccessControlModify::from_raw(
@@ -2182,8 +2283,8 @@ mod tests {
             "member class",
             // Allow rem name and class
             "member class",
-            // And the class allowed is account
-            "group",
+            EntryClass::Group.into(),
+            EntryClass::Group.into(),
         );
         // Does not have a pres or rem class in attrs
         let acp_no_class = AccessControlModify::from_raw(
@@ -2201,7 +2302,8 @@ mod tests {
             // Allow rem name and class
             "name class",
             // And the class allowed is NOT an account ...
-            "group",
+            EntryClass::Group.into(),
+            EntryClass::Group.into(),
         );
 
         // Test allowed pres
@@ -2287,6 +2389,7 @@ mod tests {
             "name class",
             // And the class allowed is account
             EntryClass::Account.into(),
+            EntryClass::Account.into(),
         );
 
         test_acp_modify!(&me_pres_ro, vec![acp_allow.clone()], &r_set, false);
@@ -2614,7 +2717,8 @@ mod tests {
                 search: Access::Allow(btreeset![Attribute::Name]),
                 modify_pres: Access::Allow(BTreeSet::new()),
                 modify_rem: Access::Allow(BTreeSet::new()),
-                modify_class: AccessClass::Allow(BTreeSet::new()),
+                modify_pres_class: AccessClass::Allow(BTreeSet::new()),
+                modify_rem_class: AccessClass::Allow(BTreeSet::new()),
             }]
         )
     }
@@ -2647,6 +2751,7 @@ mod tests {
                 Attribute::Name.as_ref(),
                 Attribute::Name.as_ref(),
                 EntryClass::Object.into(),
+                EntryClass::Object.into(),
             )],
             &r_set,
             vec![AccessEffectivePermission {
@@ -2656,7 +2761,8 @@ mod tests {
                 search: Access::Allow(BTreeSet::new()),
                 modify_pres: Access::Allow(btreeset![Attribute::Name]),
                 modify_rem: Access::Allow(btreeset![Attribute::Name]),
-                modify_class: AccessClass::Allow(btreeset![EntryClass::Object.into()]),
+                modify_pres_class: AccessClass::Allow(btreeset![EntryClass::Object.into()]),
+                modify_rem_class: AccessClass::Allow(btreeset![EntryClass::Object.into()]),
             }]
         )
     }
@@ -2796,6 +2902,7 @@ mod tests {
             &format!("{} {}", Attribute::UserAuthTokenSession, Attribute::Name),
             // And the class allowed is account, we don't use it though.
             EntryClass::Account.into(),
+            EntryClass::Account.into(),
         );
 
         // NOTE! Syntax doesn't matter here, we just need to assert if the attr exists
@@ -3296,6 +3403,7 @@ mod tests {
             "name class",
             // And the class allowed is account
             EntryClass::Account.into(),
+            EntryClass::Account.into(),
         );
 
         // Test allowed pres
@@ -3424,4 +3532,185 @@ mod tests {
         // Finally test it!
         test_acp_search_reduce!(&se_anon_ro, vec![acp], r_set, ex_anon_some);
     }
+
+    #[test]
+    fn test_access_protected_deny_create() {
+        sketching::test_init();
+
+        let ev1 = entry_init!(
+            (Attribute::Class, EntryClass::Account.to_value()),
+            (Attribute::Name, Value::new_iname("testperson1")),
+            (Attribute::Uuid, Value::Uuid(UUID_TEST_ACCOUNT_1))
+        );
+        let r1_set = vec![ev1];
+
+        let ev2 = entry_init!(
+            (Attribute::Class, EntryClass::Account.to_value()),
+            (Attribute::Class, EntryClass::System.to_value()),
+            (Attribute::Name, Value::new_iname("testperson1")),
+            (Attribute::Uuid, Value::Uuid(UUID_TEST_ACCOUNT_1))
+        );
+
+        let r2_set = vec![ev2];
+
+        let ce_admin = CreateEvent::new_impersonate_identity(
+            Identity::from_impersonate_entry_readwrite(E_TEST_ACCOUNT_1.clone()),
+            vec![],
+        );
+
+        let acp = AccessControlCreate::from_raw(
+            "test_create",
+            Uuid::new_v4(),
+            // Apply to admin
+            UUID_TEST_GROUP_1,
+            // To create matching filter testperson
+            // Can this be empty?
+            filter_valid!(f_eq(
+                Attribute::Name,
+                PartialValue::new_iname("testperson1")
+            )),
+            // classes
+            EntryClass::Account.into(),
+            // attrs
+            "class name uuid",
+        );
+
+        // Test allowed to create
+        test_acp_create!(&ce_admin, vec![acp.clone()], &r1_set, true);
+        // Test reject create (not allowed attr)
+        test_acp_create!(&ce_admin, vec![acp.clone()], &r2_set, false);
+    }
+
+    #[test]
+    fn test_access_protected_deny_delete() {
+        sketching::test_init();
+
+        let ev1 = entry_init!(
+            (Attribute::Class, EntryClass::Account.to_value()),
+            (Attribute::Name, Value::new_iname("testperson1")),
+            (Attribute::Uuid, Value::Uuid(UUID_TEST_ACCOUNT_1))
+        )
+        .into_sealed_committed();
+        let r1_set = vec![Arc::new(ev1)];
+
+        let ev2 = entry_init!(
+            (Attribute::Class, EntryClass::Account.to_value()),
+            (Attribute::Class, EntryClass::System.to_value()),
+            (Attribute::Name, Value::new_iname("testperson1")),
+            (Attribute::Uuid, Value::Uuid(UUID_TEST_ACCOUNT_1))
+        )
+        .into_sealed_committed();
+
+        let r2_set = vec![Arc::new(ev2)];
+
+        let de = DeleteEvent::new_impersonate_entry(
+            E_TEST_ACCOUNT_1.clone(),
+            filter_all!(f_eq(
+                Attribute::Name,
+                PartialValue::new_iname("testperson1")
+            )),
+        );
+
+        let acp = AccessControlDelete::from_raw(
+            "test_delete",
+            Uuid::new_v4(),
+            // Apply to admin
+            UUID_TEST_GROUP_1,
+            // To delete testperson
+            filter_valid!(f_eq(
+                Attribute::Name,
+                PartialValue::new_iname("testperson1")
+            )),
+        );
+
+        // Test allowed to delete
+        test_acp_delete!(&de, vec![acp.clone()], &r1_set, true);
+        // Test not allowed to delete
+        test_acp_delete!(&de, vec![acp.clone()], &r2_set, false);
+    }
+
+    #[test]
+    fn test_access_protected_deny_modify() {
+        sketching::test_init();
+
+        let ev1 = entry_init!(
+            (Attribute::Class, EntryClass::Account.to_value()),
+            (Attribute::Name, Value::new_iname("testperson1")),
+            (Attribute::Uuid, Value::Uuid(UUID_TEST_ACCOUNT_1))
+        )
+        .into_sealed_committed();
+        let r1_set = vec![Arc::new(ev1)];
+
+        let ev2 = entry_init!(
+            (Attribute::Class, EntryClass::Account.to_value()),
+            (Attribute::Class, EntryClass::System.to_value()),
+            (Attribute::Name, Value::new_iname("testperson1")),
+            (Attribute::Uuid, Value::Uuid(UUID_TEST_ACCOUNT_1))
+        )
+        .into_sealed_committed();
+
+        let r2_set = vec![Arc::new(ev2)];
+
+        // Allow name and class, class is account
+        let acp_allow = AccessControlModify::from_raw(
+            "test_modify_allow",
+            Uuid::new_v4(),
+            // Apply to admin
+            UUID_TEST_GROUP_1,
+            // To modify testperson
+            filter_valid!(f_eq(
+                Attribute::Name,
+                PartialValue::new_iname("testperson1")
+            )),
+            // Allow pres disp name and class
+            "displayname class",
+            // Allow rem disp name and class
+            "displayname class",
+            // And the classes allowed to add/rem are as such
+            "system recycled",
+            "system recycled",
+        );
+
+        let me_pres = ModifyEvent::new_impersonate_entry(
+            E_TEST_ACCOUNT_1.clone(),
+            filter_all!(f_eq(
+                Attribute::Name,
+                PartialValue::new_iname("testperson1")
+            )),
+            modlist!([m_pres(Attribute::DisplayName, &Value::new_utf8s("value"))]),
+        );
+
+        // Test allowed pres
+        test_acp_modify!(&me_pres, vec![acp_allow.clone()], &r1_set, true);
+
+        // Test not allowed pres (due to system class)
+        test_acp_modify!(&me_pres, vec![acp_allow.clone()], &r2_set, false);
+
+        // Test that we can not remove class::system
+        let me_rem_sys = ModifyEvent::new_impersonate_entry(
+            E_TEST_ACCOUNT_1.clone(),
+            filter_all!(f_eq(
+                Attribute::Class,
+                PartialValue::new_iname("testperson1")
+            )),
+            modlist!([m_remove(
+                Attribute::Class,
+                &EntryClass::System.to_partialvalue()
+            )]),
+        );
+
+        test_acp_modify!(&me_rem_sys, vec![acp_allow.clone()], &r2_set, false);
+
+        // Ensure that we can't add recycled.
+        let me_pres = ModifyEvent::new_impersonate_entry(
+            E_TEST_ACCOUNT_1.clone(),
+            filter_all!(f_eq(
+                Attribute::Name,
+                PartialValue::new_iname("testperson1")
+            )),
+            modlist!([m_pres(Attribute::Class, &EntryClass::Recycled.to_value())]),
+        );
+
+        test_acp_modify!(&me_pres, vec![acp_allow.clone()], &r1_set, false);
+    }
 }

server/lib/src/server/access/modify.rs

@@ -1,21 +1,25 @@
-use crate::prelude::*;
-use hashbrown::HashMap;
-use std::collections::BTreeSet;
-
 use super::profiles::{
     AccessControlModify, AccessControlModifyResolved, AccessControlReceiverCondition,
     AccessControlTargetCondition,
 };
-use super::{AccessResult, AccessResultClass};
+use super::protected::{
+    LOCKED_ENTRY_CLASSES, PROTECTED_MOD_ENTRY_CLASSES, PROTECTED_MOD_PRES_ENTRY_CLASSES,
+    PROTECTED_MOD_REM_ENTRY_CLASSES,
+};
+use super::{AccessBasicResult, AccessModResult};
+use crate::prelude::*;
+use hashbrown::HashMap;
+use std::collections::BTreeSet;
 use std::sync::Arc;
 
 pub(super) enum ModifyResult<'a> {
-    Denied,
+    Deny,
     Grant,
     Allow {
         pres: BTreeSet<Attribute>,
         rem: BTreeSet<Attribute>,
-        cls: BTreeSet<&'a str>,
+        pres_cls: BTreeSet<&'a str>,
+        rem_cls: BTreeSet<&'a str>,
     },
 }
 
@@ -27,12 +31,17 @@ pub(super) fn apply_modify_access<'a>(
 ) -> ModifyResult<'a> {
     let mut denied = false;
     let mut grant = false;
+
     let mut constrain_pres = BTreeSet::default();
     let mut allow_pres = BTreeSet::default();
     let mut constrain_rem = BTreeSet::default();
     let mut allow_rem = BTreeSet::default();
-    let mut constrain_cls = BTreeSet::default();
-    let mut allow_cls = BTreeSet::default();
+
+    let mut constrain_pres_cls = BTreeSet::default();
+    let mut allow_pres_cls = BTreeSet::default();
+
+    let mut constrain_rem_cls = BTreeSet::default();
+    let mut allow_rem_cls = BTreeSet::default();
 
     // Some useful references.
     //  - needed for checking entry manager conditions.
@@ -43,28 +52,53 @@ pub(super) fn apply_modify_access<'a>(
     // kind of being three operations all in one.
 
     match modify_ident_test(ident) {
-        AccessResult::Denied => denied = true,
-        AccessResult::Grant => grant = true,
-        AccessResult::Ignore => {}
-        AccessResult::Constrain(mut set) => constrain_pres.append(&mut set),
-        AccessResult::Allow(mut set) => allow_pres.append(&mut set),
+        AccessBasicResult::Deny => denied = true,
+        AccessBasicResult::Grant => grant = true,
+        AccessBasicResult::Ignore => {}
+    }
+
+    // Check with protected if we should proceed.
+    match modify_protected_attrs(ident, entry) {
+        AccessModResult::Deny => denied = true,
+        AccessModResult::Constrain {
+            mut pres_attr,
+            mut rem_attr,
+            pres_cls,
+            rem_cls,
+        } => {
+            constrain_rem.append(&mut rem_attr);
+            constrain_pres.append(&mut pres_attr);
+
+            if let Some(mut pres_cls) = pres_cls {
+                constrain_pres_cls.append(&mut pres_cls);
+            }
+
+            if let Some(mut rem_cls) = rem_cls {
+                constrain_rem_cls.append(&mut rem_cls);
+            }
+        }
+        // Can't grant.
+        // AccessModResult::Grant |
+        // Can't allow
+        AccessModResult::Allow { .. } | AccessModResult::Ignore => {}
     }
 
     if !grant && !denied {
-        // Check with protected if we should proceed.
-
         // If it's a sync entry, constrain it.
         match modify_sync_constrain(ident, entry, sync_agreements) {
-            AccessResult::Denied => denied = true,
-            AccessResult::Constrain(mut set) => {
-                constrain_rem.extend(set.iter().cloned());
-                constrain_pres.append(&mut set)
+            AccessModResult::Deny => denied = true,
+            AccessModResult::Constrain {
+                mut pres_attr,
+                mut rem_attr,
+                ..
+            } => {
+                constrain_rem.append(&mut rem_attr);
+                constrain_pres.append(&mut pres_attr);
             }
             // Can't grant.
-            AccessResult::Grant |
+            // AccessModResult::Grant |
             // Can't allow
-            AccessResult::Allow(_) |
-            AccessResult::Ignore => {}
+            AccessModResult::Allow { .. } | AccessModResult::Ignore => {}
         }
 
         // Setup the acp's here
@@ -122,35 +156,27 @@ pub(super) fn apply_modify_access<'a>(
             .collect();
 
         match modify_pres_test(scoped_acp.as_slice()) {
-            AccessResult::Denied => denied = true,
+            AccessModResult::Deny => denied = true,
             // Can never return a unilateral grant.
-            AccessResult::Grant => {}
-            AccessResult::Ignore => {}
-            AccessResult::Constrain(mut set) => constrain_pres.append(&mut set),
-            AccessResult::Allow(mut set) => allow_pres.append(&mut set),
-        }
-
-        match modify_rem_test(scoped_acp.as_slice()) {
-            AccessResult::Denied => denied = true,
-            // Can never return a unilateral grant.
-            AccessResult::Grant => {}
-            AccessResult::Ignore => {}
-            AccessResult::Constrain(mut set) => constrain_rem.append(&mut set),
-            AccessResult::Allow(mut set) => allow_rem.append(&mut set),
-        }
-
-        match modify_cls_test(scoped_acp.as_slice()) {
-            AccessResultClass::Denied => denied = true,
-            // Can never return a unilateral grant.
-            AccessResultClass::Grant => {}
-            AccessResultClass::Ignore => {}
-            AccessResultClass::Constrain(mut set) => constrain_cls.append(&mut set),
-            AccessResultClass::Allow(mut set) => allow_cls.append(&mut set),
+            // AccessModResult::Grant => {}
+            AccessModResult::Ignore => {}
+            AccessModResult::Constrain { .. } => {}
+            AccessModResult::Allow {
+                mut pres_attr,
+                mut rem_attr,
+                mut pres_class,
+                mut rem_class,
+            } => {
+                allow_pres.append(&mut pres_attr);
+                allow_rem.append(&mut rem_attr);
+                allow_pres_cls.append(&mut pres_class);
+                allow_rem_cls.append(&mut rem_class);
+            }
         }
     }
 
     if denied {
-        ModifyResult::Denied
+        ModifyResult::Deny
     } else if grant {
         ModifyResult::Grant
     } else {
@@ -168,31 +194,48 @@ pub(super) fn apply_modify_access<'a>(
             allow_rem
         };
 
-        let allowed_cls = if !constrain_cls.is_empty() {
+        let mut allowed_pres_cls = if !constrain_pres_cls.is_empty() {
             // bit_and
-            &constrain_cls & &allow_cls
+            &constrain_pres_cls & &allow_pres_cls
         } else {
-            allow_cls
+            allow_pres_cls
         };
 
+        let mut allowed_rem_cls = if !constrain_rem_cls.is_empty() {
+            // bit_and
+            &constrain_rem_cls & &allow_rem_cls
+        } else {
+            allow_rem_cls
+        };
+
+        // Deny these classes from being part of any addition or removal to an entry
+        for protected_cls in PROTECTED_MOD_PRES_ENTRY_CLASSES.iter() {
+            allowed_pres_cls.remove(protected_cls.as_str());
+        }
+
+        for protected_cls in PROTECTED_MOD_REM_ENTRY_CLASSES.iter() {
+            allowed_rem_cls.remove(protected_cls.as_str());
+        }
+
         ModifyResult::Allow {
             pres: allowed_pres,
             rem: allowed_rem,
-            cls: allowed_cls,
+            pres_cls: allowed_pres_cls,
+            rem_cls: allowed_rem_cls,
         }
     }
 }
 
