//! `server` contains the query server, which is the main high level construction
//! to coordinate queries and operations in the server.

// This is really only used for long lived, high level types that need clone
// that otherwise can't be cloned. Think Mutex.
use std::cell::Cell;
use std::sync::Arc;
use std::time::Duration;

use concread::arcache::{ARCache, ARCacheBuilder, ARCacheReadTxn};
use concread::cowcell::*;
use hashbrown::{HashMap, HashSet};
use kanidm_proto::v1::{ConsistencyError, SchemaError};
use tokio::sync::{Semaphore, SemaphorePermit};
use tracing::trace;

use crate::access::{
    AccessControlCreate, AccessControlDelete, AccessControlModify, AccessControlSearch,
    AccessControls, AccessControlsReadTransaction, AccessControlsTransaction,
    AccessControlsWriteTransaction,
};
use crate::be::{Backend, BackendReadTransaction, BackendTransaction, BackendWriteTransaction};
// We use so many, we just import them all ...
use crate::event::{
    CreateEvent, DeleteEvent, ExistsEvent, ModifyEvent, ReviveRecycledEvent, SearchEvent,
};
use crate::filter::{Filter, FilterInvalid, FilterValid, FilterValidResolved};
use crate::identity::IdentityId;
use crate::modify::{Modify, ModifyInvalid, ModifyList, ModifyValid};
use crate::plugins::dyngroup::{DynGroup, DynGroupCache};
use crate::plugins::Plugins;
use crate::prelude::*;
use crate::repl::cid::Cid;
use crate::schema::{
    Schema, SchemaAttribute, SchemaClass, SchemaReadTransaction, SchemaTransaction,
    SchemaWriteTransaction,
};
use crate::valueset::uuid_to_proto_string;

const RESOLVE_FILTER_CACHE_MAX: usize = 4096;
const RESOLVE_FILTER_CACHE_LOCAL: usize = 0;

#[derive(Debug, Clone, PartialOrd, PartialEq, Eq)]
enum ServerPhase {
    Bootstrap,
    SchemaReady,
    Running,
}

#[derive(Debug, Clone)]
struct DomainInfo {
    d_uuid: Uuid,
    d_name: String,
    d_display: String,
}

#[derive(Clone)]
pub struct QueryServer {
    phase: Arc<CowCell<ServerPhase>>,
    s_uuid: Uuid,
    d_info: Arc<CowCell<DomainInfo>>,
    be: Backend,
    schema: Arc<Schema>,
    accesscontrols: Arc<AccessControls>,
    db_tickets: Arc<Semaphore>,
    write_ticket: Arc<Semaphore>,
    resolve_filter_cache:
        Arc<ARCache<(IdentityId, Filter<FilterValid>), Filter<FilterValidResolved>>>,
    dyngroup_cache: Arc<CowCell<DynGroupCache>>,
}

pub struct QueryServerReadTransaction<'a> {
    be_txn: BackendReadTransaction<'a>,
    // Anything else? In the future, we'll need to have a schema transaction
    // type, maybe others?
    d_info: CowCellReadTxn<DomainInfo>,
    schema: SchemaReadTransaction,
    accesscontrols: AccessControlsReadTransaction<'a>,
    _db_ticket: SemaphorePermit<'a>,
    resolve_filter_cache: Cell<
        ARCacheReadTxn<'a, (IdentityId, Filter<FilterValid>), Filter<FilterValidResolved>, ()>,
    >,
}

unsafe impl<'a> Sync for QueryServerReadTransaction<'a> {}

unsafe impl<'a> Send for QueryServerReadTransaction<'a> {}

pub struct QueryServerWriteTransaction<'a> {
    committed: bool,
    phase: CowCellWriteTxn<'a, ServerPhase>,
    d_info: CowCellWriteTxn<'a, DomainInfo>,
    cid: Cid,
    be_txn: BackendWriteTransaction<'a>,
    schema: SchemaWriteTransaction<'a>,
    accesscontrols: AccessControlsWriteTransaction<'a>,
    // We store a set of flags that indicate we need a reload of
    // schema or acp, which is tested by checking the classes of the
    // changing content.
    changed_schema: Cell<bool>,
    changed_acp: Cell<bool>,
    changed_oauth2: Cell<bool>,
    changed_domain: Cell<bool>,
    // Store the list of changed uuids for other invalidation needs?
    changed_uuid: Cell<HashSet<Uuid>>,
    _db_ticket: SemaphorePermit<'a>,
    _write_ticket: SemaphorePermit<'a>,
    resolve_filter_cache: Cell<
        ARCacheReadTxn<'a, (IdentityId, Filter<FilterValid>), Filter<FilterValidResolved>, ()>,
    >,
    dyngroup_cache: Cell<CowCellWriteTxn<'a, DynGroupCache>>,
}

pub(crate) struct ModifyPartial<'a> {
    norm_cand: Vec<Entry<EntrySealed, EntryCommitted>>,
    pre_candidates: Vec<Arc<Entry<EntrySealed, EntryCommitted>>>,
    me: &'a ModifyEvent,
}

// This is the core of the server. It implements all
// the search and modify actions, applies access controls
// and get's everything ready to push back to the fe code
/// The `QueryServerTransaction` trait provides a set of common read only operations to be
/// shared between [`QueryServerReadTransaction`] and [`QueryServerWriteTransaction`]s.
///
/// These operations tend to be high level constructions, generally different types of searches
/// that are capable of taking different types of parameters and applying access controls or not,
/// impersonating accounts, or bypassing these via internal searches.
///
/// [`QueryServerReadTransaction`]: struct.QueryServerReadTransaction.html
/// [`QueryServerWriteTransaction`]: struct.QueryServerWriteTransaction.html
pub trait QueryServerTransaction<'a> {
    type BackendTransactionType: BackendTransaction;
    fn get_be_txn(&self) -> &Self::BackendTransactionType;

    type SchemaTransactionType: SchemaTransaction;
    fn get_schema(&self) -> &Self::SchemaTransactionType;

    type AccessControlsTransactionType: AccessControlsTransaction<'a>;
    fn get_accesscontrols(&self) -> &Self::AccessControlsTransactionType;

    fn get_domain_uuid(&self) -> Uuid;

    fn get_domain_name(&self) -> &str;

    fn get_domain_display_name(&self) -> &str;

    #[allow(clippy::mut_from_ref)]
    fn get_resolve_filter_cache(
        &self,
    ) -> &mut ARCacheReadTxn<'a, (IdentityId, Filter<FilterValid>), Filter<FilterValidResolved>, ()>;

    /// Conduct a search and apply access controls to yield a set of entries that
    /// have been reduced to the set of user visible avas. Note that if you provide
    /// a `SearchEvent` for the internal user, this query will fail. It is invalid for
    /// the [`access`] module to attempt to reduce avas for internal searches, and you
    /// should use [`fn search`] instead.
    ///
    /// [`SearchEvent`]: ../event/struct.SearchEvent.html
    /// [`access`]: ../access/index.html
    /// [`fn search`]: trait.QueryServerTransaction.html#method.search
    #[instrument(level = "debug", skip_all)]
    fn search_ext(
        &self,
        se: &SearchEvent,
    ) -> Result<Vec<Entry<EntryReduced, EntryCommitted>>, OperationError> {
        /*
         * This just wraps search, but it's for the external interface
         * so as a result it also reduces the entry set's attributes at
         * the end.
         */
        let entries = self.search(se)?;

        let access = self.get_accesscontrols();
        access
            .search_filter_entry_attributes(se, entries)
            .map_err(|e| {
                // Log and fail if something went wrong.
                admin_error!(?e, "Failed to filter entry attributes");
                e
            })
        // This now returns the reduced vec.
    }

    #[instrument(level = "debug", skip_all)]
    fn search(&self, se: &SearchEvent) -> Result<Vec<Arc<EntrySealedCommitted>>, OperationError> {
        if se.ident.is_internal() {
            trace!(internal_filter = ?se.filter, "search");
        } else {
            security_info!(initiator = %se.ident, "search");
            admin_info!(external_filter = ?se.filter, "search");
        }

        // This is an important security step because it prevents us from
        // performing un-indexed searches on attr's that don't exist in the
        // server. This is why ExtensibleObject can only take schema that
        // exists in the server, not arbitrary attr names.
        //
        // This normalises and validates in a single step.
        //
        // NOTE: Filters are validated in event conversion.

        let resolve_filter_cache = self.get_resolve_filter_cache();

        let be_txn = self.get_be_txn();
        let idxmeta = be_txn.get_idxmeta_ref();
        // Now resolve all references and indexes.
        let vfr = se
            .filter
            .resolve(&se.ident, Some(idxmeta), Some(resolve_filter_cache))
            .map_err(|e| {
                admin_error!(?e, "search filter resolve failure");
                e
            })?;

        let lims = se.get_limits();

        // NOTE: We currently can't build search plugins due to the inability to hand
        // the QS wr/ro to the plugin trait. However, there shouldn't be a need for search
        // plugins, because all data transforms should be in the write path.

        let res = self.get_be_txn().search(lims, &vfr).map_err(|e| {
            admin_error!(?e, "backend failure");
            OperationError::Backend
        })?;

        // Apply ACP before we let the plugins "have at it".
        // WARNING; for external searches this is NOT the only
        // ACP application. There is a second application to reduce the
        // attribute set on the entries!
        //
        let access = self.get_accesscontrols();
        access.search_filter_entries(se, res).map_err(|e| {
            admin_error!(?e, "Unable to access filter entries");
            e
        })
    }

    #[instrument(level = "debug", skip_all)]
    fn exists(&self, ee: &ExistsEvent) -> Result<bool, OperationError> {
        let be_txn = self.get_be_txn();
        let idxmeta = be_txn.get_idxmeta_ref();

        let resolve_filter_cache = self.get_resolve_filter_cache();

        let vfr = ee
            .filter
            .resolve(&ee.ident, Some(idxmeta), Some(resolve_filter_cache))
            .map_err(|e| {
                admin_error!(?e, "Failed to resolve filter");
                e
            })?;

        let lims = ee.get_limits();

        self.get_be_txn().exists(lims, &vfr).map_err(|e| {
            admin_error!(?e, "backend failure");
            OperationError::Backend
        })
    }

    // Should this actually be names_to_uuids and we do batches?
    //  In the initial design "no", we can always write a batched
    //  interface later.
    //
    // The main question is if we need association between the name and
    // the request uuid - if we do, we need singular. If we don't, we can
    // just do the batching.
    //
    // Filter conversion likely needs 1:1, due to and/or conversions
    // but create/mod likely doesn't due to the nature of the attributes.
    //
    // In the end, singular is the simple and correct option, so lets do
    // that first, and we can add batched (and cache!) later.
    //
    // Remember, we don't care if the name is invalid, because search
    // will validate/normalise the filter we construct for us. COOL!
    fn name_to_uuid(&self, name: &str) -> Result<Uuid, OperationError> {
        // Is it just a uuid?
        Uuid::parse_str(name).or_else(|_| {
            let lname = name.to_lowercase();
            self.get_be_txn()
                .name2uuid(lname.as_str())?
                .ok_or(OperationError::NoMatchingEntries) // should we log this?
        })
    }

    fn uuid_to_spn(&self, uuid: Uuid) -> Result<Option<Value>, OperationError> {
        let r = self.get_be_txn().uuid2spn(uuid)?;

        if let Some(ref n) = r {
            // Shouldn't we be doing more graceful error handling here?
            // Or, if we know it will always be true, we should remove this.
            debug_assert!(n.is_spn() || n.is_iname());
        }

        Ok(r)
    }

    fn uuid_to_rdn(&self, uuid: Uuid) -> Result<String, OperationError> {
        // If we have a some, pass it on, else unwrap into a default.
        self.get_be_txn()
            .uuid2rdn(uuid)
            .map(|v| v.unwrap_or_else(|| format!("uuid={}", uuid.as_hyphenated())))
    }

    /// From internal, generate an "exists" event and dispatch
    #[instrument(level = "debug", skip_all)]
    fn internal_exists(&self, filter: Filter<FilterInvalid>) -> Result<bool, OperationError> {
        // Check the filter
        let f_valid = filter
            .validate(self.get_schema())
            .map_err(OperationError::SchemaViolation)?;
        // Build an exists event
        let ee = ExistsEvent::new_internal(f_valid);
        // Submit it
        self.exists(&ee)
    }

    #[instrument(level = "debug", skip_all)]
    fn internal_search(
        &self,
        filter: Filter<FilterInvalid>,
    ) -> Result<Vec<Arc<EntrySealedCommitted>>, OperationError> {
        let f_valid = filter
            .validate(self.get_schema())
            .map_err(OperationError::SchemaViolation)?;
        let se = SearchEvent::new_internal(f_valid);
        self.search(&se)
    }

    #[instrument(level = "debug", skip_all)]
    fn impersonate_search_valid(
        &self,
        f_valid: Filter<FilterValid>,
        f_intent_valid: Filter<FilterValid>,
        event: &Identity,
    ) -> Result<Vec<Arc<EntrySealedCommitted>>, OperationError> {
        let se = SearchEvent::new_impersonate(event, f_valid, f_intent_valid);
        self.search(&se)
    }

    /// Applies ACP to filter result entries.
    fn impersonate_search_ext_valid(
        &self,
        f_valid: Filter<FilterValid>,
        f_intent_valid: Filter<FilterValid>,
        event: &Identity,
    ) -> Result<Vec<Entry<EntryReduced, EntryCommitted>>, OperationError> {
        let se = SearchEvent::new_impersonate(event, f_valid, f_intent_valid);
        self.search_ext(&se)
    }

    // Who they are will go here
    fn impersonate_search(
        &self,
        filter: Filter<FilterInvalid>,
        filter_intent: Filter<FilterInvalid>,
        event: &Identity,
    ) -> Result<Vec<Arc<EntrySealedCommitted>>, OperationError> {
        let f_valid = filter
            .validate(self.get_schema())
            .map_err(OperationError::SchemaViolation)?;
        let f_intent_valid = filter_intent
            .validate(self.get_schema())
            .map_err(OperationError::SchemaViolation)?;
        self.impersonate_search_valid(f_valid, f_intent_valid, event)
    }

    #[instrument(level = "debug", skip_all)]
    fn impersonate_search_ext(
        &self,
        filter: Filter<FilterInvalid>,
        filter_intent: Filter<FilterInvalid>,
        event: &Identity,
    ) -> Result<Vec<Entry<EntryReduced, EntryCommitted>>, OperationError> {
        let f_valid = filter
            .validate(self.get_schema())
            .map_err(OperationError::SchemaViolation)?;
        let f_intent_valid = filter_intent
            .validate(self.get_schema())
            .map_err(OperationError::SchemaViolation)?;
        self.impersonate_search_ext_valid(f_valid, f_intent_valid, event)
    }

    /// Get a single entry by its UUID. This is used heavily for internal
    /// server operations, especially in login and ACP checks.
    #[instrument(level = "debug", skip_all)]
    fn internal_search_uuid(
        &self,
        uuid: &Uuid,
    ) -> Result<Arc<EntrySealedCommitted>, OperationError> {
        let filter = filter!(f_eq("uuid", PartialValue::new_uuid(*uuid)));
        let f_valid = filter.validate(self.get_schema()).map_err(|e| {
            error!(?e, "Filter Validate - SchemaViolation");
            OperationError::SchemaViolation(e)
        })?;
        let se = SearchEvent::new_internal(f_valid);

        let mut vs = self.search(&se)?;
        match vs.pop() {
            Some(entry) if vs.is_empty() => Ok(entry),
            _ => Err(OperationError::NoMatchingEntries),
        }
    }

    #[instrument(level = "debug", skip_all)]
    fn impersonate_search_ext_uuid(
        &self,
        uuid: &Uuid,
        event: &Identity,
    ) -> Result<Entry<EntryReduced, EntryCommitted>, OperationError> {
        let filter_intent = filter_all!(f_eq("uuid", PartialValue::new_uuid(*uuid)));
        let filter = filter!(f_eq("uuid", PartialValue::new_uuid(*uuid)));

        let mut vs = self.impersonate_search_ext(filter, filter_intent, event)?;
        match vs.pop() {
            Some(entry) if vs.is_empty() => Ok(entry),
            _ => Err(OperationError::NoMatchingEntries),
        }
    }

    #[instrument(level = "debug", skip_all)]
    fn impersonate_search_uuid(
        &self,
        uuid: &Uuid,
        event: &Identity,
    ) -> Result<Arc<EntrySealedCommitted>, OperationError> {
        let filter_intent = filter_all!(f_eq("uuid", PartialValue::new_uuid(*uuid)));
        let filter = filter!(f_eq("uuid", PartialValue::new_uuid(*uuid)));

        let mut vs = self.impersonate_search(filter, filter_intent, event)?;
        match vs.pop() {
            Some(entry) if vs.is_empty() => Ok(entry),
            _ => Err(OperationError::NoMatchingEntries),
        }
    }

    /// Do a schema aware conversion from a String:String to String:Value for modification
    /// present.
    fn clone_value(&self, attr: &str, value: &str) -> Result<Value, OperationError> {
        let schema = self.get_schema();

        // Should this actually be a fn of Value - no - I think that introduces issues with the
        // monomorphisation of the trait for transactions, so we should have this here.

        // Lookup the attr
        match schema.get_attributes().get(attr) {
            Some(schema_a) => {
                match schema_a.syntax {
                    SyntaxType::Utf8String => Ok(Value::new_utf8(value.to_string())),
                    SyntaxType::Utf8StringInsensitive => Ok(Value::new_iutf8(value)),
                    SyntaxType::Utf8StringIname => Ok(Value::new_iname(value)),
                    SyntaxType::Boolean => Value::new_bools(value)
                        .ok_or_else(|| OperationError::InvalidAttribute("Invalid boolean syntax".to_string())),
                    SyntaxType::SyntaxId => Value::new_syntaxs(value)
                        .ok_or_else(|| OperationError::InvalidAttribute("Invalid Syntax syntax".to_string())),
                    SyntaxType::IndexId => Value::new_indexs(value)
                        .ok_or_else(|| OperationError::InvalidAttribute("Invalid Index syntax".to_string())),
                    SyntaxType::Uuid => {
                        // It's a uuid - we do NOT check for existance, because that
                        // could be revealing or disclosing - it is up to acp to assert
                        // if we can see the value or not, and it's not up to us to
                        // assert the filter value exists.
                        Value::new_uuids(value)
                            .or_else(|| {
                                // it's not a uuid, try to resolve it.
                                // if the value is NOT found, we map to "does not exist" to allow
                                // the value to continue being evaluated, which of course, will fail
                                // all subsequent filter tests because it ... well, doesn't exist.
                                let un = self
                                    .name_to_uuid( value)
                                    .unwrap_or(UUID_DOES_NOT_EXIST);
                                Some(Value::new_uuid(un))
                            })
                            // I think this is unreachable due to how the .or_else works.
                            .ok_or_else(|| OperationError::InvalidAttribute("Invalid UUID syntax".to_string()))
                    }
                    SyntaxType::ReferenceUuid => {
                        // See comments above.
                        Value::new_refer_s(value)
                            .or_else(|| {
                                let un = self
                                    .name_to_uuid( value)
                                    .unwrap_or(UUID_DOES_NOT_EXIST);
                                Some(Value::new_refer(un))
                            })
                            // I think this is unreachable due to how the .or_else works.
                            .ok_or_else(|| OperationError::InvalidAttribute("Invalid Reference syntax".to_string()))
                    }
                    SyntaxType::JsonFilter => Value::new_json_filter_s(value)
                        .ok_or_else(|| OperationError::InvalidAttribute("Invalid Filter syntax".to_string())),
                    SyntaxType::Credential => Err(OperationError::InvalidAttribute("Credentials can not be supplied through modification - please use the IDM api".to_string())),
                    SyntaxType::SecretUtf8String => Err(OperationError::InvalidAttribute("Radius secrets can not be supplied through modification - please use the IDM api".to_string())),
                    SyntaxType::SshKey => Err(OperationError::InvalidAttribute("SSH public keys can not be supplied through modification - please use the IDM api".to_string())),
                    SyntaxType::SecurityPrincipalName => Err(OperationError::InvalidAttribute("SPNs are generated and not able to be set.".to_string())),
                    SyntaxType::Uint32 => Value::new_uint32_str(value)
                        .ok_or_else(|| OperationError::InvalidAttribute("Invalid uint32 syntax".to_string())),
                    SyntaxType::Cid => Err(OperationError::InvalidAttribute("CIDs are generated and not able to be set.".to_string())),
                    SyntaxType::NsUniqueId => Value::new_nsuniqueid_s(value)
                        .ok_or_else(|| OperationError::InvalidAttribute("Invalid NsUniqueId syntax".to_string())),
                    SyntaxType::DateTime => Value::new_datetime_s(value)
                        .ok_or_else(|| OperationError::InvalidAttribute("Invalid DateTime (rfc3339) syntax".to_string())),
                    SyntaxType::EmailAddress => Value::new_email_address_s(value)
                        .ok_or_else(|| OperationError::InvalidAttribute("Invalid Email Address syntax".to_string())),
                    SyntaxType::Url => Value::new_url_s(value)
                        .ok_or_else(|| OperationError::InvalidAttribute("Invalid Url (whatwg/url) syntax".to_string())),
                    SyntaxType::OauthScope => Value::new_oauthscope(value)
                        .ok_or_else(|| OperationError::InvalidAttribute("Invalid Oauth Scope syntax".to_string())),
                    SyntaxType::OauthScopeMap => Err(OperationError::InvalidAttribute("Oauth Scope Maps can not be supplied through modification - please use the IDM api".to_string())),
                    SyntaxType::PrivateBinary => Err(OperationError::InvalidAttribute("Private Binary Values can not be supplied through modification".to_string())),
                    SyntaxType::IntentToken => Err(OperationError::InvalidAttribute("Intent Token Values can not be supplied through modification".to_string())),
                    SyntaxType::Passkey => Err(OperationError::InvalidAttribute("Passkey Values can not be supplied through modification".to_string())),
                    SyntaxType::DeviceKey => Err(OperationError::InvalidAttribute("DeviceKey Values can not be supplied through modification".to_string())),
                    SyntaxType::Session => Err(OperationError::InvalidAttribute("Session Values can not be supplied through modification".to_string())),
                    SyntaxType::JwsKeyEs256 => Err(OperationError::InvalidAttribute("JwsKeyEs256 Values can not be supplied through modification".to_string())),
                    SyntaxType::JwsKeyRs256 => Err(OperationError::InvalidAttribute("JwsKeyRs256 Values can not be supplied through modification".to_string())),
                }
            }
            None => {
                // No attribute of this name exists - fail fast, there is no point to
                // proceed, as nothing can be satisfied.
                Err(OperationError::InvalidAttributeName(attr.to_string()))
            }
        }
    }

    fn clone_partialvalue(&self, attr: &str, value: &str) -> Result<PartialValue, OperationError> {
        let schema = self.get_schema();

