
1mod access;
2pub(super) mod accounts;
3mod groups;
4mod key_providers;
5mod schema;
6mod system_config;
7
8use self::access::*;
9use self::accounts::*;
10use self::groups::*;
11use self::key_providers::*;
12use self::schema::*;
13use self::system_config::*;
14use crate::constants::UUID_SCHEMA_ATTR_EC_KEY_PRIVATE;
15use crate::prelude::EntryInitNew;
16use kanidm_proto::internal::OperationError;
17use uuid::Uuid;
18
/// Schema attribute definitions for this migration data set.
///
/// Returns each `SCHEMA_ATTR_*` constant from the sibling `schema` module
/// converted into an [`EntryInitNew`]. The `// DLn` markers group attributes
/// by the level whose suffix they carry (`_DL4`, `_DL6`, ...); unsuffixed
/// entries under a marker presumably were introduced at that same level —
/// confirm against the `schema` module when in doubt.
///
/// Many of these attributes hold key material or credentials (private keys,
/// OAuth2 secrets, session tokens, RADIUS/UNIX passwords). This function only
/// declares the attribute schema; who may read or write the values is
/// presumably governed by the access control profiles returned from
/// `phase_7_builtin_access_control_profiles`, not here.
///
/// The `phase_N` functions in this module appear to be applied in numeric
/// order; attributes must exist before the classes in phase 2 reference them.
pub fn phase_1_schema_attrs() -> Vec<EntryInitNew> {
    vec![
        SCHEMA_ATTR_SYNC_CREDENTIAL_PORTAL.clone().into(),
        SCHEMA_ATTR_SYNC_YIELD_AUTHORITY.clone().into(),
        SCHEMA_ATTR_ACCOUNT_EXPIRE.clone().into(),
        SCHEMA_ATTR_ACCOUNT_VALID_FROM.clone().into(),
        SCHEMA_ATTR_API_TOKEN_SESSION.clone().into(),
        SCHEMA_ATTR_AUTH_SESSION_EXPIRY.clone().into(),
        SCHEMA_ATTR_AUTH_PRIVILEGE_EXPIRY.clone().into(),
        SCHEMA_ATTR_AUTH_PASSWORD_MINIMUM_LENGTH.clone().into(),
        SCHEMA_ATTR_BADLIST_PASSWORD.clone().into(),
        SCHEMA_ATTR_CREDENTIAL_UPDATE_INTENT_TOKEN.clone().into(),
        SCHEMA_ATTR_ATTESTED_PASSKEYS.clone().into(),
        SCHEMA_ATTR_DOMAIN_DISPLAY_NAME.clone().into(),
        SCHEMA_ATTR_DOMAIN_LDAP_BASEDN.clone().into(),
        SCHEMA_ATTR_DOMAIN_NAME.clone().into(),
        SCHEMA_ATTR_LDAP_ALLOW_UNIX_PW_BIND.clone().into(),
        SCHEMA_ATTR_DOMAIN_SSID.clone().into(),
        SCHEMA_ATTR_DOMAIN_TOKEN_KEY.clone().into(),
        SCHEMA_ATTR_DOMAIN_UUID.clone().into(),
        SCHEMA_ATTR_DYNGROUP_FILTER.clone().into(),
        SCHEMA_ATTR_ES256_PRIVATE_KEY_DER.clone().into(),
        SCHEMA_ATTR_FERNET_PRIVATE_KEY_STR.clone().into(),
        SCHEMA_ATTR_GIDNUMBER.clone().into(),
        SCHEMA_ATTR_GRANT_UI_HINT.clone().into(),
        SCHEMA_ATTR_JWS_ES256_PRIVATE_KEY.clone().into(),
        SCHEMA_ATTR_LOGINSHELL.clone().into(),
        SCHEMA_ATTR_NAME_HISTORY.clone().into(),
        SCHEMA_ATTR_NSUNIQUEID.clone().into(),
        // Security-sensitive toggle: the attribute that lets a client opt out of PKCE.