-fn modify_ident_test(ident: &Identity) -> AccessResult {
+fn modify_ident_test(ident: &Identity) -> AccessBasicResult {
     match &ident.origin {
         IdentType::Internal => {
             trace!("Internal operation, bypassing access check");
             // No need to check ACS
-            return AccessResult::Grant;
+            return AccessBasicResult::Grant;
         }
         IdentType::Synch(_) => {
             security_critical!("Blocking sync check");
-            return AccessResult::Denied;
+            return AccessBasicResult::Deny;
         }
         IdentType::User(_) => {}
     };
@@ -201,53 +244,56 @@ fn modify_ident_test(ident: &Identity) -> AccessResult {
     match ident.access_scope() {
         AccessScope::ReadOnly | AccessScope::Synchronise => {
             security_access!("denied ❌ - identity access scope is not permitted to modify");
-            return AccessResult::Denied;
+            return AccessBasicResult::Deny;
         }
         AccessScope::ReadWrite => {
             // As you were
         }
     };
 
-    AccessResult::Ignore
+    AccessBasicResult::Ignore
 }
 
-fn modify_pres_test(scoped_acp: &[&AccessControlModify]) -> AccessResult {
-    let allowed_pres: BTreeSet<Attribute> = scoped_acp
+fn modify_pres_test<'a>(scoped_acp: &[&'a AccessControlModify]) -> AccessModResult<'a> {
+    let pres_attr: BTreeSet<Attribute> = scoped_acp
         .iter()
         .flat_map(|acp| acp.presattrs.iter().cloned())
         .collect();
-    AccessResult::Allow(allowed_pres)
-}
 
-fn modify_rem_test(scoped_acp: &[&AccessControlModify]) -> AccessResult {
-    let allowed_rem: BTreeSet<Attribute> = scoped_acp
+    let rem_attr: BTreeSet<Attribute> = scoped_acp
         .iter()
         .flat_map(|acp| acp.remattrs.iter().cloned())
         .collect();
-    AccessResult::Allow(allowed_rem)
-}
 
-// TODO: Should this be reverted to the Str borrow method? Or do we try to change
-// to EntryClass?
-fn modify_cls_test<'a>(scoped_acp: &[&'a AccessControlModify]) -> AccessResultClass<'a> {
-    let allowed_classes: BTreeSet<&'a str> = scoped_acp
+    let pres_class: BTreeSet<&'a str> = scoped_acp
         .iter()
-        .flat_map(|acp| acp.classes.iter().map(|s| s.as_str()))
+        .flat_map(|acp| acp.pres_classes.iter().map(|s| s.as_str()))
         .collect();
-    AccessResultClass::Allow(allowed_classes)
+
+    let rem_class: BTreeSet<&'a str> = scoped_acp
+        .iter()
+        .flat_map(|acp| acp.rem_classes.iter().map(|s| s.as_str()))
+        .collect();
+
+    AccessModResult::Allow {
+        pres_attr,
+        rem_attr,
+        pres_class,
+        rem_class,
+    }
 }
 
-fn modify_sync_constrain(
+fn modify_sync_constrain<'a>(
     ident: &Identity,
     entry: &Arc<EntrySealedCommitted>,
     sync_agreements: &HashMap<Uuid, BTreeSet<Attribute>>,
-) -> AccessResult {
+) -> AccessModResult<'a> {
     match &ident.origin {
-        IdentType::Internal => AccessResult::Ignore,
+        IdentType::Internal => AccessModResult::Ignore,
         IdentType::Synch(_) => {
             // Allowed to mod sync objects. Later we'll probably need to check the limits of what
             // it can do if we go that way.
-            AccessResult::Ignore
+            AccessModResult::Ignore
         }
         IdentType::User(_) => {
             // We need to meet these conditions.
@@ -259,7 +305,7 @@ fn modify_sync_constrain(
                 .unwrap_or(false);
 
             if !is_sync {
-                return AccessResult::Ignore;
+                return AccessModResult::Ignore;
             }
 
             if let Some(sync_uuid) = entry.get_ava_single_refer(Attribute::SyncParentUuid) {
@@ -274,11 +320,115 @@ fn modify_sync_constrain(
                     set.extend(sync_yield_authority.iter().cloned())
                 }
 
-                AccessResult::Constrain(set)
+                AccessModResult::Constrain {
+                    pres_attr: set.clone(),
+                    rem_attr: set,
+                    pres_cls: None,
+                    rem_cls: None,
+                }
             } else {
                 warn!(entry = ?entry.get_uuid(), "sync_parent_uuid not found on sync object, preventing all access");
-                AccessResult::Denied
+                AccessModResult::Deny
             }
         }
     }
 }
+
+/// Verify if the modification runs into limits that are defined by our protection rules.
+fn modify_protected_attrs<'a>(
+    ident: &Identity,
+    entry: &Arc<EntrySealedCommitted>,
+) -> AccessModResult<'a> {
+    match &ident.origin {
+        IdentType::Internal | IdentType::Synch(_) => {
+            // We don't constraint or influence these.
+            AccessModResult::Ignore
+        }
+        IdentType::User(_) => {
+            if let Some(classes) = entry.get_ava_as_iutf8(Attribute::Class) {
+                if classes.is_disjoint(&PROTECTED_MOD_ENTRY_CLASSES) {
+                    // Not protected, go ahead
+                    AccessModResult::Ignore
+                } else {
+                    // Okay, the entry is protected, apply the full ruleset.
+                    modify_protected_entry_attrs(classes)
+                }
+            } else {
+                // Nothing to check - this entry will fail to modify anyway because it has
+                // no classes
+                AccessModResult::Ignore
+            }
+        }
+    }
+}
+
+fn modify_protected_entry_attrs<'a>(classes: &BTreeSet<String>) -> AccessModResult<'a> {
+    // This is where the majority of the logic is - this contains the modification
+    // rules as they apply.
+
+    // First check for the hard-deny rules.
+    if !classes.is_disjoint(&LOCKED_ENTRY_CLASSES) {
+        // Hard deny attribute modifications to these types.
+        return AccessModResult::Deny;
+    }
+
+    let mut constrain_attrs = BTreeSet::default();
+
+    // Allows removal of the recycled class specifically on recycled entries.
+    if classes.contains(EntryClass::Recycled.into()) {
+        constrain_attrs.extend([Attribute::Class]);
+    }
+
+    if classes.contains(EntryClass::ClassType.into()) {
+        constrain_attrs.extend([Attribute::May, Attribute::Must]);
+    }
+
+    if classes.contains(EntryClass::SystemConfig.into()) {
+        constrain_attrs.extend([Attribute::BadlistPassword]);
+    }
+
+    // Allow domain settings.
+    if classes.contains(EntryClass::DomainInfo.into()) {
+        constrain_attrs.extend([
+            Attribute::DomainSsid,
+            Attribute::DomainLdapBasedn,
+            Attribute::LdapMaxQueryableAttrs,
+            Attribute::LdapAllowUnixPwBind,
+            Attribute::FernetPrivateKeyStr,
+            Attribute::Es256PrivateKeyDer,
+            Attribute::KeyActionRevoke,
+            Attribute::KeyActionRotate,
+            Attribute::IdVerificationEcKey,
+            Attribute::DeniedName,
+            Attribute::DomainDisplayName,
+            Attribute::Image,
+        ]);
+    }
+
+    // Allow account policy related attributes to be changed on dyngroup
+    if classes.contains(EntryClass::DynGroup.into()) {
+        constrain_attrs.extend([
+            Attribute::AuthSessionExpiry,
+            Attribute::AuthPasswordMinimumLength,
+            Attribute::CredentialTypeMinimum,
+            Attribute::PrivilegeExpiry,
+            Attribute::WebauthnAttestationCaList,
+            Attribute::LimitSearchMaxResults,
+            Attribute::LimitSearchMaxFilterTest,
+            Attribute::AllowPrimaryCredFallback,
+        ]);
+    }
+
+    // If we don't constrain the attributes at all, we have to deny the change
+    // from proceeding.
+    if constrain_attrs.is_empty() {
+        AccessModResult::Deny
+    } else {
+        AccessModResult::Constrain {
+            pres_attr: constrain_attrs.clone(),
+            rem_attr: constrain_attrs,
+            pres_cls: None,
+            rem_cls: None,
+        }
+    }
+}

server/lib/src/server/access/profiles.rs

@@ -266,9 +266,10 @@ pub struct AccessControlModifyResolved<'a> {
 #[derive(Debug, Clone)]
 pub struct AccessControlModify {
     pub acp: AccessControlProfile,
-    pub classes: Vec<AttrString>,
     pub presattrs: Vec<Attribute>,
     pub remattrs: Vec<Attribute>,
+    pub pres_classes: Vec<AttrString>,
+    pub rem_classes: Vec<AttrString>,
 }
 
 impl AccessControlModify {
@@ -293,14 +294,25 @@ impl AccessControlModify {
             .map(|i| i.map(Attribute::from).collect())
             .unwrap_or_default();
 
-        let classes = value
+        let classes: Vec<AttrString> = value
             .get_ava_iter_iutf8(Attribute::AcpModifyClass)
             .map(|i| i.map(AttrString::from).collect())
             .unwrap_or_default();
 
+        let pres_classes = value
+            .get_ava_iter_iutf8(Attribute::AcpModifyPresentClass)
+            .map(|i| i.map(AttrString::from).collect())
+            .unwrap_or_else(|| classes.clone());
+
+        let rem_classes = value
+            .get_ava_iter_iutf8(Attribute::AcpModifyRemoveClass)
+            .map(|i| i.map(AttrString::from).collect())
+            .unwrap_or_else(|| classes);
+
         Ok(AccessControlModify {
             acp: AccessControlProfile::try_from(qs, value)?,
-            classes,
+            pres_classes,
+            rem_classes,
             presattrs,
             remattrs,
         })
@@ -316,7 +328,8 @@ impl AccessControlModify {
         targetscope: Filter<FilterValid>,
         presattrs: &str,
         remattrs: &str,
-        classes: &str,
+        pres_classes: &str,
+        rem_classes: &str,
     ) -> Self {
         AccessControlModify {
             acp: AccessControlProfile {
@@ -325,7 +338,14 @@ impl AccessControlModify {
                 receiver: AccessControlReceiver::Group(btreeset!(receiver)),
                 target: AccessControlTarget::Scope(targetscope),
             },
-            classes: classes.split_whitespace().map(AttrString::from).collect(),
+            pres_classes: pres_classes
+                .split_whitespace()
+                .map(AttrString::from)
+                .collect(),
+            rem_classes: rem_classes
+                .split_whitespace()
+                .map(AttrString::from)
+                .collect(),
             presattrs: presattrs.split_whitespace().map(Attribute::from).collect(),
             remattrs: remattrs.split_whitespace().map(Attribute::from).collect(),
         }
@@ -340,7 +360,8 @@ impl AccessControlModify {
         target: AccessControlTarget,
         presattrs: &str,
         remattrs: &str,
-        classes: &str,
+        pres_classes: &str,
+        rem_classes: &str,
     ) -> Self {
         AccessControlModify {
             acp: AccessControlProfile {
@@ -349,7 +370,14 @@ impl AccessControlModify {
                 receiver: AccessControlReceiver::EntryManager,
                 target,
             },
-            classes: classes.split_whitespace().map(AttrString::from).collect(),
+            pres_classes: pres_classes
+                .split_whitespace()
+                .map(AttrString::from)
+                .collect(),
+            rem_classes: rem_classes
+                .split_whitespace()
+                .map(AttrString::from)
+                .collect(),
             presattrs: presattrs.split_whitespace().map(Attribute::from).collect(),
             remattrs: remattrs.split_whitespace().map(Attribute::from).collect(),
         }

server/lib/src/server/access/protected.rs

@@ -0,0 +1,83 @@
+use crate::prelude::EntryClass;
+use std::collections::BTreeSet;
+use std::sync::LazyLock;
+
+/// These entry classes may not be created or deleted, and may invoke some protection rules
+/// if on an entry.
+pub static PROTECTED_ENTRY_CLASSES: LazyLock<BTreeSet<String>> = LazyLock::new(|| {
+    let classes = vec![
+        EntryClass::System,
+        EntryClass::DomainInfo,
+        EntryClass::SystemInfo,
+        EntryClass::SystemConfig,
+        EntryClass::DynGroup,
+        EntryClass::SyncObject,
+        EntryClass::Tombstone,
+        EntryClass::Recycled,
+    ];
+
+    BTreeSet::from_iter(classes.into_iter().map(|ec| ec.into()))
+});
+
+/// Entries with these classes are protected from modifications - not that
+/// sync object is not present here as there are separate rules for that in
+/// the modification access module.
+///
+/// Recycled is also not protected here as it needs to be able to be removed
+/// by a recycle bin admin.
+pub static PROTECTED_MOD_ENTRY_CLASSES: LazyLock<BTreeSet<String>> = LazyLock::new(|| {
+    let classes = vec![
+        EntryClass::System,
+        EntryClass::DomainInfo,
+        EntryClass::SystemInfo,
+        EntryClass::SystemConfig,
+        EntryClass::DynGroup,
+        // EntryClass::SyncObject,
+        EntryClass::Tombstone,
+        EntryClass::Recycled,
+    ];
+
+    BTreeSet::from_iter(classes.into_iter().map(|ec| ec.into()))
+});
+
+/// These classes may NOT be added to ANY ENTRY
+pub static PROTECTED_MOD_PRES_ENTRY_CLASSES: LazyLock<BTreeSet<String>> = LazyLock::new(|| {
+    let classes = vec![
+        EntryClass::System,
+        EntryClass::DomainInfo,
+        EntryClass::SystemInfo,
+        EntryClass::SystemConfig,
+        EntryClass::DynGroup,
+        EntryClass::SyncObject,
+        EntryClass::Tombstone,
+        EntryClass::Recycled,
+    ];
+
+    BTreeSet::from_iter(classes.into_iter().map(|ec| ec.into()))
+});
+
+/// These classes may NOT be removed from ANY ENTRY
+pub static PROTECTED_MOD_REM_ENTRY_CLASSES: LazyLock<BTreeSet<String>> = LazyLock::new(|| {
+    let classes = vec![
+        EntryClass::System,
+        EntryClass::DomainInfo,
+        EntryClass::SystemInfo,
+        EntryClass::SystemConfig,
+        EntryClass::DynGroup,
+        EntryClass::SyncObject,
+        EntryClass::Tombstone,
+        // EntryClass::Recycled,
+    ];
+
+    BTreeSet::from_iter(classes.into_iter().map(|ec| ec.into()))
+});
+
+/// Entries with these classes may not be modified under any circumstance.
+pub static LOCKED_ENTRY_CLASSES: LazyLock<BTreeSet<String>> = LazyLock::new(|| {
+    let classes = vec![
+        EntryClass::Tombstone,
+        // EntryClass::Recycled,
+    ];
+
+    BTreeSet::from_iter(classes.into_iter().map(|ec| ec.into()))
+});

server/lib/src/server/access/search.rs

@@ -4,11 +4,11 @@ use std::collections::BTreeSet;
 use super::profiles::{
     AccessControlReceiverCondition, AccessControlSearchResolved, AccessControlTargetCondition,
 };
-use super::AccessResult;
+use super::AccessSrchResult;
 use std::sync::Arc;
 
 pub(super) enum SearchResult {
-    Denied,
+    Deny,
     Grant,
     Allow(BTreeSet<Attribute>),
 }
@@ -23,32 +23,32 @@ pub(super) fn apply_search_access(
     // that.
     let mut denied = false;
     let mut grant = false;
-    let mut constrain = BTreeSet::default();
+    let constrain = BTreeSet::default();
     let mut allow = BTreeSet::default();
 
     // The access control profile
     match search_filter_entry(ident, related_acp, entry) {
-        AccessResult::Denied => denied = true,
-        AccessResult::Grant => grant = true,
-        AccessResult::Ignore => {}
-        AccessResult::Constrain(mut set) => constrain.append(&mut set),
-        AccessResult::Allow(mut set) => allow.append(&mut set),
+        AccessSrchResult::Deny => denied = true,
+        AccessSrchResult::Grant => grant = true,
+        AccessSrchResult::Ignore => {}
+        // AccessSrchResult::Constrain { mut attr } => constrain.append(&mut attr),
+        AccessSrchResult::Allow { mut attr } => allow.append(&mut attr),
     };
 
     match search_oauth2_filter_entry(ident, entry) {
-        AccessResult::Denied => denied = true,
-        AccessResult::Grant => grant = true,
-        AccessResult::Ignore => {}
-        AccessResult::Constrain(mut set) => constrain.append(&mut set),
-        AccessResult::Allow(mut set) => allow.append(&mut set),
+        AccessSrchResult::Deny => denied = true,
+        AccessSrchResult::Grant => grant = true,
+        AccessSrchResult::Ignore => {}
+        // AccessSrchResult::Constrain { mut attr } => constrain.append(&mut attr),
+        AccessSrchResult::Allow { mut attr } => allow.append(&mut attr),
     };
 
     match search_sync_account_filter_entry(ident, entry) {
-        AccessResult::Denied => denied = true,
-        AccessResult::Grant => grant = true,
-        AccessResult::Ignore => {}
-        AccessResult::Constrain(mut set) => constrain.append(&mut set),
-        AccessResult::Allow(mut set) => allow.append(&mut set),
+        AccessSrchResult::Deny => denied = true,
+        AccessSrchResult::Grant => grant = true,
+        AccessSrchResult::Ignore => {}
+        // AccessSrchResult::Constrain{ mut attr } => constrain.append(&mut attr),
+        AccessSrchResult::Allow { mut attr } => allow.append(&mut attr),
     };
 
