kanidmd_lib/migration_data/dl10/
mod.rs

Help
1mod access;
2pub(super) mod accounts;
3mod groups;
4mod key_providers;
5mod schema;
6mod system_config;
7
8use self::access::*;
9use self::accounts::*;
10use self::groups::*;
11use self::key_providers::*;
12use self::schema::*;
13use self::system_config::*;
14
15use crate::prelude::EntryInitNew;
16use kanidm_proto::internal::OperationError;
17
18pub fn phase_1_schema_attrs() -> Vec<EntryInitNew> {
19    vec![
20        SCHEMA_ATTR_SYNC_CREDENTIAL_PORTAL.clone().into(),
21        SCHEMA_ATTR_SYNC_YIELD_AUTHORITY.clone().into(),
22        SCHEMA_ATTR_ACCOUNT_EXPIRE.clone().into(),
23        SCHEMA_ATTR_ACCOUNT_VALID_FROM.clone().into(),
24        SCHEMA_ATTR_API_TOKEN_SESSION.clone().into(),
25        SCHEMA_ATTR_AUTH_SESSION_EXPIRY.clone().into(),
26        SCHEMA_ATTR_AUTH_PRIVILEGE_EXPIRY.clone().into(),
27        SCHEMA_ATTR_AUTH_PASSWORD_MINIMUM_LENGTH.clone().into(),
28        SCHEMA_ATTR_BADLIST_PASSWORD.clone().into(),
29        SCHEMA_ATTR_CREDENTIAL_UPDATE_INTENT_TOKEN.clone().into(),
30        SCHEMA_ATTR_ATTESTED_PASSKEYS.clone().into(),
31        SCHEMA_ATTR_DOMAIN_DISPLAY_NAME.clone().into(),
32        SCHEMA_ATTR_DOMAIN_LDAP_BASEDN.clone().into(),
33        SCHEMA_ATTR_DOMAIN_NAME.clone().into(),
34        SCHEMA_ATTR_LDAP_ALLOW_UNIX_PW_BIND.clone().into(),
35        SCHEMA_ATTR_DOMAIN_SSID.clone().into(),
36        SCHEMA_ATTR_DOMAIN_TOKEN_KEY.clone().into(),
37        SCHEMA_ATTR_DOMAIN_UUID.clone().into(),
38        SCHEMA_ATTR_DYNGROUP_FILTER.clone().into(),
39        SCHEMA_ATTR_EC_KEY_PRIVATE.clone().into(),
40        SCHEMA_ATTR_ES256_PRIVATE_KEY_DER.clone().into(),
41        SCHEMA_ATTR_FERNET_PRIVATE_KEY_STR.clone().into(),
42        SCHEMA_ATTR_GIDNUMBER.clone().into(),
43        SCHEMA_ATTR_GRANT_UI_HINT.clone().into(),
44        SCHEMA_ATTR_JWS_ES256_PRIVATE_KEY.clone().into(),
45        SCHEMA_ATTR_LOGINSHELL.clone().into(),
46        SCHEMA_ATTR_NAME_HISTORY.clone().into(),
47        SCHEMA_ATTR_NSUNIQUEID.clone().into(),
48        SCHEMA_ATTR_OAUTH2_ALLOW_INSECURE_CLIENT_DISABLE_PKCE
49            .clone()
50            .into(),
51        SCHEMA_ATTR_OAUTH2_CONSENT_SCOPE_MAP.clone().into(),
52        SCHEMA_ATTR_OAUTH2_JWT_LEGACY_CRYPTO_ENABLE.clone().into(),
53        SCHEMA_ATTR_OAUTH2_PREFER_SHORT_USERNAME.clone().into(),
54        SCHEMA_ATTR_OAUTH2_RS_BASIC_SECRET.clone().into(),
55        SCHEMA_ATTR_OAUTH2_RS_IMPLICIT_SCOPES.clone().into(),
