mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-06-01 05:43:55 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

Compare commits

...

29 commits
e2ac02316d ... 3e8267deeb

Author SHA1 Message Date
Merlijn 3e8267deeb
Merge 6b917f2683 into 9611a7f976 2025-02-20 23:05:27 -05:00
Sebastiano Tocci 9611a7f976
Fixes : add configurable maximum queryable attributes for LDAP () 2025-02-21 12:14:47 +10:00
ToxicMushroom 6b917f2683
Of course I ran clippy and fmt in a subdir before, classic 2025-02-15 01:29:03 +01:00
ToxicMushroom 404fc9fe47
Add ScimPerson, missing attributes to the UI and clean up navigation 
Remove AccountInfo
 2025-02-15 01:25:59 +01:00
ToxicMushroom 503738f34d
Use tracing to log scim entry attribute functions failing due to mismatched types 2025-02-14 04:25:11 +01:00
ToxicMushroom 9538787ef9
Throw out groups from this pr 
Remove log crate
Remove admin from navbar and associated accessinfo struct thing
 2025-02-14 04:18:01 +01:00
ToxicMushroom c1d1d5b643
cargo fmt 2025-02-08 03:19:37 +01:00
ToxicMushroom c79ac57297
Add account viewing 2025-02-08 03:12:59 +01:00
ToxicMushroom c67cc84017
Add ACP, remove the modify impl 2025-02-08 02:30:29 +01:00
ToxicMushroom 84fad18c42
Clean up rebase so it runs again 2025-02-07 17:23:02 +01:00
ToxicMushroom 7a3a55d3f5
Cargo fmt 2025-02-06 22:48:57 +01:00
ToxicMushroom a401bfbabc
remove the js 2025-02-06 22:48:55 +01:00
ToxicMushroom f3b1cca8ab
Apply review suggestion 2025-02-06 22:47:26 +01:00
Merlijn 60a7122e2a
Apply suggestions from code review 
Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
 2025-02-06 22:47:26 +01:00
ToxicMushroom cd9347adc2
Remove overview 2025-02-06 22:47:24 +01:00
ToxicMushroom 791b7e8979
Use new scimReferences for members 2025-02-06 22:46:54 +01:00
ToxicMushroom c3f49cfd6d
Move more to scim 2025-02-06 22:45:11 +01:00
ToxicMushroom 710ed1c68c
interim remove update stuff 2025-02-06 22:43:36 +01:00
ToxicMushroom c8f8c8da38
use suggested name 2025-02-06 22:43:36 +01:00
ToxicMushroom 4b13f6a195
feature flag for the admin access 2025-02-06 22:43:35 +01:00
ToxicMushroom 8b77be28e9
Scim getters for accounts 2025-02-06 22:42:37 +01:00
ToxicMushroom 71c3003966
General save prog 2025-02-06 22:41:47 +01:00
ToxicMushroom 5f84fc6085
Add email 2025-02-06 20:58:18 +01:00
ToxicMushroom 09852030db
Add member 2025-02-06 20:58:18 +01:00
ToxicMushroom 8e9f5e103d
Doing ui 2025-02-06 20:58:18 +01:00
ToxicMushroom 4f2747ff83
group view base 2025-02-06 20:58:18 +01:00
ToxicMushroom 15cf895356
add navigation 2025-02-06 20:58:18 +01:00
ToxicMushroom 6158e998f7
More scaffolding for groups 2025-02-06 20:58:18 +01:00
ToxicMushroom 4c8f72925c
Some progress on admin ui for managing groups and users 2025-02-06 20:56:48 +01:00
39 changed files with 827 additions and 36 deletions

1
Cargo.lock generated
View file

@ -3006,6 +3006,7 @@ dependencies = [
"sshkey-attest",
"sshkeys",
"time",
"tracing",
"url",
"urlencoding",
"utoipa",

16
libs/client/src/lib.rs
View file

@ -30,8 +30,8 @@ use compact_jwt::Jwk;
use kanidm_proto::constants::uri::V1_AUTH_VALID;
use kanidm_proto::constants::{
ATTR_DOMAIN_DISPLAY_NAME, ATTR_DOMAIN_LDAP_BASEDN, ATTR_DOMAIN_SSID, ATTR_ENTRY_MANAGED_BY,
ATTR_KEY_ACTION_REVOKE, ATTR_LDAP_ALLOW_UNIX_PW_BIND, ATTR_NAME, CLIENT_TOKEN_CACHE, KOPID,
KSESSIONID, KVERSION,
ATTR_KEY_ACTION_REVOKE, ATTR_LDAP_ALLOW_UNIX_PW_BIND, ATTR_LDAP_MAX_QUERYABLE_ATTRS, ATTR_NAME,
CLIENT_TOKEN_CACHE, KOPID, KSESSIONID, KVERSION,
};
use kanidm_proto::internal::*;
use kanidm_proto::v1::*;
@ -2082,6 +2082,18 @@ impl KanidmClient {
.await
}
/// Sets the maximum number of LDAP attributes that can be queryed in a single operation
pub async fn idm_domain_set_ldap_max_queryable_attrs(
&self,
max_queryable_attrs: usize,
) -> Result<(), ClientError> {
self.perform_put_request(
&format!("/v1/domain/_attr/{}", ATTR_LDAP_MAX_QUERYABLE_ATTRS),
vec![max_queryable_attrs.to_string()],
)
.await
}
pub async fn idm_set_ldap_allow_unix_password_bind(
&self,
enable: bool,

1
proto/Cargo.toml
View file

@ -38,6 +38,7 @@ uuid = { workspace = true, features = ["serde"] }
webauthn-rs-proto = { workspace = true }
sshkey-attest = { workspace = true }
sshkeys = { workspace = true }
tracing = { workspace = true }
[dev-dependencies]
enum-iterator = { workspace = true }

3
proto/src/attribute.rs
View file

@ -94,6 +94,7 @@ pub enum Attribute {
LdapEmailAddress,
/// An LDAP Compatible sshkeys virtual attribute
LdapKeys,
LdapMaxQueryableAttrs,
LegalName,
LimitSearchMaxResults,
LimitSearchMaxFilterTest,
@ -322,6 +323,7 @@ impl Attribute {
Attribute::LdapAllowUnixPwBind => ATTR_LDAP_ALLOW_UNIX_PW_BIND,
Attribute::LdapEmailAddress => ATTR_LDAP_EMAIL_ADDRESS,
Attribute::LdapKeys => ATTR_LDAP_KEYS,
Attribute::LdapMaxQueryableAttrs => ATTR_LDAP_MAX_QUERYABLE_ATTRS,
Attribute::LdapSshPublicKey => ATTR_LDAP_SSHPUBLICKEY,
Attribute::LegalName => ATTR_LEGALNAME,
Attribute::LimitSearchMaxResults => ATTR_LIMIT_SEARCH_MAX_RESULTS,
@ -505,6 +507,7 @@ impl Attribute {
ATTR_LDAP_ALLOW_UNIX_PW_BIND => Attribute::LdapAllowUnixPwBind,
ATTR_LDAP_EMAIL_ADDRESS => Attribute::LdapEmailAddress,
ATTR_LDAP_KEYS => Attribute::LdapKeys,
ATTR_LDAP_MAX_QUERYABLE_ATTRS => Attribute::LdapMaxQueryableAttrs,
ATTR_SSH_PUBLICKEY => Attribute::SshPublicKey,
ATTR_LEGALNAME => Attribute::LegalName,
ATTR_LINKEDGROUP => Attribute::LinkedGroup,

