From eaea730e42201ddbedbbf377179d12bb9b2f1a20 Mon Sep 17 00:00:00 2001 From: zofskeez <24611656+zofskeez@users.noreply.github.com> Date: Fri, 19 Jun 2026 13:32:08 +0000 Subject: [PATCH 1/2] auto: openapi spec update --- openapi.json | 15460 ++++++++++++++++++++++++++----------------------- 1 file changed, 8339 insertions(+), 7121 deletions(-) diff --git a/openapi.json b/openapi.json index 53e5fde..8bad4e3 100644 --- a/openapi.json +++ b/openapi.json @@ -29722,77 +29722,8 @@ } } }, - "/{pki_external_ca_mount_path}/lookup/cert/{serial}": { - "description": "Return information about a certificate", - "parameters": [ - { - "name": "serial", - "description": "Serial number", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "pki_external_ca_mount_path", - "description": "Path that the backend was mounted at", - "in": "path", - "schema": { - "type": "string", - "default": "pki-external-ca" - }, - "required": true - } - ], - "get": { - "operationId": "pki-external-ca-read-lookup-cert-serial", - "tags": [ - "secrets" - ], - "responses": { - "200": { - "description": "OK" - } - } - } - }, - "/{pki_external_ca_mount_path}/lookup/order/{order_id}": { - "description": "Check order status", - "parameters": [ - { - "name": "order_id", - "description": "Order ID", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "pki_external_ca_mount_path", - "description": "Path that the backend was mounted at", - "in": "path", - "schema": { - "type": "string", - "default": "pki-external-ca" - }, - "required": true - } - ], - "get": { - "operationId": "pki-external-ca-read-lookup-order-order_id", - "tags": [ - "secrets" - ], - "responses": { - "200": { - "description": "OK" - } - } - } - }, - "/{pki_external_ca_mount_path}/lookup/orders/": { + "/{pki_external_ca_mount_path}/config/dns/": { + "description": "List all DNS configurations", "parameters": [ { "name": "pki_external_ca_mount_path", 
@@ -29806,7 +29737,7 @@ } ], "get": { - "operationId": "pki-external-ca-list-lookup-orders", + "operationId": "pki-external-ca-list-config-dns", "tags": [ "secrets" ], @@ -29838,7 +29769,8 @@ } } }, - "/{pki_external_ca_mount_path}/role/": { + "/{pki_external_ca_mount_path}/config/dns/aws-route53/": { + "description": "List aws-route53 DNS configurations", "parameters": [ { "name": "pki_external_ca_mount_path", @@ -29852,7 +29784,7 @@ } ], "get": { - "operationId": "pki-external-ca-list-role", + "operationId": "pki-external-ca-list-config-dns-aws-route53", "tags": [ "secrets" ], @@ -29884,12 +29816,12 @@ } } }, - "/{pki_external_ca_mount_path}/role/{name}": { - "description": "Role configuration", + "/{pki_external_ca_mount_path}/config/dns/aws-route53/{name}": { + "description": "Configure AWS Route53 DNS provider for DNS-01 ACME challenges", "parameters": [ { "name": "name", - "description": "Name of the role", + "description": "Name of the aws-route53 DNS configuration", "in": "path", "schema": { "type": "string" @@ -29909,18 +29841,25 @@ ], "x-vault-createSupported": true, "get": { - "operationId": "pki-external-ca-read-role-name", + "operationId": "pki-external-ca-read-config-dns-aws-route53", "tags": [ "secrets" ], "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiExternalCaReadConfigDnsAwsRoute53Response" + } + } + } } } }, "post": { - "operationId": "pki-external-ca-write-role-name", + "operationId": "pki-external-ca-write-config-dns-aws-route53", "tags": [ "secrets" ], 
@@ -29929,40 +29868,39 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiExternalCaWriteRoleNameRequest" + "$ref": "#/components/schemas/PkiExternalCaWriteConfigDnsAwsRoute53Request" } } } }, "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiExternalCaWriteConfigDnsAwsRoute53Response" + } + } + } } } }, "delete": { - "operationId": "pki-external-ca-delete-role-name", + "operationId": "pki-external-ca-delete-config-dns-aws-route53", "tags": [ "secrets" ], "responses": { "204": { - "description": "empty body" + "description": "No Content - Successfully deleted" } } } }, - "/{pki_external_ca_mount_path}/role/{name}/active-orders/": { + "/{pki_external_ca_mount_path}/config/dns/azure-dns/": { + "description": "List azure-dns DNS configurations", "parameters": [ - { - "name": "name", - "description": "Name of the role", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_external_ca_mount_path", "description": "Path that the backend was mounted at", @@ -29975,7 +29913,7 @@ } ], "get": { - "operationId": "pki-external-ca-list-role-name-active-orders", + "operationId": "pki-external-ca-list-config-dns-azure-dns", "tags": [ "secrets" ], @@ -30007,12 +29945,12 @@ } } }, - "/{pki_external_ca_mount_path}/role/{name}/cached": { - "description": "Retrieve a previously issued certificate from cache", + "/{pki_external_ca_mount_path}/config/dns/azure-dns/{name}": { + "description": "Configure Azure DNS provider for DNS-01 ACME challenges", "parameters": [ { "name": "name", - "description": "Name of the role", + "description": "Name of the azure-dns DNS configuration", "in": "path", "schema": { "type": "string" 
@@ -30030,43 +29968,27 @@ "required": true } ], + "x-vault-createSupported": true, "get": { - "operationId": "pki-external-ca-read-role-name-cached", + "operationId": "pki-external-ca-read-config-dns-azure-dns", "tags": [ "secrets" ], "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiExternalCaReadConfigDnsAzureDnsResponse" + } + } + } } } - } - }, - "/{pki_external_ca_mount_path}/role/{name}/new-order": { - "description": "Create a new ACME order for a role", - "parameters": [ - { - "name": "name", - "description": "Name of the role", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "pki_external_ca_mount_path", - "description": "Path that the backend was mounted at", - "in": "path", - "schema": { - "type": "string", - "default": "pki-external-ca" - }, - "required": true - } - ], + }, "post": { - "operationId": "pki-external-ca-write-role-name-new-order", + "operationId": "pki-external-ca-write-config-dns-azure-dns", "tags": [ "secrets" ], 
@@ -30075,39 +29997,39 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiExternalCaWriteRoleNameNewOrderRequest" + "$ref": "#/components/schemas/PkiExternalCaWriteConfigDnsAzureDnsRequest" } } } }, "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiExternalCaWriteConfigDnsAzureDnsResponse" + } + } + } + } + } + }, + "delete": { + "operationId": "pki-external-ca-delete-config-dns-azure-dns", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "No Content - Successfully deleted" } } } }, - "/{pki_external_ca_mount_path}/role/{name}/order/{order_id}/challenge": { - "description": "Get challenge for one of order's identifiers", + "/{pki_external_ca_mount_path}/config/dns/google-cloud-dns/": { + "description": "List google-cloud-dns DNS configurations", "parameters": [ - { - "name": "name", - "description": "Name of the role", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "order_id", - "description": "Order ID", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_external_ca_mount_path", "description": "Path that the backend was mounted at", 
@@ -30120,32 +30042,44 @@ } ], "get": { - "operationId": "pki-external-ca-read-role-name-order-order_id-challenge", + "operationId": "pki-external-ca-list-config-dns-google-cloud-dns", "tags": [ "secrets" ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } } } } }, - "/{pki_external_ca_mount_path}/role/{name}/order/{order_id}/fetch-cert": { - "description": "Report ready challenge for one of order's identifiers", + "/{pki_external_ca_mount_path}/config/dns/google-cloud-dns/{name}": { + "description": "Configure Google Cloud DNS provider for DNS-01 ACME challenges", "parameters": [ { "name": "name", - "description": "Name of the role", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "order_id", - "description": "Order ID", + "description": "Name of the google-cloud-dns DNS configuration", "in": "path", "schema": { "type": "string" 
@@ -30163,52 +30097,27 @@ "required": true } ], + "x-vault-createSupported": true, "get": { - "operationId": "pki-external-ca-read-role-name-order-order_id-fetch-cert", + "operationId": "pki-external-ca-read-config-dns-google-cloud-dns", "tags": [ "secrets" ], "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiExternalCaReadConfigDnsGoogleCloudDnsResponse" + } + } + } } } - } - }, - "/{pki_external_ca_mount_path}/role/{name}/order/{order_id}/fulfilled-challenge": { - "description": "Report ready challenge for one of order's identifiers", - "parameters": [ - { - "name": "name", - "description": "Name of the role", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "order_id", - "description": "Order ID", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "pki_external_ca_mount_path", - "description": "Path that the backend was mounted at", - "in": "path", - "schema": { - "type": "string", - "default": "pki-external-ca" - }, - "required": true - } - ], + }, "post": { - "operationId": "pki-external-ca-write-role-name-order-order_id-fulfilled-challenge", + "operationId": "pki-external-ca-write-config-dns-google-cloud-dns", "tags": [ "secrets" ], 
@@ -30217,39 +30126,39 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiExternalCaWriteRoleNameOrderOrder_idFulfilledChallengeRequest" + "$ref": "#/components/schemas/PkiExternalCaWriteConfigDnsGoogleCloudDnsRequest" } } } }, "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiExternalCaWriteConfigDnsGoogleCloudDnsResponse" + } + } + } + } + } + }, + "delete": { + "operationId": "pki-external-ca-delete-config-dns-google-cloud-dns", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "No Content - Successfully deleted" } } } }, - "/{pki_external_ca_mount_path}/role/{name}/order/{order_id}/revoke": { - "description": "Revoke an order's certificate with a specified reason", + "/{pki_external_ca_mount_path}/config/dns/rfc2136/": { + "description": "List rfc2136 DNS configurations", "parameters": [ - { - "name": "name", - "description": "Name of the role", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "order_id", - "description": "Order ID", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_external_ca_mount_path", "description": "Path that the backend was mounted at", 
@@ -30261,43 +30170,45 @@ "required": true } ], - "post": { - "operationId": "pki-external-ca-write-role-name-order-order_id-revoke", + "get": { + "operationId": "pki-external-ca-list-config-dns-rfc2136", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiExternalCaWriteRoleNameOrderOrder_idRevokeRequest" - } - } + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true } - }, + ], "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } } } } }, - "/{pki_external_ca_mount_path}/role/{name}/order/{order_id}/status": { - "description": "Check order status", + "/{pki_external_ca_mount_path}/config/dns/rfc2136/{name}": { + "description": "Configure RFC2136 DNS provider for DNS-01 ACME challenges", "parameters": [ { "name": "name", - "description": "Name of the role", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "order_id", - "description": "Order ID", + "description": "Name of the rfc2136 DNS configuration", "in": "path", "schema": { "type": "string" 
@@ -30315,44 +30226,27 @@ "required": true } ], + "x-vault-createSupported": true, "get": { - "operationId": "pki-external-ca-read-role-name-order-order_id-status", + "operationId": "pki-external-ca-read-config-dns-rfc2136", "tags": [ "secrets" ], "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiExternalCaReadConfigDnsRfc2136Response" + } + } + } } } - } - }, - "/{pki_mount_path}/acme/account/{kid}": { - "description": "An endpoint implementing the standard ACME protocol", - "parameters": [ - { - "name": "kid", - "description": "The key identifier provided by the CA", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "pki_mount_path", - "description": "Path that the backend was mounted at", - "in": "path", - "schema": { - "type": "string", - "default": "pki" - }, - "required": true - } - ], - "x-vault-unauthenticated": true, + }, "post": { - "operationId": "pki-write-acme-account-kid", + "operationId": "pki-external-ca-write-config-dns-rfc2136", "tags": [ "secrets" ], 
@@ -30361,44 +30255,52 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteAcmeAccountKidRequest" + "$ref": "#/components/schemas/PkiExternalCaWriteConfigDnsRfc2136Request" } } } }, "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiExternalCaWriteConfigDnsRfc2136Response" + } + } + } + } + } + }, + "delete": { + "operationId": "pki-external-ca-delete-config-dns-rfc2136", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "No Content - Successfully deleted" } } } }, - "/{pki_mount_path}/acme/authorization/{auth_id}": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_external_ca_mount_path}/dns/test/workflow": { + "description": "Tests a DNS provider by creating a TXT record", "parameters": [ { - "name": "auth_id", - "description": "ACME authorization identifier value", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "pki_mount_path", + "name": "pki_external_ca_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "pki" + "default": "pki-external-ca" }, "required": true } ], - "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-acme-authorization-auth_id", + "operationId": "pki-external-ca-write-dns-test-workflow", "tags": [ "secrets" ], 
@@ -30407,33 +30309,31 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteAcmeAuthorizationAuth_idRequest" + "$ref": "#/components/schemas/PkiExternalCaWriteDnsTestWorkflowRequest" } } } }, "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiExternalCaWriteDnsTestWorkflowResponse" + } + } + } } } } }, - "/{pki_mount_path}/acme/challenge/{auth_id}/{challenge_type}": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_external_ca_mount_path}/lookup/cert/{serial}": { + "description": "Return information about a certificate", "parameters": [ { - "name": "auth_id", - "description": "ACME authorization identifier value", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "challenge_type", - "description": "ACME challenge type", + "name": "serial", + "description": "Serial number", "in": "path", "schema": { "type": "string" @@ -30441,32 +30341,21 @@ "required": true }, { - "name": "pki_mount_path", + "name": "pki_external_ca_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "pki" + "default": "pki-external-ca" }, "required": true } ], - "x-vault-unauthenticated": true, - "post": { - "operationId": "pki-write-acme-challenge-auth_id-challenge_type", + "get": { + "operationId": "pki-external-ca-read-lookup-cert-serial", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteAcmeChallengeAuth_idChallenge_typeRequest" - } - } - } - }, "responses": { "200": { "description": "OK" 
@@ -30474,23 +30363,31 @@ } } }, - "/{pki_mount_path}/acme/directory": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_external_ca_mount_path}/lookup/order/{order_id}": { + "description": "Check order status", "parameters": [ { - "name": "pki_mount_path", + "name": "order_id", + "description": "Order ID", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_external_ca_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "pki" + "default": "pki-external-ca" }, "required": true } ], - "x-vault-unauthenticated": true, "get": { - "operationId": "pki-read-acme-directory", + "operationId": "pki-external-ca-read-lookup-order-order_id", "tags": [ "secrets" ], @@ -30501,22 +30398,21 @@ } } }, - "/{pki_mount_path}/acme/mgmt/account/keyid/": { - "description": "List all ACME account key identifiers.", + "/{pki_external_ca_mount_path}/lookup/orders/": { "parameters": [ { - "name": "pki_mount_path", + "name": "pki_external_ca_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "pki" + "default": "pki-external-ca" }, "required": true } ], "get": { - "operationId": "pki-list-acme-account-keys", + "operationId": "pki-external-ca-list-lookup-orders", "tags": [ "secrets" ], 
@@ -30548,79 +30444,89 @@ } } }, - "/{pki_mount_path}/acme/mgmt/account/keyid/{keyid}": { - "description": "Fetch the details or update the status of an ACME account by key identifier.", + "/{pki_external_ca_mount_path}/role/": { "parameters": [ { - "name": "keyid", - "description": "The key identifier of the account.", + "name": "pki_external_ca_mount_path", + "description": "Path that the backend was mounted at", "in": "path", "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "pki_mount_path", - "description": "Path that the backend was mounted at", - "in": "path", - "schema": { - "type": "string", - "default": "pki" + "type": "string", + "default": "pki-external-ca" }, "required": true } ], "get": { - "operationId": "pki-read-acme-key-id", + "operationId": "pki-external-ca-list-role", "tags": [ "secrets" ], - "responses": { - "200": { - "description": "OK" + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true } - } - }, - "post": { - "operationId": "pki-write-acme-key-id", - "tags": [ - "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteAcmeKeyIdRequest" - } - } - } - }, "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } } } } }, - "/{pki_mount_path}/acme/new-account": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_external_ca_mount_path}/role/{name}": { + "description": "Role configuration", "parameters": [ { - "name": "pki_mount_path", + "name": "name", + "description": "Name of the role", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_external_ca_mount_path", "description": "Path that the backend 
was mounted at", "in": "path", "schema": { "type": "string", - "default": "pki" + "default": "pki-external-ca" }, "required": true } ], - "x-vault-unauthenticated": true, + "x-vault-createSupported": true, + "get": { + "operationId": "pki-external-ca-read-role-name", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, "post": { - "operationId": "pki-write-acme-new-account", + "operationId": "pki-external-ca-write-role-name", "tags": [ "secrets" ], @@ -30629,7 +30535,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteAcmeNewAccountRequest" + "$ref": "#/components/schemas/PkiExternalCaWriteRoleNameRequest" } } } 
@@ -30639,34 +30545,67 @@ "description": "OK" } } + }, + "delete": { + "operationId": "pki-external-ca-delete-role-name", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } } }, - "/{pki_mount_path}/acme/new-eab": { - "description": "Generate external account bindings to be used for ACME", + "/{pki_external_ca_mount_path}/role/{name}/active-orders/": { "parameters": [ { - "name": "pki_mount_path", + "name": "name", + "description": "Name of the role", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_external_ca_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "pki" + "default": "pki-external-ca" }, "required": true } ], - "post": { - "operationId": "pki-generate-eab-key", + "get": { + "operationId": "pki-external-ca-list-role-name-active-orders", "tags": [ "secrets" ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiGenerateEabKeyResponse" + "$ref": "#/components/schemas/StandardListResponse" } } } 
@@ -30674,23 +30613,31 @@ } } }, - "/{pki_mount_path}/acme/new-nonce": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_external_ca_mount_path}/role/{name}/cached": { + "description": "Retrieve a previously issued certificate from cache", "parameters": [ { - "name": "pki_mount_path", + "name": "name", + "description": "Name of the role", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_external_ca_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "pki" + "default": "pki-external-ca" }, "required": true } ], - "x-vault-unauthenticated": true, "get": { - "operationId": "pki-read-acme-new-nonce", + "operationId": "pki-external-ca-read-role-name-cached", "tags": [ "secrets" ], @@ -30701,23 +30648,31 @@ } } }, - "/{pki_mount_path}/acme/new-order": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_external_ca_mount_path}/role/{name}/new-order": { + "description": "Create a new ACME order for a role", "parameters": [ { - "name": "pki_mount_path", + "name": "name", + "description": "Name of the role", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_external_ca_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "pki" + "default": "pki-external-ca" }, "required": true } ], - "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-acme-new-order", + "operationId": "pki-external-ca-write-role-name-new-order", "tags": [ "secrets" ], @@ -30726,7 +30681,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteAcmeNewOrderRequest" + "$ref": "#/components/schemas/PkiExternalCaWriteRoleNameNewOrderRequest" } } } 
@@ -30738,12 +30693,21 @@ } } }, - "/{pki_mount_path}/acme/order/{order_id}": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_external_ca_mount_path}/role/{name}/order/{order_id}/challenge": { + "description": "Get challenge for one of order's identifiers", "parameters": [ + { + "name": "name", + "description": "Name of the role", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, { "name": "order_id", - "description": "The ACME order identifier to fetch", + "description": "Order ID", "in": "path", "schema": { "type": "string" @@ -30751,32 +30715,21 @@ "required": true }, { - "name": "pki_mount_path", + "name": "pki_external_ca_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "pki" + "default": "pki-external-ca" }, "required": true } ], - "x-vault-unauthenticated": true, - "post": { - "operationId": "pki-write-acme-order-order_id", + "get": { + "operationId": "pki-external-ca-read-role-name-order-order_id-challenge", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteAcmeOrderOrder_idRequest" - } - } - } - }, "responses": { "200": { "description": "OK" @@ -30784,12 +30737,21 @@ } } }, - "/{pki_mount_path}/acme/order/{order_id}/cert": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_external_ca_mount_path}/role/{name}/order/{order_id}/fetch-cert": { + "description": "Report ready challenge for one of order's identifiers", "parameters": [ + { + "name": "name", + "description": "Name of the role", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, { "name": "order_id", - "description": "The ACME order identifier to fetch", + "description": "Order ID", "in": "path", "schema": { "type": "string" 
@@ -30797,32 +30759,21 @@ "required": true }, { - "name": "pki_mount_path", + "name": "pki_external_ca_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "pki" + "default": "pki-external-ca" }, "required": true } ], - "x-vault-unauthenticated": true, - "post": { - "operationId": "pki-write-acme-order-order_id-cert", + "get": { + "operationId": "pki-external-ca-read-role-name-order-order_id-fetch-cert", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteAcmeOrderOrder_idCertRequest" - } - } - } - }, "responses": { "200": { "description": "OK" @@ -30830,12 +30781,12 @@ } } }, - "/{pki_mount_path}/acme/order/{order_id}/finalize": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_external_ca_mount_path}/role/{name}/order/{order_id}/fulfilled-challenge": { + "description": "Report ready challenge for one of order's identifiers", "parameters": [ { - "name": "order_id", - "description": "The ACME order identifier to fetch", + "name": "name", + "description": "Name of the role", "in": "path", "schema": { "type": "string" @@ -30843,19 +30794,27 @@ "required": true }, { - "name": "pki_mount_path", - "description": "Path that the backend was mounted at", + "name": "order_id", + "description": "Order ID", "in": "path", "schema": { - "type": "string", - "default": "pki" + "type": "string" + }, + "required": true + }, + { + "name": "pki_external_ca_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki-external-ca" }, "required": true } ], - "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-acme-order-order_id-finalize", + "operationId": "pki-external-ca-write-role-name-order-order_id-fulfilled-challenge", "tags": [ "secrets" ], 
@@ -30864,7 +30823,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteAcmeOrderOrder_idFinalizeRequest" + "$ref": "#/components/schemas/PkiExternalCaWriteRoleNameOrderOrder_idFulfilledChallengeRequest" } } } @@ -30876,23 +30835,40 @@ } } }, - "/{pki_mount_path}/acme/orders": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_external_ca_mount_path}/role/{name}/order/{order_id}/revoke": { + "description": "Revoke an order's certificate with a specified reason", "parameters": [ { - "name": "pki_mount_path", + "name": "name", + "description": "Name of the role", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "order_id", + "description": "Order ID", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_external_ca_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "pki" + "default": "pki-external-ca" }, "required": true } ], - "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-acme-orders", + "operationId": "pki-external-ca-write-role-name-order-order_id-revoke", "tags": [ "secrets" ], @@ -30901,7 +30877,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteAcmeOrdersRequest" + "$ref": "#/components/schemas/PkiExternalCaWriteRoleNameOrderOrder_idRevokeRequest" } } } 
@@ -30913,36 +30889,43 @@ } } }, - "/{pki_mount_path}/acme/revoke-cert": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_external_ca_mount_path}/role/{name}/order/{order_id}/status": { + "description": "Check order status", "parameters": [ { - "name": "pki_mount_path", + "name": "name", + "description": "Name of the role", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "order_id", + "description": "Order ID", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_external_ca_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "pki" + "default": "pki-external-ca" }, "required": true } ], - "x-vault-unauthenticated": true, - "post": { - "operationId": "pki-write-acme-revoke-cert", + "get": { + "operationId": "pki-external-ca-read-role-name-order-order_id-status", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteAcmeRevokeCertRequest" - } - } - } - }, "responses": { "200": { "description": "OK" @@ -30950,9 +30933,18 @@ } } }, - "/{pki_mount_path}/batch/certs": { - "description": "Fetches a map of serial numbers to certificate (pem).", + "/{pki_mount_path}/acme/account/{kid}": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ + { + "name": "kid", + "description": "The key identifier provided by the CA", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -30964,8 +30956,9 @@ "required": true } ], + "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-batch-certs", + "operationId": "pki-write-acme-account-kid", "tags": [ "secrets" ], 
@@ -30974,28 +30967,30 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteBatchCertsRequest" + "$ref": "#/components/schemas/PkiWriteAcmeAccountKidRequest" } } } }, "responses": { "200": { - "description": "", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteBatchCertsResponse" - } - } - } + "description": "OK" } } } }, - "/{pki_mount_path}/ca": { - "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "/{pki_mount_path}/acme/authorization/{auth_id}": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ + { + "name": "auth_id", + "description": "ACME authorization identifier value", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", 
@@ -31008,28 +31003,49 @@ } ], "x-vault-unauthenticated": true, - "get": { - "operationId": "pki-read-ca-der", + "post": { + "operationId": "pki-write-acme-authorization-auth_id", "tags": [ "secrets" ], - "responses": { - "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiReadCaDerResponse" - } + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteAcmeAuthorizationAuth_idRequest" } } } + }, + "responses": { + "200": { + "description": "OK" + } } } }, - "/{pki_mount_path}/ca/pem": { - "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "/{pki_mount_path}/acme/challenge/{auth_id}/{challenge_type}": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ + { + "name": "auth_id", + "description": "ACME authorization identifier value", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "challenge_type", + "description": "ACME challenge type", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", 
@@ -31042,27 +31058,30 @@ } ], "x-vault-unauthenticated": true, - "get": { - "operationId": "pki-read-ca-pem", + "post": { + "operationId": "pki-write-acme-challenge-auth_id-challenge_type", "tags": [ "secrets" ], - "responses": { - "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiReadCaPemResponse" - } + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteAcmeChallengeAuth_idChallenge_typeRequest" } } } + }, + "responses": { + "200": { + "description": "OK" + } } } }, - "/{pki_mount_path}/ca_chain": { - "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "/{pki_mount_path}/acme/directory": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { "name": "pki_mount_path", @@ -31077,26 +31096,19 @@ ], "x-vault-unauthenticated": true, "get": { - "operationId": "pki-read-ca-chain-pem", + "operationId": "pki-read-acme-directory", "tags": [ "secrets" ], "responses": { "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiReadCaChainPemResponse" - } - } - } + "description": "OK" } } } }, - "/{pki_mount_path}/cert-metadata/": { - "description": "Lists all stored Certificate Metadata within the Local Cluster", + "/{pki_mount_path}/acme/mgmt/account/keyid/": { + "description": "List all ACME account key identifiers.", "parameters": [ { "name": "pki_mount_path", @@ -31110,7 +31122,7 @@ } ], "get": { - "operationId": "pki-list-cert-metadata", + "operationId": "pki-list-acme-account-keys", "tags": [ "secrets" ], 
@@ -31142,12 +31154,12 @@ } } }, - "/{pki_mount_path}/cert-metadata/{serial}": { - "description": "Fetches Client-Set Metadata About a Certificate (if it exists)", + "/{pki_mount_path}/acme/mgmt/account/keyid/{keyid}": { + "description": "Fetch the details or update the status of an ACME account by key identifier.", "parameters": [ { - "name": "serial", - "description": "Certificate serial number, in colon- or hyphen-separated octal", + "name": "keyid", + "description": "The key identifier of the account.", "in": "path", "schema": { "type": "string" @@ -31166,26 +31178,40 @@ } ], "get": { - "operationId": "pki-read-cert-metadata", + "operationId": "pki-read-acme-key-id", "tags": [ "secrets" ], "responses": { "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiReadCertMetadataResponse" - } + "description": "OK" + } + } + }, + "post": { + "operationId": "pki-write-acme-key-id", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteAcmeKeyIdRequest" } } } + }, + "responses": { + "200": { + "description": "OK" + } } } }, - "/{pki_mount_path}/cert/ca_chain": { - "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "/{pki_mount_path}/acme/new-account": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { "name": "pki_mount_path", 
@@ -31199,27 +31225,30 @@ } ], "x-vault-unauthenticated": true, - "get": { - "operationId": "pki-read-cert-ca-chain", + "post": { + "operationId": "pki-write-acme-new-account", "tags": [ "secrets" ], - "responses": { - "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiReadCertCaChainResponse" - } + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteAcmeNewAccountRequest" } } } + }, + "responses": { + "200": { + "description": "OK" + } } } }, - "/{pki_mount_path}/cert/crl": { - "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "/{pki_mount_path}/acme/new-eab": { + "description": "Generate external account bindings to be used for ACME", "parameters": [ { "name": "pki_mount_path", @@ -31232,9 +31261,8 @@ "required": true } ], - "x-vault-unauthenticated": true, - "get": { - "operationId": "pki-read-cert-crl", + "post": { + "operationId": "pki-generate-eab-key", "tags": [ "secrets" ], @@ -31244,7 +31272,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiReadCertCrlResponse" + "$ref": "#/components/schemas/PkiGenerateEabKeyResponse" } } } @@ -31252,8 +31280,8 @@ } } }, - "/{pki_mount_path}/cert/delta-crl": { - "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "/{pki_mount_path}/acme/new-nonce": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { "name": "pki_mount_path", 
@@ -31268,26 +31296,19 @@ ], "x-vault-unauthenticated": true, "get": { - "operationId": "pki-read-cert-delta-crl", + "operationId": "pki-read-acme-new-nonce", "tags": [ "secrets" ], "responses": { "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiReadCertDeltaCrlResponse" - } - } - } + "description": "OK" } } } }, - "/{pki_mount_path}/cert/unified-crl": { - "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "/{pki_mount_path}/acme/new-order": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { "name": "pki_mount_path", @@ -31301,28 +31322,40 @@ } ], "x-vault-unauthenticated": true, - "get": { - "operationId": "pki-read-cert-unified-crl", + "post": { + "operationId": "pki-write-acme-new-order", "tags": [ "secrets" ], - "responses": { - "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiReadCertUnifiedCrlResponse" - } + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteAcmeNewOrderRequest" } } } + }, + "responses": { + "200": { + "description": "OK" + } } } }, - "/{pki_mount_path}/cert/unified-delta-crl": { - "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "/{pki_mount_path}/acme/order/{order_id}": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ + { + "name": "order_id", + "description": "The ACME order identifier to fetch", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", 
@@ -31335,31 +31368,34 @@ } ], "x-vault-unauthenticated": true, - "get": { - "operationId": "pki-read-cert-unified-delta-crl", + "post": { + "operationId": "pki-write-acme-order-order_id", "tags": [ "secrets" ], - "responses": { - "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiReadCertUnifiedDeltaCrlResponse" - } + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteAcmeOrderOrder_idRequest" } } } + }, + "responses": { + "200": { + "description": "OK" + } } } }, - "/{pki_mount_path}/cert/{serial}": { - "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "/{pki_mount_path}/acme/order/{order_id}/cert": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { - "name": "serial", - "description": "Certificate serial number, in colon- or hyphen-separated octal", + "name": "order_id", + "description": "The ACME order identifier to fetch", "in": "path", "schema": { "type": "string" 
@@ -31378,31 +31414,34 @@ } ], "x-vault-unauthenticated": true, - "get": { - "operationId": "pki-read-cert", + "post": { + "operationId": "pki-write-acme-order-order_id-cert", "tags": [ "secrets" ], - "responses": { - "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiReadCertResponse" - } + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteAcmeOrderOrder_idCertRequest" } } } + }, + "responses": { + "200": { + "description": "OK" + } } } }, - "/{pki_mount_path}/cert/{serial}/raw": { - "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "/{pki_mount_path}/acme/order/{order_id}/finalize": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { - "name": "serial", - "description": "Certificate serial number, in colon- or hyphen-separated octal", + "name": "order_id", + "description": "The ACME order identifier to fetch", "in": "path", "schema": { "type": "string" 
@@ -31421,37 +31460,31 @@ } ], "x-vault-unauthenticated": true, - "get": { - "operationId": "pki-read-cert-raw-der", + "post": { + "operationId": "pki-write-acme-order-order_id-finalize", "tags": [ "secrets" ], - "responses": { - "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiReadCertRawDerResponse" - } + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteAcmeOrderOrder_idFinalizeRequest" } } } + }, + "responses": { + "200": { + "description": "OK" + } } } }, - "/{pki_mount_path}/cert/{serial}/raw/pem": { - "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "/{pki_mount_path}/acme/orders": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ - { - "name": "serial", - "description": "Certificate serial number, in colon- or hyphen-separated octal", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -31464,27 +31497,30 @@ } ], "x-vault-unauthenticated": true, - "get": { - "operationId": "pki-read-cert-raw-pem", + "post": { + "operationId": "pki-write-acme-orders", "tags": [ "secrets" ], - "responses": { - "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiReadCertRawPemResponse" - } + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteAcmeOrdersRequest" } } } + }, + "responses": { + "200": { + "description": "OK" + } } } }, - "/{pki_mount_path}/certs/": { - "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "/{pki_mount_path}/acme/revoke-cert": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { "name": "pki_mount_path", 
@@ -31497,41 +31533,31 @@ "required": true } ], - "get": { - "operationId": "pki-list-certs", + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-acme-revoke-cert", "tags": [ "secrets" ], - "parameters": [ - { - "name": "list", - "description": "Must be set to `true`", - "in": "query", - "schema": { - "type": "string", - "enum": [ - "true" - ] - }, - "required": true + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteAcmeRevokeCertRequest" + } + } } - ], + }, "responses": { "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/StandardListResponse" - } - } - } + "description": "OK" } } } }, - "/{pki_mount_path}/certs/revocation-queue/": { - "description": "List all pending, cross-cluster revocations known to the local cluster.", + "/{pki_mount_path}/batch/certs": { + "description": "Fetches a map of serial numbers to certificate (pem).", "parameters": [ { "name": "pki_mount_path", @@ -31544,32 +31570,28 @@ "required": true } ], - "get": { - "operationId": "pki-list-certs-revocation-queue", + "post": { + "operationId": "pki-write-batch-certs", "tags": [ "secrets" ], - "parameters": [ - { - "name": "list", - "description": "Must be set to `true`", - "in": "query", - "schema": { - "type": "string", - "enum": [ - "true" - ] - }, - "required": true + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteBatchCertsRequest" + } + } } - ], + }, "responses": { "200": { - "description": "OK", + "description": "", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/StandardListResponse" + "$ref": "#/components/schemas/PkiWriteBatchCertsResponse" } } } 
@@ -31577,8 +31599,8 @@ } } }, - "/{pki_mount_path}/certs/revoked/": { - "description": "List all revoked serial numbers within the local cluster", + "/{pki_mount_path}/ca": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "parameters": [ { "name": "pki_mount_path", @@ -31591,32 +31613,19 @@ "required": true } ], + "x-vault-unauthenticated": true, "get": { - "operationId": "pki-list-revoked-certs", + "operationId": "pki-read-ca-der", "tags": [ "secrets" ], - "parameters": [ - { - "name": "list", - "description": "Must be set to `true`", - "in": "query", - "schema": { - "type": "string", - "enum": [ - "true" - ] - }, - "required": true - } - ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/StandardListResponse" + "$ref": "#/components/schemas/PkiReadCaDerResponse" } } } @@ -31624,8 +31633,8 @@ } } }, - "/{pki_mount_path}/certs/unified-revoked/": { - "description": "List all revoked serial numbers within this cluster's unified storage area.", + "/{pki_mount_path}/ca/pem": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "parameters": [ { "name": "pki_mount_path", @@ -31638,32 +31647,19 @@ "required": true } ], + "x-vault-unauthenticated": true, "get": { - "operationId": "pki-list-unified-revoked-certs", + "operationId": "pki-read-ca-pem", "tags": [ "secrets" ], - "parameters": [ - { - "name": "list", - "description": "Must be set to `true`", - "in": "query", - "schema": { - "type": "string", - "enum": [ - "true" - ] - }, - "required": true - } - ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiListUnifiedRevokedCertsResponse" + "$ref": "#/components/schemas/PkiReadCaPemResponse" } } } 
@@ -31671,8 +31667,8 @@ } } }, - "/{pki_mount_path}/cmp": { - "description": "CMPv2 Endpoint", + "/{pki_mount_path}/ca_chain": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "parameters": [ { "name": "pki_mount_path", @@ -31686,20 +31682,27 @@ } ], "x-vault-unauthenticated": true, - "post": { - "operationId": "pki-write-cmp", + "get": { + "operationId": "pki-read-ca-chain-pem", "tags": [ "secrets" ], "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadCaChainPemResponse" + } + } + } } } } }, - "/{pki_mount_path}/config/acme": { - "description": "Configuration of ACME Endpoints", + "/{pki_mount_path}/cert-metadata/": { + "description": "Lists all stored Certificate Metadata within the Local Cluster", "parameters": [ { "name": "pki_mount_path", 
@@ -31713,41 +31716,50 @@ } ], "get": { - "operationId": "pki-read-acme-configuration", + "operationId": "pki-list-cert-metadata", "tags": [ "secrets" ], - "responses": { - "200": { - "description": "OK" + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true } - } - }, - "post": { - "operationId": "pki-configure-acme", - "tags": [ - "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiConfigureAcmeRequest" - } - } - } - }, "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } } } } }, - "/{pki_mount_path}/config/auto-tidy": { - "description": "Modifies the current configuration for automatic tidy execution.", + "/{pki_mount_path}/cert-metadata/{serial}": { + "description": "Fetches Client-Set Metadata About a Certificate (if it exists)", "parameters": [ + { + "name": "serial", + "description": "Certificate serial number, in colon- or hyphen-separated octal", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -31760,7 +31772,7 @@ } ], "get": { - "operationId": "pki-read-auto-tidy-configuration", + "operationId": "pki-read-cert-metadata", "tags": [ "secrets" ], 
@@ -31770,35 +31782,41 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiReadAutoTidyConfigurationResponse" + "$ref": "#/components/schemas/PkiReadCertMetadataResponse" } } } } } - }, - "post": { - "operationId": "pki-configure-auto-tidy", + } + }, + "/{pki_mount_path}/cert/ca_chain": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-cert-ca-chain", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiConfigureAutoTidyRequest" - } - } - } - }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiConfigureAutoTidyResponse" + "$ref": "#/components/schemas/PkiReadCertCaChainResponse" } } } @@ -31806,8 +31824,8 @@ } } }, - "/{pki_mount_path}/config/ca": { - "description": "Set the CA certificate and private key used for generated credentials.", + "/{pki_mount_path}/cert/crl": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "parameters": [ { "name": "pki_mount_path", @@ -31820,28 +31838,19 @@ "required": true } ], - "post": { - "operationId": "pki-configure-ca", + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-cert-crl", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiConfigureCaRequest" - } - } - } - }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiConfigureCaResponse" + "$ref": "#/components/schemas/PkiReadCertCrlResponse" } } } 
@@ -31849,8 +31858,8 @@ } } }, - "/{pki_mount_path}/config/cluster": { - "description": "Set cluster-local configuration, including address to this PR cluster.", + "/{pki_mount_path}/cert/delta-crl": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "parameters": [ { "name": "pki_mount_path", @@ -31863,8 +31872,9 @@ "required": true } ], + "x-vault-unauthenticated": true, "get": { - "operationId": "pki-read-cluster-configuration", + "operationId": "pki-read-cert-delta-crl", "tags": [ "secrets" ], @@ -31874,35 +31884,41 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiReadClusterConfigurationResponse" + "$ref": "#/components/schemas/PkiReadCertDeltaCrlResponse" } } } } } - }, - "post": { - "operationId": "pki-configure-cluster", + } + }, + "/{pki_mount_path}/cert/unified-crl": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-cert-unified-crl", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiConfigureClusterRequest" - } - } - } - }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiConfigureClusterResponse" + "$ref": "#/components/schemas/PkiReadCertUnifiedCrlResponse" } } } @@ -31910,8 +31926,8 @@ } } }, - "/{pki_mount_path}/config/cmp": { - "description": "Configuration of CMPv2 Endpoint", + "/{pki_mount_path}/cert/unified-delta-crl": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "parameters": [ { "name": "pki_mount_path", 
@@ -31924,42 +31940,38 @@ "required": true } ], + "x-vault-unauthenticated": true, "get": { - "operationId": "pki-read-cmpv2-configuration", + "operationId": "pki-read-cert-unified-delta-crl", "tags": [ "secrets" ], "responses": { "200": { - "description": "OK" - } - } - }, - "post": { - "operationId": "pki-configure-cmp", - "tags": [ - "secrets" - ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiConfigureCmpRequest" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadCertUnifiedDeltaCrlResponse" + } } } } - }, - "responses": { - "200": { - "description": "OK" - } } } }, - "/{pki_mount_path}/config/crl": { - "description": "Configure the CRL expiration.", + "/{pki_mount_path}/cert/{serial}": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "parameters": [ + { + "name": "serial", + "description": "Certificate serial number, in colon- or hyphen-separated octal", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", 
@@ -31971,46 +31983,19 @@ "required": true } ], + "x-vault-unauthenticated": true, "get": { - "operationId": "pki-read-crl-configuration", - "tags": [ - "secrets" - ], - "responses": { - "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiReadCrlConfigurationResponse" - } - } - } - } - } - }, - "post": { - "operationId": "pki-configure-crl", + "operationId": "pki-read-cert", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiConfigureCrlRequest" - } - } - } - }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiConfigureCrlResponse" + "$ref": "#/components/schemas/PkiReadCertResponse" } } } @@ -32018,9 +32003,18 @@ } } }, - "/{pki_mount_path}/config/est": { - "description": "Configuration of EST Endpoint", + "/{pki_mount_path}/cert/{serial}/raw": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "parameters": [ + { + "name": "serial", + "description": "Certificate serial number, in colon- or hyphen-separated octal", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", 
@@ -32032,42 +32026,38 @@ "required": true } ], + "x-vault-unauthenticated": true, "get": { - "operationId": "pki-read-est-configuration", + "operationId": "pki-read-cert-raw-der", "tags": [ "secrets" ], "responses": { "200": { - "description": "OK" - } - } - }, - "post": { - "operationId": "pki-configure-est", - "tags": [ - "secrets" - ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiConfigureEstRequest" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadCertRawDerResponse" + } } } } - }, - "responses": { - "200": { - "description": "OK" - } } } }, - "/{pki_mount_path}/config/external-policy": { - "description": "Configure an Certificate Issuance External Policy Service (CIEPS)", + "/{pki_mount_path}/cert/{serial}/raw/pem": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "parameters": [ + { + "name": "serial", + "description": "Certificate serial number, in colon- or hyphen-separated octal", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -32079,8 +32069,9 @@ "required": true } ], + "x-vault-unauthenticated": true, "get": { - "operationId": "pki-configure-external-policy", + "operationId": "pki-read-cert-raw-pem", "tags": [ "secrets" ], 
@@ -32090,37 +32081,16 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiConfigureExternalPolicyResponse" + "$ref": "#/components/schemas/PkiReadCertRawPemResponse" } } } } } - }, - "post": { - "operationId": "pki-configure-external-policy", - "tags": [ - "secrets" - ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiConfigureExternalPolicyRequest" - } - } - } - }, - "responses": { - "200": { - "description": "OK" - } - } } }, - "/{pki_mount_path}/config/issuers": { - "description": "Read and set the default issuer certificate for signing.", + "/{pki_mount_path}/certs/": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "parameters": [ { "name": "pki_mount_path", @@ -32134,45 +32104,31 @@ } ], "get": { - "operationId": "pki-read-issuers-configuration", + "operationId": "pki-list-certs", "tags": [ "secrets" ], - "responses": { - "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiReadIssuersConfigurationResponse" - } - } - } + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true } - } - }, - "post": { - "operationId": "pki-configure-issuers", - "tags": [ - "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiConfigureIssuersRequest" - } - } - } - }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiConfigureIssuersResponse" + "$ref": "#/components/schemas/StandardListResponse" } } } 
@@ -32180,8 +32136,8 @@ } } }, - "/{pki_mount_path}/config/keys": { - "description": "Read and set the default key used for signing", + "/{pki_mount_path}/certs/revocation-queue/": { + "description": "List all pending, cross-cluster revocations known to the local cluster.", "parameters": [ { "name": "pki_mount_path", @@ -32195,45 +32151,31 @@ } ], "get": { - "operationId": "pki-read-keys-configuration", + "operationId": "pki-list-certs-revocation-queue", "tags": [ "secrets" ], - "responses": { - "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiReadKeysConfigurationResponse" - } - } - } + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true } - } - }, - "post": { - "operationId": "pki-configure-keys", - "tags": [ - "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiConfigureKeysRequest" - } - } - } - }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiConfigureKeysResponse" + "$ref": "#/components/schemas/StandardListResponse" } } } @@ -32241,8 +32183,8 @@ } } }, - "/{pki_mount_path}/config/scep": { - "description": "Configuration of SCEP Endpoint", + "/{pki_mount_path}/certs/revoked/": { + "description": "List all revoked serial numbers within the local cluster", "parameters": [ { "name": "pki_mount_path", 
@@ -32256,40 +32198,40 @@ } ], "get": { - "operationId": "pki-read-scep-configuration", + "operationId": "pki-list-revoked-certs", "tags": [ "secrets" ], - "responses": { - "200": { - "description": "OK" + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true } - } - }, - "post": { - "operationId": "pki-configure-scep", - "tags": [ - "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiConfigureScepRequest" - } - } - } - }, "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } } } } }, - "/{pki_mount_path}/config/urls": { - "description": "Set the URLs for the issuing CA, CRL distribution points, and OCSP servers.", + "/{pki_mount_path}/certs/unified-revoked/": { + "description": "List all revoked serial numbers within this cluster's unified storage area.", "parameters": [ { "name": "pki_mount_path", 
@@ -32303,45 +32245,31 @@ } ], "get": { - "operationId": "pki-read-urls-configuration", + "operationId": "pki-list-unified-revoked-certs", "tags": [ "secrets" ], - "responses": { - "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiReadUrlsConfigurationResponse" - } - } - } + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true } - } - }, - "post": { - "operationId": "pki-configure-urls", - "tags": [ - "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiConfigureUrlsRequest" - } - } - } - }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiConfigureUrlsResponse" + "$ref": "#/components/schemas/PkiListUnifiedRevokedCertsResponse" } } } @@ -32349,8 +32277,8 @@ } } }, - "/{pki_mount_path}/crl": { - "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "/{pki_mount_path}/cmp": { + "description": "CMPv2 Endpoint", "parameters": [ { "name": "pki_mount_path", @@ -32364,27 +32292,20 @@ } ], "x-vault-unauthenticated": true, - "get": { - "operationId": "pki-read-crl-der", + "post": { + "operationId": "pki-write-cmp", "tags": [ "secrets" ], "responses": { "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiReadCrlDerResponse" - } - } - } + "description": "OK" } } } }, - "/{pki_mount_path}/crl/delta": { - "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "/{pki_mount_path}/config/acme": { + "description": "Configuration of ACME Endpoints", "parameters": [ { "name": "pki_mount_path", 
@@ -32397,28 +32318,41 @@ "required": true } ], - "x-vault-unauthenticated": true, "get": { - "operationId": "pki-read-crl-delta", + "operationId": "pki-read-acme-configuration", "tags": [ "secrets" ], "responses": { "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiReadCrlDeltaResponse" - } + "description": "OK" + } + } + }, + "post": { + "operationId": "pki-configure-acme", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiConfigureAcmeRequest" } } } + }, + "responses": { + "200": { + "description": "OK" + } } } }, - "/{pki_mount_path}/crl/delta/pem": { - "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "/{pki_mount_path}/config/auto-tidy": { + "description": "Modifies the current configuration for automatic tidy execution.", "parameters": [ { "name": "pki_mount_path", @@ -32431,9 +32365,8 @@ "required": true } ], - "x-vault-unauthenticated": true, "get": { - "operationId": "pki-read-crl-delta-pem", + "operationId": "pki-read-auto-tidy-configuration", "tags": [ "secrets" ], 
@@ -32443,41 +32376,35 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiReadCrlDeltaPemResponse" + "$ref": "#/components/schemas/PkiReadAutoTidyConfigurationResponse" } } } } } - } - }, - "/{pki_mount_path}/crl/pem": { - "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", - "parameters": [ - { - "name": "pki_mount_path", - "description": "Path that the backend was mounted at", - "in": "path", - "schema": { - "type": "string", - "default": "pki" - }, - "required": true - } - ], - "x-vault-unauthenticated": true, - "get": { - "operationId": "pki-read-crl-pem", + }, + "post": { + "operationId": "pki-configure-auto-tidy", "tags": [ "secrets" ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiConfigureAutoTidyRequest" + } + } + } + }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiReadCrlPemResponse" + "$ref": "#/components/schemas/PkiConfigureAutoTidyResponse" } } } @@ -32485,8 +32412,8 @@ } } }, - "/{pki_mount_path}/crl/rotate": { - "description": "Force a rebuild of the CRL.", + "/{pki_mount_path}/config/ca": { + "description": "Set the CA certificate and private key used for generated credentials.", "parameters": [ { "name": "pki_mount_path", @@ -32499,18 +32426,28 @@ "required": true } ], - "get": { - "operationId": "pki-rotate-crl", + "post": { + "operationId": "pki-configure-ca", "tags": [ "secrets" ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiConfigureCaRequest" + } + } + } + }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiRotateCrlResponse" + "$ref": "#/components/schemas/PkiConfigureCaResponse" } } } 
@@ -32518,8 +32455,8 @@ } } }, - "/{pki_mount_path}/crl/rotate-delta": { - "description": "Force a rebuild of the delta CRL.", + "/{pki_mount_path}/config/cluster": { + "description": "Set cluster-local configuration, including address to this PR cluster.", "parameters": [ { "name": "pki_mount_path", @@ -32533,7 +32470,7 @@ } ], "get": { - "operationId": "pki-rotate-delta-crl", + "operationId": "pki-read-cluster-configuration", "tags": [ "secrets" ], @@ -32543,7 +32480,35 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiRotateDeltaCrlResponse" + "$ref": "#/components/schemas/PkiReadClusterConfigurationResponse" + } + } + } + } + } + }, + "post": { + "operationId": "pki-configure-cluster", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiConfigureClusterRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiConfigureClusterResponse" } } } @@ -32551,8 +32516,8 @@ } } }, - "/{pki_mount_path}/eab/": { - "description": "list external account bindings to be used for ACME", + "/{pki_mount_path}/config/cmp": { + "description": "Configuration of CMPv2 Endpoint", "parameters": [ { "name": "pki_mount_path", 
@@ -32566,74 +32531,40 @@ } ], "get": { - "operationId": "pki-list-eab-keys", + "operationId": "pki-read-cmpv2-configuration", "tags": [ "secrets" ], - "parameters": [ - { - "name": "list", - "description": "Must be set to `true`", - "in": "query", - "schema": { - "type": "string", - "enum": [ - "true" - ] - }, - "required": true - } - ], "responses": { "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiListEabKeysResponse" - } - } - } + "description": "OK" } } - } - }, - "/{pki_mount_path}/eab/{key_id}": { - "description": "Delete an external account binding id prior to its use within an ACME account", - "parameters": [ - { - "name": "key_id", - "description": "EAB key identifier", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "pki_mount_path", - "description": "Path that the backend was mounted at", - "in": "path", - "schema": { - "type": "string", - "default": "pki" - }, - "required": true - } - ], - "delete": { - "operationId": "pki-delete-eab-key", + }, + "post": { + "operationId": "pki-configure-cmp", "tags": [ "secrets" ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiConfigureCmpRequest" + } + } + } + }, "responses": { - "204": { - "description": "empty body" + "200": { + "description": "OK" } } } }, - "/{pki_mount_path}/est/cacerts": { + "/{pki_mount_path}/config/crl": { + "description": "Configure the CRL expiration.", "parameters": [ { "name": "pki_mount_path", 
@@ -32646,46 +32577,55 @@ "required": true } ], - "x-vault-unauthenticated": true, "get": { - "operationId": "pki-read-est-cacerts", + "operationId": "pki-read-crl-configuration", "tags": [ "secrets" ], "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadCrlConfigurationResponse" + } + } + } } } - } - }, - "/{pki_mount_path}/est/simpleenroll": { - "parameters": [ - { - "name": "pki_mount_path", - "description": "Path that the backend was mounted at", - "in": "path", - "schema": { - "type": "string", - "default": "pki" - }, - "required": true - } - ], - "x-vault-unauthenticated": true, + }, "post": { - "operationId": "pki-write-est-simpleenroll", + "operationId": "pki-configure-crl", "tags": [ "secrets" ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiConfigureCrlRequest" + } + } + } + }, "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiConfigureCrlResponse" + } + } + } } } } }, - "/{pki_mount_path}/est/simplereenroll": { + "/{pki_mount_path}/config/est": { + "description": "Configuration of EST Endpoint", "parameters": [ { "name": "pki_mount_path", @@ -32698,9 +32638,8 @@ "required": true } ], - "x-vault-unauthenticated": true, - "post": { - "operationId": "pki-write-est-simplereenroll", + "get": { + "operationId": "pki-read-est-configuration", "tags": [ "secrets" ], 
@@ -32709,34 +32648,9 @@ "description": "OK" } } - } - }, - "/{pki_mount_path}/external-policy/acme/account/{kid}": { - "description": "An endpoint implementing the standard ACME protocol", - "parameters": [ - { - "name": "kid", - "description": "The key identifier provided by the CA", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "pki_mount_path", - "description": "Path that the backend was mounted at", - "in": "path", - "schema": { - "type": "string", - "default": "pki" - }, - "required": true - } - ], - "x-vault-unauthenticated": true, + }, "post": { - "operationId": "pki-write-external-policy-acme-account-kid", + "operationId": "pki-configure-est", "tags": [ "secrets" ], @@ -32745,7 +32659,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteExternalPolicyAcmeAccountKidRequest" + "$ref": "#/components/schemas/PkiConfigureEstRequest" } } } @@ -32757,18 +32671,9 @@ } } }, - "/{pki_mount_path}/external-policy/acme/authorization/{auth_id}": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_mount_path}/config/external-policy": { + "description": "Configure an Certificate Issuance External Policy Service (CIEPS)", "parameters": [ - { - "name": "auth_id", - "description": "ACME authorization identifier value", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", 
@@ -32780,9 +32685,26 @@ "required": true } ], - "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-configure-external-policy", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiConfigureExternalPolicyResponse" + } + } + } + } + } + }, "post": { - "operationId": "pki-write-external-policy-acme-authorization-auth_id", + "operationId": "pki-configure-external-policy", "tags": [ "secrets" ], @@ -32791,7 +32713,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteExternalPolicyAcmeAuthorizationAuth_idRequest" + "$ref": "#/components/schemas/PkiConfigureExternalPolicyRequest" } } } @@ -32803,27 +32725,9 @@ } } }, - "/{pki_mount_path}/external-policy/acme/challenge/{auth_id}/{challenge_type}": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_mount_path}/config/issuers": { + "description": "Read and set the default issuer certificate for signing.", "parameters": [ - { - "name": "auth_id", - "description": "ACME authorization identifier value", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "challenge_type", - "description": "ACME challenge type", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -32835,9 +32739,26 @@ "required": true } ], - "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-issuers-configuration", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadIssuersConfigurationResponse" + } + } + } + } + } + }, "post": { - "operationId": "pki-write-external-policy-acme-challenge-auth_id-challenge_type", + "operationId": "pki-configure-issuers", "tags": [ "secrets" ], 
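Review bot: The GET operation added for `/{pki_mount_path}/config/external-policy` reuses the operationId `pki-configure-external-policy` that the POST on the same path also carries, and OpenAPI requires operationIds to be unique across the document, so client generators will either reject the spec or silently rename one of the two methods. The sibling config paths in this patch follow a read/configure pair (`pki-read-acme-configuration`, `pki-read-issuers-configuration`, `pki-read-keys-configuration`), so the GET should presumably be `"operationId": "pki-read-external-policy-configuration"`. Since this file is generated, the correction belongs in the source that defines the endpoint rather than in this JSON directly.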
@@ -32846,20 +32767,27 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteExternalPolicyAcmeChallengeAuth_idChallenge_typeRequest" + "$ref": "#/components/schemas/PkiConfigureIssuersRequest" } } } }, "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiConfigureIssuersResponse" + } + } + } } } } }, - "/{pki_mount_path}/external-policy/acme/directory": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_mount_path}/config/keys": { + "description": "Read and set the default key used for signing", "parameters": [ { "name": "pki_mount_path", @@ -32872,36 +32800,26 @@ "required": true } ], - "x-vault-unauthenticated": true, "get": { - "operationId": "pki-read-external-policy-acme-directory", + "operationId": "pki-read-keys-configuration", "tags": [ "secrets" ], "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadKeysConfigurationResponse" + } + } + } } } - } - }, - "/{pki_mount_path}/external-policy/acme/new-account": { - "description": "An endpoint implementing the standard ACME protocol", - "parameters": [ - { - "name": "pki_mount_path", - "description": "Path that the backend was mounted at", - "in": "path", - "schema": { - "type": "string", - "default": "pki" - }, - "required": true - } - ], - "x-vault-unauthenticated": true, + }, "post": { - "operationId": "pki-write-external-policy-acme-new-account", + "operationId": "pki-configure-keys", "tags": [ "secrets" ], 
@@ -32910,44 +32828,18 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteExternalPolicyAcmeNewAccountRequest" + "$ref": "#/components/schemas/PkiConfigureKeysRequest" } } } }, - "responses": { - "200": { - "description": "OK" - } - } - } - }, - "/{pki_mount_path}/external-policy/acme/new-eab": { - "description": "Generate external account bindings to be used for ACME", - "parameters": [ - { - "name": "pki_mount_path", - "description": "Path that the backend was mounted at", - "in": "path", - "schema": { - "type": "string", - "default": "pki" - }, - "required": true - } - ], - "post": { - "operationId": "pki-generate-eab-key", - "tags": [ - "secrets" - ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiGenerateEabKeyResponse" + "$ref": "#/components/schemas/PkiConfigureKeysResponse" } } } @@ -32955,8 +32847,8 @@ } } }, - "/{pki_mount_path}/external-policy/acme/new-nonce": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_mount_path}/config/scep": { + "description": "Configuration of SCEP Endpoint", "parameters": [ { "name": "pki_mount_path", @@ -32969,9 +32861,8 @@ "required": true } ], - "x-vault-unauthenticated": true, "get": { - "operationId": "pki-read-external-policy-acme-new-nonce", + "operationId": "pki-read-scep-configuration", "tags": [ "secrets" ], @@ -32980,25 +32871,9 @@ "description": "OK" } } - } - }, - "/{pki_mount_path}/external-policy/acme/new-order": { - "description": "An endpoint implementing the standard ACME protocol", - "parameters": [ - { - "name": "pki_mount_path", - "description": "Path that the backend was mounted at", - "in": "path", - "schema": { - "type": "string", - "default": "pki" - }, - "required": true - } - ], - "x-vault-unauthenticated": true, + }, "post": { - "operationId": "pki-write-external-policy-acme-new-order", + "operationId": "pki-configure-scep", "tags": [ "secrets" ], 
@@ -33007,7 +32882,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteExternalPolicyAcmeNewOrderRequest" + "$ref": "#/components/schemas/PkiConfigureScepRequest" } } } @@ -33019,18 +32894,9 @@ } } }, - "/{pki_mount_path}/external-policy/acme/order/{order_id}": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_mount_path}/config/urls": { + "description": "Set the URLs for the issuing CA, CRL distribution points, and OCSP servers.", "parameters": [ - { - "name": "order_id", - "description": "The ACME order identifier to fetch", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -33042,9 +32908,26 @@ "required": true } ], - "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-urls-configuration", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadUrlsConfigurationResponse" + } + } + } + } + } + }, "post": { - "operationId": "pki-write-external-policy-acme-order-order_id", + "operationId": "pki-configure-urls", "tags": [ "secrets" ], 
@@ -33053,30 +32936,28 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteExternalPolicyAcmeOrderOrder_idRequest" + "$ref": "#/components/schemas/PkiConfigureUrlsRequest" } } } }, "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiConfigureUrlsResponse" + } + } + } } } } }, - "/{pki_mount_path}/external-policy/acme/order/{order_id}/cert": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_mount_path}/crl": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "parameters": [ - { - "name": "order_id", - "description": "The ACME order identifier to fetch", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", 
@@ -33089,40 +32970,28 @@ } ], "x-vault-unauthenticated": true, - "post": { - "operationId": "pki-write-external-policy-acme-order-order_id-cert", + "get": { + "operationId": "pki-read-crl-der", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteExternalPolicyAcmeOrderOrder_idCertRequest" - } - } - } - }, "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadCrlDerResponse" + } + } + } } } } }, - "/{pki_mount_path}/external-policy/acme/order/{order_id}/finalize": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_mount_path}/crl/delta": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "parameters": [ - { - "name": "order_id", - "description": "The ACME order identifier to fetch", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", 
@@ -33135,30 +33004,27 @@ } ], "x-vault-unauthenticated": true, - "post": { - "operationId": "pki-write-external-policy-acme-order-order_id-finalize", + "get": { + "operationId": "pki-read-crl-delta", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteExternalPolicyAcmeOrderOrder_idFinalizeRequest" - } - } - } - }, "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadCrlDeltaResponse" + } + } + } } } } }, - "/{pki_mount_path}/external-policy/acme/orders": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_mount_path}/crl/delta/pem": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "parameters": [ { "name": "pki_mount_path", @@ -33172,30 +33038,27 @@ } ], "x-vault-unauthenticated": true, - "post": { - "operationId": "pki-write-external-policy-acme-orders", + "get": { + "operationId": "pki-read-crl-delta-pem", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteExternalPolicyAcmeOrdersRequest" - } - } - } - }, "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadCrlDeltaPemResponse" + } + } + } } } } }, - "/{pki_mount_path}/external-policy/acme/revoke-cert": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_mount_path}/crl/pem": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "parameters": [ { "name": "pki_mount_path", 
@@ -33209,30 +33072,27 @@ } ], "x-vault-unauthenticated": true, - "post": { - "operationId": "pki-write-external-policy-acme-revoke-cert", + "get": { + "operationId": "pki-read-crl-pem", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteExternalPolicyAcmeRevokeCertRequest" - } - } - } - }, "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadCrlPemResponse" + } + } + } } } } }, - "/{pki_mount_path}/external-policy/issue": { - "description": "Request a certificate to be generated and verified by an external policy service.", + "/{pki_mount_path}/crl/rotate": { + "description": "Force a rebuild of the CRL.", "parameters": [ { "name": "pki_mount_path", @@ -33245,28 +33105,18 @@ "required": true } ], - "post": { - "operationId": "pki-write-external-policy-issue", + "get": { + "operationId": "pki-rotate-crl", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteExternalPolicyIssueRequest" - } - } - } - }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteExternalPolicyIssueResponse" + "$ref": "#/components/schemas/PkiRotateCrlResponse" } } } 
@@ -33274,19 +33124,9 @@ } } }, - "/{pki_mount_path}/external-policy/issue/{policy}": { - "description": "Request a certificate to be generated and verified by an external policy service.", + "/{pki_mount_path}/crl/rotate-delta": { + "description": "Force a rebuild of the delta CRL.", "parameters": [ - { - "name": "policy", - "description": "The policy name to pass through to the external service.", - "in": "path", - "schema": { - "type": "string", - "pattern": "\\w([\\w-.]*\\w)?" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -33298,28 +33138,18 @@ "required": true } ], - "post": { - "operationId": "pki-write-external-policy-issue-policy", + "get": { + "operationId": "pki-rotate-delta-crl", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteExternalPolicyIssuePolicyRequest" - } - } - } - }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteExternalPolicyIssuePolicyResponse" + "$ref": "#/components/schemas/PkiRotateDeltaCrlResponse" } } } @@ -33327,8 +33157,8 @@ } } }, - "/{pki_mount_path}/external-policy/sign": { - "description": "Request a certificate request to be signed and verified by an external policy service.", + "/{pki_mount_path}/eab/": { + "description": "list external account bindings to be used for ACME", "parameters": [ { "name": "pki_mount_path", 
@@ -33341,28 +33171,32 @@ "required": true } ], - "post": { - "operationId": "pki-write-external-policy-sign", + "get": { + "operationId": "pki-list-eab-keys", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteExternalPolicySignRequest" - } - } + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true } - }, + ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteExternalPolicySignResponse" + "$ref": "#/components/schemas/PkiListEabKeysResponse" } } } @@ -33370,9 +33204,18 @@ } } }, - "/{pki_mount_path}/external-policy/sign-intermediate": { - "description": "Request a CA certificate to be signed by an issuer after verification by an external policy service.", + "/{pki_mount_path}/eab/{key_id}": { + "description": "Delete an external account binding id prior to its use within an ACME account", "parameters": [ + { + "name": "key_id", + "description": "EAB key identifier", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", 
@@ -33384,48 +33227,46 @@ "required": true } ], - "post": { - "operationId": "pki-write-external-policy-sign-intermediate", + "delete": { + "operationId": "pki-delete-eab-key", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteExternalPolicySignIntermediateRequest" - } - } - } - }, "responses": { - "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteExternalPolicySignIntermediateResponse" - } - } - } + "204": { + "description": "empty body" } } } }, - "/{pki_mount_path}/external-policy/sign-intermediate/{policy}": { - "description": "Request a CA certificate to be signed by an issuer after verification by an external policy service.", + "/{pki_mount_path}/est/cacerts": { "parameters": [ { - "name": "policy", - "description": "The policy name to pass through to the external service.", + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "pattern": "\\w([\\w-.]*\\w)?" + "default": "pki" }, "required": true - }, + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-est-cacerts", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/est/simpleenroll": { + "parameters": [ { "name": "pki_mount_path", "description": "Path that the backend was mounted at", 
@@ -33437,48 +33278,21 @@ "required": true } ], + "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-external-policy-sign-intermediate-policy", + "operationId": "pki-write-est-simpleenroll", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteExternalPolicySignIntermediatePolicyRequest" - } - } - } - }, "responses": { "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteExternalPolicySignIntermediatePolicyResponse" - } - } - } + "description": "OK" } } } }, - "/{pki_mount_path}/external-policy/sign/{policy}": { - "description": "Request a certificate request to be signed and verified by an external policy service.", + "/{pki_mount_path}/est/simplereenroll": { "parameters": [ - { - "name": "policy", - "description": "The policy name to pass through to the external service.", - "in": "path", - "schema": { - "type": "string", - "pattern": "\\w([\\w-.]*\\w)?" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", 
@@ -33490,36 +33304,20 @@ "required": true } ], + "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-external-policy-sign-policy", + "operationId": "pki-write-est-simplereenroll", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteExternalPolicySignPolicyRequest" - } - } - } - }, "responses": { "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteExternalPolicySignPolicyResponse" - } - } - } + "description": "OK" } } } }, - "/{pki_mount_path}/external-policy/{policy}/acme/account/{kid}": { + "/{pki_mount_path}/external-policy/acme/account/{kid}": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -33531,15 +33329,6 @@ }, "required": true }, - { - "name": "policy", - "description": "The policy name to pass through to the CIEPS service", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -33553,7 +33342,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-external-policy-policy-acme-account-kid", + "operationId": "pki-write-external-policy-acme-account-kid", "tags": [ "secrets" ], @@ -33562,7 +33351,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteExternalPolicyPolicyAcmeAccountKidRequest" + "$ref": "#/components/schemas/PkiWriteExternalPolicyAcmeAccountKidRequest" } } } @@ -33574,7 +33363,7 @@ } } }, - "/{pki_mount_path}/external-policy/{policy}/acme/authorization/{auth_id}": { + "/{pki_mount_path}/external-policy/acme/authorization/{auth_id}": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { 
@@ -33586,15 +33375,6 @@ }, "required": true }, - { - "name": "policy", - "description": "The policy name to pass through to the CIEPS service", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -33608,7 +33388,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-external-policy-policy-acme-authorization-auth_id", + "operationId": "pki-write-external-policy-acme-authorization-auth_id", "tags": [ "secrets" ], @@ -33617,7 +33397,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteExternalPolicyPolicyAcmeAuthorizationAuth_idRequest" + "$ref": "#/components/schemas/PkiWriteExternalPolicyAcmeAuthorizationAuth_idRequest" } } } @@ -33629,7 +33409,7 @@ } } }, - "/{pki_mount_path}/external-policy/{policy}/acme/challenge/{auth_id}/{challenge_type}": { + "/{pki_mount_path}/external-policy/acme/challenge/{auth_id}/{challenge_type}": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -33650,15 +33430,6 @@ }, "required": true }, - { - "name": "policy", - "description": "The policy name to pass through to the CIEPS service", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -33672,7 +33443,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-external-policy-policy-acme-challenge-auth_id-challenge_type", + "operationId": "pki-write-external-policy-acme-challenge-auth_id-challenge_type", "tags": [ "secrets" ], @@ -33681,7 +33452,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteExternalPolicyPolicyAcmeChallengeAuth_idChallenge_typeRequest" + "$ref": "#/components/schemas/PkiWriteExternalPolicyAcmeChallengeAuth_idChallenge_typeRequest" } } } 
@@ -33693,18 +33464,9 @@ } } }, - "/{pki_mount_path}/external-policy/{policy}/acme/directory": { + "/{pki_mount_path}/external-policy/acme/directory": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ - { - "name": "policy", - "description": "The policy name to pass through to the CIEPS service", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -33718,7 +33480,7 @@ ], "x-vault-unauthenticated": true, "get": { - "operationId": "pki-read-external-policy-policy-acme-directory", + "operationId": "pki-read-external-policy-acme-directory", "tags": [ "secrets" ], @@ -33729,21 +33491,12 @@ } } }, - "/{pki_mount_path}/external-policy/{policy}/acme/new-account": { + "/{pki_mount_path}/external-policy/acme/new-account": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { - "name": "policy", - "description": "The policy name to pass through to the CIEPS service", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "pki_mount_path", - "description": "Path that the backend was mounted at", + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", @@ -33754,7 +33507,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-external-policy-policy-acme-new-account", + "operationId": "pki-write-external-policy-acme-new-account", "tags": [ "secrets" ], @@ -33763,7 +33516,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteExternalPolicyPolicyAcmeNewAccountRequest" + "$ref": "#/components/schemas/PkiWriteExternalPolicyAcmeNewAccountRequest" } } } 
@@ -33775,18 +33528,9 @@ } } }, - "/{pki_mount_path}/external-policy/{policy}/acme/new-eab": { + "/{pki_mount_path}/external-policy/acme/new-eab": { "description": "Generate external account bindings to be used for ACME", "parameters": [ - { - "name": "policy", - "description": "The policy name to pass through to the CIEPS service", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -33817,18 +33561,9 @@ } } }, - "/{pki_mount_path}/external-policy/{policy}/acme/new-nonce": { + "/{pki_mount_path}/external-policy/acme/new-nonce": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ - { - "name": "policy", - "description": "The policy name to pass through to the CIEPS service", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -33842,7 +33577,7 @@ ], "x-vault-unauthenticated": true, "get": { - "operationId": "pki-read-external-policy-policy-acme-new-nonce", + "operationId": "pki-read-external-policy-acme-new-nonce", "tags": [ "secrets" ], @@ -33853,18 +33588,9 @@ } } }, - "/{pki_mount_path}/external-policy/{policy}/acme/new-order": { + "/{pki_mount_path}/external-policy/acme/new-order": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ - { - "name": "policy", - "description": "The policy name to pass through to the CIEPS service", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -33878,7 +33604,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-external-policy-policy-acme-new-order", + "operationId": "pki-write-external-policy-acme-new-order", "tags": [ "secrets" ], 
@@ -33887,7 +33613,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteExternalPolicyPolicyAcmeNewOrderRequest" + "$ref": "#/components/schemas/PkiWriteExternalPolicyAcmeNewOrderRequest" } } } @@ -33899,7 +33625,7 @@ } } }, - "/{pki_mount_path}/external-policy/{policy}/acme/order/{order_id}": { + "/{pki_mount_path}/external-policy/acme/order/{order_id}": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -33911,15 +33637,6 @@ }, "required": true }, - { - "name": "policy", - "description": "The policy name to pass through to the CIEPS service", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -33933,7 +33650,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-external-policy-policy-acme-order-order_id", + "operationId": "pki-write-external-policy-acme-order-order_id", "tags": [ "secrets" ], @@ -33942,7 +33659,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteExternalPolicyPolicyAcmeOrderOrder_idRequest" + "$ref": "#/components/schemas/PkiWriteExternalPolicyAcmeOrderOrder_idRequest" } } } @@ -33954,7 +33671,7 @@ } } }, - "/{pki_mount_path}/external-policy/{policy}/acme/order/{order_id}/cert": { + "/{pki_mount_path}/external-policy/acme/order/{order_id}/cert": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -33966,15 +33683,6 @@ }, "required": true }, - { - "name": "policy", - "description": "The policy name to pass through to the CIEPS service", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", 
@@ -33988,7 +33696,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-external-policy-policy-acme-order-order_id-cert", + "operationId": "pki-write-external-policy-acme-order-order_id-cert", "tags": [ "secrets" ], @@ -33997,7 +33705,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteExternalPolicyPolicyAcmeOrderOrder_idCertRequest" + "$ref": "#/components/schemas/PkiWriteExternalPolicyAcmeOrderOrder_idCertRequest" } } } @@ -34009,7 +33717,7 @@ } } }, - "/{pki_mount_path}/external-policy/{policy}/acme/order/{order_id}/finalize": { + "/{pki_mount_path}/external-policy/acme/order/{order_id}/finalize": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -34021,15 +33729,6 @@ }, "required": true }, - { - "name": "policy", - "description": "The policy name to pass through to the CIEPS service", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -34043,7 +33742,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-external-policy-policy-acme-order-order_id-finalize", + "operationId": "pki-write-external-policy-acme-order-order_id-finalize", "tags": [ "secrets" ], @@ -34052,7 +33751,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteExternalPolicyPolicyAcmeOrderOrder_idFinalizeRequest" + "$ref": "#/components/schemas/PkiWriteExternalPolicyAcmeOrderOrder_idFinalizeRequest" } } } 
@@ -34064,18 +33763,9 @@ } } }, - "/{pki_mount_path}/external-policy/{policy}/acme/orders": { + "/{pki_mount_path}/external-policy/acme/orders": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ - { - "name": "policy", - "description": "The policy name to pass through to the CIEPS service", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -34089,7 +33779,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-external-policy-policy-acme-orders", + "operationId": "pki-write-external-policy-acme-orders", "tags": [ "secrets" ], @@ -34098,7 +33788,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteExternalPolicyPolicyAcmeOrdersRequest" + "$ref": "#/components/schemas/PkiWriteExternalPolicyAcmeOrdersRequest" } } } @@ -34110,18 +33800,9 @@ } } }, - "/{pki_mount_path}/external-policy/{policy}/acme/revoke-cert": { + "/{pki_mount_path}/external-policy/acme/revoke-cert": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ - { - "name": "policy", - "description": "The policy name to pass through to the CIEPS service", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -34135,7 +33816,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-external-policy-policy-acme-revoke-cert", + "operationId": "pki-write-external-policy-acme-revoke-cert", "tags": [ "secrets" ], @@ -34144,7 +33825,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteExternalPolicyPolicyAcmeRevokeCertRequest" + "$ref": "#/components/schemas/PkiWriteExternalPolicyAcmeRevokeCertRequest" } } } 
@@ -34156,8 +33837,8 @@ } } }, - "/{pki_mount_path}/integrations/guardium": { - "description": "Configuration of Guardium Integration Endpoint", + "/{pki_mount_path}/external-policy/issue": { + "description": "Request a certificate to be generated and verified by an external policy service.", "parameters": [ { "name": "pki_mount_path", @@ -34170,22 +33851,8 @@ "required": true } ], - "x-vault-displayAttrs": { - "name": "Guardium Integration" - }, - "get": { - "operationId": "pki-read-integration-guardium", - "tags": [ - "secrets" - ], - "responses": { - "200": { - "description": "OK" - } - } - }, "post": { - "operationId": "pki-write-integration-guardium", + "operationId": "pki-write-external-policy-issue", "tags": [ "secrets" ], @@ -34194,21 +33861,38 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIntegrationGuardiumRequest" + "$ref": "#/components/schemas/PkiWriteExternalPolicyIssueRequest" } } } }, "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteExternalPolicyIssueResponse" + } + } + } } } } }, - "/{pki_mount_path}/intermediate/cross-sign": { - "description": "Generate a new CSR and private key used for signing.", + "/{pki_mount_path}/external-policy/issue/{policy}": { + "description": "Request a certificate to be generated and verified by an external policy service.", "parameters": [ + { + "name": "policy", + "description": "The policy name to pass through to the external service.", + "in": "path", + "schema": { + "type": "string", + "pattern": "\\w([\\w-.]*\\w)?" + }, + "required": true + }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -34221,7 +33905,7 @@ } ], "post": { - "operationId": "pki-cross-sign-intermediate", + "operationId": "pki-write-external-policy-issue-policy", "tags": [ "secrets" ], 
@@ -34230,7 +33914,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiCrossSignIntermediateRequest" + "$ref": "#/components/schemas/PkiWriteExternalPolicyIssuePolicyRequest" } } } @@ -34241,7 +33925,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiCrossSignIntermediateResponse" + "$ref": "#/components/schemas/PkiWriteExternalPolicyIssuePolicyResponse" } } } @@ -34249,23 +33933,9 @@ } } }, - "/{pki_mount_path}/intermediate/generate/{exported}": { - "description": "Generate a new CSR and private key used for signing.", + "/{pki_mount_path}/external-policy/sign": { + "description": "Request a certificate request to be signed and verified by an external policy service.", "parameters": [ - { - "name": "exported", - "description": "Must be \"internal\", \"exported\" or \"kms\". If set to \"exported\", the generated private key will be returned. This is your *only* chance to retrieve the private key!", - "in": "path", - "schema": { - "type": "string", - "enum": [ - "internal", - "external", - "kms" - ] - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -34278,7 +33948,7 @@ } ], "post": { - "operationId": "pki-generate-intermediate", + "operationId": "pki-write-external-policy-sign", "tags": [ "secrets" ], @@ -34287,7 +33957,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiGenerateIntermediateRequest" + "$ref": "#/components/schemas/PkiWriteExternalPolicySignRequest" } } } @@ -34298,7 +33968,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiGenerateIntermediateResponse" + "$ref": "#/components/schemas/PkiWriteExternalPolicySignResponse" } } } 
@@ -34306,8 +33976,8 @@ } } }, - "/{pki_mount_path}/intermediate/set-signed": { - "description": "Provide the signed intermediate CA cert.", + "/{pki_mount_path}/external-policy/sign-intermediate": { + "description": "Request a CA certificate to be signed by an issuer after verification by an external policy service.", "parameters": [ { "name": "pki_mount_path", @@ -34321,7 +33991,7 @@ } ], "post": { - "operationId": "pki-set-signed-intermediate", + "operationId": "pki-write-external-policy-sign-intermediate", "tags": [ "secrets" ], @@ -34330,7 +34000,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiSetSignedIntermediateRequest" + "$ref": "#/components/schemas/PkiWriteExternalPolicySignIntermediateRequest" } } } @@ -34341,7 +34011,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiSetSignedIntermediateResponse" + "$ref": "#/components/schemas/PkiWriteExternalPolicySignIntermediateResponse" } } } @@ -34349,15 +34019,16 @@ } } }, - "/{pki_mount_path}/issue/{role}": { - "description": "Request a certificate using a certain role with the provided details.", + "/{pki_mount_path}/external-policy/sign-intermediate/{policy}": { + "description": "Request a CA certificate to be signed by an issuer after verification by an external policy service.", "parameters": [ { - "name": "role", - "description": "The desired role with configuration for this request", + "name": "policy", + "description": "The policy name to pass through to the external service.", "in": "path", "schema": { - "type": "string" + "type": "string", + "pattern": "\\w([\\w-.]*\\w)?" }, "required": true }, @@ -34373,7 +34044,7 @@ } ], "post": { - "operationId": "pki-issue-with-role", + "operationId": "pki-write-external-policy-sign-intermediate-policy", "tags": [ "secrets" ], 
@@ -34382,7 +34053,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiIssueWithRoleRequest" + "$ref": "#/components/schemas/PkiWriteExternalPolicySignIntermediatePolicyRequest" } } } @@ -34393,7 +34064,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiIssueWithRoleResponse" + "$ref": "#/components/schemas/PkiWriteExternalPolicySignIntermediatePolicyResponse" } } } @@ -34401,16 +34072,16 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}": { - "description": "Fetch a single issuer certificate.", + "/{pki_mount_path}/external-policy/sign/{policy}": { + "description": "Request a certificate request to be signed and verified by an external policy service.", "parameters": [ { - "name": "issuer_ref", - "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "name": "policy", + "description": "The policy name to pass through to the external service.", "in": "path", "schema": { "type": "string", - "default": "default" + "pattern": "\\w([\\w-.]*\\w)?" }, "required": true }, 
@@ -34425,98 +34096,41 @@ "required": true } ], - "get": { - "operationId": "pki-read-issuer", + "post": { + "operationId": "pki-write-external-policy-sign-policy", "tags": [ "secrets" ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteExternalPolicySignPolicyRequest" + } + } + } + }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiReadIssuerResponse" + "$ref": "#/components/schemas/PkiWriteExternalPolicySignPolicyResponse" } } } } } - }, - "post": { - "operationId": "pki-write-issuer", - "tags": [ - "secrets" - ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerRequest" - } - } - } - }, - "responses": { - "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerResponse" - } - } - } - } - } - }, - "patch": { - "operationId": "pki-patch-issuer", - "tags": [ - "secrets" - ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiPatchIssuerRequest" - } - } - } - }, - "responses": { - "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiPatchIssuerResponse" - } - } - } - } - } - }, - "delete": { - "operationId": "pki-delete-issuer", - "tags": [ - "secrets" - ], - "responses": { - "204": { - "description": "No Content" - } - } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/acme/account/{kid}": { + "/{pki_mount_path}/external-policy/{policy}/acme/account/{kid}": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { - "name": "issuer_ref", - "description": "Reference to an existing issuer name or issuer id", + "name": "kid", + "description": "The key identifier provided by the 
CA", "in": "path", "schema": { "type": "string" @@ -34524,8 +34138,8 @@ "required": true }, { - "name": "kid", - "description": "The key identifier provided by the CA", + "name": "policy", + "description": "The policy name to pass through to the CIEPS service", "in": "path", "schema": { "type": "string" @@ -34545,7 +34159,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-acme-account-kid", + "operationId": "pki-write-external-policy-policy-acme-account-kid", "tags": [ "secrets" ], @@ -34554,7 +34168,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refAcmeAccountKidRequest" + "$ref": "#/components/schemas/PkiWriteExternalPolicyPolicyAcmeAccountKidRequest" } } } @@ -34566,7 +34180,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/acme/authorization/{auth_id}": { + "/{pki_mount_path}/external-policy/{policy}/acme/authorization/{auth_id}": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -34579,8 +34193,8 @@ "required": true }, { - "name": "issuer_ref", - "description": "Reference to an existing issuer name or issuer id", + "name": "policy", + "description": "The policy name to pass through to the CIEPS service", "in": "path", "schema": { "type": "string" @@ -34600,7 +34214,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-acme-authorization-auth_id", + "operationId": "pki-write-external-policy-policy-acme-authorization-auth_id", "tags": [ "secrets" ], @@ -34609,7 +34223,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refAcmeAuthorizationAuth_idRequest" + "$ref": "#/components/schemas/PkiWriteExternalPolicyPolicyAcmeAuthorizationAuth_idRequest" } } } 
@@ -34621,7 +34235,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/acme/challenge/{auth_id}/{challenge_type}": { + "/{pki_mount_path}/external-policy/{policy}/acme/challenge/{auth_id}/{challenge_type}": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -34643,8 +34257,8 @@ "required": true }, { - "name": "issuer_ref", - "description": "Reference to an existing issuer name or issuer id", + "name": "policy", + "description": "The policy name to pass through to the CIEPS service", "in": "path", "schema": { "type": "string" @@ -34664,7 +34278,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-acme-challenge-auth_id-challenge_type", + "operationId": "pki-write-external-policy-policy-acme-challenge-auth_id-challenge_type", "tags": [ "secrets" ], @@ -34673,7 +34287,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refAcmeChallengeAuth_idChallenge_typeRequest" + "$ref": "#/components/schemas/PkiWriteExternalPolicyPolicyAcmeChallengeAuth_idChallenge_typeRequest" } } } @@ -34685,12 +34299,12 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/acme/directory": { + "/{pki_mount_path}/external-policy/{policy}/acme/directory": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { - "name": "issuer_ref", - "description": "Reference to an existing issuer name or issuer id", + "name": "policy", + "description": "The policy name to pass through to the CIEPS service", "in": "path", "schema": { "type": "string" @@ -34710,7 +34324,7 @@ ], "x-vault-unauthenticated": true, "get": { - "operationId": "pki-read-issuer-issuer_ref-acme-directory", + "operationId": "pki-read-external-policy-policy-acme-directory", "tags": [ "secrets" ], 
@@ -34721,12 +34335,12 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/acme/new-account": { + "/{pki_mount_path}/external-policy/{policy}/acme/new-account": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { - "name": "issuer_ref", - "description": "Reference to an existing issuer name or issuer id", + "name": "policy", + "description": "The policy name to pass through to the CIEPS service", "in": "path", "schema": { "type": "string" @@ -34746,7 +34360,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-acme-new-account", + "operationId": "pki-write-external-policy-policy-acme-new-account", "tags": [ "secrets" ], @@ -34755,7 +34369,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refAcmeNewAccountRequest" + "$ref": "#/components/schemas/PkiWriteExternalPolicyPolicyAcmeNewAccountRequest" } } } @@ -34767,12 +34381,12 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/acme/new-eab": { + "/{pki_mount_path}/external-policy/{policy}/acme/new-eab": { "description": "Generate external account bindings to be used for ACME", "parameters": [ { - "name": "issuer_ref", - "description": "Reference to an existing issuer name or issuer id", + "name": "policy", + "description": "The policy name to pass through to the CIEPS service", "in": "path", "schema": { "type": "string" @@ -34791,7 +34405,7 @@ } ], "post": { - "operationId": "pki-generate-eab-key-for-issuer", + "operationId": "pki-generate-eab-key", "tags": [ "secrets" ], @@ -34801,7 +34415,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiGenerateEabKeyForIssuerResponse" + "$ref": "#/components/schemas/PkiGenerateEabKeyResponse" } } } 
@@ -34809,12 +34423,12 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/acme/new-nonce": { + "/{pki_mount_path}/external-policy/{policy}/acme/new-nonce": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { - "name": "issuer_ref", - "description": "Reference to an existing issuer name or issuer id", + "name": "policy", + "description": "The policy name to pass through to the CIEPS service", "in": "path", "schema": { "type": "string" @@ -34834,7 +34448,7 @@ ], "x-vault-unauthenticated": true, "get": { - "operationId": "pki-read-issuer-issuer_ref-acme-new-nonce", + "operationId": "pki-read-external-policy-policy-acme-new-nonce", "tags": [ "secrets" ], @@ -34845,12 +34459,12 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/acme/new-order": { + "/{pki_mount_path}/external-policy/{policy}/acme/new-order": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { - "name": "issuer_ref", - "description": "Reference to an existing issuer name or issuer id", + "name": "policy", + "description": "The policy name to pass through to the CIEPS service", "in": "path", "schema": { "type": "string" @@ -34870,7 +34484,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-acme-new-order", + "operationId": "pki-write-external-policy-policy-acme-new-order", "tags": [ "secrets" ], @@ -34879,7 +34493,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refAcmeNewOrderRequest" + "$ref": "#/components/schemas/PkiWriteExternalPolicyPolicyAcmeNewOrderRequest" } } } 
@@ -34891,12 +34505,12 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/acme/order/{order_id}": { + "/{pki_mount_path}/external-policy/{policy}/acme/order/{order_id}": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { - "name": "issuer_ref", - "description": "Reference to an existing issuer name or issuer id", + "name": "order_id", + "description": "The ACME order identifier to fetch", "in": "path", "schema": { "type": "string" @@ -34904,8 +34518,8 @@ "required": true }, { - "name": "order_id", - "description": "The ACME order identifier to fetch", + "name": "policy", + "description": "The policy name to pass through to the CIEPS service", "in": "path", "schema": { "type": "string" @@ -34925,7 +34539,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-acme-order-order_id", + "operationId": "pki-write-external-policy-policy-acme-order-order_id", "tags": [ "secrets" ], @@ -34934,7 +34548,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refAcmeOrderOrder_idRequest" + "$ref": "#/components/schemas/PkiWriteExternalPolicyPolicyAcmeOrderOrder_idRequest" } } } @@ -34946,12 +34560,12 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/acme/order/{order_id}/cert": { + "/{pki_mount_path}/external-policy/{policy}/acme/order/{order_id}/cert": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { - "name": "issuer_ref", - "description": "Reference to an existing issuer name or issuer id", + "name": "order_id", + "description": "The ACME order identifier to fetch", "in": "path", "schema": { "type": "string" @@ -34959,8 +34573,8 @@ "required": true }, { - "name": "order_id", - "description": "The ACME order identifier to fetch", + "name": "policy", + "description": "The policy name to pass through to the CIEPS service", "in": "path", "schema": { "type": "string" 
@@ -34980,7 +34594,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-acme-order-order_id-cert", + "operationId": "pki-write-external-policy-policy-acme-order-order_id-cert", "tags": [ "secrets" ], @@ -34989,7 +34603,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refAcmeOrderOrder_idCertRequest" + "$ref": "#/components/schemas/PkiWriteExternalPolicyPolicyAcmeOrderOrder_idCertRequest" } } } @@ -35001,12 +34615,12 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/acme/order/{order_id}/finalize": { + "/{pki_mount_path}/external-policy/{policy}/acme/order/{order_id}/finalize": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { - "name": "issuer_ref", - "description": "Reference to an existing issuer name or issuer id", + "name": "order_id", + "description": "The ACME order identifier to fetch", "in": "path", "schema": { "type": "string" @@ -35014,8 +34628,8 @@ "required": true }, { - "name": "order_id", - "description": "The ACME order identifier to fetch", + "name": "policy", + "description": "The policy name to pass through to the CIEPS service", "in": "path", "schema": { "type": "string" @@ -35035,7 +34649,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-acme-order-order_id-finalize", + "operationId": "pki-write-external-policy-policy-acme-order-order_id-finalize", "tags": [ "secrets" ], @@ -35044,7 +34658,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refAcmeOrderOrder_idFinalizeRequest" + "$ref": "#/components/schemas/PkiWriteExternalPolicyPolicyAcmeOrderOrder_idFinalizeRequest" } } } 
@@ -35056,12 +34670,12 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/acme/orders": { + "/{pki_mount_path}/external-policy/{policy}/acme/orders": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { - "name": "issuer_ref", - "description": "Reference to an existing issuer name or issuer id", + "name": "policy", + "description": "The policy name to pass through to the CIEPS service", "in": "path", "schema": { "type": "string" @@ -35081,7 +34695,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-acme-orders", + "operationId": "pki-write-external-policy-policy-acme-orders", "tags": [ "secrets" ], @@ -35090,7 +34704,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refAcmeOrdersRequest" + "$ref": "#/components/schemas/PkiWriteExternalPolicyPolicyAcmeOrdersRequest" } } } @@ -35102,12 +34716,12 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/acme/revoke-cert": { + "/{pki_mount_path}/external-policy/{policy}/acme/revoke-cert": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { - "name": "issuer_ref", - "description": "Reference to an existing issuer name or issuer id", + "name": "policy", + "description": "The policy name to pass through to the CIEPS service", "in": "path", "schema": { "type": "string" @@ -35127,7 +34741,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-acme-revoke-cert", + "operationId": "pki-write-external-policy-policy-acme-revoke-cert", "tags": [ "secrets" ], @@ -35136,7 +34750,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refAcmeRevokeCertRequest" + "$ref": "#/components/schemas/PkiWriteExternalPolicyPolicyAcmeRevokeCertRequest" } } } 
@@ -35148,19 +34762,9 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/crl": { - "description": "Fetch an issuer's Certificate Revocation Log (CRL).", + "/{pki_mount_path}/integrations/guardium": { + "description": "Configuration of Guardium Integration Endpoint", "parameters": [ - { - "name": "issuer_ref", - "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", - "in": "path", - "schema": { - "type": "string", - "default": "default" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", 
@@ -35172,39 +34776,45 @@ "required": true } ], - "x-vault-unauthenticated": true, + "x-vault-displayAttrs": { + "name": "Guardium Integration" + }, "get": { - "operationId": "pki-issuer-read-crl", + "operationId": "pki-read-integration-guardium", "tags": [ "secrets" ], "responses": { "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiIssuerReadCrlResponse" - } + "description": "OK" + } + } + }, + "post": { + "operationId": "pki-write-integration-guardium", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIntegrationGuardiumRequest" } } } + }, + "responses": { + "200": { + "description": "OK" + } } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/crl/delta": { - "description": "Fetch an issuer's Certificate Revocation Log (CRL).", + "/{pki_mount_path}/intermediate/cross-sign": { + "description": "Generate a new CSR and private key used for signing.", "parameters": [ - { - "name": "issuer_ref", - "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", - "in": "path", - "schema": { - "type": "string", - "default": "default" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", 
@@ -35216,19 +34826,28 @@ "required": true } ], - "x-vault-unauthenticated": true, - "get": { - "operationId": "pki-issuer-read-crl-delta", + "post": { + "operationId": "pki-cross-sign-intermediate", "tags": [ "secrets" ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiCrossSignIntermediateRequest" + } + } + } + }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiIssuerReadCrlDeltaResponse" + "$ref": "#/components/schemas/PkiCrossSignIntermediateResponse" } } } @@ -35236,16 +34855,20 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/crl/delta/der": { - "description": "Fetch an issuer's Certificate Revocation Log (CRL).", + "/{pki_mount_path}/intermediate/generate/{exported}": { + "description": "Generate a new CSR and private key used for signing.", "parameters": [ { - "name": "issuer_ref", - "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "name": "exported", + "description": "Must be \"internal\", \"exported\" or \"kms\". If set to \"exported\", the generated private key will be returned. This is your *only* chance to retrieve the private key!", "in": "path", "schema": { "type": "string", - "default": "default" + "enum": [ + "internal", + "external", + "kms" + ] }, "required": true }, 
@@ -35260,19 +34883,28 @@ "required": true } ], - "x-vault-unauthenticated": true, - "get": { - "operationId": "pki-issuer-read-crl-delta-der", + "post": { + "operationId": "pki-generate-intermediate", "tags": [ "secrets" ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiGenerateIntermediateRequest" + } + } + } + }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiIssuerReadCrlDeltaDerResponse" + "$ref": "#/components/schemas/PkiGenerateIntermediateResponse" } } } @@ -35280,19 +34912,9 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/crl/delta/pem": { - "description": "Fetch an issuer's Certificate Revocation Log (CRL).", + "/{pki_mount_path}/intermediate/set-signed": { + "description": "Provide the signed intermediate CA cert.", "parameters": [ - { - "name": "issuer_ref", - "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", - "in": "path", - "schema": { - "type": "string", - "default": "default" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -35304,19 +34926,28 @@ "required": true } ], - "x-vault-unauthenticated": true, - "get": { - "operationId": "pki-issuer-read-crl-delta-pem", + "post": { + "operationId": "pki-set-signed-intermediate", "tags": [ "secrets" ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiSetSignedIntermediateRequest" + } + } + } + }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiIssuerReadCrlDeltaPemResponse" + "$ref": "#/components/schemas/PkiSetSignedIntermediateResponse" } } } 
@@ -35324,16 +34955,15 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/crl/der": { - "description": "Fetch an issuer's Certificate Revocation Log (CRL).", + "/{pki_mount_path}/issue/{role}": { + "description": "Request a certificate using a certain role with the provided details.", "parameters": [ { - "name": "issuer_ref", - "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "name": "role", + "description": "The desired role with configuration for this request", "in": "path", "schema": { - "type": "string", - "default": "default" + "type": "string" }, "required": true }, @@ -35348,19 +34978,28 @@ "required": true } ], - "x-vault-unauthenticated": true, - "get": { - "operationId": "pki-issuer-read-crl-der", + "post": { + "operationId": "pki-issue-with-role", "tags": [ "secrets" ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssueWithRoleRequest" + } + } + } + }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiIssuerReadCrlDerResponse" + "$ref": "#/components/schemas/PkiIssueWithRoleResponse" } } } @@ -35368,8 +35007,8 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/crl/pem": { - "description": "Fetch an issuer's Certificate Revocation Log (CRL).", + "/{pki_mount_path}/issuer/{issuer_ref}": { + "description": "Fetch a single issuer certificate.", "parameters": [ { "name": "issuer_ref", @@ -35392,9 +35031,8 @@ "required": true } ], - "x-vault-unauthenticated": true, "get": { - "operationId": "pki-issuer-read-crl-pem", + "operationId": "pki-read-issuer", "tags": [ "secrets" ], 
@@ -35404,86 +35042,43 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiIssuerReadCrlPemResponse" + "$ref": "#/components/schemas/PkiReadIssuerResponse" } } } } } - } - }, - "/{pki_mount_path}/issuer/{issuer_ref}/der": { - "description": "Fetch a single issuer certificate.", - "parameters": [ - { - "name": "issuer_ref", - "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", - "in": "path", - "schema": { - "type": "string", - "default": "default" - }, - "required": true - }, - { - "name": "pki_mount_path", - "description": "Path that the backend was mounted at", - "in": "path", - "schema": { - "type": "string", - "default": "pki" - }, - "required": true - } - ], - "x-vault-unauthenticated": true, - "get": { - "operationId": "pki-read-issuer-der", + }, + "post": { + "operationId": "pki-write-issuer", "tags": [ "secrets" ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerRequest" + } + } + } + }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiReadIssuerDerResponse" + "$ref": "#/components/schemas/PkiWriteIssuerResponse" } } } - }, - "304": { - "description": "Not Modified" } } - } - }, - "/{pki_mount_path}/issuer/{issuer_ref}/export-private": { - "parameters": [ - { - "name": "issuer_ref", - "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", - "in": "path", - "schema": { - "type": "string", - "default": "default" - }, - "required": true - }, - { - "name": "pki_mount_path", - "description": "Path that the backend was mounted at", - "in": "path", - "schema": { - "type": "string", - "default": "pki" - }, - "required": true - } - ], - "post": { - "operationId": 
"pki-write-issuer-issuer_ref-export-private", + }, + "patch": { + "operationId": "pki-patch-issuer", "tags": [ "secrets" ], @@ -35492,7 +35087,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExportPrivateRequest" + "$ref": "#/components/schemas/PkiPatchIssuerRequest" } } } @@ -35503,18 +35098,26 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExportPrivateResponse" + "$ref": "#/components/schemas/PkiPatchIssuerResponse" } } } - }, - "304": { - "description": "Not Modified" + } + } + }, + "delete": { + "operationId": "pki-delete-issuer", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "No Content" } } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/acme/account/{kid}": { + "/{pki_mount_path}/issuer/{issuer_ref}/acme/account/{kid}": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -35548,7 +35151,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-external-policy-acme-account-kid", + "operationId": "pki-write-issuer-issuer_ref-acme-account-kid", "tags": [ "secrets" ], @@ -35557,7 +35160,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyAcmeAccountKidRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refAcmeAccountKidRequest" } } } @@ -35569,7 +35172,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/acme/authorization/{auth_id}": { + "/{pki_mount_path}/issuer/{issuer_ref}/acme/authorization/{auth_id}": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { 
@@ -35603,7 +35206,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-external-policy-acme-authorization-auth_id", + "operationId": "pki-write-issuer-issuer_ref-acme-authorization-auth_id", "tags": [ "secrets" ], @@ -35612,7 +35215,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyAcmeAuthorizationAuth_idRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refAcmeAuthorizationAuth_idRequest" } } } @@ -35624,7 +35227,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/acme/challenge/{auth_id}/{challenge_type}": { + "/{pki_mount_path}/issuer/{issuer_ref}/acme/challenge/{auth_id}/{challenge_type}": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -35667,7 +35270,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-external-policy-acme-challenge-auth_id-challenge_type", + "operationId": "pki-write-issuer-issuer_ref-acme-challenge-auth_id-challenge_type", "tags": [ "secrets" ], @@ -35676,7 +35279,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyAcmeChallengeAuth_idChallenge_typeRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refAcmeChallengeAuth_idChallenge_typeRequest" } } } @@ -35688,7 +35291,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/acme/directory": { + "/{pki_mount_path}/issuer/{issuer_ref}/acme/directory": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -35713,7 +35316,7 @@ ], "x-vault-unauthenticated": true, "get": { - "operationId": "pki-read-issuer-issuer_ref-external-policy-acme-directory", + "operationId": "pki-read-issuer-issuer_ref-acme-directory", "tags": [ "secrets" ], 
@@ -35724,7 +35327,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/acme/new-account": { + "/{pki_mount_path}/issuer/{issuer_ref}/acme/new-account": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -35749,7 +35352,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-external-policy-acme-new-account", + "operationId": "pki-write-issuer-issuer_ref-acme-new-account", "tags": [ "secrets" ], @@ -35758,7 +35361,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyAcmeNewAccountRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refAcmeNewAccountRequest" } } } @@ -35770,7 +35373,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/acme/new-eab": { + "/{pki_mount_path}/issuer/{issuer_ref}/acme/new-eab": { "description": "Generate external account bindings to be used for ACME", "parameters": [ { @@ -35812,7 +35415,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/acme/new-nonce": { + "/{pki_mount_path}/issuer/{issuer_ref}/acme/new-nonce": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -35837,7 +35440,7 @@ ], "x-vault-unauthenticated": true, "get": { - "operationId": "pki-read-issuer-issuer_ref-external-policy-acme-new-nonce", + "operationId": "pki-read-issuer-issuer_ref-acme-new-nonce", "tags": [ "secrets" ], @@ -35848,7 +35451,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/acme/new-order": { + "/{pki_mount_path}/issuer/{issuer_ref}/acme/new-order": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -35873,7 +35476,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-external-policy-acme-new-order", + "operationId": "pki-write-issuer-issuer_ref-acme-new-order", "tags": [ "secrets" ], 
@@ -35882,7 +35485,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyAcmeNewOrderRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refAcmeNewOrderRequest" } } } @@ -35894,7 +35497,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/acme/order/{order_id}": { + "/{pki_mount_path}/issuer/{issuer_ref}/acme/order/{order_id}": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -35928,7 +35531,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-external-policy-acme-order-order_id", + "operationId": "pki-write-issuer-issuer_ref-acme-order-order_id", "tags": [ "secrets" ], @@ -35937,7 +35540,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyAcmeOrderOrder_idRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refAcmeOrderOrder_idRequest" } } } @@ -35949,7 +35552,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/acme/order/{order_id}/cert": { + "/{pki_mount_path}/issuer/{issuer_ref}/acme/order/{order_id}/cert": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -35983,7 +35586,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-external-policy-acme-order-order_id-cert", + "operationId": "pki-write-issuer-issuer_ref-acme-order-order_id-cert", "tags": [ "secrets" ], @@ -35992,7 +35595,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyAcmeOrderOrder_idCertRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refAcmeOrderOrder_idCertRequest" } } } 
@@ -36004,7 +35607,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/acme/order/{order_id}/finalize": { + "/{pki_mount_path}/issuer/{issuer_ref}/acme/order/{order_id}/finalize": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -36038,7 +35641,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-external-policy-acme-order-order_id-finalize", + "operationId": "pki-write-issuer-issuer_ref-acme-order-order_id-finalize", "tags": [ "secrets" ], @@ -36047,7 +35650,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyAcmeOrderOrder_idFinalizeRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refAcmeOrderOrder_idFinalizeRequest" } } } @@ -36059,7 +35662,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/acme/orders": { + "/{pki_mount_path}/issuer/{issuer_ref}/acme/orders": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -36084,7 +35687,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-external-policy-acme-orders", + "operationId": "pki-write-issuer-issuer_ref-acme-orders", "tags": [ "secrets" ], @@ -36093,7 +35696,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyAcmeOrdersRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refAcmeOrdersRequest" } } } @@ -36105,7 +35708,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/acme/revoke-cert": { + "/{pki_mount_path}/issuer/{issuer_ref}/acme/revoke-cert": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { 
@@ -36130,7 +35733,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-external-policy-acme-revoke-cert", + "operationId": "pki-write-issuer-issuer_ref-acme-revoke-cert", "tags": [ "secrets" ], @@ -36139,7 +35742,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyAcmeRevokeCertRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refAcmeRevokeCertRequest" } } } @@ -36151,15 +35754,16 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/issue": { - "description": "Request a certificate to be generated and verified by an external policy service.", + "/{pki_mount_path}/issuer/{issuer_ref}/crl": { + "description": "Fetch an issuer's Certificate Revocation Log (CRL).", "parameters": [ { "name": "issuer_ref", - "description": "Reference to an existing issuer name or issuer id", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", "in": "path", "schema": { - "type": "string" + "type": "string", + "default": "default" }, "required": true }, @@ -36174,28 +35778,19 @@ "required": true } ], - "post": { - "operationId": "pki-write-issuer-issuer_ref-external-policy-issue", + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-issuer-read-crl", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyIssueRequest" - } - } - } - }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyIssueResponse" + "$ref": "#/components/schemas/PkiIssuerReadCrlResponse" } } } 
@@ -36203,25 +35798,16 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/issue/{policy}": { - "description": "Request a certificate to be generated and verified by an external policy service.", + "/{pki_mount_path}/issuer/{issuer_ref}/crl/delta": { + "description": "Fetch an issuer's Certificate Revocation Log (CRL).", "parameters": [ { "name": "issuer_ref", - "description": "Reference to an existing issuer name or issuer id", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "policy", - "description": "The policy name to pass through to the external service.", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", "in": "path", "schema": { "type": "string", - "pattern": "\\w([\\w-.]*\\w)?" + "default": "default" }, "required": true }, @@ -36236,28 +35822,19 @@ "required": true } ], - "post": { - "operationId": "pki-write-issuer-issuer_ref-external-policy-issue-policy", + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-issuer-read-crl-delta", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyIssuePolicyRequest" - } - } - } - }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyIssuePolicyResponse" + "$ref": "#/components/schemas/PkiIssuerReadCrlDeltaResponse" } } } 
@@ -36265,15 +35842,16 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/sign": { - "description": "Request a certificate request to be signed and verified by an external policy service.", + "/{pki_mount_path}/issuer/{issuer_ref}/crl/delta/der": { + "description": "Fetch an issuer's Certificate Revocation Log (CRL).", "parameters": [ { "name": "issuer_ref", - "description": "Reference to an existing issuer name or issuer id", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", "in": "path", "schema": { - "type": "string" + "type": "string", + "default": "default" }, "required": true }, @@ -36288,28 +35866,19 @@ "required": true } ], - "post": { - "operationId": "pki-write-issuer-issuer_ref-external-policy-sign", + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-issuer-read-crl-delta-der", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicySignRequest" - } - } - } - }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicySignResponse" + "$ref": "#/components/schemas/PkiIssuerReadCrlDeltaDerResponse" } } } 
@@ -36317,15 +35886,16 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/sign-intermediate": { - "description": "Request a CA certificate to be signed by an issuer after verification by an external policy service.", + "/{pki_mount_path}/issuer/{issuer_ref}/crl/delta/pem": { + "description": "Fetch an issuer's Certificate Revocation Log (CRL).", "parameters": [ { "name": "issuer_ref", - "description": "Reference to an existing issuer name or issuer id", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", "in": "path", "schema": { - "type": "string" + "type": "string", + "default": "default" }, "required": true }, @@ -36340,28 +35910,19 @@ "required": true } ], - "post": { - "operationId": "pki-write-issuer-issuer_ref-external-policy-sign-intermediate", + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-issuer-read-crl-delta-pem", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicySignIntermediateRequest" - } - } - } - }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicySignIntermediateResponse" + "$ref": "#/components/schemas/PkiIssuerReadCrlDeltaPemResponse" } } } 
@@ -36369,25 +35930,16 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/sign-intermediate/{policy}": { - "description": "Request a CA certificate to be signed by an issuer after verification by an external policy service.", + "/{pki_mount_path}/issuer/{issuer_ref}/crl/der": { + "description": "Fetch an issuer's Certificate Revocation Log (CRL).", "parameters": [ { "name": "issuer_ref", - "description": "Reference to an existing issuer name or issuer id", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "policy", - "description": "The policy name to pass through to the external service.", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", "in": "path", "schema": { "type": "string", - "pattern": "\\w([\\w-.]*\\w)?" + "default": "default" }, "required": true }, @@ -36402,28 +35954,19 @@ "required": true } ], - "post": { - "operationId": "pki-write-issuer-issuer_ref-external-policy-sign-intermediate-policy", + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-issuer-read-crl-der", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicySignIntermediatePolicyRequest" - } - } - } - }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicySignIntermediatePolicyResponse" + "$ref": "#/components/schemas/PkiIssuerReadCrlDerResponse" } } } 
@@ -36431,25 +35974,16 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/sign/{policy}": { - "description": "Request a certificate request to be signed and verified by an external policy service.", + "/{pki_mount_path}/issuer/{issuer_ref}/crl/pem": { + "description": "Fetch an issuer's Certificate Revocation Log (CRL).", "parameters": [ { "name": "issuer_ref", - "description": "Reference to an existing issuer name or issuer id", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "policy", - "description": "The policy name to pass through to the external service.", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", "in": "path", "schema": { "type": "string", - "pattern": "\\w([\\w-.]*\\w)?" + "default": "default" }, "required": true }, @@ -36464,28 +35998,19 @@ "required": true } ], - "post": { - "operationId": "pki-write-issuer-issuer_ref-external-policy-sign-policy", + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-issuer-read-crl-pem", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicySignPolicyRequest" - } - } - } - }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicySignPolicyResponse" + "$ref": "#/components/schemas/PkiIssuerReadCrlPemResponse" } } } 
@@ -36493,33 +36018,16 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/{policy}/acme/account/{kid}": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_mount_path}/issuer/{issuer_ref}/der": { + "description": "Fetch a single issuer certificate.", "parameters": [ { "name": "issuer_ref", - "description": "Reference to an existing issuer name or issuer id", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "kid", - "description": "The key identifier provided by the CA", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "policy", - "description": "The policy name to pass through to the CIEPS service", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", "in": "path", "schema": { - "type": "string" + "type": "string", + "default": "default" }, "required": true }, 
@@ -36535,40 +36043,86 @@ } ], "x-vault-unauthenticated": true, - "post": { - "operationId": "pki-write-issuer-issuer_ref-external-policy-policy-acme-account-kid", + "get": { + "operationId": "pki-read-issuer-der", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyPolicyAcmeAccountKidRequest" - } - } - } - }, "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadIssuerDerResponse" + } + } + } + }, + "304": { + "description": "Not Modified" } } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/{policy}/acme/authorization/{auth_id}": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_mount_path}/issuer/{issuer_ref}/export-private": { "parameters": [ { - "name": "auth_id", - "description": "ACME authorization identifier value", + "name": "issuer_ref", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", "in": "path", "schema": { - "type": "string" + "type": "string", + "default": "default" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" }, "required": true + } + ], + "post": { + "operationId": "pki-write-issuer-issuer_ref-export-private", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExportPrivateRequest" + } + } + } }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExportPrivateResponse" + } + } + } + }, + 
"304": { + "description": "Not Modified" + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/acme/account/{kid}": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ { "name": "issuer_ref", "description": "Reference to an existing issuer name or issuer id", @@ -36579,8 +36133,8 @@ "required": true }, { - "name": "policy", - "description": "The policy name to pass through to the CIEPS service", + "name": "kid", + "description": "The key identifier provided by the CA", "in": "path", "schema": { "type": "string" @@ -36600,7 +36154,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-external-policy-policy-acme-authorization-auth_id", + "operationId": "pki-write-issuer-issuer_ref-external-policy-acme-account-kid", "tags": [ "secrets" ], @@ -36609,7 +36163,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyPolicyAcmeAuthorizationAuth_idRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyAcmeAccountKidRequest" } } } @@ -36621,7 +36175,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/{policy}/acme/challenge/{auth_id}/{challenge_type}": { + "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/acme/authorization/{auth_id}": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -36634,8 +36188,8 @@ "required": true }, { - "name": "challenge_type", - "description": "ACME challenge type", + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", "in": "path", "schema": { "type": "string" 
@@ -36643,8 +36197,45 @@ "required": true }, { - "name": "issuer_ref", - "description": "Reference to an existing issuer name or issuer id", + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-issuer-issuer_ref-external-policy-acme-authorization-auth_id", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyAcmeAuthorizationAuth_idRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/acme/challenge/{auth_id}/{challenge_type}": { + "description": "An endpoint implementing the standard ACME protocol", + "parameters": [ + { + "name": "auth_id", + "description": "ACME authorization identifier value", "in": "path", "schema": { "type": "string" @@ -36652,8 +36243,17 @@ "required": true }, { - "name": "policy", - "description": "The policy name to pass through to the CIEPS service", + "name": "challenge_type", + "description": "ACME challenge type", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", "in": "path", "schema": { "type": "string" @@ -36673,7 +36273,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-external-policy-policy-acme-challenge-auth_id-challenge_type", + "operationId": "pki-write-issuer-issuer_ref-external-policy-acme-challenge-auth_id-challenge_type", "tags": [ "secrets" ], 
@@ -36682,7 +36282,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyPolicyAcmeChallengeAuth_idChallenge_typeRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyAcmeChallengeAuth_idChallenge_typeRequest" } } } @@ -36694,7 +36294,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/{policy}/acme/directory": { + "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/acme/directory": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -36706,15 +36306,6 @@ }, "required": true }, - { - "name": "policy", - "description": "The policy name to pass through to the CIEPS service", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -36728,7 +36319,7 @@ ], "x-vault-unauthenticated": true, "get": { - "operationId": "pki-read-issuer-issuer_ref-external-policy-policy-acme-directory", + "operationId": "pki-read-issuer-issuer_ref-external-policy-acme-directory", "tags": [ "secrets" ], @@ -36739,7 +36330,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/{policy}/acme/new-account": { + "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/acme/new-account": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -36751,15 +36342,6 @@ }, "required": true }, - { - "name": "policy", - "description": "The policy name to pass through to the CIEPS service", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", 
@@ -36773,7 +36355,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-external-policy-policy-acme-new-account", + "operationId": "pki-write-issuer-issuer_ref-external-policy-acme-new-account", "tags": [ "secrets" ], @@ -36782,7 +36364,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyPolicyAcmeNewAccountRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyAcmeNewAccountRequest" } } } @@ -36794,7 +36376,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/{policy}/acme/new-eab": { + "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/acme/new-eab": { "description": "Generate external account bindings to be used for ACME", "parameters": [ { @@ -36806,15 +36388,6 @@ }, "required": true }, - { - "name": "policy", - "description": "The policy name to pass through to the CIEPS service", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -36845,7 +36418,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/{policy}/acme/new-nonce": { + "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/acme/new-nonce": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -36857,15 +36430,6 @@ }, "required": true }, - { - "name": "policy", - "description": "The policy name to pass through to the CIEPS service", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -36879,7 +36443,7 @@ ], "x-vault-unauthenticated": true, "get": { - "operationId": "pki-read-issuer-issuer_ref-external-policy-policy-acme-new-nonce", + "operationId": "pki-read-issuer-issuer_ref-external-policy-acme-new-nonce", "tags": [ "secrets" ], 
@@ -36890,7 +36454,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/{policy}/acme/new-order": { + "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/acme/new-order": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -36902,15 +36466,6 @@ }, "required": true }, - { - "name": "policy", - "description": "The policy name to pass through to the CIEPS service", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -36924,7 +36479,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-external-policy-policy-acme-new-order", + "operationId": "pki-write-issuer-issuer_ref-external-policy-acme-new-order", "tags": [ "secrets" ], @@ -36933,7 +36488,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyPolicyAcmeNewOrderRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyAcmeNewOrderRequest" } } } @@ -36945,7 +36500,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/{policy}/acme/order/{order_id}": { + "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/acme/order/{order_id}": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -36966,15 +36521,6 @@ }, "required": true }, - { - "name": "policy", - "description": "The policy name to pass through to the CIEPS service", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -36988,7 +36534,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-external-policy-policy-acme-order-order_id", + "operationId": "pki-write-issuer-issuer_ref-external-policy-acme-order-order_id", "tags": [ "secrets" ], 
@@ -36997,7 +36543,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyPolicyAcmeOrderOrder_idRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyAcmeOrderOrder_idRequest" } } } @@ -37009,7 +36555,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/{policy}/acme/order/{order_id}/cert": { + "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/acme/order/{order_id}/cert": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -37030,15 +36576,6 @@ }, "required": true }, - { - "name": "policy", - "description": "The policy name to pass through to the CIEPS service", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -37052,7 +36589,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-external-policy-policy-acme-order-order_id-cert", + "operationId": "pki-write-issuer-issuer_ref-external-policy-acme-order-order_id-cert", "tags": [ "secrets" ], @@ -37061,7 +36598,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyPolicyAcmeOrderOrder_idCertRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyAcmeOrderOrder_idCertRequest" } } } @@ -37073,7 +36610,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/{policy}/acme/order/{order_id}/finalize": { + "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/acme/order/{order_id}/finalize": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { 
@@ -37094,15 +36631,6 @@ }, "required": true }, - { - "name": "policy", - "description": "The policy name to pass through to the CIEPS service", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -37116,7 +36644,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-external-policy-policy-acme-order-order_id-finalize", + "operationId": "pki-write-issuer-issuer_ref-external-policy-acme-order-order_id-finalize", "tags": [ "secrets" ], @@ -37125,7 +36653,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyPolicyAcmeOrderOrder_idFinalizeRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyAcmeOrderOrder_idFinalizeRequest" } } } @@ -37137,7 +36665,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/{policy}/acme/orders": { + "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/acme/orders": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -37149,15 +36677,6 @@ }, "required": true }, - { - "name": "policy", - "description": "The policy name to pass through to the CIEPS service", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -37171,7 +36690,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-external-policy-policy-acme-orders", + "operationId": "pki-write-issuer-issuer_ref-external-policy-acme-orders", "tags": [ "secrets" ], @@ -37180,7 +36699,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyPolicyAcmeOrdersRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyAcmeOrdersRequest" } } } 
@@ -37192,7 +36711,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/{policy}/acme/revoke-cert": { + "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/acme/revoke-cert": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -37205,8 +36724,45 @@ "required": true }, { - "name": "policy", - "description": "The policy name to pass through to the CIEPS service", + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-issuer-issuer_ref-external-policy-acme-revoke-cert", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyAcmeRevokeCertRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/issue": { + "description": "Request a certificate to be generated and verified by an external policy service.", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", "in": "path", "schema": { "type": "string" @@ -37224,9 +36780,8 @@ "required": true } ], - "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-external-policy-policy-acme-revoke-cert", + "operationId": "pki-write-issuer-issuer_ref-external-policy-issue", "tags": [ "secrets" ], 
@@ -37235,37 +36790,44 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyPolicyAcmeRevokeCertRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyIssueRequest" } } } }, "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyIssueResponse" + } + } + } } } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/issue/{role}": { - "description": "Request a certificate using a certain role with the provided details.", + "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/issue/{policy}": { + "description": "Request a certificate to be generated and verified by an external policy service.", "parameters": [ { "name": "issuer_ref", - "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "description": "Reference to an existing issuer name or issuer id", "in": "path", "schema": { - "type": "string", - "default": "default" + "type": "string" }, "required": true }, { - "name": "role", - "description": "The desired role with configuration for this request", + "name": "policy", + "description": "The policy name to pass through to the external service.", "in": "path", "schema": { - "type": "string" + "type": "string", + "pattern": "\\w([\\w-.]*\\w)?" }, "required": true }, @@ -37281,7 +36843,7 @@ } ], "post": { - "operationId": "pki-issuer-issue-with-role", + "operationId": "pki-write-issuer-issuer_ref-external-policy-issue-policy", "tags": [ "secrets" ], @@ -37290,7 +36852,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiIssuerIssueWithRoleRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyIssuePolicyRequest" } } } 
@@ -37301,7 +36863,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiIssuerIssueWithRoleResponse" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyIssuePolicyResponse" } } } @@ -37309,16 +36871,15 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/json": { - "description": "Fetch a single issuer certificate.", + "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/sign": { + "description": "Request a certificate request to be signed and verified by an external policy service.", "parameters": [ { "name": "issuer_ref", - "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "description": "Reference to an existing issuer name or issuer id", "in": "path", "schema": { - "type": "string", - "default": "default" + "type": "string" }, "required": true }, 
@@ -37333,39 +36894,44 @@ "required": true } ], - "x-vault-unauthenticated": true, - "get": { - "operationId": "pki-read-issuer-json", + "post": { + "operationId": "pki-write-issuer-issuer_ref-external-policy-sign", "tags": [ "secrets" ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicySignRequest" + } + } + } + }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiReadIssuerJsonResponse" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicySignResponse" } } } - }, - "304": { - "description": "Not Modified" } } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/pem": { - "description": "Fetch a single issuer certificate.", + "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/sign-intermediate": { + "description": "Request a CA certificate to be signed by an issuer after verification by an external policy service.", "parameters": [ { "name": "issuer_ref", - "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "description": "Reference to an existing issuer name or issuer id", "in": "path", "schema": { - "type": "string", - "default": "default" + "type": "string" }, "required": true }, 
@@ -37380,39 +36946,54 @@ "required": true } ], - "x-vault-unauthenticated": true, - "get": { - "operationId": "pki-read-issuer-pem", + "post": { + "operationId": "pki-write-issuer-issuer_ref-external-policy-sign-intermediate", "tags": [ "secrets" ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicySignIntermediateRequest" + } + } + } + }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiReadIssuerPemResponse" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicySignIntermediateResponse" } } } - }, - "304": { - "description": "Not Modified" } } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/resign-crls": { - "description": "Combine and sign with the provided issuer different CRLs", + "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/sign-intermediate/{policy}": { + "description": "Request a CA certificate to be signed by an issuer after verification by an external policy service.", "parameters": [ { "name": "issuer_ref", - "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "description": "Reference to an existing issuer name or issuer id", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "policy", + "description": "The policy name to pass through to the external service.", "in": "path", "schema": { "type": "string", - "default": "default" + "pattern": "\\w([\\w-.]*\\w)?" }, "required": true }, @@ -37428,7 +37009,7 @@ } ], "post": { - "operationId": "pki-issuer-resign-crls", + "operationId": "pki-write-issuer-issuer_ref-external-policy-sign-intermediate-policy", "tags": [ "secrets" ], 
@@ -37437,7 +37018,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiIssuerResignCrlsRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicySignIntermediatePolicyRequest" } } } @@ -37448,7 +37029,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiIssuerResignCrlsResponse" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicySignIntermediatePolicyResponse" } } } @@ -37456,16 +37037,25 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/revoke": { - "description": "Revoke the specified issuer certificate.", + "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/sign/{policy}": { + "description": "Request a certificate request to be signed and verified by an external policy service.", "parameters": [ { "name": "issuer_ref", - "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "description": "Reference to an existing issuer name or issuer id", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "policy", + "description": "The policy name to pass through to the external service.", "in": "path", "schema": { "type": "string", - "default": "default" + "pattern": "\\w([\\w-.]*\\w)?" }, "required": true }, @@ -37481,17 +37071,27 @@ } ], "post": { - "operationId": "pki-revoke-issuer", + "operationId": "pki-write-issuer-issuer_ref-external-policy-sign-policy", "tags": [ "secrets" ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicySignPolicyRequest" + } + } + } + }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiRevokeIssuerResponse" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicySignPolicyResponse" } } } 
@@ -37499,7 +37099,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/account/{kid}": { + "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/{policy}/acme/account/{kid}": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -37521,8 +37121,8 @@ "required": true }, { - "name": "role", - "description": "The desired role for the acme request", + "name": "policy", + "description": "The policy name to pass through to the CIEPS service", "in": "path", "schema": { "type": "string" @@ -37542,7 +37142,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-roles-role-acme-account-kid", + "operationId": "pki-write-issuer-issuer_ref-external-policy-policy-acme-account-kid", "tags": [ "secrets" ], @@ -37551,7 +37151,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refRolesRoleAcmeAccountKidRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyPolicyAcmeAccountKidRequest" } } } @@ -37563,7 +37163,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/authorization/{auth_id}": { + "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/{policy}/acme/authorization/{auth_id}": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -37585,8 +37185,8 @@ "required": true }, { - "name": "role", - "description": "The desired role for the acme request", + "name": "policy", + "description": "The policy name to pass through to the CIEPS service", "in": "path", "schema": { "type": "string" @@ -37606,7 +37206,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-roles-role-acme-authorization-auth_id", + "operationId": "pki-write-issuer-issuer_ref-external-policy-policy-acme-authorization-auth_id", "tags": [ "secrets" ], 
@@ -37615,7 +37215,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refRolesRoleAcmeAuthorizationAuth_idRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyPolicyAcmeAuthorizationAuth_idRequest" } } } @@ -37627,7 +37227,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/challenge/{auth_id}/{challenge_type}": { + "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/{policy}/acme/challenge/{auth_id}/{challenge_type}": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -37658,8 +37258,8 @@ "required": true }, { - "name": "role", - "description": "The desired role for the acme request", + "name": "policy", + "description": "The policy name to pass through to the CIEPS service", "in": "path", "schema": { "type": "string" @@ -37679,7 +37279,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-roles-role-acme-challenge-auth_id-challenge_type", + "operationId": "pki-write-issuer-issuer_ref-external-policy-policy-acme-challenge-auth_id-challenge_type", "tags": [ "secrets" ], @@ -37688,7 +37288,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refRolesRoleAcmeChallengeAuth_idChallenge_typeRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyPolicyAcmeChallengeAuth_idChallenge_typeRequest" } } } @@ -37700,7 +37300,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/directory": { + "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/{policy}/acme/directory": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { 
@@ -37713,8 +37313,8 @@ "required": true }, { - "name": "role", - "description": "The desired role for the acme request", + "name": "policy", + "description": "The policy name to pass through to the CIEPS service", "in": "path", "schema": { "type": "string" @@ -37734,7 +37334,7 @@ ], "x-vault-unauthenticated": true, "get": { - "operationId": "pki-read-issuer-issuer_ref-roles-role-acme-directory", + "operationId": "pki-read-issuer-issuer_ref-external-policy-policy-acme-directory", "tags": [ "secrets" ], @@ -37745,7 +37345,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/new-account": { + "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/{policy}/acme/new-account": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -37758,8 +37358,8 @@ "required": true }, { - "name": "role", - "description": "The desired role for the acme request", + "name": "policy", + "description": "The policy name to pass through to the CIEPS service", "in": "path", "schema": { "type": "string" @@ -37779,7 +37379,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-roles-role-acme-new-account", + "operationId": "pki-write-issuer-issuer_ref-external-policy-policy-acme-new-account", "tags": [ "secrets" ], @@ -37788,7 +37388,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refRolesRoleAcmeNewAccountRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyPolicyAcmeNewAccountRequest" } } } @@ -37800,7 +37400,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/new-eab": { + "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/{policy}/acme/new-eab": { "description": "Generate external account bindings to be used for ACME", "parameters": [ { 
@@ -37813,8 +37413,8 @@ "required": true }, { - "name": "role", - "description": "The desired role for the acme request", + "name": "policy", + "description": "The policy name to pass through to the CIEPS service", "in": "path", "schema": { "type": "string" @@ -37833,7 +37433,7 @@ } ], "post": { - "operationId": "pki-generate-eab-key-for-issuer-and-role", + "operationId": "pki-generate-eab-key-for-issuer", "tags": [ "secrets" ], @@ -37843,7 +37443,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiGenerateEabKeyForIssuerAndRoleResponse" + "$ref": "#/components/schemas/PkiGenerateEabKeyForIssuerResponse" } } } @@ -37851,7 +37451,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/new-nonce": { + "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/{policy}/acme/new-nonce": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -37864,8 +37464,8 @@ "required": true }, { - "name": "role", - "description": "The desired role for the acme request", + "name": "policy", + "description": "The policy name to pass through to the CIEPS service", "in": "path", "schema": { "type": "string" @@ -37885,7 +37485,7 @@ ], "x-vault-unauthenticated": true, "get": { - "operationId": "pki-read-issuer-issuer_ref-roles-role-acme-new-nonce", + "operationId": "pki-read-issuer-issuer_ref-external-policy-policy-acme-new-nonce", "tags": [ "secrets" ], @@ -37896,7 +37496,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/new-order": { + "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/{policy}/acme/new-order": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -37909,8 +37509,8 @@ "required": true }, { - "name": "role", - "description": "The desired role for the acme request", + "name": "policy", + "description": "The policy name to pass through to the CIEPS service", "in": "path", "schema": { "type": "string" 
@@ -37930,7 +37530,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-roles-role-acme-new-order", + "operationId": "pki-write-issuer-issuer_ref-external-policy-policy-acme-new-order", "tags": [ "secrets" ], @@ -37939,7 +37539,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refRolesRoleAcmeNewOrderRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyPolicyAcmeNewOrderRequest" } } } @@ -37951,7 +37551,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/order/{order_id}": { + "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/{policy}/acme/order/{order_id}": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -37973,8 +37573,8 @@ "required": true }, { - "name": "role", - "description": "The desired role for the acme request", + "name": "policy", + "description": "The policy name to pass through to the CIEPS service", "in": "path", "schema": { "type": "string" @@ -37994,7 +37594,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-roles-role-acme-order-order_id", + "operationId": "pki-write-issuer-issuer_ref-external-policy-policy-acme-order-order_id", "tags": [ "secrets" ], @@ -38003,7 +37603,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refRolesRoleAcmeOrderOrder_idRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyPolicyAcmeOrderOrder_idRequest" } } } @@ -38015,7 +37615,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/order/{order_id}/cert": { + "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/{policy}/acme/order/{order_id}/cert": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { 
@@ -38037,8 +37637,8 @@ "required": true }, { - "name": "role", - "description": "The desired role for the acme request", + "name": "policy", + "description": "The policy name to pass through to the CIEPS service", "in": "path", "schema": { "type": "string" @@ -38058,7 +37658,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-roles-role-acme-order-order_id-cert", + "operationId": "pki-write-issuer-issuer_ref-external-policy-policy-acme-order-order_id-cert", "tags": [ "secrets" ], @@ -38067,7 +37667,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refRolesRoleAcmeOrderOrder_idCertRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyPolicyAcmeOrderOrder_idCertRequest" } } } @@ -38079,7 +37679,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/order/{order_id}/finalize": { + "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/{policy}/acme/order/{order_id}/finalize": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -38101,8 +37701,8 @@ "required": true }, { - "name": "role", - "description": "The desired role for the acme request", + "name": "policy", + "description": "The policy name to pass through to the CIEPS service", "in": "path", "schema": { "type": "string" @@ -38122,7 +37722,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-roles-role-acme-order-order_id-finalize", + "operationId": "pki-write-issuer-issuer_ref-external-policy-policy-acme-order-order_id-finalize", "tags": [ "secrets" ], @@ -38131,7 +37731,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refRolesRoleAcmeOrderOrder_idFinalizeRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyPolicyAcmeOrderOrder_idFinalizeRequest" } } } 
@@ -38143,7 +37743,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/orders": { + "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/{policy}/acme/orders": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -38156,8 +37756,8 @@ "required": true }, { - "name": "role", - "description": "The desired role for the acme request", + "name": "policy", + "description": "The policy name to pass through to the CIEPS service", "in": "path", "schema": { "type": "string" @@ -38177,7 +37777,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-roles-role-acme-orders", + "operationId": "pki-write-issuer-issuer_ref-external-policy-policy-acme-orders", "tags": [ "secrets" ], @@ -38186,7 +37786,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refRolesRoleAcmeOrdersRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyPolicyAcmeOrdersRequest" } } } @@ -38198,7 +37798,7 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/revoke-cert": { + "/{pki_mount_path}/issuer/{issuer_ref}/external-policy/{policy}/acme/revoke-cert": { "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { @@ -38211,8 +37811,8 @@ "required": true }, { - "name": "role", - "description": "The desired role for the acme request", + "name": "policy", + "description": "The policy name to pass through to the CIEPS service", "in": "path", "schema": { "type": "string" @@ -38232,7 +37832,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-issuer-issuer_ref-roles-role-acme-revoke-cert", + "operationId": "pki-write-issuer-issuer_ref-external-policy-policy-acme-revoke-cert", "tags": [ "secrets" ], 
@@ -38241,7 +37841,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refRolesRoleAcmeRevokeCertRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refExternalPolicyPolicyAcmeRevokeCertRequest" } } } @@ -38253,8 +37853,8 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/sign-intermediate": { - "description": "Issue an intermediate CA certificate based on the provided CSR.", + "/{pki_mount_path}/issuer/{issuer_ref}/issue/{role}": { + "description": "Request a certificate using a certain role with the provided details.", "parameters": [ { "name": "issuer_ref", @@ -38266,6 +37866,15 @@ }, "required": true }, + { + "name": "role", + "description": "The desired role with configuration for this request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -38278,7 +37887,7 @@ } ], "post": { - "operationId": "pki-issuer-sign-intermediate", + "operationId": "pki-issuer-issue-with-role", "tags": [ "secrets" ], @@ -38287,7 +37896,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiIssuerSignIntermediateRequest" + "$ref": "#/components/schemas/PkiIssuerIssueWithRoleRequest" } } } @@ -38298,7 +37907,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiIssuerSignIntermediateResponse" + "$ref": "#/components/schemas/PkiIssuerIssueWithRoleResponse" } } } @@ -38306,8 +37915,8 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/sign-revocation-list": { - "description": "Generate and sign a CRL based on the provided parameters.", + "/{pki_mount_path}/issuer/{issuer_ref}/json": { + "description": "Fetch a single issuer certificate.", "parameters": [ { "name": "issuer_ref", 
@@ -38330,37 +37939,31 @@ "required": true } ], - "post": { - "operationId": "pki-issuer-sign-revocation-list", + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-issuer-json", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiIssuerSignRevocationListRequest" - } - } - } - }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiIssuerSignRevocationListResponse" + "$ref": "#/components/schemas/PkiReadIssuerJsonResponse" } } } + }, + "304": { + "description": "Not Modified" } } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/sign-self-issued": { - "description": "Re-issue a self-signed certificate based on the provided certificate.", + "/{pki_mount_path}/issuer/{issuer_ref}/pem": { + "description": "Fetch a single issuer certificate.", "parameters": [ { "name": "issuer_ref", @@ -38383,37 +37986,31 @@ "required": true } ], - "post": { - "operationId": "pki-issuer-sign-self-issued", + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-issuer-pem", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiIssuerSignSelfIssuedRequest" - } - } - } - }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiIssuerSignSelfIssuedResponse" + "$ref": "#/components/schemas/PkiReadIssuerPemResponse" } } } + }, + "304": { + "description": "Not Modified" } } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/sign-verbatim": { - "description": "Issue a certificate directly based on the provided CSR.", + "/{pki_mount_path}/issuer/{issuer_ref}/resign-crls": { + "description": "Combine and sign with the provided issuer different CRLs", "parameters": [ { "name": "issuer_ref", 
@@ -38437,7 +38034,7 @@ } ], "post": { - "operationId": "pki-issuer-sign-verbatim", + "operationId": "pki-issuer-resign-crls", "tags": [ "secrets" ], @@ -38446,7 +38043,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiIssuerSignVerbatimRequest" + "$ref": "#/components/schemas/PkiIssuerResignCrlsRequest" } } } @@ -38457,7 +38054,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiIssuerSignVerbatimResponse" + "$ref": "#/components/schemas/PkiIssuerResignCrlsResponse" } } } @@ -38465,8 +38062,8 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/sign-verbatim/{role}": { - "description": "Issue a certificate directly based on the provided CSR.", + "/{pki_mount_path}/issuer/{issuer_ref}/revoke": { + "description": "Revoke the specified issuer certificate.", "parameters": [ { "name": "issuer_ref", @@ -38478,15 +38075,6 @@ }, "required": true }, - { - "name": "role", - "description": "The desired role with configuration for this request", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -38499,27 +38087,17 @@ } ], "post": { - "operationId": "pki-issuer-sign-verbatim-with-role", + "operationId": "pki-revoke-issuer", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiIssuerSignVerbatimWithRoleRequest" - } - } - } - }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiIssuerSignVerbatimWithRoleResponse" + "$ref": "#/components/schemas/PkiRevokeIssuerResponse" } } } 
@@ -38527,22 +38105,30 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/sign/{role}": { - "description": "Request certificates using a certain role with the provided details.", + "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/account/{kid}": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { "name": "issuer_ref", - "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "description": "Reference to an existing issuer name or issuer id", "in": "path", "schema": { - "type": "string", - "default": "default" + "type": "string" + }, + "required": true + }, + { + "name": "kid", + "description": "The key identifier provided by the CA", + "in": "path", + "schema": { + "type": "string" }, "required": true }, { "name": "role", - "description": "The desired role with configuration for this request", + "description": "The desired role for the acme request", "in": "path", "schema": { "type": "string" @@ -38560,8 +38146,9 @@ "required": true } ], + "x-vault-unauthenticated": true, "post": { - "operationId": "pki-issuer-sign-with-role", + "operationId": "pki-write-issuer-issuer_ref-roles-role-acme-account-kid", "tags": [ "secrets" ], 
@@ -38570,35 +38157,45 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiIssuerSignWithRoleRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refRolesRoleAcmeAccountKidRequest" } } } }, "responses": { "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiIssuerSignWithRoleResponse" - } - } - } + "description": "OK" } } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/unified-crl": { - "description": "Fetch an issuer's Certificate Revocation Log (CRL).", + "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/authorization/{auth_id}": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ + { + "name": "auth_id", + "description": "ACME authorization identifier value", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, { "name": "issuer_ref", - "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "description": "Reference to an existing issuer name or issuer id", "in": "path", "schema": { - "type": "string", - "default": "default" + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" }, "required": true }, 
@@ -38614,35 +38211,64 @@ } ], "x-vault-unauthenticated": true, - "get": { - "operationId": "pki-issuer-read-unified-crl", + "post": { + "operationId": "pki-write-issuer-issuer_ref-roles-role-acme-authorization-auth_id", "tags": [ "secrets" ], - "responses": { - "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiIssuerReadUnifiedCrlResponse" - } + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refRolesRoleAcmeAuthorizationAuth_idRequest" } } } - } + }, + "responses": { + "200": { + "description": "OK" + } + } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/unified-crl/delta": { - "description": "Fetch an issuer's Certificate Revocation Log (CRL).", + "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/challenge/{auth_id}/{challenge_type}": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ + { + "name": "auth_id", + "description": "ACME authorization identifier value", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "challenge_type", + "description": "ACME challenge type", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, { "name": "issuer_ref", - "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "description": "Reference to an existing issuer name or issuer id", "in": "path", "schema": { - "type": "string", - "default": "default" + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" }, "required": true }, 
@@ -38658,35 +38284,46 @@ } ], "x-vault-unauthenticated": true, - "get": { - "operationId": "pki-issuer-read-unified-crl-delta", + "post": { + "operationId": "pki-write-issuer-issuer_ref-roles-role-acme-challenge-auth_id-challenge_type", "tags": [ "secrets" ], - "responses": { - "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiIssuerReadUnifiedCrlDeltaResponse" - } + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refRolesRoleAcmeChallengeAuth_idChallenge_typeRequest" } } } + }, + "responses": { + "200": { + "description": "OK" + } } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/unified-crl/delta/der": { - "description": "Fetch an issuer's Certificate Revocation Log (CRL).", + "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/directory": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { "name": "issuer_ref", - "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "description": "Reference to an existing issuer name or issuer id", "in": "path", "schema": { - "type": "string", - "default": "default" + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" }, "required": true }, 
@@ -38703,34 +38340,35 @@ ], "x-vault-unauthenticated": true, "get": { - "operationId": "pki-issuer-read-unified-crl-delta-der", + "operationId": "pki-read-issuer-issuer_ref-roles-role-acme-directory", "tags": [ "secrets" ], "responses": { "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiIssuerReadUnifiedCrlDeltaDerResponse" - } - } - } + "description": "OK" } } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/unified-crl/delta/pem": { - "description": "Fetch an issuer's Certificate Revocation Log (CRL).", + "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/new-account": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { "name": "issuer_ref", - "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "description": "Reference to an existing issuer name or issuer id", "in": "path", "schema": { - "type": "string", - "default": "default" + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" }, "required": true }, 
@@ -38746,35 +38384,46 @@ } ], "x-vault-unauthenticated": true, - "get": { - "operationId": "pki-issuer-read-unified-crl-delta-pem", + "post": { + "operationId": "pki-write-issuer-issuer_ref-roles-role-acme-new-account", "tags": [ "secrets" ], - "responses": { - "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiIssuerReadUnifiedCrlDeltaPemResponse" - } + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refRolesRoleAcmeNewAccountRequest" } } } + }, + "responses": { + "200": { + "description": "OK" + } } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/unified-crl/der": { - "description": "Fetch an issuer's Certificate Revocation Log (CRL).", + "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/new-eab": { + "description": "Generate external account bindings to be used for ACME", "parameters": [ { "name": "issuer_ref", - "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "description": "Reference to an existing issuer name or issuer id", "in": "path", "schema": { - "type": "string", - "default": "default" + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" }, "required": true }, @@ -38789,9 +38438,8 @@ "required": true } ], - "x-vault-unauthenticated": true, - "get": { - "operationId": "pki-issuer-read-unified-crl-der", + "post": { + "operationId": "pki-generate-eab-key-for-issuer-and-role", "tags": [ "secrets" ], @@ -38801,7 +38449,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiIssuerReadUnifiedCrlDerResponse" + "$ref": "#/components/schemas/PkiGenerateEabKeyForIssuerAndRoleResponse" } } } 
@@ -38809,53 +38457,27 @@ } } }, - "/{pki_mount_path}/issuer/{issuer_ref}/unified-crl/pem": { - "description": "Fetch an issuer's Certificate Revocation Log (CRL).", + "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/new-nonce": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { "name": "issuer_ref", - "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "description": "Reference to an existing issuer name or issuer id", "in": "path", "schema": { - "type": "string", - "default": "default" + "type": "string" }, "required": true }, { - "name": "pki_mount_path", - "description": "Path that the backend was mounted at", + "name": "role", + "description": "The desired role for the acme request", "in": "path", "schema": { - "type": "string", - "default": "pki" + "type": "string" }, "required": true - } - ], - "x-vault-unauthenticated": true, - "get": { - "operationId": "pki-issuer-read-unified-crl-pem", - "tags": [ - "secrets" - ], - "responses": { - "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiIssuerReadUnifiedCrlPemResponse" - } - } - } - } - } - } - }, - "/{pki_mount_path}/issuers/": { - "description": "Fetch a list of CA certificates.", - "parameters": [ + }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", 
@@ -38869,52 +38491,35 @@ ], "x-vault-unauthenticated": true, "get": { - "operationId": "pki-list-issuers", + "operationId": "pki-read-issuer-issuer_ref-roles-role-acme-new-nonce", "tags": [ "secrets" ], - "parameters": [ - { - "name": "list", - "description": "Must be set to `true`", - "in": "query", - "schema": { - "type": "string", - "enum": [ - "true" - ] - }, - "required": true - } - ], "responses": { "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiListIssuersResponse" - } - } - } + "description": "OK" } } } }, - "/{pki_mount_path}/issuers/generate/intermediate/{exported}": { - "description": "Generate a new CSR and private key used for signing.", + "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/new-order": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { - "name": "exported", - "description": "Must be \"internal\", \"exported\" or \"kms\". If set to \"exported\", the generated private key will be returned. This is your *only* chance to retrieve the private key!", + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", "in": "path", "schema": { - "type": "string", - "enum": [ - "internal", - "external", - "kms" - ] + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" }, "required": true }, @@ -38929,8 +38534,9 @@ "required": true } ], + "x-vault-unauthenticated": true, "post": { - "operationId": "pki-issuers-generate-intermediate", + "operationId": "pki-write-issuer-issuer_ref-roles-role-acme-new-order", "tags": [ "secrets" ], 
@@ -38939,39 +38545,45 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiIssuersGenerateIntermediateRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refRolesRoleAcmeNewOrderRequest" } } } }, "responses": { "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiIssuersGenerateIntermediateResponse" - } - } - } + "description": "OK" } } } }, - "/{pki_mount_path}/issuers/generate/root/{exported}": { - "description": "Generate a new CA certificate and private key used for signing.", + "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/order/{order_id}": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { - "name": "exported", - "description": "Must be \"internal\", \"exported\" or \"kms\". If set to \"exported\", the generated private key will be returned. This is your *only* chance to retrieve the private key!", + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", "in": "path", "schema": { - "type": "string", - "enum": [ - "internal", - "external", - "kms" - ] + "type": "string" + }, + "required": true + }, + { + "name": "order_id", + "description": "The ACME order identifier to fetch", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" }, "required": true }, @@ -38986,8 +38598,9 @@ "required": true } ], + "x-vault-unauthenticated": true, "post": { - "operationId": "pki-issuers-generate-root", + "operationId": "pki-write-issuer-issuer_ref-roles-role-acme-order-order_id", "tags": [ "secrets" ], 
@@ -38996,28 +38609,48 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiIssuersGenerateRootRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refRolesRoleAcmeOrderOrder_idRequest" } } } }, "responses": { "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiIssuersGenerateRootResponse" - } - } - } + "description": "OK" } } } }, - "/{pki_mount_path}/issuers/import/bundle": { - "description": "Import the specified issuing certificates.", + "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/order/{order_id}/cert": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "order_id", + "description": "The ACME order identifier to fetch", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -39029,8 +38662,9 @@ "required": true } ], + "x-vault-unauthenticated": true, "post": { - "operationId": "pki-issuers-import-bundle", + "operationId": "pki-write-issuer-issuer_ref-roles-role-acme-order-order_id-cert", "tags": [ "secrets" ], 
@@ -39039,28 +38673,48 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiIssuersImportBundleRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refRolesRoleAcmeOrderOrder_idCertRequest" } } } }, "responses": { "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiIssuersImportBundleResponse" - } - } - } + "description": "OK" } } } }, - "/{pki_mount_path}/issuers/import/cert": { - "description": "Import the specified issuing certificates.", + "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/order/{order_id}/finalize": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "order_id", + "description": "The ACME order identifier to fetch", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -39072,8 +38726,9 @@ "required": true } ], + "x-vault-unauthenticated": true, "post": { - "operationId": "pki-issuers-import-cert", + "operationId": "pki-write-issuer-issuer_ref-roles-role-acme-order-order_id-finalize", "tags": [ "secrets" ], 
@@ -39082,35 +38737,36 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiIssuersImportCertRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refRolesRoleAcmeOrderOrder_idFinalizeRequest" } } } }, "responses": { "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiIssuersImportCertResponse" - } - } - } + "description": "OK" } } } }, - "/{pki_mount_path}/key/{key_ref}": { - "description": "Fetch a single issuer key", + "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/orders": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { - "name": "key_ref", - "description": "Reference to key; either \"default\" for the configured default key, an identifier of a key, or the name assigned to the key.", + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", "in": "path", "schema": { - "type": "string", - "default": "default" + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" }, "required": true }, @@ -39125,26 +38781,9 @@ "required": true } ], - "get": { - "operationId": "pki-read-key", - "tags": [ - "secrets" - ], - "responses": { - "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiReadKeyResponse" - } - } - } - } - } - }, + "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-key", + "operationId": "pki-write-issuer-issuer_ref-roles-role-acme-orders", "tags": [ "secrets" ], 
@@ -39153,39 +38792,39 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteKeyRequest" + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refRolesRoleAcmeOrdersRequest" } } } }, "responses": { - "204": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteKeyResponse" - } - } - } - } - } - }, - "delete": { - "operationId": "pki-delete-key", - "tags": [ - "secrets" - ], - "responses": { - "204": { - "description": "No Content" + "200": { + "description": "OK" } } } }, - "/{pki_mount_path}/keys/": { - "description": "Fetch a list of all issuer keys", + "/{pki_mount_path}/issuer/{issuer_ref}/roles/{role}/acme/revoke-cert": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to an existing issuer name or issuer id", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", 
@@ -39197,42 +38836,42 @@ "required": true } ], - "get": { - "operationId": "pki-list-keys", + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-issuer-issuer_ref-roles-role-acme-revoke-cert", "tags": [ "secrets" ], - "parameters": [ - { - "name": "list", - "description": "Must be set to `true`", - "in": "query", - "schema": { - "type": "string", - "enum": [ - "true" - ] - }, - "required": true - } - ], - "responses": { - "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiListKeysResponse" - } + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteIssuerIssuer_refRolesRoleAcmeRevokeCertRequest" } } } + }, + "responses": { + "200": { + "description": "OK" + } } } }, - "/{pki_mount_path}/keys/generate/exported": { - "description": "Generate a new private key used for signing.", + "/{pki_mount_path}/issuer/{issuer_ref}/sign-intermediate": { + "description": "Issue an intermediate CA certificate based on the provided CSR.", "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "in": "path", + "schema": { + "type": "string", + "default": "default" + }, + "required": true + }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -39245,7 +38884,7 @@ } ], "post": { - "operationId": "pki-generate-exported-key", + "operationId": "pki-issuer-sign-intermediate", "tags": [ "secrets" ], @@ -39254,7 +38893,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiGenerateExportedKeyRequest" + "$ref": "#/components/schemas/PkiIssuerSignIntermediateRequest" } } } 
@@ -39265,7 +38904,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiGenerateExportedKeyResponse" + "$ref": "#/components/schemas/PkiIssuerSignIntermediateResponse" } } } @@ -39273,9 +38912,19 @@ } } }, - "/{pki_mount_path}/keys/generate/internal": { - "description": "Generate a new private key used for signing.", + "/{pki_mount_path}/issuer/{issuer_ref}/sign-revocation-list": { + "description": "Generate and sign a CRL based on the provided parameters.", "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "in": "path", + "schema": { + "type": "string", + "default": "default" + }, + "required": true + }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -39288,7 +38937,7 @@ } ], "post": { - "operationId": "pki-generate-internal-key", + "operationId": "pki-issuer-sign-revocation-list", "tags": [ "secrets" ], @@ -39297,7 +38946,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiGenerateInternalKeyRequest" + "$ref": "#/components/schemas/PkiIssuerSignRevocationListRequest" } } } @@ -39308,7 +38957,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiGenerateInternalKeyResponse" + "$ref": "#/components/schemas/PkiIssuerSignRevocationListResponse" } } } 
@@ -39316,9 +38965,19 @@ } } }, - "/{pki_mount_path}/keys/generate/kms": { - "description": "Generate a new private key used for signing.", + "/{pki_mount_path}/issuer/{issuer_ref}/sign-self-issued": { + "description": "Re-issue a self-signed certificate based on the provided certificate.", "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "in": "path", + "schema": { + "type": "string", + "default": "default" + }, + "required": true + }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -39331,7 +38990,7 @@ } ], "post": { - "operationId": "pki-generate-kms-key", + "operationId": "pki-issuer-sign-self-issued", "tags": [ "secrets" ], @@ -39340,7 +38999,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiGenerateKmsKeyRequest" + "$ref": "#/components/schemas/PkiIssuerSignSelfIssuedRequest" } } } @@ -39351,7 +39010,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiGenerateKmsKeyResponse" + "$ref": "#/components/schemas/PkiIssuerSignSelfIssuedResponse" } } } @@ -39359,9 +39018,19 @@ } } }, - "/{pki_mount_path}/keys/import": { - "description": "Import the specified key.", + "/{pki_mount_path}/issuer/{issuer_ref}/sign-verbatim": { + "description": "Issue a certificate directly based on the provided CSR.", "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "in": "path", + "schema": { + "type": "string", + "default": "default" + }, + "required": true + }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", 
@@ -39374,7 +39043,7 @@ } ], "post": { - "operationId": "pki-import-key", + "operationId": "pki-issuer-sign-verbatim", "tags": [ "secrets" ], @@ -39383,7 +39052,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiImportKeyRequest" + "$ref": "#/components/schemas/PkiIssuerSignVerbatimRequest" } } } @@ -39394,7 +39063,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiImportKeyResponse" + "$ref": "#/components/schemas/PkiIssuerSignVerbatimResponse" } } } @@ -39402,39 +39071,22 @@ } } }, - "/{pki_mount_path}/ocsp": { - "description": "Query a certificate's revocation status through OCSP'", + "/{pki_mount_path}/issuer/{issuer_ref}/sign-verbatim/{role}": { + "description": "Issue a certificate directly based on the provided CSR.", "parameters": [ { - "name": "pki_mount_path", - "description": "Path that the backend was mounted at", + "name": "issuer_ref", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", "in": "path", "schema": { "type": "string", - "default": "pki" + "default": "default" }, "required": true - } - ], - "x-vault-unauthenticated": true, - "post": { - "operationId": "pki-query-ocsp", - "tags": [ - "secrets" - ], - "responses": { - "200": { - "description": "OK" - } - } - } - }, - "/{pki_mount_path}/ocsp/{req}": { - "description": "Query a certificate's revocation status through OCSP'", - "parameters": [ + }, { - "name": "req", - "description": "base-64 encoded ocsp request", + "name": "role", + "description": "The desired role with configuration for this request", "in": "path", "schema": { "type": "string" 
@@ -39452,35 +39104,8 @@ "required": true } ], - "x-vault-unauthenticated": true, - "get": { - "operationId": "pki-query-ocsp-with-get-req", - "tags": [ - "secrets" - ], - "responses": { - "200": { - "description": "OK" - } - } - } - }, - "/{pki_mount_path}/revoke": { - "description": "Revoke a certificate by serial number or with explicit certificate. When calling /revoke-with-key, the private key corresponding to the certificate must be provided to authenticate the request.", - "parameters": [ - { - "name": "pki_mount_path", - "description": "Path that the backend was mounted at", - "in": "path", - "schema": { - "type": "string", - "default": "pki" - }, - "required": true - } - ], "post": { - "operationId": "pki-revoke", + "operationId": "pki-issuer-sign-verbatim-with-role", "tags": [ "secrets" ], @@ -39489,7 +39114,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiRevokeRequest" + "$ref": "#/components/schemas/PkiIssuerSignVerbatimWithRoleRequest" } } } @@ -39500,7 +39125,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiRevokeResponse" + "$ref": "#/components/schemas/PkiIssuerSignVerbatimWithRoleResponse" } } } 
@@ -39508,9 +39133,28 @@ } } }, - "/{pki_mount_path}/revoke-with-key": { - "description": "Revoke a certificate by serial number or with explicit certificate. When calling /revoke-with-key, the private key corresponding to the certificate must be provided to authenticate the request.", + "/{pki_mount_path}/issuer/{issuer_ref}/sign/{role}": { + "description": "Request certificates using a certain role with the provided details.", "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "in": "path", + "schema": { + "type": "string", + "default": "default" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role with configuration for this request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -39523,7 +39167,7 @@ } ], "post": { - "operationId": "pki-revoke-with-key", + "operationId": "pki-issuer-sign-with-role", "tags": [ "secrets" ], @@ -39532,7 +39176,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiRevokeWithKeyRequest" + "$ref": "#/components/schemas/PkiIssuerSignWithRoleRequest" } } } @@ -39543,7 +39187,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiRevokeWithKeyResponse" + "$ref": "#/components/schemas/PkiIssuerSignWithRoleResponse" } } } 
@@ -39551,9 +39195,19 @@ } } }, - "/{pki_mount_path}/roles/": { - "description": "List the existing roles in this backend", + "/{pki_mount_path}/issuer/{issuer_ref}/unified-crl": { + "description": "Fetch an issuer's Certificate Revocation Log (CRL).", "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "in": "path", + "schema": { + "type": "string", + "default": "default" + }, + "required": true + }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -39565,32 +39219,19 @@ "required": true } ], + "x-vault-unauthenticated": true, "get": { - "operationId": "pki-list-roles", + "operationId": "pki-issuer-read-unified-crl", "tags": [ "secrets" ], - "parameters": [ - { - "name": "list", - "description": "Must be set to `true`", - "in": "query", - "schema": { - "type": "string", - "enum": [ - "true" - ] - }, - "required": true - } - ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/StandardListResponse" + "$ref": "#/components/schemas/PkiIssuerReadUnifiedCrlResponse" } } } @@ -39598,15 +39239,16 @@ } } }, - "/{pki_mount_path}/roles/{name}": { - "description": "Manage the roles that can be created with this backend.", + "/{pki_mount_path}/issuer/{issuer_ref}/unified-crl/delta": { + "description": "Fetch an issuer's Certificate Revocation Log (CRL).", "parameters": [ { - "name": "name", - "description": "Name of the role", + "name": "issuer_ref", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", "in": "path", "schema": { - "type": "string" + "type": "string", + "default": "default" }, "required": true }, 
@@ -39621,8 +39263,9 @@ "required": true } ], + "x-vault-unauthenticated": true, "get": { - "operationId": "pki-read-role", + "operationId": "pki-issuer-read-unified-crl-delta", "tags": [ "secrets" ], 
@@ -39632,99 +39275,68 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiReadRoleResponse" + "$ref": "#/components/schemas/PkiIssuerReadUnifiedCrlDeltaResponse" } } } } } - }, - "post": { - "operationId": "pki-write-role", - "tags": [ - "secrets" - ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteRoleRequest" - } - } - } - }, - "responses": { - "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteRoleResponse" - } - } - } - } + } + }, + "/{pki_mount_path}/issuer/{issuer_ref}/unified-crl/delta/der": { + "description": "Fetch an issuer's Certificate Revocation Log (CRL).", + "parameters": [ + { + "name": "issuer_ref", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", + "in": "path", + "schema": { + "type": "string", + "default": "default" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true } - }, - "patch": { - "operationId": "pki-patch-role", + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-issuer-read-unified-crl-delta-der", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiPatchRoleRequest" - } - } - } - }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiPatchRoleResponse" + "$ref": "#/components/schemas/PkiIssuerReadUnifiedCrlDeltaDerResponse" } } } } } - }, - "delete": { - "operationId": "pki-delete-role", - "tags": [ - "secrets" - ], - "responses": { - "204": { - "description": "No Content" - } - } } }, - 
"/{pki_mount_path}/roles/{role}/acme/account/{kid}": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_mount_path}/issuer/{issuer_ref}/unified-crl/delta/pem": { + "description": "Fetch an issuer's Certificate Revocation Log (CRL).", "parameters": [ { - "name": "kid", - "description": "The key identifier provided by the CA", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "role", - "description": "The desired role for the acme request", + "name": "issuer_ref", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", "in": "path", "schema": { - "type": "string" + "type": "string", + "default": "default" }, "required": true }, 
@@ -39740,46 +39352,35 @@ } ], "x-vault-unauthenticated": true, - "post": { - "operationId": "pki-write-roles-role-acme-account-kid", + "get": { + "operationId": "pki-issuer-read-unified-crl-delta-pem", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteRolesRoleAcmeAccountKidRequest" - } - } - } - }, "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuerReadUnifiedCrlDeltaPemResponse" + } + } + } } } } }, - "/{pki_mount_path}/roles/{role}/acme/authorization/{auth_id}": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_mount_path}/issuer/{issuer_ref}/unified-crl/der": { + "description": "Fetch an issuer's Certificate Revocation Log (CRL).", "parameters": [ { - "name": "auth_id", - "description": "ACME authorization identifier value", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "role", - "description": "The desired role for the acme request", + "name": "issuer_ref", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", "in": "path", "schema": { - "type": "string" + "type": "string", + "default": "default" }, "required": true }, 
@@ -39795,55 +39396,35 @@ } ], "x-vault-unauthenticated": true, - "post": { - "operationId": "pki-write-roles-role-acme-authorization-auth_id", + "get": { + "operationId": "pki-issuer-read-unified-crl-der", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteRolesRoleAcmeAuthorizationAuth_idRequest" - } - } - } - }, "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuerReadUnifiedCrlDerResponse" + } + } + } } } } }, - "/{pki_mount_path}/roles/{role}/acme/challenge/{auth_id}/{challenge_type}": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_mount_path}/issuer/{issuer_ref}/unified-crl/pem": { + "description": "Fetch an issuer's Certificate Revocation Log (CRL).", "parameters": [ { - "name": "auth_id", - "description": "ACME authorization identifier value", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "challenge_type", - "description": "ACME challenge type", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "role", - "description": "The desired role for the acme request", + "name": "issuer_ref", + "description": "Reference to a existing issuer; either \"default\" for the configured default issuer, an identifier or the name assigned to the issuer.", "in": "path", "schema": { - "type": "string" + "type": "string", + "default": "default" }, "required": true }, 
@@ -39859,40 +39440,28 @@ } ], "x-vault-unauthenticated": true, - "post": { - "operationId": "pki-write-roles-role-acme-challenge-auth_id-challenge_type", + "get": { + "operationId": "pki-issuer-read-unified-crl-pem", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteRolesRoleAcmeChallengeAuth_idChallenge_typeRequest" - } - } - } - }, "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuerReadUnifiedCrlPemResponse" + } + } + } } } } }, - "/{pki_mount_path}/roles/{role}/acme/directory": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_mount_path}/issuers/": { + "description": "Fetch a list of CA certificates.", "parameters": [ - { - "name": "role", - "description": "The desired role for the acme request", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", 
@@ -39906,26 +39475,52 @@ ], "x-vault-unauthenticated": true, "get": { - "operationId": "pki-read-roles-role-acme-directory", + "operationId": "pki-list-issuers", "tags": [ "secrets" ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiListIssuersResponse" + } + } + } } } } }, - "/{pki_mount_path}/roles/{role}/acme/new-account": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_mount_path}/issuers/generate/intermediate/{exported}": { + "description": "Generate a new CSR and private key used for signing.", "parameters": [ { - "name": "role", - "description": "The desired role for the acme request", + "name": "exported", + "description": "Must be \"internal\", \"exported\" or \"kms\". If set to \"exported\", the generated private key will be returned. This is your *only* chance to retrieve the private key!", "in": "path", "schema": { - "type": "string" + "type": "string", + "enum": [ + "internal", + "external", + "kms" + ] }, "required": true }, @@ -39940,9 +39535,8 @@ "required": true } ], - "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-roles-role-acme-new-account", + "operationId": "pki-issuers-generate-intermediate", "tags": [ "secrets" ], 
@@ -39951,27 +39545,39 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteRolesRoleAcmeNewAccountRequest" + "$ref": "#/components/schemas/PkiIssuersGenerateIntermediateRequest" } } } }, "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuersGenerateIntermediateResponse" + } + } + } } } } }, - "/{pki_mount_path}/roles/{role}/acme/new-eab": { - "description": "Generate external account bindings to be used for ACME", + "/{pki_mount_path}/issuers/generate/root/{exported}": { + "description": "Generate a new CA certificate and private key used for signing.", "parameters": [ { - "name": "role", - "description": "The desired role for the acme request", + "name": "exported", + "description": "Must be \"internal\", \"exported\" or \"kms\". If set to \"exported\", the generated private key will be returned. This is your *only* chance to retrieve the private key!", "in": "path", "schema": { - "type": "string" + "type": "string", + "enum": [ + "internal", + "external", + "kms" + ] }, "required": true }, @@ -39987,17 +39593,27 @@ } ], "post": { - "operationId": "pki-generate-eab-key-for-role", + "operationId": "pki-issuers-generate-root", "tags": [ "secrets" ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuersGenerateRootRequest" + } + } + } + }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiGenerateEabKeyForRoleResponse" + "$ref": "#/components/schemas/PkiIssuersGenerateRootResponse" } } } 
@@ -40005,18 +39621,9 @@ } } }, - "/{pki_mount_path}/roles/{role}/acme/new-nonce": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_mount_path}/issuers/import/bundle": { + "description": "Import the specified issuing certificates.", "parameters": [ - { - "name": "role", - "description": "The desired role for the acme request", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -40028,31 +39635,38 @@ "required": true } ], - "x-vault-unauthenticated": true, - "get": { - "operationId": "pki-read-roles-role-acme-new-nonce", + "post": { + "operationId": "pki-issuers-import-bundle", "tags": [ "secrets" ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuersImportBundleRequest" + } + } + } + }, "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuersImportBundleResponse" + } + } + } } } } }, - "/{pki_mount_path}/roles/{role}/acme/new-order": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_mount_path}/issuers/import/cert": { + "description": "Import the specified issuing certificates.", "parameters": [ - { - "name": "role", - "description": "The desired role for the acme request", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -40064,9 +39678,8 @@ "required": true } ], - "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-roles-role-acme-new-order", + "operationId": "pki-issuers-import-cert", "tags": [ "secrets" ], 
@@ -40075,36 +39688,35 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteRolesRoleAcmeNewOrderRequest" + "$ref": "#/components/schemas/PkiIssuersImportCertRequest" } } } }, "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiIssuersImportCertResponse" + } + } + } } } } }, - "/{pki_mount_path}/roles/{role}/acme/order/{order_id}": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_mount_path}/key/{key_ref}": { + "description": "Fetch a single issuer key", "parameters": [ { - "name": "order_id", - "description": "The ACME order identifier to fetch", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "role", - "description": "The desired role for the acme request", + "name": "key_ref", + "description": "Reference to key; either \"default\" for the configured default key, an identifier of a key, or the name assigned to the key.", "in": "path", "schema": { - "type": "string" + "type": "string", + "default": "default" }, "required": true }, @@ -40119,9 +39731,26 @@ "required": true } ], - "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-key", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadKeyResponse" + } + } + } + } + } + }, "post": { - "operationId": "pki-write-roles-role-acme-order-order_id", + "operationId": "pki-write-key", "tags": [ "secrets" ], 
@@ -40130,39 +39759,39 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteRolesRoleAcmeOrderOrder_idRequest" + "$ref": "#/components/schemas/PkiWriteKeyRequest" } } } }, "responses": { - "200": { - "description": "OK" + "204": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteKeyResponse" + } + } + } + } + } + }, + "delete": { + "operationId": "pki-delete-key", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "No Content" } } } }, - "/{pki_mount_path}/roles/{role}/acme/order/{order_id}/cert": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_mount_path}/keys/": { + "description": "Fetch a list of all issuer keys", "parameters": [ - { - "name": "order_id", - "description": "The ACME order identifier to fetch", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "role", - "description": "The desired role for the acme request", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", 
@@ -40174,50 +39803,42 @@ "required": true } ], - "x-vault-unauthenticated": true, - "post": { - "operationId": "pki-write-roles-role-acme-order-order_id-cert", + "get": { + "operationId": "pki-list-keys", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiWriteRolesRoleAcmeOrderOrder_idCertRequest" - } - } + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true } - }, + ], "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiListKeysResponse" + } + } + } } } } }, - "/{pki_mount_path}/roles/{role}/acme/order/{order_id}/finalize": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_mount_path}/keys/generate/exported": { + "description": "Generate a new private key used for signing.", "parameters": [ - { - "name": "order_id", - "description": "The ACME order identifier to fetch", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "role", - "description": "The desired role for the acme request", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -40229,9 +39850,8 @@ "required": true } ], - "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-roles-role-acme-order-order_id-finalize", + "operationId": "pki-generate-exported-key", "tags": [ "secrets" ], 
@@ -40240,30 +39860,28 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteRolesRoleAcmeOrderOrder_idFinalizeRequest" + "$ref": "#/components/schemas/PkiGenerateExportedKeyRequest" } } } }, "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiGenerateExportedKeyResponse" + } + } + } } } } }, - "/{pki_mount_path}/roles/{role}/acme/orders": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_mount_path}/keys/generate/internal": { + "description": "Generate a new private key used for signing.", "parameters": [ - { - "name": "role", - "description": "The desired role for the acme request", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -40275,9 +39893,8 @@ "required": true } ], - "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-roles-role-acme-orders", + "operationId": "pki-generate-internal-key", "tags": [ "secrets" ], 
@@ -40286,30 +39903,28 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteRolesRoleAcmeOrdersRequest" + "$ref": "#/components/schemas/PkiGenerateInternalKeyRequest" } } } }, "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiGenerateInternalKeyResponse" + } + } + } } } } }, - "/{pki_mount_path}/roles/{role}/acme/revoke-cert": { - "description": "An endpoint implementing the standard ACME protocol", + "/{pki_mount_path}/keys/generate/kms": { + "description": "Generate a new private key used for signing.", "parameters": [ - { - "name": "role", - "description": "The desired role for the acme request", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -40321,9 +39936,8 @@ "required": true } ], - "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-roles-role-acme-revoke-cert", + "operationId": "pki-generate-kms-key", "tags": [ "secrets" ], 
@@ -40332,30 +39946,71 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiWriteRolesRoleAcmeRevokeCertRequest" + "$ref": "#/components/schemas/PkiGenerateKmsKeyRequest" } } } }, "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiGenerateKmsKeyResponse" + } + } + } } } } }, - "/{pki_mount_path}/roles/{role}/cmp": { - "description": "CMPv2 Endpoint", + "/{pki_mount_path}/keys/import": { + "description": "Import the specified key.", "parameters": [ { - "name": "role", - "description": "The desired role for the EST request", + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", "in": "path", "schema": { - "type": "string" + "type": "string", + "default": "pki" }, "required": true + } + ], + "post": { + "operationId": "pki-import-key", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiImportKeyRequest" + } + } + } }, + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiImportKeyResponse" + } + } + } + } + } + } + }, + "/{pki_mount_path}/ocsp": { + "description": "Query a certificate's revocation status through OCSP'", + "parameters": [ { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -40369,7 +40024,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-roles-role-cmp", + "operationId": "pki-query-ocsp", "tags": [ "secrets" ], 
@@ -40380,11 +40035,12 @@ } } }, - "/{pki_mount_path}/roles/{role}/est/cacerts": { + "/{pki_mount_path}/ocsp/{req}": { + "description": "Query a certificate's revocation status through OCSP'", "parameters": [ { - "name": "role", - "description": "The desired role for the EST request", + "name": "req", + "description": "base-64 encoded ocsp request", "in": "path", "schema": { "type": "string" @@ -40404,7 +40060,7 @@ ], "x-vault-unauthenticated": true, "get": { - "operationId": "pki-read-roles-role-est-cacerts", + "operationId": "pki-query-ocsp-with-get-req", "tags": [ "secrets" ], @@ -40415,17 +40071,9 @@ } } }, - "/{pki_mount_path}/roles/{role}/est/simpleenroll": { + "/{pki_mount_path}/revoke": { + "description": "Revoke a certificate by serial number or with explicit certificate. When calling /revoke-with-key, the private key corresponding to the certificate must be provided to authenticate the request.", "parameters": [ - { - "name": "role", - "description": "The desired role for the EST request", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", 
@@ -40437,30 +40085,38 @@ "required": true } ], - "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-roles-role-est-simpleenroll", + "operationId": "pki-revoke", "tags": [ "secrets" ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiRevokeRequest" + } + } + } + }, "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiRevokeResponse" + } + } + } } } } }, - "/{pki_mount_path}/roles/{role}/est/simplereenroll": { + "/{pki_mount_path}/revoke-with-key": { + "description": "Revoke a certificate by serial number or with explicit certificate. When calling /revoke-with-key, the private key corresponding to the certificate must be provided to authenticate the request.", "parameters": [ - { - "name": "role", - "description": "The desired role for the EST request", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", 
@@ -40472,30 +40128,38 @@ "required": true } ], - "x-vault-unauthenticated": true, "post": { - "operationId": "pki-write-roles-role-est-simplereenroll", + "operationId": "pki-revoke-with-key", "tags": [ "secrets" ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiRevokeWithKeyRequest" + } + } + } + }, "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiRevokeWithKeyResponse" + } + } + } } } } }, - "/{pki_mount_path}/roles/{role}/scep": { + "/{pki_mount_path}/roles/": { + "description": "List the existing roles in this backend", "parameters": [ - { - "name": "role", - "description": "The desired role for the SCEP request", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", 
@@ -40507,35 +40171,45 @@ "required": true } ], - "x-vault-unauthenticated": true, "get": { - "operationId": "pki-read-roles-role-scep", + "operationId": "pki-list-roles", "tags": [ "secrets" ], - "responses": { - "200": { - "description": "OK" + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true } - } - }, - "post": { - "operationId": "pki-write-roles-role-scep", - "tags": [ - "secrets" ], "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } } } } }, - "/{pki_mount_path}/roles/{role}/scep/pkiclient.exe": { + "/{pki_mount_path}/roles/{name}": { + "description": "Manage the roles that can be created with this backend.", "parameters": [ { - "name": "role", - "description": "The desired role for the SCEP request", + "name": "name", + "description": "Name of the role", "in": "path", "schema": { "type": "string" 
@@ -40553,87 +40227,26 @@ "required": true } ], - "x-vault-unauthenticated": true, "get": { - "operationId": "pki-read-roles-role-scep-pkiclient-exe", + "operationId": "pki-read-role", "tags": [ "secrets" ], "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiReadRoleResponse" + } + } + } } } }, "post": { - "operationId": "pki-write-roles-role-scep-pkiclient-exe", - "tags": [ - "secrets" - ], - "responses": { - "200": { - "description": "OK" - } - } - } - }, - "/{pki_mount_path}/root": { - "description": "Deletes the root CA key to allow a new one to be generated.", - "parameters": [ - { - "name": "pki_mount_path", - "description": "Path that the backend was mounted at", - "in": "path", - "schema": { - "type": "string", - "default": "pki" - }, - "required": true - } - ], - "x-vault-sudo": true, - "delete": { - "operationId": "pki-delete-root", - "tags": [ - "secrets" - ], - "responses": { - "200": { - "description": "OK" - } - } - } - }, - "/{pki_mount_path}/root/generate/{exported}": { - "description": "Generate a new CA certificate and private key used for signing.", - "parameters": [ - { - "name": "exported", - "description": "Must be \"internal\", \"exported\" or \"kms\". If set to \"exported\", the generated private key will be returned. This is your *only* chance to retrieve the private key!", - "in": "path", - "schema": { - "type": "string", - "enum": [ - "internal", - "external", - "kms" - ] - }, - "required": true - }, - { - "name": "pki_mount_path", - "description": "Path that the backend was mounted at", - "in": "path", - "schema": { - "type": "string", - "default": "pki" - }, - "required": true - } - ], - "post": { - "operationId": "pki-generate-root", + "operationId": "pki-write-role", "tags": [ "secrets" ], 
@@ -40642,7 +40255,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiGenerateRootRequest" + "$ref": "#/components/schemas/PkiWriteRoleRequest" } } } @@ -40653,30 +40266,15 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiGenerateRootResponse" + "$ref": "#/components/schemas/PkiWriteRoleResponse" } } } } } - } - }, - "/{pki_mount_path}/root/replace": { - "description": "Read and set the default issuer certificate for signing.", - "parameters": [ - { - "name": "pki_mount_path", - "description": "Path that the backend was mounted at", - "in": "path", - "schema": { - "type": "string", - "default": "pki" - }, - "required": true - } - ], - "post": { - "operationId": "pki-replace-root", + }, + "patch": { + "operationId": "pki-patch-role", "tags": [ "secrets" ], @@ -40685,7 +40283,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiReplaceRootRequest" + "$ref": "#/components/schemas/PkiPatchRoleRequest" } } } 
@@ -40696,28 +40294,43 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiReplaceRootResponse" + "$ref": "#/components/schemas/PkiPatchRoleResponse" } } } } } + }, + "delete": { + "operationId": "pki-delete-role", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "No Content" + } + } } }, - "/{pki_mount_path}/root/rotate/{exported}": { - "description": "Generate a new CA certificate and private key used for signing.", + "/{pki_mount_path}/roles/{role}/acme/account/{kid}": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { - "name": "exported", - "description": "Must be \"internal\", \"exported\" or \"kms\". If set to \"exported\", the generated private key will be returned. This is your *only* chance to retrieve the private key!", + "name": "kid", + "description": "The key identifier provided by the CA", "in": "path", "schema": { - "type": "string", - "enum": [ - "internal", - "external", - "kms" - ] + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" }, "required": true }, @@ -40732,8 +40345,9 @@ "required": true } ], + "x-vault-unauthenticated": true, "post": { - "operationId": "pki-rotate-root", + "operationId": "pki-write-roles-role-acme-account-kid", "tags": [ "secrets" ], 
@@ -40742,28 +40356,39 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiRotateRootRequest" + "$ref": "#/components/schemas/PkiWriteRolesRoleAcmeAccountKidRequest" } } } }, "responses": { "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiRotateRootResponse" - } - } - } + "description": "OK" } } } }, - "/{pki_mount_path}/root/sign-intermediate": { - "description": "Issue an intermediate CA certificate based on the provided CSR.", + "/{pki_mount_path}/roles/{role}/acme/authorization/{auth_id}": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ + { + "name": "auth_id", + "description": "ACME authorization identifier value", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -40775,8 +40400,9 @@ "required": true } ], + "x-vault-unauthenticated": true, "post": { - "operationId": "pki-root-sign-intermediate", + "operationId": "pki-write-roles-role-acme-authorization-auth_id", "tags": [ "secrets" ], 
@@ -40785,28 +40411,48 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiRootSignIntermediateRequest" + "$ref": "#/components/schemas/PkiWriteRolesRoleAcmeAuthorizationAuth_idRequest" } } } }, "responses": { "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiRootSignIntermediateResponse" - } - } - } + "description": "OK" } } } }, - "/{pki_mount_path}/root/sign-self-issued": { - "description": "Re-issue a self-signed certificate based on the provided certificate.", + "/{pki_mount_path}/roles/{role}/acme/challenge/{auth_id}/{challenge_type}": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ + { + "name": "auth_id", + "description": "ACME authorization identifier value", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "challenge_type", + "description": "ACME challenge type", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -40818,9 +40464,9 @@ "required": true } ], - "x-vault-sudo": true, + "x-vault-unauthenticated": true, "post": { - "operationId": "pki-root-sign-self-issued", + "operationId": "pki-write-roles-role-acme-challenge-auth_id-challenge_type", "tags": [ "secrets" ], 
@@ -40829,27 +40475,30 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiRootSignSelfIssuedRequest" + "$ref": "#/components/schemas/PkiWriteRolesRoleAcmeChallengeAuth_idChallenge_typeRequest" } } } }, "responses": { "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiRootSignSelfIssuedResponse" - } - } - } + "description": "OK" } } } }, - "/{pki_mount_path}/scep": { + "/{pki_mount_path}/roles/{role}/acme/directory": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -40863,18 +40512,7 @@ ], "x-vault-unauthenticated": true, "get": { - "operationId": "pki-read-scep", - "tags": [ - "secrets" - ], - "responses": { - "200": { - "description": "OK" - } - } - }, - "post": { - "operationId": "pki-write-scep", + "operationId": "pki-read-roles-role-acme-directory", "tags": [ "secrets" ], 
@@ -40885,36 +40523,45 @@ } } }, - "/{pki_mount_path}/scep/pkiclient.exe": { + "/{pki_mount_path}/roles/{role}/acme/new-account": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { - "name": "pki_mount_path", - "description": "Path that the backend was mounted at", + "name": "role", + "description": "The desired role for the acme request", "in": "path", "schema": { - "type": "string", + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", "default": "pki" }, "required": true } ], "x-vault-unauthenticated": true, - "get": { - "operationId": "pki-read-scep-pkiclient-exe", - "tags": [ - "secrets" - ], - "responses": { - "200": { - "description": "OK" - } - } - }, "post": { - "operationId": "pki-write-scep-pkiclient-exe", + "operationId": "pki-write-roles-role-acme-new-account", "tags": [ "secrets" ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteRolesRoleAcmeNewAccountRequest" + } + } + } + }, "responses": { "200": { "description": "OK" @@ -40922,9 +40569,18 @@ } } }, - "/{pki_mount_path}/sign-verbatim": { - "description": "Issue a certificate directly based on the provided CSR.", + "/{pki_mount_path}/roles/{role}/acme/new-eab": { + "description": "Generate external account bindings to be used for ACME", "parameters": [ + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", 
@@ -40937,27 +40593,17 @@ } ], "post": { - "operationId": "pki-sign-verbatim", + "operationId": "pki-generate-eab-key-for-role", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiSignVerbatimRequest" - } - } - } - }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiSignVerbatimResponse" + "$ref": "#/components/schemas/PkiGenerateEabKeyForRoleResponse" } } } @@ -40965,12 +40611,12 @@ } } }, - "/{pki_mount_path}/sign-verbatim/{role}": { - "description": "Issue a certificate directly based on the provided CSR.", + "/{pki_mount_path}/roles/{role}/acme/new-nonce": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { "name": "role", - "description": "The desired role with configuration for this request", + "description": "The desired role for the acme request", "in": "path", "schema": { "type": "string" 
@@ -40988,41 +40634,25 @@ "required": true } ], - "post": { - "operationId": "pki-sign-verbatim-with-role", + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-roles-role-acme-new-nonce", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiSignVerbatimWithRoleRequest" - } - } - } - }, "responses": { "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiSignVerbatimWithRoleResponse" - } - } - } + "description": "OK" } } } }, - "/{pki_mount_path}/sign/{role}": { - "description": "Request certificates using a certain role with the provided details.", + "/{pki_mount_path}/roles/{role}/acme/new-order": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ { "name": "role", - "description": "The desired role with configuration for this request", + "description": "The desired role for the acme request", "in": "path", "schema": { "type": "string" @@ -41040,8 +40670,9 @@ "required": true } ], + "x-vault-unauthenticated": true, "post": { - "operationId": "pki-sign-with-role", + "operationId": "pki-write-roles-role-acme-new-order", "tags": [ "secrets" ], 
@@ -41050,28 +40681,39 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiSignWithRoleRequest" + "$ref": "#/components/schemas/PkiWriteRolesRoleAcmeNewOrderRequest" } } } }, "responses": { "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiSignWithRoleResponse" - } - } - } + "description": "OK" } } } }, - "/{pki_mount_path}/tidy": { - "description": "Tidy up the backend by removing expired certificates, revocation information, or both.", + "/{pki_mount_path}/roles/{role}/acme/order/{order_id}": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ + { + "name": "order_id", + "description": "The ACME order identifier to fetch", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -41083,8 +40725,9 @@ "required": true } ], + "x-vault-unauthenticated": true, "post": { - "operationId": "pki-tidy", + "operationId": "pki-write-roles-role-acme-order-order_id", "tags": [ "secrets" ], 
@@ -41093,21 +40736,39 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/PkiTidyRequest" + "$ref": "#/components/schemas/PkiWriteRolesRoleAcmeOrderOrder_idRequest" } } } }, "responses": { - "202": { - "description": "Accepted" + "200": { + "description": "OK" } } } }, - "/{pki_mount_path}/tidy-cancel": { - "description": "Cancels a currently running tidy operation.", + "/{pki_mount_path}/roles/{role}/acme/order/{order_id}/cert": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ + { + "name": "order_id", + "description": "The ACME order identifier to fetch", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", 
@@ -41119,28 +40780,50 @@ "required": true } ], + "x-vault-unauthenticated": true, "post": { - "operationId": "pki-tidy-cancel", + "operationId": "pki-write-roles-role-acme-order-order_id-cert", "tags": [ "secrets" ], - "responses": { - "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiTidyCancelResponse" - } + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteRolesRoleAcmeOrderOrder_idCertRequest" } } } + }, + "responses": { + "200": { + "description": "OK" + } } } }, - "/{pki_mount_path}/tidy-status": { - "description": "Returns the status of the tidy operation.", + "/{pki_mount_path}/roles/{role}/acme/order/{order_id}/finalize": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ + { + "name": "order_id", + "description": "The ACME order identifier to fetch", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", 
@@ -41152,28 +40835,41 @@ "required": true } ], - "get": { - "operationId": "pki-tidy-status", + "x-vault-unauthenticated": true, + "post": { + "operationId": "pki-write-roles-role-acme-order-order_id-finalize", "tags": [ "secrets" ], - "responses": { - "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/PkiTidyStatusResponse" - } + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteRolesRoleAcmeOrderOrder_idFinalizeRequest" } } } + }, + "responses": { + "200": { + "description": "OK" + } } } }, - "/{pki_mount_path}/unified-crl": { - "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "/{pki_mount_path}/roles/{role}/acme/orders": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", 
@@ -41186,21 +40882,40 @@ } ], "x-vault-unauthenticated": true, - "get": { - "operationId": "pki-read-unified-crl-der", + "post": { + "operationId": "pki-write-roles-role-acme-orders", "tags": [ "secrets" ], - "responses": { - "200": { - "description": "OK" - } - } - } - }, - "/{pki_mount_path}/unified-crl/delta": { - "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteRolesRoleAcmeOrdersRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/roles/{role}/acme/revoke-cert": { + "description": "An endpoint implementing the standard ACME protocol", "parameters": [ + { + "name": "role", + "description": "The desired role for the acme request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -41213,11 +40928,21 @@ } ], "x-vault-unauthenticated": true, - "get": { - "operationId": "pki-read-unified-crl-delta", + "post": { + "operationId": "pki-write-roles-role-acme-revoke-cert", "tags": [ "secrets" ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiWriteRolesRoleAcmeRevokeCertRequest" + } + } + } + }, "responses": { "200": { "description": "OK" @@ -41225,9 +40950,18 @@ } } }, - "/{pki_mount_path}/unified-crl/delta/pem": { - "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "/{pki_mount_path}/roles/{role}/cmp": { + "description": "CMPv2 Endpoint", "parameters": [ + { + "name": "role", + "description": "The desired role for the EST request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", 
@@ -41240,8 +40974,8 @@ } ], "x-vault-unauthenticated": true, - "get": { - "operationId": "pki-read-unified-crl-delta-pem", + "post": { + "operationId": "pki-write-roles-role-cmp", "tags": [ "secrets" ], @@ -41252,9 +40986,17 @@ } } }, - "/{pki_mount_path}/unified-crl/pem": { - "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "/{pki_mount_path}/roles/{role}/est/cacerts": { "parameters": [ + { + "name": "role", + "description": "The desired role for the EST request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -41268,7 +41010,7 @@ ], "x-vault-unauthenticated": true, "get": { - "operationId": "pki-read-unified-crl-pem", + "operationId": "pki-read-roles-role-est-cacerts", "tags": [ "secrets" ], @@ -41279,9 +41021,17 @@ } } }, - "/{pki_mount_path}/unified-ocsp": { - "description": "Query a certificate's revocation status through OCSP'", + "/{pki_mount_path}/roles/{role}/est/simpleenroll": { "parameters": [ + { + "name": "role", + "description": "The desired role for the EST request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, { "name": "pki_mount_path", "description": "Path that the backend was mounted at", @@ -41295,7 +41045,7 @@ ], "x-vault-unauthenticated": true, "post": { - "operationId": "pki-query-unified-ocsp", + "operationId": "pki-write-roles-role-est-simpleenroll", "tags": [ "secrets" ], @@ -41306,12 +41056,11 @@ } } }, - "/{pki_mount_path}/unified-ocsp/{req}": { - "description": "Query a certificate's revocation status through OCSP'", + "/{pki_mount_path}/roles/{role}/est/simplereenroll": { "parameters": [ { - "name": "req", - "description": "base-64 encoded ocsp request", + "name": "role", + "description": "The desired role for the EST request", "in": "path", "schema": { "type": "string" 
@@ -41330,8 +41079,8 @@ } ], "x-vault-unauthenticated": true, - "get": { - "operationId": "pki-query-unified-ocsp-with-get-req", + "post": { + "operationId": "pki-write-roles-role-est-simplereenroll", "tags": [ "secrets" ], @@ -41342,59 +41091,31 @@ } } }, - "/{rabbitmq_mount_path}/config/connection": { - "description": "Configure the connection URI, username, and password to talk to RabbitMQ management HTTP API.", + "/{pki_mount_path}/roles/{role}/scep": { "parameters": [ { - "name": "rabbitmq_mount_path", - "description": "Path that the backend was mounted at", + "name": "role", + "description": "The desired role for the SCEP request", "in": "path", "schema": { - "type": "string", - "default": "rabbitmq" + "type": "string" }, "required": true - } - ], - "post": { - "summary": "Configure the connection URI, username, and password to talk to RabbitMQ management HTTP API.", - "operationId": "rabbit-mq-configure-connection", - "tags": [ - "secrets" - ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/RabbitMqConfigureConnectionRequest" - } - } - } }, - "responses": { - "200": { - "description": "OK" - } - } - } - }, - "/{rabbitmq_mount_path}/config/lease": { - "description": "Configure the lease parameters for generated credentials", - "parameters": [ { - "name": "rabbitmq_mount_path", + "name": "pki_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "rabbitmq" + "default": "pki" }, "required": true } ], + "x-vault-unauthenticated": true, "get": { - "operationId": "rabbit-mq-read-lease-configuration", + "operationId": "pki-read-roles-role-scep", "tags": [ "secrets" ], 
@@ -41405,20 +41126,10 @@ } }, "post": { - "operationId": "rabbit-mq-configure-lease", + "operationId": "pki-write-roles-role-scep", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/RabbitMqConfigureLeaseRequest" - } - } - } - }, "responses": { "200": { "description": "OK" @@ -41426,12 +41137,11 @@ } } }, - "/{rabbitmq_mount_path}/creds/{name}": { - "description": "Request RabbitMQ credentials for a certain role.", + "/{pki_mount_path}/roles/{role}/scep/pkiclient.exe": { "parameters": [ { - "name": "name", - "description": "Name of the role.", + "name": "role", + "description": "The desired role for the SCEP request", "in": "path", "schema": { "type": "string" @@ -41439,19 +41149,30 @@ "required": true }, { - "name": "rabbitmq_mount_path", + "name": "pki_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "rabbitmq" + "default": "pki" }, "required": true } ], + "x-vault-unauthenticated": true, "get": { - "summary": "Request RabbitMQ credentials for a certain role.", - "operationId": "rabbit-mq-request-credentials", + "operationId": "pki-read-roles-role-scep-pkiclient-exe", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, + "post": { + "operationId": "pki-write-roles-role-scep-pkiclient-exe", "tags": [ "secrets" ], 
@@ -41462,92 +41183,63 @@ } } }, - "/{rabbitmq_mount_path}/roles/": { - "description": "Manage the roles that can be created with this backend.", + "/{pki_mount_path}/root": { + "description": "Deletes the root CA key to allow a new one to be generated.", "parameters": [ { - "name": "rabbitmq_mount_path", + "name": "pki_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "rabbitmq" + "default": "pki" }, "required": true } ], - "get": { - "summary": "Manage the roles that can be created with this backend.", - "operationId": "rabbit-mq-list-roles", + "x-vault-sudo": true, + "delete": { + "operationId": "pki-delete-root", "tags": [ "secrets" ], - "parameters": [ - { - "name": "list", - "description": "Must be set to `true`", - "in": "query", - "schema": { - "type": "string", - "enum": [ - "true" - ] - }, - "required": true - } - ], "responses": { "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/StandardListResponse" - } - } - } + "description": "OK" } } } }, - "/{rabbitmq_mount_path}/roles/{name}": { - "description": "Manage the roles that can be created with this backend.", + "/{pki_mount_path}/root/generate/{exported}": { + "description": "Generate a new CA certificate and private key used for signing.", "parameters": [ { - "name": "name", - "description": "Name of the role.", + "name": "exported", + "description": "Must be \"internal\", \"exported\" or \"kms\". If set to \"exported\", the generated private key will be returned. 
This is your *only* chance to retrieve the private key!", "in": "path", "schema": { - "type": "string" + "type": "string", + "enum": [ + "internal", + "external", + "kms" + ] }, "required": true }, { - "name": "rabbitmq_mount_path", + "name": "pki_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "rabbitmq" + "default": "pki" }, "required": true } ], - "get": { - "summary": "Manage the roles that can be created with this backend.", - "operationId": "rabbit-mq-read-role", - "tags": [ - "secrets" - ], - "responses": { - "200": { - "description": "OK" - } - } - }, "post": { - "summary": "Manage the roles that can be created with this backend.", - "operationId": "rabbit-mq-write-role", + "operationId": "pki-generate-root", "tags": [ "secrets" ], 
@@ -41556,94 +41248,41 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/RabbitMqWriteRoleRequest" + "$ref": "#/components/schemas/PkiGenerateRootRequest" } } } }, "responses": { "200": { - "description": "OK" - } - } - }, - "delete": { - "summary": "Manage the roles that can be created with this backend.", - "operationId": "rabbit-mq-delete-role", - "tags": [ - "secrets" - ], - "responses": { - "204": { - "description": "empty body" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiGenerateRootResponse" + } + } + } } } } }, - "/{spiffe_mount_path}/^.well-known/keys$": { - "description": "Retrieve public keys", - "parameters": [ - { - "name": "spiffe_mount_path", - "description": "Path that the backend was mounted at", - "in": "path", - "schema": { - "type": "string", - "default": "spiffe" - }, - "required": true - } - ] - }, - "/{spiffe_mount_path}/^.well-known/openid-configuration$": { - "description": "Query OIDC configurations", - "parameters": [ - { - "name": "spiffe_mount_path", - "description": "Path that the backend was mounted at", - "in": "path", - "schema": { - "type": "string", - "default": "spiffe" - }, - "required": true - } - ] - }, - "/{spiffe_mount_path}/config": { - "description": "Configuration that is applicable to this SPIFFE backend.", + "/{pki_mount_path}/root/replace": { + "description": "Read and set the default issuer certificate for signing.", "parameters": [ { - "name": "spiffe_mount_path", + "name": "pki_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "spiffe" + "default": "pki" }, "required": true } ], - "get": { - "operationId": "spiffe-configure", - "tags": [ - "secrets" - ], - "responses": { - "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/SpiffeConfigureResponse" - } - } - } - } - } - }, "post": 
{ - "operationId": "spiffe-configure", + "operationId": "pki-replace-root", "tags": [ "secrets" ], @@ -41652,7 +41291,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/SpiffeConfigureRequest" + "$ref": "#/components/schemas/PkiReplaceRootRequest" } } } @@ -41663,7 +41302,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/SpiffeConfigureResponse" + "$ref": "#/components/schemas/PkiReplaceRootResponse" } } } @@ -41671,46 +41310,56 @@ } } }, - "/{spiffe_mount_path}/role/": { - "description": "List all SPIFFE roles", + "/{pki_mount_path}/root/rotate/{exported}": { + "description": "Generate a new CA certificate and private key used for signing.", "parameters": [ { - "name": "spiffe_mount_path", + "name": "exported", + "description": "Must be \"internal\", \"exported\" or \"kms\". If set to \"exported\", the generated private key will be returned. This is your *only* chance to retrieve the private key!", + "in": "path", + "schema": { + "type": "string", + "enum": [ + "internal", + "external", + "kms" + ] + }, + "required": true + }, + { + "name": "pki_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "spiffe" + "default": "pki" }, "required": true } ], - "get": { - "operationId": "spiffe-list-role", + "post": { + "operationId": "pki-rotate-root", "tags": [ "secrets" ], - "parameters": [ - { - "name": "list", - "description": "Must be set to `true`", - "in": "query", - "schema": { - "type": "string", - "enum": [ - "true" - ] - }, - "required": true + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiRotateRootRequest" + } + } } - ], + }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/StandardListResponse" + "$ref": "#/components/schemas/PkiRotateRootResponse" } } } 
@@ -41718,50 +41367,22 @@ } } }, - "/{spiffe_mount_path}/role/{name}": { - "description": "Manage the roles that can be created with the SPIFFE backend.", + "/{pki_mount_path}/root/sign-intermediate": { + "description": "Issue an intermediate CA certificate based on the provided CSR.", "parameters": [ { - "name": "name", - "description": "The name of the role", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "spiffe_mount_path", + "name": "pki_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "spiffe" + "default": "pki" }, "required": true } ], - "x-vault-createSupported": true, - "get": { - "operationId": "spiffe-configure", - "tags": [ - "secrets" - ], - "responses": { - "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/SpiffeConfigureResponse" - } - } - } - } - } - }, "post": { - "operationId": "spiffe-configure", + "operationId": "pki-root-sign-intermediate", "tags": [ "secrets" ], @@ -41770,7 +41391,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/SpiffeConfigureRequest" + "$ref": "#/components/schemas/PkiRootSignIntermediateRequest" } } } @@ -41781,25 +41402,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/SpiffeConfigureResponse" - } - } - } - } - } - }, - "delete": { - "operationId": "spiffe-configure", - "tags": [ - "secrets" - ], - "responses": { - "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/SpiffeConfigureResponse" + "$ref": "#/components/schemas/PkiRootSignIntermediateResponse" } } } 
@@ -41807,30 +41410,23 @@ } } }, - "/{spiffe_mount_path}/role/{role}/mintjwt": { + "/{pki_mount_path}/root/sign-self-issued": { + "description": "Re-issue a self-signed certificate based on the provided certificate.", "parameters": [ { - "name": "role", - "description": "The name of the role to use for minting the JWT", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "spiffe_mount_path", + "name": "pki_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "spiffe" + "default": "pki" }, "required": true } ], + "x-vault-sudo": true, "post": { - "operationId": "spiffe-create", + "operationId": "pki-root-sign-self-issued", "tags": [ "secrets" ], @@ -41839,7 +41435,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/SpiffeCreateRequest" + "$ref": "#/components/schemas/PkiRootSignSelfIssuedRequest" } } } @@ -41850,7 +41446,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/SpiffeCreateResponse" + "$ref": "#/components/schemas/PkiRootSignSelfIssuedResponse" } } } 
@@ -41858,35 +41454,36 @@ } } }, - "/{spiffe_mount_path}/rotate_jwks": { - "description": "Rotate the JWT signing key.", + "/{pki_mount_path}/scep": { "parameters": [ { - "name": "spiffe_mount_path", + "name": "pki_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "spiffe" + "default": "pki" }, "required": true } ], - "post": { - "operationId": "spiffe-rotate", + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-scep", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/SpiffeRotateRequest" - } - } + "responses": { + "200": { + "description": "OK" } - }, + } + }, + "post": { + "operationId": "pki-write-scep", + "tags": [ + "secrets" + ], "responses": { "200": { "description": "OK" @@ -41894,23 +41491,22 @@ } } }, - "/{spiffe_mount_path}/trust_bundle/web": { - "description": "Retrieve SPIFFE trust bundle.", + "/{pki_mount_path}/scep/pkiclient.exe": { "parameters": [ { - "name": "spiffe_mount_path", + "name": "pki_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "spiffe" + "default": "pki" }, "required": true } ], "x-vault-unauthenticated": true, "get": { - "operationId": "spiffe-read", + "operationId": "pki-read-scep-pkiclient-exe", "tags": [ "secrets" ], 
@@ -41919,122 +41515,35 @@ "description": "OK" } } - } - }, - "/{ssh_mount_path}/config/ca": { - "description": "Set the SSH private key used for signing certificates.", - "parameters": [ - { - "name": "ssh_mount_path", - "description": "Path that the backend was mounted at", - "in": "path", - "schema": { - "type": "string", - "default": "ssh" - }, - "required": true - } - ], - "get": { - "operationId": "ssh-read-ca-configuration", - "tags": [ - "secrets" - ], - "parameters": [ - { - "name": "read_snapshot_id", - "description": "Targets the read operation to the provided loaded snapshot Id", - "in": "query", - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "description": "OK" - } - } }, "post": { - "operationId": "ssh-configure-ca", + "operationId": "pki-write-scep-pkiclient-exe", "tags": [ "secrets" ], - "parameters": [ - { - "name": "recover_snapshot_id", - "description": "Triggers a recover operation using the given snapshot ID. Request body is ignored when a recover operation is requested.", - "in": "query", - "schema": { - "type": "string" - }, - "deprecated": true - }, - { - "name": "X-Vault-Recover-Snapshot-Id", - "description": "Triggers a recover operation using the given snapshot ID. 
Request body is ignored when a recover operation is requested.", - "in": "header", - "schema": { - "type": "string" - } - } - ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/SshConfigureCaRequest" - } - } - } - }, "responses": { "200": { "description": "OK" } } - }, - "delete": { - "operationId": "ssh-delete-ca-configuration", - "tags": [ - "secrets" - ], - "responses": { - "204": { - "description": "empty body" - } - } } }, - "/{ssh_mount_path}/config/zeroaddress": { - "description": "Assign zero address as default CIDR block for select roles.", + "/{pki_mount_path}/sign-verbatim": { + "description": "Issue a certificate directly based on the provided CSR.", "parameters": [ { - "name": "ssh_mount_path", + "name": "pki_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "ssh" + "default": "pki" }, "required": true } ], - "get": { - "operationId": "ssh-read-zero-address-configuration", - "tags": [ - "secrets" - ], - "responses": { - "200": { - "description": "OK" - } - } - }, "post": { - "operationId": "ssh-configure-zero-address", + "operationId": "pki-sign-verbatim", "tags": [ "secrets" ], 
@@ -42043,35 +41552,31 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/SshConfigureZeroAddressRequest" + "$ref": "#/components/schemas/PkiSignVerbatimRequest" } } } }, "responses": { "200": { - "description": "OK" - } - } - }, - "delete": { - "operationId": "ssh-delete-zero-address-configuration", - "tags": [ - "secrets" - ], - "responses": { - "204": { - "description": "empty body" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiSignVerbatimResponse" + } + } + } } } } }, - "/{ssh_mount_path}/creds/{role}": { - "description": "Creates a credential for establishing SSH connection with the remote host.", + "/{pki_mount_path}/sign-verbatim/{role}": { + "description": "Issue a certificate directly based on the provided CSR.", "parameters": [ { "name": "role", - "description": "[Required] Name of the role", + "description": "The desired role with configuration for this request", "in": "path", "schema": { "type": "string" @@ -42079,19 +41584,18 @@ "required": true }, { - "name": "ssh_mount_path", + "name": "pki_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "ssh" + "default": "pki" }, "required": true } ], "post": { - "summary": "Creates a credential for establishing SSH connection with the remote host.", - "operationId": "ssh-generate-credentials", + "operationId": "pki-sign-verbatim-with-role", "tags": [ "secrets" ], 
@@ -42100,24 +41604,31 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/SshGenerateCredentialsRequest" + "$ref": "#/components/schemas/PkiSignVerbatimWithRoleRequest" } } } }, "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiSignVerbatimWithRoleResponse" + } + } + } } } } }, - "/{ssh_mount_path}/issue/{role}": { - "description": "Request a certificate using a certain role with the provided details.", + "/{pki_mount_path}/sign/{role}": { + "description": "Request certificates using a certain role with the provided details.", "parameters": [ { "name": "role", - "description": "The desired role with configuration for this request.", + "description": "The desired role with configuration for this request", "in": "path", "schema": { "type": "string" @@ -42125,18 +41636,18 @@ "required": true }, { - "name": "ssh_mount_path", + "name": "pki_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "ssh" + "default": "pki" }, "required": true } ], "post": { - "operationId": "ssh-issue-certificate", + "operationId": "pki-sign-with-role", "tags": [ "secrets" ], 
@@ -42145,35 +41656,41 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/SshIssueCertificateRequest" + "$ref": "#/components/schemas/PkiSignWithRoleRequest" } } } }, "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiSignWithRoleResponse" + } + } + } } } } }, - "/{ssh_mount_path}/lookup": { - "description": "List all the roles associated with the given IP address.", + "/{pki_mount_path}/tidy": { + "description": "Tidy up the backend by removing expired certificates, revocation information, or both.", "parameters": [ { - "name": "ssh_mount_path", + "name": "pki_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "ssh" + "default": "pki" }, "required": true } ], "post": { - "summary": "List all the roles associated with the given IP address.", - "operationId": "ssh-list-roles-by-ip", + "operationId": "pki-tidy", "tags": [ "secrets" ], 
@@ -42182,86 +41699,77 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/SshListRolesByIpRequest" + "$ref": "#/components/schemas/PkiTidyRequest" } } } }, "responses": { - "200": { - "description": "OK" + "202": { + "description": "Accepted" } } } }, - "/{ssh_mount_path}/public_key": { - "description": "Retrieve the public key.", + "/{pki_mount_path}/tidy-cancel": { + "description": "Cancels a currently running tidy operation.", "parameters": [ { - "name": "ssh_mount_path", + "name": "pki_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "ssh" + "default": "pki" }, "required": true } ], - "x-vault-unauthenticated": true, - "get": { - "summary": "Retrieve the public key.", - "operationId": "ssh-read-public-key", + "post": { + "operationId": "pki-tidy-cancel", "tags": [ "secrets" ], "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/PkiTidyCancelResponse" + } + } + } } } } }, - "/{ssh_mount_path}/roles/": { - "description": "Manage the 'roles' that can be created with this backend.", + "/{pki_mount_path}/tidy-status": { + "description": "Returns the status of the tidy operation.", "parameters": [ { - "name": "ssh_mount_path", + "name": "pki_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "ssh" + "default": "pki" }, "required": true } ], "get": { - "operationId": "ssh-list-roles", + "operationId": "pki-tidy-status", "tags": [ "secrets" ], - "parameters": [ - { - "name": "list", - "description": "Must be set to `true`", - "in": "query", - "schema": { - "type": "string", - "enum": [ - "true" - ] - }, - "required": true - } - ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/SshListRolesResponse" + "$ref": 
"#/components/schemas/PkiTidyStatusResponse" } } } @@ -42269,32 +41777,23 @@ } } }, - "/{ssh_mount_path}/roles/{role}": { - "description": "Manage the 'roles' that can be created with this backend.", + "/{pki_mount_path}/unified-crl": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "parameters": [ { - "name": "role", - "description": "[Required for all types] Name of the role being created.", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "ssh_mount_path", + "name": "pki_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "ssh" + "default": "pki" }, "required": true } ], + "x-vault-unauthenticated": true, "get": { - "summary": "Manage the 'roles' that can be created with this backend.", - "operationId": "ssh-read-role", + "operationId": "pki-read-unified-crl-der", "tags": [ "secrets" ], 
@@ -42303,81 +41802,109 @@ "description": "OK" } } - }, - "post": { - "summary": "Manage the 'roles' that can be created with this backend.", - "operationId": "ssh-write-role", + } + }, + "/{pki_mount_path}/unified-crl/delta": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-unified-crl-delta", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/SshWriteRoleRequest" - } - } - } - }, "responses": { "200": { "description": "OK" } } - }, - "delete": { - "summary": "Manage the 'roles' that can be created with this backend.", - "operationId": "ssh-delete-role", + } + }, + "/{pki_mount_path}/unified-crl/delta/pem": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", + "parameters": [ + { + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "pki" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-unified-crl-delta-pem", "tags": [ "secrets" ], "responses": { - "204": { - "description": "empty body" + "200": { + "description": "OK" } } } }, - "/{ssh_mount_path}/sign/{role}": { - "description": "Request signing an SSH key using a certain role with the provided details.", + "/{pki_mount_path}/unified-crl/pem": { + "description": "Fetch a CA, CRL, CA Chain, or non-revoked certificate.", "parameters": [ { - "name": "role", - "description": "The desired role with configuration for this request.", + "name": "pki_mount_path", + "description": "Path that the backend was mounted at", "in": "path", "schema": { - 
"type": "string" + "type": "string", + "default": "pki" }, "required": true - }, + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-read-unified-crl-pem", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{pki_mount_path}/unified-ocsp": { + "description": "Query a certificate's revocation status through OCSP'", + "parameters": [ { - "name": "ssh_mount_path", + "name": "pki_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "ssh" + "default": "pki" }, "required": true } ], + "x-vault-unauthenticated": true, "post": { - "summary": "Request signing an SSH key using a certain role with the provided details.", - "operationId": "ssh-sign-certificate", + "operationId": "pki-query-unified-ocsp", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/SshSignCertificateRequest" - } - } - } - }, "responses": { "200": { "description": "OK" 
@@ -42385,51 +41912,59 @@ } } }, - "/{ssh_mount_path}/tidy/dynamic-keys": { - "description": "This endpoint removes the stored host keys used for the removed Dynamic Key feature, if present.", + "/{pki_mount_path}/unified-ocsp/{req}": { + "description": "Query a certificate's revocation status through OCSP'", "parameters": [ { - "name": "ssh_mount_path", + "name": "req", + "description": "base-64 encoded ocsp request", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "pki_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "ssh" + "default": "pki" }, "required": true } ], - "delete": { - "summary": "This endpoint removes the stored host keys used for the removed Dynamic Key feature, if present.", - "operationId": "ssh-tidy-dynamic-host-keys", + "x-vault-unauthenticated": true, + "get": { + "operationId": "pki-query-unified-ocsp-with-get-req", "tags": [ "secrets" ], "responses": { - "204": { - "description": "empty body" + "200": { + "description": "OK" } } } }, - "/{ssh_mount_path}/verify": { - "description": "Validate the OTP provided by Vault SSH Agent.", + "/{rabbitmq_mount_path}/config/connection": { + "description": "Configure the connection URI, username, and password to talk to RabbitMQ management HTTP API.", "parameters": [ { - "name": "ssh_mount_path", + "name": "rabbitmq_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "ssh" + "default": "rabbitmq" }, "required": true } ], - "x-vault-unauthenticated": true, "post": { - "summary": "Validate the OTP provided by Vault SSH Agent.", - "operationId": "ssh-verify-otp", + "summary": "Configure the connection URI, username, and password to talk to RabbitMQ management HTTP API.", + "operationId": "rabbit-mq-configure-connection", "tags": [ "secrets" ], 
@@ -42438,7 +41973,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/SshVerifyOtpRequest" + "$ref": "#/components/schemas/RabbitMqConfigureConnectionRequest" } } } @@ -42450,23 +41985,22 @@ } } }, - "/{terraform_mount_path}/config": { - "description": "Configure the Terraform Cloud / Enterprise backend.", + "/{rabbitmq_mount_path}/config/lease": { + "description": "Configure the lease parameters for generated credentials", "parameters": [ { - "name": "terraform_mount_path", + "name": "rabbitmq_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "terraform" + "default": "rabbitmq" }, "required": true } ], - "x-vault-createSupported": true, "get": { - "operationId": "terraform-cloud-read-configuration", + "operationId": "rabbit-mq-read-lease-configuration", "tags": [ "secrets" ], @@ -42477,7 +42011,7 @@ } }, "post": { - "operationId": "terraform-cloud-configure", + "operationId": "rabbit-mq-configure-lease", "tags": [ "secrets" ], @@ -42486,7 +42020,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TerraformCloudConfigureRequest" + "$ref": "#/components/schemas/RabbitMqConfigureLeaseRequest" } } } @@ -42496,25 +42030,14 @@ "description": "OK" } } - }, - "delete": { - "operationId": "terraform-cloud-delete-configuration", - "tags": [ - "secrets" - ], - "responses": { - "204": { - "description": "empty body" - } - } } }, - "/{terraform_mount_path}/creds/{name}": { - "description": "Generate a Terraform Cloud or Enterprise API token from a specific Vault role.", + "/{rabbitmq_mount_path}/creds/{name}": { + "description": "Request RabbitMQ credentials for a certain role.", "parameters": [ { "name": "name", - "description": "Name of the role", + "description": "Name of the role.", "in": "path", "schema": { "type": "string" 
@@ -42522,29 +42045,19 @@ "required": true }, { - "name": "terraform_mount_path", + "name": "rabbitmq_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "terraform" + "default": "rabbitmq" }, "required": true } ], "get": { - "operationId": "terraform-cloud-generate-credentials", - "tags": [ - "secrets" - ], - "responses": { - "200": { - "description": "OK" - } - } - }, - "post": { - "operationId": "terraform-cloud-generate-credentials2", + "summary": "Request RabbitMQ credentials for a certain role.", + "operationId": "rabbit-mq-request-credentials", "tags": [ "secrets" ], @@ -42555,22 +42068,23 @@ } } }, - "/{terraform_mount_path}/role/": { - "description": "List the existing roles in Terraform Cloud / Enterprise backend", + "/{rabbitmq_mount_path}/roles/": { + "description": "Manage the roles that can be created with this backend.", "parameters": [ { - "name": "terraform_mount_path", + "name": "rabbitmq_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "terraform" + "default": "rabbitmq" }, "required": true } ], "get": { - "operationId": "terraform-cloud-list-roles", + "summary": "Manage the roles that can be created with this backend.", + "operationId": "rabbit-mq-list-roles", "tags": [ "secrets" ], @@ -42602,12 +42116,12 @@ } } }, - "/{terraform_mount_path}/role/{name}": { - "description": "Manages the Vault role for generating Terraform Cloud / Enterprise tokens.", + "/{rabbitmq_mount_path}/roles/{name}": { + "description": "Manage the roles that can be created with this backend.", "parameters": [ { "name": "name", - "description": "Name of the role", + "description": "Name of the role.", "in": "path", "schema": { "type": "string" 
@@ -42615,18 +42129,19 @@ "required": true }, { - "name": "terraform_mount_path", + "name": "rabbitmq_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "terraform" + "default": "rabbitmq" }, "required": true } ], "get": { - "operationId": "terraform-cloud-read-role", + "summary": "Manage the roles that can be created with this backend.", + "operationId": "rabbit-mq-read-role", "tags": [ "secrets" ], @@ -42637,7 +42152,8 @@ } }, "post": { - "operationId": "terraform-cloud-write-role", + "summary": "Manage the roles that can be created with this backend.", + "operationId": "rabbit-mq-write-role", "tags": [ "secrets" ], @@ -42646,7 +42162,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TerraformCloudWriteRoleRequest" + "$ref": "#/components/schemas/RabbitMqWriteRoleRequest" } } } @@ -42658,7 +42174,8 @@ } }, "delete": { - "operationId": "terraform-cloud-delete-role", + "summary": "Manage the roles that can be created with this backend.", + "operationId": "rabbit-mq-delete-role", "tags": [ "secrets" ], 
@@ -42669,77 +42186,70 @@ } } }, - "/{terraform_mount_path}/rotate-role/{name}": { - "description": "Request to rotate the credentials for a team or organization.", + "/{spiffe_mount_path}/^.well-known/keys$": { + "description": "Retrieve public keys", "parameters": [ { - "name": "name", - "description": "Name of the team or organization role", + "name": "spiffe_mount_path", + "description": "Path that the backend was mounted at", "in": "path", "schema": { - "type": "string" + "type": "string", + "default": "spiffe" }, "required": true - }, + } + ] + }, + "/{spiffe_mount_path}/^.well-known/openid-configuration$": { + "description": "Query OIDC configurations", + "parameters": [ { - "name": "terraform_mount_path", + "name": "spiffe_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "terraform" + "default": "spiffe" }, "required": true } - ], - "post": { - "operationId": "terraform-cloud-rotate-role", - "tags": [ - "secrets" - ], - "responses": { - "200": { - "description": "OK" - } - } - } + ] }, - "/{totp_mount_path}/code/{name}": { - "description": "Request time-based one-time use password or validate a password for a certain key .", + "/{spiffe_mount_path}/config": { + "description": "Configuration that is applicable to this SPIFFE backend.", "parameters": [ { - "name": "name", - "description": "Name of the key.", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "totp_mount_path", + "name": "spiffe_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "totp" + "default": "spiffe" }, "required": true } ], "get": { - "operationId": "totp-generate-code", + "operationId": "spiffe-configure", "tags": [ "secrets" ], "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": 
"#/components/schemas/SpiffeConfigureResponse" + } + } + } } } }, "post": { - "operationId": "totp-validate-code", + "operationId": "spiffe-configure", "tags": [ "secrets" ], @@ -42748,35 +42258,41 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TotpValidateCodeRequest" + "$ref": "#/components/schemas/SpiffeConfigureRequest" } } } }, "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/SpiffeConfigureResponse" + } + } + } } } } }, - "/{totp_mount_path}/keys/": { - "description": "Manage the keys that can be created with this backend.", + "/{spiffe_mount_path}/role/": { + "description": "List all SPIFFE roles", "parameters": [ { - "name": "totp_mount_path", + "name": "spiffe_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "totp" + "default": "spiffe" }, "required": true } ], "get": { - "summary": "Manage the keys that can be created with this backend.", - "operationId": "totp-list-keys", + "operationId": "spiffe-list-role", "tags": [ "secrets" ], @@ -42808,12 +42324,12 @@ } } }, - "/{totp_mount_path}/keys/{name}": { - "description": "Manage the keys that can be created with this backend.", + "/{spiffe_mount_path}/role/{name}": { + "description": "Manage the roles that can be created with the SPIFFE backend.", "parameters": [ { "name": "name", - "description": "Name of the key.", + "description": "The name of the role", "in": "path", "schema": { "type": "string" 
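Review bot: The new SPIFFE path items reuse the same `"operationId": "spiffe-configure"` for both the `get` and the `post` of `/{spiffe_mount_path}/config` in this hunk, and again for the `get`, `post` and `delete` of `/{spiffe_mount_path}/role/{name}` in the hunks at `@@ -42821,29 +42337,37 @@` and `@@ -42852,69 +42376,87 @@`; OpenAPI requires operationId to be unique across the document, so an SDK generator consuming this spec will either reject it or silently overwrite one method with another. Since this file is produced by the generator, the fix belongs in the backend's operation metadata rather than in the JSON, but the spec should not be treated as valid until the ids are distinct (for example `spiffe-read-configuration` / `spiffe-configure` and `spiffe-read-role` / `spiffe-write-role` / `spiffe-delete-role`, names constructed here for illustration). The same hunk also emits the path keys `/{spiffe_mount_path}/^.well-known/keys$` and `/{spiffe_mount_path}/^.well-known/openid-configuration$`, which carry regex anchors and contain no operations at all, so they are not usable path templates and should either be dropped or rendered as plain `/.well-known/...` paths with a `get`. `/{spiffe_mount_path}/role/{role}/mintjwt` in the `@@ -42852` hunk is the only new path item without a `description`; adding `"description": "Mint a JWT using the given role."` would keep it consistent with its neighbours.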
@@ -42821,29 +42337,37 @@ "required": true }, { - "name": "totp_mount_path", + "name": "spiffe_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "totp" + "default": "spiffe" }, "required": true } ], + "x-vault-createSupported": true, "get": { - "operationId": "totp-read-key", + "operationId": "spiffe-configure", "tags": [ "secrets" ], "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/SpiffeConfigureResponse" + } + } + } } } }, "post": { - "operationId": "totp-create-key", + "operationId": "spiffe-configure", "tags": [ "secrets" ], 
@@ -42852,69 +42376,87 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TotpCreateKeyRequest" + "$ref": "#/components/schemas/SpiffeConfigureRequest" } } } }, "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/SpiffeConfigureResponse" + } + } + } } } }, "delete": { - "operationId": "totp-delete-key", + "operationId": "spiffe-configure", "tags": [ "secrets" ], "responses": { - "204": { - "description": "empty body" + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/SpiffeConfigureResponse" + } + } + } } } } }, - "/{transform_mount_path}/alphabet/": { - "description": "List the existing alphabets in this secret engine.", + "/{spiffe_mount_path}/role/{role}/mintjwt": { "parameters": [ { - "name": "transform_mount_path", + "name": "role", + "description": "The name of the role to use for minting the JWT", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "spiffe_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "transform" + "default": "spiffe" }, "required": true } ], - "get": { - "operationId": "transform-list-alphabets", + "post": { + "operationId": "spiffe-create", "tags": [ "secrets" ], - "parameters": [ - { - "name": "list", - "description": "Must be set to `true`", - "in": "query", - "schema": { - "type": "string", - "enum": [ - "true" - ] - }, - "required": true + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/SpiffeCreateRequest" + } + } } - ], + }, "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/StandardListResponse" + "$ref": "#/components/schemas/SpiffeCreateResponse" } } } 
@@ -42922,43 +42464,22 @@ } } }, - "/{transform_mount_path}/alphabet/{name}": { - "description": "Read, write, and delete alphabets.", + "/{spiffe_mount_path}/rotate_jwks": { + "description": "Rotate the JWT signing key.", "parameters": [ { - "name": "name", - "description": "The name of the alphabet.", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "transform_mount_path", + "name": "spiffe_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "transform" + "default": "spiffe" }, "required": true } ], - "x-vault-createSupported": true, - "get": { - "operationId": "transform-read-alphabet", - "tags": [ - "secrets" - ], - "responses": { - "200": { - "description": "OK" - } - } - }, "post": { - "operationId": "transform-write-alphabet", + "operationId": "spiffe-rotate", "tags": [ "secrets" ], @@ -42967,7 +42488,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransformWriteAlphabetRequest" + "$ref": "#/components/schemas/SpiffeRotateRequest" } } } 
@@ -42977,39 +42498,64 @@ "description": "OK" } } - }, - "delete": { - "operationId": "transform-delete-alphabet", + } + }, + "/{spiffe_mount_path}/trust_bundle/web": { + "description": "Retrieve SPIFFE trust bundle.", + "parameters": [ + { + "name": "spiffe_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "spiffe" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "get": { + "operationId": "spiffe-read", "tags": [ "secrets" ], "responses": { - "204": { - "description": "empty body" + "200": { + "description": "OK" } } } }, - "/{transform_mount_path}/cache-config": { - "description": "Configure caching strategy", + "/{ssh_mount_path}/config/ca": { + "description": "Set the SSH private key used for signing certificates.", "parameters": [ { - "name": "transform_mount_path", + "name": "ssh_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "transform" + "default": "ssh" }, "required": true } ], "get": { - "summary": "Returns the size of the active cache", - "operationId": "transform-read-cache-configuration", + "operationId": "ssh-read-ca-configuration", "tags": [ "secrets" ], + "parameters": [ + { + "name": "read_snapshot_id", + "description": "Targets the read operation to the provided loaded snapshot Id", + "in": "query", + "schema": { + "type": "string" + } + } + ], "responses": { "200": { "description": "OK" 
@@ -43017,17 +42563,35 @@ } }, "post": { - "summary": "Configures a new cache of the specified size", - "operationId": "transform-configure-cache", + "operationId": "ssh-configure-ca", "tags": [ "secrets" ], + "parameters": [ + { + "name": "recover_snapshot_id", + "description": "Triggers a recover operation using the given snapshot ID. Request body is ignored when a recover operation is requested.", + "in": "query", + "schema": { + "type": "string" + }, + "deprecated": true + }, + { + "name": "X-Vault-Recover-Snapshot-Id", + "description": "Triggers a recover operation using the given snapshot ID. Request body is ignored when a recover operation is requested.", + "in": "header", + "schema": { + "type": "string" + } + } + ], "requestBody": { "required": true, "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransformConfigureCacheRequest" + "$ref": "#/components/schemas/SshConfigureCaRequest" } } } 
@@ -43037,34 +42601,46 @@ "description": "OK" } } + }, + "delete": { + "operationId": "ssh-delete-ca-configuration", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } } }, - "/{transform_mount_path}/decode/{role_name}": { - "description": "Decode a provided value using the specified transformation.", + "/{ssh_mount_path}/config/zeroaddress": { + "description": "Assign zero address as default CIDR block for select roles.", "parameters": [ { - "name": "role_name", - "description": "The name of the role.", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "transform_mount_path", + "name": "ssh_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "transform" + "default": "ssh" }, "required": true } ], - "x-vault-createSupported": true, + "get": { + "operationId": "ssh-read-zero-address-configuration", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, "post": { - "operationId": "transform-decode", + "operationId": "ssh-configure-zero-address", "tags": [ "secrets" ], @@ -43073,7 +42649,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransformDecodeRequest" + "$ref": "#/components/schemas/SshConfigureZeroAddressRequest" } } } 
@@ -43083,23 +42659,25 @@ "description": "OK" } } + }, + "delete": { + "operationId": "ssh-delete-zero-address-configuration", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } } }, - "/{transform_mount_path}/decode/{role_name}/{decode_format}": { - "description": "Decode a provided value using the specified transformation.", + "/{ssh_mount_path}/creds/{role}": { + "description": "Creates a credential for establishing SSH connection with the remote host.", "parameters": [ { - "name": "decode_format", - "description": "The name of the decode format to use for decoding. If one is not specified, the template's pattern will be used. Only applicable for FPE transformations.", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "role_name", - "description": "The name of the role.", + "name": "role", + "description": "[Required] Name of the role", "in": "path", "schema": { "type": "string" @@ -43107,19 +42685,19 @@ "required": true }, { - "name": "transform_mount_path", + "name": "ssh_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "transform" + "default": "ssh" }, "required": true } ], - "x-vault-createSupported": true, "post": { - "operationId": "transform-decode-with-format", + "summary": "Creates a credential for establishing SSH connection with the remote host.", + "operationId": "ssh-generate-credentials", "tags": [ "secrets" ], @@ -43128,7 +42706,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransformDecodeWithFormatRequest" + "$ref": "#/components/schemas/SshGenerateCredentialsRequest" } } } 
@@ -43140,12 +42718,12 @@ } } }, - "/{transform_mount_path}/encode/{role_name}": { - "description": "Encode a provided value using the specified transformation.", + "/{ssh_mount_path}/issue/{role}": { + "description": "Request a certificate using a certain role with the provided details.", "parameters": [ { - "name": "role_name", - "description": "The name of the role.", + "name": "role", + "description": "The desired role with configuration for this request.", "in": "path", "schema": { "type": "string" @@ -43153,19 +42731,18 @@ "required": true }, { - "name": "transform_mount_path", + "name": "ssh_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "transform" + "default": "ssh" }, "required": true } ], - "x-vault-createSupported": true, "post": { - "operationId": "transform-encode", + "operationId": "ssh-issue-certificate", "tags": [ "secrets" ], @@ -43174,7 +42751,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransformEncodeRequest" + "$ref": "#/components/schemas/SshIssueCertificateRequest" } } } @@ -43186,31 +42763,23 @@ } } }, - "/{transform_mount_path}/metadata/{role_name}": { - "description": "Retrieve metadata associated with the token.", + "/{ssh_mount_path}/lookup": { + "description": "List all the roles associated with the given IP address.", "parameters": [ { - "name": "role_name", - "description": "The name of the role.", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "transform_mount_path", + "name": "ssh_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "transform" + "default": "ssh" }, "required": true } ], "post": { - "operationId": "transform-retrieve-token-metadata", + "summary": "List all the roles associated with the given IP address.", + "operationId": "ssh-list-roles-by-ip", "tags": [ "secrets" ], 
@@ -43219,7 +42788,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransformRetrieveTokenMetadataRequest" + "$ref": "#/components/schemas/SshListRolesByIpRequest" } } } @@ -43231,22 +42800,50 @@ } } }, - "/{transform_mount_path}/role/": { - "description": "List the existing roles in this backend.", + "/{ssh_mount_path}/public_key": { + "description": "Retrieve the public key.", "parameters": [ { - "name": "transform_mount_path", + "name": "ssh_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "transform" + "default": "ssh" }, "required": true } ], + "x-vault-unauthenticated": true, "get": { - "operationId": "transform-list-roles", + "summary": "Retrieve the public key.", + "operationId": "ssh-read-public-key", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{ssh_mount_path}/roles/": { + "description": "Manage the 'roles' that can be created with this backend.", + "parameters": [ + { + "name": "ssh_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "ssh" + }, + "required": true + } + ], + "get": { + "operationId": "ssh-list-roles", "tags": [ "secrets" ], @@ -43270,7 +42867,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/StandardListResponse" + "$ref": "#/components/schemas/SshListRolesResponse" } } } @@ -43278,12 +42875,12 @@ } } }, - "/{transform_mount_path}/role/{name}": { - "description": "Read, write, and delete roles.", + "/{ssh_mount_path}/roles/{role}": { + "description": "Manage the 'roles' that can be created with this backend.", "parameters": [ { - "name": "name", - "description": "The name of the role.", + "name": "role", + "description": "[Required for all types] Name of the role being created.", "in": "path", "schema": { "type": "string" 
@@ -43291,19 +42888,19 @@ "required": true }, { - "name": "transform_mount_path", + "name": "ssh_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "transform" + "default": "ssh" }, "required": true } ], - "x-vault-createSupported": true, "get": { - "operationId": "transform-read-role", + "summary": "Manage the 'roles' that can be created with this backend.", + "operationId": "ssh-read-role", "tags": [ "secrets" ], @@ -43314,7 +42911,8 @@ } }, "post": { - "operationId": "transform-write-role", + "summary": "Manage the 'roles' that can be created with this backend.", + "operationId": "ssh-write-role", "tags": [ "secrets" ], @@ -43323,7 +42921,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransformWriteRoleRequest" + "$ref": "#/components/schemas/SshWriteRoleRequest" } } } @@ -43335,7 +42933,8 @@ } }, "delete": { - "operationId": "transform-delete-role", + "summary": "Manage the 'roles' that can be created with this backend.", + "operationId": "ssh-delete-role", "tags": [ "secrets" ], 
@@ -43346,78 +42945,134 @@ } } }, - "/{transform_mount_path}/stores/": { + "/{ssh_mount_path}/sign/{role}": { + "description": "Request signing an SSH key using a certain role with the provided details.", "parameters": [ { - "name": "transform_mount_path", + "name": "role", + "description": "The desired role with configuration for this request.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "ssh_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "transform" + "default": "ssh" }, "required": true } ], - "get": { - "operationId": "transform-list-stores", + "post": { + "summary": "Request signing an SSH key using a certain role with the provided details.", + "operationId": "ssh-sign-certificate", "tags": [ "secrets" ], - "parameters": [ - { - "name": "list", - "description": "Must be set to `true`", - "in": "query", - "schema": { - "type": "string", - "enum": [ - "true" - ] - }, - "required": true + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/SshSignCertificateRequest" + } + } } - ], + }, "responses": { "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/StandardListResponse" - } - } - } + "description": "OK" } } } }, - "/{transform_mount_path}/stores/{name}": { - "description": "Read, write, and delete transform stores.", + "/{ssh_mount_path}/tidy/dynamic-keys": { + "description": "This endpoint removes the stored host keys used for the removed Dynamic Key feature, if present.", "parameters": [ { - "name": "name", - "description": "The name of the store.", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "transform_mount_path", + "name": "ssh_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": 
"transform" + "default": "ssh" }, "required": true } ], - "x-vault-createSupported": true, - "get": { - "operationId": "transform-read-store", + "delete": { + "summary": "This endpoint removes the stored host keys used for the removed Dynamic Key feature, if present.", + "operationId": "ssh-tidy-dynamic-host-keys", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{ssh_mount_path}/verify": { + "description": "Validate the OTP provided by Vault SSH Agent.", + "parameters": [ + { + "name": "ssh_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "ssh" + }, + "required": true + } + ], + "x-vault-unauthenticated": true, + "post": { + "summary": "Validate the OTP provided by Vault SSH Agent.", + "operationId": "ssh-verify-otp", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/SshVerifyOtpRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{terraform_mount_path}/config": { + "description": "Configure the Terraform Cloud / Enterprise backend.", + "parameters": [ + { + "name": "terraform_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "terraform" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "get": { + "operationId": "terraform-cloud-read-configuration", "tags": [ "secrets" ], @@ -43428,7 +43083,7 @@ } }, "post": { - "operationId": "transform-write-store", + "operationId": "terraform-cloud-configure", "tags": [ "secrets" ], @@ -43437,7 +43092,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransformWriteStoreRequest" + "$ref": "#/components/schemas/TerraformCloudConfigureRequest" } } } 
@@ -43449,7 +43104,7 @@ } }, "delete": { - "operationId": "transform-delete-store", + "operationId": "terraform-cloud-delete-configuration", "tags": [ "secrets" ], @@ -43460,11 +43115,12 @@ } } }, - "/{transform_mount_path}/stores/{name}/schema": { + "/{terraform_mount_path}/creds/{name}": { + "description": "Generate a Terraform Cloud or Enterprise API token from a specific Vault role.", "parameters": [ { "name": "name", - "description": "The name of the store.", + "description": "Name of the role", "in": "path", "schema": { "type": "string" @@ -43472,31 +43128,32 @@ "required": true }, { - "name": "transform_mount_path", + "name": "terraform_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "transform" + "default": "terraform" }, "required": true } ], - "post": { - "operationId": "transform-apply-store-schema", + "get": { + "operationId": "terraform-cloud-generate-credentials", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/TransformApplyStoreSchemaRequest" - } - } + "responses": { + "200": { + "description": "OK" } - }, + } + }, + "post": { + "operationId": "terraform-cloud-generate-credentials2", + "tags": [ + "secrets" + ], "responses": { "200": { "description": "OK" 
@@ -43504,22 +43161,22 @@ } } }, - "/{transform_mount_path}/template/": { - "description": "List the existing templates in this backend.", + "/{terraform_mount_path}/role/": { + "description": "List the existing roles in Terraform Cloud / Enterprise backend", "parameters": [ { - "name": "transform_mount_path", + "name": "terraform_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "transform" + "default": "terraform" }, "required": true } ], "get": { - "operationId": "transform-list-templates", + "operationId": "terraform-cloud-list-roles", "tags": [ "secrets" ], @@ -43551,12 +43208,12 @@ } } }, - "/{transform_mount_path}/template/{name}": { - "description": "Read, write, and delete templates.", + "/{terraform_mount_path}/role/{name}": { + "description": "Manages the Vault role for generating Terraform Cloud / Enterprise tokens.", "parameters": [ { "name": "name", - "description": "The name of the template.", + "description": "Name of the role", "in": "path", "schema": { "type": "string" @@ -43564,19 +43221,18 @@ "required": true }, { - "name": "transform_mount_path", + "name": "terraform_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "transform" + "default": "terraform" }, "required": true } ], - "x-vault-createSupported": true, "get": { - "operationId": "transform-read-template", + "operationId": "terraform-cloud-read-role", "tags": [ "secrets" ], @@ -43587,7 +43243,7 @@ } }, "post": { - "operationId": "transform-write-template", + "operationId": "terraform-cloud-write-role", "tags": [ "secrets" ], @@ -43596,7 +43252,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransformWriteTemplateRequest" + "$ref": "#/components/schemas/TerraformCloudWriteRoleRequest" } } } 
@@ -43608,7 +43264,7 @@ } }, "delete": { - "operationId": "transform-delete-template", + "operationId": "terraform-cloud-delete-role", "tags": [ "secrets" ], @@ -43619,60 +43275,12 @@ } } }, - "/{transform_mount_path}/tokenization/keys/": { - "description": "Managed named encryption keys", - "parameters": [ - { - "name": "transform_mount_path", - "description": "Path that the backend was mounted at", - "in": "path", - "schema": { - "type": "string", - "default": "transform" - }, - "required": true - } - ], - "get": { - "summary": "Managed named encryption keys", - "operationId": "transform-list-tokenization-keys", - "tags": [ - "secrets" - ], - "parameters": [ - { - "name": "list", - "description": "Must be set to `true`", - "in": "query", - "schema": { - "type": "string", - "enum": [ - "true" - ] - }, - "required": true - } - ], - "responses": { - "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/StandardListResponse" - } - } - } - } - } - } - }, - "/{transform_mount_path}/tokenization/keys/{name}": { - "description": "Managed named encryption keys", + "/{terraform_mount_path}/rotate-role/{name}": { + "description": "Request to rotate the credentials for a team or organization.", "parameters": [ { "name": "name", - "description": "Name of the transform", + "description": "Name of the team or organization role", "in": "path", "schema": { "type": "string" @@ -43680,19 +43288,18 @@ "required": true }, { - "name": "transform_mount_path", + "name": "terraform_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "transform" + "default": "terraform" }, "required": true } ], - "get": { - "summary": "Managed named encryption keys", - "operationId": "transform-read-tokenization-key", + "post": { + "operationId": "terraform-cloud-rotate-role", "tags": [ "secrets" ], 
@@ -43703,12 +43310,12 @@ } } }, - "/{transform_mount_path}/tokenization/keys/{name}/config": { - "description": "Configure a named encryption key", + "/{totp_mount_path}/code/{name}": { + "description": "Request time-based one-time use password or validate a password for a certain key .", "parameters": [ { "name": "name", - "description": "Name of the transform", + "description": "Name of the key.", "in": "path", "schema": { "type": "string" @@ -43716,19 +43323,29 @@ "required": true }, { - "name": "transform_mount_path", + "name": "totp_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "transform" + "default": "totp" }, "required": true } ], + "get": { + "operationId": "totp-generate-code", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, "post": { - "summary": "Configure a named encryption key", - "operationId": "transform-configure-named-encryption-key", + "operationId": "totp-validate-code", "tags": [ "secrets" ], @@ -43737,7 +43354,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransformConfigureNamedEncryptionKeyRequest" + "$ref": "#/components/schemas/TotpValidateCodeRequest" } } } 
@@ -43749,94 +43366,60 @@ } } }, - "/{transform_mount_path}/tokenization/keys/{name}/rotate": { - "description": "Rotate key used for tokenization", + "/{totp_mount_path}/keys/": { + "description": "Manage the keys that can be created with this backend.", "parameters": [ { - "name": "name", - "description": "Name of the transformation", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "transform_mount_path", + "name": "totp_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "transform" + "default": "totp" }, "required": true } ], - "post": { - "summary": "Rotate key used for tokenization", - "operationId": "transform-rotate-tokenization-key", + "get": { + "summary": "Manage the keys that can be created with this backend.", + "operationId": "totp-list-keys", "tags": [ "secrets" ], - "responses": { - "200": { - "description": "OK" - } - } - } - }, - "/{transform_mount_path}/tokenization/keys/{name}/trim": { - "description": "Trim key versions of a named key", - "parameters": [ - { - "name": "name", - "description": "Name of the transformation", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "transform_mount_path", - "description": "Path that the backend was mounted at", - "in": "path", - "schema": { - "type": "string", - "default": "transform" - }, - "required": true - } - ], - "post": { - "summary": "Trim key versions of a named key", - "operationId": "transform-trim-key-versions", - "tags": [ - "secrets" - ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/TransformTrimKeyVersionsRequest" - } - } + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true } - }, + ], "responses": { "200": { - "description": "OK" 
+ "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } } } } }, - "/{transform_mount_path}/tokenized/{role_name}": { - "description": "Check if the supplied value was tokenized, given that the token is still not expired.", + "/{totp_mount_path}/keys/{name}": { + "description": "Manage the keys that can be created with this backend.", "parameters": [ { - "name": "role_name", - "description": "The name of the role.", + "name": "name", + "description": "Name of the key.", "in": "path", "schema": { "type": "string" 
@@ -43844,74 +43427,29 @@ "required": true }, { - "name": "transform_mount_path", + "name": "totp_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "transform" + "default": "totp" }, "required": true } ], - "post": { - "operationId": "transform-check-tokenized", + "get": { + "operationId": "totp-read-key", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/TransformCheckTokenizedRequest" - } - } - } - }, "responses": { "200": { "description": "OK" } } }, - "delete": { - "operationId": "transform-check-tokenized", - "tags": [ - "secrets" - ], - "responses": { - "204": { - "description": "empty body" - } - } - } - }, - "/{transform_mount_path}/tokens/{role_name}": { - "description": "Lookup the token by plaintext and optionally expiration.", - "parameters": [ - { - "name": "role_name", - "description": "The name of the role.", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "transform_mount_path", - "description": "Path that the backend was mounted at", - "in": "path", - "schema": { - "type": "string", - "default": "transform" - }, - "required": true - } - ], "post": { - "operationId": "transform-look-up-token", + "operationId": "totp-create-key", "tags": [ "secrets" ], @@ -43920,7 +43458,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransformLookUpTokenRequest" + "$ref": "#/components/schemas/TotpCreateKeyRequest" } } } @@ -43932,7 +43470,7 @@ } }, "delete": { - "operationId": "transform-look-up-token", + "operationId": "totp-delete-key", "tags": [ "secrets" ], @@ -43943,7 +43481,8 @@ } } }, - "/{transform_mount_path}/transformation/": { + "/{transform_mount_path}/alphabet/": { + "description": "List the existing alphabets in this secret engine.", "parameters": [ { "name": "transform_mount_path", 
@@ -43957,7 +43496,7 @@ } ], "get": { - "operationId": "transform-list-transformations", + "operationId": "transform-list-alphabets", "tags": [ "secrets" ], @@ -43989,12 +43528,12 @@ } } }, - "/{transform_mount_path}/transformation/{name}": { - "description": "Read, write, and delete transformations", + "/{transform_mount_path}/alphabet/{name}": { + "description": "Read, write, and delete alphabets.", "parameters": [ { "name": "name", - "description": "The name of the transformation.", + "description": "The name of the alphabet.", "in": "path", "schema": { "type": "string" @@ -44014,7 +43553,7 @@ ], "x-vault-createSupported": true, "get": { - "operationId": "transform-read-transformation", + "operationId": "transform-read-alphabet", "tags": [ "secrets" ], @@ -44025,7 +43564,7 @@ } }, "post": { - "operationId": "transform-write-transformation", + "operationId": "transform-write-alphabet", "tags": [ "secrets" ], @@ -44034,7 +43573,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransformWriteTransformationRequest" + "$ref": "#/components/schemas/TransformWriteAlphabetRequest" } } } @@ -44046,7 +43585,7 @@ } }, "delete": { - "operationId": "transform-delete-transformation", + "operationId": "transform-delete-alphabet", "tags": [ "secrets" ], @@ -44057,7 +43596,8 @@ } } }, - "/{transform_mount_path}/transformations/fpe/": { + "/{transform_mount_path}/cache-config": { + "description": "Configure caching strategy", "parameters": [ { "name": "transform_mount_path", 
@@ -44071,44 +43611,46 @@ } ], "get": { - "operationId": "transform-list-fpe-transformations", + "summary": "Returns the size of the active cache", + "operationId": "transform-read-cache-configuration", "tags": [ "secrets" ], - "parameters": [ - { - "name": "list", - "description": "Must be set to `true`", - "in": "query", - "schema": { - "type": "string", - "enum": [ - "true" - ] - }, - "required": true - } - ], "responses": { "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/StandardListResponse" - } + "description": "OK" + } + } + }, + "post": { + "summary": "Configures a new cache of the specified size", + "operationId": "transform-configure-cache", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransformConfigureCacheRequest" } } } + }, + "responses": { + "200": { + "description": "OK" + } } } }, - "/{transform_mount_path}/transformations/fpe/{name}": { - "description": "Read, write, and delete 'fpe' transformations.", + "/{transform_mount_path}/decode/{role_name}": { + "description": "Decode a provided value using the specified transformation.", "parameters": [ { - "name": "name", - "description": "The name of the transformation.", + "name": "role_name", + "description": "The name of the role.", "in": "path", "schema": { "type": "string" @@ -44127,19 +43669,8 @@ } ], "x-vault-createSupported": true, - "get": { - "operationId": "transform-read-fpe-transformation", - "tags": [ - "secrets" - ], - "responses": { - "200": { - "description": "OK" - } - } - }, "post": { - "operationId": "transform-write-fpe-transformation", + "operationId": "transform-decode", "tags": [ "secrets" ], @@ -44148,7 +43679,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransformWriteFpeTransformationRequest" + "$ref": "#/components/schemas/TransformDecodeRequest" } } } 
@@ -44158,25 +43689,23 @@ "description": "OK" } } - }, - "delete": { - "operationId": "transform-delete-fpe-transformation", - "tags": [ - "secrets" - ], - "responses": { - "204": { - "description": "empty body" - } - } } }, - "/{transform_mount_path}/transformations/fpe/{name}/import": { - "description": "Create 'fpe' transformations with imported keys.", + "/{transform_mount_path}/decode/{role_name}/{decode_format}": { + "description": "Decode a provided value using the specified transformation.", "parameters": [ { - "name": "name", - "description": "The name of the transformation.", + "name": "decode_format", + "description": "The name of the decode format to use for decoding. If one is not specified, the template's pattern will be used. Only applicable for FPE transformations.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "role_name", + "description": "The name of the role.", "in": "path", "schema": { "type": "string" @@ -44196,7 +43725,7 @@ ], "x-vault-createSupported": true, "post": { - "operationId": "transform-create-fpe-transformation-with-imported-keys", + "operationId": "transform-decode-with-format", "tags": [ "secrets" ], @@ -44205,7 +43734,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransformCreateFpeTransformationWithImportedKeysRequest" + "$ref": "#/components/schemas/TransformDecodeWithFormatRequest" } } } 
@@ -44217,21 +43746,113 @@ } } }, - "/{transform_mount_path}/transformations/masking/": { + "/{transform_mount_path}/encode/{role_name}": { + "description": "Encode a provided value using the specified transformation.", "parameters": [ { - "name": "transform_mount_path", - "description": "Path that the backend was mounted at", + "name": "role_name", + "description": "The name of the role.", "in": "path", "schema": { - "type": "string", - "default": "transform" + "type": "string" + }, + "required": true + }, + { + "name": "transform_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transform" + }, + "required": true + } + ], + "x-vault-createSupported": true, + "post": { + "operationId": "transform-encode", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransformEncodeRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transform_mount_path}/metadata/{role_name}": { + "description": "Retrieve metadata associated with the token.", + "parameters": [ + { + "name": "role_name", + "description": "The name of the role.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transform_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transform" + }, + "required": true + } + ], + "post": { + "operationId": "transform-retrieve-token-metadata", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransformRetrieveTokenMetadataRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transform_mount_path}/role/": { + "description": "List the existing roles in this backend.", + 
"parameters": [ + { + "name": "transform_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transform" }, "required": true } ], "get": { - "operationId": "transform-list-masking-transformations", + "operationId": "transform-list-roles", "tags": [ "secrets" ], @@ -44263,12 +43884,12 @@ } } }, - "/{transform_mount_path}/transformations/masking/{name}": { - "description": "Read, write, and delete 'masking' transformations.", + "/{transform_mount_path}/role/{name}": { + "description": "Read, write, and delete roles.", "parameters": [ { "name": "name", - "description": "The name of the transformation.", + "description": "The name of the role.", "in": "path", "schema": { "type": "string" @@ -44288,7 +43909,7 @@ ], "x-vault-createSupported": true, "get": { - "operationId": "transform-read-masking-transformation", + "operationId": "transform-read-role", "tags": [ "secrets" ], @@ -44299,7 +43920,7 @@ } }, "post": { - "operationId": "transform-write-masking-transformation", + "operationId": "transform-write-role", "tags": [ "secrets" ], @@ -44308,7 +43929,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransformWriteMaskingTransformationRequest" + "$ref": "#/components/schemas/TransformWriteRoleRequest" } } } @@ -44320,7 +43941,7 @@ } }, "delete": { - "operationId": "transform-delete-masking-transformation", + "operationId": "transform-delete-role", "tags": [ "secrets" ], @@ -44331,7 +43952,7 @@ } } }, - "/{transform_mount_path}/transformations/tokenization/": { + "/{transform_mount_path}/stores/": { "parameters": [ { "name": "transform_mount_path", @@ -44345,7 +43966,7 @@ } ], "get": { - "operationId": "transform-list-tokenization-transformations", + "operationId": "transform-list-stores", "tags": [ "secrets" ], 
@@ -44377,12 +43998,12 @@ } } }, - "/{transform_mount_path}/transformations/tokenization/export-decoded/{name}": { - "description": "Export decoded tokens and their original values.", + "/{transform_mount_path}/stores/{name}": { + "description": "Read, write, and delete transform stores.", "parameters": [ { "name": "name", - "description": "The name of the transformation.", + "description": "The name of the store.", "in": "path", "schema": { "type": "string" @@ -44400,9 +44021,20 @@ "required": true } ], - "x-vault-sudo": true, + "x-vault-createSupported": true, + "get": { + "operationId": "transform-read-store", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, "post": { - "operationId": "transform-export-decoded-tokenization-tokens", + "operationId": "transform-write-store", "tags": [ "secrets" ], @@ -44411,7 +44043,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransformExportDecodedTokenizationTokensRequest" + "$ref": "#/components/schemas/TransformWriteStoreRequest" } } } @@ -44421,14 +44053,24 @@ "description": "OK" } } + }, + "delete": { + "operationId": "transform-delete-store", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } } }, - "/{transform_mount_path}/transformations/tokenization/restore/{name}": { - "description": "Restore tokenization state.", + "/{transform_mount_path}/stores/{name}/schema": { "parameters": [ { "name": "name", - "description": "The name of the transformation.", + "description": "The name of the store.", "in": "path", "schema": { "type": "string" @@ -44447,7 +44089,7 @@ } ], "post": { - "operationId": "transform-restore-tokenization-state", + "operationId": "transform-apply-store-schema", "tags": [ "secrets" ], 
@@ -44456,7 +44098,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransformRestoreTokenizationStateRequest" + "$ref": "#/components/schemas/TransformApplyStoreSchemaRequest" } } } @@ -44468,18 +44110,9 @@ } } }, - "/{transform_mount_path}/transformations/tokenization/snapshot/{name}": { - "description": "Snapshot current tokenization state.", + "/{transform_mount_path}/template/": { + "description": "List the existing templates in this backend.", "parameters": [ - { - "name": "name", - "description": "The name of the transformation.", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "transform_mount_path", "description": "Path that the backend was mounted at", @@ -44491,34 +44124,45 @@ "required": true } ], - "post": { - "operationId": "transform-snapshot-tokenization-state", + "get": { + "operationId": "transform-list-templates", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/TransformSnapshotTokenizationStateRequest" - } - } + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true } - }, + ], "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } } } } }, - "/{transform_mount_path}/transformations/tokenization/{name}": { - "description": "Read, write, and delete 'tokenization' transformations.", + "/{transform_mount_path}/template/{name}": { + "description": "Read, write, and delete templates.", "parameters": [ { "name": "name", - "description": "The name of the transformation.", + "description": "The name of the template.", "in": "path", "schema": { "type": "string" 
@@ -44538,7 +44182,7 @@ ], "x-vault-createSupported": true, "get": { - "operationId": "transform-read-tokenization-transformation", + "operationId": "transform-read-template", "tags": [ "secrets" ], @@ -44549,7 +44193,7 @@ } }, "post": { - "operationId": "transform-write-tokenization-transformation", + "operationId": "transform-write-template", "tags": [ "secrets" ], @@ -44558,7 +44202,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransformWriteTokenizationTransformationRequest" + "$ref": "#/components/schemas/TransformWriteTemplateRequest" } } } @@ -44570,7 +44214,7 @@ } }, "delete": { - "operationId": "transform-delete-tokenization-transformation", + "operationId": "transform-delete-template", "tags": [ "secrets" ], @@ -44581,18 +44225,9 @@ } } }, - "/{transform_mount_path}/transformations/tokenization/{name}/import": { - "description": "Create 'tokenization' transformations with imported keys.", + "/{transform_mount_path}/tokenization/keys/": { + "description": "Managed named encryption keys", "parameters": [ - { - "name": "name", - "description": "The name of the transformation.", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "transform_mount_path", "description": "Path that the backend was mounted at", 
@@ -44604,35 +44239,46 @@ "required": true } ], - "x-vault-createSupported": true, - "post": { - "operationId": "transform-create-tokenization-transformation-with-imported-keys", + "get": { + "summary": "Managed named encryption keys", + "operationId": "transform-list-tokenization-keys", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/TransformCreateTokenizationTransformationWithImportedKeysRequest" - } - } - } - }, - "responses": { - "200": { - "description": "OK" - } - } - } - }, - "/{transform_mount_path}/transformations/tokenization/{name}/import_version": { - "description": "Import a new key version into a 'tokenization transformation' with an imported key.", + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } + } + } + } + }, + "/{transform_mount_path}/tokenization/keys/{name}": { + "description": "Managed named encryption keys", "parameters": [ { "name": "name", - "description": "The name of the transformation.", + "description": "Name of the transform", "in": "path", "schema": { "type": "string" @@ -44650,21 +44296,12 @@ "required": true } ], - "post": { - "operationId": "transform-import-key-version-into-tokenization-transformation", + "get": { + "summary": "Managed named encryption keys", + "operationId": "transform-read-tokenization-key", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/TransformImportKeyVersionIntoTokenizationTransformationRequest" - } - } - } - }, "responses": { "200": { "description": "OK" 
@@ -44672,12 +44309,12 @@ } } }, - "/{transform_mount_path}/validate/{role_name}": { - "description": "Check if the supplied token is still valid or not.", + "/{transform_mount_path}/tokenization/keys/{name}/config": { + "description": "Configure a named encryption key", "parameters": [ { - "name": "role_name", - "description": "The name of the role.", + "name": "name", + "description": "Name of the transform", "in": "path", "schema": { "type": "string" @@ -44696,7 +44333,8 @@ } ], "post": { - "operationId": "transform-validate-token", + "summary": "Configure a named encryption key", + "operationId": "transform-configure-named-encryption-key", "tags": [ "secrets" ], @@ -44705,7 +44343,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransformValidateTokenRequest" + "$ref": "#/components/schemas/TransformConfigureNamedEncryptionKeyRequest" } } } @@ -44717,39 +44355,12 @@ } } }, - "/{transform_mount_path}/wrapping_key": { - "description": "Returns the public key to use for wrapping imported keys", - "parameters": [ - { - "name": "transform_mount_path", - "description": "Path that the backend was mounted at", - "in": "path", - "schema": { - "type": "string", - "default": "transform" - }, - "required": true - } - ], - "get": { - "summary": "Returns the public key to use for wrapping imported keys", - "operationId": "transform-retrieve-wrapping-key", - "tags": [ - "secrets" - ], - "responses": { - "200": { - "description": "OK" - } - } - } - }, - "/{transit_mount_path}/backup/{name}": { - "description": "Backup the named key", + "/{transform_mount_path}/tokenization/keys/{name}/rotate": { + "description": "Rotate key used for tokenization", "parameters": [ { "name": "name", - "description": "Name of the key", + "description": "Name of the transformation", "in": "path", "schema": { "type": "string" 
@@ -44757,19 +44368,19 @@ "required": true }, { - "name": "transit_mount_path", + "name": "transform_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "transit" + "default": "transform" }, "required": true } ], - "get": { - "summary": "Backup the named key", - "operationId": "transit-back-up-key", + "post": { + "summary": "Rotate key used for tokenization", + "operationId": "transform-rotate-tokenization-key", "tags": [ "secrets" ], @@ -44780,21 +44391,12 @@ } } }, - "/{transit_mount_path}/byok-export/{destination}/{source}": { - "description": "Securely export named encryption or signing key", + "/{transform_mount_path}/tokenization/keys/{name}/trim": { + "description": "Trim key versions of a named key", "parameters": [ { - "name": "destination", - "description": "Destination key to export to; usually the public wrapping key of another Transit instance.", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "source", - "description": "Source key to export; could be any present key within Transit.", + "name": "name", + "description": "Name of the transformation", "in": "path", "schema": { "type": "string" @@ -44802,22 +44404,32 @@ "required": true }, { - "name": "transit_mount_path", + "name": "transform_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "transit" + "default": "transform" }, "required": true } ], - "get": { - "summary": "Securely export named encryption or signing key", - "operationId": "transit-byok-key", + "post": { + "summary": "Trim key versions of a named key", + "operationId": "transform-trim-key-versions", "tags": [ "secrets" ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransformTrimKeyVersionsRequest" + } + } + } + }, "responses": { "200": { "description": "OK" 
@@ -44825,30 +44437,12 @@
 }
 }
 },
- "/{transit_mount_path}/byok-export/{destination}/{source}/{version}": {
- "description": "Securely export named encryption or signing key",
+ "/{transform_mount_path}/tokenized/{role_name}": {
+ "description": "Check if the supplied value was tokenized, given that the token is still not expired.",
 "parameters": [
 {
- "name": "destination",
- "description": "Destination key to export to; usually the public wrapping key of another Transit instance.",
- "in": "path",
- "schema": {
- "type": "string"
- },
- "required": true
- },
- {
- "name": "source",
- "description": "Source key to export; could be any present key within Transit.",
- "in": "path",
- "schema": {
- "type": "string"
- },
- "required": true
- },
- {
- "name": "version",
- "description": "Optional version of the key to export, else all key versions are exported.",
+ "name": "role_name",
+ "description": "The name of the role.",
 "in": "path",
 "schema": {
 "type": "string"
@@ -44856,58 +44450,18 @@ "required": true }, { - "name": "transit_mount_path", - "description": "Path that the backend was mounted at", - "in": "path", - "schema": { - "type": "string", - "default": "transit" - }, - "required": true - } - ], - "get": { - "summary": "Securely export named encryption or signing key", - "operationId": "transit-byok-key-version", - "tags": [ - "secrets" - ], - "responses": { - "200": { - "description": "OK" - } - } - } - }, - "/{transit_mount_path}/cache-config": { - "description": "Configure caching strategy", - "parameters": [ - { - "name": "transit_mount_path", + "name": "transform_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "transit" + "default": "transform" }, "required": true } ], - "get": { - "summary": "Returns the size of the active cache", - "operationId": "transit-read-cache-configuration", - "tags": [ - "secrets" - ], - "responses": { - "200": { - "description": "OK" - } - } - }, "post": { - "summary": "Configures a new cache of the specified size", - "operationId": "transit-configure-cache", + "operationId": "transform-check-tokenized", "tags": [ "secrets" ], @@ -44916,7 +44470,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransitConfigureCacheRequest" + "$ref": "#/components/schemas/TransformCheckTokenizedRequest" } } } 
@@ -44926,14 +44480,25 @@
 "description": "OK"
 }
 }
+ },
+ "delete": {
+ "operationId": "transform-check-tokenized",
+ "tags": [
+ "secrets"
+ ],
+ "responses": {
+ "204": {
+ "description": "empty body"
+ }
+ }
 }
 },
- "/{transit_mount_path}/cmac/{name}": {
- "description": "Generate a CMAC for input data using the named key",
+ "/{transform_mount_path}/tokens/{role_name}": {
+ "description": "Lookup the token by plaintext and optionally expiration.",
 "parameters": [
 {
- "name": "name",
- "description": "The key to use for the CMAC function",
+ "name": "role_name",
+ "description": "The name of the role.",
 "in": "path",
 "schema": {
 "type": "string"
@@ -44941,18 +44506,18 @@
 "required": true
 },
 {
- "name": "transit_mount_path",
+ "name": "transform_mount_path",
 "description": "Path that the backend was mounted at",
 "in": "path",
 "schema": {
 "type": "string",
- "default": "transit"
+ "default": "transform"
 },
 "required": true
 }
 ],
 "post": {
- "operationId": "transit-generate-cmac",
+ "operationId": "transform-look-up-token",
 "tags": [
 "secrets"
 ],
@@ -44961,7 +44526,7 @@
 "content": {
 "application/json": {
 "schema": {
- "$ref": "#/components/schemas/TransitGenerateCmacRequest"
+ "$ref": "#/components/schemas/TransformLookUpTokenRequest"
 }
 }
 }
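Review bot: The new `delete` operation under `/{transform_mount_path}/tokenized/{role_name}` reuses the `operationId` `transform-check-tokenized` that the same path's `post` already carries, and the next hunk repeats the problem with `transform-look-up-token` on `/{transform_mount_path}/tokens/{role_name}`; OpenAPI requires `operationId` to be unique across the document, so client generators will either reject the spec or let one method overwrite the other. Every other `delete` visible in this diff follows a `transform-delete-…` naming, so the two outliers look like the generator falling back to the path's existing id when the delete handler has no display name of its own — worth confirming against the backend path definitions rather than hand-editing the JSON, since the commit subject says the file is auto-generated. Fixed output would be along the lines of `"operationId": "transform-delete-tokenized"` and `"operationId": "transform-delete-token"` (constructed names following the existing pattern).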
@@ -44971,78 +44536,91 @@ "description": "OK" } } + }, + "delete": { + "operationId": "transform-look-up-token", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } } }, - "/{transit_mount_path}/cmac/{name}/{url_mac_length}": { - "description": "Generate a CMAC for input data using the named key", + "/{transform_mount_path}/transformation/": { "parameters": [ { - "name": "name", - "description": "The key to use for the CMAC function", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "url_mac_length", - "description": "MAC length to use (POST URL parameter), overrides mac_length", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "transit_mount_path", + "name": "transform_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "transit" + "default": "transform" }, "required": true } ], - "post": { - "operationId": "transit-generate-cmac-with-mac-length", + "get": { + "operationId": "transform-list-transformations", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/TransitGenerateCmacWithMacLengthRequest" - } - } + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true } - }, + ], "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } } } } }, - "/{transit_mount_path}/config/keys": { - "description": "Configuration common across all keys", + "/{transform_mount_path}/transformation/{name}": { + "description": "Read, write, and delete transformations", "parameters": [ { - "name": "transit_mount_path", + "name": "name", + 
"description": "The name of the transformation.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transform_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "transit" + "default": "transform" }, "required": true } ], + "x-vault-createSupported": true, "get": { - "operationId": "transit-read-keys-configuration", + "operationId": "transform-read-transformation", "tags": [ "secrets" ], @@ -45053,7 +44631,7 @@ } }, "post": { - "operationId": "transit-configure-keys", + "operationId": "transform-write-transformation", "tags": [ "secrets" ], @@ -45062,7 +44640,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransitConfigureKeysRequest" + "$ref": "#/components/schemas/TransformWriteTransformationRequest" } } } 
@@ -45072,78 +44650,71 @@ "description": "OK" } } + }, + "delete": { + "operationId": "transform-delete-transformation", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } } }, - "/{transit_mount_path}/datakey/{plaintext}/{name}": { - "description": "Generate a data key", + "/{transform_mount_path}/transformations/fpe/": { "parameters": [ { - "name": "name", - "description": "The backend key used for encrypting the data key", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "plaintext", - "description": "\"plaintext\" will return the key in both plaintext and ciphertext; \"wrapped\" will return the ciphertext only.", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "transit_mount_path", + "name": "transform_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "transit" + "default": "transform" }, "required": true } ], - "post": { - "summary": "Generate a data key", - "operationId": "transit-generate-data-key", + "get": { + "operationId": "transform-list-fpe-transformations", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/TransitGenerateDataKeyRequest" - } - } + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true } - }, + ], "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } } } } }, - "/{transit_mount_path}/datakeys/{type}/{name}": { - "description": "Generate multiple data keys", + "/{transform_mount_path}/transformations/fpe/{name}": { + "description": "Read, write, and delete 'fpe' transformations.", 
"parameters": [ { "name": "name", - "description": "The backend key used for encrypting the data key", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "type", - "description": "\"plaintext\" will return the key in both plaintext and ciphertext; \"wrapped\" will return the ciphertext only.", + "description": "The name of the transformation.", "in": "path", "schema": { "type": "string" @@ -45151,19 +44722,30 @@ "required": true }, { - "name": "transit_mount_path", + "name": "transform_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "transit" + "default": "transform" }, "required": true } ], + "x-vault-createSupported": true, + "get": { + "operationId": "transform-read-fpe-transformation", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, "post": { - "summary": "Generate multiple data keys", - "operationId": "transit-generate-data-key", + "operationId": "transform-write-fpe-transformation", "tags": [ "secrets" ], @@ -45172,7 +44754,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransitGenerateDataKeyRequest" + "$ref": "#/components/schemas/TransformWriteFpeTransformationRequest" } } } @@ -45182,14 +44764,25 @@ "description": "OK" } } + }, + "delete": { + "operationId": "transform-delete-fpe-transformation", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } } }, - "/{transit_mount_path}/decrypt/{name}": { - "description": "Decrypt a ciphertext value using a named key", + "/{transform_mount_path}/transformations/fpe/{name}/import": { + "description": "Create 'fpe' transformations with imported keys.", "parameters": [ { "name": "name", - "description": "Name of the key", + "description": "The name of the transformation.", "in": "path", "schema": { "type": "string" 
@@ -45197,19 +44790,19 @@
 "required": true
 },
 {
- "name": "transit_mount_path",
+ "name": "transform_mount_path",
 "description": "Path that the backend was mounted at",
 "in": "path",
 "schema": {
 "type": "string",
- "default": "transit"
+ "default": "transform"
 },
 "required": true
 }
 ],
+ "x-vault-createSupported": true,
 "post": {
- "summary": "Decrypt a ciphertext value using a named key",
- "operationId": "transit-decrypt",
+ "operationId": "transform-create-fpe-transformation-with-imported-keys",
 "tags": [
 "secrets"
 ],
@@ -45218,7 +44811,7 @@
 "content": {
 "application/json": {
 "schema": {
- "$ref": "#/components/schemas/TransitDecryptRequest"
+ "$ref": "#/components/schemas/TransformCreateFpeTransformationWithImportedKeysRequest"
 }
 }
 }
@@ -45230,67 +44823,58 @@ } } }, - "/{transit_mount_path}/derivedkeys/{type}/{name}": { - "description": "Generate data keys derived from the named key's HMAC key using the provided salt, info, and indices'", + "/{transform_mount_path}/transformations/masking/": { "parameters": [ { - "name": "name", - "description": "The backend key used for encrypting the data key", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "type", - "description": "\"plaintext\" will return the key in both plaintext and ciphertext; \"wrapped\" will return the ciphertext only.", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "transit_mount_path", + "name": "transform_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "transit" + "default": "transform" }, "required": true } ], - "post": { - "summary": "Generate data keys derived from the named key's HMAC key\nusing the provided salt, info, and indices'", - "operationId": "transit-generate-derivedkeys", + "get": { + "operationId": "transform-list-masking-transformations", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/TransitGenerateDerivedkeysRequest" - } - } - } - }, - "responses": { + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], + "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } } } } }, - "/{transit_mount_path}/encrypt/{name}": { - "description": "Encrypt a plaintext value or a batch of plaintext blocks using a named key", + "/{transform_mount_path}/transformations/masking/{name}": { + "description": 
"Read, write, and delete 'masking' transformations.", "parameters": [ { "name": "name", - "description": "Name of the key", + "description": "The name of the transformation.", "in": "path", "schema": { "type": "string" @@ -45298,20 +44882,30 @@ "required": true }, { - "name": "transit_mount_path", + "name": "transform_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "transit" + "default": "transform" }, "required": true } ], "x-vault-createSupported": true, + "get": { + "operationId": "transform-read-masking-transformation", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, "post": { - "summary": "Encrypt a plaintext value or a batch of plaintext\nblocks using a named key", - "operationId": "transit-encrypt", + "operationId": "transform-write-masking-transformation", "tags": [ "secrets" ], @@ -45320,7 +44914,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransitEncryptRequest" + "$ref": "#/components/schemas/TransformWriteMaskingTransformationRequest" } } } 
@@ -45330,77 +44924,71 @@ "description": "OK" } } + }, + "delete": { + "operationId": "transform-delete-masking-transformation", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } } }, - "/{transit_mount_path}/export/{type}/{name}": { - "description": "Export named encryption or signing key", + "/{transform_mount_path}/transformations/tokenization/": { "parameters": [ { - "name": "name", - "description": "Name of the key", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "type", - "description": "Type of key to export (encryption-key, signing-key, hmac-key, public-key, cmac-key)", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "transit_mount_path", + "name": "transform_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "transit" + "default": "transform" }, "required": true } ], "get": { - "summary": "Export named encryption or signing key", - "operationId": "transit-export-key", + "operationId": "transform-list-tokenization-transformations", "tags": [ "secrets" ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } } } } }, - "/{transit_mount_path}/export/{type}/{name}/{version}": { - "description": "Export named encryption or signing key", + "/{transform_mount_path}/transformations/tokenization/export-decoded/{name}": { + "description": "Export decoded tokens and their original values.", "parameters": [ { "name": "name", - "description": "Name of the key", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - 
"name": "type", - "description": "Type of key to export (encryption-key, signing-key, hmac-key, public-key, cmac-key)", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "version", - "description": "Version of the key", + "description": "The name of the transformation.", "in": "path", "schema": { "type": "string" @@ -45408,22 +44996,32 @@ "required": true }, { - "name": "transit_mount_path", + "name": "transform_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "transit" + "default": "transform" }, "required": true } ], - "get": { - "summary": "Export named encryption or signing key", - "operationId": "transit-export-key-version", + "x-vault-sudo": true, + "post": { + "operationId": "transform-export-decoded-tokenization-tokens", "tags": [ "secrets" ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransformExportDecodedTokenizationTokensRequest" + } + } + } + }, "responses": { "200": { "description": "OK" @@ -45431,23 +45029,31 @@ } } }, - "/{transit_mount_path}/hash": { - "description": "Generate a hash sum for input data", + "/{transform_mount_path}/transformations/tokenization/restore/{name}": { + "description": "Restore tokenization state.", "parameters": [ { - "name": "transit_mount_path", + "name": "name", + "description": "The name of the transformation.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transform_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "transit" + "default": "transform" }, "required": true } ], "post": { - "summary": "Generate a hash sum for input data", - "operationId": "transit-hash", + "operationId": "transform-restore-tokenization-state", "tags": [ "secrets" ], 
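Review bot: `/{transform_mount_path}/transformations/tokenization/export-decoded/{name}` is marked `"x-vault-sudo": true` but its `description` says only `Export decoded tokens and their original values.`, so documentation rendered by tools that ignore `x-` vendor extensions shows a bulk plaintext-disclosure endpoint with no indication that it is privileged. Because the file appears to be generated (per the commit subject), the wording should come from the backend path definition; something like `"description": "Export decoded tokens and their original values. Requires sudo capability on this path."` would carry the requirement into standard OpenAPI renderers. The same consideration presumably applies to other `x-vault-sudo` paths in the file, which this hunk does not show.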
@@ -45456,7 +45062,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransitHashRequest" + "$ref": "#/components/schemas/TransformRestoreTokenizationStateRequest" } } } @@ -45468,12 +45074,12 @@ } } }, - "/{transit_mount_path}/hash/{urlalgorithm}": { - "description": "Generate a hash sum for input data", + "/{transform_mount_path}/transformations/tokenization/snapshot/{name}": { + "description": "Snapshot current tokenization state.", "parameters": [ { - "name": "urlalgorithm", - "description": "Algorithm to use (POST URL parameter)", + "name": "name", + "description": "The name of the transformation.", "in": "path", "schema": { "type": "string" @@ -45481,19 +45087,18 @@ "required": true }, { - "name": "transit_mount_path", + "name": "transform_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "transit" + "default": "transform" }, "required": true } ], "post": { - "summary": "Generate a hash sum for input data", - "operationId": "transit-hash-with-algorithm", + "operationId": "transform-snapshot-tokenization-state", "tags": [ "secrets" ], @@ -45502,7 +45107,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransitHashWithAlgorithmRequest" + "$ref": "#/components/schemas/TransformSnapshotTokenizationStateRequest" } } } @@ -45514,12 +45119,12 @@ } } }, - "/{transit_mount_path}/hmac/{name}": { - "description": "Generate an HMAC for input data using the named key", + "/{transform_mount_path}/transformations/tokenization/{name}": { + "description": "Read, write, and delete 'tokenization' transformations.", "parameters": [ { "name": "name", - "description": "The key to use for the HMAC function", + "description": "The name of the transformation.", "in": "path", "schema": { "type": "string" 
@@ -45527,19 +45132,30 @@ "required": true }, { - "name": "transit_mount_path", + "name": "transform_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "transit" + "default": "transform" }, "required": true } ], + "x-vault-createSupported": true, + "get": { + "operationId": "transform-read-tokenization-transformation", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, "post": { - "summary": "Generate an HMAC for input data using the named key", - "operationId": "transit-generate-hmac", + "operationId": "transform-write-tokenization-transformation", "tags": [ "secrets" ], @@ -45548,7 +45164,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransitGenerateHmacRequest" + "$ref": "#/components/schemas/TransformWriteTokenizationTransformationRequest" } } } @@ -45558,23 +45174,25 @@ "description": "OK" } } + }, + "delete": { + "operationId": "transform-delete-tokenization-transformation", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } } }, - "/{transit_mount_path}/hmac/{name}/{urlalgorithm}": { - "description": "Generate an HMAC for input data using the named key", + "/{transform_mount_path}/transformations/tokenization/{name}/import": { + "description": "Create 'tokenization' transformations with imported keys.", "parameters": [ { "name": "name", - "description": "The key to use for the HMAC function", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, - { - "name": "urlalgorithm", - "description": "Algorithm to use (POST URL parameter)", + "description": "The name of the transformation.", "in": "path", "schema": { "type": "string" 
@@ -45582,19 +45200,19 @@
 "required": true
 },
 {
- "name": "transit_mount_path",
+ "name": "transform_mount_path",
 "description": "Path that the backend was mounted at",
 "in": "path",
 "schema": {
 "type": "string",
- "default": "transit"
+ "default": "transform"
 },
 "required": true
 }
 ],
+ "x-vault-createSupported": true,
 "post": {
- "summary": "Generate an HMAC for input data using the named key",
- "operationId": "transit-generate-hmac-with-algorithm",
+ "operationId": "transform-create-tokenization-transformation-with-imported-keys",
 "tags": [
 "secrets"
 ],
@@ -45603,7 +45221,7 @@
 "content": {
 "application/json": {
 "schema": {
- "$ref": "#/components/schemas/TransitGenerateHmacWithAlgorithmRequest"
+ "$ref": "#/components/schemas/TransformCreateTokenizationTransformationWithImportedKeysRequest"
 }
 }
 }
@@ -45615,60 +45233,57 @@ } } }, - "/{transit_mount_path}/keys/": { - "description": "Managed named encryption keys", + "/{transform_mount_path}/transformations/tokenization/{name}/import_version": { + "description": "Import a new key version into a 'tokenization transformation' with an imported key.", "parameters": [ { - "name": "transit_mount_path", + "name": "name", + "description": "The name of the transformation.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transform_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "transit" + "default": "transform" }, "required": true } ], - "get": { - "summary": "Managed named encryption keys", - "operationId": "transit-list-keys", + "post": { + "operationId": "transform-import-key-version-into-tokenization-transformation", "tags": [ "secrets" ], - "parameters": [ - { - "name": "list", - "description": "Must be set to `true`", - "in": "query", - "schema": { - "type": "string", - "enum": [ - "true" - ] - }, - "required": true + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransformImportKeyVersionIntoTokenizationTransformationRequest" + } + } } - ], + }, "responses": { "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/StandardListResponse" - } - } - } + "description": "OK" } } } }, - "/{transit_mount_path}/keys/{name}": { - "description": "Managed named encryption keys", + "/{transform_mount_path}/validate/{role_name}": { + "description": "Check if the supplied token is still valid or not.", "parameters": [ { - "name": "name", - "description": "Name of the key.", + "name": "role_name", + "description": "The name of the role.", "in": "path", "schema": { "type": "string" 
@@ -45676,36 +45291,18 @@ "required": true }, { - "name": "transit_mount_path", + "name": "transform_mount_path", "description": "Path that the backend was mounted at", "in": "path", "schema": { "type": "string", - "default": "transit" + "default": "transform" }, "required": true } ], - "get": { - "operationId": "transit-read-key", - "tags": [ - "secrets" - ], - "responses": { - "200": { - "description": "OK", - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/TransitReadKeyResponse" - } - } - } - } - } - }, "post": { - "operationId": "transit-create-key", + "operationId": "transform-validate-token", "tags": [ "secrets" ], @@ -45714,7 +45311,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransitCreateKeyRequest" + "$ref": "#/components/schemas/TransformValidateTokenRequest" } } } @@ -45724,21 +45321,37 @@ "description": "OK" } } - }, - "delete": { - "operationId": "transit-delete-key", + } + }, + "/{transform_mount_path}/wrapping_key": { + "description": "Returns the public key to use for wrapping imported keys", + "parameters": [ + { + "name": "transform_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transform" + }, + "required": true + } + ], + "get": { + "summary": "Returns the public key to use for wrapping imported keys", + "operationId": "transform-retrieve-wrapping-key", "tags": [ "secrets" ], "responses": { - "204": { - "description": "empty body" + "200": { + "description": "OK" } } } }, - "/{transit_mount_path}/keys/{name}/config": { - "description": "Configure a named encryption key", + "/{transit_mount_path}/backup/{name}": { + "description": "Backup the named key", "parameters": [ { "name": "name", 
@@ -45760,22 +45373,12 @@ "required": true } ], - "post": { - "summary": "Configure a named encryption key", - "operationId": "transit-configure-key", + "get": { + "summary": "Backup the named key", + "operationId": "transit-back-up-key", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/TransitConfigureKeyRequest" - } - } - } - }, "responses": { "200": { "description": "OK" @@ -45783,12 +45386,21 @@ } } }, - "/{transit_mount_path}/keys/{name}/csr": { - "description": "Create a CSR from a key in transit", + "/{transit_mount_path}/byok-export/{destination}/{source}": { + "description": "Securely export named encryption or signing key", "parameters": [ { - "name": "name", - "description": "Name of the key", + "name": "destination", + "description": "Destination key to export to; usually the public wrapping key of another Transit instance.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "source", + "description": "Source key to export; could be any present key within Transit.", "in": "path", "schema": { "type": "string" @@ -45806,21 +45418,12 @@ "required": true } ], - "post": { - "operationId": "transit-generate-csr-for-key", + "get": { + "summary": "Securely export named encryption or signing key", + "operationId": "transit-byok-key", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/TransitGenerateCsrForKeyRequest" - } - } - } - }, "responses": { "200": { "description": "OK" 
@@ -45828,12 +45431,30 @@ } } }, - "/{transit_mount_path}/keys/{name}/import": { - "description": "Imports an externally-generated key into a new transit key", + "/{transit_mount_path}/byok-export/{destination}/{source}/{version}": { + "description": "Securely export named encryption or signing key", "parameters": [ { - "name": "name", - "description": "The name of the key", + "name": "destination", + "description": "Destination key to export to; usually the public wrapping key of another Transit instance.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "source", + "description": "Source key to export; could be any present key within Transit.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "version", + "description": "Optional version of the key to export, else all key versions are exported.", "in": "path", "schema": { "type": "string" @@ -45851,22 +45472,12 @@ "required": true } ], - "post": { - "summary": "Imports an externally-generated key into a new transit key", - "operationId": "transit-import-key", + "get": { + "summary": "Securely export named encryption or signing key", + "operationId": "transit-byok-key-version", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/TransitImportKeyRequest" - } - } - } - }, "responses": { "200": { "description": "OK" @@ -45874,18 +45485,9 @@ } } }, - "/{transit_mount_path}/keys/{name}/import_version": { - "description": "Imports an externally-generated key into an existing imported key", + "/{transit_mount_path}/cache-config": { + "description": "Configure caching strategy", "parameters": [ - { - "name": "name", - "description": "The name of the key", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "transit_mount_path", "description": "Path that the backend was mounted at", 
@@ -45897,9 +45499,21 @@ "required": true } ], + "get": { + "summary": "Returns the size of the active cache", + "operationId": "transit-read-cache-configuration", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + }, "post": { - "summary": "Imports an externally-generated key into an existing imported key", - "operationId": "transit-import-key-version", + "summary": "Configures a new cache of the specified size", + "operationId": "transit-configure-cache", "tags": [ "secrets" ], @@ -45908,7 +45522,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransitImportKeyVersionRequest" + "$ref": "#/components/schemas/TransitConfigureCacheRequest" } } } @@ -45920,12 +45534,12 @@ } } }, - "/{transit_mount_path}/keys/{name}/rotate": { - "description": "Rotate named encryption key", + "/{transit_mount_path}/cmac/{name}": { + "description": "Generate a CMAC for input data using the named key", "parameters": [ { "name": "name", - "description": "Name of the key", + "description": "The key to use for the CMAC function", "in": "path", "schema": { "type": "string" @@ -45944,8 +45558,7 @@ } ], "post": { - "summary": "Rotate named encryption key", - "operationId": "transit-rotate-key", + "operationId": "transit-generate-cmac", "tags": [ "secrets" ], @@ -45954,7 +45567,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransitRotateKeyRequest" + "$ref": "#/components/schemas/TransitGenerateCmacRequest" } } } 
@@ -45966,12 +45579,21 @@ } } }, - "/{transit_mount_path}/keys/{name}/set-certificate": { - "description": "Imports an externally-signed certificate chain into an existing key version", + "/{transit_mount_path}/cmac/{name}/{url_mac_length}": { + "description": "Generate a CMAC for input data using the named key", "parameters": [ { "name": "name", - "description": "Name of the key", + "description": "The key to use for the CMAC function", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "url_mac_length", + "description": "MAC length to use (POST URL parameter), overrides mac_length", "in": "path", "schema": { "type": "string" @@ -45990,7 +45612,7 @@ } ], "post": { - "operationId": "transit-set-certificate-for-key", + "operationId": "transit-generate-cmac-with-mac-length", "tags": [ "secrets" ], @@ -45999,7 +45621,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransitSetCertificateForKeyRequest" + "$ref": "#/components/schemas/TransitGenerateCmacWithMacLengthRequest" } } } @@ -46011,18 +45633,9 @@ } } }, - "/{transit_mount_path}/keys/{name}/trim": { - "description": "Trim key versions of a named key", + "/{transit_mount_path}/config/keys": { + "description": "Configuration common across all keys", "parameters": [ - { - "name": "name", - "description": "Name of the key", - "in": "path", - "schema": { - "type": "string" - }, - "required": true - }, { "name": "transit_mount_path", "description": "Path that the backend was mounted at", 
@@ -46034,46 +45647,19 @@ "required": true } ], - "post": { - "summary": "Trim key versions of a named key", - "operationId": "transit-trim-key", + "get": { + "operationId": "transit-read-keys-configuration", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/TransitTrimKeyRequest" - } - } - } - }, "responses": { "200": { "description": "OK" } } - } - }, - "/{transit_mount_path}/random": { - "description": "Generate random bytes", - "parameters": [ - { - "name": "transit_mount_path", - "description": "Path that the backend was mounted at", - "in": "path", - "schema": { - "type": "string", - "default": "transit" - }, - "required": true - } - ], + }, "post": { - "summary": "Generate random bytes", - "operationId": "transit-generate-random", + "operationId": "transit-configure-keys", "tags": [ "secrets" ], @@ -46082,7 +45668,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransitGenerateRandomRequest" + "$ref": "#/components/schemas/TransitConfigureKeysRequest" } } } @@ -46094,16 +45680,24 @@ } } }, - "/{transit_mount_path}/random/{source}": { - "description": "Generate random bytes", + "/{transit_mount_path}/datakey/{plaintext}/{name}": { + "description": "Generate a data key", "parameters": [ { - "name": "source", - "description": "Which system to source random data from, ether \"platform\", \"seal\", or \"all\".", + "name": "name", + "description": "The backend key used for encrypting the data key", "in": "path", "schema": { - "type": "string", - "default": "platform" + "type": "string" + }, + "required": true + }, + { + "name": "plaintext", + "description": "\"plaintext\" will return the key in both plaintext and ciphertext; \"wrapped\" will return the ciphertext only.", + "in": "path", + "schema": { + "type": "string" }, "required": true }, 
@@ -46119,8 +45713,8 @@ } ], "post": { - "summary": "Generate random bytes", - "operationId": "transit-generate-random-with-source", + "summary": "Generate a data key", + "operationId": "transit-generate-data-key", "tags": [ "secrets" ], @@ -46129,7 +45723,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransitGenerateRandomWithSourceRequest" + "$ref": "#/components/schemas/TransitGenerateDataKeyRequest" } } } @@ -46141,22 +45735,21 @@ } } }, - "/{transit_mount_path}/random/{source}/{urlbytes}": { - "description": "Generate random bytes", + "/{transit_mount_path}/datakeys/{type}/{name}": { + "description": "Generate multiple data keys", "parameters": [ { - "name": "source", - "description": "Which system to source random data from, ether \"platform\", \"seal\", or \"all\".", + "name": "name", + "description": "The backend key used for encrypting the data key", "in": "path", "schema": { - "type": "string", - "default": "platform" + "type": "string" }, "required": true }, { - "name": "urlbytes", - "description": "The number of bytes to generate (POST URL parameter)", + "name": "type", + "description": "\"plaintext\" will return the key in both plaintext and ciphertext; \"wrapped\" will return the ciphertext only.", "in": "path", "schema": { "type": "string" @@ -46175,8 +45768,8 @@ } ], "post": { - "summary": "Generate random bytes", - "operationId": "transit-generate-random-with-source-and-bytes", + "summary": "Generate multiple data keys", + "operationId": "transit-generate-data-key", "tags": [ "secrets" ], @@ -46185,7 +45778,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransitGenerateRandomWithSourceAndBytesRequest" + "$ref": "#/components/schemas/TransitGenerateDataKeyRequest" } } } 
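Review bot: The new `/{transit_mount_path}/datakeys/{type}/{name}` operation reuses `"operationId": "transit-generate-data-key"`, which the `/{transit_mount_path}/datakey/{plaintext}/{name}` operation added on the same line already declares; OpenAPI requires operationIds to be unique across the document, so client generators will either reject the spec or silently collapse the two endpoints into one method. The second occurrence (hunk `@@ -46175,8 +45768,8 @@`) needs a distinct id, e.g. `"operationId": "transit-generate-data-keys"` (constructed example), and it appears to share the `TransitGenerateDataKeyRequest` schema as well, which may be the same collision upstream. Since this file is auto-generated, the fix presumably belongs in the generator's operation naming rather than in a hand edit of the spec. Separately, the `plaintext` and `type` path parameters document only the values `"plaintext"` and `"wrapped"` but their schemas are unconstrained `string`s; an `enum` on those schemas would let generated clients validate the value before sending it.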
@@ -46197,12 +45790,12 @@ } } }, - "/{transit_mount_path}/random/{urlbytes}": { - "description": "Generate random bytes", + "/{transit_mount_path}/decrypt/{name}": { + "description": "Decrypt a ciphertext value using a named key", "parameters": [ { - "name": "urlbytes", - "description": "The number of bytes to generate (POST URL parameter)", + "name": "name", + "description": "Name of the key", "in": "path", "schema": { "type": "string" @@ -46221,8 +45814,8 @@ } ], "post": { - "summary": "Generate random bytes", - "operationId": "transit-generate-random-with-bytes", + "summary": "Decrypt a ciphertext value using a named key", + "operationId": "transit-decrypt", "tags": [ "secrets" ], @@ -46231,7 +45824,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransitGenerateRandomWithBytesRequest" + "$ref": "#/components/schemas/TransitDecryptRequest" } } } 
@@ -46243,49 +45836,21 @@ } } }, - "/{transit_mount_path}/restore": { - "description": "Restore the named key", + "/{transit_mount_path}/derivedkeys/{type}/{name}": { + "description": "Generate data keys derived from the named key's HMAC key using the provided salt, info, and indices'", "parameters": [ { - "name": "transit_mount_path", - "description": "Path that the backend was mounted at", + "name": "name", + "description": "The backend key used for encrypting the data key", "in": "path", "schema": { - "type": "string", - "default": "transit" + "type": "string" }, "required": true - } - ], - "post": { - "summary": "Restore the named key", - "operationId": "transit-restore-key", - "tags": [ - "secrets" - ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/TransitRestoreKeyRequest" - } - } - } }, - "responses": { - "200": { - "description": "OK" - } - } - } - }, - "/{transit_mount_path}/restore/{name}": { - "description": "Restore the named key", - "parameters": [ { - "name": "name", - "description": "If set, this will be the name of the restored key.", + "name": "type", + "description": "\"plaintext\" will return the key in both plaintext and ciphertext; \"wrapped\" will return the ciphertext only.", "in": "path", "schema": { "type": "string" @@ -46304,8 +45869,8 @@ } ], "post": { - "summary": "Restore the named key", - "operationId": "transit-restore-and-rename-key", + "summary": "Generate data keys derived from the named key's HMAC key\nusing the provided salt, info, and indices'", + "operationId": "transit-generate-derivedkeys", "tags": [ "secrets" ], @@ -46314,7 +45879,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransitRestoreAndRenameKeyRequest" + "$ref": "#/components/schemas/TransitGenerateDerivedkeysRequest" } } } 
@@ -46326,8 +45891,8 @@ } } }, - "/{transit_mount_path}/rewrap/{name}": { - "description": "Rewrap ciphertext", + "/{transit_mount_path}/encrypt/{name}": { + "description": "Encrypt a plaintext value or a batch of plaintext blocks using a named key", "parameters": [ { "name": "name", @@ -46349,9 +45914,10 @@ "required": true } ], + "x-vault-createSupported": true, "post": { - "summary": "Rewrap ciphertext", - "operationId": "transit-rewrap", + "summary": "Encrypt a plaintext value or a batch of plaintext\nblocks using a named key", + "operationId": "transit-encrypt", "tags": [ "secrets" ], @@ -46360,7 +45926,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransitRewrapRequest" + "$ref": "#/components/schemas/TransitEncryptRequest" } } } @@ -46372,12 +45938,21 @@ } } }, - "/{transit_mount_path}/sign/{name}": { - "description": "Generate a signature for input data using the named key", + "/{transit_mount_path}/export/{type}/{name}": { + "description": "Export named encryption or signing key", "parameters": [ { "name": "name", - "description": "The key to use", + "description": "Name of the key", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "type", + "description": "Type of key to export (encryption-key, signing-key, hmac-key, public-key, cmac-key)", "in": "path", "schema": { "type": "string" @@ -46395,22 +45970,12 @@ "required": true } ], - "post": { - "summary": "Generate a signature for input data using the named key", - "operationId": "transit-sign", + "get": { + "summary": "Export named encryption or signing key", + "operationId": "transit-export-key", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/TransitSignRequest" - } - } - } - }, "responses": { "200": { "description": "OK" 
@@ -46418,12 +45983,12 @@ } } }, - "/{transit_mount_path}/sign/{name}/{urlalgorithm}": { - "description": "Generate a signature for input data using the named key", + "/{transit_mount_path}/export/{type}/{name}/{version}": { + "description": "Export named encryption or signing key", "parameters": [ { "name": "name", - "description": "The key to use", + "description": "Name of the key", "in": "path", "schema": { "type": "string" @@ -46431,8 +45996,17 @@ "required": true }, { - "name": "urlalgorithm", - "description": "Hash algorithm to use (POST URL parameter)", + "name": "type", + "description": "Type of key to export (encryption-key, signing-key, hmac-key, public-key, cmac-key)", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "version", + "description": "Version of the key", "in": "path", "schema": { "type": "string" @@ -46450,22 +46024,12 @@ "required": true } ], - "post": { - "summary": "Generate a signature for input data using the named key", - "operationId": "transit-sign-with-algorithm", + "get": { + "summary": "Export named encryption or signing key", + "operationId": "transit-export-key-version", "tags": [ "secrets" ], - "requestBody": { - "required": true, - "content": { - "application/json": { - "schema": { - "$ref": "#/components/schemas/TransitSignWithAlgorithmRequest" - } - } - } - }, "responses": { "200": { "description": "OK" 
@@ -46473,12 +46037,49 @@ } } }, - "/{transit_mount_path}/verify/{name}": { - "description": "Verify a signature or HMAC for input data created using the named key", + "/{transit_mount_path}/hash": { + "description": "Generate a hash sum for input data", "parameters": [ { - "name": "name", - "description": "The key to use", + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Generate a hash sum for input data", + "operationId": "transit-hash", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitHashRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/hash/{urlalgorithm}": { + "description": "Generate a hash sum for input data", + "parameters": [ + { + "name": "urlalgorithm", + "description": "Algorithm to use (POST URL parameter)", "in": "path", "schema": { "type": "string" @@ -46497,8 +46098,8 @@ } ], "post": { - "summary": "Verify a signature or HMAC for input data created using the named key", - "operationId": "transit-verify", + "summary": "Generate a hash sum for input data", + "operationId": "transit-hash-with-algorithm", "tags": [ "secrets" ], @@ -46507,7 +46108,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransitVerifyRequest" + "$ref": "#/components/schemas/TransitHashWithAlgorithmRequest" } } } 
@@ -46519,12 +46120,58 @@ } } }, - "/{transit_mount_path}/verify/{name}/{urlalgorithm}": { - "description": "Verify a signature or HMAC for input data created using the named key", + "/{transit_mount_path}/hmac/{name}": { + "description": "Generate an HMAC for input data using the named key", "parameters": [ { "name": "name", - "description": "The key to use", + "description": "The key to use for the HMAC function", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Generate an HMAC for input data using the named key", + "operationId": "transit-generate-hmac", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitGenerateHmacRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/hmac/{name}/{urlalgorithm}": { + "description": "Generate an HMAC for input data using the named key", + "parameters": [ + { + "name": "name", + "description": "The key to use for the HMAC function", "in": "path", "schema": { "type": "string" @@ -46533,7 +46180,7 @@ }, { "name": "urlalgorithm", - "description": "Hash algorithm to use (POST URL parameter)", + "description": "Algorithm to use (POST URL parameter)", "in": "path", "schema": { "type": "string" @@ -46552,8 +46199,8 @@ } ], "post": { - "summary": "Verify a signature or HMAC for input data created using the named key", - "operationId": "transit-verify-with-algorithm", + "summary": "Generate an HMAC for input data using the named key", + "operationId": "transit-generate-hmac-with-algorithm", "tags": [ "secrets" ], 
@@ -46562,7 +46209,7 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/TransitVerifyWithAlgorithmRequest" + "$ref": "#/components/schemas/TransitGenerateHmacWithAlgorithmRequest" } } } @@ -46574,8 +46221,8 @@ } } }, - "/{transit_mount_path}/wrapping_key": { - "description": "Returns the public key to use for wrapping imported keys", + "/{transit_mount_path}/keys/": { + "description": "Managed named encryption keys", "parameters": [ { "name": "transit_mount_path", 
@@ -46589,69 +46236,1028 @@ } ], "get": { - "summary": "Returns the public key to use for wrapping imported keys", - "operationId": "transit-read-wrapping-key", + "summary": "Managed named encryption keys", + "operationId": "transit-list-keys", "tags": [ "secrets" ], + "parameters": [ + { + "name": "list", + "description": "Must be set to `true`", + "in": "query", + "schema": { + "type": "string", + "enum": [ + "true" + ] + }, + "required": true + } + ], "responses": { "200": { - "description": "OK" + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/StandardListResponse" + } + } + } } } } - } - }, - "components": { - "schemas": { - "AliCloudConfigureRequest": { - "type": "object", - "properties": { - "access_key": { - "type": "string", - "description": "Access key with appropriate permissions." + }, + "/{transit_mount_path}/keys/{name}": { + "description": "Managed named encryption keys", + "parameters": [ + { + "name": "name", + "description": "Name of the key.", + "in": "path", + "schema": { + "type": "string" }, - "secret_key": { + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { "type": "string", - "description": "Secret key with appropriate permissions." + "default": "transit" + }, + "required": true + } + ], + "get": { + "operationId": "transit-read-key", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitReadKeyResponse" + } + } + } } } }, - "AliCloudLoginRequest": { - "type": "object", - "properties": { - "identity_request_headers": { - "type": "string", - "description": "The request headers. This must include the headers over which AliCloud has included a signature." 
- }, - "identity_request_url": { - "type": "string", - "description": "Base64-encoded full URL against which to make the AliCloud request." - }, - "role": { - "type": "string", - "description": "Name of the role against which the login is being attempted. If a matching role is not found, login fails." + "post": { + "operationId": "transit-create-key", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitCreateKeyRequest" + } + } } }, - "required": [ - "role" - ] + "responses": { + "200": { + "description": "OK" + } + } }, - "AliCloudWriteAuthRoleRequest": { - "type": "object", - "properties": { - "alias_metadata": { - "type": "object", - "description": "The metadata to be tied to generated entity alias. This should be a list or map containing the metadata in key value pairs", - "format": "kvpairs", - "x-vault-displayAttrs": { - "name": "Token Alias Metadata", - "group": "Tokens" - } - }, - "arn": { - "type": "string", - "description": "ARN of the RAM to bind to this role." 
+ "delete": { + "operationId": "transit-delete-key", + "tags": [ + "secrets" + ], + "responses": { + "204": { + "description": "empty body" + } + } + } + }, + "/{transit_mount_path}/keys/{name}/config": { + "description": "Configure a named encryption key", + "parameters": [ + { + "name": "name", + "description": "Name of the key", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Configure a named encryption key", + "operationId": "transit-configure-key", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitConfigureKeyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/keys/{name}/csr": { + "description": "Create a CSR from a key in transit", + "parameters": [ + { + "name": "name", + "description": "Name of the key", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "operationId": "transit-generate-csr-for-key", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitGenerateCsrForKeyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/keys/{name}/import": { + "description": "Imports an externally-generated key into a new transit key", + "parameters": [ + { + "name": "name", + "description": "The name of the key", + "in": "path", + "schema": { 
+ "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Imports an externally-generated key into a new transit key", + "operationId": "transit-import-key", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitImportKeyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/keys/{name}/import_version": { + "description": "Imports an externally-generated key into an existing imported key", + "parameters": [ + { + "name": "name", + "description": "The name of the key", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Imports an externally-generated key into an existing imported key", + "operationId": "transit-import-key-version", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitImportKeyVersionRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/keys/{name}/rotate": { + "description": "Rotate named encryption key", + "parameters": [ + { + "name": "name", + "description": "Name of the key", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + 
"post": { + "summary": "Rotate named encryption key", + "operationId": "transit-rotate-key", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitRotateKeyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/keys/{name}/set-certificate": { + "description": "Imports an externally-signed certificate chain into an existing key version", + "parameters": [ + { + "name": "name", + "description": "Name of the key", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "operationId": "transit-set-certificate-for-key", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitSetCertificateForKeyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/keys/{name}/trim": { + "description": "Trim key versions of a named key", + "parameters": [ + { + "name": "name", + "description": "Name of the key", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Trim key versions of a named key", + "operationId": "transit-trim-key", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitTrimKeyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } 
+ } + }, + "/{transit_mount_path}/random": { + "description": "Generate random bytes", + "parameters": [ + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Generate random bytes", + "operationId": "transit-generate-random", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitGenerateRandomRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/random/{source}": { + "description": "Generate random bytes", + "parameters": [ + { + "name": "source", + "description": "Which system to source random data from, ether \"platform\", \"seal\", or \"all\".", + "in": "path", + "schema": { + "type": "string", + "default": "platform" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Generate random bytes", + "operationId": "transit-generate-random-with-source", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitGenerateRandomWithSourceRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/random/{source}/{urlbytes}": { + "description": "Generate random bytes", + "parameters": [ + { + "name": "source", + "description": "Which system to source random data from, ether \"platform\", \"seal\", or \"all\".", + "in": "path", + "schema": { + "type": "string", + "default": "platform" + }, + "required": true + }, + { + "name": "urlbytes", + "description": "The number of bytes to 
generate (POST URL parameter)", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Generate random bytes", + "operationId": "transit-generate-random-with-source-and-bytes", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitGenerateRandomWithSourceAndBytesRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/random/{urlbytes}": { + "description": "Generate random bytes", + "parameters": [ + { + "name": "urlbytes", + "description": "The number of bytes to generate (POST URL parameter)", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Generate random bytes", + "operationId": "transit-generate-random-with-bytes", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitGenerateRandomWithBytesRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/restore": { + "description": "Restore the named key", + "parameters": [ + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Restore the named key", + "operationId": "transit-restore-key", + "tags": [ + "secrets" + ], + 
"requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitRestoreKeyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/restore/{name}": { + "description": "Restore the named key", + "parameters": [ + { + "name": "name", + "description": "If set, this will be the name of the restored key.", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Restore the named key", + "operationId": "transit-restore-and-rename-key", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitRestoreAndRenameKeyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/rewrap/{name}": { + "description": "Rewrap ciphertext", + "parameters": [ + { + "name": "name", + "description": "Name of the key", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Rewrap ciphertext", + "operationId": "transit-rewrap", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitRewrapRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/sign/{name}": { + "description": "Generate a signature for input data using the named key", + "parameters": [ + { + 
"name": "name", + "description": "The key to use", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Generate a signature for input data using the named key", + "operationId": "transit-sign", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitSignRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/sign/{name}/{urlalgorithm}": { + "description": "Generate a signature for input data using the named key", + "parameters": [ + { + "name": "name", + "description": "The key to use", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "urlalgorithm", + "description": "Hash algorithm to use (POST URL parameter)", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Generate a signature for input data using the named key", + "operationId": "transit-sign-with-algorithm", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitSignWithAlgorithmRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/verify/{name}": { + "description": "Verify a signature or HMAC for input data created using the named key", + "parameters": [ + { + "name": "name", + "description": "The key to use", + "in": "path", + "schema": { + 
"type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Verify a signature or HMAC for input data created using the named key", + "operationId": "transit-verify", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitVerifyRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/verify/{name}/{urlalgorithm}": { + "description": "Verify a signature or HMAC for input data created using the named key", + "parameters": [ + { + "name": "name", + "description": "The key to use", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "urlalgorithm", + "description": "Hash algorithm to use (POST URL parameter)", + "in": "path", + "schema": { + "type": "string" + }, + "required": true + }, + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": "string", + "default": "transit" + }, + "required": true + } + ], + "post": { + "summary": "Verify a signature or HMAC for input data created using the named key", + "operationId": "transit-verify-with-algorithm", + "tags": [ + "secrets" + ], + "requestBody": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/TransitVerifyWithAlgorithmRequest" + } + } + } + }, + "responses": { + "200": { + "description": "OK" + } + } + } + }, + "/{transit_mount_path}/wrapping_key": { + "description": "Returns the public key to use for wrapping imported keys", + "parameters": [ + { + "name": "transit_mount_path", + "description": "Path that the backend was mounted at", + "in": "path", + "schema": { + "type": 
"string", + "default": "transit" + }, + "required": true + } + ], + "get": { + "summary": "Returns the public key to use for wrapping imported keys", + "operationId": "transit-read-wrapping-key", + "tags": [ + "secrets" + ], + "responses": { + "200": { + "description": "OK" + } + } + } + } + }, + "components": { + "schemas": { + "AliCloudConfigureRequest": { + "type": "object", + "properties": { + "access_key": { + "type": "string", + "description": "Access key with appropriate permissions." + }, + "secret_key": { + "type": "string", + "description": "Secret key with appropriate permissions." + } + } + }, + "AliCloudLoginRequest": { + "type": "object", + "properties": { + "identity_request_headers": { + "type": "string", + "description": "The request headers. This must include the headers over which AliCloud has included a signature." + }, + "identity_request_url": { + "type": "string", + "description": "Base64-encoded full URL against which to make the AliCloud request." + }, + "role": { + "type": "string", + "description": "Name of the role against which the login is being attempted. If a matching role is not found, login fails." + } + }, + "required": [ + "role" + ] + }, + "AliCloudWriteAuthRoleRequest": { + "type": "object", + "properties": { + "alias_metadata": { + "type": "object", + "description": "The metadata to be tied to generated entity alias. This should be a list or map containing the metadata in key value pairs", + "format": "kvpairs", + "x-vault-displayAttrs": { + "name": "Token Alias Metadata", + "group": "Tokens" + } + }, + "arn": { + "type": "string", + "description": "ARN of the RAM to bind to this role." }, "bound_cidrs": { "type": "array", 
@@ -56654,149 +57260,418 @@ "description": "The pixel size of the generated square QR code.", "default": 200 }, - "skew": { + "skew": { + "type": "integer", + "description": "The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1.", + "default": 1 + } + } + }, + "MfaValidateRequest": { + "type": "object", + "properties": { + "mfa_payload": { + "type": "object", + "description": "A map from MFA method ID to a slice of passcodes or an empty slice if the method does not use passcodes", + "format": "map" + }, + "mfa_request_id": { + "type": "string", + "description": "ID for this MFA request" + } + }, + "required": [ + "mfa_payload", + "mfa_request_id" + ] + }, + "MfaWriteLoginEnforcementRequest": { + "type": "object", + "properties": { + "auth_method_accessors": { + "type": "array", + "description": "Array of auth mount accessor IDs", + "items": { + "type": "string" + } + }, + "auth_method_types": { + "type": "array", + "description": "Array of auth mount types", + "items": { + "type": "string" + } + }, + "identity_entity_ids": { + "type": "array", + "description": "Array of identity entity IDs", + "items": { + "type": "string" + } + }, + "identity_group_ids": { + "type": "array", + "description": "Array of identity group IDs", + "items": { + "type": "string" + } + }, + "mfa_method_ids": { + "type": "array", + "description": "Array of Method IDs that determine what methods will be enforced", + "items": { + "type": "string" + } + } + }, + "required": [ + "mfa_method_ids" + ] + }, + "MongoDbAtlasConfigureRequest": { + "type": "object", + "properties": { + "private_key": { + "type": "string", + "description": "MongoDB Atlas Programmatic Private Key", + "x-vault-displayAttrs": { + "sensitive": true + } + }, + "public_key": { + "type": "string", + "description": "MongoDB Atlas Programmatic Public Key" + } + }, + "required": [ + "private_key", + "public_key" + ] + }, + "MongoDbAtlasWriteRoleRequest": { + "type": "object", 
+ "properties": { + "cidr_blocks": { + "type": "array", + "description": "Access list entry in CIDR notation to be added for the API key. Optional for organization and project keys.", + "items": { + "type": "string" + } + }, + "ip_addresses": { + "type": "array", + "description": "IP address to be added to the access list for the API key. Optional for organization and project keys.", + "items": { + "type": "string" + } + }, + "max_ttl": { + "type": "string", + "description": "The maximum allowed lifetime of credentials issued using this role.", + "format": "duration" + }, + "organization_id": { + "type": "string", + "description": "Organization ID required for an organization API key" + }, + "project_id": { + "type": "string", + "description": "Project ID the project API key belongs to." + }, + "project_roles": { + "type": "array", + "description": "Roles assigned when an organization API Key is assigned to a project API key", + "items": { + "type": "string" + } + }, + "roles": { + "type": "array", + "description": "List of roles that the API Key should be granted. A minimum of one role must be provided. Any roles provided must be valid for the assigned Project, required for organization and project keys.", + "items": { + "type": "string" + } + }, + "ttl": { + "type": "string", + "description": "Duration in seconds after which the issued credential should expire. 
Defaults to 0, in which case the value will fallback to the system/mount defaults.", + "format": "duration" + } + }, + "required": [ + "roles" + ] + }, + "MountsAuthReadTuningInformationResponse": { + "type": "object", + "properties": { + "allowed_managed_keys": { + "type": "array", + "items": { + "type": "string" + } + }, + "allowed_response_headers": { + "type": "array", + "items": { + "type": "string" + } + }, + "audit_non_hmac_request_keys": { + "type": "array", + "items": { + "type": "string" + } + }, + "audit_non_hmac_response_keys": { + "type": "array", + "items": { + "type": "string" + } + }, + "default_lease_ttl": { + "type": "integer" + }, + "description": { + "type": "string" + }, + "external_entropy_access": { + "type": "boolean" + }, + "force_no_cache": { + "type": "boolean" + }, + "identity_token_key": { + "type": "string" + }, + "listing_visibility": { + "type": "string" + }, + "max_lease_ttl": { + "type": "integer" + }, + "options": { + "type": "object", + "format": "map" + }, + "override_pinned_version": { + "type": "boolean", + "description": "If true, plugin_version will override the pinned version", + "default": false + }, + "passthrough_request_headers": { + "type": "array", + "items": { + "type": "string" + } + }, + "plugin_version": { + "type": "string" + }, + "token_type": { + "type": "string" + }, + "trim_request_trailing_slashes": { + "type": "boolean" + }, + "user_lockout_counter_reset_duration": { + "type": "integer", + "format": "int64" + }, + "user_lockout_disable": { + "type": "boolean" + }, + "user_lockout_duration": { + "type": "integer", + "format": "int64" + }, + "user_lockout_threshold": { "type": "integer", - "description": "The number of delay periods that are allowed when validating a TOTP token. 
This value can either be 0 or 1.", - "default": 1 + "format": "int64" } } }, - "MfaValidateRequest": { - "type": "object", - "properties": { - "mfa_payload": { - "type": "object", - "description": "A map from MFA method ID to a slice of passcodes or an empty slice if the method does not use passcodes", - "format": "map" - }, - "mfa_request_id": { - "type": "string", - "description": "ID for this MFA request" - } - }, - "required": [ - "mfa_payload", - "mfa_request_id" - ] - }, - "MfaWriteLoginEnforcementRequest": { + "MountsAuthTuneConfigurationParametersRequest": { "type": "object", "properties": { - "auth_method_accessors": { + "allowed_response_headers": { "type": "array", - "description": "Array of auth mount accessor IDs", + "description": "A list of headers to whitelist and allow a plugin to set on responses.", "items": { "type": "string" } }, - "auth_method_types": { + "audit_non_hmac_request_keys": { "type": "array", - "description": "Array of auth mount types", + "description": "The list of keys in the request data object that will not be HMAC'd by audit devices.", "items": { "type": "string" } }, - "identity_entity_ids": { + "audit_non_hmac_response_keys": { "type": "array", - "description": "Array of identity entity IDs", + "description": "The list of keys in the response data object that will not be HMAC'd by audit devices.", "items": { "type": "string" } }, - "identity_group_ids": { - "type": "array", - "description": "Array of identity group IDs", - "items": { - "type": "string" - } + "default_lease_ttl": { + "type": "string", + "description": "The default lease TTL for this mount." }, - "mfa_method_ids": { + "description": { + "type": "string", + "description": "User-friendly description for this credential backend." + }, + "identity_token_key": { + "type": "string", + "description": "The name of the key used to sign plugin identity tokens. Defaults to the default key." 
+ }, + "listing_visibility": { + "type": "string", + "description": "Determines the visibility of the mount in the UI-specific listing endpoint. Accepted value are 'unauth' and 'hidden', with the empty default ('') behaving like 'hidden'." + }, + "max_lease_ttl": { + "type": "string", + "description": "The max lease TTL for this mount." + }, + "options": { + "type": "object", + "description": "The options to pass into the backend. Should be a json object with string keys and values.", + "format": "kvpairs" + }, + "override_pinned_version": { + "type": "boolean", + "description": "If true, plugin_version will override the pinned version", + "default": false + }, + "passthrough_request_headers": { "type": "array", - "description": "Array of Method IDs that determine what methods will be enforced", + "description": "A list of headers to whitelist and pass from the request to the plugin.", "items": { "type": "string" } + }, + "plugin_version": { + "type": "string", + "description": "The semantic version of the plugin to use, or image tag if oci_image is provided." + }, + "token_type": { + "type": "string", + "description": "The type of token to issue (service or batch)." + }, + "trim_request_trailing_slashes": { + "type": "boolean" + }, + "user_lockout_config": { + "type": "object", + "description": "The user lockout configuration to pass into the backend. Should be a json object with string keys and values.", + "format": "map" } - }, - "required": [ - "mfa_method_ids" - ] + } }, - "MongoDbAtlasConfigureRequest": { + "MountsEnableSecretsEngineRequest": { "type": "object", "properties": { - "private_key": { + "config": { + "type": "object", + "description": "Configuration for this mount, such as default_lease_ttl and max_lease_ttl.", + "format": "map" + }, + "description": { "type": "string", - "description": "MongoDB Atlas Programmatic Private Key", - "x-vault-displayAttrs": { - "sensitive": true - } + "description": "User-friendly description for this mount." 
}, - "public_key": { + "external_entropy_access": { + "type": "boolean", + "description": "Whether to give the mount access to Vault's external entropy.", + "default": false + }, + "local": { + "type": "boolean", + "description": "Mark the mount as a local mount, which is not replicated and is unaffected by replication.", + "default": false + }, + "options": { + "type": "object", + "description": "The options to pass into the backend. Should be a json object with string keys and values.", + "format": "kvpairs" + }, + "plugin_name": { "type": "string", - "description": "MongoDB Atlas Programmatic Public Key" + "description": "Name of the plugin to mount based from the name registered in the plugin catalog." + }, + "plugin_version": { + "type": "string", + "description": "The semantic version of the plugin to use, or image tag if oci_image is provided." + }, + "seal_wrap": { + "type": "boolean", + "description": "Whether to turn on seal wrapping for the mount.", + "default": false + }, + "type": { + "type": "string", + "description": "The type of the backend. Example: \"passthrough\"" } - }, - "required": [ - "private_key", - "public_key" - ] + } }, - "MongoDbAtlasWriteRoleRequest": { + "MountsReadConfigurationResponse": { "type": "object", "properties": { - "cidr_blocks": { - "type": "array", - "description": "Access list entry in CIDR notation to be added for the API key. Optional for organization and project keys.", - "items": { - "type": "string" - } + "accessor": { + "type": "string" }, - "ip_addresses": { - "type": "array", - "description": "IP address to be added to the access list for the API key. 
Optional for organization and project keys.", - "items": { - "type": "string" - } + "config": { + "type": "object", + "description": "Configuration for this mount, such as default_lease_ttl and max_lease_ttl.", + "format": "map" }, - "max_ttl": { - "type": "string", - "description": "The maximum allowed lifetime of credentials issued using this role.", - "format": "duration" + "deprecation_status": { + "type": "string" }, - "organization_id": { + "description": { "type": "string", - "description": "Organization ID required for an organization API key" + "description": "User-friendly description for this mount." }, - "project_id": { + "external_entropy_access": { + "type": "boolean" + }, + "local": { + "type": "boolean", + "description": "Mark the mount as a local mount, which is not replicated and is unaffected by replication.", + "default": false + }, + "options": { + "type": "object", + "description": "The options to pass into the backend. Should be a json object with string keys and values.", + "format": "kvpairs" + }, + "plugin_version": { "type": "string", - "description": "Project ID the project API key belongs to." + "description": "The semantic version of the plugin to use, or image tag if oci_image is provided." }, - "project_roles": { - "type": "array", - "description": "Roles assigned when an organization API Key is assigned to a project API key", - "items": { - "type": "string" - } + "running_plugin_version": { + "type": "string" }, - "roles": { - "type": "array", - "description": "List of roles that the API Key should be granted. A minimum of one role must be provided. 
Any roles provided must be valid for the assigned Project, required for organization and project keys.", - "items": { - "type": "string" - } + "running_sha256": { + "type": "string" }, - "ttl": { + "seal_wrap": { + "type": "boolean", + "description": "Whether to turn on seal wrapping for the mount.", + "default": false + }, + "type": { "type": "string", - "description": "Duration in seconds after which the issued credential should expire. Defaults to 0, in which case the value will fallback to the system/mount defaults.", - "format": "duration" + "description": "The type of the backend. Example: \"passthrough\"" + }, + "uuid": { + "type": "string" } - }, - "required": [ - "roles" - ] + } }, - "MountsAuthReadTuningInformationResponse": { + "MountsReadTuningInformationResponse": { "type": "object", "properties": { "allowed_managed_keys": { @@ -56807,6 +57682,7 @@ }, "allowed_response_headers": { "type": "array", + "description": "A list of headers to whitelist and allow a plugin to set on responses.", "items": { "type": "string" } @@ -56824,10 +57700,19 @@ } }, "default_lease_ttl": { - "type": "integer" + "type": "integer", + "description": "The default lease TTL for this mount." + }, + "delegated_auth_accessors": { + "type": "array", + "description": "A list of auth accessors that the mount is allowed to delegate authentication too", + "items": { + "type": "string" + } }, "description": { - "type": "string" + "type": "string", + "description": "User-friendly description for this credential backend." }, "external_entropy_access": { "type": "boolean" @@ -56842,11 +57727,13 @@ "type": "string" }, "max_lease_ttl": { - "type": "integer" + "type": "integer", + "description": "The max lease TTL for this mount." }, "options": { "type": "object", - "format": "map" + "description": "The options to pass into the backend. Should be a json object with string keys and values.", + "format": "kvpairs" }, "override_pinned_version": { "type": "boolean", 
@@ -56860,10 +57747,12 @@ } }, "plugin_version": { - "type": "string" + "type": "string", + "description": "The semantic version of the plugin to use, or image tag if oci_image is provided." }, "token_type": { - "type": "string" + "type": "string", + "description": "The type of token to issue (service or batch)." }, "trim_request_trailing_slashes": { "type": "boolean" @@ -56885,9 +57774,15 @@ } } }, - "MountsAuthTuneConfigurationParametersRequest": { + "MountsTuneConfigurationParametersRequest": { "type": "object", "properties": { + "allowed_managed_keys": { + "type": "array", + "items": { + "type": "string" + } + }, "allowed_response_headers": { "type": "array", "description": "A list of headers to whitelist and allow a plugin to set on responses.", @@ -56913,6 +57808,12 @@ "type": "string", "description": "The default lease TTL for this mount." }, + "delegated_auth_accessors": { + "type": "array", + "items": { + "type": "string" + } + }, "description": { "type": "string", "description": "User-friendly description for this credential backend." @@ -56955,7 +57856,8 @@ "description": "The type of token to issue (service or batch)." }, "trim_request_trailing_slashes": { - "type": "boolean" + "type": "boolean", + "description": "Whether to trim a trailing slash on incoming requests to this mount" }, "user_lockout_config": { "type": "object", 
@@ -56964,542 +57866,651 @@ } } }, - "MountsEnableSecretsEngineRequest": { + "NomadConfigureAccessRequest": { "type": "object", "properties": { - "config": { - "type": "object", - "description": "Configuration for this mount, such as default_lease_ttl and max_lease_ttl.", - "format": "map" + "address": { + "type": "string", + "description": "Nomad server address" }, - "description": { + "ca_cert": { "type": "string", - "description": "User-friendly description for this mount." + "description": "CA certificate to use when verifying Nomad server certificate, must be x509 PEM encoded." }, - "external_entropy_access": { - "type": "boolean", - "description": "Whether to give the mount access to Vault's external entropy.", - "default": false + "client_cert": { + "type": "string", + "description": "Client certificate used for Nomad's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_key." }, - "local": { - "type": "boolean", - "description": "Mark the mount as a local mount, which is not replicated and is unaffected by replication.", - "default": false + "client_key": { + "type": "string", + "description": "Client key used for Nomad's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert." }, - "options": { - "type": "object", - "description": "The options to pass into the backend. Should be a json object with string keys and values.", - "format": "kvpairs" + "max_token_name_length": { + "type": "integer", + "description": "Max length for name of generated Nomad tokens" }, - "plugin_name": { + "token": { "type": "string", - "description": "Name of the plugin to mount based from the name registered in the plugin catalog." 
- }, - "plugin_version": { + "description": "Token for API calls" + } + } + }, + "NomadConfigureLeaseRequest": { + "type": "object", + "properties": { + "max_ttl": { "type": "string", - "description": "The semantic version of the plugin to use, or image tag if oci_image is provided." + "description": "Duration after which the issued token should not be allowed to be renewed", + "format": "duration" }, - "seal_wrap": { + "ttl": { + "type": "string", + "description": "Duration before which the issued token needs renewal", + "format": "duration" + } + } + }, + "NomadWriteRoleRequest": { + "type": "object", + "properties": { + "global": { "type": "boolean", - "description": "Whether to turn on seal wrapping for the mount.", - "default": false + "description": "Boolean value describing if the token should be global or not. Defaults to false." + }, + "policies": { + "type": "array", + "description": "Comma-separated string or list of policies as previously created in Nomad. Required for 'client' token.", + "items": { + "type": "string" + } }, "type": { "type": "string", - "description": "The type of the backend. Example: \"passthrough\"" + "description": "Which type of token to create: 'client' or 'management'. If a 'management' token, the \"policies\" parameter is not required. 
Defaults to 'client'.", + "default": "client" } } }, - "MountsReadConfigurationResponse": { + "OauthResourceServerListProfilesResponse": { "type": "object", "properties": { - "accessor": { - "type": "string" + "keys": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "OauthResourceServerReadProfileResponse": { + "type": "object", + "properties": { + "audiences": { + "type": "array", + "description": "List of allowed audiences (aud claim).", + "items": { + "type": "string" + } }, - "config": { - "type": "object", - "description": "Configuration for this mount, such as default_lease_ttl and max_lease_ttl.", - "format": "map" + "clock_skew_leeway": { + "type": "string", + "description": "Leeway for clock skew in seconds.", + "format": "duration" }, - "deprecation_status": { - "type": "string" + "config_id": { + "type": "string", + "description": "Stable unique identifier for this OAuth Resource Server Configuration profile." }, - "description": { + "enabled": { + "type": "boolean", + "description": "Whether this profile is enabled for JWT validation. Disabled profiles are ignored" + }, + "issuer_id": { "type": "string", - "description": "User-friendly description for this mount." + "description": "The issuer ID (iss claim) to validate against." }, - "external_entropy_access": { - "type": "boolean" + "jwks_ca_pem": { + "type": "string", + "description": "Optional CA certificate for JWKS URI TLS validation." }, - "local": { + "jwt_type": { + "type": "string", + "description": "The JWT type: 'access_token' or 'transaction_token'." + }, + "no_default_policy": { "type": "boolean", - "description": "Mark the mount as a local mount, which is not replicated and is unaffected by replication.", - "default": false + "description": "If true, JWT-authenticated tokens omit the default policy unless it is applied elsewhere." }, - "options": { - "type": "object", - "description": "The options to pass into the backend. 
Should be a json object with string keys and values.", - "format": "kvpairs" + "optional_authorization_details": { + "type": "boolean", + "description": "If true, authorization_details claim is optional for OAuth 2.0 JWTs using this OAuth resource server. By default (false), authorization_details is mandatory." }, - "plugin_version": { + "profile_name": { "type": "string", - "description": "The semantic version of the plugin to use, or image tag if oci_image is provided." + "description": "The name of the OAuth Resource Server Configuration profile." }, - "running_plugin_version": { - "type": "string" + "public_keys": { + "type": "array", + "description": "List of static public keys with key_id and pem fields", + "items": { + "type": "object" + } }, - "running_sha256": { - "type": "string" + "supported_algorithms": { + "type": "array", + "description": "List of supported signing algorithms.", + "items": { + "type": "string" + } }, - "seal_wrap": { + "use_jwks": { "type": "boolean", - "description": "Whether to turn on seal wrapping for the mount.", - "default": false + "description": "If true, use JWKS URI for key validation profile names." }, - "type": { + "user_claim": { + "type": "string", + "description": "The claim to use as the user identifier (default: sub)." + } + } + }, + "OauthResourceServerUpdateProfileRequest": { + "type": "object", + "properties": { + "audiences": { + "type": "array", + "description": "List of allowed audiences (aud claim).", + "items": { + "type": "string" + } + }, + "clock_skew_leeway": { + "type": "string", + "description": "Leeway for clock skew in seconds.", + "format": "duration" + }, + "enabled": { + "type": "boolean", + "description": "Whether this profile is enabled for JWT validation. Disabled profiles are ignored. Default: true.", + "default": true + }, + "issuer_id": { + "type": "string", + "description": "The issuer ID (iss claim) to validate against." 
+ }, + "jwks_ca_pem": { + "type": "string", + "description": "Optional CA certificate for JWKS URI TLS validation." + }, + "jwks_uri": { + "type": "string", + "description": "The JWKS URI to fetch public keys from (required if use_jwks=true)." + }, + "jwt_type": { + "type": "string", + "description": "The JWT type: 'access_token' or 'transaction_token'.", + "default": "access_token" + }, + "no_default_policy": { + "type": "boolean", + "description": "If true, JWT-authenticated tokens omit the default policy unless it is applied elsewhere." + }, + "optional_authorization_details": { + "type": "boolean", + "description": "If true, authorization_details claim is optional for OAuth 2.0 JWTs using this OAuth resource server. By default (false), authorization_details is mandatory." + }, + "public_keys": { + "type": "array", + "description": "List of static public keys with key_id and pem fields (required if use_jwks=false).", + "items": { + "type": "object" + } + }, + "supported_algorithms": { + "type": "array", + "description": "List of supported signing algorithms (e.g., RS256, ES256).", + "items": { + "type": "string" + } + }, + "use_jwks": { + "type": "boolean", + "description": "If true, use JWKS URI for key validation; if false, use static public keys.", + "default": true + }, + "user_claim": { + "type": "string", + "description": "The claim to use as the user identifier (default: sub).", + "default": "sub" + } + }, + "required": [ + "issuer_id" + ] + }, + "OciConfigureRequest": { + "type": "object", + "properties": { + "home_tenancy_id": { "type": "string", - "description": "The type of the backend. Example: \"passthrough\"" - }, - "uuid": { - "type": "string" + "description": "The tenancy id of the account." 
} } }, - "MountsReadTuningInformationResponse": { + "OciLoginRequest": { "type": "object", "properties": { - "allowed_managed_keys": { - "type": "array", - "items": { - "type": "string" - } - }, - "allowed_response_headers": { - "type": "array", - "description": "A list of headers to whitelist and allow a plugin to set on responses.", - "items": { - "type": "string" + "request_headers": { + "type": "string", + "description": "The signed headers of the client" + } + } + }, + "OciWriteRoleRequest": { + "type": "object", + "properties": { + "alias_metadata": { + "type": "object", + "description": "The metadata to be tied to generated entity alias. This should be a list or map containing the metadata in key value pairs", + "format": "kvpairs", + "x-vault-displayAttrs": { + "name": "Token Alias Metadata", + "group": "Tokens" } }, - "audit_non_hmac_request_keys": { + "ocid_list": { "type": "array", + "description": "A comma separated list of Group or Dynamic Group OCIDs that are allowed to take this role.", "items": { "type": "string" } }, - "audit_non_hmac_response_keys": { + "token_bound_cidrs": { "type": "array", + "description": "Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", "items": { "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Bound CIDRs", + "description": "A list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "group": "Tokens" } }, - "default_lease_ttl": { - "type": "integer", - "description": "The default lease TTL for this mount." - }, - "delegated_auth_accessors": { - "type": "array", - "description": "A list of auth accessors that the mount is allowed to delegate authentication too", - "items": { - "type": "string" + "token_explicit_max_ttl": { + "type": "string", + "description": "If set, tokens created via this role carry an explicit maximum TTL. 
During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Explicit Maximum TTL", + "group": "Tokens" } }, - "description": { + "token_max_ttl": { "type": "string", - "description": "User-friendly description for this credential backend." - }, - "external_entropy_access": { - "type": "boolean" - }, - "force_no_cache": { - "type": "boolean" - }, - "identity_token_key": { - "type": "string" + "description": "The maximum lifetime of the generated token", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Maximum TTL", + "group": "Tokens" + } }, - "listing_visibility": { - "type": "string" + "token_no_default_policy": { + "type": "boolean", + "description": "If true, the 'default' policy will not automatically be added to generated tokens", + "x-vault-displayAttrs": { + "name": "Do Not Attach 'default' Policy To Generated Tokens", + "group": "Tokens" + } }, - "max_lease_ttl": { + "token_num_uses": { "type": "integer", - "description": "The max lease TTL for this mount." - }, - "options": { - "type": "object", - "description": "The options to pass into the backend. Should be a json object with string keys and values.", - "format": "kvpairs" + "description": "The maximum number of times a token may be used, a value of zero means unlimited", + "x-vault-displayAttrs": { + "name": "Maximum Uses of Generated Tokens", + "group": "Tokens" + } }, - "override_pinned_version": { - "type": "boolean", - "description": "If true, plugin_version will override the pinned version", - "default": false + "token_period": { + "type": "string", + "description": "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. 
\"24h\").", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Period", + "group": "Tokens" + } }, - "passthrough_request_headers": { + "token_policies": { "type": "array", + "description": "Comma-separated list of policies", "items": { "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Generated Token's Policies", + "description": "A list of policies that will apply to the generated token for this user.", + "group": "Tokens" } }, - "plugin_version": { + "token_ttl": { "type": "string", - "description": "The semantic version of the plugin to use, or image tag if oci_image is provided." + "description": "The initial ttl of the token to generate", + "format": "duration", + "x-vault-displayAttrs": { + "name": "Generated Token's Initial TTL", + "group": "Tokens" + } }, "token_type": { "type": "string", - "description": "The type of token to issue (service or batch)." - }, - "trim_request_trailing_slashes": { - "type": "boolean" - }, - "user_lockout_counter_reset_duration": { - "type": "integer", - "format": "int64" - }, - "user_lockout_disable": { - "type": "boolean" - }, - "user_lockout_duration": { - "type": "integer", - "format": "int64" - }, - "user_lockout_threshold": { - "type": "integer", - "format": "int64" + "description": "The type of token to generate, service or batch", + "default": "default-service", + "x-vault-displayAttrs": { + "name": "Generated Token's Type", + "group": "Tokens" + } } } }, - "MountsTuneConfigurationParametersRequest": { + "OidcConfigureRequest": { "type": "object", "properties": { - "allowed_managed_keys": { - "type": "array", - "items": { - "type": "string" - } - }, - "allowed_response_headers": { - "type": "array", - "description": "A list of headers to whitelist and allow a plugin to set on responses.", - "items": { - "type": "string" - } + "issuer": { + "type": "string", + "description": "Issuer URL to be used in the iss claim of the token. If not set, Vault's app_addr will be used." 
+ } + } + }, + "OidcIntrospectRequest": { + "type": "object", + "properties": { + "client_id": { + "type": "string", + "description": "Optional client_id to verify" }, - "audit_non_hmac_request_keys": { - "type": "array", - "description": "The list of keys in the request data object that will not be HMAC'd by audit devices.", - "items": { - "type": "string" - } + "token": { + "type": "string", + "description": "Token to verify" + } + } + }, + "OidcListClientsResponse": { + "type": "object", + "properties": { + "key_info": { + "type": "object", + "description": "EAB details keyed by the eab key id", + "format": "map" }, - "audit_non_hmac_response_keys": { + "keys": { "type": "array", - "description": "The list of keys in the response data object that will not be HMAC'd by audit devices.", + "description": "A list of unused eab keys", "items": { "type": "string" } + } + } + }, + "OidcListProvidersResponse": { + "type": "object", + "properties": { + "key_info": { + "type": "object", + "description": "EAB details keyed by the eab key id", + "format": "map" }, - "default_lease_ttl": { - "type": "string", - "description": "The default lease TTL for this mount." - }, - "delegated_auth_accessors": { + "keys": { "type": "array", + "description": "A list of unused eab keys", "items": { "type": "string" } - }, - "description": { - "type": "string", - "description": "User-friendly description for this credential backend." - }, - "identity_token_key": { - "type": "string", - "description": "The name of the key used to sign plugin identity tokens. Defaults to the default key." - }, - "listing_visibility": { + } + } + }, + "OidcProviderAuthorizeWithParametersRequest": { + "type": "object", + "properties": { + "client_id": { "type": "string", - "description": "Determines the visibility of the mount in the UI-specific listing endpoint. Accepted value are 'unauth' and 'hidden', with the empty default ('') behaving like 'hidden'." + "description": "The ID of the requesting client." 
}, - "max_lease_ttl": { + "code_challenge": { "type": "string", - "description": "The max lease TTL for this mount." + "description": "The code challenge derived from the code verifier." }, - "options": { - "type": "object", - "description": "The options to pass into the backend. Should be a json object with string keys and values.", - "format": "kvpairs" + "code_challenge_method": { + "type": "string", + "description": "The method that was used to derive the code challenge. The following methods are supported: 'S256', 'plain'. Defaults to 'plain'.", + "default": "plain" }, - "override_pinned_version": { - "type": "boolean", - "description": "If true, plugin_version will override the pinned version", - "default": false + "max_age": { + "type": "integer", + "description": "The allowable elapsed time in seconds since the last time the end-user was actively authenticated." }, - "passthrough_request_headers": { - "type": "array", - "description": "A list of headers to whitelist and pass from the request to the plugin.", - "items": { - "type": "string" - } + "nonce": { + "type": "string", + "description": "The value that will be returned in the ID token nonce claim after a token exchange." }, - "plugin_version": { + "redirect_uri": { "type": "string", - "description": "The semantic version of the plugin to use, or image tag if oci_image is provided." + "description": "The redirection URI to which the response will be sent." }, - "token_type": { + "response_type": { "type": "string", - "description": "The type of token to issue (service or batch)." + "description": "The OIDC authentication flow to be used. The following response types are supported: 'code'" }, - "trim_request_trailing_slashes": { - "type": "boolean", - "description": "Whether to trim a trailing slash on incoming requests to this mount" + "scope": { + "type": "string", + "description": "A space-delimited, case-sensitive list of scopes to be requested. The 'openid' scope is required." 
}, - "user_lockout_config": { - "type": "object", - "description": "The user lockout configuration to pass into the backend. Should be a json object with string keys and values.", - "format": "map" + "state": { + "type": "string", + "description": "The value used to maintain state between the authentication request and client." } - } + }, + "required": [ + "client_id", + "redirect_uri", + "response_type", + "scope" + ] }, - "NomadConfigureAccessRequest": { + "OidcProviderTokenRequest": { "type": "object", "properties": { - "address": { + "client_id": { "type": "string", - "description": "Nomad server address" + "description": "The ID of the requesting client." }, - "ca_cert": { + "client_secret": { "type": "string", - "description": "CA certificate to use when verifying Nomad server certificate, must be x509 PEM encoded." + "description": "The secret of the requesting client." }, - "client_cert": { + "code": { "type": "string", - "description": "Client certificate used for Nomad's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_key." + "description": "The authorization code received from the provider's authorization endpoint." }, - "client_key": { + "code_verifier": { "type": "string", - "description": "Client key used for Nomad's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert." + "description": "The code verifier associated with the authorization code." }, - "max_token_name_length": { - "type": "integer", - "description": "Max length for name of generated Nomad tokens" + "grant_type": { + "type": "string", + "description": "The authorization grant type. The following grant types are supported: 'authorization_code'." }, - "token": { + "redirect_uri": { "type": "string", - "description": "Token for API calls" + "description": "The callback location where the authentication response was sent." 
} - } + }, + "required": [ + "code", + "grant_type", + "redirect_uri" + ] }, - "NomadConfigureLeaseRequest": { + "OidcRotateKeyRequest": { "type": "object", "properties": { - "max_ttl": { - "type": "string", - "description": "Duration after which the issued token should not be allowed to be renewed", - "format": "duration" - }, - "ttl": { + "verification_ttl": { "type": "string", - "description": "Duration before which the issued token needs renewal", + "description": "Controls how long the public portion of a key will be available for verification after being rotated. Setting verification_ttl here will override the verification_ttl set on the key.", "format": "duration" } } }, - "NomadWriteRoleRequest": { + "OidcWriteAssignmentRequest": { "type": "object", "properties": { - "global": { - "type": "boolean", - "description": "Boolean value describing if the token should be global or not. Defaults to false." - }, - "policies": { + "entity_ids": { "type": "array", - "description": "Comma-separated string or list of policies as previously created in Nomad. Required for 'client' token.", + "description": "Comma separated string or array of identity entity IDs", "items": { "type": "string" } }, - "type": { - "type": "string", - "description": "Which type of token to create: 'client' or 'management'. If a 'management' token, the \"policies\" parameter is not required. 
Defaults to 'client'.", - "default": "client" - } - } - }, - "OauthResourceServerListProfilesResponse": { - "type": "object", - "properties": { - "keys": { + "group_ids": { "type": "array", + "description": "Comma separated string or array of identity group IDs", "items": { "type": "string" } } } }, - "OauthResourceServerReadProfileResponse": { + "OidcWriteClientRequest": { "type": "object", "properties": { - "audiences": { + "access_token_ttl": { + "type": "string", + "description": "The time-to-live for access tokens obtained by the client.", + "format": "duration", + "default": "24h" + }, + "assignments": { "type": "array", - "description": "List of allowed audiences (aud claim).", + "description": "Comma separated string or array of assignment resources.", "items": { "type": "string" } }, - "clock_skew_leeway": { - "type": "string", - "description": "Leeway for clock skew in seconds.", - "format": "duration" - }, - "config_id": { - "type": "string", - "description": "Stable unique identifier for this OAuth Resource Server Configuration profile." - }, - "enabled": { - "type": "boolean", - "description": "Whether this profile is enabled for JWT validation. Disabled profiles are ignored" - }, - "issuer_id": { - "type": "string", - "description": "The issuer ID (iss claim) to validate against." - }, - "jwks_ca_pem": { + "client_type": { "type": "string", - "description": "Optional CA certificate for JWKS URI TLS validation." + "description": "The client type based on its ability to maintain confidentiality of credentials. The following client types are supported: 'confidential', 'public'. Defaults to 'confidential'.", + "default": "confidential" }, - "jwt_type": { + "id_token_ttl": { "type": "string", - "description": "The JWT type: 'access_token' or 'transaction_token'." - }, - "no_default_policy": { - "type": "boolean", - "description": "If true, JWT-authenticated tokens omit the default policy unless it is applied elsewhere." 
- }, - "optional_authorization_details": { - "type": "boolean", - "description": "If true, authorization_details claim is optional for OAuth 2.0 JWTs using this OAuth resource server. By default (false), authorization_details is mandatory." + "description": "The time-to-live for ID tokens obtained by the client.", + "format": "duration", + "default": "24h" }, - "profile_name": { + "key": { "type": "string", - "description": "The name of the OAuth Resource Server Configuration profile." + "description": "A reference to a named key resource. Cannot be modified after creation. Defaults to the 'default' key.", + "default": "default" }, - "public_keys": { + "redirect_uris": { "type": "array", - "description": "List of static public keys with key_id and pem fields", + "description": "Comma separated string or array of redirect URIs used by the client. One of these values must exactly match the redirect_uri parameter value used in each authentication request.", "items": { - "type": "object" + "type": "string" } + } + } + }, + "OidcWriteKeyRequest": { + "type": "object", + "properties": { + "algorithm": { + "type": "string", + "description": "Signing algorithm to use. This will default to RS256.", + "default": "RS256" }, - "supported_algorithms": { + "allowed_client_ids": { "type": "array", - "description": "List of supported signing algorithms.", + "description": "Comma separated string or array of role client ids allowed to use this key for signing. If empty no roles are allowed. If \"*\" all roles are allowed.", "items": { "type": "string" } }, - "use_jwks": { - "type": "boolean", - "description": "If true, use JWKS URI for key validation profile names." + "rotation_period": { + "type": "string", + "description": "How often to generate a new keypair.", + "format": "duration", + "default": "24h" }, - "user_claim": { + "verification_ttl": { "type": "string", - "description": "The claim to use as the user identifier (default: sub)." 
+ "description": "Controls how long the public portion of a key will be available for verification after being rotated.", + "format": "duration", + "default": "24h" } } }, - "OauthResourceServerUpdateProfileRequest": { + "OidcWriteProviderRequest": { "type": "object", "properties": { - "audiences": { + "allowed_client_ids": { "type": "array", - "description": "List of allowed audiences (aud claim).", + "description": "The client IDs that are permitted to use the provider", "items": { "type": "string" } }, - "clock_skew_leeway": { - "type": "string", - "description": "Leeway for clock skew in seconds.", - "format": "duration" - }, - "enabled": { - "type": "boolean", - "description": "Whether this profile is enabled for JWT validation. Disabled profiles are ignored. Default: true.", - "default": true - }, - "issuer_id": { - "type": "string", - "description": "The issuer ID (iss claim) to validate against." - }, - "jwks_ca_pem": { - "type": "string", - "description": "Optional CA certificate for JWKS URI TLS validation." - }, - "jwks_uri": { - "type": "string", - "description": "The JWKS URI to fetch public keys from (required if use_jwks=true)." - }, - "jwt_type": { + "issuer": { "type": "string", - "description": "The JWT type: 'access_token' or 'transaction_token'.", - "default": "access_token" - }, - "no_default_policy": { - "type": "boolean", - "description": "If true, JWT-authenticated tokens omit the default policy unless it is applied elsewhere." - }, - "optional_authorization_details": { - "type": "boolean", - "description": "If true, authorization_details claim is optional for OAuth 2.0 JWTs using this OAuth resource server. By default (false), authorization_details is mandatory." - }, - "public_keys": { - "type": "array", - "description": "List of static public keys with key_id and pem fields (required if use_jwks=false).", - "items": { - "type": "object" - } + "description": "Specifies what will be used for the iss claim of ID tokens." 
}, - "supported_algorithms": { + "scopes_supported": { "type": "array", - "description": "List of supported signing algorithms (e.g., RS256, ES256).", + "description": "The scopes supported for requesting on the provider", "items": { "type": "string" } + } + } + }, + "OidcWriteRoleRequest": { + "type": "object", + "properties": { + "client_id": { + "type": "string", + "description": "Optional client_id" }, - "use_jwks": { - "type": "boolean", - "description": "If true, use JWKS URI for key validation; if false, use static public keys.", - "default": true + "key": { + "type": "string", + "description": "The OIDC key to use for generating tokens. The specified key must already exist." }, - "user_claim": { + "template": { "type": "string", - "description": "The claim to use as the user identifier (default: sub).", - "default": "sub" + "description": "The template string to use for generating tokens. This may be in string-ified JSON or base64 format." + }, + "ttl": { + "type": "string", + "description": "TTL of the tokens generated against the role.", + "format": "duration", + "default": "24h" } }, "required": [ - "issuer_id" + "key" ] }, - "OciConfigureRequest": { + "OidcWriteScopeRequest": { "type": "object", "properties": { - "home_tenancy_id": { + "description": { "type": "string", - "description": "The tenancy id of the account." - } - } - }, - "OciLoginRequest": { - "type": "object", - "properties": { - "request_headers": { + "description": "The description of the scope" + }, + "template": { "type": "string", - "description": "The signed headers of the client" + "description": "The template string to use for the scope. This may be in string-ified JSON or base64 format." } } }, - "OciWriteRoleRequest": { + "OktaConfigureRequest": { "type": "object", "properties": { "alias_metadata": { 
@@ -57511,13 +58522,55 @@ "group": "Tokens" } }, - "ocid_list": { - "type": "array", - "description": "A comma separated list of Group or Dynamic Group OCIDs that are allowed to take this role.", - "items": { - "type": "string" + "api_token": { + "type": "string", + "description": "Okta API key.", + "x-vault-displayAttrs": { + "name": "API Token" + } + }, + "base_url": { + "type": "string", + "description": "The base domain to use for the Okta API. When not specified in the configuration, \"okta.com\" is used.", + "x-vault-displayAttrs": { + "name": "Base URL" + } + }, + "bypass_okta_mfa": { + "type": "boolean", + "description": "When set true, requests by Okta for a MFA check will be bypassed. This also disallows certain status checks on the account, such as whether the password is expired.", + "x-vault-displayAttrs": { + "name": "Bypass Okta MFA" + } + }, + "max_ttl": { + "type": "string", + "description": "Use \"token_max_ttl\" instead. If this and \"token_max_ttl\" are both specified, only \"token_max_ttl\" will be used.", + "format": "duration", + "deprecated": true + }, + "org_name": { + "type": "string", + "description": "Name of the organization to be used in the Okta API.", + "x-vault-displayAttrs": { + "name": "Organization Name" } }, + "organization": { + "type": "string", + "description": "Use org_name instead.", + "deprecated": true + }, + "production": { + "type": "boolean", + "description": "Use base_url instead.", + "deprecated": true + }, + "token": { + "type": "string", + "description": "Use api_token instead.", + "deprecated": true + }, "token_bound_cidrs": { "type": "array", "description": "Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", 
@@ -57575,7 +58628,7 @@ }, "token_policies": { "type": "array", - "description": "Comma-separated list of policies", + "description": "Comma-separated list of policies. This will apply to all tokens generated by this auth method, in addition to any configured for specific users/groups.", "items": { "type": "string" }, 
@@ -57602,1773 +58655,1930 @@ "name": "Generated Token's Type", "group": "Tokens" } + }, + "ttl": { + "type": "string", + "description": "Use \"token_ttl\" instead. If this and \"token_ttl\" are both specified, only \"token_ttl\" will be used.", + "format": "duration", + "deprecated": true } } }, - "OidcConfigureRequest": { + "OktaLoginRequest": { "type": "object", "properties": { - "issuer": { + "nonce": { "type": "string", - "description": "Issuer URL to be used in the iss claim of the token. If not set, Vault's app_addr will be used." + "description": "Nonce provided if performing login that requires number verification challenge. Logins through the vault login CLI command will automatically generate a nonce." + }, + "password": { + "type": "string", + "description": "Password for this user." + }, + "provider": { + "type": "string", + "description": "Preferred factor provider." + }, + "totp": { + "type": "string", + "description": "TOTP passcode." } } }, - "OidcIntrospectRequest": { + "OktaWriteGroupRequest": { "type": "object", "properties": { - "client_id": { + "policies": { + "type": "array", + "description": "Comma-separated list of policies associated to the group.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "description": "A list of policies associated to the group." 
+ } + } + } + }, + "OktaWriteUserRequest": { + "type": "object", + "properties": { + "groups": { + "type": "array", + "description": "List of groups associated with the user.", + "items": { + "type": "string" + } + }, + "policies": { + "type": "array", + "description": "List of policies associated with the user.", + "items": { + "type": "string" + } + } + } + }, + "PatchRequest": { + "type": "object", + "properties": { + "attributes": { + "type": "array", + "description": "A comma-separated list of attribute names to include in the response.", + "items": { + "type": "string" + } + }, + "count": { + "type": "integer", + "description": "The desired number of results per page." + }, + "excludedAttributes": { + "type": "array", + "description": "A comma-separated list of attribute names to exclude from the response.", + "items": { + "type": "string" + } + }, + "startIndex": { + "type": "integer", + "description": "The 1-based index of the first result to return." + } + } + }, + "PersonaCreateRequest": { + "type": "object", + "properties": { + "entity_id": { "type": "string", - "description": "Optional client_id to verify" + "description": "Entity ID to which this persona belongs to" }, - "token": { + "id": { "type": "string", - "description": "Token to verify" + "description": "ID of the persona" + }, + "metadata": { + "type": "object", + "description": "Metadata to be associated with the persona. In CLI, this parameter can be repeated multiple times, and it all gets merged together. 
For example: vault metadata=key1=value1 metadata=key2=value2", + "format": "kvpairs" + }, + "mount_accessor": { + "type": "string", + "description": "Mount accessor to which this persona belongs to" + }, + "name": { + "type": "string", + "description": "Name of the persona" } } }, - "OidcListClientsResponse": { + "PersonaUpdateByIdRequest": { "type": "object", "properties": { - "key_info": { + "entity_id": { + "type": "string", + "description": "Entity ID to which this persona should be tied to" + }, + "metadata": { "type": "object", - "description": "EAB details keyed by the eab key id", - "format": "map" + "description": "Metadata to be associated with the persona. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2", + "format": "kvpairs" + }, + "mount_accessor": { + "type": "string", + "description": "Mount accessor to which this persona belongs to" + }, + "name": { + "type": "string", + "description": "Name of the persona" + } + } + }, + "PkiConfigureAcmeRequest": { + "type": "object", + "properties": { + "allow_role_ext_key_usage": { + "type": "boolean", + "description": "whether the ExtKeyUsage field from a role is used, defaults to false meaning that certificate will be signed with ServerAuth.", + "default": false + }, + "allowed_issuers": { + "type": "array", + "description": "which issuers are allowed for use with ACME; by default, this will only be the primary (default) issuer", + "items": { + "type": "string" + }, + "default": [ + "*" + ] + }, + "allowed_roles": { + "type": "array", + "description": "which roles are allowed for use with ACME; by default via '*', these will be all roles including sign-verbatim; when concrete role names are specified, any default_directory_policy role must be included to allow usage of the default acme directories under /pki/acme/directory and /pki/issuer/:issuer_id/acme/directory.", + "items": { + "type": "string" + }, + 
"default": [ + "*" + ] }, - "keys": { + "challenge_excluded_ip_ranges": { "type": "array", - "description": "A list of unused eab keys", + "description": "List of CIDR blocks that are excluded from ACME challenge validation. IPs within these ranges will be rejected for validation. Can be individual IPs or CIDR notation. This list takes precedence over challenge_permitted_ip_ranges.", "items": { "type": "string" - } - } - } - }, - "OidcListProvidersResponse": { - "type": "object", - "properties": { - "key_info": { - "type": "object", - "description": "EAB details keyed by the eab key id", - "format": "map" + }, + "default": [] }, - "keys": { + "challenge_permitted_ip_ranges": { "type": "array", - "description": "A list of unused eab keys", + "description": "List of CIDR blocks that are permitted for ACME challenge validation. If set, only IPs within these ranges will be allowed for validation. Can be individual IPs or CIDR notation.", "items": { "type": "string" - } + }, + "default": [] + }, + "default_directory_policy": { + "type": "string", + "description": "the policy to be used for non-role-qualified ACME requests; by default ACME issuance will be otherwise unrestricted, equivalent to the sign-verbatim endpoint; one may also specify a role to use as this policy, as \"role:\", the specified role must be allowed by allowed_roles", + "default": "sign-verbatim" + }, + "dns_resolver": { + "type": "string", + "description": "DNS resolver to use for domain resolution on this mount. Defaults to using the default system resolver. 
Must be in the format :, with both parts mandatory.", + "default": "" + }, + "eab_policy": { + "type": "string", + "description": "Specify the policy to use for external account binding behaviour, 'not-required', 'new-account-required' or 'always-required'", + "default": "always-required" + }, + "enabled": { + "type": "boolean", + "description": "whether ACME is enabled, defaults to false meaning that clusters will by default not get ACME support", + "default": false + }, + "max_ttl": { + "type": "string", + "description": "Specify the maximum TTL for ACME certificates. Role TTL values will be limited to this value", + "format": "duration", + "default": 7776000 } } }, - "OidcProviderAuthorizeWithParametersRequest": { + "PkiConfigureAutoTidyRequest": { "type": "object", "properties": { - "client_id": { + "acme_account_safety_buffer": { "type": "string", - "description": "The ID of the requesting client." + "description": "The amount of time that must pass after creation that an account with no orders is marked revoked, and the amount of time after being marked revoked or deactivated.", + "format": "duration", + "default": 2592000 }, - "code_challenge": { + "enabled": { + "type": "boolean", + "description": "Set to true to enable automatic tidy operations." + }, + "interval_duration": { "type": "string", - "description": "The code challenge derived from the code verifier." + "description": "Interval at which to run an auto-tidy operation. This is the time between tidy invocations (after one finishes to the start of the next). Running a manual tidy will reset this duration.", + "format": "duration", + "default": 43200 }, - "code_challenge_method": { + "issuer_safety_buffer": { "type": "string", - "description": "The method that was used to derive the code challenge. The following methods are supported: 'S256', 'plain'. 
Defaults to 'plain'.", - "default": "plain" + "description": "The amount of extra time that must have passed beyond issuer's expiration before it is removed from the backend storage. Defaults to 8760 hours (1 year).", + "format": "duration", + "default": 31536000 }, - "max_age": { - "type": "integer", - "description": "The allowable elapsed time in seconds since the last time the end-user was actively authenticated." + "maintain_stored_certificate_counts": { + "type": "boolean", + "description": "This configures whether stored certificates are counted upon initialization of the backend, and whether during normal operation, a running count of certificates stored is maintained.", + "default": false }, - "nonce": { + "max_startup_backoff_duration": { "type": "string", - "description": "The value that will be returned in the ID token nonce claim after a token exchange." + "description": "The maximum amount of time in seconds auto-tidy will be delayed after startup.", + "format": "duration", + "default": 900 }, - "redirect_uri": { + "min_startup_backoff_duration": { "type": "string", - "description": "The redirection URI to which the response will be sent." + "description": "The minimum amount of time in seconds auto-tidy will be delayed after startup.", + "format": "duration", + "default": 300 }, - "response_type": { + "pause_duration": { "type": "string", - "description": "The OIDC authentication flow to be used. The following response types are supported: 'code'" + "description": "The amount of time to wait between processing certificates. This allows operators to change the execution profile of tidy to take consume less resources by slowing down how long it takes to run. Note that the entire list of certificates will be stored in memory during the entire tidy operation, but resources to read/process/update existing entries will be spread out over a greater period of time. 
By default this is zero seconds.", + "default": "0s" }, - "scope": { + "publish_stored_certificate_count_metrics": { + "type": "boolean", + "description": "This configures whether the stored certificate count is published to the metrics consumer. It does not affect if the stored certificate count is maintained, and if maintained, it will be available on the tidy-status endpoint.", + "default": false + }, + "revocation_queue_safety_buffer": { "type": "string", - "description": "A space-delimited, case-sensitive list of scopes to be requested. The 'openid' scope is required." + "description": "The amount of time that must pass from the cross-cluster revocation request being initiated to when it will be slated for removal. Setting this too low may remove valid revocation requests before the owning cluster has a chance to process them, especially if the cluster is offline.", + "format": "duration", + "default": 172800 }, - "state": { + "safety_buffer": { "type": "string", - "description": "The value used to maintain state between the authentication request and client." + "description": "The amount of extra time that must have passed beyond certificate expiration before it is removed from the backend storage and/or revocation list. Defaults to 72 hours.", + "format": "duration", + "default": 259200 + }, + "tidy_acme": { + "type": "boolean", + "description": "Set to true to enable tidying ACME accounts, orders and authorizations. ACME orders are tidied (deleted) safety_buffer after the certificate associated with them expires, or after the order and relevant authorizations have expired if no certificate was produced. Authorizations are tidied with the corresponding order. When a valid ACME Account is at least acme_account_safety_buffer old, and has no remaining orders associated with it, the account is marked as revoked. 
After another acme_account_safety_buffer has passed from the revocation or deactivation date, a revoked or deactivated ACME account is deleted.", + "default": false + }, + "tidy_cert_metadata": { + "type": "boolean", + "description": "Set to true to enable tidying up certificate metadata" + }, + "tidy_cert_store": { + "type": "boolean", + "description": "Set to true to enable tidying up the certificate store" + }, + "tidy_cmpv2_nonce_store": { + "type": "boolean", + "description": "Set to true to enable tidying up the CMPv2 nonce store" + }, + "tidy_cross_cluster_revoked_certs": { + "type": "boolean", + "description": "Set to true to enable tidying up the cross-cluster revoked certificate store. Only runs on the active primary node." + }, + "tidy_expired_issuers": { + "type": "boolean", + "description": "Set to true to automatically remove expired issuers past the issuer_safety_buffer. No keys will be removed as part of this operation." + }, + "tidy_move_legacy_ca_bundle": { + "type": "boolean", + "description": "Set to true to move the legacy ca_bundle from /config/ca_bundle to /config/ca_bundle.bak. This prevents downgrades to pre-Vault 1.11 versions (as older PKI engines do not know about the new multi-issuer storage layout), but improves the performance on seal wrapped PKI mounts. This will only occur if at least issuer_safety_buffer time has occurred after the initial storage migration. This backup is saved in case of an issue in future migrations. Operators may consider removing it via sys/raw if they desire. The backup will be removed via a DELETE /root call, but note that this removes ALL issuers within the mount (and is thus not desirable in most operational scenarios)." 
+ }, + "tidy_revocation_list": { + "type": "boolean", + "description": "Deprecated; synonym for 'tidy_revoked_certs" + }, + "tidy_revocation_queue": { + "type": "boolean", + "description": "Set to true to remove stale revocation queue entries that haven't been confirmed by any active cluster. Only runs on the active primary node", + "default": false + }, + "tidy_revoked_cert_issuer_associations": { + "type": "boolean", + "description": "Set to true to validate issuer associations on revocation entries. This helps increase the performance of CRL building and OCSP responses." + }, + "tidy_revoked_certs": { + "type": "boolean", + "description": "Set to true to expire all revoked and expired certificates, removing them both from the CRL and from storage. The CRL will be rotated if this causes any values to be removed." } - }, - "required": [ - "client_id", - "redirect_uri", - "response_type", - "scope" - ] + } }, - "OidcProviderTokenRequest": { + "PkiConfigureAutoTidyResponse": { "type": "object", "properties": { - "client_id": { - "type": "string", - "description": "The ID of the requesting client." + "acme_account_safety_buffer": { + "type": "integer", + "description": "Safety buffer after creation after which accounts lacking orders are revoked" }, - "client_secret": { - "type": "string", - "description": "The secret of the requesting client." + "enabled": { + "type": "boolean", + "description": "Specifies whether automatic tidy is enabled or not" }, - "code": { - "type": "string", - "description": "The authorization code received from the provider's authorization endpoint." 
+ "interval_duration": { + "type": "integer", + "description": "Specifies the duration between automatic tidy operation" }, - "code_verifier": { + "issuer_safety_buffer": { + "type": "integer", + "description": "Issuer safety buffer" + }, + "maintain_stored_certificate_counts": { + "type": "boolean" + }, + "max_startup_backoff_duration": { + "type": "integer", + "description": "The maximum amount of time in seconds auto-tidy will be delayed after startup" + }, + "min_startup_backoff_duration": { + "type": "integer", + "description": "The minimum amount of time in seconds auto-tidy will be delayed after startup" + }, + "pause_duration": { "type": "string", - "description": "The code verifier associated with the authorization code." + "description": "Duration to pause between tidying certificates" + }, + "publish_stored_certificate_count_metrics": { + "type": "boolean" + }, + "revocation_queue_safety_buffer": { + "type": "integer" + }, + "safety_buffer": { + "type": "integer", + "description": "Safety buffer time duration" + }, + "tidy_acme": { + "type": "boolean", + "description": "Tidy Unused Acme Accounts, and Orders" + }, + "tidy_cert_metadata": { + "type": "boolean", + "description": "Tidy cert metadata" + }, + "tidy_cert_store": { + "type": "boolean", + "description": "Specifies whether to tidy up the certificate store" + }, + "tidy_cmpv2_nonce_store": { + "type": "boolean", + "description": "Tidy CMPv2 nonce store" + }, + "tidy_cross_cluster_revoked_certs": { + "type": "boolean", + "description": "Tidy the cross-cluster revoked certificate store" + }, + "tidy_expired_issuers": { + "type": "boolean", + "description": "Specifies whether tidy expired issuers" + }, + "tidy_move_legacy_ca_bundle": { + "type": "boolean" + }, + "tidy_revocation_queue": { + "type": "boolean" }, - "grant_type": { - "type": "string", - "description": "The authorization grant type. The following grant types are supported: 'authorization_code'." 
+ "tidy_revoked_cert_issuer_associations": { + "type": "boolean", + "description": "Specifies whether to associate revoked certificates with their corresponding issuers" }, - "redirect_uri": { - "type": "string", - "description": "The callback location where the authentication response was sent." + "tidy_revoked_certs": { + "type": "boolean", + "description": "Specifies whether to remove all invalid and expired certificates from storage" } - }, - "required": [ - "code", - "grant_type", - "redirect_uri" - ] + } }, - "OidcRotateKeyRequest": { + "PkiConfigureCaRequest": { "type": "object", "properties": { - "verification_ttl": { + "pem_bundle": { "type": "string", - "description": "Controls how long the public portion of a key will be available for verification after being rotated. Setting verification_ttl here will override the verification_ttl set on the key.", - "format": "duration" + "description": "PEM-format, concatenated unencrypted secret key and certificate." } } }, - "OidcWriteAssignmentRequest": { + "PkiConfigureCaResponse": { "type": "object", "properties": { - "entity_ids": { + "existing_issuers": { "type": "array", - "description": "Comma separated string or array of identity entity IDs", + "description": "Existing issuers specified as part of the import bundle of this request", "items": { "type": "string" } }, - "group_ids": { + "existing_keys": { "type": "array", - "description": "Comma separated string or array of identity group IDs", + "description": "Existing keys specified as part of the import bundle of this request", "items": { "type": "string" } - } - } - }, - "OidcWriteClientRequest": { - "type": "object", - "properties": { - "access_token_ttl": { - "type": "string", - "description": "The time-to-live for access tokens obtained by the client.", - "format": "duration", - "default": "24h" }, - "assignments": { + "imported_issuers": { "type": "array", - "description": "Comma separated string or array of assignment resources.", + "description": 
"Net-new issuers imported as a part of this request", "items": { "type": "string" } }, - "client_type": { - "type": "string", - "description": "The client type based on its ability to maintain confidentiality of credentials. The following client types are supported: 'confidential', 'public'. Defaults to 'confidential'.", - "default": "confidential" - }, - "id_token_ttl": { - "type": "string", - "description": "The time-to-live for ID tokens obtained by the client.", - "format": "duration", - "default": "24h" - }, - "key": { - "type": "string", - "description": "A reference to a named key resource. Cannot be modified after creation. Defaults to the 'default' key.", - "default": "default" - }, - "redirect_uris": { + "imported_keys": { "type": "array", - "description": "Comma separated string or array of redirect URIs used by the client. One of these values must exactly match the redirect_uri parameter value used in each authentication request.", + "description": "Net-new keys imported as a part of this request", "items": { "type": "string" } + }, + "mapping": { + "type": "object", + "description": "A mapping of issuer_id to key_id for all issuers included in this request", + "format": "map" } } }, - "OidcWriteKeyRequest": { + "PkiConfigureClusterRequest": { "type": "object", "properties": { - "algorithm": { + "aia_path": { "type": "string", - "description": "Signing algorithm to use. This will default to RS256.", - "default": "RS256" - }, - "allowed_client_ids": { - "type": "array", - "description": "Comma separated string or array of role client ids allowed to use this key for signing. If empty no roles are allowed. If \"*\" all roles are allowed.", - "items": { - "type": "string" - } + "description": "Optional URI to this mount's AIA distribution point; may refer to an external non-Vault responder. This is for resolving AIA URLs and providing the {{cluster_aia_path}} template parameter and will not be used for other purposes. 
As such, unlike path above, this could safely be an insecure transit mechanism (like HTTP without TLS). For example: http://cdn.example.com/pr1/pki" }, - "rotation_period": { + "path": { "type": "string", - "description": "How often to generate a new keypair.", - "format": "duration", - "default": "24h" + "description": "Canonical URI to this mount on this performance replication cluster's external address. This is for resolving AIA URLs and providing the {{cluster_path}} template parameter but might be used for other purposes in the future. This should only point back to this particular PR replica and should not ever point to another PR cluster. It may point to any node in the PR replica, including standby nodes, and need not always point to the active node. For example: https://pr1.vault.example.com:8200/v1/pki" + } + } + }, + "PkiConfigureClusterResponse": { + "type": "object", + "properties": { + "aia_path": { + "type": "string", + "description": "Optional URI to this mount's AIA distribution point; may refer to an external non-Vault responder. This is for resolving AIA URLs and providing the {{cluster_aia_path}} template parameter and will not be used for other purposes. As such, unlike path above, this could safely be an insecure transit mechanism (like HTTP without TLS). For example: http://cdn.example.com/pr1/pki" }, - "verification_ttl": { + "path": { "type": "string", - "description": "Controls how long the public portion of a key will be available for verification after being rotated.", - "format": "duration", - "default": "24h" + "description": "Canonical URI to this mount on this performance replication cluster's external address. This is for resolving AIA URLs and providing the {{cluster_path}} template parameter but might be used for other purposes in the future. This should only point back to this particular PR replica and should not ever point to another PR cluster. 
It may point to any node in the PR replica, including standby nodes, and need not always point to the active node. For example: https://pr1.vault.example.com:8200/v1/pki" } } }, - "OidcWriteProviderRequest": { + "PkiConfigureCmpRequest": { "type": "object", "properties": { - "allowed_client_ids": { + "audit_fields": { "type": "array", - "description": "The client IDs that are permitted to use the provider", + "description": "Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. Options are: [csr common_name alt_names ip_sans uri_sans other_sans signature_bits exclude_cn_from_sans ou organization country locality province street_address postal_code serial_number use_pss key_type key_bits add_basic_constraints]", "items": { "type": "string" - } + }, + "default": [ + "common_name", + "alt_names", + "ip_sans", + "uri_sans" + ] }, - "issuer": { + "authenticators": { + "type": "object", + "description": "A map of authentication type to authentication parameters", + "format": "map" + }, + "default_path_policy": { "type": "string", - "description": "Specifies what will be used for the iss claim of ID tokens." + "description": "the policy to be used for non-role-qualified CMP requests; valid values are 'sign-verbatim ', or \"role:\" to specify a role to use as this policy." }, - "scopes_supported": { + "disabled_validations": { "type": "array", - "description": "The scopes supported for requesting on the provider", + "description": "A comma-separated list of validations not to perform on CMPv2 messages. 
Possible entries are DisableCertTimeValidation and DisableMatchingKeyIdValidation.", "items": { "type": "string" } + }, + "enable_sentinel_parsing": { + "type": "boolean", + "description": "Parse CSR to that its fields can be used by sentinel policies.", + "default": false + }, + "enabled": { + "type": "boolean", + "description": "whether CMPv2 is enabled, defaults to false", + "default": false } } }, - "OidcWriteRoleRequest": { + "PkiConfigureCrlRequest": { "type": "object", "properties": { - "client_id": { - "type": "string", - "description": "Optional client_id" + "auto_rebuild": { + "type": "boolean", + "description": "If set to true, enables automatic rebuilding of the CRL" }, - "key": { + "auto_rebuild_grace_period": { "type": "string", - "description": "The OIDC key to use for generating tokens. The specified key must already exist." + "description": "The time before the CRL expires to automatically rebuild it, when enabled. Must be shorter than the CRL expiry. Defaults to 12h.", + "default": "12h" }, - "template": { - "type": "string", - "description": "The template string to use for generating tokens. This may be in string-ified JSON or base64 format." + "cross_cluster_revocation": { + "type": "boolean", + "description": "Whether to enable a global, cross-cluster revocation queue. Must be used with auto_rebuild=true." }, - "ttl": { + "delta_rebuild_interval": { "type": "string", - "description": "TTL of the tokens generated against the role.", - "format": "duration", - "default": "24h" - } - }, - "required": [ - "key" - ] - }, - "OidcWriteScopeRequest": { - "type": "object", - "properties": { - "description": { + "description": "The time between delta CRL rebuilds if a new revocation has occurred. Must be shorter than the CRL expiry. Defaults to 15m.", + "default": "15m" + }, + "disable": { + "type": "boolean", + "description": "If set to true, disables generating the CRL entirely." 
+ }, + "enable_delta": { + "type": "boolean", + "description": "Whether to enable delta CRLs between authoritative CRL rebuilds" + }, + "expiry": { "type": "string", - "description": "The description of the scope" + "description": "The amount of time the generated CRL should be valid; defaults to 72 hours", + "default": "72h" }, - "template": { + "max_crl_entries": { + "type": "integer", + "description": "The maximum number of entries the CRL can contain. This is meant as a guard against accidental runaway revocations overloading Vault storage. If this limit is exceeded writing the CRL will fail. If set to -1 this limit is disabled.", + "default": 100000 + }, + "ocsp_disable": { + "type": "boolean", + "description": "If set to true, ocsp unauthorized responses will be returned." + }, + "ocsp_expiry": { "type": "string", - "description": "The template string to use for the scope. This may be in string-ified JSON or base64 format." + "description": "The amount of time an OCSP response will be valid (controls the NextUpdate field); defaults to 12 hours", + "default": "1h" + }, + "unified_crl": { + "type": "boolean", + "description": "If set to true enables global replication of revocation entries, also enabling unified versions of OCSP and CRLs if their respective features are enabled. disable for CRLs and ocsp_disable for OCSP.", + "default": "false" + }, + "unified_crl_on_existing_paths": { + "type": "boolean", + "description": "If set to true, existing CRL and OCSP paths will return the unified CRL instead of a response based on cluster-local data", + "default": "false" } } }, - "OktaConfigureRequest": { + "PkiConfigureCrlResponse": { "type": "object", "properties": { - "alias_metadata": { - "type": "object", - "description": "The metadata to be tied to generated entity alias. 
This should be a list or map containing the metadata in key value pairs", - "format": "kvpairs", - "x-vault-displayAttrs": { - "name": "Token Alias Metadata", - "group": "Tokens" - } + "auto_rebuild": { + "type": "boolean", + "description": "If set to true, enables automatic rebuilding of the CRL" }, - "api_token": { + "auto_rebuild_grace_period": { "type": "string", - "description": "Okta API key.", - "x-vault-displayAttrs": { - "name": "API Token" - } + "description": "The time before the CRL expires to automatically rebuild it, when enabled. Must be shorter than the CRL expiry. Defaults to 12h.", + "default": "12h" }, - "base_url": { + "cross_cluster_revocation": { + "type": "boolean", + "description": "Whether to enable a global, cross-cluster revocation queue. Must be used with auto_rebuild=true." + }, + "delta_rebuild_interval": { "type": "string", - "description": "The base domain to use for the Okta API. When not specified in the configuration, \"okta.com\" is used.", - "x-vault-displayAttrs": { - "name": "Base URL" - } + "description": "The time between delta CRL rebuilds if a new revocation has occurred. Must be shorter than the CRL expiry. Defaults to 15m.", + "default": "15m" }, - "bypass_okta_mfa": { + "disable": { "type": "boolean", - "description": "When set true, requests by Okta for a MFA check will be bypassed. This also disallows certain status checks on the account, such as whether the password is expired.", - "x-vault-displayAttrs": { - "name": "Bypass Okta MFA" - } + "description": "If set to true, disables generating the CRL entirely." }, - "max_ttl": { - "type": "string", - "description": "Use \"token_max_ttl\" instead. 
If this and \"token_max_ttl\" are both specified, only \"token_max_ttl\" will be used.", - "format": "duration", - "deprecated": true + "enable_delta": { + "type": "boolean", + "description": "Whether to enable delta CRLs between authoritative CRL rebuilds" }, - "org_name": { + "expiry": { "type": "string", - "description": "Name of the organization to be used in the Okta API.", - "x-vault-displayAttrs": { - "name": "Organization Name" - } + "description": "The amount of time the generated CRL should be valid; defaults to 72 hours", + "default": "72h" }, - "organization": { - "type": "string", - "description": "Use org_name instead.", - "deprecated": true + "max_crl_entries": { + "type": "integer", + "description": "The maximum number of entries the CRL can contain. This is meant as a guard against accidental runaway revocations overloading Vault storage. If this limit is exceeded writing the CRL will fail. If set to -1 this limit is disabled.", + "default": 100000 }, - "production": { + "ocsp_disable": { "type": "boolean", - "description": "Use base_url instead.", - "deprecated": true + "description": "If set to true, ocsp unauthorized responses will be returned." }, - "token": { + "ocsp_expiry": { "type": "string", - "description": "Use api_token instead.", - "deprecated": true + "description": "The amount of time an OCSP response will be valid (controls the NextUpdate field); defaults to 12 hours", + "default": "1h" }, - "token_bound_cidrs": { + "unified_crl": { + "type": "boolean", + "description": "If set to true enables global replication of revocation entries, also enabling unified versions of OCSP and CRLs if their respective features are enabled. 
disable for CRLs and ocsp_disable for OCSP.", + "default": "false" + }, + "unified_crl_on_existing_paths": { + "type": "boolean", + "description": "If set to true, existing CRL and OCSP paths will return the unified CRL instead of a response based on cluster-local data", + "default": "false" + } + } + }, + "PkiConfigureEstRequest": { + "type": "object", + "properties": { + "audit_fields": { "type": "array", - "description": "Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", + "description": "Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. Options are: [csr common_name alt_names ip_sans uri_sans other_sans signature_bits exclude_cn_from_sans ou organization country locality province street_address postal_code serial_number use_pss key_type key_bits add_basic_constraints]", "items": { "type": "string" }, - "x-vault-displayAttrs": { - "name": "Generated Token's Bound CIDRs", - "description": "A list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.", - "group": "Tokens" - } + "default": [ + "common_name", + "alt_names", + "ip_sans", + "uri_sans" + ] }, - "token_explicit_max_ttl": { - "type": "string", - "description": "If set, tokens created via this role carry an explicit maximum TTL. 
During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.", - "format": "duration", - "x-vault-displayAttrs": { - "name": "Generated Token's Explicit Maximum TTL", - "group": "Tokens" - } + "authenticators": { + "type": "object", + "description": "A map of authentication type to authentication parameters", + "format": "map" }, - "token_max_ttl": { + "default_mount": { + "type": "boolean", + "description": "Indicates if this mount owns the .well-known/est mount path", + "default": false + }, + "default_path_policy": { "type": "string", - "description": "The maximum lifetime of the generated token", - "format": "duration", - "x-vault-displayAttrs": { - "name": "Generated Token's Maximum TTL", - "group": "Tokens" - } + "description": "the policy of the default EST responder path, required if default_mount is true" }, - "token_no_default_policy": { + "enable_sentinel_parsing": { "type": "boolean", - "description": "If true, the 'default' policy will not automatically be added to generated tokens", - "x-vault-displayAttrs": { - "name": "Do Not Attach 'default' Policy To Generated Tokens", - "group": "Tokens" - } + "description": "Parse CSR to that its fields can be used by sentinel policies.", + "default": false }, - "token_num_uses": { - "type": "integer", - "description": "The maximum number of times a token may be used, a value of zero means unlimited", - "x-vault-displayAttrs": { - "name": "Maximum Uses of Generated Tokens", - "group": "Tokens" - } + "enabled": { + "type": "boolean", + "description": "whether EST is enabled, defaults to false", + "default": false }, - "token_period": { + "label_to_path_policy": { + "type": "object", + "description": "The EST label to register and its associated role path", + "format": "map" + } + } + }, + "PkiConfigureExternalPolicyRequest": { + "type": "object", + "properties": { + "enabled": { + "type": 
"boolean", + "description": "Whether the external validation engine is enabled at all for this mount", + "default": false + }, + "entity_jmespath": { "type": "string", - "description": "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. \"24h\").", - "format": "duration", - "x-vault-displayAttrs": { - "name": "Generated Token's Period", - "group": "Tokens" - } + "description": "A JMESPath search string that will extract the entity meta data to be sent to the CIEPS service. If blank, none of the entity metadata will be sent to the service.", + "default": "" }, - "token_policies": { - "type": "array", - "description": "Comma-separated list of policies. This will apply to all tokens generated by this auth method, in addition to any configured for specific users/groups.", - "items": { - "type": "string" - }, - "x-vault-displayAttrs": { - "name": "Generated Token's Policies", - "description": "A list of policies that will apply to the generated token for this user.", - "group": "Tokens" - } + "external_service_url": { + "type": "string", + "description": "The URL where the external policy service is accessible to vault", + "default": "" }, - "token_ttl": { + "group_jmespath": { "type": "string", - "description": "The initial ttl of the token to generate", + "description": "A JMESPath search string that will extract the entity group information to be sent to the CIEPS service. 
If blank, none of the group entity metadata will be sent to the service.", + "default": "" + }, + "timeout": { + "type": "string", + "description": "This is how long any particular request should wait for a timeout", "format": "duration", - "x-vault-displayAttrs": { - "name": "Generated Token's Initial TTL", - "group": "Tokens" - } + "default": 15 }, - "token_type": { + "trusted_ca": { "type": "string", - "description": "The type of token to generate, service or batch", - "default": "default-service", - "x-vault-displayAttrs": { - "name": "Generated Token's Type", - "group": "Tokens" - } + "description": "If this is set, vault will trust any leaf-certificate issued by this certificate to be the external policy service", + "default": "" }, - "ttl": { + "trusted_leaf_certificate_bundle": { "type": "string", - "description": "Use \"token_ttl\" instead. If this and \"token_ttl\" are both specified, only \"token_ttl\" will be used.", - "format": "duration", - "deprecated": true + "description": "This is the PEM of the leaf certificate(s) that vault will expect to do certificate pinning", + "default": "" + }, + "vault_client_cert_bundle": { + "type": "string", + "description": "The vault client certificate used to authenticate vault to the external policy engine, and theprivate key to use it.", + "default": "" } } }, - "OktaLoginRequest": { + "PkiConfigureExternalPolicyResponse": { "type": "object", "properties": { - "nonce": { + "enabled": { + "type": "boolean", + "description": "Whether the external validation engine is enabled at all for this mount", + "default": false + }, + "entity_jmespath": { "type": "string", - "description": "Nonce provided if performing login that requires number verification challenge. Logins through the vault login CLI command will automatically generate a nonce." + "description": "A JMESPath search string that will extract the entity meta data to be sent to the CIEPS service. 
If blank, none of the entity metadata will be sent to the service.", + "default": "" }, - "password": { + "external_service_last_updated": { "type": "string", - "description": "Password for this user." + "description": "Timestamp of the last update of the external policy engine configuration, (empty if never configured)" }, - "provider": { + "external_service_url": { "type": "string", - "description": "Preferred factor provider." + "description": "The URL where the external policy service is accessible to vault", + "default": "" }, - "totp": { + "external_service_validated": { + "type": "boolean", + "description": "Has the current user configuration been successfully used since the last update" + }, + "group_jmespath": { "type": "string", - "description": "TOTP passcode." - } - } - }, - "OktaWriteGroupRequest": { - "type": "object", - "properties": { - "policies": { - "type": "array", - "description": "Comma-separated list of policies associated to the group.", - "items": { - "type": "string" - }, - "x-vault-displayAttrs": { - "description": "A list of policies associated to the group." - } + "description": "A JMESPath search string that will extract the entity group information to be sent to the CIEPS service. 
If blank, none of the group entity metadata will be sent to the service.", + "default": "" + }, + "last_successful_request": { + "type": "string", + "description": "Timestamp of the last successful request with the policy engine (empty if no request has succeeded on this mount)" + }, + "timeout": { + "type": "string", + "description": "This is how long any particular request should wait for a timeout", + "format": "duration", + "default": 15 + }, + "trusted_ca": { + "type": "string", + "description": "If this is set, vault will trust any leaf-certificate issued by this certificate to be the external policy service", + "default": "" + }, + "trusted_leaf_certificate_bundle": { + "type": "string", + "description": "This is the PEM of the leaf certificate(s) that vault will expect to do certificate pinning", + "default": "" + }, + "vault_client_cert_bundle_no_keys": { + "type": "string", + "description": "The vault client certificate used to authenticate vault to the external policy engine", + "default": "" } } }, - "OktaWriteUserRequest": { + "PkiConfigureIssuersRequest": { "type": "object", "properties": { - "groups": { - "type": "array", - "description": "List of groups associated with the user.", - "items": { - "type": "string" - } + "default": { + "type": "string", + "description": "Reference (name or identifier) to the default issuer." }, - "policies": { - "type": "array", - "description": "List of policies associated with the user.", - "items": { - "type": "string" - } + "default_follows_latest_issuer": { + "type": "boolean", + "description": "Whether the default issuer should automatically follow the latest generated or imported issuer. 
Defaults to false.", + "default": false } } }, - "PatchRequest": { + "PkiConfigureIssuersResponse": { "type": "object", "properties": { - "attributes": { - "type": "array", - "description": "A comma-separated list of attribute names to include in the response.", - "items": { - "type": "string" - } - }, - "count": { - "type": "integer", - "description": "The desired number of results per page." - }, - "excludedAttributes": { - "type": "array", - "description": "A comma-separated list of attribute names to exclude from the response.", - "items": { - "type": "string" - } + "default": { + "type": "string", + "description": "Reference (name or identifier) to the default issuer." }, - "startIndex": { - "type": "integer", - "description": "The 1-based index of the first result to return." + "default_follows_latest_issuer": { + "type": "boolean", + "description": "Whether the default issuer should automatically follow the latest generated or imported issuer. Defaults to false." } } }, - "PersonaCreateRequest": { + "PkiConfigureKeysRequest": { "type": "object", "properties": { - "entity_id": { - "type": "string", - "description": "Entity ID to which this persona belongs to" - }, - "id": { - "type": "string", - "description": "ID of the persona" - }, - "metadata": { - "type": "object", - "description": "Metadata to be associated with the persona. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2", - "format": "kvpairs" - }, - "mount_accessor": { - "type": "string", - "description": "Mount accessor to which this persona belongs to" - }, - "name": { + "default": { "type": "string", - "description": "Name of the persona" + "description": "Reference (name or identifier) of the default key." 
} } }, - "PersonaUpdateByIdRequest": { + "PkiConfigureKeysResponse": { "type": "object", "properties": { - "entity_id": { - "type": "string", - "description": "Entity ID to which this persona should be tied to" - }, - "metadata": { - "type": "object", - "description": "Metadata to be associated with the persona. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2", - "format": "kvpairs" - }, - "mount_accessor": { - "type": "string", - "description": "Mount accessor to which this persona belongs to" - }, - "name": { + "default": { "type": "string", - "description": "Name of the persona" + "description": "Reference (name or identifier) to the default issuer." } } }, - "PkiConfigureAcmeRequest": { + "PkiConfigureScepRequest": { "type": "object", "properties": { - "allow_role_ext_key_usage": { - "type": "boolean", - "description": "whether the ExtKeyUsage field from a role is used, defaults to false meaning that certificate will be signed with ServerAuth.", - "default": false - }, - "allowed_issuers": { + "allowed_digest_algorithms": { "type": "array", - "description": "which issuers are allowed for use with ACME; by default, this will only be the primary (default) issuer", + "description": "the list of allowed digest algorithms for SCEP requests", "items": { "type": "string" }, - "default": [ - "*" + "enum": [ + "sha-1", + "sha-256", + "sha-384", + "sha-512" ] }, - "allowed_roles": { + "allowed_encryption_algorithms": { "type": "array", - "description": "which roles are allowed for use with ACME; by default via '*', these will be all roles including sign-verbatim; when concrete role names are specified, any default_directory_policy role must be included to allow usage of the default acme directories under /pki/acme/directory and /pki/issuer/:issuer_id/acme/directory.", + "description": "the list of allowed encryption algorithms for SCEP requests", "items": { "type": 
"string" }, - "default": [ - "*" + "enum": [ + "des-cbc", + "3des-cbc", + "aes128-cbc", + "aes256-cbc", + "aes128-gcm", + "aes256-gcm" ] }, - "challenge_excluded_ip_ranges": { - "type": "array", - "description": "List of CIDR blocks that are excluded from ACME challenge validation. IPs within these ranges will be rejected for validation. Can be individual IPs or CIDR notation. This list takes precedence over challenge_permitted_ip_ranges.", - "items": { - "type": "string" - }, - "default": [] - }, - "challenge_permitted_ip_ranges": { - "type": "array", - "description": "List of CIDR blocks that are permitted for ACME challenge validation. If set, only IPs within these ranges will be allowed for validation. Can be individual IPs or CIDR notation.", - "items": { - "type": "string" - }, - "default": [] - }, - "default_directory_policy": { - "type": "string", - "description": "the policy to be used for non-role-qualified ACME requests; by default ACME issuance will be otherwise unrestricted, equivalent to the sign-verbatim endpoint; one may also specify a role to use as this policy, as \"role:\", the specified role must be allowed by allowed_roles", - "default": "sign-verbatim" - }, - "dns_resolver": { - "type": "string", - "description": "DNS resolver to use for domain resolution on this mount. Defaults to using the default system resolver. 
Must be in the format :, with both parts mandatory.", - "default": "" - }, - "eab_policy": { - "type": "string", - "description": "Specify the policy to use for external account binding behaviour, 'not-required', 'new-account-required' or 'always-required'", - "default": "always-required" - }, - "enabled": { - "type": "boolean", - "description": "whether ACME is enabled, defaults to false meaning that clusters will by default not get ACME support", - "default": false + "authenticators": { + "type": "object", + "description": "A map of authentication type to authentication parameters", + "format": "map" }, - "max_ttl": { - "type": "string", - "description": "Specify the maximum TTL for ACME certificates. Role TTL values will be limited to this value", - "format": "duration", - "default": 7776000 - } - } - }, - "PkiConfigureAutoTidyRequest": { - "type": "object", - "properties": { - "acme_account_safety_buffer": { + "default_path_policy": { "type": "string", - "description": "The amount of time that must pass after creation that an account with no orders is marked revoked, and the amount of time after being marked revoked or deactivated.", - "format": "duration", - "default": 2592000 + "description": "the policy to be used for non-role-qualified SCEP requests; valid values are 'sign-verbatim', or \"role:\" to specify a role to use as this policy." }, "enabled": { "type": "boolean", - "description": "Set to true to enable automatic tidy operations." - }, - "interval_duration": { - "type": "string", - "description": "Interval at which to run an auto-tidy operation. This is the time between tidy invocations (after one finishes to the start of the next). Running a manual tidy will reset this duration.", - "format": "duration", - "default": 43200 - }, - "issuer_safety_buffer": { - "type": "string", - "description": "The amount of extra time that must have passed beyond issuer's expiration before it is removed from the backend storage. 
Defaults to 8760 hours (1 year).", - "format": "duration", - "default": 31536000 - }, - "maintain_stored_certificate_counts": { - "type": "boolean", - "description": "This configures whether stored certificates are counted upon initialization of the backend, and whether during normal operation, a running count of certificates stored is maintained.", - "default": false - }, - "max_startup_backoff_duration": { - "type": "string", - "description": "The maximum amount of time in seconds auto-tidy will be delayed after startup.", - "format": "duration", - "default": 900 - }, - "min_startup_backoff_duration": { - "type": "string", - "description": "The minimum amount of time in seconds auto-tidy will be delayed after startup.", - "format": "duration", - "default": 300 - }, - "pause_duration": { - "type": "string", - "description": "The amount of time to wait between processing certificates. This allows operators to change the execution profile of tidy to take consume less resources by slowing down how long it takes to run. Note that the entire list of certificates will be stored in memory during the entire tidy operation, but resources to read/process/update existing entries will be spread out over a greater period of time. By default this is zero seconds.", - "default": "0s" - }, - "publish_stored_certificate_count_metrics": { - "type": "boolean", - "description": "This configures whether the stored certificate count is published to the metrics consumer. It does not affect if the stored certificate count is maintained, and if maintained, it will be available on the tidy-status endpoint.", + "description": "whether SCEP is enabled, defaults to false", "default": false }, - "revocation_queue_safety_buffer": { - "type": "string", - "description": "The amount of time that must pass from the cross-cluster revocation request being initiated to when it will be slated for removal. 
Setting this too low may remove valid revocation requests before the owning cluster has a chance to process them, especially if the cluster is offline.", - "format": "duration", - "default": 172800 + "external_validation": { + "type": "object", + "description": "A map that specifies 3rd party validation of SCEP requests", + "format": "map" }, - "safety_buffer": { + "log_level": { "type": "string", - "description": "The amount of extra time that must have passed beyond certificate expiration before it is removed from the backend storage and/or revocation list. Defaults to 72 hours.", - "format": "duration", - "default": 259200 - }, - "tidy_acme": { - "type": "boolean", - "description": "Set to true to enable tidying ACME accounts, orders and authorizations. ACME orders are tidied (deleted) safety_buffer after the certificate associated with them expires, or after the order and relevant authorizations have expired if no certificate was produced. Authorizations are tidied with the corresponding order. When a valid ACME Account is at least acme_account_safety_buffer old, and has no remaining orders associated with it, the account is marked as revoked. 
After another acme_account_safety_buffer has passed from the revocation or deactivation date, a revoked or deactivated ACME account is deleted.", - "default": false - }, - "tidy_cert_metadata": { - "type": "boolean", - "description": "Set to true to enable tidying up certificate metadata" + "description": "the log level to use for logging SCEP-specific requests, reset to vault-default by setting this to the empty string", + "default": "" }, - "tidy_cert_store": { + "restrict_ca_chain_to_issuer": { "type": "boolean", - "description": "Set to true to enable tidying up the certificate store" + "description": "if true, only return the issuer CA, otherwise the entire CA certificate chain will be returned if available from the PKI mount" + } + } + }, + "PkiConfigureUrlsRequest": { + "type": "object", + "properties": { + "crl_distribution_points": { + "type": "array", + "description": "Comma-separated list of URLs to be used for the CRL distribution points attribute. See also RFC 5280 Section 4.2.1.13.", + "items": { + "type": "string" + } }, - "tidy_cmpv2_nonce_store": { - "type": "boolean", - "description": "Set to true to enable tidying up the CMPv2 nonce store" + "delta_crl_distribution_points": { + "type": "array", + "description": "Comma-separated list of URLs to be used for the Delta CRL distribution points attribute. See also RFC 5280 Section 4.2.1.15.", + "items": { + "type": "string" + } }, - "tidy_cross_cluster_revoked_certs": { + "enable_templating": { "type": "boolean", - "description": "Set to true to enable tidying up the cross-cluster revoked certificate store. Only runs on the active primary node." + "description": "Whether or not to enabling templating of the above AIA fields. When templating is enabled the special values '{{issuer_id}}', '{{cluster_path}}', and '{{cluster_aia_path}}' are available, but the addresses are not checked for URI validity until issuance time. 
Using '{{cluster_path}}' requires /config/cluster's 'path' member to be set on all PR Secondary clusters and using '{{cluster_aia_path}}' requires /config/cluster's 'aia_path' member to be set on all PR secondary clusters.", + "default": false }, - "tidy_expired_issuers": { - "type": "boolean", - "description": "Set to true to automatically remove expired issuers past the issuer_safety_buffer. No keys will be removed as part of this operation." + "issuing_certificates": { + "type": "array", + "description": "Comma-separated list of URLs to be used for the issuing certificate attribute. See also RFC 5280 Section 4.2.2.1.", + "items": { + "type": "string" + } }, - "tidy_move_legacy_ca_bundle": { - "type": "boolean", - "description": "Set to true to move the legacy ca_bundle from /config/ca_bundle to /config/ca_bundle.bak. This prevents downgrades to pre-Vault 1.11 versions (as older PKI engines do not know about the new multi-issuer storage layout), but improves the performance on seal wrapped PKI mounts. This will only occur if at least issuer_safety_buffer time has occurred after the initial storage migration. This backup is saved in case of an issue in future migrations. Operators may consider removing it via sys/raw if they desire. The backup will be removed via a DELETE /root call, but note that this removes ALL issuers within the mount (and is thus not desirable in most operational scenarios)." + "ocsp_servers": { + "type": "array", + "description": "Comma-separated list of URLs to be used for the OCSP servers attribute. See also RFC 5280 Section 4.2.2.1.", + "items": { + "type": "string" + } + } + } + }, + "PkiConfigureUrlsResponse": { + "type": "object", + "properties": { + "crl_distribution_points": { + "type": "array", + "description": "Comma-separated list of URLs to be used for the CRL distribution points attribute. 
See also RFC 5280 Section 4.2.1.13.", + "items": { + "type": "string" + } }, - "tidy_revocation_list": { - "type": "boolean", - "description": "Deprecated; synonym for 'tidy_revoked_certs" + "delta_crl_distribution_points": { + "type": "array", + "description": "Comma-separated list of URLs to be used for the Delta CRL distribution points attribute. See also RFC 5280 Section 4.2.1.15.", + "items": { + "type": "string" + } }, - "tidy_revocation_queue": { + "enable_templating": { "type": "boolean", - "description": "Set to true to remove stale revocation queue entries that haven't been confirmed by any active cluster. Only runs on the active primary node", + "description": "Whether or not to enabling templating of the above AIA fields. When templating is enabled the special values '{{issuer_id}}' and '{{cluster_path}}' are available, but the addresses are not checked for URI validity until issuance time. This requires /config/cluster's path to be set on all PR Secondary clusters.", "default": false }, - "tidy_revoked_cert_issuer_associations": { - "type": "boolean", - "description": "Set to true to validate issuer associations on revocation entries. This helps increase the performance of CRL building and OCSP responses." + "issuing_certificates": { + "type": "array", + "description": "Comma-separated list of URLs to be used for the issuing certificate attribute. See also RFC 5280 Section 4.2.2.1.", + "items": { + "type": "string" + } }, - "tidy_revoked_certs": { - "type": "boolean", - "description": "Set to true to expire all revoked and expired certificates, removing them both from the CRL and from storage. The CRL will be rotated if this causes any values to be removed." + "ocsp_servers": { + "type": "array", + "description": "Comma-separated list of URLs to be used for the OCSP servers attribute. 
See also RFC 5280 Section 4.2.2.1.", + "items": { + "type": "string" + } } } }, - "PkiConfigureAutoTidyResponse": { + "PkiCrossSignIntermediateRequest": { "type": "object", "properties": { - "acme_account_safety_buffer": { - "type": "integer", - "description": "Safety buffer after creation after which accounts lacking orders are revoked" - }, - "enabled": { + "add_basic_constraints": { "type": "boolean", - "description": "Specifies whether automatic tidy is enabled or not" - }, - "interval_duration": { - "type": "integer", - "description": "Specifies the duration between automatic tidy operation" + "description": "Whether to add a Basic Constraints extension with CA: true. Only needed as a workaround in some compatibility scenarios with Active Directory Certificate Services." }, - "issuer_safety_buffer": { - "type": "integer", - "description": "Issuer safety buffer" + "alt_names": { + "type": "string", + "description": "The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.", + "x-vault-displayAttrs": { + "name": "DNS/Email Subject Alternative Names (SANs)" + } }, - "maintain_stored_certificate_counts": { - "type": "boolean" + "common_name": { + "type": "string", + "description": "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans." 
}, - "max_startup_backoff_duration": { - "type": "integer", - "description": "The maximum amount of time in seconds auto-tidy will be delayed after startup" + "country": { + "type": "array", + "description": "If set, Country will be set to this value.", + "items": { + "type": "string" + } }, - "min_startup_backoff_duration": { - "type": "integer", - "description": "The minimum amount of time in seconds auto-tidy will be delayed after startup" + "exclude_cn_from_sans": { + "type": "boolean", + "description": "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).", + "default": false, + "x-vault-displayAttrs": { + "name": "Exclude Common Name from Subject Alternative Names (SANs)" + } }, - "pause_duration": { + "exported": { "type": "string", - "description": "Duration to pause between tidying certificates" + "description": "Must be \"internal\", \"exported\" or \"kms\". If set to \"exported\", the generated private key will be returned. This is your *only* chance to retrieve the private key!", + "enum": [ + "internal", + "external", + "kms" + ] }, - "publish_stored_certificate_count_metrics": { - "type": "boolean" + "format": { + "type": "string", + "description": "Format for returned data. Can be \"pem\", \"der\" or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. 
Defaults to \"pem\".", + "enum": [ + "pem", + "der", + "pem_bundle" + ], + "default": "pem", + "x-vault-displayAttrs": { + "value": "pem" + } }, - "revocation_queue_safety_buffer": { - "type": "integer" + "ip_sans": { + "type": "array", + "description": "The requested IP SANs, if any, in a comma-delimited list", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "IP Subject Alternative Names (SANs)" + } }, - "safety_buffer": { + "key_bits": { "type": "integer", - "description": "Safety buffer time duration" - }, - "tidy_acme": { - "type": "boolean", - "description": "Tidy Unused Acme Accounts, and Orders" + "description": "The number of bits to use. Allowed values are 0 (universal default); with rsa key_type: 2048 (default), 3072, 4096 or 8192; with ec key_type: 224, 256 (default), 384, or 521; ignored with ed25519.", + "default": 0, + "x-vault-displayAttrs": { + "value": 0 + } }, - "tidy_cert_metadata": { - "type": "boolean", - "description": "Tidy cert metadata" + "key_name": { + "type": "string", + "description": "Provide a name to the generated or existing key, the name must be unique across all keys and not be the reserved value 'default'" }, - "tidy_cert_store": { - "type": "boolean", - "description": "Specifies whether to tidy up the certificate store" + "key_ref": { + "type": "string", + "description": "Reference to a existing key; either \"default\" for the configured default key, an identifier or the name assigned to the key.", + "default": "default" }, - "tidy_cmpv2_nonce_store": { - "type": "boolean", - "description": "Tidy CMPv2 nonce store" + "key_type": { + "type": "string", + "description": "The type of key to use; defaults to RSA. 
\"rsa\" \"ec\" and \"ed25519\" are the only valid values.", + "enum": [ + "rsa", + "ec", + "ed25519" + ], + "default": "rsa", + "x-vault-displayAttrs": { + "value": "rsa" + } }, - "tidy_cross_cluster_revoked_certs": { - "type": "boolean", - "description": "Tidy the cross-cluster revoked certificate store" + "key_usage": { + "type": "array", + "description": "Specifies key_usage to encode in the certificate signing request. This is a comma-separated string or list of key usages (not extended key usages). Valid values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage -- simply drop the \"KeyUsage\" part of the name. If not set, key usage will not appear on the CSR.", + "items": { + "type": "string" + }, + "default": [] }, - "tidy_expired_issuers": { - "type": "boolean", - "description": "Specifies whether tidy expired issuers" + "locality": { + "type": "array", + "description": "If set, Locality will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Locality/City" + } }, - "tidy_move_legacy_ca_bundle": { - "type": "boolean" + "managed_key_id": { + "type": "string", + "description": "The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_name is required. Ignored for other types." }, - "tidy_revocation_queue": { - "type": "boolean" + "managed_key_name": { + "type": "string", + "description": "The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_id is required. Ignored for other types." }, - "tidy_revoked_cert_issuer_associations": { - "type": "boolean", - "description": "Specifies whether to associate revoked certificates with their corresponding issuers" + "not_after": { + "type": "string", + "description": "Set the not after field of the certificate with specified date value. 
The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ" }, - "tidy_revoked_certs": { - "type": "boolean", - "description": "Specifies whether to remove all invalid and expired certificates from storage" - } - } - }, - "PkiConfigureCaRequest": { - "type": "object", - "properties": { - "pem_bundle": { + "not_before_duration": { "type": "string", - "description": "PEM-format, concatenated unencrypted secret key and certificate." - } - } - }, - "PkiConfigureCaResponse": { - "type": "object", - "properties": { - "existing_issuers": { - "type": "array", - "description": "Existing issuers specified as part of the import bundle of this request", - "items": { - "type": "string" + "description": "The duration before now which the certificate needs to be backdated by.", + "format": "duration", + "default": 30, + "x-vault-displayAttrs": { + "value": 30 } }, - "existing_keys": { + "organization": { "type": "array", - "description": "Existing keys specified as part of the import bundle of this request", + "description": "If set, O (Organization) will be set to this value.", "items": { "type": "string" } }, - "imported_issuers": { + "other_sans": { "type": "array", - "description": "Net-new issuers imported as a part of this request", + "description": "Requested other SANs, in an array with the format ;UTF8: for each entry.", "items": { "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Other SANs" } }, - "imported_keys": { + "ou": { "type": "array", - "description": "Net-new keys imported as a part of this request", + "description": "If set, OU (OrganizationalUnit) will be set to this value.", "items": { "type": "string" + }, + "x-vault-displayAttrs": { + "name": "OU (Organizational Unit)" } }, - "mapping": { - "type": "object", - "description": "A mapping of issuer_id to key_id for all issuers included in this request", - "format": "map" - } - } - }, - "PkiConfigureClusterRequest": { - "type": "object", - "properties": { - "aia_path": { - "type": 
"string", - "description": "Optional URI to this mount's AIA distribution point; may refer to an external non-Vault responder. This is for resolving AIA URLs and providing the {{cluster_aia_path}} template parameter and will not be used for other purposes. As such, unlike path above, this could safely be an insecure transit mechanism (like HTTP without TLS). For example: http://cdn.example.com/pr1/pki" - }, - "path": { - "type": "string", - "description": "Canonical URI to this mount on this performance replication cluster's external address. This is for resolving AIA URLs and providing the {{cluster_path}} template parameter but might be used for other purposes in the future. This should only point back to this particular PR replica and should not ever point to another PR cluster. It may point to any node in the PR replica, including standby nodes, and need not always point to the active node. For example: https://pr1.vault.example.com:8200/v1/pki" - } - } - }, - "PkiConfigureClusterResponse": { - "type": "object", - "properties": { - "aia_path": { - "type": "string", - "description": "Optional URI to this mount's AIA distribution point; may refer to an external non-Vault responder. This is for resolving AIA URLs and providing the {{cluster_aia_path}} template parameter and will not be used for other purposes. As such, unlike path above, this could safely be an insecure transit mechanism (like HTTP without TLS). For example: http://cdn.example.com/pr1/pki" - }, - "path": { - "type": "string", - "description": "Canonical URI to this mount on this performance replication cluster's external address. This is for resolving AIA URLs and providing the {{cluster_path}} template parameter but might be used for other purposes in the future. This should only point back to this particular PR replica and should not ever point to another PR cluster. It may point to any node in the PR replica, including standby nodes, and need not always point to the active node. 
For example: https://pr1.vault.example.com:8200/v1/pki" - } - } - }, - "PkiConfigureCmpRequest": { - "type": "object", - "properties": { - "audit_fields": { + "postal_code": { "type": "array", - "description": "Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. Options are: [csr common_name alt_names ip_sans uri_sans other_sans signature_bits exclude_cn_from_sans ou organization country locality province street_address postal_code serial_number use_pss key_type key_bits add_basic_constraints]", + "description": "If set, Postal Code will be set to this value.", "items": { "type": "string" }, - "default": [ - "common_name", - "alt_names", - "ip_sans", - "uri_sans" - ] - }, - "authenticators": { - "type": "object", - "description": "A map of authentication type to authentication parameters", - "format": "map" + "x-vault-displayAttrs": { + "name": "Postal Code" + } }, - "default_path_policy": { + "private_key_format": { "type": "string", - "description": "the policy to be used for non-role-qualified CMP requests; valid values are 'sign-verbatim ', or \"role:\" to specify a role to use as this policy." + "description": "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".", + "enum": [ + "", + "der", + "pem", + "pkcs8" + ], + "default": "der", + "x-vault-displayAttrs": { + "value": "der" + } }, - "disabled_validations": { + "province": { "type": "array", - "description": "A comma-separated list of validations not to perform on CMPv2 messages. 
Possible entries are DisableCertTimeValidation and DisableMatchingKeyIdValidation.", + "description": "If set, Province will be set to this value.", "items": { "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Province/State" } }, - "enable_sentinel_parsing": { - "type": "boolean", - "description": "Parse CSR to that its fields can be used by sentinel policies.", - "default": false - }, - "enabled": { - "type": "boolean", - "description": "whether CMPv2 is enabled, defaults to false", - "default": false - } - } - }, - "PkiConfigureCrlRequest": { - "type": "object", - "properties": { - "auto_rebuild": { - "type": "boolean", - "description": "If set to true, enables automatic rebuilding of the CRL" - }, - "auto_rebuild_grace_period": { - "type": "string", - "description": "The time before the CRL expires to automatically rebuild it, when enabled. Must be shorter than the CRL expiry. Defaults to 12h.", - "default": "12h" - }, - "cross_cluster_revocation": { - "type": "boolean", - "description": "Whether to enable a global, cross-cluster revocation queue. Must be used with auto_rebuild=true." - }, - "delta_rebuild_interval": { - "type": "string", - "description": "The time between delta CRL rebuilds if a new revocation has occurred. Must be shorter than the CRL expiry. Defaults to 15m.", - "default": "15m" - }, - "disable": { - "type": "boolean", - "description": "If set to true, disables generating the CRL entirely." - }, - "enable_delta": { - "type": "boolean", - "description": "Whether to enable delta CRLs between authoritative CRL rebuilds" - }, - "expiry": { + "serial_number": { "type": "string", - "description": "The amount of time the generated CRL should be valid; defaults to 72 hours", - "default": "72h" + "description": "The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. 
This has no impact on the final certificate's Serial Number field." }, - "max_crl_entries": { + "signature_bits": { "type": "integer", - "description": "The maximum number of entries the CRL can contain. This is meant as a guard against accidental runaway revocations overloading Vault storage. If this limit is exceeded writing the CRL will fail. If set to -1 this limit is disabled.", - "default": 100000 + "description": "The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).", + "default": 0, + "x-vault-displayAttrs": { + "value": 0 + } }, - "ocsp_disable": { - "type": "boolean", - "description": "If set to true, ocsp unauthorized responses will be returned." + "street_address": { + "type": "array", + "description": "If set, Street Address will be set to this value.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "Street Address" + } }, - "ocsp_expiry": { + "ttl": { "type": "string", - "description": "The amount of time an OCSP response will be valid (controls the NextUpdate field); defaults to 12 hours", - "default": "1h" - }, - "unified_crl": { - "type": "boolean", - "description": "If set to true enables global replication of revocation entries, also enabling unified versions of OCSP and CRLs if their respective features are enabled. disable for CRLs and ocsp_disable for OCSP.", - "default": "false" + "description": "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. 
Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.", + "format": "duration", + "x-vault-displayAttrs": { + "name": "TTL" + } }, - "unified_crl_on_existing_paths": { - "type": "boolean", - "description": "If set to true, existing CRL and OCSP paths will return the unified CRL instead of a response based on cluster-local data", - "default": "false" + "uri_sans": { + "type": "array", + "description": "The requested URI SANs, if any, in a comma-delimited list.", + "items": { + "type": "string" + }, + "x-vault-displayAttrs": { + "name": "URI Subject Alternative Names (SANs)" + } } } }, - "PkiConfigureCrlResponse": { + "PkiCrossSignIntermediateResponse": { "type": "object", "properties": { - "auto_rebuild": { - "type": "boolean", - "description": "If set to true, enables automatic rebuilding of the CRL" - }, - "auto_rebuild_grace_period": { - "type": "string", - "description": "The time before the CRL expires to automatically rebuild it, when enabled. Must be shorter than the CRL expiry. Defaults to 12h.", - "default": "12h" - }, - "cross_cluster_revocation": { - "type": "boolean", - "description": "Whether to enable a global, cross-cluster revocation queue. Must be used with auto_rebuild=true." - }, - "delta_rebuild_interval": { - "type": "string", - "description": "The time between delta CRL rebuilds if a new revocation has occurred. Must be shorter than the CRL expiry. Defaults to 15m.", - "default": "15m" - }, - "disable": { - "type": "boolean", - "description": "If set to true, disables generating the CRL entirely." 
- }, - "enable_delta": { - "type": "boolean", - "description": "Whether to enable delta CRLs between authoritative CRL rebuilds" - }, - "expiry": { + "csr": { "type": "string", - "description": "The amount of time the generated CRL should be valid; defaults to 72 hours", - "default": "72h" - }, - "max_crl_entries": { - "type": "integer", - "description": "The maximum number of entries the CRL can contain. This is meant as a guard against accidental runaway revocations overloading Vault storage. If this limit is exceeded writing the CRL will fail. If set to -1 this limit is disabled.", - "default": 100000 - }, - "ocsp_disable": { - "type": "boolean", - "description": "If set to true, ocsp unauthorized responses will be returned." + "description": "Certificate signing request." }, - "ocsp_expiry": { + "key_id": { "type": "string", - "description": "The amount of time an OCSP response will be valid (controls the NextUpdate field); defaults to 12 hours", - "default": "1h" - }, - "unified_crl": { - "type": "boolean", - "description": "If set to true enables global replication of revocation entries, also enabling unified versions of OCSP and CRLs if their respective features are enabled. disable for CRLs and ocsp_disable for OCSP.", - "default": "false" + "description": "Id of the key." }, - "unified_crl_on_existing_paths": { - "type": "boolean", - "description": "If set to true, existing CRL and OCSP paths will return the unified CRL instead of a response based on cluster-local data", - "default": "false" + "private_key": { + "type": "string", + "description": "Generated private key." + }, + "private_key_type": { + "type": "string", + "description": "Specifies the format used for marshaling the private key." 
} } }, - "PkiConfigureEstRequest": { + "PkiExternalCaCreateConfigAcmeAccountNameImportRequest": { "type": "object", "properties": { - "audit_fields": { - "type": "array", - "description": "Fields parsed from the CSR that appear in the audit and can be used by sentinel policies. Options are: [csr common_name alt_names ip_sans uri_sans other_sans signature_bits exclude_cn_from_sans ou organization country locality province street_address postal_code serial_number use_pss key_type key_bits add_basic_constraints]", - "items": { - "type": "string" - }, - "default": [ - "common_name", - "alt_names", - "ip_sans", - "uri_sans" - ] - }, - "authenticators": { - "type": "object", - "description": "A map of authentication type to authentication parameters", - "format": "map" - }, - "default_mount": { - "type": "boolean", - "description": "Indicates if this mount owns the .well-known/est mount path", - "default": false - }, - "default_path_policy": { + "account_key": { "type": "string", - "description": "the policy of the default EST responder path, required if default_mount is true" - }, - "enable_sentinel_parsing": { - "type": "boolean", - "description": "Parse CSR to that its fields can be used by sentinel policies.", - "default": false + "description": "PEM encoded private key for the ACME account" }, - "enabled": { - "type": "boolean", - "description": "whether EST is enabled, defaults to false", - "default": false + "directory_url": { + "type": "string", + "description": "ACME Directory URL" }, - "label_to_path_policy": { - "type": "object", - "description": "The EST label to register and its associated role path", - "format": "map" + "trusted_ca": { + "type": "string", + "description": "Trusted CA certificates for the ACME server" } - } + }, + "required": [ + "account_key", + "directory_url" + ] }, - "PkiConfigureExternalPolicyRequest": { + "PkiExternalCaReadConfigDnsAwsRoute53Response": { "type": "object", "properties": { - "enabled": { - "type": "boolean", - 
"description": "Whether the external validation engine is enabled at all for this mount", - "default": false + "access_key_id": { + "type": "string", + "description": "AWS access key ID for Route53 API access" }, - "entity_jmespath": { + "assume_role_arn": { "type": "string", - "description": "A JMESPath search string that will extract the entity meta data to be sent to the CIEPS service. If blank, none of the entity metadata will be sent to the service.", - "default": "" + "description": "AWS IAM role ARN to assume for Route53 operations" }, - "external_service_url": { + "creation_date": { "type": "string", - "description": "The URL where the external policy service is accessible to vault", - "default": "" + "description": "Configuration creation timestamp", + "format": "date-time" }, - "group_jmespath": { + "external_id": { "type": "string", - "description": "A JMESPath search string that will extract the entity group information to be sent to the CIEPS service. If blank, none of the group entity metadata will be sent to the service.", - "default": "" + "description": "External ID for AWS STS AssumeRole" }, - "timeout": { + "hosted_zone_id": { "type": "string", - "description": "This is how long any particular request should wait for a timeout", - "format": "duration", - "default": 15 + "description": "AWS Route53 hosted zone ID" }, - "trusted_ca": { + "identifiers": { + "type": "array", + "description": "List of DNS identifiers this provider can be used for. 
Supports wildcard patterns with leftmost * (e.g., *.example.com)", + "items": { + "type": "string" + } + }, + "last_update_date": { "type": "string", - "description": "If this is set, vault will trust any leaf-certificate issued by this certificate to be the external policy service", - "default": "" + "description": "Configuration last update timestamp", + "format": "date-time" }, - "trusted_leaf_certificate_bundle": { + "name": { "type": "string", - "description": "This is the PEM of the leaf certificate(s) that vault will expect to do certificate pinning", - "default": "" + "description": "Name of the aws-route53 DNS configuration" }, - "vault_client_cert_bundle": { + "region": { "type": "string", - "description": "The vault client certificate used to authenticate vault to the external policy engine, and theprivate key to use it.", - "default": "" + "description": "AWS region for Route53 operations" + }, + "ttl": { + "type": "string", + "description": "TTL for DNS TXT records used in DNS-01 challenges", + "format": "duration", + "default": "60s" } } }, - "PkiConfigureExternalPolicyResponse": { + "PkiExternalCaReadConfigDnsAzureDnsResponse": { "type": "object", "properties": { - "enabled": { - "type": "boolean", - "description": "Whether the external validation engine is enabled at all for this mount", - "default": false - }, - "entity_jmespath": { + "client_id": { "type": "string", - "description": "A JMESPath search string that will extract the entity meta data to be sent to the CIEPS service. 
If blank, none of the entity metadata will be sent to the service.", - "default": "" + "description": "Azure service principal client ID" }, - "external_service_last_updated": { + "creation_date": { "type": "string", - "description": "Timestamp of the last update of the external policy engine configuration, (empty if never configured)" + "description": "Configuration creation timestamp", + "format": "date-time" }, - "external_service_url": { + "environment": { "type": "string", - "description": "The URL where the external policy service is accessible to vault", - "default": "" + "description": "Azure cloud environment (AzurePublic, AzureChina, AzureGovernment; default: AzurePublic)" }, - "external_service_validated": { - "type": "boolean", - "description": "Has the current user configuration been successfully used since the last update" + "identifiers": { + "type": "array", + "description": "List of DNS identifiers this provider can be used for. Supports wildcard patterns with leftmost * (e.g., *.example.com)", + "items": { + "type": "string" + } }, - "group_jmespath": { + "last_update_date": { "type": "string", - "description": "A JMESPath search string that will extract the entity group information to be sent to the CIEPS service. 
If blank, none of the group entity metadata will be sent to the service.", - "default": "" + "description": "Configuration last update timestamp", + "format": "date-time" }, - "last_successful_request": { + "name": { "type": "string", - "description": "Timestamp of the last successful request with the policy engine (empty if no request has succeeded on this mount)" + "description": "Name of the azure-dns DNS configuration" }, - "timeout": { + "resource_group_name": { "type": "string", - "description": "This is how long any particular request should wait for a timeout", - "format": "duration", - "default": 15 + "description": "Azure resource group name containing the DNS zone" }, - "trusted_ca": { + "subscription_id": { "type": "string", - "description": "If this is set, vault will trust any leaf-certificate issued by this certificate to be the external policy service", - "default": "" + "description": "Azure subscription ID" }, - "trusted_leaf_certificate_bundle": { + "tenant_id": { "type": "string", - "description": "This is the PEM of the leaf certificate(s) that vault will expect to do certificate pinning", - "default": "" + "description": "Azure tenant ID" }, - "vault_client_cert_bundle_no_keys": { + "ttl": { "type": "string", - "description": "The vault client certificate used to authenticate vault to the external policy engine", - "default": "" + "description": "TTL for DNS TXT records used in DNS-01 challenges", + "format": "duration", + "default": "1m" + }, + "zone_name": { + "type": "string", + "description": "Azure DNS zone name" } } }, - "PkiConfigureIssuersRequest": { + "PkiExternalCaReadConfigDnsGoogleCloudDnsResponse": { "type": "object", "properties": { - "default": { + "creation_date": { "type": "string", - "description": "Reference (name or identifier) to the default issuer." 
+ "description": "Configuration creation timestamp", + "format": "date-time" }, - "default_follows_latest_issuer": { - "type": "boolean", - "description": "Whether the default issuer should automatically follow the latest generated or imported issuer. Defaults to false.", - "default": false - } - } - }, - "PkiConfigureIssuersResponse": { - "type": "object", - "properties": { - "default": { + "identifiers": { + "type": "array", + "description": "List of DNS identifiers this provider can be used for. Supports wildcard patterns with leftmost * (e.g., *.example.com)", + "items": { + "type": "string" + } + }, + "impersonate_service_account": { "type": "string", - "description": "Reference (name or identifier) to the default issuer." + "description": "Service account email to impersonate" }, - "default_follows_latest_issuer": { - "type": "boolean", - "description": "Whether the default issuer should automatically follow the latest generated or imported issuer. Defaults to false." - } - } - }, - "PkiConfigureKeysRequest": { - "type": "object", - "properties": { - "default": { + "last_update_date": { "type": "string", - "description": "Reference (name or identifier) of the default key." - } - } - }, - "PkiConfigureKeysResponse": { - "type": "object", - "properties": { - "default": { + "description": "Configuration last update timestamp", + "format": "date-time" + }, + "name": { "type": "string", - "description": "Reference (name or identifier) to the default issuer." 
+ "description": "Name of the google-cloud-dns DNS configuration" + }, + "project": { + "type": "string", + "description": "GCP project name" + }, + "ttl": { + "type": "string", + "description": "TTL for DNS TXT records used in DNS-01 challenges", + "format": "duration", + "default": "10s" + }, + "zone_name": { + "type": "string", + "description": "GCP DNS zone name" } } }, - "PkiConfigureScepRequest": { + "PkiExternalCaReadConfigDnsRfc2136Response": { "type": "object", "properties": { - "allowed_digest_algorithms": { - "type": "array", - "description": "the list of allowed digest algorithms for SCEP requests", - "items": { - "type": "string" - }, - "enum": [ - "sha-1", - "sha-256", - "sha-384", - "sha-512" - ] + "creation_date": { + "type": "string", + "description": "Configuration creation timestamp", + "format": "date-time" }, - "allowed_encryption_algorithms": { + "identifiers": { "type": "array", - "description": "the list of allowed encryption algorithms for SCEP requests", + "description": "List of DNS identifiers this provider can be used for. Supports wildcard patterns with leftmost * (e.g., *.example.com)", "items": { "type": "string" - }, - "enum": [ - "des-cbc", - "3des-cbc", - "aes128-cbc", - "aes256-cbc", - "aes128-gcm", - "aes256-gcm" - ] + } }, - "authenticators": { - "type": "object", - "description": "A map of authentication type to authentication parameters", - "format": "map" + "last_update_date": { + "type": "string", + "description": "Configuration last update timestamp", + "format": "date-time" }, - "default_path_policy": { + "name": { "type": "string", - "description": "the policy to be used for non-role-qualified SCEP requests; valid values are 'sign-verbatim', or \"role:\" to specify a role to use as this policy." 
+ "description": "Name of the rfc2136 DNS configuration" }, - "enabled": { - "type": "boolean", - "description": "whether SCEP is enabled, defaults to false", - "default": false + "nameserver": { + "type": "string", + "description": "DNS server address (IP:port format, e.g., 192.168.1.1:53)" }, - "external_validation": { - "type": "object", - "description": "A map that specifies 3rd party validation of SCEP requests", - "format": "map" + "tsig_algorithm": { + "type": "string", + "description": "TSIG algorithm (e.g., hmac-sha256, hmac-sha512). Defaults to hmac-sha256" }, - "log_level": { + "tsig_key_name": { "type": "string", - "description": "the log level to use for logging SCEP-specific requests, reset to vault-default by setting this to the empty string", - "default": "" + "description": "TSIG key name for authenticated DNS updates" }, - "restrict_ca_chain_to_issuer": { - "type": "boolean", - "description": "if true, only return the issuer CA, otherwise the entire CA certificate chain will be returned if available from the PKI mount" + "ttl": { + "type": "string", + "description": "TTL for DNS TXT records used in DNS-01 challenges", + "format": "duration", + "default": "60s" } } }, - "PkiConfigureUrlsRequest": { + "PkiExternalCaWriteConfigAcmeAccountNameRequest": { "type": "object", "properties": { - "crl_distribution_points": { - "type": "array", - "description": "Comma-separated list of URLs to be used for the CRL distribution points attribute. See also RFC 5280 Section 4.2.1.13.", - "items": { - "type": "string" - } + "directory_url": { + "type": "string", + "description": "ACME Directory URL" }, - "delta_crl_distribution_points": { - "type": "array", - "description": "Comma-separated list of URLs to be used for the Delta CRL distribution points attribute. 
See also RFC 5280 Section 4.2.1.15.", - "items": { - "type": "string" - } + "eab_key": { + "type": "string", + "description": "A base64 URL encoded external binding token to create the initial account" }, - "enable_templating": { - "type": "boolean", - "description": "Whether or not to enabling templating of the above AIA fields. When templating is enabled the special values '{{issuer_id}}', '{{cluster_path}}', and '{{cluster_aia_path}}' are available, but the addresses are not checked for URI validity until issuance time. Using '{{cluster_path}}' requires /config/cluster's 'path' member to be set on all PR Secondary clusters and using '{{cluster_aia_path}}' requires /config/cluster's 'aia_path' member to be set on all PR secondary clusters.", - "default": false + "eab_kid": { + "type": "string", + "description": "The external binding key id to create the initial account" }, - "issuing_certificates": { + "email_contacts": { "type": "array", - "description": "Comma-separated list of URLs to be used for the issuing certificate attribute. See also RFC 5280 Section 4.2.2.1.", + "description": "EmailContacts email addresses", "items": { "type": "string" } }, - "ocsp_servers": { - "type": "array", - "description": "Comma-separated list of URLs to be used for the OCSP servers attribute. 
See also RFC 5280 Section 4.2.2.1.", - "items": { - "type": "string" - } + "key_type": { + "type": "string", + "description": "Key type to generate for the account key", + "enum": [ + "ec-256", + "ec-384", + "ec-521", + "rsa-2048", + "rsa-4096", + "rsa-8192" + ], + "default": "ec-256" + }, + "trusted_ca": { + "type": "string", + "description": "Trusted CA certificates for the ACME server" + } + }, + "required": [ + "directory_url", + "email_contacts" + ] + }, + "PkiExternalCaWriteConfigAcmeAccountNameRotateKeyRequest": { + "type": "object", + "properties": { + "force": { + "type": "boolean", + "description": "Force the rotation of an account if orders are still pending" + }, + "key_type": { + "type": "string", + "description": "Key type to generate for the new account key", + "enum": [ + "ec-256", + "ec-384", + "ec-521", + "rsa-2048", + "rsa-4096", + "rsa-8192" + ], + "default": "ec-256" } } }, - "PkiConfigureUrlsResponse": { + "PkiExternalCaWriteConfigDnsAwsRoute53Request": { "type": "object", "properties": { - "crl_distribution_points": { - "type": "array", - "description": "Comma-separated list of URLs to be used for the CRL distribution points attribute. See also RFC 5280 Section 4.2.1.13.", - "items": { - "type": "string" - } + "access_key_id": { + "type": "string", + "description": "AWS access key ID for Route53 API access" }, - "delta_crl_distribution_points": { - "type": "array", - "description": "Comma-separated list of URLs to be used for the Delta CRL distribution points attribute. See also RFC 5280 Section 4.2.1.15.", - "items": { - "type": "string" - } + "assume_role_arn": { + "type": "string", + "description": "AWS IAM role ARN to assume for Route53 operations" }, - "enable_templating": { - "type": "boolean", - "description": "Whether or not to enabling templating of the above AIA fields. 
When templating is enabled the special values '{{issuer_id}}' and '{{cluster_path}}' are available, but the addresses are not checked for URI validity until issuance time. This requires /config/cluster's path to be set on all PR Secondary clusters.", - "default": false + "external_id": { + "type": "string", + "description": "External ID for AWS STS AssumeRole" }, - "issuing_certificates": { - "type": "array", - "description": "Comma-separated list of URLs to be used for the issuing certificate attribute. See also RFC 5280 Section 4.2.2.1.", - "items": { - "type": "string" - } + "hosted_zone_id": { + "type": "string", + "description": "AWS Route53 hosted zone ID" }, - "ocsp_servers": { + "identifiers": { "type": "array", - "description": "Comma-separated list of URLs to be used for the OCSP servers attribute. See also RFC 5280 Section 4.2.2.1.", + "description": "List of DNS identifiers this provider can be used for. Supports wildcard patterns with leftmost * (e.g., *.example.com)", "items": { "type": "string" } + }, + "region": { + "type": "string", + "description": "AWS region for Route53 operations" + }, + "secret_access_key": { + "type": "string", + "description": "AWS secret access key for Route53 API access" + }, + "ttl": { + "type": "string", + "description": "TTL for DNS TXT records used in DNS-01 challenges", + "format": "duration", + "default": "60s" } } }, - "PkiCrossSignIntermediateRequest": { + "PkiExternalCaWriteConfigDnsAwsRoute53Response": { "type": "object", "properties": { - "add_basic_constraints": { - "type": "boolean", - "description": "Whether to add a Basic Constraints extension with CA: true. Only needed as a workaround in some compatibility scenarios with Active Directory Certificate Services." 
+ "access_key_id": { + "type": "string", + "description": "AWS access key ID for Route53 API access" }, - "alt_names": { + "assume_role_arn": { "type": "string", - "description": "The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.", - "x-vault-displayAttrs": { - "name": "DNS/Email Subject Alternative Names (SANs)" - } + "description": "AWS IAM role ARN to assume for Route53 operations" }, - "common_name": { + "creation_date": { "type": "string", - "description": "The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans." + "description": "Configuration creation timestamp", + "format": "date-time" }, - "country": { + "external_id": { + "type": "string", + "description": "External ID for AWS STS AssumeRole" + }, + "hosted_zone_id": { + "type": "string", + "description": "AWS Route53 hosted zone ID" + }, + "identifiers": { "type": "array", - "description": "If set, Country will be set to this value.", + "description": "List of DNS identifiers this provider can be used for. Supports wildcard patterns with leftmost * (e.g., *.example.com)", "items": { "type": "string" } }, - "exclude_cn_from_sans": { - "type": "boolean", - "description": "If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).", - "default": false, - "x-vault-displayAttrs": { - "name": "Exclude Common Name from Subject Alternative Names (SANs)" - } + "last_update_date": { + "type": "string", + "description": "Configuration last update timestamp", + "format": "date-time" }, - "exported": { + "name": { "type": "string", - "description": "Must be \"internal\", \"exported\" or \"kms\". If set to \"exported\", the generated private key will be returned. 
This is your *only* chance to retrieve the private key!", - "enum": [ - "internal", - "external", - "kms" - ] + "description": "Name of the aws-route53 DNS configuration" }, - "format": { + "region": { "type": "string", - "description": "Format for returned data. Can be \"pem\", \"der\" or \"pem_bundle\". If \"pem_bundle\", any private key and issuing cert will be appended to the certificate pem. If \"der\", the value will be base64 encoded. Defaults to \"pem\".", - "enum": [ - "pem", - "der", - "pem_bundle" - ], - "default": "pem", - "x-vault-displayAttrs": { - "value": "pem" - } + "description": "AWS region for Route53 operations" }, - "ip_sans": { + "ttl": { + "type": "string", + "description": "TTL for DNS TXT records used in DNS-01 challenges", + "format": "duration", + "default": "60s" + } + } + }, + "PkiExternalCaWriteConfigDnsAzureDnsRequest": { + "type": "object", + "properties": { + "client_id": { + "type": "string", + "description": "Azure service principal client ID" + }, + "client_secret": { + "type": "string", + "description": "Azure service principal client secret" + }, + "environment": { + "type": "string", + "description": "Azure cloud environment (AzurePublic, AzureChina, AzureGovernment; default: AzurePublic)" + }, + "identifiers": { "type": "array", - "description": "The requested IP SANs, if any, in a comma-delimited list", + "description": "List of DNS identifiers this provider can be used for. Supports wildcard patterns with leftmost * (e.g., *.example.com)", "items": { "type": "string" - }, - "x-vault-displayAttrs": { - "name": "IP Subject Alternative Names (SANs)" } }, - "key_bits": { - "type": "integer", - "description": "The number of bits to use. 
Allowed values are 0 (universal default); with rsa key_type: 2048 (default), 3072, 4096 or 8192; with ec key_type: 224, 256 (default), 384, or 521; ignored with ed25519.", - "default": 0, - "x-vault-displayAttrs": { - "value": 0 - } + "resource_group_name": { + "type": "string", + "description": "Azure resource group name containing the DNS zone" }, - "key_name": { + "subscription_id": { "type": "string", - "description": "Provide a name to the generated or existing key, the name must be unique across all keys and not be the reserved value 'default'" + "description": "Azure subscription ID" }, - "key_ref": { + "tenant_id": { "type": "string", - "description": "Reference to a existing key; either \"default\" for the configured default key, an identifier or the name assigned to the key.", - "default": "default" + "description": "Azure tenant ID" }, - "key_type": { + "ttl": { "type": "string", - "description": "The type of key to use; defaults to RSA. \"rsa\" \"ec\" and \"ed25519\" are the only valid values.", - "enum": [ - "rsa", - "ec", - "ed25519" - ], - "default": "rsa", - "x-vault-displayAttrs": { - "value": "rsa" - } + "description": "TTL for DNS TXT records used in DNS-01 challenges", + "format": "duration", + "default": "1m" }, - "key_usage": { - "type": "array", - "description": "Specifies key_usage to encode in the certificate signing request. This is a comma-separated string or list of key usages (not extended key usages). Valid values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage -- simply drop the \"KeyUsage\" part of the name. 
If not set, key usage will not appear on the CSR.", - "items": { - "type": "string" - }, - "default": [] + "zone_name": { + "type": "string", + "description": "Azure DNS zone name" + } + } + }, + "PkiExternalCaWriteConfigDnsAzureDnsResponse": { + "type": "object", + "properties": { + "client_id": { + "type": "string", + "description": "Azure service principal client ID" }, - "locality": { + "creation_date": { + "type": "string", + "description": "Configuration creation timestamp", + "format": "date-time" + }, + "environment": { + "type": "string", + "description": "Azure cloud environment (AzurePublic, AzureChina, AzureGovernment; default: AzurePublic)" + }, + "identifiers": { "type": "array", - "description": "If set, Locality will be set to this value.", + "description": "List of DNS identifiers this provider can be used for. Supports wildcard patterns with leftmost * (e.g., *.example.com)", "items": { "type": "string" - }, - "x-vault-displayAttrs": { - "name": "Locality/City" } }, - "managed_key_id": { + "last_update_date": { "type": "string", - "description": "The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_name is required. Ignored for other types." + "description": "Configuration last update timestamp", + "format": "date-time" }, - "managed_key_name": { + "name": { "type": "string", - "description": "The name of the managed key to use when the exported type is kms. When kms type is the key type, this field or managed_key_id is required. Ignored for other types." + "description": "Name of the azure-dns DNS configuration" }, - "not_after": { + "resource_group_name": { "type": "string", - "description": "Set the not after field of the certificate with specified date value. 
The value format should be given in UTC format YYYY-MM-ddTHH:MM:SSZ" + "description": "Azure resource group name containing the DNS zone" }, - "not_before_duration": { + "subscription_id": { "type": "string", - "description": "The duration before now which the certificate needs to be backdated by.", + "description": "Azure subscription ID" + }, + "tenant_id": { + "type": "string", + "description": "Azure tenant ID" + }, + "ttl": { + "type": "string", + "description": "TTL for DNS TXT records used in DNS-01 challenges", "format": "duration", - "default": 30, - "x-vault-displayAttrs": { - "value": 30 - } + "default": "1m" }, - "organization": { - "type": "array", - "description": "If set, O (Organization) will be set to this value.", - "items": { - "type": "string" - } + "zone_name": { + "type": "string", + "description": "Azure DNS zone name" + } + } + }, + "PkiExternalCaWriteConfigDnsGoogleCloudDnsRequest": { + "type": "object", + "properties": { + "credentials": { + "type": "string", + "description": "GCP service account credentials as JSON content" }, - "other_sans": { + "identifiers": { "type": "array", - "description": "Requested other SANs, in an array with the format ;UTF8: for each entry.", + "description": "List of DNS identifiers this provider can be used for. 
Supports wildcard patterns with leftmost * (e.g., *.example.com)", "items": { "type": "string" - }, - "x-vault-displayAttrs": { - "name": "Other SANs" } }, - "ou": { - "type": "array", - "description": "If set, OU (OrganizationalUnit) will be set to this value.", - "items": { - "type": "string" - }, - "x-vault-displayAttrs": { - "name": "OU (Organizational Unit)" - } + "impersonate_service_account": { + "type": "string", + "description": "Service account email to impersonate" }, - "postal_code": { - "type": "array", - "description": "If set, Postal Code will be set to this value.", - "items": { - "type": "string" - }, - "x-vault-displayAttrs": { - "name": "Postal Code" - } + "project": { + "type": "string", + "description": "GCP project name" }, - "private_key_format": { + "ttl": { "type": "string", - "description": "Format for the returned private key. Generally the default will be controlled by the \"format\" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to \"pkcs8\" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to \"der\".", - "enum": [ - "", - "der", - "pem", - "pkcs8" - ], - "default": "der", - "x-vault-displayAttrs": { - "value": "der" - } + "description": "TTL for DNS TXT records used in DNS-01 challenges", + "format": "duration", + "default": "10s" }, - "province": { + "zone_name": { + "type": "string", + "description": "GCP DNS zone name" + } + } + }, + "PkiExternalCaWriteConfigDnsGoogleCloudDnsResponse": { + "type": "object", + "properties": { + "creation_date": { + "type": "string", + "description": "Configuration creation timestamp", + "format": "date-time" + }, + "identifiers": { "type": "array", - "description": "If set, Province will be set to this value.", + "description": "List of DNS identifiers this provider can be used for. 
Supports wildcard patterns with leftmost * (e.g., *.example.com)", "items": { "type": "string" - }, - "x-vault-displayAttrs": { - "name": "Province/State" } }, - "serial_number": { + "impersonate_service_account": { "type": "string", - "description": "The Subject's requested serial number, if any. See RFC 4519 Section 2.31 'serialNumber' for a description of this field. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. This has no impact on the final certificate's Serial Number field." + "description": "Service account email to impersonate" }, - "signature_bits": { - "type": "integer", - "description": "The number of bits to use in the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384, and 512 for SHA-2-512. Defaults to 0 to automatically detect based on key length (SHA-2-256 for RSA keys, and matching the curve size for NIST P-Curves).", - "default": 0, - "x-vault-displayAttrs": { - "value": 0 - } + "last_update_date": { + "type": "string", + "description": "Configuration last update timestamp", + "format": "date-time" }, - "street_address": { - "type": "array", - "description": "If set, Street Address will be set to this value.", - "items": { - "type": "string" - }, - "x-vault-displayAttrs": { - "name": "Street Address" - } + "name": { + "type": "string", + "description": "Name of the google-cloud-dns DNS configuration" + }, + "project": { + "type": "string", + "description": "GCP project name" }, "ttl": { "type": "string", - "description": "The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. 
Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.", + "description": "TTL for DNS TXT records used in DNS-01 challenges", "format": "duration", - "x-vault-displayAttrs": { - "name": "TTL" - } + "default": "10s" }, - "uri_sans": { + "zone_name": { + "type": "string", + "description": "GCP DNS zone name" + } + } + }, + "PkiExternalCaWriteConfigDnsRfc2136Request": { + "type": "object", + "properties": { + "identifiers": { "type": "array", - "description": "The requested URI SANs, if any, in a comma-delimited list.", + "description": "List of DNS identifiers this provider can be used for. Supports wildcard patterns with leftmost * (e.g., *.example.com)", "items": { "type": "string" - }, - "x-vault-displayAttrs": { - "name": "URI Subject Alternative Names (SANs)" } + }, + "nameserver": { + "type": "string", + "description": "DNS server address (IP:port format, e.g., 192.168.1.1:53)" + }, + "tsig_algorithm": { + "type": "string", + "description": "TSIG algorithm (e.g., hmac-sha256, hmac-sha512). Defaults to hmac-sha256" + }, + "tsig_key_name": { + "type": "string", + "description": "TSIG key name for authenticated DNS updates" + }, + "tsig_secret": { + "type": "string", + "description": "TSIG secret (base64 encoded) for authenticated DNS updates" + }, + "ttl": { + "type": "string", + "description": "TTL for DNS TXT records used in DNS-01 challenges", + "format": "duration", + "default": "60s" } } }, - "PkiCrossSignIntermediateResponse": { + "PkiExternalCaWriteConfigDnsRfc2136Response": { "type": "object", "properties": { - "csr": { + "creation_date": { "type": "string", - "description": "Certificate signing request." + "description": "Configuration creation timestamp", + "format": "date-time" }, - "key_id": { + "identifiers": { + "type": "array", + "description": "List of DNS identifiers this provider can be used for. 
Supports wildcard patterns with leftmost * (e.g., *.example.com)", + "items": { + "type": "string" + } + }, + "last_update_date": { "type": "string", - "description": "Id of the key." + "description": "Configuration last update timestamp", + "format": "date-time" }, - "private_key": { + "name": { "type": "string", - "description": "Generated private key." + "description": "Name of the rfc2136 DNS configuration" }, - "private_key_type": { + "nameserver": { "type": "string", - "description": "Specifies the format used for marshaling the private key." + "description": "DNS server address (IP:port format, e.g., 192.168.1.1:53)" + }, + "tsig_algorithm": { + "type": "string", + "description": "TSIG algorithm (e.g., hmac-sha256, hmac-sha512). Defaults to hmac-sha256" + }, + "tsig_key_name": { + "type": "string", + "description": "TSIG key name for authenticated DNS updates" + }, + "ttl": { + "type": "string", + "description": "TTL for DNS TXT records used in DNS-01 challenges", + "format": "duration", + "default": "60s" } } }, - "PkiExternalCaCreateConfigAcmeAccountNameImportRequest": { + "PkiExternalCaWriteDnsTestWorkflowRequest": { "type": "object", "properties": { - "account_key": { + "identifier": { "type": "string", - "description": "PEM encoded private key for the ACME account" + "description": "The DNS identifier (domain name) to test with" }, - "directory_url": { + "omit_cleanup": { + "type": "boolean", + "description": "Do not perform any cleanup operations, useful for testing and manual validation a record was created within the DNS provider", + "default": false + }, + "provider_name": { "type": "string", - "description": "ACME Directory URL" + "description": "The name of the DNS provider configuration to test" }, - "trusted_ca": { + "provider_type": { "type": "string", - "description": "Trusted CA certificates for the ACME server" + "description": "The DNS provider type" } }, "required": [ - "account_key", - "directory_url" + "identifier", + "provider_name", + 
"provider_type" ] }, - "PkiExternalCaWriteConfigAcmeAccountNameRequest": { + "PkiExternalCaWriteDnsTestWorkflowResponse": { "type": "object", "properties": { - "directory_url": { + "identifier": { "type": "string", - "description": "ACME Directory URL" + "description": "The identifier that was tested" }, - "eab_key": { + "message": { "type": "string", - "description": "A base64 URL encoded external binding token to create the initial account" + "description": "Status message describing the test result" }, - "eab_kid": { + "provider_name": { "type": "string", - "description": "The external binding key id to create the initial account" - }, - "email_contacts": { - "type": "array", - "description": "EmailContacts email addresses", - "items": { - "type": "string" - } + "description": "The provider name that was tested" }, - "key_type": { + "provider_type": { "type": "string", - "description": "Key type to generate for the account key", - "enum": [ - "ec-256", - "ec-384", - "ec-521", - "rsa-2048", - "rsa-4096", - "rsa-8192" - ], - "default": "ec-256" + "description": "The provider type that was tested" }, - "trusted_ca": { + "record_name": { "type": "string", - "description": "Trusted CA certificates for the ACME server" - } - }, - "required": [ - "directory_url", - "email_contacts" - ] - }, - "PkiExternalCaWriteConfigAcmeAccountNameRotateKeyRequest": { - "type": "object", - "properties": { - "force": { - "type": "boolean", - "description": "Force the rotation of an account if orders are still pending" + "description": "The DNS record name that was created" }, - "key_type": { - "type": "string", - "description": "Key type to generate for the new account key", - "enum": [ - "ec-256", - "ec-384", - "ec-521", - "rsa-2048", - "rsa-4096", - "rsa-8192" - ], - "default": "ec-256" + "success": { + "type": "boolean", + "description": "Whether the test was successful" } } }, 
@@ -59494,6 +60704,14 @@ ], "default": "cn_first" }, + "dns_provider_name": { + "type": "string", + "description": "The DNS provider configuration to use for DNS-01 challenges (optional)" + }, + "dns_provider_type": { + "type": "string", + "description": "The DNS provider type (required when dns_provider_name is provided)" + }, "force": { "type": "boolean", "description": "Force deletion even when active orders exist" From e7418cbfa68994d34bc6449f1f157bcce95ab9c0 Mon Sep 17 00:00:00 2001 
From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com> Date: Fri, 19 Jun 2026 13:32:53 +0000 Subject: [PATCH 2/2] auto: generated client updates --- .openapi-generator/FILES | 14 + src/apis/SecretsApi.ts | 936 ++++++++++++++++++ ...ternalCaReadConfigDnsAwsRoute53Response.ts | 141 +++ ...ExternalCaReadConfigDnsAzureDnsResponse.ts | 149 +++ ...alCaReadConfigDnsGoogleCloudDnsResponse.ts | 125 +++ ...iExternalCaReadConfigDnsRfc2136Response.ts | 125 +++ ...ternalCaWriteConfigDnsAwsRoute53Request.ts | 125 +++ ...ernalCaWriteConfigDnsAwsRoute53Response.ts | 141 +++ ...ExternalCaWriteConfigDnsAzureDnsRequest.ts | 133 +++ ...xternalCaWriteConfigDnsAzureDnsResponse.ts | 149 +++ ...alCaWriteConfigDnsGoogleCloudDnsRequest.ts | 109 ++ ...lCaWriteConfigDnsGoogleCloudDnsResponse.ts | 125 +++ ...iExternalCaWriteConfigDnsRfc2136Request.ts | 109 ++ ...ExternalCaWriteConfigDnsRfc2136Response.ts | 125 +++ ...kiExternalCaWriteDnsTestWorkflowRequest.ts | 96 ++ ...iExternalCaWriteDnsTestWorkflowResponse.ts | 109 ++ .../PkiExternalCaWriteRoleNameRequest.ts | 16 + src/models/index.ts | 14 + 18 files changed, 2741 insertions(+) create mode 100644 src/models/PkiExternalCaReadConfigDnsAwsRoute53Response.ts create mode 100644 src/models/PkiExternalCaReadConfigDnsAzureDnsResponse.ts create mode 100644 src/models/PkiExternalCaReadConfigDnsGoogleCloudDnsResponse.ts create mode 100644 src/models/PkiExternalCaReadConfigDnsRfc2136Response.ts create mode 100644 src/models/PkiExternalCaWriteConfigDnsAwsRoute53Request.ts create mode 100644 src/models/PkiExternalCaWriteConfigDnsAwsRoute53Response.ts create mode 100644 src/models/PkiExternalCaWriteConfigDnsAzureDnsRequest.ts create mode 100644 src/models/PkiExternalCaWriteConfigDnsAzureDnsResponse.ts create mode 100644 src/models/PkiExternalCaWriteConfigDnsGoogleCloudDnsRequest.ts create mode 100644 src/models/PkiExternalCaWriteConfigDnsGoogleCloudDnsResponse.ts create mode 100644 
src/models/PkiExternalCaWriteConfigDnsRfc2136Request.ts create mode 100644 src/models/PkiExternalCaWriteConfigDnsRfc2136Response.ts create mode 100644 src/models/PkiExternalCaWriteDnsTestWorkflowRequest.ts create mode 100644 src/models/PkiExternalCaWriteDnsTestWorkflowResponse.ts diff --git a/.openapi-generator/FILES b/.openapi-generator/FILES index 496e25f..37836e9 100644 --- a/.openapi-generator/FILES +++ b/.openapi-generator/FILES @@ -337,8 +337,22 @@ src/models/PkiConfigureUrlsResponse.ts src/models/PkiCrossSignIntermediateRequest.ts src/models/PkiCrossSignIntermediateResponse.ts src/models/PkiExternalCaCreateConfigAcmeAccountNameImportRequest.ts +src/models/PkiExternalCaReadConfigDnsAwsRoute53Response.ts +src/models/PkiExternalCaReadConfigDnsAzureDnsResponse.ts +src/models/PkiExternalCaReadConfigDnsGoogleCloudDnsResponse.ts +src/models/PkiExternalCaReadConfigDnsRfc2136Response.ts src/models/PkiExternalCaWriteConfigAcmeAccountNameRequest.ts src/models/PkiExternalCaWriteConfigAcmeAccountNameRotateKeyRequest.ts +src/models/PkiExternalCaWriteConfigDnsAwsRoute53Request.ts +src/models/PkiExternalCaWriteConfigDnsAwsRoute53Response.ts +src/models/PkiExternalCaWriteConfigDnsAzureDnsRequest.ts +src/models/PkiExternalCaWriteConfigDnsAzureDnsResponse.ts +src/models/PkiExternalCaWriteConfigDnsGoogleCloudDnsRequest.ts +src/models/PkiExternalCaWriteConfigDnsGoogleCloudDnsResponse.ts +src/models/PkiExternalCaWriteConfigDnsRfc2136Request.ts +src/models/PkiExternalCaWriteConfigDnsRfc2136Response.ts +src/models/PkiExternalCaWriteDnsTestWorkflowRequest.ts +src/models/PkiExternalCaWriteDnsTestWorkflowResponse.ts src/models/PkiExternalCaWriteRoleNameNewOrderRequest.ts src/models/PkiExternalCaWriteRoleNameOrderOrderIdFulfilledChallengeRequest.ts src/models/PkiExternalCaWriteRoleNameOrderOrderIdRevokeRequest.ts diff --git a/src/apis/SecretsApi.ts b/src/apis/SecretsApi.ts index b5cf71b..e0c2dd7 100644 --- a/src/apis/SecretsApi.ts +++ b/src/apis/SecretsApi.ts 
@@ -123,8 +123,22 @@ import type { PkiCrossSignIntermediateRequest, PkiCrossSignIntermediateResponse, PkiExternalCaCreateConfigAcmeAccountNameImportRequest, + PkiExternalCaReadConfigDnsAwsRoute53Response, + PkiExternalCaReadConfigDnsAzureDnsResponse, + PkiExternalCaReadConfigDnsGoogleCloudDnsResponse, + PkiExternalCaReadConfigDnsRfc2136Response, PkiExternalCaWriteConfigAcmeAccountNameRequest, PkiExternalCaWriteConfigAcmeAccountNameRotateKeyRequest, + PkiExternalCaWriteConfigDnsAwsRoute53Request, + PkiExternalCaWriteConfigDnsAwsRoute53Response, + PkiExternalCaWriteConfigDnsAzureDnsRequest, + PkiExternalCaWriteConfigDnsAzureDnsResponse, + PkiExternalCaWriteConfigDnsGoogleCloudDnsRequest, + PkiExternalCaWriteConfigDnsGoogleCloudDnsResponse, + PkiExternalCaWriteConfigDnsRfc2136Request, + PkiExternalCaWriteConfigDnsRfc2136Response, + PkiExternalCaWriteDnsTestWorkflowRequest, + PkiExternalCaWriteDnsTestWorkflowResponse, PkiExternalCaWriteRoleNameNewOrderRequest, PkiExternalCaWriteRoleNameOrderOrderIdFulfilledChallengeRequest, PkiExternalCaWriteRoleNameOrderOrderIdRevokeRequest, 
@@ -653,10 +667,38 @@ import { PkiCrossSignIntermediateResponseToJSON, PkiExternalCaCreateConfigAcmeAccountNameImportRequestFromJSON, PkiExternalCaCreateConfigAcmeAccountNameImportRequestToJSON, + PkiExternalCaReadConfigDnsAwsRoute53ResponseFromJSON, + PkiExternalCaReadConfigDnsAwsRoute53ResponseToJSON, + PkiExternalCaReadConfigDnsAzureDnsResponseFromJSON, + PkiExternalCaReadConfigDnsAzureDnsResponseToJSON, + PkiExternalCaReadConfigDnsGoogleCloudDnsResponseFromJSON, + PkiExternalCaReadConfigDnsGoogleCloudDnsResponseToJSON, + PkiExternalCaReadConfigDnsRfc2136ResponseFromJSON, + PkiExternalCaReadConfigDnsRfc2136ResponseToJSON, PkiExternalCaWriteConfigAcmeAccountNameRequestFromJSON, PkiExternalCaWriteConfigAcmeAccountNameRequestToJSON, PkiExternalCaWriteConfigAcmeAccountNameRotateKeyRequestFromJSON, PkiExternalCaWriteConfigAcmeAccountNameRotateKeyRequestToJSON, + PkiExternalCaWriteConfigDnsAwsRoute53RequestFromJSON, + PkiExternalCaWriteConfigDnsAwsRoute53RequestToJSON, + PkiExternalCaWriteConfigDnsAwsRoute53ResponseFromJSON, + PkiExternalCaWriteConfigDnsAwsRoute53ResponseToJSON, + PkiExternalCaWriteConfigDnsAzureDnsRequestFromJSON, + PkiExternalCaWriteConfigDnsAzureDnsRequestToJSON, + PkiExternalCaWriteConfigDnsAzureDnsResponseFromJSON, + PkiExternalCaWriteConfigDnsAzureDnsResponseToJSON, + PkiExternalCaWriteConfigDnsGoogleCloudDnsRequestFromJSON, + PkiExternalCaWriteConfigDnsGoogleCloudDnsRequestToJSON, + PkiExternalCaWriteConfigDnsGoogleCloudDnsResponseFromJSON, + PkiExternalCaWriteConfigDnsGoogleCloudDnsResponseToJSON, + PkiExternalCaWriteConfigDnsRfc2136RequestFromJSON, + PkiExternalCaWriteConfigDnsRfc2136RequestToJSON, + PkiExternalCaWriteConfigDnsRfc2136ResponseFromJSON, + PkiExternalCaWriteConfigDnsRfc2136ResponseToJSON, + PkiExternalCaWriteDnsTestWorkflowRequestFromJSON, + PkiExternalCaWriteDnsTestWorkflowRequestToJSON, + PkiExternalCaWriteDnsTestWorkflowResponseFromJSON, + PkiExternalCaWriteDnsTestWorkflowResponseToJSON, 
PkiExternalCaWriteRoleNameNewOrderRequestFromJSON, PkiExternalCaWriteRoleNameNewOrderRequestToJSON, PkiExternalCaWriteRoleNameOrderOrderIdFulfilledChallengeRequestFromJSON, @@ -2720,6 +2762,26 @@ export interface SecretsApiPkiExternalCaDeleteConfigAcmeAccountNameRequest { pki_external_ca_mount_path: string; } +export interface SecretsApiPkiExternalCaDeleteConfigDnsAwsRoute53Request { + name: string; + pki_external_ca_mount_path: string; +} + +export interface SecretsApiPkiExternalCaDeleteConfigDnsAzureDnsRequest { + name: string; + pki_external_ca_mount_path: string; +} + +export interface SecretsApiPkiExternalCaDeleteConfigDnsGoogleCloudDnsRequest { + name: string; + pki_external_ca_mount_path: string; +} + +export interface SecretsApiPkiExternalCaDeleteConfigDnsRfc2136Request { + name: string; + pki_external_ca_mount_path: string; +} + export interface SecretsApiPkiExternalCaDeleteRoleNameRequest { name: string; pki_external_ca_mount_path: string; 
@@ -2730,6 +2792,31 @@ export interface SecretsApiPkiExternalCaListConfigAcmeAccountRequest { list: SecretsApiPkiExternalCaListConfigAcmeAccountListEnum; } +export interface SecretsApiPkiExternalCaListConfigDnsRequest { + pki_external_ca_mount_path: string; + list: SecretsApiPkiExternalCaListConfigDnsListEnum; +} + +export interface SecretsApiPkiExternalCaListConfigDnsAwsRoute53Request { + pki_external_ca_mount_path: string; + list: SecretsApiPkiExternalCaListConfigDnsAwsRoute53ListEnum; +} + +export interface SecretsApiPkiExternalCaListConfigDnsAzureDnsRequest { + pki_external_ca_mount_path: string; + list: SecretsApiPkiExternalCaListConfigDnsAzureDnsListEnum; +} + +export interface SecretsApiPkiExternalCaListConfigDnsGoogleCloudDnsRequest { + pki_external_ca_mount_path: string; + list: SecretsApiPkiExternalCaListConfigDnsGoogleCloudDnsListEnum; +} + +export interface SecretsApiPkiExternalCaListConfigDnsRfc2136Request { + pki_external_ca_mount_path: string; + list: SecretsApiPkiExternalCaListConfigDnsRfc2136ListEnum; +} + export interface SecretsApiPkiExternalCaListLookupOrdersRequest { pki_external_ca_mount_path: string; list: SecretsApiPkiExternalCaListLookupOrdersListEnum; @@ -2751,6 +2838,26 @@ export interface SecretsApiPkiExternalCaReadConfigAcmeAccountNameRequest { pki_external_ca_mount_path: string; } +export interface SecretsApiPkiExternalCaReadConfigDnsAwsRoute53Request { + name: string; + pki_external_ca_mount_path: string; +} + +export interface SecretsApiPkiExternalCaReadConfigDnsAzureDnsRequest { + name: string; + pki_external_ca_mount_path: string; +} + +export interface SecretsApiPkiExternalCaReadConfigDnsGoogleCloudDnsRequest { + name: string; + pki_external_ca_mount_path: string; +} + +export interface SecretsApiPkiExternalCaReadConfigDnsRfc2136Request { + name: string; + pki_external_ca_mount_path: string; +} + export interface SecretsApiPkiExternalCaReadLookupCertSerialRequest { serial: string; pki_external_ca_mount_path: string; 
@@ -2801,6 +2908,35 @@ export interface SecretsApiPkiExternalCaWriteConfigAcmeAccountNameRotateKeyOpera PkiExternalCaWriteConfigAcmeAccountNameRotateKeyRequest: PkiExternalCaWriteConfigAcmeAccountNameRotateKeyRequest; } +export interface SecretsApiPkiExternalCaWriteConfigDnsAwsRoute53OperationRequest { + name: string; + pki_external_ca_mount_path: string; + PkiExternalCaWriteConfigDnsAwsRoute53Request: PkiExternalCaWriteConfigDnsAwsRoute53Request; +} + +export interface SecretsApiPkiExternalCaWriteConfigDnsAzureDnsOperationRequest { + name: string; + pki_external_ca_mount_path: string; + PkiExternalCaWriteConfigDnsAzureDnsRequest: PkiExternalCaWriteConfigDnsAzureDnsRequest; +} + +export interface SecretsApiPkiExternalCaWriteConfigDnsGoogleCloudDnsOperationRequest { + name: string; + pki_external_ca_mount_path: string; + PkiExternalCaWriteConfigDnsGoogleCloudDnsRequest: PkiExternalCaWriteConfigDnsGoogleCloudDnsRequest; +} + +export interface SecretsApiPkiExternalCaWriteConfigDnsRfc2136OperationRequest { + name: string; + pki_external_ca_mount_path: string; + PkiExternalCaWriteConfigDnsRfc2136Request: PkiExternalCaWriteConfigDnsRfc2136Request; +} + +export interface SecretsApiPkiExternalCaWriteDnsTestWorkflowOperationRequest { + pki_external_ca_mount_path: string; + PkiExternalCaWriteDnsTestWorkflowRequest: PkiExternalCaWriteDnsTestWorkflowRequest; +} + export interface SecretsApiPkiExternalCaWriteRoleNameOperationRequest { name: string; pki_external_ca_mount_path: string; 
@@ -16534,6 +16670,162 @@ export class SecretsApi extends runtime.BaseAPI { return await response.value(); } + /** + */ + async pkiExternalCaDeleteConfigDnsAwsRoute53Raw(requestParameters: SecretsApiPkiExternalCaDeleteConfigDnsAwsRoute53Request, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise> { + if (requestParameters['name'] == null) { + throw new runtime.RequiredError( + 'name', + 'Required parameter "name" was null or undefined when calling pkiExternalCaDeleteConfigDnsAwsRoute53().' + ); + } + + if (requestParameters['pki_external_ca_mount_path'] == null) { + throw new runtime.RequiredError( + 'pki_external_ca_mount_path', + 'Required parameter "pki_external_ca_mount_path" was null or undefined when calling pkiExternalCaDeleteConfigDnsAwsRoute53().' + ); + } + + const queryParameters: any = {}; + + const headerParameters: runtime.HTTPHeaders = {}; + + const builtPath = `/{pki_external_ca_mount_path}/config/dns/aws-route53/{name}`.replace(`{${"name"}}`, encodeURIComponent(String(requestParameters['name']).replace(/\/+$/, ''))).replace(`{${"pki_external_ca_mount_path"}}`, encodeURIComponent(String(requestParameters['pki_external_ca_mount_path']).replace(/\/+$/, ''))); + const response = await this.request({ + path: builtPath.replace(/\/\/+/g, '/'), + method: 'DELETE', + headers: headerParameters, + query: queryParameters, + }, initOverrides); + + return new runtime.VoidApiResponse(response); + } + + /** + */ + async pkiExternalCaDeleteConfigDnsAwsRoute53(name: string, pki_external_ca_mount_path: string, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise { + const response = await this.pkiExternalCaDeleteConfigDnsAwsRoute53Raw({ name: name, pki_external_ca_mount_path: pki_external_ca_mount_path }, initOverrides); + return await response.value(); + } + + /** + */ + async pkiExternalCaDeleteConfigDnsAzureDnsRaw(requestParameters: SecretsApiPkiExternalCaDeleteConfigDnsAzureDnsRequest, initOverrides?: RequestInit | 
runtime.InitOverrideFunction): Promise> { + if (requestParameters['name'] == null) { + throw new runtime.RequiredError( + 'name', + 'Required parameter "name" was null or undefined when calling pkiExternalCaDeleteConfigDnsAzureDns().' + ); + } + + if (requestParameters['pki_external_ca_mount_path'] == null) { + throw new runtime.RequiredError( + 'pki_external_ca_mount_path', + 'Required parameter "pki_external_ca_mount_path" was null or undefined when calling pkiExternalCaDeleteConfigDnsAzureDns().' + ); + } + + const queryParameters: any = {}; + + const headerParameters: runtime.HTTPHeaders = {}; + + const builtPath = `/{pki_external_ca_mount_path}/config/dns/azure-dns/{name}`.replace(`{${"name"}}`, encodeURIComponent(String(requestParameters['name']).replace(/\/+$/, ''))).replace(`{${"pki_external_ca_mount_path"}}`, encodeURIComponent(String(requestParameters['pki_external_ca_mount_path']).replace(/\/+$/, ''))); + const response = await this.request({ + path: builtPath.replace(/\/\/+/g, '/'), + method: 'DELETE', + headers: headerParameters, + query: queryParameters, + }, initOverrides); + + return new runtime.VoidApiResponse(response); + } + + /** + */ + async pkiExternalCaDeleteConfigDnsAzureDns(name: string, pki_external_ca_mount_path: string, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise { + const response = await this.pkiExternalCaDeleteConfigDnsAzureDnsRaw({ name: name, pki_external_ca_mount_path: pki_external_ca_mount_path }, initOverrides); + return await response.value(); + } + + /** + */ + async pkiExternalCaDeleteConfigDnsGoogleCloudDnsRaw(requestParameters: SecretsApiPkiExternalCaDeleteConfigDnsGoogleCloudDnsRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise> { + if (requestParameters['name'] == null) { + throw new runtime.RequiredError( + 'name', + 'Required parameter "name" was null or undefined when calling pkiExternalCaDeleteConfigDnsGoogleCloudDns().' 
+ ); + } + + if (requestParameters['pki_external_ca_mount_path'] == null) { + throw new runtime.RequiredError( + 'pki_external_ca_mount_path', + 'Required parameter "pki_external_ca_mount_path" was null or undefined when calling pkiExternalCaDeleteConfigDnsGoogleCloudDns().' + ); + } + + const queryParameters: any = {}; + + const headerParameters: runtime.HTTPHeaders = {}; + + const builtPath = `/{pki_external_ca_mount_path}/config/dns/google-cloud-dns/{name}`.replace(`{${"name"}}`, encodeURIComponent(String(requestParameters['name']).replace(/\/+$/, ''))).replace(`{${"pki_external_ca_mount_path"}}`, encodeURIComponent(String(requestParameters['pki_external_ca_mount_path']).replace(/\/+$/, ''))); + const response = await this.request({ + path: builtPath.replace(/\/\/+/g, '/'), + method: 'DELETE', + headers: headerParameters, + query: queryParameters, + }, initOverrides); + + return new runtime.VoidApiResponse(response); + } + + /** + */ + async pkiExternalCaDeleteConfigDnsGoogleCloudDns(name: string, pki_external_ca_mount_path: string, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise { + const response = await this.pkiExternalCaDeleteConfigDnsGoogleCloudDnsRaw({ name: name, pki_external_ca_mount_path: pki_external_ca_mount_path }, initOverrides); + return await response.value(); + } + + /** + */ + async pkiExternalCaDeleteConfigDnsRfc2136Raw(requestParameters: SecretsApiPkiExternalCaDeleteConfigDnsRfc2136Request, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise> { + if (requestParameters['name'] == null) { + throw new runtime.RequiredError( + 'name', + 'Required parameter "name" was null or undefined when calling pkiExternalCaDeleteConfigDnsRfc2136().' + ); + } + + if (requestParameters['pki_external_ca_mount_path'] == null) { + throw new runtime.RequiredError( + 'pki_external_ca_mount_path', + 'Required parameter "pki_external_ca_mount_path" was null or undefined when calling pkiExternalCaDeleteConfigDnsRfc2136().' 
+ ); + } + + const queryParameters: any = {}; + + const headerParameters: runtime.HTTPHeaders = {}; + + const builtPath = `/{pki_external_ca_mount_path}/config/dns/rfc2136/{name}`.replace(`{${"name"}}`, encodeURIComponent(String(requestParameters['name']).replace(/\/+$/, ''))).replace(`{${"pki_external_ca_mount_path"}}`, encodeURIComponent(String(requestParameters['pki_external_ca_mount_path']).replace(/\/+$/, ''))); + const response = await this.request({ + path: builtPath.replace(/\/\/+/g, '/'), + method: 'DELETE', + headers: headerParameters, + query: queryParameters, + }, initOverrides); + + return new runtime.VoidApiResponse(response); + } + + /** + */ + async pkiExternalCaDeleteConfigDnsRfc2136(name: string, pki_external_ca_mount_path: string, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise { + const response = await this.pkiExternalCaDeleteConfigDnsRfc2136Raw({ name: name, pki_external_ca_mount_path: pki_external_ca_mount_path }, initOverrides); + return await response.value(); + } + /** */ async pkiExternalCaDeleteRoleNameRaw(requestParameters: SecretsApiPkiExternalCaDeleteRoleNameRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise> { 
@@ -16616,6 +16908,221 @@ export class SecretsApi extends runtime.BaseAPI { return await response.value(); } + /** + */ + async pkiExternalCaListConfigDnsRaw(requestParameters: SecretsApiPkiExternalCaListConfigDnsRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise> { + if (requestParameters['pki_external_ca_mount_path'] == null) { + throw new runtime.RequiredError( + 'pki_external_ca_mount_path', + 'Required parameter "pki_external_ca_mount_path" was null or undefined when calling pkiExternalCaListConfigDns().' + ); + } + + if (requestParameters['list'] == null) { + throw new runtime.RequiredError( + 'list', + 'Required parameter "list" was null or undefined when calling pkiExternalCaListConfigDns().' + ); + } + + const queryParameters: any = {}; + + if (requestParameters['list'] != null) { + queryParameters['list'] = requestParameters['list']; + } + + const headerParameters: runtime.HTTPHeaders = {}; + + const builtPath = `/{pki_external_ca_mount_path}/config/dns/`.replace(`{${"pki_external_ca_mount_path"}}`, encodeURIComponent(String(requestParameters['pki_external_ca_mount_path']).replace(/\/+$/, ''))); + const response = await this.request({ + path: builtPath.replace(/\/\/+/g, '/'), + method: 'GET', + headers: headerParameters, + query: queryParameters, + }, initOverrides); + + return new runtime.JSONApiResponse(response, (jsonValue) => StandardListResponseFromJSON(jsonValue)); + } + + /** + */ + async pkiExternalCaListConfigDns(pki_external_ca_mount_path: string, list: SecretsApiPkiExternalCaListConfigDnsListEnum, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise { + const response = await this.pkiExternalCaListConfigDnsRaw({ pki_external_ca_mount_path: pki_external_ca_mount_path, list: list }, initOverrides); + return await response.value(); + } + + /** + */ + async pkiExternalCaListConfigDnsAwsRoute53Raw(requestParameters: SecretsApiPkiExternalCaListConfigDnsAwsRoute53Request, initOverrides?: RequestInit | 
runtime.InitOverrideFunction): Promise> { + if (requestParameters['pki_external_ca_mount_path'] == null) { + throw new runtime.RequiredError( + 'pki_external_ca_mount_path', + 'Required parameter "pki_external_ca_mount_path" was null or undefined when calling pkiExternalCaListConfigDnsAwsRoute53().' + ); + } + + if (requestParameters['list'] == null) { + throw new runtime.RequiredError( + 'list', + 'Required parameter "list" was null or undefined when calling pkiExternalCaListConfigDnsAwsRoute53().' + ); + } + + const queryParameters: any = {}; + + if (requestParameters['list'] != null) { + queryParameters['list'] = requestParameters['list']; + } + + const headerParameters: runtime.HTTPHeaders = {}; + + const builtPath = `/{pki_external_ca_mount_path}/config/dns/aws-route53/`.replace(`{${"pki_external_ca_mount_path"}}`, encodeURIComponent(String(requestParameters['pki_external_ca_mount_path']).replace(/\/+$/, ''))); + const response = await this.request({ + path: builtPath.replace(/\/\/+/g, '/'), + method: 'GET', + headers: headerParameters, + query: queryParameters, + }, initOverrides); + + return new runtime.JSONApiResponse(response, (jsonValue) => StandardListResponseFromJSON(jsonValue)); + } + + /** + */ + async pkiExternalCaListConfigDnsAwsRoute53(pki_external_ca_mount_path: string, list: SecretsApiPkiExternalCaListConfigDnsAwsRoute53ListEnum, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise { + const response = await this.pkiExternalCaListConfigDnsAwsRoute53Raw({ pki_external_ca_mount_path: pki_external_ca_mount_path, list: list }, initOverrides); + return await response.value(); + } + + /** + */ + async pkiExternalCaListConfigDnsAzureDnsRaw(requestParameters: SecretsApiPkiExternalCaListConfigDnsAzureDnsRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise> { + if (requestParameters['pki_external_ca_mount_path'] == null) { + throw new runtime.RequiredError( + 'pki_external_ca_mount_path', + 'Required parameter 
"pki_external_ca_mount_path" was null or undefined when calling pkiExternalCaListConfigDnsAzureDns().' + ); + } + + if (requestParameters['list'] == null) { + throw new runtime.RequiredError( + 'list', + 'Required parameter "list" was null or undefined when calling pkiExternalCaListConfigDnsAzureDns().' + ); + } + + const queryParameters: any = {}; + + if (requestParameters['list'] != null) { + queryParameters['list'] = requestParameters['list']; + } + + const headerParameters: runtime.HTTPHeaders = {}; + + const builtPath = `/{pki_external_ca_mount_path}/config/dns/azure-dns/`.replace(`{${"pki_external_ca_mount_path"}}`, encodeURIComponent(String(requestParameters['pki_external_ca_mount_path']).replace(/\/+$/, ''))); + const response = await this.request({ + path: builtPath.replace(/\/\/+/g, '/'), + method: 'GET', + headers: headerParameters, + query: queryParameters, + }, initOverrides); + + return new runtime.JSONApiResponse(response, (jsonValue) => StandardListResponseFromJSON(jsonValue)); + } + + /** + */ + async pkiExternalCaListConfigDnsAzureDns(pki_external_ca_mount_path: string, list: SecretsApiPkiExternalCaListConfigDnsAzureDnsListEnum, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise { + const response = await this.pkiExternalCaListConfigDnsAzureDnsRaw({ pki_external_ca_mount_path: pki_external_ca_mount_path, list: list }, initOverrides); + return await response.value(); + } + + /** + */ + async pkiExternalCaListConfigDnsGoogleCloudDnsRaw(requestParameters: SecretsApiPkiExternalCaListConfigDnsGoogleCloudDnsRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise> { + if (requestParameters['pki_external_ca_mount_path'] == null) { + throw new runtime.RequiredError( + 'pki_external_ca_mount_path', + 'Required parameter "pki_external_ca_mount_path" was null or undefined when calling pkiExternalCaListConfigDnsGoogleCloudDns().' 
+ ); + } + + if (requestParameters['list'] == null) { + throw new runtime.RequiredError( + 'list', + 'Required parameter "list" was null or undefined when calling pkiExternalCaListConfigDnsGoogleCloudDns().' + ); + } + + const queryParameters: any = {}; + + if (requestParameters['list'] != null) { + queryParameters['list'] = requestParameters['list']; + } + + const headerParameters: runtime.HTTPHeaders = {}; + + const builtPath = `/{pki_external_ca_mount_path}/config/dns/google-cloud-dns/`.replace(`{${"pki_external_ca_mount_path"}}`, encodeURIComponent(String(requestParameters['pki_external_ca_mount_path']).replace(/\/+$/, ''))); + const response = await this.request({ + path: builtPath.replace(/\/\/+/g, '/'), + method: 'GET', + headers: headerParameters, + query: queryParameters, + }, initOverrides); + + return new runtime.JSONApiResponse(response, (jsonValue) => StandardListResponseFromJSON(jsonValue)); + } + + /** + */ + async pkiExternalCaListConfigDnsGoogleCloudDns(pki_external_ca_mount_path: string, list: SecretsApiPkiExternalCaListConfigDnsGoogleCloudDnsListEnum, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise { + const response = await this.pkiExternalCaListConfigDnsGoogleCloudDnsRaw({ pki_external_ca_mount_path: pki_external_ca_mount_path, list: list }, initOverrides); + return await response.value(); + } + + /** + */ + async pkiExternalCaListConfigDnsRfc2136Raw(requestParameters: SecretsApiPkiExternalCaListConfigDnsRfc2136Request, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise> { + if (requestParameters['pki_external_ca_mount_path'] == null) { + throw new runtime.RequiredError( + 'pki_external_ca_mount_path', + 'Required parameter "pki_external_ca_mount_path" was null or undefined when calling pkiExternalCaListConfigDnsRfc2136().' 
+ ); + } + + if (requestParameters['list'] == null) { + throw new runtime.RequiredError( + 'list', + 'Required parameter "list" was null or undefined when calling pkiExternalCaListConfigDnsRfc2136().' + ); + } + + const queryParameters: any = {}; + + if (requestParameters['list'] != null) { + queryParameters['list'] = requestParameters['list']; + } + + const headerParameters: runtime.HTTPHeaders = {}; + + const builtPath = `/{pki_external_ca_mount_path}/config/dns/rfc2136/`.replace(`{${"pki_external_ca_mount_path"}}`, encodeURIComponent(String(requestParameters['pki_external_ca_mount_path']).replace(/\/+$/, ''))); + const response = await this.request({ + path: builtPath.replace(/\/\/+/g, '/'), + method: 'GET', + headers: headerParameters, + query: queryParameters, + }, initOverrides); + + return new runtime.JSONApiResponse(response, (jsonValue) => StandardListResponseFromJSON(jsonValue)); + } + + /** + */ + async pkiExternalCaListConfigDnsRfc2136(pki_external_ca_mount_path: string, list: SecretsApiPkiExternalCaListConfigDnsRfc2136ListEnum, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise { + const response = await this.pkiExternalCaListConfigDnsRfc2136Raw({ pki_external_ca_mount_path: pki_external_ca_mount_path, list: list }, initOverrides); + return await response.value(); + } + /** */ async pkiExternalCaListLookupOrdersRaw(requestParameters: SecretsApiPkiExternalCaListLookupOrdersRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise> { 
@@ -16791,6 +17298,162 @@ export class SecretsApi extends runtime.BaseAPI { return await response.value(); } + /** + */ + async pkiExternalCaReadConfigDnsAwsRoute53Raw(requestParameters: SecretsApiPkiExternalCaReadConfigDnsAwsRoute53Request, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise> { + if (requestParameters['name'] == null) { + throw new runtime.RequiredError( + 'name', + 'Required parameter "name" was null or undefined when calling pkiExternalCaReadConfigDnsAwsRoute53().' + ); + } + + if (requestParameters['pki_external_ca_mount_path'] == null) { + throw new runtime.RequiredError( + 'pki_external_ca_mount_path', + 'Required parameter "pki_external_ca_mount_path" was null or undefined when calling pkiExternalCaReadConfigDnsAwsRoute53().' + ); + } + + const queryParameters: any = {}; + + const headerParameters: runtime.HTTPHeaders = {}; + + const builtPath = `/{pki_external_ca_mount_path}/config/dns/aws-route53/{name}`.replace(`{${"name"}}`, encodeURIComponent(String(requestParameters['name']).replace(/\/+$/, ''))).replace(`{${"pki_external_ca_mount_path"}}`, encodeURIComponent(String(requestParameters['pki_external_ca_mount_path']).replace(/\/+$/, ''))); + const response = await this.request({ + path: builtPath.replace(/\/\/+/g, '/'), + method: 'GET', + headers: headerParameters, + query: queryParameters, + }, initOverrides); + + return new runtime.JSONApiResponse(response, (jsonValue) => PkiExternalCaReadConfigDnsAwsRoute53ResponseFromJSON(jsonValue)); + } + + /** + */ + async pkiExternalCaReadConfigDnsAwsRoute53(name: string, pki_external_ca_mount_path: string, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise { + const response = await this.pkiExternalCaReadConfigDnsAwsRoute53Raw({ name: name, pki_external_ca_mount_path: pki_external_ca_mount_path }, initOverrides); + return await response.value(); + } + + /** + */ + async pkiExternalCaReadConfigDnsAzureDnsRaw(requestParameters: 
SecretsApiPkiExternalCaReadConfigDnsAzureDnsRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise> { + if (requestParameters['name'] == null) { + throw new runtime.RequiredError( + 'name', + 'Required parameter "name" was null or undefined when calling pkiExternalCaReadConfigDnsAzureDns().' + ); + } + + if (requestParameters['pki_external_ca_mount_path'] == null) { + throw new runtime.RequiredError( + 'pki_external_ca_mount_path', + 'Required parameter "pki_external_ca_mount_path" was null or undefined when calling pkiExternalCaReadConfigDnsAzureDns().' + ); + } + + const queryParameters: any = {}; + + const headerParameters: runtime.HTTPHeaders = {}; + + const builtPath = `/{pki_external_ca_mount_path}/config/dns/azure-dns/{name}`.replace(`{${"name"}}`, encodeURIComponent(String(requestParameters['name']).replace(/\/+$/, ''))).replace(`{${"pki_external_ca_mount_path"}}`, encodeURIComponent(String(requestParameters['pki_external_ca_mount_path']).replace(/\/+$/, ''))); + const response = await this.request({ + path: builtPath.replace(/\/\/+/g, '/'), + method: 'GET', + headers: headerParameters, + query: queryParameters, + }, initOverrides); + + return new runtime.JSONApiResponse(response, (jsonValue) => PkiExternalCaReadConfigDnsAzureDnsResponseFromJSON(jsonValue)); + } + + /** + */ + async pkiExternalCaReadConfigDnsAzureDns(name: string, pki_external_ca_mount_path: string, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise { + const response = await this.pkiExternalCaReadConfigDnsAzureDnsRaw({ name: name, pki_external_ca_mount_path: pki_external_ca_mount_path }, initOverrides); + return await response.value(); + } + + /** + */ + async pkiExternalCaReadConfigDnsGoogleCloudDnsRaw(requestParameters: SecretsApiPkiExternalCaReadConfigDnsGoogleCloudDnsRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise> { + if (requestParameters['name'] == null) { + throw new runtime.RequiredError( + 'name', + 'Required 
parameter "name" was null or undefined when calling pkiExternalCaReadConfigDnsGoogleCloudDns().' + ); + } + + if (requestParameters['pki_external_ca_mount_path'] == null) { + throw new runtime.RequiredError( + 'pki_external_ca_mount_path', + 'Required parameter "pki_external_ca_mount_path" was null or undefined when calling pkiExternalCaReadConfigDnsGoogleCloudDns().' + ); + } + + const queryParameters: any = {}; + + const headerParameters: runtime.HTTPHeaders = {}; + + const builtPath = `/{pki_external_ca_mount_path}/config/dns/google-cloud-dns/{name}`.replace(`{${"name"}}`, encodeURIComponent(String(requestParameters['name']).replace(/\/+$/, ''))).replace(`{${"pki_external_ca_mount_path"}}`, encodeURIComponent(String(requestParameters['pki_external_ca_mount_path']).replace(/\/+$/, ''))); + const response = await this.request({ + path: builtPath.replace(/\/\/+/g, '/'), + method: 'GET', + headers: headerParameters, + query: queryParameters, + }, initOverrides); + + return new runtime.JSONApiResponse(response, (jsonValue) => PkiExternalCaReadConfigDnsGoogleCloudDnsResponseFromJSON(jsonValue)); + } + + /** + */ + async pkiExternalCaReadConfigDnsGoogleCloudDns(name: string, pki_external_ca_mount_path: string, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise { + const response = await this.pkiExternalCaReadConfigDnsGoogleCloudDnsRaw({ name: name, pki_external_ca_mount_path: pki_external_ca_mount_path }, initOverrides); + return await response.value(); + } + + /** + */ + async pkiExternalCaReadConfigDnsRfc2136Raw(requestParameters: SecretsApiPkiExternalCaReadConfigDnsRfc2136Request, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise> { + if (requestParameters['name'] == null) { + throw new runtime.RequiredError( + 'name', + 'Required parameter "name" was null or undefined when calling pkiExternalCaReadConfigDnsRfc2136().' 
+ ); + } + + if (requestParameters['pki_external_ca_mount_path'] == null) { + throw new runtime.RequiredError( + 'pki_external_ca_mount_path', + 'Required parameter "pki_external_ca_mount_path" was null or undefined when calling pkiExternalCaReadConfigDnsRfc2136().' + ); + } + + const queryParameters: any = {}; + + const headerParameters: runtime.HTTPHeaders = {}; + + const builtPath = `/{pki_external_ca_mount_path}/config/dns/rfc2136/{name}`.replace(`{${"name"}}`, encodeURIComponent(String(requestParameters['name']).replace(/\/+$/, ''))).replace(`{${"pki_external_ca_mount_path"}}`, encodeURIComponent(String(requestParameters['pki_external_ca_mount_path']).replace(/\/+$/, ''))); + const response = await this.request({ + path: builtPath.replace(/\/\/+/g, '/'), + method: 'GET', + headers: headerParameters, + query: queryParameters, + }, initOverrides); + + return new runtime.JSONApiResponse(response, (jsonValue) => PkiExternalCaReadConfigDnsRfc2136ResponseFromJSON(jsonValue)); + } + + /** + */ + async pkiExternalCaReadConfigDnsRfc2136(name: string, pki_external_ca_mount_path: string, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise { + const response = await this.pkiExternalCaReadConfigDnsRfc2136Raw({ name: name, pki_external_ca_mount_path: pki_external_ca_mount_path }, initOverrides); + return await response.value(); + } + /** */ async pkiExternalCaReadLookupCertSerialRaw(requestParameters: SecretsApiPkiExternalCaReadLookupCertSerialRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise> { 
@@ -17183,6 +17846,244 @@ export class SecretsApi extends runtime.BaseAPI { return await response.value(); } + /** + */ + async pkiExternalCaWriteConfigDnsAwsRoute53Raw(requestParameters: SecretsApiPkiExternalCaWriteConfigDnsAwsRoute53OperationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise> { + if (requestParameters['name'] == null) { + throw new runtime.RequiredError( + 'name', + 'Required parameter "name" was null or undefined when calling pkiExternalCaWriteConfigDnsAwsRoute53().' + ); + } + + if (requestParameters['pki_external_ca_mount_path'] == null) { + throw new runtime.RequiredError( + 'pki_external_ca_mount_path', + 'Required parameter "pki_external_ca_mount_path" was null or undefined when calling pkiExternalCaWriteConfigDnsAwsRoute53().' + ); + } + + if (requestParameters['PkiExternalCaWriteConfigDnsAwsRoute53Request'] == null) { + throw new runtime.RequiredError( + 'PkiExternalCaWriteConfigDnsAwsRoute53Request', + 'Required parameter "PkiExternalCaWriteConfigDnsAwsRoute53Request" was null or undefined when calling pkiExternalCaWriteConfigDnsAwsRoute53().' 
+ ); + } + + const queryParameters: any = {}; + + const headerParameters: runtime.HTTPHeaders = {}; + + headerParameters['Content-Type'] = 'application/json'; + + const builtPath = `/{pki_external_ca_mount_path}/config/dns/aws-route53/{name}`.replace(`{${"name"}}`, encodeURIComponent(String(requestParameters['name']).replace(/\/+$/, ''))).replace(`{${"pki_external_ca_mount_path"}}`, encodeURIComponent(String(requestParameters['pki_external_ca_mount_path']).replace(/\/+$/, ''))); + const response = await this.request({ + path: builtPath.replace(/\/\/+/g, '/'), + method: 'POST', + headers: headerParameters, + query: queryParameters, + body: PkiExternalCaWriteConfigDnsAwsRoute53RequestToJSON(requestParameters['PkiExternalCaWriteConfigDnsAwsRoute53Request']), + }, initOverrides); + + return new runtime.JSONApiResponse(response, (jsonValue) => PkiExternalCaWriteConfigDnsAwsRoute53ResponseFromJSON(jsonValue)); + } + + /** + */ + async pkiExternalCaWriteConfigDnsAwsRoute53(name: string, pki_external_ca_mount_path: string, PkiExternalCaWriteConfigDnsAwsRoute53Request: PkiExternalCaWriteConfigDnsAwsRoute53Request, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise { + const response = await this.pkiExternalCaWriteConfigDnsAwsRoute53Raw({ name: name, pki_external_ca_mount_path: pki_external_ca_mount_path, PkiExternalCaWriteConfigDnsAwsRoute53Request: PkiExternalCaWriteConfigDnsAwsRoute53Request }, initOverrides); + return await response.value(); + } + + /** + */ + async pkiExternalCaWriteConfigDnsAzureDnsRaw(requestParameters: SecretsApiPkiExternalCaWriteConfigDnsAzureDnsOperationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise> { + if (requestParameters['name'] == null) { + throw new runtime.RequiredError( + 'name', + 'Required parameter "name" was null or undefined when calling pkiExternalCaWriteConfigDnsAzureDns().' 
+ ); + } + + if (requestParameters['pki_external_ca_mount_path'] == null) { + throw new runtime.RequiredError( + 'pki_external_ca_mount_path', + 'Required parameter "pki_external_ca_mount_path" was null or undefined when calling pkiExternalCaWriteConfigDnsAzureDns().' + ); + } + + if (requestParameters['PkiExternalCaWriteConfigDnsAzureDnsRequest'] == null) { + throw new runtime.RequiredError( + 'PkiExternalCaWriteConfigDnsAzureDnsRequest', + 'Required parameter "PkiExternalCaWriteConfigDnsAzureDnsRequest" was null or undefined when calling pkiExternalCaWriteConfigDnsAzureDns().' + ); + } + + const queryParameters: any = {}; + + const headerParameters: runtime.HTTPHeaders = {}; + + headerParameters['Content-Type'] = 'application/json'; + + const builtPath = `/{pki_external_ca_mount_path}/config/dns/azure-dns/{name}`.replace(`{${"name"}}`, encodeURIComponent(String(requestParameters['name']).replace(/\/+$/, ''))).replace(`{${"pki_external_ca_mount_path"}}`, encodeURIComponent(String(requestParameters['pki_external_ca_mount_path']).replace(/\/+$/, ''))); + const response = await this.request({ + path: builtPath.replace(/\/\/+/g, '/'), + method: 'POST', + headers: headerParameters, + query: queryParameters, + body: PkiExternalCaWriteConfigDnsAzureDnsRequestToJSON(requestParameters['PkiExternalCaWriteConfigDnsAzureDnsRequest']), + }, initOverrides); + + return new runtime.JSONApiResponse(response, (jsonValue) => PkiExternalCaWriteConfigDnsAzureDnsResponseFromJSON(jsonValue)); + } + + /** + */ + async pkiExternalCaWriteConfigDnsAzureDns(name: string, pki_external_ca_mount_path: string, PkiExternalCaWriteConfigDnsAzureDnsRequest: PkiExternalCaWriteConfigDnsAzureDnsRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise { + const response = await this.pkiExternalCaWriteConfigDnsAzureDnsRaw({ name: name, pki_external_ca_mount_path: pki_external_ca_mount_path, PkiExternalCaWriteConfigDnsAzureDnsRequest: PkiExternalCaWriteConfigDnsAzureDnsRequest }, 
initOverrides); + return await response.value(); + } + + /** + */ + async pkiExternalCaWriteConfigDnsGoogleCloudDnsRaw(requestParameters: SecretsApiPkiExternalCaWriteConfigDnsGoogleCloudDnsOperationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise> { + if (requestParameters['name'] == null) { + throw new runtime.RequiredError( + 'name', + 'Required parameter "name" was null or undefined when calling pkiExternalCaWriteConfigDnsGoogleCloudDns().' + ); + } + + if (requestParameters['pki_external_ca_mount_path'] == null) { + throw new runtime.RequiredError( + 'pki_external_ca_mount_path', + 'Required parameter "pki_external_ca_mount_path" was null or undefined when calling pkiExternalCaWriteConfigDnsGoogleCloudDns().' + ); + } + + if (requestParameters['PkiExternalCaWriteConfigDnsGoogleCloudDnsRequest'] == null) { + throw new runtime.RequiredError( + 'PkiExternalCaWriteConfigDnsGoogleCloudDnsRequest', + 'Required parameter "PkiExternalCaWriteConfigDnsGoogleCloudDnsRequest" was null or undefined when calling pkiExternalCaWriteConfigDnsGoogleCloudDns().' 
+ ); + } + + const queryParameters: any = {}; + + const headerParameters: runtime.HTTPHeaders = {}; + + headerParameters['Content-Type'] = 'application/json'; + + const builtPath = `/{pki_external_ca_mount_path}/config/dns/google-cloud-dns/{name}`.replace(`{${"name"}}`, encodeURIComponent(String(requestParameters['name']).replace(/\/+$/, ''))).replace(`{${"pki_external_ca_mount_path"}}`, encodeURIComponent(String(requestParameters['pki_external_ca_mount_path']).replace(/\/+$/, ''))); + const response = await this.request({ + path: builtPath.replace(/\/\/+/g, '/'), + method: 'POST', + headers: headerParameters, + query: queryParameters, + body: PkiExternalCaWriteConfigDnsGoogleCloudDnsRequestToJSON(requestParameters['PkiExternalCaWriteConfigDnsGoogleCloudDnsRequest']), + }, initOverrides); + + return new runtime.JSONApiResponse(response, (jsonValue) => PkiExternalCaWriteConfigDnsGoogleCloudDnsResponseFromJSON(jsonValue)); + } + + /** + */ + async pkiExternalCaWriteConfigDnsGoogleCloudDns(name: string, pki_external_ca_mount_path: string, PkiExternalCaWriteConfigDnsGoogleCloudDnsRequest: PkiExternalCaWriteConfigDnsGoogleCloudDnsRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise { + const response = await this.pkiExternalCaWriteConfigDnsGoogleCloudDnsRaw({ name: name, pki_external_ca_mount_path: pki_external_ca_mount_path, PkiExternalCaWriteConfigDnsGoogleCloudDnsRequest: PkiExternalCaWriteConfigDnsGoogleCloudDnsRequest }, initOverrides); + return await response.value(); + } + + /** + */ + async pkiExternalCaWriteConfigDnsRfc2136Raw(requestParameters: SecretsApiPkiExternalCaWriteConfigDnsRfc2136OperationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise> { + if (requestParameters['name'] == null) { + throw new runtime.RequiredError( + 'name', + 'Required parameter "name" was null or undefined when calling pkiExternalCaWriteConfigDnsRfc2136().' 
+ ); + } + + if (requestParameters['pki_external_ca_mount_path'] == null) { + throw new runtime.RequiredError( + 'pki_external_ca_mount_path', + 'Required parameter "pki_external_ca_mount_path" was null or undefined when calling pkiExternalCaWriteConfigDnsRfc2136().' + ); + } + + if (requestParameters['PkiExternalCaWriteConfigDnsRfc2136Request'] == null) { + throw new runtime.RequiredError( + 'PkiExternalCaWriteConfigDnsRfc2136Request', + 'Required parameter "PkiExternalCaWriteConfigDnsRfc2136Request" was null or undefined when calling pkiExternalCaWriteConfigDnsRfc2136().' + ); + } + + const queryParameters: any = {}; + + const headerParameters: runtime.HTTPHeaders = {}; + + headerParameters['Content-Type'] = 'application/json'; + + const builtPath = `/{pki_external_ca_mount_path}/config/dns/rfc2136/{name}`.replace(`{${"name"}}`, encodeURIComponent(String(requestParameters['name']).replace(/\/+$/, ''))).replace(`{${"pki_external_ca_mount_path"}}`, encodeURIComponent(String(requestParameters['pki_external_ca_mount_path']).replace(/\/+$/, ''))); + const response = await this.request({ + path: builtPath.replace(/\/\/+/g, '/'), + method: 'POST', + headers: headerParameters, + query: queryParameters, + body: PkiExternalCaWriteConfigDnsRfc2136RequestToJSON(requestParameters['PkiExternalCaWriteConfigDnsRfc2136Request']), + }, initOverrides); + + return new runtime.JSONApiResponse(response, (jsonValue) => PkiExternalCaWriteConfigDnsRfc2136ResponseFromJSON(jsonValue)); + } + + /** + */ + async pkiExternalCaWriteConfigDnsRfc2136(name: string, pki_external_ca_mount_path: string, PkiExternalCaWriteConfigDnsRfc2136Request: PkiExternalCaWriteConfigDnsRfc2136Request, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise { + const response = await this.pkiExternalCaWriteConfigDnsRfc2136Raw({ name: name, pki_external_ca_mount_path: pki_external_ca_mount_path, PkiExternalCaWriteConfigDnsRfc2136Request: PkiExternalCaWriteConfigDnsRfc2136Request }, initOverrides); + 
return await response.value(); + } + + /** + */ + async pkiExternalCaWriteDnsTestWorkflowRaw(requestParameters: SecretsApiPkiExternalCaWriteDnsTestWorkflowOperationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise> { + if (requestParameters['pki_external_ca_mount_path'] == null) { + throw new runtime.RequiredError( + 'pki_external_ca_mount_path', + 'Required parameter "pki_external_ca_mount_path" was null or undefined when calling pkiExternalCaWriteDnsTestWorkflow().' + ); + } + + if (requestParameters['PkiExternalCaWriteDnsTestWorkflowRequest'] == null) { + throw new runtime.RequiredError( + 'PkiExternalCaWriteDnsTestWorkflowRequest', + 'Required parameter "PkiExternalCaWriteDnsTestWorkflowRequest" was null or undefined when calling pkiExternalCaWriteDnsTestWorkflow().' + ); + } + + const queryParameters: any = {}; + + const headerParameters: runtime.HTTPHeaders = {}; + + headerParameters['Content-Type'] = 'application/json'; + + const builtPath = `/{pki_external_ca_mount_path}/dns/test/workflow`.replace(`{${"pki_external_ca_mount_path"}}`, encodeURIComponent(String(requestParameters['pki_external_ca_mount_path']).replace(/\/+$/, ''))); + const response = await this.request({ + path: builtPath.replace(/\/\/+/g, '/'), + method: 'POST', + headers: headerParameters, + query: queryParameters, + body: PkiExternalCaWriteDnsTestWorkflowRequestToJSON(requestParameters['PkiExternalCaWriteDnsTestWorkflowRequest']), + }, initOverrides); + + return new runtime.JSONApiResponse(response, (jsonValue) => PkiExternalCaWriteDnsTestWorkflowResponseFromJSON(jsonValue)); + } + + /** + */ + async pkiExternalCaWriteDnsTestWorkflow(pki_external_ca_mount_path: string, PkiExternalCaWriteDnsTestWorkflowRequest: PkiExternalCaWriteDnsTestWorkflowRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise { + const response = await this.pkiExternalCaWriteDnsTestWorkflowRaw({ pki_external_ca_mount_path: pki_external_ca_mount_path, 
PkiExternalCaWriteDnsTestWorkflowRequest: PkiExternalCaWriteDnsTestWorkflowRequest }, initOverrides); + return await response.value(); + } + /** */ async pkiExternalCaWriteRoleNameRaw(requestParameters: SecretsApiPkiExternalCaWriteRoleNameOperationRequest, initOverrides?: RequestInit | runtime.InitOverrideFunction): Promise> { @@ -35474,6 +36375,41 @@ export enum SecretsApiNomadListRolesListEnum { export enum SecretsApiPkiExternalCaListConfigAcmeAccountListEnum { TRUE = 'true' } +/** + * @export + * @enum {string} + */ +export enum SecretsApiPkiExternalCaListConfigDnsListEnum { + TRUE = 'true' +} +/** + * @export + * @enum {string} + */ +export enum SecretsApiPkiExternalCaListConfigDnsAwsRoute53ListEnum { + TRUE = 'true' +} +/** + * @export + * @enum {string} + */ +export enum SecretsApiPkiExternalCaListConfigDnsAzureDnsListEnum { + TRUE = 'true' +} +/** + * @export + * @enum {string} + */ +export enum SecretsApiPkiExternalCaListConfigDnsGoogleCloudDnsListEnum { + TRUE = 'true' +} +/** + * @export + * @enum {string} + */ +export enum SecretsApiPkiExternalCaListConfigDnsRfc2136ListEnum { + TRUE = 'true' +} /** * @export * @enum {string} diff --git a/src/models/PkiExternalCaReadConfigDnsAwsRoute53Response.ts b/src/models/PkiExternalCaReadConfigDnsAwsRoute53Response.ts new file mode 100644 index 0000000..2a26524 --- /dev/null +++ b/src/models/PkiExternalCaReadConfigDnsAwsRoute53Response.ts 
@@ -0,0 +1,141 @@ +/** + * Copyright IBM Corp. 2025, 2026 + */ + +/* tslint:disable */ +/* eslint-disable */ +/** + * HashiCorp Vault API + * HTTP API that gives you full access to Vault. All API routes are prefixed with `/v1/`. + * + * The version of the OpenAPI document: 3.0.0 + * + * + * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). + * https://openapi-generator.tech + * Do not edit the class manually. + */ + +import { mapValues } from '../runtime'; +/** + * + * @export + * @interface PkiExternalCaReadConfigDnsAwsRoute53Response + */ +export interface PkiExternalCaReadConfigDnsAwsRoute53Response { + /** + * AWS access key ID for Route53 API access + * @type {string} + * @memberof PkiExternalCaReadConfigDnsAwsRoute53Response + */ + access_key_id?: string; + /** + * AWS IAM role ARN to assume for Route53 operations + * @type {string} + * @memberof PkiExternalCaReadConfigDnsAwsRoute53Response + */ + assume_role_arn?: string; + /** + * Configuration creation timestamp + * @type {Date} + * @memberof PkiExternalCaReadConfigDnsAwsRoute53Response + */ + creation_date?: Date; + /** + * External ID for AWS STS AssumeRole + * @type {string} + * @memberof PkiExternalCaReadConfigDnsAwsRoute53Response + */ + external_id?: string; + /** + * AWS Route53 hosted zone ID + * @type {string} + * @memberof PkiExternalCaReadConfigDnsAwsRoute53Response + */ + hosted_zone_id?: string; + /** + * List of DNS identifiers this provider can be used for. 
Supports wildcard patterns with leftmost * (e.g., *.example.com) + * @type {Array} + * @memberof PkiExternalCaReadConfigDnsAwsRoute53Response + */ + identifiers?: Array; + /** + * Configuration last update timestamp + * @type {Date} + * @memberof PkiExternalCaReadConfigDnsAwsRoute53Response + */ + last_update_date?: Date; + /** + * Name of the aws-route53 DNS configuration + * @type {string} + * @memberof PkiExternalCaReadConfigDnsAwsRoute53Response + */ + name?: string; + /** + * AWS region for Route53 operations + * @type {string} + * @memberof PkiExternalCaReadConfigDnsAwsRoute53Response + */ + region?: string; + /** + * TTL for DNS TXT records used in DNS-01 challenges + * @type {string} + * @memberof PkiExternalCaReadConfigDnsAwsRoute53Response + */ + ttl?: string; +} + +/** + * Check if a given object implements the PkiExternalCaReadConfigDnsAwsRoute53Response interface. + */ +export function instanceOfPkiExternalCaReadConfigDnsAwsRoute53Response(value: object): value is PkiExternalCaReadConfigDnsAwsRoute53Response { + return true; +} + +export function PkiExternalCaReadConfigDnsAwsRoute53ResponseFromJSON(json: any): PkiExternalCaReadConfigDnsAwsRoute53Response { + return PkiExternalCaReadConfigDnsAwsRoute53ResponseFromJSONTyped(json, false); +} + +export function PkiExternalCaReadConfigDnsAwsRoute53ResponseFromJSONTyped(json: any, ignoreDiscriminator: boolean): PkiExternalCaReadConfigDnsAwsRoute53Response { + if (json == null) { + return json; + } + return { + + 'access_key_id': json['access_key_id'] == null ? undefined : json['access_key_id'], + 'assume_role_arn': json['assume_role_arn'] == null ? undefined : json['assume_role_arn'], + 'creation_date': json['creation_date'] == null ? undefined : (new Date(json['creation_date'])), + 'external_id': json['external_id'] == null ? undefined : json['external_id'], + 'hosted_zone_id': json['hosted_zone_id'] == null ? undefined : json['hosted_zone_id'], + 'identifiers': json['identifiers'] == null ? 
undefined : json['identifiers'], + 'last_update_date': json['last_update_date'] == null ? undefined : (new Date(json['last_update_date'])), + 'name': json['name'] == null ? undefined : json['name'], + 'region': json['region'] == null ? undefined : json['region'], + 'ttl': json['ttl'] == null ? undefined : json['ttl'], + }; +} + +export function PkiExternalCaReadConfigDnsAwsRoute53ResponseToJSON(json: any): PkiExternalCaReadConfigDnsAwsRoute53Response { + return PkiExternalCaReadConfigDnsAwsRoute53ResponseToJSONTyped(json, false); +} + +export function PkiExternalCaReadConfigDnsAwsRoute53ResponseToJSONTyped(value?: PkiExternalCaReadConfigDnsAwsRoute53Response | null, ignoreDiscriminator: boolean = false): any { + if (value == null) { + return value; + } + + return { + + 'access_key_id': value['access_key_id'], + 'assume_role_arn': value['assume_role_arn'], + 'creation_date': value['creation_date'] == null ? undefined : ((value['creation_date']).toISOString()), + 'external_id': value['external_id'], + 'hosted_zone_id': value['hosted_zone_id'], + 'identifiers': value['identifiers'], + 'last_update_date': value['last_update_date'] == null ? undefined : ((value['last_update_date']).toISOString()), + 'name': value['name'], + 'region': value['region'], + 'ttl': value['ttl'], + }; +} + diff --git a/src/models/PkiExternalCaReadConfigDnsAzureDnsResponse.ts b/src/models/PkiExternalCaReadConfigDnsAzureDnsResponse.ts new file mode 100644 index 0000000..144d06d --- /dev/null +++ b/src/models/PkiExternalCaReadConfigDnsAzureDnsResponse.ts 
@@ -0,0 +1,149 @@ +/** + * Copyright IBM Corp. 2025, 2026 + */ + +/* tslint:disable */ +/* eslint-disable */ +/** + * HashiCorp Vault API + * HTTP API that gives you full access to Vault. All API routes are prefixed with `/v1/`. + * + * The version of the OpenAPI document: 3.0.0 + * + * + * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). + * https://openapi-generator.tech + * Do not edit the class manually. + */ + +import { mapValues } from '../runtime'; +/** + * + * @export + * @interface PkiExternalCaReadConfigDnsAzureDnsResponse + */ +export interface PkiExternalCaReadConfigDnsAzureDnsResponse { + /** + * Azure service principal client ID + * @type {string} + * @memberof PkiExternalCaReadConfigDnsAzureDnsResponse + */ + client_id?: string; + /** + * Configuration creation timestamp + * @type {Date} + * @memberof PkiExternalCaReadConfigDnsAzureDnsResponse + */ + creation_date?: Date; + /** + * Azure cloud environment (AzurePublic, AzureChina, AzureGovernment; default: AzurePublic) + * @type {string} + * @memberof PkiExternalCaReadConfigDnsAzureDnsResponse + */ + environment?: string; + /** + * List of DNS identifiers this provider can be used for. 
Supports wildcard patterns with leftmost * (e.g., *.example.com) + * @type {Array} + * @memberof PkiExternalCaReadConfigDnsAzureDnsResponse + */ + identifiers?: Array; + /** + * Configuration last update timestamp + * @type {Date} + * @memberof PkiExternalCaReadConfigDnsAzureDnsResponse + */ + last_update_date?: Date; + /** + * Name of the azure-dns DNS configuration + * @type {string} + * @memberof PkiExternalCaReadConfigDnsAzureDnsResponse + */ + name?: string; + /** + * Azure resource group name containing the DNS zone + * @type {string} + * @memberof PkiExternalCaReadConfigDnsAzureDnsResponse + */ + resource_group_name?: string; + /** + * Azure subscription ID + * @type {string} + * @memberof PkiExternalCaReadConfigDnsAzureDnsResponse + */ + subscription_id?: string; + /** + * Azure tenant ID + * @type {string} + * @memberof PkiExternalCaReadConfigDnsAzureDnsResponse + */ + tenant_id?: string; + /** + * TTL for DNS TXT records used in DNS-01 challenges + * @type {string} + * @memberof PkiExternalCaReadConfigDnsAzureDnsResponse + */ + ttl?: string; + /** + * Azure DNS zone name + * @type {string} + * @memberof PkiExternalCaReadConfigDnsAzureDnsResponse + */ + zone_name?: string; +} + +/** + * Check if a given object implements the PkiExternalCaReadConfigDnsAzureDnsResponse interface. + */ +export function instanceOfPkiExternalCaReadConfigDnsAzureDnsResponse(value: object): value is PkiExternalCaReadConfigDnsAzureDnsResponse { + return true; +} + +export function PkiExternalCaReadConfigDnsAzureDnsResponseFromJSON(json: any): PkiExternalCaReadConfigDnsAzureDnsResponse { + return PkiExternalCaReadConfigDnsAzureDnsResponseFromJSONTyped(json, false); +} + +export function PkiExternalCaReadConfigDnsAzureDnsResponseFromJSONTyped(json: any, ignoreDiscriminator: boolean): PkiExternalCaReadConfigDnsAzureDnsResponse { + if (json == null) { + return json; + } + return { + + 'client_id': json['client_id'] == null ? 
undefined : json['client_id'], + 'creation_date': json['creation_date'] == null ? undefined : (new Date(json['creation_date'])), + 'environment': json['environment'] == null ? undefined : json['environment'], + 'identifiers': json['identifiers'] == null ? undefined : json['identifiers'], + 'last_update_date': json['last_update_date'] == null ? undefined : (new Date(json['last_update_date'])), + 'name': json['name'] == null ? undefined : json['name'], + 'resource_group_name': json['resource_group_name'] == null ? undefined : json['resource_group_name'], + 'subscription_id': json['subscription_id'] == null ? undefined : json['subscription_id'], + 'tenant_id': json['tenant_id'] == null ? undefined : json['tenant_id'], + 'ttl': json['ttl'] == null ? undefined : json['ttl'], + 'zone_name': json['zone_name'] == null ? undefined : json['zone_name'], + }; +} + +export function PkiExternalCaReadConfigDnsAzureDnsResponseToJSON(json: any): PkiExternalCaReadConfigDnsAzureDnsResponse { + return PkiExternalCaReadConfigDnsAzureDnsResponseToJSONTyped(json, false); +} + +export function PkiExternalCaReadConfigDnsAzureDnsResponseToJSONTyped(value?: PkiExternalCaReadConfigDnsAzureDnsResponse | null, ignoreDiscriminator: boolean = false): any { + if (value == null) { + return value; + } + + return { + + 'client_id': value['client_id'], + 'creation_date': value['creation_date'] == null ? undefined : ((value['creation_date']).toISOString()), + 'environment': value['environment'], + 'identifiers': value['identifiers'], + 'last_update_date': value['last_update_date'] == null ? undefined : ((value['last_update_date']).toISOString()), + 'name': value['name'], + 'resource_group_name': value['resource_group_name'], + 'subscription_id': value['subscription_id'], + 'tenant_id': value['tenant_id'], + 'ttl': value['ttl'], + 'zone_name': value['zone_name'], + }; +} + 
diff --git a/src/models/PkiExternalCaReadConfigDnsGoogleCloudDnsResponse.ts b/src/models/PkiExternalCaReadConfigDnsGoogleCloudDnsResponse.ts new file mode 100644 index 0000000..64d1b47 --- /dev/null +++ b/src/models/PkiExternalCaReadConfigDnsGoogleCloudDnsResponse.ts 
@@ -0,0 +1,125 @@ +/** + * Copyright IBM Corp. 2025, 2026 + */ + +/* tslint:disable */ +/* eslint-disable */ +/** + * HashiCorp Vault API + * HTTP API that gives you full access to Vault. All API routes are prefixed with `/v1/`. + * + * The version of the OpenAPI document: 3.0.0 + * + * + * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). + * https://openapi-generator.tech + * Do not edit the class manually. + */ + +import { mapValues } from '../runtime'; +/** + * + * @export + * @interface PkiExternalCaReadConfigDnsGoogleCloudDnsResponse + */ +export interface PkiExternalCaReadConfigDnsGoogleCloudDnsResponse { + /** + * Configuration creation timestamp + * @type {Date} + * @memberof PkiExternalCaReadConfigDnsGoogleCloudDnsResponse + */ + creation_date?: Date; + /** + * List of DNS identifiers this provider can be used for. Supports wildcard patterns with leftmost * (e.g., *.example.com) + * @type {Array} + * @memberof PkiExternalCaReadConfigDnsGoogleCloudDnsResponse + */ + identifiers?: Array; + /** + * Service account email to impersonate + * @type {string} + * @memberof PkiExternalCaReadConfigDnsGoogleCloudDnsResponse + */ + impersonate_service_account?: string; + /** + * Configuration last update timestamp + * @type {Date} + * @memberof PkiExternalCaReadConfigDnsGoogleCloudDnsResponse + */ + last_update_date?: Date; + /** + * Name of the google-cloud-dns DNS configuration + * @type {string} + * @memberof PkiExternalCaReadConfigDnsGoogleCloudDnsResponse + */ + name?: string; + /** + * GCP project name + * @type {string} + * @memberof PkiExternalCaReadConfigDnsGoogleCloudDnsResponse + */ + project?: string; + /** + * TTL for DNS TXT records used in DNS-01 challenges + * @type {string} + * @memberof PkiExternalCaReadConfigDnsGoogleCloudDnsResponse + */ + ttl?: string; + /** + * GCP DNS zone name + * @type {string} + * @memberof PkiExternalCaReadConfigDnsGoogleCloudDnsResponse + */ + zone_name?: string; +} + +/** + * Check 
if a given object implements the PkiExternalCaReadConfigDnsGoogleCloudDnsResponse interface. + */ +export function instanceOfPkiExternalCaReadConfigDnsGoogleCloudDnsResponse(value: object): value is PkiExternalCaReadConfigDnsGoogleCloudDnsResponse { + return true; +} + +export function PkiExternalCaReadConfigDnsGoogleCloudDnsResponseFromJSON(json: any): PkiExternalCaReadConfigDnsGoogleCloudDnsResponse { + return PkiExternalCaReadConfigDnsGoogleCloudDnsResponseFromJSONTyped(json, false); +} + +export function PkiExternalCaReadConfigDnsGoogleCloudDnsResponseFromJSONTyped(json: any, ignoreDiscriminator: boolean): PkiExternalCaReadConfigDnsGoogleCloudDnsResponse { + if (json == null) { + return json; + } + return { + + 'creation_date': json['creation_date'] == null ? undefined : (new Date(json['creation_date'])), + 'identifiers': json['identifiers'] == null ? undefined : json['identifiers'], + 'impersonate_service_account': json['impersonate_service_account'] == null ? undefined : json['impersonate_service_account'], + 'last_update_date': json['last_update_date'] == null ? undefined : (new Date(json['last_update_date'])), + 'name': json['name'] == null ? undefined : json['name'], + 'project': json['project'] == null ? undefined : json['project'], + 'ttl': json['ttl'] == null ? undefined : json['ttl'], + 'zone_name': json['zone_name'] == null ? undefined : json['zone_name'], + }; +} + +export function PkiExternalCaReadConfigDnsGoogleCloudDnsResponseToJSON(json: any): PkiExternalCaReadConfigDnsGoogleCloudDnsResponse { + return PkiExternalCaReadConfigDnsGoogleCloudDnsResponseToJSONTyped(json, false); +} + +export function PkiExternalCaReadConfigDnsGoogleCloudDnsResponseToJSONTyped(value?: PkiExternalCaReadConfigDnsGoogleCloudDnsResponse | null, ignoreDiscriminator: boolean = false): any { + if (value == null) { + return value; + } + + return { + + 'creation_date': value['creation_date'] == null ? 
undefined : ((value['creation_date']).toISOString()), + 'identifiers': value['identifiers'], + 'impersonate_service_account': value['impersonate_service_account'], + 'last_update_date': value['last_update_date'] == null ? undefined : ((value['last_update_date']).toISOString()), + 'name': value['name'], + 'project': value['project'], + 'ttl': value['ttl'], + 'zone_name': value['zone_name'], + }; +} + diff --git a/src/models/PkiExternalCaReadConfigDnsRfc2136Response.ts b/src/models/PkiExternalCaReadConfigDnsRfc2136Response.ts new file mode 100644 index 0000000..d2ee421 --- /dev/null +++ b/src/models/PkiExternalCaReadConfigDnsRfc2136Response.ts 
@@ -0,0 +1,125 @@ +/** + * Copyright IBM Corp. 2025, 2026 + */ + +/* tslint:disable */ +/* eslint-disable */ +/** + * HashiCorp Vault API + * HTTP API that gives you full access to Vault. All API routes are prefixed with `/v1/`. + * + * The version of the OpenAPI document: 3.0.0 + * + * + * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). + * https://openapi-generator.tech + * Do not edit the class manually. + */ + +import { mapValues } from '../runtime'; +/** + * + * @export + * @interface PkiExternalCaReadConfigDnsRfc2136Response + */ +export interface PkiExternalCaReadConfigDnsRfc2136Response { + /** + * Configuration creation timestamp + * @type {Date} + * @memberof PkiExternalCaReadConfigDnsRfc2136Response + */ + creation_date?: Date; + /** + * List of DNS identifiers this provider can be used for. Supports wildcard patterns with leftmost * (e.g., *.example.com) + * @type {Array} + * @memberof PkiExternalCaReadConfigDnsRfc2136Response + */ + identifiers?: Array; + /** + * Configuration last update timestamp + * @type {Date} + * @memberof PkiExternalCaReadConfigDnsRfc2136Response + */ + last_update_date?: Date; + /** + * Name of the rfc2136 DNS configuration + * @type {string} + * @memberof PkiExternalCaReadConfigDnsRfc2136Response + */ + name?: string; + /** + * DNS server address (IP:port format, e.g., 192.168.1.1:53) + * @type {string} + * @memberof PkiExternalCaReadConfigDnsRfc2136Response + */ + nameserver?: string; + /** + * TSIG algorithm (e.g., hmac-sha256, hmac-sha512). 
Defaults to hmac-sha256 + * @type {string} + * @memberof PkiExternalCaReadConfigDnsRfc2136Response + */ + tsig_algorithm?: string; + /** + * TSIG key name for authenticated DNS updates + * @type {string} + * @memberof PkiExternalCaReadConfigDnsRfc2136Response + */ + tsig_key_name?: string; + /** + * TTL for DNS TXT records used in DNS-01 challenges + * @type {string} + * @memberof PkiExternalCaReadConfigDnsRfc2136Response + */ + ttl?: string; +} + +/** + * Check if a given object implements the PkiExternalCaReadConfigDnsRfc2136Response interface. + */ +export function instanceOfPkiExternalCaReadConfigDnsRfc2136Response(value: object): value is PkiExternalCaReadConfigDnsRfc2136Response { + return true; +} + +export function PkiExternalCaReadConfigDnsRfc2136ResponseFromJSON(json: any): PkiExternalCaReadConfigDnsRfc2136Response { + return PkiExternalCaReadConfigDnsRfc2136ResponseFromJSONTyped(json, false); +} + +export function PkiExternalCaReadConfigDnsRfc2136ResponseFromJSONTyped(json: any, ignoreDiscriminator: boolean): PkiExternalCaReadConfigDnsRfc2136Response { + if (json == null) { + return json; + } + return { + + 'creation_date': json['creation_date'] == null ? undefined : (new Date(json['creation_date'])), + 'identifiers': json['identifiers'] == null ? undefined : json['identifiers'], + 'last_update_date': json['last_update_date'] == null ? undefined : (new Date(json['last_update_date'])), + 'name': json['name'] == null ? undefined : json['name'], + 'nameserver': json['nameserver'] == null ? undefined : json['nameserver'], + 'tsig_algorithm': json['tsig_algorithm'] == null ? undefined : json['tsig_algorithm'], + 'tsig_key_name': json['tsig_key_name'] == null ? undefined : json['tsig_key_name'], + 'ttl': json['ttl'] == null ? 
undefined : json['ttl'], + }; +} + +export function PkiExternalCaReadConfigDnsRfc2136ResponseToJSON(json: any): PkiExternalCaReadConfigDnsRfc2136Response { + return PkiExternalCaReadConfigDnsRfc2136ResponseToJSONTyped(json, false); +} + +export function PkiExternalCaReadConfigDnsRfc2136ResponseToJSONTyped(value?: PkiExternalCaReadConfigDnsRfc2136Response | null, ignoreDiscriminator: boolean = false): any { + if (value == null) { + return value; + } + + return { + + 'creation_date': value['creation_date'] == null ? undefined : ((value['creation_date']).toISOString()), + 'identifiers': value['identifiers'], + 'last_update_date': value['last_update_date'] == null ? undefined : ((value['last_update_date']).toISOString()), + 'name': value['name'], + 'nameserver': value['nameserver'], + 'tsig_algorithm': value['tsig_algorithm'], + 'tsig_key_name': value['tsig_key_name'], + 'ttl': value['ttl'], + }; +} + diff --git a/src/models/PkiExternalCaWriteConfigDnsAwsRoute53Request.ts b/src/models/PkiExternalCaWriteConfigDnsAwsRoute53Request.ts new file mode 100644 index 0000000..4703919 --- /dev/null +++ b/src/models/PkiExternalCaWriteConfigDnsAwsRoute53Request.ts 
@@ -0,0 +1,125 @@ +/** + * Copyright IBM Corp. 2025, 2026 + */ + +/* tslint:disable */ +/* eslint-disable */ +/** + * HashiCorp Vault API + * HTTP API that gives you full access to Vault. All API routes are prefixed with `/v1/`. + * + * The version of the OpenAPI document: 3.0.0 + * + * + * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). + * https://openapi-generator.tech + * Do not edit the class manually. + */ + +import { mapValues } from '../runtime'; +/** + * + * @export + * @interface PkiExternalCaWriteConfigDnsAwsRoute53Request + */ +export interface PkiExternalCaWriteConfigDnsAwsRoute53Request { + /** + * AWS access key ID for Route53 API access + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsAwsRoute53Request + */ + access_key_id?: string; + /** + * AWS IAM role ARN to assume for Route53 operations + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsAwsRoute53Request + */ + assume_role_arn?: string; + /** + * External ID for AWS STS AssumeRole + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsAwsRoute53Request + */ + external_id?: string; + /** + * AWS Route53 hosted zone ID + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsAwsRoute53Request + */ + hosted_zone_id?: string; + /** + * List of DNS identifiers this provider can be used for. 
Supports wildcard patterns with leftmost * (e.g., *.example.com) + * @type {Array} + * @memberof PkiExternalCaWriteConfigDnsAwsRoute53Request + */ + identifiers?: Array; + /** + * AWS region for Route53 operations + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsAwsRoute53Request + */ + region?: string; + /** + * AWS secret access key for Route53 API access + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsAwsRoute53Request + */ + secret_access_key?: string; + /** + * TTL for DNS TXT records used in DNS-01 challenges + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsAwsRoute53Request + */ + ttl?: string; +} + +/** + * Check if a given object implements the PkiExternalCaWriteConfigDnsAwsRoute53Request interface. + */ +export function instanceOfPkiExternalCaWriteConfigDnsAwsRoute53Request(value: object): value is PkiExternalCaWriteConfigDnsAwsRoute53Request { + return true; +} + +export function PkiExternalCaWriteConfigDnsAwsRoute53RequestFromJSON(json: any): PkiExternalCaWriteConfigDnsAwsRoute53Request { + return PkiExternalCaWriteConfigDnsAwsRoute53RequestFromJSONTyped(json, false); +} + +export function PkiExternalCaWriteConfigDnsAwsRoute53RequestFromJSONTyped(json: any, ignoreDiscriminator: boolean): PkiExternalCaWriteConfigDnsAwsRoute53Request { + if (json == null) { + return json; + } + return { + + 'access_key_id': json['access_key_id'] == null ? undefined : json['access_key_id'], + 'assume_role_arn': json['assume_role_arn'] == null ? undefined : json['assume_role_arn'], + 'external_id': json['external_id'] == null ? undefined : json['external_id'], + 'hosted_zone_id': json['hosted_zone_id'] == null ? undefined : json['hosted_zone_id'], + 'identifiers': json['identifiers'] == null ? undefined : json['identifiers'], + 'region': json['region'] == null ? undefined : json['region'], + 'secret_access_key': json['secret_access_key'] == null ? undefined : json['secret_access_key'], + 'ttl': json['ttl'] == null ? 
undefined : json['ttl'], + }; +} + +export function PkiExternalCaWriteConfigDnsAwsRoute53RequestToJSON(json: any): PkiExternalCaWriteConfigDnsAwsRoute53Request { + return PkiExternalCaWriteConfigDnsAwsRoute53RequestToJSONTyped(json, false); +} + +export function PkiExternalCaWriteConfigDnsAwsRoute53RequestToJSONTyped(value?: PkiExternalCaWriteConfigDnsAwsRoute53Request | null, ignoreDiscriminator: boolean = false): any { + if (value == null) { + return value; + } + + return { + + 'access_key_id': value['access_key_id'], + 'assume_role_arn': value['assume_role_arn'], + 'external_id': value['external_id'], + 'hosted_zone_id': value['hosted_zone_id'], + 'identifiers': value['identifiers'], + 'region': value['region'], + 'secret_access_key': value['secret_access_key'], + 'ttl': value['ttl'], + }; +} + diff --git a/src/models/PkiExternalCaWriteConfigDnsAwsRoute53Response.ts b/src/models/PkiExternalCaWriteConfigDnsAwsRoute53Response.ts new file mode 100644 index 0000000..37f6654 --- /dev/null +++ b/src/models/PkiExternalCaWriteConfigDnsAwsRoute53Response.ts 
@@ -0,0 +1,141 @@ +/** + * Copyright IBM Corp. 2025, 2026 + */ + +/* tslint:disable */ +/* eslint-disable */ +/** + * HashiCorp Vault API + * HTTP API that gives you full access to Vault. All API routes are prefixed with `/v1/`. + * + * The version of the OpenAPI document: 3.0.0 + * + * + * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). + * https://openapi-generator.tech + * Do not edit the class manually. + */ + +import { mapValues } from '../runtime'; +/** + * + * @export + * @interface PkiExternalCaWriteConfigDnsAwsRoute53Response + */ +export interface PkiExternalCaWriteConfigDnsAwsRoute53Response { + /** + * AWS access key ID for Route53 API access + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsAwsRoute53Response + */ + access_key_id?: string; + /** + * AWS IAM role ARN to assume for Route53 operations + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsAwsRoute53Response + */ + assume_role_arn?: string; + /** + * Configuration creation timestamp + * @type {Date} + * @memberof PkiExternalCaWriteConfigDnsAwsRoute53Response + */ + creation_date?: Date; + /** + * External ID for AWS STS AssumeRole + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsAwsRoute53Response + */ + external_id?: string; + /** + * AWS Route53 hosted zone ID + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsAwsRoute53Response + */ + hosted_zone_id?: string; + /** + * List of DNS identifiers this provider can be used for. 
Supports wildcard patterns with leftmost * (e.g., *.example.com) + * @type {Array} + * @memberof PkiExternalCaWriteConfigDnsAwsRoute53Response + */ + identifiers?: Array; + /** + * Configuration last update timestamp + * @type {Date} + * @memberof PkiExternalCaWriteConfigDnsAwsRoute53Response + */ + last_update_date?: Date; + /** + * Name of the aws-route53 DNS configuration + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsAwsRoute53Response + */ + name?: string; + /** + * AWS region for Route53 operations + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsAwsRoute53Response + */ + region?: string; + /** + * TTL for DNS TXT records used in DNS-01 challenges + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsAwsRoute53Response + */ + ttl?: string; +} + +/** + * Check if a given object implements the PkiExternalCaWriteConfigDnsAwsRoute53Response interface. + */ +export function instanceOfPkiExternalCaWriteConfigDnsAwsRoute53Response(value: object): value is PkiExternalCaWriteConfigDnsAwsRoute53Response { + return true; +} + +export function PkiExternalCaWriteConfigDnsAwsRoute53ResponseFromJSON(json: any): PkiExternalCaWriteConfigDnsAwsRoute53Response { + return PkiExternalCaWriteConfigDnsAwsRoute53ResponseFromJSONTyped(json, false); +} + +export function PkiExternalCaWriteConfigDnsAwsRoute53ResponseFromJSONTyped(json: any, ignoreDiscriminator: boolean): PkiExternalCaWriteConfigDnsAwsRoute53Response { + if (json == null) { + return json; + } + return { + + 'access_key_id': json['access_key_id'] == null ? undefined : json['access_key_id'], + 'assume_role_arn': json['assume_role_arn'] == null ? undefined : json['assume_role_arn'], + 'creation_date': json['creation_date'] == null ? undefined : (new Date(json['creation_date'])), + 'external_id': json['external_id'] == null ? undefined : json['external_id'], + 'hosted_zone_id': json['hosted_zone_id'] == null ? undefined : json['hosted_zone_id'], + 'identifiers': json['identifiers'] == null ? 
undefined : json['identifiers'], + 'last_update_date': json['last_update_date'] == null ? undefined : (new Date(json['last_update_date'])), + 'name': json['name'] == null ? undefined : json['name'], + 'region': json['region'] == null ? undefined : json['region'], + 'ttl': json['ttl'] == null ? undefined : json['ttl'], + }; +} + +export function PkiExternalCaWriteConfigDnsAwsRoute53ResponseToJSON(json: any): PkiExternalCaWriteConfigDnsAwsRoute53Response { + return PkiExternalCaWriteConfigDnsAwsRoute53ResponseToJSONTyped(json, false); +} + +export function PkiExternalCaWriteConfigDnsAwsRoute53ResponseToJSONTyped(value?: PkiExternalCaWriteConfigDnsAwsRoute53Response | null, ignoreDiscriminator: boolean = false): any { + if (value == null) { + return value; + } + + return { + + 'access_key_id': value['access_key_id'], + 'assume_role_arn': value['assume_role_arn'], + 'creation_date': value['creation_date'] == null ? undefined : ((value['creation_date']).toISOString()), + 'external_id': value['external_id'], + 'hosted_zone_id': value['hosted_zone_id'], + 'identifiers': value['identifiers'], + 'last_update_date': value['last_update_date'] == null ? undefined : ((value['last_update_date']).toISOString()), + 'name': value['name'], + 'region': value['region'], + 'ttl': value['ttl'], + }; +} + diff --git a/src/models/PkiExternalCaWriteConfigDnsAzureDnsRequest.ts b/src/models/PkiExternalCaWriteConfigDnsAzureDnsRequest.ts new file mode 100644 index 0000000..06b4285 --- /dev/null +++ b/src/models/PkiExternalCaWriteConfigDnsAzureDnsRequest.ts 
@@ -0,0 +1,133 @@ +/** + * Copyright IBM Corp. 2025, 2026 + */ + +/* tslint:disable */ +/* eslint-disable */ +/** + * HashiCorp Vault API + * HTTP API that gives you full access to Vault. All API routes are prefixed with `/v1/`. + * + * The version of the OpenAPI document: 3.0.0 + * + * + * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). + * https://openapi-generator.tech + * Do not edit the class manually. + */ + +import { mapValues } from '../runtime'; +/** + * + * @export + * @interface PkiExternalCaWriteConfigDnsAzureDnsRequest + */ +export interface PkiExternalCaWriteConfigDnsAzureDnsRequest { + /** + * Azure service principal client ID + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsAzureDnsRequest + */ + client_id?: string; + /** + * Azure service principal client secret + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsAzureDnsRequest + */ + client_secret?: string; + /** + * Azure cloud environment (AzurePublic, AzureChina, AzureGovernment; default: AzurePublic) + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsAzureDnsRequest + */ + environment?: string; + /** + * List of DNS identifiers this provider can be used for. 
Supports wildcard patterns with leftmost * (e.g., *.example.com) + * @type {Array} + * @memberof PkiExternalCaWriteConfigDnsAzureDnsRequest + */ + identifiers?: Array; + /** + * Azure resource group name containing the DNS zone + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsAzureDnsRequest + */ + resource_group_name?: string; + /** + * Azure subscription ID + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsAzureDnsRequest + */ + subscription_id?: string; + /** + * Azure tenant ID + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsAzureDnsRequest + */ + tenant_id?: string; + /** + * TTL for DNS TXT records used in DNS-01 challenges + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsAzureDnsRequest + */ + ttl?: string; + /** + * Azure DNS zone name + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsAzureDnsRequest + */ + zone_name?: string; +} + +/** + * Check if a given object implements the PkiExternalCaWriteConfigDnsAzureDnsRequest interface. + */ +export function instanceOfPkiExternalCaWriteConfigDnsAzureDnsRequest(value: object): value is PkiExternalCaWriteConfigDnsAzureDnsRequest { + return true; +} + +export function PkiExternalCaWriteConfigDnsAzureDnsRequestFromJSON(json: any): PkiExternalCaWriteConfigDnsAzureDnsRequest { + return PkiExternalCaWriteConfigDnsAzureDnsRequestFromJSONTyped(json, false); +} + +export function PkiExternalCaWriteConfigDnsAzureDnsRequestFromJSONTyped(json: any, ignoreDiscriminator: boolean): PkiExternalCaWriteConfigDnsAzureDnsRequest { + if (json == null) { + return json; + } + return { + + 'client_id': json['client_id'] == null ? undefined : json['client_id'], + 'client_secret': json['client_secret'] == null ? undefined : json['client_secret'], + 'environment': json['environment'] == null ? undefined : json['environment'], + 'identifiers': json['identifiers'] == null ? undefined : json['identifiers'], + 'resource_group_name': json['resource_group_name'] == null ? 
undefined : json['resource_group_name'], + 'subscription_id': json['subscription_id'] == null ? undefined : json['subscription_id'], + 'tenant_id': json['tenant_id'] == null ? undefined : json['tenant_id'], + 'ttl': json['ttl'] == null ? undefined : json['ttl'], + 'zone_name': json['zone_name'] == null ? undefined : json['zone_name'], + }; +} + +export function PkiExternalCaWriteConfigDnsAzureDnsRequestToJSON(json: any): PkiExternalCaWriteConfigDnsAzureDnsRequest { + return PkiExternalCaWriteConfigDnsAzureDnsRequestToJSONTyped(json, false); +} + +export function PkiExternalCaWriteConfigDnsAzureDnsRequestToJSONTyped(value?: PkiExternalCaWriteConfigDnsAzureDnsRequest | null, ignoreDiscriminator: boolean = false): any { + if (value == null) { + return value; + } + + return { + + 'client_id': value['client_id'], + 'client_secret': value['client_secret'], + 'environment': value['environment'], + 'identifiers': value['identifiers'], + 'resource_group_name': value['resource_group_name'], + 'subscription_id': value['subscription_id'], + 'tenant_id': value['tenant_id'], + 'ttl': value['ttl'], + 'zone_name': value['zone_name'], + }; +} + diff --git a/src/models/PkiExternalCaWriteConfigDnsAzureDnsResponse.ts b/src/models/PkiExternalCaWriteConfigDnsAzureDnsResponse.ts new file mode 100644 index 0000000..a7a0a43 --- /dev/null +++ b/src/models/PkiExternalCaWriteConfigDnsAzureDnsResponse.ts 
@@ -0,0 +1,149 @@ +/** + * Copyright IBM Corp. 2025, 2026 + */ + +/* tslint:disable */ +/* eslint-disable */ +/** + * HashiCorp Vault API + * HTTP API that gives you full access to Vault. All API routes are prefixed with `/v1/`. + * + * The version of the OpenAPI document: 3.0.0 + * + * + * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). + * https://openapi-generator.tech + * Do not edit the class manually. + */ + +import { mapValues } from '../runtime'; +/** + * + * @export + * @interface PkiExternalCaWriteConfigDnsAzureDnsResponse + */ +export interface PkiExternalCaWriteConfigDnsAzureDnsResponse { + /** + * Azure service principal client ID + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsAzureDnsResponse + */ + client_id?: string; + /** + * Configuration creation timestamp + * @type {Date} + * @memberof PkiExternalCaWriteConfigDnsAzureDnsResponse + */ + creation_date?: Date; + /** + * Azure cloud environment (AzurePublic, AzureChina, AzureGovernment; default: AzurePublic) + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsAzureDnsResponse + */ + environment?: string; + /** + * List of DNS identifiers this provider can be used for. 
Supports wildcard patterns with leftmost * (e.g., *.example.com) + * @type {Array} + * @memberof PkiExternalCaWriteConfigDnsAzureDnsResponse + */ + identifiers?: Array; + /** + * Configuration last update timestamp + * @type {Date} + * @memberof PkiExternalCaWriteConfigDnsAzureDnsResponse + */ + last_update_date?: Date; + /** + * Name of the azure-dns DNS configuration + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsAzureDnsResponse + */ + name?: string; + /** + * Azure resource group name containing the DNS zone + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsAzureDnsResponse + */ + resource_group_name?: string; + /** + * Azure subscription ID + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsAzureDnsResponse + */ + subscription_id?: string; + /** + * Azure tenant ID + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsAzureDnsResponse + */ + tenant_id?: string; + /** + * TTL for DNS TXT records used in DNS-01 challenges + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsAzureDnsResponse + */ + ttl?: string; + /** + * Azure DNS zone name + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsAzureDnsResponse + */ + zone_name?: string; +} + +/** + * Check if a given object implements the PkiExternalCaWriteConfigDnsAzureDnsResponse interface. + */ +export function instanceOfPkiExternalCaWriteConfigDnsAzureDnsResponse(value: object): value is PkiExternalCaWriteConfigDnsAzureDnsResponse { + return true; +} + +export function PkiExternalCaWriteConfigDnsAzureDnsResponseFromJSON(json: any): PkiExternalCaWriteConfigDnsAzureDnsResponse { + return PkiExternalCaWriteConfigDnsAzureDnsResponseFromJSONTyped(json, false); +} + +export function PkiExternalCaWriteConfigDnsAzureDnsResponseFromJSONTyped(json: any, ignoreDiscriminator: boolean): PkiExternalCaWriteConfigDnsAzureDnsResponse { + if (json == null) { + return json; + } + return { + + 'client_id': json['client_id'] == null ? 
undefined : json['client_id'], + 'creation_date': json['creation_date'] == null ? undefined : (new Date(json['creation_date'])), + 'environment': json['environment'] == null ? undefined : json['environment'], + 'identifiers': json['identifiers'] == null ? undefined : json['identifiers'], + 'last_update_date': json['last_update_date'] == null ? undefined : (new Date(json['last_update_date'])), + 'name': json['name'] == null ? undefined : json['name'], + 'resource_group_name': json['resource_group_name'] == null ? undefined : json['resource_group_name'], + 'subscription_id': json['subscription_id'] == null ? undefined : json['subscription_id'], + 'tenant_id': json['tenant_id'] == null ? undefined : json['tenant_id'], + 'ttl': json['ttl'] == null ? undefined : json['ttl'], + 'zone_name': json['zone_name'] == null ? undefined : json['zone_name'], + }; +} + +export function PkiExternalCaWriteConfigDnsAzureDnsResponseToJSON(json: any): PkiExternalCaWriteConfigDnsAzureDnsResponse { + return PkiExternalCaWriteConfigDnsAzureDnsResponseToJSONTyped(json, false); +} + +export function PkiExternalCaWriteConfigDnsAzureDnsResponseToJSONTyped(value?: PkiExternalCaWriteConfigDnsAzureDnsResponse | null, ignoreDiscriminator: boolean = false): any { + if (value == null) { + return value; + } + + return { + + 'client_id': value['client_id'], + 'creation_date': value['creation_date'] == null ? undefined : ((value['creation_date']).toISOString()), + 'environment': value['environment'], + 'identifiers': value['identifiers'], + 'last_update_date': value['last_update_date'] == null ? undefined : ((value['last_update_date']).toISOString()), + 'name': value['name'], + 'resource_group_name': value['resource_group_name'], + 'subscription_id': value['subscription_id'], + 'tenant_id': value['tenant_id'], + 'ttl': value['ttl'], + 'zone_name': value['zone_name'], + }; +} + 
diff --git a/src/models/PkiExternalCaWriteConfigDnsGoogleCloudDnsRequest.ts b/src/models/PkiExternalCaWriteConfigDnsGoogleCloudDnsRequest.ts new file mode 100644 index 0000000..719ad73 --- /dev/null +++ b/src/models/PkiExternalCaWriteConfigDnsGoogleCloudDnsRequest.ts 
@@ -0,0 +1,109 @@ +/** + * Copyright IBM Corp. 2025, 2026 + */ + +/* tslint:disable */ +/* eslint-disable */ +/** + * HashiCorp Vault API + * HTTP API that gives you full access to Vault. All API routes are prefixed with `/v1/`. + * + * The version of the OpenAPI document: 3.0.0 + * + * + * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). + * https://openapi-generator.tech + * Do not edit the class manually. + */ + +import { mapValues } from '../runtime'; +/** + * + * @export + * @interface PkiExternalCaWriteConfigDnsGoogleCloudDnsRequest + */ +export interface PkiExternalCaWriteConfigDnsGoogleCloudDnsRequest { + /** + * GCP service account credentials as JSON content + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsGoogleCloudDnsRequest + */ + credentials?: string; + /** + * List of DNS identifiers this provider can be used for. Supports wildcard patterns with leftmost * (e.g., *.example.com) + * @type {Array} + * @memberof PkiExternalCaWriteConfigDnsGoogleCloudDnsRequest + */ + identifiers?: Array; + /** + * Service account email to impersonate + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsGoogleCloudDnsRequest + */ + impersonate_service_account?: string; + /** + * GCP project name + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsGoogleCloudDnsRequest + */ + project?: string; + /** + * TTL for DNS TXT records used in DNS-01 challenges + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsGoogleCloudDnsRequest + */ + ttl?: string; + /** + * GCP DNS zone name + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsGoogleCloudDnsRequest + */ + zone_name?: string; +} + +/** + * Check if a given object implements the PkiExternalCaWriteConfigDnsGoogleCloudDnsRequest interface. 
+ */ +export function instanceOfPkiExternalCaWriteConfigDnsGoogleCloudDnsRequest(value: object): value is PkiExternalCaWriteConfigDnsGoogleCloudDnsRequest { + return true; +} + +export function PkiExternalCaWriteConfigDnsGoogleCloudDnsRequestFromJSON(json: any): PkiExternalCaWriteConfigDnsGoogleCloudDnsRequest { + return PkiExternalCaWriteConfigDnsGoogleCloudDnsRequestFromJSONTyped(json, false); +} + +export function PkiExternalCaWriteConfigDnsGoogleCloudDnsRequestFromJSONTyped(json: any, ignoreDiscriminator: boolean): PkiExternalCaWriteConfigDnsGoogleCloudDnsRequest { + if (json == null) { + return json; + } + return { + + 'credentials': json['credentials'] == null ? undefined : json['credentials'], + 'identifiers': json['identifiers'] == null ? undefined : json['identifiers'], + 'impersonate_service_account': json['impersonate_service_account'] == null ? undefined : json['impersonate_service_account'], + 'project': json['project'] == null ? undefined : json['project'], + 'ttl': json['ttl'] == null ? undefined : json['ttl'], + 'zone_name': json['zone_name'] == null ? undefined : json['zone_name'], + }; +} + +export function PkiExternalCaWriteConfigDnsGoogleCloudDnsRequestToJSON(json: any): PkiExternalCaWriteConfigDnsGoogleCloudDnsRequest { + return PkiExternalCaWriteConfigDnsGoogleCloudDnsRequestToJSONTyped(json, false); +} + +export function PkiExternalCaWriteConfigDnsGoogleCloudDnsRequestToJSONTyped(value?: PkiExternalCaWriteConfigDnsGoogleCloudDnsRequest | null, ignoreDiscriminator: boolean = false): any { + if (value == null) { + return value; + } + + return { + + 'credentials': value['credentials'], + 'identifiers': value['identifiers'], + 'impersonate_service_account': value['impersonate_service_account'], + 'project': value['project'], + 'ttl': value['ttl'], + 'zone_name': value['zone_name'], + }; +} + 
diff --git a/src/models/PkiExternalCaWriteConfigDnsGoogleCloudDnsResponse.ts b/src/models/PkiExternalCaWriteConfigDnsGoogleCloudDnsResponse.ts new file mode 100644 index 0000000..56c7d9b --- /dev/null +++ b/src/models/PkiExternalCaWriteConfigDnsGoogleCloudDnsResponse.ts 
@@ -0,0 +1,125 @@ +/** + * Copyright IBM Corp. 2025, 2026 + */ + +/* tslint:disable */ +/* eslint-disable */ +/** + * HashiCorp Vault API + * HTTP API that gives you full access to Vault. All API routes are prefixed with `/v1/`. + * + * The version of the OpenAPI document: 3.0.0 + * + * + * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). + * https://openapi-generator.tech + * Do not edit the class manually. + */ + +import { mapValues } from '../runtime'; +/** + * + * @export + * @interface PkiExternalCaWriteConfigDnsGoogleCloudDnsResponse + */ +export interface PkiExternalCaWriteConfigDnsGoogleCloudDnsResponse { + /** + * Configuration creation timestamp + * @type {Date} + * @memberof PkiExternalCaWriteConfigDnsGoogleCloudDnsResponse + */ + creation_date?: Date; + /** + * List of DNS identifiers this provider can be used for. Supports wildcard patterns with leftmost * (e.g., *.example.com) + * @type {Array} + * @memberof PkiExternalCaWriteConfigDnsGoogleCloudDnsResponse + */ + identifiers?: Array; + /** + * Service account email to impersonate + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsGoogleCloudDnsResponse + */ + impersonate_service_account?: string; + /** + * Configuration last update timestamp + * @type {Date} + * @memberof PkiExternalCaWriteConfigDnsGoogleCloudDnsResponse + */ + last_update_date?: Date; + /** + * Name of the google-cloud-dns DNS configuration + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsGoogleCloudDnsResponse + */ + name?: string; + /** + * GCP project name + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsGoogleCloudDnsResponse + */ + project?: string; + /** + * TTL for DNS TXT records used in DNS-01 challenges + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsGoogleCloudDnsResponse + */ + ttl?: string; + /** + * GCP DNS zone name + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsGoogleCloudDnsResponse + */ + zone_name?: string; +} + +/** + 
* Check if a given object implements the PkiExternalCaWriteConfigDnsGoogleCloudDnsResponse interface. + */ +export function instanceOfPkiExternalCaWriteConfigDnsGoogleCloudDnsResponse(value: object): value is PkiExternalCaWriteConfigDnsGoogleCloudDnsResponse { + return true; +} + +export function PkiExternalCaWriteConfigDnsGoogleCloudDnsResponseFromJSON(json: any): PkiExternalCaWriteConfigDnsGoogleCloudDnsResponse { + return PkiExternalCaWriteConfigDnsGoogleCloudDnsResponseFromJSONTyped(json, false); +} + +export function PkiExternalCaWriteConfigDnsGoogleCloudDnsResponseFromJSONTyped(json: any, ignoreDiscriminator: boolean): PkiExternalCaWriteConfigDnsGoogleCloudDnsResponse { + if (json == null) { + return json; + } + return { + + 'creation_date': json['creation_date'] == null ? undefined : (new Date(json['creation_date'])), + 'identifiers': json['identifiers'] == null ? undefined : json['identifiers'], + 'impersonate_service_account': json['impersonate_service_account'] == null ? undefined : json['impersonate_service_account'], + 'last_update_date': json['last_update_date'] == null ? undefined : (new Date(json['last_update_date'])), + 'name': json['name'] == null ? undefined : json['name'], + 'project': json['project'] == null ? undefined : json['project'], + 'ttl': json['ttl'] == null ? undefined : json['ttl'], + 'zone_name': json['zone_name'] == null ? undefined : json['zone_name'], + }; +} + +export function PkiExternalCaWriteConfigDnsGoogleCloudDnsResponseToJSON(json: any): PkiExternalCaWriteConfigDnsGoogleCloudDnsResponse { + return PkiExternalCaWriteConfigDnsGoogleCloudDnsResponseToJSONTyped(json, false); +} + +export function PkiExternalCaWriteConfigDnsGoogleCloudDnsResponseToJSONTyped(value?: PkiExternalCaWriteConfigDnsGoogleCloudDnsResponse | null, ignoreDiscriminator: boolean = false): any { + if (value == null) { + return value; + } + + return { + + 'creation_date': value['creation_date'] == null ? 
undefined : ((value['creation_date']).toISOString()), + 'identifiers': value['identifiers'], + 'impersonate_service_account': value['impersonate_service_account'], + 'last_update_date': value['last_update_date'] == null ? undefined : ((value['last_update_date']).toISOString()), + 'name': value['name'], + 'project': value['project'], + 'ttl': value['ttl'], + 'zone_name': value['zone_name'], + }; +} + diff --git a/src/models/PkiExternalCaWriteConfigDnsRfc2136Request.ts b/src/models/PkiExternalCaWriteConfigDnsRfc2136Request.ts new file mode 100644 index 0000000..a894bbf --- /dev/null +++ b/src/models/PkiExternalCaWriteConfigDnsRfc2136Request.ts 
@@ -0,0 +1,109 @@ +/** + * Copyright IBM Corp. 2025, 2026 + */ + +/* tslint:disable */ +/* eslint-disable */ +/** + * HashiCorp Vault API + * HTTP API that gives you full access to Vault. All API routes are prefixed with `/v1/`. + * + * The version of the OpenAPI document: 3.0.0 + * + * + * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). + * https://openapi-generator.tech + * Do not edit the class manually. + */ + +import { mapValues } from '../runtime'; +/** + * + * @export + * @interface PkiExternalCaWriteConfigDnsRfc2136Request + */ +export interface PkiExternalCaWriteConfigDnsRfc2136Request { + /** + * List of DNS identifiers this provider can be used for. Supports wildcard patterns with leftmost * (e.g., *.example.com) + * @type {Array} + * @memberof PkiExternalCaWriteConfigDnsRfc2136Request + */ + identifiers?: Array; + /** + * DNS server address (IP:port format, e.g., 192.168.1.1:53) + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsRfc2136Request + */ + nameserver?: string; + /** + * TSIG algorithm (e.g., hmac-sha256, hmac-sha512). Defaults to hmac-sha256 + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsRfc2136Request + */ + tsig_algorithm?: string; + /** + * TSIG key name for authenticated DNS updates + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsRfc2136Request + */ + tsig_key_name?: string; + /** + * TSIG secret (base64 encoded) for authenticated DNS updates + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsRfc2136Request + */ + tsig_secret?: string; + /** + * TTL for DNS TXT records used in DNS-01 challenges + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsRfc2136Request + */ + ttl?: string; +} + +/** + * Check if a given object implements the PkiExternalCaWriteConfigDnsRfc2136Request interface. 
+ */ +export function instanceOfPkiExternalCaWriteConfigDnsRfc2136Request(value: object): value is PkiExternalCaWriteConfigDnsRfc2136Request { + return true; +} + +export function PkiExternalCaWriteConfigDnsRfc2136RequestFromJSON(json: any): PkiExternalCaWriteConfigDnsRfc2136Request { + return PkiExternalCaWriteConfigDnsRfc2136RequestFromJSONTyped(json, false); +} + +export function PkiExternalCaWriteConfigDnsRfc2136RequestFromJSONTyped(json: any, ignoreDiscriminator: boolean): PkiExternalCaWriteConfigDnsRfc2136Request { + if (json == null) { + return json; + } + return { + + 'identifiers': json['identifiers'] == null ? undefined : json['identifiers'], + 'nameserver': json['nameserver'] == null ? undefined : json['nameserver'], + 'tsig_algorithm': json['tsig_algorithm'] == null ? undefined : json['tsig_algorithm'], + 'tsig_key_name': json['tsig_key_name'] == null ? undefined : json['tsig_key_name'], + 'tsig_secret': json['tsig_secret'] == null ? undefined : json['tsig_secret'], + 'ttl': json['ttl'] == null ? undefined : json['ttl'], + }; +} + +export function PkiExternalCaWriteConfigDnsRfc2136RequestToJSON(json: any): PkiExternalCaWriteConfigDnsRfc2136Request { + return PkiExternalCaWriteConfigDnsRfc2136RequestToJSONTyped(json, false); +} + +export function PkiExternalCaWriteConfigDnsRfc2136RequestToJSONTyped(value?: PkiExternalCaWriteConfigDnsRfc2136Request | null, ignoreDiscriminator: boolean = false): any { + if (value == null) { + return value; + } + + return { + + 'identifiers': value['identifiers'], + 'nameserver': value['nameserver'], + 'tsig_algorithm': value['tsig_algorithm'], + 'tsig_key_name': value['tsig_key_name'], + 'tsig_secret': value['tsig_secret'], + 'ttl': value['ttl'], + }; +} + diff --git a/src/models/PkiExternalCaWriteConfigDnsRfc2136Response.ts b/src/models/PkiExternalCaWriteConfigDnsRfc2136Response.ts new file mode 100644 index 0000000..f30681e --- /dev/null +++ b/src/models/PkiExternalCaWriteConfigDnsRfc2136Response.ts 
@@ -0,0 +1,125 @@ +/** + * Copyright IBM Corp. 2025, 2026 + */ + +/* tslint:disable */ +/* eslint-disable */ +/** + * HashiCorp Vault API + * HTTP API that gives you full access to Vault. All API routes are prefixed with `/v1/`. + * + * The version of the OpenAPI document: 3.0.0 + * + * + * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). + * https://openapi-generator.tech + * Do not edit the class manually. + */ + +import { mapValues } from '../runtime'; +/** + * + * @export + * @interface PkiExternalCaWriteConfigDnsRfc2136Response + */ +export interface PkiExternalCaWriteConfigDnsRfc2136Response { + /** + * Configuration creation timestamp + * @type {Date} + * @memberof PkiExternalCaWriteConfigDnsRfc2136Response + */ + creation_date?: Date; + /** + * List of DNS identifiers this provider can be used for. Supports wildcard patterns with leftmost * (e.g., *.example.com) + * @type {Array} + * @memberof PkiExternalCaWriteConfigDnsRfc2136Response + */ + identifiers?: Array; + /** + * Configuration last update timestamp + * @type {Date} + * @memberof PkiExternalCaWriteConfigDnsRfc2136Response + */ + last_update_date?: Date; + /** + * Name of the rfc2136 DNS configuration + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsRfc2136Response + */ + name?: string; + /** + * DNS server address (IP:port format, e.g., 192.168.1.1:53) + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsRfc2136Response + */ + nameserver?: string; + /** + * TSIG algorithm (e.g., hmac-sha256, hmac-sha512). 
Defaults to hmac-sha256 + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsRfc2136Response + */ + tsig_algorithm?: string; + /** + * TSIG key name for authenticated DNS updates + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsRfc2136Response + */ + tsig_key_name?: string; + /** + * TTL for DNS TXT records used in DNS-01 challenges + * @type {string} + * @memberof PkiExternalCaWriteConfigDnsRfc2136Response + */ + ttl?: string; +} + +/** + * Check if a given object implements the PkiExternalCaWriteConfigDnsRfc2136Response interface. + */ +export function instanceOfPkiExternalCaWriteConfigDnsRfc2136Response(value: object): value is PkiExternalCaWriteConfigDnsRfc2136Response { + return true; +} + +export function PkiExternalCaWriteConfigDnsRfc2136ResponseFromJSON(json: any): PkiExternalCaWriteConfigDnsRfc2136Response { + return PkiExternalCaWriteConfigDnsRfc2136ResponseFromJSONTyped(json, false); +} + +export function PkiExternalCaWriteConfigDnsRfc2136ResponseFromJSONTyped(json: any, ignoreDiscriminator: boolean): PkiExternalCaWriteConfigDnsRfc2136Response { + if (json == null) { + return json; + } + return { + + 'creation_date': json['creation_date'] == null ? undefined : (new Date(json['creation_date'])), + 'identifiers': json['identifiers'] == null ? undefined : json['identifiers'], + 'last_update_date': json['last_update_date'] == null ? undefined : (new Date(json['last_update_date'])), + 'name': json['name'] == null ? undefined : json['name'], + 'nameserver': json['nameserver'] == null ? undefined : json['nameserver'], + 'tsig_algorithm': json['tsig_algorithm'] == null ? undefined : json['tsig_algorithm'], + 'tsig_key_name': json['tsig_key_name'] == null ? undefined : json['tsig_key_name'], + 'ttl': json['ttl'] == null ? 
undefined : json['ttl'], + }; +} + +export function PkiExternalCaWriteConfigDnsRfc2136ResponseToJSON(json: any): PkiExternalCaWriteConfigDnsRfc2136Response { + return PkiExternalCaWriteConfigDnsRfc2136ResponseToJSONTyped(json, false); +} + +export function PkiExternalCaWriteConfigDnsRfc2136ResponseToJSONTyped(value?: PkiExternalCaWriteConfigDnsRfc2136Response | null, ignoreDiscriminator: boolean = false): any { + if (value == null) { + return value; + } + + return { + + 'creation_date': value['creation_date'] == null ? undefined : ((value['creation_date']).toISOString()), + 'identifiers': value['identifiers'], + 'last_update_date': value['last_update_date'] == null ? undefined : ((value['last_update_date']).toISOString()), + 'name': value['name'], + 'nameserver': value['nameserver'], + 'tsig_algorithm': value['tsig_algorithm'], + 'tsig_key_name': value['tsig_key_name'], + 'ttl': value['ttl'], + }; +} + diff --git a/src/models/PkiExternalCaWriteDnsTestWorkflowRequest.ts b/src/models/PkiExternalCaWriteDnsTestWorkflowRequest.ts new file mode 100644 index 0000000..cf1d483 --- /dev/null +++ b/src/models/PkiExternalCaWriteDnsTestWorkflowRequest.ts 
@@ -0,0 +1,96 @@ +/** + * Copyright IBM Corp. 2025, 2026 + */ + +/* tslint:disable */ +/* eslint-disable */ +/** + * HashiCorp Vault API + * HTTP API that gives you full access to Vault. All API routes are prefixed with `/v1/`. + * + * The version of the OpenAPI document: 3.0.0 + * + * + * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). + * https://openapi-generator.tech + * Do not edit the class manually. + */ + +import { mapValues } from '../runtime'; +/** + * + * @export + * @interface PkiExternalCaWriteDnsTestWorkflowRequest + */ +export interface PkiExternalCaWriteDnsTestWorkflowRequest { + /** + * The DNS identifier (domain name) to test with + * @type {string} + * @memberof PkiExternalCaWriteDnsTestWorkflowRequest + */ + identifier: string; + /** + * Do not perform any cleanup operations, useful for testing and manual validation a record was created within the DNS provider + * @type {boolean} + * @memberof PkiExternalCaWriteDnsTestWorkflowRequest + */ + omit_cleanup?: boolean; + /** + * The name of the DNS provider configuration to test + * @type {string} + * @memberof PkiExternalCaWriteDnsTestWorkflowRequest + */ + provider_name: string; + /** + * The DNS provider type + * @type {string} + * @memberof PkiExternalCaWriteDnsTestWorkflowRequest + */ + provider_type: string; +} + +/** + * Check if a given object implements the PkiExternalCaWriteDnsTestWorkflowRequest interface. 
+ */ +export function instanceOfPkiExternalCaWriteDnsTestWorkflowRequest(value: object): value is PkiExternalCaWriteDnsTestWorkflowRequest { + if (!('identifier' in value) || value['identifier'] === undefined) return false; + if (!('provider_name' in value) || value['provider_name'] === undefined) return false; + if (!('provider_type' in value) || value['provider_type'] === undefined) return false; + return true; +} + +export function PkiExternalCaWriteDnsTestWorkflowRequestFromJSON(json: any): PkiExternalCaWriteDnsTestWorkflowRequest { + return PkiExternalCaWriteDnsTestWorkflowRequestFromJSONTyped(json, false); +} + +export function PkiExternalCaWriteDnsTestWorkflowRequestFromJSONTyped(json: any, ignoreDiscriminator: boolean): PkiExternalCaWriteDnsTestWorkflowRequest { + if (json == null) { + return json; + } + return { + + 'identifier': json['identifier'], + 'omit_cleanup': json['omit_cleanup'] == null ? undefined : json['omit_cleanup'], + 'provider_name': json['provider_name'], + 'provider_type': json['provider_type'], + }; +} + +export function PkiExternalCaWriteDnsTestWorkflowRequestToJSON(json: any): PkiExternalCaWriteDnsTestWorkflowRequest { + return PkiExternalCaWriteDnsTestWorkflowRequestToJSONTyped(json, false); +} + +export function PkiExternalCaWriteDnsTestWorkflowRequestToJSONTyped(value?: PkiExternalCaWriteDnsTestWorkflowRequest | null, ignoreDiscriminator: boolean = false): any { + if (value == null) { + return value; + } + + return { + + 'identifier': value['identifier'], + 'omit_cleanup': value['omit_cleanup'], + 'provider_name': value['provider_name'], + 'provider_type': value['provider_type'], + }; +} + diff --git a/src/models/PkiExternalCaWriteDnsTestWorkflowResponse.ts b/src/models/PkiExternalCaWriteDnsTestWorkflowResponse.ts new file mode 100644 index 0000000..f654132 --- /dev/null +++ b/src/models/PkiExternalCaWriteDnsTestWorkflowResponse.ts 
@@ -0,0 +1,109 @@ +/** + * Copyright IBM Corp. 2025, 2026 + */ + +/* tslint:disable */ +/* eslint-disable */ +/** + * HashiCorp Vault API + * HTTP API that gives you full access to Vault. All API routes are prefixed with `/v1/`. + * + * The version of the OpenAPI document: 3.0.0 + * + * + * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). + * https://openapi-generator.tech + * Do not edit the class manually. + */ + +import { mapValues } from '../runtime'; +/** + * + * @export + * @interface PkiExternalCaWriteDnsTestWorkflowResponse + */ +export interface PkiExternalCaWriteDnsTestWorkflowResponse { + /** + * The identifier that was tested + * @type {string} + * @memberof PkiExternalCaWriteDnsTestWorkflowResponse + */ + identifier?: string; + /** + * Status message describing the test result + * @type {string} + * @memberof PkiExternalCaWriteDnsTestWorkflowResponse + */ + message?: string; + /** + * The provider name that was tested + * @type {string} + * @memberof PkiExternalCaWriteDnsTestWorkflowResponse + */ + provider_name?: string; + /** + * The provider type that was tested + * @type {string} + * @memberof PkiExternalCaWriteDnsTestWorkflowResponse + */ + provider_type?: string; + /** + * The DNS record name that was created + * @type {string} + * @memberof PkiExternalCaWriteDnsTestWorkflowResponse + */ + record_name?: string; + /** + * Whether the test was successful + * @type {boolean} + * @memberof PkiExternalCaWriteDnsTestWorkflowResponse + */ + success?: boolean; +} + +/** + * Check if a given object implements the PkiExternalCaWriteDnsTestWorkflowResponse interface. 
+ */ +export function instanceOfPkiExternalCaWriteDnsTestWorkflowResponse(value: object): value is PkiExternalCaWriteDnsTestWorkflowResponse { + return true; +} + +export function PkiExternalCaWriteDnsTestWorkflowResponseFromJSON(json: any): PkiExternalCaWriteDnsTestWorkflowResponse { + return PkiExternalCaWriteDnsTestWorkflowResponseFromJSONTyped(json, false); +} + +export function PkiExternalCaWriteDnsTestWorkflowResponseFromJSONTyped(json: any, ignoreDiscriminator: boolean): PkiExternalCaWriteDnsTestWorkflowResponse { + if (json == null) { + return json; + } + return { + + 'identifier': json['identifier'] == null ? undefined : json['identifier'], + 'message': json['message'] == null ? undefined : json['message'], + 'provider_name': json['provider_name'] == null ? undefined : json['provider_name'], + 'provider_type': json['provider_type'] == null ? undefined : json['provider_type'], + 'record_name': json['record_name'] == null ? undefined : json['record_name'], + 'success': json['success'] == null ? undefined : json['success'], + }; +} + +export function PkiExternalCaWriteDnsTestWorkflowResponseToJSON(json: any): PkiExternalCaWriteDnsTestWorkflowResponse { + return PkiExternalCaWriteDnsTestWorkflowResponseToJSONTyped(json, false); +} + +export function PkiExternalCaWriteDnsTestWorkflowResponseToJSONTyped(value?: PkiExternalCaWriteDnsTestWorkflowResponse | null, ignoreDiscriminator: boolean = false): any { + if (value == null) { + return value; + } + + return { + + 'identifier': value['identifier'], + 'message': value['message'], + 'provider_name': value['provider_name'], + 'provider_type': value['provider_type'], + 'record_name': value['record_name'], + 'success': value['success'], + }; +} + diff --git a/src/models/PkiExternalCaWriteRoleNameRequest.ts b/src/models/PkiExternalCaWriteRoleNameRequest.ts index d178c2a..a030574 100644 --- a/src/models/PkiExternalCaWriteRoleNameRequest.ts +++ b/src/models/PkiExternalCaWriteRoleNameRequest.ts 
@@ -59,6 +59,18 @@ export interface PkiExternalCaWriteRoleNameRequest { * @memberof PkiExternalCaWriteRoleNameRequest */ csr_identifier_population?: PkiExternalCaWriteRoleNameRequestCsrIdentifierPopulationEnum; + /** + * The DNS provider configuration to use for DNS-01 challenges (optional) + * @type {string} + * @memberof PkiExternalCaWriteRoleNameRequest + */ + dns_provider_name?: string; + /** + * The DNS provider type (required when dns_provider_name is provided) + * @type {string} + * @memberof PkiExternalCaWriteRoleNameRequest + */ + dns_provider_type?: string; /** * Force deletion even when active orders exist * @type {boolean} @@ -124,6 +136,8 @@ export function PkiExternalCaWriteRoleNameRequestFromJSONTyped(json: any, ignore 'allowed_domains': json['allowed_domains'] == null ? undefined : json['allowed_domains'], 'csr_generate_key_type': json['csr_generate_key_type'] == null ? undefined : json['csr_generate_key_type'], 'csr_identifier_population': json['csr_identifier_population'] == null ? undefined : json['csr_identifier_population'], + 'dns_provider_name': json['dns_provider_name'] == null ? undefined : json['dns_provider_name'], + 'dns_provider_type': json['dns_provider_type'] == null ? undefined : json['dns_provider_type'], 'force': json['force'] == null ? undefined : json['force'], }; } @@ -145,6 +159,8 @@ export function PkiExternalCaWriteRoleNameRequestToJSONTyped(value?: PkiExternal 'allowed_domains': value['allowed_domains'], 'csr_generate_key_type': value['csr_generate_key_type'], 'csr_identifier_population': value['csr_identifier_population'], + 'dns_provider_name': value['dns_provider_name'], + 'dns_provider_type': value['dns_provider_type'], 'force': value['force'], }; } diff --git a/src/models/index.ts b/src/models/index.ts index 9bad220..ba6c577 100644 --- a/src/models/index.ts +++ b/src/models/index.ts 
@@ -335,8 +335,22 @@ export * from './PkiConfigureUrlsResponse'; export * from './PkiCrossSignIntermediateRequest'; export * from './PkiCrossSignIntermediateResponse'; export * from './PkiExternalCaCreateConfigAcmeAccountNameImportRequest'; +export * from './PkiExternalCaReadConfigDnsAwsRoute53Response'; +export * from './PkiExternalCaReadConfigDnsAzureDnsResponse'; +export * from './PkiExternalCaReadConfigDnsGoogleCloudDnsResponse'; +export * from './PkiExternalCaReadConfigDnsRfc2136Response'; export * from './PkiExternalCaWriteConfigAcmeAccountNameRequest'; export * from './PkiExternalCaWriteConfigAcmeAccountNameRotateKeyRequest'; +export * from './PkiExternalCaWriteConfigDnsAwsRoute53Request'; +export * from './PkiExternalCaWriteConfigDnsAwsRoute53Response'; +export * from './PkiExternalCaWriteConfigDnsAzureDnsRequest'; +export * from './PkiExternalCaWriteConfigDnsAzureDnsResponse'; +export * from './PkiExternalCaWriteConfigDnsGoogleCloudDnsRequest'; +export * from './PkiExternalCaWriteConfigDnsGoogleCloudDnsResponse'; +export * from './PkiExternalCaWriteConfigDnsRfc2136Request'; +export * from './PkiExternalCaWriteConfigDnsRfc2136Response'; +export * from './PkiExternalCaWriteDnsTestWorkflowRequest'; +export * from './PkiExternalCaWriteDnsTestWorkflowResponse'; export * from './PkiExternalCaWriteRoleNameNewOrderRequest'; export * from './PkiExternalCaWriteRoleNameOrderOrderIdFulfilledChallengeRequest'; export * from './PkiExternalCaWriteRoleNameOrderOrderIdRevokeRequest';