mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-24 13:07:00 +01:00
Code Issues Actions 10 Packages Projects Releases Wiki Activity
kanidm/kanidmd/lib/src/constants/mod.rs

88 lines
3 KiB
Rust
Raw Normal View History

29 password badlisting (#158) Implements #29 password badlist and quality checking. This checks all new passwords are at least length 10, pass zxcvbn and are not container in a badlist. The current badlist is a preprocessed content of rockyou from seclists, but later wwe'll update this to the top 10million badlist which when processed is about 70k entries..
2019-12-12 23:49:32 +01:00
// Re-export as needed
122 password import design (#196) Implements #122 password import. This adds most of the server core framework to allow password imports from other sources, with new types easily able to be added in credential.rs.
2020-03-26 23:27:07 +01:00
pub mod acp;
pub mod entries;
pub mod schema;
29 password badlisting (#158) Implements #29 password badlist and quality checking. This checks all new passwords are at least length 10, pass zxcvbn and are not container in a badlist. The current badlist is a preprocessed content of rockyou from seclists, but later wwe'll update this to the top 10million badlist which when processed is about 70k entries..
2019-12-12 23:49:32 +01:00
pub mod system_config;
122 password import design (#196) Implements #122 password import. This adds most of the server core framework to allow password imports from other sources, with new types easily able to be added in credential.rs.
2020-03-26 23:27:07 +01:00
pub mod uuids;
20221001 refactor (#1090)
2022-10-05 01:48:48 +02:00
pub mod values;
122 password import design (#196) Implements #122 password import. This adds most of the server core framework to allow password imports from other sources, with new types easily able to be added in credential.rs.
2020-03-26 23:27:07 +01:00
pub use crate::constants::acp::*;
pub use crate::constants::entries::*;
pub use crate::constants::schema::*;
pub use crate::constants::system_config::*;
pub use crate::constants::uuids::*;
20221001 refactor (#1090)
2022-10-05 01:48:48 +02:00
pub use crate::constants::values::*;
29 password badlisting (#158) Implements #29 password badlist and quality checking. This checks all new passwords are at least length 10, pass zxcvbn and are not container in a badlist. The current badlist is a preprocessed content of rockyou from seclists, but later wwe'll update this to the top 10million badlist which when processed is about 70k entries..
2019-12-12 23:49:32 +01:00
406 session revocation (#1123)
2022-10-17 12:09:47 +02:00
use std::time::Duration;
127 domain info type (#150) Implements #127 and #125. This adds domain_info support, and spn types and generation. It also correctly handles domain renaming, and has tooling to support this. It "should" work on an upgrade, due to the correct bump of index version, but I plan to test this from a backup of my production instance soon.
2019-11-29 01:48:22 +01:00
// Increment this as we add new schema types and values!!!
20230125 pre rel cleanup (#1347)
2023-01-25 07:09:54 +01:00
pub const SYSTEM_INDEX_VERSION: i64 = 28;
1121 multiple totp (#1325)
2023-01-17 05:14:11 +01:00
/*
* domain functional levels
*
* The idea here is to allow topology wide upgrades to be performed. We have to
* assume that across multiple kanidm instances there may be cases where we have version
* N and version N minus 1 as upgrades are rolled out.
*
* Imagine we set up a new cluster. Machine A and B both have level 1 support.
* We upgrade machine A. It has support up to level 2, but machine B does not.
* So the overall functional level is level 1. Then we upgrade B, which supports
* up to level 2. We still don't do the upgrade! The topology is still level 1
* unless an admin at this point *intervenes* and forces the update. OR what
* happens we we update machine A again and it now supports up to level 3, with
* a target level of 2. So we update machine A now to level 2, and that can
* still replicate to machine B since it also supports level 2.
*
* effectively it means that "some features" may be a "release behind" for users
* who don't muck with the levels, but it means that we can do mixed version
* upgrades.