3
proto/src/constants.rs
View file

@ -39,6 +39,8 @@ pub const DEFAULT_SERVER_ADDRESS: &str = "127.0.0.1:8443";
pub const DEFAULT_SERVER_LOCALHOST: &str = "localhost:8443";
/// The default LDAP bind address for the Kanidm client
pub const DEFAULT_LDAP_LOCALHOST: &str = "localhost:636";
/// The default amount of attributes that can be queried in LDAP
pub const DEFAULT_LDAP_MAXIMUM_QUERYABLE_ATTRIBUTES: usize = 16;
/// Default replication configuration
pub const DEFAULT_REPLICATION_ADDRESS: &str = "127.0.0.1:8444";
pub const DEFAULT_REPLICATION_ORIGIN: &str = "repl://localhost:8444";
@ -102,6 +104,7 @@ pub const ATTR_DYNGROUP_FILTER: &str = "dyngroup_filter";
pub const ATTR_DYNGROUP: &str = "dyngroup";
pub const ATTR_DYNMEMBER: &str = "dynmember";
pub const ATTR_LDAP_EMAIL_ADDRESS: &str = "emailaddress";
pub const ATTR_LDAP_MAX_QUERYABLE_ATTRS: &str = "ldap_max_queryable_attrs";
pub const ATTR_EMAIL_ALTERNATIVE: &str = "emailalternative";
pub const ATTR_EMAIL_PRIMARY: &str = "emailprimary";
pub const ATTR_EMAIL: &str = "email";

141
proto/src/scim_v1/server.rs
View file

@ -3,12 +3,14 @@ use super::ScimOauth2ClaimMapJoinChar;
use super::ScimSshPublicKey;
use crate::attribute::Attribute;
use crate::internal::UiHint;
use crate::v1::AccountType;
use scim_proto::ScimEntryHeader;
use serde::Serialize;
use serde::{Deserialize, Serialize};
use serde_with::{base64, formats, hex::Hex, serde_as, skip_serializing_none};
use std::collections::{BTreeMap, BTreeSet};
use time::format_description::well_known::Rfc3339;
use time::OffsetDateTime;
use tracing::debug;
use url::Url;
use utoipa::ToSchema;
use uuid::Uuid;
@ -28,7 +30,7 @@ pub struct ScimEntryKanidm {
pub attrs: BTreeMap<Attribute, ScimValueKanidm>,
}
#[derive(Serialize, Debug, Clone, ToSchema)]
#[derive(Serialize, Deserialize, Debug, Clone, ToSchema)]
pub enum ScimAttributeEffectiveAccess {
/// All attributes on the entry have this permission granted
Grant,
@ -49,7 +51,7 @@ impl ScimAttributeEffectiveAccess {
}
}
#[derive(Serialize, Debug, Clone, ToSchema)]
#[derive(Serialize, Deserialize, Debug, Clone, ToSchema)]
#[serde(rename_all = "camelCase")]
pub struct ScimEffectiveAccess {
/// The identity that inherits the effective permission
@ -209,7 +211,7 @@ pub struct ScimOAuth2ClaimMap {
pub values: BTreeSet<String>,
}
#[derive(Serialize, Debug, Clone, PartialEq, Eq, ToSchema)]
#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, ToSchema)]
#[serde(rename_all = "camelCase")]
pub struct ScimReference {
pub uuid: Uuid,
@ -257,6 +259,137 @@ pub enum ScimValueKanidm {
UiHints(Vec<UiHint>),
}
#[serde_as]
#[derive(Serialize, Deserialize, Debug, Clone, ToSchema)]
pub struct ScimPerson {
pub uuid: Uuid,
pub account_type: AccountType,
pub name: String,
pub displayname: Option<String>,
pub spn: String,
pub description: Option<String>,
pub mails: Vec<ScimMail>,
pub managed_by: Option<ScimReference>,
pub groups: Vec<ScimReference>,
}
impl TryFrom<ScimEntryKanidm> for ScimPerson {
type Error = ();
fn try_from(scim_entry: ScimEntryKanidm) -> Result<Self, Self::Error> {
let uuid = scim_entry.header.id;
scim_entry.account_type();
let name = scim_entry.attr_str(&Attribute::Name).ok_or(())?.to_string();
let displayname = scim_entry
.attr_str(&Attribute::DisplayName)
.map(|s| s.to_string());
let spn = scim_entry.attr_str(&Attribute::Spn).ok_or(())?.to_string();
let description = scim_entry
.attr_str(&Attribute::Description)
.map(|t| t.to_string());
let mails = scim_entry.attr_mails().cloned().unwrap_or_default();
let groups = scim_entry
.attr_references(&Attribute::DirectMemberOf)
.cloned()
.unwrap_or(vec![]);
let managed_by = scim_entry
.attr_reference(&Attribute::EntryManagedBy)
.cloned();
Ok(ScimPerson {
uuid,
account_type: AccountType::Person,
name,
displayname,
spn,
description,
mails,
managed_by,
groups,
})
}
}
impl ScimEntryKanidm {
pub fn account_type(&self) -> Option<AccountType> {
match self.attrs.get(&Attribute::Class) {
Some(ScimValueKanidm::ArrayString(classes)) => {
if classes.contains(&format!("{}", AccountType::Person)) {
Some(AccountType::Person)
} else if classes.contains(&format!("{}", AccountType::ServiceAccount)) {
Some(AccountType::ServiceAccount)
} else {
None
}
}
Some(sv) => {
debug!("SCIM entry had the Attribute::Class attribute but it was not a ScimValueKanidm::ArrayString type, actual: {:?}", sv);
None
}
None => {
debug!("SCIM entry with no classes ??");
None
}
}
}
pub fn attr_str(&self, attr: &Attribute) -> Option<&str> {
match self.attrs.get(attr) {
Some(ScimValueKanidm::String(inner_string)) => Some(inner_string.as_str()),
Some(sv) => {
debug!("SCIM entry had the {} attribute but it was not a ScimValueKanidm::String type, actual: {:?}", attr, sv);
None
}
None => None,
}
}
pub fn attr_bool(&self, attr: &Attribute) -> Option<&bool> {
match self.attrs.get(attr) {
Some(ScimValueKanidm::Bool(inner_bool)) => Some(inner_bool),
Some(sv) => {
debug!("SCIM entry had the {} attribute but it was not a ScimValueKanidm::Bool type, actual: {:?}", attr, sv);
None
}
None => None,
}
}
pub fn attr_mails(&self) -> Option<&Vec<ScimMail>> {
match self.attrs.get(&Attribute::Mail) {
Some(ScimValueKanidm::Mail(inner_string)) => Some(inner_string),
Some(sv) => {
debug!("SCIM entry had the {} attribute but it was not a ScimValueKanidm::Mail type, actual: {:?}", Attribute::Mail, sv);
None
}
None => None,
}
}
pub fn attr_reference(&self, attr: &Attribute) -> Option<&ScimReference> {
match self.attrs.get(attr) {
Some(ScimValueKanidm::EntryReference(refer)) => Some(refer),
Some(sv) => {
debug!("SCIM entry had the {} attribute but it was not a ScimValueKanidm::ScimReference type, actual: {:?}", attr, sv);
None
}
None => None,
}
}
pub fn attr_references(&self, attr: &Attribute) -> Option<&Vec<ScimReference>> {
match self.attrs.get(attr) {
Some(ScimValueKanidm::EntryReferences(refs)) => Some(refs),
Some(sv) => {
debug!("SCIM entry had the {} attribute but it was not a ScimValueKanidm::EntryReferences type, actual: {:?}", attr, sv);
None
}
None => None,
}
}
}
impl From<bool> for ScimValueKanidm {
fn from(b: bool) -> Self {
Self::Bool(b)

