kanidm/server/lib/src/constants/mod.rs

// Re-export as needed

pub mod acp;
pub mod entries;
pub mod groups;
pub mod schema;
pub mod system_config;
pub mod uuids;
pub mod values;

pub use crate::constants::acp::*;
pub use crate::constants::entries::*;
pub use crate::constants::groups::*;
pub use crate::constants::schema::*;
pub use crate::constants::system_config::*;
pub use crate::constants::uuids::*;
pub use crate::constants::values::*;

use std::time::Duration;

// Increment this as we add new schema types and values!!!
pub const SYSTEM_INDEX_VERSION: i64 = 30;

/*
 * domain functional levels
 *
 * The idea here is to allow topology wide upgrades to be performed. We have to
 * assume that across multiple kanidm instances there may be cases where we have version
 * N and version N minus 1 as upgrades are rolled out.
 *
 * Imagine we set up a new cluster. Machine A and B both have level 1 support.
 * We upgrade machine A. It has support up to level 2, but machine B does not.
 * So the overall functional level is level 1. Then we upgrade B, which supports
 * up to level 2. We still don't do the upgrade! The topology is still level 1
 * unless an admin at this point *intervenes* and forces the update. OR what
 * happens we we update machine A again and it now supports up to level 3, with
 * a target level of 2. So we update machine A now to level 2, and that can
 * still replicate to machine B since it also supports level 2.
 *
 * effectively it means that "some features" may be a "release behind" for users
 * who don't muck with the levels, but it means that we can do mixed version
 * upgrades.
 */
pub type DomainVersion = u32;

pub const DOMAIN_LEVEL_0: DomainVersion = 0;
pub const DOMAIN_LEVEL_1: DomainVersion = 1;
pub const DOMAIN_LEVEL_2: DomainVersion = 2;
pub const DOMAIN_LEVEL_3: DomainVersion = 3;
pub const DOMAIN_LEVEL_4: DomainVersion = 4;
pub const DOMAIN_LEVEL_5: DomainVersion = 5;
// The minimum supported domain functional level
pub const DOMAIN_MIN_LEVEL: DomainVersion = DOMAIN_LEVEL_5;
// The target supported domain functional level
pub const DOMAIN_TGT_LEVEL: DomainVersion = DOMAIN_LEVEL_5;
// The maximum supported domain functional level
pub const DOMAIN_MAX_LEVEL: DomainVersion = DOMAIN_LEVEL_5;

// On test builds define to 60 seconds
#[cfg(test)]
pub const PURGE_FREQUENCY: u64 = 60;
// For production 10 minutes.
#[cfg(not(test))]
pub const PURGE_FREQUENCY: u64 = 600;

#[cfg(test)]
/// In test, we limit the changelog to 10 minutes.
pub const CHANGELOG_MAX_AGE: u64 = 600;
#[cfg(not(test))]
/// A replica may be up to 7 days out of sync before being denied updates.
pub const CHANGELOG_MAX_AGE: u64 = 7 * 86400;

#[cfg(test)]
/// In test, we limit the recyclebin to 5 minutes.
pub const RECYCLEBIN_MAX_AGE: u64 = 300;
#[cfg(not(test))]
/// In production we allow 1 week
pub const RECYCLEBIN_MAX_AGE: u64 = 7 * 86400;

// 5 minute auth session window.
pub const AUTH_SESSION_TIMEOUT: u64 = 300;
// 5 minute mfa reg window
pub const MFAREG_SESSION_TIMEOUT: u64 = 300;
pub const PW_MIN_LENGTH: u32 = 10;

// Maximum - Sessions have no upper bound.
pub const MAXIMUM_AUTH_SESSION_EXPIRY: u32 = u32::MAX;
// Default - sessions last for 1 day
pub const DEFAULT_AUTH_SESSION_EXPIRY: u32 = 86400;
pub const DEFAULT_AUTH_SESSION_LIMITED_EXPIRY: u32 = 3600;
// Maximum - privileges last for 1 hour.
pub const MAXIMUM_AUTH_PRIVILEGE_EXPIRY: u32 = 3600;
// Default - privileges last for 10 minutes.
pub const DEFAULT_AUTH_PRIVILEGE_EXPIRY: u32 = 600;
// Default - oauth refresh tokens last for 16 hours.
pub const OAUTH_REFRESH_TOKEN_EXPIRY: u64 = 3600 * 8;

