kanidm_proto/
constants.rs

1//! Because consistency is great!
2//!
3pub mod uri;
4
5use std::time::Duration;
6
7/// The default location for the `kanidm` CLI tool's token cache.
8pub const CLIENT_TOKEN_CACHE: &str = "~/.cache/kanidm_tokens";
9
10/// Content type string for jpeg
11pub const CONTENT_TYPE_JPG: &str = "image/jpeg";
12/// Content type string for png
13pub const CONTENT_TYPE_PNG: &str = "image/png";
14/// Content type string for gif
15pub const CONTENT_TYPE_GIF: &str = "image/gif";
16/// Content type string for svg
17pub const CONTENT_TYPE_SVG: &str = "image/svg+xml";
18/// Content type string for webp
19pub const CONTENT_TYPE_WEBP: &str = "image/webp";
20
21// For when the user uploads things to the various image endpoints, these are the valid content-types.
22pub const VALID_IMAGE_UPLOAD_CONTENT_TYPES: [&str; 5] = [
23    CONTENT_TYPE_JPG,
24    CONTENT_TYPE_PNG,
25    CONTENT_TYPE_GIF,
26    CONTENT_TYPE_SVG,
27    CONTENT_TYPE_WEBP,
28];
29
30pub const APPLICATION_JSON: &str = "application/json";
31
32/// The "system" path for Kanidm client config
33pub const DEFAULT_CLIENT_CONFIG_PATH: &str = env!("KANIDM_CLIENT_CONFIG_PATH");
34/// The user-owned path for Kanidm client config
35pub const DEFAULT_CLIENT_CONFIG_PATH_HOME: &str = "~/.config/kanidm";
36
37/// The default HTTPS bind address for the Kanidm server
38pub const DEFAULT_SERVER_ADDRESS: &str = "127.0.0.1:8443";
39pub const DEFAULT_SERVER_LOCALHOST: &str = "localhost:8443";
40/// The default LDAP bind address for the Kanidm client
41pub const DEFAULT_LDAP_LOCALHOST: &str = "localhost:636";
42/// The default amount of attributes that can be queried in LDAP
43pub const DEFAULT_LDAP_MAXIMUM_QUERYABLE_ATTRIBUTES: usize = 16;
44/// Default replication configuration
45pub const DEFAULT_REPLICATION_ADDRESS: &str = "127.0.0.1:8444";
46pub const DEFAULT_REPLICATION_ORIGIN: &str = "repl://localhost:8444";
47
48/// Default replication poll window in seconds.
49pub const DEFAULT_REPL_TASK_POLL_INTERVAL: u64 = 15;
50
51/// Default grace window for authentication tokens. This allows a token to be
52/// validated by another replica before the backing database session has been
53/// replicated to the partner. If replication stalls until this point then
54/// the token will be considered INVALID.
55pub const AUTH_TOKEN_GRACE_WINDOW: Duration = Duration::from_secs(5 * 60);
56
57// IF YOU CHANGE THESE VALUES YOU BREAK EVERYTHING
58pub const ATTR_ACCOUNT_EXPIRE: &str = "account_expire";
59pub const ATTR_ACCOUNT_VALID_FROM: &str = "account_valid_from";
60pub const ATTR_ACCOUNT: &str = "account";
61pub const ATTR_ACP_CREATE_ATTR: &str = "acp_create_attr";
62pub const ATTR_ACP_CREATE_CLASS: &str = "acp_create_class";
63pub const ATTR_ACP_ENABLE: &str = "acp_enable";
64pub const ATTR_ACP_MODIFY_CLASS: &str = "acp_modify_class";
65pub const ATTR_ACP_MODIFY_PRESENT_CLASS: &str = "acp_modify_present_class";