     // We'll add more modules later.
@@ -56,7 +56,7 @@ pub(super) fn apply_search_access(
     // Now finalise the decision.
 
     if denied {
-        SearchResult::Denied
+        SearchResult::Deny
     } else if grant {
         SearchResult::Grant
     } else {
@@ -74,17 +74,17 @@ fn search_filter_entry(
     ident: &Identity,
     related_acp: &[AccessControlSearchResolved],
     entry: &Arc<EntrySealedCommitted>,
-) -> AccessResult {
+) -> AccessSrchResult {
     // If this is an internal search, return our working set.
     match &ident.origin {
         IdentType::Internal => {
             trace!(uuid = ?entry.get_display_id(), "Internal operation, bypassing access check");
             // No need to check ACS
-            return AccessResult::Grant;
+            return AccessSrchResult::Grant;
         }
         IdentType::Synch(_) => {
             security_debug!(uuid = ?entry.get_display_id(), "Blocking sync check");
-            return AccessResult::Denied;
+            return AccessSrchResult::Deny;
         }
         IdentType::User(_) => {}
     };
@@ -95,7 +95,7 @@ fn search_filter_entry(
             security_debug!(
                 "denied ❌ - identity access scope 'Synchronise' is not permitted to search"
             );
-            return AccessResult::Denied;
+            return AccessSrchResult::Deny;
         }
         AccessScope::ReadOnly | AccessScope::ReadWrite => {
             // As you were
@@ -161,16 +161,21 @@ fn search_filter_entry(
         .flatten()
         .collect();
 
-    AccessResult::Allow(allowed_attrs)
+    AccessSrchResult::Allow {
+        attr: allowed_attrs,
+    }
 }
 
-fn search_oauth2_filter_entry(ident: &Identity, entry: &Arc<EntrySealedCommitted>) -> AccessResult {
+fn search_oauth2_filter_entry(
+    ident: &Identity,
+    entry: &Arc<EntrySealedCommitted>,
+) -> AccessSrchResult {
     match &ident.origin {
-        IdentType::Internal | IdentType::Synch(_) => AccessResult::Ignore,
+        IdentType::Internal | IdentType::Synch(_) => AccessSrchResult::Ignore,
         IdentType::User(iuser) => {
             if iuser.entry.get_uuid() == UUID_ANONYMOUS {
                 debug!("Anonymous can't access OAuth2 entries, ignoring");
-                return AccessResult::Ignore;
+                return AccessSrchResult::Ignore;
             }
 
             let contains_o2_rs = entry
@@ -190,16 +195,18 @@ fn search_oauth2_filter_entry(ident: &Identity, entry: &Arc<EntrySealedCommitted
             if contains_o2_rs && contains_o2_scope_member {
                 security_debug!(entry = ?entry.get_uuid(), ident = ?iuser.entry.get_uuid2rdn(), "ident is a memberof a group granted an oauth2 scope by this entry");
 
-                return AccessResult::Allow(btreeset!(
-                    Attribute::Class,
-                    Attribute::DisplayName,
-                    Attribute::Uuid,
-                    Attribute::Name,
-                    Attribute::OAuth2RsOriginLanding,
-                    Attribute::Image
-                ));
+                return AccessSrchResult::Allow {
+                    attr: btreeset!(
+                        Attribute::Class,
+                        Attribute::DisplayName,
+                        Attribute::Uuid,
+                        Attribute::Name,
+                        Attribute::OAuth2RsOriginLanding,
+                        Attribute::Image
+                    ),
+                };
             }
-            AccessResult::Ignore
+            AccessSrchResult::Ignore
         }
     }
 }
@@ -207,9 +214,9 @@ fn search_oauth2_filter_entry(ident: &Identity, entry: &Arc<EntrySealedCommitted
 fn search_sync_account_filter_entry(
     ident: &Identity,
     entry: &Arc<EntrySealedCommitted>,
-) -> AccessResult {
+) -> AccessSrchResult {
     match &ident.origin {
-        IdentType::Internal | IdentType::Synch(_) => AccessResult::Ignore,
+        IdentType::Internal | IdentType::Synch(_) => AccessSrchResult::Ignore,
         IdentType::User(iuser) => {
             // Is the user a synced object?
             let is_user_sync_account = iuser
@@ -244,16 +251,18 @@ fn search_sync_account_filter_entry(
                         // We finally got here!
                         security_debug!(entry = ?entry.get_uuid(), ident = ?iuser.entry.get_uuid2rdn(), "ident is a synchronised account from this sync account");
 
-                        return AccessResult::Allow(btreeset!(
-                            Attribute::Class,
-                            Attribute::Uuid,
-                            Attribute::SyncCredentialPortal
-                        ));
+                        return AccessSrchResult::Allow {
+                            attr: btreeset!(
+                                Attribute::Class,
+                                Attribute::Uuid,
+                                Attribute::SyncCredentialPortal
+                            ),
+                        };
                     }
                 }
             }
             // Fall through
-            AccessResult::Ignore
+            AccessSrchResult::Ignore
         }
     }
 }

server/lib/src/server/create.rs

@@ -7,7 +7,7 @@ impl QueryServerWriteTransaction<'_> {
     /// The create event is a raw, read only representation of the request
     /// that was made to us, including information about the identity
     /// performing the request.
-    pub fn create(&mut self, ce: &CreateEvent) -> Result<(), OperationError> {
+    pub fn create(&mut self, ce: &CreateEvent) -> Result<Option<Vec<Uuid>>, OperationError> {
         if !ce.ident.is_internal() {
             security_info!(name = %ce.ident, "create initiator");
         }
@@ -174,7 +174,12 @@ impl QueryServerWriteTransaction<'_> {
         } else {
             admin_info!("Create operation success");
         }
-        Ok(())
+
+        if ce.return_created_uuids {
+            Ok(Some(commit_cand.iter().map(|e| e.get_uuid()).collect()))
+        } else {
+            Ok(None)
+        }
     }
 
     pub fn internal_create(
@@ -182,7 +187,7 @@ impl QueryServerWriteTransaction<'_> {
         entries: Vec<Entry<EntryInit, EntryNew>>,
     ) -> Result<(), OperationError> {
         let ce = CreateEvent::new_internal(entries);
-        self.create(&ce)
+        self.create(&ce).map(|_| ())
     }
 }
 

server/lib/src/server/mod.rs

@@ -28,8 +28,6 @@ use crate::schema::{
     SchemaWriteTransaction,
 };
 use crate::value::{CredentialType, EXTRACT_VAL_DN};
-use crate::valueset::uuid_to_proto_string;
-use crate::valueset::ScimValueIntermediate;
 use crate::valueset::*;
 use concread::arcache::{ARCacheBuilder, ARCacheReadTxn, ARCacheWriteTxn};
 use concread::cowcell::*;
@@ -1004,138 +1002,6 @@ pub trait QueryServerTransaction<'a> {
         }
     }
 
-    fn resolve_scim_json_put(
-        &mut self,
-        attr: &Attribute,
-        value: Option<JsonValue>,
-    ) -> Result<Option<ValueSet>, OperationError> {
-        let schema = self.get_schema();
-        // Lookup the attr
-        let Some(schema_a) = schema.get_attributes().get(attr) else {
-            // No attribute of this name exists - fail fast, there is no point to
-            // proceed, as nothing can be satisfied.
-            return Err(OperationError::InvalidAttributeName(attr.to_string()));
-        };
-
-        let Some(value) = value else {
-            // It's a none so the value needs to be unset, and the attr DOES exist in
-            // schema.
-            return Ok(None);
-        };
-
-        let resolve_status = match schema_a.syntax {
-            SyntaxType::Utf8String => ValueSetUtf8::from_scim_json_put(value),
-            SyntaxType::Utf8StringInsensitive => ValueSetIutf8::from_scim_json_put(value),
-            SyntaxType::Uuid => ValueSetUuid::from_scim_json_put(value),
-            SyntaxType::Boolean => ValueSetBool::from_scim_json_put(value),
-            SyntaxType::SyntaxId => ValueSetSyntax::from_scim_json_put(value),
-            SyntaxType::IndexId => ValueSetIndex::from_scim_json_put(value),
-            SyntaxType::ReferenceUuid => ValueSetRefer::from_scim_json_put(value),
-            SyntaxType::Utf8StringIname => ValueSetIname::from_scim_json_put(value),
-            SyntaxType::NsUniqueId => ValueSetNsUniqueId::from_scim_json_put(value),
-            SyntaxType::DateTime => ValueSetDateTime::from_scim_json_put(value),
-            SyntaxType::EmailAddress => ValueSetEmailAddress::from_scim_json_put(value),
-            SyntaxType::Url => ValueSetUrl::from_scim_json_put(value),
-            SyntaxType::OauthScope => ValueSetOauthScope::from_scim_json_put(value),
-            SyntaxType::OauthScopeMap => ValueSetOauthScopeMap::from_scim_json_put(value),
-            SyntaxType::OauthClaimMap => ValueSetOauthClaimMap::from_scim_json_put(value),
-            SyntaxType::UiHint => ValueSetUiHint::from_scim_json_put(value),
-            SyntaxType::CredentialType => ValueSetCredentialType::from_scim_json_put(value),
-            SyntaxType::Certificate => ValueSetCertificate::from_scim_json_put(value),
-            SyntaxType::SshKey => ValueSetSshKey::from_scim_json_put(value),
-            SyntaxType::Uint32 => ValueSetUint32::from_scim_json_put(value),
-
-            // Not Yet ... if ever
-            // SyntaxType::JsonFilter => ValueSetJsonFilter::from_scim_json_put(value),
-            SyntaxType::JsonFilter => Err(OperationError::InvalidAttribute(
-                "Json Filters are not able to be set.".to_string(),
-            )),
-            // Can't be set currently as these are only internally generated for key-id's
-            // SyntaxType::HexString => ValueSetHexString::from_scim_json_put(value),
-            SyntaxType::HexString => Err(OperationError::InvalidAttribute(
-                "Hex strings are not able to be set.".to_string(),
-            )),
-
-            // Can't be set until we have better error handling in the set paths
-            // SyntaxType::Image => ValueSetImage::from_scim_json_put(value),
-            SyntaxType::Image => Err(OperationError::InvalidAttribute(
-                "Images are not able to be set.".to_string(),
-            )),
-
-            // Can't be set yet, mostly as I'm lazy
-            // SyntaxType::WebauthnAttestationCaList => {
-            //    ValueSetWebauthnAttestationCaList::from_scim_json_put(value)
-            // }
-            SyntaxType::WebauthnAttestationCaList => Err(OperationError::InvalidAttribute(
-                "Webauthn Attestation Ca Lists are not able to be set.".to_string(),
-            )),
-
-            // Syntax types that can not be submitted
-            SyntaxType::Credential => Err(OperationError::InvalidAttribute(
-                "Credentials are not able to be set.".to_string(),
-            )),
-            SyntaxType::SecretUtf8String => Err(OperationError::InvalidAttribute(
-                "Secrets are not able to be set.".to_string(),
-            )),
-            SyntaxType::SecurityPrincipalName => Err(OperationError::InvalidAttribute(
-                "SPNs are not able to be set.".to_string(),
-            )),
-            SyntaxType::Cid => Err(OperationError::InvalidAttribute(
-                "CIDs are not able to be set.".to_string(),
-            )),
-            SyntaxType::PrivateBinary => Err(OperationError::InvalidAttribute(
-                "Private Binaries are not able to be set.".to_string(),
-            )),
-            SyntaxType::IntentToken => Err(OperationError::InvalidAttribute(
-                "Intent Tokens are not able to be set.".to_string(),
-            )),
-            SyntaxType::Passkey => Err(OperationError::InvalidAttribute(
-                "Passkeys are not able to be set.".to_string(),
-            )),
-            SyntaxType::AttestedPasskey => Err(OperationError::InvalidAttribute(
-                "Attested Passkeys are not able to be set.".to_string(),
-            )),
-            SyntaxType::Session => Err(OperationError::InvalidAttribute(
-                "Sessions are not able to be set.".to_string(),
-            )),
-            SyntaxType::JwsKeyEs256 => Err(OperationError::InvalidAttribute(
-                "Jws ES256 Private Keys are not able to be set.".to_string(),
-            )),
-            SyntaxType::JwsKeyRs256 => Err(OperationError::InvalidAttribute(
-                "Jws RS256 Private Keys are not able to be set.".to_string(),
-            )),
-            SyntaxType::Oauth2Session => Err(OperationError::InvalidAttribute(
-                "Sessions are not able to be set.".to_string(),
-            )),
-            SyntaxType::TotpSecret => Err(OperationError::InvalidAttribute(
-                "TOTP Secrets are not able to be set.".to_string(),
-            )),
-            SyntaxType::ApiToken => Err(OperationError::InvalidAttribute(
-                "API Tokens are not able to be set.".to_string(),
-            )),
-            SyntaxType::AuditLogString => Err(OperationError::InvalidAttribute(
-                "Audit Strings are not able to be set.".to_string(),
-            )),
-            SyntaxType::EcKeyPrivate => Err(OperationError::InvalidAttribute(
-                "EC Private Keys are not able to be set.".to_string(),
-            )),
-            SyntaxType::KeyInternal => Err(OperationError::InvalidAttribute(
-                "Key Internal Structures are not able to be set.".to_string(),
-            )),
-            SyntaxType::ApplicationPassword => Err(OperationError::InvalidAttribute(
-                "Application Passwords are not able to be set.".to_string(),
-            )),
-        }?;
-
-        match resolve_status {
-            ValueSetResolveStatus::Resolved(vs) => Ok(vs),
-            ValueSetResolveStatus::NeedsResolution(vs_inter) => {
-                self.resolve_valueset_intermediate(vs_inter)
-            }
-        }
-        .map(Some)
-    }
-
     fn resolve_valueset_intermediate(
         &mut self,
         vs_inter: ValueSetIntermediate,

server/lib/src/server/scim.rs

@@ -1,23 +1,27 @@
 use crate::prelude::*;
+use crate::schema::{SchemaAttribute, SchemaTransaction};
 use crate::server::batch_modify::{BatchModifyEvent, ModSetValid};
-use kanidm_proto::scim_v1::client::ScimEntryPutGeneric;
+use crate::server::ValueSetResolveStatus;
+use crate::valueset::*;
+use kanidm_proto::scim_v1::client::{ScimEntryPostGeneric, ScimEntryPutGeneric};
+use kanidm_proto::scim_v1::JsonValue;
 use std::collections::BTreeMap;
 
-#[derive(Debug, Clone)]
+#[derive(Debug)]
 pub struct ScimEntryPutEvent {
     /// The identity performing the change.
-    pub ident: Identity,
+    pub(crate) ident: Identity,
 
     // future - etags to detect version changes.
     /// The target entry that will be changed
-    pub target: Uuid,
+    pub(crate) target: Uuid,
     /// Update an attribute to contain the following value state.
     /// If the attribute is None, it is removed.
-    pub attrs: BTreeMap<Attribute, Option<ValueSet>>,
+    pub(crate) attrs: BTreeMap<Attribute, Option<ValueSet>>,
 