56        SCHEMA_ATTR_OAUTH2_RS_NAME.clone().into(),
57        SCHEMA_ATTR_OAUTH2_RS_ORIGIN_LANDING.clone().into(),
58        SCHEMA_ATTR_OAUTH2_RS_SCOPE_MAP.clone().into(),
59        SCHEMA_ATTR_OAUTH2_RS_SUP_SCOPE_MAP.clone().into(),
60        SCHEMA_ATTR_OAUTH2_RS_TOKEN_KEY.clone().into(),
61        SCHEMA_ATTR_OAUTH2_SESSION.clone().into(),
62        SCHEMA_ATTR_PASSKEYS.clone().into(),
63        SCHEMA_ATTR_PRIMARY_CREDENTIAL.clone().into(),
64        SCHEMA_ATTR_PRIVATE_COOKIE_KEY.clone().into(),
65        SCHEMA_ATTR_RADIUS_SECRET.clone().into(),
66        SCHEMA_ATTR_RS256_PRIVATE_KEY_DER.clone().into(),
67        SCHEMA_ATTR_SSH_PUBLICKEY.clone().into(),
68        SCHEMA_ATTR_SYNC_COOKIE.clone().into(),
69        SCHEMA_ATTR_SYNC_TOKEN_SESSION.clone().into(),
70        SCHEMA_ATTR_UNIX_PASSWORD.clone().into(),
71        SCHEMA_ATTR_USER_AUTH_TOKEN_SESSION.clone().into(),
72        SCHEMA_ATTR_CREDENTIAL_TYPE_MINIMUM.clone().into(),
73        SCHEMA_ATTR_WEBAUTHN_ATTESTATION_CA_LIST.clone().into(),
74        // DL4
75        SCHEMA_ATTR_OAUTH2_RS_CLAIM_MAP_DL4.clone().into(),
76        SCHEMA_ATTR_OAUTH2_ALLOW_LOCALHOST_REDIRECT_DL4
77            .clone()
78            .into(),
79        // DL5
80        // DL6
81        SCHEMA_ATTR_LIMIT_SEARCH_MAX_RESULTS_DL6.clone().into(),
82        SCHEMA_ATTR_LIMIT_SEARCH_MAX_FILTER_TEST_DL6.clone().into(),
83        SCHEMA_ATTR_KEY_INTERNAL_DATA_DL6.clone().into(),
84        SCHEMA_ATTR_KEY_PROVIDER_DL6.clone().into(),
85        SCHEMA_ATTR_KEY_ACTION_ROTATE_DL6.clone().into(),
86        SCHEMA_ATTR_KEY_ACTION_REVOKE_DL6.clone().into(),
87        SCHEMA_ATTR_KEY_ACTION_IMPORT_JWS_ES256_DL6.clone().into(),
88        // DL7
89        SCHEMA_ATTR_PATCH_LEVEL_DL7.clone().into(),
90        SCHEMA_ATTR_DOMAIN_DEVELOPMENT_TAINT_DL7.clone().into(),
91        SCHEMA_ATTR_REFERS_DL7.clone().into(),
92        SCHEMA_ATTR_CERTIFICATE_DL7.clone().into(),
93        SCHEMA_ATTR_OAUTH2_RS_ORIGIN_DL7.clone().into(),
94        SCHEMA_ATTR_OAUTH2_STRICT_REDIRECT_URI_DL7.clone().into(),
95        SCHEMA_ATTR_MAIL_DL7.clone().into(),
96        SCHEMA_ATTR_LEGALNAME_DL7.clone().into(),
97        SCHEMA_ATTR_DISPLAYNAME_DL7.clone().into(),
98        // DL8
99        SCHEMA_ATTR_LINKED_GROUP_DL8.clone().into(),
100        SCHEMA_ATTR_APPLICATION_PASSWORD_DL8.clone().into(),
101        SCHEMA_ATTR_ALLOW_PRIMARY_CRED_FALLBACK_DL8.clone().into(),
