
1use serde::{Deserialize, Serialize};
2use serde_with::{base64, formats, serde_as};
3use utoipa::ToSchema;
4use uuid::Uuid;
5
6use scim_proto::user::MultiValueAttr;
7use scim_proto::{ScimEntry, ScimEntryHeader};
8use serde_with::skip_serializing_none;
9
/// Position marker for a SCIM sync session.
///
/// `Refresh` means no usable position exists and a full resync is needed;
/// `Active` carries an opaque `cookie` (raw bytes, not interpreted by this
/// crate) that is presumably the source system's change-stream position —
/// confirm with the sync agent. On the wire the cookie is encoded as
/// unpadded URL-safe base64.
#[serde_as]
#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, ToSchema)]
pub enum ScimSyncState {
    /// No cookie: a full refresh is required.
    Refresh,
    /// Incremental state identified by an opaque cookie.
    Active {
        // Wire form is base64url without padding; the bytes themselves are
        // not validated here.
        #[serde_as(as = "base64::Base64<base64::UrlSafe, formats::Unpadded>")]
        cookie: Vec<u8>,
    },
}
19
/// What happens to existing entries that are not part of a sync request's
/// `entries` set once the request has been applied.
///
/// `Retain` and `Delete` are expressed in terms of entry UUIDs, so a
/// mistaken or attacker-influenced list can remove accounts: `Delete` with
/// an unexpected UUID removes that entry, and `Retain` with an incomplete
/// list removes everything missing from it.
#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, ToSchema)]
pub enum ScimSyncRetentionMode {
    /// No actions are to be taken - only update or create entries in the
    /// entries set.
    Ignore,
    /// All entries that have their uuid present in this set are retained.
    /// Anything not present will be deleted.
    Retain(Vec<Uuid>),
    /// Any entry with its UUID in this set will be deleted. Anything not
    /// present will be retained.
    Delete(Vec<Uuid>),
}
32
/// One batch of changes sent by a sync agent.
///
/// `from_state` is the position the agent last acknowledged and `to_state`
/// the position after this batch is applied; `entries` are the generic
/// SCIM entries to create or update and `retain` says what to do with
/// entries that are absent from that set.
///
/// Entries built from [`ScimSyncPerson`] may carry credential imports
/// (password and TOTP material), so a full request should not be written to
/// logs with `{:?}`.
#[derive(Serialize, Deserialize, Debug, Clone, PartialEq, Eq, ToSchema)]
pub struct ScimSyncRequest {
    /// Position the agent is syncing from.
    pub from_state: ScimSyncState,
    /// Position reached once this request is applied.
    pub to_state: ScimSyncState,

    // These entries are created with serde_json::to_value(ScimSyncGroup) for
    // example. This is how we can mix/match the different types.
    pub entries: Vec<ScimEntry>,

    /// Retention rule for entries not listed in `entries`.
    pub retain: ScimSyncRetentionMode,
}
44
impl ScimSyncRequest {
    /// Build a request that asks for a full refresh starting at `from_state`.
    ///
    /// The target state is [`ScimSyncState::Refresh`], no entries are
    /// carried and the retention mode is [`ScimSyncRetentionMode::Ignore`].
    pub fn need_refresh(from_state: ScimSyncState) -> Self {
        let to_state = ScimSyncState::Refresh;
        let entries = Vec::new();
        let retain = ScimSyncRetentionMode::Ignore;
        Self {
            from_state,
            to_state,
            entries,
            retain,
        }
    }
}
55
/// Common prefix of every kanidm sync schema URN below (note the trailing
/// colon).
pub const SCIM_SCHEMA_SYNC_1: &str = "urn:ietf:params:scim:schemas:kanidm:sync:1:";
/// Schema placed on every synced account/person entry by the builders.
pub const SCIM_SCHEMA_SYNC_ACCOUNT: &str = "urn:ietf:params:scim:schemas:kanidm:sync:1:account";
/// Schema placed on every synced group entry by the builders.
pub const SCIM_SCHEMA_SYNC_GROUP: &str = "urn:ietf:params:scim:schemas:kanidm:sync:1:group";
/// Schema placed on person entries alongside the account schema.
pub const SCIM_SCHEMA_SYNC_PERSON: &str = "urn:ietf:params:scim:schemas:kanidm:sync:1:person";
/// Added to a person entry when an oauth2 account provider is set.
pub const SCIM_SCHEMA_SYNC_OAUTH2_ACCOUNT: &str =
    "urn:ietf:params:scim:schemas:kanidm:sync:1:oauth2_account";
/// Added to a person entry when a gidnumber is set.
pub const SCIM_SCHEMA_SYNC_POSIXACCOUNT: &str =
    "urn:ietf:params:scim:schemas:kanidm:sync:1:posixaccount";
/// Added to a group entry when a gidnumber is set.
pub const SCIM_SCHEMA_SYNC_POSIXGROUP: &str =
    "urn:ietf:params:scim:schemas:kanidm:sync:1:posixgroup";

// Attribute names matching the fields of `ScimTotp`. Their consumer is not
// in this file; presumably they key the TOTP sub-attributes on the wire —
// confirm against the import code.
pub const SCIM_ALGO: &str = "algo";
pub const SCIM_DIGITS: &str = "digits";
pub const SCIM_SECRET: &str = "secret";
pub const SCIM_STEP: &str = "step";
71
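/// A TOTP credential carried in a sync import.
///
/// `secret` is the shared TOTP secret (its encoding is not fixed here —
/// confirm with the import code). Because it is live credential material
/// the `Debug` impl below redacts it, so that a `{:?}` of this struct or of
/// anything containing it never writes the secret into logs or error
/// messages. The other fields are printed as the derived impl would.
#[derive(Serialize, Deserialize, Clone)]
pub struct ScimTotp {
    /// maps to "label" in kanidm.
    pub external_id: String,
    /// Shared secret; redacted by the `Debug` impl.
    pub secret: String,
    /// Hash algorithm name; stored as given, not validated here.
    pub algo: String,
    /// Time step (presumably seconds — confirm with the consumer).
    pub step: u32,
    /// Number of code digits.
    pub digits: u32,
}

impl std::fmt::Debug for ScimTotp {
    /// Same layout as the derived impl, with `secret` replaced by a marker.
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_struct("ScimTotp")
            .field("external_id", &self.external_id)
            .field("secret", &"<redacted>")
            .field("algo", &self.algo)
            .field("step", &self.step)
            .field("digits", &self.digits)
            .finish()
    }
}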
81
/// An SSH public key attached to a synced person.
///
/// `value` is the public half only (presumably in OpenSSH `authorized_keys`
/// form — confirm with the consumer); `label` names the key.
#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct ScimSshPubKey {
    pub label: String,
    pub value: String,
}
87
/// A person/account entry in the kanidm sync schema.
///
/// `entry` is flattened, so on the wire the header fields (`schemas`, `id`,
/// `external_id`, `meta`) sit next to the attributes below. `None` fields are
/// omitted from output (`skip_serializing_none`); the `Vec` fields are
/// omitted when empty and default to empty on input.
///
/// `password_import`, `unix_password_import` and `totp_import` carry
/// credential material, and `Debug` is derived, so a `{:?}` of a whole
/// entry prints them — avoid logging entries at debug level.
#[skip_serializing_none]
#[derive(Serialize, Deserialize, Debug, Clone)]
#[serde(rename_all = "snake_case")]
pub struct ScimSyncPerson {
    /// Common SCIM header; flattened into this object on the wire.
    #[serde(flatten)]
    pub entry: ScimEntryHeader,

    pub name: String,
    pub displayname: String,
    /// POSIX gid; when set the builder also tags the entry with the
    /// posixaccount schema.
    pub gidnumber: Option<u32>,
    /// Credential to import (presumably a password hash — confirm with the
    /// import code).
    pub password_import: Option<String>,
    /// Separate credential for the unix/POSIX login path.
    pub unix_password_import: Option<String>,
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    pub totp_import: Vec<ScimTotp>,
    pub loginshell: Option<String>,
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    pub mail: Vec<MultiValueAttr>,
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    pub ssh_publickey: Vec<ScimSshPubKey>,
    /// Validity window bounds; format not fixed here (presumably a
    /// timestamp string — confirm with the consumer).
    pub account_valid_from: Option<String>,
    pub account_expire: Option<String>,
    /// Set together by the builder: the oauth2 provider's UUID and the
    /// user's identifier at that provider.
    pub oauth2_account_provider: Option<Uuid>,
    pub oauth2_account_unique_user_id: Option<String>,
}
112
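/// Convert a typed sync person into a generic [`ScimEntry`].
///
/// The value is serialized to JSON and parsed back as a `ScimEntry`, so the
/// result carries every attribute of the typed form, credential imports
/// included. Implemented as `TryFrom` so that the standard blanket impl
/// still provides `person.try_into()` for existing callers.
///
/// # Errors
/// Returns the `serde_json::Error` raised by either the serialization or
/// the re-parse step.
impl TryFrom<ScimSyncPerson> for ScimEntry {
    type Error = serde_json::Error;

    fn try_from(person: ScimSyncPerson) -> Result<Self, Self::Error> {
        let value = serde_json::to_value(person)?;
        serde_json::from_value(value)
    }
}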
120
/// Consuming builder for [`ScimSyncPerson`]; obtain one via
/// [`ScimSyncPerson::builder`] and finish with `build`.
pub struct ScimSyncPersonBuilder {
    // The entry under construction; only reachable through the setters.
    inner: ScimSyncPerson,
}
124
impl ScimSyncPerson {
    /// Start building a person entry with the mandatory attributes set.
    ///
    /// The header carries the account and person sync schemas, `external_id`
    /// is stored in the header, `meta` is left unset and every optional
    /// attribute starts empty. Finish with the builder's setters and
    /// [`ScimSyncPersonBuilder::build`].
    pub fn builder(
        id: Uuid,
        external_id: String,
        name: String,
        displayname: String,
    ) -> ScimSyncPersonBuilder {
        let schemas = [SCIM_SCHEMA_SYNC_ACCOUNT, SCIM_SCHEMA_SYNC_PERSON]
            .iter()
            .map(|s| s.to_string())
            .collect();
        let entry = ScimEntryHeader {
            schemas,
            id,
            external_id: Some(external_id),
            meta: None,
        };
        let inner = ScimSyncPerson {
            entry,
            name,
            displayname,
            gidnumber: None,
            password_import: None,
            unix_password_import: None,
            totp_import: Vec::new(),
            loginshell: None,
            mail: Vec::new(),
            ssh_publickey: Vec::new(),
            account_valid_from: None,
            account_expire: None,
            oauth2_account_provider: None,
            oauth2_account_unique_user_id: None,
        };
        ScimSyncPersonBuilder { inner }
    }
}
160
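impl ScimSyncPersonBuilder {
    /// Add `schema` to the entry header unless it is already listed.
    fn add_schema(&mut self, schema: &str) {
        let schemas = &mut self.inner.entry.schemas;
        if !schemas.iter().any(|s| s == schema) {
            schemas.push(schema.to_string());
        }
    }

    /// Remove every occurrence of `schema` from the entry header.
    fn remove_schema(&mut self, schema: &str) {
        self.inner.entry.schemas.retain(|s| s != schema);
    }

    /// Set or clear the credential import value (format not fixed here).
    pub fn set_password_import(mut self, password_import: Option<String>) -> Self {
        self.inner.password_import = password_import;
        self
    }

    /// Set or clear the unix/POSIX credential import value.
    pub fn set_unix_password_import(mut self, unix_password_import: Option<String>) -> Self {
        self.inner.unix_password_import = unix_password_import;
        self
    }

    /// Replace the TOTP credentials to import.
    pub fn set_totp_import(mut self, totp_import: Vec<ScimTotp>) -> Self {
        self.inner.totp_import = totp_import;
        self
    }

    /// Replace the mail attributes.
    pub fn set_mail(mut self, mail: Vec<MultiValueAttr>) -> Self {
        self.inner.mail = mail;
        self
    }

    /// Replace the SSH public keys.
    pub fn set_ssh_publickey(mut self, ssh_publickey: Vec<ScimSshPubKey>) -> Self {
        self.inner.ssh_publickey = ssh_publickey;
        self
    }

    /// Set or clear the login shell.
    pub fn set_login_shell(mut self, loginshell: Option<String>) -> Self {
        self.inner.loginshell = loginshell;
        self
    }

    /// Set or clear the start of the account's validity window.
    pub fn set_account_valid_from(mut self, account_valid_from: Option<String>) -> Self {
        self.inner.account_valid_from = account_valid_from;
        self
    }

    /// Set or clear the account's expiry.
    pub fn set_account_expire(mut self, account_expire: Option<String>) -> Self {
        self.inner.account_expire = account_expire;
        self
    }

    /// Set or clear the POSIX gidnumber.
    ///
    /// `Some` tags the entry with the posixaccount schema; `None` removes
    /// that schema again. Other schemas already on the header (for example
    /// the oauth2 account schema added by `set_oauth2_account_provider`) are
    /// left untouched, so the setters may be called in any order — rebuilding
    /// the whole schema list here used to silently drop them.
    pub fn set_gidnumber(mut self, gidnumber: Option<u32>) -> Self {
        self.inner.gidnumber = gidnumber;
        if self.inner.gidnumber.is_some() {
            self.add_schema(SCIM_SCHEMA_SYNC_POSIXACCOUNT);
        } else {
            self.remove_schema(SCIM_SCHEMA_SYNC_POSIXACCOUNT);
        }
        self
    }

    /// Link (or unlink) the person to an oauth2 account provider.
    ///
    /// `Some((provider, unique_user_id))` sets both oauth2 fields and tags the
    /// entry with the oauth2 account schema; `None` clears both fields and
    /// removes the schema. Adding the schema is idempotent, so calling this
    /// twice no longer duplicates the entry in `schemas`.
    pub fn set_oauth2_account_provider(mut self, maybe_provider: Option<(Uuid, String)>) -> Self {
        match maybe_provider {
            Some((provider, unique_user_id)) => {
                self.add_schema(SCIM_SCHEMA_SYNC_OAUTH2_ACCOUNT);
                self.inner.oauth2_account_provider = Some(provider);
                self.inner.oauth2_account_unique_user_id = Some(unique_user_id);
            }
            None => {
                self.remove_schema(SCIM_SCHEMA_SYNC_OAUTH2_ACCOUNT);
                self.inner.oauth2_account_provider = None;
                self.inner.oauth2_account_unique_user_id = None;
            }
        }
        self
    }

    /// Finish building and return the entry.
    pub fn build(self) -> ScimSyncPerson {
        self.inner
    }
}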
242
/// A group member referenced by the external system's identifier rather
/// than by a kanidm UUID.
#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct ScimExternalMember {
    pub external_id: String,
}
247
/// A group entry in the kanidm sync schema.
///
/// `entry` is flattened, so on the wire the header fields sit next to the
/// attributes below. `None` fields are omitted from output
/// (`skip_serializing_none`); `member` is omitted when empty and defaults
/// to empty on input.
#[skip_serializing_none]
#[derive(Serialize, Deserialize, Debug, Clone)]
#[serde(rename_all = "snake_case")]
pub struct ScimSyncGroup {
    /// Common SCIM header; flattened into this object on the wire.
    #[serde(flatten)]
    pub entry: ScimEntryHeader,

    pub name: String,
    pub description: Option<String>,
    /// POSIX gid; when set the builder also tags the entry with the
    /// posixgroup schema.
    pub gidnumber: Option<u32>,
    /// Members by external id; see [`ScimSyncGroupBuilder::set_members`].
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    pub member: Vec<ScimExternalMember>,
}
261
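/// Convert a typed sync group into a generic [`ScimEntry`].
///
/// The value is serialized to JSON and parsed back as a `ScimEntry`.
/// Implemented as `TryFrom` so that the standard blanket impl still
/// provides `group.try_into()` for existing callers.
///
/// # Errors
/// Returns the `serde_json::Error` raised by either the serialization or
/// the re-parse step.
impl TryFrom<ScimSyncGroup> for ScimEntry {
    type Error = serde_json::Error;

    fn try_from(group: ScimSyncGroup) -> Result<Self, Self::Error> {
        let value = serde_json::to_value(group)?;
        serde_json::from_value(value)
    }
}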
269
/// Consuming builder for [`ScimSyncGroup`]; obtain one via
/// [`ScimSyncGroup::builder`] and finish with `build`.
//
// NOTE(review): unlike `ScimSyncPersonBuilder`, this builder derives
// `Serialize`/`Deserialize` with a camelCase rename even though its only
// field is private. That looks accidental — confirm nothing relies on
// (de)serializing the builder before removing the derives.
#[derive(Serialize, Deserialize, Debug, Clone)]
#[serde(rename_all = "camelCase")]
pub struct ScimSyncGroupBuilder {
    // The entry under construction; only reachable through the setters.
    inner: ScimSyncGroup,
}
275
impl ScimSyncGroup {
    /// Start building a group entry with the mandatory attributes set.
    ///
    /// The header carries the group sync schema, `external_id` is stored in
    /// the header, `meta` is left unset, and description, gidnumber and
    /// members start empty. Finish with [`ScimSyncGroupBuilder::build`].
    pub fn builder(id: Uuid, external_id: String, name: String) -> ScimSyncGroupBuilder {
        let entry = ScimEntryHeader {
            schemas: vec![SCIM_SCHEMA_SYNC_GROUP.to_string()],
            id,
            external_id: Some(external_id),
            meta: None,
        };
        let inner = ScimSyncGroup {
            entry,
            name,
            description: None,
            gidnumber: None,
            member: Vec::new(),
        };
        ScimSyncGroupBuilder { inner }
    }
}
294
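impl ScimSyncGroupBuilder {
    /// Add `schema` to the entry header unless it is already listed.
    fn add_schema(&mut self, schema: &str) {
        let schemas = &mut self.inner.entry.schemas;
        if !schemas.iter().any(|s| s == schema) {
            schemas.push(schema.to_string());
        }
    }

    /// Remove every occurrence of `schema` from the entry header.
    fn remove_schema(&mut self, schema: &str) {
        self.inner.entry.schemas.retain(|s| s != schema);
    }

    /// Set or clear the group description.
    pub fn set_description(mut self, desc: Option<String>) -> Self {
        self.inner.description = desc;
        self
    }

    /// Set or clear the POSIX gidnumber.
    ///
    /// `Some` tags the entry with the posixgroup schema; `None` removes that
    /// schema again. The group schema set by the constructor is never touched,
    /// so the resulting list is the same as before (`[group]` or
    /// `[group, posixgroup]`) regardless of call order or repetition.
    pub fn set_gidnumber(mut self, gidnumber: Option<u32>) -> Self {
        self.inner.gidnumber = gidnumber;
        if self.inner.gidnumber.is_some() {
            self.add_schema(SCIM_SCHEMA_SYNC_POSIXGROUP);
        } else {
            self.remove_schema(SCIM_SCHEMA_SYNC_POSIXGROUP);
        }
        self
    }

    /// Replace the member list with one entry per external id yielded by
    /// `member_iter`.
    ///
    /// Accepts any `IntoIterator<Item = String>` (a `Vec<String>`, a slice
    /// `.iter().cloned()`, or an existing `Iterator`, which implements
    /// `IntoIterator` and so keeps working for current callers).
    pub fn set_members<I>(mut self, member_iter: I) -> Self
    where
        I: IntoIterator<Item = String>,
    {
        self.inner.member = member_iter
            .into_iter()
            .map(|external_id| ScimExternalMember { external_id })
            .collect();
        self
    }

    /// Finish building and return the entry.
    pub fn build(self) -> ScimSyncGroup {
        self.inner
    }
}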