1use crate::entry::EntryInitNew;
2use crate::prelude::*;
3use crate::value::CredentialType;
4
5use kanidm_proto::internal::{Filter, OperationError, UiHint};
6
/// Declarative definition of a group the server provisions itself.
///
/// A definition is turned into an entry by the `TryFrom<BuiltinGroup> for
/// EntryInitNew` impl below, which is also where the invariants noted on the
/// fields are enforced.
#[derive(Clone, Debug, Default)]
pub struct BuiltinGroup {
    /// Entry name; stored as an iname value.
    pub name: &'static str,
    /// Human readable description stored on the entry.
    pub description: &'static str,
    /// Fixed UUID. Must be below `DYNAMIC_RANGE_MINIMUM_UUID` or the
    /// conversion is rejected.
    pub uuid: uuid::Uuid,
    /// Static members, stored as references. Must be empty when `dyngroup`
    /// is set.
    pub members: Vec<uuid::Uuid>,
    /// Entry allowed to manage this group (`entry_managed_by`), if any.
    pub entry_managed_by: Option<uuid::Uuid>,
    /// When true the entry additionally gets the `DynGroup` class and
    /// `dyngroup_filter` becomes mandatory.
    pub dyngroup: bool,
    /// Membership filter for a dynamic group. Ignored when `dyngroup` is
    /// false.
    pub dyngroup_filter: Option<Filter>,
    /// Extra (attribute, value) pairs added to the entry verbatim, e.g. the
    /// account-policy attributes on the dynamic groups below.
    pub extra_attributes: Vec<(Attribute, Value)>,
}
19
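/// Builds the startup entry for a [`BuiltinGroup`], validating the definition
/// on the way.
///
/// The UUID must sit below `DYNAMIC_RANGE_MINIMUM_UUID`; builtin entries are
/// kept in the reserved range, presumably so they can never collide with a
/// UUID allocated dynamically at runtime.
///
/// # Errors
///
/// * `OperationError::InvalidUuid` — the UUID is not in the reserved range.
/// * `OperationError::InvalidSchemaState` — a dynamic group also lists static
///   members; the two membership modes are mutually exclusive here.
/// * `OperationError::FilterGeneration` — a dynamic group has no
///   `dyngroup_filter`.
impl TryFrom<BuiltinGroup> for EntryInitNew {
    type Error = OperationError;

    fn try_from(val: BuiltinGroup) -> Result<Self, OperationError> {
        let mut entry = EntryInitNew::new();

        if val.uuid >= DYNAMIC_RANGE_MINIMUM_UUID {
            // The message used to say "Builtin ACP", which pointed anyone
            // reading the log at the wrong constants; this conversion is for
            // groups.
            error!("Builtin group has invalid UUID! {:?}", val);
            return Err(OperationError::InvalidUuid);
        }

        entry.add_ava(Attribute::Name, Value::new_iname(val.name));
        entry.add_ava(Attribute::Description, Value::new_utf8s(val.description));
        // Base classes; a dynamic group adds `DynGroup` on top below.
        entry.set_ava(
            Attribute::Class,
            vec![EntryClass::Group.into(), EntryClass::Object.into()],
        );

        if val.dyngroup {
            if !val.members.is_empty() {
                return Err(OperationError::InvalidSchemaState(format!(
                    "Builtin dyngroup {} has members specified, this is not allowed",
                    val.name
                )));
            }
            entry.add_ava(Attribute::Class, EntryClass::DynGroup.to_value());
            match val.dyngroup_filter {
                Some(filter) => entry.add_ava(Attribute::DynGroupFilter, Value::JsonFilt(filter)),
                None => {
                    error!(
                        "No filter specified for dyngroup '{}' this is going to break things!",
                        val.name
                    );
                    return Err(OperationError::FilterGeneration);
                }
            };
        }
        // NOTE: a `dyngroup_filter` on a definition with `dyngroup: false` is
        // dropped here without any diagnostic; only the static `members` list
        // is applied.

        if let Some(entry_manager) = val.entry_managed_by {
            entry.add_ava(Attribute::EntryManagedBy, Value::Refer(entry_manager));
        }

        entry.add_ava(Attribute::Uuid, Value::Uuid(val.uuid));
        // `set_ava` is called even when `members` is empty (every dynamic
        // group reaches this point with an empty list).
        entry.set_ava(
            Attribute::Member,
            val.members.into_iter().map(Value::Refer).collect::<Vec<Value>>(),
        );
        // Definition-supplied extras are added verbatim, after everything else.
        for (attr, value) in val.extra_attributes {
            entry.add_ava(attr, value);
        }
        Ok(entry)
    }
}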
78
// Top-level administrative groups. Both admin groups manage themselves; every
// other builtin group in this file is managed by one of them (directly or via
// a delegate group).
lazy_static! {
    /// System administrators. Seeded with `UUID_ADMIN`; manages itself.
    pub static ref BUILTIN_GROUP_SYSTEM_ADMINS_V1: BuiltinGroup = BuiltinGroup {
        name: NAME_SYSTEM_ADMINS,
        description: "Builtin System Administrators Group.",
        uuid: UUID_SYSTEM_ADMINS,
        entry_managed_by: Some(UUID_SYSTEM_ADMINS),
        members: vec![UUID_ADMIN],
        ..Default::default()
    };

    /// IDM administrators. Seeded with `UUID_IDM_ADMIN`; manages itself.
    pub static ref BUILTIN_GROUP_IDM_ADMINS_V1: BuiltinGroup = BuiltinGroup {
        name: NAME_IDM_ADMINS,
        description: "Builtin IDM Administrators Group.",
        uuid: UUID_IDM_ADMINS,
        entry_managed_by: Some(UUID_IDM_ADMINS),
        members: vec![UUID_IDM_ADMIN],
        ..Default::default()
    };

    /// Service desk. No initial members; managed by the IDM administrators.
    pub static ref BUILTIN_GROUP_SERVICE_DESK: BuiltinGroup = BuiltinGroup {
        name: "idm_service_desk",
        description: "Builtin Service Desk Group.",
        uuid: UUID_IDM_SERVICE_DESK,
        entry_managed_by: Some(UUID_IDM_ADMINS),
        members: vec![],
        ..Default::default()
    };
}
110
// Delegated administration groups. The pattern throughout: the group is
// seeded with, and managed by, either the system admins or the IDM admins;
// "server" groups (radius/mail servers) are managed by the matching admin
// group rather than by an admin group directly.
lazy_static! {
    /// Recycle bin administration. Seeded with and managed by system admins.
    pub static ref BUILTIN_GROUP_RECYCLE_BIN_ADMINS: BuiltinGroup = BuiltinGroup {
        name: "idm_recycle_bin_admins",
        description: "Builtin Recycle Bin Administrators Group.",
        uuid: UUID_IDM_RECYCLE_BIN_ADMINS,
        entry_managed_by: Some(UUID_SYSTEM_ADMINS),
        members: vec![UUID_SYSTEM_ADMINS],
        ..Default::default()
    };

    /// Domain administration. Seeded with and managed by system admins.
    pub static ref BUILTIN_GROUP_DOMAIN_ADMINS: BuiltinGroup = BuiltinGroup {
        name: "domain_admins",
        description: "Builtin IDM Group for granting local domain administration rights and trust administration rights.",
        uuid: UUID_DOMAIN_ADMINS,
        entry_managed_by: Some(UUID_SYSTEM_ADMINS),
        members: vec![UUID_SYSTEM_ADMINS],
        ..Default::default()
    };

    /// Schema administration. Seeded with and managed by system admins.
    pub static ref BUILTIN_GROUP_SCHEMA_ADMINS: BuiltinGroup = BuiltinGroup {
        name: "idm_schema_admins",
        description: "Builtin Schema Administration Group.",
        uuid: UUID_IDM_SCHEMA_ADMINS,
        entry_managed_by: Some(UUID_SYSTEM_ADMINS),
        members: vec![UUID_SYSTEM_ADMINS],
        ..Default::default()
    };

    /// Access control administration. Seeded with and managed by system
    /// admins; also the manager of `IDM_ACCOUNT_MAIL_READ` and
    /// `IDM_HIGH_PRIVILEGE_DL8` below.
    pub static ref BUILTIN_GROUP_ACCESS_CONTROL_ADMINS: BuiltinGroup = BuiltinGroup {
        name: "idm_access_control_admins",
        description: "Builtin Access Control Administration Group.",
        entry_managed_by: Some(UUID_SYSTEM_ADMINS),
        uuid: UUID_IDM_ACCESS_CONTROL_ADMINS,
        members: vec![UUID_SYSTEM_ADMINS],
        ..Default::default()
    };

    /// People administration. Seeded with and managed by IDM admins.
    pub static ref BUILTIN_GROUP_PEOPLE_ADMINS: BuiltinGroup = BuiltinGroup {
        name: "idm_people_admins",
        description: "Builtin People Administration Group.",
        uuid: UUID_IDM_PEOPLE_ADMINS,
        entry_managed_by: Some(UUID_IDM_ADMINS),
        members: vec![UUID_IDM_ADMINS],
        ..Default::default()
    };

    /// People on-boarding. No initial members; managed by IDM admins.
    pub static ref BUILTIN_GROUP_PEOPLE_ON_BOARDING: BuiltinGroup = BuiltinGroup {
        name: "idm_people_on_boarding",
        description: "Builtin People On Boarding Group.",
        uuid: UUID_IDM_PEOPLE_ON_BOARDING,
        entry_managed_by: Some(UUID_IDM_ADMINS),
        members: vec![],
        ..Default::default()
    };

    /// Elevated read of personal data. No initial members; managed by IDM
    /// admins. Listed in `IDM_HIGH_PRIVILEGE_DL8`.
    pub static ref BUILTIN_GROUP_PEOPLE_PII_READ: BuiltinGroup = BuiltinGroup {
        name: NAME_IDM_PEOPLE_PII_READ,
        description: "Builtin IDM Group for granting elevated people (personal data) read permissions.",
        uuid: UUID_IDM_PEOPLE_PII_READ,
        entry_managed_by: Some(UUID_IDM_ADMINS),
        members: vec![],
        ..Default::default()
    };

    /// Self-service name writes. Seeded with the `idm_all_persons` dynamic
    /// group, so by default every person is a member; managed by IDM admins.
    pub static ref BUILTIN_GROUP_PEOPLE_SELF_NAME_WRITE_DL7: BuiltinGroup = BuiltinGroup {
        name: "idm_people_self_name_write",
        description: "Builtin IDM Group denoting users that can write to their own name attributes.",
        uuid: UUID_IDM_PEOPLE_SELF_NAME_WRITE,
        entry_managed_by: Some(UUID_IDM_ADMINS),
        members: vec![
            UUID_IDM_ALL_PERSONS
        ],
        ..Default::default()
    };

    /// Service account administration. Seeded with and managed by IDM admins.
    pub static ref BUILTIN_GROUP_SERVICE_ACCOUNT_ADMINS: BuiltinGroup = BuiltinGroup {
        name: "idm_service_account_admins",
        description: "Builtin Service Account Administration Group.",
        uuid: UUID_IDM_SERVICE_ACCOUNT_ADMINS,
        entry_managed_by: Some(UUID_IDM_ADMINS),
        members: vec![UUID_IDM_ADMINS],
        ..Default::default()
    };

    /// OAuth2 integration administration. Seeded with and managed by IDM
    /// admins.
    pub static ref BUILTIN_GROUP_OAUTH2_ADMINS: BuiltinGroup = BuiltinGroup {
        name: "idm_oauth2_admins",
        description: "Builtin Oauth2 Integration Administration Group.",
        uuid: UUID_IDM_OAUTH2_ADMINS,
        entry_managed_by: Some(UUID_IDM_ADMINS),
        members: vec![UUID_IDM_ADMINS],
        ..Default::default()
    };

    /// RADIUS administration. Seeded with and managed by IDM admins; manages
    /// `BUILTIN_IDM_RADIUS_SERVERS_V1`.
    pub static ref BUILTIN_GROUP_RADIUS_SERVICE_ADMINS: BuiltinGroup = BuiltinGroup {
        name: "idm_radius_service_admins",
        description: "Builtin Radius Administration Group.",
        uuid: UUID_IDM_RADIUS_ADMINS,
        entry_managed_by: Some(UUID_IDM_ADMINS),
        members: vec![UUID_IDM_ADMINS],
        ..Default::default()
    };

    /// RADIUS server delegation. No initial members; managed by the RADIUS
    /// admins. Listed in `IDM_HIGH_PRIVILEGE_DL8`.
    pub static ref BUILTIN_IDM_RADIUS_SERVERS_V1: BuiltinGroup = BuiltinGroup {
        name: "idm_radius_servers",
        description: "Builtin IDM Group for RADIUS server access delegation.",
        uuid: UUID_IDM_RADIUS_SERVERS,
        entry_managed_by: Some(UUID_IDM_RADIUS_ADMINS),
        members: vec![
        ],
        ..Default::default()
    };

    /// Mail server administration. Seeded with and managed by IDM admins;
    /// manages `BUILTIN_IDM_MAIL_SERVERS_DL8`.
    pub static ref BUILTIN_GROUP_MAIL_SERVICE_ADMINS_DL8: BuiltinGroup = BuiltinGroup {
        name: "idm_mail_service_admins",
        description: "Builtin Mail Server Administration Group.",
        uuid: UUID_IDM_MAIL_ADMINS,
        entry_managed_by: Some(UUID_IDM_ADMINS),
        members: vec![UUID_IDM_ADMINS],
        ..Default::default()
    };

    /// Mail server delegation. No initial members; managed by the mail admins.
    /// NOTE(review): unlike `idm_radius_servers`, this group is not listed in
    /// `IDM_HIGH_PRIVILEGE_DL8` — confirm that is intentional.
    pub static ref BUILTIN_IDM_MAIL_SERVERS_DL8: BuiltinGroup = BuiltinGroup {
        name: "idm_mail_servers",
        description: "Builtin IDM Group for MAIL server access delegation.",
        uuid: UUID_IDM_MAIL_SERVERS,
        entry_managed_by: Some(UUID_IDM_MAIL_ADMINS),
        members: vec![
        ],
        ..Default::default()
    };

    /// Account policy administration. Seeded with and managed by IDM admins.
    pub static ref BUILTIN_GROUP_ACCOUNT_POLICY_ADMINS: BuiltinGroup = BuiltinGroup {
        name: "idm_account_policy_admins",
        description: "Builtin Account Policy Administration Group.",
        uuid: UUID_IDM_ACCOUNT_POLICY_ADMINS,
        entry_managed_by: Some(UUID_IDM_ADMINS),
        members: vec![UUID_IDM_ADMINS],
        ..Default::default()
    };

    /// Unix administration. Seeded with and managed by IDM admins; manages
    /// `BUILTIN_GROUP_IDM_UNIX_AUTHENTICATION_READ_V1`.
    pub static ref BUILTIN_GROUP_UNIX_ADMINS: BuiltinGroup = BuiltinGroup {
        name: "idm_unix_admins",
        description: "Builtin Unix Administration Group.",
        uuid: UUID_IDM_UNIX_ADMINS,
        entry_managed_by: Some(UUID_IDM_ADMINS),
        members: vec![UUID_IDM_ADMINS],
        ..Default::default()
    };

    /// Unix authentication read. Seeded with `UUID_ANONYMOUS`, so whatever
    /// access this group confers is reachable without authentication by
    /// default — keep that in mind when widening its access controls.
    /// Managed by the unix admins.
    pub static ref BUILTIN_GROUP_IDM_UNIX_AUTHENTICATION_READ_V1: BuiltinGroup = BuiltinGroup {
        name: "idm_unix_authentication_read",
        description: "Builtin IDM group allowing service accounts to read and authenticate unix users.",
        uuid: UUID_IDM_UNIX_AUTHENTICATION_READ,
        entry_managed_by: Some(UUID_IDM_UNIX_ADMINS),
        members: vec![
            UUID_ANONYMOUS,
        ],
        ..Default::default()
    };


    /// Client certificate administration. Seeded with and managed by IDM
    /// admins.
    pub static ref BUILTIN_GROUP_CLIENT_CERTIFICATE_ADMINS_DL7: BuiltinGroup = BuiltinGroup {
        name: "idm_client_certificate_admins",
        description: "Builtin Client Certificate Administration Group.",
        uuid: UUID_IDM_CLIENT_CERTIFICATE_ADMINS,
        entry_managed_by: Some(UUID_IDM_ADMINS),
        members: vec![UUID_IDM_ADMINS],
        ..Default::default()
    };

    /// Group administration. Seeded with and managed by IDM admins.
    pub static ref IDM_GROUP_ADMINS_V1: BuiltinGroup = BuiltinGroup {
        name: "idm_group_admins",
        description: "Builtin IDM Group for granting elevated group write and lifecycle permissions.",
        uuid: UUID_IDM_GROUP_ADMINS,
        entry_managed_by: Some(UUID_IDM_ADMINS),
        members: vec![UUID_IDM_ADMINS],
        ..Default::default()
    };

    /// Self-service mail writes. No initial members.
    /// NOTE(review): no `entry_managed_by` is set (defaults to `None`),
    /// unlike its sibling `idm_people_self_name_write`, which is managed by
    /// IDM admins and seeded with all persons — confirm both differences are
    /// intended.
    pub static ref IDM_PEOPLE_SELF_MAIL_WRITE_DL7: BuiltinGroup = BuiltinGroup {
        name: "idm_people_self_mail_write",
        description: "Builtin IDM Group for people accounts to update their own mail.",
        uuid: UUID_IDM_PEOPLE_SELF_MAIL_WRITE,
        members: Vec::with_capacity(0),
        ..Default::default()
    };

    /// Message administration. Seeded with and managed by IDM admins; manages
    /// `BUILTIN_GROUP_MESSAGE_SENDERS`.
    pub static ref BUILTIN_GROUP_MESSAGE_ADMINS: BuiltinGroup = BuiltinGroup {
        name: "idm_message_admins",
        description: "Builtin Message Administration Group.",
        uuid: UUID_IDM_MESSAGE_ADMINS,
        entry_managed_by: Some(UUID_IDM_ADMINS),
        members: vec![UUID_IDM_ADMINS],
        ..Default::default()
    };

    /// Message senders. No initial members; managed by the message admins.
    pub static ref BUILTIN_GROUP_MESSAGE_SENDERS: BuiltinGroup = BuiltinGroup {
        name: "idm_message_senders",
        description: "Builtin IDM Group for message senders to read and process queued messages.",
        uuid: UUID_IDM_MESSAGE_SENDERS,
        entry_managed_by: Some(UUID_IDM_MESSAGE_ADMINS),
        members: Vec::with_capacity(0),
        ..Default::default()
    };

    /// OAuth2 client administration. Seeded with and managed by system admins.
    /// NOTE(review): the description is identical to the one on
    /// `BUILTIN_GROUP_OAUTH2_ACCOUNT_ADMINS` below and does not mention
    /// OAuth2 clients — confirm it is not a copy-paste.
    pub static ref BUILTIN_GROUP_OAUTH2_CLIENT_ADMINS: BuiltinGroup = BuiltinGroup {
        name: "idm_oauth2_client_admins",
        description: "Builtin Domain Trust Administration Group.",
        uuid: UUID_IDM_OAUTH2_CLIENT_ADMINS,
        entry_managed_by: Some(UUID_SYSTEM_ADMINS),
        members: vec![UUID_SYSTEM_ADMINS],
        ..Default::default()
    };

    /// OAuth2 account administration. Seeded with and managed by IDM admins.
    /// NOTE(review): shares its description with the client admins group
    /// above — confirm the wording is intended.
    pub static ref BUILTIN_GROUP_OAUTH2_ACCOUNT_ADMINS: BuiltinGroup = BuiltinGroup {
        name: "idm_oauth2_account_admins",
        description: "Builtin Domain Trust Administration Group.",
        uuid: UUID_IDM_OAUTH2_ACCOUNT_ADMINS,
        entry_managed_by: Some(UUID_IDM_ADMINS),
        members: vec![UUID_IDM_ADMINS],
        ..Default::default()
    };
}
353
// Dynamic groups, the high-privilege audit group and the remaining
// delegation groups.
lazy_static! {
    /// Dynamic group of every entry that is both a `Person` and an `Account`.
    /// It carries the `AccountPolicy` and `System` classes and sets
    /// `CredentialTypeMinimum` to `Mfa`, so that policy reaches every person
    /// through this membership. No `entry_managed_by` is set.
    pub static ref IDM_ALL_PERSONS: BuiltinGroup = BuiltinGroup {
        name: "idm_all_persons",
        description: "Builtin IDM dynamic group containing all persons.",
        uuid: UUID_IDM_ALL_PERSONS,
        members: Vec::with_capacity(0),
        dyngroup: true,
        dyngroup_filter: Some(
            Filter::And(vec![
                Filter::Eq(Attribute::Class.to_string(), EntryClass::Person.to_string()),
                Filter::Eq(Attribute::Class.to_string(), EntryClass::Account.to_string()),
            ])
        ),
        extra_attributes: vec![
            (Attribute::Class, EntryClass::AccountPolicy.to_value()),
            (Attribute::Class, EntryClass::System.to_value()),
            (Attribute::CredentialTypeMinimum, CredentialType::Mfa.into()),
        ],
        ..Default::default()
    };

    /// Dynamic group of every `Account` entry (persons and service accounts
    /// alike). Carries the `AccountPolicy` and `System` classes but, unlike
    /// `IDM_ALL_PERSONS`, sets no credential-type minimum. No
    /// `entry_managed_by` is set.
    pub static ref IDM_ALL_ACCOUNTS: BuiltinGroup = BuiltinGroup {
        name: NAME_IDM_ALL_ACCOUNTS,
        description: "Builtin IDM dynamic group containing all entries that can authenticate.",
        uuid: UUID_IDM_ALL_ACCOUNTS,
        members: Vec::with_capacity(0),
        dyngroup: true,
        dyngroup_filter: Some(
                Filter::Eq(Attribute::Class.to_string(), EntryClass::Account.to_string()),
        ),
        extra_attributes: vec![
            (Attribute::Class, EntryClass::AccountPolicy.to_value()),
            (Attribute::Class, EntryClass::System.to_value()),
        ],
        ..Default::default()
    };


    /// Opt-in group for experimental web UI features, expressed as a
    /// `GrantUiHint` on the group. No initial members; managed by IDM admins.
    pub static ref IDM_UI_ENABLE_EXPERIMENTAL_FEATURES: BuiltinGroup = BuiltinGroup {
        name: "idm_ui_enable_experimental_features",
        description: "Members of this group will have access to experimental web UI features.",
        uuid: UUID_IDM_UI_ENABLE_EXPERIMENTAL_FEATURES,
        entry_managed_by: Some(UUID_IDM_ADMINS),
        extra_attributes: vec![
            (Attribute::GrantUiHint, Value::UiHint(UiHint::ExperimentalFeatures))
        ],
        ..Default::default()
    };

    /// Mail attribute read across all persons and service accounts. No
    /// initial members; managed by the access control admins.
    pub static ref IDM_ACCOUNT_MAIL_READ: BuiltinGroup = BuiltinGroup {
        name: "idm_account_mail_read",
        description: "Members of this group will have access to read the mail attribute of all persons and service accounts.",
        entry_managed_by: Some(UUID_IDM_ACCESS_CONTROL_ADMINS),
        uuid: UUID_IDM_ACCOUNT_MAIL_READ,
        ..Default::default()
    };

    /// Audit group enumerating the builtin groups with high levels of access.
    /// Managed by the access control admins. Note that it lists itself
    /// (`UUID_IDM_HIGH_PRIVILEGE`) as a member, so changes to this group are
    /// covered by the same scrutiny. Membership here is maintained by hand:
    /// any new privileged builtin group must be added to this list as well.
    pub static ref IDM_HIGH_PRIVILEGE_DL8: BuiltinGroup = BuiltinGroup {
        name: "idm_high_privilege",
        uuid: UUID_IDM_HIGH_PRIVILEGE,
        entry_managed_by: Some(UUID_IDM_ACCESS_CONTROL_ADMINS),
        description: "Builtin IDM provided groups with high levels of access that should be audited and limited in modification.",
        members: vec![
            UUID_SYSTEM_ADMINS,
            UUID_IDM_ADMINS,
            UUID_DOMAIN_ADMINS,
            UUID_IDM_SERVICE_DESK,
            UUID_IDM_RECYCLE_BIN_ADMINS,
            UUID_IDM_SCHEMA_ADMINS,
            UUID_IDM_ACCESS_CONTROL_ADMINS,
            UUID_IDM_OAUTH2_ADMINS,
            UUID_IDM_RADIUS_ADMINS,
            UUID_IDM_ACCOUNT_POLICY_ADMINS,
            UUID_IDM_RADIUS_SERVERS,
            UUID_IDM_GROUP_ADMINS,
            UUID_IDM_UNIX_ADMINS,
            UUID_IDM_PEOPLE_PII_READ,
            UUID_IDM_PEOPLE_ADMINS,
            UUID_IDM_PEOPLE_ON_BOARDING,
            UUID_IDM_SERVICE_ACCOUNT_ADMINS,
            UUID_IDM_CLIENT_CERTIFICATE_ADMINS,
            UUID_IDM_APPLICATION_ADMINS,
            UUID_IDM_MAIL_ADMINS,
            UUID_IDM_MESSAGE_ADMINS,
            UUID_IDM_MESSAGE_SENDERS,
            UUID_IDM_OAUTH2_CLIENT_ADMINS,
            UUID_IDM_OAUTH2_ACCOUNT_ADMINS,
            UUID_IDM_HIGH_PRIVILEGE,
            // NOTE(review): UUID_IDM_MAIL_SERVERS and UUID_IDM_ACCOUNT_MAIL_READ
            // are absent although UUID_IDM_RADIUS_SERVERS and
            // UUID_IDM_PEOPLE_PII_READ are listed — confirm this is intended.
        ],
        ..Default::default()
    };

    /// Application administration. Seeded with and managed by IDM admins.
    pub static ref BUILTIN_GROUP_APPLICATION_ADMINS_DL8: BuiltinGroup = BuiltinGroup {
        name: "idm_application_admins",
        uuid: UUID_IDM_APPLICATION_ADMINS,
        description: "Builtin Application Administration Group.",
        entry_managed_by: Some(UUID_IDM_ADMINS),
        members: vec![UUID_IDM_ADMINS],
        ..Default::default()
    };
}