102        // DL9
103        SCHEMA_ATTR_OAUTH2_DEVICE_FLOW_ENABLE_DL9.clone().into(),
104        SCHEMA_ATTR_DOMAIN_ALLOW_EASTER_EGGS_DL9.clone().into(),
105        // DL10
106        SCHEMA_ATTR_DENIED_NAME_DL10.clone().into(),
107        SCHEMA_ATTR_LDAP_MAXIMUM_QUERYABLE_ATTRIBUTES.clone().into(),
108        SCHEMA_ATTR_KEY_ACTION_IMPORT_JWS_RS256_DL6.clone().into(),
109    ]
110}
111
112pub fn phase_2_schema_classes() -> Vec<EntryInitNew> {
113    vec![
114        SCHEMA_CLASS_DYNGROUP.clone().into(),
115        SCHEMA_CLASS_ORGPERSON.clone().into(),
116        SCHEMA_CLASS_POSIXACCOUNT.clone().into(),
117        SCHEMA_CLASS_POSIXGROUP.clone().into(),
118        SCHEMA_CLASS_SYSTEM_CONFIG.clone().into(),
119        // DL4
120        SCHEMA_CLASS_OAUTH2_RS_PUBLIC_DL4.clone().into(),
121        // DL5
122        SCHEMA_CLASS_ACCOUNT_DL5.clone().into(),
123        SCHEMA_CLASS_OAUTH2_RS_BASIC_DL5.clone().into(),
124        // DL6
125        SCHEMA_CLASS_GROUP_DL6.clone().into(),
126        SCHEMA_CLASS_KEY_PROVIDER_DL6.clone().into(),
127        SCHEMA_CLASS_KEY_PROVIDER_INTERNAL_DL6.clone().into(),
128        SCHEMA_CLASS_KEY_OBJECT_DL6.clone().into(),
129        SCHEMA_CLASS_KEY_OBJECT_JWT_ES256_DL6.clone().into(),
130        SCHEMA_CLASS_KEY_OBJECT_JWE_A128GCM_DL6.clone().into(),
131        SCHEMA_CLASS_KEY_OBJECT_INTERNAL_DL6.clone().into(),
132        // DL7
133        SCHEMA_CLASS_SERVICE_ACCOUNT_DL7.clone().into(),
134        SCHEMA_CLASS_SYNC_ACCOUNT_DL7.clone().into(),
135        SCHEMA_CLASS_CLIENT_CERTIFICATE_DL7.clone().into(),
136        // DL8
137        SCHEMA_CLASS_ACCOUNT_POLICY_DL8.clone().into(),
138        SCHEMA_CLASS_APPLICATION_DL8.clone().into(),
139        SCHEMA_CLASS_PERSON_DL8.clone().into(),
140        // DL9
141        SCHEMA_CLASS_OAUTH2_RS_DL9.clone().into(),
142        // DL10
143        SCHEMA_CLASS_DOMAIN_INFO_DL10.clone().into(),
144        SCHEMA_CLASS_KEY_OBJECT_JWT_RS256.clone().into(),
145    ]
146}
147
148pub fn phase_3_key_provider() -> Vec<EntryInitNew> {
149    vec![E_KEY_PROVIDER_INTERNAL_DL6.clone()]
150}
151
152pub fn phase_4_system_entries() -> Vec<EntryInitNew> {
153    vec![
154        E_SYSTEM_INFO_V1.clone(),
155        E_DOMAIN_INFO_DL6.clone(),
156        E_SYSTEM_CONFIG_V1.clone(),
157    ]
158}
159
160pub fn phase_5_builtin_admin_entries() -> Result<Vec<EntryInitNew>, OperationError> {
161    Ok(vec![
162        BUILTIN_ACCOUNT_ADMIN.clone().into(),
