Application passwords implementation

[scabrero]

This pull request replaces #2457 and follows the design document #2427.

It is just the server side for now.

Related to #41

Checklist

• This pr contains no AI generated code
• cargo fmt has been run
• cargo clippy has been run
• cargo test has been run and passes
• book chapter included (if relevant)
• design document included (if relevant)

[scabrero]

@Firstyear, the last test for:

Since application passwords are related to applications, on delete of an application all entries
that have a bound application password should be removed from user accounts.

fails. Any hint about how to enforce reference integrity on a "complex" attribute?

[Firstyear]

Regarding referential integrity have a look at https://github.com/kanidm/kanidm/blob/master/server/lib/src/valueset/oauth.rs#L369

It has handling for Refer as a special case, as well as Iutf8 for matching labels. You'll also notice https://github.com/kanidm/kanidm/blob/master/server/lib/src/valueset/oauth.rs#L607 which indexes the uuids of the groups related.

That way if you search an application id with PartialValue::Uuid yuo get the application itself, but PartialValue::Refer gets everything that refers to it.

That's what enables https://github.com/kanidm/kanidm/blob/master/server/lib/src/schema.rs#L771 which indicates that a reference relationship exists, and that automatically triggers https://github.com/kanidm/kanidm/blob/master/server/lib/src/plugins/refint.rs

[Firstyear]

What's the thinking behind all these being separate? What's the use case you have in mind?

[scabrero]

Creating and managing applications does not fit in any of the existing ACPs, except maybe:

• IDM_ACP_SERVICE_ACCOUT_* ?
• IDM_ACP_DOMAIN_ADMIN ?

[Firstyear]

I think we need some more thought here about this. For example what are the administrator use cases? Do we need to delegate rights?

We should look at this as "how will admins and users interact" and use that to create access controls instead.

[scabrero]

Hi @Firstyear, PR is not updated yet because I am rebasing on top of master commit by commit while addressing your comments.

[Firstyear]

Hi @Firstyear, PR is not updated yet because I am rebasing on top of master commit by commit while addressing your comments.

Ahhh okay. Sorry about that :)

Want me to wait til you are ready for me to look again then?

[scabrero]

Hi @Firstyear, PR is not updated yet because I am rebasing on top of master commit by commit while addressing your comments.

Ahhh okay. Sorry about that :)

Want me to wait til you are ready for me to look again then?

Except the refint for the ApplicationPassword struct to make the last test pass, it is now ready for a second review :)

[scabrero]

Ready for review.

[Firstyear]

Haven't finished the full review but here is the first pass.

[Firstyear]

Previous comment was "how do you envisage these access controls working with human roles and tasks", and I think you need to answer that because these access controls otherwise seem confused.

[scabrero]

Ok, I can think about two possibilities:

Use case 1, the IDM administrator creates the application, links the group, and sets up the members.
Use case 2, there is a person managing service X, e.g. mail. The IDM administrator creates the app, links a group,
and delegates group permission for the group to the X service manager who sets up the members.

[Firstyear]

Do you know what the sync_allowed attribute affects?

[scabrero]

Attribute or class can be imported from external scim?

[Firstyear]

Should we consider this being a different type rather than UnixBind since this session Enum is meant to encode "what kind of session this is" and this is an application password session, not a unix session.

[Firstyear]

What's the logic of using a string to index into this Map instead of UUID?

[scabrero]

Mainly because LdapApplicationAuthEvent carries the application name extracted from the bind DN, so we can do https://github.com/scabrero/kanidm/blob/app-passwords/server/lib/src/idm/application.rs#L178