kanidmd_lib/constants/
mod.rs

1// Re-export as needed
2
3pub mod entries;
4pub mod uuids;
5pub mod values;
6
7pub use self::entries::*;
8pub use self::uuids::*;
9pub use self::values::*;
10
11use std::time::Duration;
12
13// This value no longer requires incrementing during releases. It only
14// serves as a "once off" marker so that we know when the initial db
15// index is performed on first-run.
16//
17// It's also useful if we need to force a reindex due to a bug though :)
18pub const SYSTEM_INDEX_VERSION: i64 = 32;
19
20/*
21 * domain functional levels
22 *
23 * The idea here is to allow topology wide upgrades to be performed. We have to
24 * assume that across multiple kanidm instances there may be cases where we have version
25 * N and version N minus 1 as upgrades are rolled out.
26 *
27 * Imagine we set up a new cluster. Machine A and B both have level 1 support.
28 * We upgrade machine A. It has support up to level 2, but machine B does not.
29 * So the overall functional level is level 1. Then we upgrade B, which supports
30 * up to level 2. We still don't do the upgrade! The topology is still level 1
31 * unless an admin at this point *intervenes* and forces the update. OR what
32 * happens we we update machine A again and it now supports up to level 3, with
33 * a target level of 2. So we update machine A now to level 2, and that can
34 * still replicate to machine B since it also supports level 2.
35 *
36 * effectively it means that "some features" may be a "release behind" for users
37 * who don't muck with the levels, but it means that we can do mixed version
38 * upgrades.
39 */
40pub type DomainVersion = u32;
41
42/// Domain level 0 - this indicates that this instance
43/// is a new install and has never had a domain level
44/// previously.
45pub const DOMAIN_LEVEL_0: DomainVersion = 0;
46
47/// Domain Level introduced with 1.3.0.
48/// Deprecated as of 1.5.0
49pub const DOMAIN_LEVEL_7: DomainVersion = 7;
50
51/// Domain Level introduced with 1.4.0.
52/// Deprecated as of 1.6.0
53pub const DOMAIN_LEVEL_8: DomainVersion = 8;
54
55/// Domain Level introduced with 1.5.0.
56/// Deprecated as of 1.7.0
57pub const DOMAIN_LEVEL_9: DomainVersion = 9;
58pub const PATCH_LEVEL_2: u32 = 2;
59
60/// Domain Level introduced with 1.6.0.
61/// Deprecated as of 1.8.0
62pub const DOMAIN_LEVEL_10: DomainVersion = 10;
63
64/// Domain Level introduced with 1.7.0.
65/// Deprecated as of 1.9.0
66pub const DOMAIN_LEVEL_11: DomainVersion = 11;
67
68/// Domain Level introduced with 1.8.0.
69/// Deprecated as of 1.10.0
70pub const DOMAIN_LEVEL_12: DomainVersion = 12;
71
72/// Domain Level introduced with 1.9.0.
73/// Deprecated as of 1.11.0
74pub const DOMAIN_LEVEL_13: DomainVersion = 13;
75
76// The target supported domain functional level. During development this is
77// the NEXT level that users will upgrade too. In other words if we are
78// developing 1.6.0-dev, then we need to set TGT_LEVEL to 10 which is
79// the corresponding level.
80pub const DOMAIN_TGT_LEVEL: DomainVersion = DOMAIN_LEVEL_12;
81// The current patch level if any out of band fixes are required.
82pub const DOMAIN_TGT_PATCH_LEVEL: u32 = PATCH_LEVEL_2;
83
84// The maximum supported domain functional level
85pub const DOMAIN_MAX_LEVEL: DomainVersion = DOMAIN_LEVEL_13;
86
87// The minimum level that we can re-migrate from.
88// This should be DOMAIN_TGT_LEVEL minus 2
89pub const DOMAIN_MIN_REMIGRATION_LEVEL: DomainVersion = DOMAIN_LEVEL_9;
90
91// The minimum supported domain functional level (for replication)
92pub const DOMAIN_MIN_LEVEL: DomainVersion = DOMAIN_TGT_LEVEL;
93// The previous releases domain functional level
94pub const DOMAIN_PREVIOUS_TGT_LEVEL: DomainVersion = DOMAIN_TGT_LEVEL - 1;
95// The target domain functional level for the SUBSEQUENT release/dev cycle.
96pub const DOMAIN_TGT_NEXT_LEVEL: DomainVersion = DOMAIN_TGT_LEVEL + 1;
97
98// On test builds define to 60 seconds
99#[cfg(test)]
100pub const PURGE_FREQUENCY: u64 = 60;
101// For production 10 minutes.