163        BUILTIN_ACCOUNT_IDM_ADMIN.clone().into(),
164        BUILTIN_GROUP_SYSTEM_ADMINS_V1.clone().try_into()?,
165        BUILTIN_GROUP_IDM_ADMINS_V1.clone().try_into()?,
166        // We need to push anonymous *after* groups due to entry-managed-by
167        BUILTIN_ACCOUNT_ANONYMOUS_DL6.clone().into(),
168    ])
169}
170
171pub fn phase_6_builtin_non_admin_entries() -> Result<Vec<EntryInitNew>, OperationError> {
172    Ok(vec![
173        BUILTIN_GROUP_DOMAIN_ADMINS.clone().try_into()?,
174        BUILTIN_GROUP_SCHEMA_ADMINS.clone().try_into()?,
175        BUILTIN_GROUP_ACCESS_CONTROL_ADMINS.clone().try_into()?,
176        BUILTIN_GROUP_UNIX_ADMINS.clone().try_into()?,
177        BUILTIN_GROUP_RECYCLE_BIN_ADMINS.clone().try_into()?,
178        BUILTIN_GROUP_SERVICE_DESK.clone().try_into()?,
179        BUILTIN_GROUP_OAUTH2_ADMINS.clone().try_into()?,
180        BUILTIN_GROUP_RADIUS_SERVICE_ADMINS.clone().try_into()?,
181        BUILTIN_GROUP_ACCOUNT_POLICY_ADMINS.clone().try_into()?,
182        BUILTIN_GROUP_PEOPLE_ADMINS.clone().try_into()?,
183        BUILTIN_GROUP_PEOPLE_PII_READ.clone().try_into()?,
184        BUILTIN_GROUP_PEOPLE_ON_BOARDING.clone().try_into()?,
185        BUILTIN_GROUP_SERVICE_ACCOUNT_ADMINS.clone().try_into()?,
186        BUILTIN_GROUP_MAIL_SERVICE_ADMINS_DL8.clone().try_into()?,
187        IDM_GROUP_ADMINS_V1.clone().try_into()?,
188        IDM_ALL_PERSONS.clone().try_into()?,
189        IDM_ALL_ACCOUNTS.clone().try_into()?,
190        BUILTIN_IDM_RADIUS_SERVERS_V1.clone().try_into()?,
191        BUILTIN_IDM_MAIL_SERVERS_DL8.clone().try_into()?,
192        BUILTIN_GROUP_PEOPLE_SELF_NAME_WRITE_DL7
193            .clone()
194            .try_into()?,
195        IDM_PEOPLE_SELF_MAIL_WRITE_DL7.clone().try_into()?,
196        BUILTIN_GROUP_CLIENT_CERTIFICATE_ADMINS_DL7
197            .clone()
198            .try_into()?,
199        BUILTIN_GROUP_APPLICATION_ADMINS_DL8.clone().try_into()?,
200        // Write deps on read.clone().try_into()?, so write must be added first.
201        // All members must exist before we write HP
202        IDM_HIGH_PRIVILEGE_DL8.clone().try_into()?,
203        // other things
204        IDM_UI_ENABLE_EXPERIMENTAL_FEATURES.clone().try_into()?,
205        IDM_ACCOUNT_MAIL_READ.clone().try_into()?,
206    ])
207}
208
209pub fn phase_7_builtin_access_control_profiles() -> Vec<EntryInitNew> {
210    vec![
211        // Built in access controls.
