kanidmd_lib/migration_data/dl12/
groups.rs

1use crate::entry::EntryInitNew;
2use crate::prelude::*;
3use crate::value::CredentialType;
4
5use kanidm_proto::internal::{Filter, OperationError, UiHint};
6
7#[derive(Clone, Debug, Default)]
8/// Built-in group definitions
9pub struct BuiltinGroup {
10    pub name: &'static str,
11    pub description: &'static str,
12    pub uuid: uuid::Uuid,
13    pub members: Vec<uuid::Uuid>,
14    pub entry_managed_by: Option<uuid::Uuid>,
15    pub dyngroup: bool,
16    pub dyngroup_filter: Option<Filter>,
17    pub extra_attributes: Vec<(Attribute, Value)>,
18}
19
20impl TryFrom<BuiltinGroup> for EntryInitNew {
21    type Error = OperationError;
22
23    fn try_from(val: BuiltinGroup) -> Result<Self, OperationError> {
24        let mut entry = EntryInitNew::new();
25
26        if val.uuid >= DYNAMIC_RANGE_MINIMUM_UUID {
27            error!("Builtin ACP has invalid UUID! {:?}", val);
28            return Err(OperationError::InvalidUuid);
29        }
30
31        entry.add_ava(Attribute::Name, Value::new_iname(val.name));
32        entry.add_ava(Attribute::Description, Value::new_utf8s(val.description));
33        // classes for groups
34        entry.set_ava(
35            Attribute::Class,
36            vec![EntryClass::Group.into(), EntryClass::Object.into()],
37        );
38        if val.dyngroup {
39            if !val.members.is_empty() {
40                return Err(OperationError::InvalidSchemaState(format!(
41                    "Builtin dyngroup {} has members specified, this is not allowed",
42                    val.name
43                )));
44            }
45            entry.add_ava(Attribute::Class, EntryClass::DynGroup.to_value());
46            match val.dyngroup_filter {
47                Some(filter) => entry.add_ava(Attribute::DynGroupFilter, Value::JsonFilt(filter)),
48                None => {
49                    error!(
50                        "No filter specified for dyngroup '{}' this is going to break things!",
51                        val.name
52                    );
53                    return Err(OperationError::FilterGeneration);
54                }
55            };
56        }
57
58        if let Some(entry_manager) = val.entry_managed_by {
59            entry.add_ava(Attribute::EntryManagedBy, Value::Refer(entry_manager));
60        }
61
62        entry.add_ava(Attribute::Uuid, Value::Uuid(val.uuid));
63        entry.set_ava(
64            Attribute::Member,
65            val.members
66                .into_iter()
67                .map(Value::Refer)
68                .collect::<Vec<Value>>(),
69        );
70        // add any extra attributes
71        val.extra_attributes
72            .into_iter()
73            .for_each(|(attr, val)| entry.add_ava(attr, val));
74        // all done!
75        Ok(entry)
76    }
77}
78
79lazy_static! {
80    // There are our built in "roles". They encapsulate some higher level collections
81    // of roles. The intent is to allow a pretty generic and correct by default set
82    // of these use cases.
83    pub static ref BUILTIN_GROUP_SYSTEM_ADMINS_V1: BuiltinGroup = BuiltinGroup {
84        name: NAME_SYSTEM_ADMINS,
85        description: "Builtin System Administrators Group.",
86        uuid: UUID_SYSTEM_ADMINS,
87        entry_managed_by: Some(UUID_SYSTEM_ADMINS),
88        members: vec![UUID_ADMIN],
89        ..Default::default()
90    };
91
92    pub static ref BUILTIN_GROUP_IDM_ADMINS_V1: BuiltinGroup = BuiltinGroup {
93        name: NAME_IDM_ADMINS,
94        description: "Builtin IDM Administrators Group.",
95        uuid: UUID_IDM_ADMINS,
96        entry_managed_by: Some(UUID_IDM_ADMINS),
97        members: vec![UUID_IDM_ADMIN],
98        ..Default::default()
99    };
100
101    pub static ref BUILTIN_GROUP_SERVICE_DESK: BuiltinGroup = BuiltinGroup {
102        name: "idm_service_desk",
103        description: "Builtin Service Desk Group.",
104        uuid: UUID_IDM_SERVICE_DESK,
105        entry_managed_by: Some(UUID_IDM_ADMINS),
106        members: vec![],
107        ..Default::default()
108    };
109}
110
111lazy_static! {
112    // These are the "finer" roles. They encapsulate different concepts in the system.
