1mod access;
2mod accounts;
3mod groups;
4mod key_providers;
5mod schema;
6mod system_config;
8use self::access::*;
9use self::accounts::*;
10use self::groups::*;
11use self::key_providers::*;
12use self::schema::*;
13use self::system_config::*;
15use crate::prelude::EntryInitNew;
16use kanidm_proto::internal::OperationError;
/// Bootstrap phase 1: the schema *attribute* definitions.
///
/// The numbering of the `phase_*` functions suggests they are applied in
/// order by the caller; nothing in this module enforces that. The class
/// definitions of phase 2 presumably refer to the attributes returned here,
/// so this list is the natural first step.
///
/// The entries are returned in exactly the order written below. They are
/// grouped by the `_DLn` suffix of the providing constant; from the naming
/// alone that suffix looks like the domain level that introduced the
/// attribute — confirm against the `schema` module before relying on it.
///
/// Reviewer note: several attributes in this list name secrets or key
/// material (the `*_PRIVATE_KEY*`, `*_SECRET`, `PRIMARY_CREDENTIAL`,
/// `UNIX_PASSWORD`, `PRIVATE_COOKIE_KEY` family). Whether they are readable
/// or writable by anyone is not decided here but, presumably, by the
/// access-control profiles assembled in phase 7.
pub fn phase_1_schema_attrs() -> Vec<EntryInitNew> {
    // Attributes carrying no domain-level suffix.
    let base: Vec<EntryInitNew> = vec![
        SCHEMA_ATTR_SYNC_CREDENTIAL_PORTAL.clone().into(),
        SCHEMA_ATTR_SYNC_YIELD_AUTHORITY.clone().into(),
        SCHEMA_ATTR_ACCOUNT_EXPIRE.clone().into(),
        SCHEMA_ATTR_ACCOUNT_VALID_FROM.clone().into(),
        SCHEMA_ATTR_API_TOKEN_SESSION.clone().into(),
        SCHEMA_ATTR_AUTH_SESSION_EXPIRY.clone().into(),
        SCHEMA_ATTR_AUTH_PRIVILEGE_EXPIRY.clone().into(),
        SCHEMA_ATTR_AUTH_PASSWORD_MINIMUM_LENGTH.clone().into(),
        SCHEMA_ATTR_BADLIST_PASSWORD.clone().into(),
        SCHEMA_ATTR_CREDENTIAL_UPDATE_INTENT_TOKEN.clone().into(),
        SCHEMA_ATTR_ATTESTED_PASSKEYS.clone().into(),
        SCHEMA_ATTR_DOMAIN_DISPLAY_NAME.clone().into(),
        SCHEMA_ATTR_DOMAIN_LDAP_BASEDN.clone().into(),
        SCHEMA_ATTR_DOMAIN_NAME.clone().into(),
        SCHEMA_ATTR_LDAP_ALLOW_UNIX_PW_BIND.clone().into(),
        SCHEMA_ATTR_DOMAIN_SSID.clone().into(),
        SCHEMA_ATTR_DOMAIN_TOKEN_KEY.clone().into(),
        SCHEMA_ATTR_DOMAIN_UUID.clone().into(),
        SCHEMA_ATTR_DYNGROUP_FILTER.clone().into(),
        SCHEMA_ATTR_EC_KEY_PRIVATE.clone().into(),
        SCHEMA_ATTR_ES256_PRIVATE_KEY_DER.clone().into(),
        SCHEMA_ATTR_FERNET_PRIVATE_KEY_STR.clone().into(),
        SCHEMA_ATTR_GIDNUMBER.clone().into(),
        SCHEMA_ATTR_GRANT_UI_HINT.clone().into(),
        SCHEMA_ATTR_JWS_ES256_PRIVATE_KEY.clone().into(),
        SCHEMA_ATTR_LOGINSHELL.clone().into(),
        SCHEMA_ATTR_NAME_HISTORY.clone().into(),
        SCHEMA_ATTR_NSUNIQUEID.clone().into(),
        SCHEMA_ATTR_OAUTH2_ALLOW_INSECURE_CLIENT_DISABLE_PKCE
            .clone()
            .into(),
        SCHEMA_ATTR_OAUTH2_CONSENT_SCOPE_MAP.clone().into(),
        SCHEMA_ATTR_OAUTH2_JWT_LEGACY_CRYPTO_ENABLE.clone().into(),
        SCHEMA_ATTR_OAUTH2_PREFER_SHORT_USERNAME.clone().into(),
        SCHEMA_ATTR_OAUTH2_RS_BASIC_SECRET.clone().into(),
        SCHEMA_ATTR_OAUTH2_RS_IMPLICIT_SCOPES.clone().into(),
        SCHEMA_ATTR_OAUTH2_RS_NAME.clone().into(),
        SCHEMA_ATTR_OAUTH2_RS_ORIGIN_LANDING.clone().into(),
        SCHEMA_ATTR_OAUTH2_RS_SCOPE_MAP.clone().into(),
        SCHEMA_ATTR_OAUTH2_RS_SUP_SCOPE_MAP.clone().into(),
        SCHEMA_ATTR_OAUTH2_RS_TOKEN_KEY.clone().into(),
        SCHEMA_ATTR_OAUTH2_SESSION.clone().into(),
        SCHEMA_ATTR_PASSKEYS.clone().into(),
        SCHEMA_ATTR_PRIMARY_CREDENTIAL.clone().into(),
        SCHEMA_ATTR_PRIVATE_COOKIE_KEY.clone().into(),
        SCHEMA_ATTR_RADIUS_SECRET.clone().into(),
        SCHEMA_ATTR_RS256_PRIVATE_KEY_DER.clone().into(),
        SCHEMA_ATTR_SSH_PUBLICKEY.clone().into(),
        SCHEMA_ATTR_SYNC_COOKIE.clone().into(),
        SCHEMA_ATTR_SYNC_TOKEN_SESSION.clone().into(),
        SCHEMA_ATTR_UNIX_PASSWORD.clone().into(),
        SCHEMA_ATTR_USER_AUTH_TOKEN_SESSION.clone().into(),
        SCHEMA_ATTR_DENIED_NAME.clone().into(),
        SCHEMA_ATTR_CREDENTIAL_TYPE_MINIMUM.clone().into(),
        SCHEMA_ATTR_WEBAUTHN_ATTESTATION_CA_LIST.clone().into(),
    ];