        // Lookup the attr
        match schema.get_attributes().get(attr) {
            Some(schema_a) => {
                match schema_a.syntax {
                    SyntaxType::Utf8String => Ok(PartialValue::new_utf8(value.to_string())),
                    SyntaxType::Utf8StringInsensitive
                    | SyntaxType::JwsKeyEs256
                    | SyntaxType::JwsKeyRs256 => Ok(PartialValue::new_iutf8(value)),
                    SyntaxType::Utf8StringIname => Ok(PartialValue::new_iname(value)),
                    SyntaxType::Boolean => PartialValue::new_bools(value).ok_or_else(|| {
                        OperationError::InvalidAttribute("Invalid boolean syntax".to_string())
                    }),
                    SyntaxType::SyntaxId => PartialValue::new_syntaxs(value).ok_or_else(|| {
                        OperationError::InvalidAttribute("Invalid Syntax syntax".to_string())
                    }),
                    SyntaxType::IndexId => PartialValue::new_indexs(value).ok_or_else(|| {
                        OperationError::InvalidAttribute("Invalid Index syntax".to_string())
                    }),
                    SyntaxType::Uuid => {
                        PartialValue::new_uuids(value)
                            .or_else(|| {
                                // it's not a uuid, try to resolve it.
                                // if the value is NOT found, we map to "does not exist" to allow
                                // the value to continue being evaluated, which of course, will fail
                                // all subsequent filter tests because it ... well, doesn't exist.
                                let un = self.name_to_uuid(value).unwrap_or(UUID_DOES_NOT_EXIST);
                                Some(PartialValue::new_uuid(un))
                            })
                            // I think this is unreachable due to how the .or_else works.
                            .ok_or_else(|| {
                                OperationError::InvalidAttribute("Invalid UUID syntax".to_string())
                            })
                        // This avoids having unreachable code:
                        // Ok(PartialValue::new_uuids(value)
                        //     .unwrap_or_else(|| {
                        //         // it's not a uuid, try to resolve it.
                        //         // if the value is NOT found, we map to "does not exist" to allow
                        //         // the value to continue being evaluated, which of course, will fail
                        //         // all subsequent filter tests because it ... well, doesn't exist.
                        //         let un = self
                        //             .name_to_uuid( value)
                        //             .unwrap_or(*UUID_DOES_NOT_EXIST);
                        //         PartialValue::new_uuid(un)
                        //     }))
                    }
                    // ⚠️   Any types here need to also be added to update_attributes in
                    // schema.rs for reference type / cache awareness during referential
                    // integrity processing. Exceptions are self-contained value types!
                    SyntaxType::ReferenceUuid | SyntaxType::OauthScopeMap | SyntaxType::Session => {
                        // See comments above.
                        PartialValue::new_refer_s(value)
                            .or_else(|| {
                                let un = self.name_to_uuid(value).unwrap_or(UUID_DOES_NOT_EXIST);
                                Some(PartialValue::new_refer(un))
                            })
                            // I think this is unreachable due to how the .or_else works.
                            // See above case for how to avoid having unreachable code
                            .ok_or_else(|| {
                                OperationError::InvalidAttribute(
                                    "Invalid Reference syntax".to_string(),
                                )
                            })
                    }
                    SyntaxType::JsonFilter => {
                        PartialValue::new_json_filter_s(value).ok_or_else(|| {
                            OperationError::InvalidAttribute("Invalid Filter syntax".to_string())
                        })
                    }
                    SyntaxType::Credential => Ok(PartialValue::new_credential_tag(value)),
                    SyntaxType::SecretUtf8String => Ok(PartialValue::new_secret_str()),
                    SyntaxType::SshKey => Ok(PartialValue::new_sshkey_tag_s(value)),
                    SyntaxType::SecurityPrincipalName => {
                        PartialValue::new_spn_s(value).ok_or_else(|| {
                            OperationError::InvalidAttribute("Invalid spn syntax".to_string())
                        })
                    }
                    SyntaxType::Uint32 => PartialValue::new_uint32_str(value).ok_or_else(|| {
                        OperationError::InvalidAttribute("Invalid uint32 syntax".to_string())
                    }),
                    SyntaxType::Cid => PartialValue::new_cid_s(value).ok_or_else(|| {
                        OperationError::InvalidAttribute("Invalid cid syntax".to_string())
                    }),
                    SyntaxType::NsUniqueId => Ok(PartialValue::new_nsuniqueid_s(value)),
                    SyntaxType::DateTime => PartialValue::new_datetime_s(value).ok_or_else(|| {
                        OperationError::InvalidAttribute(
                            "Invalid DateTime (rfc3339) syntax".to_string(),
                        )
                    }),
                    SyntaxType::EmailAddress => Ok(PartialValue::new_email_address_s(value)),
                    SyntaxType::Url => PartialValue::new_url_s(value).ok_or_else(|| {
                        OperationError::InvalidAttribute(
                            "Invalid Url (whatwg/url) syntax".to_string(),
                        )
                    }),
                    SyntaxType::OauthScope => Ok(PartialValue::new_oauthscope(value)),
                    SyntaxType::PrivateBinary => Ok(PartialValue::PrivateBinary),
                    SyntaxType::IntentToken => PartialValue::new_intenttoken_s(value.to_string())
                        .ok_or_else(|| {
                            OperationError::InvalidAttribute(
                                "Invalid Intent Token ID (uuid) syntax".to_string(),
                            )
                        }),
                    SyntaxType::Passkey => PartialValue::new_passkey_s(value).ok_or_else(|| {
                        OperationError::InvalidAttribute("Invalid Passkey UUID syntax".to_string())
                    }),
                    SyntaxType::DeviceKey => {
                        PartialValue::new_devicekey_s(value).ok_or_else(|| {
                            OperationError::InvalidAttribute(
                                "Invalid DeviceKey UUID syntax".to_string(),
                            )
                        })
                    }
                }
            }
            None => {
                // No attribute of this name exists - fail fast, there is no point to
                // proceed, as nothing can be satisfied.
                Err(OperationError::InvalidAttributeName(attr.to_string()))
            }
        }
    }

    // In the opposite direction, we can resolve values for presentation
    fn resolve_valueset(&self, value: &ValueSet) -> Result<Vec<String>, OperationError> {
        if let Some(r_set) = value.as_refer_set() {
            let v: Result<Vec<_>, _> = r_set
                .iter()
                .copied()
                .map(|ur| {
                    let nv = self.uuid_to_spn(ur)?;
                    match nv {
                        Some(v) => Ok(v.to_proto_string_clone()),
                        None => Ok(uuid_to_proto_string(ur)),
                    }
                })
                .collect();
            v
        } else if let Some(r_map) = value.as_oauthscopemap() {
            let v: Result<Vec<_>, _> = r_map
                .iter()
                .map(|(u, m)| {
                    let nv = self.uuid_to_spn(*u)?;
                    let u = match nv {
                        Some(v) => v.to_proto_string_clone(),
                        None => uuid_to_proto_string(*u),
                    };
                    Ok(format!("{}: {:?}", u, m))
                })
                .collect();
            v
        } else {
            let v: Vec<_> = value.to_proto_string_clone_iter().collect();
            Ok(v)
        }
    }

    fn resolve_valueset_ldap(
        &self,
        value: &ValueSet,
        basedn: &str,
    ) -> Result<Vec<String>, OperationError> {
        if let Some(r_set) = value.as_refer_set() {
            let v: Result<Vec<_>, _> = r_set
                .iter()
                .copied()
                .map(|ur| {
                    let rdn = self.uuid_to_rdn(ur)?;
                    Ok(format!("{},{}", rdn, basedn))
                })
                .collect();
            v
        } else if let Some(k_set) = value.as_sshkey_map() {
            let v: Vec<_> = k_set.values().cloned().collect();
            Ok(v)
        } else {
            let v: Vec<_> = value.to_proto_string_clone_iter().collect();
            Ok(v)
        }
    }

    /// Pull the domain name from the database
    fn get_db_domain_name(&self) -> Result<String, OperationError> {
        self.internal_search_uuid(&UUID_DOMAIN_INFO)
            .and_then(|e| {
                trace!(?e);
                e.get_ava_single_iname("domain_name")
                    .map(str::to_string)
                    .ok_or(OperationError::InvalidEntryState)
            })
            .map_err(|e| {
                admin_error!(?e, "Error getting domain name");
                e
            })
    }

    fn get_domain_fernet_private_key(&self) -> Result<String, OperationError> {
        self.internal_search_uuid(&UUID_DOMAIN_INFO)
            .and_then(|e| {
                e.get_ava_single_secret("fernet_private_key_str")
                    .map(str::to_string)
                    .ok_or(OperationError::InvalidEntryState)
            })
            .map_err(|e| {
                admin_error!(?e, "Error getting domain fernet key");
                e
            })
    }

    fn get_domain_es256_private_key(&self) -> Result<Vec<u8>, OperationError> {
        self.internal_search_uuid(&UUID_DOMAIN_INFO)
            .and_then(|e| {
                e.get_ava_single_private_binary("es256_private_key_der")
                    .map(|s| s.to_vec())
                    .ok_or(OperationError::InvalidEntryState)
            })
            .map_err(|e| {
                admin_error!(?e, "Error getting domain es256 key");
                e
            })
    }

    // This is a helper to get password badlist.
    fn get_password_badlist(&self) -> Result<HashSet<String>, OperationError> {
        self.internal_search_uuid(&UUID_SYSTEM_CONFIG)
            .map(|e| match e.get_ava_iter_iutf8("badlist_password") {
                Some(vs_str_iter) => vs_str_iter.map(str::to_string).collect::<HashSet<_>>(),
                None => HashSet::default(),
            })
            .map_err(|e| {
                admin_error!(?e, "Failed to retrieve system configuration");
                e
            })
    }

    fn get_oauth2rs_set(&self) -> Result<Vec<Arc<EntrySealedCommitted>>, OperationError> {
        self.internal_search(filter!(f_eq("class", PVCLASS_OAUTH2_RS.clone(),)))
    }
}

// Actually conduct a search request
// This is the core of the server, as it processes the entire event
// applies all parts required in order and more.
impl<'a> QueryServerTransaction<'a> for QueryServerReadTransaction<'a> {
    type AccessControlsTransactionType = AccessControlsReadTransaction<'a>;
    type BackendTransactionType = BackendReadTransaction<'a>;
    type SchemaTransactionType = SchemaReadTransaction;

    fn get_be_txn(&self) -> &BackendReadTransaction<'a> {
        &self.be_txn
    }

    fn get_schema(&self) -> &SchemaReadTransaction {
        &self.schema
    }

    fn get_accesscontrols(&self) -> &AccessControlsReadTransaction<'a> {
        &self.accesscontrols
    }

    fn get_resolve_filter_cache(
        &self,
    ) -> &mut ARCacheReadTxn<'a, (IdentityId, Filter<FilterValid>), Filter<FilterValidResolved>, ()>
    {
        unsafe {
            let mptr = self.resolve_filter_cache.as_ptr();
            &mut (*mptr)
                as &mut ARCacheReadTxn<
                    'a,
                    (IdentityId, Filter<FilterValid>),
                    Filter<FilterValidResolved>,
                    (),
                >
        }
    }

    fn get_domain_uuid(&self) -> Uuid {
        self.d_info.d_uuid
    }

    fn get_domain_name(&self) -> &str {
        &self.d_info.d_name
    }

    fn get_domain_display_name(&self) -> &str {
        &self.d_info.d_display
    }
}

impl<'a> QueryServerReadTransaction<'a> {
    // Verify the data content of the server is as expected. This will probably
    // call various functions for validation, including possibly plugin
    // verifications.
    fn verify(&mut self) -> Vec<Result<(), ConsistencyError>> {
        // If we fail after backend, we need to return NOW because we can't
        // assert any other faith in the DB states.
        //  * backend
        let be_errs = self.get_be_txn().verify();

        if !be_errs.is_empty() {
            return be_errs;
        }

        //  * in memory schema consistency.
        let sc_errs = self.get_schema().validate();

        if !sc_errs.is_empty() {
            return sc_errs;
        }

        //  * Indexing (req be + sch )
        let idx_errs = self.get_be_txn().verify_indexes();

        if !idx_errs.is_empty() {
            return idx_errs;
        }

        // If anything error to this point we can't trust the verifications below. From
        // here we can just amass results.
        let mut results = Vec::new();

        // Verify all our entries. Weird flex I know, but it's needed for verifying
        // the entry changelogs are consistent to their entries.
        let schema = self.get_schema();

        let filt_all = filter!(f_pres("class"));
        let all_entries = match self.internal_search(filt_all) {
            Ok(a) => a,
            Err(_e) => return vec![Err(ConsistencyError::QueryServerSearchFailure)],
        };

        for e in all_entries {
            e.verify(schema, &mut results)
        }

        // Verify the RUV to the entry changelogs now.
        self.get_be_txn().verify_ruv(&mut results);

        // Ok entries passed, lets move on to the content.
        // Most of our checks are in the plugins, so we let them
        // do their job.

        // Now, call the plugins verification system.
        Plugins::run_verify(self, &mut results);
        // Finished

        results
    }
}

impl<'a> QueryServerTransaction<'a> for QueryServerWriteTransaction<'a> {
    type AccessControlsTransactionType = AccessControlsWriteTransaction<'a>;
    type BackendTransactionType = BackendWriteTransaction<'a>;
    type SchemaTransactionType = SchemaWriteTransaction<'a>;

    fn get_be_txn(&self) -> &BackendWriteTransaction<'a> {
        &self.be_txn
    }

    fn get_schema(&self) -> &SchemaWriteTransaction<'a> {
        &self.schema
    }

    fn get_accesscontrols(&self) -> &AccessControlsWriteTransaction<'a> {
        &self.accesscontrols
    }

    fn get_resolve_filter_cache(
        &self,
    ) -> &mut ARCacheReadTxn<'a, (IdentityId, Filter<FilterValid>), Filter<FilterValidResolved>, ()>
    {
        unsafe {
            let mptr = self.resolve_filter_cache.as_ptr();
            &mut (*mptr)
                as &mut ARCacheReadTxn<
                    'a,
                    (IdentityId, Filter<FilterValid>),
                    Filter<FilterValidResolved>,
                    (),
                >
        }
    }

    fn get_domain_uuid(&self) -> Uuid {
        self.d_info.d_uuid
    }

    /// Gets the in-memory domain_name element
    fn get_domain_name(&self) -> &str {
        &self.d_info.d_name
    }

    fn get_domain_display_name(&self) -> &str {
        &self.d_info.d_display
    }
}

impl QueryServer {
    pub fn new(be: Backend, schema: Schema, domain_name: String) -> Self {
        let (s_uuid, d_uuid) = {
            let wr = be.write();
            let res = (wr.get_db_s_uuid(), wr.get_db_d_uuid());
            #[allow(clippy::expect_used)]
            wr.commit()
                .expect("Critical - unable to commit db_s_uuid or db_d_uuid");
            res
        };

        let pool_size = be.get_pool_size();

        debug!("Server UUID -> {:?}", s_uuid);
        debug!("Domain UUID -> {:?}", d_uuid);
        debug!("Domain Name -> {:?}", domain_name);

        let d_info = Arc::new(CowCell::new(DomainInfo {
            d_uuid,
            d_name: domain_name.clone(),
            // we set the domain_display_name to the configuration file's domain_name
            // here because the database is not started, so we cannot pull it from there.
            d_display: domain_name,
        }));

        let dyngroup_cache = Arc::new(CowCell::new(DynGroupCache::default()));

        let phase = Arc::new(CowCell::new(ServerPhase::Bootstrap));

        // log_event!(log, "Starting query worker ...");

        #[allow(clippy::expect_used)]
        QueryServer {
            phase,
            s_uuid,
            d_info,
            be,
            schema: Arc::new(schema),
            accesscontrols: Arc::new(AccessControls::new()),
            db_tickets: Arc::new(Semaphore::new(pool_size as usize)),
            write_ticket: Arc::new(Semaphore::new(1)),
            resolve_filter_cache: Arc::new(
                ARCacheBuilder::new()
                    .set_size(RESOLVE_FILTER_CACHE_MAX, RESOLVE_FILTER_CACHE_LOCAL)
                    .set_reader_quiesce(true)
                    .build()
                    .expect("Failed to build resolve_filter_cache"),
            ),
            dyngroup_cache,
        }
    }

    pub fn try_quiesce(&self) {
        self.be.try_quiesce();
        self.accesscontrols.try_quiesce();
        self.resolve_filter_cache.try_quiesce();
    }

    pub async fn read(&self) -> QueryServerReadTransaction<'_> {
        // We need to ensure a db conn will be available
        #[allow(clippy::expect_used)]
        let db_ticket = self
            .db_tickets
            .acquire()
            .await
            .expect("unable to aquire db_ticket for qsr");

        QueryServerReadTransaction {
            be_txn: self.be.read(),
            schema: self.schema.read(),
            d_info: self.d_info.read(),
            accesscontrols: self.accesscontrols.read(),
            _db_ticket: db_ticket,
            resolve_filter_cache: Cell::new(self.resolve_filter_cache.read()),
        }
    }

    pub async fn write(&self, ts: Duration) -> QueryServerWriteTransaction<'_> {
        // Guarantee we are the only writer on the thread pool
        #[allow(clippy::expect_used)]
        let write_ticket = self
            .write_ticket
            .acquire()
            .await
            .expect("unable to aquire writer_ticket for qsw");
        // We need to ensure a db conn will be available
        #[allow(clippy::expect_used)]
        let db_ticket = self
            .db_tickets
            .acquire()
            .await
            .expect("unable to aquire db_ticket for qsw");

        let schema_write = self.schema.write();
        let be_txn = self.be.write();
        let d_info = self.d_info.write();
        let phase = self.phase.write();

        #[allow(clippy::expect_used)]
        let ts_max = be_txn.get_db_ts_max(ts).expect("Unable to get db_ts_max");
        let cid = Cid::new_lamport(self.s_uuid, d_info.d_uuid, ts, &ts_max);

        QueryServerWriteTransaction {
            // I think this is *not* needed, because commit is mut self which should
            // take ownership of the value, and cause the commit to "only be run
            // once".
            //
            // The commited flag is however used for abort-specific code in drop
            // which today I don't think we have ... yet.
            committed: false,
            phase,
            d_info,
            cid,
            be_txn,
            schema: schema_write,
            accesscontrols: self.accesscontrols.write(),
            changed_schema: Cell::new(false),
            changed_acp: Cell::new(false),
            changed_oauth2: Cell::new(false),
            changed_domain: Cell::new(false),
            changed_uuid: Cell::new(HashSet::new()),
            _db_ticket: db_ticket,
            _write_ticket: write_ticket,
            resolve_filter_cache: Cell::new(self.resolve_filter_cache.read()),
            dyngroup_cache: Cell::new(self.dyngroup_cache.write()),
        }
    }

    pub async fn initialise_helper(&self, ts: Duration) -> Result<(), OperationError> {
        // Check our database version - attempt to do an initial indexing
        // based on the in memory configuration
        //
        // If we ever change the core in memory schema, or the schema that we ship
        // in fixtures, we have to bump these values. This is how we manage the
        // first-run and upgrade reindexings.
        //
        // A major reason here to split to multiple transactions is to allow schema
        // reloading to occur, which causes the idxmeta to update, and allows validation
        // of the schema in the subsequent steps as we proceed.
        let mut reindex_write_1 = self.write(ts).await;
        reindex_write_1
            .upgrade_reindex(SYSTEM_INDEX_VERSION)
            .and_then(|_| reindex_write_1.commit())?;

