mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-24 21:17:01 +01:00
Code Issues Actions 10 Packages Projects Releases Wiki Activity
kanidm/kanidmd/src/lib/entry.rs
Firstyear 018039b0b2
Account valid-from and expiry (#322) 
Fixes #59 account policy and lockout. This is achived with a valid_from and expire attribute that are timestamps. Cli tools are added to manage these.
2020-10-10 10:31:51 +10:00

2428 lines
87 KiB
Rust
Raw Blame History

//! Entries are the base unit of object storage in the server. This is one of the three foundational
//! concepts along with [`filter`]s and [`schema`] that everything else builds upon.
//!
//! An [`Entry`] is a collection of attribute-value sets. There are sometimes called attribute value
//! assertions, or avas. The attribute is a "key" and it holds 1 to infinitite associtade values
//! with no ordering. An entry has many avas. A pseudo example, minus schema and typing:
//!
//! ```
//! /*
//! Entry {
//! "name": ["william"],
//! "uuid": ["..."],
//! "mail": ["maila@example.com", "mailb@example.com"],
//! }
//! */
//! ```
//!
//! There are three rules for entries:
//! * Must have an ava for UUID containing a single value.
//! * Any ava with zero values will be removed.
//! * Avas are stored with no sorting.
//!
//! For more, see the [`Entry`] type.
//!
//! [`Entry`]: struct.Entry.html
//! [`filter`]: ../filter/index.html
//! [`schema`]: ../schema/index.html
use crate::audit::AuditScope;
use crate::credential::Credential;
use crate::filter::{Filter, FilterInvalid, FilterResolved, FilterValidResolved};
use crate::ldap::ldap_attr_entry_map;
use crate::modify::{Modify, ModifyInvalid, ModifyList, ModifyValid};
use crate::repl::cid::Cid;
use crate::schema::{SchemaAttribute, SchemaClass, SchemaTransaction};
use crate::server::{
QueryServerReadTransaction, QueryServerTransaction, QueryServerWriteTransaction,
};
use crate::value::{IndexType, SyntaxType};
use crate::value::{PartialValue, Value};
use kanidm_proto::v1::Entry as ProtoEntry;
use kanidm_proto::v1::Filter as ProtoFilter;
use kanidm_proto::v1::{OperationError, SchemaError};
use crate::be::dbentry::{DbEntry, DbEntryV1, DbEntryVers};
use crate::be::IdxKey;
use ldap3_server::simple::{LdapPartialAttribute, LdapSearchResultEntry};
use std::collections::BTreeSet as Set;
use std::collections::BTreeSet;
// use std::collections::BTreeMap as Map;
use hashbrown::HashMap as Map;
use hashbrown::HashSet;
use time::OffsetDateTime;
use uuid::Uuid;
// use std::convert::TryFrom;
// use std::str::FromStr;
// make a trait entry for everything to adhere to?
// * How to get indexs out?
// * How to track pending diffs?
// Entry is really similar to serde Value, but limits the possibility
// of what certain types could be.
//
// The idea of an entry is that we have
// an entry that looks like:
//
// {
// 'class': ['object', ...],
// 'attr': ['value', ...],
// 'attr': ['value', ...],
// ...
// }
//
// When we send this as a result to clients, we could embed other objects as:
//
// {
// 'attr': [
// 'value': {
// },
// ],
// }
//
lazy_static! {
static ref CLASS_EXTENSIBLE: PartialValue = PartialValue::new_class("extensibleobject");
static ref PVCLASS_TOMBSTONE: PartialValue = PartialValue::new_class("tombstone");
static ref PVCLASS_RECYCLED: PartialValue = PartialValue::new_class("recycled");
}
// Entry should have a lifecycle of types. This is Raw (modifiable) and Entry (verified).
// This way, we can move between them, but only certain actions are possible on either
// This means modifications happen on Raw, but to move to Entry, you schema normalise.
// Vice versa, you can for free, move to Raw, but you lose the validation.
// Because this is type system it's "free" in the end, and means we force validation
// at the correct and required points of the entries life.
// This is specifically important for the commit to the backend, as we only want to
// commit validated types.
#[derive(Clone, Debug)]
pub struct EntryNew; // new
#[derive(Clone, Debug)]
pub struct EntryCommitted {
id: u64,
} // It's been in the DB, so it has an id
// pub struct EntryPurged;
#[derive(Clone, Debug)]
pub struct EntryInit;
/* |
* | Init comes from a proto entry, it's new.
* | We add the current Cid before we allow mods.
* V
*/
#[derive(Clone, Debug)]
pub struct EntryInvalid {
cid: Cid,
}
/* |
* | The changes made within this entry are validated by the schema.
* V
*/
#[derive(Clone, Debug)]
pub struct EntryValid {
// Asserted with schema, so we know it has a UUID now ...
uuid: Uuid,
cid: Cid,
}
/* |
* | The changes are extracted into the changelog as needed, creating a
* | stable database entry.
* V
*/
#[derive(Clone, Debug)]
pub struct EntrySealed {
uuid: Uuid,
}
#[derive(Clone, Debug)]
pub struct EntryReduced {
uuid: Uuid,
}
fn compare_attrs(left: &Map<String, Set<Value>>, right: &Map<String, Set<Value>>) -> bool {
// We can't shortcut based on len because cid mod may not be present.
// Build the set of all keys between both.
let allkeys: Set<&str> = left
.keys()
.filter(|k| k != &"last_modified_cid")
.chain(right.keys().filter(|k| k != &"last_modified_cid"))
.map(|s| s.as_str())
.collect();
allkeys.into_iter().all(|k| {
// Both must be Some, and both must have the same interiors.
left.get(k) == right.get(k)
})
}
/// Entry is the core data storage type of the server. Almost every aspect of the server is
/// designed to read, handle and manipulate entries.
///
/// Entries store attribute value assertions, or ava. These are sets of key-values.
///
/// Entries have a lifecycle within a single operation, and as part of replication.
/// The lifecycle for operations is defined through state and valid types. Each entry has a pair
/// Of these types at anytime. The first is the ava [`schema`] and [`access`] control assertion
/// state. This is represented by the type `VALID` as one of `EntryValid`, `EntryInvalid` or
/// `EntryReduced`. Every entry starts as `EntryInvalid`, and when checked by the schema for
/// correctness, transitions to `EntryValid`. While an entry is `EntryValid` it can not be
/// altered - you must invalidate it to `EntryInvalid`, then modify, then check again.
/// An entry that has had access controls applied moves from `EntryValid` to `EntryReduced`,
/// to show that the avas have reduced to the valid read set of the current [`event`] user.
///
/// The second type of `STATE` represents the database commit state and internal db ID's. A
/// new entry that has never been committed is `EntryNew`, but an entry that has been retrieved
/// from the database is `EntryCommitted`. This affects the operations you can apply IE modify
/// or delete.
///
/// These types exist to prevent at compile time, mishandling of Entries, to ensure they are always
/// handled with the correct lifecycles and processes.
///
/// [`schema`]: ../schema/index.html
/// [`access`]: ../access/index.html
/// [`event`]: ../event/index.html
///
pub struct Entry<VALID, STATE> {
valid: VALID,
state: STATE,
// We may need to change this to Set to allow borrow of Value -> PartialValue for lookups.
attrs: Map<String, Set<Value>>,
}
impl<VALID, STATE> std::fmt::Debug for Entry<VALID, STATE>
where
STATE: std::fmt::Debug,
VALID: std::fmt::Debug,
{
fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
f.debug_struct("Entry<EntrySealed, _>")
.field("state", &self.state)
.field("valid", &self.valid)
.finish()
}
}
impl<STATE> std::fmt::Display for Entry<EntrySealed, STATE> {
fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
write!(f, "{}", self.get_uuid())
}
}
impl<STATE> std::fmt::Display for Entry<EntryInit, STATE> {
fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
write!(f, "Entry in initial state")
}
}
impl<STATE> Entry<EntryInit, STATE> {
pub(crate) fn get_uuid(&self) -> Option<&Uuid> {
match self.attrs.get("uuid") {
Some(vs) => match vs.iter().take(1).next() {
// Uv is a value that might contain uuid - we hope it does!
Some(uv) => uv.to_uuid(),
_ => None,
},
None => None,
}
}
}
impl Entry<EntryInit, EntryNew> {
#[cfg(test)]
pub fn new() -> Self {
Entry {
// This means NEVER COMMITED
valid: EntryInit,
state: EntryNew,
attrs: Map::with_capacity(32),
}
}
// Could we consume protoentry?
//
// I think we could, but that would limit us to how protoentry works,
// where we are likely to actually change the Entry type here and how
// we store and represent types and data.
pub fn from_proto_entry(
audit: &mut AuditScope,
e: &ProtoEntry,
qs: &QueryServerWriteTransaction,
) -> Result<Self, OperationError> {
// Why not the trait? In the future we may want to extend
// this with server aware functions for changes of the
// incoming data.
