orca/
kani.rs

1use kanidm_client::{KanidmClient, KanidmClientBuilder};
2
3use crate::error::Error;
4use crate::profile::Profile;
5
6// This client contains our admin and idm_admin connections that are
7// pre-authenticated for use against the kanidm server. In addition,
8// new clients can be requested for our test actors.
9pub struct KanidmOrcaClient {
10    #[allow(dead_code)]
11    admin_client: KanidmClient,
12    idm_admin_client: KanidmClient,
13    // In future we probably need a way to connect to all the nodes?
14    // Or we just need all their uris.
15}
16
17impl KanidmOrcaClient {
18    pub async fn new(profile: &Profile) -> Result<Self, Error> {
19        let admin_client = KanidmClientBuilder::new()
20            .address(profile.control_uri().to_string())
21            .danger_accept_invalid_hostnames(true)
22            .danger_accept_invalid_certs(true)
23            .request_timeout(1200)
24            .build()
25            .map_err(|err| {
26                error!(?err, "Unable to create kanidm client");
27                Error::KanidmClient
28            })?;
29
30        admin_client
31            .auth_simple_password("admin", profile.admin_password())
32            .await
33            .map_err(|err| {
34                error!(?err, "Unable to authenticate as admin");
35                Error::KanidmClient
36            })?;
37
38        let idm_admin_client = admin_client.new_session().map_err(|err| {
39            error!(?err, "Unable to create new session");
40            Error::KanidmClient
41        })?;
42
43        idm_admin_client
44            .auth_simple_password("idm_admin", profile.idm_admin_password())
45            .await
46            .map_err(|err| {
47                error!(?err, "Unable to authenticate as idm_admin");
48                Error::KanidmClient
49            })?;
50
51        Ok(KanidmOrcaClient {
52            admin_client,
53            idm_admin_client,
54        })
55    }
56
57    pub async fn disable_mfa_requirement(&self) -> Result<(), Error> {
58        self.idm_admin_client
59            .group_account_policy_credential_type_minimum_set("idm_all_persons", "any")
60            .await
61            .map_err(|err| {
62                error!(?err, "Unable to modify idm_all_persons policy");
63                Error::KanidmClient
64            })
65    }
66
67    pub async fn extend_privilege_expiry(&self) -> Result<(), Error> {
68        self.idm_admin_client
69            .group_account_policy_privilege_expiry_set("idm_all_persons", 3600)
70            .await
71            .map_err(|err| {
72                error!(?err, "Unable to modify idm_all_persons policy");
73                Error::KanidmClient
74            })?;
75
76        self.idm_admin_client
77            .group_account_policy_privilege_expiry_set("idm_all_accounts", 3600)
78            .await
79            .map_err(|err| {
80                error!(?err, "Unable to modify idm_all_accounts policy");
81                Error::KanidmClient
82            })
83    }
84
85    pub async fn person_exists(&self, username: &str) -> Result<bool, Error> {
86        self.idm_admin_client
87            .idm_person_account_get(username)
88            .await
89            .map(|e| e.is_some())
90            .map_err(|err| {
91                error!(?err, ?username, "Unable to check person");
92                Error::KanidmClient
93            })
94    }
95
96    pub async fn person_create(&self, username: &str, display_name: &str) -> Result<(), Error> {
97        self.idm_admin_client
98            .idm_person_account_create(username, display_name)
99            .await
100            .map_err(|err| {
101                error!(?err, ?username, "Unable to create person");
102                Error::KanidmClient
103            })
104    }
105
106    pub async fn person_set_primary_password_only(
107        &self,
108        username: &str,
109        password: &str,
110    ) -> Result<(), Error> {
111        self.idm_admin_client
112            .idm_person_account_primary_credential_set_password(username, password)
113            .await
114            .map_err(|err| {
115                error!(?err, ?username, "Unable to set person password");
116                Error::KanidmClient
117            })
118    }
119
120    pub async fn group_set_members(&self, group_name: &str, members: &[&str]) -> Result<(), Error> {
121        self.idm_admin_client
122            .idm_group_set_members(group_name, members)
123            .await
124            .map_err(|err| {
125                error!(?err, ?group_name, "Unable to set group members");
126                Error::KanidmClient
127            })
128    }
129
130    pub async fn group_add_members(&self, group_name: &str, members: &[&str]) -> Result<(), Error> {
131        self.idm_admin_client
132            .idm_group_add_members(group_name, members)
133            .await
134            .map_err(|err| {
135                error!(?err, ?group_name, "Unable to add group members");
136                Error::KanidmClient
137            })
138    }
139
140    pub async fn group_exists(&self, group_name: &str) -> Result<bool, Error> {
141        self.idm_admin_client
142            .idm_group_get(group_name)
143            .await
144            .map(|e| e.is_some())
145            .map_err(|err| {
146                error!(?err, ?group_name, "Unable to check group");
147                Error::KanidmClient
148            })
149    }
150
151    pub async fn group_create(&self, group_name: &str) -> Result<(), Error> {
152        self.idm_admin_client
153            .idm_group_create(group_name, Some("idm_admins"))
154            .await
155            .map_err(|err| {
156                error!(?err, ?group_name, "Unable to create group");
157                Error::KanidmClient
158            })
159    }
160}