        // Because we init the schema here, and commit, this reloads meaning
        // that the on-disk index meta has been loaded, so our subsequent
        // migrations will be correctly indexed.
        //
        // Remember, that this would normally mean that it's possible for schema
        // to be mis-indexed (IE we index the new schemas here before we read
        // the schema to tell us what's indexed), but because we have the in
        // mem schema that defines how schema is structuded, and this is all
        // marked "system", then we won't have an issue here.
        let mut ts_write_1 = self.write(ts).await;
        ts_write_1
            .initialise_schema_core()
            .and_then(|_| ts_write_1.commit())?;

        let mut ts_write_2 = self.write(ts).await;
        ts_write_2
            .initialise_schema_idm()
            .and_then(|_| ts_write_2.commit())?;

        // reindex and set to version + 1, this way when we bump the version
        // we are essetially pushing this version id back up to step write_1
        let mut reindex_write_2 = self.write(ts).await;
        reindex_write_2
            .upgrade_reindex(SYSTEM_INDEX_VERSION + 1)
            .and_then(|_| reindex_write_2.commit())?;

        // Force the schema to reload - this is so that any changes to index slope
        // analysis are now reflected correctly.
        //
        // A side effect of these reloads is that other plugins or elements that reload
        // on schema change are now setup.
        let mut slope_reload = self.write(ts).await;
        slope_reload.set_phase(ServerPhase::SchemaReady);
        slope_reload.force_schema_reload();
        slope_reload.commit()?;

        // Now, based on the system version apply migrations. You may ask "should you not
        // be doing migrations before indexes?". And this is a very good question! The issue
        // is within a migration we must be able to search for content by pres index, and those
        // rely on us being indexed! It *is* safe to index content even if the
        // migration would cause a value type change (ie name changing from iutf8s to iname) because
        // the indexing subsystem is schema/value agnostic - the fact the values still let their keys
        // be extracted, means that the pres indexes will be valid even though the entries are pending
        // migration. We must be sure to NOT use EQ/SUB indexes in the migration code however!
        let mut migrate_txn = self.write(ts).await;
        // If we are "in the process of being setup" this is 0, and the migrations will have no
        // effect as ... there is nothing to migrate! It allows reset of the version to 0 to force
        // db migrations to take place.
        let system_info_version = match migrate_txn.internal_search_uuid(&UUID_SYSTEM_INFO) {
            Ok(e) => Ok(e.get_ava_single_uint32("version").unwrap_or(0)),
            Err(OperationError::NoMatchingEntries) => Ok(0),
            Err(r) => Err(r),
        }?;
        admin_debug!(?system_info_version);

        if system_info_version < 3 {
            migrate_txn.migrate_2_to_3()?;
        }

        if system_info_version < 4 {
            migrate_txn.migrate_3_to_4()?;
        }

        if system_info_version < 5 {
            migrate_txn.migrate_4_to_5()?;
        }

        if system_info_version < 6 {
            migrate_txn.migrate_5_to_6()?;
        }

        if system_info_version < 7 {
            migrate_txn.migrate_6_to_7()?;
        }

        if system_info_version < 8 {
            migrate_txn.migrate_7_to_8()?;
        }

        if system_info_version < 9 {
            migrate_txn.migrate_8_to_9()?;
        }

        migrate_txn.commit()?;
        // Migrations complete. Init idm will now set the version as needed.

        let mut ts_write_3 = self.write(ts).await;
        ts_write_3.initialise_idm().and_then(|_| {
            ts_write_3.set_phase(ServerPhase::Running);
            ts_write_3.commit()
        })?;
        // TODO: work out if we've actually done any migrations before printing this
        admin_debug!("Database version check and migrations success! ☀️  ");
        Ok(())
    }

    pub async fn verify(&self) -> Vec<Result<(), ConsistencyError>> {
        let mut r_txn = self.read().await;
        r_txn.verify()
    }
}

impl<'a> QueryServerWriteTransaction<'a> {
    #[instrument(level = "debug", skip_all)]
    pub fn create(&mut self, ce: &CreateEvent) -> Result<(), OperationError> {
        // The create event is a raw, read only representation of the request
        // that was made to us, including information about the identity
        // performing the request.
        if !ce.ident.is_internal() {
            security_info!(name = %ce.ident, "create initiator");
        }

        // Log the request

        // TODO #67: Do we need limits on number of creates, or do we constraint
        // based on request size in the frontend?

        // Copy the entries to a writeable form, this involves assigning a
        // change id so we can track what's happening.
        let candidates: Vec<Entry<EntryInit, EntryNew>> = ce.entries.clone();

        // Do we have rights to perform these creates?
        // create_allow_operation
        let access = self.get_accesscontrols();
        let op_allow = access
            .create_allow_operation(ce, &candidates)
            .map_err(|e| {
                admin_error!("Failed to check create access {:?}", e);
                e
            })?;
        if !op_allow {
            return Err(OperationError::AccessDenied);
        }

        // Before we assign replication metadata, we need to assert these entries
        // are valid to create within the set of replication transitions. This
        // means they *can not* be recycled or tombstones!
        if candidates.iter().any(|e| e.mask_recycled_ts().is_none()) {
            admin_warn!("Refusing to create invalid entries that are attempting to bypass replication state machine.");
            return Err(OperationError::AccessDenied);
        }

        // Assign our replication metadata now, since we can proceed with this operation.
        let mut candidates: Vec<Entry<EntryInvalid, EntryNew>> = candidates
            .into_iter()
            .map(|e| e.assign_cid(self.cid.clone(), &self.schema))
            .collect();

        // run any pre plugins, giving them the list of mutable candidates.
        // pre-plugins are defined here in their correct order of calling!
        // I have no intent to make these dynamic or configurable.

        Plugins::run_pre_create_transform(self, &mut candidates, ce).map_err(|e| {
            admin_error!("Create operation failed (pre_transform plugin), {:?}", e);
            e
        })?;

        // NOTE: This is how you map from Vec<Result<T>> to Result<Vec<T>>
        // remember, that you only get the first error and the iter terminates.

        // eprintln!("{:?}", candidates);

        // Now, normalise AND validate!

        let res: Result<Vec<Entry<EntrySealed, EntryNew>>, OperationError> = candidates
            .into_iter()
            .map(|e| {
                e.validate(&self.schema)
                    .map_err(|e| {
                        admin_error!("Schema Violation in create validate {:?}", e);
                        OperationError::SchemaViolation(e)
                    })
                    .map(|e| {
                        // Then seal the changes?
                        e.seal(&self.schema)
                    })
            })
            .collect();

        let norm_cand: Vec<Entry<_, _>> = res?;

        // Run any pre-create plugins now with schema validated entries.
        // This is important for normalisation of certain types IE class
        // or attributes for these checks.
        Plugins::run_pre_create(self, &norm_cand, ce).map_err(|e| {
            admin_error!("Create operation failed (plugin), {:?}", e);
            e
        })?;

        // We may change from ce.entries later to something else?
        let commit_cand = self.be_txn.create(&self.cid, norm_cand).map_err(|e| {
            admin_error!("betxn create failure {:?}", e);
            e
        })?;

        // Run any post plugins

        Plugins::run_post_create(self, &commit_cand, ce).map_err(|e| {
            admin_error!("Create operation failed (post plugin), {:?}", e);
            e
        })?;

        // We have finished all plugs and now have a successful operation - flag if
        // schema or acp requires reload.
        if !self.changed_schema.get() {
            self.changed_schema.set(commit_cand.iter().any(|e| {
                e.attribute_equality("class", &PVCLASS_CLASSTYPE)
                    || e.attribute_equality("class", &PVCLASS_ATTRIBUTETYPE)
            }))
        }
        if !self.changed_acp.get() {
            self.changed_acp.set(
                commit_cand
                    .iter()
                    .any(|e| e.attribute_equality("class", &PVCLASS_ACP)),
            )
        }
        if !self.changed_oauth2.get() {
            self.changed_oauth2.set(
                commit_cand
                    .iter()
                    .any(|e| e.attribute_equality("class", &PVCLASS_OAUTH2_RS)),
            )
        }
        if !self.changed_domain.get() {
            self.changed_domain.set(
                commit_cand
                    .iter()
                    .any(|e| e.attribute_equality("uuid", &PVUUID_DOMAIN_INFO)),
            )
        }

        let cu = self.changed_uuid.as_ptr();
        unsafe {
            (*cu).extend(commit_cand.iter().map(|e| e.get_uuid()));
        }
        trace!(
            schema_reload = ?self.changed_schema,
            acp_reload = ?self.changed_acp,
            oauth2_reload = ?self.changed_oauth2,
            domain_reload = ?self.changed_domain,
        );

        // We are complete, finalise logging and return

        if ce.ident.is_internal() {
            trace!("Create operation success");
        } else {
            admin_info!("Create operation success");
        }
        Ok(())
    }

    #[allow(clippy::cognitive_complexity)]
    #[instrument(level = "debug", skip_all)]
    pub fn delete(&mut self, de: &DeleteEvent) -> Result<(), OperationError> {
        // Do you have access to view all the set members? Reduce based on your
        // read permissions and attrs
        // THIS IS PRETTY COMPLEX SEE THE DESIGN DOC
        // In this case we need a search, but not INTERNAL to keep the same
        // associated credentials.
        // We only need to retrieve uuid though ...
        if !de.ident.is_internal() {
            security_info!(name = %de.ident, "delete initiator");
        }

        // Now, delete only what you can see
        let pre_candidates = self
            .impersonate_search_valid(de.filter.clone(), de.filter_orig.clone(), &de.ident)
            .map_err(|e| {
                admin_error!("delete: error in pre-candidate selection {:?}", e);
                e
            })?;

        // Apply access controls to reduce the set if required.
        // delete_allow_operation
        let access = self.get_accesscontrols();
        let op_allow = access
            .delete_allow_operation(de, &pre_candidates)
            .map_err(|e| {
                admin_error!("Failed to check delete access {:?}", e);
                e
            })?;
        if !op_allow {
            return Err(OperationError::AccessDenied);
        }

        // Is the candidate set empty?
        if pre_candidates.is_empty() {
            request_error!(filter = ?de.filter, "delete: no candidates match filter");
            return Err(OperationError::NoMatchingEntries);
        };

        if pre_candidates.iter().any(|e| e.mask_tombstone().is_none()) {
            admin_warn!("Refusing to delete entries which may be an attempt to bypass replication state machine.");
            return Err(OperationError::AccessDenied);
        }

        let mut candidates: Vec<Entry<EntryInvalid, EntryCommitted>> = pre_candidates
            .iter()
            // Invalidate and assign change id's
            .map(|er| er.as_ref().clone().invalidate(self.cid.clone()))
            .collect();

        trace!(?candidates, "delete: candidates");

        // Pre delete plugs
        Plugins::run_pre_delete(self, &mut candidates, de).map_err(|e| {
            admin_error!("Delete operation failed (plugin), {:?}", e);
            e
        })?;

        trace!(?candidates, "delete: now marking candidates as recycled");

        let res: Result<Vec<Entry<EntrySealed, EntryCommitted>>, OperationError> = candidates
            .into_iter()
            .map(|e| {
                e.to_recycled()
                    .validate(&self.schema)
                    .map_err(|e| {
                        admin_error!(err = ?e, "Schema Violation in delete validate");
                        OperationError::SchemaViolation(e)
                    })
                    // seal if it worked.
                    .map(|e| e.seal(&self.schema))
            })
            .collect();

        let del_cand: Vec<Entry<_, _>> = res?;

        self.be_txn
            .modify(&self.cid, &pre_candidates, &del_cand)
            .map_err(|e| {
                // be_txn is dropped, ie aborted here.
                admin_error!("Delete operation failed (backend), {:?}", e);
                e
            })?;

        // Post delete plugins
        Plugins::run_post_delete(self, &del_cand, de).map_err(|e| {
            admin_error!("Delete operation failed (plugin), {:?}", e);
            e
        })?;

        // We have finished all plugs and now have a successful operation - flag if
        // schema or acp requires reload.
        if !self.changed_schema.get() {
            self.changed_schema.set(del_cand.iter().any(|e| {
                e.attribute_equality("class", &PVCLASS_CLASSTYPE)
                    || e.attribute_equality("class", &PVCLASS_ATTRIBUTETYPE)
            }))
        }
        if !self.changed_acp.get() {
            self.changed_acp.set(
                del_cand
                    .iter()
                    .any(|e| e.attribute_equality("class", &PVCLASS_ACP)),
            )
        }
        if !self.changed_oauth2.get() {
            self.changed_oauth2.set(
                del_cand
                    .iter()
                    .any(|e| e.attribute_equality("class", &PVCLASS_OAUTH2_RS)),
            )
        }
        if !self.changed_domain.get() {
            self.changed_domain.set(
                del_cand
                    .iter()
                    .any(|e| e.attribute_equality("uuid", &PVUUID_DOMAIN_INFO)),
            )
        }

        let cu = self.changed_uuid.as_ptr();
        unsafe {
            (*cu).extend(del_cand.iter().map(|e| e.get_uuid()));
        }

        trace!(
            schema_reload = ?self.changed_schema,
            acp_reload = ?self.changed_acp,
            oauth2_reload = ?self.changed_oauth2,
            domain_reload = ?self.changed_domain,
        );

        // Send result
        if de.ident.is_internal() {
            trace!("Delete operation success");
        } else {
            admin_info!("Delete operation success");
        }
        Ok(())
    }

    #[instrument(level = "debug", skip_all)]
    pub fn purge_tombstones(&self) -> Result<(), OperationError> {
        // purge everything that is a tombstone.
        let cid = self.cid.sub_secs(CHANGELOG_MAX_AGE).map_err(|e| {
            admin_error!("Unable to generate search cid {:?}", e);
            e
        })?;

        // Delete them - this is a TRUE delete, no going back now!
        self.be_txn
            .reap_tombstones(&cid)
            .map_err(|e| {
                admin_error!(err = ?e, "Tombstone purge operation failed (backend)");
                e
            })
            .map(|_| {
                admin_info!("Tombstone purge operation success");
            })
    }

    #[instrument(level = "debug", skip_all)]
    pub fn purge_recycled(&self) -> Result<(), OperationError> {
        // Send everything that is recycled to tombstone
        // Search all recycled
        let cid = self.cid.sub_secs(RECYCLEBIN_MAX_AGE).map_err(|e| {
            admin_error!(err = ?e, "Unable to generate search cid");
            e
        })?;
        let rc = self.internal_search(filter_all!(f_and!([
            f_eq("class", PVCLASS_RECYCLED.clone()),
            f_lt("last_modified_cid", PartialValue::new_cid(cid)),
        ])))?;

        if rc.is_empty() {
            admin_info!("No recycled present - purge operation success");
            return Ok(());
        }

        // Modify them to strip all avas except uuid
        let tombstone_cand: Result<Vec<_>, _> = rc
            .iter()
            .map(|e| {
                e.to_tombstone(self.cid.clone())
                    .validate(&self.schema)
                    .map_err(|e| {
                        admin_error!("Schema Violation in purge_recycled validate: {:?}", e);
                        OperationError::SchemaViolation(e)
                    })
                    // seal if it worked.
                    .map(|e| e.seal(&self.schema))
            })
            .collect();

        let tombstone_cand = tombstone_cand?;

        // Backend Modify
        self.be_txn
            .modify(&self.cid, &rc, &tombstone_cand)
            .map_err(|e| {
                admin_error!("Purge recycled operation failed (backend), {:?}", e);
                e
            })
            .map(|_| {
                admin_info!("Purge recycled operation success");
            })
    }

    #[instrument(level = "debug", skip_all)]
    pub fn revive_recycled(&mut self, re: &ReviveRecycledEvent) -> Result<(), OperationError> {
        // Revive an entry to live. This is a specialised function, and draws a lot of
        // inspiration from modify.
        //
        // Access is granted by the ability to ability to search the class=recycled
        // and the ability modify + remove that class from the object.
        if !re.ident.is_internal() {
            security_info!(name = %re.ident, "revive initiator");
        }

        // Get the list of pre_candidates, using impersonate search.
        let pre_candidates =
            self.impersonate_search_valid(re.filter.clone(), re.filter.clone(), &re.ident)?;

        // Is the list empty?
        if pre_candidates.is_empty() {
            if re.ident.is_internal() {
                trace!(
                    "revive: no candidates match filter ... continuing {:?}",
                    re.filter
                );
                return Ok(());
            } else {
                request_error!(
                    "revive: no candidates match filter, failure {:?}",
                    re.filter
                );
                return Err(OperationError::NoMatchingEntries);
            }
        };

        trace!("revive: pre_candidates -> {:?}", pre_candidates);

        // Check access against a "fake" modify.
        let modlist = ModifyList::new_list(vec![Modify::Removed(
            AttrString::from("class"),
            PVCLASS_RECYCLED.clone(),
        )]);

        let m_valid = modlist.validate(self.get_schema()).map_err(|e| {
            admin_error!("revive recycled modlist Schema Violation {:?}", e);
            OperationError::SchemaViolation(e)
        })?;

        let me =
            ModifyEvent::new_impersonate(&re.ident, re.filter.clone(), re.filter.clone(), m_valid);

        let access = self.get_accesscontrols();
        let op_allow = access
            .modify_allow_operation(&me, &pre_candidates)
            .map_err(|e| {
                admin_error!("Unable to check modify access {:?}", e);
                e
            })?;
        if !op_allow {
            return Err(OperationError::AccessDenied);
        }

        // Are all of the entries actually recycled?
        if pre_candidates.iter().all(|e| e.mask_recycled().is_some()) {
            admin_warn!("Refusing to revive entries that are already live!");
            return Err(OperationError::AccessDenied);
        }

        // Build the list of mods from directmo, to revive memberships.
        let mut dm_mods: HashMap<Uuid, ModifyList<ModifyInvalid>> =
            HashMap::with_capacity(pre_candidates.len());

        for e in &pre_candidates {
            // Get this entries uuid.
            let u: Uuid = e.get_uuid();

            if let Some(riter) = e.get_ava_as_refuuid("directmemberof") {
                for g_uuid in riter {
                    dm_mods
                        .entry(g_uuid)
                        .and_modify(|mlist| {
                            let m =
                                Modify::Present(AttrString::from("member"), Value::new_refer_r(&u));
                            mlist.push_mod(m);
                        })
                        .or_insert({
                            let m =
                                Modify::Present(AttrString::from("member"), Value::new_refer_r(&u));
                            ModifyList::new_list(vec![m])
                        });
                }
            }
        }

        // clone the writeable entries.
        let mut candidates: Vec<Entry<EntryInvalid, EntryCommitted>> = pre_candidates
            .iter()
            .map(|er| er.as_ref().clone().invalidate(self.cid.clone()))
            // Mutate to apply the revive.
            .map(|er| er.to_revived())
            .collect();

        // Are they all revived?
        if candidates.iter().all(|e| e.mask_recycled().is_none()) {
            admin_error!("Not all candidates were correctly revived, unable to proceed");
            return Err(OperationError::InvalidEntryState);
        }

        // Do we need to apply pre-mod?
        // Very likely, incase domain has renamed etc.
        Plugins::run_pre_modify(self, &mut candidates, &me).map_err(|e| {
            admin_error!("Revive operation failed (plugin), {:?}", e);
            e
        })?;

        // Schema validate
        let res: Result<Vec<Entry<EntrySealed, EntryCommitted>>, OperationError> = candidates
            .into_iter()
            .map(|e| {
                e.validate(&self.schema)
                    .map_err(|e| {
                        admin_error!("Schema Violation {:?}", e);
                        OperationError::SchemaViolation(e)
                    })
                    .map(|e| e.seal(&self.schema))
            })
            .collect();

        let norm_cand: Vec<Entry<_, _>> = res?;

        // build the mod partial
        let mp = ModifyPartial {
            norm_cand,
            pre_candidates,
            me: &me,
        };

        // Call modify_apply
        self.modify_apply(mp)?;

        // If and only if that succeeds, apply the direct membership modifications
        // if possible.
        for (g, mods) in dm_mods {
            // I think the filter/filter_all shouldn't matter here because the only
            // valid direct memberships should be still valid/live references, as refint
            // removes anything that was deleted even from recycled entries.
            let f = filter_all!(f_eq("uuid", PartialValue::new_uuid(g)));
            self.internal_modify(&f, &mods)?;
        }

        Ok(())
    }

    #[instrument(level = "debug", skip_all)]
    pub fn revive_recycled_legacy(
        &mut self,
        re: &ReviveRecycledEvent,
    ) -> Result<(), OperationError> {
        // Revive an entry to live. This is a specialised function, and draws a lot of
        // inspiration from modify.
        //
        //
        // Access is granted by the ability to ability to search the class=recycled
        // and the ability modify + remove that class from the object.

