kanidmd_lib/server/access/
protected.rs

1use crate::prelude::EntryClass;
2use std::collections::BTreeSet;
3use std::sync::LazyLock;
4
/// Entry classes that may not be created or deleted, and that may invoke
/// additional protection rules when present on an entry.
///
/// The set holds the string form of each class and is built once, on first
/// access.
pub static PROTECTED_ENTRY_CLASSES: LazyLock<BTreeSet<String>> = LazyLock::new(|| {
    let protected = [
        EntryClass::System,
        EntryClass::DomainInfo,
        EntryClass::SystemInfo,
        EntryClass::SystemConfig,
        EntryClass::DynGroup,
        EntryClass::SyncObject,
        EntryClass::Tombstone,
        EntryClass::Recycled,
    ];

    BTreeSet::from(protected.map(Into::<String>::into))
});
21
/// Entries carrying any of these classes are protected from modification.
///
/// Note that sync object is not present here, as there are separate rules for
/// it in the modification access module.
///
/// Recycled is also described as not protected here, because it needs to be
/// removable by a recycle bin admin.
pub static PROTECTED_MOD_ENTRY_CLASSES: LazyLock<BTreeSet<String>> = LazyLock::new(|| {
    let protected = [
        EntryClass::System,
        EntryClass::DomainInfo,
        EntryClass::SystemInfo,
        EntryClass::SystemConfig,
        EntryClass::DynGroup,
        // EntryClass::SyncObject is deliberately left out, see the doc comment.
        EntryClass::Tombstone,
        // NOTE(review): the doc comment says Recycled is not protected here, yet
        // it is listed. The class is commented out of
        // PROTECTED_MOD_REM_ENTRY_CLASSES instead. Confirm which is intended
        // and bring the comment and the list into agreement.
        EntryClass::Recycled,
    ];

    BTreeSet::from(protected.map(Into::<String>::into))
});
42
/// Classes that may NOT be added to ANY entry through a modification.
///
/// This list has the same members as [`PROTECTED_ENTRY_CLASSES`]; nothing is
/// exempted from the "may not be added" rule.
pub static PROTECTED_MOD_PRES_ENTRY_CLASSES: LazyLock<BTreeSet<String>> = LazyLock::new(|| {
    let never_added = [
        EntryClass::System,
        EntryClass::DomainInfo,
        EntryClass::SystemInfo,
        EntryClass::SystemConfig,
        EntryClass::DynGroup,
        EntryClass::SyncObject,
        EntryClass::Tombstone,
        EntryClass::Recycled,
    ];

    BTreeSet::from(never_added.map(Into::<String>::into))
});
58
/// Classes that may NOT be removed from ANY entry through a modification.
pub static PROTECTED_MOD_REM_ENTRY_CLASSES: LazyLock<BTreeSet<String>> = LazyLock::new(|| {
    let never_removed = [
        EntryClass::System,
        EntryClass::DomainInfo,
        EntryClass::SystemInfo,
        EntryClass::SystemConfig,
        EntryClass::DynGroup,
        EntryClass::SyncObject,
        EntryClass::Tombstone,
        // EntryClass::Recycled is deliberately left out, so it is the one
        // protected class this set does not forbid removing.
        // NOTE(review): presumably this is what lets a recycle bin admin
        // revive an entry; confirm against the modification access module.
    ];

    BTreeSet::from(never_removed.map(Into::<String>::into))
});
74
/// Entries carrying any of these classes may not be modified under any
/// circumstance.
pub static LOCKED_ENTRY_CLASSES: LazyLock<BTreeSet<String>> = LazyLock::new(|| {
    let locked = [
        EntryClass::Tombstone,
        // EntryClass::Recycled is deliberately left out; only Tombstone is
        // locked.
    ];

    BTreeSet::from(locked.map(Into::<String>::into))
});