     /// If an effective access check should be carried out post modification
     /// of the entries
-    pub effective_access_check: bool,
+    pub(crate) effective_access_check: bool,
 }
 
 impl ScimEntryPutEvent {
@@ -48,6 +52,60 @@ impl ScimEntryPutEvent {
     }
 }
 
+#[derive(Debug)]
+pub struct ScimCreateEvent {
+    pub(crate) ident: Identity,
+    pub(crate) entry: EntryInitNew,
+}
+
+impl ScimCreateEvent {
+    pub fn try_from(
+        ident: Identity,
+        classes: &[EntryClass],
+        entry: ScimEntryPostGeneric,
+        qs: &mut QueryServerWriteTransaction,
+    ) -> Result<Self, OperationError> {
+        let mut entry = entry
+            .attrs
+            .into_iter()
+            .map(|(attr, json_value)| {
+                qs.resolve_scim_json_post(&attr, json_value)
+                    .map(|kani_value| (attr, kani_value))
+            })
+            .collect::<Result<EntryInitNew, _>>()?;
+
+        let classes = ValueSetIutf8::from_iter(classes.iter().map(|cls| cls.as_ref()))
+            .ok_or(OperationError::SC0027ClassSetInvalid)?;
+
+        entry.set_ava_set(&Attribute::Class, classes);
+
+        Ok(ScimCreateEvent { ident, entry })
+    }
+}
+
+#[derive(Debug)]
+pub struct ScimDeleteEvent {
+    /// The identity performing the change.
+    pub(crate) ident: Identity,
+
+    // future - etags to detect version changes.
+    /// The target entry that will be changed
+    pub(crate) target: Uuid,
+
+    /// The class of the target entry.
+    pub(crate) class: EntryClass,
+}
+
+impl ScimDeleteEvent {
+    pub fn new(ident: Identity, target: Uuid, class: EntryClass) -> Self {
+        ScimDeleteEvent {
+            ident,
+            target,
+            class,
+        }
+    }
+}
+
 impl QueryServerWriteTransaction<'_> {
     /// SCIM PUT is the handler where a single entry is updated. In a SCIM PUT request
     /// the request defines the state of an attribute in entirety for the update. This
@@ -115,6 +173,251 @@ impl QueryServerWriteTransaction<'_> {
             }
         }
     }
+
+    pub fn scim_create(
+        &mut self,
+        scim_create: ScimCreateEvent,
+    ) -> Result<ScimEntryKanidm, OperationError> {
+        let ScimCreateEvent { ident, entry } = scim_create;
+
+        let create_event = CreateEvent {
+            ident,
+            entries: vec![entry],
+            return_created_uuids: true,
+        };
+
+        let changed_uuids = self.create(&create_event)?;
+
+        let mut changed_uuids = changed_uuids.ok_or(OperationError::SC0028CreatedUuidsInvalid)?;
+
+        let target = if let Some(target) = changed_uuids.pop() {
+            if !changed_uuids.is_empty() {
+                // Too many results!
+                return Err(OperationError::UniqueConstraintViolation);
+            }
+
+            target
+        } else {
+            // No results!
+            return Err(OperationError::NoMatchingEntries);
+        };
+
+        // Now get the entry. We handle a lot of the errors here nicely,
+        // but if we got to this point, they really can't happen.
+        let filter_intent = filter!(f_and!([f_eq(Attribute::Uuid, PartialValue::Uuid(target))]));
+
+        let f_intent_valid = filter_intent
+            .validate(self.get_schema())
+            .map_err(OperationError::SchemaViolation)?;
+
+        let f_valid = f_intent_valid.clone().into_ignore_hidden();
+
+        let se = SearchEvent {
+            ident: create_event.ident,
+            filter: f_valid,
+            filter_orig: f_intent_valid,
+            // Return all attributes
+            attrs: None,
+            effective_access_check: false,
+        };
+
+        let mut vs = self.search_ext(&se)?;
+        match vs.pop() {
+            Some(entry) if vs.is_empty() => entry.to_scim_kanidm(self),
+            _ => {
+                if vs.is_empty() {
+                    Err(OperationError::NoMatchingEntries)
+                } else {
+                    // Multiple entries matched, should not be possible!
+                    Err(OperationError::UniqueConstraintViolation)
+                }
+            }
+        }
+    }
+
+    pub fn scim_delete(&mut self, scim_delete: ScimDeleteEvent) -> Result<(), OperationError> {
+        let ScimDeleteEvent {
+            ident,
+            target,
+            class,
+        } = scim_delete;
+
+        let filter_intent = filter!(f_eq(Attribute::Uuid, PartialValue::Uuid(target)));
+        let f_intent_valid = filter_intent
+            .validate(self.get_schema())
+            .map_err(OperationError::SchemaViolation)?;
+
+        let filter = filter!(f_and!([
+            f_eq(Attribute::Uuid, PartialValue::Uuid(target)),
+            f_eq(Attribute::Class, class.into())
+        ]));
+        let f_valid = filter
+            .validate(self.get_schema())
+            .map_err(OperationError::SchemaViolation)?;
+
+        let de = DeleteEvent {
+            ident,
+            filter: f_valid,
+            filter_orig: f_intent_valid,
+        };
+
+        self.delete(&de)
+    }
+
+    pub(crate) fn resolve_scim_json_put(
+        &mut self,
+        attr: &Attribute,
+        value: Option<JsonValue>,
+    ) -> Result<Option<ValueSet>, OperationError> {
+        let schema = self.get_schema();
+        // Lookup the attr
+        let Some(schema_a) = schema.get_attributes().get(attr) else {
+            // No attribute of this name exists - fail fast, there is no point to
+            // proceed, as nothing can be satisfied.
+            return Err(OperationError::InvalidAttributeName(attr.to_string()));
+        };
+
+        let Some(value) = value else {
+            // It's a none so the value needs to be unset, and the attr DOES exist in
+            // schema.
+            return Ok(None);
+        };
+
+        self.resolve_scim_json(schema_a, value).map(Some)
+    }
+
+    pub(crate) fn resolve_scim_json_post(
+        &mut self,
+        attr: &Attribute,
+        value: JsonValue,
+    ) -> Result<ValueSet, OperationError> {
+        let schema = self.get_schema();
+        // Lookup the attr
+        let Some(schema_a) = schema.get_attributes().get(attr) else {
+            // No attribute of this name exists - fail fast, there is no point to
+            // proceed, as nothing can be satisfied.
+            return Err(OperationError::InvalidAttributeName(attr.to_string()));
+        };
+
+        self.resolve_scim_json(schema_a, value)
+    }
+
+    fn resolve_scim_json(
+        &mut self,
+        schema_a: &SchemaAttribute,
+        value: JsonValue,
+    ) -> Result<ValueSet, OperationError> {
+        let resolve_status = match schema_a.syntax {
+            SyntaxType::Utf8String => ValueSetUtf8::from_scim_json_put(value),
+            SyntaxType::Utf8StringInsensitive => ValueSetIutf8::from_scim_json_put(value),
+            SyntaxType::Uuid => ValueSetUuid::from_scim_json_put(value),
+            SyntaxType::Boolean => ValueSetBool::from_scim_json_put(value),
+            SyntaxType::SyntaxId => ValueSetSyntax::from_scim_json_put(value),
+            SyntaxType::IndexId => ValueSetIndex::from_scim_json_put(value),
+            SyntaxType::ReferenceUuid => ValueSetRefer::from_scim_json_put(value),
+            SyntaxType::Utf8StringIname => ValueSetIname::from_scim_json_put(value),
+            SyntaxType::NsUniqueId => ValueSetNsUniqueId::from_scim_json_put(value),
+            SyntaxType::DateTime => ValueSetDateTime::from_scim_json_put(value),
+            SyntaxType::EmailAddress => ValueSetEmailAddress::from_scim_json_put(value),
+            SyntaxType::Url => ValueSetUrl::from_scim_json_put(value),
+            SyntaxType::OauthScope => ValueSetOauthScope::from_scim_json_put(value),
+            SyntaxType::OauthScopeMap => ValueSetOauthScopeMap::from_scim_json_put(value),
+            SyntaxType::OauthClaimMap => ValueSetOauthClaimMap::from_scim_json_put(value),
+            SyntaxType::UiHint => ValueSetUiHint::from_scim_json_put(value),
+            SyntaxType::CredentialType => ValueSetCredentialType::from_scim_json_put(value),
+            SyntaxType::Certificate => ValueSetCertificate::from_scim_json_put(value),
+            SyntaxType::SshKey => ValueSetSshKey::from_scim_json_put(value),
+            SyntaxType::Uint32 => ValueSetUint32::from_scim_json_put(value),
+
+            // Not Yet ... if ever
+            // SyntaxType::JsonFilter => ValueSetJsonFilter::from_scim_json_put(value),
+            SyntaxType::JsonFilter => Err(OperationError::InvalidAttribute(
+                "Json Filters are not able to be set.".to_string(),
+            )),
+            // Can't be set currently as these are only internally generated for key-id's
+            // SyntaxType::HexString => ValueSetHexString::from_scim_json_put(value),
+            SyntaxType::HexString => Err(OperationError::InvalidAttribute(
+                "Hex strings are not able to be set.".to_string(),
+            )),
+
+            // Can't be set until we have better error handling in the set paths
+            // SyntaxType::Image => ValueSetImage::from_scim_json_put(value),
+            SyntaxType::Image => Err(OperationError::InvalidAttribute(
+                "Images are not able to be set.".to_string(),
+            )),
+
+            // Can't be set yet, mostly as I'm lazy
+            // SyntaxType::WebauthnAttestationCaList => {
+            //    ValueSetWebauthnAttestationCaList::from_scim_json_put(value)
+            // }
+            SyntaxType::WebauthnAttestationCaList => Err(OperationError::InvalidAttribute(
+                "Webauthn Attestation Ca Lists are not able to be set.".to_string(),
+            )),
+
+            // Syntax types that can not be submitted
+            SyntaxType::Credential => Err(OperationError::InvalidAttribute(
+                "Credentials are not able to be set.".to_string(),
+            )),
+            SyntaxType::SecretUtf8String => Err(OperationError::InvalidAttribute(
+                "Secrets are not able to be set.".to_string(),
+            )),
+            SyntaxType::SecurityPrincipalName => Err(OperationError::InvalidAttribute(
+                "SPNs are not able to be set.".to_string(),
+            )),
+            SyntaxType::Cid => Err(OperationError::InvalidAttribute(
+                "CIDs are not able to be set.".to_string(),
+            )),
+            SyntaxType::PrivateBinary => Err(OperationError::InvalidAttribute(
+                "Private Binaries are not able to be set.".to_string(),
+            )),
+            SyntaxType::IntentToken => Err(OperationError::InvalidAttribute(
+                "Intent Tokens are not able to be set.".to_string(),
+            )),
+            SyntaxType::Passkey => Err(OperationError::InvalidAttribute(
+                "Passkeys are not able to be set.".to_string(),
+            )),
+            SyntaxType::AttestedPasskey => Err(OperationError::InvalidAttribute(
+                "Attested Passkeys are not able to be set.".to_string(),
+            )),
+            SyntaxType::Session => Err(OperationError::InvalidAttribute(
+                "Sessions are not able to be set.".to_string(),
+            )),
+            SyntaxType::JwsKeyEs256 => Err(OperationError::InvalidAttribute(
+                "Jws ES256 Private Keys are not able to be set.".to_string(),
+            )),
+            SyntaxType::JwsKeyRs256 => Err(OperationError::InvalidAttribute(
+                "Jws RS256 Private Keys are not able to be set.".to_string(),
+            )),
+            SyntaxType::Oauth2Session => Err(OperationError::InvalidAttribute(
+                "Sessions are not able to be set.".to_string(),
+            )),
+            SyntaxType::TotpSecret => Err(OperationError::InvalidAttribute(
+                "TOTP Secrets are not able to be set.".to_string(),
+            )),
+            SyntaxType::ApiToken => Err(OperationError::InvalidAttribute(
+                "API Tokens are not able to be set.".to_string(),
+            )),
+            SyntaxType::AuditLogString => Err(OperationError::InvalidAttribute(
+                "Audit Strings are not able to be set.".to_string(),
+            )),
+            SyntaxType::EcKeyPrivate => Err(OperationError::InvalidAttribute(
+                "EC Private Keys are not able to be set.".to_string(),
+            )),
+            SyntaxType::KeyInternal => Err(OperationError::InvalidAttribute(
+                "Key Internal Structures are not able to be set.".to_string(),
+            )),
+            SyntaxType::ApplicationPassword => Err(OperationError::InvalidAttribute(
+                "Application Passwords are not able to be set.".to_string(),
+            )),
+        }?;
+
+        match resolve_status {
+            ValueSetResolveStatus::Resolved(vs) => Ok(vs),
+            ValueSetResolveStatus::NeedsResolution(vs_inter) => {
+                self.resolve_valueset_intermediate(vs_inter)
+            }
+        }
+    }
 }
 
 #[cfg(test)]

server/lib/src/valueset/uuid.rs

@@ -238,6 +238,13 @@ impl ValueSetScimPut for ValueSetRefer {
     fn from_scim_json_put(value: JsonValue) -> Result<ValueSetResolveStatus, OperationError> {
         use kanidm_proto::scim_v1::client::{ScimReference, ScimReferences};
 
+        // May be a single reference, lets wrap it in an array to proceed.
+        let value = if !value.is_array() && value.is_object() {
+            JsonValue::Array(vec![value])
+        } else {
+            value
+        };
+
         let scim_refs: ScimReferences = serde_json::from_value(value).map_err(|err| {
             warn!(?err, "Invalid SCIM reference set syntax");
             OperationError::SC0002ReferenceSyntaxInvalid

server/testkit-macros/src/entry.rs

@@ -63,7 +63,7 @@ fn parse_attributes(
             "ldap" => {
                 flags.ldap = true;
                 field_modifications.extend(quote! {
-                ldapaddress: Some("on".to_string()),})
+                ldapbindaddress: Some("on".to_string()),})
             }
             _ => {
                 let field_name = p.value().left.to_token_stream(); // here we can use to_token_stream as we know we're iterating over ExprAssigns

server/testkit/src/lib.rs

@@ -84,9 +84,9 @@ pub async fn setup_async_test(mut config: Configuration) -> AsyncTestEnvironment
 
     let addr = format!("http://localhost:{}", port);
 
-    let ldap_url = if config.ldapaddress.is_some() {
+    let ldap_url = if config.ldapbindaddress.is_some() {
         let ldapport = port_loop();
-        config.ldapaddress = Some(format!("127.0.0.1:{}", ldapport));
+        config.ldapbindaddress = Some(format!("127.0.0.1:{}", ldapport));
         Url::parse(&format!("ldap://127.0.0.1:{}", ldapport))
             .inspect_err(|err| error!(?err, "ldap address setup"))
             .ok()

server/testkit/tests/testkit/ldap_basic.rs

@@ -1,5 +1,10 @@
-use kanidmd_testkit::AsyncTestEnvironment;
+use kanidm_proto::scim_v1::client::{ScimEntryApplicationPost, ScimReference};
+use kanidmd_testkit::{AsyncTestEnvironment, IDM_ADMIN_TEST_PASSWORD, IDM_ADMIN_TEST_USER};
 use ldap3_client::LdapClientBuilder;
+use tracing::debug;
+
+const TEST_PERSON: &str = "user_mcuserton";
+const TEST_GROUP: &str = "group_mcgroupington";
 
 #[kanidmd_testkit::test(ldap = true)]
 async fn test_ldap_basic_unix_bind(test_env: &AsyncTestEnvironment) {
@@ -14,3 +19,75 @@ async fn test_ldap_basic_unix_bind(test_env: &AsyncTestEnvironment) {
 
     assert_eq!(whoami, Some("u: anonymous@localhost".to_string()));
 }
+
+#[kanidmd_testkit::test(ldap = true)]
+async fn test_ldap_application_password_basic(test_env: &AsyncTestEnvironment) {
+    const APPLICATION_1_NAME: &str = "test_application_1";
+
+    // Remember, this isn't the exhaustive test for application password behaviours,
+    // those are in the main server. This is just a basic smoke test that the interfaces
+    // are exposed and work in a basic manner.
+
+    let idm_admin_rsclient = test_env.rsclient.new_session().unwrap();
+
+    // Create a person
+
+    idm_admin_rsclient
+        .auth_simple_password(IDM_ADMIN_TEST_USER, IDM_ADMIN_TEST_PASSWORD)
+        .await
+        .expect("Failed to login as admin");
+
+    idm_admin_rsclient
+        .idm_person_account_create(TEST_PERSON, TEST_PERSON)
+        .await
+        .expect("Failed to create the user");
+
+    idm_admin_rsclient
+        .idm_group_create(TEST_GROUP, None)
+        .await
+        .expect("Failed to create test group");
+
+    // Create two applications
+
+    let application_1 = ScimEntryApplicationPost {
+        name: APPLICATION_1_NAME.to_string(),
+        displayname: APPLICATION_1_NAME.to_string(),
+        linked_group: ScimReference::from(TEST_GROUP),
+    };
+
+    let application_entry = idm_admin_rsclient
+        .idm_application_create(&application_1)
+        .await
+        .expect("Failed to create the user");
+
+    debug!(?application_entry);
+
+    // List, get them.
+
+    // Login as the person
+
+    // Create application passwords
+
+    // Check the work.
+
+    // Check they can't cross talk.
+
+    // Done!
+
+    // let ldap_url = test_env.ldap_url.as_ref().unwrap();
+
+    // let mut ldap_client = LdapClientBuilder::new(ldap_url).build().await.unwrap();
+
+    let result = idm_admin_rsclient
+        .idm_application_delete(APPLICATION_1_NAME)
+        .await
+        .expect("Failed to create the user");
+
+    debug!(?result);
+
+    // Delete the applications
+
+    // Check that you can no longer bind.
+
+    // They no longer list
+}

tools/orca/src/models/read.rs

@@ -83,7 +83,7 @@ impl ActorReader {
         // Is this a design flaw? We probably need to know what the state was that we
         // requested to move to?
         match (&self.state, action, result) {
-            (State::Unauthenticated { .. }, TransitionAction::Login, TransitionResult::Ok) => {
+            (State::Unauthenticated, TransitionAction::Login, TransitionResult::Ok) => {
                 self.state = State::Authenticated;
             }
             (State::Authenticated, TransitionAction::ReadSelfMemberOf, TransitionResult::Ok) => {

unix_integration/common/Cargo.toml

@@ -14,6 +14,8 @@ repository = { workspace = true }
 [features]
 default = ["unix"]
 unix = []
+selinux = ["dep:selinux"]
+tpm = []
 
 [lib]
 name = "kanidm_unix_common"
@@ -35,6 +37,11 @@ tokio-util = { workspace = true, features = ["codec"] }
 toml = { workspace = true }
 tracing = { workspace = true }
 
+selinux = { workspace = true, optional = true }
+
+[target.'cfg(not(target_family = "windows"))'.dependencies]
+kanidm_utils_users = { workspace = true }
+
 [build-dependencies]
 kanidm_build_profiles = { workspace = true }
 

unix_integration/common/src/lib.rs

@@ -26,3 +26,6 @@ pub mod unix_config;
 pub mod unix_passwd;
 #[cfg(target_family = "unix")]
 pub mod unix_proto;
+
+#[cfg(all(target_family = "unix", feature = "selinux"))]
+pub mod selinux_util;

unix_integration/common/src/unix_config.rs

@@ -1,13 +1,24 @@
+//! This is configuration definitions and parser for the various unix integration
+//! tools and services. This needs to support a number of use cases like pam/nss
+//! modules parsing the config quickly and the unix daemon which has to connect to
+//! various backend sources.
+//!
+//! To achieve this the configuration has two main sections - the configuration
+//! specification which will be parsed by the tools, then the configuration as
+//! relevant to that tool.
+
+use std::env;
 use std::fmt::{Display, Formatter};
 use std::fs::File;
 use std::io::{ErrorKind, Read};
-use std::path::Path;
+use std::path::{Path, PathBuf};
 