        // create the modify for access testing.
        // tl;dr, remove the class=recycled
        let modlist = ModifyList::new_list(vec![Modify::Removed(
            AttrString::from("class"),
            PVCLASS_RECYCLED.clone(),
        )]);

        let m_valid = modlist.validate(self.get_schema()).map_err(|e| {
            admin_error!(
                "Schema Violation in revive recycled modlist validate: {:?}",
                e
            );
            OperationError::SchemaViolation(e)
        })?;

        // Get the entries we are about to revive.
        //    we make a set of per-entry mod lists. A list of lists even ...
        let revive_cands =
            self.impersonate_search_valid(re.filter.clone(), re.filter.clone(), &re.ident)?;

        let mut dm_mods: HashMap<Uuid, ModifyList<ModifyInvalid>> =
            HashMap::with_capacity(revive_cands.len());

        for e in revive_cands {
            // Get this entries uuid.
            let u: Uuid = e.get_uuid();

            if let Some(riter) = e.get_ava_as_refuuid("directmemberof") {
                for g_uuid in riter {
                    dm_mods
                        .entry(g_uuid)
                        .and_modify(|mlist| {
                            let m =
                                Modify::Present(AttrString::from("member"), Value::new_refer_r(&u));
                            mlist.push_mod(m);
                        })
                        .or_insert({
                            let m =
                                Modify::Present(AttrString::from("member"), Value::new_refer_r(&u));
                            ModifyList::new_list(vec![m])
                        });
                }
            }
        }

        // Now impersonate the modify
        self.impersonate_modify_valid(re.filter.clone(), re.filter.clone(), m_valid, &re.ident)?;
        // If and only if that succeeds, apply the direct membership modifications
        // if possible.
        for (g, mods) in dm_mods {
            // I think the filter/filter_all shouldn't matter here because the only
            // valid direct memberships should be still valid/live references.
            let f = filter_all!(f_eq("uuid", PartialValue::new_uuid(g)));
            self.internal_modify(&f, &mods)?;
        }
        Ok(())
    }

    /// Unsafety: This is unsafe because you need to be careful about how you handle and check
    /// the Ok(None) case which occurs during internal operations, and that you DO NOT re-order
    /// and call multiple pre-applies at the same time, else you can cause DB corruption.
    #[instrument(level = "debug", skip_all)]
    pub(crate) unsafe fn modify_pre_apply<'x>(
        &mut self,
        me: &'x ModifyEvent,
    ) -> Result<Option<ModifyPartial<'x>>, OperationError> {
        // Get the candidates.
        // Modify applies a modlist to a filter, so we need to internal search
        // then apply.
        if !me.ident.is_internal() {
            security_info!(name = %me.ident, "modify initiator");
        }

        // Validate input.

        // Is the modlist non zero?
        if me.modlist.is_empty() {
            request_error!("modify: empty modify request");
            return Err(OperationError::EmptyRequest);
        }

        // Is the modlist valid?
        // This is now done in the event transform

        // Is the filter invalid to schema?
        // This is now done in the event transform

        // This also checks access controls due to use of the impersonation.
        let pre_candidates = self
            .impersonate_search_valid(me.filter.clone(), me.filter_orig.clone(), &me.ident)
            .map_err(|e| {
                admin_error!("modify: error in pre-candidate selection {:?}", e);
                e
            })?;

        if pre_candidates.is_empty() {
            if me.ident.is_internal() {
                trace!(
                    "modify: no candidates match filter ... continuing {:?}",
                    me.filter
                );
                return Ok(None);
            } else {
                request_error!(
                    "modify: no candidates match filter, failure {:?}",
                    me.filter
                );
                return Err(OperationError::NoMatchingEntries);
            }
        };

        trace!("modify: pre_candidates -> {:?}", pre_candidates);
        trace!("modify: modlist -> {:?}", me.modlist);

        // Are we allowed to make the changes we want to?
        // modify_allow_operation
        let access = self.get_accesscontrols();
        let op_allow = access
            .modify_allow_operation(me, &pre_candidates)
            .map_err(|e| {
                admin_error!("Unable to check modify access {:?}", e);
                e
            })?;
        if !op_allow {
            return Err(OperationError::AccessDenied);
        }

        // Clone a set of writeables.
        // Apply the modlist -> Remember, we have a set of origs
        // and the new modified ents.
        let mut candidates: Vec<Entry<EntryInvalid, EntryCommitted>> = pre_candidates
            .iter()
            .map(|er| er.as_ref().clone().invalidate(self.cid.clone()))
            .collect();

        candidates
            .iter_mut()
            .for_each(|er| er.apply_modlist(&me.modlist));

        trace!("modify: candidates -> {:?}", candidates);

        // Did any of the candidates now become masked?
        if candidates.iter().any(|e| e.mask_recycled_ts().is_none()) {
            admin_warn!("Refusing to apply modifications that are attempting to bypass replication state machine.");
            return Err(OperationError::AccessDenied);
        }

        // Pre mod plugins
        // We should probably supply the pre-post cands here.
        Plugins::run_pre_modify(self, &mut candidates, me).map_err(|e| {
            admin_error!("Pre-Modify operation failed (plugin), {:?}", e);
            e
        })?;

        // NOTE: There is a potential optimisation here, where if
        // candidates == pre-candidates, then we don't need to store anything
        // because we effectively just did an assert. However, like all
        // optimisations, this could be premature - so we for now, just
        // do the CORRECT thing and recommit as we may find later we always
        // want to add CSN's or other.

        let res: Result<Vec<Entry<EntrySealed, EntryCommitted>>, OperationError> = candidates
            .into_iter()
            .map(|entry| {
                entry
                    .validate(&self.schema)
                    .map_err(|e| {
                        admin_error!("Schema Violation in validation of modify_pre_apply {:?}", e);
                        OperationError::SchemaViolation(e)
                    })
                    .map(|entry| entry.seal(&self.schema))
            })
            .collect();

        let norm_cand: Vec<Entry<_, _>> = res?;

        Ok(Some(ModifyPartial {
            norm_cand,
            pre_candidates,
            me,
        }))
    }

    #[instrument(level = "debug", skip_all)]
    pub(crate) fn modify_apply(&mut self, mp: ModifyPartial<'_>) -> Result<(), OperationError> {
        let ModifyPartial {
            norm_cand,
            pre_candidates,
            me,
        } = mp;

        // Backend Modify
        self.be_txn
            .modify(&self.cid, &pre_candidates, &norm_cand)
            .map_err(|e| {
                admin_error!("Modify operation failed (backend), {:?}", e);
                e
            })?;

        // Post Plugins
        //
        // memberOf actually wants the pre cand list and the norm_cand list to see what
        // changed. Could be optimised, but this is correct still ...
        Plugins::run_post_modify(self, &pre_candidates, &norm_cand, me).map_err(|e| {
            admin_error!("Post-Modify operation failed (plugin), {:?}", e);
            e
        })?;

        // We have finished all plugs and now have a successful operation - flag if
        // schema or acp requires reload. Remember, this is a modify, so we need to check
        // pre and post cands.
        if !self.changed_schema.get() {
            self.changed_schema.set(
                norm_cand
                    .iter()
                    .chain(pre_candidates.iter().map(|e| e.as_ref()))
                    .any(|e| {
                        e.attribute_equality("class", &PVCLASS_CLASSTYPE)
                            || e.attribute_equality("class", &PVCLASS_ATTRIBUTETYPE)
                    }),
            )
        }
        if !self.changed_acp.get() {
            self.changed_acp.set(
                norm_cand
                    .iter()
                    .chain(pre_candidates.iter().map(|e| e.as_ref()))
                    .any(|e| e.attribute_equality("class", &PVCLASS_ACP)),
            )
        }
        if !self.changed_oauth2.get() {
            self.changed_oauth2.set(
                norm_cand
                    .iter()
                    .chain(pre_candidates.iter().map(|e| e.as_ref()))
                    .any(|e| e.attribute_equality("class", &PVCLASS_OAUTH2_RS)),
            )
        }
        if !self.changed_domain.get() {
            self.changed_domain.set(
                norm_cand
                    .iter()
                    .chain(pre_candidates.iter().map(|e| e.as_ref()))
                    .any(|e| e.attribute_equality("uuid", &PVUUID_DOMAIN_INFO)),
            )
        }

        let cu = self.changed_uuid.as_ptr();
        unsafe {
            (*cu).extend(
                norm_cand
                    .iter()
                    .map(|e| e.get_uuid())
                    .chain(pre_candidates.iter().map(|e| e.get_uuid())),
            );
        }

        trace!(
            schema_reload = ?self.changed_schema,
            acp_reload = ?self.changed_acp,
            oauth2_reload = ?self.changed_oauth2,
            domain_reload = ?self.changed_domain,
        );

        // return
        if me.ident.is_internal() {
            trace!("Modify operation success");
        } else {
            admin_info!("Modify operation success");
        }
        Ok(())
    }

    #[instrument(level = "debug", skip_all)]
    pub fn modify(&mut self, me: &ModifyEvent) -> Result<(), OperationError> {
        let mp = unsafe { self.modify_pre_apply(me)? };
        if let Some(mp) = mp {
            self.modify_apply(mp)
        } else {
            // No action to apply, the pre-apply said nothing to be done.
            Ok(())
        }
    }

    /// Used in conjunction with internal_batch_modify, to get a pre/post
    /// pair, where post is pre-configured with metadata to allow
    /// modificiation before submit back to internal_batch_modify
    #[instrument(level = "debug", skip_all)]
    pub(crate) fn internal_search_writeable(
        &self,
        filter: &Filter<FilterInvalid>,
    ) -> Result<Vec<EntryTuple>, OperationError> {
        let f_valid = filter
            .validate(self.get_schema())
            .map_err(OperationError::SchemaViolation)?;
        let se = SearchEvent::new_internal(f_valid);
        self.search(&se).map(|vs| {
            vs.into_iter()
                .map(|e| {
                    let writeable = e.as_ref().clone().invalidate(self.cid.clone());
                    (e, writeable)
                })
                .collect()
        })
    }

    /// Allows writing batches of modified entries without going through
    /// the modlist path. This allows more effecient batch transformations
    /// such as memberof, but at the expense that YOU must guarantee you
    /// uphold all other plugin and state rules that are important. You
    /// probably want modify instead.
    #[allow(clippy::needless_pass_by_value)]
    #[instrument(level = "debug", skip_all)]
    pub(crate) fn internal_batch_modify(
        &self,
        pre_candidates: Vec<Arc<EntrySealedCommitted>>,
        candidates: Vec<Entry<EntryInvalid, EntryCommitted>>,
    ) -> Result<(), OperationError> {
        if pre_candidates.is_empty() && candidates.is_empty() {
            // No action needed.
            return Ok(());
        }

        if pre_candidates.len() != candidates.len() {
            admin_error!("internal_batch_modify - cand lengths differ");
            return Err(OperationError::InvalidRequestState);
        }

        let res: Result<Vec<Entry<EntrySealed, EntryCommitted>>, OperationError> = candidates
            .into_iter()
            .map(|e| {
                e.validate(&self.schema)
                    .map_err(|e| {
                        admin_error!(
                            "Schema Violation in internal_batch_modify validate: {:?}",
                            e
                        );
                        OperationError::SchemaViolation(e)
                    })
                    .map(|e| e.seal(&self.schema))
            })
            .collect();

        let norm_cand: Vec<Entry<_, _>> = res?;

        if cfg!(debug_assertions) {
            pre_candidates
                .iter()
                .zip(norm_cand.iter())
                .try_for_each(|(pre, post)| {
                    if pre.get_uuid() == post.get_uuid() {
                        Ok(())
                    } else {
                        admin_error!("modify - cand sets not correctly aligned");
                        Err(OperationError::InvalidRequestState)
                    }
                })?;
        }

        // Backend Modify
        self.be_txn
            .modify(&self.cid, &pre_candidates, &norm_cand)
            .map_err(|e| {
                admin_error!("Modify operation failed (backend), {:?}", e);
                e
            })?;

        if !self.changed_schema.get() {
            self.changed_schema.set(
                norm_cand
                    .iter()
                    .chain(pre_candidates.iter().map(|e| e.as_ref()))
                    .any(|e| {
                        e.attribute_equality("class", &PVCLASS_CLASSTYPE)
                            || e.attribute_equality("class", &PVCLASS_ATTRIBUTETYPE)
                    }),
            )
        }
        if !self.changed_acp.get() {
            self.changed_acp.set(
                norm_cand
                    .iter()
                    .chain(pre_candidates.iter().map(|e| e.as_ref()))
                    .any(|e| e.attribute_equality("class", &PVCLASS_ACP)),
            )
        }
        if !self.changed_oauth2.get() {
            self.changed_oauth2.set(
                norm_cand
                    .iter()
                    .any(|e| e.attribute_equality("class", &PVCLASS_OAUTH2_RS)),
            )
        }
        if !self.changed_domain.get() {
            self.changed_domain.set(
                norm_cand
                    .iter()
                    .any(|e| e.attribute_equality("uuid", &PVUUID_DOMAIN_INFO)),
            )
        }
        let cu = self.changed_uuid.as_ptr();
        unsafe {
            (*cu).extend(
                norm_cand
                    .iter()
                    .map(|e| e.get_uuid())
                    .chain(pre_candidates.iter().map(|e| e.get_uuid())),
            );
        }
        trace!(
            schema_reload = ?self.changed_schema,
            acp_reload = ?self.changed_acp,
            oauth2_reload = ?self.changed_oauth2,
            domain_reload = ?self.changed_domain,
        );

        trace!("Modify operation success");
        Ok(())
    }

    #[allow(clippy::mut_from_ref)]
    pub(crate) fn get_dyngroup_cache(&self) -> &mut DynGroupCache {
        unsafe {
            let mptr = self.dyngroup_cache.as_ptr();
            (*mptr).get_mut()
        }
    }

    /// Migrate 2 to 3 changes the name, domain_name types from iutf8 to iname.
    #[instrument(level = "debug", skip_all)]
    pub fn migrate_2_to_3(&mut self) -> Result<(), OperationError> {
        admin_warn!("starting 2 to 3 migration. THIS MAY TAKE A LONG TIME!");
        // Get all entries where pres name or domain_name. INCLUDE TS + RECYCLE.

        let filt = filter_all!(f_or!([f_pres("name"), f_pres("domain_name"),]));

        let pre_candidates = self.internal_search(filt).map_err(|e| {
            admin_error!(err = ?e, "migrate_2_to_3 internal search failure");
            e
        })?;

        // If there is nothing, we donn't need to do anything.
        if pre_candidates.is_empty() {
            admin_info!("migrate_2_to_3 no entries to migrate, complete");
            return Ok(());
        }

        // Change the value type.
        let mut candidates: Vec<Entry<EntryInvalid, EntryCommitted>> = pre_candidates
            .iter()
            .map(|er| er.as_ref().clone().invalidate(self.cid.clone()))
            .collect();

        candidates.iter_mut().try_for_each(|er| {
            let nvs = if let Some(vs) = er.get_ava_set("name") {
                vs.migrate_iutf8_iname()?
            } else {
                None
            };
            if let Some(nvs) = nvs {
                er.set_ava_set("name", nvs)
            }

            let nvs = if let Some(vs) = er.get_ava_set("domain_name") {
                vs.migrate_iutf8_iname()?
            } else {
                None
            };
            if let Some(nvs) = nvs {
                er.set_ava_set("domain_name", nvs)
            }

            Ok(())
        })?;

        // Schema check all.
        let res: Result<Vec<Entry<EntrySealed, EntryCommitted>>, SchemaError> = candidates
            .into_iter()
            .map(|e| e.validate(&self.schema).map(|e| e.seal(&self.schema)))
            .collect();

        let norm_cand: Vec<Entry<_, _>> = match res {
            Ok(v) => v,
            Err(e) => {
                admin_error!("migrate_2_to_3 schema error -> {:?}", e);
                return Err(OperationError::SchemaViolation(e));
            }
        };

        // Write them back.
        self.be_txn
            .modify(&self.cid, &pre_candidates, &norm_cand)
            .map_err(|e| {
                admin_error!("migrate_2_to_3 modification failure -> {:?}", e);
                e
            })
        // Complete
    }

    /// Migrate 3 to 4 - this triggers a regen of the domains security token
    /// as we previously did not have it in the entry.
    #[instrument(level = "debug", skip_all)]
    pub fn migrate_3_to_4(&mut self) -> Result<(), OperationError> {
        admin_warn!("starting 3 to 4 migration.");
        let filter = filter!(f_eq("uuid", (*PVUUID_DOMAIN_INFO).clone()));
        let modlist = ModifyList::new_purge("domain_token_key");
        self.internal_modify(&filter, &modlist)
        // Complete
    }

    /// Migrate 4 to 5 - this triggers a regen of all oauth2 RS es256 der keys
    /// as we previously did not generate them on entry creation.
    #[instrument(level = "debug", skip_all)]
    pub fn migrate_4_to_5(&mut self) -> Result<(), OperationError> {
        admin_warn!("starting 4 to 5 migration.");
        let filter = filter!(f_and!([
            f_eq("class", (*PVCLASS_OAUTH2_RS).clone()),
            f_andnot(f_pres("es256_private_key_der")),
        ]));
        let modlist = ModifyList::new_purge("es256_private_key_der");
        self.internal_modify(&filter, &modlist)
        // Complete
    }

    /// Migrate 5 to 6 - This updates the domain info item to reset the token
    /// keys based on the new encryption types.
    #[instrument(level = "debug", skip_all)]
    pub fn migrate_5_to_6(&mut self) -> Result<(), OperationError> {
        admin_warn!("starting 5 to 6 migration.");
        let filter = filter!(f_eq("uuid", (*PVUUID_DOMAIN_INFO).clone()));
        let mut modlist = ModifyList::new_purge("domain_token_key");
        // We need to also push the version here so that we pass schema.
        modlist.push_mod(Modify::Present(
            AttrString::from("version"),
            Value::Uint32(0),
        ));
        self.internal_modify(&filter, &modlist)
        // Complete
    }

    /// Migrate 6 to 7
    ///
    /// Modify accounts that are not persons, to be service accounts so that the extension
    /// rules remain valid.
    #[instrument(level = "debug", skip_all)]
    pub fn migrate_6_to_7(&mut self) -> Result<(), OperationError> {
        admin_warn!("starting 6 to 7 migration.");
        let filter = filter!(f_and!([
            f_eq("class", (*PVCLASS_ACCOUNT).clone()),
            f_andnot(f_eq("class", (*PVCLASS_PERSON).clone())),
        ]));
        let modlist = ModifyList::new_append("class", Value::new_class("service_account"));
        self.internal_modify(&filter, &modlist)
        // Complete
    }

    /// Migrate 7 to 8
    ///
    /// Touch all service accounts to trigger a regen of their es256 jws keys for api tokens
    #[instrument(level = "debug", skip_all)]
    pub fn migrate_7_to_8(&mut self) -> Result<(), OperationError> {
        admin_warn!("starting 7 to 8 migration.");
        let filter = filter!(f_eq("class", (*PVCLASS_SERVICE_ACCOUNT).clone()));
        let modlist = ModifyList::new_append("class", Value::new_class("service_account"));
        self.internal_modify(&filter, &modlist)
        // Complete
    }

    /// Migrate 8 to 9
    ///
    /// This migration updates properties of oauth2 relying server properties. First, it changes
    /// the former basic value to a secret utf8string.
    ///
    /// The second change improves the current scope system to remove the implicit scope type.
    #[instrument(level = "debug", skip_all)]
    pub fn migrate_8_to_9(&mut self) -> Result<(), OperationError> {
        admin_warn!("starting 8 to 9 migration.");
        let filt = filter_all!(f_or!([
            f_eq("class", PVCLASS_OAUTH2_RS.clone()),
            f_eq("class", PVCLASS_OAUTH2_BASIC.clone()),
        ]));

        let pre_candidates = self.internal_search(filt).map_err(|e| {
            admin_error!(err = ?e, "migrate_8_to_9 internal search failure");
            e
        })?;

        // If there is nothing, we donn't need to do anything.
        if pre_candidates.is_empty() {
            admin_info!("migrate_8_to_9 no entries to migrate, complete");
            return Ok(());
        }

        // Change the value type.
        let mut candidates: Vec<Entry<EntryInvalid, EntryCommitted>> = pre_candidates
            .iter()
            .map(|er| er.as_ref().clone().invalidate(self.cid.clone()))
            .collect();

        candidates.iter_mut().try_for_each(|er| {
            // Migrate basic secrets if they exist.
            let nvs = er
                .get_ava_set("oauth2_rs_basic_secret")
                .and_then(|vs| vs.as_utf8_iter())
                .and_then(|vs_iter| {
                    ValueSetSecret::from_iter(vs_iter.map(|s: &str| s.to_string()))
                });
            if let Some(nvs) = nvs {
                er.set_ava_set("oauth2_rs_basic_secret", nvs)
            }

            // Migrate implicit scopes if they exist.
            let nv = if let Some(vs) = er.get_ava_set("oauth2_rs_implicit_scopes") {
                vs.as_oauthscope_set()
                    .map(|v| Value::OauthScopeMap(UUID_IDM_ALL_PERSONS, v.clone()))
            } else {
                None
            };

            if let Some(nv) = nv {
                er.add_ava("oauth2_rs_scope_map", nv)
            }
            er.purge_ava("oauth2_rs_implicit_scopes");

            Ok(())
        })?;

        // Schema check all.
        let res: Result<Vec<Entry<EntrySealed, EntryCommitted>>, SchemaError> = candidates
            .into_iter()
            .map(|e| e.validate(&self.schema).map(|e| e.seal(&self.schema)))
            .collect();

        let norm_cand: Vec<Entry<_, _>> = match res {
            Ok(v) => v,
            Err(e) => {
                admin_error!("migrate_8_to_9 schema error -> {:?}", e);
                return Err(OperationError::SchemaViolation(e));
            }
        };