        SCHEMA_ATTR_OAUTH2_ALLOW_INSECURE_CLIENT_DISABLE_PKCE
            .clone()
            .into(),
        SCHEMA_ATTR_OAUTH2_CONSENT_SCOPE_MAP.clone().into(),
        SCHEMA_ATTR_OAUTH2_JWT_LEGACY_CRYPTO_ENABLE.clone().into(),
        SCHEMA_ATTR_OAUTH2_PREFER_SHORT_USERNAME.clone().into(),
        SCHEMA_ATTR_OAUTH2_RS_BASIC_SECRET.clone().into(),
        SCHEMA_ATTR_OAUTH2_RS_IMPLICIT_SCOPES.clone().into(),
        SCHEMA_ATTR_OAUTH2_RS_NAME.clone().into(),
        SCHEMA_ATTR_OAUTH2_RS_ORIGIN_LANDING.clone().into(),
        SCHEMA_ATTR_OAUTH2_RS_SCOPE_MAP.clone().into(),
        SCHEMA_ATTR_OAUTH2_RS_SUP_SCOPE_MAP.clone().into(),
        SCHEMA_ATTR_OAUTH2_RS_TOKEN_KEY.clone().into(),
        SCHEMA_ATTR_OAUTH2_SESSION.clone().into(),
        SCHEMA_ATTR_PASSKEYS.clone().into(),
        SCHEMA_ATTR_PRIMARY_CREDENTIAL.clone().into(),
        SCHEMA_ATTR_PRIVATE_COOKIE_KEY.clone().into(),
        SCHEMA_ATTR_RADIUS_SECRET.clone().into(),
        SCHEMA_ATTR_RS256_PRIVATE_KEY_DER.clone().into(),
        SCHEMA_ATTR_SSH_PUBLICKEY.clone().into(),
        SCHEMA_ATTR_SYNC_COOKIE.clone().into(),
        SCHEMA_ATTR_SYNC_TOKEN_SESSION.clone().into(),
        SCHEMA_ATTR_UNIX_PASSWORD.clone().into(),
        SCHEMA_ATTR_USER_AUTH_TOKEN_SESSION.clone().into(),
        SCHEMA_ATTR_CREDENTIAL_TYPE_MINIMUM.clone().into(),
        SCHEMA_ATTR_WEBAUTHN_ATTESTATION_CA_LIST.clone().into(),
        // DL4
        SCHEMA_ATTR_OAUTH2_RS_CLAIM_MAP_DL4.clone().into(),
        SCHEMA_ATTR_OAUTH2_ALLOW_LOCALHOST_REDIRECT_DL4
            .clone()
            .into(),
        // DL5
        // DL6
        SCHEMA_ATTR_LIMIT_SEARCH_MAX_RESULTS_DL6.clone().into(),
        SCHEMA_ATTR_LIMIT_SEARCH_MAX_FILTER_TEST_DL6.clone().into(),
        SCHEMA_ATTR_KEY_INTERNAL_DATA_DL6.clone().into(),
        SCHEMA_ATTR_KEY_PROVIDER_DL6.clone().into(),
        SCHEMA_ATTR_KEY_ACTION_ROTATE_DL6.clone().into(),
        SCHEMA_ATTR_KEY_ACTION_REVOKE_DL6.clone().into(),
        SCHEMA_ATTR_KEY_ACTION_IMPORT_JWS_ES256_DL6.clone().into(),
        // DL7
        SCHEMA_ATTR_PATCH_LEVEL_DL7.clone().into(),
        SCHEMA_ATTR_DOMAIN_DEVELOPMENT_TAINT_DL7.clone().into(),
        SCHEMA_ATTR_CERTIFICATE_DL7.clone().into(),
        SCHEMA_ATTR_OAUTH2_RS_ORIGIN_DL7.clone().into(),
        SCHEMA_ATTR_OAUTH2_STRICT_REDIRECT_URI_DL7.clone().into(),
        SCHEMA_ATTR_MAIL_DL7.clone().into(),
        SCHEMA_ATTR_LEGALNAME_DL7.clone().into(),
        SCHEMA_ATTR_DISPLAYNAME_DL7.clone().into(),
        // DL8
        SCHEMA_ATTR_LINKED_GROUP_DL8.clone().into(),
        SCHEMA_ATTR_APPLICATION_PASSWORD_DL8.clone().into(),
        SCHEMA_ATTR_ALLOW_PRIMARY_CRED_FALLBACK_DL8.clone().into(),
        // DL9
        SCHEMA_ATTR_DOMAIN_ALLOW_EASTER_EGGS_DL9.clone().into(),
        // DL10
        SCHEMA_ATTR_DENIED_NAME_DL10.clone().into(),
        SCHEMA_ATTR_LDAP_MAXIMUM_QUERYABLE_ATTRIBUTES.clone().into(),
        // NOTE(review): carries a `_DL6` suffix but is listed under the DL10
        // marker — confirm the grouping is intentional.