// Somehow we need to take the tree of e attrs, and convert
// all ref types to our types ...
let map2: Result<Map<String, Set<Value>>, OperationError> = e
.attrs
.iter()
.map(|(k, v)| {
let nk = qs.get_schema().normalise_attr_name(k);
let nv: Result<Set<Value>, _> =
v.iter().map(|vr| qs.clone_value(audit, &nk, vr)).collect();
match nv {
Ok(nvi) => Ok((nk, nvi)),
Err(e) => Err(e),
}
})
.collect();
let x = map2?;
Ok(Entry {
// For now, we do a straight move, and we sort the incoming data
// sets so that BST works.
state: EntryNew,
valid: EntryInit,
attrs: x,
})
}
pub fn from_proto_entry_str(
audit: &mut AuditScope,
es: &str,
qs: &QueryServerWriteTransaction,
) -> Result<Self, OperationError> {
if cfg!(test) {
if es.len() > 256 {
let (dsp_es, _) = es.split_at(255);
ltrace!(audit, "Parsing -> {}...", dsp_es);
} else {
ltrace!(audit, "Parsing -> {}", es);
}
}
// str -> Proto entry
let pe: ProtoEntry = serde_json::from_str(es).map_err(|e| {
ladmin_error!(audit, "SerdeJson Failure -> {:?}", e);
OperationError::SerdeJsonError
})?;
// now call from_proto_entry
Self::from_proto_entry(audit, &pe, qs)
}
#[cfg(test)]
pub(crate) fn unsafe_from_entry_str(es: &str) -> Self {
// Just use log directly here, it's testing
// str -> proto entry
let pe: ProtoEntry = serde_json::from_str(es).expect("Invalid Proto Entry");
// use a const map to convert str -> ava
let x: Map<String, Set<Value>> = pe.attrs.into_iter()
.map(|(k, vs)| {
let attr = k.to_lowercase();
let vv: Set<Value> = match attr.as_str() {
"attributename" | "classname" | "domain" => {
vs.into_iter().map(|v| Value::new_iutf8(&v)).collect()
}
"name" | "domain_name" => {
vs.into_iter().map(|v| Value::new_iname(&v)).collect()
}
"userid" | "uidnumber" => {
warn!("WARNING: Use of unstabilised attributes userid/uidnumber");
vs.into_iter().map(|v| Value::new_iutf8(&v)).collect()
}
"class" | "acp_create_class" | "acp_modify_class" => {
vs.into_iter().map(|v| Value::new_class(v.as_str())).collect()
}
"acp_create_attr" | "acp_search_attr" | "acp_modify_removedattr" | "acp_modify_presentattr" |
"systemmay" | "may" | "systemmust" | "must"
=> {
vs.into_iter().map(|v| Value::new_attr(v.as_str())).collect()
}
"uuid" | "domain_uuid" => {
vs.into_iter().map(|v| Value::new_uuids(v.as_str())
.unwrap_or_else(|| {
warn!("WARNING: Allowing syntax incorrect attribute to be presented UTF8 string");
Value::new_utf8(v)
})
).collect()
}
"member" | "memberof" | "directmemberof" => {
vs.into_iter().map(|v| Value::new_refer_s(v.as_str()).unwrap() ).collect()
}
"acp_enable" | "multivalue" | "unique" => {
vs.into_iter().map(|v| Value::new_bools(v.as_str())
.unwrap_or_else(|| {
warn!("WARNING: Allowing syntax incorrect attribute to be presented UTF8 string");
Value::new_utf8(v)
})
).collect()
}
"syntax" => {
vs.into_iter().map(|v| Value::new_syntaxs(v.as_str())
.unwrap_or_else(|| {
warn!("WARNING: Allowing syntax incorrect attribute to be presented UTF8 string");
Value::new_utf8(v)
})
).collect()
}
"index" => {
vs.into_iter().map(|v| Value::new_indexs(v.as_str())
.unwrap_or_else(|| {
warn!("WARNING: Allowing syntax incorrect attribute to be presented UTF8 string");
Value::new_utf8(v)
})
).collect()
}
"acp_targetscope" | "acp_receiver" => {
vs.into_iter().map(|v| Value::new_json_filter(v.as_str())
.unwrap_or_else(|| {
warn!("WARNING: Allowing syntax incorrect attribute to be presented UTF8 string");
Value::new_utf8(v)
})
).collect()
}
"displayname" | "description" => {
vs.into_iter().map(|v| Value::new_utf8(v)).collect()
}
"spn" => {
vs.into_iter().map(|v| {
Value::new_spn_parse(v.as_str())
.unwrap_or_else(|| {
warn!("WARNING: Allowing syntax incorrect SPN attribute to be presented UTF8 string");
Value::new_utf8(v)
})
}).collect()
}
"gidnumber" | "version" => {
vs.into_iter().map(|v| {
Value::new_uint32_str(v.as_str())
.unwrap_or_else(|| {
warn!("WARNING: Allowing syntax incorrect UINT32 attribute to be presented UTF8 string");
Value::new_utf8(v)
})
}).collect()
}
ia => {
warn!("WARNING: Allowing invalid attribute {} to be interpretted as UTF8 string. YOU MAY ENCOUNTER ODD BEHAVIOUR!!!", ia);
vs.into_iter().map(|v| Value::new_utf8(v)).collect()
}
};
(attr, vv)
})
.collect();
// return the entry!
Entry {
valid: EntryInit,
state: EntryNew,
attrs: x,
}
}
pub fn assign_cid(mut self, cid: Cid) -> Entry<EntryInvalid, EntryNew> {
/* setup our last changed time */
self.set_last_changed(cid.clone());
Entry {
valid: EntryInvalid { cid },
state: EntryNew,
attrs: self.attrs,
}
}
pub fn compare(&self, rhs: &Entry<EntrySealed, EntryCommitted>) -> bool {
compare_attrs(&self.attrs, &rhs.attrs)
}
#[cfg(test)]
pub unsafe fn into_invalid_new(mut self) -> Entry<EntryInvalid, EntryNew> {
self.set_last_changed(Cid::new_zero());
Entry {
valid: EntryInvalid {
cid: Cid::new_zero(),
},
state: EntryNew,
attrs: self.attrs,
}
}
#[cfg(test)]
pub unsafe fn into_valid_new(self) -> Entry<EntryValid, EntryNew> {
Entry {
valid: EntryValid {
cid: Cid::new_zero(),
uuid: self.get_uuid().expect("Invalid uuid").clone(),
},
state: EntryNew,
attrs: self.attrs,
}
}
#[cfg(test)]
pub unsafe fn into_sealed_committed(self) -> Entry<EntrySealed, EntryCommitted> {
let uuid = self
.get_uuid()
.and_then(|u| Some(u.clone()))
.unwrap_or_else(|| Uuid::new_v4());
Entry {
valid: EntrySealed { uuid },
state: EntryCommitted { id: 0 },
attrs: self.attrs,
}
}
#[cfg(test)]
pub unsafe fn into_sealed_new(self) -> Entry<EntrySealed, EntryNew> {
Entry {
valid: EntrySealed {
uuid: self.get_uuid().expect("Invalid uuid").clone(),
},
state: EntryNew,
attrs: self.attrs,
}
}
#[cfg(test)]
pub fn add_ava(&mut self, attr: &str, value: Value) {
self.add_ava_int(attr, value)
}
}
impl<STATE> Entry<EntryInvalid, STATE> {
// This is only used in tests today, but I don't want to cfg test it.
pub(crate) fn get_uuid(&self) -> Option<&Uuid> {
match self.attrs.get("uuid") {
Some(vs) => match vs.iter().take(1).next() {
// Uv is a value that might contain uuid - we hope it does!
Some(uv) => uv.to_uuid(),
_ => None,
},
None => None,
}
}
pub fn validate(
self,
schema: &dyn SchemaTransaction,
) -> Result<Entry<EntryValid, STATE>, SchemaError> {
let schema_classes = schema.get_classes();
let schema_attributes = schema.get_attributes();
let uuid: Uuid = match &self.attrs.get("uuid") {
Some(vs) => match vs.iter().take(1).next() {
Some(uuid_v) => match uuid_v.to_uuid() {
Some(uuid) => *uuid,
None => return Err(SchemaError::InvalidAttribute("uuid".to_string())),
},
None => return Err(SchemaError::MissingMustAttribute(vec!["uuid".to_string()])),
},
None => return Err(SchemaError::MissingMustAttribute(vec!["uuid".to_string()])),
};
// Build the new valid entry ...
let ne = Entry {
valid: EntryValid {
uuid,
cid: self.valid.cid,
},
state: self.state,
attrs: self.attrs,
};
// Now validate it!
// We scope here to limit the time of borrow of ne.
{
// First, check we have class on the object ....
if !ne.attribute_pres("class") {
// lrequest_error!("Missing attribute class");
return Err(SchemaError::NoClassFound);
}
// Do we have extensible?
let extensible = ne.attribute_value_pres("class", &CLASS_EXTENSIBLE);
let entry_classes = ne.get_ava_set("class").ok_or(SchemaError::NoClassFound)?;
let mut invalid_classes = Vec::with_capacity(0);
let mut classes: Vec<&SchemaClass> = Vec::with_capacity(entry_classes.len());
entry_classes.iter().for_each(|c: &Value| {
// we specify types here to help me clarify a few things in the
// development process :)
match c.to_str() {
Some(s) => match schema_classes.get(s) {
Some(x) => classes.push(x),
None => invalid_classes.push(s.to_string()),
},
None => invalid_classes.push("corrupt classname".to_string()),
}
});
if !invalid_classes.is_empty() {
// lrequest_error!("Class on entry not found in schema?");
return Err(SchemaError::InvalidClass(invalid_classes));
};
// What this is really doing is taking a set of classes, and building an
// "overall" class that describes this exact object for checking. IE we
// build a super must/may set from the small class must/may sets.