*/
pub const DOMAIN_LEVEL_1: u32 = 1;
// The minimum supported domain functional level
pub const DOMAIN_MIN_LEVEL: u32 = DOMAIN_LEVEL_1;
// The target supported domain functional level
pub const DOMAIN_TGT_LEVEL: u32 = DOMAIN_LEVEL_1;
// The maximum supported domain functional level
pub const DOMAIN_MAX_LEVEL: u32 = DOMAIN_LEVEL_1;
20190607 authentication (#55) Implement #2 anonymous authentication. This also puts into place the majority of the authentication framework, and starts to build the IDM layers ontop of the DB engine.
2019-07-12 07:28:46 +02:00
// On test builds, define to 60 seconds
#[cfg(test)]
Optimized all possible constant values using const Replace all replaceable static declarations with const values. Ref: https://github.com/rust-lang/rfcs/blob/61e3dc9c1e32b9d7f72427d93e2d263a8899b0aa/text/0246-const-vs-static.md
2020-05-03 08:44:01 +02:00
pub const PURGE_FREQUENCY: u64 = 60;
20200322 132 recyclebin 2 (#193) Implements #132, the recycle bin. This completes the feature, with working API's, front end tests and CLI tooling. It also includes a refactor of the CLI tools to make them a bit easier to manage/work with.
2020-03-24 23:21:49 +01:00
// For production, 10 minutes.
20190607 authentication (#55) Implement #2 anonymous authentication. This also puts into place the majority of the authentication framework, and starts to build the IDM layers ontop of the DB engine.
2019-07-12 07:28:46 +02:00
#[cfg(not(test))]
Optimized all possible constant values using const Replace all replaceable static declarations with const values. Ref: https://github.com/rust-lang/rfcs/blob/61e3dc9c1e32b9d7f72427d93e2d263a8899b0aa/text/0246-const-vs-static.md
2020-05-03 08:44:01 +02:00
pub const PURGE_FREQUENCY: u64 = 600;
20200322 132 recyclebin 2 (#193) Implements #132, the recycle bin. This completes the feature, with working API's, front end tests and CLI tooling. It also includes a refactor of the CLI tools to make them a bit easier to manage/work with.
2020-03-24 23:21:49 +01:00
#[cfg(test)]
/// In test, we limit the changelog to 10 minutes.
Optimized all possible constant values using const Replace all replaceable static declarations with const values. Ref: https://github.com/rust-lang/rfcs/blob/61e3dc9c1e32b9d7f72427d93e2d263a8899b0aa/text/0246-const-vs-static.md
2020-05-03 08:44:01 +02:00
pub const CHANGELOG_MAX_AGE: u64 = 600;
20200322 132 recyclebin 2 (#193) Implements #132, the recycle bin. This completes the feature, with working API's, front end tests and CLI tooling. It also includes a refactor of the CLI tools to make them a bit easier to manage/work with.
2020-03-24 23:21:49 +01:00
#[cfg(not(test))]
/// A replica may be less than 1 day out of sync and catch up.
Optimized all possible constant values using const Replace all replaceable static declarations with const values. Ref: https://github.com/rust-lang/rfcs/blob/61e3dc9c1e32b9d7f72427d93e2d263a8899b0aa/text/0246-const-vs-static.md
2020-05-03 08:44:01 +02:00
pub const CHANGELOG_MAX_AGE: u64 = 86400;
20200322 132 recyclebin 2 (#193) Implements #132, the recycle bin. This completes the feature, with working API's, front end tests and CLI tooling. It also includes a refactor of the CLI tools to make them a bit easier to manage/work with.
2020-03-24 23:21:49 +01:00
#[cfg(test)]
/// In test, we limit the recyclebin to 5 minutes.