        SCHEMA_ATTR_KEY_ACTION_IMPORT_JWS_RS256_DL6.clone().into(),
        // DL11
        SCHEMA_ATTR_APPLICATION_URL.clone().into(),
        // DL12
        SCHEMA_ATTR_IMAGE.clone().into(),
        SCHEMA_ATTR_OAUTH2_DEVICE_FLOW_ENABLE.clone().into(),
        SCHEMA_ATTR_MESSAGE_TEMPLATE.clone().into(),
        SCHEMA_ATTR_SEND_AFTER.clone().into(),
        SCHEMA_ATTR_DELETE_AFTER.clone().into(),
        SCHEMA_ATTR_SENT_AT.clone().into(),
        SCHEMA_ATTR_MAIL_DESTINATION.clone().into(),
        SCHEMA_ATTR_OAUTH2_ACCOUNT_PROVIDER.clone().into(),
        SCHEMA_ATTR_OAUTH2_ACCOUNT_UNIQUE_USER_ID.clone().into(),
        SCHEMA_ATTR_OAUTH2_ACCOUNT_CREDENTIAL_UUID.clone().into(),
        SCHEMA_ATTR_OAUTH2_CLIENT_ID.clone().into(),
        SCHEMA_ATTR_OAUTH2_CLIENT_SECRET.clone().into(),
        SCHEMA_ATTR_OAUTH2_AUTHORISATION_ENDPOINT.clone().into(),
        SCHEMA_ATTR_OAUTH2_TOKEN_ENDPOINT.clone().into(),
        SCHEMA_ATTR_OAUTH2_REQUEST_SCOPES.clone().into(),
        SCHEMA_ATTR_HMAC_NAME_HISTORY.clone().into(),
        SCHEMA_ATTR_ENABLED.clone().into(),
        SCHEMA_ATTR_IN_MEMORIAM.clone().into(),
    ]
}
130
/// Schema class definitions for this migration data set.
///
/// Returns each `SCHEMA_CLASS_*` constant from the sibling `schema` module
/// converted into an [`EntryInitNew`]. This runs after
/// `phase_1_schema_attrs`, presumably because the classes reference the
/// attributes declared there. The `// DLn` markers group classes by the level
/// whose suffix they carry; unsuffixed entries under a marker appear to have
/// been added at that level — confirm against the `schema` module.
///
/// Several of these classes describe key-holding objects
/// (`SCHEMA_CLASS_KEY_OBJECT_*`, `SCHEMA_CLASS_KEY_PROVIDER_*`); this
/// function only declares their schema.
pub fn phase_2_schema_classes() -> Vec<EntryInitNew> {
    vec![
        SCHEMA_CLASS_DYNGROUP.clone().into(),
        SCHEMA_CLASS_ORGPERSON.clone().into(),
        SCHEMA_CLASS_POSIXACCOUNT.clone().into(),
        SCHEMA_CLASS_POSIXGROUP.clone().into(),
        SCHEMA_CLASS_SYSTEM_CONFIG.clone().into(),
        // DL4
        SCHEMA_CLASS_OAUTH2_RS_PUBLIC_DL4.clone().into(),
        // DL5
        SCHEMA_CLASS_ACCOUNT_DL5.clone().into(),
        SCHEMA_CLASS_OAUTH2_RS_BASIC_DL5.clone().into(),
        // DL6
        SCHEMA_CLASS_GROUP_DL6.clone().into(),
        SCHEMA_CLASS_KEY_PROVIDER_DL6.clone().into(),
        SCHEMA_CLASS_KEY_PROVIDER_INTERNAL_DL6.clone().into(),
        SCHEMA_CLASS_KEY_OBJECT_DL6.clone().into(),
        SCHEMA_CLASS_KEY_OBJECT_JWT_ES256_DL6.clone().into(),
        SCHEMA_CLASS_KEY_OBJECT_JWE_A128GCM_DL6.clone().into(),
        SCHEMA_CLASS_KEY_OBJECT_INTERNAL_DL6.clone().into(),
        // DL7
        SCHEMA_CLASS_SERVICE_ACCOUNT_DL7.clone().into(),
        SCHEMA_CLASS_SYNC_ACCOUNT_DL7.clone().into(),
        SCHEMA_CLASS_CLIENT_CERTIFICATE_DL7.clone().into(),
        // DL8
        SCHEMA_CLASS_ACCOUNT_POLICY_DL8.clone().into(),
        SCHEMA_CLASS_PERSON_DL8.clone().into(),
        // DL9
        SCHEMA_CLASS_OAUTH2_RS_DL9.clone().into(),
        // DL10
        SCHEMA_CLASS_DOMAIN_INFO_DL10.clone().into(),
        SCHEMA_CLASS_KEY_OBJECT_JWT_RS256.clone().into(),
        // DL11
        SCHEMA_CLASS_APPLICATION.clone().into(),
        // DL12
        SCHEMA_CLASS_KEY_OBJECT_HKDF_S256.clone().into(),
        SCHEMA_CLASS_OUTBOUND_MESSAGE.clone().into(),
        SCHEMA_CLASS_OAUTH2_ACCOUNT.clone().into(),
        SCHEMA_CLASS_OAUTH2_CLIENT.clone().into(),
        SCHEMA_CLASS_FEATURE.clone().into(),
        SCHEMA_CLASS_MEMORIAL.clone().into(),
    ]
}
174
/// The internal key provider entry, installed in its own phase between the
/// schema classes (phase 2) and the system entries (phase 4).
