Trait kanidmd_lib::idm::server::IdmServerTransaction
pub trait IdmServerTransaction<'a> {
    type QsTransactionType: QueryServerTransaction<'a>;

    // Required method
    fn get_qs_txn(&mut self) -> &mut Self::QsTransactionType;

    // Provided methods
    fn validate_client_auth_info_to_ident(
        &mut self,
        client_auth_info: ClientAuthInfo,
        ct: Duration,
    ) -> Result<Identity, OperationError> { ... }
    fn validate_client_auth_info_to_uat(
        &mut self,
        client_auth_info: ClientAuthInfo,
        ct: Duration,
    ) -> Result<UserAuthToken, OperationError> { ... }
    fn validate_and_parse_token_to_token(
        &mut self,
        jwsu: &JwsCompact,
        ct: Duration,
    ) -> Result<Token, OperationError> { ... }
    fn check_oauth2_account_uuid_valid(
        &mut self,
        uuid: Uuid,
        session_id: Uuid,
        parent_session_id: Option<Uuid>,
        iat: i64,
        ct: Duration,
    ) -> Result<Option<Arc<Entry<EntrySealed, EntryCommitted>>>, OperationError> { ... }
    fn process_uat_to_identity(
        &mut self,
        uat: &UserAuthToken,
        ct: Duration,
        source: Source,
    ) -> Result<Identity, OperationError> { ... }
    fn process_apit_to_identity(
        &mut self,
        apit: &ApiToken,
        source: Source,
        entry: Arc<EntrySealedCommitted>,
        ct: Duration,
    ) -> Result<Identity, OperationError> { ... }
    fn client_cert_info_entry(
        &mut self,
        client_cert_info: &ClientCertInfo,
    ) -> Result<Arc<EntrySealedCommitted>, OperationError> { ... }
    fn client_certificate_to_identity(
        &mut self,
        client_cert_info: &ClientCertInfo,
        ct: Duration,
        source: Source,
    ) -> Result<Identity, OperationError> { ... }
    fn client_certificate_to_user_auth_token(
        &mut self,
        client_cert_info: &ClientCertInfo,
        ct: Duration,
    ) -> Result<UserAuthToken, OperationError> { ... }
    fn process_ldap_uuid_to_identity(
        &mut self,
        uuid: &Uuid,
        ct: Duration,
        source: Source,
    ) -> Result<Identity, OperationError> { ... }
    fn validate_ldap_session(
        &mut self,
        session: &LdapSession,
        source: Source,
        ct: Duration,
    ) -> Result<Identity, OperationError> { ... }
    fn validate_sync_client_auth_info_to_ident(
        &mut self,
        client_auth_info: ClientAuthInfo,
        ct: Duration,
    ) -> Result<Identity, OperationError> { ... }
}
Required Associated Types

type QsTransactionType: QueryServerTransaction<'a>

Required Methods

fn get_qs_txn(&mut self) -> &mut Self::QsTransactionType

Provided Methods
fn validate_client_auth_info_to_ident(
    &mut self,
    client_auth_info: ClientAuthInfo,
    ct: Duration,
) -> Result<Identity, OperationError>
This is the preferred method to transform and securely verify a token into an identity that can be used for operations and access enforcement. This function is aware of the various classes of tokens that may exist, and can appropriately check them.
The primary method of verification selection is the use of the KID parameter that we internally sign with. We can use this to select the appropriate token type and validation method.
fn validate_client_auth_info_to_uat(
    &mut self,
    client_auth_info: ClientAuthInfo,
    ct: Duration,
) -> Result<UserAuthToken, OperationError>
This function is not used in authentication flows; it is a reflector of the current session state that allows a user-auth-token to be presented to the user via the whoami call.
fn validate_and_parse_token_to_token(
    &mut self,
    jwsu: &JwsCompact,
    ct: Duration,
) -> Result<Token, OperationError>

fn check_oauth2_account_uuid_valid(
    &mut self,
    uuid: Uuid,
    session_id: Uuid,
    parent_session_id: Option<Uuid>,
    iat: i64,
    ct: Duration,
) -> Result<Option<Arc<Entry<EntrySealed, EntryCommitted>>>, OperationError>
fn process_uat_to_identity(
    &mut self,
    uat: &UserAuthToken,
    ct: Duration,
    source: Source,
) -> Result<Identity, OperationError>
For any event/operation to proceed, we need to attach an identity to the event for security and access processing. When that event is externally triggered via one of our various API layers, we process some type of account token into this identity. In the current server this is the UserAuthToken. For a UserAuthToken to be provided it MUST have been cryptographically verified, meaning it is now a trusted source of data that we previously issued.
This is the function that is responsible for converting that UAT into something we can pin access controls and other limits and references to. This is why it is the location where validity windows are checked and other relevant session information is injected.
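The two behaviours described for validate_client_auth_info_to_ident (selecting the validation path by the signing KID) and process_uat_to_identity (checking the validity window before an identity is produced) can be shown in a reduced, self-contained model. The following is an added example written for this page, not kanidm's own code: the token class registry, the VerifiedToken, Identity and OperationError types, and the `uat-key-1` / `apit-key-1` key ids are all constructed assumptions, and the token is taken to be already signature-verified before it reaches this code.

```rust
// Added example (not kanidm's own code): select a token class from the
// signing key id (KID), then check the token's validity window against the
// injected current time `ct`, before an Identity is produced.
use std::collections::HashMap;
use std::time::Duration;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum TokenClass {
    UserAuthToken,
    ApiToken,
}

/// Which token class each internal signing key is used for. The real server
/// keeps this with its signing keys; these entries are constructed sample data.
pub fn key_registry() -> HashMap<&'static str, TokenClass> {
    HashMap::from([
        ("uat-key-1", TokenClass::UserAuthToken),
        ("apit-key-1", TokenClass::ApiToken),
    ])
}

/// A token whose signature has already been verified. `issued_at` and
/// `expiry` are seconds since the Unix epoch, matching `ct: Duration`.
/// `expiry: None` models a token with no expiry (an assumption of this demo).
#[derive(Debug, Clone)]
pub struct VerifiedToken {
    pub kid: String,
    pub session_id: u64,
    pub issued_at: u64,
    pub expiry: Option<u64>,
}

/// The identity that access controls are pinned to (hypothetical shape).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Identity {
    pub class: TokenClass,
    pub session_id: u64,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum OperationError {
    UnknownKid(String),
    SessionExpired,
    NotYetValid,
}

/// Step 1: the KID decides which token type and validation method apply.
/// A KID we never signed with is rejected outright.
pub fn select_token_class(
    registry: &HashMap<&'static str, TokenClass>,
    kid: &str,
) -> Result<TokenClass, OperationError> {
    registry
        .get(kid)
        .copied()
        .ok_or_else(|| OperationError::UnknownKid(kid.to_string()))
}

/// Step 2: the validity window. `ct` is passed in rather than read from the
/// clock so every check inside one transaction sees the same instant and
/// tests can drive the time deterministically.
pub fn check_validity_window(tok: &VerifiedToken, ct: Duration) -> Result<(), OperationError> {
    let now = ct.as_secs();
    if now < tok.issued_at {
        return Err(OperationError::NotYetValid);
    }
    if let Some(exp) = tok.expiry {
        if now >= exp {
            return Err(OperationError::SessionExpired);
        }
    }
    Ok(())
}

/// The combined path: only a token with a known KID and a live validity
/// window becomes an Identity.
pub fn token_to_identity(
    registry: &HashMap<&'static str, TokenClass>,
    tok: &VerifiedToken,
    ct: Duration,
) -> Result<Identity, OperationError> {
    let class = select_token_class(registry, &tok.kid)?;
    check_validity_window(tok, ct)?;
    Ok(Identity { class, session_id: tok.session_id })
}

fn main() {
    let reg = key_registry();
    // Constructed sample token: issued at t=1000s, expires at t=4600s.
    let tok = VerifiedToken { kid: "uat-key-1".into(), session_id: 7, issued_at: 1_000, expiry: Some(4_600) };
    println!("{:?}", token_to_identity(&reg, &tok, Duration::from_secs(2_000)));
    println!("{:?}", token_to_identity(&reg, &tok, Duration::from_secs(5_000)));
}
```

The order matters: the KID lookup runs first so that a token signed under an unknown key never reaches the window check, and the window check runs before any session data is attached to the Identity, mirroring where the page says validity windows are enforced.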
fn process_apit_to_identity(
    &mut self,
    apit: &ApiToken,
    source: Source,
    entry: Arc<EntrySealedCommitted>,
    ct: Duration,
) -> Result<Identity, OperationError>

fn client_cert_info_entry(
    &mut self,
    client_cert_info: &ClientCertInfo,
) -> Result<Arc<EntrySealedCommitted>, OperationError>
fn client_certificate_to_identity(
    &mut self,
    client_cert_info: &ClientCertInfo,
    ct: Duration,
    source: Source,
) -> Result<Identity, OperationError>
Given a certificate, validate it and discover the associated entry that the certificate relates to. Currently, this relies on mapping the public key sha256 to a stored client certificate, which then links to the owner.
In the future we could consider alternate mapping strategies such as subjectAltName or subject DN, but these have subtle security risks and configuration challenges, so binary mapping is the simplest - and safest - option today.