// The time that a token can be used before session
// status is enforced. This needs to be longer than
// replication delay/cycle.
pub const GRACE_WINDOW: Duration = Duration::from_secs(300);

/// How long access tokens should last. This is NOT the length
/// of the refresh token, which is bound to the issuing session.
pub const OAUTH2_ACCESS_TOKEN_EXPIRY: u32 = 15 * 60;

/// The amount of time a suppliers clock can be "ahead" before
/// we warn about possible clock synchronisation issues.
pub const REPL_SUPPLIER_ADVANCE_WINDOW: Duration = Duration::from_secs(600);
29 password badlisting (#158) Implements #29 password badlist and quality checking. This checks all new passwords are at least length 10, pass zxcvbn and are not container in a badlist. The current badlist is a preprocessed content of rockyou from seclists, but later wwe'll update this to the top 10million badlist which when processed is about 70k entries.. 2019-12-12 23:49:32 +01:00			`// Re-export as needed`
122 password import design (#196) Implements #122 password import. This adds most of the server core framework to allow password imports from other sources, with new types easily able to be added in credential.rs. 2020-03-26 23:27:07 +01:00
			`pub mod acp;`
			`pub mod entries;`
Windows build fixes and test coverage (#2220) * adding testing for users functions * turning KanidmClient build error into a ClientError * removing a redundant closure 2023-10-17 09:18:07 +02:00			`pub mod groups;`
122 password import design (#196) Implements #122 password import. This adds most of the server core framework to allow password imports from other sources, with new types easily able to be added in credential.rs. 2020-03-26 23:27:07 +01:00			`pub mod schema;`
29 password badlisting (#158) Implements #29 password badlist and quality checking. This checks all new passwords are at least length 10, pass zxcvbn and are not container in a badlist. The current badlist is a preprocessed content of rockyou from seclists, but later wwe'll update this to the top 10million badlist which when processed is about 70k entries.. 2019-12-12 23:49:32 +01:00			`pub mod system_config;`
122 password import design (#196) Implements #122 password import. This adds most of the server core framework to allow password imports from other sources, with new types easily able to be added in credential.rs. 2020-03-26 23:27:07 +01:00			`pub mod uuids;`
20221001 refactor (#1090) 2022-10-05 01:48:48 +02:00			`pub mod values;`
122 password import design (#196) Implements #122 password import. This adds most of the server core framework to allow password imports from other sources, with new types easily able to be added in credential.rs. 2020-03-26 23:27:07 +01:00
			`pub use crate::constants::acp::*;`
			`pub use crate::constants::entries::*;`
Windows build fixes and test coverage (#2220) * adding testing for users functions * turning KanidmClient build error into a ClientError * removing a redundant closure 2023-10-17 09:18:07 +02:00			`pub use crate::constants::groups::*;`
122 password import design (#196) Implements #122 password import. This adds most of the server core framework to allow password imports from other sources, with new types easily able to be added in credential.rs. 2020-03-26 23:27:07 +01:00			`pub use crate::constants::schema::*;`
			`pub use crate::constants::system_config::*;`
			`pub use crate::constants::uuids::*;`
20221001 refactor (#1090) 2022-10-05 01:48:48 +02:00			`pub use crate::constants::values::*;`
29 password badlisting (#158) Implements #29 password badlist and quality checking. This checks all new passwords are at least length 10, pass zxcvbn and are not container in a badlist. The current badlist is a preprocessed content of rockyou from seclists, but later wwe'll update this to the top 10million badlist which when processed is about 70k entries.. 2019-12-12 23:49:32 +01:00
406 session revocation (#1123) 2022-10-17 12:09:47 +02:00			`use std::time::Duration;`