+#[cfg(all(target_family = "unix", feature = "selinux"))]
+use crate::selinux_util;
 use crate::unix_passwd::UnixIntegrationError;
 
-use serde::Deserialize;
-
 use crate::constants::*;
+use serde::Deserialize;
 
 #[derive(Debug, Copy, Clone)]
 pub enum HomeAttr {
@@ -49,35 +60,539 @@ impl Display for UidAttr {
     }
 }
 
+#[derive(Debug, Clone, Default)]
+pub enum HsmType {
+    #[cfg_attr(not(feature = "tpm"), default)]
+    Soft,
+    #[cfg_attr(feature = "tpm", default)]
+    TpmIfPossible,
+    Tpm,
+}
+
+impl Display for HsmType {
+    fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
+        match self {
+            HsmType::Soft => write!(f, "Soft"),
+            HsmType::TpmIfPossible => write!(f, "Tpm if possible"),
+            HsmType::Tpm => write!(f, "Tpm"),
+        }
+    }
+}
+
+// Allowed as the large enum is only short lived at startup to the true config
+#[allow(clippy::large_enum_variant)]
+// This bit of magic lets us deserialise the old config and the new versions.
 #[derive(Debug, Deserialize)]
-struct ConfigInt {
+#[serde(untagged)]
+enum ConfigUntagged {
+    Versioned(ConfigVersion),
+    Legacy(ConfigInt),
+}
+
+#[derive(Debug, Deserialize)]
+#[serde(tag = "version")]
+enum ConfigVersion {
+    #[serde(rename = "2")]
+    V2 {
+        #[serde(flatten)]
+        values: ConfigV2,
+    },
+}
+
+#[derive(Debug, Deserialize)]
+#[serde(deny_unknown_fields)]
+/// This is the version 2 of the JSON configuration specification for the unixd suite.
+struct ConfigV2 {
+    cache_db_path: Option<String>,
     sock_path: Option<String>,
+    task_sock_path: Option<String>,
+
+    cache_timeout: Option<u64>,
+
+    default_shell: Option<String>,
+    home_prefix: Option<String>,
+    home_mount_prefix: Option<String>,
+    home_attr: Option<String>,
+    home_alias: Option<String>,
+    use_etc_skel: Option<bool>,
+    uid_attr_map: Option<String>,
+    gid_attr_map: Option<String>,
+    selinux: Option<bool>,
+
+    hsm_pin_path: Option<String>,
+    hsm_type: Option<String>,
+    tpm_tcti_name: Option<String>,
+
+    kanidm: Option<KanidmConfigV2>,
+}
+
+#[derive(Clone, Debug, Deserialize)]
+pub struct GroupMap {
+    pub local: String,
+    pub with: String,
+}
+
+#[derive(Debug, Deserialize)]
+struct KanidmConfigV2 {
     conn_timeout: Option<u64>,
+    request_timeout: Option<u64>,
+    pam_allowed_login_groups: Option<Vec<String>>,
+    #[serde(default)]
+    map_group: Vec<GroupMap>,
+}
+
+#[derive(Debug, Deserialize)]
+/// This is the version 1 of the JSON configuration specification for the unixd suite.
+struct ConfigInt {
+    db_path: Option<String>,
+    sock_path: Option<String>,
+    task_sock_path: Option<String>,
+    conn_timeout: Option<u64>,
+    request_timeout: Option<u64>,
+    cache_timeout: Option<u64>,
+    pam_allowed_login_groups: Option<Vec<String>>,
+    default_shell: Option<String>,
+    home_prefix: Option<String>,
+    home_mount_prefix: Option<String>,
+    home_attr: Option<String>,
+    home_alias: Option<String>,
+    use_etc_skel: Option<bool>,
+    uid_attr_map: Option<String>,
+    gid_attr_map: Option<String>,
+    selinux: Option<bool>,
+    #[serde(default)]
+    allow_local_account_override: Vec<String>,
+
+    hsm_pin_path: Option<String>,
+    hsm_type: Option<String>,
+    tpm_tcti_name: Option<String>,
+
+    // Detect and warn on values in these places - this is to catch
+    // when someone is using a v2 value on a v1 config.
+    #[serde(default)]
+    cache_db_path: Option<toml::value::Value>,
+    #[serde(default)]
+    kanidm: Option<toml::value::Value>,
+}
+
+// ========================================================================
+
+#[derive(Debug)]
+/// This is the parsed Kanidm provider configuration that the Unixd resolver
+/// will use to connect to Kanidm.
+pub struct KanidmConfig {
+    pub conn_timeout: u64,
+    pub request_timeout: u64,
+    pub pam_allowed_login_groups: Vec<String>,
+    pub map_group: Vec<GroupMap>,
 }
 
 #[derive(Debug)]
-pub struct KanidmUnixdConfig {
+/// This is the parsed configuration for the Unixd resolver.
+pub struct UnixdConfig {
+    pub cache_db_path: String,
+    pub sock_path: String,
+    pub task_sock_path: String,
+    pub cache_timeout: u64,
+    pub unix_sock_timeout: u64,
+    pub default_shell: String,
+    pub home_prefix: PathBuf,
+    pub home_mount_prefix: Option<PathBuf>,
+    pub home_attr: HomeAttr,
+    pub home_alias: Option<HomeAttr>,
+    pub use_etc_skel: bool,
+    pub uid_attr_map: UidAttr,
+    pub gid_attr_map: UidAttr,
+    pub selinux: bool,
+    pub hsm_type: HsmType,
+    pub hsm_pin_path: String,
+    pub tpm_tcti_name: String,
+    pub kanidm_config: Option<KanidmConfig>,
+}
+
+impl Default for UnixdConfig {
+    fn default() -> Self {
+        UnixdConfig::new()
+    }
+}
+
+impl Display for UnixdConfig {
+    fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
+        writeln!(f, "cache_db_path: {}", &self.cache_db_path)?;
+        writeln!(f, "sock_path: {}", self.sock_path)?;
+        writeln!(f, "task_sock_path: {}", self.task_sock_path)?;
+        writeln!(f, "unix_sock_timeout: {}", self.unix_sock_timeout)?;
+        writeln!(f, "cache_timeout: {}", self.cache_timeout)?;
+        writeln!(f, "default_shell: {}", self.default_shell)?;
+        writeln!(f, "home_prefix: {:?}", self.home_prefix)?;
+        match self.home_mount_prefix.as_deref() {
+            Some(val) => writeln!(f, "home_mount_prefix: {:?}", val)?,
+            None => writeln!(f, "home_mount_prefix: unset")?,
+        }
+        writeln!(f, "home_attr: {}", self.home_attr)?;
+        match self.home_alias {
+            Some(val) => writeln!(f, "home_alias: {}", val)?,
+            None => writeln!(f, "home_alias: unset")?,
+        }
+
+        writeln!(f, "uid_attr_map: {}", self.uid_attr_map)?;
+        writeln!(f, "gid_attr_map: {}", self.gid_attr_map)?;
+
+        writeln!(f, "hsm_type: {}", self.hsm_type)?;
+        writeln!(f, "tpm_tcti_name: {}", self.tpm_tcti_name)?;
+
+        writeln!(f, "selinux: {}", self.selinux)?;
+
+        if let Some(kconfig) = &self.kanidm_config {
+            writeln!(f, "kanidm: enabled")?;
+            writeln!(
+                f,
+                "kanidm pam_allowed_login_groups: {:#?}",
+                kconfig.pam_allowed_login_groups
+            )?;
+            writeln!(f, "kanidm conn_timeout: {}", kconfig.conn_timeout)?;
+            writeln!(f, "kanidm request_timeout: {}", kconfig.request_timeout)?;
+        } else {
+            writeln!(f, "kanidm: disabled")?;
+        };
+
+        Ok(())
+    }
+}
+
+impl UnixdConfig {
+    pub fn new() -> Self {
+        let cache_db_path = match env::var("KANIDM_CACHE_DB_PATH") {
+            Ok(val) => val,
+            Err(_) => DEFAULT_CACHE_DB_PATH.into(),
+        };
+        let hsm_pin_path = match env::var("KANIDM_HSM_PIN_PATH") {
+            Ok(val) => val,
+            Err(_) => DEFAULT_HSM_PIN_PATH.into(),
+        };
+
+        UnixdConfig {
+            cache_db_path,
+            sock_path: DEFAULT_SOCK_PATH.to_string(),
+            task_sock_path: DEFAULT_TASK_SOCK_PATH.to_string(),
+            unix_sock_timeout: DEFAULT_CONN_TIMEOUT * 2,
+            cache_timeout: DEFAULT_CACHE_TIMEOUT,
+            default_shell: DEFAULT_SHELL.to_string(),
+            home_prefix: DEFAULT_HOME_PREFIX.into(),
+            home_mount_prefix: None,
+            home_attr: DEFAULT_HOME_ATTR,
+            home_alias: DEFAULT_HOME_ALIAS,
+            use_etc_skel: DEFAULT_USE_ETC_SKEL,
+            uid_attr_map: DEFAULT_UID_ATTR_MAP,
+            gid_attr_map: DEFAULT_GID_ATTR_MAP,
+            selinux: DEFAULT_SELINUX,
+            hsm_pin_path,
+            hsm_type: HsmType::default(),
+            tpm_tcti_name: DEFAULT_TPM_TCTI_NAME.to_string(),
+
+            kanidm_config: None,
+        }
+    }
+
+    pub fn read_options_from_optional_config<P: AsRef<Path> + std::fmt::Debug>(
+        self,
+        config_path: P,
+    ) -> Result<Self, UnixIntegrationError> {
+        debug!("Attempting to load configuration from {:#?}", &config_path);
+        let mut f = match File::open(&config_path) {
+            Ok(f) => {
+                debug!("Successfully opened configuration file {:#?}", &config_path);
+                f
+            }
+            Err(e) => {
+                match e.kind() {
+                    ErrorKind::NotFound => {
+                        debug!(
+                            "Configuration file {:#?} not found, skipping.",
+                            &config_path
+                        );
+                    }
+                    ErrorKind::PermissionDenied => {
+                        warn!(
+                            "Permission denied loading configuration file {:#?}, skipping.",
+                            &config_path
+                        );
+                    }
+                    _ => {
+                        debug!(
+                            "Unable to open config file {:#?} [{:?}], skipping ...",
+                            &config_path, e
+                        );
+                    }
+                };
+                return Ok(self);
+            }
+        };
+
+        let mut contents = String::new();
+        f.read_to_string(&mut contents).map_err(|e| {
+            error!("{:?}", e);
+            UnixIntegrationError
+        })?;
+
+        let config: ConfigUntagged = toml::from_str(contents.as_str()).map_err(|e| {
+            error!("{:?}", e);
+            UnixIntegrationError
+        })?;
+
+        match config {
+            ConfigUntagged::Legacy(config) => self.apply_from_config_legacy(config),
+            ConfigUntagged::Versioned(ConfigVersion::V2 { values }) => {
+                self.apply_from_config_v2(values)
+            }
+        }
+    }
+
+    fn apply_from_config_legacy(self, config: ConfigInt) -> Result<Self, UnixIntegrationError> {
+        if config.kanidm.is_some() || config.cache_db_path.is_some() {
+            error!("You are using version=\"2\" options in a legacy config. THESE WILL NOT WORK.");
+            return Err(UnixIntegrationError);
+        }
+
+        let map_group = config
+            .allow_local_account_override
+            .iter()
+            .map(|name| GroupMap {
+                local: name.clone(),
+                with: name.clone(),
+            })
+            .collect();
+
+        let kanidm_config = Some(KanidmConfig {
+            conn_timeout: config.conn_timeout.unwrap_or(DEFAULT_CONN_TIMEOUT),
+            request_timeout: config.request_timeout.unwrap_or(DEFAULT_CONN_TIMEOUT * 2),
+            pam_allowed_login_groups: config.pam_allowed_login_groups.unwrap_or_default(),
+            map_group,
+        });
+
+        // Now map the values into our config.
+        Ok(UnixdConfig {
+            cache_db_path: config.db_path.unwrap_or(self.cache_db_path),
+            sock_path: config.sock_path.unwrap_or(self.sock_path),
+            task_sock_path: config.task_sock_path.unwrap_or(self.task_sock_path),
+            unix_sock_timeout: DEFAULT_CONN_TIMEOUT * 2,
+            cache_timeout: config.cache_timeout.unwrap_or(self.cache_timeout),
+            default_shell: config.default_shell.unwrap_or(self.default_shell),
+            home_prefix: config
+                .home_prefix
+                .map(|p| p.into())
+                .unwrap_or(self.home_prefix.clone()),
+            home_mount_prefix: config.home_mount_prefix.map(|p| p.into()),
+            home_attr: config
+                .home_attr
+                .and_then(|v| match v.as_str() {
+                    "uuid" => Some(HomeAttr::Uuid),
+                    "spn" => Some(HomeAttr::Spn),
+                    "name" => Some(HomeAttr::Name),
+                    _ => {
+                        warn!("Invalid home_attr configured, using default ...");
+                        None
+                    }
+                })
+                .unwrap_or(self.home_attr),
+            home_alias: config
+                .home_alias
+                .and_then(|v| match v.as_str() {
+                    "none" => Some(None),
+                    "uuid" => Some(Some(HomeAttr::Uuid)),
+                    "spn" => Some(Some(HomeAttr::Spn)),
+                    "name" => Some(Some(HomeAttr::Name)),
+                    _ => {
+                        warn!("Invalid home_alias configured, using default ...");
+                        None
+                    }
+                })
+                .unwrap_or(self.home_alias),
+            use_etc_skel: config.use_etc_skel.unwrap_or(self.use_etc_skel),
+            uid_attr_map: config
+                .uid_attr_map
+                .and_then(|v| match v.as_str() {
+                    "spn" => Some(UidAttr::Spn),
+                    "name" => Some(UidAttr::Name),
+                    _ => {
+                        warn!("Invalid uid_attr_map configured, using default ...");
+                        None
+                    }
+                })
+                .unwrap_or(self.uid_attr_map),
+            gid_attr_map: config
+                .gid_attr_map
+                .and_then(|v| match v.as_str() {
+                    "spn" => Some(UidAttr::Spn),
+                    "name" => Some(UidAttr::Name),
+                    _ => {
+                        warn!("Invalid gid_attr_map configured, using default ...");
+                        None
+                    }
+                })
+                .unwrap_or(self.gid_attr_map),
+            selinux: match config.selinux.unwrap_or(self.selinux) {
+                #[cfg(all(target_family = "unix", feature = "selinux"))]
+                true => selinux_util::supported(),
+                _ => false,
+            },
+            hsm_pin_path: config.hsm_pin_path.unwrap_or(self.hsm_pin_path),
+            hsm_type: config
+                .hsm_type
+                .and_then(|v| match v.as_str() {
+                    "soft" => Some(HsmType::Soft),
+                    "tpm_if_possible" => Some(HsmType::TpmIfPossible),
+                    "tpm" => Some(HsmType::Tpm),
+                    _ => {
+                        warn!("Invalid hsm_type configured, using default ...");
+                        None
+                    }
+                })
+                .unwrap_or(self.hsm_type),
+            tpm_tcti_name: config
+                .tpm_tcti_name
+                .unwrap_or(DEFAULT_TPM_TCTI_NAME.to_string()),
+            kanidm_config,
+        })
+    }
+
+    fn apply_from_config_v2(self, config: ConfigV2) -> Result<Self, UnixIntegrationError> {
+        let kanidm_config = if let Some(kconfig) = config.kanidm {
+            match &kconfig.pam_allowed_login_groups {
+                None => {
+                    error!("You have a 'kanidm' section in the config but an empty pam_allowed_login_groups set. USERS CANNOT AUTH.")
+                }
+                Some(groups) => {
+                    if groups.is_empty() {
+                        error!("You have a 'kanidm' section in the config but an empty pam_allowed_login_groups set. USERS CANNOT AUTH.");
+                    }
+                }
+            }
+            Some(KanidmConfig {
+                conn_timeout: kconfig.conn_timeout.unwrap_or(DEFAULT_CONN_TIMEOUT),
+                request_timeout: kconfig.request_timeout.unwrap_or(DEFAULT_CONN_TIMEOUT * 2),
+                pam_allowed_login_groups: kconfig.pam_allowed_login_groups.unwrap_or_default(),
+                map_group: kconfig.map_group,
+            })
+        } else {
+            error!(
+                "You are using a version 2 config without a 'kanidm' section. USERS CANNOT AUTH."
+            );
+            None
+        };
+
+        // Now map the values into our config.
+        Ok(UnixdConfig {
+            cache_db_path: config.cache_db_path.unwrap_or(self.cache_db_path),
+            sock_path: config.sock_path.unwrap_or(self.sock_path),
+            task_sock_path: config.task_sock_path.unwrap_or(self.task_sock_path),
+            unix_sock_timeout: DEFAULT_CONN_TIMEOUT * 2,
+            cache_timeout: config.cache_timeout.unwrap_or(self.cache_timeout),
+            default_shell: config.default_shell.unwrap_or(self.default_shell),
+            home_prefix: config
+                .home_prefix
+                .map(|p| p.into())
+                .unwrap_or(self.home_prefix.clone()),
+            home_mount_prefix: config.home_mount_prefix.map(|p| p.into()),
+            home_attr: config
+                .home_attr
+                .and_then(|v| match v.as_str() {
+                    "uuid" => Some(HomeAttr::Uuid),
+                    "spn" => Some(HomeAttr::Spn),
+                    "name" => Some(HomeAttr::Name),
+                    _ => {
+                        warn!("Invalid home_attr configured, using default ...");
+                        None
+                    }
+                })
+                .unwrap_or(self.home_attr),
+            home_alias: config
+                .home_alias
+                .and_then(|v| match v.as_str() {
+                    "none" => Some(None),
+                    "uuid" => Some(Some(HomeAttr::Uuid)),
+                    "spn" => Some(Some(HomeAttr::Spn)),
+                    "name" => Some(Some(HomeAttr::Name)),
+                    _ => {
+                        warn!("Invalid home_alias configured, using default ...");
+                        None
+                    }
+                })
+                .unwrap_or(self.home_alias),
+            use_etc_skel: config.use_etc_skel.unwrap_or(self.use_etc_skel),
+            uid_attr_map: config
+                .uid_attr_map
+                .and_then(|v| match v.as_str() {
+                    "spn" => Some(UidAttr::Spn),
+                    "name" => Some(UidAttr::Name),
+                    _ => {
+                        warn!("Invalid uid_attr_map configured, using default ...");
+                        None
+                    }
+                })
+                .unwrap_or(self.uid_attr_map),
+            gid_attr_map: config
+                .gid_attr_map
+                .and_then(|v| match v.as_str() {
+                    "spn" => Some(UidAttr::Spn),
+                    "name" => Some(UidAttr::Name),
+                    _ => {
+                        warn!("Invalid gid_attr_map configured, using default ...");
+                        None
+                    }
+                })
+                .unwrap_or(self.gid_attr_map),
+            selinux: match config.selinux.unwrap_or(self.selinux) {
+                #[cfg(all(target_family = "unix", feature = "selinux"))]
+                true => selinux_util::supported(),
+                _ => false,
+            },
+            hsm_pin_path: config.hsm_pin_path.unwrap_or(self.hsm_pin_path),
+            hsm_type: config
+                .hsm_type
+                .and_then(|v| match v.as_str() {
+                    "soft" => Some(HsmType::Soft),
+                    "tpm_if_possible" => Some(HsmType::TpmIfPossible),
+                    "tpm" => Some(HsmType::Tpm),
+                    _ => {
+                        warn!("Invalid hsm_type configured, using default ...");
+                        None
+                    }
+                })
+                .unwrap_or(self.hsm_type),
+            tpm_tcti_name: config
+                .tpm_tcti_name
+                .unwrap_or(DEFAULT_TPM_TCTI_NAME.to_string()),
+            kanidm_config,
+        })
+    }
+}
+
+#[derive(Debug)]
+/// This is the parsed configuration that will be used by pam/nss tools that need fast access to
+/// only the socket and timeout information related to the resolver.
+pub struct PamNssConfig {
     pub sock_path: String,
     // pub conn_timeout: u64,
     pub unix_sock_timeout: u64,
 }
 