Optimized all possible constant values using const Replace all replaceable static declarations with const values. Ref: https://github.com/rust-lang/rfcs/blob/61e3dc9c1e32b9d7f72427d93e2d263a8899b0aa/text/0246-const-vs-static.md
2020-05-03 08:44:01 +02:00
pub const RECYCLEBIN_MAX_AGE: u64 = 300;
20200322 132 recyclebin 2 (#193) Implements #132, the recycle bin. This completes the feature, with working API's, front end tests and CLI tooling. It also includes a refactor of the CLI tools to make them a bit easier to manage/work with.
2020-03-24 23:21:49 +01:00
#[cfg(not(test))]
/// In production we allow 1 week
101 idlcache (#224) Fixes #101, concurrent caching of IDL and Entries. This yields a 10% improvement for test case execution, and 35% for tests run under --release mode. A lot of code around the code base was needed to be touched due to the extra need for mut in some operations and some lifetimes, but the majority of the work was in idl_arc_sqlite.rs, which has the cache layer. There are many performance gains yet to see, but most of those will come through improvement of the concread ARC and it's related BTree implementation.
2020-05-11 13:12:32 +02:00
pub const RECYCLEBIN_MAX_AGE: u64 = 604_800;
20200322 132 recyclebin 2 (#193) Implements #132, the recycle bin. This completes the feature, with working API's, front end tests and CLI tooling. It also includes a refactor of the CLI tools to make them a bit easier to manage/work with.
2020-03-24 23:21:49 +01:00
60 authsession gc (#80) Implements #60 authsession garbage collection. If we assume that an authsession is around 1024 bytes (this assumes a 16 char name + groups + claims) then this means that in 1Gb of ram we can store about 1 million in progress auth attempts. Obviously, we don't want infinite memory growth, but we can't use an LRU cache due to the future desire to use concurrent trees. So instead we prune the tree based on a timeout when we start and auth operation. Auth session id's are generated from a timestamp similar to how we'll generate replication csn's. We can then apply a diff that will split all items lower than the csn/sid and remove them from future consideration. We set the default timeout to 5 minutes. This means that assuming 10,000 auths per second, we would require 3GB of ram to process these sessions before they are expired. We expect any deployment with such large loadings can affort 3Gb of ram :)
2019-09-06 05:04:58 +02:00
// 5 minute auth session window.
Optimized all possible constant values using const Replace all replaceable static declarations with const values. Ref: https://github.com/rust-lang/rfcs/blob/61e3dc9c1e32b9d7f72427d93e2d263a8899b0aa/text/0246-const-vs-static.md
2020-05-03 08:44:01 +02:00
pub const AUTH_SESSION_TIMEOUT: u64 = 300;
12 totp (#201) Implements #12, TOTP. This adds support for TOTP to the api and server, with server side token generation, authentication and the correct URI for encoding into QR codes for client token addition. Some extra measures have been taken such as in the stepped auth to always notify on the success or failure of the TOTP first (regardless of order) to prevent PW bruteforce attacks.
2020-04-10 07:50:45 +02:00
// 5 minute mfa reg window
Optimized all possible constant values using const Replace all replaceable static declarations with const values. Ref: https://github.com/rust-lang/rfcs/blob/61e3dc9c1e32b9d7f72427d93e2d263a8899b0aa/text/0246-const-vs-static.md
2020-05-03 08:44:01 +02:00
pub const MFAREG_SESSION_TIMEOUT: u64 = 300;
pub const PW_MIN_LENGTH: usize = 10;
414 clear stale credentials (#447)
2021-05-26 08:11:00 +02:00
// Default
pub const AUTH_SESSION_EXPIRY: u64 = 3600;
406 session revocation (#1123)
2022-10-17 12:09:47 +02:00
// The time that a token can be used before session
// status is enforced. This needs to be longer than
// replication delay/cycle.
pub const GRACE_WINDOW: Duration = Duration::from_secs(600);
/// How long access tokens should last. This is NOT the length
/// of the refresh token, which is bound to the issuing session.
pub const OAUTH2_ACCESS_TOKEN_EXPIRY: u32 = 4 * 3600;
Reference in a new issue Copy permalink