127 domain info type (#150) Implements #127 and #125. This adds domain_info support, and spn types and generation. It also correctly handles domain renaming, and has tooling to support this. It "should" work on an upgrade, due to the correct bump of index version, but I plan to test this from a backup of my production instance soon. 2019-11-29 01:48:22 +01:00			`// Increment this as we add new schema types and values!!!`
Release 1.1.0-beta.13 (#1922) 2023-08-01 07:12:35 +02:00			`pub const SYSTEM_INDEX_VERSION: i64 = 30;`
1121 multiple totp (#1325) 2023-01-17 05:14:11 +01:00
			`/*`
			`* domain functional levels`
			`*`
			`* The idea here is to allow topology wide upgrades to be performed. We have to`
			`* assume that across multiple kanidm instances there may be cases where we have version`
			`* N and version N minus 1 as upgrades are rolled out.`
			`*`
			`* Imagine we set up a new cluster. Machine A and B both have level 1 support.`
			`* We upgrade machine A. It has support up to level 2, but machine B does not.`
			`* So the overall functional level is level 1. Then we upgrade B, which supports`
			`* up to level 2. We still don't do the upgrade! The topology is still level 1`
			`* unless an admin at this point intervenes and forces the update. OR what`
			`* happens we we update machine A again and it now supports up to level 3, with`
			`* a target level of 2. So we update machine A now to level 2, and that can`
			`* still replicate to machine B since it also supports level 2.`
			`*`
			`* effectively it means that "some features" may be a "release behind" for users`
			`* who don't muck with the levels, but it means that we can do mixed version`
			`* upgrades.`
			`*/`
20230130 hackweek replication (#1358) Add initial support for refreshing the content of a new server in a replication topology. This is embedded in test cases only for now. 2023-02-15 01:25:51 +01:00			`pub type DomainVersion = u32;`