///
/// The constant is already an [`EntryInitNew`], so no conversion is applied;
/// the returned vector holds exactly one element.
pub fn phase_3_key_provider() -> Vec<EntryInitNew> {
    std::iter::once(E_KEY_PROVIDER_INTERNAL_DL6.clone()).collect()
}
178
/// Core system entries: system info, domain info, system config, the domain id
/// verification key, and the HMAC name-history feature entry.
///
/// Every constant here is already an [`EntryInitNew`] (no `.into()` is
/// needed). Order is preserved as written; the phases of this module appear to
/// be applied in numeric order, so these exist before the admin accounts and
/// groups of phase 5.
pub fn phase_4_system_entries() -> Vec<EntryInitNew> {
    Vec::from([
        E_SYSTEM_INFO_V1.clone(),
        E_DOMAIN_INFO_DL6.clone(),
        E_SYSTEM_CONFIG_V1.clone(),
        E_UUID_DOMAIN_ID_VERIFICATION_KEY_V1.clone(),
        E_HMAC_NAME_HISTORY_FEATURE.clone(),
    ])
}
188
/// Built-in administrative accounts and groups, plus the anonymous account.
///
/// The element order is a load-bearing invariant, not a style choice:
/// the two admin groups are converted with `try_into()?` and the anonymous
/// account is pushed *after* them because of `entry-managed-by`.
///
/// # Errors
///
/// Returns the [`OperationError`] produced when a group constant fails its
/// `TryInto<EntryInitNew>` conversion; no entries are returned in that case.
pub fn phase_5_builtin_admin_entries() -> Result<Vec<EntryInitNew>, OperationError> {
    let mut entries: Vec<EntryInitNew> = Vec::with_capacity(5);

    // Highest-privilege accounts first.
    entries.push(BUILTIN_ACCOUNT_ADMIN.clone().into());
    entries.push(BUILTIN_ACCOUNT_IDM_ADMIN.clone().into());

    // Groups are fallible conversions; a failure aborts the whole phase.
    entries.push(BUILTIN_GROUP_SYSTEM_ADMINS_V1.clone().try_into()?);
    entries.push(BUILTIN_GROUP_IDM_ADMINS_V1.clone().try_into()?);

    // Anonymous must come *after* the groups due to entry-managed-by.
    entries.push(BUILTIN_ACCOUNT_ANONYMOUS_DL6.clone().into());

    Ok(entries)
}
199
/// Built-in non-administrative groups (role groups, service groups and the
/// aggregate high-privilege group).
///
/// Every element is converted with `try_into()?`, so the first failing
/// conversion aborts the whole phase. The order is deliberate: groups that
/// other groups depend on (e.g. a "read" group referenced by its "write"
/// counterpart) must be listed first, and `IDM_HIGH_PRIVILEGE_DL8` must come
/// after every group that is a member of it.