66pub const ATTR_ACP_MODIFY_REMOVE_CLASS: &str = "acp_modify_remove_class";
67pub const ATTR_ACP_MODIFY_PRESENTATTR: &str = "acp_modify_presentattr";
68pub const ATTR_ACP_MODIFY_REMOVEDATTR: &str = "acp_modify_removedattr";
69pub const ATTR_ACP_RECEIVER_GROUP: &str = "acp_receiver_group";
70pub const ATTR_ACP_RECEIVER: &str = "acp_receiver";
71pub const ATTR_ACP_SEARCH_ATTR: &str = "acp_search_attr";
72pub const ATTR_ACP_TARGET_SCOPE: &str = "acp_targetscope";
73pub const ATTR_API_TOKEN_SESSION: &str = "api_token_session";
74pub const ATTR_APPLICATION_PASSWORD: &str = "application_password";
75pub const ATTR_ATTESTED_PASSKEYS: &str = "attested_passkeys";
76pub const ATTR_ATTR: &str = "attr";
77pub const ATTR_ATTRIBUTENAME: &str = "attributename";
78pub const ATTR_ATTRIBUTETYPE: &str = "attributetype";
79pub const ATTR_AUTH_SESSION_EXPIRY: &str = "authsession_expiry";
80pub const ATTR_AUTH_PASSWORD_MINIMUM_LENGTH: &str = "auth_password_minimum_length";
81pub const ATTR_BADLIST_PASSWORD: &str = "badlist_password";
82pub const ATTR_CERTIFICATE: &str = "certificate";
83pub const ATTR_CLAIM: &str = "claim";
84pub const ATTR_CLASS: &str = "class";
85pub const ATTR_CLASSNAME: &str = "classname";
86pub const ATTR_CN: &str = "cn";
87pub const ATTR_COOKIE_PRIVATE_KEY: &str = "cookie_private_key";
88pub const ATTR_CREATED_AT_CID: &str = "created_at_cid";
89pub const ATTR_CREDENTIAL_UPDATE_INTENT_TOKEN: &str = "credential_update_intent_token";
90pub const ATTR_CREDENTIAL_TYPE_MINIMUM: &str = "credential_type_minimum";
91pub const ATTR_DENIED_NAME: &str = "denied_name";
92pub const ATTR_DESCRIPTION: &str = "description";
93pub const ATTR_DIRECTMEMBEROF: &str = "directmemberof";
94pub const ATTR_DISPLAYNAME: &str = "displayname";
95pub const ATTR_DN: &str = "dn";
96pub const ATTR_DOMAIN_ALLOW_EASTER_EGGS: &str = "domain_allow_easter_eggs";
97pub const ATTR_DOMAIN_DEVELOPMENT_TAINT: &str = "domain_development_taint";
98pub const ATTR_DOMAIN_DISPLAY_NAME: &str = "domain_display_name";
99pub const ATTR_DOMAIN_LDAP_BASEDN: &str = "domain_ldap_basedn";
100pub const ATTR_DOMAIN_NAME: &str = "domain_name";
101pub const ATTR_DOMAIN_SSID: &str = "domain_ssid";
102pub const ATTR_DOMAIN_TOKEN_KEY: &str = "domain_token_key";
103pub const ATTR_DOMAIN_UUID: &str = "domain_uuid";
104pub const ATTR_DOMAIN: &str = "domain";
105pub const ATTR_DYNGROUP_FILTER: &str = "dyngroup_filter";
106pub const ATTR_DYNGROUP: &str = "dyngroup";
107pub const ATTR_DYNMEMBER: &str = "dynmember";
108pub const ATTR_LDAP_EMAIL_ADDRESS: &str = "emailaddress";
109pub const ATTR_LDAP_MAX_QUERYABLE_ATTRS: &str = "ldap_max_queryable_attrs";
110pub const ATTR_EMAIL_ALTERNATIVE: &str = "emailalternative";
111pub const ATTR_EMAIL_PRIMARY: &str = "emailprimary";
112pub const ATTR_EMAIL: &str = "email";
113pub const ATTR_ENTRYDN: &str = "entrydn";
114pub const ATTR_ENTRY_MANAGED_BY: &str = "entry_managed_by";
115pub const ATTR_ENTRYUUID: &str = "entryuuid";