20240125 2217 client credentials grant (#2456) * Huge fix of a replication problem. * Update test * Increase min replication level * Client Credentials Grant implementation 2024-02-01 03:00:29 +01:00			`pub const DOMAIN_LEVEL_0: DomainVersion = 0;`
20230130 hackweek replication (#1358) Add initial support for refreshing the content of a new server in a replication topology. This is embedded in test cases only for now. 2023-02-15 01:25:51 +01:00			`pub const DOMAIN_LEVEL_1: DomainVersion = 1;`
1481 2024 access control rework (#2366) Rework default access controls to better separate roles and access profiles. 2023-12-18 00:10:13 +01:00			`pub const DOMAIN_LEVEL_2: DomainVersion = 2;`
Add improved domain migration framework and default MFA (#2382) 2023-12-21 05:44:20 +01:00			`pub const DOMAIN_LEVEL_3: DomainVersion = 3;`
2390 1980 allow native applications (#2428) 2024-01-16 01:44:12 +01:00			`pub const DOMAIN_LEVEL_4: DomainVersion = 4;`
20240125 2217 client credentials grant (#2456) * Huge fix of a replication problem. * Update test * Increase min replication level * Client Credentials Grant implementation 2024-02-01 03:00:29 +01:00			`pub const DOMAIN_LEVEL_5: DomainVersion = 5;`
1121 multiple totp (#1325) 2023-01-17 05:14:11 +01:00			`// The minimum supported domain functional level`
20240125 2217 client credentials grant (#2456) * Huge fix of a replication problem. * Update test * Increase min replication level * Client Credentials Grant implementation 2024-02-01 03:00:29 +01:00			`pub const DOMAIN_MIN_LEVEL: DomainVersion = DOMAIN_LEVEL_5;`
1121 multiple totp (#1325) 2023-01-17 05:14:11 +01:00			`// The target supported domain functional level`
20240125 2217 client credentials grant (#2456) * Huge fix of a replication problem. * Update test * Increase min replication level * Client Credentials Grant implementation 2024-02-01 03:00:29 +01:00			`pub const DOMAIN_TGT_LEVEL: DomainVersion = DOMAIN_LEVEL_5;`
1121 multiple totp (#1325) 2023-01-17 05:14:11 +01:00			`// The maximum supported domain functional level`
20240125 2217 client credentials grant (#2456) * Huge fix of a replication problem. * Update test * Increase min replication level * Client Credentials Grant implementation 2024-02-01 03:00:29 +01:00			`pub const DOMAIN_MAX_LEVEL: DomainVersion = DOMAIN_LEVEL_5;`
1121 multiple totp (#1325) 2023-01-17 05:14:11 +01:00
Fix RUV trim (#2466) Fixes two major issues with replication. The first was related to server refreshes. When a server was refreshed it would retain it's server unique id. If the server had lagged and was disconnected from replication and administrator would naturally then refresh it's database. This meant that on next tombstone purge of the server, it's RUV would jump ahead causing it's refresh-supplier to now believe it was lagging (which was not the case). In the situation where a server is refreshed, we reset the servers unique replication ID which avoids the RUV having "jumps". The second issue was related to RUV trimming. A server which had older RUV entries (say from servers that have been trimmed) would "taint" and re-supply those server ID's back to nodes that wanted to trim them. This also meant that on a restart of the server, that if the node had correctly trimmed the server ID, it would be re-added in memory. This improves RUV trimming by limiting what what compare and check as a supplier to only CID's that are within the valid changelog window. This itself presented challenges with "how to determine if a server should be removed from the RUV". To achieve this we now check for "overlap" of the RUVS. If overlap isn't occurring it indicates split brain or node isolation, and replication is stopped in these cases. 2024-02-02 06:38:45 +01:00			`// On test builds define to 60 seconds`
20190607 authentication (#55) Implement #2 anonymous authentication. This also puts into place the majority of the authentication framework, and starts to build the IDM layers ontop of the DB engine. 2019-07-12 07:28:46 +02:00			`#[cfg(test)]`
Optimized all possible constant values using const Replace all replaceable static declarations with const values. Ref: https://github.com/rust-lang/rfcs/blob/61e3dc9c1e32b9d7f72427d93e2d263a8899b0aa/text/0246-const-vs-static.md 2020-05-03 08:44:01 +02:00			`pub const PURGE_FREQUENCY: u64 = 60;`