    // `_DL4` suffix.
    let dl4: Vec<EntryInitNew> = vec![
        SCHEMA_ATTR_OAUTH2_RS_CLAIM_MAP_DL4.clone().into(),
        SCHEMA_ATTR_OAUTH2_ALLOW_LOCALHOST_REDIRECT_DL4
            .clone()
            .into(),
    ];

    // `_DL6` suffix: search limits and the key-provider attributes.
    let dl6: Vec<EntryInitNew> = vec![
        SCHEMA_ATTR_LIMIT_SEARCH_MAX_RESULTS_DL6.clone().into(),
        SCHEMA_ATTR_LIMIT_SEARCH_MAX_FILTER_TEST_DL6.clone().into(),
        SCHEMA_ATTR_KEY_INTERNAL_DATA_DL6.clone().into(),
        SCHEMA_ATTR_KEY_PROVIDER_DL6.clone().into(),
        SCHEMA_ATTR_KEY_ACTION_ROTATE_DL6.clone().into(),
        SCHEMA_ATTR_KEY_ACTION_REVOKE_DL6.clone().into(),
        SCHEMA_ATTR_KEY_ACTION_IMPORT_JWS_ES256_DL6.clone().into(),
    ];

    // `_DL7` suffix.
    let dl7: Vec<EntryInitNew> = vec![
        SCHEMA_ATTR_PATCH_LEVEL_DL7.clone().into(),
        SCHEMA_ATTR_DOMAIN_DEVELOPMENT_TAINT_DL7.clone().into(),
        SCHEMA_ATTR_REFERS_DL7.clone().into(),
        SCHEMA_ATTR_CERTIFICATE_DL7.clone().into(),
        SCHEMA_ATTR_OAUTH2_RS_ORIGIN_DL7.clone().into(),
        SCHEMA_ATTR_OAUTH2_STRICT_REDIRECT_URI_DL7.clone().into(),
        SCHEMA_ATTR_MAIL_DL7.clone().into(),
        SCHEMA_ATTR_LEGALNAME_DL7.clone().into(),
        SCHEMA_ATTR_DISPLAYNAME_DL7.clone().into(),
    ];