116pub const ATTR_LDAP_KEYS: &str = "keys";
117pub const ATTR_LIMIT_SEARCH_MAX_RESULTS: &str = "limit_search_max_results";
118pub const ATTR_LIMIT_SEARCH_MAX_FILTER_TEST: &str = "limit_search_max_filter_test";
119pub const ATTR_EXCLUDES: &str = "excludes";
120pub const ATTR_ES256_PRIVATE_KEY_DER: &str = "es256_private_key_der";
121pub const ATTR_FERNET_PRIVATE_KEY_STR: &str = "fernet_private_key_str";
122pub const ATTR_GECOS: &str = "gecos";
123pub const ATTR_GIDNUMBER: &str = "gidnumber";
124pub const ATTR_GRANT_UI_HINT: &str = "grant_ui_hint";
125pub const ATTR_GROUP: &str = "group";
126pub const ATTR_ID_VERIFICATION_ECKEY: &str = "id_verification_eckey";
127pub const ATTR_IMAGE: &str = "image";
128pub const ATTR_INDEX: &str = "index";
129pub const ATTR_INDEXED: &str = "indexed";
130pub const ATTR_IPANTHASH: &str = "ipanthash";
131pub const ATTR_IPASSHPUBKEY: &str = "ipasshpubkey";
132pub const ATTR_JWS_ES256_PRIVATE_KEY: &str = "jws_es256_private_key";
133pub const ATTR_KEY_ACTION_ROTATE: &str = "key_action_rotate";
134pub const ATTR_KEY_ACTION_REVOKE: &str = "key_action_revoke";
135pub const ATTR_KEY_ACTION_IMPORT_JWS_ES256: &str = "key_action_import_jws_es256";
136pub const ATTR_KEY_ACTION_IMPORT_JWS_RS256: &str = "key_action_import_jws_rs256";
137pub const ATTR_KEY_INTERNAL_DATA: &str = "key_internal_data";
138pub const ATTR_KEY_PROVIDER: &str = "key_provider";
139pub const ATTR_LAST_MODIFIED_CID: &str = "last_modified_cid";
140pub const ATTR_LDAP_ALLOW_UNIX_PW_BIND: &str = "ldap_allow_unix_pw_bind";
141pub const ATTR_LEGALNAME: &str = "legalname";
142pub const ATTR_LINKEDGROUP: &str = "linked_group";
143pub const ATTR_LOGINSHELL: &str = "loginshell";
144pub const ATTR_MAIL: &str = "mail";
145pub const ATTR_MAY: &str = "may";
146pub const ATTR_MEMBER: &str = "member";
147pub const ATTR_MEMBEROF: &str = "memberof";
148pub const ATTR_MULTIVALUE: &str = "multivalue";
149pub const ATTR_MUST: &str = "must";
150pub const ATTR_NAME_HISTORY: &str = "name_history";
151pub const ATTR_NAME: &str = "name";
152pub const ATTR_NO_INDEX: &str = "no-index";
153pub const ATTR_NSACCOUNTLOCK: &str = "nsaccountlock";
154pub const ATTR_NSUNIQUEID: &str = "nsuniqueid";
155
156pub const ATTR_OAUTH2_ALLOW_INSECURE_CLIENT_DISABLE_PKCE: &str =
157    "oauth2_allow_insecure_client_disable_pkce";
158pub const ATTR_OAUTH2_ALLOW_LOCALHOST_REDIRECT: &str = "oauth2_allow_localhost_redirect";
159pub const ATTR_OAUTH2_CONSENT_SCOPE_MAP: &str = "oauth2_consent_scope_map";
160pub const ATTR_OAUTH2_DEVICE_FLOW_ENABLE: &str = "oauth2_device_flow_enable";
161pub const ATTR_OAUTH2_JWT_LEGACY_CRYPTO_ENABLE: &str = "oauth2_jwt_legacy_crypto_enable";
162pub const ATTR_OAUTH2_PREFER_SHORT_USERNAME: &str = "oauth2_prefer_short_username";
163pub const ATTR_OAUTH2_RS_BASIC_SECRET: &str = "oauth2_rs_basic_secret";
164pub const ATTR_OAUTH2_RS_CLAIM_MAP: &str = "oauth2_rs_claim_map";
165pub const ATTR_OAUTH2_RS_IMPLICIT_SCOPES: &str = "oauth2_rs_implicit_scopes";