        // Write them back.
        self.be_txn
            .modify(&self.cid, &pre_candidates, &norm_cand)
            .map_err(|e| {
                admin_error!("migrate_8_to_9 modification failure -> {:?}", e);
                e
            })
        // Complete
    }

    // These are where searches and other actions are actually implemented. This
    // is the "internal" version, where we define the event as being internal
    // only, allowing certain plugin by passes etc.

    pub fn internal_create(
        &mut self,
        entries: Vec<Entry<EntryInit, EntryNew>>,
    ) -> Result<(), OperationError> {
        // Start the audit scope
        // Create the CreateEvent
        let ce = CreateEvent::new_internal(entries);
        self.create(&ce)
    }

    pub fn internal_delete(
        &mut self,
        filter: &Filter<FilterInvalid>,
    ) -> Result<(), OperationError> {
        let f_valid = filter
            .validate(self.get_schema())
            .map_err(OperationError::SchemaViolation)?;
        let de = DeleteEvent::new_internal(f_valid);
        self.delete(&de)
    }

    #[instrument(level = "debug", skip_all)]
    pub fn internal_modify(
        &mut self,
        filter: &Filter<FilterInvalid>,
        modlist: &ModifyList<ModifyInvalid>,
    ) -> Result<(), OperationError> {
        let f_valid = filter
            .validate(self.get_schema())
            .map_err(OperationError::SchemaViolation)?;
        let m_valid = modlist
            .validate(self.get_schema())
            .map_err(OperationError::SchemaViolation)?;
        let me = ModifyEvent::new_internal(f_valid, m_valid);
        self.modify(&me)
    }

    pub fn impersonate_modify_valid(
        &mut self,
        f_valid: Filter<FilterValid>,
        f_intent_valid: Filter<FilterValid>,
        m_valid: ModifyList<ModifyValid>,
        event: &Identity,
    ) -> Result<(), OperationError> {
        let me = ModifyEvent::new_impersonate(event, f_valid, f_intent_valid, m_valid);
        self.modify(&me)
    }

    pub fn impersonate_modify(
        &mut self,
        filter: &Filter<FilterInvalid>,
        filter_intent: &Filter<FilterInvalid>,
        modlist: &ModifyList<ModifyInvalid>,
        event: &Identity,
    ) -> Result<(), OperationError> {
        let f_valid = filter.validate(self.get_schema()).map_err(|e| {
            admin_error!("filter Schema Invalid {:?}", e);
            OperationError::SchemaViolation(e)
        })?;
        let f_intent_valid = filter_intent.validate(self.get_schema()).map_err(|e| {
            admin_error!("f_intent Schema Invalid {:?}", e);
            OperationError::SchemaViolation(e)
        })?;
        let m_valid = modlist.validate(self.get_schema()).map_err(|e| {
            admin_error!("modlist Schema Invalid {:?}", e);
            OperationError::SchemaViolation(e)
        })?;
        self.impersonate_modify_valid(f_valid, f_intent_valid, m_valid, event)
    }

    pub fn impersonate_modify_gen_event(
        &mut self,
        filter: &Filter<FilterInvalid>,
        filter_intent: &Filter<FilterInvalid>,
        modlist: &ModifyList<ModifyInvalid>,
        event: &Identity,
    ) -> Result<ModifyEvent, OperationError> {
        let f_valid = filter.validate(self.get_schema()).map_err(|e| {
            admin_error!("filter Schema Invalid {:?}", e);
            OperationError::SchemaViolation(e)
        })?;
        let f_intent_valid = filter_intent.validate(self.get_schema()).map_err(|e| {
            admin_error!("f_intent Schema Invalid {:?}", e);
            OperationError::SchemaViolation(e)
        })?;
        let m_valid = modlist.validate(self.get_schema()).map_err(|e| {
            admin_error!("modlist Schema Invalid {:?}", e);
            OperationError::SchemaViolation(e)
        })?;
        Ok(ModifyEvent::new_impersonate(
            event,
            f_valid,
            f_intent_valid,
            m_valid,
        ))
    }

    // internal server operation types.
    // These just wrap the fn create/search etc, but they allow
    // creating the needed create event with the correct internal flags
    // and markers. They act as though they have the highest level privilege
    // IE there are no access control checks.

    /*
    pub fn internal_exists_or_create(
        &self,
        _e: Entry<EntryValid, EntryNew>,
    ) -> Result<(), OperationError> {
        // If the thing exists, stop.
        // if not, create from Entry.
        unimplemented!()
    }
    */

    #[instrument(level = "debug", skip_all)]
    pub fn internal_migrate_or_create_str(&mut self, e_str: &str) -> Result<(), OperationError> {
        let res = Entry::from_proto_entry_str(e_str, self)
            /*
            .and_then(|e: Entry<EntryInvalid, EntryNew>| {
                let schema = self.get_schema();
                e.validate(schema).map_err(OperationError::SchemaViolation)
            })
            */
            .and_then(|e: Entry<EntryInit, EntryNew>| self.internal_migrate_or_create(e));
        trace!(?res);
        debug_assert!(res.is_ok());
        res
    }

    pub fn internal_migrate_or_create(
        &mut self,
        e: Entry<EntryInit, EntryNew>,
    ) -> Result<(), OperationError> {
        // if the thing exists, ensure the set of attributes on
        // Entry A match and are present (but don't delete multivalue, or extended
        // attributes in the situation.
        // If not exist, create from Entry B
        //
        // This will extra classes an attributes alone!
        //
        // NOTE: gen modlist IS schema aware and will handle multivalue
        // correctly!
        trace!("internal_migrate_or_create operating on {:?}", e.get_uuid());

        let filt = match e.filter_from_attrs(&[AttrString::from("uuid")]) {
            Some(f) => f,
            None => return Err(OperationError::FilterGeneration),
        };

        trace!("internal_migrate_or_create search {:?}", filt);

        let results = self.internal_search(filt.clone())?;

        if results.is_empty() {
            // It does not exist. Create it.
            self.internal_create(vec![e])
        } else if results.len() == 1 {
            // If the thing is subset, pass
            match e.gen_modlist_assert(&self.schema) {
                Ok(modlist) => {
                    // Apply to &results[0]
                    trace!("Generated modlist -> {:?}", modlist);
                    self.internal_modify(&filt, &modlist)
                }
                Err(e) => Err(OperationError::SchemaViolation(e)),
            }
        } else {
            admin_error!(
                "Invalid Result Set - Expected One Entry for {:?} - {:?}",
                filt,
                results
            );
            Err(OperationError::InvalidDbState)
        }
    }

    /*
    pub fn internal_assert_or_create_str(
        &mut self,
        e_str: &str,
    ) -> Result<(), OperationError> {
        let res = audit_segment!( || Entry::from_proto_entry_str( e_str, self)
            .and_then(
                |e: Entry<EntryInit, EntryNew>| self.internal_assert_or_create( e)
            ));
        ltrace!( "internal_assert_or_create_str -> result {:?}", res);
        debug_assert!(res.is_ok());
        res
    }

    // Should this take a be_txn?
    pub fn internal_assert_or_create(
        &mut self,
        e: Entry<EntryInit, EntryNew>,
    ) -> Result<(), OperationError> {
        // If exists, ensure the object is exactly as provided
        // else, if not exists, create it. IE no extra or excess
        // attributes and classes.

        ltrace!(

            "internal_assert_or_create operating on {:?}",
            e.get_uuid()
        );

        // Create a filter from the entry for assertion.
        let filt = match e.filter_from_attrs(&[String::from("uuid")]) {
            Some(f) => f,
            None => return Err(OperationError::FilterGeneration),
        };

        // Does it exist? we use search here, not exists, so that if the entry does exist
        // we can compare it is identical, which avoids a delete/create cycle that would
        // trigger csn/repl each time we start up.
        match self.internal_search( filt.clone()) {
            Ok(results) => {
                if results.is_empty() {
                    // It does not exist. Create it.
                    self.internal_create( vec![e])
                } else if results.len() == 1 {
                    // it exists. To guarantee content exactly as is, we compare if it's identical.
                    if !e.compare(&results[0]) {
                        self.internal_delete( filt)
                            .and_then(|_| self.internal_create( vec![e]))
                    } else {
                        // No action required
                        Ok(())
                    }
                } else {
                    Err(OperationError::InvalidDbState)
                }
            }
            Err(er) => {
                // An error occured. pass it back up.
                Err(er)
            }
        }
    }
    */

    pub fn initialise_schema_core(&mut self) -> Result<(), OperationError> {
        admin_debug!("initialise_schema_core -> start ...");
        // Load in all the "core" schema, that we already have in "memory".
        let entries = self.schema.to_entries();

        // admin_debug!("Dumping schemas: {:?}", entries);

        // internal_migrate_or_create.
        let r: Result<_, _> = entries.into_iter().try_for_each(|e| {
            trace!(?e, "init schema entry");
            self.internal_migrate_or_create(e)
        });
        if r.is_ok() {
            admin_debug!("initialise_schema_core -> Ok!");
        } else {
            admin_error!(?r, "initialise_schema_core -> Error");
        }
        // why do we have error handling if it's always supposed to be `Ok`?
        debug_assert!(r.is_ok());
        r
    }

    pub fn initialise_schema_idm(&mut self) -> Result<(), OperationError> {
        admin_debug!("initialise_schema_idm -> start ...");
        // List of IDM schemas to init.
        let idm_schema: Vec<&str> = vec![
            JSON_SCHEMA_ATTR_DISPLAYNAME,
            JSON_SCHEMA_ATTR_LEGALNAME,
            JSON_SCHEMA_ATTR_MAIL,
            JSON_SCHEMA_ATTR_SSH_PUBLICKEY,
            JSON_SCHEMA_ATTR_PRIMARY_CREDENTIAL,
            JSON_SCHEMA_ATTR_RADIUS_SECRET,
            JSON_SCHEMA_ATTR_DOMAIN_NAME,
            JSON_SCHEMA_ATTR_DOMAIN_DISPLAY_NAME,
            JSON_SCHEMA_ATTR_DOMAIN_UUID,
            JSON_SCHEMA_ATTR_DOMAIN_SSID,
            JSON_SCHEMA_ATTR_DOMAIN_TOKEN_KEY,
            JSON_SCHEMA_ATTR_FERNET_PRIVATE_KEY_STR,
            JSON_SCHEMA_ATTR_GIDNUMBER,
            JSON_SCHEMA_ATTR_BADLIST_PASSWORD,
            JSON_SCHEMA_ATTR_LOGINSHELL,
            JSON_SCHEMA_ATTR_UNIX_PASSWORD,
            JSON_SCHEMA_ATTR_ACCOUNT_EXPIRE,
            JSON_SCHEMA_ATTR_ACCOUNT_VALID_FROM,
            JSON_SCHEMA_ATTR_OAUTH2_RS_NAME,
            JSON_SCHEMA_ATTR_OAUTH2_RS_ORIGIN,
            JSON_SCHEMA_ATTR_OAUTH2_RS_SCOPE_MAP,
            JSON_SCHEMA_ATTR_OAUTH2_RS_IMPLICIT_SCOPES,
            JSON_SCHEMA_ATTR_OAUTH2_RS_BASIC_SECRET,
            JSON_SCHEMA_ATTR_OAUTH2_RS_TOKEN_KEY,
            JSON_SCHEMA_ATTR_ES256_PRIVATE_KEY_DER,
            JSON_SCHEMA_ATTR_OAUTH2_ALLOW_INSECURE_CLIENT_DISABLE_PKCE,
            JSON_SCHEMA_ATTR_OAUTH2_JWT_LEGACY_CRYPTO_ENABLE,
            JSON_SCHEMA_ATTR_RS256_PRIVATE_KEY_DER,
            JSON_SCHEMA_ATTR_CREDENTIAL_UPDATE_INTENT_TOKEN,
            JSON_SCHEMA_ATTR_OAUTH2_CONSENT_SCOPE_MAP,
            JSON_SCHEMA_ATTR_PASSKEYS,
            JSON_SCHEMA_ATTR_DEVICEKEYS,
            JSON_SCHEMA_ATTR_DYNGROUP_FILTER,
            JSON_SCHEMA_ATTR_JWS_ES256_PRIVATE_KEY,
            JSON_SCHEMA_ATTR_API_TOKEN_SESSION,
            JSON_SCHEMA_ATTR_OAUTH2_RS_SUP_SCOPE_MAP,
            JSON_SCHEMA_ATTR_USER_AUTH_TOKEN_SESSION,
            JSON_SCHEMA_ATTR_NSUNIQUEID,
            JSON_SCHEMA_ATTR_OAUTH2_PREFER_SHORT_USERNAME,
            JSON_SCHEMA_ATTR_SYNC_TOKEN_SESSION,
            JSON_SCHEMA_ATTR_SYNC_COOKIE,
            JSON_SCHEMA_CLASS_PERSON,
            JSON_SCHEMA_CLASS_ORGPERSON,
            JSON_SCHEMA_CLASS_GROUP,
            JSON_SCHEMA_CLASS_DYNGROUP,
            JSON_SCHEMA_CLASS_ACCOUNT,
            JSON_SCHEMA_CLASS_SERVICE_ACCOUNT,
            JSON_SCHEMA_CLASS_DOMAIN_INFO,
            JSON_SCHEMA_CLASS_POSIXACCOUNT,
            JSON_SCHEMA_CLASS_POSIXGROUP,
            JSON_SCHEMA_CLASS_SYSTEM_CONFIG,
            JSON_SCHEMA_CLASS_OAUTH2_RS,
            JSON_SCHEMA_CLASS_OAUTH2_RS_BASIC,
            JSON_SCHEMA_CLASS_SYNC_ACCOUNT,
        ];

        let r = idm_schema
            .iter()
            // Each item individually logs it's result
            .try_for_each(|e_str| self.internal_migrate_or_create_str(e_str));

        if r.is_ok() {
            admin_debug!("initialise_schema_idm -> Ok!");
        } else {
            admin_error!(res = ?r, "initialise_schema_idm -> Error");
        }
        debug_assert!(r.is_ok()); // why return a result if we assert it's `Ok`?

        r
    }

    // This function is idempotent
    pub fn initialise_idm(&mut self) -> Result<(), OperationError> {
        // First, check the system_info object. This stores some server information
        // and details. It's a pretty const thing. Also check anonymous, important to many
        // concepts.
        let res = self
            .internal_migrate_or_create_str(JSON_SYSTEM_INFO_V1)
            .and_then(|_| self.internal_migrate_or_create_str(JSON_DOMAIN_INFO_V1))
            .and_then(|_| self.internal_migrate_or_create_str(JSON_SYSTEM_CONFIG_V1));
        if res.is_err() {
            admin_error!("initialise_idm p1 -> result {:?}", res);
        }
        debug_assert!(res.is_ok());
        res?;

        // The domain info now exists, we should be able to do these migrations as they will
        // cause SPN regenerations to occur

        // Check the admin object exists (migrations).
        // Create the default idm_admin group.
        let admin_entries = [
            JSON_ANONYMOUS_V1,
            JSON_ADMIN_V1,
            JSON_IDM_ADMIN_V1,
            JSON_IDM_ADMINS_V1,
            JSON_SYSTEM_ADMINS_V1,
        ];
        let res: Result<(), _> = admin_entries
            .iter()
            // Each item individually logs it's result
            .try_for_each(|e_str| self.internal_migrate_or_create_str(e_str));
        if res.is_err() {
            admin_error!("initialise_idm p2 -> result {:?}", res);
        }
        debug_assert!(res.is_ok());
        res?;

        // Create any system default schema entries.

        // Create any system default access profile entries.
        let idm_entries = [
            // Builtin dyn groups,
            JSON_IDM_ALL_PERSONS,
            JSON_IDM_ALL_ACCOUNTS,
            // Builtin groups
            JSON_IDM_PEOPLE_MANAGE_PRIV_V1,
            JSON_IDM_PEOPLE_ACCOUNT_PASSWORD_IMPORT_PRIV_V1,
            JSON_IDM_PEOPLE_EXTEND_PRIV_V1,
            JSON_IDM_PEOPLE_SELF_WRITE_MAIL_PRIV_V1,
            JSON_IDM_PEOPLE_WRITE_PRIV_V1,
            JSON_IDM_PEOPLE_READ_PRIV_V1,
            JSON_IDM_HP_PEOPLE_EXTEND_PRIV_V1,
            JSON_IDM_HP_PEOPLE_WRITE_PRIV_V1,
            JSON_IDM_HP_PEOPLE_READ_PRIV_V1,
            JSON_IDM_GROUP_MANAGE_PRIV_V1,
            JSON_IDM_GROUP_WRITE_PRIV_V1,
            JSON_IDM_GROUP_UNIX_EXTEND_PRIV_V1,
            JSON_IDM_ACCOUNT_MANAGE_PRIV_V1,
            JSON_IDM_ACCOUNT_WRITE_PRIV_V1,
            JSON_IDM_ACCOUNT_UNIX_EXTEND_PRIV_V1,
            JSON_IDM_ACCOUNT_READ_PRIV_V1,
            JSON_IDM_RADIUS_SECRET_WRITE_PRIV_V1,
            JSON_IDM_RADIUS_SECRET_READ_PRIV_V1,
            JSON_IDM_RADIUS_SERVERS_V1,
            // Write deps on read, so write must be added first.
            JSON_IDM_HP_ACCOUNT_MANAGE_PRIV_V1,
            JSON_IDM_HP_ACCOUNT_WRITE_PRIV_V1,
            JSON_IDM_HP_ACCOUNT_READ_PRIV_V1,
            JSON_IDM_HP_ACCOUNT_UNIX_EXTEND_PRIV_V1,
            JSON_IDM_SCHEMA_MANAGE_PRIV_V1,
            JSON_IDM_HP_GROUP_MANAGE_PRIV_V1,
            JSON_IDM_HP_GROUP_WRITE_PRIV_V1,
            JSON_IDM_HP_GROUP_UNIX_EXTEND_PRIV_V1,
            JSON_IDM_ACP_MANAGE_PRIV_V1,
            JSON_DOMAIN_ADMINS,
            JSON_IDM_HP_OAUTH2_MANAGE_PRIV_V1,
            JSON_IDM_HP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_PRIV,
            JSON_IDM_HP_SYNC_ACCOUNT_MANAGE_PRIV,
            // All members must exist before we write HP
            JSON_IDM_HIGH_PRIVILEGE_V1,
            // Built in access controls.
            JSON_IDM_ADMINS_ACP_RECYCLE_SEARCH_V1,
            JSON_IDM_ADMINS_ACP_REVIVE_V1,
            // JSON_IDM_ADMINS_ACP_MANAGE_V1,
            JSON_IDM_ALL_ACP_READ_V1,
            JSON_IDM_SELF_ACP_READ_V1,
            JSON_IDM_SELF_ACP_WRITE_V1,
            JSON_IDM_PEOPLE_SELF_ACP_WRITE_MAIL_PRIV_V1,
            JSON_IDM_ACP_PEOPLE_READ_PRIV_V1,
            JSON_IDM_ACP_PEOPLE_WRITE_PRIV_V1,
            JSON_IDM_ACP_PEOPLE_MANAGE_PRIV_V1,
            JSON_IDM_ACP_GROUP_WRITE_PRIV_V1,
            JSON_IDM_ACP_GROUP_MANAGE_PRIV_V1,
            JSON_IDM_ACP_ACCOUNT_READ_PRIV_V1,
            JSON_IDM_ACP_ACCOUNT_WRITE_PRIV_V1,
            JSON_IDM_ACP_ACCOUNT_MANAGE_PRIV_V1,
            JSON_IDM_ACP_RADIUS_SERVERS_V1,
            JSON_IDM_ACP_HP_ACCOUNT_READ_PRIV_V1,
            JSON_IDM_ACP_HP_ACCOUNT_WRITE_PRIV_V1,
            JSON_IDM_ACP_HP_ACCOUNT_MANAGE_PRIV_V1,
            JSON_IDM_ACP_HP_GROUP_WRITE_PRIV_V1,
            JSON_IDM_ACP_HP_GROUP_MANAGE_PRIV_V1,
            JSON_IDM_ACP_SCHEMA_WRITE_ATTRS_PRIV_V1,
            JSON_IDM_ACP_SCHEMA_WRITE_CLASSES_PRIV_V1,
            JSON_IDM_ACP_ACP_MANAGE_PRIV_V1,
            JSON_IDM_ACP_DOMAIN_ADMIN_PRIV_V1,
            JSON_IDM_ACP_SYSTEM_CONFIG_PRIV_V1,
            JSON_IDM_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1,
            JSON_IDM_ACP_GROUP_UNIX_EXTEND_PRIV_V1,
            JSON_IDM_ACP_PEOPLE_ACCOUNT_PASSWORD_IMPORT_PRIV_V1,
            JSON_IDM_ACP_PEOPLE_EXTEND_PRIV_V1,
            JSON_IDM_ACP_HP_PEOPLE_READ_PRIV_V1,
            JSON_IDM_ACP_HP_PEOPLE_WRITE_PRIV_V1,
            JSON_IDM_ACP_HP_PEOPLE_EXTEND_PRIV_V1,
            JSON_IDM_HP_ACP_ACCOUNT_UNIX_EXTEND_PRIV_V1,
            JSON_IDM_HP_ACP_GROUP_UNIX_EXTEND_PRIV_V1,
            JSON_IDM_HP_ACP_OAUTH2_MANAGE_PRIV_V1,
            JSON_IDM_ACP_RADIUS_SECRET_READ_PRIV_V1,
            JSON_IDM_ACP_RADIUS_SECRET_WRITE_PRIV_V1,
            JSON_IDM_HP_ACP_SERVICE_ACCOUNT_INTO_PERSON_MIGRATE_V1,
            JSON_IDM_ACP_OAUTH2_READ_PRIV_V1,
            JSON_IDM_HP_ACP_SYNC_ACCOUNT_MANAGE_PRIV_V1,
        ];

        let res: Result<(), _> = idm_entries
            .iter()
            .try_for_each(|e_str| self.internal_migrate_or_create_str(e_str));
        if res.is_ok() {
            admin_debug!("initialise_idm -> result Ok!");
        } else {
            admin_error!(?res, "initialise_idm p3 -> result");
        }
        debug_assert!(res.is_ok());
        res?;

        self.changed_schema.set(true);
        self.changed_acp.set(true);