    // `_DL8` suffix.
    let dl8: Vec<EntryInitNew> = vec![
        SCHEMA_ATTR_LINKED_GROUP_DL8.clone().into(),
        SCHEMA_ATTR_APPLICATION_PASSWORD_DL8.clone().into(),
        SCHEMA_ATTR_ALLOW_PRIMARY_CRED_FALLBACK_DL8.clone().into(),
    ];

    // `_DL9` suffix.
    let dl9: Vec<EntryInitNew> = vec![
        SCHEMA_ATTR_OAUTH2_DEVICE_FLOW_ENABLE_DL9.clone().into(),
        SCHEMA_ATTR_DOMAIN_ALLOW_EASTER_EGGS_DL9.clone().into(),
    ];

    // Flatten in ascending domain-level order. A `vec!` (rather than an
    // array) is used so the by-value iteration does not depend on edition.
    vec![base, dl4, dl6, dl7, dl8, dl9]
        .into_iter()
        .flatten()
        .collect()
}
/// Bootstrap phase 2: the schema *class* definitions.
///
/// Presumably applied after [`phase_1_schema_attrs`], since classes are
/// normally defined in terms of attributes; the caller is responsible for
/// that ordering. Entries are returned in the order written below, grouped
/// by the `_DLn` suffix of the providing constant (which, judging by the
/// names only, marks the introducing domain level — confirm in `schema`).
///
/// Note that the `KEY_PROVIDER*` / `KEY_OBJECT*` classes are defined here,
/// but the key-provider *entry* itself is only created in phase 3.
pub fn phase_2_schema_classes() -> Vec<EntryInitNew> {
    // Classes with no domain-level suffix.
    let mut classes: Vec<EntryInitNew> = vec![
        SCHEMA_CLASS_DYNGROUP.clone().into(),
        SCHEMA_CLASS_ORGPERSON.clone().into(),
        SCHEMA_CLASS_POSIXACCOUNT.clone().into(),
        SCHEMA_CLASS_POSIXGROUP.clone().into(),
        SCHEMA_CLASS_SYSTEM_CONFIG.clone().into(),
    ];

    let dl4: Vec<EntryInitNew> = vec![SCHEMA_CLASS_OAUTH2_RS_PUBLIC_DL4.clone().into()];
    classes.extend(dl4);

    let dl5: Vec<EntryInitNew> = vec![
        SCHEMA_CLASS_ACCOUNT_DL5.clone().into(),
        SCHEMA_CLASS_OAUTH2_RS_BASIC_DL5.clone().into(),
    ];
    classes.extend(dl5);

    // Group class plus the whole key-provider / key-object family.
    let dl6: Vec<EntryInitNew> = vec![
        SCHEMA_CLASS_GROUP_DL6.clone().into(),
        SCHEMA_CLASS_KEY_PROVIDER_DL6.clone().into(),
        SCHEMA_CLASS_KEY_PROVIDER_INTERNAL_DL6.clone().into(),
        SCHEMA_CLASS_KEY_OBJECT_DL6.clone().into(),
        SCHEMA_CLASS_KEY_OBJECT_JWT_ES256_DL6.clone().into(),
        SCHEMA_CLASS_KEY_OBJECT_JWE_A128GCM_DL6.clone().into(),
        SCHEMA_CLASS_KEY_OBJECT_INTERNAL_DL6.clone().into(),
    ];
    classes.extend(dl6);

    let dl7: Vec<EntryInitNew> = vec![
        SCHEMA_CLASS_SERVICE_ACCOUNT_DL7.clone().into(),
        SCHEMA_CLASS_SYNC_ACCOUNT_DL7.clone().into(),
        SCHEMA_CLASS_CLIENT_CERTIFICATE_DL7.clone().into(),
    ];
    classes.extend(dl7);

    let dl8: Vec<EntryInitNew> = vec![
        SCHEMA_CLASS_ACCOUNT_POLICY_DL8.clone().into(),
        SCHEMA_CLASS_APPLICATION_DL8.clone().into(),
        SCHEMA_CLASS_PERSON_DL8.clone().into(),
    ];
    classes.extend(dl8);