102#[cfg(not(test))]
103pub const PURGE_FREQUENCY: u64 = 600;
104
105/// The number of delayed actions to consider per write transaction. Higher
106/// values allow more coalescing to occur, but may consume more ram and cause
107/// some latency while dequeuing and writing those operations.
108pub const DELAYED_ACTION_BATCH_SIZE: usize = 256;
109
110/// The amount of time to wait to acquire a database ticket before timing out.
111/// Higher values allow greater operation queuing but can cause feedback
112/// loops where operations will stall for long periods.
113pub const DB_LOCK_ACQUIRE_TIMEOUT_MILLIS: u64 = 5000;
114
115#[cfg(test)]
116/// In test, we limit the changelog to 10 minutes.
117pub const CHANGELOG_MAX_AGE: u64 = 600;
118#[cfg(not(test))]
119/// A replica may be up to 7 days out of sync before being denied updates.
120pub const CHANGELOG_MAX_AGE: u64 = 7 * 86400;
121
122#[cfg(test)]
123/// In test, we limit the recyclebin to 5 minutes.
124pub const RECYCLEBIN_MAX_AGE: u64 = 300;
125#[cfg(not(test))]
126/// In production we allow 1 week
127pub const RECYCLEBIN_MAX_AGE: u64 = 7 * 86400;
128
129// 5 minute auth session window.
130pub const AUTH_SESSION_TIMEOUT: u64 = 300;
131// 5 minute mfa reg window
132pub const MFAREG_SESSION_TIMEOUT: u64 = 300;
133pub const PW_MIN_LENGTH: u32 = 10;
134
135// Maximum - Sessions have no upper bound.
136pub const MAXIMUM_AUTH_SESSION_EXPIRY: u32 = u32::MAX;
137// Default - sessions last for 1 day
138pub const DEFAULT_AUTH_SESSION_EXPIRY: u32 = 86400;
139// Maximum - privileges last for 1 hour.
140pub const MAXIMUM_AUTH_PRIVILEGE_EXPIRY: u32 = 3600;
141// Default - privileges last for 10 minutes.
142pub const DEFAULT_AUTH_PRIVILEGE_EXPIRY: u32 = 600;
143// Default - directly privileged sessions only last 1 hour.
144pub const DEFAULT_AUTH_SESSION_LIMITED_EXPIRY: u32 = 3600;
145// Default - oauth refresh tokens last for 16 hours.
146pub const OAUTH_REFRESH_TOKEN_EXPIRY: u64 = 3600 * 16;
147
148/// How long access tokens should last. This is NOT the length
149/// of the refresh token, which is bound to the issuing session.
150pub const OAUTH2_ACCESS_TOKEN_EXPIRY: u32 = 15 * 60;
151
152/// The amount of time a suppliers clock can be "ahead" before
153/// we warn about possible clock synchronisation issues.
154pub const REPL_SUPPLIER_ADVANCE_WINDOW: Duration = Duration::from_secs(600);
155
156/// The number of days that the default replication MTLS cert lasts for when
157/// configured manually. Defaults to 4 years (including 1 day for the leap year).
158pub const REPL_MTLS_CERTIFICATE_DAYS: u32 = 1461;
159
160/// The default number of entries that a user may retrieve in a search
161pub const DEFAULT_LIMIT_SEARCH_MAX_RESULTS: u64 = 1024;
162/// The default number of entries than an api token may retrieve in a search;
163pub const DEFAULT_LIMIT_API_SEARCH_MAX_RESULTS: u64 = u64::MAX >> 1;
164/// the default number of entries that may be examined in a partially indexed
165/// query.
166pub const DEFAULT_LIMIT_SEARCH_MAX_FILTER_TEST: u64 = 2048;
167/// the default number of entries that may be examined in a partially indexed
168/// query by an api token.
169pub const DEFAULT_LIMIT_API_SEARCH_MAX_FILTER_TEST: u64 = 16384;
170/// The maximum number of items in a filter, regardless of nesting level.
171pub const DEFAULT_LIMIT_FILTER_MAX_ELEMENTS: u64 = 32;
172
173/// The maximum amount of recursion allowed in a filter.
174pub const DEFAULT_LIMIT_FILTER_DEPTH_MAX: u64 = 12;
175
176/// The maximum number of sessions allowed on a single entry.
177pub(crate) const SESSION_MAXIMUM: usize = 48;