
use std::fmt;

use serde::{Deserialize, Serialize};
use serde_with::{base64, formats, serde_as, skip_serializing_none};
use utoipa::ToSchema;
use uuid::Uuid;

use scim_proto::user::MultiValueAttr;
use scim_proto::{ScimEntry, ScimEntryHeader};
9
/// Where a sync agent's view of the directory stands, as carried in
/// [`ScimSyncRequest`]'s `from_state` / `to_state`.
///
/// Either a full `Refresh`, or `Active` with an opaque `cookie`. On the wire
/// the cookie is unpadded base64url; what the bytes encode is agreed between
/// the sync agent and the server and is not interpreted by this type.
#[serde_as]
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, ToSchema)]
pub enum ScimSyncState {
    /// No usable prior state: start from scratch.
    Refresh,
    /// Incremental position; `cookie` is the opaque marker to continue from.
    Active {
        #[serde_as(as = "base64::Base64<base64::UrlSafe, formats::Unpadded>")]
        cookie: Vec<u8>,
    },
}
19
/// How the server should treat previously synced entries that are *not* in
/// the request's `entries` list.
///
/// `Retain` and `Delete` are both destructive by construction: an empty
/// `Retain` list means "nothing is kept", i.e. every entry outside the
/// request is removed. Build the list deliberately rather than from a
/// possibly-empty query result. Which entries are in scope for deletion
/// (presumably only those owned by this sync agent) is decided server-side
/// and is not visible from this type.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, ToSchema)]
pub enum ScimSyncRetentionMode {
    /// Touch nothing beyond creating/updating the entries in the request.
    Ignore,
    /// Keep exactly the entries whose UUID is listed; delete the rest.
    Retain(Vec<Uuid>),
    /// Delete exactly the entries whose UUID is listed; keep the rest.
    Delete(Vec<Uuid>),
}
32
/// One sync message from an agent to the server.
///
/// `from_state` is where the agent believes the server currently is and
/// `to_state` where it will be after this request is applied. `entries`
/// holds the person/group payloads as generic [`ScimEntry`] values (built
/// via `serde_json::to_value` on [`ScimSyncPerson`] / [`ScimSyncGroup`], or
/// their `TryInto<ScimEntry>` impls), which is how the two types share one
/// list. `retain` says what happens to entries the list does not mention.
///
/// Note that `Debug` on this type prints every entry in full, including any
/// credential attributes they carry.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, ToSchema)]
pub struct ScimSyncRequest {
    pub from_state: ScimSyncState,
    pub to_state: ScimSyncState,

    /// Mixed person and group entries, already converted to the generic
    /// SCIM entry shape.
    pub entries: Vec<ScimEntry>,

    pub retain: ScimSyncRetentionMode,
}
44
impl ScimSyncRequest {
    /// Build a request whose target state is `Refresh`, with no entries and
    /// `Ignore` retention.
    ///
    /// `from_state` is the state the agent last saw. What the server does on
    /// receiving a `Refresh` target (presumably discards its cursor so the
    /// next request can resend everything) is outside this crate.
    pub fn need_refresh(from_state: ScimSyncState) -> Self {
        Self {
            from_state,
            to_state: ScimSyncState::Refresh,
            entries: Vec::new(),
            retain: ScimSyncRetentionMode::Ignore,
        }
    }
}
55
/// Common prefix of every kanidm sync schema URN below.
///
/// These are wire-compatibility constants: they sit under the IETF
/// `urn:ietf:params:scim:` prefix rather than a kanidm-owned namespace, and
/// existing sync agents match on them verbatim, so treat them as fixed.
pub const SCIM_SCHEMA_SYNC_1: &str = "urn:ietf:params:scim:schemas:kanidm:sync:1:";
/// Attached to every person entry by [`ScimSyncPerson::builder`].
pub const SCIM_SCHEMA_SYNC_ACCOUNT: &str =
    "urn:ietf:params:scim:schemas:kanidm:sync:1:account";
/// Attached to every group entry by [`ScimSyncGroup::builder`].
pub const SCIM_SCHEMA_SYNC_GROUP: &str =
    "urn:ietf:params:scim:schemas:kanidm:sync:1:group";
/// Attached to every person entry alongside `SCIM_SCHEMA_SYNC_ACCOUNT`.
pub const SCIM_SCHEMA_SYNC_PERSON: &str =
    "urn:ietf:params:scim:schemas:kanidm:sync:1:person";
/// Added to a person entry only when it carries a `gidnumber`.
pub const SCIM_SCHEMA_SYNC_POSIXACCOUNT: &str =
    "urn:ietf:params:scim:schemas:kanidm:sync:1:posixaccount";
/// Added to a group entry only when it carries a `gidnumber`.
pub const SCIM_SCHEMA_SYNC_POSIXGROUP: &str =
    "urn:ietf:params:scim:schemas:kanidm:sync:1:posixgroup";
64
/// JSON key names of the [`ScimTotp`] attributes.
///
/// They mirror the field identifiers of `ScimTotp` (serde uses the field
/// names unchanged), presumably so a consumer can pull the TOTP values out
/// of a generic [`ScimEntry`] without going through the typed struct. If
/// `ScimTotp` is ever renamed, these must move with it.
pub const SCIM_ALGO: &str = "algo";
pub const SCIM_DIGITS: &str = "digits";
pub const SCIM_SECRET: &str = "secret";
pub const SCIM_STEP: &str = "step";
69
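/// A TOTP credential carried in a person's `totp_import`.
///
/// Field names double as the JSON keys (see `SCIM_SECRET` and friends). The
/// value formats — how `secret` is encoded, which `algo` names are accepted,
/// the unit of `step` — are not checked here; the server validates them when
/// it applies the import, so confirm against the consumer before relying on
/// a particular encoding.
///
/// `Debug` is implemented by hand so that `secret` never reaches logs, panic
/// messages or error contexts; every other field is shown as-is. `Serialize`
/// still emits the secret in full, because the sync protocol needs it.
#[derive(Serialize, Deserialize, Clone)]
pub struct ScimTotp {
    /// maps to "label" in kanidm.
    pub external_id: String,
    /// The shared secret. Redacted by `Debug`; serialised verbatim.
    pub secret: String,
    /// Hash algorithm name as a string; not validated at this layer.
    pub algo: String,
    /// Time step of the token.
    pub step: u32,
    /// Number of output digits.
    pub digits: u32,
}

impl fmt::Debug for ScimTotp {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("ScimTotp")
            .field("external_id", &self.external_id)
            // Never print the seed: a derived Debug here would leak it into
            // any log line that formats a person or request.
            .field("secret", &"<redacted>")
            .field("algo", &self.algo)
            .field("step", &self.step)
            .field("digits", &self.digits)
            .finish()
    }
}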
79
/// An SSH public key attached to a person, as `label` plus the key text.
///
/// The key format is not checked here (presumably an OpenSSH
/// `authorized_keys`-style line; confirm against the server's parser). Note
/// that a key accepted through sync becomes a login credential for the
/// account, so the sync source is trusted for authorisation, not just
/// attributes.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ScimSshPubKey {
    pub label: String,
    pub value: String,
}
85
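/// A person (human account) as carried in a [`ScimSyncRequest`].
///
/// Serialises flat: the header fields (`schemas`, `id`, `external_id`,
/// `meta`) appear at the same JSON level as the attributes. `Option`
/// attributes are dropped from the output when `None`; the `Vec` attributes
/// are dropped when empty and default to empty when absent on input. Keys
/// are the snake_case field names.
///
/// `password_import`, `unix_password_import` and `totp_import` carry
/// credential material, so `Debug` is hand-written to redact them — this
/// type flows through logs and error paths. `Serialize` still emits them in
/// full; protecting them in transit is the job of the channel that carries
/// the request.
#[skip_serializing_none]
#[derive(Serialize, Deserialize, Clone)]
#[serde(rename_all = "snake_case")]
pub struct ScimSyncPerson {
    #[serde(flatten)]
    pub entry: ScimEntryHeader,

    pub name: String,
    pub displayname: String,
    pub gidnumber: Option<u32>,
    /// Imported password credential (presumably a hash in a format the
    /// server's import path accepts); not validated here.
    pub password_import: Option<String>,
    /// Imported unix password credential; same caveat as `password_import`.
    pub unix_password_import: Option<String>,
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    pub totp_import: Vec<ScimTotp>,
    pub loginshell: Option<String>,
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    pub mail: Vec<MultiValueAttr>,
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    pub ssh_publickey: Vec<ScimSshPubKey>,
    /// Validity window bounds, carried as strings; the expected format
    /// (presumably an RFC 3339 timestamp) is decided server-side.
    pub account_valid_from: Option<String>,
    pub account_expire: Option<String>,
}

impl fmt::Debug for ScimSyncPerson {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        // Presence is kept so a log line still says whether an import was
        // attempted, but the credential itself never appears.
        let redact = |v: &Option<String>| v.as_ref().map(|_| "<redacted>");
        // TOTP entries are listed by label only, independent of how
        // `ScimTotp` itself formats, so the seed cannot slip through.
        let totp_labels: Vec<&str> = self
            .totp_import
            .iter()
            .map(|t| t.external_id.as_str())
            .collect();
        f.debug_struct("ScimSyncPerson")
            .field("entry", &self.entry)
            .field("name", &self.name)
            .field("displayname", &self.displayname)
            .field("gidnumber", &self.gidnumber)
            .field("password_import", &redact(&self.password_import))
            .field(
                "unix_password_import",
                &redact(&self.unix_password_import),
            )
            .field("totp_import", &totp_labels)
            .field("loginshell", &self.loginshell)
            .field("mail", &self.mail)
            .field("ssh_publickey", &self.ssh_publickey)
            .field("account_valid_from", &self.account_valid_from)
            .field("account_expire", &self.account_expire)
            .finish()
    }
}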
108
impl TryInto<ScimEntry> for ScimSyncPerson {
    type Error = serde_json::Error;

    /// Convert to the generic entry by a JSON round trip: serialise `self`
    /// to a `Value`, then deserialise that as a [`ScimEntry`]. Either step
    /// can fail and the error is returned as-is.
    ///
    /// Implemented as `TryInto` rather than `TryFrom<ScimSyncPerson> for
    /// ScimEntry`, so `ScimEntry::try_from(person)` is not available to
    /// callers; changing that would alter the public API.
    fn try_into(self) -> Result<ScimEntry, Self::Error> {
        let value = serde_json::to_value(self)?;
        serde_json::from_value(value)
    }
}
116
/// Builder for [`ScimSyncPerson`]; obtain one via [`ScimSyncPerson::builder`].
///
/// Holds the partially filled person directly. Setters take `self` by value
/// and return it, so calls chain; `build` hands the inner value back.
pub struct ScimSyncPersonBuilder {
    inner: ScimSyncPerson,
}
120
impl ScimSyncPerson {
    /// Start building a person entry.
    ///
    /// `id` is the entry's UUID, `external_id` the identifier the source
    /// system knows it by, `name` and `displayname` the two mandatory
    /// attributes. The schema list starts as account + person; calling
    /// `set_gidnumber` with a value on the builder adds the posixaccount
    /// schema. Every optional attribute starts unset or empty.
    pub fn builder(
        id: Uuid,
        external_id: String,
        name: String,
        displayname: String,
    ) -> ScimSyncPersonBuilder {
        let entry = ScimEntryHeader {
            schemas: vec![
                SCIM_SCHEMA_SYNC_ACCOUNT.to_string(),
                SCIM_SCHEMA_SYNC_PERSON.to_string(),
            ],
            id,
            external_id: Some(external_id),
            meta: None,
        };
        let inner = ScimSyncPerson {
            entry,
            name,
            displayname,
            gidnumber: None,
            password_import: None,
            unix_password_import: None,
            totp_import: Vec::new(),
            loginshell: None,
            mail: Vec::new(),
            ssh_publickey: Vec::new(),
            account_valid_from: None,
            account_expire: None,
        };
        ScimSyncPersonBuilder { inner }
    }
}
154
impl ScimSyncPersonBuilder {
    /// Set or clear the imported password credential. Stored verbatim; the
    /// server decides whether the format is acceptable.
    pub fn set_password_import(mut self, password_import: Option<String>) -> Self {
        self.inner.password_import = password_import;
        self
    }

    /// Set or clear the imported unix password credential. Stored verbatim.
    pub fn set_unix_password_import(mut self, unix_password_import: Option<String>) -> Self {
        self.inner.unix_password_import = unix_password_import;
        self
    }

    /// Replace the TOTP list wholesale (an empty vec clears it).
    pub fn set_totp_import(mut self, totp_import: Vec<ScimTotp>) -> Self {
        self.inner.totp_import = totp_import;
        self
    }

    /// Replace the mail addresses wholesale.
    pub fn set_mail(mut self, mail: Vec<MultiValueAttr>) -> Self {
        self.inner.mail = mail;
        self
    }

    /// Replace the SSH public keys wholesale. Keys are not parsed here.
    pub fn set_ssh_publickey(mut self, ssh_publickey: Vec<ScimSshPubKey>) -> Self {
        self.inner.ssh_publickey = ssh_publickey;
        self
    }

    /// Set or clear the login shell.
    pub fn set_login_shell(mut self, loginshell: Option<String>) -> Self {
        self.inner.loginshell = loginshell;
        self
    }

    /// Set or clear the start of the account's validity window (string,
    /// format decided server-side).
    pub fn set_account_valid_from(mut self, account_valid_from: Option<String>) -> Self {
        self.inner.account_valid_from = account_valid_from;
        self
    }

    /// Set or clear the account's expiry (string, format decided server-side).
    pub fn set_account_expire(mut self, account_expire: Option<String>) -> Self {
        self.inner.account_expire = account_expire;
        self
    }

    /// Set or clear the POSIX gid and rewrite the schema list to match: the
    /// posixaccount schema is present exactly when a gid is present. This
    /// overwrites whatever schema list the entry had.
    pub fn set_gidnumber(mut self, gidnumber: Option<u32>) -> Self {
        self.inner.gidnumber = gidnumber;
        self.inner.entry.schemas = Self::schemas_for(gidnumber.is_some());
        self
    }

    /// Finish and return the person.
    pub fn build(self) -> ScimSyncPerson {
        self.inner
    }

    /// Schema URNs for a person with (`posix == true`) or without POSIX
    /// attributes, in the order the wire format expects.
    fn schemas_for(posix: bool) -> Vec<String> {
        let mut schemas = vec![
            SCIM_SCHEMA_SYNC_ACCOUNT.to_string(),
            SCIM_SCHEMA_SYNC_PERSON.to_string(),
        ];
        if posix {
            schemas.push(SCIM_SCHEMA_SYNC_POSIXACCOUNT.to_string());
        }
        schemas
    }
}
217
/// A group member referenced by the `external_id` the source system uses,
/// not by kanidm UUID. Resolving it to an actual entry happens server-side.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ScimExternalMember {
    pub external_id: String,
}
222
/// A group as carried in a [`ScimSyncRequest`].
///
/// Serialises flat like [`ScimSyncPerson`]: header fields at the top level,
/// `None` attributes omitted, `member` omitted when empty and defaulting to
/// empty when absent on input. Keys are the snake_case field names.
///
/// Membership is expressed by external id; the server resolves those. A
/// group with no `member` entries is a valid, empty group — not "unchanged".
#[skip_serializing_none]
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub struct ScimSyncGroup {
    #[serde(flatten)]
    pub entry: ScimEntryHeader,

    pub name: String,
    pub description: Option<String>,
    pub gidnumber: Option<u32>,
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    pub member: Vec<ScimExternalMember>,
}
236
impl TryInto<ScimEntry> for ScimSyncGroup {
    type Error = serde_json::Error;

    /// Convert to the generic entry by a JSON round trip: serialise `self`
    /// to a `Value`, then deserialise that as a [`ScimEntry`]. Either step
    /// can fail and the error is returned as-is.
    fn try_into(self) -> Result<ScimEntry, Self::Error> {
        let value = serde_json::to_value(self)?;
        serde_json::from_value(value)
    }
}
244
/// Builder for [`ScimSyncGroup`]; obtain one via [`ScimSyncGroup::builder`].
///
/// Unlike [`ScimSyncPersonBuilder`], this one derives `Serialize` /
/// `Deserialize` with a camelCase rename. The rename only affects this
/// wrapper's single private field, so it has no effect on the group's own
/// wire format; the impls are kept because dropping them would be an API
/// change.
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(rename_all = "camelCase")]
pub struct ScimSyncGroupBuilder {
    inner: ScimSyncGroup,
}
250
impl ScimSyncGroup {
    /// Start building a group entry.
    ///
    /// `id` is the entry's UUID, `external_id` the identifier the source
    /// system knows it by, `name` the mandatory group name. The schema list
    /// starts as just the group schema; `set_gidnumber` with a value on the
    /// builder adds the posixgroup schema. Description, gid and members all
    /// start unset or empty.
    pub fn builder(id: Uuid, external_id: String, name: String) -> ScimSyncGroupBuilder {
        let entry = ScimEntryHeader {
            schemas: vec![SCIM_SCHEMA_SYNC_GROUP.to_string()],
            id,
            external_id: Some(external_id),
            meta: None,
        };
        let inner = ScimSyncGroup {
            entry,
            name,
            description: None,
            gidnumber: None,
            member: Vec::new(),
        };
        ScimSyncGroupBuilder { inner }
    }
}
269
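impl ScimSyncGroupBuilder {
    /// Set or clear the free-text description.
    pub fn set_description(mut self, desc: Option<String>) -> Self {
        self.inner.description = desc;
        self
    }

    /// Set or clear the POSIX gid and rewrite the schema list to match: the
    /// posixgroup schema is present exactly when a gid is present. This
    /// overwrites whatever schema list the entry had.
    pub fn set_gidnumber(mut self, gidnumber: Option<u32>) -> Self {
        self.inner.gidnumber = gidnumber;
        self.inner.entry.schemas = Self::schemas_for(gidnumber.is_some());
        self
    }

    /// Replace the member list with one [`ScimExternalMember`] per id.
    ///
    /// Accepts anything iterable over `String` — a `Vec<String>`, a set, or
    /// an iterator. The bound used to be `Iterator`; every `Iterator` is an
    /// `IntoIterator`, so existing callers are unaffected. Ids are taken as
    /// given: no de-duplication or validation happens here, and an empty
    /// input yields an empty (not untouched) member list.
    pub fn set_members<I>(mut self, member_iter: I) -> Self
    where
        I: IntoIterator<Item = String>,
    {
        self.inner.member = member_iter
            .into_iter()
            .map(|external_id| ScimExternalMember { external_id })
            .collect();
        self
    }

    /// Finish and return the group.
    pub fn build(self) -> ScimSyncGroup {
        self.inner
    }

    /// Schema URNs for a group with (`posix == true`) or without POSIX
    /// attributes, in the order the wire format expects.
    fn schemas_for(posix: bool) -> Vec<String> {
        let mut schemas = vec![SCIM_SCHEMA_SYNC_GROUP.to_string()];
        if posix {
            schemas.push(SCIM_SCHEMA_SYNC_POSIXGROUP.to_string());
        }
        schemas
    }
}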