2
proto/src/v1/mod.rs
View file

@ -19,7 +19,7 @@ pub use self::auth::*;
pub use self::unix::*;
/// The type of Account in use.
#[derive(Clone, Copy, Debug, ToSchema)]
#[derive(Serialize, Deserialize, Clone, Copy, Debug, ToSchema)]
pub enum AccountType {
Person,
ServiceAccount,

32
server/core/src/actors/v1_scim.rs
View file

@ -7,6 +7,7 @@ use kanidmd_lib::idm::scim::{
};
use kanidmd_lib::idm::server::IdmServerTransaction;
use kanidmd_lib::prelude::*;
use std::collections::BTreeSet;
impl QueryServerWriteV1 {
#[instrument(
@ -229,4 +230,35 @@ impl QueryServerReadV1 {
.qs_read
.scim_entry_id_get_ext(target_uuid, class, query, ident)
}
#[instrument(
level = "info",
skip_all,
fields(uuid = ?eventid)
)]
pub async fn scim_entry_search(
&self,
client_auth_info: ClientAuthInfo,
filter_intent: Filter<FilterInvalid>,
eventid: Uuid,
attrs: Option<BTreeSet<Attribute>>,
acp: bool,
) -> Result<Vec<ScimEntryKanidm>, OperationError> {
let ct = duration_from_epoch_now();
let mut idms_prox_read = self.idms.proxy_read().await?;
let ident = idms_prox_read
.validate_client_auth_info_to_ident(client_auth_info, ct)
.inspect_err(|err| {
error!(?err, "Invalid identity");
})?;
let filter = filter_all!(f_and!([f_eq(Attribute::Class, EntryClass::Account.into())]));
idms_prox_read
.qs_read
.impersonate_search_ext(filter_intent, filter, &ident, attrs, acp)?
.into_iter()
.map(|entry| entry.to_scim_kanidm(&mut idms_prox_read.qs_read))
.collect()
}
}

1
server/core/src/config.rs
View file

@ -116,7 +116,6 @@ pub struct ServerConfig {
///
/// If unset, the LDAP server will be disabled.
pub ldapbindaddress: Option<String>,
/// The role of this server, one of write_replica, write_replica_no_ui, read_only_replica, defaults to [ServerRole::WriteReplica]
#[serde(default)]
pub role: ServerRole,

185
server/core/src/https/views/admin/accounts.rs Normal file
View file

@ -0,0 +1,185 @@
use crate::https::extractors::{DomainInfo, VerifiedClientInformation};
use crate::https::middleware::KOpId;
use crate::https::views::errors::HtmxError;
use crate::https::views::navbar::NavbarCtx;
use crate::https::views::Urls;
use crate::https::ServerState;
use askama::Template;
use axum::extract::{Path, State};
use axum::http::Uri;
use axum::response::{ErrorResponse, IntoResponse, Response};
use axum::Extension;
use axum_htmx::{HxPushUrl, HxRequest};
use futures_util::TryFutureExt;
use kanidm_proto::attribute::Attribute;
use kanidm_proto::internal::OperationError;
use kanidm_proto::scim_v1::server::{ScimEffectiveAccess, ScimEntryKanidm, ScimPerson};
use kanidm_proto::scim_v1::ScimEntryGetQuery;
use kanidmd_lib::constants::EntryClass;
use kanidmd_lib::filter::{f_and, f_eq, Filter, FC};
use kanidmd_lib::idm::server::DomainInfoRead;
use kanidmd_lib::idm::ClientAuthInfo;
use std::collections::BTreeSet;
use std::str::FromStr;
use uuid::Uuid;
const ACCOUNT_ATTRIBUTES: [Attribute; 9] = [
Attribute::Uuid,
Attribute::Description,
Attribute::Name,
Attribute::DisplayName,
Attribute::Spn,
Attribute::Mail,
Attribute::Class,
Attribute::EntryManagedBy,
Attribute::DirectMemberOf,
];
#[derive(Template)]
#[template(path = "admin/admin_panel_template.html")]
pub(crate) struct AccountsView {
navbar_ctx: NavbarCtx,
partial: AccountsPartialView,
}
#[derive(Template)]
#[template(path = "admin/admin_accounts_partial.html")]
struct AccountsPartialView {
accounts: Vec<(ScimPerson, ScimEffectiveAccess)>,
}
#[derive(Template)]
#[template(path = "admin/admin_panel_template.html")]
struct AccountView {
partial: AccountViewPartial,
navbar_ctx: NavbarCtx,
}
#[derive(Template)]
#[template(path = "admin/admin_account_view_partial.html")]
struct AccountViewPartial {
account: ScimPerson,
scim_effective_access: ScimEffectiveAccess,
}
pub(crate) async fn view_account_view_get(
State(state): State<ServerState>,
HxRequest(is_htmx): HxRequest,
Extension(kopid): Extension<KOpId>,
VerifiedClientInformation(client_auth_info): VerifiedClientInformation,
Path(uuid): Path<Uuid>,
DomainInfo(domain_info): DomainInfo,
) -> axum::response::Result<Response> {
let (account, scim_effective_access) =
get_account_info(uuid, state, &kopid, client_auth_info, domain_info.clone()).await?;
let accounts_partial = AccountViewPartial {
account,
scim_effective_access,
};
let path_string = format!("/ui/admin/account/{uuid}/view");
let uri = Uri::from_str(path_string.as_str())
.map_err(|_| HtmxError::new(&kopid, OperationError::Backend, domain_info.clone()))?;
let push_url = HxPushUrl(uri);
Ok(if is_htmx {
(push_url, accounts_partial).into_response()
} else {
(
push_url,
AccountView {
partial: accounts_partial,
navbar_ctx: NavbarCtx { domain_info },
},
)
.into_response()
})
}
pub(crate) async fn view_accounts_get(
State(state): State<ServerState>,
HxRequest(is_htmx): HxRequest,
Extension(kopid): Extension<KOpId>,
DomainInfo(domain_info): DomainInfo,
VerifiedClientInformation(client_auth_info): VerifiedClientInformation,
) -> axum::response::Result<Response> {
let accounts = get_accounts_info(state, &kopid, client_auth_info, domain_info.clone()).await?;
let accounts_partial = AccountsPartialView { accounts };
let push_url = HxPushUrl(Uri::from_static("/ui/admin/accounts"));
Ok(if is_htmx {
(push_url, accounts_partial).into_response()
} else {
(
push_url,
AccountsView {
navbar_ctx: NavbarCtx { domain_info },
partial: accounts_partial,
},
)
.into_response()
})
}
async fn get_account_info(
uuid: Uuid,
state: ServerState,
kopid: &KOpId,
client_auth_info: ClientAuthInfo,
domain_info: DomainInfoRead,
) -> Result<(ScimPerson, ScimEffectiveAccess), ErrorResponse> {
let scim_entry: ScimEntryKanidm = state
.qe_r_ref
.scim_entry_id_get(
client_auth_info.clone(),
kopid.eventid,
uuid.to_string(),
EntryClass::Account,
ScimEntryGetQuery {
attributes: Some(Vec::from(ACCOUNT_ATTRIBUTES)),
ext_access_check: true,
},
)
.map_err(|op_err| HtmxError::new(kopid, op_err, domain_info.clone()))
.await?;
if let Some(account_info) = scimentry_into_accountinfo(scim_entry) {
Ok(account_info)
} else {
Err(HtmxError::new(kopid, OperationError::InvalidState, domain_info.clone()).into())
}
}
async fn get_accounts_info(
state: ServerState,
kopid: &KOpId,
client_auth_info: ClientAuthInfo,
domain_info: DomainInfoRead,
) -> Result<Vec<(ScimPerson, ScimEffectiveAccess)>, ErrorResponse> {
let filter = filter_all!(f_and!([f_eq(Attribute::Class, EntryClass::Account.into())]));
let attrs = Some(BTreeSet::from(ACCOUNT_ATTRIBUTES));
let base: Vec<ScimEntryKanidm> = state
.qe_r_ref
.scim_entry_search(client_auth_info.clone(), filter, kopid.eventid, attrs, true)
.map_err(|op_err| HtmxError::new(kopid, op_err, domain_info.clone()))
.await?;
// TODO: inefficient to sort here
let mut accounts: Vec<_> = base
.into_iter()
// TODO: Filtering away unsuccessful entries may not be desired.
.filter_map(scimentry_into_accountinfo)
.collect();
accounts.sort_by_key(|(sp, _)| sp.uuid);
accounts.reverse();
Ok(accounts)
}
fn scimentry_into_accountinfo(
scim_entry: ScimEntryKanidm,
) -> Option<(ScimPerson, ScimEffectiveAccess)> {
let scim_effective_access = scim_entry.ext_access_check.clone()?; // TODO: This should be an error msg.
let account = ScimPerson::try_from(scim_entry).ok()?;
Some((account, scim_effective_access))
}