113    // The next section is the "system style" roles. These adjust the operation of
114    // kanidm and relate to it's internals and how it functions.
115    pub static ref BUILTIN_GROUP_RECYCLE_BIN_ADMINS: BuiltinGroup = BuiltinGroup {
116        name: "idm_recycle_bin_admins",
117        description: "Builtin Recycle Bin Administrators Group.",
118        uuid: UUID_IDM_RECYCLE_BIN_ADMINS,
119        entry_managed_by: Some(UUID_SYSTEM_ADMINS),
120        members: vec![UUID_SYSTEM_ADMINS],
121        ..Default::default()
122    };
123
124    /// Builtin IDM Group for granting local domain administration rights and trust administration rights
125    pub static ref BUILTIN_GROUP_DOMAIN_ADMINS: BuiltinGroup = BuiltinGroup {
126        name: "domain_admins",
127        description: "Builtin IDM Group for granting local domain administration rights and trust administration rights.",
128        uuid: UUID_DOMAIN_ADMINS,
129        entry_managed_by: Some(UUID_SYSTEM_ADMINS),
130        members: vec![UUID_SYSTEM_ADMINS],
131        ..Default::default()
132    };
133
134    pub static ref BUILTIN_GROUP_SCHEMA_ADMINS: BuiltinGroup = BuiltinGroup {
135        name: "idm_schema_admins",
136        description: "Builtin Schema Administration Group.",
137        uuid: UUID_IDM_SCHEMA_ADMINS,
138        entry_managed_by: Some(UUID_SYSTEM_ADMINS),
139        members: vec![UUID_SYSTEM_ADMINS],
140        ..Default::default()
141    };
142
143    pub static ref BUILTIN_GROUP_ACCESS_CONTROL_ADMINS: BuiltinGroup = BuiltinGroup {
144        name: "idm_access_control_admins",
145        description: "Builtin Access Control Administration Group.",
146        entry_managed_by: Some(UUID_SYSTEM_ADMINS),
147        uuid: UUID_IDM_ACCESS_CONTROL_ADMINS,
148        members: vec![UUID_SYSTEM_ADMINS],
149        ..Default::default()
150    };
151
152    // These are the IDM roles. They concern application integration, user permissions
153    // and credential security management.
154
155    /// Builtin IDM Group for managing persons and their account details
156    pub static ref BUILTIN_GROUP_PEOPLE_ADMINS: BuiltinGroup = BuiltinGroup {
157        name: "idm_people_admins",
158        description: "Builtin People Administration Group.",
159        uuid: UUID_IDM_PEOPLE_ADMINS,
160        entry_managed_by: Some(UUID_IDM_ADMINS),
161        members: vec![UUID_IDM_ADMINS],
162        ..Default::default()
163    };
164
165    pub static ref BUILTIN_GROUP_PEOPLE_ON_BOARDING: BuiltinGroup = BuiltinGroup {
166        name: "idm_people_on_boarding",
167        description: "Builtin People On Boarding Group.",
168        uuid: UUID_IDM_PEOPLE_ON_BOARDING,
169        entry_managed_by: Some(UUID_IDM_ADMINS),
170        members: vec![],
171        ..Default::default()
172    };
173
174    /// Builtin IDM Group for granting elevated people (personal data) read permissions.
175    pub static ref BUILTIN_GROUP_PEOPLE_PII_READ: BuiltinGroup = BuiltinGroup {
176        name: NAME_IDM_PEOPLE_PII_READ,
177        description: "Builtin IDM Group for granting elevated people (personal data) read permissions.",
178        uuid: UUID_IDM_PEOPLE_PII_READ,
179        entry_managed_by: Some(UUID_IDM_ADMINS),
180        members: vec![],
181        ..Default::default()
182    };
183
184    /// Builtin IDM Group for granting people the ability to write to their own name attributes.