        Ok(())
    }

    #[instrument(level = "info", name = "reload_schema", skip(self))]
    fn reload_schema(&mut self) -> Result<(), OperationError> {
        // supply entries to the writable schema to reload from.
        // find all attributes.
        let filt = filter!(f_eq("class", PVCLASS_ATTRIBUTETYPE.clone()));
        let res = self.internal_search(filt).map_err(|e| {
            admin_error!("reload schema internal search failed {:?}", e);
            e
        })?;
        // load them.
        let attributetypes: Result<Vec<_>, _> =
            res.iter().map(|e| SchemaAttribute::try_from(e)).collect();
        let attributetypes = attributetypes.map_err(|e| {
            admin_error!("reload schema attributetypes {:?}", e);
            e
        })?;

        self.schema.update_attributes(attributetypes).map_err(|e| {
            admin_error!("reload schema update attributetypes {:?}", e);
            e
        })?;

        // find all classes
        let filt = filter!(f_eq("class", PVCLASS_CLASSTYPE.clone()));
        let res = self.internal_search(filt).map_err(|e| {
            admin_error!("reload schema internal search failed {:?}", e);
            e
        })?;
        // load them.
        let classtypes: Result<Vec<_>, _> = res.iter().map(|e| SchemaClass::try_from(e)).collect();
        let classtypes = classtypes.map_err(|e| {
            admin_error!("reload schema classtypes {:?}", e);
            e
        })?;

        self.schema.update_classes(classtypes).map_err(|e| {
            admin_error!("reload schema update classtypes {:?}", e);
            e
        })?;

        // validate.
        let valid_r = self.schema.validate();

        // Translate the result.
        if valid_r.is_empty() {
            // Now use this to reload the backend idxmeta
            trace!("Reloading idxmeta ...");
            self.be_txn
                .update_idxmeta(self.schema.reload_idxmeta())
                .map_err(|e| {
                    admin_error!("reload schema update idxmeta {:?}", e);
                    e
                })
        } else {
            // Log the failures?
            admin_error!("Schema reload failed -> {:?}", valid_r);
            Err(OperationError::ConsistencyError(valid_r))
        }?;

        // Trigger reloads on services that require post-schema reloads.
        // Mainly this is plugins.
        if *self.phase >= ServerPhase::SchemaReady {
            DynGroup::reload(self)?;
        }

        Ok(())
    }

    fn reload_accesscontrols(&mut self) -> Result<(), OperationError> {
        // supply entries to the writable access controls to reload from.
        // This has to be done in FOUR passes - one for each type!
        //
        // Note, we have to do the search, parse, then submit here, because of the
        // requirement to have the write query server reference in the parse stage - this
        // would cause a rust double-borrow if we had AccessControls to try to handle
        // the entry lists themself.
        trace!("ACP reload started ...");

        // Update search
        let filt = filter!(f_and!([
            f_eq("class", PVCLASS_ACP.clone()),
            f_eq("class", PVCLASS_ACS.clone()),
            f_andnot(f_eq("acp_enable", PV_FALSE.clone())),
        ]));

        let res = self.internal_search(filt).map_err(|e| {
            admin_error!(
                err = ?e,
                "reload accesscontrols internal search failed",
            );
            e
        })?;
        let search_acps: Result<Vec<_>, _> = res
            .iter()
            .map(|e| AccessControlSearch::try_from(self, e))
            .collect();

        let search_acps = search_acps.map_err(|e| {
            admin_error!(err = ?e, "Unable to parse search accesscontrols");
            e
        })?;

        self.accesscontrols
            .update_search(search_acps)
            .map_err(|e| {
                admin_error!(err = ?e, "Failed to update search accesscontrols");
                e
            })?;
        // Update create
        let filt = filter!(f_and!([
            f_eq("class", PVCLASS_ACP.clone()),
            f_eq("class", PVCLASS_ACC.clone()),
            f_andnot(f_eq("acp_enable", PV_FALSE.clone())),
        ]));

        let res = self.internal_search(filt).map_err(|e| {
            admin_error!(
                err = ?e,
                "reload accesscontrols internal search failed"
            );
            e
        })?;
        let create_acps: Result<Vec<_>, _> = res
            .iter()
            .map(|e| AccessControlCreate::try_from(self, e))
            .collect();

        let create_acps = create_acps.map_err(|e| {
            admin_error!(err = ?e, "Unable to parse create accesscontrols");
            e
        })?;

        self.accesscontrols
            .update_create(create_acps)
            .map_err(|e| {
                admin_error!(err = ?e, "Failed to update create accesscontrols");
                e
            })?;
        // Update modify
        let filt = filter!(f_and!([
            f_eq("class", PVCLASS_ACP.clone()),
            f_eq("class", PVCLASS_ACM.clone()),
            f_andnot(f_eq("acp_enable", PV_FALSE.clone())),
        ]));

        let res = self.internal_search(filt).map_err(|e| {
            admin_error!("reload accesscontrols internal search failed {:?}", e);
            e
        })?;
        let modify_acps: Result<Vec<_>, _> = res
            .iter()
            .map(|e| AccessControlModify::try_from(self, e))
            .collect();

        let modify_acps = modify_acps.map_err(|e| {
            admin_error!("Unable to parse modify accesscontrols {:?}", e);
            e
        })?;

        self.accesscontrols
            .update_modify(modify_acps)
            .map_err(|e| {
                admin_error!("Failed to update modify accesscontrols {:?}", e);
                e
            })?;
        // Update delete
        let filt = filter!(f_and!([
            f_eq("class", PVCLASS_ACP.clone()),
            f_eq("class", PVCLASS_ACD.clone()),
            f_andnot(f_eq("acp_enable", PV_FALSE.clone())),
        ]));

        let res = self.internal_search(filt).map_err(|e| {
            admin_error!("reload accesscontrols internal search failed {:?}", e);
            e
        })?;
        let delete_acps: Result<Vec<_>, _> = res
            .iter()
            .map(|e| AccessControlDelete::try_from(self, e))
            .collect();

        let delete_acps = delete_acps.map_err(|e| {
            admin_error!("Unable to parse delete accesscontrols {:?}", e);
            e
        })?;

        self.accesscontrols.update_delete(delete_acps).map_err(|e| {
            admin_error!("Failed to update delete accesscontrols {:?}", e);
            e
        })
    }

    fn get_db_domain_display_name(&self) -> Result<String, OperationError> {
        self.internal_search_uuid(&UUID_DOMAIN_INFO)
            .and_then(|e| {
                trace!(?e);
                e.get_ava_single_utf8("domain_display_name")
                    .map(str::to_string)
                    .ok_or(OperationError::InvalidEntryState)
            })
            .map_err(|e| {
                admin_error!(?e, "Error getting domain display name");
                e
            })
    }

    /// Pulls the domain name from the database and updates the DomainInfo data in memory
    #[instrument(level = "debug", skip_all)]
    fn reload_domain_info(&mut self) -> Result<(), OperationError> {
        let domain_name = self.get_db_domain_name()?;
        let display_name = self.get_db_domain_display_name()?;
        let mut_d_info = self.d_info.get_mut();
        if mut_d_info.d_name != domain_name {
            admin_warn!(
                "Using domain name from the database {} - was {} in memory",
                domain_name,
                mut_d_info.d_name,
            );
            admin_warn!(
                    "If you think this is an error, see https://kanidm.github.io/kanidm/stable/administrivia.html#rename-the-domain"
                );
            mut_d_info.d_name = domain_name;
        }
        mut_d_info.d_display = display_name;
        Ok(())
    }

    /// Initiate a domain display name change process. This isn't particularly scary
    /// because it's just a wibbly human-facing thing, not used for secure
    /// activities (yet)
    pub fn set_domain_display_name(&mut self, new_domain_name: &str) -> Result<(), OperationError> {
        let modl = ModifyList::new_purge_and_set(
            "domain_display_name",
            Value::new_utf8(new_domain_name.to_string()),
        );
        let udi = PVUUID_DOMAIN_INFO.clone();
        let filt = filter_all!(f_eq("uuid", udi));
        self.internal_modify(&filt, &modl)
    }

    /// Initiate a domain rename process. This is generally an internal function but it's
    /// exposed to the cli for admins to be able to initiate the process.
    pub fn domain_rename(&mut self, new_domain_name: &str) -> Result<(), OperationError> {
        // We can't use the d_info struct here, because this has the database version of the domain
        // name, not the in memory (config) version. We need to accept the domain's
        // new name from the caller so we can change this.
        unsafe { self.domain_rename_inner(new_domain_name) }
    }

    /// # Safety
    /// This is UNSAFE because while it may change the domain name, it doesn't update
    /// the running configured version of the domain name that is resident to the
    /// query server.
    ///
    /// Currently it's only used to test what happens if we rename the domain and how
    /// that impacts spns, but in the future we may need to reconsider how this is
    /// approached, especially if we have a domain re-name replicated to us. It could
    /// be that we end up needing to have this as a cow cell or similar?
    pub(crate) unsafe fn domain_rename_inner(
        &mut self,
        new_domain_name: &str,
    ) -> Result<(), OperationError> {
        let modl = ModifyList::new_purge_and_set("domain_name", Value::new_iname(new_domain_name));
        let udi = PVUUID_DOMAIN_INFO.clone();
        let filt = filter_all!(f_eq("uuid", udi));
        self.internal_modify(&filt, &modl)
    }

    pub fn reindex(&self) -> Result<(), OperationError> {
        // initiate a be reindex here. This could have been from first run checking
        // the versions, or it could just be from the cli where an admin needs to do an
        // indexing.
        self.be_txn.reindex()
    }

    fn force_schema_reload(&self) {
        self.changed_schema.set(true);
    }

    pub(crate) fn upgrade_reindex(&mut self, v: i64) -> Result<(), OperationError> {
        self.be_txn.upgrade_reindex(v)
    }

    pub fn get_changed_uuids(&self) -> &HashSet<Uuid> {
        unsafe { &(*self.changed_uuid.as_ptr()) }
    }

    pub fn get_changed_ouath2(&self) -> bool {
        self.changed_oauth2.get()
    }

    pub fn get_changed_domain(&self) -> bool {
        self.changed_domain.get()
    }

    fn set_phase(&mut self, phase: ServerPhase) {
        *self.phase = phase
    }

    pub fn commit(mut self) -> Result<(), OperationError> {
        // This could be faster if we cache the set of classes changed
        // in an operation so we can check if we need to do the reload or not
        //
        // Reload the schema from qs.
        if self.changed_schema.get() {
            self.reload_schema()?;
        }
        // Determine if we need to update access control profiles
        // based on any modifications that have occured.
        // IF SCHEMA CHANGED WE MUST ALSO RELOAD!!! IE if schema had an attr removed
        // that we rely on we MUST fail this here!!
        if self.changed_schema.get() || self.changed_acp.get() {
            self.reload_accesscontrols()?;
        } else {
            // On a reload the cache is dropped, otherwise we tell accesscontrols
            // to drop anything related that was changed.
            // self.accesscontrols
            //    .invalidate_related_cache(self.changed_uuid.into_inner().as_slice())
        }

        if self.changed_domain.get() {
            self.reload_domain_info()?;
        }

        // Now destructure the transaction ready to reset it.
        let QueryServerWriteTransaction {
            committed,
            phase,
            be_txn,
            schema,
            d_info,
            accesscontrols,
            cid,
            dyngroup_cache,
            ..
        } = self;
        debug_assert!(!committed);

        // Write the cid to the db. If this fails, we can't assume replication
        // will be stable, so return if it fails.
        be_txn.set_db_ts_max(cid.ts)?;
        // Validate the schema as we just loaded it.
        let r = schema.validate();

        if r.is_empty() {
            // Schema has been validated, so we can go ahead and commit it with the be
            // because both are consistent.
            schema
                .commit()
                .map(|_| d_info.commit())
                .map(|_| phase.commit())
                .map(|_| dyngroup_cache.into_inner().commit())
                .and_then(|_| accesscontrols.commit())
                .and_then(|_| be_txn.commit())
        } else {
            Err(OperationError::ConsistencyError(r))
        }
        // Audit done
    }
}

// Auth requests? How do we structure these ...

#[cfg(test)]
mod tests {
    use std::sync::Arc;
    use std::time::Duration;

    use kanidm_proto::v1::SchemaError;

    use crate::credential::policy::CryptoPolicy;
    use crate::credential::Credential;
    use crate::event::{CreateEvent, DeleteEvent, ModifyEvent, ReviveRecycledEvent, SearchEvent};
    use crate::prelude::*;

    #[qs_test]
    async fn test_create_user(server: &QueryServer) {
        let mut server_txn = server.write(duration_from_epoch_now()).await;
        let filt = filter!(f_eq("name", PartialValue::new_iname("testperson")));
        let admin = server_txn
            .internal_search_uuid(&UUID_ADMIN)
            .expect("failed");

        let se1 = unsafe { SearchEvent::new_impersonate_entry(admin.clone(), filt.clone()) };
        let se2 = unsafe { SearchEvent::new_impersonate_entry(admin, filt) };

        let mut e = entry_init!(
            ("class", Value::new_class("object")),
            ("class", Value::new_class("person")),
            ("class", Value::new_class("account")),
            ("name", Value::new_iname("testperson")),
            ("spn", Value::new_spn_str("testperson", "example.com")),
            (
                "uuid",
                Value::new_uuids("cc8e95b4-c24f-4d68-ba54-8bed76f63930").expect("uuid")
            ),
            ("description", Value::new_utf8s("testperson")),
            ("displayname", Value::new_utf8s("testperson"))
        );

        let ce = CreateEvent::new_internal(vec![e.clone()]);

        let r1 = server_txn.search(&se1).expect("search failure");
        assert!(r1.is_empty());

        let cr = server_txn.create(&ce);
        assert!(cr.is_ok());

        let r2 = server_txn.search(&se2).expect("search failure");
        debug!("--> {:?}", r2);
        assert!(r2.len() == 1);

        // We apply some member-of in the server now, so we add these before we seal.
        e.add_ava("class", Value::new_class("memberof"));
        e.add_ava("memberof", Value::new_refer(UUID_IDM_ALL_PERSONS));
        e.add_ava("directmemberof", Value::new_refer(UUID_IDM_ALL_PERSONS));
        e.add_ava("memberof", Value::new_refer(UUID_IDM_ALL_ACCOUNTS));
        e.add_ava("directmemberof", Value::new_refer(UUID_IDM_ALL_ACCOUNTS));

        let expected = unsafe { vec![Arc::new(e.into_sealed_committed())] };

        assert_eq!(r2, expected);

        assert!(server_txn.commit().is_ok());
    }

    #[qs_test]
    async fn test_init_idempotent_schema_core(server: &QueryServer) {
        {
            // Setup and abort.
            let mut server_txn = server.write(duration_from_epoch_now()).await;
            assert!(server_txn.initialise_schema_core().is_ok());
        }
        {
            let mut server_txn = server.write(duration_from_epoch_now()).await;
            assert!(server_txn.initialise_schema_core().is_ok());
            assert!(server_txn.initialise_schema_core().is_ok());
            assert!(server_txn.commit().is_ok());
        }
        {
            // Now do it again in a new txn, but abort
            let mut server_txn = server.write(duration_from_epoch_now()).await;
            assert!(server_txn.initialise_schema_core().is_ok());
        }
        {
            // Now do it again in a new txn.
            let mut server_txn = server.write(duration_from_epoch_now()).await;
            assert!(server_txn.initialise_schema_core().is_ok());
            assert!(server_txn.commit().is_ok());
        }
    }

    #[qs_test]
    async fn test_modify(server: &QueryServer) {
        // Create an object
        let mut server_txn = server.write(duration_from_epoch_now()).await;

        let e1 = entry_init!(
            ("class", Value::new_class("object")),
            ("class", Value::new_class("person")),
            ("name", Value::new_iname("testperson1")),
            (
                "uuid",
                Value::new_uuids("cc8e95b4-c24f-4d68-ba54-8bed76f63930").expect("uuid")
            ),
            ("description", Value::new_utf8s("testperson1")),
            ("displayname", Value::new_utf8s("testperson1"))
        );

        let e2 = entry_init!(
            ("class", Value::new_class("object")),
            ("class", Value::new_class("person")),
            ("name", Value::new_iname("testperson2")),
            (
                "uuid",
                Value::new_uuids("cc8e95b4-c24f-4d68-ba54-8bed76f63932").expect("uuid")
            ),
            ("description", Value::new_utf8s("testperson2")),
            ("displayname", Value::new_utf8s("testperson2"))
        );

        let ce = CreateEvent::new_internal(vec![e1.clone(), e2.clone()]);

        let cr = server_txn.create(&ce);
        assert!(cr.is_ok());

        // Empty Modlist (filter is valid)
        let me_emp = unsafe {
            ModifyEvent::new_internal_invalid(
                filter!(f_pres("class")),
                ModifyList::new_list(vec![]),
            )
        };
        assert!(server_txn.modify(&me_emp) == Err(OperationError::EmptyRequest));

        // Mod changes no objects
        let me_nochg = unsafe {
            ModifyEvent::new_impersonate_entry_ser(
                JSON_ADMIN_V1,
                filter!(f_eq("name", PartialValue::new_iname("flarbalgarble"))),
                ModifyList::new_list(vec![Modify::Present(
                    AttrString::from("description"),
                    Value::from("anusaosu"),
                )]),
            )
        };
        assert!(server_txn.modify(&me_nochg) == Err(OperationError::NoMatchingEntries));

        // Filter is invalid to schema - to check this due to changes in the way events are
        // handled, we put this via the internal modify function to get the modlist
        // checked for us. Normal server operation doesn't allow weird bypasses like
        // this.
        let r_inv_1 = server_txn.internal_modify(
            &filter!(f_eq("tnanuanou", PartialValue::new_iname("Flarbalgarble"))),
            &ModifyList::new_list(vec![Modify::Present(
                AttrString::from("description"),
                Value::from("anusaosu"),
            )]),
        );
        assert!(
            r_inv_1
                == Err(OperationError::SchemaViolation(
                    SchemaError::InvalidAttribute("tnanuanou".to_string())
                ))
        );

        // Mod is invalid to schema
        let me_inv_m = unsafe {
            ModifyEvent::new_internal_invalid(
                filter!(f_pres("class")),
                ModifyList::new_list(vec![Modify::Present(
                    AttrString::from("htnaonu"),
                    Value::from("anusaosu"),
                )]),
            )
        };
        assert!(
            server_txn.modify(&me_inv_m)
                == Err(OperationError::SchemaViolation(
                    SchemaError::InvalidAttribute("htnaonu".to_string())
                ))
        );

        // Mod single object
        let me_sin = unsafe {
            ModifyEvent::new_internal_invalid(
                filter!(f_eq("name", PartialValue::new_iname("testperson2"))),
                ModifyList::new_list(vec![
                    Modify::Purged(AttrString::from("description")),
                    Modify::Present(AttrString::from("description"), Value::from("anusaosu")),
                ]),
            )
        };
        assert!(server_txn.modify(&me_sin).is_ok());

        // Mod multiple object
        let me_mult = unsafe {
            ModifyEvent::new_internal_invalid(
                filter!(f_or!([
                    f_eq("name", PartialValue::new_iname("testperson1")),
                    f_eq("name", PartialValue::new_iname("testperson2")),
                ])),
                ModifyList::new_list(vec![
                    Modify::Purged(AttrString::from("description")),
                    Modify::Present(AttrString::from("description"), Value::from("anusaosu")),
                ]),
            )
        };
        assert!(server_txn.modify(&me_mult).is_ok());

        assert!(server_txn.commit().is_ok());
    }

    #[qs_test]
    async fn test_modify_invalid_class(server: &QueryServer) {
        // Test modifying an entry and adding an extra class, that would cause the entry
        // to no longer conform to schema.
        let mut server_txn = server.write(duration_from_epoch_now()).await;

        let e1 = entry_init!(
            ("class", Value::new_class("object")),
            ("class", Value::new_class("person")),
            ("name", Value::new_iname("testperson1")),
            (
                "uuid",
                Value::new_uuids("cc8e95b4-c24f-4d68-ba54-8bed76f63930").expect("uuid")
            ),
            ("description", Value::new_utf8s("testperson1")),
            ("displayname", Value::new_utf8s("testperson1"))
        );

        let ce = CreateEvent::new_internal(vec![e1.clone()]);

        let cr = server_txn.create(&ce);
        assert!(cr.is_ok());