19
server/core/src/https/views/admin/mod.rs Normal file
View file

@ -0,0 +1,19 @@
use crate::https::ServerState;
use axum::routing::get;
use axum::Router;
use axum_htmx::HxRequestGuardLayer;
mod accounts;
pub fn admin_router() -> Router<ServerState> {
let unguarded_router = Router::new()
.route("/accounts", get(accounts::view_accounts_get))
.route(
"/account/:account_uuid/view",
get(accounts::view_account_view_get),
);
let guarded_router = Router::new().layer(HxRequestGuardLayer::new("/ui"));
Router::new().merge(unguarded_router).merge(guarded_router)
}

16
server/core/src/https/views/apps.rs
View file

@ -45,14 +45,14 @@ pub(crate) async fn view_apps_get(
.await
.map_err(|old| HtmxError::new(&kopid, old, domain_info.clone()))?;
let apps_partial = AppsPartialView { apps: app_links };
Ok({
(
HxPushUrl(Uri::from_static(Urls::Apps.as_ref())),
AppsView {
navbar_ctx: NavbarCtx { domain_info },
apps_partial: AppsPartialView { apps: app_links },
},
)
.into_response()
let apps_view = AppsView {
navbar_ctx: NavbarCtx { domain_info },
apps_partial,
};
(HxPushUrl(Uri::from_static(Urls::Apps.as_ref())), apps_view).into_response()
})
}

1
server/core/src/https/views/enrol.rs
View file

@ -105,6 +105,7 @@ pub(crate) async fn view_enrol_get(
Ok(ProfileView {
navbar_ctx: NavbarCtx { domain_info },
profile_partial: EnrolDeviceView {
menu_active_item: ProfileMenuItems::EnrolDevice,
qr_code_svg,

22
server/core/src/https/views/errors.rs
View file

@ -1,6 +1,6 @@
use axum::http::StatusCode;
use axum::response::{IntoResponse, Redirect, Response};
use axum_htmx::{HxReswap, HxRetarget, SwapOption};
use axum_htmx::{HxEvent, HxResponseTrigger, HxReswap, HxRetarget, SwapOption};
use kanidmd_lib::idm::server::DomainInfoRead;
use utoipa::ToSchema;
use uuid::Uuid;
@ -8,7 +8,7 @@ use uuid::Uuid;
use kanidm_proto::internal::OperationError;
use crate::https::middleware::KOpId;
use crate::https::views::UnrecoverableErrorView;
use crate::https::views::{ErrorToastPartial, UnrecoverableErrorView};
// #[derive(Template)]
// #[template(path = "recoverable_error_partial.html")]
// struct ErrorPartialView {
@ -41,7 +41,23 @@ impl IntoResponse for HtmxError {
| OperationError::SessionExpired
| OperationError::InvalidSessionState => Redirect::to("/ui").into_response(),
OperationError::SystemProtectedObject | OperationError::AccessDenied => {
(StatusCode::FORBIDDEN, body).into_response()
let trigger = HxResponseTrigger::after_swap([HxEvent::new(
"permissionDenied".to_string(),
)]);
(
trigger,
HxRetarget("main".to_string()),
HxReswap(SwapOption::BeforeEnd),
(
StatusCode::FORBIDDEN,
ErrorToastPartial {
err_code: inner,
operation_id: kopid,
},
)
.into_response(),
)
.into_response()
}
OperationError::NoMatchingEntries => {
(StatusCode::NOT_FOUND, body).into_response()

15
server/core/src/https/views/mod.rs
View file

@ -8,6 +8,7 @@ use axum::{
use axum_htmx::HxRequestGuardLayer;
use crate::https::views::admin::admin_router;
use constants::Urls;
use kanidmd_lib::{
idm::server::DomainInfoRead,
@ -16,6 +17,7 @@ use kanidmd_lib::{
use crate::https::ServerState;
mod admin;
mod apps;
pub(crate) mod constants;
mod cookies;
@ -36,6 +38,13 @@ struct UnrecoverableErrorView {
domain_info: DomainInfoRead,
}
#[derive(Template)]
#[template(path = "admin/error_toast.html")]
struct ErrorToastPartial {
err_code: OperationError,
operation_id: Uuid,
}
pub fn view_router() -> Router<ServerState> {
let mut unguarded_router = Router::new()
.route(
@ -122,7 +131,11 @@ pub fn view_router() -> Router<ServerState> {
.route("/api/cu_commit", post(reset::commit))
.layer(HxRequestGuardLayer::new("/ui"));
Router::new().merge(unguarded_router).merge(guarded_router)
let admin_router = admin_router();
Router::new()
.merge(unguarded_router)
.merge(guarded_router)
.nest("/admin", admin_router)
}
/// Serde deserialization decorator to map empty Strings to None,

