Struct kanidmd_lib::credential::Credential
pub struct Credential { /* private fields */ }
This is how we store credentials in the server. An account can have many credentials, and a credential can have many factors. Authentication succeeds only against a credential as a whole unit. For example:

A: Credential { password: aaa }
B: Credential { password: bbb, otp: … }

In this case, if we selected credential B and then provided password “aaa”, we would deny the auth as the password of B was incorrect. Additionally, while A only needs the “password”, B requires both the password and otp to be valid.

In this way, each Credential provides its own password requirements and policy, and requires some metadata to support this, such as its source and strength.
Implementations
impl Credential
pub fn new_password_only(
policy: &CryptoPolicy,
cleartext: &str
) -> Result<Self, OperationError>
Create a new credential that contains a CredentialType::Password
pub fn new_generatedpassword_only(
policy: &CryptoPolicy,
cleartext: &str
) -> Result<Self, OperationError>
Create a new credential that contains a CredentialType::GeneratedPassword
pub fn new_passkey_only(label: String, cred: Passkey) -> Self
Create a new credential that contains a CredentialType::Webauthn
pub fn set_password(
&self,
policy: &CryptoPolicy,
cleartext: &str
) -> Result<Self, OperationError>
Update the state of the Password on this credential, if a password is present. In some cases this will convert the credential to a PasswordMFA where possible; in others it will fail.
pub fn append_securitykey(
&self,
label: String,
cred: SecurityKey
) -> Result<Self, OperationError>
Extend this credential with another alternate webauthn credential. This is especially useful for PasswordMfa, where you can have many webauthn credentials and a password, generally so that one is a backup.
pub fn remove_securitykey(&self, label: &str) -> Result<Self, OperationError>
Remove a webauthn token identified by label from this Credential.
pub fn update_webauthn_properties(
&self,
auth_result: &AuthenticationResult
) -> Result<Option<Self>, OperationError>
After a successful authentication with Webauthn, we need to advance the credential's counter value to prevent certain classes of replay attacks.
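The counter handling described above, as an added standalone example (not kanidm's or webauthn-rs's code): it models the WebAuthn signature-counter rule that a presented counter must be strictly greater than the stored one, and mirrors the `Result<Option<Self>, _>` shape by returning `None` when there is nothing to persist. `StoredKey`, `CounterError` and `advance_counter` are hypothetical names, and the both-zero case assumes an authenticator that does not implement a counter.

```rust
use std::collections::BTreeMap;

// Hypothetical stand-in for a stored security key; only the counter is modelled.
#[derive(Clone, Debug, PartialEq)]
pub struct StoredKey {
    pub counter: u32,
}

#[derive(Debug, PartialEq)]
pub enum CounterError {
    UnknownKey,
    /// The counter did not advance: a replayed assertion or a cloned authenticator.
    NotAdvanced { stored: u32, presented: u32 },
}

/// Returns Ok(None) when nothing needs persisting, or Ok(Some(new_map)) with the
/// advanced counter. The input is never mutated, so a failed check leaves state intact.
pub fn advance_counter(
    keys: &BTreeMap<String, StoredKey>,
    label: &str,
    presented: u32,
) -> Result<Option<BTreeMap<String, StoredKey>>, CounterError> {
    let key = keys.get(label).ok_or(CounterError::UnknownKey)?;
    // Assumption: an authenticator without counter support always reports 0.
    if key.counter == 0 && presented == 0 {
        return Ok(None);
    }
    // Strictly greater is required; an equal value means the assertion was seen before.
    if presented <= key.counter {
        return Err(CounterError::NotAdvanced { stored: key.counter, presented });
    }
    let mut next = keys.clone();
    next.insert(label.to_string(), StoredKey { counter: presented });
    Ok(Some(next))
}

fn main() {
    // Constructed sample state: one key whose last seen counter is 41.
    let mut keys = BTreeMap::new();
    keys.insert("key-a".to_string(), StoredKey { counter: 41 });
    let updated = advance_counter(&keys, "key-a", 42).unwrap().unwrap();
    println!("first use: counter now {}", updated["key-a"].counter);
    // Presenting the same assertion again is rejected against the persisted state.
    println!("replay: {:?}", advance_counter(&updated, "key-a", 42));
}
```

The replay is only caught if the caller persists the returned map before accepting the next authentication; dropping the `Some(..)` result leaves the old counter in place.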
pub fn securitykey_ref(
&self
) -> Result<&Map<String, SecurityKey>, OperationError>
Get a reference to the contained webauthn credentials, if any.
pub fn passkey_ref(&self) -> Result<&Map<String, Passkey>, OperationError>
pub fn password_ref(&self) -> Result<&Password, OperationError>
Get a reference to the contained password, if any.
pub fn to_db_valuev1(&self) -> DbCred
Extract this credential into its serialisable database form, ready for persistence.
Trait Implementations
impl Clone for Credential
fn clone(&self) -> Credential
fn clone_from(&mut self, source: &Self)