-impl Default for KanidmUnixdConfig {
+impl Default for PamNssConfig {
     fn default() -> Self {
-        KanidmUnixdConfig::new()
+        PamNssConfig::new()
     }
 }
 
-impl Display for KanidmUnixdConfig {
+impl Display for PamNssConfig {
     fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
         writeln!(f, "sock_path: {}", self.sock_path)?;
         writeln!(f, "unix_sock_timeout: {}", self.unix_sock_timeout)
     }
 }
 
-impl KanidmUnixdConfig {
+impl PamNssConfig {
     pub fn new() -> Self {
-        KanidmUnixdConfig {
+        PamNssConfig {
             sock_path: DEFAULT_SOCK_PATH.to_string(),
             unix_sock_timeout: DEFAULT_CONN_TIMEOUT * 2,
         }
@@ -124,22 +639,45 @@ impl KanidmUnixdConfig {
             UnixIntegrationError
         })?;
 
-        let config: ConfigInt = toml::from_str(contents.as_str()).map_err(|e| {
+        let config: ConfigUntagged = toml::from_str(contents.as_str()).map_err(|e| {
             error!("{:?}", e);
             UnixIntegrationError
         })?;
 
+        match config {
+            ConfigUntagged::Legacy(config) => self.apply_from_config_legacy(config),
+            ConfigUntagged::Versioned(ConfigVersion::V2 { values }) => {
+                self.apply_from_config_v2(values)
+            }
+        }
+    }
+
+    fn apply_from_config_legacy(self, config: ConfigInt) -> Result<Self, UnixIntegrationError> {
         let unix_sock_timeout = config
             .conn_timeout
             .map(|v| v * 2)
             .unwrap_or(self.unix_sock_timeout);
 
         // Now map the values into our config.
-        Ok(KanidmUnixdConfig {
+        Ok(PamNssConfig {
             sock_path: config.sock_path.unwrap_or(self.sock_path),
             unix_sock_timeout,
         })
     }
+
+    fn apply_from_config_v2(self, config: ConfigV2) -> Result<Self, UnixIntegrationError> {
+        let kanidm_conn_timeout = config
+            .kanidm
+            .as_ref()
+            .and_then(|k_config| k_config.conn_timeout)
+            .map(|timeout| timeout * 2);
+
+        // Now map the values into our config.
+        Ok(PamNssConfig {
+            sock_path: config.sock_path.unwrap_or(self.sock_path),
+            unix_sock_timeout: kanidm_conn_timeout.unwrap_or(self.unix_sock_timeout),
+        })
+    }
 }
 
 #[cfg(test)]
@@ -165,9 +703,12 @@ mod tests {
             if filename.starts_with("unixd") {
                 print!("Checking that {} parses as a valid config...", filename);
 
-                KanidmUnixdConfig::new()
+                UnixdConfig::new()
                     .read_options_from_optional_config(file.path())
-                    .expect("Failed to parse");
+                    .inspect_err(|e| {
+                        println!("Failed to parse: {:?}", e);
+                    })
+                    .expect("Failed to parse!");
                 println!("OK");
             }
         }

unix_integration/nss_kanidm/src/core.rs

@@ -1,5 +1,5 @@
 use kanidm_unix_common::client_sync::DaemonClientBlocking;
-use kanidm_unix_common::unix_config::KanidmUnixdConfig;
+use kanidm_unix_common::unix_config::PamNssConfig;
 use kanidm_unix_common::unix_passwd::{
     read_etc_group_file, read_etc_passwd_file, EtcGroup, EtcUser,
 };
@@ -36,7 +36,7 @@ impl RequestOptions {
     fn connect_to_daemon(self) -> Source {
         match self {
             RequestOptions::Main { config_path } => {
-                let maybe_client = KanidmUnixdConfig::new()
+                let maybe_client = PamNssConfig::new()
                     .read_options_from_optional_config(config_path)
                     .ok()
                     .and_then(|cfg| {

unix_integration/pam_kanidm/src/core.rs

@@ -2,7 +2,7 @@ use crate::constants::PamResultCode;
 use crate::module::PamResult;
 use crate::pam::ModuleOptions;
 use kanidm_unix_common::client_sync::DaemonClientBlocking;
-use kanidm_unix_common::unix_config::KanidmUnixdConfig;
+use kanidm_unix_common::unix_config::PamNssConfig;
 use kanidm_unix_common::unix_passwd::{
     read_etc_passwd_file, read_etc_shadow_file, EtcShadow, EtcUser,
 };
@@ -44,7 +44,7 @@ impl RequestOptions {
     fn connect_to_daemon(self) -> Source {
         match self {
             RequestOptions::Main { config_path } => {
-                let maybe_client = KanidmUnixdConfig::new()
+                let maybe_client = PamNssConfig::new()
                     .read_options_from_optional_config(config_path)
                     .ok()
                     .and_then(|cfg| {

unix_integration/pam_kanidm/src/pam/mod.rs

@@ -36,7 +36,7 @@ use std::convert::TryFrom;
 use std::ffi::CStr;
 
 use kanidm_unix_common::constants::DEFAULT_CONFIG_PATH;
-use kanidm_unix_common::unix_config::KanidmUnixdConfig;
+use kanidm_unix_common::unix_config::PamNssConfig;
 
 use crate::core::{self, RequestOptions};
 use crate::pam::constants::*;
@@ -50,8 +50,8 @@ use tracing_subscriber::filter::LevelFilter;
 use tracing_subscriber::fmt;
 use tracing_subscriber::prelude::*;
 
-pub fn get_cfg() -> Result<KanidmUnixdConfig, PamResultCode> {
-    KanidmUnixdConfig::new()
+pub fn get_cfg() -> Result<PamNssConfig, PamResultCode> {
+    PamNssConfig::new()
         .read_options_from_optional_config(DEFAULT_CONFIG_PATH)
         .map_err(|_| PamResultCode::PAM_SERVICE_ERR)
 }

unix_integration/resolver/Cargo.toml

@@ -14,8 +14,8 @@ repository = { workspace = true }
 [features]
 default = ["unix"]
 unix = []
-selinux = ["dep:selinux"]
-tpm = ["kanidm-hsm-crypto/tpm"]
+selinux = ["dep:selinux", "kanidm_unix_common/selinux"]
+tpm = ["kanidm-hsm-crypto/tpm", "kanidm_unix_common/tpm"]
 
 [[bin]]
 name = "kanidm_unixd"

unix_integration/resolver/src/bin/kanidm-unix.rs

@@ -18,7 +18,7 @@ use std::process::ExitCode;
 use clap::Parser;
 use kanidm_unix_common::client::DaemonClient;
 use kanidm_unix_common::constants::DEFAULT_CONFIG_PATH;
-use kanidm_unix_common::unix_config::KanidmUnixdConfig;
+use kanidm_unix_common::unix_config::PamNssConfig;
 use kanidm_unix_common::unix_proto::{
     ClientRequest, ClientResponse, PamAuthRequest, PamAuthResponse, PamServiceInfo,
 };
@@ -28,8 +28,7 @@ include!("../opt/tool.rs");
 
 macro_rules! setup_client {
     () => {{
-        let Ok(cfg) =
-            KanidmUnixdConfig::new().read_options_from_optional_config(DEFAULT_CONFIG_PATH)
+        let Ok(cfg) = PamNssConfig::new().read_options_from_optional_config(DEFAULT_CONFIG_PATH)
         else {
             error!("Failed to parse {}", DEFAULT_CONFIG_PATH);
             return ExitCode::FAILURE;

unix_integration/resolver/src/bin/kanidm_ssh_authorizedkeys.rs

@@ -19,7 +19,7 @@ use std::process::ExitCode;
 use clap::Parser;
 use kanidm_unix_common::client::DaemonClient;
 use kanidm_unix_common::constants::DEFAULT_CONFIG_PATH;
-use kanidm_unix_common::unix_config::KanidmUnixdConfig;
+use kanidm_unix_common::unix_config::PamNssConfig;
 use kanidm_unix_common::unix_proto::{ClientRequest, ClientResponse};
 
 include!("../opt/ssh_authorizedkeys.rs");
@@ -44,8 +44,7 @@ async fn main() -> ExitCode {
 
     debug!("Starting authorized keys tool ...");
 
-    let cfg = match KanidmUnixdConfig::new().read_options_from_optional_config(DEFAULT_CONFIG_PATH)
-    {
+    let cfg = match PamNssConfig::new().read_options_from_optional_config(DEFAULT_CONFIG_PATH) {
         Ok(c) => c,
         Err(e) => {
             error!("Failed to parse {}: {:?}", DEFAULT_CONFIG_PATH, e);

unix_integration/resolver/src/bin/kanidm_unixd.rs

@@ -18,6 +18,7 @@ use kanidm_hsm_crypto::{soft::SoftTpm, AuthValue, BoxedDynTpm, Tpm};
 use kanidm_proto::constants::DEFAULT_CLIENT_CONFIG_PATH;
 use kanidm_proto::internal::OperationError;
 use kanidm_unix_common::constants::DEFAULT_CONFIG_PATH;
+use kanidm_unix_common::unix_config::{HsmType, UnixdConfig};
 use kanidm_unix_common::unix_passwd::EtcDb;
 use kanidm_unix_common::unix_proto::{
     ClientRequest, ClientResponse, TaskRequest, TaskRequestFrame, TaskResponse,
@@ -27,7 +28,6 @@ use kanidm_unix_resolver::idprovider::interface::IdProvider;
 use kanidm_unix_resolver::idprovider::kanidm::KanidmProvider;
 use kanidm_unix_resolver::idprovider::system::SystemProvider;
 use kanidm_unix_resolver::resolver::Resolver;
-use kanidm_unix_resolver::unix_config::{HsmType, UnixdConfig};
 use kanidm_utils_users::{get_current_gid, get_current_uid, get_effective_gid, get_effective_uid};
 use libc::umask;
 use sketching::tracing::span;

unix_integration/resolver/src/bin/kanidm_unixd_tasks.rs

@@ -13,11 +13,11 @@
 use bytes::{BufMut, BytesMut};
 use futures::{SinkExt, StreamExt};
 use kanidm_unix_common::constants::DEFAULT_CONFIG_PATH;
+use kanidm_unix_common::unix_config::UnixdConfig;
 use kanidm_unix_common::unix_passwd::{parse_etc_group, parse_etc_passwd, parse_etc_shadow, EtcDb};
 use kanidm_unix_common::unix_proto::{
     HomeDirectoryInfo, TaskRequest, TaskRequestFrame, TaskResponse,
 };
-use kanidm_unix_resolver::unix_config::UnixdConfig;
 use kanidm_utils_users::{get_effective_gid, get_effective_uid};
 use libc::{lchown, umask};
 use notify_debouncer_full::notify::RecommendedWatcher;
@@ -43,7 +43,7 @@ use tokio_util::codec::{Decoder, Encoder, Framed};
 use walkdir::WalkDir;
 
 #[cfg(all(target_family = "unix", feature = "selinux"))]
-use kanidm_unix_resolver::selinux_util;
+use kanidm_unix_common::selinux_util;
 
 struct TaskCodec;
 

unix_integration/resolver/src/idprovider/interface.rs

@@ -194,7 +194,8 @@ impl Into<PamAuthResponse> for AuthRequest {
 }
 
 pub enum AuthResult {
-    Success { token: UserToken },
+    Success,
+    SuccessUpdate { new_token: UserToken },
     Denied,
     Next(AuthRequest),
 }
@@ -251,6 +252,7 @@ pub trait IdProvider {
     async fn unix_user_online_auth_step(
         &self,
         _account_id: &str,
+        _current_token: Option<&UserToken>,
         _cred_handler: &mut AuthCredHandler,
         _pam_next_req: PamAuthRequest,
         _tpm: &mut tpm::BoxedDynTpm,
@@ -290,7 +292,8 @@ pub trait IdProvider {
     // TPM key.
     async fn unix_user_offline_auth_step(
         &self,
-        _token: &UserToken,
+        _current_token: Option<&UserToken>,
+        _session_token: &UserToken,
         _cred_handler: &mut AuthCredHandler,
         _pam_next_req: PamAuthRequest,
         _tpm: &mut tpm::BoxedDynTpm,

unix_integration/resolver/src/idprovider/kanidm.rs

@@ -1,24 +1,22 @@
-use crate::db::KeyStoreTxn;
-use crate::unix_config::{GroupMap, KanidmConfig};
-use async_trait::async_trait;
-use hashbrown::HashMap;
-use kanidm_client::{ClientError, KanidmClient, StatusCode};
-use kanidm_proto::internal::OperationError;
-use kanidm_proto::v1::{UnixGroupToken, UnixUserToken};
-use std::collections::BTreeSet;
-use std::time::{Duration, SystemTime};
-use tokio::sync::{broadcast, Mutex};
-
-use kanidm_lib_crypto::CryptoPolicy;
-use kanidm_lib_crypto::DbPasswordV1;
-use kanidm_lib_crypto::Password;
-
 use super::interface::{
     tpm::{self, HmacKey, Tpm},
     AuthCredHandler, AuthRequest, AuthResult, GroupToken, GroupTokenState, Id, IdProvider,
     IdpError, ProviderOrigin, UserToken, UserTokenState,
 };
+use crate::db::KeyStoreTxn;
+use async_trait::async_trait;
+use hashbrown::HashMap;
+use kanidm_client::{ClientError, KanidmClient, StatusCode};
+use kanidm_lib_crypto::CryptoPolicy;
+use kanidm_lib_crypto::DbPasswordV1;
+use kanidm_lib_crypto::Password;
+use kanidm_proto::internal::OperationError;
+use kanidm_proto::v1::{UnixGroupToken, UnixUserToken};
+use kanidm_unix_common::unix_config::{GroupMap, KanidmConfig};
 use kanidm_unix_common::unix_proto::PamAuthRequest;
+use std::collections::BTreeSet;
+use std::time::{Duration, SystemTime};
+use tokio::sync::{broadcast, Mutex};
 
 const KANIDM_HMAC_KEY: &str = "kanidm-hmac-key";
 const KANIDM_PWV1_KEY: &str = "kanidm-pw-v1";
@@ -57,8 +55,6 @@ impl KanidmProvider {
         tpm: &mut tpm::BoxedDynTpm,
         machine_key: &tpm::MachineKey,
     ) -> Result<Self, IdpError> {
-        // FUTURE: Randomised jitter on next check at startup.
-
         // Initially retrieve our HMAC key.
         let loadable_hmac_key: Option<tpm::LoadableHmacKey> = keystore
             .get_tagged_hsm_key(KANIDM_HMAC_KEY)
@@ -250,13 +246,25 @@ impl KanidmProviderInternal {
             // Proceed
             CacheState::Online => true,
             CacheState::OfflineNextCheck(at_time) if now >= at_time => {
-                // Attempt online. If fails, return token.
                 self.attempt_online(tpm, now).await
             }
             CacheState::OfflineNextCheck(_) | CacheState::Offline => false,
         }
     }
 