        // Add class but no values
        let me_sin = unsafe {
            ModifyEvent::new_internal_invalid(
                filter!(f_eq("name", PartialValue::new_iname("testperson1"))),
                ModifyList::new_list(vec![Modify::Present(
                    AttrString::from("class"),
                    Value::new_class("system_info"),
                )]),
            )
        };
        assert!(server_txn.modify(&me_sin).is_err());

        // Add multivalue where not valid
        let me_sin = unsafe {
            ModifyEvent::new_internal_invalid(
                filter!(f_eq("name", PartialValue::new_iname("testperson1"))),
                ModifyList::new_list(vec![Modify::Present(
                    AttrString::from("name"),
                    Value::new_iname("testpersonx"),
                )]),
            )
        };
        assert!(server_txn.modify(&me_sin).is_err());

        // add class and valid values?
        let me_sin = unsafe {
            ModifyEvent::new_internal_invalid(
                filter!(f_eq("name", PartialValue::new_iname("testperson1"))),
                ModifyList::new_list(vec![
                    Modify::Present(AttrString::from("class"), Value::new_class("system_info")),
                    // Modify::Present("domain".to_string(), Value::new_iutf8("domain.name")),
                    Modify::Present(AttrString::from("version"), Value::new_uint32(1)),
                ]),
            )
        };
        assert!(server_txn.modify(&me_sin).is_ok());

        // Replace a value
        let me_sin = unsafe {
            ModifyEvent::new_internal_invalid(
                filter!(f_eq("name", PartialValue::new_iname("testperson1"))),
                ModifyList::new_list(vec![
                    Modify::Purged(AttrString::from("name")),
                    Modify::Present(AttrString::from("name"), Value::new_iname("testpersonx")),
                ]),
            )
        };
        assert!(server_txn.modify(&me_sin).is_ok());
    }

    #[qs_test]
    async fn test_delete(server: &QueryServer) {
        // Create
        let mut server_txn = server.write(duration_from_epoch_now()).await;

        let e1 = entry_init!(
            ("class", Value::new_class("object")),
            ("class", Value::new_class("person")),
            ("name", Value::new_iname("testperson1")),
            (
                "uuid",
                Value::new_uuids("cc8e95b4-c24f-4d68-ba54-8bed76f63930").expect("uuid")
            ),
            ("description", Value::new_utf8s("testperson")),
            ("displayname", Value::new_utf8s("testperson1"))
        );

        let e2 = entry_init!(
            ("class", Value::new_class("object")),
            ("class", Value::new_class("person")),
            ("name", Value::new_iname("testperson2")),
            (
                "uuid",
                Value::new_uuids("cc8e95b4-c24f-4d68-ba54-8bed76f63932").expect("uuid")
            ),
            ("description", Value::new_utf8s("testperson")),
            ("displayname", Value::new_utf8s("testperson2"))
        );

        let e3 = entry_init!(
            ("class", Value::new_class("object")),
            ("class", Value::new_class("person")),
            ("name", Value::new_iname("testperson3")),
            (
                "uuid",
                Value::new_uuids("cc8e95b4-c24f-4d68-ba54-8bed76f63933").expect("uuid")
            ),
            ("description", Value::new_utf8s("testperson")),
            ("displayname", Value::new_utf8s("testperson3"))
        );

        let ce = CreateEvent::new_internal(vec![e1.clone(), e2.clone(), e3.clone()]);

        let cr = server_txn.create(&ce);
        assert!(cr.is_ok());

        // Delete filter is syntax invalid
        let de_inv =
            unsafe { DeleteEvent::new_internal_invalid(filter!(f_pres("nhtoaunaoehtnu"))) };
        assert!(server_txn.delete(&de_inv).is_err());

        // Delete deletes nothing
        let de_empty = unsafe {
            DeleteEvent::new_internal_invalid(filter!(f_eq(
                "uuid",
                PartialValue::new_uuids("cc8e95b4-c24f-4d68-ba54-000000000000").unwrap()
            )))
        };
        assert!(server_txn.delete(&de_empty).is_err());

        // Delete matches one
        let de_sin = unsafe {
            DeleteEvent::new_internal_invalid(filter!(f_eq(
                "name",
                PartialValue::new_iname("testperson3")
            )))
        };
        assert!(server_txn.delete(&de_sin).is_ok());

        // Delete matches many
        let de_mult = unsafe {
            DeleteEvent::new_internal_invalid(filter!(f_eq(
                "description",
                PartialValue::new_utf8s("testperson")
            )))
        };
        assert!(server_txn.delete(&de_mult).is_ok());

        assert!(server_txn.commit().is_ok());
    }

    #[qs_test]
    async fn test_tombstone(server: &QueryServer) {
        // First we setup some timestamps
        let time_p1 = duration_from_epoch_now();
        let time_p2 = time_p1 + Duration::from_secs(CHANGELOG_MAX_AGE * 2);
        let time_p3 = time_p2 + Duration::from_secs(CHANGELOG_MAX_AGE * 2);

        let mut server_txn = server.write(time_p1).await;
        let admin = server_txn
            .internal_search_uuid(&UUID_ADMIN)
            .expect("failed");

        let filt_i_ts = filter_all!(f_eq("class", PartialValue::new_class("tombstone")));

        // Create fake external requests. Probably from admin later
        // Should we do this with impersonate instead of using the external
        let me_ts = unsafe {
            ModifyEvent::new_impersonate_entry(
                admin.clone(),
                filt_i_ts.clone(),
                ModifyList::new_list(vec![Modify::Present(
                    AttrString::from("class"),
                    Value::new_class("tombstone"),
                )]),
            )
        };

        let de_ts = unsafe { DeleteEvent::new_impersonate_entry(admin.clone(), filt_i_ts.clone()) };
        let se_ts = unsafe { SearchEvent::new_ext_impersonate_entry(admin, filt_i_ts.clone()) };

        // First, create an entry, then push it through the lifecycle.
        let e_ts = entry_init!(
            ("class", Value::new_class("object")),
            ("class", Value::new_class("person")),
            ("name", Value::new_iname("testperson1")),
            (
                "uuid",
                Value::new_uuids("9557f49c-97a5-4277-a9a5-097d17eb8317").expect("uuid")
            ),
            ("description", Value::new_utf8s("testperson1")),
            ("displayname", Value::new_utf8s("testperson1"))
        );

        let ce = CreateEvent::new_internal(vec![e_ts]);
        let cr = server_txn.create(&ce);
        assert!(cr.is_ok());

        let de_sin = unsafe {
            DeleteEvent::new_internal_invalid(filter!(f_or!([f_eq(
                "name",
                PartialValue::new_iname("testperson1")
            )])))
        };
        assert!(server_txn.delete(&de_sin).is_ok());

        // Commit
        assert!(server_txn.commit().is_ok());

        // Now, establish enough time for the recycled items to be purged.
        let mut server_txn = server.write(time_p2).await;
        assert!(server_txn.purge_recycled().is_ok());

        // Now test the tombstone properties.

        // Can it be seen (external search)
        let r1 = server_txn.search(&se_ts).expect("search failed");
        assert!(r1.is_empty());

        // Can it be deleted (external delete)
        // Should be err-no candidates.
        assert!(server_txn.delete(&de_ts).is_err());

        // Can it be modified? (external modify)
        // Should be err-no candidates
        assert!(server_txn.modify(&me_ts).is_err());

        // Can it be seen (internal search)
        // Internal search should see it.
        let r2 = server_txn
            .internal_search(filt_i_ts.clone())
            .expect("internal search failed");
        assert!(r2.len() == 1);

        // If we purge now, nothing happens, we aren't past the time window.
        assert!(server_txn.purge_tombstones().is_ok());

        let r3 = server_txn
            .internal_search(filt_i_ts.clone())
            .expect("internal search failed");
        assert!(r3.len() == 1);

        // Commit
        assert!(server_txn.commit().is_ok());

        // New txn, push the cid forward.
        let server_txn = server.write(time_p3).await;

        // Now purge
        assert!(server_txn.purge_tombstones().is_ok());

        // Assert it's gone
        // Internal search should not see it.
        let r4 = server_txn
            .internal_search(filt_i_ts)
            .expect("internal search failed");
        assert!(r4.is_empty());

        assert!(server_txn.commit().is_ok());
    }

    #[qs_test]
    async fn test_recycle_simple(server: &QueryServer) {
        // First we setup some timestamps
        let time_p1 = duration_from_epoch_now();
        let time_p2 = time_p1 + Duration::from_secs(RECYCLEBIN_MAX_AGE * 2);

        let mut server_txn = server.write(time_p1).await;
        let admin = server_txn
            .internal_search_uuid(&UUID_ADMIN)
            .expect("failed");

        let filt_i_rc = filter_all!(f_eq("class", PartialValue::new_class("recycled")));

        let filt_i_ts = filter_all!(f_eq("class", PartialValue::new_class("tombstone")));

        let filt_i_per = filter_all!(f_eq("class", PartialValue::new_class("person")));

        // Create fake external requests. Probably from admin later
        let me_rc = unsafe {
            ModifyEvent::new_impersonate_entry(
                admin.clone(),
                filt_i_rc.clone(),
                ModifyList::new_list(vec![Modify::Present(
                    AttrString::from("class"),
                    Value::new_class("recycled"),
                )]),
            )
        };

        let de_rc = unsafe { DeleteEvent::new_impersonate_entry(admin.clone(), filt_i_rc.clone()) };

        let se_rc =
            unsafe { SearchEvent::new_ext_impersonate_entry(admin.clone(), filt_i_rc.clone()) };

        let sre_rc =
            unsafe { SearchEvent::new_rec_impersonate_entry(admin.clone(), filt_i_rc.clone()) };

        let rre_rc = unsafe {
            ReviveRecycledEvent::new_impersonate_entry(
                admin,
                filter_all!(f_eq("name", PartialValue::new_iname("testperson1"))),
            )
        };

        // Create some recycled objects
        let e1 = entry_init!(
            ("class", Value::new_class("object")),
            ("class", Value::new_class("person")),
            ("name", Value::new_iname("testperson1")),
            (
                "uuid",
                Value::new_uuids("cc8e95b4-c24f-4d68-ba54-8bed76f63930").expect("uuid")
            ),
            ("description", Value::new_utf8s("testperson1")),
            ("displayname", Value::new_utf8s("testperson1"))
        );

        let e2 = entry_init!(
            ("class", Value::new_class("object")),
            ("class", Value::new_class("person")),
            ("name", Value::new_iname("testperson2")),
            (
                "uuid",
                Value::new_uuids("cc8e95b4-c24f-4d68-ba54-8bed76f63932").expect("uuid")
            ),
            ("description", Value::new_utf8s("testperson2")),
            ("displayname", Value::new_utf8s("testperson2"))
        );

        let ce = CreateEvent::new_internal(vec![e1, e2]);
        let cr = server_txn.create(&ce);
        assert!(cr.is_ok());

        // Now we immediately delete these to force them to the correct state.
        let de_sin = unsafe {
            DeleteEvent::new_internal_invalid(filter!(f_or!([
                f_eq("name", PartialValue::new_iname("testperson1")),
                f_eq("name", PartialValue::new_iname("testperson2")),
            ])))
        };
        assert!(server_txn.delete(&de_sin).is_ok());

        // Can it be seen (external search)
        let r1 = server_txn.search(&se_rc).expect("search failed");
        assert!(r1.is_empty());

        // Can it be deleted (external delete)
        // Should be err-no candidates.
        assert!(server_txn.delete(&de_rc).is_err());

        // Can it be modified? (external modify)
        // Should be err-no candidates
        assert!(server_txn.modify(&me_rc).is_err());

        // Can in be seen by special search? (external recycle search)
        let r2 = server_txn.search(&sre_rc).expect("search failed");
        assert!(r2.len() == 2);

        // Can it be seen (internal search)
        // Internal search should see it.
        let r2 = server_txn
            .internal_search(filt_i_rc.clone())
            .expect("internal search failed");
        assert!(r2.len() == 2);

        // There are now two paths forward
        //  revival or purge!
        assert!(server_txn.revive_recycled(&rre_rc).is_ok());

        // Not enough time has passed, won't have an effect for purge to TS
        assert!(server_txn.purge_recycled().is_ok());
        let r3 = server_txn
            .internal_search(filt_i_rc.clone())
            .expect("internal search failed");
        assert!(r3.len() == 1);

        // Commit
        assert!(server_txn.commit().is_ok());

        // Now, establish enough time for the recycled items to be purged.
        let server_txn = server.write(time_p2).await;

        //  purge to tombstone, now that time has passed.
        assert!(server_txn.purge_recycled().is_ok());

        // Should be no recycled objects.
        let r4 = server_txn
            .internal_search(filt_i_rc.clone())
            .expect("internal search failed");
        assert!(r4.is_empty());

        // There should be one tombstone
        let r5 = server_txn
            .internal_search(filt_i_ts.clone())
            .expect("internal search failed");
        assert!(r5.len() == 1);

        // There should be one entry
        let r6 = server_txn
            .internal_search(filt_i_per.clone())
            .expect("internal search failed");
        assert!(r6.len() == 1);

        assert!(server_txn.commit().is_ok());
    }

    // The delete test above should be unaffected by recycle anyway
    #[qs_test]
    async fn test_qs_recycle_advanced(server: &QueryServer) {
        // Create items
        let mut server_txn = server.write(duration_from_epoch_now()).await;
        let admin = server_txn
            .internal_search_uuid(&UUID_ADMIN)
            .expect("failed");

        let e1 = entry_init!(
            ("class", Value::new_class("object")),
            ("class", Value::new_class("person")),
            ("name", Value::new_iname("testperson1")),
            (
                "uuid",
                Value::new_uuids("cc8e95b4-c24f-4d68-ba54-8bed76f63930").expect("uuid")
            ),
            ("description", Value::new_utf8s("testperson1")),
            ("displayname", Value::new_utf8s("testperson1"))
        );
        let ce = CreateEvent::new_internal(vec![e1]);

        let cr = server_txn.create(&ce);
        assert!(cr.is_ok());
        // Delete and ensure they became recycled.
        let de_sin = unsafe {
            DeleteEvent::new_internal_invalid(filter!(f_eq(
                "name",
                PartialValue::new_iname("testperson1")
            )))
        };
        assert!(server_txn.delete(&de_sin).is_ok());
        // Can in be seen by special search? (external recycle search)
        let filt_rc = filter_all!(f_eq("class", PartialValue::new_class("recycled")));
        let sre_rc = unsafe { SearchEvent::new_rec_impersonate_entry(admin, filt_rc.clone()) };
        let r2 = server_txn.search(&sre_rc).expect("search failed");
        assert!(r2.len() == 1);

        // Create dup uuid (rej)
        // After a delete -> recycle, create duplicate name etc.
        let cr = server_txn.create(&ce);
        assert!(cr.is_err());

        assert!(server_txn.commit().is_ok());
    }

    #[qs_test]
    async fn test_name_to_uuid(server: &QueryServer) {
        let mut server_txn = server.write(duration_from_epoch_now()).await;

        let e1 = entry_init!(
            ("class", Value::new_class("object")),
            ("class", Value::new_class("person")),
            ("name", Value::new_iname("testperson1")),
            (
                "uuid",
                Value::new_uuids("cc8e95b4-c24f-4d68-ba54-8bed76f63930").expect("uuid")
            ),
            ("description", Value::new_utf8s("testperson1")),
            ("displayname", Value::new_utf8s("testperson1"))
        );
        let ce = CreateEvent::new_internal(vec![e1]);
        let cr = server_txn.create(&ce);
        assert!(cr.is_ok());

        // Name doesn't exist
        let r1 = server_txn.name_to_uuid("testpers");
        assert!(r1.is_err());
        // Name doesn't exist (not syntax normalised)
        let r2 = server_txn.name_to_uuid("tEsTpErS");
        assert!(r2.is_err());
        // Name does exist
        let r3 = server_txn.name_to_uuid("testperson1");
        assert!(r3.is_ok());
        // Name is not syntax normalised (but exists)
        let r4 = server_txn.name_to_uuid("tEsTpErSoN1");
        assert!(r4.is_ok());
    }

    #[qs_test]
    async fn test_uuid_to_spn(server: &QueryServer) {
        let mut server_txn = server.write(duration_from_epoch_now()).await;

        let e1 = entry_init!(
            ("class", Value::new_class("object")),
            ("class", Value::new_class("person")),
            ("class", Value::new_class("account")),
            ("name", Value::new_iname("testperson1")),
            (
                "uuid",
                Value::new_uuids("cc8e95b4-c24f-4d68-ba54-8bed76f63930").expect("uuid")
            ),
            ("description", Value::new_utf8s("testperson1")),
            ("displayname", Value::new_utf8s("testperson1"))
        );
        let ce = CreateEvent::new_internal(vec![e1]);
        let cr = server_txn.create(&ce);
        assert!(cr.is_ok());

        // Name doesn't exist
        let r1 = server_txn
            .uuid_to_spn(Uuid::parse_str("bae3f507-e6c3-44ba-ad01-f8ff1083534a").unwrap());
        // There is nothing.
        assert!(r1 == Ok(None));
        // Name does exist
        let r3 = server_txn
            .uuid_to_spn(Uuid::parse_str("cc8e95b4-c24f-4d68-ba54-8bed76f63930").unwrap());
        println!("{:?}", r3);
        assert!(r3.unwrap().unwrap() == Value::new_spn_str("testperson1", "example.com"));
        // Name is not syntax normalised (but exists)
        let r4 = server_txn
            .uuid_to_spn(Uuid::parse_str("CC8E95B4-C24F-4D68-BA54-8BED76F63930").unwrap());
        assert!(r4.unwrap().unwrap() == Value::new_spn_str("testperson1", "example.com"));
    }

    #[qs_test]
    async fn test_uuid_to_rdn(server: &QueryServer) {
        let mut server_txn = server.write(duration_from_epoch_now()).await;

        let e1 = entry_init!(
            ("class", Value::new_class("object")),
            ("class", Value::new_class("person")),
            ("class", Value::new_class("account")),
            ("name", Value::new_iname("testperson1")),
            (
                "uuid",
                Value::new_uuids("cc8e95b4-c24f-4d68-ba54-8bed76f63930").expect("uuid")
            ),
            ("description", Value::new_utf8s("testperson")),
            ("displayname", Value::new_utf8s("testperson1"))
        );
        let ce = CreateEvent::new_internal(vec![e1]);
        let cr = server_txn.create(&ce);
        assert!(cr.is_ok());

        // Name doesn't exist
        let r1 = server_txn
            .uuid_to_rdn(Uuid::parse_str("bae3f507-e6c3-44ba-ad01-f8ff1083534a").unwrap());
        // There is nothing.
        assert!(r1.unwrap() == "uuid=bae3f507-e6c3-44ba-ad01-f8ff1083534a");
        // Name does exist
        let r3 = server_txn
            .uuid_to_rdn(Uuid::parse_str("cc8e95b4-c24f-4d68-ba54-8bed76f63930").unwrap());
        println!("{:?}", r3);
        assert!(r3.unwrap() == "spn=testperson1@example.com");
        // Uuid is not syntax normalised (but exists)
        let r4 = server_txn
            .uuid_to_rdn(Uuid::parse_str("CC8E95B4-C24F-4D68-BA54-8BED76F63930").unwrap());
        assert!(r4.unwrap() == "spn=testperson1@example.com");
    }

    #[qs_test]
    async fn test_uuid_to_star_recycle(server: &QueryServer) {
        let mut server_txn = server.write(duration_from_epoch_now()).await;

        let e1 = entry_init!(
            ("class", Value::new_class("object")),
            ("class", Value::new_class("person")),
            ("class", Value::new_class("account")),
            ("name", Value::new_iname("testperson1")),
            (
                "uuid",
                Value::new_uuids("cc8e95b4-c24f-4d68-ba54-8bed76f63930").expect("uuid")
            ),
            ("description", Value::new_utf8s("testperson1")),
            ("displayname", Value::new_utf8s("testperson1"))
        );

        let tuuid = Uuid::parse_str("cc8e95b4-c24f-4d68-ba54-8bed76f63930").unwrap();

        let ce = CreateEvent::new_internal(vec![e1]);
        let cr = server_txn.create(&ce);
        assert!(cr.is_ok());

        assert!(server_txn.uuid_to_rdn(tuuid) == Ok("spn=testperson1@example.com".to_string()));

        assert!(
            server_txn.uuid_to_spn(tuuid)
                == Ok(Some(Value::new_spn_str("testperson1", "example.com")))
        );

        assert!(server_txn.name_to_uuid("testperson1") == Ok(tuuid));

        // delete
        let de_sin = unsafe {
            DeleteEvent::new_internal_invalid(filter!(f_eq(
                "name",
                PartialValue::new_iname("testperson1")
            )))
        };
        assert!(server_txn.delete(&de_sin).is_ok());

        // all should fail
        assert!(
            server_txn.uuid_to_rdn(tuuid)
                == Ok("uuid=cc8e95b4-c24f-4d68-ba54-8bed76f63930".to_string())
        );

        assert!(server_txn.uuid_to_spn(tuuid) == Ok(None));

        assert!(server_txn.name_to_uuid("testperson1").is_err());