212        IDM_ACP_RECYCLE_BIN_SEARCH_V1.clone().into(),
213        IDM_ACP_RECYCLE_BIN_REVIVE_V1.clone().into(),
214        IDM_ACP_SCHEMA_WRITE_ATTRS_V1.clone().into(),
215        IDM_ACP_SCHEMA_WRITE_CLASSES_V1.clone().into(),
216        IDM_ACP_ACP_MANAGE_V1.clone().into(),
217        IDM_ACP_GROUP_ENTRY_MANAGED_BY_MODIFY_V1.clone().into(),
218        IDM_ACP_GROUP_ENTRY_MANAGER_V1.clone().into(),
219        IDM_ACP_SYNC_ACCOUNT_MANAGE_V1.clone().into(),
220        IDM_ACP_RADIUS_SERVERS_V1.clone().into(),
221        IDM_ACP_RADIUS_SECRET_MANAGE_V1.clone().into(),
222        IDM_ACP_PEOPLE_SELF_WRITE_MAIL_V1.clone().into(),
223        IDM_ACP_ACCOUNT_SELF_WRITE_V1.clone().into(),
224        IDM_ACP_ALL_ACCOUNTS_POSIX_READ_V1.clone().into(),
225        IDM_ACP_SYSTEM_CONFIG_ACCOUNT_POLICY_MANAGE_V1
226            .clone()
227            .into(),
228        IDM_ACP_GROUP_UNIX_MANAGE_V1.clone().into(),
229        IDM_ACP_HP_GROUP_UNIX_MANAGE_V1.clone().into(),
230        IDM_ACP_GROUP_READ_V1.clone().into(),
231        IDM_ACP_ACCOUNT_UNIX_EXTEND_V1.clone().into(),
232        IDM_ACP_PEOPLE_PII_READ_V1.clone().into(),
233        IDM_ACP_PEOPLE_PII_MANAGE_V1.clone().into(),
234        IDM_ACP_PEOPLE_READ_V1.clone().into(),
235        IDM_ACP_PEOPLE_MANAGE_V1.clone().into(),
236        IDM_ACP_PEOPLE_DELETE_V1.clone().into(),
237        IDM_ACP_PEOPLE_CREDENTIAL_RESET_V1.clone().into(),
238        IDM_ACP_HP_PEOPLE_CREDENTIAL_RESET_V1.clone().into(),
239        IDM_ACP_SERVICE_ACCOUNT_CREATE_V1.clone().into(),
240        IDM_ACP_SERVICE_ACCOUNT_DELETE_V1.clone().into(),
241        IDM_ACP_SERVICE_ACCOUNT_ENTRY_MANAGER_V1.clone().into(),
242        IDM_ACP_SERVICE_ACCOUNT_ENTRY_MANAGED_BY_MODIFY_V1
243            .clone()
244            .into(),
245        IDM_ACP_HP_SERVICE_ACCOUNT_ENTRY_MANAGED_BY_MODIFY_V1
246            .clone()
247            .into(),
248        IDM_ACP_SERVICE_ACCOUNT_MANAGE_V1.clone().into(),
249        // DL4
250        // DL5
251        // DL6
252        IDM_ACP_PEOPLE_CREATE_DL6.clone().into(),
253        IDM_ACP_ACCOUNT_MAIL_READ_DL6.clone().into(),
254        // DL7
255        IDM_ACP_SELF_NAME_WRITE_DL7.clone().into(),
256        IDM_ACP_HP_CLIENT_CERTIFICATE_MANAGER_DL7.clone().into(),
257        // DL8
258        IDM_ACP_SELF_READ_DL8.clone().into(),
259        IDM_ACP_SELF_WRITE_DL8.clone().into(),
260        IDM_ACP_APPLICATION_MANAGE_DL8.clone().into(),
261        IDM_ACP_APPLICATION_ENTRY_MANAGER_DL8.clone().into(),
262        IDM_ACP_MAIL_SERVERS_DL8.clone().into(),
263        IDM_ACP_GROUP_ACCOUNT_POLICY_MANAGE_DL8.clone().into(),
264        // DL9
265        IDM_ACP_GROUP_MANAGE_DL9.clone().into(),
266        IDM_ACP_DOMAIN_ADMIN_DL9.clone().into(),
267        // DL10
268        IDM_ACP_OAUTH2_MANAGE.clone().into(),
269    ]
270}
kanidmd_lib/migration_data/dl10/mod.rs

kanidmd_lib/migration_data/dl10/
mod.rs
