use crate::prelude::*;
use std::collections::BTreeSet;

use super::profiles::AccessControlSearch;
use super::AccessResult;
use crate::filter::FilterValidResolved;
use std::sync::Arc;

/// Final verdict of `apply_search_access` for one candidate entry.
///
/// Produced by folding the `AccessResult` of every search access module:
/// a `Denied` from any module wins, then a `Grant`, otherwise the combined
/// attribute set is returned as `Allow`.
pub(super) enum SearchResult<'a> {
    /// At least one module refused the search; this overrides any grant or allow.
    Denied,
    /// Unrestricted access (e.g. an internal operation) and no module denied it.
    Grant,
    /// The entry may be searched, restricted to exactly these attribute names.
    /// The set may be empty when no profile matched the entry.
    Allow(BTreeSet<&'a str>),
}

/// Combine the verdicts of every search access module into one [`SearchResult`]
/// for `entry`.
///
/// Precedence: any `Denied` wins, then any `Grant`; otherwise the union of all
/// `Allow` attribute sets is returned, intersected with the union of all
/// `Constrain` sets when at least one non-empty constraint was produced.
///
/// * `ident` - the identity performing the search.
/// * `related_acp` - search profiles, each paired with the resolved filter that
///   decides whether the profile applies to an entry.
/// * `entry` - the candidate entry being tested.
pub(super) fn apply_search_access<'a>(
    ident: &Identity,
    related_acp: &'a [(&AccessControlSearch, Filter<FilterValidResolved>)],
    entry: &'a Arc<EntrySealedCommitted>,
) -> SearchResult<'a> {
    // Per-entry accumulators. They are allocated on every call; reusing them
    // across the caller's loop was considered but judged not worth the risk.
    let mut denied = false;
    let mut grant = false;
    let mut constrain: BTreeSet<&'a str> = BTreeSet::default();
    let mut allow: BTreeSet<&'a str> = BTreeSet::default();

    // Fold one module's verdict into the accumulators.
    let mut absorb = |verdict: AccessResult<'a>| match verdict {
        AccessResult::Denied => denied = true,
        AccessResult::Grant => grant = true,
        AccessResult::Ignore => {}
        AccessResult::Constrain(mut set) => constrain.append(&mut set),
        AccessResult::Allow(mut set) => allow.append(&mut set),
    };

    // The access control profiles.
    absorb(search_filter_entry(ident, related_acp, entry));
    // OAuth2 resource server visibility for members of scope-mapped groups.
    absorb(search_oauth2_filter_entry(ident, entry));
    // Further modules can be chained here in the same way.

    // Finalise: deny beats grant beats allow.
    if denied {
        return SearchResult::Denied;
    }
    if grant {
        return SearchResult::Grant;
    }
    // NOTE: an empty constrain set is read as "no constraint", not as "nothing
    // allowed". Neither module in this file returns Constrain today, so the
    // intersection branch is currently unexercised.
    let allowed_attrs = if constrain.is_empty() {
        allow
    } else {
        // Set intersection.
        &constrain & &allow
    };
    SearchResult::Allow(allowed_attrs)
}

/// Evaluate the search access control profiles against `entry`.
///
/// Internal identities bypass the profiles entirely (`Grant`); synchronisation
/// identities, and identities whose access scope is `Synchronise`, are refused
/// (`Denied`). For every other identity the result is `Allow` with the union
/// of the `attrs` of each profile whose filter matches `entry`; an entry that
/// no profile matches yields an empty set.
fn search_filter_entry<'a>(
    ident: &Identity,
    related_acp: &'a [(&AccessControlSearch, Filter<FilterValidResolved>)],
    entry: &'a Arc<EntrySealedCommitted>,
) -> AccessResult<'a> {
    // Origin gate: only user identities reach the profile evaluation below.
    let short_circuit = match &ident.origin {
        IdentType::Internal => {
            trace!("Internal operation, bypassing access check");
            // No need to check ACS
            Some(AccessResult::Grant)
        }
        IdentType::Synch(_) => {
            security_critical!("Blocking sync check");
            Some(AccessResult::Denied)
        }
        IdentType::User(_) => None,
    };
    if let Some(verdict) = short_circuit {
        return verdict;
    }
    info!(event = %ident, "Access check for search (filter) event");

    // Scope gate. Kept as an exhaustive match so a new AccessScope variant has
    // to be classified here instead of being silently permitted.
    let scope_may_search = match ident.access_scope() {
        AccessScope::Synchronise => false,
        AccessScope::ReadOnly | AccessScope::ReadWrite => true,
    };
    if !scope_may_search {
        security_access!("denied ❌ - identity access scope is not permitted to search");
        return AccessResult::Denied;
    }

    // Union of the attrs of every profile whose filter matches this entry.
    let mut allowed_attrs: BTreeSet<&str> = BTreeSet::new();
    for (acs, f_res) in related_acp.iter() {
        if entry.entry_match_no_index(f_res) {
            security_access!(entry = ?entry.get_uuid(), acs = %acs.acp.name, "entry matches acs");
            allowed_attrs.extend(acs.attrs.iter().map(|s| s.as_str()));
        } else {
            // Possibly worth promoting to `security_access!`.
            trace!(entry = ?entry.get_uuid(), acs = %acs.acp.name, "entry DOES NOT match acs");
        }
    }

    AccessResult::Allow(allowed_attrs)
}

/// OAuth2 resource-server visibility module.
///
/// For a user identity: if `entry` carries the class `oauth2_resource_server`
/// and the identity is a member of any group that `entry`'s
/// `oauth2_rs_scope_map` grants a scope to, allow a fixed set of descriptive
/// attributes. In every other case (including internal and synchronisation
/// identities) this module returns `Ignore` and leaves the decision to the
/// other modules.
fn search_oauth2_filter_entry<'a>(
    ident: &Identity,
    entry: &'a Arc<EntrySealedCommitted>,
) -> AccessResult<'a> {
    let iuser = match &ident.origin {
        IdentType::Internal | IdentType::Synch(_) => return AccessResult::Ignore,
        IdentType::User(iuser) => iuser,
    };

    // Is the entry an oauth2 resource server at all?
    let is_o2_rs = match entry.get_ava_as_iutf8("class") {
        Some(set) => {
            trace!(?set);
            set.contains("oauth2_resource_server")
        }
        None => false,
    };

    // Does any group keyed in the entry's scope map appear in the identity's
    // memberof? `get_memberof` is only consulted when a scope map exists.
    let is_scope_member = match entry.get_ava_as_oauthscopemaps("oauth2_rs_scope_map") {
        Some(maps) => ident
            .get_memberof()
            .map_or(false, |mo| maps.keys().any(|k| mo.contains(k))),
        None => false,
    };

    if !(is_o2_rs && is_scope_member) {
        return AccessResult::Ignore;
    }

    security_access!(entry = ?entry.get_uuid(), ident = ?iuser.entry.get_uuid2rdn(), "ident is a memberof a group granted an oauth2 scope by this entry");

    // Only these attributes of the resource server are exposed by this module.
    AccessResult::Allow(BTreeSet::from([
        "class",
        "displayname",
        "uuid",
        "oauth2_rs_name",
        "oauth2_rs_origin",
        "oauth2_rs_origin_landing",
    ]))
}