// for each class
// add systemmust/must and systemmay/may to their lists
// add anything from must also into may
// Now from the set of valid classes make a list of must/may
//
// NOTE: We still need this on extensible, because we still need to satisfy
// our other must conditions as well!
let must: Result<Vec<&SchemaAttribute>, _> = classes
.iter()
// Join our class systemmmust + must into one iter
.flat_map(|cls| cls.systemmust.iter().chain(cls.must.iter()))
.map(|s| {
// This should NOT fail - if it does, it means our schema is
// in an invalid state!
Ok(schema_attributes.get(s).ok_or(SchemaError::Corrupted)?)
})
.collect();
let must = must?;
// Check that all must are inplace
// for each attr in must, check it's present on our ent
let mut missing_must = Vec::with_capacity(0);
must.iter().for_each(|attr| {
let avas = ne.get_ava(&attr.name);
if avas.is_none() {
missing_must.push(attr.name.clone());
}
});
if !missing_must.is_empty() {
return Err(SchemaError::MissingMustAttribute(missing_must));
}
if extensible {
// ladmin_warning!("Extensible Object In Use!");
ne.attrs.iter().try_for_each(|(attr_name, avas)| {
match schema_attributes.get(attr_name) {
Some(a_schema) => {
// Now, for each type we do a *full* check of the syntax
// and validity of the ava.
if a_schema.phantom {
/*
lrequest_error!(
"Attempt to add phantom attribute to extensible: {}",
attr_name
);
*/
Err(SchemaError::PhantomAttribute(attr_name.clone()))
} else {
a_schema.validate_ava(attr_name.as_str(), avas)
// .map_err(|e| lrequest_error!("Failed to validate: {}", attr_name);)
}
}
None => {
// lrequest_error!("Invalid Attribute {} for extensible object", attr_name);
Err(SchemaError::InvalidAttribute(attr_name.clone()))
}
}
})?;
} else {
// Note - we do NOT need to check phantom attributes here because they are
// not allowed to exist in the class, which means a phantom attribute can't
// be in the may/must set, and would FAIL our normal checks anyway.
// We clone string here, but it's so we can check all
// the values in "may" ar here - so we can't avoid this look up. What we
// could do though, is have &String based on the schemaattribute though?;
let may: Result<Map<&String, &SchemaAttribute>, _> = classes
.iter()
// Join our class systemmmust + must + systemmay + may into one.
.flat_map(|cls| {
cls.systemmust
.iter()
.chain(cls.must.iter())
.chain(cls.systemmay.iter())
.chain(cls.may.iter())
})
.map(|s| {
// This should NOT fail - if it does, it means our schema is
// in an invalid state!
Ok((s, schema_attributes.get(s).ok_or(SchemaError::Corrupted)?))
})
.collect();
let may = may?;
// TODO #70: Error needs to say what is missing
// We need to return *all* missing attributes, not just the first error
// we find. This will probably take a rewrite of the function definition
// to return a result<_, vec<schemaerror>> and for the schema errors to take
// information about what is invalid. It's pretty nontrivial.
// Check that any other attributes are in may
// for each attr on the object, check it's in the may+must set
ne.attrs.iter().try_for_each(|(attr_name, avas)| {
match may.get(attr_name) {
Some(a_schema) => {
// Now, for each type we do a *full* check of the syntax
// and validity of the ava.
a_schema.validate_ava(attr_name.as_str(), avas)
// .map_err(|e| lrequest_error!("Failed to validate: {}", attr_name);
}
None => {
// lrequest_error!("Invalid Attribute {} for may+must set", attr_name);
Err(SchemaError::InvalidAttribute(attr_name.clone()))
}
}
})?;
}
} // unborrow ne.
// Well, we got here, so okay!
Ok(ne)
}
}
impl<VALID, STATE> Clone for Entry<VALID, STATE>
where
VALID: Clone,
STATE: Clone,
{
// Dirty modifiable state. Works on any other state to dirty them.
fn clone(&self) -> Entry<VALID, STATE> {
Entry {
valid: self.valid.clone(),
state: self.state.clone(),
attrs: self.attrs.clone(),
}
}
}
/*
* A series of unsafe transitions allowing entries to skip certain steps in
* the process to facilitate eq/checks.
*/
impl Entry<EntryInvalid, EntryCommitted> {
#[cfg(test)]
pub unsafe fn into_valid_new(self) -> Entry<EntryValid, EntryNew> {
let uuid = self.get_uuid().expect("Invalid uuid").clone();
Entry {
valid: EntryValid {
cid: self.valid.cid,
uuid,
},
state: EntryNew,
attrs: self.attrs,
}
}
pub fn into_recycled(mut self) -> Self {
self.add_ava("class", Value::new_class("recycled"));
Entry {
valid: self.valid.clone(),
state: self.state,
attrs: self.attrs,
}
}
}
// Both invalid states can be reached from "entry -> invalidate"
impl Entry<EntryInvalid, EntryNew> {
#[cfg(test)]
pub unsafe fn into_valid_new(self) -> Entry<EntryValid, EntryNew> {
let uuid = self.get_uuid().expect("Invalid uuid").clone();
Entry {
valid: EntryValid {
cid: self.valid.cid,
uuid,
},
state: EntryNew,
attrs: self.attrs,
}
}
#[cfg(test)]
pub unsafe fn into_sealed_committed(self) -> Entry<EntrySealed, EntryCommitted> {
let uuid = self
.get_uuid()
.and_then(|u| Some(u.clone()))
.unwrap_or_else(|| Uuid::new_v4());
Entry {
valid: EntrySealed { uuid },
state: EntryCommitted { id: 0 },
attrs: self.attrs,
}
}
/*
#[cfg(test)]
pub unsafe fn into_valid_normal(self) -> Entry<EntryNormalised, EntryNew> {
Entry {
valid: EntryNormalised,
state: EntryNew,
attrs: self
.attrs
.into_iter()
.map(|(k, mut v)| {
v.sort_unstable();
(k, v)
})
.collect(),
}
}
*/
#[cfg(test)]
pub unsafe fn into_valid_committed(self) -> Entry<EntryValid, EntryCommitted> {
let uuid = self
.get_uuid()
.and_then(|u| Some(u.clone()))
.unwrap_or_else(|| Uuid::new_v4());
Entry {
valid: EntryValid {
cid: self.valid.cid,
uuid,
},
state: EntryCommitted { id: 0 },
attrs: self.attrs,
}
}
}
impl Entry<EntryInvalid, EntryCommitted> {
#[cfg(test)]
pub unsafe fn into_sealed_committed(self) -> Entry<EntrySealed, EntryCommitted> {
let uuid = self
.get_uuid()
.and_then(|u| Some(u.clone()))
.unwrap_or_else(|| Uuid::new_v4());
Entry {
valid: EntrySealed { uuid },
state: self.state,
attrs: self.attrs,
}
}
}
impl Entry<EntrySealed, EntryNew> {
#[cfg(test)]
pub unsafe fn into_sealed_committed(self) -> Entry<EntrySealed, EntryCommitted> {
Entry {
valid: self.valid,
state: EntryCommitted { id: 0 },
attrs: self.attrs,
}
}
pub fn into_sealed_committed_id(self, id: u64) -> Entry<EntrySealed, EntryCommitted> {
Entry {
valid: self.valid,
state: EntryCommitted { id },
attrs: self.attrs,
}
}
pub fn compare(&self, rhs: &Entry<EntrySealed, EntryNew>) -> bool {
compare_attrs(&self.attrs, &rhs.attrs)
}
}
type IdxDiff<'a> =
Vec<Result<(&'a String, &'a IndexType, String), (&'a String, &'a IndexType, String)>>;
impl<VALID> Entry<VALID, EntryCommitted> {
pub fn get_id(&self) -> u64 {
self.state.id
}
}
impl<STATE> Entry<EntrySealed, STATE> {
pub fn into_init(self) -> Entry<EntryInit, STATE> {
Entry {
valid: EntryInit,
state: self.state,
attrs: self.attrs,
}
}
}
impl Entry<EntrySealed, EntryCommitted> {
#[cfg(test)]
pub unsafe fn into_sealed_committed(self) -> Entry<EntrySealed, EntryCommitted> {
// NO-OP to satisfy macros.
self
}
pub fn compare(&self, rhs: &Entry<EntrySealed, EntryCommitted>) -> bool {
compare_attrs(&self.attrs, &rhs.attrs)
}
pub fn to_dbentry(&self) -> DbEntry {
// In the future this will do extra work to process uuid
// into "attributes" suitable for dbentry storage.
// How will this work with replication?
//
// Alternately, we may have higher-level types that translate entry
// into proper structures, and they themself emit/modify entries?
