feat: Start implementing IdMapping provider (#486)

Author: gtema

src/assignment/backend/sql/assignment/list.rs

@@ -198,8 +198,8 @@ pub async fn list_for_multiple_actors_and_targets(
 
 /// Select regular assignments.
 ///
-/// Return Vec<Assignment> for the regular role assignments or `None` when no corresponding targets
-/// were given in the query parameters.
+/// Return Vec<Assignment> for the regular role assignments or `None` when no
+/// corresponding targets were given in the query parameters.
 async fn list_for_multiple_actors_and_targets_regular(
     db: &DatabaseConnection,
     params: &RoleAssignmentListForMultipleActorTargetParameters,
@@ -255,8 +255,8 @@ async fn list_for_multiple_actors_and_targets_regular(
 
 /// Select system assignments.
 ///
-/// Return Vec<Assignment> for the regular role assignments or `None` when no corresponding targets
-/// were given in the query parameters.
+/// Return Vec<Assignment> for the regular role assignments or `None` when no
+/// corresponding targets were given in the query parameters.
 async fn list_for_multiple_actors_and_targets_system(
     db: &DatabaseConnection,
     params: &RoleAssignmentListForMultipleActorTargetParameters,

src/config.rs

@@ -58,10 +58,14 @@ pub struct Config {
     //#[serde(default)]
     pub database: DatabaseSection,
 
-    /// Identity provider configuration configuration.
+    /// Identity provider configuration.
     #[serde(default)]
     pub identity: IdentityProvider,
 
+    /// Identity mapping provider configuration.
+    #[serde(default)]
+    pub identity_mapping: IdentityMappingProvider,
+
     /// API policy enforcement.
     #[serde(default)]
     pub api_policy: PolicyProvider,
@@ -251,6 +255,7 @@ impl FederationProvider {
             .unwrap_or(Utc::now())
     }
 }
+
 /// Identity provider.
 #[derive(Debug, Deserialize, Clone)]
 pub struct IdentityProvider {
@@ -285,6 +290,22 @@ impl Default for IdentityProvider {
     }
 }
 
+/// Identity mapping provider.
+#[derive(Debug, Deserialize, Clone)]
+pub struct IdentityMappingProvider {
+    /// Identity provider driver.
+    #[serde(default = "default_sql_driver")]
+    pub driver: String,
+}
+
+impl Default for IdentityMappingProvider {
+    fn default() -> Self {
+        Self {
+            driver: default_sql_driver(),
+        }
+    }
+}
+
 /// Resource provider (domain, project).
 #[derive(Debug, Deserialize, Clone)]
 pub struct ResourceProvider {

src/error.rs

@@ -21,6 +21,7 @@ use crate::assignment::error::*;
 use crate::catalog::error::*;
 use crate::federation::error::*;
 use crate::identity::error::*;
+use crate::identity_mapping::error::*;
 use crate::policy::*;
 use crate::resource::error::*;
 use crate::revoke::error::*;
@@ -70,6 +71,14 @@ pub enum KeystoneError {
         source: IdentityProviderError,
     },
 
+    /// Identity mapping provider.
+    #[error(transparent)]
+    IdentityMappingError {
+        /// The source of the error.
+        #[from]
+        source: IdentityMappingError,
+    },
+
     /// IO error.
     #[error(transparent)]
     IO {

src/identity/backends/fake.rs

@@ -30,9 +30,10 @@ use crate::identity::types::*;
 
 /// List users.
 ///
-/// List users in the database. Fetch matching `user` table entries first. Afterwards fetch in
-/// parallel `local_user`, `nonlocal_user`, `federated_user`, `user_option` entries merging results
-/// to the proper entry. For the local users additionally passwords are being retrieved to identify
+/// List users in the database. Fetch matching `user` table entries first.
+/// Afterwards fetch in parallel `local_user`, `nonlocal_user`,
+/// `federated_user`, `user_option` entries merging results to the proper entry.
+/// For the local users additionally passwords are being retrieved to identify
 /// the password expiration date.
 pub async fn list(
     conf: &Config,
@@ -101,8 +102,8 @@ pub async fn list(
         )
         .await?;
 
-    // Determine the date for which users with the last activity earlier than are determined as
-    // inactive.
+    // Determine the date for which users with the last activity earlier than are
+    // determined as inactive.
     let last_activity_cutof_date = conf.get_user_last_activity_cutof_date();
 
     let mut results: Vec<UserResponse> = Vec::new();

src/identity/backends/sql/user/list.rs

@@ -12,171 +12,10 @@
 //
 // SPDX-License-Identifier: Apache-2.0
 
-use chrono::{DateTime, Utc};
-use std::collections::HashSet;
-
 pub mod group;
+pub mod provider_api;
 pub mod user;
 
