New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Application passwords implementation #2578
base: master
Are you sure you want to change the base?
Conversation
@Firstyear, the last test for:
fails. Any hint about how to enforce reference integrity on a "complex" attribute? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Regarding referential integrity have a look at https://github.com/kanidm/kanidm/blob/master/server/lib/src/valueset/oauth.rs#L369
It has handling for Refer as a special case, as well as Iutf8 for matching labels. You'll also notice https://github.com/kanidm/kanidm/blob/master/server/lib/src/valueset/oauth.rs#L607 which indexes the uuids of the groups related.
That way if you search an application id with PartialValue::Uuid yuo get the application itself, but PartialValue::Refer gets everything that refers to it.
That's what enables https://github.com/kanidm/kanidm/blob/master/server/lib/src/schema.rs#L771 which indicates that a reference relationship exists, and that automatically triggers https://github.com/kanidm/kanidm/blob/master/server/lib/src/plugins/refint.rs
server/lib/src/constants/acp.rs
Outdated
create_classes: vec![EntryClass::Object, EntryClass::Application], | ||
..Default::default() | ||
}; | ||
pub static ref IDM_ACP_APPLICATION_MANAGE_V1: BuiltinAcp = BuiltinAcp { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's the thinking behind all these being separate? What's the use case you have in mind?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Creating and managing applications does not fit in any of the existing ACPs, except maybe:
IDM_ACP_SERVICE_ACCOUT_*
?IDM_ACP_DOMAIN_ADMIN
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we need some more thought here about this. For example what are the administrator use cases? Do we need to delegate rights?
We should look at this as "how will admins and users interact" and use that to create access controls instead.
Hi @Firstyear, PR is not updated yet because I am rebasing on top of master commit by commit while addressing your comments. |
Ahhh okay. Sorry about that :) Want me to wait til you are ready for me to look again then? |
Except the refint for the ApplicationPassword struct to make the last test pass, it is now ready for a second review :) |
Ready for review. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Haven't finished the full review but here is the first pass.
// needs to be able to assign to entry managed by | ||
lazy_static! { | ||
pub static ref IDM_ACP_APPLICATION_CREATE_DL6: BuiltinAcp = BuiltinAcp { | ||
classes: vec![ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Previous comment was "how do you envisage these access controls working with human roles and tasks", and I think you need to answer that because these access controls otherwise seem confused.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, I can think about two possibilities:
Use case 1, the IDM administrator creates the application, links the group, and sets up the members.
Use case 2, there is a person managing service X, e.g. mail. The IDM administrator creates the app, links a group,
and delegates group permission for the group to the X service manager who sets up the members.
description: "A reference to the group linked to the entry".to_string(), | ||
|
||
multivalue: false, | ||
sync_allowed: true, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you know what the sync_allowed attribute affects?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Attribute or class can be imported from external scim?
server/lib/src/idm/account.rs
Outdated
return Ok(Some(LdapBoundToken { | ||
spn: self.spn.clone(), | ||
session_id, | ||
effective_session: LdapSession::UnixBind(self.uuid), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we consider this being a different type rather than UnixBind since this session Enum is meant to encode "what kind of session this is" and this is an application password session, not a unix session.
|
||
#[derive(Clone)] | ||
struct LdapApplicationsInner { | ||
set: HashMap<String, Application>, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's the logic of using a string to index into this Map instead of UUID?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Mainly because LdapApplicationAuthEvent
carries the application name extracted from the bind DN, so we can do https://github.com/scabrero/kanidm/blob/app-passwords/server/lib/src/idm/application.rs#L178
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
and not used Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
TODO: How to test without client side? Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
This is how the application passwords will be serialized and stored in the backend. It will be a vector of DbValueApplicationPassword, each one having its uuid, application uuid, label and DbPasswordV1. Signed-off-by: Samuel Cabrero <scabrero@suse.de>
This is how the data is serialized/deserialized from replication Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
This pull request replaces #2457 and follows the design document #2427.
It is just the server side for now.
Related to #41
Checklist