DbEntry {
ent: DbEntryVers::V1(DbEntryV1 {
attrs: self
.attrs
.iter()
.map(|(k, vs)| {
let dbvs: Vec<_> = vs.iter().map(|v| v.to_db_valuev1()).collect();
(k.clone(), dbvs)
})
.collect(),
}),
}
}
#[inline]
fn get_name2uuid_cands(&self) -> Set<String> {
// The cands are:
// * spn
// * name
// * gidnumber
let cands = ["spn", "name", "gidnumber"];
cands
.iter()
.filter_map(|c| {
self.attrs
.get(*c)
.map(|avs| avs.iter().map(|v| v.to_proto_string_clone()))
})
.flatten()
.collect()
}
#[inline]
pub(crate) fn get_uuid2spn(&self) -> Value {
self.attrs
.get("spn")
.and_then(|vs| vs.iter().take(1).next().cloned())
.or_else(|| {
self.attrs
.get("name")
.and_then(|vs| vs.iter().take(1).next().cloned())
})
.unwrap_or_else(|| Value::new_uuidr(self.get_uuid()))
}
#[inline]
fn get_uuid2rdn(&self) -> String {
self.attrs
.get("spn")
.and_then(|vs| {
vs.iter()
.take(1)
.next()
.map(|v| format!("spn={}", v.to_proto_string_clone()))
})
.or_else(|| {
self.attrs.get("name").and_then(|vs| {
vs.iter()
.take(1)
.next()
.map(|v| format!("name={}", v.to_proto_string_clone()))
})
})
.unwrap_or_else(|| format!("uuid={}", self.get_uuid().to_hyphenated_ref()))
}
#[inline]
pub(crate) fn mask_recycled_ts(&self) -> Option<&Self> {
// Only when cls has ts/rc then None, else lways Some(self).
match self.attrs.get("class") {
Some(cls) => {
if cls.contains(&PVCLASS_TOMBSTONE as &PartialValue)
|| cls.contains(&PVCLASS_RECYCLED as &PartialValue)
{
None
} else {
Some(self)
}
}
None => Some(self),
}
}
/// Generate the required values for a name2uuid index. IE this is
/// ALL possible names this entry COULD be known uniquely by!
pub(crate) fn idx_name2uuid_diff(
pre: Option<&Self>,
post: Option<&Self>,
) -> (
// Add
Option<Set<String>>,
// Remove
Option<Set<String>>,
) {
// needs to return gid for posix conversion
match (pre, post) {
(None, None) => {
// No action required
(None, None)
}
(None, Some(b)) => {
// We are adding this entry (or restoring it),
// so we need to add the values.
(Some(b.get_name2uuid_cands()), None)
}
(Some(a), None) => {
// Removing the entry, remove all values.
(None, Some(a.get_name2uuid_cands()))
}
(Some(a), Some(b)) => {
let pre_set = a.get_name2uuid_cands();
let post_set = b.get_name2uuid_cands();
// what is in post, but not pre (added)
let add_set: Set<_> = post_set.difference(&pre_set).cloned().collect();
// what is in pre, but not post (removed)
let rem_set: Set<_> = pre_set.difference(&post_set).cloned().collect();
(Some(add_set), Some(rem_set))
}
}
}
pub(crate) fn idx_uuid2spn_diff(
pre: Option<&Self>,
post: Option<&Self>,
) -> Option<Result<Value, ()>> {
match (pre, post) {
(None, None) => {
// no action
None
}
(None, Some(b)) => {
// add
Some(Ok(b.get_uuid2spn()))
}
(Some(_a), None) => {
// remove
Some(Err(()))
}
(Some(a), Some(b)) => {
let ia = a.get_uuid2spn();
let ib = b.get_uuid2spn();
if ia != ib {
// Add (acts as replace)
Some(Ok(ib))
} else {
// no action
None
}
}
}
}
pub(crate) fn idx_uuid2rdn_diff(
pre: Option<&Self>,
post: Option<&Self>,
) -> Option<Result<String, ()>> {
match (pre, post) {
(None, None) => {
// no action
None
}
(None, Some(b)) => {
// add
Some(Ok(b.get_uuid2rdn()))
}
(Some(_a), None) => {
// remove
Some(Err(()))
}
(Some(a), Some(b)) => {
let ia = a.get_uuid2rdn();
let ib = b.get_uuid2rdn();
if ia != ib {
// Add (acts as replace)
Some(Ok(ib))
} else {
// no action
None
}
}
}
}
// This is an associated method, not on & self so we can take options on
// both sides.
pub(crate) fn idx_diff<'a>(
idxmeta: &'a HashSet<IdxKey>,
pre: Option<&Self>,
post: Option<&Self>,
) -> IdxDiff<'a> {
// We yield a list of Result, where Ok() means "add",
// and Err() means "remove".
// the value inside the result, is a tuple of attr, itype, idx_key
match (pre, post) {
(None, None) => {
// if both are none, yield empty list.
Vec::new()
}
(Some(pre_e), None) => {
// If we are none (?), yield our pre-state as removals.
idxmeta
.iter()
.flat_map(|ikey| {
match pre_e.get_ava(ikey.attr.as_str()) {
None => Vec::new(),
Some(vs) => {
let changes: Vec<Result<_, _>> = match ikey.itype {
IndexType::EQUALITY => {
vs.flat_map(|v| {
// Turn each idx_key to the tuple of
// changes.
v.generate_idx_eq_keys().into_iter().map(|idx_key| {
Err((&ikey.attr, &ikey.itype, idx_key))
})
})
.collect()
}
IndexType::PRESENCE => {
vec![Err((&ikey.attr, &ikey.itype, "_".to_string()))]
}
IndexType::SUBSTRING => Vec::new(),
};
changes
}
}
})
.collect()
}
(None, Some(post_e)) => {
// If the pre-state is none, yield our additions.
idxmeta
.iter()
.flat_map(|ikey| {
match post_e.get_ava(ikey.attr.as_str()) {
None => Vec::new(),
Some(vs) => {
let changes: Vec<Result<_, _>> = match ikey.itype {
IndexType::EQUALITY => {
vs.flat_map(|v| {
// Turn each idx_key to the tuple of
// changes.
v.generate_idx_eq_keys().into_iter().map(|idx_key| {
Ok((&ikey.attr, &ikey.itype, idx_key))
})
})
.collect()
}
IndexType::PRESENCE => {
vec![Ok((&ikey.attr, &ikey.itype, "_".to_string()))]
}
IndexType::SUBSTRING => Vec::new(),
};
// For each value
//
changes
}
}
})
.collect()
}
(Some(pre_e), Some(post_e)) => {
assert!(pre_e.state.id == post_e.state.id);
idxmeta
.iter()
.flat_map(|ikey| {
match (
pre_e.get_ava_set(ikey.attr.as_str()),
post_e.get_ava_set(ikey.attr.as_str()),
) {
(None, None) => {
// Neither have it, do nothing.
Vec::new()
}
(Some(pre_vs), None) => {
// It existed before, but not anymore
let changes: Vec<Result<_, _>> = match ikey.itype {
IndexType::EQUALITY => {
pre_vs
.iter()
.flat_map(|v| {
// Turn each idx_key to the tuple of
// changes.
v.generate_idx_eq_keys().into_iter().map(
|idx_key| {
Err((&ikey.attr, &ikey.itype, idx_key))
},
)
})
.collect()
}
IndexType::PRESENCE => {
vec![Err((&ikey.attr, &ikey.itype, "_".to_string()))]
}
IndexType::SUBSTRING => Vec::new(),
};
changes
}
(None, Some(post_vs)) => {
// It was added now.
let changes: Vec<Result<_, _>> = match ikey.itype {
IndexType::EQUALITY => {
post_vs
.iter()
.flat_map(|v| {
// Turn each idx_key to the tuple of
// changes.
v.generate_idx_eq_keys().into_iter().map(
|idx_key| {
Ok((&ikey.attr, &ikey.itype, idx_key))
},
)
})
.collect()
}
IndexType::PRESENCE => {
vec![Ok((&ikey.attr, &ikey.itype, "_".to_string()))]
}
IndexType::SUBSTRING => Vec::new(),
};
changes
}
(Some(pre_vs), Some(post_vs)) => {
// it exists in both, we need to work out the differents within the attr.
pre_vs
.difference(&post_vs)
.map(|pre_v| {
// Was in pre, now not in post
match ikey.itype {
IndexType::EQUALITY => {
// Remove the v
pre_v
.generate_idx_eq_keys()
.into_iter()
.map(|idx_key| {
Err((&ikey.attr, &ikey.itype, idx_key))
})
.collect()
}
IndexType::PRESENCE => {
// No action - we still are "present", so nothing to do!
Vec::new()
}
IndexType::SUBSTRING => Vec::new(),
}
})
.chain(post_vs.difference(&pre_vs).map(|post_v| {
// is in post, but not in pre (add)
match ikey.itype {
IndexType::EQUALITY => {
// Remove the v
post_v
.generate_idx_eq_keys()
.into_iter()
.map(|idx_key| {
Ok((&ikey.attr, &ikey.itype, idx_key))
})
.collect()
}
IndexType::PRESENCE => {
// No action - we still are "present", so nothing to do!
Vec::new()
}
IndexType::SUBSTRING => Vec::new(),
}
}))
.flatten() // flatten all the inner vecs
.collect() // now collect to an array of changes.
}
}
})
.collect()
// End diff of the entries
}
}
}
pub fn from_dbentry(au: &mut AuditScope, db_e: DbEntry, id: u64) -> Result<Self, ()> {
// Convert attrs from db format to value
let r_attrs: Result<Map<String, Set<Value>>, ()> = match db_e.ent {
DbEntryVers::V1(v1) => v1
.attrs
.into_iter()
.map(|(k, vs)| {
let vv: Result<Set<Value>, ()> =
vs.into_iter().map(Value::from_db_valuev1).collect();
match vv {
Ok(vv) => Ok((k, vv)),
Err(()) => {
ladmin_error!(au, "from_dbentry failed on value {:?}", k);
Err(())
}
}
})
.collect(),
};
let attrs = r_attrs?;
let uuid: Uuid = *match attrs.get("uuid") {
Some(vs) => vs.iter().take(1).next(),
None => None,
}
.ok_or(())?