1
server/core/src/https/views/profile.rs
View file

@ -48,6 +48,7 @@ pub(crate) async fn view_profile_get(
Ok(ProfileView {
navbar_ctx: NavbarCtx { domain_info },
profile_partial: ProfilePartialView {
menu_active_item: ProfileMenuItems::UserProfile,
can_rw,

9
server/core/static/style.css
View file

@ -20,6 +20,15 @@ body {
max-width: 680px;
}
/*
* Bootstrap 5.3 fix for input-group validation
* :has checks that a child can be selected with the selector
* + selects the next sibling.
*/
.was-validated .input-group:has(.form-control:invalid) + .invalid-feedback {
display: block !important;
}
/*
* Sidebar
*/

34
server/core/templates/admin/admin_account_details_partial.html Normal file
View file

@ -0,0 +1,34 @@
(% macro string_attr(dispname, name, value, editable, attribute) %)
(% if scim_effective_access.search.check(attribute|as_ref) %)
<div class="row mt-3">
<label for="account(( name ))" class="col-12 col-md-3 col-lg-2 col-form-label fw-bold py-0">(( dispname ))</label>
<div class="col-12 col-md-8 col-lg-6">
<input readonly class="form-control-plaintext py-0" id="account(( name ))" name="(( name ))" value="(( value ))">
</div>
</div>
(% endif %)
(% endmacro %)
<form hx-validate="true" hx-ext="bs-validation">
(% call string_attr("UUID", "uuid", account.uuid, false, Attribute::Uuid) %)
(% call string_attr("SPN", "spn", account.spn, false, Attribute::Spn) %)
(% call string_attr("Name", "name", account.name, true, Attribute::Name) %)
(% if let Some(displayname) = account.displayname %)
(% call string_attr("Displayname", "displayname", displayname, true, Attribute::DisplayName) %)
(% else %)
(% call string_attr("Displayname", "displayname", "none", true, Attribute::DisplayName) %)
(% endif %)
(% if let Some(description) = account.description %)
(% call string_attr("Description", "description", description, true, Attribute::Description) %)
(% else %)
(% call string_attr("Description", "description", "none", true, Attribute::Description) %)
(% endif %)
(% if let Some(entry_managed_by) = account.managed_by %)
(% call string_attr("Managed By", "managed_by", entry_managed_by.value, true, Attribute::EntryManagedBy) %)
(% else %)
(% call string_attr("Managed By", "managed_by", "none", true, Attribute::EntryManagedBy) %)
(% endif %)
</form>

57
server/core/templates/admin/admin_account_view_partial.html Normal file
View file

@ -0,0 +1,57 @@
(% extends "admin/admin_partial_base.html" %)
(% block accounts_item_extra_classes %)active(% endblock %)
(% block admin_page %)
<nav aria-label="breadcrumb">
<ol class="breadcrumb">
<li class="breadcrumb-item"><a href="/ui/admin/accounts" hx-target="#main">Accounts Management</a></li>
<li class="breadcrumb-item active" aria-current="page">Viewing</li>
</ol>
</nav>
(% include "admin_account_details_partial.html" %)
<hr>
(% if scim_effective_access.search.check(Attribute::Mail|as_ref) %)
<label class="mt-3 fw-bold">Emails</label>
<form hx-validate="true" hx-ext="bs-validation">
(% if account.mails.len() == 0 %)
<p>There are no email addresses associated with this account.</p>
(% else %)
<ol class="list-group col-12 col-md-8 col-lg-6">
(% for mail in account.mails %)
<li id="accountMail(( loop.index ))" class="list-group-item d-flex flex-row justify-content-between">
<div class="d-flex align-items-center">(( mail.value ))</div>
<div class="buttons float-end">
</div>
</li>
(% endfor %)
</ol>
(% endif %)
</form>
(% endif %)
(% if scim_effective_access.search.check(Attribute::DirectMemberOf|as_ref) %)
<label class="mt-3 fw-bold">DirectMemberOf</label>
<form hx-validate="true" hx-ext="bs-validation">
(% if account.groups.len() == 0 %)
<p>There are no groups this account is a direct member of.</p>
(% else %)
<ol class="list-group col-12 col-md-8 col-lg-6">
(% for group in account.groups %)
<li id="accountGroup(( loop.index ))" class="list-group-item d-flex flex-row justify-content-between">
<div class="d-flex align-items-center">(( group.value ))</div>
<div class="buttons float-end">
</div>
</li>
(% endfor %)
</ol>
(% endif %)
</form>
(% endif %)
(% endblock %)

23
server/core/templates/admin/admin_accounts_partial.html Normal file
View file

@ -0,0 +1,23 @@
(% extends "admin/admin_partial_base.html" %)
(% block accounts_item_extra_classes %)active(% endblock %)
(% block admin_page %)
<nav aria-label="breadcrumb">
<ol class="breadcrumb">
<li class="breadcrumb-item active" aria-current="page">Accounts Management</li>
</ol>
</nav>
<ul class="list-group">
(% for (account, _) in accounts %)
<li class="list-group-item d-flex flex-row justify-content-between">
<div class="d-flex align-items-center">
<a href="/ui/admin/account/(( account.uuid ))/view" hx-target="#main">(( account.name ))</a> <span class="text-secondary d-none d-lg-inline-block mx-4">(( account.uuid ))</span>
</div>
<div class="buttons float-end">
</div>
</li>
(% endfor %)
</ul>
(% endblock %)

10
server/core/templates/admin/admin_panel_template.html Normal file
View file

@ -0,0 +1,10 @@
(% extends "base_htmx_with_nav.html" %)
(% block title %)Admin Panel(% endblock %)
(% block head %)
(% endblock %)
(% block main %)
(( partial|safe ))
(% endblock %)

19
server/core/templates/admin/admin_partial_base.html Normal file
View file

@ -0,0 +1,19 @@
<main class="container-xxl pb-5">
<div class="d-flex flex-sm-row flex-column">
<div class="list-group side-menu">
<a href="/ui/admin/accounts" hx-target="#main" class="list-group-item list-group-item-action (% block accounts_item_extra_classes%)(%endblock%)">
<img src="/pkg/img/icon-accounts.svg" alt="Accounts" width="20" height="20">
Accounts</a>
<a href="/ui/admin/groups" hx-target="#main" class="list-group-item list-group-item-action (% block groups_item_extra_classes%)(%endblock%)">
<img src="/pkg/img/icon-groups.svg" alt="Groups" width="20" height="20">
Groups (placeholder)</a>
<a href="/ui/admin/oauth2" hx-target="#main" class="list-group-item list-group-item-action (% block oauth2_item_extra_classes%)(%endblock%)">
<img src="/pkg/img/icon-oauth2.svg" alt="Oauth2" width="20" height="20">
Oauth2 (placeholder)</a>
</div>
<div id="settings-window" class="flex-grow-1 ps-sm-4 pt-sm-0 pt-4">
(% block admin_page %)
(% endblock %)
</div>
</div>
</main>

12
server/core/templates/admin/error_toast.html Normal file
View file

@ -0,0 +1,12 @@
<div class="toast-container position-fixed bottom-0 end-0 p-3">
<div id="permissionDeniedToast" class="toast" role="alert" aria-live="assertive" aria-atomic="true">
<div class="toast-header">
<strong class="me-auto">Error</strong>
<button type="button" class="btn-close" data-bs-dismiss="toast" aria-label="Close"></button>
</div>
<div class="toast-body">
(( err_code )).<br>
OpId: (( operation_id ))
</div>
</div>
</div>

