kanidm/kanidmd/lib/src/constants/mod.rs

// Re-export as needed

pub mod acp;
pub mod entries;
pub mod schema;
pub mod system_config;
pub mod uuids;
pub mod values;

pub use crate::constants::acp::*;
pub use crate::constants::entries::*;
pub use crate::constants::schema::*;
pub use crate::constants::system_config::*;
pub use crate::constants::uuids::*;
pub use crate::constants::values::*;

use std::time::Duration;

// Increment this as we add new schema types and values!!!
pub const SYSTEM_INDEX_VERSION: i64 = 27;
// On test builds, define to 60 seconds
#[cfg(test)]
pub const PURGE_FREQUENCY: u64 = 60;
// For production, 10 minutes.
#[cfg(not(test))]
pub const PURGE_FREQUENCY: u64 = 600;

#[cfg(test)]
/// In test, we limit the changelog to 10 minutes.
pub const CHANGELOG_MAX_AGE: u64 = 600;
#[cfg(not(test))]
/// A replica may be less than 1 day out of sync and catch up.
pub const CHANGELOG_MAX_AGE: u64 = 86400;

#[cfg(test)]
/// In test, we limit the recyclebin to 5 minutes.
pub const RECYCLEBIN_MAX_AGE: u64 = 300;
#[cfg(not(test))]
/// In production we allow 1 week
pub const RECYCLEBIN_MAX_AGE: u64 = 604_800;

// 5 minute auth session window.
pub const AUTH_SESSION_TIMEOUT: u64 = 300;
// 5 minute mfa reg window
pub const MFAREG_SESSION_TIMEOUT: u64 = 300;
pub const PW_MIN_LENGTH: usize = 10;

// Default
pub const AUTH_SESSION_EXPIRY: u64 = 3600;

// The time that a token can be used before session
// status is enforced. This needs to be longer than
// replication delay/cycle.
pub const GRACE_WINDOW: Duration = Duration::from_secs(600);

/// How long access tokens should last. This is NOT the length
/// of the refresh token, which is bound to the issuing session.
pub const OAUTH2_ACCESS_TOKEN_EXPIRY: u32 = 4 * 3600;
29 password badlisting (#158) Implements #29 password badlist and quality checking. This checks all new passwords are at least length 10, pass zxcvbn and are not container in a badlist. The current badlist is a preprocessed content of rockyou from seclists, but later wwe'll update this to the top 10million badlist which when processed is about 70k entries.. 2019-12-12 23:49:32 +01:00			`// Re-export as needed`
122 password import design (#196) Implements #122 password import. This adds most of the server core framework to allow password imports from other sources, with new types easily able to be added in credential.rs. 2020-03-26 23:27:07 +01:00
			`pub mod acp;`
			`pub mod entries;`
			`pub mod schema;`
29 password badlisting (#158) Implements #29 password badlist and quality checking. This checks all new passwords are at least length 10, pass zxcvbn and are not container in a badlist. The current badlist is a preprocessed content of rockyou from seclists, but later wwe'll update this to the top 10million badlist which when processed is about 70k entries.. 2019-12-12 23:49:32 +01:00			`pub mod system_config;`
122 password import design (#196) Implements #122 password import. This adds most of the server core framework to allow password imports from other sources, with new types easily able to be added in credential.rs. 2020-03-26 23:27:07 +01:00			`pub mod uuids;`
20221001 refactor (#1090) 2022-10-05 01:48:48 +02:00			`pub mod values;`
122 password import design (#196) Implements #122 password import. This adds most of the server core framework to allow password imports from other sources, with new types easily able to be added in credential.rs. 2020-03-26 23:27:07 +01:00
			`pub use crate::constants::acp::*;`
			`pub use crate::constants::entries::*;`
			`pub use crate::constants::schema::*;`
			`pub use crate::constants::system_config::*;`
			`pub use crate::constants::uuids::*;`
20221001 refactor (#1090) 2022-10-05 01:48:48 +02:00			`pub use crate::constants::values::*;`
29 password badlisting (#158) Implements #29 password badlist and quality checking. This checks all new passwords are at least length 10, pass zxcvbn and are not container in a badlist. The current badlist is a preprocessed content of rockyou from seclists, but later wwe'll update this to the top 10million badlist which when processed is about 70k entries.. 2019-12-12 23:49:32 +01:00
406 session revocation (#1123) 2022-10-17 12:09:47 +02:00			`use std::time::Duration;`