// Now map value -> uuid
.to_uuid()
.ok_or(())?;
Ok(Entry {
valid: EntrySealed { uuid },
state: EntryCommitted { id },
attrs,
})
}
pub unsafe fn into_reduced(self) -> Entry<EntryReduced, EntryCommitted> {
Entry {
valid: EntryReduced {
uuid: self.valid.uuid,
},
state: self.state,
attrs: self.attrs,
}
}
pub fn reduce_attributes(
self,
allowed_attrs: &BTreeSet<&str>,
) -> Entry<EntryReduced, EntryCommitted> {
// Remove all attrs from our tree that are NOT in the allowed set.
let Entry {
valid: s_valid,
state: s_state,
attrs: s_attrs,
} = self;
let f_attrs: Map<_, _> = s_attrs
.into_iter()
.filter_map(|(k, v)| {
if allowed_attrs.contains(k.as_str()) {
Some((k, v))
} else {
None
}
})
.collect();
Entry {
valid: EntryReduced { uuid: s_valid.uuid },
state: s_state,
attrs: f_attrs,
}
}
pub fn to_tombstone(&self, cid: Cid) -> Entry<EntryInvalid, EntryCommitted> {
// Duplicate this to a tombstone entry
let class_ava = btreeset![Value::new_class("object"), Value::new_class("tombstone")];
let last_mod_ava = btreeset![Value::new_cid(cid.clone())];
let mut attrs_new: Map<String, Set<Value>> = Map::new();
attrs_new.insert(
"uuid".to_string(),
btreeset![Value::new_uuidr(&self.get_uuid())],
);
attrs_new.insert("class".to_string(), class_ava);
attrs_new.insert("last_modified_cid".to_string(), last_mod_ava);
Entry {
valid: EntryInvalid { cid },
state: self.state.clone(),
attrs: attrs_new,
}
}
pub fn into_valid(self, cid: Cid) -> Entry<EntryValid, EntryCommitted> {
Entry {
valid: EntryValid {
uuid: self.valid.uuid,
cid,
},
state: self.state,
attrs: self.attrs,
}
}
}
impl<STATE> Entry<EntryValid, STATE> {
// Returns the entry in the latest DbEntry format we are aware of.
pub fn invalidate(self) -> Entry<EntryInvalid, STATE> {
Entry {
valid: EntryInvalid {
cid: self.valid.cid,
},
state: self.state,
attrs: self.attrs,
}
}
pub fn seal(self) -> Entry<EntrySealed, STATE> {
Entry {
valid: EntrySealed {
uuid: self.valid.uuid,
},
state: self.state,
attrs: self.attrs,
}
}
pub fn get_uuid(&self) -> &Uuid {
&self.valid.uuid
}
}
impl<STATE> Entry<EntrySealed, STATE> {
// Returns the entry in the latest DbEntry format we are aware of.
pub fn invalidate(mut self, cid: Cid) -> Entry<EntryInvalid, STATE> {
/* Setup our last changed time. */
self.set_last_changed(cid.clone());
Entry {
valid: EntryInvalid { cid },
state: self.state,
attrs: self.attrs,
}
}
pub fn get_uuid(&self) -> &Uuid {
&self.valid.uuid
}
#[cfg(test)]
pub unsafe fn into_invalid(mut self) -> Entry<EntryInvalid, STATE> {
self.set_last_changed(Cid::new_zero());
Entry {
valid: EntryInvalid {
cid: Cid::new_zero(),
},
state: self.state,
attrs: self.attrs,
}
}
}
impl Entry<EntryReduced, EntryCommitted> {
pub fn get_uuid(&self) -> &Uuid {
&self.valid.uuid
}
pub fn to_pe(
&self,
audit: &mut AuditScope,
qs: &QueryServerReadTransaction,
) -> Result<ProtoEntry, OperationError> {
// Turn values -> Strings.
let attrs: Result<_, _> = self
.attrs
.iter()
.map(|(k, vs)| {
let pvs: Result<Vec<String>, _> =
vs.iter().map(|v| qs.resolve_value(audit, v)).collect();
let pvs = pvs?;
Ok((k.clone(), pvs))
})
.collect();
Ok(ProtoEntry { attrs: attrs? })
}
pub fn to_ldap(
&self,
audit: &mut AuditScope,
qs: &QueryServerReadTransaction,
basedn: &str,
) -> Result<LdapSearchResultEntry, OperationError> {
let rdn = qs.uuid_to_rdn(audit, self.get_uuid())?;
let dn = format!("{},{}", rdn, basedn);
let attributes: Result<Vec<_>, _> = self
.attrs
.iter()
.map(|(k, vs)| {
let pvs: Result<Vec<String>, _> = vs
.iter()
.map(|v| qs.resolve_value_ldap(audit, v, basedn))
.collect();
let pvs = pvs?;
let ks = ldap_attr_entry_map(k.as_str());
Ok(LdapPartialAttribute {
atype: ks,
vals: pvs,
})
})
.collect();
let attributes = attributes?;
Ok(LdapSearchResultEntry { dn, attributes })
}
}
// impl<STATE> Entry<EntryValid, STATE> {
impl<VALID, STATE> Entry<VALID, STATE> {
fn add_ava_int(&mut self, attr: &str, value: Value) {
// How do we make this turn into an ok / err?
let v = self.attrs.entry(attr.to_string()).or_insert_with(Set::new);
// Here we need to actually do a check/binary search ...
v.insert(value);
// Doesn't matter if it already exists, equality will replace.
}
fn set_last_changed(&mut self, cid: Cid) {
let cv = btreeset![Value::new_cid(cid)];
let _ = self.attrs.insert("last_modified_cid".to_string(), cv);
}
#[inline(always)]
pub fn get_ava_names(&self) -> impl Iterator<Item = &str> {
// Get the set of all attribute names in the entry
self.attrs.keys().map(|a| a.as_str())
}
#[inline(always)]
pub fn get_ava(&self, attr: &str) -> Option<impl Iterator<Item = &Value>> {
self.attrs.get(attr).map(|vs| vs.iter())
}
#[inline(always)]
pub fn get_ava_set(&self, attr: &str) -> Option<&Set<Value>> {
self.attrs.get(attr)
}
#[inline(always)]
pub fn get_ava_as_str(&self, attr: &str) -> Option<impl Iterator<Item = &str>> {
self.get_ava(attr).map(|i| i.filter_map(|s| s.to_str()))
}
#[inline(always)]
pub fn get_ava_as_refuuid(&self, attr: &str) -> Option<impl Iterator<Item = &Uuid>> {
// If any value is NOT a reference, it's filtered out.
self.get_ava(attr)
.map(|i| i.filter_map(|v| v.to_ref_uuid()))
}
#[inline(always)]
pub fn get_ava_iter_sshpubkeys(&self, attr: &str) -> Option<impl Iterator<Item = &str>> {
self.get_ava(attr).map(|i| i.filter_map(|v| v.get_sshkey()))
}
// These are special types to allow returning typed values from
// an entry, if we "know" what we expect to receive.
/// This returns an array of IndexTypes, when the type is an Optional
/// multivalue in schema - IE this will *not* fail if the attribute is
/// empty, yielding and empty array instead.
///
/// However, the converstion to IndexType is fallaible, so in case of a failure
/// to convert, an Err is returned.
#[inline(always)]
// TODO: Can tis be an iterator?
pub(crate) fn get_ava_opt_index(&self, attr: &str) -> Result<Vec<&IndexType>, ()> {
match self.attrs.get(attr) {
Some(av) => {
let r: Result<Vec<_>, _> = av.iter().map(|v| v.to_indextype().ok_or(())).collect();
r
}
None => Ok(Vec::new()),
}
}
/// Returns NONE if there is more than ONE!!!!