11
server/core/templates/admin/saved_toast.html Normal file
View file

@ -0,0 +1,11 @@
<div class="toast-container position-fixed bottom-0 end-0 p-3">
<div id="savedToast" class="toast" role="alert" aria-live="assertive" aria-atomic="true">
<div class="toast-header">
<strong class="me-auto">Success</strong>
<button type="button" class="btn-close" data-bs-dismiss="toast" aria-label="Close"></button>
</div>
<div class="toast-body">
Saved.
</div>
</div>
</div>

2
server/core/templates/base_htmx_with_nav.html
View file

@ -2,7 +2,9 @@
(% block body %)
(% include "navbar.html" %)
<div id="main">
(% block main %)(% endblock %)
</div>
(% include "signout_modal.html" %)
(% endblock %)

4
server/core/templates/navbar.html
View file

@ -1,4 +1,4 @@
<nav class="navbar navbar-expand-md kanidm_navbar mb-4">
<nav hx-boost="false" class="navbar navbar-expand-md kanidm_navbar mb-4">
<div class="container-lg">
<a class="navbar-brand d-flex align-items-center" href="/ui/apps">
(% if navbar_ctx.domain_info.image().is_some() %)
@ -39,4 +39,4 @@
</ul>
</div>
</div>
</nav>
</nav>

9
server/lib/src/constants/acp.rs
View file

@ -1045,6 +1045,7 @@ lazy_static! {
Attribute::DomainDisplayName,
Attribute::DomainName,
Attribute::DomainLdapBasedn,
Attribute::LdapMaxQueryableAttrs,
Attribute::DomainSsid,
Attribute::DomainUuid,
// Grants read access to the key object.
@ -1058,6 +1059,7 @@ lazy_static! {
Attribute::DomainDisplayName,
Attribute::DomainSsid,
Attribute::DomainLdapBasedn,
Attribute::LdapMaxQueryableAttrs,
Attribute::LdapAllowUnixPwBind,
Attribute::KeyActionRevoke,
Attribute::KeyActionRotate,
@ -1065,6 +1067,7 @@ lazy_static! {
modify_present_attrs: vec![
Attribute::DomainDisplayName,
Attribute::DomainLdapBasedn,
Attribute::LdapMaxQueryableAttrs,
Attribute::DomainSsid,
Attribute::LdapAllowUnixPwBind,
Attribute::KeyActionRevoke,
@ -1100,6 +1103,7 @@ lazy_static! {
Attribute::DomainDisplayName,
Attribute::DomainName,
Attribute::DomainLdapBasedn,
Attribute::LdapMaxQueryableAttrs,
Attribute::DomainSsid,
Attribute::DomainUuid,
Attribute::KeyInternalData,
@ -1111,6 +1115,7 @@ lazy_static! {
Attribute::DomainDisplayName,
Attribute::DomainSsid,
Attribute::DomainLdapBasedn,
Attribute::LdapMaxQueryableAttrs,
Attribute::LdapAllowUnixPwBind,
Attribute::KeyActionRevoke,
Attribute::KeyActionRotate,
@ -1119,6 +1124,7 @@ lazy_static! {
modify_present_attrs: vec![
Attribute::DomainDisplayName,
Attribute::DomainLdapBasedn,
Attribute::LdapMaxQueryableAttrs,
Attribute::DomainSsid,
Attribute::LdapAllowUnixPwBind,
Attribute::KeyActionRevoke,
@ -1156,6 +1162,7 @@ lazy_static! {
Attribute::DomainDisplayName,
Attribute::DomainName,
Attribute::DomainLdapBasedn,
Attribute::LdapMaxQueryableAttrs,
Attribute::DomainSsid,
Attribute::DomainUuid,
Attribute::KeyInternalData,
@ -1167,6 +1174,7 @@ lazy_static! {
Attribute::DomainDisplayName,
Attribute::DomainSsid,
Attribute::DomainLdapBasedn,
Attribute::LdapMaxQueryableAttrs,
Attribute::DomainAllowEasterEggs,
Attribute::LdapAllowUnixPwBind,
Attribute::KeyActionRevoke,
@ -1176,6 +1184,7 @@ lazy_static! {
modify_present_attrs: vec![
Attribute::DomainDisplayName,
Attribute::DomainLdapBasedn,
Attribute::LdapMaxQueryableAttrs,
Attribute::DomainSsid,
Attribute::DomainAllowEasterEggs,
Attribute::LdapAllowUnixPwBind,

12
server/lib/src/constants/schema.rs
View file

@ -167,6 +167,17 @@ pub static ref SCHEMA_ATTR_DOMAIN_LDAP_BASEDN: SchemaAttribute = SchemaAttribute
..Default::default()
};
pub static ref SCHEMA_ATTR_LDAP_MAXIMUM_QUERYABLE_ATTRIBUTES: SchemaAttribute = SchemaAttribute {
uuid: UUID_SCHEMA_ATTR_LDAP_MAXIMUM_QUERYABLE_ATTRIBUTES,
name: Attribute::LdapMaxQueryableAttrs,
description: "The maximum number of LDAP attributes that can be queried in one operation".to_string(),
multivalue: false,
sync_allowed: true,
syntax: SyntaxType::Uint32,
..Default::default()
};
pub static ref SCHEMA_ATTR_DOMAIN_DISPLAY_NAME: SchemaAttribute = SchemaAttribute {
uuid: UUID_SCHEMA_ATTR_DOMAIN_DISPLAY_NAME,
name: Attribute::DomainDisplayName,
@ -1227,6 +1238,7 @@ pub static ref SCHEMA_CLASS_DOMAIN_INFO_DL10: SchemaClass = SchemaClass {
systemmay: vec![
Attribute::DomainSsid,
Attribute::DomainLdapBasedn,
Attribute::LdapMaxQueryableAttrs,
Attribute::LdapAllowUnixPwBind,
Attribute::Image,
Attribute::PatchLevel,

3
server/lib/src/constants/uuids.rs
View file

@ -131,7 +131,8 @@ pub const UUID_SCHEMA_ATTR_PRIMARY_CREDENTIAL: Uuid = uuid!("00000000-0000-0000-
pub const UUID_SCHEMA_CLASS_PERSON: Uuid = uuid!("00000000-0000-0000-0000-ffff00000044");
pub const UUID_SCHEMA_CLASS_GROUP: Uuid = uuid!("00000000-0000-0000-0000-ffff00000045");
pub const UUID_SCHEMA_CLASS_ACCOUNT: Uuid = uuid!("00000000-0000-0000-0000-ffff00000046");
// GAP - 47
pub const UUID_SCHEMA_ATTR_LDAP_MAXIMUM_QUERYABLE_ATTRIBUTES: Uuid =
uuid!("00000000-0000-0000-0000-ffff00000187");
pub const UUID_SCHEMA_ATTR_ATTRIBUTENAME: Uuid = uuid!("00000000-0000-0000-0000-ffff00000048");
pub const UUID_SCHEMA_ATTR_CLASSNAME: Uuid = uuid!("00000000-0000-0000-0000-ffff00000049");
pub const UUID_SCHEMA_ATTR_LEGALNAME: Uuid = uuid!("00000000-0000-0000-0000-ffff00000050");