185    pub static ref BUILTIN_GROUP_PEOPLE_SELF_NAME_WRITE_DL7: BuiltinGroup = BuiltinGroup {
186        name: "idm_people_self_name_write",
187        description: "Builtin IDM Group denoting users that can write to their own name attributes.",
188        uuid: UUID_IDM_PEOPLE_SELF_NAME_WRITE,
189        entry_managed_by: Some(UUID_IDM_ADMINS),
190        members: vec![
191            UUID_IDM_ALL_PERSONS
192        ],
193        ..Default::default()
194    };
195
196    pub static ref BUILTIN_GROUP_SERVICE_ACCOUNT_ADMINS: BuiltinGroup = BuiltinGroup {
197        name: "idm_service_account_admins",
198        description: "Builtin Service Account Administration Group.",
199        uuid: UUID_IDM_SERVICE_ACCOUNT_ADMINS,
200        entry_managed_by: Some(UUID_IDM_ADMINS),
201        members: vec![UUID_IDM_ADMINS],
202        ..Default::default()
203    };
204
205    /// Builtin IDM Group for managing oauth2 resource server integrations to this authentication domain.
206    pub static ref BUILTIN_GROUP_OAUTH2_ADMINS: BuiltinGroup = BuiltinGroup {
207        name: "idm_oauth2_admins",
208        description: "Builtin Oauth2 Integration Administration Group.",
209        uuid: UUID_IDM_OAUTH2_ADMINS,
210        entry_managed_by: Some(UUID_IDM_ADMINS),
211        members: vec![UUID_IDM_ADMINS],
212        ..Default::default()
213    };
214
215    pub static ref BUILTIN_GROUP_RADIUS_SERVICE_ADMINS: BuiltinGroup = BuiltinGroup {
216        name: "idm_radius_service_admins",
217        description: "Builtin Radius Administration Group.",
218        uuid: UUID_IDM_RADIUS_ADMINS,
219        entry_managed_by: Some(UUID_IDM_ADMINS),
220        members: vec![UUID_IDM_ADMINS],
221        ..Default::default()
222    };
223
224    /// Builtin IDM Group for RADIUS server access delegation.
225    pub static ref BUILTIN_IDM_RADIUS_SERVERS_V1: BuiltinGroup = BuiltinGroup {
226        name: "idm_radius_servers",
227        description: "Builtin IDM Group for RADIUS server access delegation.",
228        uuid: UUID_IDM_RADIUS_SERVERS,
229        entry_managed_by: Some(UUID_IDM_RADIUS_ADMINS),
230        members: vec![
231        ],
232        ..Default::default()
233    };
234
235    pub static ref BUILTIN_GROUP_MAIL_SERVICE_ADMINS_DL8: BuiltinGroup = BuiltinGroup {
236        name: "idm_mail_service_admins",
237        description: "Builtin Mail Server Administration Group.",
238        uuid: UUID_IDM_MAIL_ADMINS,
239        entry_managed_by: Some(UUID_IDM_ADMINS),
240        members: vec![UUID_IDM_ADMINS],
241        ..Default::default()
242    };
243
244    /// Builtin IDM Group for MAIL server Access delegation.
245    pub static ref BUILTIN_IDM_MAIL_SERVERS_DL8: BuiltinGroup = BuiltinGroup {
246        name: "idm_mail_servers",
247        description: "Builtin IDM Group for MAIL server access delegation.",
248        uuid: UUID_IDM_MAIL_SERVERS,
249        entry_managed_by: Some(UUID_IDM_MAIL_ADMINS),
250        members: vec![
251        ],
252        ..Default::default()
253    };
254
255    pub static ref BUILTIN_GROUP_ACCOUNT_POLICY_ADMINS: BuiltinGroup = BuiltinGroup {
256        name: "idm_account_policy_admins",
257        description: "Builtin Account Policy Administration Group.",
258        uuid: UUID_IDM_ACCOUNT_POLICY_ADMINS,
259        entry_managed_by: Some(UUID_IDM_ADMINS),
260        members: vec![UUID_IDM_ADMINS],
261        ..Default::default()
262    };
263
264    /// Builtin IDM Group for managing posix/unix attributes on groups and users.