166pub const ATTR_OAUTH2_RS_NAME: &str = "oauth2_rs_name";
167pub const ATTR_OAUTH2_RS_ORIGIN_LANDING: &str = "oauth2_rs_origin_landing";
168pub const ATTR_OAUTH2_RS_ORIGIN: &str = "oauth2_rs_origin";
169pub const ATTR_OAUTH2_RS_SCOPE_MAP: &str = "oauth2_rs_scope_map";
170pub const ATTR_OAUTH2_RS_SUP_SCOPE_MAP: &str = "oauth2_rs_sup_scope_map";
171pub const ATTR_OAUTH2_RS_TOKEN_KEY: &str = "oauth2_rs_token_key";
172pub const ATTR_OAUTH2_SESSION: &str = "oauth2_session";
173pub const ATTR_OAUTH2_STRICT_REDIRECT_URI: &str = "oauth2_strict_redirect_uri";
174pub const ATTR_OBJECTCLASS: &str = "objectclass";
175pub const ATTR_OTHER_NO_INDEX: &str = "other-no-index";
176pub const ATTR_PASSKEYS: &str = "passkeys";
177pub const ATTR_PASSWORD_IMPORT: &str = "password_import";
178pub const ATTR_PATCH_LEVEL: &str = "patch_level";
179pub const ATTR_PHANTOM: &str = "phantom";
180pub const ATTR_PRIMARY_CREDENTIAL: &str = "primary_credential";
181pub const ATTR_TOTP_IMPORT: &str = "totp_import";
182pub const ATTR_PRIVATE_COOKIE_KEY: &str = "private_cookie_key";
183pub const ATTR_PRIVILEGE_EXPIRY: &str = "privilege_expiry";
184pub const ATTR_RADIUS_SECRET: &str = "radius_secret";
185pub const ATTR_RECYCLED: &str = "recycled";
186pub const ATTR_RECYCLEDDIRECTMEMBEROF: &str = "recycled_directmemberof";
187pub const ATTR_REFERS: &str = "refers";
188pub const ATTR_REPLICATED: &str = "replicated";
189pub const ATTR_RS256_PRIVATE_KEY_DER: &str = "rs256_private_key_der";
190pub const ATTR_SCIM_SCHEMAS: &str = "schemas";
191pub const ATTR_SCOPE: &str = "scope";
192pub const ATTR_SELF: &str = "self";
193pub const ATTR_SOURCE_UUID: &str = "source_uuid";
194pub const ATTR_SPN: &str = "spn";
195pub const ATTR_SUDOHOST: &str = "sudohost";
196pub const ATTR_SUPPLEMENTS: &str = "supplements";
197pub const ATTR_LDAP_SSHPUBLICKEY: &str = "sshpublickey";
198pub const ATTR_SSH_PUBLICKEY: &str = "ssh_publickey";
199pub const ATTR_SYNC_ALLOWED: &str = "sync_allowed";
200pub const ATTR_SYNC_CLASS: &str = "sync_class";
201pub const ATTR_SYNC_COOKIE: &str = "sync_cookie";
202pub const ATTR_SYNC_CREDENTIAL_PORTAL: &str = "sync_credential_portal";
203pub const ATTR_SYNC_EXTERNAL_ID: &str = "sync_external_id";
204pub const ATTR_SYNC_EXTERNAL_UUID: &str = "sync_external_uuid";
205pub const ATTR_SYNC_PARENT_UUID: &str = "sync_parent_uuid";
206pub const ATTR_SYNC_TOKEN_SESSION: &str = "sync_token_session";
207pub const ATTR_SYNC_YIELD_AUTHORITY: &str = "sync_yield_authority";
208pub const ATTR_SYNTAX: &str = "syntax";
209pub const ATTR_SYSTEMEXCLUDES: &str = "systemexcludes";
210pub const ATTR_SYSTEMMAY: &str = "systemmay";
211pub const ATTR_SYSTEMMUST: &str = "systemmust";
212pub const ATTR_SYSTEMSUPPLEMENTS: &str = "systemsupplements";
213pub const ATTR_TERM: &str = "term";
214pub const ATTR_UID: &str = "uid";
215pub const ATTR_UIDNUMBER: &str = "uidnumber";
216pub const ATTR_UNIQUE: &str = "unique";