6
server/lib/src/event.rs
View file

@ -244,13 +244,15 @@ impl SearchEvent {
ident: &Identity,
filter: Filter<FilterValid>,
filter_orig: Filter<FilterValid>,
attrs: Option<BTreeSet<Attribute>>,
effective_access_check: bool,
) -> Self {
SearchEvent {
ident: Identity::from_impersonate(ident),
filter,
filter_orig,
attrs: None,
effective_access_check: false,
attrs,
effective_access_check,
}
}

2
server/lib/src/idm/applinks.rs
View file

@ -32,7 +32,7 @@ impl IdmServerProxyReadTransaction<'_> {
// _ext reduces the entries based on access.
let oauth2_related = self
.qs_read
.impersonate_search_ext(f_executed, f_intent, ident)?;
.impersonate_search_ext(f_executed, f_intent, ident, None, false)?;
trace!(?oauth2_related);
// Aggregate results to a Vec of AppLink

120
server/lib/src/idm/ldap.rs
View file

@ -60,6 +60,7 @@ pub struct LdapServer {
basedn: String,
dnre: Regex,
binddnre: Regex,
max_queryable_attrs: usize,
}
#[derive(Debug)]
@ -79,6 +80,12 @@ impl LdapServer {
.qs_read
.internal_search_uuid(UUID_DOMAIN_INFO)?;
// Get the maximum number of queryable attributes from the domain entry
let max_queryable_attrs = domain_entry
.get_ava_single_uint32(Attribute::LdapMaxQueryableAttrs)
.map(|u| u as usize)
.unwrap_or(DEFAULT_LDAP_MAXIMUM_QUERYABLE_ATTRIBUTES);
let basedn = domain_entry
.get_ava_single_iutf8(Attribute::DomainLdapBasedn)
.map(|s| s.to_string())
@ -154,6 +161,7 @@ impl LdapServer {
basedn,
dnre,
binddnre,
max_queryable_attrs,
})
}
@ -239,11 +247,11 @@ impl LdapServer {
let mut all_attrs = false;
let mut all_op_attrs = false;
// TODO #3406: limit the number of attributes here!
let attrs_len = sr.attrs.len();
if sr.attrs.is_empty() {
// If [], then "all" attrs
all_attrs = true;
} else {
} else if attrs_len < self.max_queryable_attrs {
sr.attrs.iter().for_each(|a| {
if a == "*" {
all_attrs = true;
@ -267,6 +275,12 @@ impl LdapServer {
}
}
})
} else {
admin_error!(
"Too many LDAP attributes requested. Maximum allowed is {}, while your search query had {}",
self.max_queryable_attrs, attrs_len
);
return Err(OperationError::ResourceLimit);
}
// We need to retain this to know what the client requested.
@ -2631,4 +2645,106 @@ mod tests {
&OperationError::InvalidAttributeName("invalid".to_string()),
);
}
#[idm_test]
async fn test_ldap_maximum_queryable_attributes(
idms: &IdmServer,
_idms_delayed: &IdmServerDelayed,
) {
// Set the max queryable attrs to 2
let mut server_txn = idms.proxy_write(duration_from_epoch_now()).await.unwrap();
let set_ldap_maximum_queryable_attrs = ModifyEvent::new_internal_invalid(
filter!(f_eq(Attribute::Uuid, PartialValue::Uuid(UUID_DOMAIN_INFO))),
ModifyList::new_purge_and_set(Attribute::LdapMaxQueryableAttrs, Value::Uint32(2)),
);
assert!(server_txn
.qs_write
.modify(&set_ldap_maximum_queryable_attrs)
.and_then(|_| server_txn.commit())
.is_ok());
let ldaps = LdapServer::new(idms).await.expect("failed to start ldap");
let usr_uuid = Uuid::new_v4();
let grp_uuid = Uuid::new_v4();
let app_uuid = Uuid::new_v4();
let app_name = "testapp1";
// Setup person, group and application
{
let e1 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Account.to_value()),
(Attribute::Class, EntryClass::Person.to_value()),
(Attribute::Name, Value::new_iname("testperson1")),
(Attribute::Uuid, Value::Uuid(usr_uuid)),
(Attribute::Description, Value::new_utf8s("testperson1")),
(Attribute::DisplayName, Value::new_utf8s("testperson1"))
);
let e2 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::Group.to_value()),
(Attribute::Name, Value::new_iname("testgroup1")),
(Attribute::Uuid, Value::Uuid(grp_uuid))
);
let e3 = entry_init!(
(Attribute::Class, EntryClass::Object.to_value()),
(Attribute::Class, EntryClass::ServiceAccount.to_value()),
(Attribute::Class, EntryClass::Application.to_value()),
(Attribute::Name, Value::new_iname(app_name)),
(Attribute::Uuid, Value::Uuid(app_uuid)),
(Attribute::LinkedGroup, Value::Refer(grp_uuid))
);
let ct = duration_from_epoch_now();
let mut server_txn = idms.proxy_write(ct).await.unwrap();
assert!(server_txn
.qs_write
.internal_create(vec![e1, e2, e3])
.and_then(|_| server_txn.commit())
.is_ok());
}
// Setup the anonymous login
let anon_t = ldaps.do_bind(idms, "", "").await.unwrap().unwrap();
assert_eq!(
anon_t.effective_session,
LdapSession::UnixBind(UUID_ANONYMOUS)
);
let invalid_search = SearchRequest {
msgid: 1,
base: "dc=example,dc=com".to_string(),
scope: LdapSearchScope::Subtree,
filter: LdapFilter::Present(Attribute::ObjectClass.to_string()),
attrs: vec![
"objectClass".to_string(),
"cn".to_string(),
"givenName".to_string(),
],
};
let valid_search = SearchRequest {
msgid: 1,
base: "dc=example,dc=com".to_string(),
scope: LdapSearchScope::Subtree,
filter: LdapFilter::Present(Attribute::ObjectClass.to_string()),
attrs: vec!["objectClass: person".to_string()],
};
let invalid_res: Result<Vec<LdapMsg>, OperationError> = ldaps
.do_search(idms, &invalid_search, &anon_t, Source::Internal)
.await;
let valid_res: Result<Vec<LdapMsg>, OperationError> = ldaps
.do_search(idms, &valid_search, &anon_t, Source::Internal)
.await;
assert_eq!(invalid_res, Err(OperationError::ResourceLimit));
assert!(valid_res.is_ok());
}
}

1
server/lib/src/plugins/protected.rs
View file

@ -25,6 +25,7 @@ lazy_static! {
// modification of some domain info types for local configuratiomn.
Attribute::DomainSsid,
Attribute::DomainLdapBasedn,
Attribute::LdapMaxQueryableAttrs,
Attribute::LdapAllowUnixPwBind,
Attribute::FernetPrivateKeyStr,
Attribute::Es256PrivateKeyDer,

1
server/lib/src/server/migrations.rs
View file

@ -430,6 +430,7 @@ impl QueryServerWriteTransaction<'_> {
let idm_schema_changes = [
SCHEMA_ATTR_DENIED_NAME_DL10.clone().into(),
SCHEMA_CLASS_DOMAIN_INFO_DL10.clone().into(),
SCHEMA_ATTR_LDAP_MAXIMUM_QUERYABLE_ATTRIBUTES.clone().into(),
];
idm_schema_changes