265    pub static ref BUILTIN_GROUP_UNIX_ADMINS: BuiltinGroup = BuiltinGroup {
266        name: "idm_unix_admins",
267        description: "Builtin Unix Administration Group.",
268        uuid: UUID_IDM_UNIX_ADMINS,
269        entry_managed_by: Some(UUID_IDM_ADMINS),
270        members: vec![UUID_IDM_ADMINS],
271        ..Default::default()
272    };
273
274    pub static ref BUILTIN_GROUP_IDM_UNIX_AUTHENTICATION_READ_V1: BuiltinGroup = BuiltinGroup {
275        name: "idm_unix_authentication_read",
276        description: "Builtin IDM group allowing service accounts to read and authenticate unix users.",
277        uuid: UUID_IDM_UNIX_AUTHENTICATION_READ,
278        entry_managed_by: Some(UUID_IDM_UNIX_ADMINS),
279        members: vec![
280            // This is to maintain compatibility right now, but will CHANGE in future.
281            UUID_ANONYMOUS,
282        ],
283        ..Default::default()
284    };
285
286
287    /// Builtin IDM Group for managing client authentication certificates.
288    pub static ref BUILTIN_GROUP_CLIENT_CERTIFICATE_ADMINS_DL7: BuiltinGroup = BuiltinGroup {
289        name: "idm_client_certificate_admins",
290        description: "Builtin Client Certificate Administration Group.",
291        uuid: UUID_IDM_CLIENT_CERTIFICATE_ADMINS,
292        entry_managed_by: Some(UUID_IDM_ADMINS),
293        members: vec![UUID_IDM_ADMINS],
294        ..Default::default()
295    };
296
297    /// Builtin IDM Group for granting elevated group write and lifecycle permissions.
298    pub static ref IDM_GROUP_ADMINS_V1: BuiltinGroup = BuiltinGroup {
299        name: "idm_group_admins",
300        description: "Builtin IDM Group for granting elevated group write and lifecycle permissions.",
301        uuid: UUID_IDM_GROUP_ADMINS,
302        entry_managed_by: Some(UUID_IDM_ADMINS),
303        members: vec![UUID_IDM_ADMINS],
304        ..Default::default()
305    };
306
307    /// Self-write of mail
308    pub static ref IDM_PEOPLE_SELF_MAIL_WRITE_DL7: BuiltinGroup = BuiltinGroup {
309        name: "idm_people_self_mail_write",
310        description: "Builtin IDM Group for people accounts to update their own mail.",
311        uuid: UUID_IDM_PEOPLE_SELF_MAIL_WRITE,
312        members: Vec::with_capacity(0),
313        ..Default::default()
314    };
315}
316
317// at some point vs code just gives up on syntax highlighting inside lazy_static...