#[inline(always)]
pub fn get_ava_single(&self, attr: &str) -> Option<&Value> {
match self.attrs.get(attr) {
Some(vs) => {
if vs.len() != 1 {
None
} else {
vs.iter().take(1).next()
}
}
None => None,
}
}
/// Get a bool from an ava
#[inline(always)]
pub fn get_ava_single_bool(&self, attr: &str) -> Option<bool> {
self.get_ava_single(attr).and_then(|a| a.to_bool())
}
#[inline(always)]
pub fn get_ava_single_uint32(&self, attr: &str) -> Option<u32> {
self.get_ava_single(attr).and_then(|a| a.to_uint32())
}
#[inline(always)]
pub fn get_ava_single_syntax(&self, attr: &str) -> Option<&SyntaxType> {
self.get_ava_single(attr).and_then(|a| a.to_syntaxtype())
}
#[inline(always)]
pub fn get_ava_single_credential(&self, attr: &str) -> Option<&Credential> {
self.get_ava_single(attr).and_then(|a| a.to_credential())
}
#[inline(always)]
pub fn get_ava_single_radiuscred(&self, attr: &str) -> Option<&str> {
self.get_ava_single(attr)
.and_then(|a| a.get_radius_secret())
}
#[inline(always)]
pub fn get_ava_single_datetime(&self, attr: &str) -> Option<OffsetDateTime> {
self.get_ava_single(attr).and_then(|a| a.to_datetime())
}
#[inline(always)]
pub fn get_ava_single_str(&self, attr: &str) -> Option<&str> {
self.get_ava_single(attr).and_then(|v| v.to_str())
}
#[inline(always)]
pub fn get_ava_single_protofilter(&self, attr: &str) -> Option<&ProtoFilter> {
self.get_ava_single(attr)
.and_then(|v: &Value| v.as_json_filter())
}
#[inline(always)]
pub(crate) fn generate_spn(&self, domain_name: &str) -> Option<Value> {
self.get_ava_single_str("name")
.map(|name| Value::new_spn_str(name, domain_name))
}
#[inline(always)]
pub fn attribute_pres(&self, attr: &str) -> bool {
// Note, we don't normalise attr name, but I think that's not
// something we should over-optimise on.
self.attrs.contains_key(attr)
}
#[inline(always)]
pub fn attribute_value_pres(&self, attr: &str, value: &PartialValue) -> bool {
// Yeah, this is techdebt, but both names of this fn are valid - we are
// checking if an attribute-value is equal to, or asserting it's present
// as a pair. So I leave both, and let the compiler work it out.
self.attribute_equality(attr, value)
}
#[inline(always)]
pub fn attribute_equality(&self, attr: &str, value: &PartialValue) -> bool {
// we assume based on schema normalisation on the way in
// that the equality here of the raw values MUST be correct.
// We also normalise filters, to ensure that their values are
// syntax valid and will correctly match here with our indexes.
match self.attrs.get(attr) {
Some(v_list) => v_list.contains(value),
None => false,
}
}
#[inline(always)]
pub fn attribute_substring(&self, attr: &str, subvalue: &PartialValue) -> bool {
match self.attrs.get(attr) {
Some(v_list) => v_list
.iter()
.fold(false, |acc, v| if acc { acc } else { v.contains(subvalue) }),
None => false,
}
}
/// Confirm if at least one value in the ava is less than subvalue.
#[inline(always)]
pub fn attribute_lessthan(&self, attr: &str, subvalue: &PartialValue) -> bool {
match self.attrs.get(attr) {
Some(v_list) => v_list
.iter()
.fold(false, |acc, v| if acc { acc } else { v.lessthan(subvalue) }),
None => false,
}
}
// Since EntryValid/Invalid is just about class adherenece, not Value correctness, we
// can now apply filters to invalid entries - why? Because even if they aren't class
// valid, we still have strict typing checks between the filter -> entry to guarantee
// they should be functional. We'll never match something that isn't syntactially valid.
#[inline(always)]
pub fn entry_match_no_index(&self, filter: &Filter<FilterValidResolved>) -> bool {
self.entry_match_no_index_inner(filter.to_inner())
}
// This is private, but exists on all types, so that valid and normal can then
// expose the simpler wrapper for entry_match_no_index only.
// Assert if this filter matches the entry (no index)
fn entry_match_no_index_inner(&self, filter: &FilterResolved) -> bool {
// Go through the filter components and check them in the entry.
// This is recursive!!!!
match filter {
FilterResolved::Eq(attr, value, _) => self.attribute_equality(attr.as_str(), value),
FilterResolved::Sub(attr, subvalue, _) => {
self.attribute_substring(attr.as_str(), subvalue)
}
FilterResolved::Pres(attr, _) => {
// Given attr, is is present in the entry?
self.attribute_pres(attr.as_str())
}
FilterResolved::LessThan(attr, subvalue, _) => {
self.attribute_lessthan(attr.as_str(), subvalue)
}
FilterResolved::Or(l) => l.iter().fold(false, |acc, f| {
// Check with ftweedal about or filter zero len correctness.
if acc {
acc
} else {
self.entry_match_no_index_inner(f)
}
}),
FilterResolved::And(l) => l.iter().fold(true, |acc, f| {
// Check with ftweedal about and filter zero len correctness.
if acc {
self.entry_match_no_index_inner(f)
} else {
acc
}
}),
FilterResolved::Inclusion(_) => {
// An inclusion doesn't make sense on an entry in isolation!
// Inclusions are part of exists queries, on search they mean
// nothing!
false
}
FilterResolved::AndNot(f) => !self.entry_match_no_index_inner(f),
}
}
pub fn filter_from_attrs(&self, attrs: &[String]) -> Option<Filter<FilterInvalid>> {
// Because we are a valid entry, a filter we create still may not
// be valid because the internal server entry templates are still
// created by humans! Plus double checking something already valid
// is not bad ...
//
// Generate a filter from the attributes requested and defined.
// Basically, this is a series of nested and's (which will be
// optimised down later: but if someone wants to solve flatten() ...)
// Take name: (a, b), name: (c, d) -> (name, a), (name, b), (name, c), (name, d)
let mut pairs: Vec<(&str, &Value)> = Vec::new();
for attr in attrs {
match self.attrs.get(attr) {
Some(values) => {
for v in values {
pairs.push((attr, v))
}
}
None => return None,
}
}
Some(filter_all!(f_and(
pairs
.into_iter()
.map(|(attr, value)| {
// We use FC directly here instead of f_eq to avoid an excess clone.
FC::Eq(attr, value.to_partialvalue())
})
.collect()
)))
}
pub fn gen_modlist_assert(
&self,
schema: &dyn SchemaTransaction,
) -> Result<ModifyList<ModifyInvalid>, SchemaError> {
// Create a modlist from this entry. We make this assuming we want the entry
// to have this one as a subset of values. This means if we have single
// values, we'll replace, if they are multivalue, we present them.
let mut mods = ModifyList::new();
for (k, vs) in self.attrs.iter() {
// WHY?! We skip uuid here because it is INVALID for a UUID
// to be in a modlist, and the base.rs plugin will fail if it
// is there. This actually doesn't matter, because to apply the
// modlist in these situations we already know the entry MUST
// exist with that UUID, we only need to conform it's other
// attributes into the same state.
//
// In the future, if we make uuid a real entry type, then this
// check can "go away" because uuid will never exist as an ava.
//
// NOTE: Remove this check when uuid becomes a real attribute.
// UUID is now a real attribute, but it also has an ava for db_entry
// conversion - so what do? If we remove it here, we could have CSN issue with
// repl on uuid conflict, but it probably shouldn't be an ava either ...
// as a result, I think we need to keep this continue line to not cause issues.
if k == "uuid" {
continue;
}
// Get the schema attribute type out.
match schema.is_multivalue(k) {
Ok(r) => {
if !r {
// As this is single value, purge then present to maintain this
// invariant
mods.push_mod(Modify::Purged(k.clone()));
}
}
// A schema error happened, fail the whole operation.
Err(e) => return Err(e),
}
for v in vs {
mods.push_mod(Modify::Present(k.clone(), v.clone()));
}
}
Ok(mods)
}
}
impl<STATE> Entry<EntryInvalid, STATE>
where
STATE: Clone,
{
// This should always work? It's only on validate that we'll build
// a list of syntax violations ...
// If this already exists, we silently drop the event? Is that an
// acceptable interface?
//
// TODO: This should take Value not &Value, would save a lot of clones
// around the codebase.
pub fn add_ava(&mut self, attr: &str, value: Value) {
self.add_ava_int(attr, value)
}
fn remove_ava(&mut self, attr: &str, value: &PartialValue) {
// It would be great to remove these extra allocations, but they
// really don't cost much :(
self.attrs.entry(attr.to_string()).and_modify(|v| {
// Here we need to actually do a check/binary search ...
v.remove(value);
});
}
// Need something that can remove by difference?
pub(crate) fn remove_avas(&mut self, attr: &str, values: &BTreeSet<PartialValue>) {
if let Some(set) = self.attrs.get_mut(attr) {
values.iter().for_each(|k| {
set.remove(k);
})
}
}
pub fn purge_ava(&mut self, attr: &str) {
self.attrs.remove(attr);
}
pub fn pop_ava(&mut self, attr: &str) -> Option<Set<Value>> {
self.attrs.remove(attr)
}
/// Provide a true ava set.
pub fn set_ava(&mut self, attr: &str, values: Set<Value>) {
// Overwrite the existing value, build a tree from the list.
let _ = self.attrs.insert(attr.to_string(), values);
}
/*
pub fn avas_mut(&mut self) -> EntryAvasMut {
EntryAvasMut {
inner: self.attrs.iter_mut(),
}
}
*/
// Should this be schemaless, relying on checks of the modlist, and the entry validate after?
// YES. Makes it very cheap.
pub fn apply_modlist(&mut self, modlist: &ModifyList<ModifyValid>) {
// -> Result<Entry<EntryInvalid, STATE>, OperationError> {
// Apply a modlist, generating a new entry that conforms to the changes.
// This is effectively clone-and-transform
// mutate
for modify in modlist {
match modify {
Modify::Present(a, v) => self.add_ava(a.as_str(), v.clone()),
Modify::Removed(a, v) => self.remove_ava(a.as_str(), v),
Modify::Purged(a) => self.purge_ava(a.as_str()),
}
}
}
}
impl<VALID, STATE> PartialEq for Entry<VALID, STATE> {
fn eq(&self, rhs: &Entry<VALID, STATE>) -> bool {
// This may look naive - but it is correct. This is because
// all items that end up in an item MUST have passed through
// schema validation and normalisation so we can assume that
// all rules were applied correctly. Thus we can just simply
// do a char-compare like this.