Fix RUV trim (#2466) Fixes two major issues with replication. The first was related to server refreshes. When a server was refreshed it would retain it's server unique id. If the server had lagged and was disconnected from replication and administrator would naturally then refresh it's database. This meant that on next tombstone purge of the server, it's RUV would jump ahead causing it's refresh-supplier to now believe it was lagging (which was not the case). In the situation where a server is refreshed, we reset the servers unique replication ID which avoids the RUV having "jumps". The second issue was related to RUV trimming. A server which had older RUV entries (say from servers that have been trimmed) would "taint" and re-supply those server ID's back to nodes that wanted to trim them. This also meant that on a restart of the server, that if the node had correctly trimmed the server ID, it would be re-added in memory. This improves RUV trimming by limiting what what compare and check as a supplier to only CID's that are within the valid changelog window. This itself presented challenges with "how to determine if a server should be removed from the RUV". To achieve this we now check for "overlap" of the RUVS. If overlap isn't occurring it indicates split brain or node isolation, and replication is stopped in these cases. 2024-02-02 06:38:45 +01:00			`// For production 10 minutes.`
20190607 authentication (#55) Implement #2 anonymous authentication. This also puts into place the majority of the authentication framework, and starts to build the IDM layers ontop of the DB engine. 2019-07-12 07:28:46 +02:00			`#[cfg(not(test))]`
Optimized all possible constant values using const Replace all replaceable static declarations with const values. Ref: https://github.com/rust-lang/rfcs/blob/61e3dc9c1e32b9d7f72427d93e2d263a8899b0aa/text/0246-const-vs-static.md 2020-05-03 08:44:01 +02:00			`pub const PURGE_FREQUENCY: u64 = 600;`
20200322 132 recyclebin 2 (#193) Implements #132, the recycle bin. This completes the feature, with working API's, front end tests and CLI tooling. It also includes a refactor of the CLI tools to make them a bit easier to manage/work with. 2020-03-24 23:21:49 +01:00
			`#[cfg(test)]`
			`/// In test, we limit the changelog to 10 minutes.`
Optimized all possible constant values using const Replace all replaceable static declarations with const values. Ref: https://github.com/rust-lang/rfcs/blob/61e3dc9c1e32b9d7f72427d93e2d263a8899b0aa/text/0246-const-vs-static.md 2020-05-03 08:44:01 +02:00			`pub const CHANGELOG_MAX_AGE: u64 = 600;`
20200322 132 recyclebin 2 (#193) Implements #132, the recycle bin. This completes the feature, with working API's, front end tests and CLI tooling. It also includes a refactor of the CLI tools to make them a bit easier to manage/work with. 2020-03-24 23:21:49 +01:00			`#[cfg(not(test))]`
20240125 2217 client credentials grant (#2456) * Huge fix of a replication problem. * Update test * Increase min replication level * Client Credentials Grant implementation 2024-02-01 03:00:29 +01:00			`/// A replica may be up to 7 days out of sync before being denied updates.`
			`pub const CHANGELOG_MAX_AGE: u64 = 7 * 86400;`
20200322 132 recyclebin 2 (#193) Implements #132, the recycle bin. This completes the feature, with working API's, front end tests and CLI tooling. It also includes a refactor of the CLI tools to make them a bit easier to manage/work with. 2020-03-24 23:21:49 +01:00
			`#[cfg(test)]`
			`/// In test, we limit the recyclebin to 5 minutes.`
Optimized all possible constant values using const Replace all replaceable static declarations with const values. Ref: https://github.com/rust-lang/rfcs/blob/61e3dc9c1e32b9d7f72427d93e2d263a8899b0aa/text/0246-const-vs-static.md 2020-05-03 08:44:01 +02:00			`pub const RECYCLEBIN_MAX_AGE: u64 = 300;`
20200322 132 recyclebin 2 (#193) Implements #132, the recycle bin. This completes the feature, with working API's, front end tests and CLI tooling. It also includes a refactor of the CLI tools to make them a bit easier to manage/work with. 2020-03-24 23:21:49 +01:00			`#[cfg(not(test))]`
			`/// In production we allow 1 week`
20240125 2217 client credentials grant (#2456) * Huge fix of a replication problem. * Update test * Increase min replication level * Client Credentials Grant implementation 2024-02-01 03:00:29 +01:00			`pub const RECYCLEBIN_MAX_AGE: u64 = 7 * 86400;`
20200322 132 recyclebin 2 (#193) Implements #132, the recycle bin. This completes the feature, with working API's, front end tests and CLI tooling. It also includes a refactor of the CLI tools to make them a bit easier to manage/work with. 2020-03-24 23:21:49 +01:00
