
1//! Schema Entries
2use crate::constants::entries::{Attribute, EntryClass};
3use crate::constants::uuids::*;
4use crate::schema::{SchemaAttribute, SchemaClass};
5use crate::value::SyntaxType;
6
7lazy_static!(
8
/// Schema entry for `Attribute::DisplayName`: an indexed, sync-allowed
/// `Utf8String` holding the publicly visible display name of a person.
pub static ref SCHEMA_ATTR_DISPLAYNAME_DL7: SchemaAttribute = SchemaAttribute {
    name: Attribute::DisplayName,
    uuid: UUID_SCHEMA_ATTR_DISPLAYNAME,
    syntax: SyntaxType::Utf8String,
    indexed: true,
    sync_allowed: true,
    description: String::from("The publicly visible display name of this person"),
    ..SchemaAttribute::default()
};
18
/// Schema entry for `Attribute::Mail`: indexed, unique, multivalued and
/// sync-allowed, using the `EmailAddress` syntax.
pub static ref SCHEMA_ATTR_MAIL_DL7: SchemaAttribute = SchemaAttribute {
    name: Attribute::Mail,
    uuid: UUID_SCHEMA_ATTR_MAIL,
    syntax: SyntaxType::EmailAddress,
    indexed: true,
    unique: true,
    multivalue: true,
    sync_allowed: true,
    description: String::from("Mail addresses of the object"),
    ..SchemaAttribute::default()
};
30
/// Schema entry for `Attribute::SshPublicKey`: a multivalued, sync-allowed
/// attribute with the `SshKey` syntax (public key material only).
pub static ref SCHEMA_ATTR_SSH_PUBLICKEY: SchemaAttribute = SchemaAttribute {
    name: Attribute::SshPublicKey,
    uuid: UUID_SCHEMA_ATTR_SSH_PUBLICKEY,
    syntax: SyntaxType::SshKey,
    multivalue: true,
    sync_allowed: true,
    description: String::from("SSH public keys of the object"),
    ..SchemaAttribute::default()
};
41
/// Schema entry for `Attribute::PrimaryCredential`: indexed and sync-allowed,
/// stored with the `Credential` syntax.
pub static ref SCHEMA_ATTR_PRIMARY_CREDENTIAL: SchemaAttribute = SchemaAttribute {
    name: Attribute::PrimaryCredential,
    uuid: UUID_SCHEMA_ATTR_PRIMARY_CREDENTIAL,
    syntax: SyntaxType::Credential,
    indexed: true,
    sync_allowed: true,
    description: String::from("Primary credential material of the account for authentication interactively"),
    ..SchemaAttribute::default()
};
51
/// Schema entry for `Attribute::LegalName`: indexed, sync-allowed `Utf8String`.
/// The description marks this value as private and sensitive.
pub static ref SCHEMA_ATTR_LEGALNAME_DL7: SchemaAttribute = SchemaAttribute {
    name: Attribute::LegalName,
    uuid: UUID_SCHEMA_ATTR_LEGALNAME,
    syntax: SyntaxType::Utf8String,
    indexed: true,
    sync_allowed: true,
    description: String::from("The private and sensitive legal name of this person"),
    ..SchemaAttribute::default()
};
61
/// Schema entry for `Attribute::NameHistory`: indexed, multivalued and
/// sync-allowed, using the `AuditLogString` syntax.
pub static ref SCHEMA_ATTR_NAME_HISTORY: SchemaAttribute = SchemaAttribute {
    name: Attribute::NameHistory,
    uuid: UUID_SCHEMA_ATTR_NAME_HISTORY,
    syntax: SyntaxType::AuditLogString,
    indexed: true,
    multivalue: true,
    sync_allowed: true,
    description: String::from("The history of names that a person has had"),
    ..SchemaAttribute::default()
};
72
/// Schema entry for `Attribute::RadiusSecret`: a sync-allowed, non-indexed
/// value stored with the `SecretUtf8String` syntax.
pub static ref SCHEMA_ATTR_RADIUS_SECRET: SchemaAttribute = SchemaAttribute {
    name: Attribute::RadiusSecret,
    uuid: UUID_SCHEMA_ATTR_RADIUS_SECRET,
    syntax: SyntaxType::SecretUtf8String,
    sync_allowed: true,
    description: String::from("The accounts generated radius secret for device network authentication"),
    ..SchemaAttribute::default()
};
81
/// Schema entry for `Attribute::DomainName`: an indexed, unique
/// `Utf8StringIname` value.
pub static ref SCHEMA_ATTR_DOMAIN_NAME: SchemaAttribute = SchemaAttribute {
    name: Attribute::DomainName,
    uuid: UUID_SCHEMA_ATTR_DOMAIN_NAME,
    syntax: SyntaxType::Utf8StringIname,
    indexed: true,
    unique: true,
    description: String::from("The domain's DNS name for webauthn and SPN generation purposes"),
    ..SchemaAttribute::default()
};
91
/// Schema entry for `Attribute::LdapAllowUnixPwBind`: a `Boolean` toggle,
/// explicitly non-unique.
pub static ref SCHEMA_ATTR_LDAP_ALLOW_UNIX_PW_BIND: SchemaAttribute = SchemaAttribute {
    name: Attribute::LdapAllowUnixPwBind,
    uuid: UUID_SCHEMA_ATTR_LDAP_ALLOW_UNIX_PW_BIND,
    syntax: SyntaxType::Boolean,
    unique: false,
    description: String::from("Configuration to enable binds to LDAP objects using their UNIX password"),
    ..SchemaAttribute::default()
};
100
/// Schema entry for `Attribute::DomainLdapBasedn`: a unique
/// `Utf8StringInsensitive` value.
pub static ref SCHEMA_ATTR_DOMAIN_LDAP_BASEDN: SchemaAttribute = SchemaAttribute {
    name: Attribute::DomainLdapBasedn,
    uuid: UUID_SCHEMA_ATTR_DOMAIN_LDAP_BASEDN,
    syntax: SyntaxType::Utf8StringInsensitive,
    unique: true,
    description: String::from("The domain's optional ldap basedn. If unset defaults to domain components of domain name"),
    ..SchemaAttribute::default()
};
109
/// Schema entry for `Attribute::LdapMaxQueryableAttrs`: a single-valued,
/// sync-allowed `Uint32` resource limit for LDAP queries.
pub static ref SCHEMA_ATTR_LDAP_MAXIMUM_QUERYABLE_ATTRIBUTES: SchemaAttribute = SchemaAttribute {
    name: Attribute::LdapMaxQueryableAttrs,
    uuid: UUID_SCHEMA_ATTR_LDAP_MAXIMUM_QUERYABLE_ATTRIBUTES,
    syntax: SyntaxType::Uint32,
    multivalue: false,
    sync_allowed: true,
    description: String::from("The maximum number of LDAP attributes that can be queried in one operation"),
    ..SchemaAttribute::default()
};
119
/// Schema entry for `Attribute::DomainDisplayName`: an indexed `Utf8String`.
pub static ref SCHEMA_ATTR_DOMAIN_DISPLAY_NAME: SchemaAttribute = SchemaAttribute {
    name: Attribute::DomainDisplayName,
    uuid: UUID_SCHEMA_ATTR_DOMAIN_DISPLAY_NAME,
    syntax: SyntaxType::Utf8String,
    indexed: true,
    description: String::from("The user-facing display name of the Kanidm domain"),
    ..SchemaAttribute::default()
};
128
/// Schema entry for `Attribute::DomainUuid`: an indexed, unique `Uuid`.
pub static ref SCHEMA_ATTR_DOMAIN_UUID: SchemaAttribute = SchemaAttribute {
    name: Attribute::DomainUuid,
    uuid: UUID_SCHEMA_ATTR_DOMAIN_UUID,
    syntax: SyntaxType::Uuid,
    indexed: true,
    unique: true,
    description: String::from("The domain's uuid, used in CSN and trust relationships"),
    ..SchemaAttribute::default()
};
138
/// Schema entry for `Attribute::DomainSsid`: an indexed, unique `Utf8String`.
pub static ref SCHEMA_ATTR_DOMAIN_SSID: SchemaAttribute = SchemaAttribute {
    name: Attribute::DomainSsid,
    uuid: UUID_SCHEMA_ATTR_DOMAIN_SSID,
    syntax: SyntaxType::Utf8String,
    indexed: true,
    unique: true,
    description: String::from("The domains site-wide SSID for device autoconfiguration of wireless"),
    ..SchemaAttribute::default()
};
148
/// Schema entry for `Attribute::DeniedName`: a multivalued `Utf8StringIname`
/// list of names that may not be used as 'name'.
pub static ref SCHEMA_ATTR_DENIED_NAME_DL10: SchemaAttribute = SchemaAttribute {
    name: Attribute::DeniedName,
    uuid: UUID_SCHEMA_ATTR_DENIED_NAME,
    syntax: SyntaxType::Utf8StringIname,
    multivalue: true,
    description: String::from("Iname values that are not allowed to be used in 'name'."),
    ..SchemaAttribute::default()
};
157
/// Schema entry for `Attribute::DomainTokenKey`: a `SecretUtf8String` whose
/// own description marks it as not used.
pub static ref SCHEMA_ATTR_DOMAIN_TOKEN_KEY: SchemaAttribute = SchemaAttribute {
    name: Attribute::DomainTokenKey,
    uuid: UUID_SCHEMA_ATTR_DOMAIN_TOKEN_KEY,
    syntax: SyntaxType::SecretUtf8String,
    description: String::from("The domain token encryption private key (NOT USED)"),
    ..SchemaAttribute::default()
};
165
/// Schema entry for `Attribute::FernetPrivateKeyStr`: the token encryption
/// private key, stored with the `SecretUtf8String` syntax.
pub static ref SCHEMA_ATTR_FERNET_PRIVATE_KEY_STR: SchemaAttribute = SchemaAttribute {
    name: Attribute::FernetPrivateKeyStr,
    uuid: UUID_SCHEMA_ATTR_FERNET_PRIVATE_KEY_STR,
    syntax: SyntaxType::SecretUtf8String,
    description: String::from("The token encryption private key"),
    ..SchemaAttribute::default()
};
174
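/// Schema entry for `Attribute::GidNumber`: an indexed, unique, sync-allowed
/// `Uint32` used as both the group id and the posix uid of an entry.
pub static ref SCHEMA_ATTR_GIDNUMBER: SchemaAttribute = SchemaAttribute {
    uuid: UUID_SCHEMA_ATTR_GIDNUMBER,
    name: Attribute::GidNumber,
    // The original literal had a stray ".to_string()" captured inside the
    // description text ("account.to_string(). This ..."); the sentence is now
    // what was evidently intended.
    description: "The groupid (uid) number of a group or account. This is the same value as the UID number on posix accounts for security reasons".to_string(),
    indexed: true,
    unique: true,
    sync_allowed: true,
    syntax: SyntaxType::Uint32,
    ..Default::default()
};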
185
/// Schema entry for `Attribute::BadlistPassword`: a multivalued
/// `Utf8StringInsensitive` denylist of passwords.
pub static ref SCHEMA_ATTR_BADLIST_PASSWORD: SchemaAttribute = SchemaAttribute {
    name: Attribute::BadlistPassword,
    uuid: UUID_SCHEMA_ATTR_BADLIST_PASSWORD,
    syntax: SyntaxType::Utf8StringInsensitive,
    multivalue: true,
    description: String::from("A password that is badlisted meaning that it can not be set as a valid password by any user account"),
    ..SchemaAttribute::default()
};
194
/// Schema entry for `Attribute::AuthSessionExpiry`: a `Uint32` expiry for
/// authentication sessions.
pub static ref SCHEMA_ATTR_AUTH_SESSION_EXPIRY: SchemaAttribute = SchemaAttribute {
    name: Attribute::AuthSessionExpiry,
    uuid: UUID_SCHEMA_ATTR_AUTH_SESSION_EXPIRY,
    syntax: SyntaxType::Uint32,
    description: String::from("An expiration time for an authentication session"),
    ..SchemaAttribute::default()
};
202
/// Schema entry for `Attribute::PrivilegeExpiry`: a `Uint32` expiry for
/// privileged (re-authenticated) sessions.
pub static ref SCHEMA_ATTR_AUTH_PRIVILEGE_EXPIRY: SchemaAttribute = SchemaAttribute {
    name: Attribute::PrivilegeExpiry,
    uuid: UUID_SCHEMA_ATTR_AUTH_PRIVILEGE_EXPIRY,
    syntax: SyntaxType::Uint32,
    description: String::from("An expiration time for a privileged authentication session"),
    ..SchemaAttribute::default()
};
210
/// Schema entry for `Attribute::AuthPasswordMinimumLength`: a `Uint32`
/// password-policy value.
pub static ref SCHEMA_ATTR_AUTH_PASSWORD_MINIMUM_LENGTH: SchemaAttribute = SchemaAttribute {
    name: Attribute::AuthPasswordMinimumLength,
    uuid: UUID_SCHEMA_ATTR_AUTH_PASSWORD_MINIMUM_LENGTH,
    syntax: SyntaxType::Uint32,
    description: String::from("Minimum length of passwords"),
    ..SchemaAttribute::default()
};
218
/// Schema entry for `Attribute::LoginShell`: a sync-allowed
/// `Utf8StringInsensitive` value.
pub static ref SCHEMA_ATTR_LOGINSHELL: SchemaAttribute = SchemaAttribute {
    name: Attribute::LoginShell,
    uuid: UUID_SCHEMA_ATTR_LOGINSHELL,
    syntax: SyntaxType::Utf8StringInsensitive,
    sync_allowed: true,
    description: String::from("A POSIX user's UNIX login shell"),
    ..SchemaAttribute::default()
};
227
/// Schema entry for `Attribute::UnixPassword`: an indexed value stored with
/// the `Credential` syntax.
pub static ref SCHEMA_ATTR_UNIX_PASSWORD: SchemaAttribute = SchemaAttribute {
    name: Attribute::UnixPassword,
    uuid: UUID_SCHEMA_ATTR_UNIX_PASSWORD,
    syntax: SyntaxType::Credential,
    indexed: true,
    description: String::from("A POSIX user's UNIX login password"),
    ..SchemaAttribute::default()
};
236
/// Schema entry for `Attribute::NsUniqueId`: indexed, unique and sync-allowed,
/// using the `NsUniqueId` syntax for 389-ds/dsee compatibility.
pub static ref SCHEMA_ATTR_NSUNIQUEID: SchemaAttribute = SchemaAttribute {
    name: Attribute::NsUniqueId,
    uuid: UUID_SCHEMA_ATTR_NSUNIQUEID,
    syntax: SyntaxType::NsUniqueId,
    indexed: true,
    unique: true,
    sync_allowed: true,
    description: String::from("A unique id compatibility for 389-ds/dsee"),
    ..SchemaAttribute::default()
};
247
/// Schema entry for `Attribute::AccountExpire`: a sync-allowed `DateTime`
/// after which the account may no longer authenticate.
pub static ref SCHEMA_ATTR_ACCOUNT_EXPIRE: SchemaAttribute = SchemaAttribute {
    name: Attribute::AccountExpire,
    uuid: UUID_SCHEMA_ATTR_ACCOUNT_EXPIRE,
    syntax: SyntaxType::DateTime,
    sync_allowed: true,
    description: String::from("The datetime after which this account no longer may authenticate"),
    ..SchemaAttribute::default()
};
256
/// Schema entry for `Attribute::AccountValidFrom`: a sync-allowed `DateTime`
/// before which the account may not authenticate.
pub static ref SCHEMA_ATTR_ACCOUNT_VALID_FROM: SchemaAttribute = SchemaAttribute {
    name: Attribute::AccountValidFrom,
    uuid: UUID_SCHEMA_ATTR_ACCOUNT_VALID_FROM,
    syntax: SyntaxType::DateTime,
    sync_allowed: true,
    description: String::from("The datetime after which this account may commence authenticating"),
    ..SchemaAttribute::default()
};
265
/// Schema entry for `Attribute::WebauthnAttestationCaList`: a multivalued
/// `WebauthnAttestationCaList` restricting which authenticators are accepted.
pub static ref SCHEMA_ATTR_WEBAUTHN_ATTESTATION_CA_LIST: SchemaAttribute = SchemaAttribute {
    name: Attribute::WebauthnAttestationCaList,
    uuid: UUID_SCHEMA_ATTR_WEBAUTHN_ATTESTATION_CA_LIST,
    syntax: SyntaxType::WebauthnAttestationCaList,
    multivalue: true,
    description: String::from("A set of CA's that limit devices that can be used with webauthn"),
    ..SchemaAttribute::default()
};
274
/// Schema entry for `Attribute::OAuth2RsName`: an indexed, unique
/// `Utf8StringIname`.
pub static ref SCHEMA_ATTR_OAUTH2_RS_NAME: SchemaAttribute = SchemaAttribute {
    name: Attribute::OAuth2RsName,
    uuid: UUID_SCHEMA_ATTR_OAUTH2_RS_NAME,
    syntax: SyntaxType::Utf8StringIname,
    indexed: true,
    unique: true,
    description: String::from("The unique name of an external Oauth2 resource"),
    ..SchemaAttribute::default()
};
284
/// Schema entry for `Attribute::OAuth2RsOrigin`: a multivalued `Url`.
pub static ref SCHEMA_ATTR_OAUTH2_RS_ORIGIN_DL7: SchemaAttribute = SchemaAttribute {
    name: Attribute::OAuth2RsOrigin,
    uuid: UUID_SCHEMA_ATTR_OAUTH2_RS_ORIGIN,
    syntax: SyntaxType::Url,
    multivalue: true,
    description: String::from("The origin domain of an OAuth2 client"),
    ..SchemaAttribute::default()
};
293
/// Schema entry for `Attribute::OAuth2RsOriginLanding`: a single `Url`.
pub static ref SCHEMA_ATTR_OAUTH2_RS_ORIGIN_LANDING: SchemaAttribute = SchemaAttribute {
    name: Attribute::OAuth2RsOriginLanding,
    uuid: UUID_SCHEMA_ATTR_OAUTH2_RS_ORIGIN_LANDING,
    syntax: SyntaxType::Url,
    description: String::from("The landing page of an RS, that will automatically trigger the auth process"),
    ..SchemaAttribute::default()
};
301
302// Introduced in DomainLevel4
/// Schema entry for `Attribute::OAuth2AllowLocalhostRedirect`: a `Boolean`
/// that relaxes redirect handling for public clients of this RS.
pub static ref SCHEMA_ATTR_OAUTH2_ALLOW_LOCALHOST_REDIRECT_DL4: SchemaAttribute = SchemaAttribute {
    name: Attribute::OAuth2AllowLocalhostRedirect,
    uuid: UUID_SCHEMA_ATTR_OAUTH2_ALLOW_LOCALHOST_REDIRECT,
    syntax: SyntaxType::Boolean,
    description: String::from("Allow public clients associated to this RS to redirect to localhost"),
    ..SchemaAttribute::default()
};
310
/// Schema entry for `Attribute::OAuth2RsClaimMap`: indexed and multivalued,
/// using the `OauthClaimMap` syntax.
pub static ref SCHEMA_ATTR_OAUTH2_RS_CLAIM_MAP_DL4: SchemaAttribute = SchemaAttribute {
    name: Attribute::OAuth2RsClaimMap,
    uuid: UUID_SCHEMA_ATTR_OAUTH2_RS_CLAIM_MAP,
    // CHANGE ME (marker carried over from the original definition)
    syntax: SyntaxType::OauthClaimMap,
    indexed: true,
    multivalue: true,
    description: String::from("A set of custom claims mapped to group memberships of accounts"),
    ..SchemaAttribute::default()
};
321
/// Schema entry for `Attribute::OAuth2RsScopeMap`: indexed and multivalued,
/// using the `OauthScopeMap` syntax.
pub static ref SCHEMA_ATTR_OAUTH2_RS_SCOPE_MAP: SchemaAttribute = SchemaAttribute {
    name: Attribute::OAuth2RsScopeMap,
    uuid: UUID_SCHEMA_ATTR_OAUTH2_RS_SCOPE_MAP,
    syntax: SyntaxType::OauthScopeMap,
    indexed: true,
    multivalue: true,
    description: String::from("A reference to a group mapped to scopes for the associated oauth2 resource server"),
    ..SchemaAttribute::default()
};
331
/// Schema entry for `Attribute::OAuth2RsSupScopeMap`: indexed and multivalued,
/// using the `OauthScopeMap` syntax. Its description text is identical to
/// that of `SCHEMA_ATTR_OAUTH2_RS_SCOPE_MAP`.
pub static ref SCHEMA_ATTR_OAUTH2_RS_SUP_SCOPE_MAP: SchemaAttribute = SchemaAttribute {
    name: Attribute::OAuth2RsSupScopeMap,
    uuid: UUID_SCHEMA_ATTR_OAUTH2_RS_SUP_SCOPE_MAP,
    syntax: SyntaxType::OauthScopeMap,
    indexed: true,
    multivalue: true,
    description: String::from("A reference to a group mapped to scopes for the associated oauth2 resource server"),
    ..SchemaAttribute::default()
};
341
/// Schema entry for `Attribute::OAuth2RsBasicSecret`: the RS basic-auth
/// secret, stored with the `SecretUtf8String` syntax.
pub static ref SCHEMA_ATTR_OAUTH2_RS_BASIC_SECRET: SchemaAttribute = SchemaAttribute {
    name: Attribute::OAuth2RsBasicSecret,
    uuid: UUID_SCHEMA_ATTR_OAUTH2_RS_BASIC_SECRET,
    syntax: SyntaxType::SecretUtf8String,
    description: String::from("When using oauth2 basic authentication, the secret string of the resource server"),
    ..SchemaAttribute::default()
};
349
/// Schema entry for `Attribute::OAuth2RsTokenKey`: the RS token signing key,
/// stored with the `SecretUtf8String` syntax.
pub static ref SCHEMA_ATTR_OAUTH2_RS_TOKEN_KEY: SchemaAttribute = SchemaAttribute {
    name: Attribute::OAuth2RsTokenKey,
    uuid: UUID_SCHEMA_ATTR_OAUTH2_RS_TOKEN_KEY,
    syntax: SyntaxType::SecretUtf8String,
    description: String::from("An oauth2 resource servers unique token signing key"),
    ..SchemaAttribute::default()
};
357
/// Schema entry for `Attribute::OAuth2RsImplicitScopes`: a multivalued
/// `OauthScope` list granted to every user of the RS.
pub static ref SCHEMA_ATTR_OAUTH2_RS_IMPLICIT_SCOPES: SchemaAttribute = SchemaAttribute {
    name: Attribute::OAuth2RsImplicitScopes,
    uuid: UUID_SCHEMA_ATTR_OAUTH2_RS_IMPLICIT_SCOPES,
    syntax: SyntaxType::OauthScope,
    multivalue: true,
    description: String::from("An oauth2 resource servers scopes that are implicitly granted to all users"),
    ..SchemaAttribute::default()
};
366
/// Schema entry for `Attribute::OAuth2ConsentScopeMap`: indexed and
/// multivalued, using the `OauthScopeMap` syntax to record user consent.
pub static ref SCHEMA_ATTR_OAUTH2_CONSENT_SCOPE_MAP: SchemaAttribute = SchemaAttribute {
    name: Attribute::OAuth2ConsentScopeMap,
    uuid: UUID_SCHEMA_ATTR_OAUTH2_CONSENT_SCOPE_MAP,
    syntax: SyntaxType::OauthScopeMap,
    indexed: true,
    multivalue: true,
    description: String::from("A set of scopes mapped from a relying server to a user, where the user has previously consented to the following. If changed or deleted, consent will be re-sought"),
    ..SchemaAttribute::default()
};
376
/// Schema entry for `Attribute::OAuth2StrictRedirectUri`: a `Boolean`
/// controlling strict redirect uri enforcement.
pub static ref SCHEMA_ATTR_OAUTH2_STRICT_REDIRECT_URI_DL7: SchemaAttribute = SchemaAttribute {
    name: Attribute::OAuth2StrictRedirectUri,
    uuid: UUID_SCHEMA_ATTR_OAUTH2_STRICT_REDIRECT_URI,
    syntax: SyntaxType::Boolean,
    description: String::from("Represents if strict redirect uri enforcement is enabled."),
    ..SchemaAttribute::default()
};
384
385
/// Schema entry for `Attribute::Es256PrivateKeyDer`: an es256 private key
/// stored with the `PrivateBinary` syntax.
pub static ref SCHEMA_ATTR_ES256_PRIVATE_KEY_DER: SchemaAttribute = SchemaAttribute {
    name: Attribute::Es256PrivateKeyDer,
    uuid: UUID_SCHEMA_ATTR_ES256_PRIVATE_KEY_DER,
    syntax: SyntaxType::PrivateBinary,
    description: String::from("An es256 private key"),
    ..SchemaAttribute::default()
};
393
/// Schema entry for `Attribute::Rs256PrivateKeyDer`: an rs256 private key
/// stored with the `PrivateBinary` syntax.
pub static ref SCHEMA_ATTR_RS256_PRIVATE_KEY_DER: SchemaAttribute = SchemaAttribute {
    name: Attribute::Rs256PrivateKeyDer,
    uuid: UUID_SCHEMA_ATTR_RS256_PRIVATE_KEY_DER,
    syntax: SyntaxType::PrivateBinary,
    description: String::from("An rs256 private key"),
    ..SchemaAttribute::default()
};
401
/// Schema entry for `Attribute::JwsEs256PrivateKey`: an indexed, unique value
/// with the `JwsKeyEs256` syntax.
pub static ref SCHEMA_ATTR_JWS_ES256_PRIVATE_KEY: SchemaAttribute = SchemaAttribute {
    name: Attribute::JwsEs256PrivateKey,
    uuid: UUID_SCHEMA_ATTR_JWS_ES256_PRIVATE_KEY,
    syntax: SyntaxType::JwsKeyEs256,
    indexed: true,
    unique: true,
    description: String::from("An es256 private key for jws"),
    ..SchemaAttribute::default()
};
411
412// TO BE REMOVED IN A FUTURE RELEASE
/// Schema entry for `Attribute::PrivateCookieKey`: a cookie hmac key stored
/// with the `PrivateBinary` syntax (slated for removal per the note above).
pub static ref SCHEMA_ATTR_PRIVATE_COOKIE_KEY: SchemaAttribute = SchemaAttribute {
    name: Attribute::PrivateCookieKey,
    uuid: UUID_SCHEMA_ATTR_PRIVATE_COOKIE_KEY,
    syntax: SyntaxType::PrivateBinary,
    description: String::from("An private cookie hmac key"),
    ..SchemaAttribute::default()
};
420
/// Schema entry for `Attribute::OAuth2AllowInsecureClientDisablePkce`: a
/// `Boolean` that, when set, lets a client opt out of PKCE. The description
/// itself labels such clients as insecure, so this should stay unset unless
/// the client genuinely cannot use PKCE.
pub static ref SCHEMA_ATTR_OAUTH2_ALLOW_INSECURE_CLIENT_DISABLE_PKCE: SchemaAttribute = SchemaAttribute {
    name: Attribute::OAuth2AllowInsecureClientDisablePkce,
    uuid: UUID_SCHEMA_ATTR_OAUTH2_ALLOW_INSECURE_CLIENT_DISABLE_PKCE,
    syntax: SyntaxType::Boolean,
    description: String::from("Allows disabling of PKCE for insecure OAuth2 clients"),
    ..SchemaAttribute::default()
};
428
/// Schema entry for `Attribute::OAuth2JwtLegacyCryptoEnable`: a `Boolean`
/// enabling legacy JWT cryptography for a client.
pub static ref SCHEMA_ATTR_OAUTH2_JWT_LEGACY_CRYPTO_ENABLE: SchemaAttribute = SchemaAttribute {
    name: Attribute::OAuth2JwtLegacyCryptoEnable,
    uuid: UUID_SCHEMA_ATTR_OAUTH2_JWT_LEGACY_CRYPTO_ENABLE,
    syntax: SyntaxType::Boolean,
    description: String::from("Allows enabling legacy JWT cryptograhpy for clients"),
    ..SchemaAttribute::default()
};
436
/// Schema entry for `Attribute::CredentialUpdateIntentToken`: indexed and
/// multivalued, using the `IntentToken` syntax.
pub static ref SCHEMA_ATTR_CREDENTIAL_UPDATE_INTENT_TOKEN: SchemaAttribute = SchemaAttribute {
    name: Attribute::CredentialUpdateIntentToken,
    uuid: UUID_SCHEMA_ATTR_CREDENTIAL_UPDATE_INTENT_TOKEN,
    syntax: SyntaxType::IntentToken,
    indexed: true,
    multivalue: true,
    description: String::from("The status of a credential update intent token"),
    ..SchemaAttribute::default()
};
446
/// Schema entry for `Attribute::PassKeys`: indexed, multivalued and
/// sync-allowed, using the `Passkey` syntax.
pub static ref SCHEMA_ATTR_PASSKEYS: SchemaAttribute = SchemaAttribute {
    name: Attribute::PassKeys,
    uuid: UUID_SCHEMA_ATTR_PASSKEYS,
    syntax: SyntaxType::Passkey,
    indexed: true,
    multivalue: true,
    sync_allowed: true,
    description: String::from("A set of registered passkeys"),
    ..SchemaAttribute::default()
};
457
/// Schema entry for `Attribute::AttestedPasskeys`: indexed, multivalued and
/// sync-allowed, using the `AttestedPasskey` syntax.
pub static ref SCHEMA_ATTR_ATTESTED_PASSKEYS: SchemaAttribute = SchemaAttribute {
    name: Attribute::AttestedPasskeys,
    uuid: UUID_SCHEMA_ATTR_ATTESTED_PASSKEYS,
    syntax: SyntaxType::AttestedPasskey,
    indexed: true,
    multivalue: true,
    sync_allowed: true,
    description: String::from("A set of registered device keys"),
    ..SchemaAttribute::default()
};
468
/// Schema entry for `Attribute::DynGroupFilter`: a `JsonFilter` selecting the
/// members of a dynamic group.
pub static ref SCHEMA_ATTR_DYNGROUP_FILTER: SchemaAttribute = SchemaAttribute {
    name: Attribute::DynGroupFilter,
    uuid: UUID_SCHEMA_ATTR_DYNGROUP_FILTER,
    syntax: SyntaxType::JsonFilter,
    description: String::from("A filter describing the set of entries to add to a dynamic group"),
    ..SchemaAttribute::default()
};
476
/// Schema entry for `Attribute::OAuth2PreferShortUsername`: a `Boolean`
/// selecting 'name' over 'spn' for the preferred_username claim.
pub static ref SCHEMA_ATTR_OAUTH2_PREFER_SHORT_USERNAME: SchemaAttribute = SchemaAttribute {
    name: Attribute::OAuth2PreferShortUsername,
    uuid: UUID_SCHEMA_ATTR_OAUTH2_PREFER_SHORT_USERNAME,
    syntax: SyntaxType::Boolean,
    description: String::from("Use 'name' instead of 'spn' in the preferred_username claim"),
    ..SchemaAttribute::default()
};
484
/// Schema entry for `Attribute::ApiTokenSession`: indexed, unique and
/// multivalued, using the `ApiToken` syntax.
pub static ref SCHEMA_ATTR_API_TOKEN_SESSION: SchemaAttribute = SchemaAttribute {
    name: Attribute::ApiTokenSession,
    uuid: UUID_SCHEMA_ATTR_API_TOKEN_SESSION,
    syntax: SyntaxType::ApiToken,
    indexed: true,
    unique: true,
    multivalue: true,
    description: String::from("A session entry related to an issued API token"),
    ..SchemaAttribute::default()
};
495
/// Schema entry for `Attribute::UserAuthTokenSession`: indexed, unique and
/// multivalued, using the `Session` syntax.
pub static ref SCHEMA_ATTR_USER_AUTH_TOKEN_SESSION: SchemaAttribute = SchemaAttribute {
    name: Attribute::UserAuthTokenSession,
    uuid: UUID_SCHEMA_ATTR_USER_AUTH_TOKEN_SESSION,
    syntax: SyntaxType::Session,
    indexed: true,
    unique: true,
    multivalue: true,
    description: String::from("A session entry related to an issued user auth token"),
    ..SchemaAttribute::default()
};
506
/// Schema entry for `Attribute::OAuth2Session`: indexed and multivalued,
/// using the `Oauth2Session` syntax.
pub static ref SCHEMA_ATTR_OAUTH2_SESSION: SchemaAttribute = SchemaAttribute {
    name: Attribute::OAuth2Session,
    uuid: UUID_SCHEMA_ATTR_OAUTH2_SESSION,
    syntax: SyntaxType::Oauth2Session,
    indexed: true,
    multivalue: true,
    description: String::from("A session entry to an active oauth2 session, bound to a parent user auth token"),
    ..SchemaAttribute::default()
};
516
/// Schema entry for `Attribute::SyncTokenSession`: indexed and unique,
/// using the `ApiToken` syntax.
pub static ref SCHEMA_ATTR_SYNC_TOKEN_SESSION: SchemaAttribute = SchemaAttribute {
    name: Attribute::SyncTokenSession,
    uuid: UUID_SCHEMA_ATTR_SYNC_TOKEN_SESSION,
    syntax: SyntaxType::ApiToken,
    indexed: true,
    unique: true,
    description: String::from("A session entry related to an issued sync token"),
    ..SchemaAttribute::default()
};
526
/// Schema entry for `Attribute::SyncCookie`: a `PrivateBinary` sync cookie.
pub static ref SCHEMA_ATTR_SYNC_COOKIE: SchemaAttribute = SchemaAttribute {
    name: Attribute::SyncCookie,
    uuid: UUID_SCHEMA_ATTR_SYNC_COOKIE,
    syntax: SyntaxType::PrivateBinary,
    description: String::from("A private sync cookie for a remote IDM source"),
    ..SchemaAttribute::default()
};
534
/// Schema entry for `Attribute::GrantUiHint`: indexed and multivalued,
/// using the `UiHint` syntax.
pub static ref SCHEMA_ATTR_GRANT_UI_HINT: SchemaAttribute = SchemaAttribute {
    name: Attribute::GrantUiHint,
    uuid: UUID_SCHEMA_ATTR_GRANT_UI_HINT,
    syntax: SyntaxType::UiHint,
    indexed: true,
    multivalue: true,
    description: String::from("A UI hint that is granted via membership to a group"),
    ..SchemaAttribute::default()
};
544
/// Schema entry for `Attribute::SyncCredentialPortal`: a single `Url`.
pub static ref SCHEMA_ATTR_SYNC_CREDENTIAL_PORTAL: SchemaAttribute = SchemaAttribute {
    name: Attribute::SyncCredentialPortal,
    uuid: UUID_SCHEMA_ATTR_SYNC_CREDENTIAL_PORTAL,
    syntax: SyntaxType::Url,
    description: String::from("The url of an external credential portal for synced accounts to visit to update their credentials"),
    ..SchemaAttribute::default()
};
552
/// Schema entry for `Attribute::SyncYieldAuthority`: a multivalued
/// `Utf8StringInsensitive` list of attribute names.
pub static ref SCHEMA_ATTR_SYNC_YIELD_AUTHORITY: SchemaAttribute = SchemaAttribute {
    name: Attribute::SyncYieldAuthority,
    uuid: UUID_SCHEMA_ATTR_SYNC_YIELD_AUTHORITY,
    syntax: SyntaxType::Utf8StringInsensitive,
    multivalue: true,
    description: String::from("A set of attributes that have their authority yielded to Kanidm in a sync agreement"),
    ..SchemaAttribute::default()
};
561
/// Schema entry for `Attribute::CredentialTypeMinimum`: a single-valued
/// `CredentialType` policy floor.
pub static ref SCHEMA_ATTR_CREDENTIAL_TYPE_MINIMUM: SchemaAttribute = SchemaAttribute {
    name: Attribute::CredentialTypeMinimum,
    uuid: UUID_SCHEMA_ATTR_CREDENTIAL_TYPE_MINIMUM,
    syntax: SyntaxType::CredentialType,
    multivalue: false,
    description: String::from("The minimum level of credential type that can satisfy this policy"),
    ..SchemaAttribute::default()
};
570
/// Schema entry for `Attribute::LimitSearchMaxResults`: a single-valued
/// `Uint32` search result limit.
pub static ref SCHEMA_ATTR_LIMIT_SEARCH_MAX_RESULTS_DL6: SchemaAttribute = SchemaAttribute {
    name: Attribute::LimitSearchMaxResults,
    uuid: UUID_SCHEMA_ATTR_LIMIT_SEARCH_MAX_RESULTS,
    syntax: SyntaxType::Uint32,
    multivalue: false,
    description: String::from("The maximum number of query results that may be returned in a single operation"),
    ..SchemaAttribute::default()
};
579
/// Schema entry for `Attribute::LimitSearchMaxFilterTest`: a single-valued
/// `Uint32` bound on entries examined by partially indexed queries.
pub static ref SCHEMA_ATTR_LIMIT_SEARCH_MAX_FILTER_TEST_DL6: SchemaAttribute = SchemaAttribute {
    name: Attribute::LimitSearchMaxFilterTest,
    uuid: UUID_SCHEMA_ATTR_LIMIT_SEARCH_MAX_FILTER_TEST,
    syntax: SyntaxType::Uint32,
    multivalue: false,
    description: String::from("The maximum number of entries that may be examined in a partially indexed query"),
    ..SchemaAttribute::default()
};
588
/// Schema entry for `Attribute::KeyInternalData`: multivalued `KeyInternal`
/// data. The description is intentionally left empty here.
pub static ref SCHEMA_ATTR_KEY_INTERNAL_DATA_DL6: SchemaAttribute = SchemaAttribute {
    name: Attribute::KeyInternalData,
    uuid: UUID_SCHEMA_ATTR_KEY_INTERNAL_DATA,
    syntax: SyntaxType::KeyInternal,
    multivalue: true,
    description: String::new(),
    ..SchemaAttribute::default()
};
597
/// Schema entry for `Attribute::KeyProvider`: a single-valued, indexed
/// `ReferenceUuid`. The description is empty.
pub static ref SCHEMA_ATTR_KEY_PROVIDER_DL6: SchemaAttribute = SchemaAttribute {
    name: Attribute::KeyProvider,
    uuid: UUID_SCHEMA_ATTR_KEY_PROVIDER,
    syntax: SyntaxType::ReferenceUuid,
    indexed: true,
    multivalue: false,
    description: String::new(),
    ..SchemaAttribute::default()
};
607
/// Schema entry for `Attribute::KeyActionRotate`: a single-valued, phantom
/// `DateTime` representing an ephemeral rotate action. The description is empty.
pub static ref SCHEMA_ATTR_KEY_ACTION_ROTATE_DL6: SchemaAttribute = SchemaAttribute {
    name: Attribute::KeyActionRotate,
    uuid: UUID_SCHEMA_ATTR_KEY_ACTION_ROTATE,
    syntax: SyntaxType::DateTime,
    multivalue: false,
    // This is an ephemeral action, not persisted data.
    phantom: true,
    description: String::new(),
    ..SchemaAttribute::default()
};
618
/// Schema entry for `Attribute::KeyActionRevoke`: a multivalued, phantom
/// `HexString` representing an ephemeral revoke action. The description is empty.
pub static ref SCHEMA_ATTR_KEY_ACTION_REVOKE_DL6: SchemaAttribute = SchemaAttribute {
    name: Attribute::KeyActionRevoke,
    uuid: UUID_SCHEMA_ATTR_KEY_ACTION_REVOKE,
    syntax: SyntaxType::HexString,
    multivalue: true,
    // This is an ephemeral action, not persisted data.
    phantom: true,
    description: String::new(),
    ..SchemaAttribute::default()
};
629
/// Schema entry for `Attribute::KeyActionImportJwsEs256`: a multivalued,
/// phantom `PrivateBinary` import action. The description is empty.
pub static ref SCHEMA_ATTR_KEY_ACTION_IMPORT_JWS_ES256_DL6: SchemaAttribute = SchemaAttribute {
    name: Attribute::KeyActionImportJwsEs256,
    uuid: UUID_SCHEMA_ATTR_KEY_ACTION_IMPORT_JWS_ES256,
    syntax: SyntaxType::PrivateBinary,
    multivalue: true,
    // This is an ephemeral action, not persisted data.
    phantom: true,
    description: String::new(),
    ..SchemaAttribute::default()
};
640
/// Schema entry for `Attribute::KeyActionImportJwsRs256`: a multivalued,
/// phantom `PrivateBinary` import action. The description is empty.
pub static ref SCHEMA_ATTR_KEY_ACTION_IMPORT_JWS_RS256_DL6: SchemaAttribute = SchemaAttribute {
    name: Attribute::KeyActionImportJwsRs256,
    uuid: UUID_SCHEMA_ATTR_KEY_ACTION_IMPORT_JWS_RS256,
    syntax: SyntaxType::PrivateBinary,
    multivalue: true,
    // This is an ephemeral action, not persisted data.
    phantom: true,
    description: String::new(),
    ..SchemaAttribute::default()
};
651
/// Schema entry for `Attribute::PatchLevel`: a `Uint32` with an empty
/// description.
pub static ref SCHEMA_ATTR_PATCH_LEVEL_DL7: SchemaAttribute = SchemaAttribute {
    name: Attribute::PatchLevel,
    uuid: UUID_SCHEMA_ATTR_PATCH_LEVEL,
    syntax: SyntaxType::Uint32,
    description: String::new(),
    ..SchemaAttribute::default()
};
659
/// Schema entry for `Attribute::DomainDevelopmentTaint`: a `Boolean` flag
/// recording that a development build has touched the domain.
pub static ref SCHEMA_ATTR_DOMAIN_DEVELOPMENT_TAINT_DL7: SchemaAttribute = SchemaAttribute {
    name: Attribute::DomainDevelopmentTaint,
    uuid: UUID_SCHEMA_ATTR_DOMAIN_DEVELOPMENT_TAINT,
    syntax: SyntaxType::Boolean,
    description: String::from("A flag to show that the domain has been run on a development build, and will need additional work to upgrade/migrate."),
    ..SchemaAttribute::default()
};
667
/// Schema entry for `Attribute::DomainAllowEasterEggs`: a `Boolean` toggle.
pub static ref SCHEMA_ATTR_DOMAIN_ALLOW_EASTER_EGGS_DL9: SchemaAttribute = SchemaAttribute {
    name: Attribute::DomainAllowEasterEggs,
    uuid: UUID_SCHEMA_ATTR_DOMAIN_ALLOW_EASTER_EGGS,
    syntax: SyntaxType::Boolean,
    description: String::from("A flag to enable easter eggs in the server that may not always be wanted by all users/deployments."),
    ..SchemaAttribute::default()
};
675
/// Schema entry for `Attribute::Image`: a single value with the `Image` syntax.
pub static ref SCHEMA_ATTR_IMAGE: SchemaAttribute = SchemaAttribute {
    name: Attribute::Image,
    uuid: UUID_SCHEMA_ATTR_IMAGE,
    syntax: SyntaxType::Image,
    description: String::from("An image for display to end users."),
    ..SchemaAttribute::default()
};
683
/// Schema entry for `Attribute::OAuth2DeviceFlowEnable`: a `Boolean` toggle
/// for the OAuth2 Device Flow on a client.
pub static ref SCHEMA_ATTR_OAUTH2_DEVICE_FLOW_ENABLE: SchemaAttribute = SchemaAttribute {
    name: Attribute::OAuth2DeviceFlowEnable,
    uuid: UUID_SCHEMA_ATTR_OAUTH2_DEVICE_FLOW_ENABLE,
    syntax: SyntaxType::Boolean,
    description: String::from("Enable the OAuth2 Device Flow for this client."),
    ..SchemaAttribute::default()
};
691
/// Schema entry for `Attribute::LinkedGroup`: a single-valued, indexed
/// `ReferenceUuid`.
pub static ref SCHEMA_ATTR_LINKED_GROUP_DL8: SchemaAttribute = SchemaAttribute {
    name: Attribute::LinkedGroup,
    uuid: UUID_SCHEMA_ATTR_LINKED_GROUP,
    syntax: SyntaxType::ReferenceUuid,
    indexed: true,
    multivalue: false,
    description: String::from("A reference linking a group to an entry"),
    ..SchemaAttribute::default()
};
701
/// Schema entry for `Attribute::AllowPrimaryCredFallback`: a single-valued
/// `Boolean` permitting fallback to the primary password when no POSIX
/// password is set.
pub static ref SCHEMA_ATTR_ALLOW_PRIMARY_CRED_FALLBACK_DL8: SchemaAttribute = SchemaAttribute {
    name: Attribute::AllowPrimaryCredFallback,
    uuid: UUID_SCHEMA_ATTR_ALLOW_PRIMARY_CRED_FALLBACK,
    syntax: SyntaxType::Boolean,
    multivalue: false,
    description: String::from("Allow fallback to primary password if no POSIX password exists"),
    ..SchemaAttribute::default()
};
710
/// Schema entry for `Attribute::Certificate`: a single-valued `Certificate`.
pub static ref SCHEMA_ATTR_CERTIFICATE_DL7: SchemaAttribute = SchemaAttribute {
    name: Attribute::Certificate,
    uuid: UUID_SCHEMA_ATTR_CERTIFICATE,
    syntax: SyntaxType::Certificate,
    multivalue: false,
    description: String::from("An x509 Certificate"),
    ..SchemaAttribute::default()
};
719
/// Schema entry for `Attribute::ApplicationPassword`: indexed and
/// multivalued, using the `ApplicationPassword` syntax.
pub static ref SCHEMA_ATTR_APPLICATION_PASSWORD_DL8: SchemaAttribute = SchemaAttribute {
    name: Attribute::ApplicationPassword,
    uuid: UUID_SCHEMA_ATTR_APPLICATION_PASSWORD,
    syntax: SyntaxType::ApplicationPassword,
    indexed: true,
    multivalue: true,
    description: String::from("A set of application passwords"),
    ..SchemaAttribute::default()
};
729
/// Schema entry for `Attribute::ApplicationUrl`: a single `Url`.
pub static ref SCHEMA_ATTR_APPLICATION_URL: SchemaAttribute = SchemaAttribute {
    name: Attribute::ApplicationUrl,
    uuid: UUID_SCHEMA_ATTR_APPLICATION_URL,
    syntax: SyntaxType::Url,
    description: String::from("The URL of an external application"),
    ..SchemaAttribute::default()
};
737
/// Schema entry for `Attribute::MessageTemplate`: a value with the `Message`
/// syntax holding a named template plus substitution fields.
pub static ref SCHEMA_ATTR_MESSAGE_TEMPLATE: SchemaAttribute = SchemaAttribute {
    name: Attribute::MessageTemplate,
    uuid: UUID_SCHEMA_ATTR_MESSAGE_TEMPLATE,
    syntax: SyntaxType::Message,
    description: String::from("A JSON object containing the named message template and fields related to a message that can be substituted into the template."),
    ..SchemaAttribute::default()
};
745
/// Schema entry for `Attribute::SendAfter`: an indexed `DateTime` gating
/// message release.
pub static ref SCHEMA_ATTR_SEND_AFTER: SchemaAttribute = SchemaAttribute {
    name: Attribute::SendAfter,
    uuid: UUID_SCHEMA_ATTR_SEND_AFTER,
    syntax: SyntaxType::DateTime,
    indexed: true,
    description: String::from("The datetime after which this message is allowed to be released to the destination"),
    ..SchemaAttribute::default()
};
754
/// Schema entry for `Attribute::DeleteAfter`: an indexed `DateTime` after
/// which the entry is to be deleted.
pub static ref SCHEMA_ATTR_DELETE_AFTER: SchemaAttribute = SchemaAttribute {
    name: Attribute::DeleteAfter,
    uuid: UUID_SCHEMA_ATTR_DELETE_AFTER,
    syntax: SyntaxType::DateTime,
    indexed: true,
    description: String::from("The datetime after which this entry will be deleted."),
    ..SchemaAttribute::default()
};
763
/// Schema entry for `Attribute::SentAt`: an indexed `DateTime` recording when
/// a message was sent.
pub static ref SCHEMA_ATTR_SENT_AT: SchemaAttribute = SchemaAttribute {
    name: Attribute::SentAt,
    uuid: UUID_SCHEMA_ATTR_SENT_AT,
    syntax: SyntaxType::DateTime,
    indexed: true,
    description: String::from("The datetime when this message was sent."),
    ..SchemaAttribute::default()
};
772
/// Schema entry for `Attribute::MailDestination`: a multivalued
/// `EmailAddress` list of message recipients.
pub static ref SCHEMA_ATTR_MAIL_DESTINATION: SchemaAttribute = SchemaAttribute {
    name: Attribute::MailDestination,
    uuid: UUID_SCHEMA_ATTR_MAIL_DESTINATION,
    syntax: SyntaxType::EmailAddress,
    multivalue: true,
    description: String::from("The destination addresses that will recieve this message."),
    ..SchemaAttribute::default()
};
781
782
/// Schema entry for `Attribute::OAuth2AccountProvider`: a `ReferenceUuid`
/// pointing at the OAuth2 client that authenticates this entry.
pub static ref SCHEMA_ATTR_OAUTH2_ACCOUNT_PROVIDER: SchemaAttribute = SchemaAttribute {
    name: Attribute::OAuth2AccountProvider,
    uuid: UUID_SCHEMA_ATTR_OAUTH2_ACCOUNT_PROVIDER,
    syntax: SyntaxType::ReferenceUuid,
    description: String::from("The reference to the OAuth2 client that provides authentication for this entry."),
    ..SchemaAttribute::default()
};
790
/// Schema entry for `Attribute::OAuth2AccountCredentialUuid`: a `Uuid` used
/// for session tracking of OAuth2-based authentication.
pub static ref SCHEMA_ATTR_OAUTH2_ACCOUNT_CREDENTIAL_UUID: SchemaAttribute = SchemaAttribute {
    name: Attribute::OAuth2AccountCredentialUuid,
    uuid: UUID_SCHEMA_ATTR_OAUTH2_ACCOUNT_CREDENTIAL_UUID,
    syntax: SyntaxType::Uuid,
    description: String::from("The uuid of this credential for session tracking when OAuth2 is used to authenticate."),
    ..SchemaAttribute::default()
};
798
// The subject identifier the remote OAuth2 provider uses for this account.
// NOTE(review): this attribute is neither `unique` nor `indexed` in this schema, so the
// schema alone does not stop two local entries from claiming the same remote id. If login
// resolves a remote id to a local account, confirm where the one-to-one mapping is enforced.
pub static ref SCHEMA_ATTR_OAUTH2_ACCOUNT_UNIQUE_USER_ID: SchemaAttribute = SchemaAttribute {
    uuid: UUID_SCHEMA_ATTR_OAUTH2_ACCOUNT_UNIQUE_USER_ID,
    name: Attribute::OAuth2AccountUniqueUserId,
    syntax: SyntaxType::Utf8String,
    description: "The unique user id of this account as known by the remote OAuth2 provider.".to_string(),
    ..Default::default()
};
806
// Public client identifier this server presents to an upstream OAuth2 provider
// (the outbound-client role; required by the OAuth2Client class below).
pub static ref SCHEMA_ATTR_OAUTH2_CLIENT_ID: SchemaAttribute = SchemaAttribute {
    uuid: UUID_SCHEMA_ATTR_OAUTH2_CLIENT_ID,
    name: Attribute::OAuth2ClientId,
    syntax: SyntaxType::Utf8String,
    description: "The OAuth2 Client ID".to_string(),
    ..Default::default()
};
814
// Shared secret used with the upstream OAuth2 provider. Stored with plain Utf8String
// syntax rather than a secret syntax, so whatever read protection it gets must come from
// the access-control profiles on this attribute (not visible in this file — confirm that
// reads are restricted to the components that perform the token exchange).
// TODO: a secret type that CAN be imported externally may be needed; the current secret
// string type denies external modification, which is why Utf8String is used here.
pub static ref SCHEMA_ATTR_OAUTH2_CLIENT_SECRET: SchemaAttribute = SchemaAttribute {
    uuid: UUID_SCHEMA_ATTR_OAUTH2_CLIENT_SECRET,
    name: Attribute::OAuth2ClientSecret,
    syntax: SyntaxType::Utf8String,
    description: "The OAuth2 Client Secret".to_string(),
    ..Default::default()
};
824
// Authorisation endpoint of the upstream provider; Url syntax gives parse-time validation
// of the value. Whether a non-https scheme is rejected is decided by the syntax, not here.
pub static ref SCHEMA_ATTR_OAUTH2_AUTHORISATION_ENDPOINT: SchemaAttribute = SchemaAttribute {
    uuid: UUID_SCHEMA_ATTR_OAUTH2_AUTHORISATION_ENDPOINT,
    name: Attribute::OAuth2AuthorisationEndpoint,
    syntax: SyntaxType::Url,
    description: "The authorisation url of the OAuth2 provider".to_string(),
    ..Default::default()
};
832
// Token endpoint of the upstream provider; the client secret above is presented here.
// Url syntax, same validation caveat as the authorisation endpoint.
pub static ref SCHEMA_ATTR_OAUTH2_TOKEN_ENDPOINT: SchemaAttribute = SchemaAttribute {
    uuid: UUID_SCHEMA_ATTR_OAUTH2_TOKEN_ENDPOINT,
    name: Attribute::OAuth2TokenEndpoint,
    syntax: SyntaxType::Url,
    description: "The token url of the OAuth2 provider".to_string(),
    ..Default::default()
};
840
// Scopes this server asks the upstream provider for. Multi-valued, validated as
// OauthScope syntax; required on the OAuth2Client class.
pub static ref SCHEMA_ATTR_OAUTH2_REQUEST_SCOPES: SchemaAttribute = SchemaAttribute {
    uuid: UUID_SCHEMA_ATTR_OAUTH2_REQUEST_SCOPES,
    name: Attribute::OAuth2RequestScopes,
    syntax: SyntaxType::OauthScope,
    multivalue: true,
    description: "The set of scopes to request during OAuth2 authorisation requests.".to_string(),
    ..Default::default()
};
849
// HMAC digests of every name an entry has carried, kept so names are not re-used without
// storing the names in clear. Multi-valued, indexed, and `unique`, so the same digest can
// not be present on two entries at once. Carried by the Account class and retained by the
// Memorial class after an entry is deleted (both defined below).
pub static ref SCHEMA_ATTR_HMAC_NAME_HISTORY: SchemaAttribute = SchemaAttribute {
    uuid: UUID_SCHEMA_ATTR_HMAC_NAME_HISTORY,
    name: Attribute::HmacNameHistory,
    syntax: SyntaxType::Sha256,
    multivalue: true,
    unique: true,
    indexed: true,
    description: "The set of all names used on an entry, HMACed to preserve privacy.".to_string(),
    ..Default::default()
};
860
// Uuid of the deleted entry a memorial stands in for; indexed so a memorial can be found
// from the original uuid. Note the constant name `UUID_SCHEMA_ATTR_IN_MEMORIAM_UUID`
// follows a different pattern from the other attribute uuid constants in this file.
pub static ref SCHEMA_ATTR_IN_MEMORIAM: SchemaAttribute = SchemaAttribute {
    uuid: UUID_SCHEMA_ATTR_IN_MEMORIAM_UUID,
    name: Attribute::InMemoriam,
    syntax: SyntaxType::Uuid,
    indexed: true,
    description: "The uuid of the entry that this memorial is dedicated to.".to_string(),
    ..Default::default()
};
869
// Boolean on/off switch for a Feature entry. `multivalue: false` is spelled out here
// although every other single-valued attribute in this file relies on the default —
// presumably the same value, but the Default impl is not visible on this page.
pub static ref SCHEMA_ATTR_ENABLED: SchemaAttribute = SchemaAttribute {
    uuid: UUID_SCHEMA_ATTR_ENABLED,
    name: Attribute::Enabled,
    syntax: SyntaxType::Boolean,
    multivalue: false,
    description: "A flag describing if a feature is enabled or disabled.".to_string(),
    ..Default::default()
};
878
879// === classes ===
// A human principal. Most of the may-list is credential or session material
// (PrimaryCredential, PassKeys, AttestedPasskeys, SshPublicKey, RadiusSecret,
// ApplicationPassword and the session attributes), so read access to these attributes
// should be as narrow as the access-control profiles allow — those live elsewhere.
// A person can never also be a ServiceAccount or an Application.
pub static ref SCHEMA_CLASS_PERSON_DL8: SchemaClass = SchemaClass {
    uuid: UUID_SCHEMA_CLASS_PERSON,
    name: EntryClass::Person.into(),
    description: "Object representation of a person".to_string(),
    sync_allowed: true,
    systemmust: vec![Attribute::Name],
    systemmay: vec![
        Attribute::PrimaryCredential,
        Attribute::PassKeys,
        Attribute::AttestedPasskeys,
        Attribute::CredentialUpdateIntentToken,
        Attribute::SshPublicKey,
        Attribute::RadiusSecret,
        Attribute::OAuth2ConsentScopeMap,
        Attribute::UserAuthTokenSession,
        Attribute::OAuth2Session,
        Attribute::Mail,
        Attribute::LegalName,
        Attribute::ApplicationPassword,
    ],
    systemexcludes: vec![
        EntryClass::ServiceAccount.into(),
        EntryClass::Application.into(),
    ],
    ..Default::default()
};
906
// Marker class for a Person whose authentication is delegated to an upstream OAuth2
// provider. All three linking attributes are mandatory, so an entry cannot carry the
// marker without naming its provider, its remote id and its credential uuid.
// NOTE(review): the description reads "that an can use" — a word (presumably "account")
// is missing. Left byte-for-byte because it is a stored string.
pub static ref SCHEMA_CLASS_OAUTH2_ACCOUNT: SchemaClass = SchemaClass {
    uuid: UUID_SCHEMA_CLASS_OAUTH2_ACCOUNT,
    name: EntryClass::OAuth2Account.into(),
    description: "Marker class designating that an can use OAuth2 for authentication.".to_string(),
    sync_allowed: true,
    systemmust: vec![
        Attribute::OAuth2AccountProvider,
        Attribute::OAuth2AccountUniqueUserId,
        // The "credential id" that links this trust relationship to a session.
        Attribute::OAuth2AccountCredentialUuid,
    ],
    systemsupplements: vec![EntryClass::Person.into()],
    ..Default::default()
};
921
// Organisational person: requires a mail address, display name and name; legal name is
// optional. No supplements or excludes are declared here.
pub static ref SCHEMA_CLASS_ORGPERSON: SchemaClass = SchemaClass {
    uuid: UUID_SCHEMA_CLASS_ORGPERSON,
    name: EntryClass::OrgPerson.into(),
    description: "Object representation of an org person".to_string(),
    systemmust: vec![
        Attribute::Mail,
        Attribute::DisplayName,
        Attribute::Name,
    ],
    systemmay: vec![Attribute::LegalName],
    ..Default::default()
};
937
// A static group. Only the Spn is mandatory; membership, UI hints, description, mail
// and name are optional. Sync-allowed, so an external source may manage these entries.
pub static ref SCHEMA_CLASS_GROUP_DL6: SchemaClass = SchemaClass {
    uuid: UUID_SCHEMA_CLASS_GROUP,
    name: EntryClass::Group.into(),
    description: "Object representation of a group".to_string(),
    sync_allowed: true,
    systemmust: vec![Attribute::Spn],
    systemmay: vec![
        Attribute::Member,
        Attribute::GrantUiHint,
        Attribute::Description,
        Attribute::Mail,
        Attribute::Name,
    ],
    ..Default::default()
};
956
// Filter-driven group: the filter is mandatory, the computed DynMember set optional.
// Supplements Group, so a dyngroup entry is always also a Group.
pub static ref SCHEMA_CLASS_DYNGROUP: SchemaClass = SchemaClass {
    uuid: UUID_SCHEMA_CLASS_DYNGROUP,
    name: EntryClass::DynGroup.into(),
    description: "Object representation of a dynamic group".to_string(),
    systemmust: vec![
        Attribute::DynGroupFilter,
    ],
    systemmay: vec![
        Attribute::DynMember,
    ],
    systemsupplements: vec![
        EntryClass::Group.into(),
    ],
    ..Default::default()
};
967
// Account policy attached to a group and applied to its members. Every knob is optional;
// several of them relax or tighten authentication (CredentialTypeMinimum,
// AllowPrimaryCredFallback, WebauthnAttestationCaList), so write access to entries of this
// class is security-sensitive — the governing access-control profiles are not on this page.
pub static ref SCHEMA_CLASS_ACCOUNT_POLICY_DL8: SchemaClass = SchemaClass {
    uuid: UUID_SCHEMA_CLASS_ACCOUNT_POLICY,
    name: EntryClass::AccountPolicy.into(),
    description: "Policies applied to accounts that are members of a group".to_string(),
    systemmay: vec![
        Attribute::AuthSessionExpiry,
        Attribute::PrivilegeExpiry,
        Attribute::AuthPasswordMinimumLength,
        Attribute::CredentialTypeMinimum,
        Attribute::WebauthnAttestationCaList,
        Attribute::LimitSearchMaxResults,
        Attribute::LimitSearchMaxFilterTest,
        Attribute::AllowPrimaryCredFallback,
    ],
    systemsupplements: vec![
        EntryClass::Group.into(),
    ],
    ..Default::default()
};
986
// Common account class layered under Person, ServiceAccount and OAuth2ResourceServer.
// Validity window (AccountExpire / AccountValidFrom) and the name-history attributes are
// optional; DisplayName and Spn are mandatory.
pub static ref SCHEMA_CLASS_ACCOUNT_DL5: SchemaClass = SchemaClass {
    uuid: UUID_SCHEMA_CLASS_ACCOUNT,
    name: EntryClass::Account.into(),
    description: "Object representation of an account".to_string(),
    sync_allowed: true,
    systemmust: vec![
        Attribute::DisplayName,
        Attribute::Spn,
    ],
    systemmay: vec![
        Attribute::AccountExpire,
        Attribute::AccountValidFrom,
        Attribute::NameHistory,
        Attribute::HmacNameHistory,
    ],
    systemsupplements: vec![
        EntryClass::Person.into(),
        EntryClass::ServiceAccount.into(),
        EntryClass::OAuth2ResourceServer.into(),
    ],
    ..Default::default()
};
1010
// Non-human account. Like Person it may hold credential and session material
// (SshPublicKey, PrimaryCredential, ApiTokenSession, UserAuthTokenSession, OAuth2Session),
// with the same access-control caveat. Mutually exclusive with Person.
pub static ref SCHEMA_CLASS_SERVICE_ACCOUNT_DL7: SchemaClass = SchemaClass {
    uuid: UUID_SCHEMA_CLASS_SERVICE_ACCOUNT,
    name: EntryClass::ServiceAccount.into(),
    description: "Object representation of service account".to_string(),
    sync_allowed: true,
    systemmust: vec![Attribute::Name],
    systemmay: vec![
        Attribute::SshPublicKey,
        Attribute::UserAuthTokenSession,
        Attribute::OAuth2Session,
        Attribute::OAuth2ConsentScopeMap,
        Attribute::Description,
        Attribute::Mail,
        Attribute::PrimaryCredential,
        Attribute::ApiTokenSession,
    ],
    systemexcludes: vec![
        EntryClass::Person.into(),
    ],
    ..Default::default()
};
1034
// Identity used by an external synchronisation agent. It is not an Account (explicitly
// excluded) and is not itself sync-allowed. SyncTokenSession and SyncCookie are
// credential/state material for that agent.
pub static ref SCHEMA_CLASS_SYNC_ACCOUNT_DL7: SchemaClass = SchemaClass {
    uuid: UUID_SCHEMA_CLASS_SYNC_ACCOUNT,
    name: EntryClass::SyncAccount.into(),
    description: "Object representation of sync account".to_string(),
    systemmust: vec![
        Attribute::Name,
    ],
    systemmay: vec![
        Attribute::SyncTokenSession,
        Attribute::SyncCookie,
        Attribute::SyncCredentialPortal,
        Attribute::SyncYieldAuthority,
    ],
    systemexcludes: vec![
        EntryClass::Account.into(),
    ],
    ..Default::default()
};
1050
// Singleton-style domain configuration. Name, DomainUuid, DomainName and Version are
// mandatory; the optional set includes behaviour switches such as LdapAllowUnixPwBind
// and DomainDevelopmentTaint whose effect is defined by their consumers, not here.
pub static ref SCHEMA_CLASS_DOMAIN_INFO_DL10: SchemaClass = SchemaClass {
    uuid: UUID_SCHEMA_CLASS_DOMAIN_INFO,
    name: EntryClass::DomainInfo.into(),
    description: "Local domain information and configuration".to_string(),
    systemmust: vec![
        Attribute::Name,
        Attribute::DomainUuid,
        Attribute::DomainName,
        Attribute::Version,
    ],
    systemmay: vec![
        Attribute::DomainSsid,
        Attribute::DomainLdapBasedn,
        Attribute::LdapMaxQueryableAttrs,
        Attribute::LdapAllowUnixPwBind,
        Attribute::Image,
        Attribute::PatchLevel,
        Attribute::DomainDevelopmentTaint,
        Attribute::DomainAllowEasterEggs,
        Attribute::DomainDisplayName,
    ],
    ..Default::default()
};
1075
// POSIX view of a group: adds a mandatory GidNumber on top of Group.
pub static ref SCHEMA_CLASS_POSIXGROUP: SchemaClass = SchemaClass {
    uuid: UUID_SCHEMA_CLASS_POSIXGROUP,
    name: EntryClass::PosixGroup.into(),
    description: "Object representation of a posix group, requires group".to_string(),
    sync_allowed: true,
    systemmust: vec![
        Attribute::GidNumber,
    ],
    systemsupplements: vec![
        EntryClass::Group.into(),
    ],
    ..Default::default()
};
1086
// POSIX view of an account: mandatory GidNumber, optional LoginShell and UnixPassword.
// UnixPassword is a credential; its storage form is decided by the attribute definition,
// which is not on this page.
pub static ref SCHEMA_CLASS_POSIXACCOUNT: SchemaClass = SchemaClass {
    uuid: UUID_SCHEMA_CLASS_POSIXACCOUNT,
    name: EntryClass::PosixAccount.into(),
    description: "Object representation of a posix account, requires account".to_string(),
    sync_allowed: true,
    systemmust: vec![
        Attribute::GidNumber,
    ],
    systemmay: vec![
        Attribute::LoginShell,
        Attribute::UnixPassword,
    ],
    systemsupplements: vec![
        EntryClass::Account.into(),
    ],
    ..Default::default()
};
1098
// Topology-wide configuration entry. All attributes are optional; BadlistPassword and
// DeniedName are deny-lists, AuthSessionExpiry / PrivilegeExpiry are global session limits
// (the same two attributes also appear on AccountPolicy above — precedence is resolved
// elsewhere).
pub static ref SCHEMA_CLASS_SYSTEM_CONFIG: SchemaClass = SchemaClass {
    uuid: UUID_SCHEMA_CLASS_SYSTEM_CONFIG,
    name: EntryClass::SystemConfig.into(),
    description: "The class representing a system (topologies) configuration options".to_string(),
    systemmay: vec![
        Attribute::Description,
        Attribute::BadlistPassword,
        Attribute::AuthSessionExpiry,
        Attribute::PrivilegeExpiry,
        Attribute::DeniedName,
    ],
    ..Default::default()
};
1113
// A configured OAuth2 client of this server (the "resource server" role). Landing origin
// and Name are mandatory. The trailing three may-attributes are deprecated private key
// material (Rs256PrivateKeyDer, OAuth2RsTokenKey, Es256PrivateKeyDer); keeping them in the
// schema lets old values persist on entries, so confirm they are migrated to KeyObject
// entries and dropped at a later domain level.
// NOTE(review): "epresenting" in the description is a typo; left byte-for-byte as it is
// a stored string.
pub static ref SCHEMA_CLASS_OAUTH2_RS_DL9: SchemaClass = SchemaClass {
    uuid: UUID_SCHEMA_CLASS_OAUTH2_RS,
    name: EntryClass::OAuth2ResourceServer.into(),
    description: "The class epresenting a configured OAuth2 Client".to_string(),
    systemmust: vec![
        Attribute::OAuth2RsOriginLanding,
        Attribute::Name,
    ],
    systemmay: vec![
        Attribute::Description,
        Attribute::OAuth2RsScopeMap,
        Attribute::OAuth2RsSupScopeMap,
        Attribute::OAuth2JwtLegacyCryptoEnable,
        Attribute::OAuth2PreferShortUsername,
        Attribute::Image,
        Attribute::OAuth2RsClaimMap,
        Attribute::OAuth2Session,
        Attribute::OAuth2RsOrigin,
        Attribute::OAuth2StrictRedirectUri,
        Attribute::OAuth2DeviceFlowEnable,
        // Deprecated key material, retained for compatibility with older entries.
        Attribute::Rs256PrivateKeyDer,
        Attribute::OAuth2RsTokenKey,
        Attribute::Es256PrivateKeyDer,
    ],
    ..Default::default()
};
1142
// Confidential OAuth2 client authenticating with HTTP Basic. The basic secret is
// mandatory. OAuth2AllowInsecureClientDisablePkce is an opt-in weakening of PKCE and is
// deliberately only in the may-list; a client cannot be both Basic and Public.
pub static ref SCHEMA_CLASS_OAUTH2_RS_BASIC_DL5: SchemaClass = SchemaClass {
    uuid: UUID_SCHEMA_CLASS_OAUTH2_RS_BASIC,
    name: EntryClass::OAuth2ResourceServerBasic.into(),
    description: "The class representing a configured OAuth2 client authenticated with HTTP basic authentication".to_string(),
    systemmust: vec![Attribute::OAuth2RsBasicSecret],
    systemmay: vec![Attribute::OAuth2AllowInsecureClientDisablePkce],
    systemexcludes: vec![EntryClass::OAuth2ResourceServerPublic.into()],
    ..Default::default()
};
1155
1156// Introduced in DomainLevel4
// Public OAuth2 client (no client secret; PKCE per the description). The only optional
// attribute is the localhost-redirect allowance, which loosens redirect validation and so
// should be granted per client only. Mutually exclusive with the Basic class.
pub static ref SCHEMA_CLASS_OAUTH2_RS_PUBLIC_DL4: SchemaClass = SchemaClass {
    uuid: UUID_SCHEMA_CLASS_OAUTH2_RS_PUBLIC,
    name: EntryClass::OAuth2ResourceServerPublic.into(),
    description: "The class representing a configured Public OAuth2 Client with PKCE verification".to_string(),
    systemmay: vec![
        Attribute::OAuth2AllowLocalhostRedirect,
    ],
    systemexcludes: vec![
        EntryClass::OAuth2ResourceServerBasic.into(),
    ],
    ..Default::default()
};
1166
// This server acting as a confidential client of an upstream OAuth2 provider (the inverse
// of the ResourceServer classes). Every connection parameter, including the client
// secret, is mandatory. `systemmay` is spelled out as empty here whereas the other classes
// simply omit it — presumably equivalent, but the Default impl is not on this page.
pub static ref SCHEMA_CLASS_OAUTH2_CLIENT: SchemaClass = SchemaClass {
    uuid: UUID_SCHEMA_CLASS_OAUTH2_CLIENT,
    name: EntryClass::OAuth2Client.into(),
    description: "The class representing a configured OAuth2 Confidential Client acting as an authentication source".to_string(),
    systemmay: vec![],
    systemmust: vec![
        Attribute::Name,
        Attribute::OAuth2ClientId,
        Attribute::OAuth2ClientSecret,
        Attribute::OAuth2AuthorisationEndpoint,
        Attribute::OAuth2TokenEndpoint,
        Attribute::OAuth2RequestScopes,
    ],
    ..Default::default()
};
1182
1183// =========================================
1184// KeyProviders
1185
// Base class for anything that stores keys and performs cryptographic operations.
// Only the internal provider supplements it on this page.
pub static ref SCHEMA_CLASS_KEY_PROVIDER_DL6: SchemaClass = SchemaClass {
    uuid: UUID_SCHEMA_CLASS_KEY_PROVIDER,
    name: EntryClass::KeyProvider.into(),
    description: "A provider for cryptographic key storage and operations".to_string(),
    systemmust: vec![Attribute::Name],
    systemmay: vec![Attribute::Description],
    systemsupplements: vec![EntryClass::KeyProviderInternal.into()],
    ..Default::default()
};
1201
// Marker for the built-in provider; it adds no attributes of its own.
pub static ref SCHEMA_CLASS_KEY_PROVIDER_INTERNAL_DL6: SchemaClass = SchemaClass {
    uuid: UUID_SCHEMA_CLASS_KEY_PROVIDER_INTERNAL,
    name: EntryClass::KeyProviderInternal.into(),
    description: "The Kanidm internal cryptographic key provider".to_string(),
    ..Default::default()
};
1208
1209// =========================================
1210// KeyObjects
1211
// A key object; every one must name the provider that owns it.
pub static ref SCHEMA_CLASS_KEY_OBJECT_DL6: SchemaClass = SchemaClass {
    uuid: UUID_SCHEMA_CLASS_KEY_OBJECT,
    name: EntryClass::KeyObject.into(),
    description: "A cryptographic key object that can be used by a provider".to_string(),
    systemmust: vec![Attribute::KeyProvider],
    ..Default::default()
};
1221
// Capability marker: the key object must be able to sign JWTs with ES256.
pub static ref SCHEMA_CLASS_KEY_OBJECT_JWT_ES256_DL6: SchemaClass = SchemaClass {
    uuid: UUID_SCHEMA_CLASS_KEY_OBJECT_JWT_ES256,
    name: EntryClass::KeyObjectJwtEs256.into(),
    description: "A marker class indicating that this keyobject must provide jwt es256 capability.".to_string(),
    systemsupplements: vec![EntryClass::KeyObject.into()],
    ..Default::default()
};
1231
// Capability marker: the key object must be able to sign JWTs with RS256. Unlike its
// siblings this static carries no `_DL` suffix in its name.
pub static ref SCHEMA_CLASS_KEY_OBJECT_JWT_RS256: SchemaClass = SchemaClass {
    uuid: UUID_SCHEMA_CLASS_KEY_OBJECT_JWT_RS256,
    name: EntryClass::KeyObjectJwtRs256.into(),
    description: "A marker class indicating that this keyobject must provide jwt rs256 capability.".to_string(),
    systemsupplements: vec![EntryClass::KeyObject.into()],
    ..Default::default()
};
1241
// Capability marker for JWE encryption with AES-GCM.
// NOTE(review): the class and uuid names say A128GCM while the description says
// "aes-256-gcm" — the two disagree on key size. Confirm which size the internal provider
// actually generates before correcting either the name or the stored description.
pub static ref SCHEMA_CLASS_KEY_OBJECT_JWE_A128GCM_DL6: SchemaClass = SchemaClass {
    uuid: UUID_SCHEMA_CLASS_KEY_OBJECT_JWE_A128GCM,
    name: EntryClass::KeyObjectJweA128GCM.into(),
    description: "A marker class indicating that this keyobject must provide jwe aes-256-gcm capability.".to_string(),
    systemsupplements: vec![EntryClass::KeyObject.into()],
    ..Default::default()
};
1251
// Capability marker: the key object must provide HMAC-based key derivation with SHA-256.
pub static ref SCHEMA_CLASS_KEY_OBJECT_HKDF_S256: SchemaClass = SchemaClass {
    uuid: UUID_SCHEMA_CLASS_KEY_OBJECT_HKDF_S256,
    name: EntryClass::KeyObjectHkdfS256.into(),
    description: "A marker class indicating that this keyobject must provide hmac kdf sha256 capability.".to_string(),
    systemsupplements: vec![EntryClass::KeyObject.into()],
    ..Default::default()
};
1261
// Key object backed by the internal provider. KeyInternalData is the private key material
// itself, so read access to that attribute is the sensitive part of this class; its
// protection is defined by the attribute and access-control definitions, not here.
pub static ref SCHEMA_CLASS_KEY_OBJECT_INTERNAL_DL6: SchemaClass = SchemaClass {
    uuid: UUID_SCHEMA_CLASS_KEY_OBJECT_INTERNAL,
    name: EntryClass::KeyObjectInternal.into(),
    description: "A cryptographic key object that can be used by the internal provider".to_string(),
    systemmay: vec![Attribute::KeyInternalData],
    systemsupplements: vec![EntryClass::KeyObject.into()],
    ..Default::default()
};
1274
1275// =========================================
1276
// A client-authentication certificate. Both the certificate and the `Refers` link to the
// entry it authenticates are mandatory, so a certificate entry can never be unbound.
// `systemmay` is an explicit empty list here, as on the OAuth2Client class.
pub static ref SCHEMA_CLASS_CLIENT_CERTIFICATE_DL7: SchemaClass = SchemaClass {
    uuid: UUID_SCHEMA_CLASS_CLIENT_CERTIFICATE,
    name: EntryClass::ClientCertificate.into(),
    description: "A client authentication certificate".to_string(),
    systemmust: vec![
        Attribute::Certificate,
        Attribute::Refers,
    ],
    systemmay: vec![],
    ..Default::default()
};
1288
// An application entry: must reference a LinkedGroup, may carry an ApplicationUrl, and is
// modelled as a supplement of ServiceAccount. Person excludes Application (see above).
pub static ref SCHEMA_CLASS_APPLICATION: SchemaClass = SchemaClass {
    uuid: UUID_SCHEMA_CLASS_APPLICATION,
    name: EntryClass::Application.into(),
    description: "The class representing an application".to_string(),
    systemmust: vec![
        Attribute::LinkedGroup,
    ],
    systemmay: vec![
        Attribute::ApplicationUrl,
    ],
    // Modelling note carried over from the original author: this may change before
    // release. An OAuth2 application might one day want application passwords, or
    // Application could become its own thing; service accounts only offer api tokens,
    // which may be all that is needed from them.
    systemsupplements: vec![
        EntryClass::ServiceAccount.into(),
    ],
    ..Default::default()
};
1306
1307// Messaging
1308
// A queued message for external delivery. Template, release time and expiry are
// mandatory; SentAt and MailDestination are optional. DeleteAfter being mandatory means
// every queued message has a bounded lifetime in the database.
pub static ref SCHEMA_CLASS_OUTBOUND_MESSAGE: SchemaClass = SchemaClass {
    uuid: UUID_SCHEMA_CLASS_OUTBOUND_MESSAGE,
    name: EntryClass::OutboundMessage.into(),
    description: "A class representing a message that is to be sent externally to a user in some way, generally via email.".to_string(),
    systemmust: vec![
        Attribute::MessageTemplate,
        Attribute::SendAfter,
        Attribute::DeleteAfter,
    ],
    systemmay: vec![
        Attribute::SentAt,
        Attribute::MailDestination,
    ],
    ..Default::default()
};
1326
// A feature-flag entry: Name and Description are mandatory, the Enabled boolean optional
// (so an entry with no Enabled value is possible; how that is interpreted is decided by
// the consumer, not here).
pub static ref SCHEMA_CLASS_FEATURE: SchemaClass = SchemaClass {
    uuid: UUID_SCHEMA_CLASS_FEATURE,
    name: EntryClass::Feature.into(),
    description: "The class representing the state of a feature.".to_string(),
    systemmust: vec![Attribute::Name, Attribute::Description],
    systemmay: vec![Attribute::Enabled],
    ..Default::default()
};
1340
// Tombstone-like record kept after an entry is deleted: must point at the original uuid
// and may retain the HMAC name history, which — combined with that attribute's `unique`
// flag — is what keeps a deleted entry's names from being reclaimed.
pub static ref SCHEMA_CLASS_MEMORIAL: SchemaClass = SchemaClass {
    uuid: UUID_SCHEMA_CLASS_MEMORIAL,
    name: EntryClass::Memorial.into(),
    description: "The class representing a memorial to an entry that has been deleted.".to_string(),
    systemmust: vec![Attribute::InMemoriam],
    systemmay: vec![Attribute::HmacNameHistory],
    ..Default::default()
};
1353
1354);