127 domain info type (#150) Implements #127 and #125. This adds domain_info support, and spn types and generation. It also correctly handles domain renaming, and has tooling to support this. It "should" work on an upgrade, due to the correct bump of index version, but I plan to test this from a backup of my production instance soon. 2019-11-29 01:48:22 +01:00			`// Increment this as we add new schema types and values!!!`
Release 1.1.0-alpha.10 (#1164) 2022-11-01 05:02:52 +01:00			`pub const SYSTEM_INDEX_VERSION: i64 = 27;`
20190607 authentication (#55) Implement #2 anonymous authentication. This also puts into place the majority of the authentication framework, and starts to build the IDM layers ontop of the DB engine. 2019-07-12 07:28:46 +02:00			`// On test builds, define to 60 seconds`
			`#[cfg(test)]`
Optimized all possible constant values using const Replace all replaceable static declarations with const values. Ref: https://github.com/rust-lang/rfcs/blob/61e3dc9c1e32b9d7f72427d93e2d263a8899b0aa/text/0246-const-vs-static.md 2020-05-03 08:44:01 +02:00			`pub const PURGE_FREQUENCY: u64 = 60;`
20200322 132 recyclebin 2 (#193) Implements #132, the recycle bin. This completes the feature, with working API's, front end tests and CLI tooling. It also includes a refactor of the CLI tools to make them a bit easier to manage/work with. 2020-03-24 23:21:49 +01:00			`// For production, 10 minutes.`
20190607 authentication (#55) Implement #2 anonymous authentication. This also puts into place the majority of the authentication framework, and starts to build the IDM layers ontop of the DB engine. 2019-07-12 07:28:46 +02:00			`#[cfg(not(test))]`
Optimized all possible constant values using const Replace all replaceable static declarations with const values. Ref: https://github.com/rust-lang/rfcs/blob/61e3dc9c1e32b9d7f72427d93e2d263a8899b0aa/text/0246-const-vs-static.md 2020-05-03 08:44:01 +02:00			`pub const PURGE_FREQUENCY: u64 = 600;`
20200322 132 recyclebin 2 (#193) Implements #132, the recycle bin. This completes the feature, with working API's, front end tests and CLI tooling. It also includes a refactor of the CLI tools to make them a bit easier to manage/work with. 2020-03-24 23:21:49 +01:00
			`#[cfg(test)]`
			`/// In test, we limit the changelog to 10 minutes.`
Optimized all possible constant values using const Replace all replaceable static declarations with const values. Ref: https://github.com/rust-lang/rfcs/blob/61e3dc9c1e32b9d7f72427d93e2d263a8899b0aa/text/0246-const-vs-static.md 2020-05-03 08:44:01 +02:00			`pub const CHANGELOG_MAX_AGE: u64 = 600;`
20200322 132 recyclebin 2 (#193) Implements #132, the recycle bin. This completes the feature, with working API's, front end tests and CLI tooling. It also includes a refactor of the CLI tools to make them a bit easier to manage/work with. 2020-03-24 23:21:49 +01:00			`#[cfg(not(test))]`
			`/// A replica may be less than 1 day out of sync and catch up.`
Optimized all possible constant values using const Replace all replaceable static declarations with const values. Ref: https://github.com/rust-lang/rfcs/blob/61e3dc9c1e32b9d7f72427d93e2d263a8899b0aa/text/0246-const-vs-static.md 2020-05-03 08:44:01 +02:00			`pub const CHANGELOG_MAX_AGE: u64 = 86400;`
20200322 132 recyclebin 2 (#193) Implements #132, the recycle bin. This completes the feature, with working API's, front end tests and CLI tooling. It also includes a refactor of the CLI tools to make them a bit easier to manage/work with. 2020-03-24 23:21:49 +01:00
			`#[cfg(test)]`
			`/// In test, we limit the recyclebin to 5 minutes.`
Optimized all possible constant values using const Replace all replaceable static declarations with const values. Ref: https://github.com/rust-lang/rfcs/blob/61e3dc9c1e32b9d7f72427d93e2d263a8899b0aa/text/0246-const-vs-static.md 2020-05-03 08:44:01 +02:00			`pub const RECYCLEBIN_MAX_AGE: u64 = 300;`
