Simplified information about the resources that were rotated as part of the key rotation process.
+ | provider_config_id |
+ string |
+ |
+ Optional
-
-
-
- | Field | Type | Label | Description |
-
-
+Configuration ID for the key provider, if applicable
+
- | id |
- string |
+ legacy |
+ bool |
|
- The unique identifier of the policy object |
+ Optional
+
+Whether the key is a legacy key |
- | fqn |
- string |
+ metadata |
+ common.MetadataMutable |
|
- The fully qualified name of the policy object |
+ Common metadata
+
+Mutable metadata for the key |
@@ -11101,8 +11556,8 @@ MappedPolicyObject
- RotateKeyRequest
-
+ CreateKeyResponse
+ Response to a CreateKeyRequest, containing the created asymmetric key
@@ -11112,24 +11567,10 @@ RotateKeyRequest
- | id |
- string |
- |
- Current Active Key UUID |
-
-
-
- | key |
- KasKeyIdentifier |
- |
- Alternative way to specify the active key using KAS ID and Key ID |
-
-
-
- | new_key |
- RotateKeyRequest.NewKey |
+ kas_key |
+ policy.KasKey |
|
- Information about the new key to be rotated in |
+ The created asymmetric key for a KAS. |
@@ -11139,8 +11580,8 @@ RotateKeyRequest
- RotateKeyRequest.NewKey
- Nested message for specifying the new key details
+ CreatePublicKeyRequest
+
@@ -11150,54 +11591,24 @@ RotateKeyRequest.NewKey
- | key_id |
+ kas_id |
string |
|
Required |
- | algorithm |
- policy.Algorithm |
- |
- Required |
-
-
-
- | key_mode |
- policy.KeyMode |
- |
- Required |
-
-
-
- | public_key_ctx |
- policy.PublicKeyCtx |
- |
- Required |
-
-
-
- | private_key_ctx |
- policy.PrivateKeyCtx |
- |
- Required |
-
-
-
- | provider_config_id |
- string |
+ key |
+ policy.KasPublicKey |
|
- Conditionally Required.
-
-Validation handled by message-level CEL |
+ Required |
| metadata |
common.MetadataMutable |
|
- Common metadata fields |
+ Common metadata |
@@ -11207,8 +11618,8 @@ RotateKeyRequest.NewKey
- RotateKeyResponse
- Response message for the RotateKey request
+ CreatePublicKeyResponse
+
@@ -11218,17 +11629,10 @@ RotateKeyResponse
- | kas_key |
- policy.KasKey |
- |
- The newly rotated Kas Key |
-
-
-
- | rotated_resources |
- RotatedResources |
+ key |
+ policy.Key |
|
- All resources that were rotated as part of the key rotation process |
+ |
@@ -11238,8 +11642,8 @@ RotateKeyResponse
- RotatedResources
- All resources that were rotated as part of the key rotation process
+ DeactivatePublicKeyRequest
+
@@ -11249,30 +11653,33 @@ RotatedResources
- | rotated_out_key |
- policy.KasKey |
+ id |
+ string |
|
- The old key that was rotated out |
-
-
-
- | attribute_definition_mappings |
- ChangeMappings |
- repeated |
|
-
- | attribute_value_mappings |
- ChangeMappings |
- repeated |
- |
-
+
+
+
+
+
+
+
+ DeactivatePublicKeyResponse
+
+
+
+
+
+ | Field | Type | Label | Description |
+
+
- | namespace_mappings |
- ChangeMappings |
- repeated |
+ key |
+ policy.Key |
+ |
|
@@ -11283,8 +11690,8 @@ RotatedResources
- SetBaseKeyRequest
- Sets the specified key as the base key for the Key Access Server Note: The key must be active.
+ DeleteKeyAccessServerRequest
+
@@ -11297,14 +11704,7 @@ SetBaseKeyRequest
id |
string |
|
- Current Key UUID tp be set as default |
-
-
-
- | key |
- KasKeyIdentifier |
- |
- Alternative way to specify the key using KAS ID and Key ID |
+ Required |
@@ -11314,7 +11714,7 @@ SetBaseKeyRequest
- SetBaseKeyResponse
+ DeleteKeyAccessServerResponse
@@ -11325,17 +11725,41 @@ SetBaseKeyResponse
- | new_base_key |
- policy.SimpleKasKey |
+ key_access_server |
+ policy.KeyAccessServer |
|
- The key that was set as base |
+ |
+
+
+
+
+
+
+
+ GetBaseKeyRequest
+
+
+
+
+
+
+ GetBaseKeyResponse
+
+
+
+
+
+ | Field | Type | Label | Description |
+
+
+
- | previous_base_key |
+ base_key |
policy.SimpleKasKey |
|
- The previous base key, if any |
+ The current base key |
@@ -11345,7 +11769,7 @@ SetBaseKeyResponse
- UpdateKeyAccessServerRequest
+ GetKeyAccessServerRequest
@@ -11359,53 +11783,102 @@ UpdateKeyAccessServerRe
| id |
string |
|
- Required |
+ Deprecated. Deprecated |
- | uri |
+ kas_id |
string |
|
- Optional |
+ option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field |
- | public_key |
- policy.PublicKey |
+ name |
+ string |
|
- Deprecated
-Optional |
+ |
- | source_type |
- policy.SourceType |
+ uri |
+ string |
|
- Optional
-Using UNSPECIFIED will result in a successful update,
-but will not actually update the underlying source.
-You should not update KAS's from INTERNAL/EXTERNAL
-to unspecified. |
+ |
+
+
+
+
+
+
+
+
+ Fields with deprecated option
+
+
+
+ | Name |
+ Option |
+
+
- | name |
- string |
+ id |
+ true |
+
+
+
+
+
+
+
+
+
+ GetKeyAccessServerResponse
+
+
+
+
+
+
+
+
+
+ GetKeyRequest
+ Retrieve an existing asymmetric key from the Key Management System
+
+
+
+
+ | Field | Type | Label | Description |
+
+
+
- | metadata |
- common.MetadataMutable |
+ id |
+ string |
|
- Optional
-Common metadata |
+ The unique identifier of the key to retrieve |
- | metadata_update_behavior |
- common.MetadataUpdateEnum |
+ key |
+ KasKeyIdentifier |
|
|
@@ -11417,8 +11890,8 @@ UpdateKeyAccessServerRe
- UpdateKeyAccessServerResponse
-
+ GetKeyResponse
+ Response to a GetKeyRequest, containing the requested asymmetric key
@@ -11428,10 +11901,10 @@ UpdateKeyAccessServerR
- | key_access_server |
- policy.KeyAccessServer |
+ kas_key |
+ policy.KasKey |
|
- |
+ The requested asymmetric key for a KAS. |
@@ -11441,8 +11914,8 @@ UpdateKeyAccessServerR
- UpdateKeyRequest
- Update an existing asymmetric key in the Key Management System
+ GetPublicKeyRequest
+
@@ -11455,26 +11928,31 @@ UpdateKeyRequest
id |
string |
|
- Required
-
-The unique identifier of the key to update |
+ |
-
- | metadata |
- common.MetadataMutable |
- |
- Optional
-Common metadata
+
+ |
-Mutable metadata for the key
-
+
+
+
+
+ GetPublicKeyResponse
+
+
+
+
+
+ | Field | Type | Label | Description |
+
+
- | metadata_update_behavior |
- common.MetadataUpdateEnum |
+ key |
+ policy.Key |
|
- The behavior for updating the metadata |
+ |
@@ -11484,8 +11962,8 @@ UpdateKeyRequest
- UpdateKeyResponse
- Response to an UpdateKeyRequest, containing the updated asymmetric key
+ GrantedPolicyObject
+ Can be namespace, attribute definition, or value
@@ -11495,10 +11973,17 @@ UpdateKeyResponse
- | kas_key |
- policy.KasKey |
+ id |
+ string |
|
- The updated kas key |
+ |
+
+
+
+ | fqn |
+ string |
+ |
+ |
@@ -11508,8 +11993,8 @@ UpdateKeyResponse
- UpdatePublicKeyRequest
-
+ KasKeyIdentifier
+ Nested message for specifying the active key using KAS ID and Key ID
@@ -11547,7 +12038,7 @@ UpdatePublicKeyRequest
- UpdatePublicKeyResponse
+ KasKeysSort
@@ -11558,274 +12049,156 @@ UpdatePublicKeyResponse
- | key |
- policy.Key |
+ field |
+ SortKasKeysType |
+ |
+ |
+
+
+
+ | direction |
+ policy.SortDirection |
|
|
-
-
-
-
-
-
-
-
- SortKasKeysType
-
-
-
- | Name | Number | Description |
-
-
-
-
- | SORT_KAS_KEYS_TYPE_UNSPECIFIED |
- 0 |
- |
-
-
-
- | SORT_KAS_KEYS_TYPE_KEY_ID |
- 1 |
- |
-
-
-
- | SORT_KAS_KEYS_TYPE_CREATED_AT |
- 2 |
- |
-
-
-
- | SORT_KAS_KEYS_TYPE_UPDATED_AT |
- 3 |
- |
-
-
-
-
-
- SortKeyAccessServersType
-
-
-
- | Name | Number | Description |
-
-
-
-
- | SORT_KEY_ACCESS_SERVERS_TYPE_UNSPECIFIED |
- 0 |
- |
-
-
-
- | SORT_KEY_ACCESS_SERVERS_TYPE_NAME |
- 1 |
- |
-
-
-
- | SORT_KEY_ACCESS_SERVERS_TYPE_URI |
- 2 |
- |
-
-
-
- | SORT_KEY_ACCESS_SERVERS_TYPE_CREATED_AT |
- 3 |
- |
-
-
-
- | SORT_KEY_ACCESS_SERVERS_TYPE_UPDATED_AT |
- 4 |
- |
-
-
-
-
-
-
-
-
-
- KeyAccessServerRegistryService
-
-
+
-
-
- Methods with deprecated option
-
+
+
+
+ KeyAccessServerGrants
+ Deprecated
+
+
+
+
+
-
-
- Methods with idempotency_level option
-
+
+
+
+
+
+
-
- | Method Name |
- Option |
-
+ | Field | Type | Label | Description |
-
-
- | ListKeyAccessServers |
- NO_SIDE_EFFECTS |
-
-
-
- | GetKeyAccessServer |
- NO_SIDE_EFFECTS |
-
-
-
- | ListKeyAccessServerGrants |
- NO_SIDE_EFFECTS |
-
-
+
+
+ | field |
+ SortKeyAccessServersType |
+ |
+ |
+
+
+
+ | direction |
+ policy.SortDirection |
+ |
+ |
+
+
+
+
-
-
- policy/keymanagement/key_management.protoTop
-
-
+ KeyMapping
+
+
+
+
+
+ | Field | Type | Label | Description |
+
+
+
+
+ | kid |
+ string |
+ |
+ |
+
+
+
+ | kas_uri |
+ string |
+ |
+ |
+
+
+
+ | namespace_mappings |
+ MappedPolicyObject |
+ repeated |
+ List of namespaces mapped to the key |
+
+
+
+ | attribute_mappings |
+ MappedPolicyObject |
+ repeated |
+ List of attribute definitions mapped to the key |
+
+
+
+ | value_mappings |
+ MappedPolicyObject |
+ repeated |
+ List of attribute values mapped to the key |
+
+
+
+
+
+
+
- CreateProviderConfigRequest
- Provider Configuration Requests and Response Messages
+ ListKeyAccessServerGrantsRequest
+ LIST of KAS Grants returns flat response of grants to all policy objects. It does not employ selectors for grants to specific policy objects or build the attribute tree relation. If grants to a known namespace, attribute, or value are needed, use the respective GET request to the specific policy object.
@@ -11835,34 +12208,40 @@ CreateProviderConfigRe
- | name |
+ kas_id |
string |
|
- Required
-The name of the key provider. (e.g. "AWS KMS Instance 1", "Google Cloud KMS Instance 2") |
+ Optional
+Filter LIST by ID of a registered Key Access Server.
+If neither is provided, grants from all registered KASs to policy attribute
+objects are returned. |
- | config_json |
- bytes |
+ kas_uri |
+ string |
|
- Required
-JSON configuration for the key provider. This is unique to individual key providers. |
+ Optional
+Filter LIST by URI of a registered Key Access Server.
+If none is provided, grants from all registered KASs to policy attribute
+objects are returned. |
- | manager |
+ kas_name |
string |
|
- Required
-The type of key manager (e.g. "aws", "gcp", "azure", "opentdf.io/basic") |
+ Optional
+Filter LIST by name of a registered Key Access Server.
+If none are provided, grants from all registered KASs to policy attribute
+objects are returned. |
- | metadata |
- common.MetadataMutable |
+ pagination |
+ policy.PageRequest |
|
- Common metadata |
+ Optional |
@@ -11872,8 +12251,8 @@ CreateProviderConfigRe
- CreateProviderConfigResponse
-
+ ListKeyAccessServerGrantsResponse
+ Deprecated
+
+
+ Fields with deprecated option
+
+
+
+ | Name |
+ Option |
+
+
+
+
+
+ | grants |
+ true |
+
+
+
+
+
+
- DeleteProviderConfigRequest
- In order to delete a provider configuration you must first delete all keys associated with the provider.
+ ListKeyAccessServersRequest
+
@@ -11907,10 +12314,21 @@ DeleteProviderConfigRe
- | id |
- string |
+ pagination |
+ policy.PageRequest |
|
- Required |
+ Optional |
+
+
+
+ | sort |
+ KeyAccessServersSort |
+ repeated |
+ Optional - CONSTRAINT: max 1 item
+Sort defaults:
+ - direction UNSPECIFIED defaults to DESC for the specified field
+ - field UNSPECIFIED defaults to created_at with the specified direction
+ - both UNSPECIFIED or sort omitted defaults to created_at DESC |
@@ -11920,7 +12338,7 @@ DeleteProviderConfigRe
- DeleteProviderConfigResponse
+ ListKeyAccessServersResponse
@@ -11931,8 +12349,15 @@ DeleteProviderConfigR
- | provider_config |
- policy.KeyProviderConfig |
+ key_access_servers |
+ policy.KeyAccessServer |
+ repeated |
+ |
+
+
+
+ | pagination |
+ policy.PageResponse |
|
|
@@ -11944,7 +12369,7 @@ DeleteProviderConfigR
- GetProviderConfigRequest
+ ListKeyMappingsRequest
@@ -11958,21 +12383,21 @@ GetProviderConfigRequest<
| id |
string |
|
- |
+ The unique identifier of the key to retrieve |
- | name |
- string |
+ key |
+ KasKeyIdentifier |
|
|
- | manager |
- string |
+ pagination |
+ policy.PageRequest |
|
- Optional - filter by manager type when searching by name |
+ Pagination request for the list of keys |
@@ -11982,7 +12407,7 @@ GetProviderConfigRequest<
- GetProviderConfigResponse
+ ListKeyMappingsResponse
@@ -11993,10 +12418,17 @@ GetProviderConfigRespons
- | provider_config |
- policy.KeyProviderConfig |
+ key_mappings |
+ KeyMapping |
+ repeated |
+ The list of key mappings |
+
+
+
+ | pagination |
+ policy.PageResponse |
|
- |
+ Pagination response for the list of keys |
@@ -12006,8 +12438,8 @@ GetProviderConfigRespons
- ListProviderConfigsRequest
-
+ ListKeysRequest
+ List all asymmetric keys managed by a specific Key Access Server or with a given algorithm
@@ -12016,11 +12448,61 @@ ListProviderConfigsRequ
+
+ | key_algorithm |
+ policy.Algorithm |
+ |
+ Filter keys by algorithm |
+
+
+
+ | kas_id |
+ string |
+ |
+ Filter keys by the KAS ID |
+
+
+
+ | kas_name |
+ string |
+ |
+ Filter keys by the KAS name |
+
+
+
+ | kas_uri |
+ string |
+ |
+ Filter keys by the KAS URI |
+
+
+
+ | legacy |
+ bool |
+ optional |
+ Optional
+
+Filter for legacy keys |
+
+
| pagination |
policy.PageRequest |
|
- Optional |
+ Optional
+
+Pagination request for the list of keys |
+
+
+
+ | sort |
+ KasKeysSort |
+ repeated |
+ Optional - CONSTRAINT: max 1 item
+Sort defaults:
+ - direction UNSPECIFIED defaults to DESC for the specified field
+ - field UNSPECIFIED defaults to created_at with the specified direction
+ - both UNSPECIFIED or sort omitted defaults to created_at DESC |
@@ -12030,8 +12512,8 @@ ListProviderConfigsRequ
- ListProviderConfigsResponse
-
+ ListKeysResponse
+ Response to a ListKeysRequest, containing the list of asymmetric keys and pagination information
@@ -12041,17 +12523,17 @@ ListProviderConfigsRes
- | provider_configs |
- policy.KeyProviderConfig |
+ kas_keys |
+ policy.KasKey |
repeated |
- |
+ The list of kas keys |
| pagination |
policy.PageResponse |
|
- |
+ Pagination response for the list of keys |
@@ -12061,7 +12543,7 @@ ListProviderConfigsRes
- UpdateProviderConfigRequest
+ ListPublicKeyMappingRequest
@@ -12072,46 +12554,38 @@ UpdateProviderConfigRe
- | id |
- string |
- |
- Required |
-
-
-
- | name |
+ kas_id |
string |
|
Optional |
- | config_json |
- bytes |
+ kas_name |
+ string |
|
Optional |
- | manager |
+ kas_uri |
string |
|
Optional |
- | metadata |
- common.MetadataMutable |
+ public_key_id |
+ string |
|
- Optional
-Common metadata |
+ Optional Public Key ID |
- | metadata_update_behavior |
- common.MetadataUpdateEnum |
+ pagination |
+ policy.PageRequest |
|
- |
+ Optional |
@@ -12121,7 +12595,7 @@ UpdateProviderConfigRe
- UpdateProviderConfigResponse
+ ListPublicKeyMappingResponse
@@ -12132,8 +12606,15 @@ UpdateProviderConfigR
- | provider_config |
- policy.KeyProviderConfig |
+ public_key_mappings |
+ ListPublicKeyMappingResponse.PublicKeyMapping |
+ repeated |
+ |
+
+
+
+ | pagination |
+ policy.PageResponse |
|
|
@@ -12145,70 +12626,8 @@ UpdateProviderConfigR
-
-
-
-
-
-
- KeyManagementService
+ ListPublicKeyMappingResponse.Association
-
-
-
-
-
-
- policy/namespaces/namespaces.protoTop
-
-
-
-
- AssignKeyAccessServerToNamespaceRequest
- Deprecated: utilize AssignPublicKeyToNamespaceRequest
@@ -12218,8 +12637,15 @@ AssignKeyAcce
- | namespace_key_access_server |
- NamespaceKeyAccessServer |
+ id |
+ string |
+ |
+ |
+
+
+
+ | fqn |
+ string |
|
|
@@ -12231,7 +12657,7 @@ AssignKeyAcce
- AssignKeyAccessServerToNamespaceResponse
+ ListPublicKeyMappingResponse.PublicKey
@@ -12242,33 +12668,30 @@
-
-
-
-
-
- AssignPublicKeyToNamespaceRequest
- Assign Key to Namespace
-
-
-
@@ -12303,7 +12747,7 @@ AssignPublicKeyToN
- CreateNamespaceRequest
+ ListPublicKeysRequest
@@ -12314,15 +12758,29 @@ CreateNamespaceRequest
- | name |
+ kas_id |
string |
|
- Required |
+ Optional |
- | metadata |
- common.MetadataMutable |
+ kas_name |
+ string |
+ |
+ Optional |
+
+
+
+ | kas_uri |
+ string |
+ |
+ Optional |
+
+
+
+ | pagination |
+ policy.PageRequest |
|
Optional |
@@ -12334,7 +12792,7 @@ CreateNamespaceRequest
- CreateNamespaceResponse
+ ListPublicKeysResponse
@@ -12345,8 +12803,15 @@ CreateNamespaceResponse
- | namespace |
- policy.Namespace |
+ keys |
+ policy.Key |
+ repeated |
+ |
+
+
+
+ | pagination |
+ policy.PageResponse |
|
|
@@ -12358,7 +12823,7 @@ CreateNamespaceResponse
- DeactivateNamespaceRequest
+ MappedPolicyObject
@@ -12372,7 +12837,14 @@ DeactivateNamespaceRequest
| id |
string |
|
- Required |
+ The unique identifier of the policy object |
+
+
+
+ | fqn |
+ string |
+ |
+ The fully qualified name of the policy object |
@@ -12382,14 +12854,7 @@ DeactivateNamespaceRequest
- DeactivateNamespaceResponse
-
-
-
-
-
-
- GetNamespaceRequest
+ RotateKeyRequest
@@ -12403,53 +12868,32 @@ GetNamespaceRequest
id |
string |
|
- Deprecated. Deprecated |
+ Current Active Key UUID |
- | namespace_id |
- string |
+ key |
+ KasKeyIdentifier |
|
- option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field |
+ Alternative way to specify the active key using KAS ID and Key ID |
- | fqn |
- string |
+ new_key |
+ RotateKeyRequest.NewKey |
|
- |
+ Information about the new key to be rotated in |
-
-
- Fields with deprecated option
-
-
-
- | Name |
- Option |
-
-
-
-
-
- | id |
- true |
-
-
-
-
-
-
- GetNamespaceResponse
-
+ RotateKeyRequest.NewKey
+ Nested message for specifying the new key details
@@ -12459,53 +12903,54 @@ GetNamespaceResponse
- | namespace |
- policy.Namespace |
+ key_id |
+ string |
|
- |
+ Required |
-
-
-
-
-
-
-
- ListNamespacesRequest
-
-
-
-
-
- | Field | Type | Label | Description |
-
-
+
+ | algorithm |
+ policy.Algorithm |
+ |
+ Required |
+
- | state |
- common.ActiveStateEnum |
+ key_mode |
+ policy.KeyMode |
|
- Optional
-ACTIVE by default when not specified |
+ Required |
- | pagination |
- policy.PageRequest |
+ public_key_ctx |
+ policy.PublicKeyCtx |
|
- Optional |
+ Required |
- | sort |
- NamespacesSort |
- repeated |
- Optional - CONSTRAINT: max 1 item
-Sort defaults:
- - direction UNSPECIFIED defaults to DESC for the specified field
- - field UNSPECIFIED defaults to created_at with the specified direction
- - both UNSPECIFIED or sort omitted defaults to created_at DESC |
+ private_key_ctx |
+ policy.PrivateKeyCtx |
+ |
+ Required |
+
+
+
+ | provider_config_id |
+ string |
+ |
+ Conditionally Required.
+
+Validation handled by message-level CEL |
+
+
+
+ | metadata |
+ common.MetadataMutable |
+ |
+ Common metadata fields |
@@ -12515,8 +12960,8 @@ ListNamespacesRequest
- ListNamespacesResponse
-
+ RotateKeyResponse
+ Response message for the RotateKey request
@@ -12526,17 +12971,17 @@ ListNamespacesResponse
- | namespaces |
- policy.Namespace |
- repeated |
- |
+ kas_key |
+ policy.KasKey |
+ |
+ The newly rotated Kas Key |
- | pagination |
- policy.PageResponse |
+ rotated_resources |
+ RotatedResources |
|
- |
+ All resources that were rotated as part of the key rotation process |
@@ -12546,8 +12991,8 @@ ListNamespacesResponse
- NamespaceKey
-
+ RotatedResources
+ All resources that were rotated as part of the key rotation process
@@ -12557,17 +13002,31 @@ NamespaceKey
- | namespace_id |
- string |
+ rotated_out_key |
+ policy.KasKey |
|
- Required |
+ The old key that was rotated out |
- | key_id |
- string |
- |
- Required (The id from the Asymmetric Key object) |
+ attribute_definition_mappings |
+ ChangeMappings |
+ repeated |
+ |
+
+
+
+ | attribute_value_mappings |
+ ChangeMappings |
+ repeated |
+ |
+
+
+
+ | namespace_mappings |
+ ChangeMappings |
+ repeated |
+ |
@@ -12577,8 +13036,8 @@ NamespaceKey
- NamespaceKeyAccessServer
- Deprecated
+ SetBaseKeyRequest
+ Sets the specified key as the base key for the Key Access Server Note: The key must be active.
@@ -12588,17 +13047,17 @@ NamespaceKeyAccessServer
- | namespace_id |
+ id |
string |
|
- Required |
+ Current Key UUID tp be set as default |
- | key_access_server_id |
- string |
+ key |
+ KasKeyIdentifier |
|
- Required |
+ Alternative way to specify the key using KAS ID and Key ID |
@@ -12608,7 +13067,7 @@ NamespaceKeyAccessServerNamespacesSort
+ SetBaseKeyResponse
@@ -12619,17 +13078,17 @@ NamespacesSort
- | field |
- SortNamespacesType |
+ new_base_key |
+ policy.SimpleKasKey |
|
- |
+ The key that was set as base |
- | direction |
- policy.SortDirection |
+ previous_base_key |
+ policy.SimpleKasKey |
|
- |
+ The previous base key, if any |
@@ -12639,8 +13098,8 @@ NamespacesSort
- RemoveKeyAccessServerFromNamespaceRequest
- Deprecated: utilize RemovePublicKeyFromNamespaceRequest
+ UpdateKeyAccessServerRequest
+
@@ -12650,8 +13109,56 @@ RemoveKeyAc
- | namespace_key_access_server |
- NamespaceKeyAccessServer |
+ id |
+ string |
+ |
+ Required |
+
+
+
+ | uri |
+ string |
+ |
+ Optional |
+
+
+
+ | public_key |
+ policy.PublicKey |
+ |
+ Deprecated
+Optional |
+
+
+
+ | source_type |
+ policy.SourceType |
+ |
+ Optional
+Using UNSPECIFIED will result in a successful update,
+but will not actually update the underlying source.
+You should not update KAS's from INTERNAL/EXTERNAL
+to unspecified. |
+
+
+
+ | name |
+ string |
+ |
+ Optional |
+
+
+
+ | metadata |
+ common.MetadataMutable |
+ |
+ Optional
+Common metadata |
+
+
+
+ | metadata_update_behavior |
+ common.MetadataUpdateEnum |
|
|
@@ -12663,7 +13170,7 @@ RemoveKeyAc
- RemoveKeyAccessServerFromNamespaceResponse
+ UpdateKeyAccessServerResponse
@@ -12674,8 +13181,8 @@ RemoveKeyA
- | namespace_key_access_server |
- NamespaceKeyAccessServer |
+ key_access_server |
+ policy.KeyAccessServer |
|
|
@@ -12687,8 +13194,8 @@ RemoveKeyA
- RemovePublicKeyFromNamespaceRequest
-
+ UpdateKeyRequest
+ Update an existing asymmetric key in the Key Management System
@@ -12698,10 +13205,29 @@ RemovePublicKeyFr
- | namespace_key |
- NamespaceKey |
+ id |
+ string |
|
- |
+ Required
+
+The unique identifier of the key to update |
+
+
+
+ | metadata |
+ common.MetadataMutable |
+ |
+ Optional
+Common metadata
+
+Mutable metadata for the key |
+
+
+
+ | metadata_update_behavior |
+ common.MetadataUpdateEnum |
+ |
+ The behavior for updating the metadata |
@@ -12711,8 +13237,8 @@ RemovePublicKeyFr
- RemovePublicKeyFromNamespaceResponse
-
+ UpdateKeyResponse
+ Response to an UpdateKeyRequest, containing the updated asymmetric key
@@ -12722,10 +13248,10 @@ RemovePublicKeyF
- | namespace_key |
- NamespaceKey |
+ kas_key |
+ policy.KasKey |
|
- |
+ The updated kas key |
@@ -12735,7 +13261,7 @@ RemovePublicKeyF
- UpdateNamespaceRequest
+ UpdatePublicKeyRequest
@@ -12756,7 +13282,8 @@ UpdateNamespaceRequest
metadata |
common.MetadataMutable |
|
- Optional |
+ Optional
+Common metadata |
@@ -12773,7 +13300,7 @@ UpdateNamespaceRequest
- UpdateNamespaceResponse
+ UpdatePublicKeyResponse
@@ -12784,8 +13311,8 @@ UpdateNamespaceResponse
- | namespace |
- policy.Namespace |
+ key |
+ policy.Key |
|
|
@@ -12799,7 +13326,7 @@ UpdateNamespaceResponse
- SortNamespacesType
+ SortKasKeysType
@@ -12808,31 +13335,66 @@ SortNamespacesType
- | SORT_NAMESPACES_TYPE_UNSPECIFIED |
+ SORT_KAS_KEYS_TYPE_UNSPECIFIED |
0 |
|
- | SORT_NAMESPACES_TYPE_NAME |
+ SORT_KAS_KEYS_TYPE_KEY_ID |
1 |
|
- | SORT_NAMESPACES_TYPE_FQN |
+ SORT_KAS_KEYS_TYPE_CREATED_AT |
2 |
|
- | SORT_NAMESPACES_TYPE_CREATED_AT |
+ SORT_KAS_KEYS_TYPE_UPDATED_AT |
3 |
|
+
+
+
+ SortKeyAccessServersType
+
+
+
+ | Name | Number | Description |
+
+
+
- | SORT_NAMESPACES_TYPE_UPDATED_AT |
+ SORT_KEY_ACCESS_SERVERS_TYPE_UNSPECIFIED |
+ 0 |
+ |
+
+
+
+ | SORT_KEY_ACCESS_SERVERS_TYPE_NAME |
+ 1 |
+ |
+
+
+
+ | SORT_KEY_ACCESS_SERVERS_TYPE_URI |
+ 2 |
+ |
+
+
+
+ | SORT_KEY_ACCESS_SERVERS_TYPE_CREATED_AT |
+ 3 |
+ |
+
+
+
+ | SORT_KEY_ACCESS_SERVERS_TYPE_UPDATED_AT |
4 |
|
@@ -12844,7 +13406,7 @@ SortNamespacesType
- NamespaceService
+ KeyAccessServerRegistryService
@@ -12853,68 +13415,102 @@ NamespaceService
- | GetNamespace |
- GetNamespaceRequest |
- GetNamespaceResponse |
+ ListKeyAccessServers |
+ ListKeyAccessServersRequest |
+ ListKeyAccessServersResponse |
|
- | ListNamespaces |
- ListNamespacesRequest |
- ListNamespacesResponse |
+ GetKeyAccessServer |
+ GetKeyAccessServerRequest |
+ GetKeyAccessServerResponse |
|
- | CreateNamespace |
- CreateNamespaceRequest |
- CreateNamespaceResponse |
+ CreateKeyAccessServer |
+ CreateKeyAccessServerRequest |
+ CreateKeyAccessServerResponse |
|
- | UpdateNamespace |
- UpdateNamespaceRequest |
- UpdateNamespaceResponse |
+ UpdateKeyAccessServer |
+ UpdateKeyAccessServerRequest |
+ UpdateKeyAccessServerResponse |
|
- | DeactivateNamespace |
- DeactivateNamespaceRequest |
- DeactivateNamespaceResponse |
+ DeleteKeyAccessServer |
+ DeleteKeyAccessServerRequest |
+ DeleteKeyAccessServerResponse |
|
- | AssignKeyAccessServerToNamespace |
- AssignKeyAccessServerToNamespaceRequest |
- AssignKeyAccessServerToNamespaceResponse |
- Deprecated: utilize AssignPublicKeyToNamespace |
+ ListKeyAccessServerGrants |
+ ListKeyAccessServerGrantsRequest |
+ ListKeyAccessServerGrantsResponse |
+ Deprecated |
+
+
+
+ | CreateKey |
+ CreateKeyRequest |
+ CreateKeyResponse |
+ KAS Key Management
+Request to create a new key in the Key Access Service. |
+
+
+
+ | GetKey |
+ GetKeyRequest |
+ GetKeyResponse |
+ Request to retrieve a key from the Key Access Service. |
+
+
+
+ | ListKeys |
+ ListKeysRequest |
+ ListKeysResponse |
+ Request to list keys in the Key Access Service. |
+
+
+
+ | UpdateKey |
+ UpdateKeyRequest |
+ UpdateKeyResponse |
+ Request to update a key in the Key Access Service. |
+
+
+
+ | RotateKey |
+ RotateKeyRequest |
+ RotateKeyResponse |
+ Request to rotate a key in the Key Access Service. |
- | RemoveKeyAccessServerFromNamespace |
- RemoveKeyAccessServerFromNamespaceRequest |
- RemoveKeyAccessServerFromNamespaceResponse |
- Deprecated: utilize RemovePublicKeyFromNamespace |
+ SetBaseKey |
+ SetBaseKeyRequest |
+ SetBaseKeyResponse |
+ Request to set the default a default kas key. |
- | AssignPublicKeyToNamespace |
- AssignPublicKeyToNamespaceRequest |
- AssignPublicKeyToNamespaceResponse |
- --------------------------------------*
-Namespace <> Key RPCs
---------------------------------------- |
+ GetBaseKey |
+ GetBaseKeyRequest |
+ GetBaseKeyResponse |
+ Get Default kas keys |
- | RemovePublicKeyFromNamespace |
- RemovePublicKeyFromNamespaceRequest |
- RemovePublicKeyFromNamespaceResponse |
- |
+ ListKeyMappings |
+ ListKeyMappingsRequest |
+ ListKeyMappingsResponse |
+ Request to list key mappings in the Key Access Service. |
@@ -12934,12 +13530,7 @@ Methods with deprecated option
- | AssignKeyAccessServerToNamespace |
- true |
-
-
-
- | RemoveKeyAccessServerFromNamespace |
+ ListKeyAccessServerGrants |
true |
@@ -12960,12 +13551,17 @@ Methods with idempotency_level option
- | GetNamespace |
+ ListKeyAccessServers |
NO_SIDE_EFFECTS |
- | ListNamespaces |
+ GetKeyAccessServer |
+ NO_SIDE_EFFECTS |
+
+
+
+ | ListKeyAccessServerGrants |
NO_SIDE_EFFECTS |
@@ -12974,224 +13570,15 @@ Methods with idempotency_level option
-
-
- policy/obligations/obligations.protoTop
-
-
-
-
- AddObligationTriggerRequest
- Obligation Triggers are owned by the namespace that owns the action and attribute value, which must be the same. In this way, a trigger can intentionally cross namespace boundaries: associating obligation values of a different namespace than the one that owns the action being taken or the attribute value.
-
-
-
-
-
-
-
-
- AddObligationTriggerResponse
-
-
-
-
-
-
-
-
-
- CreateObligationRequest
-
-
-
-
-
- | Field | Type | Label | Description |
-
-
-
-
- | namespace_id |
- string |
- |
- |
-
-
-
- | namespace_fqn |
- string |
- |
- |
-
-
-
- | name |
- string |
- |
- |
-
-
-
- | values |
- string |
- repeated |
- Optional |
-
-
-
- | metadata |
- common.MetadataMutable |
- |
- Optional
-Common metadata |
-
-
-
-
-
-
-
-
-
- CreateObligationResponse
-
-
-
-
-
-
-
-
-
- CreateObligationValueRequest
-
-
-
-
-
- | Field | Type | Label | Description |
-
-
-
-
- | obligation_id |
- string |
- |
- |
-
-
-
- | obligation_fqn |
- string |
- |
- |
-
-
-
- | value |
- string |
- |
- |
-
-
-
- | triggers |
- ValueTriggerRequest |
- repeated |
- Optional
-Combination of action and attribute_value that will trigger this obligation value policy decisioning. |
-
-
-
- | metadata |
- common.MetadataMutable |
- |
- Optional
-Common metadata |
-
-
-
-
-
-
+
+
+ policy/keymanagement/key_management.protoTop
+
+
-
- CreateObligationValueResponse
-
+ CreateProviderConfigRequest
+ Provider Configuration Requests and Response Messages
@@ -13201,41 +13588,34 @@ CreateObligationValueR
- | value |
- policy.ObligationValue |
+ name |
+ string |
|
- |
+ Required
+The name of the key provider. (e.g. "AWS KMS Instance 1", "Google Cloud KMS Instance 2") |
-
-
-
-
-
-
-
- DeleteObligationRequest
-
-
-
-
-
- | Field | Type | Label | Description |
-
-
+
+ | config_json |
+ bytes |
+ |
+ Required
+JSON configuration for the key provider. This is unique to individual key providers. |
+
- | id |
+ manager |
string |
|
- |
+ Required
+The type of key manager (e.g. "aws", "gcp", "azure", "opentdf.io/basic") |
- | fqn |
- string |
+ metadata |
+ common.MetadataMutable |
|
- |
+ Common metadata |
@@ -13245,7 +13625,7 @@ DeleteObligationRequest
- DeleteObligationResponse
+ CreateProviderConfigResponse
@@ -13256,8 +13636,8 @@ DeleteObligationResponse
- | obligation |
- policy.Obligation |
+ provider_config |
+ policy.KeyProviderConfig |
|
|
@@ -13269,8 +13649,8 @@ DeleteObligationResponseDeleteObligationValueRequest
-
+ DeleteProviderConfigRequest
+ In order to delete a provider configuration you must first delete all keys associated with the provider.
@@ -13283,14 +13663,7 @@ DeleteObligationValueRe
| id |
string |
|
- |
-
-
-
- | fqn |
- string |
- |
- |
+ Required |
@@ -13300,7 +13673,7 @@ DeleteObligationValueRe
- DeleteObligationValueResponse
+ DeleteProviderConfigResponse
@@ -13311,8 +13684,8 @@ DeleteObligationValueR
- | value |
- policy.ObligationValue |
+ provider_config |
+ policy.KeyProviderConfig |
|
|
@@ -13324,7 +13697,7 @@ DeleteObligationValueR
- GetObligationRequest
+ GetProviderConfigRequest
@@ -13342,12 +13715,19 @@ GetObligationRequest
- | fqn |
+ name |
string |
|
|
+
+ | manager |
+ string |
+ |
+ Optional - filter by manager type when searching by name |
+
+
@@ -13355,7 +13735,7 @@ GetObligationRequest
- GetObligationResponse
+ GetProviderConfigResponse
@@ -13366,8 +13746,8 @@ GetObligationResponse
- | obligation |
- policy.Obligation |
+ provider_config |
+ policy.KeyProviderConfig |
|
|
@@ -13379,8 +13759,8 @@ GetObligationResponse
- GetObligationTriggerRequest
- Triggers
+ ListProviderConfigsRequest
+
@@ -13390,10 +13770,10 @@ GetObligationTriggerRequ
- | id |
- string |
+ pagination |
+ policy.PageRequest |
|
- Required |
+ Optional |
@@ -13403,7 +13783,7 @@ GetObligationTriggerRequ
- GetObligationTriggerResponse
+ ListProviderConfigsResponse
@@ -13414,8 +13794,15 @@ GetObligationTriggerRes
- | trigger |
- policy.ObligationTrigger |
+ provider_configs |
+ policy.KeyProviderConfig |
+ repeated |
+ |
+
+
+
+ | pagination |
+ policy.PageResponse |
|
|
@@ -13427,8 +13814,8 @@ GetObligationTriggerRes
- GetObligationValueRequest
- Values
+ UpdateProviderConfigRequest
+
@@ -13441,13 +13828,42 @@ GetObligationValueRequest<
| id |
string |
|
- |
+ Required |
- | fqn |
+ name |
+ string |
+ |
+ Optional |
+
+
+
+ | config_json |
+ bytes |
+ |
+ Optional |
+
+
+
+ | manager |
string |
|
+ Optional |
+
+
+
+ | metadata |
+ common.MetadataMutable |
+ |
+ Optional
+Common metadata |
+
+
+
+ | metadata_update_behavior |
+ common.MetadataUpdateEnum |
+ |
|
@@ -13458,7 +13874,7 @@ GetObligationValueRequest<
- GetObligationValueResponse
+ UpdateProviderConfigResponse
@@ -13469,8 +13885,8 @@ GetObligationValueRespons
- | value |
- policy.ObligationValue |
+ provider_config |
+ policy.KeyProviderConfig |
|
|
@@ -13482,8 +13898,70 @@ GetObligationValueRespons
- GetObligationValuesByFQNsRequest
+
+
+
+
+
+
+ KeyManagementService
+
+
+
+
+
+
+ policy/namespaces/namespaces.protoTop
+
+
+
+
+ AssignKeyAccessServerToNamespaceRequest
+ Deprecated: utilize AssignPublicKeyToNamespaceRequest
@@ -13493,9 +13971,9 @@ GetObligationValues
- | fqns |
- string |
- repeated |
+ namespace_key_access_server |
+ NamespaceKeyAccessServer |
+ |
|
@@ -13506,7 +13984,7 @@ GetObligationValues
- GetObligationValuesByFQNsResponse
+ AssignKeyAccessServerToNamespaceResponse
@@ -13517,9 +13995,9 @@ GetObligationValue
- | fqn_value_map |
- GetObligationValuesByFQNsResponse.FqnValueMapEntry |
- repeated |
+ namespace_key_access_server |
+ NamespaceKeyAccessServer |
+ |
|
@@ -13530,8 +14008,8 @@ GetObligationValue
- GetObligationValuesByFQNsResponse.FqnValueMapEntry
-
+ AssignPublicKeyToNamespaceRequest
+ Assign Key to Namespace
@@ -13541,15 +14019,32 @@
+
+
+
+
+
+ AssignPublicKeyToNamespaceResponse
+
+
+
+
+
+ | Field | Type | Label | Description |
+
+
+
- | value |
- policy.ObligationValue |
+ namespace_key |
+ NamespaceKey |
|
|
@@ -13561,7 +14056,7 @@ G
- GetObligationsByFQNsRequest
+ CreateNamespaceRequest
@@ -13572,10 +14067,17 @@ GetObligationsByFQNsRequ
- | fqns |
+ name |
string |
- repeated |
- |
+ |
+ Required |
+
+
+
+ | metadata |
+ common.MetadataMutable |
+ |
+ Optional |
@@ -13585,7 +14087,7 @@ GetObligationsByFQNsRequ
- GetObligationsByFQNsResponse
+ CreateNamespaceResponse
@@ -13596,9 +14098,9 @@ GetObligationsByFQNsRes
- | fqn_obligation_map |
- GetObligationsByFQNsResponse.FqnObligationMapEntry |
- repeated |
+ namespace |
+ policy.Namespace |
+ |
|
@@ -13609,7 +14111,7 @@ GetObligationsByFQNsRes
- GetObligationsByFQNsResponse.FqnObligationMapEntry
+ DeactivateNamespaceRequest
@@ -13620,17 +14122,10 @@ G
- | key |
+ id |
string |
|
- |
-
-
-
- | value |
- policy.Obligation |
- |
- |
+ Required |
@@ -13640,7 +14135,14 @@ G
- ListObligationTriggersRequest
+ DeactivateNamespaceResponse
+
+
+
+
+
+
+ GetNamespaceRequest
@@ -13651,34 +14153,55 @@ ListObligationTriggers
- | namespace_id |
+ id |
string |
|
- |
+ Deprecated. Deprecated |
- | namespace_fqn |
+ namespace_id |
string |
|
- |
+ option (buf.validate.oneof).required = true; // TODO: enable this when we remove the deprecated field |
- | pagination |
- policy.PageRequest |
+ fqn |
+ string |
|
- Optional |
+ |
+
+
+ Fields with deprecated option
+
+
+
+ | Name |
+ Option |
+
+
+
+
+
+ | id |
+ true |
+
+
+
+
+
+
- ListObligationTriggersResponse
+ GetNamespaceResponse
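Review bot: The description rendered for `namespace_id` in GetNamespaceRequest is a commented-out validation option plus a TODO (`option (buf.validate.oneof).required = true; // TODO: enable this ...`) rather than field documentation, and `id` reads `Deprecated. Deprecated`. Most likely the disabled option sits in the comment block directly above the field in the proto source, which this hunk does not show. Separating it from the field comment and writing something like `Identify the namespace by namespace_id or fqn; id is deprecated` would fix the page. Because the TODO says the oneof requirement is not enabled yet, it is worth confirming that the handler rejects a request that sets none of `id`, `namespace_id` and `fqn`.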
@@ -13689,15 +14212,8 @@ ListObligationTrigger
- | triggers |
- policy.ObligationTrigger |
- repeated |
- |
-
-
-
- | pagination |
- policy.PageResponse |
+ namespace |
+ policy.Namespace |
|
|
@@ -13709,7 +14225,7 @@ ListObligationTrigger
- ListObligationsRequest
+ ListNamespacesRequest
@@ -13720,17 +14236,11 @@ ListObligationsRequest
- | namespace_id |
- string |
- |
- |
-
-
-
- | namespace_fqn |
- string |
+ state |
+ common.ActiveStateEnum |
|
- |
+ Optional
+ACTIVE by default when not specified |
@@ -13742,7 +14252,7 @@ ListObligationsRequest
| sort |
- ObligationsSort |
+ NamespacesSort |
repeated |
Optional - CONSTRAINT: max 1 item
Sort defaults:
@@ -13758,7 +14268,7 @@ ListObligationsRequest
- ListObligationsResponse
+ ListNamespacesResponse
@@ -13769,8 +14279,8 @@ ListObligationsResponse
|
- | obligations |
- policy.Obligation |
+ namespaces |
+ policy.Namespace |
repeated |
|
@@ -13789,7 +14299,7 @@ ListObligationsResponse
- ObligationsSort
+ NamespaceKey
@@ -13800,17 +14310,17 @@ ObligationsSort
- | field |
- SortObligationsType |
+ namespace_id |
+ string |
|
- |
+ Required |
- | direction |
- policy.SortDirection |
+ key_id |
+ string |
|
- |
+ Required (The id from the Asymmetric Key object) |
@@ -13820,8 +14330,8 @@ ObligationsSort
- RemoveObligationTriggerRequest
-
+ NamespaceKeyAccessServer
+ Deprecated
@@ -13831,7 +14341,14 @@ RemoveObligationTrigg
- | id |
+ namespace_id |
+ string |
+ |
+ Required |
+
+
+
+ | key_access_server_id |
string |
|
Required |
@@ -13844,7 +14361,7 @@ RemoveObligationTrigg
- RemoveObligationTriggerResponse
+ NamespacesSort
@@ -13855,8 +14372,15 @@ RemoveObligationTrig
- | trigger |
- policy.ObligationTrigger |
+ field |
+ SortNamespacesType |
+ |
+ |
+
+
+
+ | direction |
+ policy.SortDirection |
|
|
@@ -13868,8 +14392,8 @@ RemoveObligationTrig
- UpdateObligationRequest
-
+ RemoveKeyAccessServerFromNamespaceRequest
+ Deprecated: utilize RemovePublicKeyFromNamespaceRequest
@@ -13879,29 +14403,8 @@ UpdateObligationRequest
- | id |
- string |
- |
- Required |
-
-
-
- | name |
- string |
- |
- Optional |
-
-
-
- | metadata |
- common.MetadataMutable |
- |
- |
-
-
-
- | metadata_update_behavior |
- common.MetadataUpdateEnum |
+ namespace_key_access_server |
+ NamespaceKeyAccessServer |
|
|
@@ -13913,7 +14416,7 @@ UpdateObligationRequest
- UpdateObligationResponse
+ RemoveKeyAccessServerFromNamespaceResponse
@@ -13924,8 +14427,8 @@ UpdateObligationResponse
- | obligation |
- policy.Obligation |
+ namespace_key_access_server |
+ NamespaceKeyAccessServer |
|
|
@@ -13937,7 +14440,7 @@ UpdateObligationResponseUpdateObligationValueRequest
+ RemovePublicKeyFromNamespaceRequest
@@ -13948,38 +14451,32 @@ UpdateObligationValueRe
- | id |
- string |
- |
- Required |
-
-
-
- | value |
- string |
+ namespace_key |
+ NamespaceKey |
|
- Optional |
-
-
-
- | triggers |
- ValueTriggerRequest |
- repeated |
- Optional
-Obligation Triggers provided here will replace all existing records in the database. |
+ |
-
- | metadata |
- common.MetadataMutable |
- |
- Optional
-Common metadata |
-
+
+
+
+
+
+
+
+ RemovePublicKeyFromNamespaceResponse
+
+
+
+
+
+ | Field | Type | Label | Description |
+
+
- | metadata_update_behavior |
- common.MetadataUpdateEnum |
+ namespace_key |
+ NamespaceKey |
|
|
@@ -13991,7 +14488,7 @@ UpdateObligationValueRe
- UpdateObligationValueResponse
+ UpdateNamespaceRequest
@@ -14002,8 +14499,22 @@ UpdateObligationValueR
- | value |
- policy.ObligationValue |
+ id |
+ string |
+ |
+ Required |
+
+
+
+ | metadata |
+ common.MetadataMutable |
+ |
+ Optional |
+
+
+
+ | metadata_update_behavior |
+ common.MetadataUpdateEnum |
|
|
@@ -14015,7 +14526,7 @@ UpdateObligationValueR
- ValueTriggerRequest
+ UpdateNamespaceResponse
@@ -14026,24 +14537,10 @@ ValueTriggerRequest
- | action |
- common.IdNameIdentifier |
- |
- Required. The ID of the action that will trigger this obligation value policy decisioning. |
-
-
-
- | attribute_value |
- common.IdFqnIdentifier |
- |
- Required. The attribute value ID that will trigger this obligation value policy decisioning. |
-
-
-
- | context |
- policy.RequestContext |
+ namespace |
+ policy.Namespace |
|
- Optional. The request context for this obligation value policy decisioning. |
+ |
@@ -14055,7 +14552,7 @@ ValueTriggerRequest
- SortObligationsType
+ SortNamespacesType
@@ -14064,31 +14561,31 @@ SortObligationsType
- | SORT_OBLIGATIONS_TYPE_UNSPECIFIED |
+ SORT_NAMESPACES_TYPE_UNSPECIFIED |
0 |
|
- | SORT_OBLIGATIONS_TYPE_NAME |
+ SORT_NAMESPACES_TYPE_NAME |
1 |
|
- | SORT_OBLIGATIONS_TYPE_FQN |
+ SORT_NAMESPACES_TYPE_FQN |
2 |
|
- | SORT_OBLIGATIONS_TYPE_CREATED_AT |
+ SORT_NAMESPACES_TYPE_CREATED_AT |
3 |
|
- | SORT_OBLIGATIONS_TYPE_UPDATED_AT |
+ SORT_NAMESPACES_TYPE_UPDATED_AT |
4 |
|
@@ -14100,8 +14597,8 @@ SortObligationsType
- Service
- Obligation Service /
+ NamespaceService
+
| Method Name | Request Type | Response Type | Description |
@@ -14109,107 +14606,67 @@ Service
- | ListObligations |
- ListObligationsRequest |
- ListObligationsResponse |
- |
-
-
-
- | GetObligation |
- GetObligationRequest |
- GetObligationResponse |
- |
-
-
-
- | GetObligationsByFQNs |
- GetObligationsByFQNsRequest |
- GetObligationsByFQNsResponse |
- |
-
-
-
- | CreateObligation |
- CreateObligationRequest |
- CreateObligationResponse |
- |
-
-
-
- | UpdateObligation |
- UpdateObligationRequest |
- UpdateObligationResponse |
- |
-
-
-
- | DeleteObligation |
- DeleteObligationRequest |
- DeleteObligationResponse |
- |
-
-
-
- | GetObligationValue |
- GetObligationValueRequest |
- GetObligationValueResponse |
+ GetNamespace |
+ GetNamespaceRequest |
+ GetNamespaceResponse |
|
- | GetObligationValuesByFQNs |
- GetObligationValuesByFQNsRequest |
- GetObligationValuesByFQNsResponse |
+ ListNamespaces |
+ ListNamespacesRequest |
+ ListNamespacesResponse |
|
- | CreateObligationValue |
- CreateObligationValueRequest |
- CreateObligationValueResponse |
+ CreateNamespace |
+ CreateNamespaceRequest |
+ CreateNamespaceResponse |
|
- | UpdateObligationValue |
- UpdateObligationValueRequest |
- UpdateObligationValueResponse |
+ UpdateNamespace |
+ UpdateNamespaceRequest |
+ UpdateNamespaceResponse |
|
- | DeleteObligationValue |
- DeleteObligationValueRequest |
- DeleteObligationValueResponse |
+ DeactivateNamespace |
+ DeactivateNamespaceRequest |
+ DeactivateNamespaceResponse |
|
- | GetObligationTrigger |
- GetObligationTriggerRequest |
- GetObligationTriggerResponse |
- |
+ AssignKeyAccessServerToNamespace |
+ AssignKeyAccessServerToNamespaceRequest |
+ AssignKeyAccessServerToNamespaceResponse |
+ Deprecated: utilize AssignPublicKeyToNamespace |
- | AddObligationTrigger |
- AddObligationTriggerRequest |
- AddObligationTriggerResponse |
- |
+ RemoveKeyAccessServerFromNamespace |
+ RemoveKeyAccessServerFromNamespaceRequest |
+ RemoveKeyAccessServerFromNamespaceResponse |
+ Deprecated: utilize RemovePublicKeyFromNamespace |
- | RemoveObligationTrigger |
- RemoveObligationTriggerRequest |
- RemoveObligationTriggerResponse |
- |
+ AssignPublicKeyToNamespace |
+ AssignPublicKeyToNamespaceRequest |
+ AssignPublicKeyToNamespaceResponse |
+ --------------------------------------*
+Namespace <> Key RPCs
+--------------------------------------- |
- | ListObligationTriggers |
- ListObligationTriggersRequest |
- ListObligationTriggersResponse |
+ RemovePublicKeyFromNamespace |
+ RemovePublicKeyFromNamespaceRequest |
+ RemovePublicKeyFromNamespaceResponse |
|
@@ -14219,7 +14676,7 @@ Service
- Methods with idempotency_level option
+ Methods with deprecated option
@@ -14230,37 +14687,38 @@ Methods with idempotency_level option
- | ListObligations |
- NO_SIDE_EFFECTS |
-
-
-
- | GetObligation |
- NO_SIDE_EFFECTS |
-
-
-
- | GetObligationsByFQNs |
- NO_SIDE_EFFECTS |
+ AssignKeyAccessServerToNamespace |
+ true |
- | GetObligationValue |
- NO_SIDE_EFFECTS |
+ RemoveKeyAccessServerFromNamespace |
+ true |
+
+
+
+
+
+
+ Methods with idempotency_level option
+
+
- | GetObligationValuesByFQNs |
- NO_SIDE_EFFECTS |
+ Method Name |
+ Option |
+
+
- | GetObligationTrigger |
+ GetNamespace |
NO_SIDE_EFFECTS |
- | ListObligationTriggers |
+ ListNamespaces |
NO_SIDE_EFFECTS |
@@ -14271,13 +14729,13 @@ Methods with idempotency_level option
- policy/registeredresources/registered_resources.protoTop
+ policy/obligations/obligations.protoTop
- ActionAttributeValue
-
+ AddObligationTriggerRequest
+ Obligation Triggers are owned by the namespace that owns the action and attribute value, which must be the same. In this way, a trigger can intentionally cross namespace boundaries: associating obligation values of a different namespace than the one that owns the action being taken or the attribute value.
+
+
+
+
+
+ AddObligationTriggerResponse
+
+
+
+
+
+ | Field | Type | Label | Description |
+
+
+
+
+ | trigger |
+ policy.ObligationTrigger |
|
|
@@ -14321,7 +14812,7 @@ ActionAttributeValueCreateRegisteredResourceRequest
+ CreateObligationRequest
@@ -14332,33 +14823,31 @@ CreateRegist
- | name |
+ namespace_id |
string |
|
- Required |
+ |
- | values |
+ namespace_fqn |
string |
- repeated |
- Optional
-Registered Resource Values (when provided) must be alphanumeric strings, allowing hyphens and underscores but not as the first or last character.
-The stored value will be normalized to lower case. |
+ |
+ |
- | namespace_id |
+ name |
string |
|
|
- | namespace_fqn |
+ values |
string |
- |
- |
+ repeated |
+ Optional |
@@ -14376,7 +14865,7 @@ CreateRegist
- CreateRegisteredResourceResponse
+ CreateObligationResponse
@@ -14387,8 +14876,8 @@ CreateRegis
- | resource |
- policy.RegisteredResource |
+ obligation |
+ policy.Obligation |
|
|
@@ -14400,7 +14889,7 @@ CreateRegis
- CreateRegisteredResourceValueRequest
+ CreateObligationValueRequest
@@ -14411,26 +14900,32 @@ CreateR
- | resource_id |
+ obligation_id |
string |
|
- Required |
+ |
+
+
+
+ | obligation_fqn |
+ string |
+ |
+ |
| value |
string |
|
- Required |
+ |
- | action_attribute_values |
- ActionAttributeValue |
+ triggers |
+ ValueTriggerRequest |
repeated |
Optional
-The associated Action <> AttributeValue combinations to be utilized in authorization/entitlement decisioning
-(i.e. action read -> attribute value https://example.com/attr/department/value/marketing) |
+Combination of action and attribute_value that will trigger this obligation value policy decisioning.
@@ -14448,7 +14943,7 @@ CreateR
- CreateRegisteredResourceValueResponse
+ CreateObligationValueResponse
@@ -14460,7 +14955,7 @@ Create
| value |
- policy.RegisteredResourceValue |
+ policy.ObligationValue |
|
|
@@ -14472,7 +14967,7 @@ Create
- DeleteRegisteredResourceRequest
+ DeleteObligationRequest
@@ -14486,7 +14981,14 @@ DeleteRegist
| id |
string |
|
- Required |
+ |
+
+
+
+ | fqn |
+ string |
+ |
+ |
@@ -14496,7 +14998,7 @@ DeleteRegist
- DeleteRegisteredResourceResponse
+ DeleteObligationResponse
@@ -14507,8 +15009,8 @@ DeleteRegis
- | resource |
- policy.RegisteredResource |
+ obligation |
+ policy.Obligation |
|
|
@@ -14520,7 +15022,7 @@ DeleteRegis
- DeleteRegisteredResourceValueRequest
+ DeleteObligationValueRequest
@@ -14534,7 +15036,14 @@ DeleteR
| id |
string |
|
- Required |
+ |
+
+
+
+ | fqn |
+ string |
+ |
+ |
@@ -14544,7 +15053,7 @@ DeleteR
- DeleteRegisteredResourceValueResponse
+ DeleteObligationValueResponse
@@ -14556,7 +15065,7 @@
@@ -14586,24 +15095,58 @@ GetRegisteredRe
- | name |
+ fqn |
string |
|
|
+
+
+
+
+
+
+
+ GetObligationResponse
+
+
+
+
+
+
+
+
+
+ GetObligationTriggerRequest
+ Triggers
+
+
+
+
+ | Field | Type | Label | Description |
+
+
+
- | namespace_id |
+ id |
string |
|
- |
+ Required |
@@ -14613,7 +15156,7 @@ GetRegisteredRe
- GetRegisteredResourceResponse
+ GetObligationTriggerResponse
@@ -14624,8 +15167,8 @@ GetRegisteredR
- | resource |
- policy.RegisteredResource |
+ trigger |
+ policy.ObligationTrigger |
|
|
@@ -14637,8 +15180,8 @@ GetRegisteredR
- GetRegisteredResourceValueRequest
-
+ GetObligationValueRequest
+ Values
@@ -14668,7 +15211,7 @@ GetRegiste
- GetRegisteredResourceValueResponse
+ GetObligationValueResponse
@@ -14680,7 +15223,7 @@ GetRegist
| value |
- policy.RegisteredResourceValue |
+ policy.ObligationValue |
|
|
@@ -14692,7 +15235,7 @@ GetRegist
- GetRegisteredResourceValuesByFQNsRequest
+ GetObligationValuesByFQNsRequest
@@ -14706,7 +15249,7 @@ Get
| fqns |
string |
repeated |
- Required |
+ |
@@ -14716,7 +15259,7 @@ Get
- GetRegisteredResourceValuesByFQNsResponse
+ GetObligationValuesByFQNsResponse
@@ -14728,7 +15271,7 @@ Ge
| fqn_value_map |
- GetRegisteredResourceValuesByFQNsResponse.FqnValueMapEntry |
+ GetObligationValuesByFQNsResponse.FqnValueMapEntry |
repeated |
|
@@ -14740,7 +15283,7 @@ Ge
- GetRegisteredResourceValuesByFQNsResponse.FqnValueMapEntry
+ GetObligationValuesByFQNsResponse.FqnValueMapEntry
@@ -14759,7 +15302,7 @@ policy.RegisteredResourceValue
+ | policy.ObligationValue |
|
|
@@ -14771,7 +15314,7 @@ ListRegisteredResourceValuesRequest
+ GetObligationsByFQNsRequest
@@ -14782,10 +15325,96 @@ ListRegi
- | resource_id |
+ fqns |
+ string |
+ repeated |
+ |
+
+
+
+
+
+
+
+
+
+ GetObligationsByFQNsResponse
+
+
+
+
+
+
+
+
+
+ GetObligationsByFQNsResponse.FqnObligationMapEntry
+
+
+
+
+
+
+
+
+
+ ListObligationTriggersRequest
+
+
+
+
+
+ | Field | Type | Label | Description |
+
+
+
+
+ | namespace_id |
+ string |
+ |
+ |
+
+
+
+ | namespace_fqn |
+ string |
+ |
+ |
@@ -14802,7 +15431,7 @@ ListRegi
- ListRegisteredResourceValuesResponse
+ ListObligationTriggersResponse
@@ -14813,8 +15442,8 @@ ListReg
- | values |
- policy.RegisteredResourceValue |
+ triggers |
+ policy.ObligationTrigger |
repeated |
|
@@ -14833,7 +15462,7 @@ ListReg
- ListRegisteredResourcesRequest
+ ListObligationsRequest
@@ -14866,7 +15495,7 @@ ListRegistere
| sort |
- RegisteredResourcesSort |
+ ObligationsSort |
repeated |
Optional - CONSTRAINT: max 1 item
Sort defaults:
@@ -14882,7 +15511,7 @@ ListRegistere
- ListRegisteredResourcesResponse
+ ListObligationsResponse
@@ -14893,8 +15522,8 @@ ListRegister
- | resources |
- policy.RegisteredResource |
+ obligations |
+ policy.Obligation |
repeated |
|
@@ -14913,7 +15542,7 @@ ListRegister
- RegisteredResourcesSort
+ ObligationsSort
@@ -14925,7 +15554,7 @@ RegisteredResourcesS
| field |
- SortRegisteredResourcesType |
+ SortObligationsType |
|
|
@@ -14944,7 +15573,55 @@ RegisteredResourcesS
- UpdateRegisteredResourceRequest
+ RemoveObligationTriggerRequest
+
+
+
+
+
+ | Field | Type | Label | Description |
+
+
+
+
+ | id |
+ string |
+ |
+ Required |
+
+
+
+
+
+
+
+
+
+ RemoveObligationTriggerResponse
+
+
+
+
+
+
+
+
+
+ UpdateObligationRequest
@@ -14972,8 +15649,7 @@ UpdateRegist
| metadata |
common.MetadataMutable |
|
- Optional
-Common metadata |
+ |
@@ -14990,7 +15666,7 @@ UpdateRegist
- UpdateRegisteredResourceResponse
+ UpdateObligationResponse
@@ -15001,8 +15677,8 @@ UpdateRegis
- | resource |
- policy.RegisteredResource |
+ obligation |
+ policy.Obligation |
|
|
@@ -15014,7 +15690,7 @@ UpdateRegis
- UpdateRegisteredResourceValueRequest
+ UpdateObligationValueRequest
@@ -15039,11 +15715,11 @@ UpdateR
- | action_attribute_values |
- ActionAttributeValue |
+ triggers |
+ ValueTriggerRequest |
repeated |
Optional
-Action Attribute Values provided here will replace all existing records in the database. To delete all action attribute values, set this field to an empty list. |
+Obligation Triggers provided here will replace all existing records in the database.
@@ -15068,7 +15744,7 @@ UpdateR
- UpdateRegisteredResourceValueResponse
+ UpdateObligationValueResponse
@@ -15080,7 +15756,7 @@ Update
| value |
- policy.RegisteredResourceValue |
+ policy.ObligationValue |
|
|
@@ -15092,9 +15768,47 @@ Update
+ ValueTriggerRequest
+
+
+
+
+
+ | Field | Type | Label | Description |
+
+
+
+
+ | action |
+ common.IdNameIdentifier |
+ |
+ Required. The ID of the action that will trigger this obligation value policy decisioning. |
+
+
+
+ | attribute_value |
+ common.IdFqnIdentifier |
+ |
+ Required. The attribute value ID that will trigger this obligation value policy decisioning. |
+
+
+
+ | context |
+ policy.RequestContext |
+ |
+ Optional. The request context for this obligation value policy decisioning. |
+
+
+
+
+
+
+
+
+
- SortRegisteredResourcesType
+ SortObligationsType
@@ -15103,29 +15817,35 @@ SortRegisteredRe
- | SORT_REGISTERED_RESOURCES_TYPE_UNSPECIFIED |
+ SORT_OBLIGATIONS_TYPE_UNSPECIFIED |
0 |
|
- | SORT_REGISTERED_RESOURCES_TYPE_NAME |
+ SORT_OBLIGATIONS_TYPE_NAME |
1 |
|
- | SORT_REGISTERED_RESOURCES_TYPE_CREATED_AT |
+ SORT_OBLIGATIONS_TYPE_FQN |
2 |
|
- | SORT_REGISTERED_RESOURCES_TYPE_UPDATED_AT |
+ SORT_OBLIGATIONS_TYPE_CREATED_AT |
3 |
|
+
+ | SORT_OBLIGATIONS_TYPE_UPDATED_AT |
+ 4 |
+ |
+
+
@@ -15133,8 +15853,8 @@ SortRegisteredRe
- RegisteredResourcesService
- Registered Resources
+ Service
+ Obligation Service /
+
+
+
+
+ Methods with idempotency_level option
+
-
+
+ |
+
- policy/resourcemapping/resource_mapping.protoTop
+ policy/registeredresources/registered_resources.protoTop
- CreateResourceMappingGroupRequest
+ ActionAttributeValue
@@ -15241,12 +16040,50 @@ CreateResource
- | namespace_id |
+ action_id |
string |
|
- Required |
+ |
+
+
+
+ | action_name |
+ string |
+ |
+ |
+
+
+
+ | attribute_value_id |
+ string |
+ |
+ |
+
+
+
+ | attribute_value_fqn |
+ string |
+ |
+ |
+
+
+
+
+
+
+
+ CreateRegisteredResourceRequest
+
+
+
+
+
+ | Field | Type | Label | Description |
+
+
+
| name |
string |
@@ -15254,11 +16091,35 @@ CreateResource
Required |
+
+ | values |
+ string |
+ repeated |
+ Optional
+Registered Resource Values (when provided) must be alphanumeric strings, allowing hyphens and underscores but not as the first or last character.
+The stored value will be normalized to lower case. |
+
+
+
+ | namespace_id |
+ string |
+ |
+ |
+
+
+
+ | namespace_fqn |
+ string |
+ |
+ |
+
+
| metadata |
common.MetadataMutable |
|
- Common metadata |
+ Optional
+Common metadata |
@@ -15268,7 +16129,7 @@ CreateResource
- CreateResourceMappingGroupResponse
+ CreateRegisteredResourceResponse
@@ -15279,8 +16140,8 @@ CreateResourc
- | resource_mapping_group |
- policy.ResourceMappingGroup |
+ resource |
+ policy.RegisteredResource |
|
|
@@ -15292,7 +16153,7 @@ CreateResourc
- CreateResourceMappingRequest
+ CreateRegisteredResourceValueRequest
@@ -15303,31 +16164,34 @@ CreateResourceMappi
- | attribute_value_id |
+ resource_id |
string |
|
Required |
- | terms |
+ value |
string |
- repeated |
+ |
Required |
- | group_id |
- string |
- |
- Optional |
+ action_attribute_values |
+ ActionAttributeValue |
+ repeated |
+ Optional
+The associated Action <> AttributeValue combinations to be utilized in authorization/entitlement decisioning
+(i.e. action read -> attribute value https://example.com/attr/department/value/marketing) |
| metadata |
common.MetadataMutable |
|
- Optional |
+ Optional
+Common metadata |
@@ -15337,7 +16201,7 @@ CreateResourceMappi
- CreateResourceMappingResponse
+ CreateRegisteredResourceValueResponse
@@ -15348,8 +16212,8 @@ CreateResourceMapp
- | resource_mapping |
- policy.ResourceMapping |
+ value |
+ policy.RegisteredResourceValue |
|
|
@@ -15361,7 +16225,7 @@ CreateResourceMapp
- DeleteResourceMappingGroupRequest
+ DeleteRegisteredResourceRequest
@@ -15385,7 +16249,7 @@ DeleteResource
- DeleteResourceMappingGroupResponse
+ DeleteRegisteredResourceResponse
@@ -15396,8 +16260,8 @@ DeleteResourc
- | resource_mapping_group |
- policy.ResourceMappingGroup |
+ resource |
+ policy.RegisteredResource |
|
|
@@ -15409,7 +16273,7 @@ DeleteResourc
- DeleteResourceMappingRequest
+ DeleteRegisteredResourceValueRequest
@@ -15433,7 +16297,7 @@ DeleteResourceMappi
- DeleteResourceMappingResponse
+ DeleteRegisteredResourceValueResponse
@@ -15444,8 +16308,8 @@ DeleteResourceMapp
- | resource_mapping |
- policy.ResourceMapping |
+ value |
+ policy.RegisteredResourceValue |
|
|
@@ -15457,7 +16321,7 @@ DeleteResourceMapp
- GetResourceMappingGroupRequest
+ GetRegisteredResourceRequest
@@ -15471,7 +16335,28 @@ GetResourceMappin
| id |
string |
|
- Required |
+ |
+
+
+
+ | name |
+ string |
+ |
+ |
+
+
+
+ | namespace_fqn |
+ string |
+ |
+ |
+
+
+
+ | namespace_id |
+ string |
+ |
+ |
@@ -15481,7 +16366,7 @@ GetResourceMappin
- GetResourceMappingGroupResponse
+ GetRegisteredResourceResponse
@@ -15492,8 +16377,8 @@ GetResourceMappi
- | resource_mapping_group |
- policy.ResourceMappingGroup |
+ resource |
+ policy.RegisteredResource |
|
|
@@ -15505,7 +16390,7 @@ GetResourceMappi
- GetResourceMappingRequest
+ GetRegisteredResourceValueRequest
@@ -15519,7 +16404,14 @@ GetResourceMappingRequ
| id |
string |
|
- Required |
+ |
+
+
+
+ | fqn |
+ string |
+ |
+ |
@@ -15529,7 +16421,7 @@ GetResourceMappingRequ
- GetResourceMappingResponse
+ GetRegisteredResourceValueResponse
@@ -15540,8 +16432,8 @@ GetResourceMappingRes
- | resource_mapping |
- policy.ResourceMapping |
+ value |
+ policy.RegisteredResourceValue |
|
|
@@ -15553,7 +16445,7 @@ GetResourceMappingRes
- ListResourceMappingGroupsRequest
+ GetRegisteredResourceValuesByFQNsRequest
@@ -15564,17 +16456,10 @@ ListResourceMap
- | namespace_id |
+ fqns |
string |
- |
- Optional |
-
-
-
- | pagination |
- policy.PageRequest |
- |
- Optional |
+ repeated |
+ Required |
@@ -15584,7 +16469,7 @@ ListResourceMap
- ListResourceMappingGroupsResponse
+ GetRegisteredResourceValuesByFQNsResponse
@@ -15595,19 +16480,12 @@ ListResourceMa
- | resource_mapping_groups |
- policy.ResourceMappingGroup |
+ fqn_value_map |
+ GetRegisteredResourceValuesByFQNsResponse.FqnValueMapEntry |
repeated |
|
-
- | pagination |
- policy.PageResponse |
- |
- |
-
-
@@ -15615,7 +16493,7 @@ ListResourceMa
- ListResourceMappingsByGroupFqnsRequest
+ GetRegisteredResourceValuesByFQNsResponse.FqnValueMapEntry
@@ -15626,11 +16504,17 @@ ListResou
- | fqns |
- string |
- repeated |
- Required
-Structure of the RM Group FQN is 'https://<namespace>/resm/<group name>' |
+ key |
+ string |
+ |
+ |
+
+
+
+ | value |
+ policy.RegisteredResourceValue |
+ |
+ |
@@ -15640,7 +16524,7 @@ ListResou
- ListResourceMappingsByGroupFqnsResponse
+ ListRegisteredResourceValuesRequest
@@ -15651,10 +16535,17 @@ ListReso
- | fqn_resource_mapping_groups |
- ListResourceMappingsByGroupFqnsResponse.FqnResourceMappingGroupsEntry |
- repeated |
- |
+ resource_id |
+ string |
+ |
+ Optional |
+
+
+
+ | pagination |
+ policy.PageRequest |
+ |
+ Optional |
@@ -15664,7 +16555,7 @@ ListReso
- ListResourceMappingsByGroupFqnsResponse.FqnResourceMappingGroupsEntry
+ ListRegisteredResourceValuesResponse
@@ -15675,15 +16566,15 @@ string
- |
+ values |
+ policy.RegisteredResourceValue |
+ repeated |
|
- | value |
- ResourceMappingsByGroup |
+ pagination |
+ policy.PageResponse |
|
|
@@ -15695,7 +16586,7 @@ ListResourceMappingsRequest
+ ListRegisteredResourcesRequest
@@ -15706,10 +16597,17 @@ ListResourceMappings
- | group_id |
+ namespace_id |
string |
|
- Optional |
+ |
+
+
+
+ | namespace_fqn |
+ string |
+ |
+ |
@@ -15719,6 +16617,17 @@ ListResourceMappings
Optional |
+
+ | sort |
+ RegisteredResourcesSort |
+ repeated |
+ Optional - CONSTRAINT: max 1 item
+Sort defaults:
+ - direction UNSPECIFIED defaults to DESC for the specified field
+ - field UNSPECIFIED defaults to created_at with the specified direction
+ - both UNSPECIFIED or sort omitted defaults to created_at DESC |
+
+
@@ -15726,7 +16635,7 @@ ListResourceMappings
- ListResourceMappingsResponse
+ ListRegisteredResourcesResponse
@@ -15737,8 +16646,8 @@ ListResourceMapping
- | resource_mappings |
- policy.ResourceMapping |
+ resources |
+ policy.RegisteredResource |
repeated |
|
@@ -15757,7 +16666,7 @@ ListResourceMapping
- ResourceMappingsByGroup
+ RegisteredResourcesSort
@@ -15768,16 +16677,16 @@ ResourceMappingsByGroup<
- | group |
- policy.ResourceMappingGroup |
+ field |
+ SortRegisteredResourcesType |
|
|
- | mappings |
- policy.ResourceMapping |
- repeated |
+ direction |
+ policy.SortDirection |
+ |
|
@@ -15788,7 +16697,7 @@ ResourceMappingsByGroup<
- UpdateResourceMappingGroupRequest
+ UpdateRegisteredResourceRequest
@@ -15805,13 +16714,6 @@ UpdateResource
Required |
-
- | namespace_id |
- string |
- |
- Optional |
-
-
| name |
string |
@@ -15823,7 +16725,8 @@ UpdateResource
| metadata |
common.MetadataMutable |
|
- Common metadata |
+ Optional
+Common metadata |
@@ -15840,7 +16743,7 @@ UpdateResource
- UpdateResourceMappingGroupResponse
+ UpdateRegisteredResourceResponse
@@ -15851,8 +16754,8 @@ UpdateResourc
- | resource_mapping_group |
- policy.ResourceMappingGroup |
+ resource |
+ policy.RegisteredResource |
|
|
@@ -15864,7 +16767,7 @@ UpdateResourc
- UpdateResourceMappingRequest
+ UpdateRegisteredResourceValueRequest
@@ -15882,24 +16785,18 @@ UpdateResourceMappi
- | attribute_value_id |
+ value |
string |
|
Optional |
- | terms |
- string |
+ action_attribute_values |
+ ActionAttributeValue |
repeated |
- Optional |
-
-
-
- | group_id |
- string |
- |
- Optional |
+ Optional
+Action Attribute Values provided here will replace all existing records in the database. To delete all action attribute values, set this field to an empty list. |
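Review bot: The `action_attribute_values` description in UpdateRegisteredResourceValueRequest marks the field `Optional` and also says an empty list deletes every existing record. A plain `repeated` field cannot express both, because an omitted field and an empty list look identical to the server. Unless the handler has another presence signal that this page does not show, an update that only changes `value` would also clear the action and attribute-value pairs that the Create request describes as used in authorization/entitlement decisioning. The comment should state which behaviour applies, e.g. `Optional. When non-empty, replaces all existing action attribute values; omitting the field leaves them unchanged`, and document the explicit way to clear them. The same replace-all wording appears for `triggers` in UpdateObligationValueRequest.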
@@ -15907,7 +16804,7 @@ UpdateResourceMappi
| common.MetadataMutable |
|
Optional
-Common Metadata |
+Common metadata
@@ -15924,7 +16821,7 @@ UpdateResourceMappi
- UpdateResourceMappingResponse
+ UpdateRegisteredResourceValueResponse
@@ -15935,8 +16832,8 @@ UpdateResourceMapp
- | resource_mapping |
- policy.ResourceMapping |
+ value |
+ policy.RegisteredResourceValue |
|
|
@@ -15950,149 +16847,143 @@ UpdateResourceMapp
-
-
-
-
- ResourceMappingService
- Resource Mapping Groups
+ SortRegisteredResourcesType
+
+
+
+
+
+
+ RegisteredResourcesService
+ Registered Resources
+
-
-
-
-
- Methods with idempotency_level option
-
-
+
+
+
- policy/subjectmapping/subject_mapping.protoTop
+ policy/resourcemapping/resource_mapping.protoTop
- CreateSubjectConditionSetRequest
+ CreateResourceMappingGroupRequest
@@ -16103,24 +16994,24 @@ CreateSubjectCon
- | subject_condition_set |
- SubjectConditionSetCreate |
+ namespace_id |
+ string |
|
- |
+ Required |
- | namespace_id |
+ name |
string |
|
- |
+ Required |
- | namespace_fqn |
- string |
+ metadata |
+ common.MetadataMutable |
|
- |
+ Common metadata |
@@ -16130,7 +17021,7 @@ CreateSubjectCon
- CreateSubjectConditionSetResponse
+ CreateResourceMappingGroupResponse
@@ -16141,8 +17032,8 @@ CreateSubjectCo
- | subject_condition_set |
- policy.SubjectConditionSet |
+ resource_mapping_group |
+ policy.ResourceMappingGroup |
|
|
@@ -16154,7 +17045,7 @@ CreateSubjectCo
- CreateSubjectMappingRequest
+ CreateResourceMappingRequest
@@ -16168,46 +17059,21 @@ CreateSubjectMappingR
| attribute_value_id |
string |
|
- Required
-Attribute Value to be mapped to |
-
-
-
- | actions |
- policy.Action |
- repeated |
- Required
-The actions permitted by subjects in this mapping |
-
-
-
- | existing_subject_condition_set_id |
- string |
- |
- Either of the following:
-Reuse existing SubjectConditionSet (NOTE: prioritized over new_subject_condition_set) |
-
-
-
- | new_subject_condition_set |
- SubjectConditionSetCreate |
- |
- Create new SubjectConditionSet (NOTE: ignored if existing_subject_condition_set_id is provided) |
+ Required |
- | namespace_id |
+ terms |
string |
- |
- Optional
-Namespace ID or FQN for the subject mapping |
+ repeated |
+ Required |
- | namespace_fqn |
+ group_id |
string |
|
- |
+ Optional |
@@ -16224,7 +17090,7 @@ CreateSubjectMappingR
- CreateSubjectMappingResponse
+ CreateResourceMappingResponse
@@ -16235,8 +17101,8 @@ CreateSubjectMapping
- | subject_mapping |
- policy.SubjectMapping |
+ resource_mapping |
+ policy.ResourceMapping |
|
|
@@ -16248,38 +17114,7 @@ CreateSubjectMapping
- DeleteAllUnmappedSubjectConditionSetsRequest
- Prune any Subject Condition Sets not utilized within a Subject Mapping
-
-
-
-
-
- DeleteAllUnmappedSubjectConditionSetsResponse
-
-
-
-
-
- | Field | Type | Label | Description |
-
-
-
-
- | subject_condition_sets |
- policy.SubjectConditionSet |
- repeated |
- Only IDs of any deleted Subject Condition Set provided |
-
-
-
-
-
-
-
-
-
- DeleteSubjectConditionSetRequest
+ DeleteResourceMappingGroupRequest
@@ -16303,7 +17138,7 @@ DeleteSubjectCon
- DeleteSubjectConditionSetResponse
+ DeleteResourceMappingGroupResponse
@@ -16314,10 +17149,10 @@ DeleteSubjectCo
- | subject_condition_set |
- policy.SubjectConditionSet |
+ resource_mapping_group |
+ policy.ResourceMappingGroup |
|
- Only ID of deleted Subject Condition Set provided |
+ |
@@ -16327,7 +17162,7 @@ DeleteSubjectCo
- DeleteSubjectMappingRequest
+ DeleteResourceMappingRequest
@@ -16351,7 +17186,7 @@ DeleteSubjectMappingR
- DeleteSubjectMappingResponse
+ DeleteResourceMappingResponse
@@ -16362,10 +17197,10 @@ DeleteSubjectMapping
- | subject_mapping |
- policy.SubjectMapping |
+ resource_mapping |
+ policy.ResourceMapping |
|
- Only ID of the updated Subject Mapping provided |
+ |
@@ -16375,7 +17210,7 @@ DeleteSubjectMapping
- GetSubjectConditionSetRequest
+ GetResourceMappingGroupRequest
@@ -16399,7 +17234,7 @@ GetSubjectCondition
- GetSubjectConditionSetResponse
+ GetResourceMappingGroupResponse
@@ -16410,19 +17245,12 @@ GetSubjectConditio
- | subject_condition_set |
- policy.SubjectConditionSet |
+ resource_mapping_group |
+ policy.ResourceMappingGroup |
|
|
-
- | associated_subject_mappings |
- policy.SubjectMapping |
- repeated |
- contextualized Subject Mappings associated with this SubjectConditionSet |
-
-
@@ -16430,7 +17258,7 @@ GetSubjectConditio
- GetSubjectMappingRequest
+ GetResourceMappingRequest
@@ -16454,7 +17282,7 @@ GetSubjectMappingRequest
- GetSubjectMappingResponse
+ GetResourceMappingResponse
@@ -16465,8 +17293,8 @@ GetSubjectMappingRespon
- | subject_mapping |
- policy.SubjectMapping |
+ resource_mapping |
+ policy.ResourceMapping |
|
|
@@ -16478,7 +17306,7 @@ GetSubjectMappingRespon
- ListSubjectConditionSetsRequest
+ ListResourceMappingGroupsRequest
@@ -16492,14 +17320,7 @@ ListSubjectCondit
| namespace_id |
string |
|
- |
-
-
-
- | namespace_fqn |
- string |
- |
- |
+ Optional |
@@ -16509,17 +17330,6 @@ ListSubjectCondit
Optional |
-
- | sort |
- SubjectConditionSetsSort |
- repeated |
- Optional - CONSTRAINT: max 1 item
-Sort defaults:
- - direction UNSPECIFIED defaults to DESC for the specified field
- - field UNSPECIFIED defaults to created_at with the specified direction
- - both UNSPECIFIED or sort omitted defaults to created_at DESC |
-
-
@@ -16527,7 +17337,7 @@ ListSubjectCondit
- ListSubjectConditionSetsResponse
+ ListResourceMappingGroupsResponse
@@ -16538,8 +17348,8 @@ ListSubjectCondi
- | subject_condition_sets |
- policy.SubjectConditionSet |
+ resource_mapping_groups |
+ policy.ResourceMappingGroup |
repeated |
|
@@ -16558,7 +17368,7 @@ ListSubjectCondi
- ListSubjectMappingsRequest
+ ListResourceMappingsByGroupFqnsRequest
@@ -16569,35 +17379,11 @@ ListSubjectMappingsReq
- | namespace_id |
- string |
- |
- |
-
-
-
- | namespace_fqn |
+ fqns |
string |
- |
- |
-
-
-
- | pagination |
- policy.PageRequest |
- |
- Optional |
-
-
-
- | sort |
- SubjectMappingsSort |
repeated |
- Optional - CONSTRAINT: max 1 item
-Sort defaults:
- - direction UNSPECIFIED defaults to DESC for the specified field
- - field UNSPECIFIED defaults to created_at with the specified direction
- - both UNSPECIFIED or sort omitted defaults to created_at DESC |
+ Required
+Structure of the RM Group FQN is 'https://<namespace>/resm/<group name>' |
@@ -16607,7 +17393,7 @@ ListSubjectMappingsReq
- ListSubjectMappingsResponse
+ ListResourceMappingsByGroupFqnsResponse
@@ -16618,19 +17404,12 @@ ListSubjectMappingsRe
- | subject_mappings |
- policy.SubjectMapping |
+ fqn_resource_mapping_groups |
+ ListResourceMappingsByGroupFqnsResponse.FqnResourceMappingGroupsEntry |
repeated |
|
-
- | pagination |
- policy.PageResponse |
- |
- |
-
-
@@ -16638,8 +17417,8 @@ ListSubjectMappingsRe
- MatchSubjectMappingsRequest
- MatchSubjectMappingsRequest liberally returns a list of SubjectMappings based on the provided SubjectProperties. The SubjectMappings are returned if an external selector field matches.
+ ListResourceMappingsByGroupFqnsResponse.FqnResourceMappingGroupsEntry
+
@@ -16649,33 +17428,16 @@ MatchSubjectMappingsR
- | subject_properties |
- policy.SubjectProperty |
- repeated |
- |
-
-
-
-
-
-
-
-
-
- MatchSubjectMappingsResponse
-
-
-
-
-
- | Field | Type | Label | Description |
-
-
+ key |
+ string |
+ |
+ |
+
- | subject_mappings |
- policy.SubjectMapping |
- repeated |
+ value |
+ ResourceMappingsByGroup |
+ |
|
@@ -16686,7 +17448,7 @@ MatchSubjectMappings
- SubjectConditionSetCreate
+ ListResourceMappingsRequest
@@ -16697,18 +17459,17 @@ SubjectConditionSetCrea
- | subject_sets |
- policy.SubjectSet |
- repeated |
- Required |
+ group_id |
+ string |
+ |
+ Optional |
- | metadata |
- common.MetadataMutable |
+ pagination |
+ policy.PageRequest |
|
- Optional
-Common metadata |
+ Optional |
@@ -16718,7 +17479,7 @@ SubjectConditionSetCrea
- SubjectConditionSetsSort
+ ListResourceMappingsResponse
@@ -16729,15 +17490,15 @@ SubjectConditionSetsSort
- | field |
- SortSubjectConditionSetsType |
- |
+ resource_mappings |
+ policy.ResourceMapping |
+ repeated |
|
- | direction |
- policy.SortDirection |
+ pagination |
+ policy.PageResponse |
|
|
@@ -16749,7 +17510,7 @@ SubjectConditionSetsSort
- SubjectMappingsSort
+ ResourceMappingsByGroup
@@ -16760,16 +17521,16 @@ SubjectMappingsSort
- | field |
- SortSubjectMappingsType |
+ group |
+ policy.ResourceMappingGroup |
|
|
- | direction |
- policy.SortDirection |
- |
+ mappings |
+ policy.ResourceMapping |
+ repeated |
|
@@ -16780,7 +17541,7 @@ SubjectMappingsSort
- UpdateSubjectConditionSetRequest
+ UpdateResourceMappingGroupRequest
@@ -16798,11 +17559,17 @@ UpdateSubjectCon
- | subject_sets |
- policy.SubjectSet |
- repeated |
- Optional
-If provided, replaces entire existing structure of Subject Sets, Condition Groups, & Conditions |
+ namespace_id |
+ string |
+ |
+ Optional |
+
+
+
+ | name |
+ string |
+ |
+ Optional |
@@ -16826,7 +17593,7 @@ UpdateSubjectCon
- UpdateSubjectConditionSetResponse
+ UpdateResourceMappingGroupResponse
@@ -16837,10 +17604,10 @@ UpdateSubjectCo
- | subject_condition_set |
- policy.SubjectConditionSet |
+ resource_mapping_group |
+ policy.ResourceMappingGroup |
|
- Only ID of updated Subject Condition Set provided |
+ |
@@ -16850,7 +17617,7 @@ UpdateSubjectCo
- UpdateSubjectMappingRequest
+ UpdateResourceMappingRequest
@@ -16868,26 +17635,32 @@ UpdateSubjectMappingR
- | subject_condition_set_id |
+ attribute_value_id |
string |
|
- Optional
-Replaces the existing SubjectConditionSet id with a new one |
+ Optional |
- | actions |
- policy.Action |
+ terms |
+ string |
repeated |
- Optional
-Replaces entire list of actions permitted by subjects |
+ Optional |
+
+
+
+ | group_id |
+ string |
+ |
+ Optional |
| metadata |
common.MetadataMutable |
|
- Common metadata |
+ Optional
+Common Metadata |
@@ -16904,7 +17677,7 @@ UpdateSubjectMappingR
- UpdateSubjectMappingResponse
+ UpdateResourceMappingResponse
@@ -16915,10 +17688,10 @@ UpdateSubjectMapping
- | subject_mapping |
- policy.SubjectMapping |
+ resource_mapping |
+ policy.ResourceMapping |
|
- Only ID of the updated Subject Mapping provided |
+ |
@@ -16930,70 +17703,12 @@ UpdateSubjectMapping
- SortSubjectConditionSetsType
-
-
-
- | Name | Number | Description |
-
-
-
-
- | SORT_SUBJECT_CONDITION_SETS_TYPE_UNSPECIFIED |
- 0 |
- |
-
-
-
- | SORT_SUBJECT_CONDITION_SETS_TYPE_CREATED_AT |
- 1 |
- |
-
-
-
- | SORT_SUBJECT_CONDITION_SETS_TYPE_UPDATED_AT |
- 2 |
- |
-
-
-
-
-
- SortSubjectMappingsType
-
-
-
- | Name | Number | Description |
-
-
-
-
- | SORT_SUBJECT_MAPPINGS_TYPE_UNSPECIFIED |
- 0 |
- |
-
-
-
- | SORT_SUBJECT_MAPPINGS_TYPE_CREATED_AT |
- 1 |
- |
-
-
-
- | SORT_SUBJECT_MAPPINGS_TYPE_UPDATED_AT |
- 2 |
- |
-
-
-
-
-
- SubjectMappingService
-
+ ResourceMappingService
+ Resource Mapping Groups
| Method Name | Request Type | Response Type | Description |
@@ -17001,86 +17716,79 @@ SubjectMappingService
- | MatchSubjectMappings |
- MatchSubjectMappingsRequest |
- MatchSubjectMappingsResponse |
- Find matching Subject Mappings for a given Subject |
-
-
-
- | ListSubjectMappings |
- ListSubjectMappingsRequest |
- ListSubjectMappingsResponse |
+ ListResourceMappingGroups |
+ ListResourceMappingGroupsRequest |
+ ListResourceMappingGroupsResponse |
|
- | GetSubjectMapping |
- GetSubjectMappingRequest |
- GetSubjectMappingResponse |
+ GetResourceMappingGroup |
+ GetResourceMappingGroupRequest |
+ GetResourceMappingGroupResponse |
|
- | CreateSubjectMapping |
- CreateSubjectMappingRequest |
- CreateSubjectMappingResponse |
+ CreateResourceMappingGroup |
+ CreateResourceMappingGroupRequest |
+ CreateResourceMappingGroupResponse |
|
- | UpdateSubjectMapping |
- UpdateSubjectMappingRequest |
- UpdateSubjectMappingResponse |
+ UpdateResourceMappingGroup |
+ UpdateResourceMappingGroupRequest |
+ UpdateResourceMappingGroupResponse |
|
- | DeleteSubjectMapping |
- DeleteSubjectMappingRequest |
- DeleteSubjectMappingResponse |
+ DeleteResourceMappingGroup |
+ DeleteResourceMappingGroupRequest |
+ DeleteResourceMappingGroupResponse |
|
- | ListSubjectConditionSets |
- ListSubjectConditionSetsRequest |
- ListSubjectConditionSetsResponse |
+ ListResourceMappings |
+ ListResourceMappingsRequest |
+ ListResourceMappingsResponse |
|
- | GetSubjectConditionSet |
- GetSubjectConditionSetRequest |
- GetSubjectConditionSetResponse |
+ ListResourceMappingsByGroupFqns |
+ ListResourceMappingsByGroupFqnsRequest |
+ ListResourceMappingsByGroupFqnsResponse |
|
- | CreateSubjectConditionSet |
- CreateSubjectConditionSetRequest |
- CreateSubjectConditionSetResponse |
+ GetResourceMapping |
+ GetResourceMappingRequest |
+ GetResourceMappingResponse |
|
- | UpdateSubjectConditionSet |
- UpdateSubjectConditionSetRequest |
- UpdateSubjectConditionSetResponse |
+ CreateResourceMapping |
+ CreateResourceMappingRequest |
+ CreateResourceMappingResponse |
|
- | DeleteSubjectConditionSet |
- DeleteSubjectConditionSetRequest |
- DeleteSubjectConditionSetResponse |
+ UpdateResourceMapping |
+ UpdateResourceMappingRequest |
+ UpdateResourceMappingResponse |
|
- | DeleteAllUnmappedSubjectConditionSets |
- DeleteAllUnmappedSubjectConditionSetsRequest |
- DeleteAllUnmappedSubjectConditionSetsResponse |
+ DeleteResourceMapping |
+ DeleteResourceMappingRequest |
+ DeleteResourceMappingResponse |
|
@@ -17101,22 +17809,27 @@ Methods with idempotency_level option
- | ListSubjectMappings |
+ ListResourceMappingGroups |
NO_SIDE_EFFECTS |
- | GetSubjectMapping |
+ GetResourceMappingGroup |
NO_SIDE_EFFECTS |
- | ListSubjectConditionSets |
+ ListResourceMappings |
NO_SIDE_EFFECTS |
- | GetSubjectConditionSet |
+ ListResourceMappingsByGroupFqns |
+ NO_SIDE_EFFECTS |
+
+
+
+ | GetResourceMapping |
NO_SIDE_EFFECTS |
diff --git a/docs/openapi/authorization/authorization.openapi.yaml b/docs/openapi/authorization/authorization.openapi.yaml
index 1f3648bae8..bc3a5104e6 100644
--- a/docs/openapi/authorization/authorization.openapi.yaml
+++ b/docs/openapi/authorization/authorization.openapi.yaml
@@ -133,6 +133,7 @@ components:
Example Request Get Decisions to answer the question - Do Bob (represented by entity chain ec1)
and Alice (represented by entity chain ec2) have TRANSMIT authorization for
2 resources; resource1 (attr-set-1) defined by attributes foo:bar resource2 (attr-set-2) defined by attribute foo:bar, color:red ?
+
{
"actions": [
{
@@ -204,11 +205,13 @@ components:
Example response for a Decision Request - Do Bob (represented by entity chain ec1)
and Alice (represented by entity chain ec2) have TRANSMIT authorization for
2 resources; resource1 (attr-set-1) defined by attributes foo:bar resource2 (attr-set-2) defined by attribute foo:bar, color:red ?
+
Results:
- bob has permitted authorization to transmit for a resource defined by attr-set-1 attributes and has a watermark obligation
- bob has denied authorization to transmit a for a resource defined by attr-set-2 attributes
- alice has permitted authorization to transmit for a resource defined by attr-set-1 attributes
- alice has denied authorization to transmit a for a resource defined by attr-set-2 attributes
+
{
"entityChainId": "ec1",
"resourceAttributesId": "attr-set-1",
@@ -420,7 +423,9 @@ components:
additionalProperties: false
description: |-
Request to get entitlements for one or more entities for an optional attribute scope
+
Example: Get entitlements for bob and alice (both represented using an email address
+
{
"entities": [
{
@@ -451,6 +456,7 @@ components:
additionalProperties: false
description: |-
Example Response for a request of : Get entitlements for bob and alice (both represented using an email address
+
{
"entitlements": [
{
@@ -522,6 +528,7 @@ components:
Example Request Get Decisions by Token to answer the question - Do Bob and client1 (represented by token tok1)
and Alice and client2 (represented by token tok2) have TRANSMIT authorization for
2 resources; resource1 (attr-set-1) defined by attributes foo:bar resource2 (attr-set-2) defined by attribute foo:bar, color:red ?
+
{
"actions": [
{
diff --git a/docs/openapi/policy/dynamicvaluemapping/dynamic_value_mapping.openapi.yaml b/docs/openapi/policy/dynamicvaluemapping/dynamic_value_mapping.openapi.yaml
new file mode 100644
index 0000000000..0c19ff5295
--- /dev/null
+++ b/docs/openapi/policy/dynamicvaluemapping/dynamic_value_mapping.openapi.yaml
@@ -0,0 +1,1454 @@
+openapi: 3.1.0
+info:
+ title: policy.dynamicvaluemapping
+paths:
+ /policy.dynamicvaluemapping.DynamicValueMappingService/CreateDynamicValueMapping:
+ post:
+ tags:
+ - policy.dynamicvaluemapping.DynamicValueMappingService
+ summary: CreateDynamicValueMapping
+ operationId: policy.dynamicvaluemapping.DynamicValueMappingService.CreateDynamicValueMapping
+ parameters:
+ - name: Connect-Protocol-Version
+ in: header
+ required: true
+ schema:
+ $ref: '#/components/schemas/connect-protocol-version'
+ - name: Connect-Timeout-Ms
+ in: header
+ schema:
+ $ref: '#/components/schemas/connect-timeout-header'
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/policy.dynamicvaluemapping.CreateDynamicValueMappingRequest'
+ required: true
+ responses:
+ default:
+ description: Error
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/connect.error'
+ "200":
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/policy.dynamicvaluemapping.CreateDynamicValueMappingResponse'
+ /policy.dynamicvaluemapping.DynamicValueMappingService/DeleteDynamicValueMapping:
+ post:
+ tags:
+ - policy.dynamicvaluemapping.DynamicValueMappingService
+ summary: DeleteDynamicValueMapping
+ operationId: policy.dynamicvaluemapping.DynamicValueMappingService.DeleteDynamicValueMapping
+ parameters:
+ - name: Connect-Protocol-Version
+ in: header
+ required: true
+ schema:
+ $ref: '#/components/schemas/connect-protocol-version'
+ - name: Connect-Timeout-Ms
+ in: header
+ schema:
+ $ref: '#/components/schemas/connect-timeout-header'
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/policy.dynamicvaluemapping.DeleteDynamicValueMappingRequest'
+ required: true
+ responses:
+ default:
+ description: Error
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/connect.error'
+ "200":
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/policy.dynamicvaluemapping.DeleteDynamicValueMappingResponse'
+ /policy.dynamicvaluemapping.DynamicValueMappingService/GetDynamicValueMapping:
+ post:
+ tags:
+ - policy.dynamicvaluemapping.DynamicValueMappingService
+ summary: GetDynamicValueMapping
+ operationId: policy.dynamicvaluemapping.DynamicValueMappingService.GetDynamicValueMapping
+ parameters:
+ - name: Connect-Protocol-Version
+ in: header
+ required: true
+ schema:
+ $ref: '#/components/schemas/connect-protocol-version'
+ - name: Connect-Timeout-Ms
+ in: header
+ schema:
+ $ref: '#/components/schemas/connect-timeout-header'
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/policy.dynamicvaluemapping.GetDynamicValueMappingRequest'
+ required: true
+ responses:
+ default:
+ description: Error
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/connect.error'
+ "200":
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/policy.dynamicvaluemapping.GetDynamicValueMappingResponse'
+ /policy.dynamicvaluemapping.DynamicValueMappingService/ListDynamicValueMappings:
+ post:
+ tags:
+ - policy.dynamicvaluemapping.DynamicValueMappingService
+ summary: ListDynamicValueMappings
+ operationId: policy.dynamicvaluemapping.DynamicValueMappingService.ListDynamicValueMappings
+ parameters:
+ - name: Connect-Protocol-Version
+ in: header
+ required: true
+ schema:
+ $ref: '#/components/schemas/connect-protocol-version'
+ - name: Connect-Timeout-Ms
+ in: header
+ schema:
+ $ref: '#/components/schemas/connect-timeout-header'
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/policy.dynamicvaluemapping.ListDynamicValueMappingsRequest'
+ required: true
+ responses:
+ default:
+ description: Error
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/connect.error'
+ "200":
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/policy.dynamicvaluemapping.ListDynamicValueMappingsResponse'
+ /policy.dynamicvaluemapping.DynamicValueMappingService/UpdateDynamicValueMapping:
+ post:
+ tags:
+ - policy.dynamicvaluemapping.DynamicValueMappingService
+ summary: UpdateDynamicValueMapping
+ operationId: policy.dynamicvaluemapping.DynamicValueMappingService.UpdateDynamicValueMapping
+ parameters:
+ - name: Connect-Protocol-Version
+ in: header
+ required: true
+ schema:
+ $ref: '#/components/schemas/connect-protocol-version'
+ - name: Connect-Timeout-Ms
+ in: header
+ schema:
+ $ref: '#/components/schemas/connect-timeout-header'
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/policy.dynamicvaluemapping.UpdateDynamicValueMappingRequest'
+ required: true
+ responses:
+ default:
+ description: Error
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/connect.error'
+ "200":
+ description: Success
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/policy.dynamicvaluemapping.UpdateDynamicValueMappingResponse'
+components:
+ schemas:
+ common.Metadata:
+ type: object
+ properties:
+ createdAt:
+ title: created_at
+ description: created_at set by server (entity who created will recorded in an audit event)
+ $ref: '#/components/schemas/google.protobuf.Timestamp'
+ updatedAt:
+ title: updated_at
+ description: updated_at set by server (entity who updated will recorded in an audit event)
+ $ref: '#/components/schemas/google.protobuf.Timestamp'
+ labels:
+ type: object
+ title: labels
+ additionalProperties:
+ type: string
+ title: value
+ description: optional short description
+ title: Metadata
+ additionalProperties: false
+ description: Struct to uniquely identify a resource with optional additional metadata
+ common.Metadata.LabelsEntry:
+ type: object
+ properties:
+ key:
+ type: string
+ title: key
+ value:
+ type: string
+ title: value
+ title: LabelsEntry
+ additionalProperties: false
+ common.MetadataMutable:
+ type: object
+ properties:
+ labels:
+ type: object
+ title: labels
+ additionalProperties:
+ type: string
+ title: value
+ description: optional labels
+ title: MetadataMutable
+ additionalProperties: false
+ common.MetadataMutable.LabelsEntry:
+ type: object
+ properties:
+ key:
+ type: string
+ title: key
+ value:
+ type: string
+ title: value
+ title: LabelsEntry
+ additionalProperties: false
+ common.MetadataUpdateEnum:
+ type: string
+ title: MetadataUpdateEnum
+ enum:
+ - METADATA_UPDATE_ENUM_UNSPECIFIED
+ - METADATA_UPDATE_ENUM_EXTEND
+ - METADATA_UPDATE_ENUM_REPLACE
+ connect-protocol-version:
+ type: number
+ title: Connect-Protocol-Version
+ enum:
+ - 1
+ description: Define the version of the Connect protocol
+ const: 1
+ connect-timeout-header:
+ type: number
+ title: Connect-Timeout-Ms
+ description: Define the timeout, in ms
+ connect.error:
+ type: object
+ properties:
+ code:
+ type: string
+ examples:
+ - not_found
+ enum:
+ - canceled
+ - unknown
+ - invalid_argument
+ - deadline_exceeded
+ - not_found
+ - already_exists
+ - permission_denied
+ - resource_exhausted
+ - failed_precondition
+ - aborted
+ - out_of_range
+ - unimplemented
+ - internal
+ - unavailable
+ - data_loss
+ - unauthenticated
+ description: The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code].
+ message:
+ type: string
+ description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client.
+ details:
+ type: array
+ items:
+ $ref: '#/components/schemas/connect.error_details.Any'
+ description: A list of messages that carry the error details. There is no limit on the number of messages.
+ title: Connect Error
+ additionalProperties: true
+ description: 'Error type returned by Connect: https://connectrpc.com/docs/go/errors/#http-representation'
+ connect.error_details.Any:
+ type: object
+ properties:
+ type:
+ type: string
+ description: 'A URL that acts as a globally unique identifier for the type of the serialized message. For example: `type.googleapis.com/google.rpc.ErrorInfo`. This is used to determine the schema of the data in the `value` field and is the discriminator for the `debug` field.'
+ value:
+ type: string
+ format: binary
+ description: The Protobuf message, serialized as bytes and base64-encoded. The specific message type is identified by the `type` field.
+ debug:
+ oneOf:
+ - type: object
+ title: Any
+ additionalProperties: true
+ description: Detailed error information.
+ discriminator:
+ propertyName: type
+ title: Debug
+ description: Deserialized error detail payload. The 'type' field indicates the schema. This field is for easier debugging and should not be relied upon for application logic.
+ additionalProperties: true
+ description: Contains an arbitrary serialized message along with a @type that describes the type of the serialized message, with an additional debug field for ConnectRPC error details.
+ google.protobuf.BoolValue:
+ type: boolean
+ description: |-
+ Wrapper message for `bool`.
+
+ The JSON representation for `BoolValue` is JSON `true` and `false`.
+
+ Not recommended for use in new APIs, but still useful for legacy APIs and
+ has no plan to be removed.
+ google.protobuf.Timestamp:
+ type: string
+ examples:
+ - "2023-01-15T01:30:15.01Z"
+ - "2024-12-25T12:00:00Z"
+ format: date-time
+ description: |-
+ A Timestamp represents a point in time independent of any time zone or local
+ calendar, encoded as a count of seconds and fractions of seconds at
+ nanosecond resolution. The count is relative to an epoch at UTC midnight on
+ January 1, 1970, in the proleptic Gregorian calendar which extends the
+ Gregorian calendar backwards to year one.
+
+ All minutes are 60 seconds long. Leap seconds are "smeared" so that no leap
+ second table is needed for interpretation, using a [24-hour linear
+ smear](https://developers.google.com/time/smear).
+
+ The range is from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z. By
+ restricting to that range, we ensure that we can convert to and from [RFC
+ 3339](https://www.ietf.org/rfc/rfc3339.txt) date strings.
+
+ # Examples
+
+ Example 1: Compute Timestamp from POSIX `time()`.
+
+ Timestamp timestamp;
+ timestamp.set_seconds(time(NULL));
+ timestamp.set_nanos(0);
+
+ Example 2: Compute Timestamp from POSIX `gettimeofday()`.
+
+ struct timeval tv;
+ gettimeofday(&tv, NULL);
+
+ Timestamp timestamp;
+ timestamp.set_seconds(tv.tv_sec);
+ timestamp.set_nanos(tv.tv_usec * 1000);
+
+ Example 3: Compute Timestamp from Win32 `GetSystemTimeAsFileTime()`.
+
+ FILETIME ft;
+ GetSystemTimeAsFileTime(&ft);
+ UINT64 ticks = (((UINT64)ft.dwHighDateTime) << 32) | ft.dwLowDateTime;
+
+ // A Windows tick is 100 nanoseconds. Windows epoch 1601-01-01T00:00:00Z
+ // is 11644473600 seconds before Unix epoch 1970-01-01T00:00:00Z.
+ Timestamp timestamp;
+ timestamp.set_seconds((INT64) ((ticks / 10000000) - 11644473600LL));
+ timestamp.set_nanos((INT32) ((ticks % 10000000) * 100));
+
+ Example 4: Compute Timestamp from Java `System.currentTimeMillis()`.
+
+ long millis = System.currentTimeMillis();
+
+ Timestamp timestamp = Timestamp.newBuilder().setSeconds(millis / 1000)
+ .setNanos((int) ((millis % 1000) * 1000000)).build();
+
+ Example 5: Compute Timestamp from Java `Instant.now()`.
+
+ Instant now = Instant.now();
+
+ Timestamp timestamp =
+ Timestamp.newBuilder().setSeconds(now.getEpochSecond())
+ .setNanos(now.getNano()).build();
+
+ Example 6: Compute Timestamp from current time in Python.
+
+ timestamp = Timestamp()
+ timestamp.GetCurrentTime()
+
+ # JSON Mapping
+
+ In JSON format, the Timestamp type is encoded as a string in the
+ [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format. That is, the
+ format is "{year}-{month}-{day}T{hour}:{min}:{sec}[.{frac_sec}]Z"
+ where {year} is always expressed using four digits while {month}, {day},
+ {hour}, {min}, and {sec} are zero-padded to two digits each. The fractional
+ seconds, which can go up to 9 digits (i.e. up to 1 nanosecond resolution),
+ are optional. The "Z" suffix indicates the timezone ("UTC"); the timezone
+ is required. A proto3 JSON serializer should always use UTC (as indicated by
+ "Z") when printing the Timestamp type and a proto3 JSON parser should be
+ able to accept both UTC and other timezones (as indicated by an offset).
+
+ For example, "2017-01-15T01:30:15.01Z" encodes 15.01 seconds past
+ 01:30 UTC on January 15, 2017.
+
+ In JavaScript, one can convert a Date object to this format using the
+ standard
+ [toISOString()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toISOString)
+ method. In Python, a standard `datetime.datetime` object can be converted
+ to this format using
+ [`strftime`](https://docs.python.org/2/library/time.html#time.strftime) with
+ the time format spec '%Y-%m-%dT%H:%M:%S.%fZ'. Likewise, in Java, one can use
+ the Joda Time's [`ISODateTimeFormat.dateTime()`](
+ http://joda-time.sourceforge.net/apidocs/org/joda/time/format/ISODateTimeFormat.html#dateTime()
+ ) to obtain a formatter capable of generating timestamps in this format.
+ policy.Action:
+ type: object
+ allOf:
+ - properties:
+ id:
+ type: string
+ title: id
+ description: Generated uuid in database
+ name:
+ type: string
+ title: name
+ namespace:
+ title: namespace
+ description: Namespace context for this action
+ $ref: '#/components/schemas/policy.Namespace'
+ metadata:
+ title: metadata
+ $ref: '#/components/schemas/common.Metadata'
+ - oneOf:
+ - type: object
+ properties:
+ custom:
+ type: string
+ title: custom
+ description: Deprecated
+ title: custom
+ required:
+ - custom
+ - type: object
+ properties:
+ standard:
+ title: standard
+ description: Deprecated
+ $ref: '#/components/schemas/policy.Action.StandardAction'
+ title: standard
+ required:
+ - standard
+ title: Action
+ additionalProperties: false
+ description: An action an entity can take
+ policy.Action.StandardAction:
+ type: string
+ title: StandardAction
+ enum:
+ - STANDARD_ACTION_UNSPECIFIED
+ - STANDARD_ACTION_DECRYPT
+ - STANDARD_ACTION_TRANSMIT
+ policy.Algorithm:
+ type: string
+ title: Algorithm
+ enum:
+ - ALGORITHM_UNSPECIFIED
+ - ALGORITHM_RSA_2048
+ - ALGORITHM_RSA_4096
+ - ALGORITHM_EC_P256
+ - ALGORITHM_EC_P384
+ - ALGORITHM_EC_P521
+ - ALGORITHM_HPQT_XWING
+ - ALGORITHM_HPQT_SECP256R1_MLKEM768
+ - ALGORITHM_HPQT_SECP384R1_MLKEM1024
+ description: Supported key algorithms.
+ policy.Attribute:
+ type: object
+ properties:
+ id:
+ type: string
+ title: id
+ namespace:
+ title: namespace
+ description: namespace of the attribute
+ $ref: '#/components/schemas/policy.Namespace'
+ name:
+ type: string
+ title: name
+ description: attribute name
+ rule:
+ title: rule
+ description: attribute rule enum
+ $ref: '#/components/schemas/policy.AttributeRuleTypeEnum'
+ values:
+ type: array
+ items:
+ $ref: '#/components/schemas/policy.Value'
+ title: values
+ grants:
+ type: array
+ items:
+ $ref: '#/components/schemas/policy.KeyAccessServer'
+ title: grants
+ description: Deprecated KAS grants for the attribute. Use kas_keys instead.
+ fqn:
+ type: string
+ title: fqn
+ active:
+ title: active
+ description: active by default until explicitly deactivated
+ $ref: '#/components/schemas/google.protobuf.BoolValue'
+ kasKeys:
+ type: array
+ items:
+ $ref: '#/components/schemas/policy.SimpleKasKey'
+ title: kas_keys
+ description: Keys associated with the attribute
+ allowTraversal:
+ title: allow_traversal
+ description: |-
+ Whether or not we will use the attribute definition during encryption
+ if the attribute value is missing.
+ $ref: '#/components/schemas/google.protobuf.BoolValue'
+ metadata:
+ title: metadata
+ description: Common metadata
+ $ref: '#/components/schemas/common.Metadata'
+ title: Attribute
+ required:
+ - rule
+ additionalProperties: false
+ policy.AttributeRuleTypeEnum:
+ type: string
+ title: AttributeRuleTypeEnum
+ enum:
+ - ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED
+ - ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF
+ - ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF
+ - ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY
+ policy.Condition:
+ type: object
+ properties:
+ subjectExternalSelectorValue:
+ type: string
+ title: subject_external_selector_value
+ description: |-
+ a selector for a field value on a flattened Entity Representation (such as
+ from idP/LDAP)
+ operator:
+ title: operator
+ description: the evaluation operator of relation
+ $ref: '#/components/schemas/policy.SubjectMappingOperatorEnum'
+ subjectExternalValues:
+ type: array
+ items:
+ type: string
+ title: subject_external_values
+ minItems: 1
+ description: |-
+ list of comparison values for the result of applying the
+ subject_external_selector_value on a flattened Entity Representation
+ (Subject), evaluated by the operator
+ title: Condition
+ required:
+ - subjectExternalSelectorValue
+ - operator
+ additionalProperties: false
+ description: |-
+ *
+ A Condition defines a rule of
+ policy.ConditionBooleanTypeEnum:
+ type: string
+ title: ConditionBooleanTypeEnum
+ enum:
+ - CONDITION_BOOLEAN_TYPE_ENUM_UNSPECIFIED
+ - CONDITION_BOOLEAN_TYPE_ENUM_AND
+ - CONDITION_BOOLEAN_TYPE_ENUM_OR
+ policy.ConditionGroup:
+ type: object
+ properties:
+ conditions:
+ type: array
+ items:
+ $ref: '#/components/schemas/policy.Condition'
+ title: conditions
+ minItems: 1
+ booleanOperator:
+ title: boolean_operator
+ description: the boolean evaluation type across the conditions
+ $ref: '#/components/schemas/policy.ConditionBooleanTypeEnum'
+ title: ConditionGroup
+ required:
+ - booleanOperator
+ additionalProperties: false
+ description: A collection of Conditions evaluated by the boolean_operator provided
+ policy.DynamicValueMapping:
+ type: object
+ properties:
+ id:
+ type: string
+ title: id
+ attributeDefinition:
+ title: attribute_definition
+ description: the Attribute Definition whose values are entitled dynamically
+ $ref: '#/components/schemas/policy.Attribute'
+ valueResolver:
+ title: value_resolver
+ description: the dynamic resolver matched against the requested resource value segment
+ $ref: '#/components/schemas/policy.DynamicValueResolver'
+ subjectConditionSet:
+ title: subject_condition_set
+ description: |-
+ optional static pre-gate on the entity, evaluated with normal SubjectConditionSet
+ semantics (no dynamic overload). When present, both the gate and the resolver must
+ pass for entitlement.
+ $ref: '#/components/schemas/policy.SubjectConditionSet'
+ actions:
+ type: array
+ items:
+ $ref: '#/components/schemas/policy.Action'
+ title: actions
+ description: the actions permitted by subjects in this mapping
+ namespace:
+ title: namespace
+ description: the namespace containing this mapping
+ $ref: '#/components/schemas/policy.Namespace'
+ metadata:
+ title: metadata
+ $ref: '#/components/schemas/common.Metadata'
+ title: DynamicValueMapping
+ additionalProperties: false
+ description: |-
+ Dynamic Value Mapping: a Policy assigning permitted action(s) to
+ dynamically-requested values under an Attribute Definition. It raises entitlement
+ authority from a concrete Attribute Value to the Attribute Definition: at decision time
+ the value_resolver compares the requested resource value segment against the entity
+ representation, avoiding pre-provisioning a value + subject mapping per discrete value.
+ policy.DynamicValueOperatorEnum:
+ type: string
+ title: DynamicValueOperatorEnum
+ enum:
+ - DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED
+ - DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN
+ - DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS
+ description: |-
+ Operators for dynamic, definition-level value entitlement. Unlike
+ SubjectMappingOperatorEnum, whose right-hand operand is a static list authored into
+ policy, a DynamicValueOperatorEnum's right-hand operand is the requested resource's
+ attribute value segment, supplied at decision time. Each value is the inversion of its
+ static SubjectMappingOperatorEnum counterpart.
+ policy.DynamicValueResolver:
+ type: object
+ properties:
+ subjectExternalSelectorValue:
+ type: string
+ title: subject_external_selector_value
+ description: |-
+ a selector for a field value on a flattened Entity Representation (such as from
+ idP/LDAP), e.g. ".patientAssignments[]"
+ operator:
+ title: operator
+ description: the dynamic operator comparing the selector result to the resource value segment
+ $ref: '#/components/schemas/policy.DynamicValueOperatorEnum'
+ title: DynamicValueResolver
+ required:
+ - subjectExternalSelectorValue
+ - operator
+ additionalProperties: false
+ description: |-
+ Definition Value Resolver: the dynamic half of a DynamicValueMapping. It
+ resolves a selector against the entity representation and compares the result to the
+ requested resource value segment using a DynamicValueOperatorEnum.
+ policy.KasPublicKey:
+ type: object
+ properties:
+ pem:
+ type: string
+ title: pem
+ maxLength: 8192
+ minLength: 1
+ description: x509 ASN.1 content in PEM envelope, usually
+ kid:
+ type: string
+ title: kid
+ maxLength: 32
+ minLength: 1
+ description: A unique string identifier for this key
+ alg:
+ not:
+ enum:
+ - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED
+ title: alg
+ description: |-
+ A known algorithm type with any additional parameters encoded.
+ To start, these may be `rsa:2048` for RSA-based wrapping and
+ `ec:secp256r1` for EC-based wrapping, but more formats may be added as needed.
+ $ref: '#/components/schemas/policy.KasPublicKeyAlgEnum'
+ title: KasPublicKey
+ additionalProperties: false
+ description: |-
+ Deprecated
+ A KAS public key and some associated metadata for further identifcation
+ policy.KasPublicKeyAlgEnum:
+ type: string
+ title: KasPublicKeyAlgEnum
+ enum:
+ - KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED
+ - KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048
+ - KAS_PUBLIC_KEY_ALG_ENUM_RSA_4096
+ - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1
+ - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP384R1
+ - KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP521R1
+ - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_XWING
+ - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP256R1_MLKEM768
+ - KAS_PUBLIC_KEY_ALG_ENUM_HPQT_SECP384R1_MLKEM1024
+ policy.KasPublicKeySet:
+ type: object
+ properties:
+ keys:
+ type: array
+ items:
+ $ref: '#/components/schemas/policy.KasPublicKey'
+ title: keys
+ title: KasPublicKeySet
+ additionalProperties: false
+ description: |-
+ Deprecated
+ A list of known KAS public keys
+ policy.KeyAccessServer:
+ type: object
+ properties:
+ id:
+ type: string
+ title: id
+ uri:
+ type: string
+ title: uri
+ description: |
+ Address of a KAS instance
+ uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.
+ publicKey:
+ title: public_key
+ description: 'Deprecated: KAS can have multiple key pairs'
+ $ref: '#/components/schemas/policy.PublicKey'
+ sourceType:
+ title: source_type
+ description: 'The source of the KAS: (INTERNAL, EXTERNAL)'
+ $ref: '#/components/schemas/policy.SourceType'
+ kasKeys:
+ type: array
+ items:
+ $ref: '#/components/schemas/policy.SimpleKasKey'
+ title: kas_keys
+ description: Kas keys associated with this KAS
+ name:
+ type: string
+ title: name
+ description: |-
+ Optional
+ Unique name of the KAS instance
+ metadata:
+ title: metadata
+ description: Common metadata
+ $ref: '#/components/schemas/common.Metadata'
+ title: KeyAccessServer
+ additionalProperties: false
+ description: Key Access Server Registry
+ policy.Namespace:
+ type: object
+ properties:
+ id:
+ type: string
+ title: id
+ description: generated uuid in database
+ name:
+ type: string
+ title: name
+ description: |-
+ used to partition Attribute Definitions, support by namespace AuthN and
+ enable federation
+ fqn:
+ type: string
+ title: fqn
+ active:
+ title: active
+ description: active by default until explicitly deactivated
+ $ref: '#/components/schemas/google.protobuf.BoolValue'
+ metadata:
+ title: metadata
+ $ref: '#/components/schemas/common.Metadata'
+ grants:
+ type: array
+ items:
+ $ref: '#/components/schemas/policy.KeyAccessServer'
+ title: grants
+ description: Deprecated KAS grants for the namespace. Use kas_keys instead.
+ kasKeys:
+ type: array
+ items:
+ $ref: '#/components/schemas/policy.SimpleKasKey'
+ title: kas_keys
+ description: Keys for the namespace
+ title: Namespace
+ additionalProperties: false
+ policy.Obligation:
+ type: object
+ properties:
+ id:
+ type: string
+ title: id
+ namespace:
+ title: namespace
+ $ref: '#/components/schemas/policy.Namespace'
+ name:
+ type: string
+ title: name
+ values:
+ type: array
+ items:
+ $ref: '#/components/schemas/policy.ObligationValue'
+ title: values
+ fqn:
+ type: string
+ title: fqn
+ metadata:
+ title: metadata
+ $ref: '#/components/schemas/common.Metadata'
+ title: Obligation
+ additionalProperties: false
+ policy.ObligationTrigger:
+ type: object
+ properties:
+ id:
+ type: string
+ title: id
+ obligationValue:
+ title: obligation_value
+ $ref: '#/components/schemas/policy.ObligationValue'
+ action:
+ title: action
+ $ref: '#/components/schemas/policy.Action'
+ attributeValue:
+ title: attribute_value
+ $ref: '#/components/schemas/policy.Value'
+ context:
+ type: array
+ items:
+ $ref: '#/components/schemas/policy.RequestContext'
+ title: context
+ namespace:
+ title: namespace
+ description: The source namespace for this trigger, derived from the attribute value and action.
+ $ref: '#/components/schemas/policy.Namespace'
+ metadata:
+ title: metadata
+ $ref: '#/components/schemas/common.Metadata'
+ title: ObligationTrigger
+ additionalProperties: false
+ policy.ObligationValue:
+ type: object
+ properties:
+ id:
+ type: string
+ title: id
+ obligation:
+ title: obligation
+ $ref: '#/components/schemas/policy.Obligation'
+ value:
+ type: string
+ title: value
+ triggers:
+ type: array
+ items:
+ $ref: '#/components/schemas/policy.ObligationTrigger'
+ title: triggers
+ fqn:
+ type: string
+ title: fqn
+ metadata:
+ title: metadata
+ $ref: '#/components/schemas/common.Metadata'
+ title: ObligationValue
+ additionalProperties: false
+ policy.PageRequest:
+ type: object
+ properties:
+ limit:
+ type: integer
+ title: limit
+ format: int32
+ description: |-
+ Optional
+ Set to configured default limit if not provided
+ Maximum limit set in platform config and enforced by services
+ offset:
+ type: integer
+ title: offset
+ format: int32
+ description: |-
+ Optional
+ Defaulted if not provided
+ title: PageRequest
+ additionalProperties: false
+ policy.PageResponse:
+ type: object
+ properties:
+ currentOffset:
+ type: integer
+ title: current_offset
+ format: int32
+ description: Requested pagination offset
+ nextOffset:
+ type: integer
+ title: next_offset
+ format: int32
+ description: |-
+ Calculated with request limit + offset or defaults
+ Empty when none remain after current page
+ total:
+ type: integer
+ title: total
+ format: int32
+ description: Total count of entire list
+ title: PageResponse
+ additionalProperties: false
+ policy.PolicyEnforcementPoint:
+ type: object
+ properties:
+ clientId:
+ type: string
+ title: client_id
+ minLength: 1
+ title: PolicyEnforcementPoint
+ additionalProperties: false
+ policy.PublicKey:
+ type: object
+ oneOf:
+ - type: object
+ properties:
+ cached:
+ title: cached
+ description: public key with additional information. Current preferred version
+ $ref: '#/components/schemas/policy.KasPublicKeySet'
+ title: cached
+ required:
+ - cached
+ - type: object
+ properties:
+ remote:
+ type: string
+ title: remote
+ description: |
+ kas public key url - optional since can also be retrieved via public key
+ uri_format // URI must be a valid URL (e.g., 'https://demo.com/') followed by additional segments. Each segment must start and end with an alphanumeric character, can contain hyphens, alphanumeric characters, and slashes.
+ title: remote
+ required:
+ - remote
+ title: PublicKey
+ additionalProperties: false
+ description: Deprecated
+ policy.RequestContext:
+ type: object
+ properties:
+ pep:
+ title: pep
+ $ref: '#/components/schemas/policy.PolicyEnforcementPoint'
+ title: RequestContext
+ required:
+ - pep
+ additionalProperties: false
+ description: Holds the context needed for obligation fulfillment
+ policy.ResourceMapping:
+ type: object
+ properties:
+ id:
+ type: string
+ title: id
+ metadata:
+ title: metadata
+ $ref: '#/components/schemas/common.Metadata'
+ attributeValue:
+ title: attribute_value
+ $ref: '#/components/schemas/policy.Value'
+ terms:
+ type: array
+ items:
+ type: string
+ title: terms
+ group:
+ title: group
+ $ref: '#/components/schemas/policy.ResourceMappingGroup'
+ title: ResourceMapping
+ required:
+ - attributeValue
+ additionalProperties: false
+ description: |-
+ Resource Mappings (aka Access Control Resource Encodings aka ACRE) are
+ structures supporting the mapping of Resources and Attribute Values
+ policy.ResourceMappingGroup:
+ type: object
+ properties:
+ id:
+ type: string
+ title: id
+ namespaceId:
+ type: string
+ title: namespace_id
+ description: the namespace containing the group of resource mappings
+ name:
+ type: string
+ title: name
+ description: |-
+ the common name for the group of resource mappings, which must be unique
+ per namespace
+ fqn:
+ type: string
+ title: fqn
+ description: the fully qualified name of the resource mapping group
+ metadata:
+ title: metadata
+ description: Common metadata
+ $ref: '#/components/schemas/common.Metadata'
+ title: ResourceMappingGroup
+ required:
+ - namespaceId
+ - name
+ additionalProperties: false
+ description: |-
+ Resource Mapping Groups are namespaced collections of Resource Mappings
+ associated under a common group name.
+ policy.SimpleKasKey:
+ type: object
+ properties:
+ kasUri:
+ type: string
+ title: kas_uri
+ description: The URL of the Key Access Server
+ publicKey:
+ title: public_key
+ description: The public key of the Key that belongs to the KAS
+ $ref: '#/components/schemas/policy.SimpleKasPublicKey'
+ kasId:
+ type: string
+ title: kas_id
+ description: The ID of the Key Access Server
+ title: SimpleKasKey
+ additionalProperties: false
+ policy.SimpleKasPublicKey:
+ type: object
+ properties:
+ algorithm:
+ title: algorithm
+ $ref: '#/components/schemas/policy.Algorithm'
+ kid:
+ type: string
+ title: kid
+ pem:
+ type: string
+ title: pem
+ title: SimpleKasPublicKey
+ additionalProperties: false
+ policy.SortDirection:
+ type: string
+ title: SortDirection
+ enum:
+ - SORT_DIRECTION_UNSPECIFIED
+ - SORT_DIRECTION_ASC
+ - SORT_DIRECTION_DESC
+ description: |-
+ Sorting direction shared across list APIs.
+ When the 'sort' field is omitted or the chosen sort 'field' is UNSPECIFIED,
+ the endpoint's request message defines the default ordering; see the
+ specific List* request docs.
+ policy.SourceType:
+ type: string
+ title: SourceType
+ enum:
+ - SOURCE_TYPE_UNSPECIFIED
+ - SOURCE_TYPE_INTERNAL
+ - SOURCE_TYPE_EXTERNAL
+ description: |-
+ Describes whether this kas is managed by the organization or if they imported
+ the kas information from an external party. These two modes are necessary in order
+ to encrypt a tdf dek with an external parties kas public key.
+ policy.SubjectConditionSet:
+ type: object
+ properties:
+ id:
+ type: string
+ title: id
+ namespace:
+ title: namespace
+ description: |-
+ the namespace containing this subject condition set
+ possible this is empty in the case a subject condition set
+ has not been migrated to a namespace.
+ $ref: '#/components/schemas/policy.Namespace'
+ subjectSets:
+ type: array
+ items:
+ $ref: '#/components/schemas/policy.SubjectSet'
+ title: subject_sets
+ minItems: 1
+ metadata:
+ title: metadata
+ $ref: '#/components/schemas/common.Metadata'
+ title: SubjectConditionSet
+ additionalProperties: false
+ description: |-
+ A container for multiple Subject Sets, each containing Condition Groups, each
+ containing Conditions. Multiple Subject Sets in a SubjectConditionSet are
+ evaluated with AND logic. As each Subject Mapping has only one Attribute
+ Value, the SubjectConditionSet is reusable across multiple Subject Mappings /
+ Attribute Values and is an independent unit.
+ policy.SubjectMapping:
+ type: object
+ properties:
+ id:
+ type: string
+ title: id
+ attributeValue:
+ title: attribute_value
+ description: 'the Attribute Value mapped to; aka: "The Entity Entitlement Attribute"'
+ $ref: '#/components/schemas/policy.Value'
+ subjectConditionSet:
+ title: subject_condition_set
+ description: the reusable SubjectConditionSet mapped to the given Attribute Value
+ $ref: '#/components/schemas/policy.SubjectConditionSet'
+ actions:
+ type: array
+ items:
+ $ref: '#/components/schemas/policy.Action'
+ title: actions
+ description: The actions permitted by subjects in this mapping
+ namespace:
+ title: namespace
+ description: |-
+ the namespace containing this subject mapping
+ possible this is empty. If so that means
+ the Subject Mapping has not been migrated to a namespace.
+ $ref: '#/components/schemas/policy.Namespace'
+ metadata:
+ title: metadata
+ $ref: '#/components/schemas/common.Metadata'
+ title: SubjectMapping
+ additionalProperties: false
+ description: |-
+ Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute
+ value + action(s) combination
+ policy.SubjectMappingOperatorEnum:
+ type: string
+ title: SubjectMappingOperatorEnum
+ enum:
+ - SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED
+ - SUBJECT_MAPPING_OPERATOR_ENUM_IN
+ - SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN
+ - SUBJECT_MAPPING_OPERATOR_ENUM_IN_CONTAINS
+ policy.SubjectSet:
+ type: object
+ properties:
+ conditionGroups:
+ type: array
+ items:
+ $ref: '#/components/schemas/policy.ConditionGroup'
+ title: condition_groups
+ minItems: 1
+ description: multiple Condition Groups are evaluated with AND logic
+ title: SubjectSet
+ additionalProperties: false
+ description: A collection of Condition Groups
+ policy.Value:
+ type: object
+ properties:
+ id:
+ type: string
+ title: id
+ description: generated uuid in database
+ attribute:
+ title: attribute
+ $ref: '#/components/schemas/policy.Attribute'
+ value:
+ type: string
+ title: value
+ grants:
+ type: array
+ items:
+ $ref: '#/components/schemas/policy.KeyAccessServer'
+ title: grants
+ description: Deprecated KAS grants for the value. Use kas_keys instead.
+ fqn:
+ type: string
+ title: fqn
+ active:
+ title: active
+ description: active by default until explicitly deactivated
+ $ref: '#/components/schemas/google.protobuf.BoolValue'
+ subjectMappings:
+ type: array
+ items:
+ $ref: '#/components/schemas/policy.SubjectMapping'
+ title: subject_mappings
+ description: subject mapping
+ kasKeys:
+ type: array
+ items:
+ $ref: '#/components/schemas/policy.SimpleKasKey'
+ title: kas_keys
+ resourceMappings:
+ type: array
+ items:
+ $ref: '#/components/schemas/policy.ResourceMapping'
+ title: resource_mappings
+ obligations:
+ type: array
+ items:
+ $ref: '#/components/schemas/policy.Obligation'
+ title: obligations
+ metadata:
+ title: metadata
+ description: Common metadata
+ $ref: '#/components/schemas/common.Metadata'
+ title: Value
+ additionalProperties: false
+ policy.dynamicvaluemapping.CreateDynamicValueMappingRequest:
+ type: object
+ allOf:
+ - oneOf:
+ - required:
+ - attributeDefinitionId
+ - required:
+ - attributeDefinitionFqn
+ properties:
+ attributeDefinitionId:
+ type: string
+ title: attribute_definition_id
+ format: uuid
+ attributeDefinitionFqn:
+ type: string
+ title: attribute_definition_fqn
+ minLength: 1
+ format: uri
+ valueResolver:
+ title: value_resolver
+ description: 'Required: the dynamic resolver comparing entity selector result to the resource value segment'
+ $ref: '#/components/schemas/policy.DynamicValueResolver'
+ actions:
+ type: array
+ items:
+ $ref: '#/components/schemas/policy.Action'
+ title: actions
+ minItems: 1
+ description: |
+ Required: actions permitted on a matched value
+ action_name_or_id_not_empty // Action name or ID must not be empty if provided
+ existingSubjectConditionSetId:
+ type: string
+ title: existing_subject_condition_set_id
+ description: |
+ Optional static pre-gate. Reuse an existing SubjectConditionSet (prioritized) ...
+ optional_uuid_format // Optional field must be a valid UUID
+ newSubjectConditionSet:
+ title: new_subject_condition_set
+ description: '... or create a new one (ignored if existing_subject_condition_set_id is provided)'
+ $ref: '#/components/schemas/policy.subjectmapping.SubjectConditionSetCreate'
+ namespaceId:
+ type: string
+ title: namespace_id
+ format: uuid
+ description: 'Optional: namespace ID or FQN for the mapping'
+ namespaceFqn:
+ type: string
+ title: namespace_fqn
+ minLength: 1
+ format: uri
+ metadata:
+ title: metadata
+ description: Optional
+ $ref: '#/components/schemas/common.MetadataMutable'
+ title: CreateDynamicValueMappingRequest
+ required:
+ - valueResolver
+ additionalProperties: false
+ policy.dynamicvaluemapping.CreateDynamicValueMappingResponse:
+ type: object
+ properties:
+ dynamicValueMapping:
+ title: dynamic_value_mapping
+ $ref: '#/components/schemas/policy.DynamicValueMapping'
+ title: CreateDynamicValueMappingResponse
+ additionalProperties: false
+ policy.dynamicvaluemapping.DeleteDynamicValueMappingRequest:
+ type: object
+ properties:
+ id:
+ type: string
+ title: id
+ format: uuid
+ description: Required
+ title: DeleteDynamicValueMappingRequest
+ additionalProperties: false
+ policy.dynamicvaluemapping.DeleteDynamicValueMappingResponse:
+ type: object
+ properties:
+ dynamicValueMapping:
+ title: dynamic_value_mapping
+ description: Only ID of the deleted mapping provided
+ $ref: '#/components/schemas/policy.DynamicValueMapping'
+ title: DeleteDynamicValueMappingResponse
+ additionalProperties: false
+ policy.dynamicvaluemapping.DynamicValueMappingsSort:
+ type: object
+ properties:
+ field:
+ title: field
+ $ref: '#/components/schemas/policy.dynamicvaluemapping.SortDynamicValueMappingsType'
+ direction:
+ title: direction
+ $ref: '#/components/schemas/policy.SortDirection'
+ title: DynamicValueMappingsSort
+ additionalProperties: false
+ policy.dynamicvaluemapping.GetDynamicValueMappingRequest:
+ type: object
+ properties:
+ id:
+ type: string
+ title: id
+ format: uuid
+ description: Required
+ title: GetDynamicValueMappingRequest
+ additionalProperties: false
+ policy.dynamicvaluemapping.GetDynamicValueMappingResponse:
+ type: object
+ properties:
+ dynamicValueMapping:
+ title: dynamic_value_mapping
+ $ref: '#/components/schemas/policy.DynamicValueMapping'
+ title: GetDynamicValueMappingResponse
+ additionalProperties: false
+ policy.dynamicvaluemapping.ListDynamicValueMappingsRequest:
+ type: object
+ properties:
+ namespaceId:
+ type: string
+ title: namespace_id
+ description: |
+ Optional
+ Namespace ID, or Attribute Definition ID to filter by
+ optional_uuid_format // Optional field must be a valid UUID
+ attributeDefinitionId:
+ type: string
+ title: attribute_definition_id
+ description: |
+ optional_uuid_format // Optional field must be a valid UUID
+ pagination:
+ title: pagination
+ description: Optional
+ $ref: '#/components/schemas/policy.PageRequest'
+ sort:
+ type: array
+ items:
+ $ref: '#/components/schemas/policy.dynamicvaluemapping.DynamicValueMappingsSort'
+ title: sort
+ maxItems: 1
+ description: 'Optional - CONSTRAINT: max 1 item'
+ title: ListDynamicValueMappingsRequest
+ additionalProperties: false
+ policy.dynamicvaluemapping.ListDynamicValueMappingsResponse:
+ type: object
+ properties:
+ dynamicValueMappings:
+ type: array
+ items:
+ $ref: '#/components/schemas/policy.DynamicValueMapping'
+ title: dynamic_value_mappings
+ pagination:
+ title: pagination
+ $ref: '#/components/schemas/policy.PageResponse'
+ title: ListDynamicValueMappingsResponse
+ additionalProperties: false
+ policy.dynamicvaluemapping.SortDynamicValueMappingsType:
+ type: string
+ title: SortDynamicValueMappingsType
+ enum:
+ - SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_UNSPECIFIED
+ - SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_CREATED_AT
+ - SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_UPDATED_AT
+ policy.dynamicvaluemapping.UpdateDynamicValueMappingRequest:
+ type: object
+ properties:
+ id:
+ type: string
+ title: id
+ format: uuid
+ description: Required
+ valueResolver:
+ title: value_resolver
+ description: 'Optional: replace the dynamic resolver'
+ $ref: '#/components/schemas/policy.DynamicValueResolver'
+ subjectConditionSetId:
+ type: string
+ title: subject_condition_set_id
+ description: |
+ Optional: replace the static pre-gate SubjectConditionSet by id
+ optional_uuid_format // Optional field must be a valid UUID
+ actions:
+ type: array
+ items:
+ $ref: '#/components/schemas/policy.Action'
+ title: actions
+ description: |
+ Optional: replace the entire list of actions
+ action_name_or_id_not_empty // Action name or ID must not be empty if provided
+ metadata:
+ title: metadata
+ description: Common metadata
+ $ref: '#/components/schemas/common.MetadataMutable'
+ metadataUpdateBehavior:
+ title: metadata_update_behavior
+ $ref: '#/components/schemas/common.MetadataUpdateEnum'
+ title: UpdateDynamicValueMappingRequest
+ additionalProperties: false
+ policy.dynamicvaluemapping.UpdateDynamicValueMappingResponse:
+ type: object
+ properties:
+ dynamicValueMapping:
+ title: dynamic_value_mapping
+ $ref: '#/components/schemas/policy.DynamicValueMapping'
+ title: UpdateDynamicValueMappingResponse
+ additionalProperties: false
+ policy.subjectmapping.SubjectConditionSetCreate:
+ type: object
+ properties:
+ subjectSets:
+ type: array
+ items:
+ $ref: '#/components/schemas/policy.SubjectSet'
+ title: subject_sets
+ minItems: 1
+ description: Required
+ metadata:
+ title: metadata
+ description: |-
+ Optional
+ Common metadata
+ $ref: '#/components/schemas/common.MetadataMutable'
+ title: SubjectConditionSetCreate
+ additionalProperties: false
+security: []
+tags:
+ - name: policy.dynamicvaluemapping.DynamicValueMappingService
diff --git a/docs/openapi/policy/objects.openapi.yaml b/docs/openapi/policy/objects.openapi.yaml
index 6bef650b76..2be6d6e904 100644
--- a/docs/openapi/policy/objects.openapi.yaml
+++ b/docs/openapi/policy/objects.openapi.yaml
@@ -368,6 +368,83 @@ components:
- booleanOperator
additionalProperties: false
description: A collection of Conditions evaluated by the boolean_operator provided
+ policy.DynamicValueMapping:
+ type: object
+ properties:
+ id:
+ type: string
+ title: id
+ attributeDefinition:
+ title: attribute_definition
+ description: the Attribute Definition whose values are entitled dynamically
+ $ref: '#/components/schemas/policy.Attribute'
+ valueResolver:
+ title: value_resolver
+ description: the dynamic resolver matched against the requested resource value segment
+ $ref: '#/components/schemas/policy.DynamicValueResolver'
+ subjectConditionSet:
+ title: subject_condition_set
+ description: |-
+ optional static pre-gate on the entity, evaluated with normal SubjectConditionSet
+ semantics (no dynamic overload). When present, both the gate and the resolver must
+ pass for entitlement.
+ $ref: '#/components/schemas/policy.SubjectConditionSet'
+ actions:
+ type: array
+ items:
+ $ref: '#/components/schemas/policy.Action'
+ title: actions
+ description: the actions permitted by subjects in this mapping
+ namespace:
+ title: namespace
+ description: the namespace containing this mapping
+ $ref: '#/components/schemas/policy.Namespace'
+ metadata:
+ title: metadata
+ $ref: '#/components/schemas/common.Metadata'
+ title: DynamicValueMapping
+ additionalProperties: false
+ description: |-
+ Dynamic Value Mapping: a Policy assigning permitted action(s) to
+ dynamically-requested values under an Attribute Definition. It raises entitlement
+ authority from a concrete Attribute Value to the Attribute Definition: at decision time
+ the value_resolver compares the requested resource value segment against the entity
+ representation, avoiding pre-provisioning a value + subject mapping per discrete value.
+ policy.DynamicValueOperatorEnum:
+ type: string
+ title: DynamicValueOperatorEnum
+ enum:
+ - DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED
+ - DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN
+ - DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS
+ description: |-
+ Operators for dynamic, definition-level value entitlement. Unlike
+ SubjectMappingOperatorEnum, whose right-hand operand is a static list authored into
+ policy, a DynamicValueOperatorEnum's right-hand operand is the requested resource's
+ attribute value segment, supplied at decision time. Each value is the inversion of its
+ static SubjectMappingOperatorEnum counterpart.
+ policy.DynamicValueResolver:
+ type: object
+ properties:
+ subjectExternalSelectorValue:
+ type: string
+ title: subject_external_selector_value
+ description: |-
+ a selector for a field value on a flattened Entity Representation (such as from
+ idP/LDAP), e.g. ".patientAssignments[]"
+ operator:
+ title: operator
+ description: the dynamic operator comparing the selector result to the resource value segment
+ $ref: '#/components/schemas/policy.DynamicValueOperatorEnum'
+ title: DynamicValueResolver
+ required:
+ - subjectExternalSelectorValue
+ - operator
+ additionalProperties: false
+ description: |-
+ Definition Value Resolver: the dynamic half of a DynamicValueMapping. It
+ resolves a selector against the entity representation and compares the result to the
+ requested resource value segment using a DynamicValueOperatorEnum.
policy.KasKey:
type: object
properties:
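Review bot: `policy.DynamicValueResolver` lists `operator` and `subjectExternalSelectorValue` as required, but the schema still accepts `DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED` and an empty selector string, so a resolver with no defined comparison passes schema validation. Because `subjectConditionSet` on `policy.DynamicValueMapping` is an optional pre-gate, the resolver can be the only check between an entity and the mapped actions, and how the evaluator treats an unspecified operator is not visible in this diff. I would add `not: {enum: [DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED]}` under `operator` and `minLength: 1` under `subjectExternalSelectorValue`, matching how `alg` on `policy.KasPublicKey` and `clientId` on `policy.PolicyEnforcementPoint` are constrained elsewhere in this diff; if this YAML is generated, the rules belong in the source proto's validation options instead. The same resolver schema is repeated in the other OpenAPI file this commit adds, so the fix applies there as well.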
@@ -989,6 +1066,7 @@ components:
authoritative source such as an IDP (Identity Provider) or User Store.
Examples include such ADFS/LDAP, OKTA, etc. For now, a valid property must
contain both a selector expression & a resulting value.
+
The external_selector_value is a specifier to select a value from a flattened
external representation of an Entity (such as from idP/LDAP), and the
external_value is the value selected by the external_selector_value on that
diff --git a/docs/openapi/policy/subjectmapping/subject_mapping.openapi.yaml b/docs/openapi/policy/subjectmapping/subject_mapping.openapi.yaml
index 10e2ebeb84..a988610cbb 100644
--- a/docs/openapi/policy/subjectmapping/subject_mapping.openapi.yaml
+++ b/docs/openapi/policy/subjectmapping/subject_mapping.openapi.yaml
@@ -1348,6 +1348,7 @@ components:
authoritative source such as an IDP (Identity Provider) or User Store.
Examples include such ADFS/LDAP, OKTA, etc. For now, a valid property must
contain both a selector expression & a resulting value.
+
The external_selector_value is a specifier to select a value from a flattened
external representation of an Entity (such as from idP/LDAP), and the
external_value is the value selected by the external_selector_value on that
diff --git a/protocol/go/policy/dynamicvaluemapping/dynamic_value_mapping.pb.go b/protocol/go/policy/dynamicvaluemapping/dynamic_value_mapping.pb.go
new file mode 100644
index 0000000000..07d2e2d39e
--- /dev/null
+++ b/protocol/go/policy/dynamicvaluemapping/dynamic_value_mapping.pb.go
@@ -0,0 +1,1293 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// protoc-gen-go v1.33.0
+// protoc (unknown)
+// source: policy/dynamicvaluemapping/dynamic_value_mapping.proto
+
+package dynamicvaluemapping
+
+import (
+ _ "buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go/buf/validate"
+ common "github.com/opentdf/platform/protocol/go/common"
+ policy "github.com/opentdf/platform/protocol/go/policy"
+ subjectmapping "github.com/opentdf/platform/protocol/go/policy/subjectmapping"
+ protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+ protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+ reflect "reflect"
+ sync "sync"
+)
+
+const (
+ // Verify that this generated code is sufficiently up-to-date.
+ _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+ // Verify that runtime/protoimpl is sufficiently up-to-date.
+ _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type SortDynamicValueMappingsType int32
+
+const (
+ SortDynamicValueMappingsType_SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_UNSPECIFIED SortDynamicValueMappingsType = 0
+ SortDynamicValueMappingsType_SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_CREATED_AT SortDynamicValueMappingsType = 1
+ SortDynamicValueMappingsType_SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_UPDATED_AT SortDynamicValueMappingsType = 2
+)
+
+// Enum value maps for SortDynamicValueMappingsType.
+var (
+ SortDynamicValueMappingsType_name = map[int32]string{
+ 0: "SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_UNSPECIFIED",
+ 1: "SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_CREATED_AT",
+ 2: "SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_UPDATED_AT",
+ }
+ SortDynamicValueMappingsType_value = map[string]int32{
+ "SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_UNSPECIFIED": 0,
+ "SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_CREATED_AT": 1,
+ "SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_UPDATED_AT": 2,
+ }
+)
+
+func (x SortDynamicValueMappingsType) Enum() *SortDynamicValueMappingsType {
+ p := new(SortDynamicValueMappingsType)
+ *p = x
+ return p
+}
+
+func (x SortDynamicValueMappingsType) String() string {
+ return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (SortDynamicValueMappingsType) Descriptor() protoreflect.EnumDescriptor {
+ return file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_enumTypes[0].Descriptor()
+}
+
+func (SortDynamicValueMappingsType) Type() protoreflect.EnumType {
+ return &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_enumTypes[0]
+}
+
+func (x SortDynamicValueMappingsType) Number() protoreflect.EnumNumber {
+ return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Use SortDynamicValueMappingsType.Descriptor instead.
+func (SortDynamicValueMappingsType) EnumDescriptor() ([]byte, []int) {
+ return file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescGZIP(), []int{0}
+}
+
+type GetDynamicValueMappingRequest struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ // Required
+ Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
+}
+
+func (x *GetDynamicValueMappingRequest) Reset() {
+ *x = GetDynamicValueMappingRequest{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[0]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *GetDynamicValueMappingRequest) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetDynamicValueMappingRequest) ProtoMessage() {}
+
+func (x *GetDynamicValueMappingRequest) ProtoReflect() protoreflect.Message {
+ mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[0]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetDynamicValueMappingRequest.ProtoReflect.Descriptor instead.
+func (*GetDynamicValueMappingRequest) Descriptor() ([]byte, []int) {
+ return file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *GetDynamicValueMappingRequest) GetId() string {
+ if x != nil {
+ return x.Id
+ }
+ return ""
+}
+
+type GetDynamicValueMappingResponse struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ DynamicValueMapping *policy.DynamicValueMapping `protobuf:"bytes,1,opt,name=dynamic_value_mapping,json=dynamicValueMapping,proto3" json:"dynamic_value_mapping,omitempty"`
+}
+
+func (x *GetDynamicValueMappingResponse) Reset() {
+ *x = GetDynamicValueMappingResponse{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[1]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *GetDynamicValueMappingResponse) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetDynamicValueMappingResponse) ProtoMessage() {}
+
+func (x *GetDynamicValueMappingResponse) ProtoReflect() protoreflect.Message {
+ mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[1]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetDynamicValueMappingResponse.ProtoReflect.Descriptor instead.
+func (*GetDynamicValueMappingResponse) Descriptor() ([]byte, []int) {
+ return file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *GetDynamicValueMappingResponse) GetDynamicValueMapping() *policy.DynamicValueMapping {
+ if x != nil {
+ return x.DynamicValueMapping
+ }
+ return nil
+}
+
+type DynamicValueMappingsSort struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ Field SortDynamicValueMappingsType `protobuf:"varint,1,opt,name=field,proto3,enum=policy.dynamicvaluemapping.SortDynamicValueMappingsType" json:"field,omitempty"`
+ Direction policy.SortDirection `protobuf:"varint,2,opt,name=direction,proto3,enum=policy.SortDirection" json:"direction,omitempty"`
+}
+
+func (x *DynamicValueMappingsSort) Reset() {
+ *x = DynamicValueMappingsSort{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[2]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *DynamicValueMappingsSort) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*DynamicValueMappingsSort) ProtoMessage() {}
+
+func (x *DynamicValueMappingsSort) ProtoReflect() protoreflect.Message {
+ mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[2]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use DynamicValueMappingsSort.ProtoReflect.Descriptor instead.
+func (*DynamicValueMappingsSort) Descriptor() ([]byte, []int) {
+ return file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescGZIP(), []int{2}
+}
+
+func (x *DynamicValueMappingsSort) GetField() SortDynamicValueMappingsType {
+ if x != nil {
+ return x.Field
+ }
+ return SortDynamicValueMappingsType_SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_UNSPECIFIED
+}
+
+func (x *DynamicValueMappingsSort) GetDirection() policy.SortDirection {
+ if x != nil {
+ return x.Direction
+ }
+ return policy.SortDirection(0)
+}
+
+type ListDynamicValueMappingsRequest struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ // Optional
+ // Namespace ID, or Attribute Definition ID to filter by
+ NamespaceId string `protobuf:"bytes,1,opt,name=namespace_id,json=namespaceId,proto3" json:"namespace_id,omitempty"`
+ AttributeDefinitionId string `protobuf:"bytes,2,opt,name=attribute_definition_id,json=attributeDefinitionId,proto3" json:"attribute_definition_id,omitempty"`
+ // Optional
+ Pagination *policy.PageRequest `protobuf:"bytes,10,opt,name=pagination,proto3" json:"pagination,omitempty"`
+ // Optional - CONSTRAINT: max 1 item
+ Sort []*DynamicValueMappingsSort `protobuf:"bytes,11,rep,name=sort,proto3" json:"sort,omitempty"`
+}
+
+func (x *ListDynamicValueMappingsRequest) Reset() {
+ *x = ListDynamicValueMappingsRequest{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[3]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *ListDynamicValueMappingsRequest) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ListDynamicValueMappingsRequest) ProtoMessage() {}
+
+func (x *ListDynamicValueMappingsRequest) ProtoReflect() protoreflect.Message {
+ mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[3]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use ListDynamicValueMappingsRequest.ProtoReflect.Descriptor instead.
+func (*ListDynamicValueMappingsRequest) Descriptor() ([]byte, []int) {
+ return file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescGZIP(), []int{3}
+}
+
+func (x *ListDynamicValueMappingsRequest) GetNamespaceId() string {
+ if x != nil {
+ return x.NamespaceId
+ }
+ return ""
+}
+
+func (x *ListDynamicValueMappingsRequest) GetAttributeDefinitionId() string {
+ if x != nil {
+ return x.AttributeDefinitionId
+ }
+ return ""
+}
+
+func (x *ListDynamicValueMappingsRequest) GetPagination() *policy.PageRequest {
+ if x != nil {
+ return x.Pagination
+ }
+ return nil
+}
+
+func (x *ListDynamicValueMappingsRequest) GetSort() []*DynamicValueMappingsSort {
+ if x != nil {
+ return x.Sort
+ }
+ return nil
+}
+
+type ListDynamicValueMappingsResponse struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ DynamicValueMappings []*policy.DynamicValueMapping `protobuf:"bytes,1,rep,name=dynamic_value_mappings,json=dynamicValueMappings,proto3" json:"dynamic_value_mappings,omitempty"`
+ Pagination *policy.PageResponse `protobuf:"bytes,10,opt,name=pagination,proto3" json:"pagination,omitempty"`
+}
+
+func (x *ListDynamicValueMappingsResponse) Reset() {
+ *x = ListDynamicValueMappingsResponse{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[4]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *ListDynamicValueMappingsResponse) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ListDynamicValueMappingsResponse) ProtoMessage() {}
+
+func (x *ListDynamicValueMappingsResponse) ProtoReflect() protoreflect.Message {
+ mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[4]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use ListDynamicValueMappingsResponse.ProtoReflect.Descriptor instead.
+func (*ListDynamicValueMappingsResponse) Descriptor() ([]byte, []int) {
+ return file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescGZIP(), []int{4}
+}
+
+func (x *ListDynamicValueMappingsResponse) GetDynamicValueMappings() []*policy.DynamicValueMapping {
+ if x != nil {
+ return x.DynamicValueMappings
+ }
+ return nil
+}
+
+func (x *ListDynamicValueMappingsResponse) GetPagination() *policy.PageResponse {
+ if x != nil {
+ return x.Pagination
+ }
+ return nil
+}
+
+type CreateDynamicValueMappingRequest struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ AttributeDefinitionId string `protobuf:"bytes,1,opt,name=attribute_definition_id,json=attributeDefinitionId,proto3" json:"attribute_definition_id,omitempty"`
+ AttributeDefinitionFqn string `protobuf:"bytes,2,opt,name=attribute_definition_fqn,json=attributeDefinitionFqn,proto3" json:"attribute_definition_fqn,omitempty"`
+ // Required: the dynamic resolver comparing entity selector result to the resource value segment
+ ValueResolver *policy.DynamicValueResolver `protobuf:"bytes,3,opt,name=value_resolver,json=valueResolver,proto3" json:"value_resolver,omitempty"`
+ // Required: actions permitted on a matched value
+ Actions []*policy.Action `protobuf:"bytes,4,rep,name=actions,proto3" json:"actions,omitempty"`
+ // Optional static pre-gate. Reuse an existing SubjectConditionSet (prioritized) ...
+ ExistingSubjectConditionSetId string `protobuf:"bytes,5,opt,name=existing_subject_condition_set_id,json=existingSubjectConditionSetId,proto3" json:"existing_subject_condition_set_id,omitempty"`
+ // ... or create a new one (ignored if existing_subject_condition_set_id is provided)
+ NewSubjectConditionSet *subjectmapping.SubjectConditionSetCreate `protobuf:"bytes,6,opt,name=new_subject_condition_set,json=newSubjectConditionSet,proto3" json:"new_subject_condition_set,omitempty"`
+ // Optional: namespace ID or FQN for the mapping
+ NamespaceId string `protobuf:"bytes,7,opt,name=namespace_id,json=namespaceId,proto3" json:"namespace_id,omitempty"`
+ NamespaceFqn string `protobuf:"bytes,8,opt,name=namespace_fqn,json=namespaceFqn,proto3" json:"namespace_fqn,omitempty"`
+ // Optional
+ Metadata *common.MetadataMutable `protobuf:"bytes,100,opt,name=metadata,proto3" json:"metadata,omitempty"`
+}
+
+func (x *CreateDynamicValueMappingRequest) Reset() {
+ *x = CreateDynamicValueMappingRequest{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[5]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *CreateDynamicValueMappingRequest) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*CreateDynamicValueMappingRequest) ProtoMessage() {}
+
+func (x *CreateDynamicValueMappingRequest) ProtoReflect() protoreflect.Message {
+ mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[5]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use CreateDynamicValueMappingRequest.ProtoReflect.Descriptor instead.
+func (*CreateDynamicValueMappingRequest) Descriptor() ([]byte, []int) {
+ return file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescGZIP(), []int{5}
+}
+
+func (x *CreateDynamicValueMappingRequest) GetAttributeDefinitionId() string {
+ if x != nil {
+ return x.AttributeDefinitionId
+ }
+ return ""
+}
+
+func (x *CreateDynamicValueMappingRequest) GetAttributeDefinitionFqn() string {
+ if x != nil {
+ return x.AttributeDefinitionFqn
+ }
+ return ""
+}
+
+func (x *CreateDynamicValueMappingRequest) GetValueResolver() *policy.DynamicValueResolver {
+ if x != nil {
+ return x.ValueResolver
+ }
+ return nil
+}
+
+func (x *CreateDynamicValueMappingRequest) GetActions() []*policy.Action {
+ if x != nil {
+ return x.Actions
+ }
+ return nil
+}
+
+func (x *CreateDynamicValueMappingRequest) GetExistingSubjectConditionSetId() string {
+ if x != nil {
+ return x.ExistingSubjectConditionSetId
+ }
+ return ""
+}
+
+func (x *CreateDynamicValueMappingRequest) GetNewSubjectConditionSet() *subjectmapping.SubjectConditionSetCreate {
+ if x != nil {
+ return x.NewSubjectConditionSet
+ }
+ return nil
+}
+
+func (x *CreateDynamicValueMappingRequest) GetNamespaceId() string {
+ if x != nil {
+ return x.NamespaceId
+ }
+ return ""
+}
+
+func (x *CreateDynamicValueMappingRequest) GetNamespaceFqn() string {
+ if x != nil {
+ return x.NamespaceFqn
+ }
+ return ""
+}
+
+func (x *CreateDynamicValueMappingRequest) GetMetadata() *common.MetadataMutable {
+ if x != nil {
+ return x.Metadata
+ }
+ return nil
+}
+
+type CreateDynamicValueMappingResponse struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ DynamicValueMapping *policy.DynamicValueMapping `protobuf:"bytes,1,opt,name=dynamic_value_mapping,json=dynamicValueMapping,proto3" json:"dynamic_value_mapping,omitempty"`
+}
+
+func (x *CreateDynamicValueMappingResponse) Reset() {
+ *x = CreateDynamicValueMappingResponse{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[6]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *CreateDynamicValueMappingResponse) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*CreateDynamicValueMappingResponse) ProtoMessage() {}
+
+func (x *CreateDynamicValueMappingResponse) ProtoReflect() protoreflect.Message {
+ mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[6]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use CreateDynamicValueMappingResponse.ProtoReflect.Descriptor instead.
+func (*CreateDynamicValueMappingResponse) Descriptor() ([]byte, []int) {
+ return file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescGZIP(), []int{6}
+}
+
+func (x *CreateDynamicValueMappingResponse) GetDynamicValueMapping() *policy.DynamicValueMapping {
+ if x != nil {
+ return x.DynamicValueMapping
+ }
+ return nil
+}
+
+type UpdateDynamicValueMappingRequest struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ // Required
+ Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
+ // Optional: replace the dynamic resolver
+ ValueResolver *policy.DynamicValueResolver `protobuf:"bytes,2,opt,name=value_resolver,json=valueResolver,proto3" json:"value_resolver,omitempty"`
+ // Optional: replace the static pre-gate SubjectConditionSet by id
+ SubjectConditionSetId string `protobuf:"bytes,3,opt,name=subject_condition_set_id,json=subjectConditionSetId,proto3" json:"subject_condition_set_id,omitempty"`
+ // Optional: replace the entire list of actions
+ Actions []*policy.Action `protobuf:"bytes,4,rep,name=actions,proto3" json:"actions,omitempty"`
+ // Common metadata
+ Metadata *common.MetadataMutable `protobuf:"bytes,100,opt,name=metadata,proto3" json:"metadata,omitempty"`
+ MetadataUpdateBehavior common.MetadataUpdateEnum `protobuf:"varint,101,opt,name=metadata_update_behavior,json=metadataUpdateBehavior,proto3,enum=common.MetadataUpdateEnum" json:"metadata_update_behavior,omitempty"`
+}
+
+func (x *UpdateDynamicValueMappingRequest) Reset() {
+ *x = UpdateDynamicValueMappingRequest{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[7]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *UpdateDynamicValueMappingRequest) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*UpdateDynamicValueMappingRequest) ProtoMessage() {}
+
+func (x *UpdateDynamicValueMappingRequest) ProtoReflect() protoreflect.Message {
+ mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[7]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use UpdateDynamicValueMappingRequest.ProtoReflect.Descriptor instead.
+func (*UpdateDynamicValueMappingRequest) Descriptor() ([]byte, []int) {
+ return file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescGZIP(), []int{7}
+}
+
+func (x *UpdateDynamicValueMappingRequest) GetId() string {
+ if x != nil {
+ return x.Id
+ }
+ return ""
+}
+
+func (x *UpdateDynamicValueMappingRequest) GetValueResolver() *policy.DynamicValueResolver {
+ if x != nil {
+ return x.ValueResolver
+ }
+ return nil
+}
+
+func (x *UpdateDynamicValueMappingRequest) GetSubjectConditionSetId() string {
+ if x != nil {
+ return x.SubjectConditionSetId
+ }
+ return ""
+}
+
+func (x *UpdateDynamicValueMappingRequest) GetActions() []*policy.Action {
+ if x != nil {
+ return x.Actions
+ }
+ return nil
+}
+
+func (x *UpdateDynamicValueMappingRequest) GetMetadata() *common.MetadataMutable {
+ if x != nil {
+ return x.Metadata
+ }
+ return nil
+}
+
+func (x *UpdateDynamicValueMappingRequest) GetMetadataUpdateBehavior() common.MetadataUpdateEnum {
+ if x != nil {
+ return x.MetadataUpdateBehavior
+ }
+ return common.MetadataUpdateEnum(0)
+}
+
+type UpdateDynamicValueMappingResponse struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ DynamicValueMapping *policy.DynamicValueMapping `protobuf:"bytes,1,opt,name=dynamic_value_mapping,json=dynamicValueMapping,proto3" json:"dynamic_value_mapping,omitempty"`
+}
+
+func (x *UpdateDynamicValueMappingResponse) Reset() {
+ *x = UpdateDynamicValueMappingResponse{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[8]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *UpdateDynamicValueMappingResponse) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*UpdateDynamicValueMappingResponse) ProtoMessage() {}
+
+func (x *UpdateDynamicValueMappingResponse) ProtoReflect() protoreflect.Message {
+ mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[8]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use UpdateDynamicValueMappingResponse.ProtoReflect.Descriptor instead.
+func (*UpdateDynamicValueMappingResponse) Descriptor() ([]byte, []int) {
+ return file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescGZIP(), []int{8}
+}
+
+func (x *UpdateDynamicValueMappingResponse) GetDynamicValueMapping() *policy.DynamicValueMapping {
+ if x != nil {
+ return x.DynamicValueMapping
+ }
+ return nil
+}
+
+type DeleteDynamicValueMappingRequest struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ // Required
+ Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
+}
+
+func (x *DeleteDynamicValueMappingRequest) Reset() {
+ *x = DeleteDynamicValueMappingRequest{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[9]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *DeleteDynamicValueMappingRequest) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*DeleteDynamicValueMappingRequest) ProtoMessage() {}
+
+func (x *DeleteDynamicValueMappingRequest) ProtoReflect() protoreflect.Message {
+ mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[9]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use DeleteDynamicValueMappingRequest.ProtoReflect.Descriptor instead.
+func (*DeleteDynamicValueMappingRequest) Descriptor() ([]byte, []int) {
+ return file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescGZIP(), []int{9}
+}
+
+func (x *DeleteDynamicValueMappingRequest) GetId() string {
+ if x != nil {
+ return x.Id
+ }
+ return ""
+}
+
+type DeleteDynamicValueMappingResponse struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ // Only ID of the deleted mapping provided
+ DynamicValueMapping *policy.DynamicValueMapping `protobuf:"bytes,1,opt,name=dynamic_value_mapping,json=dynamicValueMapping,proto3" json:"dynamic_value_mapping,omitempty"`
+}
+
+func (x *DeleteDynamicValueMappingResponse) Reset() {
+ *x = DeleteDynamicValueMappingResponse{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[10]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *DeleteDynamicValueMappingResponse) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*DeleteDynamicValueMappingResponse) ProtoMessage() {}
+
+func (x *DeleteDynamicValueMappingResponse) ProtoReflect() protoreflect.Message {
+ mi := &file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[10]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use DeleteDynamicValueMappingResponse.ProtoReflect.Descriptor instead.
+func (*DeleteDynamicValueMappingResponse) Descriptor() ([]byte, []int) {
+ return file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescGZIP(), []int{10}
+}
+
+func (x *DeleteDynamicValueMappingResponse) GetDynamicValueMapping() *policy.DynamicValueMapping {
+ if x != nil {
+ return x.DynamicValueMapping
+ }
+ return nil
+}
+
+var File_policy_dynamicvaluemapping_dynamic_value_mapping_proto protoreflect.FileDescriptor
+
+var file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDesc = []byte{
+ 0x0a, 0x36, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63,
+ 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2f, 0x64, 0x79, 0x6e,
+ 0x61, 0x6d, 0x69, 0x63, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69,
+ 0x6e, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1a, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79,
+ 0x2e, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70,
+ 0x70, 0x69, 0x6e, 0x67, 0x1a, 0x1b, 0x62, 0x75, 0x66, 0x2f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61,
+ 0x74, 0x65, 0x2f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
+ 0x6f, 0x1a, 0x13, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e,
+ 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x14, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x6f,
+ 0x62, 0x6a, 0x65, 0x63, 0x74, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x16, 0x70, 0x6f,
+ 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x2e, 0x70,
+ 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x2b, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x73, 0x75, 0x62,
+ 0x6a, 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2f, 0x73, 0x75, 0x62, 0x6a,
+ 0x65, 0x63, 0x74, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74,
+ 0x6f, 0x22, 0x39, 0x0a, 0x1d, 0x47, 0x65, 0x74, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56,
+ 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65,
+ 0x73, 0x74, 0x12, 0x18, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x08,
+ 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, 0x52, 0x02, 0x69, 0x64, 0x22, 0x71, 0x0a, 0x1e,
+ 0x47, 0x65, 0x74, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d,
+ 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x4f,
+ 0x0a, 0x15, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f,
+ 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e,
+ 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61,
+ 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x13, 0x64, 0x79, 0x6e, 0x61,
+ 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x22,
+ 0xb3, 0x01, 0x0a, 0x18, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65,
+ 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x53, 0x6f, 0x72, 0x74, 0x12, 0x58, 0x0a, 0x05,
+ 0x66, 0x69, 0x65, 0x6c, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x38, 0x2e, 0x70, 0x6f,
+ 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75,
+ 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x53, 0x6f, 0x72, 0x74, 0x44, 0x79, 0x6e,
+ 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67,
+ 0x73, 0x54, 0x79, 0x70, 0x65, 0x42, 0x08, 0xba, 0x48, 0x05, 0x82, 0x01, 0x02, 0x10, 0x01, 0x52,
+ 0x05, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x12, 0x3d, 0x0a, 0x09, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74,
+ 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x15, 0x2e, 0x70, 0x6f, 0x6c, 0x69,
+ 0x63, 0x79, 0x2e, 0x53, 0x6f, 0x72, 0x74, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e,
+ 0x42, 0x08, 0xba, 0x48, 0x05, 0x82, 0x01, 0x02, 0x10, 0x01, 0x52, 0x09, 0x64, 0x69, 0x72, 0x65,
+ 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0xf3, 0x04, 0x0a, 0x1f, 0x4c, 0x69, 0x73, 0x74, 0x44, 0x79,
+ 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e,
+ 0x67, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0xd7, 0x01, 0x0a, 0x0c, 0x6e, 0x61,
+ 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
+ 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, 0xab, 0x01, 0x0a, 0x14, 0x6f, 0x70, 0x74,
+ 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61,
+ 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x66, 0x69, 0x65, 0x6c,
+ 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69,
+ 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x74, 0x68, 0x69,
+ 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 0x69, 0x73, 0x2e,
+ 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66,
+ 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41,
+ 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d,
+ 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46,
+ 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d,
+ 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, 0x52, 0x0b, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63,
+ 0x65, 0x49, 0x64, 0x12, 0xec, 0x01, 0x0a, 0x17, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74,
+ 0x65, 0x5f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x18,
+ 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, 0x01, 0xba, 0x01, 0xab, 0x01,
+ 0x0a, 0x14, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x5f,
+ 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c,
+ 0x20, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62, 0x65, 0x20, 0x61,
+ 0x20, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, 0x1a, 0x6e, 0x73, 0x69, 0x7a,
+ 0x65, 0x28, 0x74, 0x68, 0x69, 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20,
+ 0x74, 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x28, 0x27, 0x5b, 0x30,
+ 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, 0x7d, 0x2d, 0x5b, 0x30, 0x2d,
+ 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39,
+ 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61,
+ 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d,
+ 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, 0x52, 0x15, 0x61, 0x74, 0x74,
+ 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e,
+ 0x49, 0x64, 0x12, 0x33, 0x0a, 0x0a, 0x70, 0x61, 0x67, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e,
+ 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e,
+ 0x50, 0x61, 0x67, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x52, 0x0a, 0x70, 0x61, 0x67,
+ 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x52, 0x0a, 0x04, 0x73, 0x6f, 0x72, 0x74, 0x18,
+ 0x0b, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x34, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64,
+ 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69,
+ 0x6e, 0x67, 0x2e, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d,
+ 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x53, 0x6f, 0x72, 0x74, 0x42, 0x08, 0xba, 0x48, 0x05,
+ 0x92, 0x01, 0x02, 0x10, 0x01, 0x52, 0x04, 0x73, 0x6f, 0x72, 0x74, 0x22, 0xab, 0x01, 0x0a, 0x20,
+ 0x4c, 0x69, 0x73, 0x74, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65,
+ 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
+ 0x12, 0x51, 0x0a, 0x16, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x5f, 0x76, 0x61, 0x6c, 0x75,
+ 0x65, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b,
+ 0x32, 0x1b, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69,
+ 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x14, 0x64,
+ 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69,
+ 0x6e, 0x67, 0x73, 0x12, 0x34, 0x0a, 0x0a, 0x70, 0x61, 0x67, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f,
+ 0x6e, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79,
+ 0x2e, 0x50, 0x61, 0x67, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x52, 0x0a, 0x70,
+ 0x61, 0x67, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x90, 0x08, 0x0a, 0x20, 0x43, 0x72,
+ 0x65, 0x61, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65,
+ 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x40,
+ 0x0a, 0x17, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x64, 0x65, 0x66, 0x69,
+ 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42,
+ 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, 0x52, 0x15, 0x61, 0x74, 0x74, 0x72, 0x69,
+ 0x62, 0x75, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x64,
+ 0x12, 0x44, 0x0a, 0x18, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x64, 0x65,
+ 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x66, 0x71, 0x6e, 0x18, 0x02, 0x20, 0x01,
+ 0x28, 0x09, 0x42, 0x0a, 0xba, 0x48, 0x07, 0x72, 0x05, 0x10, 0x01, 0x88, 0x01, 0x01, 0x52, 0x16,
+ 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74,
+ 0x69, 0x6f, 0x6e, 0x46, 0x71, 0x6e, 0x12, 0x4b, 0x0a, 0x0e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f,
+ 0x72, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c,
+ 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56,
+ 0x61, 0x6c, 0x75, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x42, 0x06, 0xba, 0x48,
+ 0x03, 0xc8, 0x01, 0x01, 0x52, 0x0d, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x6c,
+ 0x76, 0x65, 0x72, 0x12, 0xb8, 0x01, 0x0a, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18,
+ 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41,
+ 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x8d, 0x01, 0xba, 0x48, 0x89, 0x01, 0xba, 0x01, 0x80, 0x01,
+ 0x0a, 0x1b, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x5f, 0x6f, 0x72,
+ 0x5f, 0x69, 0x64, 0x5f, 0x6e, 0x6f, 0x74, 0x5f, 0x65, 0x6d, 0x70, 0x74, 0x79, 0x12, 0x2f, 0x41,
+ 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x6e, 0x61, 0x6d, 0x65, 0x20, 0x6f, 0x72, 0x20, 0x49, 0x44,
+ 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x6e, 0x6f, 0x74, 0x20, 0x62, 0x65, 0x20, 0x65, 0x6d, 0x70,
+ 0x74, 0x79, 0x20, 0x69, 0x66, 0x20, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x64, 0x1a, 0x30,
+ 0x74, 0x68, 0x69, 0x73, 0x2e, 0x61, 0x6c, 0x6c, 0x28, 0x69, 0x74, 0x65, 0x6d, 0x2c, 0x20, 0x69,
+ 0x74, 0x65, 0x6d, 0x2e, 0x6e, 0x61, 0x6d, 0x65, 0x20, 0x21, 0x3d, 0x20, 0x27, 0x27, 0x20, 0x7c,
+ 0x7c, 0x20, 0x69, 0x74, 0x65, 0x6d, 0x2e, 0x69, 0x64, 0x20, 0x21, 0x3d, 0x20, 0x27, 0x27, 0x29,
+ 0x92, 0x01, 0x02, 0x08, 0x01, 0x52, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0xfe,
+ 0x01, 0x0a, 0x21, 0x65, 0x78, 0x69, 0x73, 0x74, 0x69, 0x6e, 0x67, 0x5f, 0x73, 0x75, 0x62, 0x6a,
+ 0x65, 0x63, 0x74, 0x5f, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65,
+ 0x74, 0x5f, 0x69, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf,
+ 0x01, 0xba, 0x01, 0xab, 0x01, 0x0a, 0x14, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f,
+ 0x75, 0x75, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74,
+ 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74,
+ 0x20, 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, 0x55, 0x49, 0x44,
+ 0x1a, 0x6e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x74, 0x68, 0x69, 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20,
+ 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65,
+ 0x73, 0x28, 0x27, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38,
+ 0x7d, 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d,
+ 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d,
+ 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b,
+ 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29,
+ 0x52, 0x1d, 0x65, 0x78, 0x69, 0x73, 0x74, 0x69, 0x6e, 0x67, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63,
+ 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x49, 0x64, 0x12,
+ 0x6b, 0x0a, 0x19, 0x6e, 0x65, 0x77, 0x5f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x63,
+ 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x74, 0x18, 0x06, 0x20, 0x01,
+ 0x28, 0x0b, 0x32, 0x30, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x75, 0x62, 0x6a,
+ 0x65, 0x63, 0x74, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65,
+ 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x43, 0x72,
+ 0x65, 0x61, 0x74, 0x65, 0x52, 0x16, 0x6e, 0x65, 0x77, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74,
+ 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x12, 0x2b, 0x0a, 0x0c,
+ 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x07, 0x20, 0x01,
+ 0x28, 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, 0x52, 0x0b, 0x6e, 0x61,
+ 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x49, 0x64, 0x12, 0x2f, 0x0a, 0x0d, 0x6e, 0x61, 0x6d,
+ 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x66, 0x71, 0x6e, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09,
+ 0x42, 0x0a, 0xba, 0x48, 0x07, 0x72, 0x05, 0x10, 0x01, 0x88, 0x01, 0x01, 0x52, 0x0c, 0x6e, 0x61,
+ 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x46, 0x71, 0x6e, 0x12, 0x33, 0x0a, 0x08, 0x6d, 0x65,
+ 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x63,
+ 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x4d, 0x75,
+ 0x74, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x3a,
+ 0x5b, 0xba, 0x48, 0x58, 0x22, 0x35, 0x0a, 0x17, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74,
+ 0x65, 0x5f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x0a,
+ 0x18, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x5f, 0x64, 0x65, 0x66, 0x69, 0x6e,
+ 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x66, 0x71, 0x6e, 0x10, 0x01, 0x22, 0x1f, 0x0a, 0x0c, 0x6e,
+ 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x0a, 0x0d, 0x6e, 0x61, 0x6d,
+ 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x66, 0x71, 0x6e, 0x10, 0x00, 0x22, 0x74, 0x0a, 0x21,
+ 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c,
+ 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+ 0x65, 0x12, 0x4f, 0x0a, 0x15, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x5f, 0x76, 0x61, 0x6c,
+ 0x75, 0x65, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b,
+ 0x32, 0x1b, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69,
+ 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x13, 0x64,
+ 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69,
+ 0x6e, 0x67, 0x22, 0xc6, 0x05, 0x0a, 0x20, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x79, 0x6e,
+ 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67,
+ 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20,
+ 0x01, 0x28, 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, 0x52, 0x02, 0x69,
+ 0x64, 0x12, 0x43, 0x0a, 0x0e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x72, 0x65, 0x73, 0x6f, 0x6c,
+ 0x76, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x70, 0x6f, 0x6c, 0x69,
+ 0x63, 0x79, 0x2e, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52,
+ 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x52, 0x0d, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x65,
+ 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x12, 0xed, 0x01, 0x0a, 0x18, 0x73, 0x75, 0x62, 0x6a, 0x65,
+ 0x63, 0x74, 0x5f, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x74,
+ 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x42, 0xb3, 0x01, 0xba, 0x48, 0xaf, 0x01,
+ 0xba, 0x01, 0xab, 0x01, 0x0a, 0x14, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x5f, 0x75,
+ 0x75, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0x23, 0x4f, 0x70, 0x74, 0x69,
+ 0x6f, 0x6e, 0x61, 0x6c, 0x20, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20,
+ 0x62, 0x65, 0x20, 0x61, 0x20, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x20, 0x55, 0x55, 0x49, 0x44, 0x1a,
+ 0x6e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x74, 0x68, 0x69, 0x73, 0x29, 0x20, 0x3d, 0x3d, 0x20, 0x30,
+ 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73,
+ 0x28, 0x27, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x38, 0x7d,
+ 0x2d, 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d,
+ 0x5b, 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b,
+ 0x30, 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x34, 0x7d, 0x2d, 0x5b, 0x30,
+ 0x2d, 0x39, 0x61, 0x2d, 0x66, 0x41, 0x2d, 0x46, 0x5d, 0x7b, 0x31, 0x32, 0x7d, 0x27, 0x29, 0x52,
+ 0x15, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f,
+ 0x6e, 0x53, 0x65, 0x74, 0x49, 0x64, 0x12, 0xc7, 0x01, 0x0a, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f,
+ 0x6e, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63,
+ 0x79, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x9c, 0x01, 0xba, 0x48, 0x98, 0x01, 0xba,
+ 0x01, 0x94, 0x01, 0x0a, 0x1b, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6e, 0x61, 0x6d, 0x65,
+ 0x5f, 0x6f, 0x72, 0x5f, 0x69, 0x64, 0x5f, 0x6e, 0x6f, 0x74, 0x5f, 0x65, 0x6d, 0x70, 0x74, 0x79,
+ 0x12, 0x2f, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x6e, 0x61, 0x6d, 0x65, 0x20, 0x6f, 0x72,
+ 0x20, 0x49, 0x44, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x6e, 0x6f, 0x74, 0x20, 0x62, 0x65, 0x20,
+ 0x65, 0x6d, 0x70, 0x74, 0x79, 0x20, 0x69, 0x66, 0x20, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65,
+ 0x64, 0x1a, 0x44, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x73, 0x69, 0x7a, 0x65, 0x28, 0x29, 0x20, 0x3d,
+ 0x3d, 0x20, 0x30, 0x20, 0x7c, 0x7c, 0x20, 0x74, 0x68, 0x69, 0x73, 0x2e, 0x61, 0x6c, 0x6c, 0x28,
+ 0x69, 0x74, 0x65, 0x6d, 0x2c, 0x20, 0x69, 0x74, 0x65, 0x6d, 0x2e, 0x6e, 0x61, 0x6d, 0x65, 0x20,
+ 0x21, 0x3d, 0x20, 0x27, 0x27, 0x20, 0x7c, 0x7c, 0x20, 0x69, 0x74, 0x65, 0x6d, 0x2e, 0x69, 0x64,
+ 0x20, 0x21, 0x3d, 0x20, 0x27, 0x27, 0x29, 0x52, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73,
+ 0x12, 0x33, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01,
+ 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61,
+ 0x64, 0x61, 0x74, 0x61, 0x4d, 0x75, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x08, 0x6d, 0x65, 0x74,
+ 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x54, 0x0a, 0x18, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74,
+ 0x61, 0x5f, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65, 0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f,
+ 0x72, 0x18, 0x65, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1a, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e,
+ 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x45,
+ 0x6e, 0x75, 0x6d, 0x52, 0x16, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x55, 0x70, 0x64,
+ 0x61, 0x74, 0x65, 0x42, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x22, 0x74, 0x0a, 0x21, 0x55,
+ 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75,
+ 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
+ 0x12, 0x4f, 0x0a, 0x15, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x5f, 0x76, 0x61, 0x6c, 0x75,
+ 0x65, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32,
+ 0x1b, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63,
+ 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x13, 0x64, 0x79,
+ 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e,
+ 0x67, 0x22, 0x3c, 0x0a, 0x20, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d,
+ 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65,
+ 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28,
+ 0x09, 0x42, 0x08, 0xba, 0x48, 0x05, 0x72, 0x03, 0xb0, 0x01, 0x01, 0x52, 0x02, 0x69, 0x64, 0x22,
+ 0x74, 0x0a, 0x21, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63,
+ 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70,
+ 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x4f, 0x0a, 0x15, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x5f,
+ 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x18, 0x01, 0x20,
+ 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x79, 0x6e,
+ 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67,
+ 0x52, 0x13, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61,
+ 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2a, 0xb2, 0x01, 0x0a, 0x1c, 0x53, 0x6f, 0x72, 0x74, 0x44, 0x79,
+ 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e,
+ 0x67, 0x73, 0x54, 0x79, 0x70, 0x65, 0x12, 0x30, 0x0a, 0x2c, 0x53, 0x4f, 0x52, 0x54, 0x5f, 0x44,
+ 0x59, 0x4e, 0x41, 0x4d, 0x49, 0x43, 0x5f, 0x56, 0x41, 0x4c, 0x55, 0x45, 0x5f, 0x4d, 0x41, 0x50,
+ 0x50, 0x49, 0x4e, 0x47, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45,
+ 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x2f, 0x0a, 0x2b, 0x53, 0x4f, 0x52, 0x54,
+ 0x5f, 0x44, 0x59, 0x4e, 0x41, 0x4d, 0x49, 0x43, 0x5f, 0x56, 0x41, 0x4c, 0x55, 0x45, 0x5f, 0x4d,
+ 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x43, 0x52, 0x45,
+ 0x41, 0x54, 0x45, 0x44, 0x5f, 0x41, 0x54, 0x10, 0x01, 0x12, 0x2f, 0x0a, 0x2b, 0x53, 0x4f, 0x52,
+ 0x54, 0x5f, 0x44, 0x59, 0x4e, 0x41, 0x4d, 0x49, 0x43, 0x5f, 0x56, 0x41, 0x4c, 0x55, 0x45, 0x5f,
+ 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x53, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x50,
+ 0x44, 0x41, 0x54, 0x45, 0x44, 0x5f, 0x41, 0x54, 0x10, 0x02, 0x32, 0xa7, 0x06, 0x0a, 0x1a, 0x44,
+ 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69,
+ 0x6e, 0x67, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x9a, 0x01, 0x0a, 0x18, 0x4c, 0x69,
+ 0x73, 0x74, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61,
+ 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x3b, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e,
+ 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70,
+ 0x69, 0x6e, 0x67, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56,
+ 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x71, 0x75,
+ 0x65, 0x73, 0x74, 0x1a, 0x3c, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x79, 0x6e,
+ 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67,
+ 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75,
+ 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+ 0x65, 0x22, 0x03, 0x90, 0x02, 0x01, 0x12, 0x94, 0x01, 0x0a, 0x16, 0x47, 0x65, 0x74, 0x44, 0x79,
+ 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e,
+ 0x67, 0x12, 0x39, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x79, 0x6e, 0x61, 0x6d,
+ 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x47,
+ 0x65, 0x74, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61,
+ 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x3a, 0x2e, 0x70,
+ 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c,
+ 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x47, 0x65, 0x74, 0x44, 0x79, 0x6e,
+ 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67,
+ 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x03, 0x90, 0x02, 0x01, 0x12, 0x9a, 0x01,
+ 0x0a, 0x19, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56,
+ 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x3c, 0x2e, 0x70, 0x6f,
+ 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75,
+ 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x44,
+ 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69,
+ 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x3d, 0x2e, 0x70, 0x6f, 0x6c, 0x69,
+ 0x63, 0x79, 0x2e, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d,
+ 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x44, 0x79, 0x6e,
+ 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67,
+ 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x9a, 0x01, 0x0a, 0x19, 0x55,
+ 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75,
+ 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x3c, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63,
+ 0x79, 0x2e, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61,
+ 0x70, 0x70, 0x69, 0x6e, 0x67, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61,
+ 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52,
+ 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x3d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e,
+ 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70,
+ 0x69, 0x6e, 0x67, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69,
+ 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73,
+ 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x9a, 0x01, 0x0a, 0x19, 0x44, 0x65, 0x6c, 0x65,
+ 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61,
+ 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x3c, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64,
+ 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69,
+ 0x6e, 0x67, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63,
+ 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75,
+ 0x65, 0x73, 0x74, 0x1a, 0x3d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x64, 0x79, 0x6e,
+ 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67,
+ 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61,
+ 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
+ 0x73, 0x65, 0x22, 0x00, 0x42, 0x87, 0x02, 0x0a, 0x1e, 0x63, 0x6f, 0x6d, 0x2e, 0x70, 0x6f, 0x6c,
+ 0x69, 0x63, 0x79, 0x2e, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65,
+ 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x42, 0x18, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63,
+ 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x50, 0x72, 0x6f, 0x74,
+ 0x6f, 0x50, 0x01, 0x5a, 0x42, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f,
+ 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d,
+ 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x70, 0x6f, 0x6c,
+ 0x69, 0x63, 0x79, 0x2f, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65,
+ 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0xa2, 0x02, 0x03, 0x50, 0x44, 0x58, 0xaa, 0x02, 0x1a,
+ 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61,
+ 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0xca, 0x02, 0x1a, 0x50, 0x6f, 0x6c,
+ 0x69, 0x63, 0x79, 0x5c, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65,
+ 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0xe2, 0x02, 0x26, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79,
+ 0x5c, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70,
+ 0x70, 0x69, 0x6e, 0x67, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61,
+ 0xea, 0x02, 0x1b, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x3a, 0x3a, 0x44, 0x79, 0x6e, 0x61, 0x6d,
+ 0x69, 0x63, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x6d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x62, 0x06,
+ 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+ file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescOnce sync.Once
+ file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescData = file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDesc
+)
+
+func file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescGZIP() []byte {
+ file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescOnce.Do(func() {
+ file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescData = protoimpl.X.CompressGZIP(file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescData)
+ })
+ return file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDescData
+}
+
+var file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
+var file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes = make([]protoimpl.MessageInfo, 11)
+var file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_goTypes = []interface{}{
+ (SortDynamicValueMappingsType)(0), // 0: policy.dynamicvaluemapping.SortDynamicValueMappingsType
+ (*GetDynamicValueMappingRequest)(nil), // 1: policy.dynamicvaluemapping.GetDynamicValueMappingRequest
+ (*GetDynamicValueMappingResponse)(nil), // 2: policy.dynamicvaluemapping.GetDynamicValueMappingResponse
+ (*DynamicValueMappingsSort)(nil), // 3: policy.dynamicvaluemapping.DynamicValueMappingsSort
+ (*ListDynamicValueMappingsRequest)(nil), // 4: policy.dynamicvaluemapping.ListDynamicValueMappingsRequest
+ (*ListDynamicValueMappingsResponse)(nil), // 5: policy.dynamicvaluemapping.ListDynamicValueMappingsResponse
+ (*CreateDynamicValueMappingRequest)(nil), // 6: policy.dynamicvaluemapping.CreateDynamicValueMappingRequest
+ (*CreateDynamicValueMappingResponse)(nil), // 7: policy.dynamicvaluemapping.CreateDynamicValueMappingResponse
+ (*UpdateDynamicValueMappingRequest)(nil), // 8: policy.dynamicvaluemapping.UpdateDynamicValueMappingRequest
+ (*UpdateDynamicValueMappingResponse)(nil), // 9: policy.dynamicvaluemapping.UpdateDynamicValueMappingResponse
+ (*DeleteDynamicValueMappingRequest)(nil), // 10: policy.dynamicvaluemapping.DeleteDynamicValueMappingRequest
+ (*DeleteDynamicValueMappingResponse)(nil), // 11: policy.dynamicvaluemapping.DeleteDynamicValueMappingResponse
+ (*policy.DynamicValueMapping)(nil), // 12: policy.DynamicValueMapping
+ (policy.SortDirection)(0), // 13: policy.SortDirection
+ (*policy.PageRequest)(nil), // 14: policy.PageRequest
+ (*policy.PageResponse)(nil), // 15: policy.PageResponse
+ (*policy.DynamicValueResolver)(nil), // 16: policy.DynamicValueResolver
+ (*policy.Action)(nil), // 17: policy.Action
+ (*subjectmapping.SubjectConditionSetCreate)(nil), // 18: policy.subjectmapping.SubjectConditionSetCreate
+ (*common.MetadataMutable)(nil), // 19: common.MetadataMutable
+ (common.MetadataUpdateEnum)(0), // 20: common.MetadataUpdateEnum
+}
+var file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_depIdxs = []int32{
+ 12, // 0: policy.dynamicvaluemapping.GetDynamicValueMappingResponse.dynamic_value_mapping:type_name -> policy.DynamicValueMapping
+ 0, // 1: policy.dynamicvaluemapping.DynamicValueMappingsSort.field:type_name -> policy.dynamicvaluemapping.SortDynamicValueMappingsType
+ 13, // 2: policy.dynamicvaluemapping.DynamicValueMappingsSort.direction:type_name -> policy.SortDirection
+ 14, // 3: policy.dynamicvaluemapping.ListDynamicValueMappingsRequest.pagination:type_name -> policy.PageRequest
+ 3, // 4: policy.dynamicvaluemapping.ListDynamicValueMappingsRequest.sort:type_name -> policy.dynamicvaluemapping.DynamicValueMappingsSort
+ 12, // 5: policy.dynamicvaluemapping.ListDynamicValueMappingsResponse.dynamic_value_mappings:type_name -> policy.DynamicValueMapping
+ 15, // 6: policy.dynamicvaluemapping.ListDynamicValueMappingsResponse.pagination:type_name -> policy.PageResponse
+ 16, // 7: policy.dynamicvaluemapping.CreateDynamicValueMappingRequest.value_resolver:type_name -> policy.DynamicValueResolver
+ 17, // 8: policy.dynamicvaluemapping.CreateDynamicValueMappingRequest.actions:type_name -> policy.Action
+ 18, // 9: policy.dynamicvaluemapping.CreateDynamicValueMappingRequest.new_subject_condition_set:type_name -> policy.subjectmapping.SubjectConditionSetCreate
+ 19, // 10: policy.dynamicvaluemapping.CreateDynamicValueMappingRequest.metadata:type_name -> common.MetadataMutable
+ 12, // 11: policy.dynamicvaluemapping.CreateDynamicValueMappingResponse.dynamic_value_mapping:type_name -> policy.DynamicValueMapping
+ 16, // 12: policy.dynamicvaluemapping.UpdateDynamicValueMappingRequest.value_resolver:type_name -> policy.DynamicValueResolver
+ 17, // 13: policy.dynamicvaluemapping.UpdateDynamicValueMappingRequest.actions:type_name -> policy.Action
+ 19, // 14: policy.dynamicvaluemapping.UpdateDynamicValueMappingRequest.metadata:type_name -> common.MetadataMutable
+ 20, // 15: policy.dynamicvaluemapping.UpdateDynamicValueMappingRequest.metadata_update_behavior:type_name -> common.MetadataUpdateEnum
+ 12, // 16: policy.dynamicvaluemapping.UpdateDynamicValueMappingResponse.dynamic_value_mapping:type_name -> policy.DynamicValueMapping
+ 12, // 17: policy.dynamicvaluemapping.DeleteDynamicValueMappingResponse.dynamic_value_mapping:type_name -> policy.DynamicValueMapping
+ 4, // 18: policy.dynamicvaluemapping.DynamicValueMappingService.ListDynamicValueMappings:input_type -> policy.dynamicvaluemapping.ListDynamicValueMappingsRequest
+ 1, // 19: policy.dynamicvaluemapping.DynamicValueMappingService.GetDynamicValueMapping:input_type -> policy.dynamicvaluemapping.GetDynamicValueMappingRequest
+ 6, // 20: policy.dynamicvaluemapping.DynamicValueMappingService.CreateDynamicValueMapping:input_type -> policy.dynamicvaluemapping.CreateDynamicValueMappingRequest
+ 8, // 21: policy.dynamicvaluemapping.DynamicValueMappingService.UpdateDynamicValueMapping:input_type -> policy.dynamicvaluemapping.UpdateDynamicValueMappingRequest
+ 10, // 22: policy.dynamicvaluemapping.DynamicValueMappingService.DeleteDynamicValueMapping:input_type -> policy.dynamicvaluemapping.DeleteDynamicValueMappingRequest
+ 5, // 23: policy.dynamicvaluemapping.DynamicValueMappingService.ListDynamicValueMappings:output_type -> policy.dynamicvaluemapping.ListDynamicValueMappingsResponse
+ 2, // 24: policy.dynamicvaluemapping.DynamicValueMappingService.GetDynamicValueMapping:output_type -> policy.dynamicvaluemapping.GetDynamicValueMappingResponse
+ 7, // 25: policy.dynamicvaluemapping.DynamicValueMappingService.CreateDynamicValueMapping:output_type -> policy.dynamicvaluemapping.CreateDynamicValueMappingResponse
+ 9, // 26: policy.dynamicvaluemapping.DynamicValueMappingService.UpdateDynamicValueMapping:output_type -> policy.dynamicvaluemapping.UpdateDynamicValueMappingResponse
+ 11, // 27: policy.dynamicvaluemapping.DynamicValueMappingService.DeleteDynamicValueMapping:output_type -> policy.dynamicvaluemapping.DeleteDynamicValueMappingResponse
+ 23, // [23:28] is the sub-list for method output_type
+ 18, // [18:23] is the sub-list for method input_type
+ 18, // [18:18] is the sub-list for extension type_name
+ 18, // [18:18] is the sub-list for extension extendee
+ 0, // [0:18] is the sub-list for field type_name
+}
+
+func init() { file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_init() }
+func file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_init() {
+ if File_policy_dynamicvaluemapping_dynamic_value_mapping_proto != nil {
+ return
+ }
+ if !protoimpl.UnsafeEnabled {
+ file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*GetDynamicValueMappingRequest); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*GetDynamicValueMappingResponse); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*DynamicValueMappingsSort); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*ListDynamicValueMappingsRequest); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*ListDynamicValueMappingsResponse); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*CreateDynamicValueMappingRequest); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*CreateDynamicValueMappingResponse); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*UpdateDynamicValueMappingRequest); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*UpdateDynamicValueMappingResponse); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*DeleteDynamicValueMappingRequest); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes[10].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*DeleteDynamicValueMappingResponse); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ }
+ type x struct{}
+ out := protoimpl.TypeBuilder{
+ File: protoimpl.DescBuilder{
+ GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+ RawDescriptor: file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDesc,
+ NumEnums: 1,
+ NumMessages: 11,
+ NumExtensions: 0,
+ NumServices: 1,
+ },
+ GoTypes: file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_goTypes,
+ DependencyIndexes: file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_depIdxs,
+ EnumInfos: file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_enumTypes,
+ MessageInfos: file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_msgTypes,
+ }.Build()
+ File_policy_dynamicvaluemapping_dynamic_value_mapping_proto = out.File
+ file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_rawDesc = nil
+ file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_goTypes = nil
+ file_policy_dynamicvaluemapping_dynamic_value_mapping_proto_depIdxs = nil
+}
diff --git a/protocol/go/policy/dynamicvaluemapping/dynamic_value_mapping_grpc.pb.go b/protocol/go/policy/dynamicvaluemapping/dynamic_value_mapping_grpc.pb.go
new file mode 100644
index 0000000000..513595f0ef
--- /dev/null
+++ b/protocol/go/policy/dynamicvaluemapping/dynamic_value_mapping_grpc.pb.go
@@ -0,0 +1,258 @@
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+// versions:
+// - protoc-gen-go-grpc v1.3.0
+// - protoc (unknown)
+// source: policy/dynamicvaluemapping/dynamic_value_mapping.proto
+
+package dynamicvaluemapping
+
+import (
+ context "context"
+ grpc "google.golang.org/grpc"
+ codes "google.golang.org/grpc/codes"
+ status "google.golang.org/grpc/status"
+)
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.32.0 or later.
+const _ = grpc.SupportPackageIsVersion7
+
+const (
+ DynamicValueMappingService_ListDynamicValueMappings_FullMethodName = "/policy.dynamicvaluemapping.DynamicValueMappingService/ListDynamicValueMappings"
+ DynamicValueMappingService_GetDynamicValueMapping_FullMethodName = "/policy.dynamicvaluemapping.DynamicValueMappingService/GetDynamicValueMapping"
+ DynamicValueMappingService_CreateDynamicValueMapping_FullMethodName = "/policy.dynamicvaluemapping.DynamicValueMappingService/CreateDynamicValueMapping"
+ DynamicValueMappingService_UpdateDynamicValueMapping_FullMethodName = "/policy.dynamicvaluemapping.DynamicValueMappingService/UpdateDynamicValueMapping"
+ DynamicValueMappingService_DeleteDynamicValueMapping_FullMethodName = "/policy.dynamicvaluemapping.DynamicValueMappingService/DeleteDynamicValueMapping"
+)
+
+// DynamicValueMappingServiceClient is the client API for DynamicValueMappingService service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+type DynamicValueMappingServiceClient interface {
+ ListDynamicValueMappings(ctx context.Context, in *ListDynamicValueMappingsRequest, opts ...grpc.CallOption) (*ListDynamicValueMappingsResponse, error)
+ GetDynamicValueMapping(ctx context.Context, in *GetDynamicValueMappingRequest, opts ...grpc.CallOption) (*GetDynamicValueMappingResponse, error)
+ CreateDynamicValueMapping(ctx context.Context, in *CreateDynamicValueMappingRequest, opts ...grpc.CallOption) (*CreateDynamicValueMappingResponse, error)
+ UpdateDynamicValueMapping(ctx context.Context, in *UpdateDynamicValueMappingRequest, opts ...grpc.CallOption) (*UpdateDynamicValueMappingResponse, error)
+ DeleteDynamicValueMapping(ctx context.Context, in *DeleteDynamicValueMappingRequest, opts ...grpc.CallOption) (*DeleteDynamicValueMappingResponse, error)
+}
+
+type dynamicValueMappingServiceClient struct {
+ cc grpc.ClientConnInterface
+}
+
+func NewDynamicValueMappingServiceClient(cc grpc.ClientConnInterface) DynamicValueMappingServiceClient {
+ return &dynamicValueMappingServiceClient{cc}
+}
+
+func (c *dynamicValueMappingServiceClient) ListDynamicValueMappings(ctx context.Context, in *ListDynamicValueMappingsRequest, opts ...grpc.CallOption) (*ListDynamicValueMappingsResponse, error) {
+ out := new(ListDynamicValueMappingsResponse)
+ err := c.cc.Invoke(ctx, DynamicValueMappingService_ListDynamicValueMappings_FullMethodName, in, out, opts...)
+ if err != nil {
+ return nil, err
+ }
+ return out, nil
+}
+
+func (c *dynamicValueMappingServiceClient) GetDynamicValueMapping(ctx context.Context, in *GetDynamicValueMappingRequest, opts ...grpc.CallOption) (*GetDynamicValueMappingResponse, error) {
+ out := new(GetDynamicValueMappingResponse)
+ err := c.cc.Invoke(ctx, DynamicValueMappingService_GetDynamicValueMapping_FullMethodName, in, out, opts...)
+ if err != nil {
+ return nil, err
+ }
+ return out, nil
+}
+
+func (c *dynamicValueMappingServiceClient) CreateDynamicValueMapping(ctx context.Context, in *CreateDynamicValueMappingRequest, opts ...grpc.CallOption) (*CreateDynamicValueMappingResponse, error) {
+ out := new(CreateDynamicValueMappingResponse)
+ err := c.cc.Invoke(ctx, DynamicValueMappingService_CreateDynamicValueMapping_FullMethodName, in, out, opts...)
+ if err != nil {
+ return nil, err
+ }
+ return out, nil
+}
+
+func (c *dynamicValueMappingServiceClient) UpdateDynamicValueMapping(ctx context.Context, in *UpdateDynamicValueMappingRequest, opts ...grpc.CallOption) (*UpdateDynamicValueMappingResponse, error) {
+ out := new(UpdateDynamicValueMappingResponse)
+ err := c.cc.Invoke(ctx, DynamicValueMappingService_UpdateDynamicValueMapping_FullMethodName, in, out, opts...)
+ if err != nil {
+ return nil, err
+ }
+ return out, nil
+}
+
+func (c *dynamicValueMappingServiceClient) DeleteDynamicValueMapping(ctx context.Context, in *DeleteDynamicValueMappingRequest, opts ...grpc.CallOption) (*DeleteDynamicValueMappingResponse, error) {
+ out := new(DeleteDynamicValueMappingResponse)
+ err := c.cc.Invoke(ctx, DynamicValueMappingService_DeleteDynamicValueMapping_FullMethodName, in, out, opts...)
+ if err != nil {
+ return nil, err
+ }
+ return out, nil
+}
+
+// DynamicValueMappingServiceServer is the server API for DynamicValueMappingService service.
+// All implementations must embed UnimplementedDynamicValueMappingServiceServer
+// for forward compatibility
+type DynamicValueMappingServiceServer interface {
+ ListDynamicValueMappings(context.Context, *ListDynamicValueMappingsRequest) (*ListDynamicValueMappingsResponse, error)
+ GetDynamicValueMapping(context.Context, *GetDynamicValueMappingRequest) (*GetDynamicValueMappingResponse, error)
+ CreateDynamicValueMapping(context.Context, *CreateDynamicValueMappingRequest) (*CreateDynamicValueMappingResponse, error)
+ UpdateDynamicValueMapping(context.Context, *UpdateDynamicValueMappingRequest) (*UpdateDynamicValueMappingResponse, error)
+ DeleteDynamicValueMapping(context.Context, *DeleteDynamicValueMappingRequest) (*DeleteDynamicValueMappingResponse, error)
+ mustEmbedUnimplementedDynamicValueMappingServiceServer()
+}
+
+// UnimplementedDynamicValueMappingServiceServer must be embedded to have forward compatible implementations.
+type UnimplementedDynamicValueMappingServiceServer struct {
+}
+
+func (UnimplementedDynamicValueMappingServiceServer) ListDynamicValueMappings(context.Context, *ListDynamicValueMappingsRequest) (*ListDynamicValueMappingsResponse, error) {
+ return nil, status.Errorf(codes.Unimplemented, "method ListDynamicValueMappings not implemented")
+}
+func (UnimplementedDynamicValueMappingServiceServer) GetDynamicValueMapping(context.Context, *GetDynamicValueMappingRequest) (*GetDynamicValueMappingResponse, error) {
+ return nil, status.Errorf(codes.Unimplemented, "method GetDynamicValueMapping not implemented")
+}
+func (UnimplementedDynamicValueMappingServiceServer) CreateDynamicValueMapping(context.Context, *CreateDynamicValueMappingRequest) (*CreateDynamicValueMappingResponse, error) {
+ return nil, status.Errorf(codes.Unimplemented, "method CreateDynamicValueMapping not implemented")
+}
+func (UnimplementedDynamicValueMappingServiceServer) UpdateDynamicValueMapping(context.Context, *UpdateDynamicValueMappingRequest) (*UpdateDynamicValueMappingResponse, error) {
+ return nil, status.Errorf(codes.Unimplemented, "method UpdateDynamicValueMapping not implemented")
+}
+func (UnimplementedDynamicValueMappingServiceServer) DeleteDynamicValueMapping(context.Context, *DeleteDynamicValueMappingRequest) (*DeleteDynamicValueMappingResponse, error) {
+ return nil, status.Errorf(codes.Unimplemented, "method DeleteDynamicValueMapping not implemented")
+}
+func (UnimplementedDynamicValueMappingServiceServer) mustEmbedUnimplementedDynamicValueMappingServiceServer() {
+}
+
+// UnsafeDynamicValueMappingServiceServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to DynamicValueMappingServiceServer will
+// result in compilation errors.
+type UnsafeDynamicValueMappingServiceServer interface {
+ mustEmbedUnimplementedDynamicValueMappingServiceServer()
+}
+
+func RegisterDynamicValueMappingServiceServer(s grpc.ServiceRegistrar, srv DynamicValueMappingServiceServer) {
+ s.RegisterService(&DynamicValueMappingService_ServiceDesc, srv)
+}
+
+func _DynamicValueMappingService_ListDynamicValueMappings_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+ in := new(ListDynamicValueMappingsRequest)
+ if err := dec(in); err != nil {
+ return nil, err
+ }
+ if interceptor == nil {
+ return srv.(DynamicValueMappingServiceServer).ListDynamicValueMappings(ctx, in)
+ }
+ info := &grpc.UnaryServerInfo{
+ Server: srv,
+ FullMethod: DynamicValueMappingService_ListDynamicValueMappings_FullMethodName,
+ }
+ handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+ return srv.(DynamicValueMappingServiceServer).ListDynamicValueMappings(ctx, req.(*ListDynamicValueMappingsRequest))
+ }
+ return interceptor(ctx, in, info, handler)
+}
+
+func _DynamicValueMappingService_GetDynamicValueMapping_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+ in := new(GetDynamicValueMappingRequest)
+ if err := dec(in); err != nil {
+ return nil, err
+ }
+ if interceptor == nil {
+ return srv.(DynamicValueMappingServiceServer).GetDynamicValueMapping(ctx, in)
+ }
+ info := &grpc.UnaryServerInfo{
+ Server: srv,
+ FullMethod: DynamicValueMappingService_GetDynamicValueMapping_FullMethodName,
+ }
+ handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+ return srv.(DynamicValueMappingServiceServer).GetDynamicValueMapping(ctx, req.(*GetDynamicValueMappingRequest))
+ }
+ return interceptor(ctx, in, info, handler)
+}
+
+func _DynamicValueMappingService_CreateDynamicValueMapping_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+ in := new(CreateDynamicValueMappingRequest)
+ if err := dec(in); err != nil {
+ return nil, err
+ }
+ if interceptor == nil {
+ return srv.(DynamicValueMappingServiceServer).CreateDynamicValueMapping(ctx, in)
+ }
+ info := &grpc.UnaryServerInfo{
+ Server: srv,
+ FullMethod: DynamicValueMappingService_CreateDynamicValueMapping_FullMethodName,
+ }
+ handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+ return srv.(DynamicValueMappingServiceServer).CreateDynamicValueMapping(ctx, req.(*CreateDynamicValueMappingRequest))
+ }
+ return interceptor(ctx, in, info, handler)
+}
+
+func _DynamicValueMappingService_UpdateDynamicValueMapping_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+ in := new(UpdateDynamicValueMappingRequest)
+ if err := dec(in); err != nil {
+ return nil, err
+ }
+ if interceptor == nil {
+ return srv.(DynamicValueMappingServiceServer).UpdateDynamicValueMapping(ctx, in)
+ }
+ info := &grpc.UnaryServerInfo{
+ Server: srv,
+ FullMethod: DynamicValueMappingService_UpdateDynamicValueMapping_FullMethodName,
+ }
+ handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+ return srv.(DynamicValueMappingServiceServer).UpdateDynamicValueMapping(ctx, req.(*UpdateDynamicValueMappingRequest))
+ }
+ return interceptor(ctx, in, info, handler)
+}
+
+func _DynamicValueMappingService_DeleteDynamicValueMapping_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+ in := new(DeleteDynamicValueMappingRequest)
+ if err := dec(in); err != nil {
+ return nil, err
+ }
+ if interceptor == nil {
+ return srv.(DynamicValueMappingServiceServer).DeleteDynamicValueMapping(ctx, in)
+ }
+ info := &grpc.UnaryServerInfo{
+ Server: srv,
+ FullMethod: DynamicValueMappingService_DeleteDynamicValueMapping_FullMethodName,
+ }
+ handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+ return srv.(DynamicValueMappingServiceServer).DeleteDynamicValueMapping(ctx, req.(*DeleteDynamicValueMappingRequest))
+ }
+ return interceptor(ctx, in, info, handler)
+}
+
+// DynamicValueMappingService_ServiceDesc is the grpc.ServiceDesc for DynamicValueMappingService service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var DynamicValueMappingService_ServiceDesc = grpc.ServiceDesc{
+ ServiceName: "policy.dynamicvaluemapping.DynamicValueMappingService",
+ HandlerType: (*DynamicValueMappingServiceServer)(nil),
+ Methods: []grpc.MethodDesc{
+ {
+ MethodName: "ListDynamicValueMappings",
+ Handler: _DynamicValueMappingService_ListDynamicValueMappings_Handler,
+ },
+ {
+ MethodName: "GetDynamicValueMapping",
+ Handler: _DynamicValueMappingService_GetDynamicValueMapping_Handler,
+ },
+ {
+ MethodName: "CreateDynamicValueMapping",
+ Handler: _DynamicValueMappingService_CreateDynamicValueMapping_Handler,
+ },
+ {
+ MethodName: "UpdateDynamicValueMapping",
+ Handler: _DynamicValueMappingService_UpdateDynamicValueMapping_Handler,
+ },
+ {
+ MethodName: "DeleteDynamicValueMapping",
+ Handler: _DynamicValueMappingService_DeleteDynamicValueMapping_Handler,
+ },
+ },
+ Streams: []grpc.StreamDesc{},
+ Metadata: "policy/dynamicvaluemapping/dynamic_value_mapping.proto",
+}
diff --git a/protocol/go/policy/dynamicvaluemapping/dynamicvaluemappingconnect/dynamic_value_mapping.connect.go b/protocol/go/policy/dynamicvaluemapping/dynamicvaluemappingconnect/dynamic_value_mapping.connect.go
new file mode 100644
index 0000000000..dfe90334f5
--- /dev/null
+++ b/protocol/go/policy/dynamicvaluemapping/dynamicvaluemappingconnect/dynamic_value_mapping.connect.go
@@ -0,0 +1,238 @@
+// Code generated by protoc-gen-connect-go. DO NOT EDIT.
+//
+// Source: policy/dynamicvaluemapping/dynamic_value_mapping.proto
+
+package dynamicvaluemappingconnect
+
+import (
+ connect "connectrpc.com/connect"
+ context "context"
+ errors "errors"
+ dynamicvaluemapping "github.com/opentdf/platform/protocol/go/policy/dynamicvaluemapping"
+ http "net/http"
+ strings "strings"
+)
+
+// This is a compile-time assertion to ensure that this generated file and the connect package are
+// compatible. If you get a compiler error that this constant is not defined, this code was
+// generated with a version of connect newer than the one compiled into your binary. You can fix the
+// problem by either regenerating this code with an older version of connect or updating the connect
+// version compiled into your binary.
+const _ = connect.IsAtLeastVersion1_13_0
+
+const (
+ // DynamicValueMappingServiceName is the fully-qualified name of the DynamicValueMappingService
+ // service.
+ DynamicValueMappingServiceName = "policy.dynamicvaluemapping.DynamicValueMappingService"
+)
+
+// These constants are the fully-qualified names of the RPCs defined in this package. They're
+// exposed at runtime as Spec.Procedure and as the final two segments of the HTTP route.
+//
+// Note that these are different from the fully-qualified method names used by
+// google.golang.org/protobuf/reflect/protoreflect. To convert from these constants to
+// reflection-formatted method names, remove the leading slash and convert the remaining slash to a
+// period.
+const (
+ // DynamicValueMappingServiceListDynamicValueMappingsProcedure is the fully-qualified name of the
+ // DynamicValueMappingService's ListDynamicValueMappings RPC.
+ DynamicValueMappingServiceListDynamicValueMappingsProcedure = "/policy.dynamicvaluemapping.DynamicValueMappingService/ListDynamicValueMappings"
+ // DynamicValueMappingServiceGetDynamicValueMappingProcedure is the fully-qualified name of the
+ // DynamicValueMappingService's GetDynamicValueMapping RPC.
+ DynamicValueMappingServiceGetDynamicValueMappingProcedure = "/policy.dynamicvaluemapping.DynamicValueMappingService/GetDynamicValueMapping"
+ // DynamicValueMappingServiceCreateDynamicValueMappingProcedure is the fully-qualified name of the
+ // DynamicValueMappingService's CreateDynamicValueMapping RPC.
+ DynamicValueMappingServiceCreateDynamicValueMappingProcedure = "/policy.dynamicvaluemapping.DynamicValueMappingService/CreateDynamicValueMapping"
+ // DynamicValueMappingServiceUpdateDynamicValueMappingProcedure is the fully-qualified name of the
+ // DynamicValueMappingService's UpdateDynamicValueMapping RPC.
+ DynamicValueMappingServiceUpdateDynamicValueMappingProcedure = "/policy.dynamicvaluemapping.DynamicValueMappingService/UpdateDynamicValueMapping"
+ // DynamicValueMappingServiceDeleteDynamicValueMappingProcedure is the fully-qualified name of the
+ // DynamicValueMappingService's DeleteDynamicValueMapping RPC.
+ DynamicValueMappingServiceDeleteDynamicValueMappingProcedure = "/policy.dynamicvaluemapping.DynamicValueMappingService/DeleteDynamicValueMapping"
+)
+
+// DynamicValueMappingServiceClient is a client for the
+// policy.dynamicvaluemapping.DynamicValueMappingService service.
+type DynamicValueMappingServiceClient interface {
+ ListDynamicValueMappings(context.Context, *connect.Request[dynamicvaluemapping.ListDynamicValueMappingsRequest]) (*connect.Response[dynamicvaluemapping.ListDynamicValueMappingsResponse], error)
+ GetDynamicValueMapping(context.Context, *connect.Request[dynamicvaluemapping.GetDynamicValueMappingRequest]) (*connect.Response[dynamicvaluemapping.GetDynamicValueMappingResponse], error)
+ CreateDynamicValueMapping(context.Context, *connect.Request[dynamicvaluemapping.CreateDynamicValueMappingRequest]) (*connect.Response[dynamicvaluemapping.CreateDynamicValueMappingResponse], error)
+ UpdateDynamicValueMapping(context.Context, *connect.Request[dynamicvaluemapping.UpdateDynamicValueMappingRequest]) (*connect.Response[dynamicvaluemapping.UpdateDynamicValueMappingResponse], error)
+ DeleteDynamicValueMapping(context.Context, *connect.Request[dynamicvaluemapping.DeleteDynamicValueMappingRequest]) (*connect.Response[dynamicvaluemapping.DeleteDynamicValueMappingResponse], error)
+}
+
+// NewDynamicValueMappingServiceClient constructs a client for the
+// policy.dynamicvaluemapping.DynamicValueMappingService service. By default, it uses the Connect
+// protocol with the binary Protobuf Codec, asks for gzipped responses, and sends uncompressed
+// requests. To use the gRPC or gRPC-Web protocols, supply the connect.WithGRPC() or
+// connect.WithGRPCWeb() options.
+//
+// The URL supplied here should be the base URL for the Connect or gRPC server (for example,
+// http://api.acme.com or https://acme.com/grpc).
+func NewDynamicValueMappingServiceClient(httpClient connect.HTTPClient, baseURL string, opts ...connect.ClientOption) DynamicValueMappingServiceClient {
+ baseURL = strings.TrimRight(baseURL, "/")
+ dynamicValueMappingServiceMethods := dynamicvaluemapping.File_policy_dynamicvaluemapping_dynamic_value_mapping_proto.Services().ByName("DynamicValueMappingService").Methods()
+ return &dynamicValueMappingServiceClient{
+ listDynamicValueMappings: connect.NewClient[dynamicvaluemapping.ListDynamicValueMappingsRequest, dynamicvaluemapping.ListDynamicValueMappingsResponse](
+ httpClient,
+ baseURL+DynamicValueMappingServiceListDynamicValueMappingsProcedure,
+ connect.WithSchema(dynamicValueMappingServiceMethods.ByName("ListDynamicValueMappings")),
+ connect.WithIdempotency(connect.IdempotencyNoSideEffects),
+ connect.WithClientOptions(opts...),
+ ),
+ getDynamicValueMapping: connect.NewClient[dynamicvaluemapping.GetDynamicValueMappingRequest, dynamicvaluemapping.GetDynamicValueMappingResponse](
+ httpClient,
+ baseURL+DynamicValueMappingServiceGetDynamicValueMappingProcedure,
+ connect.WithSchema(dynamicValueMappingServiceMethods.ByName("GetDynamicValueMapping")),
+ connect.WithIdempotency(connect.IdempotencyNoSideEffects),
+ connect.WithClientOptions(opts...),
+ ),
+ createDynamicValueMapping: connect.NewClient[dynamicvaluemapping.CreateDynamicValueMappingRequest, dynamicvaluemapping.CreateDynamicValueMappingResponse](
+ httpClient,
+ baseURL+DynamicValueMappingServiceCreateDynamicValueMappingProcedure,
+ connect.WithSchema(dynamicValueMappingServiceMethods.ByName("CreateDynamicValueMapping")),
+ connect.WithClientOptions(opts...),
+ ),
+ updateDynamicValueMapping: connect.NewClient[dynamicvaluemapping.UpdateDynamicValueMappingRequest, dynamicvaluemapping.UpdateDynamicValueMappingResponse](
+ httpClient,
+ baseURL+DynamicValueMappingServiceUpdateDynamicValueMappingProcedure,
+ connect.WithSchema(dynamicValueMappingServiceMethods.ByName("UpdateDynamicValueMapping")),
+ connect.WithClientOptions(opts...),
+ ),
+ deleteDynamicValueMapping: connect.NewClient[dynamicvaluemapping.DeleteDynamicValueMappingRequest, dynamicvaluemapping.DeleteDynamicValueMappingResponse](
+ httpClient,
+ baseURL+DynamicValueMappingServiceDeleteDynamicValueMappingProcedure,
+ connect.WithSchema(dynamicValueMappingServiceMethods.ByName("DeleteDynamicValueMapping")),
+ connect.WithClientOptions(opts...),
+ ),
+ }
+}
+
+// dynamicValueMappingServiceClient implements DynamicValueMappingServiceClient.
+type dynamicValueMappingServiceClient struct {
+ listDynamicValueMappings *connect.Client[dynamicvaluemapping.ListDynamicValueMappingsRequest, dynamicvaluemapping.ListDynamicValueMappingsResponse]
+ getDynamicValueMapping *connect.Client[dynamicvaluemapping.GetDynamicValueMappingRequest, dynamicvaluemapping.GetDynamicValueMappingResponse]
+ createDynamicValueMapping *connect.Client[dynamicvaluemapping.CreateDynamicValueMappingRequest, dynamicvaluemapping.CreateDynamicValueMappingResponse]
+ updateDynamicValueMapping *connect.Client[dynamicvaluemapping.UpdateDynamicValueMappingRequest, dynamicvaluemapping.UpdateDynamicValueMappingResponse]
+ deleteDynamicValueMapping *connect.Client[dynamicvaluemapping.DeleteDynamicValueMappingRequest, dynamicvaluemapping.DeleteDynamicValueMappingResponse]
+}
+
+// ListDynamicValueMappings calls
+// policy.dynamicvaluemapping.DynamicValueMappingService.ListDynamicValueMappings.
+func (c *dynamicValueMappingServiceClient) ListDynamicValueMappings(ctx context.Context, req *connect.Request[dynamicvaluemapping.ListDynamicValueMappingsRequest]) (*connect.Response[dynamicvaluemapping.ListDynamicValueMappingsResponse], error) {
+ return c.listDynamicValueMappings.CallUnary(ctx, req)
+}
+
+// GetDynamicValueMapping calls
+// policy.dynamicvaluemapping.DynamicValueMappingService.GetDynamicValueMapping.
+func (c *dynamicValueMappingServiceClient) GetDynamicValueMapping(ctx context.Context, req *connect.Request[dynamicvaluemapping.GetDynamicValueMappingRequest]) (*connect.Response[dynamicvaluemapping.GetDynamicValueMappingResponse], error) {
+ return c.getDynamicValueMapping.CallUnary(ctx, req)
+}
+
+// CreateDynamicValueMapping calls
+// policy.dynamicvaluemapping.DynamicValueMappingService.CreateDynamicValueMapping.
+func (c *dynamicValueMappingServiceClient) CreateDynamicValueMapping(ctx context.Context, req *connect.Request[dynamicvaluemapping.CreateDynamicValueMappingRequest]) (*connect.Response[dynamicvaluemapping.CreateDynamicValueMappingResponse], error) {
+ return c.createDynamicValueMapping.CallUnary(ctx, req)
+}
+
+// UpdateDynamicValueMapping calls
+// policy.dynamicvaluemapping.DynamicValueMappingService.UpdateDynamicValueMapping.
+func (c *dynamicValueMappingServiceClient) UpdateDynamicValueMapping(ctx context.Context, req *connect.Request[dynamicvaluemapping.UpdateDynamicValueMappingRequest]) (*connect.Response[dynamicvaluemapping.UpdateDynamicValueMappingResponse], error) {
+ return c.updateDynamicValueMapping.CallUnary(ctx, req)
+}
+
+// DeleteDynamicValueMapping calls
+// policy.dynamicvaluemapping.DynamicValueMappingService.DeleteDynamicValueMapping.
+func (c *dynamicValueMappingServiceClient) DeleteDynamicValueMapping(ctx context.Context, req *connect.Request[dynamicvaluemapping.DeleteDynamicValueMappingRequest]) (*connect.Response[dynamicvaluemapping.DeleteDynamicValueMappingResponse], error) {
+ return c.deleteDynamicValueMapping.CallUnary(ctx, req)
+}
+
+// DynamicValueMappingServiceHandler is an implementation of the
+// policy.dynamicvaluemapping.DynamicValueMappingService service.
+type DynamicValueMappingServiceHandler interface {
+ ListDynamicValueMappings(context.Context, *connect.Request[dynamicvaluemapping.ListDynamicValueMappingsRequest]) (*connect.Response[dynamicvaluemapping.ListDynamicValueMappingsResponse], error)
+ GetDynamicValueMapping(context.Context, *connect.Request[dynamicvaluemapping.GetDynamicValueMappingRequest]) (*connect.Response[dynamicvaluemapping.GetDynamicValueMappingResponse], error)
+ CreateDynamicValueMapping(context.Context, *connect.Request[dynamicvaluemapping.CreateDynamicValueMappingRequest]) (*connect.Response[dynamicvaluemapping.CreateDynamicValueMappingResponse], error)
+ UpdateDynamicValueMapping(context.Context, *connect.Request[dynamicvaluemapping.UpdateDynamicValueMappingRequest]) (*connect.Response[dynamicvaluemapping.UpdateDynamicValueMappingResponse], error)
+ DeleteDynamicValueMapping(context.Context, *connect.Request[dynamicvaluemapping.DeleteDynamicValueMappingRequest]) (*connect.Response[dynamicvaluemapping.DeleteDynamicValueMappingResponse], error)
+}
+
+// NewDynamicValueMappingServiceHandler builds an HTTP handler from the service implementation. It
+// returns the path on which to mount the handler and the handler itself.
+//
+// By default, handlers support the Connect, gRPC, and gRPC-Web protocols with the binary Protobuf
+// and JSON codecs. They also support gzip compression.
+func NewDynamicValueMappingServiceHandler(svc DynamicValueMappingServiceHandler, opts ...connect.HandlerOption) (string, http.Handler) {
+ dynamicValueMappingServiceMethods := dynamicvaluemapping.File_policy_dynamicvaluemapping_dynamic_value_mapping_proto.Services().ByName("DynamicValueMappingService").Methods()
+ dynamicValueMappingServiceListDynamicValueMappingsHandler := connect.NewUnaryHandler(
+ DynamicValueMappingServiceListDynamicValueMappingsProcedure,
+ svc.ListDynamicValueMappings,
+ connect.WithSchema(dynamicValueMappingServiceMethods.ByName("ListDynamicValueMappings")),
+ connect.WithIdempotency(connect.IdempotencyNoSideEffects),
+ connect.WithHandlerOptions(opts...),
+ )
+ dynamicValueMappingServiceGetDynamicValueMappingHandler := connect.NewUnaryHandler(
+ DynamicValueMappingServiceGetDynamicValueMappingProcedure,
+ svc.GetDynamicValueMapping,
+ connect.WithSchema(dynamicValueMappingServiceMethods.ByName("GetDynamicValueMapping")),
+ connect.WithIdempotency(connect.IdempotencyNoSideEffects),
+ connect.WithHandlerOptions(opts...),
+ )
+ dynamicValueMappingServiceCreateDynamicValueMappingHandler := connect.NewUnaryHandler(
+ DynamicValueMappingServiceCreateDynamicValueMappingProcedure,
+ svc.CreateDynamicValueMapping,
+ connect.WithSchema(dynamicValueMappingServiceMethods.ByName("CreateDynamicValueMapping")),
+ connect.WithHandlerOptions(opts...),
+ )
+ dynamicValueMappingServiceUpdateDynamicValueMappingHandler := connect.NewUnaryHandler(
+ DynamicValueMappingServiceUpdateDynamicValueMappingProcedure,
+ svc.UpdateDynamicValueMapping,
+ connect.WithSchema(dynamicValueMappingServiceMethods.ByName("UpdateDynamicValueMapping")),
+ connect.WithHandlerOptions(opts...),
+ )
+ dynamicValueMappingServiceDeleteDynamicValueMappingHandler := connect.NewUnaryHandler(
+ DynamicValueMappingServiceDeleteDynamicValueMappingProcedure,
+ svc.DeleteDynamicValueMapping,
+ connect.WithSchema(dynamicValueMappingServiceMethods.ByName("DeleteDynamicValueMapping")),
+ connect.WithHandlerOptions(opts...),
+ )
+ return "/policy.dynamicvaluemapping.DynamicValueMappingService/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ switch r.URL.Path {
+ case DynamicValueMappingServiceListDynamicValueMappingsProcedure:
+ dynamicValueMappingServiceListDynamicValueMappingsHandler.ServeHTTP(w, r)
+ case DynamicValueMappingServiceGetDynamicValueMappingProcedure:
+ dynamicValueMappingServiceGetDynamicValueMappingHandler.ServeHTTP(w, r)
+ case DynamicValueMappingServiceCreateDynamicValueMappingProcedure:
+ dynamicValueMappingServiceCreateDynamicValueMappingHandler.ServeHTTP(w, r)
+ case DynamicValueMappingServiceUpdateDynamicValueMappingProcedure:
+ dynamicValueMappingServiceUpdateDynamicValueMappingHandler.ServeHTTP(w, r)
+ case DynamicValueMappingServiceDeleteDynamicValueMappingProcedure:
+ dynamicValueMappingServiceDeleteDynamicValueMappingHandler.ServeHTTP(w, r)
+ default:
+ http.NotFound(w, r)
+ }
+ })
+}
+
+// UnimplementedDynamicValueMappingServiceHandler returns CodeUnimplemented from all methods.
+type UnimplementedDynamicValueMappingServiceHandler struct{}
+
+func (UnimplementedDynamicValueMappingServiceHandler) ListDynamicValueMappings(context.Context, *connect.Request[dynamicvaluemapping.ListDynamicValueMappingsRequest]) (*connect.Response[dynamicvaluemapping.ListDynamicValueMappingsResponse], error) {
+ return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.dynamicvaluemapping.DynamicValueMappingService.ListDynamicValueMappings is not implemented"))
+}
+
+func (UnimplementedDynamicValueMappingServiceHandler) GetDynamicValueMapping(context.Context, *connect.Request[dynamicvaluemapping.GetDynamicValueMappingRequest]) (*connect.Response[dynamicvaluemapping.GetDynamicValueMappingResponse], error) {
+ return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.dynamicvaluemapping.DynamicValueMappingService.GetDynamicValueMapping is not implemented"))
+}
+
+func (UnimplementedDynamicValueMappingServiceHandler) CreateDynamicValueMapping(context.Context, *connect.Request[dynamicvaluemapping.CreateDynamicValueMappingRequest]) (*connect.Response[dynamicvaluemapping.CreateDynamicValueMappingResponse], error) {
+ return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.dynamicvaluemapping.DynamicValueMappingService.CreateDynamicValueMapping is not implemented"))
+}
+
+func (UnimplementedDynamicValueMappingServiceHandler) UpdateDynamicValueMapping(context.Context, *connect.Request[dynamicvaluemapping.UpdateDynamicValueMappingRequest]) (*connect.Response[dynamicvaluemapping.UpdateDynamicValueMappingResponse], error) {
+ return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.dynamicvaluemapping.DynamicValueMappingService.UpdateDynamicValueMapping is not implemented"))
+}
+
+func (UnimplementedDynamicValueMappingServiceHandler) DeleteDynamicValueMapping(context.Context, *connect.Request[dynamicvaluemapping.DeleteDynamicValueMappingRequest]) (*connect.Response[dynamicvaluemapping.DeleteDynamicValueMappingResponse], error) {
+ return nil, connect.NewError(connect.CodeUnimplemented, errors.New("policy.dynamicvaluemapping.DynamicValueMappingService.DeleteDynamicValueMapping is not implemented"))
+}
diff --git a/protocol/go/policy/objects.pb.go b/protocol/go/policy/objects.pb.go
index b9eda84a37..4d90965eda 100644
--- a/protocol/go/policy/objects.pb.go
+++ b/protocol/go/policy/objects.pb.go
@@ -180,6 +180,64 @@ func (ConditionBooleanTypeEnum) EnumDescriptor() ([]byte, []int) {
return file_policy_objects_proto_rawDescGZIP(), []int{2}
}
+// Operators for dynamic, definition-level value entitlement. Unlike
+// SubjectMappingOperatorEnum, whose right-hand operand is a static list authored into
+// policy, a DynamicValueOperatorEnum's right-hand operand is the requested resource's
+// attribute value segment, supplied at decision time. Each value is the inversion of its
+// static SubjectMappingOperatorEnum counterpart.
+type DynamicValueOperatorEnum int32
+
+const (
+ DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED DynamicValueOperatorEnum = 0
+ // true when the requested resource value segment equals one of the values resolved by
+ // the selector against the entity representation (inversion of IN)
+ DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN DynamicValueOperatorEnum = 1
+ // true when one of the selector-resolved entity values contains the requested resource
+ // value segment as a substring (inversion of IN_CONTAINS)
+ DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS DynamicValueOperatorEnum = 2
+)
+
+// Enum value maps for DynamicValueOperatorEnum.
+var (
+ DynamicValueOperatorEnum_name = map[int32]string{
+ 0: "DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED",
+ 1: "DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN",
+ 2: "DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS",
+ }
+ DynamicValueOperatorEnum_value = map[string]int32{
+ "DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED": 0,
+ "DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN": 1,
+ "DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS": 2,
+ }
+)
+
+func (x DynamicValueOperatorEnum) Enum() *DynamicValueOperatorEnum {
+ p := new(DynamicValueOperatorEnum)
+ *p = x
+ return p
+}
+
+func (x DynamicValueOperatorEnum) String() string {
+ return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (DynamicValueOperatorEnum) Descriptor() protoreflect.EnumDescriptor {
+ return file_policy_objects_proto_enumTypes[3].Descriptor()
+}
+
+func (DynamicValueOperatorEnum) Type() protoreflect.EnumType {
+ return &file_policy_objects_proto_enumTypes[3]
+}
+
+func (x DynamicValueOperatorEnum) Number() protoreflect.EnumNumber {
+ return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Use DynamicValueOperatorEnum.Descriptor instead.
+func (DynamicValueOperatorEnum) EnumDescriptor() ([]byte, []int) {
+ return file_policy_objects_proto_rawDescGZIP(), []int{3}
+}
+
// Describes whether this kas is managed by the organization or if they imported
// the kas information from an external party. These two modes are necessary in order
// to encrypt a tdf dek with an external parties kas public key.
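Review bot: The comment on `DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS` defines a substring test in which the requested resource value segment, supplied at decision time, is searched for inside the entity value. Under that definition an empty or very short segment would match almost any selector-resolved entity value and so satisfy the resolver. Nothing in this hunk states a minimum length or a delimiter-aware comparison; the evaluator is not part of this section, so it may already guard against this. Because this file is generated, the wording belongs in the proto source, for example `// an empty resource value segment never matches; evaluators must reject it before comparing`. The decision code should be checked to enforce the same rule.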
@@ -218,11 +276,11 @@ func (x SourceType) String() string {
}
func (SourceType) Descriptor() protoreflect.EnumDescriptor {
- return file_policy_objects_proto_enumTypes[3].Descriptor()
+ return file_policy_objects_proto_enumTypes[4].Descriptor()
}
func (SourceType) Type() protoreflect.EnumType {
- return &file_policy_objects_proto_enumTypes[3]
+ return &file_policy_objects_proto_enumTypes[4]
}
func (x SourceType) Number() protoreflect.EnumNumber {
@@ -231,7 +289,7 @@ func (x SourceType) Number() protoreflect.EnumNumber {
// Deprecated: Use SourceType.Descriptor instead.
func (SourceType) EnumDescriptor() ([]byte, []int) {
- return file_policy_objects_proto_rawDescGZIP(), []int{3}
+ return file_policy_objects_proto_rawDescGZIP(), []int{4}
}
type KasPublicKeyAlgEnum int32
@@ -285,11 +343,11 @@ func (x KasPublicKeyAlgEnum) String() string {
}
func (KasPublicKeyAlgEnum) Descriptor() protoreflect.EnumDescriptor {
- return file_policy_objects_proto_enumTypes[4].Descriptor()
+ return file_policy_objects_proto_enumTypes[5].Descriptor()
}
func (KasPublicKeyAlgEnum) Type() protoreflect.EnumType {
- return &file_policy_objects_proto_enumTypes[4]
+ return &file_policy_objects_proto_enumTypes[5]
}
func (x KasPublicKeyAlgEnum) Number() protoreflect.EnumNumber {
@@ -298,7 +356,7 @@ func (x KasPublicKeyAlgEnum) Number() protoreflect.EnumNumber {
// Deprecated: Use KasPublicKeyAlgEnum.Descriptor instead.
func (KasPublicKeyAlgEnum) EnumDescriptor() ([]byte, []int) {
- return file_policy_objects_proto_rawDescGZIP(), []int{4}
+ return file_policy_objects_proto_rawDescGZIP(), []int{5}
}
// Supported key algorithms.
@@ -353,11 +411,11 @@ func (x Algorithm) String() string {
}
func (Algorithm) Descriptor() protoreflect.EnumDescriptor {
- return file_policy_objects_proto_enumTypes[5].Descriptor()
+ return file_policy_objects_proto_enumTypes[6].Descriptor()
}
func (Algorithm) Type() protoreflect.EnumType {
- return &file_policy_objects_proto_enumTypes[5]
+ return &file_policy_objects_proto_enumTypes[6]
}
func (x Algorithm) Number() protoreflect.EnumNumber {
@@ -366,7 +424,7 @@ func (x Algorithm) Number() protoreflect.EnumNumber {
// Deprecated: Use Algorithm.Descriptor instead.
func (Algorithm) EnumDescriptor() ([]byte, []int) {
- return file_policy_objects_proto_rawDescGZIP(), []int{5}
+ return file_policy_objects_proto_rawDescGZIP(), []int{6}
}
// The status of the key
@@ -403,11 +461,11 @@ func (x KeyStatus) String() string {
}
func (KeyStatus) Descriptor() protoreflect.EnumDescriptor {
- return file_policy_objects_proto_enumTypes[6].Descriptor()
+ return file_policy_objects_proto_enumTypes[7].Descriptor()
}
func (KeyStatus) Type() protoreflect.EnumType {
- return &file_policy_objects_proto_enumTypes[6]
+ return &file_policy_objects_proto_enumTypes[7]
}
func (x KeyStatus) Number() protoreflect.EnumNumber {
@@ -416,7 +474,7 @@ func (x KeyStatus) Number() protoreflect.EnumNumber {
// Deprecated: Use KeyStatus.Descriptor instead.
func (KeyStatus) EnumDescriptor() ([]byte, []int) {
- return file_policy_objects_proto_rawDescGZIP(), []int{6}
+ return file_policy_objects_proto_rawDescGZIP(), []int{7}
}
// Describes the management and operational mode of a cryptographic key.
@@ -472,11 +530,11 @@ func (x KeyMode) String() string {
}
func (KeyMode) Descriptor() protoreflect.EnumDescriptor {
- return file_policy_objects_proto_enumTypes[7].Descriptor()
+ return file_policy_objects_proto_enumTypes[8].Descriptor()
}
func (KeyMode) Type() protoreflect.EnumType {
- return &file_policy_objects_proto_enumTypes[7]
+ return &file_policy_objects_proto_enumTypes[8]
}
func (x KeyMode) Number() protoreflect.EnumNumber {
@@ -485,7 +543,7 @@ func (x KeyMode) Number() protoreflect.EnumNumber {
// Deprecated: Use KeyMode.Descriptor instead.
func (KeyMode) EnumDescriptor() ([]byte, []int) {
- return file_policy_objects_proto_rawDescGZIP(), []int{7}
+ return file_policy_objects_proto_rawDescGZIP(), []int{8}
}
type Action_StandardAction int32
@@ -525,11 +583,11 @@ func (x Action_StandardAction) String() string {
}
func (Action_StandardAction) Descriptor() protoreflect.EnumDescriptor {
- return file_policy_objects_proto_enumTypes[8].Descriptor()
+ return file_policy_objects_proto_enumTypes[9].Descriptor()
}
func (Action_StandardAction) Type() protoreflect.EnumType {
- return &file_policy_objects_proto_enumTypes[8]
+ return &file_policy_objects_proto_enumTypes[9]
}
func (x Action_StandardAction) Number() protoreflect.EnumNumber {
@@ -1331,6 +1389,174 @@ func (x *SubjectMapping) GetMetadata() *common.Metadata {
return nil
}
+// Definition Value Resolver: the dynamic half of a DynamicValueMapping. It
+// resolves a selector against the entity representation and compares the result to the
+// requested resource value segment using a DynamicValueOperatorEnum.
+type DynamicValueResolver struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ // a selector for a field value on a flattened Entity Representation (such as from
+ // idP/LDAP), e.g. ".patientAssignments[]"
+ SubjectExternalSelectorValue string `protobuf:"bytes,1,opt,name=subject_external_selector_value,json=subjectExternalSelectorValue,proto3" json:"subject_external_selector_value,omitempty"`
+ // the dynamic operator comparing the selector result to the resource value segment
+ Operator DynamicValueOperatorEnum `protobuf:"varint,2,opt,name=operator,proto3,enum=policy.DynamicValueOperatorEnum" json:"operator,omitempty"`
+}
+
+func (x *DynamicValueResolver) Reset() {
+ *x = DynamicValueResolver{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_policy_objects_proto_msgTypes[8]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *DynamicValueResolver) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*DynamicValueResolver) ProtoMessage() {}
+
+func (x *DynamicValueResolver) ProtoReflect() protoreflect.Message {
+ mi := &file_policy_objects_proto_msgTypes[8]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use DynamicValueResolver.ProtoReflect.Descriptor instead.
+func (*DynamicValueResolver) Descriptor() ([]byte, []int) {
+ return file_policy_objects_proto_rawDescGZIP(), []int{8}
+}
+
+func (x *DynamicValueResolver) GetSubjectExternalSelectorValue() string {
+ if x != nil {
+ return x.SubjectExternalSelectorValue
+ }
+ return ""
+}
+
+func (x *DynamicValueResolver) GetOperator() DynamicValueOperatorEnum {
+ if x != nil {
+ return x.Operator
+ }
+ return DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED
+}
+
+// Dynamic Value Mapping: a Policy assigning permitted action(s) to
+// dynamically-requested values under an Attribute Definition. It raises entitlement
+// authority from a concrete Attribute Value to the Attribute Definition: at decision time
+// the value_resolver compares the requested resource value segment against the entity
+// representation, avoiding pre-provisioning a value + subject mapping per discrete value.
+type DynamicValueMapping struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
+ // the Attribute Definition whose values are entitled dynamically
+ AttributeDefinition *Attribute `protobuf:"bytes,2,opt,name=attribute_definition,json=attributeDefinition,proto3" json:"attribute_definition,omitempty"`
+ // the dynamic resolver matched against the requested resource value segment
+ ValueResolver *DynamicValueResolver `protobuf:"bytes,3,opt,name=value_resolver,json=valueResolver,proto3" json:"value_resolver,omitempty"`
+ // optional static pre-gate on the entity, evaluated with normal SubjectConditionSet
+ // semantics (no dynamic overload). When present, both the gate and the resolver must
+ // pass for entitlement.
+ SubjectConditionSet *SubjectConditionSet `protobuf:"bytes,4,opt,name=subject_condition_set,json=subjectConditionSet,proto3" json:"subject_condition_set,omitempty"`
+ // the actions permitted by subjects in this mapping
+ Actions []*Action `protobuf:"bytes,5,rep,name=actions,proto3" json:"actions,omitempty"`
+ // the namespace containing this mapping
+ Namespace *Namespace `protobuf:"bytes,6,opt,name=namespace,proto3" json:"namespace,omitempty"`
+ Metadata *common.Metadata `protobuf:"bytes,100,opt,name=metadata,proto3" json:"metadata,omitempty"`
+}
+
+func (x *DynamicValueMapping) Reset() {
+ *x = DynamicValueMapping{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_policy_objects_proto_msgTypes[9]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *DynamicValueMapping) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*DynamicValueMapping) ProtoMessage() {}
+
+func (x *DynamicValueMapping) ProtoReflect() protoreflect.Message {
+ mi := &file_policy_objects_proto_msgTypes[9]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use DynamicValueMapping.ProtoReflect.Descriptor instead.
+func (*DynamicValueMapping) Descriptor() ([]byte, []int) {
+ return file_policy_objects_proto_rawDescGZIP(), []int{9}
+}
+
+func (x *DynamicValueMapping) GetId() string {
+ if x != nil {
+ return x.Id
+ }
+ return ""
+}
+
+func (x *DynamicValueMapping) GetAttributeDefinition() *Attribute {
+ if x != nil {
+ return x.AttributeDefinition
+ }
+ return nil
+}
+
+func (x *DynamicValueMapping) GetValueResolver() *DynamicValueResolver {
+ if x != nil {
+ return x.ValueResolver
+ }
+ return nil
+}
+
+func (x *DynamicValueMapping) GetSubjectConditionSet() *SubjectConditionSet {
+ if x != nil {
+ return x.SubjectConditionSet
+ }
+ return nil
+}
+
+func (x *DynamicValueMapping) GetActions() []*Action {
+ if x != nil {
+ return x.Actions
+ }
+ return nil
+}
+
+func (x *DynamicValueMapping) GetNamespace() *Namespace {
+ if x != nil {
+ return x.Namespace
+ }
+ return nil
+}
+
+func (x *DynamicValueMapping) GetMetadata() *common.Metadata {
+ if x != nil {
+ return x.Metadata
+ }
+ return nil
+}
+
// *
// A Condition defines a rule of
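Review bot: The `DynamicValueMapping` comments do not say what a mapping grants when `value_resolver` is unset or its operator is `DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED`, which is what `GetOperator` returns for a nil resolver. Since `subject_condition_set` is documented as an optional pre-gate, a mapping with no usable resolver and no gate has nothing left to restrict its `actions`. The evaluation code is outside this hunk, so whether it fails closed cannot be confirmed here. I would state the contract on the field in the proto source (this file is generated), e.g. `// required: a mapping with no value_resolver or an UNSPECIFIED operator grants nothing`.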
@@ -1353,7 +1579,7 @@ type Condition struct {
func (x *Condition) Reset() {
*x = Condition{}
if protoimpl.UnsafeEnabled {
- mi := &file_policy_objects_proto_msgTypes[8]
+ mi := &file_policy_objects_proto_msgTypes[10]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -1366,7 +1592,7 @@ func (x *Condition) String() string {
func (*Condition) ProtoMessage() {}
func (x *Condition) ProtoReflect() protoreflect.Message {
- mi := &file_policy_objects_proto_msgTypes[8]
+ mi := &file_policy_objects_proto_msgTypes[10]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -1379,7 +1605,7 @@ func (x *Condition) ProtoReflect() protoreflect.Message {
// Deprecated: Use Condition.ProtoReflect.Descriptor instead.
func (*Condition) Descriptor() ([]byte, []int) {
- return file_policy_objects_proto_rawDescGZIP(), []int{8}
+ return file_policy_objects_proto_rawDescGZIP(), []int{10}
}
func (x *Condition) GetSubjectExternalSelectorValue() string {
@@ -1417,7 +1643,7 @@ type ConditionGroup struct {
func (x *ConditionGroup) Reset() {
*x = ConditionGroup{}
if protoimpl.UnsafeEnabled {
- mi := &file_policy_objects_proto_msgTypes[9]
+ mi := &file_policy_objects_proto_msgTypes[11]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -1430,7 +1656,7 @@ func (x *ConditionGroup) String() string {
func (*ConditionGroup) ProtoMessage() {}
func (x *ConditionGroup) ProtoReflect() protoreflect.Message {
- mi := &file_policy_objects_proto_msgTypes[9]
+ mi := &file_policy_objects_proto_msgTypes[11]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -1443,7 +1669,7 @@ func (x *ConditionGroup) ProtoReflect() protoreflect.Message {
// Deprecated: Use ConditionGroup.ProtoReflect.Descriptor instead.
func (*ConditionGroup) Descriptor() ([]byte, []int) {
- return file_policy_objects_proto_rawDescGZIP(), []int{9}
+ return file_policy_objects_proto_rawDescGZIP(), []int{11}
}
func (x *ConditionGroup) GetConditions() []*Condition {
@@ -1473,7 +1699,7 @@ type SubjectSet struct {
func (x *SubjectSet) Reset() {
*x = SubjectSet{}
if protoimpl.UnsafeEnabled {
- mi := &file_policy_objects_proto_msgTypes[10]
+ mi := &file_policy_objects_proto_msgTypes[12]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -1486,7 +1712,7 @@ func (x *SubjectSet) String() string {
func (*SubjectSet) ProtoMessage() {}
func (x *SubjectSet) ProtoReflect() protoreflect.Message {
- mi := &file_policy_objects_proto_msgTypes[10]
+ mi := &file_policy_objects_proto_msgTypes[12]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -1499,7 +1725,7 @@ func (x *SubjectSet) ProtoReflect() protoreflect.Message {
// Deprecated: Use SubjectSet.ProtoReflect.Descriptor instead.
func (*SubjectSet) Descriptor() ([]byte, []int) {
- return file_policy_objects_proto_rawDescGZIP(), []int{10}
+ return file_policy_objects_proto_rawDescGZIP(), []int{12}
}
func (x *SubjectSet) GetConditionGroups() []*ConditionGroup {
@@ -1531,7 +1757,7 @@ type SubjectConditionSet struct {
func (x *SubjectConditionSet) Reset() {
*x = SubjectConditionSet{}
if protoimpl.UnsafeEnabled {
- mi := &file_policy_objects_proto_msgTypes[11]
+ mi := &file_policy_objects_proto_msgTypes[13]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -1544,7 +1770,7 @@ func (x *SubjectConditionSet) String() string {
func (*SubjectConditionSet) ProtoMessage() {}
func (x *SubjectConditionSet) ProtoReflect() protoreflect.Message {
- mi := &file_policy_objects_proto_msgTypes[11]
+ mi := &file_policy_objects_proto_msgTypes[13]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -1557,7 +1783,7 @@ func (x *SubjectConditionSet) ProtoReflect() protoreflect.Message {
// Deprecated: Use SubjectConditionSet.ProtoReflect.Descriptor instead.
func (*SubjectConditionSet) Descriptor() ([]byte, []int) {
- return file_policy_objects_proto_rawDescGZIP(), []int{11}
+ return file_policy_objects_proto_rawDescGZIP(), []int{13}
}
func (x *SubjectConditionSet) GetId() string {
@@ -1610,7 +1836,7 @@ type SubjectProperty struct {
func (x *SubjectProperty) Reset() {
*x = SubjectProperty{}
if protoimpl.UnsafeEnabled {
- mi := &file_policy_objects_proto_msgTypes[12]
+ mi := &file_policy_objects_proto_msgTypes[14]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -1623,7 +1849,7 @@ func (x *SubjectProperty) String() string {
func (*SubjectProperty) ProtoMessage() {}
func (x *SubjectProperty) ProtoReflect() protoreflect.Message {
- mi := &file_policy_objects_proto_msgTypes[12]
+ mi := &file_policy_objects_proto_msgTypes[14]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -1636,7 +1862,7 @@ func (x *SubjectProperty) ProtoReflect() protoreflect.Message {
// Deprecated: Use SubjectProperty.ProtoReflect.Descriptor instead.
func (*SubjectProperty) Descriptor() ([]byte, []int) {
- return file_policy_objects_proto_rawDescGZIP(), []int{12}
+ return file_policy_objects_proto_rawDescGZIP(), []int{14}
}
func (x *SubjectProperty) GetExternalSelectorValue() string {
@@ -1675,7 +1901,7 @@ type ResourceMappingGroup struct {
func (x *ResourceMappingGroup) Reset() {
*x = ResourceMappingGroup{}
if protoimpl.UnsafeEnabled {
- mi := &file_policy_objects_proto_msgTypes[13]
+ mi := &file_policy_objects_proto_msgTypes[15]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -1688,7 +1914,7 @@ func (x *ResourceMappingGroup) String() string {
func (*ResourceMappingGroup) ProtoMessage() {}
func (x *ResourceMappingGroup) ProtoReflect() protoreflect.Message {
- mi := &file_policy_objects_proto_msgTypes[13]
+ mi := &file_policy_objects_proto_msgTypes[15]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -1701,7 +1927,7 @@ func (x *ResourceMappingGroup) ProtoReflect() protoreflect.Message {
// Deprecated: Use ResourceMappingGroup.ProtoReflect.Descriptor instead.
func (*ResourceMappingGroup) Descriptor() ([]byte, []int) {
- return file_policy_objects_proto_rawDescGZIP(), []int{13}
+ return file_policy_objects_proto_rawDescGZIP(), []int{15}
}
func (x *ResourceMappingGroup) GetId() string {
@@ -1756,7 +1982,7 @@ type ResourceMapping struct {
func (x *ResourceMapping) Reset() {
*x = ResourceMapping{}
if protoimpl.UnsafeEnabled {
- mi := &file_policy_objects_proto_msgTypes[14]
+ mi := &file_policy_objects_proto_msgTypes[16]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -1769,7 +1995,7 @@ func (x *ResourceMapping) String() string {
func (*ResourceMapping) ProtoMessage() {}
func (x *ResourceMapping) ProtoReflect() protoreflect.Message {
- mi := &file_policy_objects_proto_msgTypes[14]
+ mi := &file_policy_objects_proto_msgTypes[16]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -1782,7 +2008,7 @@ func (x *ResourceMapping) ProtoReflect() protoreflect.Message {
// Deprecated: Use ResourceMapping.ProtoReflect.Descriptor instead.
func (*ResourceMapping) Descriptor() ([]byte, []int) {
- return file_policy_objects_proto_rawDescGZIP(), []int{14}
+ return file_policy_objects_proto_rawDescGZIP(), []int{16}
}
func (x *ResourceMapping) GetId() string {
@@ -1845,7 +2071,7 @@ type KeyAccessServer struct {
func (x *KeyAccessServer) Reset() {
*x = KeyAccessServer{}
if protoimpl.UnsafeEnabled {
- mi := &file_policy_objects_proto_msgTypes[15]
+ mi := &file_policy_objects_proto_msgTypes[17]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -1858,7 +2084,7 @@ func (x *KeyAccessServer) String() string {
func (*KeyAccessServer) ProtoMessage() {}
func (x *KeyAccessServer) ProtoReflect() protoreflect.Message {
- mi := &file_policy_objects_proto_msgTypes[15]
+ mi := &file_policy_objects_proto_msgTypes[17]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -1871,7 +2097,7 @@ func (x *KeyAccessServer) ProtoReflect() protoreflect.Message {
// Deprecated: Use KeyAccessServer.ProtoReflect.Descriptor instead.
func (*KeyAccessServer) Descriptor() ([]byte, []int) {
- return file_policy_objects_proto_rawDescGZIP(), []int{15}
+ return file_policy_objects_proto_rawDescGZIP(), []int{17}
}
func (x *KeyAccessServer) GetId() string {
@@ -1941,7 +2167,7 @@ type Key struct {
func (x *Key) Reset() {
*x = Key{}
if protoimpl.UnsafeEnabled {
- mi := &file_policy_objects_proto_msgTypes[16]
+ mi := &file_policy_objects_proto_msgTypes[18]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -1954,7 +2180,7 @@ func (x *Key) String() string {
func (*Key) ProtoMessage() {}
func (x *Key) ProtoReflect() protoreflect.Message {
- mi := &file_policy_objects_proto_msgTypes[16]
+ mi := &file_policy_objects_proto_msgTypes[18]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -1967,7 +2193,7 @@ func (x *Key) ProtoReflect() protoreflect.Message {
// Deprecated: Use Key.ProtoReflect.Descriptor instead.
func (*Key) Descriptor() ([]byte, []int) {
- return file_policy_objects_proto_rawDescGZIP(), []int{16}
+ return file_policy_objects_proto_rawDescGZIP(), []int{18}
}
func (x *Key) GetId() string {
@@ -2032,7 +2258,7 @@ type KasPublicKey struct {
func (x *KasPublicKey) Reset() {
*x = KasPublicKey{}
if protoimpl.UnsafeEnabled {
- mi := &file_policy_objects_proto_msgTypes[17]
+ mi := &file_policy_objects_proto_msgTypes[19]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -2045,7 +2271,7 @@ func (x *KasPublicKey) String() string {
func (*KasPublicKey) ProtoMessage() {}
func (x *KasPublicKey) ProtoReflect() protoreflect.Message {
- mi := &file_policy_objects_proto_msgTypes[17]
+ mi := &file_policy_objects_proto_msgTypes[19]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -2058,7 +2284,7 @@ func (x *KasPublicKey) ProtoReflect() protoreflect.Message {
// Deprecated: Use KasPublicKey.ProtoReflect.Descriptor instead.
func (*KasPublicKey) Descriptor() ([]byte, []int) {
- return file_policy_objects_proto_rawDescGZIP(), []int{17}
+ return file_policy_objects_proto_rawDescGZIP(), []int{19}
}
func (x *KasPublicKey) GetPem() string {
@@ -2095,7 +2321,7 @@ type KasPublicKeySet struct {
func (x *KasPublicKeySet) Reset() {
*x = KasPublicKeySet{}
if protoimpl.UnsafeEnabled {
- mi := &file_policy_objects_proto_msgTypes[18]
+ mi := &file_policy_objects_proto_msgTypes[20]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -2108,7 +2334,7 @@ func (x *KasPublicKeySet) String() string {
func (*KasPublicKeySet) ProtoMessage() {}
func (x *KasPublicKeySet) ProtoReflect() protoreflect.Message {
- mi := &file_policy_objects_proto_msgTypes[18]
+ mi := &file_policy_objects_proto_msgTypes[20]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -2121,7 +2347,7 @@ func (x *KasPublicKeySet) ProtoReflect() protoreflect.Message {
// Deprecated: Use KasPublicKeySet.ProtoReflect.Descriptor instead.
func (*KasPublicKeySet) Descriptor() ([]byte, []int) {
- return file_policy_objects_proto_rawDescGZIP(), []int{18}
+ return file_policy_objects_proto_rawDescGZIP(), []int{20}
}
func (x *KasPublicKeySet) GetKeys() []*KasPublicKey {
@@ -2147,7 +2373,7 @@ type PublicKey struct {
func (x *PublicKey) Reset() {
*x = PublicKey{}
if protoimpl.UnsafeEnabled {
- mi := &file_policy_objects_proto_msgTypes[19]
+ mi := &file_policy_objects_proto_msgTypes[21]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -2160,7 +2386,7 @@ func (x *PublicKey) String() string {
func (*PublicKey) ProtoMessage() {}
func (x *PublicKey) ProtoReflect() protoreflect.Message {
- mi := &file_policy_objects_proto_msgTypes[19]
+ mi := &file_policy_objects_proto_msgTypes[21]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -2173,7 +2399,7 @@ func (x *PublicKey) ProtoReflect() protoreflect.Message {
// Deprecated: Use PublicKey.ProtoReflect.Descriptor instead.
func (*PublicKey) Descriptor() ([]byte, []int) {
- return file_policy_objects_proto_rawDescGZIP(), []int{19}
+ return file_policy_objects_proto_rawDescGZIP(), []int{21}
}
func (m *PublicKey) GetPublicKey() isPublicKey_PublicKey {
@@ -2231,7 +2457,7 @@ type RegisteredResource struct {
func (x *RegisteredResource) Reset() {
*x = RegisteredResource{}
if protoimpl.UnsafeEnabled {
- mi := &file_policy_objects_proto_msgTypes[20]
+ mi := &file_policy_objects_proto_msgTypes[22]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -2244,7 +2470,7 @@ func (x *RegisteredResource) String() string {
func (*RegisteredResource) ProtoMessage() {}
func (x *RegisteredResource) ProtoReflect() protoreflect.Message {
- mi := &file_policy_objects_proto_msgTypes[20]
+ mi := &file_policy_objects_proto_msgTypes[22]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -2257,7 +2483,7 @@ func (x *RegisteredResource) ProtoReflect() protoreflect.Message {
// Deprecated: Use RegisteredResource.ProtoReflect.Descriptor instead.
func (*RegisteredResource) Descriptor() ([]byte, []int) {
- return file_policy_objects_proto_rawDescGZIP(), []int{20}
+ return file_policy_objects_proto_rawDescGZIP(), []int{22}
}
func (x *RegisteredResource) GetId() string {
@@ -2312,7 +2538,7 @@ type RegisteredResourceValue struct {
func (x *RegisteredResourceValue) Reset() {
*x = RegisteredResourceValue{}
if protoimpl.UnsafeEnabled {
- mi := &file_policy_objects_proto_msgTypes[21]
+ mi := &file_policy_objects_proto_msgTypes[23]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -2325,7 +2551,7 @@ func (x *RegisteredResourceValue) String() string {
func (*RegisteredResourceValue) ProtoMessage() {}
func (x *RegisteredResourceValue) ProtoReflect() protoreflect.Message {
- mi := &file_policy_objects_proto_msgTypes[21]
+ mi := &file_policy_objects_proto_msgTypes[23]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -2338,7 +2564,7 @@ func (x *RegisteredResourceValue) ProtoReflect() protoreflect.Message {
// Deprecated: Use RegisteredResourceValue.ProtoReflect.Descriptor instead.
func (*RegisteredResourceValue) Descriptor() ([]byte, []int) {
- return file_policy_objects_proto_rawDescGZIP(), []int{21}
+ return file_policy_objects_proto_rawDescGZIP(), []int{23}
}
func (x *RegisteredResourceValue) GetId() string {
@@ -2394,7 +2620,7 @@ type PolicyEnforcementPoint struct {
func (x *PolicyEnforcementPoint) Reset() {
*x = PolicyEnforcementPoint{}
if protoimpl.UnsafeEnabled {
- mi := &file_policy_objects_proto_msgTypes[22]
+ mi := &file_policy_objects_proto_msgTypes[24]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -2407,7 +2633,7 @@ func (x *PolicyEnforcementPoint) String() string {
func (*PolicyEnforcementPoint) ProtoMessage() {}
func (x *PolicyEnforcementPoint) ProtoReflect() protoreflect.Message {
- mi := &file_policy_objects_proto_msgTypes[22]
+ mi := &file_policy_objects_proto_msgTypes[24]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -2420,7 +2646,7 @@ func (x *PolicyEnforcementPoint) ProtoReflect() protoreflect.Message {
// Deprecated: Use PolicyEnforcementPoint.ProtoReflect.Descriptor instead.
func (*PolicyEnforcementPoint) Descriptor() ([]byte, []int) {
- return file_policy_objects_proto_rawDescGZIP(), []int{22}
+ return file_policy_objects_proto_rawDescGZIP(), []int{24}
}
func (x *PolicyEnforcementPoint) GetClientId() string {
@@ -2442,7 +2668,7 @@ type RequestContext struct {
func (x *RequestContext) Reset() {
*x = RequestContext{}
if protoimpl.UnsafeEnabled {
- mi := &file_policy_objects_proto_msgTypes[23]
+ mi := &file_policy_objects_proto_msgTypes[25]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -2455,7 +2681,7 @@ func (x *RequestContext) String() string {
func (*RequestContext) ProtoMessage() {}
func (x *RequestContext) ProtoReflect() protoreflect.Message {
- mi := &file_policy_objects_proto_msgTypes[23]
+ mi := &file_policy_objects_proto_msgTypes[25]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -2468,7 +2694,7 @@ func (x *RequestContext) ProtoReflect() protoreflect.Message {
// Deprecated: Use RequestContext.ProtoReflect.Descriptor instead.
func (*RequestContext) Descriptor() ([]byte, []int) {
- return file_policy_objects_proto_rawDescGZIP(), []int{23}
+ return file_policy_objects_proto_rawDescGZIP(), []int{25}
}
func (x *RequestContext) GetPep() *PolicyEnforcementPoint {
@@ -2494,7 +2720,7 @@ type Obligation struct {
func (x *Obligation) Reset() {
*x = Obligation{}
if protoimpl.UnsafeEnabled {
- mi := &file_policy_objects_proto_msgTypes[24]
+ mi := &file_policy_objects_proto_msgTypes[26]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -2507,7 +2733,7 @@ func (x *Obligation) String() string {
func (*Obligation) ProtoMessage() {}
func (x *Obligation) ProtoReflect() protoreflect.Message {
- mi := &file_policy_objects_proto_msgTypes[24]
+ mi := &file_policy_objects_proto_msgTypes[26]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -2520,7 +2746,7 @@ func (x *Obligation) ProtoReflect() protoreflect.Message {
// Deprecated: Use Obligation.ProtoReflect.Descriptor instead.
func (*Obligation) Descriptor() ([]byte, []int) {
- return file_policy_objects_proto_rawDescGZIP(), []int{24}
+ return file_policy_objects_proto_rawDescGZIP(), []int{26}
}
func (x *Obligation) GetId() string {
@@ -2581,7 +2807,7 @@ type ObligationValue struct {
func (x *ObligationValue) Reset() {
*x = ObligationValue{}
if protoimpl.UnsafeEnabled {
- mi := &file_policy_objects_proto_msgTypes[25]
+ mi := &file_policy_objects_proto_msgTypes[27]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -2594,7 +2820,7 @@ func (x *ObligationValue) String() string {
func (*ObligationValue) ProtoMessage() {}
func (x *ObligationValue) ProtoReflect() protoreflect.Message {
- mi := &file_policy_objects_proto_msgTypes[25]
+ mi := &file_policy_objects_proto_msgTypes[27]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -2607,7 +2833,7 @@ func (x *ObligationValue) ProtoReflect() protoreflect.Message {
// Deprecated: Use ObligationValue.ProtoReflect.Descriptor instead.
func (*ObligationValue) Descriptor() ([]byte, []int) {
- return file_policy_objects_proto_rawDescGZIP(), []int{25}
+ return file_policy_objects_proto_rawDescGZIP(), []int{27}
}
func (x *ObligationValue) GetId() string {
@@ -2670,7 +2896,7 @@ type ObligationTrigger struct {
func (x *ObligationTrigger) Reset() {
*x = ObligationTrigger{}
if protoimpl.UnsafeEnabled {
- mi := &file_policy_objects_proto_msgTypes[26]
+ mi := &file_policy_objects_proto_msgTypes[28]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -2683,7 +2909,7 @@ func (x *ObligationTrigger) String() string {
func (*ObligationTrigger) ProtoMessage() {}
func (x *ObligationTrigger) ProtoReflect() protoreflect.Message {
- mi := &file_policy_objects_proto_msgTypes[26]
+ mi := &file_policy_objects_proto_msgTypes[28]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -2696,7 +2922,7 @@ func (x *ObligationTrigger) ProtoReflect() protoreflect.Message {
// Deprecated: Use ObligationTrigger.ProtoReflect.Descriptor instead.
func (*ObligationTrigger) Descriptor() ([]byte, []int) {
- return file_policy_objects_proto_rawDescGZIP(), []int{26}
+ return file_policy_objects_proto_rawDescGZIP(), []int{28}
}
func (x *ObligationTrigger) GetId() string {
@@ -2761,7 +2987,7 @@ type KasKey struct {
func (x *KasKey) Reset() {
*x = KasKey{}
if protoimpl.UnsafeEnabled {
- mi := &file_policy_objects_proto_msgTypes[27]
+ mi := &file_policy_objects_proto_msgTypes[29]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -2774,7 +3000,7 @@ func (x *KasKey) String() string {
func (*KasKey) ProtoMessage() {}
func (x *KasKey) ProtoReflect() protoreflect.Message {
- mi := &file_policy_objects_proto_msgTypes[27]
+ mi := &file_policy_objects_proto_msgTypes[29]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -2787,7 +3013,7 @@ func (x *KasKey) ProtoReflect() protoreflect.Message {
// Deprecated: Use KasKey.ProtoReflect.Descriptor instead.
func (*KasKey) Descriptor() ([]byte, []int) {
- return file_policy_objects_proto_rawDescGZIP(), []int{27}
+ return file_policy_objects_proto_rawDescGZIP(), []int{29}
}
func (x *KasKey) GetKasId() string {
@@ -2823,7 +3049,7 @@ type PublicKeyCtx struct {
func (x *PublicKeyCtx) Reset() {
*x = PublicKeyCtx{}
if protoimpl.UnsafeEnabled {
- mi := &file_policy_objects_proto_msgTypes[28]
+ mi := &file_policy_objects_proto_msgTypes[30]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -2836,7 +3062,7 @@ func (x *PublicKeyCtx) String() string {
func (*PublicKeyCtx) ProtoMessage() {}
func (x *PublicKeyCtx) ProtoReflect() protoreflect.Message {
- mi := &file_policy_objects_proto_msgTypes[28]
+ mi := &file_policy_objects_proto_msgTypes[30]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -2849,7 +3075,7 @@ func (x *PublicKeyCtx) ProtoReflect() protoreflect.Message {
// Deprecated: Use PublicKeyCtx.ProtoReflect.Descriptor instead.
func (*PublicKeyCtx) Descriptor() ([]byte, []int) {
- return file_policy_objects_proto_rawDescGZIP(), []int{28}
+ return file_policy_objects_proto_rawDescGZIP(), []int{30}
}
func (x *PublicKeyCtx) GetPem() string {
@@ -2873,7 +3099,7 @@ type PrivateKeyCtx struct {
func (x *PrivateKeyCtx) Reset() {
*x = PrivateKeyCtx{}
if protoimpl.UnsafeEnabled {
- mi := &file_policy_objects_proto_msgTypes[29]
+ mi := &file_policy_objects_proto_msgTypes[31]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -2886,7 +3112,7 @@ func (x *PrivateKeyCtx) String() string {
func (*PrivateKeyCtx) ProtoMessage() {}
func (x *PrivateKeyCtx) ProtoReflect() protoreflect.Message {
- mi := &file_policy_objects_proto_msgTypes[29]
+ mi := &file_policy_objects_proto_msgTypes[31]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -2899,7 +3125,7 @@ func (x *PrivateKeyCtx) ProtoReflect() protoreflect.Message {
// Deprecated: Use PrivateKeyCtx.ProtoReflect.Descriptor instead.
func (*PrivateKeyCtx) Descriptor() ([]byte, []int) {
- return file_policy_objects_proto_rawDescGZIP(), []int{29}
+ return file_policy_objects_proto_rawDescGZIP(), []int{31}
}
func (x *PrivateKeyCtx) GetKeyId() string {
@@ -2946,7 +3172,7 @@ type AsymmetricKey struct {
func (x *AsymmetricKey) Reset() {
*x = AsymmetricKey{}
if protoimpl.UnsafeEnabled {
- mi := &file_policy_objects_proto_msgTypes[30]
+ mi := &file_policy_objects_proto_msgTypes[32]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -2959,7 +3185,7 @@ func (x *AsymmetricKey) String() string {
func (*AsymmetricKey) ProtoMessage() {}
func (x *AsymmetricKey) ProtoReflect() protoreflect.Message {
- mi := &file_policy_objects_proto_msgTypes[30]
+ mi := &file_policy_objects_proto_msgTypes[32]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -2972,7 +3198,7 @@ func (x *AsymmetricKey) ProtoReflect() protoreflect.Message {
// Deprecated: Use AsymmetricKey.ProtoReflect.Descriptor instead.
func (*AsymmetricKey) Descriptor() ([]byte, []int) {
- return file_policy_objects_proto_rawDescGZIP(), []int{30}
+ return file_policy_objects_proto_rawDescGZIP(), []int{32}
}
func (x *AsymmetricKey) GetId() string {
@@ -3063,7 +3289,7 @@ type SymmetricKey struct {
func (x *SymmetricKey) Reset() {
*x = SymmetricKey{}
if protoimpl.UnsafeEnabled {
- mi := &file_policy_objects_proto_msgTypes[31]
+ mi := &file_policy_objects_proto_msgTypes[33]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -3076,7 +3302,7 @@ func (x *SymmetricKey) String() string {
func (*SymmetricKey) ProtoMessage() {}
func (x *SymmetricKey) ProtoReflect() protoreflect.Message {
- mi := &file_policy_objects_proto_msgTypes[31]
+ mi := &file_policy_objects_proto_msgTypes[33]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -3089,7 +3315,7 @@ func (x *SymmetricKey) ProtoReflect() protoreflect.Message {
// Deprecated: Use SymmetricKey.ProtoReflect.Descriptor instead.
func (*SymmetricKey) Descriptor() ([]byte, []int) {
- return file_policy_objects_proto_rawDescGZIP(), []int{31}
+ return file_policy_objects_proto_rawDescGZIP(), []int{33}
}
func (x *SymmetricKey) GetId() string {
@@ -3156,7 +3382,7 @@ type RegisteredResourceValue_ActionAttributeValue struct {
func (x *RegisteredResourceValue_ActionAttributeValue) Reset() {
*x = RegisteredResourceValue_ActionAttributeValue{}
if protoimpl.UnsafeEnabled {
- mi := &file_policy_objects_proto_msgTypes[32]
+ mi := &file_policy_objects_proto_msgTypes[34]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -3169,7 +3395,7 @@ func (x *RegisteredResourceValue_ActionAttributeValue) String() string {
func (*RegisteredResourceValue_ActionAttributeValue) ProtoMessage() {}
func (x *RegisteredResourceValue_ActionAttributeValue) ProtoReflect() protoreflect.Message {
- mi := &file_policy_objects_proto_msgTypes[32]
+ mi := &file_policy_objects_proto_msgTypes[34]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -3182,7 +3408,7 @@ func (x *RegisteredResourceValue_ActionAttributeValue) ProtoReflect() protorefle
// Deprecated: Use RegisteredResourceValue_ActionAttributeValue.ProtoReflect.Descriptor instead.
func (*RegisteredResourceValue_ActionAttributeValue) Descriptor() ([]byte, []int) {
- return file_policy_objects_proto_rawDescGZIP(), []int{21, 0}
+ return file_policy_objects_proto_rawDescGZIP(), []int{23, 0}
}
func (x *RegisteredResourceValue_ActionAttributeValue) GetId() string {
@@ -3367,6 +3593,42 @@ var file_policy_objects_proto_rawDesc = []byte{
0x61, 0x63, 0x65, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x2c,
0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b,
0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61,
+ 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0xb0, 0x01, 0x0a,
+ 0x14, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x65, 0x73,
+ 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x12, 0x4d, 0x0a, 0x1f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74,
+ 0x5f, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74,
+ 0x6f, 0x72, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x06,
+ 0xba, 0x48, 0x03, 0xc8, 0x01, 0x01, 0x52, 0x1c, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x45,
+ 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x56,
+ 0x61, 0x6c, 0x75, 0x65, 0x12, 0x49, 0x0a, 0x08, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72,
+ 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x20, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e,
+ 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4f, 0x70, 0x65, 0x72,
+ 0x61, 0x74, 0x6f, 0x72, 0x45, 0x6e, 0x75, 0x6d, 0x42, 0x0b, 0xba, 0x48, 0x08, 0xc8, 0x01, 0x01,
+ 0x82, 0x01, 0x02, 0x10, 0x01, 0x52, 0x08, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x22,
+ 0x8a, 0x03, 0x0a, 0x13, 0x44, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65,
+ 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20,
+ 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x44, 0x0a, 0x14, 0x61, 0x74, 0x74, 0x72, 0x69,
+ 0x62, 0x75, 0x74, 0x65, 0x5f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x18,
+ 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41,
+ 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x52, 0x13, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62,
+ 0x75, 0x74, 0x65, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x43, 0x0a,
+ 0x0e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x72, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x72, 0x18,
+ 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x44,
+ 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x6c,
+ 0x76, 0x65, 0x72, 0x52, 0x0d, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x65, 0x73, 0x6f, 0x6c, 0x76,
+ 0x65, 0x72, 0x12, 0x4f, 0x0a, 0x15, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x63, 0x6f,
+ 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28,
+ 0x0b, 0x32, 0x1b, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65,
+ 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x74, 0x52, 0x13,
+ 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e,
+ 0x53, 0x65, 0x74, 0x12, 0x28, 0x0a, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x05,
+ 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0e, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x63,
+ 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x07, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x2f, 0x0a,
+ 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b,
+ 0x32, 0x11, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70,
+ 0x61, 0x63, 0x65, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x2c,
+ 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x64, 0x20, 0x01, 0x28, 0x0b,
+ 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61,
0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0xe9, 0x01, 0x0a,
0x09, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x4d, 0x0a, 0x1f, 0x73, 0x75,
0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x73,
@@ -3740,79 +4002,90 @@ var file_policy_objects_proto_rawDesc = []byte{
0x41, 0x4e, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x41, 0x4e, 0x44,
0x10, 0x01, 0x12, 0x22, 0x0a, 0x1e, 0x43, 0x4f, 0x4e, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f,
0x42, 0x4f, 0x4f, 0x4c, 0x45, 0x41, 0x4e, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55,
- 0x4d, 0x5f, 0x4f, 0x52, 0x10, 0x02, 0x2a, 0x5d, 0x0a, 0x0a, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65,
- 0x54, 0x79, 0x70, 0x65, 0x12, 0x1b, 0x0a, 0x17, 0x53, 0x4f, 0x55, 0x52, 0x43, 0x45, 0x5f, 0x54,
- 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10,
- 0x00, 0x12, 0x18, 0x0a, 0x14, 0x53, 0x4f, 0x55, 0x52, 0x43, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45,
- 0x5f, 0x49, 0x4e, 0x54, 0x45, 0x52, 0x4e, 0x41, 0x4c, 0x10, 0x01, 0x12, 0x18, 0x0a, 0x14, 0x53,
- 0x4f, 0x55, 0x52, 0x43, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x58, 0x54, 0x45, 0x52,
- 0x4e, 0x41, 0x4c, 0x10, 0x02, 0x2a, 0x9b, 0x03, 0x0a, 0x13, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62,
- 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x41, 0x6c, 0x67, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x27, 0x0a,
- 0x23, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f,
- 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49,
- 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x24, 0x0a, 0x20, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55,
+ 0x4d, 0x5f, 0x4f, 0x52, 0x10, 0x02, 0x2a, 0xb6, 0x01, 0x0a, 0x18, 0x44, 0x79, 0x6e, 0x61, 0x6d,
+ 0x69, 0x63, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x45,
+ 0x6e, 0x75, 0x6d, 0x12, 0x2b, 0x0a, 0x27, 0x44, 0x59, 0x4e, 0x41, 0x4d, 0x49, 0x43, 0x5f, 0x56,
+ 0x41, 0x4c, 0x55, 0x45, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e,
+ 0x55, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00,
+ 0x12, 0x31, 0x0a, 0x2d, 0x44, 0x59, 0x4e, 0x41, 0x4d, 0x49, 0x43, 0x5f, 0x56, 0x41, 0x4c, 0x55,
+ 0x45, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f,
+ 0x52, 0x45, 0x53, 0x4f, 0x55, 0x52, 0x43, 0x45, 0x5f, 0x56, 0x41, 0x4c, 0x55, 0x45, 0x5f, 0x49,
+ 0x4e, 0x10, 0x01, 0x12, 0x3a, 0x0a, 0x36, 0x44, 0x59, 0x4e, 0x41, 0x4d, 0x49, 0x43, 0x5f, 0x56,
+ 0x41, 0x4c, 0x55, 0x45, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e,
+ 0x55, 0x4d, 0x5f, 0x52, 0x45, 0x53, 0x4f, 0x55, 0x52, 0x43, 0x45, 0x5f, 0x56, 0x41, 0x4c, 0x55,
+ 0x45, 0x5f, 0x49, 0x4e, 0x5f, 0x43, 0x4f, 0x4e, 0x54, 0x41, 0x49, 0x4e, 0x53, 0x10, 0x02, 0x2a,
+ 0x5d, 0x0a, 0x0a, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x1b, 0x0a,
+ 0x17, 0x53, 0x4f, 0x55, 0x52, 0x43, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x53,
+ 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x18, 0x0a, 0x14, 0x53, 0x4f,
+ 0x55, 0x52, 0x43, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x49, 0x4e, 0x54, 0x45, 0x52, 0x4e,
+ 0x41, 0x4c, 0x10, 0x01, 0x12, 0x18, 0x0a, 0x14, 0x53, 0x4f, 0x55, 0x52, 0x43, 0x45, 0x5f, 0x54,
+ 0x59, 0x50, 0x45, 0x5f, 0x45, 0x58, 0x54, 0x45, 0x52, 0x4e, 0x41, 0x4c, 0x10, 0x02, 0x2a, 0x9b,
+ 0x03, 0x0a, 0x13, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x41,
+ 0x6c, 0x67, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x27, 0x0a, 0x23, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55,
0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55,
- 0x4d, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x10, 0x01, 0x12, 0x24, 0x0a, 0x20,
- 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41,
- 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x34, 0x30, 0x39, 0x36,
- 0x10, 0x02, 0x12, 0x28, 0x0a, 0x24, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43,
- 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x45, 0x43,
- 0x5f, 0x53, 0x45, 0x43, 0x50, 0x32, 0x35, 0x36, 0x52, 0x31, 0x10, 0x05, 0x12, 0x28, 0x0a, 0x24,
- 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41,
- 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x33,
- 0x38, 0x34, 0x52, 0x31, 0x10, 0x06, 0x12, 0x28, 0x0a, 0x24, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55,
+ 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12,
+ 0x24, 0x0a, 0x20, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45,
+ 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x32,
+ 0x30, 0x34, 0x38, 0x10, 0x01, 0x12, 0x24, 0x0a, 0x20, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42,
+ 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d,
+ 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x34, 0x30, 0x39, 0x36, 0x10, 0x02, 0x12, 0x28, 0x0a, 0x24, 0x4b,
+ 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c,
+ 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x32, 0x35,
+ 0x36, 0x52, 0x31, 0x10, 0x05, 0x12, 0x28, 0x0a, 0x24, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42,
+ 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d,
+ 0x5f, 0x45, 0x43, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x33, 0x38, 0x34, 0x52, 0x31, 0x10, 0x06, 0x12,
+ 0x28, 0x0a, 0x24, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45,
+ 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x53, 0x45,
+ 0x43, 0x50, 0x35, 0x32, 0x31, 0x52, 0x31, 0x10, 0x07, 0x12, 0x26, 0x0a, 0x22, 0x4b, 0x41, 0x53,
+ 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f,
+ 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x48, 0x50, 0x51, 0x54, 0x5f, 0x58, 0x57, 0x49, 0x4e, 0x47, 0x10,
+ 0x0a, 0x12, 0x33, 0x0a, 0x2f, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f,
+ 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x48, 0x50, 0x51,
+ 0x54, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x32, 0x35, 0x36, 0x52, 0x31, 0x5f, 0x4d, 0x4c, 0x4b, 0x45,
+ 0x4d, 0x37, 0x36, 0x38, 0x10, 0x0b, 0x12, 0x34, 0x0a, 0x30, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55,
0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55,
- 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x35, 0x32, 0x31, 0x52, 0x31, 0x10, 0x07,
- 0x12, 0x26, 0x0a, 0x22, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b,
- 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x48, 0x50, 0x51, 0x54,
- 0x5f, 0x58, 0x57, 0x49, 0x4e, 0x47, 0x10, 0x0a, 0x12, 0x33, 0x0a, 0x2f, 0x4b, 0x41, 0x53, 0x5f,
- 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45,
- 0x4e, 0x55, 0x4d, 0x5f, 0x48, 0x50, 0x51, 0x54, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x32, 0x35, 0x36,
- 0x52, 0x31, 0x5f, 0x4d, 0x4c, 0x4b, 0x45, 0x4d, 0x37, 0x36, 0x38, 0x10, 0x0b, 0x12, 0x34, 0x0a,
- 0x30, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f,
- 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x48, 0x50, 0x51, 0x54, 0x5f, 0x53, 0x45,
- 0x43, 0x50, 0x33, 0x38, 0x34, 0x52, 0x31, 0x5f, 0x4d, 0x4c, 0x4b, 0x45, 0x4d, 0x31, 0x30, 0x32,
- 0x34, 0x10, 0x0c, 0x2a, 0x84, 0x02, 0x0a, 0x09, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68,
- 0x6d, 0x12, 0x19, 0x0a, 0x15, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x55,
- 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x16, 0x0a, 0x12,
- 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x32, 0x30,
- 0x34, 0x38, 0x10, 0x01, 0x12, 0x16, 0x0a, 0x12, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48,
- 0x4d, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x34, 0x30, 0x39, 0x36, 0x10, 0x02, 0x12, 0x15, 0x0a, 0x11,
- 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x50, 0x32, 0x35,
- 0x36, 0x10, 0x03, 0x12, 0x15, 0x0a, 0x11, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d,
- 0x5f, 0x45, 0x43, 0x5f, 0x50, 0x33, 0x38, 0x34, 0x10, 0x04, 0x12, 0x15, 0x0a, 0x11, 0x41, 0x4c,
- 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x50, 0x35, 0x32, 0x31, 0x10,
- 0x05, 0x12, 0x18, 0x0a, 0x14, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x48,
- 0x50, 0x51, 0x54, 0x5f, 0x58, 0x57, 0x49, 0x4e, 0x47, 0x10, 0x06, 0x12, 0x25, 0x0a, 0x21, 0x41,
+ 0x4d, 0x5f, 0x48, 0x50, 0x51, 0x54, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x33, 0x38, 0x34, 0x52, 0x31,
+ 0x5f, 0x4d, 0x4c, 0x4b, 0x45, 0x4d, 0x31, 0x30, 0x32, 0x34, 0x10, 0x0c, 0x2a, 0x84, 0x02, 0x0a,
+ 0x09, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x12, 0x19, 0x0a, 0x15, 0x41, 0x4c,
+ 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46,
+ 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x16, 0x0a, 0x12, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54,
+ 0x48, 0x4d, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x10, 0x01, 0x12, 0x16, 0x0a,
+ 0x12, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x34,
+ 0x30, 0x39, 0x36, 0x10, 0x02, 0x12, 0x15, 0x0a, 0x11, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54,
+ 0x48, 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x50, 0x32, 0x35, 0x36, 0x10, 0x03, 0x12, 0x15, 0x0a, 0x11,
+ 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x50, 0x33, 0x38,
+ 0x34, 0x10, 0x04, 0x12, 0x15, 0x0a, 0x11, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d,
+ 0x5f, 0x45, 0x43, 0x5f, 0x50, 0x35, 0x32, 0x31, 0x10, 0x05, 0x12, 0x18, 0x0a, 0x14, 0x41, 0x4c,
+ 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x48, 0x50, 0x51, 0x54, 0x5f, 0x58, 0x57, 0x49,
+ 0x4e, 0x47, 0x10, 0x06, 0x12, 0x25, 0x0a, 0x21, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48,
+ 0x4d, 0x5f, 0x48, 0x50, 0x51, 0x54, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x32, 0x35, 0x36, 0x52, 0x31,
+ 0x5f, 0x4d, 0x4c, 0x4b, 0x45, 0x4d, 0x37, 0x36, 0x38, 0x10, 0x07, 0x12, 0x26, 0x0a, 0x22, 0x41,
0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x48, 0x50, 0x51, 0x54, 0x5f, 0x53, 0x45,
- 0x43, 0x50, 0x32, 0x35, 0x36, 0x52, 0x31, 0x5f, 0x4d, 0x4c, 0x4b, 0x45, 0x4d, 0x37, 0x36, 0x38,
- 0x10, 0x07, 0x12, 0x26, 0x0a, 0x22, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f,
- 0x48, 0x50, 0x51, 0x54, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x33, 0x38, 0x34, 0x52, 0x31, 0x5f, 0x4d,
- 0x4c, 0x4b, 0x45, 0x4d, 0x31, 0x30, 0x32, 0x34, 0x10, 0x08, 0x2a, 0x56, 0x0a, 0x09, 0x4b, 0x65,
- 0x79, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x1a, 0x0a, 0x16, 0x4b, 0x45, 0x59, 0x5f, 0x53,
- 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45,
- 0x44, 0x10, 0x00, 0x12, 0x15, 0x0a, 0x11, 0x4b, 0x45, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55,
- 0x53, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x56, 0x45, 0x10, 0x01, 0x12, 0x16, 0x0a, 0x12, 0x4b, 0x45,
- 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x52, 0x4f, 0x54, 0x41, 0x54, 0x45, 0x44,
- 0x10, 0x02, 0x2a, 0x94, 0x01, 0x0a, 0x07, 0x4b, 0x65, 0x79, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x18,
- 0x0a, 0x14, 0x4b, 0x45, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45,
- 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x1c, 0x0a, 0x18, 0x4b, 0x45, 0x59, 0x5f,
- 0x4d, 0x4f, 0x44, 0x45, 0x5f, 0x43, 0x4f, 0x4e, 0x46, 0x49, 0x47, 0x5f, 0x52, 0x4f, 0x4f, 0x54,
- 0x5f, 0x4b, 0x45, 0x59, 0x10, 0x01, 0x12, 0x1e, 0x0a, 0x1a, 0x4b, 0x45, 0x59, 0x5f, 0x4d, 0x4f,
- 0x44, 0x45, 0x5f, 0x50, 0x52, 0x4f, 0x56, 0x49, 0x44, 0x45, 0x52, 0x5f, 0x52, 0x4f, 0x4f, 0x54,
- 0x5f, 0x4b, 0x45, 0x59, 0x10, 0x02, 0x12, 0x13, 0x0a, 0x0f, 0x4b, 0x45, 0x59, 0x5f, 0x4d, 0x4f,
- 0x44, 0x45, 0x5f, 0x52, 0x45, 0x4d, 0x4f, 0x54, 0x45, 0x10, 0x03, 0x12, 0x1c, 0x0a, 0x18, 0x4b,
- 0x45, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x45, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b,
- 0x45, 0x59, 0x5f, 0x4f, 0x4e, 0x4c, 0x59, 0x10, 0x04, 0x42, 0x82, 0x01, 0x0a, 0x0a, 0x63, 0x6f,
- 0x6d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x42, 0x0c, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74,
- 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x2e, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62,
- 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61,
- 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67,
- 0x6f, 0x2f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0xa2, 0x02, 0x03, 0x50, 0x58, 0x58, 0xaa, 0x02,
- 0x06, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0xca, 0x02, 0x06, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79,
- 0xe2, 0x02, 0x12, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74,
- 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x06, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x62, 0x06,
- 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+ 0x43, 0x50, 0x33, 0x38, 0x34, 0x52, 0x31, 0x5f, 0x4d, 0x4c, 0x4b, 0x45, 0x4d, 0x31, 0x30, 0x32,
+ 0x34, 0x10, 0x08, 0x2a, 0x56, 0x0a, 0x09, 0x4b, 0x65, 0x79, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73,
+ 0x12, 0x1a, 0x0a, 0x16, 0x4b, 0x45, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x55,
+ 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x15, 0x0a, 0x11,
+ 0x4b, 0x45, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55, 0x53, 0x5f, 0x41, 0x43, 0x54, 0x49, 0x56,
+ 0x45, 0x10, 0x01, 0x12, 0x16, 0x0a, 0x12, 0x4b, 0x45, 0x59, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x55,
+ 0x53, 0x5f, 0x52, 0x4f, 0x54, 0x41, 0x54, 0x45, 0x44, 0x10, 0x02, 0x2a, 0x94, 0x01, 0x0a, 0x07,
+ 0x4b, 0x65, 0x79, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x18, 0x0a, 0x14, 0x4b, 0x45, 0x59, 0x5f, 0x4d,
+ 0x4f, 0x44, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10,
+ 0x00, 0x12, 0x1c, 0x0a, 0x18, 0x4b, 0x45, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x45, 0x5f, 0x43, 0x4f,
+ 0x4e, 0x46, 0x49, 0x47, 0x5f, 0x52, 0x4f, 0x4f, 0x54, 0x5f, 0x4b, 0x45, 0x59, 0x10, 0x01, 0x12,
+ 0x1e, 0x0a, 0x1a, 0x4b, 0x45, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x45, 0x5f, 0x50, 0x52, 0x4f, 0x56,
+ 0x49, 0x44, 0x45, 0x52, 0x5f, 0x52, 0x4f, 0x4f, 0x54, 0x5f, 0x4b, 0x45, 0x59, 0x10, 0x02, 0x12,
+ 0x13, 0x0a, 0x0f, 0x4b, 0x45, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x45, 0x5f, 0x52, 0x45, 0x4d, 0x4f,
+ 0x54, 0x45, 0x10, 0x03, 0x12, 0x1c, 0x0a, 0x18, 0x4b, 0x45, 0x59, 0x5f, 0x4d, 0x4f, 0x44, 0x45,
+ 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x4f, 0x4e, 0x4c, 0x59,
+ 0x10, 0x04, 0x42, 0x82, 0x01, 0x0a, 0x0a, 0x63, 0x6f, 0x6d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63,
+ 0x79, 0x42, 0x0c, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50,
+ 0x01, 0x5a, 0x2e, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70,
+ 0x65, 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70,
+ 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x70, 0x6f, 0x6c, 0x69, 0x63,
+ 0x79, 0xa2, 0x02, 0x03, 0x50, 0x58, 0x58, 0xaa, 0x02, 0x06, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79,
+ 0xca, 0x02, 0x06, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0xe2, 0x02, 0x12, 0x50, 0x6f, 0x6c, 0x69,
+ 0x63, 0x79, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02,
+ 0x06, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
}
var (
@@ -3827,148 +4100,158 @@ func file_policy_objects_proto_rawDescGZIP() []byte {
return file_policy_objects_proto_rawDescData
}
-var file_policy_objects_proto_enumTypes = make([]protoimpl.EnumInfo, 9)
-var file_policy_objects_proto_msgTypes = make([]protoimpl.MessageInfo, 33)
+var file_policy_objects_proto_enumTypes = make([]protoimpl.EnumInfo, 10)
+var file_policy_objects_proto_msgTypes = make([]protoimpl.MessageInfo, 35)
var file_policy_objects_proto_goTypes = []interface{}{
- (AttributeRuleTypeEnum)(0), // 0: policy.AttributeRuleTypeEnum
- (SubjectMappingOperatorEnum)(0), // 1: policy.SubjectMappingOperatorEnum
- (ConditionBooleanTypeEnum)(0), // 2: policy.ConditionBooleanTypeEnum
- (SourceType)(0), // 3: policy.SourceType
- (KasPublicKeyAlgEnum)(0), // 4: policy.KasPublicKeyAlgEnum
- (Algorithm)(0), // 5: policy.Algorithm
- (KeyStatus)(0), // 6: policy.KeyStatus
- (KeyMode)(0), // 7: policy.KeyMode
- (Action_StandardAction)(0), // 8: policy.Action.StandardAction
- (*SimpleKasPublicKey)(nil), // 9: policy.SimpleKasPublicKey
- (*SimpleKasKey)(nil), // 10: policy.SimpleKasKey
- (*KeyProviderConfig)(nil), // 11: policy.KeyProviderConfig
- (*Namespace)(nil), // 12: policy.Namespace
- (*Attribute)(nil), // 13: policy.Attribute
- (*Value)(nil), // 14: policy.Value
- (*Action)(nil), // 15: policy.Action
- (*SubjectMapping)(nil), // 16: policy.SubjectMapping
- (*Condition)(nil), // 17: policy.Condition
- (*ConditionGroup)(nil), // 18: policy.ConditionGroup
- (*SubjectSet)(nil), // 19: policy.SubjectSet
- (*SubjectConditionSet)(nil), // 20: policy.SubjectConditionSet
- (*SubjectProperty)(nil), // 21: policy.SubjectProperty
- (*ResourceMappingGroup)(nil), // 22: policy.ResourceMappingGroup
- (*ResourceMapping)(nil), // 23: policy.ResourceMapping
- (*KeyAccessServer)(nil), // 24: policy.KeyAccessServer
- (*Key)(nil), // 25: policy.Key
- (*KasPublicKey)(nil), // 26: policy.KasPublicKey
- (*KasPublicKeySet)(nil), // 27: policy.KasPublicKeySet
- (*PublicKey)(nil), // 28: policy.PublicKey
- (*RegisteredResource)(nil), // 29: policy.RegisteredResource
- (*RegisteredResourceValue)(nil), // 30: policy.RegisteredResourceValue
- (*PolicyEnforcementPoint)(nil), // 31: policy.PolicyEnforcementPoint
- (*RequestContext)(nil), // 32: policy.RequestContext
- (*Obligation)(nil), // 33: policy.Obligation
- (*ObligationValue)(nil), // 34: policy.ObligationValue
- (*ObligationTrigger)(nil), // 35: policy.ObligationTrigger
- (*KasKey)(nil), // 36: policy.KasKey
- (*PublicKeyCtx)(nil), // 37: policy.PublicKeyCtx
- (*PrivateKeyCtx)(nil), // 38: policy.PrivateKeyCtx
- (*AsymmetricKey)(nil), // 39: policy.AsymmetricKey
- (*SymmetricKey)(nil), // 40: policy.SymmetricKey
- (*RegisteredResourceValue_ActionAttributeValue)(nil), // 41: policy.RegisteredResourceValue.ActionAttributeValue
- (*common.Metadata)(nil), // 42: common.Metadata
- (*wrapperspb.BoolValue)(nil), // 43: google.protobuf.BoolValue
+ (AttributeRuleTypeEnum)(0), // 0: policy.AttributeRuleTypeEnum
+ (SubjectMappingOperatorEnum)(0), // 1: policy.SubjectMappingOperatorEnum
+ (ConditionBooleanTypeEnum)(0), // 2: policy.ConditionBooleanTypeEnum
+ (DynamicValueOperatorEnum)(0), // 3: policy.DynamicValueOperatorEnum
+ (SourceType)(0), // 4: policy.SourceType
+ (KasPublicKeyAlgEnum)(0), // 5: policy.KasPublicKeyAlgEnum
+ (Algorithm)(0), // 6: policy.Algorithm
+ (KeyStatus)(0), // 7: policy.KeyStatus
+ (KeyMode)(0), // 8: policy.KeyMode
+ (Action_StandardAction)(0), // 9: policy.Action.StandardAction
+ (*SimpleKasPublicKey)(nil), // 10: policy.SimpleKasPublicKey
+ (*SimpleKasKey)(nil), // 11: policy.SimpleKasKey
+ (*KeyProviderConfig)(nil), // 12: policy.KeyProviderConfig
+ (*Namespace)(nil), // 13: policy.Namespace
+ (*Attribute)(nil), // 14: policy.Attribute
+ (*Value)(nil), // 15: policy.Value
+ (*Action)(nil), // 16: policy.Action
+ (*SubjectMapping)(nil), // 17: policy.SubjectMapping
+ (*DynamicValueResolver)(nil), // 18: policy.DynamicValueResolver
+ (*DynamicValueMapping)(nil), // 19: policy.DynamicValueMapping
+ (*Condition)(nil), // 20: policy.Condition
+ (*ConditionGroup)(nil), // 21: policy.ConditionGroup
+ (*SubjectSet)(nil), // 22: policy.SubjectSet
+ (*SubjectConditionSet)(nil), // 23: policy.SubjectConditionSet
+ (*SubjectProperty)(nil), // 24: policy.SubjectProperty
+ (*ResourceMappingGroup)(nil), // 25: policy.ResourceMappingGroup
+ (*ResourceMapping)(nil), // 26: policy.ResourceMapping
+ (*KeyAccessServer)(nil), // 27: policy.KeyAccessServer
+ (*Key)(nil), // 28: policy.Key
+ (*KasPublicKey)(nil), // 29: policy.KasPublicKey
+ (*KasPublicKeySet)(nil), // 30: policy.KasPublicKeySet
+ (*PublicKey)(nil), // 31: policy.PublicKey
+ (*RegisteredResource)(nil), // 32: policy.RegisteredResource
+ (*RegisteredResourceValue)(nil), // 33: policy.RegisteredResourceValue
+ (*PolicyEnforcementPoint)(nil), // 34: policy.PolicyEnforcementPoint
+ (*RequestContext)(nil), // 35: policy.RequestContext
+ (*Obligation)(nil), // 36: policy.Obligation
+ (*ObligationValue)(nil), // 37: policy.ObligationValue
+ (*ObligationTrigger)(nil), // 38: policy.ObligationTrigger
+ (*KasKey)(nil), // 39: policy.KasKey
+ (*PublicKeyCtx)(nil), // 40: policy.PublicKeyCtx
+ (*PrivateKeyCtx)(nil), // 41: policy.PrivateKeyCtx
+ (*AsymmetricKey)(nil), // 42: policy.AsymmetricKey
+ (*SymmetricKey)(nil), // 43: policy.SymmetricKey
+ (*RegisteredResourceValue_ActionAttributeValue)(nil), // 44: policy.RegisteredResourceValue.ActionAttributeValue
+ (*common.Metadata)(nil), // 45: common.Metadata
+ (*wrapperspb.BoolValue)(nil), // 46: google.protobuf.BoolValue
}
var file_policy_objects_proto_depIdxs = []int32{
- 5, // 0: policy.SimpleKasPublicKey.algorithm:type_name -> policy.Algorithm
- 9, // 1: policy.SimpleKasKey.public_key:type_name -> policy.SimpleKasPublicKey
- 42, // 2: policy.KeyProviderConfig.metadata:type_name -> common.Metadata
- 43, // 3: policy.Namespace.active:type_name -> google.protobuf.BoolValue
- 42, // 4: policy.Namespace.metadata:type_name -> common.Metadata
- 24, // 5: policy.Namespace.grants:type_name -> policy.KeyAccessServer
- 10, // 6: policy.Namespace.kas_keys:type_name -> policy.SimpleKasKey
- 12, // 7: policy.Attribute.namespace:type_name -> policy.Namespace
+ 6, // 0: policy.SimpleKasPublicKey.algorithm:type_name -> policy.Algorithm
+ 10, // 1: policy.SimpleKasKey.public_key:type_name -> policy.SimpleKasPublicKey
+ 45, // 2: policy.KeyProviderConfig.metadata:type_name -> common.Metadata
+ 46, // 3: policy.Namespace.active:type_name -> google.protobuf.BoolValue
+ 45, // 4: policy.Namespace.metadata:type_name -> common.Metadata
+ 27, // 5: policy.Namespace.grants:type_name -> policy.KeyAccessServer
+ 11, // 6: policy.Namespace.kas_keys:type_name -> policy.SimpleKasKey
+ 13, // 7: policy.Attribute.namespace:type_name -> policy.Namespace
0, // 8: policy.Attribute.rule:type_name -> policy.AttributeRuleTypeEnum
- 14, // 9: policy.Attribute.values:type_name -> policy.Value
- 24, // 10: policy.Attribute.grants:type_name -> policy.KeyAccessServer
- 43, // 11: policy.Attribute.active:type_name -> google.protobuf.BoolValue
- 10, // 12: policy.Attribute.kas_keys:type_name -> policy.SimpleKasKey
- 43, // 13: policy.Attribute.allow_traversal:type_name -> google.protobuf.BoolValue
- 42, // 14: policy.Attribute.metadata:type_name -> common.Metadata
- 13, // 15: policy.Value.attribute:type_name -> policy.Attribute
- 24, // 16: policy.Value.grants:type_name -> policy.KeyAccessServer
- 43, // 17: policy.Value.active:type_name -> google.protobuf.BoolValue
- 16, // 18: policy.Value.subject_mappings:type_name -> policy.SubjectMapping
- 10, // 19: policy.Value.kas_keys:type_name -> policy.SimpleKasKey
- 23, // 20: policy.Value.resource_mappings:type_name -> policy.ResourceMapping
- 33, // 21: policy.Value.obligations:type_name -> policy.Obligation
- 42, // 22: policy.Value.metadata:type_name -> common.Metadata
- 8, // 23: policy.Action.standard:type_name -> policy.Action.StandardAction
- 12, // 24: policy.Action.namespace:type_name -> policy.Namespace
- 42, // 25: policy.Action.metadata:type_name -> common.Metadata
- 14, // 26: policy.SubjectMapping.attribute_value:type_name -> policy.Value
- 20, // 27: policy.SubjectMapping.subject_condition_set:type_name -> policy.SubjectConditionSet
- 15, // 28: policy.SubjectMapping.actions:type_name -> policy.Action
- 12, // 29: policy.SubjectMapping.namespace:type_name -> policy.Namespace
- 42, // 30: policy.SubjectMapping.metadata:type_name -> common.Metadata
- 1, // 31: policy.Condition.operator:type_name -> policy.SubjectMappingOperatorEnum
- 17, // 32: policy.ConditionGroup.conditions:type_name -> policy.Condition
- 2, // 33: policy.ConditionGroup.boolean_operator:type_name -> policy.ConditionBooleanTypeEnum
- 18, // 34: policy.SubjectSet.condition_groups:type_name -> policy.ConditionGroup
- 12, // 35: policy.SubjectConditionSet.namespace:type_name -> policy.Namespace
- 19, // 36: policy.SubjectConditionSet.subject_sets:type_name -> policy.SubjectSet
- 42, // 37: policy.SubjectConditionSet.metadata:type_name -> common.Metadata
- 42, // 38: policy.ResourceMappingGroup.metadata:type_name -> common.Metadata
- 42, // 39: policy.ResourceMapping.metadata:type_name -> common.Metadata
- 14, // 40: policy.ResourceMapping.attribute_value:type_name -> policy.Value
- 22, // 41: policy.ResourceMapping.group:type_name -> policy.ResourceMappingGroup
- 28, // 42: policy.KeyAccessServer.public_key:type_name -> policy.PublicKey
- 3, // 43: policy.KeyAccessServer.source_type:type_name -> policy.SourceType
- 10, // 44: policy.KeyAccessServer.kas_keys:type_name -> policy.SimpleKasKey
- 42, // 45: policy.KeyAccessServer.metadata:type_name -> common.Metadata
- 43, // 46: policy.Key.is_active:type_name -> google.protobuf.BoolValue
- 43, // 47: policy.Key.was_mapped:type_name -> google.protobuf.BoolValue
- 26, // 48: policy.Key.public_key:type_name -> policy.KasPublicKey
- 24, // 49: policy.Key.kas:type_name -> policy.KeyAccessServer
- 42, // 50: policy.Key.metadata:type_name -> common.Metadata
- 4, // 51: policy.KasPublicKey.alg:type_name -> policy.KasPublicKeyAlgEnum
- 26, // 52: policy.KasPublicKeySet.keys:type_name -> policy.KasPublicKey
- 27, // 53: policy.PublicKey.cached:type_name -> policy.KasPublicKeySet
- 30, // 54: policy.RegisteredResource.values:type_name -> policy.RegisteredResourceValue
- 12, // 55: policy.RegisteredResource.namespace:type_name -> policy.Namespace
- 42, // 56: policy.RegisteredResource.metadata:type_name -> common.Metadata
- 29, // 57: policy.RegisteredResourceValue.resource:type_name -> policy.RegisteredResource
- 41, // 58: policy.RegisteredResourceValue.action_attribute_values:type_name -> policy.RegisteredResourceValue.ActionAttributeValue
- 42, // 59: policy.RegisteredResourceValue.metadata:type_name -> common.Metadata
- 31, // 60: policy.RequestContext.pep:type_name -> policy.PolicyEnforcementPoint
- 12, // 61: policy.Obligation.namespace:type_name -> policy.Namespace
- 34, // 62: policy.Obligation.values:type_name -> policy.ObligationValue
- 42, // 63: policy.Obligation.metadata:type_name -> common.Metadata
- 33, // 64: policy.ObligationValue.obligation:type_name -> policy.Obligation
- 35, // 65: policy.ObligationValue.triggers:type_name -> policy.ObligationTrigger
- 42, // 66: policy.ObligationValue.metadata:type_name -> common.Metadata
- 34, // 67: policy.ObligationTrigger.obligation_value:type_name -> policy.ObligationValue
- 15, // 68: policy.ObligationTrigger.action:type_name -> policy.Action
- 14, // 69: policy.ObligationTrigger.attribute_value:type_name -> policy.Value
- 32, // 70: policy.ObligationTrigger.context:type_name -> policy.RequestContext
- 12, // 71: policy.ObligationTrigger.namespace:type_name -> policy.Namespace
- 42, // 72: policy.ObligationTrigger.metadata:type_name -> common.Metadata
- 39, // 73: policy.KasKey.key:type_name -> policy.AsymmetricKey
- 5, // 74: policy.AsymmetricKey.key_algorithm:type_name -> policy.Algorithm
- 6, // 75: policy.AsymmetricKey.key_status:type_name -> policy.KeyStatus
- 7, // 76: policy.AsymmetricKey.key_mode:type_name -> policy.KeyMode
- 37, // 77: policy.AsymmetricKey.public_key_ctx:type_name -> policy.PublicKeyCtx
- 38, // 78: policy.AsymmetricKey.private_key_ctx:type_name -> policy.PrivateKeyCtx
- 11, // 79: policy.AsymmetricKey.provider_config:type_name -> policy.KeyProviderConfig
- 42, // 80: policy.AsymmetricKey.metadata:type_name -> common.Metadata
- 6, // 81: policy.SymmetricKey.key_status:type_name -> policy.KeyStatus
- 7, // 82: policy.SymmetricKey.key_mode:type_name -> policy.KeyMode
- 11, // 83: policy.SymmetricKey.provider_config:type_name -> policy.KeyProviderConfig
- 42, // 84: policy.SymmetricKey.metadata:type_name -> common.Metadata
- 15, // 85: policy.RegisteredResourceValue.ActionAttributeValue.action:type_name -> policy.Action
- 14, // 86: policy.RegisteredResourceValue.ActionAttributeValue.attribute_value:type_name -> policy.Value
- 42, // 87: policy.RegisteredResourceValue.ActionAttributeValue.metadata:type_name -> common.Metadata
- 88, // [88:88] is the sub-list for method output_type
- 88, // [88:88] is the sub-list for method input_type
- 88, // [88:88] is the sub-list for extension type_name
- 88, // [88:88] is the sub-list for extension extendee
- 0, // [0:88] is the sub-list for field type_name
+ 15, // 9: policy.Attribute.values:type_name -> policy.Value
+ 27, // 10: policy.Attribute.grants:type_name -> policy.KeyAccessServer
+ 46, // 11: policy.Attribute.active:type_name -> google.protobuf.BoolValue
+ 11, // 12: policy.Attribute.kas_keys:type_name -> policy.SimpleKasKey
+ 46, // 13: policy.Attribute.allow_traversal:type_name -> google.protobuf.BoolValue
+ 45, // 14: policy.Attribute.metadata:type_name -> common.Metadata
+ 14, // 15: policy.Value.attribute:type_name -> policy.Attribute
+ 27, // 16: policy.Value.grants:type_name -> policy.KeyAccessServer
+ 46, // 17: policy.Value.active:type_name -> google.protobuf.BoolValue
+ 17, // 18: policy.Value.subject_mappings:type_name -> policy.SubjectMapping
+ 11, // 19: policy.Value.kas_keys:type_name -> policy.SimpleKasKey
+ 26, // 20: policy.Value.resource_mappings:type_name -> policy.ResourceMapping
+ 36, // 21: policy.Value.obligations:type_name -> policy.Obligation
+ 45, // 22: policy.Value.metadata:type_name -> common.Metadata
+ 9, // 23: policy.Action.standard:type_name -> policy.Action.StandardAction
+ 13, // 24: policy.Action.namespace:type_name -> policy.Namespace
+ 45, // 25: policy.Action.metadata:type_name -> common.Metadata
+ 15, // 26: policy.SubjectMapping.attribute_value:type_name -> policy.Value
+ 23, // 27: policy.SubjectMapping.subject_condition_set:type_name -> policy.SubjectConditionSet
+ 16, // 28: policy.SubjectMapping.actions:type_name -> policy.Action
+ 13, // 29: policy.SubjectMapping.namespace:type_name -> policy.Namespace
+ 45, // 30: policy.SubjectMapping.metadata:type_name -> common.Metadata
+ 3, // 31: policy.DynamicValueResolver.operator:type_name -> policy.DynamicValueOperatorEnum
+ 14, // 32: policy.DynamicValueMapping.attribute_definition:type_name -> policy.Attribute
+ 18, // 33: policy.DynamicValueMapping.value_resolver:type_name -> policy.DynamicValueResolver
+ 23, // 34: policy.DynamicValueMapping.subject_condition_set:type_name -> policy.SubjectConditionSet
+ 16, // 35: policy.DynamicValueMapping.actions:type_name -> policy.Action
+ 13, // 36: policy.DynamicValueMapping.namespace:type_name -> policy.Namespace
+ 45, // 37: policy.DynamicValueMapping.metadata:type_name -> common.Metadata
+ 1, // 38: policy.Condition.operator:type_name -> policy.SubjectMappingOperatorEnum
+ 20, // 39: policy.ConditionGroup.conditions:type_name -> policy.Condition
+ 2, // 40: policy.ConditionGroup.boolean_operator:type_name -> policy.ConditionBooleanTypeEnum
+ 21, // 41: policy.SubjectSet.condition_groups:type_name -> policy.ConditionGroup
+ 13, // 42: policy.SubjectConditionSet.namespace:type_name -> policy.Namespace
+ 22, // 43: policy.SubjectConditionSet.subject_sets:type_name -> policy.SubjectSet
+ 45, // 44: policy.SubjectConditionSet.metadata:type_name -> common.Metadata
+ 45, // 45: policy.ResourceMappingGroup.metadata:type_name -> common.Metadata
+ 45, // 46: policy.ResourceMapping.metadata:type_name -> common.Metadata
+ 15, // 47: policy.ResourceMapping.attribute_value:type_name -> policy.Value
+ 25, // 48: policy.ResourceMapping.group:type_name -> policy.ResourceMappingGroup
+ 31, // 49: policy.KeyAccessServer.public_key:type_name -> policy.PublicKey
+ 4, // 50: policy.KeyAccessServer.source_type:type_name -> policy.SourceType
+ 11, // 51: policy.KeyAccessServer.kas_keys:type_name -> policy.SimpleKasKey
+ 45, // 52: policy.KeyAccessServer.metadata:type_name -> common.Metadata
+ 46, // 53: policy.Key.is_active:type_name -> google.protobuf.BoolValue
+ 46, // 54: policy.Key.was_mapped:type_name -> google.protobuf.BoolValue
+ 29, // 55: policy.Key.public_key:type_name -> policy.KasPublicKey
+ 27, // 56: policy.Key.kas:type_name -> policy.KeyAccessServer
+ 45, // 57: policy.Key.metadata:type_name -> common.Metadata
+ 5, // 58: policy.KasPublicKey.alg:type_name -> policy.KasPublicKeyAlgEnum
+ 29, // 59: policy.KasPublicKeySet.keys:type_name -> policy.KasPublicKey
+ 30, // 60: policy.PublicKey.cached:type_name -> policy.KasPublicKeySet
+ 33, // 61: policy.RegisteredResource.values:type_name -> policy.RegisteredResourceValue
+ 13, // 62: policy.RegisteredResource.namespace:type_name -> policy.Namespace
+ 45, // 63: policy.RegisteredResource.metadata:type_name -> common.Metadata
+ 32, // 64: policy.RegisteredResourceValue.resource:type_name -> policy.RegisteredResource
+ 44, // 65: policy.RegisteredResourceValue.action_attribute_values:type_name -> policy.RegisteredResourceValue.ActionAttributeValue
+ 45, // 66: policy.RegisteredResourceValue.metadata:type_name -> common.Metadata
+ 34, // 67: policy.RequestContext.pep:type_name -> policy.PolicyEnforcementPoint
+ 13, // 68: policy.Obligation.namespace:type_name -> policy.Namespace
+ 37, // 69: policy.Obligation.values:type_name -> policy.ObligationValue
+ 45, // 70: policy.Obligation.metadata:type_name -> common.Metadata
+ 36, // 71: policy.ObligationValue.obligation:type_name -> policy.Obligation
+ 38, // 72: policy.ObligationValue.triggers:type_name -> policy.ObligationTrigger
+ 45, // 73: policy.ObligationValue.metadata:type_name -> common.Metadata
+ 37, // 74: policy.ObligationTrigger.obligation_value:type_name -> policy.ObligationValue
+ 16, // 75: policy.ObligationTrigger.action:type_name -> policy.Action
+ 15, // 76: policy.ObligationTrigger.attribute_value:type_name -> policy.Value
+ 35, // 77: policy.ObligationTrigger.context:type_name -> policy.RequestContext
+ 13, // 78: policy.ObligationTrigger.namespace:type_name -> policy.Namespace
+ 45, // 79: policy.ObligationTrigger.metadata:type_name -> common.Metadata
+ 42, // 80: policy.KasKey.key:type_name -> policy.AsymmetricKey
+ 6, // 81: policy.AsymmetricKey.key_algorithm:type_name -> policy.Algorithm
+ 7, // 82: policy.AsymmetricKey.key_status:type_name -> policy.KeyStatus
+ 8, // 83: policy.AsymmetricKey.key_mode:type_name -> policy.KeyMode
+ 40, // 84: policy.AsymmetricKey.public_key_ctx:type_name -> policy.PublicKeyCtx
+ 41, // 85: policy.AsymmetricKey.private_key_ctx:type_name -> policy.PrivateKeyCtx
+ 12, // 86: policy.AsymmetricKey.provider_config:type_name -> policy.KeyProviderConfig
+ 45, // 87: policy.AsymmetricKey.metadata:type_name -> common.Metadata
+ 7, // 88: policy.SymmetricKey.key_status:type_name -> policy.KeyStatus
+ 8, // 89: policy.SymmetricKey.key_mode:type_name -> policy.KeyMode
+ 12, // 90: policy.SymmetricKey.provider_config:type_name -> policy.KeyProviderConfig
+ 45, // 91: policy.SymmetricKey.metadata:type_name -> common.Metadata
+ 16, // 92: policy.RegisteredResourceValue.ActionAttributeValue.action:type_name -> policy.Action
+ 15, // 93: policy.RegisteredResourceValue.ActionAttributeValue.attribute_value:type_name -> policy.Value
+ 45, // 94: policy.RegisteredResourceValue.ActionAttributeValue.metadata:type_name -> common.Metadata
+ 95, // [95:95] is the sub-list for method output_type
+ 95, // [95:95] is the sub-list for method input_type
+ 95, // [95:95] is the sub-list for extension type_name
+ 95, // [95:95] is the sub-list for extension extendee
+ 0, // [0:95] is the sub-list for field type_name
}
func init() { file_policy_objects_proto_init() }
@@ -4074,7 +4357,7 @@ func file_policy_objects_proto_init() {
}
}
file_policy_objects_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} {
- switch v := v.(*Condition); i {
+ switch v := v.(*DynamicValueResolver); i {
case 0:
return &v.state
case 1:
@@ -4086,7 +4369,7 @@ func file_policy_objects_proto_init() {
}
}
file_policy_objects_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} {
- switch v := v.(*ConditionGroup); i {
+ switch v := v.(*DynamicValueMapping); i {
case 0:
return &v.state
case 1:
@@ -4098,7 +4381,7 @@ func file_policy_objects_proto_init() {
}
}
file_policy_objects_proto_msgTypes[10].Exporter = func(v interface{}, i int) interface{} {
- switch v := v.(*SubjectSet); i {
+ switch v := v.(*Condition); i {
case 0:
return &v.state
case 1:
@@ -4110,7 +4393,7 @@ func file_policy_objects_proto_init() {
}
}
file_policy_objects_proto_msgTypes[11].Exporter = func(v interface{}, i int) interface{} {
- switch v := v.(*SubjectConditionSet); i {
+ switch v := v.(*ConditionGroup); i {
case 0:
return &v.state
case 1:
@@ -4122,7 +4405,7 @@ func file_policy_objects_proto_init() {
}
}
file_policy_objects_proto_msgTypes[12].Exporter = func(v interface{}, i int) interface{} {
- switch v := v.(*SubjectProperty); i {
+ switch v := v.(*SubjectSet); i {
case 0:
return &v.state
case 1:
@@ -4134,7 +4417,7 @@ func file_policy_objects_proto_init() {
}
}
file_policy_objects_proto_msgTypes[13].Exporter = func(v interface{}, i int) interface{} {
- switch v := v.(*ResourceMappingGroup); i {
+ switch v := v.(*SubjectConditionSet); i {
case 0:
return &v.state
case 1:
@@ -4146,7 +4429,7 @@ func file_policy_objects_proto_init() {
}
}
file_policy_objects_proto_msgTypes[14].Exporter = func(v interface{}, i int) interface{} {
- switch v := v.(*ResourceMapping); i {
+ switch v := v.(*SubjectProperty); i {
case 0:
return &v.state
case 1:
@@ -4158,7 +4441,7 @@ func file_policy_objects_proto_init() {
}
}
file_policy_objects_proto_msgTypes[15].Exporter = func(v interface{}, i int) interface{} {
- switch v := v.(*KeyAccessServer); i {
+ switch v := v.(*ResourceMappingGroup); i {
case 0:
return &v.state
case 1:
@@ -4170,7 +4453,7 @@ func file_policy_objects_proto_init() {
}
}
file_policy_objects_proto_msgTypes[16].Exporter = func(v interface{}, i int) interface{} {
- switch v := v.(*Key); i {
+ switch v := v.(*ResourceMapping); i {
case 0:
return &v.state
case 1:
@@ -4182,7 +4465,7 @@ func file_policy_objects_proto_init() {
}
}
file_policy_objects_proto_msgTypes[17].Exporter = func(v interface{}, i int) interface{} {
- switch v := v.(*KasPublicKey); i {
+ switch v := v.(*KeyAccessServer); i {
case 0:
return &v.state
case 1:
@@ -4194,7 +4477,7 @@ func file_policy_objects_proto_init() {
}
}
file_policy_objects_proto_msgTypes[18].Exporter = func(v interface{}, i int) interface{} {
- switch v := v.(*KasPublicKeySet); i {
+ switch v := v.(*Key); i {
case 0:
return &v.state
case 1:
@@ -4206,7 +4489,7 @@ func file_policy_objects_proto_init() {
}
}
file_policy_objects_proto_msgTypes[19].Exporter = func(v interface{}, i int) interface{} {
- switch v := v.(*PublicKey); i {
+ switch v := v.(*KasPublicKey); i {
case 0:
return &v.state
case 1:
@@ -4218,7 +4501,7 @@ func file_policy_objects_proto_init() {
}
}
file_policy_objects_proto_msgTypes[20].Exporter = func(v interface{}, i int) interface{} {
- switch v := v.(*RegisteredResource); i {
+ switch v := v.(*KasPublicKeySet); i {
case 0:
return &v.state
case 1:
@@ -4230,7 +4513,7 @@ func file_policy_objects_proto_init() {
}
}
file_policy_objects_proto_msgTypes[21].Exporter = func(v interface{}, i int) interface{} {
- switch v := v.(*RegisteredResourceValue); i {
+ switch v := v.(*PublicKey); i {
case 0:
return &v.state
case 1:
@@ -4242,7 +4525,7 @@ func file_policy_objects_proto_init() {
}
}
file_policy_objects_proto_msgTypes[22].Exporter = func(v interface{}, i int) interface{} {
- switch v := v.(*PolicyEnforcementPoint); i {
+ switch v := v.(*RegisteredResource); i {
case 0:
return &v.state
case 1:
@@ -4254,7 +4537,7 @@ func file_policy_objects_proto_init() {
}
}
file_policy_objects_proto_msgTypes[23].Exporter = func(v interface{}, i int) interface{} {
- switch v := v.(*RequestContext); i {
+ switch v := v.(*RegisteredResourceValue); i {
case 0:
return &v.state
case 1:
@@ -4266,7 +4549,7 @@ func file_policy_objects_proto_init() {
}
}
file_policy_objects_proto_msgTypes[24].Exporter = func(v interface{}, i int) interface{} {
- switch v := v.(*Obligation); i {
+ switch v := v.(*PolicyEnforcementPoint); i {
case 0:
return &v.state
case 1:
@@ -4278,7 +4561,7 @@ func file_policy_objects_proto_init() {
}
}
file_policy_objects_proto_msgTypes[25].Exporter = func(v interface{}, i int) interface{} {
- switch v := v.(*ObligationValue); i {
+ switch v := v.(*RequestContext); i {
case 0:
return &v.state
case 1:
@@ -4290,7 +4573,7 @@ func file_policy_objects_proto_init() {
}
}
file_policy_objects_proto_msgTypes[26].Exporter = func(v interface{}, i int) interface{} {
- switch v := v.(*ObligationTrigger); i {
+ switch v := v.(*Obligation); i {
case 0:
return &v.state
case 1:
@@ -4302,7 +4585,7 @@ func file_policy_objects_proto_init() {
}
}
file_policy_objects_proto_msgTypes[27].Exporter = func(v interface{}, i int) interface{} {
- switch v := v.(*KasKey); i {
+ switch v := v.(*ObligationValue); i {
case 0:
return &v.state
case 1:
@@ -4314,7 +4597,7 @@ func file_policy_objects_proto_init() {
}
}
file_policy_objects_proto_msgTypes[28].Exporter = func(v interface{}, i int) interface{} {
- switch v := v.(*PublicKeyCtx); i {
+ switch v := v.(*ObligationTrigger); i {
case 0:
return &v.state
case 1:
@@ -4326,7 +4609,7 @@ func file_policy_objects_proto_init() {
}
}
file_policy_objects_proto_msgTypes[29].Exporter = func(v interface{}, i int) interface{} {
- switch v := v.(*PrivateKeyCtx); i {
+ switch v := v.(*KasKey); i {
case 0:
return &v.state
case 1:
@@ -4338,7 +4621,7 @@ func file_policy_objects_proto_init() {
}
}
file_policy_objects_proto_msgTypes[30].Exporter = func(v interface{}, i int) interface{} {
- switch v := v.(*AsymmetricKey); i {
+ switch v := v.(*PublicKeyCtx); i {
case 0:
return &v.state
case 1:
@@ -4350,7 +4633,7 @@ func file_policy_objects_proto_init() {
}
}
file_policy_objects_proto_msgTypes[31].Exporter = func(v interface{}, i int) interface{} {
- switch v := v.(*SymmetricKey); i {
+ switch v := v.(*PrivateKeyCtx); i {
case 0:
return &v.state
case 1:
@@ -4362,6 +4645,30 @@ func file_policy_objects_proto_init() {
}
}
file_policy_objects_proto_msgTypes[32].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*AsymmetricKey); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_policy_objects_proto_msgTypes[33].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*SymmetricKey); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_policy_objects_proto_msgTypes[34].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*RegisteredResourceValue_ActionAttributeValue); i {
case 0:
return &v.state
@@ -4378,7 +4685,7 @@ func file_policy_objects_proto_init() {
(*Action_Standard)(nil),
(*Action_Custom)(nil),
}
- file_policy_objects_proto_msgTypes[19].OneofWrappers = []interface{}{
+ file_policy_objects_proto_msgTypes[21].OneofWrappers = []interface{}{
(*PublicKey_Remote)(nil),
(*PublicKey_Cached)(nil),
}
@@ -4387,8 +4694,8 @@ func file_policy_objects_proto_init() {
File: protoimpl.DescBuilder{
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: file_policy_objects_proto_rawDesc,
- NumEnums: 9,
- NumMessages: 33,
+ NumEnums: 10,
+ NumMessages: 35,
NumExtensions: 0,
NumServices: 0,
},
diff --git a/sdk/codegen/main.go b/sdk/codegen/main.go
index f917a9e5fc..b9dc704a02 100644
--- a/sdk/codegen/main.go
+++ b/sdk/codegen/main.go
@@ -66,6 +66,10 @@ var clientsToGenerateList = []runner.ClientsToGenerate{
GrpcClientInterface: "SubjectMappingServiceClient",
GrpcPackagePath: "github.com/opentdf/platform/protocol/go/policy/subjectmapping",
},
+ {
+ GrpcClientInterface: "DynamicValueMappingServiceClient",
+ GrpcPackagePath: "github.com/opentdf/platform/protocol/go/policy/dynamicvaluemapping",
+ },
{
GrpcClientInterface: "UnsafeServiceClient",
GrpcPackagePath: "github.com/opentdf/platform/protocol/go/policy/unsafe",
diff --git a/sdk/sdk.go b/sdk/sdk.go
index fa809e6e12..01f2ae04d1 100644
--- a/sdk/sdk.go
+++ b/sdk/sdk.go
@@ -96,6 +96,7 @@ type SDK struct {
RegisteredResources sdkconnect.RegisteredResourcesServiceClient
ResourceMapping sdkconnect.ResourceMappingServiceClient
SubjectMapping sdkconnect.SubjectMappingServiceClient
+ DynamicValueMapping sdkconnect.DynamicValueMappingServiceClient
Unsafe sdkconnect.UnsafeServiceClient
KeyManagement sdkconnect.KeyManagementServiceClient
wellknownConfiguration sdkconnect.WellKnownServiceClient
@@ -229,6 +230,7 @@ func New(platformEndpoint string, opts ...Option) (*SDK, error) {
RegisteredResources: sdkconnect.NewRegisteredResourcesServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...),
ResourceMapping: sdkconnect.NewResourceMappingServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...),
SubjectMapping: sdkconnect.NewSubjectMappingServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...),
+ DynamicValueMapping: sdkconnect.NewDynamicValueMappingServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...),
Unsafe: sdkconnect.NewUnsafeServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...),
KeyAccessServerRegistry: sdkconnect.NewKeyAccessServerRegistryServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...),
Authorization: sdkconnect.NewAuthorizationServiceClientConnectWrapper(platformConn.Client, platformConn.Endpoint, platformConn.Options...),
diff --git a/sdk/sdkconnect/dynamicvaluemapping.go b/sdk/sdkconnect/dynamicvaluemapping.go
new file mode 100644
index 0000000000..7c74300686
--- /dev/null
+++ b/sdk/sdkconnect/dynamicvaluemapping.go
@@ -0,0 +1,70 @@
+// Wrapper for DynamicValueMappingServiceClient (generated code) DO NOT EDIT
+package sdkconnect
+
+import (
+ "connectrpc.com/connect"
+ "context"
+ "github.com/opentdf/platform/protocol/go/policy/dynamicvaluemapping"
+ "github.com/opentdf/platform/protocol/go/policy/dynamicvaluemapping/dynamicvaluemappingconnect"
+)
+
+type DynamicValueMappingServiceClientConnectWrapper struct {
+ dynamicvaluemappingconnect.DynamicValueMappingServiceClient
+}
+
+func NewDynamicValueMappingServiceClientConnectWrapper(httpClient connect.HTTPClient, baseURL string, opts ...connect.ClientOption) *DynamicValueMappingServiceClientConnectWrapper {
+ return &DynamicValueMappingServiceClientConnectWrapper{DynamicValueMappingServiceClient: dynamicvaluemappingconnect.NewDynamicValueMappingServiceClient(httpClient, baseURL, opts...)}
+}
+
+type DynamicValueMappingServiceClient interface {
+ ListDynamicValueMappings(ctx context.Context, req *dynamicvaluemapping.ListDynamicValueMappingsRequest) (*dynamicvaluemapping.ListDynamicValueMappingsResponse, error)
+ GetDynamicValueMapping(ctx context.Context, req *dynamicvaluemapping.GetDynamicValueMappingRequest) (*dynamicvaluemapping.GetDynamicValueMappingResponse, error)
+ CreateDynamicValueMapping(ctx context.Context, req *dynamicvaluemapping.CreateDynamicValueMappingRequest) (*dynamicvaluemapping.CreateDynamicValueMappingResponse, error)
+ UpdateDynamicValueMapping(ctx context.Context, req *dynamicvaluemapping.UpdateDynamicValueMappingRequest) (*dynamicvaluemapping.UpdateDynamicValueMappingResponse, error)
+ DeleteDynamicValueMapping(ctx context.Context, req *dynamicvaluemapping.DeleteDynamicValueMappingRequest) (*dynamicvaluemapping.DeleteDynamicValueMappingResponse, error)
+}
+
+func (w *DynamicValueMappingServiceClientConnectWrapper) ListDynamicValueMappings(ctx context.Context, req *dynamicvaluemapping.ListDynamicValueMappingsRequest) (*dynamicvaluemapping.ListDynamicValueMappingsResponse, error) {
+ // Wrap Connect RPC client request
+ res, err := w.DynamicValueMappingServiceClient.ListDynamicValueMappings(ctx, connect.NewRequest(req))
+ if res == nil {
+ return nil, err
+ }
+ return res.Msg, err
+}
+
+func (w *DynamicValueMappingServiceClientConnectWrapper) GetDynamicValueMapping(ctx context.Context, req *dynamicvaluemapping.GetDynamicValueMappingRequest) (*dynamicvaluemapping.GetDynamicValueMappingResponse, error) {
+ // Wrap Connect RPC client request
+ res, err := w.DynamicValueMappingServiceClient.GetDynamicValueMapping(ctx, connect.NewRequest(req))
+ if res == nil {
+ return nil, err
+ }
+ return res.Msg, err
+}
+
+func (w *DynamicValueMappingServiceClientConnectWrapper) CreateDynamicValueMapping(ctx context.Context, req *dynamicvaluemapping.CreateDynamicValueMappingRequest) (*dynamicvaluemapping.CreateDynamicValueMappingResponse, error) {
+ // Wrap Connect RPC client request
+ res, err := w.DynamicValueMappingServiceClient.CreateDynamicValueMapping(ctx, connect.NewRequest(req))
+ if res == nil {
+ return nil, err
+ }
+ return res.Msg, err
+}
+
+func (w *DynamicValueMappingServiceClientConnectWrapper) UpdateDynamicValueMapping(ctx context.Context, req *dynamicvaluemapping.UpdateDynamicValueMappingRequest) (*dynamicvaluemapping.UpdateDynamicValueMappingResponse, error) {
+ // Wrap Connect RPC client request
+ res, err := w.DynamicValueMappingServiceClient.UpdateDynamicValueMapping(ctx, connect.NewRequest(req))
+ if res == nil {
+ return nil, err
+ }
+ return res.Msg, err
+}
+
+func (w *DynamicValueMappingServiceClientConnectWrapper) DeleteDynamicValueMapping(ctx context.Context, req *dynamicvaluemapping.DeleteDynamicValueMappingRequest) (*dynamicvaluemapping.DeleteDynamicValueMappingResponse, error) {
+ // Wrap Connect RPC client request
+ res, err := w.DynamicValueMappingServiceClient.DeleteDynamicValueMapping(ctx, connect.NewRequest(req))
+ if res == nil {
+ return nil, err
+ }
+ return res.Msg, err
+}
diff --git a/service/authorization/v2/cache.go b/service/authorization/v2/cache.go
index 57db585676..1fd9acb767 100644
--- a/service/authorization/v2/cache.go
+++ b/service/authorization/v2/cache.go
@@ -14,10 +14,11 @@ import (
)
const (
- attributesCacheKey = "attributes_cache_key"
- subjectMappingsCacheKey = "subject_mappings_cache_key"
- registeredResourcesCacheKey = "registered_resources_cache_key"
- obligationsCacheKey = "obligations_cache_key"
+ attributesCacheKey = "attributes_cache_key"
+ subjectMappingsCacheKey = "subject_mappings_cache_key"
+ dynamicValueMappingsCacheKey = "dynamic_value_mappings_cache_key"
+ registeredResourcesCacheKey = "registered_resources_cache_key"
+ obligationsCacheKey = "obligations_cache_key"
)
var (
@@ -60,10 +61,11 @@ type EntitlementPolicyCache struct {
// The EntitlementPolicy struct holds all the cached entitlement policy, as generics allow one
// data type per service cache instance.
type EntitlementPolicy struct {
- Attributes []*policy.Attribute
- SubjectMappings []*policy.SubjectMapping
- RegisteredResources []*policy.RegisteredResource
- Obligations []*policy.Obligation
+ Attributes []*policy.Attribute
+ SubjectMappings []*policy.SubjectMapping
+ DynamicValueMappings []*policy.DynamicValueMapping
+ RegisteredResources []*policy.RegisteredResource
+ Obligations []*policy.Obligation
}
// NewEntitlementPolicyCache holds a platform-provided cache client and manages a periodic refresh of
@@ -178,6 +180,10 @@ func (c *EntitlementPolicyCache) Refresh(ctx context.Context) error {
if err != nil {
return err
}
+ dynamicValueMappings, err := c.retriever.ListAllDynamicValueMappings(ctx)
+ if err != nil {
+ return err
+ }
registeredResources, err := c.retriever.ListAllRegisteredResources(ctx)
if err != nil {
return err
@@ -200,6 +206,12 @@ func (c *EntitlementPolicyCache) Refresh(ctx context.Context) error {
return errors.Join(ErrFailedToSet, err)
}
+ err = c.cacheClient.Set(ctx, dynamicValueMappingsCacheKey, dynamicValueMappings, authzCacheTags)
+ if err != nil {
+ c.isCacheFilled = false
+ return errors.Join(ErrFailedToSet, err)
+ }
+
err = c.cacheClient.Set(ctx, registeredResourcesCacheKey, registeredResources, authzCacheTags)
if err != nil {
c.isCacheFilled = false
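Review bot: If this new `Set` fails, the entries written by the earlier `Set` calls in Refresh are already the refreshed versions while dynamic value mappings, registered resources and obligations still hold the previous refresh, so the cache can end up with policy of mixed generations. `c.isCacheFilled = false` is recorded, but `ListAllDynamicValueMappings` added later in this commit reads `c.cacheClient` directly and does not consult that flag, so an authorization decision could presumably be computed from the inconsistent set. Consider having the list methods return an error while `isCacheFilled` is false, or storing the whole `EntitlementPolicy` under a single key so that a refresh is one write. The returned error also does not say which key failed; `return fmt.Errorf("%w, dynamic value mappings: %w", ErrFailedToSet, err)` would match the Get path added in this commit. Refresh begins and ends outside this hunk.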
@@ -270,6 +282,28 @@ func (c *EntitlementPolicyCache) ListAllSubjectMappings(ctx context.Context) ([]
return subjectMappings, nil
}
+// ListAllDynamicValueMappings returns the cached dynamic value entitlement mappings, or none on a cache miss
+func (c *EntitlementPolicyCache) ListAllDynamicValueMappings(ctx context.Context) ([]*policy.DynamicValueMapping, error) {
+ var (
+ mappings []*policy.DynamicValueMapping
+ ok bool
+ )
+
+ cached, err := c.cacheClient.Get(ctx, dynamicValueMappingsCacheKey)
+ if err != nil {
+ if errors.Is(err, cache.ErrCacheMiss) {
+ return mappings, nil
+ }
+ return nil, fmt.Errorf("%w, dynamic value mappings: %w", ErrFailedToGet, err)
+ }
+
+ mappings, ok = cached.([]*policy.DynamicValueMapping)
+ if !ok {
+ return nil, fmt.Errorf("%w: %T", ErrCachedTypeNotExpected, cached)
+ }
+ return mappings, nil
+}
+
// ListAllRegisteredResources returns the cached registered resources, or none in the event of a cache miss
func (c *EntitlementPolicyCache) ListAllRegisteredResources(ctx context.Context) ([]*policy.RegisteredResource, error) {
var (
diff --git a/service/integration/dynamic_value_mappings_test.go b/service/integration/dynamic_value_mappings_test.go
new file mode 100644
index 0000000000..5527a84d3a
--- /dev/null
+++ b/service/integration/dynamic_value_mappings_test.go
@@ -0,0 +1,236 @@
+package integration
+
+import (
+ "context"
+ "log/slog"
+ "testing"
+
+ "github.com/opentdf/platform/protocol/go/policy"
+ "github.com/opentdf/platform/protocol/go/policy/attributes"
+ "github.com/opentdf/platform/protocol/go/policy/dynamicvaluemapping"
+ "github.com/opentdf/platform/protocol/go/policy/subjectmapping"
+ "github.com/opentdf/platform/protocol/go/policy/unsafe"
+ "github.com/opentdf/platform/service/internal/fixtures"
+ policydb "github.com/opentdf/platform/service/policy/db"
+ "github.com/stretchr/testify/suite"
+)
+
+type DynamicValueMappingsSuite struct {
+ suite.Suite
+ f fixtures.Fixtures
+ db fixtures.DBInterface
+ //nolint:containedctx // Only used for test suite
+ ctx context.Context
+}
+
+func (s *DynamicValueMappingsSuite) SetupSuite() {
+ slog.Info("setting up db.DynamicValueMappings test suite")
+ s.ctx = context.Background()
+ c := *Config
+ c.DB.Schema = "test_opentdf_dynamic_value_mappings"
+ s.db = fixtures.NewDBInterface(s.ctx, c)
+ s.f = fixtures.NewFixture(s.db)
+ s.f.Provision(s.ctx)
+}
+
+func (s *DynamicValueMappingsSuite) TearDownSuite() {
+ slog.Info("tearing down db.DynamicValueMappings test suite")
+ s.f.TearDown(s.ctx)
+}
+
+func TestDynamicValueMappingsSuite(t *testing.T) {
+ if testing.Short() {
+ t.Skip("skipping dynamic_value_mappings integration tests")
+ }
+ suite.Run(t, new(DynamicValueMappingsSuite))
+}
+
+func (s *DynamicValueMappingsSuite) TestCreateAndGet() {
+ attr := s.createDefinition("dvem_create_ok", policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF)
+
+ created, err := s.db.PolicyClient.CreateDynamicValueMapping(s.ctx, &dynamicvaluemapping.CreateDynamicValueMappingRequest{
+ AttributeDefinitionId: attr.GetId(),
+ ValueResolver: s.resolver(".patientAssignments[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN),
+ Actions: []*policy.Action{s.readAction()},
+ })
+ s.Require().NoError(err)
+ s.Require().NotEmpty(created.GetId())
+
+ got, err := s.db.PolicyClient.GetDynamicValueMapping(s.ctx, created.GetId())
+ s.Require().NoError(err)
+ s.Equal(attr.GetId(), got.GetAttributeDefinition().GetId())
+ s.Equal(".patientAssignments[]", got.GetValueResolver().GetSubjectExternalSelectorValue())
+ s.Equal(policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN, got.GetValueResolver().GetOperator())
+ s.Len(got.GetActions(), 1)
+ s.Nil(got.GetSubjectConditionSet(), "optional static pre-gate omitted")
+}
+
+func (s *DynamicValueMappingsSuite) TestCreateWithStaticGate() {
+ attr := s.createDefinition("dvem_create_gate", policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF)
+
+ created, err := s.db.PolicyClient.CreateDynamicValueMapping(s.ctx, &dynamicvaluemapping.CreateDynamicValueMappingRequest{
+ AttributeDefinitionId: attr.GetId(),
+ ValueResolver: s.resolver(".patientAssignments[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN),
+ Actions: []*policy.Action{s.readAction()},
+ NewSubjectConditionSet: s.sampleSCSCreate(),
+ })
+ s.Require().NoError(err)
+
+ got, err := s.db.PolicyClient.GetDynamicValueMapping(s.ctx, created.GetId())
+ s.Require().NoError(err)
+ s.Require().NotNil(got.GetSubjectConditionSet(), "static pre-gate should be hydrated")
+ s.NotEmpty(got.GetSubjectConditionSet().GetSubjectSets())
+}
+
+func (s *DynamicValueMappingsSuite) TestRejectsHierarchyDefinition() {
+ attr := s.createDefinition("dvem_hierarchy", policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY)
+
+ _, err := s.db.PolicyClient.CreateDynamicValueMapping(s.ctx, &dynamicvaluemapping.CreateDynamicValueMappingRequest{
+ AttributeDefinitionId: attr.GetId(),
+ ValueResolver: s.resolver(".x[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN),
+ Actions: []*policy.Action{s.readAction()},
+ })
+ s.Require().Error(err, "HIERARCHY definitions must be rejected")
+}
+
+func (s *DynamicValueMappingsSuite) TestNoCoexistence_SubjectMappingThenDynamic() {
+ attr := s.createDefinition("dvem_coexist_fwd", policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF)
+ val, err := s.db.PolicyClient.CreateAttributeValue(s.ctx, attr.GetId(), &attributes.CreateAttributeValueRequest{Value: "v1"})
+ s.Require().NoError(err)
+
+ _, err = s.db.PolicyClient.CreateSubjectMapping(s.ctx, &subjectmapping.CreateSubjectMappingRequest{
+ AttributeValueId: val.GetId(),
+ Actions: []*policy.Action{s.readAction()},
+ NewSubjectConditionSet: s.sampleSCSCreate(),
+ })
+ s.Require().NoError(err)
+
+ // definition now has a value-level subject mapping; a dynamic mapping must be rejected
+ _, err = s.db.PolicyClient.CreateDynamicValueMapping(s.ctx, &dynamicvaluemapping.CreateDynamicValueMappingRequest{
+ AttributeDefinitionId: attr.GetId(),
+ ValueResolver: s.resolver(".x[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN),
+ Actions: []*policy.Action{s.readAction()},
+ })
+ s.Require().Error(err, "dynamic mapping must not coexist with value-level subject mappings")
+}
+
+func (s *DynamicValueMappingsSuite) TestNoCoexistence_DynamicThenSubjectMapping() {
+ attr := s.createDefinition("dvem_coexist_rev", policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF)
+
+ _, err := s.db.PolicyClient.CreateDynamicValueMapping(s.ctx, &dynamicvaluemapping.CreateDynamicValueMappingRequest{
+ AttributeDefinitionId: attr.GetId(),
+ ValueResolver: s.resolver(".x[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN),
+ Actions: []*policy.Action{s.readAction()},
+ })
+ s.Require().NoError(err)
+
+ val, err := s.db.PolicyClient.CreateAttributeValue(s.ctx, attr.GetId(), &attributes.CreateAttributeValueRequest{Value: "v1"})
+ s.Require().NoError(err)
+
+ // definition now has a dynamic mapping; a value-level subject mapping must be rejected
+ _, err = s.db.PolicyClient.CreateSubjectMapping(s.ctx, &subjectmapping.CreateSubjectMappingRequest{
+ AttributeValueId: val.GetId(),
+ Actions: []*policy.Action{s.readAction()},
+ NewSubjectConditionSet: s.sampleSCSCreate(),
+ })
+ s.Require().Error(err, "value-level subject mapping must not coexist with a dynamic mapping")
+}
+
+func (s *DynamicValueMappingsSuite) TestRejectsRuleChangeToHierarchy() {
+ attr := s.createDefinition("dvem_rule_guard", policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF)
+
+ _, err := s.db.PolicyClient.CreateDynamicValueMapping(s.ctx, &dynamicvaluemapping.CreateDynamicValueMappingRequest{
+ AttributeDefinitionId: attr.GetId(),
+ ValueResolver: s.resolver(".x[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN),
+ Actions: []*policy.Action{s.readAction()},
+ })
+ s.Require().NoError(err)
+
+ _, err = s.db.PolicyClient.UnsafeUpdateAttribute(s.ctx, &unsafe.UnsafeUpdateAttributeRequest{
+ Id: attr.GetId(),
+ Rule: policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY,
+ })
+ s.Require().Error(err, "changing the rule to HIERARCHY must be rejected when a dynamic mapping exists")
+}
+
+func (s *DynamicValueMappingsSuite) TestUpdateAndDelete() {
+ attr := s.createDefinition("dvem_update_delete", policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF)
+
+ created, err := s.db.PolicyClient.CreateDynamicValueMapping(s.ctx, &dynamicvaluemapping.CreateDynamicValueMappingRequest{
+ AttributeDefinitionId: attr.GetId(),
+ ValueResolver: s.resolver(".patientAssignments[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN),
+ Actions: []*policy.Action{s.readAction()},
+ })
+ s.Require().NoError(err)
+
+ updated, err := s.db.PolicyClient.UpdateDynamicValueMapping(s.ctx, &dynamicvaluemapping.UpdateDynamicValueMappingRequest{
+ Id: created.GetId(),
+ ValueResolver: s.resolver(".accounts[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS),
+ })
+ s.Require().NoError(err)
+ s.Equal(".accounts[]", updated.GetValueResolver().GetSubjectExternalSelectorValue())
+ s.Equal(policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS, updated.GetValueResolver().GetOperator())
+
+ _, err = s.db.PolicyClient.DeleteDynamicValueMapping(s.ctx, created.GetId())
+ s.Require().NoError(err)
+
+ _, err = s.db.PolicyClient.GetDynamicValueMapping(s.ctx, created.GetId())
+ s.Require().Error(err, "mapping should be gone after delete")
+}
+
+func (s *DynamicValueMappingsSuite) TestListByDefinition() {
+ attr := s.createDefinition("dvem_list", policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF)
+ _, err := s.db.PolicyClient.CreateDynamicValueMapping(s.ctx, &dynamicvaluemapping.CreateDynamicValueMappingRequest{
+ AttributeDefinitionId: attr.GetId(),
+ ValueResolver: s.resolver(".patientAssignments[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN),
+ Actions: []*policy.Action{s.readAction()},
+ })
+ s.Require().NoError(err)
+
+ resp, err := s.db.PolicyClient.ListDynamicValueMappings(s.ctx, &dynamicvaluemapping.ListDynamicValueMappingsRequest{
+ AttributeDefinitionId: attr.GetId(),
+ })
+ s.Require().NoError(err)
+ s.Require().Len(resp.GetDynamicValueMappings(), 1)
+ s.Equal(attr.GetId(), resp.GetDynamicValueMappings()[0].GetAttributeDefinition().GetId())
+}
+
+// createDefinition makes a fresh attribute under the example.com namespace with no values
+// or subject mappings, so each test controls its own coexistence state.
+func (s *DynamicValueMappingsSuite) createDefinition(name string, rule policy.AttributeRuleTypeEnum) *policy.Attribute {
+ nsID := s.f.GetNamespaceKey("example.com").ID
+ attr, err := s.db.PolicyClient.CreateAttribute(s.ctx, &attributes.CreateAttributeRequest{
+ Name: name,
+ NamespaceId: nsID,
+ Rule: rule,
+ })
+ s.Require().NoError(err)
+ s.Require().NotNil(attr)
+ return attr
+}
+
+func (s *DynamicValueMappingsSuite) readAction() *policy.Action {
+ return s.f.GetStandardAction(policydb.ActionRead.String())
+}
+
+func (s *DynamicValueMappingsSuite) resolver(selector string, op policy.DynamicValueOperatorEnum) *policy.DynamicValueResolver {
+ return &policy.DynamicValueResolver{
+ SubjectExternalSelectorValue: selector,
+ Operator: op,
+ }
+}
+
+func (s *DynamicValueMappingsSuite) sampleSCSCreate() *subjectmapping.SubjectConditionSetCreate {
+ return &subjectmapping.SubjectConditionSetCreate{
+ SubjectSets: []*policy.SubjectSet{{
+ ConditionGroups: []*policy.ConditionGroup{{
+ BooleanOperator: policy.ConditionBooleanTypeEnum_CONDITION_BOOLEAN_TYPE_ENUM_AND,
+ Conditions: []*policy.Condition{{
+ SubjectExternalSelectorValue: ".department",
+ Operator: policy.SubjectMappingOperatorEnum_SUBJECT_MAPPING_OPERATOR_ENUM_IN,
+ SubjectExternalValues: []string{"cardiology"},
+ }},
+ }},
+ }},
+ }
+}
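Review bot: The rejection tests (`TestRejectsHierarchyDefinition`, both `TestNoCoexistence_*` cases, `TestRejectsRuleChangeToHierarchy`) and the post-delete lookup in `TestUpdateAndDelete` assert only `s.Require().Error(err, ...)`, so any failure, including an unrelated database or fixture error, satisfies them. Because these tests pin authorization invariants, each should match the specific error the policy DB layer returns, e.g. `s.Require().ErrorIs(err, <EXPECTED_SENTINEL_ERROR>)`, using the sentinel the implementation defines (not visible in this file). The two coexistence tests would also be stronger if they confirmed that the mapping created first is still retrievable after the rejected call.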
diff --git a/service/internal/access/v2/helpers.go b/service/internal/access/v2/helpers.go
index decb42f2c3..2df99356de 100644
--- a/service/internal/access/v2/helpers.go
+++ b/service/internal/access/v2/helpers.go
@@ -13,6 +13,7 @@ import (
"github.com/opentdf/platform/protocol/go/policy"
attrs "github.com/opentdf/platform/protocol/go/policy/attributes"
"github.com/opentdf/platform/service/internal/access/v2/obligations"
+ "github.com/opentdf/platform/service/internal/subjectmappingbuiltin"
"github.com/opentdf/platform/service/logger"
)
@@ -21,6 +22,7 @@ var (
ErrInvalidAttributeDefinition = errors.New("access: invalid attribute definition")
ErrInvalidRegisteredResource = errors.New("access: invalid registered resource")
ErrInvalidRegisteredResourceValue = errors.New("access: invalid registered resource value")
+ ErrInvalidDynamicValueMapping = errors.New("access: invalid dynamic value mapping")
)
// getDefinition parses the value FQN and uses it to retrieve the definition from the provided definitions map
@@ -197,6 +199,8 @@ func getResourceDecisionableAttributes(
entitleableAttributesByValueFQN map[string]*attrs.GetAttributeValuesByFqnsResponse_AttributeAndValue,
// this is needed to support direct entitlement ad-hoc attribute values
entitleableAttributesByDefinitionFQN map[string]*policy.Attribute,
+ // definitions carrying a dynamic value entitlement mapping also support synthetic values
+ dynamicMappingsByDefinitionFQN subjectmappingbuiltin.DynamicValueMappingsByDefinitionFQN,
// action *policy.Action,
resources []*authz.Resource,
allowDirectEntitlements bool,
@@ -251,24 +255,29 @@ func getResourceDecisionableAttributes(
attributeAndValue, ok := entitleableAttributesByValueFQN[attrValueFQN]
if !ok {
- // if the attribute value FQN is not found, then check if direct entitlements with synthetic values are enabled (experimental)
- if !allowDirectEntitlements {
- // if disabled, add to not found list and skip to next attribute value FQN
+ // The value FQN is not a concrete policy value. A synthetic value is created
+ // when either direct entitlements are enabled (experimental) OR the parent
+ // definition carries a dynamic value entitlement mapping (DSPX-2754), since
+ // dynamic mappings entitle values that are not pre-provisioned in policy.
+ parentDefinition, err := getDefinition(attrValueFQN, entitleableAttributesByDefinitionFQN)
+ if err != nil {
+ // definition not found: add to not found list and skip
notFoundFQNs = append(notFoundFQNs, attrValueFQN)
continue
}
- // now process direct entitlement that only exists at attribute definition level
- logger.DebugContext(ctx, "processing direct entitlement for resource decisionable attribute value", slog.String("attribute_value_fqn", attrValueFQN))
-
- // try to find the definition by extracting partial FQN from direct entitlement synthetic value FQN
- parentDefinition, err := getDefinition(attrValueFQN, entitleableAttributesByDefinitionFQN)
- if err != nil {
- // if definition not found, add to not found list and skip to next attribute value FQN
+ _, hasDynamicMapping := dynamicMappingsByDefinitionFQN[parentDefinition.GetFqn()]
+ if !allowDirectEntitlements && !hasDynamicMapping {
+ // neither path enabled for this value: add to not found list and skip
notFoundFQNs = append(notFoundFQNs, attrValueFQN)
continue
}
+ logger.DebugContext(ctx, "processing synthetic value for resource decisionable attribute value",
+ slog.String("attribute_value_fqn", attrValueFQN),
+ slog.Bool("has_dynamic_mapping", hasDynamicMapping),
+ )
+
// Extract the value part from the FQN
// FQN format: https:///attr//value/
parsedAttrValueFQN, err := identifier.Parse[*identifier.FullyQualifiedAttribute](attrValueFQN)
diff --git a/service/internal/access/v2/helpers_test.go b/service/internal/access/v2/helpers_test.go
index 3862c6f8b0..149eaa108a 100644
--- a/service/internal/access/v2/helpers_test.go
+++ b/service/internal/access/v2/helpers_test.go
@@ -1147,6 +1147,7 @@ func Test_getResourceDecisionableAttributes(t *testing.T) {
nil, // registered resources are not used by direct entitlements
nil, // direct entitlements will not be in entitleableAttributesByValueFQN map, due to synthetic values
entitleableAttributesByDefinitionFQN,
+ nil, // no definition value entitlement mappings
resources,
true, // allow direct entitlements
)
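Review bot: All three updated calls pass `nil` for the new parameter (this hunk and the two later hunks in this file), so the new `!allowDirectEntitlements && hasDynamicMapping` gate in getResourceDecisionableAttributes has no unit-level coverage. Add a case with direct entitlements disabled and a mapping on the resource's definition, where the value is expected to be decisionable. Add a second case where the mapping sits on a different definition, where the value must land in the not-found list. The inline comment would also read better as `nil, // no dynamic value mappings` to match the parameter name. The enclosing test function starts and ends outside these hunks.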
@@ -1173,6 +1174,7 @@ func Test_getResourceDecisionableAttributes(t *testing.T) {
nil, // registered resources are not used by direct entitlements
nil, // direct entitlements will not be in entitleableAttributesByValueFQN map, due to synthetic values
entitleableAttributesByDefinitionFQN,
+ nil, // no definition value entitlement mappings
resources,
true, // allow direct entitlements
)
@@ -1195,6 +1197,7 @@ func Test_getResourceDecisionableAttributes(t *testing.T) {
nil, // registered resources are not used by direct entitlements
nil, // direct entitlements will not be in entitleableAttributesByValueFQN map, due to synthetic values
entitleableAttributesByDefinitionFQN,
+ nil, // no definition value entitlement mappings
resources,
false, // disable direct entitlements
)
diff --git a/service/internal/access/v2/just_in_time_pdp.go b/service/internal/access/v2/just_in_time_pdp.go
index d90addfd4a..336b5835e3 100644
--- a/service/internal/access/v2/just_in_time_pdp.go
+++ b/service/internal/access/v2/just_in_time_pdp.go
@@ -91,8 +91,12 @@ func NewJustInTimePDP(
if err != nil {
return nil, fmt.Errorf("failed to fetch all obligations: %w", err)
}
+ allDynamicValueMappings, err := store.ListAllDynamicValueMappings(ctx)
+ if err != nil {
+ return nil, fmt.Errorf("failed to fetch all dynamic value mappings: %w", err)
+ }
- pdp, err := NewPolicyDecisionPoint(ctx, log, allAttributes, allSubjectMappings, allRegisteredResources, allowDirectEntitlements, namespacedPolicy)
+ pdp, err := NewPolicyDecisionPointWithDynamicValueMappings(ctx, log, allAttributes, allSubjectMappings, allDynamicValueMappings, allRegisteredResources, allowDirectEntitlements, namespacedPolicy)
if err != nil {
return nil, fmt.Errorf("failed to create new policy decision point: %w", err)
}
diff --git a/service/internal/access/v2/pdp.go b/service/internal/access/v2/pdp.go
index 784ea6988e..cb801bad0b 100644
--- a/service/internal/access/v2/pdp.go
+++ b/service/internal/access/v2/pdp.go
@@ -61,6 +61,7 @@ type PolicyDecisionPoint struct {
allEntitleableAttributesByValueFQN map[string]*attrs.GetAttributeValuesByFqnsResponse_AttributeAndValue
allRegisteredResourceValuesByFQN map[string]*policy.RegisteredResourceValue
allAttributesByDefinitionFQN map[string]*policy.Attribute
+ dynamicMappingsByDefinitionFQN subjectmappingbuiltin.DynamicValueMappingsByDefinitionFQN
allowDirectEntitlements bool
namespacedPolicy bool
}
@@ -85,6 +86,31 @@ func NewPolicyDecisionPoint(
allRegisteredResources []*policy.RegisteredResource,
allowDirectEntitlements bool,
namespacedPolicy bool,
+) (*PolicyDecisionPoint, error) {
+ return NewPolicyDecisionPointWithDynamicValueMappings(
+ ctx,
+ l,
+ allAttributeDefinitions,
+ allSubjectMappings,
+ nil,
+ allRegisteredResources,
+ allowDirectEntitlements,
+ namespacedPolicy,
+ )
+}
+
+// NewPolicyDecisionPointWithDynamicValueMappings is NewPolicyDecisionPoint
+// plus the dynamic, definition-level value entitlement mappings (DSPX-2754). The mappings
+// argument may be nil/empty when the feature is unused.
+func NewPolicyDecisionPointWithDynamicValueMappings(
+ ctx context.Context,
+ l *logger.Logger,
+ allAttributeDefinitions []*policy.Attribute,
+ allSubjectMappings []*policy.SubjectMapping,
+ allDynamicValueMappings []*policy.DynamicValueMapping,
+ allRegisteredResources []*policy.RegisteredResource,
+ allowDirectEntitlements bool,
+ namespacedPolicy bool,
) (*PolicyDecisionPoint, error) {
var err error
@@ -160,6 +186,43 @@ func NewPolicyDecisionPoint(
allEntitleableAttributesByValueFQN[mappedValueFQN] = mapped
}
+ dynamicMappingsByDefinitionFQN := make(subjectmappingbuiltin.DynamicValueMappingsByDefinitionFQN)
+ for _, mapping := range allDynamicValueMappings {
+ if err := validateDynamicValueMapping(mapping); err != nil {
+ l.WarnContext(ctx,
+ "invalid dynamic value mapping - skipping",
+ slog.Any("dynamic_value_mapping", mapping),
+ slog.Any("error", err),
+ )
+ continue
+ }
+
+ if namespacedPolicy {
+ ns := mapping.GetNamespace()
+ if ns == nil || (ns.GetId() == "" && ns.GetFqn() == "") {
+ l.TraceContext(ctx,
+ "unnamespaced dynamic value mapping in strict namespaced-policy mode - skipping",
+ slog.String("reason", "dynamic_value_mapping_namespace_missing"),
+ slog.String("dynamic_value_mapping_id", mapping.GetId()),
+ slog.String("attribute_definition_fqn", mapping.GetAttributeDefinition().GetFqn()),
+ )
+ continue
+ }
+ }
+
+ definitionFQN := mapping.GetAttributeDefinition().GetFqn()
+ if _, ok := allAttributesByDefinitionFQN[definitionFQN]; !ok {
+ l.WarnContext(ctx,
+ "dynamic value mapping references unknown attribute definition - skipping",
+ slog.String("dynamic_value_mapping_id", mapping.GetId()),
+ slog.String("attribute_definition_fqn", definitionFQN),
+ )
+ continue
+ }
+
+ dynamicMappingsByDefinitionFQN[definitionFQN] = append(dynamicMappingsByDefinitionFQN[definitionFQN], mapping)
+ }
+
allRegisteredResourceValuesByFQN := make(map[string]*policy.RegisteredResourceValue)
for _, rr := range allRegisteredResources {
if err := validateRegisteredResource(rr); err != nil {
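Review bot: The HIERARCHY rejection is decided from the definition copy embedded in the mapping (`validateDynamicValueMapping` reads `mapping.GetAttributeDefinition().GetRule()`), while the lookup into `allAttributesByDefinitionFQN` in this loop only tests existence and discards the entry that rule evaluation presumably uses. If the embedded copy is stale or not fully hydrated, a mapping on a HIERARCHY definition would still be indexed. Keep the looked-up definition and check its rule as well: `def, ok := allAttributesByDefinitionFQN[definitionFQN]` followed by `if !ok || def.GetRule() == policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY { ... continue }`. In namespaced mode the mapping's namespace is checked only for presence; whether it must also equal the definition's namespace is worth confirming. The constructor body starts and ends outside this hunk.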
@@ -192,12 +255,13 @@ func NewPolicyDecisionPoint(
}
pdp := &PolicyDecisionPoint{
- l,
- allEntitleableAttributesByValueFQN,
- allRegisteredResourceValuesByFQN,
- allAttributesByDefinitionFQN,
- allowDirectEntitlements,
- namespacedPolicy,
+ logger: l,
+ allEntitleableAttributesByValueFQN: allEntitleableAttributesByValueFQN,
+ allRegisteredResourceValuesByFQN: allRegisteredResourceValuesByFQN,
+ allAttributesByDefinitionFQN: allAttributesByDefinitionFQN,
+ dynamicMappingsByDefinitionFQN: dynamicMappingsByDefinitionFQN,
+ allowDirectEntitlements: allowDirectEntitlements,
+ namespacedPolicy: namespacedPolicy,
}
return pdp, nil
}
@@ -245,6 +309,7 @@ func (p *PolicyDecisionPoint) GetDecision(
p.allRegisteredResourceValuesByFQN,
p.allEntitleableAttributesByValueFQN,
p.allAttributesByDefinitionFQN, /* action, */
+ p.dynamicMappingsByDefinitionFQN,
resources,
p.allowDirectEntitlements,
)
@@ -301,6 +366,24 @@ func (p *PolicyDecisionPoint) GetDecision(
}
}
+ // Evaluate dynamic, definition-level value entitlement mappings (DSPX-2754) and merge
+ // their results into the entitled FQNs before rule evaluation.
+ if len(p.dynamicMappingsByDefinitionFQN) > 0 {
+ dynamicEntitledFQNsToActions, err := subjectmappingbuiltin.EvaluateDynamicValueMappingsWithActions(
+ p.dynamicMappingsByDefinitionFQN,
+ decisionableAttributes,
+ entityRepresentation,
+ l.Logger,
+ )
+ if err != nil {
+ return nil, nil, fmt.Errorf("error evaluating dynamic value mappings: %w", err)
+ }
+ for fqn, actions := range dynamicEntitledFQNsToActions {
+ entitledFQNsToActions[fqn] = append(entitledFQNsToActions[fqn], actions...)
+ }
+ l.DebugContext(ctx, "evaluated dynamic value mappings", slog.Any("dynamic_entitled_value_fqns_to_actions", dynamicEntitledFQNsToActions))
+ }
+
decision := &Decision{
AllPermitted: true,
Results: make([]ResourceDecision, len(resources)),
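Review bot: The debug line at the end of the added block logs the full `dynamicEntitledFQNsToActions` map, whose keys are value FQNs synthesized from entity and resource data rather than administrator-defined policy values; the PDP test added in this change uses medical record numbers as such values. Logging them can place subject-linked identifiers in log storage whenever debug logging is enabled. Prefer a count, e.g. `slog.Int("dynamic_entitled_value_count", len(dynamicEntitledFQNsToActions))`, and keep per-value detail at trace level if it is needed at all. GetDecision's body starts and ends outside this hunk.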
@@ -355,6 +438,7 @@ func (p *PolicyDecisionPoint) GetDecisionRegisteredResource(
p.allRegisteredResourceValuesByFQN,
p.allEntitleableAttributesByValueFQN,
p.allAttributesByDefinitionFQN, /*action, */
+ p.dynamicMappingsByDefinitionFQN,
resources,
p.allowDirectEntitlements,
)
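Review bot: Passing `p.dynamicMappingsByDefinitionFQN` on this path lets getResourceDecisionableAttributes create synthetic values for definitions with a dynamic mapping, but no hunk in this file adds a matching `EvaluateDynamicValueMappingsWithActions` call to GetDecisionRegisteredResource as was done for GetDecision. If that holds, such values change from being reported as not found to being decisionable but never entitled. The request is still denied, but the result the caller sees is different. Either pass `nil` here or state the intent in a comment, e.g. `// dynamic mappings need an entity representation; synthetic values on this path are never entitled`. The function body lies outside this hunk, so confirm against the full source.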
diff --git a/service/internal/access/v2/pdp_dynamic_test.go b/service/internal/access/v2/pdp_dynamic_test.go
new file mode 100644
index 0000000000..58e4816324
--- /dev/null
+++ b/service/internal/access/v2/pdp_dynamic_test.go
@@ -0,0 +1,86 @@
+package access
+
+import (
+ authz "github.com/opentdf/platform/protocol/go/authorization/v2"
+ "github.com/opentdf/platform/protocol/go/policy"
+)
+
+// Test_GetDecision_DynamicValueMapping_MultiValue exercises the full
+// GetDecision path for dynamic, definition-level value entitlement (DSPX-2754), focused on
+// the multi-value rule semantics: a single resource carries two dynamic values under one
+// definition while the entity is entitled to only one. ANY_OF should permit, ALL_OF deny.
+func (s *PDPTestSuite) Test_GetDecision_DynamicValueMapping_MultiValue() {
+ const ns = "hospital.co"
+ defFQN := createAttrFQN(ns, "mrn")
+ v123 := createAttrValueFQN(ns, "mrn", "mrn-123")
+ v456 := createAttrValueFQN(ns, "mrn", "mrn-456")
+ namespace := &policy.Namespace{Name: ns, Fqn: "https://" + ns}
+
+ buildPDP := func(rule policy.AttributeRuleTypeEnum) *PolicyDecisionPoint {
+ // A dynamic definition has no statically provisioned values.
+ attr := &policy.Attribute{
+ Fqn: defFQN,
+ Rule: rule,
+ Namespace: namespace,
+ }
+ mapping := &policy.DynamicValueMapping{
+ AttributeDefinition: attr,
+ ValueResolver: &policy.DynamicValueResolver{
+ SubjectExternalSelectorValue: ".properties.patientAssignments[]",
+ Operator: policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN,
+ },
+ Actions: []*policy.Action{testActionRead},
+ Namespace: namespace,
+ }
+ pdp, err := NewPolicyDecisionPointWithDynamicValueMappings(
+ s.T().Context(),
+ s.logger,
+ []*policy.Attribute{attr},
+ []*policy.SubjectMapping{},
+ []*policy.DynamicValueMapping{mapping},
+ nil,
+ false, // allowDirectEntitlements: dynamic mappings synthesize values on their own
+ false, // namespacedPolicy
+ )
+ s.Require().NoError(err)
+ s.Require().NotNil(pdp)
+ return pdp
+ }
+
+ // Entity is assigned mrn-123 only (entitled to one of the two requested values).
+ entityOne := s.createEntityWithProps("provider-1", map[string]interface{}{
+ "patientAssignments": []interface{}{"mrn-123"},
+ })
+ // Single resource carrying BOTH dynamic values under the one definition.
+ resourceBothValues := []*authz.Resource{createAttributeValueResource("resource-1", v123, v456)}
+
+ s.Run("ANY_OF permits when entitled to one of two dynamic values", func() {
+ pdp := buildPDP(policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF)
+ decision, entitlements, err := pdp.GetDecision(s.T().Context(), entityOne, testActionRead, resourceBothValues)
+ s.Require().NoError(err)
+ s.Require().NotNil(decision)
+ s.True(decision.AllPermitted, "ANY_OF: one entitled dynamic value suffices")
+ s.Contains(entitlements, v123, "should be entitled to the matched dynamic value")
+ s.NotContains(entitlements, v456, "should not be entitled to the unmatched dynamic value")
+ s.Require().Contains(entitlements[v123], testActionRead)
+ })
+
+ s.Run("ALL_OF denies when entitled to only one of two dynamic values", func() {
+ pdp := buildPDP(policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF)
+ decision, _, err := pdp.GetDecision(s.T().Context(), entityOne, testActionRead, resourceBothValues)
+ s.Require().NoError(err)
+ s.Require().NotNil(decision)
+ s.False(decision.AllPermitted, "ALL_OF: mrn-456 is not entitled, so the resource is denied")
+ })
+
+ s.Run("ALL_OF permits when entitled to both dynamic values", func() {
+ entityBoth := s.createEntityWithProps("provider-2", map[string]interface{}{
+ "patientAssignments": []interface{}{"mrn-123", "mrn-456"},
+ })
+ pdp := buildPDP(policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF)
+ decision, _, err := pdp.GetDecision(s.T().Context(), entityBoth, testActionRead, resourceBothValues)
+ s.Require().NoError(err)
+ s.Require().NotNil(decision)
+ s.True(decision.AllPermitted, "ALL_OF: both dynamic values are entitled")
+ })
+}
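Review bot: The three subtests cover only entities that match at least one requested value; there is no case where the entity has no matching assignment, or no `patientAssignments` property at all. That is the deny path that matters most for a mapping that synthesizes values on demand. Add an ANY_OF subtest with such an entity asserting `s.False(decision.AllPermitted)` and that `entitlements` contains neither `v123` nor `v456`. A construction case with `namespacedPolicy` set to `true` and a mapping whose `Namespace` is nil would also pin the skip branch added in NewPolicyDecisionPointWithDynamicValueMappings.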
diff --git a/service/internal/access/v2/policy_store.go b/service/internal/access/v2/policy_store.go
index f9381e9262..8cd71b78ac 100644
--- a/service/internal/access/v2/policy_store.go
+++ b/service/internal/access/v2/policy_store.go
@@ -7,6 +7,7 @@ import (
"github.com/opentdf/platform/protocol/go/common"
"github.com/opentdf/platform/protocol/go/policy"
attrs "github.com/opentdf/platform/protocol/go/policy/attributes"
+ "github.com/opentdf/platform/protocol/go/policy/dynamicvaluemapping"
"github.com/opentdf/platform/protocol/go/policy/obligations"
"github.com/opentdf/platform/protocol/go/policy/registeredresources"
"github.com/opentdf/platform/protocol/go/policy/subjectmapping"
@@ -17,6 +18,7 @@ import (
type EntitlementPolicyStore interface {
ListAllAttributes(ctx context.Context) ([]*policy.Attribute, error)
ListAllSubjectMappings(ctx context.Context) ([]*policy.SubjectMapping, error)
+ ListAllDynamicValueMappings(ctx context.Context) ([]*policy.DynamicValueMapping, error)
ListAllRegisteredResources(ctx context.Context) ([]*policy.RegisteredResource, error)
ListAllObligations(ctx context.Context) ([]*policy.Obligation, error)
IsEnabled() bool
@@ -24,10 +26,11 @@ type EntitlementPolicyStore interface {
}
var (
- ErrFailedToFetchAttributes = errors.New("failed to fetch attributes from policy service")
- ErrFailedToFetchSubjectMappings = errors.New("failed to fetch subject mappings from policy service")
- ErrFailedToFetchRegisteredResources = errors.New("failed to fetch registered resources from policy service")
- ErrFailedToFetchObligations = errors.New("failed to fetch obligations from policy service")
+ ErrFailedToFetchAttributes = errors.New("failed to fetch attributes from policy service")
+ ErrFailedToFetchSubjectMappings = errors.New("failed to fetch subject mappings from policy service")
+ ErrFailedToFetchDynamicValueMappings = errors.New("failed to fetch dynamic value mappings from policy service")
+ ErrFailedToFetchRegisteredResources = errors.New("failed to fetch registered resources from policy service")
+ ErrFailedToFetchObligations = errors.New("failed to fetch obligations from policy service")
)
// EntitlementPolicyRetriever satisfies the EntitlementPolicyStore interface and fetches fresh
@@ -103,6 +106,32 @@ func (p *EntitlementPolicyRetriever) ListAllSubjectMappings(ctx context.Context)
return smList, nil
}
+func (p *EntitlementPolicyRetriever) ListAllDynamicValueMappings(ctx context.Context) ([]*policy.DynamicValueMapping, error) {
+ // If quantity exceeds maximum list pagination, all are needed to determine entitlements
+ var nextOffset int32
+ mappingsList := make([]*policy.DynamicValueMapping, 0)
+
+ for {
+ listed, err := p.SDK.DynamicValueMapping.ListDynamicValueMappings(ctx, &dynamicvaluemapping.ListDynamicValueMappingsRequest{
+ // defer to service default for limit pagination
+ Pagination: &policy.PageRequest{
+ Offset: nextOffset,
+ },
+ })
+ if err != nil {
+ return nil, errors.Join(ErrFailedToFetchDynamicValueMappings, err)
+ }
+
+ nextOffset = listed.GetPagination().GetNextOffset()
+ mappingsList = append(mappingsList, listed.GetDynamicValueMappings()...)
+
+ if nextOffset <= 0 {
+ break
+ }
+ }
+ return mappingsList, nil
+}
+
func (p *EntitlementPolicyRetriever) ListAllRegisteredResources(ctx context.Context) ([]*policy.RegisteredResource, error) {
// If quantity of registered resources exceeds maximum list pagination, all are needed to determine entitlements
var nextOffset int32
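Review bot: The pagination loop in the new `ListAllDynamicValueMappings` stops only when `nextOffset <= 0`, so a response whose next offset does not advance past the one just requested would fetch the same page repeatedly and grow `mappingsList` without bound. Read the value into a local first, `next := listed.GetPagination().GetNextOffset()`, append the page, then `if next <= nextOffset { break }` before assigning `nextOffset = next`. The neighbouring list methods appear to use the same loop shape, so a shared paging helper may be the better home for the guard. The method also has no doc comment; `// ListAllDynamicValueMappings pages through every dynamic value mapping from the policy service.` would do.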
diff --git a/service/internal/access/v2/validators.go b/service/internal/access/v2/validators.go
index fff3d6e451..5910a95ace 100644
--- a/service/internal/access/v2/validators.go
+++ b/service/internal/access/v2/validators.go
@@ -127,6 +127,40 @@ func validateAttribute(attribute *policy.Attribute) error {
return nil
}
+// validateDynamicValueMapping validates a dynamic value entitlement mapping
+// is usable for an entitlement decision.
+//
+// mapping:
+//
+// - must not be nil
+// - must reference an attribute definition with a non-empty FQN
+// - the definition must not be HIERARCHY (ordered static values are incompatible)
+// - must have a value resolver with a selector and a specified operator
+// - must have at least one action
+func validateDynamicValueMapping(mapping *policy.DynamicValueMapping) error {
+ if mapping == nil {
+ return fmt.Errorf("dynamic value mapping is nil: %w", ErrInvalidDynamicValueMapping)
+ }
+ def := mapping.GetAttributeDefinition()
+ if def == nil || def.GetFqn() == "" {
+ return fmt.Errorf("mapping's attribute definition is missing: %w", ErrInvalidDynamicValueMapping)
+ }
+ if def.GetRule() == policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY {
+ return fmt.Errorf("HIERARCHY definitions are not supported for dynamic value entitlement: %w", ErrInvalidDynamicValueMapping)
+ }
+ resolver := mapping.GetValueResolver()
+ if resolver == nil || resolver.GetSubjectExternalSelectorValue() == "" {
+ return fmt.Errorf("mapping's value resolver selector is empty: %w", ErrInvalidDynamicValueMapping)
+ }
+ if resolver.GetOperator() == policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED {
+ return fmt.Errorf("mapping's value resolver operator is unspecified: %w", ErrInvalidDynamicValueMapping)
+ }
+ if len(mapping.GetActions()) == 0 {
+ return fmt.Errorf("mapping's actions are empty: %w", ErrInvalidDynamicValueMapping)
+ }
+ return nil
+}
+
// validateRegisteredResource validates the registered resource is valid for an entitlement decision
//
// registered resource:
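Review bot: The operator check in `validateDynamicValueMapping` rejects only `DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED`, so an operator number this build does not recognise passes validation. It is then refused only in the `default` branch of `evaluateValueResolver`, where the error aborts the whole evaluation rather than just the one mapping. Checking membership in the supported set here keeps a bad mapping out of the decision path, for example `if _, ok := policy.DynamicValueOperatorEnum_name[int32(resolver.GetOperator())]; !ok { return fmt.Errorf("mapping's value resolver operator is unsupported: %w", ErrInvalidDynamicValueMapping) }`. The selector test compares against `""` only, so a whitespace-only selector is also accepted. Whether request-level validation already trims it is not visible in this hunk.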
diff --git a/service/internal/subjectmappingbuiltin/dynamic_value_mapping_builtin.go b/service/internal/subjectmappingbuiltin/dynamic_value_mapping_builtin.go
new file mode 100644
index 0000000000..8c3b8eccc3
--- /dev/null
+++ b/service/internal/subjectmappingbuiltin/dynamic_value_mapping_builtin.go
@@ -0,0 +1,154 @@
+package subjectmappingbuiltin
+
+import (
+ "errors"
+ "fmt"
+ "log/slog"
+ "strings"
+
+ "github.com/opentdf/platform/lib/flattening"
+ "github.com/opentdf/platform/lib/identifier"
+ entityresolutionV2 "github.com/opentdf/platform/protocol/go/entityresolution/v2"
+ "github.com/opentdf/platform/protocol/go/policy"
+ "github.com/opentdf/platform/protocol/go/policy/attributes"
+)
+
+// DynamicValueMappingsByDefinitionFQN indexes dynamic mappings by their
+// parent attribute definition FQN for O(1) lookup during decisioning.
+type DynamicValueMappingsByDefinitionFQN map[string][]*policy.DynamicValueMapping
+
+// EvaluateDynamicValueMappingsWithActions resolves the dynamic, definition
+// level entitlement mappings for the resources under evaluation. For each decisionable
+// attribute value it finds the mappings on the value's parent definition, runs the
+// optional static SubjectConditionSet gate, then compares the requested resource value
+// segment against the entity representation via the mapping's resolver. On a match the
+// mapping's actions are entitled on that concrete value FQN.
+//
+// The output shape matches EvaluateSubjectMappingsWithActions so the PDP can merge the
+// two results uniformly before rule evaluation.
+func EvaluateDynamicValueMappingsWithActions(
+ mappingsByDefinitionFQN DynamicValueMappingsByDefinitionFQN,
+ decisionableAttributes map[string]*attributes.GetAttributeValuesByFqnsResponse_AttributeAndValue,
+ entityRepresentation *entityresolutionV2.EntityRepresentation,
+ l *slog.Logger,
+) (AttributeValueFQNsToActions, error) {
+ entitlementsSet := make(AttributeValueFQNsToActions)
+ if len(mappingsByDefinitionFQN) == 0 || entityRepresentation == nil {
+ return entitlementsSet, nil
+ }
+
+ for _, entity := range entityRepresentation.GetAdditionalProps() {
+ flattenedEntity, err := flattening.Flatten(entity.AsMap())
+ if err != nil {
+ return nil, fmt.Errorf("failure to flatten entity in definition value entitlement builtin: %w", err)
+ }
+
+ for valueFQN, attributeAndValue := range decisionableAttributes {
+ definitionFQN := attributeAndValue.GetAttribute().GetFqn()
+ mappings := mappingsByDefinitionFQN[definitionFQN]
+ if len(mappings) == 0 {
+ continue
+ }
+
+ segment, err := resourceValueSegment(valueFQN, attributeAndValue.GetValue())
+ if err != nil {
+ return nil, err
+ }
+
+ // mappings on the same definition are OR-ed together
+ for _, mapping := range mappings {
+ matched, err := evaluateDynamicValueMapping(mapping, flattenedEntity, segment)
+ if err != nil {
+ return nil, err
+ }
+ if !matched {
+ continue
+ }
+ if _, ok := entitlementsSet[valueFQN]; !ok {
+ entitlementsSet[valueFQN] = make([]*policy.Action, 0)
+ }
+ entitlementsSet[valueFQN] = append(
+ entitlementsSet[valueFQN],
+ dedupeSubjectMappingActions(mapping.GetActions(), l)...,
+ )
+ }
+ }
+ }
+
+ return entitlementsSet, nil
+}
+
+// evaluateDynamicValueMapping returns true when the optional static gate
+// passes (if present) AND the dynamic resolver matches the resource value segment.
+func evaluateDynamicValueMapping(
+ mapping *policy.DynamicValueMapping,
+ entity flattening.Flattened,
+ segment string,
+) (bool, error) {
+ // optional static pre-gate: all subject sets AND together with normal semantics
+ for _, subjectSet := range mapping.GetSubjectConditionSet().GetSubjectSets() {
+ ok, err := EvaluateSubjectSet(subjectSet, entity)
+ if err != nil {
+ return false, err
+ }
+ if !ok {
+ return false, nil
+ }
+ }
+
+ return evaluateValueResolver(mapping.GetValueResolver(), entity, segment)
+}
+
+// evaluateValueResolver compares the resource value segment against the entity values
+// resolved by the selector, applying the dynamic operator. Both sides are canonicalized
+// (lowercased + trimmed) so external systems that disagree with policy on case still match.
+func evaluateValueResolver(resolver *policy.DynamicValueResolver, entity flattening.Flattened, segment string) (bool, error) {
+ selector := resolver.GetSubjectExternalSelectorValue()
+ entityValues := flattening.GetFromFlattened(entity, selector)
+ target := canonicalizeValueSegment(segment)
+
+ switch resolver.GetOperator() {
+ case policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN:
+ for _, ev := range entityValues {
+ if ev == nil {
+ continue
+ }
+ if canonicalizeValueSegment(fmt.Sprintf("%v", ev)) == target {
+ return true, nil
+ }
+ }
+ return false, nil
+ case policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS:
+ for _, ev := range entityValues {
+ if ev == nil {
+ continue
+ }
+ if strings.Contains(canonicalizeValueSegment(fmt.Sprintf("%v", ev)), target) {
+ return true, nil
+ }
+ }
+ return false, nil
+ case policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED:
+ return false, errors.New("unspecified dynamic value operator")
+ default:
+ return false, fmt.Errorf("unsupported dynamic value operator: %s", resolver.GetOperator())
+ }
+}
+
+func canonicalizeValueSegment(s string) string {
+ return strings.ToLower(strings.TrimSpace(s))
+}
+
+// resourceValueSegment returns the concrete value segment for a resource value FQN,
+// preferring the value already parsed onto the policy.Value and falling back to parsing
+// the FQN.
+func resourceValueSegment(valueFQN string, value *policy.Value) (string, error) {
+ if v := value.GetValue(); v != "" {
+ return v, nil
+ }
+ parsed, err := identifier.Parse[*identifier.FullyQualifiedAttribute](valueFQN)
+ if err != nil {
+ return "", fmt.Errorf("parsing resource value FQN %q: %w", valueFQN, err)
+ }
+ return parsed.Value, nil
+}
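Review bot: `evaluateValueResolver` never rejects an empty `target` after `canonicalizeValueSegment(segment)`, and in the `RESOURCE_VALUE_IN_CONTAINS` branch `strings.Contains(x, "")` is true for every string. `resourceValueSegment` returns `value.GetValue()` whenever it is non-empty, so a whitespace-only value would canonicalize to `""` and entitle the mapping's actions for any entity with a non-nil value at the selector. Whether the value grammar is enforced before this point is not shown here. A guard placed right after `target` is computed fails closed: `if target == "" { return false, nil }`. The doc comment should also say that the substring operator matches a short segment inside a longer entity value (segment `mrn-1` against entity value `mrn-123`), so authors do not pick it for identifier-like attributes. `canonicalizeValueSegment` has no doc comment; something like `// canonicalizeValueSegment lowercases and trims s; it is applied to both the resource segment and each entity value before comparison.` would do.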
diff --git a/service/internal/subjectmappingbuiltin/dynamic_value_mapping_builtin_test.go b/service/internal/subjectmappingbuiltin/dynamic_value_mapping_builtin_test.go
new file mode 100644
index 0000000000..b178a4f2f3
--- /dev/null
+++ b/service/internal/subjectmappingbuiltin/dynamic_value_mapping_builtin_test.go
@@ -0,0 +1,179 @@
+package subjectmappingbuiltin
+
+import (
+ "log/slog"
+ "testing"
+
+ entityresolutionV2 "github.com/opentdf/platform/protocol/go/entityresolution/v2"
+ "github.com/opentdf/platform/protocol/go/policy"
+ "github.com/opentdf/platform/protocol/go/policy/attributes"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+ "google.golang.org/protobuf/types/known/structpb"
+)
+
+func dvemEntityRep(t *testing.T, props map[string]interface{}) *entityresolutionV2.EntityRepresentation {
+ t.Helper()
+ s, err := structpb.NewStruct(props)
+ require.NoError(t, err)
+ return &entityresolutionV2.EntityRepresentation{
+ OriginalId: "entity-1",
+ AdditionalProps: []*structpb.Struct{s},
+ }
+}
+
+func dvemActions(names ...string) []*policy.Action {
+ out := make([]*policy.Action, 0, len(names))
+ for _, n := range names {
+ out = append(out, &policy.Action{Name: n})
+ }
+ return out
+}
+
+func dvemActionNames(acts []*policy.Action) []string {
+ out := make([]string, 0, len(acts))
+ for _, a := range acts {
+ out = append(out, a.GetName())
+ }
+ return out
+}
+
+func dvemDecisionable(defFQN, valueFQN, segment string) map[string]*attributes.GetAttributeValuesByFqnsResponse_AttributeAndValue {
+ return map[string]*attributes.GetAttributeValuesByFqnsResponse_AttributeAndValue{
+ valueFQN: {
+ Value: &policy.Value{Fqn: valueFQN, Value: segment},
+ Attribute: &policy.Attribute{Fqn: defFQN},
+ },
+ }
+}
+
+func dvemMapping(defFQN, selector string, op policy.DynamicValueOperatorEnum, scs *policy.SubjectConditionSet, actionNames ...string) *policy.DynamicValueMapping {
+ return &policy.DynamicValueMapping{
+ AttributeDefinition: &policy.Attribute{Fqn: defFQN},
+ ValueResolver: &policy.DynamicValueResolver{
+ SubjectExternalSelectorValue: selector,
+ Operator: op,
+ },
+ SubjectConditionSet: scs,
+ Actions: dvemActions(actionNames...),
+ }
+}
+
+// TestEvaluateDynamicValueMappings_MRNExample replays the ADR#266 worked
+// example (patient / provider / nurse) against the production evaluator.
+func TestEvaluateDynamicValueMappings_MRNExample(t *testing.T) {
+ const def = "https://hospital.co/attr/mrn"
+ const valueFQN = "https://hospital.co/attr/mrn/value/mrn-123"
+
+ cases := []struct {
+ name string
+ selector string
+ props map[string]interface{}
+ acts []string
+ wantMatch bool
+ }{
+ {"patient", ".medicalRecordNumber", map[string]interface{}{"medicalRecordNumber": "mrn-123"}, []string{"read", "update_profile"}, true},
+ {"provider", ".patientAssignments[]", map[string]interface{}{"patientAssignments": []interface{}{"mrn-123", "mrn-789"}}, []string{"read", "write_order", "update_chart"}, true},
+ {"nurse", ".careTeamAssignments[]", map[string]interface{}{"careTeamAssignments": []interface{}{"mrn-123"}}, []string{"read", "update_chart"}, true},
+ {"unassigned", ".patientAssignments[]", map[string]interface{}{"patientAssignments": []interface{}{"mrn-456"}}, []string{"read"}, false},
+ }
+
+ for _, tc := range cases {
+ t.Run(tc.name, func(t *testing.T) {
+ mapping := dvemMapping(def, tc.selector, policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN, nil, tc.acts...)
+ byDef := DynamicValueMappingsByDefinitionFQN{def: {mapping}}
+
+ got, err := EvaluateDynamicValueMappingsWithActions(byDef, dvemDecisionable(def, valueFQN, "mrn-123"), dvemEntityRep(t, tc.props), slog.Default())
+ require.NoError(t, err)
+ if tc.wantMatch {
+ assert.ElementsMatch(t, tc.acts, dvemActionNames(got[valueFQN]))
+ } else {
+ assert.Empty(t, got[valueFQN])
+ }
+ })
+ }
+}
+
+// TestEvaluateDynamicValueMappings_Canonicalization covers the external
+// system case-mismatch concern: the IdP reports MRN-123, policy stores mrn-123.
+func TestEvaluateDynamicValueMappings_Canonicalization(t *testing.T) {
+ const def = "https://hospital.co/attr/mrn"
+ const valueFQN = "https://hospital.co/attr/mrn/value/mrn-123"
+ mapping := dvemMapping(def, ".medicalRecordNumber", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN, nil, "read")
+ byDef := DynamicValueMappingsByDefinitionFQN{def: {mapping}}
+
+ got, err := EvaluateDynamicValueMappingsWithActions(byDef, dvemDecisionable(def, valueFQN, "mrn-123"), dvemEntityRep(t, map[string]interface{}{"medicalRecordNumber": "MRN-123"}), slog.Default())
+ require.NoError(t, err)
+ assert.Equal(t, []string{"read"}, dvemActionNames(got[valueFQN]))
+}
+
+// TestEvaluateDynamicValueMappings_InContains covers the substring operator.
+func TestEvaluateDynamicValueMappings_InContains(t *testing.T) {
+ const def = "https://acme.co/attr/group"
+ const valueFQN = "https://acme.co/attr/group/value/team"
+ mapping := dvemMapping(def, ".groups[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS, nil, "read")
+ byDef := DynamicValueMappingsByDefinitionFQN{def: {mapping}}
+
+ got, err := EvaluateDynamicValueMappingsWithActions(byDef, dvemDecisionable(def, valueFQN, "team"), dvemEntityRep(t, map[string]interface{}{"groups": []interface{}{"prefix-team-suffix"}}), slog.Default())
+ require.NoError(t, err)
+ assert.Equal(t, []string{"read"}, dvemActionNames(got[valueFQN]))
+}
+
+// TestEvaluateDynamicValueMappings_StaticGate covers the optional static
+// SubjectConditionSet pre-gate combined with the dynamic resolver.
+func TestEvaluateDynamicValueMappings_StaticGate(t *testing.T) {
+ const def = "https://hospital.co/attr/mrn"
+ const valueFQN = "https://hospital.co/attr/mrn/value/mrn-123"
+
+ scs := &policy.SubjectConditionSet{
+ SubjectSets: []*policy.SubjectSet{{
+ ConditionGroups: []*policy.ConditionGroup{{
+ BooleanOperator: policy.ConditionBooleanTypeEnum_CONDITION_BOOLEAN_TYPE_ENUM_AND,
+ Conditions: []*policy.Condition{{
+ SubjectExternalSelectorValue: ".department",
+ Operator: policy.SubjectMappingOperatorEnum_SUBJECT_MAPPING_OPERATOR_ENUM_IN,
+ SubjectExternalValues: []string{"cardiology"},
+ }},
+ }},
+ }},
+ }
+ mapping := dvemMapping(def, ".patientAssignments[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN, scs, "read")
+ byDef := DynamicValueMappingsByDefinitionFQN{def: {mapping}}
+
+ // cardiology provider assigned to mrn-123 -> gate + resolver pass
+ got, err := EvaluateDynamicValueMappingsWithActions(byDef, dvemDecisionable(def, valueFQN, "mrn-123"), dvemEntityRep(t, map[string]interface{}{
+ "department": "cardiology",
+ "patientAssignments": []interface{}{"mrn-123"},
+ }), slog.Default())
+ require.NoError(t, err)
+ assert.Equal(t, []string{"read"}, dvemActionNames(got[valueFQN]))
+
+ // wrong department -> static gate fails -> no entitlement
+ got, err = EvaluateDynamicValueMappingsWithActions(byDef, dvemDecisionable(def, valueFQN, "mrn-123"), dvemEntityRep(t, map[string]interface{}{
+ "department": "oncology",
+ "patientAssignments": []interface{}{"mrn-123"},
+ }), slog.Default())
+ require.NoError(t, err)
+ assert.Empty(t, got[valueFQN])
+}
+
+// TestEvaluateDynamicValueMappings_CrossDefinitionNoLeak verifies a mapping
+// only applies to its own definition: the same value segment under a different definition
+// is not entitled.
+func TestEvaluateDynamicValueMappings_CrossDefinitionNoLeak(t *testing.T) {
+ const defA = "https://a.co/attr/x"
+ const defB = "https://b.co/attr/y"
+ mapping := dvemMapping(defA, ".assignments[]", policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN, nil, "read")
+ byDef := DynamicValueMappingsByDefinitionFQN{defA: {mapping}}
+ entity := dvemEntityRep(t, map[string]interface{}{"assignments": []interface{}{"shared-1"}})
+
+ // under definition A -> entitled
+ gotA, err := EvaluateDynamicValueMappingsWithActions(byDef, dvemDecisionable(defA, defA+"/value/shared-1", "shared-1"), entity, slog.Default())
+ require.NoError(t, err)
+ assert.Equal(t, []string{"read"}, dvemActionNames(gotA[defA+"/value/shared-1"]))
+
+ // same segment under definition B -> not entitled
+ gotB, err := EvaluateDynamicValueMappingsWithActions(byDef, dvemDecisionable(defB, defB+"/value/shared-1", "shared-1"), entity, slog.Default())
+ require.NoError(t, err)
+ assert.Empty(t, gotB[defB+"/value/shared-1"])
+}
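Review bot: These tests cover successful matches and the static-gate denial, but none of the evaluator's error or boundary paths, which are what decide whether an authorization check fails closed. Add a case asserting that a mapping with `DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED` returns an error, and one where the selector resolves to nothing and the result is `assert.Empty`. Add a negative `RESOURCE_VALUE_IN_CONTAINS` case too, so the intended behaviour for a segment that is only part of a different identifier is recorded rather than implied. `dvemEntityRep` always builds a single `AdditionalProps` entry, so the outer per-entity loop is never exercised with two entries. A test with two matching entries would show whether the actions appended to `entitlementsSet[valueFQN]` end up duplicated.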
diff --git a/service/logger/audit/constants.go b/service/logger/audit/constants.go
index 9a0bb2db1b..af6a06f9ba 100644
--- a/service/logger/audit/constants.go
+++ b/service/logger/audit/constants.go
@@ -32,6 +32,7 @@ const (
ObjectTypeKasAttributeDefinitionKeyAssignment
ObjectTypeKasAttributeValueKeyAssignment
ObjectTypeKasAttributeNamespaceKeyAssignment
+ ObjectTypeDynamicValueMapping
)
func (ot ObjectType) String() string {
@@ -61,6 +62,7 @@ func (ot ObjectType) String() string {
"kas_attribute_definition_key_assignment",
"kas_attribute_value_key_assignment",
"kas_attribute_namespace_key_assignment",
+ "dynamic_value_mapping",
}[ot]
}
diff --git a/service/policy/adr/0005-dynamic-attribute-value-entitlements-spike.md b/service/policy/adr/0005-dynamic-attribute-value-entitlements-spike.md
new file mode 100644
index 0000000000..eb5fdaece6
--- /dev/null
+++ b/service/policy/adr/0005-dynamic-attribute-value-entitlements-spike.md
@@ -0,0 +1,140 @@
+# Dynamic Attribute Value Entitlement
+
+Entitling highly dynamic, high-cardinality attribute values (medical record numbers, account IDs,
+email-like identifiers) is impractical today: each value must be duplicated as an `AttributeValue` and
+paired with its own `SubjectMapping` + `SubjectConditionSet`, then kept constantly in sync with an
+external system of record. The cross-repo ADR [virtru-corp/adr#266](https://github.com/virtru-corp/adr/pull/266)
+chose a definition-level dynamic entitlement model (its Option 3) but **explicitly deferred to an
+implementation spike** the question of *how* to model it. This document records what that spike
+([DSPX-2754](https://virtru.atlassian.net/browse/DSPX-2754)) found.
+
+The original spike prototyped all three options as a throwaway package to make them comparable on real
+behavior. The recommendation below (a new primitive carrying a new operator) is now implemented as
+production code: the `DynamicValueMapping` primitive
+([`service/policy/objects.proto`](../objects.proto)), its dedicated
+[`DynamicValueMappingService`](../dynamicvaluemapping), DB layer, and the decision-time evaluator
+([`service/internal/subjectmappingbuiltin/dynamic_value_mapping_builtin.go`](../../internal/subjectmappingbuiltin/dynamic_value_mapping_builtin.go))
+wired into the PDP. The findings below record why that shape was chosen over the alternatives.
+
+> [!NOTE]
+> The upstream ADR ([virtru-corp/adr#266](https://github.com/virtru-corp/adr/pull/266)) named this
+> primitive `DefinitionValueEntitlementMapping` but explicitly noted that primitive names are subject to
+> change during implementation. It is implemented here as `DynamicValueMapping`, which is shorter, omits
+> the redundant "Entitlement" (consistent with `SubjectMapping`/`ResourceMapping`), and avoids overloading
+> the authorization-runtime term "entitlement".
+
+## Context
+
+How should condition-set authority be moved up from the `AttributeValue` to the `AttributeDefinition`?
+Four shapes were on the table (from the ADR discussion threads): reuse Subject Mappings, add a new
+primitive, add a new attribute rule, or add a new operator.
+
+## Recommendation: a new primitive (`DynamicValueMapping`) carrying a new operator
+
+The spike recommends a **new first-class primitive** scoped to an `AttributeDefinition`, holding a
+`selector`, a **new dynamic operator**, and `actions`. The four "options" are not mutually exclusive: the
+new operator is the shared mechanic *every* shape needs, and the new primitive is the cleanest container
+for it. Reuse-of-subject-mappings and a new-attribute-rule were both prototyped and found to carry
+avoidable downsides (below).
+
+### Shared Mechanic: a new operator (required by every option)
+
+Existing condition evaluation compares an entity's selector result against a **static list authored into
+policy** (`policy.Condition.subject_external_values`; see
+[`subjectmappingbuiltin.EvaluateCondition`](../../internal/subjectmappingbuiltin/subject_mapping_builtin.go)).
+The dynamic case **inverts** the comparison: the right-hand operand is the **resource's value segment**
+(e.g. `mrn-123`, parsed from `…/value/mrn-123`), known only at decision time, tested for membership in the
+entity's selector-resolved set (e.g. `.patientAssignments` → `["mrn-123","mrn-789"]`).
+
+This inversion cannot be expressed by the current operators, so a new operator is unavoidable regardless
+of container. The spike implements `RESOURCE_VALUE_IN` (and `RESOURCE_VALUE_IN_CONTAINS`) as the inversion
+of `IN` / `IN_CONTAINS`. Per @jrschumacher's feedback on the ADR, the operator name should make the
+direction explicit, so `RESOURCE_VALUE_IN` reads as "the resource value is in the selector result".
+
+This single function (`evaluateDynamicMatch` in `core.go`) backs all three prototyped shapes. The
+`TestMRNExampleAcrossAllShapes` test replays the ADR's worked example against all three and confirms they
+decide identically. The shapes therefore differ only in schema, admin UX, and enforcement, not behavior.
+
+## Options
+
+| Dimension | A. Reuse Subject Mappings | B. New Primitive (recommended) | C. New Attribute Rule |
+| --- | --- | --- | --- |
+| Expresses "dynamic" in schema | ✗ must overload `subject_external_values` with a sentinel | ✓ typed fields, intent explicit | ◑ rule value implies it |
+| Operator field honesty | ✗ static `SubjectMappingOperatorEnum` reused for dynamic meaning | ✓ typed to dynamic operators only | ✓ |
+| Combination rule (ANY_OF/ALL_OF) still available | ✓ orthogonal | ✓ orthogonal | ✗ rule slot consumed (see below) |
+| Reuses existing evaluator code | ✓ partial (static leaves) | ✗ (new, small) | ✗ |
+| Mixed static + dynamic conditions | ✓ supported | ✗ would need a companion subject mapping | ✗ |
+| Admin/UX clarity | ✗ "why is this subject mapping on a definition?" | ✓ distinct object, distinct mental model | ◑ overloads "rule" concept |
+| Migration drift from today | low (same tables) | medium (new table/proto) | medium |
+
+### A. Reuse Subject Mappings (Prototyped, Not Recommended)
+
+The existing `SubjectConditionSet` was re-scoped from an `AttributeValue` to an `AttributeDefinition`
+(`DefinitionScopedSubjectMapping`). It reuses the AND/OR condition-group plumbing and the static leaf
+evaluator, and it uniquely supports **mixed static + dynamic conditions** (e.g. "department is cardiology
+AND the resource MRN is in your assignments"; see `TestReuseStaticAndDynamicConditions`).
+
+But the `SubjectConditionSet` schema has no way to mark a condition as dynamic, so the prototype overloads
+`subject_external_values` with a `${resource.value}` sentinel. This is fragile: it is invisible to existing
+tooling, easy to mistype, and reuses a field that everywhere else holds a static list. It also forces a
+near-duplicate of the group-walk, because the production walk is hard-wired to the static leaf evaluator.
+Reuse keeps table and migration drift low but reduces clarity. This answers @strantalis's and @biscoe916's
+"why not just extend subject mappings?": it can be done, but the result reads less clearly than a
+purpose-built object.
+
+### C. New Attribute Rule (Prototyped, Not Recommended)
+
+Modeling dynamic as a new `AttributeRuleTypeEnum` value (`RuleDynamic`) conflates two separate ideas. The
+rule slot already encodes how *multiple values on one definition combine* (`ANY_OF` / `ALL_OF` /
+`HIERARCHY`). Using that slot to describe how values are *entitled* means a dynamic definition can no
+longer state its combination semantics. In the prototype, `RuleDynamic` defaults to `ANY_OF`, which hides
+that choice from the author. How values are entitled and how they combine are separate concerns and should
+not share one field.
+
+## Edge Cases (all exercised by tests)
+
+- **Character Set / FQN Ambiguity** (@jentfoo): value segments must never contain FQN-structural or
+ encoding characters (`/`, `.`, `%`, NUL) or non-ASCII. The spike enforces this floor
+ (`validateValueSegment`) independently of any future loosening of the value grammar. As a consequence, the
+ **current** value grammar (`lib/identifier`, strictly `[a-zA-Z0-9_-]`) already cannot represent
+ email-like identifiers (`user@acme.co` fails to parse). If the owner/email use case is in scope, the
+ value grammar must be deliberately widened, but only to a set that excludes the ambiguous characters
+ above.
+- **Canonicalization** (@biscoe916): external systems disagree with policy on case and whitespace. Without a
+ normalization step, `MRN-123` from the IdP fails to match `mrn-123` in the FQN. The spike applies a
+ pluggable `Canonicalizer` (default: lowercase + trim) to both sides. `TestCanonicalization` shows the
+ match succeed with it and fail without it. A real implementation must decide where canonicalization is
+ authoritative and whether it is configurable per definition.
+- **Cross-Definition / Namespace Collisions** (@jakedoublev): because entitlement is keyed to the value's
+ *parent definition FQN*, the same pass-through segment under a different definition is **not** granted
+ (`TestCrossDefinitionNoLeak`). This is the key advantage of entitling concrete value FQNs over entitling
+ bare pass-through values.
+- **Multi-Value Resources** (ADR decision-flow step 6): a single resource carrying several values under
+ one definition evaluates the definition rule normally. `TestDecideMultiValue` covers `ANY_OF` (one match
+ suffices) and `ALL_OF` (every value must match).
+- **API Enforcement**: a definition must not carry both a value-level static subject mapping and a dynamic
+ mapping (`ValidateNoCoexistence`), and `HIERARCHY` definitions are rejected for dynamic entitlement since
+ they require statically ordered values (`ValidateRule`).
+- **Direct-Entitlements Overlap / Migration** (@biscoe916 Q1): a direct entitlement is effectively a
+ `(value FQN, actions)` pair sourced from ERS at decision time. `TestDirectEntitlementOverlap` shows the
+ dynamic mapping reproduces the identical grant from a single policy artifact, supporting the
+ "cover the common case in policy, keep direct entitlements/EPOP for true remote entitlement" path.
+
+## Open Questions
+
+1. **Selector Syntax**: the existing flattener addresses array elements as `.patientAssignments[]`, not
+ the `.patientAssignments` shown in the ADR. The selector grammar surfaced to admins should be specified
+ and documented.
+2. **ERS Trust** (@jentfoo, @jrschumacher): like all entitlement, this trusts the ERS response. The
+ dynamic model does not worsen that posture but also does not improve it. Provenance/MITM mitigations
+ remain future work.
+3. **Persistence**: where the new primitive's selector values live for any match-acceleration analogous to
+ the cached `subject_condition_set.selector_values` column.
+4. **Canonicalization Authority**: per-definition configuration vs a single global normalization.
+5. **Value Grammar**: whether/how far to widen the allowed value character set for the email/owner use case.
+
+## Out Of Scope
+
+The broader options (do nothing, productize direct entitlements, plugin PDP) were already decided in
+[virtru-corp/adr#266](https://github.com/virtru-corp/adr/pull/266). This spike only covers how to model the
+chosen definition-level approach.
diff --git a/service/policy/db/actions.sql.go b/service/policy/db/actions.sql.go
index e3648ce58b..2af93bba93 100644
--- a/service/policy/db/actions.sql.go
+++ b/service/policy/db/actions.sql.go
@@ -1,6 +1,6 @@
// Code generated by sqlc. DO NOT EDIT.
// versions:
-// sqlc v1.31.0
+// sqlc v1.30.0
// source: actions.sql
package db
diff --git a/service/policy/db/attribute_fqn.sql.go b/service/policy/db/attribute_fqn.sql.go
index 6765e8ef51..ad4ed6b043 100644
--- a/service/policy/db/attribute_fqn.sql.go
+++ b/service/policy/db/attribute_fqn.sql.go
@@ -1,6 +1,6 @@
// Code generated by sqlc. DO NOT EDIT.
// versions:
-// sqlc v1.31.0
+// sqlc v1.30.0
// source: attribute_fqn.sql
package db
diff --git a/service/policy/db/attribute_values.sql.go b/service/policy/db/attribute_values.sql.go
index 1611d803a1..792d6b213e 100644
--- a/service/policy/db/attribute_values.sql.go
+++ b/service/policy/db/attribute_values.sql.go
@@ -1,6 +1,6 @@
// Code generated by sqlc. DO NOT EDIT.
// versions:
-// sqlc v1.31.0
+// sqlc v1.30.0
// source: attribute_values.sql
package db
diff --git a/service/policy/db/attributes.go b/service/policy/db/attributes.go
index 3fb9c47e57..acfd648534 100644
--- a/service/policy/db/attributes.go
+++ b/service/policy/db/attributes.go
@@ -461,6 +461,20 @@ func (c PolicyDBClient) UnsafeUpdateAttribute(ctx context.Context, r *unsafe.Uns
}
}
+ // Guard the reverse of validateDynamicValueMappingAttribute: a definition
+ // with a dynamic value entitlement mapping cannot be changed to HIERARCHY, which requires
+ // statically ordered values incompatible with pass-through dynamic values (DSPX-2754).
+ if rule == policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY && before.GetRule() != policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY {
+ dynamicCount, err := c.queries.countDynamicValueMappingsByDefinitionID(ctx, id)
+ if err != nil {
+ return nil, db.WrapIfKnownInvalidQueryErr(err)
+ }
+ if dynamicCount > 0 {
+ return nil, errors.Join(db.ErrRestrictViolation,
+ fmt.Errorf("attribute definition [%s] has a definition value entitlement mapping; its rule cannot be changed to HIERARCHY", id))
+ }
+ }
+
// Handle case where rule is not actually being updated
ruleString := ""
if rule != policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED {
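Review bot: The new guard reads `countDynamicValueMappingsByDefinitionID` and then lets the rule update proceed as a separate step. Unless `UnsafeUpdateAttribute` runs in a transaction that also serialises against `CreateDynamicValueMapping`, a mapping created between the count and the update leaves a HIERARCHY definition with a dynamic mapping. The function body starts and ends outside this hunk, so the transaction scope cannot be confirmed from here. If it is not already covered, run both steps in one transaction with a row lock on the definition, or enforce the invariant in the database, and state the assumption in the comment, e.g. `// NOTE: must run in the same transaction as the rule update below`. The error text says "definition value entitlement mapping" while the primitive and the audit object type are named dynamic value mapping; using one term makes the rejection easier to search for in logs.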
diff --git a/service/policy/db/attributes.sql.go b/service/policy/db/attributes.sql.go
index a7a235a25f..f134a84562 100644
--- a/service/policy/db/attributes.sql.go
+++ b/service/policy/db/attributes.sql.go
@@ -1,6 +1,6 @@
// Code generated by sqlc. DO NOT EDIT.
// versions:
-// sqlc v1.31.0
+// sqlc v1.30.0
// source: attributes.sql
package db
diff --git a/service/policy/db/copyfrom.go b/service/policy/db/copyfrom.go
index e89a426d77..07ec0ceaf7 100644
--- a/service/policy/db/copyfrom.go
+++ b/service/policy/db/copyfrom.go
@@ -1,6 +1,6 @@
// Code generated by sqlc. DO NOT EDIT.
// versions:
-// sqlc v1.31.0
+// sqlc v1.30.0
// source: copyfrom.go
package db
diff --git a/service/policy/db/db.go b/service/policy/db/db.go
index d24a61d024..95f1a604c9 100644
--- a/service/policy/db/db.go
+++ b/service/policy/db/db.go
@@ -1,6 +1,6 @@
// Code generated by sqlc. DO NOT EDIT.
// versions:
-// sqlc v1.31.0
+// sqlc v1.30.0
package db
diff --git a/service/policy/db/dynamic_value_mappings.go b/service/policy/db/dynamic_value_mappings.go
new file mode 100644
index 0000000000..b083b3ac47
--- /dev/null
+++ b/service/policy/db/dynamic_value_mappings.go
@@ -0,0 +1,397 @@
+package db
+
+import (
+ "context"
+ "encoding/json"
+ "errors"
+ "fmt"
+
+ "github.com/jackc/pgx/v5/pgtype"
+ "github.com/opentdf/platform/protocol/go/common"
+ "github.com/opentdf/platform/protocol/go/policy"
+ "github.com/opentdf/platform/protocol/go/policy/attributes"
+ "github.com/opentdf/platform/protocol/go/policy/dynamicvaluemapping"
+ "github.com/opentdf/platform/service/pkg/db"
+)
+
+type dynamicValueMappingRow struct {
+ id string
+ attributeDefinitionID string
+ subjectExternalSelectorValue string
+ operator int16
+ subjectConditionSetID pgtype.UUID
+ actions interface{}
+ metadata []byte
+ namespace interface{}
+}
+
+func (c PolicyDBClient) CreateDynamicValueMapping(ctx context.Context, r *dynamicvaluemapping.CreateDynamicValueMappingRequest) (*policy.DynamicValueMapping, error) {
+ resolver := r.GetValueResolver()
+ if resolver.GetOperator() == policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED {
+ return nil, errors.Join(db.ErrEnumValueInvalid, errors.New("value_resolver.operator must be specified"))
+ }
+
+ attr, err := c.resolveDynamicValueMappingAttribute(ctx, r.GetAttributeDefinitionId(), r.GetAttributeDefinitionFqn())
+ if err != nil {
+ return nil, err
+ }
+ if err := validateDynamicValueMappingAttribute(attr); err != nil {
+ return nil, err
+ }
+
+ // Enforce no-coexistence: a definition cannot have both value-level subject mappings
+ // and a dynamic value entitlement mapping (DSPX-2754 / ADR 0005).
+ if err := c.ensureNoValueSubjectMappingCoexistence(ctx, attr.GetId()); err != nil {
+ return nil, err
+ }
+
+ resolvedNamespaceID, err := c.resolveNamespace(ctx, r.GetNamespaceId(), r.GetNamespaceFqn())
+ if err != nil {
+ return nil, err
+ }
+ parsedNamespaceID := pgtypeUUID(resolvedNamespaceID)
+
+ actionIDs, err := c.resolveSubjectMappingActions(ctx, r.GetActions(), parsedNamespaceID)
+ if err != nil {
+ return nil, err
+ }
+
+ scs, err := c.resolveDynamicValueMappingSubjectConditionSet(ctx, r, resolvedNamespaceID)
+ if err != nil {
+ return nil, err
+ }
+
+ if err := c.validateDynamicValueMappingNamespaceConsistency(ctx, resolvedNamespaceID, attr, actionIDs, scs); err != nil {
+ return nil, err
+ }
+
+ metadataJSON, _, err := db.MarshalCreateMetadata(r.GetMetadata())
+ if err != nil {
+ return nil, db.WrapIfKnownInvalidQueryErr(err)
+ }
+
+ createdID, err := c.queries.createDynamicValueMapping(ctx, createDynamicValueMappingParams{
+ AttributeDefinitionID: attr.GetId(),
+ SubjectExternalSelectorValue: resolver.GetSubjectExternalSelectorValue(),
+ Operator: int16(resolver.GetOperator()),
+ Metadata: metadataJSON,
+ SubjectConditionSetID: pgtypeUUID(scs.GetId()),
+ NamespaceID: parsedNamespaceID,
+ ActionIds: actionIDs,
+ })
+ if err != nil {
+ return nil, db.WrapIfKnownInvalidQueryErr(err)
+ }
+
+ return c.GetDynamicValueMapping(ctx, createdID)
+}
+
+func (c PolicyDBClient) GetDynamicValueMapping(ctx context.Context, id string) (*policy.DynamicValueMapping, error) {
+ row, err := c.queries.getDynamicValueMapping(ctx, id)
+ if err != nil {
+ return nil, db.WrapIfKnownInvalidQueryErr(err)
+ }
+ if row.ID == "" {
+ return nil, db.ErrNotFound
+ }
+
+ return c.hydrateDynamicValueMapping(ctx, dynamicValueMappingRow{
+ id: row.ID,
+ attributeDefinitionID: row.AttributeDefinitionID,
+ subjectExternalSelectorValue: row.SubjectExternalSelectorValue,
+ operator: row.Operator,
+ subjectConditionSetID: row.SubjectConditionSetID,
+ actions: row.Actions,
+ metadata: row.Metadata,
+ namespace: row.Namespace,
+ })
+}
+
+func (c PolicyDBClient) ListDynamicValueMappings(ctx context.Context, r *dynamicvaluemapping.ListDynamicValueMappingsRequest) (*dynamicvaluemapping.ListDynamicValueMappingsResponse, error) {
+ limit, offset := c.getRequestedLimitOffset(r.GetPagination())
+
+ maxLimit := c.listCfg.limitMax
+ if maxLimit > 0 && limit > maxLimit {
+ return nil, db.ErrListLimitTooLarge
+ }
+
+ sortField, sortDirection := GetDynamicValueMappingsSortParams(r.GetSort())
+
+ rows, err := c.queries.listDynamicValueMappings(ctx, listDynamicValueMappingsParams{
+ NamespaceID: pgtypeUUID(r.GetNamespaceId()),
+ AttributeDefinitionID: pgtypeUUID(r.GetAttributeDefinitionId()),
+ Limit: limit,
+ Offset: offset,
+ SortField: sortField,
+ SortDirection: sortDirection,
+ })
+ if err != nil {
+ return nil, db.WrapIfKnownInvalidQueryErr(err)
+ }
+
+ mappings := make([]*policy.DynamicValueMapping, len(rows))
+ for i, row := range rows {
+ mapping, err := c.hydrateDynamicValueMapping(ctx, dynamicValueMappingRow{
+ id: row.ID,
+ attributeDefinitionID: row.AttributeDefinitionID,
+ subjectExternalSelectorValue: row.SubjectExternalSelectorValue,
+ operator: row.Operator,
+ subjectConditionSetID: row.SubjectConditionSetID,
+ actions: row.Actions,
+ metadata: row.Metadata,
+ namespace: row.Namespace,
+ })
+ if err != nil {
+ return nil, err
+ }
+ mappings[i] = mapping
+ }
+
+ var (
+ total int32
+ nextOffset int32
+ )
+ if len(rows) > 0 {
+ total = int32(rows[0].Total)
+ nextOffset = getNextOffset(offset, limit, total)
+ }
+
+ return &dynamicvaluemapping.ListDynamicValueMappingsResponse{
+ DynamicValueMappings: mappings,
+ Pagination: &policy.PageResponse{
+ CurrentOffset: offset,
+ Total: total,
+ NextOffset: nextOffset,
+ },
+ }, nil
+}
+
+func (c PolicyDBClient) UpdateDynamicValueMapping(ctx context.Context, r *dynamicvaluemapping.UpdateDynamicValueMappingRequest) (*policy.DynamicValueMapping, error) {
+ id := r.GetId()
+ before, err := c.GetDynamicValueMapping(ctx, id)
+ if err != nil {
+ return nil, db.WrapIfKnownInvalidQueryErr(err)
+ }
+
+ metadataJSON, _, err := db.MarshalUpdateMetadata(r.GetMetadata(), r.GetMetadataUpdateBehavior(), func() (*common.Metadata, error) {
+ return before.GetMetadata(), nil
+ })
+ if err != nil {
+ return nil, err
+ }
+
+ updateParams := updateDynamicValueMappingParams{
+ ID: id,
+ Metadata: metadataJSON,
+ SubjectConditionSetID: pgtypeUUID(r.GetSubjectConditionSetId()),
+ }
+
+ if resolver := r.GetValueResolver(); resolver != nil {
+ if resolver.GetOperator() == policy.DynamicValueOperatorEnum_DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED {
+ return nil, errors.Join(db.ErrEnumValueInvalid, errors.New("value_resolver.operator must be specified"))
+ }
+ updateParams.SubjectExternalSelectorValue = pgtypeText(resolver.GetSubjectExternalSelectorValue())
+ updateParams.Operator = pgtype.Int2{Int16: int16(resolver.GetOperator()), Valid: true}
+ }
+
+ targetNamespaceID := before.GetNamespace().GetId()
+ if actions := r.GetActions(); actions != nil {
+ actionIDs, err := c.resolveSubjectMappingActions(ctx, actions, pgtypeUUID(targetNamespaceID))
+ if err != nil {
+ return nil, err
+ }
+ updateParams.ActionIds = actionIDs
+ }
+
+ count, err := c.queries.updateDynamicValueMapping(ctx, updateParams)
+ if err != nil {
+ return nil, db.WrapIfKnownInvalidQueryErr(err)
+ }
+ if count == 0 {
+ return nil, db.ErrNotFound
+ }
+
+ return c.GetDynamicValueMapping(ctx, id)
+}
+
+func (c PolicyDBClient) DeleteDynamicValueMapping(ctx context.Context, id string) (*policy.DynamicValueMapping, error) {
+ count, err := c.queries.deleteDynamicValueMapping(ctx, id)
+ if err != nil {
+ return nil, db.WrapIfKnownInvalidQueryErr(err)
+ }
+ if count == 0 {
+ return nil, db.ErrNotFound
+ }
+
+ return &policy.DynamicValueMapping{Id: id}, nil
+}
+
+func (c PolicyDBClient) hydrateDynamicValueMapping(ctx context.Context, row dynamicValueMappingRow) (*policy.DynamicValueMapping, error) {
+ metadata := &common.Metadata{}
+ if err := unmarshalMetadata(row.metadata, metadata); err != nil {
+ return nil, err
+ }
+
+ actionsBytes, err := json.Marshal(row.actions)
+ if err != nil {
+ return nil, fmt.Errorf("failed to marshal dynamic value mapping actions from interface{}: %w", err)
+ }
+ actions := []*policy.Action{}
+ if err := unmarshalActionsProto(actionsBytes, &actions); err != nil {
+ return nil, err
+ }
+
+ attr, err := c.GetAttribute(ctx, row.attributeDefinitionID)
+ if err != nil {
+ return nil, err
+ }
+
+ namespace, err := hydrateNamespaceFromInterface(row.namespace)
+ if err != nil {
+ return nil, err
+ }
+
+ mapping := &policy.DynamicValueMapping{
+ Id: row.id,
+ AttributeDefinition: attr,
+ ValueResolver: &policy.DynamicValueResolver{
+ SubjectExternalSelectorValue: row.subjectExternalSelectorValue,
+ Operator: policy.DynamicValueOperatorEnum(row.operator),
+ },
+ Actions: actions,
+ Namespace: namespace,
+ Metadata: metadata,
+ }
+
+ // Optional static pre-gate.
+ if row.subjectConditionSetID.Valid {
+ scs, err := c.GetSubjectConditionSet(ctx, UUIDToString(row.subjectConditionSetID))
+ if err != nil {
+ return nil, err
+ }
+ mapping.SubjectConditionSet = scs
+ }
+
+ return mapping, nil
+}
+
+func (c PolicyDBClient) resolveDynamicValueMappingAttribute(ctx context.Context, id, fqn string) (*policy.Attribute, error) {
+ switch {
+ case id != "":
+ return c.GetAttribute(ctx, id)
+ case fqn != "":
+ return c.GetAttribute(ctx, &attributes.GetAttributeRequest_Fqn{Fqn: fqn})
+ default:
+ return nil, db.WrapIfKnownInvalidQueryErr(
+ errors.Join(db.ErrMissingValue, errors.New("either an attribute definition ID or FQN is required")),
+ )
+ }
+}
+
+func validateDynamicValueMappingAttribute(attr *policy.Attribute) error {
+ switch attr.GetRule() {
+ case policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF,
+ policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF:
+ return nil
+ case policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY:
+ return errors.Join(db.ErrEnumValueInvalid, errors.New("dynamic value mappings do not support HIERARCHY attributes"))
+ case policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED:
+ fallthrough
+ default:
+ return errors.Join(db.ErrEnumValueInvalid, errors.New("dynamic value mappings require ALL_OF or ANY_OF attributes"))
+ }
+}
+
+// ensureNoValueSubjectMappingCoexistence rejects creation of a dynamic mapping when the
+// definition's values already carry value-level subject mappings.
+func (c PolicyDBClient) ensureNoValueSubjectMappingCoexistence(ctx context.Context, definitionID string) error {
+ count, err := c.queries.countValueSubjectMappingsByDefinitionID(ctx, definitionID)
+ if err != nil {
+ return db.WrapIfKnownInvalidQueryErr(err)
+ }
+ if count > 0 {
+ return errors.Join(db.ErrRestrictViolation,
+ fmt.Errorf("attribute definition [%s] already has value-level subject mappings; it cannot also have a dynamic value mapping", definitionID))
+ }
+ return nil
+}
+
+// ensureNoDynamicValueMappingCoexistence rejects creation of a value-level
+// subject mapping when the value's parent definition already has a dynamic value
+// entitlement mapping.
+func (c PolicyDBClient) ensureNoDynamicValueMappingCoexistence(ctx context.Context, attributeValueID string) error {
+ if attributeValueID == "" {
+ return nil
+ }
+ definitionID, err := c.queries.getAttributeDefinitionIDByValueID(ctx, attributeValueID)
+ if err != nil {
+ return db.WrapIfKnownInvalidQueryErr(err)
+ }
+ count, err := c.queries.countDynamicValueMappingsByDefinitionID(ctx, definitionID)
+ if err != nil {
+ return db.WrapIfKnownInvalidQueryErr(err)
+ }
+ if count > 0 {
+ return errors.Join(db.ErrRestrictViolation,
+ fmt.Errorf("attribute definition [%s] has a dynamic value mapping; it cannot also have value-level subject mappings", definitionID))
+ }
+ return nil
+}
+
+func (c PolicyDBClient) resolveDynamicValueMappingSubjectConditionSet(
+ ctx context.Context,
+ r *dynamicvaluemapping.CreateDynamicValueMappingRequest,
+ namespaceID string,
+) (*policy.SubjectConditionSet, error) {
+ switch {
+ case r.GetExistingSubjectConditionSetId() != "":
+ scs, err := c.GetSubjectConditionSet(ctx, r.GetExistingSubjectConditionSetId())
+ if err != nil {
+ return nil, db.WrapIfKnownInvalidQueryErr(err)
+ }
+ return scs, nil
+ case r.GetNewSubjectConditionSet() != nil:
+ scs, err := c.CreateSubjectConditionSet(ctx, r.GetNewSubjectConditionSet(), namespaceID, "")
+ if err != nil {
+ return nil, db.WrapIfKnownInvalidQueryErr(err)
+ }
+ return scs, nil
+ default:
+ // The static pre-gate is optional; no SubjectConditionSet is a valid state.
+ return nil, nil //nolint:nilnil // optional pre-gate: nil SCS with nil error is intentional
+ }
+}
+
+func (c PolicyDBClient) validateDynamicValueMappingNamespaceConsistency(
+ ctx context.Context,
+ targetNsID string,
+ attr *policy.Attribute,
+ actionIDs []string,
+ scs *policy.SubjectConditionSet,
+) error {
+ if targetNsID != "" && attr.GetNamespace().GetId() != targetNsID {
+ return errors.Join(db.ErrNamespaceMismatch,
+ fmt.Errorf("attribute definition namespace [%s] does not match the specified dynamic value mapping namespace [%s]", attr.GetNamespace().GetId(), targetNsID))
+ }
+
+ if len(actionIDs) > 0 {
+ actionRows, err := c.queries.getActionsByIDs(ctx, actionIDs)
+ if err != nil {
+ return db.WrapIfKnownInvalidQueryErr(err)
+ }
+ for _, a := range actionRows {
+ actionNsID := UUIDToString(a.NamespaceID)
+ if actionNsID != targetNsID {
+ return errors.Join(db.ErrNamespaceMismatch,
+ fmt.Errorf("action [%s] namespace [%s] does not match the specified dynamic value mapping namespace [%s]", a.ID, actionNsID, targetNsID))
+ }
+ }
+ }
+
+ if scs != nil && scs.GetNamespace().GetId() != targetNsID {
+ return errors.Join(db.ErrNamespaceMismatch,
+ fmt.Errorf("subject condition set [%s] namespace [%s] does not match the specified dynamic value mapping namespace [%s]", scs.GetId(), scs.GetNamespace().GetId(), targetNsID))
+ }
+
+ return nil
+}
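Review bot: UpdateDynamicValueMapping copies `r.GetSubjectConditionSetId()` straight into `updateParams.SubjectConditionSetID` without loading the condition set or comparing its namespace with the mapping's. CreateDynamicValueMapping, by contrast, runs validateDynamicValueMappingNamespaceConsistency on the same kind of input. As written, an update can re-point a mapping's static pre-gate at a SubjectConditionSet owned by a different namespace, so anyone able to edit that set would influence entitlements decided under this definition. The action IDs resolved in the update path also skip the `getActionsByIDs` namespace comparison, unless resolveSubjectMappingActions (not shown in this hunk) already enforces it. I would load the set when an ID is supplied and re-run the create-path check before issuing the UPDATE, as sketched below.

```go
	targetNamespaceID := before.GetNamespace().GetId()
	// … unchanged: action resolution into updateParams.ActionIds …

	// Re-apply the create-path namespace check to whatever this update re-points,
	// so a mapping cannot be gated by a condition set or action from another namespace.
	var scs *policy.SubjectConditionSet
	if scsID := r.GetSubjectConditionSetId(); scsID != "" {
		scs, err = c.GetSubjectConditionSet(ctx, scsID)
		if err != nil {
			return nil, db.WrapIfKnownInvalidQueryErr(err)
		}
	}
	if err := c.validateDynamicValueMappingNamespaceConsistency(ctx, targetNamespaceID, before.GetAttributeDefinition(), updateParams.ActionIds, scs); err != nil {
		return nil, err
	}

	count, err := c.queries.updateDynamicValueMapping(ctx, updateParams)
```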
diff --git a/service/policy/db/dynamic_value_mappings.sql.go b/service/policy/db/dynamic_value_mappings.sql.go
new file mode 100644
index 0000000000..f95277e25a
--- /dev/null
+++ b/service/policy/db/dynamic_value_mappings.sql.go
@@ -0,0 +1,606 @@
+// Code generated by sqlc. DO NOT EDIT.
+// versions:
+// sqlc v1.30.0
+// source: dynamic_value_mappings.sql
+
+package db
+
+import (
+ "context"
+
+ "github.com/jackc/pgx/v5/pgtype"
+)
+
+const countDynamicValueMappingsByDefinitionID = `-- name: countDynamicValueMappingsByDefinitionID :one
+SELECT COUNT(id)
+FROM dynamic_value_mappings
+WHERE attribute_definition_id = $1
+`
+
+// Counts dynamic value entitlement mappings on the given definition. Used to enforce
+// no-coexistence from the subject-mapping create path.
+//
+// SELECT COUNT(id)
+// FROM dynamic_value_mappings
+// WHERE attribute_definition_id = $1
+func (q *Queries) countDynamicValueMappingsByDefinitionID(ctx context.Context, attributeDefinitionID string) (int64, error) {
+ row := q.db.QueryRow(ctx, countDynamicValueMappingsByDefinitionID, attributeDefinitionID)
+ var count int64
+ err := row.Scan(&count)
+ return count, err
+}
+
+const countValueSubjectMappingsByDefinitionID = `-- name: countValueSubjectMappingsByDefinitionID :one
+SELECT COUNT(sm.id)
+FROM subject_mappings sm
+JOIN attribute_values av ON sm.attribute_value_id = av.id
+WHERE av.attribute_definition_id = $1
+`
+
+// Counts value-level subject mappings whose attribute value belongs to the given
+// definition. Used to enforce no-coexistence with dynamic value entitlement mappings.
+//
+// SELECT COUNT(sm.id)
+// FROM subject_mappings sm
+// JOIN attribute_values av ON sm.attribute_value_id = av.id
+// WHERE av.attribute_definition_id = $1
+func (q *Queries) countValueSubjectMappingsByDefinitionID(ctx context.Context, attributeDefinitionID string) (int64, error) {
+ row := q.db.QueryRow(ctx, countValueSubjectMappingsByDefinitionID, attributeDefinitionID)
+ var count int64
+ err := row.Scan(&count)
+ return count, err
+}
+
+const createDynamicValueMapping = `-- name: createDynamicValueMapping :one
+WITH inserted_mapping AS (
+ INSERT INTO dynamic_value_mappings (
+ attribute_definition_id,
+ subject_external_selector_value,
+ operator,
+ metadata,
+ subject_condition_set_id,
+ namespace_id
+ )
+ VALUES (
+ $1,
+ $2,
+ $3,
+ $4,
+ $5::uuid,
+ $6::uuid
+ )
+ RETURNING id
+),
+inserted_actions AS (
+ INSERT INTO dynamic_value_mapping_actions (dynamic_value_mapping_id, action_id)
+ SELECT
+ (SELECT id FROM inserted_mapping),
+ unnest($7::uuid[])
+)
+SELECT id FROM inserted_mapping
+`
+
+type createDynamicValueMappingParams struct {
+ AttributeDefinitionID string `json:"attribute_definition_id"`
+ SubjectExternalSelectorValue string `json:"subject_external_selector_value"`
+ Operator int16 `json:"operator"`
+ Metadata []byte `json:"metadata"`
+ SubjectConditionSetID pgtype.UUID `json:"subject_condition_set_id"`
+ NamespaceID pgtype.UUID `json:"namespace_id"`
+ ActionIds []string `json:"action_ids"`
+}
+
+// createDynamicValueMapping
+//
+// WITH inserted_mapping AS (
+// INSERT INTO dynamic_value_mappings (
+// attribute_definition_id,
+// subject_external_selector_value,
+// operator,
+// metadata,
+// subject_condition_set_id,
+// namespace_id
+// )
+// VALUES (
+// $1,
+// $2,
+// $3,
+// $4,
+// $5::uuid,
+// $6::uuid
+// )
+// RETURNING id
+// ),
+// inserted_actions AS (
+// INSERT INTO dynamic_value_mapping_actions (dynamic_value_mapping_id, action_id)
+// SELECT
+// (SELECT id FROM inserted_mapping),
+// unnest($7::uuid[])
+// )
+// SELECT id FROM inserted_mapping
+func (q *Queries) createDynamicValueMapping(ctx context.Context, arg createDynamicValueMappingParams) (string, error) {
+ row := q.db.QueryRow(ctx, createDynamicValueMapping,
+ arg.AttributeDefinitionID,
+ arg.SubjectExternalSelectorValue,
+ arg.Operator,
+ arg.Metadata,
+ arg.SubjectConditionSetID,
+ arg.NamespaceID,
+ arg.ActionIds,
+ )
+ var id string
+ err := row.Scan(&id)
+ return id, err
+}
+
+const deleteDynamicValueMapping = `-- name: deleteDynamicValueMapping :execrows
+DELETE FROM dynamic_value_mappings WHERE id = $1
+`
+
+// deleteDynamicValueMapping
+//
+// DELETE FROM dynamic_value_mappings WHERE id = $1
+func (q *Queries) deleteDynamicValueMapping(ctx context.Context, id string) (int64, error) {
+ result, err := q.db.Exec(ctx, deleteDynamicValueMapping, id)
+ if err != nil {
+ return 0, err
+ }
+ return result.RowsAffected(), nil
+}
+
+const getAttributeDefinitionIDByValueID = `-- name: getAttributeDefinitionIDByValueID :one
+SELECT attribute_definition_id
+FROM attribute_values
+WHERE id = $1
+`
+
+// getAttributeDefinitionIDByValueID
+//
+// SELECT attribute_definition_id
+// FROM attribute_values
+// WHERE id = $1
+func (q *Queries) getAttributeDefinitionIDByValueID(ctx context.Context, id string) (string, error) {
+ row := q.db.QueryRow(ctx, getAttributeDefinitionIDByValueID, id)
+ var attribute_definition_id string
+ err := row.Scan(&attribute_definition_id)
+ return attribute_definition_id, err
+}
+
+const getDynamicValueMapping = `-- name: getDynamicValueMapping :one
+WITH mapping_actions AS (
+ SELECT
+ dvm.action_id,
+ dvm.dynamic_value_mapping_id,
+ JSONB_BUILD_OBJECT(
+ 'id', a.id,
+ 'name', a.name,
+ 'namespace', CASE WHEN a.namespace_id IS NULL THEN NULL
+ ELSE JSONB_BUILD_OBJECT('id', ans.id, 'name', ans.name, 'fqn', ans_fqns.fqn)
+ END
+ ) AS action
+ FROM dynamic_value_mapping_actions dvm
+ JOIN actions a ON dvm.action_id = a.id
+ LEFT JOIN attribute_namespaces ans ON ans.id = a.namespace_id
+ LEFT JOIN attribute_fqns ans_fqns ON ans_fqns.namespace_id = ans.id AND ans_fqns.attribute_id IS NULL AND ans_fqns.value_id IS NULL
+ WHERE dvm.dynamic_value_mapping_id = $1
+),
+definition_actions AS (
+ SELECT
+ dynamic_value_mapping_id,
+ COALESCE(JSONB_AGG(action), '[]'::JSONB) AS actions
+ FROM mapping_actions
+ GROUP BY dynamic_value_mapping_id
+)
+SELECT
+ dvem.id,
+ dvem.attribute_definition_id,
+ dvem.subject_external_selector_value,
+ dvem.operator,
+ dvem.subject_condition_set_id,
+ COALESCE(da.actions, '[]'::JSONB) AS actions,
+ JSON_STRIP_NULLS(JSON_BUILD_OBJECT('labels', dvem.metadata -> 'labels', 'created_at', dvem.created_at, 'updated_at', dvem.updated_at)) AS metadata,
+ CASE
+ WHEN dvem.namespace_id IS NULL THEN NULL
+ ELSE JSON_BUILD_OBJECT('id', m_ns.id, 'name', m_ns.name, 'fqn', m_ns_fqns.fqn)
+ END AS namespace
+FROM dynamic_value_mappings dvem
+LEFT JOIN definition_actions da ON dvem.id = da.dynamic_value_mapping_id
+LEFT JOIN attribute_namespaces m_ns ON m_ns.id = dvem.namespace_id
+LEFT JOIN attribute_fqns m_ns_fqns ON m_ns_fqns.namespace_id = m_ns.id AND m_ns_fqns.attribute_id IS NULL AND m_ns_fqns.value_id IS NULL
+WHERE dvem.id = $1
+`
+
+type getDynamicValueMappingRow struct {
+ ID string `json:"id"`
+ AttributeDefinitionID string `json:"attribute_definition_id"`
+ SubjectExternalSelectorValue string `json:"subject_external_selector_value"`
+ Operator int16 `json:"operator"`
+ SubjectConditionSetID pgtype.UUID `json:"subject_condition_set_id"`
+ Actions interface{} `json:"actions"`
+ Metadata []byte `json:"metadata"`
+ Namespace interface{} `json:"namespace"`
+}
+
+// getDynamicValueMapping
+//
+// WITH mapping_actions AS (
+// SELECT
+// dvm.action_id,
+// dvm.dynamic_value_mapping_id,
+// JSONB_BUILD_OBJECT(
+// 'id', a.id,
+// 'name', a.name,
+// 'namespace', CASE WHEN a.namespace_id IS NULL THEN NULL
+// ELSE JSONB_BUILD_OBJECT('id', ans.id, 'name', ans.name, 'fqn', ans_fqns.fqn)
+// END
+// ) AS action
+// FROM dynamic_value_mapping_actions dvm
+// JOIN actions a ON dvm.action_id = a.id
+// LEFT JOIN attribute_namespaces ans ON ans.id = a.namespace_id
+// LEFT JOIN attribute_fqns ans_fqns ON ans_fqns.namespace_id = ans.id AND ans_fqns.attribute_id IS NULL AND ans_fqns.value_id IS NULL
+// WHERE dvm.dynamic_value_mapping_id = $1
+// ),
+// definition_actions AS (
+// SELECT
+// dynamic_value_mapping_id,
+// COALESCE(JSONB_AGG(action), '[]'::JSONB) AS actions
+// FROM mapping_actions
+// GROUP BY dynamic_value_mapping_id
+// )
+// SELECT
+// dvem.id,
+// dvem.attribute_definition_id,
+// dvem.subject_external_selector_value,
+// dvem.operator,
+// dvem.subject_condition_set_id,
+// COALESCE(da.actions, '[]'::JSONB) AS actions,
+// JSON_STRIP_NULLS(JSON_BUILD_OBJECT('labels', dvem.metadata -> 'labels', 'created_at', dvem.created_at, 'updated_at', dvem.updated_at)) AS metadata,
+// CASE
+// WHEN dvem.namespace_id IS NULL THEN NULL
+// ELSE JSON_BUILD_OBJECT('id', m_ns.id, 'name', m_ns.name, 'fqn', m_ns_fqns.fqn)
+// END AS namespace
+// FROM dynamic_value_mappings dvem
+// LEFT JOIN definition_actions da ON dvem.id = da.dynamic_value_mapping_id
+// LEFT JOIN attribute_namespaces m_ns ON m_ns.id = dvem.namespace_id
+// LEFT JOIN attribute_fqns m_ns_fqns ON m_ns_fqns.namespace_id = m_ns.id AND m_ns_fqns.attribute_id IS NULL AND m_ns_fqns.value_id IS NULL
+// WHERE dvem.id = $1
+func (q *Queries) getDynamicValueMapping(ctx context.Context, id string) (getDynamicValueMappingRow, error) {
+ row := q.db.QueryRow(ctx, getDynamicValueMapping, id)
+ var i getDynamicValueMappingRow
+ err := row.Scan(
+ &i.ID,
+ &i.AttributeDefinitionID,
+ &i.SubjectExternalSelectorValue,
+ &i.Operator,
+ &i.SubjectConditionSetID,
+ &i.Actions,
+ &i.Metadata,
+ &i.Namespace,
+ )
+ return i, err
+}
+
+const listDynamicValueMappings = `-- name: listDynamicValueMappings :many
+
+WITH params AS (
+ SELECT
+ COALESCE(NULLIF($6::text, ''), 'created_at') AS resolved_field,
+ COALESCE(NULLIF($7::text, ''), 'DESC') AS resolved_direction
+),
+mapping_actions AS (
+ SELECT
+ dvm.action_id,
+ dvm.dynamic_value_mapping_id,
+ JSONB_BUILD_OBJECT(
+ 'id', a.id,
+ 'name', a.name,
+ 'namespace', CASE WHEN a.namespace_id IS NULL THEN NULL
+ ELSE JSONB_BUILD_OBJECT('id', ans.id, 'name', ans.name, 'fqn', ans_fqns.fqn)
+ END
+ ) AS action
+ FROM dynamic_value_mapping_actions dvm
+ JOIN actions a ON dvm.action_id = a.id
+ LEFT JOIN attribute_namespaces ans ON ans.id = a.namespace_id
+ LEFT JOIN attribute_fqns ans_fqns ON ans_fqns.namespace_id = ans.id AND ans_fqns.attribute_id IS NULL AND ans_fqns.value_id IS NULL
+),
+definition_actions AS (
+ SELECT
+ dynamic_value_mapping_id,
+ COALESCE(JSONB_AGG(action), '[]'::JSONB) AS actions
+ FROM mapping_actions
+ GROUP BY dynamic_value_mapping_id
+),
+counted AS (
+ SELECT COUNT(dvem.id) AS total
+ FROM dynamic_value_mappings dvem
+ LEFT JOIN attribute_namespaces m_ns ON m_ns.id = dvem.namespace_id
+ LEFT JOIN attribute_fqns m_ns_fqns ON m_ns_fqns.namespace_id = m_ns.id AND m_ns_fqns.attribute_id IS NULL AND m_ns_fqns.value_id IS NULL
+ WHERE
+ ($1::uuid IS NULL OR dvem.namespace_id = $1::uuid)
+ AND ($2::text IS NULL OR m_ns_fqns.fqn = $2::text)
+ AND ($3::uuid IS NULL OR dvem.attribute_definition_id = $3::uuid)
+)
+SELECT
+ dvem.id,
+ dvem.attribute_definition_id,
+ dvem.subject_external_selector_value,
+ dvem.operator,
+ dvem.subject_condition_set_id,
+ COALESCE(da.actions, '[]'::JSONB) AS actions,
+ JSON_STRIP_NULLS(JSON_BUILD_OBJECT('labels', dvem.metadata -> 'labels', 'created_at', dvem.created_at, 'updated_at', dvem.updated_at)) AS metadata,
+ CASE
+ WHEN dvem.namespace_id IS NULL THEN NULL
+ ELSE JSON_BUILD_OBJECT('id', m_ns.id, 'name', m_ns.name, 'fqn', m_ns_fqns.fqn)
+ END AS namespace,
+ counted.total
+FROM dynamic_value_mappings dvem
+CROSS JOIN counted
+CROSS JOIN params p
+LEFT JOIN definition_actions da ON dvem.id = da.dynamic_value_mapping_id
+LEFT JOIN attribute_namespaces m_ns ON m_ns.id = dvem.namespace_id
+LEFT JOIN attribute_fqns m_ns_fqns ON m_ns_fqns.namespace_id = m_ns.id AND m_ns_fqns.attribute_id IS NULL AND m_ns_fqns.value_id IS NULL
+WHERE
+ ($1::uuid IS NULL OR dvem.namespace_id = $1::uuid)
+ AND ($2::text IS NULL OR m_ns_fqns.fqn = $2::text)
+ AND ($3::uuid IS NULL OR dvem.attribute_definition_id = $3::uuid)
+GROUP BY
+ dvem.id,
+ da.actions,
+ dvem.metadata, dvem.created_at, dvem.updated_at,
+ m_ns.id, m_ns.name, m_ns_fqns.fqn,
+ counted.total,
+ p.resolved_field, p.resolved_direction
+ORDER BY
+ CASE WHEN p.resolved_field = 'created_at' AND p.resolved_direction = 'ASC' THEN dvem.created_at END ASC,
+ CASE WHEN p.resolved_field = 'created_at' AND p.resolved_direction = 'DESC' THEN dvem.created_at END DESC,
+ CASE WHEN p.resolved_field = 'updated_at' AND p.resolved_direction = 'ASC' THEN dvem.updated_at END ASC,
+ CASE WHEN p.resolved_field = 'updated_at' AND p.resolved_direction = 'DESC' THEN dvem.updated_at END DESC,
+ dvem.id ASC
+LIMIT $5
+OFFSET $4
+`
+
+type listDynamicValueMappingsParams struct {
+ NamespaceID pgtype.UUID `json:"namespace_id"`
+ NamespaceFqn pgtype.Text `json:"namespace_fqn"`
+ AttributeDefinitionID pgtype.UUID `json:"attribute_definition_id"`
+ Offset int32 `json:"offset_"`
+ Limit int32 `json:"limit_"`
+ SortField string `json:"sort_field"`
+ SortDirection string `json:"sort_direction"`
+}
+
+type listDynamicValueMappingsRow struct {
+ ID string `json:"id"`
+ AttributeDefinitionID string `json:"attribute_definition_id"`
+ SubjectExternalSelectorValue string `json:"subject_external_selector_value"`
+ Operator int16 `json:"operator"`
+ SubjectConditionSetID pgtype.UUID `json:"subject_condition_set_id"`
+ Actions interface{} `json:"actions"`
+ Metadata []byte `json:"metadata"`
+ Namespace interface{} `json:"namespace"`
+ Total int64 `json:"total"`
+}
+
+// --------------------------------------------------------------
+// DEFINITION VALUE ENTITLEMENT MAPPINGS
+// --------------------------------------------------------------
+//
+// WITH params AS (
+// SELECT
+// COALESCE(NULLIF($6::text, ''), 'created_at') AS resolved_field,
+// COALESCE(NULLIF($7::text, ''), 'DESC') AS resolved_direction
+// ),
+// mapping_actions AS (
+// SELECT
+// dvm.action_id,
+// dvm.dynamic_value_mapping_id,
+// JSONB_BUILD_OBJECT(
+// 'id', a.id,
+// 'name', a.name,
+// 'namespace', CASE WHEN a.namespace_id IS NULL THEN NULL
+// ELSE JSONB_BUILD_OBJECT('id', ans.id, 'name', ans.name, 'fqn', ans_fqns.fqn)
+// END
+// ) AS action
+// FROM dynamic_value_mapping_actions dvm
+// JOIN actions a ON dvm.action_id = a.id
+// LEFT JOIN attribute_namespaces ans ON ans.id = a.namespace_id
+// LEFT JOIN attribute_fqns ans_fqns ON ans_fqns.namespace_id = ans.id AND ans_fqns.attribute_id IS NULL AND ans_fqns.value_id IS NULL
+// ),
+// definition_actions AS (
+// SELECT
+// dynamic_value_mapping_id,
+// COALESCE(JSONB_AGG(action), '[]'::JSONB) AS actions
+// FROM mapping_actions
+// GROUP BY dynamic_value_mapping_id
+// ),
+// counted AS (
+// SELECT COUNT(dvem.id) AS total
+// FROM dynamic_value_mappings dvem
+// LEFT JOIN attribute_namespaces m_ns ON m_ns.id = dvem.namespace_id
+// LEFT JOIN attribute_fqns m_ns_fqns ON m_ns_fqns.namespace_id = m_ns.id AND m_ns_fqns.attribute_id IS NULL AND m_ns_fqns.value_id IS NULL
+// WHERE
+// ($1::uuid IS NULL OR dvem.namespace_id = $1::uuid)
+// AND ($2::text IS NULL OR m_ns_fqns.fqn = $2::text)
+// AND ($3::uuid IS NULL OR dvem.attribute_definition_id = $3::uuid)
+// )
+// SELECT
+// dvem.id,
+// dvem.attribute_definition_id,
+// dvem.subject_external_selector_value,
+// dvem.operator,
+// dvem.subject_condition_set_id,
+// COALESCE(da.actions, '[]'::JSONB) AS actions,
+// JSON_STRIP_NULLS(JSON_BUILD_OBJECT('labels', dvem.metadata -> 'labels', 'created_at', dvem.created_at, 'updated_at', dvem.updated_at)) AS metadata,
+// CASE
+// WHEN dvem.namespace_id IS NULL THEN NULL
+// ELSE JSON_BUILD_OBJECT('id', m_ns.id, 'name', m_ns.name, 'fqn', m_ns_fqns.fqn)
+// END AS namespace,
+// counted.total
+// FROM dynamic_value_mappings dvem
+// CROSS JOIN counted
+// CROSS JOIN params p
+// LEFT JOIN definition_actions da ON dvem.id = da.dynamic_value_mapping_id
+// LEFT JOIN attribute_namespaces m_ns ON m_ns.id = dvem.namespace_id
+// LEFT JOIN attribute_fqns m_ns_fqns ON m_ns_fqns.namespace_id = m_ns.id AND m_ns_fqns.attribute_id IS NULL AND m_ns_fqns.value_id IS NULL
+// WHERE
+// ($1::uuid IS NULL OR dvem.namespace_id = $1::uuid)
+// AND ($2::text IS NULL OR m_ns_fqns.fqn = $2::text)
+// AND ($3::uuid IS NULL OR dvem.attribute_definition_id = $3::uuid)
+// GROUP BY
+// dvem.id,
+// da.actions,
+// dvem.metadata, dvem.created_at, dvem.updated_at,
+// m_ns.id, m_ns.name, m_ns_fqns.fqn,
+// counted.total,
+// p.resolved_field, p.resolved_direction
+// ORDER BY
+// CASE WHEN p.resolved_field = 'created_at' AND p.resolved_direction = 'ASC' THEN dvem.created_at END ASC,
+// CASE WHEN p.resolved_field = 'created_at' AND p.resolved_direction = 'DESC' THEN dvem.created_at END DESC,
+// CASE WHEN p.resolved_field = 'updated_at' AND p.resolved_direction = 'ASC' THEN dvem.updated_at END ASC,
+// CASE WHEN p.resolved_field = 'updated_at' AND p.resolved_direction = 'DESC' THEN dvem.updated_at END DESC,
+// dvem.id ASC
+// LIMIT $5
+// OFFSET $4
+func (q *Queries) listDynamicValueMappings(ctx context.Context, arg listDynamicValueMappingsParams) ([]listDynamicValueMappingsRow, error) {
+ rows, err := q.db.Query(ctx, listDynamicValueMappings,
+ arg.NamespaceID,
+ arg.NamespaceFqn,
+ arg.AttributeDefinitionID,
+ arg.Offset,
+ arg.Limit,
+ arg.SortField,
+ arg.SortDirection,
+ )
+ if err != nil {
+ return nil, err
+ }
+ defer rows.Close()
+ var items []listDynamicValueMappingsRow
+ for rows.Next() {
+ var i listDynamicValueMappingsRow
+ if err := rows.Scan(
+ &i.ID,
+ &i.AttributeDefinitionID,
+ &i.SubjectExternalSelectorValue,
+ &i.Operator,
+ &i.SubjectConditionSetID,
+ &i.Actions,
+ &i.Metadata,
+ &i.Namespace,
+ &i.Total,
+ ); err != nil {
+ return nil, err
+ }
+ items = append(items, i)
+ }
+ if err := rows.Err(); err != nil {
+ return nil, err
+ }
+ return items, nil
+}
+
+const updateDynamicValueMapping = `-- name: updateDynamicValueMapping :execrows
+WITH
+ mapping_update AS (
+ UPDATE dynamic_value_mappings
+ SET
+ metadata = COALESCE($1::JSONB, metadata),
+ subject_external_selector_value = COALESCE($2::TEXT, subject_external_selector_value),
+ operator = COALESCE($3::SMALLINT, operator),
+ subject_condition_set_id = COALESCE($4::UUID, subject_condition_set_id)
+ WHERE id = $5
+ RETURNING id
+ ),
+ action_delete AS (
+ DELETE FROM dynamic_value_mapping_actions
+ WHERE
+ dynamic_value_mapping_id = $5
+ AND $6::UUID[] IS NOT NULL
+ AND action_id NOT IN (SELECT unnest($6::UUID[]))
+ ),
+ action_insert AS (
+ INSERT INTO dynamic_value_mapping_actions (dynamic_value_mapping_id, action_id)
+ SELECT
+ $5,
+ a
+ FROM unnest($6::UUID[]) AS a
+ WHERE
+ $6::UUID[] IS NOT NULL
+ AND NOT EXISTS (
+ SELECT 1
+ FROM dynamic_value_mapping_actions
+ WHERE dynamic_value_mapping_id = $5 AND action_id = a
+ )
+ ),
+ update_count AS (
+ SELECT COUNT(*) AS cnt
+ FROM mapping_update
+ )
+SELECT cnt
+FROM update_count
+`
+
+type updateDynamicValueMappingParams struct {
+ Metadata []byte `json:"metadata"`
+ SubjectExternalSelectorValue pgtype.Text `json:"subject_external_selector_value"`
+ Operator pgtype.Int2 `json:"operator"`
+ SubjectConditionSetID pgtype.UUID `json:"subject_condition_set_id"`
+ ID string `json:"id"`
+ ActionIds []string `json:"action_ids"`
+}
+
+// updateDynamicValueMapping
+//
+// WITH
+// mapping_update AS (
+// UPDATE dynamic_value_mappings
+// SET
+// metadata = COALESCE($1::JSONB, metadata),
+// subject_external_selector_value = COALESCE($2::TEXT, subject_external_selector_value),
+// operator = COALESCE($3::SMALLINT, operator),
+// subject_condition_set_id = COALESCE($4::UUID, subject_condition_set_id)
+// WHERE id = $5
+// RETURNING id
+// ),
+// action_delete AS (
+// DELETE FROM dynamic_value_mapping_actions
+// WHERE
+// dynamic_value_mapping_id = $5
+// AND $6::UUID[] IS NOT NULL
+// AND action_id NOT IN (SELECT unnest($6::UUID[]))
+// ),
+// action_insert AS (
+// INSERT INTO dynamic_value_mapping_actions (dynamic_value_mapping_id, action_id)
+// SELECT
+// $5,
+// a
+// FROM unnest($6::UUID[]) AS a
+// WHERE
+// $6::UUID[] IS NOT NULL
+// AND NOT EXISTS (
+// SELECT 1
+// FROM dynamic_value_mapping_actions
+// WHERE dynamic_value_mapping_id = $5 AND action_id = a
+// )
+// ),
+// update_count AS (
+// SELECT COUNT(*) AS cnt
+// FROM mapping_update
+// )
+// SELECT cnt
+// FROM update_count
+func (q *Queries) updateDynamicValueMapping(ctx context.Context, arg updateDynamicValueMappingParams) (int64, error) {
+ result, err := q.db.Exec(ctx, updateDynamicValueMapping,
+ arg.Metadata,
+ arg.SubjectExternalSelectorValue,
+ arg.Operator,
+ arg.SubjectConditionSetID,
+ arg.ID,
+ arg.ActionIds,
+ )
+ if err != nil {
+ return 0, err
+ }
+ return result.RowsAffected(), nil
+}
diff --git a/service/policy/db/key_access_server_registry.sql.go b/service/policy/db/key_access_server_registry.sql.go
index f7b709306f..399449936a 100644
--- a/service/policy/db/key_access_server_registry.sql.go
+++ b/service/policy/db/key_access_server_registry.sql.go
@@ -1,6 +1,6 @@
// Code generated by sqlc. DO NOT EDIT.
// versions:
-// sqlc v1.31.0
+// sqlc v1.30.0
// source: key_access_server_registry.sql
package db
diff --git a/service/policy/db/key_management.sql.go b/service/policy/db/key_management.sql.go
index eae00e6412..2a0bcdf8af 100644
--- a/service/policy/db/key_management.sql.go
+++ b/service/policy/db/key_management.sql.go
@@ -1,6 +1,6 @@
// Code generated by sqlc. DO NOT EDIT.
// versions:
-// sqlc v1.31.0
+// sqlc v1.30.0
// source: key_management.sql
package db
diff --git a/service/policy/db/migrations/20260604000000_add_dynamic_value_mappings.sql b/service/policy/db/migrations/20260604000000_add_dynamic_value_mappings.sql
new file mode 100644
index 0000000000..6597231a8b
--- /dev/null
+++ b/service/policy/db/migrations/20260604000000_add_dynamic_value_mappings.sql
@@ -0,0 +1,61 @@
+-- +goose Up
+-- +goose StatementBegin
+
+-- Dynamic Value Mappings raise entitlement authority from a concrete
+-- attribute value to the attribute definition. A single mapping resolves entitlement for
+-- dynamically-requested values under the definition by comparing the requested resource
+-- value segment against the entity representation (the value_resolver), optionally gated
+-- by a static SubjectConditionSet.
+CREATE TABLE IF NOT EXISTS dynamic_value_mappings (
+ id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+ attribute_definition_id UUID NOT NULL REFERENCES attribute_definitions(id) ON DELETE CASCADE,
+ -- value_resolver: selector against the flattened entity representation + dynamic operator
+ subject_external_selector_value TEXT NOT NULL,
+ operator SMALLINT NOT NULL,
+ -- optional static pre-gate, evaluated with normal SubjectConditionSet semantics
+ subject_condition_set_id UUID REFERENCES subject_condition_set(id) ON DELETE CASCADE,
+ namespace_id UUID REFERENCES attribute_namespaces(id) ON DELETE CASCADE,
+ metadata JSONB,
+ created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ updated_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
+
+COMMENT ON TABLE dynamic_value_mappings IS 'Definition-scoped dynamic value entitlement mappings (DSPX-2754)';
+COMMENT ON COLUMN dynamic_value_mappings.subject_external_selector_value IS 'Selector resolved against the entity representation, compared to the requested resource value segment';
+COMMENT ON COLUMN dynamic_value_mappings.operator IS 'policy.DynamicValueOperatorEnum value';
+
+CREATE TRIGGER dynamic_value_mappings_updated_at
+ BEFORE UPDATE ON dynamic_value_mappings
+ FOR EACH ROW
+ EXECUTE FUNCTION update_updated_at();
+
+CREATE TABLE IF NOT EXISTS dynamic_value_mapping_actions (
+ dynamic_value_mapping_id UUID NOT NULL REFERENCES dynamic_value_mappings(id) ON DELETE CASCADE,
+ action_id UUID NOT NULL REFERENCES actions(id) ON DELETE CASCADE,
+ PRIMARY KEY (dynamic_value_mapping_id, action_id)
+);
+
+CREATE INDEX idx_dynamic_value_mappings_definition_id
+ ON dynamic_value_mappings(attribute_definition_id);
+CREATE INDEX idx_dynamic_value_mappings_scs_id
+ ON dynamic_value_mappings(subject_condition_set_id);
+CREATE INDEX idx_dynamic_value_mappings_namespace_id
+ ON dynamic_value_mappings(namespace_id);
+-- No separate index on dynamic_value_mapping_actions: its composite
+-- PRIMARY KEY (dynamic_value_mapping_id, action_id) already covers lookups.
+
+-- +goose StatementEnd
+
+-- +goose Down
+-- +goose StatementBegin
+
+DROP INDEX IF EXISTS idx_dynamic_value_mappings_namespace_id;
+DROP INDEX IF EXISTS idx_dynamic_value_mappings_scs_id;
+DROP INDEX IF EXISTS idx_dynamic_value_mappings_definition_id;
+
+DROP TABLE IF EXISTS dynamic_value_mapping_actions;
+
+DROP TRIGGER IF EXISTS dynamic_value_mappings_updated_at ON dynamic_value_mappings;
+DROP TABLE IF EXISTS dynamic_value_mappings;
+
+-- +goose StatementEnd
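Review bot: `operator SMALLINT NOT NULL` in `dynamic_value_mappings` accepts any small integer, so a row written outside the service (or by a later bug) can carry 0 or an undefined operator; how the decision path treats such a row is not visible here. Because this column selects the entitlement comparison, consider constraining it in the schema, e.g. `operator SMALLINT NOT NULL CHECK (operator IN (1, 2))`, matching the two defined `DynamicValueOperatorEnum` values added in this commit, accepting that a new operator then needs a migration. Separately, `CREATE TABLE IF NOT EXISTS` is paired with unguarded `CREATE TRIGGER` and `CREATE INDEX` statements, so the Up section is not actually re-runnable. Either drop the `IF NOT EXISTS` on the tables or use `CREATE INDEX IF NOT EXISTS` so the guards are consistent.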
diff --git a/service/policy/db/models.go b/service/policy/db/models.go
index fb0616f43f..b61f8ca3c6 100644
--- a/service/policy/db/models.go
+++ b/service/policy/db/models.go
@@ -1,6 +1,6 @@
// Code generated by sqlc. DO NOT EDIT.
// versions:
-// sqlc v1.31.0
+// sqlc v1.30.0
package db
@@ -234,6 +234,26 @@ type BaseKey struct {
KeyAccessServerKeyID pgtype.UUID `json:"key_access_server_key_id"`
}
+// Definition-scoped dynamic value entitlement mappings (DSPX-2754)
+type DynamicValueMapping struct {
+ ID string `json:"id"`
+ AttributeDefinitionID string `json:"attribute_definition_id"`
+ // Selector resolved against the entity representation, compared to the requested resource value segment
+ SubjectExternalSelectorValue string `json:"subject_external_selector_value"`
+ // policy.DynamicValueOperatorEnum value
+ Operator int16 `json:"operator"`
+ SubjectConditionSetID pgtype.UUID `json:"subject_condition_set_id"`
+ NamespaceID pgtype.UUID `json:"namespace_id"`
+ Metadata []byte `json:"metadata"`
+ CreatedAt pgtype.Timestamptz `json:"created_at"`
+ UpdatedAt pgtype.Timestamptz `json:"updated_at"`
+}
+
+type DynamicValueMappingAction struct {
+ DynamicValueMappingID string `json:"dynamic_value_mapping_id"`
+ ActionID string `json:"action_id"`
+}
+
// Table to store the known registrations of key access servers (KASs)
type KeyAccessServer struct {
// Primary key for the table
diff --git a/service/policy/db/namespaces.sql.go b/service/policy/db/namespaces.sql.go
index 7bb3937313..655ac654a0 100644
--- a/service/policy/db/namespaces.sql.go
+++ b/service/policy/db/namespaces.sql.go
@@ -1,6 +1,6 @@
// Code generated by sqlc. DO NOT EDIT.
// versions:
-// sqlc v1.31.0
+// sqlc v1.30.0
// source: namespaces.sql
package db
diff --git a/service/policy/db/obligations.sql.go b/service/policy/db/obligations.sql.go
index 893dcea627..433d76beb4 100644
--- a/service/policy/db/obligations.sql.go
+++ b/service/policy/db/obligations.sql.go
@@ -1,6 +1,6 @@
// Code generated by sqlc. DO NOT EDIT.
// versions:
-// sqlc v1.31.0
+// sqlc v1.30.0
// source: obligations.sql
package db
@@ -557,9 +557,8 @@ RETURNING id
// RETURNING id
func (q *Queries) deleteObligationTrigger(ctx context.Context, id string) (string, error) {
row := q.db.QueryRow(ctx, deleteObligationTrigger, id)
- var id_2 string
- err := row.Scan(&id_2)
- return id_2, err
+ err := row.Scan(&id)
+ return id, err
}
const deleteObligationValue = `-- name: deleteObligationValue :one
diff --git a/service/policy/db/queries/dynamic_value_mappings.sql b/service/policy/db/queries/dynamic_value_mappings.sql
new file mode 100644
index 0000000000..2b9de5074d
--- /dev/null
+++ b/service/policy/db/queries/dynamic_value_mappings.sql
@@ -0,0 +1,215 @@
+----------------------------------------------------------------
+-- DEFINITION VALUE ENTITLEMENT MAPPINGS
+----------------------------------------------------------------
+
+-- name: listDynamicValueMappings :many
+WITH params AS (
+ SELECT
+ COALESCE(NULLIF(@sort_field::text, ''), 'created_at') AS resolved_field,
+ COALESCE(NULLIF(@sort_direction::text, ''), 'DESC') AS resolved_direction
+),
+mapping_actions AS (
+ SELECT
+ dvm.action_id,
+ dvm.dynamic_value_mapping_id,
+ JSONB_BUILD_OBJECT(
+ 'id', a.id,
+ 'name', a.name,
+ 'namespace', CASE WHEN a.namespace_id IS NULL THEN NULL
+ ELSE JSONB_BUILD_OBJECT('id', ans.id, 'name', ans.name, 'fqn', ans_fqns.fqn)
+ END
+ ) AS action
+ FROM dynamic_value_mapping_actions dvm
+ JOIN actions a ON dvm.action_id = a.id
+ LEFT JOIN attribute_namespaces ans ON ans.id = a.namespace_id
+ LEFT JOIN attribute_fqns ans_fqns ON ans_fqns.namespace_id = ans.id AND ans_fqns.attribute_id IS NULL AND ans_fqns.value_id IS NULL
+),
+definition_actions AS (
+ SELECT
+ dynamic_value_mapping_id,
+ COALESCE(JSONB_AGG(action), '[]'::JSONB) AS actions
+ FROM mapping_actions
+ GROUP BY dynamic_value_mapping_id
+),
+counted AS (
+ SELECT COUNT(dvem.id) AS total
+ FROM dynamic_value_mappings dvem
+ LEFT JOIN attribute_namespaces m_ns ON m_ns.id = dvem.namespace_id
+ LEFT JOIN attribute_fqns m_ns_fqns ON m_ns_fqns.namespace_id = m_ns.id AND m_ns_fqns.attribute_id IS NULL AND m_ns_fqns.value_id IS NULL
+ WHERE
+ (sqlc.narg('namespace_id')::uuid IS NULL OR dvem.namespace_id = sqlc.narg('namespace_id')::uuid)
+ AND (sqlc.narg('namespace_fqn')::text IS NULL OR m_ns_fqns.fqn = sqlc.narg('namespace_fqn')::text)
+ AND (sqlc.narg('attribute_definition_id')::uuid IS NULL OR dvem.attribute_definition_id = sqlc.narg('attribute_definition_id')::uuid)
+)
+SELECT
+ dvem.id,
+ dvem.attribute_definition_id,
+ dvem.subject_external_selector_value,
+ dvem.operator,
+ dvem.subject_condition_set_id,
+ COALESCE(da.actions, '[]'::JSONB) AS actions,
+ JSON_STRIP_NULLS(JSON_BUILD_OBJECT('labels', dvem.metadata -> 'labels', 'created_at', dvem.created_at, 'updated_at', dvem.updated_at)) AS metadata,
+ CASE
+ WHEN dvem.namespace_id IS NULL THEN NULL
+ ELSE JSON_BUILD_OBJECT('id', m_ns.id, 'name', m_ns.name, 'fqn', m_ns_fqns.fqn)
+ END AS namespace,
+ counted.total
+FROM dynamic_value_mappings dvem
+CROSS JOIN counted
+CROSS JOIN params p
+LEFT JOIN definition_actions da ON dvem.id = da.dynamic_value_mapping_id
+LEFT JOIN attribute_namespaces m_ns ON m_ns.id = dvem.namespace_id
+LEFT JOIN attribute_fqns m_ns_fqns ON m_ns_fqns.namespace_id = m_ns.id AND m_ns_fqns.attribute_id IS NULL AND m_ns_fqns.value_id IS NULL
+WHERE
+ (sqlc.narg('namespace_id')::uuid IS NULL OR dvem.namespace_id = sqlc.narg('namespace_id')::uuid)
+ AND (sqlc.narg('namespace_fqn')::text IS NULL OR m_ns_fqns.fqn = sqlc.narg('namespace_fqn')::text)
+ AND (sqlc.narg('attribute_definition_id')::uuid IS NULL OR dvem.attribute_definition_id = sqlc.narg('attribute_definition_id')::uuid)
+GROUP BY
+ dvem.id,
+ da.actions,
+ dvem.metadata, dvem.created_at, dvem.updated_at,
+ m_ns.id, m_ns.name, m_ns_fqns.fqn,
+ counted.total,
+ p.resolved_field, p.resolved_direction
+ORDER BY
+ CASE WHEN p.resolved_field = 'created_at' AND p.resolved_direction = 'ASC' THEN dvem.created_at END ASC,
+ CASE WHEN p.resolved_field = 'created_at' AND p.resolved_direction = 'DESC' THEN dvem.created_at END DESC,
+ CASE WHEN p.resolved_field = 'updated_at' AND p.resolved_direction = 'ASC' THEN dvem.updated_at END ASC,
+ CASE WHEN p.resolved_field = 'updated_at' AND p.resolved_direction = 'DESC' THEN dvem.updated_at END DESC,
+ dvem.id ASC
+LIMIT @limit_
+OFFSET @offset_;
+
+-- name: getDynamicValueMapping :one
+WITH mapping_actions AS (
+ SELECT
+ dvm.action_id,
+ dvm.dynamic_value_mapping_id,
+ JSONB_BUILD_OBJECT(
+ 'id', a.id,
+ 'name', a.name,
+ 'namespace', CASE WHEN a.namespace_id IS NULL THEN NULL
+ ELSE JSONB_BUILD_OBJECT('id', ans.id, 'name', ans.name, 'fqn', ans_fqns.fqn)
+ END
+ ) AS action
+ FROM dynamic_value_mapping_actions dvm
+ JOIN actions a ON dvm.action_id = a.id
+ LEFT JOIN attribute_namespaces ans ON ans.id = a.namespace_id
+ LEFT JOIN attribute_fqns ans_fqns ON ans_fqns.namespace_id = ans.id AND ans_fqns.attribute_id IS NULL AND ans_fqns.value_id IS NULL
+ WHERE dvm.dynamic_value_mapping_id = @id
+),
+definition_actions AS (
+ SELECT
+ dynamic_value_mapping_id,
+ COALESCE(JSONB_AGG(action), '[]'::JSONB) AS actions
+ FROM mapping_actions
+ GROUP BY dynamic_value_mapping_id
+)
+SELECT
+ dvem.id,
+ dvem.attribute_definition_id,
+ dvem.subject_external_selector_value,
+ dvem.operator,
+ dvem.subject_condition_set_id,
+ COALESCE(da.actions, '[]'::JSONB) AS actions,
+ JSON_STRIP_NULLS(JSON_BUILD_OBJECT('labels', dvem.metadata -> 'labels', 'created_at', dvem.created_at, 'updated_at', dvem.updated_at)) AS metadata,
+ CASE
+ WHEN dvem.namespace_id IS NULL THEN NULL
+ ELSE JSON_BUILD_OBJECT('id', m_ns.id, 'name', m_ns.name, 'fqn', m_ns_fqns.fqn)
+ END AS namespace
+FROM dynamic_value_mappings dvem
+LEFT JOIN definition_actions da ON dvem.id = da.dynamic_value_mapping_id
+LEFT JOIN attribute_namespaces m_ns ON m_ns.id = dvem.namespace_id
+LEFT JOIN attribute_fqns m_ns_fqns ON m_ns_fqns.namespace_id = m_ns.id AND m_ns_fqns.attribute_id IS NULL AND m_ns_fqns.value_id IS NULL
+WHERE dvem.id = @id;
+
+-- name: createDynamicValueMapping :one
+WITH inserted_mapping AS (
+ INSERT INTO dynamic_value_mappings (
+ attribute_definition_id,
+ subject_external_selector_value,
+ operator,
+ metadata,
+ subject_condition_set_id,
+ namespace_id
+ )
+ VALUES (
+ @attribute_definition_id,
+ @subject_external_selector_value,
+ @operator,
+ @metadata,
+ sqlc.narg('subject_condition_set_id')::uuid,
+ sqlc.narg('namespace_id')::uuid
+ )
+ RETURNING id
+),
+inserted_actions AS (
+ INSERT INTO dynamic_value_mapping_actions (dynamic_value_mapping_id, action_id)
+ SELECT
+ (SELECT id FROM inserted_mapping),
+ unnest(sqlc.arg('action_ids')::uuid[])
+)
+SELECT id FROM inserted_mapping;
+
+-- name: updateDynamicValueMapping :execrows
+WITH
+ mapping_update AS (
+ UPDATE dynamic_value_mappings
+ SET
+ metadata = COALESCE(sqlc.narg('metadata')::JSONB, metadata),
+ subject_external_selector_value = COALESCE(sqlc.narg('subject_external_selector_value')::TEXT, subject_external_selector_value),
+ operator = COALESCE(sqlc.narg('operator')::SMALLINT, operator),
+ subject_condition_set_id = COALESCE(sqlc.narg('subject_condition_set_id')::UUID, subject_condition_set_id)
+ WHERE id = sqlc.arg('id')
+ RETURNING id
+ ),
+ action_delete AS (
+ DELETE FROM dynamic_value_mapping_actions
+ WHERE
+ dynamic_value_mapping_id = sqlc.arg('id')
+ AND sqlc.narg('action_ids')::UUID[] IS NOT NULL
+ AND action_id NOT IN (SELECT unnest(sqlc.narg('action_ids')::UUID[]))
+ ),
+ action_insert AS (
+ INSERT INTO dynamic_value_mapping_actions (dynamic_value_mapping_id, action_id)
+ SELECT
+ sqlc.arg('id'),
+ a
+ FROM unnest(sqlc.narg('action_ids')::UUID[]) AS a
+ WHERE
+ sqlc.narg('action_ids')::UUID[] IS NOT NULL
+ AND NOT EXISTS (
+ SELECT 1
+ FROM dynamic_value_mapping_actions
+ WHERE dynamic_value_mapping_id = sqlc.arg('id') AND action_id = a
+ )
+ ),
+ update_count AS (
+ SELECT COUNT(*) AS cnt
+ FROM mapping_update
+ )
+SELECT cnt
+FROM update_count;
+
+-- name: deleteDynamicValueMapping :execrows
+DELETE FROM dynamic_value_mappings WHERE id = $1;
+
+-- name: countValueSubjectMappingsByDefinitionID :one
+-- Counts value-level subject mappings whose attribute value belongs to the given
+-- definition. Used to enforce no-coexistence with dynamic value entitlement mappings.
+SELECT COUNT(sm.id)
+FROM subject_mappings sm
+JOIN attribute_values av ON sm.attribute_value_id = av.id
+WHERE av.attribute_definition_id = $1;
+
+-- name: countDynamicValueMappingsByDefinitionID :one
+-- Counts dynamic value entitlement mappings on the given definition. Used to enforce
+-- no-coexistence from the subject-mapping create path.
+SELECT COUNT(id)
+FROM dynamic_value_mappings
+WHERE attribute_definition_id = $1;
+
+-- name: getAttributeDefinitionIDByValueID :one
+SELECT attribute_definition_id
+FROM attribute_values
+WHERE id = $1;
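Review bot: `updateDynamicValueMapping` is annotated `:execrows` but its final statement is `SELECT cnt FROM update_count`, so the generated wrapper, which calls `Exec` and returns `RowsAffected()`, most likely reports the single row produced by that SELECT rather than the value of `cnt`. If so, an update against an id that matches no mapping still returns 1, and callers cannot use the count to detect a missing row. Changing the annotation to `-- name: updateDynamicValueMapping :one` makes sqlc scan `cnt` itself. `action_delete` also deserves a comment: an empty but non-NULL `action_ids` array satisfies `NOT IN` for every row and removes all actions from the mapping, so the Go layer must pass NULL when the request omits actions.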
diff --git a/service/policy/db/registered_resources.sql.go b/service/policy/db/registered_resources.sql.go
index f2d85ee96b..d26fbb13ba 100644
--- a/service/policy/db/registered_resources.sql.go
+++ b/service/policy/db/registered_resources.sql.go
@@ -1,6 +1,6 @@
// Code generated by sqlc. DO NOT EDIT.
// versions:
-// sqlc v1.31.0
+// sqlc v1.30.0
// source: registered_resources.sql
package db
diff --git a/service/policy/db/resource_mapping.sql.go b/service/policy/db/resource_mapping.sql.go
index 06313547d9..61ec1eb663 100644
--- a/service/policy/db/resource_mapping.sql.go
+++ b/service/policy/db/resource_mapping.sql.go
@@ -1,6 +1,6 @@
// Code generated by sqlc. DO NOT EDIT.
// versions:
-// sqlc v1.31.0
+// sqlc v1.30.0
// source: resource_mapping.sql
package db
diff --git a/service/policy/db/subject_mappings.go b/service/policy/db/subject_mappings.go
index 6153629e5a..13d47416c1 100644
--- a/service/policy/db/subject_mappings.go
+++ b/service/policy/db/subject_mappings.go
@@ -264,6 +264,13 @@ func (c PolicyDBClient) DeleteAllUnmappedSubjectConditionSets(ctx context.Contex
// If a new subject condition set is provided, it will be created. The existing subject condition set id takes precedence.
func (c PolicyDBClient) CreateSubjectMapping(ctx context.Context, s *subjectmapping.CreateSubjectMappingRequest) (*policy.SubjectMapping, error) {
attributeValueID := s.GetAttributeValueId()
+
+ // Enforce no-coexistence: a value-level subject mapping cannot be created on a
+ // definition that already has a dynamic value entitlement mapping (DSPX-2754 / ADR 0005).
+ if err := c.ensureNoDynamicValueMappingCoexistence(ctx, attributeValueID); err != nil {
+ return nil, err
+ }
+
resolvedNamespaceID, err := c.resolveNamespace(ctx, s.GetNamespaceId(), s.GetNamespaceFqn())
if err != nil {
return nil, err
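Review bot: The coexistence guard added at the top of `CreateSubjectMapping` is a check-then-insert, and nothing visible in this hunk makes the check and the later insert atomic. If `ensureNoDynamicValueMappingCoexistence` only runs the `countDynamicValueMappingsByDefinitionID` query (its body is outside this hunk), two concurrent requests, one creating a subject mapping and one creating a dynamic value mapping on the same definition, can each see a count of zero under READ COMMITTED and both commit. That leaves the definition with both kinds of entitlement, which is the state the guard exists to prevent. Serialising both create paths on the definition row, e.g. `SELECT id FROM attribute_definitions WHERE id = $1 FOR UPDATE` inside the same transaction before counting, would close that window. The rest of `CreateSubjectMapping` lies outside the hunk, so whether it already runs in a transaction needs confirming.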
diff --git a/service/policy/db/subject_mappings.sql.go b/service/policy/db/subject_mappings.sql.go
index 259e84114b..0323b0e398 100644
--- a/service/policy/db/subject_mappings.sql.go
+++ b/service/policy/db/subject_mappings.sql.go
@@ -1,6 +1,6 @@
// Code generated by sqlc. DO NOT EDIT.
// versions:
-// sqlc v1.31.0
+// sqlc v1.30.0
// source: subject_mappings.sql
package db
diff --git a/service/policy/db/utils.go b/service/policy/db/utils.go
index 7e43fd63cd..7330819eb7 100644
--- a/service/policy/db/utils.go
+++ b/service/policy/db/utils.go
@@ -10,6 +10,7 @@ import (
"github.com/opentdf/platform/protocol/go/common"
"github.com/opentdf/platform/protocol/go/policy"
"github.com/opentdf/platform/protocol/go/policy/attributes"
+ "github.com/opentdf/platform/protocol/go/policy/dynamicvaluemapping"
"github.com/opentdf/platform/protocol/go/policy/kasregistry"
"github.com/opentdf/platform/protocol/go/policy/namespaces"
"github.com/opentdf/platform/protocol/go/policy/obligations"
@@ -404,6 +405,26 @@ func GetSubjectMappingsSortParams(sort []*subjectmapping.SubjectMappingsSort) (s
return getSubjectMappingsSortField(sort[0].GetField()), getSortDirection(sort[0].GetDirection())
}
+func getDynamicValueMappingsSortField(field dynamicvaluemapping.SortDynamicValueMappingsType) string {
+ switch field {
+ case dynamicvaluemapping.SortDynamicValueMappingsType_SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_CREATED_AT:
+ return sortFieldCreatedAt
+ case dynamicvaluemapping.SortDynamicValueMappingsType_SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_UPDATED_AT:
+ return sortFieldUpdatedAt
+ case dynamicvaluemapping.SortDynamicValueMappingsType_SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_UNSPECIFIED:
+ fallthrough
+ default:
+ return ""
+ }
+}
+
+func GetDynamicValueMappingsSortParams(sort []*dynamicvaluemapping.DynamicValueMappingsSort) (string, string) {
+ if len(sort) == 0 {
+ return "", ""
+ }
+ return getDynamicValueMappingsSortField(sort[0].GetField()), getSortDirection(sort[0].GetDirection())
+}
+
func UUIDToString(uuid pgtype.UUID) string {
if !uuid.Valid {
return ""
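Review bot: The exported `GetDynamicValueMappingsSortParams` has no doc comment, and its contract is implicit: it returns empty strings for an empty sort list or an unspecified field, which `listDynamicValueMappings` then resolves to `created_at` / `DESC` through its `COALESCE(NULLIF(...))` defaults. I would add `// GetDynamicValueMappingsSortParams maps the first sort entry to fixed sort tokens; empty strings select the query defaults (created_at, DESC).` It is also worth noting on `getDynamicValueMappingsSortField` that only the `sortFieldCreatedAt` / `sortFieldUpdatedAt` constants or `""` are ever returned, so no request-supplied text is passed through as a sort field.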
diff --git a/service/policy/dynamicvaluemapping/dynamic_value_mapping.go b/service/policy/dynamicvaluemapping/dynamic_value_mapping.go
new file mode 100644
index 0000000000..3166f65462
--- /dev/null
+++ b/service/policy/dynamicvaluemapping/dynamic_value_mapping.go
@@ -0,0 +1,189 @@
+package dynamicvaluemapping
+
+import (
+ "context"
+ "errors"
+ "fmt"
+ "log/slog"
+
+ "connectrpc.com/connect"
+ dvm "github.com/opentdf/platform/protocol/go/policy/dynamicvaluemapping"
+ "github.com/opentdf/platform/protocol/go/policy/dynamicvaluemapping/dynamicvaluemappingconnect"
+ "github.com/opentdf/platform/service/logger"
+ "github.com/opentdf/platform/service/logger/audit"
+ "github.com/opentdf/platform/service/pkg/config"
+ "github.com/opentdf/platform/service/pkg/db"
+ "github.com/opentdf/platform/service/pkg/serviceregistry"
+ policyconfig "github.com/opentdf/platform/service/policy/config"
+ policydb "github.com/opentdf/platform/service/policy/db"
+)
+
+type DynamicValueMappingService struct { //nolint:revive // descriptive name mirrors the policy object
+ dbClient policydb.PolicyDBClient
+ logger *logger.Logger
+ config *policyconfig.Config
+}
+
+func OnConfigUpdate(svc *DynamicValueMappingService) serviceregistry.OnConfigUpdateHook {
+ return func(_ context.Context, cfg config.ServiceConfig) error {
+ sharedCfg, err := policyconfig.GetSharedPolicyConfig(cfg)
+ if err != nil {
+ return fmt.Errorf("failed to get shared policy config: %w", err)
+ }
+ svc.config = sharedCfg
+ svc.dbClient = policydb.NewClient(svc.dbClient.Client, svc.logger, int32(sharedCfg.ListRequestLimitMax), int32(sharedCfg.ListRequestLimitDefault))
+ svc.logger.Info("dynamic value mapping service config reloaded")
+ return nil
+ }
+}
+
+func NewRegistration(ns string, dbRegister serviceregistry.DBRegister) *serviceregistry.Service[dynamicvaluemappingconnect.DynamicValueMappingServiceHandler] {
+ svc := new(DynamicValueMappingService)
+ onUpdateConfigHook := OnConfigUpdate(svc)
+
+ return &serviceregistry.Service[dynamicvaluemappingconnect.DynamicValueMappingServiceHandler]{
+ Close: svc.Close,
+ ServiceOptions: serviceregistry.ServiceOptions[dynamicvaluemappingconnect.DynamicValueMappingServiceHandler]{
+ Namespace: ns,
+ DB: dbRegister,
+ ServiceDesc: &dvm.DynamicValueMappingService_ServiceDesc,
+ ConnectRPCFunc: dynamicvaluemappingconnect.NewDynamicValueMappingServiceHandler,
+ OnConfigUpdate: onUpdateConfigHook,
+ RegisterFunc: func(srp serviceregistry.RegistrationParams) (dynamicvaluemappingconnect.DynamicValueMappingServiceHandler, serviceregistry.HandlerServer) {
+ logger := srp.Logger
+ cfg, err := policyconfig.GetSharedPolicyConfig(srp.Config)
+ if err != nil {
+ logger.Error("error getting dynamic value mapping service policy config", slog.String("error", err.Error()))
+ panic(err)
+ }
+
+ svc.logger = logger
+ svc.dbClient = policydb.NewClient(srp.DBClient, logger, int32(cfg.ListRequestLimitMax), int32(cfg.ListRequestLimitDefault))
+ svc.config = cfg
+ return svc, nil
+ },
+ },
+ }
+}
+
+// Close gracefully shuts down the service, closing the database client.
+func (s *DynamicValueMappingService) Close() {
+ s.logger.Info("gracefully shutting down dynamic value mapping service")
+ s.dbClient.Close()
+}
+
+func (s DynamicValueMappingService) CreateDynamicValueMapping(ctx context.Context,
+ req *connect.Request[dvm.CreateDynamicValueMappingRequest],
+) (*connect.Response[dvm.CreateDynamicValueMappingResponse], error) {
+ rsp := &dvm.CreateDynamicValueMappingResponse{}
+ s.logger.DebugContext(ctx, "creating dynamic value mapping")
+ if s.config.NamespacedPolicy && req.Msg.GetNamespaceId() == "" && req.Msg.GetNamespaceFqn() == "" {
+ return nil, connect.NewError(connect.CodeInvalidArgument, errors.New("either namespace_id or namespace_fqn must be provided"))
+ }
+
+ auditParams := audit.PolicyEventParams{
+ ActionType: audit.ActionTypeCreate,
+ ObjectType: audit.ObjectTypeDynamicValueMapping,
+ }
+
+ // Creation may involve action or SubjectConditionSet creation, so use a transaction.
+ err := s.dbClient.RunInTx(ctx, func(txClient *policydb.PolicyDBClient) error {
+ mapping, err := txClient.CreateDynamicValueMapping(ctx, req.Msg)
+ if err != nil {
+ s.logger.Audit.PolicyCRUDFailure(ctx, auditParams)
+ return err
+ }
+
+ auditParams.ObjectID = mapping.GetId()
+ auditParams.Original = mapping
+ s.logger.Audit.PolicyCRUDSuccess(ctx, auditParams)
+
+ rsp.DynamicValueMapping = mapping
+ return nil
+ })
+ if err != nil {
+ return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextCreationFailed, slog.String("dynamicValueMapping", req.Msg.String()))
+ }
+ return connect.NewResponse(rsp), nil
+}
+
+func (s DynamicValueMappingService) ListDynamicValueMappings(ctx context.Context,
+ req *connect.Request[dvm.ListDynamicValueMappingsRequest],
+) (*connect.Response[dvm.ListDynamicValueMappingsResponse], error) {
+ s.logger.DebugContext(ctx, "listing dynamic value mappings")
+
+ rsp, err := s.dbClient.ListDynamicValueMappings(ctx, req.Msg)
+ if err != nil {
+ return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextListRetrievalFailed)
+ }
+ return connect.NewResponse(rsp), nil
+}
+
+func (s DynamicValueMappingService) GetDynamicValueMapping(ctx context.Context,
+ req *connect.Request[dvm.GetDynamicValueMappingRequest],
+) (*connect.Response[dvm.GetDynamicValueMappingResponse], error) {
+ s.logger.DebugContext(ctx, "getting dynamic value mapping", slog.String("id", req.Msg.GetId()))
+
+ mapping, err := s.dbClient.GetDynamicValueMapping(ctx, req.Msg.GetId())
+ if err != nil {
+ return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextGetRetrievalFailed, slog.String("id", req.Msg.GetId()))
+ }
+ return connect.NewResponse(&dvm.GetDynamicValueMappingResponse{DynamicValueMapping: mapping}), nil
+}
+
+func (s DynamicValueMappingService) UpdateDynamicValueMapping(ctx context.Context,
+ req *connect.Request[dvm.UpdateDynamicValueMappingRequest],
+) (*connect.Response[dvm.UpdateDynamicValueMappingResponse], error) {
+ rsp := &dvm.UpdateDynamicValueMappingResponse{}
+ id := req.Msg.GetId()
+ s.logger.DebugContext(ctx, "updating dynamic value mapping", slog.String("id", id))
+
+ auditParams := audit.PolicyEventParams{
+ ActionType: audit.ActionTypeUpdate,
+ ObjectType: audit.ObjectTypeDynamicValueMapping,
+ ObjectID: id,
+ }
+
+ original, err := s.dbClient.GetDynamicValueMapping(ctx, id)
+ if err != nil {
+ s.logger.Audit.PolicyCRUDFailure(ctx, auditParams)
+ return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextGetRetrievalFailed, slog.String("id", id))
+ }
+
+ updated, err := s.dbClient.UpdateDynamicValueMapping(ctx, req.Msg)
+ if err != nil {
+ s.logger.Audit.PolicyCRUDFailure(ctx, auditParams)
+ return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextUpdateFailed, slog.String("id", id), slog.String("dynamicValueMapping", req.Msg.String()))
+ }
+
+ auditParams.Original = original
+ auditParams.Updated = updated
+ s.logger.Audit.PolicyCRUDSuccess(ctx, auditParams)
+
+ rsp.DynamicValueMapping = updated
+ return connect.NewResponse(rsp), nil
+}
+
+func (s DynamicValueMappingService) DeleteDynamicValueMapping(ctx context.Context,
+ req *connect.Request[dvm.DeleteDynamicValueMappingRequest],
+) (*connect.Response[dvm.DeleteDynamicValueMappingResponse], error) {
+ rsp := &dvm.DeleteDynamicValueMappingResponse{}
+ id := req.Msg.GetId()
+ s.logger.DebugContext(ctx, "deleting dynamic value mapping", slog.String("id", id))
+
+ auditParams := audit.PolicyEventParams{
+ ActionType: audit.ActionTypeDelete,
+ ObjectType: audit.ObjectTypeDynamicValueMapping,
+ ObjectID: id,
+ }
+
+ deleted, err := s.dbClient.DeleteDynamicValueMapping(ctx, id)
+ if err != nil {
+ s.logger.Audit.PolicyCRUDFailure(ctx, auditParams)
+ return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextDeletionFailed, slog.String("id", id))
+ }
+
+ s.logger.Audit.PolicyCRUDSuccess(ctx, auditParams)
+ rsp.DynamicValueMapping = deleted
+ return connect.NewResponse(rsp), nil
+}
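Review bot: In `CreateDynamicValueMapping` the audit success event is emitted inside the `RunInTx` callback, before the transaction has committed. If `RunInTx` commits after the callback returns (its implementation is not in this hunk) and that commit fails, the audit trail holds a success record for a mapping that was rolled back, and no failure record. I would keep only the assignments inside the callback and emit afterwards: `s.logger.Audit.PolicyCRUDFailure(ctx, auditParams)` in the `if err != nil` branch that follows `RunInTx`, and `s.logger.Audit.PolicyCRUDSuccess(ctx, auditParams)` just before `return connect.NewResponse(rsp), nil`. `UpdateDynamicValueMapping` has a related gap: `original` is read outside any transaction, so the `Original` recorded in the audit event may not be the state that was actually overwritten.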
diff --git a/service/policy/dynamicvaluemapping/dynamic_value_mapping.proto b/service/policy/dynamicvaluemapping/dynamic_value_mapping.proto
new file mode 100644
index 0000000000..d7ff2ac5a1
--- /dev/null
+++ b/service/policy/dynamicvaluemapping/dynamic_value_mapping.proto
@@ -0,0 +1,171 @@
+syntax = "proto3";
+
+package policy.dynamicvaluemapping;
+
+import "buf/validate/validate.proto";
+import "common/common.proto";
+import "policy/objects.proto";
+import "policy/selectors.proto";
+import "policy/subjectmapping/subject_mapping.proto";
+
+/*
+ Dynamic Value Mapping CRUD operations
+
+ A DynamicValueMapping raises entitlement authority from a concrete AttributeValue to the
+ AttributeDefinition: at decision time the value_resolver compares the requested resource
+ value segment against the entity representation, avoiding pre-provisioning a value +
+ subject mapping per discrete value.
+*/
+
+message GetDynamicValueMappingRequest {
+ // Required
+ string id = 1 [(buf.validate.field).string.uuid = true];
+}
+message GetDynamicValueMappingResponse {
+ policy.DynamicValueMapping dynamic_value_mapping = 1;
+}
+
+enum SortDynamicValueMappingsType {
+ SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_UNSPECIFIED = 0;
+ SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_CREATED_AT = 1;
+ SORT_DYNAMIC_VALUE_MAPPINGS_TYPE_UPDATED_AT = 2;
+}
+
+message DynamicValueMappingsSort {
+ SortDynamicValueMappingsType field = 1 [(buf.validate.field).enum.defined_only = true];
+ policy.SortDirection direction = 2 [(buf.validate.field).enum.defined_only = true];
+}
+
+message ListDynamicValueMappingsRequest {
+ // Optional
+ // Namespace ID, or Attribute Definition ID to filter by
+ string namespace_id = 1 [(buf.validate.field).cel = {
+ id: "optional_uuid_format"
+ message: "Optional field must be a valid UUID"
+ expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')"
+ }];
+ string attribute_definition_id = 2 [(buf.validate.field).cel = {
+ id: "optional_uuid_format"
+ message: "Optional field must be a valid UUID"
+ expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')"
+ }];
+
+ // Optional
+ policy.PageRequest pagination = 10;
+
+ // Optional - CONSTRAINT: max 1 item
+ repeated DynamicValueMappingsSort sort = 11 [(buf.validate.field).repeated.max_items = 1];
+}
+message ListDynamicValueMappingsResponse {
+ repeated policy.DynamicValueMapping dynamic_value_mappings = 1;
+
+ policy.PageResponse pagination = 10;
+}
+
+message CreateDynamicValueMappingRequest {
+ // Required: Attribute Definition ID or FQN to scope the mapping to
+ option (buf.validate.message).oneof = {
+ fields: ["attribute_definition_id", "attribute_definition_fqn"]
+ required: true
+ };
+ // Optional: Namespace ID or FQN to scope the mapping to
+ option (buf.validate.message).oneof = {
+ fields: ["namespace_id", "namespace_fqn"]
+ required: false
+ };
+
+ string attribute_definition_id = 1 [(buf.validate.field).string.uuid = true];
+ string attribute_definition_fqn = 2 [
+ (buf.validate.field).string = {
+ min_len: 1
+ uri: true
+ }
+ ];
+
+ // Required: the dynamic resolver comparing entity selector result to the resource value segment
+ policy.DynamicValueResolver value_resolver = 3 [(buf.validate.field).required = true];
+
+ // Required: actions permitted on a matched value
+ repeated policy.Action actions = 4 [
+ (buf.validate.field).repeated.min_items = 1,
+ (buf.validate.field).cel = {
+ id: "action_name_or_id_not_empty"
+ message: "Action name or ID must not be empty if provided"
+ expression: "this.all(item, item.name != '' || item.id != '')"
+ }
+ ];
+
+ // Optional static pre-gate. Reuse an existing SubjectConditionSet (prioritized) ...
+ string existing_subject_condition_set_id = 5 [(buf.validate.field).cel = {
+ id: "optional_uuid_format"
+ message: "Optional field must be a valid UUID"
+ expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')"
+ }];
+ // ... or create a new one (ignored if existing_subject_condition_set_id is provided)
+ policy.subjectmapping.SubjectConditionSetCreate new_subject_condition_set = 6;
+
+ // Optional: namespace ID or FQN for the mapping
+ string namespace_id = 7 [(buf.validate.field).string.uuid = true];
+ string namespace_fqn = 8 [
+ (buf.validate.field).string = {
+ min_len: 1
+ uri: true
+ }
+ ];
+
+ // Optional
+ common.MetadataMutable metadata = 100;
+}
+message CreateDynamicValueMappingResponse {
+ policy.DynamicValueMapping dynamic_value_mapping = 1;
+}
+
+message UpdateDynamicValueMappingRequest {
+ // Required
+ string id = 1 [(buf.validate.field).string.uuid = true];
+
+ // Optional: replace the dynamic resolver
+ policy.DynamicValueResolver value_resolver = 2;
+
+ // Optional: replace the static pre-gate SubjectConditionSet by id
+ string subject_condition_set_id = 3 [(buf.validate.field).cel = {
+ id: "optional_uuid_format"
+ message: "Optional field must be a valid UUID"
+ expression: "size(this) == 0 || this.matches('[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')"
+ }];
+
+ // Optional: replace the entire list of actions
+ repeated policy.Action actions = 4 [(buf.validate.field).cel = {
+ id: "action_name_or_id_not_empty"
+ message: "Action name or ID must not be empty if provided"
+ expression: "this.size() == 0 || this.all(item, item.name != '' || item.id != '')"
+ }];
+
+ // Common metadata
+ common.MetadataMutable metadata = 100;
+ common.MetadataUpdateEnum metadata_update_behavior = 101;
+}
+message UpdateDynamicValueMappingResponse {
+ policy.DynamicValueMapping dynamic_value_mapping = 1;
+}
+
+message DeleteDynamicValueMappingRequest {
+ // Required
+ string id = 1 [(buf.validate.field).string.uuid = true];
+}
+message DeleteDynamicValueMappingResponse {
+ // Only ID of the deleted mapping provided
+ policy.DynamicValueMapping dynamic_value_mapping = 1;
+}
+
+service DynamicValueMappingService {
+ rpc ListDynamicValueMappings(ListDynamicValueMappingsRequest) returns (ListDynamicValueMappingsResponse) {
+ option idempotency_level = NO_SIDE_EFFECTS;
+ }
+ rpc GetDynamicValueMapping(GetDynamicValueMappingRequest) returns (GetDynamicValueMappingResponse) {
+ option idempotency_level = NO_SIDE_EFFECTS;
+ }
+ rpc CreateDynamicValueMapping(CreateDynamicValueMappingRequest) returns (CreateDynamicValueMappingResponse) {}
+ rpc UpdateDynamicValueMapping(UpdateDynamicValueMappingRequest) returns (UpdateDynamicValueMappingResponse) {}
+ rpc DeleteDynamicValueMapping(DeleteDynamicValueMappingRequest) returns (DeleteDynamicValueMappingResponse) {}
+}
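Review bot: The four `optional_uuid_format` CEL rules call `this.matches(...)` with an unanchored pattern, and CEL's `matches` succeeds when the pattern is found anywhere in the string. Any value that merely contains a UUID therefore passes validation on `namespace_id` and `attribute_definition_id` (list), `existing_subject_condition_set_id` (create) and `subject_condition_set_id` (update). It is then rejected only later, in the Go or database layer, presumably as an internal error rather than an invalid-argument response. Anchor the pattern in all four rules: `this.matches('^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$')`. Separately, `ListDynamicValueMappingsRequest` has no `namespace_fqn` field although the `listDynamicValueMappings` query filters on one.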
diff --git a/service/policy/objects.proto b/service/policy/objects.proto
index 3e6ee4d794..adac99663c 100644
--- a/service/policy/objects.proto
+++ b/service/policy/objects.proto
@@ -180,6 +180,21 @@ enum ConditionBooleanTypeEnum {
CONDITION_BOOLEAN_TYPE_ENUM_OR = 2;
}
+// Operators for dynamic, definition-level value entitlement. Unlike
+// SubjectMappingOperatorEnum, whose right-hand operand is a static list authored into
+// policy, a DynamicValueOperatorEnum's right-hand operand is the requested resource's
+// attribute value segment, supplied at decision time. Each value is the inversion of its
+// static SubjectMappingOperatorEnum counterpart.
+enum DynamicValueOperatorEnum {
+ DYNAMIC_VALUE_OPERATOR_ENUM_UNSPECIFIED = 0;
+ // true when the requested resource value segment equals one of the values resolved by
+ // the selector against the entity representation (inversion of IN)
+ DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN = 1;
+ // true when one of the selector-resolved entity values contains the requested resource
+ // value segment as a substring (inversion of IN_CONTAINS)
+ DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS = 2;
+}
+
/*
Subject Mapping: A Policy assigning Subject Set(s) to a permitted attribute
value + action(s) combination
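Review bot: The comment on `DYNAMIC_VALUE_OPERATOR_ENUM_RESOURCE_VALUE_IN_CONTAINS` does not say how an empty or very short requested value segment is treated, and under plain substring semantics an empty segment is contained in every entity value. Because the right-hand operand is supplied at decision time rather than authored into policy, the contract should state that an empty segment never matches, and whether the comparison is case-sensitive. The evaluator is not visible in this hunk, so this may already be enforced there. I would add under the existing comment, adjusted to the evaluator's actual behaviour: `// an empty resource value segment never matches; comparison is case-sensitive`.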
@@ -204,6 +219,53 @@ message SubjectMapping {
common.Metadata metadata = 100;
}
+/*
+ Definition Value Resolver: the dynamic half of a DynamicValueMapping. It
+ resolves a selector against the entity representation and compares the result to the
+ requested resource value segment using a DynamicValueOperatorEnum.
+*/
+message DynamicValueResolver {
+ // a selector for a field value on a flattened Entity Representation (such as from
+ // idP/LDAP), e.g. ".patientAssignments[]"
+ string subject_external_selector_value = 1 [(buf.validate.field).required = true];
+
+ // the dynamic operator comparing the selector result to the resource value segment
+ DynamicValueOperatorEnum operator = 2 [
+ (buf.validate.field).enum.defined_only = true,
+ (buf.validate.field).required = true
+ ];
+}
+
+/*
+ Dynamic Value Mapping: a Policy assigning permitted action(s) to
+ dynamically-requested values under an Attribute Definition. It raises entitlement
+ authority from a concrete Attribute Value to the Attribute Definition: at decision time
+ the value_resolver compares the requested resource value segment against the entity
+ representation, avoiding pre-provisioning a value + subject mapping per discrete value.
+*/
+message DynamicValueMapping {
+ string id = 1;
+
+ // the Attribute Definition whose values are entitled dynamically
+ Attribute attribute_definition = 2;
+
+ // the dynamic resolver matched against the requested resource value segment
+ DynamicValueResolver value_resolver = 3;
+
+ // optional static pre-gate on the entity, evaluated with normal SubjectConditionSet
+ // semantics (no dynamic overload). When present, both the gate and the resolver must
+ // pass for entitlement.
+ SubjectConditionSet subject_condition_set = 4;
+
+ // the actions permitted by subjects in this mapping
+ repeated Action actions = 5;
+
+ // the namespace containing this mapping
+ Namespace namespace = 6;
+
+ common.Metadata metadata = 100;
+}
+
/**
A Condition defines a rule of
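Review bot: The `DynamicValueMapping` comment does not state the outcome when `value_resolver` is unset on a stored mapping, or when the selector resolves to no values in the entity representation. Since `subject_condition_set` is optional and this mapping entitles at the Attribute Definition level, the resolver can be the only gate, so the documented contract should be fail-closed. I would add above `value_resolver`: `// required for entitlement: a mapping without a resolver, or whose selector resolves to no values, entitles nothing`. The enforcement lives outside this hunk, so confirm the decision code matches that wording.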
diff --git a/service/policy/policy.go b/service/policy/policy.go
index 4e1f479454..17273dbabf 100644
--- a/service/policy/policy.go
+++ b/service/policy/policy.go
@@ -7,6 +7,7 @@ import (
"github.com/opentdf/platform/service/policy/actions"
"github.com/opentdf/platform/service/policy/attributes"
"github.com/opentdf/platform/service/policy/db/migrations"
+ "github.com/opentdf/platform/service/policy/dynamicvaluemapping"
"github.com/opentdf/platform/service/policy/kasregistry"
"github.com/opentdf/platform/service/policy/keymanagement"
"github.com/opentdf/platform/service/policy/namespaces"
@@ -36,6 +37,7 @@ func NewRegistrations() []serviceregistry.IService {
namespaces.NewRegistration(namespace, dbRegister),
resourcemapping.NewRegistration(namespace, dbRegister),
subjectmapping.NewRegistration(namespace, dbRegister),
+ dynamicvaluemapping.NewRegistration(namespace, dbRegister),
kasregistry.NewRegistration(namespace, dbRegister),
unsafe.NewRegistration(namespace, dbRegister),
actions.NewRegistration(namespace, dbRegister),
|