    let dl9: Vec<EntryInitNew> = vec![
        SCHEMA_CLASS_OAUTH2_RS_DL9.clone().into(),
        SCHEMA_CLASS_DOMAIN_INFO_DL9.clone().into(),
    ];
    classes.extend(dl9);

    classes
}
/// Bootstrap phase 3: the internal key-provider entry.
///
/// Returns a single entry, a clone of `E_KEY_PROVIDER_INTERNAL_DL6`, which
/// is already of the entry type (no conversion is applied). Ordering is
/// presumably significant: the system entries of phase 4 and everything
/// later may depend on a key provider existing — confirm with the caller.
pub fn phase_3_key_provider() -> Vec<EntryInitNew> {
    let mut entries = Vec::with_capacity(1);
    entries.push(E_KEY_PROVIDER_INTERNAL_DL6.clone());
    entries
}
/// Bootstrap phase 4: the system, domain-info and system-config entries.
///
/// Each constant is cloned as-is (they are already entries; no `into`
/// conversion is involved). The order returned is system info, domain info,
/// then system config — preserved verbatim from the original listing in
/// case the caller depends on it.
pub fn phase_4_system_entries() -> Vec<EntryInitNew> {
    let system_info = E_SYSTEM_INFO_V1.clone();
    let domain_info = E_DOMAIN_INFO_DL6.clone();
    let system_config = E_SYSTEM_CONFIG_V1.clone();
    vec![system_info, domain_info, system_config]
}
/// Bootstrap phase 5: the builtin administrative accounts and groups, plus
/// the anonymous account.
///
/// The two account constants convert infallibly (`into`), whereas the two
/// group constants convert fallibly (`try_into`); any conversion error is
/// propagated as an [`OperationError`], and in that case no entries are
/// returned at all. Conversions run in list order, so a failing group
/// conversion stops before the anonymous account is built.
///
/// Reviewer note: this is the phase that creates the highest-privilege
/// principals (`admin`, `idm_admin` and their groups). They precede the
/// non-admin groups of phase 6 and the access-control profiles of phase 7,
/// which presumably refer to them. The anonymous account is created here
/// too; what it may do is decided by its definition in `accounts` and by the
/// ACPs, not by its placement in this list.
///
/// # Errors
/// Returns the error from any failing `try_into` on a builtin group.
pub fn phase_5_builtin_admin_entries() -> Result<Vec<EntryInitNew>, OperationError> {
    let admin: EntryInitNew = BUILTIN_ACCOUNT_ADMIN.clone().into();
    let idm_admin: EntryInitNew = BUILTIN_ACCOUNT_IDM_ADMIN.clone().into();
    let system_admins: EntryInitNew = BUILTIN_GROUP_SYSTEM_ADMINS_V1.clone().try_into()?;
    let idm_admins: EntryInitNew = BUILTIN_GROUP_IDM_ADMINS_V1.clone().try_into()?;
    let anonymous: EntryInitNew = BUILTIN_ACCOUNT_ANONYMOUS_DL6.clone().into();

    Ok(vec![admin, idm_admin, system_admins, idm_admins, anonymous])
}
/// Bootstrap phase 6: every builtin group other than the two top-level
/// admin groups created in phase 5.
///
/// All constants are converted with `try_into`; the first failure aborts
/// the whole phase and is returned as an [`OperationError`]. Entries are
/// pushed in the order written below, which is unchanged from the original
/// listing. The section comments are based on the constant names only.
///
/// Reviewer note: the membership and privileges of these groups are not
/// visible here — they live in the defining `groups` module and in the
/// phase 7 access-control profiles. Adding a group to this list does not by
/// itself grant anything.
///
/// # Errors
/// Returns the error from any failing `try_into`.
pub fn phase_6_builtin_non_admin_entries() -> Result<Vec<EntryInitNew>, OperationError> {
    let mut entries: Vec<EntryInitNew> = Vec::with_capacity(26);