60 authsession gc (#80) Implements #60 authsession garbage collection. If we assume that an authsession is around 1024 bytes (this assumes a 16 char name + groups + claims) then this means that in 1Gb of ram we can store about 1 million in progress auth attempts. Obviously, we don't want infinite memory growth, but we can't use an LRU cache due to the future desire to use concurrent trees. So instead we prune the tree based on a timeout when we start and auth operation. Auth session id's are generated from a timestamp similar to how we'll generate replication csn's. We can then apply a diff that will split all items lower than the csn/sid and remove them from future consideration. We set the default timeout to 5 minutes. This means that assuming 10,000 auths per second, we would require 3GB of ram to process these sessions before they are expired. We expect any deployment with such large loadings can affort 3Gb of ram :) 2019-09-06 05:04:58 +02:00			`// 5 minute auth session window.`
Optimized all possible constant values using const Replace all replaceable static declarations with const values. Ref: https://github.com/rust-lang/rfcs/blob/61e3dc9c1e32b9d7f72427d93e2d263a8899b0aa/text/0246-const-vs-static.md 2020-05-03 08:44:01 +02:00			`pub const AUTH_SESSION_TIMEOUT: u64 = 300;`
12 totp (#201) Implements #12, TOTP. This adds support for TOTP to the api and server, with server side token generation, authentication and the correct URI for encoding into QR codes for client token addition. Some extra measures have been taken such as in the stepped auth to always notify on the success or failure of the TOTP first (regardless of order) to prevent PW bruteforce attacks. 2020-04-10 07:50:45 +02:00			`// 5 minute mfa reg window`
Optimized all possible constant values using const Replace all replaceable static declarations with const values. Ref: https://github.com/rust-lang/rfcs/blob/61e3dc9c1e32b9d7f72427d93e2d263a8899b0aa/text/0246-const-vs-static.md 2020-05-03 08:44:01 +02:00			`pub const MFAREG_SESSION_TIMEOUT: u64 = 300;`
pw min length in account policy (#2289) 2023-11-05 01:33:25 +01:00			`pub const PW_MIN_LENGTH: u32 = 10;`
414 clear stale credentials (#447) 2021-05-26 08:11:00 +02:00
20231019 1122 account policy basics (#2245) --------- Co-authored-by: James Hodgkinson <james@terminaloutcomes.com> 2023-10-22 13:16:42 +02:00			`// Maximum - Sessions have no upper bound.`
			`pub const MAXIMUM_AUTH_SESSION_EXPIRY: u32 = u32::MAX;`
			`// Default - sessions last for 1 day`
68 20230912 session consistency (#2110) This adds support for special-casing sessions in replication to allow them to internally trim and merge so that session revocations and creations are not lost between replicas. 2023-09-16 01:22:11 +02:00			`pub const DEFAULT_AUTH_SESSION_EXPIRY: u32 = 86400;`
			`pub const DEFAULT_AUTH_SESSION_LIMITED_EXPIRY: u32 = 3600;`
20231019 1122 account policy basics (#2245) --------- Co-authored-by: James Hodgkinson <james@terminaloutcomes.com> 2023-10-22 13:16:42 +02:00			`// Maximum - privileges last for 1 hour.`
			`pub const MAXIMUM_AUTH_PRIVILEGE_EXPIRY: u32 = 3600;`
20230330 oauth2 refresh tokens (#1502) 2023-04-20 00:34:21 +02:00			`// Default - privileges last for 10 minutes.`
Configurable session timeouts (#1965) * added `auth_session_expiry` and `auth_privilege_expiry` * Added `AcountPolicy` struct * spelling and stuff * added cli tools 2023-08-22 03:00:43 +02:00			`pub const DEFAULT_AUTH_PRIVILEGE_EXPIRY: u32 = 600;`
20230330 oauth2 refresh tokens (#1502) 2023-04-20 00:34:21 +02:00			`// Default - oauth refresh tokens last for 16 hours.`
			`pub const OAUTH_REFRESH_TOKEN_EXPIRY: u64 = 3600 * 8;`
406 session revocation (#1123) 2022-10-17 12:09:47 +02:00
			`// The time that a token can be used before session`
			`// status is enforced. This needs to be longer than`
			`// replication delay/cycle.`
1115 store credential ids per session (#1386) 2023-02-19 04:32:47 +01:00			`pub const GRACE_WINDOW: Duration = Duration::from_secs(300);`
406 session revocation (#1123) 2022-10-17 12:09:47 +02:00
			`/// How long access tokens should last. This is NOT the length`
			`/// of the refresh token, which is bound to the issuing session.`
20230330 oauth2 refresh tokens (#1502) 2023-04-20 00:34:21 +02:00			`pub const OAUTH2_ACCESS_TOKEN_EXPIRY: u32 = 15 * 60;`
Minor improvements to incoming replication (#2279) 2023-11-02 02:21:21 +01:00
			`/// The amount of time a suppliers clock can be "ahead" before`
			`/// we warn about possible clock synchronisation issues.`
			`pub const REPL_SUPPLIER_ADVANCE_WINDOW: Duration = Duration::from_secs(600);`