-use async_trait::async_trait;
-
-use crate::auth::AuthenticatedInfo;
-use crate::identity::IdentityProviderError;
-pub use crate::identity::types::group::{Group, GroupCreate, GroupListParameters};
-pub use crate::identity::types::user::*;
-use crate::keystone::ServiceState;
-
-#[async_trait]
-pub trait IdentityApi: Send + Sync + Clone {
-    async fn authenticate_by_password(
-        &self,
-        state: &ServiceState,
-        auth: &UserPasswordAuthRequest,
-    ) -> Result<AuthenticatedInfo, IdentityProviderError>;
-
-    async fn list_users(
-        &self,
-        state: &ServiceState,
-        params: &UserListParameters,
-    ) -> Result<impl IntoIterator<Item = UserResponse>, IdentityProviderError>;
-
-    async fn get_user<'a>(
-        &self,
-        state: &ServiceState,
-        user_id: &'a str,
-    ) -> Result<Option<UserResponse>, IdentityProviderError>;
-
-    async fn find_federated_user<'a>(
-        &self,
-        state: &ServiceState,
-        idp_id: &'a str,
-        unique_id: &'a str,
-    ) -> Result<Option<UserResponse>, IdentityProviderError>;
-
-    async fn create_user(
-        &self,
-        state: &ServiceState,
-        user: UserCreate,
-    ) -> Result<UserResponse, IdentityProviderError>;
-
-    async fn delete_user<'a>(
-        &self,
-        state: &ServiceState,
-        user_id: &'a str,
-    ) -> Result<(), IdentityProviderError>;
-
-    async fn list_groups(
-        &self,
-        state: &ServiceState,
-        params: &GroupListParameters,
-    ) -> Result<impl IntoIterator<Item = Group>, IdentityProviderError>;
-
-    async fn get_group<'a>(
-        &self,
-        state: &ServiceState,
-        group_id: &'a str,
-    ) -> Result<Option<Group>, IdentityProviderError>;
-
-    async fn create_group(
-        &self,
-        state: &ServiceState,
-        group: GroupCreate,
-    ) -> Result<Group, IdentityProviderError>;
-
-    async fn delete_group<'a>(
-        &self,
-        state: &ServiceState,
-        group_id: &'a str,
-    ) -> Result<(), IdentityProviderError>;
-
-    /// List groups the user is a member of.
-    async fn list_groups_of_user<'a>(
-        &self,
-        state: &ServiceState,
-        user_id: &'a str,
-    ) -> Result<impl IntoIterator<Item = Group>, IdentityProviderError>;
-
-    /// Add the user to the single group.
-    async fn add_user_to_group<'a>(
-        &self,
-        state: &ServiceState,
-        user_id: &'a str,
-        group_id: &'a str,
-    ) -> Result<(), IdentityProviderError>;
-
-    /// Add the user to the single group with expiration.
-    async fn add_user_to_group_expiring<'a>(
-        &self,
-        state: &ServiceState,
-        user_id: &'a str,
-        group_id: &'a str,
-        idp_id: &'a str,
-    ) -> Result<(), IdentityProviderError>;
-
-    /// Add user group memberships as specified by (uid, gid) tuples.
-    async fn add_users_to_groups<'a>(
-        &self,
-        state: &ServiceState,
-        memberships: Vec<(&'a str, &'a str)>,
-    ) -> Result<(), IdentityProviderError>;
-
-    /// Add expiring user group memberships as specified by (uid, gid) tuples.
-    async fn add_users_to_groups_expiring<'a>(
-        &self,
-        state: &ServiceState,
-        memberships: Vec<(&'a str, &'a str)>,
-        idp_id: &'a str,
-    ) -> Result<(), IdentityProviderError>;
-
-    /// Remove the user from the single group.
-    async fn remove_user_from_group<'a>(
-        &self,
-        state: &ServiceState,
-        user_id: &'a str,
-        group_id: &'a str,
-    ) -> Result<(), IdentityProviderError>;
-
-    /// Remove the user from the single group with expiration.
-    async fn remove_user_from_group_expiring<'a>(
-        &self,
-        state: &ServiceState,
-        user_id: &'a str,
-        group_id: &'a str,
-        idp_id: &'a str,
-    ) -> Result<(), IdentityProviderError>;
-
-    /// Remove the user from specified groups.
-    async fn remove_user_from_groups<'a>(
-        &self,
-        state: &ServiceState,
-        user_id: &'a str,
-        group_ids: HashSet<&'a str>,
-    ) -> Result<(), IdentityProviderError>;
-
-    /// Remove the user from specified groups with expiration.
-    async fn remove_user_from_groups_expiring<'a>(
-        &self,
-        state: &ServiceState,
-        user_id: &'a str,
-        group_ids: HashSet<&'a str>,
-        idp_id: &'a str,
-    ) -> Result<(), IdentityProviderError>;
-
-    /// Set group memberships of the user.
-    async fn set_user_groups<'a>(
-        &self,
-        state: &ServiceState,
-        user_id: &'a str,
-        group_ids: HashSet<&'a str>,
-    ) -> Result<(), IdentityProviderError>;
-
-    /// Set expiring group memberships of the user.
-    async fn set_user_groups_expiring<'a>(
-        &self,
-        state: &ServiceState,
-        user_id: &'a str,
-        group_ids: HashSet<&'a str>,
-        idp_id: &'a str,
-        last_verified: Option<&'a DateTime<Utc>>,
-    ) -> Result<(), IdentityProviderError>;
-}
+pub use group::*;
+pub use provider_api::IdentityApi;
+pub use user::*;