    // Delegated-administration groups, one per functional area.
    entries.push(BUILTIN_GROUP_DOMAIN_ADMINS.clone().try_into()?);
    entries.push(BUILTIN_GROUP_SCHEMA_ADMINS.clone().try_into()?);
    entries.push(BUILTIN_GROUP_ACCESS_CONTROL_ADMINS.clone().try_into()?);
    entries.push(BUILTIN_GROUP_UNIX_ADMINS.clone().try_into()?);
    entries.push(BUILTIN_GROUP_RECYCLE_BIN_ADMINS.clone().try_into()?);
    entries.push(BUILTIN_GROUP_SERVICE_DESK.clone().try_into()?);
    entries.push(BUILTIN_GROUP_OAUTH2_ADMINS.clone().try_into()?);
    entries.push(BUILTIN_GROUP_RADIUS_SERVICE_ADMINS.clone().try_into()?);
    entries.push(BUILTIN_GROUP_ACCOUNT_POLICY_ADMINS.clone().try_into()?);
    entries.push(BUILTIN_GROUP_PEOPLE_ADMINS.clone().try_into()?);
    entries.push(BUILTIN_GROUP_PEOPLE_PII_READ.clone().try_into()?);
    entries.push(BUILTIN_GROUP_PEOPLE_ON_BOARDING.clone().try_into()?);
    entries.push(BUILTIN_GROUP_SERVICE_ACCOUNT_ADMINS.clone().try_into()?);
    entries.push(BUILTIN_GROUP_MAIL_SERVICE_ADMINS_DL8.clone().try_into()?);

    // Umbrella / "all" groups.
    entries.push(IDM_GROUP_ADMINS_V1.clone().try_into()?);
    entries.push(IDM_ALL_PERSONS.clone().try_into()?);
    entries.push(IDM_ALL_ACCOUNTS.clone().try_into()?);

    // Groups named for service principals (RADIUS, mail).
    entries.push(BUILTIN_IDM_RADIUS_SERVERS_V1.clone().try_into()?);
    entries.push(BUILTIN_IDM_MAIL_SERVERS_DL8.clone().try_into()?);

    // Self-service and later-domain-level additions.
    entries.push(
        BUILTIN_GROUP_PEOPLE_SELF_NAME_WRITE_DL7
            .clone()
            .try_into()?,
    );
    entries.push(IDM_PEOPLE_SELF_MAIL_WRITE_DL7.clone().try_into()?);
    entries.push(
        BUILTIN_GROUP_CLIENT_CERTIFICATE_ADMINS_DL7
            .clone()
            .try_into()?,
    );
    entries.push(BUILTIN_GROUP_APPLICATION_ADMINS_DL8.clone().try_into()?);
    entries.push(IDM_HIGH_PRIVILEGE_DL8.clone().try_into()?);
    entries.push(IDM_UI_ENABLE_EXPERIMENTAL_FEATURES.clone().try_into()?);
    entries.push(IDM_ACCOUNT_MAIL_READ.clone().try_into()?);