//
// Of course, this is only true on the "Valid" types ... the others
// are not guaranteed to support this ... but more likely that will
// just end in eager false-results. We'll never say something is true
// that should NOT be.
compare_attrs(&self.attrs, &rhs.attrs)
}
}
impl From<&SchemaAttribute> for Entry<EntryInit, EntryNew> {
fn from(s: &SchemaAttribute) -> Self {
// Convert an Attribute to an entry ... make it good!
let uuid_v = btreeset![Value::new_uuidr(&s.uuid)];
let name_v = btreeset![Value::new_iutf8(s.name.as_str())];
let desc_v = btreeset![Value::new_utf8(s.description.clone())];
let multivalue_v = btreeset![Value::from(s.multivalue)];
let unique_v = btreeset![Value::from(s.unique)];
let index_v: Set<_> = s.index.iter().map(|i| Value::from(i.clone())).collect();
let syntax_v = btreeset![Value::from(s.syntax.clone())];
// Build the Map of the attributes relevant
let mut attrs: Map<String, Set<Value>> = Map::with_capacity(16);
attrs.insert("attributename".to_string(), name_v);
attrs.insert("description".to_string(), desc_v);
attrs.insert("uuid".to_string(), uuid_v);
attrs.insert("multivalue".to_string(), multivalue_v);
attrs.insert("unique".to_string(), unique_v);
attrs.insert("index".to_string(), index_v);
attrs.insert("syntax".to_string(), syntax_v);
attrs.insert(
"class".to_string(),
btreeset![
Value::new_class("object"),
Value::new_class("system"),
Value::new_class("attributetype")
],
);
// Insert stuff.
Entry {
valid: EntryInit,
state: EntryNew,
attrs,
}
}
}
impl From<&SchemaClass> for Entry<EntryInit, EntryNew> {
fn from(s: &SchemaClass) -> Self {
let uuid_v = btreeset![Value::new_uuidr(&s.uuid)];
let name_v = btreeset![Value::new_iutf8(s.name.as_str())];
let desc_v = btreeset![Value::new_utf8(s.description.clone())];
let mut attrs: Map<String, Set<Value>> = Map::with_capacity(16);
attrs.insert("classname".to_string(), name_v);
attrs.insert("description".to_string(), desc_v);
attrs.insert("uuid".to_string(), uuid_v);
attrs.insert(
"class".to_string(),
btreeset![
Value::new_class("object"),
Value::new_class("system"),
Value::new_class("classtype")
],
);
if !s.systemmay.is_empty() {
attrs.insert(
"systemmay".to_string(),
s.systemmay
.iter()
.map(|sm| Value::new_attr(sm.as_str()))
.collect(),
);
}
if !s.systemmust.is_empty() {
attrs.insert(
"systemmust".to_string(),
s.systemmust
.iter()
.map(|sm| Value::new_attr(sm.as_str()))
.collect(),
);
}
Entry {
valid: EntryInit,
state: EntryNew,
attrs,
}
}
}
#[cfg(test)]
mod tests {
use crate::be::IdxKey;
use crate::entry::{Entry, EntryInit, EntryInvalid, EntryNew};
use crate::modify::{Modify, ModifyList};
use crate::value::{IndexType, PartialValue, Value};
use hashbrown::HashSet;
use std::collections::BTreeSet as Set;
#[test]
fn test_entry_basic() {
let mut e: Entry<EntryInit, EntryNew> = Entry::new();
e.add_ava("userid", Value::from("william"));
}
#[test]
fn test_entry_dup_value() {
// Schema doesn't matter here because we are duplicating a value
// it should fail!
// We still probably need schema here anyway to validate what we
// are adding ... Or do we validate after the changes are made in
// total?
let mut e: Entry<EntryInit, EntryNew> = Entry::new();
e.add_ava("userid", Value::from("william"));
e.add_ava("userid", Value::from("william"));
let values = e.get_ava_set("userid").expect("Failed to get ava");
// Should only be one value!
assert_eq!(values.len(), 1)
}
#[test]
fn test_entry_pres() {
let mut e: Entry<EntryInit, EntryNew> = Entry::new();
e.add_ava("userid", Value::from("william"));
assert!(e.attribute_pres("userid"));
assert!(!e.attribute_pres("name"));
}
#[test]
fn test_entry_equality() {
let mut e: Entry<EntryInit, EntryNew> = Entry::new();
e.add_ava("userid", Value::from("william"));
assert!(e.attribute_equality("userid", &PartialValue::new_utf8s("william")));
assert!(!e.attribute_equality("userid", &PartialValue::new_utf8s("test")));
assert!(!e.attribute_equality("nonexist", &PartialValue::new_utf8s("william")));
// Also test non-matching attr syntax
assert!(!e.attribute_equality("userid", &PartialValue::new_class("william")));
}
#[test]
fn test_entry_substring() {
let mut e: Entry<EntryInit, EntryNew> = Entry::new();
e.add_ava("userid", Value::from("william"));
assert!(e.attribute_substring("userid", &PartialValue::new_utf8s("william")));
assert!(e.attribute_substring("userid", &PartialValue::new_utf8s("will")));
assert!(e.attribute_substring("userid", &PartialValue::new_utf8s("liam")));
assert!(e.attribute_substring("userid", &PartialValue::new_utf8s("lli")));
assert!(!e.attribute_substring("userid", &PartialValue::new_utf8s("llim")));
assert!(!e.attribute_substring("userid", &PartialValue::new_utf8s("bob")));
assert!(!e.attribute_substring("userid", &PartialValue::new_utf8s("wl")));
}
#[test]
fn test_entry_lessthan() {
let mut e1: Entry<EntryInit, EntryNew> = Entry::new();
let pv2 = PartialValue::new_uint32(2);
let pv8 = PartialValue::new_uint32(8);
let pv10 = PartialValue::new_uint32(10);
let pv15 = PartialValue::new_uint32(15);
e1.add_ava("a", Value::new_uint32(10));
assert!(e1.attribute_lessthan("a", &pv2) == false);
assert!(e1.attribute_lessthan("a", &pv8) == false);
assert!(e1.attribute_lessthan("a", &pv10) == false);
assert!(e1.attribute_lessthan("a", &pv15) == true);
e1.add_ava("a", Value::new_uint32(8));
assert!(e1.attribute_lessthan("a", &pv2) == false);
assert!(e1.attribute_lessthan("a", &pv8) == false);
assert!(e1.attribute_lessthan("a", &pv10) == true);
assert!(e1.attribute_lessthan("a", &pv15) == true);
}
#[test]
fn test_entry_apply_modlist() {
// Test application of changes to an entry.
let mut e: Entry<EntryInvalid, EntryNew> = unsafe { Entry::new().into_invalid_new() };
e.add_ava("userid", Value::from("william"));
let present_single_mods = unsafe {
ModifyList::new_valid_list(vec![Modify::Present(
String::from("attr"),
Value::new_iutf8("value"),
)])
};
e.apply_modlist(&present_single_mods);
// Assert the changes are there
assert!(e.attribute_equality("userid", &PartialValue::new_utf8s("william")));
assert!(e.attribute_equality("attr", &PartialValue::new_iutf8("value")));
// Assert present for multivalue
let present_multivalue_mods = unsafe {
ModifyList::new_valid_list(vec![
Modify::Present(String::from("class"), Value::new_iutf8("test")),
Modify::Present(String::from("class"), Value::new_iutf8("multi_test")),
])
};
e.apply_modlist(&present_multivalue_mods);
assert!(e.attribute_equality("class", &PartialValue::new_iutf8("test")));
assert!(e.attribute_equality("class", &PartialValue::new_iutf8("multi_test")));
// Assert purge on single/multi/empty value
let purge_single_mods =
unsafe { ModifyList::new_valid_list(vec![Modify::Purged(String::from("attr"))]) };
e.apply_modlist(&purge_single_mods);
assert!(!e.attribute_pres("attr"));
let purge_multi_mods =
unsafe { ModifyList::new_valid_list(vec![Modify::Purged(String::from("class"))]) };
e.apply_modlist(&purge_multi_mods);
assert!(!e.attribute_pres("class"));
let purge_empty_mods = purge_single_mods;
e.apply_modlist(&purge_empty_mods);
// Assert removed on value that exists and doesn't exist
let remove_mods = unsafe {
ModifyList::new_valid_list(vec![Modify::Removed(
String::from("attr"),
PartialValue::new_iutf8("value"),
)])
};
e.apply_modlist(&present_single_mods);
assert!(e.attribute_equality("attr", &PartialValue::new_iutf8("value")));
e.apply_modlist(&remove_mods);
assert!(e.attrs.get("attr").unwrap().is_empty());
let remove_empty_mods = remove_mods;
e.apply_modlist(&remove_empty_mods);
assert!(e.attrs.get("attr").unwrap().is_empty());
}
#[test]
fn test_entry_idx_diff() {
let mut e1: Entry<EntryInit, EntryNew> = Entry::new();
e1.add_ava("userid", Value::from("william"));
let mut e1_mod = e1.clone();
e1_mod.add_ava("extra", Value::from("test"));
let e1 = unsafe { e1.into_sealed_committed() };
let e1_mod = unsafe { e1_mod.into_sealed_committed() };
let mut e2: Entry<EntryInit, EntryNew> = Entry::new();
e2.add_ava("userid", Value::from("claire"));
let e2 = unsafe { e2.into_sealed_committed() };
let mut idxmeta = HashSet::with_capacity(8);
idxmeta.insert(IdxKey {
attr: "userid".to_string(),
itype: IndexType::EQUALITY,
});
idxmeta.insert(IdxKey {
attr: "userid".to_string(),
itype: IndexType::PRESENCE,
});
idxmeta.insert(IdxKey {
attr: "extra".to_string(),
itype: IndexType::EQUALITY,
});
// When we do None, None, we get nothing back.
