2019-12-12 23:49:32 +01:00
|
|
|
// Re-export as needed
|
2020-03-26 23:27:07 +01:00
|
|
|
|
|
|
|
|
pub mod acp;
|
|
|
|
|
pub mod entries;
|
|
|
|
|
pub mod schema;
|
2019-12-12 23:49:32 +01:00
|
|
|
pub mod system_config;
|
2020-03-26 23:27:07 +01:00
|
|
|
pub mod uuids;
|
2022-10-05 01:48:48 +02:00
|
|
|
pub mod values;
|
2020-03-26 23:27:07 +01:00
|
|
|
|
|
|
|
|
pub use crate::constants::acp::*;
|
|
|
|
|
pub use crate::constants::entries::*;
|
|
|
|
|
pub use crate::constants::schema::*;
|
|
|
|
|
pub use crate::constants::system_config::*;
|
|
|
|
|
pub use crate::constants::uuids::*;
|
2022-10-05 01:48:48 +02:00
|
|
|
pub use crate::constants::values::*;
|
2019-12-12 23:49:32 +01:00
|
|
|
|
2022-10-17 12:09:47 +02:00
|
|
|
use std::time::Duration;
|
|
|
|
|
|
2019-11-29 01:48:22 +01:00
|
|
|
// Increment this as we add new schema types and values!!!
|
2023-01-25 07:09:54 +01:00
|
|
|
pub const SYSTEM_INDEX_VERSION: i64 = 28;
|
2023-01-17 05:14:11 +01:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* domain functional levels
|
|
|
|
|
*
|
|
|
|
|
* The idea here is to allow topology wide upgrades to be performed. We have to
|
|
|
|
|
* assume that across multiple kanidm instances there may be cases where we have version
|
|
|
|
|
* N and version N minus 1 as upgrades are rolled out.
|
|
|
|
|
*
|
|
|
|
|
* Imagine we set up a new cluster. Machine A and B both have level 1 support.
|
|
|
|
|
* We upgrade machine A. It has support up to level 2, but machine B does not.
|
|
|
|
|
* So the overall functional level is level 1. Then we upgrade B, which supports
|
|
|
|
|
* up to level 2. We still don't do the upgrade! The topology is still level 1
|
|
|
|
|
* unless an admin at this point *intervenes* and forces the update. OR what
|
|
|
|
|
* happens we we update machine A again and it now supports up to level 3, with
|
|
|
|
|
* a target level of 2. So we update machine A now to level 2, and that can
|
|
|
|
|
* still replicate to machine B since it also supports level 2.
|
|
|
|
|
*
|
|
|
|
|
* effectively it means that "some features" may be a "release behind" for users
|
|
|
|
|
* who don't muck with the levels, but it means that we can do mixed version
|
|
|
|
|
* upgrades.
|
|
|
|
|
*/
|
2023-02-15 01:25:51 +01:00
|
|
|
pub type DomainVersion = u32;
|
|
|
|
|
|
|
|
|
|
pub const DOMAIN_LEVEL_1: DomainVersion = 1;
|
2023-01-17 05:14:11 +01:00
|
|
|
// The minimum supported domain functional level
|
2023-02-15 01:25:51 +01:00
|
|
|
pub const DOMAIN_MIN_LEVEL: DomainVersion = DOMAIN_LEVEL_1;
|
2023-01-17 05:14:11 +01:00
|
|
|
// The target supported domain functional level
|
2023-02-15 01:25:51 +01:00
|
|
|
pub const DOMAIN_TGT_LEVEL: DomainVersion = DOMAIN_LEVEL_1;
|
2023-01-17 05:14:11 +01:00
|
|
|
// The maximum supported domain functional level
|
2023-02-15 01:25:51 +01:00
|
|
|
pub const DOMAIN_MAX_LEVEL: DomainVersion = DOMAIN_LEVEL_1;
|
2023-01-17 05:14:11 +01:00
|
|
|
|
2019-07-12 07:28:46 +02:00
|
|
|
// On test builds, define to 60 seconds
|
|
|
|
|
#[cfg(test)]
|
2020-05-03 08:44:01 +02:00
|
|
|
pub const PURGE_FREQUENCY: u64 = 60;
|
2020-03-24 23:21:49 +01:00
|
|
|
// For production, 10 minutes.
|
2019-07-12 07:28:46 +02:00
|
|
|
#[cfg(not(test))]
|
2020-05-03 08:44:01 +02:00
|
|
|
pub const PURGE_FREQUENCY: u64 = 600;
|
2020-03-24 23:21:49 +01:00
|
|
|
|
|
|
|
|
#[cfg(test)]
|
|
|
|
|
/// In test, we limit the changelog to 10 minutes.
|
2020-05-03 08:44:01 +02:00
|
|
|
pub const CHANGELOG_MAX_AGE: u64 = 600;
|
2020-03-24 23:21:49 +01:00
|
|
|
#[cfg(not(test))]
|
|
|
|
|
/// A replica may be less than 1 day out of sync and catch up.
|
2020-05-03 08:44:01 +02:00
|
|
|
pub const CHANGELOG_MAX_AGE: u64 = 86400;
|
2020-03-24 23:21:49 +01:00
|
|
|
|
|
|
|
|
#[cfg(test)]
|
|
|
|
|
/// In test, we limit the recyclebin to 5 minutes.
|
2020-05-03 08:44:01 +02:00
|
|
|
pub const RECYCLEBIN_MAX_AGE: u64 = 300;
|
2020-03-24 23:21:49 +01:00
|
|
|
#[cfg(not(test))]
|
|
|
|
|
/// In production we allow 1 week
|
2020-05-11 13:12:32 +02:00
|
|
|
pub const RECYCLEBIN_MAX_AGE: u64 = 604_800;
|
2020-03-24 23:21:49 +01:00
|
|
|
|
2019-09-06 05:04:58 +02:00
|
|
|
// 5 minute auth session window.
|
2020-05-03 08:44:01 +02:00
|
|
|
pub const AUTH_SESSION_TIMEOUT: u64 = 300;
|
2020-04-10 07:50:45 +02:00
|
|
|
// 5 minute mfa reg window
|
2020-05-03 08:44:01 +02:00
|
|
|
pub const MFAREG_SESSION_TIMEOUT: u64 = 300;
|
|
|
|
|
pub const PW_MIN_LENGTH: usize = 10;
|
2021-05-26 08:11:00 +02:00
|
|
|
|
|
|
|
|
// Default
|
|
|
|
|
pub const AUTH_SESSION_EXPIRY: u64 = 3600;
|
2023-03-27 03:38:09 +02:00
|
|
|
// Ten minutes by default;
|
|
|
|
|
pub const AUTH_PRIVILEGE_EXPIRY: u64 = 600;
|
2022-10-17 12:09:47 +02:00
|
|
|
|
|
|
|
|
// The time that a token can be used before session
|
|
|
|
|
// status is enforced. This needs to be longer than
|
|
|
|
|
// replication delay/cycle.
|
2023-02-19 04:32:47 +01:00
|
|
|
pub const GRACE_WINDOW: Duration = Duration::from_secs(300);
|
2022-10-17 12:09:47 +02:00
|
|
|
|
|
|
|
|
/// How long access tokens should last. This is NOT the length
|
|
|
|
|
/// of the refresh token, which is bound to the issuing session.
|
|
|
|
|
pub const OAUTH2_ACCESS_TOKEN_EXPIRY: u32 = 4 * 3600;
|
