diff --git a/docusaurus.config.ts b/docusaurus.config.ts
index e1b9f6b..3657ed1 100644
--- a/docusaurus.config.ts
+++ b/docusaurus.config.ts
@@ -9,10 +9,16 @@ import type { Config } from "@docusaurus/types";
 import type * as Preset from "@docusaurus/preset-classic";
 import matter from "gray-matter";
 import listRemote from "./docusaurus-lib-list-remote";
-import { openApiSpecs } from "./preprocessing";
+import { preprocessOpenApiSpecs, openApiSpecs } from './src/openapi/preprocessing';
 import languageTabs from "./openapi-generated-clients";
 import { getSpecDocumentationPlugins } from './src/utils/spec-documentation';
 
+// Execute the preprocessing function for OpenAPI specs
+preprocessOpenApiSpecs().catch(error => {
+  console.error('Failed to preprocess OpenAPI specs:', error);
+  process.exit(1);
+});
+
 const otdfctl = listRemote.createRepo("opentdf", "otdfctl", "main");
 
 const config: Config = {
diff --git a/package.json b/package.json
index b6858a0..0607a80 100644
--- a/package.json
+++ b/package.json
@@ -14,8 +14,8 @@
     "write-heading-ids": "docusaurus write-heading-ids",
     "gen-api-docs-all": "docusaurus gen-api-docs all --all-versions",
     "gen-api-docs-clean": "docusaurus clean-api-docs all",
-    "check-vendored-yaml": "tsx scripts/check-vendored-yaml.ts",
-    "update-vendored-yaml": "tsx scripts/update-vendored-yaml.ts"
+    "check-vendored-yaml": "tsx src/openapi/check-vendored-yaml.ts",
+    "update-vendored-yaml": "tsx src/openapi/update-vendored-yaml.ts"
   },
   "dependencies": {
     "@docusaurus/core": "^3.6.3",
diff --git a/specs/policy/actions/actions.openapi.yaml b/specs/policy/actions/actions.openapi.yaml
index 619dcd2..3f4f224 100644
--- a/specs/policy/actions/actions.openapi.yaml
+++ b/specs/policy/actions/actions.openapi.yaml
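Review bot: `preprocessOpenApiSpecs()` is started at module load but never awaited, so nothing in this hunk orders it before Docusaurus consumes `openApiSpecs` or the spec-documentation plugins read the spec files; the `.catch` handles a rejection but not that race, and a `process.exit(1)` from a detached promise can fire after the build has already begun. Docusaurus accepts an async config factory, so the ordering can be made explicit by turning the config into `export default async function createConfig(): Promise<Config> {` with `await preprocessOpenApiSpecs();` as its first statement and the existing object returned from it, dropping the fire-and-forget block. That form also removes the untyped `error` parameter of the `.catch` callback (`any` under strict mode) by letting the rejection propagate to the build. The rest of the config object and its existing `export default` are outside the hunk, so whether the module already exports a function cannot be confirmed here.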
@@ -309,8 +309,14 @@ components: Wrapper message for `bool`. The JSON representation for `BoolValue` is JSON `true` and `false`. + + Not recommended for use in new APIs, but still useful for legacy APIs and + has no plan to be removed. google.protobuf.Timestamp: type: string + examples: + - 1s + - 1.000340012s format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local @@ -463,7 +469,7 @@ components: items: $ref: '#/components/schemas/policy.KeyAccessServer' title: grants - description: Deprecated + description: Deprecated KAS grants for the attribute. Use kas_keys instead. fqn: type: string title: fqn @@ -650,7 +656,7 @@ components: items: $ref: '#/components/schemas/policy.KeyAccessServer' title: grants - description: KAS grants for the namespace + description: Deprecated KAS grants for the namespace. Use kas_keys instead. kasKeys: type: array items: @@ -897,9 +903,7 @@ components: items: $ref: '#/components/schemas/policy.KeyAccessServer' title: grants - description: |- - Deprecated - list of key access servers + description: Deprecated KAS grants for the value. Use kas_keys instead. fqn: type: string title: fqn diff --git a/specs/policy/attributes/attributes.openapi.yaml b/specs/policy/attributes/attributes.openapi.yaml index 7bdb5d4..0703961 100644 --- a/specs/policy/attributes/attributes.openapi.yaml +++ b/specs/policy/attributes/attributes.openapi.yaml @@ -137,9 +137,11 @@ paths: Fully Qualified Names of attribute values (i.e. https:///attr//value/), normalized to lower case. - name: withValue.withKeyAccessGrants in: query + description: Deprecated schema: type: boolean title: with_key_access_grants + description: Deprecated - name: withValue.withSubjectMaps in: query schema: 
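Review bot: The `examples` added under `google.protobuf.Timestamp` (`1s`, `1.000340012s`) are `google.protobuf.Duration`-style literals, not RFC 3339 `date-time` strings, so they contradict the `format: date-time` on the same schema and will be rendered as misleading sample values in the generated API docs. The same pair is added in this diff to the attributes, kasregistry, keymanagement, namespaces and objects specs and to the new obligations spec. The repository's `check-vendored-yaml` script suggests these files are vendored from an upstream generator, in which case the correction belongs there rather than in a hand edit; if they are maintained here, the examples should be RFC 3339 values of the form `YYYY-MM-DDTHH:MM:SSZ` or dropped.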
@@ -152,9 +154,11 @@ paths: title: with_resource_maps - name: withValue.withAttribute.withKeyAccessGrants in: query + description: Deprecated schema: type: boolean title: with_key_access_grants + description: Deprecated responses: default: description: Error @@ -456,6 +460,7 @@ paths: application/json: schema: $ref: '#/components/schemas/policy.attributes.AssignKeyAccessServerToAttributeResponse' + deprecated: true /policy.attributes.AttributesService/RemoveKeyAccessServerFromAttribute: post: tags: @@ -491,6 +496,7 @@ paths: application/json: schema: $ref: '#/components/schemas/policy.attributes.RemoveKeyAccessServerFromAttributeResponse' + deprecated: true /policy.attributes.AttributesService/AssignKeyAccessServerToValue: post: tags: @@ -526,6 +532,7 @@ paths: application/json: schema: $ref: '#/components/schemas/policy.attributes.AssignKeyAccessServerToValueResponse' + deprecated: true /policy.attributes.AttributesService/RemoveKeyAccessServerFromValue: post: tags: @@ -561,6 +568,7 @@ paths: application/json: schema: $ref: '#/components/schemas/policy.attributes.RemoveKeyAccessServerFromValueResponse' + deprecated: true /policy.attributes.AttributesService/AssignPublicKeyToAttribute: post: tags: @@ -842,8 +850,14 @@ components: Wrapper message for `bool`. The JSON representation for `BoolValue` is JSON `true` and `false`. + + Not recommended for use in new APIs, but still useful for legacy APIs and + has no plan to be removed. google.protobuf.Timestamp: type: string + examples: + - 1s + - 1.000340012s format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local @@ -996,7 +1010,7 @@ components: items: $ref: '#/components/schemas/policy.KeyAccessServer' title: grants - description: Deprecated + description: Deprecated KAS grants for the attribute. Use kas_keys instead. fqn: type: string title: fqn 
@@ -1024,6 +1038,7 @@ components: withKeyAccessGrants: type: boolean title: with_key_access_grants + description: Deprecated withSubjectMaps: type: boolean title: with_subject_maps @@ -1041,6 +1056,7 @@ components: withKeyAccessGrants: type: boolean title: with_key_access_grants + description: Deprecated withNamespace: title: with_namespace $ref: '#/components/schemas/policy.AttributeValueSelector.AttributeSelector.NamespaceSelector' @@ -1215,7 +1231,7 @@ components: items: $ref: '#/components/schemas/policy.KeyAccessServer' title: grants - description: KAS grants for the namespace + description: Deprecated KAS grants for the namespace. Use kas_keys instead. kasKeys: type: array items: @@ -1462,9 +1478,7 @@ components: items: $ref: '#/components/schemas/policy.KeyAccessServer' title: grants - description: |- - Deprecated - list of key access servers + description: Deprecated KAS grants for the value. Use kas_keys instead. fqn: type: string title: fqn @@ -1601,6 +1615,7 @@ components: description: Required title: AttributeKeyAccessServer additionalProperties: false + description: Deprecated policy.attributes.CreateAttributeRequest: type: object properties: @@ -1633,7 +1648,10 @@ components: uniqueItems: true title: values uniqueItems: true - description: "Optional \n Attribute values (when provided) must be alphanumeric strings, allowing hyphens and underscores but not as the first or last character.\n The stored attribute value will be normalized to lower case." + description: |- + Optional + Attribute values (when provided) must be alphanumeric strings, allowing hyphens and underscores but not as the first or last character. + The stored attribute value will be normalized to lower case. metadata: title: metadata description: Optional diff --git a/specs/policy/kasregistry/key_access_server_registry.openapi.yaml b/specs/policy/kasregistry/key_access_server_registry.openapi.yaml index d311651..a676adf 100644 
--- a/specs/policy/kasregistry/key_access_server_registry.openapi.yaml +++ b/specs/policy/kasregistry/key_access_server_registry.openapi.yaml @@ -224,6 +224,7 @@ paths: application/json: schema: $ref: '#/components/schemas/policy.kasregistry.ListKeyAccessServerGrantsResponse' + deprecated: true /policy.kasregistry.KeyAccessServerRegistryService/CreateKey: post: tags: @@ -478,6 +479,42 @@ paths: application/json: schema: $ref: '#/components/schemas/policy.kasregistry.GetBaseKeyResponse' + /policy.kasregistry.KeyAccessServerRegistryService/ListKeyMappings: + post: + tags: + - policy.kasregistry.KeyAccessServerRegistryService + summary: ListKeyMappings + description: Request to list key mappings in the Key Access Service. + operationId: policy.kasregistry.KeyAccessServerRegistryService.ListKeyMappings + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.kasregistry.ListKeyMappingsRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.kasregistry.ListKeyMappingsResponse' components: schemas: common.MetadataUpdateEnum: @@ -598,8 +635,14 @@ components: Wrapper message for `bool`. The JSON representation for `BoolValue` is JSON `true` and `false`. + + Not recommended for use in new APIs, but still useful for legacy APIs and + has no plan to be removed. google.protobuf.Timestamp: type: string + examples: + - 1s + - 1.000340012s format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local 
@@ -726,6 +769,10 @@ components: title: provider_config description: Optional Configuration for the key provider $ref: '#/components/schemas/policy.KeyProviderConfig' + legacy: + type: boolean + title: legacy + description: Optional Indicates a key may be found in TDFs without key identifiers metadata: title: metadata description: Common metadata fields @@ -1097,7 +1144,7 @@ components: Required The algorithm to be used for the key The key_algorithm must be one of the defined values.: ``` - this in [1, 2, 3, 4] + this in [1, 2, 3, 4, 5] ``` $ref: '#/components/schemas/policy.Algorithm' @@ -1123,6 +1170,10 @@ components: type: string title: provider_config_id description: Optional Configuration ID for the key provider, if applicable + legacy: + type: boolean + title: legacy + description: Optional Whether the key is a legacy key metadata: title: metadata description: Common metadata Mutable metadata for the key @@ -1417,6 +1468,35 @@ components: title: KeyAccessServerGrants additionalProperties: false description: Deprecated + policy.kasregistry.KeyMapping: + type: object + properties: + kid: + type: string + title: kid + kasUri: + type: string + title: kas_uri + namespaceMappings: + type: array + items: + $ref: '#/components/schemas/policy.kasregistry.MappedPolicyObject' + title: namespace_mappings + description: List of namespaces mapped to the key + attributeMappings: + type: array + items: + $ref: '#/components/schemas/policy.kasregistry.MappedPolicyObject' + title: attribute_mappings + description: List of attribute definitions mapped to the key + valueMappings: + type: array + items: + $ref: '#/components/schemas/policy.kasregistry.MappedPolicyObject' + title: value_mappings + description: List of attribute values mapped to the key + title: KeyMapping + additionalProperties: false policy.kasregistry.ListKeyAccessServerGrantsRequest: type: object properties: 
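Review bot: The new `legacy` field is documented two different ways in this file: the first hunk describes it as `Optional Indicates a key may be found in TDFs without key identifiers`, while the later hunk at `@@ -1123,6 +1170,10 @@` says only `Optional Whether the key is a legacy key`. The first wording is the one that tells an integrator what the flag actually changes (key lookup without a `kid`), which matters for anyone reasoning about which keys can unwrap a given TDF, so the terser description should be aligned to it. If these descriptions come from proto comments through the generator, the alignment belongs in the upstream proto rather than here.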
@@ -1508,6 +1588,47 @@ components: $ref: '#/components/schemas/policy.PageResponse' title: ListKeyAccessServersResponse additionalProperties: false + policy.kasregistry.ListKeyMappingsRequest: + type: object + oneOf: + - properties: + id: + type: string + title: id + format: uuid + description: The unique identifier of the key to retrieve + title: id + required: + - id + - properties: + key: + title: key + $ref: '#/components/schemas/policy.kasregistry.KasKeyIdentifier' + title: key + required: + - key + properties: + pagination: + title: pagination + description: Pagination request for the list of keys + $ref: '#/components/schemas/policy.PageRequest' + title: ListKeyMappingsRequest + additionalProperties: false + policy.kasregistry.ListKeyMappingsResponse: + type: object + properties: + keyMappings: + type: array + items: + $ref: '#/components/schemas/policy.kasregistry.KeyMapping' + title: key_mappings + description: The list of key mappings + pagination: + title: pagination + description: Pagination response for the list of keys + $ref: '#/components/schemas/policy.PageResponse' + title: ListKeyMappingsResponse + additionalProperties: false policy.kasregistry.ListKeysRequest: type: object oneOf: @@ -1546,10 +1667,15 @@ components: Filter keys by algorithm The key_algorithm must be one of the defined values.: ``` - this in [0, 1, 2, 3, 4] + this in [0, 1, 2, 3, 4, 5] ``` $ref: '#/components/schemas/policy.Algorithm' + legacy: + type: boolean + title: legacy + description: Optional Filter for legacy keys + nullable: true pagination: title: pagination description: Optional Pagination request for the list of keys 
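Review bot: The `legacy` filter added to `ListKeysRequest` carries `nullable: true`, which is an OpenAPI 3.0 keyword; if this spec declares `openapi: 3.1.0` like the new obligations spec in the same commit, `nullable` is not part of 3.1 and validators and generators silently ignore it, leaving the tri-state "unset means no filter" intent unexpressed. The 3.1 spelling is `type: [boolean, 'null']` in place of `type: boolean` plus `nullable: true`. The file's `openapi:` header is outside the diff, so the declared version cannot be confirmed from here, and if the file is vendored the change belongs upstream.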
@@ -1733,6 +1859,19 @@ components: $ref: '#/components/schemas/policy.PageResponse' title: ListPublicKeysResponse additionalProperties: false + policy.kasregistry.MappedPolicyObject: + type: object + properties: + id: + type: string + title: id + description: The unique identifier of the policy object + fqn: + type: string + title: fqn + description: The fully qualified name of the policy object + title: MappedPolicyObject + additionalProperties: false policy.kasregistry.RotateKeyRequest: type: object oneOf: @@ -1790,7 +1929,7 @@ components: Required The key_algorithm must be one of the defined values.: ``` - this in [1, 2, 3, 4] + this in [1, 2, 3, 4, 5] ``` $ref: '#/components/schemas/policy.Algorithm' diff --git a/specs/policy/keymanagement/key_management.openapi.yaml b/specs/policy/keymanagement/key_management.openapi.yaml index 4d28d36..e481df3 100644 --- a/specs/policy/keymanagement/key_management.openapi.yaml +++ b/specs/policy/keymanagement/key_management.openapi.yaml @@ -246,6 +246,9 @@ components: additionalProperties: false google.protobuf.Timestamp: type: string + examples: + - 1s + - 1.000340012s format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local diff --git a/specs/policy/namespaces/namespaces.openapi.yaml b/specs/policy/namespaces/namespaces.openapi.yaml index a33a2be..e5c3dfa 100644 --- a/specs/policy/namespaces/namespaces.openapi.yaml +++ b/specs/policy/namespaces/namespaces.openapi.yaml @@ -216,6 +216,7 @@ paths: application/json: schema: $ref: '#/components/schemas/policy.namespaces.AssignKeyAccessServerToNamespaceResponse' + deprecated: true /policy.namespaces.NamespaceService/RemoveKeyAccessServerFromNamespace: post: tags: @@ -251,6 +252,7 @@ paths: application/json: schema: $ref: '#/components/schemas/policy.namespaces.RemoveKeyAccessServerFromNamespaceResponse' + deprecated: true /policy.namespaces.NamespaceService/AssignPublicKeyToNamespace: post: tags: 
@@ -436,8 +438,14 @@ components: Wrapper message for `bool`. The JSON representation for `BoolValue` is JSON `true` and `false`. + + Not recommended for use in new APIs, but still useful for legacy APIs and + has no plan to be removed. google.protobuf.Timestamp: type: string + examples: + - 1s + - 1.000340012s format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local @@ -643,7 +651,7 @@ components: items: $ref: '#/components/schemas/policy.KeyAccessServer' title: grants - description: KAS grants for the namespace + description: Deprecated KAS grants for the namespace. Use kas_keys instead. kasKeys: type: array items: @@ -942,6 +950,7 @@ components: description: Required title: NamespaceKeyAccessServer additionalProperties: false + description: Deprecated policy.namespaces.RemoveKeyAccessServerFromNamespaceRequest: type: object properties: diff --git a/specs/policy/objects.openapi.yaml b/specs/policy/objects.openapi.yaml index d2b2c9e..e0bc4d1 100644 --- a/specs/policy/objects.openapi.yaml +++ b/specs/policy/objects.openapi.yaml @@ -122,8 +122,14 @@ components: Wrapper message for `bool`. The JSON representation for `BoolValue` is JSON `true` and `false`. + + Not recommended for use in new APIs, but still useful for legacy APIs and + has no plan to be removed. google.protobuf.Timestamp: type: string + examples: + - 1s + - 1.000340012s format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local @@ -283,6 +289,10 @@ components: title: provider_config description: Optional Configuration for the key provider $ref: '#/components/schemas/policy.KeyProviderConfig' + legacy: + type: boolean + title: legacy + description: Optional Indicates a key may be found in TDFs without key identifiers metadata: title: metadata description: Common metadata fields 
@@ -317,7 +327,7 @@ components: items: $ref: '#/components/schemas/policy.KeyAccessServer' title: grants - description: Deprecated + description: Deprecated KAS grants for the attribute. Use kas_keys instead. fqn: type: string title: fqn @@ -562,7 +572,7 @@ components: items: $ref: '#/components/schemas/policy.KeyAccessServer' title: grants - description: KAS grants for the namespace + description: Deprecated KAS grants for the namespace. Use kas_keys instead. kasKeys: type: array items: @@ -571,6 +581,65 @@ components: description: Keys for the namespace title: Namespace additionalProperties: false + policy.Obligation: + type: object + properties: + id: + type: string + title: id + namespace: + title: namespace + $ref: '#/components/schemas/policy.Namespace' + name: + type: string + title: name + values: + type: array + items: + $ref: '#/components/schemas/policy.ObligationValue' + title: values + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: Obligation + additionalProperties: false + policy.ObligationTrigger: + type: object + properties: + id: + type: string + title: id + obligationValue: + title: obligation_value + $ref: '#/components/schemas/policy.ObligationValue' + action: + title: action + $ref: '#/components/schemas/policy.Action' + attributeValue: + title: attribute_value + $ref: '#/components/schemas/policy.Value' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: ObligationTrigger + additionalProperties: false + policy.ObligationValue: + type: object + properties: + id: + type: string + title: id + obligation: + title: obligation + $ref: '#/components/schemas/policy.Obligation' + value: + type: string + title: value + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: ObligationValue + additionalProperties: false policy.PrivateKeyCtx: type: object properties: 
@@ -908,9 +977,7 @@ components: items: $ref: '#/components/schemas/policy.KeyAccessServer' title: grants - description: |- - Deprecated - list of key access servers + description: Deprecated KAS grants for the value. Use kas_keys instead. fqn: type: string title: fqn diff --git a/specs/policy/obligations/obligations.openapi.yaml b/specs/policy/obligations/obligations.openapi.yaml new file mode 100644 index 0000000..46256da --- /dev/null +++ b/specs/policy/obligations/obligations.openapi.yaml 
@@ -0,0 +1,1729 @@ +openapi: 3.1.0 +info: + title: policy.obligations +paths: + /policy.obligations.Service/ListObligations: + post: + tags: + - policy.obligations.Service + summary: ListObligations + operationId: policy.obligations.Service.ListObligations + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.obligations.ListObligationsRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.obligations.ListObligationsResponse' + /policy.obligations.Service/GetObligation: + post: + tags: + - policy.obligations.Service + summary: GetObligation + operationId: policy.obligations.Service.GetObligation + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.obligations.GetObligationRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.obligations.GetObligationResponse' + /policy.obligations.Service/GetObligationsByFQNs: + post: + tags: + - policy.obligations.Service + summary: GetObligationsByFQNs + operationId: policy.obligations.Service.GetObligationsByFQNs + parameters: + - name: 
Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.obligations.GetObligationsByFQNsRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.obligations.GetObligationsByFQNsResponse' + /policy.obligations.Service/CreateObligation: + post: + tags: + - policy.obligations.Service + summary: CreateObligation + operationId: policy.obligations.Service.CreateObligation + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.obligations.CreateObligationRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.obligations.CreateObligationResponse' + /policy.obligations.Service/UpdateObligation: + post: + tags: + - policy.obligations.Service + summary: UpdateObligation + operationId: policy.obligations.Service.UpdateObligation + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: 
+ schema: + $ref: '#/components/schemas/policy.obligations.UpdateObligationRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.obligations.UpdateObligationResponse' + /policy.obligations.Service/DeleteObligation: + post: + tags: + - policy.obligations.Service + summary: DeleteObligation + operationId: policy.obligations.Service.DeleteObligation + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.obligations.DeleteObligationRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.obligations.DeleteObligationResponse' + /policy.obligations.Service/GetObligationValue: + post: + tags: + - policy.obligations.Service + summary: GetObligationValue + operationId: policy.obligations.Service.GetObligationValue + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.obligations.GetObligationValueRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + 
content: + application/json: + schema: + $ref: '#/components/schemas/policy.obligations.GetObligationValueResponse' + /policy.obligations.Service/GetObligationValuesByFQNs: + post: + tags: + - policy.obligations.Service + summary: GetObligationValuesByFQNs + operationId: policy.obligations.Service.GetObligationValuesByFQNs + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.obligations.GetObligationValuesByFQNsRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.obligations.GetObligationValuesByFQNsResponse' + /policy.obligations.Service/CreateObligationValue: + post: + tags: + - policy.obligations.Service + summary: CreateObligationValue + operationId: policy.obligations.Service.CreateObligationValue + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.obligations.CreateObligationValueRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.obligations.CreateObligationValueResponse' + /policy.obligations.Service/UpdateObligationValue: + post: + tags: + - 
policy.obligations.Service + summary: UpdateObligationValue + operationId: policy.obligations.Service.UpdateObligationValue + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.obligations.UpdateObligationValueRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.obligations.UpdateObligationValueResponse' + /policy.obligations.Service/DeleteObligationValue: + post: + tags: + - policy.obligations.Service + summary: DeleteObligationValue + operationId: policy.obligations.Service.DeleteObligationValue + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.obligations.DeleteObligationValueRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.obligations.DeleteObligationValueResponse' + /policy.obligations.Service/AddObligationTrigger: + post: + tags: + - policy.obligations.Service + summary: AddObligationTrigger + operationId: policy.obligations.Service.AddObligationTrigger + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: 
'#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.obligations.AddObligationTriggerRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.obligations.AddObligationTriggerResponse' + /policy.obligations.Service/RemoveObligationTrigger: + post: + tags: + - policy.obligations.Service + summary: RemoveObligationTrigger + operationId: policy.obligations.Service.RemoveObligationTrigger + parameters: + - name: Connect-Protocol-Version + in: header + required: true + schema: + $ref: '#/components/schemas/connect-protocol-version' + - name: Connect-Timeout-Ms + in: header + schema: + $ref: '#/components/schemas/connect-timeout-header' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/policy.obligations.RemoveObligationTriggerRequest' + required: true + responses: + default: + description: Error + content: + application/json: + schema: + $ref: '#/components/schemas/connect.error' + "200": + description: Success + content: + application/json: + schema: + $ref: '#/components/schemas/policy.obligations.RemoveObligationTriggerResponse' +components: + schemas: + common.MetadataUpdateEnum: + type: string + title: MetadataUpdateEnum + enum: + - METADATA_UPDATE_ENUM_UNSPECIFIED + - METADATA_UPDATE_ENUM_EXTEND + - METADATA_UPDATE_ENUM_REPLACE + policy.Action.StandardAction: + type: string + title: StandardAction + enum: + - STANDARD_ACTION_UNSPECIFIED + - STANDARD_ACTION_DECRYPT + - STANDARD_ACTION_TRANSMIT + policy.Algorithm: + type: string + title: Algorithm + enum: + - ALGORITHM_UNSPECIFIED + - ALGORITHM_RSA_2048 + - ALGORITHM_RSA_4096 + - 
ALGORITHM_EC_P256 + - ALGORITHM_EC_P384 + - ALGORITHM_EC_P521 + description: Supported key algorithms. + policy.AttributeRuleTypeEnum: + type: string + title: AttributeRuleTypeEnum + enum: + - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED + - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF + - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF + - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY + policy.ConditionBooleanTypeEnum: + type: string + title: ConditionBooleanTypeEnum + enum: + - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED + - CONDITION_BOOLEAN_TYPE_ENUM_AND + - CONDITION_BOOLEAN_TYPE_ENUM_OR + policy.KasPublicKeyAlgEnum: + type: string + title: KasPublicKeyAlgEnum + enum: + - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048 + - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 + - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + policy.SourceType: + type: string + title: SourceType + enum: + - SOURCE_TYPE_UNSPECIFIED + - SOURCE_TYPE_INTERNAL + - SOURCE_TYPE_EXTERNAL + description: |- + Describes whether this kas is managed by the organization or if they imported + the kas information from an external party. These two modes are necessary in order + to encrypt a tdf dek with an external parties kas public key. 
+ policy.SubjectMappingOperatorEnum: + type: string + title: SubjectMappingOperatorEnum + enum: + - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED + - SUBJECT_MAPPING_OPERATOR_ENUM_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN + - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS + common.Metadata: + type: object + properties: + createdAt: + title: created_at + description: created_at set by server (entity who created will recorded in an audit event) + $ref: '#/components/schemas/google.protobuf.Timestamp' + updatedAt: + title: updated_at + description: updated_at set by server (entity who updated will recorded in an audit event) + $ref: '#/components/schemas/google.protobuf.Timestamp' + labels: + type: object + title: labels + additionalProperties: + type: string + title: value + description: optional short description + title: Metadata + additionalProperties: false + description: Struct to uniquely identify a resource with optional additional metadata + common.Metadata.LabelsEntry: + type: object + properties: + key: + type: string + title: key + value: + type: string + title: value + title: LabelsEntry + additionalProperties: false + common.MetadataMutable: + type: object + properties: + labels: + type: object + title: labels + additionalProperties: + type: string + title: value + description: optional labels + title: MetadataMutable + additionalProperties: false + common.MetadataMutable.LabelsEntry: + type: object + properties: + key: + type: string + title: key + value: + type: string + title: value + title: LabelsEntry + additionalProperties: false + google.protobuf.BoolValue: + type: boolean + description: |- + Wrapper message for `bool`. + + The JSON representation for `BoolValue` is JSON `true` and `false`. + + Not recommended for use in new APIs, but still useful for legacy APIs and + has no plan to be removed. 
+ google.protobuf.Timestamp: + type: string + examples: + - 1s + - 1.000340012s + format: date-time + description: |- + A Timestamp represents a point in time independent of any time zone or local + calendar, encoded as a count of seconds and fractions of seconds at + nanosecond resolution. The count is relative to an epoch at UTC midnight on + January 1, 1970, in the proleptic Gregorian calendar which extends the + Gregorian calendar backwards to year one. + + All minutes are 60 seconds long. Leap seconds are "smeared" so that no leap + second table is needed for interpretation, using a [24-hour linear + smear](https://developers.google.com/time/smear). + + The range is from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z. By + restricting to that range, we ensure that we can convert to and from [RFC + 3339](https://www.ietf.org/rfc/rfc3339.txt) date strings. + + # Examples + + Example 1: Compute Timestamp from POSIX `time()`. + + Timestamp timestamp; + timestamp.set_seconds(time(NULL)); + timestamp.set_nanos(0); + + Example 2: Compute Timestamp from POSIX `gettimeofday()`. + + struct timeval tv; + gettimeofday(&tv, NULL); + + Timestamp timestamp; + timestamp.set_seconds(tv.tv_sec); + timestamp.set_nanos(tv.tv_usec * 1000); + + Example 3: Compute Timestamp from Win32 `GetSystemTimeAsFileTime()`. + + FILETIME ft; + GetSystemTimeAsFileTime(&ft); + UINT64 ticks = (((UINT64)ft.dwHighDateTime) << 32) | ft.dwLowDateTime; + + // A Windows tick is 100 nanoseconds. Windows epoch 1601-01-01T00:00:00Z + // is 11644473600 seconds before Unix epoch 1970-01-01T00:00:00Z. + Timestamp timestamp; + timestamp.set_seconds((INT64) ((ticks / 10000000) - 11644473600LL)); + timestamp.set_nanos((INT32) ((ticks % 10000000) * 100)); + + Example 4: Compute Timestamp from Java `System.currentTimeMillis()`. 
+ + long millis = System.currentTimeMillis(); + + Timestamp timestamp = Timestamp.newBuilder().setSeconds(millis / 1000) + .setNanos((int) ((millis % 1000) * 1000000)).build(); + + Example 5: Compute Timestamp from Java `Instant.now()`. + + Instant now = Instant.now(); + + Timestamp timestamp = + Timestamp.newBuilder().setSeconds(now.getEpochSecond()) + .setNanos(now.getNano()).build(); + + Example 6: Compute Timestamp from current time in Python. + + timestamp = Timestamp() + timestamp.GetCurrentTime() + + # JSON Mapping + + In JSON format, the Timestamp type is encoded as a string in the + [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format. That is, the + format is "{year}-{month}-{day}T{hour}:{min}:{sec}[.{frac_sec}]Z" + where {year} is always expressed using four digits while {month}, {day}, + {hour}, {min}, and {sec} are zero-padded to two digits each. The fractional + seconds, which can go up to 9 digits (i.e. up to 1 nanosecond resolution), + are optional. The "Z" suffix indicates the timezone ("UTC"); the timezone + is required. A proto3 JSON serializer should always use UTC (as indicated by + "Z") when printing the Timestamp type and a proto3 JSON parser should be + able to accept both UTC and other timezones (as indicated by an offset). + + For example, "2017-01-15T01:30:15.01Z" encodes 15.01 seconds past + 01:30 UTC on January 15, 2017. + + In JavaScript, one can convert a Date object to this format using the + standard + [toISOString()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toISOString) + method. In Python, a standard `datetime.datetime` object can be converted + to this format using + [`strftime`](https://docs.python.org/2/library/time.html#time.strftime) with + the time format spec '%Y-%m-%dT%H:%M:%S.%fZ'. 
Likewise, in Java, one can use + the Joda Time's [`ISODateTimeFormat.dateTime()`]( + http://joda-time.sourceforge.net/apidocs/org/joda/time/format/ISODateTimeFormat.html#dateTime() + ) to obtain a formatter capable of generating timestamps in this format. + policy.Action: + type: object + oneOf: + - properties: + custom: + type: string + title: custom + description: Deprecated + title: custom + required: + - custom + - properties: + standard: + title: standard + description: Deprecated + $ref: '#/components/schemas/policy.Action.StandardAction' + title: standard + required: + - standard + properties: + id: + type: string + title: id + description: Generated uuid in database + name: + type: string + title: name + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: Action + additionalProperties: false + description: An action an entity can take + policy.Attribute: + type: object + properties: + id: + type: string + title: id + namespace: + title: namespace + description: namespace of the attribute + $ref: '#/components/schemas/policy.Namespace' + name: + type: string + title: name + description: attribute name + rule: + title: rule + description: attribute rule enum + $ref: '#/components/schemas/policy.AttributeRuleTypeEnum' + values: + type: array + items: + $ref: '#/components/schemas/policy.Value' + title: values + grants: + type: array + items: + $ref: '#/components/schemas/policy.KeyAccessServer' + title: grants + description: Deprecated KAS grants for the attribute. Use kas_keys instead. 
+ fqn: + type: string + title: fqn + active: + title: active + description: active by default until explicitly deactivated + $ref: '#/components/schemas/google.protobuf.BoolValue' + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + description: Keys associated with the attribute + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: Attribute + required: + - rule + additionalProperties: false + policy.Condition: + type: object + properties: + subjectExternalSelectorValue: + type: string + title: subject_external_selector_value + description: |- + a selector for a field value on a flattened Entity Representation (such as + from idP/LDAP) + operator: + title: operator + description: the evaluation operator of relation + $ref: '#/components/schemas/policy.SubjectMappingOperatorEnum' + subjectExternalValues: + type: array + items: + type: string + minItems: 1 + title: subject_external_values + minItems: 1 + description: |- + list of comparison values for the result of applying the + subject_external_selector_value on a flattened Entity Representation + (Subject), evaluated by the operator + title: Condition + required: + - subjectExternalSelectorValue + - operator + additionalProperties: false + description: |- + * + A Condition defines a rule of + policy.ConditionGroup: + type: object + properties: + conditions: + type: array + items: + $ref: '#/components/schemas/policy.Condition' + title: conditions + minItems: 1 + booleanOperator: + title: boolean_operator + description: the boolean evaluation type across the conditions + $ref: '#/components/schemas/policy.ConditionBooleanTypeEnum' + title: ConditionGroup + required: + - booleanOperator + additionalProperties: false + description: A collection of Conditions evaluated by the boolean_operator provided + policy.KasPublicKey: + type: object + properties: + pem: + type: string + title: pem + maxLength: 8192 
+ minLength: 1 + description: x509 ASN.1 content in PEM envelope, usually + kid: + type: string + title: kid + maxLength: 32 + minLength: 1 + description: A unique string identifier for this key + alg: + not: + enum: + - 0 + title: alg + description: |- + A known algorithm type with any additional parameters encoded. + To start, these may be `rsa:2048` for encrypting ZTDF files and + `ec:secp256r1` for nanoTDF, but more formats may be added as needed. + $ref: '#/components/schemas/policy.KasPublicKeyAlgEnum' + title: KasPublicKey + additionalProperties: false + description: |- + Deprecated + A KAS public key and some associated metadata for further identifcation + policy.KasPublicKeySet: + type: object + properties: + keys: + type: array + items: + $ref: '#/components/schemas/policy.KasPublicKey' + title: keys + title: KasPublicKeySet + additionalProperties: false + description: |- + Deprecated + A list of known KAS public keys + policy.KeyAccessServer: + type: object + properties: + id: + type: string + title: id + uri: + type: string + title: uri + description: |+ + Address of a KAS instance + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. 
Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https?://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(:[0-9]+)?(/.*)?$') + ``` + + publicKey: + title: public_key + description: Deprecated + $ref: '#/components/schemas/policy.PublicKey' + sourceType: + title: source_type + description: 'The source of the KAS: (INTERNAL, EXTERNAL)' + $ref: '#/components/schemas/policy.SourceType' + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + description: Kas keys associated with this KAS + name: + type: string + title: name + description: |- + Optional + Unique name of the KAS instance + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: KeyAccessServer + additionalProperties: false + description: Key Access Server Registry + policy.Namespace: + type: object + properties: + id: + type: string + title: id + description: generated uuid in database + name: + type: string + title: name + description: |- + used to partition Attribute Definitions, support by namespace AuthN and + enable federation + fqn: + type: string + title: fqn + active: + title: active + description: active by default until explicitly deactivated + $ref: '#/components/schemas/google.protobuf.BoolValue' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + grants: + type: array + items: + $ref: '#/components/schemas/policy.KeyAccessServer' + title: grants + description: Deprecated KAS grants for the namespace. Use kas_keys instead. 
+ kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + description: Keys for the namespace + title: Namespace + additionalProperties: false + policy.Obligation: + type: object + properties: + id: + type: string + title: id + namespace: + title: namespace + $ref: '#/components/schemas/policy.Namespace' + name: + type: string + title: name + values: + type: array + items: + $ref: '#/components/schemas/policy.ObligationValue' + title: values + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: Obligation + additionalProperties: false + policy.ObligationTrigger: + type: object + properties: + id: + type: string + title: id + obligationValue: + title: obligation_value + $ref: '#/components/schemas/policy.ObligationValue' + action: + title: action + $ref: '#/components/schemas/policy.Action' + attributeValue: + title: attribute_value + $ref: '#/components/schemas/policy.Value' + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: ObligationTrigger + additionalProperties: false + policy.ObligationValue: + type: object + properties: + id: + type: string + title: id + obligation: + title: obligation + $ref: '#/components/schemas/policy.Obligation' + value: + type: string + title: value + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: ObligationValue + additionalProperties: false + policy.PageRequest: + type: object + properties: + limit: + type: integer + title: limit + format: int32 + description: |- + Optional + Set to configured default limit if not provided + Maximum limit set in platform config and enforced by services + offset: + type: integer + title: offset + format: int32 + description: |- + Optional + Defaulted if not provided + title: PageRequest + additionalProperties: false + policy.PageResponse: + type: object + properties: + currentOffset: + type: integer + title: current_offset + format: int32 + description: 
Requested pagination offset + nextOffset: + type: integer + title: next_offset + format: int32 + description: |- + Calculated with request limit + offset or defaults + Empty when none remain after current page + total: + type: integer + title: total + format: int32 + description: Total count of entire list + title: PageResponse + additionalProperties: false + policy.PublicKey: + type: object + oneOf: + - properties: + cached: + title: cached + description: public key with additional information. Current preferred version + $ref: '#/components/schemas/policy.KasPublicKeySet' + title: cached + required: + - cached + - properties: + remote: + type: string + title: remote + description: |+ + kas public key url - optional since can also be retrieved via public key + URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.: + ``` + this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$') + ``` + + title: remote + required: + - remote + title: PublicKey + additionalProperties: false + description: Deprecated + policy.ResourceMapping: + type: object + properties: + id: + type: string + title: id + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + attributeValue: + title: attribute_value + $ref: '#/components/schemas/policy.Value' + terms: + type: array + items: + type: string + title: terms + group: + title: group + $ref: '#/components/schemas/policy.ResourceMappingGroup' + title: ResourceMapping + required: + - attributeValue + additionalProperties: false + description: |- + Resource Mappings (aka Access Control Resource Encodings aka ACRE) are + structures supporting the mapping of Resources and Attribute Values + policy.ResourceMappingGroup: + type: object + properties: + id: + type: string + title: id + namespaceId: + type: 
string + title: namespace_id + description: the namespace containing the group of resource mappings + name: + type: string + title: name + description: |- + the common name for the group of resource mappings, which must be unique + per namespace + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: ResourceMappingGroup + required: + - namespaceId + - name + additionalProperties: false + description: |- + Resource Mapping Groups are namespaced collections of Resource Mappings + associated under a common group name. + policy.SimpleKasKey: + type: object + properties: + kasUri: + type: string + title: kas_uri + description: The URL of the Key Access Server + publicKey: + title: public_key + description: The public key of the Key that belongs to the KAS + $ref: '#/components/schemas/policy.SimpleKasPublicKey' + kasId: + type: string + title: kas_id + description: The ID of the Key Access Server + title: SimpleKasKey + additionalProperties: false + policy.SimpleKasPublicKey: + type: object + properties: + algorithm: + title: algorithm + $ref: '#/components/schemas/policy.Algorithm' + kid: + type: string + title: kid + pem: + type: string + title: pem + title: SimpleKasPublicKey + additionalProperties: false + policy.SubjectConditionSet: + type: object + properties: + id: + type: string + title: id + subjectSets: + type: array + items: + $ref: '#/components/schemas/policy.SubjectSet' + title: subject_sets + minItems: 1 + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: SubjectConditionSet + additionalProperties: false + description: |- + A container for multiple Subject Sets, each containing Condition Groups, each + containing Conditions. Multiple Subject Sets in a SubjectConditionSet are + evaluated with AND logic. 
As each Subject Mapping has only one Attribute + Value, the SubjectConditionSet is reusable across multiple Subject Mappings / + Attribute Values and is an independent unit. + policy.SubjectMapping: + type: object + properties: + id: + type: string + title: id + attributeValue: + title: attribute_value + description: 'the Attribute Value mapped to; aka: "The Entity Entitlement Attribute"' + $ref: '#/components/schemas/policy.Value' + subjectConditionSet: + title: subject_condition_set + description: the reusable SubjectConditionSet mapped to the given Attribute Value + $ref: '#/components/schemas/policy.SubjectConditionSet' + actions: + type: array + items: + $ref: '#/components/schemas/policy.Action' + title: actions + description: The actions permitted by subjects in this mapping + metadata: + title: metadata + $ref: '#/components/schemas/common.Metadata' + title: SubjectMapping + additionalProperties: false + description: |- + Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute + value + action(s) combination + policy.SubjectSet: + type: object + properties: + conditionGroups: + type: array + items: + $ref: '#/components/schemas/policy.ConditionGroup' + title: condition_groups + minItems: 1 + description: multiple Condition Groups are evaluated with AND logic + title: SubjectSet + additionalProperties: false + description: A collection of Condition Groups + policy.Value: + type: object + properties: + id: + type: string + title: id + description: generated uuid in database + attribute: + title: attribute + $ref: '#/components/schemas/policy.Attribute' + value: + type: string + title: value + grants: + type: array + items: + $ref: '#/components/schemas/policy.KeyAccessServer' + title: grants + description: Deprecated KAS grants for the value. Use kas_keys instead. 
+ fqn: + type: string + title: fqn + active: + title: active + description: active by default until explicitly deactivated + $ref: '#/components/schemas/google.protobuf.BoolValue' + subjectMappings: + type: array + items: + $ref: '#/components/schemas/policy.SubjectMapping' + title: subject_mappings + description: subject mapping + kasKeys: + type: array + items: + $ref: '#/components/schemas/policy.SimpleKasKey' + title: kas_keys + resourceMappings: + type: array + items: + $ref: '#/components/schemas/policy.ResourceMapping' + title: resource_mappings + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: Value + additionalProperties: false + policy.obligations.AddObligationTriggerRequest: + type: object + properties: + obligationValueId: + type: string + title: obligation_value_id + description: Required + actionId: + type: string + title: action_id + attributeValueId: + type: string + title: attribute_value_id + metadata: + title: metadata + description: |- + Optional + Common metadata + $ref: '#/components/schemas/common.MetadataMutable' + title: AddObligationTriggerRequest + additionalProperties: false + description: Triggers + policy.obligations.AddObligationTriggerResponse: + type: object + properties: + trigger: + title: trigger + $ref: '#/components/schemas/policy.ObligationTrigger' + title: AddObligationTriggerResponse + additionalProperties: false + policy.obligations.CreateObligationRequest: + type: object + oneOf: + - properties: + fqn: + type: string + title: fqn + title: fqn + required: + - fqn + - properties: + id: + type: string + title: id + title: id + required: + - id + properties: + name: + type: string + title: name + values: + type: array + items: + type: string + title: values + description: Optional + metadata: + title: metadata + description: |- + Optional + Common metadata + $ref: '#/components/schemas/common.MetadataMutable' + title: CreateObligationRequest + 
additionalProperties: false + policy.obligations.CreateObligationResponse: + type: object + properties: + obligation: + title: obligation + $ref: '#/components/schemas/policy.Obligation' + title: CreateObligationResponse + additionalProperties: false + policy.obligations.CreateObligationValueRequest: + type: object + oneOf: + - properties: + fqn: + type: string + title: fqn + title: fqn + required: + - fqn + - properties: + id: + type: string + title: id + title: id + required: + - id + properties: + value: + type: string + title: value + metadata: + title: metadata + description: |- + Optional + Common metadata + $ref: '#/components/schemas/common.MetadataMutable' + title: CreateObligationValueRequest + additionalProperties: false + policy.obligations.CreateObligationValueResponse: + type: object + properties: + value: + title: value + $ref: '#/components/schemas/policy.ObligationValue' + title: CreateObligationValueResponse + additionalProperties: false + policy.obligations.DeleteObligationRequest: + type: object + oneOf: + - properties: + fqn: + type: string + title: fqn + title: fqn + required: + - fqn + - properties: + id: + type: string + title: id + title: id + required: + - id + title: DeleteObligationRequest + additionalProperties: false + policy.obligations.DeleteObligationResponse: + type: object + properties: + obligation: + title: obligation + $ref: '#/components/schemas/policy.Obligation' + title: DeleteObligationResponse + additionalProperties: false + policy.obligations.DeleteObligationValueRequest: + type: object + oneOf: + - properties: + fqn: + type: string + title: fqn + title: fqn + required: + - fqn + - properties: + id: + type: string + title: id + title: id + required: + - id + title: DeleteObligationValueRequest + additionalProperties: false + policy.obligations.DeleteObligationValueResponse: + type: object + properties: + value: + title: value + $ref: '#/components/schemas/policy.ObligationValue' + title: DeleteObligationValueResponse + 
additionalProperties: false + policy.obligations.GetObligationRequest: + type: object + oneOf: + - properties: + fqn: + type: string + title: fqn + title: fqn + required: + - fqn + - properties: + id: + type: string + title: id + title: id + required: + - id + title: GetObligationRequest + additionalProperties: false + description: Definitions + policy.obligations.GetObligationResponse: + type: object + properties: + obligation: + title: obligation + $ref: '#/components/schemas/policy.Obligation' + title: GetObligationResponse + additionalProperties: false + policy.obligations.GetObligationValueRequest: + type: object + oneOf: + - properties: + fqn: + type: string + title: fqn + title: fqn + required: + - fqn + - properties: + id: + type: string + title: id + title: id + required: + - id + title: GetObligationValueRequest + additionalProperties: false + description: Values + policy.obligations.GetObligationValueResponse: + type: object + properties: + value: + title: value + $ref: '#/components/schemas/policy.ObligationValue' + title: GetObligationValueResponse + additionalProperties: false + policy.obligations.GetObligationValuesByFQNsRequest: + type: object + properties: + fqns: + type: array + items: + type: string + title: fqns + title: GetObligationValuesByFQNsRequest + additionalProperties: false + policy.obligations.GetObligationValuesByFQNsResponse: + type: object + properties: + fqnValueMap: + type: object + title: fqn_value_map + additionalProperties: + title: value + $ref: '#/components/schemas/policy.ObligationValue' + title: GetObligationValuesByFQNsResponse + additionalProperties: false + policy.obligations.GetObligationValuesByFQNsResponse.FqnValueMapEntry: + type: object + properties: + key: + type: string + title: key + value: + title: value + $ref: '#/components/schemas/policy.ObligationValue' + title: FqnValueMapEntry + additionalProperties: false + policy.obligations.GetObligationsByFQNsRequest: + type: object + properties: + fqns: + type: array 
+ items: + type: string + title: fqns + title: GetObligationsByFQNsRequest + additionalProperties: false + policy.obligations.GetObligationsByFQNsResponse: + type: object + properties: + fqnObligationMap: + type: object + title: fqn_obligation_map + additionalProperties: + title: value + $ref: '#/components/schemas/policy.Obligation' + title: GetObligationsByFQNsResponse + additionalProperties: false + policy.obligations.GetObligationsByFQNsResponse.FqnObligationMapEntry: + type: object + properties: + key: + type: string + title: key + value: + title: value + $ref: '#/components/schemas/policy.Obligation' + title: FqnObligationMapEntry + additionalProperties: false + policy.obligations.ListObligationsRequest: + type: object + oneOf: + - properties: + fqn: + type: string + title: fqn + title: fqn + required: + - fqn + - properties: + id: + type: string + title: id + title: id + required: + - id + properties: + pagination: + title: pagination + description: Optional + $ref: '#/components/schemas/policy.PageRequest' + title: ListObligationsRequest + additionalProperties: false + policy.obligations.ListObligationsResponse: + type: object + properties: + obligations: + type: array + items: + $ref: '#/components/schemas/policy.Obligation' + title: obligations + pagination: + title: pagination + $ref: '#/components/schemas/policy.PageResponse' + title: ListObligationsResponse + additionalProperties: false + policy.obligations.RemoveObligationTriggerRequest: + type: object + properties: + id: + type: string + title: id + title: RemoveObligationTriggerRequest + additionalProperties: false + policy.obligations.RemoveObligationTriggerResponse: + type: object + properties: + trigger: + title: trigger + $ref: '#/components/schemas/policy.ObligationTrigger' + title: RemoveObligationTriggerResponse + additionalProperties: false + policy.obligations.UpdateObligationRequest: + type: object + properties: + id: + type: string + title: id + description: Required + name: + type: 
string + title: name + description: Optional + metadata: + title: metadata + $ref: '#/components/schemas/common.MetadataMutable' + metadataUpdateBehavior: + title: metadata_update_behavior + $ref: '#/components/schemas/common.MetadataUpdateEnum' + title: UpdateObligationRequest + additionalProperties: false + policy.obligations.UpdateObligationResponse: + type: object + properties: + obligation: + title: obligation + $ref: '#/components/schemas/policy.Obligation' + title: UpdateObligationResponse + additionalProperties: false + policy.obligations.UpdateObligationValueRequest: + type: object + properties: + id: + type: string + title: id + description: Required + value: + type: string + title: value + description: Optional + metadata: + title: metadata + $ref: '#/components/schemas/common.MetadataMutable' + metadataUpdateBehavior: + title: metadata_update_behavior + $ref: '#/components/schemas/common.MetadataUpdateEnum' + title: UpdateObligationValueRequest + additionalProperties: false + policy.obligations.UpdateObligationValueResponse: + type: object + properties: + value: + title: value + $ref: '#/components/schemas/policy.ObligationValue' + title: UpdateObligationValueResponse + additionalProperties: false + connect-protocol-version: + type: number + title: Connect-Protocol-Version + enum: + - 1 + description: Define the version of the Connect protocol + const: 1 + connect-timeout-header: + type: number + title: Connect-Timeout-Ms + description: Define the timeout, in ms + connect.error: + type: object + properties: + code: + type: string + examples: + - not_found + enum: + - canceled + - unknown + - invalid_argument + - deadline_exceeded + - not_found + - already_exists + - permission_denied + - resource_exhausted + - failed_precondition + - aborted + - out_of_range + - unimplemented + - internal + - unavailable + - data_loss + - unauthenticated + description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. 
+ message:
+ type: string
+ description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client.
+ detail:
+ $ref: '#/components/schemas/google.protobuf.Any'
+ title: Connect Error
+ additionalProperties: true
+ description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation'
+ google.protobuf.Any:
+ type: object
+ properties:
+ type:
+ type: string
+ value:
+ type: string
+ format: binary
+ debug:
+ type: object
+ additionalProperties: true
+ additionalProperties: true
+ description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message.
+security: []
+tags:
+ - name: policy.obligations.Service
+ description: |-
+ /
+ / Obligation Service
+ /
diff --git a/specs/policy/registeredresources/registered_resources.openapi.yaml b/specs/policy/registeredresources/registered_resources.openapi.yaml
index 3f53184..7bc73e2 100644
--- a/specs/policy/registeredresources/registered_resources.openapi.yaml
+++ b/specs/policy/registeredresources/registered_resources.openapi.yaml
@@ -519,8 +519,14 @@ components:
 Wrapper message for `bool`.
 
 The JSON representation for `BoolValue` is JSON `true` and `false`.
+
+ Not recommended for use in new APIs, but still useful for legacy APIs and
+ has no plan to be removed.
 google.protobuf.Timestamp:
 type: string
+ examples:
+ - 1s
+ - 1.000340012s
 format: date-time
 description: |-
 A Timestamp represents a point in time independent of any time zone or local
@@ -673,7 +679,7 @@ components:
 items:
 $ref: '#/components/schemas/policy.KeyAccessServer'
 title: grants
- description: Deprecated
+ description: Deprecated KAS grants for the attribute. Use kas_keys instead.
 fqn:
 type: string
 title: fqn
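Review bot: The `examples` added under `google.protobuf.Timestamp` in the -519 hunk, `1s` and `1.000340012s`, are Duration-style strings and cannot be valid values of a schema declared `format: date-time` two lines below, so the rendered docs and any client fixtures derived from them will show a sample that the RFC 3339 JSON mapping described in this same schema (e.g. `2017-01-15T01:30:15.01Z`) rejects. The same pair appears in the -519 hunk of resource_mapping.openapi.yaml, the -555 hunk of subject_mapping.openapi.yaml and in the Timestamp schema of the new obligations spec above this hunk. If these YAML files are regenerated from protobuf sources, the fix belongs in the generator or the preprocessing step rather than a hand edit here; otherwise the two entries should become `- "2017-01-15T01:30:15.01Z"`. The BoolValue and Timestamp schemas this hunk touches continue outside it on both sides.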
@@ -860,7 +866,7 @@ components:
 items:
 $ref: '#/components/schemas/policy.KeyAccessServer'
 title: grants
- description: KAS grants for the namespace
+ description: Deprecated KAS grants for the namespace. Use kas_keys instead.
 kasKeys:
 type: array
 items:
@@ -1168,9 +1174,7 @@ components:
 items:
 $ref: '#/components/schemas/policy.KeyAccessServer'
 title: grants
- description: |-
- Deprecated
- list of key access servers
+ description: Deprecated KAS grants for the value. Use kas_keys instead.
 fqn:
 type: string
 title: fqn
diff --git a/specs/policy/resourcemapping/resource_mapping.openapi.yaml b/specs/policy/resourcemapping/resource_mapping.openapi.yaml
index f8134a6..7e13ecd 100644
--- a/specs/policy/resourcemapping/resource_mapping.openapi.yaml
+++ b/specs/policy/resourcemapping/resource_mapping.openapi.yaml
@@ -519,8 +519,14 @@ components:
 Wrapper message for `bool`.
 
 The JSON representation for `BoolValue` is JSON `true` and `false`.
+
+ Not recommended for use in new APIs, but still useful for legacy APIs and
+ has no plan to be removed.
 google.protobuf.Timestamp:
 type: string
+ examples:
+ - 1s
+ - 1.000340012s
 format: date-time
 description: |-
 A Timestamp represents a point in time independent of any time zone or local
@@ -673,7 +679,7 @@ components:
 items:
 $ref: '#/components/schemas/policy.KeyAccessServer'
 title: grants
- description: Deprecated
+ description: Deprecated KAS grants for the attribute. Use kas_keys instead.
 fqn:
 type: string
 title: fqn
@@ -860,7 +866,7 @@ components:
 items:
 $ref: '#/components/schemas/policy.KeyAccessServer'
 title: grants
- description: KAS grants for the namespace
+ description: Deprecated KAS grants for the namespace. Use kas_keys instead.
 kasKeys:
 type: array
 items:
@@ -1107,9 +1113,7 @@ components: items: $ref: '#/components/schemas/policy.KeyAccessServer' title: grants - description: |- - Deprecated - list of key access servers + description: Deprecated KAS grants for the value. Use kas_keys instead. fqn: type: string title: fqn diff --git a/specs/policy/selectors.openapi.yaml b/specs/policy/selectors.openapi.yaml index a35d717..3a43030 100644 --- a/specs/policy/selectors.openapi.yaml +++ b/specs/policy/selectors.openapi.yaml @@ -10,6 +10,7 @@ components: withKeyAccessGrants: type: boolean title: with_key_access_grants + description: Deprecated withNamespace: title: with_namespace $ref: '#/components/schemas/policy.AttributeDefinitionSelector.NamespaceSelector' @@ -28,6 +29,7 @@ components: withKeyAccessGrants: type: boolean title: with_key_access_grants + description: Deprecated withSubjectMaps: type: boolean title: with_subject_maps @@ -50,6 +52,7 @@ components: withKeyAccessGrants: type: boolean title: with_key_access_grants + description: Deprecated withValues: title: with_values $ref: '#/components/schemas/policy.AttributeNamespaceSelector.AttributeSelector.ValueSelector' @@ -61,6 +64,7 @@ components: withKeyAccessGrants: type: boolean title: with_key_access_grants + description: Deprecated withSubjectMaps: type: boolean title: with_subject_maps @@ -75,6 +79,7 @@ components: withKeyAccessGrants: type: boolean title: with_key_access_grants + description: Deprecated withSubjectMaps: type: boolean title: with_subject_maps @@ -92,6 +97,7 @@ components: withKeyAccessGrants: type: boolean title: with_key_access_grants + description: Deprecated withNamespace: title: with_namespace $ref: '#/components/schemas/policy.AttributeValueSelector.AttributeSelector.NamespaceSelector' diff --git a/specs/policy/subjectmapping/subject_mapping.openapi.yaml b/specs/policy/subjectmapping/subject_mapping.openapi.yaml index ca1b88f..69d6ed3 100644 --- a/specs/policy/subjectmapping/subject_mapping.openapi.yaml 
+++ b/specs/policy/subjectmapping/subject_mapping.openapi.yaml @@ -555,8 +555,14 @@ components: Wrapper message for `bool`. The JSON representation for `BoolValue` is JSON `true` and `false`. + + Not recommended for use in new APIs, but still useful for legacy APIs and + has no plan to be removed. google.protobuf.Timestamp: type: string + examples: + - 1s + - 1.000340012s format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local @@ -709,7 +715,7 @@ components: items: $ref: '#/components/schemas/policy.KeyAccessServer' title: grants - description: Deprecated + description: Deprecated KAS grants for the attribute. Use kas_keys instead. fqn: type: string title: fqn @@ -896,7 +902,7 @@ components: items: $ref: '#/components/schemas/policy.KeyAccessServer' title: grants - description: KAS grants for the namespace + description: Deprecated KAS grants for the namespace. Use kas_keys instead. kasKeys: type: array items: @@ -1168,9 +1174,7 @@ components: items: $ref: '#/components/schemas/policy.KeyAccessServer' title: grants - description: |- - Deprecated - list of key access servers + description: Deprecated KAS grants for the value. Use kas_keys instead. fqn: type: string title: fqn diff --git a/specs/policy/unsafe/unsafe.openapi.yaml b/specs/policy/unsafe/unsafe.openapi.yaml index 875c41c..2ff949d 100644 --- a/specs/policy/unsafe/unsafe.openapi.yaml +++ b/specs/policy/unsafe/unsafe.openapi.yaml 
@@ -413,6 +413,24 @@ components: - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1 - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1 - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1 + policy.KeyMode: + type: string + title: KeyMode + enum: + - KEY_MODE_UNSPECIFIED + - KEY_MODE_CONFIG_ROOT_KEY + - KEY_MODE_PROVIDER_ROOT_KEY + - KEY_MODE_REMOTE + - KEY_MODE_PUBLIC_KEY_ONLY + description: Describes the management and operational mode of a cryptographic key. + policy.KeyStatus: + type: string + title: KeyStatus + enum: + - KEY_STATUS_UNSPECIFIED + - KEY_STATUS_ACTIVE + - KEY_STATUS_ROTATED + description: The status of the key policy.SourceType: type: string title: SourceType @@ -470,8 +488,14 @@ components: Wrapper message for `bool`. The JSON representation for `BoolValue` is JSON `true` and `false`. + + Not recommended for use in new APIs, but still useful for legacy APIs and + has no plan to be removed. google.protobuf.Timestamp: type: string + examples: + - 1s + - 1.000340012s format: date-time description: |- A Timestamp represents a point in time independent of any time zone or local 
@@ -596,6 +620,51 @@ components: title: Action additionalProperties: false description: An action an entity can take + policy.AsymmetricKey: + type: object + properties: + id: + type: string + title: id + description: Required + keyId: + type: string + title: key_id + description: Required + keyAlgorithm: + title: key_algorithm + description: Required + $ref: '#/components/schemas/policy.Algorithm' + keyStatus: + title: key_status + description: Required + $ref: '#/components/schemas/policy.KeyStatus' + keyMode: + title: key_mode + description: Required Specifies how the key is managed (local or remote) + $ref: '#/components/schemas/policy.KeyMode' + publicKeyCtx: + title: public_key_ctx + description: Required Specific structure based on key provider implementation + $ref: '#/components/schemas/policy.PublicKeyCtx' + privateKeyCtx: + title: private_key_ctx + description: Optional Specific structure based on key provider implementation + $ref: '#/components/schemas/policy.PrivateKeyCtx' + providerConfig: + title: provider_config + description: Optional Configuration for the key provider + $ref: '#/components/schemas/policy.KeyProviderConfig' + legacy: + type: boolean + title: legacy + description: Optional Indicates a key may be found in TDFs without key identifiers + metadata: + title: metadata + description: Common metadata fields + $ref: '#/components/schemas/common.Metadata' + title: AsymmetricKey + additionalProperties: false policy.Attribute: type: object properties: @@ -624,7 +693,7 @@ components: items: $ref: '#/components/schemas/policy.KeyAccessServer' title: grants - description: Deprecated + description: Deprecated KAS grants for the attribute. Use kas_keys instead. fqn: type: string title: fqn 
@@ -697,6 +766,20 @@ components: - booleanOperator additionalProperties: false description: A collection of Conditions evaluated by the boolean_operator provided + policy.KasKey: + type: object + properties: + kasId: + type: string + title: kas_id + key: + title: key + $ref: '#/components/schemas/policy.AsymmetricKey' + kasUri: + type: string + title: kas_uri + title: KasKey + additionalProperties: false policy.KasPublicKey: type: object properties: @@ -740,31 +823,6 @@ components: description: |- Deprecated A list of known KAS public keys - policy.Key: - type: object - properties: - id: - type: string - title: id - description: the database record ID, not the key ID (`kid`) - isActive: - title: is_active - $ref: '#/components/schemas/google.protobuf.BoolValue' - wasMapped: - title: was_mapped - $ref: '#/components/schemas/google.protobuf.BoolValue' - publicKey: - title: public_key - $ref: '#/components/schemas/policy.KasPublicKey' - kas: - title: kas - $ref: '#/components/schemas/policy.KeyAccessServer' - metadata: - title: metadata - description: Common metadata - $ref: '#/components/schemas/common.Metadata' - title: Key - additionalProperties: false policy.KeyAccessServer: type: object properties: @@ -808,6 +866,25 @@ components: title: KeyAccessServer additionalProperties: false description: Key Access Server Registry + policy.KeyProviderConfig: + type: object + properties: + id: + type: string + title: id + name: + type: string + title: name + configJson: + type: string + title: config_json + format: byte + metadata: + title: metadata + description: Common metadata + $ref: '#/components/schemas/common.Metadata' + title: KeyProviderConfig + additionalProperties: false policy.Namespace: type: object properties: @@ -836,7 +913,7 @@ components: items: $ref: '#/components/schemas/policy.KeyAccessServer' title: grants - description: KAS grants for the namespace + description: Deprecated KAS grants for the namespace. Use kas_keys instead. kasKeys: type: array items: 
@@ -845,6 +922,20 @@ components: description: Keys for the namespace title: Namespace additionalProperties: false + policy.PrivateKeyCtx: + type: object + properties: + keyId: + type: string + title: key_id + minLength: 1 + description: Required Key ID for the symmetric key wrapping this key. + wrappedKey: + type: string + title: wrapped_key + description: Optional Base64 encoded wrapped key. Conditionally required if key_mode is LOCAL. Should not be present if key_mode is REMOTE. + title: PrivateKeyCtx + additionalProperties: false policy.PublicKey: type: object oneOf: @@ -873,6 +964,16 @@ components: title: PublicKey additionalProperties: false description: Deprecated + policy.PublicKeyCtx: + type: object + properties: + pem: + type: string + title: pem + minLength: 1 + description: Required Base64 encoded public key in PEM format + title: PublicKeyCtx + additionalProperties: false policy.ResourceMapping: type: object properties: @@ -1041,9 +1142,7 @@ components: items: $ref: '#/components/schemas/policy.KeyAccessServer' title: grants - description: |- - Deprecated - list of key access servers + description: Deprecated KAS grants for the value. Use kas_keys instead. fqn: type: string title: fqn 
@@ -1148,15 +1247,32 @@ components: description: |- Required UUID of the Key + kid: + type: string + title: kid + description: |- + Required + The key id assigned to this key (Ex: "key-1") + kasUri: + type: string + title: kas_uri + description: |- + Required + The kas uri for which this key belongs (Ex: "https://kas.example.com:8080") title: UnsafeDeleteKasKeyRequest + required: + - kid + - kasUri additionalProperties: false - description: WARNING!! + description: |- + WARNING!! + Deleting a key will make it so that ANY TDF that was encrypted with this key cannot be decrypted by the platform. policy.unsafe.UnsafeDeleteKasKeyResponse: type: object properties: key: title: key - $ref: '#/components/schemas/policy.Key' + $ref: '#/components/schemas/policy.KasKey' title: UnsafeDeleteKasKeyResponse additionalProperties: false policy.unsafe.UnsafeDeleteNamespaceRequest: diff --git a/scripts/check-vendored-yaml.ts b/src/openapi/check-vendored-yaml.ts similarity index 82% rename from scripts/check-vendored-yaml.ts rename to src/openapi/check-vendored-yaml.ts index dcaa185..f82bd05 100644 --- a/scripts/check-vendored-yaml.ts +++ b/src/openapi/check-vendored-yaml.ts @@ -1,7 +1,9 @@ +/* +When making changes to this file, consider: https://virtru.atlassian.net/browse/DSPX-1577 +*/ import * as fs from 'fs'; -import * as path from 'path'; import * as crypto from 'crypto'; -import { openApiSpecsArray } from '../preprocessing'; +import { openApiSpecsArray } from './preprocessing'; function fileHash(filePath: string): string { if (!fs.existsSync(filePath)) return ''; 
@@ -34,9 +36,8 @@ async function main() { let hasDiff = false; for (const spec of openApiSpecsArray) { if (!spec.url) continue; // Only process specs with a URL - // Remove leading './' for specPath if present, and resolve relative to this script - const specPath = spec.specPath.replace(/^\.\//, '../'); - const absPath = path.resolve(__dirname, specPath); + // absPaths is the absolute path to the spec file + const absPath = spec.specPath; const tmpPath = absPath + '.tmp'; // Download to tmpPath await downloadFile(spec.url, tmpPath); @@ -46,6 +47,8 @@ async function main() { if (oldHash !== newHash) { hasDiff = true; console.error(`❌ Vendored file out of date: ${spec.specPath}\nPlease run 'npm run update-vendored-yaml' to update.`); + } else { + console.log(`✅ Vendored file is up to date: ${spec.specPath}`); } fs.unlinkSync(tmpPath); } diff --git a/preprocessing.ts b/src/openapi/preprocessing.ts similarity index 58% rename from preprocessing.ts rename to src/openapi/preprocessing.ts index aed73d5..1e41098 100644 --- a/preprocessing.ts +++ b/src/openapi/preprocessing.ts 
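Review bot: The comment `// absPaths is the absolute path to the spec file` names a variable that does not exist (`absPath`) and states an invariant this file cannot see: `spec.specPath` is absolute only because preprocessing.ts builds it with `path.join(specsDir, …)`, and `downloadFile` will write `absPath + '.tmp'` wherever that string points. I would make the dependency explicit, `// specPath is absolute (built from repoRoot in preprocessing.ts)`, and fail fast with `if (!path.isAbsolute(absPath)) throw new Error('expected absolute specPath: ' + absPath);`, which means keeping the `path` import the first hunk of this file removes. The same comment is added to update-vendored-yaml.ts in this commit. main() continues outside the hunk.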
@@ -1,13 +1,31 @@ +/* +When making changes to this file, consider: https://virtru.atlassian.net/browse/DSPX-1577 +*/ import * as fs from 'fs'; import * as path from 'path'; import * as yaml from 'js-yaml'; import type * as OpenApiPlugin from "docusaurus-plugin-openapi-docs"; +// Utility to find the repo root (directory containing package.json) +function findRepoRoot(startDir = __dirname): string { + let dir = startDir; + while (!fs.existsSync(path.join(dir, 'package.json'))) { + const parent = path.dirname(dir); + if (parent === dir) throw new Error('Could not find package.json in parent directories'); + dir = parent; + } + return dir; +} + +const repoRoot = findRepoRoot(); +const specsDir = path.join(repoRoot, 'specs'); +const specsProcessedDir = path.join(repoRoot, 'specs-processed'); + // Boolean to control whether we add '[Preprocessed on' timestamp ']' to the description const ADD_TIMESTAMP_TO_DESCRIPTION = false; // The location prefix of built OpenAPI documentation -const OUTPUT_PREFIX = 'docs/OpenAPI-clients'; +const OUTPUT_PREFIX = path.join(repoRoot, 'docs', 'OpenAPI-clients'); // The index page for OpenAPI documentation, to support bookmarking & sharing the URL const OPENAPI_INDEX_PAGE = `${OUTPUT_PREFIX}/index.md`; @@ -34,7 +52,7 @@ interface ApiSpecDefinition { let openApiSpecsArray: ApiSpecDefinition[] = [ { id: "Well-Known Configuration", - specPath: "./specs/wellknownconfiguration/wellknown_configuration.openapi.yaml", + specPath: path.join(specsDir, 'wellknownconfiguration/wellknown_configuration.openapi.yaml'), outputDir: `${OUTPUT_PREFIX}/wellknownconfiguration`, url: 'https://raw.githubusercontent.com/opentdf/platform/refs/heads/main/docs/openapi/wellknownconfiguration/wellknown_configuration.openapi.yaml', sidebarOptions: { 
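Review bot: `findRepoRoot` returns the first directory upward from `__dirname` that contains a `package.json`, which is the repo root only while no nested `package.json` exists between `src/openapi` and the root; adding one later (a workspace, an example project) would silently move `specsDir`, `specsProcessedDir` and `OUTPUT_PREFIX`, and every read and write in this module would go to the wrong tree. Since this runs at import time, I would state the assumption beside the function, `// assumes the nearest package.json above src/openapi is the site root; a nested one would redirect all spec paths`, or anchor the search on a file that exists only at the root. `OUTPUT_PREFIX` also changes from the site-relative `docs/OpenAPI-clients` to an absolute path that still feeds the `outputDir` values handed to the Docusaurus config; whether that plugin accepts absolute output directories is not visible here and should be confirmed, as should the mixed separators that `${OUTPUT_PREFIX}/index.md` produces on Windows once `path.join` is involved.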
@@ -44,10 +62,9 @@ let openApiSpecsArray: ApiSpecDefinition[] = [ }, { id: "V1 Authorization", - specPath: "./specs/authorization/authorization.openapi.yaml", + specPath: path.join(specsDir, 'authorization/authorization.openapi.yaml'), outputDir: `${OUTPUT_PREFIX}/authorization/v1`, url: 'https://raw.githubusercontent.com/opentdf/platform/refs/heads/main/docs/openapi/authorization/authorization.openapi.yaml', - // specPathModified is auto-generated if not specified sidebarOptions: { groupPathsBy: "tag", categoryLinkSource: "info", @@ -55,11 +72,10 @@ let openApiSpecsArray: ApiSpecDefinition[] = [ }, { id: "V2 Authorization", - specPath: "./specs/authorization/v2/authorization.openapi.yaml", + specPath: path.join(specsDir, 'authorization/v2/authorization.openapi.yaml'), outputDir: `${OUTPUT_PREFIX}/authorization/v2`, url: 'https://raw.githubusercontent.com/opentdf/platform/refs/heads/main/docs/openapi/authorization/v2/authorization.openapi.yaml', - // Example of custom modified path: - specPathModified: "./specs-processed/authorization/v2/authorization.openapi.yaml", + // specPathModified: path.join(specsProcessedDir, 'authorization/v2/authorization.openapi.yaml'), sidebarOptions: { groupPathsBy: "tag", categoryLinkSource: "info", @@ -67,7 +83,7 @@ let openApiSpecsArray: ApiSpecDefinition[] = [ }, { id: "V1 Entity Resolution", - specPath: "./specs/entityresolution/entity_resolution.openapi.yaml", + specPath: path.join(specsDir, 'entityresolution/entity_resolution.openapi.yaml'), outputDir: `${OUTPUT_PREFIX}/entityresolution/v1`, url: 'https://raw.githubusercontent.com/opentdf/platform/refs/heads/main/docs/openapi/entityresolution/entity_resolution.openapi.yaml', sidebarOptions: { 
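Review bot: The `V2 Authorization` entry keeps `specPathModified` as a commented-out line where the old one was a live, documented example (`// Example of custom modified path:`); commented-out code that mirrors what the default branch of `preprocessOpenApiSpecs` now computes will drift from it unnoticed. Either delete the line or restore an explanatory comment above it, e.g. `// Optional explicit processed path; defaults to specs-processed/<path relative to specs/>`.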
@@ -77,7 +93,7 @@ let openApiSpecsArray: ApiSpecDefinition[] = [ }, { id: "V2 Entity Resolution", - specPath: "./specs/entityresolution/v2/entity_resolution.openapi.yaml", + specPath: path.join(specsDir, 'entityresolution/v2/entity_resolution.openapi.yaml'), outputDir: `${OUTPUT_PREFIX}/entityresolution/v2`, url: 'https://raw.githubusercontent.com/opentdf/platform/refs/heads/main/docs/openapi/entityresolution/v2/entity_resolution.openapi.yaml', sidebarOptions: { @@ -87,7 +103,7 @@ let openApiSpecsArray: ApiSpecDefinition[] = [ }, { id: "kas", - specPath: "./specs/kas/kas.openapi.yaml", + specPath: path.join(specsDir, 'kas/kas.openapi.yaml'), outputDir: `${OUTPUT_PREFIX}/kas`, url: 'https://raw.githubusercontent.com/opentdf/platform/refs/heads/main/docs/openapi/kas/kas.openapi.yaml', sidebarOptions: { 
@@ -95,7 +111,126 @@ let openApiSpecsArray: ApiSpecDefinition[] = [ categoryLinkSource: "info", }, }, - // Add more entries here for other OpenAPI specs + { + id: "Policy Objects", + specPath: path.join(specsDir, 'policy/objects.openapi.yaml'), + outputDir: `${OUTPUT_PREFIX}/policy`, + url: 'https://raw.githubusercontent.com/opentdf/platform/refs/heads/main/docs/openapi/policy/objects.openapi.yaml', + sidebarOptions: { + categoryLinkSource: "info", + groupPathsBy: "tagGroup", + }, + }, + { + id: "Key Management", + specPath: path.join(specsDir, 'policy/keymanagement/key_management.openapi.yaml'), + outputDir: `${OUTPUT_PREFIX}/policy/keymanagement`, + url: 'https://raw.githubusercontent.com/opentdf/platform/refs/heads/main/docs/openapi/policy/keymanagement/key_management.openapi.yaml', + sidebarOptions: { + categoryLinkSource: "info", + groupPathsBy: "tagGroup", + }, + }, + { + id: "Policy Resource Mapping", + specPath: path.join(specsDir, 'policy/resourcemapping/resource_mapping.openapi.yaml'), + outputDir: `${OUTPUT_PREFIX}/policy/resourcemapping`, + url: 'https://raw.githubusercontent.com/opentdf/platform/refs/heads/main/docs/openapi/policy/resourcemapping/resource_mapping.openapi.yaml', + sidebarOptions: { + categoryLinkSource: "info", + groupPathsBy: "tagGroup", + }, + }, + { + id: "Policy Namespaces", + specPath: path.join(specsDir, 'policy/namespaces/namespaces.openapi.yaml'), + outputDir: `${OUTPUT_PREFIX}/policy/namespaces`, + url: 'https://raw.githubusercontent.com/opentdf/platform/refs/heads/main/docs/openapi/policy/namespaces/namespaces.openapi.yaml', + sidebarOptions: { + categoryLinkSource: "info", + groupPathsBy: "tagGroup", + }, + }, + { + id: "Policy Attributes", + specPath: path.join(specsDir, 'policy/attributes/attributes.openapi.yaml'), + outputDir: `${OUTPUT_PREFIX}/policy/attributes`, + url: 'https://raw.githubusercontent.com/opentdf/platform/refs/heads/main/docs/openapi/policy/attributes/attributes.openapi.yaml', + sidebarOptions: { + 
categoryLinkSource: "info", + groupPathsBy: "tagGroup", + }, + }, + { + id: "Policy Unsafe Service", + specPath: path.join(specsDir, 'policy/unsafe/unsafe.openapi.yaml'), + outputDir: `${OUTPUT_PREFIX}/policy/unsafe`, + url: 'https://raw.githubusercontent.com/opentdf/platform/refs/heads/main/docs/openapi/policy/unsafe/unsafe.openapi.yaml', + sidebarOptions: { + categoryLinkSource: "info", + groupPathsBy: "tagGroup", + }, + }, + { + id: "Policy Actions", + specPath: path.join(specsDir, 'policy/actions/actions.openapi.yaml'), + outputDir: `${OUTPUT_PREFIX}/policy/actions`, + url: 'https://raw.githubusercontent.com/opentdf/platform/refs/heads/main/docs/openapi/policy/actions/actions.openapi.yaml', + sidebarOptions: { + categoryLinkSource: "info", + groupPathsBy: "tagGroup", + }, + }, + { + id: "Policy Registered Resources", + specPath: path.join(specsDir, 'policy/registeredresources/registered_resources.openapi.yaml'), + outputDir: `${OUTPUT_PREFIX}/policy/registeredresources`, + url: 'https://raw.githubusercontent.com/opentdf/platform/refs/heads/main/docs/openapi/policy/registeredresources/registered_resources.openapi.yaml', + sidebarOptions: { + categoryLinkSource: "info", + groupPathsBy: "tagGroup", + }, + }, + { + id: "Policy Subject Mapping", + specPath: path.join(specsDir, 'policy/subjectmapping/subject_mapping.openapi.yaml'), + outputDir: `${OUTPUT_PREFIX}/policy/subjectmapping`, + url: 'https://raw.githubusercontent.com/opentdf/platform/refs/heads/main/docs/openapi/policy/subjectmapping/subject_mapping.openapi.yaml', + sidebarOptions: { + groupPathsBy: "tag", + categoryLinkSource: "info", + }, + }, + { + id: "Policy KAS Registry", + specPath: path.join(specsDir, 'policy/kasregistry/key_access_server_registry.openapi.yaml'), + outputDir: `${OUTPUT_PREFIX}/policy/kasregistry`, + url: 'https://raw.githubusercontent.com/opentdf/platform/refs/heads/main/docs/openapi/policy/kasregistry/key_access_server_registry.openapi.yaml', + sidebarOptions: { + 
categoryLinkSource: "info", + groupPathsBy: "tagGroup", + }, + }, + { + id: "Policy Obligations", + specPath: path.join(specsDir, 'policy/obligations/obligations.openapi.yaml'), + outputDir: `${OUTPUT_PREFIX}/policy/obligations`, + url: 'https://raw.githubusercontent.com/opentdf/platform/refs/heads/main/docs/openapi/policy/obligations/obligations.openapi.yaml', + sidebarOptions: { + categoryLinkSource: "info", + groupPathsBy: "tagGroup", + }, + }, + { + id: "Policy Selectors", + specPath: path.join(specsDir, 'policy/selectors.openapi.yaml'), + outputDir: `${OUTPUT_PREFIX}/policy`, + url: 'https://raw.githubusercontent.com/opentdf/platform/refs/heads/main/docs/openapi/policy/selectors.openapi.yaml', + sidebarOptions: { + categoryLinkSource: "info", + groupPathsBy: "tagGroup", + }, + } ]; // Convert array to object keyed by id, omitting 'url' for Docusaurus config 
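Review bot: `Policy Objects` and `Policy Selectors` both set `outputDir` to `${OUTPUT_PREFIX}/policy`, so two specs are generated into, and `gen-api-docs-clean` cleans, the same directory; whichever is processed second overwrites any same-named generated file, and cleaning one spec's output removes the other's. Give each spec its own directory, e.g. `outputDir: \`${OUTPUT_PREFIX}/policy/objects\`` and `outputDir: \`${OUTPUT_PREFIX}/policy/selectors\``, or document why sharing is intended. Separately, every new `url` vendors from `refs/heads/main`, so `check-vendored-yaml` compares the checked-in specs against a moving branch head rather than a pinned revision; pinning to a tag or commit SHA would make the vendored content reproducible and reviewable. The hunk begins on the preceding lines.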
@@ -145,21 +280,21 @@ async function copySamplesToProcessedSpecs() { console.log('🔄 Ensuring sample files exist in "specs-processed" directory...'); - const processedDir = path.resolve(__dirname, 'specs-processed'); - fs.mkdirSync(processedDir, { recursive: true }); - + // Use canonical processed and source directories + fs.mkdirSync(specsProcessedDir, { recursive: true }); + // Handle petstore specifically - it has a downloadUrl - const petstorePath = path.resolve(__dirname, 'specs-processed/petstore.yaml'); - const petstoreSourcePath = path.resolve(__dirname, 'specs/petstore.yaml'); - + const petstorePath = path.join(specsProcessedDir, 'petstore.yaml'); + const petstoreSourcePath = path.join(specsDir, 'petstore.yaml'); + // Always copy from source directory, overwriting if it exists console.log(`Copying petstore spec from ${petstoreSourcePath}`); fs.copyFileSync(petstoreSourcePath, petstorePath); - + // Handle bookstore specifically - const bookstorePath = path.resolve(__dirname, 'specs-processed/bookstore.yaml'); - const bookstoreSourcePath = path.resolve(__dirname, 'specs/bookstore.yaml'); - + const bookstorePath = path.join(specsProcessedDir, 'bookstore.yaml'); + const bookstoreSourcePath = path.join(specsDir, 'bookstore.yaml'); + // Always copy from source directory, overwriting if it exists console.log(`Copying bookstore spec from ${bookstoreSourcePath}`); fs.copyFileSync(bookstoreSourcePath, bookstorePath); 
@@ -193,14 +328,14 @@ async function preprocessOpenApiSpecs() { // Generate modified path if not specified if (!spec.specPathModified) { - // Store processed files in a 'specs-processed' directory by default - spec.specPathModified = path.join( - parsedPath.dir.replace(/^\.\/specs/, './specs-processed'), - parsedPath.base - ); + // Extract the relative path from specsDir + const relativePath = path.relative(specsDir, spec.specPath); + + // Store processed files in 'specs-processed' directory while preserving the original directory structure + spec.specPathModified = path.join(specsProcessedDir, relativePath); } - const targetPath = path.resolve(__dirname, spec.specPathModified); + const targetPath = path.resolve(spec.specPathModified); console.log(`Processing: ${sourcePath} → ${targetPath}`); @@ -300,10 +435,6 @@ Expand each section in the navigation panel to access the OpenAPI documentation console.log('✨ OpenAPI preprocessing complete'); }; -// Execute the preprocessing function -preprocessOpenApiSpecs().catch(error => { - console.error('Failed to preprocess OpenAPI specs:', error); - process.exit(1); -}); -export { openApiSpecs, openApiSpecsArray }; \ No newline at end of file +// Export the function and data without automatically executing it +export { openApiSpecs, openApiSpecsArray, preprocessOpenApiSpecs }; \ No newline at end of file diff --git a/scripts/update-vendored-yaml.ts b/src/openapi/update-vendored-yaml.ts similarity index 86% rename from scripts/update-vendored-yaml.ts rename to src/openapi/update-vendored-yaml.ts index 3790d25..8f29513 100644 --- a/scripts/update-vendored-yaml.ts +++ b/src/openapi/update-vendored-yaml.ts 
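Review bot: `path.resolve(spec.specPathModified)` resolves a relative `specPathModified` against `process.cwd()`, whereas the removed line resolved it against `__dirname`; the default branch now yields absolute paths and is unaffected, but an entry that sets `specPathModified` explicitly (the interface still permits it) would be written to a location that depends on where `npm run` was invoked. `const targetPath = path.resolve(repoRoot, spec.specPathModified);` keeps a fixed anchor. The default branch also trusts `path.relative(specsDir, spec.specPath)`; a `specPath` outside `specsDir` gives a `../`-prefixed relative path and the processed file lands outside `specs-processed`, so a guard such as `if (relativePath.startsWith('..')) throw new Error('specPath must be under ' + specsDir + ': ' + spec.specPath);` keeps writes inside the tree. preprocessOpenApiSpecs continues outside the hunk.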
@@ -1,6 +1,9 @@ +/* +When making changes to this file, consider: https://virtru.atlassian.net/browse/DSPX-1577 +*/ import * as fs from 'fs'; import * as path from 'path'; -import { openApiSpecsArray } from '../preprocessing'; +import { openApiSpecsArray } from './preprocessing'; /** * Downloads the latest vendored OpenAPI YAML files from the upstream GitHub repository @@ -31,9 +34,8 @@ async function updateVendoredYaml() { for (const spec of openApiSpecsArray) { if (!spec.url) continue; // Only process specs with a URL - // Remove leading './' for specPath if present, and resolve relative to this script - const specPath = spec.specPath.replace(/^\.\//, '../'); - const absPath = path.resolve(__dirname, specPath); + // absPaths is the absolute path to the spec file + const absPath = spec.specPath; fs.mkdirSync(path.dirname(absPath), { recursive: true }); console.log(`⬇️ Downloading ${spec.url} → ${absPath}`); try {