20200322 132 recyclebin 2 (#193) Implements #132, the recycle bin. This completes the feature, with working API's, front end tests and CLI tooling. It also includes a refactor of the CLI tools to make them a bit easier to manage/work with. 2020-03-24 23:21:49 +01:00			`#[cfg(not(test))]`
			`/// In production we allow 1 week`
101 idlcache (#224) Fixes #101, concurrent caching of IDL and Entries. This yields a 10% improvement for test case execution, and 35% for tests run under --release mode. A lot of code around the code base was needed to be touched due to the extra need for mut in some operations and some lifetimes, but the majority of the work was in idl_arc_sqlite.rs, which has the cache layer. There are many performance gains yet to see, but most of those will come through improvement of the concread ARC and it's related BTree implementation. 2020-05-11 13:12:32 +02:00			`pub const RECYCLEBIN_MAX_AGE: u64 = 604_800;`
20200322 132 recyclebin 2 (#193) Implements #132, the recycle bin. This completes the feature, with working API's, front end tests and CLI tooling. It also includes a refactor of the CLI tools to make them a bit easier to manage/work with. 2020-03-24 23:21:49 +01:00
60 authsession gc (#80) Implements #60 authsession garbage collection. If we assume that an authsession is around 1024 bytes (this assumes a 16 char name + groups + claims) then this means that in 1Gb of ram we can store about 1 million in progress auth attempts. Obviously, we don't want infinite memory growth, but we can't use an LRU cache due to the future desire to use concurrent trees. So instead we prune the tree based on a timeout when we start and auth operation. Auth session id's are generated from a timestamp similar to how we'll generate replication csn's. We can then apply a diff that will split all items lower than the csn/sid and remove them from future consideration. We set the default timeout to 5 minutes. This means that assuming 10,000 auths per second, we would require 3GB of ram to process these sessions before they are expired. We expect any deployment with such large loadings can affort 3Gb of ram :) 2019-09-06 05:04:58 +02:00			`// 5 minute auth session window.`
Optimized all possible constant values using const Replace all replaceable static declarations with const values. Ref: https://github.com/rust-lang/rfcs/blob/61e3dc9c1e32b9d7f72427d93e2d263a8899b0aa/text/0246-const-vs-static.md 2020-05-03 08:44:01 +02:00			`pub const AUTH_SESSION_TIMEOUT: u64 = 300;`
12 totp (#201) Implements #12, TOTP. This adds support for TOTP to the api and server, with server side token generation, authentication and the correct URI for encoding into QR codes for client token addition. Some extra measures have been taken such as in the stepped auth to always notify on the success or failure of the TOTP first (regardless of order) to prevent PW bruteforce attacks. 2020-04-10 07:50:45 +02:00			`// 5 minute mfa reg window`
Optimized all possible constant values using const Replace all replaceable static declarations with const values. Ref: https://github.com/rust-lang/rfcs/blob/61e3dc9c1e32b9d7f72427d93e2d263a8899b0aa/text/0246-const-vs-static.md 2020-05-03 08:44:01 +02:00			`pub const MFAREG_SESSION_TIMEOUT: u64 = 300;`
			`pub const PW_MIN_LENGTH: usize = 10;`
414 clear stale credentials (#447) 2021-05-26 08:11:00 +02:00
			`// Default`
			`pub const AUTH_SESSION_EXPIRY: u64 = 3600;`
406 session revocation (#1123) 2022-10-17 12:09:47 +02:00
			`// The time that a token can be used before session`
			`// status is enforced. This needs to be longer than`
			`// replication delay/cycle.`
			`pub const GRACE_WINDOW: Duration = Duration::from_secs(600);`

			`/// How long access tokens should last. This is NOT the length`
			`/// of the refresh token, which is bound to the issuing session.`
			`pub const OAUTH2_ACCESS_TOKEN_EXPIRY: u32 = 4 * 3600;`