+    #[instrument(level = "debug", skip_all)]
+    async fn check_online_right_meow(
+        &mut self,
+        tpm: &mut tpm::BoxedDynTpm,
+        now: SystemTime,
+    ) -> bool {
+        match self.state {
+            CacheState::Online => true,
+            CacheState::OfflineNextCheck(_) => self.attempt_online(tpm, now).await,
+            CacheState::Offline => false,
+        }
+    }
+
     #[instrument(level = "debug", skip_all)]
     async fn attempt_online(&mut self, _tpm: &mut tpm::BoxedDynTpm, now: SystemTime) -> bool {
         let mut max_attempts = 3;
@@ -297,7 +305,7 @@ impl IdProvider for KanidmProvider {
 
     async fn attempt_online(&self, tpm: &mut tpm::BoxedDynTpm, now: SystemTime) -> bool {
         let mut inner = self.inner.lock().await;
-        inner.check_online(tpm, now).await
+        inner.check_online_right_meow(tpm, now).await
     }
 
     async fn mark_next_check(&self, now: SystemTime) {
@@ -433,6 +441,7 @@ impl IdProvider for KanidmProvider {
     async fn unix_user_online_auth_step(
         &self,
         account_id: &str,
+        current_token: Option<&UserToken>,
         cred_handler: &mut AuthCredHandler,
         pam_next_req: PamAuthRequest,
         tpm: &mut tpm::BoxedDynTpm,
@@ -451,15 +460,23 @@ impl IdProvider for KanidmProvider {
 
                 match auth_result {
                     Ok(Some(n_tok)) => {
-                        let mut token = UserToken::from(n_tok);
-                        token.kanidm_update_cached_password(
+                        let mut new_token = UserToken::from(n_tok);
+
+                        // Update any keys that may have been in the db in the current
+                        // token.
+                        if let Some(previous_token) = current_token {
+                            new_token.extra_keys = previous_token.extra_keys.clone();
+                        }
+
+                        // Set any new keys that are relevant from this authentication
+                        new_token.kanidm_update_cached_password(
                             &inner.crypto_policy,
                             cred.as_str(),
                             tpm,
                             &inner.hmac_key,
                         );
 
-                        Ok(AuthResult::Success { token })
+                        Ok(AuthResult::SuccessUpdate { new_token })
                     }
                     Ok(None) => {
                         // TODO: i'm not a huge fan of this rn, but currently the way we handle
@@ -554,7 +571,8 @@ impl IdProvider for KanidmProvider {
 
     async fn unix_user_offline_auth_step(
         &self,
-        token: &UserToken,
+        current_token: Option<&UserToken>,
+        session_token: &UserToken,
         cred_handler: &mut AuthCredHandler,
         pam_next_req: PamAuthRequest,
         tpm: &mut tpm::BoxedDynTpm,
@@ -563,11 +581,13 @@ impl IdProvider for KanidmProvider {
             (AuthCredHandler::Password, PamAuthRequest::Password { cred }) => {
                 let inner = self.inner.lock().await;
 
-                if token.kanidm_check_cached_password(cred.as_str(), tpm, &inner.hmac_key) {
+                if session_token.kanidm_check_cached_password(cred.as_str(), tpm, &inner.hmac_key) {
+                    // Ensure we have either the latest token, or if none, at least the session token.
+                    let new_token = current_token.unwrap_or(session_token).clone();
+
                     // TODO: We can update the token here and then do lockouts.
-                    Ok(AuthResult::Success {
-                        token: token.clone(),
-                    })
+
+                    Ok(AuthResult::SuccessUpdate { new_token })
                 } else {
                     Ok(AuthResult::Denied)
                 }

unix_integration/resolver/src/lib.rs

@@ -23,7 +23,3 @@ pub mod db;
 pub mod idprovider;
 #[cfg(target_family = "unix")]
 pub mod resolver;
-#[cfg(all(target_family = "unix", feature = "selinux"))]
-pub mod selinux_util;
-#[cfg(target_family = "unix")]
-pub mod unix_config;

unix_integration/resolver/src/resolver.rs

@@ -1,18 +1,4 @@
 // use async_trait::async_trait;
-use hashbrown::HashMap;
-use std::fmt::Display;
-use std::num::NonZeroUsize;
-use std::ops::DerefMut;
-use std::path::{Path, PathBuf};
-use std::string::ToString;
-use std::sync::Arc;
-use std::time::{Duration, SystemTime};
-
-use lru::LruCache;
-use time::OffsetDateTime;
-use tokio::sync::Mutex;
-use uuid::Uuid;
-
 use crate::db::{Cache, Db};
 use crate::idprovider::interface::{
     AuthCredHandler,
@@ -30,13 +16,25 @@ use crate::idprovider::interface::{
 use crate::idprovider::system::{
     Shadow, SystemAuthResult, SystemProvider, SystemProviderAuthInit, SystemProviderSession,
 };
-use crate::unix_config::{HomeAttr, UidAttr};
+use hashbrown::HashMap;
 use kanidm_unix_common::constants::DEFAULT_SHELL_SEARCH_PATHS;
+use kanidm_unix_common::unix_config::{HomeAttr, UidAttr};
 use kanidm_unix_common::unix_passwd::{EtcGroup, EtcShadow, EtcUser};
 use kanidm_unix_common::unix_proto::{
     HomeDirectoryInfo, NssGroup, NssUser, PamAuthRequest, PamAuthResponse, PamServiceInfo,
     ProviderStatus,
 };
+use lru::LruCache;
+use std::fmt::Display;
+use std::num::NonZeroUsize;
+use std::ops::DerefMut;
+use std::path::{Path, PathBuf};
+use std::string::ToString;
+use std::sync::Arc;
+use std::time::{Duration, SystemTime};
+use time::OffsetDateTime;
+use tokio::sync::Mutex;
+use uuid::Uuid;
 
 use kanidm_hsm_crypto::BoxedDynTpm;
 
@@ -49,7 +47,6 @@ pub enum AuthSession {
         client: Arc<dyn IdProvider + Sync + Send>,
         account_id: String,
         id: Id,
-        token: Option<Box<UserToken>>,
         cred_handler: AuthCredHandler,
         /// Some authentication operations may need to spawn background tasks. These tasks need
         /// to know when to stop as the caller has disconnected. This receiver allows that, so
@@ -61,7 +58,7 @@ pub enum AuthSession {
         account_id: String,
         id: Id,
         client: Arc<dyn IdProvider + Sync + Send>,
-        token: Box<UserToken>,
+        session_token: Box<UserToken>,
         cred_handler: AuthCredHandler,
     },
     System {
@@ -227,7 +224,7 @@ impl Resolver {
         //  Attempt to search these in the db.
         let mut dbtxn = self.db.write().await;
         let r = dbtxn.get_account(account_id).map_err(|err| {
-            debug!("get_cached_usertoken {:?}", err);
+            debug!(?err, "get_cached_usertoken");
         })?;
 
         drop(dbtxn);
@@ -320,7 +317,12 @@ impl Resolver {
         }
     }
 
-    async fn set_cache_usertoken(&self, token: &mut UserToken) -> Result<(), ()> {
+    async fn set_cache_usertoken(
+        &self,
+        token: &mut UserToken,
+        // This is just for proof that only one write can occur at a time.
+        _tpm: &mut BoxedDynTpm,
+    ) -> Result<(), ()> {
         // Set an expiry
         let ex_time = SystemTime::now() + Duration::from_secs(self.timeout_seconds);
         let offset = ex_time
@@ -453,6 +455,22 @@ impl Resolver {
 
         let mut hsm_lock = self.hsm.lock().await;
 
+        // We need to re-acquire the token now behind the hsmlock - this is so that
+        // we know that as we write the updated token, we know that no one else has
+        // written to this token, since we are now the only task that is allowed
+        // to be in a write phase.
+        let token = if token.is_some() {
+            self.get_cached_usertoken(account_id)
+                .await
+                .map(|(_expired, option_token)| option_token)
+                .map_err(|err| {
+                    debug!(?err, "get_usertoken error");
+                })?
+        } else {
+            // Was already none, leave it that way.
+            None
+        };
+
         let user_get_result = if let Some(tok) = token.as_ref() {
             // Re-use the provider that the token is from.
             match self.client_ids.get(&tok.provider) {
@@ -488,12 +506,11 @@ impl Resolver {
             }
         };
 
-        drop(hsm_lock);
-
         match user_get_result {
             Ok(UserTokenState::Update(mut n_tok)) => {
                 // We have the token!
-                self.set_cache_usertoken(&mut n_tok).await?;
+                self.set_cache_usertoken(&mut n_tok, hsm_lock.deref_mut())
+                    .await?;
                 Ok(Some(n_tok))
             }
             Ok(UserTokenState::NotFound) => {
@@ -960,7 +977,6 @@ impl Resolver {
                             client,
                             account_id: account_id.to_string(),
                             id,
-                            token: Some(Box::new(token)),
                             cred_handler,
                             shutdown_rx,
                         };
@@ -981,7 +997,7 @@ impl Resolver {
                             account_id: account_id.to_string(),
                             id,
                             client,
-                            token: Box::new(token),
+                            session_token: Box::new(token),
                             cred_handler,
                         };
                         Ok((auth_session, next_req.into()))
@@ -1024,7 +1040,6 @@ impl Resolver {
                             client: client.clone(),
                             account_id: account_id.to_string(),
                             id,
-                            token: None,
                             cred_handler,
                             shutdown_rx,
                         };
@@ -1052,19 +1067,32 @@ impl Resolver {
         auth_session: &mut AuthSession,
         pam_next_req: PamAuthRequest,
     ) -> Result<PamAuthResponse, ()> {
+        let mut hsm_lock = self.hsm.lock().await;
+
         let maybe_err = match &mut *auth_session {
             &mut AuthSession::Online {
                 ref client,
                 ref account_id,
-                id: _,
-                token: _,
+                ref id,
                 ref mut cred_handler,
                 ref shutdown_rx,
             } => {
-                let mut hsm_lock = self.hsm.lock().await;
+                // This is not used in the authentication, but is so that any new
+                // extra keys or data on the token are updated correctly if the authentication
+                // requests an update. Since we hold the hsm_lock, no other task can
+                // update this token between now and completion of the fn.
+                let current_token = self
+                    .get_cached_usertoken(id)
+                    .await
+                    .map(|(_expired, option_token)| option_token)
+                    .map_err(|err| {
+                        debug!(?err, "get_usertoken error");
+                    })?;
+
                 let result = client
                     .unix_user_online_auth_step(
                         account_id,
+                        current_token.as_ref(),
                         cred_handler,
                         pam_next_req,
                         hsm_lock.deref_mut(),
@@ -1073,7 +1101,7 @@ impl Resolver {
                     .await;
 
                 match result {
-                    Ok(AuthResult::Success { .. }) => {
+                    Ok(AuthResult::SuccessUpdate { .. } | AuthResult::Success) => {
                         info!(?account_id, "Authentication Success");
                     }
                     Ok(AuthResult::Denied) => {
@@ -1089,17 +1117,29 @@ impl Resolver {
             }
             &mut AuthSession::Offline {
                 ref account_id,
-                id: _,
+                ref id,
                 ref client,
-                ref token,
+                ref session_token,
                 ref mut cred_handler,
             } => {
+                // This is not used in the authentication, but is so that any new
+                // extra keys or data on the token are updated correctly if the authentication
+                // requests an update. Since we hold the hsm_lock, no other task can
+                // update this token between now and completion of the fn.
+                let current_token = self
+                    .get_cached_usertoken(id)
+                    .await
+                    .map(|(_expired, option_token)| option_token)
+                    .map_err(|err| {
+                        debug!(?err, "get_usertoken error");
+                    })?;
+
                 // We are offline, continue. Remember, authsession should have
                 // *everything you need* to proceed here!
-                let mut hsm_lock = self.hsm.lock().await;
                 let result = client
                     .unix_user_offline_auth_step(
-                        token,
+                        current_token.as_ref(),
+                        session_token,
                         cred_handler,
                         pam_next_req,
                         hsm_lock.deref_mut(),
@@ -1107,7 +1147,7 @@ impl Resolver {
                     .await;
 
                 match result {
-                    Ok(AuthResult::Success { .. }) => {
+                    Ok(AuthResult::SuccessUpdate { .. } | AuthResult::Success) => {
                         info!(?account_id, "Authentication Success");
                     }
                     Ok(AuthResult::Denied) => {
@@ -1158,8 +1198,13 @@ impl Resolver {
 
         match maybe_err {
             // What did the provider direct us to do next?
-            Ok(AuthResult::Success { mut token }) => {
-                self.set_cache_usertoken(&mut token).await?;
+            Ok(AuthResult::Success) => {
+                *auth_session = AuthSession::Success;
+                Ok(PamAuthResponse::Success)
+            }
+            Ok(AuthResult::SuccessUpdate { mut new_token }) => {
+                self.set_cache_usertoken(&mut new_token, hsm_lock.deref_mut())
+                    .await?;
                 *auth_session = AuthSession::Success;
 
                 Ok(PamAuthResponse::Success)