12
server/lib/src/server/mod.rs
View file

@ -492,7 +492,7 @@ pub trait QueryServerTransaction<'a> {
f_intent_valid: Filter<FilterValid>,
event: &Identity,
) -> Result<Vec<Arc<EntrySealedCommitted>>, OperationError> {
let se = SearchEvent::new_impersonate(event, f_valid, f_intent_valid);
let se = SearchEvent::new_impersonate(event, f_valid, f_intent_valid, None, false);
self.search(&se)
}
@ -502,8 +502,10 @@ pub trait QueryServerTransaction<'a> {
f_valid: Filter<FilterValid>,
f_intent_valid: Filter<FilterValid>,
event: &Identity,
attrs: Option<BTreeSet<Attribute>>,
acp: bool,
) -> Result<Vec<Entry<EntryReduced, EntryCommitted>>, OperationError> {
let se = SearchEvent::new_impersonate(event, f_valid, f_intent_valid);
let se = SearchEvent::new_impersonate(event, f_valid, f_intent_valid, attrs, acp);
self.search_ext(&se)
}
@ -529,6 +531,8 @@ pub trait QueryServerTransaction<'a> {
filter: Filter<FilterInvalid>,
filter_intent: Filter<FilterInvalid>,
event: &Identity,
attrs: Option<BTreeSet<Attribute>>,
acp: bool,
) -> Result<Vec<Entry<EntryReduced, EntryCommitted>>, OperationError> {
let f_valid = filter
.validate(self.get_schema())
@ -536,7 +540,7 @@ pub trait QueryServerTransaction<'a> {
let f_intent_valid = filter_intent
.validate(self.get_schema())
.map_err(OperationError::SchemaViolation)?;
self.impersonate_search_ext_valid(f_valid, f_intent_valid, event)
self.impersonate_search_ext_valid(f_valid, f_intent_valid, event, attrs, acp)
}
/// Get a single entry by its UUID. This is used heavily for internal
@ -609,7 +613,7 @@ pub trait QueryServerTransaction<'a> {
let filter_intent = filter_all!(f_eq(Attribute::Uuid, PartialValue::Uuid(uuid)));
let filter = filter!(f_eq(Attribute::Uuid, PartialValue::Uuid(uuid)));
let mut vs = self.impersonate_search_ext(filter, filter_intent, event)?;
let mut vs = self.impersonate_search_ext(filter, filter_intent, event, None, false)?;
match vs.pop() {
Some(entry) if vs.is_empty() => Ok(entry),
_ => {

13
server/testkit/tests/domain.rs
View file

@ -26,6 +26,19 @@ async fn test_idm_domain_set_ldap_basedn(rsclient: KanidmClient) {
.expect("Failed to set idm_domain_set_ldap_basedn");
}
#[kanidmd_testkit::test]
async fn test_idm_domain_set_ldap_max_queryable_attrs(rsclient: KanidmClient) {
rsclient
.auth_simple_password(ADMIN_TEST_USER, ADMIN_TEST_PASSWORD)
.await
.expect("Failed to login as admin");
rsclient
.idm_domain_set_ldap_max_queryable_attrs(30)
.await
.expect("Failed to set idm_domain_set_ldap_max_queryable_attrs");
}
#[kanidmd_testkit::test]
async fn test_idm_domain_set_display_name(rsclient: KanidmClient) {
rsclient

13
server/testkit/tests/integration.rs
View file

@ -231,6 +231,19 @@ async fn test_idm_domain_set_ldap_basedn(rsclient: KanidmClient) {
.is_err());
}
#[kanidmd_testkit::test]
async fn test_idm_domain_set_ldap_max_queryable_attrs(rsclient: KanidmClient) {
login_put_admin_idm_admins(&rsclient).await;
assert!(rsclient
.idm_domain_set_ldap_max_queryable_attrs(20)
.await
.is_ok());
assert!(rsclient
.idm_domain_set_ldap_max_queryable_attrs(10)
.await
.is_ok()); // Ideally this should be "is_err"
}
#[kanidmd_testkit::test]
/// Checks that a built-in group idm_all_persons has the "builtin" class as expected.
async fn test_all_persons_has_builtin_class(rsclient: KanidmClient) {

20
tools/cli/src/cli/domain/mod.rs
View file

@ -14,7 +14,8 @@ impl DomainOpt {
| DomainOpt::SetLdapAllowUnixPasswordBind { copt, .. }
| DomainOpt::SetAllowEasterEggs { copt, .. }
| DomainOpt::RevokeKey { copt, .. }
| DomainOpt::Show(copt) => copt.debug,
| DomainOpt::Show(copt)
| DomainOpt::SetLdapMaxQueryableAttrs { copt, .. } => copt.debug,
}
}
@ -34,6 +35,23 @@ impl DomainOpt {
Err(e) => handle_client_error(e, opt.copt.output_mode),
}
}
DomainOpt::SetLdapMaxQueryableAttrs {
copt,
new_max_queryable_attrs,
} => {
eprintln!(
"Attempting to set the maximum number of queryable LDAP attributes to: {:?}",
new_max_queryable_attrs
);
let client = copt.to_client(OpType::Write).await;
match client
.idm_domain_set_ldap_max_queryable_attrs(*new_max_queryable_attrs)
.await
{
Ok(_) => println!("Success"),
Err(e) => handle_client_error(e, copt.output_mode),
}
}
DomainOpt::SetLdapBasedn { copt, new_basedn } => {
eprintln!(
"Attempting to set the domain's ldap basedn to: {:?}",

11
tools/cli/src/opt/kanidm.rs
View file

@ -205,7 +205,6 @@ pub enum GroupAccountPolicyOpt {
copt: CommonOpt,
},
/// Set the maximum time for privilege session expiry in seconds.
#[clap(name = "privilege-expiry")]
PrivilegedSessionExpiry {
@ -215,7 +214,6 @@ pub enum GroupAccountPolicyOpt {
copt: CommonOpt,
},
/// The WebAuthn attestation CA list that should be enforced
/// on members of this group. Prevents use of passkeys that are
/// not in this list. To create this list, use `fido-mds-tool`
@ -301,7 +299,6 @@ pub enum GroupAccountPolicyOpt {
#[clap(flatten)]
copt: CommonOpt,
},
}
#[derive(Debug, Subcommand)]
@ -1320,6 +1317,14 @@ pub enum DomainOpt {
#[clap[name = "set-displayname"]]
/// Set the domain display name
SetDisplayname(OptSetDomainDisplayname),
/// Sets the maximum number of LDAP attributes that can be queried in one operation.
#[clap[name = "set-ldap-queryable-attrs"]]
SetLdapMaxQueryableAttrs {
#[clap(flatten)]
copt: CommonOpt,
#[clap(name = "maximum-queryable-attrs")]
new_max_queryable_attrs: usize,
},
#[clap[name = "set-ldap-basedn"]]
/// Change the basedn of this server. Takes effect after a server restart.
/// Examples are `o=organisation` or `dc=domain,dc=name`. Must be a valid ldap