217pub const ATTR_UNIX_PASSWORD: &str = "unix_password";
218pub const ATTR_UNIX_PASSWORD_IMPORT: &str = "unix_password_import";
219pub const ATTR_USER_AUTH_TOKEN_SESSION: &str = "user_auth_token_session";
220pub const ATTR_USERID: &str = "userid";
221pub const ATTR_USERPASSWORD: &str = "userpassword";
222pub const ATTR_UUID: &str = "uuid";
223pub const ATTR_VERSION: &str = "version";
224pub const ATTR_WEBAUTHN_ATTESTATION_CA_LIST: &str = "webauthn_attestation_ca_list";
225pub const ATTR_ALLOW_PRIMARY_CRED_FALLBACK: &str = "allow_primary_cred_fallback";
226
227pub const SUB_ATTR_PRIMARY: &str = "primary";
228
229pub const OAUTH2_SCOPE_EMAIL: &str = ATTR_EMAIL;
230pub const OAUTH2_SCOPE_GROUPS: &str = "groups";
231pub const OAUTH2_SCOPE_SSH_PUBLICKEYS: &str = "ssh_publickeys";
232pub const OAUTH2_SCOPE_OPENID: &str = "openid";
233pub const OAUTH2_SCOPE_READ: &str = "read";
234pub const OAUTH2_SCOPE_SUPPLEMENT: &str = "supplement";
235
236pub const LDAP_ATTR_CN: &str = "cn";
237pub const LDAP_ATTR_DN: &str = "dn";
238pub const LDAP_ATTR_DISPLAY_NAME: &str = "displayname";
239pub const LDAP_ATTR_EMAIL_ALTERNATIVE: &str = "emailalternative";
240pub const LDAP_ATTR_EMAIL_PRIMARY: &str = "emailprimary";
241pub const LDAP_ATTR_ENTRYDN: &str = "entrydn";
242pub const LDAP_ATTR_ENTRYUUID: &str = "entryuuid";
243pub const LDAP_ATTR_GROUPS: &str = "groups";
244pub const LDAP_ATTR_KEYS: &str = "keys";
245pub const LDAP_ATTR_MAIL_ALTERNATIVE: &str = "mail;alternative";
246pub const LDAP_ATTR_MAIL_PRIMARY: &str = "mail;primary";
247pub const LDAP_ATTR_MAIL: &str = "mail";
248pub const LDAP_ATTR_MEMBER: &str = "member";
249pub const LDAP_ATTR_NAME: &str = "name";
250pub const LDAP_ATTR_OBJECTCLASS: &str = "objectclass";
251pub const LDAP_ATTR_OU: &str = "ou";
252pub const LDAP_ATTR_UID: &str = "uid";
253pub const LDAP_CLASS_GROUPOFNAMES: &str = "groupofnames";
254
255// Rust can't deal with this being compiled out, don't try and #[cfg()] them
256pub const TEST_ATTR_NON_EXIST: &str = "non-exist";
257pub const TEST_ATTR_TEST_ATTR: &str = "testattr";
258pub const TEST_ATTR_EXTRA: &str = "extra";
259pub const TEST_ATTR_NUMBER: &str = "testattrnumber";
260pub const TEST_ATTR_NOTALLOWED: &str = "notallowed";
261pub const TEST_ENTRYCLASS_TEST_CLASS: &str = "testclass";
262
263/// HTTP Header containing an auth session ID for when you're going through an auth flow
264pub const KSESSIONID: &str = "X-KANIDM-AUTH-SESSION-ID";
265/// HTTP Header containing the backend operation ID
266pub const KOPID: &str = "X-KANIDM-OPID";
267/// HTTP Header containing the Kanidm server version
268pub const KVERSION: &str = "X-KANIDM-VERSION";
269
270/// X-Forwarded-For header
271pub const X_FORWARDED_FOR: &str = "x-forwarded-for";
272
273// OAuth
274pub const OAUTH2_DEVICE_CODE_SESSION: &str = "oauth2_device_code_session";
275pub const OAUTH2_RESOURCE_SERVER: &str = "oauth2_resource_server";