        // revive
        let admin = server_txn
            .internal_search_uuid(&UUID_ADMIN)
            .expect("failed");
        let rre_rc = unsafe {
            ReviveRecycledEvent::new_impersonate_entry(
                admin,
                filter_all!(f_eq("name", PartialValue::new_iname("testperson1"))),
            )
        };
        assert!(server_txn.revive_recycled(&rre_rc).is_ok());

        // all checks pass

        assert!(server_txn.uuid_to_rdn(tuuid) == Ok("spn=testperson1@example.com".to_string()));

        assert!(
            server_txn.uuid_to_spn(tuuid)
                == Ok(Some(Value::new_spn_str("testperson1", "example.com")))
        );

        assert!(server_txn.name_to_uuid("testperson1") == Ok(tuuid));
    }

    #[qs_test]
    async fn test_clone_value(server: &QueryServer) {
        let mut server_txn = server.write(duration_from_epoch_now()).await;
        let e1 = entry_init!(
            ("class", Value::new_class("object")),
            ("class", Value::new_class("person")),
            ("name", Value::new_iname("testperson1")),
            (
                "uuid",
                Value::new_uuids("cc8e95b4-c24f-4d68-ba54-8bed76f63930").expect("uuid")
            ),
            ("description", Value::new_utf8s("testperson1")),
            ("displayname", Value::new_utf8s("testperson1"))
        );
        let ce = CreateEvent::new_internal(vec![e1]);
        let cr = server_txn.create(&ce);
        assert!(cr.is_ok());

        // test attr not exist
        let r1 = server_txn.clone_value(&"tausau".to_string(), &"naoeutnhaou".to_string());

        assert!(r1.is_err());

        // test attr not-normalised (error)
        // test attr not-reference
        let r2 = server_txn.clone_value(&"NaMe".to_string(), &"NaMe".to_string());

        assert!(r2.is_err());

        // test attr reference
        let r3 = server_txn.clone_value(&"member".to_string(), &"testperson1".to_string());

        assert!(r3 == Ok(Value::new_refer_s("cc8e95b4-c24f-4d68-ba54-8bed76f63930").unwrap()));

        // test attr reference already resolved.
        let r4 = server_txn.clone_value(
            &"member".to_string(),
            &"cc8e95b4-c24f-4d68-ba54-8bed76f63930".to_string(),
        );

        debug!("{:?}", r4);
        assert!(r4 == Ok(Value::new_refer_s("cc8e95b4-c24f-4d68-ba54-8bed76f63930").unwrap()));
    }

    #[qs_test]
    async fn test_dynamic_schema_class(server: &QueryServer) {
        let e1 = entry_init!(
            ("class", Value::new_class("object")),
            ("class", Value::new_class("testclass")),
            ("name", Value::new_iname("testobj1")),
            (
                "uuid",
                Value::new_uuids("cc8e95b4-c24f-4d68-ba54-8bed76f63930").expect("uuid")
            )
        );

        // Class definition
        let e_cd = entry_init!(
            ("class", Value::new_class("object")),
            ("class", Value::new_class("classtype")),
            ("classname", Value::new_iutf8("testclass")),
            (
                "uuid",
                Value::new_uuids("cfcae205-31c3-484b-8ced-667d1709c5e3").expect("uuid")
            ),
            ("description", Value::new_utf8s("Test Class")),
            ("may", Value::new_iutf8("name"))
        );
        let mut server_txn = server.write(duration_from_epoch_now()).await;
        // Add a new class.
        let ce_class = CreateEvent::new_internal(vec![e_cd.clone()]);
        assert!(server_txn.create(&ce_class).is_ok());
        // Trying to add it now should fail.
        let ce_fail = CreateEvent::new_internal(vec![e1.clone()]);
        assert!(server_txn.create(&ce_fail).is_err());

        // Commit
        server_txn.commit().expect("should not fail");

        // Start a new write
        let mut server_txn = server.write(duration_from_epoch_now()).await;
        // Add the class to an object
        // should work
        let ce_work = CreateEvent::new_internal(vec![e1.clone()]);
        assert!(server_txn.create(&ce_work).is_ok());

        // Commit
        server_txn.commit().expect("should not fail");

        // Start a new write
        let mut server_txn = server.write(duration_from_epoch_now()).await;
        // delete the class
        let de_class = unsafe {
            DeleteEvent::new_internal_invalid(filter!(f_eq(
                "classname",
                PartialValue::new_class("testclass")
            )))
        };
        assert!(server_txn.delete(&de_class).is_ok());
        // Commit
        server_txn.commit().expect("should not fail");

        // Start a new write
        let mut server_txn = server.write(duration_from_epoch_now()).await;
        // Trying to add now should fail
        let ce_fail = CreateEvent::new_internal(vec![e1.clone()]);
        assert!(server_txn.create(&ce_fail).is_err());
        // Search our entry
        let testobj1 = server_txn
            .internal_search_uuid(&Uuid::parse_str("cc8e95b4-c24f-4d68-ba54-8bed76f63930").unwrap())
            .expect("failed");
        assert!(testobj1.attribute_equality("class", &PartialValue::new_class("testclass")));

        // Should still be good
        server_txn.commit().expect("should not fail");
        // Commit.
    }

    #[qs_test]
    async fn test_dynamic_schema_attr(server: &QueryServer) {
        let e1 = entry_init!(
            ("class", Value::new_class("object")),
            ("class", Value::new_class("extensibleobject")),
            ("name", Value::new_iname("testobj1")),
            (
                "uuid",
                Value::new_uuids("cc8e95b4-c24f-4d68-ba54-8bed76f63930").expect("uuid")
            ),
            ("testattr", Value::new_utf8s("test"))
        );

        // Attribute definition
        let e_ad = entry_init!(
            ("class", Value::new_class("object")),
            ("class", Value::new_class("attributetype")),
            (
                "uuid",
                Value::new_uuids("cfcae205-31c3-484b-8ced-667d1709c5e3").expect("uuid")
            ),
            ("attributename", Value::new_iutf8("testattr")),
            ("description", Value::new_utf8s("Test Attribute")),
            ("multivalue", Value::new_bool(false)),
            ("unique", Value::new_bool(false)),
            ("syntax", Value::new_syntaxs("UTF8STRING").expect("syntax"))
        );

        let mut server_txn = server.write(duration_from_epoch_now()).await;
        // Add a new attribute.
        let ce_attr = CreateEvent::new_internal(vec![e_ad.clone()]);
        assert!(server_txn.create(&ce_attr).is_ok());
        // Trying to add it now should fail. (use extensible object)
        let ce_fail = CreateEvent::new_internal(vec![e1.clone()]);
        assert!(server_txn.create(&ce_fail).is_err());

        // Commit
        server_txn.commit().expect("should not fail");

        // Start a new write
        let mut server_txn = server.write(duration_from_epoch_now()).await;
        // Add the attr to an object
        // should work
        let ce_work = CreateEvent::new_internal(vec![e1.clone()]);
        assert!(server_txn.create(&ce_work).is_ok());

        // Commit
        server_txn.commit().expect("should not fail");

        // Start a new write
        let mut server_txn = server.write(duration_from_epoch_now()).await;
        // delete the attr
        let de_attr = unsafe {
            DeleteEvent::new_internal_invalid(filter!(f_eq(
                "attributename",
                PartialValue::new_iutf8("testattr")
            )))
        };
        assert!(server_txn.delete(&de_attr).is_ok());
        // Commit
        server_txn.commit().expect("should not fail");

        // Start a new write
        let mut server_txn = server.write(duration_from_epoch_now()).await;
        // Trying to add now should fail
        let ce_fail = CreateEvent::new_internal(vec![e1.clone()]);
        assert!(server_txn.create(&ce_fail).is_err());
        // Search our attribute - should FAIL
        let filt = filter!(f_eq("testattr", PartialValue::new_utf8s("test")));
        assert!(server_txn.internal_search(filt).is_err());
        // Search the entry - the attribute will still be present
        // even if we can't search on it.
        let testobj1 = server_txn
            .internal_search_uuid(&Uuid::parse_str("cc8e95b4-c24f-4d68-ba54-8bed76f63930").unwrap())
            .expect("failed");
        assert!(testobj1.attribute_equality("testattr", &PartialValue::new_utf8s("test")));

        server_txn.commit().expect("should not fail");
        // Commit.
    }

    #[qs_test]
    async fn test_modify_password_only(server: &QueryServer) {
        let e1 = entry_init!(
            ("class", Value::new_class("object")),
            ("class", Value::new_class("person")),
            ("class", Value::new_class("account")),
            ("name", Value::new_iname("testperson1")),
            (
                "uuid",
                Value::new_uuids("cc8e95b4-c24f-4d68-ba54-8bed76f63930").expect("uuid")
            ),
            ("description", Value::new_utf8s("testperson1")),
            ("displayname", Value::new_utf8s("testperson1"))
        );
        let mut server_txn = server.write(duration_from_epoch_now()).await;
        // Add the entry. Today we have no syntax to take simple str to a credential
        // but honestly, that's probably okay :)
        let ce = CreateEvent::new_internal(vec![e1]);
        let cr = server_txn.create(&ce);
        assert!(cr.is_ok());

        // Build the credential.
        let p = CryptoPolicy::minimum();
        let cred = Credential::new_password_only(&p, "test_password").unwrap();
        let v_cred = Value::new_credential("primary", cred);
        assert!(v_cred.validate());

        // now modify and provide a primary credential.
        let me_inv_m = unsafe {
            ModifyEvent::new_internal_invalid(
                filter!(f_eq("name", PartialValue::new_iname("testperson1"))),
                ModifyList::new_list(vec![Modify::Present(
                    AttrString::from("primary_credential"),
                    v_cred,
                )]),
            )
        };
        // go!
        assert!(server_txn.modify(&me_inv_m).is_ok());

        // assert it exists and the password checks out
        let test_ent = server_txn
            .internal_search_uuid(&Uuid::parse_str("cc8e95b4-c24f-4d68-ba54-8bed76f63930").unwrap())
            .expect("failed");
        // get the primary ava
        let cred_ref = test_ent
            .get_ava_single_credential("primary_credential")
            .expect("Failed");
        // do a pw check.
        assert!(cred_ref.verify_password("test_password").unwrap());
    }

    fn create_user(name: &str, uuid: &str) -> Entry<EntryInit, EntryNew> {
        entry_init!(
            ("class", Value::new_class("object")),
            ("class", Value::new_class("person")),
            ("name", Value::new_iname(name)),
            ("uuid", Value::new_uuids(uuid).expect("uuid")),
            ("description", Value::new_utf8s("testperson-entry")),
            ("displayname", Value::new_utf8s(name))
        )
    }

    fn create_group(name: &str, uuid: &str, members: &[&str]) -> Entry<EntryInit, EntryNew> {
        let mut e1 = entry_init!(
            ("class", Value::new_class("object")),
            ("class", Value::new_class("group")),
            ("name", Value::new_iname(name)),
            ("uuid", Value::new_uuids(uuid).expect("uuid")),
            ("description", Value::new_utf8s("testgroup-entry"))
        );
        members
            .iter()
            .for_each(|m| e1.add_ava("member", Value::new_refer_s(m).unwrap()));
        e1
    }

    fn check_entry_has_mo(qs: &QueryServerWriteTransaction, name: &str, mo: &str) -> bool {
        let e = qs
            .internal_search(filter!(f_eq("name", PartialValue::new_iname(name))))
            .unwrap()
            .pop()
            .unwrap();

        e.attribute_equality("memberof", &PartialValue::new_refer_s(mo).unwrap())
    }

    #[qs_test]
    async fn test_revive_advanced_directmemberships(server: &QueryServer) {
        // Create items
        let mut server_txn = server.write(duration_from_epoch_now()).await;
        let admin = server_txn
            .internal_search_uuid(&UUID_ADMIN)
            .expect("failed");

        // Right need a user in a direct group.
        let u1 = create_user("u1", "22b47373-d123-421f-859e-9ddd8ab14a2a");
        let g1 = create_group(
            "g1",
            "cca2bbfc-5b43-43f3-be9e-f5b03b3defec",
            &["22b47373-d123-421f-859e-9ddd8ab14a2a"],
        );

        // Need a user in A -> B -> User, such that A/B are re-adde as MO
        let u2 = create_user("u2", "5c19a4a2-b9f0-4429-b130-5782de5fddda");
        let g2a = create_group(
            "g2a",
            "e44cf9cd-9941-44cb-a02f-307b6e15ac54",
            &["5c19a4a2-b9f0-4429-b130-5782de5fddda"],
        );
        let g2b = create_group(
            "g2b",
            "d3132e6e-18ce-4b87-bee1-1d25e4bfe96d",
            &["e44cf9cd-9941-44cb-a02f-307b6e15ac54"],
        );

        // Need a user in a group that is recycled after, then revived at the same time.
        let u3 = create_user("u3", "68467a41-6e8e-44d0-9214-a5164e75ca03");
        let g3 = create_group(
            "g3",
            "36048117-e479-45ed-aeb5-611e8d83d5b1",
            &["68467a41-6e8e-44d0-9214-a5164e75ca03"],
        );

        // A user in a group that is recycled, user is revived, THEN the group is. Group
        // should be present in MO after the second revive.
        let u4 = create_user("u4", "d696b10f-1729-4f1a-83d0-ca06525c2f59");
        let g4 = create_group(
            "g4",
            "d5c59ac6-c533-4b00-989f-d0e183f07bab",
            &["d696b10f-1729-4f1a-83d0-ca06525c2f59"],
        );

        let ce = CreateEvent::new_internal(vec![u1, g1, u2, g2a, g2b, u3, g3, u4, g4]);
        let cr = server_txn.create(&ce);
        assert!(cr.is_ok());

        // Now recycle the needed entries.
        let de = unsafe {
            DeleteEvent::new_internal_invalid(filter!(f_or(vec![
                f_eq("name", PartialValue::new_iname("u1")),
                f_eq("name", PartialValue::new_iname("u2")),
                f_eq("name", PartialValue::new_iname("u3")),
                f_eq("name", PartialValue::new_iname("g3")),
                f_eq("name", PartialValue::new_iname("u4")),
                f_eq("name", PartialValue::new_iname("g4"))
            ])))
        };
        assert!(server_txn.delete(&de).is_ok());

        // Now revive and check each one, one at a time.
        let rev1 = unsafe {
            ReviveRecycledEvent::new_impersonate_entry(
                admin.clone(),
                filter_all!(f_eq("name", PartialValue::new_iname("u1"))),
            )
        };
        assert!(server_txn.revive_recycled(&rev1).is_ok());
        // check u1 contains MO ->
        assert!(check_entry_has_mo(
            &server_txn,
            "u1",
            "cca2bbfc-5b43-43f3-be9e-f5b03b3defec"
        ));

        // Revive u2 and check it has two mo.
        let rev2 = unsafe {
            ReviveRecycledEvent::new_impersonate_entry(
                admin.clone(),
                filter_all!(f_eq("name", PartialValue::new_iname("u2"))),
            )
        };
        assert!(server_txn.revive_recycled(&rev2).is_ok());
        assert!(check_entry_has_mo(
            &server_txn,
            "u2",
            "e44cf9cd-9941-44cb-a02f-307b6e15ac54"
        ));
        assert!(check_entry_has_mo(
            &server_txn,
            "u2",
            "d3132e6e-18ce-4b87-bee1-1d25e4bfe96d"
        ));

        // Revive u3 and g3 at the same time.
        let rev3 = unsafe {
            ReviveRecycledEvent::new_impersonate_entry(
                admin.clone(),
                filter_all!(f_or(vec![
                    f_eq("name", PartialValue::new_iname("u3")),
                    f_eq("name", PartialValue::new_iname("g3"))
                ])),
            )
        };
        assert!(server_txn.revive_recycled(&rev3).is_ok());
        assert!(
            check_entry_has_mo(&server_txn, "u3", "36048117-e479-45ed-aeb5-611e8d83d5b1") == false
        );

        // Revive u4, should NOT have the MO.
        let rev4a = unsafe {
            ReviveRecycledEvent::new_impersonate_entry(
                admin.clone(),
                filter_all!(f_eq("name", PartialValue::new_iname("u4"))),
            )
        };
        assert!(server_txn.revive_recycled(&rev4a).is_ok());
        assert!(
            check_entry_has_mo(&server_txn, "u4", "d5c59ac6-c533-4b00-989f-d0e183f07bab") == false
        );

        // Now revive g4, should allow MO onto u4.
        let rev4b = unsafe {
            ReviveRecycledEvent::new_impersonate_entry(
                admin,
                filter_all!(f_eq("name", PartialValue::new_iname("g4"))),
            )
        };
        assert!(server_txn.revive_recycled(&rev4b).is_ok());
        assert!(
            check_entry_has_mo(&server_txn, "u4", "d5c59ac6-c533-4b00-989f-d0e183f07bab") == false
        );

        assert!(server_txn.commit().is_ok());
    }

    #[qs_test_no_init]
    async fn test_qs_upgrade_entry_attrs(server: &QueryServer) {
        let mut server_txn = server.write(duration_from_epoch_now()).await;
        assert!(server_txn.upgrade_reindex(SYSTEM_INDEX_VERSION).is_ok());
        assert!(server_txn.commit().is_ok());

        let mut server_txn = server.write(duration_from_epoch_now()).await;
        server_txn.initialise_schema_core().unwrap();
        server_txn.initialise_schema_idm().unwrap();
        assert!(server_txn.commit().is_ok());

        let mut server_txn = server.write(duration_from_epoch_now()).await;
        assert!(server_txn.upgrade_reindex(SYSTEM_INDEX_VERSION + 1).is_ok());
        assert!(server_txn.commit().is_ok());

        let mut server_txn = server.write(duration_from_epoch_now()).await;
        assert!(server_txn
            .internal_migrate_or_create_str(JSON_SYSTEM_INFO_V1)
            .is_ok());
        assert!(server_txn
            .internal_migrate_or_create_str(JSON_DOMAIN_INFO_V1)
            .is_ok());
        assert!(server_txn
            .internal_migrate_or_create_str(JSON_SYSTEM_CONFIG_V1)
            .is_ok());
        assert!(server_txn.commit().is_ok());

        let mut server_txn = server.write(duration_from_epoch_now()).await;
        // ++ Mod the schema to set name to the old string type
        let me_syn = unsafe {
            ModifyEvent::new_internal_invalid(
                filter!(f_or!([
                    f_eq("attributename", PartialValue::new_iutf8("name")),
                    f_eq("attributename", PartialValue::new_iutf8("domain_name")),
                ])),
                ModifyList::new_purge_and_set(
                    "syntax",
                    Value::new_syntaxs("UTF8STRING_INSENSITIVE").unwrap(),
                ),
            )
        };
        assert!(server_txn.modify(&me_syn).is_ok());
        assert!(server_txn.commit().is_ok());

        let mut server_txn = server.write(duration_from_epoch_now()).await;
        // ++ Mod domain name and name to be the old type.
        let me_dn = unsafe {
            ModifyEvent::new_internal_invalid(
                filter!(f_eq("uuid", PartialValue::new_uuid(UUID_DOMAIN_INFO))),
                ModifyList::new_list(vec![
                    Modify::Purged(AttrString::from("name")),
                    Modify::Purged(AttrString::from("domain_name")),
                    Modify::Present(AttrString::from("name"), Value::new_iutf8("domain_local")),
                    Modify::Present(
                        AttrString::from("domain_name"),
                        Value::new_iutf8("example.com"),
                    ),
                ]),
            )
        };
        assert!(server_txn.modify(&me_dn).is_ok());

        // Now, both the types are invalid.

        // WARNING! We can't commit here because this triggers domain_reload which will fail
        // due to incorrect syntax of the domain name! Run the migration in the same txn!
        // Trigger a schema reload.
        assert!(server_txn.reload_schema().is_ok());

        // We can't just re-run the migrate here because name takes it's definition from
        // in memory, and we can't re-run the initial memory gen. So we just fix it to match
        // what the migrate "would do".
        let me_syn = unsafe {
            ModifyEvent::new_internal_invalid(
                filter!(f_or!([
                    f_eq("attributename", PartialValue::new_iutf8("name")),
                    f_eq("attributename", PartialValue::new_iutf8("domain_name")),
                ])),
                ModifyList::new_purge_and_set(
                    "syntax",
                    Value::new_syntaxs("UTF8STRING_INAME").unwrap(),
                ),
            )
        };
        assert!(server_txn.modify(&me_syn).is_ok());

        // WARNING! We can't commit here because this triggers domain_reload which will fail
        // due to incorrect syntax of the domain name! Run the migration in the same txn!
        // Trigger a schema reload.
        assert!(server_txn.reload_schema().is_ok());

        // ++ Run the upgrade for X to Y
        assert!(server_txn.migrate_2_to_3().is_ok());

        assert!(server_txn.commit().is_ok());

        // Assert that it migrated and worked as expected.
        let server_txn = server.write(duration_from_epoch_now()).await;
        let domain = server_txn
            .internal_search_uuid(&UUID_DOMAIN_INFO)
            .expect("failed");
        // ++ assert all names are iname
        assert!(
            domain.get_ava_set("name").expect("no name?").syntax() == SyntaxType::Utf8StringIname
        );
        // ++ assert all domain/domain_name are iname
        assert!(
            domain
                .get_ava_set("domain_name")
                .expect("no domain_name?")
                .syntax()
                == SyntaxType::Utf8StringIname
        );
        assert!(server_txn.commit().is_ok());
    }
}