unix_integration/resolver/src/unix_config.rs

@@ -1,538 +0,0 @@
-use std::env;
-use std::fmt::{Display, Formatter};
-use std::fs::File;
-use std::io::{ErrorKind, Read};
-use std::path::{Path, PathBuf};
-
-#[cfg(all(target_family = "unix", feature = "selinux"))]
-use crate::selinux_util;
-use kanidm_unix_common::unix_passwd::UnixIntegrationError;
-
-pub(crate) use kanidm_unix_common::unix_config::{HomeAttr, UidAttr};
-
-use serde::Deserialize;
-
-use kanidm_unix_common::constants::*;
-
-// Allowed as the large enum is only short lived at startup to the true config
-#[allow(clippy::large_enum_variant)]
-// This bit of magic lets us deserialise the old config and the new versions.
-#[derive(Debug, Deserialize)]
-#[serde(untagged)]
-enum ConfigUntagged {
-    Versioned(ConfigVersion),
-    Legacy(ConfigInt),
-}
-
-#[derive(Debug, Deserialize)]
-#[serde(tag = "version")]
-enum ConfigVersion {
-    #[serde(rename = "2")]
-    V2 {
-        #[serde(flatten)]
-        values: ConfigV2,
-    },
-}
-
-#[derive(Debug, Deserialize)]
-#[serde(deny_unknown_fields)]
-struct ConfigV2 {
-    cache_db_path: Option<String>,
-    sock_path: Option<String>,
-    task_sock_path: Option<String>,
-
-    cache_timeout: Option<u64>,
-
-    default_shell: Option<String>,
-    home_prefix: Option<String>,
-    home_mount_prefix: Option<String>,
-    home_attr: Option<String>,
-    home_alias: Option<String>,
-    use_etc_skel: Option<bool>,
-    uid_attr_map: Option<String>,
-    gid_attr_map: Option<String>,
-    selinux: Option<bool>,
-
-    hsm_pin_path: Option<String>,
-    hsm_type: Option<String>,
-    tpm_tcti_name: Option<String>,
-
-    kanidm: Option<KanidmConfigV2>,
-}
-
-#[derive(Clone, Debug, Deserialize)]
-pub struct GroupMap {
-    pub local: String,
-    pub with: String,
-}
-
-#[derive(Debug, Deserialize)]
-struct KanidmConfigV2 {
-    conn_timeout: Option<u64>,
-    request_timeout: Option<u64>,
-    pam_allowed_login_groups: Option<Vec<String>>,
-    #[serde(default)]
-    map_group: Vec<GroupMap>,
-}
-
-#[derive(Debug, Deserialize)]
-struct ConfigInt {
-    db_path: Option<String>,
-    sock_path: Option<String>,
-    task_sock_path: Option<String>,
-    conn_timeout: Option<u64>,
-    request_timeout: Option<u64>,
-    cache_timeout: Option<u64>,
-    pam_allowed_login_groups: Option<Vec<String>>,
-    default_shell: Option<String>,
-    home_prefix: Option<String>,
-    home_mount_prefix: Option<String>,
-    home_attr: Option<String>,
-    home_alias: Option<String>,
-    use_etc_skel: Option<bool>,
-    uid_attr_map: Option<String>,
-    gid_attr_map: Option<String>,
-    selinux: Option<bool>,
-    #[serde(default)]
-    allow_local_account_override: Vec<String>,
-
-    hsm_pin_path: Option<String>,
-    hsm_type: Option<String>,
-    tpm_tcti_name: Option<String>,
-
-    // Detect and warn on values in these places.
-    #[serde(default)]
-    cache_db_path: Option<toml::value::Value>,
-    #[serde(default)]
-    kanidm: Option<toml::value::Value>,
-}
-
-#[derive(Debug, Clone, Default)]
-pub enum HsmType {
-    #[cfg_attr(not(feature = "tpm"), default)]
-    Soft,
-    #[cfg_attr(feature = "tpm", default)]
-    TpmIfPossible,
-    Tpm,
-}
-
-impl Display for HsmType {
-    fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
-        match self {
-            HsmType::Soft => write!(f, "Soft"),
-            HsmType::TpmIfPossible => write!(f, "Tpm if possible"),
-            HsmType::Tpm => write!(f, "Tpm"),
-        }
-    }
-}
-
-#[derive(Debug)]
-pub struct UnixdConfig {
-    pub cache_db_path: String,
-    pub sock_path: String,
-    pub task_sock_path: String,
-    pub cache_timeout: u64,
-    pub unix_sock_timeout: u64,
-    pub default_shell: String,
-    pub home_prefix: PathBuf,
-    pub home_mount_prefix: Option<PathBuf>,
-    pub home_attr: HomeAttr,
-    pub home_alias: Option<HomeAttr>,
-    pub use_etc_skel: bool,
-    pub uid_attr_map: UidAttr,
-    pub gid_attr_map: UidAttr,
-    pub selinux: bool,
-    pub hsm_type: HsmType,
-    pub hsm_pin_path: String,
-    pub tpm_tcti_name: String,
-
-    pub kanidm_config: Option<KanidmConfig>,
-}
-
-#[derive(Debug)]
-pub struct KanidmConfig {
-    pub conn_timeout: u64,
-    pub request_timeout: u64,
-    pub pam_allowed_login_groups: Vec<String>,
-    pub map_group: Vec<GroupMap>,
-}
-
-impl Default for UnixdConfig {
-    fn default() -> Self {
-        UnixdConfig::new()
-    }
-}
-
-impl Display for UnixdConfig {
-    fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
-        writeln!(f, "cache_db_path: {}", &self.cache_db_path)?;
-        writeln!(f, "sock_path: {}", self.sock_path)?;
-        writeln!(f, "task_sock_path: {}", self.task_sock_path)?;
-        writeln!(f, "unix_sock_timeout: {}", self.unix_sock_timeout)?;
-        writeln!(f, "cache_timeout: {}", self.cache_timeout)?;
-        writeln!(f, "default_shell: {}", self.default_shell)?;
-        writeln!(f, "home_prefix: {:?}", self.home_prefix)?;
-        match self.home_mount_prefix.as_deref() {
-            Some(val) => writeln!(f, "home_mount_prefix: {:?}", val)?,
-            None => writeln!(f, "home_mount_prefix: unset")?,
-        }
-        writeln!(f, "home_attr: {}", self.home_attr)?;
-        match self.home_alias {
-            Some(val) => writeln!(f, "home_alias: {}", val)?,
-            None => writeln!(f, "home_alias: unset")?,
-        }
-
-        writeln!(f, "uid_attr_map: {}", self.uid_attr_map)?;
-        writeln!(f, "gid_attr_map: {}", self.gid_attr_map)?;
-
-        writeln!(f, "hsm_type: {}", self.hsm_type)?;
-        writeln!(f, "tpm_tcti_name: {}", self.tpm_tcti_name)?;
-
-        writeln!(f, "selinux: {}", self.selinux)?;
-
-        if let Some(kconfig) = &self.kanidm_config {
-            writeln!(f, "kanidm: enabled")?;
-            writeln!(
-                f,
-                "kanidm pam_allowed_login_groups: {:#?}",
-                kconfig.pam_allowed_login_groups
-            )?;
-            writeln!(f, "kanidm conn_timeout: {}", kconfig.conn_timeout)?;
-            writeln!(f, "kanidm request_timeout: {}", kconfig.request_timeout)?;
-        } else {
-            writeln!(f, "kanidm: disabled")?;
-        };
-
-        Ok(())
-    }
-}
-
-impl UnixdConfig {
-    pub fn new() -> Self {
-        let cache_db_path = match env::var("KANIDM_CACHE_DB_PATH") {
-            Ok(val) => val,
-            Err(_) => DEFAULT_CACHE_DB_PATH.into(),
-        };
-        let hsm_pin_path = match env::var("KANIDM_HSM_PIN_PATH") {
-            Ok(val) => val,
-            Err(_) => DEFAULT_HSM_PIN_PATH.into(),
-        };
-
-        UnixdConfig {
-            cache_db_path,
-            sock_path: DEFAULT_SOCK_PATH.to_string(),
-            task_sock_path: DEFAULT_TASK_SOCK_PATH.to_string(),
-            unix_sock_timeout: DEFAULT_CONN_TIMEOUT * 2,
-            cache_timeout: DEFAULT_CACHE_TIMEOUT,
-            default_shell: DEFAULT_SHELL.to_string(),
-            home_prefix: DEFAULT_HOME_PREFIX.into(),
-            home_mount_prefix: None,
-            home_attr: DEFAULT_HOME_ATTR,
-            home_alias: DEFAULT_HOME_ALIAS,
-            use_etc_skel: DEFAULT_USE_ETC_SKEL,
-            uid_attr_map: DEFAULT_UID_ATTR_MAP,
-            gid_attr_map: DEFAULT_GID_ATTR_MAP,
-            selinux: DEFAULT_SELINUX,
-            hsm_pin_path,
-            hsm_type: HsmType::default(),
-            tpm_tcti_name: DEFAULT_TPM_TCTI_NAME.to_string(),
-
-            kanidm_config: None,
-        }
-    }
-
-    pub fn read_options_from_optional_config<P: AsRef<Path> + std::fmt::Debug>(
-        self,
-        config_path: P,
-    ) -> Result<Self, UnixIntegrationError> {
-        debug!("Attempting to load configuration from {:#?}", &config_path);
-        let mut f = match File::open(&config_path) {
-            Ok(f) => {
-                debug!("Successfully opened configuration file {:#?}", &config_path);
-                f
-            }
-            Err(e) => {
-                match e.kind() {
-                    ErrorKind::NotFound => {
-                        debug!(
-                            "Configuration file {:#?} not found, skipping.",
-                            &config_path
-                        );
-                    }
-                    ErrorKind::PermissionDenied => {
-                        warn!(
-                            "Permission denied loading configuration file {:#?}, skipping.",
-                            &config_path
-                        );
-                    }
-                    _ => {
-                        debug!(
-                            "Unable to open config file {:#?} [{:?}], skipping ...",
-                            &config_path, e
-                        );
-                    }
-                };
-                return Ok(self);
-            }
-        };
-
-        let mut contents = String::new();
-        f.read_to_string(&mut contents).map_err(|e| {
-            error!("{:?}", e);
-            UnixIntegrationError
-        })?;
-
-        let config: ConfigUntagged = toml::from_str(contents.as_str()).map_err(|e| {
-            error!("{:?}", e);
-            UnixIntegrationError
-        })?;
-
-        match config {
-            ConfigUntagged::Legacy(config) => self.apply_from_config_legacy(config),
-            ConfigUntagged::Versioned(ConfigVersion::V2 { values }) => {
-                self.apply_from_config_v2(values)
-            }
-        }
-    }
-
-    fn apply_from_config_legacy(self, config: ConfigInt) -> Result<Self, UnixIntegrationError> {
-        if config.kanidm.is_some() || config.cache_db_path.is_some() {
-            error!("You are using version=\"2\" options in a legacy config. THESE WILL NOT WORK.");
-            return Err(UnixIntegrationError);
-        }
-
-        let map_group = config
-            .allow_local_account_override
-            .iter()
-            .map(|name| GroupMap {
-                local: name.clone(),
-                with: name.clone(),
-            })
-            .collect();
-
-        let kanidm_config = Some(KanidmConfig {
-            conn_timeout: config.conn_timeout.unwrap_or(DEFAULT_CONN_TIMEOUT),
-            request_timeout: config.request_timeout.unwrap_or(DEFAULT_CONN_TIMEOUT * 2),
-            pam_allowed_login_groups: config.pam_allowed_login_groups.unwrap_or_default(),
-            map_group,
-        });
-
-        // Now map the values into our config.
-        Ok(UnixdConfig {
-            cache_db_path: config.db_path.unwrap_or(self.cache_db_path),
-            sock_path: config.sock_path.unwrap_or(self.sock_path),
-            task_sock_path: config.task_sock_path.unwrap_or(self.task_sock_path),
-            unix_sock_timeout: DEFAULT_CONN_TIMEOUT * 2,
-            cache_timeout: config.cache_timeout.unwrap_or(self.cache_timeout),
-            default_shell: config.default_shell.unwrap_or(self.default_shell),
-            home_prefix: config
-                .home_prefix
-                .map(|p| p.into())
-                .unwrap_or(self.home_prefix.clone()),
-            home_mount_prefix: config.home_mount_prefix.map(|p| p.into()),
-            home_attr: config
-                .home_attr
-                .and_then(|v| match v.as_str() {
-                    "uuid" => Some(HomeAttr::Uuid),
-                    "spn" => Some(HomeAttr::Spn),
-                    "name" => Some(HomeAttr::Name),
-                    _ => {
-                        warn!("Invalid home_attr configured, using default ...");
-                        None
-                    }
-                })
-                .unwrap_or(self.home_attr),
-            home_alias: config
-                .home_alias
-                .and_then(|v| match v.as_str() {
-                    "none" => Some(None),
-                    "uuid" => Some(Some(HomeAttr::Uuid)),
-                    "spn" => Some(Some(HomeAttr::Spn)),
-                    "name" => Some(Some(HomeAttr::Name)),
-                    _ => {
-                        warn!("Invalid home_alias configured, using default ...");
-                        None
-                    }
-                })
-                .unwrap_or(self.home_alias),
-            use_etc_skel: config.use_etc_skel.unwrap_or(self.use_etc_skel),
-            uid_attr_map: config
-                .uid_attr_map
-                .and_then(|v| match v.as_str() {
-                    "spn" => Some(UidAttr::Spn),
-                    "name" => Some(UidAttr::Name),
-                    _ => {
-                        warn!("Invalid uid_attr_map configured, using default ...");
-                        None
-                    }
-                })
-                .unwrap_or(self.uid_attr_map),
-            gid_attr_map: config
-                .gid_attr_map
-                .and_then(|v| match v.as_str() {
-                    "spn" => Some(UidAttr::Spn),
-                    "name" => Some(UidAttr::Name),
-                    _ => {
-                        warn!("Invalid gid_attr_map configured, using default ...");
-                        None
-                    }
-                })
-                .unwrap_or(self.gid_attr_map),
-            selinux: match config.selinux.unwrap_or(self.selinux) {
-                #[cfg(all(target_family = "unix", feature = "selinux"))]
-                true => selinux_util::supported(),
-                _ => false,
-            },
-            hsm_pin_path: config.hsm_pin_path.unwrap_or(self.hsm_pin_path),
-            hsm_type: config
-                .hsm_type
-                .and_then(|v| match v.as_str() {
-                    "soft" => Some(HsmType::Soft),
-                    "tpm_if_possible" => Some(HsmType::TpmIfPossible),
-                    "tpm" => Some(HsmType::Tpm),
-                    _ => {
-                        warn!("Invalid hsm_type configured, using default ...");
-                        None
-                    }
-                })
-                .unwrap_or(self.hsm_type),
-            tpm_tcti_name: config
-                .tpm_tcti_name
-                .unwrap_or(DEFAULT_TPM_TCTI_NAME.to_string()),
-            kanidm_config,
-        })
-    }
-
-    fn apply_from_config_v2(self, config: ConfigV2) -> Result<Self, UnixIntegrationError> {
-        let kanidm_config = if let Some(kconfig) = config.kanidm {
-            Some(KanidmConfig {
-                conn_timeout: kconfig.conn_timeout.unwrap_or(DEFAULT_CONN_TIMEOUT),
-                request_timeout: kconfig.request_timeout.unwrap_or(DEFAULT_CONN_TIMEOUT * 2),
-                pam_allowed_login_groups: kconfig.pam_allowed_login_groups.unwrap_or_default(),
-                map_group: kconfig.map_group,
-            })
-        } else {
-            None
-        };
-
-        // Now map the values into our config.
-        Ok(UnixdConfig {
-            cache_db_path: config.cache_db_path.unwrap_or(self.cache_db_path),
-            sock_path: config.sock_path.unwrap_or(self.sock_path),
-            task_sock_path: config.task_sock_path.unwrap_or(self.task_sock_path),
-            unix_sock_timeout: DEFAULT_CONN_TIMEOUT * 2,
-            cache_timeout: config.cache_timeout.unwrap_or(self.cache_timeout),
-            default_shell: config.default_shell.unwrap_or(self.default_shell),
-            home_prefix: config
-                .home_prefix
-                .map(|p| p.into())
-                .unwrap_or(self.home_prefix.clone()),
-            home_mount_prefix: config.home_mount_prefix.map(|p| p.into()),
-            home_attr: config
-                .home_attr
-                .and_then(|v| match v.as_str() {
-                    "uuid" => Some(HomeAttr::Uuid),
-                    "spn" => Some(HomeAttr::Spn),
-                    "name" => Some(HomeAttr::Name),
-                    _ => {
-                        warn!("Invalid home_attr configured, using default ...");
-                        None
-                    }
-                })
-                .unwrap_or(self.home_attr),
-            home_alias: config
-                .home_alias
-                .and_then(|v| match v.as_str() {
-                    "none" => Some(None),
-                    "uuid" => Some(Some(HomeAttr::Uuid)),
-                    "spn" => Some(Some(HomeAttr::Spn)),
-                    "name" => Some(Some(HomeAttr::Name)),
-                    _ => {
-                        warn!("Invalid home_alias configured, using default ...");
-                        None
-                    }
-                })
-                .unwrap_or(self.home_alias),
-            use_etc_skel: config.use_etc_skel.unwrap_or(self.use_etc_skel),
-            uid_attr_map: config
-                .uid_attr_map
-                .and_then(|v| match v.as_str() {
-                    "spn" => Some(UidAttr::Spn),
-                    "name" => Some(UidAttr::Name),
-                    _ => {
-                        warn!("Invalid uid_attr_map configured, using default ...");
-                        None
-                    }
-                })
-                .unwrap_or(self.uid_attr_map),
-            gid_attr_map: config
-                .gid_attr_map
-                .and_then(|v| match v.as_str() {
-                    "spn" => Some(UidAttr::Spn),
-                    "name" => Some(UidAttr::Name),
-                    _ => {
-                        warn!("Invalid gid_attr_map configured, using default ...");
-                        None
-                    }
-                })
-                .unwrap_or(self.gid_attr_map),
-            selinux: match config.selinux.unwrap_or(self.selinux) {
-                #[cfg(all(target_family = "unix", feature = "selinux"))]
-                true => selinux_util::supported(),
-                _ => false,
-            },
-            hsm_pin_path: config.hsm_pin_path.unwrap_or(self.hsm_pin_path),
-            hsm_type: config
-                .hsm_type
-                .and_then(|v| match v.as_str() {
-                    "soft" => Some(HsmType::Soft),
-                    "tpm_if_possible" => Some(HsmType::TpmIfPossible),
-                    "tpm" => Some(HsmType::Tpm),
-                    _ => {
-                        warn!("Invalid hsm_type configured, using default ...");
-                        None
-                    }
-                })
-                .unwrap_or(self.hsm_type),
-            tpm_tcti_name: config
-                .tpm_tcti_name
-                .unwrap_or(DEFAULT_TPM_TCTI_NAME.to_string()),
-            kanidm_config,
-        })
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use std::path::PathBuf;
-
-    use super::*;
-
-    #[test]
-    fn test_load_example_configs() {
-        // Test the various included configs
-
-        let examples_dir = env!("CARGO_MANIFEST_DIR").to_string() + "/../../examples/";
-
-        for file in PathBuf::from(&examples_dir)
-            .canonicalize()
-            .expect(&format!("Can't find examples dir at {}", examples_dir))
-            .read_dir()
-            .expect("Can't read examples dir!")
-        {
-            let file = file.unwrap();
-            let filename = file.file_name().into_string().unwrap();
-            if filename.starts_with("unixd") {
-                print!("Checking that {} parses as a valid config...", filename);
-
-                UnixdConfig::new()
-                    .read_options_from_optional_config(file.path())
-                    .inspect_err(|e| {
-                        println!("Failed to parse: {:?}", e);
-                    })
-                    .expect("Failed to parse!");
-                println!("OK");
-            }
-        }
-    }
-}

unix_integration/resolver/tests/cache_layer_test.rs

@@ -12,13 +12,13 @@ use kanidm_unix_common::constants::{
     DEFAULT_GID_ATTR_MAP, DEFAULT_HOME_ALIAS, DEFAULT_HOME_ATTR, DEFAULT_HOME_PREFIX,
     DEFAULT_SHELL, DEFAULT_UID_ATTR_MAP,
 };
+use kanidm_unix_common::unix_config::{GroupMap, KanidmConfig};
 use kanidm_unix_common::unix_passwd::{CryptPw, EtcGroup, EtcShadow, EtcUser};
 use kanidm_unix_resolver::db::{Cache, Db};
 use kanidm_unix_resolver::idprovider::interface::Id;
 use kanidm_unix_resolver::idprovider::kanidm::KanidmProvider;
 use kanidm_unix_resolver::idprovider::system::SystemProvider;
 use kanidm_unix_resolver::resolver::Resolver;
-use kanidm_unix_resolver::unix_config::{GroupMap, KanidmConfig};
 use kanidmd_core::config::{Configuration, IntegrationTestConfig, ServerRole};
 use kanidmd_core::create_server_core;
 use kanidmd_testkit::{is_free_port, PORT_ALLOC};
@@ -70,7 +70,7 @@ async fn setup_test(fix_fn: Fixture) -> (Resolver, KanidmClient) {
     });
 
     // Setup the config ...
-    let mut config = Configuration::new();
+    let mut config = Configuration::new_for_test();
     config.address = format!("127.0.0.1:{}", port);
     config.integration_test_config = Some(int_config);
     config.role = ServerRole::WriteReplicaNoUI;