
1//! Schema Entries
2use crate::constants::entries::{Attribute, EntryClass};
3use crate::constants::uuids::*;
4use crate::schema::{SchemaAttribute, SchemaClass};
5use crate::value::SyntaxType;
6
7lazy_static!(
8
9pub static ref SCHEMA_ATTR_DISPLAYNAME_DL7: SchemaAttribute = SchemaAttribute {
10    uuid: UUID_SCHEMA_ATTR_DISPLAYNAME,
11    name: Attribute::DisplayName,
12    description: "The publicly visible display name of this person".to_string(),
13    indexed: true,
14    sync_allowed: true,
15    syntax: SyntaxType::Utf8String,
16    ..Default::default()
17};
18
19pub static ref SCHEMA_ATTR_MAIL_DL7: SchemaAttribute = SchemaAttribute {
20    uuid: UUID_SCHEMA_ATTR_MAIL,
21    name: Attribute::Mail,
22    description: "Mail addresses of the object".to_string(),
23    indexed: true,
24    unique: true,
25    multivalue: true,
26    sync_allowed: true,
27    syntax: SyntaxType::EmailAddress,
28    ..Default::default()
29};
30
31pub static ref SCHEMA_ATTR_EC_KEY_PRIVATE: SchemaAttribute = SchemaAttribute {
32    uuid: UUID_SCHEMA_ATTR_EC_KEY_PRIVATE,
33    name: Attribute::IdVerificationEcKey,
34    description: "Account verification private key".to_string(),
35    indexed: true,
36    unique: false,
37    sync_allowed: false,
38    syntax: SyntaxType::EcKeyPrivate,
39    ..Default::default()
40};
41
42pub static ref SCHEMA_ATTR_SSH_PUBLICKEY: SchemaAttribute = SchemaAttribute {
43    uuid: UUID_SCHEMA_ATTR_SSH_PUBLICKEY,
44    name: Attribute::SshPublicKey,
45    description: "SSH public keys of the object".to_string(),
46
47    multivalue: true,
48    sync_allowed: true,
49    syntax: SyntaxType::SshKey,
50    ..Default::default()
51};
52
53pub static ref SCHEMA_ATTR_PRIMARY_CREDENTIAL: SchemaAttribute = SchemaAttribute {
54    uuid: UUID_SCHEMA_ATTR_PRIMARY_CREDENTIAL,
55    name: Attribute::PrimaryCredential,
56    description: "Primary credential material of the account for authentication interactively".to_string(),
57    indexed: true,
58    sync_allowed: true,
59    syntax: SyntaxType::Credential,
60    ..Default::default()
61};
62
63pub static ref SCHEMA_ATTR_LEGALNAME_DL7: SchemaAttribute = SchemaAttribute {
64    uuid: UUID_SCHEMA_ATTR_LEGALNAME,
65    name: Attribute::LegalName,
66    description: "The private and sensitive legal name of this person".to_string(),
67    indexed: true,
68    sync_allowed: true,
69    syntax: SyntaxType::Utf8String,
70    ..Default::default()
71};
72
73pub static ref SCHEMA_ATTR_NAME_HISTORY: SchemaAttribute = SchemaAttribute {
74    uuid: UUID_SCHEMA_ATTR_NAME_HISTORY,
75    name: Attribute::NameHistory,
76    description: "The history of names that a person has had".to_string(),
77    indexed: true,
78    multivalue: true,
79    sync_allowed: true,
80    syntax: SyntaxType::AuditLogString,
81    ..Default::default()
82};
83
84pub static ref SCHEMA_ATTR_RADIUS_SECRET: SchemaAttribute = SchemaAttribute {
85    uuid: UUID_SCHEMA_ATTR_RADIUS_SECRET,
86    name: Attribute::RadiusSecret,
87    description: "The accounts generated radius secret for device network authentication".to_string(),
88    sync_allowed: true,
89    syntax: SyntaxType::SecretUtf8String,
90    ..Default::default()
91};
92
93pub static ref SCHEMA_ATTR_DOMAIN_NAME: SchemaAttribute = SchemaAttribute {
94    uuid: UUID_SCHEMA_ATTR_DOMAIN_NAME,
95    name: Attribute::DomainName,
96    description: "The domain's DNS name for webauthn and SPN generation purposes".to_string(),
97    indexed: true,
98    unique: true,
99    syntax: SyntaxType::Utf8StringIname,
100    ..Default::default()
101};
102
103pub static ref SCHEMA_ATTR_LDAP_ALLOW_UNIX_PW_BIND: SchemaAttribute = SchemaAttribute {
104    uuid: UUID_SCHEMA_ATTR_LDAP_ALLOW_UNIX_PW_BIND,
105    name: Attribute::LdapAllowUnixPwBind,
106    description: "Configuration to enable binds to LDAP objects using their UNIX password".to_string(),
107    unique: false,
108    syntax: SyntaxType::Boolean,
109    ..Default::default()
110};
111
112pub static ref SCHEMA_ATTR_DOMAIN_LDAP_BASEDN: SchemaAttribute = SchemaAttribute {
113    uuid: UUID_SCHEMA_ATTR_DOMAIN_LDAP_BASEDN,
114    name: Attribute::DomainLdapBasedn,
115    description: "The domain's optional ldap basedn. If unset defaults to domain components of domain name".to_string(),
116    unique: true,
117    syntax: SyntaxType::Utf8StringInsensitive,
118    ..Default::default()
119};
120
121pub static ref SCHEMA_ATTR_LDAP_MAXIMUM_QUERYABLE_ATTRIBUTES: SchemaAttribute = SchemaAttribute {
122    uuid: UUID_SCHEMA_ATTR_LDAP_MAXIMUM_QUERYABLE_ATTRIBUTES,
123    name: Attribute::LdapMaxQueryableAttrs,
124    description: "The maximum number of LDAP attributes that can be queried in one operation".to_string(),
125    multivalue: false,
126    sync_allowed: true,
127    syntax: SyntaxType::Uint32,
128    ..Default::default()
129};
130
131pub static ref SCHEMA_ATTR_DOMAIN_DISPLAY_NAME: SchemaAttribute = SchemaAttribute {
132    uuid: UUID_SCHEMA_ATTR_DOMAIN_DISPLAY_NAME,
133    name: Attribute::DomainDisplayName,
134    description: "The user-facing display name of the Kanidm domain".to_string(),
135    indexed: true,
136    syntax: SyntaxType::Utf8String,
137    ..Default::default()
138};
139
140pub static ref SCHEMA_ATTR_DOMAIN_UUID: SchemaAttribute = SchemaAttribute {
141    uuid: UUID_SCHEMA_ATTR_DOMAIN_UUID,
142    name: Attribute::DomainUuid,
143    description: "The domain's uuid, used in CSN and trust relationships".to_string(),
144    indexed: true,
145    unique: true,
146    syntax: SyntaxType::Uuid,
147    ..Default::default()
148};
149
150pub static ref SCHEMA_ATTR_DOMAIN_SSID: SchemaAttribute = SchemaAttribute {
151    uuid: UUID_SCHEMA_ATTR_DOMAIN_SSID,
152    name: Attribute::DomainSsid,
153    description: "The domains site-wide SSID for device autoconfiguration of wireless".to_string(),
154    indexed: true,
155    unique: true,
156    syntax: SyntaxType::Utf8String,
157    ..Default::default()
158};
159
160pub static ref SCHEMA_ATTR_DENIED_NAME_DL10: SchemaAttribute = SchemaAttribute {
161    uuid: UUID_SCHEMA_ATTR_DENIED_NAME,
162    name: Attribute::DeniedName,
163    description: "Iname values that are not allowed to be used in 'name'.".to_string(),
164    syntax: SyntaxType::Utf8StringIname,
165    multivalue: true,
166    ..Default::default()
167};
168
169pub static ref SCHEMA_ATTR_DOMAIN_TOKEN_KEY: SchemaAttribute = SchemaAttribute {
170    uuid: UUID_SCHEMA_ATTR_DOMAIN_TOKEN_KEY,
171    name: Attribute::DomainTokenKey,
172    description: "The domain token encryption private key (NOT USED)".to_string(),
173    syntax: SyntaxType::SecretUtf8String,
174    ..Default::default()
175};
176
177pub static ref SCHEMA_ATTR_FERNET_PRIVATE_KEY_STR: SchemaAttribute = SchemaAttribute {
178    uuid: UUID_SCHEMA_ATTR_FERNET_PRIVATE_KEY_STR,
179    name: Attribute::FernetPrivateKeyStr,
180    description: "The token encryption private key".to_string(),
181
182    syntax: SyntaxType::SecretUtf8String,
183    ..Default::default()
184};
185
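/// Schema definition for the `Attribute::GidNumber` attribute.
///
/// Declared `indexed`, `unique` and `sync_allowed`, with `Uint32` syntax.
pub static ref SCHEMA_ATTR_GIDNUMBER: SchemaAttribute = SchemaAttribute {
    uuid: UUID_SCHEMA_ATTR_GIDNUMBER,
    name: Attribute::GidNumber,
    // The original literal had a stray `.to_string()` pasted into the middle of the
    // sentence, which surfaced verbatim in the user-facing description.
    description: "The groupid (uid) number of a group or account. This is the same value as the UID number on posix accounts for security reasons".to_string(),
    indexed: true,
    unique: true,
    sync_allowed: true,
    syntax: SyntaxType::Uint32,
    ..Default::default()
};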
196
197pub static ref SCHEMA_ATTR_BADLIST_PASSWORD: SchemaAttribute = SchemaAttribute {
198    uuid: UUID_SCHEMA_ATTR_BADLIST_PASSWORD,
199    name: Attribute::BadlistPassword,
200    description: "A password that is badlisted meaning that it can not be set as a valid password by any user account".to_string(),
201    multivalue: true,
202    syntax: SyntaxType::Utf8StringInsensitive,
203    ..Default::default()
204};
205
206pub static ref SCHEMA_ATTR_AUTH_SESSION_EXPIRY: SchemaAttribute = SchemaAttribute {
207    uuid: UUID_SCHEMA_ATTR_AUTH_SESSION_EXPIRY,
208    name: Attribute::AuthSessionExpiry,
209    description: "An expiration time for an authentication session".to_string(),
210    syntax: SyntaxType::Uint32,
211    ..Default::default()
212};
213
214pub static ref SCHEMA_ATTR_AUTH_PRIVILEGE_EXPIRY: SchemaAttribute = SchemaAttribute {
215    uuid: UUID_SCHEMA_ATTR_AUTH_PRIVILEGE_EXPIRY,
216    name: Attribute::PrivilegeExpiry,
217    description: "An expiration time for a privileged authentication session".to_string(),
218    syntax: SyntaxType::Uint32,
219    ..Default::default()
220};
221
222pub static ref SCHEMA_ATTR_AUTH_PASSWORD_MINIMUM_LENGTH: SchemaAttribute = SchemaAttribute {
223    uuid: UUID_SCHEMA_ATTR_AUTH_PASSWORD_MINIMUM_LENGTH,
224    name: Attribute::AuthPasswordMinimumLength,
225    description: "Minimum length of passwords".to_string(),
226    syntax: SyntaxType::Uint32,
227    ..Default::default()
228};
229
230pub static ref SCHEMA_ATTR_LOGINSHELL: SchemaAttribute = SchemaAttribute {
231    uuid: UUID_SCHEMA_ATTR_LOGINSHELL,
232    name: Attribute::LoginShell,
233    description: "A POSIX user's UNIX login shell".to_string(),
234    sync_allowed: true,
235    syntax: SyntaxType::Utf8StringInsensitive,
236    ..Default::default()
237};
238
239pub static ref SCHEMA_ATTR_UNIX_PASSWORD: SchemaAttribute = SchemaAttribute {
240    uuid: UUID_SCHEMA_ATTR_UNIX_PASSWORD,
241    name: Attribute::UnixPassword,
242    description: "A POSIX user's UNIX login password".to_string(),
243    indexed: true,
244    syntax: SyntaxType::Credential,
245    ..Default::default()
246};
247
248pub static ref SCHEMA_ATTR_NSUNIQUEID: SchemaAttribute = SchemaAttribute {
249    uuid: UUID_SCHEMA_ATTR_NSUNIQUEID,
250    name: Attribute::NsUniqueId,
251    description: "A unique id compatibility for 389-ds/dsee".to_string(),
252    indexed: true,
253    unique: true,
254    sync_allowed: true,
255    syntax: SyntaxType::NsUniqueId,
256    ..Default::default()
257};
258
259pub static ref SCHEMA_ATTR_ACCOUNT_EXPIRE: SchemaAttribute = SchemaAttribute {
260    uuid: UUID_SCHEMA_ATTR_ACCOUNT_EXPIRE,
261    name: Attribute::AccountExpire,
262    description: "The datetime after which this account no longer may authenticate".to_string(),
263    sync_allowed: true,
264    syntax: SyntaxType::DateTime,
265    ..Default::default()
266};
267
268pub static ref SCHEMA_ATTR_ACCOUNT_VALID_FROM: SchemaAttribute = SchemaAttribute {
269    uuid: UUID_SCHEMA_ATTR_ACCOUNT_VALID_FROM,
270    name: Attribute::AccountValidFrom,
271    description: "The datetime after which this account may commence authenticating".to_string(),
272    sync_allowed: true,
273    syntax: SyntaxType::DateTime,
274    ..Default::default()
275};
276
277pub static ref SCHEMA_ATTR_WEBAUTHN_ATTESTATION_CA_LIST: SchemaAttribute = SchemaAttribute {
278    uuid: UUID_SCHEMA_ATTR_WEBAUTHN_ATTESTATION_CA_LIST,
279    name: Attribute::WebauthnAttestationCaList,
280    description: "A set of CA's that limit devices that can be used with webauthn".to_string(),
281    syntax: SyntaxType::WebauthnAttestationCaList,
282    multivalue: true,
283    ..Default::default()
284};
285
286pub static ref SCHEMA_ATTR_OAUTH2_RS_NAME: SchemaAttribute = SchemaAttribute {
287    uuid: UUID_SCHEMA_ATTR_OAUTH2_RS_NAME,
288    name: Attribute::OAuth2RsName,
289    description: "The unique name of an external Oauth2 resource".to_string(),
290    indexed: true,
291    unique: true,
292    syntax: SyntaxType::Utf8StringIname,
293    ..Default::default()
294};
295
296pub static ref SCHEMA_ATTR_OAUTH2_RS_ORIGIN_DL7: SchemaAttribute = SchemaAttribute {
297    uuid: UUID_SCHEMA_ATTR_OAUTH2_RS_ORIGIN,
298    name: Attribute::OAuth2RsOrigin,
299    description: "The origin domain of an OAuth2 client".to_string(),
300    syntax: SyntaxType::Url,
301    multivalue: true,
302    ..Default::default()
303};
304
305pub static ref SCHEMA_ATTR_OAUTH2_RS_ORIGIN_LANDING: SchemaAttribute = SchemaAttribute {
306    uuid: UUID_SCHEMA_ATTR_OAUTH2_RS_ORIGIN_LANDING,
307    name: Attribute::OAuth2RsOriginLanding,
308    description: "The landing page of an RS, that will automatically trigger the auth process".to_string(),
309    syntax: SyntaxType::Url,
310    ..Default::default()
311};
312
313// Introduced in DomainLevel4
314pub static ref SCHEMA_ATTR_OAUTH2_ALLOW_LOCALHOST_REDIRECT_DL4: SchemaAttribute = SchemaAttribute {
315    uuid: UUID_SCHEMA_ATTR_OAUTH2_ALLOW_LOCALHOST_REDIRECT,
316    name: Attribute::OAuth2AllowLocalhostRedirect,
317    description: "Allow public clients associated to this RS to redirect to localhost".to_string(),
318    syntax: SyntaxType::Boolean,
319    ..Default::default()
320};
321
/// Schema definition for the `Attribute::OAuth2RsClaimMap` attribute: custom claims
/// mapped to group memberships. Declared `indexed` and `multivalue`.
pub static ref SCHEMA_ATTR_OAUTH2_RS_CLAIM_MAP_DL4: SchemaAttribute = SchemaAttribute {
    uuid: UUID_SCHEMA_ATTR_OAUTH2_RS_CLAIM_MAP,
    name: Attribute::OAuth2RsClaimMap,
    description: "A set of custom claims mapped to group memberships of accounts".to_string(),
    indexed: true,
    multivalue: true,
    // NOTE(review): a bare "CHANGE ME" marker was left on this line with no explanation;
    // confirm whether OauthClaimMap is the intended final syntax for this attribute.
    syntax: SyntaxType::OauthClaimMap,
    ..Default::default()
};
332
333pub static ref SCHEMA_ATTR_OAUTH2_RS_SCOPE_MAP: SchemaAttribute = SchemaAttribute {
334    uuid: UUID_SCHEMA_ATTR_OAUTH2_RS_SCOPE_MAP,
335    name: Attribute::OAuth2RsScopeMap,
336    description: "A reference to a group mapped to scopes for the associated oauth2 resource server".to_string(),
337    indexed: true,
338    multivalue: true,
339    syntax: SyntaxType::OauthScopeMap,
340    ..Default::default()
341};
342
343pub static ref SCHEMA_ATTR_OAUTH2_RS_SUP_SCOPE_MAP: SchemaAttribute = SchemaAttribute {
344    uuid: UUID_SCHEMA_ATTR_OAUTH2_RS_SUP_SCOPE_MAP,
345    name: Attribute::OAuth2RsSupScopeMap,
346    description: "A reference to a group mapped to scopes for the associated oauth2 resource server".to_string(),
347    indexed: true,
348    multivalue: true,
349    syntax: SyntaxType::OauthScopeMap,
350    ..Default::default()
351};
352
353pub static ref SCHEMA_ATTR_OAUTH2_RS_BASIC_SECRET: SchemaAttribute = SchemaAttribute {
354    uuid: UUID_SCHEMA_ATTR_OAUTH2_RS_BASIC_SECRET,
355    name: Attribute::OAuth2RsBasicSecret,
356    description: "When using oauth2 basic authentication, the secret string of the resource server".to_string(),
357    syntax: SyntaxType::SecretUtf8String,
358    ..Default::default()
359};
360
361pub static ref SCHEMA_ATTR_OAUTH2_RS_TOKEN_KEY: SchemaAttribute = SchemaAttribute {
362    uuid: UUID_SCHEMA_ATTR_OAUTH2_RS_TOKEN_KEY,
363    name: Attribute::OAuth2RsTokenKey,
364    description: "An oauth2 resource servers unique token signing key".to_string(),
365    syntax: SyntaxType::SecretUtf8String,
366    ..Default::default()
367};
368
369pub static ref SCHEMA_ATTR_OAUTH2_RS_IMPLICIT_SCOPES: SchemaAttribute = SchemaAttribute {
370    uuid: UUID_SCHEMA_ATTR_OAUTH2_RS_IMPLICIT_SCOPES,
371    name: Attribute::OAuth2RsImplicitScopes,
372    description: "An oauth2 resource servers scopes that are implicitly granted to all users".to_string(),
373    multivalue: true,
374    syntax: SyntaxType::OauthScope,
375    ..Default::default()
376};
377
378pub static ref SCHEMA_ATTR_OAUTH2_CONSENT_SCOPE_MAP: SchemaAttribute = SchemaAttribute {
379    uuid: UUID_SCHEMA_ATTR_OAUTH2_CONSENT_SCOPE_MAP,
380    name: Attribute::OAuth2ConsentScopeMap,
381    description: "A set of scopes mapped from a relying server to a user, where the user has previously consented to the following. If changed or deleted, consent will be re-sought".to_string(),
382    indexed: true,
383    multivalue: true,
384    syntax: SyntaxType::OauthScopeMap,
385    ..Default::default()
386};
387
388pub static ref SCHEMA_ATTR_OAUTH2_STRICT_REDIRECT_URI_DL7: SchemaAttribute = SchemaAttribute {
389    uuid: UUID_SCHEMA_ATTR_OAUTH2_STRICT_REDIRECT_URI,
390    name: Attribute::OAuth2StrictRedirectUri,
391    description: "Represents if strict redirect uri enforcement is enabled.".to_string(),
392    syntax: SyntaxType::Boolean,
393    ..Default::default()
394};
395
396
397pub static ref SCHEMA_ATTR_ES256_PRIVATE_KEY_DER: SchemaAttribute = SchemaAttribute {
398    uuid: UUID_SCHEMA_ATTR_ES256_PRIVATE_KEY_DER,
399    name: Attribute::Es256PrivateKeyDer,
400    description: "An es256 private key".to_string(),
401    syntax: SyntaxType::PrivateBinary,
402    ..Default::default()
403};
404
405pub static ref SCHEMA_ATTR_RS256_PRIVATE_KEY_DER: SchemaAttribute = SchemaAttribute {
406    uuid: UUID_SCHEMA_ATTR_RS256_PRIVATE_KEY_DER,
407    name: Attribute::Rs256PrivateKeyDer,
408    description: "An rs256 private key".to_string(),
409    syntax: SyntaxType::PrivateBinary,
410    ..Default::default()
411};
412
413pub static ref SCHEMA_ATTR_JWS_ES256_PRIVATE_KEY: SchemaAttribute = SchemaAttribute {
414    uuid: UUID_SCHEMA_ATTR_JWS_ES256_PRIVATE_KEY,
415    name: Attribute::JwsEs256PrivateKey,
416    description: "An es256 private key for jws".to_string(),
417    indexed: true,
418    unique: true,
419    syntax: SyntaxType::JwsKeyEs256,
420    ..Default::default()
421};
422
423// TO BE REMOVED IN A FUTURE RELEASE
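/// Schema definition for the `Attribute::PrivateCookieKey` attribute, stored with
/// `PrivateBinary` syntax. The comment above marks it for removal in a future release.
pub static ref SCHEMA_ATTR_PRIVATE_COOKIE_KEY: SchemaAttribute = SchemaAttribute {
    uuid: UUID_SCHEMA_ATTR_PRIVATE_COOKIE_KEY,
    name: Attribute::PrivateCookieKey,
    // Description previously read "An private ..."; corrected article.
    description: "A private cookie hmac key".to_string(),
    syntax: SyntaxType::PrivateBinary,
    ..Default::default()
};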
431
432pub static ref SCHEMA_ATTR_OAUTH2_ALLOW_INSECURE_CLIENT_DISABLE_PKCE: SchemaAttribute = SchemaAttribute {
433    uuid: UUID_SCHEMA_ATTR_OAUTH2_ALLOW_INSECURE_CLIENT_DISABLE_PKCE,
434    name: Attribute::OAuth2AllowInsecureClientDisablePkce,
435    description: "Allows disabling of PKCE for insecure OAuth2 clients".to_string(),
436    syntax: SyntaxType::Boolean,
437    ..Default::default()
438};
439
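/// Schema definition for the `Attribute::OAuth2JwtLegacyCryptoEnable` boolean attribute.
pub static ref SCHEMA_ATTR_OAUTH2_JWT_LEGACY_CRYPTO_ENABLE: SchemaAttribute = SchemaAttribute {
    uuid: UUID_SCHEMA_ATTR_OAUTH2_JWT_LEGACY_CRYPTO_ENABLE,
    name: Attribute::OAuth2JwtLegacyCryptoEnable,
    // Description previously misspelled "cryptograhpy".
    description: "Allows enabling legacy JWT cryptography for clients".to_string(),
    syntax: SyntaxType::Boolean,
    ..Default::default()
};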
447
448pub static ref SCHEMA_ATTR_CREDENTIAL_UPDATE_INTENT_TOKEN: SchemaAttribute = SchemaAttribute {
449    uuid: UUID_SCHEMA_ATTR_CREDENTIAL_UPDATE_INTENT_TOKEN,
450    name: Attribute::CredentialUpdateIntentToken,
451    description: "The status of a credential update intent token".to_string(),
452    indexed: true,
453    multivalue: true,
454    syntax: SyntaxType::IntentToken,
455    ..Default::default()
456};
457
458pub static ref SCHEMA_ATTR_PASSKEYS: SchemaAttribute = SchemaAttribute {
459    uuid: UUID_SCHEMA_ATTR_PASSKEYS,
460    name: Attribute::PassKeys,
461    description: "A set of registered passkeys".to_string(),
462    indexed: true,
463    multivalue: true,
464    sync_allowed: true,
465    syntax: SyntaxType::Passkey,
466    ..Default::default()
467};
468
469pub static ref SCHEMA_ATTR_ATTESTED_PASSKEYS: SchemaAttribute = SchemaAttribute {
470    uuid: UUID_SCHEMA_ATTR_ATTESTED_PASSKEYS,
471    name: Attribute::AttestedPasskeys,
472    description: "A set of registered device keys".to_string(),
473    indexed: true,
474    multivalue: true,
475    sync_allowed: true,
476    syntax: SyntaxType::AttestedPasskey,
477    ..Default::default()
478};
479
480pub static ref SCHEMA_ATTR_DYNGROUP_FILTER: SchemaAttribute = SchemaAttribute {
481    uuid: UUID_SCHEMA_ATTR_DYNGROUP_FILTER,
482    name: Attribute::DynGroupFilter,
483    description: "A filter describing the set of entries to add to a dynamic group".to_string(),
484    syntax: SyntaxType::JsonFilter,
485    ..Default::default()
486};
487
488pub static ref SCHEMA_ATTR_OAUTH2_PREFER_SHORT_USERNAME: SchemaAttribute = SchemaAttribute {
489    uuid: UUID_SCHEMA_ATTR_OAUTH2_PREFER_SHORT_USERNAME,
490    name: Attribute::OAuth2PreferShortUsername,
491    description: "Use 'name' instead of 'spn' in the preferred_username claim".to_string(),
492    syntax: SyntaxType::Boolean,
493    ..Default::default()
494};
495
496pub static ref SCHEMA_ATTR_API_TOKEN_SESSION: SchemaAttribute = SchemaAttribute {
497    uuid: UUID_SCHEMA_ATTR_API_TOKEN_SESSION,
498    name: Attribute::ApiTokenSession,
499    description: "A session entry related to an issued API token".to_string(),
500    indexed: true,
501    unique: true,
502    multivalue: true,
503    syntax: SyntaxType::ApiToken,
504    ..Default::default()
505};
506
507pub static ref SCHEMA_ATTR_USER_AUTH_TOKEN_SESSION: SchemaAttribute = SchemaAttribute {
508    uuid: UUID_SCHEMA_ATTR_USER_AUTH_TOKEN_SESSION,
509    name: Attribute::UserAuthTokenSession,
510    description: "A session entry related to an issued user auth token".to_string(),
511    indexed: true,
512    unique: true,
513    multivalue: true,
514    syntax: SyntaxType::Session,
515    ..Default::default()
516};
517
518pub static ref SCHEMA_ATTR_OAUTH2_SESSION: SchemaAttribute = SchemaAttribute {
519    uuid: UUID_SCHEMA_ATTR_OAUTH2_SESSION,
520    name: Attribute::OAuth2Session,
521    description: "A session entry to an active oauth2 session, bound to a parent user auth token".to_string(),
522    indexed: true,
523    multivalue: true,
524    syntax: SyntaxType::Oauth2Session,
525    ..Default::default()
526};
527
528pub static ref SCHEMA_ATTR_SYNC_TOKEN_SESSION: SchemaAttribute = SchemaAttribute {
529    uuid: UUID_SCHEMA_ATTR_SYNC_TOKEN_SESSION,
530    name: Attribute::SyncTokenSession,
531    description: "A session entry related to an issued sync token".to_string(),
532    indexed: true,
533    unique: true,
534    syntax: SyntaxType::ApiToken,
535    ..Default::default()
536};
537
538pub static ref SCHEMA_ATTR_SYNC_COOKIE: SchemaAttribute = SchemaAttribute {
539    uuid: UUID_SCHEMA_ATTR_SYNC_COOKIE,
540    name: Attribute::SyncCookie,
541    description: "A private sync cookie for a remote IDM source".to_string(),
542    syntax: SyntaxType::PrivateBinary,
543    ..Default::default()
544};
545
546pub static ref SCHEMA_ATTR_GRANT_UI_HINT: SchemaAttribute = SchemaAttribute {
547    uuid: UUID_SCHEMA_ATTR_GRANT_UI_HINT,
548    name: Attribute::GrantUiHint,
549    description: "A UI hint that is granted via membership to a group".to_string(),
550    indexed: true,
551    multivalue: true,
552    syntax: SyntaxType::UiHint,
553    ..Default::default()
554};
555
556pub static ref SCHEMA_ATTR_SYNC_CREDENTIAL_PORTAL: SchemaAttribute = SchemaAttribute {
557    uuid: UUID_SCHEMA_ATTR_SYNC_CREDENTIAL_PORTAL,
558    name: Attribute::SyncCredentialPortal,
559    description: "The url of an external credential portal for synced accounts to visit to update their credentials".to_string(),
560    syntax: SyntaxType::Url,
561    ..Default::default()
562};
563
564pub static ref SCHEMA_ATTR_SYNC_YIELD_AUTHORITY: SchemaAttribute = SchemaAttribute {
565    uuid: UUID_SCHEMA_ATTR_SYNC_YIELD_AUTHORITY,
566    name: Attribute::SyncYieldAuthority,
567    description: "A set of attributes that have their authority yielded to Kanidm in a sync agreement".to_string(),
568    multivalue: true,
569    syntax: SyntaxType::Utf8StringInsensitive,
570    ..Default::default()
571};
572
573pub static ref SCHEMA_ATTR_CREDENTIAL_TYPE_MINIMUM: SchemaAttribute = SchemaAttribute {
574    uuid: UUID_SCHEMA_ATTR_CREDENTIAL_TYPE_MINIMUM,
575    name: Attribute::CredentialTypeMinimum,
576    description: "The minimum level of credential type that can satisfy this policy".to_string(),
577    multivalue: false,
578    syntax: SyntaxType::CredentialType,
579    ..Default::default()
580};
581
582pub static ref SCHEMA_ATTR_LIMIT_SEARCH_MAX_RESULTS_DL6: SchemaAttribute = SchemaAttribute {
583    uuid: UUID_SCHEMA_ATTR_LIMIT_SEARCH_MAX_RESULTS,
584    name: Attribute::LimitSearchMaxResults,
585    description: "The maximum number of query results that may be returned in a single operation".to_string(),
586    multivalue: false,
587    syntax: SyntaxType::Uint32,
588    ..Default::default()
589};
590
591pub static ref SCHEMA_ATTR_LIMIT_SEARCH_MAX_FILTER_TEST_DL6: SchemaAttribute = SchemaAttribute {
592    uuid: UUID_SCHEMA_ATTR_LIMIT_SEARCH_MAX_FILTER_TEST,
593    name: Attribute::LimitSearchMaxFilterTest,
594    description: "The maximum number of entries that may be examined in a partially indexed query".to_string(),
595    multivalue: false,
596    syntax: SyntaxType::Uint32,
597    ..Default::default()
598};
599
600pub static ref SCHEMA_ATTR_KEY_INTERNAL_DATA_DL6: SchemaAttribute = SchemaAttribute {
601    uuid: UUID_SCHEMA_ATTR_KEY_INTERNAL_DATA,
602    name: Attribute::KeyInternalData,
603    description: "".to_string(),
604    multivalue: true,
605    syntax: SyntaxType::KeyInternal,
606    ..Default::default()
607};
608
609pub static ref SCHEMA_ATTR_KEY_PROVIDER_DL6: SchemaAttribute = SchemaAttribute {
610    uuid: UUID_SCHEMA_ATTR_KEY_PROVIDER,
611    name: Attribute::KeyProvider,
612    description: "".to_string(),
613    multivalue: false,
614    indexed: true,
615    syntax: SyntaxType::ReferenceUuid,
616    ..Default::default()
617};
618
619pub static ref SCHEMA_ATTR_KEY_ACTION_ROTATE_DL6: SchemaAttribute = SchemaAttribute {
620    uuid: UUID_SCHEMA_ATTR_KEY_ACTION_ROTATE,
621    name: Attribute::KeyActionRotate,
622    description: "".to_string(),
623    multivalue: false,
624    // Ephemeral action.
625    phantom: true,
626    syntax: SyntaxType::DateTime,
627    ..Default::default()
628};
629
630pub static ref SCHEMA_ATTR_KEY_ACTION_REVOKE_DL6: SchemaAttribute = SchemaAttribute {
631    uuid: UUID_SCHEMA_ATTR_KEY_ACTION_REVOKE,
632    name: Attribute::KeyActionRevoke,
633    description: "".to_string(),
634    multivalue: true,
635    // Ephemeral action.
636    phantom: true,
637    syntax: SyntaxType::HexString,
638    ..Default::default()
639};
640
641pub static ref SCHEMA_ATTR_KEY_ACTION_IMPORT_JWS_ES256_DL6: SchemaAttribute = SchemaAttribute {
642    uuid: UUID_SCHEMA_ATTR_KEY_ACTION_IMPORT_JWS_ES256,
643    name: Attribute::KeyActionImportJwsEs256,
644    description: "".to_string(),
645    multivalue: true,
646    // Ephemeral action.
647    phantom: true,
648    syntax: SyntaxType::PrivateBinary,
649    ..Default::default()
650};
651
652pub static ref SCHEMA_ATTR_KEY_ACTION_IMPORT_JWS_RS256_DL6: SchemaAttribute = SchemaAttribute {
653    uuid: UUID_SCHEMA_ATTR_KEY_ACTION_IMPORT_JWS_RS256,
654    name: Attribute::KeyActionImportJwsRs256,
655    description: "".to_string(),
656    multivalue: true,
657    // Ephemeral action.
658    phantom: true,
659    syntax: SyntaxType::PrivateBinary,
660    ..Default::default()
661};
662
663pub static ref SCHEMA_ATTR_PATCH_LEVEL_DL7: SchemaAttribute = SchemaAttribute {
664    uuid: UUID_SCHEMA_ATTR_PATCH_LEVEL,
665    name: Attribute::PatchLevel,
666    description: "".to_string(),
667    syntax: SyntaxType::Uint32,
668    ..Default::default()
669};
670
671pub static ref SCHEMA_ATTR_DOMAIN_DEVELOPMENT_TAINT_DL7: SchemaAttribute = SchemaAttribute {
672    uuid: UUID_SCHEMA_ATTR_DOMAIN_DEVELOPMENT_TAINT,
673    name: Attribute::DomainDevelopmentTaint,
674    description: "A flag to show that the domain has been run on a development build, and will need additional work to upgrade/migrate.".to_string(),
675    syntax: SyntaxType::Boolean,
676    ..Default::default()
677};
678
679pub static ref SCHEMA_ATTR_DOMAIN_ALLOW_EASTER_EGGS_DL9: SchemaAttribute = SchemaAttribute {
680    uuid: UUID_SCHEMA_ATTR_DOMAIN_ALLOW_EASTER_EGGS,
681    name: Attribute::DomainAllowEasterEggs,
682    description: "A flag to enable easter eggs in the server that may not always be wanted by all users/deployments.".to_string(),
683    syntax: SyntaxType::Boolean,
684    ..Default::default()
685};
686
687pub static ref SCHEMA_ATTR_IMAGE: SchemaAttribute = SchemaAttribute {
688    uuid: UUID_SCHEMA_ATTR_IMAGE,
689    name: Attribute::Image,
690    description: "An image for display to end users.".to_string(),
691    syntax: SyntaxType::Image,
692    ..Default::default()
693};
694
695pub static ref SCHEMA_ATTR_OAUTH2_DEVICE_FLOW_ENABLE: SchemaAttribute = SchemaAttribute {
696    uuid: UUID_SCHEMA_ATTR_OAUTH2_DEVICE_FLOW_ENABLE,
697    name: Attribute::OAuth2DeviceFlowEnable,
698    description: "Enable the OAuth2 Device Flow for this client.".to_string(),
699    syntax: SyntaxType::Boolean,
700    ..Default::default()
701};
702
703pub static ref SCHEMA_ATTR_LINKED_GROUP_DL8: SchemaAttribute = SchemaAttribute {
704    uuid: UUID_SCHEMA_ATTR_LINKED_GROUP,
705    name: Attribute::LinkedGroup,
706    description: "A reference linking a group to an entry".to_string(),
707    multivalue: false,
708    indexed: true,
709    syntax: SyntaxType::ReferenceUuid,
710    ..Default::default()
711};
712
713pub static ref SCHEMA_ATTR_ALLOW_PRIMARY_CRED_FALLBACK_DL8: SchemaAttribute = SchemaAttribute {
714    uuid: UUID_SCHEMA_ATTR_ALLOW_PRIMARY_CRED_FALLBACK,
715    name: Attribute::AllowPrimaryCredFallback,
716    description: "Allow fallback to primary password if no POSIX password exists".to_string(),
717    multivalue: false,
718    syntax: SyntaxType::Boolean,
719    ..Default::default()
720};
721
722pub static ref SCHEMA_ATTR_CERTIFICATE_DL7: SchemaAttribute = SchemaAttribute {
723    uuid: UUID_SCHEMA_ATTR_CERTIFICATE,
724    name: Attribute::Certificate,
725    description: "An x509 Certificate".to_string(),
726    multivalue: false,
727    syntax: SyntaxType::Certificate,
728    ..Default::default()
729};
730
731pub static ref SCHEMA_ATTR_APPLICATION_PASSWORD_DL8: SchemaAttribute = SchemaAttribute {
732    uuid: UUID_SCHEMA_ATTR_APPLICATION_PASSWORD,
733    name: Attribute::ApplicationPassword,
734    description: "A set of application passwords".to_string(),
735    multivalue: true,
736    indexed: true,
737    syntax: SyntaxType::ApplicationPassword,
738    ..Default::default()
739};
740
741pub static ref SCHEMA_ATTR_APPLICATION_URL: SchemaAttribute = SchemaAttribute {
742    uuid: UUID_SCHEMA_ATTR_APPLICATION_URL,
743    name: Attribute::ApplicationUrl,
744    description: "The URL of an external application".to_string(),
745    syntax: SyntaxType::Url,
746    ..Default::default()
747};
748
749pub static ref SCHEMA_ATTR_MESSAGE_TEMPLATE: SchemaAttribute = SchemaAttribute {
750    uuid: UUID_SCHEMA_ATTR_MESSAGE_TEMPLATE,
751    name: Attribute::MessageTemplate,
752    description: "A JSON object containing the named message template and fields related to a message that can be substituted into the template.".to_string(),
753    syntax: SyntaxType::Message,
754    ..Default::default()
755};
756
757pub static ref SCHEMA_ATTR_SEND_AFTER: SchemaAttribute = SchemaAttribute {
758    uuid: UUID_SCHEMA_ATTR_SEND_AFTER,
759    name: Attribute::SendAfter,
760    description: "The datetime after which this message is allowed to be released to the destination".to_string(),
761    syntax: SyntaxType::DateTime,
762    indexed: true,
763    ..Default::default()
764};
765
766pub static ref SCHEMA_ATTR_DELETE_AFTER: SchemaAttribute = SchemaAttribute {
767    uuid: UUID_SCHEMA_ATTR_DELETE_AFTER,
768    name: Attribute::DeleteAfter,
769    description: "The datetime after which this entry will be deleted.".to_string(),
770    syntax: SyntaxType::DateTime,
771    indexed: true,
772    ..Default::default()
773};
774
775pub static ref SCHEMA_ATTR_SENT_AT: SchemaAttribute = SchemaAttribute {
776    uuid: UUID_SCHEMA_ATTR_SENT_AT,
777    name: Attribute::SentAt,
778    indexed: true,
779    description: "The datetime when this message was sent.".to_string(),
780    syntax: SyntaxType::DateTime,
781    ..Default::default()
782};
783
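/// Schema definition for the `Attribute::MailDestination` attribute: a multivalued set
/// of `EmailAddress` values.
pub static ref SCHEMA_ATTR_MAIL_DESTINATION: SchemaAttribute = SchemaAttribute {
    uuid: UUID_SCHEMA_ATTR_MAIL_DESTINATION,
    name: Attribute::MailDestination,
    // Description previously misspelled "recieve".
    description: "The destination addresses that will receive this message.".to_string(),
    multivalue: true,
    syntax: SyntaxType::EmailAddress,
    ..Default::default()
};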
792
793
// Reference (by uuid) from an account to the OAuth2 client entry that acts as
// its external authentication source. Uses ReferenceUuid, so it is a tracked
// reference rather than a bare Uuid value.
pub static ref SCHEMA_ATTR_OAUTH2_ACCOUNT_PROVIDER: SchemaAttribute = SchemaAttribute {
    name: Attribute::OAuth2AccountProvider,
    uuid: UUID_SCHEMA_ATTR_OAUTH2_ACCOUNT_PROVIDER,
    syntax: SyntaxType::ReferenceUuid,
    description: "The reference to the OAuth2 client that provides authentication for this entry.".to_string(),
    ..Default::default()
};
801
// Opaque credential id used to tie sessions established via OAuth2 back to
// this account. Plain Uuid syntax (not a reference), single valued.
pub static ref SCHEMA_ATTR_OAUTH2_ACCOUNT_CREDENTIAL_UUID: SchemaAttribute = SchemaAttribute {
    name: Attribute::OAuth2AccountCredentialUuid,
    uuid: UUID_SCHEMA_ATTR_OAUTH2_ACCOUNT_CREDENTIAL_UUID,
    syntax: SyntaxType::Uuid,
    description: "The uuid of this credential for session tracking when OAuth2 is used to authenticate.".to_string(),
    ..Default::default()
};
809
// The remote provider's stable identifier for this user (what an OAuth2/OIDC
// provider would return as the subject). Stored as an opaque string.
//
// NOTE(review): this attribute is not declared `unique` or `indexed` here, so
// schema alone does not stop two entries from carrying the same remote id for
// the same provider. Whether the authentication path rejects that case is not
// visible in this file — confirm before relying on it.
pub static ref SCHEMA_ATTR_OAUTH2_ACCOUNT_UNIQUE_USER_ID: SchemaAttribute = SchemaAttribute {
    name: Attribute::OAuth2AccountUniqueUserId,
    uuid: UUID_SCHEMA_ATTR_OAUTH2_ACCOUNT_UNIQUE_USER_ID,
    syntax: SyntaxType::Utf8String,
    description: "The unique user id of this account as known by the remote OAuth2 provider.".to_string(),
    ..Default::default()
};
817
// Client identifier issued by the remote OAuth2 provider. Public value, plain
// string syntax, single valued.
pub static ref SCHEMA_ATTR_OAUTH2_CLIENT_ID: SchemaAttribute = SchemaAttribute {
    name: Attribute::OAuth2ClientId,
    uuid: UUID_SCHEMA_ATTR_OAUTH2_CLIENT_ID,
    syntax: SyntaxType::Utf8String,
    description: "The OAuth2 Client ID".to_string(),
    ..Default::default()
};
825
// Client secret used to authenticate to the remote OAuth2 provider.
//
// Security note: this is declared with the ordinary Utf8String syntax, so the
// schema layer treats it like any other string attribute — it is not marked as
// secret material here. Whatever read/modify access control is applied to this
// attribute elsewhere is therefore the only thing keeping the secret from being
// disclosed through normal search/read paths; confirm that policy exists.
//
// TODO: a secret syntax that CAN be imported from an external source may be
// needed. The existing secret string type denies external modification, which
// is why it is not used here.
pub static ref SCHEMA_ATTR_OAUTH2_CLIENT_SECRET: SchemaAttribute = SchemaAttribute {
    name: Attribute::OAuth2ClientSecret,
    uuid: UUID_SCHEMA_ATTR_OAUTH2_CLIENT_SECRET,
    syntax: SyntaxType::Utf8String,
    description: "The OAuth2 Client Secret".to_string(),
    ..Default::default()
};
835
// Authorisation endpoint of the upstream OAuth2 provider. Url syntax, so the
// value must parse as a URL; no scheme restriction is expressed at this layer.
pub static ref SCHEMA_ATTR_OAUTH2_AUTHORISATION_ENDPOINT: SchemaAttribute = SchemaAttribute {
    name: Attribute::OAuth2AuthorisationEndpoint,
    uuid: UUID_SCHEMA_ATTR_OAUTH2_AUTHORISATION_ENDPOINT,
    syntax: SyntaxType::Url,
    description: "The authorisation url of the OAuth2 provider".to_string(),
    ..Default::default()
};
843
// Token endpoint of the upstream OAuth2 provider (where the client secret is
// presented). Url syntax; no scheme restriction is expressed at this layer.
pub static ref SCHEMA_ATTR_OAUTH2_TOKEN_ENDPOINT: SchemaAttribute = SchemaAttribute {
    name: Attribute::OAuth2TokenEndpoint,
    uuid: UUID_SCHEMA_ATTR_OAUTH2_TOKEN_ENDPOINT,
    syntax: SyntaxType::Url,
    description: "The token url of the OAuth2 provider".to_string(),
    ..Default::default()
};
851
// Scopes this server asks for when it starts an authorisation request against
// the upstream provider. Multi-valued, OauthScope syntax.
pub static ref SCHEMA_ATTR_OAUTH2_REQUEST_SCOPES: SchemaAttribute = SchemaAttribute {
    name: Attribute::OAuth2RequestScopes,
    uuid: UUID_SCHEMA_ATTR_OAUTH2_REQUEST_SCOPES,
    syntax: SyntaxType::OauthScope,
    multivalue: true,
    description: "The set of scopes to request during OAuth2 authorisation requests.".to_string(),
    ..Default::default()
};
860
// Privacy-preserving history of names an entry has used: each value is an HMAC
// digest (stored under the Sha256 syntax), not the former name itself. The key
// used for the HMAC is not defined here.
//
// `unique` + `indexed`: a given digest may exist on only one entry and can be
// looked up directly, which is what allows a former name to be matched back
// without storing it in clear.
pub static ref SCHEMA_ATTR_HMAC_NAME_HISTORY: SchemaAttribute = SchemaAttribute {
    name: Attribute::HmacNameHistory,
    uuid: UUID_SCHEMA_ATTR_HMAC_NAME_HISTORY,
    syntax: SyntaxType::Sha256,
    multivalue: true,
    indexed: true,
    unique: true,
    description: "The set of all names used on an entry, HMACed to preserve privacy.".to_string(),
    ..Default::default()
};
871
// Uuid of the (now deleted) entry a memorial stands in for. Plain Uuid syntax
// rather than ReferenceUuid — the target no longer exists, so it must not be
// a tracked reference. Indexed.
pub static ref SCHEMA_ATTR_IN_MEMORIAM: SchemaAttribute = SchemaAttribute {
    name: Attribute::InMemoriam,
    uuid: UUID_SCHEMA_ATTR_IN_MEMORIAM_UUID,
    syntax: SyntaxType::Uuid,
    indexed: true,
    description: "The uuid of the entry that this memorial is dedicated to.".to_string(),
    ..Default::default()
};
880
// Boolean on/off flag for a feature entry. Explicitly single valued.
pub static ref SCHEMA_ATTR_ENABLED: SchemaAttribute = SchemaAttribute {
    name: Attribute::Enabled,
    uuid: UUID_SCHEMA_ATTR_ENABLED,
    syntax: SyntaxType::Boolean,
    multivalue: false,
    description: "A flag describing if a feature is enabled or disabled.".to_string(),
    ..Default::default()
};
889
890// === classes ===
// A human user. Only `name` is required; everything that carries credential
// material or session state (primary credential, passkeys, SSH keys, RADIUS
// secret, application passwords, sessions, the id-verification EC key) is
// optional. A person can never also be a service account or an application.
// Sync-able from an external source.
pub static ref SCHEMA_CLASS_PERSON_DL8: SchemaClass = SchemaClass {
    name: EntryClass::Person.into(),
    uuid: UUID_SCHEMA_CLASS_PERSON,
    description: "Object representation of a person".to_string(),
    sync_allowed: true,
    systemmust: vec![Attribute::Name],
    systemmay: vec![
        // Credential material
        Attribute::PrimaryCredential,
        Attribute::PassKeys,
        Attribute::AttestedPasskeys,
        Attribute::CredentialUpdateIntentToken,
        Attribute::SshPublicKey,
        Attribute::RadiusSecret,
        Attribute::ApplicationPassword,
        Attribute::IdVerificationEcKey,
        // Sessions and consent
        Attribute::OAuth2ConsentScopeMap,
        Attribute::UserAuthTokenSession,
        Attribute::OAuth2Session,
        // Profile
        Attribute::Mail,
        Attribute::LegalName,
    ],
    systemexcludes: vec![
        EntryClass::ServiceAccount.into(),
        EntryClass::Application.into(),
    ],
    ..Default::default()
};
918
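// Marker class: the entry authenticates through an upstream OAuth2 provider.
// All three attributes are mandatory — the provider reference, the remote
// user id, and the credential uuid that links the trust to a session.
// Requires Person (systemsupplements). Sync-able.
//
// Fix: description was missing the word "account".
//
// NOTE(review): `OAuth2AccountUniqueUserId` is required but is not declared
// unique in its attribute definition, so schema does not prevent two Person
// entries from claiming the same remote id for one provider. Confirm the
// login path handles that case.
pub static ref SCHEMA_CLASS_OAUTH2_ACCOUNT: SchemaClass = SchemaClass {
    name: EntryClass::OAuth2Account.into(),
    uuid: UUID_SCHEMA_CLASS_OAUTH2_ACCOUNT,
    description: "Marker class designating that an account can use OAuth2 for authentication.".to_string(),
    sync_allowed: true,
    systemmust: vec![
        Attribute::OAuth2AccountProvider,
        Attribute::OAuth2AccountUniqueUserId,
        // The "credential id" that allows us to link this trust to a session.
        Attribute::OAuth2AccountCredentialUuid,
    ],
    systemsupplements: vec![EntryClass::Person.into()],
    ..Default::default()
};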
933
// An organisational person: unlike Person, `mail` and `displayname` are
// mandatory here alongside `name`. No supplements/excludes are declared and it
// is not marked sync-able.
pub static ref SCHEMA_CLASS_ORGPERSON: SchemaClass = SchemaClass {
    name: EntryClass::OrgPerson.into(),
    uuid: UUID_SCHEMA_CLASS_ORGPERSON,
    description: "Object representation of an org person".to_string(),
    systemmust: vec![
        Attribute::Name,
        Attribute::DisplayName,
        Attribute::Mail,
    ],
    systemmay: vec![Attribute::LegalName],
    ..Default::default()
};
949
// A group of members. Note that `spn` is the only required attribute at this
// level — `name` is optional on the group class itself. Sync-able.
pub static ref SCHEMA_CLASS_GROUP_DL6: SchemaClass = SchemaClass {
    name: EntryClass::Group.into(),
    uuid: UUID_SCHEMA_CLASS_GROUP,
    description: "Object representation of a group".to_string(),
    sync_allowed: true,
    systemmust: vec![Attribute::Spn],
    systemmay: vec![
        Attribute::Name,
        Attribute::Description,
        Attribute::Mail,
        Attribute::Member,
        Attribute::GrantUiHint,
    ],
    ..Default::default()
};
968
// A group whose membership is computed from a filter. The filter is mandatory;
// the computed `dynmember` set is optional. Must be applied on top of Group.
pub static ref SCHEMA_CLASS_DYNGROUP: SchemaClass = SchemaClass {
    name: EntryClass::DynGroup.into(),
    uuid: UUID_SCHEMA_CLASS_DYNGROUP,
    description: "Object representation of a dynamic group".to_string(),
    systemsupplements: vec![EntryClass::Group.into()],
    systemmust: vec![Attribute::DynGroupFilter],
    systemmay: vec![Attribute::DynMember],
    ..Default::default()
};
979
// Account policy, attached to a Group (systemsupplements) and applied to the
// accounts that are its members. Every policy knob is optional. Several of
// these weaken or strengthen authentication (minimum credential type,
// attestation CA list, primary-credential fallback), so changes to entries of
// this class deserve the same scrutiny as credential changes.
pub static ref SCHEMA_CLASS_ACCOUNT_POLICY_DL8: SchemaClass = SchemaClass {
    name: EntryClass::AccountPolicy.into(),
    uuid: UUID_SCHEMA_CLASS_ACCOUNT_POLICY,
    description: "Policies applied to accounts that are members of a group".to_string(),
    systemsupplements: vec![EntryClass::Group.into()],
    systemmay: vec![
        // Session lifetimes
        Attribute::AuthSessionExpiry,
        Attribute::PrivilegeExpiry,
        // Credential strength
        Attribute::AuthPasswordMinimumLength,
        Attribute::CredentialTypeMinimum,
        Attribute::WebauthnAttestationCaList,
        Attribute::AllowPrimaryCredFallback,
        // Query limits
        Attribute::LimitSearchMaxResults,
        Attribute::LimitSearchMaxFilterTest,
    ],
    ..Default::default()
};
998
// Common account class layered over Person, ServiceAccount or an OAuth2
// resource server. Requires `displayname` and `spn`; validity window and name
// history (clear and HMAC forms) are optional. Sync-able.
pub static ref SCHEMA_CLASS_ACCOUNT_DL5: SchemaClass = SchemaClass {
    name: EntryClass::Account.into(),
    uuid: UUID_SCHEMA_CLASS_ACCOUNT,
    description: "Object representation of an account".to_string(),
    sync_allowed: true,
    systemsupplements: vec![
        EntryClass::Person.into(),
        EntryClass::ServiceAccount.into(),
        EntryClass::OAuth2ResourceServer.into(),
    ],
    systemmust: vec![
        Attribute::Spn,
        Attribute::DisplayName,
    ],
    systemmay: vec![
        Attribute::AccountValidFrom,
        Attribute::AccountExpire,
        Attribute::NameHistory,
        Attribute::HmacNameHistory,
    ],
    ..Default::default()
};
1022
// A non-human account. Requires only `name`; may hold API token sessions, a
// primary credential, SSH keys and OAuth2/UAT session state. Mutually
// exclusive with Person. Sync-able.
pub static ref SCHEMA_CLASS_SERVICE_ACCOUNT_DL7: SchemaClass = SchemaClass {
    name: EntryClass::ServiceAccount.into(),
    uuid: UUID_SCHEMA_CLASS_SERVICE_ACCOUNT,
    description: "Object representation of service account".to_string(),
    sync_allowed: true,
    systemexcludes: vec![EntryClass::Person.into()],
    systemmust: vec![Attribute::Name],
    systemmay: vec![
        Attribute::Description,
        Attribute::Mail,
        // Credentials
        Attribute::PrimaryCredential,
        Attribute::SshPublicKey,
        Attribute::ApiTokenSession,
        // Sessions and consent
        Attribute::UserAuthTokenSession,
        Attribute::OAuth2Session,
        Attribute::OAuth2ConsentScopeMap,
    ],
    ..Default::default()
};
1046
// An account used by an external synchronisation agent. Deliberately excludes
// the Account class, so a sync identity can never also be a login-capable
// account. Only `name` is required.
pub static ref SCHEMA_CLASS_SYNC_ACCOUNT_DL7: SchemaClass = SchemaClass {
    name: EntryClass::SyncAccount.into(),
    uuid: UUID_SCHEMA_CLASS_SYNC_ACCOUNT,
    description: "Object representation of sync account".to_string(),
    systemexcludes: vec![EntryClass::Account.into()],
    systemmust: vec![Attribute::Name],
    systemmay: vec![
        Attribute::SyncTokenSession,
        Attribute::SyncCookie,
        Attribute::SyncCredentialPortal,
        Attribute::SyncYieldAuthority,
    ],
    ..Default::default()
};
1062
// Domain-wide configuration entry. `name`, domain uuid/name and `version` are
// required. Of the optional knobs, `ldap_allow_unix_pw_bind` is a security
// setting (it governs whether LDAP binds may use the unix password) and
// `domain_development_taint` / `domain_allow_easter_eggs` are non-production
// toggles; treat writes to this entry as privileged.
pub static ref SCHEMA_CLASS_DOMAIN_INFO_DL10: SchemaClass = SchemaClass {
    name: EntryClass::DomainInfo.into(),
    uuid: UUID_SCHEMA_CLASS_DOMAIN_INFO,
    description: "Local domain information and configuration".to_string(),
    systemmust: vec![
        Attribute::Name,
        Attribute::DomainUuid,
        Attribute::DomainName,
        Attribute::Version,
    ],
    systemmay: vec![
        Attribute::DomainDisplayName,
        Attribute::DomainSsid,
        Attribute::Image,
        // LDAP interface settings
        Attribute::DomainLdapBasedn,
        Attribute::LdapMaxQueryableAttrs,
        Attribute::LdapAllowUnixPwBind,
        // Upgrade / development state
        Attribute::PatchLevel,
        Attribute::DomainDevelopmentTaint,
        Attribute::DomainAllowEasterEggs,
    ],
    ..Default::default()
};
1087
// POSIX extension for a Group: adds a mandatory gid number. Must be applied on
// top of Group. Sync-able.
pub static ref SCHEMA_CLASS_POSIXGROUP: SchemaClass = SchemaClass {
    name: EntryClass::PosixGroup.into(),
    uuid: UUID_SCHEMA_CLASS_POSIXGROUP,
    description: "Object representation of a posix group, requires group".to_string(),
    sync_allowed: true,
    systemsupplements: vec![EntryClass::Group.into()],
    systemmust: vec![Attribute::GidNumber],
    ..Default::default()
};
1098
// POSIX extension for an Account: mandatory gid number, optional login shell
// and a separate unix password credential. Must be applied on top of Account.
// Sync-able.
pub static ref SCHEMA_CLASS_POSIXACCOUNT: SchemaClass = SchemaClass {
    name: EntryClass::PosixAccount.into(),
    uuid: UUID_SCHEMA_CLASS_POSIXACCOUNT,
    description: "Object representation of a posix account, requires account".to_string(),
    sync_allowed: true,
    systemsupplements: vec![EntryClass::Account.into()],
    systemmust: vec![Attribute::GidNumber],
    systemmay: vec![
        Attribute::LoginShell,
        Attribute::UnixPassword,
    ],
    ..Default::default()
};
1110
// System-wide (topology) configuration. Everything is optional. Holds the
// password badlist and denied-name list as well as the global session/privilege
// expiry defaults.
pub static ref SCHEMA_CLASS_SYSTEM_CONFIG: SchemaClass = SchemaClass {
    name: EntryClass::SystemConfig.into(),
    uuid: UUID_SCHEMA_CLASS_SYSTEM_CONFIG,
    description: "The class representing a system (topologies) configuration options".to_string(),
    systemmay: vec![
        Attribute::Description,
        Attribute::AuthSessionExpiry,
        Attribute::PrivilegeExpiry,
        Attribute::BadlistPassword,
        Attribute::DeniedName,
    ],
    ..Default::default()
};
1125
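// A configured OAuth2 client (historically "resource server") that this
// server issues tokens to. Requires a landing origin and `name`.
//
// The three key attributes at the end of `systemmay` are deprecated — key
// material has moved to the KeyObject classes below — but they remain
// permitted here so that pre-existing entries still validate. Do not add new
// uses of them.
//
// Fix: description typo "epresenting" -> "representing".
pub static ref SCHEMA_CLASS_OAUTH2_RS_DL9: SchemaClass = SchemaClass {
    name: EntryClass::OAuth2ResourceServer.into(),
    uuid: UUID_SCHEMA_CLASS_OAUTH2_RS,
    description: "The class representing a configured OAuth2 Client".to_string(),
    systemmust: vec![
        Attribute::Name,
        Attribute::OAuth2RsOriginLanding,
    ],
    systemmay: vec![
        Attribute::Description,
        Attribute::Image,
        // Redirect / origin policy
        Attribute::OAuth2RsOrigin,
        Attribute::OAuth2StrictRedirectUri,
        Attribute::OAuth2DeviceFlowEnable,
        // Scope and claim mapping
        Attribute::OAuth2RsScopeMap,
        Attribute::OAuth2RsSupScopeMap,
        Attribute::OAuth2RsClaimMap,
        Attribute::OAuth2PreferShortUsername,
        Attribute::OAuth2JwtLegacyCryptoEnable,
        Attribute::OAuth2Session,
        // Deprecated — retained for existing entries only.
        Attribute::Rs256PrivateKeyDer,
        Attribute::OAuth2RsTokenKey,
        Attribute::Es256PrivateKeyDer,
    ],
    ..Default::default()
};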
1154
// Confidential OAuth2 client authenticating with HTTP Basic. The basic secret
// is mandatory. The only optional attribute is the explicit opt-out from PKCE
// (`oauth2_allow_insecure_client_disable_pkce`); its name is deliberately
// alarming — enabling it removes the authorisation-code interception
// protection for that client. Mutually exclusive with the public client class.
pub static ref SCHEMA_CLASS_OAUTH2_RS_BASIC_DL5: SchemaClass = SchemaClass {
    name: EntryClass::OAuth2ResourceServerBasic.into(),
    uuid: UUID_SCHEMA_CLASS_OAUTH2_RS_BASIC,
    description: "The class representing a configured OAuth2 client authenticated with HTTP basic authentication".to_string(),
    systemexcludes: vec![EntryClass::OAuth2ResourceServerPublic.into()],
    systemmust: vec![Attribute::OAuth2RsBasicSecret],
    systemmay: vec![Attribute::OAuth2AllowInsecureClientDisablePkce],
    ..Default::default()
};
1167
1168// Introduced in DomainLevel4
// Public OAuth2 client (no client secret; relies on PKCE). The single optional
// attribute permits localhost redirect URIs, which is a relaxation of redirect
// validation intended for native/CLI clients — review before enabling.
// Mutually exclusive with the basic-auth client class.
pub static ref SCHEMA_CLASS_OAUTH2_RS_PUBLIC_DL4: SchemaClass = SchemaClass {
    name: EntryClass::OAuth2ResourceServerPublic.into(),
    uuid: UUID_SCHEMA_CLASS_OAUTH2_RS_PUBLIC,
    description: "The class representing a configured Public OAuth2 Client with PKCE verification".to_string(),
    systemexcludes: vec![EntryClass::OAuth2ResourceServerBasic.into()],
    systemmay: vec![Attribute::OAuth2AllowLocalhostRedirect],
    ..Default::default()
};
1178
// An upstream OAuth2 provider that this server authenticates *against*
// (the inverse of the resource-server classes). Every attribute is mandatory,
// including the client secret, so an entry of this class always carries
// credential material — note the secret attribute is declared with plain
// Utf8String syntax, so protection relies on access control rather than the
// schema. No optional attributes.
pub static ref SCHEMA_CLASS_OAUTH2_CLIENT: SchemaClass = SchemaClass {
    name: EntryClass::OAuth2Client.into(),
    uuid: UUID_SCHEMA_CLASS_OAUTH2_CLIENT,
    description: "The class representing a configured OAuth2 Confidential Client acting as an authentication source".to_string(),
    systemmay: Vec::new(),
    systemmust: vec![
        Attribute::Name,
        // Credentials for the upstream provider
        Attribute::OAuth2ClientId,
        Attribute::OAuth2ClientSecret,
        // Provider endpoints and requested scopes
        Attribute::OAuth2AuthorisationEndpoint,
        Attribute::OAuth2TokenEndpoint,
        Attribute::OAuth2RequestScopes,
    ],
    ..Default::default()
};
1194
1195// =========================================
1196// KeyProviders
1197
// Base class for a key provider (something that stores keys and performs
// cryptographic operations). Requires `name`; must be combined with a concrete
// provider class — currently only the internal provider.
pub static ref SCHEMA_CLASS_KEY_PROVIDER_DL6: SchemaClass = SchemaClass {
    name: EntryClass::KeyProvider.into(),
    uuid: UUID_SCHEMA_CLASS_KEY_PROVIDER,
    description: "A provider for cryptographic key storage and operations".to_string(),
    systemsupplements: vec![EntryClass::KeyProviderInternal.into()],
    systemmust: vec![Attribute::Name],
    systemmay: vec![Attribute::Description],
    ..Default::default()
};
1213
// Marker for the built-in key provider. Adds no attributes of its own.
pub static ref SCHEMA_CLASS_KEY_PROVIDER_INTERNAL_DL6: SchemaClass = SchemaClass {
    name: EntryClass::KeyProviderInternal.into(),
    uuid: UUID_SCHEMA_CLASS_KEY_PROVIDER_INTERNAL,
    description: "The Kanidm internal cryptographic key provider".to_string(),
    ..Default::default()
};
1220
1221// =========================================
1222// KeyObjects
1223
// Base class for a key object. The only requirement is the reference to the
// provider that owns it; capability marker classes below say what the key
// must be able to do.
pub static ref SCHEMA_CLASS_KEY_OBJECT_DL6: SchemaClass = SchemaClass {
    name: EntryClass::KeyObject.into(),
    uuid: UUID_SCHEMA_CLASS_KEY_OBJECT,
    description: "A cryptographic key object that can be used by a provider".to_string(),
    systemmust: vec![Attribute::KeyProvider],
    ..Default::default()
};
1233
// Capability marker: the key object must support JWT signing with ES256
// (ECDSA P-256 / SHA-256). Applies on top of KeyObject.
pub static ref SCHEMA_CLASS_KEY_OBJECT_JWT_ES256_DL6: SchemaClass = SchemaClass {
    name: EntryClass::KeyObjectJwtEs256.into(),
    uuid: UUID_SCHEMA_CLASS_KEY_OBJECT_JWT_ES256,
    description: "A marker class indicating that this keyobject must provide jwt es256 capability.".to_string(),
    systemsupplements: vec![EntryClass::KeyObject.into()],
    ..Default::default()
};
1243
// Capability marker: the key object must support JWT signing with RS256
// (RSA PKCS#1 v1.5 / SHA-256). Applies on top of KeyObject.
pub static ref SCHEMA_CLASS_KEY_OBJECT_JWT_RS256: SchemaClass = SchemaClass {
    name: EntryClass::KeyObjectJwtRs256.into(),
    uuid: UUID_SCHEMA_CLASS_KEY_OBJECT_JWT_RS256,
    description: "A marker class indicating that this keyobject must provide jwt rs256 capability.".to_string(),
    systemsupplements: vec![EntryClass::KeyObject.into()],
    ..Default::default()
};
1253
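// Capability marker: the key object must support JWE content encryption with
// A128GCM (AES-128-GCM). Applies on top of KeyObject.
//
// Fix: the description previously said "aes-256-gcm", which contradicts the
// class name and uuid (A128GCM). The description now matches the class; if
// the internal provider actually uses a 256-bit key for this marker, the
// class name — not this string — is what should change.
pub static ref SCHEMA_CLASS_KEY_OBJECT_JWE_A128GCM_DL6: SchemaClass = SchemaClass {
    name: EntryClass::KeyObjectJweA128GCM.into(),
    uuid: UUID_SCHEMA_CLASS_KEY_OBJECT_JWE_A128GCM,
    description: "A marker class indicating that this keyobject must provide jwe aes-128-gcm (A128GCM) capability.".to_string(),
    systemsupplements: vec![EntryClass::KeyObject.into()],
    ..Default::default()
};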
1263
// Capability marker: the key object must support HKDF key derivation with
// HMAC-SHA-256. Applies on top of KeyObject.
pub static ref SCHEMA_CLASS_KEY_OBJECT_HKDF_S256: SchemaClass = SchemaClass {
    name: EntryClass::KeyObjectHkdfS256.into(),
    uuid: UUID_SCHEMA_CLASS_KEY_OBJECT_HKDF_S256,
    description: "A marker class indicating that this keyobject must provide hmac kdf sha256 capability.".to_string(),
    systemsupplements: vec![EntryClass::KeyObject.into()],
    ..Default::default()
};
1273
// Key object backed by the internal provider. Its key material lives in the
// optional `key_internal_data` attribute; read access to that attribute is
// equivalent to holding the key, so it must be restricted accordingly.
// Applies on top of KeyObject.
pub static ref SCHEMA_CLASS_KEY_OBJECT_INTERNAL_DL6: SchemaClass = SchemaClass {
    name: EntryClass::KeyObjectInternal.into(),
    uuid: UUID_SCHEMA_CLASS_KEY_OBJECT_INTERNAL,
    description: "A cryptographic key object that can be used by the internal provider".to_string(),
    systemsupplements: vec![EntryClass::KeyObject.into()],
    systemmay: vec![Attribute::KeyInternalData],
    ..Default::default()
};
1286
1287// =========================================
1288
// A client (mTLS) authentication certificate bound to another entry. Both the
// certificate and the `refers` link to its owner are mandatory; there are no
// optional attributes.
pub static ref SCHEMA_CLASS_CLIENT_CERTIFICATE_DL7: SchemaClass = SchemaClass {
    name: EntryClass::ClientCertificate.into(),
    uuid: UUID_SCHEMA_CLASS_CLIENT_CERTIFICATE,
    description: "A client authentication certificate".to_string(),
    systemmust: vec![
        Attribute::Certificate,
        Attribute::Refers,
    ],
    systemmay: Vec::new(),
    ..Default::default()
};
1300
// An application entry. Requires a linked group; may carry a URL. Currently
// layered on ServiceAccount (systemsupplements).
//
// Design note carried over from the original: this may change before release.
// It is plausible that an OAuth2 application should own application passwords,
// or that Application becomes its own thing; service accounts alone don't
// quite fit either (they have API tokens, which is most — but not all — of
// what is wanted here).
pub static ref SCHEMA_CLASS_APPLICATION: SchemaClass = SchemaClass {
    name: EntryClass::Application.into(),
    uuid: UUID_SCHEMA_CLASS_APPLICATION,
    description: "The class representing an application".to_string(),
    systemsupplements: vec![EntryClass::ServiceAccount.into()],
    systemmust: vec![Attribute::LinkedGroup],
    systemmay: vec![Attribute::ApplicationUrl],
    ..Default::default()
};
1318
1319// Messaging
1320
// A queued outbound message (typically email). The template, the earliest send
// time and the expiry time are all mandatory; the sent timestamp and recipient
// list are optional. Nothing here restricts who may create these entries —
// that is a matter for access control elsewhere.
pub static ref SCHEMA_CLASS_OUTBOUND_MESSAGE: SchemaClass = SchemaClass {
    name: EntryClass::OutboundMessage.into(),
    uuid: UUID_SCHEMA_CLASS_OUTBOUND_MESSAGE,
    description: "A class representing a message that is to be sent externally to a user in some way, generally via email.".to_string(),
    systemmust: vec![
        Attribute::MessageTemplate,
        Attribute::SendAfter,
        Attribute::DeleteAfter,
    ],
    systemmay: vec![
        Attribute::MailDestination,
        Attribute::SentAt,
    ],
    ..Default::default()
};
1338
// A feature-flag entry. `name` and `description` are required; the `enabled`
// boolean is optional, so an entry with the flag absent is possible and
// consumers must decide how to treat that case.
pub static ref SCHEMA_CLASS_FEATURE: SchemaClass = SchemaClass {
    name: EntryClass::Feature.into(),
    uuid: UUID_SCHEMA_CLASS_FEATURE,
    description: "The class representing the state of a feature.".to_string(),
    systemmust: vec![
        Attribute::Name,
        Attribute::Description,
    ],
    systemmay: vec![Attribute::Enabled],
    ..Default::default()
};
1352
// Tombstone-like record for a deleted entry. Requires the uuid of the entry it
// commemorates and may retain that entry's HMAC'd name history (so former
// names stay reserved/recognisable without storing them in clear).
pub static ref SCHEMA_CLASS_MEMORIAL: SchemaClass = SchemaClass {
    name: EntryClass::Memorial.into(),
    uuid: UUID_SCHEMA_CLASS_MEMORIAL,
    description: "The class representing a memorial to an entry that has been deleted.".to_string(),
    systemmust: vec![Attribute::InMemoriam],
    systemmay: vec![Attribute::HmacNameHistory],
    ..Default::default()
};
1365
1366);