276pub const OAUTH2_RESOURCE_SERVER_BASIC: &str = "oauth2_resource_server_basic";
277pub const OAUTH2_RESOURCE_SERVER_PUBLIC: &str = "oauth2_resource_server_public";
278
279// Access Control
280pub const ACCESS_CONTROL_CREATE: &str = "access_control_create";
281pub const ACCESS_CONTROL_DELETE: &str = "access_control_delete";
282pub const ACCESS_CONTROL_MODIFY: &str = "access_control_modify";
283pub const ACCESS_CONTROL_PROFILE: &str = "access_control_profile";
284pub const ACCESS_CONTROL_RECEIVER_ENTRY_MANAGER: &str = "access_control_receiver_entry_manager";
285pub const ACCESS_CONTROL_RECEIVER_GROUP: &str = "access_control_receiver_group";
286pub const ACCESS_CONTROL_SEARCH: &str = "access_control_search";
287pub const ACCESS_CONTROL_TARGET_SCOPE: &str = "access_control_target_scope";
288
289/// Entryclass
290pub const ENTRYCLASS_BUILTIN: &str = "builtin";
291pub const ENTRYCLASS_ACCOUNT: &str = "account";
292pub const ENTRYCLASS_ACCOUNT_POLICY: &str = "account_policy";
293pub const ENTRYCLASS_APPLICATION: &str = "application";
294pub const ENTRYCLASS_ATTRIBUTE_TYPE: &str = "attributetype";
295pub const ENTRYCLASS_CLASS: &str = "class";
296pub const ENTRYCLASS_CLASS_TYPE: &str = "classtype";
297pub const ENTRYCLASS_CLIENT_CERTIFICATE: &str = "client_certificate";
298pub const ENTRYCLASS_CONFLICT: &str = "conflict";
299pub const ENTRYCLASS_DOMAIN_INFO: &str = "domain_info";
300pub const ENTRYCLASS_DYN_GROUP: &str = "dyngroup";
301pub const ENTRYCLASS_EXTENSIBLE_OBJECT: &str = "extensibleobject";
302pub const ENTRYCLASS_GROUP: &str = "group";
303pub const ENTRYCLASS_MEMBER_OF: &str = "memberof";
304pub const ENTRYCLASS_OBJECT: &str = "object";
305pub const ENTRYCLASS_ORG_PERSON: &str = "orgperson";
306pub const ENTRYCLASS_PERSON: &str = "person";
307pub const ENTRYCLASS_POSIX_ACCOUNT: &str = "posixaccount";
308pub const ENTRYCLASS_POSIX_GROUP: &str = "posixgroup";
309pub const ENTRYCLASS_RECYCLED: &str = "recycled";
310pub const ENTRYCLASS_SERVICE: &str = "service";
311pub const ENTRYCLASS_SERVICE_ACCOUNT: &str = "service_account";
312pub const ENTRYCLASS_SYNC_ACCOUNT: &str = "sync_account";
313pub const ENTRYCLASS_SYNC_OBJECT: &str = "sync_object";
314pub const ENTRYCLASS_SYSTEM: &str = "system";
315pub const ENTRYCLASS_SYSTEM_CONFIG: &str = "system_config";
316pub const ENTRYCLASS_SYSTEM_INFO: &str = "system_info";
317pub const ENTRYCLASS_TOMBSTONE: &str = "tombstone";
318pub const ENTRYCLASS_USER: &str = "user";
319pub const ENTRYCLASS_KEY_PROVIDER: &str = "key_provider";
320pub const ENTRYCLASS_KEY_PROVIDER_INTERNAL: &str = "key_provider_internal";
321pub const ENTRYCLASS_KEY_OBJECT: &str = "key_object";
322pub const ENTRYCLASS_KEY_OBJECT_JWT_ES256: &str = "key_object_jwt_es256";
323pub const ENTRYCLASS_KEY_OBJECT_JWT_RS256: &str = "key_object_jwt_rs256";
324pub const ENTRYCLASS_KEY_OBJECT_JWE_A128GCM: &str = "key_object_jwe_a128gcm";
325pub const ENTRYCLASS_KEY_OBJECT_INTERNAL: &str = "key_object_internal";