318lazy_static! {
319    pub static ref IDM_ALL_PERSONS: BuiltinGroup = BuiltinGroup {
320        name: "idm_all_persons",
321        description: "Builtin IDM dynamic group containing all persons.",
322        uuid: UUID_IDM_ALL_PERSONS,
323        members: Vec::with_capacity(0),
324        dyngroup: true,
325        dyngroup_filter: Some(
326            Filter::And(vec![
327                Filter::Eq(Attribute::Class.to_string(), EntryClass::Person.to_string()),
328                Filter::Eq(Attribute::Class.to_string(), EntryClass::Account.to_string()),
329            ])
330        ),
331        extra_attributes: vec![
332            // Enable account policy by default
333            (Attribute::Class, EntryClass::AccountPolicy.to_value()),
334            // Enforce this is a system protected object
335            (Attribute::Class, EntryClass::System.to_value()),
336            // MFA By Default
337            (Attribute::CredentialTypeMinimum, CredentialType::Mfa.into()),
338        ],
339        ..Default::default()
340    };
341
342    pub static ref IDM_ALL_ACCOUNTS: BuiltinGroup = BuiltinGroup {
343        name: NAME_IDM_ALL_ACCOUNTS,
344        description: "Builtin IDM dynamic group containing all entries that can authenticate.",
345        uuid: UUID_IDM_ALL_ACCOUNTS,
346        members: Vec::with_capacity(0),
347        dyngroup: true,
348        dyngroup_filter: Some(
349                Filter::Eq(Attribute::Class.to_string(), EntryClass::Account.to_string()),
350        ),
351        extra_attributes: vec![
352            // Enable account policy by default
353            (Attribute::Class, EntryClass::AccountPolicy.to_value()),
354            // Enforce this is a system protected object
355            (Attribute::Class, EntryClass::System.to_value()),
356        ],
357        ..Default::default()
358    };
359
360
361    pub static ref IDM_UI_ENABLE_EXPERIMENTAL_FEATURES: BuiltinGroup = BuiltinGroup {
362        name: "idm_ui_enable_experimental_features",
363        description: "Members of this group will have access to experimental web UI features.",
364        uuid: UUID_IDM_UI_ENABLE_EXPERIMENTAL_FEATURES,
365        entry_managed_by: Some(UUID_IDM_ADMINS),
366        extra_attributes: vec![
367            (Attribute::GrantUiHint, Value::UiHint(UiHint::ExperimentalFeatures))
368        ],
369        ..Default::default()
370    };
371
372    /// Members of this group will have access to read the mail attribute of all persons and service accounts.
373    pub static ref IDM_ACCOUNT_MAIL_READ: BuiltinGroup = BuiltinGroup {
374        name: "idm_account_mail_read",
375        description: "Members of this group will have access to read the mail attribute of all persons and service accounts.",
376        entry_managed_by: Some(UUID_IDM_ACCESS_CONTROL_ADMINS),
377        uuid: UUID_IDM_ACCOUNT_MAIL_READ,
378        ..Default::default()
379    };
380
381    /// This must be the last group to init to include the UUID of the other high priv groups.
382    pub static ref IDM_HIGH_PRIVILEGE_DL8: BuiltinGroup = BuiltinGroup {
383        name: "idm_high_privilege",
384        uuid: UUID_IDM_HIGH_PRIVILEGE,
385        entry_managed_by: Some(UUID_IDM_ACCESS_CONTROL_ADMINS),
386        description: "Builtin IDM provided groups with high levels of access that should be audited and limited in modification.",
387        members: vec![
388            UUID_SYSTEM_ADMINS,
389            UUID_IDM_ADMINS,
390            UUID_DOMAIN_ADMINS,
391            UUID_IDM_SERVICE_DESK,
392            UUID_IDM_RECYCLE_BIN_ADMINS,
393            UUID_IDM_SCHEMA_ADMINS,
394            UUID_IDM_ACCESS_CONTROL_ADMINS,
395            UUID_IDM_OAUTH2_ADMINS,
396            UUID_IDM_RADIUS_ADMINS,
397            UUID_IDM_ACCOUNT_POLICY_ADMINS,
398            UUID_IDM_RADIUS_SERVERS,
399            UUID_IDM_GROUP_ADMINS,
400            UUID_IDM_UNIX_ADMINS,
401            UUID_IDM_PEOPLE_PII_READ,
402            UUID_IDM_PEOPLE_ADMINS,
403            UUID_IDM_PEOPLE_ON_BOARDING,
404            UUID_IDM_SERVICE_ACCOUNT_ADMINS,
405            UUID_IDM_CLIENT_CERTIFICATE_ADMINS,
406            UUID_IDM_APPLICATION_ADMINS,
407            UUID_IDM_MAIL_ADMINS,
408            UUID_IDM_HIGH_PRIVILEGE,
409        ],
410        ..Default::default()
411    };
412
413    pub static ref BUILTIN_GROUP_APPLICATION_ADMINS_DL8: BuiltinGroup = BuiltinGroup {
414        name: "idm_application_admins",
415        uuid: UUID_IDM_APPLICATION_ADMINS,
416        description: "Builtin Application Administration Group.",
417        entry_managed_by: Some(UUID_IDM_ADMINS),
418        members: vec![UUID_IDM_ADMINS],
419        ..Default::default()
420    };
421}