let r1 = Entry::idx_diff(&idxmeta, None, None);
eprintln!("{:?}", r1);
assert!(r1 == Vec::new());
// Check generating a delete diff
let mut del_r = Entry::idx_diff(&idxmeta, Some(&e1), None);
del_r.sort_unstable();
eprintln!("del_r {:?}", del_r);
assert!(
del_r[0]
== Err((
&"userid".to_string(),
&IndexType::EQUALITY,
"william".to_string()
))
);
assert!(del_r[1] == Err((&"userid".to_string(), &IndexType::PRESENCE, "_".to_string())));
// Check generating an add diff
let mut add_r = Entry::idx_diff(&idxmeta, None, Some(&e1));
add_r.sort_unstable();
eprintln!("{:?}", add_r);
assert!(
add_r[0]
== Ok((
&"userid".to_string(),
&IndexType::EQUALITY,
"william".to_string()
))
);
assert!(add_r[1] == Ok((&"userid".to_string(), &IndexType::PRESENCE, "_".to_string())));
// Check the mod cases now
// Check no changes
let no_r = Entry::idx_diff(&idxmeta, Some(&e1), Some(&e1));
assert!(no_r.len() == 0);
// Check "adding" an attribute.
let add_a_r = Entry::idx_diff(&idxmeta, Some(&e1), Some(&e1_mod));
assert!(
add_a_r[0]
== Ok((
&"extra".to_string(),
&IndexType::EQUALITY,
"test".to_string()
))
);
// Check "removing" an attribute.
let del_a_r = Entry::idx_diff(&idxmeta, Some(&e1_mod), Some(&e1));
assert!(
del_a_r[0]
== Err((
&"extra".to_string(),
&IndexType::EQUALITY,
"test".to_string()
))
);
// Change an attribute.
let mut chg_r = Entry::idx_diff(&idxmeta, Some(&e1), Some(&e2));
chg_r.sort_unstable();
eprintln!("{:?}", chg_r);
assert!(
chg_r[1]
== Err((
&"userid".to_string(),
&IndexType::EQUALITY,
"william".to_string()
))
);
assert!(
chg_r[0]
== Ok((
&"userid".to_string(),
&IndexType::EQUALITY,
"claire".to_string()
))
);
}
#[test]
fn test_entry_mask_recycled_ts() {
let mut e1: Entry<EntryInit, EntryNew> = Entry::new();
e1.add_ava("class", Value::new_class("person"));
let e1 = unsafe { e1.into_sealed_committed() };
assert!(e1.mask_recycled_ts().is_some());
let mut e2: Entry<EntryInit, EntryNew> = Entry::new();
e2.add_ava("class", Value::new_class("person"));
e2.add_ava("class", Value::new_class("recycled"));
let e2 = unsafe { e2.into_sealed_committed() };
assert!(e2.mask_recycled_ts().is_none());
let mut e3: Entry<EntryInit, EntryNew> = Entry::new();
e3.add_ava("class", Value::new_class("tombstone"));
let e3 = unsafe { e3.into_sealed_committed() };
assert!(e3.mask_recycled_ts().is_none());
}
#[test]
fn test_entry_idx_name2uuid_diff() {
// none, none,
let r = Entry::idx_name2uuid_diff(None, None);
assert!(r == (None, None));
// none, some - test adding an entry gives back add sets
{
let mut e: Entry<EntryInit, EntryNew> = Entry::new();
e.add_ava("class", Value::new_class("person"));
let e = unsafe { e.into_sealed_committed() };
assert!(Entry::idx_name2uuid_diff(None, Some(&e)) == (Some(Set::new()), None));
}
{
let mut e: Entry<EntryInit, EntryNew> = Entry::new();
e.add_ava("class", Value::new_class("person"));
e.add_ava("gidnumber", Value::new_uint32(1300));
e.add_ava("name", Value::new_iname("testperson"));
e.add_ava("spn", Value::new_spn_str("testperson", "example.com"));
e.add_ava(
"uuid",
Value::new_uuids("9fec0398-c46c-4df4-9df5-b0016f7d563f").unwrap(),
);
let e = unsafe { e.into_sealed_committed() };
// Note the uuid isn't present!
assert!(
Entry::idx_name2uuid_diff(None, Some(&e))
== (
Some(btreeset![
"1300".to_string(),
"testperson".to_string(),
"testperson@example.com".to_string()
]),
None
)
);
// some, none,
// Check delete, swap the order of args
assert!(
Entry::idx_name2uuid_diff(Some(&e), None)
== (
None,
Some(btreeset![
"1300".to_string(),
"testperson".to_string(),
"testperson@example.com".to_string()
])
)
);
// some, some (same), should be empty changes.
assert!(
Entry::idx_name2uuid_diff(Some(&e), Some(&e))
== (Some(Set::new()), Some(Set::new()))
);
}
// some, some (diff)
{
let mut e1: Entry<EntryInit, EntryNew> = Entry::new();
e1.add_ava("class", Value::new_class("person"));
e1.add_ava("spn", Value::new_spn_str("testperson", "example.com"));
let e1 = unsafe { e1.into_sealed_committed() };
let mut e2: Entry<EntryInit, EntryNew> = Entry::new();
e2.add_ava("class", Value::new_class("person"));
e2.add_ava("name", Value::new_iname("testperson"));
e2.add_ava("spn", Value::new_spn_str("testperson", "example.com"));
let e2 = unsafe { e2.into_sealed_committed() };
// One attr added
assert!(
Entry::idx_name2uuid_diff(Some(&e1), Some(&e2))
== (Some(btreeset!["testperson".to_string()]), Some(Set::new()))
);
// One removed
assert!(
Entry::idx_name2uuid_diff(Some(&e2), Some(&e1))
== (Some(Set::new()), Some(btreeset!["testperson".to_string()]))
);
}
// Value changed, remove old, add new.
{
let mut e1: Entry<EntryInit, EntryNew> = Entry::new();
e1.add_ava("class", Value::new_class("person"));
e1.add_ava("spn", Value::new_spn_str("testperson", "example.com"));
let e1 = unsafe { e1.into_sealed_committed() };
let mut e2: Entry<EntryInit, EntryNew> = Entry::new();
e2.add_ava("class", Value::new_class("person"));
e2.add_ava("spn", Value::new_spn_str("renameperson", "example.com"));
let e2 = unsafe { e2.into_sealed_committed() };
assert!(
Entry::idx_name2uuid_diff(Some(&e1), Some(&e2))
== (
Some(btreeset!["renameperson@example.com".to_string()]),
Some(btreeset!["testperson@example.com".to_string()])
)
);
}
}
#[test]
fn test_entry_idx_uuid2spn_diff() {
assert!(Entry::idx_uuid2spn_diff(None, None) == None);
let mut e1: Entry<EntryInit, EntryNew> = Entry::new();
e1.add_ava("spn", Value::new_spn_str("testperson", "example.com"));
let e1 = unsafe { e1.into_sealed_committed() };
let mut e2: Entry<EntryInit, EntryNew> = Entry::new();
e2.add_ava("spn", Value::new_spn_str("renameperson", "example.com"));
let e2 = unsafe { e2.into_sealed_committed() };
assert!(
Entry::idx_uuid2spn_diff(None, Some(&e1))
== Some(Ok(Value::new_spn_str("testperson", "example.com")))
);
assert!(Entry::idx_uuid2spn_diff(Some(&e1), None) == Some(Err(())));
assert!(Entry::idx_uuid2spn_diff(Some(&e1), Some(&e1)) == None);
assert!(
Entry::idx_uuid2spn_diff(Some(&e1), Some(&e2))
== Some(Ok(Value::new_spn_str("renameperson", "example.com")))
);
}
#[test]
fn test_entry_idx_uuid2rdn_diff() {
assert!(Entry::idx_uuid2rdn_diff(None, None) == None);
let mut e1: Entry<EntryInit, EntryNew> = Entry::new();
e1.add_ava("spn", Value::new_spn_str("testperson", "example.com"));
let e1 = unsafe { e1.into_sealed_committed() };
let mut e2: Entry<EntryInit, EntryNew> = Entry::new();
e2.add_ava("spn", Value::new_spn_str("renameperson", "example.com"));
let e2 = unsafe { e2.into_sealed_committed() };
assert!(
Entry::idx_uuid2rdn_diff(None, Some(&e1))
== Some(Ok("spn=testperson@example.com".to_string()))
);
assert!(Entry::idx_uuid2rdn_diff(Some(&e1), None) == Some(Err(())));
assert!(Entry::idx_uuid2rdn_diff(Some(&e1), Some(&e1)) == None);
assert!(
Entry::idx_uuid2rdn_diff(Some(&e1), Some(&e2))
== Some(Ok("spn=renameperson@example.com".to_string()))
);
}
}
Reference in a new issue View git blame Copy permalink