///
/// # Errors
///
/// Returns the [`OperationError`] from the first group constant whose
/// `TryInto<EntryInitNew>` conversion fails.
pub fn phase_6_builtin_non_admin_entries() -> Result<Vec<EntryInitNew>, OperationError> {
    Ok(vec![
        IDM_ALL_PERSONS.clone().try_into()?,
        IDM_ALL_ACCOUNTS.clone().try_into()?,
        BUILTIN_GROUP_DOMAIN_ADMINS.clone().try_into()?,
        BUILTIN_GROUP_SCHEMA_ADMINS.clone().try_into()?,
        BUILTIN_GROUP_ACCESS_CONTROL_ADMINS.clone().try_into()?,
        BUILTIN_GROUP_UNIX_ADMINS.clone().try_into()?,
        BUILTIN_GROUP_IDM_UNIX_AUTHENTICATION_READ_V1
            .clone()
            .try_into()?,
        BUILTIN_GROUP_RECYCLE_BIN_ADMINS.clone().try_into()?,
        BUILTIN_GROUP_SERVICE_DESK.clone().try_into()?,
        BUILTIN_GROUP_OAUTH2_ADMINS.clone().try_into()?,
        BUILTIN_GROUP_RADIUS_SERVICE_ADMINS.clone().try_into()?,
        BUILTIN_GROUP_ACCOUNT_POLICY_ADMINS.clone().try_into()?,
        BUILTIN_GROUP_PEOPLE_ADMINS.clone().try_into()?,
        BUILTIN_GROUP_PEOPLE_PII_READ.clone().try_into()?,
        BUILTIN_GROUP_PEOPLE_ON_BOARDING.clone().try_into()?,
        BUILTIN_GROUP_SERVICE_ACCOUNT_ADMINS.clone().try_into()?,
        BUILTIN_GROUP_MAIL_SERVICE_ADMINS_DL8.clone().try_into()?,
        IDM_GROUP_ADMINS_V1.clone().try_into()?,
        BUILTIN_IDM_RADIUS_SERVERS_V1.clone().try_into()?,
        BUILTIN_IDM_MAIL_SERVERS_DL8.clone().try_into()?,
        BUILTIN_GROUP_PEOPLE_SELF_NAME_WRITE_DL7
            .clone()
            .try_into()?,
        IDM_PEOPLE_SELF_MAIL_WRITE_DL7.clone().try_into()?,
        BUILTIN_GROUP_CLIENT_CERTIFICATE_ADMINS_DL7
            .clone()
            .try_into()?,
        BUILTIN_GROUP_APPLICATION_ADMINS_DL8.clone().try_into()?,
        BUILTIN_GROUP_MESSAGE_ADMINS.clone().try_into()?,
        BUILTIN_GROUP_MESSAGE_SENDERS.clone().try_into()?,
        BUILTIN_GROUP_OAUTH2_CLIENT_ADMINS.clone().try_into()?,
        BUILTIN_GROUP_OAUTH2_ACCOUNT_ADMINS.clone().try_into()?,
        // Write deps on read, so write must be added first.
        // All members must exist before we write HP (high privilege).
        IDM_HIGH_PRIVILEGE_DL8.clone().try_into()?,
        // Other groups with no ordering dependency on the above.
        IDM_UI_ENABLE_EXPERIMENTAL_FEATURES.clone().try_into()?,
        IDM_ACCOUNT_MAIL_READ.clone().try_into()?,
    ])
}
244
/// Built-in access control profiles (ACPs) for this migration data set.
///
/// Returns each `IDM_ACP_*` constant from the sibling `access` module
/// converted into an [`EntryInitNew`]. These profiles are the authorisation
/// surface of the server — what each built-in group may search, read, modify
/// or delete — so any addition here widens what some principal can do and
/// deserves the same review as a privilege change. The `// DLn` markers group
/// profiles by the level whose suffix they carry; unsuffixed entries under a
/// marker appear to have been added at that level.
///
/// This phase runs after the groups of phases 5 and 6, presumably because the
/// profiles reference those groups as their receivers.
pub fn phase_7_builtin_access_control_profiles() -> Vec<EntryInitNew> {
    vec![
        // Built in access controls.