    Ok(entries)
}
/// Bootstrap phase 7: the builtin access-control profiles (ACPs).
///
/// This is the last phase, presumably because the profiles refer to the
/// groups and accounts created in phases 5 and 6. Every constant converts
/// infallibly with `into`. Entries are returned in the order written below,
/// grouped by the suffix of the providing constant (`_V1`, then
/// `_DL6` … `_DL9`); from the names alone the `_DLn` suffix looks like the
/// introducing domain level — confirm in the `access` module.
///
/// Reviewer note: this function only assembles the list. What each profile
/// grants — which subjects, which targets, which attributes — is defined by
/// the `IDM_ACP_*` constants themselves and is not checked here. A profile
/// omitted from this list is simply not installed at bootstrap, so any
/// change to this list deserves the same scrutiny as a change to an ACP.
pub fn phase_7_builtin_access_control_profiles() -> Vec<EntryInitNew> {
    // Original (`_V1`) profiles.
    let v1: Vec<EntryInitNew> = vec![
        IDM_ACP_RECYCLE_BIN_SEARCH_V1.clone().into(),
        IDM_ACP_RECYCLE_BIN_REVIVE_V1.clone().into(),
        IDM_ACP_SCHEMA_WRITE_ATTRS_V1.clone().into(),
        IDM_ACP_SCHEMA_WRITE_CLASSES_V1.clone().into(),
        IDM_ACP_ACP_MANAGE_V1.clone().into(),
        IDM_ACP_GROUP_ENTRY_MANAGED_BY_MODIFY_V1.clone().into(),
        IDM_ACP_GROUP_ENTRY_MANAGER_V1.clone().into(),
        IDM_ACP_SYNC_ACCOUNT_MANAGE_V1.clone().into(),
        IDM_ACP_RADIUS_SERVERS_V1.clone().into(),
        IDM_ACP_RADIUS_SECRET_MANAGE_V1.clone().into(),
        IDM_ACP_PEOPLE_SELF_WRITE_MAIL_V1.clone().into(),
        IDM_ACP_ACCOUNT_SELF_WRITE_V1.clone().into(),
        IDM_ACP_ALL_ACCOUNTS_POSIX_READ_V1.clone().into(),
        IDM_ACP_SYSTEM_CONFIG_ACCOUNT_POLICY_MANAGE_V1
            .clone()
            .into(),
        IDM_ACP_GROUP_UNIX_MANAGE_V1.clone().into(),
        IDM_ACP_HP_GROUP_UNIX_MANAGE_V1.clone().into(),
        IDM_ACP_GROUP_READ_V1.clone().into(),
        IDM_ACP_ACCOUNT_UNIX_EXTEND_V1.clone().into(),
        IDM_ACP_PEOPLE_PII_READ_V1.clone().into(),
        IDM_ACP_PEOPLE_PII_MANAGE_V1.clone().into(),
        IDM_ACP_PEOPLE_READ_V1.clone().into(),
        IDM_ACP_PEOPLE_MANAGE_V1.clone().into(),
        IDM_ACP_PEOPLE_DELETE_V1.clone().into(),
        IDM_ACP_PEOPLE_CREDENTIAL_RESET_V1.clone().into(),
        IDM_ACP_HP_PEOPLE_CREDENTIAL_RESET_V1.clone().into(),
        IDM_ACP_SERVICE_ACCOUNT_CREATE_V1.clone().into(),
        IDM_ACP_SERVICE_ACCOUNT_DELETE_V1.clone().into(),
        IDM_ACP_SERVICE_ACCOUNT_ENTRY_MANAGER_V1.clone().into(),
        IDM_ACP_SERVICE_ACCOUNT_ENTRY_MANAGED_BY_MODIFY_V1
            .clone()
            .into(),
        IDM_ACP_HP_SERVICE_ACCOUNT_ENTRY_MANAGED_BY_MODIFY_V1
            .clone()
            .into(),
        IDM_ACP_SERVICE_ACCOUNT_MANAGE_V1.clone().into(),
    ];

    let dl6: Vec<EntryInitNew> = vec![
        IDM_ACP_PEOPLE_CREATE_DL6.clone().into(),
        IDM_ACP_ACCOUNT_MAIL_READ_DL6.clone().into(),
    ];

    let dl7: Vec<EntryInitNew> = vec![
        IDM_ACP_SELF_NAME_WRITE_DL7.clone().into(),
        IDM_ACP_HP_CLIENT_CERTIFICATE_MANAGER_DL7.clone().into(),
    ];

    let dl8: Vec<EntryInitNew> = vec![
        IDM_ACP_SELF_READ_DL8.clone().into(),
        IDM_ACP_SELF_WRITE_DL8.clone().into(),
        IDM_ACP_APPLICATION_MANAGE_DL8.clone().into(),
        IDM_ACP_APPLICATION_ENTRY_MANAGER_DL8.clone().into(),
        IDM_ACP_MAIL_SERVERS_DL8.clone().into(),
        IDM_ACP_GROUP_ACCOUNT_POLICY_MANAGE_DL8.clone().into(),
    ];

    let dl9: Vec<EntryInitNew> = vec![
        IDM_ACP_OAUTH2_MANAGE_DL9.clone().into(),
        IDM_ACP_GROUP_MANAGE_DL9.clone().into(),
        IDM_ACP_DOMAIN_ADMIN_DL9.clone().into(),
    ];

    // Concatenate in ascending version order; `vec!` keeps by-value
    // iteration edition-agnostic.
    vec![v1, dl6, dl7, dl8, dl9]
        .into_iter()
        .flatten()
        .collect()
}
264}