        IDM_ACP_RECYCLE_BIN_SEARCH_V1.clone().into(),
        IDM_ACP_RECYCLE_BIN_REVIVE_V1.clone().into(),
        IDM_ACP_SCHEMA_WRITE_ATTRS_V1.clone().into(),
        IDM_ACP_SCHEMA_WRITE_CLASSES_V1.clone().into(),
        IDM_ACP_ACP_MANAGE_V1.clone().into(),
        IDM_ACP_GROUP_ENTRY_MANAGED_BY_MODIFY_V1.clone().into(),
        IDM_ACP_GROUP_ENTRY_MANAGER_V1.clone().into(),
        IDM_ACP_SYNC_ACCOUNT_MANAGE_V1.clone().into(),
        IDM_ACP_RADIUS_SERVERS_V1.clone().into(),
        IDM_ACP_RADIUS_SECRET_MANAGE_V1.clone().into(),
        IDM_ACP_PEOPLE_SELF_WRITE_MAIL_V1.clone().into(),
        IDM_ACP_ACCOUNT_SELF_WRITE_V1.clone().into(),
        IDM_ACP_ALL_ACCOUNTS_POSIX_READ_V1.clone().into(),
        IDM_ACP_SYSTEM_CONFIG_ACCOUNT_POLICY_MANAGE_V1
            .clone()
            .into(),
        IDM_ACP_GROUP_UNIX_MANAGE_V1.clone().into(),
        IDM_ACP_HP_GROUP_UNIX_MANAGE_V1.clone().into(),
        IDM_ACP_GROUP_READ_V1.clone().into(),
        IDM_ACP_ACCOUNT_UNIX_EXTEND_V1.clone().into(),
        IDM_ACP_PEOPLE_PII_READ_V1.clone().into(),
        IDM_ACP_PEOPLE_PII_MANAGE_V1.clone().into(),
        IDM_ACP_PEOPLE_READ_V1.clone().into(),
        IDM_ACP_PEOPLE_MANAGE_V1.clone().into(),
        IDM_ACP_PEOPLE_DELETE_V1.clone().into(),
        IDM_ACP_PEOPLE_CREDENTIAL_RESET_V1.clone().into(),
        IDM_ACP_HP_PEOPLE_CREDENTIAL_RESET_V1.clone().into(),
        IDM_ACP_SERVICE_ACCOUNT_CREATE_V1.clone().into(),
        IDM_ACP_SERVICE_ACCOUNT_DELETE_V1.clone().into(),
        IDM_ACP_SERVICE_ACCOUNT_ENTRY_MANAGER_V1.clone().into(),
        IDM_ACP_SERVICE_ACCOUNT_ENTRY_MANAGED_BY_MODIFY_V1
            .clone()
            .into(),
        IDM_ACP_HP_SERVICE_ACCOUNT_ENTRY_MANAGED_BY_MODIFY_V1
            .clone()
            .into(),
        IDM_ACP_SERVICE_ACCOUNT_MANAGE_V1.clone().into(),
        // DL4
        // DL5
        // DL6
        IDM_ACP_PEOPLE_CREATE_DL6.clone().into(),
        IDM_ACP_ACCOUNT_MAIL_READ_DL6.clone().into(),
        // DL7
        IDM_ACP_SELF_NAME_WRITE_DL7.clone().into(),
        IDM_ACP_HP_CLIENT_CERTIFICATE_MANAGER_DL7.clone().into(),
        // DL8
        IDM_ACP_SELF_READ_DL8.clone().into(),
        IDM_ACP_SELF_WRITE_DL8.clone().into(),
        IDM_ACP_APPLICATION_MANAGE_DL8.clone().into(),
        IDM_ACP_APPLICATION_ENTRY_MANAGER_DL8.clone().into(),
        IDM_ACP_MAIL_SERVERS_DL8.clone().into(),
        IDM_ACP_GROUP_ACCOUNT_POLICY_MANAGE_DL8.clone().into(),
        // DL9
        IDM_ACP_GROUP_MANAGE_DL9.clone().into(),
        IDM_ACP_DOMAIN_ADMIN_DL9.clone().into(),
        // DL10
        IDM_ACP_OAUTH2_MANAGE.clone().into(),
        // DL12
        IDM_ACP_MESSAGE_MANAGE.clone().into(),
        IDM_ACP_MESSAGE_SENDER.clone().into(),
        IDM_ACP_OAUTH2_CLIENT_ADMIN.clone().into(),
        IDM_ACP_OAUTH2_ACCOUNT_ENROL.clone().into(),
    ]
}
312
/// UUIDs of entries that this migration data set removes.
///
/// Currently a single entry: the schema attribute identified by
/// [`UUID_SCHEMA_ATTR_EC_KEY_PRIVATE`]. Judging by its name that attribute
/// carried EC private key material, so its removal is presumably a cleanup of
/// a superseded key-storage attribute — confirm against the `constants`
/// module before relying on that reading.
pub fn phase_8_delete_uuids() -> Vec<Uuid> {
    Vec::from([UUID_SCHEMA_ATTR_EC_KEY_PRIVATE])
}